diff options
| author | Jakob Schlyter <jakob@cvs.openbsd.org> | 2004-09-28 17:14:10 +0000 |
|---|---|---|
| committer | Jakob Schlyter <jakob@cvs.openbsd.org> | 2004-09-28 17:14:10 +0000 |
| commit | ff09ecf5e523f7c1678821dfc8753880775b9bc9 (patch) | |
| tree | cfbc352a0605ad89a62d844079441dca80fca83d /usr.sbin/bind/bin | |
| parent | ae87190605c9d85eaf9ba7728034f343685da32a (diff) | |
resolve conflicts
Diffstat (limited to 'usr.sbin/bind/bin')
73 files changed, 11530 insertions, 6287 deletions
diff --git a/usr.sbin/bind/bin/Makefile.in b/usr.sbin/bind/bin/Makefile.in index f16c4f5d9af..ec94f025641 100644 --- a/usr.sbin/bind/bin/Makefile.in +++ b/usr.sbin/bind/bin/Makefile.in @@ -1,19 +1,19 @@ +# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2001 Internet Software Consortium. # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # -# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. -# $ISC: Makefile.in,v 1.22 2001/01/09 21:39:05 bwelling Exp $ +# $ISC: Makefile.in,v 1.22.208.1 2004/03/06 10:21:10 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/usr.sbin/bind/bin/check/named-checkconf.html b/usr.sbin/bind/bin/check/named-checkconf.html index c20e40f4d71..9973700e3a9 100644 --- a/usr.sbin/bind/bin/check/named-checkconf.html +++ b/usr.sbin/bind/bin/check/named-checkconf.html @@ -1,27 +1,30 @@ <!-- - - Copyright (C) 2000, 2001 Internet Software Consortium. - - + - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2001, 2002 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - - - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. --> + +<!-- $ISC: named-checkconf.html,v 1.5.2.1.4.5 2004/08/22 23:38:57 marka Exp $ --> + +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML ><HEAD ><TITLE >named-checkconf</TITLE ><META NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.73 -"></HEAD +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD ><BODY CLASS="REFENTRY" BGCOLOR="#FFFFFF" @@ -32,10 +35,10 @@ ALINK="#0000FF" ><H1 ><A NAME="AEN1" +></A ><SPAN CLASS="APPLICATION" >named-checkconf</SPAN -></A ></H1 ><DIV CLASS="REFNAMEDIV" @@ -59,23 +62,27 @@ NAME="AEN13" ><B CLASS="COMMAND" >named-checkconf</B -> [<TT +> [<VAR +CLASS="OPTION" +>-v</VAR +>] [<VAR CLASS="OPTION" ->-v</TT ->] [<TT +>-j</VAR +>] [<VAR CLASS="OPTION" ->-t <TT +>-t <VAR CLASS="REPLACEABLE" -><I ->directory</I -></TT -></TT ->] {filename}</P +>directory</VAR +></VAR +>] {filename} [<VAR +CLASS="OPTION" +>-z</VAR +>]</P ></DIV ><DIV CLASS="REFSECT1" ><A -NAME="AEN22" +NAME="AEN26" ></A ><H2 >DESCRIPTION</H2 @@ -90,7 +97,7 @@ CLASS="COMMAND" ><DIV CLASS="REFSECT1" ><A -NAME="AEN26" +NAME="AEN30" ></A ><H2 >OPTIONS</H2 @@ -100,11 +107,9 @@ NAME="AEN26" CLASS="VARIABLELIST" ><DL ><DT ->-t <TT +>-t <VAR CLASS="REPLACEABLE" -><I ->directory</I -></TT +>directory</VAR ></DT ><DD ><P @@ -128,6 +133,24 @@ CLASS="COMMAND" </P ></DD ><DT +>-z</DT +><DD +><P +> Perform a check load the master zonefiles found in + <TT +CLASS="FILENAME" +>named.conf</TT +>. + </P +></DD +><DT +>-j</DT +><DD +><P +> When loading a zonefile read the journal if it exists. + </P +></DD +><DT >filename</DT ><DD ><P @@ -144,7 +167,7 @@ CLASS="FILENAME" ><DIV CLASS="REFSECT1" ><A -NAME="AEN45" +NAME="AEN58" ></A ><H2 >RETURN VALUES</H2 @@ -159,7 +182,7 @@ CLASS="COMMAND" ><DIV CLASS="REFSECT1" ><A -NAME="AEN49" +NAME="AEN62" ></A ><H2 >SEE ALSO</H2 @@ -180,12 +203,12 @@ CLASS="CITETITLE" ><DIV CLASS="REFSECT1" ><A -NAME="AEN56" +NAME="AEN69" ></A ><H2 >AUTHOR</H2 ><P -> Internet Software Consortium +> Internet Systems Consortium </P ></DIV ></BODY diff --git a/usr.sbin/bind/bin/dig/Makefile.in b/usr.sbin/bind/bin/dig/Makefile.in index 3af0d9fb51c..46ccff97998 100644 --- a/usr.sbin/bind/bin/dig/Makefile.in +++ b/usr.sbin/bind/bin/dig/Makefile.in @@ -1,19 +1,19 @@ -# Copyright (C) 2000, 2001 Internet Software Consortium. +# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2000-2002 Internet Software Consortium. # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # -# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. -# $ISC: Makefile.in,v 1.25 2001/06/08 17:18:06 gson Exp $ +# $ISC: Makefile.in,v 1.25.12.12 2004/08/18 23:25:57 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ @@ -21,26 +21,35 @@ top_srcdir = @top_srcdir@ @BIND9_VERSION@ -@BIND9_INCLUDES@ +@BIND9_MAKE_INCLUDES@ -CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} ${ISC_INCLUDES} +CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} ${BIND9_INCLUDES} \ + ${ISC_INCLUDES} ${LWRES_INCLUDES} CDEFINES = -DVERSION=\"${VERSION}\" CWARNINGS = -DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@ @DNS_GSSAPI_LIBS@ +ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ +DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ +BIND9LIBS = ../../lib/bind9/libbind9.@A@ ISCLIBS = ../../lib/isc/libisc.@A@ +LWRESLIBS = ../../lib/lwres/liblwres.@A@ +ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@ DNSDEPLIBS = ../../lib/dns/libdns.@A@ +BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@ ISCDEPLIBS = ../../lib/isc/libisc.@A@ +LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@ -DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS} +DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS} \ + ${LWRESDEPLIBS} -LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@ +LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCLIBS} \ + ${ISCCFGLIBS} @LIBS@ SUBDIRS = -TARGETS = dig host nslookup +TARGETS = dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ OBJS = dig.@O@ dighost.@O@ host.@O@ nslookup.@O@ @@ -50,20 +59,23 @@ SRCS = dig.c dighost.c host.c nslookup.c MANPAGES = dig.1 host.1 nslookup.8 -HTMLPAGES = dig.html host.html +HTMLPAGES = dig.html host.html nslookup.html MANOBJS = ${MANPAGES} ${HTMLPAGES} @BIND9_MAKE_RULES@ -dig: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ dig.@O@ dighost.@O@ ${UOBJS} ${LIBS} +dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ + dig.@O@ dighost.@O@ ${UOBJS} ${LIBS} -host: host.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ host.@O@ dighost.@O@ ${UOBJS} ${LIBS} +host@EXEEXT@: host.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ + host.@O@ dighost.@O@ ${UOBJS} ${LIBS} -nslookup: nslookup.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ nslookup.@O@ dighost.@O@ ${UOBJS} ${LIBS} +nslookup@EXEEXT@: nslookup.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ + nslookup.@O@ dighost.@O@ ${UOBJS} ${LIBS} doc man:: ${MANOBJS} @@ -77,8 +89,13 @@ installdirs: $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir} $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1 -install:: dig host nslookup installdirs - ${LIBTOOL} ${INSTALL_PROGRAM} dig ${DESTDIR}${bindir} - ${LIBTOOL} ${INSTALL_PROGRAM} host ${DESTDIR}${bindir} - ${LIBTOOL} ${INSTALL_PROGRAM} nslookup ${DESTDIR}${bindir} - for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1; done +install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \ + dig@EXEEXT@ ${DESTDIR}${bindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \ + host@EXEEXT@ ${DESTDIR}${bindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \ + nslookup@EXEEXT@ ${DESTDIR}${bindir} + for m in ${MANPAGES}; do \ + ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1; \ + done diff --git a/usr.sbin/bind/bin/dig/dig.1 b/usr.sbin/bind/bin/dig/dig.1 index d4fd67dd5b1..b22602e762d 100644 --- a/usr.sbin/bind/bin/dig/dig.1 +++ b/usr.sbin/bind/bin/dig/dig.1 @@ -1,25 +1,26 @@ -.\" -.\" Copyright (C) 2000, 2001 Internet Software Consortium. +.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2000-2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. .\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +.\" PERFORMANCE OF THIS SOFTWARE. +.\" +.\" $ISC: dig.1,v 1.14.2.4.2.6 2004/06/23 09:11:01 marka Exp $ .\" .TH "DIG" "1" "Jun 30, 2000" "BIND9" "" .SH NAME dig \- DNS lookup utility .SH SYNOPSIS .sp -\fBdig\fR [ \fB@server\fR ] [ \fB-b \fIaddress\fB\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-f \fIfilename\fB\fR ] [ \fB-k \fIfilename\fB\fR ] [ \fB-p \fIport#\fB\fR ] [ \fB-t \fItype\fB\fR ] [ \fB-x \fIaddr\fB\fR ] [ \fB-y \fIname:key\fB\fR ] [ \fBname\fR ] [ \fBtype\fR ] [ \fBclass\fR ] [ \fBqueryopt\fR\fI...\fR ] +\fBdig\fR [ \fB@server\fR ] [ \fB-b \fIaddress\fB\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-f \fIfilename\fB\fR ] [ \fB-k \fIfilename\fB\fR ] [ \fB-p \fIport#\fB\fR ] [ \fB-t \fItype\fB\fR ] [ \fB-x \fIaddr\fB\fR ] [ \fB-y \fIname:key\fB\fR ] [ \fB-4\fR ] [ \fB-6\fR ] [ \fBname\fR ] [ \fBtype\fR ] [ \fBclass\fR ] [ \fBqueryopt\fR\fI...\fR ] .sp \fBdig\fR [ \fB-h\fR ] .sp @@ -49,9 +50,9 @@ Unless it is told to query a specific name server, When no command line arguments or options are given, will perform an NS query for "." (the root). .PP -It is possible to set per user defaults for \fBdig\fR via +It is possible to set per-user defaults for \fBdig\fR via \fI${HOME}/.digrc\fR. This file is read and any options in it -are applied before the command line arguements. +are applied before the command line arguments. .SH "SIMPLE USAGE" .PP A typical invocation of \fBdig\fR looks like: @@ -86,7 +87,8 @@ ANY, A, MX, SIG, etc. .PP The \fB-b\fR option sets the source IP address of the query to \fIaddress\fR. This must be a valid address on -one of the host's network interfaces. +one of the host's network interfaces or "0.0.0.0" or "::". An optional port +may be specified by appending "#<port>" .PP The default query class (IN for internet) is overridden by the \fB-c\fR option. \fIclass\fR is any valid @@ -106,6 +108,10 @@ instead of the standard DNS port number 53. This option would be used to test a name server that has been configured to listen for queries on a non-standard port number. .PP +The \fB-4\fR option forces \fBdig\fR to only +use IPv4 query transport. The \fB-6\fR option forces +\fBdig\fR to only use IPv6 query transport. +.PP The \fB-t\fR option sets the query type to \fItype\fR. It can be any valid query type which is supported in BIND9. The default query type "A", unless the @@ -126,9 +132,10 @@ When this option is used, there is no need to provide the automatically performs a lookup for a name like 11.12.13.10.in-addr.arpa and sets the query type and class to PTR and IN respectively. By default, IPv6 addresses are -looked up using the IP6.ARPA domain and binary labels as defined in -RFC2874. To use the older RFC1886 method using the IP6.INT domain and -"nibble" labels, specify the \fB-n\fR (nibble) option. +looked up using nibble format under the IP6.ARPA domain. +To use the older RFC1886 method using the IP6.INT domain +specify the \fB-i\fR option. Bit string labels (RFC2874) +are now experimental and are not attempted. .PP To sign the DNS queries sent by \fBdig\fR and their responses using transaction signatures (TSIG), specify a TSIG key file @@ -190,9 +197,10 @@ The search list is not used by default. Deprecated, treated as a synonym for \fI+[no]search\fR .TP \fB+[no]aaonly\fR -This option does nothing. It is provided for compatibility with old -versions of \fBdig\fR where it set an unimplemented -resolver flag. +Sets the "aa" flag in the query. +.TP +\fB+[no]aaflag\fR +A synonym for \fI+[no]aaonly\fR. .TP \fB+[no]adflag\fR Set [do not set] the AD (authentic data) bit in the query. The AD bit @@ -204,6 +212,12 @@ completeness. Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses. .TP +\fB+[no]cl\fR +Display [do not display] the CLASS when printing the record. +.TP +\fB+[no]ttlid\fR +Display [do not display] the TTL when printing the record. +.TP \fB+[no]recurse\fR Toggle the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means \fBdig\fR @@ -279,10 +293,16 @@ An attempt to set \fIT\fR to less than 1 will result in a query timeout of 1 second being applied. .TP \fB+tries=T\fR -Sets the number of times to retry UDP queries to server to +Sets the number of times to try UDP queries to server to \fIT\fR instead of the default, 3. If \fIT\fR is less than or equal to zero, the number of -retries is silently rounded up to 1. +tries is silently rounded up to 1. +.TP +\fB+retry=T\fR +Sets the number of times to retry UDP queries to server to +\fIT\fR instead of the default, 2. Unlike +\fI+tries\fR, this does not include the initial +query. .TP \fB+ndots=D\fR Set the number of dots that have to appear in @@ -318,6 +338,18 @@ The default is to not display malformed answers. \fB+[no]dnssec\fR Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query. +.TP +\fB+[no]sigchase\fR +Chase DNSSEC signature chains. Requires dig be compiled with +-DDIG_SIGCHASE. +.TP +\fB+trusted-key=####\fR +Specify a trusted key to be used with \fB+sigchase\fR. +Requires dig be compiled with -DDIG_SIGCHASE. +.TP +\fB+[no]topdown\fR +When chasing DNSSEC signature chains perform a top down validation. +Requires dig be compiled with -DDIG_SIGCHASE. .SH "MULTIPLE QUERIES" .PP The BIND 9 implementation of \fBdig \fR supports @@ -362,6 +394,7 @@ isc.org. .PP \fBhost\fR(1), \fBnamed\fR(8), +\fBdnssec-keygen\fR(8), \fIRFC1035\fR. .SH "BUGS" .PP diff --git a/usr.sbin/bind/bin/dig/dig.c b/usr.sbin/bind/bin/dig/dig.c index ad656342c37..df1330be8a2 100644 --- a/usr.sbin/bind/bin/dig/dig.c +++ b/usr.sbin/bind/bin/dig/dig.c @@ -1,21 +1,21 @@ /* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: dig.c,v 1.157.2.13 2003/07/30 00:42:25 marka Exp $ */ +/* $ISC: dig.c,v 1.157.2.13.2.20 2004/06/23 04:19:40 marka Exp $ */ #include <config.h> #include <stdlib.h> @@ -24,6 +24,7 @@ #include <isc/app.h> #include <isc/netaddr.h> +#include <isc/parseint.h> #include <isc/print.h> #include <isc/string.h> #include <isc/util.h> @@ -62,13 +63,15 @@ extern isc_mem_t *mctx; extern dns_messageid_t id; extern int sendcount; extern int ndots; -extern int tries; extern int lookup_counter; extern int exitcode; extern isc_sockaddr_t bind_address; extern char keynametext[MXNAME]; extern char keyfile[MXNAME]; extern char keysecret[MXNAME]; +#ifdef DIG_SIGCHASE +extern char trustedkey[MXNAME]; +#endif extern dns_tsigkey_t *key; extern isc_boolean_t validated; extern isc_taskmgr_t *taskmgr; @@ -85,7 +88,7 @@ static char domainopt[DNS_NAME_MAXTEXT]; static isc_boolean_t short_form = ISC_FALSE, printcmd = ISC_TRUE, ip6_int = ISC_FALSE, plusquest = ISC_FALSE, pluscomm = ISC_FALSE, - multiline = ISC_FALSE; + multiline = ISC_FALSE, nottl = ISC_FALSE, noclass = ISC_FALSE; static const char *opcodetext[] = { "QUERY", @@ -132,8 +135,8 @@ static void print_usage(FILE *fp) { fputs( "Usage: dig [@global-server] [domain] [q-type] [q-class] {q-opt}\n" -" {global-d-opt} host [@local-server] {local-d-opt}\n" -" [ host [@local-server] {local-d-opt} [...]]\n", fp); +" {global-d-opt} host [@local-server] {local-d-opt}\n" +" [ host [@local-server] {local-d-opt} [...]]\n", fp); } static void @@ -145,10 +148,15 @@ usage(void) { } static void +version(void) { + fputs("DiG " VERSION "\n", stderr); +} + +static void help(void) { print_usage(stdout); fputs( -"Where: domain are in the Domain Name System\n" +"Where: domain is in the Domain Name System\n" " q-class is one of (in,hs,ch,...) [default: in]\n" " q-type is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]\n" " (Use ixfr=version for type ixfr)\n" @@ -156,19 +164,20 @@ help(void) { " -x dot-notation (shortcut for in-addr lookups)\n" " -i (IP6.INT reverse IPv6 lookups)\n" " -f filename (batch mode)\n" -" -b address (bind to source address)\n" +" -b address[#port] (bind to source address/port)\n" " -p port (specify port number)\n" " -t type (specify query type)\n" " -c class (specify query class)\n" " -k keyfile (specify tsig key file)\n" " -y name:key (specify named base64 tsig key)\n" -" -4 (force IPv4 query transport)\n" -" -6 (force IPv6 query transport)\n" +" -4 (use IPv4 query transport only)\n" +" -6 (use IPv6 query transport only)\n" " d-opt is of the form +keyword[=value], where keyword is:\n" " +[no]vc (TCP mode)\n" " +[no]tcp (TCP mode, alternate syntax)\n" " +time=### (Set query timeout) [5]\n" " +tries=### (Set number of UDP attempts) [3]\n" +" +retry=### (Set number of UDP retries) [2]\n" " +domain=### (Set default domainname)\n" " +bufsize=### (Set EDNS0 Max UDP packet size)\n" " +ndots=### (Set NDOTS value)\n" @@ -179,9 +188,10 @@ help(void) { "\n" " +[no]fail (Don't try next server on SERVFAIL)\n" " +[no]besteffort (Try to parse even illegal messages)\n" -" +[no]aaonly (Set AA flag in query)\n" +" +[no]aaonly (Set AA flag in query (+[no]aaflag))\n" " +[no]adflag (Set AD flag in query)\n" " +[no]cdflag (Set CD flag in query)\n" +" +[no]cl (Control display of class in records)\n" " +[no]cmd (Control display of command line)\n" " +[no]comments (Control display of comment lines)\n" " +[no]question (Control display of question)\n" @@ -191,15 +201,25 @@ help(void) { " +[no]stats (Control display of statistics)\n" " +[no]short (Disable everything except short\n" " form of answer)\n" +" +[no]ttlid (Control display of ttls in records)\n" " +[no]all (Set or clear all display flags)\n" " +[no]qr (Print question before sending)\n" " +[no]nssearch (Search all authoritative nameservers)\n" " +[no]identify (ID responders in short answers)\n" " +[no]trace (Trace delegation down from root)\n" " +[no]dnssec (Request DNSSEC records)\n" +#ifdef DIG_SIGCHASE +" +[no]sigchase (Chase DNSSEC signatures)\n" +" +trusted-key=#### (Trusted Key when chasing DNSSEC sigs)\n" +#if DIG_SIGCHASE_TD +" +[no]topdown (Do DNSSEC validation top down mode)\n" +#endif +#endif " +[no]multiline (Print records in an expanded format)\n" " global d-opts and servers (before host name) affect all queries.\n" -" local d-opts and servers (after host name) affect only that lookup.\n", +" local d-opts and servers (after host name) affect only that lookup.\n" +" -h (print help and exit)\n" +" -v (print version and exit)\n", stdout); } @@ -210,14 +230,12 @@ void received(int bytes, isc_sockaddr_t *from, dig_query_t *query) { isc_uint64_t diff; isc_time_t now; - isc_result_t result; time_t tnow; char fromtext[ISC_SOCKADDR_FORMATSIZE]; isc_sockaddr_format(from, fromtext, sizeof(fromtext)); - result = isc_time_now(&now); - check_result(result, "isc_time_now"); + TIME_NOW(&now); if (query->lookup->stats && !short_form) { diff = isc_time_microdiff(&now, &query->time_sent); @@ -226,8 +244,8 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) { time(&tnow); printf(";; WHEN: %s", ctime(&tnow)); if (query->lookup->doing_xfr) { - printf(";; XFR size: %d records\n", - query->rr_count); + printf(";; XFR size: %u records (messages %u)\n", + query->rr_count, query->msg_count); } else { printf(";; MSG SIZE rcvd: %d\n", bytes); @@ -279,9 +297,7 @@ say_message(dns_rdata_t *rdata, dig_query_t *query, isc_buffer_t *buf) { result = dns_rdata_totext(rdata, NULL, buf); check_result(result, "dns_rdata_totext"); if (query->lookup->identify) { - result = isc_time_now(&now); - if (result != ISC_R_SUCCESS) - return (result); + TIME_NOW(&now); diff = isc_time_microdiff(&now, &query->time_sent); ADD_STRING(buf, " from server "); ADD_STRING(buf, query->servname); @@ -344,6 +360,51 @@ short_answer(dns_message_t *msg, dns_messagetextflag_t flags, return (ISC_R_SUCCESS); } +#ifdef DIG_SIGCHASE +isc_result_t +printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset, + isc_buffer_t *target) +{ + isc_result_t result; + dns_master_style_t *style = NULL; + unsigned int styleflags = 0; + + if (rdataset == NULL || owner_name == NULL || target == NULL) + return(ISC_FALSE); + + styleflags |= DNS_STYLEFLAG_REL_OWNER; + if (nottl) + styleflags |= DNS_STYLEFLAG_NO_TTL; + if (noclass) + styleflags |= DNS_STYLEFLAG_NO_CLASS; + if (multiline) { + styleflags |= DNS_STYLEFLAG_OMIT_OWNER; + styleflags |= DNS_STYLEFLAG_OMIT_CLASS; + styleflags |= DNS_STYLEFLAG_REL_DATA; + styleflags |= DNS_STYLEFLAG_OMIT_TTL; + styleflags |= DNS_STYLEFLAG_TTL; + styleflags |= DNS_STYLEFLAG_MULTILINE; + styleflags |= DNS_STYLEFLAG_COMMENT; + } + if (multiline || (nottl && noclass)) + result = dns_master_stylecreate(&style, styleflags, + 24, 24, 24, 32, 80, 8, mctx); + else if (nottl || noclass) + result = dns_master_stylecreate(&style, styleflags, + 24, 24, 32, 40, 80, 8, mctx); + else + result = dns_master_stylecreate(&style, styleflags, + 24, 32, 40, 48, 80, 8, mctx); + check_result(result, "dns_master_stylecreate"); + + result = dns_master_rdatasettotext(owner_name, rdataset, style, target); + + if (style != NULL) + dns_master_styledestroy(&style, mctx); + + return(result); +} +#endif /* * Callback from dighost.c to print the reply from a server @@ -354,12 +415,33 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) { dns_messagetextflag_t flags; isc_buffer_t *buf = NULL; unsigned int len = OUTPUTBUF; - const dns_master_style_t *style; - - if (multiline) - style = &dns_master_style_default; - else - style = &dns_master_style_debug; + dns_master_style_t *style = NULL; + unsigned int styleflags = 0; + + styleflags |= DNS_STYLEFLAG_REL_OWNER; + if (nottl) + styleflags |= DNS_STYLEFLAG_NO_TTL; + if (noclass) + styleflags |= DNS_STYLEFLAG_NO_CLASS; + if (multiline) { + styleflags |= DNS_STYLEFLAG_OMIT_OWNER; + styleflags |= DNS_STYLEFLAG_OMIT_CLASS; + styleflags |= DNS_STYLEFLAG_REL_DATA; + styleflags |= DNS_STYLEFLAG_OMIT_TTL; + styleflags |= DNS_STYLEFLAG_TTL; + styleflags |= DNS_STYLEFLAG_MULTILINE; + styleflags |= DNS_STYLEFLAG_COMMENT; + } + if (multiline || (nottl && noclass)) + result = dns_master_stylecreate(&style, styleflags, + 24, 24, 24, 32, 80, 8, mctx); + else if (nottl || noclass) + result = dns_master_stylecreate(&style, styleflags, + 24, 24, 32, 40, 80, 8, mctx); + else + result = dns_master_stylecreate(&style, styleflags, + 24, 32, 40, 48, 80, 8, mctx); + check_result(result, "dns_master_stylecreate"); if (query->lookup->cmdline[0] != 0) { if (!short_form) @@ -423,8 +505,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) { repopulate_buffer: - if (query->lookup->comments && headers && !short_form) - { + if (query->lookup->comments && headers && !short_form) { result = dns_message_pseudosectiontotext(msg, DNS_PSEUDOSECTION_OPT, style, flags, buf); @@ -436,7 +517,7 @@ buftoosmall: if (result == ISC_R_SUCCESS) goto repopulate_buffer; else - return (result); + goto cleanup; } check_result(result, "dns_message_pseudosectiontotext"); @@ -514,6 +595,10 @@ buftoosmall: printf("%.*s", (int)isc_buffer_usedlength(buf), (char *)isc_buffer_base(buf)); isc_buffer_free(&buf); + +cleanup: + if (style != NULL) + dns_master_styledestroy(&style, mctx); return (result); } @@ -523,7 +608,6 @@ buftoosmall: static void printgreeting(int argc, char **argv, dig_lookup_t *lookup) { int i; - int remaining; static isc_boolean_t first = ISC_TRUE; char append[MXNAME]; @@ -535,22 +619,16 @@ printgreeting(int argc, char **argv, dig_lookup_t *lookup) { i = 1; while (i < argc) { snprintf(append, sizeof(append), " %s", argv[i++]); - remaining = sizeof(lookup->cmdline) - - strlen(lookup->cmdline) - 1; - strncat(lookup->cmdline, append, remaining); + strlcat(lookup->cmdline, append, sizeof(lookup->cmdline)); } - remaining = sizeof(lookup->cmdline) - - strlen(lookup->cmdline) - 1; - strncat(lookup->cmdline, "\n", remaining); + strlcat(lookup->cmdline, "\n", sizeof(lookup->cmdline)); if (first) { - snprintf(append, sizeof (append), + snprintf(append, sizeof(append), ";; global options: %s %s\n", short_form ? "short_form" : "", printcmd ? "printcmd" : ""); first = ISC_FALSE; - remaining = sizeof(lookup->cmdline) - - strlen(lookup->cmdline) - 1; - strncat(lookup->cmdline, append, remaining); + strlcat(lookup->cmdline, append, sizeof(lookup->cmdline)); } } } @@ -593,14 +671,14 @@ reorder_args(int argc, char *argv[]) { static isc_uint32_t parse_uint(char *arg, const char *desc, isc_uint32_t max) { - char *endp; + isc_result_t result; isc_uint32_t tmp; - tmp = strtoul(arg, &endp, 10); - if (*endp != '\0') - fatal("%s '%s' must be numeric", desc, arg); - if (tmp > max) - fatal("%s '%s' out of range", desc, arg); + result = isc_parse_uint32(&tmp, arg, 10); + if (result == ISC_R_SUCCESS && tmp > max) + result = ISC_R_RANGE; + if (result != ISC_R_SUCCESS) + fatal("%s '%s': %s", desc, arg, isc_result_totext(result)); return (tmp); } @@ -618,32 +696,52 @@ plus_option(char *option, isc_boolean_t is_batchfile, char option_store[256]; char *cmd, *value, *ptr; isc_boolean_t state = ISC_TRUE; +#ifdef DIG_SIGCHASE + size_t n; +#endif strlcpy(option_store, option, sizeof(option_store)); - option_store[sizeof(option_store)-1]=0; ptr = option_store; - cmd=next_token(&ptr,"="); + cmd = next_token(&ptr,"="); if (cmd == NULL) { - printf(";; Invalid option %s\n",option_store); + printf(";; Invalid option %s\n", option_store); return; } - value=ptr; - if (strncasecmp(cmd,"no",2)==0) { + value = ptr; + if (strncasecmp(cmd, "no", 2)==0) { cmd += 2; state = ISC_FALSE; } + +#define FULLCHECK(A) \ + do { \ + size_t _l = strlen(cmd); \ + if (_l >= sizeof(A) || strncasecmp(cmd, A, _l) != 0) \ + goto invalid_option; \ + } while (0) +#define FULLCHECK2(A, B) \ + do { \ + size_t _l = strlen(cmd); \ + if ((_l >= sizeof(A) || strncasecmp(cmd, A, _l) != 0) && \ + (_l >= sizeof(B) || strncasecmp(cmd, B, _l) != 0)) \ + goto invalid_option; \ + } while (0) + switch (cmd[0]) { case 'a': switch (cmd[1]) { - case 'a': /* aaflag */ + case 'a': /* aaonly / aaflag */ + FULLCHECK2("aaonly", "aaflag"); lookup->aaonly = state; break; case 'd': switch (cmd[2]) { case 'd': /* additional */ + FULLCHECK("additional"); lookup->section_additional = state; break; case 'f': /* adflag */ + FULLCHECK("adflag"); lookup->adflag = state; break; default: @@ -651,6 +749,7 @@ plus_option(char *option, isc_boolean_t is_batchfile, } break; case 'l': /* all */ + FULLCHECK("all"); lookup->section_question = state; lookup->section_authority = state; lookup->section_answer = state; @@ -660,9 +759,11 @@ plus_option(char *option, isc_boolean_t is_batchfile, printcmd = state; break; case 'n': /* answer */ + FULLCHECK("answer"); lookup->section_answer = state; break; case 'u': /* authority */ + FULLCHECK("authority"); lookup->section_authority = state; break; default: @@ -672,9 +773,11 @@ plus_option(char *option, isc_boolean_t is_batchfile, case 'b': switch (cmd[1]) { case 'e':/* besteffort */ + FULLCHECK("besteffort"); lookup->besteffort = state; break; case 'u':/* bufsize */ + FULLCHECK("bufsize"); if (value == NULL) goto need_value; if (!state) @@ -689,12 +792,19 @@ plus_option(char *option, isc_boolean_t is_batchfile, case 'c': switch (cmd[1]) { case 'd':/* cdflag */ + FULLCHECK("cdflag"); lookup->cdflag = state; break; + case 'l': /* cl */ + FULLCHECK("cl"); + noclass = !state; + break; case 'm': /* cmd */ + FULLCHECK("cmd"); printcmd = state; break; case 'o': /* comments */ + FULLCHECK("comments"); lookup->comments = state; if (lookup == default_lookup) pluscomm = state; @@ -706,12 +816,15 @@ plus_option(char *option, isc_boolean_t is_batchfile, case 'd': switch (cmd[1]) { case 'e': /* defname */ + FULLCHECK("defname"); usesearch = state; break; case 'n': /* dnssec */ + FULLCHECK("dnssec"); lookup->dnssec = state; break; case 'o': /* domain */ + FULLCHECK("domain"); if (value == NULL) goto need_value; if (!state) @@ -723,24 +836,29 @@ plus_option(char *option, isc_boolean_t is_batchfile, } break; case 'f': /* fail */ + FULLCHECK("fail"); lookup->servfail_stops = state; break; case 'i': switch (cmd[1]) { case 'd': /* identify */ + FULLCHECK("identify"); lookup->identify = state; break; case 'g': /* ignore */ default: /* Inherets default for compatibility */ + FULLCHECK("ignore"); lookup->ignore = ISC_TRUE; } break; case 'm': /* multiline */ + FULLCHECK("multiline"); multiline = state; break; case 'n': switch (cmd[1]) { case 'd': /* ndots */ + FULLCHECK("ndots"); if (value == NULL) goto need_value; if (!state) @@ -748,6 +866,7 @@ plus_option(char *option, isc_boolean_t is_batchfile, ndots = parse_uint(value, "ndots", MAXNDOTS); break; case 's': /* nssearch */ + FULLCHECK("nssearch"); lookup->ns_search_only = state; if (state) { lookup->trace_root = ISC_TRUE; @@ -770,9 +889,11 @@ plus_option(char *option, isc_boolean_t is_batchfile, case 'q': switch (cmd[1]) { case 'r': /* qr */ + FULLCHECK("qr"); qr = state; break; case 'u': /* question */ + FULLCHECK("question"); lookup->section_question = state; if (lookup == default_lookup) plusquest = state; @@ -781,15 +902,40 @@ plus_option(char *option, isc_boolean_t is_batchfile, goto invalid_option; } break; - case 'r': /* recurse */ - lookup->recurse = state; + case 'r': + switch (cmd[1]) { + case 'e': + switch (cmd[2]) { + case 'c': /* recurse */ + FULLCHECK("recurse"); + lookup->recurse = state; + break; + case 't': /* retry / retries */ + FULLCHECK2("retry", "retries"); + if (value == NULL) + goto need_value; + if (!state) + goto invalid_option; + lookup->retries = parse_uint(value, "retries", + MAXTRIES - 1); + lookup->retries++; + break; + default: + goto invalid_option; + } + break; + default: + goto invalid_option; + } break; case 's': switch (cmd[1]) { case 'e': /* search */ + FULLCHECK("search"); usesearch = state; break; case 'h': /* short */ + FULLCHECK("short"); short_form = state; if (state) { printcmd = ISC_FALSE; @@ -801,7 +947,16 @@ plus_option(char *option, isc_boolean_t is_batchfile, lookup->stats = ISC_FALSE; } break; +#ifdef DIG_SIGCHASE + case 'i': /* sigchase */ + FULLCHECK("sigchase"); + lookup->sigchase = state; + if (lookup->sigchase) + lookup->dnssec = ISC_TRUE; + break; +#endif case 't': /* stats */ + FULLCHECK("stats"); lookup->stats = state; break; default: @@ -811,10 +966,12 @@ plus_option(char *option, isc_boolean_t is_batchfile, case 't': switch (cmd[1]) { case 'c': /* tcp */ + FULLCHECK("tcp"); if (!is_batchfile) lookup->tcp_mode = state; break; case 'i': /* timeout */ + FULLCHECK("timeout"); if (value == NULL) goto need_value; if (!state) @@ -823,9 +980,16 @@ plus_option(char *option, isc_boolean_t is_batchfile, if (timeout == 0) timeout = 1; break; +#if DIG_SIGCHASE_TD + case 'o': /* topdown */ + FULLCHECK("topdown"); + lookup->do_topdown = state; + break; +#endif case 'r': switch (cmd[2]) { case 'a': /* trace */ + FULLCHECK("trace"); lookup->trace = state; lookup->trace_root = state; if (state) { @@ -835,28 +999,46 @@ plus_option(char *option, isc_boolean_t is_batchfile, lookup->stats = ISC_FALSE; lookup->section_additional = ISC_FALSE; lookup->section_authority = ISC_TRUE; - lookup->section_question = ISC_FALSE; + lookup->section_question = ISC_FALSE; } break; case 'i': /* tries */ + FULLCHECK("tries"); if (value == NULL) goto need_value; if (!state) goto invalid_option; - lookup->retries = parse_uint(value, "retries", - MAXTRIES); + lookup->retries = parse_uint(value, "tries", + MAXTRIES); if (lookup->retries == 0) lookup->retries = 1; break; +#ifdef DIG_SIGCHASE + case 'u': /* trusted-key */ + if (value == NULL) + goto need_value; + if (!state) + goto invalid_option; + n = strlcpy(trustedkey, ptr, + sizeof(trustedkey)); + if (n >= sizeof(trustedkey)) + fatal("trusted key too large"); + break; +#endif default: goto invalid_option; } break; + case 't': /* ttlid */ + FULLCHECK("ttlid"); + nottl = !state; + break; default: goto invalid_option; } break; case 'v': + FULLCHECK("vc"); if (!is_batchfile) lookup->tcp_mode = state; break; @@ -873,13 +1055,14 @@ plus_option(char *option, isc_boolean_t is_batchfile, /* * ISC_TRUE returned if value was used */ +static const char *single_dash_opts = "46dhimnv"; +static const char *dash_opts = "46bcdfhikmnptvyx"; static isc_boolean_t dash_option(char *option, char *next, dig_lookup_t **lookup, - isc_boolean_t *open_type_class, - isc_boolean_t *firstarg, - int argc, char **argv) + isc_boolean_t *open_type_class, isc_boolean_t *firstarg, + int argc, char **argv) { - char cmd, *value, *ptr; + char opt, *value, *ptr; isc_result_t result; isc_boolean_t value_from_next; isc_textregion_t tr; @@ -888,8 +1071,69 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, char textname[MXNAME]; struct in_addr in4; struct in6_addr in6; + in_port_t srcport; + char *hash, *cmd; - cmd = option[0]; + while (strpbrk(option, single_dash_opts) == &option[0]) { + /* + * Since the -[46dhimnv] options do not take an argument, + * account for them (in any number and/or combination) + * if they appear as the first character(s) of a q-opt. + */ + opt = option[0]; + switch (opt) { + case '4': + if (have_ipv4) { + isc_net_disableipv6(); + have_ipv6 = ISC_FALSE; + } else { + fatal("can't find IPv4 networking"); + return (ISC_FALSE); + } + break; + case '6': + if (have_ipv6) { + isc_net_disableipv4(); + have_ipv4 = ISC_FALSE; + } else { + fatal("can't find IPv6 networking"); + return (ISC_FALSE); + } + break; + case 'd': + ptr = strpbrk(&option[1], dash_opts); + if (ptr != &option[1]) { + cmd = option; + FULLCHECK("debug"); + debugging = ISC_TRUE; + return (ISC_FALSE); + } else + debugging = ISC_TRUE; + break; + case 'h': + help(); + exit(0); + break; + case 'i': + ip6_int = ISC_TRUE; + break; + case 'm': /* memdebug */ + /* memdebug is handled in preparse_args() */ + break; + case 'n': + /* deprecated */ + break; + case 'v': + version(); + exit(0); + break; + } + if (strlen(option) > 1U) + option = &option[1]; + else + return (ISC_FALSE); + } + opt = option[0]; if (strlen(option) > 1U) { value_from_next = ISC_FALSE; value = &option[1]; @@ -897,46 +1141,31 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, value_from_next = ISC_TRUE; value = next; } - switch (cmd) { - case 'd': - debugging = ISC_TRUE; - return (ISC_FALSE); - case 'h': - help(); - exit(0); - break; - case 'i': - ip6_int = ISC_TRUE; - return (ISC_FALSE); - case 'm': /* memdebug */ - /* memdebug is handled in preparse_args() */ - return (ISC_FALSE); - case 'n': - /* deprecated */ - return (ISC_FALSE); - case '4': - if (have_ipv4) - have_ipv6 = ISC_FALSE; - else - fatal("can't find v4 networking"); - return (ISC_FALSE); - case '6': - if (have_ipv6) - have_ipv4 = ISC_FALSE; - else - fatal("can't find v6 networking"); - return (ISC_FALSE); - } if (value == NULL) goto invalid_option; - switch (cmd) { + switch (opt) { case 'b': - if (have_ipv6 && inet_pton(AF_INET6, value, &in6) == 1) - isc_sockaddr_fromin6(&bind_address, &in6, 0); - else if (have_ipv4 && inet_pton(AF_INET, value, &in4) == 1) - isc_sockaddr_fromin(&bind_address, &in4, 0); - else + hash = strchr(value, '#'); + if (hash != NULL) { + srcport = (in_port_t) + parse_uint(hash + 1, + "port number", MAXPORT); + *hash = '\0'; + } else + srcport = 0; + if (have_ipv6 && inet_pton(AF_INET6, value, &in6) == 1) { + isc_sockaddr_fromin6(&bind_address, &in6, srcport); + isc_net_disableipv4(); + } else if (have_ipv4 && inet_pton(AF_INET, value, &in4) == 1) { + isc_sockaddr_fromin(&bind_address, &in4, srcport); + isc_net_disableipv6(); + } else { + if (hash != NULL) + *hash = '#'; fatal("invalid address %s", value); + } + if (hash != NULL) + *hash = '#'; specified_source = ISC_TRUE; return (value_from_next); case 'c': @@ -976,8 +1205,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, result = dns_rdatatype_fromtext(&rdtype, (isc_textregion_t *)&tr); if (result == ISC_R_SUCCESS && - rdtype == dns_rdatatype_ixfr) - { + rdtype == dns_rdatatype_ixfr) { result = DNS_R_UNKNOWN; } } @@ -1021,9 +1249,8 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, return (value_from_next); case 'x': *lookup = clone_lookup(default_lookup, ISC_TRUE); - if (get_reverse(textname, value, ip6_int, ISC_TRUE) - == ISC_R_SUCCESS) - { + if (get_reverse(textname, sizeof(textname), value, + ip6_int, ISC_FALSE) == ISC_R_SUCCESS) { strlcpy((*lookup)->textname, textname, sizeof((*lookup)->textname)); debug("looking up %s", (*lookup)->textname); @@ -1035,8 +1262,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, if (!(*lookup)->rdclassset) (*lookup)->rdclass = dns_rdataclass_in; (*lookup)->new_search = ISC_TRUE; - if (*lookup && *firstarg) - { + if (*lookup && *firstarg) { printgreeting(argc, argv, *lookup); *firstarg = ISC_FALSE; } @@ -1066,20 +1292,26 @@ static void preparse_args(int argc, char **argv) { int rc; char **rv; + char *option; rc = argc; rv = argv; for (rc--, rv++; rc > 0; rc--, rv++) { - if (strcmp(rv[0], "-m") == 0) { - memdebugging = ISC_TRUE; - isc_mem_debugging = ISC_MEM_DEBUGTRACE | - ISC_MEM_DEBUGRECORD; - return; + if (rv[0][0] != '-') + continue; + option = &rv[0][1]; + while (strpbrk(option, single_dash_opts) == &option[0]) { + if (option[0] == 'm') { + memdebugging = ISC_TRUE; + isc_mem_debugging = ISC_MEM_DEBUGTRACE | + ISC_MEM_DEBUGRECORD; + return; + } + option = &option[1]; } } } - static void parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only, int argc, char **argv) { @@ -1120,14 +1352,17 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only, #ifndef NOPOSIX /* - * Treat .digrc as a special batchfile + * Treat ${HOME}/.digrc as a special batchfile */ + INSIST(batchfp == NULL); homedir = getenv("HOME"); - if (homedir != NULL) - snprintf(rcfile, sizeof(rcfile), "%s/.digrc", homedir); - else - strlcpy(rcfile, ".digrc", sizeof(rcfile)); - batchfp = fopen(rcfile, "r"); + if (homedir != NULL) { + unsigned int n; + n = snprintf(rcfile, sizeof(rcfile), "%s/.digrc", + homedir); + if (n < sizeof(rcfile)) + batchfp = fopen(rcfile, "r"); + } if (batchfp != NULL) { while (fgets(batchline, sizeof(batchline), batchfp) != 0) { @@ -1138,7 +1373,8 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only, while ((bargv[bargc] != NULL) && (bargc < 62)) { bargc++; - bargv[bargc] = next_token(&input, " \t\r\n"); + bargv[bargc] = + next_token(&input, " \t\r\n"); } bargv[0] = argv[0]; @@ -1196,10 +1432,9 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only, tr.base = rv[0]; tr.length = strlen(rv[0]); result = dns_rdatatype_fromtext(&rdtype, - (isc_textregion_t *)&tr); + (isc_textregion_t *)&tr); if (result == ISC_R_SUCCESS && - rdtype == dns_rdatatype_ixfr) - { + rdtype == dns_rdatatype_ixfr) { result = DNS_R_UNKNOWN; fprintf(stderr, ";; Warning, " "ixfr requires a " @@ -1207,28 +1442,30 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only, continue; } } - if (result == ISC_R_SUCCESS) - { + if (result == ISC_R_SUCCESS) { if (lookup->rdtypeset) { fprintf(stderr, ";; Warning, " "extra type option\n"); } if (rdtype == dns_rdatatype_ixfr) { - lookup->rdtype = dns_rdatatype_ixfr; + lookup->rdtype = + dns_rdatatype_ixfr; lookup->rdtypeset = ISC_TRUE; lookup->ixfr_serial = parse_uint(&rv[0][5], "serial number", MAXSERIAL); - lookup->section_question = plusquest; + lookup->section_question = + plusquest; lookup->comments = pluscomm; } else { lookup->rdtype = rdtype; lookup->rdtypeset = ISC_TRUE; - if (rdtype == dns_rdatatype_axfr) { - lookup->section_question = + if (rdtype == + dns_rdatatype_axfr) { + lookup->section_question = plusquest; - lookup->comments = pluscomm; + lookup->comments = pluscomm; } lookup->ixfr_serial = ISC_FALSE; } @@ -1278,7 +1515,7 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only, perror(batchname); if (exitcode < 8) exitcode = 8; - fatal("Couldn't open specified batch file"); + fatal("couldn't open specified batch file"); } /* XXX Remove code dup from shutdown code */ next_line: @@ -1322,9 +1559,9 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only, } /* - * Callback from dighost.c to allow program-specific shutdown code. Here, - * Here, we're possibly reading from a batch file, then shutting down for - * real if there's nothing in the batch file to read. + * Callback from dighost.c to allow program-specific shutdown code. + * Here, we're possibly reading from a batch file, then shutting down + * for real if there's nothing in the batch file to read. */ void dighost_shutdown(void) { @@ -1339,6 +1576,7 @@ dighost_shutdown(void) { return; } + fflush(stdout); if (feof(batchfp)) { batchname = NULL; isc_app_shutdown(); @@ -1410,6 +1648,9 @@ main(int argc, char **argv) { fclose(batchfp); batchname = NULL; } +#ifdef DIG_SIGCHASE + clean_trustedkey(); +#endif cancel_all(); destroy_libs(); isc_app_finish(); diff --git a/usr.sbin/bind/bin/dig/dig.docbook b/usr.sbin/bind/bin/dig/dig.docbook index 4a2e5a4e154..26471240b16 100644 --- a/usr.sbin/bind/bin/dig/dig.docbook +++ b/usr.sbin/bind/bin/dig/dig.docbook @@ -1,22 +1,22 @@ <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> <!-- - - Copyright (C) 2000, 2001, 2003 Internet Software Consortium. + - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2003 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $ISC: dig.docbook,v 1.4.2.7 2003/05/12 02:50:15 marka Exp $ --> +<!-- $ISC: dig.docbook,v 1.4.2.7.4.9 2004/06/23 04:19:41 marka Exp $ --> <refentry> @@ -47,6 +47,8 @@ <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg> <arg><option>-x <replaceable class="parameter">addr</replaceable></option></arg> <arg><option>-y <replaceable class="parameter">name:key</replaceable></option></arg> +<arg><option>-4</option></arg> +<arg><option>-6</option></arg> <arg choice=opt>name</arg> <arg choice=opt>type</arg> <arg choice=opt>class</arg> @@ -99,9 +101,9 @@ NS query for "." (the root). </para> <para> -It is possible to set per user defaults for <command>dig</command> via +It is possible to set per-user defaults for <command>dig</command> via <filename>${HOME}/.digrc</filename>. This file is read and any options in it -are applied before the command line arguements. +are applied before the command line arguments. </para> </refsect1> @@ -153,7 +155,8 @@ ANY, A, MX, SIG, etc. <para> The <option>-b</option> option sets the source IP address of the query to <parameter>address</parameter>. This must be a valid address on -one of the host's network interfaces. +one of the host's network interfaces or "0.0.0.0" or "::". An optional port +may be specified by appending "#<port>" </para> <para> @@ -181,6 +184,12 @@ on a non-standard port number. </para> <para> +The <option>-4</option> option forces <command>dig</command> to only +use IPv4 query transport. The <option>-6</option> option forces +<command>dig</command> to only use IPv6 query transport. +</para> + +<para> The <option>-t</option> option sets the query type to <parameter>type</parameter>. It can be any valid query type which is supported in BIND9. The default query type "A", unless the @@ -203,9 +212,10 @@ When this option is used, there is no need to provide the automatically performs a lookup for a name like <literal>11.12.13.10.in-addr.arpa</literal> and sets the query type and class to PTR and IN respectively. By default, IPv6 addresses are -looked up using the IP6.ARPA domain and binary labels as defined in -RFC2874. To use the older RFC1886 method using the IP6.INT domain and -"nibble" labels, specify the <option>-n</option> (nibble) option. +looked up using nibble format under the IP6.ARPA domain. +To use the older RFC1886 method using the IP6.INT domain +specify the <option>-i</option> option. Bit string labels (RFC2874) +are now experimental and are not attempted. </para> <para> @@ -296,9 +306,12 @@ Deprecated, treated as a synonym for <parameter>+[no]search</parameter> <varlistentry><term><option>+[no]aaonly</option></term> <listitem><para> -This option does nothing. It is provided for compatibility with old -versions of <command>dig</command> where it set an unimplemented -resolver flag. +Sets the "aa" flag in the query. +</para></listitem></varlistentry> + +<varlistentry><term><option>+[no]aaflag</option></term> +<listitem><para> +A synonym for <parameter>+[no]aaonly</parameter>. </para></listitem></varlistentry> <varlistentry><term><option>+[no]adflag</option></term> @@ -315,6 +328,16 @@ Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses. </para></listitem></varlistentry> +<varlistentry><term><option>+[no]cl</option></term> +<listitem><para> +Display [do not display] the CLASS when printing the record. +</para></listitem></varlistentry> + +<varlistentry><term><option>+[no]ttlid</option></term> +<listitem><para> +Display [do not display] the TTL when printing the record. +</para></listitem></varlistentry> + <varlistentry><term><option>+[no]recurse</option></term> <listitem><para> Toggle the setting of the RD (recursion desired) bit in the query. @@ -422,10 +445,18 @@ in a query timeout of 1 second being applied. <varlistentry><term><option>+tries=T</option></term> <listitem><para> -Sets the number of times to retry UDP queries to server to +Sets the number of times to try UDP queries to server to <parameter>T</parameter> instead of the default, 3. If <parameter>T</parameter> is less than or equal to zero, the number of -retries is silently rounded up to 1. +tries is silently rounded up to 1. +</para></listitem></varlistentry> + +<varlistentry><term><option>+retry=T</option></term> +<listitem><para> +Sets the number of times to retry UDP queries to server to +<parameter>T</parameter> instead of the default, 2. Unlike +<parameter>+tries</parameter>, this does not include the initial +query. </para></listitem></varlistentry> <varlistentry><term><option>+ndots=D</option></term> @@ -455,29 +486,46 @@ Print records like the SOA records in a verbose multi-line format with human-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the <command>dig</command> output. -</para> -</listitem></varlistentry> +</para></listitem></varlistentry> <varlistentry><term><option>+[no]fail</option></term> <listitem><para> Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behaviour. -</para> +</para></listitem></varlistentry> -</listitem></varlistentry> <varlistentry><term><option>+[no]besteffort</option></term> <listitem><para> Attempt to display the contents of messages which are malformed. The default is to not display malformed answers. -</para> +</para></listitem></varlistentry> -</listitem></varlistentry> <varlistentry><term><option>+[no]dnssec</option></term> <listitem><para> Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query. -</para> +</para></listitem></varlistentry> + +<varlistentry><term><option>+[no]sigchase</option></term> +<listitem><para> +Chase DNSSEC signature chains. Requires dig be compiled with +-DDIG_SIGCHASE. +</para></listitem></varlistentry> + +<varlistentry><term><option>+trusted-key=####</option></term> +<listitem><para> +Specify a trusted key to be used with <option>+sigchase</option>. +Requires dig be compiled with -DDIG_SIGCHASE. +</para></listitem></varlistentry> + +<varlistentry><term><option>+[no]topdown</option></term> +<listitem><para> +When chasing DNSSEC signature chains perform a top down validation. +Requires dig be compiled with -DDIG_SIGCHASE. +</para></listitem></varlistentry> + + </variablelist> diff --git a/usr.sbin/bind/bin/dig/dig.html b/usr.sbin/bind/bin/dig/dig.html index 5ad1cdc3f1b..9035ecb5d70 100644 --- a/usr.sbin/bind/bin/dig/dig.html +++ b/usr.sbin/bind/bin/dig/dig.html @@ -1,27 +1,30 @@ <!-- - - Copyright (C) 2000, 2001 Internet Software Consortium. - - + - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2003 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - - - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. --> + +<!-- $ISC: dig.html,v 1.6.2.4.2.7 2004/08/22 23:38:57 marka Exp $ --> + +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML ><HEAD ><TITLE >dig</TITLE ><META NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.73 -"></HEAD +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD ><BODY CLASS="REFENTRY" BGCOLOR="#FFFFFF" @@ -32,8 +35,8 @@ ALINK="#0000FF" ><H1 ><A NAME="AEN1" ->dig</A -></H1 +></A +>dig</H1 ><DIV CLASS="REFNAMEDIV" ><A @@ -53,78 +56,68 @@ NAME="AEN11" ><B CLASS="COMMAND" >dig</B -> [@server] [<TT +> [@server] [<VAR CLASS="OPTION" ->-b <TT +>-b <VAR CLASS="REPLACEABLE" -><I ->address</I -></TT -></TT ->] [<TT +>address</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-c <TT +>-c <VAR CLASS="REPLACEABLE" -><I ->class</I -></TT -></TT ->] [<TT +>class</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-f <TT +>-f <VAR CLASS="REPLACEABLE" -><I ->filename</I -></TT -></TT ->] [<TT +>filename</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-k <TT +>-k <VAR CLASS="REPLACEABLE" -><I ->filename</I -></TT -></TT ->] [<TT +>filename</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-p <TT +>-p <VAR CLASS="REPLACEABLE" -><I ->port#</I -></TT -></TT ->] [<TT +>port#</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-t <TT +>-t <VAR CLASS="REPLACEABLE" -><I ->type</I -></TT -></TT ->] [<TT +>type</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-x <TT +>-x <VAR CLASS="REPLACEABLE" -><I ->addr</I -></TT -></TT ->] [<TT +>addr</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-y <TT +>-y <VAR CLASS="REPLACEABLE" -><I ->name:key</I -></TT -></TT +>name:key</VAR +></VAR +>] [<VAR +CLASS="OPTION" +>-4</VAR +>] [<VAR +CLASS="OPTION" +>-6</VAR >] [name] [type] [class] [queryopt...]</P ><P ><B CLASS="COMMAND" >dig</B -> [<TT +> [<VAR CLASS="OPTION" ->-h</TT +>-h</VAR >]</P ><P ><B @@ -135,7 +128,7 @@ CLASS="COMMAND" ><DIV CLASS="REFSECT1" ><A -NAME="AEN51" +NAME="AEN55" ></A ><H2 >DESCRIPTION</H2 @@ -163,9 +156,9 @@ CLASS="COMMAND" > is normally used with command-line arguments, it also has a batch mode of operation for reading lookup requests from a file. A brief summary of its command-line arguments -and options is printed when the <TT +and options is printed when the <VAR CLASS="OPTION" ->-h</TT +>-h</VAR > option is given. Unlike earlier versions, the BIND9 implementation of <B @@ -187,7 +180,7 @@ CLASS="FILENAME" >When no command line arguments or options are given, will perform an NS query for "." (the root).</P ><P ->It is possible to set per user defaults for <B +>It is possible to set per-user defaults for <B CLASS="COMMAND" >dig</B > via @@ -195,12 +188,12 @@ CLASS="COMMAND" CLASS="FILENAME" >${HOME}/.digrc</TT >. This file is read and any options in it -are applied before the command line arguements.</P +are applied before the command line arguments.</P ></DIV ><DIV CLASS="REFSECT1" ><A -NAME="AEN68" +NAME="AEN72" ></A ><H2 >SIMPLE USAGE</H2 @@ -220,30 +213,26 @@ CLASS="PROGRAMLISTING" CLASS="VARIABLELIST" ><DL ><DT -><TT +><CODE CLASS="CONSTANT" ->server</TT +>server</CODE ></DT ><DD ><P >is the name or IP address of the name server to query. This can be an IPv4 address in dotted-decimal notation or an IPv6 address in colon-delimited notation. When the supplied -<TT +<VAR CLASS="PARAMETER" -><I ->server</I -></TT +>server</VAR > argument is a hostname, <B CLASS="COMMAND" >dig</B > resolves that name before querying that name -server. If no <TT +server. If no <VAR CLASS="PARAMETER" -><I ->server</I -></TT +>server</VAR > argument is provided, <B CLASS="COMMAND" @@ -256,34 +245,30 @@ and queries the name servers listed there. The reply from the name server that responds is displayed.</P ></DD ><DT -><TT +><CODE CLASS="CONSTANT" ->name</TT +>name</CODE ></DT ><DD ><P >is the name of the resource record that is to be looked up.</P ></DD ><DT -><TT +><CODE CLASS="CONSTANT" ->type</TT +>type</CODE ></DT ><DD ><P >indicates what type of query is required — ANY, A, MX, SIG, etc. -<TT +<VAR CLASS="PARAMETER" -><I ->type</I -></TT +>type</VAR > can be any valid query type. If no -<TT +<VAR CLASS="PARAMETER" -><I ->type</I -></TT +>type</VAR > argument is supplied, <B CLASS="COMMAND" @@ -297,48 +282,43 @@ CLASS="COMMAND" ><DIV CLASS="REFSECT1" ><A -NAME="AEN97" +NAME="AEN101" ></A ><H2 >OPTIONS</H2 ><P ->The <TT +>The <VAR CLASS="OPTION" ->-b</TT +>-b</VAR > option sets the source IP address of the query -to <TT +to <VAR CLASS="PARAMETER" -><I ->address</I -></TT +>address</VAR >. This must be a valid address on -one of the host's network interfaces.</P +one of the host's network interfaces or "0.0.0.0" or "::". An optional port +may be specified by appending "#<port>"</P ><P >The default query class (IN for internet) is overridden by the -<TT +<VAR CLASS="OPTION" ->-c</TT -> option. <TT +>-c</VAR +> option. <VAR CLASS="PARAMETER" -><I ->class</I -></TT +>class</VAR > is any valid class, such as HS for Hesiod records or CH for CHAOSNET records.</P ><P ->The <TT +>The <VAR CLASS="OPTION" ->-f</TT +>-f</VAR > option makes <B CLASS="COMMAND" >dig </B > operate in batch mode by reading a list of lookup requests to process from the -file <TT +file <VAR CLASS="PARAMETER" -><I ->filename</I -></TT +>filename</VAR >. The file contains a number of queries, one per line. Each entry in the file should be organised in the same way they would be presented as queries to @@ -348,14 +328,12 @@ CLASS="COMMAND" > using the command-line interface.</P ><P >If a non-standard port number is to be queried, the -<TT +<VAR CLASS="OPTION" ->-p</TT -> option is used. <TT +>-p</VAR +> option is used. <VAR CLASS="PARAMETER" -><I ->port#</I -></TT +>port#</VAR > is the port number that <B CLASS="COMMAND" @@ -365,110 +343,109 @@ instead of the standard DNS port number 53. This option would be used to test a name server that has been configured to listen for queries on a non-standard port number.</P ><P ->The <TT +>The <VAR +CLASS="OPTION" +>-4</VAR +> option forces <B +CLASS="COMMAND" +>dig</B +> to only +use IPv4 query transport. The <VAR +CLASS="OPTION" +>-6</VAR +> option forces +<B +CLASS="COMMAND" +>dig</B +> to only use IPv6 query transport.</P +><P +>The <VAR CLASS="OPTION" ->-t</TT +>-t</VAR > option sets the query type to -<TT +<VAR CLASS="PARAMETER" -><I ->type</I -></TT +>type</VAR >. It can be any valid query type which is supported in BIND9. The default query type "A", unless the -<TT +<VAR CLASS="OPTION" ->-x</TT +>-x</VAR > option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required, -<TT +<VAR CLASS="PARAMETER" -><I ->type</I -></TT -> is set to <TT +>type</VAR +> is set to <VAR CLASS="LITERAL" ->ixfr=N</TT +>ixfr=N</VAR >. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone's SOA record was -<TT +<VAR CLASS="PARAMETER" -><I ->N</I -></TT +>N</VAR >.</P ><P >Reverse lookups - mapping addresses to names - are simplified by the -<TT +<VAR CLASS="OPTION" ->-x</TT -> option. <TT +>-x</VAR +> option. <VAR CLASS="PARAMETER" -><I ->addr</I -></TT +>addr</VAR > is an IPv4 address in dotted-decimal notation, or a colon-delimited IPv6 address. When this option is used, there is no need to provide the -<TT +<VAR CLASS="PARAMETER" -><I ->name</I -></TT ->, <TT +>name</VAR +>, <VAR CLASS="PARAMETER" -><I ->class</I -></TT +>class</VAR > and -<TT +<VAR CLASS="PARAMETER" -><I ->type</I -></TT +>type</VAR > arguments. <B CLASS="COMMAND" >dig</B > automatically performs a lookup for a name like -<TT +<VAR CLASS="LITERAL" ->11.12.13.10.in-addr.arpa</TT +>11.12.13.10.in-addr.arpa</VAR > and sets the query type and class to PTR and IN respectively. By default, IPv6 addresses are -looked up using the IP6.ARPA domain and binary labels as defined in -RFC2874. To use the older RFC1886 method using the IP6.INT domain and -"nibble" labels, specify the <TT +looked up using nibble format under the IP6.ARPA domain. +To use the older RFC1886 method using the IP6.INT domain +specify the <VAR CLASS="OPTION" ->-n</TT -> (nibble) option.</P +>-i</VAR +> option. Bit string labels (RFC2874) +are now experimental and are not attempted.</P ><P >To sign the DNS queries sent by <B CLASS="COMMAND" >dig</B > and their responses using transaction signatures (TSIG), specify a TSIG key file -using the <TT +using the <VAR CLASS="OPTION" ->-k</TT +>-k</VAR > option. You can also specify the TSIG -key itself on the command line using the <TT +key itself on the command line using the <VAR CLASS="OPTION" ->-y</TT +>-y</VAR > option; -<TT +<VAR CLASS="PARAMETER" -><I ->name</I -></TT +>name</VAR > is the name of the TSIG key and -<TT +<VAR CLASS="PARAMETER" -><I ->key</I -></TT +>key</VAR > is the actual key. The key is a base-64 encoded string, typically generated by <SPAN CLASS="CITEREFENTRY" @@ -478,9 +455,9 @@ CLASS="REFENTRYTITLE" >(8)</SPAN >. -Caution should be taken when using the <TT +Caution should be taken when using the <VAR CLASS="OPTION" ->-y</TT +>-y</VAR > option on multi-user systems as the key can be visible in the output from <SPAN @@ -511,7 +488,7 @@ CLASS="FILENAME" ><DIV CLASS="REFSECT1" ><A -NAME="AEN147" +NAME="AEN156" ></A ><H2 >QUERY OPTIONS</H2 @@ -526,18 +503,18 @@ sections of the answer get printed, and others determine the timeout and retry strategies.</P ><P >Each query option is identified by a keyword preceded by a plus sign -(<TT +(<VAR CLASS="LITERAL" ->+</TT +>+</VAR >). Some keywords set or reset an option. These may be preceded -by the string <TT +by the string <VAR CLASS="LITERAL" ->no</TT +>no</VAR > to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They -have the form <TT +have the form <VAR CLASS="OPTION" ->+keyword=value</TT +>+keyword=value</VAR >. The query options are: @@ -547,9 +524,9 @@ The query options are: CLASS="VARIABLELIST" ><DL ><DT -><TT +><VAR CLASS="OPTION" ->+[no]tcp</TT +>+[no]tcp</VAR ></DT ><DD ><P @@ -558,25 +535,23 @@ behaviour is to use UDP unless an AXFR or IXFR query is requested, in which case a TCP connection is used.</P ></DD ><DT -><TT +><VAR CLASS="OPTION" ->+[no]vc</TT +>+[no]vc</VAR ></DT ><DD ><P >Use [do not use] TCP when querying name servers. This alternate -syntax to <TT +syntax to <VAR CLASS="PARAMETER" -><I ->+[no]tcp</I -></TT +>+[no]tcp</VAR > is provided for backwards compatibility. The "vc" stands for "virtual circuit".</P ></DD ><DT -><TT +><VAR CLASS="OPTION" ->+[no]ignore</TT +>+[no]ignore</VAR ></DT ><DD ><P @@ -584,18 +559,16 @@ CLASS="OPTION" default, TCP retries are performed.</P ></DD ><DT -><TT +><VAR CLASS="OPTION" ->+domain=somename</TT +>+domain=somename</VAR ></DT ><DD ><P >Set the search list to contain the single domain -<TT +<VAR CLASS="PARAMETER" -><I ->somename</I -></TT +>somename</VAR >, as if specified in a <B CLASS="COMMAND" @@ -605,17 +578,15 @@ CLASS="COMMAND" CLASS="FILENAME" >/etc/resolv.conf</TT >, and enable search list -processing as if the <TT +processing as if the <VAR CLASS="PARAMETER" -><I ->+search</I -></TT +>+search</VAR > option were given.</P ></DD ><DT -><TT +><VAR CLASS="OPTION" ->+[no]search</TT +>+[no]search</VAR ></DT ><DD ><P @@ -627,37 +598,42 @@ CLASS="FILENAME" The search list is not used by default.</P ></DD ><DT -><TT +><VAR CLASS="OPTION" ->+[no]defname</TT +>+[no]defname</VAR ></DT ><DD ><P ->Deprecated, treated as a synonym for <TT +>Deprecated, treated as a synonym for <VAR CLASS="PARAMETER" -><I ->+[no]search</I -></TT +>+[no]search</VAR ></P ></DD ><DT -><TT +><VAR CLASS="OPTION" ->+[no]aaonly</TT +>+[no]aaonly</VAR ></DT ><DD ><P ->This option does nothing. It is provided for compatibility with old -versions of <B -CLASS="COMMAND" ->dig</B -> where it set an unimplemented -resolver flag.</P +>Sets the "aa" flag in the query.</P ></DD ><DT -><TT +><VAR CLASS="OPTION" ->+[no]adflag</TT +>+[no]aaflag</VAR +></DT +><DD +><P +>A synonym for <VAR +CLASS="PARAMETER" +>+[no]aaonly</VAR +>.</P +></DD +><DT +><VAR +CLASS="OPTION" +>+[no]adflag</VAR ></DT ><DD ><P @@ -667,9 +643,9 @@ but the ability to set the bit in the query is provided for completeness.</P ></DD ><DT -><TT +><VAR CLASS="OPTION" ->+[no]cdflag</TT +>+[no]cdflag</VAR ></DT ><DD ><P @@ -677,9 +653,27 @@ CLASS="OPTION" requests the server to not perform DNSSEC validation of responses.</P ></DD ><DT -><TT +><VAR CLASS="OPTION" ->+[no]recurse</TT +>+[no]cl</VAR +></DT +><DD +><P +>Display [do not display] the CLASS when printing the record.</P +></DD +><DT +><VAR +CLASS="OPTION" +>+[no]ttlid</VAR +></DT +><DD +><P +>Display [do not display] the TTL when printing the record.</P +></DD +><DT +><VAR +CLASS="OPTION" +>+[no]recurse</VAR ></DT ><DD ><P @@ -689,23 +683,19 @@ CLASS="COMMAND" >dig</B > normally sends recursive queries. Recursion is automatically disabled -when the <TT +when the <VAR CLASS="PARAMETER" -><I ->+nssearch</I -></TT +>+nssearch</VAR > or -<TT +<VAR CLASS="PARAMETER" -><I ->+trace</I -></TT +>+trace</VAR > query options are used.</P ></DD ><DT -><TT +><VAR CLASS="OPTION" ->+[no]nssearch</TT +>+[no]nssearch</VAR ></DT ><DD ><P @@ -718,9 +708,9 @@ looked up and display the SOA record that each name server has for the zone.</P ></DD ><DT -><TT +><VAR CLASS="OPTION" ->+[no]trace</TT +>+[no]trace</VAR ></DT ><DD ><P @@ -735,9 +725,9 @@ root servers, showing the answer from each server that was used to resolve the lookup.</P ></DD ><DT -><TT +><VAR CLASS="OPTION" ->+[no]cmd</TT +>+[no]cmd</VAR ></DT ><DD ><P @@ -749,9 +739,9 @@ CLASS="COMMAND" been applied. This comment is printed by default.</P ></DD ><DT -><TT +><VAR CLASS="OPTION" ->+[no]short</TT +>+[no]short</VAR ></DT ><DD ><P @@ -759,26 +749,24 @@ CLASS="OPTION" verbose form.</P ></DD ><DT -><TT +><VAR CLASS="OPTION" ->+[no]identify</TT +>+[no]identify</VAR ></DT ><DD ><P >Show [or do not show] the IP address and port number that supplied the -answer when the <TT +answer when the <VAR CLASS="PARAMETER" -><I ->+short</I -></TT +>+short</VAR > option is enabled. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer.</P ></DD ><DT -><TT +><VAR CLASS="OPTION" ->+[no]comments</TT +>+[no]comments</VAR ></DT ><DD ><P @@ -786,9 +774,9 @@ CLASS="OPTION" print comments.</P ></DD ><DT -><TT +><VAR CLASS="OPTION" ->+[no]stats</TT +>+[no]stats</VAR ></DT ><DD ><P @@ -797,9 +785,9 @@ was made, the size of the reply and so on. The default behaviour is to print the query statistics.</P ></DD ><DT -><TT +><VAR CLASS="OPTION" ->+[no]qr</TT +>+[no]qr</VAR ></DT ><DD ><P @@ -807,9 +795,9 @@ CLASS="OPTION" By default, the query is not printed.</P ></DD ><DT -><TT +><VAR CLASS="OPTION" ->+[no]question</TT +>+[no]question</VAR ></DT ><DD ><P @@ -817,9 +805,9 @@ CLASS="OPTION" returned. The default is to print the question section as a comment.</P ></DD ><DT -><TT +><VAR CLASS="OPTION" ->+[no]answer</TT +>+[no]answer</VAR ></DT ><DD ><P @@ -827,9 +815,9 @@ CLASS="OPTION" is to display it.</P ></DD ><DT -><TT +><VAR CLASS="OPTION" ->+[no]authority</TT +>+[no]authority</VAR ></DT ><DD ><P @@ -837,9 +825,9 @@ CLASS="OPTION" default is to display it.</P ></DD ><DT -><TT +><VAR CLASS="OPTION" ->+[no]additional</TT +>+[no]additional</VAR ></DT ><DD ><P @@ -847,76 +835,82 @@ CLASS="OPTION" The default is to display it.</P ></DD ><DT -><TT +><VAR CLASS="OPTION" ->+[no]all</TT +>+[no]all</VAR ></DT ><DD ><P >Set or clear all display flags.</P ></DD ><DT -><TT +><VAR CLASS="OPTION" ->+time=T</TT +>+time=T</VAR ></DT ><DD ><P > Sets the timeout for a query to -<TT +<VAR CLASS="PARAMETER" -><I ->T</I -></TT +>T</VAR > seconds. The default time out is 5 seconds. -An attempt to set <TT +An attempt to set <VAR CLASS="PARAMETER" -><I ->T</I -></TT +>T</VAR > to less than 1 will result in a query timeout of 1 second being applied.</P ></DD ><DT -><TT +><VAR CLASS="OPTION" ->+tries=T</TT +>+tries=T</VAR ></DT ><DD ><P ->Sets the number of times to retry UDP queries to server to -<TT +>Sets the number of times to try UDP queries to server to +<VAR CLASS="PARAMETER" -><I ->T</I -></TT +>T</VAR > instead of the default, 3. If -<TT +<VAR CLASS="PARAMETER" -><I ->T</I -></TT +>T</VAR > is less than or equal to zero, the number of -retries is silently rounded up to 1.</P +tries is silently rounded up to 1.</P ></DD ><DT -><TT +><VAR +CLASS="OPTION" +>+retry=T</VAR +></DT +><DD +><P +>Sets the number of times to retry UDP queries to server to +<VAR +CLASS="PARAMETER" +>T</VAR +> instead of the default, 2. Unlike +<VAR +CLASS="PARAMETER" +>+tries</VAR +>, this does not include the initial +query.</P +></DD +><DT +><VAR CLASS="OPTION" ->+ndots=D</TT +>+ndots=D</VAR ></DT ><DD ><P >Set the number of dots that have to appear in -<TT +<VAR CLASS="PARAMETER" -><I ->name</I -></TT -> to <TT +>name</VAR +> to <VAR CLASS="PARAMETER" -><I ->D</I -></TT +>D</VAR > for it to be considered absolute. The default value is that defined using the ndots statement in <TT @@ -925,12 +919,12 @@ CLASS="FILENAME" >, or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the -<TT +<VAR CLASS="OPTION" ->search</TT -> or <TT +>search</VAR +> or <VAR CLASS="OPTION" ->domain</TT +>domain</VAR > directive in <TT CLASS="FILENAME" @@ -938,26 +932,24 @@ CLASS="FILENAME" >.</P ></DD ><DT -><TT +><VAR CLASS="OPTION" ->+bufsize=B</TT +>+bufsize=B</VAR ></DT ><DD ><P >Set the UDP message buffer size advertised using EDNS0 to -<TT +<VAR CLASS="PARAMETER" -><I ->B</I -></TT +>B</VAR > bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately.</P ></DD ><DT -><TT +><VAR CLASS="OPTION" ->+[no]multiline</TT +>+[no]multiline</VAR ></DT ><DD ><P @@ -970,9 +962,9 @@ CLASS="COMMAND" > output.</P ></DD ><DT -><TT +><VAR CLASS="OPTION" ->+[no]fail</TT +>+[no]fail</VAR ></DT ><DD ><P @@ -981,9 +973,9 @@ to not try the next server which is the reverse of normal stub resolver behaviour.</P ></DD ><DT -><TT +><VAR CLASS="OPTION" ->+[no]besteffort</TT +>+[no]besteffort</VAR ></DT ><DD ><P @@ -991,15 +983,48 @@ CLASS="OPTION" The default is to not display malformed answers.</P ></DD ><DT -><TT +><VAR CLASS="OPTION" ->+[no]dnssec</TT +>+[no]dnssec</VAR ></DT ><DD ><P >Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query.</P ></DD +><DT +><VAR +CLASS="OPTION" +>+[no]sigchase</VAR +></DT +><DD +><P +>Chase DNSSEC signature chains. Requires dig be compiled with +-DDIG_SIGCHASE.</P +></DD +><DT +><VAR +CLASS="OPTION" +>+trusted-key=####</VAR +></DT +><DD +><P +>Specify a trusted key to be used with <VAR +CLASS="OPTION" +>+sigchase</VAR +>. +Requires dig be compiled with -DDIG_SIGCHASE.</P +></DD +><DT +><VAR +CLASS="OPTION" +>+[no]topdown</VAR +></DT +><DD +><P +>When chasing DNSSEC signature chains perform a top down validation. +Requires dig be compiled with -DDIG_SIGCHASE.</P +></DD ></DL ></DIV > </P @@ -1007,7 +1032,7 @@ in the OPT record in the additional section of the query.</P ><DIV CLASS="REFSECT1" ><A -NAME="AEN338" +NAME="AEN385" ></A ><H2 >MULTIPLE QUERIES</H2 @@ -1017,18 +1042,16 @@ CLASS="COMMAND" >dig </B > supports specifying multiple queries on the command line (in addition to -supporting the <TT +supporting the <VAR CLASS="OPTION" ->-f</TT +>-f</VAR > batch file option). Each of those queries can be supplied with its own set of flags, options and query options.</P ><P ->In this case, each <TT +>In this case, each <VAR CLASS="PARAMETER" -><I ->query</I -></TT +>query</VAR > argument represent an individual query in the command-line syntax described above. Each consists of any of the standard options and flags, the name to be @@ -1039,9 +1062,9 @@ should be applied to that query.</P can also be supplied. These global query options must precede the first tuple of name, class, type, options, flags, and query options supplied on the command line. Any global query options (except -the <TT +the <VAR CLASS="OPTION" ->+[no]cmd</TT +>+[no]cmd</VAR > option) can be overridden by a query-specific set of query options. For example: <PRE @@ -1052,46 +1075,42 @@ shows how <B CLASS="COMMAND" >dig</B > could be used from the command line -to make three lookups: an ANY query for <TT +to make three lookups: an ANY query for <VAR CLASS="LITERAL" ->www.isc.org</TT +>www.isc.org</VAR >, a reverse lookup of 127.0.0.1 and a query for the NS records of -<TT +<VAR CLASS="LITERAL" ->isc.org</TT +>isc.org</VAR >. -A global query option of <TT +A global query option of <VAR CLASS="PARAMETER" -><I ->+qr</I -></TT +>+qr</VAR > is applied, so that <B CLASS="COMMAND" >dig</B > shows the initial query it made for each lookup. The final query has a local query option of -<TT +<VAR CLASS="PARAMETER" -><I ->+noqr</I -></TT +>+noqr</VAR > which means that <B CLASS="COMMAND" >dig</B > will not print the initial query when it looks up the NS records for -<TT +<VAR CLASS="LITERAL" ->isc.org</TT +>isc.org</VAR >.</P ></DIV ><DIV CLASS="REFSECT1" ><A -NAME="AEN356" +NAME="AEN403" ></A ><H2 >FILES</H2 @@ -1109,7 +1128,7 @@ CLASS="FILENAME" ><DIV CLASS="REFSECT1" ><A -NAME="AEN362" +NAME="AEN409" ></A ><H2 >SEE ALSO</H2 @@ -1143,7 +1162,7 @@ CLASS="CITETITLE" ><DIV CLASS="REFSECT1" ><A -NAME="AEN375" +NAME="AEN422" ></A ><H2 >BUGS </H2 diff --git a/usr.sbin/bind/bin/dig/dighost.c b/usr.sbin/bind/bin/dig/dighost.c index e2da013640c..2e8d3441e83 100644 --- a/usr.sbin/bind/bin/dig/dighost.c +++ b/usr.sbin/bind/bin/dig/dighost.c @@ -1,21 +1,21 @@ /* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: dighost.c,v 1.221.2.19 2003/07/25 04:36:43 marka Exp $ */ +/* $ISC: dighost.c,v 1.221.2.19.2.14 2004/06/30 23:57:52 marka Exp $ */ /* * Notice to programmers: Do not use this code as an example of how to @@ -33,6 +33,14 @@ #include <limits.h> #include <dns/byaddr.h> +#ifdef DIG_SIGCHASE +#include <dns/dnssec.h> +#include <dns/ds.h> +#include <dns/nsec.h> +#include <isc/file.h> +#include <isc/random.h> +#include <ctype.h> +#endif #include <dns/fixedname.h> #include <dns/message.h> #include <dns/name.h> @@ -52,7 +60,9 @@ #include <isc/entropy.h> #include <isc/lang.h> #include <isc/netaddr.h> +#ifdef DIG_SIGCHASE #include <isc/netdb.h> +#endif #include <isc/print.h> #include <isc/random.h> #include <isc/result.h> @@ -62,22 +72,24 @@ #include <isc/types.h> #include <isc/util.h> +#include <lwres/lwres.h> +#include <lwres/net.h> + +#include <bind9/getaddresses.h> + #include <dig/dig.h> -#ifdef HAVE_ADDRINFO -#ifdef HAVE_GETADDRINFO -#ifdef HAVE_GAISTRERROR -#define USE_GETADDRINFO -#endif -#endif +#if ! defined(NS_INADDRSZ) +#define NS_INADDRSZ 4 #endif -#ifndef USE_GETADDRINFO -#ifndef ISC_PLATFORM_NONSTDHERRNO -extern int h_errno; -#endif +#if ! defined(NS_IN6ADDRSZ) +#define NS_IN6ADDRSZ 16 #endif +static lwres_context_t *lwctx = NULL; +static lwres_conf_t *lwconf; + ISC_LIST(dig_lookup_t) lookup_list; dig_serverlist_t server_list; ISC_LIST(dig_searchlist_t) search_list; @@ -104,7 +116,7 @@ int sendcount = 0; int recvcount = 0; int sockcount = 0; int ndots = -1; -int tries = 2; +int tries = 3; int lookup_counter = 0; /* @@ -132,6 +144,152 @@ char *progname = NULL; isc_mutex_t lookup_lock; dig_lookup_t *current_lookup = NULL; +#ifdef DIG_SIGCHASE + +isc_result_t get_trusted_key(isc_mem_t *mctx); +dns_rdataset_t * sigchase_scanname(dns_rdatatype_t type, + dns_rdatatype_t covers, + isc_boolean_t *lookedup, + dns_name_t *rdata_name); +dns_rdataset_t * chase_scanname_section(dns_message_t *msg, + dns_name_t *name, + dns_rdatatype_t type, + dns_rdatatype_t covers, + int section); +isc_result_t advanced_rrsearch(dns_rdataset_t **rdataset, + dns_name_t *name, + dns_rdatatype_t type, + dns_rdatatype_t covers, + isc_boolean_t *lookedup); +isc_result_t sigchase_verify_sig_key(dns_name_t *name, + dns_rdataset_t *rdataset, + dst_key_t* dnsseckey, + dns_rdataset_t *sigrdataset, + isc_mem_t *mctx); +isc_result_t sigchase_verify_sig(dns_name_t *name, + dns_rdataset_t *rdataset, + dns_rdataset_t *keyrdataset, + dns_rdataset_t *sigrdataset, + isc_mem_t *mctx); +isc_result_t sigchase_verify_ds(dns_name_t *name, + dns_rdataset_t *keyrdataset, + dns_rdataset_t *dsrdataset, + isc_mem_t *mctx); +void sigchase(dns_message_t *msg); +void print_rdata(dns_rdata_t *rdata, isc_mem_t *mctx); +void print_rdataset(dns_name_t *name, + dns_rdataset_t *rdataset, isc_mem_t *mctx); +void dup_name(dns_name_t *source, dns_name_t* target, + isc_mem_t *mctx); +void dump_database(void); +void dump_database_section(dns_message_t *msg, int section); +dns_rdataset_t * search_type(dns_name_t *name, dns_rdatatype_t type, + dns_rdatatype_t covers); +isc_result_t contains_trusted_key(dns_name_t *name, + dns_rdataset_t *rdataset, + dns_rdataset_t *sigrdataset, + isc_mem_t *mctx); +void print_type(dns_rdatatype_t type); +isc_result_t prove_nx_domain(dns_message_t * msg, + dns_name_t * name, + dns_name_t * rdata_name, + dns_rdataset_t ** rdataset, + dns_rdataset_t ** sigrdataset); +isc_result_t prove_nx_type(dns_message_t * msg, dns_name_t *name, + dns_rdataset_t *nsec, + dns_rdataclass_t class, + dns_rdatatype_t type, + dns_name_t * rdata_name, + dns_rdataset_t ** rdataset, + dns_rdataset_t ** sigrdataset); +isc_result_t prove_nx(dns_message_t * msg, dns_name_t * name, + dns_rdataclass_t class, + dns_rdatatype_t type, + dns_name_t * rdata_name, + dns_rdataset_t ** rdataset, + dns_rdataset_t ** sigrdataset); +static void nameFromString(const char *str, dns_name_t *p_ret); +int inf_name(dns_name_t * name1, dns_name_t * name2); +isc_result_t opentmpkey(isc_mem_t *mctx, const char *file, + char **tempp, FILE **fp); +isc_result_t removetmpkey(isc_mem_t *mctx, const char *file); +void clean_trustedkey(void ); +void insert_trustedkey(dst_key_t * key); +#if DIG_SIGCHASE_BU +isc_result_t getneededrr(dns_message_t *msg); +void sigchase_bottom_up(dns_message_t *msg); +void sigchase_bu(dns_message_t *msg); +#endif +#if DIG_SIGCHASE_TD +isc_result_t initialization(dns_name_t *name); +isc_result_t prepare_lookup(dns_name_t *name); +isc_result_t grandfather_pb_test(dns_name_t * zone_name, + dns_rdataset_t *sigrdataset); +isc_result_t child_of_zone(dns_name_t *name, + dns_name_t *zone_name, + dns_name_t *child_name); +void sigchase_td(dns_message_t *msg); +#endif +char trustedkey[MXNAME] = ""; + +dns_rdataset_t * chase_rdataset = NULL; +dns_rdataset_t * chase_sigrdataset = NULL; +dns_rdataset_t * chase_dsrdataset = NULL; +dns_rdataset_t * chase_sigdsrdataset = NULL; +dns_rdataset_t * chase_keyrdataset = NULL; +dns_rdataset_t * chase_sigkeyrdataset = NULL; +dns_rdataset_t * chase_nsrdataset = NULL; + +dns_name_t chase_name; /* the query name */ +#if DIG_SIGCHASE_TD +/* + * the current name is the parent name when we follow delegation + */ +dns_name_t chase_current_name; +/* + * the child name is used for delegation (NS DS responses in AUTHORITY section) + */ +dns_name_t chase_authority_name; +#endif +#if DIG_SIGCHASE_BU +dns_name_t chase_signame; +#endif + + +isc_boolean_t chase_siglookedup = ISC_FALSE; +isc_boolean_t chase_keylookedup = ISC_FALSE; +isc_boolean_t chase_sigkeylookedup = ISC_FALSE; +isc_boolean_t chase_dslookedup = ISC_FALSE; +isc_boolean_t chase_sigdslookedup = ISC_FALSE; +#if DIG_SIGCHASE_TD +isc_boolean_t chase_nslookedup = ISC_FALSE; +isc_boolean_t chase_lookedup = ISC_FALSE; + + +isc_boolean_t delegation_follow = ISC_FALSE; +isc_boolean_t grandfather_pb = ISC_FALSE; +isc_boolean_t have_response = ISC_FALSE; +isc_boolean_t have_delegation_ns = ISC_FALSE; +dns_message_t * error_message = NULL; +#endif + +isc_boolean_t dsvalidating = ISC_FALSE; +isc_boolean_t chase_name_dup = ISC_FALSE; + +ISC_LIST(dig_message_t) chase_message_list; +ISC_LIST(dig_message_t) chase_message_list2; + + +#define MAX_TRUSTED_KEY 5 +typedef struct struct_trusted_key_list { + dst_key_t * key[MAX_TRUSTED_KEY]; + int nb_tk; +} struct_tk_list; + +struct_tk_list tk_list = { {NULL, NULL, NULL, NULL, NULL}, 0}; + +#endif + /* * Apply and clear locks at the event level in global task. * Can I get rid of these using shutdown events? XXX @@ -159,6 +317,17 @@ connect_timeout(isc_task_t *task, isc_event_t *event); static void launch_next_query(dig_query_t *query, isc_boolean_t include_question); + +static void * +mem_alloc(void *arg, size_t size) { + return (isc_mem_get(arg, size)); +} + +static void +mem_free(void *arg, void *mem, size_t size) { + isc_mem_put(arg, mem, size); +} + char * next_token(char **stringp, const char *delim) { char *res; @@ -235,7 +404,7 @@ reverse_octets(const char *in, char **p, char *end) { } isc_result_t -get_reverse(char *reverse, char *value, isc_boolean_t ip6_int, +get_reverse(char *reverse, size_t len, char *value, isc_boolean_t ip6_int, isc_boolean_t strict) { int r; @@ -248,7 +417,7 @@ get_reverse(char *reverse, char *value, isc_boolean_t ip6_int, /* This is a valid IPv6 address. */ dns_fixedname_t fname; dns_name_t *name; - unsigned int options = DNS_BYADDROPT_IPV6NIBBLE; + unsigned int options = 0; if (ip6_int) options |= DNS_BYADDROPT_IPV6INT; @@ -257,7 +426,7 @@ get_reverse(char *reverse, char *value, isc_boolean_t ip6_int, result = dns_byaddr_createptrname2(&addr, options, name); if (result != ISC_R_SUCCESS) return (result); - dns_name_format(name, reverse, MXNAME); + dns_name_format(name, reverse, len); return (ISC_R_SUCCESS); } else { /* @@ -269,7 +438,7 @@ get_reverse(char *reverse, char *value, isc_boolean_t ip6_int, * and such. */ char *p = reverse; - char *end = reverse + MXNAME; + char *end = reverse + len; if (strict && inet_pton(AF_INET, value, &addr.type.in) != 1) return (DNS_R_BADDOTTEDQUAD); result = reverse_octets(value, &p, end); @@ -332,12 +501,105 @@ make_server(const char *servname) { debug("make_server(%s)", servname); srv = isc_mem_allocate(mctx, sizeof(struct dig_server)); if (srv == NULL) - fatal("Memory allocation failure in %s:%d", + fatal("memory allocation failure in %s:%d", __FILE__, __LINE__); strlcpy(srv->servername, servname, MXNAME); ISC_LINK_INIT(srv, link); return (srv); } +static int +addr2af(int lwresaddrtype) +{ + int af = 0; + + switch (lwresaddrtype) { + case LWRES_ADDRTYPE_V4: + af = AF_INET; + break; + + case LWRES_ADDRTYPE_V6: + af = AF_INET6; + break; + } + + return (af); +} +/* + * Create a copy of the server list from the lwres configuration structure. + * The dest list must have already had ISC_LIST_INIT applied. + */ +static void +copy_server_list(lwres_conf_t *confdata, dig_serverlist_t *dest) { + dig_server_t *newsrv; + char tmp[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")]; + int af; + int i; + + debug("copy_server_list()"); + for (i = 0; i < confdata->nsnext; i++) { + af = addr2af(confdata->nameservers[i].family); + + lwres_net_ntop(af, confdata->nameservers[i].address, + tmp, sizeof(tmp)); + newsrv = make_server(tmp); + ISC_LINK_INIT(newsrv, link); + ISC_LIST_ENQUEUE(*dest, newsrv, link); + } +} +void +flush_server_list(void) { + dig_server_t *s, *ps; + + debug("flush_server_list()"); + s = ISC_LIST_HEAD(server_list); + while (s != NULL) { + ps = s; + s = ISC_LIST_NEXT(s, link); + ISC_LIST_DEQUEUE(server_list, ps, link); + isc_mem_free(mctx, ps); + } +} +void +set_nameserver(char *opt) { + dig_server_t *srv; + + if (opt == NULL) + return; + + flush_server_list(); + srv = make_server(opt); + if (srv == NULL) + fatal("memory allocation failure"); + ISC_LIST_INITANDAPPEND(server_list, srv, link); +} + +static isc_result_t +add_nameserver(lwres_conf_t *confdata, const char *addr, int af) { + + int i = confdata->nsnext; + + if (confdata->nsnext >= LWRES_CONFMAXNAMESERVERS) + return (ISC_R_FAILURE); + + switch (af) { + case AF_INET: + confdata->nameservers[i].family = LWRES_ADDRTYPE_V4; + confdata->nameservers[i].length = NS_INADDRSZ; + break; + case AF_INET6: + confdata->nameservers[i].family = LWRES_ADDRTYPE_V6; + confdata->nameservers[i].length = NS_IN6ADDRSZ; + break; + default: + return (ISC_R_FAILURE); + } + + if (lwres_net_pton(af, addr, &confdata->nameservers[i].address) == 1) { + confdata->nsnext++; + return (ISC_R_SUCCESS); + } + return (ISC_R_FAILURE); +} /* * Produce a cloned server list. The dest list must have already had @@ -373,7 +635,7 @@ make_empty_lookup(void) { looknew = isc_mem_allocate(mctx, sizeof(struct dig_lookup)); if (looknew == NULL) - fatal("Memory allocation failure in %s:%d", + fatal("memory allocation failure in %s:%d", __FILE__, __LINE__); looknew->pending = ISC_TRUE; looknew->textname[0] = 0; @@ -400,6 +662,18 @@ make_empty_lookup(void) { looknew->servfail_stops = ISC_TRUE; looknew->besteffort = ISC_TRUE; looknew->dnssec = ISC_FALSE; +#ifdef DIG_SIGCHASE + looknew->sigchase = ISC_FALSE; +#if DIG_SIGCHASE_TD + looknew->do_topdown = ISC_FALSE; + looknew->trace_root_sigchase = ISC_FALSE; + looknew->rdtype_sigchaseset = ISC_FALSE; + looknew->rdtype_sigchase = dns_rdatatype_any; + looknew->qrdtype_sigchase = dns_rdatatype_any; + looknew->rdclass_sigchase = dns_rdataclass_in; + looknew->rdclass_sigchaseset = ISC_FALSE; +#endif +#endif looknew->udpsize = 0; looknew->recurse = ISC_TRUE; looknew->aaonly = ISC_FALSE; @@ -444,6 +718,9 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) { looknew = make_empty_lookup(); INSIST(looknew != NULL); strlcpy(looknew->textname, lookold->textname, MXNAME); +#if DIG_SIGCHASE_TD + strlcpy(looknew->textnamesigchase, lookold->textnamesigchase, MXNAME); +#endif strlcpy(looknew->cmdline, lookold->cmdline, MXNAME); looknew->rdtype = lookold->rdtype; looknew->qrdtype = lookold->qrdtype; @@ -460,6 +737,18 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) { looknew->servfail_stops = lookold->servfail_stops; looknew->besteffort = lookold->besteffort; looknew->dnssec = lookold->dnssec; +#ifdef DIG_SIGCHASE + looknew->sigchase = lookold->sigchase; +#if DIG_SIGCHASE_TD + looknew->do_topdown = lookold->do_topdown; + looknew->trace_root_sigchase = lookold->trace_root_sigchase; + looknew->rdtype_sigchaseset = lookold->rdtype_sigchaseset; + looknew->rdtype_sigchase = lookold->rdtype_sigchase; + looknew->qrdtype_sigchase = lookold->qrdtype_sigchase; + looknew->rdclass_sigchase = lookold->rdclass_sigchase; + looknew->rdclass_sigchaseset = lookold->rdclass_sigchaseset; +#endif +#endif looknew->udpsize = lookold->udpsize; looknew->recurse = lookold->recurse; looknew->aaonly = lookold->aaonly; @@ -498,7 +787,7 @@ requeue_lookup(dig_lookup_t *lookold, isc_boolean_t servers) { lookup_counter++; if (lookup_counter > LOOKUP_LIMIT) - fatal("Too many lookups"); + fatal("too many lookups"); looknew = clone_lookup(lookold, servers); INSIST(looknew != NULL); @@ -529,7 +818,7 @@ setup_text_key(void) { secretsize = strlen(keysecret) * 3 / 4; secretstore = isc_mem_allocate(mctx, secretsize); if (secretstore == NULL) - fatal("Memory allocation failure in %s:%d", + fatal("memory allocation failure in %s:%d", __FILE__, __LINE__); isc_buffer_init(&secretbuf, secretstore, secretsize); result = isc_base64_decodestring(keysecret, &secretbuf); @@ -564,7 +853,7 @@ setup_file_key(void) { dst_key_t *dstkey = NULL; debug("setup_file_key()"); - result = dst_key_fromnamedfile(keyfile, DST_TYPE_PRIVATE, + result = dst_key_fromnamedfile(keyfile, DST_TYPE_PRIVATE | DST_TYPE_KEY, mctx, &dstkey); if (result != ISC_R_SUCCESS) { fprintf(stderr, "Couldn't read key from %s: %s\n", @@ -592,98 +881,96 @@ make_searchlist_entry(char *domain) { dig_searchlist_t *search; search = isc_mem_allocate(mctx, sizeof(*search)); if (search == NULL) - fatal("Memory allocation failure in %s:%d", + fatal("memory allocation failure in %s:%d", __FILE__, __LINE__); strlcpy(search->origin, domain, MXNAME); ISC_LINK_INIT(search, link); return (search); } +static void +create_search_list(lwres_conf_t *confdata) { + int i; + dig_searchlist_t *search; + + debug("create_search_list()"); + ISC_LIST_INIT(search_list); + + for (i = 0; i < confdata->searchnxt; i++) { + search = make_searchlist_entry(confdata->search[i]); + ISC_LIST_APPEND(search_list, search, link); + } +} + /* * Setup the system as a whole, reading key information and resolv.conf * settings. */ void setup_system(void) { - char rcinput[MXNAME]; - FILE *fp; - char *ptr; - dig_server_t *srv; - dig_searchlist_t *search, *domain = NULL; - isc_boolean_t get_servers; - char *input; + dig_searchlist_t *domain = NULL; + lwres_result_t lwresult; debug("setup_system()"); - free_now = ISC_FALSE; - get_servers = ISC_TF(server_list.head == NULL); - fp = fopen(RESOLV_CONF, "r"); - /* XXX Use lwres resolv.conf reader */ - if (fp == NULL) - goto no_file; - - while (fgets(rcinput, MXNAME, fp) != 0) { - input = rcinput; - ptr = next_token(&input, " \t\r\n"); - if (ptr != NULL) { - if (get_servers && - strcasecmp(ptr, "nameserver") == 0) { - debug("got a nameserver line"); - ptr = next_token(&input, " \t\r\n"); - if (ptr != NULL) { - srv = make_server(ptr); - ISC_LIST_APPEND(server_list, srv, link); - } - } else if (strcasecmp(ptr, "options") == 0) { - ptr = next_token(&input, " \t\r\n"); - if (ptr != NULL) { - if (strncasecmp(ptr, "ndots:", 6) == 0 - && ndots == -1) - { - ndots = atoi(&ptr[6]); - debug("ndots is %d.", ndots); - } - } - } else if (strcasecmp(ptr, "search") == 0){ - while ((ptr = next_token(&input, " \t\r\n")) - != NULL) { - debug("adding search %s", ptr); - search = make_searchlist_entry(ptr); - ISC_LIST_INITANDAPPEND(search_list, - search, link); - } - } else if (strcasecmp(ptr, "domain") == 0) { - while ((ptr = next_token(&input, " \t\r\n")) - != NULL) { - if (domain != NULL) - isc_mem_free(mctx, domain); - domain = make_searchlist_entry(ptr); - } - } + lwresult = lwres_context_create(&lwctx, mctx, mem_alloc, mem_free, 1); + if (lwresult != LWRES_R_SUCCESS) + fatal("lwres_context_create failed"); + + (void)lwres_conf_parse(lwctx, RESOLV_CONF); + lwconf = lwres_conf_get(lwctx); + + /* Make the search list */ + if (lwconf->searchnxt > 0) + create_search_list(lwconf); + else { + /* No search list. Use the domain name if any */ + if (lwconf->domainname != NULL) { + domain = make_searchlist_entry(lwconf->domainname); + ISC_LIST_INITANDAPPEND(search_list, domain, link); + domain = NULL; } } - fclose(fp); - no_file: - - if (ISC_LIST_EMPTY(search_list) && domain != NULL) { - ISC_LIST_INITANDAPPEND(search_list, domain, link); - domain = NULL; + + ndots = lwconf->ndots; + debug("ndots is %d.", ndots); + + /* If we don't find a nameserver fall back to localhost */ + if (lwconf->nsnext == 0) { + if (have_ipv4) { + lwresult = add_nameserver(lwconf, "127.0.0.1", AF_INET); + if (lwresult != ISC_R_SUCCESS) + fatal("add_nameserver failed"); + } + if (have_ipv6) { + lwresult = add_nameserver(lwconf, "::1", AF_INET6); + if (lwresult != ISC_R_SUCCESS) + fatal("add_nameserver failed"); + } } - if (domain != NULL) - isc_mem_free(mctx, domain); - - if (ndots == -1) - ndots = 1; - if (server_list.head == NULL) { - srv = make_server("127.0.0.1"); - ISC_LIST_APPEND(server_list, srv, link); - } + if (ISC_LIST_EMPTY(server_list)) + copy_server_list(lwconf, &server_list); if (keyfile[0] != 0) setup_file_key(); else if (keysecret[0] != 0) setup_text_key(); +#ifdef DIG_SIGCHASE + /* Setup the list of messages for +sigchase */ + ISC_LIST_INIT(chase_message_list); + ISC_LIST_INIT(chase_message_list2); + dns_name_init(&chase_name, NULL); +#if DIG_SIGCHASE_TD + dns_name_init(&chase_current_name, NULL); + dns_name_init(&chase_authority_name, NULL); +#endif +#if DIG_SIGCHASE_BU + dns_name_init(&chase_signame, NULL); +#endif + +#endif + } static void @@ -716,12 +1003,6 @@ setup_libs(void) { debug("setup_libs()"); - /* - * Warning: This is not particularly good randomness. We'll - * just use random() now for getting id values, but doing so - * does NOT ensure that id's can't be guessed. - */ - result = isc_net_probeipv4(); if (result == ISC_R_SUCCESS) have_ipv4 = ISC_TRUE; @@ -906,7 +1187,7 @@ try_clear_lookup(dig_lookup_t *lookup) { q->servname); q = ISC_LIST_NEXT(q, link); } - return (ISC_FALSE); + return (ISC_FALSE); } } /* @@ -967,6 +1248,91 @@ start_lookup(void) { */ if (current_lookup != NULL) { ISC_LIST_DEQUEUE(lookup_list, current_lookup, link); +#if DIG_SIGCHASE_TD + if (current_lookup->do_topdown && + !current_lookup->rdtype_sigchaseset) { + dst_key_t * trustedkey = NULL; + isc_buffer_t *b = NULL; + isc_region_t r; + isc_result_t result; + dns_name_t query_name; + dns_name_t * key_name; + int i; + + result = get_trusted_key(mctx); + if (result != ISC_R_SUCCESS) { + printf("\n;; No trusted key, " + "+sigchase option is disabled\n"); + current_lookup->sigchase = ISC_FALSE; + goto novalidation; + } + dns_name_init(&query_name, NULL); + nameFromString(current_lookup->textname, &query_name); + + for (i = 0; i< tk_list.nb_tk; i++) { + key_name = dst_key_name(tk_list.key[i]); + + if (dns_name_issubdomain(&query_name, + key_name) == ISC_TRUE) + trustedkey = tk_list.key[i]; + /* + * Verifier que la temp est bien la plus basse + * WARNING + */ + } + if (trustedkey == NULL) { + printf("\n;; The queried zone: "); + dns_name_print(&query_name, stdout); + printf(" isn't a subdomain of any Trusted Keys" + ": +sigchase option is disable\n"); + current_lookup->sigchase = ISC_FALSE; + dns_name_free(&query_name, mctx); + goto novalidation; + } + dns_name_free(&query_name, mctx); + + + current_lookup->rdtype_sigchase + = current_lookup->rdtype; + current_lookup->rdtype_sigchaseset + = current_lookup->rdtypeset; + current_lookup->rdtype = dns_rdatatype_ns; + + + current_lookup->qrdtype_sigchase + = current_lookup->qrdtype; + current_lookup->qrdtype = dns_rdatatype_ns; + + current_lookup->rdclass_sigchase + = current_lookup->rdclass; + current_lookup->rdclass_sigchaseset + = current_lookup->rdclassset; + current_lookup->rdclass = dns_rdataclass_in; + + + strlcpy(current_lookup->textnamesigchase, + current_lookup->textname, MXNAME); + + current_lookup->trace_root_sigchase = ISC_TRUE; + + result = isc_buffer_allocate(mctx, &b, BUFSIZE); + check_result(result, "isc_buffer_allocate"); + result = dns_name_totext(dst_key_name(trustedkey), + ISC_FALSE, b); + check_result(result, "dns_name_totext"); + isc_buffer_usedregion(b, &r); + r.base[r.length] = '\0'; + strlcpy(current_lookup->textname, (char*)r.base, + MXNAME); + isc_buffer_free(&b); + + nameFromString(current_lookup->textnamesigchase, + &chase_name); + + dns_name_init(&chase_authority_name, NULL); + } + novalidation: +#endif setup_lookup(current_lookup); do_lookup(current_lookup); } else { @@ -1019,8 +1385,7 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section) for (result = dns_message_firstname(msg, section); result == ISC_R_SUCCESS; - result = dns_message_nextname(msg, section)) - { + result = dns_message_nextname(msg, section)) { name = NULL; dns_message_currentname(msg, section, &name); @@ -1034,8 +1399,7 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section) for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS; - result = dns_rdataset_next(rdataset)) - { + result = dns_rdataset_next(rdataset)) { char namestr[DNS_NAME_FORMATSIZE]; dns_rdata_ns_t ns; @@ -1418,7 +1782,7 @@ setup_lookup(dig_lookup_t *lookup) { serv = ISC_LIST_NEXT(serv, link)) { query = isc_mem_allocate(mctx, sizeof(dig_query_t)); if (query == NULL) - fatal("Memory allocation failure in %s:%d", + fatal("memory allocation failure in %s:%d", __FILE__, __LINE__); debug("create query %p linked to lookup %p", query, lookup); @@ -1434,6 +1798,7 @@ setup_lookup(dig_lookup_t *lookup) { query->second_rr_serial = 0; query->servname = serv->servername; query->rr_count = 0; + query->msg_count = 0; ISC_LINK_INIT(query, link); ISC_LIST_INIT(query->recvlist); ISC_LIST_INIT(query->lengthlist); @@ -1582,7 +1947,7 @@ send_tcp_connect(dig_query_t *query) { INSIST(query->sock == NULL); result = isc_socket_create(socketmgr, isc_sockaddr_pf(&query->sockaddr), - isc_sockettype_tcp, &query->sock) ; + isc_sockettype_tcp, &query->sock); check_result(result, "isc_socket_create"); sockcount++; debug("sockcount=%d", sockcount); @@ -1671,8 +2036,7 @@ send_udp(dig_query_t *query) { ISC_LIST_ENQUEUE(query->sendlist, &l->sendbuf, link); debug("sending a request"); - result = isc_time_now(&query->time_sent); - check_result(result, "isc_time_now"); + TIME_NOW(&query->time_sent); INSIST(query->sock != NULL); result = isc_socket_sendtov(query->sock, &query->sendlist, global_task, send_done, query, @@ -1698,8 +2062,8 @@ send_udp(dig_query_t *query) { */ static void connect_timeout(isc_task_t *task, isc_event_t *event) { - dig_lookup_t *l=NULL, *n; - dig_query_t *query=NULL, *cq; + dig_lookup_t *l = NULL, *n; + dig_query_t *query = NULL, *cq; UNUSED(task); REQUIRE(event->ev_type == ISC_TIMEREVENT_IDLE); @@ -1861,7 +2225,8 @@ launch_next_query(dig_query_t *query, isc_boolean_t include_question) { isc_buffer_clear(&query->slbuf); isc_buffer_clear(&query->lengthbuf); - isc_buffer_putuint16(&query->slbuf, (isc_uint16_t) query->lookup->sendbuf.used); + isc_buffer_putuint16(&query->slbuf, + (isc_uint16_t) query->lookup->sendbuf.used); ISC_LIST_INIT(query->sendlist); ISC_LINK_INIT(&query->slbuf, link); ISC_LIST_ENQUEUE(query->sendlist, &query->slbuf, link); @@ -1877,11 +2242,10 @@ launch_next_query(dig_query_t *query, isc_boolean_t include_question) { global_task, tcp_length_done, query); check_result(result, "isc_socket_recvv"); recvcount++; - debug("recvcount=%d",recvcount); + debug("recvcount=%d", recvcount); if (!query->first_soa_rcvd) { debug("sending a request in launch_next_query"); - result = isc_time_now(&query->time_sent); - check_result(result, "isc_time_now"); + TIME_NOW(&query->time_sent); result = isc_socket_sendv(query->sock, &query->sendlist, global_task, send_done, query); check_result(result, "isc_socket_sendv"); @@ -2003,6 +2367,7 @@ check_for_more_data(dig_query_t *query, dns_message_t *msg, * an SOA rr. */ + query->msg_count++; result = dns_message_firstname(msg, DNS_SECTION_ANSWER); if (result != ISC_R_SUCCESS) { puts("; Transfer failed."); @@ -2129,6 +2494,10 @@ recv_done(isc_task_t *task, isc_event_t *event) { dig_query_t *query = NULL; isc_buffer_t *b = NULL; dns_message_t *msg = NULL; +#ifdef DIG_SIGCHASE + dig_message_t *chase_msg = NULL; + dig_message_t *chase_msg2 = NULL; +#endif isc_result_t result; dig_lookup_t *n, *l; isc_boolean_t docancel = ISC_FALSE; @@ -2136,6 +2505,13 @@ recv_done(isc_task_t *task, isc_event_t *event) { unsigned int parseflags; dns_messageid_t id; unsigned int msgflags; +#ifdef DIG_SIGCHASE + isc_result_t do_sigchase = ISC_FALSE; + + dns_message_t *msg_temp = NULL; + isc_region_t r; + isc_buffer_t *buf = NULL; +#endif UNUSED(task); INSIST(!free_now); @@ -2238,7 +2614,8 @@ recv_done(isc_task_t *task, isc_event_t *event) { fail = ISC_FALSE; query->warn_id = ISC_FALSE; } else - printf(";; ERROR: short (< header size) message\n"); + printf(";; ERROR: short " + "(< header size) message\n"); if (fail) { isc_event_free(&event); clear_query(query); @@ -2251,7 +2628,8 @@ recv_done(isc_task_t *task, isc_event_t *event) { printf(";; Warning: ID mismatch: " "expected ID %u, got %u\n", l->sendmsg->id, id); else - printf(";; Warning: short (< header size) message received\n"); + printf(";; Warning: short " + "(< header size) message received\n"); } if (!match) { @@ -2290,6 +2668,14 @@ recv_done(isc_task_t *task, isc_event_t *event) { debug("before parse starts"); parseflags = DNS_MESSAGEPARSE_PRESERVEORDER; +#ifdef DIG_SIGCHASE + if (!l->sigchase) { + do_sigchase = ISC_FALSE; + } else { + parseflags = 0; + do_sigchase = ISC_TRUE; + } +#endif if (l->besteffort) { parseflags |= DNS_MESSAGEPARSE_BESTEFFORT; parseflags |= DNS_MESSAGEPARSE_IGNORETRUNCATION; @@ -2313,8 +2699,7 @@ recv_done(isc_task_t *task, isc_event_t *event) { return; } if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0 - && !l->ignore && !l->tcp_mode) - { + && !l->ignore && !l->tcp_mode) { printf(";; Truncated, retrying in TCP mode.