merge 9.8.0-P2:
- fixes CVE-2011-1910: Large RRSIG RRsets and Negative Caching can crash named - fixes CVE-2011-0414: bind lockup during IXFR - return a more correct error in case of policy violation bump version of libdns and libisc
This commit is contained in:
spz
parent
9a6f7751cf
commit
f93f010473
|
|
@ -1,4 +1,4 @@
|
|||
# $NetBSD: ad.mips64eb,v 1.49 2011/05/13 01:56:27 christos Exp $
|
||||
# $NetBSD: ad.mips64eb,v 1.50 2011/05/29 15:17:08 spz Exp $
|
||||
./libexec/ld.elf_so-64 base-compat-shlib compat,pic
|
||||
./libexec/ld.elf_so-o32 base-sysutil-bin compat,pic
|
||||
./usr/lib/64 base-compat-lib
|
||||
|
|
@ -82,7 +82,7 @@
|
|||
./usr/lib/64/libdm.so.0 base-compat-shlib compat,pic
|
||||
./usr/lib/64/libdm.so.0.0 base-compat-shlib compat,pic
|
||||
./usr/lib/64/libdns.so.5 base-compat-shlib compat,pic
|
||||
./usr/lib/64/libdns.so.5.3 base-compat-shlib compat,pic
|
||||
./usr/lib/64/libdns.so.5.4 base-compat-shlib compat,pic
|
||||
./usr/lib/64/libdns_sd.so.0 base-compat-shlib compat,pic,mdns
|
||||
./usr/lib/64/libdns_sd.so.0.0 base-compat-shlib compat,pic,mdns
|
||||
./usr/lib/64/libdwarf.so.0 base-compat-shlib compat,pic
|
||||
|
|
@ -116,7 +116,7 @@
|
|||
./usr/lib/64/libipsec.so.3 base-compat-shlib compat,pic
|
||||
./usr/lib/64/libipsec.so.3.0 base-compat-shlib compat,pic
|
||||
./usr/lib/64/libisc.so.5 base-compat-shlib compat,pic
|
||||
./usr/lib/64/libisc.so.5.3 base-compat-shlib compat,pic
|
||||
./usr/lib/64/libisc.so.5.4 base-compat-shlib compat,pic
|
||||
./usr/lib/64/libisccc.so.5 base-compat-shlib compat,pic
|
||||
./usr/lib/64/libisccc.so.5.3 base-compat-shlib compat,pic
|
||||
./usr/lib/64/libisccfg.so.5 base-compat-shlib compat,pic
|
||||
|
|
@ -393,7 +393,7 @@
|
|||
./usr/lib/o32/libipsec.so.3 base-compat-shlib compat,pic
|
||||
./usr/lib/o32/libipsec.so.3.0 base-compat-shlib compat,pic
|
||||
./usr/lib/o32/libisc.so.5 base-compat-shlib compat,pic
|
||||
./usr/lib/o32/libisc.so.5.3 base-compat-shlib compat,pic
|
||||
./usr/lib/o32/libisc.so.5.4 base-compat-shlib compat,pic
|
||||
./usr/lib/o32/libisccc.so.5 base-compat-shlib compat,pic
|
||||
./usr/lib/o32/libisccc.so.5.3 base-compat-shlib compat,pic
|
||||
./usr/lib/o32/libisccfg.so.5 base-compat-shlib compat,pic
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# $NetBSD: ad.mips64el,v 1.47 2011/05/13 01:56:27 christos Exp $
|
||||
# $NetBSD: ad.mips64el,v 1.48 2011/05/29 15:17:09 spz Exp $
|
||||
./libexec/ld.elf_so-64 base-compat-shlib compat,pic
|
||||
./libexec/ld.elf_so-o32 base-sysutil-bin compat,pic
|
||||
./usr/lib/64 base-compat-lib
|
||||
|
|
@ -82,7 +82,7 @@
|
|||
./usr/lib/64/libdm.so.0 base-compat-shlib compat,pic
|
||||
./usr/lib/64/libdm.so.0.0 base-compat-shlib compat,pic
|
||||
./usr/lib/64/libdns.so.5 base-compat-shlib compat,pic
|
||||
./usr/lib/64/libdns.so.5.3 base-compat-shlib compat,pic
|
||||
./usr/lib/64/libdns.so.5.4 base-compat-shlib compat,pic
|
||||
./usr/lib/64/libdns_sd.so.0 base-compat-shlib compat,pic,mdns
|
||||
./usr/lib/64/libdns_sd.so.0.0 base-compat-shlib compat,pic,mdns
|
||||
./usr/lib/64/libdwarf.so.0 base-compat-shlib compat,pic
|
||||
|
|
@ -116,7 +116,7 @@
|
|||
./usr/lib/64/libipsec.so.3 base-compat-shlib compat,pic
|
||||
./usr/lib/64/libipsec.so.3.0 base-compat-shlib compat,pic
|
||||
./usr/lib/64/libisc.so.5 base-compat-shlib compat,pic
|
||||
./usr/lib/64/libisc.so.5.3 base-compat-shlib compat,pic
|
||||
./usr/lib/64/libisc.so.5.4 base-compat-shlib compat,pic
|
||||
./usr/lib/64/libisccc.so.5 base-compat-shlib compat,pic
|
||||
./usr/lib/64/libisccc.so.5.3 base-compat-shlib compat,pic
|
||||
./usr/lib/64/libisccfg.so.5 base-compat-shlib compat,pic
|
||||
|
|
@ -359,7 +359,7 @@
|
|||
./usr/lib/o32/libdm.so.0 base-compat-shlib compat,pic
|
||||
./usr/lib/o32/libdm.so.0.0 base-compat-shlib compat,pic
|
||||
./usr/lib/o32/libdns.so.5 base-compat-shlib compat,pic
|
||||
