mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-29 13:38:26 +00:00
Code Issues Releases Wiki Activity

Merge branch 'master' of repo.isc.org:/proj/git/prod/bind9

Browse Source
This commit is contained in:
Jeremy C. Reed 2014-10-01 11:28:53 -05:00
commit 0b25d4d86a
283 changed files with 7538 additions and 2663 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

130
CHANGES
View File

@ -1,4 +1,126 @@
3931. [cleanup] Cleanup how dlz grammer is defined. [RT #36879]
3963. [test] Added NXRRSET test cases to the "dlzexternal"
system test. [RT #37344]
3962. [bug] 'dig +topdown +trace +sigchase' address unhandled error
conditions. [RT #34663]
3961. [bug] Forwarding of SIG(0) signed UPDATE messages failed with
BADSIG. [RT #37216]
3960. [bug] 'dig +sigchase' could loop forever. [RT #37220]
3959. [bug] Updates could be lost if they arrived immediately
after a rndc thaw. [RT #37233]
3958. [bug] Detect when writeable files have multiple references
in named.conf. [RT #37172]
3957. [bug] "dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256
and ECDSAP384SHA384. [RT #37183]
3956. [func] Notify messages are now rate limited by notify-rate and
startup-notify-rate instead of serial-query-rate.
[RT #24454]
3955. [bug] Notify messages due to changes are no longer queued
behind startup notify messages. [RT #24454]
3954. [bug] Unchecked mutex init in dlz_dlopen_driver.c [RT #37112]
3953. [bug] Don't escape semi-colon in TXT fields. [RT #37159]
3952. [bug] dns_name_fullcompare failed to set *nlabelsp when the
two name pointers were the same. [RT #37176]
3951. [func] Add the ability to set yet-to-be-defined EDNS flags
to dig (+ednsflags=#). [RT #37142]
3950. [port] Changed the bin/python Makefile to work around a
bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993]
3949. [experimental] Experimental support for draft-andrews-edns1 by sending
EDNS(1) queries (define DRAFT_ANDREWS_EDNS1 when
building). Add support for limiting the EDNS version
advertised to servers: server { edns-version 0; };
Log the EDNS version received in the query log.
[RT #35864]
3948. [port] solaris: RCVBUFSIZE was too large on Solaris with
--with-tuning=large. [RT #37059]
3947. [cleanup] Set the executable bit on libraries when using
libtool. [RT #36786]
3946. [cleanup] Improved "configure" search for a python interpreter.
[RT #36992]
3945. [bug] Invalid wildcard expansions could be incorrectly
accepted by the validator. [RT #37093]
3944. [test] Added a regression test for "server-id". [RT #37057]
3943. [func] SERVFAIL responses can now be cached for a
limited time (configured by "servfail-ttl",
default 10 seconds, limit 30). This can reduce
the frequency of retries when an authoritative
server is known to be failing, e.g., due to
ongoing DNSSEC validation problems. [RT #21347]
3942. [bug] Wildcard responses from a optout range should be
marked as insecure. [RT #37072]
3941. [doc] Include the BIND version number in the ARM. [RT #37067]
3940. [func] "rndc nta" now allows negative trust anchors to be
set for up to one week. [RT #37069]
3939. [func] Improve UPDATE forwarding performance by allowing TCP
connections to be shared. [RT #37039]
3938. [placeholder]
3937. [func] Added some debug logging to better indicate the
conditions causing SERVFAILs when resolving.
[RT #35538]
3936. [func] Added authoritative support for the EDNS Client
Subnet (ECS) option.
ACLs can now include "ecs" elements which specify
an address or network prefix; if an ECS option is
included in a DNS query, then the address encoded
in the option will be matched against "ecs" ACL
elements.
Also, if an ECS address is included in a query,
then it will be used instead of the client source
address when matching "geoip" ACL elements. This
behavior can be overridden with "geoip-use-ecs no;".
(Note: to enable "geoip" ACLs, use "configure
--with-geoip". This requires libGeoIP version
1.5.0 or higher.)
When "ecs" or "geoip" ACL elements are used to
select a view for a query, the response will include
an ECS option to indicate which client network the
answer is valid for.
(Thanks to Vincent Bernat.) [RT #36781]
3935. [bug] "geoip asnum" ACL elements would not match unless
the full organization name was specified. They
can now match against the AS number alone (e.g.,
AS1234). [RT #36945]
3934. [bug] Catch bad 'sit-secret' in named-checkconf. Improve
sit-secret documentation. [RT #36980]
3933. [bug] Corrected the implementation of dns_rdata_casecompare()
for the HIP rdata type. [RT #36911]
3932. [test] Improved named-checkconf tests. [RT #36911]
3931. [cleanup] Cleanup how dlz grammar is defined. [RT #36879]
3930. [bug] "rndc nta -r" could cause a server hang if the
NTA was not found. [RT #36909]
@ -23,7 +145,7 @@
retains DS and (if applicable) NSEC signatures.
[RT #36946]
3921. [bug] AD was inappopriately set on RPZ responses. [RT #36833]
3921. [bug] AD was inappropriately set on RPZ responses. [RT #36833]
3920. [doc] Added doc for masterfile-style. [RT #36823]
@ -64,7 +186,7 @@
3908. [bug] rndc now differentiates between a zone in multiple
views and a zone that doesn't exist at all. [RT #36691]
3907. [cleanup] Alphabetise rndc help. [RT #36683]
3907. [cleanup] Alphabetize rndc help. [RT #36683]
3906. [protocol] Update URI record format to comply with
draft-faltstrom-uri-08. [RT #36642]
@ -140,7 +262,7 @@
periodically to see whether data below them can be
validated, and if so, they will be allowed to
expire early. The "rndc nta -force" option
overrides this behvaior. The default NTA lifetime
overrides this behavior. The default NTA lifetime
and the recheck frequency can be configured by the
"nta-lifetime" and "nta-recheck" options. [RT #36146]

47
README
View File

@ -56,6 +56,25 @@ BIND 9.11.0
BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
releases. New features include:
- SERVFAIL responses can now be cached for a limited time
(defaulting to 10 seconds, with an upper limit of 30).
This can reduce the frequency of retries when a query is
persistently failing.
- The new "rndc nta" command can be used to set a "negative
trust anchor", disabling DNSSEC validation for a specific
domain; this can be used when responses from a domain are
known to be failing validation due to administrative error
rather than because of a spoofing attack. Negative trust
anchors are strictly temporary; by default they expire after
one hour, but can be configured to last up to one week.
- Update forwarding performance has been improved by allowing
a single TCP connection to be shared by multiple updates.
- The EDNS Client Subnet (ECS) option is now supported for
authoritative servers; if a query contains an ECS option
then ACLs containing "geoip" or "ecs" elements can match
against the the address encoded in the option. This can be
used to select a view for a query, so that different answers
can be provided depending on the client network.
- The EDNS EXPIRE option has been implemented on the client
side, allowing a slave server to set the expiration timer
correctly when transferring zone data from another slave
@ -68,12 +87,16 @@ BIND 9.11.0
- "dig +ttlunits" causes dig to print TTL values with time-unit
suffixes: w, d, h, m, s for weeks, days, hours, minutes, and
seconds.
- "serial-update-format" can now be set to "date". On update,
- "serial-update-method" can now be set to "date". On update,
the serial number will be set to the current date in YYYYMMDDNN
format.
- "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN.
- "named -L <filename>" causes named to send log messages to
the specified file by default instead of to the system log.
- dig can now set arbitary EDNS options on requests (+ednsopt).
- dig can now set yet-to-be-defined EDNS flags on requests (+ednsflags).
- serial-query-rate no longer covers NOTIFY messages. These are
seperately controlled by notity-rate and startup-notify-rate.
This release addresses the security flaw described in
CVE-2014-3214 and CVE-2014-3859.
@ -479,23 +502,29 @@ Change Log
Bug Reports and Mailing Lists
Bugs reports should be sent to
Bug reports should be sent to:
bind9-bugs@isc.org
To join the BIND Users mailing list, send mail to
Feature requests can be sent to:
bind-users-request@isc.org
bind-suggest@isc.org
archives of which can be found via
To join or view the archives of the BIND Users mailing list,
visit:
http://www.isc.org/ops/lists/
https://lists.isc.org/mailman/listinfo/bind-users
If you're planning on making changes to the BIND 9 source
code, you might want to join the BIND Workers mailing list.
Send mail to
code, you may also want to join the BIND Workers mailing
list:
bind-workers-request@isc.org
https://lists.isc.org/mailman/listinfo/bind-workers
Information on read-only Git access, coding style and developer
guidelines can be found at:
http://www.isc.org/git/
Acknowledgments

10
aclocal.m4 vendored
View File

@ -9,7 +9,9 @@ m4_divert_text(HELP_CANON, [[
and --localstatedir are /etc and /var, respectively.]])
m4_divert_text(HELP_END, [[
Professional support for BIND is provided by Internet Systems Consortium,
Inc., doing business as DNSco. Information about paid support options is
available at http://www.dns-co.com/solutions/. Free support is provided by
our user community via a mailing list. Information on public email lists
is available at https://www.isc.org/community/mailing-list/.]])
Inc. Information about paid support and training options is available at
https://www.isc.org/support.
Help can also often be found on the BIND Users mailing list
(https://lists.isc.org/mailman/listinfo/bind-users) or in the #bind
channel of the Freenode IRC service.]])

2
bin/check/Makefile.in
View File

@ -70,7 +70,7 @@ named-checkzone.@O@: named-checkzone.c
-c ${srcdir}/named-checkzone.c
named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \
${ISCCFGDEPLIBS} ${BIND9DEPLIBS}
${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${BIND9DEPLIBS}
export BASEOBJS="named-checkconf.@O@ check-tool.@O@"; \
export LIBS0="${BIND9LIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \
${FINALBUILDCMD}

10
bin/check/named-checkconf.html
View File

@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-p</code>] [<code class="option">-x</code>] [<code class="option">-z</code>]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543402"></a><h2>DESCRIPTION</h2>
<a name="id2543411"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkconf</strong></span>
checks the syntax, but not the semantics, of a
<span><strong class="command">named</strong></span> configuration file. The file is parsed
@ -52,7 +52,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543451"></a><h2>OPTIONS</h2>
<a name="id2543460"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-h</span></dt>
<dd><p>
@ -101,21 +101,21 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543595"></a><h2>RETURN VALUES</h2>
<a name="id2543604"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkconf</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543607"></a><h2>SEE ALSO</h2>
<a name="id2543616"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543637"></a><h2>AUTHOR</h2>
<a name="id2543645"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

2
bin/check/named-checkzone.8
View File

@ -266,7 +266,7 @@ so that include directives in the configuration file are processed as if run by
.PP
\-T \fImode\fR
.RS 4
Check if Sender Policy Framework records (TXT and SPF) both exist or both don't exist. A warning is issued if they don't match. Possible modes are
Check if Sender Policy Framework (SPF) records exist and issues a warning if an SPF\-formatted TXT record is not also present. Possible modes are
\fB"warn"\fR
(default),
\fB"ignore"\fR.

8
bin/check/named-checkzone.docbook
View File

@ -440,10 +440,10 @@
<term>-T <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Check if Sender Policy Framework records (TXT and SPF)
both exist or both don't exist. A warning is issued
if they don't match. Possible modes are
<command>"warn"</command> (default), <command>"ignore"</command>.
Check if Sender Policy Framework (SPF) records exist
and issues a warning if an SPF-formatted TXT record is
not also present. Possible modes are <command>"warn"</command>
(default), <command>"ignore"</command>.
</para>
</listitem>
</varlistentry>

18
bin/check/named-checkzone.html
View File

@ -33,7 +33,7 @@
<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-J <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543776"></a><h2>DESCRIPTION</h2>
<a name="id2543784"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkzone</strong></span>
checks the syntax and integrity of a zone file. It performs the
same checks as <span><strong class="command">named</strong></span> does when loading a
@ -53,7 +53,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543811"></a><h2>OPTIONS</h2>
<a name="id2543819"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-d</span></dt>
<dd><p>
@ -249,10 +249,10 @@
</p></dd>
<dt><span class="term">-T <em class="replaceable"><code>mode</code></em></span></dt>
<dd><p>
Check if Sender Policy Framework records (TXT and SPF)
both exist or both don't exist. A warning is issued
if they don't match. Possible modes are
<span><strong class="command">"warn"</strong></span> (default), <span><strong class="command">"ignore"</strong></span>.
Check if Sender Policy Framework (SPF) records exist
and issues a warning if an SPF-formatted TXT record is
not also present. Possible modes are <span><strong class="command">"warn"</strong></span>
(default), <span><strong class="command">"ignore"</strong></span>.
</p></dd>
<dt><span class="term">-w <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
@ -287,14 +287,14 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2544633"></a><h2>RETURN VALUES</h2>
<a name="id2544710"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkzone</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544713"></a><h2>SEE ALSO</h2>
<a name="id2544722"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
<em class="citetitle">RFC 1035</em>,
@ -302,7 +302,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544746"></a><h2>AUTHOR</h2>
<a name="id2544755"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

8
bin/confgen/ddns-confgen.html
View File

@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">ddns-confgen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-q</code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [ -s <em class="replaceable"><code>name</code></em> | -z <em class="replaceable"><code>zone</code></em> ]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543426"></a><h2>DESCRIPTION</h2>
<a name="id2543434"></a><h2>DESCRIPTION</h2>
<p>
<span><strong class="command">tsig-keygen</strong></span> and <span><strong class="command">ddns-confgen</strong></span>
are invocation methods for a utility that generates keys for use
@ -68,7 +68,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543499"></a><h2>OPTIONS</h2>
<a name="id2543508"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
@ -140,7 +140,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543697"></a><h2>SEE ALSO</h2>
<a name="id2543705"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@ -148,7 +148,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543735"></a><h2>AUTHOR</h2>
<a name="id2543744"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

10
bin/confgen/rndc-confgen.html
View File

@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code> [<code class="option">-a</code>] [<code class="option">-A <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543447"></a><h2>DESCRIPTION</h2>
<a name="id2543456"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">rndc-confgen</strong></span>
generates configuration files
for <span><strong class="command">rndc</strong></span>. It can be used as a
@ -48,7 +48,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543492"></a><h2>OPTIONS</h2>
<a name="id2543500"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd>
@ -162,7 +162,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543822"></a><h2>EXAMPLES</h2>
<a name="id2543831"></a><h2>EXAMPLES</h2>
<p>
To allow <span><strong class="command">rndc</strong></span> to be used with
no manual configuration, run
@ -179,7 +179,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543864"></a><h2>SEE ALSO</h2>
<a name="id2543873"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@ -187,7 +187,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543902"></a><h2>AUTHOR</h2>
<a name="id2543911"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

12
bin/delv/delv.html
View File

@ -35,7 +35,7 @@
<div class="cmdsynopsis"><p><code class="command">delv</code> [queryopt...] [query...]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543489"></a><h2>DESCRIPTION</h2>
<a name="id2543497"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">delv</strong></span>
(Domain Entity Lookup &amp; Validation) is a tool for sending
DNS queries and validating the results, using the the same internal
@ -78,7 +78,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543542"></a><h2>SIMPLE USAGE</h2>
<a name="id2543550"></a><h2>SIMPLE USAGE</h2>
<p>
A typical invocation of <span><strong class="command">delv</strong></span> looks like:
</p>
@ -133,7 +133,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543651"></a><h2>OPTIONS</h2>
<a name="id2543659"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>anchor-file</code></em></span></dt>
<dd>
@ -267,7 +267,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2544151"></a><h2>QUERY OPTIONS</h2>
<a name="id2544160"></a><h2>QUERY OPTIONS</h2>
<p><span><strong class="command">delv</strong></span>
provides a number of query options which affect the way results are
displayed, and in some cases the way lookups are performed.
@ -447,12 +447,12 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544637"></a><h2>FILES</h2>
<a name="id2544646"></a><h2>FILES</h2>
<p><code class="filename">/etc/bind.keys</code></p>
<p><code class="filename">/etc/resolv.conf</code></p>
</div>
<div class="refsect1" lang="en">
<a name="id2544652"></a><h2>SEE ALSO</h2>
<a name="id2544661"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<em class="citetitle">RFC4034</em>,

5
bin/dig/dig.1
View File

@ -356,6 +356,11 @@ Specify the EDNS version to query with. Valid values are 0 to 255. Setting the E
clears the remembered EDNS version. EDNS is set to 0 by default.
.RE
.PP
\fB+[no]ednsflags[=#]\fR
.RS 4
Set the must\-be\-zero EDNS flags bits (Z bits) to the specified value. Decimal, hex and octal encodings are accepted. Setting a named flag (e.g. DO) will silently be ignored. By default, no Z bits are set.
.RE
.PP
\fB+[no]ednsopt[=code[:value]]\fR
.RS 4
Specify EDNS option with code point

