Aren/NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

merge changes

Browse Source
This commit is contained in:
christos 2010-12-02 14:52:17 +00:00
parent c27878d85f
commit dfcdd76889
18 changed files with 649 additions and 1677 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
external/bsd/bind/dist/bin/dig/dighost.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: dighost.c,v 1.5 2010/08/06 10:58:03 christos Exp $ */
/* $NetBSD: dighost.c,v 1.6 2010/12/02 14:52:17 christos Exp $ */
/*
* Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
@ -17,7 +17,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* Id: dighost.c,v 1.328.22.3 2010/06/24 07:29:07 marka Exp */
/* Id: dighost.c,v 1.328.22.4 2010/08/10 08:43:40 marka Exp */
/*! \file
* \note
@ -1388,14 +1388,15 @@ add_opt(dns_message_t *msg, isc_uint16_t udpsize, isc_uint16_t edns,
if (dnssec)
rdatalist->ttl |= DNS_MESSAGEEXTFLAG_DO;
if (nsid) {
unsigned char data[4];
isc_buffer_t buf;
isc_buffer_t *b = NULL;
isc_buffer_init(&buf, data, sizeof(data));
isc_buffer_putuint16(&buf, DNS_OPT_NSID);
isc_buffer_putuint16(&buf, 0);
rdata->data = data;
rdata->length = sizeof(data);
result = isc_buffer_allocate(mctx, &b, 4);
check_result(result, "isc_buffer_allocate");
isc_buffer_putuint16(b, DNS_OPT_NSID);
isc_buffer_putuint16(b, 0);
rdata->data = isc_buffer_base(b);
rdata->length = isc_buffer_usedlength(b);
dns_message_takebuffer(msg, &b);
} else {
rdata->data = NULL;
rdata->length = 0;

355
external/bsd/bind/dist/bin/dnssec/dnssec-keygen.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: dnssec-keygen.c,v 1.4 2010/08/06 10:58:03 christos Exp $ */
/* $NetBSD: dnssec-keygen.c,v 1.5 2010/12/02 14:52:18 christos Exp $ */
/*
* Portions Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
@ -31,7 +31,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* Id: dnssec-keygen.c,v 1.108.8.4 2010/01/19 23:48:12 tbox Exp */
/* Id: dnssec-keygen.c,v 1.108.8.6 2010/08/16 23:46:30 tbox Exp */
/*! \file */
@ -94,27 +94,27 @@ usage(void) {
"NSEC3RSASHA1 if using -3)\n");
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
fprintf(stderr, " -b <key size in bits>:\n");
fprintf(stderr, " RSAMD5:\t[512..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA1:\t[512..%d]\n", MAX_RSA);
fprintf(stderr, " NSEC3RSASHA1:\t[512..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA256:\t[512..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA512:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " DH:\t\t[128..4096]\n");
fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n");
fprintf(stderr, " NSEC3DSA:\t[512..1024] and divisible "
fprintf(stderr, " RSAMD5:\t[512..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA1:\t[512..%d]\n", MAX_RSA);
fprintf(stderr, " NSEC3RSASHA1:\t[512..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA256:\t[512..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA512:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " DH:\t\t[128..4096]\n");
fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n");
fprintf(stderr, " NSEC3DSA:\t[512..1024] and divisible "
"by 64\n");
fprintf(stderr, " HMAC-MD5:\t[1..512]\n");
fprintf(stderr, " HMAC-SHA1:\t[1..160]\n");
fprintf(stderr, " HMAC-SHA224:\t[1..224]\n");
fprintf(stderr, " HMAC-SHA256:\t[1..256]\n");
fprintf(stderr, " HMAC-SHA384:\t[1..384]\n");
fprintf(stderr, " HMAC-SHA512:\t[1..512]\n");
fprintf(stderr, " HMAC-MD5:\t[1..512]\n");
fprintf(stderr, " HMAC-SHA1:\t[1..160]\n");
fprintf(stderr, " HMAC-SHA224:\t[1..224]\n");
fprintf(stderr, " HMAC-SHA256:\t[1..256]\n");
fprintf(stderr, " HMAC-SHA384:\t[1..384]\n");
fprintf(stderr, " HMAC-SHA512:\t[1..512]\n");
fprintf(stderr, " (if using the default algorithm, key size\n"
" defaults to 2048 for KSK, or 1024 for all "
"others)\n");
fprintf(stderr, " -n <nametype>: ZONE | HOST | ENTITY | "
"USER | OTHER\n");
fprintf(stderr, " (DNSKEY generation defaults to ZONE)\n");
fprintf(stderr, " (DNSKEY generation defaults to ZONE)\n");
fprintf(stderr, " -c <class>: (default: IN)\n");
fprintf(stderr, " -d <digest bits> (0 => max, default)\n");
#ifdef USE_PKCS11
@ -138,7 +138,7 @@ usage(void) {
fprintf(stderr, " -h: print usage and exit\n");
fprintf(stderr, " -m <memory debugging mode>:\n");
fprintf(stderr, " usage | trace | record | size | mctx\n");
fprintf(stderr, " usage | trace | record | size | mctx\n");
fprintf(stderr, " -v <level>: set verbosity level (0 - 10)\n");
fprintf(stderr, "Timing options:\n");
fprintf(stderr, " -P date/[+-]offset/none: set key publication date "
@ -153,6 +153,11 @@ usage(void) {
fprintf(stderr, " -G: generate key only; do not set -P or -A\n");
fprintf(stderr, " -C: generate a backward-compatible key, omitting "
"all dates\n");
fprintf(stderr, " -S <key>: generate a successor to an existing "
"key\n");
fprintf(stderr, " -i <interval>: prepublication interval for "
"successor key "
"(default: 30 days)\n");
fprintf(stderr, "Output:\n");
fprintf(stderr, " K<name>+<alg>+<id>.key, "
"K<name>+<alg>+<id>.private\n");
@ -192,7 +197,7 @@ progress(int p)
int
main(int argc, char **argv) {
char *algname = NULL, *nametype = NULL, *type = NULL;
char *algname = NULL, *nametype = NULL, *type = NULL;
char *classname = NULL;
char *endp;
dst_key_t *key = NULL;
@ -209,6 +214,8 @@ main(int argc, char **argv) {
isc_textregion_t r;
char filename[255];
const char *directory = NULL;
const char *predecessor = NULL;
dst_key_t *prevkey = NULL;
isc_buffer_t buf;
isc_log_t *log = NULL;
isc_entropy_t *ectx = NULL;
@ -224,6 +231,7 @@ main(int argc, char **argv) {
isc_stdtime_t publish = 0, activate = 0, revoke = 0;
isc_stdtime_t inactive = 0, delete = 0;
isc_stdtime_t now;
int prepub = -1;
isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE;
isc_boolean_t setdel = ISC_FALSE;
@ -245,7 +253,7 @@ main(int argc, char **argv) {
/*
* Process memory debugging argument first.
*/
#define CMDLINE_FLAGS "3a:b:Cc:d:E:eFf:g:K:km:n:p:qr:s:T:t:v:hGP:A:R:I:D:"
#define CMDLINE_FLAGS "3A:a:b:Cc:D:d:E:eFf:Gg:hI:i:K:km:n:P:p:qR:r:S:s:T:t:v:"
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
case 'm':
@ -438,6 +446,12 @@ main(int argc, char **argv) {
unsetdel = ISC_TRUE;
}
break;
case 'S':
predecessor = isc_commandline_argument;
break;
case 'i':
prepub = strtottl(isc_commandline_argument);
break;
case 'F':
/* Reserved for FIPS mode */
/* FALLTHROUGH */
@ -469,87 +483,205 @@ main(int argc, char **argv) {
setup_logging(verbose, mctx, &log);
if (argc < isc_commandline_index + 1)
fatal("the key name was not specified");
if (argc > isc_commandline_index + 1)
fatal("extraneous arguments");
if (predecessor == NULL) {
if (prepub == -1)
prepub = 0;
if (algname == NULL) {
use_default = ISC_TRUE;
if (use_nsec3)
algname = strdup(DEFAULT_NSEC3_ALGORITHM);
else
algname = strdup(DEFAULT_ALGORITHM);
if (verbose > 0)
fprintf(stderr, "no algorithm specified; "
"defaulting to %s\n", algname);
}
if (argc < isc_commandline_index + 1)
fatal("the key name was not specified");
if (argc > isc_commandline_index + 1)
fatal("extraneous arguments");
if (strcasecmp(algname, "RSA") == 0) {
fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n"
"If you still wish to use RSA (RSAMD5) please "
"specify \"-a RSAMD5\"\n");
return (1);
} else if (strcasecmp(algname, "HMAC-MD5") == 0) {
options |= DST_TYPE_KEY;
alg = DST_ALG_HMACMD5;
} else if (strcasecmp(algname, "HMAC-SHA1") == 0) {
options |= DST_TYPE_KEY;
alg = DST_ALG_HMACSHA1;
} else if (strcasecmp(algname, "HMAC-SHA224") == 0) {
options |= DST_TYPE_KEY;
alg = DST_ALG_HMACSHA224;
} else if (strcasecmp(algname, "HMAC-SHA256") == 0) {
options |= DST_TYPE_KEY;
alg = DST_ALG_HMACSHA256;
} else if (strcasecmp(algname, "HMAC-SHA384") == 0) {
options |= DST_TYPE_KEY;
alg = DST_ALG_HMACSHA384;
} else if (strcasecmp(algname, "HMAC-SHA512") == 0) {
options |= DST_TYPE_KEY;
alg = DST_ALG_HMACSHA512;
} else {
r.base = algname;
r.length = strlen(algname);
ret = dns_secalg_fromtext(&alg, &r);
dns_fixedname_init(&fname);
name = dns_fixedname_name(&fname);
isc_buffer_init(&buf, argv[isc_commandline_index],
strlen(argv[isc_commandline_index]));
isc_buffer_add(&buf, strlen(argv[isc_commandline_index]));
ret = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
if (ret != ISC_R_SUCCESS)
fatal("unknown algorithm %s", algname);
if (alg == DST_ALG_DH)
options |= DST_TYPE_KEY;
}
fatal("invalid key name %s: %s",
argv[isc_commandline_index],
isc_result_totext(ret));
if (use_nsec3 &&
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512) {
fatal("%s is incompatible with NSEC3; "
"do not use the -3 option", algname);
}
if (type != NULL && (options & DST_TYPE_KEY) != 0) {
