mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-22 18:19:42 +00:00
Code Issues Releases Wiki Activity
bind/lib/dns/ssu.c

645 lines
17 KiB
C
Raw Normal View History

*** empty log message ***
2000-02-14 21:00:38 +00:00
/*
update copyright notice / whitespace
2017-10-06 23:45:54 +00:00
* Copyright (C) 2000, 2001, 2003-2008, 2010, 2011, 2013, 2014, 2016, 2017 Internet Systems Consortium, Inc. ("ISC")
Trailing whitespace trimmed. Perhaps running "perl util/spacewhack.pl in your own CVS tree will help minimize CVS conflicts. Maybe not. Blame Graff for getting me to trim all trailing whitespace.
2000-08-01 01:33:37 +00:00
*
4401. [misc] Change LICENSE to MPL 2.0.
2016-06-27 14:56:38 +10:00
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
update copyrights
2000-03-23 19:52:19 +00:00
*/
update copyright notice
2005-04-29 00:24:12 +00:00
1851. [doc] Doxygen comment markup. [RT #11398]
2005-04-27 04:57:32 +00:00
/*! \file */
update copyrights
2000-03-23 19:52:19 +00:00
/*
update copyright notice
2011-01-06 23:47:00 +00:00
* $Id: ssu.c,v 1.38 2011/01/06 23:47:00 tbox Exp $
*** empty log message ***
2000-02-14 21:00:38 +00:00
* Principal Author: Brian Wellington
*/
#include <config.h>
#include <isc/magic.h>
need <isc/mem.h>
2000-04-04 20:10:57 +00:00
#include <isc/mem.h>
2286. [func] Allow a TCP connection to be used as a weak authentication method for reverse zones. New update-policy methods tcp-self and 6to4-self. [RT #17378]
2008-01-02 05:13:42 +00:00
#include <isc/netaddr.h>
1983. [func] Two new update policies. "selfsub" and "selfwild". [RT #12895]
2006-02-16 01:34:24 +00:00
#include <isc/result.h>
2286. [func] Allow a TCP connection to be used as a weak authentication method for reverse zones. New update-policy methods tcp-self and 6to4-self. [RT #17378]
2008-01-02 05:13:42 +00:00
#include <isc/string.h>
ssutables are now attached/detached; zones get ssutables from config structs
2000-03-06 19:06:07 +00:00
#include <isc/util.h>
*** empty log message ***
2000-02-14 21:00:38 +00:00
2989. [func] Added support for writable DLZ zones. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers that can be loaded as shared objects at runtime rather than linked with named. Currently this is switched on via a compile-time option, "configure --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is likely to be refined in future releases. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2987. [func] Improve ease of configuring TKEY/GSS updates by adding a "tkey-gssapi-keytab" option. If set, updates will be allowed with any key matching a principal in the specified keytab file. "tkey-gssapi-credential" is no longer required and is expected to be deprecated. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629]
2010-12-18 01:56:23 +00:00
#include <dns/dlz.h>
1983. [func] Two new update policies. "selfsub" and "selfwild". [RT #12895]
2006-02-16 01:34:24 +00:00
#include <dns/fixedname.h>
*** empty log message ***
2000-02-14 21:00:38 +00:00
#include <dns/name.h>
#include <dns/ssu.h>
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
#include <dst/gssapi.h>
2989. [func] Added support for writable DLZ zones. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers that can be loaded as shared objects at runtime rather than linked with named. Currently this is switched on via a compile-time option, "configure --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is likely to be refined in future releases. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2987. [func] Improve ease of configuring TKEY/GSS updates by adding a "tkey-gssapi-keytab" option. If set, updates will be allowed with any key matching a principal in the specified keytab file. "tkey-gssapi-credential" is no longer required and is expected to be deprecated. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629]
2010-12-18 01:56:23 +00:00
#include <dst/dst.h>
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
use ISC_MAGIC for all magic numbers, for our friends in EBCDIC land
2001-06-04 19:33:39 +00:00
#define SSUTABLEMAGIC ISC_MAGIC('S', 'S', 'U', 'T')
#define VALID_SSUTABLE(table) ISC_MAGIC_VALID(table, SSUTABLEMAGIC)
#define SSURULEMAGIC ISC_MAGIC('S', 'S', 'U', 'R')
#define VALID_SSURULE(table) ISC_MAGIC_VALID(table, SSURULEMAGIC)
Initial commit of simple secure update. Not compiled in by default.
2000-02-14 21:09:16 +00:00
*** empty log message ***
2000-02-14 21:00:38 +00:00
struct dns_ssurule {
#857 was incomplete, ISC_MAGIC was not being used everwhere it should have been. 'magic' was not being declared consistantly. some #include <isc/magic.h> were missing from other include files. NS_SERVER_VALID was not using ISC_MAGIC_VALID.