20
bin/dig/dig.c
View File

@ -192,6 +192,7 @@ help(void) {
" +ndots=### (Set NDOTS value)\n"
" +subnet=addr (Set edns-client-subnet option)\n"
" +[no]edns[=###] (Set EDNS version) [0]\n"
" +ednsflags=### (Set EDNS flag bits)\n"
" +ednsopt=###[:value] (Send specified EDNS option)\n"
" +noednsopt (Clear list of +ednsopt options)\n"
" +[no]search (Set whether to use searchlist)\n"
@ -960,6 +961,25 @@ plus_option(char *option, isc_boolean_t is_batchfile,
"edns");
lookup->edns = num;
break;
case 'f':
FULLCHECK("ednsflags");
if (!state) {
lookup->ednsflags = 0;
break;
}
if (value == NULL) {
lookup->ednsflags = 0;
break;
}
result = parse_xint(&num,
value,
0xffff,
"ednsflags");
if (result != ISC_R_SUCCESS)
fatal("Couldn't parse "
"ednsflags");
lookup->ednsflags = num;
break;
case 'o':
FULLCHECK("ednsopt");
if (!state) {

12
bin/dig/dig.docbook
View File

@ -578,6 +578,18 @@
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]ednsflags[=#]</option></term>
<listitem>
<para>
Set the must-be-zero EDNS flags bits (Z bits) to the
specified value. Decimal, hex and octal encodings are
accepted. Setting a named flag (e.g. DO) will silently be
ignored. By default, no Z bits are set.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]ednsopt[=code[:value]]</option></term>
<listitem>

25
bin/dig/dig.html
View File

@ -34,7 +34,7 @@
<div class="cmdsynopsis"><p><code class="command">dig</code> [global-queryopt...] [query...]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543536"></a><h2>DESCRIPTION</h2>
<a name="id2543544"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dig</strong></span>
(domain information groper) is a flexible tool
for interrogating DNS name servers. It performs DNS lookups and
@ -81,7 +81,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543614"></a><h2>SIMPLE USAGE</h2>
<a name="id2543623"></a><h2>SIMPLE USAGE</h2>
<p>
A typical invocation of <span><strong class="command">dig</strong></span> looks like:
</p>
@ -134,7 +134,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543718"></a><h2>OPTIONS</h2>
<a name="id2543726"></a><h2>OPTIONS</h2>
<p>
The <code class="option">-b</code> option sets the source IP address of the query
to <em class="parameter"><code>address</code></em>. This must be a valid
@ -242,7 +242,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544009"></a><h2>QUERY OPTIONS</h2>
<a name="id2544018"></a><h2>QUERY OPTIONS</h2>
<p><span><strong class="command">dig</strong></span>
provides a number of query options which affect
the way in which lookups are made and the results displayed. Some of
@ -384,6 +384,13 @@
clears the remembered EDNS version. EDNS is set to
0 by default.
</p></dd>
<dt><span class="term"><code class="option">+[no]ednsflags[=#]</code></span></dt>
<dd><p>
Set the must-be-zero EDNS flags bits (Z bits) to the
specified value. Decimal, hex and octal encodings are
accepted. Setting a named flag (e.g. DO) will silently be
ignored. By default, no Z bits are set.
</p></dd>
<dt><span class="term"><code class="option">+[no]ednsopt[=code[:value]]</code></span></dt>
<dd><p>
Specify EDNS option with code point <code class="option">code</code>
@ -637,7 +644,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2545276"></a><h2>MULTIPLE QUERIES</h2>
<a name="id2545299"></a><h2>MULTIPLE QUERIES</h2>
<p>
The BIND 9 implementation of <span><strong class="command">dig </strong></span>
supports
@ -683,7 +690,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2545338"></a><h2>IDN SUPPORT</h2>
<a name="id2545361"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@ -697,14 +704,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2545361"></a><h2>FILES</h2>
<a name="id2545383"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
<p><code class="filename">${HOME}/.digrc</code>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2545378"></a><h2>SEE ALSO</h2>
<a name="id2545400"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
@ -712,7 +719,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2545415"></a><h2>BUGS</h2>
<a name="id2545437"></a><h2>BUGS</h2>
<p>
There are probably too many query options.
</p>

283
bin/dig/dighost.c
View File

@ -56,6 +56,7 @@
#include <dns/log.h>
#include <dns/message.h>
#include <dns/name.h>
#include <dns/rcode.h>
#include <dns/rdata.h>
#include <dns/rdataclass.h>
#include <dns/rdatalist.h>
@ -782,6 +783,7 @@ make_empty_lookup(void) {
looknew->servfail_stops = ISC_TRUE;
looknew->besteffort = ISC_TRUE;
looknew->dnssec = ISC_FALSE;
looknew->ednsflags = 0;
looknew->expire = ISC_FALSE;
looknew->nsid = ISC_FALSE;
#ifdef ISC_PLATFORM_USESIT
@ -876,6 +878,7 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
looknew->servfail_stops = lookold->servfail_stops;
looknew->besteffort = lookold->besteffort;
looknew->dnssec = lookold->dnssec;
looknew->ednsflags = lookold->ednsflags;
looknew->expire = lookold->expire;
looknew->nsid = lookold->nsid;
#ifdef ISC_PLATFORM_USESIT
@ -1012,11 +1015,11 @@ setup_text_key(void) {
isc_buffer_free(&namebuf);
}
isc_result_t
parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
const char *desc) {
static isc_result_t
parse_uint_helper(isc_uint32_t *uip, const char *value, isc_uint32_t max,
const char *desc, int base) {
isc_uint32_t n;
isc_result_t result = isc_parse_uint32(&n, value, 10);
isc_result_t result = isc_parse_uint32(&n, value, base);
if (result == ISC_R_SUCCESS && n > max)
result = ISC_R_RANGE;
if (result != ISC_R_SUCCESS) {
@ -1028,6 +1031,18 @@ parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
return (ISC_R_SUCCESS);
}
isc_result_t
parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
const char *desc) {
return (parse_uint_helper(uip, value, max, desc, 10));
}
isc_result_t
parse_xint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
const char *desc) {
return (parse_uint_helper(uip, value, max, desc, 0));
}
static isc_uint32_t
parse_bits(char *arg, const char *desc, isc_uint32_t max) {
isc_result_t result;
@ -1549,15 +1564,12 @@ save_opt(dig_lookup_t *lookup, char *code, char *value) {
*/
static void
add_opt(dns_message_t *msg, isc_uint16_t udpsize, isc_uint16_t edns,
isc_boolean_t dnssec, dns_ednsopt_t *ednsopts, size_t count)
unsigned int flags, dns_ednsopt_t *ednsopts, size_t count)
{
dns_rdataset_t *rdataset = NULL;
isc_result_t result;
unsigned int flags = 0;
debug("add_opt()");
if (dnssec)
flags |= DNS_MESSAGEEXTFLAG_DO;
result = dns_message_buildopt(msg, &rdataset, edns, udpsize, flags,
ednsopts, count);
check_result(result, "dns_message_buildopt");
@ -2451,6 +2463,7 @@ setup_lookup(dig_lookup_t *lookup) {
lookup->edns > -1 || lookup->ecs_addr != NULL)
{
dns_ednsopt_t opts[EDNSOPTS + DNS_EDNSOPTIONS];
unsigned int flags;
int i = 0;
if (lookup->udpsize == 0)
@ -2543,8 +2556,12 @@ setup_lookup(dig_lookup_t *lookup) {
i += lookup->ednsoptscnt;
}
flags = lookup->ednsflags;
flags &= ~DNS_MESSAGEEXTFLAG_DO;
if (lookup->dnssec)
flags |= DNS_MESSAGEEXTFLAG_DO;
add_opt(lookup->sendmsg, lookup->udpsize,
lookup->edns, lookup->dnssec, opts, i);
lookup->edns, flags, opts, i);
}
result = dns_message_rendersection(lookup->sendmsg,
@ -4473,6 +4490,9 @@ chase_scanname_section(dns_message_t *msg, dns_name_t *name,
dns_rdataset_t *rdataset;
dns_name_t *msg_name = NULL;
if (msg->counts[section] == 0)
return (NULL);
do {
dns_message_currentname(msg, section, &msg_name);
if (dns_name_compare(msg_name, name) == 0) {
@ -4679,8 +4699,8 @@ get_trusted_key(isc_mem_t *mctx)
dns_rdatacallbacks_init_stdio(&callbacks);
callbacks.add = insert_trustedkey;
return (dns_master_loadfile(filename, dns_rootname, dns_rootname,
current_lookup->rdclass, 0, &callbacks,
mctx));
current_lookup->rdclass, DNS_MASTER_NOTTL,
&callbacks, mctx));
}
@ -4880,36 +4900,36 @@ child_of_zone(dns_name_t * name, dns_name_t * zone_name,
}
isc_result_t
grandfather_pb_test(dns_name_t *zone_name, dns_rdataset_t *sigrdataset)
{
isc_result_t result;
dns_rdata_t sigrdata = DNS_RDATA_INIT;
grandfather_pb_test(dns_name_t *zone_name, dns_rdataset_t *sigrdataset) {
dns_rdata_sig_t siginfo;
dns_rdataset_t mysigrdataset;
isc_result_t result;
result = dns_rdataset_first(sigrdataset);
dns_rdataset_init(&mysigrdataset);
dns_rdataset_clone(sigrdataset, &mysigrdataset);
result = dns_rdataset_first(&mysigrdataset);
check_result(result, "empty RRSIG dataset");
dns_rdata_init(&sigrdata);
do {
dns_rdataset_current(sigrdataset, &sigrdata);
dns_rdata_t sigrdata = DNS_RDATA_INIT;
dns_rdataset_current(&mysigrdataset, &sigrdata);
result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
check_result(result, "sigrdata tostruct siginfo");
if (dns_name_compare(&siginfo.signer, zone_name) == 0) {
dns_rdata_freestruct(&siginfo);
dns_rdata_reset(&sigrdata);
return (ISC_R_SUCCESS);
result = ISC_R_SUCCESS;
goto cleanup;
}
} while (dns_rdataset_next(&mysigrdataset) == ISC_R_SUCCESS);
dns_rdata_freestruct(&siginfo);
dns_rdata_reset(&sigrdata);
result = ISC_R_FAILURE;
cleanup:
dns_rdataset_disassociate(&mysigrdataset);
} while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS);
dns_rdata_reset(&sigrdata);
return (ISC_R_FAILURE);
return (result);
}
@ -4989,26 +5009,30 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset,
dns_rdataset_t *sigrdataset,
isc_mem_t *mctx)
{
isc_result_t result;
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_t myrdataset;
dst_key_t *dnsseckey = NULL;
int i;
isc_result_t result;
if (name == NULL || rdataset == NULL)
return (ISC_R_FAILURE);
result = dns_rdataset_first(rdataset);
dns_rdataset_init(&myrdataset);
dns_rdataset_clone(rdataset, &myrdataset);
result = dns_rdataset_first(&myrdataset);
check_result(result, "empty rdataset");
do {
dns_rdataset_current(rdataset, &rdata);
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_current(&myrdataset, &rdata);
INSIST(rdata.type == dns_rdatatype_dnskey);
result = dns_dnssec_keyfromrdata(name, &rdata,
mctx, &dnsseckey);
check_result(result, "dns_dnssec_keyfromrdata");
for (i = 0; i < tk_list.nb_tk; i++) {
if (dst_key_compare(tk_list.key[i], dnsseckey)
== ISC_TRUE) {
@ -5017,22 +5041,21 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset,
printf(";; Ok, find a Trusted Key in the "
"DNSKEY RRset: %d\n",
dst_key_id(dnsseckey));
if (sigchase_verify_sig_key(name, rdataset,
dnsseckey,
sigrdataset,
mctx)
== ISC_R_SUCCESS) {
dst_key_free(&dnsseckey);
dnsseckey = NULL;
return (ISC_R_SUCCESS);
}
result = sigchase_verify_sig_key(name, rdataset,
dnsseckey,
sigrdataset,
mctx);
if (result == ISC_R_SUCCESS)
goto cleanup;
}
}
dst_key_free(&dnsseckey);
} while (dns_rdataset_next(&myrdataset) == ISC_R_SUCCESS);
dns_rdata_reset(&rdata);
if (dnsseckey != NULL)
dst_key_free(&dnsseckey);
} while (dns_rdataset_next(rdataset) == ISC_R_SUCCESS);
cleanup:
if (dnsseckey != NULL)
dst_key_free(&dnsseckey);
dns_rdataset_disassociate(&myrdataset);
return (ISC_R_NOTFOUND);
}
@ -5043,16 +5066,20 @@ sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset,
dns_rdataset_t *sigrdataset,
isc_mem_t *mctx)
{
isc_result_t result;
dns_rdata_t keyrdata = DNS_RDATA_INIT;
dns_rdataset_t mykeyrdataset;
dst_key_t *dnsseckey = NULL;
isc_result_t result;
result = dns_rdataset_first(keyrdataset);
dns_rdataset_init(&mykeyrdataset);
dns_rdataset_clone(keyrdataset, &mykeyrdataset);
result = dns_rdataset_first(&mykeyrdataset);
check_result(result, "empty DNSKEY dataset");
dns_rdata_init(&keyrdata);
do {
dns_rdataset_current(keyrdataset, &keyrdata);
dns_rdata_t keyrdata = DNS_RDATA_INIT;
dns_rdataset_current(&mykeyrdataset, &keyrdata);
INSIST(keyrdata.type == dns_rdatatype_dnskey);
result = dns_dnssec_keyfromrdata(name, &keyrdata,
@ -5061,18 +5088,19 @@ sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset,
result = sigchase_verify_sig_key(name, rdataset, dnsseckey,
sigrdataset, mctx);
if (result == ISC_R_SUCCESS) {
dns_rdata_reset(&keyrdata);
dst_key_free(&dnsseckey);
return (ISC_R_SUCCESS);
}
if (result == ISC_R_SUCCESS)
goto cleanup;
dst_key_free(&dnsseckey);
dns_rdata_reset(&keyrdata);
} while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS);
} while (dns_rdataset_next(&mykeyrdataset) == ISC_R_SUCCESS);
dns_rdata_reset(&keyrdata);
result = ISC_R_NOTFOUND;
return (ISC_R_NOTFOUND);
cleanup:
if (dnsseckey != NULL)
dst_key_free(&dnsseckey);
dns_rdataset_disassociate(&mykeyrdataset);
return (result);
}
isc_result_t
@ -5080,16 +5108,23 @@ sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset,
dst_key_t *dnsseckey, dns_rdataset_t *sigrdataset,
isc_mem_t *mctx)
{
isc_result_t result;
dns_rdata_t sigrdata = DNS_RDATA_INIT;
dns_rdata_sig_t siginfo;
dns_rdataset_t myrdataset;
dns_rdataset_t mysigrdataset;
isc_result_t result;
result = dns_rdataset_first(sigrdataset);
dns_rdataset_init(&myrdataset);
dns_rdataset_clone(rdataset, &myrdataset);
dns_rdataset_init(&mysigrdataset);
dns_rdataset_clone(sigrdataset, &mysigrdataset);
result = dns_rdataset_first(&mysigrdataset);
check_result(result, "empty RRSIG dataset");
dns_rdata_init(&sigrdata);
do {
dns_rdataset_current(sigrdataset, &sigrdata);
dns_rdata_t sigrdata = DNS_RDATA_INIT;
dns_rdataset_current(&mysigrdataset, &sigrdata);
result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
check_result(result, "sigrdata tostruct siginfo");
@ -5100,10 +5135,10 @@ sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset,
*/
if (siginfo.keyid == dst_key_id(dnsseckey)) {
result = dns_rdataset_first(rdataset);
result = dns_rdataset_first(&myrdataset);
check_result(result, "empty DS dataset");
result = dns_dnssec_verify(name, rdataset, dnsseckey,
result = dns_dnssec_verify(name, &myrdataset, dnsseckey,
ISC_FALSE, mctx, &sigrdata);
printf(";; VERIFYING ");
@ -5113,19 +5148,18 @@ sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset,
printf(" with DNSKEY:%d: %s\n", dst_key_id(dnsseckey),
isc_result_totext(result));
if (result == ISC_R_SUCCESS) {
dns_rdata_reset(&sigrdata);
return (result);
}
if (result == ISC_R_SUCCESS)
goto cleanup;
}
dns_rdata_freestruct(&siginfo);
dns_rdata_reset(&sigrdata);
} while (dns_rdataset_next(&mysigrdataset) == ISC_R_SUCCESS);
} while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS);
result = ISC_R_NOTFOUND;
dns_rdata_reset(&sigrdata);
cleanup:
dns_rdataset_disassociate(&myrdataset);
dns_rdataset_disassociate(&mysigrdataset);
return (ISC_R_NOTFOUND);
return (result);
}
@ -5133,27 +5167,35 @@ isc_result_t
sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
dns_rdataset_t *dsrdataset, isc_mem_t *mctx)
{
isc_result_t result;
dns_rdata_t keyrdata = DNS_RDATA_INIT;
dns_rdata_t newdsrdata = DNS_RDATA_INIT;
dns_rdata_t dsrdata = DNS_RDATA_INIT;
dns_rdata_ds_t dsinfo;
dns_rdataset_t mydsrdataset;
dns_rdataset_t mykeyrdataset;
dst_key_t *dnsseckey = NULL;
isc_result_t result;
unsigned char dsbuf[DNS_DS_BUFFERSIZE];
result = dns_rdataset_first(dsrdataset);
dns_rdataset_init(&mydsrdataset);
dns_rdataset_clone(dsrdataset, &mydsrdataset);
dns_rdataset_init(&mykeyrdataset);
dns_rdataset_clone(keyrdataset, &mykeyrdataset);
result = dns_rdataset_first(&mydsrdataset);
check_result(result, "empty DSset dataset");
do {
dns_rdataset_current(dsrdataset, &dsrdata);
dns_rdata_t dsrdata = DNS_RDATA_INIT;
dns_rdataset_current(&mydsrdataset, &dsrdata);
result = dns_rdata_tostruct(&dsrdata, &dsinfo, NULL);
check_result(result, "dns_rdata_tostruct for DS");
result = dns_rdataset_first(keyrdataset);
result = dns_rdataset_first(&mykeyrdataset);
check_result(result, "empty KEY dataset");
do {
dns_rdataset_current(keyrdataset, &keyrdata);
dns_rdata_t keyrdata = DNS_RDATA_INIT;
dns_rdataset_current(&mykeyrdataset, &keyrdata);
INSIST(keyrdata.type == dns_rdatatype_dnskey);
result = dns_dnssec_keyfromrdata(name, &keyrdata,
@ -5165,6 +5207,7 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
* id of DNSKEY referenced by the DS
*/
if (dsinfo.key_tag == dst_key_id(dnsseckey)) {
dns_rdata_t newdsrdata = DNS_RDATA_INIT;
result = dns_ds_buildrdata(name, &keyrdata,
dsinfo.digest_type,
@ -5172,14 +5215,9 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
dns_rdata_freestruct(&dsinfo);
if (result != ISC_R_SUCCESS) {
dns_rdata_reset(&keyrdata);
dns_rdata_reset(&newdsrdata);
dns_rdata_reset(&dsrdata);
dst_key_free(&dnsseckey);
dns_rdata_freestruct(&dsinfo);
printf("Oops: impossible to build"
" new DS rdata\n");
return (result);
goto cleanup;
}
@ -5196,34 +5234,26 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
dnsseckey,
chase_sigkeyrdataset,
mctx);
if (result == ISC_R_SUCCESS) {
dns_rdata_reset(&keyrdata);
dns_rdata_reset(&newdsrdata);
dns_rdata_reset(&dsrdata);
dst_key_free(&dnsseckey);
return (result);
}
if (result == ISC_R_SUCCESS)
goto cleanup;
} else {
printf(";; This DS is NOT the DS for"
" the chasing KEY: FAILED\n");
}
dns_rdata_reset(&newdsrdata);
}
dst_key_free(&dnsseckey);
dns_rdata_reset(&keyrdata);
dnsseckey = NULL;
} while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS);
dns_rdata_reset(&dsrdata);
} while (dns_rdataset_next(&mykeyrdataset) == ISC_R_SUCCESS);
} while (dns_rdataset_next(&mydsrdataset) == ISC_R_SUCCESS);
} while (dns_rdataset_next(chase_dsrdataset) == ISC_R_SUCCESS);
result = ISC_R_NOTFOUND;
dns_rdata_reset(&keyrdata);
dns_rdata_reset(&newdsrdata);
dns_rdata_reset(&dsrdata);
cleanup:
if (dnsseckey != NULL)
dst_key_free(&dnsseckey);
dns_rdataset_disassociate(&mydsrdataset);
dns_rdataset_disassociate(&mykeyrdataset);
return (ISC_R_NOTFOUND);
return (result);
}
/*
@ -5271,6 +5301,20 @@ sigchase_td(dns_message_t *msg)
isc_boolean_t have_answer = ISC_FALSE;
isc_boolean_t true = ISC_TRUE;
if (msg->rcode != dns_rcode_noerror &&
msg->rcode != dns_rcode_nxdomain) {
char buf[20];
isc_buffer_t b;
isc_buffer_init(&b, buf, sizeof(buf));
result = dns_rcode_totext(msg->rcode, &b);
check_result(result, "dns_rcode_totext failed");
printf("error response code %.*s\n",
(int)isc_buffer_usedlength(&b), buf);
error_message = msg;
return;
}
if ((result = dns_message_firstname(msg, DNS_SECTION_ANSWER))
== ISC_R_SUCCESS) {
dns_message_currentname(msg, DNS_SECTION_ANSWER, &name);
@ -5283,10 +5327,13 @@ sigchase_td(dns_message_t *msg)
if (!current_lookup->trace_root_sigchase) {
result = dns_message_firstname(msg,
DNS_SECTION_AUTHORITY);
if (result == ISC_R_SUCCESS)
dns_message_currentname(msg,
DNS_SECTION_AUTHORITY,
&name);
if (result != ISC_R_SUCCESS) {
printf("no answer or authority section\n");
error_message = msg;
return;
}
dns_message_currentname(msg, DNS_SECTION_AUTHORITY,
&name);
chase_nsrdataset
= chase_scanname_section(msg, name,
dns_rdatatype_ns,
@ -5296,7 +5343,7 @@ sigchase_td(dns_message_t *msg)
if (chase_nsrdataset != NULL) {
have_delegation_ns = ISC_TRUE;
printf("no response but there is a delegation"
" in authority section:");
" in authority section: ");
dns_name_print(name, stdout);
printf("\n");
} else {
@ -5706,7 +5753,7 @@ getneededrr(dns_message_t *msg)
dns_rdatatype_dnskey,
&chase_sigkeylookedup);
if (result == ISC_R_FAILURE) {
printf("\n;; RRSIG for DNSKEY is missing to continue"
printf("\n;; RRSIG for DNSKEY is missing to continue"
" validation : FAILED\n\n");
free_name(&chase_signame, mctx);
if (dns_name_dynamic(&chase_name))
@ -5726,9 +5773,8 @@ getneededrr(dns_message_t *msg)
if (chase_dsrdataset == NULL) {
result = advanced_rrsearch(&chase_dsrdataset, &chase_signame,
dns_rdatatype_ds,
dns_rdatatype_any,
&chase_dslookedup);
dns_rdatatype_ds, dns_rdatatype_any,
&chase_dslookedup);
if (result == ISC_R_FAILURE) {
printf("\n;; WARNING There is no DS for the zone: ");
dns_name_print(&chase_signame, stdout);
@ -6016,7 +6062,6 @@ prove_nx_domain(dns_message_t *msg,
result = dns_rdataset_next(nsecset)) {
dns_rdataset_current(nsecset, &nsec);
signsecset
= chase_scanname_section(msg, nsecname,
dns_rdatatype_rrsig,

