diff --git a/CHANGES b/CHANGES index 1ab9f8dff7..b2be41e234 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,126 @@ -3931. [cleanup] Cleanup how dlz grammer is defined. [RT #36879] +3963. [test] Added NXRRSET test cases to the "dlzexternal" + system test. [RT #37344] + +3962. [bug] 'dig +topdown +trace +sigchase' address unhandled error + conditions. [RT #34663] + +3961. [bug] Forwarding of SIG(0) signed UPDATE messages failed with + BADSIG. [RT #37216] + +3960. [bug] 'dig +sigchase' could loop forever. [RT #37220] + +3959. [bug] Updates could be lost if they arrived immediately + after a rndc thaw. [RT #37233] + +3958. [bug] Detect when writeable files have multiple references + in named.conf. [RT #37172] + +3957. [bug] "dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256 + and ECDSAP384SHA384. [RT #37183] + +3956. [func] Notify messages are now rate limited by notify-rate and + startup-notify-rate instead of serial-query-rate. + [RT #24454] + +3955. [bug] Notify messages due to changes are no longer queued + behind startup notify messages. [RT #24454] + +3954. [bug] Unchecked mutex init in dlz_dlopen_driver.c [RT #37112] + +3953. [bug] Don't escape semi-colon in TXT fields. [RT #37159] + +3952. [bug] dns_name_fullcompare failed to set *nlabelsp when the + two name pointers were the same. [RT #37176] + +3951. [func] Add the ability to set yet-to-be-defined EDNS flags + to dig (+ednsflags=#). [RT #37142] + +3950. [port] Changed the bin/python Makefile to work around a + bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993] + +3949. [experimental] Experimental support for draft-andrews-edns1 by sending + EDNS(1) queries (define DRAFT_ANDREWS_EDNS1 when + building). Add support for limiting the EDNS version + advertised to servers: server { edns-version 0; }; + Log the EDNS version received in the query log. + [RT #35864] + +3948. [port] solaris: RCVBUFSIZE was too large on Solaris with + --with-tuning=large. [RT #37059] + +3947. [cleanup] Set the executable bit on libraries when using + libtool. [RT #36786] + +3946. [cleanup] Improved "configure" search for a python interpreter. + [RT #36992] + +3945. [bug] Invalid wildcard expansions could be incorrectly + accepted by the validator. [RT #37093] + +3944. [test] Added a regression test for "server-id". [RT #37057] + +3943. [func] SERVFAIL responses can now be cached for a + limited time (configured by "servfail-ttl", + default 10 seconds, limit 30). This can reduce + the frequency of retries when an authoritative + server is known to be failing, e.g., due to + ongoing DNSSEC validation problems. [RT #21347] + +3942. [bug] Wildcard responses from a optout range should be + marked as insecure. [RT #37072] + +3941. [doc] Include the BIND version number in the ARM. [RT #37067] + +3940. [func] "rndc nta" now allows negative trust anchors to be + set for up to one week. [RT #37069] + +3939. [func] Improve UPDATE forwarding performance by allowing TCP + connections to be shared. [RT #37039] + +3938. [placeholder] + +3937. [func] Added some debug logging to better indicate the + conditions causing SERVFAILs when resolving. + [RT #35538] + +3936. [func] Added authoritative support for the EDNS Client + Subnet (ECS) option. + + ACLs can now include "ecs" elements which specify + an address or network prefix; if an ECS option is + included in a DNS query, then the address encoded + in the option will be matched against "ecs" ACL + elements. + + Also, if an ECS address is included in a query, + then it will be used instead of the client source + address when matching "geoip" ACL elements. This + behavior can be overridden with "geoip-use-ecs no;". + (Note: to enable "geoip" ACLs, use "configure + --with-geoip". This requires libGeoIP version + 1.5.0 or higher.) + + When "ecs" or "geoip" ACL elements are used to + select a view for a query, the response will include + an ECS option to indicate which client network the + answer is valid for. + + (Thanks to Vincent Bernat.) [RT #36781] + +3935. [bug] "geoip asnum" ACL elements would not match unless + the full organization name was specified. They + can now match against the AS number alone (e.g., + AS1234). [RT #36945] + +3934. [bug] Catch bad 'sit-secret' in named-checkconf. Improve + sit-secret documentation. [RT #36980] + +3933. [bug] Corrected the implementation of dns_rdata_casecompare() + for the HIP rdata type. [RT #36911] + +3932. [test] Improved named-checkconf tests. [RT #36911] + +3931. [cleanup] Cleanup how dlz grammar is defined. [RT #36879] 3930. [bug] "rndc nta -r" could cause a server hang if the NTA was not found. [RT #36909] @@ -23,7 +145,7 @@ retains DS and (if applicable) NSEC signatures. [RT #36946] -3921. [bug] AD was inappopriately set on RPZ responses. [RT #36833] +3921. [bug] AD was inappropriately set on RPZ responses. [RT #36833] 3920. [doc] Added doc for masterfile-style. [RT #36823] @@ -64,7 +186,7 @@ 3908. [bug] rndc now differentiates between a zone in multiple views and a zone that doesn't exist at all. [RT #36691] -3907. [cleanup] Alphabetise rndc help. [RT #36683] +3907. [cleanup] Alphabetize rndc help. [RT #36683] 3906. [protocol] Update URI record format to comply with draft-faltstrom-uri-08. [RT #36642] @@ -140,7 +262,7 @@ periodically to see whether data below them can be validated, and if so, they will be allowed to expire early. The "rndc nta -force" option - overrides this behvaior. The default NTA lifetime + overrides this behavior. The default NTA lifetime and the recheck frequency can be configured by the "nta-lifetime" and "nta-recheck" options. [RT #36146] diff --git a/README b/README index 8298ae1f88..14b6a15d48 100644 --- a/README +++ b/README @@ -56,6 +56,25 @@ BIND 9.11.0 BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier releases. New features include: + - SERVFAIL responses can now be cached for a limited time + (defaulting to 10 seconds, with an upper limit of 30). + This can reduce the frequency of retries when a query is + persistently failing. + - The new "rndc nta" command can be used to set a "negative + trust anchor", disabling DNSSEC validation for a specific + domain; this can be used when responses from a domain are + known to be failing validation due to administrative error + rather than because of a spoofing attack. Negative trust + anchors are strictly temporary; by default they expire after + one hour, but can be configured to last up to one week. + - Update forwarding performance has been improved by allowing + a single TCP connection to be shared by multiple updates. + - The EDNS Client Subnet (ECS) option is now supported for + authoritative servers; if a query contains an ECS option + then ACLs containing "geoip" or "ecs" elements can match + against the the address encoded in the option. This can be + used to select a view for a query, so that different answers + can be provided depending on the client network. - The EDNS EXPIRE option has been implemented on the client side, allowing a slave server to set the expiration timer correctly when transferring zone data from another slave @@ -68,12 +87,16 @@ BIND 9.11.0 - "dig +ttlunits" causes dig to print TTL values with time-unit suffixes: w, d, h, m, s for weeks, days, hours, minutes, and seconds. - - "serial-update-format" can now be set to "date". On update, + - "serial-update-method" can now be set to "date". On update, the serial number will be set to the current date in YYYYMMDDNN format. - "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN. - "named -L " causes named to send log messages to the specified file by default instead of to the system log. + - dig can now set arbitary EDNS options on requests (+ednsopt). + - dig can now set yet-to-be-defined EDNS flags on requests (+ednsflags). + - serial-query-rate no longer covers NOTIFY messages. These are + seperately controlled by notity-rate and startup-notify-rate. This release addresses the security flaw described in CVE-2014-3214 and CVE-2014-3859. @@ -479,23 +502,29 @@ Change Log Bug Reports and Mailing Lists - Bugs reports should be sent to + Bug reports should be sent to: bind9-bugs@isc.org - To join the BIND Users mailing list, send mail to + Feature requests can be sent to: - bind-users-request@isc.org + bind-suggest@isc.org - archives of which can be found via + To join or view the archives of the BIND Users mailing list, + visit: - http://www.isc.org/ops/lists/ + https://lists.isc.org/mailman/listinfo/bind-users If you're planning on making changes to the BIND 9 source - code, you might want to join the BIND Workers mailing list. - Send mail to + code, you may also want to join the BIND Workers mailing + list: - bind-workers-request@isc.org + https://lists.isc.org/mailman/listinfo/bind-workers + + Information on read-only Git access, coding style and developer + guidelines can be found at: + + http://www.isc.org/git/ Acknowledgments diff --git a/aclocal.m4 b/aclocal.m4 index e7ac2ec47c..a7ee53146f 100644 --- a/aclocal.m4 +++ b/aclocal.m4 @@ -9,7 +9,9 @@ m4_divert_text(HELP_CANON, [[ and --localstatedir are /etc and /var, respectively.]]) m4_divert_text(HELP_END, [[ Professional support for BIND is provided by Internet Systems Consortium, -Inc., doing business as DNSco. Information about paid support options is -available at http://www.dns-co.com/solutions/. Free support is provided by -our user community via a mailing list. Information on public email lists -is available at https://www.isc.org/community/mailing-list/.]]) +Inc. Information about paid support and training options is available at +https://www.isc.org/support. + +Help can also often be found on the BIND Users mailing list +(https://lists.isc.org/mailman/listinfo/bind-users) or in the #bind +channel of the Freenode IRC service.]]) diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in index 61f98c23cc..b88be3cb85 100644 --- a/bin/check/Makefile.in +++ b/bin/check/Makefile.in @@ -70,7 +70,7 @@ named-checkzone.@O@: named-checkzone.c -c ${srcdir}/named-checkzone.c named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \ - ${ISCCFGDEPLIBS} ${BIND9DEPLIBS} + ${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${BIND9DEPLIBS} export BASEOBJS="named-checkconf.@O@ check-tool.@O@"; \ export LIBS0="${BIND9LIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \ ${FINALBUILDCMD} diff --git a/bin/check/named-checkconf.html b/bin/check/named-checkconf.html index 37ff16b9f0..8caabf260e 100644 --- a/bin/check/named-checkconf.html +++ b/bin/check/named-checkconf.html @@ -32,7 +32,7 @@

named-checkconf [-h] [-v] [-j] [-t directory] {filename} [-p] [-x] [-z]

-

DESCRIPTION

+

DESCRIPTION

named-checkconf checks the syntax, but not the semantics, of a named configuration file. The file is parsed @@ -52,7 +52,7 @@

-

OPTIONS

+

OPTIONS

-h

@@ -101,21 +101,21 @@

-

RETURN VALUES

+

RETURN VALUES

named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.

-

SEE ALSO

+

SEE ALSO

named(8), named-checkzone(8), BIND 9 Administrator Reference Manual.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/check/named-checkzone.8 b/bin/check/named-checkzone.8 index f83ca3b131..3706b65770 100644 --- a/bin/check/named-checkzone.8 +++ b/bin/check/named-checkzone.8 @@ -266,7 +266,7 @@ so that include directives in the configuration file are processed as if run by .PP \-T \fImode\fR .RS 4 -Check if Sender Policy Framework records (TXT and SPF) both exist or both don't exist. A warning is issued if they don't match. Possible modes are +Check if Sender Policy Framework (SPF) records exist and issues a warning if an SPF\-formatted TXT record is not also present. Possible modes are \fB"warn"\fR (default), \fB"ignore"\fR. diff --git a/bin/check/named-checkzone.docbook b/bin/check/named-checkzone.docbook index f2b2724d4b..9e827f398d 100644 --- a/bin/check/named-checkzone.docbook +++ b/bin/check/named-checkzone.docbook @@ -440,10 +440,10 @@ -T mode - Check if Sender Policy Framework records (TXT and SPF) - both exist or both don't exist. A warning is issued - if they don't match. Possible modes are - "warn" (default), "ignore". + Check if Sender Policy Framework (SPF) records exist + and issues a warning if an SPF-formatted TXT record is + not also present. Possible modes are "warn" + (default), "ignore". diff --git a/bin/check/named-checkzone.html b/bin/check/named-checkzone.html index 958bbc4da1..3856cac855 100644 --- a/bin/check/named-checkzone.html +++ b/bin/check/named-checkzone.html @@ -33,7 +33,7 @@

named-compilezone [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-J filename] [-i mode] [-k mode] [-m mode] [-n mode] [-l ttl] [-L serial] [-r mode] [-s style] [-t directory] [-T mode] [-w directory] [-D] [-W mode] {-o filename} {zonename} {filename}

-

DESCRIPTION

+

DESCRIPTION

named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a @@ -53,7 +53,7 @@

-

OPTIONS

+

OPTIONS

-d

@@ -249,10 +249,10 @@

-T mode

- Check if Sender Policy Framework records (TXT and SPF) - both exist or both don't exist. A warning is issued - if they don't match. Possible modes are - "warn" (default), "ignore". + Check if Sender Policy Framework (SPF) records exist + and issues a warning if an SPF-formatted TXT record is + not also present. Possible modes are "warn" + (default), "ignore".

-w directory

@@ -287,14 +287,14 @@

-

RETURN VALUES

+

RETURN VALUES

named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.

-

SEE ALSO

+

SEE ALSO

named(8), named-checkconf(8), RFC 1035, @@ -302,7 +302,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/confgen/ddns-confgen.html b/bin/confgen/ddns-confgen.html index 1b1c9535f6..ba2b737312 100644 --- a/bin/confgen/ddns-confgen.html +++ b/bin/confgen/ddns-confgen.html @@ -32,7 +32,7 @@

ddns-confgen [-a algorithm] [-h] [-k keyname] [-q] [-r randomfile] [ -s name | -z zone ]

-

DESCRIPTION

+

DESCRIPTION

tsig-keygen and ddns-confgen are invocation methods for a utility that generates keys for use @@ -68,7 +68,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm

@@ -140,7 +140,7 @@

-

SEE ALSO

+

SEE ALSO

nsupdate(1), named.conf(5), named(8), @@ -148,7 +148,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/confgen/rndc-confgen.html b/bin/confgen/rndc-confgen.html index aa92583a93..103ae78a6d 100644 --- a/bin/confgen/rndc-confgen.html +++ b/bin/confgen/rndc-confgen.html @@ -32,7 +32,7 @@

rndc-confgen [-a] [-A algorithm] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

-

DESCRIPTION

+

DESCRIPTION

rndc-confgen generates configuration files for rndc. It can be used as a @@ -48,7 +48,7 @@

-

OPTIONS

+

OPTIONS

-a
@@ -162,7 +162,7 @@
-

EXAMPLES

+

EXAMPLES

To allow rndc to be used with no manual configuration, run @@ -179,7 +179,7 @@

-

SEE ALSO

+

SEE ALSO

rndc(8), rndc.conf(5), named(8), @@ -187,7 +187,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/delv/delv.html b/bin/delv/delv.html index 99072b84fd..b2bfaa35b0 100644 --- a/bin/delv/delv.html +++ b/bin/delv/delv.html @@ -35,7 +35,7 @@

delv [queryopt...] [query...]

-

DESCRIPTION

+

DESCRIPTION

delv (Domain Entity Lookup & Validation) is a tool for sending DNS queries and validating the results, using the the same internal @@ -78,7 +78,7 @@

-

SIMPLE USAGE

+

SIMPLE USAGE

A typical invocation of delv looks like:

@@ -133,7 +133,7 @@

-

OPTIONS

+

OPTIONS

-a anchor-file
@@ -267,7 +267,7 @@
-

QUERY OPTIONS

+

QUERY OPTIONS

delv provides a number of query options which affect the way results are displayed, and in some cases the way lookups are performed. @@ -447,12 +447,12 @@

-

FILES

+

FILES

/etc/bind.keys

/etc/resolv.conf

-

SEE ALSO

+

SEE ALSO

dig(1), named(8), RFC4034, diff --git a/bin/dig/dig.1 b/bin/dig/dig.1 index 0e5e27502c..9be55a8f09 100644 --- a/bin/dig/dig.1 +++ b/bin/dig/dig.1 @@ -356,6 +356,11 @@ Specify the EDNS version to query with. Valid values are 0 to 255. Setting the E clears the remembered EDNS version. EDNS is set to 0 by default. .RE .PP +\fB+[no]ednsflags[=#]\fR +.RS 4 +Set the must\-be\-zero EDNS flags bits (Z bits) to the specified value. Decimal, hex and octal encodings are accepted. Setting a named flag (e.g. DO) will silently be ignored. By default, no Z bits are set. +.RE +.PP \fB+[no]ednsopt[=code[:value]]\fR .RS 4 Specify EDNS option with code point diff --git a/bin/dig/dig.c b/bin/dig/dig.c index 528d105ee7..0b4045e338 100644 --- a/bin/dig/dig.c +++ b/bin/dig/dig.c @@ -192,6 +192,7 @@ help(void) { " +ndots=### (Set NDOTS value)\n" " +subnet=addr (Set edns-client-subnet option)\n" " +[no]edns[=###] (Set EDNS version) [0]\n" +" +ednsflags=### (Set EDNS flag bits)\n" " +ednsopt=###[:value] (Send specified EDNS option)\n" " +noednsopt (Clear list of +ednsopt options)\n" " +[no]search (Set whether to use searchlist)\n" @@ -960,6 +961,25 @@ plus_option(char *option, isc_boolean_t is_batchfile, "edns"); lookup->edns = num; break; + case 'f': + FULLCHECK("ednsflags"); + if (!state) { + lookup->ednsflags = 0; + break; + } + if (value == NULL) { + lookup->ednsflags = 0; + break; + } + result = parse_xint(&num, + value, + 0xffff, + "ednsflags"); + if (result != ISC_R_SUCCESS) + fatal("Couldn't parse " + "ednsflags"); + lookup->ednsflags = num; + break; case 'o': FULLCHECK("ednsopt"); if (!state) { diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook index ace24ac91b..2726f284e1 100644 --- a/bin/dig/dig.docbook +++ b/bin/dig/dig.docbook @@ -578,6 +578,18 @@ + + + + + Set the must-be-zero EDNS flags bits (Z bits) to the + specified value. Decimal, hex and octal encodings are + accepted. Setting a named flag (e.g. DO) will silently be + ignored. By default, no Z bits are set. + + + + diff --git a/bin/dig/dig.html b/bin/dig/dig.html index 0e11541dbc..3a5a357c7e 100644 --- a/bin/dig/dig.html +++ b/bin/dig/dig.html @@ -34,7 +34,7 @@

dig [global-queryopt...] [query...]

-

DESCRIPTION

+

DESCRIPTION

dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -81,7 +81,7 @@

-

SIMPLE USAGE

+

SIMPLE USAGE

A typical invocation of dig looks like:

@@ -134,7 +134,7 @@

-

OPTIONS

+

OPTIONS

The -b option sets the source IP address of the query to address. This must be a valid @@ -242,7 +242,7 @@

-

QUERY OPTIONS

+

QUERY OPTIONS

dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -384,6 +384,13 @@ clears the remembered EDNS version. EDNS is set to 0 by default.

+
+[no]ednsflags[=#]
+

+ Set the must-be-zero EDNS flags bits (Z bits) to the + specified value. Decimal, hex and octal encodings are + accepted. Setting a named flag (e.g. DO) will silently be + ignored. By default, no Z bits are set. +

+[no]ednsopt[=code[:value]]

Specify EDNS option with code point code @@ -637,7 +644,7 @@

-

MULTIPLE QUERIES

+

MULTIPLE QUERIES

The BIND 9 implementation of dig supports @@ -683,7 +690,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

IDN SUPPORT

+

IDN SUPPORT

If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -697,14 +704,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

FILES

+

FILES

/etc/resolv.conf

${HOME}/.digrc

-

SEE ALSO

+

SEE ALSO

host(1), named(8), dnssec-keygen(8), @@ -712,7 +719,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

BUGS

+

BUGS

There are probably too many query options.

diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c index d3f92c0824..aeded9e427 100644 --- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c @@ -56,6 +56,7 @@ #include #include #include +#include #include #include #include @@ -782,6 +783,7 @@ make_empty_lookup(void) { looknew->servfail_stops = ISC_TRUE; looknew->besteffort = ISC_TRUE; looknew->dnssec = ISC_FALSE; + looknew->ednsflags = 0; looknew->expire = ISC_FALSE; looknew->nsid = ISC_FALSE; #ifdef ISC_PLATFORM_USESIT @@ -876,6 +878,7 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) { looknew->servfail_stops = lookold->servfail_stops; looknew->besteffort = lookold->besteffort; looknew->dnssec = lookold->dnssec; + looknew->ednsflags = lookold->ednsflags; looknew->expire = lookold->expire; looknew->nsid = lookold->nsid; #ifdef ISC_PLATFORM_USESIT @@ -1012,11 +1015,11 @@ setup_text_key(void) { isc_buffer_free(&namebuf); } -isc_result_t -parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max, - const char *desc) { +static isc_result_t +parse_uint_helper(isc_uint32_t *uip, const char *value, isc_uint32_t max, + const char *desc, int base) { isc_uint32_t n; - isc_result_t result = isc_parse_uint32(&n, value, 10); + isc_result_t result = isc_parse_uint32(&n, value, base); if (result == ISC_R_SUCCESS && n > max) result = ISC_R_RANGE; if (result != ISC_R_SUCCESS) { @@ -1028,6 +1031,18 @@ parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max, return (ISC_R_SUCCESS); } +isc_result_t +parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max, + const char *desc) { + return (parse_uint_helper(uip, value, max, desc, 10)); +} + +isc_result_t +parse_xint(isc_uint32_t *uip, const char *value, isc_uint32_t max, + const char *desc) { + return (parse_uint_helper(uip, value, max, desc, 0)); +} + static isc_uint32_t parse_bits(char *arg, const char *desc, isc_uint32_t max) { isc_result_t result; @@ -1549,15 +1564,12 @@ save_opt(dig_lookup_t *lookup, char *code, char *value) { */ static void add_opt(dns_message_t *msg, isc_uint16_t udpsize, isc_uint16_t edns, - isc_boolean_t dnssec, dns_ednsopt_t *ednsopts, size_t count) + unsigned int flags, dns_ednsopt_t *ednsopts, size_t count) { dns_rdataset_t *rdataset = NULL; isc_result_t result; - unsigned int flags = 0; debug("add_opt()"); - if (dnssec) - flags |= DNS_MESSAGEEXTFLAG_DO; result = dns_message_buildopt(msg, &rdataset, edns, udpsize, flags, ednsopts, count); check_result(result, "dns_message_buildopt"); @@ -2451,6 +2463,7 @@ setup_lookup(dig_lookup_t *lookup) { lookup->edns > -1 || lookup->ecs_addr != NULL) { dns_ednsopt_t opts[EDNSOPTS + DNS_EDNSOPTIONS]; + unsigned int flags; int i = 0; if (lookup->udpsize == 0) @@ -2543,8 +2556,12 @@ setup_lookup(dig_lookup_t *lookup) { i += lookup->ednsoptscnt; } + flags = lookup->ednsflags; + flags &= ~DNS_MESSAGEEXTFLAG_DO; + if (lookup->dnssec) + flags |= DNS_MESSAGEEXTFLAG_DO; add_opt(lookup->sendmsg, lookup->udpsize, - lookup->edns, lookup->dnssec, opts, i); + lookup->edns, flags, opts, i); } result = dns_message_rendersection(lookup->sendmsg, @@ -4473,6 +4490,9 @@ chase_scanname_section(dns_message_t *msg, dns_name_t *name, dns_rdataset_t *rdataset; dns_name_t *msg_name = NULL; + if (msg->counts[section] == 0) + return (NULL); + do { dns_message_currentname(msg, section, &msg_name); if (dns_name_compare(msg_name, name) == 0) { @@ -4679,8 +4699,8 @@ get_trusted_key(isc_mem_t *mctx) dns_rdatacallbacks_init_stdio(&callbacks); callbacks.add = insert_trustedkey; return (dns_master_loadfile(filename, dns_rootname, dns_rootname, - current_lookup->rdclass, 0, &callbacks, - mctx)); + current_lookup->rdclass, DNS_MASTER_NOTTL, + &callbacks, mctx)); } @@ -4880,36 +4900,36 @@ child_of_zone(dns_name_t * name, dns_name_t * zone_name, } isc_result_t -grandfather_pb_test(dns_name_t *zone_name, dns_rdataset_t *sigrdataset) -{ - isc_result_t result; - dns_rdata_t sigrdata = DNS_RDATA_INIT; +grandfather_pb_test(dns_name_t *zone_name, dns_rdataset_t *sigrdataset) { dns_rdata_sig_t siginfo; + dns_rdataset_t mysigrdataset; + isc_result_t result; - result = dns_rdataset_first(sigrdataset); + dns_rdataset_init(&mysigrdataset); + dns_rdataset_clone(sigrdataset, &mysigrdataset); + + result = dns_rdataset_first(&mysigrdataset); check_result(result, "empty RRSIG dataset"); - dns_rdata_init(&sigrdata); do { - dns_rdataset_current(sigrdataset, &sigrdata); + dns_rdata_t sigrdata = DNS_RDATA_INIT; + + dns_rdataset_current(&mysigrdataset, &sigrdata); result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL); check_result(result, "sigrdata tostruct siginfo"); if (dns_name_compare(&siginfo.signer, zone_name) == 0) { - dns_rdata_freestruct(&siginfo); - dns_rdata_reset(&sigrdata); - return (ISC_R_SUCCESS); + result = ISC_R_SUCCESS; + goto cleanup; } + } while (dns_rdataset_next(&mysigrdataset) == ISC_R_SUCCESS); - dns_rdata_freestruct(&siginfo); - dns_rdata_reset(&sigrdata); + result = ISC_R_FAILURE; +cleanup: + dns_rdataset_disassociate(&mysigrdataset); - } while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS); - - dns_rdata_reset(&sigrdata); - - return (ISC_R_FAILURE); + return (result); } @@ -4989,26 +5009,30 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, isc_mem_t *mctx) { - isc_result_t result; - dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdataset_t myrdataset; dst_key_t *dnsseckey = NULL; int i; + isc_result_t result; if (name == NULL || rdataset == NULL) return (ISC_R_FAILURE); - result = dns_rdataset_first(rdataset); + dns_rdataset_init(&myrdataset); + dns_rdataset_clone(rdataset, &myrdataset); + + result = dns_rdataset_first(&myrdataset); check_result(result, "empty rdataset"); do { - dns_rdataset_current(rdataset, &rdata); + dns_rdata_t rdata = DNS_RDATA_INIT; + + dns_rdataset_current(&myrdataset, &rdata); INSIST(rdata.type == dns_rdatatype_dnskey); result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &dnsseckey); check_result(result, "dns_dnssec_keyfromrdata"); - for (i = 0; i < tk_list.nb_tk; i++) { if (dst_key_compare(tk_list.key[i], dnsseckey) == ISC_TRUE) { @@ -5017,22 +5041,21 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset, printf(";; Ok, find a Trusted Key in the " "DNSKEY RRset: %d\n", dst_key_id(dnsseckey)); - if (sigchase_verify_sig_key(name, rdataset, - dnsseckey, - sigrdataset, - mctx) - == ISC_R_SUCCESS) { - dst_key_free(&dnsseckey); - dnsseckey = NULL; - return (ISC_R_SUCCESS); - } + result = sigchase_verify_sig_key(name, rdataset, + dnsseckey, + sigrdataset, + mctx); + if (result == ISC_R_SUCCESS) + goto cleanup; } } + dst_key_free(&dnsseckey); + } while (dns_rdataset_next(&myrdataset) == ISC_R_SUCCESS); - dns_rdata_reset(&rdata); - if (dnsseckey != NULL) - dst_key_free(&dnsseckey); - } while (dns_rdataset_next(rdataset) == ISC_R_SUCCESS); +cleanup: + if (dnsseckey != NULL) + dst_key_free(&dnsseckey); + dns_rdataset_disassociate(&myrdataset); return (ISC_R_NOTFOUND); } @@ -5043,16 +5066,20 @@ sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, isc_mem_t *mctx) { - isc_result_t result; - dns_rdata_t keyrdata = DNS_RDATA_INIT; + dns_rdataset_t mykeyrdataset; dst_key_t *dnsseckey = NULL; + isc_result_t result; - result = dns_rdataset_first(keyrdataset); + dns_rdataset_init(&mykeyrdataset); + dns_rdataset_clone(keyrdataset, &mykeyrdataset); + + result = dns_rdataset_first(&mykeyrdataset); check_result(result, "empty DNSKEY dataset"); - dns_rdata_init(&keyrdata); do { - dns_rdataset_current(keyrdataset, &keyrdata); + dns_rdata_t keyrdata = DNS_RDATA_INIT; + + dns_rdataset_current(&mykeyrdataset, &keyrdata); INSIST(keyrdata.type == dns_rdatatype_dnskey); result = dns_dnssec_keyfromrdata(name, &keyrdata, @@ -5061,18 +5088,19 @@ sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset, result = sigchase_verify_sig_key(name, rdataset, dnsseckey, sigrdataset, mctx); - if (result == ISC_R_SUCCESS) { - dns_rdata_reset(&keyrdata); - dst_key_free(&dnsseckey); - return (ISC_R_SUCCESS); - } + if (result == ISC_R_SUCCESS) + goto cleanup; dst_key_free(&dnsseckey); - dns_rdata_reset(&keyrdata); - } while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS); + } while (dns_rdataset_next(&mykeyrdataset) == ISC_R_SUCCESS); - dns_rdata_reset(&keyrdata); + result = ISC_R_NOTFOUND; - return (ISC_R_NOTFOUND); + cleanup: + if (dnsseckey != NULL) + dst_key_free(&dnsseckey); + dns_rdataset_disassociate(&mykeyrdataset); + + return (result); } isc_result_t @@ -5080,16 +5108,23 @@ sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset, dst_key_t *dnsseckey, dns_rdataset_t *sigrdataset, isc_mem_t *mctx) { - isc_result_t result; - dns_rdata_t sigrdata = DNS_RDATA_INIT; dns_rdata_sig_t siginfo; + dns_rdataset_t myrdataset; + dns_rdataset_t mysigrdataset; + isc_result_t result; - result = dns_rdataset_first(sigrdataset); + dns_rdataset_init(&myrdataset); + dns_rdataset_clone(rdataset, &myrdataset); + dns_rdataset_init(&mysigrdataset); + dns_rdataset_clone(sigrdataset, &mysigrdataset); + + result = dns_rdataset_first(&mysigrdataset); check_result(result, "empty RRSIG dataset"); - dns_rdata_init(&sigrdata); do { - dns_rdataset_current(sigrdataset, &sigrdata); + dns_rdata_t sigrdata = DNS_RDATA_INIT; + + dns_rdataset_current(&mysigrdataset, &sigrdata); result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL); check_result(result, "sigrdata tostruct siginfo"); @@ -5100,10 +5135,10 @@ sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset, */ if (siginfo.keyid == dst_key_id(dnsseckey)) { - result = dns_rdataset_first(rdataset); + result = dns_rdataset_first(&myrdataset); check_result(result, "empty DS dataset"); - result = dns_dnssec_verify(name, rdataset, dnsseckey, + result = dns_dnssec_verify(name, &myrdataset, dnsseckey, ISC_FALSE, mctx, &sigrdata); printf(";; VERIFYING "); @@ -5113,19 +5148,18 @@ sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset, printf(" with DNSKEY:%d: %s\n", dst_key_id(dnsseckey), isc_result_totext(result)); - if (result == ISC_R_SUCCESS) { - dns_rdata_reset(&sigrdata); - return (result); - } + if (result == ISC_R_SUCCESS) + goto cleanup; } - dns_rdata_freestruct(&siginfo); - dns_rdata_reset(&sigrdata); + } while (dns_rdataset_next(&mysigrdataset) == ISC_R_SUCCESS); - } while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS); + result = ISC_R_NOTFOUND; - dns_rdata_reset(&sigrdata); + cleanup: + dns_rdataset_disassociate(&myrdataset); + dns_rdataset_disassociate(&mysigrdataset); - return (ISC_R_NOTFOUND); + return (result); } @@ -5133,27 +5167,35 @@ isc_result_t sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, dns_rdataset_t *dsrdataset, isc_mem_t *mctx) { - isc_result_t result; - dns_rdata_t keyrdata = DNS_RDATA_INIT; - dns_rdata_t newdsrdata = DNS_RDATA_INIT; - dns_rdata_t dsrdata = DNS_RDATA_INIT; dns_rdata_ds_t dsinfo; + dns_rdataset_t mydsrdataset; + dns_rdataset_t mykeyrdataset; dst_key_t *dnsseckey = NULL; + isc_result_t result; unsigned char dsbuf[DNS_DS_BUFFERSIZE]; - result = dns_rdataset_first(dsrdataset); + dns_rdataset_init(&mydsrdataset); + dns_rdataset_clone(dsrdataset, &mydsrdataset); + dns_rdataset_init(&mykeyrdataset); + dns_rdataset_clone(keyrdataset, &mykeyrdataset); + + result = dns_rdataset_first(&mydsrdataset); check_result(result, "empty DSset dataset"); do { - dns_rdataset_current(dsrdataset, &dsrdata); + dns_rdata_t dsrdata = DNS_RDATA_INIT; + + dns_rdataset_current(&mydsrdataset, &dsrdata); result = dns_rdata_tostruct(&dsrdata, &dsinfo, NULL); check_result(result, "dns_rdata_tostruct for DS"); - result = dns_rdataset_first(keyrdataset); + result = dns_rdataset_first(&mykeyrdataset); check_result(result, "empty KEY dataset"); do { - dns_rdataset_current(keyrdataset, &keyrdata); + dns_rdata_t keyrdata = DNS_RDATA_INIT; + + dns_rdataset_current(&mykeyrdataset, &keyrdata); INSIST(keyrdata.type == dns_rdatatype_dnskey); result = dns_dnssec_keyfromrdata(name, &keyrdata, @@ -5165,6 +5207,7 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, * id of DNSKEY referenced by the DS */ if (dsinfo.key_tag == dst_key_id(dnsseckey)) { + dns_rdata_t newdsrdata = DNS_RDATA_INIT; result = dns_ds_buildrdata(name, &keyrdata, dsinfo.digest_type, @@ -5172,14 +5215,9 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, dns_rdata_freestruct(&dsinfo); if (result != ISC_R_SUCCESS) { - dns_rdata_reset(&keyrdata); - dns_rdata_reset(&newdsrdata); - dns_rdata_reset(&dsrdata); - dst_key_free(&dnsseckey); - dns_rdata_freestruct(&dsinfo); printf("Oops: impossible to build" " new DS rdata\n"); - return (result); + goto cleanup; } @@ -5196,34 +5234,26 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, dnsseckey, chase_sigkeyrdataset, mctx); - if (result == ISC_R_SUCCESS) { - dns_rdata_reset(&keyrdata); - dns_rdata_reset(&newdsrdata); - dns_rdata_reset(&dsrdata); - dst_key_free(&dnsseckey); - - return (result); - } + if (result == ISC_R_SUCCESS) + goto cleanup; } else { printf(";; This DS is NOT the DS for" " the chasing KEY: FAILED\n"); } - - dns_rdata_reset(&newdsrdata); } dst_key_free(&dnsseckey); - dns_rdata_reset(&keyrdata); - dnsseckey = NULL; - } while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS); - dns_rdata_reset(&dsrdata); + } while (dns_rdataset_next(&mykeyrdataset) == ISC_R_SUCCESS); + } while (dns_rdataset_next(&mydsrdataset) == ISC_R_SUCCESS); - } while (dns_rdataset_next(chase_dsrdataset) == ISC_R_SUCCESS); + result = ISC_R_NOTFOUND; - dns_rdata_reset(&keyrdata); - dns_rdata_reset(&newdsrdata); - dns_rdata_reset(&dsrdata); + cleanup: + if (dnsseckey != NULL) + dst_key_free(&dnsseckey); + dns_rdataset_disassociate(&mydsrdataset); + dns_rdataset_disassociate(&mykeyrdataset); - return (ISC_R_NOTFOUND); + return (result); } /* @@ -5271,6 +5301,20 @@ sigchase_td(dns_message_t *msg) isc_boolean_t have_answer = ISC_FALSE; isc_boolean_t true = ISC_TRUE; + if (msg->rcode != dns_rcode_noerror && + msg->rcode != dns_rcode_nxdomain) { + char buf[20]; + isc_buffer_t b; + + isc_buffer_init(&b, buf, sizeof(buf)); + result = dns_rcode_totext(msg->rcode, &b); + check_result(result, "dns_rcode_totext failed"); + printf("error response code %.*s\n", + (int)isc_buffer_usedlength(&b), buf); + error_message = msg; + return; + } + if ((result = dns_message_firstname(msg, DNS_SECTION_ANSWER)) == ISC_R_SUCCESS) { dns_message_currentname(msg, DNS_SECTION_ANSWER, &name); @@ -5283,10 +5327,13 @@ sigchase_td(dns_message_t *msg) if (!current_lookup->trace_root_sigchase) { result = dns_message_firstname(msg, DNS_SECTION_AUTHORITY); - if (result == ISC_R_SUCCESS) - dns_message_currentname(msg, - DNS_SECTION_AUTHORITY, - &name); + if (result != ISC_R_SUCCESS) { + printf("no answer or authority section\n"); + error_message = msg; + return; + } + dns_message_currentname(msg, DNS_SECTION_AUTHORITY, + &name); chase_nsrdataset = chase_scanname_section(msg, name, dns_rdatatype_ns, @@ -5296,7 +5343,7 @@ sigchase_td(dns_message_t *msg) if (chase_nsrdataset != NULL) { have_delegation_ns = ISC_TRUE; printf("no response but there is a delegation" - " in authority section:"); + " in authority section: "); dns_name_print(name, stdout); printf("\n"); } else { @@ -5706,7 +5753,7 @@ getneededrr(dns_message_t *msg) dns_rdatatype_dnskey, &chase_sigkeylookedup); if (result == ISC_R_FAILURE) { - printf("\n;; RRSIG for DNSKEY is missing to continue" + printf("\n;; RRSIG for DNSKEY is missing to continue" " validation : FAILED\n\n"); free_name(&chase_signame, mctx); if (dns_name_dynamic(&chase_name)) @@ -5726,9 +5773,8 @@ getneededrr(dns_message_t *msg) if (chase_dsrdataset == NULL) { result = advanced_rrsearch(&chase_dsrdataset, &chase_signame, - dns_rdatatype_ds, - dns_rdatatype_any, - &chase_dslookedup); + dns_rdatatype_ds, dns_rdatatype_any, + &chase_dslookedup); if (result == ISC_R_FAILURE) { printf("\n;; WARNING There is no DS for the zone: "); dns_name_print(&chase_signame, stdout); @@ -6016,7 +6062,6 @@ prove_nx_domain(dns_message_t *msg, result = dns_rdataset_next(nsecset)) { dns_rdataset_current(nsecset, &nsec); - signsecset = chase_scanname_section(msg, nsecname, dns_rdatatype_rrsig, diff --git a/bin/dig/host.html b/bin/dig/host.html index 2103aae977..3a886fab72 100644 --- a/bin/dig/host.html +++ b/bin/dig/host.html @@ -32,7 +32,7 @@

host [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] [-v] [-V] {name} [server]

-

DESCRIPTION

+

DESCRIPTION

host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. @@ -196,7 +196,7 @@

-

IDN SUPPORT

+

IDN SUPPORT

If host has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -210,12 +210,12 @@

-

FILES

+

FILES

/etc/resolv.conf

-

SEE ALSO

+

SEE ALSO

dig(1), named(8).

diff --git a/bin/dig/include/dig/dig.h b/bin/dig/include/dig/dig.h index ba99428bf5..97e1e7b00c 100644 --- a/bin/dig/include/dig/dig.h +++ b/bin/dig/include/dig/dig.h @@ -196,6 +196,7 @@ isc_boolean_t sigchase; dns_ednsopt_t *ednsopts; unsigned int ednsoptscnt; isc_dscp_t dscp; + unsigned int ednsflags; }; /*% The dig_query structure */ @@ -351,6 +352,10 @@ isc_result_t parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max, const char *desc); +isc_result_t +parse_xint(isc_uint32_t *uip, const char *value, isc_uint32_t max, + const char *desc); + isc_result_t parse_netprefix(isc_sockaddr_t **sap, const char *value); diff --git a/bin/dig/nslookup.html b/bin/dig/nslookup.html index 39920df333..96777b3106 100644 --- a/bin/dig/nslookup.html +++ b/bin/dig/nslookup.html @@ -21,7 +21,7 @@
-
+

Name

nslookup — query Internet name servers interactively

@@ -31,7 +31,7 @@

nslookup [-option] [name | -] [server]

-

DESCRIPTION

+

DESCRIPTION

Nslookup is a program to query Internet domain name servers. Nslookup has two modes: interactive and non-interactive. Interactive mode allows @@ -43,7 +43,7 @@

-

ARGUMENTS

+

ARGUMENTS

Interactive mode is entered in the following cases:

@@ -83,7 +83,7 @@ nslookup -query=hinfo -timeout=10

-

INTERACTIVE COMMANDS

+

INTERACTIVE COMMANDS

host [server]
@@ -299,19 +299,19 @@ nslookup -query=hinfo -timeout=10
-

FILES

+

FILES

/etc/resolv.conf

-

SEE ALSO

+

SEE ALSO

dig(1), host(1), named(8).

-

Author

+

Author

Andrew Cherenson

diff --git a/bin/dnssec/dnssec-dsfromkey.html b/bin/dnssec/dnssec-dsfromkey.html index 26bdaa46ce..3f27b49e5b 100644 --- a/bin/dnssec/dnssec-dsfromkey.html +++ b/bin/dnssec/dnssec-dsfromkey.html @@ -33,14 +33,14 @@

dnssec-dsfromkey [-h] [-V]

-

DESCRIPTION

+

DESCRIPTION

dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).

-

OPTIONS

+

OPTIONS

-1

@@ -125,7 +125,7 @@

-

EXAMPLE

+

EXAMPLE

To build the SHA-256 DS RR from the Kexample.com.+003+26160 @@ -140,7 +140,7 @@

-

FILES

+

FILES

The keyfile can be designed by the key identification Knnnn.+aaa+iiiii or the full file name @@ -154,13 +154,13 @@

-

CAVEAT

+

CAVEAT

A keyfile error can give a "file not found" even if the file exists.

