diff --git a/bin/named/named.conf.rst b/bin/named/named.conf.rst index cc3aad616c..b4a91cd4c9 100644 --- a/bin/named/named.conf.rst +++ b/bin/named/named.conf.rst @@ -465,6 +465,17 @@ OPTIONS zone-statistics ( full | terse | none | boolean ); }; +PARENTAL-AGENTS +^^^^^^^^^^^^^^^ + +:: + + parental-agents string [ port integer ] [ + dscp integer ] { ( remote-servers | + ipv4_address [ port integer ] | + ipv6_address [ port integer ] ) [ key + string ] [ tls string ]; ... }; + PLUGIN ^^^^^^ @@ -930,6 +941,10 @@ VIEW notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ] [ dscp integer ]; notify-to-soa boolean; + parental-agents [ port integer ] [ dscp integer ] { ( + remote-servers | ipv4_address [ port integer ] | + ipv6_address [ port integer ] ) [ key string ] [ + tls string ]; ... }; primaries [ port integer ] [ dscp integer ] { ( remote-servers | ipv4_address [ port integer ] | ipv6_address [ port integer ] ) [ key string ] [ @@ -1038,6 +1053,10 @@ ZONE notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ] [ dscp integer ]; notify-to-soa boolean; + parental-agents [ port integer ] [ dscp integer ] { ( + remote-servers | ipv4_address [ port integer ] | + ipv6_address [ port integer ] ) [ key string ] [ tls + string ]; ... }; primaries [ port integer ] [ dscp integer ] { ( remote-servers | ipv4_address [ port integer ] | ipv6_address [ port integer ] ) [ key string ] [ tls diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf index d3f0039766..bd6a9b083d 100644 --- a/bin/tests/system/checkconf/good.conf +++ b/bin/tests/system/checkconf/good.conf @@ -86,6 +86,10 @@ options { transfer-source 0.0.0.0 dscp 63; zone-statistics none; }; +parental-agents "parents" { + 10.10.10.11; + 10.10.10.12; +}; view "first" { match-clients { "none"; 
@@ -176,11 +180,18 @@ view "fourth" { zone "dnssec-test" { type master; file "dnssec-test.db"; + parental-agents { + 1.2.3.4; + 1.2.3.5; + }; dnssec-policy "test"; }; zone "dnssec-default" { type master; file "dnssec-default.db"; + parental-agents { + "parents"; + }; dnssec-policy "default"; }; zone "dnssec-inherit" { diff --git a/doc/arm/Makefile.am b/doc/arm/Makefile.am index 31a06ebd29..5a13110956 100644 --- a/doc/arm/Makefile.am +++ b/doc/arm/Makefile.am @@ -37,6 +37,7 @@ EXTRA_DIST = \ ../misc/master.zoneopt.rst \ ../misc/mirror.zoneopt.rst \ ../misc/options.grammar.rst \ + ../misc/parentals.grammar.rst \ ../misc/primaries.grammar.rst \ ../misc/redirect.zoneopt.rst \ ../misc/server.grammar.rst \ diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 4f563d4ed2..d6a45551eb 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -280,6 +280,9 @@ The following statements are supported: ``options`` Controls global server configuration options and sets defaults for other statements. + ``parental-agents`` + Defines a named list of servers for inclusion in primary and secondary zones' ``parental-agents`` lists. + ``primaries`` Defines a named list of servers for inclusion in stub and secondary zones' ``primaries`` or ``also-notify`` lists. (Note: this is a synonym for the original keyword ``masters``, which can still be used, but is no longer the preferred terminology.) 
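Review bot: The `parental-agents` cases added to bin/tests/system/checkconf/good.conf (the top-level list "parents" in the previous hunk and the two zone blocks here) use only bare IPv4 addresses and a reference to the named list. None of them covers the `port`, `key` or `tls` forms that the grammar in this commit accepts. Those options determine how the exchange with a parental agent is addressed and protected, so the accepted-configuration test should parse at least one entry that uses them, for example `1.2.3.6 port 5300 key "KEYNAME";`. KEYNAME is a placeholder for a key the test configuration defines; whether good.conf already has a suitable key is not visible in this hunk. An IPv6 address entry would cover the remaining grammar branch.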
@@ -844,6 +847,21 @@ At ``debug`` level 4 or higher, the detailed context information logged at ``debug`` level 2 is logged for errors other than SERVFAIL and for negative responses such as NXDOMAIN. +.. _parentals_grammar: + +``parental-agents`` Statement Grammar +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. include:: ../misc/parentals.grammar.rst + +.. _parentals_statement: + +``parental-agents`` Statement Definition and Usage +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +``parental-agents`` lists allow for a common set of parental agents to be easily +used by multiple primary and secondary zones in their ``parental-agents`` lists. + .. _primaries_grammar: ``primaries`` Statement Grammar diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in index ac1a1555f9..4beb6c4604 100644 --- a/doc/man/named.conf.5in +++ b/doc/man/named.conf.5in @@ -535,6 +535,21 @@ options { .fi .UNINDENT .UNINDENT +.SS PARENTAL\-AGENTS +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +parental\-agents string [ port integer ] [ + dscp integer ] { ( remote\-servers | + ipv4_address [ port integer ] | + ipv6_address [ port integer ] ) [ key + string ] [ tls string ]; ... }; +.ft P +.fi +.UNINDENT +.UNINDENT .SS PLUGIN .INDENT 0.0 .INDENT 3.5 @@ -1029,6 +1044,10 @@ view string [ class ] { notify\-source\-v6 ( ipv6_address | * ) [ port ( integer | * ) ] [ dscp integer ]; notify\-to\-soa boolean; + parental\-agents [ port integer ] [ dscp integer ] { ( + remote\-servers | ipv4_address [ port integer ] | + ipv6_address [ port integer ] ) [ key string ] [ + tls string ]; ... }; primaries [ port integer ] [ dscp integer ] { ( remote\-servers | ipv4_address [ port integer ] | ipv6_address [ port integer ] ) [ key string ] [ 
@@ -1141,6 +1160,10 @@ zone string [ class ] { notify\-source\-v6 ( ipv6_address | * ) [ port ( integer | * ) ] [ dscp integer ]; notify\-to\-soa boolean; + parental\-agents [ port integer ] [ dscp integer ] { ( + remote\-servers | ipv4_address [ port integer ] | + ipv6_address [ port integer ] ) [ key string ] [ tls + string ]; ... }; primaries [ port integer ] [ dscp integer ] { ( remote\-servers | ipv4_address [ port integer ] | ipv6_address [ port integer ] ) [ key string ] [ tls diff --git a/doc/misc/master.zoneopt b/doc/misc/master.zoneopt index 45b905c545..6740613e8c 100644 --- a/doc/misc/master.zoneopt +++ b/doc/misc/master.zoneopt @@ -46,6 +46,7 @@ zone [ ] { notify-source ( | * ) [ port ( | * ) ] [ dscp ]; notify-source-v6 ( | * ) [ port ( | * ) ] [ dscp ]; notify-to-soa ; + parental-agents [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; serial-update-method ( date | increment | unixtime ); sig-signing-nodes ; sig-signing-signatures ; diff --git a/doc/misc/master.zoneopt.rst b/doc/misc/master.zoneopt.rst index 968e4b24b1..05243c40bc 100644 --- a/doc/misc/master.zoneopt.rst +++ b/doc/misc/master.zoneopt.rst @@ -48,6 +48,7 @@ notify-source ( | * ) [ port ( | * ) ] [ dscp ]; notify-source-v6 ( | * ) [ port ( | * ) ] [ dscp ]; notify-to-soa ; + parental-agents [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; serial-update-method ( date | increment | unixtime ); sig-signing-nodes ; sig-signing-signatures ; diff --git a/doc/misc/options b/doc/misc/options index e33917a6dc..87aa9e2f47 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -391,6 +391,12 @@ options { zone-statistics ( full | terse | none | ); }; +parental-agents [ port ] [ + dscp ] { ( | + [ port ] | + [ port ] ) [ key + ] [ tls ]; ... }; // may occur multiple times + plugin ( query ) [ { } ]; // may occur multiple times 
@@ -817,6 +823,10 @@ view [ ] { | * ) ] [ dscp ]; notify-to-soa ; nsec3-test-zone ; // test only + parental-agents [ port ] [ dscp ] { ( + | [ port ] | + [ port ] ) [ key ] [ + tls ]; ... }; primaries [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ @@ -921,6 +931,10 @@ zone [ ] { [ dscp ]; notify-to-soa ; nsec3-test-zone ; // test only + parental-agents [ port ] [ dscp ] { ( + | [ port ] | + [ port ] ) [ key ] [ tls + ]; ... }; primaries [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ tls diff --git a/doc/misc/options.active b/doc/misc/options.active index 49fd35e230..d8bb60f930 100644 --- a/doc/misc/options.active +++ b/doc/misc/options.active @@ -388,6 +388,12 @@ options { zone-statistics ( full | terse | none | ); }; +parental-agents [ port ] [ + dscp ] { ( | + [ port ] | + [ port ] ) [ key + ] [ tls ]; ... }; // may occur multiple times + plugin ( query ) [ { } ]; // may occur multiple times @@ -811,6 +817,10 @@ view [ ] { notify-source-v6 ( | * ) [ port ( | * ) ] [ dscp ]; notify-to-soa ; + parental-agents [ port ] [ dscp ] { ( + | [ port ] | + [ port ] ) [ key ] [ + tls ]; ... }; primaries [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ @@ -914,6 +924,10 @@ zone [ ] { notify-source-v6 ( | * ) [ port ( | * ) ] [ dscp ]; notify-to-soa ; + parental-agents [ port ] [ dscp ] { ( + | [ port ] | + [ port ] ) [ key ] [ tls + ]; ... }; primaries [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ tls diff --git a/doc/misc/parentals.grammar.rst b/doc/misc/parentals.grammar.rst new file mode 100644 index 0000000000..32cef5ae55 --- /dev/null +++ b/doc/misc/parentals.grammar.rst @@ -0,0 +1,7 @@ +:: + + parental-agents [ port ] [ dscp + ] { ( | + [ port ] | + [ port ] ) [ key + ] [ tls ]; ... }; diff --git a/doc/misc/slave.zoneopt b/doc/misc/slave.zoneopt index 490bb4637e..a7e7c713e3 100644 --- a/doc/misc/slave.zoneopt +++ b/doc/misc/slave.zoneopt 
@@ -45,6 +45,7 @@ zone [ ] { notify-source ( | * ) [ port ( | * ) ] [ dscp ]; notify-source-v6 ( | * ) [ port ( | * ) ] [ dscp ]; notify-to-soa ; + parental-agents [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; primaries [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; request-expire ; request-ixfr ; diff --git a/doc/misc/slave.zoneopt.rst b/doc/misc/slave.zoneopt.rst index d15501b7b5..48f9454c62 100644 --- a/doc/misc/slave.zoneopt.rst +++ b/doc/misc/slave.zoneopt.rst @@ -47,6 +47,7 @@ notify-source ( | * ) [ port ( | * ) ] [ dscp ]; notify-source-v6 ( | * ) [ port ( | * ) ] [ dscp ]; notify-to-soa ; + parental-agents [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; primaries [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; request-expire ; request-ixfr ; diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h index c417c25a8f..a981f0dd23 100644 --- a/lib/dns/include/dns/zone.h +++ b/lib/dns/include/dns/zone.h @@ -655,6 +655,27 @@ dns_zone_setprimaries(dns_zone_t *zone, const isc_sockaddr_t *primaries, *\li Any result dns_name_dup() can return, if keynames!=NULL */ +isc_result_t +dns_zone_setparentals(dns_zone_t *zone, const isc_sockaddr_t *parentals, + dns_name_t **keynames, dns_name_t **tlsnames, + uint32_t count); +/*%< + * Set the list of parental agents for the zone. + * + * Require: + *\li 'zone' to be a valid zone. + *\li 'parentals' array of isc_sockaddr_t with port set or NULL. + *\li 'count' the number of parentals. + *\li 'keynames' array of dns_name_t's for tsig keys or NULL. + * + *\li If 'parentals' is NULL then 'count' must be zero. + * + * Returns: + *\li #ISC_R_SUCCESS + *\li #ISC_R_NOMEMORY + *\li Any result dns_name_dup() can return, if keynames!=NULL + */ + isc_result_t dns_zone_setalsonotify(dns_zone_t *zone, const isc_sockaddr_t *notify, const isc_dscp_t *dscps, dns_name_t **keynames, 
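Review bot: In lib/dns/include/dns/zone.h, the contract comment for dns_zone_setparentals() never mentions 'tlsnames', although it is a parameter next to 'keynames'. Add a Require line such as `*\li 'tlsnames' array of dns_name_t's for tls configurations or NULL.`. If the TLS names are copied the same way as the key names (the implementation is not visible here), also widen the Returns line to `Any result dns_name_dup() can return, if keynames!=NULL or tlsnames!=NULL`. It would help to state that both arrays are expected to hold 'count' entries, presumably matched by index with 'parentals', since they carry the TSIG key and TLS settings used toward each agent. Separately, the grammar added in this commit accepts `dscp` for parental-agents, while this signature, unlike dns_zone_setalsonotify() just below, takes no dscp array; confirm the configured value is not silently dropped.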
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index a512e9a2cc..f45bfe0194 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -1114,6 +1114,7 @@ static cfg_clausedef_t namedconf_clauses[] = { { "lwres", NULL, CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_ANCIENT }, { "masters", &cfg_type_remoteservers, CFG_CLAUSEFLAG_MULTI }, { "options", &cfg_type_options, 0 }, + { "parental-agents", &cfg_type_remoteservers, CFG_CLAUSEFLAG_MULTI }, { "primaries", &cfg_type_remoteservers, CFG_CLAUSEFLAG_MULTI }, { "statistics-channels", &cfg_type_statschannels, CFG_CLAUSEFLAG_MULTI }, @@ -2318,6 +2319,8 @@ static cfg_clausedef_t zone_only_clauses[] = { { "masters", &cfg_type_namesockaddrkeylist, CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | CFG_ZONE_STUB | CFG_ZONE_REDIRECT }, + { "parental-agents", &cfg_type_namesockaddrkeylist, + CFG_ZONE_MASTER | CFG_ZONE_SLAVE }, { "primaries", &cfg_type_namesockaddrkeylist, CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | CFG_ZONE_STUB | CFG_ZONE_REDIRECT },