8
bin/dig/host.html
View File

@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">host</code> [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-v</code>] [<code class="option">-V</code>] {name} [server]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543446"></a><h2>DESCRIPTION</h2>
<a name="id2543454"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">host</strong></span>
is a simple utility for performing DNS lookups.
It is normally used to convert names to IP addresses and vice versa.
@ -196,7 +196,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543844"></a><h2>IDN SUPPORT</h2>
<a name="id2543852"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">host</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@ -210,12 +210,12 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543866"></a><h2>FILES</h2>
<a name="id2543875"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543878"></a><h2>SEE ALSO</h2>
<a name="id2543886"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
</p>

5
bin/dig/include/dig/dig.h
View File

@ -196,6 +196,7 @@ isc_boolean_t sigchase;
dns_ednsopt_t *ednsopts;
unsigned int ednsoptscnt;
isc_dscp_t dscp;
unsigned int ednsflags;
};
/*% The dig_query structure */
@ -351,6 +352,10 @@ isc_result_t
parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
const char *desc);
isc_result_t
parse_xint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
const char *desc);
isc_result_t
parse_netprefix(isc_sockaddr_t **sap, const char *value);

14
bin/dig/nslookup.html
View File

@ -21,7 +21,7 @@
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="id2476275"></a><div class="titlepage"></div>
<a name="id2476283"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>nslookup &#8212; query Internet name servers interactively</p>
@ -31,7 +31,7 @@
<div class="cmdsynopsis"><p><code class="command">nslookup</code> [<code class="option">-option</code>] [name | -] [server]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543433"></a><h2>DESCRIPTION</h2>
<a name="id2543442"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">Nslookup</strong></span>
is a program to query Internet domain name servers. <span><strong class="command">Nslookup</strong></span>
has two modes: interactive and non-interactive. Interactive mode allows
@ -43,7 +43,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543449"></a><h2>ARGUMENTS</h2>
<a name="id2543458"></a><h2>ARGUMENTS</h2>
<p>
Interactive mode is entered in the following cases:
</p>
@ -83,7 +83,7 @@ nslookup -query=hinfo -timeout=10
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543504"></a><h2>INTERACTIVE COMMANDS</h2>
<a name="id2543512"></a><h2>INTERACTIVE COMMANDS</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="constant">host</code> [<span class="optional">server</span>]</span></dt>
<dd>
@ -299,19 +299,19 @@ nslookup -query=hinfo -timeout=10
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2546317"></a><h2>FILES</h2>
<a name="id2546326"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2546329"></a><h2>SEE ALSO</h2>
<a name="id2546338"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2546363"></a><h2>Author</h2>
<a name="id2546372"></a><h2>Author</h2>
<p>
Andrew Cherenson
</p>

14
bin/dnssec/dnssec-dsfromkey.html
View File

@ -33,14 +33,14 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-h</code>] [<code class="option">-V</code>]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543506"></a><h2>DESCRIPTION</h2>
<a name="id2543514"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-dsfromkey</strong></span>
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543517"></a><h2>OPTIONS</h2>
<a name="id2543526"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-1</span></dt>
<dd><p>
@ -125,7 +125,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543771"></a><h2>EXAMPLE</h2>
<a name="id2543780"></a><h2>EXAMPLE</h2>
<p>
To build the SHA-256 DS RR from the
<strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
@ -140,7 +140,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543801"></a><h2>FILES</h2>
<a name="id2543810"></a><h2>FILES</h2>
<p>
The keyfile can be designed by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
@ -154,13 +154,13 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543836"></a><h2>CAVEAT</h2>
<a name="id2543845"></a><h2>CAVEAT</h2>
<p>
A keyfile error can give a "file not found" even if the file exists.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543846"></a><h2>SEE ALSO</h2>
<a name="id2543854"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@ -170,7 +170,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543885"></a><h2>AUTHOR</h2>
<a name="id2543894"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

12
bin/dnssec/dnssec-importkey.html
View File

@ -33,7 +33,7 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> {<code class="option">-f <em class="replaceable"><code>filename</code></em></code>} [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">dnsname</code>]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543466"></a><h2>DESCRIPTION</h2>
<a name="id2543475"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-importkey</strong></span>
reads a public DNSKEY record and generates a pair of
.key/.private files. The DNSKEY record may be read from an
@ -53,7 +53,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543492"></a><h2>OPTIONS</h2>
<a name="id2543500"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-f <em class="replaceable"><code>filename</code></em></span></dt>
<dd>
@ -96,7 +96,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543623"></a><h2>TIMING OPTIONS</h2>
<a name="id2543632"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@ -124,7 +124,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543670"></a><h2>FILES</h2>
<a name="id2543678"></a><h2>FILES</h2>
<p>
A keyfile can be designed by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
@ -133,7 +133,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543691"></a><h2>SEE ALSO</h2>
<a name="id2543700"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@ -141,7 +141,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543724"></a><h2>AUTHOR</h2>
<a name="id2543733"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

12
bin/dnssec/dnssec-keyfromlabel.html
View File

@ -31,7 +31,7 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543530"></a><h2>DESCRIPTION</h2>
<a name="id2543539"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
generates a key pair of files that referencing a key object stored
in a cryptographic hardware service module (HSM). The private key
@ -47,7 +47,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543552"></a><h2>OPTIONS</h2>
<a name="id2543560"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
@ -224,7 +224,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2544011"></a><h2>TIMING OPTIONS</h2>
<a name="id2544020"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@ -296,7 +296,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2544269"></a><h2>GENERATED KEY FILES</h2>
<a name="id2544278"></a><h2>GENERATED KEY FILES</h2>
<p>
When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
successfully,
@ -335,7 +335,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544342"></a><h2>SEE ALSO</h2>
<a name="id2544350"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@ -344,7 +344,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544379"></a><h2>AUTHOR</h2>
<a name="id2544388"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

8
bin/dnssec/dnssec-keygen.c
View File

@ -552,6 +552,9 @@ main(int argc, char **argv) {
options |= DST_TYPE_KEY;
}
if (!dst_algorithm_supported(alg))
fatal("unsupported algorithm: %d", alg);
if (use_nsec3 &&
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512 &&
@ -719,8 +722,13 @@ main(int argc, char **argv) {
fatal("invalid DSS key size: %d", size);
break;
case DST_ALG_ECCGOST:
size = 256;
break;
case DST_ALG_ECDSA256:
size = 256;
break;
case DST_ALG_ECDSA384:
size = 384;
break;
case DST_ALG_HMACMD5:
options |= DST_TYPE_KEY;

14
bin/dnssec/dnssec-keygen.html
View File

@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-z</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543596"></a><h2>DESCRIPTION</h2>
<a name="id2543605"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keygen</strong></span>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
@ -46,7 +46,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543614"></a><h2>OPTIONS</h2>
<a name="id2543623"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
@ -267,7 +267,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2544211"></a><h2>TIMING OPTIONS</h2>
<a name="id2544219"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@ -341,7 +341,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2544401"></a><h2>GENERATED KEYS</h2>
<a name="id2544409"></a><h2>GENERATED KEYS</h2>
<p>
When <span><strong class="command">dnssec-keygen</strong></span> completes
successfully,
@ -387,7 +387,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544551"></a><h2>EXAMPLE</h2>
<a name="id2544560"></a><h2>EXAMPLE</h2>
<p>
To generate a 768-bit DSA key for the domain
<strong class="userinput"><code>example.com</code></strong>, the following command would be
@ -408,7 +408,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544663"></a><h2>SEE ALSO</h2>
<a name="id2544672"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2539</em>,
@ -417,7 +417,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544694"></a><h2>AUTHOR</h2>
<a name="id2544702"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

8
bin/dnssec/dnssec-revoke.html
View File

@ -31,7 +31,7 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-revoke</code> [<code class="option">-hr</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f</code>] [<code class="option">-R</code>] {keyfile}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543388"></a><h2>DESCRIPTION</h2>
<a name="id2543397"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-revoke</strong></span>
reads a DNSSEC key file, sets the REVOKED bit on the key as defined
in RFC 5011, and creates a new pair of key files containing the
@ -39,7 +39,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543400"></a><h2>OPTIONS</h2>
<a name="id2543409"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-h</span></dt>
<dd><p>
@ -90,14 +90,14 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543536"></a><h2>SEE ALSO</h2>
<a name="id2543544"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 5011</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543560"></a><h2>AUTHOR</h2>
<a name="id2543569"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

12
bin/dnssec/dnssec-settime.html
View File

@ -31,7 +31,7 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543438"></a><h2>DESCRIPTION</h2>
<a name="id2543447"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-settime</strong></span>
reads a DNSSEC private key file and sets the key timing metadata
as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
@ -57,7 +57,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543486"></a><h2>OPTIONS</h2>
<a name="id2543495"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-f</span></dt>
<dd><p>
@ -112,7 +112,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543687"></a><h2>TIMING OPTIONS</h2>
<a name="id2543696"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@ -191,7 +191,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543826"></a><h2>PRINTING OPTIONS</h2>
<a name="id2543834"></a><h2>PRINTING OPTIONS</h2>
<p>
<span><strong class="command">dnssec-settime</strong></span> can also be used to print the
timing metadata associated with a key.
@ -217,7 +217,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543904"></a><h2>SEE ALSO</h2>
<a name="id2543912"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@ -225,7 +225,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543937"></a><h2>AUTHOR</h2>
<a name="id2543945"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

10
bin/dnssec/dnssec-signzone.html
View File

@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-M <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-Q</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543652"></a><h2>DESCRIPTION</h2>
<a name="id2543660"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-signzone</strong></span>
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
@ -43,7 +43,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543667"></a><h2>OPTIONS</h2>
<a name="id2543675"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd><p>
@ -494,7 +494,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2545322"></a><h2>EXAMPLE</h2>
<a name="id2545262"></a><h2>EXAMPLE</h2>
<p>
The following command signs the <strong class="userinput"><code>example.com</code></strong>
zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
@ -524,14 +524,14 @@ db.example.com.signed
%</pre>
</div>
<div class="refsect1" lang="en">
<a name="id2545378"></a><h2>SEE ALSO</h2>
<a name="id2545318"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4033</em>, <em class="citetitle">RFC 4641</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2545405"></a><h2>AUTHOR</h2>
<a name="id2545414"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

8
bin/dnssec/dnssec-verify.html
View File

@ -31,7 +31,7 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code> [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543397"></a><h2>DESCRIPTION</h2>
<a name="id2543405"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-verify</strong></span>
verifies that a zone is fully signed for each algorithm found
in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
@ -39,7 +39,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543409"></a><h2>OPTIONS</h2>
<a name="id2543417"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
@ -119,7 +119,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543652"></a><h2>SEE ALSO</h2>
<a name="id2543660"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@ -127,7 +127,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543677"></a><h2>AUTHOR</h2>
<a name="id2543686"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