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -170,7 +170,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/dnssec/dnssec-importkey.html b/bin/dnssec/dnssec-importkey.html index 2fd402eff1..90f13f295b 100644 --- a/bin/dnssec/dnssec-importkey.html +++ b/bin/dnssec/dnssec-importkey.html @@ -33,7 +33,7 @@

dnssec-importkey {-f filename} [-K directory] [-L ttl] [-P date/offset] [-D date/offset] [-h] [-v level] [-V] [dnsname]

-

DESCRIPTION

+

DESCRIPTION

dnssec-importkey reads a public DNSKEY record and generates a pair of .key/.private files. The DNSKEY record may be read from an @@ -53,7 +53,7 @@

-

OPTIONS

+

OPTIONS

-f filename
@@ -96,7 +96,7 @@
-

TIMING OPTIONS

+

TIMING OPTIONS

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -124,7 +124,7 @@

-

FILES

+

FILES

A keyfile can be designed by the key identification Knnnn.+aaa+iiiii or the full file name @@ -133,7 +133,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -141,7 +141,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/dnssec/dnssec-keyfromlabel.html b/bin/dnssec/dnssec-keyfromlabel.html index 036bf863ff..ec99942033 100644 --- a/bin/dnssec/dnssec-keyfromlabel.html +++ b/bin/dnssec/dnssec-keyfromlabel.html @@ -31,7 +31,7 @@

dnssec-keyfromlabel {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-i interval] [-k] [-K directory] [-L ttl] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-S key] [-t type] [-v level] [-V] [-y] {name}

-

DESCRIPTION

+

DESCRIPTION

dnssec-keyfromlabel generates a key pair of files that referencing a key object stored in a cryptographic hardware service module (HSM). The private key @@ -47,7 +47,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm
@@ -224,7 +224,7 @@
-

TIMING OPTIONS

+

TIMING OPTIONS

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -296,7 +296,7 @@

-

GENERATED KEY FILES

+

GENERATED KEY FILES

When dnssec-keyfromlabel completes successfully, @@ -335,7 +335,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -344,7 +344,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index a46d38218b..167dc45f5d 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -552,6 +552,9 @@ main(int argc, char **argv) { options |= DST_TYPE_KEY; } + if (!dst_algorithm_supported(alg)) + fatal("unsupported algorithm: %d", alg); + if (use_nsec3 && alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 && alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512 && @@ -719,8 +722,13 @@ main(int argc, char **argv) { fatal("invalid DSS key size: %d", size); break; case DST_ALG_ECCGOST: + size = 256; + break; case DST_ALG_ECDSA256: + size = 256; + break; case DST_ALG_ECDSA384: + size = 384; break; case DST_ALG_HMACMD5: options |= DST_TYPE_KEY; diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html index a3c5cbcee5..7c18487d18 100644 --- a/bin/dnssec/dnssec-keygen.html +++ b/bin/dnssec/dnssec-keygen.html @@ -32,7 +32,7 @@

dnssec-keygen [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-i interval] [-K directory] [-L ttl] [-k] [-P date/offset] [-p protocol] [-q] [-R date/offset] [-r randomdev] [-S key] [-s strength] [-t type] [-v level] [-V] [-z] {name}

-

DESCRIPTION

+

DESCRIPTION

dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -46,7 +46,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm
@@ -267,7 +267,7 @@
-

TIMING OPTIONS

+

TIMING OPTIONS

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -341,7 +341,7 @@

-

GENERATED KEYS

+

GENERATED KEYS

When dnssec-keygen completes successfully, @@ -387,7 +387,7 @@

-

EXAMPLE

+

EXAMPLE

To generate a 768-bit DSA key for the domain example.com, the following command would be @@ -408,7 +408,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, @@ -417,7 +417,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/dnssec/dnssec-revoke.html b/bin/dnssec/dnssec-revoke.html index 7e1c3faa60..54c01f0aea 100644 --- a/bin/dnssec/dnssec-revoke.html +++ b/bin/dnssec/dnssec-revoke.html @@ -31,7 +31,7 @@

dnssec-revoke [-hr] [-v level] [-V] [-K directory] [-E engine] [-f] [-R] {keyfile}

-

DESCRIPTION

+

DESCRIPTION

dnssec-revoke reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the @@ -39,7 +39,7 @@

-

OPTIONS

+

OPTIONS

-h

@@ -90,14 +90,14 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 5011.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/dnssec/dnssec-settime.html b/bin/dnssec/dnssec-settime.html index 533a9c2001..b8b7279c81 100644 --- a/bin/dnssec/dnssec-settime.html +++ b/bin/dnssec/dnssec-settime.html @@ -31,7 +31,7 @@

dnssec-settime [-f] [-K directory] [-L ttl] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-V] [-v level] [-E engine] {keyfile}

-

DESCRIPTION

+

DESCRIPTION

dnssec-settime reads a DNSSEC private key file and sets the key timing metadata as specified by the -P, -A, @@ -57,7 +57,7 @@

-

OPTIONS

+

OPTIONS

-f

@@ -112,7 +112,7 @@

-

TIMING OPTIONS

+

TIMING OPTIONS

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -191,7 +191,7 @@

-

PRINTING OPTIONS

+

PRINTING OPTIONS

dnssec-settime can also be used to print the timing metadata associated with a key. @@ -217,7 +217,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -225,7 +225,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html index 19831c172f..87e7eec97d 100644 --- a/bin/dnssec/dnssec-signzone.html +++ b/bin/dnssec/dnssec-signzone.html @@ -32,7 +32,7 @@

dnssec-signzone [-a] [-c class] [-d directory] [-D] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-L serial] [-l domain] [-M domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-P] [-p] [-Q] [-R] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-V] [-X extended end-time] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]

-

DESCRIPTION

+

DESCRIPTION

dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -43,7 +43,7 @@

-

OPTIONS

+

OPTIONS

-a

@@ -494,7 +494,7 @@

-

EXAMPLE

+

EXAMPLE

The following command signs the example.com zone with the DSA key generated by dnssec-keygen @@ -524,14 +524,14 @@ db.example.com.signed %

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 4033, RFC 4641.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/dnssec/dnssec-verify.html b/bin/dnssec/dnssec-verify.html index 67727379ac..9988b05567 100644 --- a/bin/dnssec/dnssec-verify.html +++ b/bin/dnssec/dnssec-verify.html @@ -31,7 +31,7 @@

dnssec-verify [-c class] [-E engine] [-I input-format] [-o origin] [-v level] [-V] [-x] [-z] {zonefile}

-

DESCRIPTION

+

DESCRIPTION

dnssec-verify verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 @@ -39,7 +39,7 @@

-

OPTIONS

+

OPTIONS

-c class

@@ -119,7 +119,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -127,7 +127,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/named/client.c b/bin/named/client.c index 68d14a942d..af03bec1cc 100644 --- a/bin/named/client.c +++ b/bin/named/client.c @@ -15,8 +15,6 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: client.c,v 1.286 2012/01/31 23:47:30 tbox Exp $ */ - #include #include @@ -40,8 +38,10 @@ #include #endif +#include #include #include +#include #include #include #include @@ -122,6 +122,7 @@ #endif #define SIT_SIZE 24U /* 8 + 4 + 4 + 8 */ +#define ECS_SIZE 20U /* 2 + 1 + 1 + [0..16] */ /*% nameserver client manager structure */ struct ns_clientmgr { @@ -244,7 +245,8 @@ static void ns_client_dumpmessage(ns_client_t *client, const char *reason); static isc_result_t get_client(ns_clientmgr_t *manager, ns_interface_t *ifp, dns_dispatch_t *disp, isc_boolean_t tcp); static inline isc_boolean_t -allowed(isc_netaddr_t *addr, dns_name_t *signer, dns_acl_t *acl); +allowed(isc_netaddr_t *addr, dns_name_t *signer, isc_netaddr_t *ecs_addr, + isc_uint8_t ecs_addrlen, isc_uint8_t *ecs_scope, dns_acl_t *acl); #ifdef ISC_PLATFORM_USESIT static void compute_sit(ns_client_t *client, isc_uint32_t when, isc_uint32_t nonce, isc_buffer_t *buf); @@ -1042,7 +1044,8 @@ client_send(ns_client_t *client) { if (client->message->tsigkey != NULL) name = &client->message->tsigkey->name; if (client->view->nocasecompress == NULL || - !allowed(&netaddr, name, client->view->nocasecompress)) + !allowed(&netaddr, name, NULL, 0, NULL, + client->view->nocasecompress)) { dns_compress_setsensitive(&cctx, ISC_TRUE); } @@ -1348,16 +1351,16 @@ ns_client_error(ns_client_t *client, isc_result_t result) { } message->rcode = rcode; - /* - * FORMERR loop avoidance: If we sent a FORMERR message - * with the same ID to the same client less than two - * seconds ago, assume that we are in an infinite error - * packet dialog with a server for some protocol whose - * error responses look enough like DNS queries to - * elicit a FORMERR response. Drop a packet to break - * the loop. - */ if (rcode == dns_rcode_formerr) { + /* + * FORMERR loop avoidance: If we sent a FORMERR message + * with the same ID to the same client less than two + * seconds ago, assume that we are in an infinite error + * packet dialog with a server for some protocol whose + * error responses look enough like DNS queries to + * elicit a FORMERR response. Drop a packet to break + * the loop. + */ if (isc_sockaddr_equal(&client->peeraddr, &client->formerrcache.addr) && message->id == client->formerrcache.id && @@ -1373,6 +1376,27 @@ ns_client_error(ns_client_t *client, isc_result_t result) { client->formerrcache.addr = client->peeraddr; client->formerrcache.time = client->requesttime; client->formerrcache.id = message->id; + } else if (rcode == dns_rcode_servfail && client->query.qname != NULL && + client->view != NULL && client->view->fail_ttl != 0 && + ((client->attributes & NS_CLIENTATTR_NOSETFC) == 0)) + { + /* + * SERVFAIL caching: store qname/qtype of failed queries + */ + isc_time_t expire; + isc_interval_t i; + isc_uint32_t flags = 0; + + if ((message->flags & DNS_MESSAGEFLAG_CD) != 0) + flags = NS_FAILCACHE_CD; + + isc_interval_set(&i, client->view->fail_ttl, 0); + result = isc_time_nowplusinterval(&expire, &i); + if (result == ISC_R_SUCCESS) + dns_badcache_add(client->view->failcache, + client->query.qname, + client->query.qtype, + ISC_TRUE, flags, &expire); } ns_client_send(client); } @@ -1381,6 +1405,7 @@ isc_result_t ns_client_addopt(ns_client_t *client, dns_message_t *message, dns_rdataset_t **opt) { + unsigned char ecs[ECS_SIZE]; char nsid[BUFSIZ], *nsidp; #ifdef ISC_PLATFORM_USESIT unsigned char sit[SIT_SIZE]; @@ -1459,6 +1484,38 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, ednsopts[count].value = expire; count++; } + if (((client->attributes & NS_CLIENTATTR_HAVEECS) != 0) && + (client->ecs_addr.family == AF_INET || + client->ecs_addr.family == AF_INET6)) + { + int i, addrbytes = (client->ecs_addrlen + 7) / 8; + isc_uint8_t *paddr; + isc_buffer_t buf; + + /* Add client subnet option. */ + isc_buffer_init(&buf, ecs, sizeof(ecs)); + if (client->ecs_addr.family == AF_INET) + isc_buffer_putuint16(&buf, 1); + else + isc_buffer_putuint16(&buf, 2); + isc_buffer_putuint8(&buf, client->ecs_addrlen); + isc_buffer_putuint8(&buf, client->ecs_scope); + + paddr = (isc_uint8_t *) &client->ecs_addr.type; + for (i = 0; i < addrbytes; i++) { + unsigned char uc; + uc = paddr[i]; + if (i == addrbytes - 1 && + ((client->ecs_addrlen % 8) != 0)) + uc &= (1U << (8 - (client->ecs_addrlen % 8))); + isc_buffer_putuint8(&buf, uc); + } + + ednsopts[count].code = DNS_OPT_CLIENT_SUBNET; + ednsopts[count].length = addrbytes + 4; + ednsopts[count].value = ecs; + count++; + } result = dns_message_buildopt(message, opt, 0, udpsize, flags, ednsopts, count); @@ -1466,14 +1523,17 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, } static inline isc_boolean_t -allowed(isc_netaddr_t *addr, dns_name_t *signer, dns_acl_t *acl) { +allowed(isc_netaddr_t *addr, dns_name_t *signer, + isc_netaddr_t *ecs_addr, isc_uint8_t ecs_addrlen, + isc_uint8_t *ecs_scope, dns_acl_t *acl) +{ int match; isc_result_t result; if (acl == NULL) return (ISC_TRUE); - result = dns_acl_match(addr, signer, acl, &ns_g_server->aclenv, - &match, NULL); + result = dns_acl_match2(addr, signer, ecs_addr, ecs_addrlen, ecs_scope, + acl, &ns_g_server->aclenv, &match, NULL); if (result == ISC_R_SUCCESS && match > 0) return (ISC_TRUE); return (ISC_FALSE); @@ -1536,8 +1596,10 @@ ns_client_isself(dns_view_t *myview, dns_tsigkey_t *mykey, tsig = dns_tsigkey_identity(mykey); } - if (allowed(&netsrc, tsig, view->matchclients) && - allowed(&netdst, tsig, view->matchdestinations)) + if (allowed(&netsrc, tsig, NULL, 0, NULL, + view->matchclients) && + allowed(&netdst, tsig, NULL, 0, NULL, + view->matchdestinations)) break; } return (ISC_TF(view == myview)); @@ -1718,6 +1780,81 @@ process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) { } #endif +static isc_result_t +process_ecs(ns_client_t *client, isc_buffer_t *buf, size_t optlen) { + isc_uint16_t family; + isc_uint8_t addrlen, addrbytes, scope, *paddr; + isc_netaddr_t caddr; + int i; + + if (optlen < 4U) { + ns_client_log(client, NS_LOGCATEGORY_CLIENT, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2), + "EDNS client subnet option too short"); + return (DNS_R_FORMERR); + } + + family = isc_buffer_getuint16(buf); + addrlen = isc_buffer_getuint8(buf); + scope = isc_buffer_getuint8(buf); + optlen -= 4; + + if (scope != 0U) { + ns_client_log(client, NS_LOGCATEGORY_CLIENT, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2), + "EDNS client subnet option: invalid scope"); + return (DNS_R_FORMERR); + } + + memset(&caddr, 0, sizeof(caddr)); + switch (family) { + case 1: + if (addrlen > 32U) + goto invalid_length; + caddr.family = AF_INET; + break; + case 2: + if (addrlen > 128U) { + invalid_length: + ns_client_log(client, NS_LOGCATEGORY_CLIENT, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2), + "EDNS client subnet option: invalid " + "address length (%u) for %s", + addrlen, family == 1 ? "IPv4" : "IPv6"); + return (DNS_R_FORMERR); + } + caddr.family = AF_INET6; + break; + default: + ns_client_log(client, NS_LOGCATEGORY_CLIENT, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2), + "EDNS client subnet option: invalid family"); + return (DNS_R_FORMERR); + } + + addrbytes = (addrlen + 7) / 8; + if (isc_buffer_remaininglength(buf) < addrbytes) { + ns_client_log(client, NS_LOGCATEGORY_CLIENT, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2), + "EDNS client subnet option: address too short"); + return (DNS_R_FORMERR); + } + + paddr = (isc_uint8_t *) &caddr.type; + for (i = 0; i < addrbytes; i++) { + paddr[i] = isc_buffer_getuint8(buf); + optlen--; + } + + memmove(&client->ecs_addr, &caddr, sizeof(caddr)); + client->ecs_addrlen = addrlen; + client->ecs_scope = 0; + client->attributes |= NS_CLIENTATTR_HAVEECS; + + isc_buffer_forward(buf, optlen); + return (ISC_R_SUCCESS); +} + static isc_result_t process_opt(ns_client_t *client, dns_rdataset_t *opt) { dns_rdata_t rdata; @@ -1749,7 +1886,7 @@ process_opt(ns_client_t *client, dns_rdataset_t *opt) { * XXXRTH need library support for this! */ client->ednsversion = (opt->ttl & 0x00FF0000) >> 16; - if (client->ednsversion > 0) { + if (client->ednsversion > DNS_EDNS_VERSION) { isc_stats_increment(ns_g_server->nsstats, dns_nsstatscounter_badednsver); result = ns_client_addopt(client, client->message, @@ -1788,6 +1925,15 @@ process_opt(ns_client_t *client, dns_rdataset_t *opt) { client->attributes |= NS_CLIENTATTR_WANTEXPIRE; isc_buffer_forward(&optbuf, optlen); break; + case DNS_OPT_CLIENT_SUBNET: + result = process_ecs(client, &optbuf, optlen); + if (result != ISC_R_SUCCESS) { + ns_client_error(client, result); + goto cleanup; + } + isc_stats_increment(ns_g_server->nsstats, + dns_nsstatscounter_ecsopt); + break; default: isc_stats_increment(ns_g_server->nsstats, dns_nsstatscounter_otheropt); @@ -1884,6 +2030,7 @@ client_request(isc_task_t *task, isc_event_t *event) { isc_task_getcurrenttime(task, &client->requesttime); client->now = client->requesttime; + isc_time_set(&client->tnow, client->now, 0); if (result != ISC_R_SUCCESS) { if (TCP_CLIENT(client)) { @@ -1925,7 +2072,6 @@ client_request(isc_task_t *task, isc_event_t *event) { * client_newconn. */ if (!TCP_CLIENT(client)) { - if (ns_g_server->blackholeacl != NULL && dns_acl_match(&netaddr, NULL, ns_g_server->blackholeacl, &ns_g_server->aclenv, @@ -2033,6 +2179,10 @@ client_request(isc_task_t *task, isc_event_t *event) { opt = NULL; else opt = dns_message_getopt(client->message); + + client->ecs_addrlen = 0; + client->ecs_scope = 0; + if (opt != NULL) { /* * Are we dropping all EDNS queries? @@ -2117,17 +2267,29 @@ client_request(isc_task_t *task, isc_event_t *event) { client->message->rdclass == dns_rdataclass_any) { dns_name_t *tsig = NULL; + isc_netaddr_t *addr = NULL; + isc_uint8_t *scope = NULL; sigresult = dns_message_rechecksig(client->message, view); - if (sigresult == ISC_R_SUCCESS) - tsig = dns_tsigkey_identity(client->message->tsigkey); + if (sigresult == ISC_R_SUCCESS) { + dns_tsigkey_t *tsigkey; - if (allowed(&netaddr, tsig, view->matchclients) && - allowed(&client->destaddr, tsig, - view->matchdestinations) && - !((client->message->flags & DNS_MESSAGEFLAG_RD) - == 0 && view->matchrecursiveonly)) + tsigkey = client->message->tsigkey; + tsig = dns_tsigkey_identity(tsigkey); + } + + if ((client->attributes & NS_CLIENTATTR_HAVEECS) != 0) { + addr = &client->ecs_addr; + scope = &client->ecs_scope; + } + + if (allowed(&netaddr, tsig, addr, client->ecs_addrlen, + scope, view->matchclients) && + allowed(&client->destaddr, tsig, NULL, + 0, NULL, view->matchdestinations) && + !(view->matchrecursiveonly && + (client->message->flags & DNS_MESSAGEFLAG_RD) == 0)) { dns_view_attach(view, &client->view); break; @@ -2519,6 +2681,8 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) { client->recursionquota = NULL; client->interface = NULL; client->peeraddr_valid = ISC_FALSE; + client->ecs_addrlen = 0; + client->ecs_scope = 0; #ifdef ALLOW_FILTER_AAAA client->filter_aaaa = dns_aaaa_ok; #endif @@ -3055,6 +3219,8 @@ ns_client_checkaclsilent(ns_client_t *client, isc_netaddr_t *netaddr, { isc_result_t result; isc_netaddr_t tmpnetaddr; + isc_netaddr_t *ecs_addr = NULL; + isc_uint8_t ecs_addrlen = 0; int match; if (acl == NULL) { @@ -3069,11 +3235,18 @@ ns_client_checkaclsilent(ns_client_t *client, isc_netaddr_t *netaddr, netaddr = &tmpnetaddr; } - result = dns_acl_match(netaddr, client->signer, acl, - &ns_g_server->aclenv, &match, NULL); + if ((client->attributes & NS_CLIENTATTR_HAVEECS) != 0) { + ecs_addr = &client->ecs_addr; + ecs_addrlen = client->ecs_addrlen; + } + + result = dns_acl_match2(netaddr, client->signer, + ecs_addr, ecs_addrlen, NULL, acl, + &ns_g_server->aclenv, &match, NULL); if (result != ISC_R_SUCCESS) goto deny; /* Internal error, already logged. */ + if (match > 0) goto allow; goto deny; /* Negative match or no match. */ diff --git a/bin/named/config.c b/bin/named/config.c index f7647e76f7..dbc156aba8 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -81,6 +81,7 @@ options {\n\ # named-xfer ;\n\ nta-lifetime 3600;\n\ nta-recheck 300;\n\ + notify-rate 20;\n\ # pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or /lwresd.pid */\n\ port 53;\n\ prefetch 2 9;\n\ @@ -99,6 +100,7 @@ options {\n\ serial-queries 20;\n\ serial-query-rate 20;\n\ server-id none;\n\ + startup-notify-rate 20;\n\ statistics-file \"named.stats\";\n\ statistics-interval 60;\n\ tcp-clients 100;\n\ @@ -155,6 +157,7 @@ options {\n\ cleaning-interval 0; /* now meaningless */\n\ min-roots 2;\n\ lame-ttl 600;\n\ + servfail-ttl 10;\n\ max-ncache-ttl 10800; /* 3 hours */\n\ max-cache-ttl 604800; /* 1 week */\n\ transfer-format many-answers;\n\ @@ -177,6 +180,11 @@ options {\n\ nsec3-test-zone no;\n\ allow-new-zones no;\n\ " +#ifdef HAVE_GEOIP +"\ + geoip-use-ecs yes;\n\ +" +#endif #ifdef ALLOW_FILTER_AAAA " filter-aaaa-on-v4 no;\n\ filter-aaaa-on-v6 no;\n\ diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h index c0c3171dc3..591736a09c 100644 --- a/bin/named/include/named/client.h +++ b/bin/named/include/named/client.h @@ -131,15 +131,22 @@ struct ns_client { ns_query_t query; isc_stdtime_t requesttime; isc_stdtime_t now; + isc_time_t tnow; dns_name_t signername; /*%< [T]SIG key name */ dns_name_t * signer; /*%< NULL if not valid sig */ isc_boolean_t mortal; /*%< Die after handling request */ isc_quota_t *tcpquota; isc_quota_t *recursionquota; ns_interface_t *interface; + isc_sockaddr_t peeraddr; isc_boolean_t peeraddr_valid; isc_netaddr_t destaddr; + + isc_netaddr_t ecs_addr; /*%< EDNS client subnet */ + isc_uint8_t ecs_addrlen; + isc_uint8_t ecs_scope; + struct in6_pktinfo pktinfo; isc_dscp_t dscp; isc_event_t ctlevent; @@ -187,6 +194,17 @@ typedef ISC_LIST(ns_client_t) client_list_t; #define NS_CLIENTATTR_WANTEXPIRE 0x0800 /*%< return seconds to expire */ #define NS_CLIENTATTR_HAVEEXPIRE 0x1000 /*%< return seconds to expire */ #define NS_CLIENTATTR_WANTOPT 0x2000 /*%< add opt to reply */ +#define NS_CLIENTATTR_HAVEECS 0x4000 /*%< sent an ECS option */ + +#define NS_CLIENTATTR_NOSETFC 0x4000 /*%< don't set servfail cache */ + +/* + * Flag to use with the SERVFAIL cache to indicate + * that a query had the CD bit set. + */ +#define NS_FAILCACHE_CD 0x01 + + extern unsigned int ns_client_requests; diff --git a/bin/named/include/named/query.h b/bin/named/include/named/query.h index c71c8de9b2..ff2a61073e 100644 --- a/bin/named/include/named/query.h +++ b/bin/named/include/named/query.h @@ -48,6 +48,7 @@ struct ns_query { isc_boolean_t timerset; dns_name_t * qname; dns_name_t * origqname; + dns_rdatatype_t qtype; unsigned int dboptions; unsigned int fetchoptions; dns_db_t * gluedb; @@ -88,7 +89,6 @@ struct ns_query { #define NS_QUERYATTR_DNS64EXCLUDE 0x8000 #define NS_QUERYATTR_RRL_CHECKED 0x10000 - isc_result_t ns_query_init(ns_client_t *client); diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h index e1d1db275b..0b241b7471 100644 --- a/bin/named/include/named/server.h +++ b/bin/named/include/named/server.h @@ -182,18 +182,19 @@ enum { dns_nsstatscounter_nsidopt = 43, dns_nsstatscounter_expireopt = 44, dns_nsstatscounter_otheropt = 45, + dns_nsstatscounter_ecsopt = 46, #ifdef ISC_PLATFORM_USESIT - dns_nsstatscounter_sitopt = 46, - dns_nsstatscounter_sitbadsize = 47, - dns_nsstatscounter_sitbadtime = 48, - dns_nsstatscounter_sitnomatch = 49, - dns_nsstatscounter_sitmatch = 50, - dns_nsstatscounter_sitnew = 51, + dns_nsstatscounter_sitopt = 47, + dns_nsstatscounter_sitbadsize = 48, + dns_nsstatscounter_sitbadtime = 49, + dns_nsstatscounter_sitnomatch = 50, + dns_nsstatscounter_sitmatch = 51, + dns_nsstatscounter_sitnew = 52, - dns_nsstatscounter_max = 52 + dns_nsstatscounter_max = 53 #else - dns_nsstatscounter_max = 46 + dns_nsstatscounter_max = 47 #endif }; diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c index a0c0eda085..c263c997aa 100644 --- a/bin/named/interfacemgr.c +++ b/bin/named/interfacemgr.c @@ -177,6 +177,10 @@ ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, isc_result_t result; ns_interfacemgr_t *mgr; +#ifndef USE_ROUTE_SOCKET + UNUSED(task); +#endif + REQUIRE(mctx != NULL); REQUIRE(mgrp != NULL); REQUIRE(*mgrp == NULL); diff --git a/bin/named/lwresd.html b/bin/named/lwresd.html index d05576fc13..4bef3e2625 100644 --- a/bin/named/lwresd.html +++ b/bin/named/lwresd.html @@ -22,7 +22,7 @@
-
+

Name

lwresd — lightweight resolver daemon

@@ -32,7 +32,7 @@

lwresd [-c config-file] [-C config-file] [-d debug-level] [-f] [-g] [-i pid-file] [-m flag] [-n #cpus] [-P port] [-p port] [-s] [-t directory] [-u user] [-v] [-4] [-6]

-

DESCRIPTION

+

DESCRIPTION

lwresd is the daemon providing name lookup services to clients that use the BIND 9 lightweight resolver @@ -67,7 +67,7 @@

-

OPTIONS

+

OPTIONS

-4

@@ -197,7 +197,7 @@

-

FILES

+

FILES

/etc/resolv.conf

@@ -210,14 +210,14 @@

-

SEE ALSO

+

SEE ALSO

named(8), lwres(3), resolver(5).

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html index df4d45e6d7..6c787b20da 100644 --- a/bin/named/named.conf.html +++ b/bin/named/named.conf.html @@ -21,7 +21,7 @@
-
+

Name

named.conf — configuration file for named

@@ -31,7 +31,7 @@

named.conf

-

DESCRIPTION

+

DESCRIPTION

named.conf is the configuration file for named. Statements are enclosed @@ -50,14 +50,14 @@

-

ACL

+

ACL


acl string { address_match_element; ... };

-

KEY

+

KEY


key domain_name {
algorithm string;
@@ -66,7 +66,7 @@ key

-

MASTERS

+

MASTERS


masters string [ port integer ] {
masters | ipv4_address [port integer] |
@@ -75,7 +75,7 @@ masters

-

SERVER

+

SERVER


server ( ipv4_address[/prefixlen] | ipv6_address[/prefixlen] ) {
bogus boolean;
@@ -97,7 +97,7 @@ server

-

TRUSTED-KEYS

+

TRUSTED-KEYS


trusted-keys {
domain_name flags protocol algorithm key; ... 
@@ -105,7 +105,7 @@ trusted-keys

-

MANAGED-KEYS

+

MANAGED-KEYS


managed-keys {
domain_name initial-key flags protocol algorithm key; ... 
@@ -113,7 +113,7 @@ managed-keys

-

CONTROLS

+

CONTROLS


controls {
inet ( ipv4_address | ipv6_address | * )
@@ -125,7 +125,7 @@ controls

-

LOGGING

+

LOGGING


logging {
channel string {
@@ -143,7 +143,7 @@ logging

-

LWRES

+

LWRES


lwres {
listen-on [ port integer ] {
@@ -158,7 +158,7 @@ lwres

-

OPTIONS

+

OPTIONS


options {
avoid-v4-udp-ports { port; ... };
@@ -364,7 +364,7 @@ options

-

VIEW

+

VIEW


view string optional_class {
match-clients { address_match_element; ... };
@@ -529,7 +529,7 @@ view

-

ZONE

+

ZONE


zone string optional_class {
type ( master | slave | stub | hint | redirect |
@@ -626,12 +626,12 @@ zone

-

FILES

+

FILES

/etc/named.conf

-

SEE ALSO

+

SEE ALSO

named(8), named-checkconf(8), rndc(8), diff --git a/bin/named/named.html b/bin/named/named.html index 988f1d01f5..1602ab4f4b 100644 --- a/bin/named/named.html +++ b/bin/named/named.html @@ -32,7 +32,7 @@

named [-4] [-6] [-c config-file] [-d debug-level] [-D string] [-E engine-name] [-f] [-g] [-L logfile] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-U #listeners] [-u user] [-v] [-V] [-x cache-file]

-

DESCRIPTION

+

DESCRIPTION

named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -47,7 +47,7 @@

-

OPTIONS

+

OPTIONS

-4

@@ -263,7 +263,7 @@

-

SIGNALS

+

SIGNALS

In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -284,7 +284,7 @@

-

CONFIGURATION

+

CONFIGURATION

The named configuration file is too complex to describe in detail here. A complete description is provided @@ -301,7 +301,7 @@

