1999-12-16 23:11:07 +00:00
|
|
|
/*
|
2016-05-26 12:36:17 -07:00
|
|
|
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
1999-12-16 23:11:07 +00:00
|
|
|
*
|
|
|
|
|
* SPDX-License-Identifier: MPL-2.0
|
2021-06-03 08:37:05 +02:00
|
|
|
*
|
1999-12-16 23:11:07 +00:00
|
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
|
|
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
2018-02-23 09:53:12 +01:00
|
|
|
*
|
1999-12-16 23:11:07 +00:00
|
|
|
* See the COPYRIGHT file distributed with this work for additional
|
|
|
|
|
* information regarding copyright ownership.
|
|
|
|
|
*/
|
|
|
|
|
|
2018-03-28 14:56:40 +02:00
|
|
|
#include <inttypes.h>
|
2018-04-17 08:29:14 -07:00
|
|
|
#include <stdbool.h>
|
2018-03-28 14:56:40 +02:00
|
|
|
|
2001-03-04 21:21:39 +00:00
|
|
|
#include <isc/buffer.h>
|
2002-01-21 11:00:25 +00:00
|
|
|
#include <isc/file.h>
|
2000-08-10 00:53:36 +00:00
|
|
|
#include <isc/mem.h>
|
2021-10-04 17:14:53 +02:00
|
|
|
#include <isc/result.h>
|
2009-01-27 22:30:00 +00:00
|
|
|
#include <isc/stats.h>
|
2022-04-11 15:53:34 +01:00
|
|
|
#include <isc/string.h>
|
2000-04-28 01:12:23 +00:00
|
|
|
#include <isc/util.h>
|
1999-12-16 23:11:07 +00:00
|
|
|
|
2000-05-08 14:38:29 +00:00
|
|
|
#include <dns/acl.h>
|
2010-12-16 09:51:30 +00:00
|
|
|
#include <dns/db.h>
|
2001-03-04 21:21:39 +00:00
|
|
|
#include <dns/fixedname.h>
|
2016-05-26 21:23:19 +02:00
|
|
|
#include <dns/ipkeylist.h>
|
2017-05-02 13:23:08 -07:00
|
|
|
#include <dns/journal.h>
|
2019-09-03 11:42:10 +02:00
|
|
|
#include <dns/kasp.h>
|
2000-12-01 18:22:17 +00:00
|
|
|
#include <dns/log.h>
|
2014-04-17 17:10:29 -07:00
|
|
|
#include <dns/masterdump.h>
|
2001-03-04 21:21:39 +00:00
|
|
|
#include <dns/name.h>
|
2020-10-23 15:02:19 +02:00
|
|
|
#include <dns/nsec3.h>
|
2010-12-16 09:51:30 +00:00
|
|
|
#include <dns/rdata.h>
|
|
|
|
|
#include <dns/rdatalist.h>
|
|
|
|
|
#include <dns/rdataset.h>
|
2001-03-04 21:21:39 +00:00
|
|
|
#include <dns/rdatatype.h>
|
2010-12-18 01:56:23 +00:00
|
|
|
#include <dns/sdlz.h>
|
2000-08-29 03:48:00 +00:00
|
|
|
#include <dns/ssu.h>
|
2008-04-03 05:55:52 +00:00
|
|
|
#include <dns/stats.h>
|
2017-09-08 13:39:09 -07:00
|
|
|
#include <dns/tsig.h>
|
2003-02-26 23:29:00 +00:00
|
|
|
#include <dns/view.h>
|
1999-12-16 23:11:07 +00:00
|
|
|
#include <dns/zone.h>
|
2000-11-27 19:42:38 +00:00
|
|
|
|
2017-09-08 13:39:09 -07:00
|
|
|
#include <ns/client.h>
|
|
|
|
|
|
2001-03-04 21:21:39 +00:00
|
|
|
#include <named/config.h>
|
2000-12-01 18:22:17 +00:00
|
|
|
#include <named/globals.h>
|
|
|
|
|
#include <named/log.h>
|
2004-01-05 06:56:44 +00:00
|
|
|
#include <named/server.h>
|
2000-11-27 19:42:38 +00:00
|
|
|
#include <named/zoneconf.h>
|
1999-12-16 23:11:07 +00:00
|
|
|
|
2008-05-21 23:17:21 +00:00
|
|
|
/* ACLs associated with zone */
|
|
|
|
|
typedef enum {
|
|
|
|
|
allow_notify,
|
|
|
|
|
allow_query,
|
2013-01-03 15:13:45 -08:00
|
|
|
allow_query_on,
|
2008-05-21 23:17:21 +00:00
|
|
|
allow_transfer,
|
|
|
|
|
allow_update,
|
|
|
|
|
allow_update_forwarding
|
|
|
|
|
} acl_type_t;
|
|
|
|
|
|
2000-05-25 19:27:48 +00:00
|
|
|
#define RETERR(x) \
|
|
|
|
|
do { \
|
|
|
|
|
isc_result_t _r = (x); \
|
|
|
|
|
if (_r != ISC_R_SUCCESS) \
|
|
|
|
|
return ((_r)); \
|
|
|
|
|
} while (0)
|
|
|
|
|
|
2009-06-10 00:27:22 +00:00
|
|
|
#define CHECK(x) \
|
|
|
|
|
do { \
|
|
|
|
|
result = (x); \
|
|
|
|
|
if (result != ISC_R_SUCCESS) \
|
|
|
|
|
goto cleanup; \
|
|
|
|
|
} while (0)
|
|
|
|
|
|
2005-04-27 04:57:32 +00:00
|
|
|
/*%
|
1999-12-16 23:11:07 +00:00
|
|
|
* Convenience function for configuring a single zone ACL.
|
|
|
|
|
*/
|
|
|
|
|
static isc_result_t
|
2006-02-28 02:39:52 +00:00
|
|
|
configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
|
2008-05-21 23:17:21 +00:00
|
|
|
const cfg_obj_t *config, acl_type_t acltype,
|
2008-01-18 23:46:58 +00:00
|
|
|
cfg_aclconfctx_t *actx, dns_zone_t *zone,
|
1999-12-16 23:11:07 +00:00
|
|
|
void (*setzacl)(dns_zone_t *, dns_acl_t *),
|
|
|
|
|
void (*clearzacl)(dns_zone_t *)) {
|
|
|
|
|
isc_result_t result;
|
2008-05-21 23:17:21 +00:00
|
|
|
const cfg_obj_t *maps[5] = { NULL, NULL, NULL, NULL, NULL };
|
2006-02-28 02:39:52 +00:00
|
|
|
const cfg_obj_t *aclobj = NULL;
|
2001-03-04 21:21:39 +00:00
|
|
|
int i = 0;
|
2008-05-21 23:17:21 +00:00
|
|
|
dns_acl_t **aclp = NULL, *acl = NULL;
|
|
|
|
|
const char *aclname;
|
2008-05-21 23:47:01 +00:00
|
|
|
dns_view_t *view;
|
2008-05-21 23:17:21 +00:00
|
|
|
|
2008-05-21 23:47:01 +00:00
|
|
|
view = dns_zone_getview(zone);
|
2008-05-21 23:17:21 +00:00
|
|
|
|
|
|
|
|
switch (acltype) {
|
|
|
|
|
case allow_notify:
|
2008-05-21 23:47:01 +00:00
|
|
|
if (view != NULL) {
|
|
|
|
|
aclp = &view->notifyacl;
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2008-05-21 23:17:21 +00:00
|
|
|
aclname = "allow-notify";
|
|
|
|
|
break;
|
|
|
|
|
case allow_query:
|
2008-05-21 23:47:01 +00:00
|
|
|
if (view != NULL) {
|
|
|
|
|
aclp = &view->queryacl;
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2008-05-21 23:17:21 +00:00
|
|
|
aclname = "allow-query";
|
|
|
|
|
break;
|
2013-01-03 15:13:45 -08:00
|
|
|
case allow_query_on:
|
|
|
|
|
if (view != NULL) {
|
|
|
|
|
aclp = &view->queryonacl;
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2013-01-03 15:13:45 -08:00
|
|
|
aclname = "allow-query-on";
|
|
|
|
|
break;
|
2008-05-21 23:17:21 +00:00
|
|
|
case allow_transfer:
|
2008-05-21 23:47:01 +00:00
|
|
|
if (view != NULL) {
|
|
|
|
|
aclp = &view->transferacl;
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2008-05-21 23:17:21 +00:00
|
|
|
aclname = "allow-transfer";
|
|
|
|
|
break;
|
|
|
|
|
case allow_update:
|
2008-05-21 23:47:01 +00:00
|
|
|
if (view != NULL) {
|
|
|
|
|
aclp = &view->updateacl;
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2008-05-21 23:17:21 +00:00
|
|
|
aclname = "allow-update";
|
|
|
|
|
break;
|
|
|
|
|
case allow_update_forwarding:
|
2008-05-21 23:47:01 +00:00
|
|
|
if (view != NULL) {
|
|
|
|
|
aclp = &view->upfwdacl;
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2008-05-21 23:17:21 +00:00
|
|
|
aclname = "allow-update-forwarding";
|
|
|
|
|
break;
|
2008-05-21 23:47:01 +00:00
|
|
|
default:
|
2021-10-11 12:50:17 +02:00
|
|
|
UNREACHABLE();
|
2008-05-21 23:17:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* First check to see if ACL is defined within the zone */
|
|
|
|
|
if (zconfig != NULL) {
|
|
|
|
|
maps[0] = cfg_tuple_get(zconfig, "options");
|
2017-09-08 13:39:09 -07:00
|
|
|
(void)named_config_get(maps, aclname, &aclobj);
|
2008-05-21 23:17:21 +00:00
|
|
|
if (aclobj != NULL) {
|
|
|
|
|
aclp = NULL;
|
|
|
|
|
goto parse_acl;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Failing that, see if there's a default ACL already in the view */
|
|
|
|
|
if (aclp != NULL && *aclp != NULL) {
|
|
|
|
|
(*setzacl)(zone, *aclp);
|
|
|
|
|
return (ISC_R_SUCCESS);
|
|
|
|
|
}
|
2001-03-04 21:21:39 +00:00
|
|
|
|
2008-05-21 23:17:21 +00:00
|
|
|
/* Check for default ACLs that haven't been parsed yet */
|
2010-08-11 18:14:20 +00:00
|
|
|
if (vconfig != NULL) {
|
|
|
|
|
const cfg_obj_t *options = cfg_tuple_get(vconfig, "options");
|
|
|
|
|
if (options != NULL) {
|
|
|
|
|
maps[i++] = options;
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2010-08-11 18:14:20 +00:00
|
|
|
}
|
2001-03-04 21:21:39 +00:00
|
|
|
if (config != NULL) {
|
2006-02-28 02:39:52 +00:00
|
|
|
const cfg_obj_t *options = NULL;
|
2001-03-04 21:21:39 +00:00
|
|
|
(void)cfg_map_get(config, "options", &options);
|
|
|
|
|
if (options != NULL) {
|
|
|
|
|
maps[i++] = options;
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2000-02-22 21:24:24 +00:00
|
|
|
}
|
2017-09-08 13:39:09 -07:00
|
|
|
maps[i++] = named_g_defaults;
|
2001-03-04 21:21:39 +00:00
|
|
|
maps[i] = NULL;
|
|
|
|
|
|
2017-09-08 13:39:09 -07:00
|
|
|
(void)named_config_get(maps, aclname, &aclobj);
|
2001-03-04 21:21:39 +00:00
|
|
|
if (aclobj == NULL) {
|
1999-12-16 23:11:07 +00:00
|
|
|
(*clearzacl)(zone);
|
|
|
|
|
return (ISC_R_SUCCESS);
|
|
|
|
|
}
|
2001-03-04 21:21:39 +00:00
|
|
|
|
2008-05-21 23:17:21 +00:00
|
|
|
parse_acl:
|
2017-09-08 13:39:09 -07:00
|
|
|
result = cfg_acl_fromconfig(aclobj, config, named_g_lctx, actx,
|
2021-01-25 16:14:02 +11:00
|
|
|
named_g_mctx, 0, &acl);
|
2001-03-04 21:21:39 +00:00
|
|
|
if (result != ISC_R_SUCCESS) {
|
|
|
|
|
return (result);
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2008-05-21 23:17:21 +00:00
|
|
|
(*setzacl)(zone, acl);
|
|
|
|
|
|
2008-05-21 23:47:01 +00:00
|
|
|
/* Set the view default now */
|
2008-05-21 23:17:21 +00:00
|
|
|
if (aclp != NULL) {
|
|
|
|
|
dns_acl_attach(acl, aclp);
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2008-05-21 23:17:21 +00:00
|
|
|
|
|
|
|
|
dns_acl_detach(&acl);
|
2001-03-04 21:21:39 +00:00
|
|
|
return (ISC_R_SUCCESS);
|
1999-12-16 23:11:07 +00:00
|
|
|
}
|
|
|
|
|
|
2005-04-27 04:57:32 +00:00
|
|
|
/*%
|
2001-03-04 21:21:39 +00:00
|
|
|
* Parse the zone update-policy statement.
|
2000-05-25 19:27:48 +00:00
|
|
|
*/
|
2001-03-04 21:21:39 +00:00
|
|
|
static isc_result_t
|
2009-06-10 00:27:22 +00:00
|
|
|
configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
|
2009-10-12 20:48:12 +00:00
|
|
|
const char *zname) {
|
2006-02-28 02:39:52 +00:00
|
|
|
const cfg_obj_t *updatepolicy = NULL;
|
|
|
|
|
const cfg_listelt_t *element, *element2;
|
2001-03-04 21:21:39 +00:00
|
|
|
dns_ssutable_t *table = NULL;
|
|
|
|
|
isc_mem_t *mctx = dns_zone_getmctx(zone);
|
2018-04-17 08:29:14 -07:00
|
|
|
bool autoddns = false;
|
2021-10-06 13:18:16 +02:00
|
|
|
isc_result_t result = ISC_R_SUCCESS;
|
2001-03-04 21:21:39 +00:00
|
|
|
|
|
|
|
|
(void)cfg_map_get(zconfig, "update-policy", &updatepolicy);
|
2009-06-10 00:27:22 +00:00
|
|
|
|
2009-07-14 22:54:57 +00:00
|
|
|
if (updatepolicy == NULL) {
|
2006-01-05 03:32:50 +00:00
|
|
|
dns_zone_setssutable(zone, NULL);
|
2001-03-04 21:21:39 +00:00
|
|
|
return (ISC_R_SUCCESS);
|
2006-01-05 03:32:50 +00:00
|
|
|
}
|
2001-03-04 21:21:39 +00:00
|
|
|
|
2009-07-14 23:47:54 +00:00
|
|
|
if (cfg_obj_isstring(updatepolicy) &&
|
|
|
|
|
strcmp("local", cfg_obj_asstring(updatepolicy)) == 0)
|
|
|
|
|
{
|
2018-04-17 08:29:14 -07:00
|
|
|
autoddns = true;
|
2009-07-14 23:47:54 +00:00
|
|
|
updatepolicy = NULL;
|
|
|
|
|
}
|
2009-07-14 22:54:57 +00:00
|
|
|
|
2021-10-06 13:18:16 +02:00
|
|
|
dns_ssutable_create(mctx, &table);
|
2001-03-04 21:21:39 +00:00
|
|
|
|
|
|
|
|
for (element = cfg_list_first(updatepolicy); element != NULL;
|
|
|
|
|
element = cfg_list_next(element))
|
|
|
|
|
{
|
2006-02-28 02:39:52 +00:00
|
|
|
const cfg_obj_t *stmt = cfg_listelt_value(element);
|
|
|
|
|
const cfg_obj_t *mode = cfg_tuple_get(stmt, "mode");
|
|
|
|
|
const cfg_obj_t *identity = cfg_tuple_get(stmt, "identity");
|
|
|
|
|
const cfg_obj_t *matchtype = cfg_tuple_get(stmt, "matchtype");
|
|
|
|
|
const cfg_obj_t *dname = cfg_tuple_get(stmt, "name");
|
|
|
|
|
const cfg_obj_t *typelist = cfg_tuple_get(stmt, "types");
|
2005-08-23 02:36:11 +00:00
|
|
|
const char *str;
|
2018-04-17 08:29:14 -07:00
|
|
|
bool grant = false;
|
|
|
|
|
bool usezone = false;
|
2018-09-20 15:50:07 +10:00
|
|
|
dns_ssumatchtype_t mtype = dns_ssumatchtype_name;
|
2001-03-04 21:21:39 +00:00
|
|
|
dns_fixedname_t fname, fident;
|
|
|
|
|
isc_buffer_t b;
|
2019-07-03 16:42:15 +10:00
|
|
|
dns_ssuruletype_t *types;
|
2001-03-04 21:21:39 +00:00
|
|
|
unsigned int i, n;
|
|
|
|
|
|
|
|
|
|
str = cfg_obj_asstring(mode);
|
2018-11-07 15:00:07 +07:00
|
|
|
if (strcasecmp(str, "grant") == 0) {
|
2018-04-17 08:29:14 -07:00
|
|
|
grant = true;
|
2018-11-07 15:00:07 +07:00
|
|
|
} else if (strcasecmp(str, "deny") == 0) {
|
2018-04-17 08:29:14 -07:00
|
|
|
grant = false;
|
2018-11-07 15:00:07 +07:00
|
|
|
} else {
|
2021-10-11 12:50:17 +02:00
|
|
|
UNREACHABLE();
|
2018-11-07 15:00:07 +07:00
|
|
|
}
|
2001-03-04 21:21:39 +00:00
|
|
|
|
|
|
|
|
str = cfg_obj_asstring(matchtype);
|
2018-02-07 13:34:02 +11:00
|
|
|
CHECK(dns_ssu_mtypefromstring(str, &mtype));
|
2020-07-29 23:36:03 +10:00
|
|
|
if (mtype == dns_ssumatchtype_subdomain &&
|
2022-11-02 19:33:14 +01:00
|
|
|
strcasecmp(str, "zonesub") == 0)
|
|
|
|
|
{
|
2018-04-17 08:29:14 -07:00
|
|
|
usezone = true;
|
2018-02-07 13:34:02 +11:00
|
|
|
}
|