if (strcasecmp(type, "NOAUTH") == 0)
flags |= DNS_KEYTYPE_NOAUTH;
else if (strcasecmp(type, "NOCONF") == 0)
flags |= DNS_KEYTYPE_NOCONF;
else if (strcasecmp(type, "NOAUTHCONF") == 0) {
flags |= (DNS_KEYTYPE_NOAUTH | DNS_KEYTYPE_NOCONF);
if (size < 0)
size = 0;
}
else if (strcasecmp(type, "AUTHCONF") == 0)
/* nothing */;
else
fatal("invalid type %s", type);
}
if (size < 0) {
if (use_default) {
size = ((kskflag & DNS_KEYFLAG_KSK) != 0) ? 2048 : 1024;
if (algname == NULL) {
use_default = ISC_TRUE;
if (use_nsec3)
algname = strdup(DEFAULT_NSEC3_ALGORITHM);
else
algname = strdup(DEFAULT_ALGORITHM);
if (verbose > 0)
fprintf(stderr, "key size not specified; "
"defaulting to %d\n", size);
} else {
fatal("key size not specified (-b option)");
fprintf(stderr, "no algorithm specified; "
"defaulting to %s\n", algname);
}
if (strcasecmp(algname, "RSA") == 0) {
fprintf(stderr, "The use of RSA (RSAMD5) is not "
"recommended.\nIf you still wish to "
"use RSA (RSAMD5) please specify "
"\"-a RSAMD5\"\n");
return (1);
} else if (strcasecmp(algname, "HMAC-MD5") == 0)
alg = DST_ALG_HMACMD5;
else if (strcasecmp(algname, "HMAC-SHA1") == 0)
alg = DST_ALG_HMACSHA1;
else if (strcasecmp(algname, "HMAC-SHA224") == 0)
alg = DST_ALG_HMACSHA224;
else if (strcasecmp(algname, "HMAC-SHA256") == 0)
alg = DST_ALG_HMACSHA256;
else if (strcasecmp(algname, "HMAC-SHA384") == 0)
alg = DST_ALG_HMACSHA384;
else if (strcasecmp(algname, "HMAC-SHA512") == 0)
alg = DST_ALG_HMACSHA512;
else {
r.base = algname;
r.length = strlen(algname);
ret = dns_secalg_fromtext(&alg, &r);
if (ret != ISC_R_SUCCESS)
fatal("unknown algorithm %s", algname);
if (alg == DST_ALG_DH)
options |= DST_TYPE_KEY;
}
if (use_nsec3 &&
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512) {
fatal("%s is incompatible with NSEC3; "
"do not use the -3 option", algname);
}
if (type != NULL && (options & DST_TYPE_KEY) != 0) {
if (strcasecmp(type, "NOAUTH") == 0)
flags |= DNS_KEYTYPE_NOAUTH;
else if (strcasecmp(type, "NOCONF") == 0)
flags |= DNS_KEYTYPE_NOCONF;
else if (strcasecmp(type, "NOAUTHCONF") == 0) {
flags |= (DNS_KEYTYPE_NOAUTH |
DNS_KEYTYPE_NOCONF);
if (size < 0)
size = 0;
}
else if (strcasecmp(type, "AUTHCONF") == 0)
/* nothing */;
else
fatal("invalid type %s", type);
}
if (size < 0) {
if (use_default) {
if ((kskflag & DNS_KEYFLAG_KSK) != 0)
size = 2048;
else
size = 1024;
if (verbose > 0)
fprintf(stderr, "key size not "
"specified; defaulting "
"to %d\n", size);
} else {
fatal("key size not specified (-b option)");
}
}
if (!oldstyle && prepub > 0) {
if (setpub && setact && (activate - prepub) < publish)
fatal("Activation and publication dates "
"are closer together than the\n\t"
"prepublication interval.");
if (!setpub && !setact) {
setpub = setact = ISC_TRUE;
publish = now;
activate = now + prepub;
} else if (setpub && !setact) {
setact = ISC_TRUE;
activate = publish + prepub;
} else if (setact && !setpub) {
setpub = ISC_TRUE;
publish = activate - prepub;
}
if ((activate - prepub) < now)
fatal("Time until activation is shorter "
"than the\n\tprepublication interval.");
}
} else {
char keystr[DST_KEY_FORMATSIZE];
isc_stdtime_t when;
int major, minor;
if (prepub == -1)
prepub = (30 * 86400);
if (algname != NULL)
fatal("-S and -a cannot be used together");
if (size >= 0)
fatal("-S and -b cannot be used together");
if (nametype != NULL)
fatal("-S and -n cannot be used together");
if (type != NULL)
fatal("-S and -t cannot be used together");
if (setpub || unsetpub)
fatal("-S and -P cannot be used together");
if (setact || unsetact)
fatal("-S and -A cannot be used together");
if (use_nsec3)
fatal("-S and -3 cannot be used together");
if (oldstyle)
fatal("-S and -C cannot be used together");
if (genonly)
fatal("-S and -G cannot be used together");
ret = dst_key_fromnamedfile(predecessor, directory,
DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
mctx, &prevkey);
if (ret != ISC_R_SUCCESS)
fatal("Invalid keyfile %s: %s",
filename, isc_result_totext(ret));
if (!dst_key_isprivate(prevkey))
fatal("%s is not a private key", filename);
name = dst_key_name(prevkey);
alg = dst_key_alg(prevkey);
size = dst_key_size(prevkey);
flags = dst_key_flags(prevkey);
dst_key_format(prevkey, keystr, sizeof(keystr));
dst_key_getprivateformat(prevkey, &major, &minor);
if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION)
fatal("Key %s has incompatible format version %d.%d\n\t"
"It is not possible to generate a successor key.",
keystr, major, minor);
ret = dst_key_gettime(prevkey, DST_TIME_ACTIVATE, &when);
if (ret != ISC_R_SUCCESS)
fatal("Key %s has no activation date.\n\t"
"You must use dnssec-settime -A to set one "
"before generating a successor.", keystr);
ret = dst_key_gettime(prevkey, DST_TIME_INACTIVE, &activate);
if (ret != ISC_R_SUCCESS)
fatal("Key %s has no inactivation date.\n\t"
"You must use dnssec-settime -I to set one "
"before generating a successor.", keystr);
publish = activate - prepub;
if (publish < now)
fatal("Key %s becomes inactive\n\t"
"sooner than the prepublication period "
"for the new key ends.\n\t"
"Either change the inactivation date with "
"dnssec-settime -I,\n\t"
"or use the -i option to set a shorter "
"prepublication interval.", keystr);
ret = dst_key_gettime(prevkey, DST_TIME_DELETE, &when);
if (ret != ISC_R_SUCCESS)
fprintf(stderr, "%s: WARNING: Key %s has no removal "
"date;\n\t it will remain in the zone "
"indefinitely after rollover.\n\t "
"You can use dnssec-settime -D to "
"change this.\n", program, keystr);
setpub = setact = ISC_TRUE;
}
switch (alg) {
@ -574,6 +706,7 @@ main(int argc, char **argv) {
fatal("invalid DSS key size: %d", size);
break;
case DST_ALG_HMACMD5:
options |= DST_TYPE_KEY;
if (size < 1 || size > 512)
fatal("HMAC-MD5 key size %d out of range", size);
if (dbits != 0 && (dbits < 80 || dbits > 128))
@ -583,6 +716,7 @@ main(int argc, char **argv) {
dbits);
break;
case DST_ALG_HMACSHA1:
options |= DST_TYPE_KEY;
if (size < 1 || size > 160)
fatal("HMAC-SHA1 key size %d out of range", size);
if (dbits != 0 && (dbits < 80 || dbits > 160))
@ -592,6 +726,7 @@ main(int argc, char **argv) {
dbits);
break;
case DST_ALG_HMACSHA224:
options |= DST_TYPE_KEY;
if (size < 1 || size > 224)
fatal("HMAC-SHA224 key size %d out of range", size);
if (dbits != 0 && (dbits < 112 || dbits > 224))
@ -601,6 +736,7 @@ main(int argc, char **argv) {
dbits);
break;
case DST_ALG_HMACSHA256:
options |= DST_TYPE_KEY;
if (size < 1 || size > 256)
fatal("HMAC-SHA256 key size %d out of range", size);
if (dbits != 0 && (dbits < 128 || dbits > 256))
@ -610,6 +746,7 @@ main(int argc, char **argv) {
dbits);
break;
case DST_ALG_HMACSHA384:
options |= DST_TYPE_KEY;
if (size < 1 || size > 384)
fatal("HMAC-384 key size %d out of range", size);
if (dbits != 0 && (dbits < 192 || dbits > 384))
@ -619,6 +756,7 @@ main(int argc, char **argv) {
dbits);
break;
case DST_ALG_HMACSHA512:
options |= DST_TYPE_KEY;
if (size < 1 || size > 512)
fatal("HMAC-SHA512 key size %d out of range", size);
if (dbits != 0 && (dbits < 256 || dbits > 512))
@ -687,16 +825,6 @@ main(int argc, char **argv) {
fatal("a key with algorithm '%s' cannot be a zone key",
algname);
dns_fixedname_init(&fname);
name = dns_fixedname_name(&fname);
isc_buffer_init(&buf, argv[isc_commandline_index],
strlen(argv[isc_commandline_index]));
isc_buffer_add(&buf, strlen(argv[isc_commandline_index]));
ret = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
if (ret != ISC_R_SUCCESS)
fatal("invalid key name %s: %s", argv[isc_commandline_index],
isc_result_totext(ret));
switch(alg) {
case DNS_KEYALG_RSAMD5:
case DNS_KEYALG_RSASHA1:
@ -765,9 +893,18 @@ main(int argc, char **argv) {
/*
* Set key timing metadata (unless using -C)
*
* Publish and activation dates are set to "now" by default,
* but can be overridden. Creation date is always set to
* "now".
* Creation date is always set to "now".
*
* For a new key without an explicit predecessor, publish
* and activation dates are set to "now" by default, but
* can both be overridden.
*
* For a successor key, activation is set to match the
* predecessor's inactivation date. Publish is set to 30
* days earlier than that (XXX: this should be configurable).
* If either of the resulting dates are in the past, that's
* an error; the inactivation date of the predecessor key
* must be updated before a successor key can be created.
*/
if (!oldstyle) {
dst_key_settime(key, DST_TIME_CREATED, now);
@ -862,6 +999,8 @@ main(int argc, char **argv) {
ret = dst_key_buildfilename(key, 0, NULL, &buf);
printf("%s\n", filename);
dst_key_free(&key);
if (prevkey != NULL)
dst_key_free(&prevkey);
cleanup_logging(&log);
cleanup_entropy(&ectx);