231
bin/named/client.c
View File

@ -15,8 +15,6 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: client.c,v 1.286 2012/01/31 23:47:30 tbox Exp $ */
#include <config.h>
#include <isc/formatcheck.h>
@ -40,8 +38,10 @@
#include <isc/hmacsha.h>
#endif
#include <dns/badcache.h>
#include <dns/db.h>
#include <dns/dispatch.h>
#include <dns/edns.h>
#include <dns/events.h>
#include <dns/message.h>
#include <dns/peer.h>
@ -122,6 +122,7 @@
#endif
#define SIT_SIZE 24U /* 8 + 4 + 4 + 8 */
#define ECS_SIZE 20U /* 2 + 1 + 1 + [0..16] */
/*% nameserver client manager structure */
struct ns_clientmgr {
@ -244,7 +245,8 @@ static void ns_client_dumpmessage(ns_client_t *client, const char *reason);
static isc_result_t get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
dns_dispatch_t *disp, isc_boolean_t tcp);
static inline isc_boolean_t
allowed(isc_netaddr_t *addr, dns_name_t *signer, dns_acl_t *acl);
allowed(isc_netaddr_t *addr, dns_name_t *signer, isc_netaddr_t *ecs_addr,
isc_uint8_t ecs_addrlen, isc_uint8_t *ecs_scope, dns_acl_t *acl);
#ifdef ISC_PLATFORM_USESIT
static void compute_sit(ns_client_t *client, isc_uint32_t when,
isc_uint32_t nonce, isc_buffer_t *buf);
@ -1042,7 +1044,8 @@ client_send(ns_client_t *client) {
if (client->message->tsigkey != NULL)
name = &client->message->tsigkey->name;
if (client->view->nocasecompress == NULL ||
!allowed(&netaddr, name, client->view->nocasecompress))
!allowed(&netaddr, name, NULL, 0, NULL,
client->view->nocasecompress))
{
dns_compress_setsensitive(&cctx, ISC_TRUE);
}
@ -1348,16 +1351,16 @@ ns_client_error(ns_client_t *client, isc_result_t result) {
}
message->rcode = rcode;
/*
* FORMERR loop avoidance: If we sent a FORMERR message
* with the same ID to the same client less than two
* seconds ago, assume that we are in an infinite error
* packet dialog with a server for some protocol whose
* error responses look enough like DNS queries to
* elicit a FORMERR response. Drop a packet to break
* the loop.
*/
if (rcode == dns_rcode_formerr) {
/*
* FORMERR loop avoidance: If we sent a FORMERR message
* with the same ID to the same client less than two
* seconds ago, assume that we are in an infinite error
* packet dialog with a server for some protocol whose
* error responses look enough like DNS queries to
* elicit a FORMERR response. Drop a packet to break
* the loop.
*/
if (isc_sockaddr_equal(&client->peeraddr,
&client->formerrcache.addr) &&
message->id == client->formerrcache.id &&
@ -1373,6 +1376,27 @@ ns_client_error(ns_client_t *client, isc_result_t result) {
client->formerrcache.addr = client->peeraddr;
client->formerrcache.time = client->requesttime;
client->formerrcache.id = message->id;
} else if (rcode == dns_rcode_servfail && client->query.qname != NULL &&
client->view != NULL && client->view->fail_ttl != 0 &&
((client->attributes & NS_CLIENTATTR_NOSETFC) == 0))
{
/*
* SERVFAIL caching: store qname/qtype of failed queries
*/
isc_time_t expire;
isc_interval_t i;
isc_uint32_t flags = 0;
if ((message->flags & DNS_MESSAGEFLAG_CD) != 0)
flags = NS_FAILCACHE_CD;
isc_interval_set(&i, client->view->fail_ttl, 0);
result = isc_time_nowplusinterval(&expire, &i);
if (result == ISC_R_SUCCESS)
dns_badcache_add(client->view->failcache,
client->query.qname,
client->query.qtype,
ISC_TRUE, flags, &expire);
}
ns_client_send(client);
}
@ -1381,6 +1405,7 @@ isc_result_t
ns_client_addopt(ns_client_t *client, dns_message_t *message,
dns_rdataset_t **opt)
{
unsigned char ecs[ECS_SIZE];
char nsid[BUFSIZ], *nsidp;
#ifdef ISC_PLATFORM_USESIT
unsigned char sit[SIT_SIZE];
@ -1459,6 +1484,38 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
ednsopts[count].value = expire;
count++;
}
if (((client->attributes & NS_CLIENTATTR_HAVEECS) != 0) &&
(client->ecs_addr.family == AF_INET ||
client->ecs_addr.family == AF_INET6))
{
int i, addrbytes = (client->ecs_addrlen + 7) / 8;
isc_uint8_t *paddr;
isc_buffer_t buf;
/* Add client subnet option. */
isc_buffer_init(&buf, ecs, sizeof(ecs));
if (client->ecs_addr.family == AF_INET)
isc_buffer_putuint16(&buf, 1);
else
isc_buffer_putuint16(&buf, 2);
isc_buffer_putuint8(&buf, client->ecs_addrlen);
isc_buffer_putuint8(&buf, client->ecs_scope);
paddr = (isc_uint8_t *) &client->ecs_addr.type;
for (i = 0; i < addrbytes; i++) {
unsigned char uc;
uc = paddr[i];
if (i == addrbytes - 1 &&
((client->ecs_addrlen % 8) != 0))
uc &= (1U << (8 - (client->ecs_addrlen % 8)));
isc_buffer_putuint8(&buf, uc);
}
ednsopts[count].code = DNS_OPT_CLIENT_SUBNET;
ednsopts[count].length = addrbytes + 4;
ednsopts[count].value = ecs;
count++;
}
result = dns_message_buildopt(message, opt, 0, udpsize, flags,
ednsopts, count);
@ -1466,14 +1523,17 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
}
static inline isc_boolean_t
allowed(isc_netaddr_t *addr, dns_name_t *signer, dns_acl_t *acl) {
allowed(isc_netaddr_t *addr, dns_name_t *signer,
isc_netaddr_t *ecs_addr, isc_uint8_t ecs_addrlen,
isc_uint8_t *ecs_scope, dns_acl_t *acl)
{
int match;
isc_result_t result;
if (acl == NULL)
return (ISC_TRUE);
result = dns_acl_match(addr, signer, acl, &ns_g_server->aclenv,
&match, NULL);
result = dns_acl_match2(addr, signer, ecs_addr, ecs_addrlen, ecs_scope,
acl, &ns_g_server->aclenv, &match, NULL);
if (result == ISC_R_SUCCESS && match > 0)
return (ISC_TRUE);
return (ISC_FALSE);
@ -1536,8 +1596,10 @@ ns_client_isself(dns_view_t *myview, dns_tsigkey_t *mykey,
tsig = dns_tsigkey_identity(mykey);
}
if (allowed(&netsrc, tsig, view->matchclients) &&
allowed(&netdst, tsig, view->matchdestinations))
if (allowed(&netsrc, tsig, NULL, 0, NULL,
view->matchclients) &&
allowed(&netdst, tsig, NULL, 0, NULL,
view->matchdestinations))
break;
}
return (ISC_TF(view == myview));
@ -1718,6 +1780,81 @@ process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
}
#endif
static isc_result_t
process_ecs(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
isc_uint16_t family;
isc_uint8_t addrlen, addrbytes, scope, *paddr;
isc_netaddr_t caddr;
int i;
if (optlen < 4U) {
ns_client_log(client, NS_LOGCATEGORY_CLIENT,
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2),
"EDNS client subnet option too short");
return (DNS_R_FORMERR);
}
family = isc_buffer_getuint16(buf);
addrlen = isc_buffer_getuint8(buf);
scope = isc_buffer_getuint8(buf);
optlen -= 4;
if (scope != 0U) {
ns_client_log(client, NS_LOGCATEGORY_CLIENT,
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2),
"EDNS client subnet option: invalid scope");
return (DNS_R_FORMERR);
}
memset(&caddr, 0, sizeof(caddr));
switch (family) {
case 1:
if (addrlen > 32U)
goto invalid_length;
caddr.family = AF_INET;
break;
case 2:
if (addrlen > 128U) {
invalid_length:
ns_client_log(client, NS_LOGCATEGORY_CLIENT,
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2),
"EDNS client subnet option: invalid "
"address length (%u) for %s",
addrlen, family == 1 ? "IPv4" : "IPv6");
return (DNS_R_FORMERR);
}
caddr.family = AF_INET6;
break;
default:
ns_client_log(client, NS_LOGCATEGORY_CLIENT,
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2),
"EDNS client subnet option: invalid family");
return (DNS_R_FORMERR);
}
addrbytes = (addrlen + 7) / 8;
if (isc_buffer_remaininglength(buf) < addrbytes) {
ns_client_log(client, NS_LOGCATEGORY_CLIENT,
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2),
"EDNS client subnet option: address too short");
return (DNS_R_FORMERR);
}
paddr = (isc_uint8_t *) &caddr.type;
for (i = 0; i < addrbytes; i++) {
paddr[i] = isc_buffer_getuint8(buf);
optlen--;
}
memmove(&client->ecs_addr, &caddr, sizeof(caddr));
client->ecs_addrlen = addrlen;
client->ecs_scope = 0;
client->attributes |= NS_CLIENTATTR_HAVEECS;
isc_buffer_forward(buf, optlen);
return (ISC_R_SUCCESS);
}
static isc_result_t
process_opt(ns_client_t *client, dns_rdataset_t *opt) {
dns_rdata_t rdata;
@ -1749,7 +1886,7 @@ process_opt(ns_client_t *client, dns_rdataset_t *opt) {
* XXXRTH need library support for this!
*/
client->ednsversion = (opt->ttl & 0x00FF0000) >> 16;
if (client->ednsversion > 0) {
if (client->ednsversion > DNS_EDNS_VERSION) {
isc_stats_increment(ns_g_server->nsstats,
dns_nsstatscounter_badednsver);
result = ns_client_addopt(client, client->message,
@ -1788,6 +1925,15 @@ process_opt(ns_client_t *client, dns_rdataset_t *opt) {
client->attributes |= NS_CLIENTATTR_WANTEXPIRE;
isc_buffer_forward(&optbuf, optlen);
break;
case DNS_OPT_CLIENT_SUBNET:
result = process_ecs(client, &optbuf, optlen);
if (result != ISC_R_SUCCESS) {
ns_client_error(client, result);
goto cleanup;
}
isc_stats_increment(ns_g_server->nsstats,
dns_nsstatscounter_ecsopt);
break;
default:
isc_stats_increment(ns_g_server->nsstats,
dns_nsstatscounter_otheropt);
@ -1884,6 +2030,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
isc_task_getcurrenttime(task, &client->requesttime);
client->now = client->requesttime;
isc_time_set(&client->tnow, client->now, 0);
if (result != ISC_R_SUCCESS) {
if (TCP_CLIENT(client)) {
@ -1925,7 +2072,6 @@ client_request(isc_task_t *task, isc_event_t *event) {
* client_newconn.
*/
if (!TCP_CLIENT(client)) {
if (ns_g_server->blackholeacl != NULL &&
dns_acl_match(&netaddr, NULL, ns_g_server->blackholeacl,
&ns_g_server->aclenv,
@ -2033,6 +2179,10 @@ client_request(isc_task_t *task, isc_event_t *event) {
opt = NULL;
else
opt = dns_message_getopt(client->message);
client->ecs_addrlen = 0;
client->ecs_scope = 0;
if (opt != NULL) {
/*
* Are we dropping all EDNS queries?
@ -2117,17 +2267,29 @@ client_request(isc_task_t *task, isc_event_t *event) {
client->message->rdclass == dns_rdataclass_any)
{
dns_name_t *tsig = NULL;
isc_netaddr_t *addr = NULL;
isc_uint8_t *scope = NULL;
sigresult = dns_message_rechecksig(client->message,
view);
if (sigresult == ISC_R_SUCCESS)
tsig = dns_tsigkey_identity(client->message->tsigkey);
if (sigresult == ISC_R_SUCCESS) {
dns_tsigkey_t *tsigkey;
if (allowed(&netaddr, tsig, view->matchclients) &&
allowed(&client->destaddr, tsig,
view->matchdestinations) &&
!((client->message->flags & DNS_MESSAGEFLAG_RD)
== 0 && view->matchrecursiveonly))
tsigkey = client->message->tsigkey;
tsig = dns_tsigkey_identity(tsigkey);
}
if ((client->attributes & NS_CLIENTATTR_HAVEECS) != 0) {
addr = &client->ecs_addr;
scope = &client->ecs_scope;
}
if (allowed(&netaddr, tsig, addr, client->ecs_addrlen,
scope, view->matchclients) &&
allowed(&client->destaddr, tsig, NULL,
0, NULL, view->matchdestinations) &&
!(view->matchrecursiveonly &&
(client->message->flags & DNS_MESSAGEFLAG_RD) == 0))
{
dns_view_attach(view, &client->view);
break;
@ -2519,6 +2681,8 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
client->recursionquota = NULL;
client->interface = NULL;
client->peeraddr_valid = ISC_FALSE;
client->ecs_addrlen = 0;
client->ecs_scope = 0;
#ifdef ALLOW_FILTER_AAAA
client->filter_aaaa = dns_aaaa_ok;
#endif
@ -3055,6 +3219,8 @@ ns_client_checkaclsilent(ns_client_t *client, isc_netaddr_t *netaddr,
{
isc_result_t result;
isc_netaddr_t tmpnetaddr;
isc_netaddr_t *ecs_addr = NULL;
isc_uint8_t ecs_addrlen = 0;
int match;
if (acl == NULL) {
@ -3069,11 +3235,18 @@ ns_client_checkaclsilent(ns_client_t *client, isc_netaddr_t *netaddr,
netaddr = &tmpnetaddr;
}
result = dns_acl_match(netaddr, client->signer, acl,
&ns_g_server->aclenv, &match, NULL);
if ((client->attributes & NS_CLIENTATTR_HAVEECS) != 0) {
ecs_addr = &client->ecs_addr;
ecs_addrlen = client->ecs_addrlen;
}
result = dns_acl_match2(netaddr, client->signer,
ecs_addr, ecs_addrlen, NULL, acl,
&ns_g_server->aclenv, &match, NULL);
if (result != ISC_R_SUCCESS)
goto deny; /* Internal error, already logged. */
if (match > 0)
goto allow;
goto deny; /* Negative match or no match. */

8
bin/named/config.c
View File

@ -81,6 +81,7 @@ options {\n\
# named-xfer <obsolete>;\n\
nta-lifetime 3600;\n\
nta-recheck 300;\n\
notify-rate 20;\n\
# pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or /lwresd.pid */\n\
port 53;\n\
prefetch 2 9;\n\
@ -99,6 +100,7 @@ options {\n\
serial-queries 20;\n\
serial-query-rate 20;\n\
server-id none;\n\
startup-notify-rate 20;\n\
statistics-file \"named.stats\";\n\
statistics-interval 60;\n\
tcp-clients 100;\n\
@ -155,6 +157,7 @@ options {\n\
cleaning-interval 0; /* now meaningless */\n\
min-roots 2;\n\
lame-ttl 600;\n\
servfail-ttl 10;\n\
max-ncache-ttl 10800; /* 3 hours */\n\
max-cache-ttl 604800; /* 1 week */\n\
transfer-format many-answers;\n\
@ -177,6 +180,11 @@ options {\n\
nsec3-test-zone no;\n\
allow-new-zones no;\n\
"
#ifdef HAVE_GEOIP
"\
geoip-use-ecs yes;\n\
"
#endif
#ifdef ALLOW_FILTER_AAAA
" filter-aaaa-on-v4 no;\n\
filter-aaaa-on-v6 no;\n\

18
bin/named/include/named/client.h
View File

@ -131,15 +131,22 @@ struct ns_client {
ns_query_t query;
isc_stdtime_t requesttime;
isc_stdtime_t now;
isc_time_t tnow;
dns_name_t signername; /*%< [T]SIG key name */
dns_name_t * signer; /*%< NULL if not valid sig */
isc_boolean_t mortal; /*%< Die after handling request */
isc_quota_t *tcpquota;
isc_quota_t *recursionquota;
ns_interface_t *interface;
isc_sockaddr_t peeraddr;
isc_boolean_t peeraddr_valid;
isc_netaddr_t destaddr;
isc_netaddr_t ecs_addr; /*%< EDNS client subnet */
isc_uint8_t ecs_addrlen;
isc_uint8_t ecs_scope;
struct in6_pktinfo pktinfo;
isc_dscp_t dscp;
isc_event_t ctlevent;
@ -187,6 +194,17 @@ typedef ISC_LIST(ns_client_t) client_list_t;
#define NS_CLIENTATTR_WANTEXPIRE 0x0800 /*%< return seconds to expire */
#define NS_CLIENTATTR_HAVEEXPIRE 0x1000 /*%< return seconds to expire */
#define NS_CLIENTATTR_WANTOPT 0x2000 /*%< add opt to reply */
#define NS_CLIENTATTR_HAVEECS 0x4000 /*%< sent an ECS option */
#define NS_CLIENTATTR_NOSETFC 0x4000 /*%< don't set servfail cache */
/*
* Flag to use with the SERVFAIL cache to indicate
* that a query had the CD bit set.
*/
#define NS_FAILCACHE_CD 0x01
extern unsigned int ns_client_requests;