2001-03-04 21:21:39 +00:00
|
|
|
|
|
|
|
|
dns_fixedname_init(&fident);
|
|
|
|
|
str = cfg_obj_asstring(identity);
|
2012-12-08 12:48:57 +11:00
|
|
|
isc_buffer_constinit(&b, str, strlen(str));
|
2001-03-04 21:21:39 +00:00
|
|
|
isc_buffer_add(&b, strlen(str));
|
|
|
|
|
result = dns_name_fromtext(dns_fixedname_name(&fident), &b,
|
2009-09-01 00:22:28 +00:00
|
|
|
dns_rootname, 0, NULL);
|
2001-03-04 21:21:39 +00:00
|
|
|
if (result != ISC_R_SUCCESS) {
|
2017-09-08 13:39:09 -07:00
|
|
|
cfg_obj_log(identity, named_g_lctx, ISC_LOG_ERROR,
|
2001-03-04 21:21:39 +00:00
|
|
|
"'%s' is not a valid name", str);
|
|
|
|
|
goto cleanup;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
dns_fixedname_init(&fname);
|
2009-06-10 00:27:22 +00:00
|
|
|
if (usezone) {
|
2021-05-21 17:20:44 -07:00
|
|
|
dns_name_copy(dns_zone_getorigin(zone),
|
|
|
|
|
dns_fixedname_name(&fname));
|
2009-06-10 00:27:22 +00:00
|
|
|
} else {
|
|
|
|
|
str = cfg_obj_asstring(dname);
|
2012-12-08 12:48:57 +11:00
|
|
|
isc_buffer_constinit(&b, str, strlen(str));
|
2009-06-10 00:27:22 +00:00
|
|
|
isc_buffer_add(&b, strlen(str));
|
|
|
|
|
result = dns_name_fromtext(dns_fixedname_name(&fname),
|
2009-09-01 00:22:28 +00:00
|
|
|
&b, dns_rootname, 0, NULL);
|
2009-06-10 00:27:22 +00:00
|
|
|
if (result != ISC_R_SUCCESS) {
|
2017-09-08 13:39:09 -07:00
|
|
|
cfg_obj_log(identity, named_g_lctx,
|
|
|
|
|
ISC_LOG_ERROR,
|
2009-06-10 00:27:22 +00:00
|
|
|
"'%s' is not a valid name", str);
|
|
|
|
|
goto cleanup;
|
|
|
|
|
}
|
2001-03-04 21:21:39 +00:00
|
|
|
}
|
|
|
|
|
|
2017-09-08 13:39:09 -07:00
|
|
|
n = named_config_listcount(typelist);
|
2001-03-04 21:21:39 +00:00
|
|
|
if (n == 0) {
|
|
|
|
|
types = NULL;
|
|
|
|
|
} else {
|
2019-07-03 16:42:15 +10:00
|
|
|
types = isc_mem_get(mctx, n * sizeof(*types));
|
2001-03-04 21:21:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
i = 0;
|
|
|
|
|
for (element2 = cfg_list_first(typelist); element2 != NULL;
|
|
|
|
|
element2 = cfg_list_next(element2))
|
|
|
|
|
{
|
2006-02-28 02:39:52 +00:00
|
|
|
const cfg_obj_t *typeobj;
|
2019-07-03 16:42:15 +10:00
|
|
|
const char *bracket;
|
2001-03-04 21:21:39 +00:00
|
|
|
isc_textregion_t r;
|
2019-07-03 16:42:15 +10:00
|
|
|
unsigned long max = 0;
|
2001-03-04 21:21:39 +00:00
|
|
|
|
|
|
|
|
INSIST(i < n);
|
|
|
|
|
|
|
|
|
|
typeobj = cfg_listelt_value(element2);
|
|
|
|
|
str = cfg_obj_asstring(typeobj);
|
2023-03-30 22:34:12 +02:00
|
|
|
r.base = UNCONST(str);
|
2001-03-04 21:21:39 +00:00
|
|
|
|
2019-07-03 16:42:15 +10:00
|
|
|
bracket = strchr(str, '(' /*)*/);
|
|
|
|
|
if (bracket != NULL) {
|
|
|
|
|
char *end = NULL;
|
|
|
|
|
r.length = bracket - str;
|
|
|
|
|
max = strtoul(bracket + 1, &end, 10);
|
|
|
|
|
if (max > 0xffff || end[0] != /*(*/ ')' ||
|
2022-11-02 19:33:14 +01:00
|
|
|
end[1] != 0)
|
|
|
|
|
{
|
2019-07-03 16:42:15 +10:00
|
|
|
cfg_obj_log(identity, named_g_lctx,
|
|
|
|
|
ISC_LOG_ERROR,
|
|
|
|
|
"'%s' is not a valid count",
|
|
|
|
|
bracket);
|
|
|
|
|
isc_mem_put(mctx, types,
|
|
|
|
|
n * sizeof(*types));
|
|
|
|
|
goto cleanup;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
r.length = strlen(str);
|
|
|
|
|
}
|
|
|
|
|
types[i].max = max;
|
|
|
|
|
|
|
|
|
|
result = dns_rdatatype_fromtext(&types[i++].type, &r);
|
2001-03-04 21:21:39 +00:00
|
|
|
if (result != ISC_R_SUCCESS) {
|
2017-09-08 13:39:09 -07:00
|
|
|
cfg_obj_log(identity, named_g_lctx,
|
|
|
|
|
ISC_LOG_ERROR,
|
2019-07-03 16:42:15 +10:00
|
|
|
"'%.*s' is not a valid type",
|
|
|
|
|
(int)r.length, str);
|
2020-07-02 16:12:55 +10:00
|
|
|
isc_mem_put(mctx, types, n * sizeof(*types));
|
2001-03-04 21:21:39 +00:00
|
|
|
goto cleanup;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
INSIST(i == n);
|
|
|
|
|
|
2021-10-06 13:18:16 +02:00
|
|
|
dns_ssutable_addrule(table, grant, dns_fixedname_name(&fident),
|
|
|
|
|
mtype, dns_fixedname_name(&fname), n,
|
|
|
|
|
types);
|
2001-03-04 21:21:39 +00:00
|
|
|
if (types != NULL) {
|
2019-07-03 16:42:15 +10:00
|
|
|
isc_mem_put(mctx, types, n * sizeof(*types));
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2009-06-10 00:27:22 +00:00
|
|
|
}
|
2001-03-04 21:21:39 +00:00
|
|
|
|
2009-06-10 00:27:22 +00:00
|
|
|
/*
|
2009-07-14 22:54:57 +00:00
|
|
|
* If "update-policy local;" and a session key exists,
|
|
|
|
|
* then use the default policy, which is equivalent to:
|
|
|
|
|
* update-policy { grant <session-keyname> zonesub any; };
|
2009-06-10 00:27:22 +00:00
|
|
|
*/
|
|
|
|
|
if (autoddns) {
|
2019-07-03 16:42:15 +10:00
|
|
|
dns_ssuruletype_t any = { dns_rdatatype_any, 0 };
|
2009-06-10 00:27:22 +00:00
|
|
|
|
2017-09-08 13:39:09 -07:00
|
|
|
if (named_g_server->session_keyname == NULL) {
|
|
|
|
|
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
|
|
|
|
|
NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
|
2009-06-10 00:27:22 +00:00
|
|
|
"failed to enable auto DDNS policy "
|
|
|
|
|
"for zone %s: session key not found",
|
|
|
|
|
zname);
|
|
|
|
|
result = ISC_R_NOTFOUND;
|
|
|
|
|
goto cleanup;
|
|
|
|
|
}
|
|
|
|
|
|
2021-10-06 13:18:16 +02:00
|
|
|
dns_ssutable_addrule(table, true,
|
|
|
|
|
named_g_server->session_keyname,
|
|
|
|
|
dns_ssumatchtype_local,
|
|
|
|
|
dns_zone_getorigin(zone), 1, &any);
|
2000-01-21 19:22:35 +00:00
|
|
|
}
|
2001-03-04 21:21:39 +00:00
|
|
|
|
|
|
|
|
dns_zone_setssutable(zone, table);
|
|
|
|
|
|
|
|
|
|
cleanup:
|
|
|
|
|
dns_ssutable_detach(&table);
|
|
|
|
|
return (result);
|
|
|
|
|
}
|
|
|
|
|
|
2010-12-16 09:51:30 +00:00
|
|
|
/*
|
|
|
|
|
* This is the TTL used for internally generated RRsets for static-stub zones.
|
|
|
|
|
* The value doesn't matter because the mapping is static, but needs to be
|
|
|
|
|
* defined for the sake of implementation.
|
|
|
|
|
*/
|
|
|
|
|
#define STATICSTUB_SERVER_TTL 86400
|
|
|
|
|
|
|
|
|
|
/*%
|
|
|
|
|
* Configure an apex NS with glues for a static-stub zone.
|
|
|
|
|
* For example, for the zone named "example.com", the following RRs will be
|
|
|
|
|
* added to the zone DB:
|
|
|
|
|
* example.com. NS example.com.
|
|
|
|
|
* example.com. A 192.0.2.1
|
|
|
|
|
* example.com. AAAA 2001:db8::1
|
|
|
|
|
*/
|
|
|
|
|
static isc_result_t
|
|
|
|
|
configure_staticstub_serveraddrs(const cfg_obj_t *zconfig, dns_zone_t *zone,
|
|
|
|
|
dns_rdatalist_t *rdatalist_ns,
|
|
|
|
|
dns_rdatalist_t *rdatalist_a,
|
|
|
|
|
dns_rdatalist_t *rdatalist_aaaa) {
|
|
|
|
|
const cfg_listelt_t *element;
|
|
|
|
|
isc_mem_t *mctx = dns_zone_getmctx(zone);
|
|
|
|
|
isc_region_t region, sregion;
|
|
|
|
|
dns_rdata_t *rdata;
|
|
|
|
|
isc_result_t result = ISC_R_SUCCESS;
|
2020-02-12 13:59:18 +01:00
|
|
|
|
2010-12-16 09:51:30 +00:00
|
|
|
for (element = cfg_list_first(zconfig); element != NULL;
|
|
|
|
|
element = cfg_list_next(element))
|
|
|
|
|
{
|
|
|
|
|
const isc_sockaddr_t *sa;
|
|
|
|
|
isc_netaddr_t na;
|
|
|
|
|
const cfg_obj_t *address = cfg_listelt_value(element);
|
|
|
|
|
dns_rdatalist_t *rdatalist;
|
|
|
|
|
|
|
|
|
|
sa = cfg_obj_assockaddr(address);
|
|
|
|
|
if (isc_sockaddr_getport(sa) != 0) {
|
2017-09-08 13:39:09 -07:00
|
|
|
cfg_obj_log(zconfig, named_g_lctx, ISC_LOG_ERROR,
|
2010-12-16 09:51:30 +00:00
|
|
|
"port is not configurable for "
|
|
|
|
|
"static stub server-addresses");
|
|
|
|
|
return (ISC_R_FAILURE);
|
|
|
|
|
}
|
|
|
|
|
isc_netaddr_fromsockaddr(&na, sa);
|
|
|
|
|
if (isc_netaddr_getzone(&na) != 0) {
|
2017-09-08 13:39:09 -07:00
|
|
|
cfg_obj_log(zconfig, named_g_lctx, ISC_LOG_ERROR,
|
2010-12-16 09:51:30 +00:00
|
|
|
"scoped address is not allowed "
|
|
|
|
|
"for static stub "
|
|
|
|
|
"server-addresses");
|
|
|
|
|
return (ISC_R_FAILURE);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
switch (na.family) {
|
|
|
|
|
case AF_INET:
|
|
|
|
|
region.length = sizeof(na.type.in);
|
|
|
|
|
rdatalist = rdatalist_a;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
INSIST(na.family == AF_INET6);
|
|
|
|
|
region.length = sizeof(na.type.in6);
|
|
|
|
|
rdatalist = rdatalist_aaaa;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rdata = isc_mem_get(mctx, sizeof(*rdata) + region.length);
|
|
|
|
|
region.base = (unsigned char *)(rdata + 1);
|
2014-01-08 16:27:10 -08:00
|
|
|
memmove(region.base, &na.type, region.length);
|
2010-12-16 09:51:30 +00:00
|
|
|
dns_rdata_init(rdata);
|
|
|
|
|
dns_rdata_fromregion(rdata, dns_zone_getclass(zone),
|
|
|
|
|
rdatalist->type, ®ion);
|
|
|
|
|
ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If no address is specified (unlikely in this context, but possible),
|
|
|
|
|
* there's nothing to do anymore.
|
|
|
|
|
*/
|
|
|
|
|
if (ISC_LIST_EMPTY(rdatalist_a->rdata) &&
|
2022-11-02 19:33:14 +01:00
|
|
|
ISC_LIST_EMPTY(rdatalist_aaaa->rdata))
|
|
|
|
|
{
|
2010-12-16 09:51:30 +00:00
|
|
|
return (ISC_R_SUCCESS);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Add to the list an apex NS with the ns name being the origin name */
|
|
|
|
|
dns_name_toregion(dns_zone_getorigin(zone), &sregion);
|
|
|
|
|
rdata = isc_mem_get(mctx, sizeof(*rdata) + sregion.length);
|
|
|
|
|
region.length = sregion.length;
|
|
|
|
|
region.base = (unsigned char *)(rdata + 1);
|
2014-01-08 16:27:10 -08:00
|
|
|
memmove(region.base, sregion.base, region.length);
|
2010-12-16 09:51:30 +00:00
|
|
|
dns_rdata_init(rdata);
|
|
|
|
|
dns_rdata_fromregion(rdata, dns_zone_getclass(zone), dns_rdatatype_ns,
|
|
|
|
|
®ion);
|
|
|
|
|
ISC_LIST_APPEND(rdatalist_ns->rdata, rdata, link);
|
|
|
|
|
|
|
|
|
|
return (result);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*%
|
|
|
|
|
* Configure an apex NS with an out-of-zone NS names for a static-stub zone.
|
|
|
|
|
* For example, for the zone named "example.com", something like the following
|
|
|
|
|
* RRs will be added to the zone DB:
|
|
|
|
|
* example.com. NS ns.example.net.
|
|
|
|
|
*/
|
|
|
|
|
static isc_result_t
|
|
|
|
|
configure_staticstub_servernames(const cfg_obj_t *zconfig, dns_zone_t *zone,
|
|
|
|
|
dns_rdatalist_t *rdatalist,
|
|
|
|
|
const char *zname) {
|
|
|
|
|
const cfg_listelt_t *element;
|
|
|
|
|
isc_mem_t *mctx = dns_zone_getmctx(zone);
|
|
|
|
|
dns_rdata_t *rdata;
|
|
|
|
|
isc_region_t sregion, region;
|
|
|
|
|
isc_result_t result = ISC_R_SUCCESS;
|
2020-02-12 13:59:18 +01:00
|
|
|
|
2010-12-16 09:51:30 +00:00
|
|
|
for (element = cfg_list_first(zconfig); element != NULL;
|
|
|
|
|
element = cfg_list_next(element))
|
|
|
|
|
{
|
|
|
|
|
const cfg_obj_t *obj;
|
|
|
|
|
const char *str;
|
|
|
|
|
dns_fixedname_t fixed_name;
|
|
|
|
|
dns_name_t *nsname;
|
|
|
|
|
isc_buffer_t b;
|
|
|
|
|
|
|
|
|
|
obj = cfg_listelt_value(element);
|
|
|
|
|
str = cfg_obj_asstring(obj);
|
|
|
|
|
|
2018-03-28 14:38:09 +02:00
|
|
|
nsname = dns_fixedname_initname(&fixed_name);
|
2010-12-16 09:51:30 +00:00
|
|
|
|
2012-12-08 12:48:57 +11:00
|
|
|
isc_buffer_constinit(&b, str, strlen(str));
|
2010-12-16 09:51:30 +00:00
|
|
|
isc_buffer_add(&b, strlen(str));
|
|
|
|
|
result = dns_name_fromtext(nsname, &b, dns_rootname, 0, NULL);
|
|
|
|
|
if (result != ISC_R_SUCCESS) {
|
2017-09-08 13:39:09 -07:00
|
|
|
cfg_obj_log(zconfig, named_g_lctx, ISC_LOG_ERROR,
|
2010-12-16 09:51:30 +00:00
|
|
|
"server-name '%s' is not a valid "
|
|
|
|
|
"name",
|
|
|
|
|
str);
|
|
|
|
|
return (result);
|
|
|
|
|
}
|
|
|
|
|
if (dns_name_issubdomain(nsname, dns_zone_getorigin(zone))) {
|
2017-09-08 13:39:09 -07:00
|
|
|
cfg_obj_log(zconfig, named_g_lctx, ISC_LOG_ERROR,
|
2010-12-16 09:51:30 +00:00
|
|
|
"server-name '%s' must not be a "
|
|
|
|
|
"subdomain of zone name '%s'",
|
|
|
|
|
str, zname);
|
|
|
|
|
return (ISC_R_FAILURE);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
dns_name_toregion(nsname, &sregion);
|
|
|
|
|
rdata = isc_mem_get(mctx, sizeof(*rdata) + sregion.length);
|
|
|
|
|
region.length = sregion.length;
|
|
|
|
|
region.base = (unsigned char *)(rdata + 1);
|
2014-01-08 16:27:10 -08:00
|
|
|
memmove(region.base, sregion.base, region.length);
|
2010-12-16 09:51:30 +00:00
|
|
|
dns_rdata_init(rdata);
|
|
|
|
|
dns_rdata_fromregion(rdata, dns_zone_getclass(zone),
|
|
|
|
|
dns_rdatatype_ns, ®ion);
|
|
|
|
|
ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return (result);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*%
|
|
|
|
|
* Configure static-stub zone.