-

FILES

+

FILES

/etc/named.conf

@@ -314,7 +314,7 @@

-

SEE ALSO

+

SEE ALSO

RFC 1033, RFC 1034, RFC 1035, @@ -327,7 +327,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/named/query.c b/bin/named/query.c index a79a930fd3..e820b993f2 100644 --- a/bin/named/query.c +++ b/bin/named/query.c @@ -23,11 +23,13 @@ #include #include +#include #include #include #include #include +#include #include #include #include @@ -125,21 +127,25 @@ DNS_RDATASETATTR_NOQNAME) != 0) #if 0 -#define CTRACE(m) isc_log_write(ns_g_lctx, \ - NS_LOGCATEGORY_CLIENT, \ - NS_LOGMODULE_QUERY, \ - ISC_LOG_DEBUG(3), \ - "client %p: %s", client, (m)) -#define QTRACE(m) isc_log_write(ns_g_lctx, \ - NS_LOGCATEGORY_GENERAL, \ - NS_LOGMODULE_QUERY, \ - ISC_LOG_DEBUG(3), \ - "query %p: %s", query, (m)) +#define CTRACE(l,m) do { \ + if (client != NULL && client->query.qname != NULL) { \ + char qbuf[DNS_NAME_FORMATSIZE]; \ + dns_name_format(client->query.qname, qbuf, sizeof(qbuf)); \ + isc_log_write(ns_g_lctx, \ + NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY, \ + l, "client %p (%s): %s", client, qbuf, (m)); \ + } else { \ + isc_log_write(ns_g_lctx, \ + NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY, \ + l, "client %p (): %s", \ + client, (m)); \ + } \ +} while(0) #else -#define CTRACE(m) ((void)m) -#define QTRACE(m) ((void)m) +#define CTRACE(l,m) ((void)m) #endif + #define DNS_GETDB_NOEXACT 0x01U #define DNS_GETDB_NOLOG 0x02U #define DNS_GETDB_PARTIAL 0x04U @@ -147,6 +153,8 @@ #define PENDINGOK(x) (((x) & DNS_DBFIND_PENDINGOK) != 0) +#define SFCACHE_CDFLAG 0x1 + typedef struct client_additionalctx { ns_client_t *client; dns_rdataset_t *rdataset; @@ -312,13 +320,13 @@ static inline void query_putrdataset(ns_client_t *client, dns_rdataset_t **rdatasetp) { dns_rdataset_t *rdataset = *rdatasetp; - CTRACE("query_putrdataset"); + CTRACE(ISC_LOG_DEBUG(3), "query_putrdataset"); if (rdataset != NULL) { if (dns_rdataset_isassociated(rdataset)) dns_rdataset_disassociate(rdataset); dns_message_puttemprdataset(client->message, rdatasetp); } - CTRACE("query_putrdataset: done"); + CTRACE(ISC_LOG_DEBUG(3), "query_putrdataset: done"); } static inline void @@ -425,7 +433,7 @@ query_newnamebuf(ns_client_t *client) { isc_buffer_t *dbuf; isc_result_t result; - CTRACE("query_newnamebuf"); + CTRACE(ISC_LOG_DEBUG(3), "query_newnamebuf"); /*% * Allocate a name buffer. */ @@ -433,12 +441,13 @@ query_newnamebuf(ns_client_t *client) { dbuf = NULL; result = isc_buffer_allocate(client->mctx, &dbuf, 1024); if (result != ISC_R_SUCCESS) { - CTRACE("query_newnamebuf: isc_buffer_allocate failed: done"); + CTRACE(ISC_LOG_DEBUG(3), + "query_newnamebuf: isc_buffer_allocate failed: done"); return (result); } ISC_LIST_APPEND(client->query.namebufs, dbuf, link); - CTRACE("query_newnamebuf: done"); + CTRACE(ISC_LOG_DEBUG(3), "query_newnamebuf: done"); return (ISC_R_SUCCESS); } @@ -448,7 +457,7 @@ query_getnamebuf(ns_client_t *client) { isc_result_t result; isc_region_t r; - CTRACE("query_getnamebuf"); + CTRACE(ISC_LOG_DEBUG(3), "query_getnamebuf"); /*% * Return a name buffer with space for a maximal name, allocating * a new one if necessary. @@ -457,7 +466,8 @@ query_getnamebuf(ns_client_t *client) { if (ISC_LIST_EMPTY(client->query.namebufs)) { result = query_newnamebuf(client); if (result != ISC_R_SUCCESS) { - CTRACE("query_getnamebuf: query_newnamebuf failed: done"); + CTRACE(ISC_LOG_DEBUG(3), + "query_getnamebuf: query_newnamebuf failed: done"); return (NULL); } } @@ -468,7 +478,8 @@ query_getnamebuf(ns_client_t *client) { if (r.length < 255) { result = query_newnamebuf(client); if (result != ISC_R_SUCCESS) { - CTRACE("query_getnamebuf: query_newnamebuf failed: done"); + CTRACE(ISC_LOG_DEBUG(3), + "query_getnamebuf: query_newnamebuf failed: done"); return (NULL); } @@ -476,7 +487,7 @@ query_getnamebuf(ns_client_t *client) { isc_buffer_availableregion(dbuf, &r); INSIST(r.length >= 255); } - CTRACE("query_getnamebuf: done"); + CTRACE(ISC_LOG_DEBUG(3), "query_getnamebuf: done"); return (dbuf); } @@ -484,7 +495,7 @@ static inline void query_keepname(ns_client_t *client, dns_name_t *name, isc_buffer_t *dbuf) { isc_region_t r; - CTRACE("query_keepname"); + CTRACE(ISC_LOG_DEBUG(3), "query_keepname"); /*% * 'name' is using space in 'dbuf', but 'dbuf' has not yet been * adjusted to take account of that. We do the adjustment. @@ -508,14 +519,14 @@ query_releasename(ns_client_t *client, dns_name_t **namep) { * rights on the buffer. */ - CTRACE("query_releasename"); + CTRACE(ISC_LOG_DEBUG(3), "query_releasename"); if (dns_name_hasbuffer(name)) { INSIST((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) != 0); client->query.attributes &= ~NS_QUERYATTR_NAMEBUFUSED; } dns_message_puttempname(client->message, namep); - CTRACE("query_releasename: done"); + CTRACE(ISC_LOG_DEBUG(3), "query_releasename: done"); } static inline dns_name_t * @@ -528,11 +539,12 @@ query_newname(ns_client_t *client, isc_buffer_t *dbuf, REQUIRE((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) == 0); - CTRACE("query_newname"); + CTRACE(ISC_LOG_DEBUG(3), "query_newname"); name = NULL; result = dns_message_gettempname(client->message, &name); if (result != ISC_R_SUCCESS) { - CTRACE("query_newname: dns_message_gettempname failed: done"); + CTRACE(ISC_LOG_DEBUG(3), + "query_newname: dns_message_gettempname failed: done"); return (NULL); } isc_buffer_availableregion(dbuf, &r); @@ -541,7 +553,7 @@ query_newname(ns_client_t *client, isc_buffer_t *dbuf, dns_name_setbuffer(name, nbuf); client->query.attributes |= NS_QUERYATTR_NAMEBUFUSED; - CTRACE("query_newname: done"); + CTRACE(ISC_LOG_DEBUG(3), "query_newname: done"); return (name); } @@ -550,17 +562,18 @@ query_newrdataset(ns_client_t *client) { dns_rdataset_t *rdataset; isc_result_t result; - CTRACE("query_newrdataset"); + CTRACE(ISC_LOG_DEBUG(3), "query_newrdataset"); rdataset = NULL; result = dns_message_gettemprdataset(client->message, &rdataset); if (result != ISC_R_SUCCESS) { - CTRACE("query_newrdataset: " + CTRACE(ISC_LOG_DEBUG(3), + "query_newrdataset: " "dns_message_gettemprdataset failed: done"); return (NULL); } dns_rdataset_init(rdataset); - CTRACE("query_newrdataset: done"); + CTRACE(ISC_LOG_DEBUG(3), "query_newrdataset: done"); return (rdataset); } @@ -727,8 +740,10 @@ query_validatezonedb(ns_client_t *client, dns_name_t *name, * Get the current version of this database. */ dbversion = query_findversion(client, db); - if (dbversion == NULL) + if (dbversion == NULL) { + CTRACE(ISC_LOG_ERROR, "unable to get db version"); return (DNS_R_SERVFAIL); + } if ((options & DNS_GETDB_IGNOREACL) != 0) goto approved; @@ -1191,7 +1206,7 @@ query_isduplicate(ns_client_t *client, dns_name_t *name, dns_name_t *mname = NULL; isc_result_t result; - CTRACE("query_isduplicate"); + CTRACE(ISC_LOG_DEBUG(3), "query_isduplicate"); for (section = DNS_SECTION_ANSWER; section <= DNS_SECTION_ADDITIONAL; @@ -1202,7 +1217,8 @@ query_isduplicate(ns_client_t *client, dns_name_t *name, /* * We've already got this RRset in the response. */ - CTRACE("query_isduplicate: true: done"); + CTRACE(ISC_LOG_DEBUG(3), + "query_isduplicate: true: done"); return (ISC_TRUE); } else if (result == DNS_R_NXRRSET) { /* @@ -1218,7 +1234,7 @@ query_isduplicate(ns_client_t *client, dns_name_t *name, if (mnamep != NULL) *mnamep = mname; - CTRACE("query_isduplicate: false: done"); + CTRACE(ISC_LOG_DEBUG(3), "query_isduplicate: false: done"); return (ISC_FALSE); } @@ -1245,7 +1261,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { if (!WANTDNSSEC(client) && dns_rdatatype_isdnssec(qtype)) return (ISC_R_SUCCESS); - CTRACE("query_addadditional"); + CTRACE(ISC_LOG_DEBUG(3), "query_addadditional"); /* * Initialization. @@ -1301,7 +1317,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { if (result != ISC_R_SUCCESS) goto try_cache; - CTRACE("query_addadditional: db_find"); + CTRACE(ISC_LOG_DEBUG(3), "query_addadditional: db_find"); /* * Since we are looking for authoritative data, we do not set @@ -1573,7 +1589,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { } addname: - CTRACE("query_addadditional: addname"); + CTRACE(ISC_LOG_DEBUG(3), "query_addadditional: addname"); /* * If we haven't added anything, then we're done. */ @@ -1613,7 +1629,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { } cleanup: - CTRACE("query_addadditional: cleanup"); + CTRACE(ISC_LOG_DEBUG(3), "query_addadditional: cleanup"); query_putrdataset(client, &rdataset); if (sigrdataset != NULL) query_putrdataset(client, &sigrdataset); @@ -1626,7 +1642,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { if (zone != NULL) dns_zone_detach(&zone); - CTRACE("query_addadditional: done"); + CTRACE(ISC_LOG_DEBUG(3), "query_addadditional: done"); return (eresult); } @@ -1744,7 +1760,7 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { dns_clientinfomethods_init(&cm, ns_client_sourceip); dns_clientinfo_init(&ci, client, NULL); - CTRACE("query_addadditional2"); + CTRACE(ISC_LOG_DEBUG(3), "query_addadditional2"); /* * We treat type A additional section processing as if it @@ -1776,14 +1792,16 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { if (result != ISC_R_SUCCESS) goto findauthdb; if (zone == NULL) { - CTRACE("query_addadditional2: auth zone not found"); + CTRACE(ISC_LOG_DEBUG(3), + "query_addadditional2: auth zone not found"); goto try_cache; } /* Is the cached DB up-to-date? */ result = query_iscachevalid(zone, cdb, NULL, cversion); if (result != ISC_R_SUCCESS) { - CTRACE("query_addadditional2: old auth additional cache"); + CTRACE(ISC_LOG_DEBUG(3), + "query_addadditional2: old auth additional cache"); query_discardcache(client, rdataset_base, additionaltype, type, &zone, &cdb, &cversion, &cnode, &cfname); @@ -1796,7 +1814,8 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { * ACL, since the result (not using this zone) would be same * regardless of the result. */ - CTRACE("query_addadditional2: negative auth additional cache"); + CTRACE(ISC_LOG_DEBUG(3), + "query_addadditional2: negative auth additional cache"); dns_db_closeversion(cdb, &cversion, ISC_FALSE); dns_db_detach(&cdb); dns_zone_detach(&zone); @@ -1813,7 +1832,8 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { } /* We've got an active cache. */ - CTRACE("query_addadditional2: auth additional cache"); + CTRACE(ISC_LOG_DEBUG(3), + "query_addadditional2: auth additional cache"); dns_db_closeversion(cdb, &cversion, ISC_FALSE); db = cdb; node = cnode; @@ -1837,7 +1857,7 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { goto try_cache; } - CTRACE("query_addadditional2: db_find"); + CTRACE(ISC_LOG_DEBUG(3), "query_addadditional2: db_find"); /* * Since we are looking for authoritative data, we do not set @@ -1922,7 +1942,8 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { result = query_iscachevalid(zone, cdb, client->query.gluedb, cversion); if (result != ISC_R_SUCCESS) { - CTRACE("query_addadditional2: old glue additional cache"); + CTRACE(ISC_LOG_DEBUG(3), + "query_addadditional2: old glue additional cache"); query_discardcache(client, rdataset_base, additionaltype, type, &zone, &cdb, &cversion, &cnode, &cfname); @@ -1931,14 +1952,15 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { if (cnode == NULL) { /* We have a negative cache. */ - CTRACE("query_addadditional2: negative glue additional cache"); + CTRACE(ISC_LOG_DEBUG(3), + "query_addadditional2: negative glue additional cache"); dns_db_closeversion(cdb, &cversion, ISC_FALSE); dns_db_detach(&cdb); goto cleanup; } /* Cache hit. */ - CTRACE("query_addadditional2: glue additional cache"); + CTRACE(ISC_LOG_DEBUG(3), "query_addadditional2: glue additional cache"); dns_db_closeversion(cdb, &cversion, ISC_FALSE); db = cdb; node = cnode; @@ -2121,7 +2143,7 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { } } - CTRACE("query_addadditional2: addname"); + CTRACE(ISC_LOG_DEBUG(3), "query_addadditional2: addname"); /* * If we haven't added anything, then we're done. @@ -2140,7 +2162,7 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { fname = NULL; cleanup: - CTRACE("query_addadditional2: cleanup"); + CTRACE(ISC_LOG_DEBUG(3), "query_addadditional2: cleanup"); if (rdataset != NULL) query_putrdataset(client, &rdataset); @@ -2159,7 +2181,7 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { if (zone != NULL) dns_zone_detach(&zone); - CTRACE("query_addadditional2: done"); + CTRACE(ISC_LOG_DEBUG(3), "query_addadditional2: done"); return (eresult); } @@ -2174,7 +2196,7 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname, * 'fname', a name in the response message for 'client'. */ - CTRACE("query_addrdataset"); + CTRACE(ISC_LOG_DEBUG(3), "query_addrdataset"); ISC_LIST_APPEND(fname->list, rdataset, link); @@ -2196,7 +2218,7 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname, additionalctx.rdataset = rdataset; (void)dns_rdataset_additionaldata(rdataset, query_addadditional2, &additionalctx); - CTRACE("query_addrdataset: done"); + CTRACE(ISC_LOG_DEBUG(3), "query_addrdataset: done"); } static isc_result_t @@ -2228,7 +2250,7 @@ query_dns64(ns_client_t *client, dns_name_t **namep, dns_rdataset_t *rdataset, * stored in 'dbuf'. In this case, query_addrrset() guarantees that * when it returns the name will either have been kept or released. */ - CTRACE("query_dns64"); + CTRACE(ISC_LOG_DEBUG(3), "query_dns64"); name = *namep; mname = NULL; mrdataset = NULL; @@ -2245,7 +2267,8 @@ query_dns64(ns_client_t *client, dns_name_t **namep, dns_rdataset_t *rdataset, * We've already got an RRset of the given name and type. * There's nothing else to do; */ - CTRACE("query_dns64: dns_message_findname succeeded: done"); + CTRACE(ISC_LOG_DEBUG(3), + "query_dns64: dns_message_findname succeeded: done"); if (dbuf != NULL) query_releasename(client, namep); return (ISC_R_SUCCESS); @@ -2376,7 +2399,7 @@ query_dns64(ns_client_t *client, dns_name_t **namep, dns_rdataset_t *rdataset, dns_message_puttemprdatalist(client->message, &dns64_rdatalist); } - CTRACE("query_dns64: done"); + CTRACE(ISC_LOG_DEBUG(3), "query_dns64: done"); return (result); } @@ -2395,7 +2418,7 @@ query_filter64(ns_client_t *client, dns_name_t **namep, isc_result_t result; unsigned int i; - CTRACE("query_filter64"); + CTRACE(ISC_LOG_DEBUG(3), "query_filter64"); INSIST(client->query.dns64_aaaaok != NULL); INSIST(client->query.dns64_aaaaoklen == dns_rdataset_count(rdataset)); @@ -2415,7 +2438,8 @@ query_filter64(ns_client_t *client, dns_name_t **namep, * We've already got an RRset of the given name and type. * There's nothing else to do; */ - CTRACE("query_filter64: dns_message_findname succeeded: done"); + CTRACE(ISC_LOG_DEBUG(3), + "query_filter64: dns_message_findname succeeded: done"); if (dbuf != NULL) query_releasename(client, namep); return; @@ -2514,7 +2538,7 @@ query_filter64(ns_client_t *client, dns_name_t **namep, if (dbuf != NULL) query_releasename(client, &name); - CTRACE("query_filter64: done"); + CTRACE(ISC_LOG_DEBUG(3), "query_filter64: done"); } static void @@ -2536,7 +2560,7 @@ query_addrrset(ns_client_t *client, dns_name_t **namep, * stored in 'dbuf'. In this case, query_addrrset() guarantees that * when it returns the name will either have been kept or released. */ - CTRACE("query_addrrset"); + CTRACE(ISC_LOG_DEBUG(3), "query_addrrset"); name = *namep; rdataset = *rdatasetp; if (sigrdatasetp != NULL) @@ -2552,7 +2576,8 @@ query_addrrset(ns_client_t *client, dns_name_t **namep, /* * We've already got an RRset of the given name and type. */ - CTRACE("query_addrrset: dns_message_findname succeeded: done"); + CTRACE(ISC_LOG_DEBUG(3), + "query_addrrset: dns_message_findname succeeded: done"); if (dbuf != NULL) query_releasename(client, namep); if ((rdataset->attributes & DNS_RDATASETATTR_REQUIRED) != 0) @@ -2591,7 +2616,7 @@ query_addrrset(ns_client_t *client, dns_name_t **namep, ISC_LIST_APPEND(mname->list, sigrdataset, link); *sigrdatasetp = NULL; } - CTRACE("query_addrrset: done"); + CTRACE(ISC_LOG_DEBUG(3), "query_addrrset: done"); } static inline isc_result_t @@ -2607,7 +2632,7 @@ query_addsoa(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version, dns_clientinfomethods_t cm; dns_clientinfo_t ci; - CTRACE("query_addsoa"); + CTRACE(ISC_LOG_DEBUG(3), "query_addsoa"); /* * Initialization. */ @@ -2635,12 +2660,14 @@ query_addsoa(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version, dns_name_clone(dns_db_origin(db), name); rdataset = query_newrdataset(client); if (rdataset == NULL) { + CTRACE(ISC_LOG_ERROR, "unable to allocate rdataset"); eresult = DNS_R_SERVFAIL; goto cleanup; } if (WANTDNSSEC(client) && dns_db_issecure(db)) { sigrdataset = query_newrdataset(client); if (sigrdataset == NULL) { + CTRACE(ISC_LOG_ERROR, "unable to allocate sigrdataset"); eresult = DNS_R_SERVFAIL; goto cleanup; } @@ -2670,6 +2697,7 @@ query_addsoa(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version, * This is bad. We tried to get the SOA RR at the zone top * and it didn't work! */ + CTRACE(ISC_LOG_ERROR, "unable to find SOA RR at zone apex"); eresult = DNS_R_SERVFAIL; } else { /* @@ -2734,7 +2762,7 @@ query_addns(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version) { dns_clientinfomethods_t cm; dns_clientinfo_t ci; - CTRACE("query_addns"); + CTRACE(ISC_LOG_DEBUG(3), "query_addns"); /* * Initialization. */ @@ -2752,21 +2780,24 @@ query_addns(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version) { */ result = dns_message_gettempname(client->message, &name); if (result != ISC_R_SUCCESS) { - CTRACE("query_addns: dns_message_gettempname failed: done"); + CTRACE(ISC_LOG_DEBUG(3), + "query_addns: dns_message_gettempname failed: done"); return (result); } dns_name_init(name, NULL); dns_name_clone(dns_db_origin(db), name); rdataset = query_newrdataset(client); if (rdataset == NULL) { - CTRACE("query_addns: query_newrdataset failed"); + CTRACE(ISC_LOG_ERROR, + "query_addns: query_newrdataset failed"); eresult = DNS_R_SERVFAIL; goto cleanup; } if (WANTDNSSEC(client) && dns_db_issecure(db)) { sigrdataset = query_newrdataset(client); if (sigrdataset == NULL) { - CTRACE("query_addns: query_newrdataset failed"); + CTRACE(ISC_LOG_ERROR, + "query_addns: query_newrdataset failed"); eresult = DNS_R_SERVFAIL; goto cleanup; } @@ -2781,14 +2812,15 @@ query_addns(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version) { dns_rdatatype_ns, 0, client->now, rdataset, sigrdataset); } else { - CTRACE("query_addns: calling dns_db_find"); + CTRACE(ISC_LOG_DEBUG(3), "query_addns: calling dns_db_find"); result = dns_db_findext(db, name, NULL, dns_rdatatype_ns, client->query.dboptions, 0, &node, fname, &cm, &ci, rdataset, sigrdataset); - CTRACE("query_addns: dns_db_find complete"); + CTRACE(ISC_LOG_DEBUG(3), "query_addns: dns_db_find complete"); } if (result != ISC_R_SUCCESS) { - CTRACE("query_addns: " + CTRACE(ISC_LOG_ERROR, + "query_addns: " "dns_db_findrdataset or dns_db_find failed"); /* * This is bad. We tried to get the NS rdataset at the zone @@ -2805,7 +2837,7 @@ query_addns(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version) { } cleanup: - CTRACE("query_addns: cleanup"); + CTRACE(ISC_LOG_DEBUG(3), "query_addns: cleanup"); query_putrdataset(client, &rdataset); if (sigrdataset != NULL) query_putrdataset(client, &sigrdataset); @@ -2814,7 +2846,7 @@ query_addns(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version) { if (node != NULL) dns_db_detachnode(db, &node); - CTRACE("query_addns: done"); + CTRACE(ISC_LOG_DEBUG(3), "query_addns: done"); return (eresult); } @@ -3082,7 +3114,7 @@ query_addbestns(ns_client_t *client) { dns_clientinfomethods_t cm; dns_clientinfo_t ci; - CTRACE("query_addbestns"); + CTRACE(ISC_LOG_DEBUG(3), "query_addbestns"); fname = NULL; zfname = NULL; rdataset = NULL; @@ -3287,7 +3319,7 @@ query_addds(ns_client_t *client, dns_db_t *db, dns_dbnode_t *node, isc_result_t result; unsigned int count; - CTRACE("query_addds"); + CTRACE(ISC_LOG_DEBUG(3), "query_addds"); rname = NULL; rdataset = NULL; sigrdataset = NULL; @@ -3417,7 +3449,7 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db, dns_clientinfomethods_t cm; dns_clientinfo_t ci; - CTRACE("query_addwildcardproof"); + CTRACE(ISC_LOG_DEBUG(3), "query_addwildcardproof"); fname = NULL; rdataset = NULL; sigrdataset = NULL; @@ -3781,9 +3813,10 @@ query_resume(isc_task_t *task, isc_event_t *event) { if (devent->sigrdataset != NULL) query_putrdataset(client, &devent->sigrdataset); isc_event_free(&event); - if (fetch_canceled) + if (fetch_canceled) { + CTRACE(ISC_LOG_ERROR, "fetch cancelled"); query_error(client, DNS_R_SERVFAIL, __LINE__); - else + } else query_next(client, ISC_R_CANCELED); /* * This may destroy the client. @@ -4047,8 +4080,11 @@ rpz_ready(ns_client_t *client, dns_rdataset_t **rdatasetp) if (*rdatasetp == NULL) { *rdatasetp = query_newrdataset(client); - if (*rdatasetp == NULL) + if (*rdatasetp == NULL) { + CTRACE(ISC_LOG_ERROR, + "rpz_ready: query_newrdataset failed"); return (DNS_R_SERVFAIL); + } } else if (dns_rdataset_isassociated(*rdatasetp)) { dns_rdataset_disassociate(*rdatasetp); } @@ -4187,6 +4223,7 @@ rpz_rrset_find(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type, st->r.r_rdataset = NULL; result = st->r.r_result; if (result == DNS_R_DELEGATION) { + CTRACE(ISC_LOG_ERROR, "RPZ recursing"); rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name, rpz_type, " rpz_rrset_find(1)", result); st->m.policy = DNS_RPZ_POLICY_ERROR; @@ -4372,8 +4409,10 @@ rpz_find_p(ns_client_t *client, dns_name_t *self_name, dns_rdatatype_t qtype, */ rpz_clean(zonep, dbp, nodep, rdatasetp); result = rpz_ready(client, rdatasetp); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { + CTRACE(ISC_LOG_ERROR, "rpz_ready() failed"); return (DNS_R_SERVFAIL); + } *versionp = NULL; result = rpz_getdb(client, p_name, rpz_type, zonep, dbp, versionp); if (result != ISC_R_SUCCESS) @@ -4396,6 +4435,8 @@ rpz_find_p(ns_client_t *client, dns_name_t *self_name, dns_rdatatype_t qtype, if (result != ISC_R_SUCCESS) { rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name, rpz_type, " allrdatasets()", result); + CTRACE(ISC_LOG_ERROR, + "rpz_find_p: allrdatasets failed"); return (DNS_R_SERVFAIL); } for (result = dns_rdatasetiter_first(rdsiter); @@ -4413,6 +4454,9 @@ rpz_find_p(ns_client_t *client, dns_name_t *self_name, dns_rdatatype_t qtype, rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name, rpz_type, " rdatasetiter", result); + CTRACE(ISC_LOG_ERROR, + "rpz_find_p: rdatasetiter_destroy " + "failed"); return (DNS_R_SERVFAIL); } /* @@ -4467,6 +4511,8 @@ rpz_find_p(ns_client_t *client, dns_name_t *self_name, dns_rdatatype_t qtype, default: rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name, rpz_type, "", result); + CTRACE(ISC_LOG_ERROR, + "rpz_find_p: unexpected result"); return (DNS_R_SERVFAIL); } } @@ -4696,6 +4742,8 @@ rpz_rewrite_ip_rrset(ns_client_t *client, rpz_type, " NS address rewrite rrset", result); } + CTRACE(ISC_LOG_ERROR, + "rpz_rewrite_ip_rrset: unexpected result"); return (DNS_R_SERVFAIL); } @@ -5330,6 +5378,7 @@ cleanup: rpz_match_clear(st); } if (st->m.policy == DNS_RPZ_POLICY_ERROR) { + CTRACE(ISC_LOG_ERROR, "SERVFAIL due to RPZ policy"); st->m.type = DNS_RPZ_TYPE_BAD; result = DNS_R_SERVFAIL; } @@ -5563,7 +5612,7 @@ query_addnoqnameproof(ns_client_t *client, dns_rdataset_t *rdataset) { dns_rdataset_t *neg, *negsig; isc_result_t result = ISC_R_NOMEMORY; - CTRACE("query_addnoqnameproof"); + CTRACE(ISC_LOG_DEBUG(3), "query_addnoqnameproof"); fname = NULL; neg = NULL; @@ -5977,7 +6026,7 @@ redirect(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset, dns_clientinfo_t ci; ns_dbversion_t *dbversion; - CTRACE("redirect"); + CTRACE(ISC_LOG_DEBUG(3), "redirect"); if (client->view->redirect == NULL) return (ISC_FALSE); @@ -6044,7 +6093,7 @@ redirect(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset, dns_db_detach(&db); return (ISC_FALSE); } - CTRACE("redirect: found data: done"); + CTRACE(ISC_LOG_DEBUG(3), "redirect: found data: done"); dns_name_copy(found, name, NULL); if (dns_rdataset_isassociated(rdataset)) @@ -6078,15 +6127,16 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) { dns_db_t *db, *zdb; dns_dbnode_t *node; - dns_rdatatype_t type; + dns_rdatatype_t type = qtype; dns_name_t *fname, *zfname, *tname, *prefix; dns_rdataset_t *rdataset, *trdataset; dns_rdataset_t *sigrdataset, *zrdataset, *zsigrdataset; dns_rdataset_t **sigrdatasetp; dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdatasetiter_t *rdsiter; - isc_boolean_t want_restart, authoritative, is_zone, need_wildcardproof; + isc_boolean_t want_restart, is_zone, need_wildcardproof; isc_boolean_t is_staticstub_zone; + isc_boolean_t authoritative = ISC_FALSE; unsigned int n, nlabels; dns_namereln_t namereln; int order; @@ -6109,11 +6159,14 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) isc_boolean_t nxrewrite = ISC_FALSE; dns_clientinfomethods_t cm; dns_clientinfo_t ci; + char errmsg[256]; isc_boolean_t associated; dns_section_t section; dns_ttl_t ttl; + isc_boolean_t failcache; + isc_uint32_t flags; - CTRACE("query_find"); + CTRACE(ISC_LOG_DEBUG(3), "query_find"); /* * One-time initialization. @@ -6205,11 +6258,15 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) */ dbuf = query_getnamebuf(client); if (dbuf == NULL) { + CTRACE(ISC_LOG_ERROR, + "query_find: query_getnamebuf failed (1)"); QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; } fname = query_newname(client, dbuf, &b); if (fname == NULL) { + CTRACE(ISC_LOG_ERROR, + "query_find: query_newname failed (1)"); QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; } @@ -6221,6 +6278,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) } result = dns_name_copy(tname, fname, NULL); if (result != ISC_R_SUCCESS) { + CTRACE(ISC_LOG_ERROR, + "query_find: dns_name_copy failed"); QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; } @@ -6238,7 +6297,39 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) /* * Not returning from recursion. + * + * First, check for a recent match in the view's SERVFAIL cache. + * If we find one, and it was from a query with CD=1, *or* + * if the current query has CD=0, then we can just return + * SERVFAIL now. */ + flags = 0; + failcache = dns_badcache_find(client->view->failcache, + client->query.qname, qtype, + &flags, &client->tnow); + if (failcache && (((flags & NS_FAILCACHE_CD) != 0) || + ((client->message->flags & DNS_MESSAGEFLAG_CD) == 0))) + { + if (isc_log_wouldlog(ns_g_lctx, ISC_LOG_DEBUG(1))) { + char namebuf[DNS_NAME_FORMATSIZE]; + char typename[DNS_RDATATYPE_FORMATSIZE]; + + dns_name_format(client->query.qname, + namebuf, sizeof(namebuf)); + dns_rdatatype_format(qtype, + typename, sizeof(typename)); + ns_client_log(client, NS_LOGCATEGORY_CLIENT, + NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(1), + "servfail cache hit %s/%s (%s)", + namebuf, typename, + ((flags & NS_FAILCACHE_CD) != 0) + ? "CD=1" + : "CD=0"); + } + client->attributes |= NS_CLIENTATTR_NOSETFC; + QUERY_ERROR(DNS_R_SERVFAIL); + goto cleanup; + } /* * If it's a SIG query, we'll iterate the node. @@ -6249,7 +6340,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) type = qtype; restart: - CTRACE("query_find: restart"); + CTRACE(ISC_LOG_DEBUG(3), "query_find: restart"); want_restart = ISC_FALSE; authoritative = ISC_FALSE; version = NULL; @@ -6326,8 +6417,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) inc_stats(client, dns_nsstatscounter_authrej); if (!PARTIALANSWER(client)) QUERY_ERROR(DNS_R_REFUSED); - } else + } else { + CTRACE(ISC_LOG_ERROR, + "query_find: query_getdb failed"); QUERY_ERROR(DNS_R_SERVFAIL); + } goto cleanup; } @@ -6360,24 +6454,30 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) } db_find: - CTRACE("query_find: db_find"); + CTRACE(ISC_LOG_DEBUG(3), "query_find: db_find"); /* * We'll need some resources... */ dbuf = query_getnamebuf(client); if (dbuf == NULL) { + CTRACE(ISC_LOG_ERROR, + "query_find: query_getnamebuf failed (2)"); QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; } fname = query_newname(client, dbuf, &b); rdataset = query_newrdataset(client); if (fname == NULL || rdataset == NULL) { + CTRACE(ISC_LOG_ERROR, + "query_find: query_newname failed (2)"); QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; } if (WANTDNSSEC(client) && (!is_zone || dns_db_issecure(db))) { sigrdataset = query_newrdataset(client); if (sigrdataset == NULL) { + CTRACE(ISC_LOG_ERROR, + "query_find: query_newrdataset failed (2)"); QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; } @@ -6394,7 +6494,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) dns_cache_updatestats(client->view->cache, result); resume: - CTRACE("query_find: resume"); + CTRACE(ISC_LOG_DEBUG(3), "query_find: resume"); /* * Rate limit these responses to this client. @@ -6759,6 +6859,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) goto cleanup; } else { /* Unable to give root server referral. */ + CTRACE(ISC_LOG_ERROR, + "unable to give root server referral"); QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; } @@ -7025,11 +7127,17 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) if (fname == NULL) { dbuf = query_getnamebuf(client); if (dbuf == NULL) { + CTRACE(ISC_LOG_ERROR, + "query_find: " + "query_getnamebuf failed (3)"); QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; } fname = query_newname(client, dbuf, &b); if (fname == NULL) { + CTRACE(ISC_LOG_ERROR, + "query_find: " + "query_newname failed (3)"); QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; } @@ -7128,6 +7236,10 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) if (fname == NULL || rdataset == NULL || sigrdataset == NULL) { + CTRACE(ISC_LOG_ERROR, + "query_find: " + "failure getting " + "closest encloser"); QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; } @@ -7306,11 +7418,17 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) if (fname == NULL) { dbuf = query_getnamebuf(client); if (dbuf == NULL) { + CTRACE(ISC_LOG_ERROR, + "query_find: " + "query_getnamebuf failed (4)"); QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; } fname = query_newname(client, dbuf, &b); if (fname == NULL) { + CTRACE(ISC_LOG_ERROR, + "query_find: " + "query_newname failed (4)"); QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; } @@ -7567,6 +7685,10 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) /* * Something has gone wrong. */ + snprintf(errmsg, sizeof(errmsg) - 1, + "query_find: unexpected error after resuming: %s", + isc_result_totext(result)); + CTRACE(ISC_LOG_ERROR, errmsg); QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; } @@ -7625,6 +7747,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) rdsiter = NULL; result = dns_db_allrdatasets(db, node, version, 0, &rdsiter); if (result != ISC_R_SUCCESS) { + CTRACE(ISC_LOG_ERROR, + "query_find: type any; allrdatasets failed"); QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; } @@ -7759,12 +7883,18 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) dns_rdatasetiter_destroy(&rdsiter); fname = query_newname(client, dbuf, &b); goto nxrrset_rrsig; - } else + } else { + CTRACE(ISC_LOG_ERROR, + "query_find: no matching rdatasets " + "in cache"); result = DNS_R_SERVFAIL; + } } dns_rdatasetiter_destroy(&rdsiter); if (result != ISC_R_NOMORE) { + CTRACE(ISC_LOG_ERROR, + "query_find: dns_rdatasetiter_destroy failed"); QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; } @@ -7988,7 +8118,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) } addauth: - CTRACE("query_find: addauth"); + CTRACE(ISC_LOG_DEBUG(3), "query_find: addauth"); /* * Add NS records to the authority section (if we haven't already * added them to the answer section). @@ -8016,7 +8146,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) dns_fixedname_name(&wildcardname), ISC_TRUE, ISC_FALSE); cleanup: - CTRACE("query_find: cleanup"); + CTRACE(ISC_LOG_DEBUG(3), "query_find: cleanup"); /* * General cleanup. */ @@ -8124,7 +8254,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) query_send(client); ns_client_detach(&client); } - CTRACE("query_find: done"); + CTRACE(ISC_LOG_DEBUG(3), "query_find: done"); return (eresult); } @@ -8135,6 +8265,7 @@ log_query(ns_client_t *client, unsigned int flags, unsigned int extflags) { char typename[DNS_RDATATYPE_FORMATSIZE]; char classname[DNS_RDATACLASS_FORMATSIZE]; char onbuf[ISC_NETADDR_FORMATSIZE]; + char ednsbuf[sizeof("E(255)")] = { 0 }; dns_rdataset_t *rdataset; int level = ISC_LOG_INFO; @@ -8148,11 +8279,14 @@ log_query(ns_client_t *client, unsigned int flags, unsigned int extflags) { dns_rdatatype_format(rdataset->type, typename, sizeof(typename)); isc_netaddr_format(&client->destaddr, onbuf, sizeof(onbuf)); + if (client->ednsversion >= 0) + snprintf(ednsbuf, sizeof(ednsbuf), "E(%d)", + client->ednsversion); + ns_client_log(client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY, level, "query: %s %s %s %s%s%s%s%s%s (%s)", namebuf, classname, typename, WANTRECURSION(client) ? "+" : "-", - (client->signer != NULL) ? "S" : "", - (client->ednsversion >= 0) ? "E" : "", + (client->signer != NULL) ? "S" : "", ednsbuf, ((client->attributes & NS_CLIENTATTR_TCP) != 0) ? "T" : "", ((extflags & DNS_MESSAGEEXTFLAG_DO) != 0) ? "D" : "", @@ -8212,7 +8346,7 @@ ns_query_start(ns_client_t *client) { unsigned int saved_extflags = client->extflags; unsigned int saved_flags = client->message->flags; - CTRACE("ns_query_start"); + CTRACE(ISC_LOG_DEBUG(3), "ns_query_start"); /* * Test only. @@ -8302,7 +8436,7 @@ ns_query_start(ns_client_t *client) { */ rdataset = ISC_LIST_HEAD(client->query.qname->list); INSIST(rdataset != NULL); - qtype = rdataset->type; + client->query.qtype = qtype = rdataset->type; dns_rdatatypestats_increment(ns_g_server->rcvquerystats, qtype); if (dns_rdatatype_ismeta(qtype)) { diff --git a/bin/named/server.c b/bin/named/server.c index 72bbdd285f..87896940aa 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -64,6 +64,7 @@ #include #include +#include #include #include #include @@ -1224,6 +1225,15 @@ configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) { CHECK(dns_peer_setudpsize(peer, (isc_uint16_t)udpsize)); } + obj = NULL; + (void)cfg_map_get(cpeer, "edns-version", &obj); + if (obj != NULL) { + isc_uint32_t ednsversion = cfg_obj_asuint32(obj); + if (ednsversion > 255) + ednsversion = 255; + CHECK(dns_peer_setednsversion(peer, (isc_uint8_t)ednsversion)); + } + obj = NULL; (void)cfg_map_get(cpeer, "max-udp-size", &obj); if (obj != NULL) { @@ -2349,7 +2359,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, size_t max_cache_size; size_t max_acache_size; size_t max_adb_size; - isc_uint32_t lame_ttl; + isc_uint32_t lame_ttl, fail_ttl; dns_tsig_keyring_t *ring = NULL; dns_view_t *pview = NULL; /* Production view */ isc_mem_t *cmctx = NULL, *hmctx = NULL; @@ -3784,6 +3794,17 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, goto cleanup; } + /* + * Set the servfail-ttl. + */ + obj = NULL; + result = ns_config_get(maps, "servfail-ttl", &obj); + INSIST(result == ISC_R_SUCCESS); + fail_ttl = cfg_obj_asuint32(obj); + if (fail_ttl > 300) + fail_ttl = 300; + dns_view_setfailttl(view, fail_ttl); + result = ISC_R_SUCCESS; cleanup: @@ -4684,6 +4705,9 @@ directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) { static void scan_interfaces(ns_server_t *server, isc_boolean_t verbose) { isc_boolean_t match_mapped = server->aclenv.match_mapped; +#ifdef HAVE_GEOIP + isc_boolean_t use_ecs = server->aclenv.geoip_use_ecs; +#endif ns_interfacemgr_scan(server->interfacemgr, verbose); /* @@ -4694,6 +4718,9 @@ scan_interfaces(ns_server_t *server, isc_boolean_t verbose) { ns_interfacemgr_getaclenv(server->interfacemgr)); server->aclenv.match_mapped = match_mapped; +#ifdef HAVE_GEOIP + server->aclenv.geoip_use_ecs = use_ecs; +#endif } static isc_result_t @@ -5554,6 +5581,11 @@ load_configuration(const char *filename, ns_server_t *server, } else ns_geoip_load(NULL); ns_g_aclconfctx->geoip = ns_g_geoip; + + obj = NULL; + result = ns_config_get(maps, "geoip-use-ecs", &obj); + INSIST(result == ISC_R_SUCCESS); + ns_g_server->aclenv.geoip_use_ecs = cfg_obj_asboolean(obj); #endif /* HAVE_GEOIP */ /* @@ -5669,6 +5701,16 @@ load_configuration(const char *filename, ns_server_t *server, INSIST(result == ISC_R_SUCCESS); dns_zonemgr_settransfersperns(server->zonemgr, cfg_obj_asuint32(obj)); + obj = NULL; + result = ns_config_get(maps, "notify-rate", &obj); + INSIST(result == ISC_R_SUCCESS); + dns_zonemgr_setnotifyrate(server->zonemgr, cfg_obj_asuint32(obj)); + + obj = NULL; + result = ns_config_get(maps, "startup-notify-rate", &obj); + INSIST(result == ISC_R_SUCCESS); + dns_zonemgr_setstartupnotifyrate(server->zonemgr, cfg_obj_asuint32(obj)); + obj = NULL; result = ns_config_get(maps, "serial-query-rate", &obj); INSIST(result == ISC_R_SUCCESS); @@ -7646,6 +7688,8 @@ dumpdone(void *arg, isc_result_t result) { dns_adb_dump(dctx->view->view->adb, dctx->fp); dns_resolver_printbadcache(dctx->view->view->resolver, dctx->fp); + dns_badcache_print(dctx->view->view->failcache, + "SERVFAIL cache", dctx->fp); dns_db_detach(&dctx->cache); } if (dctx->dumpzones) { @@ -9910,8 +9954,8 @@ ns_server_nta(ns_server_t *server, char *args, isc_buffer_t *text) { CHECK(result); } - if (ntattl > 86400) { - msg = "NTA lifetime cannot exceed one day"; + if (ntattl > 604800) { + msg = "NTA lifetime cannot exceed one week"; CHECK(ISC_R_RANGE); } @@ -10036,10 +10080,11 @@ ns_server_nta(ns_server_t *server, char *args, isc_buffer_t *text) { isc_buffer_putuint8(text, 0); } - if (msg != NULL) - (void) putstr(text, msg); - cleanup: + if (msg != NULL) { + (void) putstr(text, msg); + (void) putnull(text); + } if (excl) isc_task_endexclusive(server->task); if (ntatable != NULL) diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c index 6e2fe3a3c3..f0584c3ac8 100644 --- a/bin/named/statschannel.c +++ b/bin/named/statschannel.c @@ -242,6 +242,7 @@ init_desc(void) { "SitNoMatch"); SET_NSSTATDESC(sitmatch, "source identity token - match", "SitMatch"); #endif + SET_NSSTATDESC(ecsopt, "EDNS client subnet option recieved", "ECSOpt"); INSIST(i == dns_nsstatscounter_max); /* Initialize resolver statistics */ diff --git a/bin/named/win32/dlz_dlopen_driver.c b/bin/named/win32/dlz_dlopen_driver.c index a12e916661..662ae9a041 100644 --- a/bin/named/win32/dlz_dlopen_driver.c +++ b/bin/named/win32/dlz_dlopen_driver.c @@ -257,7 +257,9 @@ dlopen_dlz_create(const char *dlzname, unsigned int argc, char *argv[], triedload = ISC_TRUE; /* Initialize the lock */ - isc_mutex_init(&cd->lock); + result = isc_mutex_init(&cd->lock); + if (result != ISC_R_SUCCESS) + goto failed; /* Open the library */ cd->dl_handle = LoadLibraryA(cd->dl_path); @@ -268,7 +270,7 @@ dlopen_dlz_create(const char *dlzname, unsigned int argc, char *argv[], "dlz_dlopen failed to open library '%s' - %u", cd->dl_path, error); result = ISC_R_FAILURE; - goto failed; + goto cleanup_lock; } /* Find the symbols */ @@ -288,7 +290,7 @@ dlopen_dlz_create(const char *dlzname, unsigned int argc, char *argv[], { /* We're missing a required symbol */ result = ISC_R_FAILURE; - goto failed; + goto cleanup_lock; } cd->dlz_allowzonexfr = (dlz_dlopen_allowzonexfr_t *) @@ -324,7 +326,7 @@ dlopen_dlz_create(const char *dlzname, unsigned int argc, char *argv[], "requires %d", cd->dl_path, cd->version, DLZ_DLOPEN_VERSION); result = ISC_R_FAILURE; - goto failed; + goto cleanup_lock; } /* @@ -344,12 +346,14 @@ dlopen_dlz_create(const char *dlzname, unsigned int argc, char *argv[], NULL); MAYBE_UNLOCK(cd); if (result != ISC_R_SUCCESS) - goto failed; + goto cleanup_lock; *dbdata = cd; return (ISC_R_SUCCESS); +cleanup_lock: + DESTROYLOCK(&cd->lock); failed: dlopen_log(ISC_LOG_ERROR, "dlz_dlopen of '%s' failed", dlzname); if (cd->dl_path) @@ -390,7 +394,7 @@ dlopen_dlz_destroy(void *driverarg, void *dbdata) { if (cd->dl_handle) FreeLibrary(cd->dl_handle); - (void) isc_mutex_destroy(&cd->lock); + DESTROYLOCK(&cd->lock); mctx = cd->mctx; isc_mem_put(mctx, cd, sizeof(*cd)); diff --git a/bin/nsupdate/nsupdate.html b/bin/nsupdate/nsupdate.html index 36ed7084f6..8649ba9b76 100644 --- a/bin/nsupdate/nsupdate.html +++ b/bin/nsupdate/nsupdate.html @@ -32,7 +32,7 @@

nsupdate [-d] [-D] [[-g] | [-o] | [-l] | [-y [hmac:]keyname:secret] | [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [-T] [-P] [-V] [filename]

-

DESCRIPTION

+

DESCRIPTION

nsupdate is used to submit Dynamic DNS Update requests as defined in RFC 2136 to a name server. @@ -218,7 +218,7 @@

-

INPUT FORMAT

+

INPUT FORMAT

nsupdate reads input from filename @@ -520,7 +520,7 @@

-

EXAMPLES

+

EXAMPLES

The examples below show how nsupdate @@ -574,7 +574,7 @@

-

FILES

+

FILES

/etc/resolv.conf

@@ -597,7 +597,7 @@

-

SEE ALSO

+

SEE ALSO

RFC 2136, RFC 3007, @@ -612,7 +612,7 @@

-

BUGS

+

BUGS

The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library diff --git a/bin/python/Makefile.in b/bin/python/Makefile.in index 40a4de618e..dfb5d59711 100644 --- a/bin/python/Makefile.in +++ b/bin/python/Makefile.in @@ -23,7 +23,7 @@ top_srcdir = @top_srcdir@ PYTHON = @PYTHON@ TARGETS = dnssec-checkds dnssec-coverage -SRCS = dnssec-checkds.py dnssec-coverage.py +PYSRCS = dnssec-checkds.py dnssec-coverage.py MANPAGES = dnssec-checkds.8 dnssec-coverage.8 HTMLPAGES = dnssec-checkds.html dnssec-coverage.html @@ -31,6 +31,14 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES} @BIND9_MAKE_RULES@ +dnssec-checkds: dnssec-checkds.py + cp -f dnssec-checkds.py dnssec-checkds + chmod +x dnssec-checkds + +dnssec-coverage: dnssec-coverage.py + cp -f dnssec-coverage.py dnssec-coverage + chmod +x dnssec-coverage + doc man:: ${MANOBJS} docclean manclean maintainer-clean:: diff --git a/bin/python/dnssec-checkds.html b/bin/python/dnssec-checkds.html index 22986bbc2e..91cecd5f9e 100644 --- a/bin/python/dnssec-checkds.html +++ b/bin/python/dnssec-checkds.html @@ -32,7 +32,7 @@

dnssec-dsfromkey [-l domain] [-f file] [-d dig path] [-D dsfromkey path] {zone}

-

DESCRIPTION

+

DESCRIPTION

dnssec-checkds verifies the correctness of Delegation Signer (DS) or DNSSEC Lookaside Validation (DLV) resource records for keys in a specified @@ -40,7 +40,7 @@

-

OPTIONS

+

OPTIONS

-f file

@@ -69,14 +69,14 @@

-

SEE ALSO

+

SEE ALSO

dnssec-dsfromkey(8), dnssec-keygen(8), dnssec-signzone(8),

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/python/dnssec-coverage.html b/bin/python/dnssec-coverage.html index 632e288724..b3ac5ed874 100644 --- a/bin/python/dnssec-coverage.html +++ b/bin/python/dnssec-coverage.html @@ -32,7 +32,7 @@

dnssec-coverage [-K directory] [-l length] [-f file] [-d DNSKEY TTL] [-m max TTL] [-r interval] [-c compilezone path] [-k] [-z] [zone]

-

DESCRIPTION

+

DESCRIPTION

dnssec-coverage verifies that the DNSSEC keys for a given zone or a set of zones have timing metadata set properly to ensure no future lapses in DNSSEC @@ -60,7 +60,7 @@

-

OPTIONS

+

OPTIONS

-K directory

@@ -174,7 +174,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-checkds(8), dnssec-dsfromkey(8), @@ -183,7 +183,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/rndc/rndc.8 b/bin/rndc/rndc.8 index 8758edd908..201d56b24e 100644 --- a/bin/rndc/rndc.8 +++ b/bin/rndc/rndc.8 @@ -297,12 +297,12 @@ Flushes the server's cache. .PP \fBflushname\fR \fIname\fR [\fIview\fR] .RS 4 -Flushes the given name from the server's DNS cache and, if applicable, from the server's nameserver address database or bad\-server cache. +Flushes the given name from the view's DNS cache and, if applicable, from the view's nameserver address database, bad server cache and SERVFAIL cache. .RE .PP \fBflushtree\fR \fIname\fR [\fIview\fR] .RS 4 -Flushes the given name, and all of its subdomains, from the server's DNS cache, the address database, and the bad server cache. +Flushes the given name, and all of its subdomains, from the view's DNS cache, address database, bad server cache, and SERVFAIL cache. .RE .PP \fBstatus\fR @@ -339,7 +339,7 @@ Sets a DNSSEC negative trust anchor (NTA) for \fBlifetime\fR. The default lifetime is configured in named.conf via the -\fBnta\-lifetime\fR, and defaults to one hour. The lifetime cannot exceed one day. +\fBnta\-lifetime\fR, and defaults to one hour. The lifetime cannot exceed one week. .sp A negative trust anchor selectively disables DNSSEC validation for zones that known to be failing because of misconfiguration rather than an attack. When data to be validated is at or below an active NTA (and above any other configured trust anchors), \fBnamed\fR diff --git a/bin/rndc/rndc.conf.html b/bin/rndc/rndc.conf.html index b79435a368..7e782fc3f4 100644 --- a/bin/rndc/rndc.conf.html +++ b/bin/rndc/rndc.conf.html @@ -32,7 +32,7 @@

rndc.conf

-

DESCRIPTION

+

DESCRIPTION

rndc.conf is the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to @@ -118,7 +118,7 @@

-

EXAMPLE

+

EXAMPLE

       options {
         default-server  localhost;
@@ -192,7 +192,7 @@
-

NAME SERVER CONFIGURATION

+

NAME SERVER CONFIGURATION

The name server must be configured to accept rndc connections and to recognize the key specified in the rndc.conf @@ -202,7 +202,7 @@

-

SEE ALSO

+

SEE ALSO

rndc(8), rndc-confgen(8), mmencode(1), @@ -210,7 +210,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/rndc/rndc.docbook b/bin/rndc/rndc.docbook index b26f765ff4..a78f35804a 100644 --- a/bin/rndc/rndc.docbook +++ b/bin/rndc/rndc.docbook @@ -540,9 +540,9 @@ flushname name view - Flushes the given name from the server's DNS cache - and, if applicable, from the server's nameserver address - database or bad-server cache. + Flushes the given name from the view's DNS cache + and, if applicable, from the view's nameserver address + database, bad server cache and SERVFAIL cache. @@ -552,8 +552,8 @@ Flushes the given name, and all of its subdomains, - from the server's DNS cache, the address database, - and the bad server cache. + from the view's DNS cache, address database, + bad server cache, and SERVFAIL cache. @@ -608,7 +608,7 @@ . The default lifetime is configured in named.conf via the , and defaults to - one hour. The lifetime cannot exceed one day. + one hour. The lifetime cannot exceed one week. A negative trust anchor selectively disables diff --git a/bin/rndc/rndc.html b/bin/rndc/rndc.html index 263b4063cb..d76d39dc32 100644 --- a/bin/rndc/rndc.html +++ b/bin/rndc/rndc.html @@ -32,7 +32,7 @@

rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-q] [-V] [-y key_id] {command}

-

DESCRIPTION

+

DESCRIPTION

rndc controls the operation of a name server. It supersedes the ndc utility @@ -63,7 +63,7 @@

-

OPTIONS

+

OPTIONS

-b source-address

@@ -134,7 +134,7 @@

-

COMMANDS

+

COMMANDS

A list of commands supported by rndc can be seen by running rndc without arguments. @@ -353,15 +353,15 @@

flushname name [view]

- Flushes the given name from the server's DNS cache - and, if applicable, from the server's nameserver address - database or bad-server cache. + Flushes the given name from the view's DNS cache + and, if applicable, from the view's nameserver address + database, bad server cache and SERVFAIL cache.

flushtree name [view]

Flushes the given name, and all of its subdomains, - from the server's DNS cache, the address database, - and the bad server cache. + from the view's DNS cache, address database, + bad server cache, and SERVFAIL cache.

status

@@ -397,7 +397,7 @@ lifetime. The default lifetime is configured in <file>named.conf</file> via the nta-lifetime, and defaults to - one hour. The lifetime cannot exceed one day. + one hour. The lifetime cannot exceed one week.

A negative trust anchor selectively disables @@ -581,7 +581,7 @@

-

LIMITATIONS

+

LIMITATIONS

There is currently no way to provide the shared secret for a key_id without using the configuration file. @@ -591,7 +591,7 @@