2
bin/named/include/named/query.h
View File

@ -48,6 +48,7 @@ struct ns_query {
isc_boolean_t timerset;
dns_name_t * qname;
dns_name_t * origqname;
dns_rdatatype_t qtype;
unsigned int dboptions;
unsigned int fetchoptions;
dns_db_t * gluedb;
@ -88,7 +89,6 @@ struct ns_query {
#define NS_QUERYATTR_DNS64EXCLUDE 0x8000
#define NS_QUERYATTR_RRL_CHECKED 0x10000
isc_result_t
ns_query_init(ns_client_t *client);

17
bin/named/include/named/server.h
View File

@ -182,18 +182,19 @@ enum {
dns_nsstatscounter_nsidopt = 43,
dns_nsstatscounter_expireopt = 44,
dns_nsstatscounter_otheropt = 45,
dns_nsstatscounter_ecsopt = 46,
#ifdef ISC_PLATFORM_USESIT
dns_nsstatscounter_sitopt = 46,
dns_nsstatscounter_sitbadsize = 47,
dns_nsstatscounter_sitbadtime = 48,
dns_nsstatscounter_sitnomatch = 49,
dns_nsstatscounter_sitmatch = 50,
dns_nsstatscounter_sitnew = 51,
dns_nsstatscounter_sitopt = 47,
dns_nsstatscounter_sitbadsize = 48,
dns_nsstatscounter_sitbadtime = 49,
dns_nsstatscounter_sitnomatch = 50,
dns_nsstatscounter_sitmatch = 51,
dns_nsstatscounter_sitnew = 52,
dns_nsstatscounter_max = 52
dns_nsstatscounter_max = 53
#else
dns_nsstatscounter_max = 46
dns_nsstatscounter_max = 47
#endif
};

4
bin/named/interfacemgr.c
View File

@ -177,6 +177,10 @@ ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
isc_result_t result;
ns_interfacemgr_t *mgr;
#ifndef USE_ROUTE_SOCKET
UNUSED(task);
#endif
REQUIRE(mctx != NULL);
REQUIRE(mgrp != NULL);
REQUIRE(*mgrp == NULL);

12
bin/named/lwresd.html
View File

@ -22,7 +22,7 @@
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="id2476274"></a><div class="titlepage"></div>
<a name="id2476282"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">lwresd</span> &#8212; lightweight resolver daemon</p>
@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">lwresd</code> [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-C <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-i <em class="replaceable"><code>pid-file</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-P <em class="replaceable"><code>port</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-4</code>] [<code class="option">-6</code>]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543470"></a><h2>DESCRIPTION</h2>
<a name="id2543479"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">lwresd</strong></span>
is the daemon providing name lookup
services to clients that use the BIND 9 lightweight resolver
@ -67,7 +67,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543517"></a><h2>OPTIONS</h2>
<a name="id2543526"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-4</span></dt>
<dd><p>
@ -197,7 +197,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543934"></a><h2>FILES</h2>
<a name="id2543943"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="filename">/etc/resolv.conf</code></span></dt>
<dd><p>
@ -210,14 +210,14 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543974"></a><h2>SEE ALSO</h2>
<a name="id2543982"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
<span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544008"></a><h2>AUTHOR</h2>
<a name="id2544017"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

32
bin/named/named.conf.html
View File

@ -21,7 +21,7 @@
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="id2476274"></a><div class="titlepage"></div>
<a name="id2476282"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><code class="filename">named.conf</code> &#8212; configuration file for named</p>
@ -31,7 +31,7 @@
<div class="cmdsynopsis"><p><code class="command">named.conf</code> </p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543362"></a><h2>DESCRIPTION</h2>
<a name="id2543370"></a><h2>DESCRIPTION</h2>
<p><code class="filename">named.conf</code> is the configuration file
for
<span><strong class="command">named</strong></span>. Statements are enclosed
@ -50,14 +50,14 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543389"></a><h2>ACL</h2>
<a name="id2543398"></a><h2>ACL</h2>
<div class="literallayout"><p><br>
acl <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
<br>
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543405"></a><h2>KEY</h2>
<a name="id2543414"></a><h2>KEY</h2>
<div class="literallayout"><p><br>
key <em class="replaceable"><code>domain_name</code></em> {<br>
algorithm <em class="replaceable"><code>string</code></em>;<br>
@ -66,7 +66,7 @@ key
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543425"></a><h2>MASTERS</h2>
<a name="id2543433"></a><h2>MASTERS</h2>
<div class="literallayout"><p><br>
masters <em class="replaceable"><code>string</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
@ -75,7 +75,7 @@ masters
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543470"></a><h2>SERVER</h2>
<a name="id2543479"></a><h2>SERVER</h2>
<div class="literallayout"><p><br>
server ( <em class="replaceable"><code>ipv4_address[<span class="optional">/prefixlen</span>]</code></em> | <em class="replaceable"><code>ipv6_address[<span class="optional">/prefixlen</span>]</code></em> ) {<br>
bogus <em class="replaceable"><code>boolean</code></em>;<br>
@ -97,7 +97,7 @@ server
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543539"></a><h2>TRUSTED-KEYS</h2>
<a name="id2543547"></a><h2>TRUSTED-KEYS</h2>
<div class="literallayout"><p><br>
trusted-keys {<br>
<em class="replaceable"><code>domain_name</code></em> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ... <br>
@ -105,7 +105,7 @@ trusted-keys
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543564"></a><h2>MANAGED-KEYS</h2>
<a name="id2543573"></a><h2>MANAGED-KEYS</h2>
<div class="literallayout"><p><br>
managed-keys {<br>
<em class="replaceable"><code>domain_name</code></em> <code class="constant">initial-key</code> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ... <br>
@ -113,7 +113,7 @@ managed-keys
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543593"></a><h2>CONTROLS</h2>
<a name="id2543602"></a><h2>CONTROLS</h2>
<div class="literallayout"><p><br>
controls {<br>
inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
@ -125,7 +125,7 @@ controls
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543628"></a><h2>LOGGING</h2>
<a name="id2543637"></a><h2>LOGGING</h2>
<div class="literallayout"><p><br>
logging {<br>
channel <em class="replaceable"><code>string</code></em> {<br>
@ -143,7 +143,7 @@ logging
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543667"></a><h2>LWRES</h2>
<a name="id2543675"></a><h2>LWRES</h2>
<div class="literallayout"><p><br>
lwres {<br>
listen-on [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
@ -158,7 +158,7 @@ lwres
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543715"></a><h2>OPTIONS</h2>
<a name="id2543723"></a><h2>OPTIONS</h2>
<div class="literallayout"><p><br>
options {<br>
avoid-v4-udp-ports { <em class="replaceable"><code>port</code></em>; ... };<br>
@ -364,7 +364,7 @@ options
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2544600"></a><h2>VIEW</h2>
<a name="id2544609"></a><h2>VIEW</h2>
<div class="literallayout"><p><br>
view <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@ -529,7 +529,7 @@ view
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2545322"></a><h2>ZONE</h2>
<a name="id2545331"></a><h2>ZONE</h2>
<div class="literallayout"><p><br>
zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
type ( master | slave | stub | hint | redirect |<br>
@ -626,12 +626,12 @@ zone
</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2545712"></a><h2>FILES</h2>
<a name="id2545720"></a><h2>FILES</h2>
<p><code class="filename">/etc/named.conf</code>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2545723"></a><h2>SEE ALSO</h2>
<a name="id2545732"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,

14
bin/named/named.html
View File

@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">named</code> [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-D <em class="replaceable"><code>string</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine-name</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-L <em class="replaceable"><code>logfile</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-U <em class="replaceable"><code>#listeners</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543515"></a><h2>DESCRIPTION</h2>
<a name="id2543524"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named</strong></span>
is a Domain Name System (DNS) server,
part of the BIND 9 distribution from ISC. For more
@ -47,7 +47,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543540"></a><h2>OPTIONS</h2>
<a name="id2543548"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-4</span></dt>
<dd><p>
@ -263,7 +263,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2544213"></a><h2>SIGNALS</h2>
<a name="id2544221"></a><h2>SIGNALS</h2>
<p>
In routine operation, signals should not be used to control
the nameserver; <span><strong class="command">rndc</strong></span> should be used
@ -284,7 +284,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544261"></a><h2>CONFIGURATION</h2>
<a name="id2544269"></a><h2>CONFIGURATION</h2>
<p>
The <span><strong class="command">named</strong></span> configuration file is too complex
to describe in detail here. A complete description is provided
@ -301,7 +301,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544297"></a><h2>FILES</h2>
<a name="id2544374"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
<dd><p>
@ -314,7 +314,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2544405"></a><h2>SEE ALSO</h2>
<a name="id2544413"></a><h2>SEE ALSO</h2>
<p><em class="citetitle">RFC 1033</em>,
<em class="citetitle">RFC 1034</em>,
<em class="citetitle">RFC 1035</em>,
@ -327,7 +327,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544475"></a><h2>AUTHOR</h2>
<a name="id2544484"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

328
bin/named/query.c
View File

File diff suppressed because it is too large Load Diff

57
bin/named/server.c
View File

@ -64,6 +64,7 @@
#include <dns/acache.h>
#include <dns/adb.h>
#include <dns/badcache.h>
#include <dns/cache.h>
#include <dns/db.h>
#include <dns/dispatch.h>
@ -1224,6 +1225,15 @@ configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
CHECK(dns_peer_setudpsize(peer, (isc_uint16_t)udpsize));
}
obj = NULL;
(void)cfg_map_get(cpeer, "edns-version", &obj);
if (obj != NULL) {
isc_uint32_t ednsversion = cfg_obj_asuint32(obj);
if (ednsversion > 255)
ednsversion = 255;
CHECK(dns_peer_setednsversion(peer, (isc_uint8_t)ednsversion));
}
obj = NULL;
(void)cfg_map_get(cpeer, "max-udp-size", &obj);
if (obj != NULL) {
@ -2349,7 +2359,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
size_t max_cache_size;
size_t max_acache_size;
size_t max_adb_size;
isc_uint32_t lame_ttl;
isc_uint32_t lame_ttl, fail_ttl;
dns_tsig_keyring_t *ring = NULL;
dns_view_t *pview = NULL; /* Production view */
isc_mem_t *cmctx = NULL, *hmctx = NULL;
@ -3784,6 +3794,17 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
goto cleanup;
}
/*
* Set the servfail-ttl.
*/
obj = NULL;
result = ns_config_get(maps, "servfail-ttl", &obj);
INSIST(result == ISC_R_SUCCESS);
fail_ttl = cfg_obj_asuint32(obj);
if (fail_ttl > 300)
fail_ttl = 300;
dns_view_setfailttl(view, fail_ttl);
result = ISC_R_SUCCESS;
cleanup:
@ -4684,6 +4705,9 @@ directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
static void
scan_interfaces(ns_server_t *server, isc_boolean_t verbose) {
isc_boolean_t match_mapped = server->aclenv.match_mapped;
#ifdef HAVE_GEOIP
isc_boolean_t use_ecs = server->aclenv.geoip_use_ecs;
#endif
ns_interfacemgr_scan(server->interfacemgr, verbose);
/*
@ -4694,6 +4718,9 @@ scan_interfaces(ns_server_t *server, isc_boolean_t verbose) {
ns_interfacemgr_getaclenv(server->interfacemgr));
server->aclenv.match_mapped = match_mapped;
#ifdef HAVE_GEOIP
server->aclenv.geoip_use_ecs = use_ecs;
#endif
}
static isc_result_t
@ -5554,6 +5581,11 @@ load_configuration(const char *filename, ns_server_t *server,
} else
ns_geoip_load(NULL);
ns_g_aclconfctx->geoip = ns_g_geoip;
obj = NULL;
result = ns_config_get(maps, "geoip-use-ecs", &obj);
INSIST(result == ISC_R_SUCCESS);
ns_g_server->aclenv.geoip_use_ecs = cfg_obj_asboolean(obj);
#endif /* HAVE_GEOIP */
/*
@ -5669,6 +5701,16 @@ load_configuration(const char *filename, ns_server_t *server,
INSIST(result == ISC_R_SUCCESS);
dns_zonemgr_settransfersperns(server->zonemgr, cfg_obj_asuint32(obj));
obj = NULL;
result = ns_config_get(maps, "notify-rate", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_zonemgr_setnotifyrate(server->zonemgr, cfg_obj_asuint32(obj));
obj = NULL;
result = ns_config_get(maps, "startup-notify-rate", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_zonemgr_setstartupnotifyrate(server->zonemgr, cfg_obj_asuint32(obj));
obj = NULL;
result = ns_config_get(maps, "serial-query-rate", &obj);
INSIST(result == ISC_R_SUCCESS);
@ -7646,6 +7688,8 @@ dumpdone(void *arg, isc_result_t result) {
dns_adb_dump(dctx->view->view->adb, dctx->fp);
dns_resolver_printbadcache(dctx->view->view->resolver,
dctx->fp);
dns_badcache_print(dctx->view->view->failcache,
"SERVFAIL cache", dctx->fp);
dns_db_detach(&dctx->cache);
}
if (dctx->dumpzones) {
@ -9910,8 +9954,8 @@ ns_server_nta(ns_server_t *server, char *args, isc_buffer_t *text) {
CHECK(result);
}
if (ntattl > 86400) {
msg = "NTA lifetime cannot exceed one day";
if (ntattl > 604800) {
msg = "NTA lifetime cannot exceed one week";
CHECK(ISC_R_RANGE);
}
@ -10036,10 +10080,11 @@ ns_server_nta(ns_server_t *server, char *args, isc_buffer_t *text) {
isc_buffer_putuint8(text, 0);
}
if (msg != NULL)
(void) putstr(text, msg);
cleanup:
if (msg != NULL) {
(void) putstr(text, msg);
(void) putnull(text);
}
if (excl)
isc_task_endexclusive(server->task);
if (ntatable != NULL)

1
bin/named/statschannel.c
View File

@ -242,6 +242,7 @@ init_desc(void) {
"SitNoMatch");
SET_NSSTATDESC(sitmatch, "source identity token - match", "SitMatch");
#endif
SET_NSSTATDESC(ecsopt, "EDNS client subnet option recieved", "ECSOpt");
INSIST(i == dns_nsstatscounter_max);
/* Initialize resolver statistics */

16
bin/named/win32/dlz_dlopen_driver.c
View File

@ -257,7 +257,9 @@ dlopen_dlz_create(const char *dlzname, unsigned int argc, char *argv[],
triedload = ISC_TRUE;
/* Initialize the lock */
isc_mutex_init(&cd->lock);
result = isc_mutex_init(&cd->lock);
if (result != ISC_R_SUCCESS)
goto failed;
/* Open the library */
cd->dl_handle = LoadLibraryA(cd->dl_path);
@ -268,7 +270,7 @@ dlopen_dlz_create(const char *dlzname, unsigned int argc, char *argv[],
"dlz_dlopen failed to open library '%s' - %u",
cd->dl_path, error);
result = ISC_R_FAILURE;
goto failed;
goto cleanup_lock;
}
/* Find the symbols */
@ -288,7 +290,7 @@ dlopen_dlz_create(const char *dlzname, unsigned int argc, char *argv[],
{
/* We're missing a required symbol */
result = ISC_R_FAILURE;
goto failed;
goto cleanup_lock;
}
cd->dlz_allowzonexfr = (dlz_dlopen_allowzonexfr_t *)
@ -324,7 +326,7 @@ dlopen_dlz_create(const char *dlzname, unsigned int argc, char *argv[],
"requires %d",
cd->dl_path, cd->version, DLZ_DLOPEN_VERSION);
result = ISC_R_FAILURE;
goto failed;
goto cleanup_lock;
}
/*
@ -344,12 +346,14 @@ dlopen_dlz_create(const char *dlzname, unsigned int argc, char *argv[],
NULL);
MAYBE_UNLOCK(cd);
if (result != ISC_R_SUCCESS)
goto failed;
goto cleanup_lock;
*dbdata = cd;
return (ISC_R_SUCCESS);
cleanup_lock:
DESTROYLOCK(&cd->lock);
failed:
dlopen_log(ISC_LOG_ERROR, "dlz_dlopen of '%s' failed", dlzname);
if (cd->dl_path)
@ -390,7 +394,7 @@ dlopen_dlz_destroy(void *driverarg, void *dbdata) {
if (cd->dl_handle)
FreeLibrary(cd->dl_handle);
(void) isc_mutex_destroy(&cd->lock);
DESTROYLOCK(&cd->lock);
mctx = cd->mctx;
isc_mem_put(mctx, cd, sizeof(*cd));