./usr/lib/o32/libdns.so.5.3 base-compat-shlib compat,pic
|
||||
./usr/lib/o32/libdns.so.5.4 base-compat-shlib compat,pic
|
||||
./usr/lib/o32/libdns_sd.so.0 base-compat-shlib compat,pic,mdns
|
||||
./usr/lib/o32/libdns_sd.so.0.0 base-compat-shlib compat,pic,mdns
|
||||
./usr/lib/o32/libdwarf.so.0 base-compat-shlib compat,pic
|
||||
|
|
@ -393,7 +393,7 @@
|
|||
./usr/lib/o32/libipsec.so.3 base-compat-shlib compat,pic
|
||||
./usr/lib/o32/libipsec.so.3.0 base-compat-shlib compat,pic
|
||||
./usr/lib/o32/libisc.so.5 base-compat-shlib compat,pic
|
||||
./usr/lib/o32/libisc.so.5.3 base-compat-shlib compat,pic
|
||||
./usr/lib/o32/libisc.so.5.4 base-compat-shlib compat,pic
|
||||
./usr/lib/o32/libisccc.so.5 base-compat-shlib compat,pic
|
||||
./usr/lib/o32/libisccc.so.5.3 base-compat-shlib compat,pic
|
||||
./usr/lib/o32/libisccfg.so.5 base-compat-shlib compat,pic
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# $NetBSD: md.amd64,v 1.122 2011/05/13 01:56:27 christos Exp $
|
||||
# $NetBSD: md.amd64,v 1.123 2011/05/29 15:17:09 spz Exp $
|
||||
./dev/lms0 base-obsolete obsolete
|
||||
./dev/mms0 base-obsolete obsolete
|
||||
./libexec/ld.elf_so-i386 base-sys-shlib compat,pic
|
||||
|
|
@ -85,7 +85,7 @@
|
|||
./usr/lib/i386/libdm.so.0 base-compat-shlib compat,pic
|
||||
./usr/lib/i386/libdm.so.0.0 base-compat-shlib compat,pic
|
||||
./usr/lib/i386/libdns.so.5 base-compat-shlib compat,pic
|
||||
./usr/lib/i386/libdns.so.5.3 base-compat-shlib compat,pic
|
||||
./usr/lib/i386/libdns.so.5.4 base-compat-shlib compat,pic
|
||||
./usr/lib/i386/libdns_sd.so.0 base-compat-shlib compat,pic,mdns
|
||||
./usr/lib/i386/libdns_sd.so.0.0 base-compat-shlib compat,pic,mdns
|
||||
./usr/lib/i386/libdwarf.so.0 base-compat-shlib compat,pic
|
||||
|
|
@ -121,7 +121,7 @@
|
|||
./usr/lib/i386/libipsec.so.3 base-compat-shlib compat,pic
|
||||
./usr/lib/i386/libipsec.so.3.0 base-compat-shlib compat,pic
|
||||
./usr/lib/i386/libisc.so.5 base-compat-shlib compat,pic
|
||||
./usr/lib/i386/libisc.so.5.3 base-compat-shlib compat,pic
|
||||
./usr/lib/i386/libisc.so.5.4 base-compat-shlib compat,pic
|
||||
./usr/lib/i386/libisccc.so.5 base-compat-shlib compat,pic
|
||||
./usr/lib/i386/libisccc.so.5.3 base-compat-shlib compat,pic
|
||||
./usr/lib/i386/libisccfg.so.5 base-compat-shlib compat,pic
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# $NetBSD: md.sparc64,v 1.115 2011/05/13 01:56:27 christos Exp $
|
||||
# $NetBSD: md.sparc64,v 1.116 2011/05/29 15:17:09 spz Exp $
|
||||
./libexec/ld.elf_so-sparc base-sysutil-bin compat,pic
|
||||
./sbin/edlabel base-sysutil-root obsolete
|
||||
./usr/bin/fdformat base-util-bin
|
||||
|
|
@ -83,7 +83,7 @@
|
|||
./usr/lib/sparc/libdm.so.0 base-compat-shlib compat,pic
|
||||
./usr/lib/sparc/libdm.so.0.0 base-compat-shlib compat,pic
|
||||
./usr/lib/sparc/libdns.so.5 base-compat-shlib compat,pic
|
||||
./usr/lib/sparc/libdns.so.5.3 base-compat-shlib compat,pic
|
||||
./usr/lib/sparc/libdns.so.5.4 base-compat-shlib compat,pic
|
||||
./usr/lib/sparc/libdns_sd.so.0 base-compat-shlib compat,pic,mdns
|
||||
./usr/lib/sparc/libdns_sd.so.0.0 base-compat-shlib compat,pic,mdns
|
||||
./usr/lib/sparc/libdwarf.so.0 base-compat-shlib compat,pic
|
||||
|
|
@ -117,7 +117,7 @@
|
|||
./usr/lib/sparc/libipsec.so.3 base-compat-shlib compat,pic
|
||||
./usr/lib/sparc/libipsec.so.3.0 base-compat-shlib compat,pic
|
||||
./usr/lib/sparc/libisc.so.5 base-compat-shlib compat,pic
|
||||
./usr/lib/sparc/libisc.so.5.3 base-compat-shlib compat,pic
|
||||
./usr/lib/sparc/libisc.so.5.4 base-compat-shlib compat,pic
|
||||
./usr/lib/sparc/libisccc.so.5 base-compat-shlib compat,pic
|
||||
./usr/lib/sparc/libisccc.so.5.3 base-compat-shlib compat,pic
|
||||
./usr/lib/sparc/libisccfg.so.5 base-compat-shlib compat,pic
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# $NetBSD: shl.mi,v 1.584 2011/05/13 01:56:27 christos Exp $