-

SEE ALSO

+

SEE ALSO

rndc.conf(5), rndc-confgen(8), named(8), @@ -601,7 +601,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/tests/system/Makefile.in b/bin/tests/system/Makefile.in index 9202b8732c..a4ce2fd1e9 100644 --- a/bin/tests/system/Makefile.in +++ b/bin/tests/system/Makefile.in @@ -21,7 +21,8 @@ top_srcdir = @top_srcdir@ @BIND9_MAKE_INCLUDES@ -SUBDIRS = dlzexternal filter-aaaa geoip lwresd rpz rsabigexponent tkey tsiggss +SUBDIRS = builtin dlzexternal filter-aaaa geoip lwresd resolver rpz \ + rsabigexponent tkey tsiggss TARGETS = @BIND9_MAKE_RULES@ diff --git a/bin/tests/system/acl/ns2/named6.conf b/bin/tests/system/acl/ns2/named6.conf new file mode 100644 index 0000000000..1a5cd8dfad --- /dev/null +++ b/bin/tests/system/acl/ns2/named6.conf @@ -0,0 +1,50 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +controls { /* empty */ }; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + ixfr-from-differences yes; + check-integrity no; + allow-query-on { 10.53.0.2; }; +}; + +include "../../common/controls.conf"; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "example" { + type master; + file "example.db"; +}; + +zone "tsigzone" { + type master; + file "tsigzone.db"; + allow-transfer { ecs 10.53/16; !10/8; }; +}; diff --git a/bin/tests/system/acl/ns2/named7.conf b/bin/tests/system/acl/ns2/named7.conf new file mode 100644 index 0000000000..1adb71b4b8 --- /dev/null +++ b/bin/tests/system/acl/ns2/named7.conf @@ -0,0 +1,60 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +controls { /* empty */ }; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + ixfr-from-differences yes; + check-integrity no; + allow-query-on { 10.53.0.2; }; +}; + +include "../../common/controls.conf"; + +view one { + match-clients { ecs 192.0.2/24; }; + + zone "." { + type hint; + file "../../common/root.hint"; + }; + + zone "example" { + type master; + file "example.db"; + }; +}; + +view two { + zone "." { + type hint; + file "../../common/root.hint"; + }; + + zone "example" { + type master; + file "example.db"; + }; +}; diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh index b74c0c9f9f..27efd5cde8 100644 --- a/bin/tests/system/acl/tests.sh +++ b/bin/tests/system/acl/tests.sh @@ -150,5 +150,35 @@ $DIG +tcp soa example. \ @10.53.0.2 -b 10.53.0.3 -p 5300 > dig.out.${t} grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; } +echo "I:testing EDNS client-subnet ACL processing" +cp -f ns2/named6.conf ns2/named.conf +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' +sleep 5 + +# should fail +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 10.53.0.2 axfr -p 5300 > dig.out.${t} +grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; } + +# should succeed +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 10.53.0.2 +subnet="10.53.0/24" axfr -p 5300 > dig.out.${t} +grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; } + +echo "I:testing EDNS client-subnet response scope" +cp -f ns2/named7.conf ns2/named.conf +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' +sleep 5 + +t=`expr $t + 1` +$DIG example. soa @10.53.0.2 +subnet="10.53.0.1/32" -p 5300 > dig.out.${t} +grep "CLIENT-SUBNET.*10.53.0.1/32/0" dig.out.${t} > /dev/null || { echo "I:test $t failed" ; status=1; } + +t=`expr $t + 1` +$DIG example. soa @10.53.0.2 +subnet="192.0.2.128/32" -p 5300 > dig.out.${t} +grep "CLIENT-SUBNET.*192.0.2.128/32/24" dig.out.${t} > /dev/null || { echo "I:test $t failed" ; status=1; } + echo "I:exit status: $status" exit $status diff --git a/bin/tests/system/builtin/Makefile.in b/bin/tests/system/builtin/Makefile.in new file mode 100644 index 0000000000..cafaa8c449 --- /dev/null +++ b/bin/tests/system/builtin/Makefile.in @@ -0,0 +1,56 @@ +# Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id$ + + +srcdir = @srcdir@ +VPATH = @srcdir@ +top_srcdir = @top_srcdir@ + +@BIND9_VERSION@ + +@BIND9_MAKE_INCLUDES@ + +CINCLUDES = ${ISC_INCLUDES} + +CDEFINES = +CWARNINGS = + +DNSLIBS = +ISCLIBS = + +DNSDEPLIBS = +ISCDEPLIBS = + +DEPLIBS = + +LIBS = @LIBS@ + +TARGETS = gethostname@EXEEXT@ + +SRCS = gethostname.c + +OBJS = gethostname.@O@ + +@BIND9_MAKE_RULES@ + +all: gethostname@EXEEXT@ + +gethostname@EXEEXT@: ${OBJS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${OBJS} ${LIBS} + +clean distclean:: + rm -f ${TARGETS} + diff --git a/bin/tests/system/builtin/clean.sh b/bin/tests/system/builtin/clean.sh new file mode 100644 index 0000000000..352d096aa3 --- /dev/null +++ b/bin/tests/system/builtin/clean.sh @@ -0,0 +1,20 @@ +#!/bin/sh +# +# Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +rm -f ns?/named.run +rm -f ns?/named.memstats +rm -f rndc.status.ns* +rm -f dig.out.ns* diff --git a/bin/tests/system/builtin/gethostname.c b/bin/tests/system/builtin/gethostname.c new file mode 100644 index 0000000000..201fdc7ebc --- /dev/null +++ b/bin/tests/system/builtin/gethostname.c @@ -0,0 +1,48 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +#include + +#include +#include +#include + +#include + +#ifndef MAXHOSTNAMELEN +#ifdef HOST_NAME_MAX +#define MAXHOSTNAMELEN HOST_NAME_MAX +#else +#define MAXHOSTNAMELEN 256 +#endif +#endif + +int +main(int argc, char **argv) { + char hostname[MAXHOSTNAMELEN]; + int n; + + UNUSED(argc); + UNUSED(argv); + + n = gethostname(hostname, sizeof(hostname)); + if (n == -1) { + perror("gethostname"); + exit(1); + } + fprintf(stdout, "%s\n", hostname); + return (0); +} diff --git a/bin/tests/system/builtin/ns2/named.conf b/bin/tests/system/builtin/ns2/named.conf new file mode 100644 index 0000000000..49feac5388 --- /dev/null +++ b/bin/tests/system/builtin/ns2/named.conf @@ -0,0 +1,34 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: named.conf,v 1.3 2011/08/09 04:12:25 tbox Exp $ */ + +include "../../common/rndc.key"; + +controls { inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; }; }; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion yes; + notify no; + server-id hostname; +}; diff --git a/bin/tests/system/builtin/ns3/named.conf b/bin/tests/system/builtin/ns3/named.conf new file mode 100644 index 0000000000..30e21d4ce0 --- /dev/null +++ b/bin/tests/system/builtin/ns3/named.conf @@ -0,0 +1,36 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: named.conf,v 1.3 2011/08/09 04:12:25 tbox Exp $ */ + +include "../../common/rndc.key"; + +controls { inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; }; }; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion yes; + notify no; + hostname "this.is.a.test.of.hostname"; + server-id "this.is.a.test.of.server-id"; + version "this is a test of version"; +}; diff --git a/bin/tests/system/builtin/tests.sh b/bin/tests/system/builtin/tests.sh index ae5607f6ea..3f6185b3b6 100644 --- a/bin/tests/system/builtin/tests.sh +++ b/bin/tests/system/builtin/tests.sh @@ -1,4 +1,4 @@ -# Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2011, 2012, 2014 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above @@ -39,4 +39,85 @@ sleep 1 grep "zone serial (0) unchanged." ns1/named.run > /dev/null && ret=1 if [ $ret != 0 ] ; then echo I:failed; status=`expr $status + $ret`; fi +VERSION=`../../../../isc-config.sh --version | cut -d = -f 2` +HOSTNAME=`./gethostname` + +n=`expr $n + 1` +ret=0 +echo "I:Checking that default version works for rndc ($n)" +$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 status > rndc.status.ns1.$n 2>&1 +grep "^version: $VERSION " rndc.status.ns1.$n > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo I:failed; status=`expr $status + $ret`; fi + +n=`expr $n + 1` +ret=0 +echo "I:Checking that custom version works for rndc ($n)" +$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > rndc.status.ns3.$n 2>&1 +grep "^version: $VERSION (this is a test of version) " rndc.status.ns3.$n > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo I:failed; status=`expr $status + $ret`; fi + +n=`expr $n + 1` +ret=0 +echo "I:Checking that default version works for query ($n)" +$DIG +short version.bind txt ch @10.53.0.1 -p 5300 > dig.out.ns1.$n +grep "^\"$VERSION\"$" dig.out.ns1.$n > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo I:failed; status=`expr $status + $ret`; fi + +n=`expr $n + 1` +ret=0 +echo "I:Checking that custom version works for query ($n)" +$DIG +short version.bind txt ch @10.53.0.3 -p 5300 > dig.out.ns3.$n +grep "^\"this is a test of version\"$" dig.out.ns3.$n > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo I:failed; status=`expr $status + $ret`; fi + +n=`expr $n + 1` +ret=0 +echo "I:Checking that default hostname works for query ($n)" +$DIG +short hostname.bind txt ch @10.53.0.1 -p 5300 > dig.out.ns1.$n +grep "^\"$HOSTNAME\"$" dig.out.ns1.$n > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo I:failed; status=`expr $status + $ret`; fi + +n=`expr $n + 1` +ret=0 +echo "I:Checking that custom hostname works for query ($n)" +$DIG +short hostname.bind txt ch @10.53.0.3 -p 5300 > dig.out.ns3.$n +grep "^\"this.is.a.test.of.hostname\"$" dig.out.ns3.$n > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo I:failed; status=`expr $status + $ret`; fi + +n=`expr $n + 1` +ret=0 +echo "I:Checking that default server-id is none for query ($n)" +$DIG id.server txt ch @10.53.0.1 -p 5300 > dig.out.ns1.$n +grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns1.$n > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo I:failed; status=`expr $status + $ret`; fi + +n=`expr $n + 1` +ret=0 +echo "I:Checking that server-id hostname works for query ($n)" +$DIG +short id.server txt ch @10.53.0.2 -p 5300 > dig.out.ns2.$n +grep "^\"$HOSTNAME\"$" dig.out.ns2.$n > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo I:failed; status=`expr $status + $ret`; fi + +n=`expr $n + 1` +ret=0 +echo "I:Checking that server-id hostname works for EDNS name server ID request ($n)" +$DIG +norec +nsid foo @10.53.0.2 -p 5300 > dig.out.ns2.$n +grep "^; NSID: .* (\"$HOSTNAME\")$" dig.out.ns2.$n > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo I:failed; status=`expr $status + $ret`; fi + +n=`expr $n + 1` +ret=0 +echo "I:Checking that custom server-id works for query ($n)" +$DIG +short id.server txt ch @10.53.0.3 -p 5300 > dig.out.ns3.$n +grep "^\"this.is.a.test.of.server-id\"$" dig.out.ns3.$n > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo I:failed; status=`expr $status + $ret`; fi + +n=`expr $n + 1` +ret=0 +echo "I:Checking that custom server-id works for EDNS name server ID request ($n)" +$DIG +norec +nsid foo @10.53.0.3 -p 5300 > dig.out.ns3.$n +grep "^; NSID: .* (\"this.is.a.test.of.server-id\")$" dig.out.ns3.$n > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo I:failed; status=`expr $status + $ret`; fi + exit $status diff --git a/bin/tests/system/checkconf/bad-sharedwritable1.conf b/bin/tests/system/checkconf/bad-sharedwritable1.conf new file mode 100644 index 0000000000..4997d51a73 --- /dev/null +++ b/bin/tests/system/checkconf/bad-sharedwritable1.conf @@ -0,0 +1,25 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +zone a { + type master; + file "shared.db"; +}; +zone b { + type slave; + file "shared.db"; + masters { 1.2.3.4; }; +}; diff --git a/bin/tests/system/checkconf/bad-sharedwritable2.conf b/bin/tests/system/checkconf/bad-sharedwritable2.conf new file mode 100644 index 0000000000..c9bdc43a63 --- /dev/null +++ b/bin/tests/system/checkconf/bad-sharedwritable2.conf @@ -0,0 +1,26 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +zone a { + type slave; + file "shared.db"; + masters { 1.2.3.4; }; +}; +zone b { + type slave; + file "shared.db"; + masters { 1.2.3.4; }; +}; diff --git a/bin/tests/system/checkconf/check-dup-records-fail.conf b/bin/tests/system/checkconf/check-dup-records-fail.conf new file mode 100644 index 0000000000..6dd363a0e1 --- /dev/null +++ b/bin/tests/system/checkconf/check-dup-records-fail.conf @@ -0,0 +1,26 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +options { + check-integrity yes; // default is yes +}; + +zone "check-dup-records" { + type master; + file "check-dup-records.db"; + check-dup-records fail; +}; + diff --git a/bin/tests/system/checkconf/check-dup-records.db b/bin/tests/system/checkconf/check-dup-records.db new file mode 100644 index 0000000000..9c2669bb63 --- /dev/null +++ b/bin/tests/system/checkconf/check-dup-records.db @@ -0,0 +1,36 @@ +; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +$TTL 600 ; 10 minutes +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 + MX 10 mail + +mail A 10.0.0.1 +ns2 A 10.53.0.2 + +; following records are not de-duplicated +; and will be matched by check-dup-records +duplicate HIP ( 2 200100107B1A74DF365639CC39F1D578 + AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D + rvs.example.com. ) +duplicate HIP ( 2 200100107B1A74DF365639CC39F1D578 + AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D + RVS.example.com. ) diff --git a/bin/tests/system/checkconf/check-mx-cname-fail.conf b/bin/tests/system/checkconf/check-mx-cname-fail.conf new file mode 100644 index 0000000000..600e2a70c8 --- /dev/null +++ b/bin/tests/system/checkconf/check-mx-cname-fail.conf @@ -0,0 +1,25 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +options { + check-integrity yes; // default is yes +}; + +zone "check-mx-cname" { + type master; + file "check-mx-cname.db"; + check-mx-cname fail; +}; diff --git a/bin/tests/system/checkconf/check-mx-cname.db b/bin/tests/system/checkconf/check-mx-cname.db new file mode 100644 index 0000000000..56312ece92 --- /dev/null +++ b/bin/tests/system/checkconf/check-mx-cname.db @@ -0,0 +1,29 @@ +; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +$TTL 600 ; 10 minutes +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 + MX 10 mail + +; MX points to a CNAME which is detected by check-mx-cname +mail CNAME ns2 + +ns2 A 10.53.0.2 diff --git a/bin/tests/system/checkconf/check-mx-fail.conf b/bin/tests/system/checkconf/check-mx-fail.conf new file mode 100644 index 0000000000..750adf16f7 --- /dev/null +++ b/bin/tests/system/checkconf/check-mx-fail.conf @@ -0,0 +1,25 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +options { + check-integrity yes; // default is yes +}; + +zone "check-mx" { + type master; + file "check-mx.db"; + check-mx fail; +}; diff --git a/bin/tests/system/checkconf/check-mx.db b/bin/tests/system/checkconf/check-mx.db new file mode 100644 index 0000000000..d6fa9f49a8 --- /dev/null +++ b/bin/tests/system/checkconf/check-mx.db @@ -0,0 +1,27 @@ +; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +$TTL 600 ; 10 minutes +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 +; MX appears to be an address and will be detected by check-mx + MX 10 10.0.0.1 + +ns2 A 10.53.0.2 diff --git a/bin/tests/system/checkconf/check-names-fail.conf b/bin/tests/system/checkconf/check-names-fail.conf new file mode 100644 index 0000000000..5d31671ac0 --- /dev/null +++ b/bin/tests/system/checkconf/check-names-fail.conf @@ -0,0 +1,25 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +options { + check-integrity yes; // default is yes +}; + +zone "check-names" { + type master; + file "check-names.db"; + check-names fail; +}; diff --git a/bin/tests/system/checkconf/check-names.db b/bin/tests/system/checkconf/check-names.db new file mode 100644 index 0000000000..4a7d687df5 --- /dev/null +++ b/bin/tests/system/checkconf/check-names.db @@ -0,0 +1,31 @@ +; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +$TTL 600 ; 10 minutes +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 + MX 10 mail + +mail A 10.0.0.1 +ns2 A 10.53.0.2 + +; the RDATA of this record contains a name that may be considered +; invalid and will be detected by check-names configuration. +check-names SRV 1 2 3 _underscore diff --git a/bin/tests/system/checkconf/check-srv-cname-fail.conf b/bin/tests/system/checkconf/check-srv-cname-fail.conf new file mode 100644 index 0000000000..f0503b3e83 --- /dev/null +++ b/bin/tests/system/checkconf/check-srv-cname-fail.conf @@ -0,0 +1,25 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +options { + check-integrity yes; // default is yes +}; + +zone "check-srv-cname" { + type master; + file "check-srv-cname.db"; + check-srv-cname fail; +}; diff --git a/bin/tests/system/checkconf/check-srv-cname.db b/bin/tests/system/checkconf/check-srv-cname.db new file mode 100644 index 0000000000..6ed1f4263e --- /dev/null +++ b/bin/tests/system/checkconf/check-srv-cname.db @@ -0,0 +1,31 @@ +; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +$TTL 600 ; 10 minutes +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 + MX 10 mail + +mail A 10.0.0.1 +ns2 A 10.53.0.2 + +check-srv-cname SRV 1 2 3 target +; SRV points to a CNAME which is detected by check-srv-cname configuration +target CNAME mail diff --git a/bin/tests/system/checkconf/clean.sh b/bin/tests/system/checkconf/clean.sh index 772d521d0c..61febd74f5 100644 --- a/bin/tests/system/checkconf/clean.sh +++ b/bin/tests/system/checkconf/clean.sh @@ -16,3 +16,4 @@ rm -f good.conf.in good.conf.out badzero.conf *.out rm -rf test.keydir +rm -f checkconf.out* diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf index be652696b0..d14ccd8580 100644 --- a/bin/tests/system/checkconf/good.conf +++ b/bin/tests/system/checkconf/good.conf @@ -93,7 +93,7 @@ view "second" { }; zone "example1" { type master; - file "yyy"; + file "zzz"; update-policy local; zone-statistics yes; }; diff --git a/bin/tests/system/checkconf/max-ttl.conf b/bin/tests/system/checkconf/max-ttl.conf index 694ad2b518..53ce380063 100644 --- a/bin/tests/system/checkconf/max-ttl.conf +++ b/bin/tests/system/checkconf/max-ttl.conf @@ -35,4 +35,3 @@ zone "maxttl3.example" { file "maxttl-bad.db"; max-zone-ttl 120; }; - diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh index f3d87f0981..4e4f4da701 100644 --- a/bin/tests/system/checkconf/tests.sh +++ b/bin/tests/system/checkconf/tests.sh @@ -191,5 +191,53 @@ $CHECKCONF -z altdlz.conf > /dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi status=`expr $status + $ret` +echo "I: check that check-names fails as configured" +ret=0 +$CHECKCONF -z check-names-fail.conf > checkconf.out1 2>&1 && ret=1 +grep "near '_underscore': bad name (check-names)" checkconf.out1 > /dev/null || ret=1 +grep "zone check-names/IN: loaded serial" < checkconf.out1 > /dev/null && ret=1 +if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi +status=`expr $status + $ret` + +echo "I: check that check-mx fails as configured" +ret=0 +$CHECKCONF -z check-mx-fail.conf > checkconf.out2 2>&1 && ret=1 +grep "near '10.0.0.1': MX is an address" checkconf.out2 > /dev/null || ret=1 +grep "zone check-mx/IN: loaded serial" < checkconf.out2 > /dev/null && ret=1 +if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi +status=`expr $status + $ret` + +echo "I: check that check-dup-records fails as configured" +ret=0 +$CHECKCONF -z check-dup-records-fail.conf > checkconf.out3 2>&1 && ret=1 +grep "has semantically identical records" checkconf.out3 > /dev/null || ret=1 +grep "zone check-dup-records/IN: loaded serial" < checkconf.out3 > /dev/null && ret=1 +if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi +status=`expr $status + $ret` + +echo "I: check that check-mx fails as configured" +ret=0 +$CHECKCONF -z check-mx-fail.conf > checkconf.out4 2>&1 && ret=1 +grep "failed: MX is an address" checkconf.out4 > /dev/null || ret=1 +grep "zone check-mx/IN: loaded serial" < checkconf.out4 > /dev/null && ret=1 +if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi +status=`expr $status + $ret` + +echo "I: check that check-mx-cname fails as configured" +ret=0 +$CHECKCONF -z check-mx-cname-fail.conf > checkconf.out5 2>&1 && ret=1 +grep "MX.* is a CNAME (illegal)" checkconf.out5 > /dev/null || ret=1 +grep "zone check-mx-cname/IN: loaded serial" < checkconf.out5 > /dev/null && ret=1 +if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi +status=`expr $status + $ret` + +echo "I: check that check-srv-cname fails as configured" +ret=0 +$CHECKCONF -z check-srv-cname-fail.conf > checkconf.out6 2>&1 && ret=1 +grep "SRV.* is a CNAME (illegal)" checkconf.out6 > /dev/null || ret=1 +grep "zone check-mx-cname/IN: loaded serial" < checkconf.out6 > /dev/null && ret=1 +if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi +status=`expr $status + $ret` + echo "I:exit status: $status" exit $status diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in index 37786696a0..ae576cc1b6 100644 --- a/bin/tests/system/conf.sh.in +++ b/bin/tests/system/conf.sh.in @@ -66,14 +66,15 @@ RANDFILE=$TOP/bin/tests/system/random.data # v6synth SUBDIRS="acl additional allow_query addzone autosign builtin cacheclean case checkconf @CHECKDS@ checknames checkzone - @COVERAGE@ database dlv dlvauto dlz dlzexternal - dname dns64 dnssec dsdigest dscp ecdsa emptyzones filter-aaaa - formerr forward geoip glue gost ixfr inline limits logfileconfig - lwresd masterfile masterformat metadata notify nslookup nsupdate - pending @PKCS11_TEST@ redirect resolver rndc rpz rrl rrchecker - rrsetorder rsabigexponent sit smartsign sortlist spf staticstub - statistics stub tkey tsig tsiggss unknown upforwd verify - views wildcard xfer xferquota zero zonechecks" + @COVERAGE@ database dlv dlvauto dlz dlzexternal dname dns64 + dnssec dsdigest dscp ecdsa ednscompliance emptyzones + filter-aaaa formerr forward geoip glue gost ixfr inline + limits logfileconfig lwresd masterfile masterformat metadata + notify nslookup nsupdate pending @PKCS11_TEST@ redirect + resolver rndc rpz rrl rrchecker rrsetorder rsabigexponent + sit sfcache smartsign sortlist spf staticstub statistics + stub tkey tsig tsiggss unknown upforwd verify views wildcard + xfer xferquota zero zonechecks" # Use the CONFIG_SHELL detected by configure for tests SHELL=@SHELL@ diff --git a/bin/tests/system/dlzexternal/tests.sh b/bin/tests/system/dlzexternal/tests.sh index d97139c2fc..0f672214de 100644 --- a/bin/tests/system/dlzexternal/tests.sh +++ b/bin/tests/system/dlzexternal/tests.sh @@ -72,6 +72,12 @@ status=`expr $status + $ret` test_update deny.example.nil. TXT "86400 TXT helloworld" "helloworld" should_fail && ret=1 status=`expr $status + $ret` +newtest "I:testing nxrrset" +$DIG $DIGOPTS testdc1.example.nil AAAA > dig.out.$n +grep "status: NOERROR" dig.out.$n > /dev/null || ret=1 +grep "ANSWER: 0" dig.out.$n > /dev/null || ret=1 +status=`expr $status + $ret` + newtest "I:testing prerequisites are checked correctly" cat > ns1/update.txt << EOF server 10.53.0.1 5300 @@ -181,6 +187,13 @@ grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +newtest "I:checking no redirected lookup for nonexistent type" +$DIG $DIGOPTS @10.53.0.1 exists aaaa > dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + newtest "I:checking redirected lookup for a long nonexistent name" $DIG $DIGOPTS @10.53.0.1 long.name.is.not.there a > dig.out.ns1.test$n || ret=1 grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh index 2e20d835d4..d2e381c578 100644 --- a/bin/tests/system/dnssec/clean.sh +++ b/bin/tests/system/dnssec/clean.sh @@ -74,3 +74,6 @@ rm -f ns4/named_dump.db rm -f ns3/badds.example.db rm -f delve.out* rm -f ns7/split-rrsig.db ns7/split-rrsig.db.unsplit +rm -f Kexample.* +rm -f keygen.err +rm -f ns3/future.example.db ns3/trusted-future.key diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in index a9a9937547..36cc88b7b9 100644 --- a/bin/tests/system/dnssec/ns2/example.db.in +++ b/bin/tests/system/dnssec/ns2/example.db.in @@ -151,3 +151,6 @@ NS.LOWER A 10.53.0.3 expiring NS ns.expiring ns.expiring A 10.53.0.3 + +future NS ns.future +ns.future A 10.53.0.3 diff --git a/bin/tests/system/dnssec/ns3/future.example.db.in b/bin/tests/system/dnssec/ns3/future.example.db.in new file mode 100644 index 0000000000..446b89babf --- /dev/null +++ b/bin/tests/system/dnssec/ns3/future.example.db.in @@ -0,0 +1,45 @@ +; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: optout.example.db.in,v 1.3 2008/09/25 04:02:38 tbox Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a A 10.0.0.3 +*.wild A 10.0.0.6 +insecure NS ns.insecure +ns.insecure A 10.53.0.3 +secure NS ns.secure +ns.secure A 10.53.0.3 +nsec3 NS ns.nsec3 +ns.nsec3 A 10.53.0.3 +optout NS ns.optout +ns.optout A 10.53.0.3 +child NS ns2.example. +insecure.empty NS ns.insecure.empty +ns.insecure.empty A 10.53.0.3 +foo.*.empty-wild NS ns diff --git a/bin/tests/system/dnssec/ns3/named.conf b/bin/tests/system/dnssec/ns3/named.conf index ed7cb8df0e..7ae4bf6d4f 100644 --- a/bin/tests/system/dnssec/ns3/named.conf +++ b/bin/tests/system/dnssec/ns3/named.conf @@ -276,6 +276,11 @@ zone "publish-inactive.example" { update-policy local; }; +zone "future.example" { + type master; + file "future.example.db.signed"; +}; + include "siginterval.conf"; include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh index 3b2b250e7c..4dafbf4200 100644 --- a/bin/tests/system/dnssec/ns3/sign.sh +++ b/bin/tests/system/dnssec/ns3/sign.sh @@ -474,3 +474,15 @@ cat $infile $keyname.key >$zonefile $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 sed -e 's/bogus/badds/g' < dsset-bogus.example. > dsset-badds.example. + +# +# A zone with future signatures. +# +zone=future.example +infile=future.example.db.in +zonefile=future.example.db +kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone` +zskname=`$KEYGEN -q -r $RANDFILE $zone` +cat $infile $kskname.key $zskname.key >$zonefile +$SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile # > /dev/null 2>&1 +cp -f $kskname.key trusted-future.key diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 1736fe2079..ab65200677 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -271,7 +271,7 @@ $DIG $DIGOPTS a.wild.optout.example. \ stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n $PERL ../digcomp.pl dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi @@ -1796,7 +1796,7 @@ echo "I:check with bad nta lifetime" $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -l garbage foo > rndc.out.ns4.test$n.2 2>&1 grep "'nta' failed: bad ttl" rndc.out.ns4.test$n.2 > /dev/null || ret=1 echo "I:check with too long nta lifetime" -$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -l 5d23h foo > rndc.out.ns4.test$n.3 2>&1 +$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -l 7d1h foo > rndc.out.ns4.test$n.3 2>&1 grep "'nta' failed: out of range" rndc.out.ns4.test$n.3 > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` @@ -2640,5 +2640,75 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +echo "I:check that 'dnssec-keygen -S' works for all supported algorithms ($n)" +ret=0 +alg=1 +until test $alg = 256 +do + size= + case $alg in + 1) size="-b 512";; + 2) # Diffie Helman + alg=`expr $alg + 1` + continue;; + 3) size="-b 512";; + 5) size="-b 512";; + 6) size="-b 512";; + 7) size="-b 512";; + 8) size="-b 512";; + 10) size="-b 1024";; + 157|160|161|162|163|164|165) # private - non standard + alg=`expr $alg + 1` + continue;; + esac + key1=`$KEYGEN -a $alg $size -n zone -r $RANDFILE example 2> keygen.err` + if grep "unsupported algorithm" keygen.err > /dev/null + then + alg=`expr $alg + 1` + continue + fi + if test -z "$key1" + then + echo "I: '$KEYGEN -a $alg': failed" + cat keygen.err + ret=1 + alg=`expr $alg + 1` + continue + fi + $SETTIME -I now+4d $key1.private > /dev/null + key2=`$KEYGEN -v 10 -r $RANDFILE -i 3d -S $key1.private 2> /dev/null` + test -f $key2.key -a -f $key2.private || { + ret=1 + echo "I: 'dnssec-keygen -S' failed for algorithm: $alg" + } + alg=`expr $alg + 1` +done +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +# +# Test for +sigchase with a null set of trusted keys. +# +$DIG -p 5300 @10.53.0.3 +sigchase +trusted-key=/dev/null > dig.out.ns3.test$n 2>&1 +if grep "Invalid option: +sigchase" dig.out.ns3.test$n > /dev/null +then + echo "I:Skipping 'dig +sigchase' tests" + n=`expr $n + 1` +else + echo "I:checking that 'dig +sigchase' doesn't loop with future inception ($n)" + ret=0 + $DIG -p 5300 @10.53.0.3 dnskey future.example +sigchase \ + +trusted-key=ns3/trusted-future.key > dig.out.ns3.test$n & + pid=$! + sleep 1 + kill -9 $pid 2> /dev/null + wait $pid + grep ";; No DNSKEY is valid to check the RRSIG of the RRset: FAILED" dig.out.ns3.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` + n=`expr $n + 1` +fi + echo "I:exit status: $status" exit $status diff --git a/bin/tests/system/ednscompliance/clean.sh b/bin/tests/system/ednscompliance/clean.sh new file mode 100644 index 0000000000..3c5f50f025 --- /dev/null +++ b/bin/tests/system/ednscompliance/clean.sh @@ -0,0 +1,17 @@ +#!/bin/sh +# +# Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +rm -f dig.out* diff --git a/bin/tests/system/ednscompliance/ns1/named.conf b/bin/tests/system/ednscompliance/ns1/named.conf new file mode 100644 index 0000000000..869e95e3f4 --- /dev/null +++ b/bin/tests/system/ednscompliance/ns1/named.conf @@ -0,0 +1,34 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +controls { /* empty */ }; + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; +}; + +zone "." { + type master; + file "root.db"; +}; + diff --git a/bin/tests/system/ednscompliance/ns1/root.db b/bin/tests/system/ednscompliance/ns1/root.db new file mode 100644 index 0000000000..a44acf16ec --- /dev/null +++ b/bin/tests/system/ednscompliance/ns1/root.db @@ -0,0 +1,24 @@ +; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +$TTL 300 +. IN SOA marka.isc.org. a.root.servers.nil. ( + 2010 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.6 diff --git a/bin/tests/system/ednscompliance/tests.sh b/bin/tests/system/ednscompliance/tests.sh new file mode 100644 index 0000000000..ab958de00c --- /dev/null +++ b/bin/tests/system/ednscompliance/tests.sh @@ -0,0 +1,104 @@ +#!/bin/sh +# +# Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 +n=0 +zone=. + +n=`expr $n + 1` +echo "I:check +edns=100 sets version 100 ($n)" +ret=0 reason= +$DIG -p 5300 @10.53.0.1 +qr +norec +edns=100 soa $zone > dig.out$n +grep "EDNS: version: 100," dig.out$n > /dev/null || { ret=1; reason="version"; } +if [ $ret != 0 ]; then echo "I:failed $reason"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +ret=0 reason= +echo "I:check +ednsopt=100 adds option 100 ($n)" +$DIG -p 5300 @10.53.0.1 +qr +norec +ednsopt=100 soa $zone > dig.out$n +grep "; OPT=100" dig.out$n > /dev/null || { ret=1; reason="option"; } +if [ $ret != 0 ]; then echo "I:failed $reason"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo "I:check +ednsflags=0x80 sets flags to 0080 ($n)" +ret=0 reason= +$DIG -p 5300 @10.53.0.1 +qr +norec +ednsflags=0x80 soa $zone > dig.out$n +grep "MBZ: 0080" dig.out$n > /dev/null || { ret=1; reason="flags"; } +if [ $ret != 0 ]; then echo "I:failed $reason"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo "I:Unknown EDNS version ($n)" +ret=0 reason= +$DIG -p 5300 @10.53.0.1 +norec +edns=100 soa $zone > dig.out$n +grep "status: BADVERS," dig.out$n > /dev/null || { ret=1; reason="status"; } +grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; } +grep "IN.SOA." dig.out$n > /dev/null && { ret=1; reaons="soa"; } +if [ $ret != 0 ]; then echo "I:failed $reason"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo "I:Unknown EDNS option ($n)" +ret=0 reason= +$DIG -p 5300 @10.53.0.1 +norec +ednsopt=100 soa $zone > dig.out$n +grep "status: NOERROR," dig.out$n > /dev/null || { ret=1; reason="status"; } +grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; } +grep "; OPT=100" dig.out$n > /dev/null && { ret=1; reason="option"; } +grep "IN.SOA." dig.out$n > /dev/null || { ret=1; reason="nosoa"; } +if [ $ret != 0 ]; then echo "I:failed $reason"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo "I:Unknown EDNS version + option ($n)" +ret=0 reason= +$DIG -p 5300 @10.53.0.1 +norec +edns=100 +ednsopt=100 soa $zone > dig.out$n +grep "status: BADVERS," dig.out$n > /dev/null || { ret=1; reason="status"; } +grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; } +grep "; OPT=100" dig.out$n > /dev/null && { ret=1; reason="option"; } +grep "IN.SOA." dig.out$n > /dev/null && { ret=1; reason="soa"; } +if [ $ret != 0 ]; then echo "I:failed: $reason"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +echo "I:Unknown EDNS flag ($n)" +ret=0 reason= +$DIG -p 5300 @10.53.0.1 +norec +ednsflags=0x80 soa $zone > dig.out$n +grep "status: NOERROR," dig.out$n > /dev/null || { ret=1; reason="status"; } +grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; } +grep "EDNS:.*MBZ" dig.out$n > /dev/null > /dev/null && { ret=1; reason="mbz"; } +grep ".IN.SOA." dig.out$n > /dev/null || { ret=1; reason="nosoa"; } +if [ $ret != 0 ]; then echo "I:failed $reason"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo "I:Unknown EDNS version + flag ($n)" +ret=0 reason= +$DIG -p 5300 @10.53.0.1 +norec +edns=100 +ednsflags=0x80 soa $zone > dig.out$n +grep "status: BADVERS," dig.out$n > /dev/null || { ret=1; reason="status"; } +grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; } +grep "EDNS:.*MBZ" dig.out$n > /dev/null > /dev/null && { ret=1; reason="mbz"; } +grep "IN.SOA." dig.out$n > /dev/null && { ret=1; reason="soa"; } +if [ $ret != 0 ]; then echo "I:failed $reason"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +echo "I:exit status: $status" +exit $status diff --git a/bin/tests/system/genzone.sh b/bin/tests/system/genzone.sh index 1957aaa2eb..93768d3b3d 100644 --- a/bin/tests/system/genzone.sh +++ b/bin/tests/system/genzone.sh @@ -121,6 +121,9 @@ txt09 TXT foo\010bar txt10 TXT foo\ bar txt11 TXT "\"foo\"" txt12 TXT \"foo\" +txt13 TXT "foo;" +txt14 TXT "foo\;" +txt15 TXT "bar\\;" ; type 17 rp01 RP mbox-dname txt-dname diff --git a/bin/tests/system/geoip/clean.sh b/bin/tests/system/geoip/clean.sh index 22d5e74466..6fa60e3e93 100644 --- a/bin/tests/system/geoip/clean.sh +++ b/bin/tests/system/geoip/clean.sh @@ -15,5 +15,5 @@ # PERFORMANCE OF THIS SOFTWARE. rm -f ns2/named.conf -rm -f ns2/example[1234567].db +rm -f ns2/example*.db rm -f dig.out.* rndc.out.* diff --git a/bin/tests/system/geoip/data/GeoIP.csv b/bin/tests/system/geoip/data/GeoIP.csv index f158a5b494..8e718540df 100644 --- a/bin/tests/system/geoip/data/GeoIP.csv +++ b/bin/tests/system/geoip/data/GeoIP.csv @@ -5,3 +5,4 @@ 10.53.0.5/32 CL 10.53.0.6/32 DE 10.53.0.7/32 EH +192.0.2/24 O1 diff --git a/bin/tests/system/geoip/data/GeoIP.dat b/bin/tests/system/geoip/data/GeoIP.dat index 027c1757c1..345092f371 100644 Binary files a/bin/tests/system/geoip/data/GeoIP.dat and b/bin/tests/system/geoip/data/GeoIP.dat differ diff --git a/bin/tests/system/geoip/data/README b/bin/tests/system/geoip/data/README index 47a6858f59..cea325b321 100644 --- a/bin/tests/system/geoip/data/README +++ b/bin/tests/system/geoip/data/README @@ -18,8 +18,8 @@ GeoIPDoain.dat: Domain Name GeoIPASNum.dat: AS Number GeoIPNetSpeed.dat: Net Speed -GeoIP.dat can also be generated using the open source 'geoip-csv-to-dat' -utility: +GeoIP.dat can also be egenerated using the open source 'geoip-csv-to-dat' +utility (also known in some packages as "geoip-generator"): $ geoip-csv-to-dat -i "BIND9 geoip test data v1" -o GeoIP.dat << EOF "10.53.0.1","10.53.0.1","171245569","171245569","AU","Australia" @@ -29,4 +29,5 @@ $ geoip-csv-to-dat -i "BIND9 geoip test data v1" -o GeoIP.dat << EOF "10.53.0.5","10.53.0.5","171245573","171245573","CL","Chile" "10.53.0.6","10.53.0.6","171245574","171245574","DE","Germany" "10.53.0.7","10.53.0.7","171245575","171245575","EH","Western Sahara" +"192.0.2.0","192.0.2.255","3221225984","3221226239","O1","Other" EOF diff --git a/bin/tests/system/geoip/ns2/named1.conf b/bin/tests/system/geoip/ns2/named1.conf index 367b5c7fa6..2679b47962 100644 --- a/bin/tests/system/geoip/ns2/named1.conf +++ b/bin/tests/system/geoip/ns2/named1.conf @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2013, 2014 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -95,6 +95,14 @@ view seven { }; }; +view other { + match-clients { geoip db country country O1; }; + zone "example" { + type master; + file "exampleother.db"; + }; +}; + view none { match-clients { any; }; zone "example" { diff --git a/bin/tests/system/geoip/ns2/named10.conf b/bin/tests/system/geoip/ns2/named10.conf index 1ceece41cf..3594f615ab 100644 --- a/bin/tests/system/geoip/ns2/named10.conf +++ b/bin/tests/system/geoip/ns2/named10.conf @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -40,7 +40,7 @@ controls { }; view one { - match-clients { geoip domain one.de; }; + match-clients { geoip asnum "AS100001"; }; zone "example" { type master; file "example1.db"; @@ -48,7 +48,7 @@ view one { }; view two { - match-clients { geoip domain two.com; }; + match-clients { geoip asnum "AS100002"; }; zone "example" { type master; file "example2.db"; @@ -56,7 +56,7 @@ view two { }; view three { - match-clients { geoip domain three.com; }; + match-clients { geoip asnum "AS100003"; }; zone "example" { type master; file "example3.db"; @@ -64,7 +64,7 @@ view three { }; view four { - match-clients { geoip domain four.com; }; + match-clients { geoip asnum "AS100004"; }; zone "example" { type master; file "example4.db"; @@ -72,7 +72,7 @@ view four { }; view five { - match-clients { geoip domain five.es; }; + match-clients { geoip asnum "AS100005"; }; zone "example" { type master; file "example5.db"; @@ -80,7 +80,7 @@ view five { }; view six { - match-clients { geoip domain six.it; }; + match-clients { geoip asnum "AS100006"; }; zone "example" { type master; file "example6.db"; @@ -88,7 +88,7 @@ view six { }; view seven { - match-clients { geoip domain seven.org; }; + match-clients { geoip asnum "AS100007"; }; zone "example" { type master; file "example7.db"; diff --git a/bin/tests/system/geoip/ns2/named11.conf b/bin/tests/system/geoip/ns2/named11.conf index 85c0d32c34..7770619205 100644 --- a/bin/tests/system/geoip/ns2/named11.conf +++ b/bin/tests/system/geoip/ns2/named11.conf @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2013, 2014 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -40,7 +40,7 @@ controls { }; view one { - match-clients { geoip netspeed 0; }; + match-clients { geoip domain one.de; }; zone "example" { type master; file "example1.db"; @@ -48,7 +48,7 @@ view one { }; view two { - match-clients { geoip netspeed 1; }; + match-clients { geoip domain two.com; }; zone "example" { type master; file "example2.db"; @@ -56,7 +56,7 @@ view two { }; view three { - match-clients { geoip netspeed 2; }; + match-clients { geoip domain three.com; }; zone "example" { type master; file "example3.db"; @@ -64,13 +64,37 @@ view three { }; view four { - match-clients { geoip netspeed 3; }; + match-clients { geoip domain four.com; }; zone "example" { type master; file "example4.db"; }; }; +view five { + match-clients { geoip domain five.es; }; + zone "example" { + type master; + file "example5.db"; + }; +}; + +view six { + match-clients { geoip domain six.it; }; + zone "example" { + type master; + file "example6.db"; + }; +}; + +view seven { + match-clients { geoip domain seven.org; }; + zone "example" { + type master; + file "example7.db"; + }; +}; + view none { match-clients { any; }; zone "example" { diff --git a/bin/tests/system/geoip/ns2/named12.conf b/bin/tests/system/geoip/ns2/named12.conf index a650a635d2..a5025022a9 100644 --- a/bin/tests/system/geoip/ns2/named12.conf +++ b/bin/tests/system/geoip/ns2/named12.conf @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2013, 2014 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -18,10 +18,6 @@ controls { /* empty */ }; -acl blocking { - geoip db country country AU; -}; - options { query-source address 10.53.0.2; notify-source 10.53.0.2; @@ -32,7 +28,6 @@ options { listen-on-v6 { none; }; recursion no; geoip-directory "../data"; - blackhole { blocking; }; }; key rndc_key { @@ -43,3 +38,43 @@ key rndc_key { controls { inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; }; }; + +view one { + match-clients { geoip netspeed 0; }; + zone "example" { + type master; + file "example1.db"; + }; +}; + +view two { + match-clients { geoip netspeed 1; }; + zone "example" { + type master; + file "example2.db"; + }; +}; + +view three { + match-clients { geoip netspeed 2; }; + zone "example" { + type master; + file "example3.db"; + }; +}; + +view four { + match-clients { geoip netspeed 3; }; + zone "example" { + type master; + file "example4.db"; + }; +}; + +view none { + match-clients { any; }; + zone "example" { + type master; + file "example.db.in"; + }; +}; diff --git a/bin/tests/system/geoip/ns2/named13.conf b/bin/tests/system/geoip/ns2/named13.conf index f92d25216c..a650a635d2 100644 --- a/bin/tests/system/geoip/ns2/named13.conf +++ b/bin/tests/system/geoip/ns2/named13.conf @@ -18,6 +18,10 @@ controls { /* empty */ }; +acl blocking { + geoip db country country AU; +}; + options { query-source address 10.53.0.2; notify-source 10.53.0.2; @@ -28,6 +32,7 @@ options { listen-on-v6 { none; }; recursion no; geoip-directory "../data"; + blackhole { blocking; }; }; key rndc_key { @@ -38,75 +43,3 @@ key rndc_key { controls { inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; }; }; - -acl gAU { geoip db country country AU; }; -acl gUS { geoip db country country US; }; -acl gGB { geoip db country country GB; }; -acl gCA { geoip db country country CA; }; -acl gCL { geoip db country country CL; }; -acl gDE { geoip db country country DE; }; -acl gEH { geoip db country country EH; }; - -view one { - match-clients { gAU; }; - zone "example" { - type master; - file "example1.db"; - }; -}; - -view two { - match-clients { gUS; }; - zone "example" { - type master; - file "example2.db"; - }; -}; - -view three { - match-clients { gGB; }; - zone "example" { - type master; - file "example3.db"; - }; -}; - -view four { - match-clients { gCA; }; - zone "example" { - type master; - file "example4.db"; - }; -}; - -view five { - match-clients { gCL; }; - zone "example" { - type master; - file "example5.db"; - }; -}; - -view six { - match-clients { gDE; }; - zone "example" { - type master; - file "example6.db"; - }; -}; - -view seven { - match-clients { gEH; }; - zone "example" { - type master; - file "example7.db"; - }; -}; - -view none { - match-clients { any; }; - zone "example" { - type master; - file "example.db.in"; - }; -}; diff --git a/bin/tests/system/geoip/ns2/named14.conf b/bin/tests/system/geoip/ns2/named14.conf new file mode 100644 index 0000000000..10c6d9becb --- /dev/null +++ b/bin/tests/system/geoip/ns2/named14.conf @@ -0,0 +1,113 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +// NS2 + +controls { /* empty */ }; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port 5300; + pid-file "named.pid"; + listen-on { 127.0.0.1; 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + geoip-directory "../data"; + geoip-use-ecs no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; }; +}; + +acl gAU { geoip db country country AU; }; +acl gUS { geoip db country country US; }; +acl gGB { geoip db country country GB; }; +acl gCA { geoip db country country CA; }; +acl gCL { geoip db country country CL; }; +acl gDE { geoip db country country DE; }; +acl gEH { geoip db country country EH; }; + +view one { + match-clients { gAU; }; + zone "example" { + type master; + file "example1.db"; + }; +}; + +view two { + match-clients { gUS; }; + zone "example" { + type master; + file "example2.db"; + }; +}; + +view three { + match-clients { gGB; }; + zone "example" { + type master; + file "example3.db"; + }; +}; + +view four { + match-clients { gCA; }; + zone "example" { + type master; + file "example4.db"; + }; +}; + +view five { + match-clients { gCL; }; + zone "example" { + type master; + file "example5.db"; + }; +}; + +view six { + match-clients { gDE; }; + zone "example" { + type master; + file "example6.db"; + }; +}; + +view seven { + match-clients { gEH; }; + zone "example" { + type master; + file "example7.db"; + }; +}; + +view none { + match-clients { any; }; + zone "example" { + type master; + file "examplebogus.db"; + }; +}; diff --git a/bin/tests/system/geoip/setup.sh b/bin/tests/system/geoip/setup.sh index 5de40eb6ef..2aaeaca15f 100644 --- a/bin/tests/system/geoip/setup.sh +++ b/bin/tests/system/geoip/setup.sh @@ -21,7 +21,7 @@ $SHELL clean.sh cp ns2/named1.conf ns2/named.conf -for i in 1 2 3 4 5 6 7; do +for i in 1 2 3 4 5 6 7 other bogus; do cp ns2/example.db.in ns2/example${i}.db echo "@ IN TXT \"$i\"" >> ns2/example$i.db done diff --git a/bin/tests/system/geoip/tests.sh b/bin/tests/system/geoip/tests.sh index e7ab56a57b..19d05ce66f 100644 --- a/bin/tests/system/geoip/tests.sh +++ b/bin/tests/system/geoip/tests.sh @@ -38,6 +38,30 @@ done [ $ret -eq 0 ] || echo "I:failed" status=`expr $status + $ret` +n=`expr $n + 1` +echo "I:checking GeoIP country database by code (using client subnet) ($n)" +ret=0 +lret=0 +for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/0" > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break +done +[ $lret -eq 1 ] && ret=1 +[ $ret -eq 0 ] || echo "I:failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo "I:checking response scope using client subnet ($n)" +ret=0 +$DIG +tcp -p5300 @10.53.0.2 txt example -b 127.0.0.1 +subnet="10.53.0.1/32" > dig.out.ns2.test$n.1 || ret=1 +grep 'CLIENT-SUBNET.*10.53.0.1/32/32' dig.out.ns2.test$n.1 > /dev/null || ret=1 +$DIG +tcp -p5300 @10.53.0.2 txt example -b 127.0.0.1 +subnet="192.0.2.64/32" > dig.out.ns2.test$n.2 || ret=1 +grep 'CLIENT-SUBNET.