12
bin/nsupdate/nsupdate.html
View File

@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">nsupdate</code> [<code class="option">-d</code>] [<code class="option">-D</code>] [[<code class="option">-g</code>] | [<code class="option">-o</code>] | [<code class="option">-l</code>] | [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [<code class="option">-T</code>] [<code class="option">-P</code>] [<code class="option">-V</code>] [filename]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543479"></a><h2>DESCRIPTION</h2>
<a name="id2543488"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">nsupdate</strong></span>
is used to submit Dynamic DNS Update requests as defined in RFC 2136
to a name server.
@ -218,7 +218,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543879"></a><h2>INPUT FORMAT</h2>
<a name="id2543888"></a><h2>INPUT FORMAT</h2>
<p><span><strong class="command">nsupdate</strong></span>
reads input from
<em class="parameter"><code>filename</code></em>
@ -520,7 +520,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544853"></a><h2>EXAMPLES</h2>
<a name="id2544861"></a><h2>EXAMPLES</h2>
<p>
The examples below show how
<span><strong class="command">nsupdate</strong></span>
@ -574,7 +574,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544897"></a><h2>FILES</h2>
<a name="id2544905"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
<dd><p>
@ -597,7 +597,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2544980"></a><h2>SEE ALSO</h2>
<a name="id2541985"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">RFC 2136</em>,
<em class="citetitle">RFC 3007</em>,
@ -612,7 +612,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2542170"></a><h2>BUGS</h2>
<a name="id2542042"></a><h2>BUGS</h2>
<p>
The TSIG key is redundantly stored in two separate files.
This is a consequence of nsupdate using the DST library

10
bin/python/Makefile.in
View File

@ -23,7 +23,7 @@ top_srcdir = @top_srcdir@
PYTHON = @PYTHON@
TARGETS = dnssec-checkds dnssec-coverage
SRCS = dnssec-checkds.py dnssec-coverage.py
PYSRCS = dnssec-checkds.py dnssec-coverage.py
MANPAGES = dnssec-checkds.8 dnssec-coverage.8
HTMLPAGES = dnssec-checkds.html dnssec-coverage.html
@ -31,6 +31,14 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
dnssec-checkds: dnssec-checkds.py
cp -f dnssec-checkds.py dnssec-checkds
chmod +x dnssec-checkds
dnssec-coverage: dnssec-coverage.py
cp -f dnssec-coverage.py dnssec-coverage
chmod +x dnssec-coverage
doc man:: ${MANOBJS}
docclean manclean maintainer-clean::

8
bin/python/dnssec-checkds.html
View File

@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>dig path</code></em></code>] [<code class="option">-D <em class="replaceable"><code>dsfromkey path</code></em></code>] {zone}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543426"></a><h2>DESCRIPTION</h2>
<a name="id2543434"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-checkds</strong></span>
verifies the correctness of Delegation Signer (DS) or DNSSEC
Lookaside Validation (DLV) resource records for keys in a specified
@ -40,7 +40,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543437"></a><h2>OPTIONS</h2>
<a name="id2543446"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd><p>
@ -69,14 +69,14 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543533"></a><h2>SEE ALSO</h2>
<a name="id2543542"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-dsfromkey</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543568"></a><h2>AUTHOR</h2>
<a name="id2543576"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

8
bin/python/dnssec-coverage.html
View File

@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-coverage</code> [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>length</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>DNSKEY TTL</code></em></code>] [<code class="option">-m <em class="replaceable"><code>max TTL</code></em></code>] [<code class="option">-r <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-c <em class="replaceable"><code>compilezone path</code></em></code>] [<code class="option">-k</code>] [<code class="option">-z</code>] [zone]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543411"></a><h2>DESCRIPTION</h2>
<a name="id2543419"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-coverage</strong></span>
verifies that the DNSSEC keys for a given zone or a set of zones
have timing metadata set properly to ensure no future lapses in DNSSEC
@ -60,7 +60,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543435"></a><h2>OPTIONS</h2>
<a name="id2543444"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
@ -174,7 +174,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543736"></a><h2>SEE ALSO</h2>
<a name="id2543745"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry"><span class="refentrytitle">dnssec-checkds</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-dsfromkey</span>(8)</span>,
@ -183,7 +183,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543780"></a><h2>AUTHOR</h2>
<a name="id2543788"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

6
bin/rndc/rndc.8
View File

@ -297,12 +297,12 @@ Flushes the server's cache.
.PP
\fBflushname\fR \fIname\fR [\fIview\fR]
.RS 4
Flushes the given name from the server's DNS cache and, if applicable, from the server's nameserver address database or bad\-server cache.
Flushes the given name from the view's DNS cache and, if applicable, from the view's nameserver address database, bad server cache and SERVFAIL cache.
.RE
.PP
\fBflushtree\fR \fIname\fR [\fIview\fR]
.RS 4
Flushes the given name, and all of its subdomains, from the server's DNS cache, the address database, and the bad server cache.
Flushes the given name, and all of its subdomains, from the view's DNS cache, address database, bad server cache, and SERVFAIL cache.
.RE
.PP
\fBstatus\fR
@ -339,7 +339,7 @@ Sets a DNSSEC negative trust anchor (NTA) for
\fBlifetime\fR. The default lifetime is configured in
<file>named.conf</file>
via the
\fBnta\-lifetime\fR, and defaults to one hour. The lifetime cannot exceed one day.
\fBnta\-lifetime\fR, and defaults to one hour. The lifetime cannot exceed one week.
.sp
A negative trust anchor selectively disables DNSSEC validation for zones that known to be failing because of misconfiguration rather than an attack. When data to be validated is at or below an active NTA (and above any other configured trust anchors),
\fBnamed\fR

10
bin/rndc/rndc.conf.html
View File

@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543358"></a><h2>DESCRIPTION</h2>
<a name="id2543367"></a><h2>DESCRIPTION</h2>
<p><code class="filename">rndc.conf</code> is the configuration file
for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control
utility. This file has a similar structure and syntax to
@ -118,7 +118,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543507"></a><h2>EXAMPLE</h2>
<a name="id2543515"></a><h2>EXAMPLE</h2>
<pre class="programlisting">
options {
default-server localhost;
@ -192,7 +192,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543598"></a><h2>NAME SERVER CONFIGURATION</h2>
<a name="id2543607"></a><h2>NAME SERVER CONFIGURATION</h2>
<p>
The name server must be configured to accept rndc connections and
to recognize the key specified in the <code class="filename">rndc.conf</code>
@ -202,7 +202,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543620"></a><h2>SEE ALSO</h2>
<a name="id2543628"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
@ -210,7 +210,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543658"></a><h2>AUTHOR</h2>
<a name="id2543667"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

12
bin/rndc/rndc.docbook
View File

@ -540,9 +540,9 @@
<term><userinput>flushname</userinput> <replaceable>name</replaceable> <optional><replaceable>view</replaceable></optional> </term>
<listitem>
<para>
Flushes the given name from the server's DNS cache
and, if applicable, from the server's nameserver address
database or bad-server cache.
Flushes the given name from the view's DNS cache
and, if applicable, from the view's nameserver address
database, bad server cache and SERVFAIL cache.
</para>
</listitem>
</varlistentry>
@ -552,8 +552,8 @@
<listitem>
<para>
Flushes the given name, and all of its subdomains,
from the server's DNS cache, the address database,
and the bad server cache.
from the view's DNS cache, address database,
bad server cache, and SERVFAIL cache.
</para>
</listitem>
</varlistentry>
@ -608,7 +608,7 @@
<option>lifetime</option>. The default lifetime is
configured in <file>named.conf</file> via the
<option>nta-lifetime</option>, and defaults to
one hour. The lifetime cannot exceed one day.
one hour. The lifetime cannot exceed one week.
</para>
<para>
A negative trust anchor selectively disables

24
bin/rndc/rndc.html
View File

@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-q</code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543424"></a><h2>DESCRIPTION</h2>
<a name="id2543432"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">rndc</strong></span>
controls the operation of a name
server. It supersedes the <span><strong class="command">ndc</strong></span> utility
@ -63,7 +63,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543459"></a><h2>OPTIONS</h2>
<a name="id2543467"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
<dd><p>
@ -134,7 +134,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543668"></a><h2>COMMANDS</h2>
<a name="id2543676"></a><h2>COMMANDS</h2>
<p>
A list of commands supported by <span><strong class="command">rndc</strong></span> can
be seen by running <span><strong class="command">rndc</strong></span> without arguments.
@ -353,15 +353,15 @@
</p></dd>
<dt><span class="term"><strong class="userinput"><code>flushname</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
<dd><p>
Flushes the given name from the server's DNS cache
and, if applicable, from the server's nameserver address
database or bad-server cache.
Flushes the given name from the view's DNS cache
and, if applicable, from the view's nameserver address
database, bad server cache and SERVFAIL cache.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>flushtree</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
<dd><p>
Flushes the given name, and all of its subdomains,
from the server's DNS cache, the address database,
and the bad server cache.
from the view's DNS cache, address database,
bad server cache, and SERVFAIL cache.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt>
<dd><p>
@ -397,7 +397,7 @@
<code class="option">lifetime</code>. The default lifetime is
configured in <font color="red">&lt;file&gt;named.conf&lt;/file&gt;</font> via the
<code class="option">nta-lifetime</code>, and defaults to
one hour. The lifetime cannot exceed one day.
one hour. The lifetime cannot exceed one week.
</p>
<p>
A negative trust anchor selectively disables
@ -581,7 +581,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2545238"></a><h2>LIMITATIONS</h2>
<a name="id2545246"></a><h2>LIMITATIONS</h2>
<p>
There is currently no way to provide the shared secret for a
<code class="option">key_id</code> without using the configuration file.
@ -591,7 +591,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2542116"></a><h2>SEE ALSO</h2>
<a name="id2541988"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@ -601,7 +601,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2542171"></a><h2>AUTHOR</h2>
<a name="id2542043"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>

3
bin/tests/system/Makefile.in
View File

@ -21,7 +21,8 @@ top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
SUBDIRS = dlzexternal filter-aaaa geoip lwresd rpz rsabigexponent tkey tsiggss
SUBDIRS = builtin dlzexternal filter-aaaa geoip lwresd resolver rpz \
rsabigexponent tkey tsiggss
TARGETS =
@BIND9_MAKE_RULES@

50
bin/tests/system/acl/ns2/named6.conf Normal file
View File

@ -0,0 +1,50 @@
/*
* Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
controls { /* empty */ };
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
transfer-source 10.53.0.2;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
recursion no;
notify yes;
ixfr-from-differences yes;
check-integrity no;
allow-query-on { 10.53.0.2; };
};
include "../../common/controls.conf";
zone "." {
type hint;
file "../../common/root.hint";
};
zone "example" {
type master;
file "example.db";
};
zone "tsigzone" {
type master;
file "tsigzone.db";
allow-transfer { ecs 10.53/16; !10/8; };
};

60
bin/tests/system/acl/ns2/named7.conf Normal file
View File

@ -0,0 +1,60 @@
/*
* Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
controls { /* empty */ };
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
transfer-source 10.53.0.2;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
recursion no;
notify yes;
ixfr-from-differences yes;
check-integrity no;
allow-query-on { 10.53.0.2; };
};
include "../../common/controls.conf";
view one {
match-clients { ecs 192.0.2/24; };
zone "." {
type hint;
file "../../common/root.hint";
};
zone "example" {
type master;
file "example.db";
};
};
view two {
zone "." {
type hint;
file "../../common/root.hint";
};
zone "example" {
type master;
file "example.db";
};
};

30
bin/tests/system/acl/tests.sh
View File

@ -150,5 +150,35 @@ $DIG +tcp soa example. \
@10.53.0.2 -b 10.53.0.3 -p 5300 > dig.out.${t}
grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; }
echo "I:testing EDNS client-subnet ACL processing"
cp -f ns2/named6.conf ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
sleep 5
# should fail
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.2 axfr -p 5300 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; }
# should succeed
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.2 +subnet="10.53.0/24" axfr -p 5300 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; }
echo "I:testing EDNS client-subnet response scope"
cp -f ns2/named7.conf ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
sleep 5
t=`expr $t + 1`
$DIG example. soa @10.53.0.2 +subnet="10.53.0.1/32" -p 5300 > dig.out.${t}
grep "CLIENT-SUBNET.*10.53.0.1/32/0" dig.out.${t} > /dev/null || { echo "I:test $t failed" ; status=1; }
t=`expr $t + 1`
$DIG example. soa @10.53.0.2 +subnet="192.0.2.128/32" -p 5300 > dig.out.${t}
grep "CLIENT-SUBNET.*192.0.2.128/32/24" dig.out.${t} > /dev/null || { echo "I:test $t failed" ; status=1; }
echo "I:exit status: $status"
exit $status

56
bin/tests/system/builtin/Makefile.in Normal file
View File

@ -0,0 +1,56 @@
# Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id$
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${ISC_INCLUDES}
CDEFINES =
CWARNINGS =
DNSLIBS =
ISCLIBS =
DNSDEPLIBS =
ISCDEPLIBS =
DEPLIBS =
LIBS = @LIBS@
TARGETS = gethostname@EXEEXT@
SRCS = gethostname.c
OBJS = gethostname.@O@
@BIND9_MAKE_RULES@
all: gethostname@EXEEXT@
gethostname@EXEEXT@: ${OBJS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${OBJS} ${LIBS}
clean distclean::
rm -f ${TARGETS}

20
bin/tests/system/builtin/clean.sh Normal file
View File

@ -0,0 +1,20 @@
#!/bin/sh
#
# Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
rm -f ns?/named.run
rm -f ns?/named.memstats
rm -f rndc.status.ns*
rm -f dig.out.ns*

48
bin/tests/system/builtin/gethostname.c Normal file
View File

@ -0,0 +1,48 @@
/*
* Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
#include <config.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <isc/util.h>
#ifndef MAXHOSTNAMELEN
#ifdef HOST_NAME_MAX
#define MAXHOSTNAMELEN HOST_NAME_MAX
#else
#define MAXHOSTNAMELEN 256
#endif
#endif
int
main(int argc, char **argv) {
char hostname[MAXHOSTNAMELEN];
int n;
UNUSED(argc);
UNUSED(argv);
n = gethostname(hostname, sizeof(hostname));
if (n == -1) {
perror("gethostname");
exit(1);
}
fprintf(stdout, "%s\n", hostname);
return (0);
}

34
bin/tests/system/builtin/ns2/named.conf Normal file
View File

@ -0,0 +1,34 @@
/*
* Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.3 2011/08/09 04:12:25 tbox Exp $ */
include "../../common/rndc.key";
controls { inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; }; };
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
transfer-source 10.53.0.2;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
recursion yes;
notify no;
server-id hostname;
};

36
bin/tests/system/builtin/ns3/named.conf Normal file
View File

@ -0,0 +1,36 @@
/*
* Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.3 2011/08/09 04:12:25 tbox Exp $ */
include "../../common/rndc.key";
controls { inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; }; };
options {
query-source address 10.53.0.3;
notify-source 10.53.0.3;
transfer-source 10.53.0.3;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
recursion yes;
notify no;
hostname "this.is.a.test.of.hostname";
server-id "this.is.a.test.of.server-id";
version "this is a test of version";
};