|
||||
# $NetBSD: shl.mi,v 1.585 2011/05/29 15:17:09 spz Exp $
|
||||
#
|
||||
# Note: Don't delete entries from here - mark them as "obsolete" instead,
|
||||
# unless otherwise stated below.
|
||||
|
|
@ -198,7 +198,7 @@
|
|||
./usr/lib/libdm.so.0.0 base-sys-shlib
|
||||
./usr/lib/libdns.so base-bind-shlib
|
||||
./usr/lib/libdns.so.5 base-bind-shlib
|
||||
./usr/lib/libdns.so.5.3 base-bind-shlib
|
||||
./usr/lib/libdns.so.5.4 base-bind-shlib
|
||||
./usr/lib/libdns_sd.so base-mdns-shlib mdns
|
||||
./usr/lib/libdns_sd.so.0 base-mdns-shlib mdns
|
||||
./usr/lib/libdns_sd.so.0.0 base-mdns-shlib mdns
|
||||
|
|
@ -255,7 +255,7 @@
|
|||
./usr/lib/libipsec.so.3.0 base-net-shlib
|
||||
./usr/lib/libisc.so base-bind-shlib
|
||||
./usr/lib/libisc.so.5 base-bind-shlib
|
||||
./usr/lib/libisc.so.5.3 base-bind-shlib
|
||||
./usr/lib/libisc.so.5.4 base-bind-shlib
|
||||
./usr/lib/libisccc.so base-bind-shlib
|
||||
./usr/lib/libisccc.so.5 base-bind-shlib
|
||||
./usr/lib/libisccc.so.5.3 base-bind-shlib
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
/* $NetBSD: bind.keys.h,v 1.2 2011/02/16 03:46:45 christos Exp $ */
|
||||
/* $NetBSD: bind.keys.h,v 1.3 2011/05/29 15:17:09 spz Exp $ */
|
||||
|
||||
/*
|
||||
* Generated by bindkeys.pl 1.7 2011/01/04 23:47:13 tbox Exp
|
||||
* From bind.keys 1.7 2011/01/03 23:45:07 each Exp
|
||||
* Generated by bindkeys.pl 1.7 2011-01-04 23:47:13 tbox Exp
|
||||
* From bind.keys 1.7 2011-01-03 23:45:07 each Exp
|
||||
*/
|
||||
#define TRUSTED_KEYS "\
|
||||
# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: query.c,v 1.3 2011/05/06 15:28:19 taca Exp $ */
|
||||
/* $NetBSD: query.c,v 1.4 2011/05/29 15:17:09 spz Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
|
||||
|
|
@ -17,7 +17,7 @@
|
|||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* Id: query.c,v 1.353.8.1 2011-02-03 07:39:02 marka Exp */
|
||||
/* Id: query.c,v 1.353.8.2.2.1 2011-04-27 17:06:27 each Exp */
|
||||
|
||||
/*! \file */
|
||||
|
||||
|
|
@ -4043,8 +4043,8 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
|
|||
version = NULL;
|
||||
result = rpz_getdb(client, rpz_type, qnamef, zonep, dbp, &version);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
*policyp = DNS_RPZ_POLICY_ERROR;
|
||||
return (DNS_R_SERVFAIL);
|
||||
*policyp = DNS_RPZ_POLICY_MISS;
|
||||
return (DNS_R_NXDOMAIN);
|
||||
}
|
||||
|
||||
dns_fixedname_init(&fixed);
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: server.c,v 1.8 2011/02/16 03:46:46 christos Exp $ */
|
||||
/* $NetBSD: server.c,v 1.9 2011/05/29 15:17:09 spz Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
|
||||
|
|
@ -17,7 +17,7 @@
|
|||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* Id: server.c,v 1.599.8.3 2011-02-03 12:17:49 tbox Exp */
|
||||
/* Id: server.c,v 1.599.8.4 2011-02-16 19:46:12 each Exp */
|
||||
|
||||
/*! \file */
|
||||
|
||||
|
|
@ -3478,6 +3478,7 @@ add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx) {
|
|||
|
||||
if (pview != NULL && pview->managed_keys != NULL) {
|
||||
dns_zone_attach(pview->managed_keys, &view->managed_keys);
|
||||
dns_zone_setview(pview->managed_keys, view);
|
||||
dns_view_detach(&pview);
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: ncache.c,v 1.2 2011/02/16 03:47:04 christos Exp $ */
|
||||
/* $NetBSD: ncache.c,v 1.3 2011/05/29 15:17:09 spz Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 2004, 2005, 2007, 2008, 2010 Internet Systems Consortium, Inc. ("ISC")
|
||||
|
|
@ -17,7 +17,7 @@
|
|||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* Id: ncache.c,v 1.50.124.1 2011-02-03 07:39:03 marka Exp */
|
||||
/* Id: ncache.c,v 1.50.124.1.2.1 2011-05-27 00:57:31 each Exp */
|
||||
|
||||
/*! \file */
|
||||
|
||||
|
|
@ -188,7 +188,7 @@ dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
|
|||
*/
|
||||
isc_buffer_availableregion(&buffer,
|
||||
&r);
|
||||
if (r.length < 2)
|
||||
if (r.length < 3)
|
||||
return (ISC_R_NOSPACE);
|
||||
isc_buffer_putuint16(&buffer,
|
||||
rdataset->type);
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: rbtdb.c,v 1.7 2011/02/16 03:47:04 christos Exp $ */
|
||||
/* $NetBSD: rbtdb.c,v 1.8 2011/05/29 15:17:09 spz Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
|
||||
|
|
@ -17,7 +17,7 @@
|
|||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* Id: rbtdb.c,v 1.310 2011-01-13 09:53:04 marka Exp */
|
||||
/* Id: rbtdb.c,v 1.310.8.1 2011-02-18 23:23:08 each Exp */
|
||||
|
||||
/*! \file */
|
||||
|
||||
|
|
@ -394,12 +394,15 @@ typedef ISC_LIST(rbtdb_version_t) rbtdb_versionlist_t;
|
|||
typedef struct {
|
||||
/* Unlocked. */
|
||||
dns_db_t common;
|
||||
/* Locks the data in this struct */
|
||||
#if DNS_RBTDB_USERWLOCK
|
||||
isc_rwlock_t lock;
|
||||
#else
|
||||
isc_mutex_t lock;
|
||||
#endif
|
||||
/* Locks the tree structure (prevents nodes appearing/disappearing) */
|
||||
isc_rwlock_t tree_lock;
|
||||
/* Locks for individual tree nodes */
|
||||
unsigned int node_lock_count;
|
||||
rbtdb_nodelock_t * node_locks;
|
||||
dns_rbtnode_t * origin_node;
|
||||
|
|
@ -7266,7 +7269,7 @@ getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset,
|
|||
|
||||
REQUIRE(VALID_RBTDB(rbtdb));
|
||||
|
||||
RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_read);
|
||||
RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
|
||||
|
||||
for (i = 0; i < rbtdb->node_lock_count; i++) {
|
||||
NODE_LOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_read);
|
||||
|
|
@ -7302,7 +7305,7 @@ getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset,
|
|||
result = ISC_R_SUCCESS;
|
||||
|
||||
unlock:
|
||||
RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_read);
|
||||
RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
|
||||
|
||||
return (result);
|
||||
}
|
||||
|
|
@ -7324,7 +7327,7 @@ resigned(dns_db_t *db, dns_rdataset_t *rdataset, dns_dbversion_t *version)
|
|||
header = rdataset->private3;
|
||||
header--;
|
||||
|
||||
RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
|
||||
RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
|
||||
NODE_LOCK(&rbtdb->node_locks[node->locknum].lock,
|
||||
isc_rwlocktype_write);
|
||||
/*
|
||||
|
|
@ -7338,7 +7341,7 @@ resigned(dns_db_t *db, dns_rdataset_t *rdataset, dns_dbversion_t *version)
|
|||
|
||||
NODE_UNLOCK(&rbtdb->node_locks[node->locknum].lock,
|
||||
isc_rwlocktype_write);
|
||||
RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
|
||||
RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
|
||||
}
|
||||
|
||||
static dns_stats_t *
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: resolver.c,v 1.8 2011/02/16 03:47:04 christos Exp $ */
|
||||
/* $NetBSD: resolver.c,v 1.9 2011/05/29 15:17:09 spz Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
|
||||
|
|
@ -17,7 +17,7 @@
|
|||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* Id: resolver.c,v 1.428.6.3 2011-02-08 22:56:53 marka Exp */
|
||||
/* Id: resolver.c,v 1.428.6.5 2011-02-18 23:41:51 mgraff Exp */
|
||||
|
||||
/*! \file */
|
||||
|
||||
|
|
@ -2366,77 +2366,13 @@ add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason,
|
|||
}
|
||||
|
||||
/*
|
||||
* Return 'bits' bits of random entropy from fctx->rand_buf,
|
||||
* refreshing it by calling isc_random_get() whenever the requested
|
||||
* number of bits is greater than the number in the buffer.