6
external/bsd/bind/dist/bin/named/main.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: main.c,v 1.5 2010/08/06 10:58:04 christos Exp $ */
/* $NetBSD: main.c,v 1.6 2010/12/02 14:52:18 christos Exp $ */
/*
* Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
@ -17,7 +17,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* Id: main.c,v 1.175.60.3 2010/06/26 23:46:27 tbox Exp */
/* Id: main.c,v 1.175.60.3.8.1 2010/09/15 12:13:29 marka Exp */
/*! \file */
@ -511,6 +511,8 @@ parse_command_line(int argc, char *argv[]) {
ns_g_clienttest = ISC_TRUE;
else if (!strcmp(isc_commandline_argument, "nosoa"))
ns_g_nosoa = ISC_TRUE;
else if (!strcmp(isc_commandline_argument, "noaa"))
ns_g_noaa = ISC_TRUE;
else if (!strcmp(isc_commandline_argument, "maxudp512"))
maxudp = 512;
else if (!strcmp(isc_commandline_argument, "maxudp1460"))

538
external/bsd/bind/dist/bin/named/server.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: server.c,v 1.5 2010/08/06 10:58:04 christos Exp $ */
/* $NetBSD: server.c,v 1.6 2010/12/02 14:52:18 christos Exp $ */
/*
* Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
@ -17,7 +17,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* Id: server.c,v 1.556.8.20 2010/07/19 06:14:11 marka Exp */
/* Id: server.c,v 1.556.8.27.6.3 2010/11/16 02:26:24 sar Exp */
/*! \file */
@ -205,6 +205,17 @@ struct zonelistentry {
ISC_LINK(struct zonelistentry) link;
};
/*%
* Configuration context to retain for each view that allows
* new zones to be added at runtime
*/
struct cfg_context {
isc_mem_t * mctx;
cfg_obj_t * config;
cfg_parser_t * parser;
cfg_aclconfctx_t actx;
};
/*
* These zones should not leak onto the Internet.
*/
@ -256,9 +267,6 @@ static const struct {
/* Example Prefix, RFC 3849. */
{ "8.B.D.0.1.0.0.2.IP6.ARPA", ISC_FALSE },
/* ORCHID Prefix, RFC 4843. */
{ "0.1.1.0.0.2.IP6.ARPA", ISC_FALSE },
{ NULL, ISC_FALSE }
};
@ -288,7 +296,7 @@ configure_alternates(const cfg_obj_t *config, dns_view_t *view,
static isc_result_t
configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
cfg_aclconfctx_t *aclconf);
cfg_aclconfctx_t *aclconf, isc_boolean_t added);
static isc_result_t
add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx);
@ -296,14 +304,8 @@ add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx);
static void
end_reserved_dispatches(ns_server_t *server, isc_boolean_t all);
/*
* Stores config for building zones after the fact
*/
static cfg_obj_t *nzf_config = NULL;
static cfg_parser_t *nzf_parser = NULL;
static const char *nzf_file = NULL;
static const cfg_obj_t *nzf_option = NULL;
static cfg_aclconfctx_t nzf_actx;
static void
cfgctx_destroy(void **cfgp);
/*%
* Configure a single view ACL at '*aclp'. Get its configuration from
@ -1295,10 +1297,11 @@ cache_sharable(dns_view_t *originview, dns_view_t *view,
* global defaults in 'config' used exclusively.
*/
static isc_result_t
configure_view(dns_view_t *view, const cfg_obj_t *config,
const cfg_obj_t *vconfig, ns_cachelist_t *cachelist,
const cfg_obj_t *bindkeys, isc_mem_t *mctx,
cfg_aclconfctx_t *actx, isc_boolean_t need_hints)
configure_view(dns_view_t *view, cfg_parser_t* parser,
cfg_obj_t *config, cfg_obj_t *vconfig,
ns_cachelist_t *cachelist, const cfg_obj_t *bindkeys,
isc_mem_t *mctx, cfg_aclconfctx_t *actx,
isc_boolean_t need_hints)
{
const cfg_obj_t *maps[4];
const cfg_obj_t *cfgmaps[3];
@ -1351,6 +1354,8 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
isc_boolean_t auto_dlv = ISC_FALSE;
ns_cache_t *nsc;
isc_boolean_t zero_no_soattl;
cfg_parser_t *newzones_parser = NULL;
cfg_obj_t *nzfconf = NULL;
REQUIRE(DNS_VIEW_VALID(view));
@ -1441,6 +1446,14 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
dns_acache_setcachesize(view->acache, max_acache_size);
}
CHECK(configure_view_acl(vconfig, config, "allow-query", NULL, actx,
ns_g_mctx, &view->queryacl));
if (view->queryacl == NULL) {
CHECK(configure_view_acl(NULL, ns_g_config, "allow-query",
NULL, actx, ns_g_mctx,
&view->queryacl));
}
/*
* Configure the zones.
*/
@ -1455,7 +1468,62 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
{
const cfg_obj_t *zconfig = cfg_listelt_value(element);
CHECK(configure_zone(config, zconfig, vconfig, mctx, view,
actx));
actx, ISC_FALSE));
}
/*
* Are we allowing zones to be added and deleted dynamically?
*/
obj = NULL;
result = ns_config_get(maps, "allow-new-zones", &obj);
if (result == ISC_R_SUCCESS) {
isc_boolean_t allow = cfg_obj_asboolean(obj);
struct cfg_context *cfg = NULL;
if (allow) {
cfg = isc_mem_get(view->mctx, sizeof(*cfg));
if (cfg == NULL) {
result = ISC_R_NOMEMORY;
goto cleanup;
}
memset(cfg, 0, sizeof(*cfg));
isc_mem_attach(view->mctx, &cfg->mctx);
if (config != NULL)
cfg_obj_attach(config, &cfg->config);
cfg_parser_attach(parser, &cfg->parser);
cfg_aclconfctx_clone(actx, &cfg->actx);
}
dns_view_setnewzones(view, allow, cfg, cfgctx_destroy);
}
/*
* If we're allowing added zones, then load zone configuration
* from the newzone file for zones that were added during previous
* runs.
*/
if (view->new_zone_file != NULL) {
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
"loading additional zones for view '%s'",
view->name);
CHECK(cfg_parser_create(view->mctx, ns_g_lctx,
&newzones_parser));
result = cfg_parse_file(newzones_parser, view->new_zone_file,
&cfg_type_newzones, &nzfconf);
if (result == ISC_R_SUCCESS) {
zonelist = NULL;
cfg_map_get(nzfconf, "zone", &zonelist);
for (element = cfg_list_first(zonelist);
element != NULL;
element = cfg_list_next(element))
{
const cfg_obj_t *zconfig =
cfg_listelt_value(element);
CHECK(configure_zone(config, zconfig, vconfig,
mctx, view, actx,
ISC_TRUE));
}
}
}
#ifdef DLZ
@ -1994,13 +2062,13 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
* configured in named.conf.
*/
CHECK(configure_view_acl(vconfig, config, "allow-query-cache", NULL,
actx, ns_g_mctx, &view->queryacl));
actx, ns_g_mctx, &view->cacheacl));
CHECK(configure_view_acl(vconfig, config, "allow-query-cache-on", NULL,
actx, ns_g_mctx, &view->queryonacl));
if (view->queryonacl == NULL)
actx, ns_g_mctx, &view->cacheonacl));
if (view->cacheonacl == NULL)
CHECK(configure_view_acl(NULL, ns_g_config,
"allow-query-cache-on", NULL, actx,
ns_g_mctx, &view->queryonacl));
ns_g_mctx, &view->cacheonacl));
if (strcmp(view->name, "_bind") != 0) {
CHECK(configure_view_acl(vconfig, config, "allow-recursion",
NULL, actx, ns_g_mctx,
@ -2016,14 +2084,20 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
* "allow-recursion" inherits from "allow-query-cache" if set,
* otherwise from "allow-query" if set.
*/
if (view->queryacl == NULL && view->recursionacl != NULL)
dns_acl_attach(view->recursionacl, &view->queryacl);
if (view->queryacl == NULL && view->recursion)
if (view->cacheacl == NULL && view->recursionacl != NULL)
dns_acl_attach(view->recursionacl, &view->cacheacl);
/*
* XXXEACH: This call to configure_view_acl() is redundant. We
* are leaving it as it is because we are making a minimal change
* for a patch release. In the future this should be changed to
* dns_acl_attach(view->queryacl, &view->cacheacl).
*/
if (view->cacheacl == NULL && view->recursion)
CHECK(configure_view_acl(vconfig, config, "allow-query", NULL,
actx, ns_g_mctx, &view->queryacl));
actx, ns_g_mctx, &view->cacheacl));
if (view->recursion &&
view->recursionacl == NULL && view->queryacl != NULL)
dns_acl_attach(view->queryacl, &view->recursionacl);
view->recursionacl == NULL && view->cacheacl != NULL)
dns_acl_attach(view->cacheacl, &view->recursionacl);
/*
* Set default "allow-recursion", "allow-recursion-on" and
@ -2039,17 +2113,14 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
"allow-recursion-on", NULL,
actx, ns_g_mctx,
&view->recursiononacl));
if (view->queryacl == NULL) {
if (view->cacheacl == NULL) {
if (view->recursion)
CHECK(configure_view_acl(NULL, ns_g_config,
"allow-query-cache", NULL,
actx, ns_g_mctx,
&view->queryacl));
else {
if (view->queryacl != NULL)
dns_acl_detach(&view->queryacl);
CHECK(dns_acl_none(ns_g_mctx, &view->queryacl));
}
&view->cacheacl));
else
CHECK(dns_acl_none(mctx, &view->cacheacl));
}
/*
@ -2467,6 +2538,12 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
if (cache != NULL)
dns_cache_detach(&cache);
if (newzones_parser != NULL) {
if (nzfconf != NULL)
cfg_obj_destroy(newzones_parser, &nzfconf);
cfg_parser_destroy(&newzones_parser);
}
return (result);
}
@ -2720,7 +2797,7 @@ create_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist,
static isc_result_t
configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
cfg_aclconfctx_t *aclconf)
cfg_aclconfctx_t *aclconf, isc_boolean_t added)
{
dns_view_t *pview = NULL; /* Production view */
dns_zone_t *zone = NULL; /* New or reused zone */
@ -2933,6 +3010,11 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
CHECK(dns_view_adddelegationonly(view, origin));
}
/*
* Mark whether the zone was originally added at runtime or not
*/
dns_zone_setadded(zone, added);
/*
* Configure the zone.
*/
@ -4013,17 +4095,6 @@ load_configuration(const char *filename, ns_server_t *server,
}
}
/* Are we preserving config for adding zones dynamically? */
obj = NULL;
result = cfg_map_get(options, "new-zone-file", &obj);
if (obj && nzf_option == NULL) {
nzf_file = cfg_obj_asstring(obj);
if (nzf_file && *nzf_file) {
/* Remember this configuration */
nzf_option = config;
}
}
/*
* Rescan the interface list to pick up changes in the
* listen-on option. It's important that we do this before we try
@ -4111,28 +4182,14 @@ load_configuration(const char *filename, ns_server_t *server,
element != NULL;
element = cfg_list_next(element))
{
const cfg_obj_t *vconfig = cfg_listelt_value(element);
cfg_obj_t *vconfig = cfg_listelt_value(element);
view = NULL;
CHECK(create_view(vconfig, &viewlist, &view));
INSIST(view != NULL);
CHECK(configure_view(view, config, vconfig,
CHECK(configure_view(view, conf_parser, config, vconfig,
&cachelist, bindkeys,
ns_g_mctx, &aclconfctx, ISC_TRUE));
if (vconfig != NULL) {
/*
* Are we preserving config for dynamically added
* zones?
*/
const cfg_obj_t *voptions;
voptions = cfg_tuple_get(vconfig, "options");
obj = NULL;
result = cfg_map_get(voptions, "new-zone-file", &obj);
if (obj && nzf_option == NULL)
nzf_option = config;
}
dns_view_freeze(view);
dns_view_detach(&view);
}
@ -4149,7 +4206,7 @@ load_configuration(const char *filename, ns_server_t *server,
* In either case, we need to configure and freeze it.
*/
CHECK(create_view(NULL, &viewlist, &view));
CHECK(configure_view(view, config, NULL,
CHECK(configure_view(view, conf_parser, config, NULL,
&cachelist, bindkeys,
ns_g_mctx, &aclconfctx, ISC_TRUE));
dns_view_freeze(view);
@ -4166,10 +4223,10 @@ load_configuration(const char *filename, ns_server_t *server,
element != NULL;
element = cfg_list_next(element))
{
const cfg_obj_t *vconfig = cfg_listelt_value(element);
cfg_obj_t *vconfig = cfg_listelt_value(element);
CHECK(create_view(vconfig, &builtin_viewlist, &view));
CHECK(configure_view(view, config, vconfig,
CHECK(configure_view(view, conf_parser, config, vconfig,
&cachelist, bindkeys,
ns_g_mctx, &aclconfctx, ISC_FALSE));
dns_view_freeze(view);
@ -4456,16 +4513,7 @@ load_configuration(const char *filename, ns_server_t *server,
if (v6portset != NULL)
isc_portset_destroy(ns_g_mctx, &v6portset);
/* Preserve config, we'll need it when adding zones */
if (nzf_option != NULL) {
nzf_parser = conf_parser;
conf_parser = NULL;
nzf_config = config;
config = NULL;
memcpy(&nzf_actx, &aclconfctx, sizeof(cfg_aclconfctx_t));
} else {
cfg_aclconfctx_destroy(&aclconfctx);
}
cfg_aclconfctx_clear(&aclconfctx);
if (conf_parser != NULL) {
if (config != NULL)
@ -4673,12 +4721,6 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
cfg_obj_destroy(ns_g_parser, &ns_g_config);
cfg_parser_destroy(&ns_g_parser);
if (nzf_config) {
cfg_aclconfctx_destroy(&nzf_actx);
cfg_obj_destroy(nzf_parser, &nzf_config);
cfg_parser_destroy(&nzf_parser);
}
for (view = ISC_LIST_HEAD(server->viewlist);
view != NULL;
view = view_next) {
@ -6436,14 +6478,18 @@ ns_server_tsiglist(ns_server_t *server, isc_buffer_t *text) {
}
/*
* Act on a "sign" command from the command channel.
* Act on a "sign" or "loadkeys" command from the command channel.
*/
isc_result_t
ns_server_sign(ns_server_t *server, char *args) {