*192.0.2.64/32/24' dig.out.ns2.test$n.2 > /dev/null || ret=1 +[ $ret -eq 0 ] || echo "I:failed" +status=`expr $status + $ret` + echo "I:reloading server" cp -f ns2/named2.conf ns2/named.conf $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' @@ -115,6 +139,21 @@ done [ $ret -eq 0 ] || echo "I:failed" status=`expr $status + $ret` +n=`expr $n + 1` +echo "I:checking GeoIP region database (using client subnet) ($n)" +ret=0 +lret=0 +for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break +done +[ $lret -eq 1 ] && ret=1 +[ $ret -eq 0 ] || echo "I:failed" +status=`expr $status + $ret` + + echo "I:reloading server" cp -f ns2/named6.conf ns2/named.conf $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' @@ -134,6 +173,20 @@ done [ $ret -eq 0 ] || echo "I:failed" status=`expr $status + $ret` +n=`expr $n + 1` +echo "I:checking GeoIP city database (using client subnet) ($n)" +ret=0 +lret=0 +for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break +done +[ $lret -eq 1 ] && ret=1 +[ $ret -eq 0 ] || echo "I:failed" +status=`expr $status + $ret` + echo "I:reloading server" cp -f ns2/named7.conf ns2/named.conf $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' @@ -153,6 +206,20 @@ done [ $ret -eq 0 ] || echo "I:failed" status=`expr $status + $ret` +n=`expr $n + 1` +echo "I:checking GeoIP isp database (using client subnet) ($n)" +ret=0 +lret=0 +for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break +done +[ $lret -eq 1 ] && ret=1 +[ $ret -eq 0 ] || echo "I:failed" +status=`expr $status + $ret` + echo "I:reloading server" cp -f ns2/named8.conf ns2/named.conf $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' @@ -172,6 +239,20 @@ done [ $ret -eq 0 ] || echo "I:failed" status=`expr $status + $ret` +n=`expr $n + 1` +echo "I:checking GeoIP org database (using client subnet) ($n)" +ret=0 +lret=0 +for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break +done +[ $lret -eq 1 ] && ret=1 +[ $ret -eq 0 ] || echo "I:failed" +status=`expr $status + $ret` + echo "I:reloading server" cp -f ns2/named9.conf ns2/named.conf $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' @@ -191,11 +272,58 @@ done [ $ret -eq 0 ] || echo "I:failed" status=`expr $status + $ret` +n=`expr $n + 1` +echo "I:checking GeoIP asnum database (using client subnet) ($n)" +ret=0 +lret=0 +for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break +done +[ $lret -eq 1 ] && ret=1 +[ $ret -eq 0 ] || echo "I:failed" +status=`expr $status + $ret` + echo "I:reloading server" cp -f ns2/named10.conf ns2/named.conf $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' sleep 3 +n=`expr $n + 1` +echo "I:checking GeoIP asnum database - ASNNNN only ($n)" +ret=0 +lret=0 +for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break +done +[ $lret -eq 1 ] && ret=1 +[ $ret -eq 0 ] || echo "I:failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo "I:checking GeoIP domain database (using client subnet) ($n)" +ret=0 +lret=0 +for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break +done +[ $lret -eq 1 ] && ret=1 +[ $ret -eq 0 ] || echo "I:failed" +status=`expr $status + $ret` + +echo "I:reloading server" +cp -f ns2/named11.conf ns2/named.conf +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' +sleep 3 + n=`expr $n + 1` echo "I:checking GeoIP domain database ($n)" ret=0 @@ -211,7 +339,7 @@ done status=`expr $status + $ret` echo "I:reloading server" -cp -f ns2/named11.conf ns2/named.conf +cp -f ns2/named12.conf ns2/named.conf $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' sleep 3 @@ -229,8 +357,22 @@ done [ $ret -eq 0 ] || echo "I:failed" status=`expr $status + $ret` +n=`expr $n + 1` +echo "I:checking GeoIP netspeed database (using client subnet) ($n)" +ret=0 +lret=0 +for i in 1 2 3 4; do + $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break +done +[ $lret -eq 1 ] && ret=1 +[ $ret -eq 0 ] || echo "I:failed" +status=`expr $status + $ret` + echo "I:reloading server" -cp -f ns2/named12.conf ns2/named.conf +cp -f ns2/named13.conf ns2/named.conf $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' sleep 3 @@ -243,7 +385,7 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 status 2>&1 > rndc.out.ns2.tes status=`expr $status + $ret` echo "I:reloading server" -cp -f ns2/named13.conf ns2/named.conf +cp -f ns2/named14.conf ns2/named.conf $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' sleep 3 @@ -261,5 +403,29 @@ done [ $ret -eq 0 ] || echo "I:failed" status=`expr $status + $ret` +echo "I:reloading server" +cp -f ns2/named14.conf ns2/named.conf +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' +sleep 3 + +n=`expr $n + 1` +echo "I:checking geoip-use-ecs ($n)" +ret=0 +lret=0 +for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break + + $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.ecs.$i || lret=1 + j=`cat dig.out.ns2.test$n.ecs.$i | tr -d '"'` + [ "$j" = "bogus" ] || lret=1 + [ $lret -eq 1 ] && break +done +[ $lret -eq 1 ] && ret=1 +[ $ret -eq 0 ] || echo "I:failed" +status=`expr $status + $ret` + echo "I:exit status: $status" exit $status diff --git a/bin/tests/system/inline/clean.sh b/bin/tests/system/inline/clean.sh index b6861d2fd9..49eb0923ed 100644 --- a/bin/tests/system/inline/clean.sh +++ b/bin/tests/system/inline/clean.sh @@ -25,6 +25,8 @@ rm -f ns2/bits.db.jnl rm -f ns1/signer.out rm -f ns2/retransfer.db rm -f ns2/retransfer.db.jnl +rm -f ns2/retransfer3.db +rm -f ns2/retransfer3.db.jnl rm -f ns3/K* rm -f ns3/bits.bk rm -f ns3/bits.bk.jnl diff --git a/bin/tests/system/inline/ns2/named.conf b/bin/tests/system/inline/ns2/named.conf index c7e8d47bc4..538ff436fe 100644 --- a/bin/tests/system/inline/ns2/named.conf +++ b/bin/tests/system/inline/ns2/named.conf @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2011-2014 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -51,7 +51,7 @@ zone "retransfer" { zone "retransfer3" { type master; - file "retransfer.db"; + file "retransfer3.db"; allow-update { any; }; notify no; }; diff --git a/bin/tests/system/inline/ns5/named.conf.post b/bin/tests/system/inline/ns5/named.conf.post index 9f19fec9c8..adfe861c17 100644 --- a/bin/tests/system/inline/ns5/named.conf.post +++ b/bin/tests/system/inline/ns5/named.conf.post @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2011, 2014 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf.post,v 1.2 2011/10/12 00:10:19 marka Exp $ */ +/* $Id$ */ // NS5 @@ -33,6 +33,7 @@ options { recursion no; notify yes; notify-delay 0; + servfail-ttl 0; }; zone "bits" { diff --git a/bin/tests/system/inline/setup.sh b/bin/tests/system/inline/setup.sh index 3a8ac278ee..fbbdb3c0bc 100644 --- a/bin/tests/system/inline/setup.sh +++ b/bin/tests/system/inline/setup.sh @@ -25,6 +25,7 @@ rm -f ns1/root.db.signed touch ns2/trusted.conf cp ns2/bits.db.in ns2/bits.db cp ns2/bits.db.in ns2/retransfer.db +cp ns2/bits.db.in ns2/retransfer3.db rm -f ns2/bits.db.jnl cp ns3/master.db.in ns3/master.db diff --git a/bin/tests/system/inline/tests.sh b/bin/tests/system/inline/tests.sh index f0c96ac955..97e92fefd0 100755 --- a/bin/tests/system/inline/tests.sh +++ b/bin/tests/system/inline/tests.sh @@ -614,6 +614,7 @@ done if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +ret=0 n=`expr $n + 1` echo "I:checking turning on of inline signing in a slave zone via reload ($n)" $DIG $DIGOPTS @10.53.0.5 -p 5300 +dnssec bits SOA > dig.out.ns5.test$n diff --git a/bin/tests/system/notify/clean.sh b/bin/tests/system/notify/clean.sh index 55569f36d3..7fadeefe57 100644 --- a/bin/tests/system/notify/clean.sh +++ b/bin/tests/system/notify/clean.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (C) 2004, 2007, 2011, 2012 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2011, 2012, 2014 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2000, 2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any @@ -15,12 +15,11 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: clean.sh,v 1.14 2011/10/17 23:46:33 tbox Exp $ - # # Clean up after zone transfer tests. # rm -f ns3/example.bk dig.out.ns2.test* dig.out.ns3.test* rm -f ns2/example.db +rm -f log.out rm -f */named.memstats diff --git a/bin/tests/system/notify/ns2/generic.db b/bin/tests/system/notify/ns2/generic.db new file mode 100644 index 0000000000..1fb7e8ae96 --- /dev/null +++ b/bin/tests/system/notify/ns2/generic.db @@ -0,0 +1,28 @@ +; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 1 ; serial + 300 ; refresh (300 seconds) + 300 ; retry (300 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 + NS ns3 +ns2 A 10.53.0.2 +ns3 A 10.53.0.3 + +a A 10.0.0.1 diff --git a/bin/tests/system/notify/ns2/named.conf b/bin/tests/system/notify/ns2/named.conf index 139114639e..1fe1086c63 100644 --- a/bin/tests/system/notify/ns2/named.conf +++ b/bin/tests/system/notify/ns2/named.conf @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2007, 2011 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2007, 2011, 2014 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,8 +15,6 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.23 2011/12/20 00:06:54 marka Exp $ */ - controls { /* empty */ }; options { @@ -29,6 +27,7 @@ options { listen-on-v6 { none; }; recursion no; notify yes; + startup-notify-rate 5; }; zone "." { @@ -42,3 +41,24 @@ zone "example" { // Check that named can handle a empty also-notify. also-notify { /* empty */ }; }; + +zone x1 { type master; file "generic.db"; also-notify { 10.53.0.3; }; }; +zone x2 { type master; file "generic.db"; also-notify { 10.53.0.3; }; }; +zone x3 { type master; file "generic.db"; also-notify { 10.53.0.3; }; }; +zone x4 { type master; file "generic.db"; also-notify { 10.53.0.3; }; }; +zone x5 { type master; file "generic.db"; also-notify { 10.53.0.3; }; }; +zone x6 { type master; file "generic.db"; also-notify { 10.53.0.3; }; }; +zone x7 { type master; file "generic.db"; also-notify { 10.53.0.3; }; }; +zone x8 { type master; file "generic.db"; also-notify { 10.53.0.3; }; }; +zone x9 { type master; file "generic.db"; also-notify { 10.53.0.3; }; }; +zone x10 { type master; file "generic.db"; also-notify { 10.53.0.3; }; }; +zone x11 { type master; file "generic.db"; also-notify { 10.53.0.3; }; }; +zone x12 { type master; file "generic.db"; also-notify { 10.53.0.3; }; }; +zone x13 { type master; file "generic.db"; also-notify { 10.53.0.3; }; }; +zone x14 { type master; file "generic.db"; also-notify { 10.53.0.3; }; }; +zone x15 { type master; file "generic.db"; also-notify { 10.53.0.3; }; }; +zone x16 { type master; file "generic.db"; also-notify { 10.53.0.3; }; }; +zone x17 { type master; file "generic.db"; also-notify { 10.53.0.3; }; }; +zone x18 { type master; file "generic.db"; also-notify { 10.53.0.3; }; }; +zone x19 { type master; file "generic.db"; also-notify { 10.53.0.3; }; }; +zone x20 { type master; file "generic.db"; also-notify { 10.53.0.3; }; }; diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh index d3096741db..1e2d7b8143 100644 --- a/bin/tests/system/notify/tests.sh +++ b/bin/tests/system/notify/tests.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (C) 2004, 2007, 2011-2013 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2011-2014 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2000, 2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any @@ -15,8 +15,6 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.36 2011/10/17 01:33:27 marka Exp $ - SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh @@ -35,6 +33,8 @@ do $DIG +tcp example @10.53.0.3 soa -p 5300 > dig.out.ns3.test$n || ret=1 grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 grep "flags:.* aa[ ;]" dig.out.ns3.test$n > /dev/null || ret=1 + nr=`grep 'x[0-9].*sending notify to' ns2/named.run | wc -l` + [ $nr -eq 20 ] || ret=1 [ $ret = 0 ] && break sleep 1 done @@ -55,6 +55,18 @@ $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n || ret=1 [ $ret = 0 ] || echo "I:failed" status=`expr $ret + $status` +n=`expr $n + 1` +echo "I:checking startup notify rate limit ($n)" +ret=0 +grep 'x[0-9].*sending notify to' ns2/named.run | + sed 's/.*:\([0-9][0-9]\)\..*/\1/' | uniq -c | awk '{print $1}' > log.out +# the notifies should span at least 4 seconds +wc -l log.out | awk '$1 < 4 { exit(1) }' || ret=1 +# ... with no more than 5 in any one second +awk '$1 > 5 { exit(1) }' log.out || ret=1 +[ $ret = 0 ] || echo "I:failed" +status=`expr $ret + $status` + echo "I:reloading with example2 using HUP and waiting 45 seconds" sleep 1 # make sure filesystem time stamp is newer for reload. rm -f ns2/example.db diff --git a/bin/tests/system/nsupdate/clean.sh b/bin/tests/system/nsupdate/clean.sh index 424cdf40c6..d4c1113fa2 100644 --- a/bin/tests/system/nsupdate/clean.sh +++ b/bin/tests/system/nsupdate/clean.sh @@ -36,3 +36,5 @@ rm -f dig.out.* rm -f jp.out.ns3.* rm -f Kxxx.* rm -f typelist.out.* +rm -f ns1/many.test.db ns3/many.test.db.jnl +rm -f ns3/many.test.bk ns3/many.test.bk.jnl diff --git a/bin/tests/system/nsupdate/ns1/many.test.db.in b/bin/tests/system/nsupdate/ns1/many.test.db.in new file mode 100644 index 0000000000..955e95dd48 --- /dev/null +++ b/bin/tests/system/nsupdate/ns1/many.test.db.in @@ -0,0 +1,25 @@ +; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +$ORIGIN . +$TTL 300 ; 5 minutes +many.test IN SOA ns1.example.nil. hostmaster.example.nil. ( + 1 ; serial + 2000 ; refresh (2000 seconds) + 2000 ; retry (2000 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +many.test NS ns1.example.nil. +many.test NS ns2.example.nil. diff --git a/bin/tests/system/nsupdate/ns1/named.conf b/bin/tests/system/nsupdate/ns1/named.conf index f9e3b20d30..4947ccea52 100644 --- a/bin/tests/system/nsupdate/ns1/named.conf +++ b/bin/tests/system/nsupdate/ns1/named.conf @@ -127,3 +127,9 @@ zone "keytests.nil" { grant sha512-key name sha512.keytests.nil. ANY; }; }; + +zone "many.test" { + type master; + allow-update { any; }; + file "many.test.db"; +}; diff --git a/bin/tests/system/nsupdate/ns3/named.conf b/bin/tests/system/nsupdate/ns3/named.conf index 2abd522510..48adcf6180 100644 --- a/bin/tests/system/nsupdate/ns3/named.conf +++ b/bin/tests/system/nsupdate/ns3/named.conf @@ -1,5 +1,5 @@ /* - * Copyright (C) 2010, 2011, 2013 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2010, 2011, 2013, 2014 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -16,7 +16,7 @@ /* $Id: named.conf,v 1.5 2011/02/03 12:18:11 tbox Exp $ */ -// NS1 +// NS3 controls { /* empty */ }; @@ -60,3 +60,10 @@ zone "dnskey.test" { allow-update { any; }; file "dnskey.test.db.signed"; }; + +zone "many.test" { + type slave; + masters { 10.53.0.1; }; + allow-update-forwarding { any; }; + file "many.test.bk"; +}; diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh index e3528dbf7e..eb048976eb 100644 --- a/bin/tests/system/nsupdate/setup.sh +++ b/bin/tests/system/nsupdate/setup.sh @@ -62,3 +62,6 @@ $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha384 -k sha384-key -z keytests.nil > ns1/ $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha512 -k sha512-key -z keytests.nil > ns1/sha512.key (cd ns3; $SHELL -e sign.sh) + +cp -f ns1/many.test.db.in ns1/many.test.db +rm -f ns1/many.test.db.jnl diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh index 7dad50fef3..609088f6e4 100755 --- a/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh @@ -597,5 +597,37 @@ serial=`$DIG +short yyyymmddvv.nil. soa @10.53.0.1 -p 5300 | awk '{print $3}'` | [ "$serial" -eq "$now" ] || ret=1 [ $ret = 0 ] || { echo I:failed; status=1; } +# +# Refactor to use perl to launch the parallel updates. +# +if false +then +n=`expr $n + 1` +echo "I:send many simultaneous updates via a update forwarder ($n)" +ret=0 +for i in 0 1 2 3 4 5 6 7 +do +( + for j in 0 1 2 3 4 5 6 7 + do + ( + $NSUPDATE << EOF +server 10.53.0.3 5300 +zone many.test +update add $i-$j.many.test 0 IN A 1.2.3.4 +send +EOF + ) & + done + wait +) & +done +wait +dig axfr many.test @10.53.0.1 -p 5300 > dig.out.test$n +lines=`awk '$4 == "A" { l++ } END { print l }' dig.out.test$n` +test ${lines:-0} -eq 64 || ret=1 +[ $ret = 0 ] || { echo I:failed; status=1; } +fi + echo "I:exit status: $status" exit $status diff --git a/bin/tests/system/resolver/.gitignore b/bin/tests/system/resolver/.gitignore new file mode 100644 index 0000000000..d2be402ef5 --- /dev/null +++ b/bin/tests/system/resolver/.gitignore @@ -0,0 +1 @@ +edns-version diff --git a/bin/tests/system/resolver/Makefile.in b/bin/tests/system/resolver/Makefile.in new file mode 100644 index 0000000000..c83612dfab --- /dev/null +++ b/bin/tests/system/resolver/Makefile.in @@ -0,0 +1,52 @@ +# Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +srcdir = @srcdir@ +VPATH = @srcdir@ +top_srcdir = @top_srcdir@ + +@BIND9_VERSION@ + +@BIND9_MAKE_INCLUDES@ + +CINCLUDES = ${ISC_INCLUDES} ${DNS_INCLUDES} + +CDEFINES = +CWARNINGS = + +DNSLIBS = +ISCLIBS = + +DNSDEPLIBS = +ISCDEPLIBS = + +DEPLIBS = + +LIBS = @LIBS@ + +TARGETS = edns-version@EXEEXT@ + +EDNSVERSIONOBJS = edns-version.@O@ + +SRCS = edns-version.c + +@BIND9_MAKE_RULES@ + +all: edns-version@EXEEXT@ + +edns-version@EXEEXT@: ${EDNSVERSIONOBJS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${EDNSVERSIONOBJS} ${LIBS} + +clean distclean:: + rm -f ${TARGETS} diff --git a/bin/tests/system/resolver/edns-version.c b/bin/tests/system/resolver/edns-version.c new file mode 100644 index 0000000000..f8f5c9057d --- /dev/null +++ b/bin/tests/system/resolver/edns-version.c @@ -0,0 +1,29 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +#include +#include + +#include +#include + +int +main(int argc, char **argv) { + UNUSED(argc); + UNUSED(argv); + printf("%d\n", DNS_EDNS_VERSION); + return (0); +} diff --git a/bin/tests/system/resolver/ns4/tld1.db b/bin/tests/system/resolver/ns4/tld1.db index 7d017c4db4..5f034f597a 100644 --- a/bin/tests/system/resolver/ns4/tld1.db +++ b/bin/tests/system/resolver/ns4/tld1.db @@ -28,3 +28,8 @@ $TTL 5 to-be-removed NS ns.to-be-removed ns.to-be-removed A 10.53.0.6 fetch 10 TXT A short ttl +no-edns-version.tld. NS ns.no-edns-version.tld. +ns.no-edns-version.tld. A 10.53.0.6 +edns-version.tld. NS ns.edns-version.tld. +ns.edns-version.tld. A 10.53.0.7 + diff --git a/bin/tests/system/resolver/ns4/tld2.db b/bin/tests/system/resolver/ns4/tld2.db index 5231dbd7ea..338f61fbb7 100644 --- a/bin/tests/system/resolver/ns4/tld2.db +++ b/bin/tests/system/resolver/ns4/tld2.db @@ -28,3 +28,7 @@ fetch 10 TXT A short ttl fetchall 10 TXT A short ttl fetchall 10 A 1.2.3.4 fetchall 10 AAAA ::1 +no-edns-version.tld. NS ns.no-edns-version.tld. +ns.no-edns-version.tld. A 10.53.0.6 +edns-version.tld. NS ns.edns-version.tld. +ns.edns-version.tld. A 10.53.0.7 diff --git a/bin/tests/system/resolver/ns5/named.conf b/bin/tests/system/resolver/ns5/named.conf index 120d0fa481..05833a6d92 100644 --- a/bin/tests/system/resolver/ns5/named.conf +++ b/bin/tests/system/resolver/ns5/named.conf @@ -32,6 +32,10 @@ options { querylog yes; }; +server 10.53.0.7 { + edns-version 0; +}; + zone "." { type hint; file "root.hint"; diff --git a/bin/tests/system/resolver/ns6/named.conf b/bin/tests/system/resolver/ns6/named.conf index 728b56ecab..fad5353d2c 100644 --- a/bin/tests/system/resolver/ns6/named.conf +++ b/bin/tests/system/resolver/ns6/named.conf @@ -30,6 +30,7 @@ options { listen-on-v6 { none; }; recursion no; // minimal-responses yes; + querylog yes; }; zone "." { @@ -54,3 +55,8 @@ zone "broken" { file "broken.db"; allow-update { any; }; }; + +zone "no-edns-version.tld" { + type master; + file "no-edns-version.tld.db"; +}; diff --git a/bin/tests/system/resolver/ns6/no-edns-version.tld.db b/bin/tests/system/resolver/ns6/no-edns-version.tld.db new file mode 100644 index 0000000000..56d3cb1ed6 --- /dev/null +++ b/bin/tests/system/resolver/ns6/no-edns-version.tld.db @@ -0,0 +1,17 @@ +; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +@ SOA . . 0 0 0 0 0 +@ NS ns +ns A 10.53.0.6 diff --git a/bin/tests/system/resolver/ns6/root.db b/bin/tests/system/resolver/ns6/root.db index d8ea5d3e72..1c1ec869a1 100644 --- a/bin/tests/system/resolver/ns6/root.db +++ b/bin/tests/system/resolver/ns6/root.db @@ -1,4 +1,4 @@ -; Copyright (C) 2010, 2011 Internet Systems Consortium, Inc. ("ISC") +; Copyright (C) 2010, 2011, 2014 Internet Systems Consortium, Inc. ("ISC") ; ; Permission to use, copy, modify, and/or distribute this software for any ; purpose with or without fee is hereby granted, provided that the above @@ -27,3 +27,12 @@ a.root-servers.nil. A 10.53.0.6 moves. NS ns.server. server. NS ns7.server. ns7.server. A 10.53.0.7 +; +; These two delegations are strictly not necessary as the test resolver (ns5) +; doesn't have this zone as its root. They are just done for consistancy with +; the delegations in ns4/tld. +; +no-edns-version.tld. NS ns.no-edns-version.tld. +ns.no-edns-version.tld. A 10.53.0.6 +edns-version.tld. NS ns.edns-version.tld. +ns.edns-version.tld. A 10.53.0.7 diff --git a/bin/tests/system/resolver/ns7/edns-version.tld.db b/bin/tests/system/resolver/ns7/edns-version.tld.db new file mode 100644 index 0000000000..b231cb6634 --- /dev/null +++ b/bin/tests/system/resolver/ns7/edns-version.tld.db @@ -0,0 +1,17 @@ +; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +@ SOA . . 0 0 0 0 0 +@ NS ns +ns A 10.53.0.7 diff --git a/bin/tests/system/resolver/ns7/named1.conf b/bin/tests/system/resolver/ns7/named1.conf index bf522e4110..5572cf8646 100644 --- a/bin/tests/system/resolver/ns7/named1.conf +++ b/bin/tests/system/resolver/ns7/named1.conf @@ -30,6 +30,7 @@ options { empty-zones-enable yes; disable-empty-zone 20.172.in-addr.arpa; prefetch 0; + querylog yes; }; key rndc_key { @@ -51,3 +52,8 @@ zone "server" { file "server.db"; allow-update { any; }; }; + +zone "edns-version.tld" { + type master; + file "edns-version.tld.db"; +}; diff --git a/bin/tests/system/resolver/ns7/named2.conf b/bin/tests/system/resolver/ns7/named2.conf index b8daee05bf..daebe3d0e3 100644 --- a/bin/tests/system/resolver/ns7/named2.conf +++ b/bin/tests/system/resolver/ns7/named2.conf @@ -30,6 +30,7 @@ options { empty-zones-enable yes; disable-empty-zone 20.172.in-addr.arpa; prefetch 0; + querylog yes; }; key rndc_key { @@ -51,3 +52,8 @@ zone "server" { file "server.db"; allow-update { any; }; }; + +zone "edns-version.tld" { + type master; + file "edns-version.tld.db"; +}; diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh index b80f19c23d..8bde7df345 100755 --- a/bin/tests/system/resolver/tests.sh +++ b/bin/tests/system/resolver/tests.sh @@ -476,6 +476,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` n=`expr $n + 1` + echo "I:check that E was logged on EDNS queries in the query log (${n})" ret=0 $DIG @10.53.0.5 -p 5300 +edns edns.fetchall.tld any > dig.out.2.${n} || ret=1 @@ -500,5 +501,31 @@ grep ';1\.0\.0\.127\.in-addr\.arpa\..*IN.*PTR$' dig.out.3.${n} > /dev/null || re if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +edns=`./edns-version` + +n=`expr $n + 1` +echo "I:check that EDNS version is logged (${n})" +ret=0 +$DIG @10.53.0.5 -p 5300 +edns edns0.fetchall.tld any > dig.out.2.${n} || ret=1 +grep "query: edns0.fetchall.tld IN ANY +E(0)" ns5/named.run > /dev/null || ret=1 +if test ${edns:-0} != 0; then + $DIG @10.53.0.5 -p 5300 +edns=1 edns1.fetchall.tld any > dig.out.2.${n} || ret=1 + grep "query: edns1.fetchall.tld IN ANY +E(1)" ns5/named.run > /dev/null || ret=1 +fi +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +if test ${edns:-0} != 0; then + n=`expr $n + 1` + echo "I:check that edns-version is honoured (${n})" + ret=0 + $DIG @10.53.0.5 -p 5300 +edns no-edns-version.tld > dig.out.1.${n} || ret=1 + grep "query: no-edns-version.tld IN A -E(1)" ns6/named.run > /dev/null || ret=1 + $DIG @10.53.0.5 -p 5300 +edns edns-version.tld > dig.out.2.${n} || ret=1 + grep "query: edns-version.tld IN A -E(0)" ns7/named.run > /dev/null || ret=1 + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + echo "I:exit status: $status" exit $status diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh index 8a22990eb3..8cc8992c14 100644 --- a/bin/tests/system/rndc/tests.sh +++ b/bin/tests/system/rndc/tests.sh @@ -378,5 +378,11 @@ grep "query: foo9876.bind CH TXT" ns4/named.run > /dev/null && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +echo "I:testing rndc nta time limits" +ret=0 +$RNDC -s 10.53.0.4 -p 9956 -c ns4/key6.conf nta -l 2h nta1.example 2>&1 | grep "Negative trust anchor added" > /dev/null || ret=1 +$RNDC -s 10.53.0.4 -p 9956 -c ns4/key6.conf nta -l 1d nta2.example 2>&1 | grep "Negative trust anchor added" > /dev/null || ret=1 +$RNDC -s 10.53.0.4 -p 9956 -c ns4/key6.conf nta -l 1w nta3.example 2>&1 | grep "Negative trust anchor added" > /dev/null || ret=1 +$RNDC -s 10.53.0.4 -p 9956 -c ns4/key6.conf nta -l 8d nta4.example 2>&1 | grep "NTA lifetime cannot exceed one week" > /dev/null || ret=1 echo "I:exit status: $status" exit $status diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh index 4d4978a229..6294fd48a8 100644 --- a/bin/tests/system/rpz/tests.sh +++ b/bin/tests/system/rpz/tests.sh @@ -65,7 +65,7 @@ digcmd () { # Default to +noauth and @$ns3 # Also default to -bX where X is the @value so that OS X will choose # the right IP source address. - digcmd_args=`echo "+noadd +time=1 +tries=1 -p 5300 $*" | \ + digcmd_args=`echo "+noadd +time=2 +tries=1 -p 5300 $*" | \ sed -e "/@/!s/.*/& @$ns3/" \ -e '/-b/!s/@\([^ ]*\)/@\1 -b\1/' \ -e '/+n?o?auth/!s/.*/+noauth &/'` diff --git a/bin/tests/system/sfcache/README b/bin/tests/system/sfcache/README new file mode 100644 index 0000000000..a52626a5a2 --- /dev/null +++ b/bin/tests/system/sfcache/README @@ -0,0 +1,11 @@ +Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. + +The test setup for the SERVFAIL ncache tests has a secure root. + +ns1 is the root server. + +ns2 is an authoritative server for the various test domains. + +ns5 is a caching-only server, configured with the an incorrect trusted +key for the root. It is used for testing failure cases. diff --git a/bin/tests/system/sfcache/clean.sh b/bin/tests/system/sfcache/clean.sh new file mode 100644 index 0000000000..4246f976ab --- /dev/null +++ b/bin/tests/system/sfcache/clean.sh @@ -0,0 +1,22 @@ +#!/bin/sh +# +# Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +rm -f */K*.key */K*.private */*.signed */*.db */dsset-* +rm -f */managed.conf */trusted.conf +rm -f random.data +rm -f */named.memstats +rm -f dig.* +rm -f sfcache.* diff --git a/bin/tests/system/sfcache/ns1/named.conf b/bin/tests/system/sfcache/ns1/named.conf new file mode 100644 index 0000000000..4404ab121f --- /dev/null +++ b/bin/tests/system/sfcache/ns1/named.conf @@ -0,0 +1,40 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +// NS1 + +controls { /* empty */ }; + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-enable yes; + dnssec-validation yes; +}; + +zone "." { + type master; + file "root.db.signed"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/sfcache/ns1/root.db.in b/bin/tests/system/sfcache/ns1/root.db.in new file mode 100644 index 0000000000..1935965dac --- /dev/null +++ b/bin/tests/system/sfcache/ns1/root.db.in @@ -0,0 +1,27 @@ +; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +$TTL 300 +. IN SOA gson.nominum.com. a.root.servers.nil. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 + +example. NS ns2.example. +ns2.example. A 10.53.0.2 diff --git a/bin/tests/system/sfcache/ns1/sign.sh b/bin/tests/system/sfcache/ns1/sign.sh new file mode 100644 index 0000000000..11b0b193ed --- /dev/null +++ b/bin/tests/system/sfcache/ns1/sign.sh @@ -0,0 +1,57 @@ +#!/bin/sh -e +# +# Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +RANDFILE=../random.data + +zone=. +infile=root.db.in +zonefile=root.db + +(cd ../ns2 && sh sign.sh ) + +cp ../ns2/dsset-example. . + +keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` + +cat $infile $keyname.key > $zonefile + +$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null + +# Configure the resolving server with a trusted key. +cat $keyname.key | grep -v '^; ' | $PERL -n -e ' +local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split; +local $key = join("", @rest); +print < trusted.conf + +# ...or with a managed key. +cat $keyname.key | grep -v '^; ' | $PERL -n -e ' +local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split; +local $key = join("", @rest); +print < managed.conf +cp trusted.conf ../ns2/trusted.conf diff --git a/bin/tests/system/sfcache/ns2/example.db.in b/bin/tests/system/sfcache/ns2/example.db.in new file mode 100644 index 0000000000..4d7c88ba6f --- /dev/null +++ b/bin/tests/system/sfcache/ns2/example.db.in @@ -0,0 +1,106 @@ +; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 + NS ns3 +ns2 A 10.53.0.2 +ns3 A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 + +; Used for testing ANY queries +foo TXT "testing" +foo A 10.0.1.0 + +bad-cname CNAME a +bad-dname DNAME @ + +; Used for testing CNAME queries +cname1 CNAME cname1-target +cname1-target TXT "testing cname" + +cname2 CNAME cname2-target +cname2-target TXT "testing cname" + +; Used for testing DNAME queries +dname1 DNAME dname1-target +foo.dname1-target TXT "testing dname" + +dname2 DNAME dname2-target +foo.dname2-target TXT "testing dname" + +; A secure subdomain +secure NS ns.secure +ns.secure A 10.53.0.3 + +; An insecure subdomain +insecure NS ns.insecure +ns.insecure A 10.53.0.3 + +; A secure subdomain we're going to inject bogus data into +bogus NS ns.bogus +ns.bogus A 10.53.0.3 + +; A dynamic secure subdomain +dynamic NS dynamic +dynamic A 10.53.0.3 + +; A insecure subdomain +mustbesecure NS ns.mustbesecure +ns.mustbesecure A 10.53.0.3 + +; A rfc2535 signed zone w/ CNAME +rfc2535 NS ns.rfc2535 +ns.rfc2535 A 10.53.0.3 + +z A 10.0.0.26 + +keyless NS ns.keyless +ns.keyless A 10.53.0.3 + +nsec3 NS ns.nsec3 +ns.nsec3 A 10.53.0.3 + +optout NS ns.optout +ns.optout A 10.53.0.3 + +nsec3-unknown NS ns.nsec3-unknown +ns.nsec3-unknown A 10.53.0.3 + +optout-unknown NS ns.optout-unknown +ns.optout-unknown A 10.53.0.3 + +multiple NS ns.multiple +ns.multiple A 10.53.0.3 + +*.wild A 10.0.0.27 + +rsasha256 NS ns.rsasha256 +ns.rsasha256 A 10.53.0.3 + +rsasha512 NS ns.rsasha512 +ns.rsasha512 A 10.53.0.3 + +kskonly NS ns.kskonly +ns.kskonly A 10.53.0.3 diff --git a/bin/tests/system/sfcache/ns2/named.conf b/bin/tests/system/sfcache/ns2/named.conf new file mode 100644 index 0000000000..84c1044489 --- /dev/null +++ b/bin/tests/system/sfcache/ns2/named.conf @@ -0,0 +1,55 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +// NS2 + +controls { /* empty */ }; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-enable yes; + dnssec-validation yes; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; }; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "example" { + type master; + file "example.db.signed"; + allow-update { any; }; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/sfcache/ns2/sign.sh b/bin/tests/system/sfcache/ns2/sign.sh new file mode 100644 index 0000000000..46d925fc48 --- /dev/null +++ b/bin/tests/system/sfcache/ns2/sign.sh @@ -0,0 +1,31 @@ +#!/bin/sh -e +# +# Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +RANDFILE=../random.data + +zone=example. +infile=example.db.in +zonefile=example.db + +keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` +keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null diff --git a/bin/tests/system/sfcache/ns5/named.conf b/bin/tests/system/sfcache/ns5/named.conf new file mode 100644 index 0000000000..2aa8b49437 --- /dev/null +++ b/bin/tests/system/sfcache/ns5/named.conf @@ -0,0 +1,50 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +// NS5 + +controls { /* empty */ }; + +options { + query-source address 10.53.0.5; + notify-source 10.53.0.5; + transfer-source 10.53.0.5; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.5; }; + listen-on-v6 { none; }; + recursion yes; + acache-enable yes; + dnssec-enable yes; + dnssec-validation yes; + servfail-ttl 30; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.5 port 9953 allow { any; } keys { rndc_key; }; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/sfcache/ns5/trusted.conf.bad b/bin/tests/system/sfcache/ns5/trusted.conf.bad new file mode 100644 index 0000000000..9bfb7eff38 --- /dev/null +++ b/bin/tests/system/sfcache/ns5/trusted.conf.bad @@ -0,0 +1,19 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +trusted-keys { + "." 256 3 1 "AQO6Cl+slAf+iuieDim9L3kujFHQD7s/IOj03ClMOpKYcTXtK4mRpuULVfvWxDi9Ew/gj0xLnnX7z9OJHIxLI+DSrAHd8Dm0XfBEAtVtJSn70GaPZgnLMw1rk5ap2DsEoWk="; +}; diff --git a/bin/tests/system/sfcache/prereq.sh b/bin/tests/system/sfcache/prereq.sh new file mode 100644 index 0000000000..6f18280b3e --- /dev/null +++ b/bin/tests/system/sfcache/prereq.sh @@ -0,0 +1,25 @@ +#!/bin/sh +# +# Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +../../../tools/genrandom 400 random.data + +if $KEYGEN -q -a RSAMD5 -b 512 -n zone -r random.data foo > /dev/null 2>&1 +then + rm -f Kfoo* +else + echo "I:This test requires that --with-openssl was used." >&2 + exit 255 +fi diff --git a/bin/tests/system/sfcache/setup.sh b/bin/tests/system/sfcache/setup.sh new file mode 100644 index 0000000000..5becdfe2f2 --- /dev/null +++ b/bin/tests/system/sfcache/setup.sh @@ -0,0 +1,22 @@ +#!/bin/sh -e +# +# Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +../../../tools/genrandom 400 random.data + +cd ns1 && sh sign.sh + +cd ../ns5 && cp -f trusted.conf.bad trusted.conf + diff --git a/bin/tests/system/sfcache/tests.sh b/bin/tests/system/sfcache/tests.sh new file mode 100644 index 0000000000..2692585fcc --- /dev/null +++ b/bin/tests/system/sfcache/tests.sh @@ -0,0 +1,100 @@ +#!/bin/sh +# +# Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 +n=0 + +rm -f dig.out.* + +DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p 5300" + +echo "I:checking DNSSEC SERVFAIL is cached ($n)" +ret=0 +$DIG $DIGOPTS +dnssec foo.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 +$RNDC -c ../common/rndc.conf -s 10.53.0.5 -p 9953 dumpdb -all 2>&1 | sed 's/^/I:ns5 /' +for i in 1 2 3 4 5 6 7 8 9 10; do + awk '/Zone/{out=0} { if (out) print } /SERVFAIL/{out=1}' ns5/named_dump.db > sfcache.$n + [ -s "sfcache.$n" ] && break + sleep 1 +done +grep "^; foo.example/A" sfcache.$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking SERVFAIL is returned from cache ($n)" +ret=0 +$DIG $DIGOPTS +dnssec foo.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking that +cd bypasses cache check ($n)" +ret=0 +$DIG $DIGOPTS +dnssec +cd foo.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:disabling server to force non-dnssec SERVFAIL" +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 stop 2>&1 | sed 's/^/I:ns2 /' + +awk '/SERVFAIL/ { next; out=1 } /Zone/ { out=0 } { if (out) print }' ns5/named_dump.db +echo "I:checking SERVFAIL is cached ($n)" +ret=0 +$DIG $DIGOPTS bar.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 +$RNDC -c ../common/rndc.conf -s 10.53.0.5 -p 9953 dumpdb -all 2>&1 | sed 's/^/I:ns5 /' +for i in 1 2 3 4 5 6 7 8 9 10; do + awk '/Zone/{out=0} { if (out) print } /SERVFAIL/{out=1}' ns5/named_dump.db > sfcache.$n + [ -s "sfcache.$n" ] && break + sleep 1 +done +grep "^; bar.example/A" sfcache.$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking SERVFAIL is returned from cache ($n)" +ret=0 +$DIG $DIGOPTS bar.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking with +cd query ($n)" +ret=0 +$DIG $DIGOPTS +cd bar.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking with +dnssec query ($n)" +ret=0 +$DIG $DIGOPTS +cd bar.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:exit status: $status" +exit $status diff --git a/bin/tests/system/sit/bad-sit-badhex.conf b/bin/tests/system/sit/bad-sit-badhex.conf new file mode 100644 index 0000000000..f61ea93fd4 --- /dev/null +++ b/bin/tests/system/sit/bad-sit-badhex.conf @@ -0,0 +1,19 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +options { + sit-secret "012345678901234567890123456789012345678901234567890123456789012"; +}; diff --git a/bin/tests/system/sit/bad-sit-toolong.conf b/bin/tests/system/sit/bad-sit-toolong.conf new file mode 100644 index 0000000000..812f9d808e --- /dev/null +++ b/bin/tests/system/sit/bad-sit-toolong.conf @@ -0,0 +1,19 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +options { + sit-secret "01234567890123456789012345678901234567890123456789012345678901234567890"; +}; diff --git a/bin/tests/system/sit/tests.sh b/bin/tests/system/sit/tests.sh index fa1a71abb0..5842a98714 100755 --- a/bin/tests/system/sit/tests.sh +++ b/bin/tests/system/sit/tests.sh @@ -32,6 +32,15 @@ havetc() { grep 'flags:.* tc[^;]*;' $1 > /dev/null } +for bad in bad*.conf +do + ret=0 + echo "I:checking that named-checkconf detects error in $bad" + $CHECKCONF $bad > /dev/null 2>&1 + if [ $? != 1 ]; then echo "I:failed"; ret=1; fi + status=`expr $status + $ret` +done + n=`expr $n + 1` echo "I:checking SIT token returned to empty SIT option ($n)" ret=0 diff --git a/bin/tests/system/upforwd/ns1/named.conf b/bin/tests/system/upforwd/ns1/named.conf index 8d9d2fa0d9..65db79125f 100644 --- a/bin/tests/system/upforwd/ns1/named.conf +++ b/bin/tests/system/upforwd/ns1/named.conf @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2007, 2014 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -42,3 +42,9 @@ zone "example" { file "example.db"; allow-update { key update.example.; 10.53.0.3; }; }; + +zone "example2" { + type master; + file "example2.db"; + allow-update { key sig0.example2.; }; +}; diff --git a/bin/tests/system/upforwd/ns2/named.conf b/bin/tests/system/upforwd/ns2/named.conf index 57ad4b0014..4b609c3211 100644 --- a/bin/tests/system/upforwd/ns2/named.conf +++ b/bin/tests/system/upforwd/ns2/named.conf @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2007, 2014 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -37,3 +37,9 @@ zone "example" { file "example.bk"; masters { 10.53.0.1; }; }; + +zone "example2" { + type slave; + file "example2.bk"; + masters { 10.53.0.1; }; +}; diff --git a/bin/tests/system/upforwd/ns3/named.conf b/bin/tests/system/upforwd/ns3/named.conf index 3737fb5e38..4eaf24d77b 100644 --- a/bin/tests/system/upforwd/ns3/named.conf +++ b/bin/tests/system/upforwd/ns3/named.conf @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2007, 2011 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2007, 2011, 2014 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -39,6 +39,13 @@ zone "example" { masters { 10.53.0.1; }; }; +zone "example2" { + type slave; + file "example2.bk"; + allow-update-forwarding { any; }; + masters { 10.53.0.1; }; +}; + zone "nomaster" { type slave; file "nomaster1.db"; diff --git a/bin/tests/system/upforwd/setup.sh b/bin/tests/system/upforwd/setup.sh index bdd2e0e86f..5e10d88ccc 100644 --- a/bin/tests/system/upforwd/setup.sh +++ b/bin/tests/system/upforwd/setup.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (C) 2004, 2007, 2011, 2012 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2011, 2012, 2014 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2000, 2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any @@ -15,8 +15,16 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: setup.sh,v 1.10 2011/09/02 23:46:32 tbox Exp $ +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh cp -f ns1/example1.db ns1/example.db rm -f ns1/example.db.jnl ns2/example.bk ns2/example.bk.jnl +rm -f ns1/example2.db.jnl ns2/example2.bk ns2/example2.bk.jnl cp -f ns3/nomaster.db ns3/nomaster1.db +rm -f Ksig0.example2.* + +test -r $RANDFILE || $GENRANDOM 400 $RANDFILE +keyname=`$KEYGEN -q -r $RANDFILE -n HOST -a RSASHA1 -b 1024 -T KEY sig0.example2` +cat ns1/example1.db $keyname.key > ns1/example2.db +echo $keyname > keyname diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh index a138649ac3..0491596ff5 100644 --- a/bin/tests/system/upforwd/tests.sh +++ b/bin/tests/system/upforwd/tests.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (C) 2004, 2007, 2011-2013 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2011-2014 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2000, 2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any @@ -25,9 +25,11 @@ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh status=0 +n=1 +sleep 5 -echo "I:waiting for servers to be ready for testing" +echo "I:waiting for servers to be ready for testing ($n)" for i in 1 2 3 4 5 6 7 8 9 10 do ret=0 @@ -41,32 +43,36 @@ do sleep 1 done if [ $ret != 0 ] ; then echo "I:failed"; status=`expr $status + $ret`; fi +n=`expr $n + 1` -echo "I:fetching master copy of zone before update" +echo "I:fetching master copy of zone before update ($n)" ret=0 $DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\ @10.53.0.1 axfr -p 5300 > dig.out.ns1 || ret=1 if [ $ret != 0 ] ; then echo "I:failed"; status=`expr $status + $ret`; fi +n=`expr $n + 1` -echo "I:fetching slave 1 copy of zone before update" +echo "I:fetching slave 1 copy of zone before update ($n)" $DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\ @10.53.0.2 axfr -p 5300 > dig.out.ns2 || ret=1 if [ $ret != 0 ] ; then echo "I:failed"; status=`expr $status + $ret`; fi +n=`expr $n + 1` -echo "I:fetching slave 2 copy of zone before update" +echo "I:fetching slave 2 copy of zone before update ($n)" ret=0 $DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\ @10.53.0.3 axfr -p 5300 > dig.out.ns3 || ret=1 if [ $ret != 0 ] ; then echo "I:failed"; status=`expr $status + $ret`; fi +n=`expr $n + 1` -echo "I:comparing pre-update copies to known good data" +echo "I:comparing pre-update copies to known good data ($n)" ret=0 $PERL ../digcomp.pl knowngood.before dig.out.ns1 || ret=1 $PERL ../digcomp.pl knowngood.before dig.out.ns2 || ret=1 $PERL ../digcomp.pl knowngood.before dig.out.ns3 || ret=1 if [ $ret != 0 ] ; then echo "I:failed"; status=`expr $status + $ret`; fi -echo "I:updating zone (signed)" +echo "I:updating zone (signed) ($n)" ret=0 $NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - < dig.out.ns1 || ret=1 if [ $ret != 0 ] ; then echo "I:failed"; status=`expr $status + $ret`; fi +n=`expr $n + 1` -echo "I:fetching slave 1 copy of zone after update" +echo "I:fetching slave 1 copy of zone after update ($n)" ret=0 $DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\ @10.53.0.2 axfr -p 5300 > dig.out.ns2 || ret=1 if [ $ret != 0 ] ; then echo "I:failed"; status=`expr $status + $ret`; fi -echo "I:fetching slave 2 copy of zone after update" +echo "I:fetching slave 2 copy of zone after update ($n)" ret=0 $DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\ @10.53.0.3 axfr -p 5300 > dig.out.ns3 || ret=1 if [ $ret != 0 ] ; then echo "I:failed"; status=`expr $status + $ret`; fi +n=`expr $n + 1` -echo "I:comparing post-update copies to known good data" +echo "I:comparing post-update copies to known good data ($n)" ret=0 $PERL ../digcomp.pl knowngood.after1 dig.out.ns1 || ret=1 $PERL ../digcomp.pl knowngood.after1 dig.out.ns2 || ret=1 $PERL ../digcomp.pl knowngood.after1 dig.out.ns3 || ret=1 if [ $ret != 0 ] ; then echo "I:failed"; status=`expr $status + $ret`; fi -echo "I:checking 'forwarding update for zone' is logged" +echo "I:checking 'forwarding update for zone' is logged ($n)" ret=0 grep "forwarding update for zone 'example/IN'" ns3/named.run > /dev/null || ret=1 if [ $ret != 0 ] ; then echo "I:failed"; status=`expr $status + $ret`; fi +n=`expr $n + 1` -echo "I:updating zone (unsigned)" +echo "I:updating zone (unsigned) ($n)" ret=0 $NSUPDATE -- - < dig.out.ns1 || ret=1 if [ $ret != 0 ] ; then echo "I:failed"; status=`expr $status + $ret`; fi -echo "I:fetching slave 1 copy of zone after update" +echo "I:fetching slave 1 copy of zone after update ($n)" ret=0 $DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\ @10.53.0.2 axfr -p 5300 > dig.out.ns2 || ret=1 if [ $ret != 0 ] ; then echo "I:failed"; status=`expr $status + $ret`; fi +n=`expr $n + 1` -echo "I:fetching slave 2 copy of zone after update" +echo "I:fetching slave 2 copy of zone after update ($n)" ret=0 $DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\ @10.53.0.3 axfr -p 5300 > dig.out.ns3 || ret=1 if [ $ret != 0 ] ; then echo "I:failed"; status=`expr $status + $ret`; fi -echo "I:comparing post-update copies to known good data" +echo "I:comparing post-update copies to known good data ($n)" ret=0 $PERL ../digcomp.pl knowngood.after2 dig.out.ns1 || ret=1 $PERL ../digcomp.pl knowngood.after2 dig.out.ns2 || ret=1 $PERL ../digcomp.pl knowngood.after2 dig.out.ns3 || ret=1 if [ $ret != 0 ] ; then echo "I:failed"; status=`expr $status + $ret`; fi +n=`expr $n + 1` -echo "I:checking update forwarding to dead master" +echo "I:checking update forwarding to dead master ($n)" count=0 ret=0 while [ $count -lt 5 -a $ret -eq 0 ] @@ -167,6 +180,21 @@ EOF count=`expr $count + 1` done if [ $ret != 0 ] ; then echo "I:failed"; status=`expr $status + $ret`; fi +n=`expr $n + 1` + +echo "I:checking update forwarding to with sig0 ($n)" +keyname=`cat keyname` +$NSUPDATE -k $keyname.private -- - < dig.out.ns1.test$n +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo "I:failed"; status=`expr $status + $ret`; fi +n=`expr $n + 1` echo "I:exit status: $status" exit $status diff --git a/bin/tests/system/xfer/dig1.good b/bin/tests/system/xfer/dig1.good index 15842ab4d6..7ad4b68158 100644 --- a/bin/tests/system/xfer/dig1.good +++ b/bin/tests/system/xfer/dig1.good @@ -90,6 +90,9 @@ txt09.example. 3600 IN TXT "foo\010bar" txt10.example. 3600 IN TXT "foo bar" txt11.example. 3600 IN TXT "\"foo\"" txt12.example. 3600 IN TXT "\"foo\"" +txt13.example. 3600 IN TXT "foo;" +txt14.example. 3600 IN TXT "foo;" +txt15.example. 3600 IN TXT "bar\\;" uri01.example. 3600 IN URI 10 20 "https://www.isc.org/" uri02.example. 3600 IN URI 30 40 "https://www.isc.org/HolyCowThisSureIsAVeryLongURIRecordIDontEvenKnowWhatSomeoneWouldEverWantWithSuchAThingButTheSpecificationRequiresThatWesupportItSoHereWeGoTestingItLaLaLaLaLaLaLaSeriouslyThoughWhyWouldYouEvenConsiderUsingAURIThisLongItSeemsLikeASillyIdeaButEnhWhatAreYouGonnaDo/" uri03.example. 3600 IN URI 30 40 "" diff --git a/bin/tests/system/xfer/dig2.good b/bin/tests/system/xfer/dig2.good index 2586c9acdc..cdb95dc4e2 100644 --- a/bin/tests/system/xfer/dig2.good +++ b/bin/tests/system/xfer/dig2.good @@ -90,6 +90,9 @@ txt09.example. 3600 IN TXT "foo\010bar" txt10.example. 3600 IN TXT "foo bar" txt11.example. 3600 IN TXT "\"foo\"" txt12.example. 3600 IN TXT "\"foo\"" +txt13.example. 3600 IN TXT "foo;" +txt14.example. 3600 IN TXT "foo;" +txt15.example. 3600 IN TXT "bar\\;" uri01.example. 3600 IN URI 10 20 "https://www.isc.org/" uri02.example. 3600 IN URI 30 40 "https://www.isc.org/HolyCowThisSureIsAVeryLongURIRecordIDontEvenKnowWhatSomeoneWouldEverWantWithSuchAThingButTheSpecificationRequiresThatWesupportItSoHereWeGoTestingItLaLaLaLaLaLaLaSeriouslyThoughWhyWouldYouEvenConsiderUsingAURIThisLongItSeemsLikeASillyIdeaButEnhWhatAreYouGonnaDo/" uri03.example. 3600 IN URI 30 40 "" diff --git a/bin/tools/arpaname.html b/bin/tools/arpaname.html index 11067f60b3..29ea03b513 100644 --- a/bin/tools/arpaname.html +++ b/bin/tools/arpaname.html @@ -31,20 +31,20 @@