|
||||
*/
|
||||
static inline isc_uint32_t
|
||||
random_bits(fetchctx_t *fctx, isc_uint32_t bits) {
|
||||
isc_uint32_t ret = 0;
|
||||
|
||||
REQUIRE(VALID_FCTX(fctx));
|
||||
REQUIRE(bits <= 32);
|
||||
if (bits == 0)
|
||||
return (0);
|
||||
|
||||
if (bits >= fctx->rand_bits) {
|
||||
/* if rand_bits == 0, this is unnecessary but harmless */
|
||||
bits -= fctx->rand_bits;
|
||||
ret = fctx->rand_buf << bits;
|
||||
|
||||
/* refresh random buffer now */
|
||||
isc_random_get(&fctx->rand_buf);
|
||||
fctx->rand_bits = sizeof(fctx->rand_buf) * CHAR_BIT;
|
||||
}
|
||||
|
||||
if (bits > 0) {
|
||||
isc_uint32_t mask = 0xffffffff;
|
||||
if (bits < 32) {
|
||||
mask = (1 << bits) - 1;
|
||||
}
|
||||
|
||||
ret |= fctx->rand_buf & mask;
|
||||
fctx->rand_buf >>= bits;
|
||||
fctx->rand_bits -= bits;
|
||||
}
|
||||
|
||||
return (ret);
|
||||
}
|
||||
|
||||
/*
|
||||
* Add some random jitter to a server's RTT value so that the
|
||||
* order of queries will be unpredictable.
|
||||
*
|
||||
* RTT values of servers which have been tried are fuzzed by 128 ms.
|
||||
* Servers that haven't been tried yet have their RTT set to a random
|
||||
* value between 0 ms and 7 ms; they should get to go first, but in
|
||||
* unpredictable order.
|
||||
*/
|
||||
static inline void
|
||||
randomize_srtt(fetchctx_t *fctx, dns_adbaddrinfo_t *ai) {
|
||||
if (TRIED(ai)) {
|
||||
ai->srtt >>= 10; /* convert to milliseconds, near enough */
|
||||
ai->srtt |= (ai->srtt & 0x80) | random_bits(fctx, 7);
|
||||
ai->srtt <<= 10; /* now back to microseconds */
|
||||
} else
|
||||
ai->srtt = random_bits(fctx, 3) << 10;
|
||||
}
|
||||
|
||||
/*
|
||||
* Sort addrinfo list by RTT (with random jitter)
|
||||
* Sort addrinfo list by RTT.
|
||||
*/
|
||||
static void
|
||||
sort_adbfind(fetchctx_t *fctx, dns_adbfind_t *find) {
|
||||
sort_adbfind(dns_adbfind_t *find) {
|
||||
dns_adbaddrinfo_t *best, *curr;
|
||||
dns_adbaddrinfolist_t sorted;
|
||||
|
||||
/* Add jitter to SRTT values */
|
||||
curr = ISC_LIST_HEAD(find->list);
|
||||
while (curr != NULL) {
|
||||
randomize_srtt(fctx, curr);
|
||||
curr = ISC_LIST_NEXT(curr, publink);
|
||||
}
|
||||
|
||||
/* Lame N^2 bubble sort. */
|
||||
ISC_LIST_INIT(sorted);
|
||||
while (!ISC_LIST_EMPTY(find->list)) {
|
||||
|
|
@ -2454,19 +2390,19 @@ sort_adbfind(fetchctx_t *fctx, dns_adbfind_t *find) {
|
|||
}
|
||||
|
||||
/*
|
||||
* Sort a list of finds by server RTT (with random jitter)
|
||||
* Sort a list of finds by server RTT.
|
||||
*/
|
||||
static void
|
||||
sort_finds(fetchctx_t *fctx, dns_adbfindlist_t *findlist) {
|
||||
sort_finds(dns_adbfindlist_t *findlist) {
|
||||
dns_adbfind_t *best, *curr;
|
||||
dns_adbfindlist_t sorted;
|
||||
dns_adbaddrinfo_t *addrinfo, *bestaddrinfo;
|
||||
|
||||
/* Sort each find's addrinfo list by SRTT (after adding jitter) */
|
||||
/* Sort each find's addrinfo list by SRTT. */
|
||||
for (curr = ISC_LIST_HEAD(*findlist);
|
||||
curr != NULL;
|
||||
curr = ISC_LIST_NEXT(curr, publink))
|
||||
sort_adbfind(fctx, curr);
|
||||
sort_adbfind(curr);
|
||||
|
||||
/* Lame N^2 bubble sort. */
|
||||
ISC_LIST_INIT(sorted);
|
||||
|
|
@ -2851,8 +2787,8 @@ fctx_getaddresses(fetchctx_t *fctx, isc_boolean_t badcache) {
|
|||
* We've found some addresses. We might still be looking
|
||||
* for more addresses.