83
bin/tests/system/builtin/tests.sh
View File

@ -1,4 +1,4 @@
# Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2011, 2012, 2014 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@ -39,4 +39,85 @@ sleep 1
grep "zone serial (0) unchanged." ns1/named.run > /dev/null && ret=1
if [ $ret != 0 ] ; then echo I:failed; status=`expr $status + $ret`; fi
VERSION=`../../../../isc-config.sh --version | cut -d = -f 2`
HOSTNAME=`./gethostname`
n=`expr $n + 1`
ret=0
echo "I:Checking that default version works for rndc ($n)"
$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 status > rndc.status.ns1.$n 2>&1
grep "^version: $VERSION " rndc.status.ns1.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo I:failed; status=`expr $status + $ret`; fi
n=`expr $n + 1`
ret=0
echo "I:Checking that custom version works for rndc ($n)"
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > rndc.status.ns3.$n 2>&1
grep "^version: $VERSION (this is a test of version) " rndc.status.ns3.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo I:failed; status=`expr $status + $ret`; fi
n=`expr $n + 1`
ret=0
echo "I:Checking that default version works for query ($n)"
$DIG +short version.bind txt ch @10.53.0.1 -p 5300 > dig.out.ns1.$n
grep "^\"$VERSION\"$" dig.out.ns1.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo I:failed; status=`expr $status + $ret`; fi
n=`expr $n + 1`
ret=0
echo "I:Checking that custom version works for query ($n)"
$DIG +short version.bind txt ch @10.53.0.3 -p 5300 > dig.out.ns3.$n
grep "^\"this is a test of version\"$" dig.out.ns3.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo I:failed; status=`expr $status + $ret`; fi
n=`expr $n + 1`
ret=0
echo "I:Checking that default hostname works for query ($n)"
$DIG +short hostname.bind txt ch @10.53.0.1 -p 5300 > dig.out.ns1.$n
grep "^\"$HOSTNAME\"$" dig.out.ns1.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo I:failed; status=`expr $status + $ret`; fi
n=`expr $n + 1`
ret=0
echo "I:Checking that custom hostname works for query ($n)"
$DIG +short hostname.bind txt ch @10.53.0.3 -p 5300 > dig.out.ns3.$n
grep "^\"this.is.a.test.of.hostname\"$" dig.out.ns3.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo I:failed; status=`expr $status + $ret`; fi
n=`expr $n + 1`
ret=0
echo "I:Checking that default server-id is none for query ($n)"
$DIG id.server txt ch @10.53.0.1 -p 5300 > dig.out.ns1.$n
grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1
grep "ANSWER: 0" dig.out.ns1.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo I:failed; status=`expr $status + $ret`; fi
n=`expr $n + 1`
ret=0
echo "I:Checking that server-id hostname works for query ($n)"
$DIG +short id.server txt ch @10.53.0.2 -p 5300 > dig.out.ns2.$n
grep "^\"$HOSTNAME\"$" dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo I:failed; status=`expr $status + $ret`; fi
n=`expr $n + 1`
ret=0
echo "I:Checking that server-id hostname works for EDNS name server ID request ($n)"
$DIG +norec +nsid foo @10.53.0.2 -p 5300 > dig.out.ns2.$n
grep "^; NSID: .* (\"$HOSTNAME\")$" dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo I:failed; status=`expr $status + $ret`; fi
n=`expr $n + 1`
ret=0
echo "I:Checking that custom server-id works for query ($n)"
$DIG +short id.server txt ch @10.53.0.3 -p 5300 > dig.out.ns3.$n
grep "^\"this.is.a.test.of.server-id\"$" dig.out.ns3.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo I:failed; status=`expr $status + $ret`; fi
n=`expr $n + 1`
ret=0
echo "I:Checking that custom server-id works for EDNS name server ID request ($n)"
$DIG +norec +nsid foo @10.53.0.3 -p 5300 > dig.out.ns3.$n
grep "^; NSID: .* (\"this.is.a.test.of.server-id\")$" dig.out.ns3.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo I:failed; status=`expr $status + $ret`; fi
exit $status

25
bin/tests/system/checkconf/bad-sharedwritable1.conf Normal file
View File

@ -0,0 +1,25 @@
/*
* Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
zone a {
type master;
file "shared.db";
};
zone b {
type slave;
file "shared.db";
masters { 1.2.3.4; };
};

26
bin/tests/system/checkconf/bad-sharedwritable2.conf Normal file
View File

@ -0,0 +1,26 @@
/*
* Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
zone a {
type slave;
file "shared.db";
masters { 1.2.3.4; };
};
zone b {
type slave;
file "shared.db";
masters { 1.2.3.4; };
};

26
bin/tests/system/checkconf/check-dup-records-fail.conf Normal file
View File

@ -0,0 +1,26 @@
/*
* Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
options {
check-integrity yes; // default is yes
};
zone "check-dup-records" {
type master;
file "check-dup-records.db";
check-dup-records fail;
};

36
bin/tests/system/checkconf/check-dup-records.db Normal file
View File

@ -0,0 +1,36 @@
; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
$TTL 600 ; 10 minutes
@ IN SOA mname1. . (
1 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns2
MX 10 mail
mail A 10.0.0.1
ns2 A 10.53.0.2
; following records are not de-duplicated
; and will be matched by check-dup-records
duplicate HIP ( 2 200100107B1A74DF365639CC39F1D578
AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D
rvs.example.com. )
duplicate HIP ( 2 200100107B1A74DF365639CC39F1D578
AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D
RVS.example.com. )

25
bin/tests/system/checkconf/check-mx-cname-fail.conf Normal file
View File

@ -0,0 +1,25 @@
/*
* Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
options {
check-integrity yes; // default is yes
};
zone "check-mx-cname" {
type master;
file "check-mx-cname.db";
check-mx-cname fail;
};

29
bin/tests/system/checkconf/check-mx-cname.db Normal file
View File

@ -0,0 +1,29 @@
; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
$TTL 600 ; 10 minutes
@ IN SOA mname1. . (
1 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns2
MX 10 mail
; MX points to a CNAME which is detected by check-mx-cname
mail CNAME ns2
ns2 A 10.53.0.2

25
bin/tests/system/checkconf/check-mx-fail.conf Normal file
View File

@ -0,0 +1,25 @@
/*
* Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
options {
check-integrity yes; // default is yes
};
zone "check-mx" {
type master;
file "check-mx.db";
check-mx fail;
};

27
bin/tests/system/checkconf/check-mx.db Normal file
View File

@ -0,0 +1,27 @@
; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
$TTL 600 ; 10 minutes
@ IN SOA mname1. . (
1 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns2
; MX appears to be an address and will be detected by check-mx
MX 10 10.0.0.1
ns2 A 10.53.0.2

25
bin/tests/system/checkconf/check-names-fail.conf Normal file
View File

@ -0,0 +1,25 @@
/*
* Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
options {
check-integrity yes; // default is yes
};
zone "check-names" {
type master;
file "check-names.db";
check-names fail;
};

31
bin/tests/system/checkconf/check-names.db Normal file
View File

@ -0,0 +1,31 @@
; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
$TTL 600 ; 10 minutes
@ IN SOA mname1. . (
1 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns2
MX 10 mail
mail A 10.0.0.1
ns2 A 10.53.0.2
; the RDATA of this record contains a name that may be considered
; invalid and will be detected by check-names configuration.
check-names SRV 1 2 3 _underscore

25
bin/tests/system/checkconf/check-srv-cname-fail.conf Normal file
View File

@ -0,0 +1,25 @@
/*
* Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
options {
check-integrity yes; // default is yes
};
zone "check-srv-cname" {
type master;
file "check-srv-cname.db";
check-srv-cname fail;
};

31
bin/tests/system/checkconf/check-srv-cname.db Normal file
View File

@ -0,0 +1,31 @@
; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
$TTL 600 ; 10 minutes
@ IN SOA mname1. . (
1 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns2
MX 10 mail
mail A 10.0.0.1
ns2 A 10.53.0.2
check-srv-cname SRV 1 2 3 target
; SRV points to a CNAME which is detected by check-srv-cname configuration
target CNAME mail

1
bin/tests/system/checkconf/clean.sh
View File

@ -16,3 +16,4 @@
rm -f good.conf.in good.conf.out badzero.conf *.out
rm -rf test.keydir
rm -f checkconf.out*

2
bin/tests/system/checkconf/good.conf
View File

@ -93,7 +93,7 @@ view "second" {
};
zone "example1" {
type master;
file "yyy";
file "zzz";
update-policy local;
zone-statistics yes;
};

1
bin/tests/system/checkconf/max-ttl.conf
View File

@ -35,4 +35,3 @@ zone "maxttl3.example" {
file "maxttl-bad.db";
max-zone-ttl 120;
};

48
bin/tests/system/checkconf/tests.sh
View File

@ -191,5 +191,53 @@ $CHECKCONF -z altdlz.conf > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
status=`expr $status + $ret`
echo "I: check that check-names fails as configured"
ret=0
$CHECKCONF -z check-names-fail.conf > checkconf.out1 2>&1 && ret=1
grep "near '_underscore': bad name (check-names)" checkconf.out1 > /dev/null || ret=1
grep "zone check-names/IN: loaded serial" < checkconf.out1 > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
status=`expr $status + $ret`
echo "I: check that check-mx fails as configured"
ret=0
$CHECKCONF -z check-mx-fail.conf > checkconf.out2 2>&1 && ret=1
grep "near '10.0.0.1': MX is an address" checkconf.out2 > /dev/null || ret=1
grep "zone check-mx/IN: loaded serial" < checkconf.out2 > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
status=`expr $status + $ret`
echo "I: check that check-dup-records fails as configured"
ret=0
$CHECKCONF -z check-dup-records-fail.conf > checkconf.out3 2>&1 && ret=1
grep "has semantically identical records" checkconf.out3 > /dev/null || ret=1
grep "zone check-dup-records/IN: loaded serial" < checkconf.out3 > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
status=`expr $status + $ret`
echo "I: check that check-mx fails as configured"
ret=0
$CHECKCONF -z check-mx-fail.conf > checkconf.out4 2>&1 && ret=1
grep "failed: MX is an address" checkconf.out4 > /dev/null || ret=1
grep "zone check-mx/IN: loaded serial" < checkconf.out4 > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
status=`expr $status + $ret`
echo "I: check that check-mx-cname fails as configured"
ret=0
$CHECKCONF -z check-mx-cname-fail.conf > checkconf.out5 2>&1 && ret=1
grep "MX.* is a CNAME (illegal)" checkconf.out5 > /dev/null || ret=1
grep "zone check-mx-cname/IN: loaded serial" < checkconf.out5 > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
status=`expr $status + $ret`
echo "I: check that check-srv-cname fails as configured"
ret=0
$CHECKCONF -z check-srv-cname-fail.conf > checkconf.out6 2>&1 && ret=1
grep "SRV.* is a CNAME (illegal)" checkconf.out6 > /dev/null || ret=1
grep "zone check-mx-cname/IN: loaded serial" < checkconf.out6 > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
status=`expr $status + $ret`
echo "I:exit status: $status"
exit $status

17
bin/tests/system/conf.sh.in
View File

@ -66,14 +66,15 @@ RANDFILE=$TOP/bin/tests/system/random.data
# v6synth
SUBDIRS="acl additional allow_query addzone autosign builtin
cacheclean case checkconf @CHECKDS@ checknames checkzone
@COVERAGE@ database dlv dlvauto dlz dlzexternal
dname dns64 dnssec dsdigest dscp ecdsa emptyzones filter-aaaa
formerr forward geoip glue gost ixfr inline limits logfileconfig
lwresd masterfile masterformat metadata notify nslookup nsupdate
pending @PKCS11_TEST@ redirect resolver rndc rpz rrl rrchecker
rrsetorder rsabigexponent sit smartsign sortlist spf staticstub
statistics stub tkey tsig tsiggss unknown upforwd verify
views wildcard xfer xferquota zero zonechecks"
@COVERAGE@ database dlv dlvauto dlz dlzexternal dname dns64
dnssec dsdigest dscp ecdsa ednscompliance emptyzones
filter-aaaa formerr forward geoip glue gost ixfr inline
limits logfileconfig lwresd masterfile masterformat metadata
notify nslookup nsupdate pending @PKCS11_TEST@ redirect
resolver rndc rpz rrl rrchecker rrsetorder rsabigexponent
sit sfcache smartsign sortlist spf staticstub statistics
stub tkey tsig tsiggss unknown upforwd verify views wildcard
xfer xferquota zero zonechecks"
# Use the CONFIG_SHELL detected by configure for tests
SHELL=@SHELL@

13
bin/tests/system/dlzexternal/tests.sh
View File

@ -72,6 +72,12 @@ status=`expr $status + $ret`
test_update deny.example.nil. TXT "86400 TXT helloworld" "helloworld" should_fail && ret=1
status=`expr $status + $ret`
newtest "I:testing nxrrset"
$DIG $DIGOPTS testdc1.example.nil AAAA > dig.out.$n
grep "status: NOERROR" dig.out.$n > /dev/null || ret=1
grep "ANSWER: 0" dig.out.$n > /dev/null || ret=1
status=`expr $status + $ret`
newtest "I:testing prerequisites are checked correctly"
cat > ns1/update.txt << EOF
server 10.53.0.1 5300
@ -181,6 +187,13 @@ grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
newtest "I:checking no redirected lookup for nonexistent type"
$DIG $DIGOPTS @10.53.0.1 exists aaaa > dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
newtest "I:checking redirected lookup for a long nonexistent name"
$DIG $DIGOPTS @10.53.0.1 long.name.is.not.there a > dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1

3
bin/tests/system/dnssec/clean.sh
View File

@ -74,3 +74,6 @@ rm -f ns4/named_dump.db
rm -f ns3/badds.example.db
rm -f delve.out*
rm -f ns7/split-rrsig.db ns7/split-rrsig.db.unsplit
rm -f Kexample.*
rm -f keygen.err
rm -f ns3/future.example.db ns3/trusted-future.key

3
bin/tests/system/dnssec/ns2/example.db.in
View File

@ -151,3 +151,6 @@ NS.LOWER A 10.53.0.3
expiring NS ns.expiring
ns.expiring A 10.53.0.3
future NS ns.future
ns.future A 10.53.0.3

45
bin/tests/system/dnssec/ns3/future.example.db.in Normal file
View File

@ -0,0 +1,45 @@
; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: optout.example.db.in,v 1.3 2008/09/25 04:02:38 tbox Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a A 10.0.0.3
*.wild A 10.0.0.6
insecure NS ns.insecure
ns.insecure A 10.53.0.3
secure NS ns.secure
ns.secure A 10.53.0.3
nsec3 NS ns.nsec3
ns.nsec3 A 10.53.0.3
optout NS ns.optout
ns.optout A 10.53.0.3
child NS ns2.example.
insecure.empty NS ns.insecure.empty
ns.insecure.empty A 10.53.0.3
foo.*.empty-wild NS ns

5
bin/tests/system/dnssec/ns3/named.conf
View File

@ -276,6 +276,11 @@ zone "publish-inactive.example" {
update-policy local;
};
zone "future.example" {
type master;
file "future.example.db.signed";
};
include "siginterval.conf";
include "trusted.conf";

12
bin/tests/system/dnssec/ns3/sign.sh
View File

@ -474,3 +474,15 @@ cat $infile $keyname.key >$zonefile
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
sed -e 's/bogus/badds/g' < dsset-bogus.example. > dsset-badds.example.
#
# A zone with future signatures.
#
zone=future.example
infile=future.example.db.in
zonefile=future.example.db
kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
zskname=`$KEYGEN -q -r $RANDFILE $zone`
cat $infile $kskname.key $zskname.key >$zonefile
$SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile # > /dev/null 2>&1
cp -f $kskname.key trusted-future.key

74
bin/tests/system/dnssec/tests.sh
View File

@ -271,7 +271,7 @@ $DIG $DIGOPTS a.wild.optout.example. \
stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n
stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n
$PERL ../digcomp.pl dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
@ -1796,7 +1796,7 @@ echo "I:check with bad nta lifetime"
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -l garbage foo > rndc.out.ns4.test$n.2 2>&1
grep "'nta' failed: bad ttl" rndc.out.ns4.test$n.2 > /dev/null || ret=1
echo "I:check with too long nta lifetime"
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -l 5d23h foo > rndc.out.ns4.test$n.3 2>&1
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -l 7d1h foo > rndc.out.ns4.test$n.3 2>&1
grep "'nta' failed: out of range" rndc.out.ns4.test$n.3 > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
@ -2640,5 +2640,75 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:check that 'dnssec-keygen -S' works for all supported algorithms ($n)"
ret=0
alg=1
until test $alg = 256
do
size=
case $alg in
1) size="-b 512";;
2) # Diffie Helman
alg=`expr $alg + 1`
continue;;
3) size="-b 512";;
5) size="-b 512";;
6) size="-b 512";;
7) size="-b 512";;
8) size="-b 512";;
10) size="-b 1024";;
157|160|161|162|163|164|165) # private - non standard
alg=`expr $alg + 1`
continue;;
esac
key1=`$KEYGEN -a $alg $size -n zone -r $RANDFILE example 2> keygen.err`
if grep "unsupported algorithm" keygen.err > /dev/null
then
alg=`expr $alg + 1`
continue
fi
if test -z "$key1"
then
echo "I: '$KEYGEN -a $alg': failed"
cat keygen.err
ret=1
alg=`expr $alg + 1`
continue
fi
$SETTIME -I now+4d $key1.private > /dev/null
key2=`$KEYGEN -v 10 -r $RANDFILE -i 3d -S $key1.private 2> /dev/null`
test -f $key2.key -a -f $key2.private || {
ret=1
echo "I: 'dnssec-keygen -S' failed for algorithm: $alg"
}
alg=`expr $alg + 1`
done
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
#
# Test for +sigchase with a null set of trusted keys.
#
$DIG -p 5300 @10.53.0.3 +sigchase +trusted-key=/dev/null > dig.out.ns3.test$n 2>&1
if grep "Invalid option: +sigchase" dig.out.ns3.test$n > /dev/null
then
echo "I:Skipping 'dig +sigchase' tests"
n=`expr $n + 1`
else
echo "I:checking that 'dig +sigchase' doesn't loop with future inception ($n)"
ret=0
$DIG -p 5300 @10.53.0.3 dnskey future.example +sigchase \
+trusted-key=ns3/trusted-future.key > dig.out.ns3.test$n &
pid=$!
sleep 1
kill -9 $pid 2> /dev/null
wait $pid
grep ";; No DNSKEY is valid to check the RRSIG of the RRset: FAILED" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
fi
echo "I:exit status: $status"
exit $status

17
bin/tests/system/ednscompliance/clean.sh Normal file
View File

@ -0,0 +1,17 @@
#!/bin/sh
#
# Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
rm -f dig.out*

34
bin/tests/system/ednscompliance/ns1/named.conf Normal file
View File

@ -0,0 +1,34 @@
/*
* Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
controls { /* empty */ };
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
recursion no;
};
zone "." {
type master;
file "root.db";
};