ns_server_rekey(ns_server_t *server, char *args) {
isc_result_t result;
dns_zone_t *zone = NULL;
dns_zonetype_t type;
isc_uint16_t keyopts;
isc_boolean_t fullsign = ISC_FALSE;
if (strncasecmp(args, NS_COMMAND_SIGN, strlen(NS_COMMAND_SIGN)) == 0)
fullsign = ISC_TRUE;
result = zone_from_args(server, args, &zone, NULL);
if (result != ISC_R_SUCCESS)
@ -6458,10 +6504,14 @@ ns_server_sign(ns_server_t *server, char *args) {
}
keyopts = dns_zone_getkeyopts(zone);
if ((keyopts & DNS_ZONEKEY_ALLOW) != 0)
dns_zone_rekey(zone);
else
/* "rndc loadkeys" requires "auto-dnssec maintain". */
if ((keyopts & DNS_ZONEKEY_ALLOW) == 0)
result = ISC_R_NOPERM;
else if ((keyopts & DNS_ZONEKEY_MAINTAIN) == 0 && !fullsign)
result = ISC_R_NOPERM;
else
dns_zone_rekey(zone, fullsign);
dns_zone_detach(&zone);
return (result);
@ -6611,14 +6661,14 @@ isc_result_t
ns_server_add_zone(ns_server_t *server, char *args) {
isc_result_t result;
isc_buffer_t argbuf;
size_t arglen, len;
size_t arglen;
cfg_parser_t *parser = NULL;
cfg_obj_t *config = NULL;
const cfg_obj_t *vconfig = NULL;
const cfg_obj_t *views = NULL;
const cfg_listelt_t *element;
const cfg_obj_t *vconfig = NULL;
const cfg_obj_t *views = NULL;
const cfg_obj_t *parms = NULL;
const cfg_obj_t *obj = NULL;
const cfg_listelt_t *element;
const char *zonename;
const char *classname = NULL;
const char *argp;
@ -6627,16 +6677,9 @@ ns_server_add_zone(ns_server_t *server, char *args) {
dns_view_t *view = 0;
isc_buffer_t buf, *nbuf = NULL;
dns_name_t dnsname;
const char *filename = 0;
const char *filepart = NULL;
char fnamebuf[512];
struct stat sb;
dns_zone_t *zone = NULL;
FILE *fp = NULL;
/* Are we accepting new zones? */
if (nzf_option == NULL)
return (ISC_R_FAILURE);
struct cfg_context *cfg = NULL;
/* Try to parse the argument string */
arglen = strlen(args);
@ -6655,33 +6698,6 @@ ns_server_add_zone(ns_server_t *server, char *args) {
dns_name_setbuffer(&dnsname, nbuf);
CHECK(dns_name_fromtext(&dnsname, &buf, dns_rootname, ISC_FALSE, NULL));
/*
* If new-zone-file indicates a directory rather than a file,
* then "filepart" is the filename in the directory in which to
* write the zone configuration text.
*/
obj = cfg_tuple_get(parms, "filepart");
if (obj && cfg_obj_isstring(obj))
filepart = cfg_obj_asstring(obj);
if (filepart != NULL && *filepart != '\0') {
/* No hidden fles or full paths */
if (*filepart == '.' ||
#ifdef WIN32
*filepart == '\\' ||
#endif
*filepart == '/')
{
result = ISC_R_INVALIDFILE;
goto cleanup;
}
/* No crawling up the directory tree */
if (strstr(filepart, "..") != NULL) {
result = ISC_R_INVALIDFILE;
goto cleanup;
}
}
/* Make sense of optional class argument */
obj = cfg_tuple_get(parms, "class");
CHECK(ns_config_getclass(obj, dns_rdataclass_in, &rdclass));
@ -6696,6 +6712,18 @@ ns_server_add_zone(ns_server_t *server, char *args) {
viewname = "_default";
CHECK(dns_viewlist_find(&server->viewlist, viewname, rdclass, &view));
/* Are we accepting new zones? */
if (view->new_zone_file == NULL) {
result = ISC_R_NOPERM;
goto cleanup;
}
cfg = (struct cfg_context *) view->new_zone_config;
if (cfg == NULL) {
result = ISC_R_FAILURE;
goto cleanup;
}
/* Zone shouldn't already exist */
result = dns_zt_find(view->zonetable, &dnsname, 0, NULL, &zone);
if (result == ISC_R_SUCCESS) {
@ -6709,66 +6737,27 @@ ns_server_add_zone(ns_server_t *server, char *args) {
else if (result != ISC_R_NOTFOUND)
goto cleanup;
/* Find configuration for this view */
(void)cfg_map_get(nzf_config, "view", &views);
/* Find the view statement */
cfg_map_get(cfg->config, "view", &views);
for (element = cfg_list_first(views);
element != NULL;
element = cfg_list_next(element))
{
const char *vname;
vconfig = cfg_listelt_value(element);
vname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
if (vname && !strcasecmp(vname, viewname)) {
/* What is save file for this view? */
if (vconfig != NULL) {
const cfg_obj_t *voptions;
voptions = cfg_tuple_get(vconfig, "options");
if (voptions) {
obj = NULL;
result = cfg_map_get(voptions,
"new-zone-file",
&obj);
if (result == ISC_R_SUCCESS)
filename =
cfg_obj_asstring(obj);
}
}
if (vname && !strcasecmp(vname, viewname))
break;
}
vconfig = NULL;
}
/* Can we add and remove zones in this view? */
if (filename == NULL || *filename == '\0')
filename = nzf_file;
/* Open save file for write configuration */
CHECK(isc_stdio_open(view->new_zone_file, "a", &fp));
if (filename == NULL || *filename == '\0') {
/* No adding zones in this view */
result = ISC_R_FAILURE;
goto cleanup;
}
/* Possibly contruct a full path */
if (filepart != NULL && *filepart != '\0') {
snprintf(fnamebuf, 512, "%s/%s", filename, filepart);
filename = fnamebuf;
}
/* Path must be an existing file */
if (stat(filename, &sb) < 0) {
result = ISC_R_FILENOTFOUND;
goto cleanup;
}
if (!S_ISREG(sb.st_mode)) {
result = ISC_R_FILENOTFOUND;
goto cleanup;
}
/* Mark zone unfrozen so that zone can be added. */
/* Mark view unfrozen so that zone can be added */
dns_view_thaw(view);
result = configure_zone(nzf_option, parms, vconfig,
server->mctx, view, &nzf_actx);
result = configure_zone(cfg->config, parms, vconfig,
server->mctx, view, &cfg->actx, ISC_FALSE);
dns_view_freeze(view);
if (result != ISC_R_SUCCESS) {
goto cleanup;
@ -6800,30 +6789,30 @@ ns_server_add_zone(ns_server_t *server, char *args) {
goto cleanup;
}
/* Write zone configuration out to our save file */
CHECK(isc_stdio_open(filename, "a", &fp));
/* Flag the zone as having been added at runtime */
dns_zone_setadded(zone, ISC_TRUE);
/* Emit just the zone name from args */
CHECK(isc_stdio_write("zone ", 5, 1, fp, &len));
CHECK(isc_stdio_write(zonename, strlen(zonename), 1, fp, &len));
CHECK(isc_stdio_write(" ", 1, 1, fp, &len));
CHECK(isc_stdio_write("zone ", 5, 1, fp, NULL));
CHECK(isc_stdio_write(zonename, strlen(zonename), 1, fp, NULL));
CHECK(isc_stdio_write(" ", 1, 1, fp, NULL));
/* Classname, if not default */
if (classname != NULL && *classname != '\0') {
CHECK(isc_stdio_write(classname, strlen(classname), 1, fp,
&len));
CHECK(isc_stdio_write(" ", 1, 1, fp, &len));
NULL));
CHECK(isc_stdio_write(" ", 1, 1, fp, NULL));
}
/* Find beginning of option block from args */
for (argp = args; *argp; argp++, arglen--) {
if (*argp == '{') { /* Assume matching '}' */
/* Add that to our file */
CHECK(isc_stdio_write(argp, arglen, 1, fp, &len));
CHECK(isc_stdio_write(argp, arglen, 1, fp, NULL));
/* Make sure we end with a LF */
if (argp[arglen-1] != '\n') {
CHECK(isc_stdio_write("\n", 1, 1, fp, &len));
CHECK(isc_stdio_write("\n", 1, 1, fp, NULL));
}
break;
}
@ -6856,50 +6845,6 @@ ns_server_add_zone(ns_server_t *server, char *args) {
return (result);
}
/*
* Pull an optional quoted filepart out of an arglist, shuffling memory
* so we can hand it off to zone_from_args() later
*/
static char *
extract_optional_qstring(char **args) {
char *p = *args;
char *str, *d;
char quote;
/* Skip past the command name */
while (isspace((unsigned char)*p))
p++;
while (*p && !isspace((unsigned char)*p))
p++;
/* Look for an open quote */
while (isspace((unsigned char)*p))
p++;
if (*p != '\'' && *p != '"')
return (NULL);
/* Move that string to the front of the buf */
quote = *p++;
str = d = *args;
while (*p && *p != quote)
*d++ = *p++;
if (!*p)
return (NULL); /* No matching close quote */
/* End that string */
*d++ = 0;
*args = d;
/* A bogus command name to placate zone_from_args() */
*d++ = 'X';
/* Cover over any remainder with spaces */
while (d <= p)
*d++ = ' ';
return (str);
}
/*
* Act on a "delzone" command from the command channel.
*/
@ -6908,45 +6853,15 @@ ns_server_del_zone(ns_server_t *server, char *args) {
isc_result_t result;
dns_zone_t *zone = NULL;
dns_view_t *view = NULL;
const cfg_obj_t *views = NULL;
const cfg_obj_t *obj = NULL;
const cfg_obj_t *vconfig = NULL;
dns_db_t *dbp = NULL;
const char *filename = NULL;
char *filepart = NULL;
char fnamebuf[512];
char *tmpname = NULL;
const cfg_listelt_t *element;
char buf[1024];
const char *zonename = NULL;
size_t znamelen = 0;
FILE *ifp = NULL, *ofp = NULL;
/* Only accept removes if we're accepting adds */
if (nzf_option == NULL)
return (ISC_R_FAILURE);
/* Possibly a filename in quotes */
filepart = extract_optional_qstring(&args);
if (filepart != NULL && *filepart != '\0') {
/* No hidden fles or full paths */
if (*filepart == '.' ||
#ifdef WIN32
*filepart == '\\' ||
#endif
*filepart == '/')
{
result = ISC_R_INVALIDFILE;
goto cleanup;
}
/* No crawling up the directory tree */
if (strstr(filepart, "..") != NULL) {
result = ISC_R_INVALIDFILE;
goto cleanup;
}
}
/* Make sense of rest of params */
/* Parse parameters */
CHECK(zone_from_args(server, args, &zone, &zonename));
if (result != ISC_R_SUCCESS)
return (result);
@ -6955,56 +6870,27 @@ ns_server_del_zone(ns_server_t *server, char *args) {
goto cleanup;
}
if (zonename != NULL && *zonename != '\0')
/*
* Was this zone originally added at runtime?
* If not, we can't delete it now.
*/
if (!dns_zone_getadded(zone)) {
result = ISC_R_NOPERM;
goto cleanup;
}
if (zonename != NULL)
znamelen = strlen(zonename);
/* Dig out configuration for this zone */
view = dns_zone_getview(zone);
(void)cfg_map_get(nzf_config, "view", &views);
for (element = cfg_list_first(views);
element != NULL;
element = cfg_list_next(element))
{
const char *vname;
vconfig = cfg_listelt_value(element);
vname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
if (vname != NULL && !strcasecmp(vname, view->name)) {
/* What is save file for this view? */
if (vconfig != NULL) {
const cfg_obj_t *voptions;
voptions = cfg_tuple_get(vconfig, "options");
if (voptions != NULL) {
obj = NULL;
result = cfg_map_get(voptions,
"new-zone-file",
&obj);
if (result == ISC_R_SUCCESS)
filename =
cfg_obj_asstring(obj);
}
}
break;
}
vconfig = NULL;
}
/* Can we add and remove zones in this view? */
if (filename == NULL || *filename == '\0')
filename = nzf_file;
if (filename == NULL || *filename == '\0') {
filename = view->new_zone_file;
if (filename == NULL) {
/* No adding zones in this view */
result = ISC_R_FAILURE;
goto cleanup;
}
/* Possibly contruct a full path */
if (filepart != NULL && *filepart != '\0') {
snprintf(fnamebuf, 512, "%s/%s", filename, filepart);
filename = fnamebuf;
}
/* Rewrite zone list */
result = isc_stdio_open(filename, "r", &ifp);
if (ifp != NULL && result == ISC_R_SUCCESS) {
@ -7012,8 +6898,8 @@ ns_server_del_zone(ns_server_t *server, char *args) {
size_t n;
/* Create a temporary file */
CHECK(isc_string_printf(buf, 1023, "%s.%d", filename,
getpid()));
CHECK(isc_string_printf(buf, 1023, "%s.%ld", filename,
(long)getpid()));
if (!(tmpname = isc_mem_strdup(server->mctx, buf))) {
result = ISC_R_NOMEMORY;
goto cleanup;
@ -7056,7 +6942,7 @@ ns_server_del_zone(ns_server_t *server, char *args) {
/* Skip over an option block (matching # of braces) */
if (found) {
int obrace = 0, cbrace = 0;
while (1) {
for (;;) {
while (*p) {
if (*p == '{') obrace++;
if (*p == '}') cbrace++;
@ -7068,14 +6954,26 @@ ns_server_del_zone(ns_server_t *server, char *args) {
break;
p = buf;
}
/* Just spool the remainder of the file out */
result = isc_stdio_read(buf, 1, 1024, ifp, &n);
while (n > 0U) {
if (result == ISC_R_EOF)
result = ISC_R_SUCCESS;
CHECK(result);
isc_stdio_write(buf, 1, n, ofp, NULL);
result = isc_stdio_read(buf, 1, 1024, ifp, &n);
}
/* Move temporary into place */
CHECK(isc_file_rename(tmpname, view->new_zone_file));
} else {
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
"deleted zone %s was missing from "
"new zone file", zonename);
goto cleanup;
}
/* Just spool the remainder of the file out */
while ((n = fread(buf, 1, 1024, ifp)) > 0U)
fwrite(buf, 1, n, ofp);
/* Move temporary into place */
CHECK(isc_file_rename(tmpname, filename));
}
/* Stop answering for this zone */
@ -7106,3 +7004,25 @@ ns_server_del_zone(ns_server_t *server, char *args) {
return (result);
}
static void
cfgctx_destroy(void **cfgp) {
struct cfg_context *cfg;
isc_mem_t *mctx;
REQUIRE(cfgp != NULL && *cfgp != NULL);
cfg = *cfgp;
mctx = cfg->mctx;
cfg->mctx = NULL;
if (cfg->parser != NULL) {
if (cfg->config != NULL)
cfg_obj_destroy(cfg->parser, &cfg->config);
cfg_parser_destroy(&cfg->parser);
}
cfg_aclconfctx_clear(&cfg->actx);
isc_mem_put(mctx, cfg, sizeof(*cfg));
isc_mem_detach(&mctx);
*cfgp = NULL;
}

