From 78c3882f77baeaba4c58a339e760a6135437aa11 Mon Sep 17 00:00:00 2001 From: Tinderbox User Date: Tue, 26 Aug 2014 01:05:40 +0000 Subject: [PATCH 01/92] regen master --- doc/misc/options | 2 -- 1 file changed, 2 deletions(-) diff --git a/doc/misc/options b/doc/misc/options index 70e4a06a3f..6f4d1d7b48 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -373,7 +373,6 @@ view { check-wildcard ; cleaning-interval ; clients-per-query ; - database ; deny-answer-addresses { ; ... } [ except-from { ; ... } ]; deny-answer-aliases { ; ... } [ except-from { @@ -508,7 +507,6 @@ view { root-delegation-only [ exclude { ; ... } ]; rrset-order { [ class ] [ type ] [ name ] ; ... }; - search ; serial-update-method ( increment | unixtime | date ); server { bogus ; From 0c2313eb367de3b58801d643d52c0fd9bc0e5df7 Mon Sep 17 00:00:00 2001 
From: Evan Hunt Date: Wed, 27 Aug 2014 21:36:13 -0700 Subject: [PATCH 02/92] [master] fixes to checkconf test, HIP casecompare 3933. [bug] Corrected the implementation of dns_rdata_casecompare() for the HIP rdata type. [RT #36911] 3932. [test] Improved named-checkconf tests. [RT #36911] --- CHANGES | 5 ++ bin/check/Makefile.in | 2 +- .../checkconf/check-dup-records-fail.conf | 26 ++++++++++ .../system/checkconf/check-dup-records.db | 36 ++++++++++++++ .../system/checkconf/check-mx-cname-fail.conf | 25 ++++++++++ bin/tests/system/checkconf/check-mx-cname.db | 29 +++++++++++ bin/tests/system/checkconf/check-mx-fail.conf | 25 ++++++++++ bin/tests/system/checkconf/check-mx.db | 27 +++++++++++ .../system/checkconf/check-names-fail.conf | 25 ++++++++++ bin/tests/system/checkconf/check-names.db | 31 ++++++++++++ .../checkconf/check-srv-cname-fail.conf | 25 ++++++++++ bin/tests/system/checkconf/check-srv-cname.db | 31 ++++++++++++ bin/tests/system/checkconf/clean.sh | 1 + bin/tests/system/checkconf/tests.sh | 48 +++++++++++++++++++ lib/dns/rdata/generic/hip_55.c | 12 ++--- 15 files changed, 339 insertions(+), 9 deletions(-) create mode 100644 bin/tests/system/checkconf/check-dup-records-fail.conf create mode 100644 bin/tests/system/checkconf/check-dup-records.db create mode 100644 bin/tests/system/checkconf/check-mx-cname-fail.conf create mode 100644 bin/tests/system/checkconf/check-mx-cname.db create mode 100644 bin/tests/system/checkconf/check-mx-fail.conf create mode 100644 bin/tests/system/checkconf/check-mx.db create mode 100644 bin/tests/system/checkconf/check-names-fail.conf create mode 100644 bin/tests/system/checkconf/check-names.db create mode 100644 bin/tests/system/checkconf/check-srv-cname-fail.conf create mode 100644 bin/tests/system/checkconf/check-srv-cname.db diff --git a/CHANGES b/CHANGES index 1ab9f8dff7..4e17e0333e 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,3 +1,8 @@ +3933. [bug] Corrected the implementation of dns_rdata_casecompare() + for the HIP rdata type. [RT #36911] + +3932. [test] Improved named-checkconf tests. [RT #36911] + 3931. [cleanup] Cleanup how dlz grammer is defined. [RT #36879] 3930. [bug] "rndc nta -r" could cause a server hang if the diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in index 61f98c23cc..b88be3cb85 100644 --- a/bin/check/Makefile.in +++ b/bin/check/Makefile.in @@ -70,7 +70,7 @@ named-checkzone.@O@: named-checkzone.c -c ${srcdir}/named-checkzone.c named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \ - ${ISCCFGDEPLIBS} ${BIND9DEPLIBS} + ${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${BIND9DEPLIBS} export BASEOBJS="named-checkconf.@O@ check-tool.@O@"; \ export LIBS0="${BIND9LIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \ ${FINALBUILDCMD} diff --git a/bin/tests/system/checkconf/check-dup-records-fail.conf b/bin/tests/system/checkconf/check-dup-records-fail.conf new file mode 100644 index 0000000000..6dd363a0e1 --- /dev/null +++ b/bin/tests/system/checkconf/check-dup-records-fail.conf 
@@ -0,0 +1,26 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +options { + check-integrity yes; // default is yes +}; + +zone "check-dup-records" { + type master; + file "check-dup-records.db"; + check-dup-records fail; +}; + diff --git a/bin/tests/system/checkconf/check-dup-records.db b/bin/tests/system/checkconf/check-dup-records.db new file mode 100644 index 0000000000..9c2669bb63 --- /dev/null +++ b/bin/tests/system/checkconf/check-dup-records.db 
@@ -0,0 +1,36 @@ +; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +$TTL 600 ; 10 minutes +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 + MX 10 mail + +mail A 10.0.0.1 +ns2 A 10.53.0.2 + +; following records are not de-duplicated +; and will be matched by check-dup-records +duplicate HIP ( 2 200100107B1A74DF365639CC39F1D578 + AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D + rvs.example.com. ) +duplicate HIP ( 2 200100107B1A74DF365639CC39F1D578 + AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D + RVS.example.com. ) diff --git a/bin/tests/system/checkconf/check-mx-cname-fail.conf b/bin/tests/system/checkconf/check-mx-cname-fail.conf new file mode 100644 index 0000000000..600e2a70c8 --- /dev/null +++ b/bin/tests/system/checkconf/check-mx-cname-fail.conf 
@@ -0,0 +1,25 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +options { + check-integrity yes; // default is yes +}; + +zone "check-mx-cname" { + type master; + file "check-mx-cname.db"; + check-mx-cname fail; +}; diff --git a/bin/tests/system/checkconf/check-mx-cname.db b/bin/tests/system/checkconf/check-mx-cname.db new file mode 100644 index 0000000000..56312ece92 --- /dev/null +++ b/bin/tests/system/checkconf/check-mx-cname.db 
@@ -0,0 +1,29 @@ +; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +$TTL 600 ; 10 minutes +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 + MX 10 mail + +; MX points to a CNAME which is detected by check-mx-cname +mail CNAME ns2 + +ns2 A 10.53.0.2 diff --git a/bin/tests/system/checkconf/check-mx-fail.conf b/bin/tests/system/checkconf/check-mx-fail.conf new file mode 100644 index 0000000000..750adf16f7 --- /dev/null +++ b/bin/tests/system/checkconf/check-mx-fail.conf 
@@ -0,0 +1,25 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +options { + check-integrity yes; // default is yes +}; + +zone "check-mx" { + type master; + file "check-mx.db"; + check-mx fail; +}; diff --git a/bin/tests/system/checkconf/check-mx.db b/bin/tests/system/checkconf/check-mx.db new file mode 100644 index 0000000000..d6fa9f49a8 --- /dev/null +++ b/bin/tests/system/checkconf/check-mx.db 
@@ -0,0 +1,27 @@ +; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +$TTL 600 ; 10 minutes +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 +; MX appears to be an address and will be detected by check-mx + MX 10 10.0.0.1 + +ns2 A 10.53.0.2 diff --git a/bin/tests/system/checkconf/check-names-fail.conf b/bin/tests/system/checkconf/check-names-fail.conf new file mode 100644 index 0000000000..5d31671ac0 --- /dev/null +++ b/bin/tests/system/checkconf/check-names-fail.conf 
@@ -0,0 +1,25 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +options { + check-integrity yes; // default is yes +}; + +zone "check-names" { + type master; + file "check-names.db"; + check-names fail; +}; diff --git a/bin/tests/system/checkconf/check-names.db b/bin/tests/system/checkconf/check-names.db new file mode 100644 index 0000000000..4a7d687df5 --- /dev/null +++ b/bin/tests/system/checkconf/check-names.db 
@@ -0,0 +1,31 @@ +; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +$TTL 600 ; 10 minutes +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 + MX 10 mail + +mail A 10.0.0.1 +ns2 A 10.53.0.2 + +; the RDATA of this record contains a name that may be considered +; invalid and will be detected by check-names configuration. +check-names SRV 1 2 3 _underscore diff --git a/bin/tests/system/checkconf/check-srv-cname-fail.conf b/bin/tests/system/checkconf/check-srv-cname-fail.conf new file mode 100644 index 0000000000..f0503b3e83 --- /dev/null +++ b/bin/tests/system/checkconf/check-srv-cname-fail.conf 
@@ -0,0 +1,25 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +options { + check-integrity yes; // default is yes +}; + +zone "check-srv-cname" { + type master; + file "check-srv-cname.db"; + check-srv-cname fail; +}; diff --git a/bin/tests/system/checkconf/check-srv-cname.db b/bin/tests/system/checkconf/check-srv-cname.db new file mode 100644 index 0000000000..6ed1f4263e --- /dev/null +++ b/bin/tests/system/checkconf/check-srv-cname.db 
@@ -0,0 +1,31 @@ +; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +$TTL 600 ; 10 minutes +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 + MX 10 mail + +mail A 10.0.0.1 +ns2 A 10.53.0.2 + +check-srv-cname SRV 1 2 3 target +; SRV points to a CNAME which is detected by check-srv-cname configuration +target CNAME mail diff --git a/bin/tests/system/checkconf/clean.sh b/bin/tests/system/checkconf/clean.sh index 772d521d0c..61febd74f5 100644 --- a/bin/tests/system/checkconf/clean.sh +++ b/bin/tests/system/checkconf/clean.sh @@ -16,3 +16,4 @@ rm -f good.conf.in good.conf.out badzero.conf *.out rm -rf test.keydir +rm -f checkconf.out* diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh index f3d87f0981..4e4f4da701 100644 --- a/bin/tests/system/checkconf/tests.sh +++ b/bin/tests/system/checkconf/tests.sh 
@@ -191,5 +191,53 @@ $CHECKCONF -z altdlz.conf > /dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi status=`expr $status + $ret` +echo "I: check that check-names fails as configured" +ret=0 +$CHECKCONF -z check-names-fail.conf > checkconf.out1 2>&1 && ret=1 +grep "near '_underscore': bad name (check-names)" checkconf.out1 > /dev/null || ret=1 +grep "zone check-names/IN: loaded serial" < checkconf.out1 > /dev/null && ret=1 +if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi +status=`expr $status + $ret` + +echo "I: check that check-mx fails as configured" +ret=0 +$CHECKCONF -z check-mx-fail.conf > checkconf.out2 2>&1 && ret=1 +grep "near '10.0.0.1': MX is an address" checkconf.out2 > /dev/null || ret=1 +grep "zone check-mx/IN: loaded serial" < checkconf.out2 > /dev/null && ret=1 +if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi +status=`expr $status + $ret` + +echo "I: check that check-dup-records fails as configured" +ret=0 +$CHECKCONF -z check-dup-records-fail.conf > checkconf.out3 2>&1 && ret=1 +grep "has semantically identical records" checkconf.out3 > /dev/null || ret=1 +grep "zone check-dup-records/IN: loaded serial" < checkconf.out3 > /dev/null && ret=1 +if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi +status=`expr $status + $ret` + +echo "I: check that check-mx fails as configured" +ret=0 +$CHECKCONF -z check-mx-fail.conf > checkconf.out4 2>&1 && ret=1 +grep "failed: MX is an address" checkconf.out4 > /dev/null || ret=1 +grep "zone check-mx/IN: loaded serial" < checkconf.out4 > /dev/null && ret=1 +if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi +status=`expr $status + $ret` + +echo "I: check that check-mx-cname fails as configured" +ret=0 +$CHECKCONF -z check-mx-cname-fail.conf > checkconf.out5 2>&1 && ret=1 +grep "MX.* is a CNAME (illegal)" checkconf.out5 > /dev/null || ret=1 +grep "zone check-mx-cname/IN: loaded serial" < checkconf.out5 > /dev/null && ret=1 +if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi +status=`expr $status 
+ $ret` + +echo "I: check that check-srv-cname fails as configured" +ret=0 +$CHECKCONF -z check-srv-cname-fail.conf > checkconf.out6 2>&1 && ret=1 +grep "SRV.* is a CNAME (illegal)" checkconf.out6 > /dev/null || ret=1 +grep "zone check-mx-cname/IN: loaded serial" < checkconf.out6 > /dev/null && ret=1 +if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi +status=`expr $status + $ret` + echo "I:exit status: $status" exit $status diff --git a/lib/dns/rdata/generic/hip_55.c b/lib/dns/rdata/generic/hip_55.c index 3522b7a7a9..eee581f26a 100644 --- a/lib/dns/rdata/generic/hip_55.c +++ b/lib/dns/rdata/generic/hip_55.c @@ -468,23 +468,19 @@ casecompare_hip(ARGS_COMPARE) { INSIST(r1.length > 4); INSIST(r2.length > 4); - r1.length = 4; - r2.length = 4; - order = isc_region_compare(&r1, &r2); + order = memcmp(r1.base, r2.base, 4); if (order != 0) return (order); hit_len = uint8_fromregion(&r1); isc_region_consume(&r1, 2); /* hit length + algorithm */ key_len = uint16_fromregion(&r1); - - dns_rdata_toregion(rdata1, &r1); - dns_rdata_toregion(rdata2, &r2); - isc_region_consume(&r1, 4); + isc_region_consume(&r1, 2); /* key length */ isc_region_consume(&r2, 4); + INSIST(r1.length >= (unsigned) (hit_len + key_len)); INSIST(r2.length >= (unsigned) (hit_len + key_len)); - order = isc_region_compare(&r1, &r2); + order = memcmp(r1.base, r2.base, hit_len + key_len); if (order != 0) return (order); isc_region_consume(&r1, hit_len + key_len); From 05d81eae94425a5124e07626af4bcc178960bd0e Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 29 Aug 2014 10:16:32 +1000 Subject: [PATCH 03/92] update-copyrights --- util/copyrights | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/util/copyrights b/util/copyrights index 157ba5544a..d43244f545 100644 --- a/util/copyrights +++ b/util/copyrights 
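Review bot: The negative check in the check-srv-cname block greps checkconf.out6 for `zone check-mx-cname/IN: loaded serial`, which can never appear in that output because the zone configured in check-srv-cname-fail.conf is named check-srv-cname, so the "zone must not have loaded" half of that test is vacuous; it should read `grep "zone check-srv-cname/IN: loaded serial" < checkconf.out6 > /dev/null && ret=1`. The two check-mx blocks (checkconf.out2 and checkconf.out4) run the same check-mx-fail.conf under the identical label `I: check that check-mx fails as configured` and differ only in the message grepped for, so an "I:failed" line does not say which expectation broke; give the second a distinct label such as `echo "I: check that check-mx failure is reported at zone load"`, or merge both greps into one block. Like the existing tests in this file, all six blocks depend on the exact wording of the zone-load diagnostics, which is worth a one-line comment at the top of the new section so a later message change is traced back here quickly.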
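Review bot: The new prefix comparison leaves an invariant implicit that a later edit could easily break: hit_len and key_len are read from r1 only, which is correct solely because the preceding `memcmp(r1.base, r2.base, 4)` has already established that the first four bytes (hit length, algorithm, key length) of both rdatas are identical; add a comment to that effect above `hit_len = uint8_fromregion(&r1);`, e.g. `/* First 4 bytes are equal, so r1's hit/key lengths apply to r2 as well. */`. The two INSISTs abort the process on rdata whose hit length plus key length exceeds the available data; that is presumably unreachable for rdata that passed fromwire/fromtext validation, but a short comment stating that assumption would make the hard failure clearly deliberate. casecompare_hip starts before and continues after this hunk, so the case-insensitive comparison of the trailing rendezvous-server names that gives this function its purpose is not visible here.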
@@ -880,6 +880,16 @@ ./bin/tests/system/checkconf/bad-sharedzone1.conf CONF-C 2013 ./bin/tests/system/checkconf/bad-sharedzone2.conf CONF-C 2013 ./bin/tests/system/checkconf/bad-tsig.conf CONF-C 2012,2013 +./bin/tests/system/checkconf/check-dup-records-fail.conf CONF-C 2014 +./bin/tests/system/checkconf/check-dup-records.db ZONE 2014 +./bin/tests/system/checkconf/check-mx-cname-fail.conf CONF-C 2014 +./bin/tests/system/checkconf/check-mx-cname.db ZONE 2014 +./bin/tests/system/checkconf/check-mx-fail.conf CONF-C 2014 +./bin/tests/system/checkconf/check-mx.db ZONE 2014 +./bin/tests/system/checkconf/check-names-fail.conf CONF-C 2014 +./bin/tests/system/checkconf/check-names.db ZONE 2014 +./bin/tests/system/checkconf/check-srv-cname-fail.conf CONF-C 2014 +./bin/tests/system/checkconf/check-srv-cname.db ZONE 2014 ./bin/tests/system/checkconf/clean.sh SH 2011,2012,2013,2014 ./bin/tests/system/checkconf/dlz-bad.conf CONF-C 2012,2013 ./bin/tests/system/checkconf/dnssec.1 CONF-C 2011 From 7c73ac5e130db18837724ab53d46b23ddb98ce6e Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 29 Aug 2014 14:35:21 +1000 Subject: [PATCH 04/92] 3934. [bug] Catch bad 'sit-secret' in named-checkconf. Improve sit-secrets documentation. [RT #36980] --- CHANGES | 3 ++ bin/tests/system/sit/bad-sit-badhex.conf | 3 ++ bin/tests/system/sit/bad-sit-toolong.conf | 3 ++ bin/tests/system/sit/tests.sh | 9 ++++ doc/arm/Bv9ARM-book.xml | 8 ++- lib/bind9/check.c | 60 +++++++++++++++++++++++ 6 files changed, 84 insertions(+), 2 deletions(-) create mode 100644 bin/tests/system/sit/bad-sit-badhex.conf create mode 100644 bin/tests/system/sit/bad-sit-toolong.conf diff --git a/CHANGES b/CHANGES index 4e17e0333e..cdf0f42017 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +3934. [bug] Catch bad 'sit-secret' in named-checkconf. Improve + sit-secrets documentation. [RT #36980] + 3933. [bug] Corrected the implementation of dns_rdata_casecompare() for the HIP rdata type. [RT #36911] 
diff --git a/bin/tests/system/sit/bad-sit-badhex.conf b/bin/tests/system/sit/bad-sit-badhex.conf new file mode 100644 index 0000000000..6b84d8a6a1 --- /dev/null +++ b/bin/tests/system/sit/bad-sit-badhex.conf @@ -0,0 +1,3 @@ +options { + sit-secret "012345678901234567890123456789012345678901234567890123456789012"; +}; diff --git a/bin/tests/system/sit/bad-sit-toolong.conf b/bin/tests/system/sit/bad-sit-toolong.conf new file mode 100644 index 0000000000..aec4d252c8 --- /dev/null +++ b/bin/tests/system/sit/bad-sit-toolong.conf @@ -0,0 +1,3 @@ +options { + sit-secret "01234567890123456789012345678901234567890123456789012345678901234567890"; +}; diff --git a/bin/tests/system/sit/tests.sh b/bin/tests/system/sit/tests.sh index fa1a71abb0..5842a98714 100755 --- a/bin/tests/system/sit/tests.sh +++ b/bin/tests/system/sit/tests.sh @@ -32,6 +32,15 @@ havetc() { grep 'flags:.* tc[^;]*;' $1 > /dev/null } +for bad in bad*.conf +do + ret=0 + echo "I:checking that named-checkconf detects error in $bad" + $CHECKCONF $bad > /dev/null 2>&1 + if [ $? != 1 ]; then echo "I:failed"; ret=1; fi + status=`expr $status + $ret` +done + n=`expr $n + 1` echo "I:checking SIT token returned to empty SIT option ($n)" ret=0 diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 7562a331ed..01f2c207c3 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -6421,12 +6421,16 @@ options { - sit-secret + sit-secret + If set, this is a shared secret used for generating and verifying Source Identity Token EDNS options within a anycast cluster. If not set the system - will generate a random secret at startup. + will generate a random secret at startup. The + shared secret is encoded as a hex string and needs + to be 128 bits for AES128, 160 bits for SHA1 and + 256 bits for SHA256. diff --git a/lib/bind9/check.c b/lib/bind9/check.c index a8d5e00aa6..38c1b244ed 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c 
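Review bot: The new loop only checks that named-checkconf exits with status 1 for each bad*.conf, so it cannot tell which of the new sit-secret checks actually fired; both sample secrets have an odd number of hex digits as written (63 and 71), so if the hex decoder rejects odd-length input before it reports the 32-byte buffer as full, bad-sit-toolong.conf would be failing as "invalid hex string" and the "too long" branch in check.c would stay untested without anyone noticing. Capture the output and grep for the message each file is meant to trigger, e.g. `$CHECKCONF $bad > checkconf.$bad.out 2>&1` followed by `grep "sit-secret: too long" checkconf.$bad.out > /dev/null || ret=1` for bad-sit-toolong.conf and `grep "sit-secret: invalid hex string"` for bad-sit-badhex.conf (and add the new output files to clean.sh). The loop also does not advance the `n` counter that the surrounding tests use in their labels, so its progress lines are inconsistent with the rest of this file.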
@@ -24,10 +24,12 @@ #include #include #include +#include #include #include #include #include +#include #include #include #include @@ -35,6 +37,18 @@ #include #include +#ifdef ISC_PLATFORM_USESIT +#ifdef AES_SIT +#include +#endif +#ifdef HMAC_SHA1_SIT +#include +#endif +#ifdef HMAC_SHA256_SIT +#include +#endif +#endif + #include #include #include @@ -1186,6 +1200,52 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, "(%d seconds)", recheck, lifetime); } +#ifdef ISC_PLATFORM_USESIT + obj = NULL; + (void) cfg_map_get(options, "sit-secret", &obj); + if (obj != NULL) { + isc_buffer_t b; + unsigned char secret[32]; + + memset(secret, 0, sizeof(secret)); + isc_buffer_init(&b, secret, sizeof(secret)); + tresult = isc_hex_decodestring(cfg_obj_asstring(obj), &b); + if (tresult == ISC_R_NOSPACE) { + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "sit-secret: too long"); + } else if (tresult != ISC_R_SUCCESS) { + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "sit-secret: invalid hex string"); + } + if (tresult != ISC_R_SUCCESS) + result = tresult; +#ifdef AES_SIT + if (tresult == ISC_R_SUCCESS && + isc_buffer_usedlength(&b) != ISC_AES128_KEYLENGTH) { + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "AES sit-secret must be on 128 bits"); + result = ISC_R_RANGE; + } +#endif +#ifdef HMAC_SHA1_SIT + if (tresult == ISC_R_SUCCESS && + isc_buffer_usedlength(&b) != ISC_SHA1_DIGESTLENGTH) { + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "SHA1 sit-secret must be on 160 bits"); + result = ISC_R_RANGE; + } +#endif +#ifdef HMAC_SHA256_SIT + if (tresult == ISC_R_SUCCESS && + isc_buffer_usedlength(&b) != ISC_SHA256_DIGESTLENGTH) { + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "SHA256 sit-secret must be on 256 bits"); + result = ISC_R_RANGE; + } +#endif + } +#endif + return (result); } From 9ba4efa4ac6d2d687cf1377bc9733d08d84da64c Mon Sep 17 00:00:00 2001 
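Review bot: The decoded shared secret is left in the stack array `secret` after the length checks, and because lib/bind9's check_options is presumably also run by named itself at startup, that key material remains in stack memory after the function returns; clear it before leaving the block with `memset(secret, 0, sizeof(secret));` (bearing in mind that a plain memset on a dead buffer may be optimized away, so a non-elidable wipe helper is preferable if this tree provides one). The three diagnostics read `AES sit-secret must be on 128 bits` and so on; `must be 128 bits` is the intended English. The #ifdef chain also silently assumes exactly one of AES_SIT, HMAC_SHA1_SIT and HMAC_SHA256_SIT is defined — with two defined, a secret sized for one algorithm is rejected by the other branch — which is worth a short comment above the chain so the build-time constraint is visible where it matters. check_options begins before this hunk.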
From: Mark Andrews Date: Fri, 29 Aug 2014 14:38:23 +1000 Subject: [PATCH 05/92] spelling --- CHANGES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index cdf0f42017..e162d87aff 100644 --- a/CHANGES +++ b/CHANGES @@ -1,5 +1,5 @@ 3934. [bug] Catch bad 'sit-secret' in named-checkconf. Improve - sit-secrets documentation. [RT #36980] + sit-secret documentation. [RT #36980] 3933. [bug] Corrected the implementation of dns_rdata_casecompare() for the HIP rdata type. [RT #36911] From 180319f572fb6c1ca7000d22ea79a8dd77ae3f91 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Thu, 28 Aug 2014 21:40:32 -0700 Subject: [PATCH 06/92] [master] fix geoip asnum matching 3935. [bug] "geoip asnum" ACL elements would not match unless the full organization name was specified. They can now match against the AS number alone (e.g., AS1234). [RT #36945] --- CHANGES | 5 + bin/tests/system/geoip/ns2/named10.conf | 14 +- bin/tests/system/geoip/ns2/named11.conf | 32 +++- bin/tests/system/geoip/ns2/named12.conf | 47 +++++- bin/tests/system/geoip/ns2/named13.conf | 77 +--------- bin/tests/system/geoip/ns2/named14.conf | 112 ++++++++++++++ bin/tests/system/geoip/tests.sh | 27 +++- doc/arm/Bv9ARM-book.xml | 191 ++++++++++++------------ lib/dns/geoip.c | 17 ++- lib/isccfg/aclconf.c | 66 +++++--- util/copyrights | 5 +- 11 files changed, 383 insertions(+), 210 deletions(-) create mode 100644 bin/tests/system/geoip/ns2/named14.conf diff --git a/CHANGES b/CHANGES index e162d87aff..e7c9c89b54 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,8 @@ +3935. [bug] "geoip asnum" ACL elements would not match unless + the full organization name was specified. They + can now match against the AS number alone (e.g., + AS1234). [RT #36945] + 3934. [bug] Catch bad 'sit-secret' in named-checkconf. Improve sit-secret documentation. [RT #36980] diff --git a/bin/tests/system/geoip/ns2/named10.conf b/bin/tests/system/geoip/ns2/named10.conf index 1ceece41cf..29d9d43459 100644 
--- a/bin/tests/system/geoip/ns2/named10.conf +++ b/bin/tests/system/geoip/ns2/named10.conf @@ -40,7 +40,7 @@ controls { }; view one { - match-clients { geoip domain one.de; }; + match-clients { geoip asnum "AS100001"; }; zone "example" { type master; file "example1.db"; @@ -48,7 +48,7 @@ view one { }; view two { - match-clients { geoip domain two.com; }; + match-clients { geoip asnum "AS100002"; }; zone "example" { type master; file "example2.db"; @@ -56,7 +56,7 @@ view two { }; view three { - match-clients { geoip domain three.com; }; + match-clients { geoip asnum "AS100003"; }; zone "example" { type master; file "example3.db"; @@ -64,7 +64,7 @@ view three { }; view four { - match-clients { geoip domain four.com; }; + match-clients { geoip asnum "AS100004"; }; zone "example" { type master; file "example4.db"; @@ -72,7 +72,7 @@ view four { }; view five { - match-clients { geoip domain five.es; }; + match-clients { geoip asnum "AS100005"; }; zone "example" { type master; file "example5.db"; @@ -80,7 +80,7 @@ view five { }; view six { - match-clients { geoip domain six.it; }; + match-clients { geoip asnum "AS100006"; }; zone "example" { type master; file "example6.db"; @@ -88,7 +88,7 @@ view six { }; view seven { - match-clients { geoip domain seven.org; }; + match-clients { geoip asnum "AS100007"; }; zone "example" { type master; file "example7.db"; diff --git a/bin/tests/system/geoip/ns2/named11.conf b/bin/tests/system/geoip/ns2/named11.conf index 85c0d32c34..1ceece41cf 100644 --- a/bin/tests/system/geoip/ns2/named11.conf +++ b/bin/tests/system/geoip/ns2/named11.conf @@ -40,7 +40,7 @@ controls { }; view one { - match-clients { geoip netspeed 0; }; + match-clients { geoip domain one.de; }; zone "example" { type master; file "example1.db"; @@ -48,7 +48,7 @@ view one { }; view two { - match-clients { geoip netspeed 1; }; + match-clients { geoip domain two.com; }; zone "example" { type master; file "example2.db"; 
@@ -56,7 +56,7 @@ view two { }; view three { - match-clients { geoip netspeed 2; }; + match-clients { geoip domain three.com; }; zone "example" { type master; file "example3.db"; @@ -64,13 +64,37 @@ view three { }; view four { - match-clients { geoip netspeed 3; }; + match-clients { geoip domain four.com; }; zone "example" { type master; file "example4.db"; }; }; +view five { + match-clients { geoip domain five.es; }; + zone "example" { + type master; + file "example5.db"; + }; +}; + +view six { + match-clients { geoip domain six.it; }; + zone "example" { + type master; + file "example6.db"; + }; +}; + +view seven { + match-clients { geoip domain seven.org; }; + zone "example" { + type master; + file "example7.db"; + }; +}; + view none { match-clients { any; }; zone "example" { diff --git a/bin/tests/system/geoip/ns2/named12.conf b/bin/tests/system/geoip/ns2/named12.conf index a650a635d2..85c0d32c34 100644 --- a/bin/tests/system/geoip/ns2/named12.conf +++ b/bin/tests/system/geoip/ns2/named12.conf @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -18,10 +18,6 @@ controls { /* empty */ }; -acl blocking { - geoip db country country AU; -}; - options { query-source address 10.53.0.2; notify-source 10.53.0.2; @@ -32,7 +28,6 @@ options { listen-on-v6 { none; }; recursion no; geoip-directory "../data"; - blackhole { blocking; }; }; key rndc_key { 
@@ -43,3 +38,43 @@ key rndc_key { controls { inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; }; }; + +view one { + match-clients { geoip netspeed 0; }; + zone "example" { + type master; + file "example1.db"; + }; +}; + +view two { + match-clients { geoip netspeed 1; }; + zone "example" { + type master; + file "example2.db"; + }; +}; + +view three { + match-clients { geoip netspeed 2; }; + zone "example" { + type master; + file "example3.db"; + }; +}; + +view four { + match-clients { geoip netspeed 3; }; + zone "example" { + type master; + file "example4.db"; + }; +}; + +view none { + match-clients { any; }; + zone "example" { + type master; + file "example.db.in"; + }; +}; diff --git a/bin/tests/system/geoip/ns2/named13.conf b/bin/tests/system/geoip/ns2/named13.conf index f92d25216c..a650a635d2 100644 --- a/bin/tests/system/geoip/ns2/named13.conf +++ b/bin/tests/system/geoip/ns2/named13.conf @@ -18,6 +18,10 @@ controls { /* empty */ }; +acl blocking { + geoip db country country AU; +}; + options { query-source address 10.53.0.2; notify-source 10.53.0.2; @@ -28,6 +32,7 @@ options { listen-on-v6 { none; }; recursion no; geoip-directory "../data"; + blackhole { blocking; }; }; key rndc_key { 
@@ -38,75 +43,3 @@ key rndc_key { controls { inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; }; }; - -acl gAU { geoip db country country AU; }; -acl gUS { geoip db country country US; }; -acl gGB { geoip db country country GB; }; -acl gCA { geoip db country country CA; }; -acl gCL { geoip db country country CL; }; -acl gDE { geoip db country country DE; }; -acl gEH { geoip db country country EH; }; - -view one { - match-clients { gAU; }; - zone "example" { - type master; - file "example1.db"; - }; -}; - -view two { - match-clients { gUS; }; - zone "example" { - type master; - file "example2.db"; - }; -}; - -view three { - match-clients { gGB; }; - zone "example" { - type master; - file "example3.db"; - }; -}; - -view four { - match-clients { gCA; }; - zone "example" { - type master; - file "example4.db"; - }; -}; - -view five { - match-clients { gCL; }; - zone "example" { - type master; - file "example5.db"; - }; -}; - -view six { - match-clients { gDE; }; - zone "example" { - type master; - file "example6.db"; - }; -}; - -view seven { - match-clients { gEH; }; - zone "example" { - type master; - file "example7.db"; - }; -}; - -view none { - match-clients { any; }; - zone "example" { - type master; - file "example.db.in"; - }; -}; diff --git a/bin/tests/system/geoip/ns2/named14.conf b/bin/tests/system/geoip/ns2/named14.conf new file mode 100644 index 0000000000..f92d25216c --- /dev/null +++ b/bin/tests/system/geoip/ns2/named14.conf 
@@ -0,0 +1,112 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +// NS2 + +controls { /* empty */ }; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + geoip-directory "../data"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; }; +}; + +acl gAU { geoip db country country AU; }; +acl gUS { geoip db country country US; }; +acl gGB { geoip db country country GB; }; +acl gCA { geoip db country country CA; }; +acl gCL { geoip db country country CL; }; +acl gDE { geoip db country country DE; }; +acl gEH { geoip db country country EH; }; + +view one { + match-clients { gAU; }; + zone "example" { + type master; + file "example1.db"; + }; +}; + +view two { + match-clients { gUS; }; + zone "example" { + type master; + file "example2.db"; + }; +}; + +view three { + match-clients { gGB; }; + zone "example" { + type master; + file "example3.db"; + }; +}; + +view four { + match-clients { gCA; }; + zone "example" { + type master; + file "example4.db"; + }; +}; + +view five { + 
match-clients { gCL; }; + zone "example" { + type master; + file "example5.db"; + }; +}; + +view six { + match-clients { gDE; }; + zone "example" { + type master; + file "example6.db"; + }; +}; + +view seven { + match-clients { gEH; }; + zone "example" { + type master; + file "example7.db"; + }; +}; + +view none { + match-clients { any; }; + zone "example" { + type master; + file "example.db.in"; + }; +}; diff --git a/bin/tests/system/geoip/tests.sh b/bin/tests/system/geoip/tests.sh index e7ab56a57b..3e916aed31 100644 --- a/bin/tests/system/geoip/tests.sh +++ b/bin/tests/system/geoip/tests.sh @@ -197,7 +197,7 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 / sleep 3 n=`expr $n + 1` -echo "I:checking GeoIP domain database ($n)" +echo "I:checking GeoIP asnum database - ASNNNN only ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do @@ -216,10 +216,10 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 / sleep 3 n=`expr $n + 1` -echo "I:checking GeoIP netspeed database ($n)" +echo "I:checking GeoIP domain database ($n)" ret=0 lret=0 -for i in 1 2 3 4; do +for i in 1 2 3 4 5 6 7; do $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 j=`cat dig.out.ns2.test$n.$i | tr -d '"'` [ "$i" = "$j" ] || lret=1 
@@ -234,6 +234,25 @@ cp -f ns2/named12.conf ns2/named.conf $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' sleep 3 +n=`expr $n + 1` +echo "I:checking GeoIP netspeed database ($n)" +ret=0 +lret=0 +for i in 1 2 3 4; do + $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break +done +[ $lret -eq 1 ] && ret=1 +[ $ret -eq 0 ] || echo "I:failed" +status=`expr $status + $ret` + +echo "I:reloading server" +cp -f ns2/named13.conf ns2/named.conf +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' +sleep 3 + n=`expr $n + 1` echo "I:checking GeoIP blackhole ACL ($n)" ret=0 @@ -243,7 +262,7 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 status 2>&1 > rndc.out.ns2.tes status=`expr $status + $ret` echo "I:reloading server" -cp -f ns2/named13.conf ns2/named.conf +cp -f ns2/named14.conf ns2/named.conf $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' sleep 3 diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 01f2c207c3..e0cf9264f4 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -2564,10 +2564,10 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. lwres statement in named.conf. - The number of client queries that the lwresd - daemon is able to serve can be set using the - and - statements in the configuration. + The number of client queries that the lwresd + daemon is able to serve can be set using the + and + statements in the configuration. 
@@ -3459,17 +3459,20 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. "isp", "org", "asnum", "domain" and "netspeed". - value is the value to searched for - within the database. A string may be quoted if it contains - spaces or other special characters. If this is a "country" - search and the string is two characters long, then it must be a - standard ISO-3166-1 two-letter country code, and if it is three - characters long then it must be an ISO-3166-1 three-letter - country code; otherwise it is the full name of the country. - Similarly, if this is a "region" search and the string is - two characters long, then it must be a standard two-letter state - or province abbreviation; otherwise it is the full name of the - state or province. + value is the value to search + for within the database. A string may be quoted if it + contains spaces or other special characters. If this is + an "asnum" search, then the leading "ASNNNN" string can be + used, otherwise the full description must be used (e.g. + "ASNNNN Example Company Name"). If this is a "country" + search and the string is two characters long, then it must + be a standard ISO-3166-1 two-letter country code, and if it + is three characters long then it must be an ISO-3166-1 + three-letter country code; otherwise it is the full name + of the country. Similarly, if this is a "region" search + and the string is two characters long, then it must be a + standard two-letter state or province abbreviation; + otherwise it is the full name of the state or province. The database field indicates which 
@@ -4718,32 +4721,32 @@ badresp:1,adberr:0,findfail:0,valfail:0] minimum number of dots in a relative domain name that should result in an exact match lookup before search path elements are appended. - - - The statement specifies the number - of worker threads the lightweight resolver will dedicate to serving - clients. By default the number is the same as the number of CPUs on - the system; this can be overridden using the - command line option when starting the server. - - - The specifies - the number of client objects per thread the lightweight - resolver should create to serve client queries. - By default, if the lightweight resolver runs as a part - of named, 256 client objects are - created for each task; if it runs as lwresd, - 1024 client objects are created for each thread. The maximum - value is 32768; higher values will be silently ignored and - the maximum will be used instead. - Note that setting too high a value may overconsume - system resources. - - - The maximum number of client queries that the lightweight - resolver can handle at any one time equals - times . - + + + The statement specifies the number + of worker threads the lightweight resolver will dedicate to serving + clients. By default the number is the same as the number of CPUs on + the system; this can be overridden using the + command line option when starting the server. + + + The specifies + the number of client objects per thread the lightweight + resolver should create to serve client queries. + By default, if the lightweight resolver runs as a part + of named, 256 client objects are + created for each task; if it runs as lwresd, + 1024 client objects are created for each thread. The maximum + value is 32768; higher values will be silently ignored and + the maximum will be used instead. + Note that setting too high a value may overconsume + system resources. + + + The maximum number of client queries that the lightweight + resolver can handle at any one time equals + times . 
+ <command>masters</command> Statement Grammar @@ -5793,7 +5796,7 @@ options { For convenience, TTL-style time unit suffixes can be used to specify the NTA lifetime in seconds, minutes or hours. defaults to - one hour. It cannot exceed one day. + one hour. It cannot exceed one day. @@ -5802,31 +5805,31 @@ options { nta-recheck - Species how often to check whether negative - trust anchors added via rndc nta - are still necessary. + Species how often to check whether negative + trust anchors added via rndc nta + are still necessary. - A negative trust anchor is normally used when a - domain has stopped validating due to operator error; - it temporarily disables DNSSEC validation for that - domain. In the interest of ensuring that DNSSEC - validation is turned back on as soon as possible, - named will periodically send a - query to the domain, ignoring negative trust anchors, - to find out whether it can now be validated. If so, - the negative trust anchor is allowed to expire early. + A negative trust anchor is normally used when a + domain has stopped validating due to operator error; + it temporarily disables DNSSEC validation for that + domain. In the interest of ensuring that DNSSEC + validation is turned back on as soon as possible, + named will periodically send a + query to the domain, ignoring negative trust anchors, + to find out whether it can now be validated. If so, + the negative trust anchor is allowed to expire early. - Validity checks can be disabled for an individual - NTA by using rndc nta -f, or - for all NTA's by setting - to zero. + Validity checks can be disabled for an individual + NTA by using rndc nta -f, or + for all NTA's by setting + to zero. For convenience, TTL-style time unit suffixes can be - used to specify the NTA recheck interval in seconds, - minutes or hours. The default is five minutes. + used to specify the NTA recheck interval in seconds, + minutes or hours. The default is five minutes. 
@@ -9020,24 +9023,24 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; masterfile-style - - Specifies the formatting of zone files during dump - when the is - text. (This option is ignored - with any other .) - - - When set to relative, - records are printed in a multi-line format with owner - names expressed relative to a shared origin. When set - to full, records are printed in - a single-line format with absolute owner names. - The full format is most suitable - when a zone file needs to be processed automatically - by a script. The relative format - is more human-readable, and is thus suitable when a - zone is to be edited by hand. The default is - relative. + + Specifies the formatting of zone files during dump + when the is + text. (This option is ignored + with any other .) + + + When set to relative, + records are printed in a multi-line format with owner + names expressed relative to a shared origin. When set + to full, records are printed in + a single-line format with absolute owner names. + The full format is most suitable + when a zone file needs to be processed automatically + by a script. The relative format + is more human-readable, and is thus suitable when a + zone is to be edited by hand. The default is + relative. @@ -9050,8 +9053,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; initial value (minimum) and maximum number of recursive simultaneous clients for any given query (<qname,qtype,qclass>) that the server will accept - before dropping additional clients. - named will attempt to + before dropping additional clients. + named will attempt to self tune this value and changes will be logged. The default values are 10 and 100. 
@@ -10564,15 +10567,15 @@ rate-limit { The request-expire clause determines - whether the local server, when acting as a slave, will - request the EDNS EXPIRE value. The EDNS EXPIRE value - indicates the remaining time before the zone data will - expire and need to be be refreshed. This is used - when a secondary server transfers a zone from another - secondary server; when transferring from the primary, the - expiration timer is set from the EXPIRE field of the SOA - record instead. - The default is yes. + whether the local server, when acting as a slave, will + request the EDNS EXPIRE value. The EDNS EXPIRE value + indicates the remaining time before the zone data will + expire and need to be be refreshed. This is used + when a secondary server transfers a zone from another + secondary server; when transferring from the primary, the + expiration timer is set from the EXPIRE field of the SOA + record instead. + The default is yes. @@ -12459,11 +12462,11 @@ example.com. NS ns2.example.net. When set to serial-update-method date;, the - new SOA serial number will be the current date - in the form "YYYYMMDD", followed by two zeroes, - unless the existing serial number is already greater - than or equal to that value, in which case it is - incremented by one. + new SOA serial number will be the current date + in the form "YYYYMMDD", followed by two zeroes, + unless the existing serial number is already greater + than or equal to that value, in which case it is + incremented by one. diff --git a/lib/dns/geoip.c b/lib/dns/geoip.c index 291b0d05e9..ec6beb7acb 100644 --- a/lib/dns/geoip.c +++ b/lib/dns/geoip.c 
@@ -766,8 +766,21 @@ dns_geoip_match(const isc_netaddr_t *reqaddr,
 return (ISC_FALSE);
 s = name_lookup(db, subtype, ipnum);
- if (s != NULL && strcasecmp(elt->as_string, s) == 0)
- return (ISC_TRUE);
+ if (s != NULL) {
+ size_t l;
+ if (strcasecmp(elt->as_string, s) == 0)
+ return (ISC_TRUE);
+ if (subtype != dns_geoip_as_asnum)
+ break;
+ /*
+ * Just check if the ASNNNN value matches.
+ */
+ l = strlen(elt->as_string);
+ if (l > 0U && strchr(elt->as_string, ' ') == NULL &&
+ strncasecmp(elt->as_string, s, l) == 0 &&
+ s[l] == ' ')
+ return (ISC_TRUE);
+ }
 break;
 case dns_geoip_netspeed_id:
diff --git a/lib/isccfg/aclconf.c b/lib/isccfg/aclconf.c
index 76f6ad4a9a..83d5ae6509 100644
--- a/lib/isccfg/aclconf.c
+++ b/lib/isccfg/aclconf.c
@@ -482,6 +482,7 @@ parse_geoip_element(const cfg_obj_t *obj, isc_log_t *lctx,
 const char *stype, *search;
 dns_geoip_subtype_t subtype;
 dns_aclelement_t de;
+ size_t len;
 REQUIRE(dep != NULL);
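Review bot: The comment `Just check if the ASNNNN value matches.` understates the rule the new asnum branch actually implements: a case-insensitive comparison of the configured token against the first space-delimited word of the database string, guarded by `strchr(elt->as_string, ' ') == NULL` so that a configured value containing spaces still has to pass the full-string comparison above. I'd replace it with `/* Bare "ASNNNN" configured: match only the leading word of the database entry. */`. A bare number without the "AS" prefix still does not match, which the ARM text in this commit could state explicitly. dns_geoip_match's body starts and ends outside this hunk.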
@@ -493,35 +494,52 @@ parse_geoip_element(const cfg_obj_t *obj, isc_log_t *lctx, stype = cfg_obj_asstring(cfg_tuple_get(obj, "subtype")); search = cfg_obj_asstring(cfg_tuple_get(obj, "search")); + len = strlen(search); - if (strcasecmp(stype, "country") == 0 && strlen(search) == 2) { + if (len == 0) { + cfg_obj_log(obj, lctx, ISC_LOG_ERROR, + "zero-length geoip search field"); + return (ISC_R_FAILURE); + } + + if (strcasecmp(stype, "country") == 0 && len == 2) { /* Two-letter country code */ subtype = dns_geoip_countrycode; - strncpy(de.geoip_elem.as_string, search, 2); - } else if (strcasecmp(stype, "country") == 0 && strlen(search) == 3) { + strlcpy(de.geoip_elem.as_string, search, + sizeof(de.geoip_elem.as_string)); + } else if (strcasecmp(stype, "country") == 0 && len == 3) { /* Three-letter country code */ subtype = dns_geoip_countrycode3; - strncpy(de.geoip_elem.as_string, search, 3); + strlcpy(de.geoip_elem.as_string, search, + sizeof(de.geoip_elem.as_string)); } else if (strcasecmp(stype, "country") == 0) { /* Country name */ subtype = dns_geoip_countryname; - strncpy(de.geoip_elem.as_string, search, 255); - } else if (strcasecmp(stype, "region") == 0 && strlen(search) == 2) { + strlcpy(de.geoip_elem.as_string, search, + sizeof(de.geoip_elem.as_string)); + } else if (strcasecmp(stype, "region") == 0 && len == 2) { /* Two-letter region code */ subtype = dns_geoip_region; - strncpy(de.geoip_elem.as_string, search, 2); + strlcpy(de.geoip_elem.as_string, search, + sizeof(de.geoip_elem.as_string)); } else if (strcasecmp(stype, "region") == 0) { /* Region name */ subtype = dns_geoip_regionname; - strncpy(de.geoip_elem.as_string, search, 255); + strlcpy(de.geoip_elem.as_string, search, + sizeof(de.geoip_elem.as_string)); } else if (strcasecmp(stype, "city") == 0) { /* City name */ subtype = dns_geoip_city_name; - strncpy(de.geoip_elem.as_string, search, 255); - } else if (strcasecmp(stype, "postal") == 0 && strlen(search) < 7) { + strlcpy(de.geoip_elem.as_string, 
search, + sizeof(de.geoip_elem.as_string)); + } else if (strcasecmp(stype, "postal") == 0 && len < 7) { subtype = dns_geoip_city_postalcode; - strncpy(de.geoip_elem.as_string, search, 6); - de.geoip_elem.as_string[6] = '\0'; + strlcpy(de.geoip_elem.as_string, search, + sizeof(de.geoip_elem.as_string)); + } else if (strcasecmp(stype, "postal") == 0) { + cfg_obj_log(obj, lctx, ISC_LOG_ERROR, + "geoiop postal code (%s) too long", search); + return (ISC_R_FAILURE); } else if (strcasecmp(stype, "metro") == 0) { subtype = dns_geoip_city_metrocode; de.geoip_elem.as_int = atoi(search); 
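Review bot: The two new error messages misspell the element name: `"geoiop postal code (%s) too long"` here and `"geoiop continent code (%s) too long"` in the next hunk should read `"geoip postal code (%s) too long"` and `"geoip continent code (%s) too long"`, since operators search logs for the element name. Separately, replacing strncpy with strlcpy fixes the unterminated-copy problem, but a country/region/city/tz/isp/asnum/org/domain name that does not fit `de.geoip_elem.as_string` is now silently truncated into an element that can never match; a check beside the new zero-length test, `if (len >= sizeof(de.geoip_elem.as_string)) { cfg_obj_log(obj, lctx, ISC_LOG_ERROR, "geoip search field (%s) too long", search); return (ISC_R_FAILURE); }`, would turn that into a configuration error like the postal and continent cases. parse_geoip_element continues past the end of this hunk.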
@@ -530,23 +548,33 @@ parse_geoip_element(const cfg_obj_t *obj, isc_log_t *lctx, de.geoip_elem.as_int = atoi(search); } else if (strcasecmp(stype, "tz") == 0) { subtype = dns_geoip_city_timezonecode; - strncpy(de.geoip_elem.as_string, search, 255); - } else if (strcasecmp(stype, "continent") == 0 && strlen(search) == 2) { + strlcpy(de.geoip_elem.as_string, search, + sizeof(de.geoip_elem.as_string)); + } else if (strcasecmp(stype, "continent") == 0 && len == 2) { /* Two-letter continent code */ subtype = dns_geoip_city_continentcode; - strncpy(de.geoip_elem.as_string, search, 2); + strlcpy(de.geoip_elem.as_string, search, + sizeof(de.geoip_elem.as_string)); + } else if (strcasecmp(stype, "continent") == 0) { + cfg_obj_log(obj, lctx, ISC_LOG_ERROR, + "geoiop continent code (%s) too long", search); + return (ISC_R_FAILURE); } else if (strcasecmp(stype, "isp") == 0) { subtype = dns_geoip_isp_name; - strncpy(de.geoip_elem.as_string, search, 255); + strlcpy(de.geoip_elem.as_string, search, + sizeof(de.geoip_elem.as_string)); } else if (strcasecmp(stype, "asnum") == 0) { subtype = dns_geoip_as_asnum; - strncpy(de.geoip_elem.as_string, search, 255); + strlcpy(de.geoip_elem.as_string, search, + sizeof(de.geoip_elem.as_string)); } else if (strcasecmp(stype, "org") == 0) { subtype = dns_geoip_org_name; - strncpy(de.geoip_elem.as_string, search, 255); + strlcpy(de.geoip_elem.as_string, search, + sizeof(de.geoip_elem.as_string)); } else if (strcasecmp(stype, "domain") == 0) { subtype = dns_geoip_domain_name; - strncpy(de.geoip_elem.as_string, search, 255); + strlcpy(de.geoip_elem.as_string, search, + sizeof(de.geoip_elem.as_string)); } else if (strcasecmp(stype, "netspeed") == 0) { subtype = dns_geoip_netspeed_id; de.geoip_elem.as_int = atoi(search); diff --git a/util/copyrights b/util/copyrights index d43244f545..a1cc91e696 100644 --- a/util/copyrights +++ b/util/copyrights 
@@ -1313,10 +1313,11 @@ ./bin/tests/system/geoip/geoip.c C 2013 ./bin/tests/system/geoip/ns2/example.db.in ZONE 2013 ./bin/tests/system/geoip/ns2/named1.conf CONF-C 2013 -./bin/tests/system/geoip/ns2/named10.conf CONF-C 2013 +./bin/tests/system/geoip/ns2/named10.conf CONF-C 2014 ./bin/tests/system/geoip/ns2/named11.conf CONF-C 2013 -./bin/tests/system/geoip/ns2/named12.conf CONF-C 2014 +./bin/tests/system/geoip/ns2/named12.conf CONF-C 2013 ./bin/tests/system/geoip/ns2/named13.conf CONF-C 2014 +./bin/tests/system/geoip/ns2/named14.conf CONF-C 2014 ./bin/tests/system/geoip/ns2/named2.conf CONF-C 2013 ./bin/tests/system/geoip/ns2/named3.conf CONF-C 2013 ./bin/tests/system/geoip/ns2/named4.conf CONF-C 2013 From d46855caedd5cb101795707f6f467fa363ef1448 Mon Sep 17 00:00:00 2001 
From: Evan Hunt Date: Thu, 28 Aug 2014 22:05:57 -0700 Subject: [PATCH 07/92] [master] ECS authoritative support 3936. [func] Added authoritative support for the EDNS Client Subnet (ECS) option. ACLs can now include "ecs" elements which specify an address or network prefix; if an ECS option is included in a DNS query, then the address encoded in the option will be matched against "ecs" ACL elements. Also, if an ECS address is included in a query, then it will be used instead of the client source address when matching "geoip" ACL elements. This behavior can be overridden with "geoip-use-ecs no;". When "ecs" or "geoip" ACL elements are used to select a view for a query, the response will include an ECS option to indicate which client network the answer is valid for. (Thanks to Vincent Bernat.) [RT #36781] --- CHANGES | 21 +++ README | 6 + bin/named/client.c | 185 +++++++++++++++++-- bin/named/config.c | 5 + bin/named/include/named/client.h | 7 + bin/named/include/named/server.h | 17 +- bin/named/server.c | 11 ++ bin/named/statschannel.c | 1 + bin/tests/system/acl/ns2/named6.conf | 50 ++++++ bin/tests/system/acl/ns2/named7.conf | 60 +++++++ bin/tests/system/acl/tests.sh | 30 ++++ bin/tests/system/geoip/clean.sh | 2 +- bin/tests/system/geoip/data/GeoIP.csv | 1 + bin/tests/system/geoip/data/GeoIP.dat | Bin 243 -> 385 bytes bin/tests/system/geoip/data/README | 5 +- bin/tests/system/geoip/ns2/named1.conf | 8 + bin/tests/system/geoip/ns2/named14.conf | 5 +- bin/tests/system/geoip/setup.sh | 2 +- bin/tests/system/geoip/tests.sh | 147 +++++++++++++++ doc/arm/Bv9ARM-book.xml | 228 +++++++++++++++++------- lib/dns/acl.c | 139 +++++++++++---- lib/dns/geoip.c | 125 +++++++++---- lib/dns/include/dns/acl.h | 29 ++- lib/dns/include/dns/geoip.h | 2 +- lib/dns/include/dns/iptable.h | 4 + lib/dns/include/dns/message.h | 2 +- lib/dns/iptable.c | 63 +++---- lib/dns/message.c | 2 - lib/dns/tests/geoip_test.c | 129 ++++++++------ lib/dns/win32/libdns.def.in | 2 + 
lib/isc/include/isc/radix.h | 33 ++-- lib/isc/radix.c | 165 ++++++++--------- lib/isccfg/aclconf.c | 7 +- lib/isccfg/include/isccfg/namedconf.h | 3 + lib/isccfg/namedconf.c | 16 ++ 35 files changed, 1155 insertions(+), 357 deletions(-) create mode 100644 bin/tests/system/acl/ns2/named6.conf create mode 100644 bin/tests/system/acl/ns2/named7.conf diff --git a/CHANGES b/CHANGES index e7c9c89b54..47f40b53ee 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,24 @@ +3936. [func] Added authoritative support for the EDNS Client + Subnet (ECS) option. + + ACLs can now include "ecs" elements which specify + an address or network prefix; if an ECS option is + included in a DNS query, then the address encoded + in the option will be matched against "ecs" ACL + elements. + + Also, if an ECS address is included in a query, + then it will be used instead of the client source + address when matching "geoip" ACL elements. This + behavior can be overridden with "geoip-use-ecs no;". + + When "ecs" or "geoip" ACL elements are used to + select a view for a query, the response will include + an ECS option to indicate which client network the + answer is valid for. + + (Thanks to Vincent Bernat.) [RT #36781] + 3935. [bug] "geoip asnum" ACL elements would not match unless the full organization name was specified. They can now match against the AS number alone (e.g., diff --git a/README b/README index 8298ae1f88..23ef8a8328 100644 --- a/README +++ b/README 
@@ -56,6 +56,12 @@ BIND 9.11.0 BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier releases. New features include: + - The EDNS Client Subnet (ECS) option is now supported for + authoritative servers; if a query contains an ECS option + then ACLs containing "geoip" or "ecs" elements can match + against the the address encoded in the option. This can be + used to select a view for a query, so that different answers + can be provided depending on the client network. - The EDNS EXPIRE option has been implemented on the client side, allowing a slave server to set the expiration timer correctly when transferring zone data from another slave diff --git a/bin/named/client.c b/bin/named/client.c index 68d14a942d..f2fe82fa78 100644 --- a/bin/named/client.c +++ b/bin/named/client.c @@ -122,6 +122,7 @@ #endif #define SIT_SIZE 24U /* 8 + 4 + 4 + 8 */ +#define ECS_SIZE 20U /* 2 + 1 + 1 + [0..16] */ /*% nameserver client manager structure */ struct ns_clientmgr { @@ -244,7 +245,8 @@ static void ns_client_dumpmessage(ns_client_t *client, const char *reason); static isc_result_t get_client(ns_clientmgr_t *manager, ns_interface_t *ifp, dns_dispatch_t *disp, isc_boolean_t tcp); static inline isc_boolean_t -allowed(isc_netaddr_t *addr, dns_name_t *signer, dns_acl_t *acl); +allowed(isc_netaddr_t *addr, dns_name_t *signer, isc_netaddr_t *ecs_addr, + isc_uint8_t ecs_addrlen, isc_uint8_t *ecs_scope, dns_acl_t *acl); #ifdef ISC_PLATFORM_USESIT static void compute_sit(ns_client_t *client, isc_uint32_t when, isc_uint32_t nonce, isc_buffer_t *buf); @@ -1042,7 +1044,8 @@ client_send(ns_client_t *client) { if (client->message->tsigkey != NULL) name = &client->message->tsigkey->name; if (client->view->nocasecompress == NULL || - !allowed(&netaddr, name, client->view->nocasecompress)) + !allowed(&netaddr, name, NULL, 0, NULL, + client->view->nocasecompress)) { dns_compress_setsensitive(&cctx, ISC_TRUE); } 
@@ -1381,6 +1384,7 @@ isc_result_t
 ns_client_addopt(ns_client_t *client, dns_message_t *message,
 dns_rdataset_t **opt)
 {
+ unsigned char ecs[ECS_SIZE];
 char nsid[BUFSIZ], *nsidp;
 #ifdef ISC_PLATFORM_USESIT
 unsigned char sit[SIT_SIZE];
@@ -1459,6 +1463,38 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
 ednsopts[count].value = expire;
 count++;
 }
+ if (((client->attributes & NS_CLIENTATTR_HAVEECS) != 0) &&
+ (client->ecs_addr.family == AF_INET ||
+ client->ecs_addr.family == AF_INET6))
+ {
+ int i, addrbytes = (client->ecs_addrlen + 7) / 8;
+ isc_uint8_t *paddr;
+ isc_buffer_t buf;
+
+ /* Add client subnet option. */
+ isc_buffer_init(&buf, ecs, sizeof(ecs));
+ if (client->ecs_addr.family == AF_INET)
+ isc_buffer_putuint16(&buf, 1);
+ else
+ isc_buffer_putuint16(&buf, 2);
+ isc_buffer_putuint8(&buf, client->ecs_addrlen);
+ isc_buffer_putuint8(&buf, client->ecs_scope);
+
+ paddr = (isc_uint8_t *) &client->ecs_addr.type;
+ for (i = 0; i < addrbytes; i++) {
+ unsigned char uc;
+ uc = paddr[i];
+ if (i == addrbytes - 1 &&
+ ((client->ecs_addrlen % 8) != 0))
+ uc &= (1U << (8 - (client->ecs_addrlen % 8)));
+ isc_buffer_putuint8(&buf, uc);
+ }
+
+ ednsopts[count].code = DNS_OPT_CLIENT_SUBNET;
+ ednsopts[count].length = addrbytes + 4;
+ ednsopts[count].value = ecs;
+ count++;
+ }
 result = dns_message_buildopt(message, opt, 0, udpsize, flags, ednsopts, count);
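Review bot: The mask applied to the last partial byte is wrong: `uc &= (1U << (8 - (client->ecs_addrlen % 8)));` keeps a single bit instead of the top `ecs_addrlen % 8` bits, so for a /12 prefix only bit 4 of the second byte survives and the address echoed in the response's ECS option no longer matches the prefix the client sent. It should be `uc &= (0xffU << (8 - (client->ecs_addrlen % 8)));`. The fact that `addrbytes` never exceeds the 16 bytes that fit in `ecs[ECS_SIZE]` depends on process_ecs rejecting addrlen > 128 before it sets NS_CLIENTATTR_HAVEECS; a comment naming that invariant next to the declaration, `/* addrbytes <= 16: process_ecs() rejects addrlen > 128. */`, would keep the two in step. ns_client_addopt's body continues outside this hunk.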
@@ -1466,14 +1502,17 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, } static inline isc_boolean_t -allowed(isc_netaddr_t *addr, dns_name_t *signer, dns_acl_t *acl) { +allowed(isc_netaddr_t *addr, dns_name_t *signer, + isc_netaddr_t *ecs_addr, isc_uint8_t ecs_addrlen, + isc_uint8_t *ecs_scope, dns_acl_t *acl) +{ int match; isc_result_t result; if (acl == NULL) return (ISC_TRUE); - result = dns_acl_match(addr, signer, acl, &ns_g_server->aclenv, - &match, NULL); + result = dns_acl_match2(addr, signer, ecs_addr, ecs_addrlen, ecs_scope, + acl, &ns_g_server->aclenv, &match, NULL); if (result == ISC_R_SUCCESS && match > 0) return (ISC_TRUE); return (ISC_FALSE); @@ -1536,8 +1575,10 @@ ns_client_isself(dns_view_t *myview, dns_tsigkey_t *mykey, tsig = dns_tsigkey_identity(mykey); } - if (allowed(&netsrc, tsig, view->matchclients) && - allowed(&netdst, tsig, view->matchdestinations)) + if (allowed(&netsrc, tsig, NULL, 0, NULL, + view->matchclients) && + allowed(&netdst, tsig, NULL, 0, NULL, + view->matchdestinations)) break; } return (ISC_TF(view == myview)); 
@@ -1718,6 +1759,81 @@ process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
 }
 #endif
+static isc_result_t
+process_ecs(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
+ isc_uint16_t family;
+ isc_uint8_t addrlen, addrbytes, scope, *paddr;
+ isc_netaddr_t caddr;
+ int i;
+
+ if (optlen < 4) {
+ ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2),
+ "EDNS client subnet option too short");
+ return (DNS_R_FORMERR);
+ }
+
+ family = isc_buffer_getuint16(buf);
+ addrlen = isc_buffer_getuint8(buf);
+ scope = isc_buffer_getuint8(buf);
+ optlen -= 4;
+
+ if (scope != 0U) {
+ ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2),
+ "EDNS client subnet option: invalid scope");
+ return (DNS_R_FORMERR);
+ }
+
+ memset(&caddr, 0, sizeof(caddr));
+ switch (family) {
+ case 1:
+ if (addrlen > 32U)
+ goto invalid_length;
+ caddr.family = AF_INET;
+ break;
+ case 2:
+ if (addrlen > 128U) {
+ invalid_length:
+ ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2),
+ "EDNS client subnet option: invalid "
+ "address length (%u) for %s",
+ addrlen, family == 1 ? 
"IPv4" : "IPv6");
+ return (DNS_R_FORMERR);
+ }
+ caddr.family = AF_INET6;
+ break;
+ default:
+ ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2),
+ "EDNS client subnet option: invalid family");
+ return (DNS_R_FORMERR);
+ }
+
+ addrbytes = (addrlen + 7) / 8;
+ if (isc_buffer_remaininglength(buf) < addrbytes) {
+ ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2),
+ "EDNS client subnet option: address too short");
+ return (DNS_R_FORMERR);
+ }
+
+ paddr = (isc_uint8_t *) &caddr.type;
+ for (i = 0; i < addrbytes; i++) {
+ paddr[i] = isc_buffer_getuint8(buf);
+ optlen--;
+ }
+
+ memmove(&client->ecs_addr, &caddr, sizeof(caddr));
+ client->ecs_addrlen = addrlen;
+ client->ecs_scope = 0;
+ client->attributes |= NS_CLIENTATTR_HAVEECS;
+
+ isc_buffer_forward(buf, optlen);
+ return (ISC_R_SUCCESS);
+}
+
 static isc_result_t
 process_opt(ns_client_t *client, dns_rdataset_t *opt) {
 dns_rdata_t rdata;
@@ -1788,6 +1904,15 @@ process_opt(ns_client_t *client, dns_rdataset_t *opt) {
 client->attributes |= NS_CLIENTATTR_WANTEXPIRE;
 isc_buffer_forward(&optbuf, optlen);
 break;
+ case DNS_OPT_CLIENT_SUBNET:
+ result = process_ecs(client, &optbuf, optlen);
+ if (result != ISC_R_SUCCESS) {
+ ns_client_error(client, result);
+ goto cleanup;
+ }
+ isc_stats_increment(ns_g_server->nsstats,
+ dns_nsstatscounter_ecsopt);
+ break;
 default:
 isc_stats_increment(ns_g_server->nsstats,
 dns_nsstatscounter_otheropt);
@@ -1925,7 +2050,6 @@ client_request(isc_task_t *task, isc_event_t *event) {
 * client_newconn.
 */
 if (!TCP_CLIENT(client)) {
-
 if (ns_g_server->blackholeacl != NULL && dns_acl_match(&netaddr, NULL, ns_g_server->blackholeacl, &ns_g_server->aclenv,
@@ -2033,6 +2157,10 @@ client_request(isc_task_t *task, isc_event_t *event) {
 opt = NULL;
 else
 opt = dns_message_getopt(client->message);
+
+ client->ecs_addrlen = 0;
+ client->ecs_scope = 0;
+
 if (opt != NULL) {
 /*
 * Are we dropping all EDNS queries?
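Review bot: The "address too short" check compares `addrbytes` against `isc_buffer_remaininglength(buf)`, which is the rest of the whole OPT RDATA, not against the option's own declared length; an ECS option whose length covers fewer than `addrbytes + 4` bytes but is followed by further option data passes the check, the copy loop then decrements the size_t `optlen` past zero, and `isc_buffer_forward(buf, optlen)` is called with a wrapped count, which I would expect to fail the buffer's precondition and abort the server on a single malformed query. The check should be `if (optlen < addrbytes) {` with the same log message, which also keeps parsing aligned for any option that follows. A second point: the bits of the final byte beyond `addrlen` are stored unmasked in `client->ecs_addr` although the ECS specification requires them to be zero, so two clients can present different bytes for the same prefix; either return DNS_R_FORMERR or clear the trailing bits before the memmove so that ACL matching and the echoed option agree. process_ecs is contained entirely in this hunk.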
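Review bot: The per-request reset here clears `ecs_addrlen` and `ecs_scope` but not the NS_CLIENTATTR_HAVEECS bit; unless `client->attributes` is cleared for every request somewhere outside this diff, a reused client object could carry the previous query's flag and the view-selection code would hand `&client->ecs_addr` with a zero length to ACL matching. Adding `client->attributes &= ~NS_CLIENTATTR_HAVEECS;` beside the two resets makes the per-request state explicit either way. client_request continues outside this hunk.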
@@ -2117,17 +2245,29 @@ client_request(isc_task_t *task, isc_event_t *event) { client->message->rdclass == dns_rdataclass_any) { dns_name_t *tsig = NULL; + isc_netaddr_t *addr = NULL; + isc_uint8_t *scope = NULL; sigresult = dns_message_rechecksig(client->message, view); - if (sigresult == ISC_R_SUCCESS) - tsig = dns_tsigkey_identity(client->message->tsigkey); + if (sigresult == ISC_R_SUCCESS) { + dns_tsigkey_t *tsigkey; - if (allowed(&netaddr, tsig, view->matchclients) && - allowed(&client->destaddr, tsig, - view->matchdestinations) && - !((client->message->flags & DNS_MESSAGEFLAG_RD) - == 0 && view->matchrecursiveonly)) + tsigkey = client->message->tsigkey; + tsig = dns_tsigkey_identity(tsigkey); + } + + if ((client->attributes & NS_CLIENTATTR_HAVEECS) != 0) { + addr = &client->ecs_addr; + scope = &client->ecs_scope; + } + + if (allowed(&netaddr, tsig, addr, client->ecs_addrlen, + scope, view->matchclients) && + allowed(&client->destaddr, tsig, NULL, + 0, NULL, view->matchdestinations) && + !(view->matchrecursiveonly && + (client->message->flags & DNS_MESSAGEFLAG_RD) == 0)) { dns_view_attach(view, &client->view); break; @@ -2519,6 +2659,8 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) { client->recursionquota = NULL; client->interface = NULL; client->peeraddr_valid = ISC_FALSE; + client->ecs_addrlen = 0; + client->ecs_scope = 0; #ifdef ALLOW_FILTER_AAAA client->filter_aaaa = dns_aaaa_ok; #endif @@ -3055,6 +3197,8 @@ ns_client_checkaclsilent(ns_client_t *client, isc_netaddr_t *netaddr, { isc_result_t result; isc_netaddr_t tmpnetaddr; + isc_netaddr_t *ecs_addr = NULL; + isc_uint8_t ecs_addrlen = 0; int match; if (acl == NULL) { 
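Review bot: The per-request reset in client_request clears client->ecs_addrlen and client->ecs_scope but not NS_CLIENTATTR_HAVEECS, and the ACL and view-selection code added in this commit gates on the attribute rather than on the length. Unless client->attributes is cleared elsewhere before this point (not visible here), a reused client object could carry the ECS prefix of a previous query into a later one that sent no ECS option; adding `client->attributes &= ~NS_CLIENTATTR_HAVEECS;` next to the two resets would make the state self-consistent. The same consideration applies to the client_create hunk below, where the attribute presumably starts at zero anyway.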
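Review bot: The view-selection hunk now feeds client->ecs_addr into allowed() for match-clients, and the ns_client_checkaclsilent hunk (`@@ -3069`) does the same for every ACL checked through it, yet the ECS prefix is a value any client can assert and nothing authenticates it; an `ecs` element can therefore only grant access on the basis of a client-supplied claim, which matters when such ACLs guard transfers or updates, and the config.c default `geoip-use-ecs yes;` extends the same trust to GeoIP elements by default. A short comment at the point where addr and scope are set, e.g. `/* ECS prefix is client-asserted and unauthenticated; it can only ever widen an ACL's match. */`, would make the trust boundary explicit for the next maintainer, and the ARM text describing "ecs" elements could carry the same caveat. The enclosing client_request body continues outside the hunk.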
@@ -3069,11 +3213,18 @@ ns_client_checkaclsilent(ns_client_t *client, isc_netaddr_t *netaddr, netaddr = &tmpnetaddr; } - result = dns_acl_match(netaddr, client->signer, acl, - &ns_g_server->aclenv, &match, NULL); + if ((client->attributes & NS_CLIENTATTR_HAVEECS) != 0) { + ecs_addr = &client->ecs_addr; + ecs_addrlen = client->ecs_addrlen; + } + + result = dns_acl_match2(netaddr, client->signer, + ecs_addr, ecs_addrlen, NULL, acl, + &ns_g_server->aclenv, &match, NULL); if (result != ISC_R_SUCCESS) goto deny; /* Internal error, already logged. */ + if (match > 0) goto allow; goto deny; /* Negative match or no match. */ diff --git a/bin/named/config.c b/bin/named/config.c index f7647e76f7..dfd2852fd8 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -177,6 +177,11 @@ options {\n\ nsec3-test-zone no;\n\ allow-new-zones no;\n\ " +#ifdef HAVE_GEOIP +"\ + geoip-use-ecs yes;\n\ +" +#endif #ifdef ALLOW_FILTER_AAAA " filter-aaaa-on-v4 no;\n\ filter-aaaa-on-v6 no;\n\ diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h index c0c3171dc3..48ee578c88 100644 --- a/bin/named/include/named/client.h +++ b/bin/named/include/named/client.h @@ -137,9 +137,15 @@ struct ns_client { isc_quota_t *tcpquota; isc_quota_t *recursionquota; ns_interface_t *interface; + isc_sockaddr_t peeraddr; isc_boolean_t peeraddr_valid; isc_netaddr_t destaddr; + + isc_netaddr_t ecs_addr; /*%< EDNS client subnet */ + isc_uint8_t ecs_addrlen; + isc_uint8_t ecs_scope; + struct in6_pktinfo pktinfo; isc_dscp_t dscp; isc_event_t ctlevent; @@ -187,6 +193,7 @@ typedef ISC_LIST(ns_client_t) client_list_t; #define NS_CLIENTATTR_WANTEXPIRE 0x0800 /*%< return seconds to expire */ #define NS_CLIENTATTR_HAVEEXPIRE 0x1000 /*%< return seconds to expire */ #define NS_CLIENTATTR_WANTOPT 0x2000 /*%< add opt to reply */ +#define NS_CLIENTATTR_HAVEECS 0x4000 /*%< sent an ECS option */ extern unsigned int ns_client_requests; 
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h index e1d1db275b..0b241b7471 100644 --- a/bin/named/include/named/server.h +++ b/bin/named/include/named/server.h @@ -182,18 +182,19 @@ enum { dns_nsstatscounter_nsidopt = 43, dns_nsstatscounter_expireopt = 44, dns_nsstatscounter_otheropt = 45, + dns_nsstatscounter_ecsopt = 46, #ifdef ISC_PLATFORM_USESIT - dns_nsstatscounter_sitopt = 46, - dns_nsstatscounter_sitbadsize = 47, - dns_nsstatscounter_sitbadtime = 48, - dns_nsstatscounter_sitnomatch = 49, - dns_nsstatscounter_sitmatch = 50, - dns_nsstatscounter_sitnew = 51, + dns_nsstatscounter_sitopt = 47, + dns_nsstatscounter_sitbadsize = 48, + dns_nsstatscounter_sitbadtime = 49, + dns_nsstatscounter_sitnomatch = 50, + dns_nsstatscounter_sitmatch = 51, + dns_nsstatscounter_sitnew = 52, - dns_nsstatscounter_max = 52 + dns_nsstatscounter_max = 53 #else - dns_nsstatscounter_max = 46 + dns_nsstatscounter_max = 47 #endif }; diff --git a/bin/named/server.c b/bin/named/server.c index 72bbdd285f..eb7d02a0de 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -4684,6 +4684,9 @@ directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) { static void scan_interfaces(ns_server_t *server, isc_boolean_t verbose) { isc_boolean_t match_mapped = server->aclenv.match_mapped; +#ifdef HAVE_GEOIP + isc_boolean_t use_ecs = server->aclenv.geoip_use_ecs; +#endif ns_interfacemgr_scan(server->interfacemgr, verbose); /* @@ -4694,6 +4697,9 @@ scan_interfaces(ns_server_t *server, isc_boolean_t verbose) { ns_interfacemgr_getaclenv(server->interfacemgr)); server->aclenv.match_mapped = match_mapped; +#ifdef HAVE_GEOIP + server->aclenv.geoip_use_ecs = use_ecs; +#endif } static isc_result_t 
@@ -5554,6 +5560,11 @@ load_configuration(const char *filename, ns_server_t *server, } else ns_geoip_load(NULL); ns_g_aclconfctx->geoip = ns_g_geoip; + + obj = NULL; + result = ns_config_get(maps, "geoip-use-ecs", &obj); + INSIST(result == ISC_R_SUCCESS); + ns_g_server->aclenv.geoip_use_ecs = cfg_obj_asboolean(obj); #endif /* HAVE_GEOIP */ /* diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c index 6e2fe3a3c3..f0584c3ac8 100644 --- a/bin/named/statschannel.c +++ b/bin/named/statschannel.c @@ -242,6 +242,7 @@ init_desc(void) { "SitNoMatch"); SET_NSSTATDESC(sitmatch, "source identity token - match", "SitMatch"); #endif + SET_NSSTATDESC(ecsopt, "EDNS client subnet option recieved", "ECSOpt"); INSIST(i == dns_nsstatscounter_max); /* Initialize resolver statistics */ diff --git a/bin/tests/system/acl/ns2/named6.conf b/bin/tests/system/acl/ns2/named6.conf new file mode 100644 index 0000000000..1e384fb0d8 --- /dev/null +++ b/bin/tests/system/acl/ns2/named6.conf 
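Review bot: The statschannel.c hunk introduces a typo in the user-visible counter description ("recieved"), which will surface verbatim in statistics output; the line should be `SET_NSSTATDESC(ecsopt, "EDNS client subnet option received", "ECSOpt");`. The XML name "ECSOpt" is what statistics consumers key on, so it should stay as is while the description is corrected.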
@@ -0,0 +1,50 @@ +/* + * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +controls { /* empty */ }; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + ixfr-from-differences yes; + check-integrity no; + allow-query-on { 10.53.0.2; }; +}; + +include "../../common/controls.conf"; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "example" { + type master; + file "example.db"; +}; + +zone "tsigzone" { + type master; + file "tsigzone.db"; + allow-transfer { ecs 10.53/16; !10/8; }; +}; diff --git a/bin/tests/system/acl/ns2/named7.conf b/bin/tests/system/acl/ns2/named7.conf new file mode 100644 index 0000000000..1f1c9f333a --- /dev/null +++ b/bin/tests/system/acl/ns2/named7.conf 
@@ -0,0 +1,60 @@ +/* + * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +controls { /* empty */ }; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + ixfr-from-differences yes; + check-integrity no; + allow-query-on { 10.53.0.2; }; +}; + +include "../../common/controls.conf"; + +view one { + match-clients { ecs 192.0.2/24; }; + + zone "." { + type hint; + file "../../common/root.hint"; + }; + + zone "example" { + type master; + file "example.db"; + }; +}; + +view two { + zone "." { + type hint; + file "../../common/root.hint"; + }; + + zone "example" { + type master; + file "example.db"; + }; +}; diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh index b74c0c9f9f..27efd5cde8 100644 --- a/bin/tests/system/acl/tests.sh +++ b/bin/tests/system/acl/tests.sh 
@@ -150,5 +150,35 @@ $DIG +tcp soa example. \ @10.53.0.2 -b 10.53.0.3 -p 5300 > dig.out.${t} grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; } +echo "I:testing EDNS client-subnet ACL processing" +cp -f ns2/named6.conf ns2/named.conf +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' +sleep 5 + +# should fail +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 10.53.0.2 axfr -p 5300 > dig.out.${t} +grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; } + +# should succeed +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 10.53.0.2 +subnet="10.53.0/24" axfr -p 5300 > dig.out.${t} +grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; } + +echo "I:testing EDNS client-subnet response scope" +cp -f ns2/named7.conf ns2/named.conf +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' +sleep 5 + +t=`expr $t + 1` +$DIG example. soa @10.53.0.2 +subnet="10.53.0.1/32" -p 5300 > dig.out.${t} +grep "CLIENT-SUBNET.*10.53.0.1/32/0" dig.out.${t} > /dev/null || { echo "I:test $t failed" ; status=1; } + +t=`expr $t + 1` +$DIG example. soa @10.53.0.2 +subnet="192.0.2.128/32" -p 5300 > dig.out.${t} +grep "CLIENT-SUBNET.*192.0.2.128/32/24" dig.out.${t} > /dev/null || { echo "I:test $t failed" ; status=1; } + echo "I:exit status: $status" exit $status diff --git a/bin/tests/system/geoip/clean.sh b/bin/tests/system/geoip/clean.sh index 22d5e74466..6fa60e3e93 100644 --- a/bin/tests/system/geoip/clean.sh +++ b/bin/tests/system/geoip/clean.sh @@ -15,5 +15,5 @@ # PERFORMANCE OF THIS SOFTWARE. rm -f ns2/named.conf -rm -f ns2/example[1234567].db +rm -f ns2/example*.db rm -f dig.out.* rndc.out.* diff --git a/bin/tests/system/geoip/data/GeoIP.csv b/bin/tests/system/geoip/data/GeoIP.csv index f158a5b494..8e718540df 100644 --- a/bin/tests/system/geoip/data/GeoIP.csv +++ b/bin/tests/system/geoip/data/GeoIP.csv 
@@ -5,3 +5,4 @@ 10.53.0.5/32 CL 10.53.0.6/32 DE 10.53.0.7/32 EH +192.0.2/24 O1 diff --git a/bin/tests/system/geoip/data/GeoIP.dat b/bin/tests/system/geoip/data/GeoIP.dat index 027c1757c159e3a9d0e0dddae16689e8fa71bd28..345092f371209a4f2d02181be05eeb21c6440517 100644 GIT binary patch literal 385 zcmXxe$xcF15QO1EaRN~gMI1Q}2&kY4D!7BNVWICpA~CKs@y7S{CD@iHe{wfpsw;e6$iTqx|Nlg`)vEFg3ISuQ5FFGP!^Z~ diff --git a/bin/tests/system/geoip/data/README b/bin/tests/system/geoip/data/README index 47a6858f59..cea325b321 100644 --- a/bin/tests/system/geoip/data/README +++ b/bin/tests/system/geoip/data/README @@ -18,8 +18,8 @@ GeoIPDoain.dat: Domain Name GeoIPASNum.dat: AS Number GeoIPNetSpeed.dat: Net Speed -GeoIP.dat can also be generated using the open source 'geoip-csv-to-dat' -utility: +GeoIP.dat can also be egenerated using the open source 'geoip-csv-to-dat' +utility (also known in some packages as "geoip-generator"): $ geoip-csv-to-dat -i "BIND9 geoip test data v1" -o GeoIP.dat << EOF "10.53.0.1","10.53.0.1","171245569","171245569","AU","Australia" @@ -29,4 +29,5 @@ $ geoip-csv-to-dat -i "BIND9 geoip test data v1" -o GeoIP.dat << EOF "10.53.0.5","10.53.0.5","171245573","171245573","CL","Chile" "10.53.0.6","10.53.0.6","171245574","171245574","DE","Germany" "10.53.0.7","10.53.0.7","171245575","171245575","EH","Western Sahara" +"192.0.2.0","192.0.2.255","3221225984","3221226239","O1","Other" EOF diff --git a/bin/tests/system/geoip/ns2/named1.conf b/bin/tests/system/geoip/ns2/named1.conf index 367b5c7fa6..d9356c45e1 100644 --- a/bin/tests/system/geoip/ns2/named1.conf +++ b/bin/tests/system/geoip/ns2/named1.conf @@ -95,6 +95,14 @@ view seven { }; }; +view other { + match-clients { geoip db country country O1; }; + zone "example" { + type master; + file "exampleother.db"; + }; +}; + view none { match-clients { any; }; zone "example" { diff --git a/bin/tests/system/geoip/ns2/named14.conf b/bin/tests/system/geoip/ns2/named14.conf index f92d25216c..bce55dc0ef 100644 
--- a/bin/tests/system/geoip/ns2/named14.conf +++ b/bin/tests/system/geoip/ns2/named14.conf @@ -24,10 +24,11 @@ options { transfer-source 10.53.0.2; port 5300; pid-file "named.pid"; - listen-on { 10.53.0.2; }; + listen-on { 127.0.0.1; 10.53.0.2; }; listen-on-v6 { none; }; recursion no; geoip-directory "../data"; + geoip-use-ecs no; }; key rndc_key { @@ -107,6 +108,6 @@ view none { match-clients { any; }; zone "example" { type master; - file "example.db.in"; + file "examplebogus.db"; }; }; diff --git a/bin/tests/system/geoip/setup.sh b/bin/tests/system/geoip/setup.sh index 5de40eb6ef..2aaeaca15f 100644 --- a/bin/tests/system/geoip/setup.sh +++ b/bin/tests/system/geoip/setup.sh @@ -21,7 +21,7 @@ $SHELL clean.sh cp ns2/named1.conf ns2/named.conf -for i in 1 2 3 4 5 6 7; do +for i in 1 2 3 4 5 6 7 other bogus; do cp ns2/example.db.in ns2/example${i}.db echo "@ IN TXT \"$i\"" >> ns2/example$i.db done diff --git a/bin/tests/system/geoip/tests.sh b/bin/tests/system/geoip/tests.sh index 3e916aed31..19d05ce66f 100644 --- a/bin/tests/system/geoip/tests.sh +++ b/bin/tests/system/geoip/tests.sh 
@@ -38,6 +38,30 @@ done [ $ret -eq 0 ] || echo "I:failed" status=`expr $status + $ret` +n=`expr $n + 1` +echo "I:checking GeoIP country database by code (using client subnet) ($n)" +ret=0 +lret=0 +for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/0" > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break +done +[ $lret -eq 1 ] && ret=1 +[ $ret -eq 0 ] || echo "I:failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo "I:checking response scope using client subnet ($n)" +ret=0 +$DIG +tcp -p5300 @10.53.0.2 txt example -b 127.0.0.1 +subnet="10.53.0.1/32" > dig.out.ns2.test$n.1 || ret=1 +grep 'CLIENT-SUBNET.*10.53.0.1/32/32' dig.out.ns2.test$n.1 > /dev/null || ret=1 +$DIG +tcp -p5300 @10.53.0.2 txt example -b 127.0.0.1 +subnet="192.0.2.64/32" > dig.out.ns2.test$n.2 || ret=1 +grep 'CLIENT-SUBNET.*192.0.2.64/32/24' dig.out.ns2.test$n.2 > /dev/null || ret=1 +[ $ret -eq 0 ] || echo "I:failed" +status=`expr $status + $ret` + echo "I:reloading server" cp -f ns2/named2.conf ns2/named.conf $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' @@ -115,6 +139,21 @@ done [ $ret -eq 0 ] || echo "I:failed" status=`expr $status + $ret` +n=`expr $n + 1` +echo "I:checking GeoIP region database (using client subnet) ($n)" +ret=0 +lret=0 +for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break +done +[ $lret -eq 1 ] && ret=1 +[ $ret -eq 0 ] || echo "I:failed" +status=`expr $status + $ret` + + echo "I:reloading server" cp -f ns2/named6.conf ns2/named.conf $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' 
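Review bot: The first added loop in the geoip tests.sh hunk sends `+subnet="10.53.0.$i/0"`, while every other client-subnet loop added here uses a /32 prefix; a zero-length ECS prefix carries no address bits, and the ARM text added in this commit says GeoIP ACLs fall back to the source address in that case, so with `-b 127.0.0.1` the expectation `[ "$i" = "$j" ]` looks unlikely to exercise what the test name describes. If /32 was intended, the line should be `$DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1`; if /0 is deliberate, a comment saying which behaviour it pins would help.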
@@ -134,6 +173,20 @@ done [ $ret -eq 0 ] || echo "I:failed" status=`expr $status + $ret` +n=`expr $n + 1` +echo "I:checking GeoIP city database (using client subnet) ($n)" +ret=0 +lret=0 +for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break +done +[ $lret -eq 1 ] && ret=1 +[ $ret -eq 0 ] || echo "I:failed" +status=`expr $status + $ret` + echo "I:reloading server" cp -f ns2/named7.conf ns2/named.conf $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' @@ -153,6 +206,20 @@ done [ $ret -eq 0 ] || echo "I:failed" status=`expr $status + $ret` +n=`expr $n + 1` +echo "I:checking GeoIP isp database (using client subnet) ($n)" +ret=0 +lret=0 +for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break +done +[ $lret -eq 1 ] && ret=1 +[ $ret -eq 0 ] || echo "I:failed" +status=`expr $status + $ret` + echo "I:reloading server" cp -f ns2/named8.conf ns2/named.conf $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' @@ -172,6 +239,20 @@ done [ $ret -eq 0 ] || echo "I:failed" status=`expr $status + $ret` +n=`expr $n + 1` +echo "I:checking GeoIP org database (using client subnet) ($n)" +ret=0 +lret=0 +for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break +done +[ $lret -eq 1 ] && ret=1 +[ $ret -eq 0 ] || echo "I:failed" +status=`expr $status + $ret` + echo "I:reloading server" cp -f ns2/named9.conf ns2/named.conf $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' 
@@ -191,6 +272,20 @@ done [ $ret -eq 0 ] || echo "I:failed" status=`expr $status + $ret` +n=`expr $n + 1` +echo "I:checking GeoIP asnum database (using client subnet) ($n)" +ret=0 +lret=0 +for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break +done +[ $lret -eq 1 ] && ret=1 +[ $ret -eq 0 ] || echo "I:failed" +status=`expr $status + $ret` + echo "I:reloading server" cp -f ns2/named10.conf ns2/named.conf $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' @@ -210,6 +305,20 @@ done [ $ret -eq 0 ] || echo "I:failed" status=`expr $status + $ret` +n=`expr $n + 1` +echo "I:checking GeoIP domain database (using client subnet) ($n)" +ret=0 +lret=0 +for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break +done +[ $lret -eq 1 ] && ret=1 +[ $ret -eq 0 ] || echo "I:failed" +status=`expr $status + $ret` + echo "I:reloading server" cp -f ns2/named11.conf ns2/named.conf $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' @@ -248,6 +357,20 @@ done [ $ret -eq 0 ] || echo "I:failed" status=`expr $status + $ret` +n=`expr $n + 1` +echo "I:checking GeoIP netspeed database (using client subnet) ($n)" +ret=0 +lret=0 +for i in 1 2 3 4; do + $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break +done +[ $lret -eq 1 ] && ret=1 +[ $ret -eq 0 ] || echo "I:failed" +status=`expr $status + $ret` + echo "I:reloading server" cp -f ns2/named13.conf ns2/named.conf $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' 
@@ -280,5 +403,29 @@ done [ $ret -eq 0 ] || echo "I:failed" status=`expr $status + $ret` +echo "I:reloading server" +cp -f ns2/named14.conf ns2/named.conf +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' +sleep 3 + +n=`expr $n + 1` +echo "I:checking geoip-use-ecs ($n)" +ret=0 +lret=0 +for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break + + $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.ecs.$i || lret=1 + j=`cat dig.out.ns2.test$n.ecs.$i | tr -d '"'` + [ "$j" = "bogus" ] || lret=1 + [ $lret -eq 1 ] && break +done +[ $lret -eq 1 ] && ret=1 +[ $ret -eq 0 ] || echo "I:failed" +status=`expr $status + $ret` + echo "I:exit status: $status" exit $status diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index e0cf9264f4..8d34bf0b4f 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml 
@@ -3444,66 +3444,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. - - - When BIND 9 is built with GeoIP support, - ACLs can also be used for geographic access restrictions. - This is done by specifying an ACL element of the form: - geoip db database field value - - - The field indicates which field - to search for a match. Available fields are "country", - "region", "city", "continent", "postal" (postal code), - "metro" (metro code), "area" (area code), "tz" (timezone), - "isp", "org", "asnum", "domain" and "netspeed". - - - value is the value to search - for within the database. A string may be quoted if it - contains spaces or other special characters. If this is - an "asnum" search, then the leading "ASNNNN" string can be - used, otherwise the full description must be used (e.g. - "ASNNNN Example Company Name"). If this is a "country" - search and the string is two characters long, then it must - be a standard ISO-3166-1 two-letter country code, and if it - is three characters long then it must be an ISO-3166-1 - three-letter country code; otherwise it is the full name - of the country. Similarly, if this is a "region" search - and the string is two characters long, then it must be a - standard two-letter state or province abbreviation; - otherwise it is the full name of the state or province. - - - The database field indicates which - GeoIP database to search for a match. In most cases this is - unnecessary, because most search fields can only be found in - a single database. However, searches for country can be - answered from the "city", "region", or "country" databases, - and searches for region (i.e., state or province) can be - answered from the "city" or "region" databases. For these - search types, specifying a database - will force the query to be answered from that database and no - other. 
If database is not - specified, then these queries will be answered from the "city", - database if it is installed, or the "region" database if it is - installed, or the "country" database, in that order. - - - Some example GeoIP ACLs: - - geoip country US; -geoip country JAP; -geoip db country country Canada; -geoip db region region WA; -geoip city "San Francisco"; -geoip region Oklahoma; -geoip postal 95062; -geoip tz "America/Los_Angeles"; -geoip org "Internet Systems Consortium"; - - - <command>controls</command> Statement Grammar @@ -4858,6 +4798,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] allow-update { address_match_list }; allow-update-forwarding { address_match_list }; automatic-interface-scan { yes_or_no }; + geoip-use-ecs yes_or_no; update-check-ksk yes_or_no; dnssec-update-mode ( maintain | no-resign ); dnssec-dnskey-kskonly yes_or_no; @@ -6240,6 +6181,20 @@ options { + + geoip-use-ecs + + + When BIND is compiled with GeoIP support and configured + with "geoip" ACL elements, this option indicates whether + the EDNS Client Subnet option, if present in a request, + should be used for matching against the GeoIP database. + The default is + geoip-use-ecs yes. + + + + has-old-clients @@ -16188,11 +16143,11 @@ HOST-127.EXAMPLE. MX 0 . Access Control Lists Access Control Lists (ACLs) are address match lists that - you can set up and nickname for future use in allow-notify, - allow-query, allow-query-on, - allow-recursion, allow-recursion-on, + you can set up and nickname for future use in + allow-notify, allow-query, + allow-query-on, allow-recursion, blackhole, allow-transfer, - etc. + match-clients, etc. Using ACLs allows you to have finer control over who can access 
@@ -16202,11 +16157,19 @@ HOST-127.EXAMPLE. MX 0 . It is a good idea to use ACLs, and to control access to your server. Limiting access to your server by - outside parties can help prevent spoofing and denial of service (DoS) attacks against - your server. + outside parties can help prevent spoofing and denial of service + (DoS) attacks against your server. - Here is an example of how to properly apply ACLs: + ACLs match clients on the basis of up to three characteristics: + 1) The client's IP address; 2) the TSIG or SIG(0) key that was + used to sign the request, if any; and 3) an address prefix + encoded in an EDNS Client Subnet option, if any. + + + ACLs + + Here is an example of ACLs based on client addresses: 
@@ -16239,10 +16202,137 @@ zone "example.com" { - This allows recursive queries of the server from the outside - unless recursion has been previously disabled. + This allows authoritative queries for "example.com" from any + address, but recursive queries only from the networks specified + in "our-nets", and no queries at all from the networks + specified in "bogusnets". + + + In addition to network addresses and prefixes, which are + matched against the source address of the DNS request, ACLs + may include elements, which specify the + name of a TSIG or SIG(0) key, or + elements, which specify a network prefix but are only matched + if that prefix matches an EDNS client subnet option included + in the request. + + + The EDNS Client Subnet (ECS) option is used by a recursive + resolver to inform an authoritative name server of the network + address block from which the original query was received, enabling + authoritative servers to give different answers to the same + resolver for different resolver clients. An ACL containing + an element of the form + ecs prefix + will match if a request arrives in containing an ECS option + encoding an address within that prefix. If the request has no + ECS option, then "ecs" elements are simply ignored. Addresses + in ACLs that are not prefixed with "ecs" are matched only + against the source address. + + + When BIND 9 is built with GeoIP support, + ACLs can also be used for geographic access restrictions. + This is done by specifying an ACL element of the form: + geoip db database field value + + + The field indicates which field + to search for a match. Available fields are "country", + "region", "city", "continent", "postal" (postal code), + "metro" (metro code), "area" (area code), "tz" (timezone), + "isp", "org", "asnum", "domain" and "netspeed". + + + value is the value to search + for within the database. A string may be quoted if it + contains spaces or other special characters. 
If this is + an "asnum" search, then the leading "ASNNNN" string can be + used, otherwise the full description must be used (e.g. + "ASNNNN Example Company Name"). If this is a "country" + search and the string is two characters long, then it must + be a standard ISO-3166-1 two-letter country code, and if it + is three characters long then it must be an ISO-3166-1 + three-letter country code; otherwise it is the full name + of the country. Similarly, if this is a "region" search + and the string is two characters long, then it must be a + standard two-letter state or province abbreviation; + otherwise it is the full name of the state or province. + + + The database field indicates which + GeoIP database to search for a match. In most cases this is + unnecessary, because most search fields can only be found in + a single database. However, searches for country can be + answered from the "city", "region", or "country" databases, + and searches for region (i.e., state or province) can be + answered from the "city" or "region" databases. For these + search types, specifying a database + will force the query to be answered from that database and no + other. If database is not + specified, then these queries will be answered from the "city", + database if it is installed, or the "region" database if it is + installed, or the "country" database, in that order. + + + By default, if a DNS query includes an EDNS Client Subnet (ECS) + option which encodes a non-zero address prefix, then GeoIP ACLs + will be matched against that address prefix. Otherwise, they + are matched against the source address of the query. To + prevent GeoIP ACLs from matching against ECS options, set + the geoip-use-ecs to no. 
+ + + Some example GeoIP ACLs: + + geoip country US; +geoip country JAP; +geoip db country country Canada; +geoip db region region WA; +geoip city "San Francisco"; +geoip region Oklahoma; +geoip postal 95062; +geoip tz "America/Los_Angeles"; +geoip org "Internet Systems Consortium"; + + + + ACLs use a "first-match" logic rather than "best-match": + if an address prefix matches an ACL element, then that ACL + is considered to have matched even if a later element would + have matched more specifically. For example, the ACL + { 10/8; !10.0.0.1; } would actually + match a query from 10.0.0.1, because the first element + indicated that the query should be accepted, and the second + element is ignored. + + + When using "nested" ACLs (that is, ACLs included or referenced + within other ACLs), a negative match of a nested ACL will + the containing ACL to continue looking for matches. This + enables complex ACLs to be constructed, in which multiple + client characteristics can be checked at the same time. For + example, to construct an ACL which allows queries only when + it originates from a particular network and + only when it is signed with a particular key, use: + + +allow-query { !{ !10/8; any; }; key example; }; + + + Within the nested ACL, any address that is + not in the 10/8 network prefix will + be rejected, and this will terminate processing of the + ACL. Any address that is in the 10/8 + network prefix will be accepted, but this causes a negative + match of the nested ACL, so the containing ACL continues + processing. The query will then be accepted if it is signed + by the key "example", and rejected otherwise. The ACL, then, + will only matches when both conditions + are true. + <command>Chroot</command> and <command>Setuid</command> diff --git a/lib/dns/acl.c b/lib/dns/acl.c index 880fc3648e..11efa50e35 100644 --- a/lib/dns/acl.c +++ b/lib/dns/acl.c 
@@ -15,8 +15,6 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: acl.c,v 1.55 2011/06/17 23:47:49 tbox Exp $ */ - /*! \file */ #include @@ -194,10 +192,25 @@ dns_acl_match(const isc_netaddr_t *reqaddr, int *match, const dns_aclelement_t **matchelt) { - isc_uint16_t bitlen, family; + return (dns_acl_match2(reqaddr, reqsigner, NULL, 0, NULL, acl, env, + match, matchelt)); +} + +isc_result_t +dns_acl_match2(const isc_netaddr_t *reqaddr, + const dns_name_t *reqsigner, + const isc_netaddr_t *ecs, + isc_uint8_t ecslen, + isc_uint8_t *scope, + const dns_acl_t *acl, + const dns_aclenv_t *env, + int *match, + const dns_aclelement_t **matchelt) +{ + isc_uint16_t bitlen; isc_prefix_t pfx; isc_radix_node_t *node = NULL; - const isc_netaddr_t *addr; + const isc_netaddr_t *addr = reqaddr; isc_netaddr_t v4addr; isc_result_t result; int match_num = -1; @@ -205,20 +218,19 @@ dns_acl_match(const isc_netaddr_t *reqaddr, REQUIRE(reqaddr != NULL); REQUIRE(matchelt == NULL || *matchelt == NULL); + REQUIRE(ecs != NULL || scope == NULL); - if (env == NULL || env->match_mapped == ISC_FALSE || - reqaddr->family != AF_INET6 || - !IN6_IS_ADDR_V4MAPPED(&reqaddr->type.in6)) - addr = reqaddr; - else { - isc_netaddr_fromv4mapped(&v4addr, reqaddr); + if (env != NULL && env->match_mapped && + addr->family == AF_INET6 && + IN6_IS_ADDR_V4MAPPED(&addr->type.in6)) + { + isc_netaddr_fromv4mapped(&v4addr, addr); addr = &v4addr; } /* Always match with host addresses. */ - family = addr->family; - bitlen = family == AF_INET6 ? 128 : 32; - NETADDR_TO_PREFIX_T(addr, pfx, bitlen); + bitlen = (addr->family == AF_INET6) ? 128 : 32; + NETADDR_TO_PREFIX_T(addr, pfx, bitlen, ISC_FALSE); /* Assume no match. */ *match = 0; 
@@ -228,37 +240,75 @@ dns_acl_match(const isc_netaddr_t *reqaddr, /* Found a match. */ if (result == ISC_R_SUCCESS && node != NULL) { - match_num = node->node_num[ISC_IS6(family)]; - if (*(isc_boolean_t *) node->data[ISC_IS6(family)] == ISC_TRUE) + int off = ISC_RADIX_OFF(&pfx); + match_num = node->node_num[off]; + if (*(isc_boolean_t *) node->data[off]) *match = match_num; else *match = -match_num; } + isc_refcount_destroy(&pfx.refcount); + + /* + * If ecs is not NULL, we search the radix tree again to + * see if we find a better match on an ECS node + */ + if (ecs != NULL) { + node = NULL; + addr = ecs; + + if (env != NULL && env->match_mapped && + addr->family == AF_INET6 && + IN6_IS_ADDR_V4MAPPED(&addr->type.in6)) + { + isc_netaddr_fromv4mapped(&v4addr, addr); + addr = &v4addr; + } + + NETADDR_TO_PREFIX_T(addr, pfx, ecslen, ISC_TRUE); + + result = isc_radix_search(acl->iptable->radix, &node, &pfx); + if (result == ISC_R_SUCCESS && node != NULL) { + int off = ISC_RADIX_OFF(&pfx); + if (match_num == -1 || + node->node_num[off] < match_num) + { + match_num = node->node_num[off]; + if (scope != NULL) + *scope = node->bit; + if (*(isc_boolean_t *) node->data[off]) + *match = match_num; + else + *match = -match_num; + } + } + + isc_refcount_destroy(&pfx.refcount); + } + /* Now search non-radix elements for a match with a lower node_num. */ for (i = 0; i < acl->length; i++) { dns_aclelement_t *e = &acl->elements[i]; /* Already found a better match? 
*/ if (match_num != -1 && match_num < e->node_num) { - isc_refcount_destroy(&pfx.refcount); - return (ISC_R_SUCCESS); + break; } - if (dns_aclelement_match(reqaddr, reqsigner, - e, env, matchelt)) { + if (dns_aclelement_match2(reqaddr, reqsigner, ecs, ecslen, + scope, e, env, matchelt)) + { if (match_num == -1 || e->node_num < match_num) { - if (e->negative == ISC_TRUE) + if (e->negative) *match = -e->node_num; else *match = e->node_num; } - isc_refcount_destroy(&pfx.refcount); - return (ISC_R_SUCCESS); + break; } } - isc_refcount_destroy(&pfx.refcount); return (ISC_R_SUCCESS); } @@ -349,7 +399,7 @@ dns_acl_merge(dns_acl_t *dest, dns_acl_t *source, isc_boolean_t pos) #endif /* reverse sense of positives if this is a negative acl */ - if (!pos && source->elements[i].negative == ISC_FALSE) { + if (!pos && !source->elements[i].negative) { dest->elements[nelem + i].negative = ISC_TRUE; } else { dest->elements[nelem + i].negative = @@ -386,10 +436,29 @@ dns_aclelement_match(const isc_netaddr_t *reqaddr, const dns_aclelement_t *e, const dns_aclenv_t *env, const dns_aclelement_t **matchelt) +{ + return (dns_aclelement_match2(reqaddr, reqsigner, NULL, 0, NULL, + e, env, matchelt)); +} + +isc_boolean_t +dns_aclelement_match2(const isc_netaddr_t *reqaddr, + const dns_name_t *reqsigner, + const isc_netaddr_t *ecs, + isc_uint8_t ecslen, + isc_uint8_t *scope, + const dns_aclelement_t *e, + const dns_aclenv_t *env, + const dns_aclelement_t **matchelt) { dns_acl_t *inner = NULL; int indirectmatch; isc_result_t result; +#ifdef HAVE_GEOIP + const isc_netaddr_t *addr = NULL; +#endif + + REQUIRE(ecs != NULL || scope == NULL); switch (e->type) { case dns_aclelementtype_keyname: 
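Review bot: In the ECS branch of dns_acl_match2, when match_mapped rewrites a v4-mapped `ecs` into `v4addr`, `ecslen` is still the prefix length of the 128-bit form, so `NETADDR_TO_PREFIX_T(addr, pfx, ecslen, ISC_TRUE)` builds an IPv4 prefix with an IPv6 length and the `*scope = node->bit` reported back is in the wrong address width; the mapped case needs `ecslen = (ecslen > 96) ? ecslen - 96 : 0;` next to `addr = &v4addr;`. Nothing in this hunk bounds `ecslen`, which the acl.h comment in this diff says comes from the EDNS client subnet option, to the address width; if the option parser does not already reject oversized values, clamp it here (`ecslen = ISC_MIN(ecslen, (addr->family == AF_INET6) ? 128 : 32);`) rather than letting isc_radix_search read past the address bytes. `*scope` is written only when the ECS node wins, so a caller whose request is decided by the plain client-address match gets whatever was in its variable; either set it to 0 up front when `scope != NULL` or state in the dns_acl_match2 comment in acl.h (same series) that `*scope` is untouched unless the ECS prefix matched. dns_acl_match2's signature and the first radix lookup are in the preceding hunk.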
@@ -421,15 +490,17 @@ dns_aclelement_match(const isc_netaddr_t *reqaddr, case dns_aclelementtype_geoip: if (env == NULL || env->geoip == NULL) return (ISC_FALSE); - return (dns_geoip_match(reqaddr, env->geoip, &e->geoip_elem)); + addr = (env->geoip_use_ecs && ecs != NULL) ? ecs : reqaddr; + return (dns_geoip_match(addr, scope, env->geoip, + &e->geoip_elem)); #endif default: /* Should be impossible. */ INSIST(0); } - result = dns_acl_match(reqaddr, reqsigner, inner, env, - &indirectmatch, matchelt); + result = dns_acl_match2(reqaddr, reqsigner, ecs, ecslen, scope, + inner, env, &indirectmatch, matchelt); INSIST(result == ISC_R_SUCCESS); /* @@ -438,7 +509,6 @@ dns_aclelement_match(const isc_netaddr_t *reqaddr, * surprise positive match through double negation. * XXXDCL this should be documented. */ - if (indirectmatch > 0) { if (matchelt != NULL) *matchelt = e; @@ -449,7 +519,6 @@ dns_aclelement_match(const isc_netaddr_t *reqaddr, * A negative indirect match may have set *matchelt, but we don't * want it set when we return. */ - if (matchelt != NULL) *matchelt = NULL; @@ -519,17 +588,15 @@ initialize_action(void) { */ static void is_insecure(isc_prefix_t *prefix, void **data) { - isc_boolean_t secure; - int bitlen, family; + int bitlen, family, off; bitlen = prefix->bitlen; family = prefix->family; /* Negated entries are always secure. */ - secure = * (isc_boolean_t *)data[ISC_IS6(family)]; - if (!secure) { + off = ISC_RADIX_OFF(prefix); + if (data[off] != NULL && * (isc_boolean_t *) data[off]) return; - } /* If loopback prefix found, return */ switch (family) { @@ -628,6 +695,7 @@ dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env) { env->match_mapped = ISC_FALSE; #ifdef HAVE_GEOIP env->geoip = NULL; + env->geoip_use_ecs = ISC_FALSE; #endif return (ISC_R_SUCCESS); 
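Review bot: In the dns_aclelementtype_geoip case, `scope` is passed to dns_geoip_match even when `addr` was set to `reqaddr` because `env->geoip_use_ecs` is off, so `*scope` receives the GeoIP netmask of the client address although the decision never looked at the ECS prefix; that value then surfaces as the ECS scope through dns_acl_match2. Passing the scope only when the lookup really is on the ECS address keeps the two in step: `return (dns_geoip_match(addr, (addr == ecs) ? scope : NULL, env->geoip, &e->geoip_elem));`. dns_aclelement_match2's signature and its REQUIRE are in the previous hunk, and the switch continues past this one.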
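Review bot: The rewritten test in is_insecure is inverted relative to the code it replaces: the removed lines returned on `!secure`, i.e. when the entry's data was ISC_FALSE (a negated entry, as the comment above it says), whereas `if (data[off] != NULL && * (isc_boolean_t *) data[off]) return;` returns on a positive entry and lets negated ones fall through to the loopback checks that follow outside the hunk. Unless the intent changed along with the four-slot layout (nothing in the diff says so), the condition wants negating: `if (data[off] == NULL || !* (isc_boolean_t *) data[off]) return;`, which also keeps the NULL-slot guard the old code lacked. Because only the slot selected by the node's stored prefix is examined, a positive entry held in another slot of the same node (other family, or the client-subnet slot) would presumably still go unseen; worth a comment, or a check of all four slots, if that case can arise. The remainder of is_insecure is outside the hunk.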
@@ -644,6 +712,9 @@ dns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s) { dns_acl_detach(&t->localnets); dns_acl_attach(s->localnets, &t->localnets); t->match_mapped = s->match_mapped; +#ifdef HAVE_GEOIP + t->geoip_use_ecs = s->geoip_use_ecs; +#endif } void diff --git a/lib/dns/geoip.c b/lib/dns/geoip.c index ec6beb7acb..e375e33819 100644 --- a/lib/dns/geoip.c +++ b/lib/dns/geoip.c @@ -72,6 +72,7 @@ typedef struct geoip_state { unsigned int family; isc_uint32_t ipnum; geoipv6_t ipnum6; + isc_uint8_t scope; GeoIPRecord *record; GeoIPRegion *region; const char *text; @@ -157,7 +158,7 @@ clean_state(geoip_state_t *state) { static isc_result_t set_state(unsigned int family, isc_uint32_t ipnum, const geoipv6_t *ipnum6, - dns_geoip_subtype_t subtype, GeoIPRecord *record, + isc_uint8_t scope, dns_geoip_subtype_t subtype, GeoIPRecord *record, GeoIPRegion *region, char *name, const char *text, int id) { isc_result_t result; @@ -198,6 +199,7 @@ set_state(unsigned int family, isc_uint32_t ipnum, const geoipv6_t *ipnum6, state->family = family; state->subtype = subtype; + state->scope = scope; state->record = record; state->region = region; state->name = name; @@ -232,10 +234,12 @@ get_state(void) { static const char * country_lookup(GeoIP *db, dns_geoip_subtype_t subtype, unsigned int family, - isc_uint32_t ipnum, const geoipv6_t *ipnum6) + isc_uint32_t ipnum, const geoipv6_t *ipnum6, + isc_uint8_t *scope) { geoip_state_t *prev_state = NULL; const char *text = NULL; + GeoIPLookup gl; REQUIRE(db != NULL); 
@@ -253,42 +257,55 @@ country_lookup(GeoIP *db, dns_geoip_subtype_t subtype, ((prev_state->family == AF_INET && prev_state->ipnum == ipnum) || (prev_state->family == AF_INET6 && ipnum6 != NULL && memcmp(prev_state->ipnum6.s6_addr, ipnum6->s6_addr, 16) == 0))) + { text = prev_state->text; + if (scope != NULL) + *scope = prev_state->scope; + } if (text == NULL) { switch (subtype) { case dns_geoip_country_code: if (family == AF_INET) - text = GeoIP_country_code_by_ipnum(db, ipnum); + text = GeoIP_country_code_by_ipnum_gl(db, + ipnum, &gl); #ifdef HAVE_GEOIP_V6 else - text = GeoIP_country_code_by_ipnum_v6(db, - *ipnum6); + text = GeoIP_country_code_by_ipnum_v6_gl(db, + *ipnum6, &gl); #endif break; case dns_geoip_country_code3: if (family == AF_INET) - text = GeoIP_country_code3_by_ipnum(db, ipnum); + text = GeoIP_country_code3_by_ipnum_gl(db, + ipnum, &gl); #ifdef HAVE_GEOIP_V6 else - text = GeoIP_country_code3_by_ipnum_v6(db, - *ipnum6); + text = GeoIP_country_code3_by_ipnum_v6_gl(db, + *ipnum6, &gl); #endif break; case dns_geoip_country_name: if (family == AF_INET) - text = GeoIP_country_name_by_ipnum(db, ipnum); + text = GeoIP_country_name_by_ipnum_gl(db, + ipnum, &gl); #ifdef HAVE_GEOIP_V6 else - text = GeoIP_country_name_by_ipnum_v6(db, - *ipnum6); + text = GeoIP_country_name_by_ipnum_v6_gl(db, + *ipnum6, &gl); #endif break; default: INSIST(0); } - set_state(family, ipnum, ipnum6, subtype, + if (text == NULL) + return (NULL); + + if (scope != NULL) + *scope = gl.netmask; + + set_state(family, ipnum, ipnum6, gl.netmask, subtype, NULL, NULL, NULL, text, 0); } @@ -377,7 +394,9 @@ is_city(dns_geoip_subtype_t subtype) { */ static GeoIPRecord * city_lookup(GeoIP *db, dns_geoip_subtype_t subtype, - unsigned int family, isc_uint32_t ipnum, const geoipv6_t *ipnum6) + unsigned int family, isc_uint32_t ipnum, + const geoipv6_t *ipnum6, + isc_uint8_t *scope) { GeoIPRecord *record = NULL; geoip_state_t *prev_state = NULL; 
@@ -397,7 +416,11 @@ city_lookup(GeoIP *db, dns_geoip_subtype_t subtype, ((prev_state->family == AF_INET && prev_state->ipnum == ipnum) || (prev_state->family == AF_INET6 && memcmp(prev_state->ipnum6.s6_addr, ipnum6->s6_addr, 16) == 0))) + { record = prev_state->record; + if (scope != NULL) + *scope = record->netmask; + } if (record == NULL) { if (family == AF_INET) @@ -409,15 +432,17 @@ city_lookup(GeoIP *db, dns_geoip_subtype_t subtype, if (record == NULL) return (NULL); - set_state(family, ipnum, ipnum6, subtype, + if (scope != NULL) + *scope = record->netmask; + + set_state(family, ipnum, ipnum6, record->netmask, subtype, record, NULL, NULL, NULL, 0); } return (record); } -static char * -region_string(GeoIPRegion *region, dns_geoip_subtype_t subtype, int *maxlen) { +static char * region_string(GeoIPRegion *region, dns_geoip_subtype_t subtype, int *maxlen) { const char *s; char *deconst; @@ -459,9 +484,12 @@ is_region(dns_geoip_subtype_t subtype) { * outside the Region database. */ static GeoIPRegion * -region_lookup(GeoIP *db, dns_geoip_subtype_t subtype, isc_uint32_t ipnum) { +region_lookup(GeoIP *db, dns_geoip_subtype_t subtype, + isc_uint32_t ipnum, isc_uint8_t *scope) +{ GeoIPRegion *region = NULL; geoip_state_t *prev_state = NULL; + GeoIPLookup gl; REQUIRE(db != NULL); @@ -469,14 +497,21 @@ region_lookup(GeoIP *db, dns_geoip_subtype_t subtype, isc_uint32_t ipnum) { if (prev_state != NULL && prev_state->ipnum == ipnum && is_region(prev_state->subtype)) + { region = prev_state->region; + if (scope != NULL) + *scope = prev_state->scope; + } if (region == NULL) { - region = GeoIP_region_by_ipnum(db, ipnum); + region = GeoIP_region_by_ipnum_gl(db, ipnum, &gl); if (region == NULL) return (NULL); - set_state(AF_INET, ipnum, NULL, + if (scope != NULL) + *scope = gl.netmask; + + set_state(AF_INET, ipnum, NULL, gl.netmask, subtype, NULL, region, NULL, NULL, 0); } 
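Review bot: `static char * region_string(GeoIPRegion *region, dns_geoip_subtype_t subtype, int *maxlen) {` folds the return type onto the signature line, which the file otherwise avoids (region_lookup and name_lookup in the same diff keep `static GeoIPRegion *` / `static char *` on their own line) and reads as an accidental edit; restore the previous two-line form. In city_lookup's cached branch the scope is read from `record->netmask` while every other lookup reads `prev_state->scope`; set_state stores `record->netmask` into that field, so the values agree, but `*scope = prev_state->scope;` would keep the five lookups uniform. Both functions continue outside the hunks shown.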
@@ -489,9 +524,12 @@ region_lookup(GeoIP *db, dns_geoip_subtype_t subtype, isc_uint32_t ipnum) { * or was for a search of a different subtype. */ static char * -name_lookup(GeoIP *db, dns_geoip_subtype_t subtype, isc_uint32_t ipnum) { +name_lookup(GeoIP *db, dns_geoip_subtype_t subtype, + isc_uint32_t ipnum, isc_uint8_t *scope) +{ char *name = NULL; geoip_state_t *prev_state = NULL; + GeoIPLookup gl; REQUIRE(db != NULL); @@ -499,14 +537,21 @@ name_lookup(GeoIP *db, dns_geoip_subtype_t subtype, isc_uint32_t ipnum) { if (prev_state != NULL && prev_state->ipnum == ipnum && prev_state->subtype == subtype) + { name = prev_state->name; + if (scope != NULL) + *scope = prev_state->scope; + } if (name == NULL) { - name = GeoIP_name_by_ipnum(db, ipnum); + name = GeoIP_name_by_ipnum_gl(db, ipnum, &gl); if (name == NULL) return (NULL); - set_state(AF_INET, ipnum, NULL, + if (scope != NULL) + *scope = gl.netmask; + + set_state(AF_INET, ipnum, NULL, gl.netmask, subtype, NULL, NULL, name, NULL, 0); } @@ -519,9 +564,12 @@ name_lookup(GeoIP *db, dns_geoip_subtype_t subtype, isc_uint32_t ipnum) { * different subtype. */ static int -netspeed_lookup(GeoIP *db, dns_geoip_subtype_t subtype, isc_uint32_t ipnum) { +netspeed_lookup(GeoIP *db, dns_geoip_subtype_t subtype, + isc_uint32_t ipnum, isc_uint8_t *scope) +{ geoip_state_t *prev_state = NULL; isc_boolean_t found = ISC_FALSE; + GeoIPLookup gl; int id = -1; REQUIRE(db != NULL); 
@@ -531,12 +579,20 @@ netspeed_lookup(GeoIP *db, dns_geoip_subtype_t subtype, isc_uint32_t ipnum) { if (prev_state != NULL && prev_state->ipnum == ipnum && prev_state->subtype == subtype) { id = prev_state->id; + if (scope != NULL) + *scope = prev_state->scope; found = ISC_TRUE; } if (!found) { - id = GeoIP_id_by_ipnum(db, ipnum); - set_state(AF_INET, ipnum, NULL, + id = GeoIP_id_by_ipnum_gl(db, ipnum, &gl); + if (id == 0) + return (0); + + if (scope != NULL) + *scope = gl.netmask; + + set_state(AF_INET, ipnum, NULL, gl.netmask, subtype, NULL, NULL, NULL, NULL, id); } @@ -599,7 +655,7 @@ fix_subtype(const isc_netaddr_t *reqaddr, const dns_geoip_databases_t *geoip, #endif /* HAVE_GEOIP */ isc_boolean_t -dns_geoip_match(const isc_netaddr_t *reqaddr, +dns_geoip_match(const isc_netaddr_t *reqaddr, isc_uint8_t *scope, const dns_geoip_databases_t *geoip, const dns_geoip_elem_t *elt) { @@ -662,7 +718,7 @@ dns_geoip_match(const isc_netaddr_t *reqaddr, INSIST(elt->as_string != NULL); - cs = country_lookup(db, subtype, family, ipnum, ipnum6); + cs = country_lookup(db, subtype, family, ipnum, ipnum6, scope); if (cs != NULL && strncasecmp(elt->as_string, cs, maxlen) == 0) return (ISC_TRUE); break; @@ -682,7 +738,8 @@ dns_geoip_match(const isc_netaddr_t *reqaddr, if (db == NULL) return (ISC_FALSE); - record = city_lookup(db, subtype, family, ipnum, ipnum6); + record = city_lookup(db, subtype, family, + ipnum, ipnum6, scope); if (record == NULL) break; @@ -697,7 +754,8 @@ dns_geoip_match(const isc_netaddr_t *reqaddr, if (db == NULL) return (ISC_FALSE); - record = city_lookup(db, subtype, family, ipnum, ipnum6); + record = city_lookup(db, subtype, family, + ipnum, ipnum6, scope); if (record == NULL) break; @@ -710,7 +768,8 @@ dns_geoip_match(const isc_netaddr_t *reqaddr, if (db == NULL) return (ISC_FALSE); - record = city_lookup(db, subtype, family, ipnum, ipnum6); + record = city_lookup(db, subtype, family, + ipnum, ipnum6, scope); if (record == NULL) break; 
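Review bot: netspeed_lookup's new `if (id == 0) return (0);` leaves before `*scope` is assigned, yet dns_geoip_match (later in this diff) still reports a match when the returned 0 equals `elt->as_int`, and the netspeed test in this series expects 10.53.0.1 to match id 0, so that path yields a positive match with `*scope` unset. It also skips set_state, making an id of 0 the one GeoIP result that is never cached. If GeoIP_id_by_ipnum_gl fills `gl` for a 0 result, moving `if (scope != NULL) *scope = gl.netmask;` ahead of the early return fixes the scope; otherwise drop the early return and cache the 0 id like the other lookups do, or stop treating 0 as a valid id in dns_geoip_match. The function's tail is outside the hunk.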
@@ -731,7 +790,7 @@ dns_geoip_match(const isc_netaddr_t *reqaddr, if (family == AF_INET6) return (ISC_FALSE); - region = region_lookup(geoip->region, subtype, ipnum); + region = region_lookup(geoip->region, subtype, ipnum, scope); if (region == NULL) break; @@ -765,7 +824,7 @@ dns_geoip_match(const isc_netaddr_t *reqaddr, if (family == AF_INET6) return (ISC_FALSE); - s = name_lookup(db, subtype, ipnum); + s = name_lookup(db, subtype, ipnum, scope); if (s != NULL) { size_t l; if (strcasecmp(elt->as_string, s) == 0) @@ -790,7 +849,7 @@ dns_geoip_match(const isc_netaddr_t *reqaddr, if (family == AF_INET6) return (ISC_FALSE); - id = netspeed_lookup(geoip->netspeed, subtype, ipnum); + id = netspeed_lookup(geoip->netspeed, subtype, ipnum, scope); if (id == elt->as_int) return (ISC_TRUE); break; diff --git a/lib/dns/include/dns/acl.h b/lib/dns/include/dns/acl.h index ebcc6c7910..d44af1ec7d 100644 --- a/lib/dns/include/dns/acl.h +++ b/lib/dns/include/dns/acl.h @@ -103,6 +103,7 @@ struct dns_aclenv { isc_boolean_t match_mapped; #ifdef HAVE_GEOIP dns_geoip_databases_t *geoip; + isc_boolean_t geoip_use_ecs; #endif }; 
@@ -212,12 +213,28 @@ dns_acl_match(const isc_netaddr_t *reqaddr, const dns_aclenv_t *env, int *match, const dns_aclelement_t **matchelt); + +isc_result_t +dns_acl_match2(const isc_netaddr_t *reqaddr, + const dns_name_t *reqsigner, + const isc_netaddr_t *ecs, + isc_uint8_t ecslen, + isc_uint8_t *scope, + const dns_acl_t *acl, + const dns_aclenv_t *env, + int *match, + const dns_aclelement_t **matchelt); /*%< * General, low-level ACL matching. This is expected to * be useful even for weird stuff like the topology and sortlist statements. * * Match the address 'reqaddr', and optionally the key name 'reqsigner', - * against 'acl'. 'reqsigner' may be NULL. + * and optionally the client prefix 'ecs' of length 'ecslen' + * (reported via EDNS client subnet option) against 'acl'. + * + * 'reqsigner' and 'ecs' may be NULL. If an ACL matches against 'ecs' + * and 'ecslen', then 'scope' will be set to indicate the netmask that + * matched. * * If there is a match, '*match' will be set to an integer whose absolute * value corresponds to the order in which the matching value was inserted @@ -244,6 +261,16 @@ dns_aclelement_match(const isc_netaddr_t *reqaddr, const dns_aclelement_t *e, const dns_aclenv_t *env, const dns_aclelement_t **matchelt); + +isc_boolean_t +dns_aclelement_match2(const isc_netaddr_t *reqaddr, + const dns_name_t *reqsigner, + const isc_netaddr_t *ecs, + isc_uint8_t ecslen, + isc_uint8_t *scope, + const dns_aclelement_t *e, + const dns_aclenv_t *env, + const dns_aclelement_t **matchelt); /*%< * Like dns_acl_match, but matches against the single ACL element 'e' * rather than a complete ACL, and returns ISC_TRUE iff it matched. diff --git a/lib/dns/include/dns/geoip.h b/lib/dns/include/dns/geoip.h index 35a4036a12..a656783223 100644 --- a/lib/dns/include/dns/geoip.h +++ b/lib/dns/include/dns/geoip.h 
@@ -108,7 +108,7 @@ typedef struct dns_geoip_databases { ISC_LANG_BEGINDECLS isc_boolean_t -dns_geoip_match(const isc_netaddr_t *reqaddr, +dns_geoip_match(const isc_netaddr_t *reqaddr, isc_uint8_t *scope, const dns_geoip_databases_t *geoip, const dns_geoip_elem_t *elt); diff --git a/lib/dns/include/dns/iptable.h b/lib/dns/include/dns/iptable.h index 2ce8e18124..512e73da06 100644 --- a/lib/dns/include/dns/iptable.h +++ b/lib/dns/include/dns/iptable.h @@ -51,6 +51,10 @@ dns_iptable_create(isc_mem_t *mctx, dns_iptable_t **target); isc_result_t dns_iptable_addprefix(dns_iptable_t *tab, isc_netaddr_t *addr, isc_uint16_t bitlen, isc_boolean_t pos); +isc_result_t +dns_iptable_addprefix2(dns_iptable_t *tab, isc_netaddr_t *addr, + isc_uint16_t bitlen, isc_boolean_t pos, + isc_boolean_t is_ecs); /* * Add an IP prefix to an existing IP table */ diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h index de121c764d..183ecec755 100644 --- a/lib/dns/include/dns/message.h +++ b/lib/dns/include/dns/message.h @@ -112,7 +112,7 @@ #define DNS_OPT_SIT 65001 /*%< SIT opt code */ /*%< The number of EDNS options we know about. */ -#define DNS_EDNSOPTIONS 4 +#define DNS_EDNSOPTIONS 5 #define DNS_MESSAGE_REPLYPRESERVE (DNS_MESSAGEFLAG_RD|DNS_MESSAGEFLAG_CD) #define DNS_MESSAGEEXTFLAG_REPLYPRESERVE (DNS_MESSAGEEXTFLAG_DO) diff --git a/lib/dns/iptable.c b/lib/dns/iptable.c index 701950533c..9413774947 100644 --- a/lib/dns/iptable.c +++ b/lib/dns/iptable.c @@ -14,8 +14,6 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: iptable.c,v 1.15 2009/02/18 23:47:48 tbox Exp $ */ - #include #include 
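Review bot: The comment under dns_iptable_addprefix2, `Add an IP prefix to an existing IP table`, was written for the original function and says nothing about `is_ecs`, which is the only difference between the two; from the iptable.c and radix.h hunks it selects the node's client-subnet data slot via ISC_RADIX_OFF. A line such as `is_ecs: ISC_TRUE stores the prefix in the node's client-subnet slot so it is matched against EDNS client subnet addresses rather than client addresses` would cover it.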
@@ -63,16 +61,24 @@ isc_boolean_t dns_iptable_pos = ISC_TRUE; isc_result_t dns_iptable_addprefix(dns_iptable_t *tab, isc_netaddr_t *addr, isc_uint16_t bitlen, isc_boolean_t pos) +{ + return(dns_iptable_addprefix2(tab, addr, bitlen, pos, ISC_FALSE)); +} + +isc_result_t +dns_iptable_addprefix2(dns_iptable_t *tab, isc_netaddr_t *addr, + isc_uint16_t bitlen, isc_boolean_t pos, + isc_boolean_t is_ecs) { isc_result_t result; isc_prefix_t pfx; isc_radix_node_t *node = NULL; - int family; + int i; INSIST(DNS_IPTABLE_VALID(tab)); INSIST(tab->radix); - NETADDR_TO_PREFIX_T(addr, pfx, bitlen); + NETADDR_TO_PREFIX_T(addr, pfx, bitlen, is_ecs); result = isc_radix_insert(tab->radix, &node, NULL, &pfx); if (result != ISC_R_SUCCESS) { @@ -81,28 +87,20 @@ dns_iptable_addprefix(dns_iptable_t *tab, isc_netaddr_t *addr, } /* If a node already contains data, don't overwrite it */ - family = pfx.family; - if (family == AF_UNSPEC) { + if (pfx.family == AF_UNSPEC) { /* "any" or "none" */ INSIST(pfx.bitlen == 0); - if (pos) { - if (node->data[0] == NULL) - node->data[0] = &dns_iptable_pos; - if (node->data[1] == NULL) - node->data[1] = &dns_iptable_pos; - } else { - if (node->data[0] == NULL) - node->data[0] = &dns_iptable_neg; - if (node->data[1] == NULL) - node->data[1] = &dns_iptable_neg; + for (i = 0; i < 4; i++) { + if (node->data[i] == NULL) + node->data[i] = pos ? &dns_iptable_pos + : &dns_iptable_neg; } } else { /* any other prefix */ - if (node->data[ISC_IS6(family)] == NULL) { - if (pos) - node->data[ISC_IS6(family)] = &dns_iptable_pos; - else - node->data[ISC_IS6(family)] = &dns_iptable_neg; + int offset = ISC_RADIX_OFF(&pfx); + if (node->data[offset] == NULL) { + node->data[offset] = pos ? &dns_iptable_pos + : &dns_iptable_neg; } } 
@@ -118,7 +116,7 @@ dns_iptable_merge(dns_iptable_t *tab, dns_iptable_t *source, isc_boolean_t pos) { isc_result_t result; isc_radix_node_t *node, *new_node; - int max_node = 0; + int i, max_node = 0; RADIX_WALK (source->radix->head, node) { new_node = NULL; @@ -135,20 +133,15 @@ dns_iptable_merge(dns_iptable_t *tab, dns_iptable_t *source, isc_boolean_t pos) * could be a security risk. To prevent this, we * just leave the negative nodes negative. */ - if (!pos) { - if (node->data[0] && - *(isc_boolean_t *) node->data[0] == ISC_TRUE) - new_node->data[0] = &dns_iptable_neg; - - if (node->data[1] && - *(isc_boolean_t *) node->data[1] == ISC_TRUE) - new_node->data[1] = &dns_iptable_neg; + for (i = 0; i < 4; i++) { + if (!pos) { + if (node->data[i] && + *(isc_boolean_t *) node->data[i]) + new_node->data[i] = &dns_iptable_neg; + } + if (node->node_num[i] > max_node) + max_node = node->node_num[i]; } - - if (node->node_num[0] > max_node) - max_node = node->node_num[0]; - if (node->node_num[1] > max_node) - max_node = node->node_num[1]; } RADIX_WALK_END; tab->radix->num_added_node += max_node; diff --git a/lib/dns/message.c b/lib/dns/message.c index 88c9239eb6..06b9068dd4 100644 --- a/lib/dns/message.c +++ b/lib/dns/message.c @@ -15,8 +15,6 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id$ */ - /*! \file */ /*** diff --git a/lib/dns/tests/geoip_test.c b/lib/dns/tests/geoip_test.c index a39ba727b4..60994d2ce9 100644 --- a/lib/dns/tests/geoip_test.c +++ b/lib/dns/tests/geoip_test.c @@ -136,8 +136,8 @@ load_geoip(const char *dir) { } static isc_boolean_t -do_lookup_string(const char *addr, dns_geoip_subtype_t subtype, - const char *string) +do_lookup_string(const char *addr, isc_uint8_t *scope, + dns_geoip_subtype_t subtype, const char *string) { dns_geoip_elem_t elt; struct in_addr in4; 
@@ -149,12 +149,12 @@ do_lookup_string(const char *addr, dns_geoip_subtype_t subtype, elt.subtype = subtype; strcpy(elt.as_string, string); - return (dns_geoip_match(&na, &geoip, &elt)); + return (dns_geoip_match(&na, scope, &geoip, &elt)); } static isc_boolean_t -do_lookup_string_v6(const char *addr, dns_geoip_subtype_t subtype, - const char *string) +do_lookup_string_v6(const char *addr, isc_uint8_t *scope, + dns_geoip_subtype_t subtype, const char *string) { dns_geoip_elem_t elt; struct in6_addr in6; @@ -166,11 +166,13 @@ do_lookup_string_v6(const char *addr, dns_geoip_subtype_t subtype, elt.subtype = subtype; strcpy(elt.as_string, string); - return (dns_geoip_match(&na, &geoip, &elt)); + return (dns_geoip_match(&na, scope, &geoip, &elt)); } static isc_boolean_t -do_lookup_int(const char *addr, dns_geoip_subtype_t subtype, int id) { +do_lookup_int(const char *addr, isc_uint8_t *scope, + dns_geoip_subtype_t subtype, int id) +{ dns_geoip_elem_t elt; struct in_addr in4; isc_netaddr_t na; @@ -181,7 +183,7 @@ do_lookup_int(const char *addr, dns_geoip_subtype_t subtype, int id) { elt.subtype = subtype; elt.as_int = id; - return (dns_geoip_match(&na, &geoip, &elt)); + return (dns_geoip_match(&na, scope, &geoip, &elt)); } /* @@ -196,6 +198,7 @@ ATF_TC_HEAD(country, tc) { ATF_TC_BODY(country, tc) { isc_result_t result; isc_boolean_t match; + isc_uint8_t scope; UNUSED(tc); 
@@ -210,16 +213,30 @@ ATF_TC_BODY(country, tc) { atf_tc_skip("Database not available"); } - match = do_lookup_string("10.53.0.1", dns_geoip_country_code, "AU"); + match = do_lookup_string("10.53.0.1", &scope, + dns_geoip_country_code, "AU"); ATF_CHECK(match); + ATF_CHECK_EQ(scope, 32); - match = do_lookup_string("10.53.0.1", + match = do_lookup_string("10.53.0.1", &scope, dns_geoip_country_code3, "AUS"); ATF_CHECK(match); + ATF_CHECK_EQ(scope, 32); - match = do_lookup_string("10.53.0.1", + match = do_lookup_string("10.53.0.1", &scope, dns_geoip_country_name, "Australia"); ATF_CHECK(match); + ATF_CHECK_EQ(scope, 32); + + match = do_lookup_string("192.0.2.128", &scope, + dns_geoip_country_code, "O1"); + ATF_CHECK(match); + ATF_CHECK_EQ(scope, 24); + + match = do_lookup_string("192.0.2.128", &scope, + dns_geoip_country_name, "Other"); + ATF_CHECK(match); + ATF_CHECK_EQ(scope, 24); dns_test_end(); } @@ -232,6 +249,7 @@ ATF_TC_HEAD(country_v6, tc) { ATF_TC_BODY(country_v6, tc) { isc_result_t result; isc_boolean_t match; + isc_uint8_t scope; UNUSED(tc); @@ -246,17 +264,20 @@ ATF_TC_BODY(country_v6, tc) { atf_tc_skip("Database not available"); } - match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", + match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", &scope, dns_geoip_country_code, "AU"); ATF_CHECK(match); + ATF_CHECK_EQ(scope, 128); - match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", + match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", &scope, dns_geoip_country_code3, "AUS"); ATF_CHECK(match); + ATF_CHECK_EQ(scope, 128); - match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", + match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", &scope, dns_geoip_country_name, "Australia"); ATF_CHECK(match); + ATF_CHECK_EQ(scope, 128); dns_test_end(); } 
@@ -283,42 +304,42 @@ ATF_TC_BODY(city, tc) { atf_tc_skip("Database not available"); } - match = do_lookup_string("10.53.0.1", + match = do_lookup_string("10.53.0.1", NULL, dns_geoip_city_continentcode, "NA"); ATF_CHECK(match); - match = do_lookup_string("10.53.0.1", + match = do_lookup_string("10.53.0.1", NULL, dns_geoip_city_countrycode, "US"); ATF_CHECK(match); - match = do_lookup_string("10.53.0.1", + match = do_lookup_string("10.53.0.1", NULL, dns_geoip_city_countrycode3, "USA"); ATF_CHECK(match); - match = do_lookup_string("10.53.0.1", + match = do_lookup_string("10.53.0.1", NULL, dns_geoip_city_countryname, "United States"); ATF_CHECK(match); - match = do_lookup_string("10.53.0.1", + match = do_lookup_string("10.53.0.1", NULL, dns_geoip_city_region, "CA"); ATF_CHECK(match); - match = do_lookup_string("10.53.0.1", + match = do_lookup_string("10.53.0.1", NULL, dns_geoip_city_regionname, "California"); ATF_CHECK(match); - match = do_lookup_string("10.53.0.1", + match = do_lookup_string("10.53.0.1", NULL, dns_geoip_city_name, "Redwood City"); ATF_CHECK(match); - match = do_lookup_string("10.53.0.1", + match = do_lookup_string("10.53.0.1", NULL, dns_geoip_city_postalcode, "94063"); ATF_CHECK(match); - match = do_lookup_int("10.53.0.1", dns_geoip_city_areacode, 650); + match = do_lookup_int("10.53.0.1", NULL, dns_geoip_city_areacode, 650); ATF_CHECK(match); - match = do_lookup_int("10.53.0.1", dns_geoip_city_metrocode, 807); + match = do_lookup_int("10.53.0.1", NULL, dns_geoip_city_metrocode, 807); ATF_CHECK(match); dns_test_end(); 
@@ -346,36 +367,36 @@ ATF_TC_BODY(city_v6, tc) { atf_tc_skip("Database not available"); } - match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", + match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", NULL, dns_geoip_city_continentcode, "NA"); ATF_CHECK(match); - match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", + match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", NULL, dns_geoip_city_countrycode, "US"); ATF_CHECK(match); - match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", + match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", NULL, dns_geoip_city_countrycode3, "USA"); ATF_CHECK(match); - match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", + match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", NULL, dns_geoip_city_countryname, "United States"); ATF_CHECK(match); - match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", + match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", NULL, dns_geoip_city_region, "CA"); ATF_CHECK(match); - match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", + match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", NULL, dns_geoip_city_regionname, "California"); ATF_CHECK(match); - match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", + match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", NULL, dns_geoip_city_name, "Redwood City"); ATF_CHECK(match); - match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", + match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", NULL, dns_geoip_city_postalcode, "94063"); ATF_CHECK(match); @@ -405,15 +426,15 @@ ATF_TC_BODY(region, tc) { atf_tc_skip("Database not available"); } - match = do_lookup_string("10.53.0.1", + match = do_lookup_string("10.53.0.1", NULL, dns_geoip_region_code, "CA"); ATF_CHECK(match); - match = do_lookup_string("10.53.0.1", + match = do_lookup_string("10.53.0.1", NULL, dns_geoip_region_name, "California"); ATF_CHECK(match); - match = do_lookup_string("10.53.0.1", + match = do_lookup_string("10.53.0.1", NULL, dns_geoip_region_countrycode, "US"); ATF_CHECK(match); 
@@ -447,30 +468,30 @@ ATF_TC_BODY(best, tc) { atf_tc_skip("Database not available"); } - match = do_lookup_string("10.53.0.4", + match = do_lookup_string("10.53.0.4", NULL, dns_geoip_countrycode, "US"); ATF_CHECK(match); - match = do_lookup_string("10.53.0.4", + match = do_lookup_string("10.53.0.4", NULL, dns_geoip_countrycode3, "USA"); ATF_CHECK(match); - match = do_lookup_string("10.53.0.4", + match = do_lookup_string("10.53.0.4", NULL, dns_geoip_countryname, "United States"); ATF_CHECK(match); - match = do_lookup_string("10.53.0.4", + match = do_lookup_string("10.53.0.4", NULL, dns_geoip_regionname, "Virginia"); ATF_CHECK(match); - match = do_lookup_string("10.53.0.4", + match = do_lookup_string("10.53.0.4", NULL, dns_geoip_region, "VA"); ATF_CHECK(match); GeoIP_delete(geoip.city_v4); geoip.city_v4 = NULL; - match = do_lookup_string("10.53.0.4", + match = do_lookup_string("10.53.0.4", NULL, dns_geoip_countrycode, "AU"); ATF_CHECK(match); @@ -478,26 +499,26 @@ ATF_TC_BODY(best, tc) { * Note, region doesn't support code3 or countryname, so * the next two would be answered from the country database instead */ - match = do_lookup_string("10.53.0.4", + match = do_lookup_string("10.53.0.4", NULL, dns_geoip_countrycode3, "CAN"); ATF_CHECK(match); - match = do_lookup_string("10.53.0.4", + match = do_lookup_string("10.53.0.4", NULL, dns_geoip_countryname, "Canada"); ATF_CHECK(match); GeoIP_delete(geoip.region); geoip.region = NULL; - match = do_lookup_string("10.53.0.4", + match = do_lookup_string("10.53.0.4", NULL, dns_geoip_countrycode, "CA"); ATF_CHECK(match); - match = do_lookup_string("10.53.0.4", + match = do_lookup_string("10.53.0.4", NULL, dns_geoip_countrycode3, "CAN"); ATF_CHECK(match); - match = do_lookup_string("10.53.0.4", + match = do_lookup_string("10.53.0.4", NULL, dns_geoip_countryname, "Canada"); ATF_CHECK(match); 
@@ -528,7 +549,7 @@ ATF_TC_BODY(asnum, tc) { } - match = do_lookup_string("10.53.0.3", dns_geoip_as_asnum, + match = do_lookup_string("10.53.0.3", NULL, dns_geoip_as_asnum, "AS100003 Three Network Labs"); ATF_CHECK(match); @@ -557,7 +578,7 @@ ATF_TC_BODY(isp, tc) { atf_tc_skip("Database not available"); } - match = do_lookup_string("10.53.0.1", dns_geoip_isp_name, + match = do_lookup_string("10.53.0.1", NULL, dns_geoip_isp_name, "One Systems, Inc."); ATF_CHECK(match); @@ -586,7 +607,7 @@ ATF_TC_BODY(org, tc) { atf_tc_skip("Database not available"); } - match = do_lookup_string("10.53.0.2", dns_geoip_org_name, + match = do_lookup_string("10.53.0.2", NULL, dns_geoip_org_name, "Two Technology Ltd."); ATF_CHECK(match); @@ -615,7 +636,7 @@ ATF_TC_BODY(domain, tc) { atf_tc_skip("Database not available"); } - match = do_lookup_string("10.53.0.4", + match = do_lookup_string("10.53.0.4", NULL, dns_geoip_domain_name, "four.com"); ATF_CHECK(match); @@ -644,16 +665,16 @@ ATF_TC_BODY(netspeed, tc) { atf_tc_skip("Database not available"); } - match = do_lookup_int("10.53.0.1", dns_geoip_netspeed_id, 0); + match = do_lookup_int("10.53.0.1", NULL, dns_geoip_netspeed_id, 0); ATF_CHECK(match); - match = do_lookup_int("10.53.0.2", dns_geoip_netspeed_id, 1); + match = do_lookup_int("10.53.0.2", NULL, dns_geoip_netspeed_id, 1); ATF_CHECK(match); - match = do_lookup_int("10.53.0.3", dns_geoip_netspeed_id, 2); + match = do_lookup_int("10.53.0.3", NULL, dns_geoip_netspeed_id, 2); ATF_CHECK(match); - match = do_lookup_int("10.53.0.4", dns_geoip_netspeed_id, 3); + match = do_lookup_int("10.53.0.4", NULL, dns_geoip_netspeed_id, 3); ATF_CHECK(match); dns_test_end(); diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in index 862b2b03fe..422f21c3ee 100644 --- a/lib/dns/win32/libdns.def.in +++ b/lib/dns/win32/libdns.def.in 
@@ -25,9 +25,11 @@ dns_acl_isany
 dns_acl_isinsecure
 dns_acl_isnone
 dns_acl_match
+dns_acl_match2
 dns_acl_merge
 dns_acl_none
 dns_aclelement_match
+dns_aclelement_match2
 dns_aclenv_copy
 dns_aclenv_destroy
 dns_aclenv_init
diff --git a/lib/isc/include/isc/radix.h b/lib/isc/include/isc/radix.h
index 1c1887f1d0..4d0b3b08f1 100644
--- a/lib/isc/include/isc/radix.h
+++ b/lib/isc/include/isc/radix.h
@@ -14,8 +14,6 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: radix.h,v 1.13 2008/12/01 23:47:45 tbox Exp $ */
-
 /*
 * This source was adapted from MRT's RCS Ids:
 * Id: radix.h,v 1.6 1999/08/03 03:32:53 masaki Exp
@@ -34,7 +32,7 @@
 #ifndef _RADIX_H
 #define _RADIX_H
-#define NETADDR_TO_PREFIX_T(na,pt,bits) \
+#define NETADDR_TO_PREFIX_T(na,pt,bits,isecs) \
 do { \
 memset(&(pt), 0, sizeof(pt)); \
 if((na) != NULL) { \
@@ -50,6 +48,7 @@
 (pt).family = AF_UNSPEC; \
 (pt).bitlen = 0; \
 } \
+ (pt).ecs = isecs; \
 isc_refcount_init(&(pt).refcount, 0); \
 } while(0)
@@ -57,6 +56,7 @@ typedef struct isc_prefix {
 isc_mem_t *mctx;
 unsigned int family; /* AF_INET | AF_INET6, or AF_UNSPEC for "any" */
 unsigned int bitlen; /* 0 for "any" */
+ isc_boolean_t ecs; /* ISC_TRUE for an EDNS client subnet address */
 isc_refcount_t refcount;
 union {
 struct in_addr sin;
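Review bot: The new macro parameter is used bare in the `@@ -50,6 +48,7 @@` hunk, `(pt).ecs = isecs;`, whereas every other parameter NETADDR_TO_PREFIX_T expands (`(na)`, `(pt)`) is parenthesized; write `(pt).ecs = (isecs);` so an expression argument cannot bind unexpectedly. Since the macro now takes a fourth parameter, every existing expansion site has to change with this header; none of the hunks shown here touch a caller, so that is worth confirming across the rest of the series.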
@@ -81,23 +81,32 @@ typedef void (*isc_radix_processfunc_t)(isc_prefix_t *, void **); * return the one that was added first. * * An IPv4 prefix and an IPv6 prefix may share a radix tree node if they - * have the same length and bit pattern (e.g., 127/8 and 7f::/8). To - * disambiguate between them, node_num and data are two-element arrays; - * node_num[0] and data[0] are used for IPv4 addresses, node_num[1] - * and data[1] for IPv6 addresses. The only exception is a prefix of - * 0/0 (aka "any" or "none"), which is always stored as IPv4 but matches - * IPv6 addresses too. + * have the same length and bit pattern (e.g., 127/8 and 7f::/8). Also, + * a node that matches a client address may also match an EDNS client + * subnet address. To disambiguate between these, node_num and data + * are four-element arrays; + * + * - node_num[0] and data[0] are used for IPv4 client addresses + * - node_num[1] and data[1] for IPv4 client subnet addresses + * - node_num[2] and data[2] are used for IPv6 client addresses + * - node_num[3] and data[3] for IPv6 client subnet addresses + * + * A prefix of 0/0 (aka "any" or "none"), is always stored as IPv4, + * but matches IPv6 addresses too, as well as all client subnet + * addresses. */ -#define ISC_IS6(family) ((family) == AF_INET6 ? 1 : 0) +#define ISC_RADIX_OFF(p) \ + ((((p)->family == AF_INET6) ? 1 : 0) + ((p)->ecs ? 2 : 0)) + typedef struct isc_radix_node { isc_mem_t *mctx; isc_uint32_t bit; /* bit length of the prefix */ isc_prefix_t *prefix; /* who we are in radix tree */ struct isc_radix_node *l, *r; /* left and right children */ struct isc_radix_node *parent; /* may be used */ - void *data[2]; /* pointers to IPv4 and IPV6 data */ - int node_num[2]; /* which node this was in the tree, + void *data[4]; /* pointers to IPv4 and IPV6 data */ + int node_num[4]; /* which node this was in the tree, or -1 for glue nodes */ } isc_radix_node_t; diff --git a/lib/isc/radix.c b/lib/isc/radix.c index df26615fa9..ebe277048e 100644 
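Review bot: The field comment on `void *data[4];` still reads `/* pointers to IPv4 and IPV6 data */`, which no longer describes the four slots the block comment above now defines; change it to something like `/* per-offset data; index with ISC_RADIX_OFF() */` and adjust the `node_num[4]` comment the same way. The literal 4 is also repeated in every loop and initializer in lib/isc/radix.c (the `@@ -327`, `@@ -346`, `@@ -426`, `@@ -468`, `@@ -518` and `@@ -583` hunks); a named constant placed next to ISC_RADIX_OFF, e.g. `#define ISC_RADIX_NOFFSETS 4` (proposed name), would tie the array sizes to the macro that produces the index.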
--- a/lib/isc/radix.c +++ b/lib/isc/radix.c @@ -70,6 +70,7 @@ _new_prefix(isc_mem_t *mctx, isc_prefix_t **target, int family, void *dest, } prefix->family = family; + prefix->ecs = ISC_FALSE; prefix->mctx = NULL; isc_mem_attach(mctx, &prefix->mctx); @@ -182,12 +183,13 @@ _clear_radix(isc_radix_tree_t *radix, isc_radix_destroyfunc_t func) { if (Xrn->prefix != NULL) { _deref_prefix(Xrn->prefix); - if (func != NULL && (Xrn->data[0] != NULL || - Xrn->data[1] != NULL)) + if (func != NULL) func(Xrn->data); } else { INSIST(Xrn->data[0] == NULL && - Xrn->data[1] == NULL); + Xrn->data[1] == NULL && + Xrn->data[2] == NULL && + Xrn->data[3] == NULL); } isc_mem_put(radix->mctx, Xrn, sizeof(*Xrn)); @@ -242,8 +244,7 @@ isc_radix_search(isc_radix_tree_t *radix, isc_radix_node_t **target, isc_radix_node_t *stack[RADIX_MAXBITS + 1]; u_char *addr; isc_uint32_t bitlen; - int tfamily = -1; - int cnt = 0; + int toff = -1, cnt = 0; REQUIRE(radix != NULL); REQUIRE(prefix != NULL); @@ -281,13 +282,15 @@ isc_radix_search(isc_radix_tree_t *radix, isc_radix_node_t **target, if (_comp_with_mask(isc_prefix_tochar(node->prefix), isc_prefix_tochar(prefix), - node->prefix->bitlen)) { - if (node->node_num[ISC_IS6(prefix->family)] != -1 && - ((*target == NULL) || - (*target)->node_num[ISC_IS6(tfamily)] > - node->node_num[ISC_IS6(prefix->family)])) { + node->prefix->bitlen)) + { + int off = ISC_RADIX_OFF(prefix); + if (node->node_num[off] != -1 && + ((*target == NULL) || + (*target)->node_num[toff] > node->node_num[off])) + { *target = node; - tfamily = prefix->family; + toff = off; } } } @@ -327,7 +330,8 @@ isc_radix_insert(isc_radix_tree_t *radix, isc_radix_node_t **target, if (node == NULL) return (ISC_R_NOMEMORY); node->bit = bitlen; - node->node_num[0] = node->node_num[1] = -1; + for (i = 0; i < 4; i++) + node->node_num[i] = -1; node->prefix = NULL; result = _ref_prefix(radix->mctx, &node->prefix, prefix); if (result != ISC_R_SUCCESS) { 
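Review bot: In the `@@ -182,12 +183,13 @@` hunk `_clear_radix` now calls `func(Xrn->data)` whenever `func != NULL`, dropping the old guard that at least one data slot was set, so the destroy callback is now also invoked for nodes whose four data pointers are all NULL. If that is intended, a comment such as `/* func must tolerate an all-NULL data array */` at the call would make the contract explicit; otherwise the old guard should be extended to all four slots rather than removed. The `for (i = 0; i < 4; i++)` loop in the `@@ -327,7 +330,8 @@` hunk relies on a local `i` whose declaration is outside the hunk (isc_radix_insert starts before it), which should be checked in the full function.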
@@ -346,25 +350,24 @@ isc_radix_insert(isc_radix_tree_t *radix, isc_radix_node_t **target, * added to num_added_node at the end of * the merge operation--we don't do it here. */ - if (source->node_num[0] != -1) - node->node_num[0] = radix->num_added_node + - source->node_num[0]; - if (source->node_num[1] != -1) - node->node_num[1] = radix->num_added_node + - source->node_num[1]; - node->data[0] = source->data[0]; - node->data[1] = source->data[1]; + for (i = 0; i < 4; i++) { + if (source->node_num[i] != -1) + node->node_num[i] = + radix->num_added_node + + source->node_num[i]; + node->data[i] = source->data[i]; + } } else { + int next = ++radix->num_added_node; if (fam == AF_UNSPEC) { /* "any" or "none" */ - node->node_num[0] = node->node_num[1] = - ++radix->num_added_node; + for (i = 0; i < 4; i++) + node->node_num[i] = next; } else { - node->node_num[ISC_IS6(fam)] = - ++radix->num_added_node; + node->node_num[ISC_RADIX_OFF(prefix)] = next; } - node->data[0] = NULL; - node->data[1] = NULL; + + memset(node->data, 0, sizeof(node->data)); } radix->head = node; radix->num_active_node++; 
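Review bot: The merge loop in this hunk copies `node->data[i] = source->data[i]` unconditionally for all four slots, while the equivalent loops in the `@@ -468` and `@@ -518` hunks copy data only when `source->node_num[i] != -1`; the three should agree so a reader does not have to wonder whether the difference is deliberate. Once they agree, the loop is a good candidate for a small static helper, e.g. `_merge_node(node, source, radix->num_added_node)`, since the same body now appears three times in isc_radix_insert, which starts and ends outside this hunk.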
@@ -426,37 +429,33 @@ isc_radix_insert(isc_radix_tree_t *radix, isc_radix_node_t **target, if (node->prefix != NULL) { /* Set node_num only if it hasn't been set before */ if (source != NULL) { - /* Merging node */ - if (node->node_num[0] == -1 && - source->node_num[0] != -1) { - node->node_num[0] = - radix->num_added_node + - source->node_num[0]; - node->data[0] = source->data[0]; - } - if (node->node_num[1] == -1 && - source->node_num[0] != -1) { - node->node_num[1] = - radix->num_added_node + - source->node_num[1]; - node->data[1] = source->data[1]; + /* Merging nodes */ + for (i = 0; i < 4; i++) { + if (node->node_num[i] == -1 && + source->node_num[i] != -1) { + node->node_num[i] = + radix->num_added_node + + source->node_num[i]; + node->data[i] = source->data[i]; + } } } else { if (fam == AF_UNSPEC) { /* "any" or "none" */ int next = radix->num_added_node + 1; - if (node->node_num[0] == -1) { - node->node_num[0] = next; - radix->num_added_node = next; - } - if (node->node_num[1] == -1) { - node->node_num[1] = next; - radix->num_added_node = next; + for (i = 0; i < 4; i++) { + if (node->node_num[i] == -1) { + node->node_num[i] = + next; + radix->num_added_node = + next; + } } } else { - if (node->node_num[ISC_IS6(fam)] == -1) - node->node_num[ISC_IS6(fam)] - = ++radix->num_added_node; + int off = ISC_RADIX_OFF(prefix); + if (node->node_num[off] == -1) + node->node_num[off] = + ++radix->num_added_node; } } *target = node; 
@@ -468,27 +467,27 @@ isc_radix_insert(isc_radix_tree_t *radix, isc_radix_node_t **target, return (result); } INSIST(node->data[0] == NULL && node->node_num[0] == -1 && - node->data[1] == NULL && node->node_num[1] == -1); + node->data[1] == NULL && node->node_num[1] == -1 && + node->data[2] == NULL && node->node_num[2] == -1 && + node->data[3] == NULL && node->node_num[3] == -1); if (source != NULL) { /* Merging node */ - if (source->node_num[0] != -1) { - node->node_num[0] = radix->num_added_node + - source->node_num[0]; - node->data[0] = source->data[0]; - } - if (source->node_num[1] != -1) { - node->node_num[1] = radix->num_added_node + - source->node_num[1]; - node->data[1] = source->data[1]; + for (i = 0; i < 4; i++) { + int cur = radix->num_added_node; + if (source->node_num[i] != -1) { + node->node_num[i] = + source->node_num[i] + cur; + node->data[i] = source->data[i]; + } } } else { + int next = ++radix->num_added_node; if (fam == AF_UNSPEC) { /* "any" or "none" */ - node->node_num[0] = node->node_num[1] = - ++radix->num_added_node; + for (i = 0; i < 4; i++) + node->node_num[i] = next; } else { - node->node_num[ISC_IS6(fam)] = - ++radix->num_added_node; + node->node_num[ISC_RADIX_OFF(prefix)] = next; } } *target = node; 
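Review bot: `int cur = radix->num_added_node;` is declared inside the `for (i = 0; i < 4; i++)` loop although nothing in the loop modifies `radix->num_added_node`; hoisting it above the loop, `int cur = radix->num_added_node;` immediately before `for (i = 0; i < 4; i++) {`, reads more naturally and matches the `@@ -346` hunk, which uses the field directly. The same applies to the loop in the `@@ -518,30 +517,30 @@` hunk. isc_radix_insert starts and ends outside the hunk.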
@@ -518,30 +517,30 @@ isc_radix_insert(isc_radix_tree_t *radix, isc_radix_node_t **target, } new_node->parent = NULL; new_node->l = new_node->r = NULL; - new_node->node_num[0] = new_node->node_num[1] = -1; + for (i = 0; i < 4; i++) + new_node->node_num[i] = -1; radix->num_active_node++; if (source != NULL) { /* Merging node */ - if (source->node_num[0] != -1) - new_node->node_num[0] = radix->num_added_node + - source->node_num[0]; - if (source->node_num[1] != -1) - new_node->node_num[1] = radix->num_added_node + - source->node_num[1]; - new_node->data[0] = source->data[0]; - new_node->data[1] = source->data[1]; + for (i = 0; i < 4; i++) { + int cur = radix->num_added_node; + if (source->node_num[i] != -1) { + new_node->node_num[i] = + source->node_num[i] + cur; + new_node->data[i] = source->data[i]; + } + } } else { + int next = ++radix->num_added_node; if (fam == AF_UNSPEC) { /* "any" or "none" */ - new_node->node_num[0] = new_node->node_num[1] = - ++radix->num_added_node; + for (i = 0; i < 4; i++) + new_node->node_num[i] = next; } else { - new_node->node_num[ISC_IS6(fam)] = - ++radix->num_added_node; + new_node->node_num[ISC_RADIX_OFF(prefix)] = next; } - new_node->data[0] = NULL; - new_node->data[1] = NULL; + memset(new_node->data, 0, sizeof(new_node->data)); } if (node->bit == differ_bit) { @@ -583,8 +582,10 @@ isc_radix_insert(isc_radix_tree_t *radix, isc_radix_node_t **target, glue->bit = differ_bit; glue->prefix = NULL; glue->parent = node->parent; - glue->data[0] = glue->data[1] = NULL; - glue->node_num[0] = glue->node_num[1] = -1; + for (i = 0; i < 4; i++) { + glue->data[i] = NULL; + glue->node_num[i] = -1; + } radix->num_active_node++; if (differ_bit < radix->maxbits && BIT_TEST(addr[differ_bit>>3], 0x80 >> (differ_bit & 07))) { 
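Review bot: In the `@@ -518,30 +517,30 @@` hunk the merging branch now copies `new_node->data[i]` only when `source->node_num[i] != -1`, whereas the removed code copied both data pointers unconditionally; the `memset(new_node->data, 0, sizeof(new_node->data));` sits only in the `else` branch, so unless new_node is zero-allocated above the hunk, slots that are not merged keep whatever the allocation left in them. Moving that `memset` to just after the `new_node->node_num[i] = -1;` loop, ahead of `if (source != NULL)`, initialises every slot on both paths. isc_radix_insert starts and ends outside the hunk.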
@@ -627,7 +628,7 @@ isc_radix_remove(isc_radix_tree_t *radix, isc_radix_node_t *node) { _deref_prefix(node->prefix); node->prefix = NULL; - node->data[0] = node->data[1] = NULL; + memset(node->data, 0, sizeof(node->data)); return; } diff --git a/lib/isccfg/aclconf.c b/lib/isccfg/aclconf.c index 83d5ae6509..03dd4401ec 100644 --- a/lib/isccfg/aclconf.c +++ b/lib/isccfg/aclconf.c @@ -696,6 +696,7 @@ cfg_acl_fromconfig2(const cfg_obj_t *caml, const cfg_obj_t *cctx, /* Network prefix */ isc_netaddr_t addr; unsigned int bitlen; + isc_boolean_t setpos, setecs; cfg_obj_asnetprefix(ce, &addr, &bitlen); if (family != 0 && family != addr.family) { @@ -713,8 +714,10 @@ cfg_acl_fromconfig2(const cfg_obj_t *caml, const cfg_obj_t *cctx, * If nesting ACLs (nest_level != 0), we negate * the nestedacl element, not the iptable entry. */ - result = dns_iptable_addprefix(iptab, &addr, bitlen, - ISC_TF(nest_level != 0 || !neg)); + setpos = ISC_TF(nest_level != 0 || !neg); + setecs = cfg_obj_istype(ce, &cfg_type_ecsprefix); + result = dns_iptable_addprefix2(iptab, &addr, bitlen, + setpos, setecs); if (result != ISC_R_SUCCESS) goto cleanup; diff --git a/lib/isccfg/include/isccfg/namedconf.h b/lib/isccfg/include/isccfg/namedconf.h index 507da06587..67cca35bbc 100644 --- a/lib/isccfg/include/isccfg/namedconf.h +++ b/lib/isccfg/include/isccfg/namedconf.h @@ -54,4 +54,7 @@ LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_sessionkey; LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_keyref; /*%< A key reference, used as an ACL element */ +/*%< An EDNS client subnet address, used as an ACL element */ +LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_ecsprefix; + #endif /* ISCCFG_NAMEDCONF_H */ diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index f8b3bad316..03f4b01d51 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c 
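Review bot: In the namedconf.h hunk the Doxygen marker `/*%<` is a trailing-comment marker that documents the preceding declaration, which is how the existing `cfg_type_keyref` line uses it, but the new `/*%< An EDNS client subnet address, used as an ACL element */` is placed before the `cfg_type_ecsprefix` declaration, so it attaches to `cfg_type_keyref` instead. Either move the comment below the new declaration to match the line above it, or use `/*%` if it is meant to precede the declaration.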
@@ -950,9 +950,12 @@ options_clauses[] = { { "flush-zones-on-shutdown", &cfg_type_boolean, 0 }, #ifdef HAVE_GEOIP { "geoip-directory", &cfg_type_qstringornone, 0 }, + { "geoip-use-ecs", &cfg_type_boolean, 0 }, #else { "geoip-directory", &cfg_type_qstringornone, CFG_CLAUSEFLAG_NOTCONFIGURED }, + { "geoip-use-ecs", &cfg_type_qstringornone, + CFG_CLAUSEFLAG_NOTCONFIGURED }, #endif /* HAVE_GEOIP */ { "has-old-clients", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE }, { "heartbeat-interval", &cfg_type_uint32, 0 }, @@ -2281,6 +2284,16 @@ doc_geoip(cfg_printer_t *pctx, const cfg_type_t *type) { } #endif /* HAVE_GEOIP */ +/*% + * An EDNS client subnet address + */ + +static keyword_type_t ecs_kw = { "ecs", &cfg_type_netprefix }; +LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_ecsprefix = { + "edns_client_subnet", parse_keyvalue, print_keyvalue, doc_keyvalue, + &cfg_rep_netprefix, &ecs_kw +}; + /*% * A "controls" statement is represented as a map with the multivalued * "inet" and "unix" clauses. @@ -2570,6 +2583,9 @@ parse_addrmatchelt(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) if (pctx->token.type == isc_tokentype_string && (strcasecmp(TOKEN_STRING(pctx), "key") == 0)) { CHECK(cfg_parse_obj(pctx, &cfg_type_keyref, ret)); + } else if (pctx->token.type == isc_tokentype_string && + (strcasecmp(TOKEN_STRING(pctx), "ecs") == 0)) { + CHECK(cfg_parse_obj(pctx, &cfg_type_ecsprefix, ret)); } else if (pctx->token.type == isc_tokentype_string && (strcasecmp(TOKEN_STRING(pctx), "geoip") == 0)) { #ifdef HAVE_GEOIP From f5c24a7f48cd68337c21dea47a448ae2ff2ccb8c Mon Sep 17 00:00:00 2001 
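Review bot: The `geoip-use-ecs` clause is declared with `&cfg_type_boolean` under HAVE_GEOIP but with `&cfg_type_qstringornone` in the `#else` branch, whereas `geoip-directory` keeps the same type in both branches; a configuration written for a GeoIP-enabled build (`geoip-use-ecs yes;`) may then parse differently, or fail, on a build without GeoIP, which presumably is meant only to report the clause as not configured. Using `{ "geoip-use-ecs", &cfg_type_boolean, CFG_CLAUSEFLAG_NOTCONFIGURED },` keeps the accepted syntax identical across builds.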
From: Evan Hunt Date: Thu, 28 Aug 2014 22:37:55 -0700 Subject: [PATCH 08/92] [master] add better servfail logging 3937. [func] Added some debug logging to better indicate the conditions causing SERVFAILs when resolving. [RT #35538] --- CHANGES | 4 + bin/named/query.c | 275 ++++++++++++++++++++++++++++++--------------- lib/dns/resolver.c | 205 ++++++++++++++++++++++++++++++--- 3 files changed, 377 insertions(+), 107 deletions(-) diff --git a/CHANGES b/CHANGES index 47f40b53ee..6e122d2d1d 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +3937. [func] Added some debug logging to better indicate the + conditions causing SERVFAILs when resolving. + [RT #35538] + 3936. [func] Added authoritative support for the EDNS Client Subnet (ECS) option. diff --git a/bin/named/query.c b/bin/named/query.c index a79a930fd3..7239ce8bca 100644 --- a/bin/named/query.c +++ b/bin/named/query.c @@ -125,21 +125,25 @@ DNS_RDATASETATTR_NOQNAME) != 0) #if 0 -#define CTRACE(m) isc_log_write(ns_g_lctx, \ - NS_LOGCATEGORY_CLIENT, \ - NS_LOGMODULE_QUERY, \ - ISC_LOG_DEBUG(3), \ - "client %p: %s", client, (m)) -#define QTRACE(m) isc_log_write(ns_g_lctx, \ - NS_LOGCATEGORY_GENERAL, \ - NS_LOGMODULE_QUERY, \ - ISC_LOG_DEBUG(3), \ - "query %p: %s", query, (m)) +#define CTRACE(l,m) do { \ + if (client != NULL && client->query.qname != NULL) { \ + char qbuf[DNS_NAME_FORMATSIZE]; \ + dns_name_format(client->query.qname, qbuf, sizeof(qbuf)); \ + isc_log_write(ns_g_lctx, \ + NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY, \ + l, "client %p (%s): %s", client, qbuf, (m)); \ + } else { \ + isc_log_write(ns_g_lctx, \ + NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY, \ + l, "client %p (): %s", \ + client, (m)); \ + } \ +} while(0) #else -#define CTRACE(m) ((void)m) -#define QTRACE(m) ((void)m) +#define CTRACE(l,m) ((void)m) #endif + #define DNS_GETDB_NOEXACT 0x01U #define DNS_GETDB_NOLOG 0x02U #define DNS_GETDB_PARTIAL 0x04U 
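Review bot: The new CTRACE(l,m) definition that formats the level and query name is under `#if 0`, so in a normal build CTRACE expands to `((void)m)` and the ISC_LOG_ERROR diagnostics this series adds (for example in the `query_validatezonedb`, `query_addsoa`, `query_addns`, `query_resume` and `rpz_ready` hunks) are never emitted; if the intent of the 3937 change is operator-visible SERVFAIL logging, the error-level calls need a definition that is compiled in, with only the DEBUG(3) tracing gated out. The enabled branch also passes `l` unparenthesized, `l, "client %p (%s): %s"`, which is fine for the ISC_LOG_* constants used but `(l)` is the safer form. The removed QTRACE macro gets no replacement in this hunk, so any remaining QTRACE use elsewhere in query.c would fail to compile.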
@@ -312,13 +316,13 @@ static inline void query_putrdataset(ns_client_t *client, dns_rdataset_t **rdatasetp) { dns_rdataset_t *rdataset = *rdatasetp; - CTRACE("query_putrdataset"); + CTRACE(ISC_LOG_DEBUG(3), "query_putrdataset"); if (rdataset != NULL) { if (dns_rdataset_isassociated(rdataset)) dns_rdataset_disassociate(rdataset); dns_message_puttemprdataset(client->message, rdatasetp); } - CTRACE("query_putrdataset: done"); + CTRACE(ISC_LOG_DEBUG(3), "query_putrdataset: done"); } static inline void @@ -425,7 +429,7 @@ query_newnamebuf(ns_client_t *client) { isc_buffer_t *dbuf; isc_result_t result; - CTRACE("query_newnamebuf"); + CTRACE(ISC_LOG_DEBUG(3), "query_newnamebuf"); /*% * Allocate a name buffer. */ @@ -433,12 +437,13 @@ query_newnamebuf(ns_client_t *client) { dbuf = NULL; result = isc_buffer_allocate(client->mctx, &dbuf, 1024); if (result != ISC_R_SUCCESS) { - CTRACE("query_newnamebuf: isc_buffer_allocate failed: done"); + CTRACE(ISC_LOG_DEBUG(3), + "query_newnamebuf: isc_buffer_allocate failed: done"); return (result); } ISC_LIST_APPEND(client->query.namebufs, dbuf, link); - CTRACE("query_newnamebuf: done"); + CTRACE(ISC_LOG_DEBUG(3), "query_newnamebuf: done"); return (ISC_R_SUCCESS); } @@ -448,7 +453,7 @@ query_getnamebuf(ns_client_t *client) { isc_result_t result; isc_region_t r; - CTRACE("query_getnamebuf"); + CTRACE(ISC_LOG_DEBUG(3), "query_getnamebuf"); /*% * Return a name buffer with space for a maximal name, allocating * a new one if necessary. @@ -457,7 +462,8 @@ query_getnamebuf(ns_client_t *client) { if (ISC_LIST_EMPTY(client->query.namebufs)) { result = query_newnamebuf(client); if (result != ISC_R_SUCCESS) { - CTRACE("query_getnamebuf: query_newnamebuf failed: done"); + CTRACE(ISC_LOG_DEBUG(3), + "query_getnamebuf: query_newnamebuf failed: done"); return (NULL); } } 
@@ -468,7 +474,8 @@ query_getnamebuf(ns_client_t *client) { if (r.length < 255) { result = query_newnamebuf(client); if (result != ISC_R_SUCCESS) { - CTRACE("query_getnamebuf: query_newnamebuf failed: done"); + CTRACE(ISC_LOG_DEBUG(3), + "query_getnamebuf: query_newnamebuf failed: done"); return (NULL); } @@ -476,7 +483,7 @@ query_getnamebuf(ns_client_t *client) { isc_buffer_availableregion(dbuf, &r); INSIST(r.length >= 255); } - CTRACE("query_getnamebuf: done"); + CTRACE(ISC_LOG_DEBUG(3), "query_getnamebuf: done"); return (dbuf); } @@ -484,7 +491,7 @@ static inline void query_keepname(ns_client_t *client, dns_name_t *name, isc_buffer_t *dbuf) { isc_region_t r; - CTRACE("query_keepname"); + CTRACE(ISC_LOG_DEBUG(3), "query_keepname"); /*% * 'name' is using space in 'dbuf', but 'dbuf' has not yet been * adjusted to take account of that. We do the adjustment. @@ -508,14 +515,14 @@ query_releasename(ns_client_t *client, dns_name_t **namep) { * rights on the buffer. */ - CTRACE("query_releasename"); + CTRACE(ISC_LOG_DEBUG(3), "query_releasename"); if (dns_name_hasbuffer(name)) { INSIST((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) != 0); client->query.attributes &= ~NS_QUERYATTR_NAMEBUFUSED; } dns_message_puttempname(client->message, namep); - CTRACE("query_releasename: done"); + CTRACE(ISC_LOG_DEBUG(3), "query_releasename: done"); } static inline dns_name_t * @@ -528,11 +535,12 @@ query_newname(ns_client_t *client, isc_buffer_t *dbuf, REQUIRE((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) == 0); - CTRACE("query_newname"); + CTRACE(ISC_LOG_DEBUG(3), "query_newname"); name = NULL; result = dns_message_gettempname(client->message, &name); if (result != ISC_R_SUCCESS) { - CTRACE("query_newname: dns_message_gettempname failed: done"); + CTRACE(ISC_LOG_DEBUG(3), + "query_newname: dns_message_gettempname failed: done"); return (NULL); } isc_buffer_availableregion(dbuf, &r); 
@@ -541,7 +549,7 @@ query_newname(ns_client_t *client, isc_buffer_t *dbuf, dns_name_setbuffer(name, nbuf); client->query.attributes |= NS_QUERYATTR_NAMEBUFUSED; - CTRACE("query_newname: done"); + CTRACE(ISC_LOG_DEBUG(3), "query_newname: done"); return (name); } @@ -550,17 +558,18 @@ query_newrdataset(ns_client_t *client) { dns_rdataset_t *rdataset; isc_result_t result; - CTRACE("query_newrdataset"); + CTRACE(ISC_LOG_DEBUG(3), "query_newrdataset"); rdataset = NULL; result = dns_message_gettemprdataset(client->message, &rdataset); if (result != ISC_R_SUCCESS) { - CTRACE("query_newrdataset: " + CTRACE(ISC_LOG_DEBUG(3), + "query_newrdataset: " "dns_message_gettemprdataset failed: done"); return (NULL); } dns_rdataset_init(rdataset); - CTRACE("query_newrdataset: done"); + CTRACE(ISC_LOG_DEBUG(3), "query_newrdataset: done"); return (rdataset); } @@ -727,8 +736,10 @@ query_validatezonedb(ns_client_t *client, dns_name_t *name, * Get the current version of this database. */ dbversion = query_findversion(client, db); - if (dbversion == NULL) + if (dbversion == NULL) { + CTRACE(ISC_LOG_ERROR, "unable to get db version"); return (DNS_R_SERVFAIL); + } if ((options & DNS_GETDB_IGNOREACL) != 0) goto approved; @@ -1191,7 +1202,7 @@ query_isduplicate(ns_client_t *client, dns_name_t *name, dns_name_t *mname = NULL; isc_result_t result; - CTRACE("query_isduplicate"); + CTRACE(ISC_LOG_DEBUG(3), "query_isduplicate"); for (section = DNS_SECTION_ANSWER; section <= DNS_SECTION_ADDITIONAL; @@ -1202,7 +1213,8 @@ query_isduplicate(ns_client_t *client, dns_name_t *name, /* * We've already got this RRset in the response. */ - CTRACE("query_isduplicate: true: done"); + CTRACE(ISC_LOG_DEBUG(3), + "query_isduplicate: true: done"); return (ISC_TRUE); } else if (result == DNS_R_NXRRSET) { /* 
@@ -1218,7 +1230,7 @@ query_isduplicate(ns_client_t *client, dns_name_t *name, if (mnamep != NULL) *mnamep = mname; - CTRACE("query_isduplicate: false: done"); + CTRACE(ISC_LOG_DEBUG(3), "query_isduplicate: false: done"); return (ISC_FALSE); } @@ -1245,7 +1257,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { if (!WANTDNSSEC(client) && dns_rdatatype_isdnssec(qtype)) return (ISC_R_SUCCESS); - CTRACE("query_addadditional"); + CTRACE(ISC_LOG_DEBUG(3), "query_addadditional"); /* * Initialization. @@ -1301,7 +1313,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { if (result != ISC_R_SUCCESS) goto try_cache; - CTRACE("query_addadditional: db_find"); + CTRACE(ISC_LOG_DEBUG(3), "query_addadditional: db_find"); /* * Since we are looking for authoritative data, we do not set @@ -1573,7 +1585,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { } addname: - CTRACE("query_addadditional: addname"); + CTRACE(ISC_LOG_DEBUG(3), "query_addadditional: addname"); /* * If we haven't added anything, then we're done. */ @@ -1613,7 +1625,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { } cleanup: - CTRACE("query_addadditional: cleanup"); + CTRACE(ISC_LOG_DEBUG(3), "query_addadditional: cleanup"); query_putrdataset(client, &rdataset); if (sigrdataset != NULL) query_putrdataset(client, &sigrdataset); @@ -1626,7 +1638,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { if (zone != NULL) dns_zone_detach(&zone); - CTRACE("query_addadditional: done"); + CTRACE(ISC_LOG_DEBUG(3), "query_addadditional: done"); return (eresult); } 
@@ -1744,7 +1756,7 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { dns_clientinfomethods_init(&cm, ns_client_sourceip); dns_clientinfo_init(&ci, client, NULL); - CTRACE("query_addadditional2"); + CTRACE(ISC_LOG_DEBUG(3), "query_addadditional2"); /* * We treat type A additional section processing as if it @@ -1776,14 +1788,16 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { if (result != ISC_R_SUCCESS) goto findauthdb; if (zone == NULL) { - CTRACE("query_addadditional2: auth zone not found"); + CTRACE(ISC_LOG_DEBUG(3), + "query_addadditional2: auth zone not found"); goto try_cache; } /* Is the cached DB up-to-date? */ result = query_iscachevalid(zone, cdb, NULL, cversion); if (result != ISC_R_SUCCESS) { - CTRACE("query_addadditional2: old auth additional cache"); + CTRACE(ISC_LOG_DEBUG(3), + "query_addadditional2: old auth additional cache"); query_discardcache(client, rdataset_base, additionaltype, type, &zone, &cdb, &cversion, &cnode, &cfname); @@ -1796,7 +1810,8 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { * ACL, since the result (not using this zone) would be same * regardless of the result. */ - CTRACE("query_addadditional2: negative auth additional cache"); + CTRACE(ISC_LOG_DEBUG(3), + "query_addadditional2: negative auth additional cache"); dns_db_closeversion(cdb, &cversion, ISC_FALSE); dns_db_detach(&cdb); dns_zone_detach(&zone); @@ -1813,7 +1828,8 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { } /* We've got an active cache. */ - CTRACE("query_addadditional2: auth additional cache"); + CTRACE(ISC_LOG_DEBUG(3), + "query_addadditional2: auth additional cache"); dns_db_closeversion(cdb, &cversion, ISC_FALSE); db = cdb; node = cnode; 
@@ -1837,7 +1853,7 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { goto try_cache; } - CTRACE("query_addadditional2: db_find"); + CTRACE(ISC_LOG_DEBUG(3), "query_addadditional2: db_find"); /* * Since we are looking for authoritative data, we do not set @@ -1922,7 +1938,8 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { result = query_iscachevalid(zone, cdb, client->query.gluedb, cversion); if (result != ISC_R_SUCCESS) { - CTRACE("query_addadditional2: old glue additional cache"); + CTRACE(ISC_LOG_DEBUG(3), + "query_addadditional2: old glue additional cache"); query_discardcache(client, rdataset_base, additionaltype, type, &zone, &cdb, &cversion, &cnode, &cfname); @@ -1931,14 +1948,15 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { if (cnode == NULL) { /* We have a negative cache. */ - CTRACE("query_addadditional2: negative glue additional cache"); + CTRACE(ISC_LOG_DEBUG(3), + "query_addadditional2: negative glue additional cache"); dns_db_closeversion(cdb, &cversion, ISC_FALSE); dns_db_detach(&cdb); goto cleanup; } /* Cache hit. */ - CTRACE("query_addadditional2: glue additional cache"); + CTRACE(ISC_LOG_DEBUG(3), "query_addadditional2: glue additional cache"); dns_db_closeversion(cdb, &cversion, ISC_FALSE); db = cdb; node = cnode; @@ -2121,7 +2139,7 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { } } - CTRACE("query_addadditional2: addname"); + CTRACE(ISC_LOG_DEBUG(3), "query_addadditional2: addname"); /* * If we haven't added anything, then we're done. @@ -2140,7 +2158,7 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { fname = NULL; cleanup: - CTRACE("query_addadditional2: cleanup"); + CTRACE(ISC_LOG_DEBUG(3), "query_addadditional2: cleanup"); if (rdataset != NULL) query_putrdataset(client, &rdataset); 
@@ -2159,7 +2177,7 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { if (zone != NULL) dns_zone_detach(&zone); - CTRACE("query_addadditional2: done"); + CTRACE(ISC_LOG_DEBUG(3), "query_addadditional2: done"); return (eresult); } @@ -2174,7 +2192,7 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname, * 'fname', a name in the response message for 'client'. */ - CTRACE("query_addrdataset"); + CTRACE(ISC_LOG_DEBUG(3), "query_addrdataset"); ISC_LIST_APPEND(fname->list, rdataset, link); @@ -2196,7 +2214,7 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname, additionalctx.rdataset = rdataset; (void)dns_rdataset_additionaldata(rdataset, query_addadditional2, &additionalctx); - CTRACE("query_addrdataset: done"); + CTRACE(ISC_LOG_DEBUG(3), "query_addrdataset: done"); } static isc_result_t @@ -2228,7 +2246,7 @@ query_dns64(ns_client_t *client, dns_name_t **namep, dns_rdataset_t *rdataset, * stored in 'dbuf'. In this case, query_addrrset() guarantees that * when it returns the name will either have been kept or released. */ - CTRACE("query_dns64"); + CTRACE(ISC_LOG_DEBUG(3), "query_dns64"); name = *namep; mname = NULL; mrdataset = NULL; @@ -2245,7 +2263,8 @@ query_dns64(ns_client_t *client, dns_name_t **namep, dns_rdataset_t *rdataset, * We've already got an RRset of the given name and type. * There's nothing else to do; */ - CTRACE("query_dns64: dns_message_findname succeeded: done"); + CTRACE(ISC_LOG_DEBUG(3), + "query_dns64: dns_message_findname succeeded: done"); if (dbuf != NULL) query_releasename(client, namep); return (ISC_R_SUCCESS); @@ -2376,7 +2395,7 @@ query_dns64(ns_client_t *client, dns_name_t **namep, dns_rdataset_t *rdataset, dns_message_puttemprdatalist(client->message, &dns64_rdatalist); } - CTRACE("query_dns64: done"); + CTRACE(ISC_LOG_DEBUG(3), "query_dns64: done"); return (result); } 
@@ -2395,7 +2414,7 @@ query_filter64(ns_client_t *client, dns_name_t **namep, isc_result_t result; unsigned int i; - CTRACE("query_filter64"); + CTRACE(ISC_LOG_DEBUG(3), "query_filter64"); INSIST(client->query.dns64_aaaaok != NULL); INSIST(client->query.dns64_aaaaoklen == dns_rdataset_count(rdataset)); @@ -2415,7 +2434,8 @@ query_filter64(ns_client_t *client, dns_name_t **namep, * We've already got an RRset of the given name and type. * There's nothing else to do; */ - CTRACE("query_filter64: dns_message_findname succeeded: done"); + CTRACE(ISC_LOG_DEBUG(3), + "query_filter64: dns_message_findname succeeded: done"); if (dbuf != NULL) query_releasename(client, namep); return; @@ -2514,7 +2534,7 @@ query_filter64(ns_client_t *client, dns_name_t **namep, if (dbuf != NULL) query_releasename(client, &name); - CTRACE("query_filter64: done"); + CTRACE(ISC_LOG_DEBUG(3), "query_filter64: done"); } static void @@ -2536,7 +2556,7 @@ query_addrrset(ns_client_t *client, dns_name_t **namep, * stored in 'dbuf'. In this case, query_addrrset() guarantees that * when it returns the name will either have been kept or released. */ - CTRACE("query_addrrset"); + CTRACE(ISC_LOG_DEBUG(3), "query_addrrset"); name = *namep; rdataset = *rdatasetp; if (sigrdatasetp != NULL) @@ -2552,7 +2572,8 @@ query_addrrset(ns_client_t *client, dns_name_t **namep, /* * We've already got an RRset of the given name and type. */ - CTRACE("query_addrrset: dns_message_findname succeeded: done"); + CTRACE(ISC_LOG_DEBUG(3), + "query_addrrset: dns_message_findname succeeded: done"); if (dbuf != NULL) query_releasename(client, namep); if ((rdataset->attributes & DNS_RDATASETATTR_REQUIRED) != 0) @@ -2591,7 +2612,7 @@ query_addrrset(ns_client_t *client, dns_name_t **namep, ISC_LIST_APPEND(mname->list, sigrdataset, link); *sigrdatasetp = NULL; } - CTRACE("query_addrrset: done"); + CTRACE(ISC_LOG_DEBUG(3), "query_addrrset: done"); } static inline isc_result_t 
@@ -2607,7 +2628,7 @@ query_addsoa(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version, dns_clientinfomethods_t cm; dns_clientinfo_t ci; - CTRACE("query_addsoa"); + CTRACE(ISC_LOG_DEBUG(3), "query_addsoa"); /* * Initialization. */ @@ -2635,12 +2656,14 @@ query_addsoa(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version, dns_name_clone(dns_db_origin(db), name); rdataset = query_newrdataset(client); if (rdataset == NULL) { + CTRACE(ISC_LOG_ERROR, "unable to allocate rdataset"); eresult = DNS_R_SERVFAIL; goto cleanup; } if (WANTDNSSEC(client) && dns_db_issecure(db)) { sigrdataset = query_newrdataset(client); if (sigrdataset == NULL) { + CTRACE(ISC_LOG_ERROR, "unable to allocate sigrdataset"); eresult = DNS_R_SERVFAIL; goto cleanup; } @@ -2670,6 +2693,7 @@ query_addsoa(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version, * This is bad. We tried to get the SOA RR at the zone top * and it didn't work! */ + CTRACE(ISC_LOG_ERROR, "unable to find SOA RR at zone apex"); eresult = DNS_R_SERVFAIL; } else { /* @@ -2734,7 +2758,7 @@ query_addns(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version) { dns_clientinfomethods_t cm; dns_clientinfo_t ci; - CTRACE("query_addns"); + CTRACE(ISC_LOG_DEBUG(3), "query_addns"); /* * Initialization. */ 
@@ -2752,21 +2776,24 @@ query_addns(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version) { */ result = dns_message_gettempname(client->message, &name); if (result != ISC_R_SUCCESS) { - CTRACE("query_addns: dns_message_gettempname failed: done"); + CTRACE(ISC_LOG_DEBUG(3), + "query_addns: dns_message_gettempname failed: done"); return (result); } dns_name_init(name, NULL); dns_name_clone(dns_db_origin(db), name); rdataset = query_newrdataset(client); if (rdataset == NULL) { - CTRACE("query_addns: query_newrdataset failed"); + CTRACE(ISC_LOG_ERROR, + "query_addns: query_newrdataset failed"); eresult = DNS_R_SERVFAIL; goto cleanup; } if (WANTDNSSEC(client) && dns_db_issecure(db)) { sigrdataset = query_newrdataset(client); if (sigrdataset == NULL) { - CTRACE("query_addns: query_newrdataset failed"); + CTRACE(ISC_LOG_ERROR, + "query_addns: query_newrdataset failed"); eresult = DNS_R_SERVFAIL; goto cleanup; } @@ -2781,14 +2808,15 @@ query_addns(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version) { dns_rdatatype_ns, 0, client->now, rdataset, sigrdataset); } else { - CTRACE("query_addns: calling dns_db_find"); + CTRACE(ISC_LOG_DEBUG(3), "query_addns: calling dns_db_find"); result = dns_db_findext(db, name, NULL, dns_rdatatype_ns, client->query.dboptions, 0, &node, fname, &cm, &ci, rdataset, sigrdataset); - CTRACE("query_addns: dns_db_find complete"); + CTRACE(ISC_LOG_DEBUG(3), "query_addns: dns_db_find complete"); } if (result != ISC_R_SUCCESS) { - CTRACE("query_addns: " + CTRACE(ISC_LOG_ERROR, + "query_addns: " "dns_db_findrdataset or dns_db_find failed"); /* * This is bad. We tried to get the NS rdataset at the zone @@ -2805,7 +2833,7 @@ query_addns(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version) { } cleanup: - CTRACE("query_addns: cleanup"); + CTRACE(ISC_LOG_DEBUG(3), "query_addns: cleanup"); query_putrdataset(client, &rdataset); if (sigrdataset != NULL) query_putrdataset(client, &sigrdataset); 
@@ -2814,7 +2842,7 @@ query_addns(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version) { if (node != NULL) dns_db_detachnode(db, &node); - CTRACE("query_addns: done"); + CTRACE(ISC_LOG_DEBUG(3), "query_addns: done"); return (eresult); } @@ -3082,7 +3110,7 @@ query_addbestns(ns_client_t *client) { dns_clientinfomethods_t cm; dns_clientinfo_t ci; - CTRACE("query_addbestns"); + CTRACE(ISC_LOG_DEBUG(3), "query_addbestns"); fname = NULL; zfname = NULL; rdataset = NULL; @@ -3287,7 +3315,7 @@ query_addds(ns_client_t *client, dns_db_t *db, dns_dbnode_t *node, isc_result_t result; unsigned int count; - CTRACE("query_addds"); + CTRACE(ISC_LOG_DEBUG(3), "query_addds"); rname = NULL; rdataset = NULL; sigrdataset = NULL; @@ -3417,7 +3445,7 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db, dns_clientinfomethods_t cm; dns_clientinfo_t ci; - CTRACE("query_addwildcardproof"); + CTRACE(ISC_LOG_DEBUG(3), "query_addwildcardproof"); fname = NULL; rdataset = NULL; sigrdataset = NULL; @@ -3781,9 +3809,10 @@ query_resume(isc_task_t *task, isc_event_t *event) { if (devent->sigrdataset != NULL) query_putrdataset(client, &devent->sigrdataset); isc_event_free(&event); - if (fetch_canceled) + if (fetch_canceled) { + CTRACE(ISC_LOG_ERROR, "fetch cancelled"); query_error(client, DNS_R_SERVFAIL, __LINE__); - else + } else query_next(client, ISC_R_CANCELED); /* * This may destroy the client. @@ -4047,8 +4076,11 @@ rpz_ready(ns_client_t *client, dns_rdataset_t **rdatasetp) if (*rdatasetp == NULL) { *rdatasetp = query_newrdataset(client); - if (*rdatasetp == NULL) + if (*rdatasetp == NULL) { + CTRACE(ISC_LOG_ERROR, + "rpz_ready: query_newrdataset failed"); return (DNS_R_SERVFAIL); + } } else if (dns_rdataset_isassociated(*rdatasetp)) { dns_rdataset_disassociate(*rdatasetp); } 
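Review bot: In the `if (fetch_canceled)` branch of the query_resume hunk the new `CTRACE(ISC_LOG_ERROR, "fetch cancelled")` fires at error level on every canceled fetch; if cancellation also occurs on ordinary client teardown or quota-driven eviction rather than only on genuine faults, this becomes a per-query noise source in the error log, so consider `ISC_LOG_DEBUG(3)` unless a cancel reaching this point is truly unexpected. The spelling `cancelled` also differs from the `canceled` used by the resolver.c traces added in the same commit. The bracing is now asymmetric — the `if` arm is braced while `else query_next(client, ISC_R_CANCELED);` is not — so brace both arms. query_resume's body starts and ends outside the hunk.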
@@ -4187,6 +4219,7 @@ rpz_rrset_find(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type, st->r.r_rdataset = NULL; result = st->r.r_result; if (result == DNS_R_DELEGATION) { + CTRACE(ISC_LOG_ERROR, "RPZ recursing"); rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name, rpz_type, " rpz_rrset_find(1)", result); st->m.policy = DNS_RPZ_POLICY_ERROR; @@ -4372,8 +4405,10 @@ rpz_find_p(ns_client_t *client, dns_name_t *self_name, dns_rdatatype_t qtype, */ rpz_clean(zonep, dbp, nodep, rdatasetp); result = rpz_ready(client, rdatasetp); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { + CTRACE(ISC_LOG_ERROR, "rpz_ready() failed"); return (DNS_R_SERVFAIL); + } *versionp = NULL; result = rpz_getdb(client, p_name, rpz_type, zonep, dbp, versionp); if (result != ISC_R_SUCCESS) @@ -4396,6 +4431,8 @@ rpz_find_p(ns_client_t *client, dns_name_t *self_name, dns_rdatatype_t qtype, if (result != ISC_R_SUCCESS) { rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name, rpz_type, " allrdatasets()", result); + CTRACE(ISC_LOG_ERROR, + "rpz_find_p: allrdatasets failed"); return (DNS_R_SERVFAIL); } for (result = dns_rdatasetiter_first(rdsiter); @@ -4413,6 +4450,9 @@ rpz_find_p(ns_client_t *client, dns_name_t *self_name, dns_rdatatype_t qtype, rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name, rpz_type, " rdatasetiter", result); + CTRACE(ISC_LOG_ERROR, + "rpz_find_p: rdatasetiter_destroy " + "failed"); return (DNS_R_SERVFAIL); } /* @@ -4467,6 +4507,8 @@ rpz_find_p(ns_client_t *client, dns_name_t *self_name, dns_rdatatype_t qtype, default: rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name, rpz_type, "", result); + CTRACE(ISC_LOG_ERROR, + "rpz_find_p: unexpected result"); return (DNS_R_SERVFAIL); } } @@ -4696,6 +4738,8 @@ rpz_rewrite_ip_rrset(ns_client_t *client, rpz_type, " NS address rewrite rrset", result); } + CTRACE(ISC_LOG_ERROR, + "rpz_rewrite_ip_rrset: unexpected result"); return (DNS_R_SERVFAIL); } 
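Review bot: The new trace `"rpz_find_p: rdatasetiter_destroy failed"` in the `@@ -4413` hunk appears to name the wrong operation: the preceding hunk ends with `for (result = dns_rdatasetiter_first(rdsiter); ...`, and the adjacent `rpz_log_fail(..., " rdatasetiter", result)` already describes the failure as one of iteration, so `result` here is most likely the loop's leftover status rather than anything returned by a destroy call. Suggest `"rpz_find_p: rdatasetiter failed"` so the log points at the right call. rpz_find_p's body starts and ends outside the hunk.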
@@ -5330,6 +5374,7 @@ cleanup: rpz_match_clear(st); } if (st->m.policy == DNS_RPZ_POLICY_ERROR) { + CTRACE(ISC_LOG_ERROR, "SERVFAIL due to RPZ policy"); st->m.type = DNS_RPZ_TYPE_BAD; result = DNS_R_SERVFAIL; } @@ -5563,7 +5608,7 @@ query_addnoqnameproof(ns_client_t *client, dns_rdataset_t *rdataset) { dns_rdataset_t *neg, *negsig; isc_result_t result = ISC_R_NOMEMORY; - CTRACE("query_addnoqnameproof"); + CTRACE(ISC_LOG_DEBUG(3), "query_addnoqnameproof"); fname = NULL; neg = NULL; @@ -5977,7 +6022,7 @@ redirect(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset, dns_clientinfo_t ci; ns_dbversion_t *dbversion; - CTRACE("redirect"); + CTRACE(ISC_LOG_DEBUG(3), "redirect"); if (client->view->redirect == NULL) return (ISC_FALSE); @@ -6044,7 +6089,7 @@ redirect(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset, dns_db_detach(&db); return (ISC_FALSE); } - CTRACE("redirect: found data: done"); + CTRACE(ISC_LOG_DEBUG(3), "redirect: found data: done"); dns_name_copy(found, name, NULL); if (dns_rdataset_isassociated(rdataset)) @@ -6109,11 +6154,12 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) isc_boolean_t nxrewrite = ISC_FALSE; dns_clientinfomethods_t cm; dns_clientinfo_t ci; + char errmsg[256]; isc_boolean_t associated; dns_section_t section; dns_ttl_t ttl; - CTRACE("query_find"); + CTRACE(ISC_LOG_DEBUG(3), "query_find"); /* * One-time initialization. @@ -6205,11 +6251,15 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) */ dbuf = query_getnamebuf(client); if (dbuf == NULL) { + CTRACE(ISC_LOG_ERROR, + "query_find: query_getnamebuf failed (1)"); QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; } fname = query_newname(client, dbuf, &b); if (fname == NULL) { + CTRACE(ISC_LOG_ERROR, + "query_find: query_newname failed (1)"); QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; } 
@@ -6221,6 +6271,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) } result = dns_name_copy(tname, fname, NULL); if (result != ISC_R_SUCCESS) { + CTRACE(ISC_LOG_ERROR, + "query_find: dns_name_copy failed"); QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; } @@ -6249,7 +6301,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) type = qtype; restart: - CTRACE("query_find: restart"); + CTRACE(ISC_LOG_DEBUG(3), "query_find: restart"); want_restart = ISC_FALSE; authoritative = ISC_FALSE; version = NULL; @@ -6326,8 +6378,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) inc_stats(client, dns_nsstatscounter_authrej); if (!PARTIALANSWER(client)) QUERY_ERROR(DNS_R_REFUSED); - } else + } else { + CTRACE(ISC_LOG_ERROR, + "query_find: query_getdb failed"); QUERY_ERROR(DNS_R_SERVFAIL); + } goto cleanup; } @@ -6360,24 +6415,30 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) } db_find: - CTRACE("query_find: db_find"); + CTRACE(ISC_LOG_DEBUG(3), "query_find: db_find"); /* * We'll need some resources... */ dbuf = query_getnamebuf(client); if (dbuf == NULL) { + CTRACE(ISC_LOG_ERROR, + "query_find: query_getnamebuf failed (2)"); QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; } fname = query_newname(client, dbuf, &b); rdataset = query_newrdataset(client); if (fname == NULL || rdataset == NULL) { + CTRACE(ISC_LOG_ERROR, + "query_find: query_newname failed (2)"); QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; } if (WANTDNSSEC(client) && (!is_zone || dns_db_issecure(db))) { sigrdataset = query_newrdataset(client); if (sigrdataset == NULL) { + CTRACE(ISC_LOG_ERROR, + "query_find: query_newrdataset failed (2)"); QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; } 
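Review bot: The trace added under `if (fname == NULL || rdataset == NULL)` in the `db_find:` hunk reads `"query_find: query_newname failed (2)"`, but that condition also fires when `query_newrdataset(client)` returned NULL, so the log would blame the wrong allocator in that case. Either test the two pointers separately with their own messages, or use one that covers both, e.g. `"query_find: query_newname or query_newrdataset failed (2)"`. query_find's body starts and ends outside the hunk.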
@@ -6394,7 +6455,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) dns_cache_updatestats(client->view->cache, result); resume: - CTRACE("query_find: resume"); + CTRACE(ISC_LOG_DEBUG(3), "query_find: resume"); /* * Rate limit these responses to this client. @@ -6759,6 +6820,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) goto cleanup; } else { /* Unable to give root server referral. */ + CTRACE(ISC_LOG_ERROR, + "unable to give root server referral"); QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; } @@ -7025,11 +7088,17 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) if (fname == NULL) { dbuf = query_getnamebuf(client); if (dbuf == NULL) { + CTRACE(ISC_LOG_ERROR, + "query_find: " + "query_getnamebuf failed (3)"); QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; } fname = query_newname(client, dbuf, &b); if (fname == NULL) { + CTRACE(ISC_LOG_ERROR, + "query_find: " + "query_newname failed (3)"); QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; } @@ -7128,6 +7197,10 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) if (fname == NULL || rdataset == NULL || sigrdataset == NULL) { + CTRACE(ISC_LOG_ERROR, + "query_find: " + "failure getting " + "closest encloser"); QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; } @@ -7306,11 +7379,17 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) if (fname == NULL) { dbuf = query_getnamebuf(client); if (dbuf == NULL) { + CTRACE(ISC_LOG_ERROR, + "query_find: " + "query_getnamebuf failed (4)"); QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; } fname = query_newname(client, dbuf, &b); if (fname == NULL) { + CTRACE(ISC_LOG_ERROR, + "query_find: " + "query_newname failed (4)"); QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; } 
@@ -7567,6 +7646,10 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) /* * Something has gone wrong. */ + snprintf(errmsg, sizeof(errmsg) - 1, + "query_find: unexpected error after resuming: %s", + isc_result_totext(result)); + CTRACE(ISC_LOG_ERROR, errmsg); QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; } @@ -7625,6 +7708,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) rdsiter = NULL; result = dns_db_allrdatasets(db, node, version, 0, &rdsiter); if (result != ISC_R_SUCCESS) { + CTRACE(ISC_LOG_ERROR, + "query_find: type any; allrdatasets failed"); QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; } @@ -7759,12 +7844,18 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) dns_rdatasetiter_destroy(&rdsiter); fname = query_newname(client, dbuf, &b); goto nxrrset_rrsig; - } else + } else { + CTRACE(ISC_LOG_ERROR, + "query_find: no matching rdatasets " + "in cache"); result = DNS_R_SERVFAIL; + } } dns_rdatasetiter_destroy(&rdsiter); if (result != ISC_R_NOMORE) { + CTRACE(ISC_LOG_ERROR, + "query_find: dns_rdatasetiter_destroy failed"); QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; } @@ -7988,7 +8079,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) } addauth: - CTRACE("query_find: addauth"); + CTRACE(ISC_LOG_DEBUG(3), "query_find: addauth"); /* * Add NS records to the authority section (if we haven't already * added them to the answer section). @@ -8016,7 +8107,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) dns_fixedname_name(&wildcardname), ISC_TRUE, ISC_FALSE); cleanup: - CTRACE("query_find: cleanup"); + CTRACE(ISC_LOG_DEBUG(3), "query_find: cleanup"); /* * General cleanup. */ 
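Review bot: `snprintf(errmsg, sizeof(errmsg) - 1, ...)` in the `@@ -7567` hunk reserves a byte it does not need — snprintf NUL-terminates within the size it is given — so `sizeof(errmsg)` is the conventional argument and the `- 1` only makes a reader wonder whether a manual terminator was forgotten. The formatted `isc_result_totext(result)` text is then passed as `CTRACE(ISC_LOG_ERROR, errmsg)`, which is fine provided the CTRACE macro (defined outside this hunk) feeds its message through a `%s` conversion rather than using it as the format string; worth confirming since this is the first non-literal message handed to it. query_find's body starts and ends outside the hunk.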
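Review bot: The trace `"query_find: dns_rdatasetiter_destroy failed"` in the `@@ -7759` hunk is misattributed: `dns_rdatasetiter_destroy(&rdsiter);` on the line above does not assign `result`, so the `result != ISC_R_NOMORE` test reports the status left by the preceding iterator loop, and the new message will send a reader to the wrong call. Suggest `"query_find: rdatasetiter failed"`, or format `isc_result_totext(result)` into the `errmsg` buffer this commit introduces so the actual code is logged. query_find's body starts and ends outside the hunk.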
@@ -8124,7 +8215,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) query_send(client); ns_client_detach(&client); } - CTRACE("query_find: done"); + CTRACE(ISC_LOG_DEBUG(3), "query_find: done"); return (eresult); } @@ -8212,7 +8303,7 @@ ns_query_start(ns_client_t *client) { unsigned int saved_extflags = client->extflags; unsigned int saved_flags = client->message->flags; - CTRACE("ns_query_start"); + CTRACE(ISC_LOG_DEBUG(3), "ns_query_start"); /* * Test only. diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index df35fa1f08..12a8fd567d 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -80,11 +80,13 @@ DNS_LOGMODULE_RESOLVER, \ ISC_LOG_DEBUG(3), \ "res %p: %s", (r), (m)) -#define FCTXTRACE(m) isc_log_write(dns_lctx, \ +#define FCTXTRACE(m) \ + isc_log_write(dns_lctx, \ DNS_LOGCATEGORY_RESOLVER, \ DNS_LOGMODULE_RESOLVER, \ ISC_LOG_DEBUG(3), \ - "fctx %p(%s): %s", fctx, fctx->info, (m)) + "fctx %p(%s): %s", \ + fctx, fctx->info, (m)) #define FCTXTRACE2(m1, m2) \ isc_log_write(dns_lctx, \ DNS_LOGCATEGORY_RESOLVER, \ @@ -92,6 +94,22 @@ ISC_LOG_DEBUG(3), \ "fctx %p(%s): %s %s", \ fctx, fctx->info, (m1), (m2)) +#define FCTXTRACE3(m, res) \ + isc_log_write(dns_lctx, \ + DNS_LOGCATEGORY_RESOLVER, \ + DNS_LOGMODULE_RESOLVER, \ + ISC_LOG_DEBUG(3), \ + "fctx %p(%s): [result: %s] %s", \ + fctx, fctx->info, \ + isc_result_totext(res), (m)) +#define FCTXTRACE4(m1, m2, res) \ + isc_log_write(dns_lctx, \ + DNS_LOGCATEGORY_RESOLVER, \ + DNS_LOGMODULE_RESOLVER, \ + ISC_LOG_DEBUG(3), \ + "fctx %p(%s): [result: %s] %s %s", \ + fctx, fctx->info, \ + isc_result_totext(res), (m1), (m2)) #define FTRACE(m) isc_log_write(dns_lctx, \ DNS_LOGCATEGORY_RESOLVER, \ DNS_LOGMODULE_RESOLVER, \ 
@@ -1268,6 +1286,9 @@ process_sendevent(resquery_t *query, isc_event_t *event) { case ISC_R_NOPERM: case ISC_R_ADDRNOTAVAIL: case ISC_R_CONNREFUSED: + FCTXTRACE3("query canceled in sendevent(): " + "no route to host; no response", + sevent->result); /* * No route to remote. @@ -1279,6 +1300,10 @@ process_sendevent(resquery_t *query, isc_event_t *event) { break; default: + FCTXTRACE3("query canceled in sendevent() due to " + "unexpected event result; responding", + sevent->result); + fctx_cancelquery(&query, NULL, NULL, ISC_FALSE); break; } @@ -2359,6 +2384,9 @@ resquery_connected(isc_task_t *task, isc_event_t *event) { isc_interval_set(&interval, 20, 0); result = fctx_startidletimer(query->fctx, &interval); if (result != ISC_R_SUCCESS) { + FCTXTRACE("query canceled: idle timer failed; " + "responding"); + fctx_cancelquery(&query, NULL, NULL, ISC_FALSE); fctx_done(fctx, result, __LINE__); break; @@ -2395,6 +2423,9 @@ resquery_connected(isc_task_t *task, isc_event_t *event) { result = resquery_send(query); if (result != ISC_R_SUCCESS) { + FCTXTRACE("query canceled: " + "resquery_send() failed; responding"); + fctx_cancelquery(&query, NULL, NULL, ISC_FALSE); fctx_done(fctx, result, __LINE__); } @@ -2406,6 +2437,10 @@ resquery_connected(isc_task_t *task, isc_event_t *event) { case ISC_R_NOPERM: case ISC_R_ADDRNOTAVAIL: case ISC_R_CONNECTIONRESET: + FCTXTRACE3("query canceled in connected(): " + "no route to host; no response", + sevent->result); + /* * No route to remote. */ @@ -2415,6 +2450,10 @@ resquery_connected(isc_task_t *task, isc_event_t *event) { break; default: + FCTXTRACE3("query canceled in connected() due to " + "unexpected event result; responding", + sevent->result); + isc_socket_detach(&query->tcpsocket); fctx_cancelquery(&query, NULL, NULL, ISC_FALSE); break; 
@@ -2495,11 +2534,12 @@ fctx_finddone(isc_task_t *task, isc_event_t *event) { isc_event_free(&event); dns_adb_destroyfind(&find); - if (want_try) + if (want_try) { fctx_try(fctx, ISC_TRUE, ISC_FALSE); - else if (want_done) + } else if (want_done) { + FCTXTRACE("fetch failed in finddone(); return ISC_R_FAILURE"); fctx_done(fctx, ISC_R_FAILURE, __LINE__); - else if (destroy) { + } else if (destroy) { fctx_destroy(fctx); if (bucket_empty) empty_bucket(res); @@ -3479,6 +3519,7 @@ fctx_timeout(isc_task_t *task, isc_event_t *event) { fctx->timeouts++; fctx->timeout = ISC_TRUE; + /* * We could cancel the running queries here, or we could let * them keep going. Since we normally use separate sockets for @@ -3490,10 +3531,13 @@ fctx_timeout(isc_task_t *task, isc_event_t *event) { */ query = ISC_LIST_HEAD(fctx->queries); if (query != NULL && - isc_time_compare(&tevent->due, &query->start) >= 0) { + isc_time_compare(&tevent->due, &query->start) >= 0) + { + FCTXTRACE("query timed out; no response"); fctx_cancelquery(&query, NULL, NULL, ISC_TRUE); } fctx->attributes &= ~FCTX_ATTR_ADDRWAIT; + /* * Our timer has triggered. Reestablish the fctx lifetime * timer. @@ -3777,7 +3821,6 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, unsigned int findoptions = 0; char buf[DNS_NAME_FORMATSIZE + DNS_RDATATYPE_FORMATSIZE]; char typebuf[DNS_RDATATYPE_FORMATSIZE]; - dns_name_t suffix; isc_mem_t *mctx; /* @@ -3789,6 +3832,11 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, fctx = isc_mem_get(mctx, sizeof(*fctx)); if (fctx == NULL) return (ISC_R_NOMEMORY); + + /* + * Make fctx->info point to a copy of a formatted string + * "name/type". + */ dns_name_format(name, buf, sizeof(buf)); dns_rdatatype_format(type, typebuf, sizeof(typebuf)); strcat(buf, "/"); /* checked */ 
@@ -3798,6 +3846,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, result = ISC_R_NOMEMORY; goto cleanup_fetch; } + FCTXTRACE("create"); dns_name_init(&fctx->name, NULL); result = dns_name_dup(name, mctx, &fctx->name); @@ -3870,10 +3919,12 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, dns_forwarders_t *forwarders = NULL; unsigned int labels; dns_name_t *fwdname = name; + dns_name_t suffix; /* - * DS records are found in the parent server. - * Strip label to get the correct forwarder (if any). + * DS records are found in the parent server. Strip one + * leading label from the name (to be used in finding + * the forwarder). */ if (dns_rdatatype_atparent(fctx->type) && dns_name_countlabels(name) > 1) { @@ -3882,6 +3933,8 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, dns_name_getlabelsequence(name, 1, labels - 1, &suffix); fwdname = &suffix; } + + /* Find the forwarder for this name. */ dns_fixedname_init(&fixed); domain = dns_fixedname_name(&fixed); result = dns_fwdtable_find2(fctx->res->view->fwdtable, fwdname, @@ -7170,6 +7223,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) { if (fctx->res->exiting) { result = ISC_R_SHUTTINGDOWN; + FCTXTRACE("resolver shutting down"); goto done; } @@ -7224,6 +7278,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) { no_response = ISC_TRUE; } } + FCTXTRACE3("dispatcher failure", devent->result); goto done; } 
@@ -7231,14 +7286,18 @@ resquery_response(isc_task_t *task, isc_event_t *event) { if (query->tsig != NULL) { result = dns_message_setquerytsig(message, query->tsig); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { + FCTXTRACE3("unable to set query tsig", result); goto done; + } } if (query->tsigkey) { result = dns_message_settsigkey(message, query->tsigkey); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { + FCTXTRACE3("unable to set tsig key", result); goto done; + } } if ((options & DNS_FETCHOPT_TCP) == 0) { @@ -7250,6 +7309,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) { } result = dns_message_parse(message, &devent->buffer, 0); if (result != ISC_R_SUCCESS) { + FCTXTRACE3("message failed to parse", result); switch (result) { case ISC_R_UNEXPECTEDEND: if (!message->question_ok || @@ -7338,6 +7398,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) { */ resend = ISC_TRUE; /* XXXMPA log it */ + FCTXTRACE("bad sit"); goto done; } #endif @@ -7348,8 +7409,10 @@ resquery_response(isc_task_t *task, isc_event_t *event) { * returns success anyway. */ result = dns_message_checksig(message, fctx->res->view); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { + FCTXTRACE3("signature check failed", result); goto done; + } /* * The dispatcher should ensure we only get responses with QR set. @@ -7453,6 +7516,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) { options |= DNS_FETCHOPT_TCP; resend = ISC_TRUE; } + FCTXTRACE3("message truncated", result); goto done; } @@ -7463,6 +7527,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) { /* XXXRTH Log */ broken_server = DNS_R_UNEXPECTEDOPCODE; keep_trying = ISC_TRUE; + FCTXTRACE("invalid message opcode"); goto done; } 
@@ -7497,6 +7562,8 @@ resquery_response(isc_task_t *task, isc_event_t *event) { */ if (message->rcode != dns_rcode_noerror && message->rcode != dns_rcode_nxdomain) { + isc_buffer_t b; + char code[64]; #ifdef ISC_PLATFORM_USESIT unsigned char sit[64]; @@ -7623,6 +7690,11 @@ resquery_response(isc_task_t *task, isc_event_t *event) { INSIST(broken_server != ISC_R_SUCCESS); keep_trying = ISC_TRUE; } + + isc_buffer_init(&b, code, sizeof(code) - 1); + dns_rcode_totext(fctx->rmessage->rcode, &b); + code[isc_buffer_usedlength(&b)] = '\0'; + FCTXTRACE2("remote server broken: returned ", code); goto done; } @@ -7634,6 +7706,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) { /* XXXRTH Log */ if (result == DNS_R_FORMERR) keep_trying = ISC_TRUE; + FCTXTRACE3("response did not match question", result); goto done; } @@ -7654,6 +7727,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) { isc_result_totext(result)); broken_server = DNS_R_LAME; keep_trying = ISC_TRUE; + FCTXTRACE("lame server"); goto done; } 
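Review bot: In the `@@ -7623` hunk the return value of `dns_rcode_totext(fctx->rmessage->rcode, &b)` is discarded; because `b` is initialised with `sizeof(code) - 1`, the later `code[isc_buffer_usedlength(&b)] = '\0'` stays in bounds even on ISC_R_NOSPACE, but on failure the trace would silently print a truncated or empty rcode, so either cast the call to `(void)` with a comment saying the buffer is large enough, or fall back to printing the numeric rcode. The enclosing block is guarded by `message->rcode != dns_rcode_noerror`, so reading `fctx->rmessage->rcode` here looks like a different object unless they are the same message; `dns_rcode_totext(message->rcode, &b)` would be consistent with its surroundings. resquery_response's body starts and ends outside the hunk.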
@@ -7706,22 +7780,32 @@ resquery_response(isc_task_t *task, isc_event_t *event) { */ if ((message->flags & DNS_MESSAGEFLAG_AA) != 0 || ISFORWARDER(query->addrinfo)) + { result = answer_response(fctx); - else if (iscname(fctx) && + if (result != ISC_R_SUCCESS) + FCTXTRACE3("answer_response (AA/fwd)", result); + } else if (iscname(fctx) && fctx->type != dns_rdatatype_any && - fctx->type != dns_rdatatype_cname) { + fctx->type != dns_rdatatype_cname) + { /* * A BIND8 server could return a non-authoritative * answer when a CNAME is followed. We should treat * it as a valid answer. */ result = answer_response(fctx); + if (result != ISC_R_SUCCESS) + FCTXTRACE3("answer_response (!ANY/!CNAME)", + result); } else if (fctx->type != dns_rdatatype_ns && !betterreferral(fctx)) { /* * Lame response !!!. */ result = answer_response(fctx); + if (result != ISC_R_SUCCESS) + FCTXTRACE("answer_response (!NS)"); + FCTXTRACE3("answer_response (!NS)", result); } else { if (fctx->type == dns_rdatatype_ns) { /* @@ -7734,6 +7818,9 @@ resquery_response(isc_task_t *task, isc_event_t *event) { */ result = noanswer_response(fctx, NULL, LOOK_FOR_NS_IN_ANSWER); + if (result != ISC_R_SUCCESS) + FCTXTRACE3("noanswer_response (NS)", + result); } else { /* * Some other servers may still somehow include @@ -7749,6 +7836,8 @@ resquery_response(isc_task_t *task, isc_event_t *event) { */ result = noanswer_response(fctx, NULL, LOOK_FOR_GLUE_IN_ANSWER); + if (result != ISC_R_SUCCESS) + FCTXTRACE3("noanswer_response", result); } if (result != DNS_R_DELEGATION) { /* @@ -7813,6 +7902,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) { */ if (result == DNS_R_FORMERR) keep_trying = ISC_TRUE; + FCTXTRACE3("noanswer_response", result); goto done; } } else { @@ -7822,6 +7912,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) { /* XXXRTH Log */ broken_server = DNS_R_UNEXPECTEDRCODE; keep_trying = ISC_TRUE; + FCTXTRACE("broken server: unexpected rcode"); goto done; } 
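Review bot: In the `!betterreferral(fctx)` branch the new code emits both `if (result != ISC_R_SUCCESS) FCTXTRACE("answer_response (!NS)");` and, unconditionally, `FCTXTRACE3("answer_response (!NS)", result);`, so a failed answer_response is traced twice and a successful one is traced once — unlike the AA/forwarder and CNAME branches just above, which trace only on failure. Drop the bare FCTXTRACE and put the richer one under the condition: `if (result != ISC_R_SUCCESS) FCTXTRACE3("answer_response (!NS)", result);`. resquery_response's body starts and ends outside the hunk.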
@@ -7836,8 +7927,10 @@ resquery_response(isc_task_t *task, isc_event_t *event) { */ if (WANTCACHE(fctx)) { result = cache_message(fctx, query->addrinfo, now); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { + FCTXTRACE3("cache_message complete", result); goto done; + } } /* @@ -7855,6 +7948,8 @@ resquery_response(isc_task_t *task, isc_event_t *event) { * Cache any negative cache entries in the message. */ result = ncache_message(fctx, query->addrinfo, covers, now); + if (result != ISC_R_SUCCESS) + FCTXTRACE3("ncache_message complete", result); } done: @@ -7864,6 +7959,10 @@ resquery_response(isc_task_t *task, isc_event_t *event) { */ addrinfo = query->addrinfo; + FCTXTRACE4("query canceled in response(); ", + no_response ? "no response" : "responding", + result); + /* * Cancel the query. * @@ -8616,6 +8715,10 @@ log_fetch(dns_name_t *name, dns_rdatatype_t type) { char typebuf[DNS_RDATATYPE_FORMATSIZE]; int level = ISC_LOG_DEBUG(1); + /* + * If there's no chance of logging it, don't render (format) the + * name and RDATA type (further below), and return early. + */ if (! isc_log_wouldlog(dns_lctx, level)) return; @@ -9022,6 +9125,11 @@ dns_resolver_flushbadcache(dns_resolver_t *resolver, dns_name_t *name) { unsigned int i; dns_badcache_t *bad, *prev, *next; + /* + * Drop all entries that match the name, and also all expired + * entries from the badcache. + */ + REQUIRE(VALID_RESOLVER(resolver)); LOCK(&resolver->lock); @@ -9066,6 +9174,8 @@ dns_resolver_flushbadnames(dns_resolver_t *resolver, dns_name_t *name) { isc_time_t now; isc_result_t result; + /* Drop all expired entries from the badcache. */ + REQUIRE(VALID_RESOLVER(resolver)); REQUIRE(name != NULL); 
@@ -9105,6 +9215,13 @@ resizehash(dns_resolver_t *resolver, isc_time_t *now, isc_boolean_t grow) { dns_badcache_t **new, *bad, *next; unsigned int i; + /* + * The number of buckets in the hashtable is modified in this + * function. Afterwards, all the entries are remapped into the + * corresponding new slot. Rehashing (hash computation) is + * unnecessary as the hash values had been saved. + */ + if (grow) newsize = resolver->badhash * 2 + 1; else @@ -9115,6 +9232,13 @@ resizehash(dns_resolver_t *resolver, isc_time_t *now, isc_boolean_t grow) { if (new == NULL) return; memset(new, 0, sizeof(*resolver->badcache) * newsize); + + /* + * Because the hashtable implements a simple modulus mapping + * from hash to bucket (no extendible hashing is used), every + * name in the hashtable has to be remapped to its new slot. + * Entries that have expired (time) are dropped. + */ for (i = 0; i < resolver->badhash; i++) { for (bad = resolver->badcache[i]; bad != NULL; bad = next) { next = bad->next; @@ -9143,6 +9267,18 @@ dns_resolver_addbadcache(dns_resolver_t *resolver, dns_name_t *name, unsigned int i, hashval; dns_badcache_t *bad, *prev, *next; + /* + * The badcache is implemented as a hashtable keyed on the name, + * and each bucket slot points to a linked list (separate + * chaining). + * + * To avoid long list chains, if the number of entries in the + * hashtable goes over number-of-buckets * 8, the + * number-of-buckets is doubled. Similarly, if the number of + * entries goes below number-of-buckets * 2, the number-of-buckets + * is halved. See resizehash(). + */ + REQUIRE(VALID_RESOLVER(resolver)); LOCK(&resolver->lock); @@ -9167,6 +9303,7 @@ dns_resolver_addbadcache(dns_resolver_t *resolver, dns_name_t *name, next = bad->next; if (bad->type == type && dns_name_equal(name, &bad->name)) break; + /* Drop expired entries when walking the chain. */ if (isc_time_compare(&bad->expire, &now) < 0) { if (prev == NULL) resolver->badcache[i] = bad->next; 
@@ -9179,6 +9316,12 @@ dns_resolver_addbadcache(dns_resolver_t *resolver, dns_name_t *name, prev = bad; } if (bad == NULL) { + /* + * Insert the name into the badcache hashtable at the + * head of the linked list at the appropriate slot. The + * name data follows right after the allocation for the + * linked list node. + */ isc_buffer_t buffer; bad = isc_mem_get(resolver->mctx, sizeof(*bad) + name->length); if (bad == NULL) @@ -9337,6 +9480,12 @@ dns_resolver_disable_algorithm(dns_resolver_t *resolver, dns_name_t *name, isc_result_t result; dns_rbtnode_t *node = NULL; + /* + * Whether an algorithm is disabled (or not) is stored in a + * per-name bitfield that is stored as the node data of an + * RBT. + */ + REQUIRE(VALID_RESOLVER(resolver)); if (alg > 255) return (ISC_R_RANGE); @@ -9358,7 +9507,17 @@ dns_resolver_disable_algorithm(dns_resolver_t *resolver, dns_name_t *name, if (result == ISC_R_SUCCESS || result == ISC_R_EXISTS) { algorithms = node->data; + /* + * If algorithms is set, algorithms[0] contains its + * length. + */ if (algorithms == NULL || len > *algorithms) { + /* + * If no bitfield exists in the node data, or if + * it is not long enough, allocate a new + * bitfield and copy the old (smaller) bitfield + * into it if one exists. + */ new = isc_mem_get(resolver->mctx, len); if (new == NULL) { result = ISC_R_NOMEMORY; @@ -9368,8 +9527,10 @@ dns_resolver_disable_algorithm(dns_resolver_t *resolver, dns_name_t *name, if (algorithms != NULL) memmove(new, algorithms, *algorithms); new[len-1] |= mask; + /* new[0] should contain the length of new. */ *new = len; node->data = new; + /* Free the older bitfield. */ if (algorithms != NULL) isc_mem_put(resolver->mctx, algorithms, *algorithms); 
@@ -9451,6 +9612,11 @@ dns_resolver_disable_ds_digest(dns_resolver_t *resolver, dns_name_t *name, isc_result_t result; dns_rbtnode_t *node = NULL; + /* + * Whether a digest is disabled (or not) is stored in a per-name + * bitfield that is stored as the node data of an RBT. + */ + REQUIRE(VALID_RESOLVER(resolver)); if (digest_type > 255) return (ISC_R_RANGE); @@ -9472,7 +9638,14 @@ dns_resolver_disable_ds_digest(dns_resolver_t *resolver, dns_name_t *name, if (result == ISC_R_SUCCESS || result == ISC_R_EXISTS) { digests = node->data; + /* If digests is set, digests[0] contains its length. */ if (digests == NULL || len > *digests) { + /* + * If no bitfield exists in the node data, or if + * it is not long enough, allocate a new + * bitfield and copy the old (smaller) bitfield + * into it if one exists. + */ new = isc_mem_get(resolver->mctx, len); if (new == NULL) { result = ISC_R_NOMEMORY; @@ -9482,8 +9655,10 @@ dns_resolver_disable_ds_digest(dns_resolver_t *resolver, dns_name_t *name, if (digests != NULL) memmove(new, digests, *digests); new[len-1] |= mask; + /* new[0] should contain the length of new. */ *new = len; node->data = new; + /* Free the older bitfield. */ if (digests != NULL) isc_mem_put(resolver->mctx, digests, *digests); From 25c5d8e89efc6e6299a351eabcf55ac7e6005ebf Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 29 Aug 2014 16:17:35 +1000 Subject: [PATCH 09/92] #include isc/print.h> --- bin/named/query.c | 1 + 1 file changed, 1 insertion(+) diff --git a/bin/named/query.c b/bin/named/query.c index 7239ce8bca..babccd0071 100644 --- a/bin/named/query.c +++ b/bin/named/query.c @@ -23,6 +23,7 @@ #include #include +#include #include #include #include From 3278ff814d2babe5ba1aa61e7995cfddb1895b4f Mon Sep 17 00:00:00 2001 
From: Tinderbox User Date: Fri, 29 Aug 2014 23:45:22 +0000 Subject: [PATCH 10/92] update copyright notice --- bin/tests/system/geoip/ns2/named10.conf | 2 +- bin/tests/system/geoip/ns2/named14.conf | 2 +- lib/bind9/check.c | 28 ++++++++++++------------- lib/dns/acl.c | 4 ++-- lib/dns/geoip.c | 10 ++++----- lib/dns/include/dns/acl.h | 4 ++-- lib/isc/radix.c | 6 +++--- 7 files changed, 28 insertions(+), 28 deletions(-) diff --git a/bin/tests/system/geoip/ns2/named10.conf b/bin/tests/system/geoip/ns2/named10.conf index 29d9d43459..3594f615ab 100644 --- a/bin/tests/system/geoip/ns2/named10.conf +++ b/bin/tests/system/geoip/ns2/named10.conf @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above diff --git a/bin/tests/system/geoip/ns2/named14.conf b/bin/tests/system/geoip/ns2/named14.conf index bce55dc0ef..10c6d9becb 100644 --- a/bin/tests/system/geoip/ns2/named14.conf +++ b/bin/tests/system/geoip/ns2/named14.conf @@ -28,7 +28,7 @@ options { listen-on-v6 { none; }; recursion no; geoip-directory "../data"; - geoip-use-ecs no; + geoip-use-ecs no; }; key rndc_key { diff --git a/lib/bind9/check.c b/lib/bind9/check.c index 38c1b244ed..e1081a5647 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c 
@@ -1201,16 +1201,16 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, } #ifdef ISC_PLATFORM_USESIT - obj = NULL; - (void) cfg_map_get(options, "sit-secret", &obj); - if (obj != NULL) { - isc_buffer_t b; + obj = NULL; + (void) cfg_map_get(options, "sit-secret", &obj); + if (obj != NULL) { + isc_buffer_t b; unsigned char secret[32]; - memset(secret, 0, sizeof(secret)); - isc_buffer_init(&b, secret, sizeof(secret)); - tresult = isc_hex_decodestring(cfg_obj_asstring(obj), &b); - if (tresult == ISC_R_NOSPACE) { + memset(secret, 0, sizeof(secret)); + isc_buffer_init(&b, secret, sizeof(secret)); + tresult = isc_hex_decodestring(cfg_obj_asstring(obj), &b); + if (tresult == ISC_R_NOSPACE) { cfg_obj_log(obj, logctx, ISC_LOG_ERROR, "sit-secret: too long"); } else if (tresult != ISC_R_SUCCESS) { @@ -1220,15 +1220,15 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, if (tresult != ISC_R_SUCCESS) result = tresult; #ifdef AES_SIT - if (tresult == ISC_R_SUCCESS && + if (tresult == ISC_R_SUCCESS && isc_buffer_usedlength(&b) != ISC_AES128_KEYLENGTH) { cfg_obj_log(obj, logctx, ISC_LOG_ERROR, - "AES sit-secret must be on 128 bits"); + "AES sit-secret must be on 128 bits"); result = ISC_R_RANGE; } #endif #ifdef HMAC_SHA1_SIT - if (tresult == ISC_R_SUCCESS && + if (tresult == ISC_R_SUCCESS && isc_buffer_usedlength(&b) != ISC_SHA1_DIGESTLENGTH) { cfg_obj_log(obj, logctx, ISC_LOG_ERROR, "SHA1 sit-secret must be on 160 bits"); @@ -1236,14 +1236,14 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, } #endif #ifdef HMAC_SHA256_SIT - if (tresult == ISC_R_SUCCESS && + if (tresult == ISC_R_SUCCESS && isc_buffer_usedlength(&b) != ISC_SHA256_DIGESTLENGTH) { cfg_obj_log(obj, logctx, ISC_LOG_ERROR, - "SHA256 sit-secret must be on 256 bits"); + "SHA256 sit-secret must be on 256 bits"); result = ISC_R_RANGE; } #endif - } + } #endif return (result); 
diff --git a/lib/dns/acl.c b/lib/dns/acl.c index 11efa50e35..41c865585a 100644 --- a/lib/dns/acl.c +++ b/lib/dns/acl.c @@ -199,7 +199,7 @@ dns_acl_match(const isc_netaddr_t *reqaddr, isc_result_t dns_acl_match2(const isc_netaddr_t *reqaddr, const dns_name_t *reqsigner, - const isc_netaddr_t *ecs, + const isc_netaddr_t *ecs, isc_uint8_t ecslen, isc_uint8_t *scope, const dns_acl_t *acl, @@ -444,7 +444,7 @@ dns_aclelement_match(const isc_netaddr_t *reqaddr, isc_boolean_t dns_aclelement_match2(const isc_netaddr_t *reqaddr, const dns_name_t *reqsigner, - const isc_netaddr_t *ecs, + const isc_netaddr_t *ecs, isc_uint8_t ecslen, isc_uint8_t *scope, const dns_aclelement_t *e, diff --git a/lib/dns/geoip.c b/lib/dns/geoip.c index e375e33819..42109fedcb 100644 --- a/lib/dns/geoip.c +++ b/lib/dns/geoip.c @@ -259,7 +259,7 @@ country_lookup(GeoIP *db, dns_geoip_subtype_t subtype, memcmp(prev_state->ipnum6.s6_addr, ipnum6->s6_addr, 16) == 0))) { text = prev_state->text; - if (scope != NULL) + if (scope != NULL) *scope = prev_state->scope; } @@ -418,7 +418,7 @@ city_lookup(GeoIP *db, dns_geoip_subtype_t subtype, memcmp(prev_state->ipnum6.s6_addr, ipnum6->s6_addr, 16) == 0))) { record = prev_state->record; - if (scope != NULL) + if (scope != NULL) *scope = record->netmask; } @@ -499,7 +499,7 @@ region_lookup(GeoIP *db, dns_geoip_subtype_t subtype, is_region(prev_state->subtype)) { region = prev_state->region; - if (scope != NULL) + if (scope != NULL) *scope = prev_state->scope; } @@ -539,7 +539,7 @@ name_lookup(GeoIP *db, dns_geoip_subtype_t subtype, prev_state->subtype == subtype) { name = prev_state->name; - if (scope != NULL) + if (scope != NULL) *scope = prev_state->scope; } @@ -579,7 +579,7 @@ netspeed_lookup(GeoIP *db, dns_geoip_subtype_t subtype, if (prev_state != NULL && prev_state->ipnum == ipnum && prev_state->subtype == subtype) { id = prev_state->id; - if (scope != NULL) + if (scope != NULL) *scope = prev_state->scope; found = ISC_TRUE; } 
diff --git a/lib/dns/include/dns/acl.h b/lib/dns/include/dns/acl.h index d44af1ec7d..b2860e55bd 100644 --- a/lib/dns/include/dns/acl.h +++ b/lib/dns/include/dns/acl.h @@ -217,7 +217,7 @@ dns_acl_match(const isc_netaddr_t *reqaddr, isc_result_t dns_acl_match2(const isc_netaddr_t *reqaddr, const dns_name_t *reqsigner, - const isc_netaddr_t *ecs, + const isc_netaddr_t *ecs, isc_uint8_t ecslen, isc_uint8_t *scope, const dns_acl_t *acl, @@ -265,7 +265,7 @@ dns_aclelement_match(const isc_netaddr_t *reqaddr, isc_boolean_t dns_aclelement_match2(const isc_netaddr_t *reqaddr, const dns_name_t *reqsigner, - const isc_netaddr_t *ecs, + const isc_netaddr_t *ecs, isc_uint8_t ecslen, isc_uint8_t *scope, const dns_aclelement_t *e, diff --git a/lib/isc/radix.c b/lib/isc/radix.c index ebe277048e..47e13b7856 100644 --- a/lib/isc/radix.c +++ b/lib/isc/radix.c @@ -361,7 +361,7 @@ isc_radix_insert(isc_radix_tree_t *radix, isc_radix_node_t **target, int next = ++radix->num_added_node; if (fam == AF_UNSPEC) { /* "any" or "none" */ - for (i = 0; i < 4; i++) + for (i = 0; i < 4; i++) node->node_num[i] = next; } else { node->node_num[ISC_RADIX_OFF(prefix)] = next; @@ -484,7 +484,7 @@ isc_radix_insert(isc_radix_tree_t *radix, isc_radix_node_t **target, int next = ++radix->num_added_node; if (fam == AF_UNSPEC) { /* "any" or "none" */ - for (i = 0; i < 4; i++) + for (i = 0; i < 4; i++) node->node_num[i] = next; } else { node->node_num[ISC_RADIX_OFF(prefix)] = next; @@ -535,7 +535,7 @@ isc_radix_insert(isc_radix_tree_t *radix, isc_radix_node_t **target, int next = ++radix->num_added_node; if (fam == AF_UNSPEC) { /* "any" or "none" */ - for (i = 0; i < 4; i++) + for (i = 0; i < 4; i++) new_node->node_num[i] = next; } else { new_node->node_num[ISC_RADIX_OFF(prefix)] = next; From f4aaffb53c250c94423fff392f9f2112ba4a220f Mon Sep 17 00:00:00 2001 
From: Evan Hunt Date: Fri, 29 Aug 2014 18:16:57 -0700 Subject: [PATCH 11/92] [master] fix xml error --- doc/arm/Bv9ARM-book.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 8d34bf0b4f..1512c9894c 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -16280,7 +16280,7 @@ zone "example.com" { will be matched against that address prefix. Otherwise, they are matched against the source address of the query. To prevent GeoIP ACLs from matching against ECS options, set - the geoip-use-ecs to no. + the geoip-use-ecs to no. Some example GeoIP ACLs: From 1a63fb1d1448ed3f8fd7227ae57be67c2e71279e Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Sat, 30 Aug 2014 12:27:49 +1000 Subject: [PATCH 12/92] update copyrights --- bin/tests/system/acl/ns2/named6.conf | 2 +- bin/tests/system/acl/ns2/named7.conf | 2 +- bin/tests/system/geoip/ns2/named1.conf | 2 +- bin/tests/system/geoip/ns2/named11.conf | 2 +- bin/tests/system/geoip/ns2/named12.conf | 2 +- bin/tests/system/sit/bad-sit-badhex.conf | 16 ++++++++++++++++ bin/tests/system/sit/bad-sit-toolong.conf | 16 ++++++++++++++++ lib/dns/include/dns/geoip.h | 2 +- lib/dns/include/dns/iptable.h | 2 +- lib/dns/iptable.c | 2 +- lib/isccfg/include/isccfg/namedconf.h | 2 +- util/copyrights | 22 +++++++++++++--------- 12 files changed, 54 insertions(+), 18 deletions(-) diff --git a/bin/tests/system/acl/ns2/named6.conf b/bin/tests/system/acl/ns2/named6.conf index 1e384fb0d8..1a5cd8dfad 100644 --- a/bin/tests/system/acl/ns2/named6.conf +++ b/bin/tests/system/acl/ns2/named6.conf @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above 
diff --git a/bin/tests/system/acl/ns2/named7.conf b/bin/tests/system/acl/ns2/named7.conf index 1f1c9f333a..1adb71b4b8 100644 --- a/bin/tests/system/acl/ns2/named7.conf +++ b/bin/tests/system/acl/ns2/named7.conf @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above diff --git a/bin/tests/system/geoip/ns2/named1.conf b/bin/tests/system/geoip/ns2/named1.conf index d9356c45e1..2679b47962 100644 --- a/bin/tests/system/geoip/ns2/named1.conf +++ b/bin/tests/system/geoip/ns2/named1.conf @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2013, 2014 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above diff --git a/bin/tests/system/geoip/ns2/named11.conf b/bin/tests/system/geoip/ns2/named11.conf index 1ceece41cf..7770619205 100644 --- a/bin/tests/system/geoip/ns2/named11.conf +++ b/bin/tests/system/geoip/ns2/named11.conf @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2013, 2014 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above diff --git a/bin/tests/system/geoip/ns2/named12.conf b/bin/tests/system/geoip/ns2/named12.conf index 85c0d32c34..a5025022a9 100644 --- a/bin/tests/system/geoip/ns2/named12.conf +++ b/bin/tests/system/geoip/ns2/named12.conf 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2013, 2014 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above diff --git a/bin/tests/system/sit/bad-sit-badhex.conf b/bin/tests/system/sit/bad-sit-badhex.conf index 6b84d8a6a1..f61ea93fd4 100644 --- a/bin/tests/system/sit/bad-sit-badhex.conf +++ b/bin/tests/system/sit/bad-sit-badhex.conf @@ -1,3 +1,19 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + options { sit-secret "012345678901234567890123456789012345678901234567890123456789012"; }; diff --git a/bin/tests/system/sit/bad-sit-toolong.conf b/bin/tests/system/sit/bad-sit-toolong.conf index aec4d252c8..812f9d808e 100644 --- a/bin/tests/system/sit/bad-sit-toolong.conf +++ b/bin/tests/system/sit/bad-sit-toolong.conf 
@@ -1,3 +1,19 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + options { sit-secret "01234567890123456789012345678901234567890123456789012345678901234567890"; }; diff --git a/lib/dns/include/dns/geoip.h b/lib/dns/include/dns/geoip.h index a656783223..dd3e34775a 100644 --- a/lib/dns/include/dns/geoip.h +++ b/lib/dns/include/dns/geoip.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2013, 2014 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above diff --git a/lib/dns/include/dns/iptable.h b/lib/dns/include/dns/iptable.h index 512e73da06..527e133cb6 100644 --- a/lib/dns/include/dns/iptable.h +++ b/lib/dns/include/dns/iptable.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2007, 2012 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2007, 2012, 2014 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above diff --git a/lib/dns/iptable.c b/lib/dns/iptable.c index 9413774947..b90ff22481 100644 
--- a/lib/dns/iptable.c +++ b/lib/dns/iptable.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2007-2009, 2013 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2007-2009, 2013, 2014 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above diff --git a/lib/isccfg/include/isccfg/namedconf.h b/lib/isccfg/include/isccfg/namedconf.h index 67cca35bbc..d77cd0bcd8 100644 --- a/lib/isccfg/include/isccfg/namedconf.h +++ b/lib/isccfg/include/isccfg/namedconf.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007, 2009, 2010, 2014 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any diff --git a/util/copyrights b/util/copyrights index a1cc91e696..73ec70351b 100644 --- a/util/copyrights +++ b/util/copyrights @@ -727,6 +727,8 @@ ./bin/tests/system/acl/ns2/named3.conf CONF-C 2008 ./bin/tests/system/acl/ns2/named4.conf CONF-C 2008 ./bin/tests/system/acl/ns2/named5.conf CONF-C 2013 +./bin/tests/system/acl/ns2/named6.conf CONF-C 2014 +./bin/tests/system/acl/ns2/named7.conf CONF-C 2014 ./bin/tests/system/acl/setup.sh SH 2008,2012,2014 ./bin/tests/system/acl/tests.sh SH 2008,2012,2013,2014 ./bin/tests/system/additional/clean.sh SH 2013 @@ -1287,8 +1289,8 @@ ./bin/tests/system/geoip/.gitignore X 2013 ./bin/tests/system/geoip/Makefile.in MAKE 2013 ./bin/tests/system/geoip/clean.sh SH 2013,2014 -./bin/tests/system/geoip/data/GeoIP.csv X 2013 -./bin/tests/system/geoip/data/GeoIP.dat X 2013 +./bin/tests/system/geoip/data/GeoIP.csv X 2013,2014 +./bin/tests/system/geoip/data/GeoIP.dat X 2013,2014 ./bin/tests/system/geoip/data/GeoIPASNum.csv X 2013 ./bin/tests/system/geoip/data/GeoIPASNum.dat X 2013 ./bin/tests/system/geoip/data/GeoIPASNumv6.csv X 2013 
@@ -1312,10 +1314,10 @@ ./bin/tests/system/geoip/data/README TXT.BRIEF 2013,2014 ./bin/tests/system/geoip/geoip.c C 2013 ./bin/tests/system/geoip/ns2/example.db.in ZONE 2013 -./bin/tests/system/geoip/ns2/named1.conf CONF-C 2013 +./bin/tests/system/geoip/ns2/named1.conf CONF-C 2013,2014 ./bin/tests/system/geoip/ns2/named10.conf CONF-C 2014 -./bin/tests/system/geoip/ns2/named11.conf CONF-C 2013 -./bin/tests/system/geoip/ns2/named12.conf CONF-C 2013 +./bin/tests/system/geoip/ns2/named11.conf CONF-C 2013,2014 +./bin/tests/system/geoip/ns2/named12.conf CONF-C 2013,2014 ./bin/tests/system/geoip/ns2/named13.conf CONF-C 2014 ./bin/tests/system/geoip/ns2/named14.conf CONF-C 2014 ./bin/tests/system/geoip/ns2/named2.conf CONF-C 2013 @@ -1711,6 +1713,8 @@ ./bin/tests/system/send.pl PERL 2001,2004,2007,2011,2012 ./bin/tests/system/setup.sh SH 2000,2001,2004,2007,2012,2014 ./bin/tests/system/sit/.gitignore X 2014 +./bin/tests/system/sit/bad-sit-badhex.conf CONF-C 2014 +./bin/tests/system/sit/bad-sit-toolong.conf CONF-C 2014 ./bin/tests/system/sit/clean.sh SH 2014 ./bin/tests/system/sit/ns1/example.db ZONE 2014 ./bin/tests/system/sit/ns1/named.conf CONF-C 2014 @@ -2970,8 +2974,8 @@ ./lib/dns/include/dns/events.h C 1999,2000,2001,2002,2004,2005,2006,2007,2009,2010,2011 ./lib/dns/include/dns/fixedname.h C 1999,2000,2001,2004,2005,2006,2007 ./lib/dns/include/dns/forward.h C 2000,2001,2004,2005,2006,2007,2009,2013 -./lib/dns/include/dns/geoip.h C 2013 -./lib/dns/include/dns/iptable.h C 2007,2012 +./lib/dns/include/dns/geoip.h C 2013,2014 +./lib/dns/include/dns/iptable.h C 2007,2012,2014 ./lib/dns/include/dns/journal.h C 1999,2000,2001,2004,2005,2006,2007,2008,2009,2011,2013 ./lib/dns/include/dns/keydata.h C 2009 ./lib/dns/include/dns/keyflags.h C 1999,2000,2001,2004,2005,2006,2007 
@@ -3037,7 +3041,7 @@ ./lib/dns/include/dst/gssapi.h C 2000,2001,2004,2005,2006,2007,2009,2010,2011,2013 ./lib/dns/include/dst/lib.h C 1999,2000,2001,2004,2005,2006,2007 ./lib/dns/include/dst/result.h C 1999,2000,2001,2004,2005,2006,2007,2008,2012,2014 -./lib/dns/iptable.c C 2007,2008,2009,2013 +./lib/dns/iptable.c C 2007,2008,2009,2013,2014 ./lib/dns/journal.c C 1999,2000,2001,2002,2004,2005,2007,2008,2009,2010,2011,2013,2014 ./lib/dns/key.c C 2001,2004,2005,2006,2007,2011 ./lib/dns/keydata.c C 2009,2014 @@ -3748,7 +3752,7 @@ ./lib/isccfg/include/isccfg/dnsconf.h C 2009 ./lib/isccfg/include/isccfg/grammar.h C 2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2013,2014 ./lib/isccfg/include/isccfg/log.h C 2001,2004,2005,2006,2007,2009 -./lib/isccfg/include/isccfg/namedconf.h C 2002,2004,2005,2006,2007,2009,2010 +./lib/isccfg/include/isccfg/namedconf.h C 2002,2004,2005,2006,2007,2009,2010,2014 ./lib/isccfg/include/isccfg/version.h C 2001,2004,2005,2006,2007 ./lib/isccfg/log.c C 2001,2004,2005,2006,2007 ./lib/isccfg/namedconf.c C 2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014 From 22e0fcb0553b531d70c577d7fedb4ccf9ebac2cf Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Sat, 30 Aug 2014 15:47:25 +1000 Subject: [PATCH 13/92] conditional UNUSED(task) --- bin/named/interfacemgr.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c index a0c0eda085..c263c997aa 100644 --- a/bin/named/interfacemgr.c +++ b/bin/named/interfacemgr.c @@ -177,6 +177,10 @@ ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, isc_result_t result; ns_interfacemgr_t *mgr; +#ifndef USE_ROUTE_SOCKET + UNUSED(task); +#endif + REQUIRE(mctx != NULL); REQUIRE(mgrp != NULL); REQUIRE(*mgrp == NULL); From 3547641f765f28bb613aa23c86b9d622fb6f8661 Mon Sep 17 00:00:00 2001 
From: Mark Andrews Date: Sat, 30 Aug 2014 20:26:48 +1000 Subject: [PATCH 14/92] error message was not being returned --- bin/named/server.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/bin/named/server.c b/bin/named/server.c index eb7d02a0de..22cdd68f65 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -10047,10 +10047,11 @@ ns_server_nta(ns_server_t *server, char *args, isc_buffer_t *text) { isc_buffer_putuint8(text, 0); } - if (msg != NULL) - (void) putstr(text, msg); - cleanup: + if (msg != NULL) { + (void) putstr(text, msg); + (void) putnull(text); + } if (excl) isc_task_endexclusive(server->task); if (ntatable != NULL) From 92a649d81463b3f8e77e9aeeb7e2bd796ee66490 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Sat, 30 Aug 2014 20:37:20 +1000 Subject: [PATCH 15/92] complete conversion to FCTXTRACE3 --- lib/dns/resolver.c | 1 - 1 file changed, 1 deletion(-) diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 12a8fd567d..2ca80ba925 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -7804,7 +7804,6 @@ resquery_response(isc_task_t *task, isc_event_t *event) { */ result = answer_response(fctx); if (result != ISC_R_SUCCESS) - FCTXTRACE("answer_response (!NS)"); FCTXTRACE3("answer_response (!NS)", result); } else { if (fctx->type == dns_rdatatype_ns) { From c5379f197647b6e20d5bf48276c8c3b9f676c447 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Sat, 30 Aug 2014 11:55:23 -0700 Subject: [PATCH 16/92] [master] placeholder --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index 6e122d2d1d..34f0d24172 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +3938. [placeholder] + 3937. [func] Added some debug logging to better indicate the conditions causing SERVFAILs when resolving. [RT #35538] From c8d27399fb4e69cb76ede4b3604212a13cbc23ef Mon Sep 17 00:00:00 2001 
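Review bot: The block moved under `cleanup:` still discards the results of putstr() and putnull() with `(void)`, so when `text` has no room left the error message is dropped silently — the same symptom this commit sets out to fix, just on a different path. Because the block now runs on every exit, it also executes after the `isc_buffer_putuint8(text, 0)` terminator written a few lines above; if `msg` can be non-NULL there, the message and its own NUL land behind the first terminator, and since ns_server_nta starts outside the hunk I cannot confirm that `msg` is only set on the error paths. One minimal way to make truncation visible without clobbering an existing error is `if (putstr(text, msg) != ISC_R_SUCCESS && result == ISC_R_SUCCESS) result = ISC_R_NOSPACE;` before the putnull() call, or at least a comment such as `/* msg is best-effort: a full text buffer drops it silently */` so the next reader knows the void casts are deliberate.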
From: Tinderbox User Date: Sun, 31 Aug 2014 01:40:55 +0000 Subject: [PATCH 17/92] remove embrionic paragraph --- doc/arm/Bv9ARM-book.xml | 2 -- 1 file changed, 2 deletions(-) diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 1512c9894c..906c890eca 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -16166,8 +16166,6 @@ HOST-127.EXAMPLE. MX 0 . used to sign the request, if any; and 3) an address prefix encoded in an EDNS Client Subnet option, if any. - - ACLs Here is an example of ACLs based on client addresses: From aa1905addf2f33d90aa020080e4e77a8651e829a Mon Sep 17 00:00:00 2001 
From: Tinderbox User Date: Sun, 31 Aug 2014 01:47:15 +0000 Subject: [PATCH 18/92] regen master --- doc/arm/Bv9ARM.ch04.html | 110 +++++++------- doc/arm/Bv9ARM.ch06.html | 209 +++++++++++-------------- doc/arm/Bv9ARM.ch07.html | 161 ++++++++++++++++++-- doc/arm/Bv9ARM.ch08.html | 16 +- doc/arm/Bv9ARM.ch09.html | 218 +++++++++++++-------------- doc/arm/Bv9ARM.html | 126 ++++++++-------- doc/arm/man.arpaname.html | 6 +- doc/arm/man.ddns-confgen.html | 8 +- doc/arm/man.delv.html | 12 +- doc/arm/man.dig.html | 18 +-- doc/arm/man.dnssec-checkds.html | 8 +- doc/arm/man.dnssec-coverage.html | 8 +- doc/arm/man.dnssec-dsfromkey.html | 14 +- doc/arm/man.dnssec-importkey.html | 12 +- doc/arm/man.dnssec-keyfromlabel.html | 12 +- doc/arm/man.dnssec-keygen.html | 14 +- doc/arm/man.dnssec-revoke.html | 8 +- doc/arm/man.dnssec-settime.html | 12 +- doc/arm/man.dnssec-signzone.html | 10 +- doc/arm/man.dnssec-verify.html | 8 +- doc/arm/man.genrandom.html | 8 +- doc/arm/man.host.html | 8 +- doc/arm/man.isc-hmac-fixup.html | 8 +- doc/arm/man.named-checkconf.html | 10 +- doc/arm/man.named-checkzone.html | 10 +- doc/arm/man.named-journalprint.html | 6 +- doc/arm/man.named-rrchecker.html | 4 +- doc/arm/man.named.html | 14 +- doc/arm/man.nsec3hash.html | 8 +- doc/arm/man.nsupdate.html | 12 +- doc/arm/man.rndc-confgen.html | 10 +- doc/arm/man.rndc.conf.html | 10 +- doc/arm/man.rndc.html | 12 +- doc/misc/options | 1 + 34 files changed, 601 insertions(+), 510 deletions(-) diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index 5c24645407..af56793cec 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -70,39 +70,39 @@
DNSSEC, Dynamic Zones, and Automatic Signing
-
Converting from insecure to secure
-
Dynamic DNS update method
-
Fully automatic zone signing
-
Private-type records
-
DNSKEY rollovers
-
Dynamic DNS update method
-
Automatic key rollovers
-
NSEC3PARAM rollovers via UPDATE
-
Converting from NSEC to NSEC3
-
Converting from NSEC3 to NSEC
-
Converting from secure to insecure
-
Periodic re-signing
-
NSEC3 and OPTOUT
+
Converting from insecure to secure
+
Dynamic DNS update method
+
Fully automatic zone signing
+
Private-type records
+
DNSKEY rollovers
+
Dynamic DNS update method
+
Automatic key rollovers
+
NSEC3PARAM rollovers via UPDATE
+
Converting from NSEC to NSEC3
+
Converting from NSEC3 to NSEC
+
Converting from secure to insecure
+
Periodic re-signing
+
NSEC3 and OPTOUT
Dynamic Trust Anchor Management
-
Validating Resolver
-
Authoritative Server
+
Validating Resolver
+
Authoritative Server
PKCS#11 (Cryptoki) support
-
Prerequisites
-
Native PKCS#11
-
OpenSSL-based PKCS#11
-
PKCS#11 Tools
-
Using the HSM
-
Specifying the engine on the command line
-
Running named with automatic zone re-signing
+
Prerequisites
+
Native PKCS#11
+
OpenSSL-based PKCS#11
+
PKCS#11 Tools
+
Using the HSM
+
Specifying the engine on the command line
+
Running named with automatic zone re-signing
DLZ (Dynamically Loadable Zones)
-
Configuring DLZ
-
Sample DLZ Driver
+
Configuring DLZ
+
Sample DLZ Driver
IPv6 Support in BIND 9
@@ -1080,7 +1080,7 @@ options { from insecure to signed and back again. A secure zone can use either NSEC or NSEC3 chains.

-Converting from insecure to secure

+Converting from insecure to secure

Changing a zone from insecure to secure can be done in two ways: using a dynamic DNS update, or the auto-dnssec zone option.

@@ -1106,7 +1106,7 @@ options { well. An NSEC chain will be generated as part of the initial signing process.

-Dynamic DNS update method

+Dynamic DNS update method

To insert the keys via dynamic update:

         % nsupdate
@@ -1142,7 +1142,7 @@ options {
 

While the initial signing and NSEC/NSEC3 chain generation is happening, other updates are possible as well.

-Fully automatic zone signing

+Fully automatic zone signing

To enable automatic signing, add the auto-dnssec option to the zone statement in named.conf. @@ -1198,7 +1198,7 @@ options { configuration. If this has not been done, the configuration will fail.

-Private-type records

+Private-type records

The state of the signing process is signaled by private-type records (with a default type value of 65534). When signing is complete, these records will have a nonzero value for @@ -1239,12 +1239,12 @@ options {

-DNSKEY rollovers

+DNSKEY rollovers

As with insecure-to-secure conversions, rolling DNSSEC keys can be done in two ways: using a dynamic DNS update, or the auto-dnssec zone option.

-Dynamic DNS update method

+Dynamic DNS update method

To perform key rollovers via dynamic update, you need to add the K* files for the new keys so that named can find them. You can then add the new @@ -1266,7 +1266,7 @@ options { named will clean out any signatures generated by the old key after the update completes.

-Automatic key rollovers

+Automatic key rollovers

When a new key reaches its activation date (as set by dnssec-keygen or dnssec-settime), if the auto-dnssec zone option is set to @@ -1281,27 +1281,27 @@ options { completes in 30 days, after which it will be safe to remove the old key from the DNSKEY RRset.

-NSEC3PARAM rollovers via UPDATE

+NSEC3PARAM rollovers via UPDATE

Add the new NSEC3PARAM record via dynamic update. When the new NSEC3 chain has been generated, the NSEC3PARAM flag field will be zero. At this point you can remove the old NSEC3PARAM record. The old chain will be removed after the update request completes.

-Converting from NSEC to NSEC3

+Converting from NSEC to NSEC3

To do this, you just need to add an NSEC3PARAM record. When the conversion is complete, the NSEC chain will have been removed and the NSEC3PARAM record will have a zero flag field. The NSEC3 chain will be generated before the NSEC chain is destroyed.

-Converting from NSEC3 to NSEC

+Converting from NSEC3 to NSEC

To do this, use nsupdate to remove all NSEC3PARAM records with a zero flag field. The NSEC chain will be generated before the NSEC3 chain is removed.

-Converting from secure to insecure

+Converting from secure to insecure

To convert a signed zone to unsigned using dynamic DNS, delete all the DNSKEY records from the zone apex using nsupdate. All signatures, NSEC or NSEC3 chains, @@ -1316,14 +1316,14 @@ options { allow instead (or it will re-sign).

-Periodic re-signing

+Periodic re-signing

In any secure zone which supports dynamic updates, named will periodically re-sign RRsets which have not been re-signed as a result of some update action. The signature lifetimes will be adjusted so as to spread the re-sign load over time rather than all at once.

-NSEC3 and OPTOUT

+NSEC3 and OPTOUT

named only supports creating new NSEC3 chains where all the NSEC3 records in the zone have the same OPTOUT @@ -1345,7 +1345,7 @@ options { configuration files.

-Validating Resolver

+Validating Resolver

To configure a validating resolver to use RFC 5011 to maintain a trust anchor, configure the trust anchor using a managed-keys statement. Information about @@ -1356,7 +1356,7 @@ options {

-Authoritative Server

+Authoritative Server

To set up an authoritative zone for RFC 5011 trust anchor maintenance, generate two (or more) key signing keys (KSKs) for the zone. Sign the zone with one of them; this is the "active" @@ -1452,7 +1452,7 @@ $ dnssec-signzone -S -K keys example.net<

-Prerequisites

+Prerequisites

See the documentation provided by your HSM vendor for information about installing, initializing, testing and @@ -1461,7 +1461,7 @@ $ dnssec-signzone -S -K keys example.net<

-Native PKCS#11

+Native PKCS#11

Native PKCS#11 mode will only work with an HSM capable of carrying out every cryptographic operation BIND 9 may @@ -1495,7 +1495,7 @@ $ ./configure --enable-native-pkcs11 \

-OpenSSL-based PKCS#11

+OpenSSL-based PKCS#11

OpenSSL-based PKCS#11 mode uses a modified version of the OpenSSL library; stock OpenSSL does not fully support PKCS#11. @@ -1553,7 +1553,7 @@ $ ./configure --enable-native-pkcs11 \

-Patching OpenSSL

+Patching OpenSSL
 $ wget http://www.openssl.org/source/openssl-0.9.8y.tar.gz
   
@@ -1586,7 +1586,7 @@ $ patch -p1 -d openssl-0.9.8y \

-Building OpenSSL for the AEP Keyper on Linux

+Building OpenSSL for the AEP Keyper on Linux

The AEP Keyper is a highly secure key storage device, but does not provide hardware cryptographic acceleration. It @@ -1628,7 +1628,7 @@ $ ./Configure linux-generic32 -m32 -pthread \

-Building OpenSSL for the SCA 6000 on Solaris

+Building OpenSSL for the SCA 6000 on Solaris

The SCA-6000 PKCS#11 provider is installed as a system library, libpkcs11. It is a true crypto accelerator, up to 4 @@ -1657,7 +1657,7 @@ $ ./Configure solaris64-x86_64-cc \

-Building OpenSSL for SoftHSM

+Building OpenSSL for SoftHSM

SoftHSM is a software library provided by the OpenDNSSEC project (http://www.opendnssec.org) which provides a PKCS#11 @@ -1730,7 +1730,7 @@ $ ./Configure linux-x86_64 -pthread \

-Configuring BIND 9 for Linux with the AEP Keyper

+Configuring BIND 9 for Linux with the AEP Keyper

To link with the PKCS#11 provider, threads must be enabled in the BIND 9 build. @@ -1750,7 +1750,7 @@ $ ./configure CC="gcc -m32" --enable-threads \

-Configuring BIND 9 for Solaris with the SCA 6000

+Configuring BIND 9 for Solaris with the SCA 6000

To link with the PKCS#11 provider, threads must be enabled in the BIND 9 build. @@ -1772,7 +1772,7 @@ $ ./configure CC="cc -xarch=amd64" --enable-thre

-Configuring BIND 9 for SoftHSM

+Configuring BIND 9 for SoftHSM
 $ cd ../bind9
 $ ./configure --enable-threads \
@@ -1793,7 +1793,7 @@ $ ./configure --enable-threads \
 
 

-PKCS#11 Tools

+PKCS#11 Tools

BIND 9 includes a minimal set of tools to operate the HSM, including @@ -1816,7 +1816,7 @@ $ ./configure --enable-threads \

-Using the HSM

+Using the HSM

For OpenSSL-based PKCS#11, we must first set up the runtime environment so the OpenSSL and PKCS#11 libraries can be loaded: @@ -1937,7 +1937,7 @@ example.net.signed

-Specifying the engine on the command line

+Specifying the engine on the command line

When using OpenSSL-based PKCS#11, the "engine" to be used by OpenSSL can be specified in named and all of @@ -1969,7 +1969,7 @@ $ dnssec-signzone -E '' -S example.net

-Running named with automatic zone re-signing

+Running named with automatic zone re-signing

If you want named to dynamically re-sign zones using HSM keys, and/or to to sign new records inserted via nsupdate, @@ -2056,7 +2056,7 @@ $ dnssec-signzone -E '' -S example.net

-Configuring DLZ

+Configuring DLZ

A DLZ database is configured with a dlz statement in named.conf: @@ -2105,7 +2105,7 @@ $ dnssec-signzone -E '' -S example.net

-Sample DLZ Driver

+Sample DLZ Driver

For guidance in implementation of DLZ modules, the directory contrib/dlz/example contains a basic diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index f3122b292d..a685497947 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -55,51 +55,51 @@

acl Statement Grammar
acl Statement Definition and Usage
-
controls Statement Grammar
+
controls Statement Grammar
controls Statement Definition and Usage
-
include Statement Grammar
-
include Statement Definition and +
include Statement Grammar
+
include Statement Definition and Usage
-
key Statement Grammar
-
key Statement Definition and Usage
-
logging Statement Grammar
-
logging Statement Definition and +
key Statement Grammar
+
key Statement Definition and Usage
+
logging Statement Grammar
+
logging Statement Definition and Usage
-
lwres Statement Grammar
-
lwres Statement Definition and Usage
-
masters Statement Grammar
-
masters Statement Definition and +
lwres Statement Grammar
+
lwres Statement Definition and Usage
+
masters Statement Grammar
+
masters Statement Definition and Usage
-
options Statement Grammar
+
options Statement Grammar
options Statement Definition and Usage
server Statement Grammar
server Statement Definition and Usage
statistics-channels Statement Grammar
-
statistics-channels Statement Definition and +
statistics-channels Statement Definition and Usage
trusted-keys Statement Grammar
-
trusted-keys Statement Definition +
trusted-keys Statement Definition and Usage
-
managed-keys Statement Grammar
+
managed-keys Statement Grammar
managed-keys Statement Definition and Usage
view Statement Grammar
-
view Statement Definition and Usage
+
view Statement Definition and Usage
zone Statement Grammar
-
zone Statement Definition and Usage
+
zone Statement Definition and Usage
-
Zone File
+
Zone File
Types of Resource Records and When to Use Them
-
Discussion of MX Records
+
Discussion of MX Records
Setting TTLs
-
Inverse Mapping in IPv4
-
Other Zone File Directives
-
BIND Master File Extension: the $GENERATE Directive
+
Inverse Mapping in IPv4
+
Other Zone File Directives
+
BIND Master File Extension: the $GENERATE Directive
Additional File Formats
BIND9 Statistics
@@ -960,64 +960,10 @@ -

- When BIND 9 is built with GeoIP support, - ACLs can also be used for geographic access restrictions. - This is done by specifying an ACL element of the form: - geoip [db database] field value -

-

- The field indicates which field - to search for a match. Available fields are "country", - "region", "city", "continent", "postal" (postal code), - "metro" (metro code), "area" (area code), "tz" (timezone), - "isp", "org", "asnum", "domain" and "netspeed". -

-

- value is the value to searched for - within the database. A string may be quoted if it contains - spaces or other special characters. If this is a "country" - search and the string is two characters long, then it must be a - standard ISO-3166-1 two-letter country code, and if it is three - characters long then it must be an ISO-3166-1 three-letter - country code; otherwise it is the full name of the country. - Similarly, if this is a "region" search and the string is - two characters long, then it must be a standard two-letter state - or province abbreviation; otherwise it is the full name of the - state or province. -

-

- The database field indicates which - GeoIP database to search for a match. In most cases this is - unnecessary, because most search fields can only be found in - a single database. However, searches for country can be - answered from the "city", "region", or "country" databases, - and searches for region (i.e., state or province) can be - answered from the "city" or "region" databases. For these - search types, specifying a database - will force the query to be answered from that database and no - other. If database is not - specified, then these queries will be answered from the "city", - database if it is installed, or the "region" database if it is - installed, or the "country" database, in that order. -

-

- Some example GeoIP ACLs: -

-
geoip country US;
-geoip country JAP;
-geoip db country country Canada;
-geoip db region region WA;
-geoip city "San Francisco";
-geoip region Oklahoma;
-geoip postal 95062;
-geoip tz "America/Los_Angeles";
-geoip org "Internet Systems Consortium";
-

-controls Statement Grammar

+controls Statement Grammar
controls {
    [ inet ( ip_addr | * ) [ port ip_port ]
                 allow {  address_match_list  }
@@ -1141,12 +1087,12 @@ geoip org "Internet Systems Consortium";
 
 

-include Statement Grammar

+include Statement Grammar
include filename;

-include Statement Definition and +include Statement Definition and Usage

The include statement inserts the @@ -1161,7 +1107,7 @@ geoip org "Internet Systems Consortium";

-key Statement Grammar

+key Statement Grammar
key key_id {
     algorithm string;
     secret string;
@@ -1170,7 +1116,7 @@ geoip org "Internet Systems Consortium";
 
 

-key Statement Definition and Usage

+key Statement Definition and Usage

The key statement defines a shared secret key for use with TSIG (see the section called “TSIG”) @@ -1217,7 +1163,7 @@ geoip org "Internet Systems Consortium";

-logging Statement Grammar

+logging Statement Grammar
logging {
    [ channel channel_name {
      ( file path_name
@@ -1241,7 +1187,7 @@ geoip org "Internet Systems Consortium";
 
 

-logging Statement Definition and +logging Statement Definition and Usage

The logging statement configures a @@ -1275,7 +1221,7 @@ geoip org "Internet Systems Consortium";

-The channel Phrase

+The channel Phrase

All log output goes to one or more channels; you can make as many of them as you want. @@ -1888,7 +1834,7 @@ category notify { null; };

-The query-errors Category

+The query-errors Category

The query-errors category is specifically intended for debugging purposes: To identify @@ -2116,7 +2062,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]

-lwres Statement Grammar

+lwres Statement Grammar

This is the grammar of the lwres statement in the named.conf file: @@ -2134,7 +2080,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]

-lwres Statement Definition and Usage

+lwres Statement Definition and Usage

The lwres statement configures the name @@ -2210,7 +2156,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]

-masters Statement Grammar

+masters Statement Grammar
 masters name [port ip_port] [dscp ip_dscp] { ( masters_list | 
       ip_addr [port ip_port] [key key] ) ; [...] };
@@ -2218,7 +2164,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 
 

-masters Statement Definition and +masters Statement Definition and Usage

masters lists allow for a common set of masters to be easily used by @@ -2228,7 +2174,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]

-options Statement Grammar

+options Statement Grammar

This is the grammar of the options statement in the named.conf file: @@ -2315,6 +2261,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] [ allow-update { address_match_list }; ] [ allow-update-forwarding { address_match_list }; ] [ automatic-interface-scan { yes_or_no }; ] + [ geoip-use-ecs yes_or_no;] [ update-check-ksk yes_or_no; ] [ dnssec-update-mode ( maintain | no-resign ); ] [ dnssec-dnskey-kskonly yes_or_no; ] @@ -3489,6 +3436,15 @@ options { is flush-zones-on-shutdown no.

+
geoip-use-ecs
+

+ When BIND is compiled with GeoIP support and configured + with "geoip" ACL elements, this option indicates whether + the EDNS Client Subnet option, if present in a request, + should be used for matching against the GeoIP database. + The default is + geoip-use-ecs yes. +

has-old-clients

This option was incorrectly implemented @@ -3629,7 +3585,10 @@ options { If set, this is a shared secret used for generating and verifying Source Identity Token EDNS options within a anycast cluster. If not set the system - will generate a random secret at startup. + will generate a random secret at startup. The + shared secret is encoded as a hex string and needs + to be 128 bits for AES128, 160 bits for SHA1 and + 256 bits for SHA256.

rfc2308-type1
@@ -4149,7 +4108,7 @@ options {

-Forwarding

+Forwarding

The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external @@ -4193,7 +4152,7 @@ options {

-Dual-stack Servers

+Dual-stack Servers

Dual-stack servers are used as servers of last resort to work around @@ -4461,7 +4420,7 @@ options {

-Interfaces

+Interfaces

The interfaces and ports that the server will answer queries from may be specified using the listen-on option. listen-on takes @@ -4926,7 +4885,7 @@ avoid-v6-udp-ports {};

-UDP Port Lists

+UDP Port Lists

use-v4-udp-ports, avoid-v4-udp-ports, @@ -4968,7 +4927,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

-Operating System Resource Limits

+Operating System Resource Limits

The server's usage of many system resources can be limited. Scaled values are allowed when specifying resource limits. For @@ -5129,7 +5088,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

-Periodic Task Intervals

+Periodic Task Intervals
cleaning-interval

@@ -6170,7 +6129,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

-Content Filtering

+Content Filtering

BIND 9 provides the ability to filter out DNS responses from external DNS servers containing @@ -6293,7 +6252,7 @@ deny-answer-aliases { "example.net"; };

-Response Policy Zone (RPZ) Rewriting

+Response Policy Zone (RPZ) Rewriting

BIND 9 includes a limited mechanism to modify DNS responses for requests @@ -6664,7 +6623,7 @@ example.com CNAME rpz-tcp-only.

-Response Rate Limiting

+Response Rate Limiting

Excessive almost identical UDP responses can be controlled by configuring a @@ -7221,7 +7180,7 @@ rate-limit {

-statistics-channels Statement Definition and +statistics-channels Statement Definition and Usage

The statistics-channels statement @@ -7337,7 +7296,7 @@ rate-limit {

-trusted-keys Statement Definition +trusted-keys Statement Definition and Usage

The trusted-keys statement defines @@ -7381,7 +7340,7 @@ rate-limit {

-managed-keys Statement Grammar

+managed-keys Statement Grammar
managed-keys {
     name initial-key flags protocol algorithm key-data ;
     [ name initial-key flags protocol algorithm key-data ; [...]]
@@ -7519,7 +7478,7 @@ rate-limit {
 
 

-view Statement Definition and Usage

+view Statement Definition and Usage

The view statement is a powerful feature @@ -7841,10 +7800,10 @@ zone zone_name [

-zone Statement Definition and Usage

+zone Statement Definition and Usage

-Zone Types

+Zone Types
@@ -8162,7 +8121,7 @@ zone zone_name [

-Class

+Class

The zone's name may optionally be followed by a class. If a class is not specified, class IN (for Internet), @@ -8184,7 +8143,7 @@ zone zone_name [

-Zone Options

+Zone Options
allow-notify

@@ -9115,7 +9074,7 @@ example.com. NS ns2.example.net.

-Multiple views

+Multiple views

When multiple views are in use, a zone may be referenced by more than one of them. Often, the views @@ -9166,7 +9125,7 @@ view external {

-Zone File

+Zone File

Types of Resource Records and When to Use Them

@@ -9179,7 +9138,7 @@ view external {

-Resource Records

+Resource Records

A domain name identifies a node. Each node has a set of resource information, which may be empty. The set of resource @@ -9916,7 +9875,7 @@ view external {

-Textual expression of RRs

+Textual expression of RRs

RRs are represented in binary form in the packets of the DNS protocol, and are usually represented in highly encoded form @@ -10119,7 +10078,7 @@ view external {

-Discussion of MX Records

+Discussion of MX Records

As described above, domain servers store information as a series of resource records, each of which contains a particular @@ -10374,7 +10333,7 @@ view external {

-Inverse Mapping in IPv4

+Inverse Mapping in IPv4

Reverse name resolution (that is, translation from IP address to name) is achieved by means of the in-addr.arpa domain @@ -10435,7 +10394,7 @@ view external {

-Other Zone File Directives

+Other Zone File Directives

The Master File Format was initially defined in RFC 1035 and has subsequently been extended. While the Master File Format @@ -10450,7 +10409,7 @@ view external {

-The @ (at-sign)

+The @ (at-sign)

When used in the label (or name) field, the asperand or at-sign (@) symbol represents the current origin. @@ -10461,7 +10420,7 @@ view external {

-The $ORIGIN Directive

+The $ORIGIN Directive

Syntax: $ORIGIN domain-name @@ -10490,7 +10449,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.

-The $INCLUDE Directive

+The $INCLUDE Directive

Syntax: $INCLUDE filename @@ -10526,7 +10485,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.

-The $TTL Directive

+The $TTL Directive

Syntax: $TTL default-ttl @@ -10545,7 +10504,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.

-BIND Master File Extension: the $GENERATE Directive

+BIND Master File Extension: the $GENERATE Directive

Syntax: $GENERATE range @@ -10988,7 +10947,7 @@ HOST-127.EXAMPLE. MX 0 .

-Name Server Statistics Counters

+Name Server Statistics Counters
@@ -11584,7 +11543,7 @@ HOST-127.EXAMPLE. MX 0 .

-Zone Maintenance Statistics Counters

+Zone Maintenance Statistics Counters
@@ -11738,7 +11697,7 @@ HOST-127.EXAMPLE. MX 0 .

-Resolver Statistics Counters

+Resolver Statistics Counters
@@ -12121,7 +12080,7 @@ HOST-127.EXAMPLE. MX 0 .

-Socket I/O Statistics Counters

+Socket I/O Statistics Counters

Socket I/O statistics counters are defined per socket types, which are @@ -12276,7 +12235,7 @@ HOST-127.EXAMPLE. MX 0 .

-Compatibility with BIND 8 Counters

+Compatibility with BIND 8 Counters

Most statistics counters that were available in BIND 8 are also supported in diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index 13cb548639..54588bbb53 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -46,10 +46,10 @@

Table of Contents

Access Control Lists
-
Chroot and Setuid
+
Chroot and Setuid
-
The chroot Environment
-
Using the setuid Function
+
The chroot Environment
+
Using the setuid Function
Dynamic Update Security
@@ -59,11 +59,11 @@ Access Control Lists

Access Control Lists (ACLs) are address match lists that - you can set up and nickname for future use in allow-notify, - allow-query, allow-query-on, - allow-recursion, allow-recursion-on, + you can set up and nickname for future use in + allow-notify, allow-query, + allow-query-on, allow-recursion, blackhole, allow-transfer, - etc. + match-clients, etc.

Using ACLs allows you to have finer control over who can access @@ -73,11 +73,17 @@

It is a good idea to use ACLs, and to control access to your server. Limiting access to your server by - outside parties can help prevent spoofing and denial of service (DoS) attacks against - your server. + outside parties can help prevent spoofing and denial of service + (DoS) attacks against your server.

- Here is an example of how to properly apply ACLs: + ACLs match clients on the basis of up to three characteristics: + 1) The client's IP address; 2) the TSIG or SIG(0) key that was + used to sign the request, if any; and 3) an address prefix + encoded in an EDNS Client Subnet option, if any. +

+

+ Here is an example of ACLs based on client addresses:

 // Set up an ACL named "bogusnets" that will block
@@ -108,13 +114,138 @@ zone "example.com" {
 };
 

- This allows recursive queries of the server from the outside - unless recursion has been previously disabled. + This allows authoritative queries for "example.com" from any + address, but recursive queries only from the networks specified + in "our-nets", and no queries at all from the networks + specified in "bogusnets". +

+

+ In addition to network addresses and prefixes, which are + matched against the source address of the DNS request, ACLs + may include key elements, which specify the + name of a TSIG or SIG(0) key, or ecs + elements, which specify a network prefix but are only matched + if that prefix matches an EDNS client subnet option included + in the request. +

+

+ The EDNS Client Subnet (ECS) option is used by a recursive + resolver to inform an authoritative name server of the network + address block from which the original query was received, enabling + authoritative servers to give different answers to the same + resolver for different resolver clients. An ACL containing + an element of the form + ecs prefix + will match if a request arrives in containing an ECS option + encoding an address within that prefix. If the request has no + ECS option, then "ecs" elements are simply ignored. Addresses + in ACLs that are not prefixed with "ecs" are matched only + against the source address. +

+

+ When BIND 9 is built with GeoIP support, + ACLs can also be used for geographic access restrictions. + This is done by specifying an ACL element of the form: + geoip [db database] field value +

+

+ The field indicates which field + to search for a match. Available fields are "country", + "region", "city", "continent", "postal" (postal code), + "metro" (metro code), "area" (area code), "tz" (timezone), + "isp", "org", "asnum", "domain" and "netspeed". +

+

+ value is the value to search + for within the database. A string may be quoted if it + contains spaces or other special characters. If this is + an "asnum" search, then the leading "ASNNNN" string can be + used, otherwise the full description must be used (e.g. + "ASNNNN Example Company Name"). If this is a "country" + search and the string is two characters long, then it must + be a standard ISO-3166-1 two-letter country code, and if it + is three characters long then it must be an ISO-3166-1 + three-letter country code; otherwise it is the full name + of the country. Similarly, if this is a "region" search + and the string is two characters long, then it must be a + standard two-letter state or province abbreviation; + otherwise it is the full name of the state or province. +

+

+ The database field indicates which + GeoIP database to search for a match. In most cases this is + unnecessary, because most search fields can only be found in + a single database. However, searches for country can be + answered from the "city", "region", or "country" databases, + and searches for region (i.e., state or province) can be + answered from the "city" or "region" databases. For these + search types, specifying a database + will force the query to be answered from that database and no + other. If database is not + specified, then these queries will be answered from the "city", + database if it is installed, or the "region" database if it is + installed, or the "country" database, in that order. +

+

+ By default, if a DNS query includes an EDNS Client Subnet (ECS) + option which encodes a non-zero address prefix, then GeoIP ACLs + will be matched against that address prefix. Otherwise, they + are matched against the source address of the query. To + prevent GeoIP ACLs from matching against ECS options, set + the geoip-use-ecs to no. +

+

+ Some example GeoIP ACLs: +

+
geoip country US;
+geoip country JAP;
+geoip db country country Canada;
+geoip db region region WA;
+geoip city "San Francisco";
+geoip region Oklahoma;
+geoip postal 95062;
+geoip tz "America/Los_Angeles";
+geoip org "Internet Systems Consortium";
+
+

+ ACLs use a "first-match" logic rather than "best-match": + if an address prefix matches an ACL element, then that ACL + is considered to have matched even if a later element would + have matched more specifically. For example, the ACL + { 10/8; !10.0.0.1; } would actually + match a query from 10.0.0.1, because the first element + indicated that the query should be accepted, and the second + element is ignored. +

+

+ When using "nested" ACLs (that is, ACLs included or referenced + within other ACLs), a negative match of a nested ACL will + the containing ACL to continue looking for matches. This + enables complex ACLs to be constructed, in which multiple + client characteristics can be checked at the same time. For + example, to construct an ACL which allows queries only when + it originates from a particular network and + only when it is signed with a particular key, use: +

+
+allow-query { !{ !10/8; any; }; key example; };
+
+

+ Within the nested ACL, any address that is + not in the 10/8 network prefix will + be rejected, and this will terminate processing of the + ACL. Any address that is in the 10/8 + network prefix will be accepted, but this causes a negative + match of the nested ACL, so the containing ACL continues + processing. The query will then be accepted if it is signed + by the key "example", and rejected otherwise. The ACL, then, + will only matches when both conditions + are true.

-Chroot and Setuid +Chroot and Setuid

On UNIX servers, it is possible to run BIND @@ -140,7 +271,7 @@ zone "example.com" {

-The chroot Environment

+The chroot Environment

In order for a chroot environment to @@ -168,7 +299,7 @@ zone "example.com" {

-Using the setuid Function

+Using the setuid Function

Prior to running the named daemon, use diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index e8ef6c0e7d..f9b801b3ca 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -45,18 +45,18 @@

-Common Problems

+Common Problems

-It's not working; how can I figure out what's wrong?

+It's not working; how can I figure out what's wrong?

The best solution to solving installation and configuration issues is to take preventative measures by setting @@ -68,7 +68,7 @@

-Incrementing and Changing the Serial Number

+Incrementing and Changing the Serial Number

Zone serial numbers are just numbers — they aren't date related. A lot of people set them to a number that @@ -95,7 +95,7 @@

-Where Can I Get Help?

+Where Can I Get Help?

The Internet Systems Consortium (ISC) offers a wide range diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index 512357019c..379285ba2d 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -45,31 +45,31 @@

-Acknowledgments

+Acknowledgments

A Brief History of the DNS and BIND @@ -172,7 +172,7 @@

-General DNS Reference Information

+General DNS Reference Information

IPv6 addresses (AAAA)

@@ -260,17 +260,17 @@

-Bibliography

+Bibliography

Standards

-

[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986.

+

[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986.

-

[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987.

+

[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987.

-

[RFC1035] P. V. Mockapetris. Domain Names — Implementation and +

[RFC1035] P. V. Mockapetris. Domain Names — Implementation and Specification. November 1987.

@@ -278,42 +278,42 @@

Proposed Standards

-

[RFC2181] R., R. Bush Elz. Clarifications to the DNS +

[RFC2181] R., R. Bush Elz. Clarifications to the DNS Specification. July 1997.

-

[RFC2308] M. Andrews. Negative Caching of DNS +

[RFC2308] M. Andrews. Negative Caching of DNS Queries. March 1998.

-

[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996.

+

[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996.

-

[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996.

+

[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996.

-

[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997.

+

[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997.

-

[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997.

+

[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997.

-

[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999.

+

[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999.

-

[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000.

+

[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000.

-

[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000.

+

[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000.

-

[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000.

+

[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000.

-

[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000.

+

[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000.

-

[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret +

[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG). October 2003.

@@ -322,19 +322,19 @@

DNS Security Proposed Standards

-

[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001.

+

[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001.

-

[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004.

+

[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004.

-

[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005.

+

[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005.

-

[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005.

+

[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005.

-

[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS +

[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS Security Extensions. March 2005.

@@ -342,146 +342,146 @@

Other Important RFCs About DNS Implementation

-

[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely +

[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely Deployed DNS Software. October 1993.

-

[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation +

[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation Errors and Suggested Fixes. October 1993.

-

[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996.

+

[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996.

-

[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS +

[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS Queries for IPv6 Addresses. May 2005.

Resource Record Types

-

[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990.

+

[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990.

-

[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994.

+

[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994.

-

[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using +

[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using the Domain Name System. June 1997.

-

[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the +

[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the Domain Name System. January 1996.

-

[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the +

[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the Location of Services. October 1996.

-

[RFC2163] A. Allocchio. Using the Internet DNS to +

[RFC2163] A. Allocchio. Using the Internet DNS to Distribute MIXER Conformant Global Address Mapping. January 1998.

-

[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997.

+

[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997.

-

[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.

+

[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.

-

[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.

+

[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.

-

[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999.

+

[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999.

-

[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.

+

[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.

-

[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999.

+

[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999.

-

[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000.

+

[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000.

-

[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.

+

[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.

-

[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.

+

[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.

-

[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.

+

[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.

-

[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP +

[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP version 6. October 2003.

-

[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003.

+

[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003.

DNS and the Internet

-

[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names +

[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names and Other Types. April 1989.

-

[RFC1123] Braden. Requirements for Internet Hosts - Application and +

[RFC1123] Braden. Requirements for Internet Hosts - Application and Support. October 1989.

-

[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994.

+

[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994.

-

[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998.

+

[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998.

-

[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000.

+

[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000.

-

[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000.

+

[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000.

DNS Operations

-

[RFC1033] M. Lottor. Domain administrators operations guide. November 1987.

+

[RFC1033] M. Lottor. Domain administrators operations guide. November 1987.

-

[RFC1537] P. Beertema. Common DNS Data File +

[RFC1537] P. Beertema. Common DNS Data File Configuration Errors. October 1993.

-

[RFC1912] D. Barr. Common DNS Operational and +

[RFC1912] D. Barr. Common DNS Operational and Configuration Errors. February 1996.

-

[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers. October 1996.

+

[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers. October 1996.

-

[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for +

[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for Network Services. October 1997.

Internationalized Domain Names

-

[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names, +

[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names, and the Other Internet protocols. May 2000.

-

[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003.

+

[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003.

-

[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003.

+

[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003.

-

[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode +

[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA). March 2003.

@@ -497,47 +497,47 @@

-

[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String +

[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String Attributes. May 1993.

-

[RFC1713] A. Romao. Tools for DNS Debugging. November 1994.

+

[RFC1713] A. Romao. Tools for DNS Debugging. November 1994.

-

[RFC1794] T. Brisco. DNS Support for Load +

[RFC1794] T. Brisco. DNS Support for Load Balancing. April 1995.

-

[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997.

+

[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997.

-

[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998.

+

[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998.

-

[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998.

+

[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998.

-

[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.

+

[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.

-

[RFC3258] T. Hardie. Distributing Authoritative Name Servers via +

[RFC3258] T. Hardie. Distributing Authoritative Name Servers via Shared Unicast Addresses. April 2002.

-

[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004.

+

[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004.

Obsolete and Unimplemented Experimental RFC

-

[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical +

[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical Location. November 1994.

-

[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999.

+

[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999.

-

[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation +

[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation and Renumbering. July 2000.

@@ -551,39 +551,39 @@

-

[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997.

+

[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997.

-

[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997.

+

[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997.

-

[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999.

+

[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999.

-

[RFC3008] B. Wellington. Domain Name System Security (DNSSEC) +

[RFC3008] B. Wellington. Domain Name System Security (DNSSEC) Signing Authority. November 2000.

-

[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001.

+

[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001.

-

[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002.

+

[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002.

-

[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003.

+

[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003.

-

[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003.

+

[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003.

-

[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.

+

[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.

-

[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record +

[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag. April 2004.

-

[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.

+

[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.

@@ -604,14 +604,14 @@

-Other Documents About BIND +Other Documents About BIND

-Bibliography

+Bibliography
-

Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.

+

Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.

@@ -648,7 +648,7 @@

-Prerequisite

+Prerequisite

GNU make is required to build the export libraries (other part of BIND 9 can still be built with other types of make). In the reminder of this document, "make" means GNU make. Note that @@ -657,7 +657,7 @@

-Compilation

+Compilation
 $ ./configure --enable-exportlib [other flags]
 $ make
@@ -672,7 +672,7 @@ $ make
 
 

-Installation

+Installation
 $ cd lib/export
 $ make install
@@ -694,7 +694,7 @@ $ make install
 
 

-Known Defects/Restrictions

+Known Defects/Restrictions
  • Currently, win32 is not supported for the export library. (Normal BIND 9 application can be built as @@ -734,7 +734,7 @@ $ make

-The dns.conf File

+The dns.conf File

The IRS library supports an "advanced" configuration file related to the DNS library for configuration parameters that would be beyond the capability of the @@ -752,14 +752,14 @@ $ make

-Sample Applications

+Sample Applications

Some sample application programs using this API are provided for reference. The following is a brief description of these applications.

-sample: a simple stub resolver utility

+sample: a simple stub resolver utility

It sends a query of a given name (of a given optional RR type) to a specified recursive server, and prints the result as a list of @@ -823,7 +823,7 @@ $ make

-sample-async: a simple stub resolver, working asynchronously

+sample-async: a simple stub resolver, working asynchronously

Similar to "sample", but accepts a list of (query) domain names as a separate file and resolves the names @@ -864,7 +864,7 @@ $ make

-sample-request: a simple DNS transaction client

+sample-request: a simple DNS transaction client

It sends a query to a specified server, and prints the response with minimal processing. It doesn't act as a @@ -905,7 +905,7 @@ $ make

-sample-gai: getaddrinfo() and getnameinfo() test code

+sample-gai: getaddrinfo() and getnameinfo() test code

This is a test program to check getaddrinfo() and getnameinfo() behavior. It takes a @@ -922,7 +922,7 @@ $ make

-sample-update: a simple dynamic update client program

+sample-update: a simple dynamic update client program

It accepts a single update command as a command-line argument, sends an update request message to the @@ -1017,7 +1017,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm

-nsprobe: domain/name server checker in terms of RFC 4074

+nsprobe: domain/name server checker in terms of RFC 4074

It checks a set of domains to see the name servers of the domains behave @@ -1074,7 +1074,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm

-Library References

+Library References

As of this writing, there is no formal "manual" of the libraries, except this document, header files (some of them provide pretty detailed explanations), and sample application
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index edfe1d93c3..eb46313cdb 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -113,39 +113,39 @@

DNSSEC, Dynamic Zones, and Automatic Signing
-
Converting from insecure to secure
-
Dynamic DNS update method
-
Fully automatic zone signing
-
Private-type records
-
DNSKEY rollovers
-
Dynamic DNS update method
-
Automatic key rollovers
-
NSEC3PARAM rollovers via UPDATE
-
Converting from NSEC to NSEC3
-
Converting from NSEC3 to NSEC
-
Converting from secure to insecure
-
Periodic re-signing
-
NSEC3 and OPTOUT
+
Converting from insecure to secure
+
Dynamic DNS update method
+
Fully automatic zone signing
+
Private-type records
+
DNSKEY rollovers
+
Dynamic DNS update method
+
Automatic key rollovers
+
NSEC3PARAM rollovers via UPDATE
+
Converting from NSEC to NSEC3
+
Converting from NSEC3 to NSEC
+
Converting from secure to insecure
+
Periodic re-signing
+
NSEC3 and OPTOUT
Dynamic Trust Anchor Management
-
Validating Resolver
-
Authoritative Server
+
Validating Resolver
+
Authoritative Server
PKCS#11 (Cryptoki) support
-
Prerequisites
-
Native PKCS#11
-
OpenSSL-based PKCS#11
-
PKCS#11 Tools
-
Using the HSM
-
Specifying the engine on the command line
-
Running named with automatic zone re-signing
+
Prerequisites
+
Native PKCS#11
+
OpenSSL-based PKCS#11
+
PKCS#11 Tools
+
Using the HSM
+
Specifying the engine on the command line
+
Running named with automatic zone re-signing
DLZ (Dynamically Loadable Zones)
-
Configuring DLZ
-
Sample DLZ Driver
+
Configuring DLZ
+
Sample DLZ Driver
IPv6 Support in BIND 9
@@ -170,51 +170,51 @@
acl Statement Grammar
acl Statement Definition and Usage
-
controls Statement Grammar
+
controls Statement Grammar
controls Statement Definition and Usage
-
include Statement Grammar
-
include Statement Definition and +
include Statement Grammar
+
include Statement Definition and Usage
-
key Statement Grammar
-
key Statement Definition and Usage
-
logging Statement Grammar
-
logging Statement Definition and +
key Statement Grammar
+
key Statement Definition and Usage
+
logging Statement Grammar
+
logging Statement Definition and Usage
-
lwres Statement Grammar
-
lwres Statement Definition and Usage
-
masters Statement Grammar
-
masters Statement Definition and +
lwres Statement Grammar
+
lwres Statement Definition and Usage
+
masters Statement Grammar
+
masters Statement Definition and Usage
-
options Statement Grammar
+
options Statement Grammar
options Statement Definition and Usage
server Statement Grammar
server Statement Definition and Usage
statistics-channels Statement Grammar
-
statistics-channels Statement Definition and +
statistics-channels Statement Definition and Usage
trusted-keys Statement Grammar
-
trusted-keys Statement Definition +
trusted-keys Statement Definition and Usage
-
managed-keys Statement Grammar
+
managed-keys Statement Grammar
managed-keys Statement Definition and Usage
view Statement Grammar
-
view Statement Definition and Usage
+
view Statement Definition and Usage
zone Statement Grammar
-
zone Statement Definition and Usage
+
zone Statement Definition and Usage
-
Zone File
+
Zone File
Types of Resource Records and When to Use Them
-
Discussion of MX Records
+
Discussion of MX Records
Setting TTLs
-
Inverse Mapping in IPv4
-
Other Zone File Directives
-
BIND Master File Extension: the $GENERATE Directive
+
Inverse Mapping in IPv4
+
Other Zone File Directives
+
BIND Master File Extension: the $GENERATE Directive
Additional File Formats
BIND9 Statistics
@@ -223,41 +223,41 @@
7. BIND 9 Security Considerations
Access Control Lists
-
Chroot and Setuid
+
Chroot and Setuid
-
The chroot Environment
-
Using the setuid Function
+
The chroot Environment
+
Using the setuid Function
Dynamic Update Security
8. Troubleshooting
-
Common Problems
-
It's not working; how can I figure out what's wrong?
-
Incrementing and Changing the Serial Number
-
Where Can I Get Help?
+
Common Problems
+
It's not working; how can I figure out what's wrong?
+
Incrementing and Changing the Serial Number
+
Where Can I Get Help?
A. Appendices
-
Acknowledgments
+
Acknowledgments
A Brief History of the DNS and BIND
-
General DNS Reference Information
+
General DNS Reference Information
IPv6 addresses (AAAA)
Bibliography (and Suggested Reading)
Request for Comments (RFCs)
Internet Drafts
-
Other Documents About BIND
+
Other Documents About BIND
BIND 9 DNS Library Support
-
Prerequisite
-
Compilation
-
Installation
-
Known Defects/Restrictions
-
The dns.conf File
-
Sample Applications
-
Library References
+
Prerequisite
+
Compilation
+
Installation
+
Known Defects/Restrictions
+
The dns.conf File
+
Sample Applications
+
Library References
I. Manual pages
diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html
index 7679d48a64..71c41966de 100644
--- a/doc/arm/man.arpaname.html
+++ b/doc/arm/man.arpaname.html
@@ -50,20 +50,20 @@

arpaname {ipaddress ...}

-

DESCRIPTION

+

DESCRIPTION

arpaname translates IP addresses (IPv4 and IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.

-

SEE ALSO

+

SEE ALSO

BIND 9 Administrator Reference Manual.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index 9ea8342ec6..e37c44526e 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -51,7 +51,7 @@

ddns-confgen [-a algorithm] [-h] [-k keyname] [-q] [-r randomfile] [ -s name | -z zone ]

-

DESCRIPTION

+

DESCRIPTION

tsig-keygen and ddns-confgen are invocation methods for a utility that generates keys for use @@ -87,7 +87,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm

@@ -159,7 +159,7 @@

-

SEE ALSO

+

SEE ALSO

nsupdate(1), named.conf(5), named(8), @@ -167,7 +167,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html
index 2f602a7edb..af1f9a790d 100644
--- a/doc/arm/man.delv.html
+++ b/doc/arm/man.delv.html
@@ -53,7 +53,7 @@

delv [queryopt...] [query...]

-

DESCRIPTION

+

DESCRIPTION

delv (Domain Entity Lookup & Validation) is a tool for sending DNS queries and validating the results, using the the same internal @@ -96,7 +96,7 @@

-

SIMPLE USAGE

+

SIMPLE USAGE

A typical invocation of delv looks like:

@@ -151,7 +151,7 @@

-

OPTIONS

+

OPTIONS

-a anchor-file
@@ -285,7 +285,7 @@
-

QUERY OPTIONS

+

QUERY OPTIONS

delv provides a number of query options which affect the way results are displayed, and in some cases the way lookups are performed. @@ -465,12 +465,12 @@

-

FILES

+

FILES

/etc/bind.keys

/etc/resolv.conf

-

SEE ALSO

+

SEE ALSO

dig(1), named(8), RFC4034,
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index 5118533ecf..e5c6aa6411 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -52,7 +52,7 @@

dig [global-queryopt...] [query...]

-

DESCRIPTION

+

DESCRIPTION

dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -99,7 +99,7 @@

-

SIMPLE USAGE

+

SIMPLE USAGE

A typical invocation of dig looks like:

@@ -152,7 +152,7 @@

-

OPTIONS

+

OPTIONS

The -b option sets the source IP address of the query to address. This must be a valid @@ -260,7 +260,7 @@

-

QUERY OPTIONS

+

QUERY OPTIONS

dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -655,7 +655,7 @@

-

MULTIPLE QUERIES

+

MULTIPLE QUERIES

The BIND 9 implementation of dig supports @@ -701,7 +701,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

IDN SUPPORT

+

IDN SUPPORT

If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -715,14 +715,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

FILES

+

FILES

/etc/resolv.conf

${HOME}/.digrc

-

SEE ALSO

+

SEE ALSO

host(1), named(8), dnssec-keygen(8), @@ -730,7 +730,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

-

BUGS

+

BUGS

There are probably too many query options.

diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html
index 1b049c52ab..5a0c6c4c54 100644
--- a/doc/arm/man.dnssec-checkds.html
+++ b/doc/arm/man.dnssec-checkds.html
@@ -51,7 +51,7 @@

dnssec-dsfromkey [-l domain] [-f file] [-d dig path] [-D dsfromkey path] {zone}

-

DESCRIPTION

+

DESCRIPTION

dnssec-checkds verifies the correctness of Delegation Signer (DS) or DNSSEC Lookaside Validation (DLV) resource records for keys in a specified @@ -59,7 +59,7 @@

-

OPTIONS

+

OPTIONS

-f file

@@ -88,14 +88,14 @@

-

SEE ALSO

+

SEE ALSO

dnssec-dsfromkey(8), dnssec-keygen(8), dnssec-signzone(8),

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html
index 91e3226388..b266fb4934 100644
--- a/doc/arm/man.dnssec-coverage.html
+++ b/doc/arm/man.dnssec-coverage.html
@@ -50,7 +50,7 @@

dnssec-coverage [-K directory] [-l length] [-f file] [-d DNSKEY TTL] [-m max TTL] [-r interval] [-c compilezone path] [-k] [-z] [zone]

-

DESCRIPTION

+

DESCRIPTION

dnssec-coverage verifies that the DNSSEC keys for a given zone or a set of zones have timing metadata set properly to ensure no future lapses in DNSSEC @@ -78,7 +78,7 @@

-

OPTIONS

+

OPTIONS

-K directory

@@ -192,7 +192,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-checkds(8), dnssec-dsfromkey(8), @@ -201,7 +201,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index 741508b549..4070cff2b4 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -52,14 +52,14 @@

dnssec-dsfromkey [-h] [-V]

-

DESCRIPTION

+

DESCRIPTION

dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).

-

OPTIONS

+

OPTIONS

-1

@@ -144,7 +144,7 @@

-

EXAMPLE

+

EXAMPLE

To build the SHA-256 DS RR from the Kexample.com.+003+26160 @@ -159,7 +159,7 @@

-

FILES

+

FILES

The keyfile can be designed by the key identification Knnnn.+aaa+iiiii or the full file name @@ -173,13 +173,13 @@

-

CAVEAT

+

CAVEAT

A keyfile error can give a "file not found" even if the file exists.

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -189,7 +189,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html
index fa68c37a08..ee6ae4f791 100644
--- a/doc/arm/man.dnssec-importkey.html
+++ b/doc/arm/man.dnssec-importkey.html
@@ -51,7 +51,7 @@

dnssec-importkey {-f filename} [-K directory] [-L ttl] [-P date/offset] [-D date/offset] [-h] [-v level] [-V] [dnsname]

-

DESCRIPTION

+

DESCRIPTION

dnssec-importkey reads a public DNSKEY record and generates a pair of .key/.private files. The DNSKEY record may be read from an @@ -71,7 +71,7 @@

-

OPTIONS

+

OPTIONS

-f filename
@@ -114,7 +114,7 @@
-

TIMING OPTIONS

+

TIMING OPTIONS

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -142,7 +142,7 @@

-

FILES

+

FILES

A keyfile can be designed by the key identification Knnnn.+aaa+iiiii or the full file name @@ -151,7 +151,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -159,7 +159,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index 14d9295cc3..26b660d2ca 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -50,7 +50,7 @@

dnssec-keyfromlabel {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-i interval] [-k] [-K directory] [-L ttl] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-S key] [-t type] [-v level] [-V] [-y] {name}

-

DESCRIPTION

+

DESCRIPTION

dnssec-keyfromlabel generates a key pair of files that referencing a key object stored in a cryptographic hardware service module (HSM). The private key @@ -66,7 +66,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm
@@ -243,7 +243,7 @@
-

TIMING OPTIONS

+

TIMING OPTIONS

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -315,7 +315,7 @@

-

GENERATED KEY FILES

+

GENERATED KEY FILES

When dnssec-keyfromlabel completes successfully, @@ -354,7 +354,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -363,7 +363,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index 23b9fd2ca1..eac6eaeb41 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -50,7 +50,7 @@

dnssec-keygen [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-i interval] [-K directory] [-L ttl] [-k] [-P date/offset] [-p protocol] [-q] [-R date/offset] [-r randomdev] [-S key] [-s strength] [-t type] [-v level] [-V] [-z] {name}

-

DESCRIPTION

+

DESCRIPTION

dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -64,7 +64,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm
@@ -285,7 +285,7 @@
-

TIMING OPTIONS

+

TIMING OPTIONS

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -359,7 +359,7 @@

-

GENERATED KEYS

+

GENERATED KEYS

When dnssec-keygen completes successfully, @@ -405,7 +405,7 @@

-

EXAMPLE

+

EXAMPLE

To generate a 768-bit DSA key for the domain example.com, the following command would be @@ -426,7 +426,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, @@ -435,7 +435,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index ebcbf68b37..2140e2e29c 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -50,7 +50,7 @@

dnssec-revoke [-hr] [-v level] [-V] [-K directory] [-E engine] [-f] [-R] {keyfile}

-

DESCRIPTION

+

DESCRIPTION

dnssec-revoke reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the @@ -58,7 +58,7 @@

-

OPTIONS

+

OPTIONS

-h

@@ -109,14 +109,14 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 5011.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index 7bb6a45173..64f4a291bc 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -50,7 +50,7 @@

dnssec-settime [-f] [-K directory] [-L ttl] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-V] [-v level] [-E engine] {keyfile}

-

DESCRIPTION

+

DESCRIPTION

dnssec-settime reads a DNSSEC private key file and sets the key timing metadata as specified by the -P, -A, @@ -76,7 +76,7 @@

-

OPTIONS

+

OPTIONS

-f

@@ -131,7 +131,7 @@

-

TIMING OPTIONS

+

TIMING OPTIONS

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -210,7 +210,7 @@

-

PRINTING OPTIONS

+

PRINTING OPTIONS

dnssec-settime can also be used to print the timing metadata associated with a key. @@ -236,7 +236,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -244,7 +244,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 8fdb5fd51f..61e826d81f 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -50,7 +50,7 @@

dnssec-signzone [-a] [-c class] [-d directory] [-D] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-L serial] [-l domain] [-M domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-P] [-p] [-Q] [-R] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-V] [-X extended end-time] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]

-

DESCRIPTION

+

DESCRIPTION

dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -61,7 +61,7 @@

-

OPTIONS

+

OPTIONS

-a

@@ -512,7 +512,7 @@

-

EXAMPLE

+

EXAMPLE

The following command signs the example.com zone with the DSA key generated by dnssec-keygen @@ -542,14 +542,14 @@ db.example.com.signed %

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 4033, RFC 4641.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html
index 29fab13ab7..995b222ad4 100644
--- a/doc/arm/man.dnssec-verify.html
+++ b/doc/arm/man.dnssec-verify.html
@@ -50,7 +50,7 @@

dnssec-verify [-c class] [-E engine] [-I input-format] [-o origin] [-v level] [-V] [-x] [-z] {zonefile}

-

DESCRIPTION

+

DESCRIPTION

dnssec-verify verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 @@ -58,7 +58,7 @@

-

OPTIONS

+

OPTIONS

-c class

@@ -138,7 +138,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -146,7 +146,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html
index 1797584c3a..6ee5ba0538 100644
--- a/doc/arm/man.genrandom.html
+++ b/doc/arm/man.genrandom.html
@@ -50,7 +50,7 @@

genrandom [-n number] {size} (unknown)

-

DESCRIPTION

+

DESCRIPTION

genrandom generates a file or a set of files containing a specified quantity @@ -59,7 +59,7 @@

-

ARGUMENTS

+

ARGUMENTS

-n number

@@ -77,14 +77,14 @@

-

SEE ALSO

+

SEE ALSO

rand(3), arc4random(3)

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index 7ec0fe4d1e..dd92994836 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -50,7 +50,7 @@

host [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] [-v] [-V] {name} [server]

-

DESCRIPTION

+

DESCRIPTION

host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. @@ -214,7 +214,7 @@

-

IDN SUPPORT

+

IDN SUPPORT

If host has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -228,12 +228,12 @@

-

FILES

+

FILES

/etc/resolv.conf

-

SEE ALSO

+

SEE ALSO

dig(1), named(8).

diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html
index 506836869f..ca4d5a2175 100644
--- a/doc/arm/man.isc-hmac-fixup.html
+++ b/doc/arm/man.isc-hmac-fixup.html
@@ -50,7 +50,7 @@

isc-hmac-fixup {algorithm} {secret}

-

DESCRIPTION

+

DESCRIPTION

Versions of BIND 9 up to and including BIND 9.6 had a bug causing HMAC-SHA* TSIG keys which were longer than the digest length of the @@ -76,7 +76,7 @@

-

SECURITY CONSIDERATIONS

+

SECURITY CONSIDERATIONS

Secrets that have been converted by isc-hmac-fixup are shortened, but as this is how the HMAC protocol works in @@ -87,14 +87,14 @@

-

SEE ALSO

+

SEE ALSO

BIND 9 Administrator Reference Manual, RFC 2104.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 0b9f777c70..ab1dd90961 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -50,7 +50,7 @@

named-checkconf [-h] [-v] [-j] [-t directory] (unknown) [-p] [-x] [-z]

-

DESCRIPTION

+

DESCRIPTION

named-checkconf checks the syntax, but not the semantics, of a named configuration file. The file is parsed @@ -70,7 +70,7 @@

-

OPTIONS

+

OPTIONS

-h

@@ -119,21 +119,21 @@

-

RETURN VALUES

+

RETURN VALUES

named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.

-

SEE ALSO

+

SEE ALSO

named(8), named-checkzone(8), BIND 9 Administrator Reference Manual.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index b04ad62af8..2125e71a11 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -51,7 +51,7 @@

named-compilezone [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-J filename] [-i mode] [-k mode] [-m mode] [-n mode] [-l ttl] [-L serial] [-r mode] [-s style] [-t directory] [-T mode] [-w directory] [-D] [-W mode] {-o filename} {zonename} (unknown)

-

DESCRIPTION

+

DESCRIPTION

named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a @@ -71,7 +71,7 @@

-

OPTIONS

+

OPTIONS

-d

@@ -305,14 +305,14 @@

-

RETURN VALUES

+

RETURN VALUES

named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.

-

SEE ALSO

+

SEE ALSO

named(8), named-checkconf(8), RFC 1035, @@ -320,7 +320,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index ad1d46f7b2..ae04fa86ea 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -50,7 +50,7 @@

named-journalprint {journal}

-

DESCRIPTION

+

DESCRIPTION

named-journalprint prints the contents of a zone journal file in a human-readable @@ -76,7 +76,7 @@

-

SEE ALSO

+

SEE ALSO

named(8), nsupdate(8), @@ -84,7 +84,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html index 5be195928f..6cb7641876 100644 --- a/doc/arm/man.named-rrchecker.html +++ b/doc/arm/man.named-rrchecker.html @@ -50,7 +50,7 @@

named-rrchecker [-h] [-o origin] [-p] [-u] [-C] [-T] [-P]

-

DESCRIPTION

+

DESCRIPTION

named-rrchecker read a individual DNS resource record from standard input and checks if it is syntactically correct. @@ -78,7 +78,7 @@

-

SEE ALSO

+

SEE ALSO

RFC 1034, RFC 1035, diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index 5067adb260..721fdae43b 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -50,7 +50,7 @@

named [-4] [-6] [-c config-file] [-d debug-level] [-D string] [-E engine-name] [-f] [-g] [-L logfile] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-U #listeners] [-u user] [-v] [-V] [-x cache-file]

-

DESCRIPTION

+

DESCRIPTION

named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -65,7 +65,7 @@

-

OPTIONS

+

OPTIONS

-4

@@ -281,7 +281,7 @@

-

SIGNALS

+

SIGNALS

In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -302,7 +302,7 @@

-

CONFIGURATION

+

CONFIGURATION

The named configuration file is too complex to describe in detail here. A complete description is provided @@ -319,7 +319,7 @@

-

FILES

+

FILES

/etc/named.conf

@@ -332,7 +332,7 @@

-

SEE ALSO

+

SEE ALSO

RFC 1033, RFC 1034, RFC 1035, @@ -345,7 +345,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index 3e8c89199c..2d9563d501 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -48,7 +48,7 @@

nsec3hash {salt} {algorithm} {iterations} {domain}

-

DESCRIPTION

+

DESCRIPTION

nsec3hash generates an NSEC3 hash based on a set of NSEC3 parameters. This can be used to check the validity @@ -56,7 +56,7 @@

-

ARGUMENTS

+

ARGUMENTS

salt

@@ -80,14 +80,14 @@

-

SEE ALSO

+

SEE ALSO

BIND 9 Administrator Reference Manual, RFC 5155.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index 5d8bab1e04..5e96c8507b 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -50,7 +50,7 @@

nsupdate [-d] [-D] [[-g] | [-o] | [-l] | [-y [hmac:]keyname:secret] | [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [-T] [-P] [-V] [filename]

-

DESCRIPTION

+

DESCRIPTION

nsupdate is used to submit Dynamic DNS Update requests as defined in RFC 2136 to a name server. @@ -236,7 +236,7 @@

-

INPUT FORMAT

+

INPUT FORMAT

nsupdate reads input from filename @@ -538,7 +538,7 @@

-

EXAMPLES

+

EXAMPLES

The examples below show how nsupdate @@ -592,7 +592,7 @@

-

FILES

+

FILES

/etc/resolv.conf

@@ -615,7 +615,7 @@

-

SEE ALSO

+

SEE ALSO

RFC 2136, RFC 3007, @@ -630,7 +630,7 @@

-

BUGS

+

BUGS

The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 5d78e22383..41f84b89d2 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -50,7 +50,7 @@

rndc-confgen [-a] [-A algorithm] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

-

DESCRIPTION

+

DESCRIPTION

rndc-confgen generates configuration files for rndc. It can be used as a @@ -66,7 +66,7 @@

-

OPTIONS

+

OPTIONS

-a
@@ -180,7 +180,7 @@
-

EXAMPLES

+

EXAMPLES

To allow rndc to be used with no manual configuration, run @@ -197,7 +197,7 @@

-

SEE ALSO

+

SEE ALSO

rndc(8), rndc.conf(5), named(8), @@ -205,7 +205,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index f1ad9d33c2..ee47f5520b 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -50,7 +50,7 @@

rndc.conf

-

DESCRIPTION

+

DESCRIPTION

rndc.conf is the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to @@ -136,7 +136,7 @@

-

EXAMPLE

+

EXAMPLE

       options {
         default-server  localhost;
@@ -210,7 +210,7 @@
     

-

NAME SERVER CONFIGURATION

+

NAME SERVER CONFIGURATION

The name server must be configured to accept rndc connections and to recognize the key specified in the rndc.conf @@ -220,7 +220,7 @@

-

SEE ALSO

+

SEE ALSO

rndc(8), rndc-confgen(8), mmencode(1), @@ -228,7 +228,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 258a3f0773..d44230959b 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -50,7 +50,7 @@

rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-q] [-V] [-y key_id] {command}

-

DESCRIPTION

+

DESCRIPTION

rndc controls the operation of a name server. It supersedes the ndc utility @@ -81,7 +81,7 @@

-

OPTIONS

+

OPTIONS

-b source-address

@@ -152,7 +152,7 @@

-

COMMANDS

+

COMMANDS

A list of commands supported by rndc can be seen by running rndc without arguments. @@ -599,7 +599,7 @@

-

LIMITATIONS

+

LIMITATIONS

There is currently no way to provide the shared secret for a key_id without using the configuration file. @@ -609,7 +609,7 @@

-

SEE ALSO

+

SEE ALSO

rndc.conf(5), rndc-confgen(8), named(8), @@ -619,7 +619,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/doc/misc/options b/doc/misc/options index 6f4d1d7b48..96d37b4259 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -150,6 +150,7 @@ options { forwarders [ port ] [ dscp ] { ( | ) [ port ] [ dscp ]; ... }; geoip-directory ( | none ); // not configured + geoip-use-ecs ( | none ); // not configured has-old-clients ; // obsolete heartbeat-interval ; host-statistics ; // not implemented From 2548678376b5171567c902ef2d1768d2fc57f233 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Tue, 2 Sep 2014 12:56:54 -0700 Subject: [PATCH 19/92] [master] note libGeoIP requirement in CHANGES --- CHANGES | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGES b/CHANGES index 34f0d24172..7b30a34c81 100644 --- a/CHANGES +++ b/CHANGES @@ -17,6 +17,9 @@ then it will be used instead of the client source address when matching "geoip" ACL elements. This behavior can be overridden with "geoip-use-ecs no;". + (Note: to enable "geoip" ACLs, use "configure + --with-geoip". This requires libGeoIP version + 1.5.0 or higher.) When "ecs" or "geoip" ACL elements are used to select a view for a query, the response will include From 74717eef53ba5d6aefc80eb262bbb090ff4bb3b5 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 4 Sep 2014 10:37:45 +1000 Subject: [PATCH 20/92] 3939. [func] Improve UPDATE forwarding performance by allowing TCP connections to be shared. [RT #37039] --- CHANGES | 3 + bin/tests/system/nsupdate/clean.sh | 2 + bin/tests/system/nsupdate/ns1/many.test.db.in | 25 +++++ bin/tests/system/nsupdate/ns1/named.conf | 6 + bin/tests/system/nsupdate/ns3/named.conf | 9 +- bin/tests/system/nsupdate/setup.sh | 3 + bin/tests/system/nsupdate/tests.sh | 26 +++++ lib/dns/dispatch.c | 104 +++++++++++++++++- lib/dns/include/dns/dispatch.h | 15 +++ lib/dns/request.c | 44 +++++--- lib/dns/win32/libdns.def.in | 2 + lib/dns/zone.c | 12 +- 12 files changed, 227 insertions(+), 24 deletions(-) create mode 100644 bin/tests/system/nsupdate/ns1/many.test.db.in 
diff --git a/CHANGES b/CHANGES index 7b30a34c81..43ed8c5199 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +3939. [func] Improve UPDATE forwarding performance by allowing TCP + connections to be shared. [RT #37039] + 3938. [placeholder] 3937. [func] Added some debug logging to better indicate the diff --git a/bin/tests/system/nsupdate/clean.sh b/bin/tests/system/nsupdate/clean.sh index 424cdf40c6..d4c1113fa2 100644 --- a/bin/tests/system/nsupdate/clean.sh +++ b/bin/tests/system/nsupdate/clean.sh @@ -36,3 +36,5 @@ rm -f dig.out.* rm -f jp.out.ns3.* rm -f Kxxx.* rm -f typelist.out.* +rm -f ns1/many.test.db ns3/many.test.db.jnl +rm -f ns3/many.test.bk ns3/many.test.bk.jnl diff --git a/bin/tests/system/nsupdate/ns1/many.test.db.in b/bin/tests/system/nsupdate/ns1/many.test.db.in new file mode 100644 index 0000000000..955e95dd48 --- /dev/null +++ b/bin/tests/system/nsupdate/ns1/many.test.db.in @@ -0,0 +1,25 @@ +; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +$ORIGIN . +$TTL 300 ; 5 minutes +many.test IN SOA ns1.example.nil. hostmaster.example.nil. ( + 1 ; serial + 2000 ; refresh (2000 seconds) + 2000 ; retry (2000 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +many.test NS ns1.example.nil. +many.test NS ns2.example.nil. 
diff --git a/bin/tests/system/nsupdate/ns1/named.conf b/bin/tests/system/nsupdate/ns1/named.conf index f9e3b20d30..4263e381e4 100644 --- a/bin/tests/system/nsupdate/ns1/named.conf +++ b/bin/tests/system/nsupdate/ns1/named.conf @@ -127,3 +127,9 @@ zone "keytests.nil" { grant sha512-key name sha512.keytests.nil. ANY; }; }; + +zone "many.test" { + type master; + allow-update { any; }; + file "many.test.db"; +}; diff --git a/bin/tests/system/nsupdate/ns3/named.conf b/bin/tests/system/nsupdate/ns3/named.conf index 2abd522510..8606b53f7d 100644 --- a/bin/tests/system/nsupdate/ns3/named.conf +++ b/bin/tests/system/nsupdate/ns3/named.conf @@ -16,7 +16,7 @@ /* $Id: named.conf,v 1.5 2011/02/03 12:18:11 tbox Exp $ */ -// NS1 +// NS3 controls { /* empty */ }; @@ -60,3 +60,10 @@ zone "dnskey.test" { allow-update { any; }; file "dnskey.test.db.signed"; }; + +zone "many.test" { + type slave; + masters { 10.53.0.1; }; + allow-update-forwarding { any; }; + file "many.test.bk"; +}; diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh index e3528dbf7e..eb048976eb 100644 --- a/bin/tests/system/nsupdate/setup.sh +++ b/bin/tests/system/nsupdate/setup.sh @@ -62,3 +62,6 @@ $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha384 -k sha384-key -z keytests.nil > ns1/ $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha512 -k sha512-key -z keytests.nil > ns1/sha512.key (cd ns3; $SHELL -e sign.sh) + +cp -f ns1/many.test.db.in ns1/many.test.db +rm -f ns1/many.test.db.jnl diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh index 7dad50fef3..309aa6b514 100755 --- a/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh 
@@ -597,5 +597,31 @@ serial=`$DIG +short yyyymmddvv.nil. soa @10.53.0.1 -p 5300 | awk '{print $3}'` | [ "$serial" -eq "$now" ] || ret=1 [ $ret = 0 ] || { echo I:failed; status=1; } +n=`expr $n + 1` +echo "I:send many simultaneous updates via a update forwarder ($n)" +ret=0 +for i in 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 +do +( + for j in 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 + do + ( + $NSUPDATE << EOF +server 10.53.0.3 5300 +zone many.test +update add $i-$j.many.test 0 IN A 1.2.3.4 +send +EOF + ) & + done + wait +) & +done +wait +dig axfr many.test @10.53.0.1 -p 5300 > dig.out.test$n +lines=`awk '$4 == "A" { l++ } END { print l }' dig.out.test$n` +test ${lines:-0} -eq 289 || ret=1 +[ $ret = 0 ] || { echo I:failed; status=1; } + echo "I:exit status: $status" exit $status diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c index 5a90ee5e7b..9bfd6b9837 100644 --- a/lib/dns/dispatch.c +++ b/lib/dns/dispatch.c @@ -218,6 +218,7 @@ struct dns_dispatch { isc_socket_t *socket; /*%< isc socket attached to */ isc_sockaddr_t local; /*%< local address */ in_port_t localport; /*%< local UDP port */ + isc_sockaddr_t peer; /*%< peer address (TCP) */ isc_dscp_t dscp; /*%< "listen-on" DSCP value */ unsigned int maxrequests; /*%< max requests */ isc_event_t *ctlevent; @@ -2126,7 +2127,6 @@ dns_dispatchmgr_destroy(dns_dispatchmgr_t **mgrp) { LOCK(&mgr->lock); mgr->state |= MGR_SHUTTINGDOWN; - killit = destroy_mgr_ok(mgr); UNLOCK(&mgr->lock); @@ -2400,6 +2400,7 @@ dispatch_allocate(dns_dispatchmgr_t *mgr, unsigned int maxrequests, disp->refcount = 1; disp->recv_pending = 0; memset(&disp->local, 0, sizeof(disp->local)); + memset(&disp->peer, 0, sizeof(disp->peer)); disp->localport = 0; disp->shutting_down = 0; disp->shutdown_out = 0; 
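Review bot: The verification step at the end of the new update-forwarding test runs a bare `dig` rather than the `$DIG` used by the surrounding tests (the serial check just above this hunk uses `$DIG`), so it exercises whatever dig is on PATH instead of the one built from this tree, and a failed AXFR is only reported indirectly as a wrong line count. Change it to `$DIG axfr many.test @10.53.0.1 -p 5300 > dig.out.test$n || ret=1`. A short comment such as `# 17 x 17 updates, one A record each` would also explain where `289` comes from.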
@@ -2507,6 +2508,23 @@ dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, isc_socket_t *sock, unsigned int buckets, unsigned int increment, unsigned int attributes, dns_dispatch_t **dispp) { + + attributes |= DNS_DISPATCHATTR_PRIVATE; /* XXXMLG */ + + return (dns_dispatch_createtcp2(mgr, sock, taskmgr, NULL, NULL, + buffersize, maxbuffers, maxrequests, + buckets, increment, attributes, + dispp)); +} + +isc_result_t +dns_dispatch_createtcp2(dns_dispatchmgr_t *mgr, isc_socket_t *sock, + isc_taskmgr_t *taskmgr, isc_sockaddr_t *localaddr, + isc_sockaddr_t *destaddr, unsigned int buffersize, + unsigned int maxbuffers, unsigned int maxrequests, + unsigned int buckets, unsigned int increment, + unsigned int attributes, dns_dispatch_t **dispp) +{ isc_result_t result; dns_dispatch_t *disp; @@ -2518,7 +2536,8 @@ dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, isc_socket_t *sock, REQUIRE((attributes & DNS_DISPATCHATTR_TCP) != 0); REQUIRE((attributes & DNS_DISPATCHATTR_UDP) == 0); - attributes |= DNS_DISPATCHATTR_PRIVATE; /* XXXMLG */ + if (destaddr == NULL) + attributes |= DNS_DISPATCHATTR_PRIVATE; /* XXXMLG */ LOCK(&mgr->lock); @@ -2565,6 +2584,23 @@ dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, isc_socket_t *sock, disp->attributes = attributes; + if (localaddr == NULL) { + if (destaddr != NULL) { + switch (isc_sockaddr_pf(destaddr)) { + case AF_INET: + isc_sockaddr_any(&disp->local); + break; + case AF_INET6: + isc_sockaddr_any6(&disp->local); + break; + } + } + } else + disp->local = *localaddr; + + if (destaddr != NULL) + disp->peer = *destaddr; + /* * Append it to the dispatcher list. */ @@ -2573,7 +2609,6 @@ dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, isc_socket_t *sock, mgr_log(mgr, LVL(90), "created TCP dispatcher %p", disp); dispatch_log(disp, LVL(90), "created task %p", disp->task[0]); - *dispp = disp; return (ISC_R_SUCCESS); 
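Review bot: In `dns_dispatch_createtcp2` the decision to leave the dispatch non-PRIVATE, and therefore shareable through the manager list, hinges silently on `destaddr != NULL`; nothing in the hunk says so, and the `/* XXXMLG */` marker it inherits does not either. I would add above the `if (destaddr == NULL)` line: `/* A destination address marks this dispatch as shareable: it is left non-PRIVATE and its peer is recorded so later requests to the same peer can reuse the connection. */`. The wrapper `dns_dispatch_createtcp` also ORs in DNS_DISPATCHATTR_PRIVATE itself before calling createtcp2, which then sets it again because destaddr is NULL; harmless, but one of the two can go. The `switch (isc_sockaddr_pf(destaddr))` has no default case and relies on the memset in dispatch_allocate (earlier hunk) to leave `disp->local` zeroed for other families, which is worth a one-line comment.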
@@ -2593,6 +2628,69 @@ dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, isc_socket_t *sock, return (result); } +isc_result_t +dns_dispatch_gettcp(dns_dispatchmgr_t *mgr, isc_sockaddr_t *destaddr, + isc_sockaddr_t *localaddr, dns_dispatch_t **dispp) +{ + dns_dispatch_t *disp; + isc_result_t result; + isc_sockaddr_t peeraddr; + isc_sockaddr_t sockname; + isc_sockaddr_t any; + unsigned int attributes, mask; + isc_boolean_t match = ISC_FALSE; + + REQUIRE(VALID_DISPATCHMGR(mgr)); + REQUIRE(destaddr != NULL); + REQUIRE(dispp != NULL && *dispp == NULL); + + attributes = DNS_DISPATCHATTR_TCP; + mask = DNS_DISPATCHATTR_TCP | DNS_DISPATCHATTR_PRIVATE | + DNS_DISPATCHATTR_EXCLUSIVE; + + if (localaddr == NULL) { + switch (isc_sockaddr_pf(destaddr)) { + case AF_INET: + isc_sockaddr_any(&any); + break; + case AF_INET6: + isc_sockaddr_any6(&any); + break; + default: + return (ISC_R_NOTFOUND); + } + localaddr = &any; + } + + LOCK(&mgr->lock); + disp = ISC_LIST_HEAD(mgr->list); + while (disp != NULL && !match) { + LOCK(&disp->lock); + if ((disp->shutting_down == 0) && + ATTRMATCH(disp->attributes, attributes, mask) && + (localaddr == NULL || + isc_sockaddr_eqaddr(localaddr, &disp->local))) { + result = isc_socket_getsockname(disp->socket, + &sockname); + if (result == ISC_R_SUCCESS) + result = isc_socket_getpeername(disp->socket, + &peeraddr); + if (result == ISC_R_SUCCESS && + isc_sockaddr_equal(destaddr, &peeraddr) && + isc_sockaddr_eqaddr(localaddr, &sockname)) { + /* attach */ + disp->refcount++; + *dispp = disp; + match = ISC_TRUE; + } + } + UNLOCK(&disp->lock); + disp = ISC_LIST_NEXT(disp, link); + } + UNLOCK(&mgr->lock); + return (match ? ISC_R_SUCCESS : ISC_R_NOTFOUND); +} + isc_result_t dns_dispatch_getudp_dup(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr, isc_taskmgr_t *taskmgr, isc_sockaddr_t *localaddr, diff --git a/lib/dns/include/dns/dispatch.h b/lib/dns/include/dns/dispatch.h index ef5b9179dd..358a85984b 100644 --- a/lib/dns/include/dns/dispatch.h 
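Review bot: In `dns_dispatch_gettcp` the `localaddr == NULL ||` test inside the loop is dead code, because `localaddr` has already been replaced by `&any` when the caller passed NULL; drop it so the condition reads `isc_sockaddr_eqaddr(localaddr, &disp->local)`. More importantly, when that wildcard substitution happened, the later `isc_sockaddr_eqaddr(localaddr, &sockname)` compares 0.0.0.0/:: with the address the kernel reports for a connected socket; unless eqaddr special-cases the unspecified address (not visible here), a caller without an explicit source address will never find a match and sharing quietly does not happen. The `disp->peer` field added by this commit is recorded in createtcp2 but never read here, so comparing `destaddr` against `disp->peer` and `localaddr` against `disp->local` (skipping the sockname check when the wildcard was substituted) would both fix that and avoid two socket syscalls per list entry while holding both the manager and dispatch locks. Note that a dispatch still mid-connect fails getpeername and is skipped, so concurrent first requests each open their own connection; if that is intended it deserves a comment.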
+++ b/lib/dns/include/dns/dispatch.h @@ -298,6 +298,13 @@ dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, isc_socket_t *sock, unsigned int maxbuffers, unsigned int maxrequests, unsigned int buckets, unsigned int increment, unsigned int attributes, dns_dispatch_t **dispp); +isc_result_t +dns_dispatch_createtcp2(dns_dispatchmgr_t *mgr, isc_socket_t *sock, + isc_taskmgr_t *taskmgr, isc_sockaddr_t *localaddr, + isc_sockaddr_t *destaddr, unsigned int buffersize, + unsigned int maxbuffers, unsigned int maxrequests, + unsigned int buckets, unsigned int increment, + unsigned int attributes, dns_dispatch_t **dispp); /*%< * Create a new dns_dispatch and attach it to the provided isc_socket_t. * @@ -369,6 +376,14 @@ dns_dispatch_starttcp(dns_dispatch_t *disp); *\li 'disp' is valid. */ +isc_result_t +dns_dispatch_gettcp(dns_dispatchmgr_t *mgr, isc_sockaddr_t *destaddr, + isc_sockaddr_t *localaddr, dns_dispatch_t **dispp); +/* + * Attempt to connect to a existing TCP connection. + */ + + isc_result_t dns_dispatch_addresponse2(dns_dispatch_t *disp, isc_sockaddr_t *dest, isc_task_t *task, isc_taskaction_t action, void *arg, diff --git a/lib/dns/request.c b/lib/dns/request.c index b21786875c..be8072c632 100644 --- a/lib/dns/request.c +++ b/lib/dns/request.c @@ -525,7 +525,7 @@ isblackholed(dns_dispatchmgr_t *dispatchmgr, isc_sockaddr_t *destaddr) { static isc_result_t create_tcp_dispatch(dns_requestmgr_t *requestmgr, isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr, isc_dscp_t dscp, - dns_dispatch_t **dispatchp) + isc_boolean_t *connected, dns_dispatch_t **dispatchp) { isc_result_t result; isc_socket_t *socket = NULL; 
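Review bot: The header comment for `dns_dispatch_gettcp` does not state the contract a caller needs, and "a existing" should be "an existing". It should say that on ISC_R_SUCCESS `*dispp` is attached (its refcount is bumped in the implementation) and must be released with dns_dispatch_detach(), that ISC_R_NOTFOUND means no suitable dispatch exists, that only TCP dispatches that are neither PRIVATE nor EXCLUSIVE and whose socket is already connected to `destaddr` qualify, and that `localaddr` may be NULL to mean the wildcard address for destaddr's family. `dns_dispatch_createtcp2` is inserted ahead of the existing `/*%< Create a new dns_dispatch ...` block but that block never mentions `localaddr` or `destaddr`; a sentence noting that a non-NULL `destaddr` makes the dispatch shareable (PRIVATE is not set) and records the peer would close the gap.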
@@ -533,6 +533,17 @@ create_tcp_dispatch(dns_requestmgr_t *requestmgr, isc_sockaddr_t *srcaddr, unsigned int attrs; isc_sockaddr_t bind_any; + result = dns_dispatch_gettcp(requestmgr->dispatchmgr, destaddr, + srcaddr, dispatchp); + if (result == ISC_R_SUCCESS) { + *connected = ISC_TRUE; + char peer[ISC_SOCKADDR_FORMATSIZE]; + isc_sockaddr_format(destaddr, peer, sizeof(peer)); + req_log(ISC_LOG_DEBUG(1), "attached to existing TCP " + "connection to %s", peer); + return (result); + } + result = isc_socket_create(requestmgr->socketmgr, isc_sockaddr_pf(destaddr), isc_sockettype_tcp, &socket); @@ -554,7 +565,6 @@ create_tcp_dispatch(dns_requestmgr_t *requestmgr, isc_sockaddr_t *srcaddr, attrs = 0; attrs |= DNS_DISPATCHATTR_TCP; - attrs |= DNS_DISPATCHATTR_PRIVATE; if (isc_sockaddr_pf(destaddr) == AF_INET) attrs |= DNS_DISPATCHATTR_IPV4; else @@ -562,10 +572,11 @@ create_tcp_dispatch(dns_requestmgr_t *requestmgr, isc_sockaddr_t *srcaddr, attrs |= DNS_DISPATCHATTR_MAKEQUERY; isc_socket_dscp(socket, dscp); - result = dns_dispatch_createtcp(requestmgr->dispatchmgr, - socket, requestmgr->taskmgr, - 4096, 2, 1, 1, 3, attrs, - dispatchp); + result = dns_dispatch_createtcp2(requestmgr->dispatchmgr, + socket, requestmgr->taskmgr, + srcaddr, destaddr, + 4096, 32768, 32768, 16411, 16433, + attrs, dispatchp); cleanup: isc_socket_detach(&socket); return (result); @@ -627,12 +638,15 @@ find_udp_dispatch(dns_requestmgr_t *requestmgr, isc_sockaddr_t *srcaddr, static isc_result_t get_dispatch(isc_boolean_t tcp, dns_requestmgr_t *requestmgr, isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr, - isc_dscp_t dscp, dns_dispatch_t **dispatchp) + isc_dscp_t dscp, isc_boolean_t *connected, + dns_dispatch_t **dispatchp) { isc_result_t result; + if (tcp) result = create_tcp_dispatch(requestmgr, srcaddr, - destaddr, dscp, dispatchp); + destaddr, dscp, connected, + dispatchp); else result = find_udp_dispatch(requestmgr, srcaddr, destaddr, dispatchp); 
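Review bot: The new early-return block in `create_tcp_dispatch` declares `char peer[ISC_SOCKADDR_FORMATSIZE];` after the statement `*connected = ISC_TRUE;`, which is a C99 mixed declaration; the rest of this function (and the visible code base) declares at the top of the block, so move `char peer[ISC_SOCKADDR_FORMATSIZE];` up next to `isc_sockaddr_t bind_any;`. The dispatch sizing also changes from `4096, 2, 1, 1, 3` to `4096, 32768, 32768, 16411, 16433` with no explanation; since these now describe a shared per-peer connection, a comment stating why these limits were chosen (and, if they size the query-id hash table, what that costs per connection) would help the next reader, or they could become named constants. The enclosing function starts before this hunk.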
@@ -719,6 +733,7 @@ dns_request_createraw4(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf, dns_messageid_t id; isc_boolean_t tcp = ISC_FALSE; isc_region_t r; + isc_boolean_t connected = ISC_FALSE; REQUIRE(VALID_REQUESTMGR(requestmgr)); REQUIRE(msgbuf != NULL); @@ -781,7 +796,7 @@ dns_request_createraw4(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf, tcp = ISC_TRUE; result = get_dispatch(tcp, requestmgr, srcaddr, destaddr, dscp, - &request->dispatch); + &connected, &request->dispatch); if (result != ISC_R_SUCCESS) goto cleanup; @@ -828,14 +843,14 @@ dns_request_createraw4(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf, goto unlink; request->destaddr = *destaddr; - if (tcp) { + if (tcp && !connected) { result = isc_socket_connect(socket, destaddr, task, req_connected, request); if (result != ISC_R_SUCCESS) goto unlink; request->flags |= DNS_REQUEST_F_CONNECTING|DNS_REQUEST_F_TCP; } else { - result = req_send(request, task, destaddr); + result = req_send(request, task, connected ? NULL : destaddr); if (result != ISC_R_SUCCESS) goto unlink; } @@ -935,6 +950,7 @@ dns_request_createvia4(dns_requestmgr_t *requestmgr, dns_message_t *message, dns_messageid_t id; isc_boolean_t tcp; isc_boolean_t setkey = ISC_TRUE; + isc_boolean_t connected = ISC_FALSE; REQUIRE(VALID_REQUESTMGR(requestmgr)); REQUIRE(message != NULL); @@ -994,7 +1010,7 @@ dns_request_createvia4(dns_requestmgr_t *requestmgr, dns_message_t *message, use_tcp: tcp = ISC_TF((options & DNS_REQUESTOPT_TCP) != 0); result = get_dispatch(tcp, requestmgr, srcaddr, destaddr, dscp, - &request->dispatch); + &connected, &request->dispatch); if (result != ISC_R_SUCCESS) goto cleanup; 
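Review bot: In `dns_request_createraw4` the shared-connection path (`tcp && connected`) sends over a TCP socket via `req_send(..., NULL)` but never sets `DNS_REQUEST_F_TCP`; that flag is only ORed in on the `isc_socket_connect` branch. If anything later in request.c keys on the flag (retry, cancel or cleanup decisions are not visible in this diff), a request on a reused connection will be treated as UDP, so add `if (connected) request->flags |= DNS_REQUEST_F_TCP;` before the branch; the same applies to the parallel hunk in `dns_request_createvia4`. It is also worth checking that cancelling one request does not cancel pending sends for every request now multiplexed on the same socket, which it would if the cancel path passes a NULL task to isc_socket_cancel. The enclosing functions start before these hunks.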
@@ -1050,14 +1066,14 @@ dns_request_createvia4(dns_requestmgr_t *requestmgr, dns_message_t *message, goto unlink; request->destaddr = *destaddr; - if (tcp) { + if (tcp && !connected) { result = isc_socket_connect(socket, destaddr, task, req_connected, request); if (result != ISC_R_SUCCESS) goto unlink; request->flags |= DNS_REQUEST_F_CONNECTING|DNS_REQUEST_F_TCP; } else { - result = req_send(request, task, destaddr); + result = req_send(request, task, connected ? NULL : destaddr); if (result != ISC_R_SUCCESS) goto unlink; } diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in index 422f21c3ee..7cb9b7665d 100644 --- a/lib/dns/win32/libdns.def.in +++ b/lib/dns/win32/libdns.def.in @@ -209,10 +209,12 @@ dns_dispatch_attach dns_dispatch_cancel dns_dispatch_changeattributes dns_dispatch_createtcp +dns_dispatch_createtcp2 dns_dispatch_detach dns_dispatch_getdscp dns_dispatch_getlocaladdress dns_dispatch_getsocket +dns_dispatch_gettcp dns_dispatch_getudp dns_dispatch_getudp_dup dns_dispatch_importrecv diff --git a/lib/dns/zone.c b/lib/dns/zone.c index b1c0f544e8..709d5f8dd4 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -14927,12 +14927,12 @@ sendtomaster(dns_forward_t *forward) { goto unlock; } result = dns_request_createraw4(forward->zone->view->requestmgr, - forward->msgbuf, - &src, &forward->addr, dscp, - DNS_REQUESTOPT_TCP, 15 /* XXX */, - 0, 0, forward->zone->task, - forward_callback, forward, - &forward->request); + forward->msgbuf, + &src, &forward->addr, dscp, + DNS_REQUESTOPT_TCP, 15 /* XXX */, + 0, 0, forward->zone->task, + forward_callback, forward, + &forward->request); if (result == ISC_R_SUCCESS) { if (!ISC_LINK_LINKED(forward, link)) ISC_LIST_APPEND(forward->zone->forwards, forward, link); From 3d066288ad6c6fe2ec2a54475f541a305a085068 Mon Sep 17 00:00:00 2001 
From: Evan Hunt Date: Wed, 3 Sep 2014 19:00:03 -0700 Subject: [PATCH 21/92] [master] [rt37069] update NTA limit to a week 3940. [func] "rndc nta" now allows negative trust anchors to be set for up to one week. [RT #37069] --- CHANGES | 3 +++ bin/named/server.c | 4 ++-- bin/rndc/rndc.docbook | 2 +- bin/tests/system/rndc/tests.sh | 6 ++++++ doc/arm/Bv9ARM-book.xml | 2 +- 5 files changed, 13 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 43ed8c5199..a8f9db11e7 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +3940. [func] "rndc nta" now allows negative trust anchors to be + set for up to one week. [RT #37069] + 3939. [func] Improve UPDATE forwarding performance by allowing TCP connections to be shared. [RT #37039] diff --git a/bin/named/server.c b/bin/named/server.c index 22cdd68f65..c1b06e3771 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -9921,8 +9921,8 @@ ns_server_nta(ns_server_t *server, char *args, isc_buffer_t *text) { CHECK(result); } - if (ntattl > 86400) { - msg = "NTA lifetime cannot exceed one day"; + if (ntattl > 604800) { + msg = "NTA lifetime cannot exceed one week"; CHECK(ISC_R_RANGE); } diff --git a/bin/rndc/rndc.docbook b/bin/rndc/rndc.docbook index b26f765ff4..daf299ed77 100644 --- a/bin/rndc/rndc.docbook +++ b/bin/rndc/rndc.docbook @@ -608,7 +608,7 @@ . The default lifetime is configured in named.conf via the , and defaults to - one hour. The lifetime cannot exceed one day. + one hour. The lifetime cannot exceed one week. A negative trust anchor selectively disables diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh index 8a22990eb3..8cc8992c14 100644 --- a/bin/tests/system/rndc/tests.sh +++ b/bin/tests/system/rndc/tests.sh 
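Review bot: In `ns_server_nta` the new ceiling is the bare literal `604800`, which should be a named constant such as `#define NTA_MAX_LIFETIME (7 * 86400) /* one week */` so the rndc path, the `nta-lifetime` option check, and the error text cannot drift apart; only the rndc check is in this diff while the ARM hunk promises the same one-week limit for the configuration option, so that path needs confirming. Because a negative trust anchor suppresses validation failures for the name, a week-long NTA widens the window in which forged data for that name is accepted; a comment next to the limit explaining why a week was judged acceptable would help future reviewers. The enclosing function starts before this hunk.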
@@ -378,5 +378,11 @@ grep "query: foo9876.bind CH TXT" ns4/named.run > /dev/null && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +echo "I:testing rndc nta time limits" +ret=0 +$RNDC -s 10.53.0.4 -p 9956 -c ns4/key6.conf nta -l 2h nta1.example 2>&1 | grep "Negative trust anchor added" > /dev/null || ret=1 +$RNDC -s 10.53.0.4 -p 9956 -c ns4/key6.conf nta -l 1d nta2.example 2>&1 | grep "Negative trust anchor added" > /dev/null || ret=1 +$RNDC -s 10.53.0.4 -p 9956 -c ns4/key6.conf nta -l 1w nta3.example 2>&1 | grep "Negative trust anchor added" > /dev/null || ret=1 +$RNDC -s 10.53.0.4 -p 9956 -c ns4/key6.conf nta -l 8d nta4.example 2>&1 | grep "NTA lifetime cannot exceed one week" > /dev/null || ret=1 echo "I:exit status: $status" exit $status diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 906c890eca..a76c19673c 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -5737,7 +5737,7 @@ options { For convenience, TTL-style time unit suffixes can be used to specify the NTA lifetime in seconds, minutes or hours. defaults to - one hour. It cannot exceed one day. + one hour. It cannot exceed one week. From 7ae9399897c55d35cb6764277bce4b91d052e0dc Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Wed, 3 Sep 2014 20:29:24 -0700 Subject: [PATCH 22/92] [master] add version number to ARM 3941. [doc] Include the BIND version number in the ARM. [RT #37067] --- CHANGES | 2 ++ doc/arm/Bv9ARM-book.xml | 1 + doc/arm/Makefile.in | 4 +++- doc/xsl/isc-docbook-chunk.xsl.in | 4 ++++ doc/xsl/isc-docbook-html.xsl.in | 4 ++++ 5 files changed, 14 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index a8f9db11e7..b9c06a05e6 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +3941. [doc] Include the BIND version number in the ARM. [RT #37067] + 3940. [func] "rndc nta" now allows negative trust anchors to be set for up to one week. [RT #37069] 
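Review bot: The new `rndc nta` time-limit checks test `1w` (accepted) and `8d` (rejected) but not the boundary itself, so an off-by-one in the `>` comparison would pass unnoticed; add `$RNDC ... nta -l 604801 nta5.example 2>&1 | grep "NTA lifetime cannot exceed one week" > /dev/null || ret=1`. The assertions also match only on message text, so a change in wording would make them fail silently in the wrong direction; matching on the exit status as well would be more robust. Note that the tests rely on `d` and `w` suffixes while the ARM text in this series still says lifetimes are given "in seconds, minutes or hours".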
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index a76c19673c..8e3da639c8 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -43,6 +43,7 @@ 2003 Internet Software Consortium. + diff --git a/doc/arm/Makefile.in b/doc/arm/Makefile.in index 3ecf4af90b..e1f7514473 100644 --- a/doc/arm/Makefile.in +++ b/doc/arm/Makefile.in @@ -67,5 +67,7 @@ Bv9ARM.pdf: Bv9ARM.tex releaseinfo.xml ${PDFLATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1) ${PDFLATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1) -releaseinfo.xml: +FORCE: + +releaseinfo.xml: FORCE echo >$@ 'BIND Version ${VERSION}' diff --git a/doc/xsl/isc-docbook-chunk.xsl.in b/doc/xsl/isc-docbook-chunk.xsl.in index a766c05336..c136b11266 100644 --- a/doc/xsl/isc-docbook-chunk.xsl.in +++ b/doc/xsl/isc-docbook-chunk.xsl.in @@ -56,6 +56,10 @@ + +

BIND Version @PACKAGE_VERSION@

+
+