|
||||
*/
|
||||
sort_finds(fctx, &fctx->finds);
|
||||
sort_finds(fctx, &fctx->altfinds);
|
||||
sort_finds(&fctx->finds);
|
||||
sort_finds(&fctx->altfinds);
|
||||
result = ISC_R_SUCCESS;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: validator.c,v 1.3 2011/02/16 03:47:05 christos Exp $ */
|
||||
/* $NetBSD: validator.c,v 1.4 2011/05/29 15:17:09 spz Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
|
||||
|
|
@ -17,7 +17,7 @@
|
|||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* Id: validator.c,v 1.197 2010-12-23 04:07:58 marka Exp */
|
||||
/* Id: validator.c,v 1.197.40.1 2011-05-27 00:57:31 each Exp */
|
||||
|
||||
#include <config.h>
|
||||
|
||||
|
|
@ -430,7 +430,8 @@ fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
|
|||
validator_done(val, ISC_R_CANCELED);
|
||||
} else if (eresult == ISC_R_SUCCESS) {
|
||||
validator_log(val, ISC_LOG_DEBUG(3),
|
||||
"keyset with trust %d", rdataset->trust);
|
||||
"keyset with trust %s",
|
||||
dns_trust_totext(rdataset->trust));
|
||||
/*
|
||||
* Only extract the dst key if the keyset is secure.
|
||||
*/
|
||||
|
|
@ -507,7 +508,8 @@ dsfetched(isc_task_t *task, isc_event_t *event) {
|
|||
validator_done(val, ISC_R_CANCELED);
|
||||
} else if (eresult == ISC_R_SUCCESS) {
|
||||
validator_log(val, ISC_LOG_DEBUG(3),
|
||||
"dsset with trust %d", rdataset->trust);
|
||||
"dsset with trust %s",
|
||||
dns_trust_totext(rdataset->trust));
|
||||
val->dsset = &val->frdataset;
|
||||
result = validatezonekey(val);
|
||||
if (result != DNS_R_WAIT)
|
||||
|
|
@ -662,7 +664,8 @@ keyvalidated(isc_task_t *task, isc_event_t *event) {
|
|||
validator_done(val, ISC_R_CANCELED);
|
||||
} else if (eresult == ISC_R_SUCCESS) {
|
||||
validator_log(val, ISC_LOG_DEBUG(3),
|
||||
"keyset with trust %d", val->frdataset.trust);
|
||||
"keyset with trust %s",
|
||||
dns_trust_totext(val->frdataset.trust));
|
||||
/*
|
||||
* Only extract the dst key if the keyset is secure.
|
||||
*/
|
||||
|
|
@ -733,10 +736,10 @@ dsvalidated(isc_task_t *task, isc_event_t *event) {
|
|||
isc_boolean_t have_dsset;
|
||||
dns_name_t *name;
|
||||
validator_log(val, ISC_LOG_DEBUG(3),
|
||||
"%s with trust %d",
|
||||
"%s with trust %s",
|
||||
val->frdataset.type == dns_rdatatype_ds ?
|
||||
"dsset" : "ds non-existance",
|
||||
val->frdataset.trust);
|
||||
dns_trust_totext(val->frdataset.trust));
|
||||
have_dsset = ISC_TF(val->frdataset.type == dns_rdatatype_ds);
|
||||
name = dns_fixedname_name(&val->fname);
|
||||
if ((val->attributes & VALATTR_INSECURITY) != 0 &&
|
||||
|
|
@ -1387,8 +1390,8 @@ view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
|
|||
INSIST(type == dns_rdatatype_dlv);
|
||||
if (val->frdataset.trust != dns_trust_secure) {
|
||||
validator_log(val, ISC_LOG_DEBUG(3),
|
||||
"covering nsec: trust %u",
|
||||
val->frdataset.trust);
|
||||
"covering nsec: trust %s",
|
||||
dns_trust_totext(val->frdataset.trust));
|
||||
goto notfound;
|
||||
}
|
||||
result = dns_rdataset_first(&val->frdataset);
|
||||
|
|
@ -1723,8 +1726,8 @@ get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) {
|
|||
* See if we've got the key used in the signature.
|
||||
*/
|
||||
validator_log(val, ISC_LOG_DEBUG(3),
|
||||
"keyset with trust %d",
|
||||
val->frdataset.trust);
|
||||
"keyset with trust %s",
|
||||
dns_trust_totext(val->frdataset.trust));
|
||||
result = get_dst_key(val, siginfo, val->keyset);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
/*
|
||||
|
|
@ -2494,8 +2497,11 @@ validatezonekey(dns_validator_t *val) {
|
|||
" insecure DS");
|
||||
return (DNS_R_MUSTBESECURE);
|
||||
}
|
||||
markanswer(val, "validatezonekey (2)");
|
||||
return (ISC_R_SUCCESS);
|
||||
if (val->view->dlv == NULL || DLVTRIED(val)) {
|
||||
markanswer(val, "validatezonekey (2)");
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
return (startfinddlvsep(val, val->event->name));
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
@ -3233,7 +3239,8 @@ dlvvalidated(isc_task_t *task, isc_event_t *event) {
|
|||
validator_done(val, ISC_R_CANCELED);
|
||||
} else if (eresult == ISC_R_SUCCESS) {
|
||||
validator_log(val, ISC_LOG_DEBUG(3),
|
||||
"dlvset with trust %d", val->frdataset.trust);