504
external/bsd/bind/dist/doc/draft/draft-ietf-dnsext-dnssec-registry-fixes-05.txt vendored
View File

@ -1,504 +0,0 @@
DNS Extensions Working Group S. Rose
Internet-Draft NIST
Updates: 2536, 2539, 3110, 4034, June 18, 2010
4398, 5155, 5702
(if approved)
Intended status: Standards Track
Expires: December 20, 2010
DNS Security (DNSSEC) DNSKEY IANA Registry Algorithm Status Addition
draft-ietf-dnsext-dnssec-registry-fixes-05
Abstract
The DNS Security Extensions (DNSSEC) has an IANA registry to allocate
cryptographic algorithm suites for use in generating digital
signatures over DNS data. Newly introduced cryptographic algorithms
to DNSSEC mean implementors need to know which algorithms need to be
implemented, which are optional, and which are obsolete. This
document adds a column to the IANA registry table for Domain Name
System Security (DNSSEC) Algorithm Numbers which lists their current
status for use.
Status of This Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on December 20, 2010.
Copyright Notice
Rose Expires December 20, 2010 [Page 1]
Internet-Draft IANA Registry Fixes June 2010
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terms Used in this Document to Indicate Status . . . . . . 3
1.2. Requirements Language . . . . . . . . . . . . . . . . . . . 4
2. DNS Security Algorithm Number Subregistry Fixes . . . . . . . . 4
2.1. Individual Fixes . . . . . . . . . . . . . . . . . . . . . 4
2.2. Updated Registry Snapshot . . . . . . . . . . . . . . . . . 5
2.3. Specifying New Algorithms and Updating Status of
Existing Entries . . . . . . . . . . . . . . . . . . . . . 6
3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
4. Security Considerations . . . . . . . . . . . . . . . . . . . . 7
5. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7
5.1. Normative References . . . . . . . . . . . . . . . . . . . 7
5.2. Informative References . . . . . . . . . . . . . . . . . . 9
Rose Expires December 20, 2010 [Page 2]
Internet-Draft IANA Registry Fixes June 2010
1. Introduction
The Domain Name System (DNS) Security Extensions (DNSSEC) [RFC4033],
[RFC4034], and [RFC4035] uses digital signatures over DNS data to
provide source authentication and integrity protection. DNSSEC uses
an IANA registry to allocate codes for digital signature algorithms
(consisting of a cryptographic algorithm and one-way hash function).
The original list of algorithm status is found in [RFC4034]. Other
DNSSEC documents have added new algorithms or changed the status of
algorithms in the registry. However, implementors must read through
all the documents in order to discover which algorithms are mandatory
to implement and which are optional or no longer used.
This document requests a column to be added to the IANA registry for
Domain Name System Security (DNSSEC) Algorithm Numbers. This column
will list the current status of each digital signature algorithm in
the registry at the time of writing and assigns status for algorithms
used with DNSSEC that did not have a status when they were originally
specified. This document updates the following: [RFC2536],
[RFC2539], [RFC3110], [RFC4034], [RFC4398], [RFC5155], [RFC5702], and
[RFCTBD].
1.1. Terms Used in this Document to Indicate Status
The following terms are used within this document to indicate the
current implementation status of the given digital signature
algorithm as of the time of writing. Here, "implementation" refers
to any component (e.g. validator, signer, etc.) that conforms to this
document. Some of these terms were used without definition in
previous documents and are defined here.
MANDATORY: Implementations MUST support this algorithm to be
considered currently inter-operable.
OPTIONAL: Implementation MAY support this algorithm. The presence
or lack thereof this algorithm MUST NOT be used to judge
conformance to this document.
ENCOURAGED: Implementations SHOULD support this algorithm, but
like DISCRETIONARY, lack of support MUST NOT be used to judge
conformance to this document. This term is also used to hint of a
possible status change in the future to MANDATORY.
OBSOLETE: New implementations SHOULD NOT support this algorithm.
These words are also defined in
[I-D.ogud-iana-protocol-maintenance-words], but the definitions above
Rose Expires December 20, 2010 [Page 3]
Internet-Draft IANA Registry Fixes June 2010
are used for this document.
1.2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. DNS Security Algorithm Number Subregistry Fixes
The DNS Security Algorithm Number subregistry (part of the Domain
Name System (DNS) Security Number registry) will be modified to
include a new column. This column will contain the current
implementation requirements of the given algorithm. This document
does not make any changes to any other column in the registry table.
There are additional fixes to entries that are described in sub-
section 2.1. The overall new registry table is in sub-section 2.2.
The values for the status were obtained from [RFC4034] with updates
for algorithms specified after the original DNSSEC specification.
The status of algorithms marked OPTIONAL in [RFC4034] are changed to
DISCRETIONARY as defined in
[I-D.ogud-iana-protocol-maintenance-words]. The status of algorithms
marked NOT RECOMMENDED in [RFC4034] are changed to OBSOLETE as
defined in [I-D.ogud-iana-protocol-maintenance-words].
2.1. Individual Fixes
This document changes three entries in the Domain Name System
Security (DNSSEC) Algorithm Registry. They are:
The description for assignment number 4 is changed to "Reserved until
2020".
The description for assignment number 9 is changed to "Reserved until
2020".
The description for assignment number 11 is changed to "Reserved
until 2020".
Registry entries 13-251 remains Unassigned.
The status of RSASHA1-NSEC3-SHA1 and DSA-NSEC3-SHA1 are both set to
DISCRETIONARY. The status of RSA/SHA-256 and RSA/SHA-512 are set to
ENCOURAGED as it is believed that these algorithms will replace older
algorithms (e.g. RSA/SHA-1) that have a perceived weakness in their
hash algorithm (SHA-1).
Rose Expires December 20, 2010 [Page 4]
Internet-Draft IANA Registry Fixes June 2010
2.2. Updated Registry Snapshot
As of the current time, the DNS Security Algorithm Number subregistry
would look like the following:
Zone Trans
Number Description Mnem. Sign Sign Status Reference
------ ----------- ------ ---- ----- ------------ ---------
0 Reserved [RFC4398]
1 RSA/MD5 RSAMD5 N Y OBSOLETE [RFC4034],
[RFC3110]
(this memo)
2 Diffie-Hellman DH N Y OPTIONAL [RFC2539]
(this memo)
3 DSA/SHA-1 DSASHA1 Y Y OPTIONAL [RFC2536],
[RFC4034],
FIPS 186-3,
FIPS 180-3
(this memo)
4 Reserved until ECC (this memo)
2020
5 RSA/SHA-1 RSASHA1 Y Y MANDATORY [RFC4034]
(this memo)
6 DSA-NSEC3-SHA1 DSA-NSEC3 Y Y OPTOINAL [RFC5155]
-SHA1 (this memo)
7 RSASHA1-NSEC3 RSASHA1- Y Y OPTIONAL [RFC5155]
-SHA1 NSEC3- (this memo)
SHA1
8 RSA/SHA-256 RSASHA256 Y * ENCOURAGED [RFC5702]
9 Reserved until (this memo)
2020
10 RSA/SHA-512 RSASHA512 Y * ENCOURAGED [RFC5702]
(this memo)
11 Reserved until (this memo)
2020
12 GOST R GOST-ECC Y * OPTIONAL [RFCTBD]
34.10-2001 (this memo)
13-251 Unassigned
252 Reserved for INDIRECT N N OPTIONAL [RFC4034]
Indirect keys (this memo)
253 private PRIVATE Y Y OPTIONAL [RFC4034]
algorithm (this memo)
254 private PRIVATEOID Y Y OPTIONAL [RFC4034]
algorithm OID (this memo)
255 Reserved
Rose Expires December 20, 2010 [Page 5]
Internet-Draft IANA Registry Fixes June 2010
2.3. Specifying New Algorithms and Updating Status of Existing Entries
[I-D.ietf-dnsext-dnssec-alg-allocation] establishes a parallel
procedure for obtaining an algorithm number for new algorithms other
than a standards track document. Algorithms entered into the
registry using that procedure are always OPTIONAL.
Adding a newly specified algorithm to the registry with any status
other than OPTIONAL SHALL entail an update of this document in order
to specify new content to the registry.
Altering the status of any existing algorithm in the registry SHALL
entail an update to this document in order to change the contents of
the registry.
3. IANA Considerations
This document seeks to add a column (titled "Status") to the Domain
Name System (DNS) Security Algorithm Numbers registry to indicate
each algorithm's status for implementations seeking to conform to
this document. The new table is in Section 2.2 and includes the
additional following changes detailed in Section 2.1:
The description of assignment 4 is changed from "Reserved for ECC" to
"Reserved until 2020".
The description of assignment 9 is changed from "Unassigned" to
"Reserved until 2020".
The description for assignment number 11 is changed from "Unassigned"
to "Reserved until 2020".
Registry entries 13-251 remains Unassigned.
The references for current algorithms in the table in Section 2.2
have been updated to remove obsolete RFC's and replaced with the
current reference.
The references to FIPS 180 and FIPS 186 have been updated (to FIPS
180-3 and FIPS 186-3 respectively) to reflect the latest versions.
These revisions are maintenance updates and the relevant content of
the FIPS documents have not changed.
This draft updates the references of the entries that have an
assigned status, in the table in Section 2.2, the text '(this memo)'
should be replaced with the final RFC when published.
The Domain Name System (DNS) Security Algorithm Number registry is
Rose Expires December 20, 2010 [Page 6]
Internet-Draft IANA Registry Fixes June 2010
available at http://www.iana.org/assignments/dns-sec-alg-numbers/
dns-sec-alg-numbers.xhtml.
4. Security Considerations
This document seeks to add a status column to an existing IANA
registry. It is not meant to be a discussion on algorithm
superiority. No new security considerations are raised in this
document.
5. References
5.1. Normative References
[I-D.ietf-dnsext-dnssec-alg-allocation] Hoffman, P.,
"Cryptographic Algorithm
Identifier Allocation for
DNSSEC", draft-ietf-
dnsext-dnssec-alg-
allocation-03 (work in
progress), March 2010.
[I-D.ogud-iana-protocol-maintenance-words] Gudmundsson, O. and S.
Rose, "Definitions for
expressing standards
requirements in IANA
registries.", draft-ogud-
iana-protocol-
maintenance-words-03
(work in progress),
January 2010.
[RFC.TBD] Dolmatov, V., "Use of
GOST signature algorithms
in DNSKEY and RRSIG
Resource Records for
DNSSEC", draft-ietf-
dnsext-dnssec-gost-07
(work in progress),
March 2010.
[RFC2119] Bradner, S., "Key words
for use in RFCs to
Indicate Requirement
Levels", BCP 14,
RFC 2119, March 1997.
[RFC2536] Eastlake, D., "DSA KEYs
Rose Expires December 20, 2010 [Page 7]
Internet-Draft IANA Registry Fixes June 2010
and SIGs in the Domain
Name System (DNS)",
RFC 2536, March 1999.
[RFC2539] Eastlake, D., "Storage of
Diffie-Hellman Keys in
the Domain Name System
(DNS)", RFC 2539,
March 1999.
[RFC3110] Eastlake, D., "RSA/SHA-1
SIGs and RSA KEYs in the
Domain Name System
(DNS)", RFC 3110,
May 2001.
[RFC4033] Arends, R., Austein, R.,
Larson, M., Massey, D.,
and S. Rose, "DNS
Security Introduction and
Requirements", RFC 4033,
March 2005.
[RFC4034] Arends, R., Austein, R.,
Larson, M., Massey, D.,
and S. Rose, "Resource
Records for the DNS
Security Extensions",
RFC 4034, March 2005.
[RFC4035] Arends, R., Austein, R.,
Larson, M., Massey, D.,
and S. Rose, "Protocol
Modifications for the DNS
Security Extensions",
RFC 4035, March 2005.
[RFC4398] Josefsson, S., "Storing
Certificates in the
Domain Name System
(DNS)", RFC 4398,
March 2006.
[RFC5155] Laurie, B., Sisson, G.,
Arends, R., and D.
Blacka, "DNS Security
(DNSSEC) Hashed
Authenticated Denial of
Rose Expires December 20, 2010 [Page 8]
Internet-Draft IANA Registry Fixes June 2010
Existence", RFC 5155,
March 2008.
[RFC5702] Jansen, J., "Use of SHA-2
Algorithms with RSA in
DNSKEY and RRSIG Resource
Records for DNSSEC",
RFC 5702, October 2009.
5.2. Informative References
[FIPS.180-3.2008] National Institute of
Standards and Technology,
"Secure Hash Standard",
FIPS PUB 180-3,
October 2008, <http://
csrc.nist.gov/
publications/fips/
fips180-3/fips180-3.pdf>.
[FIPS.186-3.2009] National Institute of
Standards and Technology,
"Digital Signature
Standard", FIPS PUB
186-3, June 2009, <http:/
/csrc.nist.gov/
publications/fips/
fips186-3/
fips_186-3.pdf>.
Author's Address
Scott Rose
NIST
100 Bureau Dr.
Gaithersburg, MD 20899
USA
Phone: +1-301-975-8439
EMail: scottr.nist@gmail.com
Rose Expires December 20, 2010 [Page 9]