|
|
|
|
|
*/
|
|
|
|
|
static isc_result_t
|
|
|
|
|
configure_staticstub(const cfg_obj_t *zconfig, dns_zone_t *zone,
|
|
|
|
|
const char *zname, const char *dbtype) {
|
2010-12-16 23:47:08 +00:00
|
|
|
int i = 0;
|
2010-12-16 09:51:30 +00:00
|
|
|
const cfg_obj_t *obj;
|
|
|
|
|
isc_mem_t *mctx = dns_zone_getmctx(zone);
|
|
|
|
|
dns_db_t *db = NULL;
|
|
|
|
|
dns_dbversion_t *dbversion = NULL;
|
|
|
|
|
dns_dbnode_t *apexnode = NULL;
|
|
|
|
|
dns_name_t apexname;
|
|
|
|
|
isc_result_t result;
|
|
|
|
|
dns_rdataset_t rdataset;
|
|
|
|
|
dns_rdatalist_t rdatalist_ns, rdatalist_a, rdatalist_aaaa;
|
|
|
|
|
dns_rdatalist_t *rdatalists[] = { &rdatalist_ns, &rdatalist_a,
|
|
|
|
|
&rdatalist_aaaa, NULL };
|
|
|
|
|
dns_rdata_t *rdata;
|
|
|
|
|
isc_region_t region;
|
|
|
|
|
|
|
|
|
|
/* Create the DB beforehand */
|
|
|
|
|
RETERR(dns_db_create(mctx, dbtype, dns_zone_getorigin(zone),
|
|
|
|
|
dns_dbtype_stub, dns_zone_getclass(zone), 0, NULL,
|
|
|
|
|
&db));
|
2019-09-04 14:02:33 +10:00
|
|
|
|
|
|
|
|
dns_rdataset_init(&rdataset);
|
2010-12-16 09:51:30 +00:00
|
|
|
|
|
|
|
|
dns_rdatalist_init(&rdatalist_ns);
|
|
|
|
|
rdatalist_ns.rdclass = dns_zone_getclass(zone);
|
|
|
|
|
rdatalist_ns.type = dns_rdatatype_ns;
|
|
|
|
|
rdatalist_ns.ttl = STATICSTUB_SERVER_TTL;
|
|
|
|
|
|
|
|
|
|
dns_rdatalist_init(&rdatalist_a);
|
|
|
|
|
rdatalist_a.rdclass = dns_zone_getclass(zone);
|
|
|
|
|
rdatalist_a.type = dns_rdatatype_a;
|
|
|
|
|
rdatalist_a.ttl = STATICSTUB_SERVER_TTL;
|
|
|
|
|
|
|
|
|
|
dns_rdatalist_init(&rdatalist_aaaa);
|
|
|
|
|
rdatalist_aaaa.rdclass = dns_zone_getclass(zone);
|
|
|
|
|
rdatalist_aaaa.type = dns_rdatatype_aaaa;
|
|
|
|
|
rdatalist_aaaa.ttl = STATICSTUB_SERVER_TTL;
|
|
|
|
|
|
|
|
|
|
/* Prepare zone RRs from the configuration */
|
|
|
|
|
obj = NULL;
|
|
|
|
|
result = cfg_map_get(zconfig, "server-addresses", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
if (result == ISC_R_SUCCESS) {
|
|
|
|
|
INSIST(obj != NULL);
|
2019-09-04 14:02:33 +10:00
|
|
|
CHECK(configure_staticstub_serveraddrs(obj, zone, &rdatalist_ns,
|
|
|
|
|
&rdatalist_a,
|
|
|
|
|
&rdatalist_aaaa));
|
2010-12-16 09:51:30 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
obj = NULL;
|
|
|
|
|
result = cfg_map_get(zconfig, "server-names", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
if (result == ISC_R_SUCCESS) {
|
|
|
|
|
INSIST(obj != NULL);
|
2019-09-04 14:02:33 +10:00
|
|
|
CHECK(configure_staticstub_servernames(obj, zone, &rdatalist_ns,
|
|
|
|
|
zname));
|
2010-12-16 09:51:30 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Sanity check: there should be at least one NS RR at the zone apex
|
|
|
|
|
* to trigger delegation.
|
|
|
|
|
*/
|
|
|
|
|
if (ISC_LIST_EMPTY(rdatalist_ns.rdata)) {
|
2017-09-08 13:39:09 -07:00
|
|
|
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
|
|
|
|
|
NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
|
2010-12-16 09:51:30 +00:00
|
|
|
"No NS record is configured for a "
|
|
|
|
|
"static-stub zone '%s'",
|
|
|
|
|
zname);
|
|
|
|
|
result = ISC_R_FAILURE;
|
|
|
|
|
goto cleanup;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Now add NS and glue A/AAAA RRsets to the zone DB.
|
|
|
|
|
* First open a new version for the add operation and get a pointer
|
|
|
|
|
* to the apex node (all RRs are of the apex name).
|
|
|
|
|
*/
|
2019-09-04 14:02:33 +10:00
|
|
|
CHECK(dns_db_newversion(db, &dbversion));
|
|
|
|
|
|
2010-12-16 09:51:30 +00:00
|
|
|
dns_name_init(&apexname, NULL);
|
|
|
|
|
dns_name_clone(dns_zone_getorigin(zone), &apexname);
|
2019-09-04 14:02:33 +10:00
|
|
|
CHECK(dns_db_findnode(db, &apexname, false, &apexnode));
|
2010-12-16 09:51:30 +00:00
|
|
|
|
|
|
|
|
/* Add NS RRset */
|
2022-07-29 12:40:45 +00:00
|
|
|
dns_rdatalist_tordataset(&rdatalist_ns, &rdataset);
|
2019-09-04 14:02:33 +10:00
|
|
|
CHECK(dns_db_addrdataset(db, apexnode, dbversion, 0, &rdataset, 0,
|
|
|
|
|
NULL));
|
2010-12-16 09:51:30 +00:00
|
|
|
dns_rdataset_disassociate(&rdataset);
|
|
|
|
|
|
|
|
|
|
/* Add glue A RRset, if any */
|
|
|
|
|
if (!ISC_LIST_EMPTY(rdatalist_a.rdata)) {
|
2022-07-29 12:40:45 +00:00
|
|
|
dns_rdatalist_tordataset(&rdatalist_a, &rdataset);
|
2019-09-04 14:02:33 +10:00
|
|
|
CHECK(dns_db_addrdataset(db, apexnode, dbversion, 0, &rdataset,
|
|
|
|
|
0, NULL));
|
2010-12-16 09:51:30 +00:00
|
|
|
dns_rdataset_disassociate(&rdataset);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Add glue AAAA RRset, if any */
|
|
|
|
|
if (!ISC_LIST_EMPTY(rdatalist_aaaa.rdata)) {
|
2022-07-29 12:40:45 +00:00
|
|
|
dns_rdatalist_tordataset(&rdatalist_aaaa, &rdataset);
|
2019-09-04 14:02:33 +10:00
|
|
|
CHECK(dns_db_addrdataset(db, apexnode, dbversion, 0, &rdataset,
|
|
|
|
|
0, NULL));
|
2010-12-16 09:51:30 +00:00
|
|
|
dns_rdataset_disassociate(&rdataset);
|
|
|
|
|
}
|
|
|
|
|
|
2019-09-04 14:02:33 +10:00
|
|
|
dns_db_closeversion(db, &dbversion, true);
|
|
|
|
|
dns_zone_setdb(zone, db);
|
|
|
|
|
|
2010-12-16 09:51:30 +00:00
|
|
|
result = ISC_R_SUCCESS;
|
|
|
|
|
|
|
|
|
|
cleanup:
|
2019-09-04 14:02:33 +10:00
|
|
|
if (dns_rdataset_isassociated(&rdataset)) {
|
|
|
|
|
dns_rdataset_disassociate(&rdataset);
|
|
|
|
|
}
|
|
|
|
|
if (apexnode != NULL) {
|
2010-12-16 09:51:30 +00:00
|
|
|
dns_db_detachnode(db, &apexnode);
|
2019-09-04 14:02:33 +10:00
|
|
|
}
|
|
|
|
|
if (dbversion != NULL) {
|
|
|
|
|
dns_db_closeversion(db, &dbversion, false);
|
|
|
|
|
}
|
|
|
|
|
if (db != NULL) {
|
2010-12-16 09:51:30 +00:00
|
|
|
dns_db_detach(&db);
|
2019-09-04 14:02:33 +10:00
|
|
|
}
|
2010-12-16 09:51:30 +00:00
|
|
|
for (i = 0; rdatalists[i] != NULL; i++) {
|
|
|
|
|
while ((rdata = ISC_LIST_HEAD(rdatalists[i]->rdata)) != NULL) {
|
|
|
|
|
ISC_LIST_UNLINK(rdatalists[i]->rdata, rdata, link);
|
|
|
|
|
dns_rdata_toregion(rdata, ®ion);
|
|
|
|
|
isc_mem_put(mctx, rdata,
|
|
|
|
|
sizeof(*rdata) + region.length);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2014-10-03 07:50:09 +10:00
|
|
|
INSIST(dbversion == NULL);
|
|
|
|
|
|
2010-12-16 09:51:30 +00:00
|
|
|
return (result);
|
|
|
|
|
}
|
|
|
|
|
|
2005-04-27 04:57:32 +00:00
|
|
|
/*%
|
2001-03-04 21:21:39 +00:00
|
|
|
* Convert a config file zone type into a server zone type.
|
|
|
|
|
*/
|
2021-10-11 13:43:12 +02:00
|
|
|
static dns_zonetype_t
|
2006-02-28 02:39:52 +00:00
|
|
|
zonetype_fromconfig(const cfg_obj_t *map) {
|
|
|
|
|
const cfg_obj_t *obj = NULL;
|
2001-03-04 21:21:39 +00:00
|
|
|
isc_result_t result;
|
|
|
|
|
|
|
|
|
|
result = cfg_map_get(map, "type", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2017-09-08 13:39:09 -07:00
|
|
|
return (named_config_getzonetype(obj));
|
2000-01-21 19:22:35 +00:00
|
|
|
}
|
|
|
|
|
|
2005-04-27 04:57:32 +00:00
|
|
|
/*%
|
2000-08-10 00:53:36 +00:00
|
|
|
* Helper function for strtoargv(). Pardon the gratuitous recursion.
|
|
|
|
|
*/
|
|
|
|
|
static isc_result_t
|
2000-08-14 03:50:59 +00:00
|
|
|
strtoargvsub(isc_mem_t *mctx, char *s, unsigned int *argcp, char ***argvp,
|
|
|
|
|
unsigned int n) {
|
2000-08-10 00:53:36 +00:00
|
|
|
isc_result_t result;
|
2008-01-18 23:46:58 +00:00
|
|
|
|
2000-08-10 00:53:36 +00:00
|
|
|
/* Discard leading whitespace. */
|
|
|
|
|
while (*s == ' ' || *s == '\t') {
|
|
|
|
|
s++;
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2008-01-18 23:46:58 +00:00
|
|
|
|
2000-08-10 00:53:36 +00:00
|
|
|
if (*s == '\0') {
|
|
|
|
|
/* We have reached the end of the string. */
|
|
|
|
|
*argcp = n;
|
|
|
|
|
*argvp = isc_mem_get(mctx, n * sizeof(char *));
|
|
|
|
|
} else {
|
|
|
|
|
char *p = s;
|
|
|
|
|
while (*p != ' ' && *p != '\t' && *p != '\0') {
|
|
|
|
|
p++;
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2000-08-10 00:53:36 +00:00
|
|
|
if (*p != '\0') {
|
|
|
|
|
*p++ = '\0';
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2000-08-10 00:53:36 +00:00
|
|
|
|
|
|
|
|
result = strtoargvsub(mctx, p, argcp, argvp, n + 1);
|
|
|
|
|
if (result != ISC_R_SUCCESS) {
|
|
|
|
|
return (result);
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2000-08-10 00:53:36 +00:00
|
|
|
(*argvp)[n] = s;
|
|
|
|
|
}
|
|
|
|
|
return (ISC_R_SUCCESS);
|
|
|
|
|
}
|
|
|
|
|
|
2005-04-27 04:57:32 +00:00
|
|
|
/*%
|
2000-08-10 00:53:36 +00:00
|
|
|
* Tokenize the string "s" into whitespace-separated words,
|
|
|
|
|
* return the number of words in '*argcp' and an array
|
|
|
|
|
* of pointers to the words in '*argvp'. The caller
|
|
|
|
|
* must free the array using isc_mem_put(). The string
|
|
|
|
|
* is modified in-place.
|
|
|
|
|
*/
|
|
|
|
|
static isc_result_t
|
2000-08-14 03:50:59 +00:00
|
|
|
strtoargv(isc_mem_t *mctx, char *s, unsigned int *argcp, char ***argvp) {
|
2000-08-10 00:53:36 +00:00
|
|
|
return (strtoargvsub(mctx, s, argcp, argvp, 0));
|
|
|
|
|
}
|
|
|
|
|
|
2021-09-19 09:11:15 +10:00
|
|
|
static const char *const primary_synonyms[] = { "primary", "master", NULL };
|
|
|
|
|
|
|
|
|
|
static const char *const secondary_synonyms[] = { "secondary", "slave", NULL };
|
|
|
|
|
|
2004-02-27 20:41:51 +00:00
|
|
|
static void
|
2006-02-28 02:39:52 +00:00
|
|
|
checknames(dns_zonetype_t ztype, const cfg_obj_t **maps,
|
|
|
|
|
const cfg_obj_t **objp) {
|
2004-04-20 14:11:47 +00:00
|
|
|
isc_result_t result;
|
2004-02-27 20:41:51 +00:00
|
|
|
|
|
|
|
|
switch (ztype) {
|
2021-08-25 22:29:25 -07:00
|
|
|
case dns_zone_secondary:
|
2018-10-09 10:54:51 +02:00
|
|
|
case dns_zone_mirror:
|
2021-09-19 09:11:15 +10:00
|
|
|
result = named_checknames_get(maps, secondary_synonyms, objp);
|
2018-10-09 10:54:51 +02:00
|
|
|
break;
|
2021-08-25 22:29:25 -07:00
|
|
|
case dns_zone_primary:
|
2021-09-19 09:11:15 +10:00
|
|
|
result = named_checknames_get(maps, primary_synonyms, objp);
|
2018-10-09 10:54:51 +02:00
|
|
|
break;
|
2004-02-27 20:41:51 +00:00
|
|
|
default:
|
2021-10-11 12:50:17 +02:00
|
|
|
UNREACHABLE();
|
2004-02-27 20:41:51 +00:00
|
|
|
}
|
2020-06-16 17:48:42 -07:00
|
|
|
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && objp != NULL && *objp != NULL);
|
2004-02-27 20:41:51 +00:00
|
|
|
}
|
|
|
|
|
|
2017-09-08 13:39:09 -07:00
|
|
|
/*
|
|
|
|
|
* Callback to see if a non-recursive query coming from 'srcaddr' to
|
|
|
|
|
* 'destaddr', with optional key 'mykey' for class 'rdclass' would be
|
|
|
|
|
* delivered to 'myview'.
|
|
|
|
|
*
|
|
|
|
|
* We run this unlocked as both the view list and the interface list
|
|
|
|
|
* are updated when the appropriate task has exclusivity.
|
|
|
|
|
*/
|
2018-04-17 08:29:14 -07:00
|
|
|
static bool
|
2017-09-08 13:39:09 -07:00
|
|
|
isself(dns_view_t *myview, dns_tsigkey_t *mykey, const isc_sockaddr_t *srcaddr,
|
|
|
|
|
const isc_sockaddr_t *dstaddr, dns_rdataclass_t rdclass, void *arg) {
|
|
|
|
|
ns_interfacemgr_t *interfacemgr = (ns_interfacemgr_t *)arg;
|
|
|
|
|
dns_aclenv_t *env = ns_interfacemgr_getaclenv(interfacemgr);
|
|
|
|
|
dns_view_t *view;
|
|
|
|
|
dns_tsigkey_t *key = NULL;
|
|
|
|
|
isc_netaddr_t netsrc;
|
|
|
|
|
isc_netaddr_t netdst;
|
|
|
|
|
|
|
|
|
|
if (interfacemgr == NULL) {
|
2018-04-17 08:29:14 -07:00
|
|
|
return (true);
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2017-09-08 13:39:09 -07:00
|
|
|
|
|
|
|
|
if (!ns_interfacemgr_listeningon(interfacemgr, dstaddr)) {
|
2018-04-17 08:29:14 -07:00
|
|
|
return (false);
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2017-09-08 13:39:09 -07:00
|
|
|
|
|
|
|
|
isc_netaddr_fromsockaddr(&netsrc, srcaddr);
|
|
|
|
|
isc_netaddr_fromsockaddr(&netdst, dstaddr);
|
|
|
|
|
|
|
|
|
|
for (view = ISC_LIST_HEAD(named_g_server->viewlist); view != NULL;
|
2019-09-27 09:39:35 +02:00
|
|
|
view = ISC_LIST_NEXT(view, link))
|
|
|
|
|
{
|
|
|
|
|
const dns_name_t *tsig = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
|
|
|
|
|
if (view->matchrecursiveonly) {
|
|
|
|
|
continue;
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2017-09-08 13:39:09 -07:00
|
|
|
|
|
|
|
|
if (rdclass != view->rdclass) {
|
|
|
|
|
continue;
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2017-09-08 13:39:09 -07:00
|
|
|
|
|
|
|
|
if (mykey != NULL) {
|
2018-04-17 08:29:14 -07:00
|
|
|
bool match;
|
2017-09-08 13:39:09 -07:00
|
|
|
isc_result_t result;
|
|
|
|
|
|
|
|
|
|
result = dns_view_gettsig(view, &mykey->name, &key);
|
|
|
|
|
if (result != ISC_R_SUCCESS) {
|
|
|
|
|
continue;
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2017-09-08 13:39:09 -07:00
|
|
|
match = dst_key_compare(mykey->key, key->key);
|
|
|
|
|
dns_tsigkey_detach(&key);
|
|
|
|
|
if (!match) {
|
|
|
|
|
continue;
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2017-09-08 13:39:09 -07:00
|
|
|
tsig = dns_tsigkey_identity(mykey);
|
|
|
|
|
}
|
|
|
|
|
|
2018-04-26 20:57:41 -07:00
|
|
|
if (dns_acl_allowed(&netsrc, tsig, view->matchclients, env) &&
|
|
|
|
|
dns_acl_allowed(&netdst, tsig, view->matchdestinations,
|
|
|
|
|
env))
|
|
|
|
|
{
|
2017-09-08 13:39:09 -07:00
|
|
|
break;
|
2018-04-26 20:57:41 -07:00
|
|
|
}
|
2017-09-08 13:39:09 -07:00
|
|
|
}
|
2018-04-17 08:29:14 -07:00
|
|
|
return (view == myview);
|
2017-09-08 13:39:09 -07:00
|
|
|
}
|
|
|
|
|
|
Clean up handling of NOTIFY settings for mirror zones
Previous way of handling NOTIFY settings for mirror zones was a bit
tricky: any value of the "notify" option was accepted, but it was
subsequently overridden with dns_notifytype_explicit. Given the way
zone configuration is performed, this resulted in the following
behavior:
- if "notify yes;" was set explicitly at any configuration level or
inherited from default configuration, it was silently changed and so
only hosts specified in "also-notify", if any, were notified,
- if "notify no;" was set at any configuration level, it was
effectively honored since even though zone->notifytype was silently
set to dns_notifytype_explicit, the "also-notify" option was never
processed due to "notify no;" being set.
Effectively, this only allowed the hosts specified in "also-notify" to
be notified, when either "notify yes;" or "notify explicit;" was
explicitly set or inherited from default configuration.
Clean up handling of NOTIFY settings for mirror zones by:
- reporting a configuration error when anything else than "notify no;"
or "notify explicit;" is set for a mirror zone at the zone level,
- overriding inherited "notify yes;" setting with "notify explicit;"
for mirror zones,
- informing the user when the "notify" setting is overridden, unless
the setting in question was inherited from default configuration.