\n"); n = requeue_lookup(l, ISC_TRUE); n->tcp_mode = ISC_TRUE; @@ -2408,24 +2793,33 @@ recv_done(isc_task_t *task, isc_event_t *event) { } if (!l->doing_xfr || l->xfr_q == query) { +#ifdef DIG_SIGCHASE + int count = 0; +#endif if (msg->rcode != dns_rcode_noerror && l->origin != NULL) { if (!next_origin(msg, query)) { printmessage(query, msg, ISC_TRUE); received(b->used, &sevent->address, query); } } else if (!l->trace && !l->ns_search_only) { - printmessage(query, msg, ISC_TRUE); +#ifdef DIG_SIGCHASE + if (!do_sigchase) +#endif + printmessage(query, msg, ISC_TRUE); } else if (l->trace) { int n = 0; +#ifdef DIG_SIGCHASE + count = msg->counts[DNS_SECTION_ANSWER]; +#else int count = msg->counts[DNS_SECTION_ANSWER]; +#endif debug("in TRACE code"); if (!l->ns_search_only) printmessage(query, msg, ISC_TRUE); l->rdtype = l->qrdtype; - if (l->trace_root || (l->ns_search_only && count > 0)) - { + if (l->trace_root || (l->ns_search_only && count > 0)) { if (!l->trace_root) l->rdtype = dns_rdatatype_soa; n = followup_lookup(msg, query, @@ -2452,9 +2846,58 @@ recv_done(isc_task_t *task, isc_event_t *event) { docancel = ISC_TRUE; l->trace_root = ISC_FALSE; } else +#ifdef DIG_SIGCHASE + if (!do_sigchase) +#endif printmessage(query, msg, ISC_TRUE); } +#ifdef DIG_SIGCHASE + if ( do_sigchase) { + chase_msg = isc_mem_allocate(mctx, + sizeof(dig_message_t)); + if (chase_msg == NULL) { + fatal("Memory allocation failure in %s:%d", + __FILE__, __LINE__); + } + ISC_LIST_INITANDAPPEND(chase_message_list, chase_msg, + link); + if (dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, + &msg_temp) != ISC_R_SUCCESS) { + fatal("dns_message_create in %s:%d", + __FILE__, __LINE__); + } + + isc_buffer_usedregion(b, &r); + result = isc_buffer_allocate(mctx, &buf, r.length); + + check_result(result, "isc_buffer_allocate"); + result = isc_buffer_copyregion(buf, &r); + check_result(result, "isc_buffer_copyregion"); + + result = dns_message_parse(msg_temp, buf, 0); + + isc_buffer_free(&buf); + chase_msg->msg = msg_temp; + + chase_msg2 = isc_mem_allocate(mctx, + sizeof(dig_message_t)); + if (chase_msg2 == NULL) { + fatal("Memory allocation failure in %s:%d", + __FILE__, __LINE__); + } + ISC_LIST_INITANDAPPEND(chase_message_list2, chase_msg2, + link); + chase_msg2->msg = msg; + } +#endif + + } + +#ifdef DIG_SIGCHASE + if (l->sigchase && ISC_LIST_EMPTY(lookup_list) ) { + sigchase(msg_temp); } +#endif if (l->pending) debug("still pending."); @@ -2475,21 +2918,37 @@ recv_done(isc_task_t *task, isc_event_t *event) { check_next_lookup(l); } } else { - if (msg->rcode == dns_rcode_noerror || l->origin == NULL) - received(b->used, &sevent->address, query); + + if (msg->rcode == dns_rcode_noerror || l->origin == NULL) { + +#ifdef DIG_SIGCHASE + if (!l->sigchase) +#endif + received(b->used, &sevent->address, query); + } + if (!query->lookup->ns_search_only) query->lookup->pending = ISC_FALSE; if (!query->lookup->ns_search_only || - query->lookup->trace_root || docancel) - { - dns_message_destroy(&msg); + query->lookup->trace_root || docancel) { +#ifdef DIG_SIGCHASE + if (!do_sigchase) +#endif + dns_message_destroy(&msg); + cancel_lookup(l); } clear_query(query); check_next_lookup(l); } - if (msg != NULL) - dns_message_destroy(&msg); + if (msg != NULL) { +#ifdef DIG_SIGCHASE + if (do_sigchase) + msg = NULL; + else +#endif + dns_message_destroy(&msg); + } isc_event_free(&event); UNLOCK_LOOKUP; } @@ -2501,75 +2960,16 @@ recv_done(isc_task_t *task, isc_event_t *event) { */ void get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) { - struct in_addr in4; - struct in6_addr in6; -#ifdef USE_GETADDRINFO - struct addrinfo *res = NULL, hints; - int result; -#else - struct hostent *he; -#endif - - debug("get_address()"); + int count; + isc_result_t result; - if (inet_pton(AF_INET6, host, &in6) == 1) { - if (!have_ipv6) - fatal("Protocol family INET6 not supported '%s'", host); - isc_sockaddr_fromin6(sockaddr, &in6, port); - } else if (inet_pton(AF_INET, host, &in4) == 1) { - if (have_ipv4) - isc_sockaddr_fromin(sockaddr, &in4, port); - else - isc_sockaddr_v6fromin(sockaddr, &in4, port); - } else { -#ifdef USE_GETADDRINFO - memset(&hints, 0, sizeof(hints)); - if (!have_ipv6) - hints.ai_family = PF_INET; - else if (!have_ipv4) - hints.ai_family = PF_INET6; - else { - hints.ai_family = PF_UNSPEC; -#ifdef AI_ADDRCONFIG - hints.ai_flags = AI_ADDRCONFIG; -#endif - } - debug ("before getaddrinfo()"); - isc_app_block(); -#ifdef AI_ADDRCONFIG - again: -#endif - result = getaddrinfo(host, NULL, &hints, &res); -#ifdef AI_ADDRCONFIG - if (result == EAI_BADFLAGS && - (hints.ai_flags & AI_ADDRCONFIG) != 0) { - hints.ai_flags &= ~AI_ADDRCONFIG; - goto again; - } -#endif - isc_app_unblock(); - if (result != 0) { - fatal("Couldn't find server '%s': %s", - host, gai_strerror(result)); - } - memcpy(&sockaddr->type.sa, res->ai_addr, res->ai_addrlen); - sockaddr->length = res->ai_addrlen; - isc_sockaddr_setport(sockaddr, port); - freeaddrinfo(res); -#else - debug ("before gethostbyname()"); - isc_app_block(); - he = gethostbyname(host); - isc_app_unblock(); - if (he == NULL) - fatal("Couldn't find server '%s' (h_errno=%d)", - host, h_errno); - INSIST(he->h_addrtype == AF_INET); - isc_sockaddr_fromin(sockaddr, - (struct in_addr *)(he->h_addr_list[0]), - port); -#endif - } + isc_app_block(); + result = bind9_getaddresses(host, port, sockaddr, 1, &count); + isc_app_unblock(); + if (result != ISC_R_SUCCESS) + fatal("couldn't get address for '%s': %s", + host, isc_result_totext(result)); + INSIST(count == 1); } /* @@ -2651,8 +3051,10 @@ cancel_all(void) { */ void destroy_libs(void) { - void *ptr; - dig_server_t *s; +#ifdef DIG_SIGCHASE + void * ptr; + dig_message_t *chase_msg; +#endif debug("destroy_libs()"); if (global_task != NULL) { @@ -2678,13 +3080,11 @@ destroy_libs(void) { free_now = ISC_TRUE; - s = ISC_LIST_HEAD(server_list); - while (s != NULL) { - debug("freeing global server %p", s); - ptr = s; - s = ISC_LIST_NEXT(s, link); - isc_mem_free(mctx, ptr); - } + lwres_conf_clear(lwctx); + lwres_context_destroy(&lwctx); + + flush_server_list(); + clear_searchlist(); if (commctx != NULL) { debug("freeing commctx"); @@ -2717,8 +3117,1955 @@ destroy_libs(void) { UNLOCK_LOOKUP; DESTROYLOCK(&lookup_lock); +#ifdef DIG_SIGCHASE + + debug("Destroy the messages kept for sigchase"); + /* Destroy the messages kept for sigchase */ + chase_msg = ISC_LIST_HEAD(chase_message_list); + + while (chase_msg != NULL) { + INSIST(chase_msg->msg != NULL); + dns_message_destroy(&(chase_msg->msg)); + ptr = chase_msg; + chase_msg = ISC_LIST_NEXT(chase_msg, link); + isc_mem_free(mctx, ptr); + } + + chase_msg = ISC_LIST_HEAD(chase_message_list2); + + while (chase_msg != NULL) { + INSIST(chase_msg->msg != NULL); + dns_message_destroy(&(chase_msg->msg)); + ptr = chase_msg; + chase_msg = ISC_LIST_NEXT(chase_msg, link); + isc_mem_free(mctx, ptr); + } + if (dns_name_dynamic(&chase_name)) + dns_name_free(&chase_name, mctx); +#if DIG_SIGCHASE_TD + if (dns_name_dynamic(&chase_current_name)) + dns_name_free(&chase_current_name, mctx); + if (dns_name_dynamic(&chase_authority_name)) + dns_name_free(&chase_authority_name, mctx); +#endif +#if DIG_SIGCHASE_BU + if (dns_name_dynamic(&chase_signame)) + dns_name_free(&chase_signame, mctx); +#endif + + debug("Destroy memory"); + +#endif if (memdebugging != 0) isc_mem_stats(mctx, stderr); if (mctx != NULL) isc_mem_destroy(&mctx); } + + + + +#ifdef DIG_SIGCHASE +void +print_type(dns_rdatatype_t type) +{ + isc_buffer_t * b = NULL; + isc_result_t result; + isc_region_t r; + + result = isc_buffer_allocate(mctx, &b, 4000); + check_result(result, "isc_buffer_allocate"); + + result = dns_rdatatype_totext(type, b); + check_result(result, "print_type"); + + isc_buffer_usedregion(b, &r); + r.base[r.length] = '\0'; + + printf("%s", r.base); + + isc_buffer_free(&b); +} + + +void +dump_database_section( dns_message_t *msg, int section) +{ + dns_name_t *msg_name=NULL; + + dns_rdataset_t *rdataset; + + do { + dns_message_currentname(msg, section, &msg_name); + + for (rdataset = ISC_LIST_HEAD(msg_name->list); rdataset != NULL; + rdataset = ISC_LIST_NEXT(rdataset, link)) { + dns_name_print(msg_name, stdout); + printf("\n"); + print_rdataset(msg_name, rdataset, mctx); + printf("end\n"); + } + msg_name = NULL; + } while ( dns_message_nextname(msg, section) == ISC_R_SUCCESS); +} + + +void dump_database(void) +{ + dig_message_t * msg; + + for (msg = ISC_LIST_HEAD(chase_message_list); msg != NULL; + msg = ISC_LIST_NEXT(msg, link)) { + if (dns_message_firstname(msg->msg, DNS_SECTION_ANSWER) + == ISC_R_SUCCESS) + dump_database_section(msg->msg, DNS_SECTION_ANSWER); + + if (dns_message_firstname(msg->msg, DNS_SECTION_AUTHORITY) + == ISC_R_SUCCESS) + dump_database_section(msg->msg, DNS_SECTION_AUTHORITY); + + if (dns_message_firstname(msg->msg, DNS_SECTION_ADDITIONAL) + == ISC_R_SUCCESS) + dump_database_section(msg->msg, DNS_SECTION_ADDITIONAL); + } +} + + +dns_rdataset_t * search_type(dns_name_t *name, + dns_rdatatype_t type, + dns_rdatatype_t covers) +{ + dns_rdataset_t *rdataset; + dns_rdata_sig_t siginfo; + dns_rdata_t sigrdata; + isc_result_t result; + + for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; + rdataset = ISC_LIST_NEXT(rdataset, link)) { + if (type == dns_rdatatype_any) { + if (rdataset->type != dns_rdatatype_rrsig) + return rdataset; + } + else if ((type == dns_rdatatype_rrsig) && + (rdataset->type == dns_rdatatype_rrsig)) { + dns_rdata_init(&sigrdata); + result = dns_rdataset_first(rdataset); + check_result(result, "empty rdataset"); + dns_rdataset_current(rdataset, &sigrdata); + result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL); + check_result(result, "sigrdata tostruct siginfo"); + + if ((siginfo.covered == covers) || + (covers == dns_rdatatype_any)) { + dns_rdata_reset(&sigrdata); + dns_rdata_freestruct(&siginfo); + return rdataset; + } + dns_rdata_reset(&sigrdata); + dns_rdata_freestruct(&siginfo); + } + else if (rdataset->type == type) + return rdataset; + } + return NULL; +} + +dns_rdataset_t * +chase_scanname_section(dns_message_t *msg, + dns_name_t *name, + dns_rdatatype_t type, + dns_rdatatype_t covers, + int section) +{ + dns_rdataset_t *rdataset; + dns_name_t *msg_name = NULL; + + do { + dns_message_currentname(msg, section, &msg_name); + if (dns_name_compare(msg_name, name) == 0) { + rdataset = search_type(msg_name, type, covers); + if ( rdataset != NULL) + return rdataset; + } + msg_name = NULL; + } while ( dns_message_nextname(msg, section) == ISC_R_SUCCESS); + + return(NULL); +} + + +dns_rdataset_t * +chase_scanname(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers) +{ + dns_rdataset_t *rdataset = NULL; + dig_message_t * msg; + + for (msg = ISC_LIST_HEAD(chase_message_list2); msg != NULL; + msg = ISC_LIST_NEXT(msg, link)) { + if (dns_message_firstname(msg->msg, DNS_SECTION_ANSWER) + == ISC_R_SUCCESS) + rdataset = chase_scanname_section(msg->msg, name, + type, covers, + DNS_SECTION_ANSWER); + if (rdataset != NULL) + return rdataset; + if (dns_message_firstname(msg->msg, DNS_SECTION_AUTHORITY) + == ISC_R_SUCCESS) + rdataset = + chase_scanname_section(msg->msg, name, + type, covers, + DNS_SECTION_AUTHORITY); + if (rdataset != NULL) + return rdataset; + if (dns_message_firstname(msg->msg, DNS_SECTION_ADDITIONAL) + == ISC_R_SUCCESS) + rdataset = + chase_scanname_section(msg->msg, name, type, + covers, + DNS_SECTION_ADDITIONAL); + if (rdataset != NULL) + return rdataset; + } + + return NULL; +} + +dns_rdataset_t * +sigchase_scanname(dns_rdatatype_t type, dns_rdatatype_t covers, + isc_boolean_t * lookedup, + dns_name_t *rdata_name ) +{ + dig_lookup_t *lookup; + isc_buffer_t *b = NULL; + isc_region_t r; + isc_result_t result; + dns_rdataset_t * temp; + dns_rdatatype_t querytype; + + if ((temp=chase_scanname(rdata_name, type, covers))!=NULL) { + return(temp); + } + + if (*lookedup == ISC_TRUE) { + return(NULL); + } + + lookup = clone_lookup(current_lookup, ISC_TRUE); + lookup->trace_root = ISC_FALSE; + lookup->new_search = ISC_TRUE; + + result = isc_buffer_allocate(mctx, &b, BUFSIZE); + check_result(result, "isc_buffer_allocate"); + result = dns_name_totext(rdata_name, ISC_FALSE, b); + check_result(result, "dns_name_totext"); + isc_buffer_usedregion(b, &r); + r.base[r.length] = '\0'; + strlcpy(lookup->textname, (char*)r.base, sizeof(lookup->textname)); + isc_buffer_free(&b); + + if (type == dns_rdatatype_rrsig) + querytype = covers; + else + querytype = type; + if (querytype == 0 || querytype == 255) { + printf("Error in the queried type: %d\n", querytype); + return(NULL); + } + + lookup->rdtype = querytype; + lookup->rdtypeset = ISC_TRUE; + lookup->qrdtype = querytype; + *lookedup = ISC_TRUE; + + ISC_LIST_APPEND(lookup_list, lookup, link); + printf("\n\nLaunch a query to find a RRset of type "); + print_type(type); + printf(" for zone: %s\n", lookup->textname); + return(NULL); +} + +void +insert_trustedkey(dst_key_t * key) +{ + if (key == NULL) + return; + if (tk_list.nb_tk >= MAX_TRUSTED_KEY) + return; + + tk_list.key[tk_list.nb_tk++] = key; + return; +} + +void +clean_trustedkey() +{ + int i = 0; + + for (i= 0; i < MAX_TRUSTED_KEY; i++) { + if (tk_list.key[i] != NULL) { + dst_key_free(&tk_list.key[i]); + tk_list.key[i] = NULL; + } + else + break; + } + tk_list.nb_tk = 0; + return; +} + +char alphnum[] = + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; + +isc_result_t +removetmpkey(isc_mem_t *mctx, const char *file) +{ + char *tempnamekey = NULL; + int tempnamekeylen; + isc_result_t result; + + tempnamekeylen = strlen(file)+10; + + tempnamekey = isc_mem_allocate(mctx, tempnamekeylen); + if (tempnamekey == NULL) + return (ISC_R_NOMEMORY); + + memset(tempnamekey, 0, tempnamekeylen); + + strlcat(tempnamekey, file, tempnamekeylen); + strlcat(tempnamekey,".key", tempnamekeylen); + isc_file_remove(tempnamekey); + + result = isc_file_remove(tempnamekey); + isc_mem_free(mctx, tempnamekey); + return(result); +} + +isc_result_t +opentmpkey(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) { + FILE *f = NULL; + isc_result_t result; + char *tempname = NULL; + char *tempnamekey = NULL; + int tempnamelen; + int tempnamekeylen; + char *x; + char *cp; + isc_uint32_t which; + + while (1) { + tempnamelen = strlen(file) + 20; + tempname = isc_mem_allocate(mctx, tempnamelen); + if (tempname == NULL) + return (ISC_R_NOMEMORY); + memset(tempname, 0, tempnamelen); + + result = isc_file_mktemplate(file, tempname, tempnamelen); + if (result != ISC_R_SUCCESS) + goto cleanup; + + cp = tempname; + while (*cp != '\0') + cp++; + if (cp == tempname) { + isc_mem_free(mctx, tempname); + return (ISC_R_FAILURE); + } + + x = cp--; + while (cp >= tempname && *cp == 'X') { + isc_random_get(&which); + *cp = alphnum[which % (sizeof(alphnum) - 1)]; + x = cp--; + } + + tempnamekeylen = tempnamelen+5; + tempnamekey = isc_mem_allocate(mctx, tempnamekeylen); + if (tempnamekey == NULL) + return (ISC_R_NOMEMORY); + + memset(tempnamekey, 0, tempnamekeylen); + strlcpy(tempnamekey, tempname, tempnamelen); + strlcat(tempnamekey ,".key", tempnamelen); + + + if (isc_file_exists(tempnamekey)) { + isc_mem_free(mctx, tempnamekey); + isc_mem_free(mctx, tempname); + continue; + } + + if ((f = fopen(tempnamekey, "w")) == NULL) { + printf("get_trusted_key(): trusted key not found %s\n", + tempnamekey); + return ISC_R_FAILURE; + } + break; + } + isc_mem_free(mctx, tempnamekey); + *tempp = tempname; + *fp = f; + return (ISC_R_SUCCESS); + + cleanup: + isc_mem_free(mctx, tempname); + + return (result); +} + + +isc_result_t +get_trusted_key(isc_mem_t *mctx) +{ + isc_result_t result; + const char * filename = NULL; + char * filetemp =NULL; + char buf[1500]; + FILE *fp , *fptemp; + dst_key_t * key = NULL; + + result = isc_file_exists(trustedkey); + if (result != ISC_TRUE) { + result = isc_file_exists("/etc/trusted-key.key"); + if (result != ISC_TRUE) { + result = isc_file_exists("./trusted-key.key"); + if (result != ISC_TRUE) + return ISC_R_FAILURE; + else + filename = "./trusted-key.key"; + } + else + filename = "/etc/trusted-key.key"; + } + else + filename = trustedkey; + + if (filename == NULL) { + printf("No trusted key\n"); + return ISC_R_FAILURE; + } + + if ((fp = fopen(filename, "r")) == NULL) { + printf("get_trusted_key(): trusted key not found %s\n", + filename); + return ISC_R_FAILURE; + } + while (fgets(buf, 1500, fp) != NULL) { + result = opentmpkey(mctx,"tmp_file", &filetemp, &fptemp); + if (result != ISC_R_SUCCESS) { + fclose(fp); + return ISC_R_FAILURE; + } + if (fputs(buf, fptemp)<0) { + fclose(fp); + fclose(fptemp); + return ISC_R_FAILURE; + } + fclose(fptemp); + result = dst_key_fromnamedfile(filetemp, DST_TYPE_PUBLIC | + DST_TYPE_KEY, mctx, &key); + removetmpkey(mctx, filetemp); + isc_mem_free(mctx, filetemp); + if (result != ISC_R_SUCCESS ) { + fclose(fp); + return ISC_R_FAILURE; + } + insert_trustedkey(key); +#if 0 + dst_key_tofile(key, DST_TYPE_PUBLIC,"/tmp"); +#endif + key = NULL; + } + return ISC_R_SUCCESS; +} + + +static void +nameFromString(const char *str, dns_name_t *p_ret) { + size_t len = strlen(str); + isc_result_t result; + isc_buffer_t buffer; + dns_fixedname_t fixedname; + + REQUIRE(p_ret != NULL); + REQUIRE(str != NULL); + + isc_buffer_init(&buffer, str, len); + isc_buffer_add(&buffer, len); + + dns_fixedname_init(&fixedname); + result = dns_name_fromtext(dns_fixedname_name(&fixedname), &buffer, + dns_rootname, ISC_TRUE, NULL); + check_result(result, "nameFromString"); + + if (dns_name_dynamic(p_ret)) + dns_name_free(p_ret, mctx); + + result = dns_name_dup(dns_fixedname_name(&fixedname), mctx, p_ret); + check_result(result, "nameFromString"); +} + + +#if DIG_SIGCHASE_TD +isc_result_t +prepare_lookup(dns_name_t *name) +{ + isc_result_t result; + dig_lookup_t * lookup = NULL; + dig_server_t *s; + void *ptr; + + lookup = clone_lookup(current_lookup, ISC_TRUE); + lookup->trace_root = ISC_FALSE; + lookup->new_search = ISC_TRUE; + lookup->trace_root_sigchase = ISC_FALSE; + + strlcpy(lookup->textname, lookup->textnamesigchase, MXNAME); + + lookup->rdtype = lookup->rdtype_sigchase; + lookup->rdtypeset = ISC_TRUE; + lookup->qrdtype = lookup->qrdtype_sigchase; + + s = ISC_LIST_HEAD(lookup->my_server_list); + while (s != NULL) { + debug("freeing server %p belonging to %p", + s, lookup); + ptr = s; + s = ISC_LIST_NEXT(s, link); + ISC_LIST_DEQUEUE(lookup->my_server_list, + (dig_server_t *)ptr, link); + isc_mem_free(mctx, ptr); + } + + + for (result = dns_rdataset_first(chase_nsrdataset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(chase_nsrdataset)) { + char namestr[DNS_NAME_FORMATSIZE]; + dns_rdata_ns_t ns; + dns_rdata_t rdata = DNS_RDATA_INIT; + dig_server_t * srv = NULL; +#define __FOLLOW_GLUE__ +#ifdef __FOLLOW_GLUE__ + isc_buffer_t * b = NULL; + isc_result_t result; + isc_region_t r; + dns_rdataset_t * rdataset =NULL; + isc_boolean_t true = ISC_TRUE; +#endif + + memset(namestr, 0, DNS_NAME_FORMATSIZE); + + dns_rdataset_current(chase_nsrdataset, &rdata); + + (void)dns_rdata_tostruct(&rdata, &ns, NULL); + + + +#ifdef __FOLLOW_GLUE__ + + result = advanced_rrsearch(&rdataset, &ns.name, + dns_rdatatype_aaaa, + dns_rdatatype_any, &true); + if (result == ISC_R_SUCCESS) { + for (result = dns_rdataset_first(rdataset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(rdataset)) { + dns_rdata_t aaaa = DNS_RDATA_INIT; + dns_rdataset_current(rdataset, &aaaa); + + result = isc_buffer_allocate(mctx, &b, 80); + check_result(result, "isc_buffer_allocate"); + + dns_rdata_totext(&aaaa, &ns.name, b); + isc_buffer_usedregion(b, &r); + r.base[r.length] = '\0'; + strlcpy(namestr, (char*)r.base, + DNS_NAME_FORMATSIZE); + isc_buffer_free(&b); + dns_rdata_reset(&aaaa); + + + srv = make_server(namestr); + + ISC_LIST_APPEND(lookup->my_server_list, + srv, link); + } + } + + rdataset = NULL; + result = advanced_rrsearch(&rdataset, &ns.name, dns_rdatatype_a, + dns_rdatatype_any, &true); + if (result == ISC_R_SUCCESS) { + for (result = dns_rdataset_first(rdataset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(rdataset)) { + dns_rdata_t a = DNS_RDATA_INIT; + dns_rdataset_current(rdataset, &a); + + result = isc_buffer_allocate(mctx, &b, 80); + check_result(result, "isc_buffer_allocate"); + + dns_rdata_totext(&a, &ns.name, b); + isc_buffer_usedregion(b, &r); + r.base[r.length] = '\0'; + strlcpy(namestr, (char*)r.base, + DNS_NAME_FORMATSIZE); + isc_buffer_free(&b); + dns_rdata_reset(&a); + printf("ns name: %s\n", namestr); + + + srv = make_server(namestr); + + ISC_LIST_APPEND(lookup->my_server_list, + srv, link); + } + } +#else + + dns_name_format(&ns.name, namestr, sizeof(namestr)); + printf("ns name: "); + dns_name_print(&ns.name, stdout); + printf("\n"); + srv = make_server(namestr); + + ISC_LIST_APPEND(lookup->my_server_list, srv, link); + +#endif + dns_rdata_freestruct(&ns); + dns_rdata_reset(&rdata); + + } + + ISC_LIST_APPEND(lookup_list, lookup, link); + printf("\nLaunch a query to find a RRset of type "); + print_type(lookup->rdtype); + printf(" for zone: %s", lookup->textname); + printf(" with nameservers:"); + printf("\n"); + print_rdataset(name, chase_nsrdataset, mctx); + return ISC_R_SUCCESS; +} + + +isc_result_t +child_of_zone(dns_name_t * name, dns_name_t * zone_name, + dns_name_t * child_name) +{ + dns_namereln_t name_reln; + int orderp; + unsigned int nlabelsp; + + name_reln = dns_name_fullcompare(name, zone_name, &orderp, &nlabelsp); + if ( (name_reln != dns_namereln_subdomain) || + (dns_name_countlabels(name) <= + dns_name_countlabels(zone_name) +1)) { + printf("\n;; ERROR : "); + dns_name_print(name, stdout); + printf(" is not a subdomain of: "); + dns_name_print(zone_name, stdout); + printf(" FAILED\n\n"); + return ISC_R_FAILURE; + } + + dns_name_getlabelsequence(name, + dns_name_countlabels(name) - + dns_name_countlabels(zone_name) -1, + dns_name_countlabels(zone_name) +1, + child_name); + return ISC_R_SUCCESS; +} + +isc_result_t +grandfather_pb_test(dns_name_t * zone_name, dns_rdataset_t * sigrdataset) +{ + isc_result_t result; + dns_rdata_t sigrdata; + dns_rdata_sig_t siginfo; + + result = dns_rdataset_first(sigrdataset); + check_result(result, "empty RRSIG dataset"); + dns_rdata_init(&sigrdata); + + do { + dns_rdataset_current(sigrdataset, &sigrdata); + + result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL); + check_result(result, "sigrdata tostruct siginfo"); + + if (dns_name_compare(&siginfo.signer, zone_name) == 0) { + dns_rdata_freestruct(&siginfo); + dns_rdata_reset(&sigrdata); + return ISC_R_SUCCESS; + } + + dns_rdata_freestruct(&siginfo); + + } while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS); + + dns_rdata_reset(&sigrdata); + + return ISC_R_FAILURE; +} + + +isc_result_t +initialization(dns_name_t * name) +{ + isc_result_t result; + isc_boolean_t true = ISC_TRUE; + + chase_nsrdataset = NULL; + result = advanced_rrsearch(&chase_nsrdataset, name, dns_rdatatype_ns, + dns_rdatatype_any, &true); + if (result != ISC_R_SUCCESS) { + printf("\n;; NS RRset is missing to continue validation:" + " FAILED\n\n"); + return ISC_R_FAILURE; + } + INSIST(chase_nsrdataset != NULL); + prepare_lookup(name); + + dup_name(name, &chase_current_name, mctx); + + return ISC_R_SUCCESS; +} +#endif + +void +print_rdataset(dns_name_t * name, dns_rdataset_t *rdataset, isc_mem_t *mctx) +{ + isc_buffer_t * b = NULL; + isc_result_t result; + isc_region_t r; + + result = isc_buffer_allocate(mctx, &b, 9000); + check_result(result, "isc_buffer_allocate"); + + printrdataset(name, rdataset, b); + + isc_buffer_usedregion(b, &r); + r.base[r.length] = '\0'; + + + printf("%s\n", r.base); + + isc_buffer_free(&b); +} + + +void +dup_name(dns_name_t *source, dns_name_t *target, isc_mem_t *mctx) { + isc_result_t result; + + if (dns_name_dynamic(target)) + dns_name_free(target, mctx); + result = dns_name_dup(source, mctx, target); + check_result(result, "dns_name_dup"); +} + +/* + * + * take a DNSKEY RRset and the RRSIG RRset corresponding in parameter + * return ISC_R_SUCCESS if the DNSKEY RRset contains a trusted_key + * and the RRset is valid + * return ISC_R_NOTFOUND if not contains trusted key + or if the RRset isn't valid + * return ISC_R_FAILURE if problem + * + */ +isc_result_t +contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset, + dns_rdataset_t *sigrdataset, + isc_mem_t *mctx) +{ + isc_result_t result; + dns_rdata_t rdata; + dst_key_t * trustedKey = NULL; + dst_key_t * dnsseckey = NULL; + int i; + + if (name == NULL || rdataset == NULL) { + return ISC_R_FAILURE; + } + + result = dns_rdataset_first(rdataset); + check_result(result, "empty rdataset"); + dns_rdata_init(&rdata); + + do { + dns_rdataset_current(rdataset, &rdata); + INSIST(rdata.type == dns_rdatatype_dnskey); + + result = dns_dnssec_keyfromrdata(name, &rdata, + mctx, &dnsseckey); + check_result(result, "dns_dnssec_keyfromrdata"); + + + for (i = 0; i< tk_list.nb_tk; i++) { + if (dst_key_compare(tk_list.key[i], dnsseckey) + == ISC_TRUE) { + dns_rdata_reset(&rdata); + + printf(";; Ok, find a Trusted Key in the " + "DNSKEY RRset: %d\n", + dst_key_id(dnsseckey)); + if (sigchase_verify_sig_key(name, rdataset, + dnsseckey, + sigrdataset, + mctx) + == ISC_R_SUCCESS) { + dst_key_free(&dnsseckey); + dnsseckey = NULL; + return ISC_R_SUCCESS; + } + } + } + + dns_rdata_reset(&rdata); + if (dnsseckey != NULL) + dst_key_free(&dnsseckey); + } while (dns_rdataset_next(rdataset) == ISC_R_SUCCESS); + + if (trustedKey != NULL) + dst_key_free(&trustedKey); + trustedKey = NULL; + + return ISC_R_NOTFOUND; +} + +isc_result_t +sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset, + dns_rdataset_t *keyrdataset, + dns_rdataset_t *sigrdataset, + isc_mem_t *mctx) +{ + isc_result_t result; + dns_rdata_t keyrdata; + dst_key_t * dnsseckey = NULL; + + result = dns_rdataset_first(keyrdataset); + check_result(result, "empty DNSKEY dataset"); + dns_rdata_init(&keyrdata); + + do { + dns_rdataset_current(keyrdataset, &keyrdata); + INSIST(keyrdata.type == dns_rdatatype_dnskey); + + result = dns_dnssec_keyfromrdata(name, &keyrdata, + mctx, &dnsseckey); + check_result(result, "dns_dnssec_keyfromrdata"); + + result = sigchase_verify_sig_key(name, rdataset, dnsseckey, + sigrdataset, mctx); + if (result == ISC_R_SUCCESS) { + dns_rdata_reset(&keyrdata); + dst_key_free(&dnsseckey); + return(ISC_R_SUCCESS); + } + dst_key_free(&dnsseckey); + } while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS); + + dns_rdata_reset(&keyrdata); + + return ISC_R_NOTFOUND; +} + +isc_result_t +sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset, + dst_key_t* dnsseckey, + dns_rdataset_t *sigrdataset, isc_mem_t *mctx) +{ + isc_result_t result; + dns_rdata_t sigrdata; + dns_rdata_sig_t siginfo; + + result = dns_rdataset_first(sigrdataset); + check_result(result, "empty RRSIG dataset"); + dns_rdata_init(&sigrdata); + + do { + dns_rdataset_current(sigrdataset, &sigrdata); + + result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL); + check_result(result, "sigrdata tostruct siginfo"); + + /* + * Test if the id of the DNSKEY is + * the id of the DNSKEY signer's + */ + if (siginfo.keyid == dst_key_id(dnsseckey)) { + + result = dns_rdataset_first(rdataset); + check_result(result, "empty DS dataset"); + + result = dns_dnssec_verify(name, rdataset, dnsseckey, + ISC_FALSE, mctx, &sigrdata); + + printf(";; VERIFYING "); + print_type(rdataset->type); + printf(" RRset for "); + dns_name_print(name, stdout); + printf(" with DNSKEY:%d: %s\n", dst_key_id(dnsseckey), + isc_result_totext(result)); + + if (result == ISC_R_SUCCESS) { + dns_rdata_reset(&sigrdata); + return result; + } + } + dns_rdata_freestruct(&siginfo); + + } while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS); + + dns_rdata_reset(&sigrdata); + + return ISC_R_NOTFOUND; +} + + +isc_result_t +sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, + dns_rdataset_t *dsrdataset, isc_mem_t *mctx) +{ + isc_result_t result; + dns_rdata_t keyrdata; + dns_rdata_t newdsrdata; + dns_rdata_t dsrdata; + dns_rdata_ds_t dsinfo; + dst_key_t* dnsseckey = NULL; + unsigned char dsbuf[DNS_DS_BUFFERSIZE]; + + result = dns_rdataset_first(dsrdataset); + check_result(result, "empty DSset dataset"); + dns_rdata_init(&dsrdata); + do { + dns_rdataset_current(dsrdataset, &dsrdata); + + result = dns_rdata_tostruct(&dsrdata, &dsinfo, NULL); + check_result(result, "dns_rdata_tostruct for DS"); + + result = dns_rdataset_first(keyrdataset); + check_result(result, "empty KEY dataset"); + dns_rdata_init(&keyrdata); + + do { + dns_rdataset_current(keyrdataset, &keyrdata); + INSIST(keyrdata.type == dns_rdatatype_dnskey); + + result = dns_dnssec_keyfromrdata(name, &keyrdata, + mctx, &dnsseckey); + check_result(result, "dns_dnssec_keyfromrdata"); + + /* + * Test if the id of the DNSKEY is the + * id of DNSKEY referenced by the DS + */ + if (dsinfo.key_tag == dst_key_id(dnsseckey)) { + dns_rdata_init(&newdsrdata); + + result = dns_ds_buildrdata(name, &keyrdata, + dsinfo.digest_type, + dsbuf, &newdsrdata); + dns_rdata_freestruct(&dsinfo); + + if (result != ISC_R_SUCCESS) { + dns_rdata_reset(&keyrdata); + dns_rdata_reset(&newdsrdata); + dns_rdata_reset(&dsrdata); + dst_key_free(&dnsseckey); + dns_rdata_freestruct(&dsinfo); + printf("Oops: impossible to build" + " new DS rdata\n"); + return result; + } + + + if (dns_rdata_compare(&dsrdata, + &newdsrdata) == 0) { + printf(";; OK a DS valids a DNSKEY" + " in the RRset\n"); + printf(";; Now verify that this" + " DNSKEY validates the " + "DNSKEY RRset\n"); + + result = sigchase_verify_sig_key(name, + keyrdataset, + dnsseckey, + chase_sigkeyrdataset, + mctx); + if (result == ISC_R_SUCCESS) { + dns_rdata_reset(&keyrdata); + dns_rdata_reset(&newdsrdata); + dns_rdata_reset(&dsrdata); + dst_key_free(&dnsseckey); + + return result; + } + } + else { + printf(";; This DS is NOT the DS for" + " the chasing KEY: FAILED\n"); + } + + dns_rdata_reset(&newdsrdata); + } + dst_key_free(&dnsseckey); + dnsseckey = NULL; + } while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS); + dns_rdata_reset(&keyrdata); + + } while (dns_rdataset_next(chase_dsrdataset) == ISC_R_SUCCESS); +#if 0 + dns_rdata_reset(&dsrdata); WARNING +#endif + + return ISC_R_NOTFOUND; +} + +/* + * + * take a pointer on a rdataset in parameter and try to resolv it. + * the searched rrset is a rrset on 'name' with type 'type' + * (and if the type is a rrsig the signature cover 'covers'). + * the lookedup is to known if you have already done the query on the net. + * ISC_R_SUCCESS: if we found the rrset + * ISC_R_NOTFOUND: we do not found the rrset in cache + * and we do a query on the net + * ISC_R_FAILURE: rrset not found + */ +isc_result_t +advanced_rrsearch(dns_rdataset_t **rdataset, dns_name_t * name, + dns_rdatatype_t type, + dns_rdatatype_t covers, + isc_boolean_t *lookedup) +{ + isc_boolean_t tmplookedup; + + INSIST(rdataset != NULL); + + if (*rdataset != NULL) + return(ISC_R_SUCCESS); + + tmplookedup = *lookedup; + if ((*rdataset = sigchase_scanname(type, covers, + lookedup, name)) == NULL) { + if (tmplookedup) + return (ISC_R_FAILURE); + return (ISC_R_NOTFOUND); + } + *lookedup = ISC_FALSE; + return(ISC_R_SUCCESS); +} + + + +#if DIG_SIGCHASE_TD +void +sigchase_td(dns_message_t * msg) +{ + isc_result_t result; + dns_name_t * name = NULL; + isc_boolean_t have_answer = ISC_FALSE; + + isc_boolean_t true = ISC_TRUE; + + if ((result = dns_message_firstname(msg, DNS_SECTION_ANSWER)) + == ISC_R_SUCCESS) { + dns_message_currentname(msg, DNS_SECTION_ANSWER, &name); + if (current_lookup->trace_root_sigchase) { + initialization(name); + return; + } + have_answer = true; + } + else { + if (!current_lookup->trace_root_sigchase) { + result = dns_message_firstname(msg, + DNS_SECTION_AUTHORITY); + if (result == ISC_R_SUCCESS) + dns_message_currentname(msg, + DNS_SECTION_AUTHORITY, + &name); + chase_nsrdataset + = chase_scanname_section(msg, name, + dns_rdatatype_ns, + dns_rdatatype_any, + DNS_SECTION_AUTHORITY); + dup_name(name, &chase_authority_name, mctx); + if (chase_nsrdataset != NULL) { + have_delegation_ns = ISC_TRUE; + printf("no response but there is a delegation" + " in authority section:"); + dns_name_print(name, stdout); + printf("\n"); + } + else { + printf("no response and no delegation in " + "authority section but a reference" + " to: "); + dns_name_print(name, stdout); + printf("\n"); + error_message = msg; + } + } + else { + printf(";; NO ANSWERS: %s\n", + isc_result_totext(result)); + dns_name_free(&chase_name, mctx); + clean_trustedkey(); + return; + } + } + + + if (have_answer) { + chase_rdataset + = chase_scanname_section(msg, &chase_name, + current_lookup + ->rdtype_sigchase, + dns_rdatatype_any, + DNS_SECTION_ANSWER); + if (chase_rdataset != NULL) + have_response = ISC_TRUE; + } + + result = advanced_rrsearch(&chase_keyrdataset, + &chase_current_name, + dns_rdatatype_dnskey, + dns_rdatatype_any, + &chase_keylookedup); + if (result == ISC_R_FAILURE) { + printf("\n;; DNSKEY is missing to continue validation:" + " FAILED\n\n"); + goto cleanandgo; + } + if (result == ISC_R_NOTFOUND) + return; + INSIST(chase_keyrdataset != NULL); + printf("\n;; DNSKEYset:\n"); + print_rdataset(&chase_current_name , chase_keyrdataset, mctx); + + + result = advanced_rrsearch(&chase_sigkeyrdataset, + &chase_current_name, + dns_rdatatype_rrsig, + dns_rdatatype_dnskey, + &chase_sigkeylookedup); + if (result == ISC_R_FAILURE) { + printf("\n;; RRSIG of DNSKEY is missing to continue validation:" + " FAILED\n\n"); + goto cleanandgo; + } + if (result == ISC_R_NOTFOUND) + return; + INSIST(chase_sigkeyrdataset != NULL); + printf("\n;; RRSIG of the DNSKEYset:\n"); + print_rdataset(&chase_current_name , chase_sigkeyrdataset, mctx); + + + if (!chase_dslookedup && !chase_nslookedup) { + if (!delegation_follow) { + result = contains_trusted_key(&chase_current_name, + chase_keyrdataset, + chase_sigkeyrdataset, + mctx); + } + else { + INSIST(chase_dsrdataset != NULL); + INSIST(chase_sigdsrdataset != NULL); + result = sigchase_verify_ds(&chase_current_name, + chase_keyrdataset, + chase_dsrdataset, + mctx); + } + + if (result != ISC_R_SUCCESS) { + printf("\n;; chain of trust can't be validated:" + " FAILED\n\n"); + goto cleanandgo; + } + else { + chase_dsrdataset = NULL; + chase_sigdsrdataset = NULL; + } + } + + if (have_response || (!have_delegation_ns && !have_response)) { + /* test if it's a grand father case */ + + if (have_response) { + result = advanced_rrsearch(&chase_sigrdataset, + &chase_name, + dns_rdatatype_rrsig, + current_lookup + ->rdtype_sigchase, + &true); + if (result == ISC_R_FAILURE) { + printf("\n;; RRset is missing to continue" + " validation SHOULD NOT APPEND:" + " FAILED\n\n"); + goto cleanandgo; + } + + } + else { + result = advanced_rrsearch(&chase_sigrdataset, + &chase_authority_name, + dns_rdatatype_rrsig, + dns_rdatatype_any, + &true); + if (result == ISC_R_FAILURE) { + printf("\n;; RRSIG is missing to continue" + " validation SHOULD NOT APPEND:" + " FAILED\n\n"); + goto cleanandgo; + } + } + result = grandfather_pb_test(&chase_current_name, + chase_sigrdataset); + if (result != ISC_R_SUCCESS) { + dns_name_t tmp_name; + + printf("\n;; We are in a Grand Father Problem:" + " See 2.2.1 in RFC 3568\n"); + chase_rdataset = NULL; + chase_sigrdataset = NULL; + have_response = ISC_FALSE; + have_delegation_ns = ISC_FALSE; + + dns_name_init(&tmp_name, NULL); + result = child_of_zone(&chase_name, &chase_current_name, + &tmp_name); + if (dns_name_dynamic(&chase_authority_name)) + dns_name_free( &chase_authority_name, mctx); + dup_name(&tmp_name, &chase_authority_name, mctx); + printf(";; and we try to continue chain of trust" + " validation of the zone: "); + dns_name_print(&chase_authority_name, stdout); + printf("\n"); + have_delegation_ns = ISC_TRUE; + } + else { + if (have_response) + goto finalstep; + else + chase_sigrdataset = NULL; + } + } + + if (have_delegation_ns) { + chase_nsrdataset = NULL; + result = advanced_rrsearch(&chase_nsrdataset, + &chase_authority_name, + dns_rdatatype_ns, + dns_rdatatype_any, + &chase_nslookedup); + if (result == ISC_R_FAILURE) { + printf("\n;;NSset is missing to continue validation:" + " FAILED\n\n"); + goto cleanandgo; + } + if (result == ISC_R_NOTFOUND) { + return; + } + INSIST(chase_nsrdataset != NULL); + + result = advanced_rrsearch(&chase_dsrdataset, + &chase_authority_name, + dns_rdatatype_ds, + dns_rdatatype_any, + &chase_dslookedup); + if (result == ISC_R_FAILURE) { + printf("\n;; DSset is missing to continue validation:" + " FAILED\n\n"); + goto cleanandgo; + } + if (result == ISC_R_NOTFOUND) + return; + INSIST(chase_dsrdataset != NULL); + printf("\n;; DSset:\n"); + print_rdataset(&chase_authority_name , chase_dsrdataset, mctx); + + result = advanced_rrsearch(&chase_sigdsrdataset, + &chase_authority_name, + dns_rdatatype_rrsig, + dns_rdatatype_ds, + &true); + if (result != ISC_R_SUCCESS) { + printf("\n;; DSset is missing to continue validation:" + " FAILED\n\n"); + goto cleanandgo; + } + printf("\n;; RRSIGset of DSset\n"); + print_rdataset(&chase_authority_name, + chase_sigdsrdataset, mctx); + INSIST(chase_sigdsrdataset != NULL); + + result = sigchase_verify_sig(&chase_authority_name, + chase_dsrdataset, + chase_keyrdataset, + chase_sigdsrdataset, mctx); + if (result != ISC_R_SUCCESS) { + printf("\n;; Impossible to verify the DSset:" + " FAILED\n\n"); + goto cleanandgo; + } + chase_keyrdataset = NULL; + chase_sigkeyrdataset = NULL; + + + prepare_lookup(&chase_authority_name); + + have_response = ISC_FALSE; + have_delegation_ns = ISC_FALSE; + delegation_follow = ISC_TRUE; + error_message = NULL; + dup_name(&chase_authority_name, &chase_current_name, mctx); + dns_name_free(&chase_authority_name, mctx); + return; + } + + + if (error_message != NULL) { + dns_rdataset_t * rdataset; + dns_rdataset_t * sigrdataset; + dns_name_t rdata_name; + isc_result_t ret = ISC_R_FAILURE; + + dns_name_init(&rdata_name, NULL); + result = prove_nx(error_message, &chase_name, + current_lookup->rdclass_sigchase, + current_lookup->rdtype_sigchase, &rdata_name, + &rdataset, &sigrdataset); + if (&rdata_name == NULL || rdataset == NULL || + sigrdataset == NULL) { + printf("\n;; Impossible to verify the non-existence," + " the NSEC RRset can't be validated:" + " FAILED\n\n"); + goto cleanandgo; + } + ret = sigchase_verify_sig(&rdata_name, rdataset, + chase_keyrdataset, + sigrdataset, mctx); + if (ret != ISC_R_SUCCESS) { + dns_name_free(&rdata_name, mctx); + printf("\n;; Impossible to verify the NSEC RR to prove" + " the non-existence : FAILED\n\n"); + goto cleanandgo; + } + dns_name_free(&rdata_name, mctx); + if (result != ISC_R_SUCCESS) { + printf("\n;; Impossible to verify the non-existence:" + " FAILED\n\n"); + goto cleanandgo; + } + else { + printf("\n;; OK the query doesn't have response but" + " we have validate this fact : SUCCESS\n\n"); + goto cleanandgo; + } + } + + cleanandgo: + printf(";; cleanandgo \n"); + if (dns_name_dynamic(&chase_current_name)) + dns_name_free(&chase_current_name, mctx); + if (dns_name_dynamic(&chase_authority_name)) + dns_name_free(&chase_authority_name, mctx); + clean_trustedkey(); + return; + + finalstep : + result = advanced_rrsearch(&chase_rdataset, &chase_name, + current_lookup->rdtype_sigchase, + dns_rdatatype_any , + &true); + if (result == ISC_R_FAILURE) { + printf("\n;; RRsig of RRset is missing to continue validation" + " SHOULD NOT APPEND: FAILED\n\n"); + goto cleanandgo; + } + result = sigchase_verify_sig(&chase_name, chase_rdataset, + chase_keyrdataset, + chase_sigrdataset, mctx); + if (result != ISC_R_SUCCESS) { + printf("\n;; Impossible to verify the RRset : FAILED\n\n"); + /* + printf("RRset:\n"); + print_rdataset(&chase_name , chase_rdataset, mctx); + printf("DNSKEYset:\n"); + print_rdataset(&chase_name , chase_keyrdataset, mctx); + printf("RRSIG of RRset:\n"); + print_rdataset(&chase_name , chase_sigrdataset, mctx); + printf("\n"); + */ + goto cleanandgo; + } + else { + printf("\n;; The Answer:\n"); + print_rdataset(&chase_name , chase_rdataset, mctx); + + printf("\n;; FINISH : we have validate the DNSSEC chain" + " of trust: SUCCESS\n\n"); + goto cleanandgo; + } +} + +#endif + + +#if DIG_SIGCHASE_BU + +isc_result_t +getneededrr(dns_message_t *msg) +{ + isc_result_t result; + dns_name_t *name = NULL; + dns_rdata_t sigrdata; + dns_rdata_sig_t siginfo; + isc_boolean_t true = ISC_TRUE; + + if ((result = dns_message_firstname(msg, DNS_SECTION_ANSWER)) + != ISC_R_SUCCESS) { + printf(";; NO ANSWERS: %s\n", isc_result_totext(result)); + + if (chase_name.ndata == NULL) { + return ISC_R_ADDRNOTAVAIL; + } + } + else { + dns_message_currentname(msg, DNS_SECTION_ANSWER, &name); + } + + /* What do we chase? */ + if (chase_rdataset == NULL) { + result = advanced_rrsearch(&chase_rdataset, name, + dns_rdatatype_any, + dns_rdatatype_any, &true); + if (result != ISC_R_SUCCESS) { + printf("\n;; No Answers: Validation FAILED\n\n"); + return ISC_R_NOTFOUND; + } + dup_name(name, &chase_name, mctx); + printf(";; RRset to chase:\n"); + print_rdataset(&chase_name, chase_rdataset, mctx); + } + INSIST(chase_rdataset != NULL); + + + if (chase_sigrdataset == NULL) { + result = advanced_rrsearch(&chase_sigrdataset, name, + dns_rdatatype_rrsig, + chase_rdataset->type, + &chase_siglookedup); + if (result == ISC_R_FAILURE) { + printf("\n;; RRSIG is missing for continue validation:" + " FAILED\n\n"); + if (dns_name_dynamic(&chase_name)) + dns_name_free(&chase_name, mctx); + return ISC_R_NOTFOUND; + } + if (result == ISC_R_NOTFOUND) { + return(ISC_R_NOTFOUND); + } + printf("\n;; RRSIG of the RRset to chase:\n"); + print_rdataset(&chase_name, chase_sigrdataset, mctx); + } + INSIST(chase_sigrdataset != NULL); + + + /* first find the DNSKEY name */ + result = dns_rdataset_first(chase_sigrdataset); + check_result(result, "empty RRSIG dataset"); + dns_rdata_init(&sigrdata); + dns_rdataset_current(chase_sigrdataset, &sigrdata); + result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL); + check_result(result, "sigrdata tostruct siginfo"); + dup_name(&siginfo.signer, &chase_signame, mctx); + dns_rdata_freestruct(&siginfo); + dns_rdata_reset(&sigrdata); + + /* Do we have a key? */ + if (chase_keyrdataset == NULL) { + result = advanced_rrsearch(&chase_keyrdataset, + &chase_signame, + dns_rdatatype_dnskey, + dns_rdatatype_any, + &chase_keylookedup); + if (result == ISC_R_FAILURE) { + printf("\n;; DNSKEY is missing to continue validation:" + " FAILED\n\n"); + dns_name_free(&chase_signame, mctx); + if (dns_name_dynamic(&chase_name)) + dns_name_free(&chase_name, mctx); + return ISC_R_NOTFOUND; + } + if (result == ISC_R_NOTFOUND) { + dns_name_free(&chase_signame, mctx); + return(ISC_R_NOTFOUND); + } + printf("\n;; DNSKEYset that signs the RRset to chase:\n"); + print_rdataset(&chase_signame, chase_keyrdataset, mctx); + } + INSIST(chase_keyrdataset != NULL); + + if (chase_sigkeyrdataset == NULL) { + result = advanced_rrsearch(&chase_sigkeyrdataset, + &chase_signame, + dns_rdatatype_rrsig, + dns_rdatatype_dnskey, + &chase_sigkeylookedup); + if (result == ISC_R_FAILURE) { + printf("\n;; RRSIG for DNSKEY is missing to continue" + " validation : FAILED\n\n"); + dns_name_free(&chase_signame, mctx); + if (dns_name_dynamic(&chase_name)) + dns_name_free(&chase_name, mctx); + return ISC_R_NOTFOUND; + } + if (result == ISC_R_NOTFOUND) { + dns_name_free(&chase_signame, mctx); + return(ISC_R_NOTFOUND); + } + printf("\n;; RRSIG of the DNSKEYset that signs the " + "RRset to chase:\n"); + print_rdataset(&chase_signame, chase_sigkeyrdataset, mctx); + } + INSIST(chase_sigkeyrdataset != NULL); + + + if (chase_dsrdataset == NULL) { + result = advanced_rrsearch(&chase_dsrdataset, &chase_signame, + dns_rdatatype_ds, + dns_rdatatype_any, + &chase_dslookedup); + if (result == ISC_R_FAILURE) { + printf("\n;; WARNING There is no DS for the zone: "); + dns_name_print(&chase_signame, stdout); + printf("\n"); + } + if (result == ISC_R_NOTFOUND) { + dns_name_free(&chase_signame, mctx); + return(ISC_R_NOTFOUND); + } + if (chase_dsrdataset != NULL) { + printf("\n;; DSset of the DNSKEYset\n"); + print_rdataset(&chase_signame, chase_dsrdataset, mctx); + } + } + + if (chase_dsrdataset != NULL) { + /* + * if there is no RRSIG of DS, + * we don't want to search on the network + */ + result = advanced_rrsearch(&chase_sigdsrdataset, + &chase_signame, + dns_rdatatype_rrsig, + dns_rdatatype_ds, &true); + if (result == ISC_R_FAILURE) { + printf(";; WARNING : NO RRSIG DS : RRSIG DS" + " should come with DS\n"); + /* + * We continue even the DS couldn't be validated, + * because the DNSKEY could be a Trusted Key. + */ + chase_dsrdataset = NULL; + } + else { + printf("\n;; RRSIG of the DSset of the DNSKEYset\n"); + print_rdataset(&chase_signame, chase_sigdsrdataset, + mctx); + } + } + return(1); +} + + + +void +sigchase_bu(dns_message_t *msg) +{ + isc_result_t result; + int ret; + + if (tk_list.nb_tk == 0) { + result = get_trusted_key(mctx); + if (result != ISC_R_SUCCESS) { + printf("No trusted keys present\n"); + return; + } + } + + + ret = getneededrr(msg); + if (ret == ISC_R_NOTFOUND) + return; + + if (ret == ISC_R_ADDRNOTAVAIL) { + /* We have no response */ + dns_rdataset_t * rdataset; + dns_rdataset_t * sigrdataset; + dns_name_t rdata_name; + dns_name_t query_name; + + + dns_name_init(&query_name, NULL); + nameFromString(current_lookup->textname, &query_name); + + result = prove_nx(msg, &query_name, current_lookup->rdclass, + current_lookup->rdtype, &rdata_name, + &rdataset, &sigrdataset); + dns_name_free(&query_name, mctx); + if (&rdata_name == NULL || rdataset == NULL || + sigrdataset == NULL) { + printf("\n;; Impossible to verify the Non-existence," + " the NSEC RRset can't be validated: " + "FAILED\n\n"); + clean_trustedkey(); + return; + } + + if (result != ISC_R_SUCCESS) { + printf("\n No Answers and impossible to prove the" + " unsecurity : Validation FAILED\n\n"); + clean_trustedkey(); + return; + } + printf(";; An NSEC prove the non-existence of a answers," + " Now we want validate this NSEC\n"); + + dup_name(&rdata_name, &chase_name, mctx); + dns_name_free(&rdata_name, mctx); + chase_rdataset = rdataset; + chase_sigrdataset = sigrdataset; + chase_keyrdataset = NULL; + chase_sigkeyrdataset = NULL; + chase_dsrdataset = NULL; + chase_sigdsrdataset = NULL; + chase_siglookedup = ISC_FALSE; + chase_keylookedup = ISC_FALSE; + chase_dslookedup = ISC_FALSE; + chase_sigdslookedup = ISC_FALSE; + sigchase(msg); + clean_trustedkey(); + return; + } + + + printf("\n\n\n;; WE HAVE MATERIAL, WE NOW DO VALIDATION\n"); + + result = sigchase_verify_sig(&chase_name, chase_rdataset, + chase_keyrdataset, + chase_sigrdataset, mctx); + if (result != ISC_R_SUCCESS) { + dns_name_free(&chase_name, mctx); + dns_name_free(&chase_signame, mctx); + printf(";; No DNSKEY is valid to check the RRSIG" + " of the RRset: FAILED\n"); + clean_trustedkey(); + return; + } + printf(";; OK We found DNSKEY (or more) to validate the RRset\n"); + + result = contains_trusted_key(&chase_signame, chase_keyrdataset, + chase_sigkeyrdataset, mctx); + if (result == ISC_R_SUCCESS) { + dns_name_free(&chase_name, mctx); + dns_name_free(&chase_signame, mctx); + printf("\n;; Ok this DNSKEY is a Trusted Key," + " DNSSEC validation is ok: SUCCESS\n\n"); + clean_trustedkey(); + return; + } + + printf(";; Now, we are going to validate this DNSKEY by the DS\n"); + + if (chase_dsrdataset == NULL) { + dns_name_free(&chase_name, mctx); + dns_name_free(&chase_signame, mctx); + printf(";; the DNSKEY isn't trusted-key and there isn't" + " DS to validate the DNSKEY: FAILED\n"); + clean_trustedkey(); + return; + } + + result = sigchase_verify_ds(&chase_signame, chase_keyrdataset, + chase_dsrdataset, mctx); + if (result != ISC_R_SUCCESS) { + dns_name_free(&chase_signame, mctx); + dns_name_free(&chase_name, mctx); + printf(";; ERROR no DS validates a DNSKEY in the" + " DNSKEY RRset: FAILED\n"); + clean_trustedkey(); + return; + } + else + printf(";; OK this DNSKEY (validated by the DS) validates" + " the RRset of the DNSKEYs, thus the DNSKEY validates" + " the RRset\n"); + INSIST(chase_sigdsrdataset != NULL); + + dup_name(&chase_signame, &chase_name, mctx); + dns_name_free(&chase_signame, mctx); + chase_rdataset = chase_dsrdataset; + chase_sigrdataset = chase_sigdsrdataset; + chase_keyrdataset = NULL; + chase_sigkeyrdataset = NULL; + chase_dsrdataset = NULL; + chase_sigdsrdataset = NULL; + chase_siglookedup = chase_keylookedup = ISC_FALSE; + chase_dslookedup = chase_sigdslookedup = ISC_FALSE; + + printf(";; Now, we want to validate the DS : recursive call\n"); + sigchase(msg); + return; +} +#endif + +void +sigchase(dns_message_t * msg) +{ +#if DIG_SIGCHASE_TD + if (current_lookup->do_topdown) { + sigchase_td(msg); + return; + } +#endif +#if DIG_SIGCHASE_BU + sigchase_bu(msg); + return; +#endif +} + + +/* + * return 1 if name1 < name2 + * 0 if name1 == name2 + * -1 if name1 > name2 + * and -2 if problem + */ +int +inf_name(dns_name_t * name1, dns_name_t * name2) +{ + dns_label_t label1; + dns_label_t label2; + unsigned int nblabel1; + unsigned int nblabel2; + int min_lum_label; + int i; + int ret = -2; + + nblabel1 = dns_name_countlabels(name1); + nblabel2 = dns_name_countlabels(name2); + + if (nblabel1 >= nblabel2) + min_lum_label = nblabel2; + else + min_lum_label = nblabel1; + + + for (i=1 ; i < min_lum_label; i++) { + dns_name_getlabel(name1, nblabel1 -1 - i, &label1); + dns_name_getlabel(name2, nblabel2 -1 - i, &label2); + if ((ret = isc_region_compare(&label1, &label2)) != 0) { + if (ret <0 ) + return -1; + else if (ret >0 ) + return 1; + } + } + if (nblabel1 == nblabel2) + return 0; + + if (nblabel1 < nblabel2) + return -1; + else + return 1; +} + +/** + * + * + * + */ +isc_result_t +prove_nx_domain(dns_message_t *msg, + dns_name_t *name, + dns_name_t *rdata_name, + dns_rdataset_t ** rdataset, + dns_rdataset_t **sigrdataset) +{ + isc_result_t ret = ISC_R_FAILURE; + isc_result_t result = ISC_R_NOTFOUND; + dns_rdataset_t * nsecset = NULL; + dns_rdataset_t * signsecset = NULL ; + dns_rdata_t nsec = DNS_RDATA_INIT; + dns_name_t * nsecname = NULL; + dns_rdata_nsec_t nsecstruct; + + if ((result = dns_message_firstname(msg, DNS_SECTION_AUTHORITY)) + != ISC_R_SUCCESS) { + printf(";; nothing in authority section : impossible to" + " validate the non-existence : FAILED\n"); + return(ISC_R_FAILURE); + } + + do { + dns_message_currentname(msg, DNS_SECTION_AUTHORITY, &nsecname); + nsecset = search_type(nsecname, dns_rdatatype_nsec, + dns_rdatatype_any); + if (nsecset == NULL) + continue; + + printf("There is a NSEC for this zone in the" + " AUTHORITY section:\n"); + print_rdataset(nsecname, nsecset, mctx); + + for (result = dns_rdataset_first(nsecset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(nsecset)) { + dns_rdataset_current(nsecset, &nsec); + + + signsecset + = chase_scanname_section(msg, nsecname, + dns_rdatatype_rrsig, + dns_rdatatype_nsec, + DNS_SECTION_AUTHORITY); + if (signsecset == NULL) { + printf(";; no RRSIG NSEC in authority section:" + " impossible to validate the " + "non-existence: FAILED\n"); + return(ISC_R_FAILURE); + } + + ret = dns_rdata_tostruct(&nsec, &nsecstruct, NULL); + check_result(ret,"dns_rdata_tostruct"); + + if ((inf_name(nsecname, &nsecstruct.next) == 1 && + inf_name(name, &nsecstruct.next) == 1) || + (inf_name(name, nsecname) == 1 && + inf_name(&nsecstruct.next, name) == 1)) { + dns_rdata_freestruct(&nsecstruct); + *rdataset = nsecset; + *sigrdataset = signsecset; + dup_name(nsecname, rdata_name, mctx); + + return ISC_R_SUCCESS; + } + + dns_rdata_freestruct(&nsecstruct); + } + nsecname = NULL; + } while (dns_message_nextname(msg, DNS_SECTION_AUTHORITY) + == ISC_R_SUCCESS); + + *rdataset = NULL; + *sigrdataset = NULL; + rdata_name = NULL; + return(ISC_R_FAILURE); +} + +/** + * + * + * + * + * + */ +isc_result_t +prove_nx_type(dns_message_t * msg, + dns_name_t *name, + dns_rdataset_t *nsecset, + dns_rdataclass_t class, + dns_rdatatype_t type, + dns_name_t * rdata_name, + dns_rdataset_t ** rdataset, + dns_rdataset_t ** sigrdataset) +{ + isc_result_t ret; + dns_rdataset_t * signsecset; + dns_rdata_t nsec = DNS_RDATA_INIT; + + UNUSED(class); + UNUSED(rdata_name); + + ret = dns_rdataset_first(nsecset); + check_result(ret,"dns_rdataset_first"); + + dns_rdataset_current(nsecset, &nsec); + + ret = dns_nsec_typepresent(&nsec, type); + if (ret == ISC_R_SUCCESS) + printf("OK the NSEC said that the type doesn't exist \n"); + + signsecset = chase_scanname_section(msg, name, + dns_rdatatype_rrsig, + dns_rdatatype_nsec, + DNS_SECTION_AUTHORITY); + if (signsecset == NULL) { + printf("There isn't RRSIG NSEC for the zone \n"); + return ISC_R_FAILURE; + } + *rdataset = nsecset; + *sigrdataset = signsecset; + + return (ret); +} + +/** + * + * + * + * + */ +isc_result_t +prove_nx(dns_message_t * msg, + dns_name_t * name, + dns_rdataclass_t class, + dns_rdatatype_t type, + dns_name_t * rdata_name, + dns_rdataset_t ** rdataset, + dns_rdataset_t ** sigrdataset) +{ + isc_result_t ret; + dns_rdataset_t * nsecset = NULL; + + + printf("We want to prove the non-existance of a type of rdata %d" + " or of the zone: \n", type); + + if ((ret = dns_message_firstname(msg, DNS_SECTION_AUTHORITY)) + != ISC_R_SUCCESS) { + printf(";; nothing in authority section : impossible to" + " validate the non-existence : FAILED\n"); + return(ISC_R_FAILURE); + } + + nsecset = chase_scanname_section(msg, name, dns_rdatatype_nsec, + dns_rdatatype_any, + DNS_SECTION_AUTHORITY); + if (nsecset != NULL) { + printf("We have a NSEC for this zone :OK\n"); + ret = prove_nx_type(msg, name, nsecset, class, + type, rdata_name, rdataset, + sigrdataset); + if (ret != ISC_R_SUCCESS) { + printf("prove_nx: ERROR type exist\n"); + return(ret); + } else { + printf("prove_nx: OK type does not exist\n"); + return(ISC_R_SUCCESS); + } + } else { + printf("there is no NSEC for this zone: validating " + "that the zone doesn't exist\n"); + ret = prove_nx_domain(msg, name, rdata_name, + rdataset, sigrdataset); + return(ret); + } + /* Never get here */ +} +#endif diff --git a/usr.sbin/bind/bin/dig/host.1 b/usr.sbin/bind/bin/dig/host.1 index 38a1ef6548e..e4ffca4bf3c 100644 --- a/usr.sbin/bind/bin/dig/host.1 +++ b/usr.sbin/bind/bin/dig/host.1 @@ -1,25 +1,26 @@ -.\" -.\" Copyright (C) 2000, 2001 Internet Software Consortium. +.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2000-2002 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. .\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +.\" PERFORMANCE OF THIS SOFTWARE. +.\" +.\" $ISC: host.1,v 1.11.2.1.4.4 2004/04/13 04:11:03 marka Exp $ .\" .TH "HOST" "1" "Jun 30, 2000" "BIND9" "" .SH NAME host \- DNS lookup utility .SH SYNOPSIS .sp -\fBhost\fR [ \fB-aCdlnrTwv\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-N \fIndots\fB\fR ] [ \fB-R \fInumber\fB\fR ] [ \fB-t \fItype\fB\fR ] [ \fB-W \fIwait\fB\fR ] \fBname\fR [ \fBserver\fR ] +\fBhost\fR [ \fB-aCdlnrTwv\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-N \fIndots\fB\fR ] [ \fB-R \fInumber\fB\fR ] [ \fB-t \fItype\fB\fR ] [ \fB-W \fIwait\fB\fR ] [ \fB-4\fR ] [ \fB-6\fR ] \fBname\fR [ \fBserver\fR ] .SH "DESCRIPTION" .PP \fBhost\fR @@ -61,14 +62,14 @@ output. .PP List mode is selected by the \fB-l\fR option. This makes \fBhost\fR perform a zone transfer for zone -\fIname\fR. The argument is provided for -compatibility with older implementations. This option is equivalent -to making a query of type AXFR. +\fIname\fR. Transfer the zone printing out the NS, PTR +and address records (A/AAAA). If combined with \fB-a\fR +all records will be printed. .PP -The \fB-n\fR +The \fB-i\fR option specifies that reverse lookups of IPv6 addresses should -use the IP6.INT domain and "nibble" labels as defined in RFC1886. -The default is to use IP6.ARPA and binary labels as defined in RFC2874. +use the IP6.INT domain as defined in RFC1886. +The default is to use IP6.ARPA. .PP The \fB-N\fR option sets the number of dots that have to be in \fIname\fR for it to be considered absolute. The @@ -101,6 +102,10 @@ By default \fBhost\fR uses UDP when making queries. The the name server. TCP will be automatically selected for queries that require it, such as zone transfer (AXFR) requests. .PP +The \fB-4\fR option forces \fBhost\fR to only +use IPv4 query transport. The \fB-6\fR option forces +\fBhost\fR to only use IPv6 query transport. +.PP The \fB-t\fR option is used to select the query type. \fItype\fR can be any recognised query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified, @@ -109,7 +114,9 @@ type. By default it looks for A records, but if the \fB-C\fR option was given, queries will be made for SOA records, and if \fIname\fR is a dotted-decimal IPv4 address or colon-delimited IPv6 address, \fBhost\fR will -query for PTR records. +query for PTR records. If a query type of IXFR is chosen the starting +serial number can be specified by appending an equal followed by the +starting serial number (e.g. -t IXFR=12345678). .PP The time to wait for a reply can be controlled through the \fB-W\fR and \fB-w\fR options. The diff --git a/usr.sbin/bind/bin/dig/host.c b/usr.sbin/bind/bin/dig/host.c index e4252a4bdfe..9a5fb2bb3e9 100644 --- a/usr.sbin/bind/bin/dig/host.c +++ b/usr.sbin/bind/bin/dig/host.c @@ -1,32 +1,33 @@ /* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: host.c,v 1.76.2.5 2003/07/25 04:36:44 marka Exp $ */ +/* $ISC: host.c,v 1.76.2.5.2.9 2004/04/13 03:00:06 marka Exp $ */ #include <config.h> -#include <stdlib.h> #include <limits.h> #include <isc/app.h> #include <isc/commandline.h> #include <isc/netaddr.h> +#include <isc/print.h> #include <isc/string.h> #include <isc/util.h> #include <isc/task.h> +#include <isc/stdlib.h> #include <dns/byaddr.h> #include <dns/fixedname.h> @@ -40,9 +41,10 @@ #include <dig/dig.h> extern ISC_LIST(dig_lookup_t) lookup_list; -extern ISC_LIST(dig_server_t) server_list; +extern dig_serverlist_t server_list; extern ISC_LIST(dig_searchlist_t) search_list; +extern isc_boolean_t have_ipv4, have_ipv6; extern isc_boolean_t usesearch; extern isc_boolean_t debugging; extern unsigned int timeout; @@ -54,6 +56,8 @@ extern isc_task_t *global_task; extern int fatalexit; static isc_boolean_t short_form = ISC_TRUE, listed_server = ISC_FALSE; +static isc_boolean_t default_lookups = ISC_TRUE; +static int seen_error = -1; static isc_boolean_t list_addresses = ISC_TRUE; static dns_rdatatype_t list_type = dns_rdatatype_a; @@ -96,123 +100,40 @@ static const char *rcodetext[] = { "BADVERS" }; -static const char *rtypetext[] = { - "zero", /* 0 */ - "has address", /* 1 */ - "name server", /* 2 */ - "MD", /* 3 */ - "MF", /* 4 */ - "is an alias for", /* 5 */ - "SOA", /* 6 */ - "MB", /* 7 */ - "MG", /* 8 */ - "MR", /* 9 */ - "NULL", /* 10 */ - "has well known services", /* 11 */ - "domain name pointer", /* 12 */ - "host information", /* 13 */ - "MINFO", /* 14 */ - "mail is handled by", /* 15 */ - "text", /* 16 */ - "RP", /* 17 */ - "AFSDB", /* 18 */ - "x25 address", /* 19 */ - "isdn address", /* 20 */ - "RT", /* 21 */ - "NSAP", /* 22 */ - "NSAP_PTR", /* 23 */ - "has signature", /* 24 */ - "has key", /* 25 */ - "PX", /* 26 */ - "GPOS", /* 27 */ - "has AAAA address", /* 28 */ - "LOC", /* 29 */ - "has next record", /* 30 */ - "EID", /* 31 */ - "NIMLOC", /* 32 */ - "SRV", /* 33 */ - "ATMA", /* 34 */ - "NAPTR", /* 35 */ - "KX", /* 36 */ - "CERT", /* 37 */ - "has v6 address", /* 38 */ - "DNAME", /* 39 */ - "has optional information", /* 41 */ - "has 42 record", /* 42 */ - "has 43 record", /* 43 */ - "has 44 record", /* 44 */ - "has 45 record", /* 45 */ - "has 46 record", /* 46 */ - "has 47 record", /* 47 */ - "has 48 record", /* 48 */ - "has 49 record", /* 49 */ - "has 50 record", /* 50 */ - "has 51 record", /* 51 */ - "has 52 record", /* 52 */ - "has 53 record", /* 53 */ - "has 54 record", /* 54 */ - "has 55 record", /* 55 */ - "has 56 record", /* 56 */ - "has 57 record", /* 57 */ - "has 58 record", /* 58 */ - "has 59 record", /* 59 */ - "has 60 record", /* 60 */ - "has 61 record", /* 61 */ - "has 62 record", /* 62 */ - "has 63 record", /* 63 */ - "has 64 record", /* 64 */ - "has 65 record", /* 65 */ - "has 66 record", /* 66 */ - "has 67 record", /* 67 */ - "has 68 record", /* 68 */ - "has 69 record", /* 69 */ - "has 70 record", /* 70 */ - "has 71 record", /* 71 */ - "has 72 record", /* 72 */ - "has 73 record", /* 73 */ - "has 74 record", /* 74 */ - "has 75 record", /* 75 */ - "has 76 record", /* 76 */ - "has 77 record", /* 77 */ - "has 78 record", /* 78 */ - "has 79 record", /* 79 */ - "has 80 record", /* 80 */ - "has 81 record", /* 81 */ - "has 82 record", /* 82 */ - "has 83 record", /* 83 */ - "has 84 record", /* 84 */ - "has 85 record", /* 85 */ - "has 86 record", /* 86 */ - "has 87 record", /* 87 */ - "has 88 record", /* 88 */ - "has 89 record", /* 89 */ - "has 90 record", /* 90 */ - "has 91 record", /* 91 */ - "has 92 record", /* 92 */ - "has 93 record", /* 93 */ - "has 94 record", /* 94 */ - "has 95 record", /* 95 */ - "has 96 record", /* 96 */ - "has 97 record", /* 97 */ - "has 98 record", /* 98 */ - "has 99 record", /* 99 */ - "UINFO", /* 100 */ - "UID", /* 101 */ - "GID", /* 102 */ - "UNSPEC"}; /* 103 */ +struct rtype { + unsigned int type; + const char *text; +}; +struct rtype rtypes[] = { + { 1, "has address" }, + { 2, "name server" }, + { 5, "is an alias for" }, + { 11, "has well known services" }, + { 12, "domain name pointer" }, + { 13, "host information" }, + { 15, "mail is handled by" }, + { 16, "descriptive text" }, + { 19, "x25 address" }, + { 20, "ISDN address" }, + { 24, "has signature" }, + { 25, "has key" }, + { 28, "has IPv6 address" }, + { 29, "location" }, + { 0, NULL } +}; static void show_usage(void) { fputs( -"Usage: host [-aCdlrTwv] [-c class] [-n] [-N ndots] [-t type] [-W time]\n" +"Usage: host [-aCdlriTwv] [-c class] [-N ndots] [-t type] [-W time]\n" " [-R number] hostname [server]\n" " -a is equivalent to -v -t *\n" " -c specifies query class for non-IN data\n" " -C compares SOA records on authoritative nameservers\n" " -d is equivalent to -v\n" " -l lists all hosts in a domain, using AXFR\n" -" -i Use the old IN6.INT form of IPv6 reverse lookup\n" +" -i IP6.INT reverse lookups\n" " -N changes the number of dots allowed before root lookup is done\n" " -r disables recursive processing\n" " -R specifies number of retries for UDP packets\n" @@ -220,7 +141,9 @@ show_usage(void) { " -T enables TCP/IP mode\n" " -v enables verbose output\n" " -w specifies to wait forever for a reply\n" -" -W specifies how long to wait for a reply\n", stderr); +" -W specifies how long to wait for a reply\n" +" -4 use IPv4 query transport only\n" +" -6 use IPv6 query transport only\n", stderr); exit(1); } @@ -230,17 +153,14 @@ dighost_shutdown(void) { } void -received(int bytes, isc_sockaddr_t *from, dig_query_t *query) -{ +received(int bytes, isc_sockaddr_t *from, dig_query_t *query) { isc_time_t now; - isc_result_t result; int diff; if (!short_form) { char fromtext[ISC_SOCKADDR_FORMATSIZE]; isc_sockaddr_format(from, fromtext, sizeof(fromtext)); - result = isc_time_now(&now); - check_result(result, "isc_time_now"); + TIME_NOW(&now); diff = (int) isc_time_microdiff(&now, &query->time_sent); printf("Received %u bytes from %s in %d ms\n", bytes, fromtext, diff/1000); @@ -289,8 +209,18 @@ say_message(dns_name_t *name, const char *msg, dns_rdata_t *rdata, printf("\n"); isc_buffer_free(&b); } - - +#ifdef DIG_SIGCHASE +/* Just for compatibility : not use in host program */ +isc_result_t +printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset, + isc_buffer_t *target) +{ + UNUSED(owner_name); + UNUSED(rdataset); + UNUSED(target); + return(ISC_FALSE); +} +#endif static isc_result_t printsection(dns_message_t *msg, dns_section_t sectionid, const char *section_name, isc_boolean_t headers, @@ -306,7 +236,6 @@ printsection(dns_message_t *msg, dns_section_t sectionid, char t[4096]; isc_boolean_t first; isc_boolean_t no_rdata; - const char *rtt; if (sectionid == DNS_SECTION_QUESTION) no_rdata = ISC_TRUE; @@ -364,15 +293,27 @@ printsection(dns_message_t *msg, dns_section_t sectionid, } else { loopresult = dns_rdataset_first(rdataset); while (loopresult == ISC_R_SUCCESS) { + struct rtype *t; + const char *rtt; + char typebuf[DNS_RDATATYPE_FORMATSIZE]; + char typebuf2[DNS_RDATATYPE_FORMATSIZE + + 20]; dns_rdataset_current(rdataset, &rdata); - if (rdata.type <= 103) - rtt = rtypetext[rdata.type]; - else if (rdata.type == 249) - rtt = "key"; - else if (rdata.type == 250) - rtt = "signature"; - else - rtt = "unknown"; + + for (t = rtypes; t->text != NULL; t++) { + if (t->type == rdata.type) { + rtt = t->text; + goto found; + } + } + + dns_rdatatype_format(rdata.type, + typebuf, + sizeof(typebuf)); + snprintf(typebuf2, sizeof(typebuf2), + "has %s record", typebuf); + rtt = typebuf2; + found: say_message(print_name, rtt, &rdata, query); dns_rdata_reset(&rdata); @@ -431,9 +372,16 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) { dns_rdataset_t *opt, *tsig = NULL; dns_name_t *tsigname; isc_result_t result = ISC_R_SUCCESS; + int force_error; UNUSED(headers); + /* + * We get called multiple times. + * Preserve any existing error status. + */ + force_error = (seen_error == 1) ? 1 : 0; + seen_error = 1; if (listed_server) { char sockstr[ISC_SOCKADDR_FORMATSIZE]; @@ -452,6 +400,36 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) { msg->rcode, rcodetext[msg->rcode]); return (ISC_R_SUCCESS); } + + if (default_lookups && query->lookup->rdtype == dns_rdatatype_a) { + char namestr[DNS_NAME_FORMATSIZE]; + dig_lookup_t *lookup; + + /* Add AAAA and MX lookups. */ + + dns_name_format(query->lookup->name, namestr, sizeof(namestr)); + lookup = clone_lookup(query->lookup, ISC_FALSE); + if (lookup != NULL) { + strlcpy(lookup->textname, namestr, + sizeof(lookup->textname)); + lookup->rdtype = dns_rdatatype_aaaa; + lookup->rdtypeset = ISC_TRUE; + lookup->origin = NULL; + lookup->retries = tries; + ISC_LIST_APPEND(lookup_list, lookup, link); + } + lookup = clone_lookup(query->lookup, ISC_FALSE); + if (lookup != NULL) { + strlcpy(lookup->textname, namestr, + sizeof(lookup->textname)); + lookup->rdtype = dns_rdatatype_mx; + lookup->rdtypeset = ISC_TRUE; + lookup->origin = NULL; + lookup->retries = tries; + ISC_LIST_APPEND(lookup_list, lookup, link); + } + } + if (!short_form) { printf(";; ->>HEADER<<- opcode: %s, status: %s, id: %u\n", opcodetext[msg->opcode], rcodetext[msg->rcode], @@ -544,13 +522,22 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) { if (!short_form) printf("\n"); + if (short_form && !default_lookups && + ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ANSWER])) { + char namestr[DNS_NAME_FORMATSIZE]; + char typestr[DNS_RDATATYPE_FORMATSIZE]; + dns_name_format(query->lookup->name, namestr, sizeof(namestr)); + dns_rdatatype_format(query->lookup->rdtype, typestr, + sizeof(typestr)); + printf("%s has no %s record\n", namestr, typestr); + } + seen_error = force_error; return (result); } static void parse_args(isc_boolean_t is_batchfile, int argc, char **argv) { char hostname[MXNAME]; - dig_server_t *srv; dig_lookup_t *lookup; int c; char store[MXNAME]; @@ -558,12 +545,13 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) { isc_result_t result = ISC_R_SUCCESS; dns_rdatatype_t rdtype; dns_rdataclass_t rdclass; + isc_uint32_t serial = 0; UNUSED(is_batchfile); lookup = make_empty_lookup(); - while ((c = isc_commandline_parse(argc, argv, "ilvwrdt:c:aTCN:R:W:Dn")) + while ((c = isc_commandline_parse(argc, argv, "lvwrdt:c:aTCN:R:W:Dni46")) != EOF) { switch (c) { case 'l': @@ -580,24 +568,37 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) { lookup->recurse = ISC_FALSE; break; case 't': - tr.base = isc_commandline_argument; - tr.length = strlen(isc_commandline_argument); - result = dns_rdatatype_fromtext(&rdtype, + if (strncasecmp(isc_commandline_argument, + "ixfr=", 5) == 0) { + rdtype = dns_rdatatype_ixfr; + /* XXXMPA add error checking */ + serial = strtoul(isc_commandline_argument + 5, + NULL, 10); + result = ISC_R_SUCCESS; + } else { + tr.base = isc_commandline_argument; + tr.length = strlen(isc_commandline_argument); + result = dns_rdatatype_fromtext(&rdtype, (isc_textregion_t *)&tr); + } if (result != ISC_R_SUCCESS) { fatalexit = 2; fatal("invalid type: %s\n", isc_commandline_argument); - } + } if (!lookup->rdtypeset || lookup->rdtype != dns_rdatatype_axfr) lookup->rdtype = rdtype; + lookup->rdtypeset = ISC_TRUE; if (rdtype == dns_rdatatype_axfr) { /* -l -t any -v */ list_type = dns_rdatatype_any; short_form = ISC_FALSE; lookup->tcp_mode = ISC_TRUE; + } else if (rdtype == dns_rdatatype_ixfr) { + lookup->ixfr_serial = serial; + list_type = rdtype; } else list_type = rdtype; list_addresses = ISC_FALSE; @@ -616,6 +617,7 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) { lookup->rdclass = rdclass; lookup->rdclassset = ISC_TRUE; } + default_lookups = ISC_FALSE; break; case 'a': if (!lookup->rdtypeset || @@ -625,11 +627,13 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) { list_addresses = ISC_FALSE; lookup->rdtypeset = ISC_TRUE; short_form = ISC_FALSE; + default_lookups = ISC_FALSE; break; case 'i': lookup->ip6_int = ISC_TRUE; break; case 'n': + /* deprecated */ break; case 'w': /* @@ -644,9 +648,9 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) { timeout = 1; break; case 'R': - tries = atoi(isc_commandline_argument); - if (tries < 1) - tries = 1; + tries = atoi(isc_commandline_argument) + 1; + if (tries < 2) + tries = 2; break; case 'T': lookup->tcp_mode = ISC_TRUE; @@ -660,6 +664,7 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) { lookup->ns_search_only = ISC_TRUE; lookup->trace_root = ISC_TRUE; lookup->identify_previous_line = ISC_TRUE; + default_lookups = ISC_FALSE; break; case 'N': debug("setting NDOTS to %s", @@ -669,26 +674,42 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) { case 'D': debugging = ISC_TRUE; break; + case '4': + if (have_ipv4) { + isc_net_disableipv6(); + have_ipv6 = ISC_FALSE; + } else + fatal("can't find IPv4 networking"); + break; + case '6': + if (have_ipv6) { + isc_net_disableipv4(); + have_ipv4 = ISC_FALSE; + } else + fatal("can't find IPv6 networking"); + break; } } - if (isc_commandline_index >= argc) { + + lookup->retries = tries; + + if (isc_commandline_index >= argc) show_usage(); - } + strlcpy(hostname, argv[isc_commandline_index], sizeof(hostname)); if (argc > isc_commandline_index + 1) { - srv = make_server(argv[isc_commandline_index+1]); - debug("server is %s", srv->servername); - ISC_LIST_APPEND(server_list, srv, link); + set_nameserver(argv[isc_commandline_index+1]); + debug("server is %s", argv[isc_commandline_index+1]); listed_server = ISC_TRUE; } lookup->pending = ISC_FALSE; - if (get_reverse(store, hostname, lookup->ip6_int, ISC_TRUE) - == ISC_R_SUCCESS) - { + if (get_reverse(store, sizeof(store), hostname, + lookup->ip6_int, ISC_TRUE) == ISC_R_SUCCESS) { strlcpy(lookup->textname, store, sizeof(lookup->textname)); lookup->rdtype = dns_rdatatype_ptr; lookup->rdtypeset = ISC_TRUE; + default_lookups = ISC_FALSE; } else { strlcpy(lookup->textname, hostname, sizeof(lookup->textname)); } @@ -702,6 +723,8 @@ int main(int argc, char **argv) { isc_result_t result; + tries = 2; + ISC_LIST_INIT(lookup_list); ISC_LIST_INIT(server_list); ISC_LIST_INIT(search_list); @@ -721,6 +744,6 @@ main(int argc, char **argv) { cancel_all(); destroy_libs(); isc_app_finish(); - return (0); + return ((seen_error == 0) ? 0 : 1); } diff --git a/usr.sbin/bind/bin/dig/host.docbook b/usr.sbin/bind/bin/dig/host.docbook index 467bbc8c405..9132823b68e 100644 --- a/usr.sbin/bind/bin/dig/host.docbook +++ b/usr.sbin/bind/bin/dig/host.docbook @@ -1,22 +1,22 @@ <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> <!-- - - Copyright (C) 2000, 2001, 2003 Internet Software Consortium. + - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2002 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $ISC: host.docbook,v 1.2.2.2 2003/03/06 04:38:10 marka Exp $ --> +<!-- $ISC: host.docbook,v 1.2.2.2.4.5 2004/04/13 01:26:26 marka Exp $ --> <refentry> @@ -44,6 +44,8 @@ <arg><option>-R <replaceable class="parameter">number</replaceable></option></arg> <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg> <arg><option>-W <replaceable class="parameter">wait</replaceable></option></arg> + <arg><option>-4</option></arg> + <arg><option>-6</option></arg> <arg choice=req>name</arg> <arg choice=opt>server</arg> </cmdsynopsis> @@ -103,16 +105,16 @@ output. <para> List mode is selected by the <option>-l</option> option. This makes <command>host</command> perform a zone transfer for zone -<parameter>name</parameter>. The argument is provided for -compatibility with older implementations. This option is equivalent -to making a query of type AXFR. +<parameter>name</parameter>. Transfer the zone printing out the NS, PTR +and address records (A/AAAA). If combined with <option>-a</option> +all records will be printed. </para> <para> -The <option>-n</option> +The <option>-i</option> option specifies that reverse lookups of IPv6 addresses should -use the IP6.INT domain and "nibble" labels as defined in RFC1886. -The default is to use IP6.ARPA and binary labels as defined in RFC2874. +use the IP6.INT domain as defined in RFC1886. +The default is to use IP6.ARPA. </para> <para> @@ -155,6 +157,12 @@ require it, such as zone transfer (AXFR) requests. </para> <para> +The <option>-4</option> option forces <command>host</command> to only +use IPv4 query transport. The <option>-6</option> option forces +<command>host</command> to only use IPv6 query transport. +</para> + +<para> The <option>-t</option> option is used to select the query type. <parameter>type</parameter> can be any recognised query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified, @@ -163,7 +171,9 @@ type. By default it looks for A records, but if the <option>-C</option> option was given, queries will be made for SOA records, and if <parameter>name</parameter> is a dotted-decimal IPv4 address or colon-delimited IPv6 address, <command>host</command> will -query for PTR records. +query for PTR records. If a query type of IXFR is chosen the starting +serial number can be specified by appending an equal followed by the +starting serial number (e.g. -t IXFR=12345678). </para> <para> diff --git a/usr.sbin/bind/bin/dig/host.html b/usr.sbin/bind/bin/dig/host.html index 9b3b730a428..dbbb479adf0 100644 --- a/usr.sbin/bind/bin/dig/host.html +++ b/usr.sbin/bind/bin/dig/host.html @@ -1,27 +1,30 @@ <!-- - - Copyright (C) 2000, 2001 Internet Software Consortium. - - + - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2002 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - - - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. --> + +<!-- $ISC: host.html,v 1.4.2.1.4.6 2004/08/22 23:38:58 marka Exp $ --> + +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML ><HEAD ><TITLE >host</TITLE ><META NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.73 -"></HEAD +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD ><BODY CLASS="REFENTRY" BGCOLOR="#FFFFFF" @@ -32,8 +35,8 @@ ALINK="#0000FF" ><H1 ><A NAME="AEN1" ->host</A -></H1 +></A +>host</H1 ><DIV CLASS="REFNAMEDIV" ><A @@ -53,55 +56,51 @@ NAME="AEN11" ><B CLASS="COMMAND" >host</B -> [<TT +> [<VAR CLASS="OPTION" ->-aCdlnrTwv</TT ->] [<TT +>-aCdlnrTwv</VAR +>] [<VAR CLASS="OPTION" ->-c <TT +>-c <VAR CLASS="REPLACEABLE" -><I ->class</I -></TT -></TT ->] [<TT +>class</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-N <TT +>-N <VAR CLASS="REPLACEABLE" -><I ->ndots</I -></TT -></TT ->] [<TT +>ndots</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-R <TT +>-R <VAR CLASS="REPLACEABLE" -><I ->number</I -></TT -></TT ->] [<TT +>number</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-t <TT +>-t <VAR CLASS="REPLACEABLE" -><I ->type</I -></TT -></TT ->] [<TT +>type</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-W <TT +>-W <VAR CLASS="REPLACEABLE" -><I ->wait</I -></TT -></TT +>wait</VAR +></VAR +>] [<VAR +CLASS="OPTION" +>-4</VAR +>] [<VAR +CLASS="OPTION" +>-6</VAR >] {name} [server]</P ></DIV ><DIV CLASS="REFSECT1" ><A -NAME="AEN33" +NAME="AEN37" ></A ><H2 >DESCRIPTION</H2 @@ -119,11 +118,9 @@ CLASS="COMMAND" > prints a short summary of its command line arguments and options.</P ><P -><TT +><VAR CLASS="PARAMETER" -><I ->name</I -></TT +>name</VAR > is the domain name that is to be looked up. It can also be a dotted-decimal IPv4 address or a colon-delimited IPv6 address, in which case <B @@ -131,11 +128,9 @@ CLASS="COMMAND" >host</B > will by default perform a reverse lookup for that address. -<TT +<VAR CLASS="PARAMETER" -><I ->server</I -></TT +>server</VAR > is an optional argument which is either the name or IP address of the name server that <B CLASS="COMMAND" @@ -147,45 +142,41 @@ CLASS="FILENAME" >/etc/resolv.conf</TT >.</P ><P ->The <TT +>The <VAR CLASS="OPTION" ->-a</TT +>-a</VAR > (all) option is equivalent to setting the -<TT +<VAR CLASS="OPTION" ->-v</TT +>-v</VAR > option and asking <B CLASS="COMMAND" >host</B > to make a query of type ANY.</P ><P ->When the <TT +>When the <VAR CLASS="OPTION" ->-C</TT +>-C</VAR > option is used, <B CLASS="COMMAND" >host</B > will attempt to display the SOA records for zone -<TT +<VAR CLASS="PARAMETER" -><I ->name</I -></TT +>name</VAR > from all the listed authoritative name servers for that zone. The list of name servers is defined by the NS records that are found for the zone.</P ><P ->The <TT +>The <VAR CLASS="OPTION" ->-c</TT +>-c</VAR > option instructs to make a DNS query of class -<TT +<VAR CLASS="PARAMETER" -><I ->class</I -></TT +>class</VAR >. This can be used to lookup Hesiod or Chaosnet class resource records. The default class is IN (Internet).</P ><P @@ -193,58 +184,57 @@ Chaosnet class resource records. The default class is IN (Internet).</P CLASS="COMMAND" >host</B > when the -<TT +<VAR CLASS="OPTION" ->-d</TT -> or <TT +>-d</VAR +> or <VAR CLASS="OPTION" ->-v</TT +>-v</VAR > option is used. The two options are equivalent. They have been provided for backwards -compatibility. In previous versions, the <TT +compatibility. In previous versions, the <VAR CLASS="OPTION" ->-d</TT +>-d</VAR > option -switched on debugging traces and <TT +switched on debugging traces and <VAR CLASS="OPTION" ->-v</TT +>-v</VAR > enabled verbose output.</P ><P ->List mode is selected by the <TT +>List mode is selected by the <VAR CLASS="OPTION" ->-l</TT +>-l</VAR > option. This makes <B CLASS="COMMAND" >host</B > perform a zone transfer for zone -<TT +<VAR CLASS="PARAMETER" -><I ->name</I -></TT ->. The argument is provided for -compatibility with older implementations. This option is equivalent -to making a query of type AXFR.</P +>name</VAR +>. Transfer the zone printing out the NS, PTR +and address records (A/AAAA). If combined with <VAR +CLASS="OPTION" +>-a</VAR +> +all records will be printed. </P ><P ->The <TT +>The <VAR CLASS="OPTION" ->-n</TT +>-i</VAR > option specifies that reverse lookups of IPv6 addresses should -use the IP6.INT domain and "nibble" labels as defined in RFC1886. -The default is to use IP6.ARPA and binary labels as defined in RFC2874.</P +use the IP6.INT domain as defined in RFC1886. +The default is to use IP6.ARPA.</P ><P ->The <TT +>The <VAR CLASS="OPTION" ->-N</TT +>-N</VAR > option sets the number of dots that have to be -in <TT +in <VAR CLASS="PARAMETER" -><I ->name</I -></TT +>name</VAR > for it to be considered absolute. The default value is that defined using the ndots statement in <TT @@ -266,31 +256,27 @@ CLASS="FILENAME" >.</P ><P >The number of UDP retries for a lookup can be changed with the -<TT +<VAR CLASS="OPTION" ->-R</TT -> option. <TT +>-R</VAR +> option. <VAR CLASS="PARAMETER" -><I ->number</I -></TT +>number</VAR > indicates how many times <B CLASS="COMMAND" >host</B > will repeat a query that does not get answered. The default number of retries is 1. If -<TT +<VAR CLASS="PARAMETER" -><I ->number</I -></TT +>number</VAR > is negative or zero, the number of retries will default to 1.</P ><P ->Non-recursive queries can be made via the <TT +>Non-recursive queries can be made via the <VAR CLASS="OPTION" ->-r</TT +>-r</VAR > option. Setting this option clears the <SPAN CLASS="TYPE" @@ -301,15 +287,13 @@ CLASS="COMMAND" >host</B > makes. This should mean that the name server receiving the query will not -attempt to resolve <TT +attempt to resolve <VAR CLASS="PARAMETER" -><I ->name</I -></TT +>name</VAR >. The -<TT +<VAR CLASS="OPTION" ->-r</TT +>-r</VAR > option enables <B CLASS="COMMAND" >host</B @@ -322,22 +306,36 @@ referrals to other name servers.</P CLASS="COMMAND" >host</B > uses UDP when making queries. The -<TT +<VAR CLASS="OPTION" ->-T</TT +>-T</VAR > option makes it use a TCP connection when querying the name server. TCP will be automatically selected for queries that require it, such as zone transfer (AXFR) requests.</P ><P ->The <TT +>The <VAR +CLASS="OPTION" +>-4</VAR +> option forces <B +CLASS="COMMAND" +>host</B +> to only +use IPv4 query transport. The <VAR CLASS="OPTION" ->-t</TT +>-6</VAR +> option forces +<B +CLASS="COMMAND" +>host</B +> to only use IPv6 query transport.</P +><P +>The <VAR +CLASS="OPTION" +>-t</VAR > option is used to select the query type. -<TT +<VAR CLASS="PARAMETER" -><I ->type</I -></TT +>type</VAR > can be any recognised query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified, <B @@ -345,52 +343,48 @@ CLASS="COMMAND" >host</B > automatically selects an appropriate query type. By default it looks for A records, but if the -<TT +<VAR CLASS="OPTION" ->-C</TT +>-C</VAR > option was given, queries will be made for SOA -records, and if <TT +records, and if <VAR CLASS="PARAMETER" -><I ->name</I -></TT +>name</VAR > is a dotted-decimal IPv4 address or colon-delimited IPv6 address, <B CLASS="COMMAND" >host</B > will -query for PTR records.</P +query for PTR records. If a query type of IXFR is chosen the starting +serial number can be specified by appending an equal followed by the +starting serial number (e.g. -t IXFR=12345678).</P ><P >The time to wait for a reply can be controlled through the -<TT +<VAR CLASS="OPTION" ->-W</TT -> and <TT +>-W</VAR +> and <VAR CLASS="OPTION" ->-w</TT +>-w</VAR > options. The -<TT +<VAR CLASS="OPTION" ->-W</TT +>-W</VAR > option makes <B CLASS="COMMAND" >host</B > wait for -<TT +<VAR CLASS="PARAMETER" -><I ->wait</I -></TT -> seconds. If <TT +>wait</VAR +> seconds. If <VAR CLASS="PARAMETER" -><I ->wait</I -></TT +>wait</VAR > is less than one, the wait interval is set to one second. When the -<TT +<VAR CLASS="OPTION" ->-w</TT +>-w</VAR > option is used, <B CLASS="COMMAND" >host</B @@ -402,7 +396,7 @@ value for an integer quantity.