2001-08-28 03:58:29 +00:00
unsigned int magic;
[master] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]
2017-10-06 15:13:27 -07:00
isc_boolean_t grant; /*%< is this a grant or a deny? */
dns_ssumatchtype_t matchtype; /*%< which type of pattern match? */
dns_name_t *identity; /*%< the identity to match */
dns_name_t *name; /*%< the name being updated */
unsigned int ntypes; /*%< number of data types covered */
dns_rdatatype_t *types; /*%< the data types. Can include */
/* ANY. if NULL, defaults to all */
/* types except SIG, SOA, and NS */
*** empty log message ***
2000-02-14 21:00:38 +00:00
ISC_LINK(dns_ssurule_t) link;
};
struct dns_ssutable {
#857 was incomplete, ISC_MAGIC was not being used everwhere it should have been. 'magic' was not being declared consistantly. some #include <isc/magic.h> were missing from other include files. NS_SERVER_VALID was not using ISC_MAGIC_VALID.
2001-08-28 03:58:29 +00:00
unsigned int magic;
*** empty log message ***
2000-02-14 21:00:38 +00:00
isc_mem_t *mctx;
ssutables are now attached/detached; zones get ssutables from config structs
2000-03-06 19:06:07 +00:00
unsigned int references;
isc_mutex_t lock;
2989. [func] Added support for writable DLZ zones. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers that can be loaded as shared objects at runtime rather than linked with named. Currently this is switched on via a compile-time option, "configure --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is likely to be refined in future releases. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2987. [func] Improve ease of configuring TKEY/GSS updates by adding a "tkey-gssapi-keytab" option. If set, updates will be allowed with any key matching a principal in the specified keytab file. "tkey-gssapi-credential" is no longer required and is expected to be deprecated. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629]
2010-12-18 01:56:23 +00:00
dns_dlzdb_t *dlzdatabase;
*** empty log message ***
2000-02-14 21:00:38 +00:00
ISC_LIST(dns_ssurule_t) rules;
};
isc_result_t
ssutables are now attached/detached; zones get ssutables from config structs
2000-03-06 19:06:07 +00:00
dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **tablep) {
isc_result_t result;
dns_ssutable_t *table;
REQUIRE(tablep != NULL && *tablep == NULL);
*** empty log message ***
2000-02-14 21:00:38 +00:00
REQUIRE(mctx != NULL);
ssutables are now attached/detached; zones get ssutables from config structs
2000-03-06 19:06:07 +00:00
table = isc_mem_get(mctx, sizeof(dns_ssutable_t));
if (table == NULL)
*** empty log message ***
2000-02-14 21:00:38 +00:00
return (ISC_R_NOMEMORY);
ssutables are now attached/detached; zones get ssutables from config structs
2000-03-06 19:06:07 +00:00
result = isc_mutex_init(&table->lock);
if (result != ISC_R_SUCCESS) {
isc_mem_put(mctx, table, sizeof(dns_ssutable_t));
return (result);
}
table->references = 1;
3520. [bug] 'mctx' was not being referenced counted in some places where it should have been. [RT #32794]
2013-03-08 14:38:03 +11:00
table->mctx = NULL;
isc_mem_attach(mctx, &table->mctx);
ssutables are now attached/detached; zones get ssutables from config structs
2000-03-06 19:06:07 +00:00
ISC_LIST_INIT(table->rules);
table->magic = SSUTABLEMAGIC;
*tablep = table;
*** empty log message ***
2000-02-14 21:00:38 +00:00
return (ISC_R_SUCCESS);
}
ssutables are now attached/detached; zones get ssutables from config structs
2000-03-06 19:06:07 +00:00
static inline void
destroy(dns_ssutable_t *table) {
*** empty log message ***
2000-02-14 21:00:38 +00:00
isc_mem_t *mctx;
ssutables are now attached/detached; zones get ssutables from config structs
2000-03-06 19:06:07 +00:00
REQUIRE(VALID_SSUTABLE(table));
*** empty log message ***
2000-02-14 21:00:38 +00:00
ssutables are now attached/detached; zones get ssutables from config structs
2000-03-06 19:06:07 +00:00
mctx = table->mctx;
while (!ISC_LIST_EMPTY(table->rules)) {
dns_ssurule_t *rule = ISC_LIST_HEAD(table->rules);
*** empty log message ***
2000-02-14 21:00:38 +00:00
if (rule->identity != NULL) {
dns_name_free(rule->identity, mctx);
isc_mem_put(mctx, rule->identity, sizeof(dns_name_t));
}
if (rule->name != NULL) {
dns_name_free(rule->name, mctx);
isc_mem_put(mctx, rule->name, sizeof(dns_name_t));
}
if (rule->types != NULL)
isc_mem_put(mctx, rule->types,
rule->ntypes * sizeof(dns_rdatatype_t));
ssutables are now attached/detached; zones get ssutables from config structs
2000-03-06 19:06:07 +00:00
ISC_LIST_UNLINK(table->rules, rule, link);
Added a rule iterator and rule accessor functions
2000-03-01 23:28:31 +00:00
rule->magic = 0;
*** empty log message ***
2000-02-14 21:00:38 +00:00
isc_mem_put(mctx, rule, sizeof(dns_ssurule_t));
}
and more calls to DESTROYLOCK
2000-08-26 01:37:00 +00:00
DESTROYLOCK(&table->lock);
ssutables are now attached/detached; zones get ssutables from config structs