673
external/bsd/bind/dist/doc/draft/draft-yao-dnsext-bname-03.txt vendored
View File

@ -1,673 +0,0 @@
Network Working Group J. Yao
Internet-Draft X. Lee
Intended status: Standards Track CNNIC
Expires: December 30, 2010 P. Vixie
Internet Software Consortium
June 28, 2010
Bundle DNS Name Redirection
draft-yao-dnsext-bname-03.txt
Abstract
This document defines a new DNS Resource Record called "BNAME", which
provides the capability to map itself and its subtree of the DNS name
space to another domain. It differs from the CNAME record which only
maps a single node of the DNS name space, from the DNAME which only
maps the subtree of the DNS name space to another domain.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 30, 2010.
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
Yao, et al. Expires December 30, 2010 [Page 1]
Internet-Draft bname June 2010
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. The BNAME Resource Record . . . . . . . . . . . . . . . . . . 4
3.1. Format . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.2. The BNAME Substitution . . . . . . . . . . . . . . . . . . 4
3.3. The BNAME Rules . . . . . . . . . . . . . . . . . . . . . 4
4. Query Processing . . . . . . . . . . . . . . . . . . . . . . . 4
4.1. Processing by Servers . . . . . . . . . . . . . . . . . . 5
4.2. Processing by Resolvers . . . . . . . . . . . . . . . . . 7
5. BNAME in DNSSEC . . . . . . . . . . . . . . . . . . . . . . . 8
5.1. BNAME Validating . . . . . . . . . . . . . . . . . . . . . 8
5.2. BNAME alias algorithm identifiers . . . . . . . . . . . . 9
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
7. Security Considerations . . . . . . . . . . . . . . . . . . . 9
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10
9. Change History . . . . . . . . . . . . . . . . . . . . . . . . 10
9.1. draft-yao-dnsext-bname: Version 00 . . . . . . . . . . . . 10
9.2. draft-yao-dnsext-bname: Version 01 . . . . . . . . . . . . 10
9.3. draft-yao-dnsext-bname: Version 02 . . . . . . . . . . . . 10
9.4. draft-yao-dnsext-bname: Version 03 . . . . . . . . . . . . 10
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
10.1. Normative References . . . . . . . . . . . . . . . . . . . 10
10.2. Informative References . . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12
Yao, et al. Expires December 30, 2010 [Page 2]
Internet-Draft bname June 2010
1. Introduction
More and more internationalized domain name labels [RFC3490] appear
in the DNS trees. Some labels [RFC3743] are equivalent in some
languages. The internet users want them to be identical in the DNS
resolution. For example, color.exmaple.com==colour.example.com. The
BNAME represents for bundle names. This document defines a new DNS
Resource Record called "BNAME", which provides the capability to map
an entire tree of the DNS name space to another domain. It means
that the BNAME redirects both itself and its descendants to its
owner. The DNAME [RFC2672] and [RFC2672bis] do not redirect itself,
only the descendants. The domain name that owns a DNAME record is
allowed to have other resource record types at that domain name. The
domain name that owns a BNAME record is not allowed to have other
resource record types at that domain name unless they are the DNSSEC
related resource record types defined in [RFC4033], [RFC4034],
[RFC4035] and [RFC5155]. A server MAY refuse to load a zone that has
data at a sub-domain of a domain name owning a BNAME RR or that has
other data except the DNSSEC related resource record types and BNAME
at that name. BNAME is a singleton type, meaning only one BNAME is
allowed per name except the DNSSEC related resource record types.
Resolvers, servers and zone content administrators should be cautious
that usage of BNAME or its combination with CNAME or DNAME may lead
to form loops. The loops should be avoided.
1.1. Terminology
All the basic terms used in this specification are defined in the
documents [RFC1034], [RFC1035] and [RFC2672].
2. Motivation
In some languages, some characters have the variants, which look
differently or very similar but are identical in the meaning. For
example, Chinese character U+56FD and its variant U+570B look
differently, but are identical in the meaning. If Internationalized
Domain Label" or "IDL" [RFC3743] are composed of variant characters,
we regard this kind of IDL as the IDL variant. If these IDL variants
are put into the DNS for resolution, they are expected to be
identical in the DNS resolution. More comprehensible example is that
we expect color.exmaple.com to be equivalent with the
colour.exmaple.com in the DNS resolution. The BNAME Resource Record
and its processing rules are conceived as a solution to this
equivalence problem. Without the BNAME mechanism, current mechanisms
such as DNAME or CNAME are not enough capable to solve all the
problems with the emergence of internationalized domain names. The
internationalized domain names may have alias or equivalence of the
Yao, et al. Expires December 30, 2010 [Page 3]
Internet-Draft bname June 2010
original one. The BNAME solution provides the solution to both ASCII
alias names and internationalized domain alias names.
3. The BNAME Resource Record
3.1. Format
The BNAME RR has mnemonic BNAME and type code xx (decimal). It is
not class-sensitive. Its RDATA is comprised of a single field,
<target>, which contains a fully qualified domain name that must be
sent in uncompressed form [RFC1035], [RFC3597]. The <target> field
MUST be present. The presentation format of <target> is that of a
domain name [RFC1035]. The wildcards in the BNAME RR SHOULD NOT be
used.
<owner> <ttl> <class> BNAME <target>
The effect of the BNAME RR is the substitution of the record's
<target> for its owner name, as a suffix of a domain name. This
substitution has to be applied for every BNAME RR found in the
resolution process, which allows fairly lengthy valid chains of BNAME
RRs.
3.2. The BNAME Substitution
A BNAME substitution is performed by replacing the suffix labels of
the name being sought matching the owner name of the BNAME resource
record with the string of labels in the RDATA field. The matching
labels end with the root label in all cases. Only whole labels are
replaced.
3.3. The BNAME Rules
There are two rules which governs the use of BNAMEs in a zone file.
The first one is that there SHOULD be no descendants under the owner
of the BNAME. The second one is that no resource records can co-
exist with the BNAME for the same name except the DNSSEC related
resource record types. It means that if a BNAME RR is present at a
node N, there MUST be no other data except the DNSSEC related
resource record types at N and no data at any descendant of N. This
restriction applies only to records of the same class as the BNAME
record.
4. Query Processing
To exploit the BNAME mechanism the name resolution algorithms
Yao, et al. Expires December 30, 2010 [Page 4]
Internet-Draft bname June 2010
[RFC1034] must be modified slightly for both servers and resolvers.
Both modified algorithms incorporate the operation of making a
substitution on a name (either QNAME or SNAME) under control of a
BNAME record. This operation will be referred to as "the BNAME
substitution".
4.1. Processing by Servers
For a server performing non-recursive service steps 3.a, 3.c and 4 of
section 4.3.2 [RFC1034] are changed to check for a BNAME record, and
to return certain BNAME records from zone data and the cache. When
preparing a response, a server performing a BNAME substitution will
in all cases include the relevant BNAME RR in the answer section. A
CNAME RR is synthesized and included in the answer section. This
will help the client to reach the correct DNS data. The provided
synthesized CNAME RR, MUST have
The same CLASS as the QCLASS of the query,
TTL equal to the corresponding BNAME RR,
An <owner> equal to the QNAME in effect at the moment the BNAME RR
was encountered, and
An RDATA field containing the new QNAME formed by the action of
the BNAME substitution.
The revised server algorithm is:
1. Set or clear the value of recursion available in the response
depending on whether the name server is willing to provide
recursive service. If recursive service is available and
requested via the RD bit in the query, go to step 5, otherwise
step 2.
2. Search the available zones for the zone which is the nearest
ancestor to QNAME. If such a zone is found, go to step 3,
otherwise step 4.
3. Start matching down, label by label, in the zone. The matching
process can terminate several ways:
Yao, et al. Expires December 30, 2010 [Page 5]
Internet-Draft bname June 2010
a. If the whole of QNAME is matched, we have found the node.
If the data at the node is a CNAME, and QTYPE doesn't match
CNAME, copy the CNAME RR into the answer section of the
response, change QNAME to the canonical name in the CNAME RR,
and go back to step 1.
If the data at the node is a BNAME, and QTYPE doesn't
match BNAME, copy the BNAME RR and also a corresponding,
synthesized CNAME RR into the answer section of the
response, change QNAME to the name carried as RDATA in
the BNAME RR, and go back to step 1.
Otherwise, copy all RRs which match QTYPE into the answer
section and go to step 6.
b. If a match would take us out of the authoritative data, we have
a referral. This happens when we encounter a node with NS RRs
marking cuts along the bottom of a zone.
Copy the NS RRs for the subzone into the authority section of
the reply. Put whatever addresses are available into the
additional section, using glue RRs if the addresses are not
available from authoritative data or the cache. Go to step 4.
c. If at some label, a match is impossible (i.e., the
corresponding label does not exist), look to see whether the
last label matched has a BNAME record.
If a BNAME record exists at that point, copy that record into
the answer section. If substitution of its <target> for its
<owner> in QNAME would overflow the legal size for a <domain-
name>, set RCODE to YXDOMAIN [RFC2136] and exit; otherwise
perform the substitution and continue. The server SHOULD
synthesize a corresponding CNAME record as described above and
include it in the answer section. Go back to step 1.
If there was no BNAME record, look to see if the "*" label
exists.
If the "*" label does not exist, check whether the name we are
looking for is the original QNAME in the query or a name we
have followed due to a CNAME. If the name is original, set an
authoritative name error in the response and exit. Otherwise
just exit.
Yao, et al. Expires December 30, 2010 [Page 6]
Internet-Draft bname June 2010
If the "*" label does exist, match RRs at that node against
QTYPE. If any match, copy them into the answer section, but
set the owner of the RR to be QNAME, and not the node with the
"*" label. Go to step 6.
4. Start matching down in the cache. If QNAME is found in the cache,
copy all RRs attached to it that match QTYPE into the answer
section. If QNAME is not found in the cache but a BNAME record is
present at QNAME, copy that BNAME record into the
answer section. If there was no delegation from authoritative
data, look for the best one from the cache, and put it in the
authority section. Go to step 6.
5. Use the local resolver or a copy of its algorithm (see resolver
section of this memo) to answer the query. Store the results,
including any intermediate CNAMEs and BNAMEs, in the answer
section of the response.
6. Using local data only, attempt to add other RRs which may be
useful to the additional section of the query. Exit.
Note that there will be at most one ancestor with a BNAME as
described in step 4 unless some zone's data is in violation of the
no-descendants limitation in section 3. An implementation might take
advantage of this limitation by stopping the search of step 3c or
step 4 when a BNAME record is encountered.
4.2. Processing by Resolvers
A resolver or a server providing recursive service must be modified
to treat a BNAME as somewhat analogous to a CNAME. The resolver
algorithm of [RFC1034] section 5.3.3 is modified to renumber step 4.d
as 4.e and insert a new 4.d. The complete algorithm becomes:
Yao, et al. Expires December 30, 2010 [Page 7]
Internet-Draft bname June 2010
1. See if the answer is in local information, and if so return it to
the client.
2. Find the best servers to ask.
3. Send them queries until one returns a response.
4. Analyze the response, either:
a. if the response answers the question or contains a name error,
cache the data as well as returning it back to the client.
b. if the response contains a better delegation to other servers,
cache the delegation information, and go to step 2.
c. if the response shows a CNAME and that is not the answer
itself, cache the CNAME, change the SNAME to the canonical name
in the CNAME RR and go to step 1.
d. if the response shows a BNAME and that is not the answer
itself, cache the BNAME. If substitution of the BNAME's
<target> for its <owner> in the SNAME would overflow the legal
size for a <domain-name>, return an implementation-dependent
error to the application; otherwise perform the substitution
and go to step 1.
e. if the response shows a server failure or other bizarre
contents, delete the server from the SLIST and go back to step
3.
A resolver or recursive server which understands BNAME records but
sends non-extended queries MUST augment step 4.c by deleting from the
reply any CNAME records which have an <owner> which is a subdomain of
the <owner> of any BNAME record in the response.
5. BNAME in DNSSEC
5.1. BNAME Validating
With the deployment of DNSSEC, more and more servers and resolvers
will support DNSSEC. In order to make BNAME valid in DNSSEC
verification, the DNSSEC enabled resolvers and servers MUST support
BNAME. The synthesized CNAME in the answer section for the BNAME
will never be signed. DNSSEC validators MUST understand BNAME,
verify the BNAME and then checking that the CNAME was properly
synthesized in order to verify the synthesized CNAME. In any
Yao, et al. Expires December 30, 2010 [Page 8]
Internet-Draft bname June 2010
negative response, the NSEC or NSEC3 [RFC5155] record type bit map
SHOULD be checked to see that there was no BNAME that could have been
applied. If the BNAME bit in the type bit map is set and the query
type is not BNAME, then BNAME substitution should have been done.
5.2. BNAME alias algorithm identifiers
In order to prevent BNAME-unaware resolvers from attempting to
validate responses from BNAME-signed zones, this specification
allocates two new DNSKEY algorithm identifiers. Algorithm Y, DSA-
BNAME-SHA1 is an alias for algorithm 3, DSA. Algorithm Z, RSASHA1-
BNAME-SHA1 is an alias for algorithm 5, RSASHA1. These are not new
algorithms, they are additional identifiers for the existing
algorithms. Zones signed according to this specification MUST only
use these algorithm identifiers for their DNSKEY RRs. The BNAME-
unaware resolvers will not know these new identifiers and treat
responses from the BNAME signed zone as insecure, otherwise the bname
RR will be regarded as bogus if there is no such a mechanism. These
algorithm identifiers are used with the BNAME hash algorithm SHA1.
Using other BNAME hash algorithms requires allocation of a new alias.
Validating resolvers which follow the BNAME specification MUST
recognize the new alias algorithm identifier.
6. IANA Considerations
IANA is requested to assign the number to XX. This document updates
the IANA registry "DNS SECURITY ALGORITHM NUMBERS". IANA is
requested to assign the number to Y and Z.
[[anchor14: Note in draft: before this document goes to WG Last call,
it is better that we list all DNSSEC algorithms that need to be
aliased to reflect compatibility with this extension.]]
7. Security Considerations
Both ASCII domain name labels and non-ASCII ones have some aliases.
We can bundle the domain name labels and their aliases through BNAME
in the DNS resolutions. The name labels and their aliases in the
particular languages are only known by those who know these
languages. Those labels may be regarded as different ones by those
who don't know those languages. Those who do not know the aliases
should only use the familar ones. The applications will not know the
aliases unless they are properly configured.
Yao, et al. Expires December 30, 2010 [Page 9]
Internet-Draft bname June 2010
8. Acknowledgements
Because the BNAME is very similar to DNAME, the authors learn a lot
from [RFC2672]. Many ideas are from the discussion in the DNSOP and
DNSEXT mailling list. Thanks a lot to all in the list. Many
important comments and suggestions are contributed by many members of
the DNSEXT and DNSOP WGs. The authors especially thanks the
following ones:Niall O'Reilly, Glen Zorn, Mark Andrews, George
Barwood,Olafur Gudmundsson, Sun Guonian and Hanfeng for improving
this document.
9. Change History
[[anchor17: RFC Editor: Please remove this section.]]
9.1. draft-yao-dnsext-bname: Version 00
o Bundle DNS Name Redirection
9.2. draft-yao-dnsext-bname: Version 01
o Improve the algorithm
o Improve the text
9.3. draft-yao-dnsext-bname: Version 02
o Add the DNSSEC discussion
o Improve the text
9.4. draft-yao-dnsext-bname: Version 03
o Update the DNSSEC discussion
o Update the IANA consideration
10. References
10.1. Normative References
[ASCII] American National Standards Institute (formerly United
States of America Standards Institute), "USA Code for
Information Interchange", ANSI X3.4-1968, 1968.
[EDNS0] Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
RFC 2671, August 1999.
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
Yao, et al. Expires December 30, 2010 [Page 10]
Internet-Draft bname June 2010
STD 13, RFC 1034, November 1987.
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
"Dynamic Updates in the Domain Name System (DNS UPDATE)",
RFC 2136, April 1997.
[RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
RFC 2671, August 1999.
[RFC2672] Crawford, M., "Non-Terminal DNS Name Redirection",
RFC 2672, August 1999.
[RFC3490] Faltstrom, P., Hoffman, P., and A. Costello,
"Internationalizing Domain Names in Applications (IDNA)",
RFC 3490, March 2003.
[RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record
(RR) Types", RFC 3597, September 2003.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", RFC 3629, November 2003.
[RFC3743] Konishi, K., Huang, K., Qian, H., and Y. Ko, "Joint
Engineering Team (JET) Guidelines for Internationalized
Domain Names (IDN) Registration and Administration for
Chinese, Japanese, and Korean", RFC 3743, April 2004.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements",
RFC 4033, March 2005.
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, March 2005.
[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Protocol Modifications for the DNS Security
Extensions", RFC 4035, March 2005.
[RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
Security (DNSSEC) Hashed Authenticated Denial of
Existence", RFC 5155, March 2008.
Yao, et al. Expires December 30, 2010 [Page 11]
Internet-Draft bname June 2010
10.2. Informative References
[RFC2672bis]
Rose, S. and W. Wijngaards, "Update to DNAME Redirection
in the DNS", Internet-Draft ietf-dnsext-rfc2672bis-dname-
17.txt, 6 2009.
Authors' Addresses
Jiankang YAO
CNNIC
No.4 South 4th Street, Zhongguancun
Beijing
Phone: +86 10 58813007
Email: yaojk@cnnic.cn
Xiaodong LEE
CNNIC
No.4 South 4th Street, Zhongguancun
Beijing
Phone: +86 10 58813020
Email: lee@cnnic.cn
Paul Vixie
Internet Software Consortium
950 Charter Street
Redwood City, CA
Phone: +1 650 779 7001
Email: vixie@isc.org
Yao, et al. Expires December 30, 2010 [Page 12]