</P ><DIV CLASS="REFSECT1" ><A -NAME="AEN105" +NAME="AEN115" ></A ><H2 >FILES</H2 @@ -415,7 +409,7 @@ CLASS="FILENAME" ><DIV CLASS="REFSECT1" ><A -NAME="AEN109" +NAME="AEN119" ></A ><H2 >SEE ALSO</H2 diff --git a/usr.sbin/bind/bin/dig/include/dig/dig.h b/usr.sbin/bind/bin/dig/include/dig/dig.h index 4a46ab46485..3da7eb6953b 100644 --- a/usr.sbin/bind/bin/dig/include/dig/dig.h +++ b/usr.sbin/bind/bin/dig/include/dig/dig.h @@ -1,21 +1,21 @@ /* - * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: dig.h,v 1.71.2.6 2003/07/25 04:36:44 marka Exp $ */ +/* $ISC: dig.h,v 1.71.2.6.2.6 2004/06/19 02:30:12 sra Exp $ */ #ifndef DIG_H #define DIG_H @@ -74,11 +74,27 @@ * be 1. */ +/* + * Defaults for the sigchase suboptions. Consolidated here because + * these control the layout of dig_lookup_t (among other things). + */ +#ifdef DIG_SIGCHASE +#ifndef DIG_SIGCHASE_BU +#define DIG_SIGCHASE_BU 1 +#endif +#ifndef DIG_SIGCHASE_TD +#define DIG_SIGCHASE_TD 1 +#endif +#endif + ISC_LANG_BEGINDECLS typedef struct dig_lookup dig_lookup_t; typedef struct dig_query dig_query_t; typedef struct dig_server dig_server_t; +#ifdef DIG_SIGCHASE +typedef struct dig_message dig_message_t; +#endif typedef ISC_LIST(dig_server_t) dig_serverlist_t; typedef struct dig_searchlist dig_searchlist_t; @@ -110,10 +126,27 @@ struct dig_lookup { new_search, besteffort, dnssec; +#ifdef DIG_SIGCHASE +isc_boolean_t sigchase; +#if DIG_SIGCHASE_TD + isc_boolean_t do_topdown, + trace_root_sigchase, + rdtype_sigchaseset, + rdclass_sigchaseset; + /* Name we are going to validate RRset */ + char textnamesigchase[MXNAME]; +#endif +#endif + char textname[MXNAME]; /* Name we're going to be looking up */ char cmdline[MXNAME]; dns_rdatatype_t rdtype; dns_rdatatype_t qrdtype; +#if DIG_SIGCHASE_TD + dns_rdatatype_t rdtype_sigchase; + dns_rdatatype_t qrdtype_sigchase; + dns_rdataclass_t rdclass_sigchase; +#endif dns_rdataclass_t rdclass; isc_boolean_t rdtypeset; isc_boolean_t rdclassset; @@ -156,6 +189,7 @@ struct dig_query { warn_id; isc_uint32_t first_rr_serial; isc_uint32_t second_rr_serial; + isc_uint32_t msg_count; isc_uint32_t rr_count; char *servname; isc_bufferlist_t sendlist, @@ -182,7 +216,12 @@ struct dig_searchlist { char origin[MXNAME]; ISC_LINK(dig_searchlist_t) link; }; - +#ifdef DIG_SIGCHASE +struct dig_message { + dns_message_t *msg; + ISC_LINK(dig_message_t) link; +}; +#endif /* * Routines in dighost.c. */ @@ -190,7 +229,7 @@ void get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr); isc_result_t -get_reverse(char *reverse, char *value, isc_boolean_t ip6int, +get_reverse(char *reverse, size_t len, char *value, isc_boolean_t ip6_int, isc_boolean_t strict); void @@ -236,6 +275,12 @@ dig_server_t * make_server(const char *servname); void +flush_server_list(void); + +void +set_nameserver(char *opt); + +void clone_server_list(dig_serverlist_t src, dig_serverlist_t *dest); @@ -248,9 +293,19 @@ destroy_libs(void); void set_search_domain(char *domain); +#ifdef DIG_SIGCHASE +void +clean_trustedkey(void); +#endif + /* * Routines to be defined in dig.c, host.c, and nslookup.c. */ +#ifdef DIG_SIGCHASE +isc_result_t +printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset, + isc_buffer_t *target); +#endif isc_result_t printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers); @@ -275,6 +330,14 @@ dighost_shutdown(void); char * next_token(char **stringp, const char *delim); +#ifdef DIG_SIGCHASE +/* Chasing functions */ +dns_rdataset_t * +chase_scanname(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers); +void +chase_sig(dns_message_t *msg); +#endif + ISC_LANG_ENDDECLS #endif diff --git a/usr.sbin/bind/bin/dig/nslookup.1 b/usr.sbin/bind/bin/dig/nslookup.1 new file mode 100644 index 00000000000..a06406afb38 --- /dev/null +++ b/usr.sbin/bind/bin/dig/nslookup.1 @@ -0,0 +1,192 @@ +.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +.\" PERFORMANCE OF THIS SOFTWARE. +.\" +.\" $ISC: nslookup.1,v 1.1.6.2 2004/08/20 02:29:39 marka Exp $ +.\" +.TH "NSLOOKUP" "1" "Jun 30, 2000" "BIND9" "" +.SH NAME +nslookup \- query Internet name servers interactively +.SH SYNOPSIS +.sp +\fBnslookup\fR [ \fB-option\fR ] [ \fBname | -\fR ] [ \fBserver\fR ] +.SH "DESCRIPTION" +.PP +\fBNslookup\fR +is a program to query Internet domain name servers. \fBNslookup\fR +has two modes: interactive and non-interactive. Interactive mode allows +the user to query name servers for information about various hosts and +domains or to print a list of hosts in a domain. Non-interactive mode is +used to print just the name and requested information for a host or +domain. +.SH "ARGUMENTS" +.PP +Interactive mode is entered in the following cases: +.IP 1. +when no arguments are given (the default name server will be used) +.IP 2. +when the first argument is a hyphen (-) and the second argument is +the host name or Internet address of a name server. +.PP +Non-interactive mode is used when the name or Internet address of the +host to be looked up is given as the first argument. The optional second +argument specifies the host name or address of a name server. +.PP +Options can also be specified on the command line if they precede the +arguments and are prefixed with a hyphen. For example, to +change the default query type to host information, and the initial timeout to 10 seconds, type: +.PP +.sp +.nf +nslookup -query=hinfo -timeout=10 +.sp +.fi +.SH "INTERACTIVE COMMANDS" +.TP +\fBhost [server]\fR +Look up information for host using the current default server or +using server, if specified. If host is an Internet address and +the query type is A or PTR, the name of the host is returned. +If host is a name and does not have a trailing period, the +search list is used to qualify the name. + +To look up a host not in the current domain, append a period to +the name. +.TP +\fBserver \fIdomain\fB\fR +.TP +\fBlserver \fIdomain\fB\fR +Change the default server to \fIdomain\fR; lserver uses the initial +server to look up information about \fIdomain\fR, while server uses +the current default server. If an authoritative answer can't be +found, the names of servers that might have the answer are +returned. +.TP +\fBroot\fR +not implemented +.TP +\fBfinger\fR +not implemented +.TP +\fBls\fR +not implemented +.TP +\fBview\fR +not implemented +.TP +\fBhelp\fR +not implemented +.TP +\fB?\fR +not implemented +.TP +\fBexit\fR +Exits the program. +.TP +\fBset \fIkeyword[=value]\fB\fR +This command is used to change state information that affects +the lookups. Valid keywords are: +.RS +.TP +\fBall\fR +Prints the current values of the frequently used +options to \fBset\fR. Information about the current default +server and host is also printed. +.TP +\fBclass=\fIvalue\fB\fR +Change the query class to one of: +.RS +.TP +\fBIN\fR +the Internet class +.TP +\fBCH\fR +the Chaos class +.TP +\fBHS\fR +the Hesiod class +.TP +\fBANY\fR +wildcard +.RE +.PP +The class specifies the protocol group of the information. + +(Default = IN; abbreviation = cl) +.TP +\fB\fI[no]\fBdebug\fR +Turn debugging mode on. A lot more information is +printed about the packet sent to the server and the +resulting answer. + +(Default = nodebug; abbreviation = [no]deb) +.TP +\fB\fI[no]\fBd2\fR +Turn debugging mode on. A lot more information is +printed about the packet sent to the server and the +resulting answer. + +(Default = nod2) +.TP +\fBdomain=\fIname\fB\fR +Sets the search list to \fIname\fR. +.TP +\fB\fI[no]\fBsearch\fR +If the lookup request contains at least one period but +doesn't end with a trailing period, append the domain +names in the domain search list to the request until an +answer is received. + +(Default = search) +.TP +\fBport=\fIvalue\fB\fR +Change the default TCP/UDP name server port to \fIvalue\fR. + +(Default = 53; abbreviation = po) +.TP +\fBquerytype=\fIvalue\fB\fR +.TP +\fBtype=\fIvalue\fB\fR +Change the top of the information query. + +(Default = A; abbreviations = q, ty) +.TP +\fB\fI[no]\fBrecurse\fR +Tell the name server to query other servers if it does not have the +information. + +(Default = recurse; abbreviation = [no]rec) +.TP +\fBretry=\fInumber\fB\fR +Set the number of retries to number. +.TP +\fBtimeout=\fInumber\fB\fR +Change the initial timeout interval for waiting for a +reply to number seconds. +.TP +\fB\fI[no]\fBvc\fR +Always use a virtual circuit when sending requests to the server. + +(Default = novc) +.RE +.SH "FILES" +.PP +\fI/etc/resolv.conf\fR +.SH "SEE ALSO" +.PP +\fBdig\fR(1), +\fBhost\fR(1), +\fBnamed\fR(8). +.SH "AUTHOR" +.PP +Andrew Cherenson diff --git a/usr.sbin/bind/bin/dig/nslookup.c b/usr.sbin/bind/bin/dig/nslookup.c index 0070b19b7a4..0a6ea08caea 100644 --- a/usr.sbin/bind/bin/dig/nslookup.c +++ b/usr.sbin/bind/bin/dig/nslookup.c @@ -1,21 +1,21 @@ /* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: nslookup.c,v 1.90.2.5 2003/10/09 07:32:30 marka Exp $ */ +/* $ISC: nslookup.c,v 1.90.2.4.2.7 2004/08/18 23:25:58 marka Exp $ */ #include <config.h> @@ -25,6 +25,7 @@ #include <isc/buffer.h> #include <isc/commandline.h> #include <isc/event.h> +#include <isc/parseint.h> #include <isc/string.h> #include <isc/timer.h> #include <isc/util.h> @@ -44,25 +45,20 @@ #include <dig/dig.h> extern ISC_LIST(dig_lookup_t) lookup_list; -extern ISC_LIST(dig_server_t) server_list; +extern dig_serverlist_t server_list; extern ISC_LIST(dig_searchlist_t) search_list; -extern isc_boolean_t have_ipv6, usesearch, qr, debugging; +extern isc_boolean_t usesearch, debugging; extern in_port_t port; extern unsigned int timeout; extern isc_mem_t *mctx; -extern dns_messageid_t id; -extern int sendcount; -extern int ndots; extern int tries; extern int lookup_counter; -extern int exitcode; -extern isc_taskmgr_t *taskmgr; extern isc_task_t *global_task; extern char *progname; static isc_boolean_t short_form = ISC_TRUE, - tcpmode = ISC_FALSE, deprecation_msg = ISC_FALSE, + tcpmode = ISC_FALSE, identify = ISC_FALSE, stats = ISC_TRUE, comments = ISC_TRUE, section_question = ISC_TRUE, section_answer = ISC_TRUE, section_authority = ISC_TRUE, @@ -137,7 +133,8 @@ static const char *rtypetext[] = { "v6 address = ", /* 38 */ "dname = ", /* 39 */ "rtype_40 = ", /* 40 */ - "optional = "}; /* 41 */ + "optional = " /* 41 */ +}; #define N_KNOWN_RRTYPES (sizeof(rtypetext) / sizeof(rtypetext[0])) @@ -192,7 +189,18 @@ printa(dns_rdata_t *rdata) { printf("Address: %.*s\n", (int)isc_buffer_usedlength(&b), (char *)isc_buffer_base(&b)); } - +#ifdef DIG_SIGCHASE +/* Just for compatibility : not use in host program */ +isc_result_t +printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset, + isc_buffer_t *target) +{ + UNUSED(owner_name); + UNUSED(rdataset); + UNUSED(target); + return(ISC_FALSE); +} +#endif static void printrdata(dns_rdata_t *rdata) { isc_result_t result; @@ -520,7 +528,46 @@ static void safecpy(char *dest, char *src, int size) { strlcpy(dest, src, size); } - + +static isc_result_t +parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max, + const char *desc) { + isc_uint32_t n; + isc_result_t result = isc_parse_uint32(&n, value, 10); + if (result == ISC_R_SUCCESS && n > max) + result = ISC_R_RANGE; + if (result != ISC_R_SUCCESS) { + printf("invalid %s '%s': %s\n", desc, + value, isc_result_totext(result)); + return result; + } + *uip = n; + return (ISC_R_SUCCESS); +} + +static void +set_port(const char *value) { + isc_uint32_t n; + isc_result_t result = parse_uint(&n, value, 65535, "port"); + if (result == ISC_R_SUCCESS) + port = (isc_uint16_t) n; +} + +static void +set_timeout(const char *value) { + isc_uint32_t n; + isc_result_t result = parse_uint(&n, value, UINT_MAX, "timeout"); + if (result == ISC_R_SUCCESS) + timeout = n; +} + +static void +set_tries(const char *value) { + isc_uint32_t n; + isc_result_t result = parse_uint(&n, value, INT_MAX, "tries"); + if (result == ISC_R_SUCCESS) + tries = n; +} static void setoption(char *opt) { @@ -559,21 +606,21 @@ setoption(char *opt) { set_search_domain(domainopt); usesearch = ISC_TRUE; } else if (strncasecmp(opt, "port=", 5) == 0) { - port = atoi(&opt[5]); + set_port(&opt[5]); } else if (strncasecmp(opt, "po=", 3) == 0) { - port = atoi(&opt[3]); + set_port(&opt[3]); } else if (strncasecmp(opt, "timeout=", 8) == 0) { - timeout = atoi(&opt[8]); + set_timeout(&opt[8]); } else if (strncasecmp(opt, "t=", 2) == 0) { - timeout = atoi(&opt[2]); + set_timeout(&opt[2]); } else if (strncasecmp(opt, "rec", 3) == 0) { recurse = ISC_TRUE; } else if (strncasecmp(opt, "norec", 5) == 0) { recurse = ISC_FALSE; } else if (strncasecmp(opt, "retry=", 6) == 0) { - tries = atoi(&opt[6]); + set_tries(&opt[6]); } else if (strncasecmp(opt, "ret=", 4) == 0) { - tries = atoi(&opt[4]); + set_tries(&opt[4]); } else if (strncasecmp(opt, "def", 3) == 0) { usesearch = ISC_TRUE; } else if (strncasecmp(opt, "nodef", 5) == 0) { @@ -590,12 +637,12 @@ setoption(char *opt) { debugging = ISC_TRUE; } else if (strncasecmp(opt, "nod2", 4) == 0) { debugging = ISC_FALSE; - } else if (strncasecmp(opt, "search",3) == 0) { + } else if (strncasecmp(opt, "search", 3) == 0) { usesearch = ISC_TRUE; - } else if (strncasecmp(opt, "nosearch",5) == 0) { + } else if (strncasecmp(opt, "nosearch", 5) == 0) { usesearch = ISC_FALSE; - } else if (strncasecmp(opt, "sil",3) == 0) { - deprecation_msg = ISC_FALSE; + } else if (strncasecmp(opt, "sil", 3) == 0) { + /* deprecation_msg = ISC_FALSE; */ } else { printf("*** Invalid option: %s\n", opt); } @@ -626,9 +673,8 @@ addlookup(char *opt) { rdclass = dns_rdataclass_in; } lookup = make_empty_lookup(); - if (get_reverse(store, opt, lookup->ip6_int, ISC_TRUE) - == ISC_R_SUCCESS) - { + if (get_reverse(store, sizeof(store), opt, lookup->ip6_int, ISC_TRUE) + == ISC_R_SUCCESS) { safecpy(lookup->textname, store, sizeof(lookup->textname)); lookup->rdtype = dns_rdatatype_ptr; lookup->rdtypeset = ISC_TRUE; @@ -664,44 +710,12 @@ addlookup(char *opt) { } static void -flush_server_list(void) { - dig_server_t *s, *ps; - - debug("flush_server_list()"); - s = ISC_LIST_HEAD(server_list); - while (s != NULL) { - ps = s; - s = ISC_LIST_NEXT(s, link); - ISC_LIST_DEQUEUE(server_list, ps, link); - isc_mem_free(mctx, ps); - } -} - -/* - * This works on the global server list, instead of on a per-lookup - * server list, since the change is persistent. - */ -static void -setsrv(char *opt) { - dig_server_t *srv; - - if (opt == NULL) - return; - - flush_server_list(); - srv = isc_mem_allocate(mctx, sizeof(struct dig_server)); - if (srv == NULL) - fatal("memory allocation failure"); - safecpy(srv->servername, opt, sizeof(srv->servername)); - ISC_LIST_INITANDAPPEND(server_list, srv, link); -} - -static void get_next_command(void) { char *buf; char *ptr, *arg; char *input; + fflush(stdout); buf = isc_mem_allocate(mctx, COMMSIZE); if (buf == NULL) fatal("memory allocation failure"); @@ -723,21 +737,19 @@ get_next_command(void) { setoption(arg); else if ((strcasecmp(ptr, "server") == 0) || (strcasecmp(ptr, "lserver") == 0)) { - setsrv(arg); + set_nameserver(arg); show_settings(ISC_TRUE, ISC_TRUE); } else if (strcasecmp(ptr, "exit") == 0) { in_use = ISC_FALSE; goto cleanup; } else if (strcasecmp(ptr, "help") == 0 || - strcasecmp(ptr, "?") == 0) - { + strcasecmp(ptr, "?") == 0) { printf("The '%s' command is not yet implemented.\n", ptr); goto cleanup; } else if (strcasecmp(ptr, "finger") == 0 || strcasecmp(ptr, "root") == 0 || strcasecmp(ptr, "ls") == 0 || - strcasecmp(ptr, "view") == 0) - { + strcasecmp(ptr, "view") == 0) { printf("The '%s' command is not implemented.\n", ptr); goto cleanup; } else @@ -765,7 +777,7 @@ parse_args(int argc, char **argv) { addlookup(argv[0]); } else - setsrv(argv[0]); + set_nameserver(argv[0]); } } } @@ -849,12 +861,6 @@ main(int argc, char **argv) { parse_args(argc, argv); - if (deprecation_msg) { - fputs( -"Note: nslookup is deprecated and may be removed from future releases.\n" -"Consider using the `dig' or `host' programs instead. Run nslookup with\n" -"the `-sil[ent]' option to prevent this message from appearing.\n", stderr); - } setup_system(); if (domainopt[0] != '\0') set_search_domain(domainopt); diff --git a/usr.sbin/bind/bin/dnssec/dnssec-keygen.html b/usr.sbin/bind/bin/dnssec/dnssec-keygen.html index a4802275819..2c1e379609e 100644 --- a/usr.sbin/bind/bin/dnssec/dnssec-keygen.html +++ b/usr.sbin/bind/bin/dnssec/dnssec-keygen.html @@ -1,27 +1,30 @@ <!-- - - Copyright (C) 2000, 2001 Internet Software Consortium. - - + - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2001-2003 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - - - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. --> + +<!-- $ISC: dnssec-keygen.html,v 1.5.2.1.4.6 2004/08/22 23:38:58 marka Exp $ --> + +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML ><HEAD ><TITLE >dnssec-keygen</TITLE ><META NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.73 -"></HEAD +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD ><BODY CLASS="REFENTRY" BGCOLOR="#FFFFFF" @@ -32,10 +35,10 @@ ALINK="#0000FF" ><H1 ><A NAME="AEN1" +></A ><SPAN CLASS="APPLICATION" >dnssec-keygen</SPAN -></A ></H1 ><DIV CLASS="REFNAMEDIV" @@ -59,89 +62,78 @@ NAME="AEN13" ><B CLASS="COMMAND" >dnssec-keygen</B -> {-a <TT +> {-a <VAR CLASS="REPLACEABLE" -><I ->algorithm</I -></TT ->} {-b <TT +>algorithm</VAR +>} {-b <VAR CLASS="REPLACEABLE" -><I ->keysize</I -></TT ->} {-n <TT +>keysize</VAR +>} {-n <VAR CLASS="REPLACEABLE" -><I ->nametype</I -></TT ->} [<TT +>nametype</VAR +>} [<VAR CLASS="OPTION" ->-c <TT +>-c <VAR CLASS="REPLACEABLE" -><I ->class</I -></TT -></TT ->] [<TT +>class</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-e</TT ->] [<TT +>-e</VAR +>] [<VAR CLASS="OPTION" ->-g <TT +>-f <VAR CLASS="REPLACEABLE" -><I ->generator</I -></TT -></TT ->] [<TT +>flag</VAR +></VAR +>] [<VAR +CLASS="OPTION" +>-g <VAR +CLASS="REPLACEABLE" +>generator</VAR +></VAR +>] [<VAR +CLASS="OPTION" +>-h</VAR +>] [<VAR CLASS="OPTION" ->-h</TT ->] [<TT +>-k</VAR +>] [<VAR CLASS="OPTION" ->-p <TT +>-p <VAR CLASS="REPLACEABLE" -><I ->protocol</I -></TT -></TT ->] [<TT +>protocol</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-r <TT +>-r <VAR CLASS="REPLACEABLE" -><I ->randomdev</I -></TT -></TT ->] [<TT +>randomdev</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-s <TT +>-s <VAR CLASS="REPLACEABLE" -><I ->strength</I -></TT -></TT ->] [<TT +>strength</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-t <TT +>-t <VAR CLASS="REPLACEABLE" -><I ->type</I -></TT -></TT ->] [<TT +>type</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-v <TT +>-v <VAR CLASS="REPLACEABLE" -><I ->level</I -></TT -></TT +>level</VAR +></VAR >] {name}</P ></DIV ><DIV CLASS="REFSECT1" ><A -NAME="AEN48" +NAME="AEN53" ></A ><H2 >DESCRIPTION</H2 @@ -150,7 +142,7 @@ NAME="AEN48" CLASS="COMMAND" >dnssec-keygen</B > generates keys for DNSSEC - (Secure DNS), as defined in RFC 2535. It can also generate + (Secure DNS), as defined in RFC 2535 and RFC <TBA\>. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845. </P @@ -158,7 +150,7 @@ CLASS="COMMAND" ><DIV CLASS="REFSECT1" ><A -NAME="AEN52" +NAME="AEN57" ></A ><H2 >OPTIONS</H2 @@ -168,38 +160,37 @@ NAME="AEN52" CLASS="VARIABLELIST" ><DL ><DT ->-a <TT +>-a <VAR CLASS="REPLACEABLE" -><I ->algorithm</I -></TT +>algorithm</VAR ></DT ><DD ><P > Selects the cryptographic algorithm. The value of - <TT + <VAR CLASS="OPTION" ->algorithm</TT -> must be one of RSAMD5 or RSA, +>algorithm</VAR +> must be one of RSAMD5 (RSA) or RSASHA1, DSA, DH (Diffie Hellman), or HMAC-MD5. These values are case insensitive. </P ><P -> Note that for DNSSEC, DSA is a mandatory to implement algorithm, - and RSA is recommended. For TSIG, HMAC-MD5 is mandatory. +> Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, + and DSA is recommended. For TSIG, HMAC-MD5 is mandatory. + </P +><P +> Note 2: HMAC-MD5 and DH automatically set the -k flag. </P ></DD ><DT ->-b <TT +>-b <VAR CLASS="REPLACEABLE" -><I ->keysize</I -></TT +>keysize</VAR ></DT ><DD ><P > Specifies the number of bits in the key. The choice of key - size depends on the algorithm used. RSA keys must be between + size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC-MD5 keys must be @@ -207,30 +198,26 @@ CLASS="REPLACEABLE" </P ></DD ><DT ->-n <TT +>-n <VAR CLASS="REPLACEABLE" -><I ->nametype</I -></TT +>nametype</VAR ></DT ><DD ><P > Specifies the owner type of the key. The value of - <TT + <VAR CLASS="OPTION" ->nametype</TT +>nametype</VAR > must either be ZONE (for a DNSSEC - zone key), HOST or ENTITY (for a key associated with a host), - or USER (for a key associated with a user). These values are + zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), + USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive. </P ></DD ><DT ->-c <TT +>-c <VAR CLASS="REPLACEABLE" -><I ->class</I -></TT +>class</VAR ></DT ><DD ><P @@ -242,15 +229,24 @@ CLASS="REPLACEABLE" >-e</DT ><DD ><P -> If generating an RSA key, use a large exponent. +> If generating an RSAMD5/RSASHA1 key, use a large exponent. </P ></DD ><DT ->-g <TT +>-f <VAR CLASS="REPLACEABLE" -><I ->generator</I -></TT +>flag</VAR +></DT +><DD +><P +> Set the specified flag in the flag field of the KEY/DNSKEY record. + The only recognized flag is KSK (Key Signing Key) DNSKEY. + </P +></DD +><DT +>-g <VAR +CLASS="REPLACEABLE" +>generator</VAR ></DT ><DD ><P @@ -272,27 +268,29 @@ CLASS="COMMAND" </P ></DD ><DT ->-p <TT +>-k</DT +><DD +><P +> Generate KEY records rather than DNSKEY records. + </P +></DD +><DT +>-p <VAR CLASS="REPLACEABLE" -><I ->protocol</I -></TT +>protocol</VAR ></DT ><DD ><P > Sets the protocol value for the generated key. The protocol - is a number between 0 and 255. The default is 2 (email) for - keys of type USER and 3 (DNSSEC) for all other key types. + is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors. </P ></DD ><DT ->-r <TT +>-r <VAR CLASS="REPLACEABLE" -><I ->randomdev</I -></TT +>randomdev</VAR ></DT ><DD ><P @@ -316,11 +314,9 @@ CLASS="FILENAME" </P ></DD ><DT ->-s <TT +>-s <VAR CLASS="REPLACEABLE" -><I ->strength</I -></TT +>strength</VAR ></DT ><DD ><P @@ -330,17 +326,15 @@ CLASS="REPLACEABLE" </P ></DD ><DT ->-t <TT +>-t <VAR CLASS="REPLACEABLE" -><I ->type</I -></TT +>type</VAR ></DT ><DD ><P -> Indicates the use of the key. <TT +> Indicates the use of the key. <VAR CLASS="OPTION" ->type</TT +>type</VAR > must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate @@ -348,11 +342,9 @@ CLASS="OPTION" </P ></DD ><DT ->-v <TT +>-v <VAR CLASS="REPLACEABLE" -><I ->level</I -></TT +>level</VAR ></DT ><DD ><P @@ -365,7 +357,7 @@ CLASS="REPLACEABLE" ><DIV CLASS="REFSECT1" ><A -NAME="AEN121" +NAME="AEN136" ></A ><H2 >GENERATED KEYS</H2 @@ -461,37 +453,31 @@ CLASS="FILENAME" ><DIV CLASS="REFSECT1" ><A -NAME="AEN148" +NAME="AEN163" ></A ><H2 >EXAMPLE</H2 ><P > To generate a 768-bit DSA key for the domain - <TT + <KBD CLASS="USERINPUT" -><B ->example.com</B -></TT +>example.com</KBD >, the following command would be issued: </P ><P -> <TT +> <KBD CLASS="USERINPUT" -><B ->dnssec-keygen -a DSA -b 768 -n ZONE example.com</B -></TT +>dnssec-keygen -a DSA -b 768 -n ZONE example.com</KBD > </P ><P > The command would print a string of the form: </P ><P -> <TT +> <KBD CLASS="USERINPUT" -><B ->Kexample.com.+003+26160</B -></TT +>Kexample.com.+003+26160</KBD > </P ><P @@ -512,7 +498,7 @@ CLASS="FILENAME" ><DIV CLASS="REFSECT1" ><A -NAME="AEN161" +NAME="AEN176" ></A ><H2 >SEE ALSO</H2 @@ -521,20 +507,6 @@ NAME="AEN161" CLASS="CITEREFENTRY" ><SPAN CLASS="REFENTRYTITLE" ->dnssec-makekeyset</SPAN ->(8)</SPAN ->, - <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->dnssec-signkey</SPAN ->(8)</SPAN ->, - <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" >dnssec-signzone</SPAN >(8)</SPAN >, @@ -559,12 +531,12 @@ CLASS="CITETITLE" ><DIV CLASS="REFSECT1" ><A -NAME="AEN177" +NAME="AEN186" ></A ><H2 >AUTHOR</H2 ><P -> Internet Software Consortium +> Internet Systems Consortium </P ></DIV ></BODY diff --git a/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.8 b/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.8 index 4463d08584c..b55ca723cbf 100644 --- a/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.8 +++ b/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.8 @@ -1,18 +1,19 @@ -.\" -.\" Copyright (C) 2000, 2001 Internet Software Consortium. +.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. .\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +.\" PERFORMANCE OF THIS SOFTWARE. +.\" +.\" $ISC: dnssec-makekeyset.8,v 1.16.2.2.4.1 2004/03/06 07:41:39 marka Exp $ .\" .TH "DNSSEC-MAKEKEYSET" "8" "June 30, 2000" "BIND9" "" .SH NAME diff --git a/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.c b/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.c index 350436c2f73..535f9105300 100644 --- a/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.c +++ b/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.c @@ -1,23 +1,22 @@ /* - * Portions Copyright (C) 2000, 2001 Internet Software Consortium. + * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2000-2003 Internet Software Consortium. * Portions Copyright (C) 1995-2000 by Network Associates, Inc. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM AND - * NETWORK ASSOCIATES DISCLAIM ALL WARRANTIES WITH REGARD TO THIS - * SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND - * FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE CONSORTIUM OR NETWORK - * ASSOCIATES BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR - * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF - * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR - * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS + * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE + * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR + * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: dnssec-makekeyset.c,v 1.52.2.1 2001/10/05 00:21:45 bwelling Exp $ */ +/* $ISC: dnssec-makekeyset.c,v 1.52.2.1.10.7 2004/08/28 06:25:27 marka Exp $ */ #include <config.h> @@ -26,15 +25,16 @@ #include <isc/commandline.h> #include <isc/entropy.h> #include <isc/mem.h> +#include <isc/print.h> #include <isc/string.h> #include <isc/util.h> #include <dns/db.h> +#include <dns/diff.h> #include <dns/dnssec.h> #include <dns/fixedname.h> #include <dns/log.h> #include <dns/rdata.h> -#include <dns/rdatalist.h> #include <dns/rdataset.h> #include <dns/result.h> #include <dns/secalg.h> @@ -44,8 +44,6 @@ #include "dnssectool.h" -#define BUFSIZE 2048 - const char *program = "dnssec-makekeyset"; int verbose; @@ -71,6 +69,8 @@ usage(void) { fprintf(stderr, "\n"); + fprintf(stderr, "Version: %s\n", VERSION); + fprintf(stderr, "Options: (default value in parenthesis) \n"); fprintf(stderr, "\t-a\n"); fprintf(stderr, "\t\tverify generated signatures\n"); @@ -112,42 +112,29 @@ zonekey_on_list(dst_key_t *key) { return (ISC_FALSE); } -static isc_boolean_t -rdata_on_list(dns_rdata_t *rdata, dns_rdatalist_t *list) { - dns_rdata_t *trdata; - for (trdata = ISC_LIST_HEAD(list->rdata); - trdata != NULL; - trdata = ISC_LIST_NEXT(trdata, link)) - { - if (dns_rdata_compare(trdata, rdata) == 0) - return (ISC_TRUE); - } - return (ISC_FALSE); -} - int main(int argc, char *argv[]) { int i, ch; char *startstr = NULL, *endstr = NULL; - char *randomfile = NULL; dns_fixedname_t fdomain; dns_name_t *domain = NULL; char *output = NULL; char *endp; - unsigned char *data; + unsigned char data[65536]; dns_db_t *db; - dns_dbnode_t *node; dns_dbversion_t *version; + dns_diff_t diff; + dns_difftuple_t *tuple; + dns_fixedname_t tname; dst_key_t *key = NULL; - dns_rdata_t *rdata; - dns_rdatalist_t rdatalist, sigrdatalist; - dns_rdataset_t rdataset, sigrdataset; + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdataset_t rdataset; + dns_rdataclass_t rdclass; isc_result_t result; isc_buffer_t b; isc_region_t r; isc_log_t *log = NULL; keynode_t *keynode; - dns_name_t *savedname = NULL; unsigned int eflags; isc_boolean_t pseudorandom = ISC_FALSE; isc_boolean_t tryverify = ISC_FALSE; @@ -181,7 +168,7 @@ main(int argc, char *argv[]) { break; case 'r': - randomfile = isc_commandline_argument; + setup_entropy(mctx, isc_commandline_argument, &ectx); break; case 'v': @@ -208,13 +195,14 @@ main(int argc, char *argv[]) { if (argc < 1) usage(); - setup_entropy(mctx, randomfile, &ectx); + if (ectx == NULL) + setup_entropy(mctx, NULL, &ectx); eflags = ISC_ENTROPY_BLOCKING; if (!pseudorandom) eflags |= ISC_ENTROPY_GOODONLY; result = dst_lib_init(mctx, ectx, eflags); if (result != ISC_R_SUCCESS) - fatal("could not initialize dst: %s", + fatal("could not initialize dst: %s", isc_result_totext(result)); isc_stdtime_get(&now); @@ -237,11 +225,8 @@ main(int argc, char *argv[]) { setup_logging(verbose, mctx, &log); - dns_rdatalist_init(&rdatalist); - rdatalist.rdclass = 0; - rdatalist.type = dns_rdatatype_key; - rdatalist.covers = 0; - rdatalist.ttl = ttl; + dns_diff_init(mctx, &diff); + rdclass = 0; ISC_LIST_INIT(keylist); @@ -255,48 +240,37 @@ main(int argc, char *argv[]) { if (result != ISC_R_SUCCESS) fatal("error loading key from %s: %s", argv[i], isc_result_totext(result)); - if (rdatalist.rdclass == 0) - rdatalist.rdclass = dst_key_class(key); + if (rdclass == 0) + rdclass = dst_key_class(key); - isc_buffer_init(&namebuf, namestr, sizeof namestr); + isc_buffer_init(&namebuf, namestr, sizeof(namestr)); result = dns_name_tofilenametext(dst_key_name(key), ISC_FALSE, &namebuf); check_result(result, "dns_name_tofilenametext"); isc_buffer_putuint8(&namebuf, 0); - - if (savedname == NULL) { - savedname = isc_mem_get(mctx, sizeof(dns_name_t)); - if (savedname == NULL) - fatal("out of memory"); - dns_name_init(savedname, NULL); - result = dns_name_dup(dst_key_name(key), mctx, - savedname); - if (result != ISC_R_SUCCESS) - fatal("out of memory"); - } else { - char savednamestr[DNS_NAME_FORMATSIZE]; - dns_name_format(savedname, savednamestr, - sizeof savednamestr); - if (!dns_name_equal(savedname, dst_key_name(key)) != 0) - fatal("all keys must have the same owner - %s " - "and %s do not match", - savednamestr, namestr); + + if (domain == NULL) { + dns_fixedname_init(&fdomain); + domain = dns_fixedname_name(&fdomain); + dns_name_copy(dst_key_name(key), domain, NULL); + } else if (!dns_name_equal(domain, dst_key_name(key))) { + char str[DNS_NAME_FORMATSIZE]; + dns_name_format(domain, str, sizeof(str)); + fatal("all keys must have the same owner - %s " + "and %s do not match", str, namestr); } + if (output == NULL) { size_t len; - len = strlen("keyset-") + strlen(namestr) + 1; - output = isc_mem_allocate(mctx, len); + len = strlen("keyset-") + strlen(namestr); + output = isc_mem_allocate(mctx, len + 1); if (output == NULL) fatal("out of memory"); - strlcpy(output, "keyset-", len); - strlcat(output, namestr, len); - } - if (domain == NULL) { - dns_fixedname_init(&fdomain); - domain = dns_fixedname_name(&fdomain); - dns_name_copy(dst_key_name(key), domain, NULL); + strlcpy(output, "keyset-", len + 1); + strlcat(output, namestr, len + 1); } + if (dst_key_iszonekey(key)) { dst_key_t *zonekey = NULL; result = dst_key_fromnamedfile(argv[i], @@ -307,8 +281,7 @@ main(int argc, char *argv[]) { fatal("failed to read private key %s: %s", argv[i], isc_result_totext(result)); if (!zonekey_on_list(zonekey)) { - keynode = isc_mem_get(mctx, - sizeof (keynode_t)); + keynode = isc_mem_get(mctx, sizeof(keynode_t)); if (keynode == NULL) fatal("out of memory"); keynode->key = zonekey; @@ -316,39 +289,41 @@ main(int argc, char *argv[]) { } else dst_key_free(&zonekey); } - rdata = isc_mem_get(mctx, sizeof(dns_rdata_t)); - if (rdata == NULL) - fatal("out of memory"); - dns_rdata_init(rdata); - data = isc_mem_get(mctx, BUFSIZE); - if (data == NULL) - fatal("out of memory"); - isc_buffer_init(&b, data, BUFSIZE); + dns_rdata_reset(&rdata); + isc_buffer_init(&b, data, sizeof(data)); result = dst_key_todns(key, &b); + dst_key_free(&key); if (result != ISC_R_SUCCESS) fatal("failed to convert key %s to a DNS KEY: %s", argv[i], isc_result_totext(result)); isc_buffer_usedregion(&b, &r); - dns_rdata_fromregion(rdata, rdatalist.rdclass, - dns_rdatatype_key, &r); - if (!rdata_on_list(rdata, &rdatalist)) - ISC_LIST_APPEND(rdatalist.rdata, rdata, link); - else { - isc_mem_put(mctx, data, BUFSIZE); - isc_mem_put(mctx, rdata, sizeof *rdata); - } - dst_key_free(&key); + dns_rdata_fromregion(&rdata, rdclass, dns_rdatatype_dnskey, &r); + tuple = NULL; + result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, + domain, ttl, &rdata, &tuple); + check_result(result, "dns_difftuple_create"); + dns_diff_append(&diff, &tuple); } - dns_rdataset_init(&rdataset); - result = dns_rdatalist_tordataset(&rdatalist, &rdataset); - check_result(result, "dns_rdatalist_tordataset()"); + db = NULL; + result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone, + rdclass, 0, NULL, &db); + if (result != ISC_R_SUCCESS) + fatal("failed to create a database"); - dns_rdatalist_init(&sigrdatalist); - sigrdatalist.rdclass = rdatalist.rdclass; - sigrdatalist.type = dns_rdatatype_sig; - sigrdatalist.covers = dns_rdatatype_key; - sigrdatalist.ttl = ttl; + version = NULL; + dns_db_newversion(db, &version); + + result = dns_diff_apply(&diff, db, version); + check_result(result, "dns_diff_apply"); + dns_diff_clear(&diff); + + dns_fixedname_init(&tname); + dns_rdataset_init(&rdataset); + result = dns_db_find(db, domain, version, dns_rdatatype_dnskey, 0, 0, + NULL, dns_fixedname_name(&tname), &rdataset, + NULL); + check_result(result, "dns_db_find"); if (ISC_LIST_EMPTY(keylist)) fprintf(stderr, @@ -358,69 +333,48 @@ main(int argc, char *argv[]) { keynode != NULL; keynode = ISC_LIST_NEXT(keynode, link)) { - rdata = isc_mem_get(mctx, sizeof(dns_rdata_t)); - if (rdata == NULL) - fatal("out of memory"); - dns_rdata_init(rdata); - data = isc_mem_get(mctx, BUFSIZE); - if (data == NULL) - fatal("out of memory"); - isc_buffer_init(&b, data, BUFSIZE); + dns_rdata_reset(&rdata); + isc_buffer_init(&b, data, sizeof(data)); result = dns_dnssec_sign(domain, &rdataset, keynode->key, &starttime, &endtime, mctx, &b, - rdata); + &rdata); isc_entropy_stopcallbacksources(ectx); if (result != ISC_R_SUCCESS) { char keystr[KEY_FORMATSIZE]; - key_format(keynode->key, keystr, sizeof keystr); + key_format(keynode->key, keystr, sizeof(keystr)); fatal("failed to sign keyset with key %s: %s", keystr, isc_result_totext(result)); } if (tryverify) { result = dns_dnssec_verify(domain, &rdataset, keynode->key, ISC_TRUE, - mctx, rdata); + mctx, &rdata); if (result != ISC_R_SUCCESS) { char keystr[KEY_FORMATSIZE]; - key_format(keynode->key, keystr, sizeof keystr); + key_format(keynode->key, keystr, sizeof(keystr)); fatal("signature from key '%s' failed to " "verify: %s", keystr, isc_result_totext(result)); } } - ISC_LIST_APPEND(sigrdatalist.rdata, rdata, link); - dns_rdataset_init(&sigrdataset); - result = dns_rdatalist_tordataset(&sigrdatalist, &sigrdataset); - check_result(result, "dns_rdatalist_tordataset()"); - } - - db = NULL; - result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone, - rdataset.rdclass, 0, NULL, &db); - if (result != ISC_R_SUCCESS) { - char domainstr[DNS_NAME_FORMATSIZE]; - dns_name_format(domain, domainstr, sizeof domainstr); - fatal("failed to create a database for %s", domainstr); + tuple = NULL; + result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, + domain, ttl, &rdata, &tuple); + check_result(result, "dns_difftuple_create"); + dns_diff_append(&diff, &tuple); } - version = NULL; - dns_db_newversion(db, &version); - - node = NULL; - result = dns_db_findnode(db, domain, ISC_TRUE, &node); - check_result(result, "dns_db_findnode()"); + result = dns_diff_apply(&diff, db, version); + check_result(result, "dns_diff_apply"); + dns_diff_clear(&diff); - dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL); - if (!ISC_LIST_EMPTY(keylist)) - dns_db_addrdataset(db, node, version, 0, &sigrdataset, 0, - NULL); + dns_rdataset_disassociate(&rdataset); - dns_db_detachnode(db, &node); dns_db_closeversion(db, &version, ISC_TRUE); result = dns_db_dump(db, version, output); if (result != ISC_R_SUCCESS) { char domainstr[DNS_NAME_FORMATSIZE]; - dns_name_format(domain, domainstr, sizeof domainstr); + dns_name_format(domain, domainstr, sizeof(domainstr)); fatal("failed to write database for %s to %s", domainstr, output); } @@ -429,20 +383,6 @@ main(int argc, char *argv[]) { dns_db_detach(&db); - dns_rdataset_disassociate(&rdataset); - while (!ISC_LIST_EMPTY(rdatalist.rdata)) { - rdata = ISC_LIST_HEAD(rdatalist.rdata); - ISC_LIST_UNLINK(rdatalist.rdata, rdata, link); - isc_mem_put(mctx, rdata->data, BUFSIZE); - isc_mem_put(mctx, rdata, sizeof *rdata); - } - while (!ISC_LIST_EMPTY(sigrdatalist.rdata)) { - rdata = ISC_LIST_HEAD(sigrdatalist.rdata); - ISC_LIST_UNLINK(sigrdatalist.rdata, rdata, link); - isc_mem_put(mctx, rdata->data, BUFSIZE); - isc_mem_put(mctx, rdata, sizeof *rdata); - } - while (!ISC_LIST_EMPTY(keylist)) { keynode = ISC_LIST_HEAD(keylist); ISC_LIST_UNLINK(keylist, keynode, link); @@ -450,11 +390,6 @@ main(int argc, char *argv[]) { isc_mem_put(mctx, keynode, sizeof(keynode_t)); } - if (savedname != NULL) { - dns_name_free(savedname, mctx); - isc_mem_put(mctx, savedname, sizeof(dns_name_t)); - } - cleanup_logging(&log); cleanup_entropy(&ectx); diff --git a/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.docbook b/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.docbook index 444afbfe8b7..47c70a638e4 100644 --- a/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.docbook +++ b/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.docbook @@ -1,22 +1,22 @@ <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> <!-- + - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2001, 2003 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $ISC: dnssec-makekeyset.docbook,v 1.2.2.3 2003/03/06 04:38:13 marka Exp $ --> +<!-- $ISC: dnssec-makekeyset.docbook,v 1.2.2.3.4.2 2004/06/03 02:24:55 marka Exp $ --> <refentry> <refentryinfo> @@ -220,7 +220,7 @@ <refsect1> <title>AUTHOR</title> <para> - <corpauthor>Internet Software Consortium</corpauthor> + <corpauthor>Internet Systems Consortium</corpauthor> </para> </refsect1> diff --git a/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.html b/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.html index e081ccf9f8a..ff7c424da66 100644 --- a/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.html +++ b/usr.sbin/bind/bin/dnssec/dnssec-makekeyset.html @@ -1,19 +1,22 @@ <!-- - - Copyright (C) 2000, 2001 Internet Software Consortium. - - + - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2001, 2003 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - - - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. --> + +<!-- $ISC: dnssec-makekeyset.html,v 1.4.2.2.4.1 2004/03/06 10:21:15 marka Exp $ --> + <HTML ><HEAD ><TITLE diff --git a/usr.sbin/bind/bin/dnssec/dnssec-signkey.8 b/usr.sbin/bind/bin/dnssec/dnssec-signkey.8 index ceda9dbca33..ea55dd5af77 100644 --- a/usr.sbin/bind/bin/dnssec/dnssec-signkey.8 +++ b/usr.sbin/bind/bin/dnssec/dnssec-signkey.8 @@ -1,18 +1,19 @@ -.\" -.\" Copyright (C) 2000, 2001 Internet Software Consortium. +.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. .\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +.\" PERFORMANCE OF THIS SOFTWARE. +.\" +.\" $ISC: dnssec-signkey.8,v 1.18.2.1.4.1 2004/03/06 07:41:39 marka Exp $ .\" .TH "DNSSEC-SIGNKEY" "8" "June 30, 2000" "BIND9" "" .SH NAME diff --git a/usr.sbin/bind/bin/dnssec/dnssec-signkey.c b/usr.sbin/bind/bin/dnssec/dnssec-signkey.c index 677e781d279..f821b990a4c 100644 --- a/usr.sbin/bind/bin/dnssec/dnssec-signkey.c +++ b/usr.sbin/bind/bin/dnssec/dnssec-signkey.c @@ -1,23 +1,22 @@ /* - * Portions Copyright (C) 2000, 2001, 2003 Internet Software Consortium. + * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2000-2003 Internet Software Consortium. * Portions Copyright (C) 1995-2000 by Network Associates, Inc. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM AND - * NETWORK ASSOCIATES DISCLAIM ALL WARRANTIES WITH REGARD TO THIS - * SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND - * FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE CONSORTIUM OR NETWORK - * ASSOCIATES BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR - * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF - * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR - * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS + * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE + * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR + * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: dnssec-signkey.c,v 1.50.2.3 2003/10/09 07:32:31 marka Exp $ */ +/* $ISC: dnssec-signkey.c,v 1.50.2.2.2.7 2004/08/28 06:25:28 marka Exp $ */ #include <config.h> @@ -27,16 +26,17 @@ #include <isc/commandline.h> #include <isc/entropy.h> #include <isc/mem.h> +#include <isc/print.h> #include <isc/util.h> #include <dns/db.h> #include <dns/dbiterator.h> +#include <dns/diff.h> #include <dns/dnssec.h> #include <dns/fixedname.h> #include <dns/log.h> #include <dns/rdata.h> #include <dns/rdataclass.h> -#include <dns/rdatalist.h> #include <dns/rdataset.h> #include <dns/rdatasetiter.h> #include <dns/rdatastruct.h> @@ -50,8 +50,6 @@ const char *program = "dnssec-signkey"; int verbose; -#define BUFSIZE 2048 - typedef struct keynode keynode_t; struct keynode { dst_key_t *key; @@ -73,6 +71,8 @@ usage(void) { fprintf(stderr, "\n"); + fprintf(stderr, "Version: %s\n", VERSION); + fprintf(stderr, "Options: (default value in parenthesis) \n"); fprintf(stderr, "\t-a\n"); fprintf(stderr, "\t\tverify generated signatures\n"); @@ -119,9 +119,11 @@ loadkeys(dns_name_t *name, dns_rdataset_t *rdataset) { result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &key); if (result != ISC_R_SUCCESS) continue; - if (!dst_key_iszonekey(key)) + if (!dst_key_iszonekey(key)) { + dst_key_free(&key); continue; - keynode = isc_mem_get(mctx, sizeof (keynode_t)); + } + keynode = isc_mem_get(mctx, sizeof(keynode_t)); if (keynode == NULL) fatal("out of memory"); keynode->key = key; @@ -133,7 +135,7 @@ loadkeys(dns_name_t *name, dns_rdataset_t *rdataset) { } static dst_key_t * -findkey(dns_rdata_sig_t *sig) { +findkey(dns_rdata_rrsig_t *sig) { keynode_t *keynode; for (keynode = ISC_LIST_HEAD(keylist); keynode != NULL; @@ -158,28 +160,28 @@ main(int argc, char *argv[]) { dns_name_t *domain; char *output = NULL; char *endp; - unsigned char *data; - char *randomfile = NULL; + unsigned char data[65536]; dns_db_t *db; dns_dbnode_t *node; dns_dbversion_t *version; + dns_diff_t diff; + dns_difftuple_t *tuple; dns_dbiterator_t *dbiter; dns_rdatasetiter_t *rdsiter; dst_key_t *key = NULL; - dns_rdata_t *rdata; + dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdata_t sigrdata = DNS_RDATA_INIT; - dns_rdatalist_t sigrdatalist; - dns_rdataset_t rdataset, sigrdataset, newsigrdataset; - dns_rdata_sig_t sig; + dns_rdataset_t rdataset, sigrdataset; + dns_rdata_rrsig_t sig; isc_result_t result; isc_buffer_t b; - isc_textregion_t tr; isc_log_t *log = NULL; keynode_t *keynode; isc_boolean_t pseudorandom = ISC_FALSE; unsigned int eflags; dns_rdataclass_t rdclass; - static isc_boolean_t tryverify = ISC_FALSE; + isc_boolean_t tryverify = ISC_FALSE; + isc_boolean_t settime = ISC_FALSE; size_t len; result = isc_mem_create(0, 0, &mctx); @@ -210,7 +212,7 @@ main(int argc, char *argv[]) { break; case 'r': - randomfile = isc_commandline_argument; + setup_entropy(mctx, isc_commandline_argument, &ectx); break; case 'v': @@ -233,16 +235,10 @@ main(int argc, char *argv[]) { if (argc < 2) usage(); - if (classname != NULL) { - tr.base = classname; - tr.length = strlen(classname); - result = dns_rdataclass_fromtext(&rdclass, &tr); - if (result != ISC_R_SUCCESS) - fatal("unknown class %s",classname); - } else - rdclass = dns_rdataclass_in; + rdclass = strtoclass(classname); - setup_entropy(mctx, randomfile, &ectx); + if (ectx == NULL) + setup_entropy(mctx, NULL, &ectx); eflags = ISC_ENTROPY_BLOCKING; if (!pseudorandom) eflags |= ISC_ENTROPY_GOODONLY; @@ -257,6 +253,12 @@ main(int argc, char *argv[]) { !(startstr == NULL && endstr == NULL)) fatal("if -s or -e is specified, both must be"); + if (startstr != NULL) { + starttime = strtotime(startstr, now, now); + endtime = strtotime(endstr, now, starttime); + settime = ISC_TRUE; + } + setup_logging(verbose, mctx, &log); if (strlen(argv[0]) < 8U || strncmp(argv[0], "keyset-", 7) != 0) @@ -303,29 +305,31 @@ main(int argc, char *argv[]) { check_result(result, "dns_name_tofilenametext()"); isc_buffer_putuint8(&b, 0); - len = strlen("signedkey-") + strlen(tdomain) + 1; - output = isc_mem_allocate(mctx, len); + len = strlen("signedkey-") + strlen(tdomain); + output = isc_mem_allocate(mctx, len + 1); if (output == NULL) fatal("out of memory"); - strlcpy(output, "signedkey-", len); - strlcat(output, tdomain, len); + strlcpy(output, "signedkey-", len + 1); + strlcat(output, tdomain, len + 1); version = NULL; dns_db_newversion(db, &version); dns_rdataset_init(&rdataset); dns_rdataset_init(&sigrdataset); - result = dns_db_findrdataset(db, node, version, dns_rdatatype_key, 0, + result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey, 0, 0, &rdataset, &sigrdataset); if (result != ISC_R_SUCCESS) { char domainstr[DNS_NAME_FORMATSIZE]; - dns_name_format(domain, domainstr, sizeof domainstr); + dns_name_format(domain, domainstr, sizeof(domainstr)); fatal("failed to find rdataset '%s KEY': %s", domainstr, isc_result_totext(result)); } loadkeys(domain, &rdataset); + dns_diff_init(mctx, &diff); + if (!dns_rdataset_isassociated(&sigrdataset)) fatal("no SIG KEY set present"); @@ -340,47 +344,29 @@ main(int argc, char *argv[]) { ISC_TRUE, mctx, &sigrdata); if (result != ISC_R_SUCCESS) { char keystr[KEY_FORMATSIZE]; - key_format(key, keystr, sizeof keystr); + key_format(key, keystr, sizeof(keystr)); fatal("signature by key '%s' did not verify: %s", keystr, isc_result_totext(result)); } - dns_rdata_reset(&sigrdata); + if (!settime) { + starttime = sig.timesigned; + endtime = sig.timeexpire; + settime = ISC_TRUE; + } dns_rdata_freestruct(&sig); + dns_rdata_reset(&sigrdata); result = dns_rdataset_next(&sigrdataset); } while (result == ISC_R_SUCCESS); - if (startstr != NULL) { - starttime = strtotime(startstr, now, now); - endtime = strtotime(endstr, now, starttime); - } else { - starttime = sig.timesigned; - endtime = sig.timeexpire; - } - - for (keynode = ISC_LIST_HEAD(keylist); keynode != NULL; keynode = ISC_LIST_NEXT(keynode, link)) if (!keynode->verified) - fatal("Not all zone keys self signed the key set"); - - result = dns_rdataset_first(&sigrdataset); - check_result(result, "dns_rdataset_first()"); - dns_rdataset_current(&sigrdataset, &sigrdata); - result = dns_rdata_tostruct(&sigrdata, &sig, mctx); - check_result(result, "dns_rdata_tostruct()"); - - dns_rdataset_disassociate(&sigrdataset); + fatal("not all zone keys self signed the key set"); argc -= 1; argv += 1; - dns_rdatalist_init(&sigrdatalist); - sigrdatalist.rdclass = rdataset.rdclass; - sigrdatalist.type = dns_rdatatype_sig; - sigrdatalist.covers = dns_rdatatype_key; - sigrdatalist.ttl = rdataset.ttl; - for (i = 0; i < argc; i++) { key = NULL; result = dst_key_fromnamedfile(argv[i], @@ -391,45 +377,45 @@ main(int argc, char *argv[]) { fatal("failed to read key %s from disk: %s", argv[i], isc_result_totext(result)); - rdata = isc_mem_get(mctx, sizeof(dns_rdata_t)); - if (rdata == NULL) - fatal("out of memory"); - dns_rdata_init(rdata); - data = isc_mem_get(mctx, BUFSIZE); - if (data == NULL) - fatal("out of memory"); - isc_buffer_init(&b, data, BUFSIZE); + dns_rdata_reset(&rdata); + isc_buffer_init(&b, data, sizeof(data)); result = dns_dnssec_sign(domain, &rdataset, key, &starttime, &endtime, - mctx, &b, rdata); + mctx, &b, &rdata); isc_entropy_stopcallbacksources(ectx); if (result != ISC_R_SUCCESS) { char keystr[KEY_FORMATSIZE]; - key_format(key, keystr, sizeof keystr); + key_format(key, keystr, sizeof(keystr)); fatal("key '%s' failed to sign data: %s", keystr, isc_result_totext(result)); } if (tryverify) { result = dns_dnssec_verify(domain, &rdataset, key, - ISC_TRUE, mctx, rdata); + ISC_TRUE, mctx, &rdata); if (result != ISC_R_SUCCESS) { char keystr[KEY_FORMATSIZE]; - key_format(key, keystr, sizeof keystr); + key_format(key, keystr, sizeof(keystr)); fatal("signature from key '%s' failed to " "verify: %s", keystr, isc_result_totext(result)); } } - ISC_LIST_APPEND(sigrdatalist.rdata, rdata, link); + tuple = NULL; + result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, + domain, rdataset.ttl, + &rdata, &tuple); + check_result(result, "dns_difftuple_create"); + dns_diff_append(&diff, &tuple); dst_key_free(&key); } - dns_rdataset_init(&newsigrdataset); - result = dns_rdatalist_tordataset(&sigrdatalist, &newsigrdataset); - check_result (result, "dns_rdatalist_tordataset()"); + result = dns_db_deleterdataset(db, node, version, dns_rdatatype_rrsig, + dns_rdatatype_dnskey); + check_result(result, "dns_db_deleterdataset"); - dns_db_addrdataset(db, node, version, 0, &newsigrdataset, 0, NULL); - check_result (result, "dns_db_addrdataset()"); + result = dns_diff_apply(&diff, db, version); + check_result(result, "dns_diff_apply"); + dns_diff_clear(&diff); dns_db_detachnode(db, &node); dns_db_closeversion(db, &version, ISC_TRUE); @@ -441,16 +427,7 @@ main(int argc, char *argv[]) { printf("%s\n", output); dns_rdataset_disassociate(&rdataset); - dns_rdataset_disassociate(&newsigrdataset); - - dns_rdata_freestruct(&sig); - - while (!ISC_LIST_EMPTY(sigrdatalist.rdata)) { - rdata = ISC_LIST_HEAD(sigrdatalist.rdata); - ISC_LIST_UNLINK(sigrdatalist.rdata, rdata, link); - isc_mem_put(mctx, rdata->data, BUFSIZE); - isc_mem_put(mctx, rdata, sizeof *rdata); - } + dns_rdataset_disassociate(&sigrdataset); dns_db_detach(&db); diff --git a/usr.sbin/bind/bin/dnssec/dnssec-signkey.docbook b/usr.sbin/bind/bin/dnssec/dnssec-signkey.docbook index 39eb7ec135e..40cf45ba2f2 100644 --- a/usr.sbin/bind/bin/dnssec/dnssec-signkey.docbook +++ b/usr.sbin/bind/bin/dnssec/dnssec-signkey.docbook @@ -1,22 +1,22 @@ <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> <!-- + - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2001, 2003 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $ISC: dnssec-signkey.docbook,v 1.2.2.2 2003/03/06 04:38:13 marka Exp $ --> +<!-- $ISC: dnssec-signkey.docbook,v 1.2.2.2.4.2 2004/06/03 02:24:55 marka Exp $ --> <refentry> <refentryinfo> @@ -224,7 +224,7 @@ <refsect1> <title>AUTHOR</title> <para> - <corpauthor>Internet Software Consortium</corpauthor> + <corpauthor>Internet Systems Consortium</corpauthor> </para> </refsect1> diff --git a/usr.sbin/bind/bin/dnssec/dnssec-signkey.html b/usr.sbin/bind/bin/dnssec/dnssec-signkey.html index 7f0306c0782..fb134bfe1b3 100644 --- a/usr.sbin/bind/bin/dnssec/dnssec-signkey.html +++ b/usr.sbin/bind/bin/dnssec/dnssec-signkey.html @@ -1,19 +1,22 @@ <!-- - - Copyright (C) 2000, 2001 Internet Software Consortium. - - + - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2001, 2003 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - - - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. --> + +<!-- $ISC: dnssec-signkey.html,v 1.4.2.1.4.1 2004/03/06 10:21:15 marka Exp $ --> + <HTML ><HEAD ><TITLE diff --git a/usr.sbin/bind/bin/dnssec/dnssec-signzone.8 b/usr.sbin/bind/bin/dnssec/dnssec-signzone.8 index 39710938075..6f158fcb6c6 100644 --- a/usr.sbin/bind/bin/dnssec/dnssec-signzone.8 +++ b/usr.sbin/bind/bin/dnssec/dnssec-signzone.8 @@ -1,35 +1,34 @@ -.\" -.\" Copyright (C) 2000, 2001 Internet Software Consortium. +.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2000-2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. .\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +.\" PERFORMANCE OF THIS SOFTWARE. +.\" +.\" $ISC: dnssec-signzone.8,v 1.23.2.1.4.6 2004/06/11 02:32:46 marka Exp $ .\" .TH "DNSSEC-SIGNZONE" "8" "June 30, 2000" "BIND9" "" .SH NAME dnssec-signzone \- DNSSEC zone signing tool .SH SYNOPSIS .sp -\fBdnssec-signzone\fR [ \fB-a\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-d \fIdirectory\fB\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-f \fIoutput-file\fB\fR ] [ \fB-h\fR ] [ \fB-i \fIinterval\fB\fR ] [ \fB-n \fInthreads\fB\fR ] [ \fB-o \fIorigin\fB\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-t\fR ] [ \fB-v \fIlevel\fB\fR ] \fBzonefile\fR [ \fBkey\fR\fI...\fR ] +\fBdnssec-signzone\fR [ \fB-a\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-d \fIdirectory\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-f \fIoutput-file\fB\fR ] [ \fB-g\fR ] [ \fB-h\fR ] [ \fB-k \fIkey\fB\fR ] [ \fB-l \fIdomain\fB\fR ] [ \fB-i \fIinterval\fB\fR ] [ \fB-n \fInthreads\fB\fR ] [ \fB-o \fIorigin\fB\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-t\fR ] [ \fB-v \fIlevel\fB\fR ] [ \fB-z\fR ] \fBzonefile\fR [ \fBkey\fR\fI...\fR ] .SH "DESCRIPTION" .PP -\fBdnssec-signzone\fR signs a zone. It generates NXT -and SIG records and produces a signed version of the zone. If there -is a \fIsignedkey\fR file from the zone's parent, -the parent's signatures will be incorporated into the generated -signed zone file. The security status of delegations from the the -signed zone (that is, whether the child zones are secure or not) is +\fBdnssec-signzone\fR signs a zone. It generates +NSEC and RRSIG records and produces a signed version of the +zone. The security status of delegations from the signed zone +(that is, whether the child zones are secure or not) is determined by the presence or absence of a -\fIsignedkey\fR file for each child zone. +\fIkeyset\fR file for each child zone. .SH "OPTIONS" .TP \fB-a\fR @@ -38,22 +37,34 @@ Verify all generated signatures. \fB-c \fIclass\fB\fR Specifies the DNS class of the zone. .TP +\fB-k \fIkey\fB\fR +Treat specified key as a key signing key ignoring any +key flags. This option may be specified multiple times. +.TP +\fB-l \fIdomain\fB\fR +Generate a DLV set in addition to the key (DNSKEY) and DS sets. +The domain is appended to the name of the records. +.TP \fB-d \fIdirectory\fB\fR -Look for \fIsignedkey\fR files in +Look for \fIkeyset\fR files in \fBdirectory\fR as the directory .TP +\fB-g\fR +Generate DS records for child zones from keyset files. +Existing DS records will be removed. +.TP \fB-s \fIstart-time\fB\fR -Specify the date and time when the generated SIG records +Specify the date and time when the generated RRSIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no \fBstart-time\fR is specified, the current -time is used. +time minus 1 hour (to allow for clock skew) is used. .TP \fB-e \fIend-time\fB\fR -Specify the date and time when the generated SIG records +Specify the date and time when the generated RRSIG records expire. As with \fBstart-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from @@ -74,7 +85,7 @@ Prints a short summary of the options and arguments to When a previously signed zone is passed as input, records may be resigned. The \fBinterval\fR option specifies the cycle interval as an offset from the current -time (in seconds). If a SIG record expires after the +time (in seconds). If a RRSIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced. @@ -83,7 +94,7 @@ between the signature end and start times. So if neither \fBend-time\fR or \fBstart-time\fR are specified, \fBdnssec-signzone\fR generates signatures that are valid for 30 days, with a cycle -interval of 7.5 days. Therefore, if any existing SIG records +interval of 7.5 days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they would be replaced. .TP @@ -117,6 +128,9 @@ Print statistics at completion. \fB-v \fIlevel\fB\fR Sets the debugging level. .TP +\fB-z\fR +Ignore KSK flag on key when determining what to sign. +.TP \fBzonefile\fR The file containing the zone to be signed. Sets the debugging level. @@ -130,8 +144,8 @@ current directory. The following command signs the \fBexample.com\fR zone with the DSA key generated in the \fBdnssec-keygen\fR man page. The zone's keys must be in the zone. If there are -\fIsignedkey\fR files associated with this zone -or any child zones, they must be in the current directory. +\fIkeyset\fR files associated with child zones, +they must be in the current directory. \fBexample.com\fR, the following command would be issued: .PP @@ -146,9 +160,8 @@ should be referenced in a zone statement in a .SH "SEE ALSO" .PP \fBdnssec-keygen\fR(8), -\fBdnssec-signkey\fR(8), \fIBIND 9 Administrator Reference Manual\fR, \fIRFC 2535\fR. .SH "AUTHOR" .PP -Internet Software Consortium +Internet Systems Consortium diff --git a/usr.sbin/bind/bin/dnssec/dnssec-signzone.c b/usr.sbin/bind/bin/dnssec/dnssec-signzone.c index 47b456ffea6..c96cd98d549 100644 --- a/usr.sbin/bind/bin/dnssec/dnssec-signzone.c +++ b/usr.sbin/bind/bin/dnssec/dnssec-signzone.c @@ -1,23 +1,22 @@ /* - * Portions Copyright (C) 1999-2001, 2003 Internet Software Consortium. + * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 1999-2003 Internet Software Consortium. * Portions Copyright (C) 1995-2000 by Network Associates, Inc. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM AND - * NETWORK ASSOCIATES DISCLAIM ALL WARRANTIES WITH REGARD TO THIS - * SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND - * FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE CONSORTIUM OR NETWORK - * ASSOCIATES BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR - * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF - * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR - * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS + * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE + * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR + * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: dnssec-signzone.c,v 1.139.2.2 2003/03/06 04:38:13 marka Exp $ */ +/* $ISC: dnssec-signzone.c,v 1.139.2.2.4.16 2004/08/28 06:25:29 marka Exp $ */ #include <config.h> @@ -32,6 +31,8 @@ #include <isc/mem.h> #include <isc/mutex.h> #include <isc/os.h> +#include <isc/print.h> +#include <isc/serial.h> #include <isc/stdio.h> #include <isc/string.h> #include <isc/task.h> @@ -42,12 +43,13 @@ #include <dns/dbiterator.h> #include <dns/diff.h> #include <dns/dnssec.h> +#include <dns/ds.h> #include <dns/fixedname.h> #include <dns/keyvalues.h> #include <dns/log.h> #include <dns/master.h> #include <dns/masterdump.h> -#include <dns/nxt.h> +#include <dns/nsec.h> #include <dns/rdata.h> #include <dns/rdataset.h> #include <dns/rdataclass.h> @@ -55,11 +57,9 @@ #include <dns/rdatastruct.h> #include <dns/rdatatype.h> #include <dns/result.h> -#include <dns/secalg.h> #include <dns/time.h> #include <dst/dst.h> -#include <dst/result.h> #include "dnssectool.h" @@ -67,12 +67,15 @@ const char *program = "dnssec-signzone"; int verbose; #define BUFSIZE 2048 +#define MAXDSKEYS 8 typedef struct signer_key_struct signer_key_t; struct signer_key_struct { dst_key_t *key; - isc_boolean_t isdefault; + isc_boolean_t issigningkey; + isc_boolean_t isdsk; + isc_boolean_t isksk; unsigned int position; ISC_LINK(signer_key_t) link; }; @@ -85,7 +88,6 @@ typedef struct signer_event sevent_t; struct signer_event { ISC_EVENT_COMMON(sevent_t); dns_fixedname_t *fname; - dns_fixedname_t *fnextname; dns_dbnode_t *node; }; @@ -109,15 +111,19 @@ static isc_taskmgr_t *taskmgr = NULL; static dns_db_t *gdb; /* The database */ static dns_dbversion_t *gversion; /* The database version */ static dns_dbiterator_t *gdbiter; /* The database iterator */ +static dns_rdataclass_t gclass; /* The class */ static dns_name_t *gorigin; /* The database origin */ -static dns_dbnode_t *gnode = NULL; /* The "current" database node */ -static dns_name_t *lastzonecut; static isc_task_t *master = NULL; static unsigned int ntasks = 0; static isc_boolean_t shuttingdown = ISC_FALSE, finished = ISC_FALSE; static unsigned int assigned = 0, completed = 0; static isc_boolean_t nokeys = ISC_FALSE; static isc_boolean_t removefile = ISC_FALSE; +static isc_boolean_t generateds = ISC_FALSE; +static isc_boolean_t ignoreksk = ISC_FALSE; +static dns_name_t *dlv = NULL; +static dns_fixedname_t dlv_fixed; +static dns_master_style_t *dsstyle = NULL; #define INCSTAT(counter) \ if (printstats) { \ @@ -143,15 +149,63 @@ set_bit(unsigned char *array, unsigned int index, unsigned int bit) { array[index / 8] &= (~mask & 0xFF); } +static void +dumpnode(dns_name_t *name, dns_dbnode_t *node) { + isc_result_t result; + + result = dns_master_dumpnodetostream(mctx, gdb, gversion, node, name, + masterstyle, fp); + check_result(result, "dns_master_dumpnodetostream"); +} + +static void +dumpdb(dns_db_t *db) { + dns_dbiterator_t *dbiter = NULL; + dns_dbnode_t *node; + dns_fixedname_t fname; + dns_name_t *name; + isc_result_t result; + + dbiter = NULL; + result = dns_db_createiterator(db, ISC_FALSE, &dbiter); + check_result(result, "dns_db_createiterator()"); + + dns_fixedname_init(&fname); + name = dns_fixedname_name(&fname); + node = NULL; + + for (result = dns_dbiterator_first(dbiter); + result == ISC_R_SUCCESS; + result = dns_dbiterator_next(dbiter)) + { + result = dns_dbiterator_current(dbiter, &node, name); + check_result(result, "dns_dbiterator_current()"); + dumpnode(name, node); + dns_db_detachnode(db, &node); + } + if (result != ISC_R_NOMORE) + fatal("iterating database: %s", isc_result_totext(result)); + + dns_dbiterator_destroy(&dbiter); +} + static signer_key_t * -newkeystruct(dst_key_t *dstkey, isc_boolean_t isdefault) { +newkeystruct(dst_key_t *dstkey, isc_boolean_t signwithkey) { signer_key_t *key; key = isc_mem_get(mctx, sizeof(signer_key_t)); if (key == NULL) fatal("out of memory"); key->key = dstkey; - key->isdefault = isdefault; + if ((dst_key_flags(dstkey) & DNS_KEYFLAG_KSK) != 0) { + key->issigningkey = signwithkey; + key->isksk = ISC_TRUE; + key->isdsk = ISC_FALSE; + } else { + key->issigningkey = signwithkey; + key->isksk = ISC_FALSE; + key->isdsk = ISC_TRUE; + } key->position = keycount++; ISC_LINK_INIT(key, link); return (key); @@ -168,8 +222,8 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdata_t *rdata, isc_entropy_stopcallbacksources(ectx); if (result != ISC_R_SUCCESS) { char keystr[KEY_FORMATSIZE]; - key_format(key, keystr, sizeof keystr); - fatal("key '%s' failed to sign data: %s", + key_format(key, keystr, sizeof(keystr)); + fatal("dnskey '%s' failed to sign data: %s", keystr, isc_result_totext(result)); } INCSTAT(nsigned); @@ -189,7 +243,7 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdata_t *rdata, static inline isc_boolean_t issigningkey(signer_key_t *key) { - return (key->isdefault); + return (key->issigningkey); } static inline isc_boolean_t @@ -199,30 +253,32 @@ iszonekey(signer_key_t *key) { } /* - * Finds the key that generated a SIG, if possible. First look at the keys + * Finds the key that generated a RRSIG, if possible. First look at the keys * that we've loaded already, and then see if there's a key on disk. */ static signer_key_t * -keythatsigned(dns_rdata_sig_t *sig) { +keythatsigned(dns_rdata_rrsig_t *rrsig) { isc_result_t result; dst_key_t *pubkey = NULL, *privkey = NULL; signer_key_t *key; key = ISC_LIST_HEAD(keylist); while (key != NULL) { - if (sig->keyid == dst_key_id(key->key) && - sig->algorithm == dst_key_alg(key->key) && - dns_name_equal(&sig->signer, dst_key_name(key->key))) + if (rrsig->keyid == dst_key_id(key->key) && + rrsig->algorithm == dst_key_alg(key->key) && + dns_name_equal(&rrsig->signer, dst_key_name(key->key))) return key; key = ISC_LIST_NEXT(key, link); } - result = dst_key_fromfile(&sig->signer, sig->keyid, sig->algorithm, - DST_TYPE_PUBLIC, NULL, mctx, &pubkey); + result = dst_key_fromfile(&rrsig->signer, rrsig->keyid, + rrsig->algorithm, DST_TYPE_PUBLIC, + NULL, mctx, &pubkey); if (result != ISC_R_SUCCESS) return (NULL); - result = dst_key_fromfile(&sig->signer, sig->keyid, sig->algorithm, + result = dst_key_fromfile(&rrsig->signer, rrsig->keyid, + rrsig->algorithm, DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, NULL, mctx, &privkey); if (result == ISC_R_SUCCESS) { @@ -235,8 +291,8 @@ keythatsigned(dns_rdata_sig_t *sig) { } /* - * Check to see if we expect to find a key at this name. If we see a SIG - * and can't find the signing key that we expect to find, we drop the sig. + * Check to see if we expect to find a key at this name. If we see a RRSIG + * and can't find the signing key that we expect to find, we drop the rrsig. * I'm not sure if this is completely correct, but it seems to work. */ static isc_boolean_t @@ -247,7 +303,7 @@ expecttofindkey(dns_name_t *name) { char namestr[DNS_NAME_FORMATSIZE]; dns_fixedname_init(&fname); - result = dns_db_find(gdb, name, gversion, dns_rdatatype_key, options, + result = dns_db_find(gdb, name, gversion, dns_rdatatype_dnskey, options, 0, NULL, dns_fixedname_name(&fname), NULL, NULL); switch (result) { case ISC_R_SUCCESS: @@ -259,18 +315,18 @@ expecttofindkey(dns_name_t *name) { case DNS_R_DNAME: return (ISC_FALSE); } - dns_name_format(name, namestr, sizeof namestr); - fatal("failure looking for '%s KEY' in database: %s", + dns_name_format(name, namestr, sizeof(namestr)); + fatal("failure looking for '%s DNSKEY' in database: %s", namestr, isc_result_totext(result)); return (ISC_FALSE); /* removes a warning */ } static inline isc_boolean_t setverifies(dns_name_t *name, dns_rdataset_t *set, signer_key_t *key, - dns_rdata_t *sig) + dns_rdata_t *rrsig) { isc_result_t result; - result = dns_dnssec_verify(name, set, key->key, ISC_FALSE, mctx, sig); + result = dns_dnssec_verify(name, set, key->key, ISC_FALSE, mctx, rrsig); if (result == ISC_R_SUCCESS) { INCSTAT(nverified); return (ISC_TRUE); @@ -281,17 +337,17 @@ setverifies(dns_name_t *name, dns_rdataset_t *set, signer_key_t *key, } /* - * Signs a set. Goes through contortions to decide if each SIG should + * Signs a set. Goes through contortions to decide if each RRSIG should * be dropped or retained, and then determines if any new SIGs need to * be generated. */ static void -signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name, +signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name, dns_rdataset_t *set) { dns_rdataset_t sigset; dns_rdata_t sigrdata = DNS_RDATA_INIT; - dns_rdata_sig_t sig; + dns_rdata_rrsig_t rrsig; signer_key_t *key; isc_result_t result; isc_boolean_t nosigs = ISC_FALSE; @@ -304,20 +360,20 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name, char typestr[TYPE_FORMATSIZE]; char sigstr[SIG_FORMATSIZE]; - dns_name_format(name, namestr, sizeof namestr); - type_format(set->type, typestr, sizeof typestr); + dns_name_format(name, namestr, sizeof(namestr)); + type_format(set->type, typestr, sizeof(typestr)); ttl = ISC_MIN(set->ttl, endtime - starttime); dns_rdataset_init(&sigset); - result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_sig, + result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_rrsig, set->type, 0, &sigset, NULL); if (result == ISC_R_NOTFOUND) { result = ISC_R_SUCCESS; nosigs = ISC_TRUE; } if (result != ISC_R_SUCCESS) - fatal("failed while looking for '%s SIG %s': %s", + fatal("failed while looking for '%s RRSIG %s': %s", namestr, typestr, isc_result_totext(result)); vbprintf(1, "%s/%s:\n", namestr, typestr); @@ -344,41 +400,44 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name, dns_rdataset_current(&sigset, &sigrdata); - result = dns_rdata_tostruct(&sigrdata, &sig, NULL); + result = dns_rdata_tostruct(&sigrdata, &rrsig, NULL); check_result(result, "dns_rdata_tostruct"); - expired = ISC_TF(now + cycle > sig.timeexpire); - future = ISC_TF(now < sig.timesigned); + future = isc_serial_lt(now, rrsig.timesigned); - key = keythatsigned(&sig); - sig_format(&sig, sigstr, sizeof sigstr); + key = keythatsigned(&rrsig); + sig_format(&rrsig, sigstr, sizeof(sigstr)); + if (key != NULL && issigningkey(key)) + expired = isc_serial_gt(now + cycle, rrsig.timeexpire); + else + expired = isc_serial_gt(now, rrsig.timeexpire); - if (sig.timesigned > sig.timeexpire) { - /* sig is dropped and not replaced */ - vbprintf(2, "\tsig by %s dropped - " + if (isc_serial_gt(rrsig.timesigned, rrsig.timeexpire)) { + /* rrsig is dropped and not replaced */ + vbprintf(2, "\trrsig by %s dropped - " "invalid validity period\n", sigstr); } else if (key == NULL && !future && - expecttofindkey(&sig.signer)) + expecttofindkey(&rrsig.signer)) { - /* sig is dropped and not replaced */ - vbprintf(2, "\tsig by %s dropped - " - "private key not found\n", + /* rrsig is dropped and not replaced */ + vbprintf(2, "\trrsig by %s dropped - " + "private dnskey not found\n", sigstr); } else if (key == NULL || future) { - vbprintf(2, "\tsig by %s %s - key not found\n", + vbprintf(2, "\trrsig by %s %s - dnskey not found\n", expired ? "retained" : "dropped", sigstr); if (!expired) keep = ISC_TRUE; } else if (issigningkey(key)) { if (!expired && setverifies(name, set, key, &sigrdata)) { - vbprintf(2, "\tsig by %s retained\n", sigstr); + vbprintf(2, "\trrsig by %s retained\n", sigstr); keep = ISC_TRUE; wassignedby[key->position] = ISC_TRUE; nowsignedby[key->position] = ISC_TRUE; } else { - vbprintf(2, "\tsig by %s dropped - %s\n", + vbprintf(2, "\trrsig by %s dropped - %s\n", sigstr, expired ? "expired" : "failed to verify"); @@ -388,34 +447,52 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name, } else if (iszonekey(key)) { if (!expired && setverifies(name, set, key, &sigrdata)) { - vbprintf(2, "\tsig by %s retained\n", sigstr); + vbprintf(2, "\trrsig by %s retained\n", sigstr); keep = ISC_TRUE; wassignedby[key->position] = ISC_TRUE; nowsignedby[key->position] = ISC_TRUE; } else { - vbprintf(2, "\tsig by %s dropped - %s\n", + vbprintf(2, "\trrsig by %s dropped - %s\n", sigstr, expired ? "expired" : "failed to verify"); wassignedby[key->position] = ISC_TRUE; } } else if (!expired) { - vbprintf(2, "\tsig by %s retained\n", sigstr); + vbprintf(2, "\trrsig by %s retained\n", sigstr); keep = ISC_TRUE; } else { - vbprintf(2, "\tsig by %s expired\n", sigstr); + vbprintf(2, "\trrsig by %s expired\n", sigstr); } if (keep) { nowsignedby[key->position] = ISC_TRUE; INCSTAT(nretained); + if (sigset.ttl != ttl) { + vbprintf(2, "\tfixing ttl %s\n", sigstr); + tuple = NULL; + result = dns_difftuple_create(mctx, + DNS_DIFFOP_DEL, + name, sigset.ttl, + &sigrdata, + &tuple); + check_result(result, "dns_difftuple_create"); + dns_diff_append(del, &tuple); + result = dns_difftuple_create(mctx, + DNS_DIFFOP_ADD, + name, ttl, + &sigrdata, + &tuple); + check_result(result, "dns_difftuple_create"); + dns_diff_append(add, &tuple); + } } else { tuple = NULL; result = dns_difftuple_create(mctx, DNS_DIFFOP_DEL, name, sigset.ttl, &sigrdata, &tuple); check_result(result, "dns_difftuple_create"); - dns_diff_append(diff, &tuple); + dns_diff_append(del, &tuple); INCSTAT(ndropped); } @@ -425,8 +502,10 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name, unsigned char array[BUFSIZE]; char keystr[KEY_FORMATSIZE]; - key_format(key->key, keystr, sizeof keystr); - vbprintf(1, "\tresigning with key %s\n", keystr); + INSIST(!keep); + + key_format(key->key, keystr, sizeof(keystr)); + vbprintf(1, "\tresigning with dnskey %s\n", keystr); isc_buffer_init(&b, array, sizeof(array)); signwithkey(name, set, &trdata, key->key, &b); nowsignedby[key->position] = ISC_TRUE; @@ -435,11 +514,11 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name, name, ttl, &trdata, &tuple); check_result(result, "dns_difftuple_create"); - dns_diff_append(diff, &tuple); + dns_diff_append(add, &tuple); } dns_rdata_reset(&sigrdata); - dns_rdata_freestruct(&sig); + dns_rdata_freestruct(&rrsig); result = dns_rdataset_next(&sigset); } if (result == ISC_R_NOMORE) @@ -449,62 +528,42 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name, if (dns_rdataset_isassociated(&sigset)) dns_rdataset_disassociate(&sigset); - key = ISC_LIST_HEAD(keylist); - while (key != NULL) { - if (key->isdefault && !nowsignedby[key->position]) { - isc_buffer_t b; - dns_rdata_t trdata = DNS_RDATA_INIT; - unsigned char array[BUFSIZE]; - char keystr[KEY_FORMATSIZE]; + for (key = ISC_LIST_HEAD(keylist); + key != NULL; + key = ISC_LIST_NEXT(key, link)) + { + isc_buffer_t b; + dns_rdata_t trdata; + unsigned char array[BUFSIZE]; + char keystr[KEY_FORMATSIZE]; - key_format(key->key, keystr, sizeof keystr); - vbprintf(1, "\tsigning with key %s\n", keystr); - isc_buffer_init(&b, array, sizeof(array)); - signwithkey(name, set, &trdata, key->key, &b); - tuple = NULL; - result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, - name, ttl, &trdata, - &tuple); - check_result(result, "dns_difftuple_create"); - dns_diff_append(diff, &tuple); - } - key = ISC_LIST_NEXT(key, link); + if (nowsignedby[key->position]) + continue; + + if (!key->issigningkey) + continue; + if (!(ignoreksk || key->isdsk || + (key->isksk && + set->type == dns_rdatatype_dnskey && + dns_name_equal(name, gorigin)))) + continue; + + key_format(key->key, keystr, sizeof(keystr)); + vbprintf(1, "\tsigning with dnskey %s\n", keystr); + dns_rdata_init(&trdata); + isc_buffer_init(&b, array, sizeof(array)); + signwithkey(name, set, &trdata, key->key, &b); + tuple = NULL; + result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name, + ttl, &trdata, &tuple); + check_result(result, "dns_difftuple_create"); + dns_diff_append(add, &tuple); } isc_mem_put(mctx, wassignedby, arraysize * sizeof(isc_boolean_t)); isc_mem_put(mctx, nowsignedby, arraysize * sizeof(isc_boolean_t)); } -/* Determine if a KEY set contains a null key */ -static isc_boolean_t -hasnullkey(dns_rdataset_t *rdataset) { - isc_result_t result; - dns_rdata_t rdata = DNS_RDATA_INIT; - isc_boolean_t found = ISC_FALSE; - - result = dns_rdataset_first(rdataset); - while (result == ISC_R_SUCCESS) { - dst_key_t *key = NULL; - - dns_rdata_reset(&rdata); - dns_rdataset_current(rdataset, &rdata); - result = dns_dnssec_keyfromrdata(dns_rootname, - &rdata, mctx, &key); - if (result != ISC_R_SUCCESS) - fatal("could not convert KEY into internal format: %s", - isc_result_totext(result)); - if (dst_key_isnullkey(key)) - found = ISC_TRUE; - dst_key_free(&key); - if (found == ISC_TRUE) - return (ISC_TRUE); - result = dns_rdataset_next(rdataset); - } - if (result != ISC_R_NOMORE) - fatal("failure looking for null keys"); - return (ISC_FALSE); -} - static void opendb(const char *prefix, dns_name_t *name, dns_rdataclass_t rdclass, dns_db_t **dbp) @@ -524,7 +583,7 @@ opendb(const char *prefix, dns_name_t *name, dns_rdataclass_t rdclass, check_result(result, "dns_name_tofilenametext()"); if (isc_buffer_availablelength(&b) == 0) { char namestr[DNS_NAME_FORMATSIZE]; - dns_name_format(name, namestr, sizeof namestr); + dns_name_format(name, namestr, sizeof(namestr)); fatal("name '%s' is too long", namestr); } isc_buffer_putuint8(&b, 0); @@ -539,242 +598,185 @@ opendb(const char *prefix, dns_name_t *name, dns_rdataclass_t rdclass, } /* - * Looks for signatures of the zone keys by the parent, and imports them - * if found. + * Loads the key set for a child zone, if there is one, and builds DS records. */ -static void -importparentsig(dns_diff_t *diff, dns_name_t *name, dns_rdataset_t *set) { - dns_db_t *newdb = NULL; - dns_dbnode_t *newnode = NULL; - dns_rdataset_t newset, sigset; - dns_rdata_t rdata = DNS_RDATA_INIT, newrdata = DNS_RDATA_INIT; +static isc_result_t +loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) { + dns_db_t *db = NULL; + dns_dbversion_t *ver = NULL; + dns_dbnode_t *node = NULL; isc_result_t result; + dns_rdataset_t keyset; + dns_rdata_t key, ds; + unsigned char dsbuf[DNS_DS_BUFFERSIZE]; + dns_diff_t diff; + dns_difftuple_t *tuple = NULL; - dns_rdataset_init(&newset); - dns_rdataset_init(&sigset); - - opendb("signedkey-", name, dns_db_class(gdb), &newdb); - if (newdb == NULL) - return; - - result = dns_db_findnode(newdb, name, ISC_FALSE, &newnode); - if (result != ISC_R_SUCCESS) - goto failure; - result = dns_db_findrdataset(newdb, newnode, NULL, dns_rdatatype_key, - 0, 0, &newset, &sigset); - if (result != ISC_R_SUCCESS) - goto failure; - - if (!dns_rdataset_isassociated(&newset) || - !dns_rdataset_isassociated(&sigset)) - goto failure; + opendb("keyset-", name, gclass, &db); + if (db == NULL) + return (ISC_R_NOTFOUND); - if (dns_rdataset_count(set) != dns_rdataset_count(&newset)) { - result = DNS_R_BADDB; - goto failure; + result = dns_db_findnode(db, name, ISC_FALSE, &node); + if (result != ISC_R_SUCCESS) { + dns_db_detach(&db); + return (DNS_R_BADDB); } - - result = dns_rdataset_first(set); - check_result(result, "dns_rdataset_first()"); - for (; result == ISC_R_SUCCESS; result = dns_rdataset_next(set)) { - dns_rdataset_current(set, &rdata); - result = dns_rdataset_first(&newset); - check_result(result, "dns_rdataset_first()"); - for (; - result == ISC_R_SUCCESS; - result = dns_rdataset_next(&newset)) - { - dns_rdataset_current(&newset, &newrdata); - if (dns_rdata_compare(&rdata, &newrdata) == 0) - break; - dns_rdata_reset(&newrdata); - } - dns_rdata_reset(&newrdata); - dns_rdata_reset(&rdata); - if (result != ISC_R_SUCCESS) - break; + dns_rdataset_init(&keyset); + result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey, 0, 0, + &keyset, NULL); + if (result != ISC_R_SUCCESS) { + dns_db_detachnode(db, &node); + dns_db_detach(&db); + return (result); } - if (result != ISC_R_NOMORE) - goto failure; - vbprintf(2, "found the parent's signature of our zone key\n"); + vbprintf(2, "found DNSKEY records\n"); - result = dns_rdataset_first(&sigset); - while (result == ISC_R_SUCCESS) { - dns_difftuple_t *tuple = NULL; + result = dns_db_newversion(db, &ver); + check_result(result, "dns_db_newversion"); - dns_rdataset_current(&sigset, &rdata); - result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name, - sigset.ttl, &rdata, &tuple); + dns_diff_init(mctx, &diff); + + for (result = dns_rdataset_first(&keyset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(&keyset)) + { + dns_rdata_init(&key); + dns_rdata_init(&ds); + dns_rdataset_current(&keyset, &key); + result = dns_ds_buildrdata(name, &key, DNS_DSDIGEST_SHA1, + dsbuf, &ds); + check_result(result, "dns_ds_buildrdata"); + + result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name, + ttl, &ds, &tuple); check_result(result, "dns_difftuple_create"); - dns_diff_append(diff, &tuple); - result = dns_rdataset_next(&sigset); - dns_rdata_reset(&rdata); + dns_diff_append(&diff, &tuple); } - if (result == ISC_R_NOMORE) - result = ISC_R_SUCCESS; - - failure: - if (dns_rdataset_isassociated(&newset)) - dns_rdataset_disassociate(&newset); - if (dns_rdataset_isassociated(&sigset)) - dns_rdataset_disassociate(&sigset); - if (newnode != NULL) - dns_db_detachnode(newdb, &newnode); - if (newdb != NULL) - dns_db_detach(&newdb); - if (result != ISC_R_SUCCESS) - fatal("zone signedkey file is invalid or does not match zone"); -} - -/* - * Looks for our signatures of child keys. If present, inform the caller. - */ -static isc_boolean_t -haschildkey(dns_name_t *name) { - dns_db_t *newdb = NULL; - dns_dbnode_t *newnode = NULL; - dns_rdataset_t set, sigset; - dns_rdata_t sigrdata = DNS_RDATA_INIT; - isc_result_t result; - isc_boolean_t found = ISC_FALSE; - dns_rdata_sig_t sig; - signer_key_t *key; - - dns_rdataset_init(&set); - dns_rdataset_init(&sigset); - - opendb("signedkey-", name, dns_db_class(gdb), &newdb); - if (newdb == NULL) - return (ISC_FALSE); + result = dns_diff_apply(&diff, db, ver); + check_result(result, "dns_diff_apply"); + dns_diff_clear(&diff); - result = dns_db_findnode(newdb, name, ISC_FALSE, &newnode); - if (result != ISC_R_SUCCESS) - goto failure; - result = dns_db_findrdataset(newdb, newnode, NULL, dns_rdatatype_key, - 0, 0, &set, &sigset); - if (result != ISC_R_SUCCESS) - goto failure; + dns_db_closeversion(db, &ver, ISC_TRUE); - if (!dns_rdataset_isassociated(&set) || - !dns_rdataset_isassociated(&sigset)) - goto failure; + result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ds, 0, 0, + dsset, NULL); + check_result(result, "dns_db_findrdataset"); - result = dns_rdataset_first(&sigset); - check_result(result, "dns_rdataset_first()"); - dns_rdata_init(&sigrdata); - for (; result == ISC_R_SUCCESS; result = dns_rdataset_next(&sigset)) { - dns_rdataset_current(&sigset, &sigrdata); - result = dns_rdata_tostruct(&sigrdata, &sig, NULL); - if (result != ISC_R_SUCCESS) - goto failure; - key = keythatsigned(&sig); - dns_rdata_freestruct(&sig); - if (key == NULL) { - char namestr[DNS_NAME_FORMATSIZE]; - dns_name_format(name, namestr, sizeof namestr); - fprintf(stderr, - "creating KEY from signedkey file for %s: " - "%s\n", - namestr, isc_result_totext(result)); - goto failure; - } - result = dns_dnssec_verify(name, &set, key->key, - ISC_FALSE, mctx, &sigrdata); - if (result == ISC_R_SUCCESS) { - found = ISC_TRUE; - break; - } else { - char namestr[DNS_NAME_FORMATSIZE]; - dns_name_format(name, namestr, sizeof namestr); - fprintf(stderr, - "verifying SIG in signedkey file for %s: %s\n", - namestr, isc_result_totext(result)); - } - dns_rdata_reset(&sigrdata); - } - - failure: - if (dns_rdataset_isassociated(&set)) - dns_rdataset_disassociate(&set); - if (dns_rdataset_isassociated(&sigset)) - dns_rdataset_disassociate(&sigset); - if (newnode != NULL) - dns_db_detachnode(newdb, &newnode); - if (newdb != NULL) - dns_db_detach(&newdb); - - return (found); + dns_rdataset_disassociate(&keyset); + dns_db_detachnode(db, &node); + dns_db_detach(&db); + return (result); } -/* - * There probably should be a dns_nxt_setbit, but it can get complicated if - * the length of the bit set needs to be increased. In this case, since the - * NXT bit is set and both SIG and KEY are less than NXT, the easy way works. - */ -static void -nxt_setbit(dns_rdataset_t *rdataset, dns_rdatatype_t type) { +static isc_boolean_t +nsec_setbit(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdatatype_t type, + unsigned int val) +{ isc_result_t result; dns_rdata_t rdata = DNS_RDATA_INIT; - dns_rdata_nxt_t nxt; + dns_rdata_nsec_t nsec; + unsigned int newlen; + unsigned char bitmap[8192 + 512]; + unsigned char nsecdata[8192 + 512 + DNS_NAME_MAXWIRE]; + isc_boolean_t answer = ISC_FALSE; + unsigned int i, len, window; + int octet; result = dns_rdataset_first(rdataset); check_result(result, "dns_rdataset_first()"); dns_rdataset_current(rdataset, &rdata); - result = dns_rdata_tostruct(&rdata, &nxt, NULL); + result = dns_rdata_tostruct(&rdata, &nsec, NULL); check_result(result, "dns_rdata_tostruct"); - set_bit(nxt.typebits, type, 1); - dns_rdata_freestruct(&nxt); -} -static void -createnullkey(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name, - dns_ttl_t ttl) -{ - unsigned char keydata[4]; - dns_rdata_t keyrdata = DNS_RDATA_INIT; - dns_rdata_key_t key; - dns_diff_t diff; - dns_difftuple_t *tuple = NULL; - isc_buffer_t b; - isc_result_t result; - char namestr[DNS_NAME_FORMATSIZE]; + INSIST(nsec.len <= sizeof(bitmap)); - dns_name_format(name, namestr, sizeof namestr); - vbprintf(2, "adding null key at %s\n", namestr); - - key.common.rdclass = dns_db_class(db); - key.common.rdtype = dns_rdatatype_key; - ISC_LINK_INIT(&key.common, link); - key.mctx = NULL; - key.flags = DNS_KEYTYPE_NOKEY | DNS_KEYOWNER_ZONE; - key.protocol = DNS_KEYPROTO_DNSSEC; - key.algorithm = DNS_KEYALG_DSA; - key.datalen = 0; - key.data = NULL; - isc_buffer_init(&b, keydata, sizeof keydata); - result = dns_rdata_fromstruct(&keyrdata, dns_db_class(db), - dns_rdatatype_key, &key, &b); - if (result != ISC_R_SUCCESS) - fatal("failed to build null key"); + newlen = 0; - dns_diff_init(mctx, &diff); + memset(bitmap, 0, sizeof(bitmap)); + for (i = 0; i < nsec.len; i += len) { + INSIST(i + 2 <= nsec.len); + window = nsec.typebits[i]; + len = nsec.typebits[i+1]; + i += 2; + INSIST(len > 0 && len <= 32); + INSIST(i + len <= nsec.len); + memmove(&bitmap[window * 32 + 512], &nsec.typebits[i], len); + } + set_bit(bitmap + 512, type, val); + for (window = 0; window < 256; window++) { + for (octet = 31; octet >= 0; octet--) + if (bitmap[window * 32 + 512 + octet] != 0) + break; + if (octet < 0) + continue; + bitmap[newlen] = window; + bitmap[newlen + 1] = octet + 1; + newlen += 2; + /* + * Overlapping move. + */ + memmove(&bitmap[newlen], &bitmap[window * 32 + 512], octet + 1); + newlen += octet + 1; + } + if (newlen != nsec.len || + memcmp(nsec.typebits, bitmap, newlen) != 0) { + dns_rdata_t newrdata = DNS_RDATA_INIT; + isc_buffer_t b; + dns_diff_t diff; + dns_difftuple_t *tuple = NULL; - result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name, ttl, - &keyrdata, &tuple); - check_result(result, "dns_difftuple_create"); + dns_diff_init(mctx, &diff); + result = dns_difftuple_create(mctx, DNS_DIFFOP_DEL, name, + rdataset->ttl, &rdata, &tuple); + check_result(result, "dns_difftuple_create"); + dns_diff_append(&diff, &tuple); + + nsec.typebits = bitmap; + nsec.len = newlen; + isc_buffer_init(&b, nsecdata, sizeof(nsecdata)); + result = dns_rdata_fromstruct(&newrdata, rdata.rdclass, + dns_rdatatype_nsec, &nsec, + &b); + check_result(result, "dns_rdata_fromstruct"); + + result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, + name, rdataset->ttl, + &newrdata, &tuple); + check_result(result, "dns_difftuple_create"); + dns_diff_append(&diff, &tuple); + result = dns_diff_apply(&diff, gdb, gversion); + check_result(result, "dns_difftuple_apply"); + dns_diff_clear(&diff); + answer = ISC_TRUE; + } + dns_rdata_freestruct(&nsec); + return (answer); +} - dns_diff_append(&diff, &tuple); +static isc_boolean_t +delegation(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp) { + dns_rdataset_t nsset; + isc_result_t result; - result = dns_diff_apply(&diff, db, version); - check_result(result, "dns_diff_apply"); + if (dns_name_equal(name, gorigin)) + return (ISC_FALSE); - dns_diff_clear(&diff); + dns_rdataset_init(&nsset); + result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_ns, + 0, 0, &nsset, NULL); + if (dns_rdataset_isassociated(&nsset)) { + if (ttlp != NULL) + *ttlp = nsset.ttl; + dns_rdataset_disassociate(&nsset); + } + + return (ISC_TF(result == ISC_R_SUCCESS)); } /* * Signs all records at a name. This mostly just signs each set individually, - * but also adds the SIG bit to any NXTs generated earlier, deals with + * but also adds the RRSIG bit to any NSECs generated earlier, deals with * parent/child KEY signatures, and handles other exceptional cases. */ static void @@ -783,96 +785,96 @@ signname(dns_dbnode_t *node, dns_name_t *name) { dns_rdataset_t rdataset; dns_rdatasetiter_t *rdsiter; isc_boolean_t isdelegation = ISC_FALSE; - isc_boolean_t childkey = ISC_FALSE; - static int warnwild = 0; + isc_boolean_t hasds = ISC_FALSE; isc_boolean_t atorigin; - isc_boolean_t neednullkey = ISC_FALSE; - dns_diff_t diff; + isc_boolean_t changed = ISC_FALSE; + dns_diff_t del, add; + char namestr[DNS_NAME_FORMATSIZE]; + isc_uint32_t nsttl = 0; - if (dns_name_iswildcard(name)) { - char namestr[DNS_NAME_FORMATSIZE]; - dns_name_format(name, namestr, sizeof namestr); - if (warnwild++ == 0) { - fprintf(stderr, "%s: warning: BIND 9 doesn't properly " - "handle wildcards in secure zones:\n", - program); - fprintf(stderr, "\t- wildcard nonexistence proof is " - "not generated by the server\n"); - fprintf(stderr, "\t- wildcard nonexistence proof is " - "not required by the resolver\n"); - } - fprintf(stderr, "%s: warning: wildcard name seen: %s\n", - program, namestr); - } + dns_name_format(name, namestr, sizeof(namestr)); atorigin = dns_name_equal(name, gorigin); /* - * If this is not the origin, determine if it's a delegation point. + * Determine if this is a delegation point. */ - if (!atorigin) { - dns_rdataset_t nsset; - - dns_rdataset_init(&nsset); - result = dns_db_findrdataset(gdb, node, gversion, - dns_rdatatype_ns, 0, 0, &nsset, - NULL); - /* Is this a delegation point? */ - if (result == ISC_R_SUCCESS) { - isdelegation = ISC_TRUE; - dns_rdataset_disassociate(&nsset); - } - } + if (delegation(name, node, &nsttl)) + isdelegation = ISC_TRUE; /* - * If this is a delegation point, determine if we need to generate - * a null key. + * If this is a delegation point, look for a DS set. */ if (isdelegation) { - dns_rdataset_t keyset; - dns_ttl_t nullkeyttl; - - childkey = haschildkey(name); - neednullkey = ISC_TRUE; - nullkeyttl = zonettl; + dns_rdataset_t dsset; + dns_rdataset_t sigdsset; - dns_rdataset_init(&keyset); + dns_rdataset_init(&dsset); + dns_rdataset_init(&sigdsset); result = dns_db_findrdataset(gdb, node, gversion, - dns_rdatatype_key, 0, 0, &keyset, - NULL); - if (result == ISC_R_SUCCESS && childkey) { - char namestr[DNS_NAME_FORMATSIZE]; - dns_name_format(name, namestr, sizeof namestr); - if (hasnullkey(&keyset)) { - fatal("%s has both a signedkey file and " - "null keys in the zone. Aborting.", - namestr); - } - vbprintf(2, "child key for %s found\n", namestr); - neednullkey = ISC_FALSE; - dns_rdataset_disassociate(&keyset); - } - else if (result == ISC_R_SUCCESS) { - if (hasnullkey(&keyset)) - neednullkey = ISC_FALSE; - nullkeyttl = keyset.ttl; - dns_rdataset_disassociate(&keyset); - } else if (childkey) { - char namestr[DNS_NAME_FORMATSIZE]; - dns_name_format(name, namestr, sizeof namestr); - vbprintf(2, "child key for %s found\n", namestr); - neednullkey = ISC_FALSE; + dns_rdatatype_ds, + 0, 0, &dsset, &sigdsset); + if (result == ISC_R_SUCCESS) { + dns_rdataset_disassociate(&dsset); + if (generateds) { + result = dns_db_deleterdataset(gdb, node, + gversion, + dns_rdatatype_ds, + 0); + check_result(result, "dns_db_deleterdataset"); + } else + hasds = ISC_TRUE; } + if (generateds) { + result = loadds(name, nsttl, &dsset); + if (result == ISC_R_SUCCESS) { + result = dns_db_addrdataset(gdb, node, + gversion, 0, + &dsset, 0, NULL); + check_result(result, "dns_db_addrdataset"); + hasds = ISC_TRUE; + dns_rdataset_disassociate(&dsset); + if (dns_rdataset_isassociated(&sigdsset)) + dns_rdataset_disassociate(&sigdsset); + } else if (dns_rdataset_isassociated(&sigdsset)) { + result = dns_db_deleterdataset(gdb, node, + gversion, + dns_rdatatype_rrsig, + dns_rdatatype_ds); + check_result(result, "dns_db_deleterdataset"); + dns_rdataset_disassociate(&sigdsset); + } + } else if (dns_rdataset_isassociated(&sigdsset)) + dns_rdataset_disassociate(&sigdsset); + } - if (neednullkey) - createnullkey(gdb, gversion, name, nullkeyttl); + /* + * Make sure that NSEC bits are appropriately set. + */ + dns_rdataset_init(&rdataset); + RUNTIME_CHECK(dns_db_findrdataset(gdb, node, gversion, + dns_rdatatype_nsec, 0, 0, &rdataset, + NULL) == ISC_R_SUCCESS); + if (!nokeys) + changed = nsec_setbit(name, &rdataset, dns_rdatatype_rrsig, 1); + if (changed) { + dns_rdataset_disassociate(&rdataset); + RUNTIME_CHECK(dns_db_findrdataset(gdb, node, gversion, + dns_rdatatype_nsec, 0, 0, + &rdataset, + NULL) == ISC_R_SUCCESS); } + if (hasds) + (void)nsec_setbit(name, &rdataset, dns_rdatatype_ds, 1); + else + (void)nsec_setbit(name, &rdataset, dns_rdatatype_ds, 0); + dns_rdataset_disassociate(&rdataset); /* * Now iterate through the rdatasets. */ - dns_diff_init(mctx, &diff); - dns_rdataset_init(&rdataset); + dns_diff_init(mctx, &del); + dns_diff_init(mctx, &add); rdsiter = NULL; result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter); check_result(result, "dns_db_allrdatasets()"); @@ -880,58 +882,50 @@ signname(dns_dbnode_t *node, dns_name_t *name) { while (result == ISC_R_SUCCESS) { dns_rdatasetiter_current(rdsiter, &rdataset); - /* If this is a SIG set, skip it. */ - if (rdataset.type == dns_rdatatype_sig) - goto skip; - - /* - * If this is a KEY set at the apex, look for a signedkey file. - */ - if (atorigin && rdataset.type == dns_rdatatype_key) { - importparentsig(&diff, name, &rdataset); + /* If this is a RRSIG set, skip it. */ + if (rdataset.type == dns_rdatatype_rrsig) goto skip; - } /* * If this name is a delegation point, skip all records - * except an NXT set a KEY set containing a null key. + * except NSEC and DS sets. Otherwise check that there + * isn't a DS record. */ if (isdelegation) { - if (!