2000-03-06 19:06:07 +00:00
table->magic = 0;
3520. [bug] 'mctx' was not being referenced counted in some places where it should have been. [RT #32794]
2013-03-08 14:38:03 +11:00
isc_mem_putanddetach(&table->mctx, table, sizeof(dns_ssutable_t));
ssutables are now attached/detached; zones get ssutables from config structs
2000-03-06 19:06:07 +00:00
}
void
dns_ssutable_attach(dns_ssutable_t *source, dns_ssutable_t **targetp) {
REQUIRE(VALID_SSUTABLE(source));
REQUIRE(targetp != NULL && *targetp == NULL);
LOCK(&source->lock);
INSIST(source->references > 0);
source->references++;
INSIST(source->references != 0);
UNLOCK(&source->lock);
*targetp = source;
}
void
dns_ssutable_detach(dns_ssutable_t **tablep) {
dns_ssutable_t *table;
isc_boolean_t done = ISC_FALSE;
REQUIRE(tablep != NULL);
table = *tablep;
REQUIRE(VALID_SSUTABLE(table));
LOCK(&table->lock);
INSIST(table->references > 0);
if (--table->references == 0)
done = ISC_TRUE;
UNLOCK(&table->lock);
*tablep = NULL;
if (done)
destroy(table);
*** empty log message ***
2000-02-14 21:00:38 +00:00
}
isc_result_t
dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
[master] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]
2017-10-06 15:13:27 -07:00
const dns_name_t *identity, dns_ssumatchtype_t matchtype,
4546. [func] Extend the use of const declarations. [RT #43379]
2016-12-30 15:45:08 +11:00
const dns_name_t *name, unsigned int ntypes,
added matchtype support
2000-02-15 21:54:59 +00:00
dns_rdatatype_t *types)
*** empty log message ***
2000-02-14 21:00:38 +00:00
{
dns_ssurule_t *rule;
isc_mem_t *mctx;
isc_result_t result;
REQUIRE(VALID_SSUTABLE(table));
added matchtype support
2000-02-15 21:54:59 +00:00
REQUIRE(dns_name_isabsolute(identity));
REQUIRE(dns_name_isabsolute(name));
[master] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]
2017-10-06 15:13:27 -07:00
REQUIRE(matchtype <= dns_ssumatchtype_max);
if (matchtype == dns_ssumatchtype_wildcard)
added matchtype support
2000-02-15 21:54:59 +00:00
REQUIRE(dns_name_iswildcard(name));
*** empty log message ***
2000-02-14 21:00:38 +00:00
if (ntypes > 0)
REQUIRE(types != NULL);
mctx = table->mctx;
rule = isc_mem_get(mctx, sizeof(dns_ssurule_t));
if (rule == NULL)
return (ISC_R_NOMEMORY);
rule->identity = NULL;
rule->name = NULL;
rule->types = NULL;
rule->grant = grant;
added matchtype support
2000-02-15 21:54:59 +00:00
rule->identity = isc_mem_get(mctx, sizeof(dns_name_t));
if (rule->identity == NULL) {
result = ISC_R_NOMEMORY;
goto failure;
*** empty log message ***
2000-02-14 21:00:38 +00:00
}
added matchtype support
2000-02-15 21:54:59 +00:00
dns_name_init(rule->identity, NULL);
result = dns_name_dup(identity, mctx, rule->identity);
if (result != ISC_R_SUCCESS)
goto failure;
rule->name = isc_mem_get(mctx, sizeof(dns_name_t));
if (rule->name == NULL) {
result = ISC_R_NOMEMORY;
goto failure;
*** empty log message ***
2000-02-14 21:00:38 +00:00
}
added matchtype support
2000-02-15 21:54:59 +00:00
dns_name_init(rule->name, NULL);
result = dns_name_dup(name, mctx, rule->name);
if (result != ISC_R_SUCCESS)
goto failure;
*** empty log message ***
2000-02-14 21:00:38 +00:00
added matchtype support
2000-02-15 21:54:59 +00:00
rule->matchtype = matchtype;
*** empty log message ***
2000-02-14 21:00:38 +00:00
rule->ntypes = ntypes;
if (ntypes > 0) {
rule->types = isc_mem_get(mctx,
ntypes * sizeof(dns_rdatatype_t));
if (rule->types == NULL) {
result = ISC_R_NOMEMORY;
goto failure;
}
[master] replace memcpy() with memmove(). 3698. [cleanup] Replaced all uses of memcpy() with memmove(). [RT #35120]
2014-01-08 16:27:10 -08:00
memmove(rule->types, types, ntypes * sizeof(dns_rdatatype_t));
1983. [func] Two new update policies. "selfsub" and "selfwild". [RT #12895]
2006-02-16 01:34:24 +00:00
} else
*** empty log message ***
2000-02-14 21:00:38 +00:00
rule->types = NULL;
Added a rule iterator and rule accessor functions
2000-03-01 23:28:31 +00:00
rule->magic = SSURULEMAGIC;
ISC_LINK_*UNSAFE -> ISC_LINK_INITAND*
2000-12-07 20:15:58 +00:00
ISC_LIST_INITANDAPPEND(table->rules, rule, link);
*** empty log message ***
2000-02-14 21:00:38 +00:00
return (ISC_R_SUCCESS);
failure:
if (rule->identity != NULL) {
if (dns_name_dynamic(rule->identity))
dns_name_free(rule->identity, mctx);
isc_mem_put(mctx, rule->identity, sizeof(dns_name_t));
}
if (rule->name != NULL) {
if (dns_name_dynamic(rule->name))
dns_name_free(rule->name, mctx);
isc_mem_put(mctx, rule->name, sizeof(dns_name_t));
}
if (rule->types != NULL)
isc_mem_put(mctx, rule->types,
ntypes * sizeof(dns_rdatatype_t));
isc_mem_put(mctx, rule, sizeof(dns_ssurule_t));
return (result);
}
static inline isc_boolean_t
isusertype(dns_rdatatype_t type) {
Fixed this warning: "ssu.c", line 240: warning(1185): enumerated type mixed with another type by adding an ISC_TF() to the return statement of an isc_boolean_t function.