|
||||
"dlvset with trust %s",
|
||||
dns_trust_totext(val->frdataset.trust));
|
||||
dns_rdataset_clone(&val->frdataset, &val->dlv);
|
||||
val->havedlvsep = ISC_TRUE;
|
||||
if (dlv_algorithm_supported(val))
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: xfrin.c,v 1.2 2011/02/16 03:47:05 christos Exp $ */
|
||||
/* $NetBSD: xfrin.c,v 1.3 2011/05/29 15:17:10 spz Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
|
||||
|
|
@ -17,7 +17,7 @@
|
|||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* Id: xfrin.c,v 1.166 2008-09-25 04:12:39 marka Exp */
|
||||
/* Id: xfrin.c,v 1.166.522.2 2011-02-19 01:21:27 each Exp */
|
||||
|
||||
/*! \file */
|
||||
|
||||
|
|
@ -85,8 +85,9 @@ typedef enum {
|
|||
XFRST_IXFR_DEL,
|
||||
XFRST_IXFR_ADDSOA,
|
||||
XFRST_IXFR_ADD,
|
||||
XFRST_IXFR_END,
|
||||
XFRST_AXFR,
|
||||
XFRST_END
|
||||
XFRST_AXFR_END
|
||||
} xfrin_state_t;
|
||||
|
||||
/*%
|
||||
|
|
@ -205,6 +206,7 @@ static isc_result_t axfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op,
|
|||
dns_rdata_t *rdata);
|
||||
static isc_result_t axfr_apply(dns_xfrin_ctx_t *xfr);
|
||||
static isc_result_t axfr_commit(dns_xfrin_ctx_t *xfr);
|
||||
static isc_result_t axfr_finalize(dns_xfrin_ctx_t *xfr);
|
||||
|
||||
static isc_result_t ixfr_init(dns_xfrin_ctx_t *xfr);
|
||||
static isc_result_t ixfr_apply(dns_xfrin_ctx_t *xfr);
|
||||
|
|
@ -320,6 +322,16 @@ axfr_commit(dns_xfrin_ctx_t *xfr) {
|
|||
|
||||
CHECK(axfr_apply(xfr));
|
||||
CHECK(dns_db_endload(xfr->db, &xfr->axfr.add_private));
|
||||
|
||||
result = ISC_R_SUCCESS;
|
||||
failure:
|
||||
return (result);
|
||||
}
|
||||
|
||||
static isc_result_t
|
||||
axfr_finalize(dns_xfrin_ctx_t *xfr) {
|
||||
isc_result_t result;
|
||||
|
||||
CHECK(dns_zone_replacedb(xfr->zone, xfr->db, ISC_TRUE));
|
||||
|
||||
result = ISC_R_SUCCESS;
|
||||
|
|
@ -543,7 +555,7 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, isc_uint32_t ttl,
|
|||
isc_uint32_t soa_serial = dns_soa_getserial(rdata);
|
||||
if (soa_serial == xfr->end_serial) {
|
||||
CHECK(ixfr_commit(xfr));
|
||||
xfr->state = XFRST_END;
|
||||
xfr->state = XFRST_IXFR_END;
|
||||
break;
|
||||
} else if (soa_serial != xfr->ixfr.current_serial) {
|
||||
xfrin_log(xfr, ISC_LOG_ERROR,
|
||||
|
|
@ -574,11 +586,12 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, isc_uint32_t ttl,
|
|||
CHECK(axfr_putdata(xfr, DNS_DIFFOP_ADD, name, ttl, rdata));
|
||||
if (rdata->type == dns_rdatatype_soa) {
|
||||
CHECK(axfr_commit(xfr));
|
||||
xfr->state = XFRST_END;
|
||||
xfr->state = XFRST_AXFR_END;
|
||||
break;
|
||||
}
|
||||
break;
|
||||
case XFRST_END:
|
||||
case XFRST_AXFR_END:
|
||||
case XFRST_IXFR_END:
|
||||
FAIL(DNS_R_EXTRADATA);
|
||||
default:
|
||||
INSIST(0);
|
||||
|
|
@ -1320,8 +1333,9 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
|
|||
|
||||
} else if (dns_message_gettsigkey(msg) != NULL) {
|
||||
xfr->sincetsig++;
|
||||
if (xfr->sincetsig > 100 ||
|
||||
xfr->nmsg == 0 || xfr->state == XFRST_END)
|
||||
if (xfr->sincetsig > 100 || xfr->nmsg == 0 ||
|
||||
xfr->state == XFRST_AXFR_END ||
|
||||
xfr->state == XFRST_IXFR_END)
|
||||
{
|
||||
result = DNS_R_EXPECTEDTSIG;
|
||||
goto failure;
|
||||
|
|
@ -1347,16 +1361,22 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
|
|||
|
||||
dns_message_destroy(&msg);
|
||||
|
||||
if (xfr->state == XFRST_GOTSOA) {
|
||||
switch (xfr->state) {
|
||||
case XFRST_GOTSOA:
|
||||
xfr->reqtype = dns_rdatatype_axfr;
|
||||
xfr->state = XFRST_INITIALSOA;
|
||||
CHECK(xfrin_send_request(xfr));
|
||||
} else if (xfr->state == XFRST_END) {
|
||||
break;
|
||||
case XFRST_AXFR_END:
|
||||
CHECK(axfr_finalize(xfr));
|
||||
/* FALLTHROUGH */
|
||||
case XFRST_IXFR_END:
|
||||
/*
|
||||
* Close the journal.
|
||||
*/
|
||||
if (xfr->ixfr.journal != NULL)
|
||||
dns_journal_destroy(&xfr->ixfr.journal);
|
||||
|
||||
/*
|
||||
* Inform the caller we succeeded.
|
||||
*/
|
||||
|
|
@ -1370,7 +1390,8 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
|
|||
*/
|
||||
xfr->shuttingdown = ISC_TRUE;
|
||||
maybe_free(xfr);
|
||||
} else {
|
||||
break;
|
||||
default:
|
||||
/*
|
||||
* Read the next message.