arpaname {ipaddress ...}

-

DESCRIPTION

+

DESCRIPTION

arpaname translates IP addresses (IPv4 and IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.

-

SEE ALSO

+

SEE ALSO

BIND 9 Administrator Reference Manual.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/tools/genrandom.html b/bin/tools/genrandom.html index 9f9c0eb100..e125a01208 100644 --- a/bin/tools/genrandom.html +++ b/bin/tools/genrandom.html @@ -31,7 +31,7 @@

genrandom [-n number] {size} {filename}

-

DESCRIPTION

+

DESCRIPTION

genrandom generates a file or a set of files containing a specified quantity @@ -40,7 +40,7 @@

-

ARGUMENTS

+

ARGUMENTS

-n number

@@ -58,14 +58,14 @@

-

SEE ALSO

+

SEE ALSO

rand(3), arc4random(3)

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/tools/isc-hmac-fixup.html b/bin/tools/isc-hmac-fixup.html index 5f5b55f8ed..cb975589c2 100644 --- a/bin/tools/isc-hmac-fixup.html +++ b/bin/tools/isc-hmac-fixup.html @@ -31,7 +31,7 @@

isc-hmac-fixup {algorithm} {secret}

-

DESCRIPTION

+

DESCRIPTION

Versions of BIND 9 up to and including BIND 9.6 had a bug causing HMAC-SHA* TSIG keys which were longer than the digest length of the @@ -57,7 +57,7 @@

-

SECURITY CONSIDERATIONS

+

SECURITY CONSIDERATIONS

Secrets that have been converted by isc-hmac-fixup are shortened, but as this is how the HMAC protocol works in @@ -68,14 +68,14 @@

-

SEE ALSO

+

SEE ALSO

BIND 9 Administrator Reference Manual, RFC 2104.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/tools/named-journalprint.html b/bin/tools/named-journalprint.html index 994ae0d088..3e5e19f239 100644 --- a/bin/tools/named-journalprint.html +++ b/bin/tools/named-journalprint.html @@ -31,7 +31,7 @@

named-journalprint {journal}

-

DESCRIPTION

+

DESCRIPTION

named-journalprint prints the contents of a zone journal file in a human-readable @@ -57,7 +57,7 @@

-

SEE ALSO

+

SEE ALSO

named(8), nsupdate(8), @@ -65,7 +65,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/tools/named-rrchecker.html b/bin/tools/named-rrchecker.html index 6c7ecd4c92..a11cc5f08d 100644 --- a/bin/tools/named-rrchecker.html +++ b/bin/tools/named-rrchecker.html @@ -32,7 +32,7 @@

named-rrchecker [-h] [-o origin] [-p] [-u] [-C] [-T] [-P]

-

DESCRIPTION

+

DESCRIPTION

named-rrchecker read a individual DNS resource record from standard input and checks if it is syntactically correct. @@ -60,7 +60,7 @@

-

SEE ALSO

+

SEE ALSO

RFC 1034, RFC 1035, diff --git a/bin/tools/nsec3hash.html b/bin/tools/nsec3hash.html index 3972733584..acb83e6ee1 100644 --- a/bin/tools/nsec3hash.html +++ b/bin/tools/nsec3hash.html @@ -31,7 +31,7 @@

nsec3hash {salt} {algorithm} {iterations} {domain}

-

DESCRIPTION

+

DESCRIPTION

nsec3hash generates an NSEC3 hash based on a set of NSEC3 parameters. This can be used to check the validity @@ -39,7 +39,7 @@

-

ARGUMENTS

+

ARGUMENTS

salt

@@ -63,14 +63,14 @@

-

SEE ALSO

+

SEE ALSO

BIND 9 Administrator Reference Manual, RFC 5155.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/configure b/configure index 926962c506..095f9e2aa0 100755 --- a/configure +++ b/configure @@ -831,6 +831,7 @@ OPENSSLGOSTLINKOBJS DST_OPENSSL_INC HAVE_SIT ISC_PLATFORM_USESIT +INSTALL_LIBRARY ISC_THREAD_DIR THREADOPTSRCS THREADOPTOBJS @@ -1760,10 +1761,12 @@ Use these variables to override the choices made by `configure' or to help it to find libraries and programs with nonstandard names/locations. Professional support for BIND is provided by Internet Systems Consortium, -Inc., doing business as DNSco. Information about paid support options is -available at http://www.dns-co.com/solutions/. Free support is provided by -our user community via a mailing list. Information on public email lists -is available at https://www.isc.org/community/mailing-list/. +Inc. Information about paid support and training options is available at +https://www.isc.org/support. + +Help can also often be found on the BIND Users mailing list +(https://lists.isc.org/mailman/listinfo/bind-users) or in the #bind +channel of the Freenode IRC service. Report bugs to . BIND home page: . @@ -11764,15 +11767,22 @@ else fi +python="python python3 python3.4 python3.3 python3.2 python3.1 python3.0 python2 python2.7 python2.6 python2.5 python2.4" +testscript='try: import argparse +except: exit(1)' case "$use_python" in no) + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for python support" >&5 +$as_echo_n "checking for python support... " >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5 $as_echo "disabled" >&6; } ;; unspec|yes|*) case "$use_python" in unspec|yes|'') - for ac_prog in python + for p in $python + do + for ac_prog in $p do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 @@ -11817,9 +11827,43 @@ fi test -n "$PYTHON" && break done + if test "X$PYTHON" == "X"; then + continue; + fi + { $as_echo "$as_me:${as_lineno-$LINENO}: checking python module 'argparse'" >&5 +$as_echo_n "checking python module 'argparse'... " >&6; } + if ${PYTHON:-false} -c "$testscript"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: found, using $PYTHON" >&5 +$as_echo "found, using $PYTHON" >&6; } + break + fi + { $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5 +$as_echo "not found" >&6; } + unset ac_cv_path_PYTHON + unset PYTHON + done + if test "X$PYTHON" == "X" + then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for python support" >&5 +$as_echo_n "checking for python support... " >&6; } + case "$use_python" in + unspec) + { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5 +$as_echo "disabled" >&6; } + ;; + yes) + as_fn_error $? "missing python" "$LINENO" 5 + ;; + esac + fi ;; *) - for ac_prog in $use_python + case "$use_python" in + /*) + PYTHON="$use_python" + ;; + *) + for ac_prog in $use_python do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 @@ -11864,44 +11908,19 @@ fi test -n "$PYTHON" && break done + ;; + esac + { $as_echo "$as_me:${as_lineno-$LINENO}: checking python module 'argparse'" >&5 +$as_echo_n "checking python module 'argparse'... " >&6; } + if ${PYTHON:-false} -c "$testscript"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: found, using $PYTHON" >&5 +$as_echo "found, using $PYTHON" >&6; } + break + else + as_fn_error $? "not found" "$LINENO" 5 + fi ;; esac - if test "X$PYTHON" == "X" - then - case "$use_python" in - unspec) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5 -$as_echo "disabled" >&6; } - ;; - yes|*) - as_fn_error $? "missing python" "$LINENO" 5 - ;; - esac - break - fi - testscript='try: import argparse -except: exit(1)' - { $as_echo "$as_me:${as_lineno-$LINENO}: checking python module 'argparse'" >&5 -$as_echo_n "checking python module 'argparse'... " >&6; } - if $PYTHON -c "$testscript"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: found, using $PYTHON" >&5 -$as_echo "found, using $PYTHON" >&6; } - else - case "$use_python" in - unspec) - PYTHON="" - - - { $as_echo "$as_me:${as_lineno-$LINENO}: result: not found, python disabled" >&5 -$as_echo "not found, python disabled" >&6; } - ;; - yes) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no found" >&5 -$as_echo "no found" >&6; } - as_fn_error $? "python 'argparse' module not supported" "$LINENO" 5 - ;; - esac - fi ;; esac @@ -13707,9 +13726,9 @@ else fi - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing GeoIP_open" >&5 -$as_echo_n "checking for library containing GeoIP_open... " >&6; } -if ${ac_cv_search_GeoIP_open+:} false; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing GeoIP_id_by_addr_gl" >&5 +$as_echo_n "checking for library containing GeoIP_id_by_addr_gl... " >&6; } +if ${ac_cv_search_GeoIP_id_by_addr_gl+:} false; then : $as_echo_n "(cached) " >&6 else ac_func_search_save_LIBS=$LIBS @@ -13722,11 +13741,11 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext #ifdef __cplusplus extern "C" #endif -char GeoIP_open (); +char GeoIP_id_by_addr_gl (); int main () { -return GeoIP_open (); +return GeoIP_id_by_addr_gl (); ; return 0; } @@ -13739,30 +13758,30 @@ for ac_lib in '' GeoIP; do LIBS="-l$ac_lib $ac_func_search_save_LIBS" fi if ac_fn_c_try_link "$LINENO"; then : - ac_cv_search_GeoIP_open=$ac_res + ac_cv_search_GeoIP_id_by_addr_gl=$ac_res fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext - if ${ac_cv_search_GeoIP_open+:} false; then : + if ${ac_cv_search_GeoIP_id_by_addr_gl+:} false; then : break fi done -if ${ac_cv_search_GeoIP_open+:} false; then : +if ${ac_cv_search_GeoIP_id_by_addr_gl+:} false; then : else - ac_cv_search_GeoIP_open=no + ac_cv_search_GeoIP_id_by_addr_gl=no fi rm conftest.$ac_ext LIBS=$ac_func_search_save_LIBS fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_GeoIP_open" >&5 -$as_echo "$ac_cv_search_GeoIP_open" >&6; } -ac_res=$ac_cv_search_GeoIP_open +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_GeoIP_id_by_addr_gl" >&5 +$as_echo "$ac_cv_search_GeoIP_id_by_addr_gl" >&6; } +ac_res=$ac_cv_search_GeoIP_id_by_addr_gl if test "$ac_res" != no; then : test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" else - as_fn_error $? "GeoIP library not found" "$LINENO" 5 + as_fn_error $? "suitable GeoIP library not found" "$LINENO" 5 fi @@ -15320,6 +15339,7 @@ $as_echo "yes" >&6; } LIBTOOL_MODE_COMPILE='--mode=compile --tag=CC' LIBTOOL_MODE_INSTALL='--mode=install --tag=CC' LIBTOOL_MODE_LINK='--mode=link --tag=CC' + INSTALL_LIBRARY='${INSTALL_PROGRAM}' case "$host" in *) LIBTOOL_ALLOW_UNDEFINED= ;; esac @@ -15341,9 +15361,11 @@ $as_echo "no" >&6; } LIBTOOL_MODE_LINK= LIBTOOL_ALLOW_UNDEFINED= LIBTOOL_IN_MAIN= + INSTALL_LIBRARY='${INSTALL_DATA}' ;; esac + # # was --enable-native-pkcs11 specified? # (note it implies both --without-openssl and --with-pkcs11) @@ -21668,7 +21690,7 @@ ac_config_commands="$ac_config_commands chmod" # elsewhere if there's a good reason for doing so. # -ac_config_files="$ac_config_files make/Makefile make/mkdep Makefile bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile bin/delv/Makefile bin/dig/Makefile bin/dnssec/Makefile bin/named/Makefile bin/named/unix/Makefile bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile bin/python/dnssec-checkds.py bin/python/dnssec-coverage.py bin/rndc/Makefile bin/tests/Makefile bin/tests/atomic/Makefile bin/tests/db/Makefile bin/tests/dst/Makefile bin/tests/dst/Kdh.+002+18602.key bin/tests/dst/Kdh.+002+18602.private bin/tests/dst/Kdh.+002+48957.key bin/tests/dst/Kdh.+002+48957.private bin/tests/dst/Ktest.+001+00002.key bin/tests/dst/Ktest.+001+54622.key bin/tests/dst/Ktest.+001+54622.private bin/tests/dst/Ktest.+003+23616.key bin/tests/dst/Ktest.+003+23616.private bin/tests/dst/Ktest.+003+49667.key bin/tests/dst/dst_2_data bin/tests/dst/t2_data_1 bin/tests/dst/t2_data_2 bin/tests/dst/t2_dsasig bin/tests/dst/t2_rsasig bin/tests/hashes/Makefile bin/tests/headerdep_test.sh bin/tests/master/Makefile bin/tests/mem/Makefile bin/tests/names/Makefile bin/tests/net/Makefile bin/tests/pkcs11/Makefile bin/tests/pkcs11/benchmarks/Makefile bin/tests/rbt/Makefile bin/tests/resolver/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/conf.sh bin/tests/system/dlz/prereq.sh bin/tests/system/dlzexternal/Makefile bin/tests/system/dlzexternal/ns1/named.conf bin/tests/system/filter-aaaa/Makefile bin/tests/system/geoip/Makefile bin/tests/system/inline/checkdsa.sh bin/tests/system/lwresd/Makefile bin/tests/system/sit/prereq.sh bin/tests/system/rpz/Makefile bin/tests/system/rsabigexponent/Makefile bin/tests/system/tkey/Makefile bin/tests/system/tsiggss/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile bin/tests/virtual-time/Makefile bin/tests/virtual-time/conf.sh bin/tools/Makefile contrib/scripts/check-secure-delegation.pl contrib/scripts/zone-edit.sh doc/Makefile doc/arm/Makefile doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter doc/misc/Makefile doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-docbook-latex.xsl doc/xsl/isc-manpage.xsl isc-config.sh lib/Makefile lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile lib/irs/include/irs/netdb.h lib/irs/include/irs/platform.h lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/include/pk11/Makefile lib/isc/include/pkcs11/Makefile lib/isc/tests/Makefile lib/isc/nls/Makefile lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/unix/include/pkcs11/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/tests/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile lib/samples/Makefile lib/samples/Makefile-postinstall unit/Makefile unit/unittest.sh" +ac_config_files="$ac_config_files make/Makefile make/mkdep Makefile bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile bin/delv/Makefile bin/dig/Makefile bin/dnssec/Makefile bin/named/Makefile bin/named/unix/Makefile bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile bin/python/dnssec-checkds.py bin/python/dnssec-coverage.py bin/rndc/Makefile bin/tests/Makefile bin/tests/atomic/Makefile bin/tests/db/Makefile bin/tests/dst/Makefile bin/tests/dst/Kdh.+002+18602.key bin/tests/dst/Kdh.+002+18602.private bin/tests/dst/Kdh.+002+48957.key bin/tests/dst/Kdh.+002+48957.private bin/tests/dst/Ktest.+001+00002.key bin/tests/dst/Ktest.+001+54622.key bin/tests/dst/Ktest.+001+54622.private bin/tests/dst/Ktest.+003+23616.key bin/tests/dst/Ktest.+003+23616.private bin/tests/dst/Ktest.+003+49667.key bin/tests/dst/dst_2_data bin/tests/dst/t2_data_1 bin/tests/dst/t2_data_2 bin/tests/dst/t2_dsasig bin/tests/dst/t2_rsasig bin/tests/hashes/Makefile bin/tests/headerdep_test.sh bin/tests/master/Makefile bin/tests/mem/Makefile bin/tests/names/Makefile bin/tests/net/Makefile bin/tests/pkcs11/Makefile bin/tests/pkcs11/benchmarks/Makefile bin/tests/rbt/Makefile bin/tests/resolver/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/builtin/Makefile bin/tests/system/conf.sh bin/tests/system/dlz/prereq.sh bin/tests/system/dlzexternal/Makefile bin/tests/system/dlzexternal/ns1/named.conf bin/tests/system/filter-aaaa/Makefile bin/tests/system/geoip/Makefile bin/tests/system/inline/checkdsa.sh bin/tests/system/lwresd/Makefile bin/tests/system/resolver/Makefile bin/tests/system/rpz/Makefile bin/tests/system/rsabigexponent/Makefile bin/tests/system/sit/prereq.sh bin/tests/system/tkey/Makefile bin/tests/system/tsiggss/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile bin/tests/virtual-time/Makefile bin/tests/virtual-time/conf.sh bin/tools/Makefile contrib/scripts/check-secure-delegation.pl contrib/scripts/zone-edit.sh doc/Makefile doc/arm/Makefile doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter doc/misc/Makefile doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-docbook-latex.xsl doc/xsl/isc-manpage.xsl isc-config.sh lib/Makefile lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile lib/irs/include/irs/netdb.h lib/irs/include/irs/platform.h lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/include/pk11/Makefile lib/isc/include/pkcs11/Makefile lib/isc/tests/Makefile lib/isc/nls/Makefile lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/unix/include/pkcs11/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/tests/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile lib/samples/Makefile lib/samples/Makefile-postinstall unit/Makefile unit/unittest.sh" # @@ -22711,6 +22733,7 @@ do "bin/tests/resolver/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/resolver/Makefile" ;; "bin/tests/sockaddr/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/sockaddr/Makefile" ;; "bin/tests/system/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/Makefile" ;; + "bin/tests/system/builtin/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/builtin/Makefile" ;; "bin/tests/system/conf.sh") CONFIG_FILES="$CONFIG_FILES bin/tests/system/conf.sh" ;; "bin/tests/system/dlz/prereq.sh") CONFIG_FILES="$CONFIG_FILES bin/tests/system/dlz/prereq.sh" ;; "bin/tests/system/dlzexternal/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/dlzexternal/Makefile" ;; @@ -22719,9 +22742,10 @@ do "bin/tests/system/geoip/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/geoip/Makefile" ;; "bin/tests/system/inline/checkdsa.sh") CONFIG_FILES="$CONFIG_FILES bin/tests/system/inline/checkdsa.sh" ;; "bin/tests/system/lwresd/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/lwresd/Makefile" ;; - "bin/tests/system/sit/prereq.sh") CONFIG_FILES="$CONFIG_FILES bin/tests/system/sit/prereq.sh" ;; + "bin/tests/system/resolver/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/resolver/Makefile" ;; "bin/tests/system/rpz/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/rpz/Makefile" ;; "bin/tests/system/rsabigexponent/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/rsabigexponent/Makefile" ;; + "bin/tests/system/sit/prereq.sh") CONFIG_FILES="$CONFIG_FILES bin/tests/system/sit/prereq.sh" ;; "bin/tests/system/tkey/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/tkey/Makefile" ;; "bin/tests/system/tsiggss/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/tsiggss/Makefile" ;; "bin/tests/tasks/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/tasks/Makefile" ;; diff --git a/configure.in b/configure.in index 6c2580a89b..4334143c6d 100644 --- a/configure.in +++ b/configure.in @@ -218,50 +218,63 @@ AC_ARG_WITH(python, [ --with-python=PATH specify path to python interpreter], use_python="$withval", use_python="unspec") +python="python python3 python3.4 python3.3 python3.2 python3.1 python3.0 python2 python2.7 python2.6 python2.5 python2.4" +testscript='try: import argparse +except: exit(1)' case "$use_python" in no) + AC_MSG_CHECKING([for python support]) AC_MSG_RESULT(disabled) ;; unspec|yes|*) case "$use_python" in unspec|yes|'') - AC_PATH_PROGS(PYTHON, python) + for p in $python + do + AC_PATH_PROGS(PYTHON, $p) + if test "X$PYTHON" == "X"; then + continue; + fi + AC_MSG_CHECKING([python module 'argparse']) + if ${PYTHON:-false} -c "$testscript"; then + AC_MSG_RESULT([found, using $PYTHON]) + break + fi + AC_MSG_RESULT([not found]) + unset ac_cv_path_PYTHON + unset PYTHON + done + if test "X$PYTHON" == "X" + then + AC_MSG_CHECKING([for python support]) + case "$use_python" in + unspec) + AC_MSG_RESULT(disabled) + ;; + yes) + AC_MSG_ERROR([missing python]) + ;; + esac + fi ;; *) - AC_PATH_PROGS(PYTHON, $use_python) + case "$use_python" in + /*) + PYTHON="$use_python" + ;; + *) + AC_PATH_PROGS(PYTHON, $use_python) + ;; + esac + AC_MSG_CHECKING([python module 'argparse']) + if ${PYTHON:-false} -c "$testscript"; then + AC_MSG_RESULT([found, using $PYTHON]) + break + else + AC_MSG_ERROR([not found]) + fi ;; esac - if test "X$PYTHON" == "X" - then - case "$use_python" in - unspec) - AC_MSG_RESULT(disabled) - ;; - yes|*) - AC_MSG_ERROR([missing python]) - ;; - esac - break - fi - testscript='try: import argparse -except: exit(1)' - AC_MSG_CHECKING([python module 'argparse']) - if $PYTHON -c "$testscript"; then - AC_MSG_RESULT([found, using $PYTHON]) - else - case "$use_python" in - unspec) - PYTHON="" - AC_SUBST(CHECKDS) - AC_SUBST(COVERAGE) - AC_MSG_RESULT([not found, python disabled]) - ;; - yes) - AC_MSG_RESULT([no found]) - AC_MSG_ERROR([python 'argparse' module not supported]) - ;; - esac - fi ;; esac @@ -723,8 +736,8 @@ case "$use_geoip" in AC_CHECK_HEADER(GeoIP.h, [], [AC_MSG_ERROR([GeoIP header file not found])] ) - AC_SEARCH_LIBS(GeoIP_open, GeoIP, [], - [AC_MSG_ERROR([GeoIP library not found])] + AC_SEARCH_LIBS(GeoIP_id_by_addr_gl, GeoIP, [], + [AC_MSG_ERROR([suitable GeoIP library not found])] ) AC_SEARCH_LIBS(fabsf, m, [], [AC_MSG_ERROR([Math library not found])] @@ -1236,6 +1249,7 @@ case $use_libtool in LIBTOOL_MODE_COMPILE='--mode=compile --tag=CC' LIBTOOL_MODE_INSTALL='--mode=install --tag=CC' LIBTOOL_MODE_LINK='--mode=link --tag=CC' + INSTALL_LIBRARY='${INSTALL_PROGRAM}' case "$host" in *) LIBTOOL_ALLOW_UNDEFINED= ;; esac @@ -1256,8 +1270,10 @@ case $use_libtool in LIBTOOL_MODE_LINK= LIBTOOL_ALLOW_UNDEFINED= LIBTOOL_IN_MAIN= + INSTALL_LIBRARY='${INSTALL_DATA}' ;; esac +AC_SUBST(INSTALL_LIBRARY) # # was --enable-native-pkcs11 specified? @@ -4487,6 +4503,7 @@ AC_CONFIG_FILES([ bin/tests/resolver/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile + bin/tests/system/builtin/Makefile bin/tests/system/conf.sh bin/tests/system/dlz/prereq.sh bin/tests/system/dlzexternal/Makefile @@ -4495,9 +4512,10 @@ AC_CONFIG_FILES([ bin/tests/system/geoip/Makefile bin/tests/system/inline/checkdsa.sh bin/tests/system/lwresd/Makefile - bin/tests/system/sit/prereq.sh + bin/tests/system/resolver/Makefile bin/tests/system/rpz/Makefile bin/tests/system/rsabigexponent/Makefile + bin/tests/system/sit/prereq.sh bin/tests/system/tkey/Makefile bin/tests/system/tsiggss/Makefile bin/tests/tasks/Makefile diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 3b8fecc3f4..83feb88c97 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -43,6 +43,7 @@ 2003 Internet Software Consortium. + @@ -70,12 +71,9 @@ BIND version 9 software package for system administrators. - - - This version of the manual corresponds to BIND version 9.10. - - + + Organization of This Document @@ -2564,10 +2562,10 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. lwres statement in named.conf. - The number of client queries that the lwresd - daemon is able to serve can be set using the - and - statements in the configuration. + The number of client queries that the lwresd + daemon is able to serve can be set using the + and + statements in the configuration. @@ -3444,63 +3442,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. - - - When BIND 9 is built with GeoIP support, - ACLs can also be used for geographic access restrictions. - This is done by specifying an ACL element of the form: - geoip db database field value - - - The field indicates which field - to search for a match. Available fields are "country", - "region", "city", "continent", "postal" (postal code), - "metro" (metro code), "area" (area code), "tz" (timezone), - "isp", "org", "asnum", "domain" and "netspeed". - - - value is the value to searched for - within the database. A string may be quoted if it contains - spaces or other special characters. If this is a "country" - search and the string is two characters long, then it must be a - standard ISO-3166-1 two-letter country code, and if it is three - characters long then it must be an ISO-3166-1 three-letter - country code; otherwise it is the full name of the country. - Similarly, if this is a "region" search and the string is - two characters long, then it must be a standard two-letter state - or province abbreviation; otherwise it is the full name of the - state or province. - - - The database field indicates which - GeoIP database to search for a match. In most cases this is - unnecessary, because most search fields can only be found in - a single database. However, searches for country can be - answered from the "city", "region", or "country" databases, - and searches for region (i.e., state or province) can be - answered from the "city" or "region" databases. For these - search types, specifying a database - will force the query to be answered from that database and no - other. If database is not - specified, then these queries will be answered from the "city", - database if it is installed, or the "region" database if it is - installed, or the "country" database, in that order. - - - Some example GeoIP ACLs: - - geoip country US; -geoip country JAP; -geoip db country country Canada; -geoip db region region WA; -geoip city "San Francisco"; -geoip region Oklahoma; -geoip postal 95062; -geoip tz "America/Los_Angeles"; -geoip org "Internet Systems Consortium"; - - - <command>controls</command> Statement Grammar @@ -4718,32 +4659,32 @@ badresp:1,adberr:0,findfail:0,valfail:0] minimum number of dots in a relative domain name that should result in an exact match lookup before search path elements are appended. - - - The statement specifies the number - of worker threads the lightweight resolver will dedicate to serving - clients. By default the number is the same as the number of CPUs on - the system; this can be overridden using the - command line option when starting the server. - - - The specifies - the number of client objects per thread the lightweight - resolver should create to serve client queries. - By default, if the lightweight resolver runs as a part - of named, 256 client objects are - created for each task; if it runs as lwresd, - 1024 client objects are created for each thread. The maximum - value is 32768; higher values will be silently ignored and - the maximum will be used instead. - Note that setting too high a value may overconsume - system resources. - - - The maximum number of client queries that the lightweight - resolver can handle at any one time equals - times . - + + + The statement specifies the number + of worker threads the lightweight resolver will dedicate to serving + clients. By default the number is the same as the number of CPUs on + the system; this can be overridden using the + command line option when starting the server. + + + The specifies + the number of client objects per thread the lightweight + resolver should create to serve client queries. + By default, if the lightweight resolver runs as a part + of named, 256 client objects are + created for each task; if it runs as lwresd, + 1024 client objects are created for each thread. The maximum + value is 32768; higher values will be silently ignored and + the maximum will be used instead. + Note that setting too high a value may overconsume + system resources. + + + The maximum number of client queries that the lightweight + resolver can handle at any one time equals + times . + <command>masters</command> Statement Grammar @@ -4855,6 +4796,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] allow-update { address_match_list }; allow-update-forwarding { address_match_list }; automatic-interface-scan { yes_or_no }; + geoip-use-ecs yes_or_no; update-check-ksk yes_or_no; dnssec-update-mode ( maintain | no-resign ); dnssec-dnskey-kskonly yes_or_no; @@ -4893,6 +4835,8 @@ badresp:1,adberr:0,findfail:0,valfail:0] tcp-clients number; reserved-sockets number; recursive-clients number; + notify-rate number; + startup-notify-rate number; serial-query-rate number; serial-queries number; tcp-listen-queue number; @@ -4929,6 +4873,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] max-ncache-ttl number; max-cache-ttl number; max-zone-ttl number ; + servfail-ttl number; sig-validity-interval number number ; sig-signing-nodes number ; sig-signing-signatures number ; @@ -4996,8 +4941,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] prefetch number number ; rate-limit { - domain domain ; - responses-per-second size number ratio fixedpoint number ; + responses-per-second number ; referrals-per-second number ; nodata-per-second number ; nxdomains-per-second number ; @@ -5015,15 +4959,15 @@ badresp:1,adberr:0,findfail:0,valfail:0] } ; response-policy { zone zone_name ; - policy given | disabled | passthru | drop | tcp-only | nxdomain | nodata | cname domain ; - recursive-only yes_or_no ; - max-policy-ttl number ; ; - recursive-only yes_or_no ; - max-policy-ttl number ; - break-dnssec yes_or_no ; - min-ns-dots number ; - qname-wait-recurse yes_or_no ; - } ; + policy given | disabled | passthru | drop | tcp-only | nxdomain | nodata | cname domain + recursive-only yes_or_no + max-policy-ttl number ; + } + recursive-only yes_or_no + max-policy-ttl number + break-dnssec yes_or_no + min-ns-dots number + qname-wait-recurse yes_or_no ; }; @@ -5793,7 +5737,7 @@ options { For convenience, TTL-style time unit suffixes can be used to specify the NTA lifetime in seconds, minutes or hours. defaults to - one hour. It cannot exceed one day. + one hour. It cannot exceed one week. @@ -5802,31 +5746,31 @@ options { nta-recheck - Species how often to check whether negative - trust anchors added via rndc nta - are still necessary. + Species how often to check whether negative + trust anchors added via rndc nta + are still necessary. - A negative trust anchor is normally used when a - domain has stopped validating due to operator error; - it temporarily disables DNSSEC validation for that - domain. In the interest of ensuring that DNSSEC - validation is turned back on as soon as possible, - named will periodically send a - query to the domain, ignoring negative trust anchors, - to find out whether it can now be validated. If so, - the negative trust anchor is allowed to expire early. + A negative trust anchor is normally used when a + domain has stopped validating due to operator error; + it temporarily disables DNSSEC validation for that + domain. In the interest of ensuring that DNSSEC + validation is turned back on as soon as possible, + named will periodically send a + query to the domain, ignoring negative trust anchors, + to find out whether it can now be validated. If so, + the negative trust anchor is allowed to expire early. - Validity checks can be disabled for an individual - NTA by using rndc nta -f, or - for all NTA's by setting - to zero. + Validity checks can be disabled for an individual + NTA by using rndc nta -f, or + for all NTA's by setting + to zero. For convenience, TTL-style time unit suffixes can be - used to specify the NTA recheck interval in seconds, - minutes or hours. The default is five minutes. + used to specify the NTA recheck interval in seconds, + minutes or hours. The default is five minutes. @@ -6237,6 +6181,20 @@ options { + + geoip-use-ecs + + + When BIND is compiled with GeoIP support and configured + with "geoip" ACL elements, this option indicates whether + the EDNS Client Subnet option, if present in a request, + should be used for matching against the GeoIP database. + The default is + geoip-use-ecs yes. + + + + has-old-clients @@ -6421,12 +6379,16 @@ options { - sit-secret + sit-secret + If set, this is a shared secret used for generating and verifying Source Identity Token EDNS options - within a anycast cluster. If not set the system - will generate a random secret at startup. + within an anycast cluster. If not set, the system + will generate a random secret at startup. The + shared secret is encoded as a hex string and needs + to be 128 bits for AES128, 160 bits for SHA1 and + 256 bits for SHA256. @@ -7823,6 +7785,31 @@ avoid-v6-udp-ports {}; + + notify-rate + + + The rate at which NOTIFY requests will be sent + during normal zone maintenance operations. (NOTIFY + requests due to initial zone loading are subject + to a separate rate limit; see below.) The default is + 20 per second. + + + + + + startup-notify-rate + + + The rate at which NOTIFY requests will be sent + when the name server is first starting up, or when + zones have been newly added to the nameserver. + The default is 20 per second. + + + + serial-query-rate @@ -7835,14 +7822,7 @@ avoid-v6-udp-ports {}; rate at which queries are sent. The value of the serial-query-rate option, an integer, is the maximum number of queries sent - per second. The default is 20. - - - In addition to controlling the rate SOA refresh - queries are issued at - serial-query-rate also controls - the rate at which NOTIFY messages are sent from - both master and slave zones. + per second. The default is 20 per second. @@ -8707,13 +8687,28 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; 1800 (30 minutes). - - Lame-ttl also controls the amount of time DNSSEC - validation failures are cached. There is a minimum - of 30 seconds applied to bad cache entries if the - lame-ttl is set to less than 30 seconds. - + + + + servfail-ttl + + + Sets the number of seconds to cache a + SERVFAIL response due to DNSSEC validation failure or + other general server failure. If set to + 0, SERVFAIL caching is disabled. + The SERVFAIL cache is not consulted if a query has + the CD (Checking Disabled) bit set; this allows a + query that failed due to DNSSEC validation to be retried + without waiting for the SERVFAIL TTL to expire. + + + The maximum value is 300 + (5 minutes); any higher value will be silently + reduced. The default is 10 + seconds. + @@ -9016,24 +9011,24 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; masterfile-style - - Specifies the formatting of zone files during dump - when the is - text. (This option is ignored - with any other .) - - - When set to relative, - records are printed in a multi-line format with owner - names expressed relative to a shared origin. When set - to full, records are printed in - a single-line format with absolute owner names. - The full format is most suitable - when a zone file needs to be processed automatically - by a script. The relative format - is more human-readable, and is thus suitable when a - zone is to be edited by hand. The default is - relative. + + Specifies the formatting of zone files during dump + when the is + text. (This option is ignored + with any other .) + + + When set to relative, + records are printed in a multi-line format with owner + names expressed relative to a shared origin. When set + to full, records are printed in + a single-line format with absolute owner names. + The full format is most suitable + when a zone file needs to be processed automatically + by a script. The relative format + is more human-readable, and is thus suitable when a + zone is to be edited by hand. The default is + relative. @@ -9046,8 +9041,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; initial value (minimum) and maximum number of recursive simultaneous clients for any given query (<qname,qtype,qclass>) that the server will accept - before dropping additional clients. - named will attempt to + before dropping additional clients. + named will attempt to self tune this value and changes will be logged. The default values are 10 and 100. @@ -10177,20 +10172,18 @@ example.com CNAME rpz-tcp-only. All non-empty responses for a valid domain name (qname) and record type (qtype) are identical and have a limit specified - by the base responses-per-second option - (that is, responses-per-second with only a - single argument and no additional modifiers). - The default is 0, which indicates that there should be no limit. + with responses-per-second + (default 0 or no limit). All empty (NODATA) responses for a valid domain, regardless of query type, are identical. Responses in the NODATA class are limited by nodata-per-second - (default base responses-per-second). + (default responses-per-second). Requests for any and all undefined subdomains of a given valid domain result in NXDOMAIN errors, and are identical regardless of query type. They are limited by nxdomains-per-second - (default base responses-per-second). + (default responses-per-second). This controls some attacks using random names, but can be relaxed or turned off (set to 0) on servers that expect many legitimate @@ -10198,7 +10191,7 @@ example.com CNAME rpz-tcp-only. Referrals or delegations to the server of a given domain are identical and are limited by referrals-per-second - (default base responses-per-second). + (default responses-per-second). @@ -10214,76 +10207,11 @@ example.com CNAME rpz-tcp-only. This controls attacks using invalid requests or distant, broken authoritative servers. By default the limit on errors is the same as the - default base responses-per-second value, + responses-per-second value, but it can be set separately with errors-per-second. - - In addition to the base - responses-per-second value, - up to four (4) additional - responses-per-second options can be - configured, with additional parameters to indicate that - they apply to responses larger than a given size, - or with an amplification factor larger than a given - value. - The size parameter sets the minimum - DNS response size that will trigger the use of this - responses-per-second option. - The ratio parameter sets the minimum - DNS response-size / request-size ratio that falls into the - band, to two decimal places. - These selective rate limits are applied after any other - rate limits have been applied, and they only apply to - positive answers. For example: - - -rate-limit { - responses-per-second 10; - responses-per-second size 1100 5; -}; - - - ...indicates that responses should be limited to ten per second - for responses up to 1099 bytes in size, but only five per second - for responses larger than that. This configuration: - - -rate-limit { - responses-per-second 10; - responses-per-second ratio 7.25 5; - responses-per-second ratio 15.00 2; -}; - - - ...indicates that responses should be limited to ten per - second if the amplification factor is below 7.25, five per - second if above 7.25 but below 15, and two per second if - above 15. - - - Both sizes and ratios can be used together. For example: - - -rate-limit { - responses-per-second 10; - responses-per-second size 1000 ratio 5.00 5; - responses-per-second ratio 10.00 2; -}; - - - This configuration will rate-limit to five per second if - the ratio is over 5 or the size is over - 1000, and to two per second if the ratio is over 10. In the - event that two bands might be chosen (i.e., because the size - is over 1000 and the ratio is over 10), - the one that appears last in the configuration file is the - one chosen. To eliminate any ambiguity, it is recommended - that under normal circumstances, rate limiting bands should - be configured using either size or - ratio parameters, but not both. - Many attacks using DNS involve UDP requests with forged source addresses. @@ -10458,6 +10386,7 @@ rate-limit { request-sit yes_or_no ; edns yes_or_no ; edns-udp-size number ; + edns-version number ; nosit-udp-size number ; max-udp-size number ; transfers number ; @@ -10560,15 +10489,15 @@ rate-limit { The request-expire clause determines - whether the local server, when acting as a slave, will - request the EDNS EXPIRE value. The EDNS EXPIRE value - indicates the remaining time before the zone data will - expire and need to be be refreshed. This is used - when a secondary server transfers a zone from another - secondary server; when transferring from the primary, the - expiration timer is set from the EXPIRE field of the SOA - record instead. - The default is yes. + whether the local server, when acting as a slave, will + request the EDNS EXPIRE value. The EDNS EXPIRE value + indicates the remaining time before the zone data will + expire and need to be be refreshed. This is used + when a secondary server transfers a zone from another + secondary server; when transferring from the primary, the + expiration timer is set from the EXPIRE field of the SOA + record instead. + The default is yes. @@ -10578,23 +10507,40 @@ rate-limit { - The edns-udp-size option sets the EDNS UDP size - that is advertised by named when querying the remote server. - Valid values are 512 to 4096 bytes (values outside this range will be - silently adjusted to the nearest value within it). This option is - useful when you wish to - advertises a different value to this server than the value you - advertise globally, for example, when there is a firewall at the - remote site that is blocking large replies. + The edns-udp-size option sets the + EDNS UDP size that is advertised by named + when querying the remote server. Valid values are 512 + to 4096 bytes (values outside this range will be silently + adjusted to the nearest value within it). This option + is useful when you wish to advertise a different value + to this server than the value you advertise globally, + for example, when there is a firewall at the remote + site that is blocking large replies. + + + + The edns-version option sets the + maximum EDNS VERSION that will be sent to the server(s) + by the resolver. The actual EDNS version sent is still + subject to normal EDNS version negotiation rules (see + RFC 6891), the maximum EDNS version supported by the + server, and any other heuristics that indicate that a + lower version should be sent. This option is intended + to be used when a remote server reacts badly to a given + EDNS version or higher; it should be set to the highest + version the remote server is known to support. Valid + values are 0 to 255; higher values will be silently + adjusted. This option will not be needed until higher + EDNS versions than 0 are in use. The max-udp-size option sets the - maximum EDNS UDP message size named will send. Valid - values are 512 to 4096 bytes (values outside this range will - be silently adjusted). This option is useful when you - know that there is a firewall that is blocking large - replies from named. + maximum EDNS UDP message size named + will send. Valid values are 512 to 4096 bytes (values + outside this range will be silently adjusted). This + option is useful when you know that there is a firewall + that is blocking large replies from named. @@ -12455,11 +12401,11 @@ example.com. NS ns2.example.net. When set to serial-update-method date;, the - new SOA serial number will be the current date - in the form "YYYYMMDD", followed by two zeroes, - unless the existing serial number is already greater - than or equal to that value, in which case it is - incremented by one. + new SOA serial number will be the current date + in the form "YYYYMMDD", followed by two zeroes, + unless the existing serial number is already greater + than or equal to that value, in which case it is + incremented by one. @@ -16181,11 +16127,11 @@ HOST-127.EXAMPLE. MX 0 . Access Control Lists Access Control Lists (ACLs) are address match lists that - you can set up and nickname for future use in allow-notify, - allow-query, allow-query-on, - allow-recursion, allow-recursion-on, + you can set up and nickname for future use in + allow-notify, allow-query, + allow-query-on, allow-recursion, blackhole, allow-transfer, - etc. + match-clients, etc. Using ACLs allows you to have finer control over who can access @@ -16195,11 +16141,17 @@ HOST-127.EXAMPLE. MX 0 . It is a good idea to use ACLs, and to control access to your server. Limiting access to your server by - outside parties can help prevent spoofing and denial of service (DoS) attacks against - your server. + outside parties can help prevent spoofing and denial of service + (DoS) attacks against your server. - Here is an example of how to properly apply ACLs: + ACLs match clients on the basis of up to three characteristics: + 1) The client's IP address; 2) the TSIG or SIG(0) key that was + used to sign the request, if any; and 3) an address prefix + encoded in an EDNS Client Subnet option, if any. + + + Here is an example of ACLs based on client addresses: @@ -16232,10 +16184,137 @@ zone "example.com" { - This allows recursive queries of the server from the outside - unless recursion has been previously disabled. + This allows authoritative queries for "example.com" from any + address, but recursive queries only from the networks specified + in "our-nets", and no queries at all from the networks + specified in "bogusnets". + + + In addition to network addresses and prefixes, which are + matched against the source address of the DNS request, ACLs + may include elements, which specify the + name of a TSIG or SIG(0) key, or + elements, which specify a network prefix but are only matched + if that prefix matches an EDNS client subnet option included + in the request. + + + The EDNS Client Subnet (ECS) option is used by a recursive + resolver to inform an authoritative name server of the network + address block from which the original query was received, enabling + authoritative servers to give different answers to the same + resolver for different resolver clients. An ACL containing + an element of the form + ecs prefix + will match if a request arrives in containing an ECS option + encoding an address within that prefix. If the request has no + ECS option, then "ecs" elements are simply ignored. Addresses + in ACLs that are not prefixed with "ecs" are matched only + against the source address. + + + When BIND 9 is built with GeoIP support, + ACLs can also be used for geographic access restrictions. + This is done by specifying an ACL element of the form: + geoip db database field value + + + The field indicates which field + to search for a match. Available fields are "country", + "region", "city", "continent", "postal" (postal code), + "metro" (metro code), "area" (area code), "tz" (timezone), + "isp", "org", "asnum", "domain" and "netspeed". + + + value is the value to search + for within the database. A string may be quoted if it + contains spaces or other special characters. If this is + an "asnum" search, then the leading "ASNNNN" string can be + used, otherwise the full description must be used (e.g. + "ASNNNN Example Company Name"). If this is a "country" + search and the string is two characters long, then it must + be a standard ISO-3166-1 two-letter country code, and if it + is three characters long then it must be an ISO-3166-1 + three-letter country code; otherwise it is the full name + of the country. Similarly, if this is a "region" search + and the string is two characters long, then it must be a + standard two-letter state or province abbreviation; + otherwise it is the full name of the state or province. + + + The database field indicates which + GeoIP database to search for a match. In most cases this is + unnecessary, because most search fields can only be found in + a single database. However, searches for country can be + answered from the "city", "region", or "country" databases, + and searches for region (i.e., state or province) can be + answered from the "city" or "region" databases. For these + search types, specifying a database + will force the query to be answered from that database and no + other. If database is not + specified, then these queries will be answered from the "city", + database if it is installed, or the "region" database if it is + installed, or the "country" database, in that order. + + + By default, if a DNS query includes an EDNS Client Subnet (ECS) + option which encodes a non-zero address prefix, then GeoIP ACLs + will be matched against that address prefix. Otherwise, they + are matched against the source address of the query. To + prevent GeoIP ACLs from matching against ECS options, set + the geoip-use-ecs to no. + + + Some example GeoIP ACLs: + + geoip country US; +geoip country JAP; +geoip db country country Canada; +geoip db region region WA; +geoip city "San Francisco"; +geoip region Oklahoma; +geoip postal 95062; +geoip tz "America/Los_Angeles"; +geoip org "Internet Systems Consortium"; + + + + ACLs use a "first-match" logic rather than "best-match": + if an address prefix matches an ACL element, then that ACL + is considered to have matched even if a later element would + have matched more specifically. For example, the ACL + { 10/8; !10.0.0.1; } would actually + match a query from 10.0.0.1, because the first element + indicated that the query should be accepted, and the second + element is ignored. + + + When using "nested" ACLs (that is, ACLs included or referenced + within other ACLs), a negative match of a nested ACL will + the containing ACL to continue looking for matches. This + enables complex ACLs to be constructed, in which multiple + client characteristics can be checked at the same time. For + example, to construct an ACL which allows queries only when + it originates from a particular network and + only when it is signed with a particular key, use: + + +allow-query { !{ !10/8; any; }; key example; }; + + + Within the nested ACL, any address that is + not in the 10/8 network prefix will + be rejected, and this will terminate processing of the + ACL. Any address that is in the 10/8 + network prefix will be accepted, but this causes a negative + match of the nested ACL, so the containing ACL continues + processing. The query will then be accepted if it is signed + by the key "example", and rejected otherwise. The ACL, then, + will only matches when both conditions + are true. + <command>Chroot</command> and <command>Setuid</command> diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html index bca9f1d43d..4a480ad5f7 100644 --- a/doc/arm/Bv9ARM.ch01.html +++ b/doc/arm/Bv9ARM.ch01.html @@ -45,17 +45,17 @@

Table of Contents

-
Scope of Document
-
Organization of This Document
-
Conventions Used in This Document
-
The Domain Name System (DNS)
+
Scope of Document
+
Organization of This Document
+
Conventions Used in This Document
+
The Domain Name System (DNS)
-
DNS Fundamentals
-
Domains and Domain Names
-
Zones
-
Authoritative Name Servers
-
Caching Name Servers
-
Name Servers in Multiple Roles
+
DNS Fundamentals
+
Domains and Domain Names
+
Zones
+
Authoritative Name Servers
+
Caching Name Servers
+
Name Servers in Multiple Roles
@@ -71,7 +71,7 @@

-Scope of Document

+Scope of Document

The Berkeley Internet Name Domain (BIND) implements a @@ -81,13 +81,11 @@ BIND version 9 software package for system administrators.

-

- This version of the manual corresponds to BIND version 9.10. -

+

This version of the manual corresponds to BIND version 9.11.

-Organization of This Document

+Organization of This Document

In this document, Chapter 1 introduces the basic DNS and BIND concepts. Chapter 2 @@ -116,7 +114,7 @@

-Conventions Used in This Document

+Conventions Used in This Document

In this document, we use the following general typographic conventions: @@ -243,7 +241,7 @@

-The Domain Name System (DNS)

+The Domain Name System (DNS)

The purpose of this document is to explain the installation and upkeep of the BIND (Berkeley Internet @@ -253,7 +251,7 @@

-DNS Fundamentals

+DNS Fundamentals

The Domain Name System (DNS) is a hierarchical, distributed database. It stores information for mapping Internet host names to @@ -275,7 +273,7 @@

-Domains and Domain Names

+Domains and Domain Names

The data stored in the DNS is identified by domain names that are organized as a tree according to organizational or administrative boundaries. Each node of the tree, @@ -321,7 +319,7 @@

-Zones

+Zones

To properly operate a name server, it is important to understand the difference between a zone @@ -374,7 +372,7 @@

-Authoritative Name Servers

+Authoritative Name Servers

Each zone is served by at least one authoritative name server, @@ -391,7 +389,7 @@

-The Primary Master

+The Primary Master

The authoritative server where the master copy of the zone data is maintained is called the @@ -411,7 +409,7 @@

-Slave Servers

+Slave Servers

The other authoritative servers, the slave servers (also known as secondary servers) @@ -427,7 +425,7 @@

-Stealth Servers

+Stealth Servers

Usually all of the zone's authoritative servers are listed in NS records in the parent zone. These NS records constitute @@ -462,7 +460,7 @@

-Caching Name Servers

+Caching Name Servers

The resolver libraries provided by most operating systems are stub resolvers, meaning that they are not @@ -489,7 +487,7 @@

-Forwarding

+Forwarding

Even a caching name server does not necessarily perform the complete recursive lookup itself. Instead, it can @@ -516,7 +514,7 @@

-Name Servers in Multiple Roles

+Name Servers in Multiple Roles

The BIND name server can simultaneously act as @@ -558,5 +556,6 @@ +

BIND Version 9.11

diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html index 29110dfcd5..ae8e38f851 100644 --- a/doc/arm/Bv9ARM.ch02.html +++ b/doc/arm/Bv9ARM.ch02.html @@ -45,16 +45,16 @@

Table of Contents

-
Hardware requirements
-
CPU Requirements
-
Memory Requirements
-
Name Server Intensive Environment Issues
-
Supported Operating Systems
+
Hardware requirements
+
CPU Requirements
+
Memory Requirements
+
Name Server Intensive Environment Issues
+
Supported Operating Systems

-Hardware requirements

+Hardware requirements

DNS hardware requirements have traditionally been quite modest. @@ -73,7 +73,7 @@

-CPU Requirements

+CPU Requirements

CPU requirements for BIND 9 range from i486-class machines @@ -84,7 +84,7 @@

-Memory Requirements

+Memory Requirements

The memory of the server has to be large enough to fit the cache and zones loaded off disk. The max-cache-size @@ -107,7 +107,7 @@

-Name Server Intensive Environment Issues

+Name Server Intensive Environment Issues

For name server intensive environments, there are two alternative configurations that may be used. The first is where clients and @@ -124,7 +124,7 @@

-Supported Operating Systems

+Supported Operating Systems

ISC BIND 9 compiles and runs on a large number @@ -154,5 +154,6 @@ +

BIND Version 9.11

diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html index 8ecab5f5fc..265295e0e2 100644 --- a/doc/arm/Bv9ARM.ch03.html +++ b/doc/arm/Bv9ARM.ch03.html @@ -47,14 +47,14 @@
Sample Configurations
-
A Caching-only Name Server
-
An Authoritative-only Name Server
+
A Caching-only Name Server
+
An Authoritative-only Name Server
-
Load Balancing
-
Name Server Operations
+
Load Balancing
+
Name Server Operations
-
Tools for Use With the Name Server Daemon
-
Signals
+
Tools for Use With the Name Server Daemon
+
Signals
@@ -68,7 +68,7 @@ Sample Configurations

-A Caching-only Name Server

+A Caching-only Name Server

The following sample configuration is appropriate for a caching-only name server for use by clients internal to a corporation. All @@ -98,7 +98,7 @@ zone "0.0.127.in-addr.arpa" {

-An Authoritative-only Name Server

+An Authoritative-only Name Server

This sample configuration is for an authoritative-only server that is the master server for "example.com" @@ -146,7 +146,7 @@ zone "eng.example.com" {

-Load Balancing

+Load Balancing

A primitive form of load balancing can be achieved in the DNS by using multiple records @@ -289,10 +289,10 @@ zone "eng.example.com" {

-Name Server Operations

+Name Server Operations

-Tools for Use With the Name Server Daemon

+Tools for Use With the Name Server Daemon

This section describes several indispensable diagnostic, administrative and monitoring tools available to the system @@ -606,7 +606,7 @@ controls {

-Signals

+Signals

Certain UNIX signals cause the name server to take specific actions, as described in the following table. These signals can @@ -671,5 +671,6 @@ controls { +

BIND Version 9.11

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index 5c24645407..f81ee5d58a 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -49,65 +49,65 @@
Dynamic Update
The journal file
Incremental Zone Transfers (IXFR)
-
Split DNS
-
Example split DNS setup
+
Split DNS
+
Example split DNS setup
TSIG
-
Generate Shared Keys for Each Pair of Hosts
-
Copying the Shared Secret to Both Machines
-
Informing the Servers of the Key's Existence
-
Instructing the Server to Use the Key
-
TSIG Key Based Access Control
-
Errors
+
Generate Shared Keys for Each Pair of Hosts
+
Copying the Shared Secret to Both Machines
+
Informing the Servers of the Key's Existence
+
Instructing the Server to Use the Key
+
TSIG Key Based Access Control
+
Errors
-
TKEY
-
SIG(0)
+
TKEY
+
SIG(0)
DNSSEC
-
Generating Keys
-
Signing the Zone
-
Configuring Servers
+
Generating Keys
+
Signing the Zone
+
Configuring Servers
DNSSEC, Dynamic Zones, and Automatic Signing
-
Converting from insecure to secure
-
Dynamic DNS update method
-
Fully automatic zone signing
-
Private-type records
-
DNSKEY rollovers
-
Dynamic DNS update method
-
Automatic key rollovers
-
NSEC3PARAM rollovers via UPDATE
-
Converting from NSEC to NSEC3
-
Converting from NSEC3 to NSEC
-
Converting from secure to insecure
-
Periodic re-signing
-
NSEC3 and OPTOUT
+
Converting from insecure to secure
+
Dynamic DNS update method
+
Fully automatic zone signing
+
Private-type records
+
DNSKEY rollovers
+
Dynamic DNS update method
+
Automatic key rollovers
+
NSEC3PARAM rollovers via UPDATE
+
Converting from NSEC to NSEC3
+
Converting from NSEC3 to NSEC
+
Converting from secure to insecure
+
Periodic re-signing
+
NSEC3 and OPTOUT
Dynamic Trust Anchor Management
-
Validating Resolver
-
Authoritative Server
+
Validating Resolver
+
Authoritative Server
PKCS#11 (Cryptoki) support
-
Prerequisites
-
Native PKCS#11
-
OpenSSL-based PKCS#11
-
PKCS#11 Tools
-
Using the HSM
-
Specifying the engine on the command line
-
Running named with automatic zone re-signing
+
Prerequisites
+
Native PKCS#11
+
OpenSSL-based PKCS#11
+
PKCS#11 Tools
+
Using the HSM
+
Specifying the engine on the command line
+
Running named with automatic zone re-signing
DLZ (Dynamically Loadable Zones)
-
Configuring DLZ
-
Sample DLZ Driver
+
Configuring DLZ
+
Sample DLZ Driver
-
IPv6 Support in BIND 9
+
IPv6 Support in BIND 9
-
Address Lookups Using AAAA Records
-
Address to Name Lookups Using Nibble Format
+
Address Lookups Using AAAA Records
+
Address to Name Lookups Using Nibble Format
@@ -271,7 +271,7 @@

-Split DNS

+Split DNS

Setting up different views, or visibility, of the DNS space to internal and external resolvers is usually referred to as a @@ -301,7 +301,7 @@

-Example split DNS setup

+Example split DNS setup

Let's say a company named Example, Inc. (example.com) @@ -558,7 +558,7 @@ nameserver 172.16.72.4

-Generate Shared Keys for Each Pair of Hosts

+Generate Shared Keys for Each Pair of Hosts

A shared secret is generated to be shared between host1 and host2. An arbitrary key name is chosen: "host1-host2.". The key name must @@ -566,7 +566,7 @@ nameserver 172.16.72.4

-Automatic Generation

+Automatic Generation

The following command will generate a 128-bit (16 byte) HMAC-SHA256 key as described above. Longer keys are better, but shorter keys @@ -590,7 +590,7 @@ nameserver 172.16.72.4

-Manual Generation

+Manual Generation

The shared secret is simply a random sequence of bits, encoded in base-64. Most ASCII strings are valid base-64 strings (assuming @@ -605,7 +605,7 @@ nameserver 172.16.72.4

-Copying the Shared Secret to Both Machines

+Copying the Shared Secret to Both Machines

This is beyond the scope of DNS. A secure transport mechanism should be used. This could be secure FTP, ssh, telephone, etc. @@ -613,7 +613,7 @@ nameserver 172.16.72.4

-Informing the Servers of the Key's Existence

+Informing the Servers of the Key's Existence

Imagine host1 and host 2 are @@ -640,7 +640,7 @@ key host1-host2. {

-Instructing the Server to Use the Key

+Instructing the Server to Use the Key

Since keys are shared between two hosts only, the server must be told when keys are to be used. The following is added to the named.conf file @@ -672,7 +672,7 @@ server 10.1.2.3 {

-TSIG Key Based Access Control

+TSIG Key Based Access Control

BIND allows IP addresses and ranges to be specified in ACL @@ -699,7 +699,7 @@ allow-update { key host1-host2. ;};

-Errors

+Errors

The processing of TSIG signed messages can result in several errors. If a signed message is sent to a non-TSIG aware @@ -725,7 +725,7 @@ allow-update { key host1-host2. ;};

-TKEY

+TKEY

TKEY is a mechanism for automatically generating a shared secret between two hosts. There are several "modes" of @@ -761,7 +761,7 @@ allow-update { key host1-host2. ;};

-SIG(0)

+SIG(0)

BIND 9 partially supports DNSSEC SIG(0) transaction signatures as specified in RFC 2535 and RFC 2931. @@ -822,7 +822,7 @@ allow-update { key host1-host2. ;};

-Generating Keys

+Generating Keys

The dnssec-keygen program is used to generate keys. @@ -878,7 +878,7 @@ allow-update { key host1-host2. ;};

-Signing the Zone

+Signing the Zone

The dnssec-signzone program is used to sign a zone. @@ -920,7 +920,7 @@ allow-update { key host1-host2. ;};

-Configuring Servers

+Configuring Servers

To enable named to respond appropriately to DNS requests from DNSSEC aware clients, @@ -1080,7 +1080,7 @@ options { from insecure to signed and back again. A secure zone can use either NSEC or NSEC3 chains.