2000-05-14 02:29:23 +00:00
return (ISC_TF(type != dns_rdatatype_ns &&
type != dns_rdatatype_soa &&
1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
2003-09-30 06:00:40 +00:00
type != dns_rdatatype_rrsig));
*** empty log message ***
2000-02-14 21:00:38 +00:00
}
2286. [func] Allow a TCP connection to be used as a weak authentication method for reverse zones. New update-policy methods tcp-self and 6to4-self. [RT #17378]
2008-01-02 05:13:42 +00:00
static void
4546. [func] Extend the use of const declarations. [RT #43379]
2016-12-30 15:45:08 +11:00
reverse_from_address(dns_name_t *tcpself, const isc_netaddr_t *tcpaddr) {
2286. [func] Allow a TCP connection to be used as a weak authentication method for reverse zones. New update-policy methods tcp-self and 6to4-self. [RT #17378]
2008-01-02 05:13:42 +00:00
char buf[16 * 4 + sizeof("IP6.ARPA.")];
isc_result_t result;
4546. [func] Extend the use of const declarations. [RT #43379]
2016-12-30 15:45:08 +11:00
const unsigned char *ap;
2286. [func] Allow a TCP connection to be used as a weak authentication method for reverse zones. New update-policy methods tcp-self and 6to4-self. [RT #17378]
2008-01-02 05:13:42 +00:00
isc_buffer_t b;
unsigned long l;
switch (tcpaddr->family) {
case AF_INET:
l = ntohl(tcpaddr->type.in.s_addr);
result = isc_string_printf(buf, sizeof(buf),
"%lu.%lu.%lu.%lu.IN-ADDR.ARPA.",
(l >> 0) & 0xff, (l >> 8) & 0xff,
update copyright notice
2008-01-18 23:46:58 +00:00
(l >> 16) & 0xff, (l >> 24) & 0xff);
2286. [func] Allow a TCP connection to be used as a weak authentication method for reverse zones. New update-policy methods tcp-self and 6to4-self. [RT #17378]
2008-01-02 05:13:42 +00:00
RUNTIME_CHECK(result == ISC_R_SUCCESS);
break;
case AF_INET6:
ap = tcpaddr->type.in6.s6_addr;
result = isc_string_printf(buf, sizeof(buf),
"%x.%x.%x.%x.%x.%x.%x.%x."
"%x.%x.%x.%x.%x.%x.%x.%x."
"%x.%x.%x.%x.%x.%x.%x.%x."
"%x.%x.%x.%x.%x.%x.%x.%x."
"IP6.ARPA.",
ap[15] & 0x0f, (ap[15] >> 4) & 0x0f,
ap[14] & 0x0f, (ap[14] >> 4) & 0x0f,
ap[13] & 0x0f, (ap[13] >> 4) & 0x0f,
ap[12] & 0x0f, (ap[12] >> 4) & 0x0f,
ap[11] & 0x0f, (ap[11] >> 4) & 0x0f,
ap[10] & 0x0f, (ap[10] >> 4) & 0x0f,
ap[9] & 0x0f, (ap[9] >> 4) & 0x0f,
ap[8] & 0x0f, (ap[8] >> 4) & 0x0f,
ap[7] & 0x0f, (ap[7] >> 4) & 0x0f,
ap[6] & 0x0f, (ap[6] >> 4) & 0x0f,
ap[5] & 0x0f, (ap[5] >> 4) & 0x0f,
ap[4] & 0x0f, (ap[4] >> 4) & 0x0f,
ap[3] & 0x0f, (ap[3] >> 4) & 0x0f,
ap[2] & 0x0f, (ap[2] >> 4) & 0x0f,
ap[1] & 0x0f, (ap[1] >> 4) & 0x0f,
ap[0] & 0x0f, (ap[0] >> 4) & 0x0f);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
break;
default:
INSIST(0);
}
isc_buffer_init(&b, buf, strlen(buf));
isc_buffer_add(&b, strlen(buf));
result = dns_name_fromtext(tcpself, &b, dns_rootname, 0, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
}
static void
4546. [func] Extend the use of const declarations. [RT #43379]
2016-12-30 15:45:08 +11:00
stf_from_address(dns_name_t *stfself, const isc_netaddr_t *tcpaddr) {
2286. [func] Allow a TCP connection to be used as a weak authentication method for reverse zones. New update-policy methods tcp-self and 6to4-self. [RT #17378]
2008-01-02 05:13:42 +00:00
char buf[sizeof("X.X.X.X.Y.Y.Y.Y.2.0.0.2.IP6.ARPA.")];
isc_result_t result;
4546. [func] Extend the use of const declarations. [RT #43379]
2016-12-30 15:45:08 +11:00
const unsigned char *ap;
2286. [func] Allow a TCP connection to be used as a weak authentication method for reverse zones. New update-policy methods tcp-self and 6to4-self. [RT #17378]
2008-01-02 05:13:42 +00:00
isc_buffer_t b;
unsigned long l;
switch(tcpaddr->family) {
case AF_INET:
l = ntohl(tcpaddr->type.in.s_addr);
result = isc_string_printf(buf, sizeof(buf),
"%lx.%lx.%lx.%lx.%lx.%lx.%lx.%lx"
"2.0.0.2.IP6.ARPA.",
l & 0xf, (l >> 4) & 0xf,
(l >> 8) & 0xf, (l >> 12) & 0xf,
(l >> 16) & 0xf, (l >> 20) & 0xf,
(l >> 24) & 0xf, (l >> 28) & 0xf);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
break;
case AF_INET6:
ap = tcpaddr->type.in6.s6_addr;
result = isc_string_printf(buf, sizeof(buf),
"%x.%x.%x.%x.%x.%x.%x.%x."
