Diffstat (limited to 'contrib/bind9/bin/confgen')
-rw-r--r-- | contrib/bind9/bin/confgen/Makefile.in | 101 | ||||
-rw-r--r-- | contrib/bind9/bin/confgen/ddns-confgen.8 | 143 | ||||
-rw-r--r-- | contrib/bind9/bin/confgen/ddns-confgen.c | 257 | ||||
-rw-r--r-- | contrib/bind9/bin/confgen/ddns-confgen.docbook | 218 | ||||
-rw-r--r-- | contrib/bind9/bin/confgen/ddns-confgen.html | 141 | ||||
-rw-r--r-- | contrib/bind9/bin/confgen/include/confgen/os.h | 39 | ||||
-rw-r--r-- | contrib/bind9/bin/confgen/keygen.c | 218 | ||||
-rw-r--r-- | contrib/bind9/bin/confgen/keygen.h | 41 | ||||
-rw-r--r-- | contrib/bind9/bin/confgen/rndc-confgen.8 | 211 | ||||
-rw-r--r-- | contrib/bind9/bin/confgen/rndc-confgen.c | 270 | ||||
-rw-r--r-- | contrib/bind9/bin/confgen/rndc-confgen.docbook | 287 | ||||
-rw-r--r-- | contrib/bind9/bin/confgen/rndc-confgen.html | 188 | ||||
-rw-r--r-- | contrib/bind9/bin/confgen/unix/Makefile.in | 35 | ||||
-rw-r--r-- | contrib/bind9/bin/confgen/unix/os.c | 43 | ||||
-rw-r--r-- | contrib/bind9/bin/confgen/util.c | 56 | ||||
-rw-r--r-- | contrib/bind9/bin/confgen/util.h | 52 |
16 files changed, 2300 insertions, 0 deletions
diff --git a/contrib/bind9/bin/confgen/Makefile.in b/contrib/bind9/bin/confgen/Makefile.in
new file mode 100644
index 000000000000..da3587982cd3
--- /dev/null
+++ b/contrib/bind9/bin/confgen/Makefile.in
@@ -0,0 +1,101 @@ +# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: Makefile.in,v 1.8 2009-12-05 23:31:40 each Exp $ + +srcdir = @srcdir@ +VPATH = @srcdir@ +top_srcdir = @top_srcdir@ + +@BIND9_VERSION@ + +@BIND9_MAKE_INCLUDES@ + +CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \ + ${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} + +CDEFINES = +CWARNINGS = + +ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ +ISCCCLIBS = ../../lib/isccc/libisccc.@A@ +ISCLIBS = ../../lib/isc/libisc.@A@ +ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ +DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ +BIND9LIBS = ../../lib/bind9/libbind9.@A@ + +ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@ +ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@ +ISCDEPLIBS = ../../lib/isc/libisc.@A@ +DNSDEPLIBS = ../../lib/dns/libdns.@A@ +BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@ + +RNDCLIBS = ${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@ +RNDCDEPLIBS = ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS} + +LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@ + +NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@ + +CONFDEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS} + +SRCS= rndc-confgen.c ddns-confgen.c + +SUBDIRS = unix + +TARGETS = 
rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ + +MANPAGES = rndc-confgen.8 ddns-confgen.8 + +HTMLPAGES = rndc-confgen.html ddns-confgen.html + +MANOBJS = ${MANPAGES} ${HTMLPAGES} + +UOBJS = unix/os.@O@ + +@BIND9_MAKE_RULES@ + +rndc-confgen.@O@: rndc-confgen.c + ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ + -DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \ + -c ${srcdir}/rndc-confgen.c + +ddns-confgen.@O@: ddns-confgen.c + ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${srcdir}/ddns-confgen.c + +rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS} + export BASEOBJS="rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \ + ${FINALBUILDCMD} + +ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS} + export BASEOBJS="ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \ + ${FINALBUILDCMD} + +doc man:: ${MANOBJS} + +docclean manclean maintainer-clean:: + rm -f ${MANOBJS} + +installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 + +install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ddns-confgen@EXEEXT@ ${DESTDIR}${sbindir} + ${INSTALL_DATA} ${srcdir}/rndc-confgen.8 ${DESTDIR}${mandir}/man8 + ${INSTALL_DATA} ${srcdir}/ddns-confgen.8 ${DESTDIR}${mandir}/man8 + +clean distclean maintainer-clean:: + rm -f ${TARGETS} diff --git a/contrib/bind9/bin/confgen/ddns-confgen.8 b/contrib/bind9/bin/confgen/ddns-confgen.8 new file mode 100644 index 000000000000..d69af398e614 --- /dev/null +++ b/contrib/bind9/bin/confgen/ddns-confgen.8 
@@ -0,0 +1,143 @@ +.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") +.\" +.\" Permission to use, copy, modify, and/or distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +.\" PERFORMANCE OF THIS SOFTWARE. +.\" +.\" $Id: ddns-confgen.8,v 1.10 2009-09-19 01:14:52 tbox Exp $ +.\" +.hy 0 +.ad l +.\" Title: ddns\-confgen +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> +.\" Date: Jan 29, 2009 +.\" Manual: BIND9 +.\" Source: BIND9 +.\" +.TH "DDNS\-CONFGEN" "8" "Jan 29, 2009" "BIND9" "BIND9" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +ddns\-confgen \- ddns key generation tool +.SH "SYNOPSIS" +.HP 13 +\fBddns\-confgen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\-s\ \fIname\fR | \-z\ \fIzone\fR] [\fB\-q\fR] [name] +.SH "DESCRIPTION" +.PP +\fBddns\-confgen\fR +generates a key for use by +\fBnsupdate\fR +and +\fBnamed\fR. It simplifies configuration of dynamic zones by generating a key and providing the +\fBnsupdate\fR +and +\fBnamed.conf\fR +syntax that will be needed to use it, including an example +\fBupdate\-policy\fR +statement. +.PP +If a domain name is specified on the command line, it will be used in the name of the generated key and in the sample +\fBnamed.conf\fR +syntax. 
For example, +\fBddns\-confgen example.com\fR +would generate a key called "ddns\-key.example.com", and sample +\fBnamed.conf\fR +command that could be used in the zone definition for "example.com". +.PP +Note that +\fBnamed\fR +itself can configure a local DDNS key for use with +\fBnsupdate \-l\fR. +\fBddns\-confgen\fR +is only needed when a more elaborate configuration is required: for instance, if +\fBnsupdate\fR +is to be used from a remote system. +.SH "OPTIONS" +.PP +\-a \fIalgorithm\fR +.RS 4 +Specifies the algorithm to use for the TSIG key. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512. The default is hmac\-sha256. +.RE +.PP +\-h +.RS 4 +Prints a short summary of the options and arguments to +\fBddns\-confgen\fR. +.RE +.PP +\-k \fIkeyname\fR +.RS 4 +Specifies the key name of the DDNS authentication key. The default is +\fBddns\-key\fR +when neither the +\fB\-s\fR +nor +\fB\-z\fR +option is specified; otherwise, the default is +\fBddns\-key\fR +as a separate label followed by the argument of the option, e.g., +\fBddns\-key.example.com.\fR +The key name must have the format of a valid domain name, consisting of letters, digits, hyphens and periods. +.RE +.PP +\-q +.RS 4 +Quiet mode: Print only the key, with no explanatory text or usage examples. +.RE +.PP +\-r \fIrandomfile\fR +.RS 4 +Specifies a source of random data for generating the authorization. If the operating system does not provide a +\fI/dev/random\fR +or equivalent device, the default source of randomness is keyboard input. +\fIrandomdev\fR +specifies the name of a character device or file containing random data to be used instead of the default. The special value +\fIkeyboard\fR +indicates that keyboard input should be used. +.RE +.PP +\-s \fIname\fR +.RS 4 +Single host mode: The example +\fBnamed.conf\fR +text shows how to set an update policy for the specified +\fIname\fR +using the "name" nametype. 
The default key name is ddns\-key.\fIname\fR. Note that the "self" nametype cannot be used, since the name to be updated may differ from the key name. This option cannot be used with the +\fB\-z\fR +option. +.RE +.PP +\-z \fIzone\fR +.RS 4 +zone mode: The example +\fBnamed.conf\fR +text shows how to set an update policy for the specified +\fIzone\fR +using the "zonesub" nametype, allowing updates to all subdomain names within that +\fIzone\fR. This option cannot be used with the +\fB\-s\fR +option. +.RE +.SH "SEE ALSO" +.PP +\fBnsupdate\fR(1), +\fBnamed.conf\fR(5), +\fBnamed\fR(8), +BIND 9 Administrator Reference Manual. +.SH "AUTHOR" +.PP +Internet Systems Consortium +.SH "COPYRIGHT" +Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC") +.br diff --git a/contrib/bind9/bin/confgen/ddns-confgen.c b/contrib/bind9/bin/confgen/ddns-confgen.c new file mode 100644 index 000000000000..814a5657bb4d --- /dev/null +++ b/contrib/bind9/bin/confgen/ddns-confgen.c 
@@ -0,0 +1,257 @@ +/* + * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: ddns-confgen.c,v 1.9 2009-09-29 15:06:05 fdupont Exp $ */ + +/*! \file */ + +/** + * ddns-confgen generates configuration files for dynamic DNS. It can + * be used as a convenient alternative to writing the ddns.key file + * and the corresponding key and update-policy statements in named.conf. 
+ */ + +#include <config.h> + +#include <stdlib.h> +#include <stdarg.h> + +#include <isc/assertions.h> +#include <isc/base64.h> +#include <isc/buffer.h> +#include <isc/commandline.h> +#include <isc/entropy.h> +#include <isc/file.h> +#include <isc/keyboard.h> +#include <isc/mem.h> +#include <isc/net.h> +#include <isc/print.h> +#include <isc/result.h> +#include <isc/string.h> +#include <isc/time.h> +#include <isc/util.h> + +#include <dns/keyvalues.h> +#include <dns/name.h> + +#include <dst/dst.h> +#include <confgen/os.h> + +#include "util.h" +#include "keygen.h" + +#define DEFAULT_KEYNAME "ddns-key" + +static char program[256]; +const char *progname; + +isc_boolean_t verbose = ISC_FALSE; + +ISC_PLATFORM_NORETURN_PRE static void +usage(int status) ISC_PLATFORM_NORETURN_POST; + +static void +usage(int status) { + + fprintf(stderr, "\ +Usage:\n\ + %s [-a alg] [-k keyname] [-r randomfile] [-q] [-s name | -z zone]\n\ + -a alg: algorithm (default hmac-sha256)\n\ + -k keyname: name of the key as it will be used in named.conf\n\ + -r randomfile: source of random data (use \"keyboard\" for key timing)\n\ + -s name: domain name to be updated using the created key\n\ + -z zone: name of the zone as it will be used in named.conf\n\ + -q: quiet mode: print the key, with no explanatory text\n", + progname); + + exit (status); +} + +int +main(int argc, char **argv) { + isc_boolean_t show_final_mem = ISC_FALSE; + isc_boolean_t quiet = ISC_FALSE; + isc_buffer_t key_txtbuffer; + char key_txtsecret[256]; + isc_mem_t *mctx = NULL; + isc_result_t result = ISC_R_SUCCESS; + const char *randomfile = NULL; + const char *keyname = NULL; + const char *zone = NULL; + const char *self_domain = NULL; + char *keybuf = NULL; + dns_secalg_t alg = DST_ALG_HMACSHA256; + const char *algname = alg_totext(alg); + int keysize = 256; + int len = 0; + int ch; + + result = isc_file_progname(*argv, program, sizeof(program)); + if (result != ISC_R_SUCCESS) + memcpy(program, "ddns-confgen", 13); + progname = 
program; + + isc_commandline_errprint = ISC_FALSE; + + while ((ch = isc_commandline_parse(argc, argv, + "a:hk:Mmr:qs:Vy:z:")) != -1) { + switch (ch) { + case 'a': + algname = isc_commandline_argument; + alg = alg_fromtext(algname); + if (alg == DST_ALG_UNKNOWN) + fatal("Unsupported algorithm '%s'", algname); + keysize = alg_bits(alg); + break; + case 'h': + usage(0); + case 'k': + case 'y': + keyname = isc_commandline_argument; + break; + case 'M': + isc_mem_debugging = ISC_MEM_DEBUGTRACE; + break; + case 'm': + show_final_mem = ISC_TRUE; + break; + case 'q': + quiet = ISC_TRUE; + break; + case 'r': + randomfile = isc_commandline_argument; + break; + case 's': + self_domain = isc_commandline_argument; + break; + case 'V': + verbose = ISC_TRUE; + break; + case 'z': + zone = isc_commandline_argument; + break; + case '?': + if (isc_commandline_option != '?') { + fprintf(stderr, "%s: invalid argument -%c\n", + program, isc_commandline_option); + usage(1); + } else + usage(0); + break; + default: + fprintf(stderr, "%s: unhandled option -%c\n", + program, isc_commandline_option); + exit(1); + } + } + + argc -= isc_commandline_index; + argv += isc_commandline_index; + + if (self_domain != NULL && zone != NULL) + usage(1); /* -s and -z cannot coexist */ + + if (argc > 0) + usage(1); + + DO("create memory context", isc_mem_create(0, 0, &mctx)); + + if (keyname == NULL) { + const char *suffix = NULL; + + keyname = DEFAULT_KEYNAME; + if (self_domain != NULL) + suffix = self_domain; + else if (zone != NULL) + suffix = zone; + if (suffix != NULL) { + len = strlen(keyname) + strlen(suffix) + 2; + keybuf = isc_mem_get(mctx, len); + if (keybuf == NULL) + fatal("failed to allocate memory for keyname"); + snprintf(keybuf, len, "%s.%s", keyname, suffix); + keyname = (const char *) keybuf; + } + } + + isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret)); + + generate_key(mctx, randomfile, alg, keysize, &key_txtbuffer); + + + if (!quiet) + printf("\ +# To activate 
this key, place the following in named.conf, and\n\ +# in a separate keyfile on the system or systems from which nsupdate\n\ +# will be run:\n"); + + printf("\ +key \"%s\" {\n\ + algorithm %s;\n\ + secret \"%.*s\";\n\ +};\n", + keyname, algname, + (int)isc_buffer_usedlength(&key_txtbuffer), + (char *)isc_buffer_base(&key_txtbuffer)); + + if (!quiet) { + if (self_domain != NULL) { + printf("\n\ +# Then, in the \"zone\" statement for the zone containing the\n\ +# name \"%s\", place an \"update-policy\" statement\n\ +# like this one, adjusted as needed for your preferred permissions:\n\ +update-policy {\n\ + grant %s name %s ANY;\n\ +};\n", + self_domain, keyname, self_domain); + } else if (zone != NULL) { + printf("\n\ +# Then, in the \"zone\" definition statement for \"%s\",\n\ +# place an \"update-policy\" statement like this one, adjusted as \n\ +# needed for your preferred permissions:\n\ +update-policy {\n\ + grant %s zonesub ANY;\n\ +};\n", + zone, keyname); + } else { + printf("\n\ +# Then, in the \"zone\" statement for each zone you wish to dynamically\n\ +# update, place an \"update-policy\" statement granting update permission\n\ +# to this key. For example, the following statement grants this key\n\ +# permission to update any name within the zone:\n\ +update-policy {\n\ + grant %s zonesub ANY;\n\ +};\n", + keyname); + } + + printf("\n\ +# After the keyfile has been placed, the following command will\n\ +# execute nsupdate using this key:\n\ +nsupdate -k <keyfile>\n"); + + } + + if (keybuf != NULL) + isc_mem_put(mctx, keybuf, len); + + if (show_final_mem) + isc_mem_stats(mctx, stderr); + + isc_mem_destroy(&mctx); + + return (0); +} diff --git a/contrib/bind9/bin/confgen/ddns-confgen.docbook b/contrib/bind9/bin/confgen/ddns-confgen.docbook new file mode 100644 index 000000000000..2b3e1c0556a5 --- /dev/null +++ b/contrib/bind9/bin/confgen/ddns-confgen.docbook 
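Review bot: In the `case 'a'` branch, `alg_fromtext()` accepts all six HMAC names that the usage text and man page advertise, but `generate_key()` in keygen.c from this same commit only passes its keysize check for DST_ALG_HMACMD5 and DST_ALG_HMACSHA256 and calls `fatal("unsupported algorithm %d\n", alg)` for anything else, so `-a hmac-sha1`, `-a hmac-sha224`, `-a hmac-sha384` and `-a hmac-sha512` die after option parsing with a bare numeric algorithm id instead of the name the user typed. Either extend the switch in generate_key with the remaining algorithms and their alg_bits() upper bounds (160/224/384/512), or reject them here with `fatal("Unsupported algorithm '%s'", algname);` and trim the documented list to match. Separately, `keyname` from `-k`/`-y` is emitted verbatim inside `key "%s" {` with no check for the "valid domain name" format the man page promises, so a name containing a double quote, whitespace or `;` produces a named.conf fragment that will not parse; a round-trip through dns_name_fromtext() (dns/name.h is already included) before printing would enforce the documented letters/digits/hyphens/periods rule.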
@@ -0,0 +1,218 @@ +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" + [<!ENTITY mdash "—">]> +<!-- + - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") + - + - Permission to use, copy, modify, and/or distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> + +<!-- $Id: ddns-confgen.docbook,v 1.6 2009-09-18 22:08:55 fdupont Exp $ --> +<refentry id="man.ddns-confgen"> + <refentryinfo> + <date>Jan 29, 2009</date> + </refentryinfo> + + <refmeta> + <refentrytitle><application>ddns-confgen</application></refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo>BIND9</refmiscinfo> + </refmeta> + + <refnamediv> + <refname><application>ddns-confgen</application></refname> + <refpurpose>ddns key generation tool</refpurpose> + </refnamediv> + + <docinfo> + <copyright> + <year>2009</year> + <holder>Internet Systems Consortium, Inc. 
("ISC")</holder> + </copyright> + </docinfo> + + <refsynopsisdiv> + <cmdsynopsis> + <command>ddns-confgen</command> + <arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg> + <arg><option>-h</option></arg> + <arg><option>-k <replaceable class="parameter">keyname</replaceable></option></arg> + <arg><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg> + <group> + <arg choice="plain">-s <replaceable class="parameter">name</replaceable></arg> + <arg choice="plain">-z <replaceable class="parameter">zone</replaceable></arg> + </group> + <arg><option>-q</option></arg> + <arg choice="opt">name</arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1> + <title>DESCRIPTION</title> + <para><command>ddns-confgen</command> + generates a key for use by <command>nsupdate</command> + and <command>named</command>. It simplifies configuration + of dynamic zones by generating a key and providing the + <command>nsupdate</command> and <command>named.conf</command> + syntax that will be needed to use it, including an example + <command>update-policy</command> statement. + </para> + + <para> + If a domain name is specified on the command line, it will + be used in the name of the generated key and in the sample + <command>named.conf</command> syntax. For example, + <command>ddns-confgen example.com</command> would + generate a key called "ddns-key.example.com", and sample + <command>named.conf</command> command that could be used + in the zone definition for "example.com". + </para> + + <para> + Note that <command>named</command> itself can configure a + local DDNS key for use with <command>nsupdate -l</command>. + <command>ddns-confgen</command> is only needed when a + more elaborate configuration is required: for instance, if + <command>nsupdate</command> is to be used from a remote system. 
+ </para> + </refsect1> + + <refsect1> + <title>OPTIONS</title> + + <variablelist> + <varlistentry> + <term>-a <replaceable class="parameter">algorithm</replaceable></term> + <listitem> + <para> + Specifies the algorithm to use for the TSIG key. Available + choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, + hmac-sha384 and hmac-sha512. The default is hmac-sha256. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-h</term> + <listitem> + <para> + Prints a short summary of the options and arguments to + <command>ddns-confgen</command>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-k <replaceable class="parameter">keyname</replaceable></term> + <listitem> + <para> + Specifies the key name of the DDNS authentication key. + The default is <constant>ddns-key</constant> when neither + the <option>-s</option> nor <option>-z</option> option is + specified; otherwise, the default + is <constant>ddns-key</constant> as a separate label + followed by the argument of the option, e.g., + <constant>ddns-key.example.com.</constant> + The key name must have the format of a valid domain name, + consisting of letters, digits, hyphens and periods. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-q</term> + <listitem> + <para> + Quiet mode: Print only the key, with no explanatory text or + usage examples. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-r <replaceable class="parameter">randomfile</replaceable></term> + <listitem> + <para> + Specifies a source of random data for generating the + authorization. If the operating system does not provide a + <filename>/dev/random</filename> or equivalent device, the + default source of randomness is keyboard input. + <filename>randomdev</filename> specifies the name of a + character device or file containing random data to be used + instead of the default. 
The special value + <filename>keyboard</filename> indicates that keyboard input + should be used. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-s <replaceable class="parameter">name</replaceable></term> + <listitem> + <para> + Single host mode: The example <command>named.conf</command> text + shows how to set an update policy for the specified + <replaceable class="parameter">name</replaceable> + using the "name" nametype. + The default key name is + ddns-key.<replaceable class="parameter">name</replaceable>. + Note that the "self" nametype cannot be used, since + the name to be updated may differ from the key name. + This option cannot be used with the <option>-z</option> option. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-z <replaceable class="parameter">zone</replaceable></term> + <listitem> + <para> + zone mode: The example <command>named.conf</command> text + shows how to set an update policy for the specified + <replaceable class="parameter">zone</replaceable> + using the "zonesub" nametype, allowing updates to all subdomain + names within + that <replaceable class="parameter">zone</replaceable>. + This option cannot be used with the <option>-s</option> option. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1> + <title>SEE ALSO</title> + <para><citerefentry> + <refentrytitle>nsupdate</refentrytitle><manvolnum>1</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citetitle>BIND 9 Administrator Reference Manual</citetitle>. + </para> + </refsect1> + + <refsect1> + <title>AUTHOR</title> + <para><corpauthor>Internet Systems Consortium</corpauthor> + </para> + </refsect1> + +</refentry><!-- + - Local variables: + - mode: sgml + - End: +--> 
diff --git a/contrib/bind9/bin/confgen/ddns-confgen.html b/contrib/bind9/bin/confgen/ddns-confgen.html
new file mode 100644
index 000000000000..17c3f26dccae
--- /dev/null
+++ b/contrib/bind9/bin/confgen/ddns-confgen.html
@@ -0,0 +1,141 @@ +<!-- + - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") + - + - Permission to use, copy, modify, and/or distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> +<!-- $Id: ddns-confgen.html,v 1.10 2009-09-19 01:14:52 tbox Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>ddns-confgen</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="man.ddns-confgen"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p><span class="application">ddns-confgen</span> — ddns key generation tool</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="cmdsynopsis"><p><code class="command">ddns-confgen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [ -s <em class="replaceable"><code>name</code></em> | -z <em class="replaceable"><code>zone</code></em> ] [<code class="option">-q</code>] [name]</p></div> +</div> +<div class="refsect1" 
lang="en"> +<a name="id2543395"></a><h2>DESCRIPTION</h2> +<p><span><strong class="command">ddns-confgen</strong></span> + generates a key for use by <span><strong class="command">nsupdate</strong></span> + and <span><strong class="command">named</strong></span>. It simplifies configuration + of dynamic zones by generating a key and providing the + <span><strong class="command">nsupdate</strong></span> and <span><strong class="command">named.conf</strong></span> + syntax that will be needed to use it, including an example + <span><strong class="command">update-policy</strong></span> statement. + </p> +<p> + If a domain name is specified on the command line, it will + be used in the name of the generated key and in the sample + <span><strong class="command">named.conf</strong></span> syntax. For example, + <span><strong class="command">ddns-confgen example.com</strong></span> would + generate a key called "ddns-key.example.com", and sample + <span><strong class="command">named.conf</strong></span> command that could be used + in the zone definition for "example.com". + </p> +<p> + Note that <span><strong class="command">named</strong></span> itself can configure a + local DDNS key for use with <span><strong class="command">nsupdate -l</strong></span>. + <span><strong class="command">ddns-confgen</strong></span> is only needed when a + more elaborate configuration is required: for instance, if + <span><strong class="command">nsupdate</strong></span> is to be used from a remote system. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2543454"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl> +<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt> +<dd><p> + Specifies the algorithm to use for the TSIG key. Available + choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, + hmac-sha384 and hmac-sha512. The default is hmac-sha256. 
+ </p></dd> +<dt><span class="term">-h</span></dt> +<dd><p> + Prints a short summary of the options and arguments to + <span><strong class="command">ddns-confgen</strong></span>. + </p></dd> +<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt> +<dd><p> + Specifies the key name of the DDNS authentication key. + The default is <code class="constant">ddns-key</code> when neither + the <code class="option">-s</code> nor <code class="option">-z</code> option is + specified; otherwise, the default + is <code class="constant">ddns-key</code> as a separate label + followed by the argument of the option, e.g., + <code class="constant">ddns-key.example.com.</code> + The key name must have the format of a valid domain name, + consisting of letters, digits, hyphens and periods. + </p></dd> +<dt><span class="term">-q</span></dt> +<dd><p> + Quiet mode: Print only the key, with no explanatory text or + usage examples. + </p></dd> +<dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt> +<dd><p> + Specifies a source of random data for generating the + authorization. If the operating system does not provide a + <code class="filename">/dev/random</code> or equivalent device, the + default source of randomness is keyboard input. + <code class="filename">randomdev</code> specifies the name of a + character device or file containing random data to be used + instead of the default. The special value + <code class="filename">keyboard</code> indicates that keyboard input + should be used. + </p></dd> +<dt><span class="term">-s <em class="replaceable"><code>name</code></em></span></dt> +<dd><p> + Single host mode: The example <span><strong class="command">named.conf</strong></span> text + shows how to set an update policy for the specified + <em class="replaceable"><code>name</code></em> + using the "name" nametype. + The default key name is + ddns-key.<em class="replaceable"><code>name</code></em>. 
+ Note that the "self" nametype cannot be used, since + the name to be updated may differ from the key name. + This option cannot be used with the <code class="option">-z</code> option. + </p></dd> +<dt><span class="term">-z <em class="replaceable"><code>zone</code></em></span></dt> +<dd><p> + zone mode: The example <span><strong class="command">named.conf</strong></span> text + shows how to set an update policy for the specified + <em class="replaceable"><code>zone</code></em> + using the "zonesub" nametype, allowing updates to all subdomain + names within + that <em class="replaceable"><code>zone</code></em>. + This option cannot be used with the <code class="option">-s</code> option. + </p></dd> +</dl></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2543642"></a><h2>SEE ALSO</h2> +<p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>, + <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>, + <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, + <em class="citetitle">BIND 9 Administrator Reference Manual</em>. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2543681"></a><h2>AUTHOR</h2> +<p><span class="corpauthor">Internet Systems Consortium</span> + </p> +</div> +</div></body> +</html> diff --git a/contrib/bind9/bin/confgen/include/confgen/os.h b/contrib/bind9/bin/confgen/include/confgen/os.h new file mode 100644 index 000000000000..bf80f00ef417 --- /dev/null +++ b/contrib/bind9/bin/confgen/include/confgen/os.h 
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: os.h,v 1.3 2009-06-11 23:47:55 tbox Exp $ */
+
+/*! \file */
+
+#ifndef RNDC_OS_H
+#define RNDC_OS_H 1
+
+#include <isc/lang.h>
+#include <stdio.h>
+
+ISC_LANG_BEGINDECLS
+
+int set_user(FILE *fd, const char *user);
+/*%<
+ * Set the owner of the file referenced by 'fd' to 'user'.
+ * Returns:
+ * 0 success
+ * -1 insufficient permissions, or 'user' does not exist.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif
diff --git a/contrib/bind9/bin/confgen/keygen.c b/contrib/bind9/bin/confgen/keygen.c
new file mode 100644
index 000000000000..c259e7e6a721
--- /dev/null
+++ b/contrib/bind9/bin/confgen/keygen.c
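Review bot: The prototype `int set_user(FILE *fd, const char *user);` names a `FILE *` as though it were an integer descriptor, and the comment repeats the confusion by speaking of "the file referenced by 'fd'"; since the unix/os.c implementation is not visible here, the header is the only contract callers have, so rename the parameter to `fp` and state the operation explicitly, e.g. `Change the owner of the already-open stream 'fp' to the user named 'user' (presumably via fileno()/fchown() — confirm against unix/os.c)`. The single -1 return conflates "insufficient permissions" with "user does not exist", which a caller writing a key file as root would want to report differently; if the implementation leaves errno set, say so in the comment, otherwise consider distinct negative codes. The include guard `RNDC_OS_H` is inherited naming for a header now shared by ddns-confgen as well; `CONFGEN_OS_H` would match its new location.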
@@ -0,0 +1,218 @@ +/* + * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: keygen.c,v 1.4 2009-11-12 14:02:38 marka Exp $ */ + +/*! \file */ + +#include <config.h> + +#include <stdlib.h> +#include <stdarg.h> + +#include <isc/base64.h> +#include <isc/buffer.h> +#include <isc/entropy.h> +#include <isc/file.h> +#include <isc/keyboard.h> +#include <isc/mem.h> +#include <isc/result.h> +#include <isc/string.h> + +#include <dns/keyvalues.h> +#include <dns/name.h> + +#include <dst/dst.h> +#include <confgen/os.h> + +#include "util.h" +#include "keygen.h" + +/*% + * Convert algorithm type to string. + */ +const char * +alg_totext(dns_secalg_t alg) { + switch (alg) { + case DST_ALG_HMACMD5: + return "hmac-md5"; + case DST_ALG_HMACSHA1: + return "hmac-sha1"; + case DST_ALG_HMACSHA224: + return "hmac-sha224"; + case DST_ALG_HMACSHA256: + return "hmac-sha256"; + case DST_ALG_HMACSHA384: + return "hmac-sha384"; + case DST_ALG_HMACSHA512: + return "hmac-sha512"; + default: + return "(unknown)"; + } +} + +/*% + * Convert string to algorithm type. 
+ */ +dns_secalg_t +alg_fromtext(const char *name) { + if (strcmp(name, "hmac-md5") == 0) + return DST_ALG_HMACMD5; + if (strcmp(name, "hmac-sha1") == 0) + return DST_ALG_HMACSHA1; + if (strcmp(name, "hmac-sha224") == 0) + return DST_ALG_HMACSHA224; + if (strcmp(name, "hmac-sha256") == 0) + return DST_ALG_HMACSHA256; + if (strcmp(name, "hmac-sha384") == 0) + return DST_ALG_HMACSHA384; + if (strcmp(name, "hmac-sha512") == 0) + return DST_ALG_HMACSHA512; + return DST_ALG_UNKNOWN; +} + +/*% + * Return default keysize for a given algorithm type. + */ +int +alg_bits(dns_secalg_t alg) { + switch (alg) { + case DST_ALG_HMACMD5: + return 128; + case DST_ALG_HMACSHA1: + return 160; + case DST_ALG_HMACSHA224: + return 224; + case DST_ALG_HMACSHA256: + return 256; + case DST_ALG_HMACSHA384: + return 384; + case DST_ALG_HMACSHA512: + return 512; + default: + return 0; + } +} + +/*% + * Generate a key of size 'keysize' using entropy source 'randomfile', + * and place it in 'key_txtbuffer' + */ +void +generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg, + int keysize, isc_buffer_t *key_txtbuffer) { + isc_result_t result = ISC_R_SUCCESS; + isc_entropysource_t *entropy_source = NULL; + int open_keyboard = ISC_ENTROPY_KEYBOARDMAYBE; + int entropy_flags = 0; + isc_entropy_t *ectx = NULL; + isc_buffer_t key_rawbuffer; + isc_region_t key_rawregion; + char key_rawsecret[64]; + dst_key_t *key = NULL; + + switch (alg) { + case DST_ALG_HMACMD5: + if (keysize < 1 || keysize > 512) + fatal("keysize %d out of range (must be 1-512)\n", + keysize); + break; + case DST_ALG_HMACSHA256: + if (keysize < 1 || keysize > 256) + fatal("keysize %d out of range (must be 1-256)\n", + keysize); + break; + default: + fatal("unsupported algorithm %d\n", alg); + } + + + DO("create entropy context", isc_entropy_create(mctx, &ectx)); + + if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) { + randomfile = NULL; + open_keyboard = ISC_ENTROPY_KEYBOARDYES; + } + DO("start entropy 
source", isc_entropy_usebestsource(ectx, + &entropy_source, + randomfile, + open_keyboard)); + + entropy_flags = ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY; + + DO("initialize dst library", dst_lib_init(mctx, ectx, entropy_flags)); + + DO("generate key", dst_key_generate(dns_rootname, alg, + keysize, 0, 0, + DNS_KEYPROTO_ANY, + dns_rdataclass_in, mctx, &key)); + + isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret)); + + DO("dump key to buffer", dst_key_tobuffer(key, &key_rawbuffer)); + + isc_buffer_usedregion(&key_rawbuffer, &key_rawregion); + + DO("bsse64 encode secret", isc_base64_totext(&key_rawregion, -1, "", + key_txtbuffer)); + + /* + * Shut down the entropy source now so the "stop typing" message + * does not muck with the output. + */ + if (entropy_source != NULL) + isc_entropy_destroysource(&entropy_source); + + if (key != NULL) + dst_key_free(&key); + + isc_entropy_detach(&ectx); + dst_lib_destroy(); +} + +/*% + * Write a key file to 'keyfile'. If 'user' is non-NULL, + * make that user the owner of the file. The key will have + * the name 'keyname' and the secret in the buffer 'secret'. + */ +void +write_key_file(const char *keyfile, const char *user, + const char *keyname, isc_buffer_t *secret, + dns_secalg_t alg) { + isc_result_t result; + const char *algname = alg_totext(alg); + FILE *fd = NULL; + + DO("create keyfile", isc_file_safecreate(keyfile, &fd)); + + if (user != NULL) { + if (set_user(fd, user) == -1) + fatal("unable to set file owner\n"); + } + + fprintf(fd, "key \"%s\" {\n\talgorithm %s;\n" + "\tsecret \"%.*s\";\n};\n", + keyname, algname, + (int)isc_buffer_usedlength(secret), + (char *)isc_buffer_base(secret)); + fflush(fd); + if (ferror(fd)) + fatal("write to %s failed\n", keyfile); + if (fclose(fd)) + fatal("fclose(%s) failed\n", keyfile); + fprintf(stderr, "wrote key file \"%s\"\n", keyfile); +} + 
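Review bot: generate_key copies the raw key into the stack buffer `key_rawsecret` and base64-encodes it into the caller's buffer, but never clears `key_rawsecret` afterwards, so the secret stays in process memory until that stack slot happens to be reused; clear it once `isc_base64_totext` has run (a plain `memset(key_rawsecret, 0, sizeof(key_rawsecret));` is the minimum, bearing in mind that a compiler may drop a memset of a dying local, so a wipe helper that is not optimised away is preferable if the library provides one). Whether `dst_key_free` scrubs its own copy of the key is not visible in this hunk. Separately, the DO() label `"bsse64 encode secret"` is misspelled and should read `"base64 encode secret"`. Note also that alg_totext, alg_fromtext and alg_bits list six HMAC algorithms while generate_key's switch accepts only DST_ALG_HMACMD5 and DST_ALG_HMACSHA256 and aborts for the rest, so a caller passing e.g. hmac-sha512 fails only at generation time; a comment on the switch stating which algorithms are supported, or a matching restriction in alg_fromtext, would make the contract consistent.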
diff --git a/contrib/bind9/bin/confgen/keygen.h b/contrib/bind9/bin/confgen/keygen.h
new file mode 100644
index 000000000000..cea25dd4f92a
--- /dev/null
+++ b/contrib/bind9/bin/confgen/keygen.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: keygen.h,v 1.3 2009-06-11 23:47:55 tbox Exp $ */
+
+#ifndef RNDC_KEYGEN_H
+#define RNDC_KEYGEN_H 1
+
+/*! \file */
+
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+void generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
+ int keysize, isc_buffer_t *key_txtbuffer);
+
+void write_key_file(const char *keyfile, const char *user,
+ const char *keyname, isc_buffer_t *secret,
+ dns_secalg_t alg);
+
+const char *alg_totext(dns_secalg_t alg);
+dns_secalg_t alg_fromtext(const char *name);
+int alg_bits(dns_secalg_t alg);
+
+ISC_LANG_ENDDECLS
+
+#endif /* RNDC_KEYGEN_H */
diff --git a/contrib/bind9/bin/confgen/rndc-confgen.8 b/contrib/bind9/bin/confgen/rndc-confgen.8
new file mode 100644
index 000000000000..a1b3ae86b735
--- /dev/null
+++ b/contrib/bind9/bin/confgen/rndc-confgen.8
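Review bot: The header declares parameters of type `isc_mem_t`, `isc_buffer_t` and `dns_secalg_t` but includes only `<isc/lang.h>`, so it is not self-contained and compiles only because keygen.c (and presumably the confgen main programs) include `<isc/mem.h>`, `<isc/buffer.h>` and `<dns/keyvalues.h>` before it. Add the includes the declarations need, e.g. `#include <isc/buffer.h>`, `#include <isc/mem.h>` and the dns header that defines dns_secalg_t (I believe `<dns/types.h>`), so that an includer cannot break the build by reordering includes. A one-line doc comment per prototype in the `/*%` style used in keygen.c would also help, in particular noting that generate_key and write_key_file do not return on bad input (they call fatal, and the DO() wrapper presumably aborts on failure).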
@@ -0,0 +1,211 @@ +.\" Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2001, 2003 Internet Software Consortium. +.\" +.\" Permission to use, copy, modify, and/or distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +.\" PERFORMANCE OF THIS SOFTWARE. +.\" +.\" $Id: rndc-confgen.8,v 1.7 2009-07-11 01:12:45 tbox Exp $ +.\" +.hy 0 +.ad l +.\" Title: rndc\-confgen +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> +.\" Date: Aug 27, 2001 +.\" Manual: BIND9 +.\" Source: BIND9 +.\" +.TH "RNDC\-CONFGEN" "8" "Aug 27, 2001" "BIND9" "BIND9" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +rndc\-confgen \- rndc key generation tool +.SH "SYNOPSIS" +.HP 13 +\fBrndc\-confgen\fR [\fB\-a\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-c\ \fR\fB\fIkeyfile\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\fB\-s\ \fR\fB\fIaddress\fR\fR] [\fB\-t\ \fR\fB\fIchrootdir\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] +.SH "DESCRIPTION" +.PP +\fBrndc\-confgen\fR +generates configuration files for +\fBrndc\fR. It can be used as a convenient alternative to writing the +\fIrndc.conf\fR +file and the corresponding +\fBcontrols\fR +and +\fBkey\fR +statements in +\fInamed.conf\fR +by hand. 
Alternatively, it can be run with the +\fB\-a\fR +option to set up a +\fIrndc.key\fR +file and avoid the need for a +\fIrndc.conf\fR +file and a +\fBcontrols\fR +statement altogether. +.SH "OPTIONS" +.PP +\-a +.RS 4 +Do automatic +\fBrndc\fR +configuration. This creates a file +\fIrndc.key\fR +in +\fI/etc\fR +(or whatever +\fIsysconfdir\fR +was specified as when +BIND +was built) that is read by both +\fBrndc\fR +and +\fBnamed\fR +on startup. The +\fIrndc.key\fR +file defines a default command channel and authentication key allowing +\fBrndc\fR +to communicate with +\fBnamed\fR +on the local host with no further configuration. +.sp +Running +\fBrndc\-confgen \-a\fR +allows BIND 9 and +\fBrndc\fR +to be used as drop\-in replacements for BIND 8 and +\fBndc\fR, with no changes to the existing BIND 8 +\fInamed.conf\fR +file. +.sp +If a more elaborate configuration than that generated by +\fBrndc\-confgen \-a\fR +is required, for example if rndc is to be used remotely, you should run +\fBrndc\-confgen\fR +without the +\fB\-a\fR +option and set up a +\fIrndc.conf\fR +and +\fInamed.conf\fR +as directed. +.RE +.PP +\-b \fIkeysize\fR +.RS 4 +Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is 128. +.RE +.PP +\-c \fIkeyfile\fR +.RS 4 +Used with the +\fB\-a\fR +option to specify an alternate location for +\fIrndc.key\fR. +.RE +.PP +\-h +.RS 4 +Prints a short summary of the options and arguments to +\fBrndc\-confgen\fR. +.RE +.PP +\-k \fIkeyname\fR +.RS 4 +Specifies the key name of the rndc authentication key. This must be a valid domain name. The default is +\fBrndc\-key\fR. +.RE +.PP +\-p \fIport\fR +.RS 4 +Specifies the command channel port where +\fBnamed\fR +listens for connections from +\fBrndc\fR. The default is 953. +.RE +.PP +\-r \fIrandomfile\fR +.RS 4 +Specifies a source of random data for generating the authorization. 
If the operating system does not provide a +\fI/dev/random\fR +or equivalent device, the default source of randomness is keyboard input. +\fIrandomdev\fR +specifies the name of a character device or file containing random data to be used instead of the default. The special value +\fIkeyboard\fR +indicates that keyboard input should be used. +.RE +.PP +\-s \fIaddress\fR +.RS 4 +Specifies the IP address where +\fBnamed\fR +listens for command channel connections from +\fBrndc\fR. The default is the loopback address 127.0.0.1. +.RE +.PP +\-t \fIchrootdir\fR +.RS 4 +Used with the +\fB\-a\fR +option to specify a directory where +\fBnamed\fR +will run chrooted. An additional copy of the +\fIrndc.key\fR +will be written relative to this directory so that it will be found by the chrooted +\fBnamed\fR. +.RE +.PP +\-u \fIuser\fR +.RS 4 +Used with the +\fB\-a\fR +option to set the owner of the +\fIrndc.key\fR +file generated. If +\fB\-t\fR +is also specified only the file in the chroot area has its owner changed. +.RE +.SH "EXAMPLES" +.PP +To allow +\fBrndc\fR +to be used with no manual configuration, run +.PP +\fBrndc\-confgen \-a\fR +.PP +To print a sample +\fIrndc.conf\fR +file and corresponding +\fBcontrols\fR +and +\fBkey\fR +statements to be manually inserted into +\fInamed.conf\fR, run +.PP +\fBrndc\-confgen\fR +.SH "SEE ALSO" +.PP +\fBrndc\fR(8), +\fBrndc.conf\fR(5), +\fBnamed\fR(8), +BIND 9 Administrator Reference Manual. +.SH "AUTHOR" +.PP +Internet Systems Consortium +.SH "COPYRIGHT" +Copyright \(co 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2001, 2003 Internet Software Consortium. +.br diff --git a/contrib/bind9/bin/confgen/rndc-confgen.c b/contrib/bind9/bin/confgen/rndc-confgen.c new file mode 100644 index 000000000000..766e3b49444e --- /dev/null +++ b/contrib/bind9/bin/confgen/rndc-confgen.c 
@@ -0,0 +1,270 @@ +/* + * Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2001, 2003 Internet Software Consortium. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: rndc-confgen.c,v 1.5 2009-09-29 15:06:05 fdupont Exp $ */ + +/*! \file */ + +/** + * rndc-confgen generates configuration files for rndc. It can be used + * as a convenient alternative to writing the rndc.conf file and the + * corresponding controls and key statements in named.conf by hand. + * Alternatively, it can be run with the -a option to set up a + * rndc.key file and avoid the need for a rndc.conf file and a + * controls statement altogether. + */ + +#include <config.h> + +#include <stdlib.h> +#include <stdarg.h> + +#include <isc/assertions.h> +#include <isc/base64.h> +#include <isc/buffer.h> +#include <isc/commandline.h> +#include <isc/entropy.h> +#include <isc/file.h> +#include <isc/keyboard.h> +#include <isc/mem.h> +#include <isc/net.h> +#include <isc/print.h> +#include <isc/result.h> +#include <isc/string.h> +#include <isc/time.h> +#include <isc/util.h> + +#include <dns/keyvalues.h> +#include <dns/name.h> + +#include <dst/dst.h> +#include <confgen/os.h> + +#include "util.h" +#include "keygen.h" + +#define DEFAULT_KEYLENGTH 128 /*% Bits. 
*/ +#define DEFAULT_KEYNAME "rndc-key" +#define DEFAULT_SERVER "127.0.0.1" +#define DEFAULT_PORT 953 + +static char program[256]; +const char *progname; + +isc_boolean_t verbose = ISC_FALSE; + +const char *keyfile, *keydef; + +ISC_PLATFORM_NORETURN_PRE static void +usage(int status) ISC_PLATFORM_NORETURN_POST; + +static void +usage(int status) { + + fprintf(stderr, "\ +Usage:\n\ + %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \ +[-s addr] [-t chrootdir] [-u user]\n\ + -a: generate just the key clause and write it to keyfile (%s)\n\ + -b bits: from 1 through 512, default %d; total length of the secret\n\ + -c keyfile: specify an alternate key file (requires -a)\n\ + -k keyname: the name as it will be used in named.conf and rndc.conf\n\ + -p port: the port named will listen on and rndc will connect to\n\ + -r randomfile: source of random data (use \"keyboard\" for key timing)\n\ + -s addr: the address to which rndc should connect\n\ + -t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\ + -u user: set the keyfile owner to \"user\" (requires -a)\n", + progname, keydef, DEFAULT_KEYLENGTH); + + exit (status); +} + +int +main(int argc, char **argv) { + isc_boolean_t show_final_mem = ISC_FALSE; + isc_buffer_t key_txtbuffer; + char key_txtsecret[256]; + isc_mem_t *mctx = NULL; + isc_result_t result = ISC_R_SUCCESS; + const char *keyname = NULL; + const char *randomfile = NULL; + const char *serveraddr = NULL; + dns_secalg_t alg = DST_ALG_HMACMD5; + const char *algname = alg_totext(alg); + char *p; + int ch; + int port; + int keysize; + struct in_addr addr4_dummy; + struct in6_addr addr6_dummy; + char *chrootdir = NULL; + char *user = NULL; + isc_boolean_t keyonly = ISC_FALSE; + int len; + + keydef = keyfile = RNDC_KEYFILE; + + result = isc_file_progname(*argv, program, sizeof(program)); + if (result != ISC_R_SUCCESS) + memcpy(program, "rndc-confgen", 13); + progname = program; + + keyname = DEFAULT_KEYNAME; + keysize = 
DEFAULT_KEYLENGTH; + serveraddr = DEFAULT_SERVER; + port = DEFAULT_PORT; + + isc_commandline_errprint = ISC_FALSE; + + while ((ch = isc_commandline_parse(argc, argv, + "ab:c:hk:Mmp:r:s:t:u:Vy")) != -1) { + switch (ch) { + case 'a': + keyonly = ISC_TRUE; + break; + case 'b': + keysize = strtol(isc_commandline_argument, &p, 10); + if (*p != '\0' || keysize < 0) + fatal("-b requires a non-negative number"); + if (keysize < 1 || keysize > 512) + fatal("-b must be in the range 1 through 512"); + break; + case 'c': + keyfile = isc_commandline_argument; + break; + case 'h': + usage(0); + case 'k': + case 'y': /* Compatible with rndc -y. */ + keyname = isc_commandline_argument; + break; + case 'M': + isc_mem_debugging = ISC_MEM_DEBUGTRACE; + break; + + case 'm': + show_final_mem = ISC_TRUE; + break; + case 'p': + port = strtol(isc_commandline_argument, &p, 10); + if (*p != '\0' || port < 0 || port > 65535) + fatal("port '%s' out of range", + isc_commandline_argument); + break; + case 'r': + randomfile = isc_commandline_argument; + break; + case 's': + serveraddr = isc_commandline_argument; + if (inet_pton(AF_INET, serveraddr, &addr4_dummy) != 1 && + inet_pton(AF_INET6, serveraddr, &addr6_dummy) != 1) + fatal("-s should be an IPv4 or IPv6 address"); + break; + case 't': + chrootdir = isc_commandline_argument; + break; + case 'u': + user = isc_commandline_argument; + break; + case 'V': + verbose = ISC_TRUE; + break; + case '?': + if (isc_commandline_option != '?') { + fprintf(stderr, "%s: invalid argument -%c\n", + program, isc_commandline_option); + usage(1); + } else + usage(0); + break; + default: + fprintf(stderr, "%s: unhandled option -%c\n", + program, isc_commandline_option); + exit(1); + } + } + + argc -= isc_commandline_index; + argv += isc_commandline_index; + + if (argc > 0) + usage(1); + + DO("create memory context", isc_mem_create(0, 0, &mctx)); + isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret)); + + generate_key(mctx, randomfile, alg, 
keysize, &key_txtbuffer); + + if (keyonly) { + write_key_file(keyfile, chrootdir == NULL ? user : NULL, + keyname, &key_txtbuffer, alg); + + if (chrootdir != NULL) { + char *buf; + len = strlen(chrootdir) + strlen(keyfile) + 2; + buf = isc_mem_get(mctx, len); + if (buf == NULL) + fatal("isc_mem_get(%d) failed\n", len); + snprintf(buf, len, "%s%s%s", chrootdir, + (*keyfile != '/') ? "/" : "", keyfile); + + write_key_file(buf, user, keyname, &key_txtbuffer, alg); + isc_mem_put(mctx, buf, len); + } + } else { + printf("\ +# Start of rndc.conf\n\ +key \"%s\" {\n\ + algorithm %s;\n\ + secret \"%.*s\";\n\ +};\n\ +\n\ +options {\n\ + default-key \"%s\";\n\ + default-server %s;\n\ + default-port %d;\n\ +};\n\ +# End of rndc.conf\n\ +\n\ +# Use with the following in named.conf, adjusting the allow list as needed:\n\ +# key \"%s\" {\n\ +# algorithm %s;\n\ +# secret \"%.*s\";\n\ +# };\n\ +# \n\ +# controls {\n\ +# inet %s port %d\n\ +# allow { %s; } keys { \"%s\"; };\n\ +# };\n\ +# End of named.conf\n", + keyname, algname, + (int)isc_buffer_usedlength(&key_txtbuffer), + (char *)isc_buffer_base(&key_txtbuffer), + keyname, serveraddr, port, + keyname, algname, + (int)isc_buffer_usedlength(&key_txtbuffer), + (char *)isc_buffer_base(&key_txtbuffer), + serveraddr, port, serveraddr, keyname); + } + + if (show_final_mem) + isc_mem_stats(mctx, stderr); + + isc_mem_destroy(&mctx); + + return (0); +} diff --git a/contrib/bind9/bin/confgen/rndc-confgen.docbook b/contrib/bind9/bin/confgen/rndc-confgen.docbook new file mode 100644 index 000000000000..d43fcfbe8aa4 --- /dev/null +++ b/contrib/bind9/bin/confgen/rndc-confgen.docbook 
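Review bot: In main's `-b` and `-p` cases the `strtol` result is stored into an `int` (`keysize`, `port`) before it is range-checked, so on platforms where long is wider than int an out-of-range argument is narrowed first and can pass the check with an unintended value (a value congruent to 1 modulo 2^32 typically becomes keysize 1). Parse into a long and check that before narrowing: `long v = strtol(isc_commandline_argument, &p, 10);` / `if (*p != '\0' || v < 1 || v > 512) fatal("-b must be in the range 1 through 512");` / `keysize = (int)v;`, and likewise for `-p` with the 0 through 65535 range. Setting `errno = 0` before the call and rejecting `ERANGE` would also catch overflow of long itself. The separate `keysize < 0` pre-check becomes redundant once the range test runs on the long value.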
@@ -0,0 +1,287 @@ +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" + [<!ENTITY mdash "—">]> +<!-- + - Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2001, 2003 Internet Software Consortium. + - + - Permission to use, copy, modify, and/or distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> + +<!-- $Id: rndc-confgen.docbook,v 1.4 2009-06-15 23:47:59 tbox Exp $ --> +<refentry id="man.rndc-confgen"> + <refentryinfo> + <date>Aug 27, 2001</date> + </refentryinfo> + + <refmeta> + <refentrytitle><application>rndc-confgen</application></refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo>BIND9</refmiscinfo> + </refmeta> + + <refnamediv> + <refname><application>rndc-confgen</application></refname> + <refpurpose>rndc key generation tool</refpurpose> + </refnamediv> + + <docinfo> + <copyright> + <year>2004</year> + <year>2005</year> + <year>2007</year> + <year>2009</year> + <holder>Internet Systems Consortium, Inc. 
("ISC")</holder> + </copyright> + <copyright> + <year>2001</year> + <year>2003</year> + <holder>Internet Software Consortium.</holder> + </copyright> + </docinfo> + + <refsynopsisdiv> + <cmdsynopsis> + <command>rndc-confgen</command> + <arg><option>-a</option></arg> + <arg><option>-b <replaceable class="parameter">keysize</replaceable></option></arg> + <arg><option>-c <replaceable class="parameter">keyfile</replaceable></option></arg> + <arg><option>-h</option></arg> + <arg><option>-k <replaceable class="parameter">keyname</replaceable></option></arg> + <arg><option>-p <replaceable class="parameter">port</replaceable></option></arg> + <arg><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg> + <arg><option>-s <replaceable class="parameter">address</replaceable></option></arg> + <arg><option>-t <replaceable class="parameter">chrootdir</replaceable></option></arg> + <arg><option>-u <replaceable class="parameter">user</replaceable></option></arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1> + <title>DESCRIPTION</title> + <para><command>rndc-confgen</command> + generates configuration files + for <command>rndc</command>. It can be used as a + convenient alternative to writing the + <filename>rndc.conf</filename> file + and the corresponding <command>controls</command> + and <command>key</command> + statements in <filename>named.conf</filename> by hand. + Alternatively, it can be run with the <command>-a</command> + option to set up a <filename>rndc.key</filename> file and + avoid the need for a <filename>rndc.conf</filename> file + and a <command>controls</command> statement altogether. + </para> + + </refsect1> + + <refsect1> + <title>OPTIONS</title> + + <variablelist> + <varlistentry> + <term>-a</term> + <listitem> + <para> + Do automatic <command>rndc</command> configuration. 
+ This creates a file <filename>rndc.key</filename> + in <filename>/etc</filename> (or whatever + <varname>sysconfdir</varname> + was specified as when <acronym>BIND</acronym> was + built) + that is read by both <command>rndc</command> + and <command>named</command> on startup. The + <filename>rndc.key</filename> file defines a default + command channel and authentication key allowing + <command>rndc</command> to communicate with + <command>named</command> on the local host + with no further configuration. + </para> + <para> + Running <command>rndc-confgen -a</command> allows + BIND 9 and <command>rndc</command> to be used as + drop-in + replacements for BIND 8 and <command>ndc</command>, + with no changes to the existing BIND 8 + <filename>named.conf</filename> file. + </para> + <para> + If a more elaborate configuration than that + generated by <command>rndc-confgen -a</command> + is required, for example if rndc is to be used remotely, + you should run <command>rndc-confgen</command> without + the + <command>-a</command> option and set up a + <filename>rndc.conf</filename> and + <filename>named.conf</filename> + as directed. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-b <replaceable class="parameter">keysize</replaceable></term> + <listitem> + <para> + Specifies the size of the authentication key in bits. + Must be between 1 and 512 bits; the default is 128. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-c <replaceable class="parameter">keyfile</replaceable></term> + <listitem> + <para> + Used with the <command>-a</command> option to specify + an alternate location for <filename>rndc.key</filename>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-h</term> + <listitem> + <para> + Prints a short summary of the options and arguments to + <command>rndc-confgen</command>. 
+ </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-k <replaceable class="parameter">keyname</replaceable></term> + <listitem> + <para> + Specifies the key name of the rndc authentication key. + This must be a valid domain name. + The default is <constant>rndc-key</constant>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-p <replaceable class="parameter">port</replaceable></term> + <listitem> + <para> + Specifies the command channel port where <command>named</command> + listens for connections from <command>rndc</command>. + The default is 953. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-r <replaceable class="parameter">randomfile</replaceable></term> + <listitem> + <para> + Specifies a source of random data for generating the + authorization. If the operating + system does not provide a <filename>/dev/random</filename> + or equivalent device, the default source of randomness + is keyboard input. <filename>randomdev</filename> + specifies + the name of a character device or file containing random + data to be used instead of the default. The special value + <filename>keyboard</filename> indicates that keyboard + input should be used. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-s <replaceable class="parameter">address</replaceable></term> + <listitem> + <para> + Specifies the IP address where <command>named</command> + listens for command channel connections from + <command>rndc</command>. The default is the loopback + address 127.0.0.1. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-t <replaceable class="parameter">chrootdir</replaceable></term> + <listitem> + <para> + Used with the <command>-a</command> option to specify + a directory where <command>named</command> will run + chrooted. 
An additional copy of the <filename>rndc.key</filename> + will be written relative to this directory so that + it will be found by the chrooted <command>named</command>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-u <replaceable class="parameter">user</replaceable></term> + <listitem> + <para> + Used with the <command>-a</command> option to set the + owner + of the <filename>rndc.key</filename> file generated. + If + <command>-t</command> is also specified only the file + in + the chroot area has its owner changed. + </para> + </listitem> + </varlistentry> + + </variablelist> + </refsect1> + + <refsect1> + <title>EXAMPLES</title> + <para> + To allow <command>rndc</command> to be used with + no manual configuration, run + </para> + <para><userinput>rndc-confgen -a</userinput> + </para> + <para> + To print a sample <filename>rndc.conf</filename> file and + corresponding <command>controls</command> and <command>key</command> + statements to be manually inserted into <filename>named.conf</filename>, + run + </para> + <para><userinput>rndc-confgen</userinput> + </para> + </refsect1> + + <refsect1> + <title>SEE ALSO</title> + <para><citerefentry> + <refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>rndc.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citetitle>BIND 9 Administrator Reference Manual</citetitle>. + </para> + </refsect1> + + <refsect1> + <title>AUTHOR</title> + <para><corpauthor>Internet Systems Consortium</corpauthor> + </para> + </refsect1> + +</refentry><!-- + - Local variables: + - mode: sgml + - End: +--> diff --git a/contrib/bind9/bin/confgen/rndc-confgen.html b/contrib/bind9/bin/confgen/rndc-confgen.html new file mode 100644 index 000000000000..82a712091614 --- /dev/null +++ b/contrib/bind9/bin/confgen/rndc-confgen.html 
@@ -0,0 +1,188 @@ +<!-- + - Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2001, 2003 Internet Software Consortium. + - + - Permission to use, copy, modify, and/or distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> +<!-- $Id: rndc-confgen.html,v 1.7 2009-07-11 01:12:45 tbox Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>rndc-confgen</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="man.rndc-confgen"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p><span class="application">rndc-confgen</span> — rndc key generation tool</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code> [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code 
class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2543432"></a><h2>DESCRIPTION</h2> +<p><span><strong class="command">rndc-confgen</strong></span> + generates configuration files + for <span><strong class="command">rndc</strong></span>. It can be used as a + convenient alternative to writing the + <code class="filename">rndc.conf</code> file + and the corresponding <span><strong class="command">controls</strong></span> + and <span><strong class="command">key</strong></span> + statements in <code class="filename">named.conf</code> by hand. + Alternatively, it can be run with the <span><strong class="command">-a</strong></span> + option to set up a <code class="filename">rndc.key</code> file and + avoid the need for a <code class="filename">rndc.conf</code> file + and a <span><strong class="command">controls</strong></span> statement altogether. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2543477"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl> +<dt><span class="term">-a</span></dt> +<dd> +<p> + Do automatic <span><strong class="command">rndc</strong></span> configuration. + This creates a file <code class="filename">rndc.key</code> + in <code class="filename">/etc</code> (or whatever + <code class="varname">sysconfdir</code> + was specified as when <acronym class="acronym">BIND</acronym> was + built) + that is read by both <span><strong class="command">rndc</strong></span> + and <span><strong class="command">named</strong></span> on startup. 
The + <code class="filename">rndc.key</code> file defines a default + command channel and authentication key allowing + <span><strong class="command">rndc</strong></span> to communicate with + <span><strong class="command">named</strong></span> on the local host + with no further configuration. + </p> +<p> + Running <span><strong class="command">rndc-confgen -a</strong></span> allows + BIND 9 and <span><strong class="command">rndc</strong></span> to be used as + drop-in + replacements for BIND 8 and <span><strong class="command">ndc</strong></span>, + with no changes to the existing BIND 8 + <code class="filename">named.conf</code> file. + </p> +<p> + If a more elaborate configuration than that + generated by <span><strong class="command">rndc-confgen -a</strong></span> + is required, for example if rndc is to be used remotely, + you should run <span><strong class="command">rndc-confgen</strong></span> without + the + <span><strong class="command">-a</strong></span> option and set up a + <code class="filename">rndc.conf</code> and + <code class="filename">named.conf</code> + as directed. + </p> +</dd> +<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt> +<dd><p> + Specifies the size of the authentication key in bits. + Must be between 1 and 512 bits; the default is 128. + </p></dd> +<dt><span class="term">-c <em class="replaceable"><code>keyfile</code></em></span></dt> +<dd><p> + Used with the <span><strong class="command">-a</strong></span> option to specify + an alternate location for <code class="filename">rndc.key</code>. + </p></dd> +<dt><span class="term">-h</span></dt> +<dd><p> + Prints a short summary of the options and arguments to + <span><strong class="command">rndc-confgen</strong></span>. + </p></dd> +<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt> +<dd><p> + Specifies the key name of the rndc authentication key. + This must be a valid domain name. 
+ The default is <code class="constant">rndc-key</code>. + </p></dd> +<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt> +<dd><p> + Specifies the command channel port where <span><strong class="command">named</strong></span> + listens for connections from <span><strong class="command">rndc</strong></span>. + The default is 953. + </p></dd> +<dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt> +<dd><p> + Specifies a source of random data for generating the + authorization. If the operating + system does not provide a <code class="filename">/dev/random</code> + or equivalent device, the default source of randomness + is keyboard input. <code class="filename">randomdev</code> + specifies + the name of a character device or file containing random + data to be used instead of the default. The special value + <code class="filename">keyboard</code> indicates that keyboard + input should be used. + </p></dd> +<dt><span class="term">-s <em class="replaceable"><code>address</code></em></span></dt> +<dd><p> + Specifies the IP address where <span><strong class="command">named</strong></span> + listens for command channel connections from + <span><strong class="command">rndc</strong></span>. The default is the loopback + address 127.0.0.1. + </p></dd> +<dt><span class="term">-t <em class="replaceable"><code>chrootdir</code></em></span></dt> +<dd><p> + Used with the <span><strong class="command">-a</strong></span> option to specify + a directory where <span><strong class="command">named</strong></span> will run + chrooted. An additional copy of the <code class="filename">rndc.key</code> + will be written relative to this directory so that + it will be found by the chrooted <span><strong class="command">named</strong></span>. 
+ </p></dd> +<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt> +<dd><p> + Used with the <span><strong class="command">-a</strong></span> option to set the + owner + of the <code class="filename">rndc.key</code> file generated. + If + <span><strong class="command">-t</strong></span> is also specified only the file + in + the chroot area has its owner changed. + </p></dd> +</dl></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2543790"></a><h2>EXAMPLES</h2> +<p> + To allow <span><strong class="command">rndc</strong></span> to be used with + no manual configuration, run + </p> +<p><strong class="userinput"><code>rndc-confgen -a</code></strong> + </p> +<p> + To print a sample <code class="filename">rndc.conf</code> file and + corresponding <span><strong class="command">controls</strong></span> and <span><strong class="command">key</strong></span> + statements to be manually inserted into <code class="filename">named.conf</code>, + run + </p> +<p><strong class="userinput"><code>rndc-confgen</code></strong> + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2543832"></a><h2>SEE ALSO</h2> +<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>, + <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>, + <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, + <em class="citetitle">BIND 9 Administrator Reference Manual</em>. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2543870"></a><h2>AUTHOR</h2> +<p><span class="corpauthor">Internet Systems Consortium</span> + </p> +</div> +</div></body> +</html> diff --git a/contrib/bind9/bin/confgen/unix/Makefile.in b/contrib/bind9/bin/confgen/unix/Makefile.in new file mode 100644 index 000000000000..1785e0d0f4de --- /dev/null +++ b/contrib/bind9/bin/confgen/unix/Makefile.in 
@@ -0,0 +1,35 @@
+# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.3 2009-06-11 23:47:55 tbox Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I${srcdir}/include -I${srcdir}/../include \
+ ${DNS_INCLUDES} ${ISC_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+OBJS = os.@O@
+
+SRCS = os.c
+
+TARGETS = ${OBJS}
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/bin/confgen/unix/os.c b/contrib/bind9/bin/confgen/unix/os.c
new file mode 100644
index 000000000000..e439a5182648
--- /dev/null
+++ b/contrib/bind9/bin/confgen/unix/os.c
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: os.c,v 1.3 2009-06-11 23:47:55 tbox Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <confgen/os.h>
+
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <pwd.h>
+#include <errno.h>
+#include <stdio.h>
+#include <sys/stat.h>
+
+int
+set_user(FILE *fd, const char *user) {
+ struct passwd *pw;
+
+ pw = getpwnam(user);
+ if (pw == NULL) {
+ errno = EINVAL;
+ return (-1);
+ }
+ return (fchown(fileno(fd), pw->pw_uid, -1));
+}
diff --git a/contrib/bind9/bin/confgen/util.c b/contrib/bind9/bin/confgen/util.c
new file mode 100644
index 000000000000..158a8d355818
--- /dev/null
+++ b/contrib/bind9/bin/confgen/util.c
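Review bot: set_user() overwrites errno with EINVAL whenever getpwnam() returns NULL, which conflates "no such user" with a failed lookup, since getpwnam() may set errno on an error of its own and leaves it untouched when the name simply does not exist. Clear errno before the call and only substitute EINVAL when the lookup reported nothing: `errno = 0; pw = getpwnam(user); if (pw == NULL) { if (errno == 0) errno = EINVAL; return (-1); }`. The group argument to fchown() is clearer as `(gid_t)-1`, making the "leave unchanged" sentinel explicit instead of an implicit conversion of a signed literal. A short header comment would help too, e.g. `/* Change the owner of the open file 'fd' to 'user'; the group and the mode are left untouched, so the caller must set a suitable mode on the key file itself. */`, since the man page in this commit applies this to the generated rndc.key. `<fcntl.h>` and `<sys/stat.h>` are not used by anything in the file and could be dropped.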
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: util.c,v 1.3 2009-06-11 23:47:55 tbox Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdarg.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+#include <isc/boolean.h>
+
+#include "util.h"
+
+extern isc_boolean_t verbose;
+extern const char *progname;
+
+void
+notify(const char *fmt, ...) {
+ va_list ap;
+
+ if (verbose) {
+ va_start(ap, fmt);
+ vfprintf(stderr, fmt, ap);
+ va_end(ap);
+ fputs("\n", stderr);
+ }
+}
+
+void
+fatal(const char *format, ...) {
+ va_list args;
+
+ fprintf(stderr, "%s: ", progname);
+ va_start(args, format);
+ vfprintf(stderr, format, args);
+ va_end(args);
+ fprintf(stderr, "\n");
+ exit(1);
+}
diff --git a/contrib/bind9/bin/confgen/util.h b/contrib/bind9/bin/confgen/util.h
new file mode 100644
index 000000000000..651b6e558cf2
--- /dev/null
+++ b/contrib/bind9/bin/confgen/util.h
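Review bot: notify() and fatal() carry no header comments; add `/*% Print a newline-terminated message to stderr, only when the global 'verbose' flag is set. */` above notify() and `/*% Print "progname: message" to stderr and exit(1); never returns. */` above fatal(). fatal() prints the extern `progname` through `%s` with no NULL guard, so the comment should also state that main() is expected to assign it before any call can happen — that expectation is not visible in this file. The two functions terminate the line differently, `fputs("\n", stderr)` in notify() versus `fprintf(stderr, "\n")` in fatal(); using `fputs` in both keeps them consistent. Both prototypes are declared with ISC_FORMAT_PRINTF in util.h, so the compiler checks their arguments; callers should keep passing literal format strings and route untrusted text through `%s` rather than through `fmt`.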
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: util.h,v 1.4 2009-09-29 15:06:05 fdupont Exp $ */
+
+#ifndef RNDC_UTIL_H
+#define RNDC_UTIL_H 1
+
+/*! \file */
+
+#include <isc/lang.h>
+#include <isc/platform.h>
+
+#include <isc/formatcheck.h>
+
+#define NS_CONTROL_PORT 953
+
+#undef DO
+#define DO(name, function) \
+ do { \
+ result = function; \
+ if (result != ISC_R_SUCCESS) \
+ fatal("%s: %s", name, isc_result_totext(result)); \
+ else \
+ notify("%s", name); \
+ } while (0)
+
+ISC_LANG_BEGINDECLS
+
+void
+notify(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2);
+
+ISC_PLATFORM_NORETURN_PRE void
+fatal(const char *format, ...)
+ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
+
+ISC_LANG_ENDDECLS
+
+#endif /* RNDC_UTIL_H */ |
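Review bot: The DO() macro depends on a variable named `result` of type isc_result_t and on fatal()/notify() being visible in the scope where it is expanded, and nothing on the macro says so; add a comment above it such as `/* Evaluate 'function' once into the caller's isc_result_t 'result'; on failure abort via fatal() naming 'name', otherwise notify() 'name' (verbose only). */`. The `#undef DO` immediately before the definition silences any clashing definition from an included header instead of letting the compiler report it; if that is intentional it deserves a one-line comment, otherwise it is safer to drop it. `NS_CONTROL_PORT 953` should say that it must agree with the -p default documented in the rndc-confgen man page in this same commit, since the two are maintained separately.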