-Converting from insecure to secure

+Converting from insecure to secure

Changing a zone from insecure to secure can be done in two ways: using a dynamic DNS update, or the auto-dnssec zone option.

@@ -1106,7 +1106,7 @@ options { well. An NSEC chain will be generated as part of the initial signing process.

-Dynamic DNS update method

+Dynamic DNS update method

To insert the keys via dynamic update:

         % nsupdate
@@ -1142,7 +1142,7 @@ options {
 
While the initial signing and NSEC/NSEC3 chain generation
   is happening, other updates are possible as well.

 

-Fully automatic zone signing

+Fully automatic zone signing
 
To enable automatic signing, add the 
   auto-dnssec option to the zone statement in 
   named.conf. 
@@ -1198,7 +1198,7 @@ options {
   configuration. If this has not been done, the configuration will
   fail.

 

-Private-type records

+Private-type records
 
The state of the signing process is signaled by
   private-type records (with a default type value of 65534). When
   signing is complete, these records will have a nonzero value for
@@ -1239,12 +1239,12 @@ options {
 

   

 

-DNSKEY rollovers

+DNSKEY rollovers
 
As with insecure-to-secure conversions, rolling DNSSEC
   keys can be done in two ways: using a dynamic DNS update, or the 
   auto-dnssec zone option.

 

-Dynamic DNS update method

+Dynamic DNS update method
 
 To perform key rollovers via dynamic update, you need to add
   the K* files for the new keys so that 
   named can find them. You can then add the new
@@ -1266,7 +1266,7 @@ options {
   named will clean out any signatures generated
   by the old key after the update completes.

 

-Automatic key rollovers

+Automatic key rollovers
 
When a new key reaches its activation date (as set by
   dnssec-keygen or dnssec-settime),
   if the auto-dnssec zone option is set to 
@@ -1281,27 +1281,27 @@ options {
   completes in 30 days, after which it will be safe to remove the
   old key from the DNSKEY RRset.

 

-NSEC3PARAM rollovers via UPDATE

+NSEC3PARAM rollovers via UPDATE
 
Add the new NSEC3PARAM record via dynamic update. When the
   new NSEC3 chain has been generated, the NSEC3PARAM flag field
   will be zero. At this point you can remove the old NSEC3PARAM
   record. The old chain will be removed after the update request
   completes.

 

-Converting from NSEC to NSEC3

+Converting from NSEC to NSEC3
 
To do this, you just need to add an NSEC3PARAM record. When
   the conversion is complete, the NSEC chain will have been removed
   and the NSEC3PARAM record will have a zero flag field. The NSEC3
   chain will be generated before the NSEC chain is
   destroyed.

 

-Converting from NSEC3 to NSEC

+Converting from NSEC3 to NSEC
 
To do this, use nsupdate to
   remove all NSEC3PARAM records with a zero flag
   field. The NSEC chain will be generated before the NSEC3 chain is
   removed.

 

-Converting from secure to insecure

+Converting from secure to insecure
 
To convert a signed zone to unsigned using dynamic DNS,
   delete all the DNSKEY records from the zone apex using
   nsupdate. All signatures, NSEC or NSEC3 chains,
@@ -1316,14 +1316,14 @@ options {
   allow instead (or it will re-sign).
   

 

-Periodic re-signing

+Periodic re-signing
 
In any secure zone which supports dynamic updates, named
   will periodically re-sign RRsets which have not been re-signed as
   a result of some update action. The signature lifetimes will be
   adjusted so as to spread the re-sign load over time rather than
   all at once.

 

-NSEC3 and OPTOUT

+NSEC3 and OPTOUT
 

   named only supports creating new NSEC3 chains
   where all the NSEC3 records in the zone have the same OPTOUT
@@ -1345,7 +1345,7 @@ options {
   configuration files.

 

 

-Validating Resolver

+Validating Resolver

 
To configure a validating resolver to use RFC 5011 to
     maintain a trust anchor, configure the trust anchor using a 
     managed-keys statement. Information about
@@ -1356,7 +1356,7 @@ options {
 
 

 

-Authoritative Server

+Authoritative Server

 
To set up an authoritative zone for RFC 5011 trust anchor
     maintenance, generate two (or more) key signing keys (KSKs) for
     the zone. Sign the zone with one of them; this is the "active"
@@ -1452,7 +1452,7 @@ $ dnssec-signzone -S -K keys example.net<
   

 

 

-Prerequisites

+Prerequisites

 

       See the documentation provided by your HSM vendor for
       information about installing, initializing, testing and
@@ -1461,7 +1461,7 @@ $ dnssec-signzone -S -K keys example.net<
 
 

 

-Native PKCS#11

+Native PKCS#11

 

       Native PKCS#11 mode will only work with an HSM capable of carrying
       out every cryptographic operation BIND 9 may
@@ -1495,7 +1495,7 @@ $ ./configure --enable-native-pkcs11 \
 
 

 

-OpenSSL-based PKCS#11

+OpenSSL-based PKCS#11

 

       OpenSSL-based PKCS#11 mode uses a modified version of the
       OpenSSL library; stock OpenSSL does not fully support PKCS#11.
@@ -1553,7 +1553,7 @@ $ ./configure --enable-native-pkcs11 \
     

 

 

-Patching OpenSSL

+Patching OpenSSL

 
 $ wget http://www.openssl.org/source/openssl-0.9.8y.tar.gz
   

@@ -1586,7 +1586,7 @@ $ patch -p1 -d openssl-0.9.8y \
 
 

 

-Building OpenSSL for the AEP Keyper on Linux

+Building OpenSSL for the AEP Keyper on Linux

 

         The AEP Keyper is a highly secure key storage device,
         but does not provide hardware cryptographic acceleration. It
@@ -1628,7 +1628,7 @@ $ ./Configure linux-generic32 -m32 -pthread \
 
 

 

-Building OpenSSL for the SCA 6000 on Solaris

+Building OpenSSL for the SCA 6000 on Solaris

 

         The SCA-6000 PKCS#11 provider is installed as a system
         library, libpkcs11. It is a true crypto accelerator, up to 4
@@ -1657,7 +1657,7 @@ $ ./Configure solaris64-x86_64-cc \
 
 

 

-Building OpenSSL for SoftHSM

+Building OpenSSL for SoftHSM

 

         SoftHSM is a software library provided by the OpenDNSSEC
         project (http://www.opendnssec.org) which provides a PKCS#11
@@ -1730,7 +1730,7 @@ $ ./Configure linux-x86_64 -pthread \
     

 

 

-Configuring BIND 9 for Linux with the AEP Keyper

+Configuring BIND 9 for Linux with the AEP Keyper

 

         To link with the PKCS#11 provider, threads must be
         enabled in the BIND 9 build.
@@ -1750,7 +1750,7 @@ $ ./configure CC="gcc -m32" --enable-threads \
 
 

 

-Configuring BIND 9 for Solaris with the SCA 6000

+Configuring BIND 9 for Solaris with the SCA 6000

 

         To link with the PKCS#11 provider, threads must be
         enabled in the BIND 9 build.
@@ -1772,7 +1772,7 @@ $ ./configure CC="cc -xarch=amd64" --enable-thre
 
 

 

-Configuring BIND 9 for SoftHSM

+Configuring BIND 9 for SoftHSM

 
 $ cd ../bind9
 $ ./configure --enable-threads \
@@ -1793,7 +1793,7 @@ $ ./configure --enable-threads \
 
 

 

-PKCS#11 Tools

+PKCS#11 Tools

 

       BIND 9 includes a minimal set of tools to operate the
       HSM, including 
@@ -1816,7 +1816,7 @@ $ ./configure --enable-threads \
 
 

 

-Using the HSM

+Using the HSM

 

       For OpenSSL-based PKCS#11, we must first set up the runtime
       environment so the OpenSSL and PKCS#11 libraries can be loaded:
@@ -1937,7 +1937,7 @@ example.net.signed
 
 

 

-Specifying the engine on the command line

+Specifying the engine on the command line

 

       When using OpenSSL-based PKCS#11, the "engine" to be used by
       OpenSSL can be specified in named and all of
@@ -1969,7 +1969,7 @@ $ dnssec-signzone -E '' -S example.net
 

 

-Running named with automatic zone re-signing

+Running named with automatic zone re-signing

 

       If you want named to dynamically re-sign zones
       using HSM keys, and/or to to sign new records inserted via nsupdate,
@@ -2056,7 +2056,7 @@ $ dnssec-signzone -E '' -S example.net
 

 

-Configuring DLZ

+Configuring DLZ

 

       A DLZ database is configured with a dlz
       statement in named.conf:
@@ -2105,7 +2105,7 @@ $ dnssec-signzone -E '' -S example.net
 

 

-Sample DLZ Driver

+Sample DLZ Driver

 

       For guidance in implementation of DLZ modules, the directory
       contrib/dlz/example contains a basic
@@ -2155,7 +2155,7 @@ $ dnssec-signzone -E '' -S example.net
 

 

-IPv6 Support in BIND 9

+IPv6 Support in BIND 9

 

         BIND 9 fully supports all currently
         defined forms of IPv6 name to address and address to name
@@ -2193,7 +2193,7 @@ $ dnssec-signzone -E '' -S example.net
 

 

-Address Lookups Using AAAA Records

+Address Lookups Using AAAA Records

 

           The IPv6 AAAA record is a parallel to the IPv4 A record,
           and, unlike the deprecated A6 record, specifies the entire
@@ -2212,7 +2212,7 @@ host            3600    IN      AAAA    2001:db8::1
 
 

 

-Address to Name Lookups Using Nibble Format

+Address to Name Lookups Using Nibble Format

 

           When looking up an address in nibble format, the address
           components are simply reversed, just as in IPv4, and
@@ -2247,5 +2247,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 
 
 
+
BIND Version 9.11

 
 
diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html
index f2ebbb5650..4b6d19b5d6 100644
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@@ -45,13 +45,13 @@
 

 
Table of Contents

 

-
The Lightweight Resolver Library

+
The Lightweight Resolver Library

 
Running a Resolver Daemon

 

 

 

 

-The Lightweight Resolver Library

+The Lightweight Resolver Library

 

         Traditionally applications have been linked with a stub resolver
         library that sends recursive DNS queries to a local caching name
@@ -145,5 +145,6 @@
 
 
 
+
BIND Version 9.11

 
 
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index f3122b292d..dc47d30e88 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -48,58 +48,58 @@
 
Configuration File Elements

 

 
Address Match Lists

-
Comment Syntax

+
Comment Syntax

 

 
Configuration File Grammar

 

-
acl Statement Grammar

+
acl Statement Grammar

 
acl Statement Definition and
           Usage

-
controls Statement Grammar

+
controls Statement Grammar

 
controls Statement Definition and
           Usage

-
include Statement Grammar

-
include Statement Definition and
+
include Statement Grammar

+
include Statement Definition and
           Usage

-
key Statement Grammar

-
key Statement Definition and Usage

-
logging Statement Grammar

-
logging Statement Definition and
+
key Statement Grammar

+
key Statement Definition and Usage

+
logging Statement Grammar

+
logging Statement Definition and
           Usage

-
lwres Statement Grammar

-
lwres Statement Definition and Usage

-
masters Statement Grammar

-
masters Statement Definition and
+
lwres Statement Grammar

+
lwres Statement Definition and Usage

+
masters Statement Grammar

+
masters Statement Definition and
           Usage

-
options Statement Grammar

+
options Statement Grammar

 
options Statement Definition and
           Usage

 
server Statement Grammar

 
server Statement Definition and
             Usage

 
statistics-channels Statement Grammar

-
statistics-channels Statement Definition and
+
statistics-channels Statement Definition and
             Usage

 
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Definition
             and Usage

-
managed-keys Statement Grammar

+
managed-keys Statement Grammar

 
managed-keys Statement Definition
             and Usage

 
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Definition and Usage

 
zone
             Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 

-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 
Additional File Formats

 

 
BIND9 Statistics

@@ -503,7 +503,7 @@
 Address Match Lists
 

 

-Syntax

+Syntax

 
address_match_list = address_match_list_element ;
   [ address_match_list_element; ... ]
 address_match_list_element = [ ! ] (ip_address [/length] |
@@ -512,7 +512,7 @@
 
 

 

-Definition and Usage

+Definition and Usage

 

             Address match lists are primarily used to determine access
             control for various server operations. They are also used in
@@ -596,7 +596,7 @@
 
 

 

-Comment Syntax

+Comment Syntax

 

           The BIND 9 comment syntax allows for
           comments to appear
@@ -606,7 +606,7 @@
         

 

 

-Syntax

+Syntax

 

             

 
/* This is a BIND comment as in C */

@@ -622,7 +622,7 @@
 
 

 

-Definition and Usage

+Definition and Usage

 

             Comments may appear anywhere that whitespace may appear in
             a BIND configuration file.
@@ -876,7 +876,7 @@
       

 

 

-acl Statement Grammar

+acl Statement Grammar

 
acl acl-name {
     address_match_list
 };
@@ -960,64 +960,10 @@
 
 
 
-

-          When BIND 9 is built with GeoIP support,
-          ACLs can also be used for geographic access restrictions.
-          This is done by specifying an ACL element of the form:
-          geoip [db database] field value
-        

-

-          The field indicates which field
-          to search for a match.  Available fields are "country",
-          "region", "city", "continent", "postal" (postal code),
-          "metro" (metro code), "area" (area code), "tz" (timezone),
-          "isp", "org", "asnum", "domain" and "netspeed".
-        

-

-          value is the value to searched for
-          within the database.  A string may be quoted if it contains
-          spaces or other special characters.  If this is a "country"
-          search and the string is two characters long, then it must be a
-          standard ISO-3166-1 two-letter country code, and if it is three
-          characters long then it must be an ISO-3166-1 three-letter
-          country code; otherwise it is the full name of the country.
-          Similarly, if this is a "region" search and the string is
-          two characters long, then it must be a standard two-letter state
-          or province abbreviation; otherwise it is the full name of the
-          state or province.
-        

-

-          The database field indicates which
-          GeoIP database to search for a match.  In most cases this is
-          unnecessary, because most search fields can only be found in
-          a single database.  However, searches for country can be
-          answered from the "city", "region", or "country" databases,
-          and searches for region (i.e., state or province) can be
-          answered from the "city" or "region" databases.  For these
-          search types, specifying a database
-          will force the query to be answered from that database and no
-          other.  If database is not
-          specified, then these queries will be answered from the "city",
-          database if it is installed, or the "region" database if it is
-          installed, or the "country" database, in that order.
-        

-

-          Some example GeoIP ACLs:
-        

-
geoip country US;
-geoip country JAP;
-geoip db country country Canada;
-geoip db region region WA;
-geoip city "San Francisco";
-geoip region Oklahoma;
-geoip postal 95062;
-geoip tz "America/Los_Angeles";
-geoip org "Internet Systems Consortium";
-

 
 

 

-controls Statement Grammar

+controls Statement Grammar

 
controls {
    [ inet ( ip_addr | * ) [ port ip_port ]
                 allow {  address_match_list  }
@@ -1141,12 +1087,12 @@ geoip org "Internet Systems Consortium";
 
 

 

-include Statement Grammar

+include Statement Grammar

 
include filename;

 
 

 

-include Statement Definition and
+include Statement Definition and
           Usage

 

           The include statement inserts the
@@ -1161,7 +1107,7 @@ geoip org "Internet Systems Consortium";
 

 

 

-key Statement Grammar

+key Statement Grammar

 
key key_id {
     algorithm string;
     secret string;
@@ -1170,7 +1116,7 @@ geoip org "Internet Systems Consortium";
 
 

 

-key Statement Definition and Usage

+key Statement Definition and Usage

 

           The key statement defines a shared
           secret key for use with TSIG (see the section called “TSIG”)
@@ -1217,7 +1163,7 @@ geoip org "Internet Systems Consortium";
 
 

 

-logging Statement Grammar

+logging Statement Grammar

 
logging {
    [ channel channel_name {
      ( file path_name
@@ -1241,7 +1187,7 @@ geoip org "Internet Systems Consortium";
 
 

 

-logging Statement Definition and
+logging Statement Definition and
           Usage

 

           The logging statement configures a
@@ -1275,7 +1221,7 @@ geoip org "Internet Systems Consortium";
         

 

 

-The channel Phrase

+The channel Phrase

 

             All log output goes to one or more channels;
             you can make as many of them as you want.
@@ -1888,7 +1834,7 @@ category notify { null; };
 
 

 

-The query-errors Category

+The query-errors Category

 

             The query-errors category is
             specifically intended for debugging purposes: To identify
@@ -2116,7 +2062,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 
 

 

-lwres Statement Grammar

+lwres Statement Grammar

 

            This is the grammar of the lwres
           statement in the named.conf file:
@@ -2134,7 +2080,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 
 

 

-lwres Statement Definition and Usage

+lwres Statement Definition and Usage

 

           The lwres statement configures the
           name
@@ -2210,7 +2156,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 
 

 

-masters Statement Grammar

+masters Statement Grammar

 
 masters name [port ip_port] [dscp ip_dscp] { ( masters_list | 
       ip_addr [port ip_port] [key key] ) ; [...] };
@@ -2218,7 +2164,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 
 

 

-masters Statement Definition and
+masters Statement Definition and
           Usage

 
masters
           lists allow for a common set of masters to be easily used by
@@ -2228,7 +2174,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 

 

 

-options Statement Grammar

+options Statement Grammar

 

           This is the grammar of the options
           statement in the named.conf file:
@@ -2315,6 +2261,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
     [ allow-update { address_match_list }; ]
     [ allow-update-forwarding { address_match_list }; ]
     [ automatic-interface-scan { yes_or_no }; ]
+    [ geoip-use-ecs yes_or_no;]
     [ update-check-ksk yes_or_no; ]
     [ dnssec-update-mode ( maintain | no-resign ); ]
     [ dnssec-dnskey-kskonly yes_or_no; ]
@@ -2353,6 +2300,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
     [ tcp-clients number; ]
     [ reserved-sockets number; ]
     [ recursive-clients number; ]
+    [ notify-rate number; ]
+    [ startup-notify-rate number; ]
     [ serial-query-rate number; ]
     [ serial-queries number; ]
     [ tcp-listen-queue number; ]
@@ -2389,6 +2338,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
     [ max-ncache-ttl number; ]
     [ max-cache-ttl number; ]
     [ max-zone-ttl number ; ]
+    [ servfail-ttl number; ]
     [ sig-validity-interval number [number] ; ]
     [ sig-signing-nodes number ; ]
     [ sig-signing-signatures number ; ]
@@ -2456,8 +2406,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
     [ prefetch number [number] ; ]
 
     [ rate-limit {
-        [ domain domain ; ]
-        [ responses-per-second [size number] [ratio fixedpoint] number ; ]
+        [ responses-per-second number ; ]
         [ referrals-per-second number ; ]
         [ nodata-per-second number ; ]
         [ nxdomains-per-second number ; ]
@@ -2475,15 +2424,15 @@ badresp:1,adberr:0,findfail:0,valfail:0]
     } ; ]
     [ response-policy {
         zone zone_name ;
-        [ policy given | disabled | passthru | drop | tcp-only | nxdomain | nodata | cname domain ; ]
-        [ recursive-only yes_or_no ; ]
-        [ max-policy-ttl number ; ] ;
-        [ recursive-only yes_or_no ; ]
-        [ max-policy-ttl number ; ]
-        [ break-dnssec yes_or_no ; ]
-        [ min-ns-dots number ; ]
-        [ qname-wait-recurse yes_or_no ; ]
-    } ; ]
+        [ policy given | disabled | passthru | drop | tcp-only | nxdomain | nodata | cname domain ]
+        [ recursive-only yes_or_no ]
+        [ max-policy-ttl number ] ;
+        }
+        [ recursive-only yes_or_no ]
+        [ max-policy-ttl number ]
+        [ break-dnssec yes_or_no ]
+        [ min-ns-dots number ]
+        [ qname-wait-recurse yes_or_no ] ; ]
 };
 

 
@@ -3102,7 +3051,7 @@ options {
                   For convenience, TTL-style time unit suffixes can be
                   used to specify the NTA lifetime in seconds, minutes
                   or hours.  nta-lifetime defaults to
-                  one hour.  It cannot exceed one day.
+                  one hour.  It cannot exceed one week.
                 

 
 
nta-recheck

@@ -3489,6 +3438,15 @@ options {
                   is
                   flush-zones-on-shutdown no.
                 

+
geoip-use-ecs

+

+                  When BIND is compiled with GeoIP support and configured
+                  with "geoip" ACL elements, this option indicates whether
+                  the EDNS Client Subnet option, if present in a request,
+                  should be used for matching against the GeoIP database.
+                  The default is 
+                  geoip-use-ecs yes.
+                

 
has-old-clients

 

                   This option was incorrectly implemented
@@ -3628,8 +3586,11 @@ options {
 

                   If set, this is a shared secret used for generating
                   and verifying Source Identity Token EDNS options
-                  within a anycast cluster.  If not set the system
-                  will generate a random secret at startup.
+                  within an anycast cluster.  If not set, the system
+                  will generate a random secret at startup.  The
+                  shared secret is encoded as a hex string and needs
+                  to be 128 bits for AES128, 160 bits for SHA1 and
+                  256 bits for SHA256.
                 

 
rfc2308-type1

 

@@ -4149,7 +4110,7 @@ options {
 
 

 

-Forwarding

+Forwarding

 

             The forwarding facility can be used to create a large site-wide
             cache on a few servers, reducing traffic over links to external
@@ -4193,7 +4154,7 @@ options {
 
 

 

-Dual-stack Servers

+Dual-stack Servers

 

             Dual-stack servers are used as servers of last resort to work
             around
@@ -4461,7 +4422,7 @@ options {
 
 

 

-Interfaces

+Interfaces

 

             The interfaces and ports that the server will answer queries
             from may be specified using the listen-on option. listen-on takes
@@ -4740,9 +4701,23 @@ avoid-v6-udp-ports {};
                   minutes (1
                   hour).  The maximum value is 28 days (40320 minutes).
                 

+
notify-rate

+

+                  The rate at which NOTIFY requests will be sent
+                  during normal zone maintenance operations. (NOTIFY
+                  requests due to initial zone loading are subject
+                  to a separate rate limit; see below.) The default is
+                  20 per second.
+                

+
startup-notify-rate

+

+                  The rate at which NOTIFY requests will be sent
+                  when the name server is first starting up, or when
+                  zones have been newly added to the nameserver.
+                  The default is 20 per second.
+                

 
serial-query-rate

-

-

+

                   Slave servers will periodically query master
                   servers to find out if zone serial numbers have
                   changed. Each such query uses a minute amount of
@@ -4751,16 +4726,8 @@ avoid-v6-udp-ports {};
                   rate at which queries are sent.  The value of the
                   serial-query-rate option, an
                   integer, is the maximum number of queries sent
-                  per second.  The default is 20.
-                

-

-                  In addition to controlling the rate SOA refresh
-                  queries are issued at
-                  serial-query-rate also controls
-                  the rate at which NOTIFY messages are sent from
-                  both master and slave zones.
-                

-

+                  per second.  The default is 20 per second.
+                

 
serial-queries

 

                   In BIND 8, the serial-queries
@@ -4926,7 +4893,7 @@ avoid-v6-udp-ports {};
 
 

 

-UDP Port Lists

+UDP Port Lists

 

             use-v4-udp-ports,
             avoid-v4-udp-ports,
@@ -4968,7 +4935,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
 

 

-Operating System Resource Limits

+Operating System Resource Limits

 

             The server's usage of many system resources can be limited.
             Scaled values are allowed when specifying resource limits.  For
@@ -5129,7 +5096,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
 

 

-Periodic Task Intervals

+Periodic Task Intervals

 

 
cleaning-interval

 

@@ -5452,20 +5419,31 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 Tuning

 

 
lame-ttl

-

-

+

                   Sets the number of seconds to cache a
                   lame server indication. 0 disables caching. (This is
                   NOT recommended.)
                   The default is 600 (10 minutes) and the
                   maximum value is
                   1800 (30 minutes).
+                

+
servfail-ttl

+

+

+                  Sets the number of seconds to cache a
+                  SERVFAIL response due to DNSSEC validation failure or
+                  other general server failure.  If set to
+                  0, SERVFAIL caching is disabled.
+                  The SERVFAIL cache is not consulted if a query has
+                  the CD (Checking Disabled) bit set; this allows a
+                  query that failed due to DNSSEC validation to be retried
+                  without waiting for the SERVFAIL TTL to expire.
                 

 

-                  Lame-ttl also controls the amount of time DNSSEC
-                  validation failures are cached.  There is a minimum
-                  of 30 seconds applied to bad cache entries if the
-                  lame-ttl is set to less than 30 seconds.
+                  The maximum value is 300
+                  (5 minutes); any higher value will be silently
+                  reduced.  The default is 10
+                  seconds.
                 

 

 
max-ncache-ttl

@@ -6170,7 +6148,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 

 

 

-Content Filtering

+Content Filtering

 

             BIND 9 provides the ability to filter
             out DNS responses from external DNS servers containing
@@ -6293,7 +6271,7 @@ deny-answer-aliases { "example.net"; };
 
 

 

-Response Policy Zone (RPZ) Rewriting

+Response Policy Zone (RPZ) Rewriting

 

             BIND 9 includes a limited
             mechanism to modify DNS responses for requests
@@ -6664,7 +6642,7 @@ example.com                 CNAME   rpz-tcp-only.
 
 

 

-Response Rate Limiting

+Response Rate Limiting

 

             Excessive almost identical UDP responses
             can be controlled by configuring a
@@ -6717,20 +6695,18 @@ example.com                 CNAME   rpz-tcp-only.
 

             All non-empty responses for a valid domain name (qname)
             and record type (qtype) are identical and have a limit specified
-            by the base responses-per-second option
-            (that is, responses-per-second with only a
-            single argument and no additional modifiers).
-            The default is 0, which indicates that there should be no limit.
+            with responses-per-second
+            (default 0 or no limit).
             All empty (NODATA) responses for a valid domain,
             regardless of query type, are identical.
             Responses in the NODATA class are limited by
             nodata-per-second
-            (default base responses-per-second).
+            (default responses-per-second).
             Requests for any and all undefined subdomains of a given
             valid domain result in NXDOMAIN errors, and are identical
             regardless of query type.
             They are limited by nxdomains-per-second
-            (default base responses-per-second).
+            (default responses-per-second).
             This controls some attacks using random names, but
             can be relaxed or turned off (set to 0)
             on servers that expect many legitimate
@@ -6738,7 +6714,7 @@ example.com                 CNAME   rpz-tcp-only.
             Referrals or delegations to the server of a given
             domain are identical and are limited by
             referrals-per-second
-            (default base responses-per-second).
+            (default responses-per-second).
           

 

             Responses generated from local wildcards are counted and limited
@@ -6752,75 +6728,10 @@ example.com                 CNAME   rpz-tcp-only.
             This controls attacks using invalid requests or distant,
             broken authoritative servers.
             By default the limit on errors is the same as the
-            default base responses-per-second value,
+            responses-per-second value,
             but it can be set separately with
             errors-per-second.
           

-

-            In addition to the base 
-            responses-per-second value,
-            up to four (4) additional
-            responses-per-second options can be
-            configured, with additional parameters to indicate that
-            they apply to responses larger than a given size,
-            or with an amplification factor larger than a given
-            value.
-            The size parameter sets the minimum
-            DNS response size that will trigger the use of this 
-            responses-per-second option.
-            The ratio parameter sets the minimum
-            DNS response-size / request-size ratio that falls into the
-            band, to two decimal places.
-            These selective rate limits are applied after any other
-            rate limits have been applied, and they only apply to
-            positive answers. For example:
-          

-
-rate-limit {
-  responses-per-second 10;
-  responses-per-second size 1100 5;
-};
-

-

-            ...indicates that responses should be limited to ten per second
-            for responses up to 1099 bytes in size, but only five per second
-            for responses larger than that. This configuration:
-          

-
-rate-limit {
-  responses-per-second 10;
-  responses-per-second ratio 7.25 5;
-  responses-per-second ratio 15.00 2;
-};
-

-

-            ...indicates that responses should be limited to ten per
-            second if the amplification factor is below 7.25, five per
-            second if above 7.25 but below 15, and two per second if
-            above 15.
-          

-

-            Both sizes and ratios can be used together. For example:
-          

-
-rate-limit {
-  responses-per-second 10;
-  responses-per-second size 1000 ratio 5.00 5;
-  responses-per-second ratio 10.00 2;
-};
-

-

-            This configuration will rate-limit to five per second if
-            the ratio is over 5 or the size is over
-            1000, and to two per second if the ratio is over 10. In the
-            event that two bands might be chosen (i.e., because the size
-            is over 1000 and the ratio is over 10),
-            the one that appears last in the configuration file is the
-            one chosen.  To eliminate any ambiguity, it is recommended
-            that under normal circumstances, rate limiting bands should
-            be configured using either size or
-            ratio parameters, but not both.
-          

 

             Many attacks using DNS involve UDP requests with forged source
             addresses.
@@ -6984,6 +6895,7 @@ rate-limit {
     [ request-sit yes_or_no ; ]
     [ edns yes_or_no ; ]
     [ edns-udp-size number ; ]
+    [ edns-version number ; ]
     [ nosit-udp-size number ; ]
     [ max-udp-size number ; ]
     [ transfers number ; ]
@@ -7095,22 +7007,38 @@ rate-limit {
             with the remote server.  The default is yes.
           

 

-            The edns-udp-size option sets the EDNS UDP size
-            that is advertised by named when querying the remote server.
-            Valid values are 512 to 4096 bytes (values outside this range will be
-            silently adjusted to the nearest value within it).  This option is
-            useful when you wish to
-            advertises a different value to this server than the value you
-            advertise globally, for example, when there is a firewall at the
-            remote site that is blocking large replies.
+            The edns-udp-size option sets the
+            EDNS UDP size that is advertised by named
+            when querying the remote server.  Valid values are 512
+            to 4096 bytes (values outside this range will be silently
+            adjusted to the nearest value within it).  This option
+            is useful when you wish to advertise a different value
+            to this server than the value you advertise globally,
+            for example, when there is a firewall at the remote
+            site that is blocking large replies.
+          

+

+            The edns-version option sets the
+            maximum EDNS VERSION that will be sent to the server(s)
+            by the resolver.  The actual EDNS version sent is still
+            subject to normal EDNS version negotiation rules (see
+            RFC 6891), the maximum EDNS version supported by the
+            server, and any other heuristics that indicate that a
+            lower version should be sent.  This option is intended
+            to be used when a remote server reacts badly to a given
+            EDNS version or higher; it should be set to the highest
+            version the remote server is known to support.  Valid
+            values are 0 to 255; higher values will be silently
+            adjusted.  This option will not be needed until higher
+            EDNS versions than 0 are in use.
           

 

             The max-udp-size option sets the
-            maximum EDNS UDP message size named will send.  Valid
-            values are 512 to 4096 bytes (values outside this range will
-            be silently adjusted).  This option is useful when you
-            know that there is a firewall that is blocking large
-            replies from named.
+            maximum EDNS UDP message size named
+            will send.  Valid values are 512 to 4096 bytes (values
+            outside this range will be silently adjusted).  This
+            option is useful when you know that there is a firewall
+            that is blocking large replies from named.
           

 

             The nosit-udp-size option sets the
@@ -7221,7 +7149,7 @@ rate-limit {
 
 

 

-statistics-channels Statement Definition and
+statistics-channels Statement Definition and
             Usage

 

           The statistics-channels statement
@@ -7337,7 +7265,7 @@ rate-limit {
 

 

 

-trusted-keys Statement Definition
+trusted-keys Statement Definition
             and Usage

 

             The trusted-keys statement defines
@@ -7381,7 +7309,7 @@ rate-limit {
 

 

 

-managed-keys Statement Grammar

+managed-keys Statement Grammar

 
managed-keys {
     name initial-key flags protocol algorithm key-data ;
     [ name initial-key flags protocol algorithm key-data ; [...]]
@@ -7519,7 +7447,7 @@ rate-limit {
 
 

 

-view Statement Definition and Usage

+view Statement Definition and Usage

 

             The view statement is a powerful
             feature
@@ -7841,10 +7769,10 @@ zone zone_name [
 

 

-zone Statement Definition and Usage

+zone Statement Definition and Usage

 

 

-Zone Types

+Zone Types

 
@@ -8162,7 +8090,7 @@ zone zone_name [
 

 

-Class

+Class

 

               The zone's name may optionally be followed by a class. If
               a class is not specified, class IN (for Internet),
@@ -8184,7 +8112,7 @@ zone zone_name [
 

 

-Zone Options

+Zone Options

 

 
allow-notify

 

@@ -9115,7 +9043,7 @@ example.com. NS ns2.example.net.
 

 

 

-Multiple views

+Multiple views

 

               When multiple views are in use, a zone may be
               referenced by more than one of them. Often, the views
@@ -9166,7 +9094,7 @@ view external {
 
 

 

-Zone File

+Zone File

 

 

 Types of Resource Records and When to Use Them

@@ -9179,7 +9107,7 @@ view external {
           

 

 

-Resource Records

+Resource Records

 

               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
@@ -9916,7 +9844,7 @@ view external {
 
 

 

-Textual expression of RRs

+Textual expression of RRs

 

               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
@@ -10119,7 +10047,7 @@ view external {
 
 

 

-Discussion of MX Records

+Discussion of MX Records

 

             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
@@ -10374,7 +10302,7 @@ view external {
 
 

 

-Inverse Mapping in IPv4

+Inverse Mapping in IPv4

 

             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the in-addr.arpa domain
@@ -10435,7 +10363,7 @@ view external {
 
 

 

-Other Zone File Directives

+Other Zone File Directives

 

             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
@@ -10450,7 +10378,7 @@ view external {
           

 

 

-The @ (at-sign)

+The @ (at-sign)

 

               When used in the label (or name) field, the asperand or
               at-sign (@) symbol represents the current origin.
@@ -10461,7 +10389,7 @@ view external {
 
 

 

-The $ORIGIN Directive

+The $ORIGIN Directive

 

               Syntax: $ORIGIN
               domain-name
@@ -10490,7 +10418,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-The $INCLUDE Directive

+The $INCLUDE Directive

 

               Syntax: $INCLUDE
               filename
@@ -10526,7 +10454,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-The $TTL Directive

+The $TTL Directive

 

               Syntax: $TTL
               default-ttl
@@ -10545,7 +10473,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-BIND Master File Extension: the  $GENERATE Directive

+BIND Master File Extension: the  $GENERATE Directive

 

             Syntax: $GENERATE
             range
@@ -10988,7 +10916,7 @@ HOST-127.EXAMPLE. MX 0 .
           

 

 

-Name Server Statistics Counters

+Name Server Statistics Counters

 

 
 

@@ -11584,7 +11512,7 @@ HOST-127.EXAMPLE. MX 0 .
 

 

-Zone Maintenance Statistics Counters

+Zone Maintenance Statistics Counters

 
 

 
 
@@ -11738,7 +11666,7 @@ HOST-127.EXAMPLE. MX 0 .
 

 

-Resolver Statistics Counters

+Resolver Statistics Counters

 
 

 
 
@@ -12121,7 +12049,7 @@ HOST-127.EXAMPLE. MX 0 .
 

 

-Socket I/O Statistics Counters

+Socket I/O Statistics Counters

               Socket I/O statistics counters are defined per socket
               types, which are
@@ -12276,7 +12204,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 

 

-Compatibility with BIND 8 Counters

+Compatibility with BIND 8 Counters

               Most statistics counters that were available
               in BIND 8 are also supported in
@@ -12328,5 +12256,6 @@ HOST-127.EXAMPLE. MX 0 .
 
 

 
 

 
 
 

 

+
BIND Version 9.11

 
 
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 13cb548639..26bc45a4bb 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -46,10 +46,10 @@
 
Table of Contents

 

 
Access Control Lists

-
Chroot and Setuid

+
Chroot and Setuid

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

@@ -59,11 +59,11 @@
 Access Control Lists
 

           Access Control Lists (ACLs) are address match lists that
-          you can set up and nickname for future use in allow-notify,
-          allow-query, allow-query-on,
-          allow-recursion, allow-recursion-on,
+          you can set up and nickname for future use in
+          allow-notify, allow-query,
+          allow-query-on, allow-recursion,
           blackhole, allow-transfer,
-          etc.
+          match-clients, etc.
         

 

           Using ACLs allows you to have finer control over who can access
@@ -73,11 +73,17 @@
 

           It is a good idea to use ACLs, and to
           control access to your server. Limiting access to your server by
-          outside parties can help prevent spoofing and denial of service (DoS) attacks against
-          your server.
+          outside parties can help prevent spoofing and denial of service
+          (DoS) attacks against your server.
         

 

-          Here is an example of how to properly apply ACLs:
+          ACLs match clients on the basis of up to three characteristics:
+          1) The client's IP address; 2) the TSIG or SIG(0) key that was
+          used to sign the request, if any; and 3) an address prefix
+          encoded in an EDNS Client Subnet option, if any.
+        

+

+          Here is an example of ACLs based on client addresses:
         

 
 // Set up an ACL named "bogusnets" that will block
@@ -108,13 +114,138 @@ zone "example.com" {
 };
 

 

-          This allows recursive queries of the server from the outside
-          unless recursion has been previously disabled.
+          This allows authoritative queries for "example.com" from any
+          address, but recursive queries only from the networks specified
+          in "our-nets", and no queries at all from the networks
+          specified in "bogusnets".
+        

+

+          In addition to network addresses and prefixes, which are
+          matched against the source address of the DNS request, ACLs
+          may include key elements, which specify the
+          name of a TSIG or SIG(0) key, or ecs
+          elements, which specify a network prefix but are only matched
+          if that prefix matches an EDNS client subnet option included
+          in the request.
+        

+

+          The EDNS Client Subnet (ECS) option is used by a recursive
+          resolver to inform an authoritative name server of the network
+          address block from which the original query was received, enabling
+          authoritative servers to give different answers to the same
+          resolver for different resolver clients.  An ACL containing
+          an element of the form
+          ecs prefix
+          will match if a request arrives in containing an ECS option
+          encoding an address within that prefix.  If the request has no
+          ECS option, then "ecs" elements are simply ignored.  Addresses
+          in ACLs that are not prefixed with "ecs" are matched only
+          against the source address.
+        

+

+          When BIND 9 is built with GeoIP support,
+          ACLs can also be used for geographic access restrictions.
+          This is done by specifying an ACL element of the form:
+          geoip [db database] field value
+        

+

+          The field indicates which field
+          to search for a match.  Available fields are "country",
+          "region", "city", "continent", "postal" (postal code),
+          "metro" (metro code), "area" (area code), "tz" (timezone),
+          "isp", "org", "asnum", "domain" and "netspeed".
+        

+

+          value is the value to search
+          for within the database.  A string may be quoted if it
+          contains spaces or other special characters.  If this is
+          an "asnum" search, then the leading "ASNNNN" string can be
+          used, otherwise the full description must be used (e.g.
+          "ASNNNN Example Company Name").  If this is a "country"
+          search and the string is two characters long, then it must
+          be a standard ISO-3166-1 two-letter country code, and if it
+          is three characters long then it must be an ISO-3166-1
+          three-letter country code; otherwise it is the full name
+          of the country.  Similarly, if this is a "region" search
+          and the string is two characters long, then it must be a
+          standard two-letter state or province abbreviation;
+          otherwise it is the full name of the state or province.
+        

+

+          The database field indicates which
+          GeoIP database to search for a match.  In most cases this is
+          unnecessary, because most search fields can only be found in
+          a single database.  However, searches for country can be
+          answered from the "city", "region", or "country" databases,
+          and searches for region (i.e., state or province) can be
+          answered from the "city" or "region" databases.  For these
+          search types, specifying a database
+          will force the query to be answered from that database and no
+          other.  If database is not
+          specified, then these queries will be answered from the "city",
+          database if it is installed, or the "region" database if it is
+          installed, or the "country" database, in that order.
+        

+

+          By default, if a DNS query includes an EDNS Client Subnet (ECS)
+          option which encodes a non-zero address prefix, then GeoIP ACLs
+          will be matched against that address prefix.  Otherwise, they
+          are matched against the source address of the query.  To
+          prevent GeoIP ACLs from matching against ECS options, set
+          the geoip-use-ecs to no.
+        

+

+          Some example GeoIP ACLs:
+        

+
geoip country US;
+geoip country JAP;
+geoip db country country Canada;
+geoip db region region WA;
+geoip city "San Francisco";
+geoip region Oklahoma;
+geoip postal 95062;
+geoip tz "America/Los_Angeles";
+geoip org "Internet Systems Consortium";
+

+

+          ACLs use a "first-match" logic rather than "best-match":
+          if an address prefix matches an ACL element, then that ACL
+          is considered to have matched even if a later element would
+          have matched more specifically.  For example, the ACL
+           { 10/8; !10.0.0.1; } would actually
+          match a query from 10.0.0.1, because the first element
+          indicated that the query should be accepted, and the second
+          element is ignored.
+        

+

+          When using "nested" ACLs (that is, ACLs included or referenced
+          within other ACLs), a negative match of a nested ACL will
+          the containing ACL to continue looking for matches.  This
+          enables complex ACLs to be constructed, in which multiple
+          client characteristics can be checked at the same time. For
+          example, to construct an ACL which allows queries only when
+          it originates from a particular network and
+          only when it is signed with a particular key, use:
+        

+
+allow-query { !{ !10/8; any; }; key example; };
+

+

+          Within the nested ACL, any address that is
+          not in the 10/8 network prefix will
+          be rejected, and this will terminate processing of the
+          ACL.  Any address that is in the 10/8
+          network prefix will be accepted, but this causes a negative
+          match of the nested ACL, so the containing ACL continues
+          processing. The query will then be accepted if it is signed
+          by the key "example", and rejected otherwise.  The ACL, then,
+          will only matches when both conditions
+          are true.
         