(rdataset.type == dns_rdatatype_nxt || - (rdataset.type == dns_rdatatype_key && - hasnullkey(&rdataset)))) + if (rdataset.type != dns_rdatatype_nsec && + rdataset.type != dns_rdatatype_ds) goto skip; + } else if (rdataset.type == dns_rdatatype_ds) { + char namebuf[DNS_NAME_FORMATSIZE]; + dns_name_format(name, namebuf, sizeof(namebuf)); + fatal("'%s': found DS RRset without NS RRset\n", + namebuf); } - if (rdataset.type == dns_rdatatype_nxt) { - if (!nokeys) - nxt_setbit(&rdataset, dns_rdatatype_sig); - if (neednullkey) - nxt_setbit(&rdataset, dns_rdatatype_key); - } - - signset(&diff, node, name, &rdataset); + signset(&del, &add, node, name, &rdataset); skip: dns_rdataset_disassociate(&rdataset); result = dns_rdatasetiter_next(rdsiter); } - if (result != ISC_R_NOMORE) { - char namestr[DNS_NAME_FORMATSIZE]; - dns_name_format(name, namestr, sizeof namestr); + if (result != ISC_R_NOMORE) fatal("rdataset iteration for name '%s' failed: %s", namestr, isc_result_totext(result)); - } + dns_rdatasetiter_destroy(&rdsiter); - result = dns_diff_apply(&diff, gdb, gversion); - if (result != ISC_R_SUCCESS) { - char namestr[DNS_NAME_FORMATSIZE]; - dns_name_format(name, namestr, sizeof namestr); + result = dns_diff_applysilently(&del, gdb, gversion); + if (result != ISC_R_SUCCESS) + fatal("failed to delete SIGs at node '%s': %s", + namestr, isc_result_totext(result)); + + result = dns_diff_applysilently(&add, gdb, gversion); + if (result != ISC_R_SUCCESS) fatal("failed to add SIGs at node '%s': %s", namestr, isc_result_totext(result)); - } - dns_diff_clear(&diff); + + dns_diff_clear(&del); + dns_diff_clear(&add); } static inline isc_boolean_t @@ -948,7 +942,8 @@ active_node(dns_dbnode_t *node) { result = dns_rdatasetiter_first(rdsiter); while (result == ISC_R_SUCCESS) { dns_rdatasetiter_current(rdsiter, &rdataset); - if (rdataset.type != dns_rdatatype_nxt) + if (rdataset.type != dns_rdatatype_nsec && + rdataset.type != dns_rdatatype_rrsig) active = ISC_TRUE; dns_rdataset_disassociate(&rdataset); if (!active) @@ -959,65 +954,43 @@ active_node(dns_dbnode_t *node) { if (result != ISC_R_NOMORE) fatal("rdataset iteration failed: %s", isc_result_totext(result)); - dns_rdatasetiter_destroy(&rdsiter); if (!active) { /* - * Make sure there is no NXT record for this node. + * Make sure there is no NSEC / RRSIG records for + * this node. */ result = dns_db_deleterdataset(gdb, node, gversion, - dns_rdatatype_nxt, 0); + dns_rdatatype_nsec, 0); if (result == DNS_R_UNCHANGED) result = ISC_R_SUCCESS; - check_result(result, "dns_db_deleterdataset"); - } - - return (active); -} - -static inline isc_result_t -next_active(dns_name_t *name, dns_dbnode_t **nodep) { - isc_result_t result; - isc_boolean_t active; - - do { - active = ISC_FALSE; - result = dns_dbiterator_current(gdbiter, nodep, name); - if (result == ISC_R_SUCCESS) { - active = active_node(*nodep); - if (!active) { - dns_db_detachnode(gdb, nodep); - result = dns_dbiterator_next(gdbiter); + check_result(result, "dns_db_deleterdataset(nsec)"); + + result = dns_rdatasetiter_first(rdsiter); + for (result = dns_rdatasetiter_first(rdsiter); + result == ISC_R_SUCCESS; + result = dns_rdatasetiter_next(rdsiter)) { + dns_rdatasetiter_current(rdsiter, &rdataset); + if (rdataset.type == dns_rdatatype_rrsig) { + dns_rdatatype_t type = rdataset.type; + dns_rdatatype_t covers = rdataset.covers; + result = dns_db_deleterdataset(gdb, node, + gversion, type, + covers); + if (result == DNS_R_UNCHANGED) + result = ISC_R_SUCCESS; + check_result(result, + "dns_db_deleterdataset(rrsig)"); } + dns_rdataset_disassociate(&rdataset); } - } while (result == ISC_R_SUCCESS && !active); - - return (result); -} - -static inline isc_result_t -next_nonglue(dns_name_t *name, dns_dbnode_t **nodep, dns_name_t *origin, - dns_name_t *lastcut) -{ - isc_result_t result; + if (result != ISC_R_NOMORE) + fatal("rdataset iteration failed: %s", + isc_result_totext(result)); + } + dns_rdatasetiter_destroy(&rdsiter); - do { - result = next_active(name, nodep); - if (result == ISC_R_SUCCESS) { - if (dns_name_issubdomain(name, origin) && - (lastcut == NULL || - !dns_name_issubdomain(name, lastcut))) - return (ISC_R_SUCCESS); - result = dns_master_dumpnodetostream(mctx, gdb, - gversion, - *nodep, name, - masterstyle, fp); - check_result(result, "dns_master_dumpnodetostream"); - dns_db_detachnode(gdb, nodep); - result = dns_dbiterator_next(gdbiter); - } - } while (result == ISC_R_SUCCESS); - return (result); + return (active); } /* @@ -1030,25 +1003,30 @@ soattl(void) { dns_name_t *name; isc_result_t result; dns_ttl_t ttl; + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdata_soa_t soa; dns_fixedname_init(&fname); name = dns_fixedname_name(&fname); dns_rdataset_init(&soaset); result = dns_db_find(gdb, gorigin, gversion, dns_rdatatype_soa, 0, 0, NULL, name, &soaset, NULL); - if (result != ISC_R_SUCCESS) { - char namestr[DNS_NAME_FORMATSIZE]; - dns_name_format(name, namestr, sizeof namestr); - fatal("failed to find '%s SOA' in the zone: %s", - namestr, isc_result_totext(result)); - } - ttl = soaset.ttl; + if (result != ISC_R_SUCCESS) + fatal("failed to find an SOA at the zone apex: %s", + isc_result_totext(result)); + + result = dns_rdataset_first(&soaset); + check_result(result, "dns_rdataset_first"); + dns_rdataset_current(&soaset, &rdata); + result = dns_rdata_tostruct(&rdata, &soa, NULL); + check_result(result, "dns_rdata_tostruct"); + ttl = soa.minimum; dns_rdataset_disassociate(&soaset); return (ttl); } /* - * Delete any SIG records at a node. + * Delete any RRSIG records at a node. */ static void cleannode(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) { @@ -1064,7 +1042,7 @@ cleannode(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) { isc_boolean_t destroy = ISC_FALSE; dns_rdatatype_t covers = 0; dns_rdatasetiter_current(rdsiter, &set); - if (set.type == dns_rdatatype_sig) { + if (set.type == dns_rdatatype_rrsig) { covers = set.covers; destroy = ISC_TRUE; } @@ -1072,7 +1050,7 @@ cleannode(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) { result = dns_rdatasetiter_next(rdsiter); if (destroy) { dresult = dns_db_deleterdataset(db, node, version, - dns_rdatatype_sig, + dns_rdatatype_rrsig, covers); check_result(dresult, "dns_db_deleterdataset"); } @@ -1096,11 +1074,6 @@ presign(void) { result = dns_dbiterator_first(gdbiter); check_result(result, "dns_dbiterator_first()"); - - lastzonecut = NULL; - - zonettl = soattl(); - } /* @@ -1108,129 +1081,75 @@ presign(void) { */ static void postsign(void) { - if (lastzonecut != NULL) { - dns_name_free(lastzonecut, mctx); - isc_mem_put(mctx, lastzonecut, sizeof(dns_name_t)); - } dns_dbiterator_destroy(&gdbiter); } /* - * Find the next name to nxtify & sign - */ -static isc_result_t -getnextname(dns_name_t *name, dns_name_t *nextname, dns_dbnode_t **nodep) { - isc_result_t result; - dns_dbnode_t *nextnode, *curnode; - - LOCK(&namelock); - - if (shuttingdown || finished) { - result = ISC_R_NOMORE; - if (gnode != NULL) - dns_db_detachnode(gdb, &gnode); - goto out; - } - - if (gnode == NULL) { - dns_fixedname_t ftname; - dns_name_t *tname; - - dns_fixedname_init(&ftname); - tname = dns_fixedname_name(&ftname); - - result = next_nonglue(tname, &gnode, gorigin, lastzonecut); - if (result != ISC_R_SUCCESS) - fatal("failed to iterate through the zone"); - } - - nextnode = NULL; - curnode = NULL; - dns_dbiterator_current(gdbiter, &curnode, name); - if (!dns_name_equal(name, gorigin)) { - dns_rdatasetiter_t *rdsiter = NULL; - dns_rdataset_t set; - - dns_rdataset_init(&set); - result = dns_db_allrdatasets(gdb, curnode, gversion, 0, - &rdsiter); - check_result(result, "dns_db_allrdatasets"); - result = dns_rdatasetiter_first(rdsiter); - while (result == ISC_R_SUCCESS) { - dns_rdatasetiter_current(rdsiter, &set); - if (set.type == dns_rdatatype_ns) { - dns_rdataset_disassociate(&set); - break; - } - dns_rdataset_disassociate(&set); - result = dns_rdatasetiter_next(rdsiter); - } - if (result != ISC_R_SUCCESS && result != ISC_R_NOMORE) - fatal("rdataset iteration failed: %s", - isc_result_totext(result)); - if (result == ISC_R_SUCCESS) { - if (lastzonecut != NULL) - dns_name_free(lastzonecut, mctx); - else { - lastzonecut = isc_mem_get(mctx, - sizeof(dns_name_t)); - if (lastzonecut == NULL) - fatal("out of memory"); - } - dns_name_init(lastzonecut, NULL); - result = dns_name_dup(name, mctx, lastzonecut); - check_result(result, "dns_name_dup()"); - } - dns_rdatasetiter_destroy(&rdsiter); - } - result = dns_dbiterator_next(gdbiter); - if (result == ISC_R_SUCCESS) - result = next_nonglue(nextname, &nextnode, gorigin, - lastzonecut); - if (result == ISC_R_NOMORE) { - dns_name_clone(gorigin, nextname); - finished = ISC_TRUE; - result = ISC_R_SUCCESS; - } else if (result != ISC_R_SUCCESS) - fatal("iterating through the database failed: %s", - isc_result_totext(result)); - dns_db_detachnode(gdb, &curnode); - - *nodep = gnode; - gnode = nextnode; - - out: - UNLOCK(&namelock); - return (result); -} - -/* * Assigns a node to a worker thread. This is protected by the master task's * lock. */ static void assignwork(isc_task_t *task, isc_task_t *worker) { - dns_fixedname_t *fname, *fnextname; + dns_fixedname_t *fname; + dns_name_t *name; dns_dbnode_t *node; sevent_t *sevent; + dns_rdataset_t nsec; + isc_boolean_t found; isc_result_t result; + if (shuttingdown) + return; + + if (finished) { + if (assigned == completed) { + isc_task_detach(&task); + isc_app_shutdown(); + } + return; + } + fname = isc_mem_get(mctx, sizeof(dns_fixedname_t)); - fnextname = isc_mem_get(mctx, sizeof(dns_fixedname_t)); - if (fname == NULL || fnextname == NULL) + if (fname == NULL) fatal("out of memory"); dns_fixedname_init(fname); - dns_fixedname_init(fnextname); + name = dns_fixedname_name(fname); node = NULL; - result = getnextname(dns_fixedname_name(fname), - dns_fixedname_name(fnextname), &node); - if (result == ISC_R_NOMORE) { - isc_mem_put(mctx, fname, sizeof(dns_fixedname_t)); - isc_mem_put(mctx, fnextname, sizeof(dns_fixedname_t)); + found = ISC_FALSE; + LOCK(&namelock); + while (!found) { + result = dns_dbiterator_current(gdbiter, &node, name); + if (result != ISC_R_SUCCESS) + fatal("failure iterating database: %s", + isc_result_totext(result)); + dns_rdataset_init(&nsec); + result = dns_db_findrdataset(gdb, node, gversion, + dns_rdatatype_nsec, 0, 0, + &nsec, NULL); + if (result == ISC_R_SUCCESS) + found = ISC_TRUE; + else + dumpnode(name, node); + if (dns_rdataset_isassociated(&nsec)) + dns_rdataset_disassociate(&nsec); + if (!found) + dns_db_detachnode(gdb, &node); + + result = dns_dbiterator_next(gdbiter); + if (result == ISC_R_NOMORE) { + finished = ISC_TRUE; + break; + } else if (result != ISC_R_SUCCESS) + fatal("failure iterating database: %s", + isc_result_totext(result)); + } + UNLOCK(&namelock); + if (!found) { if (assigned == completed) { isc_task_detach(&task); isc_app_shutdown(); } + isc_mem_put(mctx, fname, sizeof(dns_fixedname_t)); return; } sevent = (sevent_t *) @@ -1241,8 +1160,7 @@ assignwork(isc_task_t *task, isc_task_t *worker) { sevent->node = node; sevent->fname = fname; - sevent->fnextname = fnextname; - isc_task_send(worker, (isc_event_t **)&sevent); + isc_task_send(worker, ISC_EVENT_PTR(&sevent)); assigned++; } @@ -1263,17 +1181,12 @@ startworker(isc_task_t *task, isc_event_t *event) { */ static void writenode(isc_task_t *task, isc_event_t *event) { - isc_result_t result; isc_task_t *worker; sevent_t *sevent = (sevent_t *)event; completed++; worker = (isc_task_t *)event->ev_sender; - result = dns_master_dumpnodetostream(mctx, gdb, gversion, - sevent->node, - dns_fixedname_name(sevent->fname), - masterstyle, fp); - check_result(result, "dns_master_dumpnodetostream"); + dumpnode(dns_fixedname_name(sevent->fname), sevent->node); cleannode(gdb, gversion, sevent->node); dns_db_detachnode(gdb, &sevent->node); isc_mem_put(mctx, sevent->fname, sizeof(dns_fixedname_t)); @@ -1282,25 +1195,19 @@ writenode(isc_task_t *task, isc_event_t *event) { } /* - * Sign and nxtify a database node. + * Sign a database node. */ static void sign(isc_task_t *task, isc_event_t *event) { - dns_fixedname_t *fname, *fnextname; + dns_fixedname_t *fname; dns_dbnode_t *node; sevent_t *sevent, *wevent; - isc_result_t result; sevent = (sevent_t *)event; node = sevent->node; fname = sevent->fname; - fnextname = sevent->fnextname; isc_event_free(&event); - result = dns_nxt_build(gdb, gversion, node, - dns_fixedname_name(fnextname), zonettl); - check_result(result, "dns_nxt_build()"); - isc_mem_put(mctx, fnextname, sizeof(dns_fixedname_t)); signname(node, dns_fixedname_name(fname)); wevent = (sevent_t *) isc_event_allocate(mctx, task, SIGNER_EVENT_WRITE, @@ -1309,7 +1216,82 @@ sign(isc_task_t *task, isc_event_t *event) { fatal("failed to allocate event\n"); wevent->node = node; wevent->fname = fname; - isc_task_send(master, (isc_event_t **)&wevent); + isc_task_send(master, ISC_EVENT_PTR(&wevent)); +} + +/* + * Generate NSEC records for the zone. + */ +static void +nsecify(void) { + dns_dbiterator_t *dbiter = NULL; + dns_dbnode_t *node = NULL, *nextnode = NULL; + dns_fixedname_t fname, fnextname, fzonecut; + dns_name_t *name, *nextname, *zonecut; + isc_boolean_t done = ISC_FALSE; + isc_result_t result; + + dns_fixedname_init(&fname); + name = dns_fixedname_name(&fname); + dns_fixedname_init(&fnextname); + nextname = dns_fixedname_name(&fnextname); + dns_fixedname_init(&fzonecut); + zonecut = NULL; + + result = dns_db_createiterator(gdb, ISC_FALSE, &dbiter); + check_result(result, "dns_db_createiterator()"); + + result = dns_dbiterator_first(dbiter); + check_result(result, "dns_dbiterator_first()"); + + while (!done) { + dns_dbiterator_current(dbiter, &node, name); + if (delegation(name, node, NULL)) { + zonecut = dns_fixedname_name(&fzonecut); + dns_name_copy(name, zonecut, NULL); + } + result = dns_dbiterator_next(dbiter); + nextnode = NULL; + while (result == ISC_R_SUCCESS) { + isc_boolean_t active = ISC_FALSE; + result = dns_dbiterator_current(dbiter, &nextnode, + nextname); + if (result != ISC_R_SUCCESS) + break; + active = active_node(nextnode); + if (!active) { + dns_db_detachnode(gdb, &nextnode); + result = dns_dbiterator_next(dbiter); + continue; + } + if (result != ISC_R_SUCCESS) { + dns_db_detachnode(gdb, &nextnode); + break; + } + if (!dns_name_issubdomain(nextname, gorigin) || + (zonecut != NULL && + dns_name_issubdomain(nextname, zonecut))) + { + dns_db_detachnode(gdb, &nextnode); + result = dns_dbiterator_next(dbiter); + continue; + } + dns_db_detachnode(gdb, &nextnode); + break; + } + if (result == ISC_R_NOMORE) { + dns_name_clone(gorigin, nextname); + done = ISC_TRUE; + } else if (result != ISC_R_SUCCESS) + fatal("iterating through the database failed: %s", + isc_result_totext(result)); + result = dns_nsec_build(gdb, gversion, node, nextname, + zonettl); + check_result(result, "dns_nsec_build()"); + dns_db_detachnode(gdb, &node); + } + + dns_dbiterator_destroy(&dbiter); } /* @@ -1376,7 +1358,7 @@ loadzonekeys(dns_db_t *db) { for (i = 0; i < nkeys; i++) { signer_key_t *key; - key = newkeystruct(keys[i], ISC_FALSE); + key = newkeystruct(keys[i], ISC_TRUE); ISC_LIST_APPEND(keylist, key, link); } dns_db_detachnode(db, &node); @@ -1405,7 +1387,7 @@ loadzonepubkeys(dns_db_t *db) { dns_rdataset_init(&rdataset); result = dns_db_findrdataset(db, node, currentversion, - dns_rdatatype_key, 0, 0, &rdataset, NULL); + dns_rdatatype_dnskey, 0, 0, &rdataset, NULL); if (result != ISC_R_SUCCESS) fatal("failed to find keys at the zone apex: %s", isc_result_totext(result)); @@ -1435,6 +1417,176 @@ loadzonepubkeys(dns_db_t *db) { } static void +warnifallksk(dns_db_t *db) { + dns_dbversion_t *currentversion = NULL; + dns_dbnode_t *node = NULL; + dns_rdataset_t rdataset; + dns_rdata_t rdata = DNS_RDATA_INIT; + dst_key_t *pubkey; + isc_result_t result; + dns_rdata_key_t key; + isc_boolean_t have_non_ksk = ISC_FALSE; + + dns_db_currentversion(db, ¤tversion); + + result = dns_db_findnode(db, gorigin, ISC_FALSE, &node); + if (result != ISC_R_SUCCESS) + fatal("failed to find the zone's origin: %s", + isc_result_totext(result)); + + dns_rdataset_init(&rdataset); + result = dns_db_findrdataset(db, node, currentversion, + dns_rdatatype_dnskey, 0, 0, &rdataset, NULL); + if (result != ISC_R_SUCCESS) + fatal("failed to find keys at the zone apex: %s", + isc_result_totext(result)); + result = dns_rdataset_first(&rdataset); + check_result(result, "dns_rdataset_first"); + while (result == ISC_R_SUCCESS) { + pubkey = NULL; + dns_rdata_reset(&rdata); + dns_rdataset_current(&rdataset, &rdata); + result = dns_rdata_tostruct(&rdata, &key, NULL); + check_result(result, "dns_rdata_tostruct"); + if ((key.flags & DNS_KEYFLAG_KSK) == 0) { + have_non_ksk = ISC_TRUE; + result = ISC_R_NOMORE; + } else + result = dns_rdataset_next(&rdataset); + } + dns_rdataset_disassociate(&rdataset); + dns_db_detachnode(db, &node); + dns_db_closeversion(db, ¤tversion, ISC_FALSE); + if (!have_non_ksk && !ignoreksk) + fprintf(stderr, "%s: warning: No non-KSK dnskey found. " + "Supply non-KSK dnskey or use '-z'.\n", + program); +} + +static void +writeset(const char *prefix, dns_rdatatype_t type) { + char *filename; + char namestr[DNS_NAME_FORMATSIZE]; + dns_db_t *db = NULL; + dns_dbversion_t *version = NULL; + dns_diff_t diff; + dns_difftuple_t *tuple = NULL; + dns_fixedname_t fixed; + dns_name_t *name; + dns_rdata_t rdata, ds; + isc_boolean_t have_ksk = ISC_FALSE; + isc_boolean_t have_non_ksk = ISC_FALSE; + isc_buffer_t b; + isc_buffer_t namebuf; + isc_region_t r; + isc_result_t result; + signer_key_t *key; + unsigned char dsbuf[DNS_DS_BUFFERSIZE]; + unsigned char keybuf[DST_KEY_MAXSIZE]; + unsigned int filenamelen; + const dns_master_style_t *style = + (type == dns_rdatatype_dnskey) ? masterstyle : dsstyle; + + isc_buffer_init(&namebuf, namestr, sizeof(namestr)); + result = dns_name_tofilenametext(gorigin, ISC_FALSE, &namebuf); + check_result(result, "dns_name_tofilenametext"); + isc_buffer_putuint8(&namebuf, 0); + filenamelen = strlen(prefix) + strlen(namestr); + if (directory != NULL) + filenamelen += strlen(directory) + 1; + filename = isc_mem_get(mctx, filenamelen + 1); + if (filename == NULL) + fatal("out of memory"); + if (directory != NULL) + sprintf(filename, "%s/", directory); + else + filename[0] = 0; + strlcat(filename, prefix, filenamelen + 1); + strlcat(filename, namestr, filenamelen + 1); + + dns_diff_init(mctx, &diff); + + for (key = ISC_LIST_HEAD(keylist); + key != NULL; + key = ISC_LIST_NEXT(key, link)) + if (!key->isksk) { + have_non_ksk = ISC_TRUE; + break; + } + + for (key = ISC_LIST_HEAD(keylist); + key != NULL; + key = ISC_LIST_NEXT(key, link)) + if (key->isksk) { + have_ksk = ISC_TRUE; + break; + } + + if (type == dns_rdatatype_dlv) { + dns_name_t tname; + unsigned int labels; + + dns_name_init(&tname, NULL); + dns_fixedname_init(&fixed); + name = dns_fixedname_name(&fixed); + labels = dns_name_countlabels(gorigin); + dns_name_getlabelsequence(gorigin, 0, labels - 1, &tname); + result = dns_name_concatenate(&tname, dlv, name, NULL); + check_result(result, "dns_name_concatenate"); + } else + name = gorigin; + + for (key = ISC_LIST_HEAD(keylist); + key != NULL; + key = ISC_LIST_NEXT(key, link)) + { + if (have_ksk && have_non_ksk && !key->isksk) + continue; + dns_rdata_init(&rdata); + dns_rdata_init(&ds); + isc_buffer_init(&b, keybuf, sizeof(keybuf)); + result = dst_key_todns(key->key, &b); + check_result(result, "dst_key_todns"); + isc_buffer_usedregion(&b, &r); + dns_rdata_fromregion(&rdata, gclass, dns_rdatatype_dnskey, &r); + if (type != dns_rdatatype_dnskey) { + result = dns_ds_buildrdata(gorigin, &rdata, + DNS_DSDIGEST_SHA1, + dsbuf, &ds); + check_result(result, "dns_ds_buildrdata"); + if (type == dns_rdatatype_dlv) + ds.type = dns_rdatatype_dlv; + result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, + name, 0, &ds, &tuple); + } else + result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, + gorigin, zonettl, + &rdata, &tuple); + check_result(result, "dns_difftuple_create"); + dns_diff_append(&diff, &tuple); + } + + result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone, + gclass, 0, NULL, &db); + check_result(result, "dns_db_create"); + + result = dns_db_newversion(db, &version); + check_result(result, "dns_db_newversion"); + + result = dns_diff_apply(&diff, db, version); + check_result(result, "dns_diff_apply"); + dns_diff_clear(&diff); + + result = dns_master_dump(mctx, db, version, style, filename); + check_result(result, "dns_master_dump"); + + isc_mem_put(mctx, filename, filenamelen + 1); + + dns_db_closeversion(db, &version, ISC_FALSE); + dns_db_detach(&db); +} + +static void print_time(FILE *fp) { time_t currenttime; @@ -1454,14 +1606,18 @@ usage(void) { fprintf(stderr, "\n"); + fprintf(stderr, "Version: %s\n", VERSION); + fprintf(stderr, "Options: (default value in parenthesis) \n"); fprintf(stderr, "\t-c class (IN)\n"); fprintf(stderr, "\t-d directory\n"); - fprintf(stderr, "\t\tdirectory to find signedkey files (.)\n"); + fprintf(stderr, "\t\tdirectory to find keyset files (.)\n"); + fprintf(stderr, "\t-g:\t"); + fprintf(stderr, "generate DS records from keyset files\n"); fprintf(stderr, "\t-s YYYYMMDDHHMMSS|+offset:\n"); - fprintf(stderr, "\t\tSIG start time - absolute|offset (now)\n"); + fprintf(stderr, "\t\tRRSIG start time - absolute|offset (now - 1 hour)\n"); fprintf(stderr, "\t-e YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n"); - fprintf(stderr, "\t\tSIG end time - absolute|from start|from now " + fprintf(stderr, "\t\tRRSIG end time - absolute|from start|from now " "(now + 30 days)\n"); fprintf(stderr, "\t-i interval:\n"); fprintf(stderr, "\t\tcycle interval - resign " @@ -1481,22 +1637,16 @@ usage(void) { fprintf(stderr, "\t-t:\t"); fprintf(stderr, "print statistics\n"); fprintf(stderr, "\t-n ncpus (number of cpus present)\n"); + fprintf(stderr, "\t-k key_signing_key\n"); + fprintf(stderr, "\t-l lookasidezone\n"); + fprintf(stderr, "\t-z:\t"); + fprintf(stderr, "ignore KSK flag in DNSKEYs"); fprintf(stderr, "\n"); fprintf(stderr, "Signing Keys: "); fprintf(stderr, "(default: all zone keys that have private keys)\n"); fprintf(stderr, "\tkeyfile (Kname+alg+tag)\n"); -#ifndef ISC_RFC2535 - fprintf(stderr, -"WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING\n" -"WARNING WARNING\n" -"WARNING This version of dnssec-signzone produces zones that are WARNING\n" -"WARNING incompatible with the forthcoming DS based DNSSEC WARNING\n" -"WARNING standard. WARNING\n" -"WARNING WARNING\n" -"WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING\n"); -#endif exit(0); } @@ -1506,12 +1656,38 @@ removetempfile(void) { isc_file_remove(tempfile); } +static void +print_stats(isc_time_t *timer_start, isc_time_t *timer_finish) { + isc_uint64_t runtime_us; /* Runtime in microseconds */ + isc_uint64_t runtime_ms; /* Runtime in milliseconds */ + isc_uint64_t sig_ms; /* Signatures per millisecond */ + + runtime_us = isc_time_microdiff(timer_finish, timer_start); + + printf("Signatures generated: %10d\n", nsigned); + printf("Signatures retained: %10d\n", nretained); + printf("Signatures dropped: %10d\n", ndropped); + printf("Signatures successfully verified: %10d\n", nverified); + printf("Signatures unsuccessfully verified: %10d\n", nverifyfailed); + runtime_ms = runtime_us / 1000; + printf("Runtime in seconds: %7u.%03u\n", + (unsigned int) (runtime_ms / 1000), + (unsigned int) (runtime_ms % 1000)); + if (runtime_us > 0) { + sig_ms = ((isc_uint64_t)nsigned * 1000000000) / runtime_us; + printf("Signatures per second: %7u.%03u\n", + (unsigned int) sig_ms / 1000, + (unsigned int) sig_ms % 1000); + } +} + int main(int argc, char *argv[]) { int i, ch; char *startstr = NULL, *endstr = NULL, *classname = NULL; char *origin = NULL, *file = NULL, *output = NULL; - char *randomfile = NULL; + char *dskeyfile[MAXDSKEYS]; + int ndskeys = 0; char *endp; isc_time_t timer_start, timer_finish; signer_key_t *key; @@ -1522,8 +1698,11 @@ main(int argc, char *argv[]) { isc_boolean_t free_output = ISC_FALSE; int tempfilelen; dns_rdataclass_t rdclass; - isc_textregion_t r; + dns_db_t *udb = NULL; isc_task_t **tasks = NULL; + isc_buffer_t b; + int len; + masterstyle = &dns_master_style_explicitttl; check_result(isc_app_start(), "isc_app_start"); @@ -1535,21 +1714,38 @@ main(int argc, char *argv[]) { dns_result_register(); while ((ch = isc_commandline_parse(argc, argv, - "c:s:e:i:v:o:f:ahpr:td:n:")) + "ac:d:e:f:ghi:k:l:n:o:pr:s:Stv:z")) != -1) { switch (ch) { + case 'a': + tryverify = ISC_TRUE; + break; + case 'c': classname = isc_commandline_argument; break; - case 's': - startstr = isc_commandline_argument; + case 'd': + directory = isc_commandline_argument; break; case 'e': endstr = isc_commandline_argument; break; + case 'f': + output = isc_commandline_argument; + break; + + case 'g': + generateds = ISC_TRUE; + break; + + case 'h': + default: + usage(); + break; + case 'i': endp = NULL; cycle = strtol(isc_commandline_argument, &endp, 0); @@ -1558,67 +1754,73 @@ main(int argc, char *argv[]) { "positive"); break; - case 'p': - pseudorandom = ISC_TRUE; + case 'l': + dns_fixedname_init(&dlv_fixed); + len = strlen(isc_commandline_argument); + isc_buffer_init(&b, isc_commandline_argument, len); + isc_buffer_add(&b, len); + + dns_fixedname_init(&dlv_fixed); + dlv = dns_fixedname_name(&dlv_fixed); + result = dns_name_fromtext(dlv, &b, dns_rootname, + ISC_FALSE, NULL); + check_result(result, "dns_name_fromtext(dlv)"); break; - case 'r': - randomfile = isc_commandline_argument; + case 'k': + if (ndskeys == MAXDSKEYS) + fatal("too many key-signing keys specified"); + dskeyfile[ndskeys++] = isc_commandline_argument; break; - case 'v': + case 'n': endp = NULL; - verbose = strtol(isc_commandline_argument, &endp, 0); - if (*endp != '\0') - fatal("verbose level must be numeric"); + ntasks = strtol(isc_commandline_argument, &endp, 0); + if (*endp != '\0' || ntasks > ISC_INT32_MAX) + fatal("number of cpus must be numeric"); break; case 'o': origin = isc_commandline_argument; break; - case 'f': - output = isc_commandline_argument; + case 'p': + pseudorandom = ISC_TRUE; break; - case 'a': - tryverify = ISC_TRUE; + case 'r': + setup_entropy(mctx, isc_commandline_argument, &ectx); break; - case 't': - printstats = ISC_TRUE; + case 's': + startstr = isc_commandline_argument; break; - case 'd': - directory = isc_commandline_argument; + case 'S': + /* This is intentionally undocumented */ + /* -S: simple output style */ + masterstyle = &dns_master_style_simple; break; - case 'n': - endp = NULL; - ntasks = strtol(isc_commandline_argument, &endp, 0); - if (*endp != '\0' || ntasks > ISC_INT32_MAX) - fatal("number of cpus must be numeric"); + case 't': + printstats = ISC_TRUE; break; - case 'h': - default: - usage(); + case 'v': + endp = NULL; + verbose = strtol(isc_commandline_argument, &endp, 0); + if (*endp != '\0') + fatal("verbose level must be numeric"); + break; + case 'z': + ignoreksk = ISC_TRUE; + break; } } -#ifndef ISC_RFC2535 - fprintf(stderr, -"WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING\n" -"WARNING WARNING\n" -"WARNING This version of dnssec-signzone produces zones that are WARNING\n" -"WARNING incompatible with the forth coming DS based DNSSEC WARNING\n" -"WARNING standard. WARNING\n" -"WARNING WARNING\n" -"WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING\n"); -#endif - - setup_entropy(mctx, randomfile, &ectx); + if (ectx == NULL) + setup_entropy(mctx, NULL, &ectx); eflags = ISC_ENTROPY_BLOCKING; if (!pseudorandom) eflags |= ISC_ENTROPY_GOODONLY; @@ -1631,7 +1833,7 @@ main(int argc, char *argv[]) { if (startstr != NULL) starttime = strtotime(startstr, now, now); else - starttime = now; + starttime = now - 3600; /* Allow for some clock skew. */ if (endstr != NULL) endtime = strtotime(endstr, now, starttime); @@ -1645,15 +1847,7 @@ main(int argc, char *argv[]) { ntasks = isc_os_ncpus(); vbprintf(4, "using %d cpus\n", ntasks); - - if (classname != NULL) { - r.base = classname; - r.length = strlen(classname); - result = dns_rdataclass_fromtext(&rdclass, &r); - if (result != ISC_R_SUCCESS) - fatal("unknown class %s",classname); - } else - rdclass = dns_rdataclass_in; + rdclass = strtoclass(classname); setup_logging(verbose, mctx, &log); @@ -1668,36 +1862,35 @@ main(int argc, char *argv[]) { argc -= 1; argv += 1; + if (origin == NULL) + origin = file; + if (output == NULL) { size_t len; free_output = ISC_TRUE; - len = strlen(file) + strlen(".signed") + 1; - output = isc_mem_allocate(mctx, len); + len = strlen(file) + strlen(".signed"); + output = isc_mem_allocate(mctx, len + 1); if (output == NULL) fatal("out of memory"); - snprintf(output, len, "%s.signed", file); + snprintf(output, len + 1, "%s.signed", file); } - if (origin == NULL) - origin = file; + result = dns_master_stylecreate(&dsstyle, DNS_STYLEFLAG_NO_TTL, + 0, 24, 0, 0, 0, 8, mctx); + check_result(result, "dns_master_stylecreate"); + gdb = NULL; - isc_time_now(&timer_start); + TIME_NOW(&timer_start); loadzone(file, origin, rdclass, &gdb); gorigin = dns_db_origin(gdb); + gclass = dns_db_class(gdb); + zonettl = soattl(); ISC_LIST_INIT(keylist); if (argc == 0) { - signer_key_t *key; - loadzonekeys(gdb); - - key = ISC_LIST_HEAD(keylist); - while (key != NULL) { - key->isdefault = ISC_TRUE; - key = ISC_LIST_NEXT(key, link); - } } else { for (i = 0; i < argc; i++) { dst_key_t *newkey = NULL; @@ -1707,7 +1900,7 @@ main(int argc, char *argv[]) { DST_TYPE_PRIVATE, mctx, &newkey); if (result != ISC_R_SUCCESS) - fatal("cannot load key %s: %s", argv[i], + fatal("cannot load dnskey %s: %s", argv[i], isc_result_totext(result)); key = ISC_LIST_HEAD(keylist); @@ -1718,10 +1911,9 @@ main(int argc, char *argv[]) { dns_name_equal(dst_key_name(dkey), dst_key_name(newkey))) { - key->isdefault = ISC_TRUE; if (!dst_key_isprivate(dkey)) fatal("cannot sign zone with " - "non-private key %s", + "non-private dnskey %s", argv[i]); break; } @@ -1737,16 +1929,66 @@ main(int argc, char *argv[]) { loadzonepubkeys(gdb); } + for (i = 0; i < ndskeys; i++) { + dst_key_t *newkey = NULL; + + result = dst_key_fromnamedfile(dskeyfile[i], + DST_TYPE_PUBLIC | + DST_TYPE_PRIVATE, + mctx, &newkey); + if (result != ISC_R_SUCCESS) + fatal("cannot load dnskey %s: %s", dskeyfile[i], + isc_result_totext(result)); + + key = ISC_LIST_HEAD(keylist); + while (key != NULL) { + dst_key_t *dkey = key->key; + if (dst_key_id(dkey) == dst_key_id(newkey) && + dst_key_alg(dkey) == dst_key_alg(newkey) && + dns_name_equal(dst_key_name(dkey), + dst_key_name(newkey))) + { + /* Override key flags. */ + key->issigningkey = ISC_TRUE; + key->isksk = ISC_TRUE; + key->isdsk = ISC_FALSE; + dst_key_free(&dkey); + key->key = newkey; + break; + } + key = ISC_LIST_NEXT(key, link); + } + if (key == NULL) { + /* Override dnskey flags. */ + key = newkeystruct(newkey, ISC_TRUE); + key->isksk = ISC_TRUE; + key->isdsk = ISC_FALSE; + ISC_LIST_APPEND(keylist, key, link); + } + } + if (ISC_LIST_EMPTY(keylist)) { fprintf(stderr, "%s: warning: No keys specified or found\n", program); nokeys = ISC_TRUE; } + warnifallksk(gdb); + gversion = NULL; result = dns_db_newversion(gdb, &gversion); check_result(result, "dns_db_newversion()"); + nsecify(); + + if (!nokeys) { + writeset("keyset-", dns_rdatatype_dnskey); + writeset("dsset-", dns_rdatatype_ds); + if (dlv != NULL) { + writeset("dlvset-", dns_rdatatype_dlv); + } + } + tempfilelen = strlen(output) + 20; tempfile = isc_mem_get(mctx, tempfilelen); if (tempfile == NULL) @@ -1806,6 +2048,11 @@ main(int argc, char *argv[]) { isc_mem_put(mctx, tasks, ntasks * sizeof(isc_task_t *)); postsign(); + if (udb != NULL) { + dumpdb(udb); + dns_db_detach(&udb); + } + result = isc_stdio_close(fp); check_result(result, "isc_stdio_close"); removefile = ISC_FALSE; @@ -1822,7 +2069,6 @@ main(int argc, char *argv[]) { printf("%s\n", output); dns_db_closeversion(gdb, &gversion, ISC_FALSE); - dns_db_detach(&gdb); while (!ISC_LIST_EMPTY(keylist)) { @@ -1837,6 +2083,8 @@ main(int argc, char *argv[]) { if (free_output) isc_mem_free(mctx, output); + dns_master_styledestroy(&dsstyle, mctx); + cleanup_logging(&log); dst_lib_destroy(); cleanup_entropy(&ectx); @@ -1847,35 +2095,8 @@ main(int argc, char *argv[]) { (void) isc_app_finish(); if (printstats) { - isc_uint64_t runtime_us; /* Runtime in microseconds */ - isc_uint64_t runtime_ms; /* Runtime in milliseconds */ - isc_uint64_t sig_ms; /* Signatures per millisecond */ - - isc_time_now(&timer_finish); - - runtime_us = isc_time_microdiff(&timer_finish, &timer_start); - - printf("Signatures generated: %10d\n", - nsigned); - printf("Signatures retained: %10d\n", - nretained); - printf("Signatures dropped: %10d\n", - ndropped); - printf("Signatures successfully verified: %10d\n", - nverified); - printf("Signatures unsuccessfully verified: %10d\n", - nverifyfailed); - runtime_ms = runtime_us / 1000; - printf("Runtime in seconds: %7u.%03u\n", - (unsigned int) (runtime_ms / 1000), - (unsigned int) (runtime_ms % 1000)); - if (runtime_us > 0) { - sig_ms = ((isc_uint64_t)nsigned * 1000000000) / - runtime_us; - printf("Signatures per second: %7u.%03u\n", - (unsigned int) sig_ms / 1000, - (unsigned int) sig_ms % 1000); - } + TIME_NOW(&timer_finish); + print_stats(&timer_start, &timer_finish); } return (0); diff --git a/usr.sbin/bind/bin/dnssec/dnssec-signzone.docbook b/usr.sbin/bind/bin/dnssec/dnssec-signzone.docbook index 5cea47eddf0..a559e80064e 100644 --- a/usr.sbin/bind/bin/dnssec/dnssec-signzone.docbook +++ b/usr.sbin/bind/bin/dnssec/dnssec-signzone.docbook @@ -1,22 +1,22 @@ <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> <!-- - - Copyright (C) 2001, 2003 Internet Software Consortium. + - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2001-2003 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $ISC: dnssec-signzone.docbook,v 1.2.2.2 2003/03/06 04:38:13 marka Exp $ --> +<!-- $ISC: dnssec-signzone.docbook,v 1.2.2.2.4.8 2004/06/11 01:17:35 marka Exp $ --> <refentry> <refentryinfo> @@ -40,17 +40,21 @@ <arg><option>-a</option></arg> <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg> <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg> - <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg> <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg> <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg> + <arg><option>-g</option></arg> <arg><option>-h</option></arg> + <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg> + <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg> <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg> <arg><option>-n <replaceable class="parameter">nthreads</replaceable></option></arg> <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg> <arg><option>-p</option></arg> <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg> + <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg> <arg><option>-t</option></arg> <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg> + <arg><option>-z</option></arg> <arg choice="req">zonefile</arg> <arg rep="repeat">key</arg> </cmdsynopsis> @@ -59,14 +63,12 @@ <refsect1> <title>DESCRIPTION</title> <para> - <command>dnssec-signzone</command> signs a zone. It generates NXT - and SIG records and produces a signed version of the zone. If there - is a <filename>signedkey</filename> file from the zone's parent, - the parent's signatures will be incorporated into the generated - signed zone file. The security status of delegations from the the - signed zone (that is, whether the child zones are secure or not) is - determined by the presence or absence of a - <filename>signedkey</filename> file for each child zone. + <command>dnssec-signzone</command> signs a zone. It generates + NSEC and RRSIG records and produces a signed version of the + zone. The security status of delegations from the signed zone + (that is, whether the child zones are secure or not) is + determined by the presence or absence of a + <filename>keyset</filename> file for each child zone. </para> </refsect1> @@ -93,27 +95,57 @@ </varlistentry> <varlistentry> + <term>-k <replaceable class="parameter">key</replaceable></term> + <listitem> + <para> + Treat specified key as a key signing key ignoring any + key flags. This option may be specified multiple times. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-l <replaceable class="parameter">domain</replaceable></term> + <listitem> + <para> + Generate a DLV set in addition to the key (DNSKEY) and DS sets. + The domain is appended to the name of the records. + </para> + </listitem> + </varlistentry> + + <varlistentry> <term>-d <replaceable class="parameter">directory</replaceable></term> <listitem> <para> - Look for <filename>signedkey</filename> files in + Look for <filename>keyset</filename> files in <option>directory</option> as the directory </para> </listitem> </varlistentry> <varlistentry> + <term>-g</term> + <listitem> + <para> + Generate DS records for child zones from keyset files. + Existing DS records will be removed. + </para> + </listitem> + </varlistentry> + + <varlistentry> <term>-s <replaceable class="parameter">start-time</replaceable></term> <listitem> <para> - Specify the date and time when the generated SIG records + Specify the date and time when the generated RRSIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no <option>start-time</option> is specified, the current - time is used. + time minus 1 hour (to allow for clock skew) is used. </para> </listitem> </varlistentry> @@ -122,7 +154,7 @@ <term>-e <replaceable class="parameter">end-time</replaceable></term> <listitem> <para> - Specify the date and time when the generated SIG records + Specify the date and time when the generated RRSIG records expire. As with <option>start-time</option>, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from @@ -161,7 +193,7 @@ When a previously signed zone is passed as input, records may be resigned. The <option>interval</option> option specifies the cycle interval as an offset from the current - time (in seconds). If a SIG record expires after the + time (in seconds). If a RRSIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced. </para> @@ -171,7 +203,7 @@ <option>end-time</option> or <option>start-time</option> are specified, <command>dnssec-signzone</command> generates signatures that are valid for 30 days, with a cycle - interval of 7.5 days. Therefore, if any existing SIG records + interval of 7.5 days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they would be replaced. </para> @@ -245,6 +277,15 @@ </varlistentry> <varlistentry> + <term>-z</term> + <listitem> + <para> + Ignore KSK flag on key when determining what to sign. + </para> + </listitem> + </varlistentry> + + <varlistentry> <term>zonefile</term> <listitem> <para> @@ -274,8 +315,8 @@ The following command signs the <userinput>example.com</userinput> zone with the DSA key generated in the <command>dnssec-keygen</command> man page. The zone's keys must be in the zone. If there are - <filename>signedkey</filename> files associated with this zone - or any child zones, they must be in the current directory. + <filename>keyset</filename> files associated with child zones, + they must be in the current directory. <userinput>example.com</userinput>, the following command would be issued: </para> @@ -300,10 +341,6 @@ <refentrytitle>dnssec-keygen</refentrytitle> <manvolnum>8</manvolnum> </citerefentry>, - <citerefentry> - <refentrytitle>dnssec-signkey</refentrytitle> - <manvolnum>8</manvolnum> - </citerefentry>, <citetitle>BIND 9 Administrator Reference Manual</citetitle>, <citetitle>RFC 2535</citetitle>. </para> @@ -312,7 +349,7 @@ <refsect1> <title>AUTHOR</title> <para> - <corpauthor>Internet Software Consortium</corpauthor> + <corpauthor>Internet Systems Consortium</corpauthor> </para> </refsect1> diff --git a/usr.sbin/bind/bin/dnssec/dnssec-signzone.html b/usr.sbin/bind/bin/dnssec/dnssec-signzone.html index 6925d324553..4c0f0008897 100644 --- a/usr.sbin/bind/bin/dnssec/dnssec-signzone.html +++ b/usr.sbin/bind/bin/dnssec/dnssec-signzone.html @@ -1,27 +1,30 @@ <!-- - - Copyright (C) 2000, 2001 Internet Software Consortium. - - + - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2001-2003 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - - - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. --> + +<!-- $ISC: dnssec-signzone.html,v 1.4.2.1.4.7 2004/08/22 23:38:58 marka Exp $ --> + +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML ><HEAD ><TITLE >dnssec-signzone</TITLE ><META NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.73 -"></HEAD +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD ><BODY CLASS="REFENTRY" BGCOLOR="#FFFFFF" @@ -32,10 +35,10 @@ ALINK="#0000FF" ><H1 ><A NAME="AEN1" +></A ><SPAN CLASS="APPLICATION" >dnssec-signzone</SPAN -></A ></H1 ><DIV CLASS="REFNAMEDIV" @@ -59,104 +62,102 @@ NAME="AEN13" ><B CLASS="COMMAND" >dnssec-signzone</B -> [<TT +> [<VAR CLASS="OPTION" ->-a</TT ->] [<TT +>-a</VAR +>] [<VAR CLASS="OPTION" ->-c <TT +>-c <VAR CLASS="REPLACEABLE" -><I ->class</I -></TT -></TT ->] [<TT +>class</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-d <TT +>-d <VAR CLASS="REPLACEABLE" -><I ->directory</I -></TT -></TT ->] [<TT +>directory</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-s <TT +>-e <VAR CLASS="REPLACEABLE" -><I ->start-time</I -></TT -></TT ->] [<TT +>end-time</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-e <TT +>-f <VAR CLASS="REPLACEABLE" -><I ->end-time</I -></TT -></TT ->] [<TT +>output-file</VAR +></VAR +>] [<VAR +CLASS="OPTION" +>-g</VAR +>] [<VAR CLASS="OPTION" ->-f <TT +>-h</VAR +>] [<VAR +CLASS="OPTION" +>-k <VAR CLASS="REPLACEABLE" -><I ->output-file</I -></TT -></TT ->] [<TT +>key</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-h</TT ->] [<TT +>-l <VAR +CLASS="REPLACEABLE" +>domain</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-i <TT +>-i <VAR CLASS="REPLACEABLE" -><I ->interval</I -></TT -></TT ->] [<TT +>interval</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-n <TT +>-n <VAR CLASS="REPLACEABLE" -><I ->nthreads</I -></TT -></TT ->] [<TT +>nthreads</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-o <TT +>-o <VAR CLASS="REPLACEABLE" -><I ->origin</I -></TT -></TT ->] [<TT +>origin</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-p</TT ->] [<TT +>-p</VAR +>] [<VAR CLASS="OPTION" ->-r <TT +>-r <VAR CLASS="REPLACEABLE" -><I ->randomdev</I -></TT -></TT ->] [<TT +>randomdev</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-t</TT ->] [<TT +>-s <VAR +CLASS="REPLACEABLE" +>start-time</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-v <TT +>-t</VAR +>] [<VAR +CLASS="OPTION" +>-v <VAR CLASS="REPLACEABLE" -><I ->level</I -></TT -></TT +>level</VAR +></VAR +>] [<VAR +CLASS="OPTION" +>-z</VAR >] {zonefile} [key...]</P ></DIV ><DIV CLASS="REFSECT1" ><A -NAME="AEN56" +NAME="AEN66" ></A ><H2 >DESCRIPTION</H2 @@ -164,26 +165,21 @@ NAME="AEN56" > <B CLASS="COMMAND" >dnssec-signzone</B -> signs a zone. It generates NXT - and SIG records and produces a signed version of the zone. If there - is a <TT -CLASS="FILENAME" ->signedkey</TT -> file from the zone's parent, - the parent's signatures will be incorporated into the generated - signed zone file. The security status of delegations from the the - signed zone (that is, whether the child zones are secure or not) is - determined by the presence or absence of a +> signs a zone. It generates + NSEC and RRSIG records and produces a signed version of the + zone. The security status of delegations from the signed zone + (that is, whether the child zones are secure or not) is + determined by the presence or absence of a <TT CLASS="FILENAME" ->signedkey</TT +>keyset</TT > file for each child zone. </P ></DIV ><DIV CLASS="REFSECT1" ><A -NAME="AEN62" +NAME="AEN71" ></A ><H2 >OPTIONS</H2 @@ -200,11 +196,9 @@ CLASS="VARIABLELIST" </P ></DD ><DT ->-c <TT +>-c <VAR CLASS="REPLACEABLE" -><I ->class</I -></TT +>class</VAR ></DT ><DD ><P @@ -212,76 +206,98 @@ CLASS="REPLACEABLE" </P ></DD ><DT ->-d <TT +>-k <VAR +CLASS="REPLACEABLE" +>key</VAR +></DT +><DD +><P +> Treat specified key as a key signing key ignoring any + key flags. This option may be specified multiple times. + </P +></DD +><DT +>-l <VAR +CLASS="REPLACEABLE" +>domain</VAR +></DT +><DD +><P +> Generate a DLV set in addition to the key (DNSKEY) and DS sets. + The domain is appended to the name of the records. + </P +></DD +><DT +>-d <VAR CLASS="REPLACEABLE" -><I ->directory</I -></TT +>directory</VAR ></DT ><DD ><P > Look for <TT CLASS="FILENAME" ->signedkey</TT +>keyset</TT > files in - <TT + <VAR CLASS="OPTION" ->directory</TT +>directory</VAR > as the directory </P ></DD ><DT ->-s <TT +>-g</DT +><DD +><P +> Generate DS records for child zones from keyset files. + Existing DS records will be removed. + </P +></DD +><DT +>-s <VAR CLASS="REPLACEABLE" -><I ->start-time</I -></TT +>start-time</VAR ></DT ><DD ><P -> Specify the date and time when the generated SIG records +> Specify the date and time when the generated RRSIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. - If no <TT + If no <VAR CLASS="OPTION" ->start-time</TT +>start-time</VAR > is specified, the current - time is used. + time minus 1 hour (to allow for clock skew) is used. </P ></DD ><DT ->-e <TT +>-e <VAR CLASS="REPLACEABLE" -><I ->end-time</I -></TT +>end-time</VAR ></DT ><DD ><P -> Specify the date and time when the generated SIG records - expire. As with <TT +> Specify the date and time when the generated RRSIG records + expire. As with <VAR CLASS="OPTION" ->start-time</TT +>start-time</VAR >, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is - indicated with now+N. If no <TT + indicated with now+N. If no <VAR CLASS="OPTION" ->end-time</TT +>end-time</VAR > is specified, 30 days from the start time is used as a default. </P ></DD ><DT ->-f <TT +>-f <VAR CLASS="REPLACEABLE" -><I ->output-file</I -></TT +>output-file</VAR ></DT ><DD ><P @@ -305,50 +321,46 @@ CLASS="COMMAND" </P ></DD ><DT ->-i <TT +>-i <VAR CLASS="REPLACEABLE" -><I ->interval</I -></TT +>interval</VAR ></DT ><DD ><P > When a previously signed zone is passed as input, records - may be resigned. The <TT + may be resigned. The <VAR CLASS="OPTION" ->interval</TT +>interval</VAR > option specifies the cycle interval as an offset from the current - time (in seconds). If a SIG record expires after the + time (in seconds). If a RRSIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced. </P ><P > The default cycle interval is one quarter of the difference between the signature end and start times. So if neither - <TT + <VAR CLASS="OPTION" ->end-time</TT -> or <TT +>end-time</VAR +> or <VAR CLASS="OPTION" ->start-time</TT +>start-time</VAR > are specified, <B CLASS="COMMAND" >dnssec-signzone</B > generates signatures that are valid for 30 days, with a cycle - interval of 7.5 days. Therefore, if any existing SIG records + interval of 7.5 days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they would be replaced. </P ></DD ><DT ->-n <TT +>-n <VAR CLASS="REPLACEABLE" -><I ->ncpus</I -></TT +>ncpus</VAR ></DT ><DD ><P @@ -357,11 +369,9 @@ CLASS="REPLACEABLE" </P ></DD ><DT ->-o <TT +>-o <VAR CLASS="REPLACEABLE" -><I ->origin</I -></TT +>origin</VAR ></DT ><DD ><P @@ -380,11 +390,9 @@ CLASS="REPLACEABLE" </P ></DD ><DT ->-r <TT +>-r <VAR CLASS="REPLACEABLE" -><I ->randomdev</I -></TT +>randomdev</VAR ></DT ><DD ><P @@ -415,11 +423,9 @@ CLASS="FILENAME" </P ></DD ><DT ->-v <TT +>-v <VAR CLASS="REPLACEABLE" -><I ->level</I -></TT +>level</VAR ></DT ><DD ><P @@ -427,6 +433,13 @@ CLASS="REPLACEABLE" </P ></DD ><DT +>-z</DT +><DD +><P +> Ignore KSK flag on key when determining what to sign. + </P +></DD +><DT >zonefile</DT ><DD ><P @@ -449,16 +462,14 @@ CLASS="REPLACEABLE" ><DIV CLASS="REFSECT1" ><A -NAME="AEN154" +NAME="AEN181" ></A ><H2 >EXAMPLE</H2 ><P -> The following command signs the <TT +> The following command signs the <KBD CLASS="USERINPUT" -><B ->example.com</B -></TT +>example.com</KBD > zone with the DSA key generated in the <B CLASS="COMMAND" @@ -467,23 +478,19 @@ CLASS="COMMAND" man page. The zone's keys must be in the zone. If there are <TT CLASS="FILENAME" ->signedkey</TT -> files associated with this zone - or any child zones, they must be in the current directory. - <TT +>keyset</TT +> files associated with child zones, + they must be in the current directory. + <KBD CLASS="USERINPUT" -><B ->example.com</B -></TT +>example.com</KBD >, the following command would be issued: </P ><P -> <TT +> <KBD CLASS="USERINPUT" -><B ->dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</B -></TT +>dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</KBD > </P ><P @@ -508,7 +515,7 @@ CLASS="FILENAME" ><DIV CLASS="REFSECT1" ><A -NAME="AEN168" +NAME="AEN195" ></A ><H2 >SEE ALSO</H2 @@ -520,13 +527,6 @@ CLASS="REFENTRYTITLE" >dnssec-keygen</SPAN >(8)</SPAN >, - <SPAN -CLASS="CITEREFENTRY" -><SPAN -CLASS="REFENTRYTITLE" ->dnssec-signkey</SPAN ->(8)</SPAN ->, <I CLASS="CITETITLE" >BIND 9 Administrator Reference Manual</I @@ -540,12 +540,12 @@ CLASS="CITETITLE" ><DIV CLASS="REFSECT1" ><A -NAME="AEN179" +NAME="AEN203" ></A ><H2 >AUTHOR</H2 ><P -> Internet Software Consortium +> Internet Systems Consortium </P ></DIV ></BODY diff --git a/usr.sbin/bind/bin/dnssec/dnssectool.c b/usr.sbin/bind/bin/dnssec/dnssectool.c index 14632df2ab9..01e655d4712 100644 --- a/usr.sbin/bind/bin/dnssec/dnssectool.c +++ b/usr.sbin/bind/bin/dnssec/dnssectool.c @@ -1,21 +1,21 @@ /* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: dnssectool.c,v 1.31.2.4 2003/10/09 07:32:31 marka Exp $ */ +/* $ISC: dnssectool.c,v 1.31.2.3.2.4 2004/03/08 02:07:38 marka Exp $ */ #include <config.h> @@ -23,6 +23,8 @@ #include <isc/buffer.h> #include <isc/entropy.h> +#include <isc/list.h> +#include <isc/mem.h> #include <isc/string.h> #include <isc/time.h> #include <isc/util.h> @@ -31,6 +33,7 @@ #include <dns/log.h> #include <dns/name.h> #include <dns/rdatastruct.h> +#include <dns/rdataclass.h> #include <dns/rdatatype.h> #include <dns/result.h> #include <dns/secalg.h> @@ -41,7 +44,15 @@ extern int verbose; extern const char *program; -static isc_entropysource_t *source = NULL; +typedef struct entropysource entropysource_t; + +struct entropysource { + isc_entropysource_t *source; + isc_mem_t *mctx; + ISC_LINK(entropysource_t) link; +}; + +static ISC_LIST(entropysource_t) sources; static fatalcallback_t *fatalcallback = NULL; void @@ -107,12 +118,12 @@ alg_format(const dns_secalg_t alg, char *cp, unsigned int size) { } void -sig_format(dns_rdata_sig_t *sig, char *cp, unsigned int size) { +sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size) { char namestr[DNS_NAME_FORMATSIZE]; char algstr[DNS_NAME_FORMATSIZE]; - dns_name_format(&sig->signer, namestr, sizeof namestr); - alg_format(sig->algorithm, algstr, sizeof algstr); + dns_name_format(&sig->signer, namestr, sizeof(namestr)); + alg_format(sig->algorithm, algstr, sizeof(algstr)); snprintf(cp, size, "%s/%s/%d", namestr, algstr, sig->keyid); } @@ -121,8 +132,8 @@ key_format(const dst_key_t *key, char *cp, unsigned int size) { char namestr[DNS_NAME_FORMATSIZE]; char algstr[DNS_NAME_FORMATSIZE]; - dns_name_format(dst_key_name(key), namestr, sizeof namestr); - alg_format((dns_secalg_t) dst_key_alg(key), algstr, sizeof algstr); + dns_name_format(dst_key_name(key), namestr, sizeof(namestr)); + alg_format((dns_secalg_t) dst_key_alg(key), algstr, sizeof(algstr)); snprintf(cp, size, "%s/%s/%d", namestr, algstr, dst_key_id(key)); } @@ -198,6 +209,8 @@ cleanup_logging(isc_log_t **logp) { void setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { isc_result_t result; + isc_entropysource_t *source = NULL; + entropysource_t *elt; int usekeyboard = ISC_ENTROPY_KEYBOARDMAYBE; REQUIRE(ectx != NULL); @@ -206,6 +219,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { result = isc_entropy_create(mctx, ectx); if (result != ISC_R_SUCCESS) fatal("could not create entropy object"); + ISC_LIST_INIT(sources); } if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) { @@ -219,17 +233,32 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { if (result != ISC_R_SUCCESS) fatal("could not initialize entropy source: %s", isc_result_totext(result)); + + if (source != NULL) { + elt = isc_mem_get(mctx, sizeof(*elt)); + if (elt == NULL) + fatal("out of memory"); + elt->source = source; + elt->mctx = mctx; + ISC_LINK_INIT(elt, link); + ISC_LIST_APPEND(sources, elt, link); + } } void cleanup_entropy(isc_entropy_t **ectx) { - if (source != NULL) - isc_entropy_destroysource(&source); + entropysource_t *source; + while (!ISC_LIST_EMPTY(sources)) { + source = ISC_LIST_HEAD(sources); + ISC_LIST_UNLINK(sources, source, link); + isc_entropy_destroysource(&source->source); + isc_mem_put(source->mctx, source, sizeof(*source)); + } isc_entropy_detach(ectx); } isc_stdtime_t -strtotime(char *str, isc_int64_t now, isc_int64_t base) { +strtotime(const char *str, isc_int64_t now, isc_int64_t base) { isc_int64_t val, offset; isc_result_t result; char *endp; @@ -258,3 +287,19 @@ strtotime(char *str, isc_int64_t now, isc_int64_t base) { return ((isc_stdtime_t) val); } + +dns_rdataclass_t +strtoclass(const char *str) { + isc_textregion_t r; + dns_rdataclass_t rdclass; + isc_result_t ret; + + if (str == NULL) + return dns_rdataclass_in; + DE_CONST(str, r.base); + r.length = strlen(str); + ret = dns_rdataclass_fromtext(&rdclass, &r); + if (ret != ISC_R_SUCCESS) + fatal("unknown class %s", str); + return (rdclass); +} diff --git a/usr.sbin/bind/bin/named/client.c b/usr.sbin/bind/bin/named/client.c index edb4af4f5f8..b71e02f8025 100644 --- a/usr.sbin/bind/bin/named/client.c +++ b/usr.sbin/bind/bin/named/client.c @@ -1,21 +1,21 @@ /* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: client.c,v 1.176.2.13 2003/07/18 06:14:30 marka Exp $ */ +/* $ISC: client.c,v 1.176.2.13.4.22 2004/07/23 02:56:51 marka Exp $ */ #include <config.h> @@ -33,6 +33,8 @@ #include <dns/dispatch.h> #include <dns/events.h> #include <dns/message.h> +#include <dns/rcode.h> +#include <dns/resolver.h> #include <dns/rdata.h> #include <dns/rdataclass.h> #include <dns/rdatalist.h> @@ -95,6 +97,7 @@ struct ns_clientmgr { /* Locked by lock. */ isc_boolean_t exiting; client_list_t active; /* Active clients */ + client_list_t recursing; /* Recursing clients */ client_list_t inactive; /* To be recycled */ }; @@ -150,7 +153,7 @@ struct ns_clientmgr { #define NS_CLIENTSTATE_WORKING 4 /* * The client object has received a request and is working - * on it. It has a view, and it may have any of a non-reset OPT, + * on it. It has a view, and it may have any of a non-reset OPT, * recursion quota, and an outstanding write request. */ @@ -174,6 +177,27 @@ static void client_request(isc_task_t *task, isc_event_t *event); static void ns_client_dumpmessage(ns_client_t *client, const char *reason); void +ns_client_recursing(ns_client_t *client, isc_boolean_t killoldest) { + ns_client_t *oldest; + REQUIRE(NS_CLIENT_VALID(client)); + + LOCK(&client->manager->lock); + if (killoldest) { + oldest = ISC_LIST_HEAD(client->manager->recursing); + if (oldest != NULL) { + ns_query_cancel(oldest); + ISC_LIST_UNLINK(*oldest->list, oldest, link); + ISC_LIST_APPEND(client->manager->active, oldest, link); + oldest->list = &client->manager->active; + } + } + ISC_LIST_UNLINK(*client->list, client, link); + ISC_LIST_APPEND(client->manager->recursing, client, link); + client->list = &client->manager->recursing; + UNLOCK(&client->manager->lock); +} + +void ns_client_settimeout(ns_client_t *client, unsigned int seconds) { isc_result_t result; isc_interval_t interval; @@ -218,13 +242,20 @@ exit_check(ns_client_t *client) { * - The client does not detach from the view until references is zero * - references does not go to zero until the resolver has shut down * + * Keep the view attached until any outstanding updates complete. */ - if (client->newstate == NS_CLIENTSTATE_FREED && client->view != NULL) + if (client->nupdates == 0 && + client->newstate == NS_CLIENTSTATE_FREED && client->view != NULL) dns_view_detach(&client->view); if (client->state == NS_CLIENTSTATE_WORKING) { INSIST(client->newstate <= NS_CLIENTSTATE_READING); /* + * Let the update processing complete. + */ + if (client->nupdates > 0) + return (ISC_TRUE); + /* * We are trying to abort request processing. */ if (client->nsends > 0) { @@ -288,9 +319,9 @@ exit_check(ns_client_t *client) { isc_quota_detach(&client->tcpquota); if (client->timerset) { - (void) isc_timer_reset(client->timer, - isc_timertype_inactive, - NULL, NULL, ISC_TRUE); + (void)isc_timer_reset(client->timer, + isc_timertype_inactive, + NULL, NULL, ISC_TRUE); client->timerset = ISC_FALSE; } @@ -423,7 +454,8 @@ exit_check(ns_client_t *client) { client->list = NULL; if (manager->exiting && ISC_LIST_EMPTY(manager->active) && - ISC_LIST_EMPTY(manager->inactive)) + ISC_LIST_EMPTY(manager->inactive) && + ISC_LIST_EMPTY(manager->recursing)) destroy_manager = manager; } /* @@ -512,13 +544,13 @@ client_shutdown(isc_task_t *task, isc_event_t *event) { (void)exit_check(client); } - static void ns_client_endrequest(ns_client_t *client) { INSIST(client->naccepts == 0); INSIST(client->nreads == 0); INSIST(client->nsends == 0); INSIST(client->nrecvs == 0); + INSIST(client->nupdates == 0); INSIST(client->state == NS_CLIENTSTATE_WORKING); CTRACE("endrequest"); @@ -611,7 +643,7 @@ ns_client_next(ns_client_t *client, isc_result_t result) { if (client->newstate > newstate) client->newstate = newstate; - (void) exit_check(client); + (void)exit_check(client); } @@ -741,7 +773,8 @@ client_sendpkg(ns_client_t *client, isc_buffer_t *buffer) { sockflags |= ISC_SOCKFLAG_NORETRY; } - if ((client->attributes & NS_CLIENTATTR_PKTINFO) != 0) + if ((client->attributes & NS_CLIENTATTR_PKTINFO) != 0 && + (client->attributes & NS_CLIENTATTR_MULTICAST) == 0) pktinfo = &client->pktinfo; else pktinfo = NULL; @@ -819,6 +852,8 @@ ns_client_send(ns_client_t *client) { dns_compress_t cctx; isc_boolean_t cleanup_cctx = ISC_FALSE; unsigned char sendbuf[SEND_BUFFER_SIZE]; + unsigned int dnssec_opts; + unsigned int preferred_glue; REQUIRE(NS_CLIENT_VALID(client)); @@ -827,6 +862,19 @@ ns_client_send(ns_client_t *client) { if ((client->attributes & NS_CLIENTATTR_RA) != 0) client->message->flags |= DNS_MESSAGEFLAG_RA; + if ((client->attributes & NS_CLIENTATTR_WANTDNSSEC) != 0) + dnssec_opts = 0; + else + dnssec_opts = DNS_MESSAGERENDER_OMITDNSSEC; + + preferred_glue = 0; + if (client->view != NULL) { + if (client->view->preferred_glue == dns_rdatatype_a) + preferred_glue = DNS_MESSAGERENDER_PREFER_A; + else if (client->view->preferred_glue == dns_rdatatype_aaaa) + preferred_glue = DNS_MESSAGERENDER_PREFER_AAAA; + } + /* * XXXRTH The following doesn't deal with TCP buffer resizing. */ @@ -862,7 +910,8 @@ ns_client_send(ns_client_t *client) { goto done; result = dns_message_rendersection(client->message, DNS_SECTION_ANSWER, - DNS_MESSAGERENDER_PARTIAL); + DNS_MESSAGERENDER_PARTIAL | + dnssec_opts); if (result == ISC_R_NOSPACE) { client->message->flags |= DNS_MESSAGEFLAG_TC; goto renderend; @@ -871,7 +920,8 @@ ns_client_send(ns_client_t *client) { goto done; result = dns_message_rendersection(client->message, DNS_SECTION_AUTHORITY, - DNS_MESSAGERENDER_PARTIAL); + DNS_MESSAGERENDER_PARTIAL | + dnssec_opts); if (result == ISC_R_NOSPACE) { client->message->flags |= DNS_MESSAGEFLAG_TC; goto renderend; @@ -879,7 +929,8 @@ ns_client_send(ns_client_t *client) { if (result != ISC_R_SUCCESS) goto done; result = dns_message_rendersection(client->message, - DNS_SECTION_ADDITIONAL, 0); + DNS_SECTION_ADDITIONAL, + preferred_glue | dnssec_opts); if (result != ISC_R_SUCCESS && result != ISC_R_NOSPACE) goto done; renderend: @@ -987,6 +1038,9 @@ client_addopt(ns_client_t *client) { dns_rdatalist_t *rdatalist; dns_rdata_t *rdata; isc_result_t result; + dns_view_t *view; + dns_resolver_t *resolver; + isc_uint16_t udpsize; REQUIRE(client->opt == NULL); /* XXXRTH free old. */ @@ -1010,16 +1064,18 @@ client_addopt(ns_client_t *client) { /* * Set the maximum UDP buffer size. */ - rdatalist->rdclass = RECV_BUFFER_SIZE; + view = client->view; + resolver = (view != NULL) ? view->resolver : NULL; + if (resolver != NULL) + udpsize = dns_resolver_getudpsize(resolver); + else + udpsize = ns_g_udpsize; + rdatalist->rdclass = udpsize; /* - * Set EXTENDED-RCODE, VERSION, and Z to 0. + * Set EXTENDED-RCODE, VERSION and Z to 0. */ -#ifdef ISC_RFC2535 rdatalist->ttl = (client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE); -#else - rdatalist->ttl = 0; -#endif /* * No ENDS options in the default case. @@ -1032,7 +1088,8 @@ client_addopt(ns_client_t *client) { ISC_LIST_INIT(rdatalist->rdata); ISC_LIST_APPEND(rdatalist->rdata, rdata, link); - dns_rdatalist_tordataset(rdatalist, rdataset); + RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset) + == ISC_R_SUCCESS); client->opt = rdataset; @@ -1040,13 +1097,13 @@ client_addopt(ns_client_t *client) { } static inline isc_boolean_t -allowed(isc_netaddr_t *addr, dns_acl_t *acl) { +allowed(isc_netaddr_t *addr, dns_name_t *signer, dns_acl_t *acl) { int match; isc_result_t result; if (acl == NULL) return (ISC_TRUE); - result = dns_acl_match(addr, NULL, acl, &ns_g_server->aclenv, + result = dns_acl_match(addr, signer, acl, &ns_g_server->aclenv, &match, NULL); if (result == ISC_R_SUCCESS && match > 0) return (ISC_TRUE); @@ -1062,7 +1119,7 @@ client_request(isc_task_t *task, isc_event_t *event) { ns_client_t *client; isc_socketevent_t *sevent; isc_result_t result; - isc_result_t sigresult; + isc_result_t sigresult = ISC_R_SUCCESS; isc_buffer_t *buffer; isc_buffer_t tbuffer; dns_view_t *view; @@ -1080,8 +1137,6 @@ client_request(isc_task_t *task, isc_event_t *event) { REQUIRE(NS_CLIENT_VALID(client)); REQUIRE(task == client->task); - UNUSED(task); - INSIST(client->recursionquota == NULL); INSIST(client->state == @@ -1125,7 +1180,7 @@ client_request(isc_task_t *task, isc_event_t *event) { goto cleanup; client->state = client->newstate = NS_CLIENTSTATE_WORKING; - isc_stdtime_get(&client->requesttime); + isc_task_getcurrenttime(task, &client->requesttime); client->now = client->requesttime; if (result != ISC_R_SUCCESS) { @@ -1172,13 +1227,15 @@ client_request(isc_task_t *task, isc_event_t *event) { } } + /* + * Silently drop multicast requests for the present. + * XXXMPA look at when/if mDNS spec stabilizes. + */ if ((client->attributes & NS_CLIENTATTR_MULTICAST) != 0) { ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2), - "multicast request"); -#if 0 - ns_client_error(client, DNS_R_REFUSED); -#endif + "dropping multicast request"); + ns_client_next(client, DNS_R_REFUSED); } result = dns_message_peekheader(buffer, &id, &flags); @@ -1235,6 +1292,10 @@ client_request(isc_task_t *task, isc_event_t *event) { client->message->rcode = dns_rcode_noerror; + /* RFC1123 section 6.1.3.2 */ + if ((client->attributes & NS_CLIENTATTR_MULTICAST) != 0) + client->message->flags &= ~DNS_MESSAGEFLAG_RD; + /* * Deal with EDNS. */ @@ -1291,17 +1352,58 @@ client_request(isc_task_t *task, isc_event_t *event) { } /* - * Determine the destination address. For IPv6, we get this from the - * pktinfo structure (if supported). For IPv4, we have to make do with - * the address of the interface where the request was received. + * Determine the destination address. If the receiving interface is + * bound to a specific address, we simply use it regardless of the + * address family. All IPv4 queries should fall into this case. + * Otherwise, if this is a TCP query, get the address from the + * receiving socket (this needs a system call and can be heavy). + * For IPv6 UDP queries, we get this from the pktinfo structure (if + * supported). + * If all the attempts fail (this can happen due to memory shortage, + * etc), we regard this as an error for safety. */ - if (client->interface->addr.type.sa.sa_family == AF_INET6) { - if ((client->attributes & NS_CLIENTATTR_PKTINFO) != 0) - isc_netaddr_fromin6(&destaddr, &client->pktinfo.ipi6_addr); - else - isc_netaddr_any6(&destaddr); - } else { + if ((client->interface->flags & NS_INTERFACEFLAG_ANYADDR) == 0) isc_netaddr_fromsockaddr(&destaddr, &client->interface->addr); + else { + result = ISC_R_FAILURE; + + if (TCP_CLIENT(client)) { + isc_sockaddr_t destsockaddr; + + result = isc_socket_getsockname(client->tcpsocket, + &destsockaddr); + if (result == ISC_R_SUCCESS) + isc_netaddr_fromsockaddr(&destaddr, + &destsockaddr); + } + if (result != ISC_R_SUCCESS && + client->interface->addr.type.sa.sa_family == AF_INET6 && + (client->attributes & NS_CLIENTATTR_PKTINFO) != 0) { + isc_uint32_t zone = 0; + + /* + * XXXJT technically, we should convert the receiving + * interface ID to a proper scope zone ID. However, + * due to the fact there is no standard API for this, + * we only handle link-local addresses and use the + * interface index as link ID. Despite the assumption, + * it should cover most typical cases. + */ + if (IN6_IS_ADDR_LINKLOCAL(&client->pktinfo.ipi6_addr)) + zone = (isc_uint32_t)client->pktinfo.ipi6_ifindex; + + isc_netaddr_fromin6(&destaddr, + &client->pktinfo.ipi6_addr); + isc_netaddr_setzone(&destaddr, zone); + result = ISC_R_SUCCESS; + } + if (result != ISC_R_SUCCESS) { + UNEXPECTED_ERROR(__FILE__, __LINE__, + "failed to get request's " + "destination: %s", + isc_result_totext(result)); + goto cleanup; + } } /* @@ -1313,10 +1415,16 @@ client_request(isc_task_t *task, isc_event_t *event) { if (client->message->rdclass == view->rdclass || client->message->rdclass == dns_rdataclass_any) { - if (allowed(&netaddr, view->matchclients) && - allowed(&destaddr, view->matchdestinations) && - !((flags & DNS_MESSAGEFLAG_RD) == 0 && - view->matchrecursiveonly)) + dns_name_t *tsig = NULL; + sigresult = dns_message_rechecksig(client->message, + view); + if (sigresult == ISC_R_SUCCESS) + tsig = client->message->tsigname; + + if (allowed(&netaddr, tsig, view->matchclients) && + allowed(&destaddr, tsig, view->matchdestinations) && + !((client->message->flags & DNS_MESSAGEFLAG_RD) + == 0 && view->matchrecursiveonly)) { dns_view_attach(view, &client->view); break; @@ -1334,6 +1442,9 @@ client_request(isc_task_t *task, isc_event_t *event) { */ isc_buffer_t b; isc_region_t *r; + + dns_message_resetsig(client->message); + r = dns_message_getrawmessage(client->message); isc_buffer_init(&b, r->base, r->length); isc_buffer_add(&b, r->length); @@ -1359,7 +1470,6 @@ client_request(isc_task_t *task, isc_event_t *event) { * not. We do not log the lack of a signature unless we are * debugging. */ - sigresult = dns_message_checksig(client->message, client->view); client->signer = NULL; dns_name_init(&client->signername, NULL); result = dns_message_signer(client->message, &client->signername); @@ -1377,11 +1487,29 @@ client_request(isc_task_t *task, isc_event_t *event) { NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), "request is signed by a nonauthoritative key"); } else { + char tsigrcode[64]; + isc_buffer_t b; + dns_name_t *name = NULL; + + isc_buffer_init(&b, tsigrcode, sizeof(tsigrcode) - 1); + RUNTIME_CHECK(dns_tsigrcode_totext(client->message->tsigstatus, + &b) == ISC_R_SUCCESS); + tsigrcode[isc_buffer_usedlength(&b)] = '\0'; /* There is a signature, but it is bad. */ - ns_client_log(client, DNS_LOGCATEGORY_SECURITY, - NS_LOGMODULE_CLIENT, ISC_LOG_ERROR, - "request has invalid signature: %s", - isc_result_totext(result)); + if (dns_message_gettsig(client->message, &name) != NULL) { + char namebuf[DNS_NAME_FORMATSIZE]; + dns_name_format(name, namebuf, sizeof(namebuf)); + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_CLIENT, ISC_LOG_ERROR, + "request has invalid signature: " + "TSIG %s: %s (%s)", namebuf, + isc_result_totext(result), tsigrcode); + } else { + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_CLIENT, ISC_LOG_ERROR, + "request has invalid signature: %s (%s)", + isc_result_totext(result), tsigrcode); + } /* * Accept update messages signed by unknown keys so that * update forwarding works transparently through slaves @@ -1403,15 +1531,17 @@ client_request(isc_task_t *task, isc_event_t *event) { ra = ISC_FALSE; if (client->view->resolver != NULL && client->view->recursion == ISC_TRUE && - /* XXX this will log too much too early */ - ns_client_checkacl(client, "recursion available:", - client->view->recursionacl, - ISC_TRUE, ISC_LOG_DEBUG(1)) == ISC_R_SUCCESS) + ns_client_checkaclsilent(client, client->view->recursionacl, + ISC_TRUE) == ISC_R_SUCCESS) ra = ISC_TRUE; if (ra == ISC_TRUE) client->attributes |= NS_CLIENTATTR_RA; + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_CLIENT, + ISC_LOG_DEBUG(3), ra ? "recursion available" : + "recursion not available"); + /* * Dispatch the request. */ @@ -1469,7 +1599,7 @@ client_timeout(isc_task_t *task, isc_event_t *event) { if (client->newstate > NS_CLIENTSTATE_READY) client->newstate = NS_CLIENTSTATE_READY; - (void) exit_check(client); + (void)exit_check(client); } static isc_result_t @@ -1488,7 +1618,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) REQUIRE(clientp != NULL && *clientp == NULL); - client = isc_mem_get(manager->mctx, sizeof *client); + client = isc_mem_get(manager->mctx, sizeof(*client)); if (client == NULL) return (ISC_R_NOMEMORY); @@ -1549,6 +1679,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) client->nreads = 0; client->nsends = 0; client->nrecvs = 0; + client->nupdates = 0; client->nctls = 0; client->references = 0; client->attributes = 0; @@ -1627,7 +1758,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) isc_task_detach(&client->task); cleanup_client: - isc_mem_put(manager->mctx, client, sizeof *client); + isc_mem_put(manager->mctx, client, sizeof(*client)); return (result); } @@ -1690,8 +1821,8 @@ client_newconn(isc_task_t *task, isc_event_t *event) { client->state = NS_CLIENTSTATE_READING; INSIST(client->recursionquota == NULL); - (void) isc_socket_getpeername(client->tcpsocket, - &client->peeraddr); + (void)isc_socket_getpeername(client->tcpsocket, + &client->peeraddr); client->peeraddr_valid = ISC_TRUE; ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), @@ -1811,7 +1942,7 @@ client_udprecv(ns_client_t *client) { isc_result_totext(result)); /* * This cannot happen in the current implementation, since - * isc_socket_recv2() cannot fail if flags == 0A + * isc_socket_recv2() cannot fail if flags == 0. * * If this does fail, we just go idle. */ @@ -1843,7 +1974,7 @@ ns_client_detach(ns_client_t **clientp) { ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10), "ns_client_detach: ref = %d", client->references); - (void) exit_check(client); + (void)exit_check(client); } isc_boolean_t @@ -1882,12 +2013,13 @@ static void clientmgr_destroy(ns_clientmgr_t *manager) { REQUIRE(ISC_LIST_EMPTY(manager->active)); REQUIRE(ISC_LIST_EMPTY(manager->inactive)); + REQUIRE(ISC_LIST_EMPTY(manager->recursing)); MTRACE("clientmgr_destroy"); DESTROYLOCK(&manager->lock); manager->magic = 0; - isc_mem_put(manager->mctx, manager, sizeof *manager); + isc_mem_put(manager->mctx, manager, sizeof(*manager)); } isc_result_t @@ -1897,7 +2029,7 @@ ns_clientmgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, ns_clientmgr_t *manager; isc_result_t result; - manager = isc_mem_get(mctx, sizeof *manager); + manager = isc_mem_get(mctx, sizeof(*manager)); if (manager == NULL) return (ISC_R_NOMEMORY); @@ -1911,6 +2043,7 @@ ns_clientmgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, manager->exiting = ISC_FALSE; ISC_LIST_INIT(manager->active); ISC_LIST_INIT(manager->inactive); + ISC_LIST_INIT(manager->recursing); manager->magic = MANAGER_MAGIC; MTRACE("create"); @@ -1920,7 +2053,7 @@ ns_clientmgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, return (ISC_R_SUCCESS); cleanup_manager: - isc_mem_put(manager->mctx, manager, sizeof *manager); + isc_mem_put(manager->mctx, manager, sizeof(*manager)); return (result); } @@ -1941,6 +2074,11 @@ ns_clientmgr_destroy(ns_clientmgr_t **managerp) { manager->exiting = ISC_TRUE; + for (client = ISC_LIST_HEAD(manager->recursing); + client != NULL; + client = ISC_LIST_NEXT(client, link)) + isc_task_shutdown(client->task); + for (client = ISC_LIST_HEAD(manager->active); client != NULL; client = ISC_LIST_NEXT(client, link)) @@ -1952,7 +2090,8 @@ ns_clientmgr_destroy(ns_clientmgr_t **managerp) { isc_task_shutdown(client->task); if (ISC_LIST_EMPTY(manager->active) && - ISC_LIST_EMPTY(manager->inactive)) + ISC_LIST_EMPTY(manager->inactive) && + ISC_LIST_EMPTY(manager->recursing)) need_destroy = ISC_TRUE; UNLOCK(&manager->lock); @@ -2105,23 +2244,25 @@ ns_client_name(ns_client_t *client, char *peerbuf, size_t len) { snprintf(peerbuf, len, "@%p", client); } -static void -ns_client_logv(ns_client_t *client, isc_logcategory_t *category, - isc_logmodule_t *module, int level, const char *fmt, va_list ap) - ISC_FORMAT_PRINTF(5, 0); - -static void +void ns_client_logv(ns_client_t *client, isc_logcategory_t *category, isc_logmodule_t *module, int level, const char *fmt, va_list ap) { char msgbuf[2048]; char peerbuf[ISC_SOCKADDR_FORMATSIZE]; + const char *name = ""; + const char *sep = ""; vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap); - ns_client_name(client, peerbuf, sizeof peerbuf); + ns_client_name(client, peerbuf, sizeof(peerbuf)); + if (client->view != NULL && strcmp(client->view->name, "_bind") != 0 && + strcmp(client->view->name, "_default") != 0) { + name = client->view->name; + sep = ": view "; + } isc_log_write(ns_g_lctx, category, module, level, - "client %s: %s", peerbuf, msgbuf); + "client %s%s%s: %s", peerbuf, sep, name, msgbuf); } void @@ -2139,15 +2280,18 @@ ns_client_log(ns_client_t *client, isc_logcategory_t *category, } void -ns_client_aclmsg(const char *msg, dns_name_t *name, dns_rdataclass_t rdclass, - char *buf, size_t len) +ns_client_aclmsg(const char *msg, dns_name_t *name, dns_rdatatype_t type, + dns_rdataclass_t rdclass, char *buf, size_t len) { char namebuf[DNS_NAME_FORMATSIZE]; + char typebuf[DNS_RDATATYPE_FORMATSIZE]; char classbuf[DNS_RDATACLASS_FORMATSIZE]; dns_name_format(name, namebuf, sizeof(namebuf)); + dns_rdatatype_format(type, typebuf, sizeof(typebuf)); dns_rdataclass_format(rdclass, classbuf, sizeof(classbuf)); - (void)snprintf(buf, len, "%s '%s/%s'", msg, namebuf, classbuf); + (void)snprintf(buf, len, "%s '%s/%s/%s'", msg, namebuf, typebuf, + classbuf); } static void @@ -2184,3 +2328,34 @@ ns_client_dumpmessage(ns_client_t *client, const char *reason) { if (buf != NULL) isc_mem_put(client->mctx, buf, len); } + +void +ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager) { + ns_client_t *client; + char namebuf[DNS_NAME_FORMATSIZE]; + char peerbuf[ISC_SOCKADDR_FORMATSIZE]; + const char *name; + const char *sep; + + REQUIRE(VALID_MANAGER(manager)); + + LOCK(&manager->lock); + client = ISC_LIST_HEAD(manager->recursing); + while (client != NULL) { + ns_client_name(client, peerbuf, sizeof(peerbuf)); + if (client->view != NULL && + strcmp(client->view->name, "_bind") != 0 && + strcmp(client->view->name, "_default") != 0) { + name = client->view->name; + sep = ": view "; + } else { + name = ""; + sep = ""; + } + dns_name_format(client->query.qname, namebuf, sizeof(namebuf)); + fprintf(f, "; client %s%s%s: '%s' requesttime %d\n", + peerbuf, sep, name, namebuf, client->requesttime); + client = ISC_LIST_NEXT(client, link); + } + UNLOCK(&manager->lock); +} diff --git a/usr.sbin/bind/bin/named/config.c b/usr.sbin/bind/bin/named/config.c index 0d8a0deba05..1048dfaa4d1 100644 --- a/usr.sbin/bind/bin/named/config.c +++ b/usr.sbin/bind/bin/named/config.c @@ -1,21 +1,21 @@ /* - * Copyright (C) 2001, 2002 Internet Software Consortium. + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2001-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: config.c,v 1.11.2.4 2002/03/20 20:32:41 marka Exp $ */ +/* $ISC: config.c,v 1.11.2.4.8.28 2004/08/28 05:41:42 marka Exp $ */ #include <config.h> @@ -30,11 +30,12 @@ #include <isc/sockaddr.h> #include <isc/util.h> -#include <isccfg/cfg.h> +#include <isccfg/namedconf.h> #include <dns/fixedname.h> #include <dns/name.h> #include <dns/rdataclass.h> +#include <dns/rdatatype.h> #include <dns/tsig.h> #include <dns/zone.h> @@ -43,14 +44,17 @@ static char defaultconf[] = "\ options {\n\ -# blackhole {none;};\n\ - coresize default;\n\ +# blackhole {none;};\n" +#ifndef WIN32 +" coresize default;\n\ datasize default;\n\ - deallocate-on-exit true;\n\ + files default;\n\ + stacksize default;\n" +#endif +" deallocate-on-exit true;\n\ # directory <none>\n\ dump-file \"named_dump.db\";\n\ fake-iquery no;\n\ - files default;\n\ has-old-clients false;\n\ heartbeat-interval 60;\n\ host-statistics no;\n\ @@ -63,6 +67,7 @@ options {\n\ # named-xfer <obsolete>;\n\ # pid-file \"" NS_LOCALSTATEDIR "/named.pid\"; /* or /lwresd.pid */\n\ port 53;\n\ + recursing-file \"named.recursing\";\n\ " #ifdef PATH_RANDOMDEV "\ @@ -74,10 +79,11 @@ options {\n\ rrset-order {order cyclic;};\n\ serial-queries 20;\n\ serial-query-rate 20;\n\ - stacksize default;\n\ + server-id none;\n\ statistics-file \"named.stats\";\n\ statistics-interval 60;\n\ tcp-clients 100;\n\ + tcp-listen-queue 3;\n\ # tkey-dhkey <none>\n\ # tkey-gssapi-credential <none>\n\ # tkey-domain <none>\n\ @@ -87,13 +93,13 @@ options {\n\ treat-cr-as-space true;\n\ use-id-pool true;\n\ use-ixfr true;\n\ - version \""VERSION"\";\n\ + edns-udp-size 4096;\n\ \n\ /* view */\n\ allow-notify {none;};\n\ allow-update-forwarding {none;};\n\ allow-recursion {any;};\n\ - allow-v6-synthesis {none;};\n\ +# allow-v6-synthesis <obsolete>;\n\ # sortlist <none>\n\ # topology <none>\n\ auth-nxdomain false;\n\ @@ -116,11 +122,13 @@ options {\n\ max-cache-ttl 604800; /* 1 week */\n\ transfer-format many-answers;\n\ max-cache-size 0;\n\ - check-names master ignore;\n\ - check-names slave ignore;\n\ + check-names master fail;\n\ + check-names slave warn;\n\ check-names response ignore;\n\ -\n\ - /* zone */\n\ + dnssec-enable no; /* Make yes for 9.4. */ \n\ +" + +" /* zone */\n\ allow-query {any;};\n\ allow-transfer {any;};\n\ notify yes;\n\ @@ -132,6 +140,8 @@ options {\n\ # max-ixfr-log-size <obsolete>\n\ transfer-source *;\n\ transfer-source-v6 *;\n\ + alt-transfer-source *;\n\ + alt-transfer-source-v6 *;\n\ max-transfer-time-in 120;\n\ max-transfer-time-out 120;\n\ max-transfer-idle-in 60;\n\ @@ -140,9 +150,41 @@ options {\n\ min-retry-time 500;\n\ max-refresh-time 2419200; /* 4 weeks */\n\ min-refresh-time 300;\n\ + multi-master no;\n\ sig-validity-interval 30; /* days */\n\ zone-statistics false;\n\ -};"; + max-journal-size unlimited;\n\ + ixfr-from-differences false;\n\ +};\n\ +" + +"#\n\ +# Zones in the \"_bind\" view are NOT counted is the count of zones.