"%x.%x.%x.%x.IP6.ARPA.",
ap[5] & 0x0f, (ap[5] >> 4) & 0x0f,
ap[4] & 0x0f, (ap[4] >> 4) & 0x0f,
ap[3] & 0x0f, (ap[3] >> 4) & 0x0f,
ap[2] & 0x0f, (ap[2] >> 4) & 0x0f,
ap[1] & 0x0f, (ap[1] >> 4) & 0x0f,
ap[0] & 0x0f, (ap[0] >> 4) & 0x0f);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
break;
default:
INSIST(0);
}
isc_buffer_init(&b, buf, strlen(buf));
isc_buffer_add(&b, strlen(buf));
result = dns_name_fromtext(stfself, &b, dns_rootname, 0, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
}
*** empty log message ***
2000-02-14 21:00:38 +00:00
isc_boolean_t
4546. [func] Extend the use of const declarations. [RT #43379]
2016-12-30 15:45:08 +11:00
dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
const dns_name_t *name, const isc_netaddr_t *tcpaddr,
dns_rdatatype_t type, const dst_key_t *key)
[master] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]
2017-10-06 15:13:27 -07:00
{
return (dns_ssutable_checkrules2
(table, signer, name, tcpaddr,
tcpaddr == NULL ? ISC_FALSE : ISC_TRUE,
NULL, type, key));
}
isc_boolean_t
dns_ssutable_checkrules2(dns_ssutable_t *table, const dns_name_t *signer,
const dns_name_t *name, const isc_netaddr_t *addr,
isc_boolean_t tcp, const dns_aclenv_t *env,
dns_rdatatype_t type, const dst_key_t *key)
*** empty log message ***
2000-02-14 21:00:38 +00:00
{
dns_ssurule_t *rule;
unsigned int i;
1983. [func] Two new update policies. "selfsub" and "selfwild". [RT #12895]
2006-02-16 01:34:24 +00:00
dns_fixedname_t fixed;
dns_name_t *wildcard;
2286. [func] Allow a TCP connection to be used as a weak authentication method for reverse zones. New update-policy methods tcp-self and 6to4-self. [RT #17378]
2008-01-02 05:13:42 +00:00
dns_name_t *tcpself;
dns_name_t *stfself;
1983. [func] Two new update policies. "selfsub" and "selfwild". [RT #12895]
2006-02-16 01:34:24 +00:00
isc_result_t result;
[master] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]
2017-10-06 15:13:27 -07:00
int match;
*** empty log message ***
2000-02-14 21:00:38 +00:00
REQUIRE(VALID_SSUTABLE(table));
REQUIRE(signer == NULL || dns_name_isabsolute(signer));
REQUIRE(dns_name_isabsolute(name));
[master] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]
2017-10-06 15:13:27 -07:00
REQUIRE(addr == NULL || env != NULL);
*** empty log message ***
2000-02-14 21:00:38 +00:00
[master] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]
2017-10-06 15:13:27 -07:00
if (signer == NULL && addr == NULL)
*** empty log message ***
2000-02-14 21:00:38 +00:00
return (ISC_FALSE);
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
*** empty log message ***
2000-02-14 21:00:38 +00:00
for (rule = ISC_LIST_HEAD(table->rules);
rule != NULL;
rule = ISC_LIST_NEXT(rule, link))
{
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
switch (rule->matchtype) {
[master] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]
2017-10-06 15:13:27 -07:00
case dns_ssumatchtype_name:
case dns_ssumatchtype_local:
case dns_ssumatchtype_subdomain:
case dns_ssumatchtype_wildcard:
case dns_ssumatchtype_self:
case dns_ssumatchtype_selfsub:
case dns_ssumatchtype_selfwild:
2286. [func] Allow a TCP connection to be used as a weak authentication method for reverse zones. New update-policy methods tcp-self and 6to4-self. [RT #17378]
2008-01-02 05:13:42 +00:00
if (signer == NULL)
continue;
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
if (dns_name_iswildcard(rule->identity)) {
if (!dns_name_matcheswildcard(signer,
rule->identity))
continue;
2286. [func] Allow a TCP connection to be used as a weak authentication method for reverse zones. New update-policy methods tcp-self and 6to4-self. [RT #17378]
2008-01-02 05:13:42 +00:00
} else {
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
if (!dns_name_equal(signer, rule->identity))
continue;
}
break;
[master] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]
2017-10-06 15:13:27 -07:00
case dns_ssumatchtype_selfkrb5:
case dns_ssumatchtype_selfms:
case dns_ssumatchtype_subdomainkrb5:
case dns_ssumatchtype_subdomainms:
2286. [func] Allow a TCP connection to be used as a weak authentication method for reverse zones. New update-policy methods tcp-self and 6to4-self. [RT #17378]
2008-01-02 05:13:42 +00:00
if (signer == NULL)
continue;
break;
[master] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]
2017-10-06 15:13:27 -07:00
case dns_ssumatchtype_tcpself:
case dns_ssumatchtype_6to4self:
if (!tcp || addr == NULL)
2286. [func] Allow a TCP connection to be used as a weak authentication method for reverse zones. New update-policy methods tcp-self and 6to4-self. [RT #17378]
2008-01-02 05:13:42 +00:00
continue;
break;
[master] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]
2017-10-06 15:13:27 -07:00
case dns_ssumatchtype_external:
case dns_ssumatchtype_dlz:
break;
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
}
added matchtype support
2000-02-15 21:54:59 +00:00