2018-10-09 10:54:51 +02:00
|
|
|
/*%
|
|
|
|
|
* For mirror zones, change "notify yes;" to "notify explicit;", informing the
|
|
|
|
|
* user only if "notify" was explicitly configured rather than inherited from
|
|
|
|
|
* default configuration.
|
|
|
|
|
*/
|
|
|
|
|
static dns_notifytype_t
|
|
|
|
|
process_notifytype(dns_notifytype_t ntype, dns_zonetype_t ztype,
|
|
|
|
|
const char *zname, const cfg_obj_t **maps) {
|
|
|
|
|
const cfg_obj_t *obj = NULL;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Return the original setting if this is not a mirror zone or if the
|
|
|
|
|
* zone is configured with something else than "notify yes;".
|
|
|
|
|
*/
|
|
|
|
|
if (ztype != dns_zone_mirror || ntype != dns_notifytype_yes) {
|
|
|
|
|
return (ntype);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Only log a message if "notify" was set in the configuration
|
|
|
|
|
* hierarchy supplied in 'maps'.
|
|
|
|
|
*/
|
|
|
|
|
if (named_config_get(maps, "notify", &obj) == ISC_R_SUCCESS) {
|
|
|
|
|
cfg_obj_log(obj, named_g_lctx, ISC_LOG_INFO,
|
|
|
|
|
"'notify explicit;' will be used for mirror zone "
|
|
|
|
|
"'%s'",
|
|
|
|
|
zname);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return (dns_notifytype_explicit);
|
|
|
|
|
}
|
2017-09-08 13:39:09 -07:00
|
|
|
|
1999-12-23 00:09:04 +00:00
|
|
|
isc_result_t
|
2017-09-08 13:39:09 -07:00
|
|
|
named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
|
2019-09-03 11:42:10 +02:00
|
|
|
const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac,
|
|
|
|
|
dns_kasplist_t *kasplist, dns_zone_t *zone,
|
|
|
|
|
dns_zone_t *raw) {
|
1999-12-16 23:11:07 +00:00
|
|
|
isc_result_t result;
|
2005-08-23 02:36:11 +00:00
|
|
|
const char *zname;
|
2001-03-04 21:21:39 +00:00
|
|
|
dns_rdataclass_t zclass;
|
2001-08-07 01:58:59 +00:00
|
|
|
dns_rdataclass_t vclass;
|
2006-02-28 02:39:52 +00:00
|
|
|
const cfg_obj_t *maps[5];
|
2012-06-20 14:13:12 -05:00
|
|
|
const cfg_obj_t *nodefault[4];
|
2006-02-28 02:39:52 +00:00
|
|
|
const cfg_obj_t *zoptions = NULL;
|
|
|
|
|
const cfg_obj_t *options = NULL;
|
|
|
|
|
const cfg_obj_t *obj;
|
1999-12-16 23:11:07 +00:00
|
|
|
const char *filename = NULL;
|
2019-09-03 11:42:10 +02:00
|
|
|
const char *kaspname = NULL;
|
2012-06-20 14:13:12 -05:00
|
|
|
const char *dupcheck;
|
2023-03-08 14:56:08 +01:00
|
|
|
dns_checkdstype_t checkdstype = dns_checkdstype_explicit;
|
2001-03-05 12:04:46 +00:00
|
|
|
dns_notifytype_t notifytype = dns_notifytype_yes;
|
2018-03-28 14:19:37 +02:00
|
|
|
uint32_t count;
|
2000-08-10 00:53:36 +00:00
|
|
|
unsigned int dbargc;
|
|
|
|
|
char **dbargv;
|
|
|
|
|
static char default_dbtype[] = "rbt";
|
2012-12-06 12:39:52 -08:00
|
|
|
static char dlz_dbtype[] = "dlz";
|
|
|
|
|
char *cpval = default_dbtype;
|
2000-08-10 00:53:36 +00:00
|
|
|
isc_mem_t *mctx = dns_zone_getmctx(zone);
|
2001-04-12 21:09:35 +00:00
|
|
|
dns_dialuptype_t dialup = dns_dialuptype_no;
|
2001-03-04 21:21:39 +00:00
|
|
|
dns_zonetype_t ztype;
|
|
|
|
|
int i;
|
2018-03-28 14:19:37 +02:00
|
|
|
int32_t journal_size;
|
2018-04-17 08:29:14 -07:00
|
|
|
bool multi;
|
2019-09-03 11:42:10 +02:00
|
|
|
dns_kasp_t *kasp = NULL;
|
2018-04-17 08:29:14 -07:00
|
|
|
bool check = false, fail = false;
|
|
|
|
|
bool warn = false, ignore = false;
|
|
|
|
|
bool ixfrdiff;
|
2020-12-03 15:01:42 +01:00
|
|
|
bool use_kasp = false;
|
2005-06-20 01:05:33 +00:00
|
|
|
dns_masterformat_t masterformat;
|
2014-04-17 17:10:29 -07:00
|
|
|
const dns_master_style_t *masterstyle = &dns_master_style_default;
|
2009-01-27 22:30:00 +00:00
|
|
|
isc_stats_t *zoneqrystats;
|
2012-11-14 12:44:15 -06:00
|
|
|
dns_stats_t *rcvquerystats;
|
2019-06-19 16:02:50 +02:00
|
|
|
dns_stats_t *dnssecsignstats;
|
2018-06-04 13:41:09 +02:00
|
|
|
dns_zonestat_level_t statlevel = dns_zonestat_none;
|
2008-04-02 02:37:42 +00:00
|
|
|
int seconds;
|
2022-07-13 10:28:59 +02:00
|
|
|
dns_ttl_t maxttl = 0; /* unlimited */
|
2011-08-30 05:16:15 +00:00
|
|
|
dns_zone_t *mayberaw = (raw != NULL) ? raw : zone;
|
2000-07-31 19:36:48 +00:00
|
|
|
|
2001-03-04 21:21:39 +00:00
|
|
|
i = 0;
|
|
|
|
|
if (zconfig != NULL) {
|
|
|
|
|
zoptions = cfg_tuple_get(zconfig, "options");
|
2012-06-20 14:13:12 -05:00
|
|
|
nodefault[i] = maps[i] = zoptions;
|
|
|
|
|
i++;
|
|
|
|
|
}
|
|
|
|
|
if (vconfig != NULL) {
|
|
|
|
|
nodefault[i] = maps[i] = cfg_tuple_get(vconfig, "options");
|
|
|
|
|
i++;
|
2001-03-04 21:21:39 +00:00
|
|
|
}
|
|
|
|
|
if (config != NULL) {
|
|
|
|
|
(void)cfg_map_get(config, "options", &options);
|
2012-06-20 14:13:12 -05:00
|
|
|
if (options != NULL) {
|
|
|
|
|
nodefault[i] = maps[i] = options;
|
|
|
|
|
i++;
|
|
|
|
|
}
|
2001-03-04 21:21:39 +00:00
|
|
|
}
|
2012-06-20 14:13:12 -05:00
|
|
|
nodefault[i] = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
maps[i++] = named_g_defaults;
|
2011-03-11 06:11:27 +00:00
|
|
|
maps[i] = NULL;
|
2001-08-07 01:58:59 +00:00
|
|
|
|
|
|
|
|
if (vconfig != NULL) {
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(named_config_getclass(cfg_tuple_get(vconfig, "class"),
|
|
|
|
|
dns_rdataclass_in, &vclass));
|
2001-08-07 01:58:59 +00:00
|
|
|
} else {
|
|
|
|
|
vclass = dns_rdataclass_in;
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2001-08-07 01:58:59 +00:00
|
|
|
|
2000-05-25 19:27:48 +00:00
|
|
|
/*
|
|
|
|
|
* Configure values common to all zone types.
|
|
|
|
|
*/
|
1999-12-16 23:11:07 +00:00
|
|
|
|
2001-03-04 21:21:39 +00:00
|
|
|
zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
|
1999-12-16 23:11:07 +00:00
|
|
|
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(named_config_getclass(cfg_tuple_get(zconfig, "class"), vclass,
|
|
|
|
|
&zclass));
|
2001-03-04 21:21:39 +00:00
|
|
|
dns_zone_setclass(zone, zclass);
|
2011-08-30 05:16:15 +00:00
|
|
|
if (raw != NULL) {
|
|
|
|
|
dns_zone_setclass(raw, zclass);
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
1999-12-16 23:11:07 +00:00
|
|
|
|
2001-03-04 21:21:39 +00:00
|
|
|
ztype = zonetype_fromconfig(zoptions);
|
2011-08-30 05:16:15 +00:00
|
|
|
if (raw != NULL) {
|
|
|
|
|
dns_zone_settype(raw, ztype);
|
2021-08-25 22:29:25 -07:00
|
|
|
dns_zone_settype(zone, dns_zone_primary);
|
2011-08-30 05:16:15 +00:00
|
|
|
} else {
|
|
|
|
|
dns_zone_settype(zone, ztype);
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2011-08-30 23:46:53 +00:00
|
|
|
|
2001-03-04 21:21:39 +00:00
|
|
|
obj = NULL;
|
|
|
|
|
result = cfg_map_get(zoptions, "database", &obj);
|
|
|
|
|
if (result == ISC_R_SUCCESS) {
|
2005-08-23 02:36:11 +00:00
|
|
|
cpval = isc_mem_strdup(mctx, cfg_obj_asstring(obj));
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2005-08-23 02:36:11 +00:00
|
|
|
if (cpval == NULL) {
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(ISC_R_NOMEMORY);
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2005-08-23 02:36:11 +00:00
|
|
|
|
2012-12-06 12:39:52 -08:00
|
|
|
obj = NULL;
|
|
|
|
|
result = cfg_map_get(zoptions, "dlz", &obj);
|
|
|
|
|
if (result == ISC_R_SUCCESS) {
|
|
|
|
|
const char *dlzname = cfg_obj_asstring(obj);
|
|
|
|
|
size_t len;
|
|
|
|
|
|
|
|
|
|
if (cpval != default_dbtype) {
|
2017-09-08 13:39:09 -07:00
|
|
|
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
|
|
|
|
|
NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
|
2012-12-06 12:39:52 -08:00
|
|
|
"zone '%s': both 'database' and 'dlz' "
|
|
|
|
|
"specified",
|
|
|
|
|
zname);
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(ISC_R_FAILURE);
|
2012-12-06 12:39:52 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
len = strlen(dlzname) + 5;
|
|
|
|
|
cpval = isc_mem_allocate(mctx, len);
|
|
|
|
|
snprintf(cpval, len, "dlz %s", dlzname);
|
|
|
|
|
}
|
|
|
|
|
|
2005-08-23 02:36:11 +00:00
|
|
|
result = strtoargv(mctx, cpval, &dbargc, &dbargv);
|
|
|
|
|
if (result != ISC_R_SUCCESS && cpval != default_dbtype) {
|
|
|
|
|
isc_mem_free(mctx, cpval);
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(result);
|
2005-08-23 02:36:11 +00:00
|
|
|
}
|
|
|
|
|
|
2000-08-22 05:14:59 +00:00
|
|
|
/*
|
|
|
|
|
* ANSI C is strange here. There is no logical reason why (char **)
|
|
|
|
|
* cannot be promoted automatically to (const char * const *) by the
|
|
|
|
|
* compiler w/o generating a warning.
|
|
|
|
|
*/
|
2019-07-23 14:56:24 -04:00
|
|
|
dns_zone_setdbtype(zone, dbargc, (const char *const *)dbargv);
|
2000-08-10 00:53:36 +00:00
|
|
|
isc_mem_put(mctx, dbargv, dbargc * sizeof(*dbargv));
|
2019-07-23 14:56:24 -04:00
|
|
|
if (cpval != default_dbtype && cpval != dlz_dbtype) {
|
2005-08-23 02:36:11 +00:00
|
|
|
isc_mem_free(mctx, cpval);
|
2019-07-23 14:56:24 -04:00
|
|
|
}
|
1999-12-16 23:11:07 +00:00
|
|
|
|
2001-03-04 21:21:39 +00:00
|
|
|
obj = NULL;
|
|
|
|
|
result = cfg_map_get(zoptions, "file", &obj);
|
|
|
|
|
if (result == ISC_R_SUCCESS) {
|
|
|
|
|
filename = cfg_obj_asstring(obj);
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2005-06-20 01:05:33 +00:00
|
|
|
|
2010-07-11 00:12:57 +00:00
|
|
|
/*
|
2021-10-05 11:07:44 +02:00
|
|
|
* Unless we're using some alternative database, a primary zone
|
2010-07-11 00:12:57 +00:00
|
|
|
* will be needing a master file.
|
|
|
|
|
*/
|
2021-08-25 22:29:25 -07:00
|
|
|
if (ztype == dns_zone_primary && cpval == default_dbtype &&
|
2022-11-02 19:33:14 +01:00
|
|
|
filename == NULL)
|
|
|
|
|
{
|
2017-09-08 13:39:09 -07:00
|
|
|
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
|
|
|
|
|
NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
|
2010-09-15 03:32:34 +00:00
|
|
|
"zone '%s': 'file' not specified", zname);
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(ISC_R_FAILURE);
|
2010-07-11 00:12:57 +00:00
|
|
|
}
|
|
|
|
|
|
2021-08-25 22:29:25 -07:00
|
|
|
if (ztype == dns_zone_secondary || ztype == dns_zone_mirror) {
|
2011-10-26 15:23:37 +00:00
|
|
|
masterformat = dns_masterformat_raw;
|
|
|
|
|
} else {
|
|
|
|
|
masterformat = dns_masterformat_text;
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2005-06-20 01:05:33 +00:00
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "masterfile-format", &obj);
|
2005-06-20 01:05:33 +00:00
|
|
|
if (result == ISC_R_SUCCESS) {
|
2005-08-23 02:36:11 +00:00
|
|
|
const char *masterformatstr = cfg_obj_asstring(obj);
|
2005-06-20 01:05:33 +00:00
|
|
|
|
2018-11-07 15:00:07 +07:00
|
|
|
if (strcasecmp(masterformatstr, "text") == 0) {
|
2005-06-20 01:05:33 +00:00
|
|
|
masterformat = dns_masterformat_text;
|
2018-11-07 15:00:07 +07:00
|
|
|
} else if (strcasecmp(masterformatstr, "raw") == 0) {
|
2005-06-20 01:05:33 +00:00
|
|
|
masterformat = dns_masterformat_raw;
|
2018-11-07 15:00:07 +07:00
|
|
|
} else {
|
2021-10-11 12:50:17 +02:00
|
|
|
UNREACHABLE();
|
2018-11-07 15:00:07 +07:00
|
|
|
}
|
2005-06-20 01:05:33 +00:00
|
|
|
}
|
2011-08-30 05:16:15 +00:00
|
|
|
|
2014-04-17 17:10:29 -07:00
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "masterfile-style", &obj);
|
2014-04-17 17:10:29 -07:00
|
|
|
if (result == ISC_R_SUCCESS) {
|
|
|
|
|
const char *masterstylestr = cfg_obj_asstring(obj);
|
|
|
|
|
|
|
|
|
|
if (masterformat != dns_masterformat_text) {
|
2017-09-08 13:39:09 -07:00
|
|
|
cfg_obj_log(obj, named_g_lctx, ISC_LOG_ERROR,
|
2014-04-17 17:10:29 -07:00
|
|
|
"zone '%s': 'masterfile-style' "
|
|
|
|
|
"can only be used with "
|
|
|
|
|
"'masterfile-format text'",
|
|
|
|
|
zname);
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(ISC_R_FAILURE);
|
2014-04-17 17:10:29 -07:00
|
|
|
}
|
|
|
|
|
|
2018-11-07 15:00:07 +07:00
|
|
|
if (strcasecmp(masterstylestr, "full") == 0) {
|
2014-04-17 17:10:29 -07:00
|
|
|
masterstyle = &dns_master_style_full;
|
2018-11-07 15:00:07 +07:00
|
|
|
} else if (strcasecmp(masterstylestr, "relative") == 0) {
|
2014-04-17 17:10:29 -07:00
|
|
|
masterstyle = &dns_master_style_default;
|
2018-11-07 15:00:07 +07:00
|
|
|
} else {
|
2021-10-11 12:50:17 +02:00
|
|
|
UNREACHABLE();
|
2018-11-07 15:00:07 +07:00
|
|
|
}
|
2014-04-17 17:10:29 -07:00
|
|
|
}
|
|
|
|
|
|
2016-11-02 17:31:27 +11:00
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "max-records", &obj);
|
2016-11-02 17:31:27 +11:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
|
|
|
|
dns_zone_setmaxrecords(mayberaw, cfg_obj_asuint32(obj));
|
|
|
|
|
if (zone != mayberaw) {
|
|
|
|
|
dns_zone_setmaxrecords(zone, 0);
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2016-11-02 17:31:27 +11:00
|
|
|
|
2012-10-02 23:44:03 -07:00
|
|
|
if (raw != NULL && filename != NULL) {
|
2011-08-30 05:16:15 +00:00
|
|
|
#define SIGNED ".signed"
|
|
|
|
|
size_t signedlen = strlen(filename) + sizeof(SIGNED);
|
|
|
|
|
char *signedname;
|
|
|
|
|
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(dns_zone_setfile(raw, filename, masterformat,
|
|
|
|
|
masterstyle));
|
2011-08-30 05:16:15 +00:00
|
|
|
signedname = isc_mem_get(mctx, signedlen);
|
|
|
|
|
|
|
|
|
|
(void)snprintf(signedname, signedlen, "%s" SIGNED, filename);
|
2018-04-03 16:34:41 +02:00
|
|
|
result = dns_zone_setfile(zone, signedname,
|
|
|
|
|
dns_masterformat_raw, NULL);
|
2011-08-30 05:16:15 +00:00
|
|
|
isc_mem_put(mctx, signedname, signedlen);
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(result);
|
2011-08-30 05:16:15 +00:00
|
|
|
} else {
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(dns_zone_setfile(zone, filename, masterformat,
|
|
|
|
|
masterstyle));
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
1999-12-16 23:11:07 +00:00
|
|
|
|
2004-10-07 02:15:14 +00:00
|
|
|
obj = NULL;
|
|
|
|
|
result = cfg_map_get(zoptions, "journal", &obj);
|
|
|
|
|
if (result == ISC_R_SUCCESS) {
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(dns_zone_setjournal(mayberaw, cfg_obj_asstring(obj)));
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2004-10-07 02:15:14 +00:00
|
|
|
|
2011-08-30 05:16:15 +00:00
|
|
|
/*
|
|
|
|
|
* Notify messages are processed by the raw zone if it exists.