\n\ +#\n\ +view \"_bind\" chaos {\n\ + recursion no;\n\ + notify no;\n\ +\n\ + zone \"version.bind\" chaos {\n\ + type master;\n\ + database \"_builtin version\";\n\ + };\n\ +\n\ + zone \"hostname.bind\" chaos {\n\ + type master;\n\ + database \"_builtin hostname\";\n\ + };\n\ +\n\ + zone \"authors.bind\" chaos {\n\ + type master;\n\ + database \"_builtin authors\";\n\ + };\n\ + zone \"id.server\" chaos {\n\ + type master;\n\ + database \"_builtin id\";\n\ + };\n\ +};\n\ +"; isc_result_t ns_config_parsedefaults(cfg_parser_t *parser, cfg_obj_t **conf) { @@ -154,10 +196,10 @@ ns_config_parsedefaults(cfg_parser_t *parser, cfg_obj_t **conf) { } isc_result_t -ns_config_get(cfg_obj_t **maps, const char* name, cfg_obj_t **obj) { +ns_config_get(cfg_obj_t **maps, const char *name, cfg_obj_t **obj) { int i; - for (i = 0; ; i++) { + for (i = 0;; i++) { if (maps[i] == NULL) return (ISC_R_NOTFOUND); if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS) @@ -165,6 +207,41 @@ ns_config_get(cfg_obj_t **maps, const char* name, cfg_obj_t **obj) { } } +isc_result_t +ns_checknames_get(cfg_obj_t **maps, const char *which, cfg_obj_t **obj) { + cfg_listelt_t *element; + cfg_obj_t *checknames; + cfg_obj_t *type; + cfg_obj_t *value; + int i; + + for (i = 0;; i++) { + if (maps[i] == NULL) + return (ISC_R_NOTFOUND); + checknames = NULL; + if (cfg_map_get(maps[i], "check-names", &checknames) == ISC_R_SUCCESS) { + /* + * Zone map entry is not a list. + */ + if (checknames != NULL && !cfg_obj_islist(checknames)) { + *obj = checknames; + return (ISC_R_SUCCESS); + } + for (element = cfg_list_first(checknames); + element != NULL; + element = cfg_list_next(element)) { + value = cfg_listelt_value(element); + type = cfg_tuple_get(value, "type"); + if (strcasecmp(cfg_obj_asstring(type), which) == 0) { + *obj = cfg_tuple_get(value, "mode"); + return (ISC_R_SUCCESS); + } + } + + } + } +} + int ns_config_listcount(cfg_obj_t *list) { cfg_listelt_t *e; @@ -197,6 +274,27 @@ ns_config_getclass(cfg_obj_t *classobj, dns_rdataclass_t defclass, return (result); } +isc_result_t +ns_config_gettype(cfg_obj_t *typeobj, dns_rdatatype_t deftype, + dns_rdatatype_t *typep) { + char *str; + isc_textregion_t r; + isc_result_t result; + + if (!cfg_obj_isstring(typeobj)) { + *typep = deftype; + return (ISC_R_SUCCESS); + } + str = cfg_obj_asstring(typeobj); + r.base = str; + r.length = strlen(str); + result = dns_rdatatype_fromtext(typep, &r); + if (result != ISC_R_SUCCESS) + cfg_obj_log(typeobj, ns_g_lctx, ISC_LOG_ERROR, + "unknown type '%s'", str); + return (result); +} + dns_zonetype_t ns_config_getzonetype(cfg_obj_t *zonetypeobj) { dns_zonetype_t ztype = dns_zone_none; @@ -228,6 +326,7 @@ ns_config_getiplist(cfg_obj_t *config, cfg_obj_t *list, isc_result_t result; INSIST(addrsp != NULL && *addrsp == NULL); + INSIST(countp != NULL); addrlist = cfg_tuple_get(list, "addresses"); count = ns_config_listcount(addrlist); @@ -280,12 +379,40 @@ ns_config_putiplist(isc_mem_t *mctx, isc_sockaddr_t **addrsp, *addrsp = NULL; } +static isc_result_t +get_masters_def(cfg_obj_t *cctx, char *name, cfg_obj_t **ret) { + isc_result_t result; + cfg_obj_t *masters = NULL; + cfg_listelt_t *elt; + + result = cfg_map_get(cctx, "masters", &masters); + if (result != ISC_R_SUCCESS) + return (result); + for (elt = cfg_list_first(masters); + elt != NULL; + elt = cfg_list_next(elt)) { + cfg_obj_t *list; + const char *listname; + + list = cfg_listelt_value(elt); + listname = cfg_obj_asstring(cfg_tuple_get(list, "name")); + + if (strcasecmp(listname, name) == 0) { + *ret = list; + return (ISC_R_SUCCESS); + } + } + return (ISC_R_NOTFOUND); +} + isc_result_t ns_config_getipandkeylist(cfg_obj_t *config, cfg_obj_t *list, isc_mem_t *mctx, isc_sockaddr_t **addrsp, dns_name_t ***keysp, isc_uint32_t *countp) { - isc_uint32_t count, i = 0; + isc_uint32_t addrcount = 0, keycount = 0, i = 0; + isc_uint32_t listcount = 0, l = 0, j; + isc_uint32_t stackcount = 0, pushed = 0; isc_result_t result; cfg_listelt_t *element; cfg_obj_t *addrlist; @@ -294,12 +421,18 @@ ns_config_getipandkeylist(cfg_obj_t *config, cfg_obj_t *list, isc_mem_t *mctx, dns_fixedname_t fname; isc_sockaddr_t *addrs = NULL; dns_name_t **keys = NULL; + char **lists = NULL; + struct { + cfg_listelt_t *element; + in_port_t port; + } *stack = NULL; - INSIST(addrsp != NULL && *addrsp == NULL); + REQUIRE(addrsp != NULL && *addrsp == NULL); + REQUIRE(keysp != NULL && *keysp == NULL); + REQUIRE(countp != NULL); + newlist: addrlist = cfg_tuple_get(list, "addresses"); - count = ns_config_listcount(addrlist); - portobj = cfg_tuple_get(list, "port"); if (cfg_obj_isuint32(portobj)) { isc_uint32_t val = cfg_obj_asuint32(portobj); @@ -317,35 +450,126 @@ ns_config_getipandkeylist(cfg_obj_t *config, cfg_obj_t *list, isc_mem_t *mctx, result = ISC_R_NOMEMORY; - addrs = isc_mem_get(mctx, count * sizeof(isc_sockaddr_t)); - if (addrs == NULL) - goto cleanup; - - keys = isc_mem_get(mctx, count * sizeof(dns_name_t *)); - if (keys == NULL) - goto cleanup; - - for (element = cfg_list_first(addrlist); + element = cfg_list_first(addrlist); + resume: + for ( ; element != NULL; - element = cfg_list_next(element), i++) + element = cfg_list_next(element)) { cfg_obj_t *addr; cfg_obj_t *key; char *keystr; isc_buffer_t b; - INSIST(i < count); - - addr = cfg_tuple_get(cfg_listelt_value(element), "sockaddr"); + addr = cfg_tuple_get(cfg_listelt_value(element), + "masterselement"); key = cfg_tuple_get(cfg_listelt_value(element), "key"); + if (!cfg_obj_issockaddr(addr)) { + char *listname = cfg_obj_asstring(addr); + isc_result_t tresult; + + /* Grow lists? */ + if (listcount == l) { + void * new; + isc_uint32_t newlen = listcount + 16; + size_t newsize, oldsize; + + newsize = newlen * sizeof(*lists); + oldsize = listcount * sizeof(*lists); + new = isc_mem_get(mctx, newsize); + if (new == NULL) + goto cleanup; + if (listcount != 0) { + memcpy(new, lists, oldsize); + isc_mem_put(mctx, lists, oldsize); + } + lists = new; + listcount = newlen; + } + /* Seen? */ + for (j = 0; j < l; j++) + if (strcasecmp(lists[j], listname) == 0) + break; + if (j < l) + continue; + tresult = get_masters_def(config, listname, &list); + if (tresult == ISC_R_NOTFOUND) { + cfg_obj_log(addr, ns_g_lctx, ISC_LOG_ERROR, + "masters \"%s\" not found", listname); + + result = tresult; + goto cleanup; + } + if (tresult != ISC_R_SUCCESS) + goto cleanup; + lists[l++] = listname; + /* Grow stack? */ + if (stackcount == pushed) { + void * new; + isc_uint32_t newlen = stackcount + 16; + size_t newsize, oldsize; + + newsize = newlen * sizeof(*stack); + oldsize = stackcount * sizeof(*stack); + new = isc_mem_get(mctx, newsize); + if (new == NULL) + goto cleanup; + if (stackcount != 0) { + memcpy(new, stack, oldsize); + isc_mem_put(mctx, stack, oldsize); + } + stack = new; + stackcount = newlen; + } + /* + * We want to resume processing this list on the + * next element. + */ + stack[pushed].element = cfg_list_next(element); + stack[pushed].port = port; + pushed++; + goto newlist; + } + + if (i == addrcount) { + void * new; + isc_uint32_t newlen = addrcount + 16; + size_t newsize, oldsize; + + newsize = newlen * sizeof(isc_sockaddr_t); + oldsize = addrcount * sizeof(isc_sockaddr_t); + new = isc_mem_get(mctx, newsize); + if (new == NULL) + goto cleanup; + if (addrcount != 0) { + memcpy(new, addrs, oldsize); + isc_mem_put(mctx, addrs, oldsize); + } + addrs = new; + addrcount = newlen; + + newsize = newlen * sizeof(dns_name_t *); + oldsize = keycount * sizeof(dns_name_t *); + new = isc_mem_get(mctx, newsize); + if (new == NULL) + goto cleanup; + if (keycount != 0) { + memcpy(new, keys, newsize); + isc_mem_put(mctx, keys, newsize); + } + keys = new; + keycount = newlen; + } + addrs[i] = *cfg_obj_assockaddr(addr); if (isc_sockaddr_getport(&addrs[i]) == 0) isc_sockaddr_setport(&addrs[i], port); - keys[i] = NULL; - if (!cfg_obj_isstring(key)) + if (!cfg_obj_isstring(key)) { + i++; continue; + } keys[i] = isc_mem_get(mctx, sizeof(dns_name_t)); if (keys[i] == NULL) goto cleanup; @@ -363,29 +587,75 @@ ns_config_getipandkeylist(cfg_obj_t *config, cfg_obj_t *list, isc_mem_t *mctx, keys[i]); if (result != ISC_R_SUCCESS) goto cleanup; + i++; + } + if (pushed != 0) { + pushed--; + element = stack[pushed].element; + port = stack[pushed].port; + goto resume; + } + if (i < addrcount) { + void * new; + size_t newsize, oldsize; + + newsize = i * sizeof(isc_sockaddr_t); + oldsize = addrcount * sizeof(isc_sockaddr_t); + if (i != 0) { + new = isc_mem_get(mctx, newsize); + if (new == NULL) + goto cleanup; + memcpy(new, addrs, newsize); + isc_mem_put(mctx, addrs, oldsize); + } else + new = NULL; + addrs = new; + addrcount = i; + + newsize = i * sizeof(dns_name_t *); + oldsize = keycount * sizeof(dns_name_t *); + if (i != 0) { + new = isc_mem_get(mctx, newsize); + if (new == NULL) + goto cleanup; + memcpy(new, keys, newsize); + isc_mem_put(mctx, keys, oldsize); + } else + new = NULL; + keys = new; + keycount = i; } - INSIST(i == count); + + if (lists != NULL) + isc_mem_put(mctx, lists, listcount * sizeof(*lists)); + if (stack != NULL) + isc_mem_put(mctx, stack, stackcount * sizeof(*stack)); + + INSIST(keycount == addrcount); *addrsp = addrs; *keysp = keys; - *countp = count; + *countp = addrcount; return (ISC_R_SUCCESS); cleanup: if (addrs != NULL) - isc_mem_put(mctx, addrs, count * sizeof(isc_sockaddr_t)); + isc_mem_put(mctx, addrs, addrcount * sizeof(isc_sockaddr_t)); if (keys != NULL) { - unsigned int j; - for (j = 0 ; j <= i; j++) { + for (j = 0; j <= i; j++) { if (keys[j] == NULL) continue; if (dns_name_dynamic(keys[j])) dns_name_free(keys[j], mctx); isc_mem_put(mctx, keys[j], sizeof(dns_name_t)); } - isc_mem_put(mctx, keys, count * sizeof(dns_name_t *)); + isc_mem_put(mctx, keys, keycount * sizeof(dns_name_t *)); } + if (lists != NULL) + isc_mem_put(mctx, lists, listcount * sizeof(*lists)); + if (stack != NULL) + isc_mem_put(mctx, stack, stackcount * sizeof(*stack)); return (result); } @@ -419,7 +689,7 @@ ns_config_getport(cfg_obj_t *config, in_port_t *portp) { isc_result_t result; int i; - cfg_map_get(config, "options", &options); + (void)cfg_map_get(config, "options", &options); i = 0; if (options != NULL) maps[i++] = options; diff --git a/usr.sbin/bind/bin/named/control.c b/usr.sbin/bind/bin/named/control.c index c7ab6ec8ff8..91a25027e47 100644 --- a/usr.sbin/bind/bin/named/control.c +++ b/usr.sbin/bind/bin/named/control.c @@ -1,21 +1,21 @@ /* - * Copyright (C) 2001, 2003 Internet Software Consortium. + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2001-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: control.c,v 1.7.2.2 2003/07/22 04:03:33 marka Exp $ */ +/* $ISC: control.c,v 1.7.2.2.2.10.4.1 2004/09/20 01:00:00 marka Exp $ */ #include <config.h> @@ -24,14 +24,18 @@ #include <isc/app.h> #include <isc/event.h> #include <isc/mem.h> +#include <isc/timer.h> #include <isc/util.h> +#include <dns/result.h> + #include <isccc/alist.h> #include <isccc/cc.h> #include <isccc/result.h> #include <named/control.h> #include <named/log.h> +#include <named/os.h> #include <named/server.h> static isc_boolean_t @@ -80,17 +84,21 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) { * Compare the 'command' parameter against all known control commands. */ if (command_compare(command, NS_COMMAND_RELOAD)) { - result = ns_server_reloadcommand(ns_g_server, command); + result = ns_server_reloadcommand(ns_g_server, command, text); } else if (command_compare(command, NS_COMMAND_RECONFIG)) { result = ns_server_reconfigcommand(ns_g_server, command); } else if (command_compare(command, NS_COMMAND_REFRESH)) { - result = ns_server_refreshcommand(ns_g_server, command); + result = ns_server_refreshcommand(ns_g_server, command, text); + } else if (command_compare(command, NS_COMMAND_RETRANSFER)) { + result = ns_server_retransfercommand(ns_g_server, command); } else if (command_compare(command, NS_COMMAND_HALT)) { ns_server_flushonshutdown(ns_g_server, ISC_FALSE); + ns_os_shutdownmsg(command, text); isc_app_shutdown(); result = ISC_R_SUCCESS; } else if (command_compare(command, NS_COMMAND_STOP)) { ns_server_flushonshutdown(ns_g_server, ISC_TRUE); + ns_os_shutdownmsg(command, text); isc_app_shutdown(); result = ISC_R_SUCCESS; } else if (command_compare(command, NS_COMMAND_DUMPSTATS)) { @@ -98,7 +106,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) { } else if (command_compare(command, NS_COMMAND_QUERYLOG)) { result = ns_server_togglequerylog(ns_g_server); } else if (command_compare(command, NS_COMMAND_DUMPDB)) { - ns_server_dumpdb(ns_g_server); + ns_server_dumpdb(ns_g_server, command); result = ISC_R_SUCCESS; } else if (command_compare(command, NS_COMMAND_TRACE)) { result = ns_server_setdebuglevel(ns_g_server, command); @@ -108,8 +116,17 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) { result = ISC_R_SUCCESS; } else if (command_compare(command, NS_COMMAND_FLUSH)) { result = ns_server_flushcache(ns_g_server, command); + } else if (command_compare(command, NS_COMMAND_FLUSHNAME)) { + result = ns_server_flushname(ns_g_server, command); } else if (command_compare(command, NS_COMMAND_STATUS)) { result = ns_server_status(ns_g_server, text); + } else if (command_compare(command, NS_COMMAND_FREEZE)) { + result = ns_server_freeze(ns_g_server, ISC_TRUE, command); + } else if (command_compare(command, NS_COMMAND_UNFREEZE) || + command_compare(command, NS_COMMAND_THAW)) { + result = ns_server_freeze(ns_g_server, ISC_FALSE, command); + } else if (command_compare(command, NS_COMMAND_RECURSING)) { + result = ns_server_dumprecursing(ns_g_server); } else if (command_compare(command, NS_COMMAND_NULL)) { result = ISC_R_SUCCESS; } else { @@ -117,7 +134,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) { NS_LOGMODULE_CONTROL, ISC_LOG_WARNING, "unknown control channel command '%s'", command); - result = ISC_R_NOTIMPLEMENTED; + result = DNS_R_UNKNOWNCOMMAND; } return (result); diff --git a/usr.sbin/bind/bin/named/controlconf.c b/usr.sbin/bind/bin/named/controlconf.c index cb2f951aee4..788c175f0cb 100644 --- a/usr.sbin/bind/bin/named/controlconf.c +++ b/usr.sbin/bind/bin/named/controlconf.c @@ -1,43 +1,40 @@ /* - * Copyright (C) 2001, 2003 Internet Software Consortium. + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2001-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: controlconf.c,v 1.28.2.9 2003/07/22 04:03:33 marka Exp $ */ +/* $ISC: controlconf.c,v 1.28.2.9.2.6 2004/03/08 09:04:14 marka Exp $ */ #include <config.h> #include <isc/base64.h> #include <isc/buffer.h> #include <isc/event.h> -#include <isc/file.h> -#include <isc/fsaccess.h> #include <isc/mem.h> #include <isc/net.h> #include <isc/netaddr.h> -#include <isc/print.h> #include <isc/random.h> #include <isc/result.h> -#include <isc/stdio.h> #include <isc/stdtime.h> #include <isc/string.h> #include <isc/timer.h> #include <isc/util.h> -#include <isccfg/cfg.h> -#include <isccfg/check.h> +#include <isccfg/namedconf.h> + +#include <bind9/check.h> #include <isccc/alist.h> #include <isccc/cc.h> @@ -48,11 +45,8 @@ #include <isccc/symtab.h> #include <isccc/util.h> -#include <dns/keyvalues.h> #include <dns/result.h> -#include <dst/dst.h> - #include <named/config.h> #include <named/control.h> #include <named/log.h> @@ -835,7 +829,7 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) { if (keyid->keyname == NULL) CHECK(ISC_R_NOMEMORY); - CHECK(cfg_check_key(key, ns_g_lctx)); + CHECK(bind9_check_key(key, ns_g_lctx)); (void)cfg_map_get(key, "algorithm", &algobj); (void)cfg_map_get(key, "secret", &secretobj); diff --git a/usr.sbin/bind/bin/named/include/named/control.h b/usr.sbin/bind/bin/named/include/named/control.h index fff0ea0ae4e..5f594b24fa1 100644 --- a/usr.sbin/bind/bin/named/include/named/control.h +++ b/usr.sbin/bind/bin/named/include/named/control.h @@ -1,21 +1,21 @@ /* - * Copyright (C) 2001, 2003 Internet Software Consortium. + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2001-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: control.h,v 1.6.2.2 2003/07/22 04:03:35 marka Exp $ */ +/* $ISC: control.h,v 1.6.2.2.2.6.6.1 2004/09/20 01:00:01 marka Exp $ */ #ifndef NAMED_CONTROL_H #define NAMED_CONTROL_H 1 @@ -36,13 +36,19 @@ #define NS_COMMAND_RELOAD "reload" #define NS_COMMAND_RECONFIG "reconfig" #define NS_COMMAND_REFRESH "refresh" +#define NS_COMMAND_RETRANSFER "retransfer" #define NS_COMMAND_DUMPSTATS "stats" #define NS_COMMAND_QUERYLOG "querylog" #define NS_COMMAND_DUMPDB "dumpdb" #define NS_COMMAND_TRACE "trace" #define NS_COMMAND_NOTRACE "notrace" #define NS_COMMAND_FLUSH "flush" +#define NS_COMMAND_FLUSHNAME "flushname" #define NS_COMMAND_STATUS "status" +#define NS_COMMAND_FREEZE "freeze" +#define NS_COMMAND_UNFREEZE "unfreeze" +#define NS_COMMAND_THAW "thaw" +#define NS_COMMAND_RECURSING "recursing" #define NS_COMMAND_NULL "null" isc_result_t diff --git a/usr.sbin/bind/bin/named/include/named/globals.h b/usr.sbin/bind/bin/named/include/named/globals.h index c114c883a21..157f0e44bc2 100644 --- a/usr.sbin/bind/bin/named/include/named/globals.h +++ b/usr.sbin/bind/bin/named/include/named/globals.h @@ -1,21 +1,21 @@ /* - * Copyright (C) 1999-2001 Internet Software Consortium. + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: globals.h,v 1.59 2001/08/08 20:37:31 gson Exp $ */ +/* $ISC: globals.h,v 1.59.68.5 2004/03/08 04:04:20 marka Exp $ */ #ifndef NAMED_GLOBALS_H #define NAMED_GLOBALS_H 1 @@ -46,6 +46,7 @@ EXTERN isc_taskmgr_t * ns_g_taskmgr INIT(NULL); EXTERN dns_dispatchmgr_t * ns_g_dispatchmgr INIT(NULL); EXTERN isc_entropy_t * ns_g_entropy INIT(NULL); EXTERN isc_entropy_t * ns_g_fallbackentropy INIT(NULL); + /* * XXXRTH We're going to want multiple timer managers eventually. One * for really short timers, another for client timers, and one @@ -85,6 +86,7 @@ EXTERN const char * lwresd_g_resolvconffile INIT("/etc" "/resolv.conf"); EXTERN isc_boolean_t ns_g_conffileset INIT(ISC_FALSE); EXTERN isc_boolean_t lwresd_g_useresolvconf INIT(ISC_FALSE); +EXTERN isc_uint16_t ns_g_udpsize INIT(4096); /* * Initial resource limits. @@ -110,6 +112,8 @@ EXTERN const char * ns_g_pidfile INIT(NS_LOCALSTATEDIR "/run/named.pid"); EXTERN const char * ns_g_username INIT("named"); +EXTERN int ns_g_listen INIT(3); + #undef EXTERN #undef INIT diff --git a/usr.sbin/bind/bin/named/interfacemgr.c b/usr.sbin/bind/bin/named/interfacemgr.c index 80b9342c96b..8f36666fc48 100644 --- a/usr.sbin/bind/bin/named/interfacemgr.c +++ b/usr.sbin/bind/bin/named/interfacemgr.c @@ -1,21 +1,21 @@ /* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: interfacemgr.c,v 1.59.2.5 2002/02/08 03:57:10 marka Exp $ */ +/* $ISC: interfacemgr.c,v 1.59.2.5.8.15 2004/08/10 04:56:23 jinmei Exp $ */ #include <config.h> @@ -119,7 +119,7 @@ ns_interfacemgr_destroy(ns_interfacemgr_t *mgr) { ns_listenlist_detach(&mgr->listenon6); DESTROYLOCK(&mgr->lock); mgr->magic = 0; - isc_mem_put(mgr->mctx, mgr, sizeof *mgr); + isc_mem_put(mgr->mctx, mgr, sizeof(*mgr)); } dns_aclenv_t * @@ -293,6 +293,9 @@ ns_interface_accepttcp(ns_interface_t *ifp) { isc_result_totext(result)); goto tcp_socket_failure; } +#ifndef ISC_ALLOW_MAPPED + isc_socket_ipv6only(ifp->tcpsocket, ISC_TRUE); +#endif result = isc_socket_bind(ifp->tcpsocket, &ifp->addr); if (result != ISC_R_SUCCESS) { isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR, @@ -300,7 +303,7 @@ ns_interface_accepttcp(ns_interface_t *ifp) { isc_result_totext(result)); goto tcp_bind_failure; } - result = isc_socket_listen(ifp->tcpsocket, 3); + result = isc_socket_listen(ifp->tcpsocket, ns_g_listen); if (result != ISC_R_SUCCESS) { isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR, "listening on TCP socket: %s", @@ -308,6 +311,12 @@ ns_interface_accepttcp(ns_interface_t *ifp) { goto tcp_listen_failure; } + /* + * If/when there a multiple filters listen to the + * result. + */ + (void)isc_socket_filter(ifp->tcpsocket, "dataready"); + result = ns_clientmgr_createclients(ifp->clientmgr, ifp->ntcptarget, ifp, ISC_TRUE); @@ -329,7 +338,8 @@ ns_interface_accepttcp(ns_interface_t *ifp) { static isc_result_t ns_interface_setup(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, - const char *name, ns_interface_t **ifpret) + const char *name, ns_interface_t **ifpret, + isc_boolean_t accept_tcp) { isc_result_t result; ns_interface_t *ifp = NULL; @@ -343,15 +353,17 @@ ns_interface_setup(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, if (result != ISC_R_SUCCESS) goto cleanup_interface; - result = ns_interface_accepttcp(ifp); - if (result != ISC_R_SUCCESS) { - /* - * XXXRTH We don't currently have a way to easily stop dispatch - * service, so we return currently return ISC_R_SUCCESS (the - * UDP stuff will work even if TCP creation failed). This will - * be fixed later. - */ - result = ISC_R_SUCCESS; + if (accept_tcp == ISC_TRUE) { + result = ns_interface_accepttcp(ifp); + if (result != ISC_R_SUCCESS) { + /* + * XXXRTH We don't currently have a way to easily stop + * dispatch service, so we currently return + * ISC_R_SUCCESS (the UDP stuff will work even if TCP + * creation failed). This will be fixed later. + */ + result = ISC_R_SUCCESS; + } } *ifpret = ifp; return (ISC_R_SUCCESS); @@ -468,73 +480,218 @@ clearacl(isc_mem_t *mctx, dns_acl_t **aclp) { return (ISC_R_SUCCESS); } +static isc_boolean_t +listenon_is_ip6_any(ns_listenelt_t *elt) { + if (elt->acl->length != 1) + return (ISC_FALSE); + if (elt->acl->elements[0].negative == ISC_FALSE && + elt->acl->elements[0].type == dns_aclelementtype_any) + return (ISC_TRUE); /* listen-on-v6 { any; } */ + return (ISC_FALSE); /* All others */ +} + static isc_result_t -do_ipv4(ns_interfacemgr_t *mgr) { +setup_locals(ns_interfacemgr_t *mgr, isc_interface_t *interface) { + isc_result_t result; + dns_aclelement_t elt; + unsigned int family; + unsigned int prefixlen; + + family = interface->address.family; + + elt.type = dns_aclelementtype_ipprefix; + elt.negative = ISC_FALSE; + elt.u.ip_prefix.address = interface->address; + elt.u.ip_prefix.prefixlen = (family == AF_INET) ? 32 : 128; + result = dns_acl_appendelement(mgr->aclenv.localhost, &elt); + if (result != ISC_R_SUCCESS) + return (result); + + result = isc_netaddr_masktoprefixlen(&interface->netmask, + &prefixlen); + + /* Non contigious netmasks not allowed by IPv6 arch. */ + if (result != ISC_R_SUCCESS && family == AF_INET6) + return (result); + + if (result != ISC_R_SUCCESS) { + isc_log_write(IFMGR_COMMON_LOGARGS, + ISC_LOG_WARNING, + "omitting IPv4 interface %s from " + "localnets ACL: %s", + interface->name, + isc_result_totext(result)); + } else { + elt.u.ip_prefix.prefixlen = prefixlen; + if (dns_acl_elementmatch(mgr->aclenv.localnets, &elt, + NULL) == ISC_R_NOTFOUND) { + result = dns_acl_appendelement(mgr->aclenv.localnets, + &elt); + if (result != ISC_R_SUCCESS) + return (result); + } + } + + return (ISC_R_SUCCESS); +} + +static isc_result_t +do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, + isc_boolean_t verbose) +{ isc_interfaceiter_t *iter = NULL; + isc_boolean_t scan_ipv4 = ISC_FALSE; + isc_boolean_t scan_ipv6 = ISC_FALSE; + isc_boolean_t adjusting = ISC_FALSE; + isc_boolean_t ipv6only = ISC_TRUE; + isc_boolean_t ipv6pktinfo = ISC_TRUE; isc_result_t result; + isc_netaddr_t zero_address, zero_address6; + ns_listenelt_t *le; + isc_sockaddr_t listen_addr; + ns_interface_t *ifp; + isc_boolean_t log_explicit = ISC_FALSE; + + if (ext_listen != NULL) + adjusting = ISC_TRUE; + + if (isc_net_probeipv6() == ISC_R_SUCCESS) + scan_ipv6 = ISC_TRUE; +#ifdef WANT_IPV6 + else + isc_log_write(IFMGR_COMMON_LOGARGS, + verbose ? ISC_LOG_INFO : ISC_LOG_DEBUG(1), + "no IPv6 interfaces found"); +#endif + + if (isc_net_probeipv4() == ISC_R_SUCCESS) + scan_ipv4 = ISC_TRUE; + else + isc_log_write(IFMGR_COMMON_LOGARGS, + verbose ? ISC_LOG_INFO : ISC_LOG_DEBUG(1), + "no IPv4 interfaces found"); + + /* + * A special, but typical case; listen-on-v6 { any; }. + * When we can make the socket IPv6-only, open a single wildcard + * socket for IPv6 communication. Otherwise, make separate socket + * for each IPv6 address in order to avoid accepting IPv4 packets + * as the form of mapped addresses unintentionally unless explicitly + * allowed. + */ +#ifndef ISC_ALLOW_MAPPED + if (scan_ipv6 == ISC_TRUE && + isc_net_probe_ipv6only() != ISC_R_SUCCESS) { + ipv6only = ISC_FALSE; + log_explicit = ISC_TRUE; + } +#endif + if (scan_ipv6 == ISC_TRUE && + isc_net_probe_ipv6pktinfo() != ISC_R_SUCCESS) { + ipv6pktinfo = ISC_FALSE; + log_explicit = ISC_TRUE; + } + if (scan_ipv6 == ISC_TRUE && ipv6only && ipv6pktinfo) { + for (le = ISC_LIST_HEAD(mgr->listenon6->elts); + le != NULL; + le = ISC_LIST_NEXT(le, link)) { + struct in6_addr in6a; + + if (!listenon_is_ip6_any(le)) + continue; + + in6a = in6addr_any; + isc_sockaddr_fromin6(&listen_addr, &in6a, le->port); + + ifp = find_matching_interface(mgr, &listen_addr); + if (ifp != NULL) { + ifp->generation = mgr->generation; + } else { + isc_log_write(IFMGR_COMMON_LOGARGS, + ISC_LOG_INFO, + "listening on IPv6 " + "interfaces, port %u", + le->port); + result = ns_interface_setup(mgr, &listen_addr, + "<any>", &ifp, + ISC_TRUE); + if (result == ISC_R_SUCCESS) + ifp->flags |= NS_INTERFACEFLAG_ANYADDR; + else + isc_log_write(IFMGR_COMMON_LOGARGS, + ISC_LOG_ERROR, + "listening on all IPv6 " + "interfaces failed"); + /* Continue. */ + } + } + } + + isc_netaddr_any(&zero_address); + isc_netaddr_any6(&zero_address6); result = isc_interfaceiter_create(mgr->mctx, &iter); if (result != ISC_R_SUCCESS) return (result); - result = clearacl(mgr->mctx, &mgr->aclenv.localhost); - if (result != ISC_R_SUCCESS) - goto cleanup_iter; - result = clearacl(mgr->mctx, &mgr->aclenv.localnets); - if (result != ISC_R_SUCCESS) - goto cleanup_iter; + if (adjusting == ISC_FALSE) { + result = clearacl(mgr->mctx, &mgr->aclenv.localhost); + if (result != ISC_R_SUCCESS) + goto cleanup_iter; + result = clearacl(mgr->mctx, &mgr->aclenv.localnets); + if (result != ISC_R_SUCCESS) + goto cleanup_iter; + } for (result = isc_interfaceiter_first(iter); result == ISC_R_SUCCESS; result = isc_interfaceiter_next(iter)) { - ns_interface_t *ifp; isc_interface_t interface; - ns_listenelt_t *le; - dns_aclelement_t elt; - unsigned int prefixlen; + ns_listenlist_t *ll; + unsigned int family; result = isc_interfaceiter_current(iter, &interface); if (result != ISC_R_SUCCESS) break; - if (interface.address.family != AF_INET) + family = interface.address.family; + if (family != AF_INET && family != AF_INET6) continue; - - if ((interface.flags & INTERFACE_F_UP) == 0) + if (scan_ipv4 == ISC_FALSE && family == AF_INET) + continue; + if (scan_ipv6 == ISC_FALSE && family == AF_INET6) continue; - elt.type = dns_aclelementtype_ipprefix; - elt.negative = ISC_FALSE; - elt.u.ip_prefix.address = interface.address; - elt.u.ip_prefix.prefixlen = 32; - result = dns_acl_appendelement(mgr->aclenv.localhost, &elt); - if (result != ISC_R_SUCCESS) - goto ignore_interface; + /* + * Test for the address being nonzero rather than testing + * INTERFACE_F_UP, because on some systems the latter + * follows the media state and we could end up ignoring + * the interface for an entire rescan interval due to + * a temporary media glitch at rescan time. + */ + if (family == AF_INET && + isc_netaddr_equal(&interface.address, &zero_address)) { + continue; + } + if (family == AF_INET6 && + isc_netaddr_equal(&interface.address, &zero_address6)) { + continue; + } - result = isc_netaddr_masktoprefixlen(&interface.netmask, - &prefixlen); - if (result != ISC_R_SUCCESS) { - isc_log_write(IFMGR_COMMON_LOGARGS, - ISC_LOG_WARNING, - "omitting IPv4 interface %s from " - "localnets ACL: %s", - interface.name, - isc_result_totext(result)); - } else { - elt.u.ip_prefix.prefixlen = prefixlen; - /* XXX suppress duplicates */ - result = dns_acl_appendelement(mgr->aclenv.localnets, - &elt); + if (adjusting == ISC_FALSE) { + result = setup_locals(mgr, &interface); if (result != ISC_R_SUCCESS) goto ignore_interface; } - for (le = ISC_LIST_HEAD(mgr->listenon4->elts); + ll = (family == AF_INET) ? mgr->listenon4 : mgr->listenon6; + for (le = ISC_LIST_HEAD(ll->elts); le != NULL; le = ISC_LIST_NEXT(le, link)) { int match; + isc_boolean_t ipv6_wildcard = ISC_FALSE; isc_netaddr_t listen_netaddr; isc_sockaddr_t listen_sockaddr; @@ -542,8 +699,15 @@ do_ipv4(ns_interfacemgr_t *mgr) { * Construct a socket address for this IP/port * combination. */ - isc_netaddr_fromin(&listen_netaddr, - &interface.address.type.in); + if (family == AF_INET) { + isc_netaddr_fromin(&listen_netaddr, + &interface.address.type.in); + } else { + isc_netaddr_fromin6(&listen_netaddr, + &interface.address.type.in6); + isc_netaddr_setzone(&listen_netaddr, + interface.address.zone); + } isc_sockaddr_fromnetaddr(&listen_sockaddr, &listen_netaddr, le->port); @@ -558,28 +722,91 @@ do_ipv4(ns_interfacemgr_t *mgr) { if (match <= 0) continue; + /* + * The case of "any" IPv6 address will require + * special considerations later, so remember it. + */ + if (family == AF_INET6 && ipv6only && ipv6pktinfo && + listenon_is_ip6_any(le)) + ipv6_wildcard = ISC_TRUE; + + /* + * When adjusting interfaces with extra a listening + * list, see if the address matches the extra list. + * If it does, and is also covered by a wildcard + * interface, we need to listen on the address + * explicitly. + */ + if (adjusting == ISC_TRUE) { + ns_listenelt_t *ele; + + match = 0; + for (ele = ISC_LIST_HEAD(ext_listen->elts); + ele != NULL; + ele = ISC_LIST_NEXT(ele, link)) { + dns_acl_match(&listen_netaddr, NULL, + ele->acl, NULL, + &match, NULL); + if (match > 0 && ele->port == le->port) + break; + else + match = 0; + } + if (ipv6_wildcard == ISC_TRUE && match == 0) + continue; + } + ifp = find_matching_interface(mgr, &listen_sockaddr); if (ifp != NULL) { ifp->generation = mgr->generation; } else { char sabuf[ISC_SOCKADDR_FORMATSIZE]; + + if (adjusting == ISC_FALSE && + ipv6_wildcard == ISC_TRUE) + continue; + + if (log_explicit && family == AF_INET6 && + !adjusting && listenon_is_ip6_any(le)) { + isc_log_write(IFMGR_COMMON_LOGARGS, + verbose ? ISC_LOG_INFO : + ISC_LOG_DEBUG(1), + "IPv6 socket API is " + "incomplete; explicitly " + "binding to each IPv6 " + "address separately"); + log_explicit = ISC_FALSE; + } isc_sockaddr_format(&listen_sockaddr, sabuf, sizeof(sabuf)); isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_INFO, - "listening on IPv4 interface " - "%s, %s", interface.name, sabuf); + "%s" + "listening on %s interface " + "%s, %s", + (adjusting == ISC_TRUE) ? + "additionally " : "", + (family == AF_INET) ? + "IPv4" : "IPv6", + interface.name, sabuf); result = ns_interface_setup(mgr, &listen_sockaddr, interface.name, - &ifp); + &ifp, + (adjusting == ISC_TRUE) ? + ISC_FALSE : + ISC_TRUE); + if (result != ISC_R_SUCCESS) { isc_log_write(IFMGR_COMMON_LOGARGS, - ISC_LOG_ERROR, - "creating IPv4 interface %s " - "failed; interface ignored", - interface.name); + ISC_LOG_ERROR, + "creating %s interface " + "%s failed; interface " + "ignored", + (family == AF_INET) ? + "IPv4" : "IPv6", + interface.name); } /* Continue. */ } @@ -590,13 +817,14 @@ do_ipv4(ns_interfacemgr_t *mgr) { ignore_interface: isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR, - "ignoring IPv4 interface %s: %s", + "ignoring %s interface %s: %s", + (family == AF_INET) ? "IPv4" : "IPv6", interface.name, isc_result_totext(result)); continue; } if (result != ISC_R_NOMORE) UNEXPECTED_ERROR(__FILE__, __LINE__, - "IPv4: interface iteration failed: %s", + "interface iteration failed: %s", isc_result_totext(result)); else result = ISC_R_SUCCESS; @@ -605,100 +833,18 @@ do_ipv4(ns_interfacemgr_t *mgr) { return (result); } -static isc_boolean_t -listenon_is_ip6_none(ns_listenelt_t *elt) { - if (elt->acl->length == 0) - return (ISC_TRUE); /* listen-on-v6 { } */ - if (elt->acl->length > 1) - return (ISC_FALSE); /* listen-on-v6 { ...; ...; } */ - if (elt->acl->elements[0].negative == ISC_TRUE && - elt->acl->elements[0].type == dns_aclelementtype_any) - return (ISC_TRUE); /* listen-on-v6 { none; } */ - return (ISC_FALSE); /* All others */ -} - -static isc_boolean_t -listenon_is_ip6_any(ns_listenelt_t *elt) { - if (elt->acl->length != 1) - return (ISC_FALSE); - if (elt->acl->elements[0].negative == ISC_FALSE && - elt->acl->elements[0].type == dns_aclelementtype_any) - return (ISC_TRUE); /* listen-on-v6 { any; } */ - return (ISC_FALSE); /* All others */ -} - -static isc_result_t -do_ipv6(ns_interfacemgr_t *mgr) { - isc_result_t result; - ns_interface_t *ifp; - isc_sockaddr_t listen_addr; - struct in6_addr in6a; - ns_listenelt_t *le; - - for (le = ISC_LIST_HEAD(mgr->listenon6->elts); - le != NULL; - le = ISC_LIST_NEXT(le, link)) - { - if (listenon_is_ip6_none(le)) - continue; - if (! listenon_is_ip6_any(le)) { - isc_log_write(IFMGR_COMMON_LOGARGS, - ISC_LOG_ERROR, - "bad IPv6 listen-on list: " - "must be 'any' or 'none'"); - return (ISC_R_FAILURE); - } - - in6a = in6addr_any; - isc_sockaddr_fromin6(&listen_addr, &in6a, le->port); - - ifp = find_matching_interface(mgr, &listen_addr); - if (ifp != NULL) { - ifp->generation = mgr->generation; - } else { - isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_INFO, - "listening on IPv6 interfaces, port %u", - le->port); - result = ns_interface_setup(mgr, &listen_addr, - "<any>", &ifp); - if (result != ISC_R_SUCCESS) { - isc_log_write(IFMGR_COMMON_LOGARGS, - ISC_LOG_ERROR, - "listening on IPv6 interfaces " - "failed"); - /* Continue. */ - } - } - } - return (ISC_R_SUCCESS); -} - -void -ns_interfacemgr_scan(ns_interfacemgr_t *mgr, isc_boolean_t verbose) { +static void +ns_interfacemgr_scan0(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, + isc_boolean_t verbose) +{ isc_boolean_t purge = ISC_TRUE; REQUIRE(NS_INTERFACEMGR_VALID(mgr)); mgr->generation++; /* Increment the generation count. */ - if (isc_net_probeipv6() == ISC_R_SUCCESS) { - if (do_ipv6(mgr) != ISC_R_SUCCESS) - purge = ISC_FALSE; - } -#ifdef WANT_IPV6 - else - isc_log_write(IFMGR_COMMON_LOGARGS, - verbose ? ISC_LOG_INFO : ISC_LOG_DEBUG(1), - "no IPv6 interfaces found"); -#endif - - if (isc_net_probeipv4() == ISC_R_SUCCESS) { - if (do_ipv4(mgr) != ISC_R_SUCCESS) - purge = ISC_FALSE; - } else - isc_log_write(IFMGR_COMMON_LOGARGS, - verbose ? ISC_LOG_INFO : ISC_LOG_DEBUG(1), - "no IPv4 interfaces found"); + if (do_scan(mgr, ext_listen, verbose) != ISC_R_SUCCESS) + purge = ISC_FALSE; /* * Now go through the interface list and delete anything that @@ -714,9 +860,23 @@ ns_interfacemgr_scan(ns_interfacemgr_t *mgr, isc_boolean_t verbose) { * we're in lwresd-only mode, in which case that is to * be expected. */ - if (ISC_LIST_EMPTY(mgr->interfaces) && ! ns_g_lwresdonly) + if (ext_listen == NULL && + ISC_LIST_EMPTY(mgr->interfaces) && ! ns_g_lwresdonly) { isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_WARNING, "not listening on any interfaces"); + } +} + +void +ns_interfacemgr_scan(ns_interfacemgr_t *mgr, isc_boolean_t verbose) { + ns_interfacemgr_scan0(mgr, NULL, verbose); +} + +void +ns_interfacemgr_adjust(ns_interfacemgr_t *mgr, ns_listenlist_t *list, + isc_boolean_t verbose) +{ + ns_interfacemgr_scan0(mgr, list, verbose); } void @@ -735,3 +895,16 @@ ns_interfacemgr_setlistenon6(ns_interfacemgr_t *mgr, ns_listenlist_t *value) { UNLOCK(&mgr->lock); } +void +ns_interfacemgr_dumprecursing(FILE *f, ns_interfacemgr_t *mgr) { + ns_interface_t *interface; + + LOCK(&mgr->lock); + interface = ISC_LIST_HEAD(mgr->interfaces); + while (interface != NULL) { + if (interface->clientmgr != NULL) + ns_client_dumprecursing(f, interface->clientmgr); + interface = ISC_LIST_NEXT(interface, link); + } + UNLOCK(&mgr->lock); +} diff --git a/usr.sbin/bind/bin/named/lwdgnba.c b/usr.sbin/bind/bin/named/lwdgnba.c index 7b264a298ea..36d13d6c1ac 100644 --- a/usr.sbin/bind/bin/named/lwdgnba.c +++ b/usr.sbin/bind/bin/named/lwdgnba.c @@ -1,21 +1,21 @@ /* - * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000-2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: lwdgnba.c,v 1.13.2.2 2003/10/09 07:32:32 marka Exp $ */ +/* $ISC: lwdgnba.c,v 1.13.2.1.2.5 2004/03/08 04:04:19 marka Exp $ */ #include <config.h> @@ -67,7 +67,7 @@ byaddr_done(isc_task_t *task, isc_event_t *event) { bevent = NULL; if (client->na.family != AF_INET6 || - (client->options & DNS_BYADDROPT_IPV6NIBBLE) == 0) { + (client->options & DNS_BYADDROPT_IPV6INT) != 0) { if (result == DNS_R_NCACHENXDOMAIN || result == DNS_R_NCACHENXRRSET || result == DNS_R_NXDOMAIN || @@ -80,12 +80,10 @@ byaddr_done(isc_task_t *task, isc_event_t *event) { } /* - * Fall back to IP6.INT nibble then IP6.ARPA bitstring. + * Fall back to ip6.int reverse if the default ip6.arpa + * fails. */ - if ((client->options & DNS_BYADDROPT_IPV6INT) == 0) - client->options |= DNS_BYADDROPT_IPV6INT; - else - client->options &= ~DNS_BYADDROPT_IPV6NIBBLE; + client->options |= DNS_BYADDROPT_IPV6INT; start_byaddr(client); return; @@ -182,11 +180,11 @@ init_gnba(ns_lwdclient_t *client) { * Initialize the real name and alias arrays in the reply we're * going to build up. */ - for (i = 0 ; i < LWRES_MAX_ALIASES ; i++) { + for (i = 0; i < LWRES_MAX_ALIASES; i++) { client->aliases[i] = NULL; client->aliaslen[i] = 0; } - for (i = 0 ; i < LWRES_MAX_ADDRS ; i++) { + for (i = 0; i < LWRES_MAX_ADDRS; i++) { client->addrs[i].family = 0; client->addrs[i].length = 0; memset(client->addrs[i].address, 0, LWRES_ADDR_MAXLEN); @@ -223,10 +221,7 @@ ns_lwdclient_processgnba(ns_lwdclient_t *client, lwres_buffer_t *b) { if (req->addr.address == NULL) goto out; - /* - * Start with IP6.ARPA NIBBLE lookups. - */ - client->options = DNS_BYADDROPT_IPV6NIBBLE; + client->options = 0; if (req->addr.family == LWRES_ADDRTYPE_V4) { client->na.family = AF_INET; if (req->addr.length != 4) @@ -255,6 +250,7 @@ ns_lwdclient_processgnba(ns_lwdclient_t *client, lwres_buffer_t *b) { * going to build up. */ init_gnba(client); + client->options = 0; /* * Start the find. diff --git a/usr.sbin/bind/bin/named/lwresd.c b/usr.sbin/bind/bin/named/lwresd.c index 94bf4e141d2..ba5b42cf565 100644 --- a/usr.sbin/bind/bin/named/lwresd.c +++ b/usr.sbin/bind/bin/named/lwresd.c @@ -1,21 +1,21 @@ /* - * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: lwresd.c,v 1.37.2.2 2003/07/22 04:03:34 marka Exp $ */ +/* $ISC: lwresd.c,v 1.37.2.2.2.5 2004/03/08 04:04:19 marka Exp $ */ /* * Main program for the Lightweight Resolver Daemon. @@ -38,7 +38,7 @@ #include <isc/task.h> #include <isc/util.h> -#include <isccfg/cfg.h> +#include <isccfg/namedconf.h> #include <dns/log.h> #include <dns/result.h> @@ -152,7 +152,7 @@ ns_lwresd_parseeresolvconf(isc_mem_t *mctx, cfg_parser_t *pctx, if (lwc->nsnext > 0) { CHECK(buffer_putstr(&b, "\tforwarders {\n")); - for (i = 0 ; i < lwc->nsnext ; i++) { + for (i = 0; i < lwc->nsnext; i++) { CHECK(lwaddr_sockaddr_fromlwresaddr( &sa, &lwc->nameservers[i], @@ -173,7 +173,7 @@ ns_lwresd_parseeresolvconf(isc_mem_t *mctx, cfg_parser_t *pctx, CHECK(buffer_putstr(&b, "\t\t{\n")); CHECK(buffer_putstr(&b, "\t\t\tany;\n")); CHECK(buffer_putstr(&b, "\t\t\t{\n")); - for (i = 0 ; i < lwc->sortlistnxt; i++) { + for (i = 0; i < lwc->sortlistnxt; i++) { lwres_addr_t *lwaddr = &lwc->sortlist[i].addr; lwres_addr_t *lwmask = &lwc->sortlist[i].mask; unsigned int mask; @@ -245,7 +245,7 @@ ns_lwresd_parseeresolvconf(isc_mem_t *mctx, cfg_parser_t *pctx, if (lwc->lwnext > 0) { CHECK(buffer_putstr(&b, "\tlisten-on {\n")); - for (i = 0 ; i < lwc->lwnext ; i++) { + for (i = 0; i < lwc->lwnext; i++) { CHECK(lwaddr_sockaddr_fromlwresaddr(&sa, &lwc->lwservers[i], 0)); @@ -341,7 +341,7 @@ ns_lwdmanager_create(isc_mem_t *mctx, cfg_obj_t *lwres, } searchobj = NULL; - cfg_map_get(lwres, "search", &searchobj); + (void)cfg_map_get(lwres, "search", &searchobj); if (searchobj != NULL) { lwresd->search = NULL; result = ns_lwsearchlist_create(lwresd->mctx, @@ -602,7 +602,7 @@ listener_startclients(ns_lwreslistener_t *listener) { * Create the client managers. */ result = ISC_R_SUCCESS; - for (i = 0 ; i < NTASKS && result == ISC_R_SUCCESS; i++) + for (i = 0; i < NTASKS && result == ISC_R_SUCCESS; i++) result = ns_lwdclientmgr_create(listener, NRECVS, ns_g_taskmgr); @@ -618,7 +618,13 @@ listener_startclients(ns_lwreslistener_t *listener) { LOCK(&listener->lock); cm = ISC_LIST_HEAD(listener->cmgrs); while (cm != NULL) { - ns_lwdclient_startrecv(cm); + result = ns_lwdclient_startrecv(cm); + if (result != ISC_R_SUCCESS) + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_LWRESD, ISC_LOG_ERROR, + "could not start lwres " + "client handler: %s", + isc_result_totext(result)); cm = ISC_LIST_NEXT(cm, link); } UNLOCK(&listener->lock); @@ -785,7 +791,7 @@ ns_lwresd_configure(isc_mem_t *mctx, cfg_obj_t *config) { port = LWRES_UDP_PORT; listenerslist = NULL; - cfg_map_get(lwres, "listen-on", &listenerslist); + (void)cfg_map_get(lwres, "listen-on", &listenerslist); if (listenerslist == NULL) { struct in_addr localhost; isc_sockaddr_t address; diff --git a/usr.sbin/bind/bin/named/lwresd.html b/usr.sbin/bind/bin/named/lwresd.html index 32bfe1c65e0..06b01664ace 100644 --- a/usr.sbin/bind/bin/named/lwresd.html +++ b/usr.sbin/bind/bin/named/lwresd.html @@ -1,27 +1,30 @@ <!-- + - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000, 2001 Internet Software Consortium. - - + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - - - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. --> + +<!-- $ISC: lwresd.html,v 1.4.2.1.4.3 2004/08/22 23:38:59 marka Exp $ --> + +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML ><HEAD ><TITLE >lwresd</TITLE ><META NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.73 -"></HEAD +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD ><BODY CLASS="REFENTRY" BGCOLOR="#FFFFFF" @@ -32,10 +35,10 @@ ALINK="#0000FF" ><H1 ><A NAME="AEN1" +></A ><SPAN CLASS="APPLICATION" >lwresd</SPAN -></A ></H1 ><DIV CLASS="REFNAMEDIV" @@ -59,82 +62,66 @@ NAME="AEN13" ><B CLASS="COMMAND" >lwresd</B -> [<TT +> [<VAR CLASS="OPTION" ->-C <TT +>-C <VAR CLASS="REPLACEABLE" -><I ->config-file</I -></TT -></TT ->] [<TT +>config-file</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-d <TT +>-d <VAR CLASS="REPLACEABLE" -><I ->debug-level</I -></TT -></TT ->] [<TT +>debug-level</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-f</TT ->] [<TT +>-f</VAR +>] [<VAR CLASS="OPTION" ->-g</TT ->] [<TT +>-g</VAR +>] [<VAR CLASS="OPTION" ->-i <TT +>-i <VAR CLASS="REPLACEABLE" -><I ->pid-file</I -></TT -></TT ->] [<TT +>pid-file</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-n <TT +>-n <VAR CLASS="REPLACEABLE" -><I ->#cpus</I -></TT -></TT ->] [<TT +>#cpus</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-P <TT +>-P <VAR CLASS="REPLACEABLE" -><I ->port</I -></TT -></TT ->] [<TT +>port</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-p <TT +>-p <VAR CLASS="REPLACEABLE" -><I ->port</I -></TT -></TT ->] [<TT +>port</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-s</TT ->] [<TT +>-s</VAR +>] [<VAR CLASS="OPTION" ->-t <TT +>-t <VAR CLASS="REPLACEABLE" -><I ->directory</I -></TT -></TT ->] [<TT +>directory</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-u <TT +>-u <VAR CLASS="REPLACEABLE" -><I ->user</I -></TT -></TT ->] [<TT +>user</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-v</TT +>-v</VAR >]</P ></DIV ><DIV @@ -183,18 +170,18 @@ CLASS="COMMAND" CLASS="FILENAME" >/etc/resolv.conf</TT > contains any - <TT + <VAR CLASS="OPTION" ->nameserver</TT +>nameserver</VAR > entries, <B CLASS="COMMAND" >lwresd</B > sends recursive DNS queries to those servers. This is similar to the use of forwarders in a caching name server. If no - <TT + <VAR CLASS="OPTION" ->nameserver</TT +>nameserver</VAR > entries are present, or if forwarding fails, <B CLASS="COMMAND" @@ -217,19 +204,15 @@ NAME="AEN63" CLASS="VARIABLELIST" ><DL ><DT ->-C <TT +>-C <VAR CLASS="REPLACEABLE" -><I ->config-file</I -></TT +>config-file</VAR ></DT ><DD ><P -> Use <TT +> Use <VAR CLASS="REPLACEABLE" -><I ->config-file</I -></TT +>config-file</VAR > as the configuration file instead of the default, <TT @@ -239,19 +222,15 @@ CLASS="FILENAME" </P ></DD ><DT ->-d <TT +>-d <VAR CLASS="REPLACEABLE" -><I ->debug-level</I -></TT +>debug-level</VAR ></DT ><DD ><P -> Set the daemon's debug level to <TT +> Set the daemon's debug level to <VAR CLASS="REPLACEABLE" -><I ->debug-level</I -></TT +>debug-level</VAR >. Debugging traces from <B CLASS="COMMAND" @@ -279,19 +258,15 @@ CLASS="FILENAME" </P ></DD ><DT ->-n <TT +>-n <VAR CLASS="REPLACEABLE" -><I ->#cpus</I -></TT +>#cpus</VAR ></DT ><DD ><P -> Create <TT +> Create <VAR CLASS="REPLACEABLE" -><I ->#cpus</I -></TT +>#cpus</VAR > worker threads to take advantage of multiple CPUs. If not specified, <B @@ -304,38 +279,30 @@ CLASS="COMMAND" </P ></DD ><DT ->-P <TT +>-P <VAR CLASS="REPLACEABLE" -><I ->port</I -></TT +>port</VAR ></DT ><DD ><P > Listen for lightweight resolver queries on port - <TT + <VAR CLASS="REPLACEABLE" -><I ->port</I -></TT +>port</VAR >. If not specified, the default is port 921. </P ></DD ><DT ->-p <TT +>-p <VAR CLASS="REPLACEABLE" -><I ->port</I -></TT +>port</VAR ></DT ><DD ><P -> Send DNS lookups to port <TT +> Send DNS lookups to port <VAR CLASS="REPLACEABLE" -><I ->port</I -></TT +>port</VAR >. If not specified, the default is port 53. This provides a way of testing the lightweight resolver daemon with a @@ -367,22 +334,18 @@ CLASS="NOTE" ></DIV ></DD ><DT ->-t <TT +>-t <VAR CLASS="REPLACEABLE" -><I ->directory</I -></TT +>directory</VAR ></DT ><DD ><P -> <TT +> <CODE CLASS="FUNCTION" ->chroot()</TT -> to <TT +>chroot()</CODE +> to <VAR CLASS="REPLACEABLE" -><I ->directory</I -></TT +>directory</VAR > after processing the command line arguments, but before reading the configuration file. @@ -407,14 +370,14 @@ ALIGN="CENTER" ALIGN="LEFT" ><P > This option should be used in conjunction with the - <TT + <VAR CLASS="OPTION" ->-u</TT +>-u</VAR > option, as chrooting a process running as root doesn't enhance security on most - systems; the way <TT + systems; the way <CODE CLASS="FUNCTION" ->chroot()</TT +>chroot()</CODE > is defined allows a process with root privileges to escape a chroot jail. @@ -425,22 +388,18 @@ CLASS="FUNCTION" ></DIV ></DD ><DT ->-u <TT +>-u <VAR CLASS="REPLACEABLE" -><I ->user</I -></TT +>user</VAR ></DT ><DD ><P -> <TT +> <CODE CLASS="FUNCTION" ->setuid()</TT -> to <TT +>setuid()</CODE +> to <VAR CLASS="REPLACEABLE" -><I ->user</I -></TT +>user</VAR > after completing privileged operations, such as creating sockets that listen on privileged ports. @@ -530,7 +489,7 @@ NAME="AEN162" ><H2 >AUTHOR</H2 ><P -> Internet Software Consortium +> Internet Systems Consortium </P ></DIV ></BODY diff --git a/usr.sbin/bind/bin/named/main.c b/usr.sbin/bind/bin/named/main.c index 0eec853876d..10a7a1e2ddc 100644 --- a/usr.sbin/bind/bin/named/main.c +++ b/usr.sbin/bind/bin/named/main.c @@ -1,21 +1,21 @@ /* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: main.c,v 1.119.2.5 2003/10/09 07:32:33 marka Exp $ */ +/* $ISC: main.c,v 1.119.2.3.2.16 2004/09/01 07:16:35 marka Exp $ */ #include <config.h> @@ -33,6 +33,8 @@ #include <isc/platform.h> #include <isc/privsep.h> #include <isc/resource.h> +#include <isc/stdio.h> +#include <isc/string.h> #include <isc/task.h> #include <isc/timer.h> #include <isc/util.h> @@ -46,12 +48,17 @@ #include <dst/result.h> +#ifdef HAVE_LIBSCF +#include <libscf.h> +#endif + /* * Defining NS_MAIN provides storage declarations (rather than extern) * for variables in named/globals.h. */ #define NS_MAIN 1 +#include <named/builtin.h> #include <named/control.h> #include <named/globals.h> /* Explicit, though named/log.h includes it. */ #include <named/interfacemgr.h> @@ -69,7 +76,8 @@ static isc_boolean_t want_stats = ISC_FALSE; static char program_name[ISC_DIR_NAMEMAX] = "named"; static char absolute_conffile[ISC_DIR_PATHMAX]; -static char saved_command_line[512]; +static char saved_command_line[512]; +static char version[512]; void ns_main_earlywarning(const char *format, ...) { @@ -215,11 +223,12 @@ library_unexpected_error(const char *file, int line, const char *format, static void lwresd_usage(void) { fprintf(stderr, - "usage: lwresd [-c conffile | -C resolvconffile] " - "[-d debuglevel] [-f|-g]\n" - " [-n number_of_cpus] [-p port]" + "usage: lwresd [-4|-6] [-c conffile | -C resolvconffile] " + "[-d debuglevel]\n" + " [-f|-g] [-n number_of_cpus] [-p port] " "[-P listen-port] [-s]\n" - " [-t chrootdir] [-u username] [-i pidfile]\n"); + " [-t chrootdir] [-u username] [-i pidfile]\n" + " [-m {usage|trace|record}]\n"); } static void @@ -229,9 +238,10 @@ usage(void) { return; } fprintf(stderr, - "usage: named [-c conffile] [-d debuglevel] " + "usage: named [-4|-6] [-c conffile] [-d debuglevel] " "[-f|-g] [-n number_of_cpus]\n" - " [-p port] [-s] [-t chrootdir] [-u username] [-i pidfile]\n"); + " [-p port] [-s] [-t chrootdir] [-u username] [-i pidfile]\n" + " [-m {usage|trace|record}]\n"); } static void @@ -292,18 +302,69 @@ parse_int(char *arg, const char *desc) { return (tmp); } +static struct flag_def { + const char *name; + unsigned int value; +} mem_debug_flags[] = { + { "trace", ISC_MEM_DEBUGTRACE }, + { "record", ISC_MEM_DEBUGRECORD }, + { "usage", ISC_MEM_DEBUGUSAGE }, + { NULL, 0 } +}; + +static void +set_flags(const char *arg, struct flag_def *defs, unsigned int *ret) { + for (;;) { + const struct flag_def *def; + const char *end = strchr(arg, ','); + int arglen; + if (end == NULL) + end = arg + strlen(arg); + arglen = end - arg; + for (def = defs; def->name != NULL; def++) { + if (arglen == (int)strlen(def->name) && + memcmp(arg, def->name, arglen) == 0) { + *ret |= def->value; + goto found; + } + } + ns_main_earlyfatal("unrecognized flag '%.*s'", arglen, arg); + found: + if (*end == '\0') + break; + arg = end + 1; + } +} + static void parse_command_line(int argc, char *argv[]) { int ch; int port; + isc_boolean_t disable6 = ISC_FALSE; + isc_boolean_t disable4 = ISC_FALSE; save_command_line(argc, argv); isc_commandline_errprint = ISC_FALSE; while ((ch = isc_commandline_parse(argc, argv, - "c:C:d:fgi:ln:N:p:P:st:u:vx:")) != - -1) { + "46c:C:d:fgi:lm:n:N:p:P:st:u:vx:")) != -1) { switch (ch) { + case '4': + if (disable4) + ns_main_earlyfatal("cannot specify -4 and -6"); + if (isc_net_probeipv4() != ISC_R_SUCCESS) + ns_main_earlyfatal("IPv4 not supported by OS"); + isc_net_disableipv6(); + disable6 = ISC_TRUE; + break; + case '6': + if (disable6) + ns_main_earlyfatal("cannot specify -4 and -6"); + if (isc_net_probeipv6() != ISC_R_SUCCESS) + ns_main_earlyfatal("IPv6 not supported by OS"); + isc_net_disableipv4(); + disable4 = ISC_TRUE; + break; case 'c': ns_g_conffile = isc_commandline_argument; lwresd_g_conffile = isc_commandline_argument; @@ -334,6 +395,10 @@ parse_command_line(int argc, char *argv[]) { case 'l': ns_g_lwresdonly = ISC_TRUE; break; + case 'm': + set_flags(isc_commandline_argument, mem_debug_flags, + &isc_mem_debugging); + break; case 'N': /* Deprecated. */ case 'n': ns_g_cpus = parse_int(isc_commandline_argument, @@ -386,23 +451,26 @@ parse_command_line(int argc, char *argv[]) { usage(); ns_main_earlyfatal("extra command line arguments"); } - - } static isc_result_t create_managers(void) { isc_result_t result; +#ifdef ISC_PLATFORM_USETHREADS + unsigned int cpus_detected; +#endif #ifdef ISC_PLATFORM_USETHREADS + cpus_detected = isc_os_ncpus(); if (ns_g_cpus == 0) - ns_g_cpus = isc_os_ncpus(); + ns_g_cpus = cpus_detected; + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, + ISC_LOG_INFO, "found %u CPU%s, using %u worker thread%s", + cpus_detected, cpus_detected == 1 ? "" : "s", + ns_g_cpus, ns_g_cpus == 1 ? "" : "s"); #else ns_g_cpus = 1; #endif - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, - ISC_LOG_INFO, "using %u CPU%s", - ns_g_cpus, ns_g_cpus == 1 ? "" : "s"); result = isc_taskmgr_create(ns_g_mctx, ns_g_cpus, 0, &ns_g_taskmgr); if (result != ISC_R_SUCCESS) { UNEXPECTED_ERROR(__FILE__, __LINE__, @@ -451,9 +519,9 @@ destroy_managers(void) { ns_lwresd_shutdown(); isc_entropy_detach(&ns_g_entropy); - if (ns_g_fallbackentropy != NULL) { + if (ns_g_fallbackentropy != NULL) isc_entropy_detach(&ns_g_fallbackentropy); - } + /* * isc_taskmgr_destroy() will block until all tasks have exited, */ @@ -487,28 +555,32 @@ setup(void) { ns_os_inituserinfo(ns_g_username); /* - * Initialize time conversion information and /dev/null + * Initialize time conversion information */ ns_os_tzset(); + ns_os_opendevnull(); +#ifdef PATH_RANDOMDEV /* * Initialize system's random device as fallback entropy source * if running chroot'ed. */ - result = isc_entropy_create(ns_g_mctx, &ns_g_fallbackentropy); - if (result != ISC_R_SUCCESS) - ns_main_earlyfatal("isc_entropy_create() failed: %s", - isc_result_totext(result)); -#ifdef PATH_RANDOMDEV if (ns_g_chrootdir != NULL) { + result = isc_entropy_create(ns_g_mctx, &ns_g_fallbackentropy); + if (result != ISC_R_SUCCESS) + ns_main_earlyfatal("isc_entropy_create() failed: %s", + isc_result_totext(result)); + result = isc_entropy_createfilesource(ns_g_fallbackentropy, PATH_RANDOMDEV); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { ns_main_earlywarning("could not open pre-chroot " "entropy source %s: %s", PATH_RANDOMDEV, isc_result_totext(result)); + isc_entropy_detach(&ns_g_fallbackentropy); + } } #endif @@ -586,6 +658,8 @@ setup(void) { ns_main_earlyfatal("create_managers() failed: %s", isc_result_totext(result)); + ns_builtin_init(); + /* * Add calls to register sdb drivers here. */ @@ -600,6 +674,8 @@ cleanup(void) { ns_server_destroy(&ns_g_server); + ns_builtin_deinit(); + /* * Add calls to unregister sdb drivers here. */ @@ -610,10 +686,125 @@ cleanup(void) { ns_log_shutdown(); } +static char *memstats = NULL; + +void +ns_main_setmemstats(const char *filename) { + /* + * Caller has to ensure locking. + */ + + if (memstats != NULL) { + free(memstats); + memstats = NULL; + } + if (filename == NULL) + return; + memstats = malloc(strlen(filename) + 1); + if (memstats) + strlcpy(memstats, filename, strlen(filename) + 1); +} + +#ifdef HAVE_LIBSCF +/* + * Get FMRI for the current named process + */ +static char * +scf_get_ins_name(void) { + scf_handle_t *h = NULL; + int namelen; + char *ins_name; + + if ((h = scf_handle_create(SCF_VERSION)) == NULL) { + UNEXPECTED_ERROR(__FILE__, __LINE__, + "scf_handle_create() failed: %s", + scf_strerror(scf_error())); + return (NULL); + } + + if (scf_handle_bind(h) == -1) { + UNEXPECTED_ERROR(__FILE__, __LINE__, + "scf_handle_bind() failed: %s", + scf_strerror(scf_error())); + scf_handle_destroy(h); + return (NULL); + } + + if ((namelen = scf_myname(h, NULL, 0)) == -1) { + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_MAIN, ISC_LOG_INFO, + "scf_myname() failed: %s", + scf_strerror(scf_error())); + scf_handle_destroy(h); + return (NULL); + } + + if ((ins_name = malloc(namelen + 1)) == NULL) { + UNEXPECTED_ERROR(__FILE__, __LINE__, + "scf_get_ins_named() memory " + "allocation failed: %s", + isc_result_totext(ISC_R_NOMEMORY)); + scf_handle_destroy(h); + return (NULL); + } + + if (scf_myname(h, ins_name, namelen + 1) == -1) { + UNEXPECTED_ERROR(__FILE__, __LINE__, + "scf_myname() failed: %s", + scf_strerror(scf_error())); + scf_handle_destroy(h); + free(ins_name); + return (NULL); + } + + scf_handle_destroy(h); + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, + ISC_LOG_INFO, "instance name:%s", ins_name); + + return (ins_name); +} + +static void +scf_cleanup(void) { + char *s; + char *ins_name; + + if ((ins_name = scf_get_ins_name()) != NULL) { + if ((s = smf_get_state(ins_name)) != NULL) { + if ((strcmp(SCF_STATE_STRING_ONLINE, s) == 0) || + (strcmp(SCF_STATE_STRING_DEGRADED, s) == 0)) { + if (smf_disable_instance(ins_name, 0) != 0) { + UNEXPECTED_ERROR(__FILE__, __LINE__, + "smf_disable_instance() failed: %s", + scf_strerror(scf_error())); + } + } + free(s); + } else { + UNEXPECTED_ERROR(__FILE__, __LINE__, + "smf_get_state() failed: %s", + scf_strerror(scf_error())); + } + free(ins_name); + } +} +#endif + int main(int argc, char *argv[]) { isc_result_t result; + /* + * Record version in core image. + * strings named.core | grep "named version:" + */ + strlcat(version, +#ifdef __DATE__ + "named version: BIND " VERSION " (" __DATE__ ")", +#else + "named version: BIND " VERSION, +#endif + sizeof(version)); result = isc_file_progname(*argv, program_name, sizeof(program_name)); if (result != ISC_R_SUCCESS) ns_main_earlyfatal("program name too long"); @@ -632,17 +823,29 @@ main(int argc, char *argv[]) { ns_main_earlyfatal("isc_app_start() failed: %s", isc_result_totext(result)); - result = isc_mem_create(0, 0, &ns_g_mctx); - if (result != ISC_R_SUCCESS) - ns_main_earlyfatal("isc_mem_create() failed: %s", - isc_result_totext(result)); - dns_result_register(); dst_result_register(); isccc_result_register(); parse_command_line(argc, argv); + /* + * Warn about common configuration error. + */ + if (ns_g_chrootdir != NULL) { + int len = strlen(ns_g_chrootdir); + if (strncmp(ns_g_chrootdir, ns_g_conffile, len) == 0 && + (ns_g_conffile[len] == '/' || ns_g_conffile[len] == '\\')) + ns_main_earlywarning("config filename (-c %s) contains " + "chroot path (-t %s)", + ns_g_conffile, ns_g_chrootdir); + } + + result = isc_mem_create(0, 0, &ns_g_mctx); + if (result != ISC_R_SUCCESS) + ns_main_earlyfatal("isc_mem_create() failed: %s", + isc_result_totext(result)); + setup(); /* @@ -665,14 +868,29 @@ main(int argc, char *argv[]) { } } while (result != ISC_R_SUCCESS); +#ifdef HAVE_LIBSCF + scf_cleanup(); +#endif + cleanup(); if (want_stats) { isc_mem_stats(ns_g_mctx, stdout); isc_mutex_stats(stdout); } + if (memstats != NULL) { + FILE *fp = NULL; + result = isc_stdio_open(memstats, "w", &fp); + if (result == ISC_R_SUCCESS) { + isc_mem_stats(ns_g_mctx, fp); + isc_mutex_stats(fp); + isc_stdio_close(fp); + } + } isc_mem_destroy(&ns_g_mctx); + ns_main_setmemstats(NULL); + isc_app_finish(); ns_os_closedevnull(); diff --git a/usr.sbin/bind/bin/named/named.8 b/usr.sbin/bind/bin/named/named.8 index 848144cde44..67f8a2e0bc1 100644 --- a/usr.sbin/bind/bin/named/named.8 +++ b/usr.sbin/bind/bin/named/named.8 @@ -1,25 +1,26 @@ -.\" -.\" Copyright (C) 2000, 2001 Internet Software Consortium. +.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. .\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +.\" PERFORMANCE OF THIS SOFTWARE. +.\" +.\" $ISC: named.8,v 1.17.208.3 2004/06/03 05:35:47 marka Exp $ .\" .TH "NAMED" "8" "June 30, 2000" "BIND9" "" .SH NAME named \- Internet domain name server .SH SYNOPSIS .sp -\fBnamed\fR [ \fB-c \fIconfig-file\fB\fR ] [ \fB-d \fIdebug-level\fB\fR ] [ \fB-f\fR ] [ \fB-g\fR ] [ \fB-n \fI#cpus\fB\fR ] [ \fB-p \fIport\fB\fR ] [ \fB-s\fR ] [ \fB-t \fIdirectory\fB\fR ] [ \fB-u \fIuser\fB\fR ] [ \fB-v\fR ] [ \fB-x \fIcache-file\fB\fR ] +\fBnamed\fR [ \fB-4\fR ] [ \fB-6\fR ] [ \fB-c \fIconfig-file\fB\fR ] [ \fB-d \fIdebug-level\fB\fR ] [ \fB-f\fR ] [ \fB-g\fR ] [ \fB-n \fI#cpus\fB\fR ] [ \fB-p \fIport\fB\fR ] [ \fB-s\fR ] [ \fB-t \fIdirectory\fB\fR ] [ \fB-u \fIuser\fB\fR ] [ \fB-v\fR ] [ \fB-x \fIcache-file\fB\fR ] .SH "DESCRIPTION" .PP \fBnamed\fR is a Domain Name System (DNS) server, @@ -36,6 +37,16 @@ will communicate with the child and bind to privileged ports on its behalf. See CAVEATS section below. .SH "OPTIONS" .TP +\fB-4\fR +Use IPv4 only even if the host machine is capable of IPv6. +\fB-4\fR and \fB-6\fR are mutually +exclusive. +.TP +\fB-6\fR +Use IPv6 only even if the host machine is capable of IPv4. +\fB-4\fR and \fB-6\fR are mutually +exclusive. +.TP \fB-c \fIconfig-file\fB\fR Use \fIconfig-file\fR as the configuration file instead of the default, @@ -156,7 +167,7 @@ The default process-id file. \fIBIND 9 Administrator Reference Manual\fR. .SH "AUTHOR" .PP -Internet Software Consortium +Internet Systems Consortium .SH "CAVEATS" \fBnamed\fR runs privilege separated for binding the privileged ports after an interface or address diff --git a/usr.sbin/bind/bin/named/named.html b/usr.sbin/bind/bin/named/named.html index 28a14d3b637..08a1d5db250 100644 --- a/usr.sbin/bind/bin/named/named.html +++ b/usr.sbin/bind/bin/named/named.html @@ -1,27 +1,30 @@ <!-- - - Copyright (C) 2000, 2001 Internet Software Consortium. - - + - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000, 2001, 2003 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - - - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. --> + +<!-- $ISC: named.html,v 1.4.2.1.4.4 2004/08/22 23:38:59 marka Exp $ --> + +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML ><HEAD ><TITLE >named</TITLE ><META NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.73 -"></HEAD +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD ><BODY CLASS="REFENTRY" BGCOLOR="#FFFFFF" @@ -32,10 +35,10 @@ ALINK="#0000FF" ><H1 ><A NAME="AEN1" +></A ><SPAN CLASS="APPLICATION" >named</SPAN -></A ></H1 ><DIV CLASS="REFNAMEDIV" @@ -59,80 +62,72 @@ NAME="AEN13" ><B CLASS="COMMAND" >named</B -> [<TT +> [<VAR +CLASS="OPTION" +>-4</VAR +>] [<VAR CLASS="OPTION" ->-c <TT +>-6</VAR +>] [<VAR +CLASS="OPTION" +>-c <VAR CLASS="REPLACEABLE" -><I ->config-file</I -></TT -></TT ->] [<TT +>config-file</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-d <TT +>-d <VAR CLASS="REPLACEABLE" -><I ->debug-level</I -></TT -></TT ->] [<TT +>debug-level</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-f</TT ->] [<TT +>-f</VAR +>] [<VAR CLASS="OPTION" ->-g</TT ->] [<TT +>-g</VAR +>] [<VAR CLASS="OPTION" ->-n <TT +>-n <VAR CLASS="REPLACEABLE" -><I ->#cpus</I -></TT -></TT ->] [<TT +>#cpus</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-p <TT +>-p <VAR CLASS="REPLACEABLE" -><I ->port</I -></TT -></TT ->] [<TT +>port</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-s</TT ->] [<TT +>-s</VAR +>] [<VAR CLASS="OPTION" ->-t <TT +>-t <VAR CLASS="REPLACEABLE" -><I ->directory</I -></TT -></TT ->] [<TT +>directory</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-u <TT +>-u <VAR CLASS="REPLACEABLE" -><I ->user</I -></TT -></TT ->] [<TT +>user</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-v</TT ->] [<TT +>-v</VAR +>] [<VAR CLASS="OPTION" ->-x <TT +>-x <VAR CLASS="REPLACEABLE" -><I ->cache-file</I -></TT -></TT +>cache-file</VAR +></VAR >]</P ></DIV ><DIV CLASS="REFSECT1" ><A -NAME="AEN45" +NAME="AEN49" ></A ><H2 >DESCRIPTION</H2 @@ -160,7 +155,7 @@ CLASS="FILENAME" ><DIV CLASS="REFSECT1" ><A -NAME="AEN52" +NAME="AEN56" ></A ><H2 >OPTIONS</H2 @@ -170,19 +165,45 @@ NAME="AEN52" CLASS="VARIABLELIST" ><DL ><DT ->-c <TT +>-4</DT +><DD +><P +> Use IPv4 only even if the host machine is capable of IPv6. + <VAR +CLASS="OPTION" +>-4</VAR +> and <VAR +CLASS="OPTION" +>-6</VAR +> are mutually + exclusive. + </P +></DD +><DT +>-6</DT +><DD +><P +> Use IPv6 only even if the host machine is capable of IPv4. + <VAR +CLASS="OPTION" +>-4</VAR +> and <VAR +CLASS="OPTION" +>-6</VAR +> are mutually + exclusive. + </P +></DD +><DT +>-c <VAR CLASS="REPLACEABLE" -><I ->config-file</I -></TT +>config-file</VAR ></DT ><DD ><P -> Use <TT +> Use <VAR CLASS="REPLACEABLE" -><I ->config-file</I -></TT +>config-file</VAR > as the configuration file instead of the default, <TT @@ -192,33 +213,27 @@ CLASS="FILENAME" ensure that reloading the configuration file continues to work after the server has changed its working directory due to to a possible - <TT + <VAR CLASS="OPTION" ->directory</TT +>directory</VAR > option in the configuration - file, <TT + file, <VAR CLASS="REPLACEABLE" -><I ->config-file</I -></TT +>config-file</VAR > should be an absolute pathname. </P ></DD ><DT ->-d <TT +>-d <VAR CLASS="REPLACEABLE" -><I ->debug-level</I -></TT +>debug-level</VAR ></DT ><DD ><P -> Set the daemon's debug level to <TT +> Set the daemon's debug level to <VAR CLASS="REPLACEABLE" -><I ->debug-level</I -></TT +>debug-level</VAR >. Debugging traces from <B CLASS="COMMAND" @@ -246,19 +261,15 @@ CLASS="FILENAME" </P ></DD ><DT ->-n <TT +>-n <VAR CLASS="REPLACEABLE" -><I ->#cpus</I -></TT +>#cpus</VAR ></DT ><DD ><P -> Create <TT +> Create <VAR CLASS="REPLACEABLE" -><I ->#cpus</I -></TT +>#cpus</VAR > worker threads to take advantage of multiple CPUs. If not specified, <B @@ -271,19 +282,15 @@ CLASS="COMMAND" </P ></DD ><DT ->-p <TT +>-p <VAR CLASS="REPLACEABLE" -><I ->port</I -></TT +>port</VAR ></DT ><DD ><P -> Listen for queries on port <TT +> Listen for queries on port <VAR CLASS="REPLACEABLE" -><I ->port</I -></TT +>port</VAR >. If not specified, the default is port 53. </P @@ -311,22 +318,18 @@ CLASS="NOTE" ></DIV ></DD ><DT ->-t <TT +>-t <VAR CLASS="REPLACEABLE" -><I ->directory</I -></TT +>directory</VAR ></DT ><DD ><P -> <TT +> <CODE CLASS="FUNCTION" ->chroot()</TT -> to <TT +>chroot()</CODE +> to <VAR CLASS="REPLACEABLE" -><I ->directory</I -></TT +>directory</VAR > after processing the command line arguments, but before reading the configuration file. @@ -351,14 +354,14 @@ ALIGN="CENTER" ALIGN="LEFT" ><P > This option should be used in conjunction with the - <TT + <VAR CLASS="OPTION" ->-u</TT +>-u</VAR > option, as chrooting a process running as root doesn't enhance security on most - systems; the way <TT + systems; the way <CODE CLASS="FUNCTION" ->chroot()</TT +>chroot()</CODE > is defined allows a process with root privileges to escape a chroot jail. @@ -369,22 +372,18 @@ CLASS="FUNCTION" ></DIV ></DD ><DT ->-u <TT +>-u <VAR CLASS="REPLACEABLE" -><I ->user</I -></TT +>user</VAR ></DT ><DD ><P -> <TT +> <CODE CLASS="FUNCTION" ->setuid()</TT -> to <TT +>setuid()</CODE +> to <VAR CLASS="REPLACEABLE" -><I ->user</I -></TT +>user</VAR > after completing privileged operations, such as creating sockets that listen on privileged ports. @@ -401,14 +400,14 @@ CLASS="COMMAND" >named</B > uses the kernel's capability mechanism to drop all root privileges - except the ability to <TT + except the ability to <CODE CLASS="FUNCTION" ->bind()</TT +>bind()</CODE > to a privileged port and set process resource limits. - Unfortunately, this means that the <TT + Unfortunately, this means that the <VAR CLASS="OPTION" ->-u</TT +>-u</VAR > option only works when <B CLASS="COMMAND" @@ -416,9 +415,9 @@ CLASS="COMMAND" > is run on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or later, since previous kernels did not allow privileges - to be retained after <TT + to be retained after <CODE CLASS="FUNCTION" ->setuid()</TT +>setuid()</CODE >. </P ></BLOCKQUOTE @@ -432,19 +431,15 @@ CLASS="FUNCTION" </P ></DD ><DT ->-x <TT +>-x <VAR CLASS="REPLACEABLE" -><I ->cache-file</I -></TT +>cache-file</VAR ></DT ><DD ><P -> Load data from <TT +> Load data from <VAR CLASS="REPLACEABLE" -><I ->cache-file</I -></TT +>cache-file</VAR > into the cache of the default view. </P @@ -482,7 +477,7 @@ ALIGN="LEFT" ><DIV CLASS="REFSECT1" ><A -NAME="AEN137" +NAME="AEN153" ></A ><H2 >SIGNALS</H2 @@ -522,7 +517,7 @@ CLASS="VARIABLELIST" ><DIV CLASS="REFSECT1" ><A -NAME="AEN151" +NAME="AEN167" ></A ><H2 >CONFIGURATION</H2 @@ -542,7 +537,7 @@ CLASS="CITETITLE" ><DIV CLASS="REFSECT1" ><A -NAME="AEN156" +NAME="AEN172" ></A ><H2 >FILES</H2 @@ -577,7 +572,7 @@ CLASS="FILENAME" ><DIV CLASS="REFSECT1" ><A -NAME="AEN169" +NAME="AEN185" ></A ><H2 >SEE ALSO</H2 @@ -617,12 +612,12 @@ CLASS="CITETITLE" ><DIV CLASS="REFSECT1" ><A -NAME="AEN182" +NAME="AEN198" ></A ><H2 >AUTHOR</H2 ><P -> Internet Software Consortium +> Internet Systems Consortium </P ></DIV ></BODY diff --git a/usr.sbin/bind/bin/named/notify.c b/usr.sbin/bind/bin/named/notify.c index fbb436349b1..9f8dcee6aec 100644 --- a/usr.sbin/bind/bin/named/notify.c +++ b/usr.sbin/bind/bin/named/notify.c @@ -1,25 +1,26 @@ /* - * Copyright (C) 1999-2001, 2003 Internet Software Consortium. + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: notify.c,v 1.24.2.2 2003/07/22 04:03:34 marka Exp $ */ +/* $ISC: notify.c,v 1.24.2.2.2.7 2004/08/28 06:25:30 marka Exp $ */ #include <config.h> #include <isc/log.h> +#include <isc/print.h> #include <dns/message.h> #include <dns/rdataset.h> @@ -36,11 +37,11 @@ */ static void -notify_log(int level, const char *fmt, ...) { +notify_log(ns_client_t *client, int level, const char *fmt, ...) { va_list ap; va_start(ap, fmt); - isc_log_vwrite(ns_g_lctx, DNS_LOGCATEGORY_NOTIFY, NS_LOGMODULE_NOTIFY, + ns_client_logv(client, DNS_LOGCATEGORY_NOTIFY, NS_LOGMODULE_NOTIFY, level, fmt, ap); va_end(ap); } @@ -76,14 +77,17 @@ ns_notify_start(ns_client_t *client) { dns_name_t *zonename; dns_rdataset_t *zone_rdataset; dns_zone_t *zone = NULL; - char str[DNS_NAME_FORMATSIZE]; + char namebuf[DNS_NAME_FORMATSIZE]; + char tsigbuf[DNS_NAME_FORMATSIZE + sizeof(": TSIG ''")]; + dns_name_t *tsigname; /* * Interpret the question section. */ result = dns_message_firstname(request, DNS_SECTION_QUESTION); if (result != ISC_R_SUCCESS) { - notify_log(ISC_LOG_INFO, "notify question section empty"); + notify_log(client, ISC_LOG_NOTICE, + "notify question section empty"); goto formerr; } @@ -94,7 +98,7 @@ ns_notify_start(ns_client_t *client) { dns_message_currentname(request, DNS_SECTION_QUESTION, &zonename); zone_rdataset = ISC_LIST_HEAD(zonename->list); if (ISC_LIST_NEXT(zone_rdataset, link) != NULL) { - notify_log(ISC_LOG_INFO, + notify_log(client, ISC_LOG_NOTICE, "notify question section contains multiple RRs"); goto formerr; } @@ -102,29 +106,36 @@ ns_notify_start(ns_client_t *client) { /* The zone section must have exactly one name. */ result = dns_message_nextname(request, DNS_SECTION_ZONE); if (result != ISC_R_NOMORE) { - notify_log(ISC_LOG_INFO, + notify_log(client, ISC_LOG_NOTICE, "notify question section contains multiple RRs"); - goto failure; + goto formerr; } /* The one rdataset must be an SOA. */ if (zone_rdataset->type != dns_rdatatype_soa) { - notify_log(ISC_LOG_INFO, + notify_log(client, ISC_LOG_NOTICE, "notify question section contains no SOA"); goto formerr; } - dns_name_format(zonename, str, sizeof(str)); + tsigname = NULL; + if (dns_message_gettsig(request, &tsigname) != NULL) { + dns_name_format(tsigname, namebuf, sizeof(namebuf)); + snprintf(tsigbuf, sizeof(tsigbuf), ": TSIG '%s'", namebuf); + } else + tsigbuf[0] = '\0'; + dns_name_format(zonename, namebuf, sizeof(namebuf)); result = dns_zt_find(client->view->zonetable, zonename, 0, NULL, &zone); if (result != ISC_R_SUCCESS) goto notauth; - switch(dns_zone_gettype(zone)) { + switch (dns_zone_gettype(zone)) { case dns_zone_master: case dns_zone_slave: case dns_zone_stub: /* Allow dialup passive to work. */ - notify_log(ISC_LOG_INFO, "received notify for zone '%s'", str); + notify_log(client, ISC_LOG_INFO, + "received notify for zone '%s'%s", namebuf, tsigbuf); respond(client, dns_zone_notifyreceive(zone, ns_client_getsockaddr(client), request)); break; @@ -135,9 +146,9 @@ ns_notify_start(ns_client_t *client) { return; notauth: - notify_log(ISC_LOG_INFO, - "received notify for zone '%s': not authoritative", - str); + notify_log(client, ISC_LOG_NOTICE, + "received notify for zone '%s'%s: not authoritative", + namebuf, tsigbuf); result = DNS_R_NOTAUTH; goto failure; diff --git a/usr.sbin/bind/bin/named/query.c b/usr.sbin/bind/bin/named/query.c index 0976e0a6eb8..24e13c7c636 100644 --- a/usr.sbin/bind/bin/named/query.c +++ b/usr.sbin/bind/bin/named/query.c @@ -1,21 +1,21 @@ /* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: query.c,v 1.198.2.14 2003/09/02 02:27:53 marka Exp $ */ +/* $ISC: query.c,v 1.198.2.13.4.30 2004/06/30 14:13:05 marka Exp $ */ #include <config.h> @@ -29,6 +29,7 @@ #include <dns/db.h> #include <dns/events.h> #include <dns/message.h> +#include <dns/order.h> #include <dns/rdata.h> #include <dns/rdataclass.h> #include <dns/rdatalist.h> @@ -62,12 +63,14 @@ NS_QUERYATTR_CACHEGLUEOK) != 0) #define WANTRECURSION(c) (((c)->query.attributes & \ NS_QUERYATTR_WANTRECURSION) != 0) -#define WANTDNSSEC(c) (((c)->query.attributes & \ - NS_QUERYATTR_WANTDNSSEC) != 0) +#define WANTDNSSEC(c) (((c)->attributes & \ + NS_CLIENTATTR_WANTDNSSEC) != 0) #define NOAUTHORITY(c) (((c)->query.attributes & \ NS_QUERYATTR_NOAUTHORITY) != 0) #define NOADDITIONAL(c) (((c)->query.attributes & \ NS_QUERYATTR_NOADDITIONAL) != 0) +#define SECURE(c) (((c)->query.attributes & \ + NS_QUERYATTR_SECURE) != 0) #if 0 #define CTRACE(m) isc_log_write(ns_g_lctx, \ @@ -87,65 +90,18 @@ #define DNS_GETDB_NOEXACT 0x01U #define DNS_GETDB_NOLOG 0x02U - -static unsigned char ip6int_ndata[] = "\003ip6\003int"; -static unsigned char ip6int_offsets[] = { 0, 4, 8 }; - -static dns_name_t ip6int_name = { - DNS_NAME_MAGIC, - ip6int_ndata, 9, 3, - DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE, - ip6int_offsets, NULL, - {(void *)-1, (void *)-1}, - {NULL, NULL} -}; - -static isc_result_t -query_simplefind(void *arg, dns_name_t *name, dns_rdatatype_t type, - isc_stdtime_t now, - dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset); - -static inline void -query_adda6rrset(void *arg, dns_name_t *name, dns_rdataset_t *rdataset, - dns_rdataset_t *sigrdataset); +#define DNS_GETDB_PARTIAL 0x04U static void query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype); -static void -synth_fwd_start(ns_client_t *client); - -static void -synth_fwd_startfind(ns_client_t *client); - -static void -synth_fwd_respond(ns_client_t *client, dns_adbfind_t *find); - -static void -synth_fwd_finddone(isc_task_t *task, isc_event_t *ev); - -static void -synth_finish(ns_client_t *client, isc_result_t result); - -static void -synth_rev_start(ns_client_t *client); - -static void -synth_rev_byaddrdone_arpa(isc_task_t *task, isc_event_t *event); - -static void -synth_rev_byaddrdone_int(isc_task_t *task, isc_event_t *event); - -static void -synth_rev_respond(ns_client_t *client, dns_byaddrevent_t *bevent); - /* * Increment query statistics counters. */ static inline void inc_stats(ns_client_t *client, dns_statscounter_t counter) { dns_zone_t *zone = client->query.authzone; - + REQUIRE(counter < DNS_STATS_NCOUNTERS); ns_g_server->querystats[counter]++; @@ -205,10 +161,43 @@ query_maybeputqname(ns_client_t *client) { } static inline void +query_freefreeversions(ns_client_t *client, isc_boolean_t everything) { + ns_dbversion_t *dbversion, *dbversion_next; + unsigned int i; + + for (dbversion = ISC_LIST_HEAD(client->query.freeversions), i = 0; + dbversion != NULL; + dbversion = dbversion_next, i++) + { + dbversion_next = ISC_LIST_NEXT(dbversion, link); + /* + * If we're not freeing everything, we keep the first three + * dbversions structures around. + */ + if (i > 3 || everything) { + ISC_LIST_UNLINK(client->query.freeversions, dbversion, + link); + isc_mem_put(client->mctx, dbversion, + sizeof(*dbversion)); + } + } +} + +void +ns_query_cancel(ns_client_t *client) { + LOCK(&client->query.fetchlock); + if (client->query.fetch != NULL) { + dns_resolver_cancelfetch(client->query.fetch); + + client->query.fetch = NULL; + } + UNLOCK(&client->query.fetchlock); +} + +static inline void query_reset(ns_client_t *client, isc_boolean_t everything) { isc_buffer_t *dbuf, *dbuf_next; ns_dbversion_t *dbversion, *dbversion_next; - unsigned int i; /* * Reset the query state of a client to its default state. @@ -217,11 +206,7 @@ query_reset(ns_client_t *client, isc_boolean_t everything) { /* * Cancel the fetch if it's running. */ - if (client->query.fetch != NULL) { - dns_resolver_cancelfetch(client->query.fetch); - - client->query.fetch = NULL; - } + ns_query_cancel(client); /* * Cleanup any active versions. @@ -243,24 +228,7 @@ query_reset(ns_client_t *client, isc_boolean_t everything) { if (client->query.authzone != NULL) dns_zone_detach(&client->query.authzone); - /* - * Clean up free versions. - */ - for (dbversion = ISC_LIST_HEAD(client->query.freeversions), i = 0; - dbversion != NULL; - dbversion = dbversion_next, i++) { - dbversion_next = ISC_LIST_NEXT(dbversion, link); - /* - * If we're not freeing everything, we keep the first three - * dbversions structures around. - */ - if (i > 3 || everything) { - ISC_LIST_UNLINK(client->query.freeversions, dbversion, - link); - isc_mem_put(client->mctx, dbversion, - sizeof *dbversion); - } - } + query_freefreeversions(client, everything); for (dbuf = ISC_LIST_HEAD(client->query.namebufs); dbuf != NULL; @@ -275,7 +243,8 @@ query_reset(ns_client_t *client, isc_boolean_t everything) { query_maybeputqname(client); client->query.attributes = (NS_QUERYATTR_RECURSIONOK | - NS_QUERYATTR_CACHEOK); + NS_QUERYATTR_CACHEOK | + NS_QUERYATTR_SECURE); client->query.restarts = 0; client->query.timerset = ISC_FALSE; client->query.origqname = NULL; @@ -461,7 +430,7 @@ query_newdbversion(ns_client_t *client, unsigned int n) { ns_dbversion_t *dbversion; for (i = 0; i < n; i++) { - dbversion = isc_mem_get(client->mctx, sizeof *dbversion); + dbversion = isc_mem_get(client->mctx, sizeof(*dbversion)); if (dbversion != NULL) { dbversion->db = NULL; dbversion->version = NULL; @@ -509,6 +478,9 @@ ns_query_init(ns_client_t *client) { client->query.restarts = 0; client->query.timerset = ISC_FALSE; client->query.qname = NULL; + result = isc_mutex_init(&client->query.fetchlock); + if (result != ISC_R_SUCCESS) + return (result); client->query.fetch = NULL; client->query.authdb = NULL; client->query.authzone = NULL; @@ -516,11 +488,15 @@ ns_query_init(ns_client_t *client) { client->query.isreferral = ISC_FALSE; query_reset(client, ISC_FALSE); result = query_newdbversion(client, 3); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { + DESTROYLOCK(&client->query.fetchlock); return (result); - dns_a6_init(&client->query.a6ctx, query_simplefind, query_adda6rrset, - NULL, NULL, client); - return (query_newnamebuf(client)); + } + result = query_newnamebuf(client); + if (result != ISC_R_SUCCESS) + query_freefreeversions(client, ISC_TRUE); + + return (result); } static inline ns_dbversion_t * @@ -562,8 +538,9 @@ query_findversion(ns_client_t *client, dns_db_t *db, } static inline isc_result_t -query_getzonedb(ns_client_t *client, dns_name_t *name, unsigned int options, - dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp) +query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype, + unsigned int options, dns_zone_t **zonep, dns_db_t **dbp, + dns_dbversion_t **versionp) { isc_result_t result; isc_boolean_t check_acl, new_zone; @@ -572,6 +549,7 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, unsigned int options, unsigned int ztoptions; dns_zone_t *zone = NULL; dns_db_t *db = NULL; + isc_boolean_t partial = ISC_FALSE; REQUIRE(zonep != NULL && *zonep == NULL); REQUIRE(dbp != NULL && *dbp == NULL); @@ -584,6 +562,8 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, unsigned int options, result = dns_zt_find(client->view->zonetable, name, ztoptions, NULL, &zone); + if (result == DNS_R_PARTIALMATCH) + partial = ISC_TRUE; if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) result = dns_zone_getdb(zone, &db); @@ -656,13 +636,12 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, unsigned int options, result = ns_client_checkaclsilent(client, queryacl, ISC_TRUE); if (log) { - char msg[DNS_NAME_FORMATSIZE + DNS_RDATACLASS_FORMATSIZE - + sizeof "query '/'"]; + char msg[NS_CLIENT_ACLMSGSIZE("query")]; if (result == ISC_R_SUCCESS) { if (isc_log_wouldlog(ns_g_lctx, ISC_LOG_DEBUG(3))) { - ns_client_aclmsg("query", name, + ns_client_aclmsg("query", name, qtype, client->view->rdclass, msg, sizeof(msg)); ns_client_log(client, @@ -672,7 +651,7 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, unsigned int options, "%s approved", msg); } } else { - ns_client_aclmsg("query", name, + ns_client_aclmsg("query", name, qtype, client->view->rdclass, msg, sizeof(msg)); ns_client_log(client, DNS_LOGCATEGORY_SECURITY, @@ -715,6 +694,8 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, unsigned int options, *dbp = db; *versionp = dbversion->version; + if (partial && (options & DNS_GETDB_PARTIAL) != 0) + return (DNS_R_PARTIALMATCH); return (ISC_R_SUCCESS); refuse: @@ -729,7 +710,8 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, unsigned int options, } static inline isc_result_t -query_getcachedb(ns_client_t *client, dns_db_t **dbp, unsigned int options) +query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype, + dns_db_t **dbp, unsigned int options) { isc_result_t result; isc_boolean_t check_acl; @@ -768,12 +750,11 @@ query_getcachedb(ns_client_t *client, dns_db_t **dbp, unsigned int options) if (check_acl) { isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0); + char msg[NS_CLIENT_ACLMSGSIZE("query (cache)")]; - result = ns_client_checkacl(client, "query (cache)", - client->view->queryacl, - ISC_TRUE, - log ? ISC_LOG_INFO : - ISC_LOG_DEBUG(3)); + result = ns_client_checkaclsilent(client, + client->view->queryacl, + ISC_TRUE); if (result == ISC_R_SUCCESS) { /* * We were allowed by the default @@ -782,6 +763,25 @@ query_getcachedb(ns_client_t *client, dns_db_t **dbp, unsigned int options) */ client->query.attributes |= NS_QUERYATTR_QUERYOK; + if (log && isc_log_wouldlog(ns_g_lctx, + ISC_LOG_DEBUG(3))) + { + ns_client_aclmsg("query (cache)", name, qtype, + client->view->rdclass, + msg, sizeof(msg)); + ns_client_log(client, + DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_QUERY, + ISC_LOG_DEBUG(3), + "%s approved", msg); + } + } else if (log) { + ns_client_aclmsg("query (cache)", name, qtype, + client->view->rdclass, msg, + sizeof(msg)); + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_QUERY, ISC_LOG_INFO, + "%s denied", msg); } /* * We've now evaluated the view's query ACL, and @@ -811,155 +811,23 @@ query_getcachedb(ns_client_t *client, dns_db_t **dbp, unsigned int options) static inline isc_result_t -query_getdb(ns_client_t *client, dns_name_t *name, unsigned int options, - dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp, - isc_boolean_t *is_zonep) +query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype, + unsigned int options, dns_zone_t **zonep, dns_db_t **dbp, + dns_dbversion_t **versionp, isc_boolean_t *is_zonep) { isc_result_t result; - result = query_getzonedb(client, name, options, zonep, dbp, versionp); + result = query_getzonedb(client, name, qtype, options, + zonep, dbp, versionp); if (result == ISC_R_SUCCESS) { *is_zonep = ISC_TRUE; } else if (result == ISC_R_NOTFOUND) { - result = query_getcachedb(client, dbp, options); + result = query_getcachedb(client, name, qtype, dbp, options); *is_zonep = ISC_FALSE; } return (result); } -static isc_result_t -query_simplefind(void *arg, dns_name_t *name, dns_rdatatype_t type, - isc_stdtime_t now, - dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) -{ - ns_client_t *client = arg; - isc_result_t result; - dns_fixedname_t foundname; - dns_db_t *db; - dns_dbversion_t *version; - unsigned int dboptions; - isc_boolean_t is_zone; - dns_rdataset_t zrdataset, zsigrdataset; - dns_zone_t *zone; - - REQUIRE(NS_CLIENT_VALID(client)); - REQUIRE(rdataset != NULL); - - dns_rdataset_init(&zrdataset); - if (sigrdataset != NULL) - dns_rdataset_init(&zsigrdataset); - - /* - * Find a database to answer the query. - */ - zone = NULL; - db = NULL; - version = NULL; - result = query_getdb(client, name, 0, &zone, &db, &version, &is_zone); - if (result != ISC_R_SUCCESS) - goto cleanup; - - db_find: - /* - * Now look for an answer in the database. - */ - dns_fixedname_init(&foundname); - dboptions = client->query.dboptions; - if (db == client->query.gluedb || (!is_zone && CACHEGLUEOK(client))) - dboptions |= DNS_DBFIND_GLUEOK; - result = dns_db_find(db, name, version, type, dboptions, - now, NULL, dns_fixedname_name(&foundname), - rdataset, sigrdataset); - if (result == DNS_R_DELEGATION || - result == ISC_R_NOTFOUND) { - if (dns_rdataset_isassociated(rdataset)) - dns_rdataset_disassociate(rdataset); - if (sigrdataset != NULL && - dns_rdataset_isassociated(sigrdataset)) - dns_rdataset_disassociate(sigrdataset); - if (is_zone) { - if (USECACHE(client)) { - /* - * Either the answer is in the cache, or we - * don't know it. - */ - is_zone = ISC_FALSE; - version = NULL; - dns_db_detach(&db); - dns_db_attach(client->view->cachedb, &db); - goto db_find; - } - } else { - /* - * We don't have the data in the cache. If we've got - * glue from the zone, use it. - */ - if (dns_rdataset_isassociated(&zrdataset)) { - dns_rdataset_clone(&zrdataset, rdataset); - if (sigrdataset != NULL && - dns_rdataset_isassociated(&zsigrdataset)) - dns_rdataset_clone(&zsigrdataset, - sigrdataset); - result = ISC_R_SUCCESS; - goto cleanup; - } - } - /* - * We don't know the answer. - */ - result = ISC_R_NOTFOUND; - } else if (result == DNS_R_GLUE) { - if (USECACHE(client) && RECURSIONOK(client)) { - /* - * We found an answer, but the cache may be better. - * Remember what we've got and go look in the cache. - */ - is_zone = ISC_FALSE; - version = NULL; - dns_rdataset_clone(rdataset, &zrdataset); - dns_rdataset_disassociate(rdataset); - if (sigrdataset != NULL && - dns_rdataset_isassociated(sigrdataset)) - { - dns_rdataset_clone(sigrdataset, &zsigrdataset); - dns_rdataset_disassociate(sigrdataset); - } - dns_db_detach(&db); - dns_db_attach(client->view->cachedb, &db); - goto db_find; - } - /* - * Otherwise, the glue is the best answer. - */ - result = ISC_R_SUCCESS; - } else if (result != ISC_R_SUCCESS) { - if (dns_rdataset_isassociated(rdataset)) - dns_rdataset_disassociate(rdataset); - if (sigrdataset != NULL && - dns_rdataset_isassociated(sigrdataset)) - dns_rdataset_disassociate(sigrdataset); - result = ISC_R_NOTFOUND; - } - /* - * If we get here, the result is ISC_R_SUCCESS, and we found the - * answer we were looking for in the zone. - */ - - cleanup: - if (dns_rdataset_isassociated(&zrdataset)) { - dns_rdataset_disassociate(&zrdataset); - if (sigrdataset != NULL && - dns_rdataset_isassociated(&zsigrdataset)) - dns_rdataset_disassociate(&zsigrdataset); - } - if (db != NULL) - dns_db_detach(&db); - if (zone != NULL) - dns_zone_detach(&zone); - - return (result); -} - static inline isc_boolean_t query_isduplicate(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type, dns_name_t **mnamep) @@ -1012,7 +880,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { dns_dbnode_t *node; dns_db_t *db; dns_name_t *fname, *mname; - dns_rdataset_t *rdataset, *sigrdataset, *a6rdataset, *trdataset; + dns_rdataset_t *rdataset, *sigrdataset, *trdataset; isc_buffer_t *dbuf; isc_buffer_t b; dns_dbversion_t *version; @@ -1035,7 +903,6 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { fname = NULL; rdataset = NULL; sigrdataset = NULL; - a6rdataset = NULL; trdataset = NULL; db = NULL; version = NULL; @@ -1075,7 +942,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { * Look for a zone database that might contain authoritative * additional data. */ - result = query_getzonedb(client, name, DNS_GETDB_NOLOG, + result = query_getzonedb(client, name, qtype, DNS_GETDB_NOLOG, &zone, &db, &version); if (result != ISC_R_SUCCESS) goto try_cache; @@ -1108,7 +975,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { */ try_cache: - result = query_getcachedb(client, &db, DNS_GETDB_NOLOG); + result = query_getcachedb(client, name, qtype, &db, DNS_GETDB_NOLOG); if (result != ISC_R_SUCCESS) /* * Most likely the client isn't allowed to query the cache. @@ -1202,7 +1069,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { if (qtype == dns_rdatatype_a) { /* - * We now go looking for A, A6, and AAAA records, along with + * We now go looking for A and AAAA records, along with * their signatures. * * XXXRTH This code could be more efficient. @@ -1269,49 +1136,6 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { } } result = dns_db_findrdataset(db, node, version, - dns_rdatatype_a6, 0, - client->now, rdataset, - sigrdataset); - if (result == DNS_R_NCACHENXDOMAIN) - goto addname; - if (result == DNS_R_NCACHENXRRSET) { - dns_rdataset_disassociate(rdataset); - INSIST(sigrdataset == NULL || - ! dns_rdataset_isassociated(sigrdataset)); - } - if (result == ISC_R_SUCCESS) { - mname = NULL; - if (!query_isduplicate(client, fname, - dns_rdatatype_a6, &mname)) { - if (mname != NULL) { - query_releasename(client, &fname); - fname = mname; - } else - need_addname = ISC_TRUE; - a6rdataset = rdataset; - ISC_LIST_APPEND(fname->list, rdataset, link); - added_something = ISC_TRUE; - if (sigrdataset != NULL && - dns_rdataset_isassociated(sigrdataset)) - { - ISC_LIST_APPEND(fname->list, - sigrdataset, link); - sigrdataset = - query_newrdataset(client); - } - rdataset = query_newrdataset(client); - if (rdataset == NULL) - goto addname; - if (WANTDNSSEC(client) && sigrdataset == NULL) - goto addname; - } else { - dns_rdataset_disassociate(rdataset); - if (sigrdataset != NULL && - dns_rdataset_isassociated(sigrdataset)) - dns_rdataset_disassociate(sigrdataset); - } - } - result = dns_db_findrdataset(db, node, version, dns_rdatatype_aaaa, 0, client->now, rdataset, sigrdataset); @@ -1378,15 +1202,12 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { /* * RFC 2535 section 3.5 says that when A or AAAA records are * retrieved as additional data, any KEY RRs for the owner name - * should be added to the additional data section. Note: we - * do NOT include A6 in the list of types with such treatment - * in additional data because we'd have to do it for each A6 - * in the A6 chain. + * should be added to the additional data section. * * XXXRTH We should lower the priority here. Alternatively, * we could raise the priority of glue records. */ - eresult = query_addadditional(client, name, dns_rdatatype_key); + eresult = query_addadditional(client, name, dns_rdatatype_dnskey); } else if (type == dns_rdatatype_srv && trdataset != NULL) { /* * If we're adding SRV records to the additional data @@ -1398,16 +1219,6 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { client); } - /* - * If we added an A6 rdataset, we should also add everything we - * know about the A6 chains. We wait until now to do this so that - * they'll come after any additional data added above. - */ - if (a6rdataset != NULL) { - dns_a6_reset(&client->query.a6ctx); - dns_a6_foreach(&client->query.a6ctx, a6rdataset, client->now); - } - cleanup: CTRACE("query_addadditional: cleanup"); query_putrdataset(client, &rdataset); @@ -1426,86 +1237,6 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { return (eresult); } -static void -query_adda6rrset(void *arg, dns_name_t *name, dns_rdataset_t *rdataset, - dns_rdataset_t *sigrdataset) -{ - ns_client_t *client = arg; - dns_rdataset_t *crdataset, *csigrdataset; - isc_buffer_t b, *dbuf; - dns_name_t *fname, *mname; - - /* - * Add an rrset to the additional data section. - */ - - REQUIRE(NS_CLIENT_VALID(client)); - REQUIRE(rdataset->type == dns_rdatatype_a6); - - /* - * Get some resources... - */ - fname = NULL; - crdataset = NULL; - csigrdataset = NULL; - dbuf = query_getnamebuf(client); - if (dbuf == NULL) - goto cleanup; - fname = query_newname(client, dbuf, &b); - crdataset = query_newrdataset(client); - if (fname == NULL || crdataset == NULL) - goto cleanup; - if (sigrdataset != NULL) { - csigrdataset = query_newrdataset(client); - if (csigrdataset == NULL) - goto cleanup; - } - - if (dns_name_copy(name, fname, NULL) != ISC_R_SUCCESS) - goto cleanup; - dns_rdataset_clone(rdataset, crdataset); - if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) - dns_rdataset_clone(sigrdataset, csigrdataset); - - mname = NULL; - if (query_isduplicate(client, fname, crdataset->type, &mname)) - goto cleanup; - if (mname != NULL) { - query_releasename(client, &fname); - fname = mname; - } else { - query_keepname(client, fname, dbuf); - dns_message_addname(client->message, fname, - DNS_SECTION_ADDITIONAL); - } - - ISC_LIST_APPEND(fname->list, crdataset, link); - crdataset = NULL; - /* - * Note: we only add SIGs if we've added the type they cover, so - * we do not need to check if the SIG rdataset is already in the - * response. - */ - if (sigrdataset != NULL && dns_rdataset_isassociated(csigrdataset)) { - ISC_LIST_APPEND(fname->list, csigrdataset, link); - csigrdataset = NULL; - } - - fname = NULL; - - /* - * In spite of RFC 2535 section 3.5, we don't currently try to add - * KEY RRs for the A6 records. It's just too much work. - */ - - cleanup: - query_putrdataset(client, &crdataset); - if (sigrdataset != NULL) - query_putrdataset(client, &csigrdataset); - if (fname != NULL) - query_releasename(client, &fname); -} - static inline void query_addrdataset(ns_client_t *client, dns_name_t *fname, dns_rdataset_t *rdataset) @@ -1521,22 +1252,20 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname, ISC_LIST_APPEND(fname->list, rdataset, link); + if (client->view->order != NULL) + rdataset->attributes |= dns_order_find(client->view->order, + fname, rdataset->type, + rdataset->rdclass); if (NOADDITIONAL(client)) return; /* * Add additional data. * - * We don't care if dns_a6_foreach or dns_rdataset_additionaldata() - * fail. + * We don't care if dns_rdataset_additionaldata() fails. */ - if (type == dns_rdatatype_a6) { - dns_a6_reset(&client->query.a6ctx); - (void)dns_a6_foreach(&client->query.a6ctx, rdataset, - client->now); - } else - (void)dns_rdataset_additionaldata(rdataset, - query_addadditional, client); + (void)dns_rdataset_additionaldata(rdataset, + query_addadditional, client); /* * RFC 2535 section 3.5 says that when NS, SOA, A, or AAAA records * are retrieved, any KEY RRs for the owner name should be added @@ -1551,7 +1280,7 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname, * XXXRTH We should lower the priority here. Alternatively, * we could raise the priority of glue records. */ - (void)query_addadditional(client, fname, dns_rdatatype_key); + (void)query_addadditional(client, fname, dns_rdatatype_dnskey); } CTRACE("query_addrdataset: done"); } @@ -1611,6 +1340,10 @@ query_addrrset(ns_client_t *client, dns_name_t **namep, query_releasename(client, namep); } + if (rdataset->trust != dns_trust_secure && + (section == DNS_SECTION_ANSWER || + section == DNS_SECTION_AUTHORITY)) + client->query.attributes &= ~NS_QUERYATTR_SECURE; /* * Note: we only add SIGs if we've added the type they cover, so * we do not need to check if the SIG rdataset is already in the @@ -1690,7 +1423,9 @@ query_addsoa(ns_client_t *client, dns_db_t *db, isc_boolean_t zero_ttl) { result = dns_rdataset_first(rdataset); RUNTIME_CHECK(result == ISC_R_SUCCESS); dns_rdataset_current(rdataset, &rdata); - dns_rdata_tostruct(&rdata, &soa, NULL); + result = dns_rdata_tostruct(&rdata, &soa, NULL); + if (result != ISC_R_SUCCESS) + goto cleanup; if (zero_ttl) { rdataset->ttl = 0; @@ -1812,7 +1547,7 @@ query_addns(ns_client_t *client, dns_db_t *db) { static inline isc_result_t query_addcnamelike(ns_client_t *client, dns_name_t *qname, dns_name_t *tname, - dns_ttl_t ttl, dns_name_t **anamep, dns_rdatatype_t type) + dns_trust_t trust, dns_name_t **anamep, dns_rdatatype_t type) { dns_rdataset_t *rdataset; dns_rdatalist_t *rdatalist; @@ -1848,7 +1583,7 @@ query_addcnamelike(ns_client_t *client, dns_name_t *qname, dns_name_t *tname, rdatalist->type = type; rdatalist->covers = 0; rdatalist->rdclass = client->message->rdclass; - rdatalist->ttl = ttl; + rdatalist->ttl = 0; dns_name_toregion(tname, &r); rdata->data = r.base; @@ -1858,7 +1593,9 @@ query_addcnamelike(ns_client_t *client, dns_name_t *qname, dns_name_t *tname, ISC_LIST_INIT(rdatalist->rdata); ISC_LIST_APPEND(rdatalist->rdata, rdata, link); - dns_rdatalist_tordataset(rdatalist, rdataset); + RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset) + == ISC_R_SUCCESS); + rdataset->trust = trust; query_addrrset(client, anamep, &rdataset, NULL, NULL, DNS_SECTION_ANSWER); @@ -1903,8 +1640,8 @@ query_addbestns(ns_client_t *client) { /* * Find the right database. */ - result = query_getdb(client, client->query.qname, 0, &zone, &db, - &version, &is_zone); + result = query_getdb(client, client->query.qname, dns_rdatatype_ns, 0, + &zone, &db, &version, &is_zone); if (result != ISC_R_SUCCESS) goto cleanup; @@ -1939,6 +1676,7 @@ query_addbestns(ns_client_t *client) { query_keepname(client, fname, dbuf); zdb = db; zfname = fname; + fname = NULL; zrdataset = rdataset; rdataset = NULL; zsigrdataset = sigrdataset; @@ -1999,6 +1737,11 @@ query_addbestns(ns_client_t *client) { (sigrdataset != NULL && sigrdataset->trust == dns_trust_pending))) goto cleanup; + if (WANTDNSSEC(client) && SECURE(client) && + (rdataset->trust == dns_trust_glue || + (sigrdataset != NULL && sigrdataset->trust == dns_trust_glue))) + goto cleanup; + query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf, DNS_SECTION_AUTHORITY); @@ -2026,6 +1769,264 @@ query_addbestns(ns_client_t *client) { } static void +query_addds(ns_client_t *client, dns_db_t *db, dns_dbnode_t *node) { + dns_name_t *rname; + dns_rdataset_t *rdataset, *sigrdataset; + isc_result_t result; + + CTRACE("query_addds"); + rname = NULL; + rdataset = NULL; + sigrdataset = NULL; + + /* + * We'll need some resources... + */ + rdataset = query_newrdataset(client); + sigrdataset = query_newrdataset(client); + if (rdataset == NULL || sigrdataset == NULL) + goto cleanup; + + /* + * Look for the DS record, which may or may not be present. + */ + result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ds, 0, + client->now, rdataset, sigrdataset); + /* + * If we didn't find it, look for an NSEC. */ + if (result == ISC_R_NOTFOUND) + result = dns_db_findrdataset(db, node, NULL, + dns_rdatatype_nsec, 0, client->now, + rdataset, sigrdataset); + if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) + goto cleanup; + if (!dns_rdataset_isassociated(rdataset) || + !dns_rdataset_isassociated(sigrdataset)) + goto cleanup; + + /* + * We've already added the NS record, so if the name's not there, + * we have other problems. Use this name rather than calling + * query_addrrset(). + */ + result = dns_message_firstname(client->message, DNS_SECTION_AUTHORITY); + if (result != ISC_R_SUCCESS) + goto cleanup; + + rname = NULL; + dns_message_currentname(client->message, DNS_SECTION_AUTHORITY, + &rname); + result = dns_message_findtype(rname, dns_rdatatype_ns, 0, NULL); + if (result != ISC_R_SUCCESS) + goto cleanup; + + ISC_LIST_APPEND(rname->list, rdataset, link); + ISC_LIST_APPEND(rname->list, sigrdataset, link); + rdataset = NULL; + sigrdataset = NULL; + + cleanup: + if (rdataset != NULL) + query_putrdataset(client, &rdataset); + if (sigrdataset != NULL) + query_putrdataset(client, &sigrdataset); +} + +static void +query_addwildcardproof(ns_client_t *client, dns_db_t *db, + dns_name_t *name, isc_boolean_t ispositive) +{ + isc_buffer_t *dbuf, b; + dns_name_t *fname; + dns_rdataset_t *rdataset, *sigrdataset; + dns_fixedname_t wfixed; + dns_name_t *wname; + dns_dbnode_t *node; + unsigned int options; + unsigned int olabels, nlabels; + isc_result_t result; + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdata_nsec_t nsec; + isc_boolean_t have_wname; + int order; + + CTRACE("query_addwildcardproof"); + fname = NULL; + rdataset = NULL; + sigrdataset = NULL; + node = NULL; + + /* + * Get the NOQNAME proof then if !ispositve + * get the NOWILDCARD proof. + * + * DNS_DBFIND_NOWILD finds the NSEC records that covers the + * name ignoring any wildcard. From