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
switch (rule->matchtype) {
[master] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]
2017-10-06 15:13:27 -07:00
case dns_ssumatchtype_name:
added matchtype support
2000-02-15 21:54:59 +00:00
if (!dns_name_equal(name, rule->name))
continue;
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
break;
[master] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]
2017-10-06 15:13:27 -07:00
case dns_ssumatchtype_subdomain:
added matchtype support
2000-02-15 21:54:59 +00:00
if (!dns_name_issubdomain(name, rule->name))
continue;
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
break;
[master] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]
2017-10-06 15:13:27 -07:00
case dns_ssumatchtype_local:
if (addr == NULL) {
continue;
}
if (!dns_name_issubdomain(name, rule->name)) {
continue;
}
dns_acl_match(addr, NULL, env->localhost,
NULL, &match, NULL);
if (match == 0) {
[master] log when update-policy local gets a key match from a remote host 4788. [cleanup] When using "update-policy local", log a warning when an update matching the session key is received from a remote host. [RT #46213] - this completes change #4762.
2017-10-25 00:58:00 -07:00
if (signer != NULL) {
isc_log_write(dns_lctx,
DNS_LOGCATEGORY_GENERAL,
DNS_LOGMODULE_SSU,
ISC_LOG_WARNING,
"update-policy local: "
"match on session "
"key not from "
"localhost");
}
[master] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]
2017-10-06 15:13:27 -07:00
continue;
}
break;
case dns_ssumatchtype_wildcard:
added matchtype support
2000-02-15 21:54:59 +00:00
if (!dns_name_matcheswildcard(name, rule->name))
continue;
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
break;
[master] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]
2017-10-06 15:13:27 -07:00
case dns_ssumatchtype_self:
added matchtype support
2000-02-15 21:54:59 +00:00
if (!dns_name_equal(signer, name))
continue;
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
break;
[master] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]
2017-10-06 15:13:27 -07:00
case dns_ssumatchtype_selfsub:
1983. [func] Two new update policies. "selfsub" and "selfwild". [RT #12895]
2006-02-16 01:34:24 +00:00
if (!dns_name_issubdomain(name, signer))
continue;
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
break;
[master] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]
2017-10-06 15:13:27 -07:00
case dns_ssumatchtype_selfwild:
1983. [func] Two new update policies. "selfsub" and "selfwild". [RT #12895]
2006-02-16 01:34:24 +00:00
dns_fixedname_init(&fixed);
wildcard = dns_fixedname_name(&fixed);
result = dns_name_concatenate(dns_wildcardname, signer,
wildcard, NULL);
if (result != ISC_R_SUCCESS)
continue;
if (!dns_name_matcheswildcard(name, wildcard))
continue;
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
break;
[master] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]
2017-10-06 15:13:27 -07:00
case dns_ssumatchtype_selfkrb5:
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
if (!dst_gssapi_identitymatchesrealmkrb5(signer, name,
rule->identity))
continue;
break;
[master] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]
2017-10-06 15:13:27 -07:00
case dns_ssumatchtype_selfms:
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
if (!dst_gssapi_identitymatchesrealmms(signer, name,
2286. [func] Allow a TCP connection to be used as a weak authentication method for reverse zones. New update-policy methods tcp-self and 6to4-self. [RT #17378]
2008-01-02 05:13:42 +00:00
rule->identity))
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
continue;
break;
[master] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]
2017-10-06 15:13:27 -07:00
case dns_ssumatchtype_subdomainkrb5:
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
if (!dns_name_issubdomain(name, rule->name))
continue;
if (!dst_gssapi_identitymatchesrealmkrb5(signer, NULL,
rule->identity))
continue;
break;
[master] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]
2017-10-06 15:13:27 -07:00
case dns_ssumatchtype_subdomainms:
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
if (!dns_name_issubdomain(name, rule->name))
continue;
if (!dst_gssapi_identitymatchesrealmms(signer, NULL,
rule->identity))
continue;
break;
[master] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]
2017-10-06 15:13:27 -07:00
case dns_ssumatchtype_tcpself:
2286. [func] Allow a TCP connection to be used as a weak authentication method for reverse zones. New update-policy methods tcp-self and 6to4-self. [RT #17378]
2008-01-02 05:13:42 +00:00
dns_fixedname_init(&fixed);
tcpself = dns_fixedname_name(&fixed);
[master] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]
2017-10-06 15:13:27 -07:00
reverse_from_address(tcpself, addr);
2286. [func] Allow a TCP connection to be used as a weak authentication method for reverse zones. New update-policy methods tcp-self and 6to4-self. [RT #17378]