 
 

 

-Chroot and Setuid
+Chroot and Setuid
 

 

           On UNIX servers, it is possible to run BIND
@@ -140,7 +271,7 @@ zone "example.com" {
         

 

 

-The chroot Environment

+The chroot Environment

 

             In order for a chroot environment
             to
@@ -168,7 +299,7 @@ zone "example.com" {
 
 

 

-Using the setuid Function

+Using the setuid Function

 

             Prior to running the named daemon,
             use
@@ -247,5 +378,6 @@ zone "example.com" {
 
 
 
+
BIND Version 9.11

 
 
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index e8ef6c0e7d..0a273fbd2c 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -45,18 +45,18 @@
 

 
Table of Contents

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 

 

 

-Common Problems

+Common Problems

 

 

-It's not working; how can I figure out what's wrong?

+It's not working; how can I figure out what's wrong?

 

             The best solution to solving installation and
             configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
 
 

 

-Incrementing and Changing the Serial Number

+Incrementing and Changing the Serial Number

 

           Zone serial numbers are just numbers — they aren't
           date related.  A lot of people set them to a number that
@@ -95,7 +95,7 @@
 
 

 

-Where Can I Get Help?

+Where Can I Get Help?

 

           The Internet Systems Consortium
           (ISC) offers a wide range
@@ -135,5 +135,6 @@
 
 
 
+
BIND Version 9.11

 
 
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 512357019c..5cf350e8f6 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -45,31 +45,31 @@
 

 
Table of Contents

 

-
Acknowledgments

+
Acknowledgments

 
A Brief History of the DNS and BIND

-
General DNS Reference Information

+
General DNS Reference Information

 
IPv6 addresses (AAAA)

 
Bibliography (and Suggested Reading)

 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 
BIND 9 DNS Library Support

 

-
Prerequisite

-
Compilation

-
Installation

-
Known Defects/Restrictions

-
The dns.conf File

-
Sample Applications

-
Library References

+
Prerequisite

+
Compilation

+
Installation

+
Known Defects/Restrictions

+
The dns.conf File

+
Sample Applications

+
Library References

 

 

 

 

 

-Acknowledgments

+Acknowledgments

 

 

 A Brief History of the DNS and BIND
@@ -172,7 +172,7 @@
 

 

 

-General DNS Reference Information

+General DNS Reference Information

 

 

 IPv6 addresses (AAAA)

@@ -260,17 +260,17 @@
           

 

 

-Bibliography

+Bibliography

 

 
Standards

 

-
[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 

+
[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 

 

 

-
[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 

+
[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 

 

 

-
[RFC1035] P. V. Mockapetris. Domain Names — Implementation and
+
[RFC1035] P. V. Mockapetris. Domain Names — Implementation and
                   Specification. November 1987. 

 

 

@@ -278,42 +278,42 @@
 

 Proposed Standards

 

-
[RFC2181] R., R. Bush Elz. Clarifications to the DNS
+
[RFC2181] R., R. Bush Elz. Clarifications to the DNS
                   Specification. July 1997. 

 

 

-
[RFC2308] M. Andrews. Negative Caching of DNS
+
[RFC2308] M. Andrews. Negative Caching of DNS
                   Queries. March 1998. 

 

 

-
[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 

+
[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 

 

 

-
[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 

+
[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 

 

 

-
[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 

+
[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 

 

 

-
[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 

+
[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 

 

 

-
[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 

+
[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 

 

 

-
[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 

+
[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 

 

 

-
[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 

+
[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 

 

 

-
[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 

+
[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 

 

 

-
[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 

+
[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 

 

 

-
[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
+
[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
                        Key Transaction Authentication for DNS
                        (GSS-TSIG). October 2003. 

 

@@ -322,19 +322,19 @@
 

 DNS Security Proposed Standards

 

-
[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 

+
[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 

 

 

-
[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 

+
[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 

 

 

-
[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 

+
[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 

 

 

-
[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 

+
[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 

 

 

-
[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
+
[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
                        Security Extensions. March 2005. 

 

 
@@ -342,146 +342,146 @@
 
Other Important RFCs About DNS
                 Implementation

 

-
[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
+
[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
                   Deployed DNS Software. October 1993. 

 

 

-
[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
+
[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
                   Errors and Suggested Fixes. October 1993. 

 

 

-
[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 

+
[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 

 

 

-
[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
+
[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
                 Queries for IPv6 Addresses. May 2005. 

 

 
 

 
Resource Record Types

 

-
[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 

+
[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 

 

 

-
[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 

+
[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 

 

 

-
[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
+
[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
                   the Domain Name System. June 1997. 

 

 

-
[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
+
[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
                   Domain
                   Name System. January 1996. 

 

 

-
[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
+
[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
                   Location of
                   Services. October 1996. 

 

 

-
[RFC2163] A. Allocchio. Using the Internet DNS to
+
[RFC2163] A. Allocchio. Using the Internet DNS to
                   Distribute MIXER
                   Conformant Global Address Mapping. January 1998. 

 

 

-
[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 

+
[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 

 

 

-
[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 

+
[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 

 

 

-
[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 

+
[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 

 

 

-
[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 

+
[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 

 

 

-
[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 

+
[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 

 

 

-
[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 

+
[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 

 

 

-
[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 

+
[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 

 

 

-
[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 

+
[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 

 

 

-
[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 

+
[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 

 

 

-
[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 

+
[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 

 

 

-
[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
+
[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
                   version 6. October 2003. 

 

 

-
[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 

+
[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 

 

 

 

 

 DNS and the Internet

 

-
[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
+
[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
                   and Other Types. April 1989. 

 

 

-
[RFC1123] Braden. Requirements for Internet Hosts - Application and
+
[RFC1123] Braden. Requirements for Internet Hosts - Application and
                   Support. October 1989. 

 

 

-
[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 

+
[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 

 

 

-
[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 

+
[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 

 

 

-
[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 

+
[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 

 

 

-
[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 

+
[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 

 

 

 

 

 DNS Operations

 

-
[RFC1033] M. Lottor. Domain administrators operations guide. November 1987. 

+
[RFC1033] M. Lottor. Domain administrators operations guide. November 1987. 

 

 

-
[RFC1537] P. Beertema. Common DNS Data File
+
[RFC1537] P. Beertema. Common DNS Data File
                   Configuration Errors. October 1993. 

 

 

-
[RFC1912] D. Barr. Common DNS Operational and
+
[RFC1912] D. Barr. Common DNS Operational and
                   Configuration Errors. February 1996. 

 

 

-
[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers. October 1996. 

+
[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers. October 1996. 

 

 

-
[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
+
[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
                   Network Services. October 1997. 

 

 

 

 
Internationalized Domain Names

 

-
[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
+
[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
                        and the Other Internet protocols. May 2000. 

 

 

-
[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 

+
[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 

 

 

-
[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 

+
[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 

 

 

-
[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
+
[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
                        for Internationalized Domain Names in
                        Applications (IDNA). March 2003. 

 

@@ -497,47 +497,47 @@
                 

 

 

-
[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
+
[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
                   Attributes. May 1993. 

 

 

-
[RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 

+
[RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 

 

 

-
[RFC1794] T. Brisco. DNS Support for Load
+
[RFC1794] T. Brisco. DNS Support for Load
                   Balancing. April 1995. 

 

 

-
[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 

+
[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 

 

 

-
[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 

+
[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 

 

 

-
[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 

+
[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 

 

 

-
[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 

+
[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 

 

 

-
[RFC3258] T. Hardie. Distributing Authoritative Name Servers via
+
[RFC3258] T. Hardie. Distributing Authoritative Name Servers via
                        Shared Unicast Addresses. April 2002. 

 

 

-
[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 

+
[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 

 

 
 

 
Obsolete and Unimplemented Experimental RFC

 

-
[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
+
[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
                   Location. November 1994. 

 

 

-
[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 

+
[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 

 

 

-
[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
+
[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
                        and Renumbering. July 2000. 

 

 

@@ -551,39 +551,39 @@
                 

 
 

-
[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 

+
[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 

 

 

-
[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 

+
[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 

 

 

-
[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 

+
[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 

 

 

-
[RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
+
[RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
                        Signing Authority. November 2000. 

 

 

-
[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 

+
[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 

 

 

-
[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 

+
[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 

 

 

-
[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 

+
[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 

 

 

-
[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 

+
[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 

 

 

-
[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 

+
[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 

 

 

-
[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
+
[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
                       (RR) Secure Entry Point (SEP) Flag. April 2004. 

 

 

-
[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 

+
[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 

 

 
 
@@ -604,14 +604,14 @@
 
 

 

-Other Documents About BIND
+Other Documents About BIND
 

 

 

 

-Bibliography

+Bibliography

 

-
Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 

+
Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 

 

 
 
@@ -648,7 +648,7 @@
 
 

 

-Prerequisite

+Prerequisite

 
GNU make is required to build the export libraries (other
   part of BIND 9 can still be built with other types of make). In
   the reminder of this document, "make" means GNU make. Note that
@@ -657,7 +657,7 @@
 
 

 

-Compilation

+Compilation

 
 $ ./configure --enable-exportlib [other flags]
 $ make
@@ -672,7 +672,7 @@ $ make
 
 

 

-Installation

+Installation

 
 $ cd lib/export
 $ make install
@@ -694,7 +694,7 @@ $ make install
 
 

 

-Known Defects/Restrictions

+Known Defects/Restrictions

 
    
 
  • Currently, win32 is not supported for the export
       library. (Normal BIND 9 application can be built as
@@ -734,7 +734,7 @@ $ make
 

 

 

-The dns.conf File

+The dns.conf File

 
The IRS library supports an "advanced" configuration file
   related to the DNS library for configuration parameters that
   would be beyond the capability of the
@@ -752,14 +752,14 @@ $ make
 
 

 

-Sample Applications

+Sample Applications

 
Some sample application programs using this API are
   provided for reference. The following is a brief description of
   these applications.
   

 

 

-sample: a simple stub resolver utility

+sample: a simple stub resolver utility

 

   It sends a query of a given name (of a given optional RR type) to a
   specified recursive server, and prints the result as a list of
@@ -823,7 +823,7 @@ $ make
 
 

 

-sample-async: a simple stub resolver, working asynchronously

+sample-async: a simple stub resolver, working asynchronously

 

   Similar to "sample", but accepts a list
   of (query) domain names as a separate file and resolves the names
@@ -864,7 +864,7 @@ $ make
 
 

 

-sample-request: a simple DNS transaction client

+sample-request: a simple DNS transaction client

 

   It sends a query to a specified server, and
   prints the response with minimal processing. It doesn't act as a
@@ -905,7 +905,7 @@ $ make
 
 

 

-sample-gai: getaddrinfo() and getnameinfo() test code

+sample-gai: getaddrinfo() and getnameinfo() test code

 

   This is a test program
   to check getaddrinfo() and getnameinfo() behavior. It takes a
@@ -922,7 +922,7 @@ $ make
 
 

 

-sample-update: a simple dynamic update client program

+sample-update: a simple dynamic update client program

 

   It accepts a single update command as a
   command-line argument, sends an update request message to the
@@ -1017,7 +1017,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm
 
 

 

-nsprobe: domain/name server checker in terms of RFC 4074

+nsprobe: domain/name server checker in terms of RFC 4074

 

   It checks a set
   of domains to see the name servers of the domains behave
@@ -1074,7 +1074,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm
 
 

 

-Library References

+Library References

 
As of this writing, there is no formal "manual" of the
   libraries, except this document, header files (some of them
   provide pretty detailed explanations), and sample application
@@ -1099,5 +1099,6 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm
 
 
 
+
BIND Version 9.11

 
 
diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html
index f56b663526..1ae240ee48 100644
--- a/doc/arm/Bv9ARM.ch10.html
+++ b/doc/arm/Bv9ARM.ch10.html
@@ -149,5 +149,6 @@
 
 
 
+
BIND Version 9.11

 
 
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index edfe1d93c3..4bb7bf5a59 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -40,7 +40,8 @@
 

 

 

-BIND 9 Administrator Reference Manual

+BIND 9 Administrator Reference Manual

+
BIND Version 9.11.0pre-alpha

 
Copyright © 2004-2014 Internet Systems Consortium, Inc. ("ISC")

 
Copyright © 2000-2003 Internet Software Consortium.

 

@@ -51,39 +52,39 @@
 

 
1. Introduction

 

-
Scope of Document

-
Organization of This Document

-
Conventions Used in This Document

-
The Domain Name System (DNS)

+
Scope of Document

+
Organization of This Document

+
Conventions Used in This Document

+
The Domain Name System (DNS)

 

-
DNS Fundamentals

-
Domains and Domain Names

-
Zones

-
Authoritative Name Servers

-
Caching Name Servers

-
Name Servers in Multiple Roles

+
DNS Fundamentals

+
Domains and Domain Names

+
Zones

+
Authoritative Name Servers

+
Caching Name Servers

+
Name Servers in Multiple Roles

 

 

 
2. BIND Resource Requirements

 

-
Hardware requirements

-
CPU Requirements

-
Memory Requirements

-
Name Server Intensive Environment Issues

-
Supported Operating Systems

+
Hardware requirements

+
CPU Requirements

+
Memory Requirements

+
Name Server Intensive Environment Issues

+
Supported Operating Systems

 

 
3. Name Server Configuration

 

 
Sample Configurations

 

-
A Caching-only Name Server

-
An Authoritative-only Name Server

+
A Caching-only Name Server

+
An Authoritative-only Name Server

 

-
Load Balancing

-
Name Server Operations

+
Load Balancing

+
Name Server Operations

 

-
Tools for Use With the Name Server Daemon

-
Signals

+
Tools for Use With the Name Server Daemon

+
Signals

 

 

 
4. Advanced DNS Features

@@ -92,70 +93,70 @@
 
Dynamic Update

 
The journal file

 
Incremental Zone Transfers (IXFR)

-
Split DNS

-
Example split DNS setup

+
Split DNS

+
Example split DNS setup

 
TSIG

 

-
Generate Shared Keys for Each Pair of Hosts

-
Copying the Shared Secret to Both Machines

-
Informing the Servers of the Key's Existence

-
Instructing the Server to Use the Key

-
TSIG Key Based Access Control

-
Errors

+
Generate Shared Keys for Each Pair of Hosts

+
Copying the Shared Secret to Both Machines

+
Informing the Servers of the Key's Existence

+
Instructing the Server to Use the Key

+
TSIG Key Based Access Control

+
Errors

 

-
TKEY

-
SIG(0)

+
TKEY

+
SIG(0)

 
DNSSEC

 

-
Generating Keys

-
Signing the Zone

-
Configuring Servers

+
Generating Keys

+
Signing the Zone

+
Configuring Servers

 

 
DNSSEC, Dynamic Zones, and Automatic Signing

 

-
Converting from insecure to secure

-
Dynamic DNS update method

-
Fully automatic zone signing

-
Private-type records

-
DNSKEY rollovers

-
Dynamic DNS update method

-
Automatic key rollovers

-
NSEC3PARAM rollovers via UPDATE

-
Converting from NSEC to NSEC3

-
Converting from NSEC3 to NSEC

-
Converting from secure to insecure

-
Periodic re-signing

-
NSEC3 and OPTOUT

+
Converting from insecure to secure

+
Dynamic DNS update method

+
Fully automatic zone signing

+
Private-type records

+
DNSKEY rollovers

+
Dynamic DNS update method

+
Automatic key rollovers

+
NSEC3PARAM rollovers via UPDATE

+
Converting from NSEC to NSEC3

+
Converting from NSEC3 to NSEC

+
Converting from secure to insecure

+
Periodic re-signing

+
NSEC3 and OPTOUT

 

 
Dynamic Trust Anchor Management

 

-
Validating Resolver

-
Authoritative Server

+
Validating Resolver

+
Authoritative Server

 

 
PKCS#11 (Cryptoki) support

 

-
Prerequisites

-
Native PKCS#11

-
OpenSSL-based PKCS#11

-
PKCS#11 Tools

-
Using the HSM

-
Specifying the engine on the command line

-
Running named with automatic zone re-signing

+
Prerequisites

+
Native PKCS#11

+
OpenSSL-based PKCS#11

+
PKCS#11 Tools

+
Using the HSM

+
Specifying the engine on the command line

+
Running named with automatic zone re-signing

 

 
DLZ (Dynamically Loadable Zones)

 

-
Configuring DLZ

-
Sample DLZ Driver

+
Configuring DLZ

+
Sample DLZ Driver

 

-
IPv6 Support in BIND 9

+
IPv6 Support in BIND 9

 

-
Address Lookups Using AAAA Records

-
Address to Name Lookups Using Nibble Format

+
Address Lookups Using AAAA Records

+
Address to Name Lookups Using Nibble Format

 

 

 
5. The BIND 9 Lightweight Resolver

 

-
The Lightweight Resolver Library

+
The Lightweight Resolver Library

 
Running a Resolver Daemon

 

 
6. BIND 9 Configuration Reference

@@ -163,58 +164,58 @@
 
Configuration File Elements

 

 
Address Match Lists

-
Comment Syntax

+
Comment Syntax

 

 
Configuration File Grammar

 

-
acl Statement Grammar

+
acl Statement Grammar

 
acl Statement Definition and
           Usage

-
controls Statement Grammar

+
controls Statement Grammar

 
controls Statement Definition and
           Usage

-
include Statement Grammar

-
include Statement Definition and
+
include Statement Grammar

+
include Statement Definition and
           Usage

-
key Statement Grammar

-
key Statement Definition and Usage

-
logging Statement Grammar

-
logging Statement Definition and
+
key Statement Grammar

+
key Statement Definition and Usage

+
logging Statement Grammar

+
logging Statement Definition and
           Usage

-
lwres Statement Grammar

-
lwres Statement Definition and Usage

-
masters Statement Grammar

-
masters Statement Definition and
+
lwres Statement Grammar

+
lwres Statement Definition and Usage

+
masters Statement Grammar

+
masters Statement Definition and
           Usage

-
options Statement Grammar

+
options Statement Grammar

 
options Statement Definition and
           Usage

 
server Statement Grammar

 
server Statement Definition and
             Usage

 
statistics-channels Statement Grammar

-
statistics-channels Statement Definition and
+
statistics-channels Statement Definition and
             Usage

 
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Definition
             and Usage

-
managed-keys Statement Grammar

+
managed-keys Statement Grammar

 
managed-keys Statement Definition
             and Usage

 
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Definition and Usage

 
zone
             Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 

-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 
Additional File Formats

 

 
BIND9 Statistics

@@ -223,41 +224,41 @@
 
7. BIND 9 Security Considerations

 

 
Access Control Lists

-
Chroot and Setuid

+
Chroot and Setuid

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

 
8. Troubleshooting

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 
A. Appendices

 

-
Acknowledgments

+
Acknowledgments

 
A Brief History of the DNS and BIND

-
General DNS Reference Information

+
General DNS Reference Information

 
IPv6 addresses (AAAA)

 
Bibliography (and Suggested Reading)

 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 
BIND 9 DNS Library Support

 

-
Prerequisite

-
Compilation

-
Installation

-
Known Defects/Restrictions

-
The dns.conf File

-
Sample Applications

-
Library References

+
Prerequisite

+
Compilation

+
Installation

+
Known Defects/Restrictions

+
The dns.conf File

+
Sample Applications

+
Library References

 

 

 
I. Manual pages

@@ -363,5 +364,6 @@
 
 
 
+
BIND Version 9.11

 
 
diff --git a/doc/arm/Makefile.in b/doc/arm/Makefile.in
index 3ecf4af90b..5bae2b2e47 100644
--- a/doc/arm/Makefile.in
+++ b/doc/arm/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2007, 2009, 2012, 2014  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001, 2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -23,6 +23,8 @@ top_srcdir =	@top_srcdir@
 
 @BIND9_VERSION@
 
+PKGVERSION = @PACKAGE_VERSION@
+
 MANOBJS = Bv9ARM.html
 
 PDFOBJS = Bv9ARM.pdf
@@ -38,34 +40,40 @@ docclean manclean maintainer-clean:: clean
 
 docclean manclean maintainer-clean distclean::
 	rm -f releaseinfo.xml
+	rm -f pkgversion.xml
 
-Bv9ARM.html: Bv9ARM-book.xml releaseinfo.xml
+Bv9ARM.html: Bv9ARM-book.xml releaseinfo.xml pkgversion.xml
 	expand Bv9ARM-book.xml | \
 	${XSLTPROC} --stringparam root.filename Bv9ARM \
 		${top_srcdir}/doc/xsl/isc-docbook-chunk.xsl -
 
-Bv9ARM-all.html: Bv9ARM-book.xml releaseinfo.xml
+Bv9ARM-all.html: Bv9ARM-book.xml releaseinfo.xml pkgversion.xml
 	expand Bv9ARM-book.xml | \
 	${XSLTPROC} -o Bv9ARM-all.html ../xsl/isc-docbook-html.xsl -
 
-Bv9ARM.tex: Bv9ARM-book.xml releaseinfo.xml
+Bv9ARM.tex: Bv9ARM-book.xml releaseinfo.xml pkgversion.xml
 	expand Bv9ARM-book.xml | \
 	${XSLTPROC} ${top_srcdir}/doc/xsl/pre-latex.xsl - | \
 	${XSLTPROC} ${top_srcdir}/doc/xsl/isc-docbook-latex.xsl - | \
 	@PERL@ latex-fixup.pl >$@.tmp 
 	if test -s $@.tmp; then mv $@.tmp $@; else rm -f $@.tmp; exit 1; fi
 
-Bv9ARM.dvi: Bv9ARM.tex releaseinfo.xml
+Bv9ARM.dvi: Bv9ARM.tex releaseinfo.xml pkgversion.xml
 	rm -f Bv9ARM-book.aux Bv9ARM-book.dvi Bv9ARM-book.log
 	${LATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1)
 	${LATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1)
 	${LATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1)
 
-Bv9ARM.pdf: Bv9ARM.tex releaseinfo.xml
+Bv9ARM.pdf: Bv9ARM.tex releaseinfo.xml pkgversion.xml
 	rm -f Bv9ARM-book.aux Bv9ARM-book.pdf Bv9ARM-book.log
 	${PDFLATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1)
 	${PDFLATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1)
 	${PDFLATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1)
 
-releaseinfo.xml:
+FORCE:
+
+releaseinfo.xml: FORCE
 	echo >$@ 'BIND Version ${VERSION}'
+
+pkgversion.xml: FORCE
+	echo >$@ '      This version of the manual corresponds to BIND version ${PKGVERSION}.'
diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html
index 7679d48a64..0d92b571f8 100644
--- a/doc/arm/man.arpaname.html
+++ b/doc/arm/man.arpaname.html
@@ -50,20 +50,20 @@
 
arpaname  {ipaddress ...}

 
 

-
DESCRIPTION

+
DESCRIPTION

 

       arpaname translates IP addresses (IPv4 and
       IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
     

 

 

-
SEE ALSO

+
SEE ALSO

 

       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -87,5 +87,6 @@
 
 
 
+
BIND Version 9.11

 
 
diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index 9ea8342ec6..3ef31f573c 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -51,7 +51,7 @@
 
ddns-confgen  [-a algorithm] [-h] [-k keyname] [-q] [-r randomfile] [ -s name  |   -z zone ]

 
 

-
DESCRIPTION

+
DESCRIPTION

 

       tsig-keygen and ddns-confgen
       are invocation methods for a utility that generates keys for use
@@ -87,7 +87,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -159,7 +159,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
nsupdate(1),
       named.conf(5),
       named(8),
@@ -167,7 +167,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -191,5 +191,6 @@
 
 
 
+
BIND Version 9.11

 
 
diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html
index 2f602a7edb..1aa0dd2646 100644
--- a/doc/arm/man.delv.html
+++ b/doc/arm/man.delv.html
@@ -53,7 +53,7 @@
 
delv  [queryopt...] [query...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
delv
       (Domain Entity Lookup & Validation) is a tool for sending
       DNS queries and validating the results, using the the same internal
@@ -96,7 +96,7 @@
     

 

 

-
SIMPLE USAGE

+
SIMPLE USAGE

 

       A typical invocation of delv looks like:
       

@@ -151,7 +151,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a anchor-file

 

@@ -285,7 +285,7 @@
 

 

 

-
QUERY OPTIONS

+
QUERY OPTIONS

 
delv
       provides a number of query options which affect the way results are
       displayed, and in some cases the way lookups are performed.
@@ -465,12 +465,12 @@
     

 

 

-
FILES

+
FILES

 
/etc/bind.keys

 
/etc/resolv.conf

 

 

-
SEE ALSO

+
SEE ALSO

 
dig(1),
       named(8),
       RFC4034,
@@ -499,5 +499,6 @@
 
 
 

+
BIND Version 9.11

 
 
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index 5118533ecf..98c2e34539 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -52,7 +52,7 @@
 
dig  [global-queryopt...] [query...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dig
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -99,7 +99,7 @@
     

 

 

-
SIMPLE USAGE

+
SIMPLE USAGE

 

       A typical invocation of dig looks like:
       

@@ -152,7 +152,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

       The -b option sets the source IP address of the query
       to address.  This must be a valid
@@ -260,7 +260,7 @@
     

 

 

-
QUERY OPTIONS

+
QUERY OPTIONS

 
dig
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -402,6 +402,13 @@
 	       clears the remembered EDNS version.  EDNS is set to
 	       0 by default.
 	    

+
+[no]ednsflags[=#]

+

+	      Set the must-be-zero EDNS flags bits (Z bits) to the
+	      specified value. Decimal, hex and octal encodings are
+	      accepted. Setting a named flag (e.g. DO) will silently be
+	      ignored. By default, no Z bits are set.
+	    

 
+[no]ednsopt[=code[:value]]

 

 	      Specify EDNS option with code point code
@@ -655,7 +662,7 @@
     

 

 

-
MULTIPLE QUERIES

+
MULTIPLE QUERIES

 

       The BIND 9 implementation of dig 
       supports
@@ -701,7 +708,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If dig has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -715,14 +722,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 
${HOME}/.digrc
     

 

 

-
SEE ALSO

+
SEE ALSO

 
host(1),
       named(8),
       dnssec-keygen(8),
@@ -730,7 +737,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
BUGS

+
BUGS

 

       There are probably too many query options.
     

@@ -753,5 +760,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
 
 
 

+
BIND Version 9.11

 
 
diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html
index 1b049c52ab..16a94f2a39 100644
--- a/doc/arm/man.dnssec-checkds.html
+++ b/doc/arm/man.dnssec-checkds.html
@@ -51,7 +51,7 @@
 
dnssec-dsfromkey  [-l domain] [-f file] [-d dig path] [-D dsfromkey path] {zone}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-checkds
       verifies the correctness of Delegation Signer (DS) or DNSSEC
       Lookaside Validation (DLV) resource records for keys in a specified
@@ -59,7 +59,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-f file

 

@@ -88,14 +88,14 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-dsfromkey(8),
       dnssec-keygen(8),
       dnssec-signzone(8),
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -118,5 +118,6 @@
 
 
 
+
BIND Version 9.11

 
 
diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html
index 91e3226388..9024f35f65 100644
--- a/doc/arm/man.dnssec-coverage.html
+++ b/doc/arm/man.dnssec-coverage.html
@@ -50,7 +50,7 @@
 
dnssec-coverage  [-K directory] [-l length] [-f file] [-d DNSKEY TTL] [-m max TTL] [-r interval] [-c compilezone path] [-k] [-z] [zone]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-coverage
       verifies that the DNSSEC keys for a given zone or a set of zones
       have timing metadata set properly to ensure no future lapses in DNSSEC
@@ -78,7 +78,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-K directory

 

@@ -192,7 +192,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 

       dnssec-checkds(8),
       dnssec-dsfromkey(8),
@@ -201,7 +201,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -225,5 +225,6 @@
 
 
 
+
BIND Version 9.11

 
 
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index 741508b549..8a53bde53c 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -52,14 +52,14 @@
 
dnssec-dsfromkey  [-h] [-V]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-dsfromkey
       outputs the Delegation Signer (DS) resource record (RR), as defined in
       RFC 3658 and RFC 4509, for the given key(s).
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-1

 

@@ -144,7 +144,7 @@
 

 

 

-
EXAMPLE

+
EXAMPLE

 

       To build the SHA-256 DS RR from the
       Kexample.com.+003+26160
@@ -159,7 +159,7 @@
     

 

 

-
FILES

+
FILES

 

       The keyfile can be designed by the key identification
       Knnnn.+aaa+iiiii or the full file name
@@ -173,13 +173,13 @@
     

 

 

-
CAVEAT

+
CAVEAT

 

       A keyfile error can give a "file not found" even if the file exists.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -189,7 +189,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -213,5 +213,6 @@
 
 
 
+
BIND Version 9.11

 
 
diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html
index fa68c37a08..770b62d94f 100644
--- a/doc/arm/man.dnssec-importkey.html
+++ b/doc/arm/man.dnssec-importkey.html
@@ -51,7 +51,7 @@
 
dnssec-importkey  {-f filename} [-K directory] [-L ttl] [-P date/offset] [-D date/offset] [-h] [-v level] [-V] [dnsname]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-importkey
       reads a public DNSKEY record and generates a pair of
       .key/.private files.  The DNSKEY record may be read from an
@@ -71,7 +71,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-f filename

 

@@ -114,7 +114,7 @@
 

 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -142,7 +142,7 @@
 

 
 

-
FILES

+
FILES

 

       A keyfile can be designed by the key identification
       Knnnn.+aaa+iiiii or the full file name
@@ -151,7 +151,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -159,7 +159,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -183,5 +183,6 @@
 
 
 
+
BIND Version 9.11

 
 
diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index 14d9295cc3..898a8eb8e6 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -50,7 +50,7 @@
 
dnssec-keyfromlabel  {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-i interval] [-k] [-K directory] [-L ttl] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-S key] [-t type] [-v level] [-V] [-y] {name}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-keyfromlabel
       generates a key pair of files that referencing a key object stored
       in a cryptographic hardware service module (HSM).  The private key
@@ -66,7 +66,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -243,7 +243,7 @@
 

 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -315,7 +315,7 @@
 

 
 

-
GENERATED KEY FILES

+
GENERATED KEY FILES

 

       When dnssec-keyfromlabel completes
       successfully,
@@ -354,7 +354,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -363,7 +363,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -387,5 +387,6 @@
 
 
 
+
BIND Version 9.11

 
 
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index 23b9fd2ca1..538c28e38f 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -50,7 +50,7 @@
 
dnssec-keygen  [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-i interval] [-K directory] [-L ttl] [-k] [-P date/offset] [-p protocol] [-q] [-R date/offset] [-r randomdev] [-S key] [-s strength] [-t type] [-v level] [-V] [-z] {name}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
@@ -64,7 +64,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -285,7 +285,7 @@
 

 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -359,7 +359,7 @@
 

 
 

-
GENERATED KEYS

+
GENERATED KEYS

 

       When dnssec-keygen completes
       successfully,
@@ -405,7 +405,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 

       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -426,7 +426,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2539,
@@ -435,7 +435,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -459,5 +459,6 @@
 
 
 
+
BIND Version 9.11

 
 
diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index ebcbf68b37..7b01fb16b0 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -50,7 +50,7 @@
 
dnssec-revoke  [-hr] [-v level] [-V] [-K directory] [-E engine] [-f] [-R] {keyfile}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-revoke
       reads a DNSSEC key file, sets the REVOKED bit on the key as defined
       in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-h

 

@@ -109,14 +109,14 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 5011.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -140,5 +140,6 @@
 
 
 
+
BIND Version 9.11

 
 
diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index 7bb6a45173..62fb9bddc6 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -50,7 +50,7 @@
 
dnssec-settime  [-f] [-K directory] [-L ttl] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-V] [-v level] [-E engine] {keyfile}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-settime
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the -P, -A,
@@ -76,7 +76,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-f

 

@@ -131,7 +131,7 @@
 

 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -210,7 +210,7 @@
 

 
 

-
PRINTING OPTIONS

+
PRINTING OPTIONS

 

       dnssec-settime can also be used to print the
       timing metadata associated with a key.
@@ -236,7 +236,7 @@
 

 
 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -244,7 +244,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -268,5 +268,6 @@
 
 
 
+
BIND Version 9.11

 
 
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 8fdb5fd51f..027d2b0f67 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -50,7 +50,7 @@
 
dnssec-signzone  [-a] [-c class] [-d directory] [-D] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-L serial] [-l domain] [-M domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-P] [-p] [-Q] [-R] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-V] [-X extended end-time] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -512,7 +512,7 @@
 

 

 

-
EXAMPLE

+
EXAMPLE

 

       The following command signs the example.com
       zone with the DSA key generated by dnssec-keygen
@@ -542,14 +542,14 @@ db.example.com.signed
 %

 
 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 4033, RFC 4641.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -573,5 +573,6 @@ db.example.com.signed
 
 
 
+
BIND Version 9.11

 
 
diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html
index 29fab13ab7..746b7b967b 100644
--- a/doc/arm/man.dnssec-verify.html
+++ b/doc/arm/man.dnssec-verify.html
@@ -50,7 +50,7 @@
 
dnssec-verify  [-c class] [-E engine] [-I input-format] [-o origin] [-v level] [-V] [-x] [-z] {zonefile}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-verify
       verifies that a zone is fully signed for each algorithm found
       in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
@@ -58,7 +58,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-c class

 

@@ -138,7 +138,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 

       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -146,7 +146,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -170,5 +170,6 @@
 
 
 
+
BIND Version 9.11

 
 
diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html
index 1797584c3a..36796ea7c0 100644
--- a/doc/arm/man.genrandom.html
+++ b/doc/arm/man.genrandom.html
@@ -50,7 +50,7 @@
 
genrandom  [-n number] {size} {filename}

 
 

-
DESCRIPTION

+
DESCRIPTION

 

       genrandom
       generates a file or a set of files containing a specified quantity
@@ -59,7 +59,7 @@
     

 

 

-
ARGUMENTS

+
ARGUMENTS

 

 
-n number

 

@@ -77,14 +77,14 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 

       rand(3),
       arc4random(3)
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -108,5 +108,6 @@
 
 
 
+
BIND Version 9.11

 
 
diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index 7ec0fe4d1e..b21a2fcd12 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -50,7 +50,7 @@
 
host  [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] [-v] [-V] {name} [server]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
host
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -214,7 +214,7 @@
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If host has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -228,12 +228,12 @@
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dig(1),
       named(8).
     

@@ -256,5 +256,6 @@
 
 
 

+
BIND Version 9.11

 
 
diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html
index 506836869f..affee619e3 100644
--- a/doc/arm/man.isc-hmac-fixup.html
+++ b/doc/arm/man.isc-hmac-fixup.html
@@ -50,7 +50,7 @@
 
isc-hmac-fixup  {algorithm} {secret}

 
 

-
DESCRIPTION

+
DESCRIPTION

 

       Versions of BIND 9 up to and including BIND 9.6 had a bug causing
       HMAC-SHA* TSIG keys which were longer than the digest length of the
@@ -76,7 +76,7 @@
     

 

 

-
SECURITY CONSIDERATIONS

+
SECURITY CONSIDERATIONS

 

       Secrets that have been converted by isc-hmac-fixup
       are shortened, but as this is how the HMAC protocol works in
@@ -87,14 +87,14 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 

       BIND 9 Administrator Reference Manual,
       RFC 2104.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -118,5 +118,6 @@
 
 
 
+
BIND Version 9.11

 
 
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 0b9f777c70..f176f3805e 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -50,7 +50,7 @@
 
named-checkconf  [-h] [-v] [-j] [-t directory] {filename} [-p] [-x] [-z]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkconf
       checks the syntax, but not the semantics, of a
       named configuration file.  The file is parsed
@@ -70,7 +70,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-h

 

@@ -119,21 +119,21 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       named-checkzone(8),
       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -157,5 +157,6 @@
 
 
 
+
BIND Version 9.11

 
 
diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index b04ad62af8..d5f7462386 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -51,7 +51,7 @@
 
named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-J filename] [-i mode] [-k mode] [-m mode] [-n mode] [-l ttl] [-L serial] [-r mode] [-s style] [-t directory] [-T mode] [-w directory] [-D] [-W mode] {-o filename} {zonename} {filename}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      

 

 

-
OPTIONS

+
OPTIONS

 

 
-d

 

@@ -267,10 +267,10 @@
           

 
-T mode

 

-	    Check if Sender Policy Framework records (TXT and SPF)
-	    both exist or both don't exist.  A warning is issued
-	    if they don't match.  Possible modes are
-	    "warn" (default), "ignore".
+	    Check if Sender Policy Framework (SPF) records exist
+	    and issues a warning if an SPF-formatted TXT record is
+	    not also present.  Possible modes are "warn"
+	    (default), "ignore".
 	  

 
-w directory

 

@@ -305,14 +305,14 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       named-checkconf(8),
       RFC 1035,
@@ -320,7 +320,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -344,5 +344,6 @@
 
 
 
+
BIND Version 9.11

 
 
diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html
index ad1d46f7b2..e804040c47 100644
--- a/doc/arm/man.named-journalprint.html
+++ b/doc/arm/man.named-journalprint.html
@@ -50,7 +50,7 @@
 
named-journalprint  {journal}

 
 

-
DESCRIPTION

+
DESCRIPTION

 

       named-journalprint
       prints the contents of a zone journal file in a human-readable
@@ -76,7 +76,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 

       named(8),
       nsupdate(8),
@@ -84,7 +84,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -108,5 +108,6 @@
 
 
 
+
BIND Version 9.11

 
 
diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html
index 5be195928f..fd06e27172 100644
--- a/doc/arm/man.named-rrchecker.html
+++ b/doc/arm/man.named-rrchecker.html
@@ -50,7 +50,7 @@
 
named-rrchecker  [-h] [-o origin] [-p] [-u] [-C] [-T] [-P]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named-rrchecker
      read a individual DNS resource record from standard input and checks if it
      is syntactically correct.
@@ -78,7 +78,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 

       RFC 1034,
       RFC 1035,
@@ -105,5 +105,6 @@
 
 
 

+
BIND Version 9.11

 
 
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 5067adb260..cb03b527b5 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -50,7 +50,7 @@
 
named  [-4] [-6] [-c config-file] [-d debug-level] [-D string] [-E engine-name] [-f] [-g] [-L logfile] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-U #listeners] [-u user] [-v] [-V] [-x cache-file]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-4

 

@@ -281,7 +281,7 @@
 

 

 

-
SIGNALS

+
SIGNALS

 

       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -302,7 +302,7 @@
     

 

 

-
CONFIGURATION

+
CONFIGURATION

 

       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -319,7 +319,7 @@
     

 

 

-
FILES

+
FILES

 

 
/etc/named.conf

 

@@ -332,7 +332,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -345,7 +345,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -369,5 +369,6 @@
 
 
 
+
BIND Version 9.11

 
 
diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html
index 3e8c89199c..9ea9d3e3f1 100644
--- a/doc/arm/man.nsec3hash.html
+++ b/doc/arm/man.nsec3hash.html
@@ -48,7 +48,7 @@
 
nsec3hash  {salt} {algorithm} {iterations} {domain}

 
 

-
DESCRIPTION

+
DESCRIPTION

 

       nsec3hash generates an NSEC3 hash based on
       a set of NSEC3 parameters.  This can be used to check the validity
@@ -56,7 +56,7 @@
     

 

 

-
ARGUMENTS

+
ARGUMENTS

 

 
salt

 

@@ -80,14 +80,14 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 

       BIND 9 Administrator Reference Manual,
       RFC 5155.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -109,5 +109,6 @@
 
 
 
+
BIND Version 9.11

 
 
diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index 5d8bab1e04..41df8f56b4 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -50,7 +50,7 @@
 
nsupdate  [-d] [-D] [[-g] |  [-o] |  [-l] |  [-y [hmac:]keyname:secret] |  [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [-T] [-P] [-V] [filename]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
nsupdate
       is used to submit Dynamic DNS Update requests as defined in RFC 2136
       to a name server.
@@ -236,7 +236,7 @@
     

 

 

-
INPUT FORMAT

+
INPUT FORMAT

 
nsupdate
       reads input from
       filename
@@ -538,7 +538,7 @@
     

 

 

-
EXAMPLES

+
EXAMPLES

 

       The examples below show how
       nsupdate
@@ -592,7 +592,7 @@
     

 

 

-
FILES

+
FILES

 

 
/etc/resolv.conf

 

@@ -615,7 +615,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 

       RFC 2136,
       RFC 3007,
@@ -630,7 +630,7 @@
     

 

 

-
BUGS

+
BUGS

 

       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
@@ -658,5 +658,6 @@
 
 
 

+
BIND Version 9.11

 
 
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index 5d78e22383..4102a8d0bb 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -50,7 +50,7 @@
 
rndc-confgen  [-a] [-A algorithm] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -66,7 +66,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -180,7 +180,7 @@
 

 

 

-
EXAMPLES

+
EXAMPLES

 

       To allow rndc to be used with
       no manual configuration, run
@@ -197,7 +197,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc.conf(5),
       named(8),
@@ -205,7 +205,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -229,5 +229,6 @@
 
 
 
+
BIND Version 9.11

 
 
diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index f1ad9d33c2..9478508786 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -50,7 +50,7 @@
 
rndc.conf 

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -136,7 +136,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 
       options {
         default-server  localhost;
@@ -210,7 +210,7 @@
     

 

 

-
NAME SERVER CONFIGURATION

+
NAME SERVER CONFIGURATION

 

       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -220,7 +220,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -228,7 +228,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -252,5 +252,6 @@
 
 
 
+
BIND Version 9.11

 
 
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index 258a3f0773..9ff757b583 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -50,7 +50,7 @@
 
rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-q] [-V] [-y key_id] {command}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -81,7 +81,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-b source-address

 

@@ -152,7 +152,7 @@
 

 

 

-
COMMANDS

+
COMMANDS

 

       A list of commands supported by rndc can
       be seen by running rndc without arguments.
@@ -371,15 +371,15 @@
           

 
flushname name [view] 

 

-            Flushes the given name from the server's DNS cache
-            and, if applicable, from the server's nameserver address
-            database or bad-server cache.
+            Flushes the given name from the view's DNS cache
+            and, if applicable, from the view's nameserver address
+            database, bad server cache and SERVFAIL cache.
           

 
flushtree name [view] 

 

             Flushes the given name, and all of its subdomains,
-            from the server's DNS cache, the address database,
-            and the bad server cache.
+            from the view's DNS cache, address database,
+            bad server cache, and SERVFAIL cache.
           

 
status

 

@@ -415,7 +415,7 @@
             lifetime.  The default lifetime is
             configured in <file>named.conf</file> via the
             nta-lifetime, and defaults to
-            one hour.  The lifetime cannot exceed one day.
+            one hour.  The lifetime cannot exceed one week.
           

 

             A negative trust anchor selectively disables
@@ -599,7 +599,7 @@
 

 
 

-
LIMITATIONS

+
LIMITATIONS

 

       There is currently no way to provide the shared secret for a
       key_id without using the configuration file.
@@ -609,7 +609,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc.conf(5),
       rndc-confgen(8),
       named(8),
@@ -619,7 +619,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -643,5 +643,6 @@
 
 
 
+
BIND Version 9.11

 
 
diff --git a/doc/misc/options b/doc/misc/options
index 70e4a06a3f..580172d839 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -150,6 +150,7 @@ options {
         forwarders [ port  ] [ dscp  ] { ( 
             |  ) [ port  ] [ dscp  ]; ... };
         geoip-directory (  | none ); // not configured
+        geoip-use-ecs (  | none ); // not configured
         has-old-clients ; // obsolete
         heartbeat-interval ;
         host-statistics ; // not implemented
@@ -159,7 +160,7 @@ options {
         interface-interval ;
         ixfr-from-differences ;
         key-directory ;
-        lame-ttl ;
+        lame-ttl ;
         listen-on [ port  ] [ dscp  ] {
             ; ... };
         listen-on-v6 [ port  ] [ dscp  ] {
@@ -198,6 +199,7 @@ options {
         nosit-udp-size ; // not configured
         notify ;
         notify-delay ;
+        notify-rate ;
         notify-source (  | * ) [ port (  | * ) ] [
             dscp  ];
         notify-source-v6 (  | * ) [ port (  | * ) ]
@@ -258,6 +260,7 @@ options {
         serial-query-rate ;
         serial-update-method ( increment | unixtime | date );
         server-id (  | none | hostname );
+        servfail-ttl ;
         session-keyalg ;
         session-keyfile (  | none );
         session-keyname ;
@@ -268,6 +271,7 @@ options {
         sit-secret ; // not configured
         sortlist { ; ... };
         stacksize ;
+        startup-notify-rate ;
         statistics-file ;
         statistics-interval ; // not yet implemented
         suppress-initial-notify ; // not yet implemented
@@ -305,6 +309,7 @@ server  {
         bogus ;
         edns ;
         edns-udp-size ;
+        edns-version ;
         keys ;
         max-udp-size ;
         notify-source (  | * ) [ port (  | * ) ] [
@@ -373,7 +378,6 @@ view   {
         check-wildcard ;
         cleaning-interval ;
         clients-per-query ;
-        database ;
         deny-answer-addresses { ; ... } [
             except-from { ; ... } ];
         deny-answer-aliases { ; ... } [ except-from {
@@ -427,7 +431,7 @@ view   {
                 secret ;
         };
         key-directory ;
-        lame-ttl ;
+        lame-ttl ;
         maintain-ixfr-base ; // obsolete
         managed-keys {     
             ; ... };
@@ -508,12 +512,12 @@ view   {
         root-delegation-only [ exclude { ; ... } ];
         rrset-order { [ class  ] [ type  ] [ name
              ]  ; ... };
-        search ;
         serial-update-method ( increment | unixtime | date );
         server  {
                 bogus ;
                 edns ;
                 edns-udp-size ;
+                edns-version ;
                 keys ;
                 max-udp-size ;
                 notify-source (  | * ) [ port (  | *
@@ -535,6 +539,7 @@ view   {
                      | * ) ] [ dscp  ];
                 transfers ;
         };
+        servfail-ttl ;
         sig-signing-nodes ;
         sig-signing-signatures ;
         sig-signing-type ;
diff --git a/doc/xsl/isc-docbook-chunk.xsl.in b/doc/xsl/isc-docbook-chunk.xsl.in
index a766c05336..fde5362ffa 100644
--- a/doc/xsl/isc-docbook-chunk.xsl.in
+++ b/doc/xsl/isc-docbook-chunk.xsl.in
@@ -1,5 +1,5 @@