|
|
|
|
|
*/
|
2021-08-25 22:29:25 -07:00
|
|
|
if (ztype == dns_zone_secondary || ztype == dns_zone_mirror) {
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(configure_zone_acl(zconfig, vconfig, config, allow_notify,
|
|
|
|
|
ac, mayberaw, dns_zone_setnotifyacl,
|
|
|
|
|
dns_zone_clearnotifyacl));
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2011-08-30 05:16:15 +00:00
|
|
|
|
2000-05-25 19:27:48 +00:00
|
|
|
/*
|
|
|
|
|
* XXXAG This probably does not make sense for stubs.
|
|
|
|
|
*/
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(configure_zone_acl(zconfig, vconfig, config, allow_query, ac,
|
|
|
|
|
zone, dns_zone_setqueryacl,
|
|
|
|
|
dns_zone_clearqueryacl));
|
2000-05-25 19:27:48 +00:00
|
|
|
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(configure_zone_acl(zconfig, vconfig, config, allow_query_on, ac,
|
|
|
|
|
zone, dns_zone_setqueryonacl,
|
|
|
|
|
dns_zone_clearqueryonacl));
|
2013-01-03 15:13:45 -08:00
|
|
|
|
2001-03-04 21:21:39 +00:00
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "dialup", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2001-03-04 21:21:39 +00:00
|
|
|
if (cfg_obj_isboolean(obj)) {
|
|
|
|
|
if (cfg_obj_asboolean(obj)) {
|
|
|
|
|
dialup = dns_dialuptype_yes;
|
|
|
|
|
} else {
|
|
|
|
|
dialup = dns_dialuptype_no;
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2001-03-04 21:21:39 +00:00
|
|
|
} else {
|
2005-08-23 02:36:11 +00:00
|
|
|
const char *dialupstr = cfg_obj_asstring(obj);
|
2018-11-07 15:00:07 +07:00
|
|
|
if (strcasecmp(dialupstr, "notify") == 0) {
|
2001-03-04 21:21:39 +00:00
|
|
|
dialup = dns_dialuptype_notify;
|
2018-11-07 15:00:07 +07:00
|
|
|
} else if (strcasecmp(dialupstr, "notify-passive") == 0) {
|
2001-03-04 21:21:39 +00:00
|
|
|
dialup = dns_dialuptype_notifypassive;
|
2018-11-07 15:00:07 +07:00
|
|
|
} else if (strcasecmp(dialupstr, "refresh") == 0) {
|
2001-03-04 21:21:39 +00:00
|
|
|
dialup = dns_dialuptype_refresh;
|
2018-11-07 15:00:07 +07:00
|
|
|
} else if (strcasecmp(dialupstr, "passive") == 0) {
|
2001-03-04 21:21:39 +00:00
|
|
|
dialup = dns_dialuptype_passive;
|
2018-11-07 15:00:07 +07:00
|
|
|
} else {
|
2021-10-11 12:50:17 +02:00
|
|
|
UNREACHABLE();
|
2018-11-07 15:00:07 +07:00
|
|
|
}
|
2001-03-04 21:21:39 +00:00
|
|
|
}
|
2011-08-30 05:16:15 +00:00
|
|
|
if (raw != NULL) {
|
|
|
|
|
dns_zone_setdialup(raw, dialup);
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2000-11-11 01:05:43 +00:00
|
|
|
dns_zone_setdialup(zone, dialup);
|
2000-05-25 19:27:48 +00:00
|
|
|
|
2001-03-04 21:21:39 +00:00
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "zone-statistics", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2013-02-27 11:53:58 -08:00
|
|
|
if (cfg_obj_isboolean(obj)) {
|
|
|
|
|
if (cfg_obj_asboolean(obj)) {
|
|
|
|
|
statlevel = dns_zonestat_full;
|
|
|
|
|
} else {
|
2013-02-27 13:37:54 -08:00
|
|
|
statlevel = dns_zonestat_none;
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2013-02-27 11:53:58 -08:00
|
|
|
} else {
|
|
|
|
|
const char *levelstr = cfg_obj_asstring(obj);
|
2018-11-07 15:00:07 +07:00
|
|
|
if (strcasecmp(levelstr, "full") == 0) {
|
2013-02-27 11:53:58 -08:00
|
|
|
statlevel = dns_zonestat_full;
|
2018-11-07 15:00:07 +07:00
|
|
|
} else if (strcasecmp(levelstr, "terse") == 0) {
|
2013-02-27 11:53:58 -08:00
|
|
|
statlevel = dns_zonestat_terse;
|
2018-11-07 15:00:07 +07:00
|
|
|
} else if (strcasecmp(levelstr, "none") == 0) {
|
2013-02-27 11:53:58 -08:00
|
|
|
statlevel = dns_zonestat_none;
|
2018-11-07 15:00:07 +07:00
|
|
|
} else {
|
2021-10-11 12:50:17 +02:00
|
|
|
UNREACHABLE();
|
2018-11-07 15:00:07 +07:00
|
|
|
}
|
2013-02-27 11:53:58 -08:00
|
|
|
}
|
|
|
|
|
dns_zone_setstatlevel(zone, statlevel);
|
2012-11-14 12:44:15 -06:00
|
|
|
|
|
|
|
|
zoneqrystats = NULL;
|
|
|
|
|
rcvquerystats = NULL;
|
2019-06-19 16:02:50 +02:00
|
|
|
dnssecsignstats = NULL;
|
2013-02-27 11:53:58 -08:00
|
|
|
if (statlevel == dns_zonestat_full) {
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(isc_stats_create(mctx, &zoneqrystats,
|
|
|
|
|
ns_statscounter_max));
|
|
|
|
|
CHECK(dns_rdatatypestats_create(mctx, &rcvquerystats));
|
|
|
|
|
CHECK(dns_dnssecsignstats_create(mctx, &dnssecsignstats));
|
2008-04-03 05:55:52 +00:00
|
|
|
}
|
2013-02-27 11:53:58 -08:00
|
|
|
dns_zone_setrequeststats(zone, zoneqrystats);
|
2012-11-14 12:44:15 -06:00
|
|
|
dns_zone_setrcvquerystats(zone, rcvquerystats);
|
2019-06-19 16:02:50 +02:00
|
|
|
dns_zone_setdnssecsignstats(zone, dnssecsignstats);
|
2012-11-14 12:44:15 -06:00
|
|
|
|
2008-04-03 05:55:52 +00:00
|
|
|
if (zoneqrystats != NULL) {
|
2009-01-27 22:30:00 +00:00
|
|
|
isc_stats_detach(&zoneqrystats);
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2000-11-07 23:49:42 +00:00
|
|
|
|
2012-11-14 12:44:15 -06:00
|
|
|
if (rcvquerystats != NULL) {
|
|
|
|
|
dns_stats_detach(&rcvquerystats);
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2012-11-14 12:44:15 -06:00
|
|
|
|
2019-06-19 16:02:50 +02:00
|
|
|
if (dnssecsignstats != NULL) {
|
|
|
|
|
dns_stats_detach(&dnssecsignstats);
|
|
|
|
|
}
|
|
|
|
|
|
2000-05-25 19:27:48 +00:00
|
|
|
/*
|
2021-10-05 11:07:44 +02:00
|
|
|
* Configure authoritative zone functionality. This applies
|
2020-06-17 02:02:27 -07:00
|
|
|
* to primary servers (type "primary") and secondaries
|
|
|
|
|
* acting as primaries (type "secondary"), but not to stubs.
|
2000-05-25 19:27:48 +00:00
|
|
|
*/
|
2011-02-23 03:08:11 +00:00
|
|
|
if (ztype != dns_zone_stub && ztype != dns_zone_staticstub &&
|
|
|
|
|
ztype != dns_zone_redirect)
|
|
|
|
|
{
|
2023-02-10 15:18:36 +01:00
|
|
|
/* Make a reference to the default policy. */
|
|
|
|
|
result = dns_kasplist_find(kasplist, "default", &kasp);
|
|
|
|
|
INSIST(result == ISC_R_SUCCESS && kasp != NULL);
|
|
|
|
|
dns_zone_setdefaultkasp(zone, kasp);
|
2023-02-21 12:15:01 +11:00
|
|
|
dns_kasp_detach(&kasp);
|
2023-02-10 15:18:36 +01:00
|
|
|
|
2019-09-03 11:42:10 +02:00
|
|
|
obj = NULL;
|
2019-11-05 17:22:35 +01:00
|
|
|
result = named_config_get(maps, "dnssec-policy", &obj);
|
2019-09-03 11:42:10 +02:00
|
|
|
if (result == ISC_R_SUCCESS) {
|
|
|
|
|
kaspname = cfg_obj_asstring(obj);
|
2021-04-21 16:09:06 +02:00
|
|
|
if (strcmp(kaspname, "none") != 0) {
|
|
|
|
|
result = dns_kasplist_find(kasplist, kaspname,
|
|
|
|
|
&kasp);
|
|
|
|
|
if (result != ISC_R_SUCCESS) {
|
|
|
|
|
cfg_obj_log(
|
|
|
|
|
obj, named_g_lctx,
|
|
|
|
|
ISC_LOG_ERROR,
|
|
|
|
|
"dnssec-policy '%s' not found ",
|
|
|
|
|
kaspname);
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(result);
|
2021-04-21 16:09:06 +02:00
|
|
|
}
|
|
|
|
|
dns_zone_setkasp(zone, kasp);
|
|
|
|
|
use_kasp = true;
|
2019-09-03 11:42:10 +02:00
|
|
|
}
|
2021-04-21 16:09:06 +02:00
|
|
|
}
|
|
|
|
|
if (!use_kasp) {
|
|
|
|
|
dns_zone_setkasp(zone, NULL);
|
2019-09-03 11:42:10 +02:00
|
|
|
}
|
|
|
|
|
|
2023-03-08 14:56:08 +01:00
|
|
|
obj = NULL;
|
|
|
|
|
result = named_config_get(maps, "checkds", &obj);
|
|
|
|
|
if (result == ISC_R_SUCCESS) {
|
|
|
|
|
if (cfg_obj_isboolean(obj)) {
|
|
|
|
|
if (cfg_obj_asboolean(obj)) {
|
|
|
|
|
checkdstype = dns_checkdstype_yes;
|
|
|
|
|
} else {
|
|
|
|
|
checkdstype = dns_checkdstype_no;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
const char *str = cfg_obj_asstring(obj);
|
|
|
|
|
if (strcasecmp(str, "explicit") == 0) {
|
|
|
|
|
checkdstype = dns_checkdstype_explicit;
|
|
|
|
|
} else {
|
|
|
|
|
UNREACHABLE();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (raw != NULL) {
|
|
|
|
|
dns_zone_setcheckdstype(raw, dns_checkdstype_no);
|
|
|
|
|
}
|
|
|
|
|
dns_zone_setcheckdstype(zone, checkdstype);
|
|
|
|
|
|
2001-03-04 21:21:39 +00:00
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "notify", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2001-03-04 21:21:39 +00:00
|
|
|
if (cfg_obj_isboolean(obj)) {
|
|
|
|
|
if (cfg_obj_asboolean(obj)) {
|
|
|
|
|
notifytype = dns_notifytype_yes;
|
|
|
|
|
} else {
|
|
|
|
|
notifytype = dns_notifytype_no;
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2001-03-04 21:21:39 +00:00
|
|
|
} else {
|
2020-06-17 02:45:07 -07:00
|
|
|
const char *str = cfg_obj_asstring(obj);
|
|
|
|
|
if (strcasecmp(str, "explicit") == 0) {
|
2001-03-04 21:21:39 +00:00
|
|
|
notifytype = dns_notifytype_explicit;
|
2020-06-17 02:45:07 -07:00
|
|
|
} else if (strcasecmp(str, "master-only") == 0 ||
|
|
|
|
|
strcasecmp(str, "primary-only") == 0)
|
|
|
|
|
{
|
2004-03-30 02:13:45 +00:00
|
|
|
notifytype = dns_notifytype_masteronly;
|
2018-11-07 15:00:07 +07:00
|
|
|
} else {
|
2021-10-11 12:50:17 +02:00
|
|
|
UNREACHABLE();
|
2018-11-07 15:00:07 +07:00
|
|
|
}
|
2001-03-04 21:21:39 +00:00
|
|
|
}
|
Clean up handling of NOTIFY settings for mirror zones
Previous way of handling NOTIFY settings for mirror zones was a bit
tricky: any value of the "notify" option was accepted, but it was
subsequently overridden with dns_notifytype_explicit. Given the way
zone configuration is performed, this resulted in the following
behavior:
- if "notify yes;" was set explicitly at any configuration level or
inherited from default configuration, it was silently changed and so
only hosts specified in "also-notify", if any, were notified,
- if "notify no;" was set at any configuration level, it was
effectively honored since even though zone->notifytype was silently
set to dns_notifytype_explicit, the "also-notify" option was never
processed due to "notify no;" being set.
Effectively, this only allowed the hosts specified in "also-notify" to
be notified, when either "notify yes;" or "notify explicit;" was
explicitly set or inherited from default configuration.
Clean up handling of NOTIFY settings for mirror zones by:
- reporting a configuration error when anything else than "notify no;"
or "notify explicit;" is set for a mirror zone at the zone level,
- overriding inherited "notify yes;" setting with "notify explicit;"
for mirror zones,
- informing the user when the "notify" setting is overridden, unless
the setting in question was inherited from default configuration.