2008-01-02 05:13:42 +00:00
if (dns_name_iswildcard(rule->identity)) {
if (!dns_name_matcheswildcard(tcpself,
rule->identity))
continue;
} else {
if (!dns_name_equal(tcpself, rule->identity))
continue;
}
if (!dns_name_equal(tcpself, name))
continue;
break;
[master] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]
2017-10-06 15:13:27 -07:00
case dns_ssumatchtype_6to4self:
2286. [func] Allow a TCP connection to be used as a weak authentication method for reverse zones. New update-policy methods tcp-self and 6to4-self. [RT #17378]
2008-01-02 05:13:42 +00:00
dns_fixedname_init(&fixed);
stfself = dns_fixedname_name(&fixed);
[master] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]
2017-10-06 15:13:27 -07:00
stf_from_address(stfself, addr);
2286. [func] Allow a TCP connection to be used as a weak authentication method for reverse zones. New update-policy methods tcp-self and 6to4-self. [RT #17378]
2008-01-02 05:13:42 +00:00
if (dns_name_iswildcard(rule->identity)) {
if (!dns_name_matcheswildcard(stfself,
rule->identity))
continue;
} else {
if (!dns_name_equal(stfself, rule->identity))
continue;
}
if (!dns_name_equal(stfself, name))
continue;
break;
[master] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]
2017-10-06 15:13:27 -07:00
case dns_ssumatchtype_external:
3003. [experimental] Added update-policy match type "external", enabliing named to defer the decision of whether to allow a dynamic update to an external daemon. (Contributed by Andrew Tridgell.) [RT #22758]
2011-01-06 23:24:39 +00:00
if (!dns_ssu_external_match(rule->identity, signer,
[master] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]
2017-10-06 15:13:27 -07:00
name, addr, type, key,
3003. [experimental] Added update-policy match type "external", enabliing named to defer the decision of whether to allow a dynamic update to an external daemon. (Contributed by Andrew Tridgell.) [RT #22758]
2011-01-06 23:24:39 +00:00
table->mctx))
continue;
break;
[master] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]
2017-10-06 15:13:27 -07:00
case dns_ssumatchtype_dlz:
2989. [func] Added support for writable DLZ zones. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers that can be loaded as shared objects at runtime rather than linked with named. Currently this is switched on via a compile-time option, "configure --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is likely to be refined in future releases. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2987. [func] Improve ease of configuring TKEY/GSS updates by adding a "tkey-gssapi-keytab" option. If set, updates will be allowed with any key matching a principal in the specified keytab file. "tkey-gssapi-credential" is no longer required and is expected to be deprecated. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629]
2010-12-18 01:56:23 +00:00
if (!dns_dlz_ssumatch(table->dlzdatabase, signer,
[master] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]
2017-10-06 15:13:27 -07:00
name, addr, type, key))
2989. [func] Added support for writable DLZ zones. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers that can be loaded as shared objects at runtime rather than linked with named. Currently this is switched on via a compile-time option, "configure --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is likely to be refined in future releases. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2987. [func] Improve ease of configuring TKEY/GSS updates by adding a "tkey-gssapi-keytab" option. If set, updates will be allowed with any key matching a principal in the specified keytab file. "tkey-gssapi-credential" is no longer required and is expected to be deprecated. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629]
2010-12-18 01:56:23 +00:00
continue;
break;
added matchtype support
2000-02-15 21:54:59 +00:00
}
*** empty log message ***
2000-02-14 21:00:38 +00:00
if (rule->ntypes == 0) {
update copyright notice
2010-12-20 23:47:21 +00:00
/*
2989. [func] Added support for writable DLZ zones. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers that can be loaded as shared objects at runtime rather than linked with named. Currently this is switched on via a compile-time option, "configure --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is likely to be refined in future releases. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2987. [func] Improve ease of configuring TKEY/GSS updates by adding a "tkey-gssapi-keytab" option. If set, updates will be allowed with any key matching a principal in the specified keytab file. "tkey-gssapi-credential" is no longer required and is expected to be deprecated. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629]
2010-12-18 01:56:23 +00:00
* If this is a DLZ rule, then the DLZ ssu
* checks will have already checked
* the type.