33
external/bsd/bind/dist/lib/dns/include/dns/zone.h vendored
View File

@ -1,7 +1,7 @@
/* $NetBSD: zone.h,v 1.5 2010/08/06 10:58:12 christos Exp $ */
/* $NetBSD: zone.h,v 1.6 2010/12/02 14:52:18 christos Exp $ */
/*
* Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -17,7 +17,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* Id: zone.h,v 1.174.4.1 2009/12/29 22:23:00 marka Exp */
/* Id: zone.h,v 1.174.4.4 2010/08/16 22:27:18 marka Exp */
#ifndef DNS_ZONE_H
#define DNS_ZONE_H 1
@ -91,6 +91,7 @@ typedef enum {
#define DNS_ZONEKEY_ALLOW 0x00000001U /*%< fetch keys on command */
#define DNS_ZONEKEY_MAINTAIN 0x00000002U /*%< publish/sign on schedule */
#define DNS_ZONEKEY_CREATE 0x00000004U /*%< make keys when needed */
#define DNS_ZONEKEY_FULLSIGN 0x00000008U /*%< roll to new keys immediately */
#ifndef DNS_ZONE_MINREFRESH
#define DNS_ZONE_MINREFRESH 300 /*%< 5 minutes */
@ -1781,9 +1782,14 @@ dns_zone_getprivatetype(dns_zone_t *zone);
*/
void
dns_zone_rekey(dns_zone_t *zone);
dns_zone_rekey(dns_zone_t *zone, isc_boolean_t fullsign);
/*%<
* Update the zone's DNSKEY set from the key repository.
*
* If 'fullsign' is true, trigger an immediate full signing of
* the zone with the new key. Otherwise, if there are no keys or
* if the new keys are for algorithms that have already signed the
* zone, then the zone can be re-signed incrementally.
*/
isc_result_t
@ -1804,6 +1810,25 @@ dns_zone_nscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
* ISC_R_SUCCESS if there were no errors examining the zone contents.
*/
void
dns_zone_setadded(dns_zone_t *zone, isc_boolean_t added);
/*%
* Sets the value of zone->added, which should be ISC_TRUE for
* zones that were originally added by "rndc addzone".
*
* Requires:
* \li 'zone' to be valid.
*/
isc_boolean_t
dns_zone_getadded(dns_zone_t *zone);
/*%
* Returns ISC_TRUE if the zone was originally added at runtime
* using "rndc addzone".
*
* Requires:
* \li 'zone' to be valid.
*/
ISC_LANG_ENDDECLS