24
bin/tests/system/ednscompliance/ns1/root.db Normal file
View File

@ -0,0 +1,24 @@
; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
$TTL 300
. IN SOA marka.isc.org. a.root.servers.nil. (
2010 ; serial
600 ; refresh
600 ; retry
1200 ; expire
600 ; minimum
)
. NS a.root-servers.nil.
a.root-servers.nil. A 10.53.0.6

104
bin/tests/system/ednscompliance/tests.sh Normal file
View File

@ -0,0 +1,104 @@
#!/bin/sh
#
# Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
status=0
n=0
zone=.
n=`expr $n + 1`
echo "I:check +edns=100 sets version 100 ($n)"
ret=0 reason=
$DIG -p 5300 @10.53.0.1 +qr +norec +edns=100 soa $zone > dig.out$n
grep "EDNS: version: 100," dig.out$n > /dev/null || { ret=1; reason="version"; }
if [ $ret != 0 ]; then echo "I:failed $reason"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
ret=0 reason=
echo "I:check +ednsopt=100 adds option 100 ($n)"
$DIG -p 5300 @10.53.0.1 +qr +norec +ednsopt=100 soa $zone > dig.out$n
grep "; OPT=100" dig.out$n > /dev/null || { ret=1; reason="option"; }
if [ $ret != 0 ]; then echo "I:failed $reason"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:check +ednsflags=0x80 sets flags to 0080 ($n)"
ret=0 reason=
$DIG -p 5300 @10.53.0.1 +qr +norec +ednsflags=0x80 soa $zone > dig.out$n
grep "MBZ: 0080" dig.out$n > /dev/null || { ret=1; reason="flags"; }
if [ $ret != 0 ]; then echo "I:failed $reason"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:Unknown EDNS version ($n)"
ret=0 reason=
$DIG -p 5300 @10.53.0.1 +norec +edns=100 soa $zone > dig.out$n
grep "status: BADVERS," dig.out$n > /dev/null || { ret=1; reason="status"; }
grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; }
grep "IN.SOA." dig.out$n > /dev/null && { ret=1; reaons="soa"; }
if [ $ret != 0 ]; then echo "I:failed $reason"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:Unknown EDNS option ($n)"
ret=0 reason=
$DIG -p 5300 @10.53.0.1 +norec +ednsopt=100 soa $zone > dig.out$n
grep "status: NOERROR," dig.out$n > /dev/null || { ret=1; reason="status"; }
grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; }
grep "; OPT=100" dig.out$n > /dev/null && { ret=1; reason="option"; }
grep "IN.SOA." dig.out$n > /dev/null || { ret=1; reason="nosoa"; }
if [ $ret != 0 ]; then echo "I:failed $reason"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:Unknown EDNS version + option ($n)"
ret=0 reason=
$DIG -p 5300 @10.53.0.1 +norec +edns=100 +ednsopt=100 soa $zone > dig.out$n
grep "status: BADVERS," dig.out$n > /dev/null || { ret=1; reason="status"; }
grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; }
grep "; OPT=100" dig.out$n > /dev/null && { ret=1; reason="option"; }
grep "IN.SOA." dig.out$n > /dev/null && { ret=1; reason="soa"; }
if [ $ret != 0 ]; then echo "I:failed: $reason"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:Unknown EDNS flag ($n)"
ret=0 reason=
$DIG -p 5300 @10.53.0.1 +norec +ednsflags=0x80 soa $zone > dig.out$n
grep "status: NOERROR," dig.out$n > /dev/null || { ret=1; reason="status"; }
grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; }
grep "EDNS:.*MBZ" dig.out$n > /dev/null > /dev/null && { ret=1; reason="mbz"; }
grep ".IN.SOA." dig.out$n > /dev/null || { ret=1; reason="nosoa"; }
if [ $ret != 0 ]; then echo "I:failed $reason"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:Unknown EDNS version + flag ($n)"
ret=0 reason=
$DIG -p 5300 @10.53.0.1 +norec +edns=100 +ednsflags=0x80 soa $zone > dig.out$n
grep "status: BADVERS," dig.out$n > /dev/null || { ret=1; reason="status"; }
grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; }
grep "EDNS:.*MBZ" dig.out$n > /dev/null > /dev/null && { ret=1; reason="mbz"; }
grep "IN.SOA." dig.out$n > /dev/null && { ret=1; reason="soa"; }
if [ $ret != 0 ]; then echo "I:failed $reason"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:exit status: $status"
exit $status

3
bin/tests/system/genzone.sh
View File

@ -121,6 +121,9 @@ txt09 TXT foo\010bar
txt10 TXT foo\ bar
txt11 TXT "\"foo\""
txt12 TXT \"foo\"
txt13 TXT "foo;"
txt14 TXT "foo\;"
txt15 TXT "bar\\;"
; type 17
rp01 RP mbox-dname txt-dname

2
bin/tests/system/geoip/clean.sh
View File

@ -15,5 +15,5 @@
# PERFORMANCE OF THIS SOFTWARE.
rm -f ns2/named.conf
rm -f ns2/example[1234567].db
rm -f ns2/example*.db
rm -f dig.out.* rndc.out.*

1
bin/tests/system/geoip/data/GeoIP.csv
View File

@ -5,3 +5,4 @@
10.53.0.5/32 CL
10.53.0.6/32 DE
10.53.0.7/32 EH
192.0.2/24 O1

1 10.53.0.1/32 AU
5 10.53.0.5/32 CL
6 10.53.0.6/32 DE
7 10.53.0.7/32 EH
8 192.0.2/24 O1

BIN
bin/tests/system/geoip/data/GeoIP.dat
View File

Binary file not shown.

5
bin/tests/system/geoip/data/README
View File

@ -18,8 +18,8 @@ GeoIPDoain.dat: Domain Name
GeoIPASNum.dat: AS Number
GeoIPNetSpeed.dat: Net Speed
GeoIP.dat can also be generated using the open source 'geoip-csv-to-dat'
utility:
GeoIP.dat can also be egenerated using the open source 'geoip-csv-to-dat'
utility (also known in some packages as "geoip-generator"):
$ geoip-csv-to-dat -i "BIND9 geoip test data v1" -o GeoIP.dat << EOF
"10.53.0.1","10.53.0.1","171245569","171245569","AU","Australia"
@ -29,4 +29,5 @@ $ geoip-csv-to-dat -i "BIND9 geoip test data v1" -o GeoIP.dat << EOF
"10.53.0.5","10.53.0.5","171245573","171245573","CL","Chile"
"10.53.0.6","10.53.0.6","171245574","171245574","DE","Germany"
"10.53.0.7","10.53.0.7","171245575","171245575","EH","Western Sahara"
"192.0.2.0","192.0.2.255","3221225984","3221226239","O1","Other"
EOF

10
bin/tests/system/geoip/ns2/named1.conf
View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@ -95,6 +95,14 @@ view seven {
};
};
view other {
match-clients { geoip db country country O1; };
zone "example" {
type master;
file "exampleother.db";
};
};
view none {
match-clients { any; };
zone "example" {

16
bin/tests/system/geoip/ns2/named10.conf
View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@ -40,7 +40,7 @@ controls {
};
view one {
match-clients { geoip domain one.de; };
match-clients { geoip asnum "AS100001"; };
zone "example" {
type master;
file "example1.db";
@ -48,7 +48,7 @@ view one {
};
view two {
match-clients { geoip domain two.com; };
match-clients { geoip asnum "AS100002"; };
zone "example" {
type master;
file "example2.db";
@ -56,7 +56,7 @@ view two {
};
view three {
match-clients { geoip domain three.com; };
match-clients { geoip asnum "AS100003"; };
zone "example" {
type master;
file "example3.db";
@ -64,7 +64,7 @@ view three {
};
view four {
match-clients { geoip domain four.com; };
match-clients { geoip asnum "AS100004"; };
zone "example" {
type master;
file "example4.db";
@ -72,7 +72,7 @@ view four {
};
view five {
match-clients { geoip domain five.es; };
match-clients { geoip asnum "AS100005"; };
zone "example" {
type master;
file "example5.db";
@ -80,7 +80,7 @@ view five {
};
view six {
match-clients { geoip domain six.it; };
match-clients { geoip asnum "AS100006"; };
zone "example" {
type master;
file "example6.db";
@ -88,7 +88,7 @@ view six {
};
view seven {
match-clients { geoip domain seven.org; };
match-clients { geoip asnum "AS100007"; };
zone "example" {
type master;
file "example7.db";

34
bin/tests/system/geoip/ns2/named11.conf
View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@ -40,7 +40,7 @@ controls {
};
view one {
match-clients { geoip netspeed 0; };
match-clients { geoip domain one.de; };
zone "example" {
type master;
file "example1.db";
@ -48,7 +48,7 @@ view one {
};
view two {
match-clients { geoip netspeed 1; };
match-clients { geoip domain two.com; };
zone "example" {
type master;
file "example2.db";
@ -56,7 +56,7 @@ view two {
};
view three {
match-clients { geoip netspeed 2; };
match-clients { geoip domain three.com; };
zone "example" {
type master;
file "example3.db";
@ -64,13 +64,37 @@ view three {
};
view four {
match-clients { geoip netspeed 3; };
match-clients { geoip domain four.com; };
zone "example" {
type master;
file "example4.db";
};
};
view five {
match-clients { geoip domain five.es; };
zone "example" {
type master;
file "example5.db";
};
};
view six {
match-clients { geoip domain six.it; };
zone "example" {
type master;
file "example6.db";
};
};
view seven {
match-clients { geoip domain seven.org; };
zone "example" {
type master;
file "example7.db";
};
};
view none {
match-clients { any; };
zone "example" {

47
bin/tests/system/geoip/ns2/named12.conf
View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@ -18,10 +18,6 @@
controls { /* empty */ };
acl blocking {
geoip db country country AU;
};
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
@ -32,7 +28,6 @@ options {
listen-on-v6 { none; };
recursion no;
geoip-directory "../data";
blackhole { blocking; };
};
key rndc_key {
@ -43,3 +38,43 @@ key rndc_key {
controls {
inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
};
view one {
match-clients { geoip netspeed 0; };
zone "example" {
type master;
file "example1.db";
};
};
view two {
match-clients { geoip netspeed 1; };
zone "example" {
type master;
file "example2.db";
};
};
view three {
match-clients { geoip netspeed 2; };
zone "example" {
type master;
file "example3.db";
};
};
view four {
match-clients { geoip netspeed 3; };
zone "example" {
type master;
file "example4.db";
};
};
view none {
match-clients { any; };
zone "example" {
type master;
file "example.db.in";
};
};

77
bin/tests/system/geoip/ns2/named13.conf
View File

@ -18,6 +18,10 @@
controls { /* empty */ };
acl blocking {
geoip db country country AU;
};
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
@ -28,6 +32,7 @@ options {
listen-on-v6 { none; };
recursion no;
geoip-directory "../data";
blackhole { blocking; };
};
key rndc_key {
@ -38,75 +43,3 @@ key rndc_key {
controls {
inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
};
acl gAU { geoip db country country AU; };
acl gUS { geoip db country country US; };
acl gGB { geoip db country country GB; };
acl gCA { geoip db country country CA; };
acl gCL { geoip db country country CL; };
acl gDE { geoip db country country DE; };
acl gEH { geoip db country country EH; };
view one {
match-clients { gAU; };
zone "example" {
type master;
file "example1.db";
};
};
view two {
match-clients { gUS; };
zone "example" {
type master;
file "example2.db";
};
};
view three {
match-clients { gGB; };
zone "example" {
type master;
file "example3.db";
};
};
view four {
match-clients { gCA; };
zone "example" {
type master;
file "example4.db";
};
};
view five {
match-clients { gCL; };
zone "example" {
type master;
file "example5.db";
};
};
view six {
match-clients { gDE; };
zone "example" {
type master;
file "example6.db";
};
};
view seven {
match-clients { gEH; };
zone "example" {
type master;
file "example7.db";
};
};
view none {
match-clients { any; };
zone "example" {
type master;
file "example.db.in";
};
};

113
bin/tests/system/geoip/ns2/named14.conf Normal file
View File

@ -0,0 +1,113 @@
/*
* Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
// NS2
controls { /* empty */ };
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
transfer-source 10.53.0.2;
port 5300;
pid-file "named.pid";
listen-on { 127.0.0.1; 10.53.0.2; };
listen-on-v6 { none; };
recursion no;
geoip-directory "../data";
geoip-use-ecs no;
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
};
acl gAU { geoip db country country AU; };
acl gUS { geoip db country country US; };
acl gGB { geoip db country country GB; };
acl gCA { geoip db country country CA; };
acl gCL { geoip db country country CL; };
acl gDE { geoip db country country DE; };
acl gEH { geoip db country country EH; };
view one {
match-clients { gAU; };
zone "example" {
type master;
file "example1.db";
};
};
view two {
match-clients { gUS; };
zone "example" {
type master;
file "example2.db";
};
};
view three {
match-clients { gGB; };
zone "example" {
type master;
file "example3.db";
};
};
view four {
match-clients { gCA; };
zone "example" {
type master;
file "example4.db";
};
};
view five {
match-clients { gCL; };
zone "example" {
type master;
file "example5.db";
};
};
view six {
match-clients { gDE; };
zone "example" {
type master;
file "example6.db";
};
};
view seven {
match-clients { gEH; };
zone "example" {
type master;
file "example7.db";
};
};
view none {
match-clients { any; };
zone "example" {
type master;
file "examplebogus.db";
};
};

2
bin/tests/system/geoip/setup.sh
View File

@ -21,7 +21,7 @@ $SHELL clean.sh
cp ns2/named1.conf ns2/named.conf
for i in 1 2 3 4 5 6 7; do
for i in 1 2 3 4 5 6 7 other bogus; do
cp ns2/example.db.in ns2/example${i}.db
echo "@ IN TXT \"$i\"" >> ns2/example$i.db
done

172
bin/tests/system/geoip/tests.sh
View File

@ -38,6 +38,30 @@ done
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking GeoIP country database by code (using client subnet) ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/0" > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking response scope using client subnet ($n)"
ret=0
$DIG +tcp -p5300 @10.53.0.2 txt example -b 127.0.0.1 +subnet="10.53.0.1/32" > dig.out.ns2.test$n.1 || ret=1
grep 'CLIENT-SUBNET.*10.53.0.1/32/32' dig.out.ns2.test$n.1 > /dev/null || ret=1
$DIG +tcp -p5300 @10.53.0.2 txt example -b 127.0.0.1 +subnet="192.0.2.64/32" > dig.out.ns2.test$n.2 || ret=1
grep 'CLIENT-SUBNET.*192.0.2.64/32/24' dig.out.ns2.test$n.2 > /dev/null || ret=1
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
echo "I:reloading server"
cp -f ns2/named2.conf ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
@ -115,6 +139,21 @@ done
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking GeoIP region database (using client subnet) ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
echo "I:reloading server"
cp -f ns2/named6.conf ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
@ -134,6 +173,20 @@ done
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking GeoIP city database (using client subnet) ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
echo "I:reloading server"
cp -f ns2/named7.conf ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
@ -153,6 +206,20 @@ done
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking GeoIP isp database (using client subnet) ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
echo "I:reloading server"
cp -f ns2/named8.conf ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
@ -172,6 +239,20 @@ done
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking GeoIP org database (using client subnet) ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
echo "I:reloading server"
cp -f ns2/named9.conf ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
@ -191,11 +272,58 @@ done
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking GeoIP asnum database (using client subnet) ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
echo "I:reloading server"
cp -f ns2/named10.conf ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
sleep 3
n=`expr $n + 1`
echo "I:checking GeoIP asnum database - ASNNNN only ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking GeoIP domain database (using client subnet) ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
echo "I:reloading server"
cp -f ns2/named11.conf ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
sleep 3
n=`expr $n + 1`
echo "I:checking GeoIP domain database ($n)"
ret=0
@ -211,7 +339,7 @@ done
status=`expr $status + $ret`
echo "I:reloading server"
cp -f ns2/named11.conf ns2/named.conf
cp -f ns2/named12.conf ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
sleep 3
@ -229,8 +357,22 @@ done
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking GeoIP netspeed database (using client subnet) ($n)"
ret=0
lret=0
for i in 1 2 3 4; do
$DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
echo "I:reloading server"
cp -f ns2/named12.conf ns2/named.conf
cp -f ns2/named13.conf ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
sleep 3
@ -243,7 +385,7 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 status 2>&1 > rndc.out.ns2.tes
status=`expr $status + $ret`
echo "I:reloading server"
cp -f ns2/named13.conf ns2/named.conf
cp -f ns2/named14.conf ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
sleep 3
@ -261,5 +403,29 @@ done
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
echo "I:reloading server"
cp -f ns2/named14.conf ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
sleep 3
n=`expr $n + 1`
echo "I:checking geoip-use-ecs ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.ecs.$i || lret=1
j=`cat dig.out.ns2.test$n.ecs.$i | tr -d '"'`
[ "$j" = "bogus" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
echo "I:exit status: $status"
exit $status

Some files were not shown because too many files have changed in this diff Show More