|
||||
*/
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: zone.c,v 1.2 2011/02/16 03:47:05 christos Exp $ */
|
||||
/* $NetBSD: zone.c,v 1.3 2011/05/29 15:17:10 spz Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
|
||||
|
|
@ -17,7 +17,7 @@
|
|||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* Id: zone.c,v 1.582.8.2 2011-02-07 00:14:30 marka Exp */
|
||||
/* Id: zone.c,v 1.582.8.7 2011-02-18 23:23:08 each Exp */
|
||||
|
||||
/*! \file */
|
||||
|
||||
|
|
@ -7918,7 +7918,8 @@ void
|
|||
dns_zone_markdirty(dns_zone_t *zone) {
|
||||
|
||||
LOCK_ZONE(zone);
|
||||
set_resigntime(zone); /* XXXMPA make separate call back */
|
||||
if (zone->type == dns_zone_master)
|
||||
set_resigntime(zone); /* XXXMPA make separate call back */
|
||||
zone_needdump(zone, DNS_DUMP_DELAY);
|
||||
UNLOCK_ZONE(zone);
|
||||
}
|
||||
|
|
@ -13605,7 +13606,8 @@ add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
|
|||
if (tuple->rdata.type != dns_rdatatype_dnskey)
|
||||
continue;
|
||||
|
||||
dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
|
||||
result = dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
|
||||
RUNTIME_CHECK(result == ISC_R_SUCCESS);
|
||||
if ((dnskey.flags &
|
||||
(DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
|
||||
!= DNS_KEYOWNER_ZONE)
|
||||
|
|
@ -13651,13 +13653,14 @@ add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
|
|||
|
||||
static isc_result_t
|
||||
sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
|
||||
dns_rdatatype_t type, dns_diff_t *diff)
|
||||
dns_diff_t *diff, dns_diff_t *sig_diff)
|
||||
{
|
||||
isc_result_t result;
|
||||
isc_stdtime_t now, inception, soaexpire;
|
||||
isc_boolean_t check_ksk, keyset_kskonly;
|
||||
dst_key_t *zone_keys[MAXZONEKEYS];
|
||||
unsigned int nkeys = 0, i;
|
||||
dns_difftuple_t *tuple;
|
||||
|
||||
result = find_zone_keys(zone, db, ver, zone->mctx, MAXZONEKEYS,
|
||||
zone_keys, &nkeys);
|
||||
|
|
@ -13675,22 +13678,52 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
|
|||
check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
|
||||
keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
|
||||
|
||||
result = del_sigs(zone, db, ver, &zone->origin, type, diff,
|
||||
zone_keys, nkeys, now);
|
||||
/*
|
||||
* See if update_sigs will update DNSKEY signature and if not
|
||||
* cause them to sign so that so that newly activated keys
|
||||
* are used.
|
||||
*/
|
||||
for (tuple = ISC_LIST_HEAD(diff->tuples);
|
||||
tuple != NULL;
|
||||
tuple = ISC_LIST_NEXT(tuple, link)) {
|
||||
if (tuple->rdata.type == dns_rdatatype_dnskey &&
|
||||
dns_name_equal(&tuple->name, &zone->origin))
|
||||
break;
|
||||
}
|
||||
|
||||
if (tuple == NULL) {
|
||||
result = del_sigs(zone, db, ver, &zone->origin,
|
||||
dns_rdatatype_dnskey, sig_diff,
|
||||
zone_keys, nkeys, now);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
dns_zone_log(zone, ISC_LOG_ERROR,
|
||||
"sign_apex:del_sigs -> %s\n",
|
||||
dns_result_totext(result));
|
||||
goto failure;
|
||||
}
|
||||
result = add_sigs(db, ver, &zone->origin, dns_rdatatype_dnskey,
|
||||
sig_diff, zone_keys, nkeys, zone->mctx,
|
||||
inception, soaexpire, check_ksk,
|
||||
keyset_kskonly);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
dns_zone_log(zone, ISC_LOG_ERROR,
|
||||
"sign_apex:add_sigs -> %s\n",
|
||||
dns_result_totext(result));
|
||||
goto failure;
|
||||
}
|
||||
}
|
||||
|
||||
result = update_sigs(diff, db, ver, zone_keys, nkeys, zone,
|
||||
inception, soaexpire, now, check_ksk,
|
||||
keyset_kskonly, sig_diff);
|
||||
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
dns_zone_log(zone, ISC_LOG_ERROR,
|
||||
"sign_apex:del_sigs -> %s\n",
|
||||
"sign_apex:update_sigs -> %s\n",
|
||||
dns_result_totext(result));
|
||||
goto failure;
|
||||
}
|
||||
|
||||
result = add_sigs(db, ver, &zone->origin, type, diff, zone_keys,
|
||||
nkeys, zone->mctx, inception, soaexpire,
|
||||
check_ksk, keyset_kskonly);
|
||||
|
||||
if (result != ISC_R_SUCCESS)
|
||||
dns_zone_log(zone, ISC_LOG_ERROR, "sign_apex:add_sigs -> %s\n",
|
||||
dns_result_totext(result));
|
||||
failure:
|
||||
for (i = 0; i < nkeys; i++)
|
||||
dst_key_free(&zone_keys[i]);
|
||||
|
|
@ -13806,6 +13839,26 @@ signed_with_alg(dns_rdataset_t *rdataset, dns_secalg_t alg) {
|
|||
return (ISC_FALSE);
|
||||
}
|
||||
|
||||
static isc_result_t
|
||||
add_chains(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
|
||||
dns_diff_t *diff)
|
||||
{
|
||||
dns_name_t *origin;
|
||||
isc_boolean_t build_nsec3;
|
||||
isc_result_t result;
|
||||
|
||||
origin = dns_db_origin(db);
|
||||
CHECK(dns_private_chains(db, ver, zone->privatetype, NULL,
|
||||
&build_nsec3));
|
||||
if (build_nsec3)
|
||||
CHECK(dns_nsec3_addnsec3sx(db, ver, origin, zone->minimum,
|
||||
ISC_FALSE, zone->privatetype, diff));
|
||||
CHECK(updatesecure(db, ver, origin, zone->minimum, ISC_TRUE, diff));
|
||||
|
||||
failure:
|
||||
return (result);
|
||||
}
|
||||
|
||||
static void
|
||||
zone_rekey(dns_zone_t *zone) {
|
||||
isc_result_t result;
|
||||
|
|
@ -13815,7 +13868,7 @@ zone_rekey(dns_zone_t *zone) {
|
|||
dns_rdataset_t soaset, soasigs, keyset, keysigs;
|
||||
dns_dnsseckeylist_t dnskeys, keys, rmkeys;
|
||||
dns_dnsseckey_t *key;
|
||||
dns_diff_t diff;
|
||||
dns_diff_t diff, sig_diff;
|
||||
isc_boolean_t commit = ISC_FALSE, newactive = ISC_FALSE;
|
||||
isc_boolean_t fullsign;
|
||||
dns_ttl_t ttl = 3600;
|
||||
|
|
@ -13838,6 +13891,7 @@ zone_rekey(dns_zone_t *zone) {
|
|||
dir = dns_zone_getkeydirectory(zone);
|
||||
mctx = zone->mctx;
|
||||
dns_diff_init(mctx, &diff);
|
||||
dns_diff_init(mctx, &sig_diff);
|
||||
|
||||
CHECK(dns_zone_getdb(zone, &db));
|
||||
CHECK(dns_db_newversion(db, &ver));
|
||||
|
|
@ -13906,14 +13960,12 @@ zone_rekey(dns_zone_t *zone) {
|
|||
dnskey_sane(zone, db, ver, &diff)) {
|
||||
CHECK(dns_diff_apply(&diff, db, ver));
|
||||
CHECK(clean_nsec3param(zone, db, ver, &diff));
|
||||
CHECK(sign_apex(zone, db, ver, dns_rdatatype_dnskey,
|
||||
&diff));
|
||||
CHECK(add_signing_records(db, zone->privatetype, ver,
|
||||
&diff));
|
||||
CHECK(increment_soa_serial(db, ver, &diff, mctx));
|
||||
CHECK(sign_apex(zone, db, ver, dns_rdatatype_soa,
|
||||
&diff));
|
||||
CHECK(zone_journal(zone, &diff, "zone_rekey"));
|
||||
CHECK(add_chains(zone, db, ver, &diff));
|
||||
CHECK(sign_apex(zone, db, ver, &diff, &sig_diff));
|
||||
CHECK(zone_journal(zone, &sig_diff, "zone_rekey"));
|
||||
commit = ISC_TRUE;
|
||||
}
|
||||
}
|
||||
|
|
@ -13938,7 +13990,7 @@ zone_rekey(dns_zone_t *zone) {
|
|||
* Has a new key become active? If so, is it for
|
||||
* a new algorithm?