2018-10-09 10:54:51 +02:00
|
|
|
notifytype = process_notifytype(notifytype, ztype, zname,
|
|
|
|
|
nodefault);
|
2011-08-30 05:16:15 +00:00
|
|
|
if (raw != NULL) {
|
|
|
|
|
dns_zone_setnotifytype(raw, dns_notifytype_no);
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2000-07-24 22:59:44 +00:00
|
|
|
dns_zone_setnotifytype(zone, notifytype);
|
1999-12-16 23:11:07 +00:00
|
|
|
|
2001-03-04 21:21:39 +00:00
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "also-notify", &obj);
|
2014-01-20 15:53:51 -08:00
|
|
|
if (result == ISC_R_SUCCESS &&
|
|
|
|
|
(notifytype == dns_notifytype_yes ||
|
|
|
|
|
notifytype == dns_notifytype_explicit ||
|
|
|
|
|
(notifytype == dns_notifytype_masteronly &&
|
2021-08-25 22:29:25 -07:00
|
|
|
ztype == dns_zone_primary)))
|
2014-01-20 15:53:51 -08:00
|
|
|
{
|
2016-05-26 21:23:19 +02:00
|
|
|
dns_ipkeylist_t ipkl;
|
2016-06-22 10:49:25 +02:00
|
|
|
dns_ipkeylist_init(&ipkl);
|
|
|
|
|
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(named_config_getipandkeylist(config, "primaries",
|
|
|
|
|
obj, mctx, &ipkl));
|
2022-11-22 11:55:49 +01:00
|
|
|
dns_zone_setalsonotify(zone, ipkl.addrs, ipkl.sources,
|
2023-01-05 22:18:55 -08:00
|
|
|
ipkl.keys, ipkl.tlss,
|
2021-10-06 13:41:21 +02:00
|
|
|
ipkl.count);
|
2016-05-26 21:23:19 +02:00
|
|
|
dns_ipkeylist_clear(mctx, &ipkl);
|
2000-07-25 20:26:11 +00:00
|
|
|
} else {
|
2023-01-05 22:18:55 -08:00
|
|
|
dns_zone_setalsonotify(zone, NULL, NULL, NULL, NULL, 0);
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2000-08-01 01:33:37 +00:00
|
|
|
|
2021-05-14 11:33:51 +02:00
|
|
|
obj = NULL;
|
|
|
|
|
result = named_config_get(maps, "parental-source", &obj);
|
|
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(dns_zone_setparentalsrc4(zone, cfg_obj_assockaddr(obj)));
|
2021-05-14 11:33:51 +02:00
|
|
|
|
|
|
|
|
obj = NULL;
|
|
|
|
|
result = named_config_get(maps, "parental-source-v6", &obj);
|
|
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(dns_zone_setparentalsrc6(zone, cfg_obj_assockaddr(obj)));
|
2021-05-14 11:33:51 +02:00
|
|
|
|
2001-03-04 21:21:39 +00:00
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "notify-source", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(dns_zone_setnotifysrc4(zone, cfg_obj_assockaddr(obj)));
|
2000-11-25 02:43:56 +00:00
|
|
|
|
2001-03-04 21:21:39 +00:00
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "notify-source-v6", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(dns_zone_setnotifysrc6(zone, cfg_obj_assockaddr(obj)));
|
2000-11-25 02:43:56 +00:00
|
|
|
|
2007-09-18 00:22:31 +00:00
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "notify-to-soa", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2007-09-18 00:22:31 +00:00
|
|
|
dns_zone_setoption(zone, DNS_ZONEOPT_NOTIFYTOSOA,
|
|
|
|
|
cfg_obj_asboolean(obj));
|
|
|
|
|
|
2017-09-08 13:39:09 -07:00
|
|
|
dns_zone_setisself(zone, isself, named_g_server->interfacemgr);
|
2005-02-10 05:53:43 +00:00
|
|
|
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(configure_zone_acl(
|
2008-05-21 23:17:21 +00:00
|
|
|
zconfig, vconfig, config, allow_transfer, ac, zone,
|
2000-05-25 19:27:48 +00:00
|
|
|
dns_zone_setxfracl, dns_zone_clearxfracl));
|
1999-12-16 23:11:07 +00:00
|
|
|
|
2001-03-04 21:21:39 +00:00
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "max-transfer-time-out", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2001-06-04 21:51:27 +00:00
|
|
|
dns_zone_setmaxxfrout(zone, cfg_obj_asuint32(obj) * 60);
|
1999-12-16 23:11:07 +00:00
|
|
|
|
2001-03-04 21:21:39 +00:00
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "max-transfer-idle-out", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2001-06-04 21:51:27 +00:00
|
|
|
dns_zone_setidleout(zone, cfg_obj_asuint32(obj) * 60);
|
2001-08-30 05:23:00 +00:00
|
|
|
|
|
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "max-journal-size", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2011-08-30 05:16:15 +00:00
|
|
|
if (raw != NULL) {
|
|
|
|
|
dns_zone_setjournalsize(raw, -1);
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2001-09-01 01:43:24 +00:00
|
|
|
dns_zone_setjournalsize(zone, -1);
|
|
|
|
|
if (cfg_obj_isstring(obj)) {
|
|
|
|
|
const char *str = cfg_obj_asstring(obj);
|
2017-05-02 13:23:08 -07:00
|
|
|
if (strcasecmp(str, "unlimited") == 0) {
|
|
|
|
|
journal_size = DNS_JOURNAL_SIZE_MAX;
|
|
|
|
|
} else {
|
|
|
|
|
INSIST(strcasecmp(str, "default") == 0);
|
|
|
|
|
journal_size = -1;
|
|
|
|
|
}
|
2001-09-01 01:43:24 +00:00
|
|
|
} else {
|
2022-11-13 11:04:30 +01:00
|
|
|
uint64_t value = cfg_obj_asuint64(obj);
|
2017-05-02 13:23:08 -07:00
|
|
|
if (value > DNS_JOURNAL_SIZE_MAX) {
|
2017-09-08 13:39:09 -07:00
|
|
|
cfg_obj_log(obj, named_g_lctx, ISC_LOG_ERROR,
|
2001-09-01 01:43:24 +00:00
|
|
|
"'max-journal-size "
|
2018-03-28 14:56:40 +02:00
|
|
|
"%" PRId64 "' "
|
2001-09-04 19:20:54 +00:00
|
|
|
"is too large",
|
2001-09-01 01:43:24 +00:00
|
|
|
value);
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(ISC_R_RANGE);
|
2001-08-30 05:23:00 +00:00
|
|
|
}
|
2018-03-28 14:19:37 +02:00
|
|
|
journal_size = (uint32_t)value;
|
2001-09-01 01:43:24 +00:00
|
|
|
}
|
2011-08-30 05:16:15 +00:00
|
|
|
if (raw != NULL) {
|
|
|
|
|
dns_zone_setjournalsize(raw, journal_size);
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2001-09-01 01:43:24 +00:00
|
|
|
dns_zone_setjournalsize(zone, journal_size);
|
2001-09-08 00:21:49 +00:00
|
|
|
|
|
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "ixfr-from-differences", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2017-12-15 01:47:05 -08:00
|
|
|
if (cfg_obj_isboolean(obj)) {
|
2004-10-14 00:49:34 +00:00
|
|
|
ixfrdiff = cfg_obj_asboolean(obj);
|
2017-12-15 10:01:07 -08:00
|
|
|
} else if ((strcasecmp(cfg_obj_asstring(obj), "primary") == 0 ||
|
|
|
|
|
strcasecmp(cfg_obj_asstring(obj), "master") == 0) &&
|
2021-08-25 22:29:25 -07:00
|
|
|
ztype == dns_zone_primary)
|
2017-12-15 01:47:05 -08:00
|
|
|
{
|
2018-04-17 08:29:14 -07:00
|
|
|
ixfrdiff = true;
|
2017-12-15 10:01:07 -08:00
|
|
|
} else if ((strcasecmp(cfg_obj_asstring(obj), "secondary") ==
|
|
|
|
|
0 ||
|
|
|
|
|
strcasecmp(cfg_obj_asstring(obj), "slave") == 0) &&
|
2021-08-25 22:29:25 -07:00
|
|
|
ztype == dns_zone_secondary)
|
2017-12-15 01:47:05 -08:00
|
|
|
{
|
2018-04-17 08:29:14 -07:00
|
|
|
ixfrdiff = true;
|
2017-12-15 01:47:05 -08:00
|
|
|
} else {
|
2018-04-17 08:29:14 -07:00
|
|
|
ixfrdiff = false;
|
2017-12-15 01:47:05 -08:00
|
|
|
}
|
2011-08-30 05:16:15 +00:00
|
|
|
if (raw != NULL) {
|
|
|
|
|
dns_zone_setoption(raw, DNS_ZONEOPT_IXFRFROMDIFFS,
|
2018-04-17 08:29:14 -07:00
|
|
|
true);
|
2011-08-30 05:16:15 +00:00
|
|
|
dns_zone_setoption(zone, DNS_ZONEOPT_IXFRFROMDIFFS,
|
2018-04-17 08:29:14 -07:00
|
|
|
false);
|
2011-08-30 05:16:15 +00:00
|
|
|
} else {
|
|
|
|
|
dns_zone_setoption(zone, DNS_ZONEOPT_IXFRFROMDIFFS,
|
|
|
|
|
ixfrdiff);
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2004-02-27 20:41:51 +00:00
|
|
|
|
2020-02-21 10:53:08 -08:00
|
|
|
obj = NULL;
|
|
|
|
|
result = named_config_get(maps, "max-ixfr-ratio", &obj);
|
|
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
|
|
|
|
if (cfg_obj_isstring(obj)) {
|
|
|
|
|
dns_zone_setixfrratio(zone, 0);
|
|
|
|
|
} else {
|
|
|
|
|
dns_zone_setixfrratio(zone, cfg_obj_aspercentage(obj));
|
|
|
|
|
}
|
|
|
|
|
|
2014-08-06 11:50:40 +10:00
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "request-expire", &obj);
|
2014-08-06 11:50:40 +10:00
|
|
|
INSIST(result == ISC_R_SUCCESS);
|
|
|
|
|
dns_zone_setrequestexpire(zone, cfg_obj_asboolean(obj));
|
|
|
|
|
|
2011-09-06 22:29:33 +00:00
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "request-ixfr", &obj);
|
2011-09-06 22:29:33 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS);
|
|
|
|
|
dns_zone_setrequestixfr(zone, cfg_obj_asboolean(obj));
|
|
|
|
|
|
2020-05-20 11:56:01 +10:00
|
|
|
obj = NULL;
|
2004-02-27 20:41:51 +00:00
|
|
|
checknames(ztype, maps, &obj);
|
|
|
|
|
INSIST(obj != NULL);
|
|
|
|
|
if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
|
2018-04-17 08:29:14 -07:00
|
|
|
fail = false;
|
|
|
|
|
check = true;
|
2004-02-27 20:41:51 +00:00
|
|
|
} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
|
2018-04-17 08:29:14 -07:00
|
|
|
fail = check = true;
|
2004-02-27 20:41:51 +00:00
|
|
|
} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
|
2018-04-17 08:29:14 -07:00
|
|
|
fail = check = false;
|
2018-11-07 15:00:07 +07:00
|
|
|
} else {
|
2021-10-11 12:50:17 +02:00
|
|
|
UNREACHABLE();
|
2018-11-07 15:00:07 +07:00
|
|
|
}
|
2011-08-30 05:16:15 +00:00
|
|
|
if (raw != NULL) {
|
|
|
|
|
dns_zone_setoption(raw, DNS_ZONEOPT_CHECKNAMES, check);
|
|
|
|
|
dns_zone_setoption(raw, DNS_ZONEOPT_CHECKNAMESFAIL,
|
|
|
|
|
fail);
|
|
|
|
|
dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMES, false);
|
|
|
|
|
dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMESFAIL,
|
2018-04-17 08:29:14 -07:00
|
|
|
false);
|
2011-08-30 05:16:15 +00:00
|
|
|
} else {
|
|
|
|
|
dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMES, check);
|
|
|
|
|
dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMESFAIL,
|
|
|
|
|
fail);
|
|
|
|
|
}
|
2005-01-11 23:10:06 +00:00
|
|
|
|
|
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "notify-delay", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2005-01-11 23:10:06 +00:00
|
|
|
dns_zone_setnotifydelay(zone, cfg_obj_asuint32(obj));
|
|
|
|
|
|
2005-08-24 23:54:04 +00:00
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "check-sibling", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2008-01-18 23:46:58 +00:00
|
|
|
dns_zone_setoption(zone, DNS_ZONEOPT_CHECKSIBLING,
|
2005-08-24 23:54:04 +00:00
|
|
|
cfg_obj_asboolean(obj));
|
2006-01-05 02:19:02 +00:00
|
|
|
|
2013-04-30 13:49:41 +10:00
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "check-spf", &obj);
|
2013-04-30 13:49:41 +10:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
|
|
|
|
if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
|
2018-04-17 08:29:14 -07:00
|
|
|
check = true;
|
2013-04-30 13:49:41 +10:00
|
|
|
} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
|
2018-04-17 08:29:14 -07:00
|
|
|
check = false;
|
2018-11-07 15:00:07 +07:00
|
|
|
} else {
|
2021-10-11 12:50:17 +02:00
|
|
|
UNREACHABLE();
|
2018-11-07 15:00:07 +07:00
|
|
|
}
|
2013-04-30 13:49:41 +10:00
|
|
|
dns_zone_setoption(zone, DNS_ZONEOPT_CHECKSPF, check);
|
|
|
|
|
|
2022-10-05 17:49:07 +11:00
|
|
|
obj = NULL;
|
|
|
|
|
result = named_config_get(maps, "check-svcb", &obj);
|
|
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
|
|
|
|
dns_zone_setoption(zone, DNS_ZONEOPT_CHECKSVCB,
|
|
|
|
|
cfg_obj_asboolean(obj));
|
|
|
|
|
|
2006-01-05 02:19:02 +00:00
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "zero-no-soa-ttl", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2006-01-05 02:19:02 +00:00
|
|
|
dns_zone_setzeronosoattl(zone, cfg_obj_asboolean(obj));
|
2008-09-24 02:46:23 +00:00
|
|
|
|
|
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "nsec3-test-zone", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2008-09-24 02:46:23 +00:00
|
|
|
dns_zone_setoption(zone, DNS_ZONEOPT_NSEC3TESTZONE,
|
|
|
|
|
cfg_obj_asboolean(obj));
|
2011-02-23 03:08:11 +00:00
|
|
|
} else if (ztype == dns_zone_redirect) {
|
|
|
|
|
dns_zone_setnotifytype(zone, dns_notifytype_no);
|
|
|
|
|
|
|
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "max-journal-size", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2011-02-23 03:08:11 +00:00
|
|
|
dns_zone_setjournalsize(zone, -1);
|
|
|
|
|
if (cfg_obj_isstring(obj)) {
|
|
|
|
|
const char *str = cfg_obj_asstring(obj);
|
2017-05-02 13:23:08 -07:00
|
|
|
if (strcasecmp(str, "unlimited") == 0) {
|
|
|
|
|
journal_size = DNS_JOURNAL_SIZE_MAX;
|
|
|
|
|
} else {
|
|
|
|
|
INSIST(strcasecmp(str, "default") == 0);
|
|
|
|
|
journal_size = -1;
|
|
|
|
|
}
|
2011-02-23 03:08:11 +00:00
|
|
|
} else {
|
2022-11-13 11:04:30 +01:00
|
|
|
uint64_t value = cfg_obj_asuint64(obj);
|
2017-05-02 13:23:08 -07:00
|
|
|
if (value > DNS_JOURNAL_SIZE_MAX) {
|
2017-09-08 13:39:09 -07:00
|
|
|
cfg_obj_log(obj, named_g_lctx, ISC_LOG_ERROR,
|
2011-02-23 03:08:11 +00:00
|
|
|
"'max-journal-size "
|
2018-03-28 14:56:40 +02:00
|
|
|
"%" PRId64 "' "
|
2011-02-23 03:08:11 +00:00
|
|
|
"is too large",
|
|
|
|
|
value);
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(ISC_R_RANGE);
|
2011-02-23 03:08:11 +00:00
|
|
|
}
|
2018-03-28 14:19:37 +02:00
|
|
|
journal_size = (uint32_t)value;
|
2011-02-23 03:08:11 +00:00
|
|
|
}
|
|
|
|
|
dns_zone_setjournalsize(zone, journal_size);
|
2000-05-25 19:27:48 +00:00
|
|
|
}
|
1999-12-16 23:11:07 +00:00
|
|
|
|
2022-07-13 10:28:59 +02:00
|
|
|
if (use_kasp) {
|
|
|
|
|
maxttl = dns_kasp_zonemaxttl(dns_zone_getkasp(zone));
|
|
|
|
|
} else {
|
|
|
|
|
obj = NULL;
|
|
|
|
|
result = named_config_get(maps, "max-zone-ttl", &obj);
|
|
|
|
|
if (result == ISC_R_SUCCESS) {
|
|
|
|
|
if (cfg_obj_isduration(obj)) {
|
|
|
|
|
maxttl = cfg_obj_asduration(obj);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
dns_zone_setmaxttl(zone, maxttl);
|
|
|
|
|
if (raw != NULL) {
|
|
|
|
|
dns_zone_setmaxttl(raw, maxttl);
|
|
|
|
|
}
|
|
|
|
|
|
2000-05-25 19:27:48 +00:00
|
|
|
/*
|
|
|
|
|
* Configure update-related options. These apply to
|
2020-06-17 02:02:27 -07:00
|
|
|
* primary servers only.
|
2000-05-25 19:27:48 +00:00
|
|
|
*/
|
2021-08-25 22:29:25 -07:00
|
|
|
if (ztype == dns_zone_primary) {
|
2000-12-01 18:22:17 +00:00
|
|
|
dns_acl_t *updateacl;
|
2009-06-10 00:27:22 +00:00
|
|
|
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(configure_zone_acl(zconfig, vconfig, config, allow_update,
|
|
|
|
|
ac, mayberaw, dns_zone_setupdateacl,
|
|
|
|
|
dns_zone_clearupdateacl));
|
2008-01-18 23:46:58 +00:00
|
|
|
|
2011-08-30 05:16:15 +00:00
|
|
|
updateacl = dns_zone_getupdateacl(mayberaw);
|
2000-12-01 18:22:17 +00:00
|
|
|
if (updateacl != NULL && dns_acl_isinsecure(updateacl)) {
|
2017-09-08 13:39:09 -07:00
|
|
|
isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
|
|
|
|
|
NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
|
2016-12-27 09:49:02 +11:00
|
|
|
"zone '%s' allows unsigned updates "
|
|
|
|
|
"from remote hosts, which is insecure",
|
2001-03-04 21:21:39 +00:00
|
|
|
zname);
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2008-01-18 23:46:58 +00:00
|
|
|
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(configure_zone_ssutable(zoptions, mayberaw, zname));
|
2011-08-30 05:16:15 +00:00
|
|
|
}
|
|
|
|
|
|
2022-06-17 10:29:51 +02:00
|
|
|
/*
|
|
|
|
|
* Configure DNSSEC signing. These apply to primary zones or zones that
|
|
|
|
|
* use inline-signing (raw != NULL).
|
|
|
|
|
*/
|
2021-08-25 22:29:25 -07:00
|
|
|
if (ztype == dns_zone_primary || raw != NULL) {
|
2018-05-03 16:43:15 +10:00
|
|
|
const cfg_obj_t *validity, *resign;
|
2018-04-17 08:29:14 -07:00
|
|
|
bool allow = false, maint = false;
|
|
|
|
|
bool sigvalinsecs;
|
2001-03-04 21:21:39 +00:00
|
|
|
|
2020-12-03 15:01:42 +01:00
|
|
|
if (use_kasp) {
|
2020-10-13 14:39:21 +02:00
|
|
|
if (dns_kasp_nsec3(kasp)) {
|
2020-11-05 11:12:24 +01:00
|
|
|
result = dns_zone_setnsec3param(
|
2020-10-13 14:39:21 +02:00
|
|
|
zone, 1, dns_kasp_nsec3flags(kasp),
|
|
|
|
|
dns_kasp_nsec3iter(kasp),
|
2020-11-05 11:12:24 +01:00
|
|
|
dns_kasp_nsec3saltlen(kasp), NULL, true,
|
|
|
|
|
false);
|
2020-10-13 14:39:21 +02:00
|
|
|
} else {
|
2020-11-05 11:12:24 +01:00
|
|
|
result = dns_zone_setnsec3param(
|
|
|
|
|
zone, 0, 0, 0, 0, NULL, true, false);
|
2020-10-13 14:39:21 +02:00
|
|
|
}
|
|
|
|
|
INSIST(result == ISC_R_SUCCESS);
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-03 15:01:42 +01:00
|
|
|
if (use_kasp) {
|
2019-10-17 11:38:56 +02:00
|
|
|
seconds = (uint32_t)dns_kasp_sigvalidity_dnskey(kasp);
|
|
|
|
|
} else {
|
|
|
|
|
obj = NULL;
|
|
|
|
|
result = named_config_get(maps, "dnskey-sig-validity",
|
|
|
|
|
&obj);
|
|
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
|
|
|
|
seconds = cfg_obj_asuint32(obj) * 86400;
|
|
|
|
|
}
|
2018-03-12 22:14:26 -07:00
|
|
|
dns_zone_setkeyvalidityinterval(zone, seconds);
|
|
|
|
|
|
2020-12-03 15:01:42 +01:00
|
|
|
if (use_kasp) {
|
2019-10-17 11:38:56 +02:00
|
|
|
seconds = (uint32_t)dns_kasp_sigvalidity(kasp);
|
|
|
|
|
dns_zone_setsigvalidityinterval(zone, seconds);
|
|
|
|
|
seconds = (uint32_t)dns_kasp_sigrefresh(kasp);
|
|
|
|
|
dns_zone_setsigresigninginterval(zone, seconds);
|
|
|
|
|
} else {
|
|
|
|
|
obj = NULL;
|
|
|
|
|
result = named_config_get(maps, "sig-validity-interval",
|
|
|
|
|
&obj);
|
|
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
|
|
|
|
|
|
|
|
|
sigvalinsecs = ns_server_getoption(
|
|
|
|
|
named_g_server->sctx, NS_SERVER_SIGVALINSECS);
|
|
|
|
|
validity = cfg_tuple_get(obj, "validity");
|
|
|
|
|
seconds = cfg_obj_asuint32(validity);
|
|
|
|
|
if (!sigvalinsecs) {
|
|
|
|
|
seconds *= 86400;
|
|
|
|
|
}
|
|
|
|
|
dns_zone_setsigvalidityinterval(zone, seconds);
|
|
|
|
|
|
|
|
|
|
resign = cfg_tuple_get(obj, "re-sign");
|
|
|
|
|
if (cfg_obj_isvoid(resign)) {
|
|
|
|
|
seconds /= 4;
|
|
|
|
|
} else if (!sigvalinsecs) {
|
Fix re-signing when `sig-validity-interval` has two arguments
Since October 2019 I have had complaints from `dnssec-cds` reporting
that the signatures on some of my test zones had expired. These were
zones signed by BIND 9.15 or 9.17, with a DNSKEY TTL of 24h and
`sig-validity-interval 10 8`.
This is the same setup we have used for our production zones since
2015, which is intended to re-sign the zones every 2 days, keeping
at least 8 days signature validity. The SOA expire interval is 7
days, so even in the presence of zone transfer problems, no-one
should ever see expired signatures. (These timers are a bit too
tight to be completely correct, because I should have increased
the expiry timers when I increased the DNSKEY TTLs from 1h to 24h.
But that should only matter when zone transfers are broken, which
was not the case for the error reports that led to this patch.)
For example, this morning my test zone contained:
dev.dns.cam.ac.uk. 86400 IN RRSIG DNSKEY 13 5 86400 (
20200701221418 20200621213022 ...)
But one of my resolvers had cached:
dev.dns.cam.ac.uk. 21424 IN RRSIG DNSKEY 13 5 86400 (
20200622063022 20200612061136 ...)