117
external/bsd/bind/dist/lib/dns/rbtdb.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: rbtdb.c,v 1.5 2010/08/06 10:58:12 christos Exp $ */
/* $NetBSD: rbtdb.c,v 1.6 2010/12/02 14:52:18 christos Exp $ */
/*
* Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
@ -17,7 +17,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* Id: rbtdb.c,v 1.292.8.9 2010/05/10 01:41:11 marka Exp */
/* Id: rbtdb.c,v 1.292.8.12.6.1 2010/11/16 07:04:09 marka Exp */
/*! \file */
@ -413,7 +413,6 @@ typedef struct {
rbtdb_version_t * current_version;
rbtdb_version_t * future_version;
rbtdb_versionlist_t open_versions;
isc_boolean_t overmem;
isc_task_t * task;
dns_dbnode_t *soanode;
dns_dbnode_t *nsnode;
@ -3278,6 +3277,9 @@ matchparams(rdatasetheader_t *header, rbtdb_search_t *search)
return (ISC_FALSE);
}
/*
* Find node of the NSEC/NSEC3 record that is 'name'.
*/
static inline isc_result_t
previous_closest_nsec(dns_rdatatype_t type, rbtdb_search_t *search,
dns_name_t *name, dns_name_t *origin,
@ -3289,15 +3291,15 @@ previous_closest_nsec(dns_rdatatype_t type, rbtdb_search_t *search,
dns_rbtnode_t *nsecnode;
isc_result_t result;
REQUIRE(nodep != NULL && *nodep == NULL);
if (type == dns_rdatatype_nsec3) {
result = dns_rbtnodechain_prev(&search->chain, NULL, NULL);
if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN)
return (result);
result = dns_rbtnodechain_current(&search->chain, name, origin,
nodep);
if (result != ISC_R_SUCCESS)
return (result);
return (ISC_R_SUCCESS);
return (result);
}
dns_fixedname_init(&ftarget);
@ -3330,11 +3332,11 @@ previous_closest_nsec(dns_rdatatype_t type, rbtdb_search_t *search,
* Try the previous node in the NSEC tree.
*/
result = dns_rbtnodechain_prev(nsecchain,
name, origin);
name, origin);
if (result == DNS_R_NEWORIGIN)
result = ISC_R_SUCCESS;
} else if (result == ISC_R_NOTFOUND
|| result == DNS_R_PARTIALMATCH) {
} else if (result == ISC_R_NOTFOUND ||
result == DNS_R_PARTIALMATCH) {
result = dns_rbtnodechain_current(nsecchain,
name, origin, NULL);
if (result == ISC_R_NOTFOUND)
@ -3351,8 +3353,6 @@ previous_closest_nsec(dns_rdatatype_t type, rbtdb_search_t *search,
result = dns_rbtnodechain_prev(nsecchain, name, origin);
if (result == DNS_R_NEWORIGIN)
result = ISC_R_SUCCESS;
if (result != ISC_R_SUCCESS)
return (result);
}
if (result != ISC_R_SUCCESS)
return (result);
@ -3376,10 +3376,7 @@ previous_closest_nsec(dns_rdatatype_t type, rbtdb_search_t *search,
* same name as the node in the auxiliary NSEC tree, except for
* nodes in the auxiliary tree that are awaiting deletion.
*/
if (result == DNS_R_PARTIALMATCH)
result = ISC_R_NOTFOUND;
if (result != ISC_R_NOTFOUND) {
if (result != DNS_R_PARTIALMATCH && result != ISC_R_NOTFOUND) {
isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
DNS_LOGMODULE_CACHE, ISC_LOG_ERROR,
"previous_closest_nsec(): %s",
@ -3389,6 +3386,11 @@ previous_closest_nsec(dns_rdatatype_t type, rbtdb_search_t *search,
}
}
/*
* Find the NSEC/NSEC3 which is or before the current point on the
* search chain. For NSEC3 records only NSEC3 records that match the
* current NSEC3PARAM record are considered.
*/
static inline isc_result_t
find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
dns_name_t *foundname, dns_rdataset_t *rdataset,
@ -3422,15 +3424,16 @@ find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
* Use the auxiliary tree only starting with the second node in the
* hope that the original node will be right much of the time.
*/
dns_fixedname_init(&fname);
name = dns_fixedname_name(&fname);
dns_fixedname_init(&forigin);
origin = dns_fixedname_name(&forigin);
dns_fixedname_init(&fname);
name = dns_fixedname_name(&fname);
dns_fixedname_init(&forigin);
origin = dns_fixedname_name(&forigin);
again:
node = NULL;
prevnode = NULL;
result = dns_rbtnodechain_current(&search->chain, name, origin, &node);
if (result != ISC_R_SUCCESS)
return (result);
if (result != ISC_R_SUCCESS)
return (result);
do {
NODE_LOCK(&(search->rbtdb->node_locks[node->locknum].lock),
isc_rwlocktype_read);
@ -3481,8 +3484,10 @@ find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
empty_node = ISC_TRUE;
found = NULL;
foundsig = NULL;
result = dns_rbtnodechain_prev(&search->chain,
NULL, NULL);
result = previous_closest_nsec(type, search,
name, origin,
&prevnode, NULL,
NULL);
} else if (found != NULL &&
(foundsig != NULL || !need_sig)) {
/*
@ -3522,8 +3527,10 @@ find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
*/
empty_node = ISC_TRUE;
result = previous_closest_nsec(type, search,
name, origin, &prevnode,
&nsecchain, &first);
name, origin,
&prevnode,
&nsecchain,
&first);
} else {
/*
* We found an active node, but either the
@ -3544,6 +3551,7 @@ find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
NODE_UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock),
isc_rwlocktype_read);
node = prevnode;
prevnode = NULL;
} while (empty_node && result == ISC_R_SUCCESS);
if (!first)
@ -5119,7 +5127,7 @@ expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
if (now == 0)
isc_stdtime_get(&now);
if (rbtdb->overmem) {
if (isc_mem_isovermem(rbtdb->common.mctx)) {
isc_uint32_t val;
isc_random_get(&val);
@ -5129,8 +5137,8 @@ expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
force_expire = ISC_TF(rbtnode->down == NULL && val % 4 == 0);
/*
* Note that 'log' can be true IFF rbtdb->overmem is also true.
* rbtdb->overmem can currently only be true for cache
* Note that 'log' can be true IFF overmem is also true.
* overmem can currently only be true for cache
* databases -- hence all of the "overmem cache" log strings.
*/
log = ISC_TF(isc_log_wouldlog(dns_lctx, level));
@ -5175,7 +5183,7 @@ expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
"reprieve by RETAIN() %s",
printname);
}
} else if (rbtdb->overmem && log)
} else if (isc_mem_isovermem(rbtdb->common.mctx) && log)
isc_log_write(dns_lctx, category, module, level,
"overmem cache: saved %s", printname);
@ -5187,10 +5195,12 @@ expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
static void
overmem(dns_db_t *db, isc_boolean_t overmem) {
dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
/* This is an empty callback. See adb.c:water() */
if (IS_CACHE(rbtdb))
rbtdb->overmem = overmem;
UNUSED(db);
UNUSED(overmem);
return;
}
static void
@ -5608,14 +5618,14 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
dns_rdataset_t *addedrdataset, isc_stdtime_t now)
{
rbtdb_changed_t *changed = NULL;
rdatasetheader_t *topheader, *topheader_prev, *header;
rdatasetheader_t *topheader, *topheader_prev, *header, *sigheader;
unsigned char *merged;
isc_result_t result;
isc_boolean_t header_nx;
isc_boolean_t newheader_nx;
isc_boolean_t merge;
dns_rdatatype_t rdtype, covers;
rbtdb_rdatatype_t negtype;
rbtdb_rdatatype_t negtype, sigtype;
dns_trust_t trust;
int idx;
@ -5653,7 +5663,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
newheader_nx = NONEXISTENT(newheader) ? ISC_TRUE : ISC_FALSE;
topheader_prev = NULL;
sigheader = NULL;
negtype = 0;
if (rbtversion == NULL && !newheader_nx) {
rdtype = RBTDB_RDATATYPE_BASE(newheader->type);
@ -5662,26 +5672,34 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
* We're adding a negative cache entry.
*/
covers = RBTDB_RDATATYPE_EXT(newheader->type);
if (covers == dns_rdatatype_any) {
sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig,
covers);
for (topheader = rbtnode->data;
topheader != NULL;
topheader = topheader->next) {
/*
* We're adding an negative cache entry
* If we're adding an negative cache entry
* which covers all types (NXDOMAIN,
* NODATA(QTYPE=ANY)).
*
* We make all other data stale so that the
* only rdataset that can be found at this
* node is the negative cache entry.
*
* Otherwise look for any RRSIGs of the
* given type so they can be marked stale
* later.
*/
for (topheader = rbtnode->data;
topheader != NULL;
topheader = topheader->next) {
if (covers == dns_rdatatype_any) {
set_ttl(rbtdb, topheader, 0);
topheader->attributes |=
RDATASET_ATTR_STALE;
}
rbtnode->dirty = 1;
goto find_header;
rbtnode->dirty = 1;
} else if (topheader->type == sigtype)
sigheader = topheader;
}
if (covers == dns_rdatatype_any)
goto find_header;
negtype = RBTDB_RDATATYPE_VALUE(covers, 0);
} else {
/*
@ -5920,6 +5938,11 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
if (rbtversion == NULL) {
set_ttl(rbtdb, header, 0);
header->attributes |= RDATASET_ATTR_STALE;
if (sigheader != NULL) {
set_ttl(rbtdb, sigheader, 0);
sigheader->attributes |=
RDATASET_ATTR_STALE;
}
}
idx = newheader->node->locknum;
if (IS_CACHE(rbtdb)) {
@ -6136,6 +6159,7 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
isc_boolean_t delegating;
isc_boolean_t newnsec;
isc_boolean_t tree_locked = ISC_FALSE;
isc_boolean_t cache_is_overmem = ISC_FALSE;
REQUIRE(VALID_RBTDB(rbtdb));
@ -6232,12 +6256,14 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
* the tree. In the latter case the lock does not necessarily have to
* be acquired but it will help purge stale entries more effectively.
*/
if (delegating || newnsec || (IS_CACHE(rbtdb) && rbtdb->overmem)) {
if (IS_CACHE(rbtdb) && isc_mem_isovermem(rbtdb->common.mctx))
cache_is_overmem = ISC_TRUE;
if (delegating || newnsec || cache_is_overmem) {
tree_locked = ISC_TRUE;
RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
}
if (IS_CACHE(rbtdb) && rbtdb->overmem)
if (cache_is_overmem)
overmem_purge(rbtdb, rbtnode->locknum, now, tree_locked);
NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
@ -7401,7 +7427,6 @@ dns_rbtdb_create
return (result);
}
rbtdb->attributes = 0;
rbtdb->overmem = ISC_FALSE;
rbtdb->task = NULL;
/*

35
external/bsd/bind/dist/lib/dns/resolver.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: resolver.c,v 1.6 2010/08/06 10:58:12 christos Exp $ */
/* $NetBSD: resolver.c,v 1.7 2010/12/02 14:52:18 christos Exp $ */
/*
* Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
@ -17,7 +17,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* Id: resolver.c,v 1.413.14.11 2010/07/11 00:12:18 each Exp */
/* Id: resolver.c,v 1.413.14.11.6.2 2010/09/15 12:24:38 marka Exp */
/*! \file */
@ -5632,7 +5632,7 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
* trying other servers.
*/
if (dns_name_equal(ns_name, &fctx->domain)) {
log_formerr(fctx, "sideways referral");
log_formerr(fctx, "non-improving referral");
return (DNS_R_FORMERR);
}
@ -6454,6 +6454,29 @@ iscname(fetchctx_t *fctx) {
return (result == ISC_R_SUCCESS ? ISC_TRUE : ISC_FALSE);
}
static isc_boolean_t
betterreferral(fetchctx_t *fctx) {
isc_result_t result;
dns_name_t *name;
dns_rdataset_t *rdataset;
dns_message_t *message = fctx->rmessage;
for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
result == ISC_R_SUCCESS;
result = dns_message_nextname(message, DNS_SECTION_AUTHORITY)) {
name = NULL;
dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
if (!isstrictsubdomain(name, &fctx->domain))
continue;
for (rdataset = ISC_LIST_HEAD(name->list);
rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset, link))
if (rdataset->type == dns_rdatatype_ns)
return (ISC_TRUE);
}
return (ISC_FALSE);
}
static void
resquery_response(isc_task_t *task, isc_event_t *event) {
isc_result_t result = ISC_R_SUCCESS;
@ -6933,6 +6956,12 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
* it as a valid answer.
*/
result = answer_response(fctx);
} else if (fctx->type != dns_rdatatype_ns &&
!betterreferral(fctx)) {
/*
* Lame response !!!.
*/
result = answer_response(fctx);
} else {
if (fctx->type == dns_rdatatype_ns) {
/*

13
external/bsd/bind/dist/lib/isc/include/isc/mem.h vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: mem.h,v 1.4 2010/08/06 10:58:12 christos Exp $ */
/* $NetBSD: mem.h,v 1.5 2010/12/02 14:52:19 christos Exp $ */
/*
* Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
@ -17,7 +17,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* Id: mem.h,v 1.86.102.2 2010/03/04 23:49:20 tbox Exp */
/* Id: mem.h,v 1.86.102.3 2010/08/11 22:56:59 jinmei Exp */
#ifndef ISC_MEM_H
#define ISC_MEM_H 1
@ -226,6 +226,7 @@ typedef struct isc_memmethods {
void *water_arg, size_t hiwater, size_t lowater);
void (*waterack)(isc_mem_t *ctx, int flag);
size_t (*inuse)(isc_mem_t *mctx);
isc_boolean_t (*isovermem)(isc_mem_t *mctx);
isc_result_t (*mpcreate)(isc_mem_t *mctx, size_t size,
isc_mempool_t **mpctxp);
} isc_memmethods_t;
@ -422,6 +423,14 @@ isc_mem_inuse(isc_mem_t *mctx);
* allocated from the system but not yet used.
*/
isc_boolean_t
isc_mem_isovermem(isc_mem_t *mctx);
/*%<
* Return true iff the memory context is in "over memory" state, i.e.,
* a hiwater mark has been set and the used amount of memory has exceeds
* the mark.
*/
void
isc_mem_setwater(isc_mem_t *mctx, isc_mem_water_t water, void *water_arg,
size_t hiwater, size_t lowater);

5
external/bsd/bind/include/config.h vendored
View File

@ -17,7 +17,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* Id: config.h.in,v 1.122.32.10 2010/06/22 04:04:22 marka Exp */
/* Id: config.h.in,v 1.122.32.11 2010/08/16 05:14:58 marka Exp */
/*! \file */
@ -374,9 +374,6 @@ int sigwait(const unsigned int *set, int *sig);
non-blocking. */
/* #undef USE_FIONBIO_IOCTL */
/** define if the system have backtrace function. */
/* #undef HAVE_LIBCTRACE */
/* define if idnkit support is to be included. */
/* #undef WITH_IDN */

4
external/bsd/bind/include/isc/platform.h vendored
View File

@ -207,8 +207,10 @@
/*
* Defined if we are using threads.
*/
#if 0
/* Put in the Makefile */
/* #define ISC_PLATFORM_USETHREADS 1 */
#define ISC_PLATFORM_USETHREADS 1
#endif
/*
* Defined if unistd.h does not cause fd_set to be delared.

4
external/bsd/bind/lib/libbind9/shlib_version vendored
View File

@ -1,5 +1,5 @@
# $NetBSD: shlib_version,v 1.4 2009/12/26 23:08:23 christos Exp $
# $NetBSD: shlib_version,v 1.5 2010/12/02 14:52:19 christos Exp $
# Remember to update distrib/sets/lists/base/shl.* when changing
#
major=5
minor=1
minor=2

4
external/bsd/bind/lib/libdns/shlib_version vendored
View File

@ -1,5 +1,5 @@
# $NetBSD: shlib_version,v 1.4 2009/12/26 23:08:23 christos Exp $
# $NetBSD: shlib_version,v 1.5 2010/12/02 14:52:19 christos Exp $
# Remember to update distrib/sets/lists/base/shl.* when changing
#
major=5
minor=1
minor=2

4
external/bsd/bind/lib/libisc/shlib_version vendored
View File

@ -1,5 +1,5 @@
# $NetBSD: shlib_version,v 1.4 2009/12/26 23:08:23 christos Exp $
# $NetBSD: shlib_version,v 1.5 2010/12/02 14:52:20 christos Exp $
# Remember to update distrib/sets/lists/base/shl.* when changing
#
major=5
minor=1
minor=2

4
external/bsd/bind/lib/libisccc/shlib_version vendored
View File

@ -1,5 +1,5 @@
# $NetBSD: shlib_version,v 1.4 2009/12/26 23:08:23 christos Exp $
# $NetBSD: shlib_version,v 1.5 2010/12/02 14:52:20 christos Exp $
# Remember to update distrib/sets/lists/base/shl.* when changing
#
major=5
minor=1
minor=2

4
external/bsd/bind/lib/libisccfg/shlib_version vendored
View File

@ -1,5 +1,5 @@
# $NetBSD: shlib_version,v 1.4 2009/12/26 23:08:23 christos Exp $
# $NetBSD: shlib_version,v 1.5 2010/12/02 14:52:20 christos Exp $
# Remember to update distrib/sets/lists/base/shl.* when changing
#
major=5
minor=1
minor=2

4
external/bsd/bind/lib/liblwres/shlib_version vendored
View File

@ -1,5 +1,5 @@
# $NetBSD: shlib_version,v 1.4 2009/12/26 23:08:24 christos Exp $
# $NetBSD: shlib_version,v 1.5 2010/12/02 14:52:20 christos Exp $
# Remember to update distrib/sets/lists/base/shl.* when changing
#
major=5
minor=1
minor=2