*/
[master] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]
2017-10-06 15:13:27 -07:00
if (rule->matchtype != dns_ssumatchtype_dlz &&
2989. [func] Added support for writable DLZ zones. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers that can be loaded as shared objects at runtime rather than linked with named. Currently this is switched on via a compile-time option, "configure --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is likely to be refined in future releases. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2987. [func] Improve ease of configuring TKEY/GSS updates by adding a "tkey-gssapi-keytab" option. If set, updates will be allowed with any key matching a principal in the specified keytab file. "tkey-gssapi-credential" is no longer required and is expected to be deprecated. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629]
2010-12-18 01:56:23 +00:00
!isusertype(type))
*** empty log message ***
2000-02-14 21:00:38 +00:00
continue;
1983. [func] Two new update policies. "selfsub" and "selfwild". [RT #12895]
2006-02-16 01:34:24 +00:00
} else {
*** empty log message ***
2000-02-14 21:00:38 +00:00
for (i = 0; i < rule->ntypes; i++) {
if (rule->types[i] == dns_rdatatype_any ||
rule->types[i] == type)
break;
}
if (i == rule->ntypes)
continue;
}
return (rule->grant);
}
return (ISC_FALSE);
}
Added a rule iterator and rule accessor functions
2000-03-01 23:28:31 +00:00
isc_boolean_t
dns_ssurule_isgrant(const dns_ssurule_t *rule) {
REQUIRE(VALID_SSURULE(rule));
return (rule->grant);
}
dns_name_t *
dns_ssurule_identity(const dns_ssurule_t *rule) {
REQUIRE(VALID_SSURULE(rule));
return (rule->identity);
}
unsigned int
dns_ssurule_matchtype(const dns_ssurule_t *rule) {
REQUIRE(VALID_SSURULE(rule));
return (rule->matchtype);
}
dns_name_t *
dns_ssurule_name(const dns_ssurule_t *rule) {
REQUIRE(VALID_SSURULE(rule));
return (rule->name);
}
unsigned int
dns_ssurule_types(const dns_ssurule_t *rule, dns_rdatatype_t **types) {
REQUIRE(VALID_SSURULE(rule));
REQUIRE(types != NULL && *types != NULL);
*types = rule->types;
return (rule->ntypes);
}
isc_result_t
dns_ssutable_firstrule(const dns_ssutable_t *table, dns_ssurule_t **rule) {
REQUIRE(VALID_SSUTABLE(table));
Fix boolean test
2000-03-02 20:39:23 +00:00
REQUIRE(rule != NULL && *rule == NULL);
Added a rule iterator and rule accessor functions
2000-03-01 23:28:31 +00:00
*rule = ISC_LIST_HEAD(table->rules);
return (*rule != NULL ? ISC_R_SUCCESS : ISC_R_NOMORE);
}
isc_result_t
dns_ssutable_nextrule(dns_ssurule_t *rule, dns_ssurule_t **nextrule) {
REQUIRE(VALID_SSURULE(rule));
Fix boolean test
2000-03-02 20:39:23 +00:00
REQUIRE(nextrule != NULL && *nextrule == NULL);
Added a rule iterator and rule accessor functions
2000-03-01 23:28:31 +00:00
*nextrule = ISC_LIST_NEXT(rule, link);
return (*nextrule != NULL ? ISC_R_SUCCESS : ISC_R_NOMORE);
}
2989. [func] Added support for writable DLZ zones. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers that can be loaded as shared objects at runtime rather than linked with named. Currently this is switched on via a compile-time option, "configure --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is likely to be refined in future releases. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2987. [func] Improve ease of configuring TKEY/GSS updates by adding a "tkey-gssapi-keytab" option. If set, updates will be allowed with any key matching a principal in the specified keytab file. "tkey-gssapi-credential" is no longer required and is expected to be deprecated. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629]
2010-12-18 01:56:23 +00:00
/*
* Create a specialised SSU table that points at an external DLZ database
*/
isc_result_t
dns_ssutable_createdlz(isc_mem_t *mctx, dns_ssutable_t **tablep,
dns_dlzdb_t *dlzdatabase)
{
isc_result_t result;
dns_ssurule_t *rule;
dns_ssutable_t *table = NULL;
REQUIRE(tablep != NULL && *tablep == NULL);
result = dns_ssutable_create(mctx, &table);
if (result != ISC_R_SUCCESS)
return (result);
table->dlzdatabase = dlzdatabase;
rule = isc_mem_get(table->mctx, sizeof(dns_ssurule_t));
if (rule == NULL) {
dns_ssutable_detach(&table);
return (ISC_R_NOMEMORY);
}
rule->identity = NULL;
rule->name = NULL;
rule->types = NULL;
rule->grant = ISC_TRUE;
[master] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]
2017-10-06 15:13:27 -07:00
rule->matchtype = dns_ssumatchtype_dlz;
2989. [func] Added support for writable DLZ zones. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers that can be loaded as shared objects at runtime rather than linked with named. Currently this is switched on via a compile-time option, "configure --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is likely to be refined in future releases. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2987. [func] Improve ease of configuring TKEY/GSS updates by adding a "tkey-gssapi-keytab" option. If set, updates will be allowed with any key matching a principal in the specified keytab file. "tkey-gssapi-credential" is no longer required and is expected to be deprecated. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629]
2010-12-18 01:56:23 +00:00
rule->ntypes = 0;
rule->types = NULL;
rule->magic = SSURULEMAGIC;
ISC_LIST_INITANDAPPEND(table->rules, rule, link);
*tablep = table;
return (ISC_R_SUCCESS);
}
Reference in New Issue Copy Permalink