This TTL was captured at 20200622105807 so the resolver cached the
RRset 64976 seconds previously (18h02m56s), at 20200621165511
only about 12h before expiry.
The other symptom of this error was incorrect `resign` times in
the output from `rndc zonestatus`.
For example, I have configured a test zone
zone fast.dotat.at {
file "../u/z/fast.dotat.at";
type primary;
auto-dnssec maintain;
sig-validity-interval 500 499;
};
The zone is reset to a minimal zone containing only SOA and NS
records, and when `named` starts it loads and signs the zone. After
that, `rndc zonestatus` reports:
next resign node: fast.dotat.at/NS
next resign time: Fri, 28 May 2021 12:48:47 GMT
The resign time should be within the next 24h, but instead it is
near the signature expiry time, which the RRSIG(NS) says is
20210618074847. (Note 499 hours is a bit more than 20 days.)
May/June 2021 is less than 500 days from now because expiry time
jitter is applied to the NS records.
Using this test I bisected this bug to 09990672d which contained a
mistake leading to the resigning interval always being calculated in
hours, when days are expected.
This bug only occurs for configurations that use the two-argument form
of `sig-validity-interval`.
2020-06-22 20:23:29 +01:00
|
|
|
uint32_t r = cfg_obj_asuint32(resign);
|
2019-10-17 11:38:56 +02:00
|
|
|
if (seconds > 7 * 86400) {
|
Fix re-signing when `sig-validity-interval` has two arguments
Since October 2019 I have had complaints from `dnssec-cds` reporting
that the signatures on some of my test zones had expired. These were
zones signed by BIND 9.15 or 9.17, with a DNSKEY TTL of 24h and
`sig-validity-interval 10 8`.
This is the same setup we have used for our production zones since
2015, which is intended to re-sign the zones every 2 days, keeping
at least 8 days signature validity. The SOA expire interval is 7
days, so even in the presence of zone transfer problems, no-one
should ever see expired signatures. (These timers are a bit too
tight to be completely correct, because I should have increased
the expiry timers when I increased the DNSKEY TTLs from 1h to 24h.
But that should only matter when zone transfers are broken, which
was not the case for the error reports that led to this patch.)
For example, this morning my test zone contained:
dev.dns.cam.ac.uk. 86400 IN RRSIG DNSKEY 13 5 86400 (
20200701221418 20200621213022 ...)
But one of my resolvers had cached:
dev.dns.cam.ac.uk. 21424 IN RRSIG DNSKEY 13 5 86400 (
20200622063022 20200612061136 ...)
This TTL was captured at 20200622105807 so the resolver cached the
RRset 64976 seconds previously (18h02m56s), at 20200621165511
only about 12h before expiry.
The other symptom of this error was incorrect `resign` times in
the output from `rndc zonestatus`.
For example, I have configured a test zone
zone fast.dotat.at {
file "../u/z/fast.dotat.at";
type primary;
auto-dnssec maintain;
sig-validity-interval 500 499;
};
The zone is reset to a minimal zone containing only SOA and NS
records, and when `named` starts it loads and signs the zone. After
that, `rndc zonestatus` reports:
next resign node: fast.dotat.at/NS
next resign time: Fri, 28 May 2021 12:48:47 GMT
The resign time should be within the next 24h, but instead it is
near the signature expiry time, which the RRSIG(NS) says is
20210618074847. (Note 499 hours is a bit more than 20 days.)
May/June 2021 is less than 500 days from now because expiry time
jitter is applied to the NS records.
Using this test I bisected this bug to 09990672d which contained a
mistake leading to the resigning interval always being calculated in
hours, when days are expected.
This bug only occurs for configurations that use the two-argument form
of `sig-validity-interval`.
2020-06-22 20:23:29 +01:00
|
|
|
seconds = r * 86400;
|
2019-10-17 11:38:56 +02:00
|
|
|
} else {
|
Fix re-signing when `sig-validity-interval` has two arguments
Since October 2019 I have had complaints from `dnssec-cds` reporting
that the signatures on some of my test zones had expired. These were
zones signed by BIND 9.15 or 9.17, with a DNSKEY TTL of 24h and
`sig-validity-interval 10 8`.
This is the same setup we have used for our production zones since
2015, which is intended to re-sign the zones every 2 days, keeping
at least 8 days signature validity. The SOA expire interval is 7
days, so even in the presence of zone transfer problems, no-one
should ever see expired signatures. (These timers are a bit too
tight to be completely correct, because I should have increased
the expiry timers when I increased the DNSKEY TTLs from 1h to 24h.
But that should only matter when zone transfers are broken, which
was not the case for the error reports that led to this patch.)
For example, this morning my test zone contained:
dev.dns.cam.ac.uk. 86400 IN RRSIG DNSKEY 13 5 86400 (
20200701221418 20200621213022 ...)
But one of my resolvers had cached:
dev.dns.cam.ac.uk. 21424 IN RRSIG DNSKEY 13 5 86400 (
20200622063022 20200612061136 ...)
This TTL was captured at 20200622105807 so the resolver cached the
RRset 64976 seconds previously (18h02m56s), at 20200621165511
only about 12h before expiry.
The other symptom of this error was incorrect `resign` times in
the output from `rndc zonestatus`.
For example, I have configured a test zone
zone fast.dotat.at {
file "../u/z/fast.dotat.at";
type primary;
auto-dnssec maintain;
sig-validity-interval 500 499;
};
The zone is reset to a minimal zone containing only SOA and NS
records, and when `named` starts it loads and signs the zone. After
that, `rndc zonestatus` reports:
next resign node: fast.dotat.at/NS
next resign time: Fri, 28 May 2021 12:48:47 GMT
The resign time should be within the next 24h, but instead it is
near the signature expiry time, which the RRSIG(NS) says is
20210618074847. (Note 499 hours is a bit more than 20 days.)
May/June 2021 is less than 500 days from now because expiry time
jitter is applied to the NS records.
Using this test I bisected this bug to 09990672d which contained a
mistake leading to the resigning interval always being calculated in
hours, when days are expected.
This bug only occurs for configurations that use the two-argument form
of `sig-validity-interval`.
2020-06-22 20:23:29 +01:00
|
|
|
seconds = r * 3600;
|
2019-10-17 11:38:56 +02:00
|
|
|
}
|
2008-04-02 02:37:42 +00:00
|
|
|
} else {
|
2019-10-17 11:38:56 +02:00
|
|
|
seconds = cfg_obj_asuint32(resign);
|
2008-04-02 02:37:42 +00:00
|
|
|
}
|
2019-10-17 11:38:56 +02:00
|
|
|
dns_zone_setsigresigninginterval(zone, seconds);
|
2008-04-02 02:37:42 +00:00
|
|
|
}
|
2002-01-21 11:00:25 +00:00
|
|
|
|
|
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "key-directory", &obj);
|
2002-01-21 11:00:25 +00:00
|
|
|
if (result == ISC_R_SUCCESS) {
|
|
|
|
|
filename = cfg_obj_asstring(obj);
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(dns_zone_setkeydirectory(zone, filename));
|
2002-01-21 11:00:25 +00:00
|
|
|
}
|
2005-05-19 04:59:05 +00:00
|
|
|
|
2008-04-02 02:37:42 +00:00
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "sig-signing-signatures", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2008-04-02 02:37:42 +00:00
|
|
|
dns_zone_setsignatures(zone, cfg_obj_asuint32(obj));
|
|
|
|
|
|
|
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "sig-signing-nodes", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2008-04-02 02:37:42 +00:00
|
|
|
dns_zone_setnodes(zone, cfg_obj_asuint32(obj));
|
|
|
|
|
|
|
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "sig-signing-type", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2008-04-02 02:37:42 +00:00
|
|
|
dns_zone_setprivatetype(zone, cfg_obj_asuint32(obj));
|
|
|
|
|
|
|
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "update-check-ksk", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2008-04-02 02:37:42 +00:00
|
|
|
dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK,
|
|
|
|
|
cfg_obj_asboolean(obj));
|
2019-10-17 11:38:56 +02:00
|
|
|
/*
|
|
|
|
|
* This setting will be ignored if dnssec-policy is used.
|
|
|
|
|
* named-checkconf will error if both are configured.
|
|
|
|
|
*/
|
2008-04-02 02:37:42 +00:00
|
|
|
|
2009-10-10 01:48:00 +00:00
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "dnssec-dnskey-kskonly", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2009-10-10 01:48:00 +00:00
|
|
|
dns_zone_setoption(zone, DNS_ZONEOPT_DNSKEYKSKONLY,
|
|
|
|
|
cfg_obj_asboolean(obj));
|
2019-10-17 11:38:56 +02:00
|
|
|
/*
|
|
|
|
|
* This setting will be ignored if dnssec-policy is used.
|
|
|
|
|
* named-checkconf will error if both are configured.
|
|
|
|
|
*/
|
2011-04-29 21:37:15 +00:00
|
|
|
|
|
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "dnssec-loadkeys-interval",
|
|
|
|
|
&obj);
|
2011-04-29 21:37:15 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(dns_zone_setrefreshkeyinterval(zone,
|
|
|
|
|
cfg_obj_asuint32(obj)));
|
2011-08-30 05:16:15 +00:00
|
|
|
|
|
|
|
|
obj = NULL;
|
|
|
|
|
result = cfg_map_get(zoptions, "auto-dnssec", &obj);
|
2021-04-21 16:09:06 +02:00
|
|
|
if (kasp != NULL) {
|
|
|
|
|
bool s2i = (strcmp(dns_kasp_getname(kasp),
|
|
|
|
|
"insecure") != 0);
|
2019-10-17 11:38:56 +02:00
|
|
|
dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, true);
|
2021-04-21 16:09:06 +02:00
|
|
|
dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, !s2i);
|
2019-10-17 11:38:56 +02:00
|
|
|
dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, true);
|
|
|
|
|
} else if (result == ISC_R_SUCCESS) {
|
2011-08-30 05:16:15 +00:00
|
|
|
const char *arg = cfg_obj_asstring(obj);
|
2018-11-07 15:00:07 +07:00
|
|
|
if (strcasecmp(arg, "allow") == 0) {
|
2018-04-17 08:29:14 -07:00
|
|
|
allow = true;
|
2018-11-07 15:00:07 +07:00
|
|
|
} else if (strcasecmp(arg, "maintain") == 0) {
|
2018-04-17 08:29:14 -07:00
|
|
|
allow = maint = true;
|
2018-11-07 15:00:07 +07:00
|
|
|
} else if (strcasecmp(arg, "off") == 0) {
|
2020-03-09 18:23:13 -07:00
|
|
|
/* Default */
|
2018-11-07 15:00:07 +07:00
|
|
|
} else {
|
2021-10-11 12:50:17 +02:00
|
|
|
UNREACHABLE();
|
2018-11-07 15:00:07 +07:00
|
|
|
}
|
2011-08-30 05:16:15 +00:00
|
|
|
dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, allow);
|
2019-10-17 11:38:56 +02:00
|
|
|
dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, false);
|
2011-08-30 05:16:15 +00:00
|
|
|
dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, maint);
|
|
|
|
|
}
|
2011-08-30 23:46:53 +00:00
|
|
|
}
|
2011-08-30 05:16:15 +00:00
|
|
|
|
2021-08-25 22:29:25 -07:00
|
|
|
if (ztype == dns_zone_secondary || ztype == dns_zone_mirror) {
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(configure_zone_acl(zconfig, vconfig, config,
|
|
|
|
|
allow_update_forwarding, ac, mayberaw,
|
|
|
|
|
dns_zone_setforwardacl,
|
|
|
|
|
dns_zone_clearforwardacl));
|
2008-04-02 02:37:42 +00:00
|
|
|
}
|
|
|
|
|
|
2021-05-11 14:46:38 +02:00
|
|
|
/*%
|
|
|
|
|
* Configure parental agents, applies to primary and secondary zones.
|
|
|
|
|
*/
|
2021-08-25 22:29:25 -07:00
|
|
|
if (ztype == dns_zone_primary || ztype == dns_zone_secondary) {
|
2021-05-11 14:46:38 +02:00
|
|
|
obj = NULL;
|
|
|
|
|
(void)cfg_map_get(zoptions, "parental-agents", &obj);
|
|
|
|
|
if (obj != NULL) {
|
|
|
|
|
dns_ipkeylist_t ipkl;
|
|
|
|
|
dns_ipkeylist_init(&ipkl);
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(named_config_getipandkeylist(
|
2021-05-11 14:46:38 +02:00
|
|
|
config, "parental-agents", obj, mctx, &ipkl));
|
2022-11-22 11:55:49 +01:00
|
|
|
dns_zone_setparentals(zone, ipkl.addrs, ipkl.sources,
|
|
|
|
|
ipkl.keys, ipkl.tlss, ipkl.count);
|
2021-05-11 14:46:38 +02:00
|
|
|
dns_ipkeylist_clear(mctx, &ipkl);
|
|
|
|
|
} else {
|
2022-11-22 11:55:49 +01:00
|
|
|
dns_zone_setparentals(zone, NULL, NULL, NULL, NULL, 0);
|
2021-05-11 14:46:38 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2008-04-02 02:37:42 +00:00
|
|
|
/*%
|
2021-10-05 11:07:44 +02:00
|
|
|
* Configure primary zone functionality.
|
2008-04-02 02:37:42 +00:00
|
|
|
*/
|
2021-08-25 22:29:25 -07:00
|
|
|
if (ztype == dns_zone_primary) {
|
2005-01-09 23:40:04 +00:00
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "check-wildcard", &obj);
|
2005-01-09 23:40:04 +00:00
|
|
|
if (result == ISC_R_SUCCESS) {
|
|
|
|
|
check = cfg_obj_asboolean(obj);
|
|
|
|
|
} else {
|
2018-04-17 08:29:14 -07:00
|
|
|
check = false;
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2011-08-30 05:16:15 +00:00
|
|
|
dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKWILDCARD, check);
|
2005-05-19 04:59:05 +00:00
|
|
|
|
2009-12-04 21:09:34 +00:00
|
|
|
obj = NULL;
|
2021-09-16 11:46:13 +02:00
|
|
|
result = named_config_get(maps, "check-dup-records", &obj);
|
|
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
|
|
|
|
dupcheck = cfg_obj_asstring(obj);
|
2012-06-20 14:13:12 -05:00
|
|
|
if (strcasecmp(dupcheck, "warn") == 0) {
|
2018-04-17 08:29:14 -07:00
|
|
|
fail = false;
|
|
|
|
|
check = true;
|
2012-06-20 14:13:12 -05:00
|
|
|
} else if (strcasecmp(dupcheck, "fail") == 0) {
|
2018-04-17 08:29:14 -07:00
|
|
|
fail = check = true;
|
2012-06-20 14:13:12 -05:00
|
|
|
} else if (strcasecmp(dupcheck, "ignore") == 0) {
|
2018-04-17 08:29:14 -07:00
|
|
|
fail = check = false;
|
2018-11-07 15:00:07 +07:00
|
|
|
} else {
|
2021-10-11 12:50:17 +02:00
|
|
|
UNREACHABLE();
|
2018-11-07 15:00:07 +07:00
|
|
|
}
|
2011-08-30 05:16:15 +00:00
|
|
|
dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKDUPRR, check);
|
|
|
|
|
dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKDUPRRFAIL, fail);
|
2009-12-04 21:09:34 +00:00
|
|
|
|
2005-05-19 04:59:05 +00:00
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "check-mx", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2005-05-19 04:59:05 +00:00
|
|
|
if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
|
2018-04-17 08:29:14 -07:00
|
|
|
fail = false;
|
|
|
|
|
check = true;
|
2005-05-19 04:59:05 +00:00
|
|
|
} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
|
2018-04-17 08:29:14 -07:00
|
|
|
fail = check = true;
|
2005-05-19 04:59:05 +00:00
|
|
|
} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
|
2018-04-17 08:29:14 -07:00
|
|
|
fail = check = false;
|
2018-11-07 15:00:07 +07:00
|
|
|
} else {
|
2021-10-11 12:50:17 +02:00
|
|
|
UNREACHABLE();
|
2018-11-07 15:00:07 +07:00
|
|
|
}
|
2011-08-30 05:16:15 +00:00
|
|
|
dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKMX, check);
|
|
|
|
|
dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKMXFAIL, fail);
|
2005-05-19 04:59:05 +00:00
|
|
|
|
|
|
|
|
obj = NULL;
|
2021-09-16 11:46:13 +02:00
|
|
|
result = named_config_get(maps, "check-integrity", &obj);
|
|
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
|
|
|
|
dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKINTEGRITY,
|
|
|
|
|
cfg_obj_asboolean(obj));
|
2006-01-05 23:45:34 +00:00
|
|
|
|
|
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "check-mx-cname", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2006-01-05 23:45:34 +00:00
|
|
|
if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
|
2018-04-17 08:29:14 -07:00
|
|
|
warn = true;
|
|
|
|
|
ignore = false;
|
2006-01-05 23:45:34 +00:00
|
|
|
} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
|
2018-04-17 08:29:14 -07:00
|
|
|
warn = ignore = false;
|
2006-01-05 23:45:34 +00:00
|
|
|
} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
|
2018-04-17 08:29:14 -07:00
|
|
|
warn = ignore = true;
|
2018-11-07 15:00:07 +07:00
|
|
|
} else {
|
2021-10-11 12:50:17 +02:00
|
|
|
UNREACHABLE();
|
2018-11-07 15:00:07 +07:00
|
|
|
}
|
2011-08-30 05:16:15 +00:00
|
|
|
dns_zone_setoption(mayberaw, DNS_ZONEOPT_WARNMXCNAME, warn);
|
|
|
|
|
dns_zone_setoption(mayberaw, DNS_ZONEOPT_IGNOREMXCNAME, ignore);
|
2006-01-05 23:45:34 +00:00
|
|
|
|
|
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "check-srv-cname", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2006-01-05 23:45:34 +00:00
|
|
|
if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
|
2018-04-17 08:29:14 -07:00
|
|
|
warn = true;
|
|
|
|
|
ignore = false;
|
2006-01-05 23:45:34 +00:00
|
|
|
} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
|
2018-04-17 08:29:14 -07:00
|
|
|
warn = ignore = false;
|
2006-01-05 23:45:34 +00:00
|
|
|
} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
|
2018-04-17 08:29:14 -07:00
|
|
|
warn = ignore = true;
|
2018-11-07 15:00:07 +07:00
|
|
|
} else {
|
2021-10-11 12:50:17 +02:00
|
|
|
UNREACHABLE();
|
2018-11-07 15:00:07 +07:00
|
|
|
}
|
2011-08-30 05:16:15 +00:00
|
|
|
dns_zone_setoption(mayberaw, DNS_ZONEOPT_WARNSRVCNAME, warn);
|
|
|
|
|
dns_zone_setoption(mayberaw, DNS_ZONEOPT_IGNORESRVCNAME,
|
|
|
|
|
ignore);
|
2009-10-08 23:13:07 +00:00
|
|
|
|
2011-05-23 20:10:03 +00:00
|
|
|
obj = NULL;
|
|
|
|
|
result = cfg_map_get(zoptions, "dnssec-update-mode", &obj);
|
|
|
|
|
if (result == ISC_R_SUCCESS) {
|
|
|
|
|
const char *arg = cfg_obj_asstring(obj);
|
2018-11-07 15:00:07 +07:00
|
|
|
if (strcasecmp(arg, "no-resign") == 0) {
|
2011-05-23 20:10:03 +00:00
|
|
|
dns_zone_setkeyopt(zone, DNS_ZONEKEY_NORESIGN,
|
2018-04-17 08:29:14 -07:00
|
|
|
true);
|
2018-11-07 15:00:07 +07:00
|
|
|
} else if (strcasecmp(arg, "maintain") == 0) {
|
2020-03-09 18:23:13 -07:00
|
|
|
/* Default */
|
2018-11-07 15:00:07 +07:00
|
|
|
} else {
|
2021-10-11 12:50:17 +02:00
|
|
|
UNREACHABLE();
|
2018-11-07 15:00:07 +07:00
|
|
|
}
|
2009-10-12 23:48:02 +00:00
|
|
|
}
|
2011-07-01 02:25:48 +00:00
|
|
|
|
|
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "serial-update-method", &obj);
|
2011-07-01 02:25:48 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
|
|
|
|
if (strcasecmp(cfg_obj_asstring(obj), "unixtime") == 0) {
|
|
|
|
|
dns_zone_setserialupdatemethod(
|
|
|
|
|
zone, dns_updatemethod_unixtime);
|
2014-04-17 16:05:50 -07:00
|
|
|
} else if (strcasecmp(cfg_obj_asstring(obj), "date") == 0) {
|
|
|
|
|
dns_zone_setserialupdatemethod(zone,
|
|
|
|
|
dns_updatemethod_date);
|
2011-07-01 02:25:48 +00:00
|
|
|
} else {
|
|
|
|
|
dns_zone_setserialupdatemethod(
|
|
|
|
|
zone, dns_updatemethod_increment);
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2000-05-25 19:27:48 +00:00
|
|
|
}
|
2000-03-06 19:06:07 +00:00
|
|
|
|
2000-05-25 19:27:48 +00:00
|
|
|
/*
|
2021-10-05 11:07:44 +02:00
|
|
|
* Configure secondary zone functionality.