|
||||
*/
|
||||
for (tuple = ISC_LIST_HEAD(diff.tuples);
|
||||
for (tuple = ISC_LIST_HEAD(sig_diff.tuples);
|
||||
tuple != NULL;
|
||||
tuple = ISC_LIST_NEXT(tuple, link)) {
|
||||
dns_rdata_dnskey_t dnskey;
|
||||
|
|
@ -14017,7 +14069,7 @@ zone_rekey(dns_zone_t *zone) {
|
|||
* the full zone, but only with the newly-added
|
||||
* keys.
|
||||
*/
|
||||
for (tuple = ISC_LIST_HEAD(diff.tuples);
|
||||
for (tuple = ISC_LIST_HEAD(sig_diff.tuples);
|
||||
tuple != NULL;
|
||||
tuple = ISC_LIST_NEXT(tuple, link)) {
|
||||
dns_rdata_dnskey_t dnskey;
|
||||
|
|
@ -14037,9 +14089,7 @@ zone_rekey(dns_zone_t *zone) {
|
|||
keyid = dst_region_computeid(&r, algorithm);
|
||||
|
||||
result = zone_signwithkey(zone, algorithm,
|
||||
keyid,
|
||||
ISC_TF(tuple->op ==
|
||||
DNS_DIFFOP_DEL));
|
||||
keyid, ISC_FALSE);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
dns_zone_log(zone, ISC_LOG_ERROR,
|
||||
"zone_signwithkey failed: %s",
|
||||
|
|
@ -14058,7 +14108,7 @@ zone_rekey(dns_zone_t *zone) {
|
|||
* Cause the zone to add/delete NSEC3 chains for the
|
||||
* deferred NSEC3PARAM changes.
|
||||
*/
|
||||
for (tuple = ISC_LIST_HEAD(diff.tuples);
|
||||
for (tuple = ISC_LIST_HEAD(sig_diff.tuples);
|
||||
tuple != NULL;
|
||||
tuple = ISC_LIST_NEXT(tuple, link)) {
|
||||
unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
|
||||
|
|
@ -14072,7 +14122,8 @@ zone_rekey(dns_zone_t *zone) {
|
|||
if (!dns_nsec3param_fromprivate(&tuple->rdata, &rdata,
|
||||
buf, sizeof(buf)))
|
||||
continue;
|
||||
dns_rdata_tostruct(&rdata, &nsec3param, NULL);
|
||||
result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
|
||||
RUNTIME_CHECK(result == ISC_R_SUCCESS);
|
||||
if (nsec3param.flags == 0)
|
||||
continue;
|
||||
|
||||
|
|
@ -14131,6 +14182,7 @@ zone_rekey(dns_zone_t *zone) {
|
|||
|
||||
failure:
|
||||
dns_diff_clear(&diff);
|
||||
dns_diff_clear(&sig_diff);
|
||||
|
||||
clear_keylist(&dnskeys, mctx);
|
||||
clear_keylist(&keys, mctx);
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: socket.c,v 1.5 2011/02/16 03:47:15 christos Exp $ */
|
||||
/* $NetBSD: socket.c,v 1.6 2011/05/29 15:17:10 spz Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
|
||||
|
|
@ -17,7 +17,7 @@
|
|||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* Id: socket.c,v 1.333.14.1 2011-02-03 05:50:07 marka Exp */
|
||||
/* Id: socket.c,v 1.333.14.2 2011-02-18 04:01:16 marka Exp */
|
||||
|
||||
/*! \file */
|
||||
|
||||
|
|
@ -688,6 +688,8 @@ static const isc_statscounter_t fdwatchstatsindex[] = {
|
|||
isc_sockstatscounter_fdwatchrecvfail
|
||||
};
|
||||
|
||||
#if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL) || \
|
||||
defined(USE_WATCHER_THREAD)
|
||||
static void
|
||||
manager_log(isc__socketmgr_t *sockmgr,
|
||||
isc_logcategory_t *category, isc_logmodule_t *module, int level,
|
||||
|
|
@ -710,6 +712,7 @@ manager_log(isc__socketmgr_t *sockmgr,
|
|||
isc_log_write(isc_lctx, category, module, level,
|
||||
"sockmgr %p: %s", sockmgr, msgbuf);
|
||||
}
|
||||
#endif
|
||||
|
||||
static void
|
||||
socket_log(isc__socket_t *sock, isc_sockaddr_t *address,
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# $NetBSD: shlib_version,v 1.6 2011/02/16 03:47:21 christos Exp $
|
||||
# $NetBSD: shlib_version,v 1.7 2011/05/29 15:17:10 spz Exp $
|
||||
# Remember to update distrib/sets/lists/base/shl.* when changing
|
||||
#
|
||||
major=5
|
||||
minor=3
|
||||
minor=4
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# $NetBSD: shlib_version,v 1.6 2011/02/16 03:47:21 christos Exp $
|
||||
# $NetBSD: shlib_version,v 1.7 2011/05/29 15:17:10 spz Exp $
|
||||
# Remember to update distrib/sets/lists/base/shl.* when changing
|
||||
#
|
||||
major=5
|
||||
minor=3
|
||||
minor=4
|
||||
|
|
|
|||
Loading…
Reference in New Issue