the owner and next names + * of this record you can compute which wildcard (if it exists) + * will match by finding the longest common suffix of the + * owner name and next names with the qname and prefixing that + * with the wildcard label. + * + * e.g. + * Given: + * example SOA + * example NSEC b.example + * b.example A + * b.example NSEC a.d.example + * a.d.example A + * a.d.example NSEC g.f.example + * g.f.example A + * g.f.example NSEC z.i.example + * z.i.example A + * z.i.example NSEC example + * + * QNAME: + * a.example -> example NSEC b.example + * owner common example + * next common example + * wild *.example + * d.b.example -> b.example NSEC a.d.example + * owner common b.example + * next common example + * wild *.b.example + * a.f.example -> a.d.example NSEC g.f.example + * owner common example + * next common f.example + * wild *.f.example + * j.example -> z.i.example NSEC example + * owner common example + * next common example + * wild *.f.example + */ + options = client->query.dboptions | DNS_DBFIND_NOWILD; + dns_fixedname_init(&wfixed); + wname = dns_fixedname_name(&wfixed); + again: + have_wname = ISC_FALSE; + /* + * We'll need some resources... + */ + dbuf = query_getnamebuf(client); + if (dbuf == NULL) + goto cleanup; + fname = query_newname(client, dbuf, &b); + rdataset = query_newrdataset(client); + sigrdataset = query_newrdataset(client); + if (fname == NULL || rdataset == NULL || sigrdataset == NULL) + goto cleanup; + + result = dns_db_find(db, name, NULL, dns_rdatatype_nsec, options, + 0, &node, fname, rdataset, sigrdataset); + if (node != NULL) + dns_db_detachnode(db, &node); + if (result == DNS_R_NXDOMAIN) { + if (!ispositive) + result = dns_rdataset_first(rdataset); + if (result == ISC_R_SUCCESS) { + dns_rdataset_current(rdataset, &rdata); + result = dns_rdata_tostruct(&rdata, &nsec, NULL); + } + if (result == ISC_R_SUCCESS) { + (void)dns_name_fullcompare(name, fname, &order, + &olabels); + (void)dns_name_fullcompare(name, &nsec.next, &order, + &nlabels); + if (olabels > nlabels) + dns_name_split(name, olabels, NULL, wname); + else + dns_name_split(name, nlabels, NULL, wname); + result = dns_name_concatenate(dns_wildcardname, + wname, wname, NULL); + if (result == ISC_R_SUCCESS) + have_wname = ISC_TRUE; + dns_rdata_freestruct(&nsec); + } + query_addrrset(client, &fname, &rdataset, &sigrdataset, + dbuf, DNS_SECTION_AUTHORITY); + } + if (rdataset != NULL) + query_putrdataset(client, &rdataset); + if (sigrdataset != NULL) + query_putrdataset(client, &sigrdataset); + if (fname != NULL) + query_releasename(client, &fname); + if (have_wname) { + ispositive = ISC_TRUE; /* prevent loop */ + if (!dns_name_equal(name, wname)) { + name = wname; + goto again; + } + } + cleanup: + if (rdataset != NULL) + query_putrdataset(client, &rdataset); + if (sigrdataset != NULL) + query_putrdataset(client, &sigrdataset); + if (fname != NULL) + query_releasename(client, &fname); +} + +static void +query_addnxrrsetnsec(ns_client_t *client, dns_db_t *db, dns_name_t **namep, + dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp) +{ + dns_name_t *name; + dns_rdataset_t *sigrdataset; + dns_rdata_t sigrdata; + dns_rdata_rrsig_t sig; + unsigned int labels; + isc_buffer_t *dbuf, b; + dns_name_t *fname; + isc_result_t result; + + name = *namep; + if ((name->attributes & DNS_NAMEATTR_WILDCARD) == 0) { + query_addrrset(client, namep, rdatasetp, sigrdatasetp, + NULL, DNS_SECTION_AUTHORITY); + return; + } + + if (sigrdatasetp == NULL) + return; + sigrdataset = *sigrdatasetp; + if (sigrdataset == NULL || !dns_rdataset_isassociated(sigrdataset)) + return; + result = dns_rdataset_first(sigrdataset); + if (result != ISC_R_SUCCESS) + return; + dns_rdata_init(&sigrdata); + dns_rdataset_current(sigrdataset, &sigrdata); + result = dns_rdata_tostruct(&sigrdata, &sig, NULL); + if (result != ISC_R_SUCCESS) + return; + + labels = dns_name_countlabels(name); + if ((unsigned int)sig.labels + 1 >= labels) + return; + + /* XXX */ + query_addwildcardproof(client, db, + client->query.qname, + ISC_TRUE); + + /* + * We'll need some resources... + */ + dbuf = query_getnamebuf(client); + if (dbuf == NULL) + return; + fname = query_newname(client, dbuf, &b); + if (fname == NULL) + return; + dns_name_split(name, sig.labels + 1, NULL, fname); + /* This will succeed, since we've stripped labels. */ + RUNTIME_CHECK(dns_name_concatenate(dns_wildcardname, fname, fname, + NULL) == ISC_R_SUCCESS); + query_addrrset(client, &fname, rdatasetp, sigrdatasetp, + dbuf, DNS_SECTION_AUTHORITY); +} + +static void query_resume(isc_task_t *task, isc_event_t *event) { dns_fetchevent_t *devent = (dns_fetchevent_t *)event; ns_client_t *client; @@ -2043,7 +2044,8 @@ query_resume(isc_task_t *task, isc_event_t *event) { REQUIRE(task == client->task); REQUIRE(RECURSING(client)); - if (devent->fetch != NULL) { + LOCK(&client->query.fetchlock); + if (client->query.fetch != NULL) { /* * This is the fetch we've been waiting for. */ @@ -2061,6 +2063,7 @@ query_resume(isc_task_t *task, isc_event_t *event) { */ fetch_cancelled = ISC_TRUE; } + UNLOCK(&client->query.fetchlock); INSIST(client->query.fetch == NULL); client->query.attributes &= ~NS_QUERYATTR_RECURSING; @@ -2080,7 +2083,10 @@ query_resume(isc_task_t *task, isc_event_t *event) { if (devent->sigrdataset != NULL) query_putrdataset(client, &devent->sigrdataset); isc_event_free(&event); - query_next(client, ISC_R_CANCELED); + if (fetch_cancelled) + query_error(client, DNS_R_SERVFAIL); + else + query_next(client, ISC_R_CANCELED); /* * This may destroy the client. */ @@ -2110,8 +2116,20 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain, * connection was accepted (if allowed by the TCP quota). */ if (client->recursionquota == NULL) { + isc_boolean_t killoldest = ISC_FALSE; result = isc_quota_attach(&ns_g_server->recursionquota, &client->recursionquota); + if (result == ISC_R_SOFTQUOTA) { + ns_client_log(client, NS_LOGCATEGORY_CLIENT, + NS_LOGMODULE_QUERY, ISC_LOG_WARNING, + "recursive-clients limit exceeded, " + "aborting oldest query"); + killoldest = ISC_TRUE; + result = ISC_R_SUCCESS; + } + if (dns_resolver_nrunning(client->view->resolver) > + (unsigned int)ns_g_server->recursionquota.max) + result = ISC_R_QUOTA; if (result == ISC_R_SUCCESS && !client->mortal && (client->attributes & NS_CLIENTATTR_TCP) == 0) result = ns_client_replace(client); @@ -2120,8 +2138,11 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain, NS_LOGMODULE_QUERY, ISC_LOG_WARNING, "no more recursive clients: %s", isc_result_totext(result)); + if (client->recursionquota != NULL) + isc_quota_detach(&client->recursionquota); return (result); } + ns_client_recursing(client, killoldest); } /* @@ -2168,98 +2189,6 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain, return (result); } -static inline isc_result_t -query_findparentkey(ns_client_t *client, dns_name_t *name, - dns_zone_t **zonep, dns_db_t **dbp, - dns_dbversion_t **versionp, dns_dbnode_t **nodep, - dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) -{ - dns_db_t *pdb; - dns_dbnode_t *pnode; - dns_dbversion_t *pversion; - dns_rdataset_t prdataset, psigrdataset; - dns_rdataset_t *psigrdatasetp; - isc_result_t result; - dns_zone_t *pzone; - isc_boolean_t is_zone; - dns_fixedname_t pfoundname; - - /* - * 'name' is at a zone cut. Try to find a KEY for 'name' in - * the deepest ancestor zone of 'name' (if any). If it exists, - * update *zonep, *dbp, *nodep, rdataset, and sigrdataset and - * return ISC_R_SUCCESS. If not, leave them alone and return a - * non-success status. - */ - - pzone = NULL; - pdb = NULL; - pnode = NULL; - pversion = NULL; - dns_rdataset_init(&prdataset); - if (sigrdataset != NULL) - dns_rdataset_init(&psigrdataset); - is_zone = ISC_FALSE; - dns_fixedname_init(&pfoundname); - - result = query_getdb(client, name, DNS_GETDB_NOEXACT, - &pzone, &pdb, &pversion, &is_zone); - if (result != ISC_R_SUCCESS) - goto cleanup; - if (!is_zone) { - result = ISC_R_FAILURE; - goto cleanup; - } - - if (sigrdataset != NULL) - psigrdatasetp = &psigrdataset; - else - psigrdatasetp = NULL; - result = dns_db_find(pdb, name, pversion, dns_rdatatype_key, - client->query.dboptions, - client->now, &pnode, - dns_fixedname_name(&pfoundname), - &prdataset, psigrdatasetp); - if (result == ISC_R_SUCCESS) { - if (dns_rdataset_isassociated(rdataset)) - dns_rdataset_disassociate(rdataset); - dns_rdataset_clone(&prdataset, rdataset); - if (sigrdataset != NULL) { - if (dns_rdataset_isassociated(sigrdataset)) - dns_rdataset_disassociate(sigrdataset); - if (dns_rdataset_isassociated(&psigrdataset)) - dns_rdataset_clone(&psigrdataset, sigrdataset); - } - if (*nodep != NULL) - dns_db_detachnode(*dbp, nodep); - *nodep = pnode; - pnode = NULL; - *versionp = pversion; - if (*dbp != NULL) - dns_db_detach(dbp); - *dbp = pdb; - pdb = NULL; - if (*zonep != NULL) - dns_zone_detach(zonep); - *zonep = pzone; - pzone = NULL; - } - - cleanup: - if (dns_rdataset_isassociated(&prdataset)) - dns_rdataset_disassociate(&prdataset); - if (sigrdataset != NULL && dns_rdataset_isassociated(&psigrdataset)) - dns_rdataset_disassociate(&psigrdataset); - if (pnode != NULL) - dns_db_detachnode(pdb, &pnode); - if (pdb != NULL) - dns_db_detach(&pdb); - if (pzone != NULL) - dns_zone_detach(&pzone); - - return (result); -} - #define MAX_RESTARTS 16 #define QUERY_ERROR(r) \ @@ -2353,13 +2282,51 @@ setup_query_sortlist(ns_client_t *client) { dns_message_setsortorder(client->message, order, order_arg); } +static void +query_addnoqnameproof(ns_client_t *client, dns_rdataset_t *rdataset) { + isc_buffer_t *dbuf, b; + dns_name_t *fname; + dns_rdataset_t *nsec, *nsecsig; + isc_result_t result = ISC_R_NOMEMORY; + + CTRACE("query_addnoqnameproof"); + + fname = NULL; + nsec = NULL; + nsecsig = NULL; + + dbuf = query_getnamebuf(client); + if (dbuf == NULL) + goto cleanup; + fname = query_newname(client, dbuf, &b); + nsec = query_newrdataset(client); + nsecsig = query_newrdataset(client); + if (fname == NULL || nsec == NULL || nsecsig == NULL) + goto cleanup; + + result = dns_rdataset_getnoqname(rdataset, fname, nsec, nsecsig); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + + query_addrrset(client, &fname, &nsec, &nsecsig, dbuf, + DNS_SECTION_AUTHORITY); + + cleanup: + if (nsec != NULL) + query_putrdataset(client, &nsec); + if (nsecsig != NULL) + query_putrdataset(client, &nsecsig); + if (fname != NULL) + query_releasename(client, &fname); +} + /* * Do the bulk of query processing for the current query of 'client'. * If 'event' is non-NULL, we are returning from recursion and 'qtype' * is ignored. Otherwise, 'qtype' is the query type. */ static void -query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) { +query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) +{ dns_db_t *db, *zdb; dns_dbnode_t *node; dns_rdatatype_t type; @@ -2369,19 +2336,22 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) dns_rdataset_t **sigrdatasetp; dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdatasetiter_t *rdsiter; - isc_boolean_t want_restart, authoritative, is_zone; - unsigned int n, nlabels, nbits; + isc_boolean_t want_restart, authoritative, is_zone, need_wildcardproof; + unsigned int n, nlabels; dns_namereln_t namereln; int order; isc_buffer_t *dbuf; isc_buffer_t b; isc_result_t result, eresult; dns_fixedname_t fixed; + dns_fixedname_t wildcardname; dns_dbversion_t *version; dns_zone_t *zone; dns_rdata_cname_t cname; dns_rdata_dname_t dname; + unsigned int options; isc_boolean_t empty_wild; + dns_rdataset_t *noqname; CTRACE("query_find"); @@ -2404,7 +2374,9 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) zdb = NULL; version = NULL; zone = NULL; + need_wildcardproof = ISC_FALSE; empty_wild = ISC_FALSE; + options = 0; if (event != NULL) { /* @@ -2417,7 +2389,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) is_zone = ISC_FALSE; qtype = event->qtype; - if (qtype == dns_rdatatype_sig) + if (qtype == dns_rdatatype_rrsig) type = dns_rdatatype_any; else type = qtype; @@ -2458,7 +2430,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) /* * If it's a SIG query, we'll iterate the node. */ - if (qtype == dns_rdatatype_sig) + if (qtype == dns_rdatatype_rrsig) type = dns_rdatatype_any; else type = qtype; @@ -2468,12 +2440,70 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) want_restart = ISC_FALSE; authoritative = ISC_FALSE; version = NULL; + need_wildcardproof = ISC_FALSE; + + if (client->view->checknames && + !dns_rdata_checkowner(client->query.qname, + client->message->rdclass, + qtype, ISC_FALSE)) { + char namebuf[DNS_NAME_FORMATSIZE]; + char typename[DNS_RDATATYPE_FORMATSIZE]; + char classname[DNS_RDATACLASS_FORMATSIZE]; + + dns_name_format(client->query.qname, namebuf, sizeof(namebuf)); + dns_rdatatype_format(qtype, typename, sizeof(typename)); + dns_rdataclass_format(client->message->rdclass, classname, + sizeof(classname)); + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_QUERY, ISC_LOG_ERROR, + "check-names failure %s/%s/%s", namebuf, + typename, classname); + QUERY_ERROR(DNS_R_REFUSED); + goto cleanup; + } /* * First we must find the right database. */ - result = query_getdb(client, client->query.qname, 0, &zone, &db, - &version, &is_zone); + options = 0; + if (dns_rdatatype_atparent(qtype) && + !dns_name_equal(client->query.qname, dns_rootname)) + options |= DNS_GETDB_NOEXACT; + result = query_getdb(client, client->query.qname, qtype, options, + &zone, &db, &version, &is_zone); + if ((result != ISC_R_SUCCESS || !is_zone) && !RECURSIONOK(client) && + (options & DNS_GETDB_NOEXACT) != 0 && qtype == dns_rdatatype_ds) { + /* + * Look to see if we are authoritative for the + * child zone if the query type is DS. + */ + dns_db_t *tdb = NULL; + dns_zone_t *tzone = NULL; + dns_dbversion_t *tversion = NULL; + isc_result_t tresult; + + tresult = query_getzonedb(client, client->query.qname, qtype, + DNS_GETDB_PARTIAL, &tzone, &tdb, + &tversion); + if (tresult == ISC_R_SUCCESS) { + options &= ~DNS_GETDB_NOEXACT; + query_putrdataset(client, &rdataset); + if (db != NULL) + dns_db_detach(&db); + if (zone != NULL) + dns_zone_detach(&zone); + version = tversion; + db = tdb; + zone = tzone; + is_zone = ISC_TRUE; + result = ISC_R_SUCCESS; + } else { + if (tdb != NULL) + dns_db_detach(&tdb); + if (tzone != NULL) + dns_zone_detach(&tzone); + } + } if (result != ISC_R_SUCCESS) { if (result == DNS_R_REFUSED) QUERY_ERROR(DNS_R_REFUSED); @@ -2524,63 +2554,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) client->query.dboptions, client->now, &node, fname, rdataset, sigrdataset); - /* - * We interrupt our normal query processing to bring you this special - * case... - * - * RFC 2535 (DNSSEC), section 2.3.4, discusses various special - * cases that can occur at delegation points. - * - * One of these cases is that the NULL KEY for an unsecure zone - * may occur in the delegating zone instead of in the delegated zone. - * If we're authoritative for both zones, we need to look for the - * key in the delegator if we didn't find it in the delegatee. If - * we didn't do this, a client doing DNSSEC validation could fail - * because it couldn't get the NULL KEY. - */ - if (type == dns_rdatatype_key && - is_zone && - result == DNS_R_NXRRSET && - !dns_db_issecure(db) && - dns_name_equal(client->query.qname, dns_db_origin(db))) { - /* - * We're looking for a KEY at the top of an unsecure zone, - * and we didn't find it. - */ - result = query_findparentkey(client, client->query.qname, - &zone, &db, &version, &node, - rdataset, sigrdataset); - if (result == ISC_R_SUCCESS) { - /* - * We found the parent KEY. - * - * zone, db, version, node, rdataset, and sigrdataset - * have all been updated to refer to the parent's - * data. We will resume query processing as if - * we had looked for the KEY in the parent zone in - * the first place. - * - * We need to set fname correctly. We do this here - * instead of in query_findparentkey() because - * dns_name_copy() can fail (though it shouldn't - * ever do so since we should have enough space). - */ - result = dns_name_copy(client->query.qname, - fname, NULL); - if (result != ISC_R_SUCCESS) { - QUERY_ERROR(DNS_R_SERVFAIL); - goto cleanup; - } - } else { - /* - * We couldn't find the KEY in a parent zone. - * Continue with processing of the original - * results of dns_db_find(). - */ - result = DNS_R_NXRRSET; - } - } - resume: CTRACE("query_find: resume"); switch (result) { @@ -2658,6 +2631,48 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) authoritative = ISC_FALSE; if (is_zone) { /* + * Look to see if we are authoritative for the + * child zone if the query type is DS. + */ + if (!RECURSIONOK(client) && + (options & DNS_GETDB_NOEXACT) != 0 && + qtype == dns_rdatatype_ds) { + dns_db_t *tdb = NULL; + dns_zone_t *tzone = NULL; + dns_dbversion_t *tversion = NULL; + result = query_getzonedb(client, + client->query.qname, + qtype, + DNS_GETDB_PARTIAL, + &tzone, &tdb, + &tversion); + if (result == ISC_R_SUCCESS) { + options &= ~DNS_GETDB_NOEXACT; + query_putrdataset(client, &rdataset); + if (sigrdataset != NULL) + query_putrdataset(client, + &sigrdataset); + if (fname != NULL) + query_releasename(client, + &fname); + if (node != NULL) + dns_db_detachnode(db, &node); + if (db != NULL) + dns_db_detach(&db); + if (zone != NULL) + dns_zone_detach(&zone); + version = tversion; + db = tdb; + zone = tzone; + authoritative = ISC_TRUE; + goto db_find; + } + if (tdb != NULL) + dns_db_detach(&tdb); + if (tzone != NULL) + dns_zone_detach(&tzone); + } + /* * We're authoritative for an ancestor of QNAME. */ if (!USECACHE(client) || !RECURSIONOK(client)) { @@ -2694,6 +2709,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) &rdataset, sigrdatasetp, dbuf, DNS_SECTION_AUTHORITY); client->query.gluedb = NULL; + if (WANTDNSSEC(client) && dns_db_issecure(db)) + query_addds(client, db, node); } else { /* * We might have a better answer or delegation @@ -2706,6 +2723,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) query_keepname(client, fname, dbuf); zdb = db; zfname = fname; + fname = NULL; zrdataset = rdataset; rdataset = NULL; zsigrdataset = sigrdataset; @@ -2755,7 +2773,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) /* * Recurse! */ - if (type == dns_rdatatype_key) + if (dns_rdatatype_atparent(type)) result = query_recurse(client, qtype, NULL, NULL); else @@ -2792,6 +2810,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) client->query.gluedb = NULL; client->query.attributes &= ~NS_QUERYATTR_CACHEGLUEOK; + if (WANTDNSSEC(client)) + query_addds(client, db, node); } } goto cleanup; @@ -2802,7 +2822,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) INSIST(is_zone); if (dns_rdataset_isassociated(rdataset)) { /* - * If we've got a NXT record, we need to save the + * If we've got a NSEC record, we need to save the * name now because we're going call query_addsoa() * below, and it needs to use the name buffer. */ @@ -2824,13 +2844,12 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) goto cleanup; } /* - * Add NXT record if we found one. + * Add NSEC record if we found one. */ - if (dns_rdataset_isassociated(rdataset)) { - if (WANTDNSSEC(client)) - query_addrrset(client, &fname, &rdataset, - &sigrdataset, - NULL, DNS_SECTION_AUTHORITY); + if (WANTDNSSEC(client)) { + if (dns_rdataset_isassociated(rdataset)) + query_addnxrrsetnsec(client, db, &fname, + &rdataset, &sigrdataset); } goto cleanup; case DNS_R_EMPTYWILD: @@ -2840,7 +2859,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) INSIST(is_zone); if (dns_rdataset_isassociated(rdataset)) { /* - * If we've got a NXT record, we need to save the + * If we've got a NSEC record, we need to save the * name now because we're going call query_addsoa() * below, and it needs to use the name buffer. */ @@ -2868,13 +2887,17 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) goto cleanup; } /* - * Add NXT record if we found one. + * Add NSEC record if we found one. */ if (dns_rdataset_isassociated(rdataset)) { - if (WANTDNSSEC(client)) + if (WANTDNSSEC(client)) { query_addrrset(client, &fname, &rdataset, &sigrdataset, NULL, DNS_SECTION_AUTHORITY); + query_addwildcardproof(client, db, + client->query.qname, + ISC_FALSE); + } } /* * Set message rcode. @@ -2918,8 +2941,23 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) sigrdatasetp = &sigrdataset; else sigrdatasetp = NULL; + if (WANTDNSSEC(client) && + (fname->attributes & DNS_NAMEATTR_WILDCARD) != 0) + { + dns_fixedname_init(&wildcardname); + dns_name_copy(fname, dns_fixedname_name(&wildcardname), + NULL); + need_wildcardproof = ISC_TRUE; + } + if ((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0 && + WANTDNSSEC(client)) + noqname = rdataset; + else + noqname = NULL; query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf, DNS_SECTION_ANSWER); + if (noqname != NULL) + query_addnoqnameproof(client, noqname); /* * We set the PARTIALANSWER attribute so that if anything goes * wrong later on, we'll return what we've got so far. @@ -2964,7 +3002,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) * we're going to have to split qname later on. */ namereln = dns_name_fullcompare(client->query.qname, fname, - &order, &nlabels, &nbits); + &order, &nlabels); INSIST(namereln == dns_namereln_subdomain); /* * Keep a copy of the rdataset. We have to do this because @@ -2979,6 +3017,14 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) sigrdatasetp = &sigrdataset; else sigrdatasetp = NULL; + if (WANTDNSSEC(client) && + (fname->attributes & DNS_NAMEATTR_WILDCARD) != 0) + { + dns_fixedname_init(&wildcardname); + dns_name_copy(fname, dns_fixedname_name(&wildcardname), + NULL); + need_wildcardproof = ISC_TRUE; + } query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf, DNS_SECTION_ANSWER); /* @@ -3013,12 +3059,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) */ dns_fixedname_init(&fixed); prefix = dns_fixedname_name(&fixed); - result = dns_name_split(client->query.qname, nlabels, nbits, - prefix, NULL); - if (result != ISC_R_SUCCESS) { - dns_message_puttempname(client->message, &tname); - goto cleanup; - } + dns_name_split(client->query.qname, nlabels, prefix, NULL); INSIST(fname == NULL); dbuf = query_getnamebuf(client); if (dbuf == NULL) { @@ -3058,8 +3099,9 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) * since the synthesized CNAME is NOT in the zone. */ dns_name_init(tname, NULL); - query_addcnamelike(client, client->query.qname, fname, - 0, &tname, dns_rdatatype_cname); + (void)query_addcnamelike(client, client->query.qname, fname, + trdataset->trust, &tname, + dns_rdatatype_cname); if (tname != NULL) dns_message_puttempname(client->message, &tname); /* @@ -3078,6 +3120,14 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) goto cleanup; } + if (WANTDNSSEC(client) && + (fname->attributes & DNS_NAMEATTR_WILDCARD) != 0) + { + dns_fixedname_init(&wildcardname); + dns_name_copy(fname, dns_fixedname_name(&wildcardname), NULL); + need_wildcardproof = ISC_TRUE; + } + if (type == dns_rdatatype_any) { /* * XXXRTH Need to handle zonecuts with special case @@ -3139,7 +3189,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) /* * We didn't match any rdatasets. */ - if (qtype == dns_rdatatype_sig && + if (qtype == dns_rdatatype_rrsig && result == ISC_R_NOMORE) { /* * XXXRTH If this is a secure zone and we @@ -3179,8 +3229,15 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) sigrdatasetp = &sigrdataset; else sigrdatasetp = NULL; + if ((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0 && + WANTDNSSEC(client)) + noqname = rdataset; + else + noqname = NULL; query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf, DNS_SECTION_ANSWER); + if (noqname != NULL) + query_addnoqnameproof(client, noqname); /* * We shouldn't ever fail to add 'rdataset' * because it's already in the answer. @@ -3194,14 +3251,13 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) * Add NS records to the authority section (if we haven't already * added them to the answer section). */ - if (!want_restart && !NOAUTHORITY(client) - ) { + if (!want_restart && !NOAUTHORITY(client)) { if (is_zone) { if (!((qtype == dns_rdatatype_ns || qtype == dns_rdatatype_any) && dns_name_equal(client->query.qname, dns_db_origin(db)))) - query_addns(client, db); + (void)query_addns(client, db); } else if (qtype != dns_rdatatype_ns) { if (fname != NULL) query_releasename(client, &fname); @@ -3209,6 +3265,14 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) } } + /* + * Add NSEC records to the authority section if they're needed for + * DNSSEC wildcard proofs. + */ + if (need_wildcardproof && dns_db_issecure(db)) + query_addwildcardproof(client, db, + dns_fixedname_name(&wildcardname), + ISC_TRUE); cleanup: CTRACE("query_find: cleanup"); /* @@ -3235,7 +3299,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) dns_db_detach(&zdb); } if (event != NULL) - isc_event_free((isc_event_t **)(&event)); + isc_event_free(ISC_EVENT_PTR(&event)); /* * AA bit. @@ -3302,7 +3366,10 @@ log_query(ns_client_t *client) { dns_rdatatype_format(rdataset->type, typename, sizeof(typename)); ns_client_log(client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY, - level, "query: %s %s %s", namebuf, classname, typename); + level, "query: %s %s %s %s%s%s", namebuf, classname, + typename, WANTRECURSION(client) ? "+" : "-", + (client->signer != NULL) ? "S": "", + (client->opt != NULL) ? "E" : ""); } void @@ -3320,14 +3387,19 @@ ns_query_start(ns_client_t *client) { */ client->next = query_next_callback; + /* + * Behave as if we don't support DNSSEC if not enabled. + */ + if (!client->view->enablednssec) { + message->flags &= ~DNS_MESSAGEFLAG_CD; + client->extflags &= ~DNS_MESSAGEEXTFLAG_DO; + } + if ((message->flags & DNS_MESSAGEFLAG_RD) != 0) client->query.attributes |= NS_QUERYATTR_WANTRECURSION; -#ifdef ISC_RFC2535 - if ((client->extflags & DNS_MESSAGEEXTFLAG_DO) != 0 || - (message->flags & DNS_MESSAGEFLAG_AD) != 0) - client->query.attributes |= NS_QUERYATTR_WANTDNSSEC; -#endif + if ((client->extflags & DNS_MESSAGEEXTFLAG_DO) != 0) + client->attributes |= NS_CLIENTATTR_WANTDNSSEC; if (client->view->minimalresponses) client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY | @@ -3426,13 +3498,20 @@ ns_query_start(ns_client_t *client) { * to return data before validation has completed. */ if (message->flags & DNS_MESSAGEFLAG_CD || - qtype == dns_rdatatype_sig) + qtype == dns_rdatatype_rrsig) { client->query.dboptions |= DNS_DBFIND_PENDINGOK; client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE; } /* + * Allow glue NS records to be added to the authority section + * if the answer is secure. + */ + if (message->flags & DNS_MESSAGEFLAG_CD) + client->query.attributes &= ~NS_QUERYATTR_SECURE; + + /* * This is an ordinary query. */ result = dns_message_reply(message, ISC_TRUE); @@ -3451,445 +3530,10 @@ ns_query_start(ns_client_t *client) { * Set AD. We must clear it if we add non-validated data to a * response. */ - if (WANTDNSSEC(client)) + if (client->view->enablednssec) message->flags |= DNS_MESSAGEFLAG_AD; - /* - * Synthesize IPv6 responses if appropriate. - */ - if (RECURSIONOK(client) && - (qtype == dns_rdatatype_aaaa || qtype == dns_rdatatype_ptr) && - client->message->rdclass == dns_rdataclass_in && - ns_client_checkacl(client, "v6 synthesis", - client->view->v6synthesisacl, - ISC_FALSE, ISC_LOG_DEBUG(9)) == ISC_R_SUCCESS) - { - if (qtype == dns_rdatatype_aaaa) { - qclient = NULL; - ns_client_attach(client, &qclient); - synth_fwd_start(qclient); - return; - } else { - INSIST(qtype == dns_rdatatype_ptr); - /* Must be 32 nibbles + "ip6" + "int" + root */ - if (dns_name_countlabels(client->query.qname) == 32 + 3 && - dns_name_issubdomain(client->query.qname, &ip6int_name)) { - qclient = NULL; - ns_client_attach(client, &qclient); - synth_rev_start(qclient); - return; - } - } - } - qclient = NULL; ns_client_attach(client, &qclient); query_find(qclient, NULL, qtype); } - -/* - * Generate a synthetic IPv6 forward mapping response for the current - * query of 'client'. - */ -static void -synth_fwd_start(ns_client_t *client) { - ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY, - ISC_LOG_DEBUG(5), "generating synthetic AAAA response"); - - synth_fwd_startfind(client); -} - -/* - * Start an ADB find to get addresses, or more addresses, for - * a synthetic IPv6 forward mapping response. - */ -static void -synth_fwd_startfind(ns_client_t *client) { - dns_adbfind_t *find = NULL; - isc_result_t result; - dns_fixedname_t target_fixed; - dns_name_t *target; - - dns_fixedname_init(&target_fixed); - target = dns_fixedname_name(&target_fixed); - - find_again: - result = dns_adb_createfind(client->view->adb, client->task, - synth_fwd_finddone, client, client->query.qname, - dns_rootname, - DNS_ADBFIND_WANTEVENT | DNS_ADBFIND_RETURNLAME | - DNS_ADBFIND_INET6, client->now, - target, 0, &find); - - ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY, - ISC_LOG_DEBUG(5), "find returned %s", - isc_result_totext(result)); - - if (result == DNS_R_ALIAS) { - dns_name_t *ptarget = NULL; - dns_name_t *tname = NULL; - isc_buffer_t *dbuf; - isc_buffer_t b; - - /* - * Make a persistent copy of the 'target' name data in 'ptarget'; - * it will become the new query name. - */ - dbuf = query_getnamebuf(client); - if (dbuf == NULL) - goto fail; - ptarget = query_newname(client, dbuf, &b); - if (ptarget == NULL) - goto fail; - dns_name_copy(target, ptarget, NULL); - - dns_adb_destroyfind(&find); - - /* - * Get another temporary name 'tname' for insertion into the - * response message. - */ - result = dns_message_gettempname(client->message, &tname); - if (result != ISC_R_SUCCESS) - goto fail; - dns_name_init(tname, NULL); - result = query_addcnamelike(client, client->query.qname, - ptarget, 0 /* XXX ttl */, &tname, - dns_rdatatype_cname); - if (tname != NULL) - dns_message_puttempname(client->message, &tname); - if (result != ISC_R_SUCCESS) - goto fail; - - query_maybeputqname(client); - client->query.qname = ptarget; - query_keepname(client, ptarget, dbuf); - ptarget = NULL; - if (client->query.restarts < MAX_RESTARTS) { - client->query.restarts++; - goto find_again; - } else { - /* - * Probably a CNAME loop. Reply with partial - * CNAME chain. - */ - result = ISC_R_SUCCESS; - goto done; - } - } else if (result != ISC_R_SUCCESS) { - if (find != NULL) - dns_adb_destroyfind(&find); - goto fail; - } - - if ((find->options & DNS_ADBFIND_WANTEVENT) != 0) { - ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY, - ISC_LOG_DEBUG(5), "find will send event"); - } else { - synth_fwd_respond(client, find); - dns_adb_destroyfind(&find); - } - return; - - fail: - result = DNS_R_SERVFAIL; - done: - synth_finish(client, result); -} - -/* - * Handle an ADB finddone event generated as part of synthetic IPv6 - * forward mapping processing. - */ -static void -synth_fwd_finddone(isc_task_t *task, isc_event_t *ev) { - ns_client_t *client = ev->ev_arg; - dns_adbfind_t *find = ev->ev_sender; - isc_eventtype_t evtype = ev->ev_type; - - UNUSED(task); - - ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY, - ISC_LOG_DEBUG(5), "got find event"); - - if (evtype == DNS_EVENT_ADBNOMOREADDRESSES) - synth_fwd_respond(client, find); - else if (evtype == DNS_EVENT_ADBMOREADDRESSES) - synth_fwd_startfind(client); - else - synth_finish(client, DNS_R_SERVFAIL); - - isc_event_free(&ev); - dns_adb_destroyfind(&find); - -} - -/* - * Generate a synthetic IPv6 forward mapping response based on - * a completed ADB lookup. - */ -static void -synth_fwd_respond(ns_client_t *client, dns_adbfind_t *find) { - dns_adbaddrinfo_t *ai; - dns_name_t *tname = NULL; - dns_rdataset_t *rdataset = NULL; - dns_rdatalist_t *rdatalist = NULL; - isc_result_t result; - - result = dns_message_gettempname(client->message, &tname); - if (result != ISC_R_SUCCESS) - goto cleanup; - dns_name_init(tname, NULL); - - result = dns_message_gettemprdatalist(client->message, &rdatalist); - if (result != ISC_R_SUCCESS) - goto cleanup; - - result = dns_message_gettemprdataset(client->message, &rdataset); - if (result != ISC_R_SUCCESS) - goto cleanup; - dns_rdataset_init(rdataset); - - ISC_LIST_INIT(rdatalist->rdata); - - rdatalist->type = dns_rdatatype_aaaa; - rdatalist->covers = 0; - rdatalist->rdclass = client->message->rdclass; - rdatalist->ttl = 0; - - dns_name_clone(client->query.qname, tname); - - for (ai = ISC_LIST_HEAD(find->list); - ai != NULL; - ai = ISC_LIST_NEXT(ai, publink)) { - dns_rdata_t *rdata = NULL; - - struct sockaddr_in6 *sin6 = &ai->sockaddr.type.sin6; - /* - * Could it be useful to return IPv4 addresses as A records? - */ - if (sin6->sin6_family != AF_INET6) - continue; - - result = dns_message_gettemprdata(client->message, &rdata); - if (result != ISC_R_SUCCESS) - goto cleanup; - - rdata->data = (unsigned char *) &sin6->sin6_addr; - rdata->length = 16; - rdata->rdclass = client->message->rdclass; - rdata->type = dns_rdatatype_aaaa; - ISC_LIST_APPEND(rdatalist->rdata, rdata, link); - } - - dns_rdatalist_tordataset(rdatalist, rdataset); - - query_addrrset(client, &tname, &rdataset, NULL, NULL, - DNS_SECTION_ANSWER); - - cleanup: - if (tname != NULL) - dns_message_puttempname(client->message, &tname); - - if (rdataset != NULL) { - if (dns_rdataset_isassociated(rdataset)) - dns_rdataset_disassociate(rdataset); - dns_message_puttemprdataset(client->message, &rdataset); - } - - synth_finish(client, result); -} - -/* - * Finish synthetic IPv6 forward mapping processing. - */ -static void -synth_finish(ns_client_t *client, isc_result_t result) { - if (result == ISC_R_SUCCESS) - query_send(client); - else - query_error(client, result); - ns_client_detach(&client); -} - -static signed char ascii2hex[256] = { - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, -1, -1, -1, -1, -1, -1, - -1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 -}; - -/* - * Convert label 'i' of 'name' into its hexadecimal value, storing it - * in '*hexp'. If the label is not a valid hex nibble, return ISC_R_FAILURE. - */ -static isc_result_t -label2hex(dns_name_t *name, int i, int *hexp) { - isc_region_t label; - int hexval; - dns_name_getlabel(name, i, &label); - if (label.length != 2 || label.base[0] != '\001') - return (ISC_R_FAILURE); - hexval = ascii2hex[label.base[1]]; - if (hexval == -1) - return (ISC_R_FAILURE); - *hexp = hexval; - return (ISC_R_SUCCESS); -} - -/* - * Convert the ip6.int name 'name' into the corresponding IPv6 address - * in 'na'. - */ -static isc_result_t -nibbles2netaddr(dns_name_t *name, isc_netaddr_t *na) { - isc_result_t result; - struct in6_addr ina6; - unsigned char *addrdata = (unsigned char *) &ina6; - int i; - - for (i = 0; i < 16; i++) { - int hex0, hex1; - result = label2hex(name, 2 * i, &hex0); - if (result != ISC_R_SUCCESS) - return (result); - result = label2hex(name, 2 * i + 1, &hex1); - if (result != ISC_R_SUCCESS) - return (result); - addrdata[15-i] = (hex1 << 4) | hex0; - } - isc_netaddr_fromin6(na, &ina6); - return (ISC_R_SUCCESS); -} - -/* - * Generate a synthetic IPv6 reverse mapping response for the current - * query of 'client'. - */ -static void -synth_rev_start(ns_client_t *client) { - isc_result_t result; - dns_byaddr_t *byaddr_dummy = NULL; - - ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY, - ISC_LOG_DEBUG(5), "generating synthetic PTR response"); - - result = nibbles2netaddr(client->query.qname, &client->query.synth.na); - if (result != ISC_R_SUCCESS) { - result = DNS_R_NXDOMAIN; - goto cleanup; - } - - /* Try IP6.ARPA first. */ - result = dns_byaddr_create(client->mctx, - &client->query.synth.na, - client->view, - 0, client->task, - synth_rev_byaddrdone_arpa, - client, &byaddr_dummy); - if (result == ISC_R_SUCCESS) - return; /* Wait for completion event. */ - cleanup: - synth_finish(client, result); -} - -static void -synth_rev_byaddrdone_arpa(isc_task_t *task, isc_event_t *event) { - isc_result_t result; - dns_byaddrevent_t *bevent = (dns_byaddrevent_t *)event; - ns_client_t *client = event->ev_arg; - dns_byaddr_t *byaddr = event->ev_sender; - dns_byaddr_t *byaddr_dummy = NULL; - - UNUSED(task); - - if (bevent->result == ISC_R_SUCCESS) { - synth_rev_respond(client, bevent); - } else { - /* Try IP6.INT next. */ - result = dns_byaddr_create(client->mctx, - &client->query.synth.na, - client->view, - DNS_BYADDROPT_IPV6NIBBLE, - client->task, - synth_rev_byaddrdone_int, - client, &byaddr_dummy); - if (result != ISC_R_SUCCESS) - synth_finish(client, result); - } - dns_byaddr_destroy(&byaddr); - isc_event_free(&event); -} - -static void -synth_rev_byaddrdone_int(isc_task_t *task, isc_event_t *event) { - dns_byaddrevent_t *bevent = (dns_byaddrevent_t *)event; - ns_client_t *client = event->ev_arg; - dns_byaddr_t *byaddr = event->ev_sender; - - UNUSED(task); - - if (bevent->result == ISC_R_SUCCESS) { - synth_rev_respond(client, bevent); - } else if (bevent->result == DNS_R_NCACHENXDOMAIN || - bevent->result == DNS_R_NCACHENXRRSET || - bevent->result == DNS_R_NXDOMAIN || - bevent->result == DNS_R_NXRRSET) { - /* - * We could give a NOERROR/NODATA response instead - * in some cases, but since there may be any combination - * of NXDOMAIN and NXRRSET results from the IP6.INT - * and IP6.ARPA lookups, it could still be wrong with - * respect to one or the other. - */ - synth_finish(client, DNS_R_NXDOMAIN); - } else { - synth_finish(client, bevent->result); - } - isc_event_free(&event); - dns_byaddr_destroy(&byaddr); -} - -static void -synth_rev_respond(ns_client_t *client, dns_byaddrevent_t *bevent) { - isc_result_t result = ISC_R_SUCCESS; - dns_name_t *name; - - for (name = ISC_LIST_HEAD(bevent->names); - name != NULL; - name = ISC_LIST_NEXT(name, link)) - { - dns_name_t *tname = NULL; - - /* - * Get a temporary name 'tname' for insertion into the - * response message. - */ - result = dns_message_gettempname(client->message, &tname); - if (result != ISC_R_SUCCESS) - goto fail; - dns_name_init(tname, NULL); - - result = query_addcnamelike(client, client->query.qname, - name, 0 /* XXX ttl */, - &tname, dns_rdatatype_ptr); - if (tname != NULL) - dns_message_puttempname(client->message, &tname); - if (result != ISC_R_SUCCESS) - goto fail; - } - fail: - synth_finish(client, result); -} diff --git a/usr.sbin/bind/bin/named/server.c b/usr.sbin/bind/bin/named/server.c index e0449007e85..2c2e6b631f5 100644 --- a/usr.sbin/bind/bin/named/server.c +++ b/usr.sbin/bind/bin/named/server.c @@ -1,21 +1,21 @@ /* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: server.c,v 1.339.2.18 2003/09/19 13:40:42 marka Exp $ */ +/* $ISC: server.c,v 1.339.2.15.2.56 2004/06/18 04:39:48 marka Exp $ */ #include <config.h> @@ -28,6 +28,7 @@ #include <isc/file.h> #include <isc/hash.h> #include <isc/lex.h> +#include <isc/parseint.h> #include <isc/print.h> #include <isc/resource.h> #include <isc/stdio.h> @@ -36,9 +37,11 @@ #include <isc/timer.h> #include <isc/util.h> -#include <isccfg/cfg.h> -#include <isccfg/check.h> +#include <isccfg/namedconf.h> +#include <bind9/check.h> + +#include <dns/adb.h> #include <dns/cache.h> #include <dns/db.h> #include <dns/dispatch.h> @@ -46,11 +49,16 @@ #include <dns/journal.h> #include <dns/keytable.h> #include <dns/master.h> +#include <dns/masterdump.h> +#include <dns/order.h> #include <dns/peer.h> +#include <dns/portlist.h> #include <dns/rdataclass.h> +#include <dns/rdataset.h> #include <dns/rdatastruct.h> #include <dns/resolver.h> #include <dns/rootns.h> +#include <dns/secalg.h> #include <dns/stats.h> #include <dns/tkey.h> #include <dns/view.h> @@ -67,6 +75,7 @@ #include <named/log.h> #include <named/logconf.h> #include <named/lwresd.h> +#include <named/main.h> #include <named/os.h> #include <named/server.h> #include <named/tkeyconf.h> @@ -95,12 +104,58 @@ } \ } while (0) \ +#define CHECKMF(op, msg, file) \ + do { result = (op); \ + if (result != ISC_R_SUCCESS) { \ + isc_log_write(ns_g_lctx, \ + NS_LOGCATEGORY_GENERAL, \ + NS_LOGMODULE_SERVER, \ + ISC_LOG_ERROR, \ + "%s '%s': %s", msg, file, \ + isc_result_totext(result)); \ + goto cleanup; \ + } \ + } while (0) \ + #define CHECKFATAL(op, msg) \ do { result = (op); \ if (result != ISC_R_SUCCESS) \ fatal(msg, result); \ } while (0) \ +struct ns_dispatch { + isc_sockaddr_t addr; + unsigned int dispatchgen; + dns_dispatch_t *dispatch; + ISC_LINK(struct ns_dispatch) link; +}; + +struct dumpcontext { + isc_mem_t *mctx; + isc_boolean_t dumpcache; + isc_boolean_t dumpzones; + FILE *fp; + ISC_LIST(struct viewlistentry) viewlist; + struct viewlistentry *view; + struct zonelistentry *zone; + dns_dumpctx_t *mdctx; + dns_db_t *db; + dns_db_t *cache; + isc_task_t *task; + dns_dbversion_t *version; +}; + +struct viewlistentry { + dns_view_t *view; + ISC_LINK(struct viewlistentry) link; + ISC_LIST(struct zonelistentry) zonelist; +}; + +struct zonelistentry { + dns_zone_t *zone; + ISC_LINK(struct zonelistentry) link; +}; + static void fatal(const char *msg, isc_result_t result); @@ -121,10 +176,17 @@ configure_forward(cfg_obj_t *config, dns_view_t *view, dns_name_t *origin, cfg_obj_t *forwarders, cfg_obj_t *forwardtype); static isc_result_t +configure_alternates(cfg_obj_t *config, dns_view_t *view, + cfg_obj_t *alternates); + +static isc_result_t configure_zone(cfg_obj_t *config, cfg_obj_t *zconfig, cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view, ns_aclconfctx_t *aclconf); +static void +end_reserved_dispatches(ns_server_t *server, isc_boolean_t all); + /* * Configure a single view ACL at '*aclp'. Get its configuration by * calling 'getvcacl' (for per-view configuration) and maybe 'getscacl' @@ -146,7 +208,7 @@ configure_view_acl(cfg_obj_t *vconfig, cfg_obj_t *config, maps[i++] = cfg_tuple_get(vconfig, "options"); if (config != NULL) { cfg_obj_t *options = NULL; - cfg_map_get(config, "options", &options); + (void)cfg_map_get(config, "options", &options); if (options != NULL) maps[i++] = options; } @@ -164,13 +226,12 @@ configure_view_acl(cfg_obj_t *vconfig, cfg_obj_t *config, return (result); } -#ifdef ISC_RFC2535 static isc_result_t configure_view_dnsseckey(cfg_obj_t *vconfig, cfg_obj_t *key, dns_keytable_t *keytable, isc_mem_t *mctx) { dns_rdataclass_t viewclass; - dns_rdata_key_t keystruct; + dns_rdata_dnskey_t keystruct; isc_uint32_t flags, proto, alg; char *keystr, *keynamestr; unsigned char keydata[4096]; @@ -198,7 +259,7 @@ configure_view_dnsseckey(cfg_obj_t *vconfig, cfg_obj_t *key, &viewclass)); } keystruct.common.rdclass = viewclass; - keystruct.common.rdtype = dns_rdatatype_key; + keystruct.common.rdtype = dns_rdatatype_dnskey; /* * The key data in keystruct is not dynamically allocated. */ @@ -260,7 +321,6 @@ configure_view_dnsseckey(cfg_obj_t *vconfig, cfg_obj_t *key, return (result); } -#endif /* * Configure DNSSEC keys for a view. Currently used only for @@ -274,21 +334,15 @@ configure_view_dnsseckeys(cfg_obj_t *vconfig, cfg_obj_t *config, isc_mem_t *mctx, dns_keytable_t **target) { isc_result_t result; -#ifdef ISC_RFC2535 cfg_obj_t *keys = NULL; cfg_obj_t *voptions = NULL; cfg_listelt_t *element, *element2; cfg_obj_t *keylist; cfg_obj_t *key; -#endif dns_keytable_t *keytable = NULL; CHECK(dns_keytable_create(mctx, &keytable)); -#ifndef ISC_RFC2535 - UNUSED(vconfig); - UNUSED(config); -#else if (vconfig != NULL) voptions = cfg_tuple_get(vconfig, "options"); @@ -312,7 +366,7 @@ configure_view_dnsseckeys(cfg_obj_t *vconfig, cfg_obj_t *config, keytable, mctx)); } } -#endif + dns_keytable_detach(target); *target = keytable; /* Transfer ownership. */ keytable = NULL; @@ -322,6 +376,39 @@ configure_view_dnsseckeys(cfg_obj_t *vconfig, cfg_obj_t *config, return (result); } +static isc_result_t +mustbesecure(cfg_obj_t *mbs, dns_resolver_t *resolver) +{ + cfg_listelt_t *element; + cfg_obj_t *obj; + const char *str; + dns_fixedname_t fixed; + dns_name_t *name; + isc_boolean_t value; + isc_result_t result; + isc_buffer_t b; + + dns_fixedname_init(&fixed); + name = dns_fixedname_name(&fixed); + for (element = cfg_list_first(mbs); + element != NULL; + element = cfg_list_next(element)) + { + obj = cfg_listelt_value(element); + str = cfg_obj_asstring(cfg_tuple_get(obj, "name")); + isc_buffer_init(&b, str, strlen(str)); + isc_buffer_add(&b, strlen(str)); + CHECK(dns_name_fromtext(name, &b, dns_rootname, + ISC_FALSE, NULL)); + value = cfg_obj_asboolean(cfg_tuple_get(obj, "value")); + CHECK(dns_resolver_setmustbesecure(resolver, name, value)); + } + + result = ISC_R_SUCCESS; + + cleanup: + return (result); +} /* * Get a dispatch appropriate for the resolver of a given view. @@ -426,6 +513,56 @@ get_view_querysource_dispatch(cfg_obj_t **maps, } static isc_result_t +configure_order(dns_order_t *order, cfg_obj_t *ent) { + dns_rdataclass_t rdclass; + dns_rdatatype_t rdtype; + cfg_obj_t *obj; + dns_fixedname_t fixed; + unsigned int mode = 0; + const char *str; + isc_buffer_t b; + isc_result_t result; + + result = ns_config_getclass(cfg_tuple_get(ent, "class"), + dns_rdataclass_any, &rdclass); + if (result != ISC_R_SUCCESS) + return (result); + + result = ns_config_gettype(cfg_tuple_get(ent, "type"), + dns_rdatatype_any, &rdtype); + if (result != ISC_R_SUCCESS) + return (result); + + obj = cfg_tuple_get(ent, "name"); + if (cfg_obj_isstring(obj)) + str = cfg_obj_asstring(obj); + else + str = "*"; + isc_buffer_init(&b, str, strlen(str)); + isc_buffer_add(&b, strlen(str)); + dns_fixedname_init(&fixed); + result = dns_name_fromtext(dns_fixedname_name(&fixed), &b, + dns_rootname, ISC_FALSE, NULL); + if (result != ISC_R_SUCCESS) + return (result); + + obj = cfg_tuple_get(ent, "ordering"); + INSIST(cfg_obj_isstring(obj)); + str = cfg_obj_asstring(obj); + if (!strcasecmp(str, "fixed")) + mode = DNS_RDATASETATTR_FIXEDORDER; + else if (!strcasecmp(str, "random")) + mode = DNS_RDATASETATTR_RANDOMIZE; + else if (!strcasecmp(str, "cyclic")) + mode = 0; + else + INSIST(0); + + return (dns_order_add(order, dns_fixedname_name(&fixed), + rdtype, rdclass, mode)); +} + +static isc_result_t configure_peer(cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) { isc_sockaddr_t *sa; isc_netaddr_t na; @@ -445,36 +582,38 @@ configure_peer(cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) { obj = NULL; (void)cfg_map_get(cpeer, "bogus", &obj); if (obj != NULL) - dns_peer_setbogus(peer, cfg_obj_asboolean(obj)); + CHECK(dns_peer_setbogus(peer, cfg_obj_asboolean(obj))); obj = NULL; (void)cfg_map_get(cpeer, "provide-ixfr", &obj); if (obj != NULL) - dns_peer_setprovideixfr(peer, cfg_obj_asboolean(obj)); + CHECK(dns_peer_setprovideixfr(peer, cfg_obj_asboolean(obj))); obj = NULL; (void)cfg_map_get(cpeer, "request-ixfr", &obj); if (obj != NULL) - dns_peer_setrequestixfr(peer, cfg_obj_asboolean(obj)); + CHECK(dns_peer_setrequestixfr(peer, cfg_obj_asboolean(obj))); obj = NULL; (void)cfg_map_get(cpeer, "edns", &obj); if (obj != NULL) - dns_peer_setsupportedns(peer, cfg_obj_asboolean(obj)); + CHECK(dns_peer_setsupportedns(peer, cfg_obj_asboolean(obj))); obj = NULL; (void)cfg_map_get(cpeer, "transfers", &obj); if (obj != NULL) - dns_peer_settransfers(peer, cfg_obj_asuint32(obj)); + CHECK(dns_peer_settransfers(peer, cfg_obj_asuint32(obj))); obj = NULL; (void)cfg_map_get(cpeer, "transfer-format", &obj); if (obj != NULL) { str = cfg_obj_asstring(obj); if (strcasecmp(str, "many-answers") == 0) - dns_peer_settransferformat(peer, dns_many_answers); + CHECK(dns_peer_settransferformat(peer, + dns_many_answers)); else if (strcasecmp(str, "one-answer") == 0) - dns_peer_settransferformat(peer, dns_one_answer); + CHECK(dns_peer_settransferformat(peer, + dns_one_answer)); else INSIST(0); } @@ -486,6 +625,18 @@ configure_peer(cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) { if (result != ISC_R_SUCCESS) goto cleanup; } + + obj = NULL; + if (isc_sockaddr_pf(sa) == AF_INET) + (void)cfg_map_get(cpeer, "transfer-source", &obj); + else + (void)cfg_map_get(cpeer, "transfer-source-v6", &obj); + if (obj != NULL) { + result = dns_peer_settransfersource(peer, + cfg_obj_assockaddr(obj)); + if (result != ISC_R_SUCCESS) + goto cleanup; + } *peerp = peer; return (ISC_R_SUCCESS); @@ -494,6 +645,52 @@ configure_peer(cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) { return (result); } +static isc_result_t +disable_algorithms(cfg_obj_t *disabled, dns_resolver_t *resolver) { + isc_result_t result; + cfg_obj_t *algorithms; + cfg_listelt_t *element; + const char *str; + dns_fixedname_t fixed; + dns_name_t *name; + isc_buffer_t b; + + dns_fixedname_init(&fixed); + name = dns_fixedname_name(&fixed); + str = cfg_obj_asstring(cfg_tuple_get(disabled, "name")); + isc_buffer_init(&b, str, strlen(str)); + isc_buffer_add(&b, strlen(str)); + CHECK(dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL)); + + algorithms = cfg_tuple_get(disabled, "algorithms"); + for (element = cfg_list_first(algorithms); + element != NULL; + element = cfg_list_next(element)) + { + isc_textregion_t r; + dns_secalg_t alg; + + r.base = cfg_obj_asstring(cfg_listelt_value(element)); + r.length = strlen(r.base); + + result = dns_secalg_fromtext(&alg, &r); + if (result != ISC_R_SUCCESS) { + isc_uint8_t ui; + result = isc_parse_uint8(&ui, r.base, 10); + alg = ui; + } + if (result != ISC_R_SUCCESS) { + cfg_obj_log(cfg_listelt_value(element), + ns_g_lctx, ISC_LOG_ERROR, + "invalid algorithm"); + CHECK(result); + } + CHECK(dns_resolver_disable_algorithm(resolver, name, alg)); + } + cleanup: + return (result); +} + /* * Configure 'view' according to 'vconfig', taking defaults from 'config' * where values are missing in 'vconfig'. @@ -503,7 +700,8 @@ configure_peer(cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) { */ static isc_result_t configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, - isc_mem_t *mctx, ns_aclconfctx_t *actx) + isc_mem_t *mctx, ns_aclconfctx_t *actx, + isc_boolean_t need_hints) { cfg_obj_t *maps[4]; cfg_obj_t *cfgmaps[3]; @@ -511,12 +709,15 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_t *voptions = NULL; cfg_obj_t *forwardtype; cfg_obj_t *forwarders; + cfg_obj_t *alternates; cfg_obj_t *zonelist; + cfg_obj_t *disabled; cfg_obj_t *obj; cfg_listelt_t *element; in_port_t port; dns_cache_t *cache = NULL; isc_result_t result; + isc_uint32_t max_adb_size; isc_uint32_t max_cache_size; isc_uint32_t lame_ttl; dns_tsig_keyring_t *ring; @@ -526,14 +727,17 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, dns_dispatch_t *dispatch6 = NULL; isc_boolean_t reused_cache = ISC_FALSE; int i; - char *str; + const char *str; + dns_order_t *order = NULL; + isc_uint32_t udpsize; + unsigned int check = 0; REQUIRE(DNS_VIEW_VALID(view)); cmctx = NULL; if (config != NULL) - cfg_map_get(config, "options", &options); + (void)cfg_map_get(config, "options", &options); i = 0; if (vconfig != NULL) { @@ -552,7 +756,6 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, cfgmaps[i++] = config; cfgmaps[i] = NULL; - /* * Set the view's port number for outgoing queries. */ @@ -615,8 +818,8 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, */ obj = NULL; result = ns_config_get(maps, "cache-file", &obj); - if (result == ISC_R_SUCCESS) { - dns_cache_setfilename(cache, cfg_obj_asstring(obj)); + if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") != 0) { + CHECK(dns_cache_setfilename(cache, cfg_obj_asstring(obj))); if (!reused_cache) CHECK(dns_cache_load(cache)); } @@ -651,20 +854,55 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, dns_cache_detach(&cache); /* + * Check-names. + */ + obj = NULL; + result = ns_checknames_get(maps, "response", &obj); + INSIST(result == ISC_R_SUCCESS); + + str = cfg_obj_asstring(obj); + if (strcasecmp(str, "fail") == 0) { + check = DNS_RESOLVER_CHECKNAMES | + DNS_RESOLVER_CHECKNAMESFAIL; + view->checknames = ISC_TRUE; + } else if (strcasecmp(str, "warn") == 0) { + check = DNS_RESOLVER_CHECKNAMES; + view->checknames = ISC_FALSE; + } else if (strcasecmp(str, "ignore") == 0) { + check = 0; + view->checknames = ISC_FALSE; + } else + INSIST(0); + + /* * Resolver. * * XXXRTH Hardwired number of tasks. */ CHECK(get_view_querysource_dispatch(maps, AF_INET, &dispatch4)); CHECK(get_view_querysource_dispatch(maps, AF_INET6, &dispatch6)); + if (dispatch4 == NULL && dispatch6 == NULL) { + UNEXPECTED_ERROR(__FILE__, __LINE__, + "unable to obtain neither an IPv4 nor" + " an IPv6 dispatch"); + result = ISC_R_UNEXPECTED; + goto cleanup; + } CHECK(dns_view_createresolver(view, ns_g_taskmgr, 31, ns_g_socketmgr, ns_g_timermgr, - 0, ns_g_dispatchmgr, + check, ns_g_dispatchmgr, dispatch4, dispatch6)); - if (dispatch4 != NULL) - dns_dispatch_detach(&dispatch4); - if (dispatch6 != NULL) - dns_dispatch_detach(&dispatch6); + + /* + * Set the ADB cache size to 1/8th of the max-cache-size. + */ + max_adb_size = 0; + if (max_cache_size != 0) { + max_adb_size = max_cache_size / 8; + if (max_adb_size == 0) + max_adb_size = 1; /* Force minimum. */ + } + dns_adb_setadbsize(view->adb, max_adb_size); /* * Set resolver's lame-ttl. @@ -678,6 +916,33 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, dns_resolver_setlamettl(view->resolver, lame_ttl); /* + * Set the resolver's EDNS UDP size. + */ + obj = NULL; + result = ns_config_get(maps, "edns-udp-size", &obj); + INSIST(result == ISC_R_SUCCESS); + udpsize = cfg_obj_asuint32(obj); + if (udpsize < 512) + udpsize = 512; + if (udpsize > 4096) + udpsize = 4096; + dns_resolver_setudpsize(view->resolver, (isc_uint16_t)udpsize); + + /* + * Set supported DNSSEC algorithms. + */ + dns_resolver_reset_algorithms(view->resolver); + disabled = NULL; + (void)ns_config_get(maps, "disable-algorithms", &disabled); + if (disabled != NULL) { + for (element = cfg_list_first(disabled); + element != NULL; + element = cfg_list_next(element)) + CHECK(disable_algorithms(cfg_listelt_value(element), + view->resolver)); + } + + /* * A global or view "forwarders" option, if present, * creates an entry for "." in the forwarding table. */ @@ -690,6 +955,14 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, forwarders, forwardtype)); /* + * Dual Stack Servers. + */ + alternates = NULL; + (void)ns_config_get(maps, "dual-stack-servers", &alternates); + if (alternates != NULL) + CHECK(configure_alternates(config, view, alternates)); + + /* * We have default hints for class IN if we need them. */ if (view->rdclass == dns_rdataclass_in && view->hints == NULL) @@ -699,20 +972,21 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, * If we still have no hints, this is a non-IN view with no * "hints zone" configured. Issue a warning, except if this * is a root server. Root servers never need to consult - * their hints, so it's no point requireing users to configure + * their hints, so it's no point requiring users to configure * them. */ if (view->hints == NULL) { dns_zone_t *rootzone = NULL; - dns_view_findzone(view, dns_rootname, &rootzone); + (void)dns_view_findzone(view, dns_rootname, &rootzone); if (rootzone != NULL) { dns_zone_detach(&rootzone); - } else { + need_hints = ISC_FALSE; + } + if (need_hints) isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_WARNING, "no root hints for view '%s'", view->name); - } } /* @@ -748,6 +1022,28 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, } /* + * Configure the views rrset-order. + */ + { + cfg_obj_t *rrsetorder = NULL; + cfg_listelt_t *element; + + (void)ns_config_get(maps, "rrset-order", &rrsetorder); + CHECK(dns_order_create(mctx, &order)); + for (element = cfg_list_first(rrsetorder); + element != NULL; + element = cfg_list_next(element)) + { + cfg_obj_t *ent = cfg_listelt_value(element); + + CHECK(configure_order(order, ent)); + } + if (view->order != NULL) + dns_order_detach(&view->order); + dns_order_attach(order, &view->order); + dns_order_detach(&order); + } + /* * Copy the aclenv object. */ dns_aclenv_copy(&view->aclenv, &ns_g_server->aclenv); @@ -828,11 +1124,31 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, CHECK(configure_view_acl(vconfig, config, "allow-query", actx, ns_g_mctx, &view->queryacl)); - CHECK(configure_view_acl(vconfig, config, "allow-recursion", - actx, ns_g_mctx, &view->recursionacl)); + if (strcmp(view->name, "_bind") != 0) + CHECK(configure_view_acl(vconfig, config, "allow-recursion", + actx, ns_g_mctx, &view->recursionacl)); - CHECK(configure_view_acl(vconfig, config, "allow-v6-synthesis", - actx, ns_g_mctx, &view->v6synthesisacl)); + /* + * Warning if both "recursion no;" and allow-recursion are active + * except for "allow-recursion { none; };". + */ + if (!view->recursion && view->recursionacl != NULL && + (view->recursionacl->length != 1 || + view->recursionacl->elements[0].type != dns_aclelementtype_any || + view->recursionacl->elements[0].negative != ISC_TRUE)) { + const char *forview = " for view "; + const char *viewname = view->name; + + if (!strcmp(view->name, "_bind") || + !strcmp(view->name, "_default")) { + forview = ""; + viewname = ""; + } + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_SERVER, ISC_LOG_WARNING, + "both \"recursion no;\" and \"allow-recursion\" " + "active%s%s", forview, viewname); + } CHECK(configure_view_acl(vconfig, config, "sortlist", actx, ns_g_mctx, &view->sortlist)); @@ -846,13 +1162,67 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, result = ns_config_get(maps, "provide-ixfr", &obj); INSIST(result == ISC_R_SUCCESS); view->provideixfr = cfg_obj_asboolean(obj); + + obj = NULL; + result = ns_config_get(maps, "dnssec-enable", &obj); + INSIST(result == ISC_R_SUCCESS); + view->enablednssec = cfg_obj_asboolean(obj); + + obj = NULL; + result = ns_config_get(maps, "dnssec-lookaside", &obj); + if (result == ISC_R_SUCCESS) { + for (element = cfg_list_first(obj); + element != NULL; + element = cfg_list_next(element)) + { + const char *str; + isc_buffer_t b; + dns_name_t *dlv; + + obj = cfg_listelt_value(element); +#if 0 + dns_fixedname_t fixed; + dns_name_t *name; + + /* + * When we support multiple dnssec-lookaside + * entries this is how to find the domain to be + * checked. XXXMPA + */ + dns_fixedname_init(&fixed); + name = dns_fixedname_name(&fixed); + str = cfg_obj_asstring(cfg_tuple_get(obj, + "domain")); + isc_buffer_init(&b, str, strlen(str)); + isc_buffer_add(&b, strlen(str)); + CHECK(dns_name_fromtext(name, &b, dns_rootname, + ISC_TRUE, NULL)); +#endif + str = cfg_obj_asstring(cfg_tuple_get(obj, + "trust-anchor")); + isc_buffer_init(&b, str, strlen(str)); + isc_buffer_add(&b, strlen(str)); + dlv = dns_fixedname_name(&view->dlv_fixed); + CHECK(dns_name_fromtext(dlv, &b, dns_rootname, + ISC_TRUE, NULL)); + view->dlv = dns_fixedname_name(&view->dlv_fixed); + } + } else + view->dlv = NULL; /* * For now, there is only one kind of trusted keys, the * "security roots". */ - CHECK(configure_view_dnsseckeys(vconfig, config, mctx, - &view->secroots)); + if (view->enablednssec) { + CHECK(configure_view_dnsseckeys(vconfig, config, mctx, + &view->secroots)); + dns_resolver_resetmustbesecure(view->resolver); + obj = NULL; + result = ns_config_get(maps, "dnssec-must-be-secure", &obj); + if (result == ISC_R_SUCCESS) + CHECK(mustbesecure(obj, view->resolver)); + } obj = NULL; result = ns_config_get(maps, "max-cache-ttl", &obj); @@ -867,6 +1237,19 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, view->maxncachettl = 7 * 24 * 3600; obj = NULL; + result = ns_config_get(maps, "preferred-glue", &obj); + if (result == ISC_R_SUCCESS) { + str = cfg_obj_asstring(obj); + if (strcasecmp(str, "a") == 0) + view->preferred_glue = dns_rdatatype_a; + else if (strcasecmp(str, "aaaa") == 0) + view->preferred_glue = dns_rdatatype_aaaa; + else + view->preferred_glue = 0; + } else + view->preferred_glue = 0; + + obj = NULL; result = ns_config_get(maps, "root-delegation-only", &obj); if (result == ISC_R_SUCCESS) { dns_view_setrootdelonly(view, ISC_TRUE); @@ -898,6 +1281,12 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, result = ISC_R_SUCCESS; cleanup: + if (dispatch4 != NULL) + dns_dispatch_detach(&dispatch4); + if (dispatch6 != NULL) + dns_dispatch_detach(&dispatch6); + if (order != NULL) + dns_order_detach(&order); if (cmctx != NULL) isc_mem_detach(&cmctx); @@ -907,231 +1296,103 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, return (result); } -/* - * Create the special view that handles queries under "bind. CH". - */ static isc_result_t -create_bind_view(dns_view_t **viewp) { - isc_result_t result; - dns_view_t *view = NULL; - - REQUIRE(viewp != NULL && *viewp == NULL); - - CHECK(dns_view_create(ns_g_mctx, dns_rdataclass_ch, "_bind", &view)); - - /* Transfer ownership. */ - *viewp = view; - view = NULL; - - result = ISC_R_SUCCESS; - - cleanup: - if (view != NULL) - dns_view_detach(&view); - - return (result); -} - -/* - * Create the zone that handles queries for "version.bind. CH". The - * version string is returned either from the "version" configuration - * option or the global defaults. - */ -static isc_result_t -create_version_zone(cfg_obj_t **maps, dns_zonemgr_t *zmgr, dns_view_t *view) { +configure_hints(dns_view_t *view, const char *filename) { isc_result_t result; - dns_db_t *db = NULL; - dns_zone_t *zone = NULL; - dns_dbversion_t *dbver = NULL; - dns_difftuple_t *tuple = NULL; - dns_diff_t diff; - char *versiontext; - unsigned char buf[256]; - isc_region_t r; - size_t len; - dns_rdata_t rdata = DNS_RDATA_INIT; - static unsigned char origindata[] = "\007version\004bind"; - dns_name_t origin; - cfg_obj_t *obj = NULL; - dns_acl_t *acl = NULL; - - dns_diff_init(ns_g_mctx, &diff); - - dns_name_init(&origin, NULL); - r.base = origindata; - r.length = sizeof(origindata); - dns_name_fromregion(&origin, &r); - - result = ns_config_get(maps, "version", &obj); - INSIST(result == ISC_R_SUCCESS); - versiontext = cfg_obj_asstring(obj); - len = strlen(versiontext); - if (len > 255U) - len = 255; /* Silently truncate. */ - buf[0] = len; - memcpy(buf + 1, versiontext, len); - - r.base = buf; - r.length = 1 + len; - dns_rdata_fromregion(&rdata, dns_rdataclass_ch, dns_rdatatype_txt, &r); - - CHECK(dns_zone_create(&zone, ns_g_mctx)); - CHECK(dns_zone_setorigin(zone, &origin)); - dns_zone_settype(zone, dns_zone_master); - dns_zone_setclass(zone, dns_rdataclass_ch); - /* Transfers don't work so deny them. */ - CHECK(dns_acl_none(ns_g_mctx, &acl)); - dns_zone_setxfracl(zone, acl); - dns_acl_detach(&acl); - dns_zone_setview(zone, view); - - CHECK(dns_zonemgr_managezone(zmgr, zone)); - - CHECK(dns_db_create(ns_g_mctx, "rbt", &origin, dns_dbtype_zone, - dns_rdataclass_ch, 0, NULL, &db)); - - CHECK(dns_db_newversion(db, &dbver)); - - CHECK(dns_difftuple_create(ns_g_mctx, DNS_DIFFOP_ADD, &origin, - 0, &rdata, &tuple)); - dns_diff_append(&diff, &tuple); - CHECK(dns_diff_apply(&diff, db, dbver)); - - dns_db_closeversion(db, &dbver, ISC_TRUE); - - CHECK(dns_zone_replacedb(zone, db, ISC_FALSE)); - - CHECK(dns_view_addzone(view, zone)); - - result = ISC_R_SUCCESS; + dns_db_t *db; - cleanup: - if (zone != NULL) - dns_zone_detach(&zone); - if (dbver != NULL) - dns_db_closeversion(db, &dbver, ISC_FALSE); - if (db != NULL) + db = NULL; + result = dns_rootns_create(view->mctx, view->rdclass, filename, &db); + if (result == ISC_R_SUCCESS) { + dns_view_sethints(view, db); dns_db_detach(&db); - dns_diff_clear(&diff); + } return (result); } -/* - * Create the special zone that handles queries for "authors.bind. CH". - * The strings returned list the BIND 9 authors. - */ static isc_result_t -create_authors_zone(cfg_obj_t *options, dns_zonemgr_t *zmgr, dns_view_t *view) +configure_alternates(cfg_obj_t *config, dns_view_t *view, + cfg_obj_t *alternates) { - isc_result_t result; - dns_db_t *db = NULL; - dns_zone_t *zone = NULL; - dns_dbversion_t *dbver = NULL; - dns_difftuple_t *tuple; - dns_diff_t diff; - isc_constregion_t r; - isc_constregion_t cr; - dns_rdata_t rdata = DNS_RDATA_INIT; - static const char origindata[] = "\007authors\004bind"; - dns_name_t origin; - int i; - static const char *authors[] = { - "\014Mark Andrews", - "\015James Brister", - "\014Ben Cottrell", - "\015Michael Graff", - "\022Andreas Gustafsson", - "\012Bob Halley", - "\016David Lawrence", - "\013Danny Mayer", - "\013Damien Neil", - "\013Matt Nelson", - "\016Michael Sawyer", - "\020Brian Wellington", - NULL, - }; - cfg_obj_t *obj = NULL; - dns_acl_t *acl = NULL; + cfg_obj_t *portobj; + cfg_obj_t *addresses; + cfg_listelt_t *element; + isc_result_t result = ISC_R_SUCCESS; + in_port_t port; /* - * If a version string is specified, disable the authors.bind zone. + * Determine which port to send requests to. */ - if (options != NULL && - cfg_map_get(options, "version", &obj) == ISC_R_SUCCESS) - return (ISC_R_SUCCESS); - - dns_diff_init(ns_g_mctx, &diff); - - dns_name_init(&origin, NULL); - r.base = origindata; - r.length = sizeof(origindata); - dns_name_fromregion(&origin, (isc_region_t *)&r); - - CHECK(dns_zone_create(&zone, ns_g_mctx)); - CHECK(dns_zone_setorigin(zone, &origin)); - dns_zone_settype(zone, dns_zone_master); - dns_zone_setclass(zone, dns_rdataclass_ch); - /* Transfers don't work so deny them. */ - CHECK(dns_acl_none(ns_g_mctx, &acl)); - dns_zone_setxfracl(zone, acl); - dns_acl_detach(&acl); - dns_zone_setview(zone, view); - - CHECK(dns_zonemgr_managezone(zmgr, zone)); - - CHECK(dns_db_create(ns_g_mctx, "rbt", &origin, dns_dbtype_zone, - dns_rdataclass_ch, 0, NULL, &db)); - - CHECK(dns_db_newversion(db, &dbver)); + if (ns_g_lwresdonly && ns_g_port != 0) + port = ns_g_port; + else + CHECKM(ns_config_getport(config, &port), "port"); - for (i = 0; authors[i] != NULL; i++) { - cr.base = authors[i]; - cr.length = strlen(authors[i]); - INSIST(cr.length == ((const unsigned char *)cr.base)[0] + 1U); - dns_rdata_fromregion(&rdata, dns_rdataclass_ch, - dns_rdatatype_txt, (isc_region_t *)&cr); - tuple = NULL; - CHECK(dns_difftuple_create(ns_g_mctx, DNS_DIFFOP_ADD, &origin, - 0, &rdata, &tuple)); - dns_diff_append(&diff, &tuple); - dns_rdata_reset(&rdata); + if (alternates != NULL) { + portobj = cfg_tuple_get(alternates, "port"); + if (cfg_obj_isuint32(portobj)) { + isc_uint32_t val = cfg_obj_asuint32(portobj); + if (val > ISC_UINT16_MAX) { + cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR, + "port '%u' out of range", val); + return (ISC_R_RANGE); + } + port = (in_port_t) val; + } } - CHECK(dns_diff_apply(&diff, db, dbver)); - - dns_db_closeversion(db, &dbver, ISC_TRUE); + addresses = NULL; + if (alternates != NULL) + addresses = cfg_tuple_get(alternates, "addresses"); - CHECK(dns_zone_replacedb(zone, db, ISC_FALSE)); - - CHECK(dns_view_addzone(view, zone)); - - result = ISC_R_SUCCESS; - - cleanup: - if (zone != NULL) - dns_zone_detach(&zone); - if (dbver != NULL) - dns_db_closeversion(db, &dbver, ISC_FALSE); - if (db != NULL) - dns_db_detach(&db); - dns_diff_clear(&diff); + for (element = cfg_list_first(addresses); + element != NULL; + element = cfg_list_next(element)) + { + cfg_obj_t *alternate = cfg_listelt_value(element); + isc_sockaddr_t sa; - return (result); -} + if (!cfg_obj_issockaddr(alternate)) { + dns_fixedname_t fixed; + dns_name_t *name; + char *str = cfg_obj_asstring(cfg_tuple_get(alternate, + "name")); + isc_buffer_t buffer; + in_port_t myport = port; -static isc_result_t -configure_hints(dns_view_t *view, const char *filename) { - isc_result_t result; - dns_db_t *db; + isc_buffer_init(&buffer, str, strlen(str)); + isc_buffer_add(&buffer, strlen(str)); + dns_fixedname_init(&fixed); + name = dns_fixedname_name(&fixed); + CHECK(dns_name_fromtext(name, &buffer, dns_rootname, + ISC_FALSE, NULL)); + + portobj = cfg_tuple_get(alternate, "port"); + if (cfg_obj_isuint32(portobj)) { + isc_uint32_t val = cfg_obj_asuint32(portobj); + if (val > ISC_UINT16_MAX) { + cfg_obj_log(portobj, ns_g_lctx, + ISC_LOG_ERROR, + "port '%u' out of range", + val); + return (ISC_R_RANGE); + } + myport = (in_port_t) val; + } + CHECK(dns_resolver_addalternate(view->resolver, NULL, + name, myport)); + continue; + } - db = NULL; - result = dns_rootns_create(view->mctx, view->rdclass, filename, &db); - if (result == ISC_R_SUCCESS) { - dns_view_sethints(view, db); - dns_db_detach(&db); + sa = *cfg_obj_assockaddr(alternate); + if (isc_sockaddr_getport(&sa) == 0) + isc_sockaddr_setport(&sa, port); + CHECK(dns_resolver_addalternate(view->resolver, &sa, + NULL, 0)); } + cleanup: return (result); } @@ -1422,6 +1683,8 @@ configure_zone(cfg_obj_t *config, cfg_obj_t *zconfig, cfg_obj_t *vconfig, /* * We already have this zone! */ + cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR, + "zone '%s' already exists", zname); dns_zone_detach(&dupzone); result = ISC_R_EXISTS; goto cleanup; @@ -1476,7 +1739,7 @@ configure_zone(cfg_obj_t *config, cfg_obj_t *zconfig, cfg_obj_t *vconfig, if (cfg_map_get(zoptions, "forwarders", &forwarders) == ISC_R_SUCCESS) { forwardtype = NULL; - cfg_map_get(zoptions, "forward", &forwardtype); + (void)cfg_map_get(zoptions, "forward", &forwardtype); CHECK(configure_forward(config, view, origin, forwarders, forwardtype)); } @@ -1574,13 +1837,137 @@ scan_interfaces(ns_server_t *server, isc_boolean_t verbose) { server->aclenv.match_mapped = match_mapped; } +static isc_result_t +add_listenelt(isc_mem_t *mctx, ns_listenlist_t *list, isc_sockaddr_t *addr) { + ns_listenelt_t *lelt = NULL; + dns_acl_t *src_acl = NULL; + dns_aclelement_t aelt; + isc_result_t result; + isc_sockaddr_t any_sa6; + + REQUIRE(isc_sockaddr_pf(addr) == AF_INET6); + + isc_sockaddr_any6(&any_sa6); + if (!isc_sockaddr_equal(&any_sa6, addr)) { + aelt.type = dns_aclelementtype_ipprefix; + aelt.negative = ISC_FALSE; + aelt.u.ip_prefix.prefixlen = 128; + isc_netaddr_fromin6(&aelt.u.ip_prefix.address, + &addr->type.sin6.sin6_addr); + + result = dns_acl_create(mctx, 1, &src_acl); + if (result != ISC_R_SUCCESS) + return (result); + result = dns_acl_appendelement(src_acl, &aelt); + if (result != ISC_R_SUCCESS) + goto clean; + + result = ns_listenelt_create(mctx, isc_sockaddr_getport(addr), + src_acl, &lelt); + if (result != ISC_R_SUCCESS) + goto clean; + ISC_LIST_APPEND(list->elts, lelt, link); + } + + return (ISC_R_SUCCESS); + + clean: + INSIST(lelt == NULL); + if (src_acl != NULL) + dns_acl_detach(&src_acl); + + return (result); +} + +/* + * Make a list of xxx-source addresses and call ns_interfacemgr_adjust() + * to update the listening interfaces accordingly. + * We currently only consider IPv6, because this only affects IPv6 wildcard + * sockets. + */ +static void +adjust_interfaces(ns_server_t *server, isc_mem_t *mctx) { + isc_result_t result; + ns_listenlist_t *list = NULL; + dns_view_t *view; + dns_zone_t *zone, *next; + isc_sockaddr_t addr, *addrp; + + result = ns_listenlist_create(mctx, &list); + if (result != ISC_R_SUCCESS) + return; + + for (view = ISC_LIST_HEAD(server->viewlist); + view != NULL; + view = ISC_LIST_NEXT(view, link)) { + dns_dispatch_t *dispatch6; + + dispatch6 = dns_resolver_dispatchv6(view->resolver); + INSIST(dispatch6 != NULL); + result = dns_dispatch_getlocaladdress(dispatch6, &addr); + if (result != ISC_R_SUCCESS) + goto fail; + result = add_listenelt(mctx, list, &addr); + if (result != ISC_R_SUCCESS) + goto fail; + } + + zone = NULL; + for (result = dns_zone_first(server->zonemgr, &zone); + result == ISC_R_SUCCESS; + next = NULL, result = dns_zone_next(zone, &next), zone = next) { + dns_view_t *zoneview; + + /* + * At this point the zone list may contain a stale zone + * just removed from the configuration. To see the validity, + * check if the corresponding view is in our current view list. + */ + zoneview = dns_zone_getview(zone); + INSIST(zoneview != NULL); + for (view = ISC_LIST_HEAD(server->viewlist); + view != NULL && view != zoneview; + view = ISC_LIST_NEXT(view, link)) + ; + if (view == NULL) + continue; + + addrp = dns_zone_getnotifysrc6(zone); + result = add_listenelt(mctx, list, addrp); + if (result != ISC_R_SUCCESS) + goto fail; + + addrp = dns_zone_getxfrsource6(zone); + result = add_listenelt(mctx, list, addrp); + if (result != ISC_R_SUCCESS) + goto fail; + } + + ns_interfacemgr_adjust(server->interfacemgr, list, ISC_TRUE); + + clean: + ns_listenlist_detach(&list); + return; + + fail: + /* + * Even when we failed the procedure, most of other interfaces + * should work correctly. We therefore just warn it. + */ + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_SERVER, ISC_LOG_WARNING, + "could not adjust the listen-on list; " + "some interfaces may not work"); + goto clean; +} + /* * This event callback is invoked to do periodic network * interface scanning. */ static void interface_timer_tick(isc_task_t *task, isc_event_t *event) { - isc_result_t result; + isc_result_t result; ns_server_t *server = (ns_server_t *) event->ev_arg; INSIST(task == server->task); UNUSED(task); @@ -1592,7 +1979,7 @@ interface_timer_tick(isc_task_t *task, isc_event_t *event) { result = isc_task_beginexclusive(server->task); RUNTIME_CHECK(result == ISC_R_SUCCESS); scan_interfaces(server, ISC_FALSE); - isc_task_endexclusive(server->task); + isc_task_endexclusive(server->task); } static void @@ -1609,34 +1996,41 @@ heartbeat_timer_tick(isc_task_t *task, isc_event_t *event) { } } +/* + * Replace the current value of '*field', a dynamically allocated + * string or NULL, with a dynamically allocated copy of the + * null-terminated string pointed to by 'value', or NULL. + */ static isc_result_t -setstatsfile(ns_server_t *server, const char *name) { - char *p; +setstring(ns_server_t *server, char **field, const char *value) { + char *copy; - REQUIRE(name != NULL); + if (value != NULL) { + copy = isc_mem_strdup(server->mctx, value); + if (copy == NULL) + return (ISC_R_NOMEMORY); + } else { + copy = NULL; + } - p = isc_mem_strdup(server->mctx, name); - if (p == NULL) - return (ISC_R_NOMEMORY); - if (server->statsfile != NULL) - isc_mem_free(server->mctx, server->statsfile); - server->statsfile = p; + if (*field != NULL) + isc_mem_free(server->mctx, *field); + + *field = copy; return (ISC_R_SUCCESS); -} +} +/* + * Replace the current value of '*field', a dynamically allocated + * string or NULL, with another dynamically allocated string + * or NULL if whether 'obj' is a string or void value, respectively. + */ static isc_result_t -setdumpfile(ns_server_t *server, const char *name) { - char *p; - - REQUIRE(name != NULL); - - p = isc_mem_strdup(server->mctx, name); - if (p == NULL) - return (ISC_R_NOMEMORY); - if (server->dumpfile != NULL) - isc_mem_free(server->mctx, server->dumpfile); - server->dumpfile = p; - return (ISC_R_SUCCESS); +setoptstring(ns_server_t *server, char **field, cfg_obj_t *obj) { + if (cfg_obj_isvoid(obj)) + return (setstring(server, field, NULL)); + else + return (setstring(server, field, cfg_obj_asstring(obj))); } static void @@ -1683,6 +2077,26 @@ set_limits(cfg_obj_t **maps) { } static isc_result_t +portlist_fromconf(dns_portlist_t *portlist, unsigned int family, + cfg_obj_t *ports) +{ + cfg_listelt_t *element; + isc_result_t result = ISC_R_SUCCESS; + + for (element = cfg_list_first(ports); + element != NULL; + element = cfg_list_next(element)) { + cfg_obj_t *obj = cfg_listelt_value(element); + in_port_t port = (in_port_t)cfg_obj_asuint32(obj); + + result = dns_portlist_add(portlist, family, port); + if (result != ISC_R_SUCCESS) + break; + } + return (result); +} + +static isc_result_t load_configuration(const char *filename, ns_server_t *server, isc_boolean_t first_time) { @@ -1692,17 +2106,18 @@ load_configuration(const char *filename, ns_server_t *server, cfg_obj_t *options; cfg_obj_t *views; cfg_obj_t *obj; + cfg_obj_t *v4ports, *v6ports; cfg_obj_t *maps[3]; + cfg_obj_t *builtin_views; cfg_listelt_t *element; dns_view_t *view = NULL; dns_view_t *view_next; dns_viewlist_t viewlist; dns_viewlist_t tmpviewlist; ns_aclconfctx_t aclconfctx; - dns_dispatch_t *dispatchv4 = NULL; - dns_dispatch_t *dispatchv6 = NULL; isc_uint32_t interface_interval; isc_uint32_t heartbeat_interval; + isc_uint32_t udpsize; in_port_t listen_port; int i; @@ -1748,7 +2163,7 @@ load_configuration(const char *filename, ns_server_t *server, * option where the above parsing failed, parse resolv.conf. */ if (ns_g_lwresdonly && - (lwresd_g_useresolvconf || + (lwresd_g_useresolvconf || (!ns_g_conffileset && result == ISC_R_FILENOTFOUND))) { isc_log_write(ns_g_lctx, @@ -1766,7 +2181,7 @@ load_configuration(const char *filename, ns_server_t *server, /* * Check the validity of the configuration. */ - CHECK(cfg_check_namedconf(config, ns_g_lctx, ns_g_mctx)); + CHECK(bind9_check_namedconf(config, ns_g_lctx, ns_g_mctx)); /* * Fill in the maps array, used for resolving defaults. @@ -1803,6 +2218,38 @@ load_configuration(const char *filename, ns_server_t *server, INSIST(result == ISC_R_SUCCESS); server->aclenv.match_mapped = cfg_obj_asboolean(obj); + v4ports = NULL; + v6ports = NULL; + (void)ns_config_get(maps, "avoid-v4-udp-ports", &v4ports); + (void)ns_config_get(maps, "avoid-v6-udp-ports", &v6ports); + if (v4ports != NULL || v6ports != NULL) { + dns_portlist_t *portlist = NULL; + result = dns_portlist_create(ns_g_mctx, &portlist); + if (result == ISC_R_SUCCESS && v4ports != NULL) + result = portlist_fromconf(portlist, AF_INET, v4ports); + if (result == ISC_R_SUCCESS && v6ports != NULL) + portlist_fromconf(portlist, AF_INET6, v6ports); + if (result == ISC_R_SUCCESS) + dns_dispatchmgr_setblackportlist(ns_g_dispatchmgr, portlist); + if (portlist != NULL) + dns_portlist_detach(&portlist); + CHECK(result); + } else + dns_dispatchmgr_setblackportlist(ns_g_dispatchmgr, NULL); + + /* + * Set the EDNS UDP size when we don't match a view. + */ + obj = NULL; + result = ns_config_get(maps, "edns-udp-size", &obj); + INSIST(result == ISC_R_SUCCESS); + udpsize = cfg_obj_asuint32(obj); + if (udpsize < 512) + udpsize = 512; + if (udpsize > 4096) + udpsize = 4096; + ns_g_udpsize = (isc_uint16_t)udpsize; + /* * Configure the zone manager. */ @@ -1830,6 +2277,16 @@ load_configuration(const char *filename, ns_server_t *server, CHECKM(ns_config_getport(config, &listen_port), "port"); /* + * Find the listen queue depth. + */ + obj = NULL; + result = ns_config_get(maps, "tcp-listen-queue", &obj); + INSIST(result == ISC_R_SUCCESS); + ns_g_listen = cfg_obj_asuint32(obj); + if (ns_g_listen < 3) + ns_g_listen = 3; + + /* * Configure the interface manager according to the "listen-on" * statement. */ @@ -1910,14 +2367,15 @@ load_configuration(const char *filename, ns_server_t *server, INSIST(result == ISC_R_SUCCESS); interface_interval = cfg_obj_asuint32(obj) * 60; if (interface_interval == 0) { - isc_timer_reset(server->interface_timer, - isc_timertype_inactive, - NULL, NULL, ISC_TRUE); + CHECK(isc_timer_reset(server->interface_timer, + isc_timertype_inactive, + NULL, NULL, ISC_TRUE)); } else if (server->interface_interval != interface_interval) { isc_interval_t interval; isc_interval_set(&interval, interface_interval, 0); - isc_timer_reset(server->interface_timer, isc_timertype_ticker, - NULL, &interval, ISC_FALSE); + CHECK(isc_timer_reset(server->interface_timer, + isc_timertype_ticker, + NULL, &interval, ISC_FALSE)); } server->interface_interval = interface_interval; @@ -1929,14 +2387,15 @@ load_configuration(const char *filename, ns_server_t *server, INSIST(result == ISC_R_SUCCESS); heartbeat_interval = cfg_obj_asuint32(obj) * 60; if (heartbeat_interval == 0) { - isc_timer_reset(server->heartbeat_timer, - isc_timertype_inactive, - NULL, NULL, ISC_TRUE); + CHECK(isc_timer_reset(server->heartbeat_timer, + isc_timertype_inactive, + NULL, NULL, ISC_TRUE)); } else if (server->heartbeat_interval != heartbeat_interval) { isc_interval_t interval; isc_interval_set(&interval, heartbeat_interval, 0); - isc_timer_reset(server->heartbeat_timer, isc_timertype_ticker, - NULL, &interval, ISC_FALSE); + CHECK(isc_timer_reset(server->heartbeat_timer, + isc_timertype_ticker, + NULL, &interval, ISC_FALSE)); } server->heartbeat_interval = heartbeat_interval; @@ -1951,14 +2410,13 @@ load_configuration(const char *filename, ns_server_t *server, element != NULL; element = cfg_list_next(element)) { - cfg_obj_t *vconfig; - + cfg_obj_t *vconfig = cfg_listelt_value(element); view = NULL; - vconfig = cfg_listelt_value(element); + CHECK(create_view(vconfig, &viewlist, &view)); INSIST(view != NULL); CHECK(configure_view(view, config, vconfig, - ns_g_mctx, &aclconfctx)); + ns_g_mctx, &aclconfctx, ISC_TRUE)); dns_view_freeze(view); dns_view_detach(&view); } @@ -1976,22 +2434,30 @@ load_configuration(const char *filename, ns_server_t *server, */ CHECK(create_view(NULL, &viewlist, &view)); CHECK(configure_view(view, config, NULL, ns_g_mctx, - &aclconfctx)); + &aclconfctx, ISC_TRUE)); dns_view_freeze(view); dns_view_detach(&view); } /* - * Create (or recreate) the internal _bind view. + * Create (or recreate) the built-in views. Currently + * there is only one, the _bind view. */ - CHECK(create_bind_view(&view)); - CHECK(configure_view_acl(NULL, config, "allow-query", - &aclconfctx, ns_g_mctx, &view->queryacl)); - ISC_LIST_APPEND(viewlist, view, link); - CHECK(create_version_zone(maps, server->zonemgr, view)); - CHECK(create_authors_zone(options, server->zonemgr, view)); - dns_view_freeze(view); - view = NULL; + builtin_views = NULL; + RUNTIME_CHECK(cfg_map_get(ns_g_config, "view", + &builtin_views) == ISC_R_SUCCESS); + for (element = cfg_list_first(builtin_views); + element != NULL; + element = cfg_list_next(element)) + { + cfg_obj_t *vconfig = cfg_listelt_value(element); + CHECK(create_view(vconfig, &viewlist, &view)); + CHECK(configure_view(view, config, vconfig, ns_g_mctx, + &aclconfctx, ISC_FALSE)); + dns_view_freeze(view); + dns_view_detach(&view); + view = NULL; + } /* * Swap our new view list with the production one. @@ -2040,7 +2506,7 @@ load_configuration(const char *filename, ns_server_t *server, const char *randomdev = cfg_obj_asstring(obj); result = isc_entropy_createfilesource(ns_g_entropy, randomdev); - if (result != ISC_R_SUCCESS && ns_g_chrootdir == NULL) { + if (result != ISC_R_SUCCESS) isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, @@ -2049,20 +2515,21 @@ load_configuration(const char *filename, ns_server_t *server, "%s: %s", randomdev, isc_result_totext(result)); - } #ifdef PATH_RANDOMDEV - if (result != ISC_R_SUCCESS && ns_g_chrootdir != NULL) { - isc_log_write(ns_g_lctx, - NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_SERVER, - ISC_LOG_INFO, - "using pre-chroot entropy source " - "%s", - PATH_RANDOMDEV); - isc_entropy_detach(&ns_g_entropy); - isc_entropy_attach(ns_g_fallbackentropy, - &ns_g_entropy); - + if (ns_g_fallbackentropy != NULL) { + if (result != ISC_R_SUCCESS) { + isc_log_write(ns_g_lctx, + NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_SERVER, + ISC_LOG_INFO, + "using pre-chroot entropy source " + "%s", + PATH_RANDOMDEV); + isc_entropy_detach(&ns_g_entropy); + isc_entropy_attach(ns_g_fallbackentropy, + &ns_g_entropy); + } + isc_entropy_detach(&ns_g_fallbackentropy); } #endif } @@ -2130,23 +2597,31 @@ load_configuration(const char *filename, ns_server_t *server, if (first_time) { cfg_obj_t *logobj = NULL; cfg_obj_t *categories = NULL; - (void)cfg_map_get(config, "logging", &logobj); - if (logobj != NULL) - (void)cfg_map_get(logobj, "category", &categories); - if (categories != NULL) { - cfg_listelt_t *element; - for (element = cfg_list_first(categories); - element != NULL; - element = cfg_list_next(element)) - { - cfg_obj_t *catobj; - char *str; - - obj = cfg_listelt_value(element); - catobj = cfg_tuple_get(obj, "name"); - str = cfg_obj_asstring(catobj); - if (strcasecmp(str, "queries") == 0) - server->log_queries = ISC_TRUE; + + obj = NULL; + if (ns_config_get(maps, "querylog", &obj) == ISC_R_SUCCESS) { + server->log_queries = cfg_obj_asboolean(obj); + } else { + + (void)cfg_map_get(config, "logging", &logobj); + if (logobj != NULL) + (void)cfg_map_get(logobj, "category", + &categories); + if (categories != NULL) { + cfg_listelt_t *element; + for (element = cfg_list_first(categories); + element != NULL; + element = cfg_list_next(element)) + { + cfg_obj_t *catobj; + char *str; + + obj = cfg_listelt_value(element); + catobj = cfg_tuple_get(obj, "name"); + str = cfg_obj_asstring(catobj); + if (strcasecmp(str, "queries") == 0) + server->log_queries = ISC_TRUE; + } } } } @@ -2162,16 +2637,71 @@ load_configuration(const char *filename, ns_server_t *server, else ns_os_writepidfile(ns_g_defaultpidfile, first_time); } + + obj = NULL; + if (options != NULL && + cfg_map_get(options, "memstatistics-file", &obj) == ISC_R_SUCCESS) + ns_main_setmemstats(cfg_obj_asstring(obj)); + else + ns_main_setmemstats(NULL); obj = NULL; result = ns_config_get(maps, "statistics-file", &obj); INSIST(result == ISC_R_SUCCESS); - CHECKM(setstatsfile(server, cfg_obj_asstring(obj)), "strdup"); + CHECKM(setstring(server, &server->statsfile, cfg_obj_asstring(obj)), + "strdup"); obj = NULL; result = ns_config_get(maps, "dump-file", &obj); INSIST(result == ISC_R_SUCCESS); - CHECKM(setdumpfile(server, cfg_obj_asstring(obj)), "strdup"); + CHECKM(setstring(server, &server->dumpfile, cfg_obj_asstring(obj)), + "strdup"); + + obj = NULL; + result = ns_config_get(maps, "recursing-file", &obj); + INSIST(result == ISC_R_SUCCESS); + CHECKM(setstring(server, &server->recfile, cfg_obj_asstring(obj)), + "strdup"); + + obj = NULL; + result = ns_config_get(maps, "version", &obj); + if (result == ISC_R_SUCCESS) { + CHECKM(setoptstring(server, &server->version, obj), "strdup"); + server->version_set = ISC_TRUE; + } else { + server->version_set = ISC_FALSE; + } + + obj = NULL; + result = ns_config_get(maps, "hostname", &obj); + if (result == ISC_R_SUCCESS) { + CHECKM(setoptstring(server, &server->hostname, obj), "strdup"); + server->hostname_set = ISC_TRUE; + } else { + server->hostname_set = ISC_FALSE; + } + + obj = NULL; + result = ns_config_get(maps, "server-id", &obj); + server->server_usehostname = ISC_FALSE; + if (result == ISC_R_SUCCESS && cfg_obj_isboolean(obj)) { + server->server_usehostname = ISC_TRUE; + } else if (result == ISC_R_SUCCESS) { + CHECKM(setoptstring(server, &server->server_id, obj), "strdup"); + } else { + result = setoptstring(server, &server->server_id, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + } + + obj = NULL; + result = ns_config_get(maps, "flush-zones-on-shutdown", &obj); + if (result == ISC_R_SUCCESS) { + server->flushonshutdown = cfg_obj_asboolean(obj); + } else { + server->flushonshutdown = ISC_FALSE; + } + + result = ISC_R_SUCCESS; cleanup: ns_aclconfctx_destroy(&aclconfctx); @@ -2199,10 +2729,12 @@ load_configuration(const char *filename, ns_server_t *server, } - if (dispatchv4 != NULL) - dns_dispatch_detach(&dispatchv4); - if (dispatchv6 != NULL) - dns_dispatch_detach(&dispatchv6); + /* + * Adjust the listening interfaces in accordance with the source + * addresses specified in views and zones. + */ + if (isc_net_probeipv6() == ISC_R_SUCCESS) + adjust_interfaces(server, ns_g_mctx); /* Relinquish exclusive access to configuration data. */ isc_task_endexclusive(server->task); @@ -2265,7 +2797,7 @@ load_new_zones(ns_server_t *server, isc_boolean_t stop) { * so that we know when we need to force AXFR of * slave zones whose master files are missing. */ - CHECK(dns_zonemgr_forcemaint(server->zonemgr)); + dns_zonemgr_resumexfrs(server->zonemgr); cleanup: isc_task_endexclusive(server->task); return (result); @@ -2347,6 +2879,7 @@ shutdown_server(isc_task_t *task, isc_event_t *event) { flush ? ": flushing changes" : ""); ns_controls_shutdown(server->controls); + end_reserved_dispatches(server, ISC_TRUE); cfg_obj_destroy(ns_g_parser, &ns_g_config); cfg_parser_destroy(&ns_g_parser); @@ -2375,6 +2908,8 @@ shutdown_server(isc_task_t *task, isc_event_t *event) { if (server->blackholeacl != NULL) dns_acl_detach(&server->blackholeacl); + dns_db_detach(&server->in_roothints); + isc_task_endexclusive(server->task); isc_task_detach(&server->task); @@ -2401,6 +2936,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { RUNTIME_CHECK(result == ISC_R_SUCCESS); result = isc_quota_init(&server->recursionquota, 100); RUNTIME_CHECK(result == ISC_R_SUCCESS); + isc_quota_soft(&server->recursionquota, ISC_FALSE); result = dns_aclenv_init(mctx, &server->aclenv); RUNTIME_CHECK(result == ISC_R_SUCCESS); @@ -2462,19 +2998,33 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { CHECKFATAL(server->statsfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS, "isc_mem_strdup"); server->querystats = NULL; - CHECKFATAL(dns_stats_alloccounters(ns_g_mctx, &server->querystats), - "dns_stats_alloccounters"); server->dumpfile = isc_mem_strdup(server->mctx, "named_dump.db"); CHECKFATAL(server->dumpfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS, "isc_mem_strdup"); + server->recfile = isc_mem_strdup(server->mctx, "named.recursing"); + CHECKFATAL(server->recfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS, + "isc_mem_strdup"); + + server->hostname_set = ISC_FALSE; + server->hostname = NULL; + server->version_set = ISC_FALSE; + server->version = NULL; + server->server_usehostname = ISC_FALSE; + server->server_id = NULL; + + CHECKFATAL(dns_stats_alloccounters(ns_g_mctx, &server->querystats), + "dns_stats_alloccounters"); + server->flushonshutdown = ISC_FALSE; server->log_queries = ISC_FALSE; server->controls = NULL; CHECKFATAL(ns_controls_create(server, &server->controls), "ns_controls_create"); + server->dispatchgen = 0; + ISC_LIST_INIT(server->dispatches); server->magic = NS_SERVER_MAGIC; *serverp = server; @@ -2488,9 +3038,17 @@ ns_server_destroy(ns_server_t **serverp) { ns_controls_destroy(&server->controls); dns_stats_freecounters(server->mctx, &server->querystats); - isc_mem_free(server->mctx, server->statsfile); + isc_mem_free(server->mctx, server->statsfile); isc_mem_free(server->mctx, server->dumpfile); + isc_mem_free(server->mctx, server->recfile); + + if (server->version != NULL) + isc_mem_free(server->mctx, server->version); + if (server->hostname != NULL) + isc_mem_free(server->mctx, server->hostname); + if (server->server_id != NULL) + isc_mem_free(server->mctx, server->server_id); dns_zonemgr_detach(&server->zonemgr); @@ -2503,8 +3061,6 @@ ns_server_destroy(ns_server_t **serverp) { INSIST(ISC_LIST_EMPTY(server->viewlist)); - dns_db_detach(&server->in_roothints); - dns_aclenv_destroy(&server->aclenv); isc_quota_destroy(&server->recursionquota); @@ -2526,14 +3082,119 @@ fatal(const char *msg, isc_result_t result) { exit(1); } +static void +start_reserved_dispatches(ns_server_t *server) { + + REQUIRE(NS_SERVER_VALID(server)); + + server->dispatchgen++; +} + +static void +end_reserved_dispatches(ns_server_t *server, isc_boolean_t all) { + ns_dispatch_t *dispatch, *nextdispatch; + + REQUIRE(NS_SERVER_VALID(server)); + + for (dispatch = ISC_LIST_HEAD(server->dispatches); + dispatch != NULL; + dispatch = nextdispatch) { + nextdispatch = ISC_LIST_NEXT(dispatch, link); + if (!all && server->dispatchgen == dispatch-> dispatchgen) + continue; + ISC_LIST_UNLINK(server->dispatches, dispatch, link); + dns_dispatch_detach(&dispatch->dispatch); + isc_mem_put(server->mctx, dispatch, sizeof(*dispatch)); + } +} + +void +ns_add_reserved_dispatch(ns_server_t *server, isc_sockaddr_t *addr) { + ns_dispatch_t *dispatch; + in_port_t port; + char addrbuf[ISC_SOCKADDR_FORMATSIZE]; + isc_result_t result; + unsigned int attrs, attrmask; + + REQUIRE(NS_SERVER_VALID(server)); + + port = isc_sockaddr_getport(addr); + if (port == 0 || port >= 1024) + return; + + for (dispatch = ISC_LIST_HEAD(server->dispatches); + dispatch != NULL; + dispatch = ISC_LIST_NEXT(dispatch, link)) { + if (isc_sockaddr_equal(&dispatch->addr, addr)) + break; + } + if (dispatch != NULL) { + dispatch->dispatchgen = server->dispatchgen; + return; + } + + dispatch = isc_mem_get(server->mctx, sizeof(*dispatch)); + if (dispatch == NULL) { + result = ISC_R_NOMEMORY; + goto cleanup; + } + + dispatch->addr = *addr; + dispatch->dispatchgen = server->dispatchgen; + dispatch->dispatch = NULL; + + attrs = 0; + attrs |= DNS_DISPATCHATTR_UDP; + switch (isc_sockaddr_pf(addr)) { + case AF_INET: + attrs |= DNS_DISPATCHATTR_IPV4; + break; + case AF_INET6: + attrs |= DNS_DISPATCHATTR_IPV6; + break; + default: + result = ISC_R_NOTIMPLEMENTED; + goto cleanup; + } + attrmask = 0; + attrmask |= DNS_DISPATCHATTR_UDP; + attrmask |= DNS_DISPATCHATTR_TCP; + attrmask |= DNS_DISPATCHATTR_IPV4; + attrmask |= DNS_DISPATCHATTR_IPV6; + + result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr, + ns_g_taskmgr, &dispatch->addr, 4096, + 1000, 32768, 16411, 16433, + attrs, attrmask, &dispatch->dispatch); + if (result != ISC_R_SUCCESS) + goto cleanup; + + ISC_LIST_INITANDPREPEND(server->dispatches, dispatch, link); + + return; + + cleanup: + if (dispatch != NULL) + isc_mem_put(server->mctx, dispatch, sizeof(*dispatch)); + isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf)); + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_SERVER, ISC_LOG_WARNING, + "unable to create dispatch for reserved port %s: %s", + addrbuf, isc_result_totext(result)); +} + + static isc_result_t loadconfig(ns_server_t *server) { isc_result_t result; + start_reserved_dispatches(server); result = load_configuration(ns_g_lwresdonly ? lwresd_g_conffile : ns_g_conffile, server, ISC_FALSE); - if (result != ISC_R_SUCCESS) + if (result == ISC_R_SUCCESS) + end_reserved_dispatches(server, ISC_FALSE); + else isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_ERROR, "reloading configuration failed: %s", @@ -2541,7 +3202,7 @@ loadconfig(ns_server_t *server) { return (result); } -static void +static isc_result_t reload(ns_server_t *server) { isc_result_t result; CHECK(loadconfig(server)); @@ -2553,7 +3214,8 @@ reload(ns_server_t *server) { "reloading zones failed: %s", isc_result_totext(result)); } - cleanup: ; + cleanup: + return (result); } static void @@ -2581,7 +3243,7 @@ ns_server_reload(isc_task_t *task, isc_event_t *event) { INSIST(task = server->task); UNUSED(task); - reload(server); + (void)reload(server); LOCK(&server->reload_event_lock); INSIST(server->reload_event == NULL); @@ -2684,28 +3346,75 @@ zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep) { } /* + * Act on a "retransfer" command from the command channel. + */ +isc_result_t +ns_server_retransfercommand(ns_server_t *server, char *args) { + isc_result_t result; + dns_zone_t *zone = NULL; + dns_zonetype_t type; + + result = zone_from_args(server, args, &zone); + if (result != ISC_R_SUCCESS) + return (result); + if (zone == NULL) + return (ISC_R_UNEXPECTEDEND); + type = dns_zone_gettype(zone); + if (type == dns_zone_slave || type == dns_zone_stub) + dns_zone_forcereload(zone); + else + result = ISC_R_NOTFOUND; + dns_zone_detach(&zone); + return (result); +} + +/* * Act on a "reload" command from the command channel. */ isc_result_t -ns_server_reloadcommand(ns_server_t *server, char *args) { +ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text) { isc_result_t result; dns_zone_t *zone = NULL; dns_zonetype_t type; + const char *msg = NULL; result = zone_from_args(server, args, &zone); if (result != ISC_R_SUCCESS) return (result); if (zone == NULL) { - reload(server); + result = reload(server); + if (result == ISC_R_SUCCESS) + msg = "server reload successful"; } else { type = dns_zone_gettype(zone); - if (type == dns_zone_slave || type == dns_zone_stub) + if (type == dns_zone_slave || type == dns_zone_stub) { dns_zone_refresh(zone); - else - dns_zone_load(zone); - dns_zone_detach(&zone); + msg = "zone refresh queued"; + } else { + result = dns_zone_load(zone); + dns_zone_detach(&zone); + switch (result) { + case ISC_R_SUCCESS: + msg = "zone reload successful"; + break; + case DNS_R_CONTINUE: + msg = "zone reload queued"; + result = ISC_R_SUCCESS; + break; + case DNS_R_UPTODATE: + msg = "zone reload up-to-date"; + result = ISC_R_SUCCESS; + break; + default: + /* failure message will be generated by rndc */ + break; + } + } } - return (ISC_R_SUCCESS); + if (msg != NULL && strlen(msg) < isc_buffer_availablelength(text)) + isc_buffer_putmem(text, (const unsigned char *)msg, + strlen(msg) + 1); + return (result); } /* @@ -2723,9 +3432,10 @@ ns_server_reconfigcommand(ns_server_t *server, char *args) { * Act on a "refresh" command from the command channel. */ isc_result_t -ns_server_refreshcommand(ns_server_t *server, char *args) { +ns_server_refreshcommand(ns_server_t *server, char *args, isc_buffer_t *text) { isc_result_t result; dns_zone_t *zone = NULL; + const unsigned char msg[] = "zone refresh queued"; result = zone_from_args(server, args, &zone); if (result != ISC_R_SUCCESS) @@ -2735,6 +3445,8 @@ ns_server_refreshcommand(ns_server_t *server, char *args) { dns_zone_refresh(zone); dns_zone_detach(&zone); + if (sizeof(msg) <= isc_buffer_availablelength(text)) + isc_buffer_putmem(text, msg, sizeof(msg)); return (ISC_R_SUCCESS); } @@ -2844,8 +3556,8 @@ ns_server_dumpstats(ns_server_t *server) { isc_stdtime_get(&now); - CHECKM(isc_stdio_open(server->statsfile, "a", &fp), - "could not open statistics dump file"); + CHECKMF(isc_stdio_open(server->statsfile, "a", &fp), + "could not open statistics dump file", server->statsfile); ncounters = DNS_STATS_NCOUNTERS; fprintf(fp, "+++ Statistics Dump +++ (%lu)\n", (unsigned long)now); @@ -2894,26 +3606,265 @@ ns_server_dumpstats(ns_server_t *server) { return (result); } +static isc_result_t +add_zone_tolist(dns_zone_t *zone, void *uap) { + struct dumpcontext *dctx = uap; + struct zonelistentry *zle; + + zle = isc_mem_get(dctx->mctx, sizeof *zle); + if (zle == NULL) + return (ISC_R_NOMEMORY); + zle->zone = NULL; + dns_zone_attach(zone, &zle->zone); + ISC_LINK_INIT(zle, link); + ISC_LIST_APPEND(ISC_LIST_TAIL(dctx->viewlist)->zonelist, zle, link); + return (ISC_R_SUCCESS); +} + +static isc_result_t +add_view_tolist(struct dumpcontext *dctx, dns_view_t *view) { + struct viewlistentry *vle; + isc_result_t result = ISC_R_SUCCESS; + + vle = isc_mem_get(dctx->mctx, sizeof *vle); + if (vle == NULL) + return (ISC_R_NOMEMORY); + vle->view = NULL; + dns_view_attach(view, &vle->view); + ISC_LINK_INIT(vle, link); + ISC_LIST_INIT(vle->zonelist); + ISC_LIST_APPEND(dctx->viewlist, vle, link); + if (dctx->dumpzones) + result = dns_zt_apply(view->zonetable, ISC_TRUE, + add_zone_tolist, dctx); + return (result); +} + +static void +dumpcontext_destroy(struct dumpcontext *dctx) { + struct viewlistentry *vle; + struct zonelistentry *zle; + + vle = ISC_LIST_HEAD(dctx->viewlist); + while (vle != NULL) { + ISC_LIST_UNLINK(dctx->viewlist, vle, link); + zle = ISC_LIST_HEAD(vle->zonelist); + while (zle != NULL) { + ISC_LIST_UNLINK(vle->zonelist, zle, link); + dns_zone_detach(&zle->zone); + isc_mem_put(dctx->mctx, zle, sizeof *zle); + zle = ISC_LIST_HEAD(vle->zonelist); + } + dns_view_detach(&vle->view); + isc_mem_put(dctx->mctx, vle, sizeof *vle); + vle = ISC_LIST_HEAD(dctx->viewlist); + } + if (dctx->version != NULL) + dns_db_closeversion(dctx->db, &dctx->version, ISC_FALSE); + if (dctx->db != NULL) + dns_db_detach(&dctx->db); + if (dctx->cache != NULL) + dns_db_detach(&dctx->cache); + if (dctx->task != NULL) + isc_task_detach(&dctx->task); + if (dctx->fp != NULL) + (void)isc_stdio_close(dctx->fp); + if (dctx->mdctx != NULL) + dns_dumpctx_detach(&dctx->mdctx); + isc_mem_put(dctx->mctx, dctx, sizeof *dctx); +} + +static void +dumpdone(void *arg, isc_result_t result) { + struct dumpcontext *dctx = arg; + char buf[1024+32]; + const dns_master_style_t *style; + + if (result != ISC_R_SUCCESS) + goto cleanup; + if (dctx->mdctx != NULL) + dns_dumpctx_detach(&dctx->mdctx); + if (dctx->view == NULL) { + dctx->view = ISC_LIST_HEAD(dctx->viewlist); + if (dctx->view == NULL) + goto done; + INSIST(dctx->zone == NULL); + } + nextview: + fprintf(dctx->fp, ";\n; Start view %s\n;\n", dctx->view->view->name); + if (dctx->zone == NULL && dctx->cache == NULL && dctx->dumpcache) { + style = &dns_master_style_cache; + /* start cache dump */ + if (dctx->view->view->cachedb != NULL) + dns_db_attach(dctx->view->view->cachedb, &dctx->cache); + if (dctx->cache != NULL) { + + fprintf(dctx->fp, ";\n; Cache dump of view '%s'\n;\n", + dctx->view->view->name); + result = dns_master_dumptostreaminc(dctx->mctx, + dctx->cache, NULL, + style, dctx->fp, + dctx->task, + dumpdone, dctx, + &dctx->mdctx); + if (result == DNS_R_CONTINUE) + return; + if (result == ISC_R_NOTIMPLEMENTED) + fprintf(dctx->fp, "; %s\n", + dns_result_totext(result)); + else if (result != ISC_R_SUCCESS) + goto cleanup; + } + } + if (dctx->cache != NULL) { + dns_adb_dump(dctx->view->view->adb, dctx->fp); + dns_db_detach(&dctx->cache); + } + if (dctx->dumpzones) { + style = &dns_master_style_full; + nextzone: + if (dctx->version != NULL) + dns_db_closeversion(dctx->db, &dctx->version, + ISC_FALSE); + if (dctx->db != NULL) + dns_db_detach(&dctx->db); + if (dctx->zone == NULL) + dctx->zone = ISC_LIST_HEAD(dctx->view->zonelist); + else + dctx->zone = ISC_LIST_NEXT(dctx->zone, link); + if (dctx->zone != NULL) { + /* start zone dump */ + dns_zone_name(dctx->zone->zone, buf, sizeof(buf)); + fprintf(dctx->fp, ";\n; Zone dump of '%s'\n;\n", buf); + result = dns_zone_getdb(dctx->zone->zone, &dctx->db); + if (result != ISC_R_SUCCESS) { + fprintf(dctx->fp, "; %s\n", + dns_result_totext(result)); + goto nextzone; + } + dns_db_currentversion(dctx->db, &dctx->version); + result = dns_master_dumptostreaminc(dctx->mctx, + dctx->db, + dctx->version, + style, dctx->fp, + dctx->task, + dumpdone, dctx, + &dctx->mdctx); + if (result == DNS_R_CONTINUE) + return; + if (result == ISC_R_NOTIMPLEMENTED) + fprintf(dctx->fp, "; %s\n", + dns_result_totext(result)); + if (result != ISC_R_SUCCESS) + goto cleanup; + } + } + if (dctx->view != NULL) + dctx->view = ISC_LIST_NEXT(dctx->view, link); + if (dctx->view != NULL) + goto nextview; + done: + fprintf(dctx->fp, "; Dump complete\n"); + result = isc_stdio_flush(dctx->fp); + if (result == ISC_R_SUCCESS) + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_SERVER, ISC_LOG_INFO, + "dumpdb complete"); + cleanup: + if (result != ISC_R_SUCCESS) + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_SERVER, ISC_LOG_INFO, + "dumpdb failed: %s", dns_result_totext(result)); + dumpcontext_destroy(dctx); +} + + isc_result_t -ns_server_dumpdb(ns_server_t *server) { - FILE *fp = NULL; +ns_server_dumpdb(ns_server_t *server, char *args) { + struct dumpcontext *dctx = NULL; dns_view_t *view; isc_result_t result; + char *ptr; + const char *sep; + + dctx = isc_mem_get(server->mctx, sizeof(*dctx)); + if (dctx == NULL) + return (ISC_R_NOMEMORY); + + dctx->mctx = server->mctx; + dctx->dumpcache = ISC_TRUE; + dctx->dumpzones = ISC_FALSE; + dctx->fp = NULL; + ISC_LIST_INIT(dctx->viewlist); + dctx->view = NULL; + dctx->zone = NULL; + dctx->cache = NULL; + dctx->mdctx = NULL; + dctx->db = NULL; + dctx->cache = NULL; + dctx->task = NULL; + dctx->version = NULL; + isc_task_attach(server->task, &dctx->task); + + CHECKMF(isc_stdio_open(server->dumpfile, "w", &dctx->fp), + "could not open dump file", server->dumpfile); + + /* Skip the command name. */ + ptr = next_token(&args, " \t"); + if (ptr == NULL) + return (ISC_R_UNEXPECTEDEND); + + sep = (args == NULL) ? "" : ": "; + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_SERVER, ISC_LOG_INFO, + "dumpdb started%s%s", sep, (args != NULL) ? args : ""); - CHECKM(isc_stdio_open(server->dumpfile, "w", &fp), - "could not open dump file"); + ptr = next_token(&args, " \t"); + if (ptr != NULL && strcmp(ptr, "-all") == 0) { + dctx->dumpzones = ISC_TRUE; + dctx->dumpcache = ISC_TRUE; + ptr = next_token(&args, " \t"); + } else if (ptr != NULL && strcmp(ptr, "-cache") == 0) { + dctx->dumpzones = ISC_FALSE; + dctx->dumpcache = ISC_TRUE; + ptr = next_token(&args, " \t"); + } else if (ptr != NULL && strcmp(ptr, "-zones") == 0) { + dctx->dumpzones = ISC_TRUE; + dctx->dumpcache = ISC_FALSE; + ptr = next_token(&args, " \t"); + } for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) { - if (view->cachedb != NULL) - CHECKM(dns_view_dumpdbtostream(view, fp), - "could not dump view databases"); + if (ptr != NULL && strcmp(view->name, ptr) != 0) + continue; + CHECK(add_view_tolist(dctx, view)); } + dumpdone(dctx, ISC_R_SUCCESS); + return (ISC_R_SUCCESS); + + cleanup: + if (dctx != NULL) + dumpcontext_destroy(dctx); + return (result); +} + +isc_result_t +ns_server_dumprecursing(ns_server_t *server) { + FILE *fp = NULL; + isc_result_t result; + + CHECKMF(isc_stdio_open(server->recfile, "w", &fp), + "could not open dump file", server->recfile); + fprintf(fp,";\n; Recursing Queries\n;\n"); + ns_interfacemgr_dumprecursing(fp, server->interfacemgr); + fprintf(fp, "; Dump complete\n"); + cleanup: if (fp != NULL) - (void)isc_stdio_close(fp); + result = isc_stdio_close(fp); return (result); } @@ -2984,6 +3935,58 @@ ns_server_flushcache(ns_server_t *server, char *args) { } isc_result_t +ns_server_flushname(ns_server_t *server, char *args) { + char *ptr, *target, *viewname; + dns_view_t *view; + isc_boolean_t flushed = ISC_FALSE; + isc_result_t result; + isc_buffer_t b; + dns_fixedname_t fixed; + dns_name_t *name; + + /* Skip the command name. */ + ptr = next_token(&args, " \t"); + if (ptr == NULL) + return (ISC_R_UNEXPECTEDEND); + + /* Find the domain name to flush. */ + target = next_token(&args, " \t"); + if (target == NULL) + return (ISC_R_UNEXPECTEDEND); + + isc_buffer_init(&b, target, strlen(target)); + isc_buffer_add(&b, strlen(target)); + dns_fixedname_init(&fixed); + name = dns_fixedname_name(&fixed); + result = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL); + if (result != ISC_R_SUCCESS) + return (result); + + /* Look for the view name. */ + viewname = next_token(&args, " \t"); + + result = isc_task_beginexclusive(server->task); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + flushed = ISC_TRUE; + for (view = ISC_LIST_HEAD(server->viewlist); + view != NULL; + view = ISC_LIST_NEXT(view, link)) + { + if (viewname != NULL && strcasecmp(viewname, view->name) != 0) + continue; + result = dns_view_flushname(view, name); + if (result != ISC_R_SUCCESS) + flushed = ISC_FALSE; + } + if (flushed) + result = ISC_R_SUCCESS; + else + result = ISC_R_FAILURE; + isc_task_endexclusive(server->task); + return (result); +} + +isc_result_t ns_server_status(ns_server_t *server, isc_buffer_t *text) { int zonecount, xferrunning, xferdeferred, soaqueries; unsigned int n; @@ -3003,11 +4006,87 @@ ns_server_status(ns_server_t *server, isc_buffer_t *text) { "xfers deferred: %u\n" "soa queries in progress: %u\n" "query logging is %s\n" + "recursive clients: %d/%d\n" + "tcp clients: %d/%d\n" "server is up and running", zonecount, ns_g_debuglevel, xferrunning, xferdeferred, - soaqueries, server->log_queries ? "ON" : "OFF"); + soaqueries, server->log_queries ? "ON" : "OFF", + server->recursionquota.used, server->recursionquota.max, + server->tcpquota.used, server->tcpquota.max); if (n >= isc_buffer_availablelength(text)) return (ISC_R_NOSPACE); isc_buffer_add(text, n); return (ISC_R_SUCCESS); } + +/* + * Act on a "freeze" or "unfreeze" command from the command channel. + */ +isc_result_t +ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args) { + isc_result_t result; + dns_zone_t *zone = NULL; + dns_zonetype_t type; + char classstr[DNS_RDATACLASS_FORMATSIZE]; + char zonename[DNS_NAME_FORMATSIZE]; + dns_view_t *view; + char *journal; + const char *vname, *sep; + isc_boolean_t frozen; + + result = zone_from_args(server, args, &zone); + if (result != ISC_R_SUCCESS) + return (result); + if (zone == NULL) + return (ISC_R_UNEXPECTEDEND); + type = dns_zone_gettype(zone); + if (type != dns_zone_master) { + dns_zone_detach(&zone); + return (ISC_R_NOTFOUND); + } + + frozen = dns_zone_getupdatedisabled(zone); + if (freeze) { + if (frozen) + result = DNS_R_FROZEN; + if (result == ISC_R_SUCCESS) + result = dns_zone_flush(zone); + if (result == ISC_R_SUCCESS) { + journal = dns_zone_getjournal(zone); + if (journal != NULL) + (void)isc_file_remove(journal); + } + } else { + if (frozen) { + result = dns_zone_load(zone); + if (result == DNS_R_CONTINUE || + result == DNS_R_UPTODATE) + result = ISC_R_SUCCESS; + } + } + if (result == ISC_R_SUCCESS) + dns_zone_setupdatedisabled(zone, freeze); + + view = dns_zone_getview(zone); + if (strcmp(view->name, "_bind") == 0 || + strcmp(view->name, "_default") == 0) + { + vname = ""; + sep = ""; + } else { + vname = view->name; + sep = " "; + } + dns_rdataclass_format(dns_zone_getclass(zone), classstr, + sizeof(classstr)); + dns_name_format(dns_zone_getorigin(zone), + zonename, sizeof(zonename)); + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_SERVER, ISC_LOG_INFO, + "%s zone '%s/%s'%s%s: %s", + freeze ? "freezing" : "unfreezing", + zonename, classstr, sep, vname, + isc_result_totext(result)); + dns_zone_detach(&zone); + return (result); +} diff --git a/usr.sbin/bind/bin/named/unix/include/named/os.h b/usr.sbin/bind/bin/named/unix/include/named/os.h index db427bc99d3..91f2adea124 100644 --- a/usr.sbin/bind/bin/named/unix/include/named/os.h +++ b/usr.sbin/bind/bin/named/unix/include/named/os.h @@ -1,21 +1,21 @@ /* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: os.h,v 1.14.2.2 2002/08/05 06:57:03 marka Exp $ */ +/* $ISC: os.h,v 1.14.2.2.8.8 2004/03/08 04:04:21 marka Exp $ */ #ifndef NS_OS_H #define NS_OS_H 1 @@ -55,6 +55,12 @@ ns_os_writepidfile(const char *filename, isc_boolean_t first_time); void ns_os_shutdown(void); +isc_result_t +ns_os_gethostname(char *buf, size_t len); + +void +ns_os_shutdownmsg(char *command, isc_buffer_t *text); + void ns_os_tzset(void); diff --git a/usr.sbin/bind/bin/named/unix/os.c b/usr.sbin/bind/bin/named/unix/os.c index 8f610ccf1f3..ddd339e8d17 100644 --- a/usr.sbin/bind/bin/named/unix/os.c +++ b/usr.sbin/bind/bin/named/unix/os.c @@ -1,26 +1,26 @@ /* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: os.c,v 1.46.2.4 2002/08/05 06:57:03 marka Exp $ */ +/* $ISC: os.c,v 1.46.2.4.8.16 2004/05/04 03:19:42 marka Exp $ */ #include <config.h> #include <stdarg.h> -#include <sys/types.h> /* dev_t FreeBSD 2.1 */ +#include <sys/types.h> /* dev_t FreeBSD 2.1 */ #include <sys/stat.h> #include <ctype.h> @@ -30,9 +30,14 @@ #include <pwd.h> #include <stdio.h> #include <stdlib.h> +#include <signal.h> #include <syslog.h> +#ifdef HAVE_TZSET +#include <time.h> +#endif #include <unistd.h> +#include <isc/buffer.h> #include <isc/file.h> #include <isc/print.h> #include <isc/result.h> @@ -45,8 +50,13 @@ static char *pidfile = NULL; static int pidfilefd = -1; static isc_boolean_t preopenpidfile = ISC_FALSE; + static int devnullfd = -1; +#ifndef ISC_FACILITY +#define ISC_FACILITY LOG_DAEMON +#endif + /* * If there's no <linux/capability.h>, we don't care about <sys/prctl.h> */ @@ -145,10 +155,10 @@ linux_setcaps(unsigned int caps) { if ((getuid() != 0 && !non_root_caps) || non_root) return; - memset(&caphead, 0, sizeof caphead); + memset(&caphead, 0, sizeof(caphead)); caphead.version = _LINUX_CAPABILITY_VERSION; caphead.pid = 0; - memset(&cap, 0, sizeof cap); + memset(&cap, 0, sizeof(cap)); cap.effective = caps; cap.permitted = caps; cap.inheritable = caps; @@ -273,8 +283,7 @@ setup_syslog(const char *progname) { #ifdef LOG_NDELAY options |= LOG_NDELAY; #endif - - openlog(isc_file_basename(progname), options, LOG_DAEMON); + openlog(isc_file_basename(progname), options, ISC_FACILITY); } void @@ -286,6 +295,9 @@ ns_os_init(const char *progname) { #ifdef HAVE_LINUXTHREADS mainpid = getpid(); #endif +#ifdef SIGXFSZ + signal(SIGXFSZ, SIG_IGN); +#endif } void @@ -349,8 +361,10 @@ void ns_os_closedevnull(void) { if (devnullfd != STDIN_FILENO && devnullfd != STDOUT_FILENO && - devnullfd != STDERR_FILENO) + devnullfd != STDERR_FILENO) { close(devnullfd); + devnullfd = -1; + } } static isc_boolean_t @@ -495,8 +509,11 @@ open_pidfile(const char *filename, isc_boolean_t first_time) { cleanup_pidfile(); - len = strlen(filename) + 1; - pidfile = malloc(len); + if (filename == NULL) + return; + + len = strlen(filename); + pidfile = malloc(len + 1); if (pidfile == NULL) { isc__strerror(errno, strbuf, sizeof(strbuf)); (*report)("couldn't malloc '%s': %s", filename, strbuf); @@ -579,6 +596,60 @@ ns_os_shutdown(void) { if (preopenpidfile == ISC_FALSE) cleanup_pidfile(); } +isc_result_t +ns_os_gethostname(char *buf, size_t len) { + int n; + + n = gethostname(buf, len); + return ((n == 0) ? ISC_R_SUCCESS : ISC_R_FAILURE); +} + +static char * +next_token(char **stringp, const char *delim) { + char *res; + + do { + res = strsep(stringp, delim); + if (res == NULL) + break; + } while (*res == '\0'); + return (res); +} + +void +ns_os_shutdownmsg(char *command, isc_buffer_t *text) { + char *input, *ptr; + unsigned int n; + pid_t pid; + + input = command; + + /* Skip the command name. */ + ptr = next_token(&input, " \t"); + if (ptr == NULL) + return; + + ptr = next_token(&input, " \t"); + if (ptr == NULL) + return; + + if (strcmp(ptr, "-p") != 0) + return; + +#ifdef HAVE_LINUXTHREADS + pid = mainpid; +#else + pid = getpid(); +#endif + + n = snprintf((char *)isc_buffer_used(text), + isc_buffer_availablelength(text), + "pid: %ld", (long)pid); + /* Only send a message if it is complete. */ + if (n < isc_buffer_availablelength(text)) + isc_buffer_add(text, n); +} + void ns_os_tzset(void) { #ifdef HAVE_TZSET diff --git a/usr.sbin/bind/bin/named/update.c b/usr.sbin/bind/bin/named/update.c index 8e2844cca43..129fb7f2d33 100644 --- a/usr.sbin/bind/bin/named/update.c +++ b/usr.sbin/bind/bin/named/update.c @@ -1,21 +1,21 @@ /* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: update.c,v 1.88.2.5 2003/07/22 04:03:34 marka Exp $ */ +/* $ISC: update.c,v 1.88.2.5.2.23 2004/07/23 02:56:52 marka Exp $ */ #include <config.h> @@ -32,10 +32,11 @@ #include <dns/fixedname.h> #include <dns/journal.h> #include <dns/message.h> -#include <dns/nxt.h> +#include <dns/nsec.h> #include <dns/rdataclass.h> #include <dns/rdataset.h> #include <dns/rdatasetiter.h> +#include <dns/rdatatype.h> #include <dns/soa.h> #include <dns/ssu.h> #include <dns/view.h> @@ -99,13 +100,65 @@ */ #define FAILC(code, msg) \ do { \ + const char *_what = "failed"; \ result = (code); \ + switch (result) { \ + case DNS_R_NXDOMAIN: \ + case DNS_R_YXDOMAIN: \ + case DNS_R_YXRRSET: \ + case DNS_R_NXRRSET: \ + _what = "unsuccessful"; \ + } \ update_log(client, zone, LOGLEVEL_PROTOCOL, \ - "update failed: %s (%s)", \ + "update %s: %s (%s)", _what, \ msg, isc_result_totext(result)); \ if (result != ISC_R_SUCCESS) goto failure; \ } while (0) +#define FAILN(code, name, msg) \ + do { \ + const char *_what = "failed"; \ + result = (code); \ + switch (result) { \ + case DNS_R_NXDOMAIN: \ + case DNS_R_YXDOMAIN: \ + case DNS_R_YXRRSET: \ + case DNS_R_NXRRSET: \ + _what = "unsuccessful"; \ + } \ + if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) { \ + char _nbuf[DNS_NAME_FORMATSIZE]; \ + dns_name_format(name, _nbuf, sizeof(_nbuf)); \ + update_log(client, zone, LOGLEVEL_PROTOCOL, \ + "update %s: %s: %s (%s)", _what, _nbuf, \ + msg, isc_result_totext(result)); \ + } \ + if (result != ISC_R_SUCCESS) goto failure; \ + } while (0) + +#define FAILNT(code, name, type, msg) \ + do { \ + const char *_what = "failed"; \ + result = (code); \ + switch (result) { \ + case DNS_R_NXDOMAIN: \ + case DNS_R_YXDOMAIN: \ + case DNS_R_YXRRSET: \ + case DNS_R_NXRRSET: \ + _what = "unsuccessful"; \ + } \ + if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) { \ + char _nbuf[DNS_NAME_FORMATSIZE]; \ + char _tbuf[DNS_RDATATYPE_FORMATSIZE]; \ + dns_name_format(name, _nbuf, sizeof(_nbuf)); \ + dns_rdatatype_format(type, _tbuf, sizeof(_tbuf)); \ + update_log(client, zone, LOGLEVEL_PROTOCOL, \ + "update %s: %s/%s: %s (%s)", \ + _what, _nbuf, _tbuf, msg, \ + isc_result_totext(result)); \ + } \ + if (result != ISC_R_SUCCESS) goto failure; \ + } while (0) /* * Fail unconditionally and log as a server error. * The test against ISC_R_SUCCESS is there to keep the Solaris compiler @@ -114,7 +167,7 @@ #define FAILS(code, msg) \ do { \ result = (code); \ - update_log(client, zone, LOGLEVEL_PROTOCOL, \ + update_log(client, zone, LOGLEVEL_PROTOCOL, \ "error: %s: %s", \ msg, isc_result_totext(result)); \ if (result != ISC_R_SUCCESS) goto failure; \ @@ -176,7 +229,7 @@ update_log(ns_client_t *client, dns_zone_t *zone, sizeof(classbuf)); va_start(ap, fmt); - vsnprintf(message, sizeof message, fmt, ap); + vsnprintf(message, sizeof(message), fmt, ap); va_end(ap); ns_client_log(client, NS_LOGCATEGORY_UPDATE, NS_LOGMODULE_UPDATE, @@ -184,6 +237,38 @@ update_log(ns_client_t *client, dns_zone_t *zone, namebuf, classbuf, message); } +static isc_result_t +checkupdateacl(ns_client_t *client, dns_acl_t *acl, const char *message, + dns_name_t *zonename, isc_boolean_t slave) +{ + char namebuf[DNS_NAME_FORMATSIZE]; + char classbuf[DNS_RDATACLASS_FORMATSIZE]; + int level = ISC_LOG_ERROR; + const char *msg = "denied"; + isc_result_t result; + + if (slave && acl == NULL) { + result = DNS_R_NOTIMP; + level = ISC_LOG_DEBUG(3); + msg = "disabled"; + } else + result = ns_client_checkaclsilent(client, acl, ISC_FALSE); + + if (result == ISC_R_SUCCESS) { + level = ISC_LOG_DEBUG(3); + msg = "approved"; + } + + dns_name_format(zonename, namebuf, sizeof(namebuf)); + dns_rdataclass_format(client->view->rdclass, classbuf, + sizeof(classbuf)); + + ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY, + NS_LOGMODULE_UPDATE, level, "%s '%s/%s' %s", + message, namebuf, classbuf, msg); + return (result); +} + /* * Update a single RR in version 'ver' of 'db' and log the * update in 'diff'. @@ -618,11 +703,11 @@ ssu_checkrule(void *data, dns_rdataset_t *rrset) { isc_boolean_t result; /* - * If we're deleting all records, it's ok to delete SIG and NXT even + * If we're deleting all records, it's ok to delete RRSIG and NSEC even * if we're normally not allowed to. */ - if (rrset->type == dns_rdatatype_sig || - rrset->type == dns_rdatatype_nxt) + if (rrset->type == dns_rdatatype_rrsig || + rrset->type == dns_rdatatype_nsec) return (ISC_TRUE); result = dns_ssutable_checkrules(ssuinfo->table, ssuinfo->signer, ssuinfo->name, rrset->type); @@ -725,11 +810,13 @@ temp_order(const void *av, const void *bv) { * * Return ISC_R_SUCCESS if the prerequisites are satisfied, * rcode(dns_rcode_nxrrset) if not. + * + * 'temp' must be pre-sorted. */ static isc_result_t temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db, - dns_dbversion_t *ver) + dns_dbversion_t *ver, dns_name_t *tmpname, dns_rdatatype_t *typep) { isc_result_t result; dns_name_t *name; @@ -737,18 +824,6 @@ temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db, dns_difftuple_t *t; dns_diff_t trash; - /* Exit early if the list is empty (for efficiency only). */ - if (ISC_LIST_HEAD(temp->tuples) == NULL) - return (ISC_R_SUCCESS); - - /* - * Sort the prerequisite records by owner name, - * type, and rdata. - */ - result = dns_diff_sort(temp, temp_order); - if (result != ISC_R_SUCCESS) - return (result); - dns_diff_init(mctx, &trash); /* @@ -759,6 +834,8 @@ temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db, t = ISC_LIST_HEAD(temp->tuples); while (t != NULL) { name = &t->name; + (void)dns_name_copy(name, tmpname, NULL); + *typep = t->rdata.type; /* A new unique name begins here. */ node = NULL; @@ -777,8 +854,9 @@ temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db, dns_diff_t u_rrs; /* Update RRs with this name and type */ - type = t->rdata.type; - if (type == dns_rdatatype_sig) + *typep = type = t->rdata.type; + if (type == dns_rdatatype_rrsig || + type == dns_rdatatype_sig) covers = dns_rdata_covers(&t->rdata); else covers = 0; @@ -925,7 +1003,7 @@ rr_equal_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) { * Return true iff 'update_rr' should replace 'db_rr' according * to the special RFC2136 rules for CNAME, SOA, and WKS records. * - * RFC2136 does not mention NXT or DNAME, but multiple NXTs or DNAMEs + * RFC2136 does not mention NSEC or DNAME, but multiple NSECs or DNAMEs * make little sense, so we replace those, too. */ static isc_boolean_t @@ -938,7 +1016,7 @@ replaces_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) { return (ISC_TRUE); if (db_rr->type == dns_rdatatype_soa) return (ISC_TRUE); - if (db_rr->type == dns_rdatatype_nxt) + if (db_rr->type == dns_rdatatype_nsec) return (ISC_TRUE); if (db_rr->type == dns_rdatatype_wks) { /* @@ -1027,14 +1105,16 @@ add_rr_prepare_action(void *data, rr_t *rr) { isc_result_t result = ISC_R_SUCCESS; add_rr_prepare_ctx_t *ctx = data; dns_difftuple_t *tuple = NULL; + isc_boolean_t equal; /* * If the update RR is a "duplicate" of the update RR, * the update should be silently ignored. */ - if (dns_rdata_compare(&rr->rdata, ctx->update_rr) == 0 && - rr->ttl == ctx->update_rr_ttl) { + equal = ISC_TF(dns_rdata_compare(&rr->rdata, ctx->update_rr) == 0); + if (equal && rr->ttl == ctx->update_rr_ttl) { ctx->ignore_add = ISC_TRUE; + return (ISC_R_SUCCESS); } /* @@ -1062,12 +1142,14 @@ add_rr_prepare_action(void *data, rr_t *rr) { &rr->rdata, &tuple)); dns_diff_append(&ctx->del_diff, &tuple); - CHECK(dns_difftuple_create(ctx->add_diff.mctx, - DNS_DIFFOP_ADD, ctx->name, - ctx->update_rr_ttl, - &rr->rdata, - &tuple)); - dns_diff_append(&ctx->add_diff, &tuple); + if (!equal) { + CHECK(dns_difftuple_create(ctx->add_diff.mctx, + DNS_DIFFOP_ADD, ctx->name, + ctx->update_rr_ttl, + &rr->rdata, + &tuple)); + dns_diff_append(&ctx->add_diff, &tuple); + } } failure: return (result); @@ -1200,7 +1282,7 @@ check_soa_increment(dns_db_t *db, dns_dbversion_t *ver, /**************************************************************************/ /* - * Incremental updating of NXTs and SIGs. + * Incremental updating of NSECs and RRSIGs. */ #define MAXZONEKEYS 32 /* Maximum number of zone keys supported. */ @@ -1240,9 +1322,8 @@ namelist_append_subdomain(dns_db_t *db, dns_name_t *name, dns_diff_t *affected) result = dns_dbiterator_next(dbit)) { dns_dbnode_t *node = NULL; - result = dns_dbiterator_current(dbit, &node, child); + CHECK(dns_dbiterator_current(dbit, &node, child)); dns_db_detachnode(db, &node); - CHECK(result); if (! dns_name_issubdomain(child, name)) break; CHECK(namelist_append_name(affected, child)); @@ -1258,20 +1339,20 @@ namelist_append_subdomain(dns_db_t *db, dns_name_t *name, dns_diff_t *affected) /* - * Helper function for non_nxt_rrset_exists(). + * Helper function for non_nsec_rrset_exists(). */ static isc_result_t -is_non_nxt_action(void *data, dns_rdataset_t *rrset) { +is_non_nsec_action(void *data, dns_rdataset_t *rrset) { UNUSED(data); - if (!(rrset->type == dns_rdatatype_nxt || - (rrset->type == dns_rdatatype_sig && - rrset->covers == dns_rdatatype_nxt))) + if (!(rrset->type == dns_rdatatype_nsec || + (rrset->type == dns_rdatatype_rrsig && + rrset->covers == dns_rdatatype_nsec))) return (ISC_R_EXISTS); return (ISC_R_SUCCESS); } /* - * Check whether there is an rrset other than a NXT or SIG NXT, + * Check whether there is an rrset other than a NSEC or RRSIG NSEC, * i.e., anything that justifies the continued existence of a name * after a secure update. * @@ -1279,12 +1360,12 @@ is_non_nxt_action(void *data, dns_rdataset_t *rrset) { * Otherwise, set it to ISC_FALSE. */ static isc_result_t -non_nxt_rrset_exists(dns_db_t *db, dns_dbversion_t *ver, +non_nsec_rrset_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, isc_boolean_t *exists) { isc_result_t result; result = foreach_rrset(db, ver, name, - is_non_nxt_action, NULL); + is_non_nsec_action, NULL); RETURN_EXISTENCE_FLAG; } @@ -1340,7 +1421,7 @@ is_glue(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, return (ISC_R_SUCCESS); } else if (result == DNS_R_ZONECUT) { /* - * We are at the zonecut. The name will have an NXT, but + * We are at the zonecut. The name will have an NSEC, but * non-delegation will be omitted from the type bit map. */ *flag = ISC_FALSE; @@ -1354,18 +1435,19 @@ is_glue(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, } /* - * Find the next/previous name that has a NXT record. + * Find the next/previous name that has a NSEC record. * In other words, skip empty database nodes and names that - * have had their NXTs removed because they are obscured by + * have had their NSECs removed because they are obscured by * a zone cut. */ static isc_result_t -next_active(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *oldname, - dns_name_t *newname, isc_boolean_t forward) +next_active(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, + dns_dbversion_t *ver, dns_name_t *oldname, dns_name_t *newname, + isc_boolean_t forward) { isc_result_t result; dns_dbiterator_t *dbit = NULL; - isc_boolean_t has_nxt; + isc_boolean_t has_nsec; unsigned int wraps = 0; CHECK(dns_db_createiterator(db, ISC_FALSE, &dbit)); @@ -1388,15 +1470,13 @@ next_active(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *oldname, CHECK(dns_dbiterator_last(dbit)); wraps++; if (wraps == 2) { - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_UPDATE, - NS_LOGMODULE_UPDATE, - ISC_LOG_ERROR, - "secure zone with no NXTs"); + update_log(client, zone, ISC_LOG_ERROR, + "secure zone with no NSECs"); result = DNS_R_BADZONE; goto failure; } } - dns_dbiterator_current(dbit, &node, newname); + CHECK(dns_dbiterator_current(dbit, &node, newname)); dns_db_detachnode(db, &node); /* @@ -1407,9 +1487,9 @@ next_active(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *oldname, */ CHECK(dns_dbiterator_pause(dbit)); CHECK(rrset_exists(db, ver, newname, - dns_rdatatype_nxt, 0, &has_nxt)); + dns_rdatatype_nsec, 0, &has_nsec)); - } while (! has_nxt); + } while (! has_nsec); failure: if (dbit != NULL) dns_dbiterator_destroy(&dbit); @@ -1418,15 +1498,16 @@ next_active(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *oldname, } /* - * Add a NXT record for "name", recording the change in "diff". - * The existing NXT is removed. + * Add a NSEC record for "name", recording the change in "diff". + * The existing NSEC is removed. */ static isc_result_t -add_nxt(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_diff_t *diff) +add_nsec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, + dns_dbversion_t *ver, dns_name_t *name, dns_diff_t *diff) { isc_result_t result; dns_dbnode_t *node = NULL; - unsigned char buffer[DNS_NXT_BUFFERSIZE]; + unsigned char buffer[DNS_NSEC_BUFFERSIZE]; dns_rdata_t rdata = DNS_RDATA_INIT; dns_difftuple_t *tuple = NULL; dns_fixedname_t fixedname; @@ -1436,25 +1517,25 @@ add_nxt(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_diff_t *diff) target = dns_fixedname_name(&fixedname); /* - * Find the successor name, aka NXT target. + * Find the successor name, aka NSEC target. */ - CHECK(next_active(db, ver, name, target, ISC_TRUE)); + CHECK(next_active(client, zone, db, ver, name, target, ISC_TRUE)); /* - * Create the NXT RDATA. + * Create the NSEC RDATA. */ CHECK(dns_db_findnode(db, name, ISC_FALSE, &node)); dns_rdata_init(&rdata); - CHECK(dns_nxt_buildrdata(db, ver, node, target, buffer, &rdata)); + CHECK(dns_nsec_buildrdata(db, ver, node, target, buffer, &rdata)); dns_db_detachnode(db, &node); /* - * Delete the old NXT and record the change. + * Delete the old NSEC and record the change. */ - CHECK(delete_if(true_p, db, ver, name, dns_rdatatype_nxt, 0, + CHECK(delete_if(true_p, db, ver, name, dns_rdatatype_nsec, 0, NULL, diff)); /* - * Add the new NXT and record the change. + * Add the new NSEC and record the change. */ CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name, 3600, /* XXXRTH */ @@ -1469,10 +1550,10 @@ add_nxt(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_diff_t *diff) } /* - * Add a placeholder NXT record for "name", recording the change in "diff". + * Add a placeholder NSEC record for "name", recording the change in "diff". */ static isc_result_t -add_placeholder_nxt(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, +add_placeholder_nsec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_diff_t *diff) { isc_result_t result; dns_difftuple_t *tuple = NULL; @@ -1481,8 +1562,8 @@ add_placeholder_nxt(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_rdata_t rdata = DNS_RDATA_INIT; r.base = data; - r.length = sizeof data; - dns_rdata_fromregion(&rdata, dns_db_class(db), dns_rdatatype_nxt, &r); + r.length = sizeof(data); + dns_rdata_fromregion(&rdata, dns_db_class(db), dns_rdatatype_nsec, &r); CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name, 0, &rdata, &tuple)); CHECK(do_one_tuple(&tuple, db, ver, diff)); @@ -1491,14 +1572,16 @@ add_placeholder_nxt(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, } static isc_result_t -find_zone_keys(dns_db_t *db, dns_dbversion_t *ver, isc_mem_t *mctx, - unsigned int maxkeys, dst_key_t **keys, unsigned int *nkeys) +find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, + isc_mem_t *mctx, unsigned int maxkeys, + dst_key_t **keys, unsigned int *nkeys) { isc_result_t result; dns_dbnode_t *node = NULL; + const char *directory = dns_zone_getkeydirectory(zone); CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node)); - CHECK(dns_dnssec_findzonekeys(db, ver, node, dns_db_origin(db), - mctx, maxkeys, keys, nkeys)); + CHECK(dns_dnssec_findzonekeys2(db, ver, node, dns_db_origin(db), + directory, mctx, maxkeys, keys, nkeys)); failure: if (node != NULL) dns_db_detachnode(db, &node); @@ -1506,7 +1589,7 @@ find_zone_keys(dns_db_t *db, dns_dbversion_t *ver, isc_mem_t *mctx, } /* - * Add SIG records for an RRset, recording the change in "diff". + * Add RRSIG records for an RRset, recording the change in "diff". */ static isc_result_t add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, @@ -1533,12 +1616,12 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_db_detachnode(db, &node); for (i = 0; i < nkeys; i++) { - /* Calculate the signature, creating a SIG RDATA. */ + /* Calculate the signature, creating a RRSIG RDATA. */ CHECK(dns_dnssec_sign(name, &rdataset, keys[i], &inception, &expire, mctx, &buffer, &sig_rdata)); - /* Update the database and journal with the SIG. */ + /* Update the database and journal with the RRSIG. */ /* XXX inefficient - will cause dataset merging */ CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADD, name, rdataset.ttl, &sig_rdata)); @@ -1554,48 +1637,46 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, } /* - * Update SIG and NXT records affected by an update. The original - * update, including the SOA serial update but exluding the SIG & NXT + * Update RRSIG and NSEC records affected by an update. The original + * update, including the SOA serial update but exluding the RRSIG & NSEC * changes, is in "diff" and has already been applied to "newver" of "db". * The database version prior to the update is "oldver". * - * The necessary SIG and NXT changes will be applied to "newver" + * The necessary RRSIG and NSEC changes will be applied to "newver" * and added (as a minimal diff) to "diff". * - * The SIGs generated will be valid for 'sigvalidityinterval' seconds. + * The RRSIGs generated will be valid for 'sigvalidityinterval' seconds. */ static isc_result_t -update_signatures(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *oldver, - dns_dbversion_t *newver, dns_diff_t *diff, - isc_uint32_t sigvalidityinterval) +update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, + dns_dbversion_t *oldver, dns_dbversion_t *newver, + dns_diff_t *diff, isc_uint32_t sigvalidityinterval) { isc_result_t result; dns_difftuple_t *t; dns_diff_t diffnames; dns_diff_t affected; dns_diff_t sig_diff; - dns_diff_t nxt_diff; - dns_diff_t nxt_mindiff; + dns_diff_t nsec_diff; + dns_diff_t nsec_mindiff; isc_boolean_t flag; dst_key_t *zone_keys[MAXZONEKEYS]; unsigned int nkeys = 0; unsigned int i; isc_stdtime_t now, inception, expire; - dns_diff_init(mctx, &diffnames); - dns_diff_init(mctx, &affected); + dns_diff_init(client->mctx, &diffnames); + dns_diff_init(client->mctx, &affected); - dns_diff_init(mctx, &sig_diff); - dns_diff_init(mctx, &nxt_diff); - dns_diff_init(mctx, &nxt_mindiff); + dns_diff_init(client->mctx, &sig_diff); + dns_diff_init(client->mctx, &nsec_diff); + dns_diff_init(client->mctx, &nsec_mindiff); - result = find_zone_keys(db, newver, mctx, + result = find_zone_keys(zone, db, newver, client->mctx, MAXZONEKEYS, zone_keys, &nkeys); if (result != ISC_R_SUCCESS) { - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_UPDATE, - NS_LOGMODULE_UPDATE, ISC_LOG_ERROR, - "could not get zone keys for secure " - "dynamic update"); + update_log(client, zone, ISC_LOG_ERROR, + "could not get zone keys for secure dynamic update"); goto failure; } @@ -1605,7 +1686,7 @@ update_signatures(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *oldver, /* * Find all RRsets directly affected by the update, and - * update their SIGs. Also build a list of names affected + * update their RRSIGs. Also build a list of names affected * by the update in "diffnames". */ CHECK(dns_diff_sort(diff, temp_order)); @@ -1626,17 +1707,17 @@ update_signatures(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *oldver, * affected by the update. */ - /* Don't sign SIGs. */ - if (type == dns_rdatatype_sig) + /* Don't sign RRSIGs. */ + if (type == dns_rdatatype_rrsig) goto skip; /* - * Delete all old SIGs covering this type, since they + * Delete all old RRSIGs covering this type, since they * are all invalid when the signed RRset has changed. * We may not be able to recreate all of them - tough. */ CHECK(delete_if(true_p, db, newver, name, - dns_rdatatype_sig, type, + dns_rdatatype_rrsig, type, NULL, &sig_diff)); /* @@ -1647,7 +1728,8 @@ update_signatures(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *oldver, if (flag) { CHECK(add_sigs(db, newver, name, type, &sig_diff, zone_keys, nkeys, - mctx, inception, expire)); + client->mctx, inception, + expire)); } skip: /* Skip any other updates to the same RRset. */ @@ -1660,12 +1742,12 @@ update_signatures(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *oldver, } } - /* Remove orphaned NXTs and SIG NXTs. */ + /* Remove orphaned NSECs and RRSIG NSECs. */ for (t = ISC_LIST_HEAD(diffnames.tuples); t != NULL; t = ISC_LIST_NEXT(t, link)) { - CHECK(non_nxt_rrset_exists(db, newver, &t->name, &flag)); + CHECK(non_nsec_rrset_exists(db, newver, &t->name, &flag)); if (! flag) { CHECK(delete_if(true_p, db, newver, &t->name, dns_rdatatype_any, 0, @@ -1675,7 +1757,7 @@ update_signatures(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *oldver, /* * When a name is created or deleted, its predecessor needs to - * have its NXT updated. + * have its NSEC updated. */ for (t = ISC_LIST_HEAD(diffnames.tuples); t != NULL; @@ -1697,13 +1779,14 @@ update_signatures(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *oldver, * Find the predecessor. * When names become obscured or unobscured in this update * transaction, we may find the wrong predecessor because - * the NXTs have not yet been updated to reflect the delegation + * the NSECs have not yet been updated to reflect the delegation * change. This should not matter because in this case, * the correct predecessor is either the delegation node or * a newly unobscured node, and those nodes are on the * "affected" list in any case. */ - CHECK(next_active(db, newver, &t->name, prevname, ISC_FALSE)); + CHECK(next_active(client, zone, db, newver, + &t->name, prevname, ISC_FALSE)); CHECK(namelist_append_name(&affected, prevname)); } @@ -1731,7 +1814,7 @@ update_signatures(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *oldver, continue; /* * There was a delegation change. Mark all subdomains - * of t->name as potentially needing a NXT update. + * of t->name as potentially needing a NSEC update. */ CHECK(namelist_append_subdomain(db, &t->name, &affected)); } @@ -1742,11 +1825,11 @@ update_signatures(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *oldver, CHECK(uniqify_name_list(&affected)); /* - * Determine which names should have NXTs, and delete/create - * NXTs to make it so. We don't know the final NXT targets yet, - * so we just create placeholder NXTs with arbitrary contents + * Determine which names should have NSECs, and delete/create + * NSECs to make it so. We don't know the final NSEC targets yet, + * so we just create placeholder NSECs with arbitrary contents * to indicate that their respective owner names should be part of - * the NXT chain. + * the NSEC chain. */ for (t = ISC_LIST_HEAD(affected.tuples); t != NULL; @@ -1760,26 +1843,25 @@ update_signatures(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *oldver, if (flag) { /* * This name is obscured. Delete any - * existing NXT record. + * existing NSEC record. */ CHECK(delete_if(true_p, db, newver, &t->name, - dns_rdatatype_nxt, 0, - NULL, &nxt_diff)); + dns_rdatatype_nsec, 0, + NULL, &nsec_diff)); } else { /* - * This name is not obscured. It should have a NXT. + * This name is not obscured. It should have a NSEC. */ CHECK(rrset_exists(db, newver, &t->name, - dns_rdatatype_nxt, 0, &flag)); - if (! flag) { - add_placeholder_nxt(db, newver, &t->name, - diff); - } + dns_rdatatype_nsec, 0, &flag)); + if (! flag) + CHECK(add_placeholder_nsec(db, newver, &t->name, + diff)); } } /* - * Now we know which names are part of the NXT chain. + * Now we know which names are part of the NSEC chain. * Make them all point at their correct targets. */ for (t = ISC_LIST_HEAD(affected.tuples); @@ -1787,51 +1869,52 @@ update_signatures(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *oldver, t = ISC_LIST_NEXT(t, link)) { CHECK(rrset_exists(db, newver, &t->name, - dns_rdatatype_nxt, 0, &flag)); + dns_rdatatype_nsec, 0, &flag)); if (flag) { /* - * There is a NXT, but we don't know if it is correct. + * There is a NSEC, but we don't know if it is correct. * Delete it and create a correct one to be sure. * If the update was unnecessary, the diff minimization * will take care of eliminating it from the journal, * IXFRs, etc. * - * The SIG bit should always be set in the NXTs - * we generate, because they will all get SIG NXTs. + * The RRSIG bit should always be set in the NSECs + * we generate, because they will all get RRSIG NSECs. * (XXX what if the zone keys are missing?). - * Because the SIG NXTs have not necessarily been + * Because the RRSIG NSECs have not necessarily been * created yet, the correctness of the bit mask relies - * on the assumption that NXTs are only created if + * on the assumption that NSECs are only created if * there is other data, and if there is other data, - * there are other SIGs. + * there are other RRSIGs. */ - CHECK(add_nxt(db, newver, &t->name, &nxt_diff)); + CHECK(add_nsec(client, zone, db, newver, + &t->name, &nsec_diff)); } } /* - * Minimize the set of NXT updates so that we don't - * have to regenerate the SIG NXTs for NXTs that were + * Minimize the set of NSEC updates so that we don't + * have to regenerate the RRSIG NSECs for NSECs that were * replaced with identical ones. */ - while ((t = ISC_LIST_HEAD(nxt_diff.tuples)) != NULL) { - ISC_LIST_UNLINK(nxt_diff.tuples, t, link); - dns_diff_appendminimal(&nxt_mindiff, &t); + while ((t = ISC_LIST_HEAD(nsec_diff.tuples)) != NULL) { + ISC_LIST_UNLINK(nsec_diff.tuples, t, link); + dns_diff_appendminimal(&nsec_mindiff, &t); } - /* Update SIG NXTs. */ - for (t = ISC_LIST_HEAD(nxt_mindiff.tuples); + /* Update RRSIG NSECs. */ + for (t = ISC_LIST_HEAD(nsec_mindiff.tuples); t != NULL; t = ISC_LIST_NEXT(t, link)) { if (t->op == DNS_DIFFOP_DEL) { CHECK(delete_if(true_p, db, newver, &t->name, - dns_rdatatype_sig, dns_rdatatype_nxt, + dns_rdatatype_rrsig, dns_rdatatype_nsec, NULL, &sig_diff)); } else if (t->op == DNS_DIFFOP_ADD) { - CHECK(add_sigs(db, newver, &t->name, dns_rdatatype_nxt, - &sig_diff, zone_keys, nkeys, mctx, - inception, expire)); + CHECK(add_sigs(db, newver, &t->name, dns_rdatatype_nsec, + &sig_diff, zone_keys, nkeys, + client->mctx, inception, expire)); } else { INSIST(0); } @@ -1842,19 +1925,19 @@ update_signatures(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *oldver, ISC_LIST_UNLINK(sig_diff.tuples, t, link); dns_diff_appendminimal(diff, &t); } - while ((t = ISC_LIST_HEAD(nxt_mindiff.tuples)) != NULL) { - ISC_LIST_UNLINK(nxt_mindiff.tuples, t, link); + while ((t = ISC_LIST_HEAD(nsec_mindiff.tuples)) != NULL) { + ISC_LIST_UNLINK(nsec_mindiff.tuples, t, link); dns_diff_appendminimal(diff, &t); } INSIST(ISC_LIST_EMPTY(sig_diff.tuples)); - INSIST(ISC_LIST_EMPTY(nxt_diff.tuples)); - INSIST(ISC_LIST_EMPTY(nxt_mindiff.tuples)); + INSIST(ISC_LIST_EMPTY(nsec_diff.tuples)); + INSIST(ISC_LIST_EMPTY(nsec_mindiff.tuples)); failure: dns_diff_clear(&sig_diff); - dns_diff_clear(&nxt_diff); - dns_diff_clear(&nxt_mindiff); + dns_diff_clear(&nsec_diff); + dns_diff_clear(&nsec_mindiff); dns_diff_clear(&affected); dns_diff_clear(&diffnames); @@ -1889,14 +1972,16 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) { evclient = NULL; ns_client_attach(client, &evclient); + INSIST(client->nupdates == 0); + client->nupdates++; event->ev_arg = evclient; dns_zone_gettask(zone, &zonetask); - isc_task_send(zonetask, (isc_event_t **)&event); + isc_task_send(zonetask, ISC_EVENT_PTR(&event)); failure: if (event != NULL) - isc_event_free((isc_event_t **)&event); + isc_event_free(ISC_EVENT_PTR(&event)); return (result); } @@ -1973,9 +2058,8 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) { CHECK(send_update_event(client, zone)); break; case dns_zone_slave: - CHECK(ns_client_checkacl(client, "update forwarding", - dns_zone_getforwardacl(zone), - ISC_FALSE, ISC_LOG_ERROR)); + CHECK(checkupdateacl(client, dns_zone_getforwardacl(zone), + "update forwarding", zonename, ISC_TRUE)); CHECK(send_forward_event(client, zone)); break; default: @@ -1995,6 +2079,41 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) { dns_zone_detach(&zone); } +/* + * DS records are not allowed to exist without corresponding NS records, + * draft-ietf-dnsext-delegation-signer-11.txt, 2.2 Protocol Change, + * "DS RRsets MUST NOT appear at non-delegation points or at a zone's apex". + */ + +static isc_result_t +remove_orphaned_ds(dns_db_t *db, dns_dbversion_t *newver, dns_diff_t *diff) { + isc_result_t result; + isc_boolean_t ns_exists, ds_exists; + dns_difftuple_t *t; + + for (t = ISC_LIST_HEAD(diff->tuples); + t != NULL; + t = ISC_LIST_NEXT(t, link)) { + if (t->op != DNS_DIFFOP_DEL || + t->rdata.type != dns_rdatatype_ns) + continue; + CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_ns, 0, + &ns_exists)); + if (ns_exists) + continue; + CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_ds, 0, + &ds_exists)); + if (!ds_exists) + continue; + CHECK(delete_if(true_p, db, newver, &t->name, + dns_rdatatype_ds, 0, NULL, diff)); + } + return (ISC_R_SUCCESS); + + failure: + return (result); +} + static void update_action(isc_task_t *task, isc_event_t *event) { update_event_t *uev = (update_event_t *) event; @@ -2014,6 +2133,8 @@ update_action(isc_task_t *task, isc_event_t *event) { dns_rdataclass_t zoneclass; dns_name_t *zonename; dns_ssutable_t *ssutable = NULL; + dns_fixedname_t tmpnamefixed; + dns_name_t *tmpname = NULL; INSIST(event->ev_type == DNS_EVENT_UPDATE); @@ -2048,7 +2169,7 @@ update_action(isc_task_t *task, isc_event_t *event) { FAILC(DNS_R_FORMERR, "prerequisite TTL is not zero"); if (! dns_name_issubdomain(name, zonename)) - FAILC(DNS_R_NOTZONE, + FAILN(DNS_R_NOTZONE, name, "prerequisite name is out of zone"); if (update_class == dns_rdataclass_any) { @@ -2059,7 +2180,7 @@ update_action(isc_task_t *task, isc_event_t *event) { if (rdata.type == dns_rdatatype_any) { CHECK(name_exists(db, ver, name, &flag)); if (! flag) { - FAILC(DNS_R_NXDOMAIN, + FAILN(DNS_R_NXDOMAIN, name, "'name in use' prerequisite " "not satisfied"); } @@ -2068,7 +2189,7 @@ update_action(isc_task_t *task, isc_event_t *event) { rdata.type, covers, &flag)); if (! flag) { /* RRset does not exist. */ - FAILC(DNS_R_NXRRSET, + FAILNT(DNS_R_NXRRSET, name, rdata.type, "'rrset exists (value independent)' " "prerequisite not satisfied"); } @@ -2081,7 +2202,7 @@ update_action(isc_task_t *task, isc_event_t *event) { if (rdata.type == dns_rdatatype_any) { CHECK(name_exists(db, ver, name, &flag)); if (flag) { - FAILC(DNS_R_YXDOMAIN, + FAILN(DNS_R_YXDOMAIN, name, "'name not in use' prerequisite " "not satisfied"); } @@ -2090,9 +2211,9 @@ update_action(isc_task_t *task, isc_event_t *event) { rdata.type, covers, &flag)); if (flag) { /* RRset exists. */ - FAILC(DNS_R_YXRRSET, - "'rrset does not exist' " - "prerequisite not satisfied"); + FAILNT(DNS_R_YXRRSET, name, rdata.type, + "'rrset does not exist' " + "prerequisite not satisfied"); } } } else if (update_class == zoneclass) { @@ -2111,14 +2232,31 @@ update_action(isc_task_t *task, isc_event_t *event) { if (result != ISC_R_NOMORE) FAIL(result); + /* * Perform the final check of the "rrset exists (value dependent)" * prerequisites. */ - result = temp_check(mctx, &temp, db, ver); - if (result != ISC_R_SUCCESS) - FAILC(result, "'RRset exists (value dependent)' " - "prerequisite not satisfied"); + if (ISC_LIST_HEAD(temp.tuples) != NULL) { + dns_rdatatype_t type; + + /* + * Sort the prerequisite records by owner name, + * type, and rdata. + */ + result = dns_diff_sort(&temp, temp_order); + if (result != ISC_R_SUCCESS) + FAILC(result, "'RRset exists (value dependent)' " + "prerequisite not satisfied"); + + dns_fixedname_init(&tmpnamefixed); + tmpname = dns_fixedname_name(&tmpnamefixed); + result = temp_check(mctx, &temp, db, ver, tmpname, &type); + if (result != ISC_R_SUCCESS) + FAILNT(result, tmpname, type, + "'RRset exists (value dependent)' " + "prerequisite not satisfied"); + } update_log(client, zone, LOGLEVEL_DEBUG, "prerequisites are OK"); @@ -2127,23 +2265,16 @@ update_action(isc_task_t *task, isc_event_t *event) { * Check Requestor's Permissions. It seems a bit silly to do this * only after prerequisite testing, but that is what RFC2136 says. */ - if (ssutable == NULL) { - char msg[DNS_RDATACLASS_FORMATSIZE + DNS_NAME_FORMATSIZE - + sizeof("update '/'")]; - ns_client_aclmsg("update", zonename, client->view->rdclass, - msg, sizeof(msg)); - CHECK(ns_client_checkacl(client, msg, - dns_zone_getupdateacl(zone), - ISC_FALSE, ISC_LOG_ERROR)); - } else if (client->signer == NULL) { - /* This gets us a free log message. */ - char msg[DNS_RDATACLASS_FORMATSIZE + DNS_NAME_FORMATSIZE - + sizeof("update '/'")]; - ns_client_aclmsg("update", zonename, client->view->rdclass, - msg, sizeof(msg)); - CHECK(ns_client_checkacl(client, msg, NULL, ISC_FALSE, - ISC_LOG_ERROR)); - } + result = ISC_R_SUCCESS; + if (ssutable == NULL) + CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone), + "update", zonename, ISC_FALSE)); + else if (client->signer == NULL) + CHECK(checkupdateacl(client, NULL, "update", zonename, + ISC_FALSE)); + + if (dns_zone_getupdatedisabled(zone)) + FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled"); /* * Perform the Update Section Prescan. @@ -2173,6 +2304,9 @@ update_action(isc_task_t *task, isc_event_t *event) { FAILC(DNS_R_FORMERR, "meta-RR in update"); } + result = dns_zone_checknames(zone, name, &rdata); + if (result != ISC_R_SUCCESS) + FAIL(DNS_R_REFUSED); } else if (update_class == dns_rdataclass_any) { if (ttl != 0 || rdata.length != 0 || (dns_rdatatype_ismeta(rdata.type) && @@ -2193,17 +2327,17 @@ update_action(isc_task_t *task, isc_event_t *event) { /* * draft-ietf-dnsind-simple-secure-update-01 says * "Unlike traditional dynamic update, the client - * is forbidden from updating NXT records." + * is forbidden from updating NSEC records." */ if (dns_db_issecure(db)) { - if (rdata.type == dns_rdatatype_nxt) { + if (rdata.type == dns_rdatatype_nsec) { FAILC(DNS_R_REFUSED, - "explicit NXT updates are not allowed " + "explicit NSEC updates are not allowed " "in secure zones"); } - else if (rdata.type == dns_rdatatype_sig) { + else if (rdata.type == dns_rdatatype_rrsig) { FAILC(DNS_R_REFUSED, - "explicit SIG updates are currently not " + "explicit RRSIG updates are currently not " "supported in secure zones"); } } @@ -2248,6 +2382,28 @@ update_action(isc_task_t *task, isc_event_t *event) { &name, &rdata, &covers, &ttl, &update_class); if (update_class == zoneclass) { + + /* + * RFC 1123 doesn't allow MF and MD in master zones. */ + if (rdata.type == dns_rdatatype_md || + rdata.type == dns_rdatatype_mf) { + char typebuf[DNS_RDATATYPE_FORMATSIZE]; + + dns_rdatatype_format(rdata.type, typebuf, + sizeof(typebuf)); + update_log(client, zone, LOGLEVEL_PROTOCOL, + "attempt to add %s ignored", + typebuf); + continue; + } + if (rdata.type == dns_rdatatype_ns && + dns_name_iswildcard(name)) { + update_log(client, zone, + LOGLEVEL_PROTOCOL, + "attempt to add wildcard NS record" + "ignored"); + continue; + } if (rdata.type == dns_rdatatype_cname) { CHECK(cname_incompatible_rrset_exists(db, ver, name, @@ -2298,9 +2454,19 @@ update_action(isc_task_t *task, isc_event_t *event) { } soa_serial_changed = ISC_TRUE; } - - update_log(client, zone, - LOGLEVEL_PROTOCOL, "adding an RR"); + + if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) { + char namestr[DNS_NAME_FORMATSIZE]; + char typestr[DNS_RDATATYPE_FORMATSIZE]; + dns_name_format(name, namestr, + sizeof(namestr)); + dns_rdatatype_format(rdata.type, typestr, + sizeof(typestr)); + update_log(client, zone, + LOGLEVEL_PROTOCOL, + "adding an RR at '%s' %s", + namestr, typestr); + } /* Prepare the affected RRset for the addition. */ { @@ -2314,8 +2480,9 @@ update_action(isc_task_t *task, isc_event_t *event) { ctx.ignore_add = ISC_FALSE; dns_diff_init(mctx, &ctx.del_diff); dns_diff_init(mctx, &ctx.add_diff); - CHECK(foreach_rr(db, ver, name, rdata.type, covers, - add_rr_prepare_action, &ctx)); + CHECK(foreach_rr(db, ver, name, rdata.type, + covers, add_rr_prepare_action, + &ctx)); if (ctx.ignore_add) { dns_diff_clear(&ctx.del_diff); @@ -2330,9 +2497,17 @@ update_action(isc_task_t *task, isc_event_t *event) { } } else if (update_class == dns_rdataclass_any) { if (rdata.type == dns_rdatatype_any) { - update_log(client, zone, - LOGLEVEL_PROTOCOL, - "delete all rrsets from a name"); + if (isc_log_wouldlog(ns_g_lctx, + LOGLEVEL_PROTOCOL)) + { + char namestr[DNS_NAME_FORMATSIZE]; + dns_name_format(name, namestr, + sizeof(namestr)); + update_log(client, zone, + LOGLEVEL_PROTOCOL, + "delete all rrsets from " + "name '%s'", namestr); + } if (dns_name_equal(name, zonename)) { CHECK(delete_if(type_not_soa_nor_ns_p, db, ver, name, @@ -2352,9 +2527,21 @@ update_action(isc_task_t *task, isc_event_t *event) { "or NS records ignored"); continue; } else { - update_log(client, zone, - LOGLEVEL_PROTOCOL, - "deleting an rrset"); + if (isc_log_wouldlog(ns_g_lctx, + LOGLEVEL_PROTOCOL)) + { + char namestr[DNS_NAME_FORMATSIZE]; + char typestr[DNS_RDATATYPE_FORMATSIZE]; + dns_name_format(name, namestr, + sizeof(namestr)); + dns_rdatatype_format(rdata.type, + typestr, + sizeof(typestr)); + update_log(client, zone, + LOGLEVEL_PROTOCOL, + "deleting rrset at '%s' %s", + namestr, typestr); + } CHECK(delete_if(true_p, db, ver, name, rdata.type, covers, &rdata, &diff)); @@ -2399,7 +2586,7 @@ update_action(isc_task_t *task, isc_event_t *event) { /* * If any changes were made, increment the SOA serial number, - * update SIGs and NXTs (if zone is secure), and write the update + * update RRSIGs and NSECs (if zone is secure), and write the update * to the journal. */ if (! ISC_LIST_EMPTY(diff.tuples)) { @@ -2414,13 +2601,16 @@ update_action(isc_task_t *task, isc_event_t *event) { CHECK(increment_soa_serial(db, ver, &diff, mctx)); } + CHECK(remove_orphaned_ds(db, ver, &diff)); + if (dns_db_issecure(db)) { - result = update_signatures(mctx, db, oldver, ver, - &diff, dns_zone_getsigvalidityinterval(zone)); + result = update_signatures(client, zone, db, oldver, + ver, &diff, + dns_zone_getsigvalidityinterval(zone)); if (result != ISC_R_SUCCESS) { update_log(client, zone, ISC_LOG_ERROR, - "SIG/NXT update failed: %s", + "RRSIG/NSEC update failed: %s", isc_result_totext(result)); goto failure; } @@ -2445,26 +2635,29 @@ update_action(isc_task_t *task, isc_event_t *event) { dns_journal_destroy(&journal); } - } - /* - * XXXRTH Just a note that this committing code will have to change - * to handle databases that need two-phase commit, but this - * isn't a priority. - */ - update_log(client, zone, LOGLEVEL_DEBUG, - "committing update transaction"); - dns_db_closeversion(db, &ver, ISC_TRUE); + /* + * XXXRTH Just a note that this committing code will have + * to change to handle databases that need two-phase + * commit, but this isn't a priority. + */ + update_log(client, zone, LOGLEVEL_DEBUG, + "committing update transaction"); + dns_db_closeversion(db, &ver, ISC_TRUE); - /* - * Mark the zone as dirty so that it will be written to disk. - */ - dns_zone_markdirty(zone); + /* + * Mark the zone as dirty so that it will be written to disk. + */ + dns_zone_markdirty(zone); - /* - * Notify slaves of the change we just made. - */ - dns_zone_notify(zone); + /* + * Notify slaves of the change we just made. + */ + dns_zone_notify(zone); + } else { + update_log(client, zone, LOGLEVEL_DEBUG, "redundant request"); + dns_db_closeversion(db, &ver, ISC_TRUE); + } result = ISC_R_SUCCESS; goto common; @@ -2512,6 +2705,8 @@ updatedone_action(isc_task_t *task, isc_event_t *event) { INSIST(event->ev_type == DNS_EVENT_UPDATEDONE); INSIST(task == client->task); + INSIST(client->nupdates > 0); + client->nupdates--; respond(client, uev->result); ns_client_detach(&client); isc_event_free(&event); @@ -2527,9 +2722,11 @@ forward_fail(isc_task_t *task, isc_event_t *event) { UNUSED(task); + INSIST(client->nupdates > 0); + client->nupdates--; respond(client, DNS_R_SERVFAIL); ns_client_detach(&client); - isc_event_free((isc_event_t **)&event); + isc_event_free(&event); } @@ -2547,7 +2744,7 @@ forward_callback(void *arg, isc_result_t result, dns_message_t *answer) { uev->ev_action = forward_done; uev->answer = answer; } - isc_task_send(client->task, (isc_event_t**)&uev); + isc_task_send(client->task, ISC_EVENT_PTR(&uev)); } static void @@ -2557,9 +2754,11 @@ forward_done(isc_task_t *task, isc_event_t *event) { UNUSED(task); + INSIST(client->nupdates > 0); + client->nupdates--; ns_client_sendraw(client, uev->answer); dns_message_destroy(&uev->answer); - isc_event_free((isc_event_t **)&event); + isc_event_free(&event); ns_client_detach(&client); } @@ -2598,13 +2797,15 @@ send_forward_event(ns_client_t *client, dns_zone_t *zone) { evclient = NULL; ns_client_attach(client, &evclient); + INSIST(client->nupdates == 0); + client->nupdates++; event->ev_arg = evclient; dns_zone_gettask(zone, &zonetask); - isc_task_send(zonetask, (isc_event_t **)&event); + isc_task_send(zonetask, ISC_EVENT_PTR(&event)); failure: if (event != NULL) - isc_event_free((isc_event_t **)&event); + isc_event_free(ISC_EVENT_PTR(&event)); return (result); } diff --git a/usr.sbin/bind/bin/named/xfrout.c b/usr.sbin/bind/bin/named/xfrout.c index 268ac92846b..86e93e3cb13 100644 --- a/usr.sbin/bind/bin/named/xfrout.c +++ b/usr.sbin/bind/bin/named/xfrout.c @@ -1,21 +1,21 @@ /* - * Copyright (C) 1999-2001, 2003 Internet Software Consortium. + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: xfrout.c,v 1.101.2.5 2003/07/22 04:03:35 marka Exp $ */ +/* $ISC: xfrout.c,v 1.101.2.5.2.10 2004/04/02 06:08:17 marka Exp $ */ #include <config.h> @@ -38,6 +38,7 @@ #include <dns/result.h> #include <dns/soa.h> #include <dns/timer.h> +#include <dns/tsig.h> #include <dns/view.h> #include <dns/zone.h> #include <dns/zt.h> @@ -253,7 +254,7 @@ db_rr_iterator_next(db_rr_iterator_t *it) { static void db_rr_iterator_pause(db_rr_iterator_t *it) { - dns_dbiterator_pause(it->dbit); + RUNTIME_CHECK(dns_dbiterator_pause(it->dbit) == ISC_R_SUCCESS); } static void @@ -412,7 +413,7 @@ ixfr_rrstream_create(isc_mem_t *mctx, return (ISC_R_SUCCESS); failure: - ixfr_rrstream_destroy((rrstream_t **) &s); + ixfr_rrstream_destroy((rrstream_t **) (void *)&s); return (result); } @@ -499,7 +500,7 @@ axfr_rrstream_create(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *ver, return (ISC_R_SUCCESS); failure: - axfr_rrstream_destroy((rrstream_t **) &s); + axfr_rrstream_destroy((rrstream_t **) (void *)&s); return (result); } @@ -619,7 +620,7 @@ soa_rrstream_create(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *ver, return (ISC_R_SUCCESS); failure: - soa_rrstream_destroy((rrstream_t **) &s); + soa_rrstream_destroy((rrstream_t **) (void *)&s); return (result); } @@ -735,7 +736,7 @@ compound_rrstream_first(rrstream_t *rs) { do { rrstream_t *curstream = s->components[s->state]; s->result = curstream->methods->first(curstream); - } while (s->result == ISC_R_NOMORE && s->state < 2) ; + } while (s->result == ISC_R_NOMORE && s->state < 2); return (s->result); } @@ -828,6 +829,7 @@ typedef struct { isc_boolean_t many_answers; int sends; /* Send in progress */ isc_boolean_t shuttingdown; + const char *mnemonic; /* Style of transfer */ } xfrout_ctx_t; static isc_result_t @@ -898,8 +900,8 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) { dns_peer_t *peer = NULL; isc_buffer_t *tsigbuf = NULL; char *journalfile; - char msg[DNS_RDATACLASS_FORMATSIZE + DNS_NAME_FORMATSIZE - + sizeof("zone transfer '/'")]; + char msg[NS_CLIENT_ACLMSGSIZE("zone transfer")]; + char keyname[DNS_NAME_FORMATSIZE]; isc_boolean_t is_poll = ISC_FALSE; switch (reqtype) { @@ -1019,7 +1021,7 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) { /* * Decide whether to allow this transfer. */ - ns_client_aclmsg("zone transfer", question_name, + ns_client_aclmsg("zone transfer", question_name, reqtype, client->view->rdclass, msg, sizeof(msg)); CHECK(ns_client_checkacl(client, msg, dns_zone_getxfracl(zone), ISC_TRUE, @@ -1138,19 +1140,24 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) { (format == dns_many_answers) ? ISC_TRUE : ISC_FALSE, &xfr)); + xfr->mnemonic = mnemonic; stream = NULL; - db = NULL; - ver = NULL; quota = NULL; CHECK(xfr->stream->methods->first(xfr->stream)); + if (xfr->tsigkey != NULL) { + dns_name_format(&xfr->tsigkey->name, keyname, sizeof(keyname)); + } else + keyname[0] = '\0'; if (is_poll) xfrout_log1(client, question_name, question_class, - ISC_LOG_DEBUG(1), "IXFR poll up to date"); + ISC_LOG_DEBUG(1), "IXFR poll up to date%s%s", + (xfr->tsigkey != NULL) ? ": TSIG " : "", keyname); else xfrout_log1(client, question_name, question_class, - ISC_LOG_INFO, "%s started", mnemonic); + ISC_LOG_INFO, "%s started%s%s", mnemonic, + (xfr->tsigkey != NULL) ? ": TSIG " : "", keyname); /* * Hand the context over to sendstream(). Set xfr to NULL; @@ -1216,10 +1223,10 @@ xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client, unsigned int id, xfr->qname = qname; xfr->qtype = qtype; xfr->qclass = qclass; - xfr->db = db; - xfr->ver = ver; - xfr->quota = quota; - xfr->stream = stream; + xfr->db = NULL; + xfr->ver = NULL; + dns_db_attach(db, &xfr->db); + dns_db_attachversion(db, ver, &xfr->ver); xfr->end_of_stream = ISC_FALSE; xfr->tsigkey = tsigkey; xfr->lasttsig = lasttsig; @@ -1229,6 +1236,13 @@ xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client, unsigned int id, xfr->many_answers = many_answers, xfr->sends = 0; xfr->shuttingdown = ISC_FALSE; + xfr->mnemonic = NULL; + xfr->buf.base = NULL; + xfr->buf.length = 0; + xfr->txmem = NULL; + xfr->txmemlen = 0; + xfr->stream = NULL; + xfr->quota = NULL; /* * Allocate a temporary buffer for the uncompressed response @@ -1273,6 +1287,12 @@ xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client, unsigned int id, */ xfr->client->shutdown = xfrout_client_shutdown; xfr->client->shutdown_arg = xfr; + /* + * These MUST be after the last "goto failure;" / CHECK to + * prevent a double free by the caller. + */ + xfr->quota = quota; + xfr->stream = stream; *xfrp = xfr; return (ISC_R_SUCCESS); @@ -1337,7 +1357,7 @@ sendstream(xfrout_ctx_t *xfr) { msg->flags = DNS_MESSAGEFLAG_QR | DNS_MESSAGEFLAG_AA; if ((xfr->client->attributes & NS_CLIENTATTR_RA) != 0) msg->flags |= DNS_MESSAGEFLAG_RA; - dns_message_settsigkey(msg, xfr->tsigkey); + CHECK(dns_message_settsigkey(msg, xfr->tsigkey)); CHECK(dns_message_setquerytsig(msg, xfr->lasttsig)); if (xfr->lasttsig != NULL) isc_buffer_free(&xfr->lasttsig); @@ -1612,8 +1632,7 @@ xfrout_senddone(isc_task_t *task, isc_event_t *event) { sendstream(xfr); } else { /* End of zone transfer stream. */ - xfrout_log(xfr, ISC_LOG_DEBUG(6), - "end of transfer"); + xfrout_log(xfr, ISC_LOG_INFO, "%s ended", xfr->mnemonic); ns_client_next(xfr->client, ISC_R_SUCCESS); xfrout_ctx_destroy(&xfr); } diff --git a/usr.sbin/bind/bin/nsupdate/nsupdate.8 b/usr.sbin/bind/bin/nsupdate/nsupdate.8 index d47793ff592..ccd9d85251b 100644 --- a/usr.sbin/bind/bin/nsupdate/nsupdate.8 +++ b/usr.sbin/bind/bin/nsupdate/nsupdate.8 @@ -1,25 +1,26 @@ -.\" -.\" Copyright (C) 2000, 2001 Internet Software Consortium. +.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2000-2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. .\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +.\" PERFORMANCE OF THIS SOFTWARE. +.\" +.\" $ISC: nsupdate.8,v 1.24.2.2.2.5 2004/03/08 09:04:15 marka Exp $ .\" .TH "NSUPDATE" "8" "Jun 30, 2000" "BIND9" "" .SH NAME nsupdate \- Dynamic DNS update utility .SH SYNOPSIS .sp -\fBnsupdate\fR [ \fB-d\fR ] [ \fB [ -y \fIkeyname:secret\fB ] [ -k \fIkeyfile\fB ] \fR ] [ \fB-v\fR ] [ \fBfilename\fR ] +\fBnsupdate\fR [ \fB-d\fR ] [ \fB [ -y \fIkeyname:secret\fB ] [ -k \fIkeyfile\fB ] \fR ] [ \fB-t \fItimeout\fB\fR ] [ \fB-u \fIudptimeout\fB\fR ] [ \fB-r \fIudpretries\fB\fR ] [ \fB-v\fR ] [ \fBfilename\fR ] .SH "DESCRIPTION" .PP \fBnsupdate\fR @@ -52,10 +53,10 @@ made and the replies received from the name server. .PP Transaction signatures can be used to authenticate the Dynamic DNS updates. -These use the TSIG resource record type described in RFC2845. -The signatures rely on a shared secret that should only be known to -\fBnsupdate\fR -and the name server. +These use the TSIG resource record type described in RFC2845 or the +SIG(0) record described in RFC3535 and RFC2931. +TSIG relies on a shared secret that should only be known to +\fBnsupdate\fR and the name server. Currently, the only supported encryption algorithm for TSIG is HMAC-MD5, which is defined in RFC 2104. Once other algorithms are defined for TSIG, applications will need to @@ -70,6 +71,8 @@ statements would be added to so that the name server can associate the appropriate secret key and algorithm with the IP address of the client application that will be using TSIG authentication. +SIG(0) uses public key cryptography. To use a SIG(0) key, the public +key must be stored in a KEY record in a zone served by the name server. \fBnsupdate\fR does not read \fI/etc/named.conf\fR. @@ -79,8 +82,8 @@ uses the \fB-y\fR or \fB-k\fR -option to provide the shared secret needed to generate a TSIG record -for authenticating Dynamic DNS update requests. +option (with an HMAC-MD5 key) to provide the shared secret needed to generate +a TSIG record for authenticating Dynamic DNS update requests. These options are mutually exclusive. With the \fB-k\fR @@ -110,15 +113,31 @@ This may be visible in the output from \fBps\fR(1) or in a history file maintained by the user's shell. .PP +The \fB-k\fR may also be used to specify a SIG(0) key used +to authenticate Dynamic DNS update requests. In this case, the key +specified is not an HMAC-MD5 key. +.PP By default \fBnsupdate\fR -uses UDP to send update requests to the name server. +uses UDP to send update requests to the name server unless they are too +large to fit in a UDP request in which case TCP will be used. The \fB-v\fR option makes \fBnsupdate\fR use a TCP connection. This may be preferable when a batch of update requests is made. +.PP +The \fB-t\fR option sets the maximum time a update request can +take before it is aborted. The default is 300 seconds. Zero can be used +to disable the timeout. +.PP +The \fB-u\fR option sets the UDP retry interval. The default is +3 seconds. If zero the interval will be computed from the timeout interval +and number of UDP retries. +.PP +The \fB-r\fR option sets the number of UDP retries. The default is +3. If zero only one update request will be made. .SH "INPUT FORMAT" .PP \fBnsupdate\fR @@ -178,6 +197,11 @@ statement is provided, \fBnsupdate\fR will attempt determine the correct zone to update based on the rest of the input. .TP +\fBclass classname\fR +Specify the default class. +If no \fIclass\fR is specified the default class is +\fIIN\fR. +.TP \fBkey name secret\fR Specifies that all updates are to be TSIG signed using the \fIkeyname\fR \fIkeysecret\fR pair. @@ -263,8 +287,11 @@ updates specified since the last send. .TP \fBsend\fR Sends the current message. This is equivalent to entering a blank line. +.TP +\fBanswer\fR +Displays the answer. .PP -Lines beginning with a semicolon are comments, and are ignored. +Lines beginning with a semicolon are comments and are ignored. .SH "EXAMPLES" .PP The examples below show how @@ -281,7 +308,7 @@ master name server for # nsupdate > update delete oldhost.example.com A > update add newhost.example.com 86400 A 172.16.1.1 -> +> send .sp .fi .PP @@ -297,7 +324,7 @@ The newly-added record has a 1 day TTL (86400 seconds) # nsupdate > prereq nxdomain nickname.example.com > update add nickname.example.com 86400 CNAME somehost.example.com -> +> send .sp .fi .PP @@ -310,7 +337,7 @@ This ensures that when the CNAME is added, it cannot conflict with the long-standing rule in RFC1034 that a name must not exist as any other record type if it exists as a CNAME. (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have -SIG, KEY and NXT records.) +RRSIG, DNSKEY and NSEC records.) .SH "FILES" .TP \fB/etc/resolv.conf\fR @@ -331,6 +358,7 @@ base-64 encoding of HMAC-MD5 key created by \fBRFC2845\fR, \fBRFC1034\fR, \fBRFC2535\fR, +\fBRFC2931\fR, \fBnamed\fR(8), \fBdnssec-keygen\fR(8). .SH "BUGS" diff --git a/usr.sbin/bind/bin/nsupdate/nsupdate.c b/usr.sbin/bind/bin/nsupdate/nsupdate.c index 055ddd82eac..f78eb3bb320 100644 --- a/usr.sbin/bind/bin/nsupdate/nsupdate.c +++ b/usr.sbin/bind/bin/nsupdate/nsupdate.c @@ -1,28 +1,27 @@ /* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: nsupdate.c,v 1.103.2.15 2003/07/25 03:31:42 marka Exp $ */ +/* $ISC: nsupdate.c,v 1.103.2.15.2.16 2004/06/17 01:00:38 sra Exp $ */ #include <config.h> #include <ctype.h> #include <errno.h> #include <limits.h> -#include <netdb.h> #include <stdlib.h> #include <unistd.h> @@ -35,6 +34,7 @@ #include <isc/hash.h> #include <isc/lex.h> #include <isc/mem.h> +#include <isc/parseint.h> #include <isc/region.h> #include <isc/sockaddr.h> #include <isc/socket.h> @@ -47,11 +47,13 @@ #include <dns/callbacks.h> #include <dns/dispatch.h> +#include <dns/dnssec.h> #include <dns/events.h> #include <dns/fixedname.h> #include <dns/masterdump.h> #include <dns/message.h> #include <dns/name.h> +#include <dns/rcode.h> #include <dns/rdata.h> #include <dns/rdataclass.h> #include <dns/rdatalist.h> @@ -67,6 +69,8 @@ #include <lwres/lwres.h> #include <lwres/net.h> +#include <bind9/getaddresses.h> + #ifdef HAVE_ADDRINFO #ifdef HAVE_GETADDRINFO #ifdef HAVE_GAISTRERROR @@ -83,8 +87,6 @@ extern int h_errno; #define MAXCMD (4 * 1024) #define MAXWIRE (64 * 1024) -#define NAMEBUF 512 -#define WORDLEN 512 #define PACKETSIZE ((64 * 1024) - 1) #define INITTEXT (2 * 1024) #define MAXTEXT (128 * 1024) @@ -114,11 +116,10 @@ static isc_timermgr_t *timermgr = NULL; static dns_dispatch_t *dispatchv4 = NULL; static dns_dispatch_t *dispatchv6 = NULL; static dns_message_t *updatemsg = NULL; -static dns_fixedname_t resolvdomain; /* from resolv.conf's domain line */ -static dns_name_t *origin; /* Points to one of above, or dns_rootname */ static dns_fixedname_t fuserzone; static dns_name_t *userzone = NULL; -static dns_tsigkey_t *key = NULL; +static dns_tsigkey_t *tsigkey = NULL; +static dst_key_t *sig0key; static lwres_context_t *lwctx = NULL; static lwres_conf_t *lwconf; static isc_sockaddr_t *servers; @@ -134,6 +135,12 @@ static isc_boolean_t interactive = ISC_TRUE; static isc_boolean_t seenerror = ISC_FALSE; static const dns_master_style_t *style; static int requests = 0; +static unsigned int timeout = 300; +static unsigned int udp_timeout = 3; +static unsigned int udp_retries = 3; +static dns_rdataclass_t defaultclass = dns_rdataclass_in; +static dns_rdataclass_t zoneclass = dns_rdataclass_none; +static dns_message_t *answer = NULL; typedef struct nsu_requestinfo { dns_message_t *msg; @@ -157,6 +164,23 @@ ddebug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); #define STATUS_QUIT (isc_uint16_t)2 #define STATUS_SYNTAX (isc_uint16_t)3 +static dns_rdataclass_t +getzoneclass(void) { + if (zoneclass == dns_rdataclass_none) + zoneclass = defaultclass; + return (zoneclass); +} + +static isc_boolean_t +setzoneclass(dns_rdataclass_t rdclass) { + if (zoneclass == dns_rdataclass_none || + rdclass == dns_rdataclass_none) + zoneclass = rdclass; + if (zoneclass != rdclass) + return (ISC_FALSE); + return (ISC_TRUE); +} + static void fatal(const char *format, ...) { va_list args; @@ -242,20 +266,6 @@ nsu_strsep(char **stringp, const char *delim) { return (string); } -static unsigned int -count_dots(char *s, isc_boolean_t *last_was_dot) { - int i = 0; - *last_was_dot = ISC_FALSE; - while (*s != 0) { - if (*s++ == '.') { - i++; - *last_was_dot = ISC_TRUE; - } else - *last_was_dot = ISC_FALSE; - } - return (i); -} - static void reset_system(void) { isc_result_t result; @@ -320,7 +330,7 @@ setup_keystr(void) { debug("keycreate"); result = dns_tsigkey_create(keyname, dns_tsig_hmacmd5_name, secret, secretlen, ISC_TRUE, NULL, - 0, 0, mctx, NULL, &key); + 0, 0, mctx, NULL, &tsigkey); if (result != ISC_R_SUCCESS) fprintf(stderr, "could not create key from %s: %s\n", keystr, dns_result_totext(result)); @@ -336,23 +346,27 @@ setup_keyfile(void) { debug("Creating key..."); - result = dst_key_fromnamedfile(keyfile, DST_TYPE_PRIVATE, mctx, + result = dst_key_fromnamedfile(keyfile, + DST_TYPE_PRIVATE | DST_TYPE_KEY, mctx, &dstkey); if (result != ISC_R_SUCCESS) { fprintf(stderr, "could not read key from %s: %s\n", keyfile, isc_result_totext(result)); return; } - result = dns_tsigkey_createfromkey(dst_key_name(dstkey), - dns_tsig_hmacmd5_name, - dstkey, ISC_FALSE, NULL, - 0, 0, mctx, NULL, &key); - if (result != ISC_R_SUCCESS) { - fprintf(stderr, "could not create key from %s: %s\n", - keyfile, isc_result_totext(result)); - dst_key_free(&dstkey); - return; - } + if (dst_key_alg(dstkey) == DST_ALG_HMACMD5) { + result = dns_tsigkey_createfromkey(dst_key_name(dstkey), + dns_tsig_hmacmd5_name, + dstkey, ISC_FALSE, NULL, + 0, 0, mctx, NULL, &tsigkey); + if (result != ISC_R_SUCCESS) { + fprintf(stderr, "could not create key from %s: %s\n", + keyfile, isc_result_totext(result)); + dst_key_free(&dstkey); + return; + } + } else + sig0key = dstkey; } static void @@ -365,9 +379,14 @@ doshutdown(void) { if (localaddr != NULL) isc_mem_put(mctx, localaddr, sizeof(isc_sockaddr_t)); - if (key != NULL) { - ddebug("Freeing key"); - dns_tsigkey_detach(&key); + if (tsigkey != NULL) { + ddebug("Freeing TSIG key"); + dns_tsigkey_detach(&tsigkey); + } + + if (sig0key != NULL) { + ddebug("Freeing SIG(0) key"); + dst_key_free(&sig0key); } if (updatemsg != NULL) @@ -430,7 +449,6 @@ static void setup_system(void) { isc_result_t result; isc_sockaddr_t bind_any, bind_any6; - isc_buffer_t buf; lwres_result_t lwresult; unsigned int attrs, attrmask; int i; @@ -549,20 +567,6 @@ setup_system(void) { dispatchv4, dispatchv6, &requestmgr); check_result(result, "dns_requestmgr_create"); - if (lwconf->domainname != NULL) { - dns_fixedname_init(&resolvdomain); - isc_buffer_init(&buf, lwconf->domainname, - strlen(lwconf->domainname)); - isc_buffer_add(&buf, strlen(lwconf->domainname)); - result = dns_name_fromtext(dns_fixedname_name(&resolvdomain), - &buf, dns_rootname, ISC_FALSE, - NULL); - check_result(result, "dns_name_fromtext"); - origin = dns_fixedname_name(&resolvdomain); - } - else - origin = dns_rootname; - if (keystr != NULL) setup_keystr(); else if (keyfile != NULL) @@ -571,74 +575,16 @@ setup_system(void) { static void get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) { - struct in_addr in4; - struct in6_addr in6; -#ifdef USE_GETADDRINFO - struct addrinfo *res = NULL, hints; - int result; -#else - struct hostent *he; -#endif - - ddebug("get_address()"); + int count; + isc_result_t result; - /* - * Assume we have v4 if we don't have v6, since setup_libs - * fatal()'s out if we don't have either. - */ - if (have_ipv6 && inet_pton(AF_INET6, host, &in6) == 1) - isc_sockaddr_fromin6(sockaddr, &in6, port); - else if (inet_pton(AF_INET, host, &in4) == 1) - isc_sockaddr_fromin(sockaddr, &in4, port); - else { -#ifdef USE_GETADDRINFO - memset(&hints, 0, sizeof(hints)); - if (!have_ipv6) - hints.ai_family = PF_INET; - else if (!have_ipv4) - hints.ai_family = PF_INET6; - else { - hints.ai_family = PF_UNSPEC; -#ifdef AI_ADDRCONFIG - hints.ai_flags = AI_ADDRCONFIG; -#endif - } - debug ("before getaddrinfo()"); - isc_app_block(); -#ifdef AI_ADDRCONFIG - again: -#endif - result = getaddrinfo(host, NULL, &hints, &res); -#ifdef AI_ADDRCONFIG - if (result == EAI_BADFLAGS && - (hints.ai_flags & AI_ADDRCONFIG) != 0) { - hints.ai_flags &= ~AI_ADDRCONFIG; - goto again; - } -#endif - isc_app_unblock(); - if (result != 0) { - fatal("couldn't find server '%s': %s", - host, gai_strerror(result)); - } - memcpy(&sockaddr->type.sa,res->ai_addr, res->ai_addrlen); - sockaddr->length = res->ai_addrlen; - isc_sockaddr_setport(sockaddr, port); - freeaddrinfo(res); -#else - debug ("before gethostbyname()"); - isc_app_block(); - he = gethostbyname(host); - isc_app_unblock(); - if (he == NULL) - fatal("couldn't find server '%s' (h_errno=%d)", - host, h_errno); - INSIST(he->h_addrtype == AF_INET); - isc_sockaddr_fromin(sockaddr, - (struct in_addr *)(he->h_addr_list[0]), - port); -#endif - } + isc_app_block(); + result = bind9_getaddresses(host, port, sockaddr, 1, &count); + isc_app_unblock(); + if (result != ISC_R_SUCCESS) + fatal("couldn't get address for '%s': %s", + host, isc_result_totext(result)); + INSIST(count == 1); } static void @@ -647,7 +593,8 @@ parse_args(int argc, char **argv) { isc_result_t result; debug("parse_args"); - while ((ch = isc_commandline_parse(argc, argv, "dDMy:vk:")) != -1) { + while ((ch = isc_commandline_parse(argc, argv, "dDMy:vk:r:t:u:")) != -1) + { switch (ch) { case 'd': debugging = ISC_TRUE; @@ -672,6 +619,34 @@ parse_args(int argc, char **argv) { case 'k': keyfile = isc_commandline_argument; break; + case 't': + result = isc_parse_uint32(&timeout, + isc_commandline_argument, 10); + if (result != ISC_R_SUCCESS) { + fprintf(stderr, "bad timeout '%s'\n", isc_commandline_argument); + exit(1); + } + if (timeout == 0) + timeout = ULONG_MAX; + break; + case 'u': + result = isc_parse_uint32(&udp_timeout, + isc_commandline_argument, 10); + if (result != ISC_R_SUCCESS) { + fprintf(stderr, "bad udp timeout '%s'\n", isc_commandline_argument); + exit(1); + } + if (udp_timeout == 0) + udp_timeout = ULONG_MAX; + break; + case 'r': + result = isc_parse_uint32(&udp_retries, + isc_commandline_argument, 10); + if (result != ISC_R_SUCCESS) { + fprintf(stderr, "bad udp retries '%s'\n", isc_commandline_argument); + exit(1); + } + break; default: fprintf(stderr, "%s: invalid argument -%c\n", argv[0], ch); @@ -710,9 +685,6 @@ parse_name(char **cmdlinep, dns_message_t *msg, dns_name_t **namep) { char *word; isc_buffer_t *namebuf = NULL; isc_buffer_t source; - unsigned int dots; - isc_boolean_t last; - dns_name_t *rn; word = nsu_strsep(cmdlinep, " \t\r\n"); if (*word == 0) { @@ -722,21 +694,14 @@ parse_name(char **cmdlinep, dns_message_t *msg, dns_name_t **namep) { result = dns_message_gettempname(msg, namep); check_result(result, "dns_message_gettempname"); - result = isc_buffer_allocate(mctx, &namebuf, NAMEBUF); + result = isc_buffer_allocate(mctx, &namebuf, DNS_NAME_MAXWIRE); check_result(result, "isc_buffer_allocate"); dns_name_init(*namep, NULL); dns_name_setbuffer(*namep, namebuf); dns_message_takebuffer(msg, &namebuf); isc_buffer_init(&source, word, strlen(word)); isc_buffer_add(&source, strlen(word)); - dots = count_dots(word, &last); - if (dots > lwconf->ndots || last) - rn = dns_rootname; - else if (userzone != NULL) - rn = userzone; - else - rn = origin; - result = dns_name_fromtext(*namep, &source, rn, + result = dns_name_fromtext(*namep, &source, dns_rootname, ISC_FALSE, NULL); check_result(result, "dns_name_fromtext"); isc_buffer_invalidate(&source); @@ -754,17 +719,12 @@ parse_rdata(char **cmdlinep, dns_rdataclass_t rdataclass, isc_lex_t *lex = NULL; dns_rdatacallbacks_t callbacks; isc_result_t result; - dns_name_t *rn; while (*cmdline != 0 && isspace((unsigned char)*cmdline)) cmdline++; if (*cmdline != 0) { dns_rdatacallbacks_init(&callbacks); - if (userzone != NULL) - rn = userzone; - else - rn = origin; result = isc_lex_create(mctx, strlen(cmdline), &lex); check_result(result, "isc_lex_create"); isc_buffer_init(&source, cmdline, strlen(cmdline)); @@ -774,7 +734,7 @@ parse_rdata(char **cmdlinep, dns_rdataclass_t rdataclass, result = isc_buffer_allocate(mctx, &buf, MAXWIRE); check_result(result, "isc_buffer_allocate"); result = dns_rdata_fromtext(rdata, rdataclass, rdatatype, lex, - rn, ISC_FALSE, mctx, buf, + dns_rootname, 0, mctx, buf, &callbacks); isc_lex_destroy(&lex); if (result == ISC_R_SUCCESS) { @@ -834,6 +794,10 @@ make_prereq(char *cmdline, isc_boolean_t ispositive, isc_boolean_t isrrset) { region.length = strlen(word); result = dns_rdataclass_fromtext(&rdataclass, ®ion); if (result == ISC_R_SUCCESS) { + if (!setzoneclass(rdataclass)) { + fprintf(stderr, "class mismatch: %s\n", word); + goto failure; + } /* * Now read the type. */ @@ -850,7 +814,7 @@ make_prereq(char *cmdline, isc_boolean_t ispositive, isc_boolean_t isrrset) { goto failure; } } else { - rdataclass = dns_rdataclass_in; + rdataclass = getzoneclass(); result = dns_rdatatype_fromtext(&rdatatype, ®ion); if (result != ISC_R_SUCCESS) { fprintf(stderr, "invalid type: %s\n", word); @@ -1072,11 +1036,11 @@ evaluate_key(char *cmdline) { } secretlen = isc_buffer_usedlength(&secretbuf); - if (key != NULL) - dns_tsigkey_detach(&key); + if (tsigkey != NULL) + dns_tsigkey_detach(&tsigkey); result = dns_tsigkey_create(keyname, dns_tsig_hmacmd5_name, - secret, secretlen, ISC_TRUE, NULL, 0, 0, - mctx, NULL, &key); + secret, secretlen, ISC_TRUE, NULL, 0, 0, + mctx, NULL, &tsigkey); isc_mem_free(mctx, secret); if (result != ISC_R_SUCCESS) { fprintf(stderr, "could not create key from %s %s: %s\n", @@ -1114,10 +1078,43 @@ evaluate_zone(char *cmdline) { } static isc_uint16_t +evaluate_class(char *cmdline) { + char *word; + isc_textregion_t r; + isc_result_t result; + dns_rdataclass_t rdclass; + + word = nsu_strsep(&cmdline, " \t\r\n"); + if (*word == 0) { + fprintf(stderr, "could not read class name\n"); + return (STATUS_SYNTAX); + } + + r.base = word; + r.length = strlen(word); + result = dns_rdataclass_fromtext(&rdclass, &r); + if (result != ISC_R_SUCCESS) { + fprintf(stderr, "could not parse class name: %s\n", word); + return (STATUS_SYNTAX); + } + switch (rdclass) { + case dns_rdataclass_none: + case dns_rdataclass_any: + case dns_rdataclass_reserved0: + fprintf(stderr, "bad default class: %s\n", word); + return (STATUS_SYNTAX); + default: + defaultclass = rdclass; + } + + return (STATUS_MORE); +} + +static isc_uint16_t update_addordelete(char *cmdline, isc_boolean_t isdelete) { isc_result_t result; dns_name_t *name = NULL; - unsigned long ttl; + isc_uint32_t ttl; char *word; dns_rdataclass_t rdataclass; dns_rdatatype_t rdatatype; @@ -1125,7 +1122,6 @@ update_addordelete(char *cmdline, isc_boolean_t isdelete) { dns_rdatalist_t *rdatalist = NULL; dns_rdataset_t *rdataset = NULL; isc_textregion_t region; - char *endp; isc_uint16_t retval; ddebug("update_addordelete()"); @@ -1163,13 +1159,14 @@ update_addordelete(char *cmdline, isc_boolean_t isdelete) { goto doneparsing; } } - ttl = strtoul(word, &endp, 10); - if (!isdigit((unsigned char)*word) || *endp != '\0') { + result = isc_parse_uint32(&ttl, word, 10); + if (result != ISC_R_SUCCESS) { if (isdelete) { ttl = 0; goto parseclass; } else { - fprintf(stderr, "ttl '%s' is not legal\n", word); + fprintf(stderr, "ttl '%s': %s\n", word, + isc_result_totext(result)); goto failure; } } @@ -1202,6 +1199,10 @@ update_addordelete(char *cmdline, isc_boolean_t isdelete) { region.length = strlen(word); result = dns_rdataclass_fromtext(&rdataclass, ®ion); if (result == ISC_R_SUCCESS) { + if (!setzoneclass(rdataclass)) { + fprintf(stderr, "class mismatch: %s\n", word); + goto failure; + } /* * Now read the type. */ @@ -1226,7 +1227,7 @@ update_addordelete(char *cmdline, isc_boolean_t isdelete) { goto failure; } } else { - rdataclass = dns_rdataclass_in; + rdataclass = getzoneclass(); result = dns_rdatatype_fromtext(&rdatatype, ®ion); if (result != ISC_R_SUCCESS) { fprintf(stderr, "'%s' is not a valid class or type: " @@ -1369,12 +1370,19 @@ get_next_command(void) { return (evaluate_local(cmdline)); if (strcasecmp(word, "zone") == 0) return (evaluate_zone(cmdline)); + if (strcasecmp(word, "class") == 0) + return (evaluate_class(cmdline)); if (strcasecmp(word, "send") == 0) return (STATUS_SEND); if (strcasecmp(word, "show") == 0) { show_message(updatemsg); return (STATUS_MORE); } + if (strcasecmp(word, "answer") == 0) { + if (answer != NULL) + show_message(answer); + return (STATUS_MORE); + } if (strcasecmp(word, "key") == 0) return (evaluate_key(cmdline)); fprintf(stderr, "incorrect section name: %s\n", word); @@ -1402,10 +1410,32 @@ done_update(void) { } static void +check_tsig_error(dns_rdataset_t *rdataset, isc_buffer_t *b) { + isc_result_t result; + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdata_any_tsig_t tsig; + + result = dns_rdataset_first(rdataset); + check_result(result, "dns_rdataset_first"); + dns_rdataset_current(rdataset, &rdata); + result = dns_rdata_tostruct(&rdata, &tsig, NULL); + check_result(result, "dns_rdata_tostruct"); + if (tsig.error != 0) { + if (isc_buffer_remaininglength(b) < 1) + check_result(ISC_R_NOSPACE, "isc_buffer_remaininglength"); + isc__buffer_putstr(b, "(" /*)*/); + result = dns_tsigrcode_totext(tsig.error, b); + check_result(result, "dns_tsigrcode_totext"); + if (isc_buffer_remaininglength(b) < 1) + check_result(ISC_R_NOSPACE, "isc_buffer_remaininglength"); + isc__buffer_putstr(b, /*(*/ ")"); + } +} + +static void update_completed(isc_task_t *task, isc_event_t *event) { dns_requestevent_t *reqev = NULL; isc_result_t result; - dns_message_t *rcvmsg = NULL; dns_request_t *request; UNUSED(task); @@ -1432,9 +1462,9 @@ update_completed(isc_task_t *task, isc_event_t *event) { goto done; } - result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &rcvmsg); + result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &answer); check_result(result, "dns_message_create"); - result = dns_request_getresponse(request, rcvmsg, + result = dns_request_getresponse(request, answer, DNS_MESSAGEPARSE_PRESERVEORDER); switch (result) { case ISC_R_SUCCESS: @@ -1452,8 +1482,23 @@ update_completed(isc_task_t *task, isc_event_t *event) { check_result(result, "dns_request_getresponse"); } - if (rcvmsg->rcode != dns_rcode_noerror) + if (answer->rcode != dns_rcode_noerror) { seenerror = ISC_TRUE; + if (!debugging) { + char buf[64]; + isc_buffer_t b; + dns_rdataset_t *rds; + + isc_buffer_init(&b, buf, sizeof(buf) - 1); + result = dns_rcode_totext(answer->rcode, &b); + check_result(result, "dns_rcode_totext"); + rds = dns_message_gettsig(answer, NULL); + if (rds != NULL) + check_tsig_error(rds, &b); + fprintf(stderr, "update failed: %.