|
2000-05-25 19:27:48 +00:00
|
|
|
*/
|
2001-03-04 21:21:39 +00:00
|
|
|
switch (ztype) {
|
2018-10-09 10:54:51 +02:00
|
|
|
case dns_zone_mirror:
|
2018-10-09 10:54:51 +02:00
|
|
|
/*
|
|
|
|
|
* Disable outgoing zone transfers for mirror zones unless they
|
|
|
|
|
* are explicitly enabled by zone configuration.
|
|
|
|
|
*/
|
|
|
|
|
obj = NULL;
|
|
|
|
|
(void)cfg_map_get(zoptions, "allow-transfer", &obj);
|
|
|
|
|
if (obj == NULL) {
|
|
|
|
|
dns_acl_t *none;
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(dns_acl_none(mctx, &none));
|
2018-10-09 10:54:51 +02:00
|
|
|
dns_zone_setxfracl(zone, none);
|
|
|
|
|
dns_acl_detach(&none);
|
|
|
|
|
}
|
2021-10-11 12:09:16 +02:00
|
|
|
FALLTHROUGH;
|
2021-08-25 22:29:25 -07:00
|
|
|
case dns_zone_secondary:
|
2001-03-04 21:21:39 +00:00
|
|
|
case dns_zone_stub:
|
2011-02-23 03:08:11 +00:00
|
|
|
case dns_zone_redirect:
|
2005-11-30 03:33:49 +00:00
|
|
|
count = 0;
|
2001-03-04 21:21:39 +00:00
|
|
|
obj = NULL;
|
2020-06-17 02:02:27 -07:00
|
|
|
(void)cfg_map_get(zoptions, "primaries", &obj);
|
|
|
|
|
if (obj == NULL) {
|
|
|
|
|
(void)cfg_map_get(zoptions, "masters", &obj);
|
|
|
|
|
}
|
|
|
|
|
|
2018-10-09 10:54:51 +02:00
|
|
|
/*
|
2020-06-17 02:02:27 -07:00
|
|
|
* Use the built-in primary server list if one was not
|
2018-10-09 10:54:51 +02:00
|
|
|
* explicitly specified and this is a root zone mirror.
|
|
|
|
|
*/
|
|
|
|
|
if (obj == NULL && ztype == dns_zone_mirror &&
|
|
|
|
|
dns_name_equal(dns_zone_getorigin(zone), dns_rootname))
|
|
|
|
|
{
|
2021-05-11 14:43:02 +02:00
|
|
|
result = named_config_getremotesdef(
|
|
|
|
|
named_g_config, "primaries",
|
2020-06-17 02:02:27 -07:00
|
|
|
DEFAULT_IANA_ROOT_ZONE_PRIMARIES, &obj);
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(result);
|
2018-10-09 10:54:51 +02:00
|
|
|
}
|
2001-03-04 21:21:39 +00:00
|
|
|
if (obj != NULL) {
|
2016-05-26 21:23:19 +02:00
|
|
|
dns_ipkeylist_t ipkl;
|
2016-06-22 10:49:25 +02:00
|
|
|
dns_ipkeylist_init(&ipkl);
|
|
|
|
|
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(named_config_getipandkeylist(config, "primaries",
|
|
|
|
|
obj, mctx, &ipkl));
|
2022-11-22 11:55:49 +01:00
|
|
|
dns_zone_setprimaries(mayberaw, ipkl.addrs,
|
|
|
|
|
ipkl.sources, ipkl.keys,
|
2021-10-06 13:41:21 +02:00
|
|
|
ipkl.tlss, ipkl.count);
|
2018-02-15 14:56:13 +11:00
|
|
|
count = ipkl.count;
|
2016-05-26 21:23:19 +02:00
|
|
|
dns_ipkeylist_clear(mctx, &ipkl);
|
2011-08-30 23:46:53 +00:00
|
|
|
} else {
|
2022-11-22 11:55:49 +01:00
|
|
|
dns_zone_setprimaries(mayberaw, NULL, NULL, NULL, NULL,
|
|
|
|
|
0);
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
1999-12-16 23:11:07 +00:00
|
|
|
|
2018-04-17 08:29:14 -07:00
|
|
|
multi = false;
|
2002-07-29 06:58:46 +00:00
|
|
|
if (count > 1) {
|
|
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "multi-master", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2002-07-29 06:58:46 +00:00
|
|
|
multi = cfg_obj_asboolean(obj);
|
|
|
|
|
}
|
2011-08-30 05:16:15 +00:00
|
|
|
dns_zone_setoption(mayberaw, DNS_ZONEOPT_MULTIMASTER, multi);
|
2002-07-29 06:58:46 +00:00
|
|
|
|
2001-03-04 21:21:39 +00:00
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "max-transfer-time-in", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2011-08-30 05:16:15 +00:00
|
|
|
dns_zone_setmaxxfrin(mayberaw, cfg_obj_asuint32(obj) * 60);
|
2000-01-31 19:53:14 +00:00
|
|
|
|
2001-03-04 21:21:39 +00:00
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "max-transfer-idle-in", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2011-08-30 05:16:15 +00:00
|
|
|
dns_zone_setidlein(mayberaw, cfg_obj_asuint32(obj) * 60);
|
1999-12-16 23:11:07 +00:00
|
|
|
|
2001-03-04 21:21:39 +00:00
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "max-refresh-time", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2011-08-30 05:16:15 +00:00
|
|
|
dns_zone_setmaxrefreshtime(mayberaw, cfg_obj_asuint32(obj));
|
2000-08-02 22:29:16 +00:00
|
|
|
|
2001-03-04 21:21:39 +00:00
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "min-refresh-time", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2011-08-30 05:16:15 +00:00
|
|
|
dns_zone_setminrefreshtime(mayberaw, cfg_obj_asuint32(obj));
|
2000-08-02 22:29:16 +00:00
|
|
|
|
2001-03-04 21:21:39 +00:00
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "max-retry-time", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2011-08-30 05:16:15 +00:00
|
|
|
dns_zone_setmaxretrytime(mayberaw, cfg_obj_asuint32(obj));
|
2000-08-02 22:29:16 +00:00
|
|
|
|
2001-03-04 21:21:39 +00:00
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "min-retry-time", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2011-08-30 05:16:15 +00:00
|
|
|
dns_zone_setminretrytime(mayberaw, cfg_obj_asuint32(obj));
|
2000-08-02 22:29:16 +00:00
|
|
|
|
2001-10-11 01:55:03 +00:00
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "transfer-source", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(dns_zone_setxfrsource4(mayberaw,
|
|
|
|
|
cfg_obj_assockaddr(obj)));
|
2001-10-11 01:55:03 +00:00
|
|
|
|
|
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
result = named_config_get(maps, "transfer-source-v6", &obj);
|
2011-03-11 06:11:27 +00:00
|
|
|
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(dns_zone_setxfrsource6(mayberaw,
|
|
|
|
|
cfg_obj_assockaddr(obj)));
|
2003-02-26 23:29:00 +00:00
|
|
|
|
2006-06-04 23:17:07 +00:00
|
|
|
obj = NULL;
|
2017-09-08 13:39:09 -07:00
|
|
|
(void)named_config_get(maps, "try-tcp-refresh", &obj);
|
2011-08-30 05:16:15 +00:00
|
|
|
dns_zone_setoption(mayberaw, DNS_ZONEOPT_TRYTCPREFRESH,
|
2006-06-04 23:17:07 +00:00
|
|
|
cfg_obj_asboolean(obj));
|
1999-12-16 23:11:07 +00:00
|
|
|
break;
|
2000-08-01 01:33:37 +00:00
|
|
|
|
2010-12-16 09:51:30 +00:00
|
|
|
case dns_zone_staticstub:
|
2023-02-21 12:15:01 +11:00
|
|
|
CHECK(configure_staticstub(zoptions, zone, zname,
|
|
|
|
|
default_dbtype));
|
2010-12-16 09:51:30 +00:00
|
|
|
break;
|
|
|
|
|
|
2000-05-25 19:27:48 +00:00
|
|
|
default:
|
|
|
|
|
break;
|
1999-12-16 23:11:07 +00:00
|
|
|
}
|
|
|
|
|
|
2023-02-21 12:15:01 +11:00
|
|
|
result = ISC_R_SUCCESS;
|
|
|
|
|
|
|
|
|
|
cleanup:
|
|
|
|
|
if (kasp != NULL) {
|
|
|
|
|
dns_kasp_detach(&kasp);
|
|
|
|
|
}
|
|
|
|
|
return (result);
|
1999-12-16 23:11:07 +00:00
|
|
|
}
|
|
|
|
|
|
2010-12-18 01:56:23 +00:00
|
|
|
/*
|
|
|
|
|
* Set up a DLZ zone as writeable
|
|
|
|
|
*/
|
|
|
|
|
isc_result_t
|
2017-09-08 13:39:09 -07:00
|
|
|
named_zone_configure_writeable_dlz(dns_dlzdb_t *dlzdatabase, dns_zone_t *zone,
|
|
|
|
|
dns_rdataclass_t rdclass, dns_name_t *name) {
|
2010-12-18 01:56:23 +00:00
|
|
|
dns_db_t *db = NULL;
|
|
|
|
|
isc_result_t result;
|
|
|
|
|
|
|
|
|
|
dns_zone_settype(zone, dns_zone_dlz);
|
|
|
|
|
result = dns_sdlz_setdb(dlzdatabase, rdclass, name, &db);
|
|
|
|
|
if (result != ISC_R_SUCCESS) {
|
2011-10-11 00:09:03 +00:00
|
|
|
return (result);
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2010-12-18 01:56:23 +00:00
|
|
|
result = dns_zone_dlzpostload(zone, db);
|
|
|
|
|
dns_db_detach(&db);
|
2011-10-11 00:09:03 +00:00
|
|
|
return (result);
|
2010-12-18 01:56:23 +00:00
|
|
|
}
|
|
|
|
|
|
2018-04-17 08:29:14 -07:00
|
|
|
bool
|
2022-06-07 15:35:49 +02:00
|
|
|
named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
|
2006-02-28 02:39:52 +00:00
|
|
|
const cfg_obj_t *zoptions = NULL;
|
|
|
|
|
const cfg_obj_t *obj = NULL;
|
2000-01-21 19:22:35 +00:00
|
|
|
const char *cfilename;
|
|
|
|
|
const char *zfilename;
|
2011-10-12 00:10:20 +00:00
|
|
|
dns_zone_t *raw = NULL;
|
2020-10-13 14:48:04 +02:00
|
|
|
bool has_raw, inline_signing;
|
2012-01-31 01:13:10 +00:00
|
|
|
dns_zonetype_t ztype;
|
2000-01-21 19:22:35 +00:00
|
|
|
|
2001-03-04 21:21:39 +00:00
|
|
|
zoptions = cfg_tuple_get(zconfig, "options");
|
|
|
|
|
|
2010-12-16 09:51:30 +00:00
|
|
|
/*
|
|
|
|
|
* We always reconfigure a static-stub zone for simplicity, assuming
|
2010-12-16 23:47:08 +00:00
|
|
|
* the amount of data to be loaded is small.
|
2010-12-16 09:51:30 +00:00
|
|
|
*/
|
2012-01-31 01:13:10 +00:00
|
|
|
if (zonetype_fromconfig(zoptions) == dns_zone_staticstub) {
|
|
|
|
|
dns_zone_log(zone, ISC_LOG_DEBUG(1),
|
|
|
|
|
"not reusable: staticstub");
|
2018-04-17 08:29:14 -07:00
|
|
|
return (false);
|
2012-01-31 01:13:10 +00:00
|
|
|
}
|
2011-08-30 05:16:15 +00:00
|
|
|
|
2012-01-31 01:13:10 +00:00
|
|
|
/* If there's a raw zone, use that for filename and type comparison */
|
2011-10-12 00:10:20 +00:00
|
|
|
dns_zone_getraw(zone, &raw);
|
|
|
|
|
if (raw != NULL) {
|
2012-01-31 01:13:10 +00:00
|
|
|
zfilename = dns_zone_getfile(raw);
|
|
|
|
|
ztype = dns_zone_gettype(raw);
|
2011-10-12 00:10:20 +00:00
|
|
|
dns_zone_detach(&raw);
|
2018-04-17 08:29:14 -07:00
|
|
|
has_raw = true;
|
2012-01-31 01:13:10 +00:00
|
|
|
} else {
|
|
|
|
|
zfilename = dns_zone_getfile(zone);
|
|
|
|
|
ztype = dns_zone_gettype(zone);
|
2018-04-17 08:29:14 -07:00
|
|
|
has_raw = false;
|
2012-01-31 01:13:10 +00:00
|
|
|
}
|
2011-10-12 00:10:20 +00:00
|
|
|
|
2022-06-07 15:35:49 +02:00
|
|
|
inline_signing = named_zone_inlinesigning(zconfig);
|
2020-10-13 14:48:04 +02:00
|
|
|
if (!inline_signing && has_raw) {
|
2012-01-31 01:13:10 +00:00
|
|
|
dns_zone_log(zone, ISC_LOG_DEBUG(1),
|
|
|
|
|
"not reusable: old zone was inline-signing");
|
2018-04-17 08:29:14 -07:00
|
|
|
return (false);
|
2020-10-13 14:48:04 +02:00
|
|
|
} else if (inline_signing && !has_raw) {
|
2012-01-31 01:13:10 +00:00
|
|
|
dns_zone_log(zone, ISC_LOG_DEBUG(1),
|
|
|
|
|
"not reusable: old zone was not inline-signing");
|
2018-04-17 08:29:14 -07:00
|
|
|
return (false);
|
2012-01-31 01:13:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (zonetype_fromconfig(zoptions) != ztype) {
|
|
|
|
|
dns_zone_log(zone, ISC_LOG_DEBUG(1),
|
|
|
|
|
"not reusable: type mismatch");
|
2018-04-17 08:29:14 -07:00
|
|
|
return (false);
|
2012-01-31 01:13:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
obj = NULL;
|
|
|
|
|
(void)cfg_map_get(zoptions, "file", &obj);
|
|
|
|
|
if (obj != NULL) {
|
|
|
|
|
cfilename = cfg_obj_asstring(obj);
|
|
|
|
|
} else {
|
|
|
|
|
cfilename = NULL;
|
2020-02-13 21:48:23 +01:00
|
|
|
}
|
2012-01-31 01:13:10 +00:00
|
|
|
if (!((cfilename == NULL && zfilename == NULL) ||
|
|
|
|
|
(cfilename != NULL && zfilename != NULL &&
|
|
|
|
|
strcmp(cfilename, zfilename) == 0)))
|
|
|
|
|
{
|
|
|
|
|
dns_zone_log(zone, ISC_LOG_DEBUG(1),
|
|
|
|
|
"not reusable: filename mismatch");
|
2018-04-17 08:29:14 -07:00
|
|
|
return (false);
|
2012-01-31 01:13:10 +00:00
|
|
|
}
|
2000-01-21 19:22:35 +00:00
|
|
|
|
2018-04-17 08:29:14 -07:00
|
|
|
return (true);
|
2000-01-21 19:22:35 +00:00
|
|
|
}
|
2020-10-13 14:48:04 +02:00
|
|
|
|
|
|
|
|
bool
|
2022-06-07 15:35:49 +02:00
|
|
|
named_zone_inlinesigning(const cfg_obj_t *zconfig) {
|
2020-10-13 14:48:04 +02:00
|
|
|
const cfg_obj_t *zoptions = NULL;
|
|
|
|
|
const cfg_obj_t *signing = NULL;
|
2020-12-03 15:01:42 +01:00
|
|
|
bool inline_signing = false;
|
2020-10-13 14:48:04 +02:00
|
|
|
|
|
|
|
|
zoptions = cfg_tuple_get(zconfig, "options");
|
|
|
|
|
inline_signing = (cfg_map_get(zoptions, "inline-signing", &signing) ==
|
|
|
|
|
ISC_R_SUCCESS &&
|
|
|
|
|
cfg_obj_asboolean(signing));
|
|
|
|
|
|
|
|
|
|
return (inline_signing);
|
|
|
|
|
}
|
