Diffstat (limited to 'bin')
52 files changed, 954 insertions, 440 deletions
diff --git a/bin/Makefile.in b/bin/Makefile.in
index 89b4673edd35..897c0f37ebb7 100644
--- a/bin/Makefile.in
+++ b/bin/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009, 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2001 Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -19,7 +19,7 @@ srcdir = @srcdir@
 VPATH = @srcdir@
 top_srcdir = @top_srcdir@
-SUBDIRS = named rndc dig dnssec tests tools nsupdate \
+SUBDIRS = named rndc dig dnssec tools tests nsupdate \
 check confgen @PKCS11_TOOLS@
 TARGETS =
diff --git a/bin/check/check-tool.c b/bin/check/check-tool.c
index 2bf16a686c55..46cf2bf48a53 100644
--- a/bin/check/check-tool.c
+++ b/bin/check/check-tool.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010, 2012 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2000-2002 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@@ -196,6 +196,10 @@ checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
 a->type == dns_rdatatype_a);
 REQUIRE(aaaa == NULL || !dns_rdataset_isassociated(aaaa) ||
 aaaa->type == dns_rdatatype_aaaa);
+
+ if (a == NULL || aaaa == NULL)
+ return (answer);
+
 memset(&hints, 0, sizeof(hints));
 hints.ai_flags = AI_CANONNAME;
 hints.ai_family = PF_UNSPEC;
@@ -258,8 +262,7 @@ checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
 }
 return (ISC_TRUE);
 }
- if (a == NULL || aaaa == NULL)
- return (answer);
+
 /*
 * Check that all glue records really exist.
 */
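Review bot: In the check-tool.c hunks, the NULL guard moved to just after the REQUIRE() checks now returns before the getaddrinfo() lookup whose hints are set up on the following lines, whereas before a NULL `a` or `aaaa` only skipped the glue comparison at the end of checkns(). If that is intended (the lookup is only useful when there is glue to compare against), a one-line comment at the new return would save the next reader from re-deriving it, e.g. `/* Without both address rdatasets there is no glue to check, so skip the lookup entirely. */`. The middle of checkns() is outside the hunks, so I can't confirm that nothing in between relied on running with a NULL rdataset.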
@@ -597,7 +600,7 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
 dns_zone_settype(zone, dns_zone_master);
- isc_buffer_init(&buffer, zonename, strlen(zonename));
+ isc_buffer_constinit(&buffer, zonename, strlen(zonename));
 isc_buffer_add(&buffer, strlen(zonename));
 dns_fixedname_init(&fixorigin);
 origin = dns_fixedname_name(&fixorigin);
diff --git a/bin/check/named-checkconf.c b/bin/check/named-checkconf.c
index a342dd9fbd9a..ef754ff29af9 100644
--- a/bin/check/named-checkconf.c
+++ b/bin/check/named-checkconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009-2011 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009-2013 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2002 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@@ -295,6 +295,18 @@ configure_zone(const char *vclass, const char *view,
 }
 obj = NULL;
+ if (get_maps(maps, "check-spf", &obj)) {
+ if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+ zone_options |= DNS_ZONEOPT_CHECKSPF;
+ } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+ zone_options &= ~DNS_ZONEOPT_CHECKSPF;
+ } else
+ INSIST(0);
+ } else {
+ zone_options |= DNS_ZONEOPT_CHECKSPF;
+ }
+
+ obj = NULL;
 if (get_checknames(maps, &obj)) {
 if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
 zone_options |= DNS_ZONEOPT_CHECKNAMES;
@@ -471,6 +483,7 @@ main(int argc, char **argv) {
 if (isc_commandline_option != '?')
 fprintf(stderr, "%s: invalid argument -%c\n",
 program, isc_commandline_option);
+ /* FALLTHROUGH */
 case 'h':
 usage();
diff --git a/bin/check/named-checkzone.8 b/bin/check/named-checkzone.8
index 92c8bdcffcf1..b7b8a4c54672 100644
--- a/bin/check/named-checkzone.8
+++ b/bin/check/named-checkzone.8
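Review bot: In the new check-spf block of configure_zone() in named-checkconf.c, `} else INSIST(0);` is the only unbraced branch in an otherwise fully braced if/else chain; writing it as `} else {` / `INSIST(0);` / `}` keeps the shape uniform with the branches above it and with the check-names block that follows. The INSIST is only safe because the config parser restricts check-spf to warn/ignore, and that dependency is invisible here; a short comment such as `/* parser guarantees warn|ignore */` on the INSIST line makes it explicit. configure_zone() starts and ends outside the hunk.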
@@ -1,4 +1,4 @@ -.\" Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004-2007, 2009, 2010, 2013 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000-2002 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and/or distribute this software for any 
@@ -33,9 +33,9 @@ named\-checkzone, named\-compilezone \- zone file validity checking or converting tool .SH "SYNOPSIS" .HP 16 -\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} (unknown) +\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-T\ \fR\fB\fImode\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} (unknown) .HP 18 -\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {\fB\-o\ \fR\fB\fIfilename\fR\fR} {zonename} (unknown) +\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] 
[\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-T\ \fR\fB\fImode\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {\fB\-o\ \fR\fB\fIfilename\fR\fR} {zonename} (unknown) .SH "DESCRIPTION" .PP \fBnamed\-checkzone\fR @@ -236,6 +236,14 @@ Chroot to so that include directives in the configuration file are processed as if run by a similarly chrooted named. .RE .PP +\-T \fImode\fR +.RS 4 +Check if Sender Policy Framework records (TXT and SPF) both exist or both don't exist. A warning is issued if they don't match. Possible modes are +\fB"warn"\fR +(default), +\fB"ignore"\fR. +.RE +.PP \-w \fIdirectory\fR .RS 4 chdir to @@ -281,7 +289,7 @@ BIND 9 Administrator Reference Manual. .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2004\-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004\-2007, 2009, 2010, 2013 Internet Systems Consortium, Inc. ("ISC") .br Copyright \(co 2000\-2002 Internet Software Consortium. .br diff --git a/bin/check/named-checkzone.c b/bin/check/named-checkzone.c index 11491b580862..fdc3ddc2caab 100644 --- a/bin/check/named-checkzone.c +++ b/bin/check/named-checkzone.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any 
@@ -145,19 +145,21 @@ main(int argc, char **argv) {
 if (progmode == progmode_compile) {
 zone_options |= (DNS_ZONEOPT_CHECKNS |
 DNS_ZONEOPT_FATALNS |
+ DNS_ZONEOPT_CHECKSPF |
 DNS_ZONEOPT_CHECKDUPRR |
 DNS_ZONEOPT_CHECKNAMES |
 DNS_ZONEOPT_CHECKNAMESFAIL |
 DNS_ZONEOPT_CHECKWILDCARD);
 } else
- zone_options |= DNS_ZONEOPT_CHECKDUPRR;
+ zone_options |= (DNS_ZONEOPT_CHECKDUPRR |
+ DNS_ZONEOPT_CHECKSPF);
 #define ARGCMP(X) (strcmp(isc_commandline_argument, X) == 0)
 isc_commandline_errprint = ISC_FALSE;
 while ((c = isc_commandline_parse(argc, argv,
- "c:df:hi:jk:m:n:qr:s:t:o:vw:DF:M:S:W:"))
+ "c:df:hi:jk:m:n:qr:s:t:o:vw:DF:M:S:T:W:"))
 != EOF) {
 switch (c) {
 case 'c':
@@ -363,6 +365,18 @@ main(int argc, char **argv) {
 }
 break;
+ case 'T':
+ if (ARGCMP("warn")) {
+ zone_options |= DNS_ZONEOPT_CHECKSPF;
+ } else if (ARGCMP("ignore")) {
+ zone_options &= ~DNS_ZONEOPT_CHECKSPF;
+ } else {
+ fprintf(stderr, "invalid argument to -T: %s\n",
+ isc_commandline_argument);
+ exit(1);
+ }
+ break;
+
 case 'W':
 if (ARGCMP("warn"))
 zone_options |= DNS_ZONEOPT_CHECKWILDCARD;
@@ -374,6 +388,7 @@ main(int argc, char **argv) {
 if (isc_commandline_option != '?')
 fprintf(stderr, "%s: invalid argument -%c\n",
 prog_name, isc_commandline_option);
+ /* FALLTHROUGH */
 case 'h':
 usage();
diff --git a/bin/check/named-checkzone.docbook b/bin/check/named-checkzone.docbook
index 33dc15e47095..c25dd1eaf2e2 100644
--- a/bin/check/named-checkzone.docbook
+++ b/bin/check/named-checkzone.docbook
@@ -2,7 +2,7 @@
 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 [<!ENTITY mdash "—">]>
 <!--
- - Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007, 2009, 2010, 2013 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2002 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
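Review bot: The new `case 'T':` in named-checkzone.c reports a bad mode with `fprintf(stderr, "invalid argument to -T: %s\n", ...)` while the `'?'` case of the same switch prefixes its message with `prog_name`; using `"%s: invalid argument to -T: %s\n", prog_name, isc_commandline_argument` keeps the tool's diagnostics consistently attributable. The option string gains `T:`, but no change to usage() appears in the visible hunks, so confirm the usage text lists `-T mode` the way the man page hunk does. main() continues outside the hunk.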
@@ -38,6 +38,7 @@ <year>2007</year> <year>2009</year> <year>2010</year> + <year>2013</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> <copyright> @@ -75,6 +76,7 @@ <arg><option>-s <replaceable class="parameter">style</replaceable></option></arg> <arg><option>-S <replaceable class="parameter">mode</replaceable></option></arg> <arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg> + <arg><option>-T <replaceable class="parameter">mode</replaceable></option></arg> <arg><option>-w <replaceable class="parameter">directory</replaceable></option></arg> <arg><option>-D</option></arg> <arg><option>-W <replaceable class="parameter">mode</replaceable></option></arg> @@ -98,6 +100,7 @@ <arg><option>-r <replaceable class="parameter">mode</replaceable></option></arg> <arg><option>-s <replaceable class="parameter">style</replaceable></option></arg> <arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg> + <arg><option>-T <replaceable class="parameter">mode</replaceable></option></arg> <arg><option>-w <replaceable class="parameter">directory</replaceable></option></arg> <arg><option>-D</option></arg> <arg><option>-W <replaceable class="parameter">mode</replaceable></option></arg> @@ -380,6 +383,18 @@ </varlistentry> <varlistentry> + <term>-T <replaceable class="parameter">mode</replaceable></term> + <listitem> + <para> + Check if Sender Policy Framework records (TXT and SPF) + both exist or both don't exist. A warning is issued + if they don't match. Possible modes are + <command>"warn"</command> (default), <command>"ignore"</command>. + </para> + </listitem> + </varlistentry> + + <varlistentry> <term>-w <replaceable class="parameter">directory</replaceable></term> <listitem> <para> diff --git a/bin/check/named-checkzone.html b/bin/check/named-checkzone.html index 2be53a7b3498..ab9c8efc50da 100644 --- a/bin/check/named-checkzone.html +++ b/bin/check/named-checkzone.html 
@@ -1,5 +1,5 @@ <!-- - - Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2007, 2009, 2010, 2013 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2002 Internet Software Consortium. - - Permission to use, copy, modify, and/or distribute this software for any 
@@ -29,11 +29,11 @@ </div> <div class="refsynopsisdiv"> <h2>Synopsis</h2> -<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} (unknown)</p></div> -<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em 
class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} (unknown)</p></div> +<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code 
class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} (unknown)</p></div> +<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em 
class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} (unknown)</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2543696"></a><h2>DESCRIPTION</h2> +<a name="id2543716"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">named-checkzone</strong></span> checks the syntax and integrity of a zone file. It performs the same checks as <span><strong class="command">named</strong></span> does when loading a @@ -53,7 +53,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2543731"></a><h2>OPTIONS</h2> +<a name="id2543751"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-d</span></dt> <dd><p> @@ -214,6 +214,13 @@ directives in the configuration file are processed as if run by a similarly chrooted named. </p></dd> +<dt><span class="term">-T <em class="replaceable"><code>mode</code></em></span></dt> +<dd><p> + Check if Sender Policy Framework records (TXT and SPF) + both exist or both don't exist. A warning is issued + if they don't match. Possible modes are + <span><strong class="command">"warn"</strong></span> (default), <span><strong class="command">"ignore"</strong></span>. + </p></dd> <dt><span class="term">-w <em class="replaceable"><code>directory</code></em></span></dt> <dd><p> chdir to <code class="filename">directory</code> so that 
@@ -247,14 +254,14 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2544446"></a><h2>RETURN VALUES</h2> +<a name="id2544422"></a><h2>RETURN VALUES</h2> <p><span><strong class="command">named-checkzone</strong></span> returns an exit status of 1 if errors were detected and 0 otherwise. </p> </div> <div class="refsect1" lang="en"> -<a name="id2544458"></a><h2>SEE ALSO</h2> +<a name="id2544434"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>, <em class="citetitle">RFC 1035</em>, @@ -262,7 +269,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2544491"></a><h2>AUTHOR</h2> +<a name="id2544603"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c index a5db317700d8..d0cdafed364b 100644 --- a/bin/confgen/keygen.c +++ b/bin/confgen/keygen.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2009, 2012, 2013 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -126,13 +126,17 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg, switch (alg) { case DST_ALG_HMACMD5: + case DST_ALG_HMACSHA1: + case DST_ALG_HMACSHA224: + case DST_ALG_HMACSHA256: if (keysize < 1 || keysize > 512) fatal("keysize %d out of range (must be 1-512)\n", keysize); break; - case DST_ALG_HMACSHA256: - if (keysize < 1 || keysize > 256) - fatal("keysize %d out of range (must be 1-256)\n", + case DST_ALG_HMACSHA384: + case DST_ALG_HMACSHA512: + if (keysize < 1 || keysize > 1024) + fatal("keysize %d out of range (must be 1-1024)\n", keysize); break; default: 
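Review bot: The lower bound of both new range checks in generate_key() in keygen.c is still 1 bit, so a keysize such as 8 is accepted for HMAC-SHA512 and the resulting key is far weaker than the algorithm name suggests; RFC 2104 recommends an HMAC key at least as long as the digest output. Raising the floor would change what rndc-confgen accepts, so if it stays a comment should say so, e.g. `/* The 1-bit floor is kept for compatibility; keys shorter than the digest length give less than the algorithm's nominal strength (RFC 2104). */`. The 512 and 1024 ceilings appear to follow the HMAC block size of each hash family, which the same comment could state so the two groups don't read as arbitrary. The rest of generate_key(), including where keysize is consumed, is outside the hunk.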
diff --git a/bin/confgen/rndc-confgen.c b/bin/confgen/rndc-confgen.c index 1ad14a99aa15..49119ce7adf9 100644 --- a/bin/confgen/rndc-confgen.c +++ b/bin/confgen/rndc-confgen.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007-2009, 2011 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007-2009, 2011, 2013 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001, 2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -140,8 +140,6 @@ main(int argc, char **argv) { keysize = strtol(isc_commandline_argument, &p, 10); if (*p != '\0' || keysize < 0) fatal("-b requires a non-negative number"); - if (keysize < 1 || keysize > 512) - fatal("-b must be in the range 1 through 512"); break; case 'c': keyfile = isc_commandline_argument; diff --git a/bin/dig/dig.1 b/bin/dig/dig.1 index 6e3bfb6c0c6e..6d8688e95e2c 100644 --- a/bin/dig/dig.1 +++ b/bin/dig/dig.1 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004-2010, 2013 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000-2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and/or distribute this software for any @@ -57,7 +57,9 @@ allows multiple lookups to be issued from the command line. Unless it is told to query a specific name server, \fBdig\fR will try each of the servers listed in -\fI/etc/resolv.conf\fR. +\fI/etc/resolv.conf\fR. If no usable server addreses are found, +\fBdig\fR +will send the query to the local host. .PP When no command line arguments or options are given, \fBdig\fR 
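Review bot: With the fixed 1..512 check removed from the `-b` case in rndc-confgen.c, the only local validation left is `keysize < 0`, so `-b 0` now passes main() and has to be caught by generate_key()'s per-algorithm check in keygen.c; that is the right place for algorithm-specific limits, but the local message `-b requires a non-negative number` then under-describes what is accepted. If 0 was never a meaningful size, `if (*p != '\0' || keysize < 1) fatal("-b requires a positive number");` rejects it with a clearer message at the point of parsing. The usage text and man page for `-b` are not in the visible hunks, so confirm they no longer state a fixed 1-512 range. main() continues outside the hunk.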
@@ -95,13 +97,20 @@ is the name or IP address of the name server to query. This can be an IPv4 addre \fIserver\fR argument is a hostname, \fBdig\fR -resolves that name before querying that name server. If no +resolves that name before querying that name server. +.sp +If no \fIserver\fR argument is provided, \fBdig\fR consults -\fI/etc/resolv.conf\fR -and queries the name servers listed there. The reply from the name server that responds is displayed. +\fI/etc/resolv.conf\fR; if an address is found there, it queries the name server at that address. If either of the +\fB\-4\fR +or +\fB\-6\fR +options are in use, then only addresses for the corresponding transport will be tried. If no usable addresses are found, +\fBdig\fR +will send the query to the local host. The reply from the name server that responds is displayed. .RE .PP \fBname\fR @@ -567,7 +576,7 @@ RFC1035. .PP There are probably too many query options. .SH "COPYRIGHT" -Copyright \(co 2004\-2010 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004\-2010, 2013 Internet Systems Consortium, Inc. ("ISC") .br Copyright \(co 2000\-2003 Internet Software Consortium. .br diff --git a/bin/dig/dig.c b/bin/dig/dig.c index 5e5ec0fa48d4..ce9ccdeee302 100644 --- a/bin/dig/dig.c +++ b/bin/dig/dig.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -186,7 +186,7 @@ help(void) { " +domain=### (Set default domainname)\n" " +bufsize=### (Set EDNS0 Max UDP packet size)\n" " +ndots=### (Set NDOTS value)\n" -" +edns=### (Set EDNS version)\n" +" +[no]edns[=###] (Set EDNS version) [0]\n" " +[no]search (Set whether to use searchlist)\n" " +[no]showsearch (Search with intermediate results)\n" " +[no]defname (Ditto)\n" 
@@ -240,6 +240,8 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 isc_uint64_t diff;
 isc_time_t now;
 time_t tnow;
+ struct tm tmnow;
+ char time_str[100];
 char fromtext[ISC_SOCKADDR_FORMATSIZE];
 isc_sockaddr_format(from, fromtext, sizeof(fromtext));
@@ -251,7 +253,10 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 printf(";; Query time: %ld msec\n", (long int)diff/1000);
 printf(";; SERVER: %s(%s)\n", fromtext, query->servname);
 time(&tnow);
- printf(";; WHEN: %s", ctime(&tnow));
+ tmnow = *localtime(&tnow);
+ if (strftime(time_str, sizeof(time_str),
+ "%a %b %d %H:%M:%S %Z %Y", &tmnow) > 0U)
+ printf(";; WHEN: %s\n", time_str);
 if (query->lookup->doing_xfr) {
 printf(";; XFR size: %u records (messages %u, "
 "bytes %" ISC_PRINT_QUADFORMAT "u)\n",
@@ -259,7 +264,6 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 query->byte_count);
 } else {
 printf(";; MSG SIZE rcvd: %u\n", bytes);
-
 }
 if (key != NULL) {
 if (!validated)
@@ -276,7 +280,7 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 "from %s(%s) in %d ms\n\n",
 query->lookup->doing_xfr ?
 query->byte_count : (isc_uint64_t)bytes,
- fromtext, query->servname,
+ fromtext, query->userarg,
 (int)diff/1000);
 }
 }
@@ -525,6 +529,13 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 printf(";; WARNING: recursion requested "
 "but not available\n");
 }
+ if (msg != query->lookup->sendmsg &&
+ query->lookup->edns != -1 && msg->opt == NULL &&
+ (msg->rcode == dns_rcode_formerr ||
+ msg->rcode == dns_rcode_notimp))
+ printf("\n;; WARNING: EDNS query returned status "
+ "%s - retry with '+noedns'\n",
+ rcode_totext(msg->rcode));
 if (msg != query->lookup->sendmsg && extrabytes != 0U)
 printf(";; WARNING: Messages has %u extra byte%s at "
 "end\n", extrabytes, extrabytes != 0 ? "s" : "");
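Review bot: `tmnow = *localtime(&tnow);` in received() dereferences the result of localtime() without checking it; localtime() returns NULL when the conversion fails, and a crash while merely printing the ";; WHEN:" line is a poor trade for a timestamp. Copying out of localtime()'s static buffer is the right idea, so only the check is missing: `struct tm *tp = localtime(&tnow);` / `if (tp != NULL && strftime(time_str, sizeof(time_str), "%a %b %d %H:%M:%S %Z %Y", tp) > 0U)` / `printf(";; WHEN: %s\n", time_str);` (or localtime_r where the portability layer provides it). Dropping the trailing blank line inside the else branch leaves the braces balanced as far as the visible lines show. received() continues outside the hunk.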
@@ -855,8 +866,10 @@ plus_option(char *option, isc_boolean_t is_batchfile, lookup->edns = -1; break; } - if (value == NULL) - goto need_value; + if (value == NULL) { + lookup->edns = 0; + break; + } result = parse_uint(&num, value, 255, "edns"); if (result != ISC_R_SUCCESS) fatal("Couldn't parse edns"); diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook index d64d038b500d..1285c437dabf 100644 --- a/bin/dig/dig.docbook +++ b/bin/dig/dig.docbook @@ -2,7 +2,7 @@ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2010, 2013 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2003 Internet Software Consortium. - - Permission to use, copy, modify, and/or distribute this software for any @@ -45,6 +45,7 @@ <year>2008</year> <year>2009</year> <year>2010</year> + <year>2013</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> <copyright> @@ -116,9 +117,10 @@ <para> Unless it is told to query a specific name server, - <command>dig</command> will try each of the servers listed - in - <filename>/etc/resolv.conf</filename>. + <command>dig</command> will try each of the servers listed in + <filename>/etc/resolv.conf</filename>. If no usable server addreses + are found, <command>dig</command> will send the query to the local + host. </para> <para> 
@@ -157,20 +159,25 @@ <term><constant>server</constant></term> <listitem> <para> - is the name or IP address of the name server to query. This can - be an IPv4 - address in dotted-decimal notation or an IPv6 + is the name or IP address of the name server to query. This + can be an IPv4 address in dotted-decimal notation or an IPv6 address in colon-delimited notation. When the supplied - <parameter>server</parameter> argument is a - hostname, - <command>dig</command> resolves that name before - querying that name - server. If no <parameter>server</parameter> - argument is provided, - <command>dig</command> consults <filename>/etc/resolv.conf</filename> - and queries the name servers listed there. The reply from the - name - server that responds is displayed. + <parameter>server</parameter> argument is a hostname, + <command>dig</command> resolves that name before querying + that name server. + </para> + <para> + If no <parameter>server</parameter> argument is + provided, <command>dig</command> consults + <filename>/etc/resolv.conf</filename>; if an + address is found there, it queries the name server at + that address. If either of the <option>-4</option> or + <option>-6</option> options are in use, then + only addresses for the corresponding transport + will be tried. If no usable addresses are found, + <command>dig</command> will send the query to the + local host. The reply from the name server that + responds is displayed. </para> </listitem> </varlistentry> diff --git a/bin/dig/dig.html b/bin/dig/dig.html index ceef3fa8d988..a1cd5cf52daf 100644 --- a/bin/dig/dig.html +++ b/bin/dig/dig.html @@ -1,5 +1,5 @@ <!-- - - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2010, 2013 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2003 Internet Software Consortium. - - Permission to use, copy, modify, and/or distribute this software for any 
@@ -34,7 +34,7 @@ <div class="cmdsynopsis"><p><code class="command">dig</code> [global-queryopt...] [query...]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2543524"></a><h2>DESCRIPTION</h2> +<a name="id2543527"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">dig</strong></span> (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -57,9 +57,10 @@ </p> <p> Unless it is told to query a specific name server, - <span><strong class="command">dig</strong></span> will try each of the servers listed - in - <code class="filename">/etc/resolv.conf</code>. + <span><strong class="command">dig</strong></span> will try each of the servers listed in + <code class="filename">/etc/resolv.conf</code>. If no usable server addreses + are found, <span><strong class="command">dig</strong></span> will send the query to the local + host. </p> <p> When no command line arguments or options are given, @@ -80,7 +81,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2543597"></a><h2>SIMPLE USAGE</h2> +<a name="id2543606"></a><h2>SIMPLE USAGE</h2> <p> A typical invocation of <span><strong class="command">dig</strong></span> looks like: </p> 
@@ -91,22 +92,29 @@ </p> <div class="variablelist"><dl> <dt><span class="term"><code class="constant">server</code></span></dt> -<dd><p> - is the name or IP address of the name server to query. This can - be an IPv4 - address in dotted-decimal notation or an IPv6 +<dd> +<p> + is the name or IP address of the name server to query. This + can be an IPv4 address in dotted-decimal notation or an IPv6 address in colon-delimited notation. When the supplied - <em class="parameter"><code>server</code></em> argument is a - hostname, - <span><strong class="command">dig</strong></span> resolves that name before - querying that name - server. If no <em class="parameter"><code>server</code></em> - argument is provided, - <span><strong class="command">dig</strong></span> consults <code class="filename">/etc/resolv.conf</code> - and queries the name servers listed there. The reply from the - name - server that responds is displayed. - </p></dd> + <em class="parameter"><code>server</code></em> argument is a hostname, + <span><strong class="command">dig</strong></span> resolves that name before querying + that name server. + </p> +<p> + If no <em class="parameter"><code>server</code></em> argument is + provided, <span><strong class="command">dig</strong></span> consults + <code class="filename">/etc/resolv.conf</code>; if an + address is found there, it queries the name server at + that address. If either of the <code class="option">-4</code> or + <code class="option">-6</code> options are in use, then + only addresses for the corresponding transport + will be tried. If no usable addresses are found, + <span><strong class="command">dig</strong></span> will send the query to the + local host. The reply from the name server that + responds is displayed. + </p> +</dd> <dt><span class="term"><code class="constant">name</code></span></dt> <dd><p> is the name of the resource record that is to be looked up. 
@@ -126,7 +134,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2543688"></a><h2>OPTIONS</h2> +<a name="id2543709"></a><h2>OPTIONS</h2> <p> The <code class="option">-b</code> option sets the source IP address of the query to <em class="parameter"><code>address</code></em>. This must be a valid @@ -230,7 +238,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2544037"></a><h2>QUERY OPTIONS</h2> +<a name="id2544058"></a><h2>QUERY OPTIONS</h2> <p><span><strong class="command">dig</strong></span> provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -561,7 +569,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2545186"></a><h2>MULTIPLE QUERIES</h2> +<a name="id2545207"></a><h2>MULTIPLE QUERIES</h2> <p> The BIND 9 implementation of <span><strong class="command">dig </strong></span> supports @@ -607,7 +615,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr </p> </div> <div class="refsect1" lang="en"> -<a name="id2545248"></a><h2>IDN SUPPORT</h2> +<a name="id2545337"></a><h2>IDN SUPPORT</h2> <p> If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -621,14 +629,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr </p> </div> <div class="refsect1" lang="en"> -<a name="id2545338"></a><h2>FILES</h2> +<a name="id2545360"></a><h2>FILES</h2> <p><code class="filename">/etc/resolv.conf</code> </p> <p><code class="filename">${HOME}/.digrc</code> </p> </div> <div class="refsect1" lang="en"> -<a name="id2545355"></a><h2>SEE ALSO</h2> +<a name="id2545377"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>, <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, 
@@ -636,7 +644,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr </p> </div> <div class="refsect1" lang="en"> -<a name="id2545393"></a><h2>BUGS</h2> +<a name="id2545414"></a><h2>BUGS</h2> <p> There are probably too many query options. </p> diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c index 9695de0dbc4c..8ea7d8ec0366 100644 --- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -794,6 +794,7 @@ make_empty_lookup(void) { dns_fixedname_init(&looknew->fdomain); ISC_LINK_INIT(looknew, link); ISC_LIST_INIT(looknew->q); + ISC_LIST_INIT(looknew->connecting); ISC_LIST_INIT(looknew->my_server_list); return (looknew); } @@ -815,11 +816,11 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) { looknew = make_empty_lookup(); INSIST(looknew != NULL); - strncpy(looknew->textname, lookold->textname, MXNAME); + strlcpy(looknew->textname, lookold->textname, MXNAME); #if DIG_SIGCHASE_TD - strncpy(looknew->textnamesigchase, lookold->textnamesigchase, MXNAME); + strlcpy(looknew->textnamesigchase, lookold->textnamesigchase, MXNAME); #endif - strncpy(looknew->cmdline, lookold->cmdline, MXNAME); + strlcpy(looknew->cmdline, lookold->cmdline, MXNAME); looknew->textname[MXNAME-1] = 0; looknew->rdtype = lookold->rdtype; looknew->qrdtype = lookold->qrdtype; @@ -998,7 +999,7 @@ parse_hmac(const char *hmac) { len = strlen(hmac); if (len >= (int) sizeof(buf)) fatal("unknown key type '%.*s'", len, hmac); - strncpy(buf, hmac, sizeof(buf)); + strlcpy(buf, hmac, sizeof(buf)); digestbits = 0; 
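Review bot: `looknew->textname[MXNAME-1] = 0;` right after the three new strlcpy calls in clone_lookup is now dead code: strlcpy always NUL-terminates when its size argument is non-zero, so the manual terminator only documents the old strncpy behaviour and can be dropped. The same leftover terminator follows the strlcpy in make_searchlist_entry in the next hunk of this file. clone_lookup's body continues outside the hunk.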
@@ -1080,8 +1081,8 @@ read_confkey(void) { secretstr = cfg_obj_asstring(secretobj); algorithm = cfg_obj_asstring(algorithmobj); - strncpy(keynametext, keyname, sizeof(keynametext)); - strncpy(keysecret, secretstr, sizeof(keysecret)); + strlcpy(keynametext, keyname, sizeof(keynametext)); + strlcpy(keysecret, secretstr, sizeof(keysecret)); parse_hmac(algorithm); setup_text_key(); @@ -1164,7 +1165,7 @@ make_searchlist_entry(char *domain) { if (search == NULL) fatal("memory allocation failure in %s:%d", __FILE__, __LINE__); - strncpy(search->origin, domain, MXNAME); + strlcpy(search->origin, domain, MXNAME); search->origin[MXNAME-1] = 0; ISC_LINK_INIT(search, link); return (search); @@ -1473,7 +1474,10 @@ clear_query(dig_query_t *query) { if (lookup->current_query == query) lookup->current_query = NULL; - ISC_LIST_UNLINK(lookup->q, query, link); + if (ISC_LINK_LINKED(query, link)) + ISC_LIST_UNLINK(lookup->q, query, link); + if (ISC_LINK_LINKED(query, clink)) + ISC_LIST_UNLINK(lookup->connecting, query, clink); if (ISC_LINK_LINKED(&query->recvbuf, link)) ISC_LIST_DEQUEUE(query->recvlist, &query->recvbuf, link); @@ -1481,6 +1485,7 @@ clear_query(dig_query_t *query) { ISC_LIST_DEQUEUE(query->lengthlist, &query->lengthbuf, link); INSIST(query->recvspace != NULL); + if (query->sock != NULL) { isc_socket_detach(&query->sock); sockcount--; @@ -1508,13 +1513,22 @@ try_clear_lookup(dig_lookup_t *lookup) { debug("try_clear_lookup(%p)", lookup); - if (ISC_LIST_HEAD(lookup->q) != NULL) { + if (ISC_LIST_HEAD(lookup->q) != NULL || + ISC_LIST_HEAD(lookup->connecting) != NULL) + { if (debugging) { q = ISC_LIST_HEAD(lookup->q); while (q != NULL) { debug("query to %s still pending", q->servname); q = ISC_LIST_NEXT(q, link); } + + q = ISC_LIST_HEAD(lookup->connecting); + while (q != NULL) { + debug("query to %s still connecting", + q->servname); + q = ISC_LIST_NEXT(q, clink); + } } return (ISC_FALSE); } 
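Review bot: The new `strlcpy(keysecret, secretstr, sizeof(keysecret));` silently truncates a TSIG secret that does not fit, and the truncated secret is then handed to setup_text_key(), so an over-long secret yields a key that never validates rather than an error. parse_hmac() in this file refuses over-long input with fatal(); the same check belongs here, e.g. `if (strlcpy(keysecret, secretstr, sizeof(keysecret)) >= sizeof(keysecret)) fatal("key secret too long");`, and likewise for keynametext. The previous strncpy had the same truncation (plus a missing terminator), so this is a pre-existing gap the commit does not close. read_confkey's body starts and ends outside the hunk.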
@@ -1642,7 +1656,7 @@ start_lookup(void) { = current_lookup->rdclassset; current_lookup->rdclass = dns_rdataclass_in; - strncpy(current_lookup->textnamesigchase, + strlcpy(current_lookup->textnamesigchase, current_lookup->textname, MXNAME); current_lookup->trace_root_sigchase = ISC_TRUE; @@ -1654,7 +1668,7 @@ start_lookup(void) { check_result(result, "dns_name_totext"); isc_buffer_usedregion(b, &r); r.base[r.length] = '\0'; - strncpy(current_lookup->textname, (char*)r.base, + strlcpy(current_lookup->textname, (char*)r.base, MXNAME); isc_buffer_free(&b); @@ -2290,7 +2304,6 @@ setup_lookup(dig_lookup_t *lookup) { query->rr_count = 0; query->msg_count = 0; query->byte_count = 0; - ISC_LINK_INIT(query, link); ISC_LIST_INIT(query->recvlist); ISC_LIST_INIT(query->lengthlist); query->sock = NULL; @@ -2303,6 +2316,7 @@ setup_lookup(dig_lookup_t *lookup) { isc_buffer_init(&query->slbuf, query->slspace, 2); query->sendbuf = lookup->renderbuf; + ISC_LINK_INIT(query, clink); ISC_LINK_INIT(query, link); ISC_LIST_ENQUEUE(lookup->q, query, link); } @@ -2424,6 +2438,7 @@ static void force_timeout(dig_lookup_t *l, dig_query_t *query) { isc_event_t *event; + debug("force_timeout ()"); event = isc_event_allocate(mctx, query, ISC_TIMEREVENT_IDLE, connect_timeout, l, sizeof(isc_event_t)); @@ -2491,6 +2506,7 @@ send_tcp_connect(dig_query_t *query) { send_tcp_connect(next); return; } + INSIST(query->sock == NULL); result = isc_socket_create(socketmgr, isc_sockaddr_pf(&query->sockaddr), @@ -2521,6 +2537,9 @@ send_tcp_connect(dig_query_t *query) { if (l->ns_search_only && !l->trace_root) { debug("sending next, since searching"); next = ISC_LIST_NEXT(query, link); + if (ISC_LINK_LINKED(query, link)) + ISC_LIST_DEQUEUE(l->q, query, link); + ISC_LIST_ENQUEUE(l->connecting, query, clink); if (next != NULL) send_tcp_connect(next); } 
@@ -2601,7 +2620,7 @@ send_udp(dig_query_t *query) { static void connect_timeout(isc_task_t *task, isc_event_t *event) { dig_lookup_t *l = NULL; - dig_query_t *query = NULL, *cq; + dig_query_t *query = NULL, *next, *cq; UNUSED(task); REQUIRE(event->ev_type == ISC_TIMEREVENT_IDLE); @@ -2625,7 +2644,9 @@ connect_timeout(isc_task_t *task, isc_event_t *event) { if (query->sock != NULL) isc_socket_cancel(query->sock, NULL, ISC_SOCKCANCEL_ALL); - send_tcp_connect(ISC_LIST_NEXT(cq, link)); + next = ISC_LIST_NEXT(cq, link); + if (next != NULL) + send_tcp_connect(next); } UNLOCK_LOOKUP; return; @@ -2868,9 +2889,8 @@ connect_done(isc_task_t *task, isc_event_t *event) { if (next != NULL) { bringup_timer(next, TCP_TIMEOUT); send_tcp_connect(next); - } else { + } else check_next_lookup(l); - } UNLOCK_LOOKUP; return; } @@ -3427,6 +3447,7 @@ recv_done(isc_task_t *task, isc_event_t *event) { if (n == 0) docancel = ISC_TRUE; l->trace_root = ISC_FALSE; + usesearch = ISC_FALSE; } else #ifdef DIG_SIGCHASE if (!do_sigchase) @@ -3603,15 +3624,19 @@ getaddresses(dig_lookup_t *lookup, const char *host, isc_result_t *resultp) { */ void do_lookup(dig_lookup_t *lookup) { + dig_query_t *query; REQUIRE(lookup != NULL); debug("do_lookup()"); lookup->pending = ISC_TRUE; - if (lookup->tcp_mode) - send_tcp_connect(ISC_LIST_HEAD(lookup->q)); - else - send_udp(ISC_LIST_HEAD(lookup->q)); + query = ISC_LIST_HEAD(lookup->q); + if (query != NULL) { + if (lookup->tcp_mode) + send_tcp_connect(query); + else + send_udp(query); + } } /*% @@ -4083,7 +4108,7 @@ sigchase_scanname(dns_rdatatype_t type, dns_rdatatype_t covers, check_result(result, "dns_name_totext"); isc_buffer_usedregion(b, &r); r.base[r.length] = '\0'; - strcpy(lookup->textname, (char*)r.base); + strlcpy(lookup->textname, (char*)r.base, sizeof(lookup->textname)); isc_buffer_free(&b); if (type == dns_rdatatype_rrsig) 
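Review bot: `next = ISC_LIST_NEXT(cq, link);` is only meaningful while cq is still linked on `l->q`; the send_tcp_connect hunk in this commit dequeues a query from `l->q` (resetting its `link`) when moving it to `l->connecting`, and if I read the ISC list macros correctly an unlinked element's next pointer is the (void *)-1 sentinel rather than NULL, so the added `next != NULL` test would not catch that case. Guarding on link state first, `next = ISC_LINK_LINKED(cq, link) ? ISC_LIST_NEXT(cq, link) : NULL;`, keeps the timeout path safe regardless of which list cq is on. Whether cq can actually be a moved query here depends on the loop that sets it, which starts outside the hunk.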
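Review bot: When `ISC_LIST_HEAD(lookup->q)` is NULL, do_lookup now sets `lookup->pending = ISC_TRUE` and returns without sending anything, so nothing will later mark that lookup complete; either move the pending assignment inside the `if (query != NULL)` branch, or hand an empty lookup to the normal completion path instead of leaving it pending. The comment block above the function should also state that an empty query list is accepted and what happens to it. The caller's behaviour on an empty list is not visible here.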
@@ -4208,7 +4233,7 @@ opentmpkey(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) { return (ISC_R_NOMEMORY); memset(tempnamekey, 0, tempnamekeylen); - strncpy(tempnamekey, tempname, tempnamelen); + strlcpy(tempnamekey, tempname, tempnamelen); strcat(tempnamekey ,".key"); @@ -4342,7 +4367,7 @@ prepare_lookup(dns_name_t *name) lookup->new_search = ISC_TRUE; lookup->trace_root_sigchase = ISC_FALSE; - strncpy(lookup->textname, lookup->textnamesigchase, MXNAME); + strlcpy(lookup->textname, lookup->textnamesigchase, MXNAME); lookup->rdtype = lookup->rdtype_sigchase; lookup->rdtypeset = ISC_TRUE; @@ -4401,7 +4426,7 @@ prepare_lookup(dns_name_t *name) dns_rdata_totext(&aaaa, &ns.name, b); isc_buffer_usedregion(b, &r); r.base[r.length] = '\0'; - strncpy(namestr, (char*)r.base, + strlcpy(namestr, (char*)r.base, DNS_NAME_FORMATSIZE); isc_buffer_free(&b); dns_rdata_reset(&aaaa); @@ -4430,7 +4455,7 @@ prepare_lookup(dns_name_t *name) dns_rdata_totext(&a, &ns.name, b); isc_buffer_usedregion(b, &r); r.base[r.length] = '\0'; - strncpy(namestr, (char*)r.base, + strlcpy(namestr, (char*)r.base, DNS_NAME_FORMATSIZE); isc_buffer_free(&b); dns_rdata_reset(&a); @@ -4609,7 +4634,6 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset, { isc_result_t result; dns_rdata_t rdata = DNS_RDATA_INIT; - dst_key_t *trustedKey = NULL; dst_key_t *dnsseckey = NULL; int i; @@ -4653,10 +4677,6 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset, dst_key_free(&dnsseckey); } while (dns_rdataset_next(rdataset) == ISC_R_SUCCESS); - if (trustedKey != NULL) - dst_key_free(&trustedKey); - trustedKey = NULL; - return (ISC_R_NOTFOUND); } diff --git a/bin/dig/host.c b/bin/dig/host.c index 82eea056c0d1..6b37f5f76a1a 100644 --- a/bin/dig/host.c +++ b/bin/dig/host.c 
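Review bot: `strlcpy(tempnamekey, tempname, tempnamelen);` passes what appears to be the length of the source, not the size of the destination; unlike the old strncpy, strlcpy copies at most size-1 bytes, so if tempnamelen equals strlen(tempname) the last character of the name is now dropped before `".key"` is appended. The bound should be the destination's own size and the following strcat should be bounded the same way: `strlcpy(tempnamekey, tempname, tempnamekeylen);` followed by `strlcat(tempnamekey, ".key", tempnamekeylen);`. How tempnamelen and tempnamekeylen are computed is outside the hunk, so please confirm against those lines.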
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2007, 2009-2011 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007, 2009-2012 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -446,10 +446,18 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) { if (msg->rcode != 0) { char namestr[DNS_NAME_FORMATSIZE]; dns_name_format(query->lookup->name, namestr, sizeof(namestr)); - printf("Host %s not found: %d(%s)\n", - (msg->rcode != dns_rcode_nxdomain) ? namestr : - query->lookup->textname, msg->rcode, - rcode_totext(msg->rcode)); + + if (query->lookup->identify_previous_line) + printf("Nameserver %s:\n\t%s not found: %d(%s)\n", + query->servname, + (msg->rcode != dns_rcode_nxdomain) ? namestr : + query->lookup->textname, msg->rcode, + rcode_totext(msg->rcode)); + else + printf("Host %s not found: %d(%s)\n", + (msg->rcode != dns_rcode_nxdomain) ? namestr : + query->lookup->textname, msg->rcode, + rcode_totext(msg->rcode)); return (ISC_R_SUCCESS); } diff --git a/bin/dig/include/dig/dig.h b/bin/dig/include/dig/dig.h index 6c186dec5e4b..e03974564530 100644 --- a/bin/dig/include/dig/dig.h +++ b/bin/dig/include/dig/dig.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009, 2011 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -168,6 +168,7 @@ isc_boolean_t sigchase; dns_name_t *oname; ISC_LINK(dig_lookup_t) link; ISC_LIST(dig_query_t) q; + ISC_LIST(dig_query_t) connecting; dig_query_t *current_query; dig_serverlist_t my_server_list; dig_searchlist_t *origin; 
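Review bot: The two printf branches added to printmessage repeat the same three-argument tail, which invites the copies drifting apart; evaluating the name once, `const char *nm = (msg->rcode != dns_rcode_nxdomain) ? namestr : query->lookup->textname;` declared next to namestr, and passing `nm, msg->rcode, rcode_totext(msg->rcode)` to both calls leaves a single source of truth. Keeping two literal format strings rather than selecting a format at runtime is the right choice here. printmessage's body continues outside the hunk.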
@@ -214,6 +215,7 @@ struct dig_query { slspace[4]; isc_socket_t *sock; ISC_LINK(dig_query_t) link; + ISC_LINK(dig_query_t) clink; isc_sockaddr_t sockaddr; isc_time_t time_sent; isc_uint64_t byte_count; diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c index e91e02dda5ae..6572d4c6ff36 100644 --- a/bin/dnssec/dnssec-keyfromlabel.c +++ b/bin/dnssec/dnssec-keyfromlabel.c @@ -356,6 +356,8 @@ main(int argc, char **argv) { fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n" "If you still wish to use RSA (RSAMD5) please " "specify \"-a RSAMD5\"\n"); + if (freeit != NULL) + free(freeit); return (1); } else { r.base = algname; diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index 8af100c7bdea..3d22f997cc2d 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -1,5 +1,5 @@ /* - * Portions Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC") * Portions Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -526,6 +526,7 @@ main(int argc, char **argv) { "recommended.\nIf you still wish to " "use RSA (RSAMD5) please specify " "\"-a RSAMD5\"\n"); + INSIST(freeit == NULL); return (1); } else if (strcasecmp(algname, "HMAC-MD5") == 0) alg = DST_ALG_HMACMD5; @@ -960,8 +961,15 @@ main(int argc, char **argv) { dst_key_settime(key, DST_TIME_INACTIVE, inactive); - if (setdel) + if (setdel) { + if (setinact && delete < inactive) + fprintf(stderr, "%s: warning: Key is " + "scheduled to be deleted " + "before it is scheduled to be " + "made inactive.\n", + program); dst_key_settime(key, DST_TIME_DELETE, delete); + } } else { if (setpub || setact || setrev || setinact || setdel || unsetpub || unsetact || diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c index 8346f1c91182..fb116e6efe2a 100644 
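Review bot: `if (freeit != NULL) free(freeit);` in dnssec-keyfromlabel.c carries a redundant guard, since free(NULL) is a no-op; `free(freeit);` alone reads cleaner. This is also one of several early `return (1)` paths in main's option parsing; if the other exits that can follow the allocation of freeit do not release it too, the leak fix is partial — those paths are outside the hunk.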
--- a/bin/dnssec/dnssec-revoke.c +++ b/bin/dnssec/dnssec-revoke.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2009-2011 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2009-2012 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -20,7 +20,6 @@ #include <config.h> -#include <libgen.h> #include <stdlib.h> #include <unistd.h> diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c index f7f4486eefe7..a7fbed3bcbdb 100644 --- a/bin/dnssec/dnssec-settime.c +++ b/bin/dnssec/dnssec-settime.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2009-2012 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2009-2013 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -20,7 +20,6 @@ #include <config.h> -#include <libgen.h> #include <stdlib.h> #include <unistd.h> #include <errno.h> @@ -140,6 +139,7 @@ main(int argc, char **argv) { int prepub = -1; isc_stdtime_t now; isc_stdtime_t pub = 0, act = 0, rev = 0, inact = 0, del = 0; + isc_stdtime_t prevact = 0, previnact = 0, prevdel = 0; isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE; isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE; isc_boolean_t setdel = ISC_FALSE; @@ -344,7 +344,6 @@ main(int argc, char **argv) { if (predecessor != NULL) { char keystr[DST_KEY_FORMATSIZE]; - isc_stdtime_t when; int major, minor; if (prepub == -1) 
@@ -376,19 +375,20 @@ main(int argc, char **argv) { fatal("Predecessor has incompatible format " "version %d.%d\n\t", major, minor); - result = dst_key_gettime(prevkey, DST_TIME_ACTIVATE, &when); + result = dst_key_gettime(prevkey, DST_TIME_ACTIVATE, &prevact); if (result != ISC_R_SUCCESS) fatal("Predecessor has no activation date. " "You must set one before\n\t" "generating a successor."); - result = dst_key_gettime(prevkey, DST_TIME_INACTIVE, &act); + result = dst_key_gettime(prevkey, DST_TIME_INACTIVE, + &previnact); if (result != ISC_R_SUCCESS) fatal("Predecessor has no inactivation date. " "You must set one before\n\t" "generating a successor."); - pub = act - prepub; + pub = prevact - prepub; if (pub < now && prepub != 0) fatal("Predecessor will become inactive before the\n\t" "prepublication period ends. Either change " @@ -396,13 +396,18 @@ main(int argc, char **argv) { "or use the -i option to set a shorter " "prepublication interval."); - result = dst_key_gettime(prevkey, DST_TIME_DELETE, &when); + result = dst_key_gettime(prevkey, DST_TIME_DELETE, &prevdel); if (result != ISC_R_SUCCESS) - fprintf(stderr, "%s: WARNING: Predecessor has no " + fprintf(stderr, "%s: warning: Predecessor has no " "removal date;\n\t" "it will remain in the zone " "indefinitely after rollover.\n", program); + else if (prevdel < previnact) + fprintf(stderr, "%s: warning: Predecessor is " + "scheduled to be deleted\n\t" + "before it is scheduled to be " + "inactive.\n", program); changed = setpub = setact = ISC_TRUE; dst_key_free(&prevkey); 
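Review bot: `pub = prevact - prepub;` now derives the successor's publication time from the predecessor's activation date, whereas the removed line computed it from the predecessor's inactivation date (the old `act` was filled from DST_TIME_INACTIVE, and the fatal message just below still says the predecessor "will become inactive before the prepublication period ends"). Unless act is assigned from previnact further down, this looks like `pub = previnact - prepub;` was intended, and the successor's `act` must also be set to previnact somewhere — neither is visible in the hunk. main's body starts and ends outside the hunk.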
@@ -464,6 +469,20 @@ main(int argc, char **argv) { fatal("Key flags mismatch"); } + prevdel = previnact = 0; + if ((setdel && setinact && del < inact) || + (dst_key_gettime(key, DST_TIME_INACTIVE, + &previnact) == ISC_R_SUCCESS && + setdel && !setinact && del < previnact) || + (dst_key_gettime(key, DST_TIME_DELETE, + &prevdel) == ISC_R_SUCCESS && + setinact && !setdel && prevdel < inact) || + (!setdel && !setinact && prevdel < previnact)) + fprintf(stderr, "%s: warning: Key is scheduled to " + "be deleted before it is\n\t" + "scheduled to be inactive.\n", + program); + if (force) set_keyversion(key); else diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 237624948a26..86c3aee7095e 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -1,5 +1,5 @@ /* - * Portions Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC") * Portions Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -646,6 +646,8 @@ hashlist_add(hashlist_t *l, const unsigned char *hash, size_t len) if (l->entries == l->size) { l->size = l->size * 2 + 100; l->hashbuf = realloc(l->hashbuf, l->size * l->length); + if (l->hashbuf == NULL) + fatal("unable to grow hashlist: out of memory"); } memset(l->hashbuf + l->entries * l->length, 0, l->length); memcpy(l->hashbuf + l->entries * l->length, hash, len); @@ -2027,7 +2029,9 @@ add_ds(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t nsttl) { * Remove records of the given type and their signatures. */ static void -remove_records(dns_dbnode_t *node, dns_rdatatype_t which) { +remove_records(dns_dbnode_t *node, dns_rdatatype_t which, + isc_boolean_t checknsec) +{ isc_result_t result; dns_rdatatype_t type, covers; dns_rdatasetiter_t *rdsiter = NULL; 
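Review bot: The last clause of the new warning condition, `(!setdel && !setinact && prevdel < previnact)`, does not check that the two dst_key_gettime() calls succeeded; if a failed call leaves its output untouched, a key that has an inactivation date but no deletion date keeps prevdel at 0 and the warning fires although nothing is scheduled for deletion. The earlier clauses already gate on the result; recording the two results in `isc_result_t` locals and requiring both to be ISC_R_SUCCESS in that clause closes the gap. A short comment above the condition naming the four cases it covers (both set, only delete set, only inactive set, neither set) would also help readers. main's body starts and ends outside the hunk.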
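Review bot: `l->hashbuf = realloc(l->hashbuf, l->size * l->length);` overwrites the only pointer to the old buffer before the new NULL check, and `l->size` has already been doubled when the check fails; this is harmless only because fatal() never returns. Assigning realloc's result to a temporary of the same type as l->hashbuf and committing the new size only on success keeps the structure consistent for any future caller that does not abort. The product `l->size * l->length` is also not checked for overflow; whether the operand types make that reachable is not visible here.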
@@ -2048,10 +2052,12 @@ remove_records(dns_dbnode_t *node, dns_rdatatype_t which) { covers = rdataset.covers; dns_rdataset_disassociate(&rdataset); if (type == which || covers == which) { - if (which == dns_rdatatype_nsec && !update_chain) + if (which == dns_rdatatype_nsec && + checknsec && !update_chain) fatal("Zone contains NSEC records. Use -u " "to update to NSEC3."); - if (which == dns_rdatatype_nsec3param && !update_chain) + if (which == dns_rdatatype_nsec3param && + checknsec && !update_chain) fatal("Zone contains NSEC3 chains. Use -u " "to update to NSEC."); result = dns_db_deleterdataset(gdb, node, gversion, @@ -2063,6 +2069,39 @@ remove_records(dns_dbnode_t *node, dns_rdatatype_t which) { dns_rdatasetiter_destroy(&rdsiter); } +/* + * Remove signatures covering the given type (0 == all signatures). + */ +static void +remove_sigs(dns_dbnode_t *node, dns_rdatatype_t which) { + isc_result_t result; + dns_rdatatype_t type, covers; + dns_rdatasetiter_t *rdsiter = NULL; + dns_rdataset_t rdataset; + + dns_rdataset_init(&rdataset); + result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter); + check_result(result, "dns_db_allrdatasets()"); + for (result = dns_rdatasetiter_first(rdsiter); + result == ISC_R_SUCCESS; + result = dns_rdatasetiter_next(rdsiter)) { + dns_rdatasetiter_current(rdsiter, &rdataset); + type = rdataset.type; + covers = rdataset.covers; + dns_rdataset_disassociate(&rdataset); + + if (type == dns_rdatatype_rrsig && + (covers == which || which == 0)) + { + result = dns_db_deleterdataset(gdb, node, gversion, + type, covers); + check_result(result, "dns_db_deleterdataset()"); + continue; + } + } + dns_rdatasetiter_destroy(&rdsiter); +} + /*% * Generate NSEC records for the zone and remove NSEC3/NSEC3PARAM records. */ 
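Review bot: The `continue;` closing the `if` body in the new remove_sigs is the last statement of the loop body, so it is dead and should be dropped. The header comment `(0 == all signatures)` would read better naming the meaning rather than the bare value, and should say that the function modifies the zone through the global gdb/gversion handles like remove_records above. remove_records' body at the top of this hunk starts outside the hunk.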
@@ -2139,14 +2178,17 @@ nsecify(void) { } if (dns_name_equal(name, gorigin)) - remove_records(node, dns_rdatatype_nsec3param); + remove_records(node, dns_rdatatype_nsec3param, + ISC_TRUE); if (delegation(name, node, &nsttl)) { zonecut = dns_fixedname_name(&fzonecut); dns_name_copy(name, zonecut, NULL); + remove_sigs(node, 0); if (generateds) add_ds(name, node, nsttl); } + result = dns_dbiterator_next(dbiter); nextnode = NULL; while (result == ISC_R_SUCCESS) { @@ -2164,6 +2206,9 @@ nsecify(void) { (zonecut != NULL && dns_name_issubdomain(nextname, zonecut))) { + remove_sigs(nextnode, 0); + remove_records(nextnode, dns_rdatatype_nsec, + ISC_FALSE); dns_db_detachnode(gdb, &nextnode); result = dns_dbiterator_next(dbiter); continue; @@ -2555,7 +2600,7 @@ nsec3ify(unsigned int hashalg, unsigned int iterations, } if (dns_name_equal(name, gorigin)) - remove_records(node, dns_rdatatype_nsec); + remove_records(node, dns_rdatatype_nsec, ISC_TRUE); result = dns_dbiterator_next(dbiter); nextnode = NULL; @@ -2572,6 +2617,7 @@ nsec3ify(unsigned int hashalg, unsigned int iterations, if (!dns_name_issubdomain(nextname, gorigin) || (zonecut != NULL && dns_name_issubdomain(nextname, zonecut))) { + remove_sigs(nextnode, 0); dns_db_detachnode(gdb, &nextnode); result = dns_dbiterator_next(dbiter); continue; @@ -2579,6 +2625,7 @@ nsec3ify(unsigned int hashalg, unsigned int iterations, if (delegation(nextname, nextnode, &nsttl)) { zonecut = dns_fixedname_name(&fzonecut); dns_name_copy(nextname, zonecut, NULL); + remove_sigs(nextnode, 0); if (generateds) add_ds(nextname, nextnode, nsttl); if (OPTOUT(nsec3flags) && @@ -3011,7 +3058,7 @@ set_nsec3params(isc_boolean_t update_chain, isc_boolean_t set_salt, dns_rdata_nsec3_t nsec3; dns_fixedname_t fname; dns_name_t *hashname; - unsigned char orig_salt[256]; + unsigned char orig_salt[255]; size_t orig_saltlen; dns_hash_t orig_hash; isc_uint16_t orig_iter; 
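Review bot: Shrinking `orig_salt` from 256 to 255 bytes matches the one-octet salt length field of NSEC3/NSEC3PARAM, but it also tightens the bound for any copy of the existing salt into this buffer; that copy and the `orig_saltlen` assignment are outside the hunk, so please confirm they are bounded by `sizeof(orig_salt)` rather than a separate constant. A comment such as `/* maximum NSEC3 salt length: one-octet length field */` on the declaration would record why 255 is the right size. set_nsec3params' body continues outside the hunk.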
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in index ea919ae5e2da..e3ce3bd1547b 100644 --- a/bin/named/Makefile.in +++ b/bin/named/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2002 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any @@ -21,6 +21,12 @@ top_srcdir = @top_srcdir@ @BIND9_VERSION@ +@BIND9_PRODUCT@ + +@BIND9_DESCRIPTION@ + +@BIND9_SRCID@ + @BIND9_CONFIGARGS@ @BIND9_MAKE_INCLUDES@ @@ -114,6 +120,9 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES} main.@O@: main.c ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ -DVERSION=\"${VERSION}\" \ + -DPRODUCT=\"${PRODUCT}\" \ + -DDESCRIPTION=\"${DESCRIPTION}\" \ + -DSRCID=\"${SRCID}\" \ -DCONFIGARGS="\"${CONFIGARGS}\"" \ -DNS_LOCALSTATEDIR=\"${localstatedir}\" \ -DNS_SYSCONFDIR=\"${sysconfdir}\" -c ${srcdir}/main.c @@ -124,6 +133,7 @@ bind.keys.h: ${top_srcdir}/bind.keys ${srcdir}/bindkeys.pl config.@O@: config.c bind.keys.h ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ -DVERSION=\"${VERSION}\" \ + -DSRCID=\"${SRCID}\" \ -DNS_LOCALSTATEDIR=\"${localstatedir}\" \ -DNS_SYSCONFDIR=\"${sysconfdir}\" \ -c ${srcdir}/config.c @@ -167,3 +177,6 @@ install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs ${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5 @DLZ_DRIVER_RULES@ + +named-symtbl.@O@: named-symtbl.c + ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c named-symtbl.c diff --git a/bin/named/client.c b/bin/named/client.c index 606cc2d4dad4..ff4ab691c184 100644 --- a/bin/named/client.c +++ b/bin/named/client.c 
@@ -1394,10 +1394,9 @@ client_request(isc_task_t *task, isc_event_t *event) { INSIST(client->recursionquota == NULL); - INSIST(client->state == - TCP_CLIENT(client) ? - NS_CLIENTSTATE_READING : - NS_CLIENTSTATE_READY); + INSIST(client->state == (TCP_CLIENT(client) ? + NS_CLIENTSTATE_READING : + NS_CLIENTSTATE_READY)); ns_client_requests++; @@ -2408,6 +2407,9 @@ ns_client_replace(ns_client_t *client) { CTRACE("replace"); + REQUIRE(client != NULL); + REQUIRE(client->manager != NULL); + result = ns_clientmgr_createclients(client->manager, 1, client->interface, (TCP_CLIENT(client) ? diff --git a/bin/named/config.c b/bin/named/config.c index 9e453ade3bc6..25ebac4db0c1 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -150,6 +150,7 @@ options {\n\ check-names response ignore;\n\ check-dup-records warn;\n\ check-mx warn;\n\ + check-spf warn;\n\ acache-enable no;\n\ acache-cleaning-interval 60;\n\ max-acache-size 16M;\n\ 
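Review bot: The new `REQUIRE(client != NULL);` in ns_client_replace is placed after `CTRACE("replace");`, which — if CTRACE expands to a client-scoped log call as it does elsewhere in named — dereferences client before the precondition is checked; move both REQUIREs above the CTRACE line. ns_client_replace's body continues outside the hunk.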
@@ -639,17 +640,16 @@ ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list, if (isc_sockaddr_getport(&addrs[i]) == 0) isc_sockaddr_setport(&addrs[i], port); keys[i] = NULL; - if (!cfg_obj_isstring(key)) { - i++; + i++; /* Increment here so that cleanup on error works. */ + if (!cfg_obj_isstring(key)) continue; - } - keys[i] = isc_mem_get(mctx, sizeof(dns_name_t)); - if (keys[i] == NULL) + keys[i - 1] = isc_mem_get(mctx, sizeof(dns_name_t)); + if (keys[i - 1] == NULL) goto cleanup; - dns_name_init(keys[i], NULL); + dns_name_init(keys[i - 1], NULL); keystr = cfg_obj_asstring(key); - isc_buffer_init(&b, keystr, strlen(keystr)); + isc_buffer_constinit(&b, keystr, strlen(keystr)); isc_buffer_add(&b, strlen(keystr)); dns_fixedname_init(&fname); result = dns_name_fromtext(dns_fixedname_name(&fname), &b, @@ -657,10 +657,9 @@ ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list, if (result != ISC_R_SUCCESS) goto cleanup; result = dns_name_dup(dns_fixedname_name(&fname), mctx, - keys[i]); + keys[i - 1]); if (result != ISC_R_SUCCESS) goto cleanup; - i++; } if (pushed != 0) { pushed--; @@ -716,7 +715,7 @@ ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list, if (addrs != NULL) isc_mem_put(mctx, addrs, addrcount * sizeof(isc_sockaddr_t)); if (keys != NULL) { - for (j = 0; j <= i; j++) { + for (j = 0; j < i; j++) { if (keys[j] == NULL) continue; if (dns_name_dynamic(keys[j])) diff --git a/bin/named/control.c b/bin/named/control.c index ff084fc7d5a9..2a1a5a8e734e 100644 --- a/bin/named/control.c +++ b/bin/named/control.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007, 2009, 2010, 2012 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any 
@@ -61,7 +61,7 @@ command_compare(const char *text, const char *command) { isc_result_t ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) { isccc_sexpr_t *data; - char *command; + char *command = NULL; isc_result_t result; int log_level; #ifdef HAVE_LIBSCF diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c index daf00d04ed65..73c0f37e9737 100644 --- a/bin/named/controlconf.c +++ b/bin/named/controlconf.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2008, 2011, 2012 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2008, 2011-2013 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -149,7 +149,7 @@ free_listener(controllistener_t *listener) { if (listener->acl != NULL) dns_acl_detach(&listener->acl); - isc_mem_put(listener->mctx, listener, sizeof(*listener)); + isc_mem_putanddetach(&listener->mctx, listener, sizeof(*listener)); } static void @@ -1066,8 +1066,9 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp, result = ISC_R_NOMEMORY; if (result == ISC_R_SUCCESS) { + listener->mctx = NULL; + isc_mem_attach(mctx, &listener->mctx); listener->controls = cp; - listener->mctx = mctx; listener->task = cp->server->task; listener->address = *addr; listener->sock = NULL; diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h index 109d160b456b..e6414d2f7a7a 100644 --- a/bin/named/include/named/client.h +++ b/bin/named/include/named/client.h 
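Review bot: With `isc_mem_attach(mctx, &listener->mctx);` the listener now holds a reference that free_listener() releases through isc_mem_putanddetach; any error path in add_listener between this point and where free_listener takes over must also detach, otherwise the attach leaks a reference (the previous `listener->mctx = mctx` carried no such obligation). Those paths are outside the hunk, so please confirm they all route through free_listener. A one-line comment, `/* the listener owns a reference to mctx; released in free_listener() */`, would make the ownership explicit.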
@@ -165,16 +165,17 @@ struct ns_client { #define NS_CLIENT_MAGIC ISC_MAGIC('N','S','C','c') #define NS_CLIENT_VALID(c) ISC_MAGIC_VALID(c, NS_CLIENT_MAGIC) -#define NS_CLIENTATTR_TCP 0x01 -#define NS_CLIENTATTR_RA 0x02 /*%< Client gets recursive service */ -#define NS_CLIENTATTR_PKTINFO 0x04 /*%< pktinfo is valid */ -#define NS_CLIENTATTR_MULTICAST 0x08 /*%< recv'd from multicast */ -#define NS_CLIENTATTR_WANTDNSSEC 0x10 /*%< include dnssec records */ -#define NS_CLIENTATTR_WANTNSID 0x20 /*%< include nameserver ID */ +#define NS_CLIENTATTR_TCP 0x001 +#define NS_CLIENTATTR_RA 0x002 /*%< Client gets recursive service */ +#define NS_CLIENTATTR_PKTINFO 0x004 /*%< pktinfo is valid */ +#define NS_CLIENTATTR_MULTICAST 0x008 /*%< recv'd from multicast */ +#define NS_CLIENTATTR_WANTDNSSEC 0x010 /*%< include dnssec records */ +#define NS_CLIENTATTR_WANTNSID 0x020 /*%< include nameserver ID */ #ifdef ALLOW_FILTER_AAAA_ON_V4 -#define NS_CLIENTATTR_FILTER_AAAA 0x40 /*%< suppress AAAAs */ -#define NS_CLIENTATTR_FILTER_AAAA_RC 0x80 /*%< recursing for A against AAAA */ +#define NS_CLIENTATTR_FILTER_AAAA 0x040 /*%< suppress AAAAs */ +#define NS_CLIENTATTR_FILTER_AAAA_RC 0x080 /*%< recursing for A against AAAA */ #endif +#define NS_CLIENTATTR_WANTAD 0x100 /*%< want AD in response if possible */ extern unsigned int ns_client_requests; diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h index 842931677b55..39307f36996b 100644 --- a/bin/named/include/named/globals.h +++ b/bin/named/include/named/globals.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any 
@@ -66,6 +66,9 @@ EXTERN isc_timermgr_t * ns_g_timermgr INIT(NULL);
 EXTERN isc_socketmgr_t * ns_g_socketmgr INIT(NULL);
 EXTERN cfg_parser_t * ns_g_parser INIT(NULL);
 EXTERN const char * ns_g_version INIT(VERSION);
+EXTERN const char * ns_g_product INIT(PRODUCT);
+EXTERN const char * ns_g_description INIT(DESCRIPTION);
+EXTERN const char * ns_g_srcid INIT(SRCID);
 EXTERN const char * ns_g_configargs INIT(CONFIGARGS);
 EXTERN in_port_t ns_g_port INIT(0);
 EXTERN in_port_t lwresd_g_listenport INIT(0);
@@ -120,6 +123,7 @@ EXTERN isc_boolean_t ns_g_coreok INIT(ISC_TRUE);
 EXTERN const char * ns_g_chrootdir INIT(NULL);
 EXTERN isc_boolean_t ns_g_foreground INIT(ISC_FALSE);
 EXTERN isc_boolean_t ns_g_logstderr INIT(ISC_FALSE);
+EXTERN isc_boolean_t ns_g_nosyslog INIT(ISC_FALSE);
 EXTERN const char * ns_g_defaultsessionkeyfile INIT(NS_LOCALSTATEDIR "/run/named/"
@@ -153,6 +157,7 @@ EXTERN isc_boolean_t ns_g_memstatistics INIT(ISC_FALSE);
 EXTERN isc_boolean_t ns_g_clienttest INIT(ISC_FALSE);
 EXTERN isc_boolean_t ns_g_nosoa INIT(ISC_FALSE);
 EXTERN isc_boolean_t ns_g_noaa INIT(ISC_FALSE);
+EXTERN isc_boolean_t ns_g_nonearest INIT(ISC_FALSE);
 #undef EXTERN
 #undef INIT
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index 25aa641ad37e..9982e88e09e4 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010, 2013 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2003 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@@ -165,7 +165,9 @@ enum {
 dns_nsstatscounter_updatefail = 34,
 dns_nsstatscounter_updatebadprereq = 35,
- dns_nsstatscounter_max = 36
+ dns_nsstatscounter_rpz_rewrites = 36,
+
+ dns_nsstatscounter_max = 37
 };
 void
diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
index d194d2b877cf..15ffe00aa51a 100644
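Review bot: `ns_g_product`, `ns_g_description` and `ns_g_srcid` are initialised from the `PRODUCT`, `DESCRIPTION` and `SRCID` macros and are later used as plain strings (the main.c hunks below dereference `*ns_g_description` and pass all three through `printf("%s")`), so the build must guarantee those macros expand to string literals — an empty `""` is fine, an undefined macro or `NULL` is not. A short comment on the three new lines, `/* must be string literals (may be ""); dereferenced by -v/-V and the startup log */`, records that contract where the globals are declared.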
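Review bot: Adding `dns_nsstatscounter_rpz_rewrites = 36` and moving `dns_nsstatscounter_max` to 37 also needs a matching entry in whatever table maps these indices to counter names for the statistics output; that table is outside this hunk, and without the entry the new counter is rendered with a missing or shifted label, or indexes past the table's end. A comment on the new enumerator, `/* RPZ rewrites performed; keep the statistics name table in step */`, makes the dependency visible to the next person who appends a counter.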
--- a/bin/named/interfacemgr.c
+++ b/bin/named/interfacemgr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2009, 2011 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009, 2011, 2013 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2002 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@@ -79,11 +79,13 @@ ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 if (mgr == NULL)
 return (ISC_R_NOMEMORY);
+ mgr->mctx = NULL;
+ isc_mem_attach(mctx, &mgr->mctx);
+
 result = isc_mutex_init(&mgr->lock);
 if (result != ISC_R_SUCCESS)
 goto cleanup_mem;
- mgr->mctx = mctx;
 mgr->taskmgr = taskmgr;
 mgr->socketmgr = socketmgr;
 mgr->dispatchmgr = dispatchmgr;
@@ -115,7 +117,7 @@ ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 ns_listenlist_detach(&mgr->listenon4);
 ns_listenlist_detach(&mgr->listenon6);
 cleanup_mem:
- isc_mem_put(mctx, mgr, sizeof(*mgr));
+ isc_mem_putanddetach(&mgr->mctx, mgr, sizeof(*mgr));
 return (result);
 }
@@ -128,7 +130,7 @@ ns_interfacemgr_destroy(ns_interfacemgr_t *mgr) {
 clearlistenon(mgr);
 DESTROYLOCK(&mgr->lock);
 mgr->magic = 0;
- isc_mem_put(mgr->mctx, mgr, sizeof(*mgr));
+ isc_mem_putanddetach(&mgr->mctx, mgr, sizeof(*mgr));
 }
 dns_aclenv_t *
diff --git a/bin/named/log.c b/bin/named/log.c
index 5d19dcb205c6..a34dea47ecb7 100644
--- a/bin/named/log.c
+++ b/bin/named/log.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2013 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2002 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@@ -201,7 +201,7 @@ isc_result_t
 ns_log_setdefaultcategory(isc_logconfig_t *lcfg) {
 isc_result_t result;
- if (! ns_g_logstderr) {
+ if (! ns_g_logstderr && ! ns_g_nosyslog) {
 result = isc_log_usechannel(lcfg, "default_syslog",
 ISC_LOGCATEGORY_DEFAULT, NULL);
 if (result != ISC_R_SUCCESS)
diff --git a/bin/named/logconf.c b/bin/named/logconf.c
index 5d17ab0e6016..f02b97fcddee 100644
--- a/bin/named/logconf.c
+++ b/bin/named/logconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2011 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2011, 2013 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2001 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@@ -246,14 +246,16 @@ channel_fromconf(const cfg_obj_t *channel, isc_logconfig_t *lctx) {
 isc_result_totext(result));
 } else
 (void)isc_stdio_close(fp);
- } else {
- syslog(LOG_ERR, "isc_file_isplainfile '%s' failed: %s",
- dest.file.name, isc_result_totext(result));
- fprintf(stderr, "isc_file_isplainfile '%s' failed: %s",
- dest.file.name, isc_result_totext(result));
+ goto done;
 }
+ if (!ns_g_nosyslog)
+ syslog(LOG_ERR, "isc_file_isplainfile '%s' failed: %s",
+ dest.file.name, isc_result_totext(result));
+ fprintf(stderr, "isc_file_isplainfile '%s' failed: %s",
+ dest.file.name, isc_result_totext(result));
 }
+ done:
 return (result);
 }
diff --git a/bin/named/lwresd.c b/bin/named/lwresd.c
index 11198a4324f2..7ee2196364e9 100644
--- a/bin/named/lwresd.c
+++ b/bin/named/lwresd.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2000-2003 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
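Review bot: The stderr report added in the channel_fromconf hunk, `fprintf(stderr, "isc_file_isplainfile '%s' failed: %s", dest.file.name, isc_result_totext(result));`, has no trailing newline, so whatever is written to stderr next continues on the same line; the format should end in `%s\n`. Keeping that report unconditional while only the syslog copy is gated by `ns_g_nosyslog` is the right split, because refusing a non-plain file as a log destination is a safeguard the operator should always see, and `goto done` still returns the failing `result`. channel_fromconf's header and the assignment of `result` are outside the hunk.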
@@ -368,7 +368,7 @@ ns_lwdmanager_create(isc_mem_t *mctx, const cfg_obj_t *lwres,
 dns_fixedname_init(&fname);
 name = dns_fixedname_name(&fname);
- isc_buffer_init(&namebuf, searchstr,
+ isc_buffer_constinit(&namebuf, searchstr,
 strlen(searchstr));
 isc_buffer_add(&namebuf, strlen(searchstr));
 result = dns_name_fromtext(name, &namebuf,
diff --git a/bin/named/main.c b/bin/named/main.c
index 30c6ef9cac56..f6c929e5b967 100644
--- a/bin/named/main.c
+++ b/bin/named/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2003 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@@ -523,6 +523,10 @@ parse_command_line(int argc, char *argv[]) {
 maxudp = 512;
 else if (!strcmp(isc_commandline_argument, "maxudp1460"))
 maxudp = 1460;
+ else if (!strcmp(isc_commandline_argument, "nosyslog"))
+ ns_g_nosyslog = ISC_TRUE;
+ else if (!strcmp(isc_commandline_argument, "nonearest"))
+ ns_g_nonearest = ISC_TRUE;
 else
 fprintf(stderr, "unknown -T flag '%s\n",
 isc_commandline_argument);
@@ -531,10 +535,16 @@ parse_command_line(int argc, char *argv[]) {
 ns_g_username = isc_commandline_argument;
 break;
 case 'v':
- printf("BIND %s\n", ns_g_version);
+ printf("%s %s", ns_g_product, ns_g_version);
+ if (*ns_g_description != 0)
+ printf(" %s", ns_g_description);
+ printf("\n");
 exit(0);
 case 'V':
- printf("BIND %s built with %s\n", ns_g_version,
+ printf("%s %s", ns_g_product, ns_g_version);
+ if (*ns_g_description != 0)
+ printf(" %s", ns_g_description);
+ printf(" <id:%s> built with %s\n", ns_g_srcid,
 ns_g_configargs);
 #ifdef OPENSSL
 printf("using OpenSSL version: %s\n",
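Review bot: `-T nosyslog` and `-T nonearest` are added to the `-T` parser without a word about what they change; `nonearest` alters how `named` handles the NSEC3 closest encloser (see the query.c hunk later in this diff), so a comment such as `/* test-only: skip closest-encloser processing except for DS queries */` belongs next to that assignment, and `/* test-only: never open the syslog channel */` next to `nosyslog`. In the `-v`/`-V` arms `*ns_g_description != 0` dereferences the new global, so `DESCRIPTION` must be a string literal (an empty one is fine) rather than `NULL`. While here, the adjacent context line `fprintf(stderr, "unknown -T flag '%s\n", ...)` is missing the closing quote after `%s` in its message.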
@@ -787,8 +797,8 @@ setup(void) { isc_result_totext(result)); isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, - ISC_LOG_NOTICE, "starting BIND %s%s", ns_g_version, - saved_command_line); + ISC_LOG_NOTICE, "starting %s %s%s", ns_g_product, + ns_g_version, saved_command_line); isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ISC_LOG_NOTICE, "built with %s", ns_g_configargs); @@ -1029,9 +1039,9 @@ main(int argc, char *argv[]) { */ strlcat(version, #if defined(NO_VERSION_DATE) || !defined(__DATE__) - "named version: BIND " VERSION, + "named version: BIND " VERSION " <" SRCID ">", #else - "named version: BIND " VERSION " (" __DATE__ ")", + "named version: BIND " VERSION " <" SRCID "> (" __DATE__ ")", #endif sizeof(version)); result = isc_file_progname(*argv, program_name, sizeof(program_name)); diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5 index 4356c192e6b6..09b147ee7de2 100644 --- a/bin/named/named.conf.5 +++ b/bin/named/named.conf.5 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004-2011, 2013 Internet Systems Consortium, Inc. ("ISC") .\" .\" Permission to use, copy, modify, and/or distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -187,7 +187,7 @@ options { random\-device \fIquoted_string\fR; recursive\-clients \fIinteger\fR; serial\-query\-rate \fIinteger\fR; - server\-id ( \fIquoted_string\fR | none |; + server\-id ( \fIquoted_string\fR | none ); stacksize \fIsize\fR; statistics\-file \fIquoted_string\fR; statistics\-interval \fIinteger\fR; // not yet implemented @@ -592,5 +592,5 @@ zone \fIstring\fR \fIoptional_class\fR { \fBrndc\fR(8), BIND 9 Administrator Reference Manual. .SH "COPYRIGHT" -Copyright \(co 2004\-2011 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004\-2011, 2013 Internet Systems Consortium, Inc. ("ISC") .br 
diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook index c6ee1db1ca49..2527ac3ae7e8 100644 --- a/bin/named/named.conf.docbook +++ b/bin/named/named.conf.docbook @@ -2,7 +2,7 @@ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2011, 2013 Internet Systems Consortium, Inc. ("ISC") - - Permission to use, copy, modify, and/or distribute this software for any - purpose with or without fee is hereby granted, provided that the above @@ -44,6 +44,7 @@ <year>2009</year> <year>2010</year> <year>2011</year> + <year>2013</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> </docinfo> @@ -218,7 +219,7 @@ options { random-device <replaceable>quoted_string</replaceable>; recursive-clients <replaceable>integer</replaceable>; serial-query-rate <replaceable>integer</replaceable>; - server-id ( <replaceable>quoted_string</replaceable> | none |; + server-id ( <replaceable>quoted_string</replaceable> | none ); stacksize <replaceable>size</replaceable>; statistics-file <replaceable>quoted_string</replaceable>; statistics-interval <replaceable>integer</replaceable>; // not yet implemented diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html index 71bd94669503..a8b35edc8602 100644 --- a/bin/named/named.conf.html +++ b/bin/named/named.conf.html @@ -1,5 +1,5 @@ <!-- - - Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2011, 2013 Internet Systems Consortium, Inc. ("ISC") - - Permission to use, copy, modify, and/or distribute this software for any - purpose with or without fee is hereby granted, provided that the above 
@@ -31,7 +31,7 @@ <div class="cmdsynopsis"><p><code class="command">named.conf</code> </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2543353"></a><h2>DESCRIPTION</h2> +<a name="id2543356"></a><h2>DESCRIPTION</h2> <p><code class="filename">named.conf</code> is the configuration file for <span><strong class="command">named</strong></span>. Statements are enclosed @@ -50,14 +50,14 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2543381"></a><h2>ACL</h2> +<a name="id2543384"></a><h2>ACL</h2> <div class="literallayout"><p><br> acl <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> <br> </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2543397"></a><h2>KEY</h2> +<a name="id2543400"></a><h2>KEY</h2> <div class="literallayout"><p><br> key <em class="replaceable"><code>domain_name</code></em> {<br> algorithm <em class="replaceable"><code>string</code></em>;<br> @@ -66,7 +66,7 @@ key <em class="replaceable"><code>domain_name</code></em> {<br> </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2543416"></a><h2>MASTERS</h2> +<a name="id2543419"></a><h2>MASTERS</h2> <div class="literallayout"><p><br> masters <em class="replaceable"><code>string</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br> ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br> 
@@ -75,7 +75,7 @@ masters <em class="replaceable"><code>string</code></em> [<span class="optional" </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2543462"></a><h2>SERVER</h2> +<a name="id2543465"></a><h2>SERVER</h2> <div class="literallayout"><p><br> server ( <em class="replaceable"><code>ipv4_address[<span class="optional">/prefixlen</span>]</code></em> | <em class="replaceable"><code>ipv6_address[<span class="optional">/prefixlen</span>]</code></em> ) {<br> bogus <em class="replaceable"><code>boolean</code></em>;<br> @@ -97,7 +97,7 @@ server ( <em class="replaceable"><code>ipv4_address[<span class="optional">/pref </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2543530"></a><h2>TRUSTED-KEYS</h2> +<a name="id2543533"></a><h2>TRUSTED-KEYS</h2> <div class="literallayout"><p><br> trusted-keys {<br> <em class="replaceable"><code>domain_name</code></em> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ... <br> @@ -105,7 +105,7 @@ trusted-keys {<br> </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2543556"></a><h2>MANAGED-KEYS</h2> +<a name="id2543559"></a><h2>MANAGED-KEYS</h2> <div class="literallayout"><p><br> managed-keys {<br> <em class="replaceable"><code>domain_name</code></em> <code class="constant">initial-key</code> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ... <br> @@ -113,7 +113,7 @@ managed-keys {<br> </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2543585"></a><h2>CONTROLS</h2> +<a name="id2543588"></a><h2>CONTROLS</h2> <div class="literallayout"><p><br> controls {<br> inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> | * )<br> 
@@ -125,7 +125,7 @@ controls {<br> </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2543620"></a><h2>LOGGING</h2> +<a name="id2543623"></a><h2>LOGGING</h2> <div class="literallayout"><p><br> logging {<br> channel <em class="replaceable"><code>string</code></em> {<br> @@ -143,7 +143,7 @@ logging {<br> </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2543658"></a><h2>LWRES</h2> +<a name="id2543661"></a><h2>LWRES</h2> <div class="literallayout"><p><br> lwres {<br> listen-on [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br> @@ -156,7 +156,7 @@ lwres {<br> </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2543700"></a><h2>OPTIONS</h2> +<a name="id2543703"></a><h2>OPTIONS</h2> <div class="literallayout"><p><br> options {<br> avoid-v4-udp-ports { <em class="replaceable"><code>port</code></em>; ... };<br> @@ -184,7 +184,7 @@ options {<br> random-device <em class="replaceable"><code>quoted_string</code></em>;<br> recursive-clients <em class="replaceable"><code>integer</code></em>;<br> serial-query-rate <em class="replaceable"><code>integer</code></em>;<br> - server-id ( <em class="replaceable"><code>quoted_string</code></em> | none |;<br> + server-id ( <em class="replaceable"><code>quoted_string</code></em> | none );<br> stacksize <em class="replaceable"><code>size</code></em>;<br> statistics-file <em class="replaceable"><code>quoted_string</code></em>;<br> statistics-interval <em class="replaceable"><code>integer</code></em>; // not yet implemented<br> @@ -360,7 +360,7 @@ options {<br> </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2544574"></a><h2>VIEW</h2> +<a name="id2544578"></a><h2>VIEW</h2> <div class="literallayout"><p><br> view <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br> match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br> 
@@ -523,7 +523,7 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2545284"></a><h2>ZONE</h2> +<a name="id2545287"></a><h2>ZONE</h2> <div class="literallayout"><p><br> zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br> type ( master | slave | stub | hint |<br> @@ -618,12 +618,12 @@ zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><c </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2545664"></a><h2>FILES</h2> +<a name="id2545667"></a><h2>FILES</h2> <p><code class="filename">/etc/named.conf</code> </p> </div> <div class="refsect1" lang="en"> -<a name="id2545675"></a><h2>SEE ALSO</h2> +<a name="id2545678"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>, diff --git a/bin/named/query.c b/bin/named/query.c index 9e67f2d2187f..8c589841396b 100644 --- a/bin/named/query.c +++ b/bin/named/query.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -94,6 +94,10 @@ /*% Want DNSSEC? */ #define WANTDNSSEC(c) (((c)->attributes & \ NS_CLIENTATTR_WANTDNSSEC) != 0) +/*% Want WANTAD? */ +#define WANTAD(c) (((c)->attributes & \ + NS_CLIENTATTR_WANTAD) != 0) + /*% No authority? */ #define NOAUTHORITY(c) (((c)->query.attributes & \ NS_QUERYATTR_NOAUTHORITY) != 0) 
@@ -651,7 +655,7 @@ query_validatezonedb(ns_client_t *client, dns_name_t *name,
 dns_dbversion_t **versionp)
 {
 isc_result_t result;
- dns_acl_t *queryacl;
+ dns_acl_t *queryacl, *queryonacl;
 ns_dbversion_t *dbversion;
 REQUIRE(zone != NULL);
@@ -763,6 +767,21 @@ query_validatezonedb(ns_client_t *client, dns_name_t *name,
 client->query.attributes |= NS_QUERYATTR_QUERYOKVALID;
 }
+ /* If and only if we've gotten this far, check allow-query-on too */
+ if (result == ISC_R_SUCCESS) {
+ queryonacl = dns_zone_getqueryonacl(zone);
+ if (queryonacl == NULL)
+ queryonacl = client->view->queryonacl;
+
+ result = ns_client_checkaclsilent(client, NULL,
+ queryonacl, ISC_TRUE);
+ if ((options & DNS_GETDB_NOLOG) == 0 &&
+ result != ISC_R_SUCCESS)
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_QUERY, ISC_LOG_INFO,
+ "query-on denied");
+ }
+
 dbversion->acl_checked = ISC_TRUE;
 if (result != ISC_R_SUCCESS) {
 dbversion->queryok = ISC_FALSE;
@@ -831,12 +850,29 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
 }
 static void
-rpz_log_rewrite(ns_client_t *client, const char *disabled,
+rpz_log_rewrite(ns_client_t *client, isc_boolean_t disabled,
 dns_rpz_policy_t policy, dns_rpz_type_t type,
- dns_name_t *rpz_qname) {
+ dns_zone_t *zone, dns_name_t *rpz_qname)
+{
+ isc_stats_t *zonestats;
 char qname_buf[DNS_NAME_FORMATSIZE];
 char rpz_qname_buf[DNS_NAME_FORMATSIZE];
+ /*
+ * Count enabled rewrites in the global counter.
+ * Count both enabled and disabled rewrites for each zone.
+ */
+ if (!disabled && policy != DNS_RPZ_POLICY_PASSTHRU) {
+ isc_stats_increment(ns_g_server->nsstats,
+ dns_nsstatscounter_rpz_rewrites);
+ }
+ if (zone != NULL) {
+ zonestats = dns_zone_getrequeststats(zone);
+ if (zonestats != NULL)
+ isc_stats_increment(zonestats,
+ dns_nsstatscounter_rpz_rewrites);
+ }
+
 if (!isc_log_wouldlog(ns_g_lctx, DNS_RPZ_INFO_LEVEL))
 return;
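Review bot: When neither the zone nor the view has an allow-query-on ACL, `queryonacl` stays NULL and is handed to `ns_client_checkaclsilent(client, NULL, queryonacl, ISC_TRUE)`, so the outcome rests on that helper treating a NULL ACL as "use the default", which the hunk cannot show; a comment on the call, `/* NULL acl: no allow-query-on configured, default-allow */`, pins the intent. The combined result is then cached through `dbversion->acl_checked`/`queryok`, so a query-on denial is remembered for the rest of the request exactly like an allow-query denial, which keeps the two checks consistent. The top context shows only the tail of the allow-query branch; `options` and `result` are set earlier in query_validatezonedb, outside the hunk.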
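Review bot: The counting comment in rpz_log_rewrite says the global counter takes enabled rewrites and the per-zone counter both enabled and disabled, but the code also excludes `DNS_RPZ_POLICY_PASSTHRU` from the global counter while the per-zone counter includes it; the asymmetry looks deliberate but is undocumented. Suggest `* Count enabled, non-passthru rewrites in the global counter; count every hit (including disabled and passthru) against the policy zone.` The function continues in the next hunk.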
@@ -845,7 +881,7 @@ rpz_log_rewrite(ns_client_t *client, const char *disabled,
 ns_client_log(client, DNS_LOGCATEGORY_RPZ, NS_LOGMODULE_QUERY,
 DNS_RPZ_INFO_LEVEL, "%srpz %s %s rewrite %s via %s",
- disabled,
+ disabled ? "disabled " : "",
 dns_rpz_type2str(type), dns_rpz_policy2str(policy),
 qname_buf, rpz_qname_buf);
 }
@@ -861,6 +897,9 @@ rpz_log_fail(ns_client_t *client, int level,
 if (!isc_log_wouldlog(ns_g_lctx, level))
 return;
+ /*
+ * bin/tests/system/rpz/tests.sh looks for "rpz.*failed".
+ */
 dns_name_format(client->query.qname, namebuf1, sizeof(namebuf1));
 dns_name_format(name, namebuf2, sizeof(namebuf2));
 ns_client_log(client, NS_LOGCATEGORY_QUERY_EERRORS,
@@ -3075,6 +3114,14 @@ query_addbestns(ns_client_t *client) {
 goto cleanup;
 /*
+ * If the answer is secure only add NS records if they are secure * when the client may be looking for AD in the response.
+ */
+ if (SECURE(client) && (WANTDNSSEC(client) || WANTAD(client)) &&
+ ((rdataset->trust != dns_trust_secure) ||
+ (sigrdataset != NULL && sigrdataset->trust != dns_trust_secure)))
+ goto cleanup;
+
+ /*
 * If the client doesn't want DNSSEC we can discard the sigrdataset
 * now.
 */
@@ -4028,6 +4075,8 @@ rpz_rewrite_rrset(ns_client_t *client, dns_rpz_type_t rpz_type,
 rdatasetp, resuming);
 switch (result) {
 case ISC_R_SUCCESS:
+ case DNS_R_GLUE:
+ case DNS_R_ZONECUT:
 result = rpz_rewrite_ip(client, *rdatasetp, rpz_type);
 break;
 case DNS_R_EMPTYNAME:
@@ -4121,6 +4170,8 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
 dns_name_t *found;
 isc_result_t result;
+ REQUIRE(nodep != NULL);
+
 result = rpz_ready(client, zonep, dbp, nodep, rdatasetp);
 if (result != ISC_R_SUCCESS) {
 *policyp = DNS_RPZ_POLICY_ERROR;
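Review bot: The new comment in query_addbestns reads as one run-on sentence and does not say why `WANTAD(client)` is tested alongside `WANTDNSSEC(client)`; suggest `* If the answer is secure and the client may be looking for AD (DO or AD set), only add NS records that are themselves secure, so the AD bit never covers unvalidated data.` The check itself — dropping NS/RRSIG data whose trust is below `dns_trust_secure` from a secure, AD-bearing response — is the right direction. query_addbestns begins and ends outside the hunk.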
@@ -4204,26 +4255,32 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
 result = DNS_R_CNAME;
 }
 break;
+ case DNS_R_NXRRSET:
+ policy = DNS_RPZ_POLICY_NODATA;
+ break;
 case DNS_R_DNAME:
 /*
 * DNAME policy RRs have very few if any uses that are not
 * better served with simple wildcards. Making the work would
 * require complications to get the number of labels matched
 * in the name or the found name to the main DNS_R_DNAME case
- * in query_find(). So fall through to treat them as NODATA.
+ * in query_find().
+ */
+ dns_rdataset_disassociate(*rdatasetp);
+ dns_db_detachnode(*dbp, nodep);
+ /*
+ * Fall through to treat it as a miss.
 */
- case DNS_R_NXRRSET:
- policy = DNS_RPZ_POLICY_NODATA;
- break;
 case DNS_R_NXDOMAIN:
 case DNS_R_EMPTYNAME:
 /*
 * If we don't get a qname hit,
 * see if it is worth looking for other types.
 */
- dns_db_rpz_enabled(*dbp, client->query.rpz_st);
+ (void)dns_db_rpz_enabled(*dbp, client->query.rpz_st);
 dns_db_detach(dbp);
 dns_zone_detach(zonep);
+ result = DNS_R_NXDOMAIN;
 policy = DNS_RPZ_POLICY_MISS;
 break;
 default:
@@ -4231,9 +4288,7 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
 dns_zone_detach(zonep);
 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type, qnamef,
 "", result);
- policy = DNS_RPZ_POLICY_ERROR;
- result = DNS_R_SERVFAIL;
- break;
+ return (DNS_R_SERVFAIL);
 }
 *policyp = policy;
@@ -4299,6 +4354,9 @@ rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
 if (result == ISC_R_SUCCESS)
 break;
 INSIST(result == DNS_R_NAMETOOLONG);
+ /*
+ * Trim the name until it is not too long.
+ */
 labels = dns_name_countlabels(prefix);
 if (labels < 2) {
 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
@@ -4322,7 +4380,6 @@ rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
 rdatasetp, &policy);
 switch (result) {
 case DNS_R_NXDOMAIN:
- case DNS_R_EMPTYNAME:
 break;
 case DNS_R_SERVFAIL:
 rpz_clean(&zone, &db, &node, rdatasetp);
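Review bot: In the `default:` arm, `return (DNS_R_SERVFAIL);` now leaves `*policyp` untouched, whereas the removed lines stored `DNS_RPZ_POLICY_ERROR` before falling out to the common `*policyp = policy;`; a caller that reads its policy variable after a SERVFAIL return sees whatever was there before, so either keep `*policyp = DNS_RPZ_POLICY_ERROR;` ahead of the return or state in rpz_find's header (outside this hunk) that `*policyp` is valid only when the result is not DNS_R_SERVFAIL. The new `DNS_R_DNAME` arm calls `dns_rdataset_disassociate(*rdatasetp)` unconditionally before falling through, which assumes the lookup above the hunk always leaves `*rdatasetp` associated on DNAME; if that is not guaranteed, guard it with `dns_rdataset_isassociated()`. The `case DNS_R_EMPTYNAME:` removal in the last hunk is consistent with this function now reporting `DNS_R_NXDOMAIN` for both.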
@@ -4345,13 +4402,45 @@ rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
 (st->m.type == rpz_type &&
 0 >= dns_name_compare(rpz_qname, st->qname))))
 continue;
-
+#if 0
+ /*
+ * This code would block a customer reported information
+ * leak of rpz rules by rewriting requests in the
+ * rpz-ip, rpz-nsip, rpz-nsdname,and rpz-passthru TLDs.
+ * Without this code, a bad guy could request
+ * 24.0.3.2.10.rpz-ip. to find the policy rule for
+ * 10.2.3.0/14. It is an insignificant leak and this
+ * code is not worth its cost, because the bad guy
+ * could publish "evil.com A 10.2.3.4" and request
+ * evil.com to get the same information.
+ * Keep code with "#if 0" in case customer demand
+ * is irresistible.
+ *
+ * We have the less frequent case of a triggered
+ * policy. Check that we have not trigger on one
+ * of the pretend RPZ TLDs.
+ * This test would make it impossible to rewrite
+ * names in TLDs that start with "rpz-" should
+ * ICANN ever allow such TLDs.
+ */
+ labels = dns_name_countlabels(qname);
+ if (labels >= 2) {
+ dns_label_t label;
+
+ dns_name_getlabel(qname, labels-2, &label);
+ if (label.length >= sizeof(DNS_RPZ_PREFIX)-1 &&
+ strncasecmp((const char *)label.base+1,
+ DNS_RPZ_PREFIX,
+ sizeof(DNS_RPZ_PREFIX)-1) == 0)
+ continue;
+ }
+#endif
 /*
 * Merely log DNS_RPZ_POLICY_DISABLED hits.
 */
 if (rpz->policy == DNS_RPZ_POLICY_DISABLED) {
- rpz_log_rewrite(client, "disabled ",
- policy, rpz_type, rpz_qname);
+ rpz_log_rewrite(client, ISC_TRUE, policy,
+ rpz_type, zone, rpz_qname);
 continue;
 }
@@ -4482,7 +4571,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
 rdataset = NULL;
 if ((st->state & DNS_RPZ_DONE_QNAME) == 0) {
 /*
- * Check rules for the query name if this it the first time
+ * Check rules for the query name if this is the first time
 * for the current qname, i.e. we've not been recursing.
 * There is a first time for each name in a CNAME chain.
 */
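Review bot: The `#if 0` block parks about twenty lines of never-compiled code inside the RPZ matching loop; nothing under `#if 0` is type-checked, so its references to `dns_label_t`, `dns_name_getlabel()` and `DNS_RPZ_PREFIX` will silently rot as those APIs change. The rationale the comment records — an accepted, low-value disclosure of policy rules weighed against never being able to rewrite names under `rpz-` labels — is worth keeping, but as a short comment or in the commit message rather than as dead code; if a switch is genuinely wanted, a named build-time option is clearer than `#if 0`. Minor wording in the same comment: `rpz-nsdname,and` is missing a space and `we have not trigger on` should read `we have not triggered on`. The loop this sits in begins before the hunk.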
@@ -4524,7 +4613,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
 dns_fixedname_init(&nsnamef);
 dns_name_clone(client->query.qname,
 dns_fixedname_name(&nsnamef));
- while (st->r.label > 1) {
+ while (st->r.label > client->view->rpz_min_ns_labels) {
 /*
 * Get NS rrset for each domain in the current qname.
 */
@@ -4655,8 +4744,8 @@ cleanup:
 st->m.policy == DNS_RPZ_POLICY_ERROR) {
 if (st->m.policy == DNS_RPZ_POLICY_PASSTHRU &&
 result != DNS_R_DELEGATION)
- rpz_log_rewrite(client, "", st->m.policy, st->m.type,
- st->qname);
+ rpz_log_rewrite(client, ISC_FALSE, st->m.policy,
+ st->m.type, st->m.zone, st->qname);
 rpz_match_clear(st);
 }
 if (st->m.policy == DNS_RPZ_POLICY_ERROR) {
@@ -4671,7 +4760,7 @@ cleanup:
 }
 /*
- * See if response policy zone rewriting is allowed a lack of interest
+ * See if response policy zone rewriting is allowed by a lack of interest
 * by the client in DNSSEC or a lack of signatures.
 */
 static isc_boolean_t
@@ -4766,7 +4855,8 @@ rpz_add_cname(ns_client_t *client, dns_rpz_st_t *st,
 fname, dns_trust_authanswer, st->m.ttl);
 if (result != ISC_R_SUCCESS)
 return (result);
- rpz_log_rewrite(client, "", st->m.policy, st->m.type, st->qname);
+ rpz_log_rewrite(client, ISC_FALSE, st->m.policy,
+ st->m.type, st->m.zone, st->qname);
 ns_client_qnamereplace(client, fname);
 /*
 * Turn off DNSSEC because the results of a
@@ -5703,9 +5793,10 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
 DNS_MESSAGEFLAG_AD);
 query_putrdataset(client, &sigrdataset);
+ rpz_st->q.is_zone = is_zone;
 is_zone = ISC_TRUE;
- rpz_log_rewrite(client, "", rpz_st->m.policy,
- rpz_st->m.type, rpz_st->qname);
+ rpz_log_rewrite(client, ISC_FALSE, rpz_st->m.policy,
+ rpz_st->m.type, zone, rpz_st->qname);
 }
 }
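Review bot: The query_find call in the last hunk passes the local `zone` to `rpz_log_rewrite()` where every other updated call site in this diff passes the matched policy zone, `st->m.zone`; if `zone` is not the policy zone at this point (the lines that set it are outside the hunk), the per-zone rewrite counter introduced in rpz_log_rewrite() is charged to the wrong zone. Either pass `rpz_st->m.zone` for consistency or add `/* zone is the matched policy zone here */` if that is already guaranteed by the preceding code. The enclosing block of query_find() begins before the hunk.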
@@ -6080,6 +6171,15 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 rdataset = NULL;
 sigrdataset = NULL;
 type = qtype = dns_rdatatype_a;
+ rpz_st = client->query.rpz_st;
+ if (rpz_st != NULL) {
+ /*
+ * Arrange for RPZ rewriting of any A records.
+ */
+ if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
+ is_zone = rpz_st->q.is_zone;
+ rpz_st_clear(client);
+ }
 dns64 = ISC_TRUE;
 goto db_find;
 }
@@ -6108,7 +6208,10 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 * closest provable encloser.
 */
 if (dns_rdataset_isassociated(rdataset) &&
- !dns_name_equal(qname, found)) {
+ !dns_name_equal(qname, found) &&
+ !(ns_g_nonearest &&
+ qtype != dns_rdatatype_ds))
+ {
 unsigned int count;
 unsigned int skip;
@@ -6338,6 +6441,15 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 sigrdataset = NULL;
 fname = NULL;
 type = qtype = dns_rdatatype_a;
+ rpz_st = client->query.rpz_st;
+ if (rpz_st != NULL) {
+ /*
+ * Arrange for RPZ rewriting of any A records.
+ */
+ if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
+ is_zone = rpz_st->q.is_zone;
+ rpz_st_clear(client);
+ }
 dns64 = ISC_TRUE;
 goto db_find;
 }
@@ -6838,6 +6950,15 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 rdataset = NULL;
 sigrdataset = NULL;
 type = qtype = dns_rdatatype_a;
+ rpz_st = client->query.rpz_st;
+ if (rpz_st != NULL) {
+ /*
+ * Arrange for RPZ rewriting of any A records.
+ */
+ if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
+ is_zone = rpz_st->q.is_zone;
+ rpz_st_clear(client);
+ }
 dns64_exclude = dns64 = ISC_TRUE;
 goto db_find;
 }
@@ -7124,7 +7245,6 @@ ns_query_start(ns_client_t *client) {
 dns_rdatatype_t qtype;
 unsigned int saved_extflags = client->extflags;
 unsigned int saved_flags = client->message->flags;
- isc_boolean_t want_ad;
 CTRACE("ns_query_start");
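Review bot: The same nine-line block — fetch `client->query.rpz_st`, restore `is_zone` from `rpz_st->q.is_zone` when `DNS_RPZ_REWRITTEN` is set, then `rpz_st_clear(client)` — is pasted at all three DNS64 retry sites in query_find() (this hunk and the ones at @@ -6338 and @@ -6838 below); a small static helper keeps the three in step the next time the reset logic changes. The helper below assumes `is_zone` is an `isc_boolean_t`, which the diff suggests (`is_zone = ISC_TRUE` in an earlier hunk) but does not show. query_find() begins and ends outside these hunks.

```c
/*
 * Before DNS64 re-runs the lookup for A records, restore is_zone from the
 * RPZ state saved in query_find() and clear that state so the A answer is
 * eligible for RPZ rewriting.
 */
static void
rpz_st_reset_for_dns64(ns_client_t *client, isc_boolean_t *is_zonep) {
	dns_rpz_st_t *rpz_st = client->query.rpz_st;

	if (rpz_st == NULL)
		return;
	if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
		*is_zonep = rpz_st->q.is_zone;
	rpz_st_clear(client);
}

/* … at each of the three DNS64 retry sites in query_find(), in place of the inline block … */
			type = qtype = dns_rdatatype_a;
			rpz_st_reset_for_dns64(client, &is_zone);
			dns64 = ISC_TRUE;
```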
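Review bot: The new `!(ns_g_nonearest && qtype != dns_rdatatype_ds)` term switches off the closest-encloser handling for everything except DS queries on the strength of a process-wide test flag, and nothing at the site says so; because this changes the NSEC3 denial-of-existence proofs the server emits, a comment such as `/* -T nonearest (test only): skip closest-encloser processing except for DS */` belongs on the condition, matching the flag's definition in main.c. The enclosing `if` block continues past the hunk.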
@@ -7286,13 +7406,11 @@ ns_query_start(ns_client_t *client) {
 client->query.attributes &= ~NS_QUERYATTR_SECURE;
 /*
- * Set 'want_ad' if the client has set AD in the query.
+ * Set NS_CLIENTATTR_WANTDNSSEC if the client has set AD in the query.
 * This allows AD to be returned on queries without DO set.
 */
 if ((message->flags & DNS_MESSAGEFLAG_AD) != 0)
- want_ad = ISC_TRUE;
- else
- want_ad = ISC_FALSE;
+ client->attributes |= NS_CLIENTATTR_WANTAD;
 /*
 * This is an ordinary query.
@@ -7317,7 +7435,7 @@ ns_query_start(ns_client_t *client) {
 * Set AD. We must clear it if we add non-validated data to a
 * response.
 */
- if (WANTDNSSEC(client) || want_ad)
+ if (WANTDNSSEC(client) || WANTAD(client))
 message->flags |= DNS_MESSAGEFLAG_AD;
 qclient = NULL;
diff --git a/bin/named/server.c b/bin/named/server.c
index c3eb1ea0ae67..05c68b992ec4 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2003 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@@ -159,7 +159,7 @@
 * a cache. Only effective when a finite max-cache-size is specified.
 * This is currently defined to be 8MB.
 */
-#define MAX_ADB_SIZE_FOR_CACHESHARE 8388608
+#define MAX_ADB_SIZE_FOR_CACHESHARE 8388608U
 struct ns_dispatch {
 isc_sockaddr_t addr;
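Review bot: The rewritten comment says `Set NS_CLIENTATTR_WANTDNSSEC if the client has set AD in the query`, but the line below sets `NS_CLIENTATTR_WANTAD`; it should read `* Set NS_CLIENTATTR_WANTAD if the client has set AD in the query.` More importantly, the old `want_ad` was a local and therefore fresh on every call, whereas the attribute bit persists in `client->attributes`; unless the client's attributes are cleared when the object is reused for its next request (outside this diff), a query with AD=1 leaves WANTAD set for later queries on the same client and the second hunk then sets AD on responses that never asked for it. Confirm the client reset path clears `NS_CLIENTATTR_WANTAD`, or clear it explicitly just before this `if`.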
@@ -242,6 +242,72 @@ static const struct {
 { "31.172.IN-ADDR.ARPA", ISC_TRUE },
 { "168.192.IN-ADDR.ARPA", ISC_TRUE },
+ /* RFC 6598 */
+ { "64.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "65.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "66.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "67.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "68.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "69.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "70.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "71.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "72.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "73.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "74.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "75.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "76.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "77.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "78.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "79.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "80.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "81.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "82.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "83.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "84.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "85.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "86.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "87.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "88.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "89.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "90.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "91.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "92.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "93.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "94.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "95.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "96.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "97.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "98.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "99.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "100.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "101.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "102.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "103.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "104.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "105.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "106.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "107.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "108.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "109.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "110.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "111.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "112.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "113.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "114.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "115.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "116.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "117.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "118.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "119.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "120.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "121.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "122.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "123.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "124.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "125.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "126.100.IN-ADDR.ARPA", ISC_FALSE },
+ { "127.100.IN-ADDR.ARPA", ISC_FALSE },
+ /* RFC 5735 and RFC 5737 */
 { "0.IN-ADDR.ARPA", ISC_FALSE }, /* THIS NETWORK */
 { "127.IN-ADDR.ARPA", ISC_FALSE }, /* LOOPBACK */
@@ -447,7 +513,7 @@ configure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config,
 element = cfg_list_next(element)) {
 nameobj = cfg_listelt_value(element);
 str = cfg_obj_asstring(nameobj);
- isc_buffer_init(&b, str, strlen(str));
+ isc_buffer_constinit(&b, str, strlen(str));
 isc_buffer_add(&b, strlen(str));
 CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
 /*
@@ -564,7 +630,7 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
 keystruct.common.rdtype, &keystruct, &rrdatabuf));
 dns_fixedname_init(&fkeyname);
- isc_buffer_init(&namebuf, keynamestr, strlen(keynamestr));
+ isc_buffer_constinit(&namebuf, keynamestr, strlen(keynamestr));
 isc_buffer_add(&namebuf, strlen(keynamestr));
 CHECK(dns_name_fromtext(keyname, &namebuf, dns_rootname, 0, NULL));
 CHECK(dst_key_fromdns(keyname, viewclass, &rrdatabuf,
@@ -798,7 +864,17 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 */
 obj = NULL;
 (void)ns_config_get(maps, "managed-keys-directory", &obj);
- directory = obj != NULL ? cfg_obj_asstring(obj) : NULL;
+ directory = (obj != NULL ? cfg_obj_asstring(obj) : NULL);
+ if (directory != NULL)
+ result = isc_file_isdirectory(directory);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "invalid managed-keys-directory %s: %s",
+ directory, isc_result_totext(result));
+ goto cleanup;
+
+ }
 CHECK(add_keydata_zone(view, directory, ns_g_mctx));
 cleanup:
@@ -824,7 +900,7 @@ mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver) {
 {
 obj = cfg_listelt_value(element);
 str = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
- isc_buffer_init(&b, str, strlen(str));
+ isc_buffer_constinit(&b, str, strlen(str));
 isc_buffer_add(&b, strlen(str));
 CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
 value = cfg_obj_asboolean(cfg_tuple_get(obj, "value"));
@@ -977,7 +1053,7 @@ configure_order(dns_order_t *order, const cfg_obj_t *ent) {
 else
 str = "*";
 addroot = ISC_TF(strcmp(str, "*") == 0);
- isc_buffer_init(&b, str, strlen(str));
+ isc_buffer_constinit(&b, str, strlen(str));
 isc_buffer_add(&b, strlen(str));
 dns_fixedname_init(&fixed);
 result = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
@@ -1163,7 +1239,7 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
 dns_fixedname_init(&fixed);
 name = dns_fixedname_name(&fixed);
 str = cfg_obj_asstring(cfg_tuple_get(disabled, "name"));
- isc_buffer_init(&b, str, strlen(str));
+ isc_buffer_constinit(&b, str, strlen(str));
 isc_buffer_add(&b, strlen(str));
 CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
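Review bot: When `managed-keys-directory` is not configured, `directory` is NULL and the added code never assigns `result`, so the following `if (result != ISC_R_SUCCESS)` tests whatever `result` held before this hunk (configure_view_dnsseckeys starts outside it); a stale non-success value would log `%s` with a NULL `directory` and skip add_keydata_zone(). Nesting the check under the NULL test removes that dependency: `if (directory != NULL) { result = isc_file_isdirectory(directory); if (result != ISC_R_SUCCESS) { … goto cleanup; } }`. The stray blank line before the closing brace of the error block can go at the same time.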
@@ -1215,7 +1291,7 @@ on_disable_list(const cfg_obj_t *disablelist, dns_name_t *zonename) {
 {
 value = cfg_listelt_value(element);
 str = cfg_obj_asstring(value);
- isc_buffer_init(&b, str, strlen(str));
+ isc_buffer_constinit(&b, str, strlen(str));
 isc_buffer_add(&b, strlen(str));
 result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
@@ -1399,7 +1475,7 @@ dns64_reverse(dns_view_t *view, isc_mem_t *mctx, isc_netaddr_t *na,
 dns64_dbtype[3] = contact;
 dns_fixedname_init(&fixed);
 name = dns_fixedname_name(&fixed);
- isc_buffer_init(&b, reverse, strlen(reverse));
+ isc_buffer_constinit(&b, reverse, strlen(reverse));
 isc_buffer_add(&b, strlen(reverse));
 CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
 CHECK(dns_zone_create(&zone, mctx));
@@ -1430,39 +1506,57 @@ cleanup:
 }
 static isc_result_t
+configure_rpz_name(dns_view_t *view, const cfg_obj_t *obj, dns_name_t *name,
+ const char *str, const char *msg)
+{
+ isc_result_t result;
+
+ result = dns_name_fromstring(name, str, DNS_NAME_DOWNCASE, view->mctx);
+ if (result != ISC_R_SUCCESS)
+ cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+ "invalid %s '%s'", msg, str);
+ return (result);
+}
+
+static isc_result_t
+configure_rpz_name2(dns_view_t *view, const cfg_obj_t *obj, dns_name_t *name,
+ const char *str, const dns_name_t *origin)
+{
+ isc_result_t result;
+
+ result = dns_name_fromstring2(name, str, origin, DNS_NAME_DOWNCASE,
+ view->mctx);
+ if (result != ISC_R_SUCCESS)
+ cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+ "invalid zone '%s'", str);
+ return (result);
+}
+
+static isc_result_t
 configure_rpz(dns_view_t *view, const cfg_listelt_t *element,
 isc_boolean_t recursive_only_def, dns_ttl_t ttl_def)
 {
- const cfg_obj_t *rpz_obj, *policy_obj, *obj;
+ const cfg_obj_t *rpz_obj, *obj;
 const char *str;
 dns_rpz_zone_t *old, *new;
- dns_zone_t *zone = NULL;
 isc_result_t result;
+ rpz_obj = cfg_listelt_value(element);
+
 new = isc_mem_get(view->mctx, sizeof(*new));
 if (new == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup;
+ cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+ "no memory for response policy zones");
+ return (ISC_R_NOMEMORY);
 }
 memset(new, 0, sizeof(*new));
 dns_name_init(&new->origin, NULL);
 dns_name_init(&new->nsdname, NULL);
- dns_name_init(&new->cname, NULL);
 dns_name_init(&new->passthru, NULL);
+ dns_name_init(&new->cname, NULL);
 ISC_LIST_INITANDAPPEND(view->rpz_zones, new, link);
- rpz_obj = cfg_listelt_value(element);
- policy_obj = cfg_tuple_get(rpz_obj, "policy");
- if (cfg_obj_isvoid(policy_obj)) {
- new->policy = DNS_RPZ_POLICY_GIVEN;
- } else {
- str = cfg_obj_asstring(cfg_tuple_get(policy_obj,
- "policy name"));
- new->policy = dns_rpz_str2policy(str);
- INSIST(new->policy != DNS_RPZ_POLICY_ERROR);
- }
-
 obj = cfg_tuple_get(rpz_obj, "recursive-only");
 if (cfg_obj_isvoid(obj)) {
 new->recursive_only = recursive_only_def;
@@ -1480,47 +1574,14 @@ configure_rpz(dns_view_t *view, const cfg_listelt_t *element,
 }
 str = cfg_obj_asstring(cfg_tuple_get(rpz_obj, "zone name"));
- result = dns_name_fromstring(&new->origin, str, DNS_NAME_DOWNCASE,
- view->mctx);
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
- "invalid zone '%s'", str);
- goto cleanup;
- }
-
- result = dns_name_fromstring2(&new->nsdname, DNS_RPZ_NSDNAME_ZONE,
- &new->origin, DNS_NAME_DOWNCASE,
- view->mctx);
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
- "invalid zone '%s'", str);
- goto cleanup;
- }
-
- result = dns_name_fromstring(&new->passthru, DNS_RPZ_PASSTHRU_ZONE,
- DNS_NAME_DOWNCASE, view->mctx);
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
- "invalid zone '%s'", str);
- goto cleanup;
- }
-
- result = dns_view_findzone(view, &new->origin, &zone);
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
- "unknown zone '%s'", str);
- goto cleanup;
- }
- if (dns_zone_gettype(zone) != dns_zone_master &&
- dns_zone_gettype(zone) != dns_zone_slave) {
+ result = configure_rpz_name(view, rpz_obj, &new->origin, str, "zone");
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ if (dns_name_equal(&new->origin, dns_rootname)) {
 cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
- "zone '%s' is neither master nor slave", str);
- dns_zone_detach(&zone);
- result = DNS_R_NOTMASTER;
- goto cleanup;
+ "invalid zone name '%s'", str);
+ return (DNS_R_EMPTYLABEL);
 }
- dns_zone_detach(&zone);
-
 for (old = ISC_LIST_HEAD(view->rpz_zones);
 old != new;
 old = ISC_LIST_NEXT(old, link)) {
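Review bot: The early `return (result)` paths introduced here leave the freshly allocated `new` linked on `view->rpz_zones` before all of its names are set, where the removed `cleanup:` label used to call dns_rpz_view_destroy(view); whether that is safe depends on the caller's cleanup path in configure_view, which lies outside these hunks and is presumably what now tears the list down. A comment on the first early return would save the next reader the same investigation, e.g. `/* new stays on view->rpz_zones; the view's cleanup frees it. */`. The returns added in the hunk at -1529 rely on the same assumption. configure_rpz's body starts in the previous hunk and continues into the next one.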
@@ -1529,26 +1590,37 @@ configure_rpz(dns_view_t *view, const cfg_listelt_t *element,
 cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
 "duplicate '%s'", str);
 result = DNS_R_DUPLICATE;
- goto cleanup;
+ return (result);
 }
 }
- if (new->policy == DNS_RPZ_POLICY_CNAME) {
- str = cfg_obj_asstring(cfg_tuple_get(policy_obj, "cname"));
- result = dns_name_fromstring(&new->cname, str,
- DNS_NAME_DOWNCASE, view->mctx);
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
- "invalid cname '%s'", str);
- goto cleanup;
+ result = configure_rpz_name2(view, rpz_obj, &new->nsdname,
+ DNS_RPZ_NSDNAME_ZONE, &new->origin);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ result = configure_rpz_name(view, rpz_obj, &new->passthru,
+ DNS_RPZ_PASSTHRU_ZONE, "zone");
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ obj = cfg_tuple_get(rpz_obj, "policy");
+ if (cfg_obj_isvoid(obj)) {
+ new->policy = DNS_RPZ_POLICY_GIVEN;
+ } else {
+ str = cfg_obj_asstring(cfg_tuple_get(obj, "policy name"));
+ new->policy = dns_rpz_str2policy(str);
+ INSIST(new->policy != DNS_RPZ_POLICY_ERROR);
+ if (new->policy == DNS_RPZ_POLICY_CNAME) {
+ str = cfg_obj_asstring(cfg_tuple_get(obj, "cname"));
+ result = configure_rpz_name(view, rpz_obj, &new->cname,
+ str, "cname");
+ if (result != ISC_R_SUCCESS)
+ return (result);
 }
 }
 return (ISC_R_SUCCESS);
-
- cleanup:
- dns_rpz_view_destroy(view);
- return (result);
 }
 /*
@@ -1617,6 +1689,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 dns_acl_t *clients = NULL, *mapped = NULL, *excluded = NULL;
 unsigned int query_timeout;
 struct cfg_context *nzctx;
+ dns_rpz_zone_t *rpz;
 REQUIRE(DNS_VIEW_VALID(view));
@@ -1715,6 +1788,53 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 }
 /*
+ * Make the list of response policy zone names for a view that
+ * is used for real lookups and so cares about hints.
+ */
+ obj = NULL;
+ if (view->rdclass == dns_rdataclass_in && need_hints &&
+ ns_config_get(maps, "response-policy", &obj) == ISC_R_SUCCESS) {
+ const cfg_obj_t *rpz_obj;
+ isc_boolean_t recursive_only_def;
+ dns_ttl_t ttl_def;
+
+ rpz_obj = cfg_tuple_get(obj, "recursive-only");
+ if (!cfg_obj_isvoid(rpz_obj) &&
+ !cfg_obj_asboolean(rpz_obj))
+ recursive_only_def = ISC_FALSE;
+ else
+ recursive_only_def = ISC_TRUE;
+
+ rpz_obj = cfg_tuple_get(obj, "break-dnssec");
+ if (!cfg_obj_isvoid(rpz_obj) &&
+ cfg_obj_asboolean(rpz_obj))
+ view->rpz_break_dnssec = ISC_TRUE;
+ else
+ view->rpz_break_dnssec = ISC_FALSE;
+
+ rpz_obj = cfg_tuple_get(obj, "max-policy-ttl");
+ if (cfg_obj_isuint32(rpz_obj))
+ ttl_def = cfg_obj_asuint32(rpz_obj);
+ else
+ ttl_def = DNS_RPZ_MAX_TTL_DEFAULT;
+
+ rpz_obj = cfg_tuple_get(obj, "min-ns-dots");
+ if (cfg_obj_isuint32(rpz_obj))
+ view->rpz_min_ns_labels = cfg_obj_asuint32(rpz_obj) + 1;
+ else
+ view->rpz_min_ns_labels = 2;
+
+ element = cfg_list_first(cfg_tuple_get(obj, "zone list"));
+ while (element != NULL) {
+ result = configure_rpz(view, element,
+ recursive_only_def, ttl_def);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ element = cfg_list_next(element);
+ }
+ }
+
+ /*
 * Configure the zones.
 */
 zonelist = NULL;
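Review bot: The relocated response-policy block no longer calls dns_rpz_set_need(ISC_TRUE) after each successful configure_rpz(), which the copy removed in the hunk at -2886 did on every zone; if that function is retired elsewhere in this change that is fine, otherwise the flag stops being set once the block moves here. A smaller point is `view->rpz_min_ns_labels = cfg_obj_asuint32(rpz_obj) + 1;`, which stores a label count derived from a dot count with no comment and no upper bound; a one-liner such as `/* min-ns-dots is a dot count; keep it as the equivalent label count. */` would explain the +1 to the next reader. configure_view starts and ends outside this hunk.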
@@ -1735,6 +1855,22 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 actx, ISC_FALSE));
 }
+ for (rpz = ISC_LIST_HEAD(view->rpz_zones);
+ rpz != NULL;
+ rpz = ISC_LIST_NEXT(rpz, link))
+ {
+ if (!rpz->defined) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+
+ dns_name_format(&rpz->origin, namebuf, sizeof(namebuf));
+ cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+ "'%s' is not a master or slave zone",
+ namebuf);
+ result = ISC_R_NOTFOUND;
+ goto cleanup;
+ }
+ }
+
 /*
 * If we're allowing added zones, then load zone configuration
 * from the newzone file for zones that were added during previous
@@ -2161,9 +2297,9 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 * MAX_ADB_SIZE_FOR_CACHESHARE when the cache is shared.
 */
 max_adb_size = 0;
- if (max_cache_size != 0) {
+ if (max_cache_size != 0U) {
 max_adb_size = max_cache_size / 8;
- if (max_adb_size == 0)
+ if (max_adb_size == 0U)
 max_adb_size = 1; /* Force minimum. */
 if (view != nsc->primaryview &&
 max_adb_size > MAX_ADB_SIZE_FOR_CACHESHARE) {
@@ -2638,7 +2774,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 obj = cfg_listelt_value(element);
 str = cfg_obj_asstring(cfg_tuple_get(obj, "trust-anchor"));
- isc_buffer_init(&b, str, strlen(str));
+ isc_buffer_constinit(&b, str, strlen(str));
 isc_buffer_add(&b, strlen(str));
 dlv = dns_fixedname_name(&view->dlv_fixed);
 CHECK(dns_name_fromtext(dlv, &b, dns_rootname,
@@ -2691,7 +2827,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 element = cfg_list_next(element)) {
 exclude = cfg_listelt_value(element);
 str = cfg_obj_asstring(exclude);
- isc_buffer_init(&b, str, strlen(str));
+ isc_buffer_constinit(&b, str, strlen(str));
 isc_buffer_add(&b, strlen(str));
 CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
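Review bot: The loop added here reports `'%s' is not a master or slave zone`, but `rpz->defined` is set by configure_zone (hunk at -3409) for any zone whose origin matches, regardless of its type, whereas the code removed in the hunk at -1480 rejected anything other than dns_zone_master or dns_zone_slave with DNS_R_NOTMASTER. Unless dns_zone_rpz_enable(), called in the hunk at -3451 and not shown in this diff, refuses other zone types, a stub or forward zone named in response-policy now passes this check and the message overstates what was verified. Either check dns_zone_gettype() at the point where `defined` is set, or reword the message to say the zone is not configured in this view. The `cfg_obj_log(obj, …)` call also assumes `obj` still holds the response-policy tuple from the hunk at -1715; the zone-configuration code between the two hunks is not visible here, so that is worth a glance too.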
@@ -2745,7 +2881,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 result = ns_config_get(maps, "empty-server", &obj);
 if (result == ISC_R_SUCCESS) {
 str = cfg_obj_asstring(obj);
- isc_buffer_init(&buffer, str, strlen(str));
+ isc_buffer_constinit(&buffer, str, strlen(str));
 isc_buffer_add(&buffer, strlen(str));
 CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0, NULL));
@@ -2760,7 +2896,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 result = ns_config_get(maps, "empty-contact", &obj);
 if (result == ISC_R_SUCCESS) {
 str = cfg_obj_asstring(obj);
- isc_buffer_init(&buffer, str, strlen(str));
+ isc_buffer_constinit(&buffer, str, strlen(str));
 isc_buffer_add(&buffer, strlen(str));
 CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0, NULL));
@@ -2784,7 +2920,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 dns_forwarders_t *forwarders = NULL;
 dns_view_t *pview = NULL;
- isc_buffer_init(&buffer, empty, strlen(empty));
+ isc_buffer_constinit(&buffer, empty, strlen(empty));
 isc_buffer_add(&buffer, strlen(empty));
 /*
 * Look for zone on drop list.
@@ -2800,7 +2936,6 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 */
 (void)dns_view_findzone(view, name, &zone);
 if (zone != NULL) {
- CHECK(setquerystats(zone, mctx, zonestats_on));
 dns_zone_detach(&zone);
 continue;
 }
@@ -2886,49 +3021,6 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 }
 }
- /*
- * Make the list of response policy zone names for views that
- * are used for real lookups and so care about hints.
- */
- obj = NULL;
- if (view->rdclass == dns_rdataclass_in && need_hints &&
- ns_config_get(maps, "response-policy", &obj) == ISC_R_SUCCESS) {
- const cfg_obj_t *recursive_only_obj;
- const cfg_obj_t *break_dnssec_obj, *ttl_obj;
- isc_boolean_t recursive_only_def;
- dns_ttl_t ttl_def;
-
- recursive_only_obj = cfg_tuple_get(obj, "recursive-only");
- if (!cfg_obj_isvoid(recursive_only_obj) &&
- !cfg_obj_asboolean(recursive_only_obj))
- recursive_only_def = ISC_FALSE;
- else
- recursive_only_def = ISC_TRUE;
-
- break_dnssec_obj = cfg_tuple_get(obj, "break-dnssec");
- if (!cfg_obj_isvoid(break_dnssec_obj) &&
- cfg_obj_asboolean(break_dnssec_obj))
- view->rpz_break_dnssec = ISC_TRUE;
- else
- view->rpz_break_dnssec = ISC_FALSE;
-
- ttl_obj = cfg_tuple_get(obj, "max-policy-ttl");
- if (cfg_obj_isuint32(ttl_obj))
- ttl_def = cfg_obj_asuint32(ttl_obj);
- else
- ttl_def = DNS_RPZ_MAX_TTL_DEFAULT;
-
- for (element = cfg_list_first(cfg_tuple_get(obj, "zone list"));
- element != NULL;
- element = cfg_list_next(element)) {
- result = configure_rpz(view, element,
- recursive_only_def, ttl_def);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- dns_rpz_set_need(ISC_TRUE);
- }
- }
-
 result = ISC_R_SUCCESS;
 cleanup:
@@ -3028,7 +3120,7 @@ configure_alternates(const cfg_obj_t *config, dns_view_t *view,
 isc_buffer_t buffer;
 in_port_t myport = port;
- isc_buffer_init(&buffer, str, strlen(str));
+ isc_buffer_constinit(&buffer, str, strlen(str));
 isc_buffer_add(&buffer, strlen(str));
 dns_fixedname_init(&fixed);
 name = dns_fixedname_name(&fixed);
@@ -3280,6 +3372,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 const char *zname;
 dns_rdataclass_t zclass;
 const char *ztypestr;
+ isc_boolean_t is_rpz;
+ dns_rpz_zone_t *rpz;
 options = NULL;
 (void)cfg_map_get(config, "options", &options);
@@ -3290,7 +3384,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 * Get the zone origin as a dns_name_t.
 */
 zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
- isc_buffer_init(&buffer, zname, strlen(zname));
+ isc_buffer_constinit(&buffer, zname, strlen(zname));
 isc_buffer_add(&buffer, strlen(zname));
 dns_fixedname_init(&fixorigin);
 CHECK(dns_name_fromtext(dns_fixedname_name(&fixorigin),
@@ -3409,6 +3503,21 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 INSIST(dupzone == NULL);
 /*
+ * Note whether this is a response policy zone.
+ */
+ is_rpz = ISC_FALSE;
+ for (rpz = ISC_LIST_HEAD(view->rpz_zones);
+ rpz != NULL;
+ rpz = ISC_LIST_NEXT(rpz, link))
+ {
+ if (dns_name_equal(&rpz->origin, origin)) {
+ is_rpz = ISC_TRUE;
+ rpz->defined = ISC_TRUE;
+ break;
+ }
+ }
+
+ /*
 * See if we can reuse an existing zone. This is
 * only possible if all of these are true:
 * - The zone's view exists
@@ -3416,6 +3525,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 * - The zone is compatible with the config
 * options (e.g., an existing master zone cannot
 * be reused if the options specify a slave zone)
+ * - The zone was and is or was not and is not a policy zone
 */
 result = dns_viewlist_find(&ns_g_server->viewlist, view->name,
 view->rdclass,
@@ -3429,6 +3539,9 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 if (zone != NULL && !ns_zone_reusable(zone, zconfig))
 dns_zone_detach(&zone);
+ if (zone != NULL && is_rpz != dns_zone_get_rpz(zone))
+ dns_zone_detach(&zone);
+
 if (zone != NULL) {
 /*
 * We found a reusable zone. Make it use the
@@ -3451,6 +3564,19 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 dns_zone_setstats(zone, ns_g_server->zonestats);
 }
+ if (is_rpz) {
+ result = dns_zone_rpz_enable(zone);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "zone '%s': incompatible"
+ " masterfile-format or database"
+ " for a response policy zone",
+ zname);
+ goto cleanup;
+ }
+ }
+
 /*
 * If the zone contains a 'forwarders' statement, configure
 * selective forwarding.
@@ -4126,7 +4252,7 @@ configure_session_key(const cfg_obj_t **maps, ns_server_t *server,
 INSIST(result == ISC_R_SUCCESS);
 keynamestr = cfg_obj_asstring(obj);
 dns_fixedname_init(&fname);
- isc_buffer_init(&buffer, keynamestr, strlen(keynamestr));
+ isc_buffer_constinit(&buffer, keynamestr, strlen(keynamestr));
 isc_buffer_add(&buffer, strlen(keynamestr));
 keyname = dns_fixedname_name(&fname);
 result = dns_name_fromtext(keyname, &buffer, dns_rootname, 0, NULL);
@@ -5858,6 +5984,7 @@ zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep,
 dns_rdataclass_t rdclass;
 REQUIRE(zonep != NULL && *zonep == NULL);
+ REQUIRE(zonename == NULL || *zonename == NULL);
 input = args;
@@ -5870,7 +5997,7 @@ zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep,
 zonetxt = next_token(&input, " \t");
 if (zonetxt == NULL)
 return (ISC_R_SUCCESS);
- if (zonename)
+ if (zonename != NULL)
 *zonename = zonetxt;
 /* Look for the optional class name. */
@@ -5880,7 +6007,7 @@ zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep,
 viewtxt = next_token(&input, " \t");
 }
- isc_buffer_init(&buf, zonetxt, strlen(zonetxt));
+ isc_buffer_constinit(&buf, zonetxt, strlen(zonetxt));
 isc_buffer_add(&buf, strlen(zonetxt));
 dns_fixedname_init(&name);
 result = dns_name_fromtext(dns_fixedname_name(&name),
@@ -6788,7 +6915,7 @@ ns_server_flushname(ns_server_t *server, char *args) {
 if (target == NULL)
 return (ISC_R_UNEXPECTEDEND);
- isc_buffer_init(&b, target, strlen(target));
+ isc_buffer_constinit(&b, target, strlen(target));
 isc_buffer_add(&b, strlen(target));
 dns_fixedname_init(&fixed);
 name = dns_fixedname_name(&fixed);
@@ -7342,7 +7469,7 @@ ns_server_add_zone(ns_server_t *server, char *args) {
 CHECK(cfg_map_get(config, "addzone", &parms));
 zonename = cfg_obj_asstring(cfg_tuple_get(parms, "name"));
- isc_buffer_init(&buf, zonename, strlen(zonename));
+ isc_buffer_constinit(&buf, zonename, strlen(zonename));
 isc_buffer_add(&buf, strlen(zonename));
 dns_name_init(&dnsname, NULL);
 isc_buffer_allocate(server->mctx, &nbuf, 256);
@@ -7406,7 +7533,8 @@ ns_server_add_zone(ns_server_t *server, char *args) {
 CHECK(isc_stdio_open(view->new_zone_file, "a", &fp));
 /* Mark view unfrozen so that zone can be added */
- isc_task_beginexclusive(server->task);
+ result = isc_task_beginexclusive(server->task);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
 dns_view_thaw(view);
 result = configure_zone(cfg->config, parms, vconfig, server->mctx,
 view, cfg->actx, ISC_FALSE);
@@ -7515,8 +7643,7 @@ ns_server_del_zone(ns_server_t *server, char *args) {
 /* Parse parameters */
 CHECK(zone_from_args(server, args, &zone, &zonename));
- if (result != ISC_R_SUCCESS)
- return (result);
+
 if (zone == NULL) {
 result = ISC_R_UNEXPECTEDEND;
 goto cleanup;
@@ -7531,8 +7658,8 @@ ns_server_del_zone(ns_server_t *server, char *args) {
 goto cleanup;
 }
- if (zonename != NULL)
- znamelen = strlen(zonename);
+ INSIST(zonename != NULL);
+ znamelen = strlen(zonename);
 /* Dig out configuration for this zone */
 view = dns_zone_getview(zone);
diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c
index 6ea0be505191..8d30b452f2bd 100644
--- a/bin/named/statschannel.c
+++ b/bin/named/statschannel.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2008-2013 Internet Systems Consortium, Inc. ("ISC")
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -202,6 +202,8 @@ init_desc(void) {
 SET_NSSTATDESC(updatebadprereq, "updates rejected due to prerequisite failure", "UpdateBadPrereq");
+ SET_NSSTATDESC(rpz_rewrites, "response policy zone rewrites",
+ "RPZRewrites");
 INSIST(i == dns_nsstatscounter_max);
 /* Initialize resolver statistics */
@@ -877,11 +879,11 @@ generatexml(ns_server_t *server, int *buflen, xmlChar **buf) {
 TRY0(xmlTextWriterEndElement(writer)); /* views */
 TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "socketmgr"));
- isc_socketmgr_renderxml(ns_g_socketmgr, writer);
+ TRY0(isc_socketmgr_renderxml(ns_g_socketmgr, writer));
 TRY0(xmlTextWriterEndElement(writer)); /* socketmgr */
 TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "taskmgr"));
- isc_taskmgr_renderxml(ns_g_taskmgr, writer);
+ TRY0(isc_taskmgr_renderxml(ns_g_taskmgr, writer));
 TRY0(xmlTextWriterEndElement(writer)); /* taskmgr */
 TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "server"));
@@ -944,7 +946,7 @@ generatexml(ns_server_t *server, int *buflen, xmlChar **buf) {
 TRY0(xmlTextWriterEndElement(writer)); /* server */
 TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "memory"));
- isc_mem_renderxml(writer);
+ TRY0(isc_mem_renderxml(writer));
 TRY0(xmlTextWriterEndElement(writer)); /* memory */
 TRY0(xmlTextWriterEndElement(writer)); /* statistics */
diff --git a/bin/named/tkeyconf.c b/bin/named/tkeyconf.c
index 6d852a0871c0..e9520592dc5f 100644
--- a/bin/named/tkeyconf.c
+++ b/bin/named/tkeyconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2001 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@@ -73,7 +73,7 @@ ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
 if (result == ISC_R_SUCCESS) {
 s = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
 n = cfg_obj_asuint32(cfg_tuple_get(obj, "keyid"));
- isc_buffer_init(&b, s, strlen(s));
+ isc_buffer_constinit(&b, s, strlen(s));
 isc_buffer_add(&b, strlen(s));
 dns_fixedname_init(&fname);
 name = dns_fixedname_name(&fname);
@@ -87,7 +87,7 @@ ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
 result = cfg_map_get(options, "tkey-domain", &obj);
 if (result == ISC_R_SUCCESS) {
 s = cfg_obj_asstring(obj);
- isc_buffer_init(&b, s, strlen(s));
+ isc_buffer_constinit(&b, s, strlen(s));
 isc_buffer_add(&b, strlen(s));
 dns_fixedname_init(&fname);
 name = dns_fixedname_name(&fname);
@@ -106,7 +106,7 @@ ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
 if (result == ISC_R_SUCCESS) {
 s = cfg_obj_asstring(obj);
- isc_buffer_init(&b, s, strlen(s));
+ isc_buffer_constinit(&b, s, strlen(s));
 isc_buffer_add(&b, strlen(s));
 dns_fixedname_init(&fname);
 name = dns_fixedname_name(&fname);
diff --git a/bin/named/tsigconf.c b/bin/named/tsigconf.c
index 776b1b9f837d..eef87e930438 100644
--- a/bin/named/tsigconf.c
+++ b/bin/named/tsigconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009, 2011 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2001 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@@ -78,7 +78,7 @@ add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring,
 * Create the key name.
 */
 dns_name_init(&keyname, NULL);
- isc_buffer_init(&keynamesrc, keyid, strlen(keyid));
+ isc_buffer_constinit(&keynamesrc, keyid, strlen(keyid));
 isc_buffer_add(&keynamesrc, strlen(keyid));
 isc_buffer_init(&keynamebuf, keynamedata, sizeof(keynamedata));
 ret = dns_name_fromtext(&keyname, &keynamesrc, dns_rootname,
diff --git a/bin/named/unix/dlz_dlopen_driver.c b/bin/named/unix/dlz_dlopen_driver.c
index edd394656d28..98dfc5a75ba1 100644
--- a/bin/named/unix/dlz_dlopen_driver.c
+++ b/bin/named/unix/dlz_dlopen_driver.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -225,7 +225,9 @@ dlopen_dlz_create(const char *dlzname, unsigned int argc, char *argv[],
 return (ISC_R_FAILURE);
 }
- isc_mem_create(0, 0, &mctx);
+ result = isc_mem_create(0, 0, &mctx);
+ if (result != ISC_R_SUCCESS)
+ return (result);
 cd = isc_mem_get(mctx, sizeof(*cd));
 if (cd == NULL) {
@@ -247,7 +249,9 @@ dlopen_dlz_create(const char *dlzname, unsigned int argc, char *argv[],
 }
 /* Initialize the lock */
- isc_mutex_init(&cd->lock);
+ result = isc_mutex_init(&cd->lock);
+ if (result != ISC_R_SUCCESS)
+ goto failed;
 /* Open the library */
 dlopen_flags = RTLD_NOW|RTLD_GLOBAL;
@@ -351,11 +355,11 @@ dlopen_dlz_create(const char *dlzname, unsigned int argc, char *argv[],
 failed:
 dlopen_log(ISC_LOG_ERROR, "dlz_dlopen of '%s' failed", dlzname);
- if (cd->dl_path)
+ if (cd->dl_path != NULL)
 isc_mem_free(mctx, cd->dl_path);
- if (cd->dlzname)
+ if (cd->dlzname != NULL)
 isc_mem_free(mctx, cd->dlzname);
- if (dlopen_flags)
+ if (dlopen_flags != 0)
 (void) isc_mutex_destroy(&cd->lock);
 #ifdef HAVE_DLCLOSE
 if (cd->dl_handle)
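Review bot: The new `goto failed` after isc_mutex_init() in the hunk at -247 is only correct because `dlopen_flags` is still 0 at that point, so the `if (dlopen_flags != 0)` test in the `failed:` block (hunk at -351) skips isc_mutex_destroy() on a lock that was never initialised; nothing at either site says so, and the coupling breaks silently if the flags assignment is ever moved above the lock. A comment at the test makes it explicit: `/* dlopen_flags is set only after cd->lock was initialised. */`, and a dedicated `isc_boolean_t` set right after a successful isc_mutex_init() would be more robust still. The `failed:` path also frees `cd->dl_path` and `cd->dlzname`, which presumes `cd` was zeroed before the first `goto failed`; that allocation code is outside these hunks. dlopen_dlz_create starts and ends outside the hunks shown.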
diff --git a/bin/named/update.c b/bin/named/update.c
index 6fb6a8536721..abf5c08c6d30 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2003 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@@ -3500,7 +3500,8 @@ add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
 ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
 ISC_LIST_APPEND(diff->tuples, tuple, link);
- dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
+ result = dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
 if ((dnskey.flags & (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH)) != DNS_KEYOWNER_ZONE)
diff --git a/bin/named/xfrout.c b/bin/named/xfrout.c
index 6cda6589e1c9..036350009da6 100644
--- a/bin/named/xfrout.c
+++ b/bin/named/xfrout.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2003 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@@ -833,14 +833,6 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
 question_name, question_class);
 is_dlz = ISC_TRUE;
- /*
- * DLZ only support full zone transfer, not incremental
- */
- if (reqtype != dns_rdatatype_axfr) {
- mnemonic = "AXFR-style IXFR";
- reqtype = dns_rdatatype_axfr;
- }
-
 } else {
 /*
 * not DLZ and not in normal zone table, we are
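Review bot: `RUNTIME_CHECK(result == ISC_R_SUCCESS)` after dns_rdata_tostruct() in the update.c hunk turns a DNSKEY that fails to parse into a process abort, which is defensible only because `tuple->rdata` here is, as far as the surrounding context shows, a tuple moved from `temp_diff` that presumably originated in the zone database and was validated on the way in; nothing at the call site records that reasoning, and a reader auditing update.c for assertions reachable from an update message has to reconstruct it. A one-line comment would settle it: `/* rdata came from the database, so a parse failure is an internal error */`. add_signing_records begins and ends outside this hunk.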
@@ -852,12 +844,14 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 } else {
 /* zone table has a match */
 switch(dns_zone_gettype(zone)) {
+ /* Master and slave zones are OK for transfer. */
 case dns_zone_master:
 case dns_zone_slave:
 case dns_zone_dlz:
- break; /* Master and slave zones are OK for transfer. */
+ break;
 default:
- FAILQ(DNS_R_NOTAUTH, "non-authoritative zone", question_name, question_class);
+ FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
+ question_name, question_class);
 }
 CHECK(dns_zone_getdb(zone, &db));
 dns_db_currentversion(db, &ver);
@@ -992,7 +986,7 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 is_poll = ISC_TRUE;
 goto have_stream;
 }
- journalfile = dns_zone_getjournal(zone);
+ journalfile = is_dlz ? NULL : dns_zone_getjournal(zone);
 if (journalfile != NULL)
 result = ixfr_rrstream_create(mctx, journalfile,
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 6eef28ae131f..404c238f02a4 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2003 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@@ -56,6 +56,7 @@ typedef enum {
 allow_notify,
 allow_query,
+ allow_query_on,
 allow_transfer,
 allow_update,
 allow_update_forwarding
@@ -104,6 +105,11 @@ configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
 aclp = &view->queryacl;
 aclname = "allow-query";
 break;
+ case allow_query_on:
+ if (view != NULL)
+ aclp = &view->queryonacl;
+ aclname = "allow-query-on";
+ break;
 case allow_transfer:
 if (view != NULL)
 aclp = &view->transferacl;
@@ -269,7 +275,7 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
 dns_fixedname_init(&fident);
 str = cfg_obj_asstring(identity);
- isc_buffer_init(&b, str, strlen(str));
+ isc_buffer_constinit(&b, str, strlen(str));
 isc_buffer_add(&b, strlen(str));
 result = dns_name_fromtext(dns_fixedname_name(&fident), &b, dns_rootname, 0, NULL);
@@ -292,7 +298,7 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
 }
 } else {
 str = cfg_obj_asstring(dname);
- isc_buffer_init(&b, str, strlen(str));
+ isc_buffer_constinit(&b, str, strlen(str));
 isc_buffer_add(&b, strlen(str));
 result = dns_name_fromtext(dns_fixedname_name(&fname), &b, dns_rootname, 0, NULL);
@@ -525,7 +531,7 @@ configure_staticstub_servernames(const cfg_obj_t *zconfig, dns_zone_t *zone,
 dns_fixedname_init(&fixed_name);
 nsname = dns_fixedname_name(&fixed_name);
- isc_buffer_init(&b, str, strlen(str));
+ isc_buffer_constinit(&b, str, strlen(str));
 isc_buffer_add(&b, strlen(str));
 result = dns_name_fromtext(nsname, &b, dns_rootname, 0, NULL);
 if (result != ISC_R_SUCCESS) {
@@ -934,6 +940,11 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 dns_zone_setqueryacl,
 dns_zone_clearqueryacl));
+ RETERR(configure_zone_acl(zconfig, vconfig, config,
+ allow_query_on, ac, zone,
+ dns_zone_setqueryonacl,
+ dns_zone_clearqueryonacl));
+
 obj = NULL;
 result = ns_config_get(maps, "dialup", &obj);
 INSIST(result == ISC_R_SUCCESS && obj != NULL);
@@ -1112,6 +1123,17 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 cfg_obj_asboolean(obj));
 obj = NULL;
+ result = ns_config_get(maps, "check-spf", &obj);
+ INSIST(result == ISC_R_SUCCESS && obj != NULL);
+ if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+ check = ISC_TRUE;
+ } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+ check = ISC_FALSE;
+ } else
+ INSIST(0);
+ dns_zone_setoption(zone, DNS_ZONEOPT_CHECKSPF, check);
+
+ obj = NULL;
 result = ns_config_get(maps, "zero-no-soa-ttl", &obj);
 INSIST(result == ISC_R_SUCCESS && obj != NULL);
 dns_zone_setzeronosoattl(zone, cfg_obj_asboolean(obj));
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 1f5e3e96c9ef..e11f080c01f6 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2000-2003 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@@ -930,7 +930,7 @@ get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
 INSIST(count == 1);
 }
-#define PARSE_ARGS_FMT "dDML:y:ghlovk:p:rR::t:u:"
+#define PARSE_ARGS_FMT "dDML:y:ghlovk:p:r:R::t:u:"
 static void
 pre_parse_args(int argc, char **argv) {
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
index 5811cfa141fa..e4ce5563cc3c 100644
--- a/bin/rndc/rndc.c
+++ b/bin/rndc/rndc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2000-2003 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@@ -771,6 +771,7 @@ main(int argc, char **argv) {
 program, isc_commandline_option);
 usage(1);
 }
+ /* FALLTHROUGH */
 case 'h':
 usage(0);
 break;
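Review bot: `} else INSIST(0);` in the new check-spf block aborts named on any value other than "warn" or "ignore"; that is only acceptable if the config grammar limits check-spf to those two keywords, which the hunk cannot show, and a value that slips through would surface as a startup crash instead of a reported configuration error. Confirm the grammar entry, or turn the fallthrough into a logged failure. The unbraced else also departs from the braced branches above it in the same chain; `} else {` / `INSIST(0);` / `}` keeps the chain uniform. ns_zone_configure() begins and ends outside the hunk.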
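Review bot: Changing `r` to `r:` in PARSE_ARGS_FMT makes -r consume the next argv element as its value, so the `case 'r':` handler and the usage() text, both outside this hunk, must read isc_commandline_argument and document the new argument; an invocation that used to pass a bare -r would otherwise swallow whatever argument follows it. A short comment above the macro naming which options take a value, or at least `/* -r takes an argument */`, would save the next reader from decoding the option string.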
diff --git a/bin/tools/genrandom.c b/bin/tools/genrandom.c
index 675e5043d601..0d7eb726d6de 100644
--- a/bin/tools/genrandom.c
+++ b/bin/tools/genrandom.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2000-2003 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@@ -93,6 +93,7 @@ main(int argc, char **argv) {
 if (isc_commandline_option != '?')
 fprintf(stderr, "%s: invalid argument -%c\n", program, isc_commandline_option);
+ /* FALLTHROUGH */
 case 'h':
 usage();
diff --git a/bin/tools/isc-hmac-fixup.8 b/bin/tools/isc-hmac-fixup.8
index c02ed03f4fb0..6364e54d94b8 100644
--- a/bin/tools/isc-hmac-fixup.8
+++ b/bin/tools/isc-hmac-fixup.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2010, 2013 Internet Systems Consortium, Inc. ("ISC")
 .\"
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -23,7 +23,7 @@
 .\" Manual: BIND9
 .\" Source: BIND9
 .\"
-.TH "ISC\-HMAC\-FIXUP" "1" "January 5, 2010" "BIND9" "BIND9"
+.TH "ISC\-HMAC\-FIXUP" "8" "January 5, 2010" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
@@ -57,5 +57,5 @@ RFC 2104.
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2010 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2010, 2013 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bin/tools/isc-hmac-fixup.docbook b/bin/tools/isc-hmac-fixup.docbook
index c298a85861d7..cc72373352c4 100644
--- a/bin/tools/isc-hmac-fixup.docbook
+++ b/bin/tools/isc-hmac-fixup.docbook
@@ -2,7 +2,7 @@
 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 [<!ENTITY mdash "—">]>
 <!--
- - Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2010, 2013 Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
@@ -25,7 +25,7 @@
 <refmeta>
 <refentrytitle><application>isc-hmac-fixup</application></refentrytitle>
- <manvolnum>1</manvolnum>
+ <manvolnum>8</manvolnum>
 <refmiscinfo>BIND9</refmiscinfo>
 </refmeta>
@@ -37,6 +37,7 @@
 <docinfo>
 <copyright>
 <year>2010</year>
+ <year>2013</year>
 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
 </copyright>
 </docinfo>
diff --git a/bin/tools/isc-hmac-fixup.html b/bin/tools/isc-hmac-fixup.html
index d39ebf0fa166..f5ab4b5a2054 100644
--- a/bin/tools/isc-hmac-fixup.html
+++ b/bin/tools/isc-hmac-fixup.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2010, 2013 Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
@@ -31,7 +31,7 @@
 <div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code> {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543352"></a><h2>DESCRIPTION</h2>
+<a name="id2543355"></a><h2>DESCRIPTION</h2>
 <p>
 Versions of BIND 9 up to and including BIND 9.6 had a bug causing HMAC-SHA* TSIG keys which were longer than the digest length of the
@@ -57,7 +57,7 @@
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543376"></a><h2>SECURITY CONSIDERATIONS</h2>
+<a name="id2543379"></a><h2>SECURITY CONSIDERATIONS</h2>
 <p>
 Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span> are shortened, but as this is how the HMAC protocol works in
@@ -68,14 +68,14 @@
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543389"></a><h2>SEE ALSO</h2>
+<a name="id2543393"></a><h2>SEE ALSO</h2>
 <p>
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
 <em class="citetitle">RFC 2104</em>.
 </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543406"></a><h2>AUTHOR</h2>
+<a name="id2543410"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
 </p>
 </div>