*s\n", + (int)isc_buffer_usedlength(&b), buf); + } + } if (debugging) { isc_buffer_t *buf = NULL; int bufsz; @@ -1469,7 +1514,7 @@ update_completed(isc_task_t *task, isc_event_t *event) { isc_buffer_free(&buf); result = isc_buffer_allocate(mctx, &buf, bufsz); check_result(result, "isc_buffer_allocate"); - result = dns_message_totext(rcvmsg, style, 0, buf); + result = dns_message_totext(answer, style, 0, buf); bufsz *= 2; } while (result == ISC_R_NOSPACE); check_result(result, "dns_message_totext"); @@ -1478,7 +1523,6 @@ update_completed(isc_task_t *task, isc_event_t *event) { (char*)isc_buffer_base(buf)); isc_buffer_free(&buf); } - dns_message_destroy(&rcvmsg); done: dns_request_destroy(&request); isc_event_free(&event); @@ -1503,19 +1547,32 @@ send_update(dns_name_t *zonename, isc_sockaddr_t *master, dns_name_clone(zonename, name); result = dns_message_gettemprdataset(updatemsg, &rdataset); check_result(result, "dns_message_gettemprdataset"); - dns_rdataset_makequestion(rdataset, dns_rdataclass_in, - dns_rdatatype_soa); + dns_rdataset_makequestion(rdataset, getzoneclass(), dns_rdatatype_soa); ISC_LIST_INIT(name->list); ISC_LIST_APPEND(name->list, rdataset, link); dns_message_addname(updatemsg, name, DNS_SECTION_ZONE); if (usevc) options |= DNS_REQUESTOPT_TCP; - result = dns_request_createvia(requestmgr, updatemsg, srcaddr, - master, options, key, - FIND_TIMEOUT, global_task, - update_completed, NULL, &request); - check_result(result, "dns_request_createvia"); + if (tsigkey == NULL && sig0key != NULL) { + result = dns_message_setsig0key(updatemsg, sig0key); + check_result(result, "dns_message_setsig0key"); + } + if (debugging) { + char addrbuf[ISC_SOCKADDR_FORMATSIZE]; + + isc_sockaddr_format(master, addrbuf, sizeof(addrbuf)); + fprintf(stderr, "Sending update to %s\n", addrbuf); + } + result = dns_request_createvia3(requestmgr, updatemsg, srcaddr, + master, options, tsigkey, timeout, + udp_timeout, udp_retries, global_task, + update_completed, NULL, &request); + check_result(result, "dns_request_createvia3"); + + if (debugging) + show_message(updatemsg); + requests++; } @@ -1578,6 +1635,7 @@ recvsoa(isc_task_t *task, isc_event_t *event) { sendrequest(localaddr, &servers[ns_inuse], soaquery, &request); isc_mem_put(mctx, reqinfo, sizeof(nsu_requestinfo_t)); isc_event_free(&event); + setzoneclass(dns_rdataclass_none); return; } isc_mem_put(mctx, reqinfo, sizeof(nsu_requestinfo_t)); @@ -1590,6 +1648,27 @@ recvsoa(isc_task_t *task, isc_event_t *event) { check_result(result, "dns_message_create"); result = dns_request_getresponse(request, rcvmsg, DNS_MESSAGEPARSE_PRESERVEORDER); + if (result == DNS_R_TSIGERRORSET && userserver != NULL) { + dns_message_destroy(&rcvmsg); + ddebug("Destroying request [%p]", request); + dns_request_destroy(&request); + reqinfo = isc_mem_get(mctx, sizeof(nsu_requestinfo_t)); + if (reqinfo == NULL) + fatal("out of memory"); + reqinfo->msg = soaquery; + reqinfo->addr = addr; + dns_message_renderreset(soaquery); + ddebug("retrying soa request without TSIG"); + result = dns_request_createvia3(requestmgr, soaquery, + localaddr, addr, 0, NULL, + FIND_TIMEOUT * 20, + FIND_TIMEOUT * 20, 3, + global_task, recvsoa, reqinfo, + &request); + check_result(result, "dns_request_createvia"); + requests++; + return; + } check_result(result, "dns_request_getresponse"); section = DNS_SECTION_ANSWER; if (debugging) { @@ -1735,6 +1814,7 @@ recvsoa(isc_task_t *task, isc_event_t *event) { dns_request_destroy(&request); out: + setzoneclass(dns_rdataclass_none); dns_rdata_freestruct(&soa); dns_message_destroy(&rcvmsg); ddebug("Out of recvsoa"); @@ -1752,9 +1832,10 @@ sendrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr, fatal("out of memory"); reqinfo->msg = msg; reqinfo->addr = destaddr; - result = dns_request_createvia(requestmgr, msg, srcaddr, destaddr, - 0, NULL, FIND_TIMEOUT, global_task, - recvsoa, reqinfo, request); + result = dns_request_createvia3(requestmgr, msg, srcaddr, destaddr, 0, + (userserver != NULL) ? tsigkey : NULL, + FIND_TIMEOUT * 20, FIND_TIMEOUT, 3, + global_task, recvsoa, reqinfo, request); check_result(result, "dns_request_createvia"); requests++; } @@ -1767,10 +1848,17 @@ start_update(void) { dns_request_t *request = NULL; dns_message_t *soaquery = NULL; dns_name_t *firstname; + dns_section_t section = DNS_SECTION_UPDATE; ddebug("start_update()"); - result = dns_message_firstname(updatemsg, DNS_SECTION_UPDATE); + if (answer != NULL) + dns_message_destroy(&answer); + result = dns_message_firstname(updatemsg, section); + if (result == ISC_R_NOMORE) { + section = DNS_SECTION_PREREQUISITE; + result = dns_message_firstname(updatemsg, section); + } if (result != ISC_R_SUCCESS) { done_update(); return; @@ -1778,6 +1866,7 @@ start_update(void) { if (userzone != NULL && userserver != NULL) { send_update(userzone, userserver, localaddr); + setzoneclass(dns_rdataclass_none); return; } @@ -1793,11 +1882,10 @@ start_update(void) { result = dns_message_gettemprdataset(soaquery, &rdataset); check_result(result, "dns_message_gettemprdataset"); - dns_rdataset_makequestion(rdataset, dns_rdataclass_in, - dns_rdatatype_soa); + dns_rdataset_makequestion(rdataset, getzoneclass(), dns_rdatatype_soa); firstname = NULL; - dns_message_currentname(updatemsg, DNS_SECTION_UPDATE, &firstname); + dns_message_currentname(updatemsg, section, &firstname); dns_name_init(name, NULL); dns_name_clone(firstname, name); @@ -1817,6 +1905,8 @@ static void cleanup(void) { ddebug("cleanup()"); + if (answer != NULL) + dns_message_destroy(&answer); ddebug("Shutting down task manager"); isc_taskmgr_destroy(&taskmgr); @@ -1869,6 +1959,8 @@ main(int argc, char **argv) { input = stdin; + interactive = ISC_TF(isatty(0)); + isc_app_start(); parse_args(argc, argv); diff --git a/usr.sbin/bind/bin/nsupdate/nsupdate.docbook b/usr.sbin/bind/bin/nsupdate/nsupdate.docbook index 9ceffa4d033..7242155eb1e 100644 --- a/usr.sbin/bind/bin/nsupdate/nsupdate.docbook +++ b/usr.sbin/bind/bin/nsupdate/nsupdate.docbook @@ -1,22 +1,22 @@ <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> <!-- - - Copyright (C) 2001, 2003 Internet Software Consortium. + - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2001-2003 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $ISC: nsupdate.docbook,v 1.8.2.3 2003/07/22 04:03:36 marka Exp $ --> +<!-- $ISC: nsupdate.docbook,v 1.8.2.3.2.8 2004/03/08 04:04:23 marka Exp $ --> <refentry> <refentryinfo> @@ -39,6 +39,9 @@ <arg><option>-y <replaceable class="parameter">keyname:secret</replaceable></option></arg> <arg><option>-k <replaceable class="parameter">keyfile</replaceable></option></arg> </group> +<arg><option>-t <replaceable class="parameter">timeout</replaceable></option></arg> +<arg><option>-u <replaceable class="parameter">udptimeout</replaceable></option></arg> +<arg><option>-r <replaceable class="parameter">udpretries</replaceable></option></arg> <arg><option>-v</option></arg> <arg>filename</arg> </cmdsynopsis> @@ -81,10 +84,10 @@ made and the replies received from the name server. <para> Transaction signatures can be used to authenticate the Dynamic DNS updates. -These use the TSIG resource record type described in RFC2845. -The signatures rely on a shared secret that should only be known to -<command>nsupdate</command> -and the name server. +These use the TSIG resource record type described in RFC2845 or the +SIG(0) record described in RFC3535 and RFC2931. +TSIG relies on a shared secret that should only be known to +<command>nsupdate</command> and the name server. Currently, the only supported encryption algorithm for TSIG is HMAC-MD5, which is defined in RFC 2104. Once other algorithms are defined for TSIG, applications will need to @@ -99,6 +102,8 @@ statements would be added to so that the name server can associate the appropriate secret key and algorithm with the IP address of the client application that will be using TSIG authentication. +SIG(0) uses public key cryptography. To use a SIG(0) key, the public +key must be stored in a KEY record in a zone served by the name server. <command>nsupdate</command> does not read <filename>/etc/named.conf</filename>. @@ -109,8 +114,8 @@ uses the <option>-y</option> or <option>-k</option> -option to provide the shared secret needed to generate a TSIG record -for authenticating Dynamic DNS update requests. +option (with an HMAC-MD5 key) to provide the shared secret needed to generate +a TSIG record for authenticating Dynamic DNS update requests. These options are mutually exclusive. With the <option>-k</option> @@ -144,9 +149,15 @@ This may be visible in the output from or in a history file maintained by the user's shell. </para> <para> +The <option>-k</option> may also be used to specify a SIG(0) key used +to authenticate Dynamic DNS update requests. In this case, the key +specified is not an HMAC-MD5 key. +</para> +<para> By default <command>nsupdate</command> -uses UDP to send update requests to the name server. +uses UDP to send update requests to the name server unless they are too +large to fit in a UDP request in which case TCP will be used. The <option>-v</option> option makes @@ -154,6 +165,17 @@ option makes use a TCP connection. This may be preferable when a batch of update requests is made. </para> +<para>The <option>-t</option> option sets the maximum time a update request can +take before it is aborted. The default is 300 seconds. Zero can be used +to disable the timeout. +</para> +<para>The <option>-u</option> option sets the UDP retry interval. The default is +3 seconds. If zero the interval will be computed from the timeout interval +and number of UDP retries. +</para> +<para>The <option>-r</option> option sets the number of UDP retries. The default is +3. If zero only one update request will be made. +</para> </refsect1> <refsect1> @@ -243,6 +265,23 @@ statement is provided, <command>nsupdate</command> will attempt determine the correct zone to update based on the rest of the input. </para> +</listitem> +</varlistentry> + +<varlistentry><term> +<cmdsynopsis> +<command>class</command> +<arg choice="req">classname</arg> +</cmdsynopsis> +</term> +<listitem> +<para> +Specify the default class. +If no <parameter>class</parameter> is specified the default class is +<parameter>IN</parameter>. +</para> +</listitem> +</varlistentry> <varlistentry><term> <cmdsynopsis> @@ -259,6 +298,8 @@ The <command>key</command> command overrides any key specified on the command line via <option>-y</option> or <option>-k</option>. </para> +</listitem> +</varlistentry> <varlistentry><term> <cmdsynopsis> @@ -271,6 +312,8 @@ overrides any key specified on the command line via Requires that no resource record of any type exists with name <parameter>domain-name</parameter>. </para> +</listitem> +</varlistentry> <varlistentry><term> @@ -285,6 +328,8 @@ Requires that <parameter>domain-name</parameter> exists (has as at least one resource record, of any type). </para> +</listitem> +</varlistentry> <varlistentry><term> <cmdsynopsis> @@ -304,6 +349,9 @@ and If <parameter>class</parameter> is omitted, IN (internet) is assumed. +</para> +</listitem> +</varlistentry> <varlistentry><term> @@ -326,6 +374,8 @@ If <parameter>class</parameter> is omitted, IN (internet) is assumed. </para> +</listitem> +</varlistentry> <varlistentry><term> <cmdsynopsis> @@ -358,6 +408,8 @@ The are written in the standard text representation of the resource record's RDATA. </para> +</listitem> +</varlistentry> <varlistentry><term> <cmdsynopsis> @@ -383,6 +435,8 @@ is not supplied. The <parameter>ttl</parameter> is ignored, and is only allowed for compatibility. </para> +</listitem> +</varlistentry> <varlistentry><term> <cmdsynopsis> @@ -402,6 +456,8 @@ Adds a new resource record with the specified and <parameter>data</parameter>. </para> +</listitem> +</varlistentry> <varlistentry><term> <cmdsynopsis> @@ -413,6 +469,8 @@ and Displays the current message, containing all of the prerequisites and updates specified since the last send. </para> +</listitem> +</varlistentry> <varlistentry><term> <cmdsynopsis> @@ -424,10 +482,22 @@ updates specified since the last send. Sends the current message. This is equivalent to entering a blank line. </para> </listitem> + +<varlistentry><term> +<cmdsynopsis> +<command>answer</command> +</cmdsynopsis> +</term> +<listitem> +<para> +Displays the answer. +</para> +</listitem> + </variablelist> <para> -Lines beginning with a semicolon are comments, and are ignored. +Lines beginning with a semicolon are comments and are ignored. </para> </refsect1> @@ -449,7 +519,7 @@ master name server for # nsupdate > update delete oldhost.example.com A > update add newhost.example.com 86400 A 172.16.1.1 -> +> send </programlisting> </para> <para> @@ -464,7 +534,7 @@ The newly-added record has a 1 day TTL (86400 seconds) # nsupdate > prereq nxdomain nickname.example.com > update add nickname.example.com 86400 CNAME somehost.example.com -> +> send </programlisting> </para> <para> @@ -478,7 +548,7 @@ This ensures that when the CNAME is added, it cannot conflict with the long-standing rule in RFC1034 that a name must not exist as any other record type if it exists as a CNAME. (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have -SIG, KEY and NXT records.) +RRSIG, DNSKEY and NSEC records.) </para> </refsect1> @@ -537,6 +607,9 @@ base-64 encoding of HMAC-MD5 key created by <refentrytitle>RFC2535</refentrytitle> </citerefentry>, <citerefentry> +<refentrytitle>RFC2931</refentrytitle> +</citerefentry>, +<citerefentry> <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> diff --git a/usr.sbin/bind/bin/nsupdate/nsupdate.html b/usr.sbin/bind/bin/nsupdate/nsupdate.html index e3c67d4a1d4..7697ead9982 100644 --- a/usr.sbin/bind/bin/nsupdate/nsupdate.html +++ b/usr.sbin/bind/bin/nsupdate/nsupdate.html @@ -1,27 +1,30 @@ <!-- - - Copyright (C) 2000, 2001 Internet Software Consortium. - - + - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2001-2003 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - - - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. --> + +<!-- $ISC: nsupdate.html,v 1.9.2.3.2.5 2004/08/22 23:38:59 marka Exp $ --> + +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML ><HEAD ><TITLE >nsupdate</TITLE ><META NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.73 -"></HEAD +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD ><BODY CLASS="REFENTRY" BGCOLOR="#FFFFFF" @@ -32,8 +35,8 @@ ALINK="#0000FF" ><H1 ><A NAME="AEN1" ->nsupdate</A -></H1 +></A +>nsupdate</H1 ><DIV CLASS="REFNAMEDIV" ><A @@ -53,34 +56,48 @@ NAME="AEN11" ><B CLASS="COMMAND" >nsupdate</B -> [<TT +> [<VAR +CLASS="OPTION" +>-d</VAR +>] [<VAR +CLASS="OPTION" +>-y <VAR +CLASS="REPLACEABLE" +>keyname:secret</VAR +></VAR +> | <VAR CLASS="OPTION" ->-d</TT ->] [<TT +>-k <VAR +CLASS="REPLACEABLE" +>keyfile</VAR +></VAR +>] [<VAR +CLASS="OPTION" +>-t <VAR +CLASS="REPLACEABLE" +>timeout</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-y <TT +>-u <VAR CLASS="REPLACEABLE" -><I ->keyname:secret</I -></TT -></TT -> | <TT +>udptimeout</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-k <TT +>-r <VAR CLASS="REPLACEABLE" -><I ->keyfile</I -></TT -></TT ->] [<TT +>udpretries</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-v</TT +>-v</VAR >] [filename]</P ></DIV ><DIV CLASS="REFSECT1" ><A -NAME="AEN26" +NAME="AEN35" ></A ><H2 >DESCRIPTION</H2 @@ -115,9 +132,9 @@ Requests are sent to the zone's master server. This is identified by the MNAME field of the zone's SOA record.</P ><P >The -<TT +<VAR CLASS="OPTION" ->-d</TT +>-d</VAR > option makes <B @@ -130,13 +147,13 @@ made and the replies received from the name server.</P ><P >Transaction signatures can be used to authenticate the Dynamic DNS updates. -These use the TSIG resource record type described in RFC2845. -The signatures rely on a shared secret that should only be known to +These use the TSIG resource record type described in RFC2845 or the +SIG(0) record described in RFC3535 and RFC2931. +TSIG relies on a shared secret that should only be known to <B CLASS="COMMAND" >nsupdate</B -> -and the name server. +> and the name server. Currently, the only supported encryption algorithm for TSIG is HMAC-MD5, which is defined in RFC 2104. Once other algorithms are defined for TSIG, applications will need to @@ -160,6 +177,8 @@ CLASS="FILENAME" so that the name server can associate the appropriate secret key and algorithm with the IP address of the client application that will be using TSIG authentication. +SIG(0) uses public key cryptography. To use a SIG(0) key, the public +key must be stored in a KEY record in a zone served by the name server. <B CLASS="COMMAND" >nsupdate</B @@ -175,22 +194,22 @@ CLASS="COMMAND" >nsupdate</B > uses the -<TT +<VAR CLASS="OPTION" ->-y</TT +>-y</VAR > or -<TT +<VAR CLASS="OPTION" ->-k</TT +>-k</VAR > -option to provide the shared secret needed to generate a TSIG record -for authenticating Dynamic DNS update requests. +option (with an HMAC-MD5 key) to provide the shared secret needed to generate +a TSIG record for authenticating Dynamic DNS update requests. These options are mutually exclusive. With the -<TT +<VAR CLASS="OPTION" ->-k</TT +>-k</VAR > option, <B @@ -198,11 +217,9 @@ CLASS="COMMAND" >nsupdate</B > reads the shared secret from the file -<TT +<VAR CLASS="PARAMETER" -><I ->keyfile</I -></TT +>keyfile</VAR >, whose name is of the form <TT @@ -216,36 +233,30 @@ CLASS="FILENAME" >K{name}.+157.+{random}.key</TT > must also be present. When the -<TT +<VAR CLASS="OPTION" ->-y</TT +>-y</VAR > option is used, a signature is generated from -<TT +<VAR CLASS="PARAMETER" -><I ->keyname:secret.</I -></TT +>keyname:secret.</VAR > -<TT +<VAR CLASS="PARAMETER" -><I ->keyname</I -></TT +>keyname</VAR > is the name of the key, and -<TT +<VAR CLASS="PARAMETER" -><I ->secret</I -></TT +>secret</VAR > is the base64 encoded shared secret. Use of the -<TT +<VAR CLASS="OPTION" ->-y</TT +>-y</VAR > option is discouraged because the shared secret is supplied as a command line argument in clear text. @@ -259,16 +270,24 @@ CLASS="REFENTRYTITLE" > or in a history file maintained by the user's shell.</P ><P +>The <VAR +CLASS="OPTION" +>-k</VAR +> may also be used to specify a SIG(0) key used +to authenticate Dynamic DNS update requests. In this case, the key +specified is not an HMAC-MD5 key.</P +><P >By default <B CLASS="COMMAND" >nsupdate</B > -uses UDP to send update requests to the name server. +uses UDP to send update requests to the name server unless they are too +large to fit in a UDP request in which case TCP will be used. The -<TT +<VAR CLASS="OPTION" ->-v</TT +>-v</VAR > option makes <B @@ -277,11 +296,31 @@ CLASS="COMMAND" > use a TCP connection. This may be preferable when a batch of update requests is made.</P +><P +>The <VAR +CLASS="OPTION" +>-t</VAR +> option sets the maximum time a update request can +take before it is aborted. The default is 300 seconds. Zero can be used +to disable the timeout.</P +><P +>The <VAR +CLASS="OPTION" +>-u</VAR +> option sets the UDP retry interval. The default is +3 seconds. If zero the interval will be computed from the timeout interval +and number of UDP retries.</P +><P +>The <VAR +CLASS="OPTION" +>-r</VAR +> option sets the number of UDP retries. The default is +3. If zero only one update request will be made.</P ></DIV ><DIV CLASS="REFSECT1" ><A -NAME="AEN65" +NAME="AEN82" ></A ><H2 >INPUT FORMAT</H2 @@ -291,11 +330,9 @@ CLASS="COMMAND" >nsupdate</B > reads input from -<TT +<VAR CLASS="PARAMETER" -><I ->filename</I -></TT +>filename</VAR > or standard input. Each command is supplied on exactly one line of input. @@ -334,11 +371,9 @@ CLASS="COMMAND" ><DD ><P >Sends all dynamic update requests to the name server -<TT +<VAR CLASS="PARAMETER" -><I ->servername</I -></TT +>servername</VAR >. When no server statement is provided, <B @@ -348,18 +383,14 @@ CLASS="COMMAND" will send updates to the master server of the correct zone. The MNAME field of that zone's SOA record will identify the master server for that zone. -<TT +<VAR CLASS="PARAMETER" -><I ->port</I -></TT +>port</VAR > is the port number on -<TT +<VAR CLASS="PARAMETER" -><I ->servername</I -></TT +>servername</VAR > where the dynamic update requests get sent. If no port number is specified, the default DNS port number of 53 is @@ -375,11 +406,9 @@ CLASS="COMMAND" ><DD ><P >Sends all dynamic update requests using the local -<TT +<VAR CLASS="PARAMETER" -><I ->address</I -></TT +>address</VAR >. When no local statement is provided, @@ -388,11 +417,9 @@ CLASS="COMMAND" >nsupdate</B > will send updates using an address and port chosen by the system. -<TT +<VAR CLASS="PARAMETER" -><I ->port</I -></TT +>port</VAR > can additionally be used to make requests come from a specific port. If no port number is specified, the system will assign one. </P @@ -407,18 +434,14 @@ CLASS="COMMAND" ><DD ><P >Specifies that all updates are to be made to the zone -<TT +<VAR CLASS="PARAMETER" -><I ->zonename</I -></TT +>zonename</VAR >. If no -<TT +<VAR CLASS="PARAMETER" -><I ->zone</I -></TT +>zone</VAR > statement is provided, <B @@ -431,34 +454,49 @@ will attempt determine the correct zone to update based on the rest of the input ><P ><B CLASS="COMMAND" +>class</B +> {classname}</P +></DT +><DD +><P +>Specify the default class. +If no <VAR +CLASS="PARAMETER" +>class</VAR +> is specified the default class is +<VAR +CLASS="PARAMETER" +>IN</VAR +>.</P +></DD +><DT +><P +><B +CLASS="COMMAND" >key</B > {name} {secret}</P ></DT ><DD ><P >Specifies that all updates are to be TSIG signed using the -<TT +<VAR CLASS="PARAMETER" -><I ->keyname</I -></TT -> <TT +>keyname</VAR +> <VAR CLASS="PARAMETER" -><I ->keysecret</I -></TT +>keysecret</VAR > pair. The <B CLASS="COMMAND" >key</B > command overrides any key specified on the command line via -<TT +<VAR CLASS="OPTION" ->-y</TT -> or <TT +>-y</VAR +> or <VAR CLASS="OPTION" ->-k</TT +>-k</VAR >.</P ></DD ><DT @@ -471,11 +509,9 @@ CLASS="COMMAND" ><DD ><P >Requires that no resource record of any type exists with name -<TT +<VAR CLASS="PARAMETER" -><I ->domain-name</I -></TT +>domain-name</VAR >.</P ></DD ><DT @@ -488,11 +524,9 @@ CLASS="COMMAND" ><DD ><P >Requires that -<TT +<VAR CLASS="PARAMETER" -><I ->domain-name</I -></TT +>domain-name</VAR > exists (has as at least one resource record, of any type).</P ></DD @@ -506,34 +540,25 @@ CLASS="COMMAND" ><DD ><P >Requires that no resource record exists of the specified -<TT +<VAR CLASS="PARAMETER" -><I ->type</I -></TT +>type</VAR >, -<TT +<VAR CLASS="PARAMETER" -><I ->class</I -></TT +>class</VAR > and -<TT +<VAR CLASS="PARAMETER" -><I ->domain-name</I -></TT +>domain-name</VAR >. If -<TT +<VAR CLASS="PARAMETER" -><I ->class</I -></TT +>class</VAR > -is omitted, IN (internet) is assumed. - </P +is omitted, IN (internet) is assumed.</P ></DD ><DT ><P @@ -545,32 +570,24 @@ CLASS="COMMAND" ><DD ><P >This requires that a resource record of the specified -<TT +<VAR CLASS="PARAMETER" -><I ->type</I -></TT +>type</VAR >, -<TT +<VAR CLASS="PARAMETER" -><I ->class</I -></TT +>class</VAR > and -<TT +<VAR CLASS="PARAMETER" -><I ->domain-name</I -></TT +>domain-name</VAR > must exist. If -<TT +<VAR CLASS="PARAMETER" -><I ->class</I -></TT +>class</VAR > is omitted, IN (internet) is assumed.</P ></DD @@ -584,61 +601,45 @@ CLASS="COMMAND" ><DD ><P >The -<TT +<VAR CLASS="PARAMETER" -><I ->data</I -></TT +>data</VAR > from each set of prerequisites of this form sharing a common -<TT +<VAR CLASS="PARAMETER" -><I ->type</I -></TT +>type</VAR >, -<TT +<VAR CLASS="PARAMETER" -><I ->class</I -></TT +>class</VAR >, and -<TT +<VAR CLASS="PARAMETER" -><I ->domain-name</I -></TT +>domain-name</VAR > are combined to form a set of RRs. This set of RRs must exactly match the set of RRs existing in the zone at the given -<TT +<VAR CLASS="PARAMETER" -><I ->type</I -></TT +>type</VAR >, -<TT +<VAR CLASS="PARAMETER" -><I ->class</I -></TT +>class</VAR >, and -<TT +<VAR CLASS="PARAMETER" -><I ->domain-name</I -></TT +>domain-name</VAR >. The -<TT +<VAR CLASS="PARAMETER" -><I ->data</I -></TT +>data</VAR > are written in the standard text representation of the resource record's RDATA.</P @@ -653,40 +654,30 @@ CLASS="COMMAND" ><DD ><P >Deletes any resource records named -<TT +<VAR CLASS="PARAMETER" -><I ->domain-name</I -></TT +>domain-name</VAR >. If -<TT +<VAR CLASS="PARAMETER" -><I ->type</I -></TT +>type</VAR > and -<TT +<VAR CLASS="PARAMETER" -><I ->data</I -></TT +>data</VAR > is provided, only matching resource records will be removed. The internet class is assumed if -<TT +<VAR CLASS="PARAMETER" -><I ->class</I -></TT +>class</VAR > is not supplied. The -<TT +<VAR CLASS="PARAMETER" -><I ->ttl</I -></TT +>ttl</VAR > is ignored, and is only allowed for compatibility.</P ></DD @@ -700,24 +691,18 @@ CLASS="COMMAND" ><DD ><P >Adds a new resource record with the specified -<TT +<VAR CLASS="PARAMETER" -><I ->ttl</I -></TT +>ttl</VAR >, -<TT +<VAR CLASS="PARAMETER" -><I ->class</I -></TT +>class</VAR > and -<TT +<VAR CLASS="PARAMETER" -><I ->data</I -></TT +>data</VAR >.</P ></DD ><DT @@ -743,16 +728,27 @@ CLASS="COMMAND" ><P >Sends the current message. This is equivalent to entering a blank line.</P ></DD +><DT +><P +><B +CLASS="COMMAND" +>answer</B +> </P +></DT +><DD +><P +>Displays the answer.</P +></DD ></DL ></DIV > </P ><P ->Lines beginning with a semicolon are comments, and are ignored.</P +>Lines beginning with a semicolon are comments and are ignored.</P ></DIV ><DIV CLASS="REFSECT1" ><A -NAME="AEN223" +NAME="AEN255" ></A ><H2 >EXAMPLES</H2 @@ -781,7 +777,7 @@ CLASS="PROGRAMLISTING" ># nsupdate > update delete oldhost.example.com A > update add newhost.example.com 86400 A 172.16.1.1 -></PRE +> send</PRE ></P ><P >Any A records for @@ -802,7 +798,7 @@ CLASS="PROGRAMLISTING" ># nsupdate > prereq nxdomain nickname.example.com > update add nickname.example.com 86400 CNAME somehost.example.com -></PRE +> send</PRE ></P ><P >The prerequisite condition gets the name server to check that there @@ -818,12 +814,12 @@ This ensures that when the CNAME is added, it cannot conflict with the long-standing rule in RFC1034 that a name must not exist as any other record type if it exists as a CNAME. (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have -SIG, KEY and NXT records.)</P +RRSIG, DNSKEY and NSEC records.)</P ></DIV ><DIV CLASS="REFSECT1" ><A -NAME="AEN236" +NAME="AEN268" ></A ><H2 >FILES</H2 @@ -833,18 +829,18 @@ NAME="AEN236" CLASS="VARIABLELIST" ><DL ><DT -><TT +><CODE CLASS="CONSTANT" ->/etc/resolv.conf</TT +>/etc/resolv.conf</CODE ></DT ><DD ><P >used to identify default name server</P ></DD ><DT -><TT +><CODE CLASS="CONSTANT" ->K{name}.+157.+{random}.key</TT +>K{name}.+157.+{random}.key</CODE ></DT ><DD ><P @@ -858,9 +854,9 @@ CLASS="REFENTRYTITLE" >.</P ></DD ><DT -><TT +><CODE CLASS="CONSTANT" ->K{name}.+157.+{random}.private</TT +>K{name}.+157.+{random}.private</CODE ></DT ><DD ><P @@ -879,7 +875,7 @@ CLASS="REFENTRYTITLE" ><DIV CLASS="REFSECT1" ><A -NAME="AEN260" +NAME="AEN292" ></A ><H2 >SEE ALSO</H2 @@ -930,6 +926,13 @@ CLASS="REFENTRYTITLE" CLASS="CITEREFENTRY" ><SPAN CLASS="REFENTRYTITLE" +>RFC2931</SPAN +></SPAN +>, +<SPAN +CLASS="CITEREFENTRY" +><SPAN +CLASS="REFENTRYTITLE" >named</SPAN >(8)</SPAN >, @@ -944,7 +947,7 @@ CLASS="REFENTRYTITLE" ><DIV CLASS="REFSECT1" ><A -NAME="AEN281" +NAME="AEN315" ></A ><H2 >BUGS</H2 diff --git a/usr.sbin/bind/bin/rndc/rndc-confgen.8 b/usr.sbin/bind/bin/rndc/rndc-confgen.8 index 113708ba3be..009568e961c 100644 --- a/usr.sbin/bind/bin/rndc/rndc-confgen.8 +++ b/usr.sbin/bind/bin/rndc/rndc-confgen.8 @@ -1,20 +1,20 @@ +.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2001-2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. .\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +.\" PERFORMANCE OF THIS SOFTWARE. +.\" +.\" $ISC: rndc-confgen.8,v 1.3.2.5.2.3 2004/06/03 05:35:48 marka Exp $ .\" -.\" $ISC: rndc-confgen.8,v 1.3.2.6 2003/10/09 07:32:35 marka Exp $ - .TH "RNDC-CONFGEN" "8" "Aug 27, 2001" "BIND9" "" .SH NAME rndc-confgen \- rndc key generation tool @@ -47,13 +47,23 @@ and \fBnamed\fR on startup. The \fIrndc.key\fR file defines a default command channel and authentication key allowing \fBrndc\fR to communicate with -\fBnamed\fR with no further configuration. +\fBnamed\fR on the local host +with no further configuration. Running \fBrndc-confgen -a\fR allows BIND 9 and \fBrndc\fR to be used as drop-in replacements for BIND 8 and \fBndc\fR, with no changes to the existing BIND 8 \fInamed.conf\fR file. + +If a more elaborate configuration than that +generated by \fBrndc-confgen -a\fR +is required, for example if rndc is to be used remotely, +you should run \fBrndc-confgen\fR without the +\fB-a\fR option and set up a +\fIrndc.conf\fR and +\fInamed.conf\fR +as directed. .TP \fB-b \fIkeysize\fB\fR Specifies the size of the authentication key in bits. @@ -127,4 +137,4 @@ run \fIBIND 9 Administrator Reference Manual\fR. .SH "AUTHOR" .PP -Internet Software Consortium +Internet Systems Consortium diff --git a/usr.sbin/bind/bin/rndc/rndc-confgen.c b/usr.sbin/bind/bin/rndc/rndc-confgen.c index 383414009d3..44c498f11cb 100644 --- a/usr.sbin/bind/bin/rndc/rndc-confgen.c +++ b/usr.sbin/bind/bin/rndc/rndc-confgen.c @@ -1,21 +1,21 @@ /* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001, 2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: rndc-confgen.c,v 1.9.2.6 2003/07/22 04:03:37 marka Exp $ */ +/* $ISC: rndc-confgen.c,v 1.9.2.6.2.4 2004/03/06 10:21:31 marka Exp $ */ #include <config.h> @@ -91,19 +91,21 @@ write_key_file(const char *keyfile, const char *user, fd = safe_create(keyfile); if (fd == NULL) - fatal("unable to create \"%s\"", keyfile); - if (user != NULL) + fatal( "unable to create \"%s\"\n", keyfile); + if (user != NULL) { if (set_user(fd, user) == -1) - fatal("unable to set file owner"); + fatal("unable to set file owner\n"); + } fprintf(fd, "key \"%s\" {\n\talgorithm hmac-md5;\n" "\tsecret \"%.*s\";\n};\n", keyname, (int)isc_buffer_usedlength(secret), (char *)isc_buffer_base(secret)); fflush(fd); if (ferror(fd)) - fatal("write to %s failed", keyfile); + fatal("write to %s failed\n", keyfile); if (fclose(fd)) - fatal("fclose(%s) failed", keyfile); + fatal("fclose(%s) failed\n", keyfile); + fprintf(stderr, "wrote key file \"%s\"\n", keyfile); } int @@ -170,7 +172,7 @@ main(int argc, char **argv) { keyname = isc_commandline_argument; break; case 'M': - isc_mem_debugging = 1; + isc_mem_debugging = ISC_MEM_DEBUGTRACE; break; case 'm': diff --git a/usr.sbin/bind/bin/rndc/rndc-confgen.docbook b/usr.sbin/bind/bin/rndc/rndc-confgen.docbook index 5c9e7971198..9a74463d805 100644 --- a/usr.sbin/bind/bin/rndc/rndc-confgen.docbook +++ b/usr.sbin/bind/bin/rndc/rndc-confgen.docbook @@ -1,22 +1,22 @@ <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> <!-- - - Copyright (C) 2001 Internet Software Consortium. + - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2001, 2003 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $ISC: rndc-confgen.docbook,v 1.3.2.1 2003/02/07 02:39:01 marka Exp $ --> +<!-- $ISC: rndc-confgen.docbook,v 1.3.2.1.4.3 2004/06/03 02:24:58 marka Exp $ --> <refentry> <refentryinfo> @@ -86,7 +86,8 @@ <filename>rndc.key</filename> file defines a default command channel and authentication key allowing <command>rndc</command> to communicate with - <command>named</command> with no further configuration. + <command>named</command> on the local host + with no further configuration. </para> <para> Running <command>rndc-confgen -a</command> allows @@ -95,6 +96,16 @@ with no changes to the existing BIND 8 <filename>named.conf</filename> file. </para> + <para> + If a more elaborate configuration than that + generated by <command>rndc-confgen -a</command> + is required, for example if rndc is to be used remotely, + you should run <command>rndc-confgen</command> without the + <command>-a</command> option and set up a + <filename>rndc.conf</filename> and + <filename>named.conf</filename> + as directed. + </para> </listitem> </varlistentry> @@ -249,7 +260,7 @@ <refsect1> <title>AUTHOR</title> <para> - <corpauthor>Internet Software Consortium</corpauthor> + <corpauthor>Internet Systems Consortium</corpauthor> </para> </refsect1> diff --git a/usr.sbin/bind/bin/rndc/rndc-confgen.html b/usr.sbin/bind/bin/rndc/rndc-confgen.html index 8c8c2762f22..797d5ce2c5f 100644 --- a/usr.sbin/bind/bin/rndc/rndc-confgen.html +++ b/usr.sbin/bind/bin/rndc/rndc-confgen.html @@ -1,30 +1,30 @@ <!-- + - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2001-2003 Internet Software Consortium. - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $ISC: rndc-confgen.html,v 1.3.2.6 2003/10/09 07:32:35 marka Exp $ --> +<!-- $ISC: rndc-confgen.html,v 1.3.2.5.2.4 2004/08/22 23:39:00 marka Exp $ --> +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML ><HEAD ><TITLE >rndc-confgen</TITLE ><META NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.73 -"></HEAD +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD ><BODY CLASS="REFENTRY" BGCOLOR="#FFFFFF" @@ -35,10 +35,10 @@ ALINK="#0000FF" ><H1 ><A NAME="AEN1" +></A ><SPAN CLASS="APPLICATION" >rndc-confgen</SPAN -></A ></H1 ><DIV CLASS="REFNAMEDIV" @@ -62,76 +62,60 @@ NAME="AEN13" ><B CLASS="COMMAND" >rndc-confgen</B -> [<TT +> [<VAR CLASS="OPTION" ->-a</TT ->] [<TT +>-a</VAR +>] [<VAR CLASS="OPTION" ->-b <TT +>-b <VAR CLASS="REPLACEABLE" -><I ->keysize</I -></TT -></TT ->] [<TT +>keysize</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-c <TT +>-c <VAR CLASS="REPLACEABLE" -><I ->keyfile</I -></TT -></TT ->] [<TT +>keyfile</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-h</TT ->] [<TT +>-h</VAR +>] [<VAR CLASS="OPTION" ->-k <TT +>-k <VAR CLASS="REPLACEABLE" -><I ->keyname</I -></TT -></TT ->] [<TT +>keyname</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-p <TT +>-p <VAR CLASS="REPLACEABLE" -><I ->port</I -></TT -></TT ->] [<TT +>port</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-r <TT +>-r <VAR CLASS="REPLACEABLE" -><I ->randomfile</I -></TT -></TT ->] [<TT +>randomfile</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-s <TT +>-s <VAR CLASS="REPLACEABLE" -><I ->address</I -></TT -></TT ->] [<TT +>address</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-t <TT +>-t <VAR CLASS="REPLACEABLE" -><I ->chrootdir</I -></TT -></TT ->] [<TT +>chrootdir</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-u <TT +>-u <VAR CLASS="REPLACEABLE" -><I ->user</I -></TT -></TT +>user</VAR +></VAR >]</P ></DIV ><DIV @@ -213,13 +197,13 @@ CLASS="FILENAME" CLASS="FILENAME" >/etc</TT > (or whatever - <TT + <VAR CLASS="VARNAME" ->sysconfdir</TT +>sysconfdir</VAR > - was specified as when <SPAN + was specified as when <ACRONYM CLASS="ACRONYM" ->BIND</SPAN +>BIND</ACRONYM > was built) that is read by both <B CLASS="COMMAND" @@ -241,7 +225,8 @@ CLASS="COMMAND" <B CLASS="COMMAND" >named</B -> with no further configuration. +> on the local host + with no further configuration. </P ><P > Running <B @@ -262,13 +247,36 @@ CLASS="FILENAME" >named.conf</TT > file. </P +><P +> If a more elaborate configuration than that + generated by <B +CLASS="COMMAND" +>rndc-confgen -a</B +> + is required, for example if rndc is to be used remotely, + you should run <B +CLASS="COMMAND" +>rndc-confgen</B +> without the + <B +CLASS="COMMAND" +>-a</B +> option and set up a + <TT +CLASS="FILENAME" +>rndc.conf</TT +> and + <TT +CLASS="FILENAME" +>named.conf</TT +> + as directed. + </P ></DD ><DT ->-b <TT +>-b <VAR CLASS="REPLACEABLE" -><I ->keysize</I -></TT +>keysize</VAR ></DT ><DD ><P @@ -277,11 +285,9 @@ CLASS="REPLACEABLE" </P ></DD ><DT ->-c <TT +>-c <VAR CLASS="REPLACEABLE" -><I ->keyfile</I -></TT +>keyfile</VAR ></DT ><DD ><P @@ -307,28 +313,24 @@ CLASS="COMMAND" </P ></DD ><DT ->-k <TT +>-k <VAR CLASS="REPLACEABLE" -><I ->keyname</I -></TT +>keyname</VAR ></DT ><DD ><P > Specifies the key name of the rndc authentication key. This must be a valid domain name. - The default is <TT + The default is <CODE CLASS="CONSTANT" ->rndc-key</TT +>rndc-key</CODE >. </P ></DD ><DT ->-p <TT +>-p <VAR CLASS="REPLACEABLE" -><I ->port</I -></TT +>port</VAR ></DT ><DD ><P @@ -344,11 +346,9 @@ CLASS="COMMAND" </P ></DD ><DT ->-r <TT +>-r <VAR CLASS="REPLACEABLE" -><I ->randomfile</I -></TT +>randomfile</VAR ></DT ><DD ><P @@ -373,11 +373,9 @@ CLASS="FILENAME" </P ></DD ><DT ->-s <TT +>-s <VAR CLASS="REPLACEABLE" -><I ->address</I -></TT +>address</VAR ></DT ><DD ><P @@ -394,11 +392,9 @@ CLASS="COMMAND" </P ></DD ><DT ->-t <TT +>-t <VAR CLASS="REPLACEABLE" -><I ->chrootdir</I -></TT +>chrootdir</VAR ></DT ><DD ><P @@ -422,11 +418,9 @@ CLASS="COMMAND" </P ></DD ><DT ->-u <TT +>-u <VAR CLASS="REPLACEABLE" -><I ->user</I -></TT +>user</VAR ></DT ><DD ><P @@ -451,7 +445,7 @@ CLASS="COMMAND" ><DIV CLASS="REFSECT1" ><A -NAME="AEN141" +NAME="AEN147" ></A ><H2 >EXAMPLES</H2 @@ -463,11 +457,9 @@ CLASS="COMMAND" no manual configuration, run </P ><P -> <TT +> <KBD CLASS="USERINPUT" -><B ->rndc-confgen -a</B -></TT +>rndc-confgen -a</KBD > </P ><P @@ -489,18 +481,16 @@ CLASS="FILENAME" run </P ><P -> <TT +> <KBD CLASS="USERINPUT" -><B ->rndc-confgen</B -></TT +>rndc-confgen</KBD > </P ></DIV ><DIV CLASS="REFSECT1" ><A -NAME="AEN154" +NAME="AEN160" ></A ><H2 >SEE ALSO</H2 @@ -535,12 +525,12 @@ CLASS="CITETITLE" ><DIV CLASS="REFSECT1" ><A -NAME="AEN167" +NAME="AEN173" ></A ><H2 >AUTHOR</H2 ><P -> Internet Software Consortium +> Internet Systems Consortium </P ></DIV ></BODY diff --git a/usr.sbin/bind/bin/rndc/rndc.c b/usr.sbin/bind/bin/rndc/rndc.c index d75d20e53c6..26821521308 100644 --- a/usr.sbin/bind/bin/rndc/rndc.c +++ b/usr.sbin/bind/bin/rndc/rndc.c @@ -1,21 +1,21 @@ /* - * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: rndc.c,v 1.77.2.5 2003/07/22 04:03:37 marka Exp $ */ +/* $ISC: rndc.c,v 1.77.2.5.2.12.6.1 2004/09/20 01:00:01 marka Exp $ */ /* * Principal Author: DCL @@ -31,7 +31,6 @@ #include <isc/file.h> #include <isc/log.h> #include <isc/mem.h> -#include <isc/netdb.h> #include <isc/random.h> #include <isc/socket.h> #include <isc/stdtime.h> @@ -40,7 +39,7 @@ #include <isc/thread.h> #include <isc/util.h> -#include <isccfg/cfg.h> +#include <isccfg/namedconf.h> #include <isccc/alist.h> #include <isccc/base64.h> @@ -51,21 +50,11 @@ #include <isccc/types.h> #include <isccc/util.h> -#include "util.h" +#include <bind9/getaddresses.h> -#ifdef HAVE_ADDRINFO -#ifdef HAVE_GETADDRINFO -#ifdef HAVE_GAISTRERROR -#define USE_GETADDRINFO -#endif -#endif -#endif +#include "util.h" -#ifndef USE_GETADDRINFO -#ifndef ISC_PLATFORM_NONSTDHERRNO -extern int h_errno; -#endif -#endif +#define SERVERADDRS 10 char *progname; isc_boolean_t verbose; @@ -74,6 +63,9 @@ static const char *admin_conffile; static const char *admin_keyfile; static const char *version = VERSION; static const char *servername = NULL; +static isc_sockaddr_t serveraddrs[SERVERADDRS]; +static int nserveraddrs; +static int currentaddr = 0; static unsigned int remoteport = 0; static isc_socketmgr_t *socketmgr = NULL; static unsigned char databuf[2048]; @@ -88,6 +80,8 @@ static char program[256]; static isc_socket_t *sock = NULL; static isc_uint32_t serial; +static void rndc_startconnect(isc_sockaddr_t *addr, isc_task_t *task); + static void usage(int status) { fprintf(stderr, "\ @@ -101,18 +95,31 @@ command is one of the following:\n\ Reload a single zone.\n\ refresh zone [class [view]]\n\ Schedule immediate maintenance for a zone.\n\ + retransfer zone [class [view]]\n\ + Retransfer a single zone without checking serial number.\n\ + freeze zone [class [view]]\n\ + Suspend updates to a dynamic zone.\n\ + thaw zone [class [view]]\n\ + Enable updates to a frozen dynamic zone and reload it.\n\ reconfig Reload configuration file and new zones only.\n\ stats Write server statistics to the statistics file.\n\ querylog Toggle query logging.\n\ dumpdb Dump cache(s) to the dump file (named_dump.db).\n\ stop Save pending updates to master files and stop the server.\n\ + stop -p Save pending updates to master files and stop the server\n\ + reporting process id.\n\ halt Stop the server without saving pending updates.\n\ + halt -p Stop the server without saving pending updates reporting\n\ + process id.\n\ trace Increment debugging level by one.\n\ trace level Change the debugging level.\n\ notrace Set debugging level to 0.\n\ flush Flushes all of the server's caches.\n\ flush [view] Flushes the server's cache for a view.\n\ + flushname name [view]\n\ + Flush the given name from the server's cache(s)\n\ status Display status of the server.\n\ + recursing Dump the queries that are currently recursing (named.recursing)\n\ *restart Restart the server.\n\ \n\ * == not yet implemented\n\ @@ -123,74 +130,17 @@ Version: %s\n", } static void -get_address(const char *host, in_port_t port, isc_sockaddr_t *sockaddr) { - struct in_addr in4; - struct in6_addr in6; - isc_boolean_t have_ipv6; -#ifdef USE_GETADDRINFO - struct addrinfo *res = NULL, hints; - int result; -#else - struct hostent *he; -#endif - - have_ipv6 = ISC_TF(isc_net_probeipv6() == ISC_R_SUCCESS); +get_addresses(const char *host, in_port_t port) { + isc_result_t result; - /* - * Assume we have v4 if we don't have v6, since setup_libs - * fatal()'s out if we don't have either. - */ - if (have_ipv6 && inet_pton(AF_INET6, host, &in6) == 1) - isc_sockaddr_fromin6(sockaddr, &in6, port); - else if (inet_pton(AF_INET, host, &in4) == 1) - isc_sockaddr_fromin(sockaddr, &in4, port); - else { -#ifdef USE_GETADDRINFO - memset(&hints, 0, sizeof(hints)); - if (!have_ipv6) - hints.ai_family = PF_INET; - else if (isc_net_probeipv4() != ISC_R_SUCCESS) - hints.ai_family = PF_INET6; - else { - hints.ai_family = PF_UNSPEC; -#ifdef AI_ADDRCONFIG - hints.ai_flags = AI_ADDRCONFIG; -#endif - } - hints.ai_socktype = SOCK_STREAM; - isc_app_block(); -#ifdef AI_ADDRCONFIG - again: -#endif - result = getaddrinfo(host, NULL, &hints, &res); -#ifdef AI_ADDRCONFIG - if (result == EAI_BADFLAGS && - (hints.ai_flags & AI_ADDRCONFIG) != 0) { - hints.ai_flags &= ~AI_ADDRCONFIG; - goto again; - } -#endif - isc_app_unblock(); - if (result != 0) - fatal("Couldn't find server '%s': %s", - host, gai_strerror(result)); - memcpy(&sockaddr->type.sa, res->ai_addr, res->ai_addrlen); - sockaddr->length = res->ai_addrlen; - isc_sockaddr_setport(sockaddr, port); - freeaddrinfo(res); -#else - isc_app_block(); - he = gethostbyname(host); - isc_app_unblock(); - if (he == NULL) - fatal("Couldn't find server '%s' (h_errno=%d)", - host, h_errno); - INSIST(he->h_addrtype == AF_INET); - isc_sockaddr_fromin(sockaddr, - (struct in_addr *)(he->h_addr_list[0]), - port); -#endif - } + isc_app_block(); + result = bind9_getaddresses(servername, port, + serveraddrs, SERVERADDRS, &nserveraddrs); + isc_app_unblock(); + if (result != ISC_R_SUCCESS) + fatal("couldn't get address for '%s': %s", + host, isc_result_totext(result)); + INSIST(nserveraddrs > 0); } static void @@ -255,7 +205,7 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) { isccc_sexpr_free(&response); isc_socket_detach(&sock); isc_task_shutdown(task); - isc_app_shutdown(); + RUNTIME_CHECK(isc_app_shutdown() == ISC_R_SUCCESS); } static void @@ -349,8 +299,20 @@ rndc_connected(isc_task_t *task, isc_event_t *event) { connects--; - if (sevent->result != ISC_R_SUCCESS) - fatal("connect failed: %s", isc_result_totext(sevent->result)); + if (sevent->result != ISC_R_SUCCESS) { + if (sevent->result != ISC_R_CANCELED && + currentaddr < nserveraddrs) + { + notify("connection failed: %s", + isc_result_totext(sevent->result)); + isc_socket_detach(&sock); + isc_event_free(&event); + rndc_startconnect(&serveraddrs[currentaddr++], task); + return; + } else + fatal("connect failed: %s", + isc_result_totext(sevent->result)); + } isc_stdtime_get(&now); DO("create message", isccc_cc_createmessage(1, NULL, NULL, ++serial, @@ -382,28 +344,34 @@ rndc_connected(isc_task_t *task, isc_event_t *event) { } static void -rndc_start(isc_task_t *task, isc_event_t *event) { - isc_sockaddr_t addr; +rndc_startconnect(isc_sockaddr_t *addr, isc_task_t *task) { isc_result_t result; - char socktext[ISC_SOCKADDR_FORMATSIZE]; - - isc_event_free(&event); - get_address(servername, (in_port_t) remoteport, &addr); + char socktext[ISC_SOCKADDR_FORMATSIZE]; - isc_sockaddr_format(&addr, socktext, sizeof(socktext)); + isc_sockaddr_format(addr, socktext, sizeof(socktext)); notify("using server %s (%s)", servername, socktext); DO("create socket", isc_socket_create(socketmgr, - isc_sockaddr_pf(&addr), + isc_sockaddr_pf(addr), isc_sockettype_tcp, &sock)); - DO("connect", isc_socket_connect(sock, &addr, task, rndc_connected, + DO("connect", isc_socket_connect(sock, addr, task, rndc_connected, NULL)); connects++; } static void +rndc_start(isc_task_t *task, isc_event_t *event) { + isc_event_free(&event); + + get_addresses(servername, (in_port_t) remoteport); + + currentaddr = 0; + rndc_startconnect(&serveraddrs[currentaddr++], task); +} + +static void parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname, cfg_parser_t **pctxp, cfg_obj_t **configp) { @@ -461,7 +429,7 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname, fatal("no server specified and no default"); if (!key_only) { - cfg_map_get(config, "server", &servers); + (void)cfg_map_get(config, "server", &servers); if (servers != NULL) { for (elt = cfg_list_first(servers); elt != NULL; @@ -537,7 +505,7 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname, if (server != NULL) (void)cfg_map_get(server, "port", &defport); if (defport == NULL && options != NULL) - cfg_map_get(options, "default-port", &defport); + (void)cfg_map_get(options, "default-port", &defport); } if (defport != NULL) { remoteport = cfg_obj_asuint32(defport); @@ -574,7 +542,9 @@ main(int argc, char **argv) { admin_conffile = RNDC_CONFFILE; admin_keyfile = RNDC_KEYFILE; - isc_app_start(); + result = isc_app_start(); + if (result != ISC_R_SUCCESS) + fatal("isc_app_start() failed: %s", isc_result_totext(result)); while ((ch = isc_commandline_parse(argc, argv, "c:k:Mmp:s:Vy:")) != -1) { @@ -588,7 +558,7 @@ main(int argc, char **argv) { break; case 'M': - isc_mem_debugging = 1; + isc_mem_debugging = ISC_MEM_DEBUGTRACE; break; case 'm': @@ -686,7 +656,9 @@ main(int argc, char **argv) { DO("post event", isc_app_onrun(mctx, task, rndc_start, NULL)); - isc_app_run(); + result = isc_app_run(); + if (result != ISC_R_SUCCESS) + fatal("isc_app_run() failed: %s", isc_result_totext(result)); if (connects > 0 || sends > 0 || recvs > 0) isc_socket_cancel(sock, task, ISC_SOCKCANCEL_ALL); diff --git a/usr.sbin/bind/bin/rndc/rndc.conf.html b/usr.sbin/bind/bin/rndc/rndc.conf.html index 624d0ab2ac8..4167af74780 100644 --- a/usr.sbin/bind/bin/rndc/rndc.conf.html +++ b/usr.sbin/bind/bin/rndc/rndc.conf.html @@ -1,27 +1,30 @@ <!-- - - Copyright (C) 2000, 2001 Internet Software Consortium. - - + - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - - - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. --> + +<!-- $ISC: rndc.conf.html,v 1.5.2.1.4.3 2004/08/22 23:39:00 marka Exp $ --> + +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML ><HEAD ><TITLE >rndc.conf</TITLE ><META NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.73 -"></HEAD +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD ><BODY CLASS="REFENTRY" BGCOLOR="#FFFFFF" @@ -32,10 +35,10 @@ ALINK="#0000FF" ><H1 ><A NAME="AEN1" +></A ><TT CLASS="FILENAME" >rndc.conf</TT -></A ></H1 ><DIV CLASS="REFNAMEDIV" @@ -108,86 +111,86 @@ CLASS="FILENAME" and a key statement. </P ><P -> The <TT +> The <VAR CLASS="OPTION" ->options</TT +>options</VAR > statement contains three clauses. - The <TT + The <VAR CLASS="OPTION" ->default-server</TT +>default-server</VAR > clause is followed by the name or address of a name server. This host will be used when no name server is given as an argument to <B CLASS="COMMAND" >rndc</B ->. The <TT +>. The <VAR CLASS="OPTION" ->default-key</TT +>default-key</VAR > clause is followed by the name of a key which is identified by - a <TT + a <VAR CLASS="OPTION" ->key</TT +>key</VAR > statement. If no - <TT + <VAR CLASS="OPTION" ->keyid</TT +>keyid</VAR > is provided on the rndc command line, - and no <TT + and no <VAR CLASS="OPTION" ->key</TT +>key</VAR > clause is found in a matching - <TT + <VAR CLASS="OPTION" ->server</TT +>server</VAR > statement, this default key will be used to authenticate the server's commands and responses. The - <TT + <VAR CLASS="OPTION" ->default-port</TT +>default-port</VAR > clause is followed by the port to connect to on the remote name server. If no - <TT + <VAR CLASS="OPTION" ->port</TT +>port</VAR > option is provided on the rndc command - line, and no <TT + line, and no <VAR CLASS="OPTION" ->port</TT +>port</VAR > clause is found in a - matching <TT + matching <VAR CLASS="OPTION" ->server</TT +>server</VAR > statement, this default port will be used to connect. </P ><P -> After the <TT +> After the <VAR CLASS="OPTION" ->server</TT +>server</VAR > keyword, the server statement includes a string which is the hostname or address for a name server. The statement has two possible clauses: - <TT + <VAR CLASS="OPTION" ->key</TT -> and <TT +>key</VAR +> and <VAR CLASS="OPTION" ->port</TT +>port</VAR >. The key name must match the name of a key statement in the file. The port number specifies the port to connect to. </P ><P -> The <TT +> The <VAR CLASS="OPTION" ->key</TT +>key</VAR > statement begins with an identifying string, the name of the key. The statement has two clauses. - <TT + <VAR CLASS="OPTION" ->algorithm</TT +>algorithm</VAR > identifies the encryption algorithm for <B CLASS="COMMAND" @@ -262,11 +265,9 @@ CLASS="COMMAND" >: </P ><P -> <TT +> <KBD CLASS="USERINPUT" -><B ->rndc-confgen</B -></TT +>rndc-confgen</KBD > </P ><P @@ -275,13 +276,13 @@ CLASS="FILENAME" >rndc.conf</TT > file, including the randomly generated key, will be written to the standard - output. Commented out <TT + output. Commented out <VAR CLASS="OPTION" ->key</TT +>key</VAR > and - <TT + <VAR CLASS="OPTION" ->controls</TT +>controls</VAR > statements for <TT CLASS="FILENAME" @@ -295,11 +296,9 @@ CLASS="COMMAND" >: </P ><P -> <TT +> <KBD CLASS="USERINPUT" -><B ->echo "known plaintext for a secret" | mmencode</B -></TT +>echo "known plaintext for a secret" | mmencode</KBD > </P ></DIV @@ -320,9 +319,9 @@ CLASS="FILENAME" CLASS="FILENAME" >named.conf</TT >. - See the sections on the <TT + See the sections on the <VAR CLASS="OPTION" ->controls</TT +>controls</VAR > statement in the BIND 9 Administrator Reference Manual for details. </P @@ -370,7 +369,7 @@ NAME="AEN91" ><H2 >AUTHOR</H2 ><P -> Internet Software Consortium +> Internet Systems Consortium </P ></DIV ></BODY diff --git a/usr.sbin/bind/bin/rndc/rndc.html b/usr.sbin/bind/bin/rndc/rndc.html index dd5811bc10f..5e20ad852ab 100644 --- a/usr.sbin/bind/bin/rndc/rndc.html +++ b/usr.sbin/bind/bin/rndc/rndc.html @@ -1,27 +1,30 @@ <!-- - - Copyright (C) 2000, 2001 Internet Software Consortium. - - + - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - - - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. --> + +<!-- $ISC: rndc.html,v 1.7.2.1.4.3 2004/08/22 23:39:00 marka Exp $ --> + +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML ><HEAD ><TITLE >rndc</TITLE ><META NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.73 -"></HEAD +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD ><BODY CLASS="REFENTRY" BGCOLOR="#FFFFFF" @@ -32,10 +35,10 @@ ALINK="#0000FF" ><H1 ><A NAME="AEN1" +></A ><SPAN CLASS="APPLICATION" >rndc</SPAN -></A ></H1 ><DIV CLASS="REFNAMEDIV" @@ -59,49 +62,39 @@ NAME="AEN13" ><B CLASS="COMMAND" >rndc</B -> [<TT +> [<VAR CLASS="OPTION" ->-c <TT +>-c <VAR CLASS="REPLACEABLE" -><I ->config-file</I -></TT -></TT ->] [<TT +>config-file</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-k <TT +>-k <VAR CLASS="REPLACEABLE" -><I ->key-file</I -></TT -></TT ->] [<TT +>key-file</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-s <TT +>-s <VAR CLASS="REPLACEABLE" -><I ->server</I -></TT -></TT ->] [<TT +>server</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-p <TT +>-p <VAR CLASS="REPLACEABLE" -><I ->port</I -></TT -></TT ->] [<TT +>port</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-V</TT ->] [<TT +>-V</VAR +>] [<VAR CLASS="OPTION" ->-y <TT +>-y <VAR CLASS="REPLACEABLE" -><I ->key_id</I -></TT -></TT +>key_id</VAR +></VAR >] {command}</P ></DIV ><DIV @@ -172,19 +165,15 @@ NAME="AEN46" CLASS="VARIABLELIST" ><DL ><DT ->-c <TT +>-c <VAR CLASS="REPLACEABLE" -><I ->config-file</I -></TT +>config-file</VAR ></DT ><DD ><P -> Use <TT +> Use <VAR CLASS="REPLACEABLE" -><I ->config-file</I -></TT +>config-file</VAR > as the configuration file instead of the default, <TT @@ -194,19 +183,15 @@ CLASS="FILENAME" </P ></DD ><DT ->-k <TT +>-k <VAR CLASS="REPLACEABLE" -><I ->key-file</I -></TT +>key-file</VAR ></DT ><DD ><P -> Use <TT +> Use <VAR CLASS="REPLACEABLE" -><I ->key-file</I -></TT +>key-file</VAR > as the key file instead of the default, <TT @@ -217,29 +202,23 @@ CLASS="FILENAME" CLASS="FILENAME" >/etc/rndc.key</TT > will be used to authenticate - commands sent to the server if the <TT + commands sent to the server if the <VAR CLASS="REPLACEABLE" -><I ->config-file</I -></TT +>config-file</VAR > does not exist. </P ></DD ><DT ->-s <TT +>-s <VAR CLASS="REPLACEABLE" -><I ->server</I -></TT +>server</VAR ></DT ><DD ><P -> <TT +> <VAR CLASS="REPLACEABLE" -><I ->server</I -></TT +>server</VAR > is the name or address of the server which matches a server statement in the configuration file for @@ -253,20 +232,16 @@ CLASS="COMMAND" </P ></DD ><DT ->-p <TT +>-p <VAR CLASS="REPLACEABLE" -><I ->port</I -></TT +>port</VAR ></DT ><DD ><P > Send commands to TCP port - <TT + <VAR CLASS="REPLACEABLE" -><I ->port</I -></TT +>port</VAR > instead of BIND 9's default control channel port, 953. </P @@ -279,34 +254,26 @@ CLASS="REPLACEABLE" </P ></DD ><DT ->-y <TT +>-y <VAR CLASS="REPLACEABLE" -><I ->keyid</I -></TT +>keyid</VAR ></DT ><DD ><P -> Use the key <TT +> Use the key <VAR CLASS="REPLACEABLE" -><I ->keyid</I -></TT +>keyid</VAR > from the configuration file. - <TT + <VAR CLASS="REPLACEABLE" -><I ->keyid</I -></TT +>keyid</VAR > must be known by named with the same algorithm and secret string in order for control message validation to succeed. - If no <TT + If no <VAR CLASS="REPLACEABLE" -><I ->keyid</I -></TT +>keyid</VAR > is specified, <B CLASS="COMMAND" @@ -354,9 +321,9 @@ CLASS="COMMAND" </P ><P > There is currently no way to provide the shared secret for a - <TT + <VAR CLASS="OPTION" ->key_id</TT +>key_id</VAR > without using the configuration file. </P ><P @@ -413,7 +380,7 @@ NAME="AEN118" ><H2 >AUTHOR</H2 ><P -> Internet Software Consortium +> Internet Systems Consortium </P ></DIV ></BODY diff --git a/usr.sbin/bind/bin/tests/Makefile.in b/usr.sbin/bind/bin/tests/Makefile.in index 4e66efb06d6..035f61666b0 100644 --- a/usr.sbin/bind/bin/tests/Makefile.in +++ b/usr.sbin/bind/bin/tests/Makefile.in @@ -1,25 +1,25 @@ -# Copyright (C) 1998-2002 Internet Software Consortium. +# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 1998-2003 Internet Software Consortium. # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # -# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. -# $ISC: Makefile.in,v 1.113.2.1 2002/02/12 12:02:05 marka Exp $ +# $ISC: Makefile.in,v 1.113.2.1.8.7 2004/07/20 07:01:50 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ top_srcdir = @top_srcdir@ -@BIND9_INCLUDES@ +@BIND9_MAKE_INCLUDES@ CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \ ${LWRES_INCLUDES} ${OMAPI_INCLUDES} @@ -27,7 +27,7 @@ CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \ CDEFINES = CWARNINGS = -DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@ @DNS_GSSAPI_LIBS@ +DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ ISCLIBS = ../../lib/isc/libisc.@A@ ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ LWRESLIBS = ../../lib/lwres/liblwres.@A@ @@ -46,49 +46,49 @@ SUBDIRS = db dst master mem names net rbt sockaddr tasks timers system # genrandom is needed by the system tests # Alphabetically -TARGETS = cfg_test \ - genrandom +TARGETS = cfg_test@EXEEXT@ \ + genrandom@EXEEXT@ # All the other tests are optional and not built by default. # Alphabetically -XTARGETS = adb_test \ - byaddr_test \ - byname_test \ - compress_test \ - db_test \ - entropy_test \ - entropy2_test \ - gxba_test \ - gxbn_test \ - hash_test \ - fsaccess_test \ - inter_test \ - journalprint \ - keyboard_test \ - lcg_test \ - lex_test \ - lfsr_test \ - log_test \ - lwres_test \ - lwresconf_test \ - master_test \ - mempool_test \ - name_test \ - nxtify \ - ratelimiter_test \ - rbt_test \ - rdata_test \ - rwlock_test \ - serial_test \ - shutdown_test \ - sig0_test \ - sock_test \ - sym_test \ - task_test \ - timer_test \ - wire_test \ - zone_test +XTARGETS = adb_test@EXEEXT@ \ + byaddr_test@EXEEXT@ \ + byname_test@EXEEXT@ \ + compress_test@EXEEXT@ \ + db_test@EXEEXT@ \ + entropy_test@EXEEXT@ \ + entropy2_test@EXEEXT@ \ + gxba_test@EXEEXT@ \ + gxbn_test@EXEEXT@ \ + hash_test@EXEEXT@ \ + fsaccess_test@EXEEXT@ \ + inter_test@EXEEXT@ \ + journalprint@EXEEXT@ \ + keyboard_test@EXEEXT@ \ + lcg_test@EXEEXT@ \ + lex_test@EXEEXT@ \ + lfsr_test@EXEEXT@ \ + log_test@EXEEXT@ \ + lwres_test@EXEEXT@ \ + lwresconf_test@EXEEXT@ \ + master_test@EXEEXT@ \ + mempool_test@EXEEXT@ \ + name_test@EXEEXT@ \ + nsecify@EXEEXT@ \ + ratelimiter_test@EXEEXT@ \ + rbt_test@EXEEXT@ \ + rdata_test@EXEEXT@ \ + rwlock_test@EXEEXT@ \ + serial_test@EXEEXT@ \ + shutdown_test@EXEEXT@ \ + sig0_test@EXEEXT@ \ + sock_test@EXEEXT@ \ + sym_test@EXEEXT@ \ + task_test@EXEEXT@ \ + timer_test@EXEEXT@ \ + wire_test@EXEEXT@ \ + zone_test@EXEEXT@ # Alphabetically SRCS = adb_test.c \ @@ -114,7 +114,7 @@ SRCS = adb_test.c \ master_test.c \ mempool_test.c \ name_test.c \ - nxtify.c \ + nsecify.c \ printmsg.c \ ratelimiter_test.c \ rbt_test.c \ @@ -134,159 +134,159 @@ SRCS = adb_test.c \ all_tests: ${XTARGETS} -genrandom: genrandom.@O@ - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ genrandom.@O@ +genrandom@EXEEXT@: genrandom.@O@ + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ genrandom.@O@ -adb_test: adb_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ adb_test.@O@ \ +adb_test@EXEEXT@: adb_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ adb_test.@O@ \ ${DNSLIBS} ${ISCLIBS} ${LIBS} -nxtify: nxtify.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ nxtify.@O@ \ +nsecify@EXEEXT@: nsecify.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ nsecify.@O@ \ ${DNSLIBS} ${ISCLIBS} ${LIBS} -byaddr_test: byaddr_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ byaddr_test.@O@ \ +byaddr_test@EXEEXT@: byaddr_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ byaddr_test.@O@ \ ${DNSLIBS} ${ISCLIBS} ${LIBS} -byname_test: byname_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ byname_test.@O@ \ +byname_test@EXEEXT@: byname_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ byname_test.@O@ \ ${DNSLIBS} ${ISCLIBS} ${LIBS} -lcg_test: lcg_test.@O@ ${ISCDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ lcg_test.@O@ \ +lcg_test@EXEEXT@: lcg_test.@O@ ${ISCDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ lcg_test.@O@ \ ${ISCLIBS} ${LIBS} -lex_test: lex_test.@O@ ${ISCDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ lex_test.@O@ \ +lex_test@EXEEXT@: lex_test.@O@ ${ISCDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ lex_test.@O@ \ ${ISCLIBS} ${LIBS} -lfsr_test: lfsr_test.@O@ ${ISCDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ lfsr_test.@O@ \ +lfsr_test@EXEEXT@: lfsr_test.@O@ ${ISCDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ lfsr_test.@O@ \ ${ISCLIBS} ${LIBS} -log_test: log_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ log_test.@O@ \ +log_test@EXEEXT@: log_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ log_test.@O@ \ ${DNSLIBS} ${ISCLIBS} ${LIBS} -name_test: name_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ name_test.@O@ \ +name_test@EXEEXT@: name_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ name_test.@O@ \ ${DNSLIBS} ${ISCLIBS} ${LIBS} -hash_test: hash_test.@O@ ${ISCDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ hash_test.@O@ \ +hash_test@EXEEXT@: hash_test.@O@ ${ISCDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ hash_test.@O@ \ ${ISCLIBS} ${LIBS} -entropy_test: entropy_test.@O@ ${ISCDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ entropy_test.@O@ \ +entropy_test@EXEEXT@: entropy_test.@O@ ${ISCDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ entropy_test.@O@ \ ${ISCLIBS} ${LIBS} -entropy2_test: entropy2_test.@O@ ${ISCDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ entropy2_test.@O@ \ +entropy2_test@EXEEXT@: entropy2_test.@O@ ${ISCDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ entropy2_test.@O@ \ ${ISCLIBS} ${LIBS} -sock_test: sock_test.@O@ ${ISCDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ sock_test.@O@ \ +sock_test@EXEEXT@: sock_test.@O@ ${ISCDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ sock_test.@O@ \ ${ISCLIBS} ${LIBS} -sym_test: sym_test.@O@ ${ISCDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ sym_test.@O@ \ +sym_test@EXEEXT@: sym_test.@O@ ${ISCDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ sym_test.@O@ \ ${ISCLIBS} ${LIBS} -task_test: task_test.@O@ ${ISCDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ task_test.@O@ \ +task_test@EXEEXT@: task_test.@O@ ${ISCDEPLIBS} + ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ task_test.@O@ \ ${ISCLIBS} ${LIBS} -shutdown_test: shutdown_test.@O@ ${ISCDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ shutdown_test.@O@ \ +shutdown_test@EXEEXT@: shutdown_test.@O@ ${ISCDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ shutdown_test.@O@ \ ${ISCLIBS} ${LIBS} -timer_test: timer_test.@O@ ${ISCDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ timer_test.@O@ \ +timer_test@EXEEXT@: timer_test.@O@ ${ISCDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ timer_test.@O@ \ ${ISCLIBS} ${LIBS} -ratelimiter_test: ratelimiter_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ ratelimiter_test.@O@ \ +ratelimiter_test@EXEEXT@: ratelimiter_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ratelimiter_test.@O@ \ ${DNSLIBS} ${ISCLIBS} ${LIBS} -rbt_test: rbt_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ rbt_test.@O@ \ +rbt_test@EXEEXT@: rbt_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rbt_test.@O@ \ ${DNSLIBS} ${ISCLIBS} ${LIBS} -rdata_test: rdata_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ rdata_test.@O@ \ +rdata_test@EXEEXT@: rdata_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rdata_test.@O@ \ ${DNSLIBS} ${ISCLIBS} ${LIBS} -rwlock_test: rwlock_test.@O@ ${ISCDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ rwlock_test.@O@ \ +rwlock_test@EXEEXT@: rwlock_test.@O@ ${ISCDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rwlock_test.@O@ \ ${ISCLIBS} ${LIBS} -wire_test: wire_test.@O@ printmsg.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ wire_test.@O@ printmsg.@O@ \ +wire_test@EXEEXT@: wire_test.@O@ printmsg.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ wire_test.@O@ printmsg.@O@ \ ${DNSLIBS} ${ISCLIBS} ${LIBS} -master_test: master_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ master_test.@O@ \ +master_test@EXEEXT@: master_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ master_test.@O@ \ ${DNSLIBS} ${ISCLIBS} ${LIBS} -db_test: db_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ db_test.@O@ \ +db_test@EXEEXT@: db_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ db_test.@O@ \ ${DNSLIBS} ${ISCLIBS} ${LIBS} -compress_test: compress_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ compress_test.@O@ \ +compress_test@EXEEXT@: compress_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ compress_test.@O@ \ ${DNSLIBS} ${ISCLIBS} ${LIBS} -mempool_test: mempool_test.@O@ ${ISCDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ mempool_test.@O@ \ +mempool_test@EXEEXT@: mempool_test.@O@ ${ISCDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ mempool_test.@O@ \ ${ISCLIBS} ${LIBS} -serial_test: serial_test.@O@ ${ISCDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ serial_test.@O@ \ +serial_test@EXEEXT@: serial_test.@O@ ${ISCDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ serial_test.@O@ \ ${ISCLIBS} ${LIBS} -zone_test: zone_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ zone_test.@O@ \ +zone_test@EXEEXT@: zone_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zone_test.@O@ \ ${DNSLIBS} ${ISCLIBS} ${LIBS} -fsaccess_test: fsaccess_test.@O@ ${ISCDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ fsaccess_test.@O@ \ +fsaccess_test@EXEEXT@: fsaccess_test.@O@ ${ISCDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ fsaccess_test.@O@ \ ${ISCLIBS} ${LIBS} -inter_test: inter_test.@O@ ${ISCDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ inter_test.@O@ \ +inter_test@EXEEXT@: inter_test.@O@ ${ISCDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ inter_test.@O@ \ ${ISCLIBS} ${LIBS} -keyboard_test: keyboard_test.@O@ ${ISCDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ keyboard_test.@O@ \ +keyboard_test@EXEEXT@: keyboard_test.@O@ ${ISCDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ keyboard_test.@O@ \ ${ISCLIBS} ${LIBS} -lwresconf_test: lwresconf_test.@O@ ${ISCDEPLIBS} ${LWRESDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ lwresconf_test.@O@ \ +lwresconf_test@EXEEXT@: lwresconf_test.@O@ ${ISCDEPLIBS} ${LWRESDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ lwresconf_test.@O@ \ ${LWRESLIBS} ${ISCLIBS} ${LIBS} -lwres_test: lwres_test.@O@ ${ISCDEPLIBS} ${LWRESDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ lwres_test.@O@ \ +lwres_test@EXEEXT@: lwres_test.@O@ ${ISCDEPLIBS} ${LWRESDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ lwres_test.@O@ \ ${LWRESLIBS} ${ISCLIBS} ${LIBS} -gxbn_test: gxbn_test.@O@ ${LWRESDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ gxbn_test.@O@ \ +gxbn_test@EXEEXT@: gxbn_test.@O@ ${LWRESDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ gxbn_test.@O@ \ ${LWRESLIBS} ${ISCLIBS} ${LIBS} -gxba_test: gxba_test.@O@ ${LWRESDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ gxba_test.@O@ \ +gxba_test@EXEEXT@: gxba_test.@O@ ${LWRESDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ gxba_test.@O@ \ ${LWRESLIBS} ${ISCLIBS} ${LIBS} -sig0_test: sig0_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ sig0_test.@O@ \ +sig0_test@EXEEXT@: sig0_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ sig0_test.@O@ \ ${DNSLIBS} ${ISCLIBS} ${LIBS} -journalprint: journalprint.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} - ${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ journalprint.@O@ \ +journalprint@EXEEXT@: journalprint.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ journalprint.@O@ \ ${DNSLIBS} ${ISCLIBS} ${LIBS} -cfg_test: cfg_test.@O@ ${ISCCFGDEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS} - ${LIBTOOL} ${CC} ${CFLAGS} -o $@ cfg_test.@O@ \ +cfg_test@EXEEXT@: cfg_test.@O@ ${ISCCFGDEPLIBS} ${ISCDEPLIBS} + ${LIBTOOL_MODE_LINK} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ cfg_test.@O@ \ ${ISCCFGLIBS} ${DNSLIBS} ${ISCLIBS} ${LIBS} distclean:: @@ -296,6 +296,8 @@ clean distclean:: rm -f ${TARGETS} ${XTARGETS} rm -f t_journal +check: test + test: @for dir in $(SUBDIRS) ;\ do \ diff --git a/usr.sbin/bind/bin/tests/db_test.c b/usr.sbin/bind/bin/tests/db_test.c index 28c32f1f5a4..bcbfb216890 100644 --- a/usr.sbin/bind/bin/tests/db_test.c +++ b/usr.sbin/bind/bin/tests/db_test.c @@ -1,21 +1,21 @@ /* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: db_test.c,v 1.56 2001/01/09 21:40:57 bwelling Exp $ */ +/* $ISC: db_test.c,v 1.56.12.4 2004/03/08 04:04:25 marka Exp $ */ /* * Principal Author: Bob Halley @@ -248,7 +248,7 @@ load(const char *filename, const char *origintext, isc_boolean_t cache) { dbinfo *dbi; unsigned int i; - dbi = isc_mem_get(mctx, sizeof *dbi); + dbi = isc_mem_get(mctx, sizeof(*dbi)); if (dbi == NULL) return (ISC_R_NOMEMORY); @@ -281,7 +281,7 @@ load(const char *filename, const char *origintext, isc_boolean_t cache) { dns_rdataclass_in, 0, NULL, &dbi->db); if (result != ISC_R_SUCCESS) { - isc_mem_put(mctx, dbi, sizeof *dbi); + isc_mem_put(mctx, dbi, sizeof(*dbi)); return (result); } @@ -289,7 +289,7 @@ load(const char *filename, const char *origintext, isc_boolean_t cache) { result = dns_db_load(dbi->db, filename); if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) { dns_db_detach(&dbi->db); - isc_mem_put(mctx, dbi, sizeof *dbi); + isc_mem_put(mctx, dbi, sizeof(*dbi)); return (result); } printf("loaded\n"); @@ -301,7 +301,7 @@ load(const char *filename, const char *origintext, isc_boolean_t cache) { } else { if (dns_dbtable_add(dbtable, dbi->db) != ISC_R_SUCCESS) { dns_db_detach(&dbi->db); - isc_mem_put(mctx, dbi, sizeof *dbi); + isc_mem_put(mctx, dbi, sizeof(*dbi)); return (result); } } @@ -325,7 +325,7 @@ unload_all(void) { } dns_db_detach(&dbi->db); ISC_LIST_UNLINK(dbs, dbi, link); - isc_mem_put(mctx, dbi, sizeof *dbi); + isc_mem_put(mctx, dbi, sizeof(*dbi)); } } @@ -466,13 +466,13 @@ main(int argc, char *argv[]) { version = NULL; if (time_lookups) { - (void)isc_time_now(&start); + TIME_NOW(&start); } while (!done) { if (!quiet) printf("\n"); - if (fgets(s, sizeof s, stdin) == NULL) { + if (fgets(s, sizeof(s), stdin) == NULL) { done = ISC_TRUE; continue; } @@ -923,7 +923,7 @@ main(int argc, char *argv[]) { if (time_lookups) { isc_uint64_t usec; - (void)isc_time_now(&finish); + TIME_NOW(&finish); usec = isc_time_microdiff(&finish, &start); diff --git a/usr.sbin/bind/bin/tests/dst/t_dst.c b/usr.sbin/bind/bin/tests/dst/t_dst.c index 9758cab8037..f37fa7e1307 100644 --- a/usr.sbin/bind/bin/tests/dst/t_dst.c +++ b/usr.sbin/bind/bin/tests/dst/t_dst.c @@ -1,21 +1,21 @@ /* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: t_dst.c,v 1.47 2001/08/08 22:54:31 gson Exp $ */ +/* $ISC: t_dst.c,v 1.47.206.2 2004/06/11 00:30:52 marka Exp $ */ #include <config.h> @@ -168,7 +168,7 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx, char tmp[PATH_MAX + 1]; char *p; int alg = DST_ALG_DH; - int type = DST_TYPE_PUBLIC|DST_TYPE_PRIVATE; + int type = DST_TYPE_PUBLIC|DST_TYPE_PRIVATE|DST_TYPE_KEY; unsigned char array1[1024], array2[1024]; isc_buffer_t b1, b2; isc_region_t r1, r2; diff --git a/usr.sbin/bind/bin/tests/genrandom.c b/usr.sbin/bind/bin/tests/genrandom.c index 34c4bdd6900..ade3b632890 100644 --- a/usr.sbin/bind/bin/tests/genrandom.c +++ b/usr.sbin/bind/bin/tests/genrandom.c @@ -1,28 +1,29 @@ /* - * Copyright (C) 2000, 2001 Internet Software Consortium. + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: genrandom.c,v 1.8 2001/01/09 21:41:04 bwelling Exp $ */ +/* $ISC: genrandom.c,v 1.8.74.4 2004/03/08 04:04:25 marka Exp $ */ #include <config.h> #include <stdio.h> -#include <stdlib.h> #include <time.h> +#include <isc/stdlib.h> + int main(int argc, char **argv) { unsigned int bytes; diff --git a/usr.sbin/bind/bin/tests/hash_test.c b/usr.sbin/bind/bin/tests/hash_test.c index b8fb37daf56..6f6412b7bfc 100644 --- a/usr.sbin/bind/bin/tests/hash_test.c +++ b/usr.sbin/bind/bin/tests/hash_test.c @@ -1,21 +1,21 @@ /* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: hash_test.c,v 1.8 2001/01/09 21:41:07 bwelling Exp $ */ +/* $ISC: hash_test.c,v 1.8.12.3 2004/03/08 04:04:26 marka Exp $ */ #include <config.h> @@ -35,9 +35,9 @@ print_digest(char *s, const char *hash, unsigned char *d, unsigned int i, j; printf("hash (%s) %s:\n\t", hash, s); - for (i = 0 ; i < words ; i++) { + for (i = 0; i < words; i++) { printf(" "); - for (j = 0 ; j < 4 ; j++) + for (j = 0; j < 4; j++) printf("%02x", d[i * 4 + j]); } printf("\n"); diff --git a/usr.sbin/bind/bin/tests/lcg_test.c b/usr.sbin/bind/bin/tests/lcg_test.c index 23b7604144f..5681cea9798 100644 --- a/usr.sbin/bind/bin/tests/lcg_test.c +++ b/usr.sbin/bind/bin/tests/lcg_test.c @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: lcg_test.c,v 1.1 2003/01/20 21:37:46 jakob Exp $ */ +/* $OpenBSD: lcg_test.c,v 1.2 2004/09/28 17:14:04 jakob Exp $ */ #include <config.h> diff --git a/usr.sbin/bind/bin/tests/rbt_test.txt b/usr.sbin/bind/bin/tests/rbt_test.txt index 2376ad4650f..e34bc5f8235 100644 --- a/usr.sbin/bind/bin/tests/rbt_test.txt +++ b/usr.sbin/bind/bin/tests/rbt_test.txt @@ -1,19 +1,19 @@ -# Copyright (C) 1999-2001, 2003 Internet Software Consortium. +# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 1999-2001 Internet Software Consortium. # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # -# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. -# $ISC: rbt_test.txt,v 1.13.2.2 2003/07/22 04:03:37 marka Exp $
+# $ISC: rbt_test.txt,v 1.13.2.2.2.3 2004/03/08 04:04:26 marka Exp $
add a.vix.com
add b.vix.com
diff --git a/usr.sbin/bind/bin/tests/rwlock_test.c b/usr.sbin/bind/bin/tests/rwlock_test.c index ff24875f7cb..665070ad7e7 100644 --- a/usr.sbin/bind/bin/tests/rwlock_test.c +++ b/usr.sbin/bind/bin/tests/rwlock_test.c @@ -1,21 +1,21 @@ /* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1998-2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: rwlock_test.c,v 1.20 2001/05/02 17:35:52 gson Exp $ */ +/* $ISC: rwlock_test.c,v 1.20.206.2 2004/08/28 06:25:31 marka Exp $ */ #include <config.h> @@ -23,6 +23,7 @@ #include <stdlib.h> #include <unistd.h> +#include <isc/print.h> #include <isc/thread.h> #include <isc/rwlock.h> #include <isc/string.h> diff --git a/usr.sbin/bind/bin/tests/shutdown_test.c b/usr.sbin/bind/bin/tests/shutdown_test.c index 4fc5c61c1fa..87110002cc4 100644 --- a/usr.sbin/bind/bin/tests/shutdown_test.c +++ b/usr.sbin/bind/bin/tests/shutdown_test.c @@ -1,21 +1,21 @@ /* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1998-2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: shutdown_test.c,v 1.18 2001/01/09 21:41:38 bwelling Exp $ */ +/* $ISC: shutdown_test.c,v 1.18.12.5 2004/08/28 06:25:31 marka Exp $ */ #include <config.h> @@ -24,6 +24,7 @@ #include <isc/app.h> #include <isc/mem.h> +#include <isc/print.h> #include <isc/task.h> #include <isc/time.h> #include <isc/timer.h> @@ -79,7 +80,7 @@ shutdown_action(isc_task_t *task, isc_event_t *event) { isc_timer_detach(&info->timer); nevent = isc_event_allocate(info->mctx, info, T2_SHUTDOWNOK, t2_shutdown, &tasks[1], - sizeof *event); + sizeof(*event)); RUNTIME_CHECK(nevent != NULL); info->exiting = ISC_TRUE; isc_task_sendanddetach(&info->peer, &nevent); @@ -94,8 +95,7 @@ foo_event(isc_task_t *task, isc_event_t *event) { } static void -tick(isc_task_t *task, isc_event_t *event) -{ +tick(isc_task_t *task, isc_event_t *event) { t_info *info = event->ev_arg; isc_event_t *nevent; @@ -113,7 +113,7 @@ tick(isc_task_t *task, isc_event_t *event) nevent = isc_event_allocate(info->mctx, info, T2_SHUTDOWNDONE, t1_shutdown, &tasks[0], - sizeof *event); + sizeof(*event)); RUNTIME_CHECK(nevent != NULL); isc_task_send(info->peer, &nevent); isc_task_detach(&info->peer); @@ -123,7 +123,7 @@ tick(isc_task_t *task, isc_event_t *event) nevent = isc_event_allocate(info->mctx, info, FOO_EVENT, foo_event, task, - sizeof *event); + sizeof(*event)); RUNTIME_CHECK(nevent != NULL); isc_task_sendanddetach(&task, &nevent); } diff --git a/usr.sbin/bind/bin/tests/sock_test.c b/usr.sbin/bind/bin/tests/sock_test.c index df8f9f31d42..d28ed7ff7fa 100644 --- a/usr.sbin/bind/bin/tests/sock_test.c +++ b/usr.sbin/bind/bin/tests/sock_test.c @@ -1,21 +1,21 @@ /* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1998-2001 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: sock_test.c,v 1.47 2001/01/09 21:41:41 bwelling Exp $ */ +/* $ISC: sock_test.c,v 1.47.12.4 2004/08/28 06:25:32 marka Exp $ */ #include <config.h> @@ -24,6 +24,7 @@ #include <unistd.h> #include <isc/mem.h> +#include <isc/print.h> #include <isc/task.h> #include <isc/socket.h> #include <isc/timer.h> @@ -82,12 +83,12 @@ my_recv(isc_task_t *task, isc_event_t *event) { dev->n, dev->result); if (dev->address.type.sa.sa_family == AF_INET6) { inet_ntop(AF_INET6, &dev->address.type.sin6.sin6_addr, - host, sizeof (host)); + host, sizeof(host)); printf("\tFrom: %s port %d\n", host, ntohs(dev->address.type.sin6.sin6_port)); } else { inet_ntop(AF_INET, &dev->address.type.sin.sin_addr, - host, sizeof (host)); + host, sizeof(host)); printf("\tFrom: %s port %d\n", host, ntohs(dev->address.type.sin.sin_port)); } @@ -111,10 +112,10 @@ my_recv(isc_task_t *task, isc_event_t *event) { region = dev->region; snprintf(buf, sizeof(buf), "\r\nReceived: %.*s\r\n\r\n", (int)dev->n, (char *)region.base); - len = strlen(buf) + 1; - region.base = isc_mem_get(mctx, len); - region.length = len; - strlcpy((char *)region.base, buf, len); + len = strlen(buf); + region.base = isc_mem_get(mctx, len + 1); + region.length = len + 1; + strlcpy((char *)region.base, buf, region.length); isc_socket_send(sock, ®ion, task, my_send, event->ev_arg); } else { region = dev->region; @@ -180,10 +181,10 @@ my_connect(isc_task_t *task, isc_event_t *event) { */ strlcpy(buf, "GET / HTTP/1.1\r\nHost: www.flame.org\r\n" "Connection: Close\r\n\r\n", sizeof(buf)); - len = strlen(buf) + 1; - region.base = isc_mem_get(mctx, len); - region.length = len; - strlcpy((char *)region.base, buf, len); + len = strlen(buf); + region.base = isc_mem_get(mctx, len + 1); + region.length = len + 1; + strlcpy((char *)region.base, buf, region.length); isc_socket_send(sock, ®ion, task, my_http_get, event->ev_arg); diff --git a/usr.sbin/bind/bin/tests/system/conf.sh.in b/usr.sbin/bind/bin/tests/system/conf.sh.in index 330da41ff4f..16f45fe587b 100644 --- a/usr.sbin/bind/bin/tests/system/conf.sh.in +++ b/usr.sbin/bind/bin/tests/system/conf.sh.in @@ -1,21 +1,21 @@ #!/bin/sh # -# Copyright (C) 2000, 2001, 2003 Internet Software Consortium. +# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2000-2003 Internet Software Consortium. # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # -# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. -# $ISC: conf.sh.in,v 1.23.2.2 2003/05/19 05:46:24 marka Exp $ +# $ISC: conf.sh.in,v 1.23.2.2.4.5 2004/03/08 04:04:32 marka Exp $ # # Common configuration data for system tests, to be sourced into @@ -37,17 +37,13 @@ RNDC=$TOP/bin/rndc/rndc NSUPDATE=$TOP/bin/nsupdate/nsupdate KEYGEN=$TOP/bin/dnssec/dnssec-keygen SIGNER=$TOP/bin/dnssec/dnssec-signzone -KEYSIGNER=$TOP/bin/dnssec/dnssec-signkey -KEYSETTOOL=$TOP/bin/dnssec/dnssec-makekeyset # The "stress" test is not run by default since it creates enough # load on the machine to make it unusable to other users. -# -# dnssec is missing from SUBDIRS as RFC 2535 support is disabled -# -SUBDIRS="cacheclean forward glue ixfr limits lwresd \ +# v6synth +SUBDIRS="cacheclean checknames dnssec forward glue ixfr limits lwresd \ masterfile notify nsupdate resolver sortlist stub tkey \ - unknown upforwd v6synth views xfer xferquota" + unknown upforwd views xfer xferquota" # PERL will be an empty string if no perl interpreter was found. PERL=@PERL@ diff --git a/usr.sbin/bind/bin/tests/system/ifconfig.sh b/usr.sbin/bind/bin/tests/system/ifconfig.sh index 3683f9a688e..dc802eabdc8 100644 --- a/usr.sbin/bind/bin/tests/system/ifconfig.sh +++ b/usr.sbin/bind/bin/tests/system/ifconfig.sh @@ -1,26 +1,44 @@ #!/bin/sh # +# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2000-2003 Internet Software Consortium. # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # -# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. -# $ISC: ifconfig.sh,v 1.35.2.8 2003/07/30 01:55:50 marka Exp $ +# $ISC: ifconfig.sh,v 1.35.2.8.2.5 2004/03/16 19:23:29 explorer Exp $ # # Set up interface aliases for bind9 system tests. # +config_guess="" +for f in ./config.guess ../../../config.guess +do + if test -f $f + then + config_guess=$f + fi +done + +if test "X$config_guess" = "X" +then + echo <<EOF >&2 +$0: must be run from the top level source directory or the +bin/tests/system directory +EOF + exit 1 +fi + # If running on hp-ux, don't even try to run config.guess. # It will try to create a temporary file in the current directory, # which fails when running as root with the current directory @@ -28,7 +46,7 @@ case `uname -a` in *HP-UX*) sys=hpux ;; - *) sys=`../../../config.guess` ;; + *) sys=`sh $config_guess` ;; esac case "$2" in @@ -39,7 +57,7 @@ esac case "$1" in start|up) - for ns in 1 2 3 4 5 + for ns in 1 2 3 4 5 6 do if test -n "$base" then @@ -54,9 +72,9 @@ case "$1" in *-sun-solaris2.[6-7]) ifconfig lo0:$int 10.53.0.$ns netmask 0xffffffff up ;; - *-*-solaris2.8) - ifconfig lo0:$int plumb - ifconfig lo0:$int 10.53.0.$ns up + *-*-solaris2.[8-9]) + /sbin/ifconfig lo0:$int plumb + /sbin/ifconfig lo0:$int 10.53.0.$ns up ;; *-*-linux*) ifconfig lo:$int 10.53.0.$ns up netmask 255.255.255.0 @@ -76,7 +94,7 @@ case "$1" in *-sgi-irix6.*) ifconfig lo0 alias 10.53.0.$ns ;; - *-*-sysv5uw[7-8]*) + *-*-sysv5uw7*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*) ifconfig lo0 10.53.0.$ns alias netmask 0xffffffff ;; *-ibm-aix4.*) @@ -99,7 +117,7 @@ case "$1" in ;; stop|down) - for ns in 5 4 3 2 1 + for ns in 6 5 4 3 2 1 do if test -n "$base" then @@ -136,7 +154,7 @@ case "$1" in *-sgi-irix6.*) ifconfig lo0 -alias 10.53.0.$ns ;; - *-*-sysv5uw[7-8]*) + *-*-sysv5uw7*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*) ifconfig lo0 -alias 10.53.0.$ns ;; *-ibm-aix4.*) diff --git a/usr.sbin/bind/bin/tests/system/lwresd/lwtest.c b/usr.sbin/bind/bin/tests/system/lwresd/lwtest.c index 75bbd0c2c3e..6c8ee2b99bc 100644 --- a/usr.sbin/bind/bin/tests/system/lwresd/lwtest.c +++ b/usr.sbin/bind/bin/tests/system/lwresd/lwtest.c @@ -1,21 +1,21 @@ /* - * Copyright (C) 2000-2003 Internet Software Consortium. + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000-2002 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $ISC: lwtest.c,v 1.22.2.4 2003/07/22 04:03:38 marka Exp $ */ +/* $ISC: lwtest.c,v 1.22.2.4.2.4 2004/03/08 04:04:37 marka Exp $ */ #include <config.h> @@ -695,11 +695,11 @@ main(void) { test_gnba("10.10.10.17", LWRES_ADDRTYPE_V4, LWRES_R_NOTFOUND, NULL); test_gnba("0123:4567:89ab:cdef:0123:4567:89ab:cdef", - LWRES_ADDRTYPE_V6, LWRES_R_SUCCESS, "nibble.example"); + LWRES_ADDRTYPE_V6, LWRES_R_SUCCESS, "ip6.int.example"); test_gnba("0123:4567:89ab:cdef:0123:4567:89ab:cde0", LWRES_ADDRTYPE_V6, LWRES_R_NOTFOUND, NULL); test_gnba("1123:4567:89ab:cdef:0123:4567:89ab:cdef", - LWRES_ADDRTYPE_V6, LWRES_R_SUCCESS, "bitstring.example"); + LWRES_ADDRTYPE_V6, LWRES_R_SUCCESS, "ip6.arpa.example"); test_gnba("1123:4567:89ab:cdef:0123:4567:89ab:cde0", LWRES_ADDRTYPE_V6, LWRES_R_NOTFOUND, NULL); @@ -728,16 +728,16 @@ main(void) { test_gethostbyaddr("10.10.10.1", AF_INET, "ipv4.example"); test_gethostbyaddr("10.10.10.17", AF_INET, NULL); test_gethostbyaddr("0123:4567:89ab:cdef:0123:4567:89ab:cdef", - AF_INET6, "nibble.example"); + AF_INET6, "ip6.int.example"); test_gethostbyaddr("1123:4567:89ab:cdef:0123:4567:89ab:cdef", - AF_INET6, "bitstring.example"); + AF_INET6, "ip6.arpa.example"); test_getipnodebyaddr("10.10.10.1", AF_INET, "ipv4.example"); test_getipnodebyaddr("10.10.10.17", AF_INET, NULL); test_getipnodebyaddr("0123:4567:89ab:cdef:0123:4567:89ab:cdef", - AF_INET6, "nibble.example"); + AF_INET6, "ip6.int.example"); test_getipnodebyaddr("1123:4567:89ab:cdef:0123:4567:89ab:cdef", - AF_INET6, "bitstring.example"); + AF_INET6, "ip6.arpa.example"); test_getaddrinfo("a.example1.", AF_INET, 1, 1, "10.0.1.1"); test_getaddrinfo("a.example1.", AF_INET, 1, 0, "10.0.1.1"); @@ -751,27 +751,18 @@ main(void) { test_getnameinfo("10.10.10.1", AF_INET, "ipv4.example"); test_getnameinfo("10.10.10.17", AF_INET, NULL); test_getnameinfo("0123:4567:89ab:cdef:0123:4567:89ab:cdef", - AF_INET6, "nibble.example"); + AF_INET6, "ip6.int.example"); test_getnameinfo("1123:4567:89ab:cdef:0123:4567:89ab:cdef", - AF_INET6, "bitstring.example"); + AF_INET6, "ip6.arpa.example"); test_getnameinfo("1122:3344:5566:7788:99aa:bbcc:ddee:ff00", AF_INET6, "dname.example1"); -#ifdef ISC_RFC_2535 test_getrrsetbyname("a", 1, 1, 1, 0, 1); test_getrrsetbyname("a.example1.", 1, 1, 1, 0, 1); test_getrrsetbyname("e.example1.", 1, 1, 1, 1, 1); test_getrrsetbyname("e.example1.", 1, 255, 1, 1, 0); - test_getrrsetbyname("e.example1.", 1, 24, 1, 0, 1); + test_getrrsetbyname("e.example1.", 1, 46, 1, 0, 1); test_getrrsetbyname("", 1, 1, 0, 0, 0); -#else - test_getrrsetbyname("a", 1, 1, 1, 0, 1); - test_getrrsetbyname("a.example1.", 1, 1, 1, 0, 1); - test_getrrsetbyname("e.example1.", 1, 1, 1, 0, 1); - test_getrrsetbyname("e.example1.", 1, 255, 1, 0, 0); - /* test_getrrsetbyname("e.example1.", 1, 24, 1, 0, 1); */ - test_getrrsetbyname("", 1, 1, 0, 0, 0); -#endif if (fails == 0) printf("I:ok\n"); |