diff --git a/CHANGES b/CHANGES
index e162d87aff..e7c9c89b54 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+3935. [bug] "geoip asnum" ACL elements would not match unless
+ the full organization name was specified. They
+ can now match against the AS number alone (e.g.,
+ AS1234). [RT #36945]
+
3934. [bug] Catch bad 'sit-secret' in named-checkconf. Improve
sit-secret documentation. [RT #36980]
diff --git a/bin/tests/system/geoip/ns2/named10.conf b/bin/tests/system/geoip/ns2/named10.conf
index 1ceece41cf..29d9d43459 100644
--- a/bin/tests/system/geoip/ns2/named10.conf
+++ b/bin/tests/system/geoip/ns2/named10.conf
@@ -40,7 +40,7 @@ controls {
};
view one {
- match-clients { geoip domain one.de; };
+ match-clients { geoip asnum "AS100001"; };
zone "example" {
type master;
file "example1.db";
@@ -48,7 +48,7 @@ view one {
};
view two {
- match-clients { geoip domain two.com; };
+ match-clients { geoip asnum "AS100002"; };
zone "example" {
type master;
file "example2.db";
@@ -56,7 +56,7 @@ view two {
};
view three {
- match-clients { geoip domain three.com; };
+ match-clients { geoip asnum "AS100003"; };
zone "example" {
type master;
file "example3.db";
@@ -64,7 +64,7 @@ view three {
};
view four {
- match-clients { geoip domain four.com; };
+ match-clients { geoip asnum "AS100004"; };
zone "example" {
type master;
file "example4.db";
@@ -72,7 +72,7 @@ view four {
};
view five {
- match-clients { geoip domain five.es; };
+ match-clients { geoip asnum "AS100005"; };
zone "example" {
type master;
file "example5.db";
@@ -80,7 +80,7 @@ view five {
};
view six {
- match-clients { geoip domain six.it; };
+ match-clients { geoip asnum "AS100006"; };
zone "example" {
type master;
file "example6.db";
@@ -88,7 +88,7 @@ view six {
};
view seven {
- match-clients { geoip domain seven.org; };
+ match-clients { geoip asnum "AS100007"; };
zone "example" {
type master;
file "example7.db";
diff --git a/bin/tests/system/geoip/ns2/named11.conf b/bin/tests/system/geoip/ns2/named11.conf
index 85c0d32c34..1ceece41cf 100644
--- a/bin/tests/system/geoip/ns2/named11.conf
+++ b/bin/tests/system/geoip/ns2/named11.conf
@@ -40,7 +40,7 @@ controls {
};
view one {
- match-clients { geoip netspeed 0; };
+ match-clients { geoip domain one.de; };
zone "example" {
type master;
file "example1.db";
@@ -48,7 +48,7 @@ view one {
};
view two {
- match-clients { geoip netspeed 1; };
+ match-clients { geoip domain two.com; };
zone "example" {
type master;
file "example2.db";
@@ -56,7 +56,7 @@ view two {
};
view three {
- match-clients { geoip netspeed 2; };
+ match-clients { geoip domain three.com; };
zone "example" {
type master;
file "example3.db";
@@ -64,13 +64,37 @@ view three {
};
view four {
- match-clients { geoip netspeed 3; };
+ match-clients { geoip domain four.com; };
zone "example" {
type master;
file "example4.db";
};
};
+view five {
+ match-clients { geoip domain five.es; };
+ zone "example" {
+ type master;
+ file "example5.db";
+ };
+};
+
+view six {
+ match-clients { geoip domain six.it; };
+ zone "example" {
+ type master;
+ file "example6.db";
+ };
+};
+
+view seven {
+ match-clients { geoip domain seven.org; };
+ zone "example" {
+ type master;
+ file "example7.db";
+ };
+};
+
view none {
match-clients { any; };
zone "example" {
diff --git a/bin/tests/system/geoip/ns2/named12.conf b/bin/tests/system/geoip/ns2/named12.conf
index a650a635d2..85c0d32c34 100644
--- a/bin/tests/system/geoip/ns2/named12.conf
+++ b/bin/tests/system/geoip/ns2/named12.conf
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -18,10 +18,6 @@
controls { /* empty */ };
-acl blocking {
- geoip db country country AU;
-};
-
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
@@ -32,7 +28,6 @@ options {
listen-on-v6 { none; };
recursion no;
geoip-directory "../data";
- blackhole { blocking; };
};
key rndc_key {
@@ -43,3 +38,43 @@ key rndc_key {
controls {
inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
};
+
+view one {
+ match-clients { geoip netspeed 0; };
+ zone "example" {
+ type master;
+ file "example1.db";
+ };
+};
+
+view two {
+ match-clients { geoip netspeed 1; };
+ zone "example" {
+ type master;
+ file "example2.db";
+ };
+};
+
+view three {
+ match-clients { geoip netspeed 2; };
+ zone "example" {
+ type master;
+ file "example3.db";
+ };
+};
+
+view four {
+ match-clients { geoip netspeed 3; };
+ zone "example" {
+ type master;
+ file "example4.db";
+ };
+};
+
+view none {
+ match-clients { any; };
+ zone "example" {
+ type master;
+ file "example.db.in";
+ };
+};
diff --git a/bin/tests/system/geoip/ns2/named13.conf b/bin/tests/system/geoip/ns2/named13.conf
index f92d25216c..a650a635d2 100644
--- a/bin/tests/system/geoip/ns2/named13.conf
+++ b/bin/tests/system/geoip/ns2/named13.conf
@@ -18,6 +18,10 @@
controls { /* empty */ };
+acl blocking {
+ geoip db country country AU;
+};
+
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
@@ -28,6 +32,7 @@ options {
listen-on-v6 { none; };
recursion no;
geoip-directory "../data";
+ blackhole { blocking; };
};
key rndc_key {
@@ -38,75 +43,3 @@ key rndc_key {
controls {
inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
};
-
-acl gAU { geoip db country country AU; };
-acl gUS { geoip db country country US; };
-acl gGB { geoip db country country GB; };
-acl gCA { geoip db country country CA; };
-acl gCL { geoip db country country CL; };
-acl gDE { geoip db country country DE; };
-acl gEH { geoip db country country EH; };
-
-view one {
- match-clients { gAU; };
- zone "example" {
- type master;
- file "example1.db";
- };
-};
-
-view two {
- match-clients { gUS; };
- zone "example" {
- type master;
- file "example2.db";
- };
-};
-
-view three {
- match-clients { gGB; };
- zone "example" {
- type master;
- file "example3.db";
- };
-};
-
-view four {
- match-clients { gCA; };
- zone "example" {
- type master;
- file "example4.db";
- };
-};
-
-view five {
- match-clients { gCL; };
- zone "example" {
- type master;
- file "example5.db";
- };
-};
-
-view six {
- match-clients { gDE; };
- zone "example" {
- type master;
- file "example6.db";
- };
-};
-
-view seven {
- match-clients { gEH; };
- zone "example" {
- type master;
- file "example7.db";
- };
-};
-
-view none {
- match-clients { any; };
- zone "example" {
- type master;
- file "example.db.in";
- };
-};
diff --git a/bin/tests/system/geoip/ns2/named14.conf b/bin/tests/system/geoip/ns2/named14.conf
new file mode 100644
index 0000000000..f92d25216c
--- /dev/null
+++ b/bin/tests/system/geoip/ns2/named14.conf
@@ -0,0 +1,112 @@
+/*
+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+// NS2
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ geoip-directory "../data";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
+};
+
+acl gAU { geoip db country country AU; };
+acl gUS { geoip db country country US; };
+acl gGB { geoip db country country GB; };
+acl gCA { geoip db country country CA; };
+acl gCL { geoip db country country CL; };
+acl gDE { geoip db country country DE; };
+acl gEH { geoip db country country EH; };
+
+view one {
+ match-clients { gAU; };
+ zone "example" {
+ type master;
+ file "example1.db";
+ };
+};
+
+view two {
+ match-clients { gUS; };
+ zone "example" {
+ type master;
+ file "example2.db";
+ };
+};
+
+view three {
+ match-clients { gGB; };
+ zone "example" {
+ type master;
+ file "example3.db";
+ };
+};
+
+view four {
+ match-clients { gCA; };
+ zone "example" {
+ type master;
+ file "example4.db";
+ };
+};
+
+view five {
+ match-clients { gCL; };
+ zone "example" {
+ type master;
+ file "example5.db";
+ };
+};
+
+view six {
+ match-clients { gDE; };
+ zone "example" {
+ type master;
+ file "example6.db";
+ };
+};
+
+view seven {
+ match-clients { gEH; };
+ zone "example" {
+ type master;
+ file "example7.db";
+ };
+};
+
+view none {
+ match-clients { any; };
+ zone "example" {
+ type master;
+ file "example.db.in";
+ };
+};
diff --git a/bin/tests/system/geoip/tests.sh b/bin/tests/system/geoip/tests.sh
index e7ab56a57b..3e916aed31 100644
--- a/bin/tests/system/geoip/tests.sh
+++ b/bin/tests/system/geoip/tests.sh
@@ -197,7 +197,7 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /
sleep 3
n=`expr $n + 1`
-echo "I:checking GeoIP domain database ($n)"
+echo "I:checking GeoIP asnum database - ASNNNN only ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
@@ -216,10 +216,10 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /
sleep 3
n=`expr $n + 1`
-echo "I:checking GeoIP netspeed database ($n)"
+echo "I:checking GeoIP domain database ($n)"
ret=0
lret=0
-for i in 1 2 3 4; do
+for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
@@ -234,6 +234,25 @@ cp -f ns2/named12.conf ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
sleep 3
+n=`expr $n + 1`
+echo "I:checking GeoIP netspeed database ($n)"
+ret=0
+lret=0
+for i in 1 2 3 4; do
+ $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
+ j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
+ [ "$i" = "$j" ] || lret=1
+ [ $lret -eq 1 ] && break
+done
+[ $lret -eq 1 ] && ret=1
+[ $ret -eq 0 ] || echo "I:failed"
+status=`expr $status + $ret`
+
+echo "I:reloading server"
+cp -f ns2/named13.conf ns2/named.conf
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
+sleep 3
+
n=`expr $n + 1`
echo "I:checking GeoIP blackhole ACL ($n)"
ret=0
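Review bot: The netspeed check inserted after the named12.conf reload is a verbatim copy of the dig/compare loop already used by the asnum and domain checks in the hunks above, differing only in the echo label and the client list, so the per-view comparison now lives in one more place that must be kept in sync. A helper taking the label and the client indices would reduce each check to a single line such as `check_views "netspeed" 1 2 3 4`; its definition would sit near the top of the script, outside this hunk. Note also that `$RNDC ... reload 2>&1 | sed` discards rndc's exit status, so a failed reload is only noticed indirectly when the following dig comparisons fail; that is a pre-existing pattern carried into the new block rather than something this change introduces.
```shell
# defined once near the top of the script; compares the TXT answer seen by
# each listed client with its own index and accumulates into $status
check_views() {
	label=$1; shift
	n=`expr $n + 1`
	echo "I:checking GeoIP $label database ($n)"
	ret=0
	lret=0
	for i in "$@"; do
		# … unchanged: dig, tr -d '"', compare $i with $j, break on failure …
	done
	# … unchanged: ret/status accounting and "I:failed" echo …
}
```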
@@ -243,7 +262,7 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 status 2>&1 > rndc.out.ns2.tes
status=`expr $status + $ret`
echo "I:reloading server"
-cp -f ns2/named13.conf ns2/named.conf
+cp -f ns2/named14.conf ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
sleep 3
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 01f2c207c3..e0cf9264f4 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -2564,10 +2564,10 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
lwres statement in named.conf.
- The number of client queries that the lwresd
- daemon is able to serve can be set using the
- and
- statements in the configuration.
+ The number of client queries that the lwresd
+ daemon is able to serve can be set using the
+ and
+ statements in the configuration.
@@ -3459,17 +3459,20 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
"isp", "org", "asnum", "domain" and "netspeed".
- value is the value to searched for
- within the database. A string may be quoted if it contains
- spaces or other special characters. If this is a "country"
- search and the string is two characters long, then it must be a
- standard ISO-3166-1 two-letter country code, and if it is three
- characters long then it must be an ISO-3166-1 three-letter
- country code; otherwise it is the full name of the country.
- Similarly, if this is a "region" search and the string is
- two characters long, then it must be a standard two-letter state
- or province abbreviation; otherwise it is the full name of the
- state or province.
+ value is the value to search
+ for within the database. A string may be quoted if it
+ contains spaces or other special characters. If this is
+ an "asnum" search, then the leading "ASNNNN" string can be
+ used, otherwise the full description must be used (e.g.
+ "ASNNNN Example Company Name"). If this is a "country"
+ search and the string is two characters long, then it must
+ be a standard ISO-3166-1 two-letter country code, and if it
+ is three characters long then it must be an ISO-3166-1
+ three-letter country code; otherwise it is the full name
+ of the country. Similarly, if this is a "region" search
+ and the string is two characters long, then it must be a
+ standard two-letter state or province abbreviation;
+ otherwise it is the full name of the state or province.
The database field indicates which
@@ -4718,32 +4721,32 @@ badresp:1,adberr:0,findfail:0,valfail:0]
minimum
number of dots in a relative domain name that should result in an
exact match lookup before search path elements are appended.
-
-
- The statement specifies the number
- of worker threads the lightweight resolver will dedicate to serving
- clients. By default the number is the same as the number of CPUs on
- the system; this can be overridden using the
- command line option when starting the server.
-
-
- The specifies
- the number of client objects per thread the lightweight
- resolver should create to serve client queries.
- By default, if the lightweight resolver runs as a part
- of named, 256 client objects are
- created for each task; if it runs as lwresd,
- 1024 client objects are created for each thread. The maximum
- value is 32768; higher values will be silently ignored and
- the maximum will be used instead.
- Note that setting too high a value may overconsume
- system resources.
-
-
- The maximum number of client queries that the lightweight
- resolver can handle at any one time equals
- times .
-
+
+
+ The statement specifies the number
+ of worker threads the lightweight resolver will dedicate to serving
+ clients. By default the number is the same as the number of CPUs on
+ the system; this can be overridden using the
+ command line option when starting the server.
+
+
+ The specifies
+ the number of client objects per thread the lightweight
+ resolver should create to serve client queries.
+ By default, if the lightweight resolver runs as a part
+ of named, 256 client objects are
+ created for each task; if it runs as lwresd,
+ 1024 client objects are created for each thread. The maximum
+ value is 32768; higher values will be silently ignored and
+ the maximum will be used instead.
+ Note that setting too high a value may overconsume
+ system resources.
+
+
+ The maximum number of client queries that the lightweight
+ resolver can handle at any one time equals
+ times .
+ masters Statement Grammar
@@ -5793,7 +5796,7 @@ options {
For convenience, TTL-style time unit suffixes can be
used to specify the NTA lifetime in seconds, minutes
or hours. defaults to
- one hour. It cannot exceed one day.
+ one hour. It cannot exceed one day.
@@ -5802,31 +5805,31 @@ options {
nta-recheck
- Species how often to check whether negative
- trust anchors added via rndc nta
- are still necessary.
+ Species how often to check whether negative
+ trust anchors added via rndc nta
+ are still necessary.
- A negative trust anchor is normally used when a
- domain has stopped validating due to operator error;
- it temporarily disables DNSSEC validation for that
- domain. In the interest of ensuring that DNSSEC
- validation is turned back on as soon as possible,
- named will periodically send a
- query to the domain, ignoring negative trust anchors,
- to find out whether it can now be validated. If so,
- the negative trust anchor is allowed to expire early.
+ A negative trust anchor is normally used when a
+ domain has stopped validating due to operator error;
+ it temporarily disables DNSSEC validation for that
+ domain. In the interest of ensuring that DNSSEC
+ validation is turned back on as soon as possible,
+ named will periodically send a
+ query to the domain, ignoring negative trust anchors,
+ to find out whether it can now be validated. If so,
+ the negative trust anchor is allowed to expire early.
- Validity checks can be disabled for an individual
- NTA by using rndc nta -f, or
- for all NTA's by setting
- to zero.
+ Validity checks can be disabled for an individual
+ NTA by using rndc nta -f, or
+ for all NTA's by setting
+ to zero.
For convenience, TTL-style time unit suffixes can be
- used to specify the NTA recheck interval in seconds,
- minutes or hours. The default is five minutes.
+ used to specify the NTA recheck interval in seconds,
+ minutes or hours. The default is five minutes.
@@ -9020,24 +9023,24 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
masterfile-style
-
- Specifies the formatting of zone files during dump
- when the is
- text. (This option is ignored
- with any other .)
-
-
- When set to relative,
- records are printed in a multi-line format with owner
- names expressed relative to a shared origin. When set
- to full, records are printed in
- a single-line format with absolute owner names.
- The full format is most suitable
- when a zone file needs to be processed automatically
- by a script. The relative format
- is more human-readable, and is thus suitable when a
- zone is to be edited by hand. The default is
- relative.
+
+ Specifies the formatting of zone files during dump
+ when the is
+ text. (This option is ignored
+ with any other .)
+
+
+ When set to relative,
+ records are printed in a multi-line format with owner
+ names expressed relative to a shared origin. When set
+ to full, records are printed in
+ a single-line format with absolute owner names.
+ The full format is most suitable
+ when a zone file needs to be processed automatically
+ by a script. The relative format
+ is more human-readable, and is thus suitable when a
+ zone is to be edited by hand. The default is
+ relative.
@@ -9050,8 +9053,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
initial value (minimum) and maximum number of recursive
simultaneous clients for any given query
(<qname,qtype,qclass>) that the server will accept
- before dropping additional clients.
- named will attempt to
+ before dropping additional clients.
+ named will attempt to
self tune this value and changes will be logged. The
default values are 10 and 100.
@@ -10564,15 +10567,15 @@ rate-limit {
The request-expire clause determines
- whether the local server, when acting as a slave, will
- request the EDNS EXPIRE value. The EDNS EXPIRE value
- indicates the remaining time before the zone data will
- expire and need to be be refreshed. This is used
- when a secondary server transfers a zone from another
- secondary server; when transferring from the primary, the
- expiration timer is set from the EXPIRE field of the SOA
- record instead.
- The default is yes.
+ whether the local server, when acting as a slave, will
+ request the EDNS EXPIRE value. The EDNS EXPIRE value
+ indicates the remaining time before the zone data will
+ expire and need to be be refreshed. This is used
+ when a secondary server transfers a zone from another
+ secondary server; when transferring from the primary, the
+ expiration timer is set from the EXPIRE field of the SOA
+ record instead.
+ The default is yes.
@@ -12459,11 +12462,11 @@ example.com. NS ns2.example.net.
When set to
serial-update-method date;, the
- new SOA serial number will be the current date
- in the form "YYYYMMDD", followed by two zeroes,
- unless the existing serial number is already greater
- than or equal to that value, in which case it is
- incremented by one.
+ new SOA serial number will be the current date
+ in the form "YYYYMMDD", followed by two zeroes,
+ unless the existing serial number is already greater
+ than or equal to that value, in which case it is
+ incremented by one.
diff --git a/lib/dns/geoip.c b/lib/dns/geoip.c
index 291b0d05e9..ec6beb7acb 100644
--- a/lib/dns/geoip.c
+++ b/lib/dns/geoip.c
@@ -766,8 +766,21 @@ dns_geoip_match(const isc_netaddr_t *reqaddr,
return (ISC_FALSE);
s = name_lookup(db, subtype, ipnum);
- if (s != NULL && strcasecmp(elt->as_string, s) == 0)
- return (ISC_TRUE);
+ if (s != NULL) {
+ size_t l;
+ if (strcasecmp(elt->as_string, s) == 0)
+ return (ISC_TRUE);
+ if (subtype != dns_geoip_as_asnum)
+ break;
+ /*
+ * Just check if the ASNNNN value matches.
+ */
+ l = strlen(elt->as_string);
+ if (l > 0U && strchr(elt->as_string, ' ') == NULL &&
+ strncasecmp(elt->as_string, s, l) == 0 &&
+ s[l] == ' ')
+ return (ISC_TRUE);
+ }
break;
case dns_geoip_netspeed_id:
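Review bot: The new prefix match on the `s[l] == ' '` line accepts any space-free search string whose text is the first space-delimited token of the database value, not specifically an `ASNNNN` token; a configured value of `AS` alone would match a database record beginning `"AS "`, if such records exist. If the intent is to allow only the AS number to be abbreviated, the guard could additionally require the `AS` prefix, e.g. `l > 2U && strncasecmp(elt->as_string, "AS", 2) == 0`. The comment above it would also be clearer as `/* Allow "ASNNNN" alone to match "ASNNNN Organization Name": the search string must contain no space and be followed by a space in the database value; a bare "ASNNNN" database value is already covered by the strcasecmp above. */`. The short-circuit ordering is sound: when s is shorter than l, strncasecmp fails on the terminating NUL before `s[l]` is read. dns_geoip_match begins before this hunk.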
diff --git a/lib/isccfg/aclconf.c b/lib/isccfg/aclconf.c
index 76f6ad4a9a..83d5ae6509 100644
--- a/lib/isccfg/aclconf.c
+++ b/lib/isccfg/aclconf.c
@@ -482,6 +482,7 @@ parse_geoip_element(const cfg_obj_t *obj, isc_log_t *lctx,
const char *stype, *search;
dns_geoip_subtype_t subtype;
dns_aclelement_t de;
+ size_t len;
REQUIRE(dep != NULL);
@@ -493,35 +494,52 @@ parse_geoip_element(const cfg_obj_t *obj, isc_log_t *lctx,
stype = cfg_obj_asstring(cfg_tuple_get(obj, "subtype"));
search = cfg_obj_asstring(cfg_tuple_get(obj, "search"));
+ len = strlen(search);
- if (strcasecmp(stype, "country") == 0 && strlen(search) == 2) {
+ if (len == 0) {
+ cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+ "zero-length geoip search field");
+ return (ISC_R_FAILURE);
+ }
+
+ if (strcasecmp(stype, "country") == 0 && len == 2) {
/* Two-letter country code */
subtype = dns_geoip_countrycode;
- strncpy(de.geoip_elem.as_string, search, 2);
- } else if (strcasecmp(stype, "country") == 0 && strlen(search) == 3) {
+ strlcpy(de.geoip_elem.as_string, search,
+ sizeof(de.geoip_elem.as_string));
+ } else if (strcasecmp(stype, "country") == 0 && len == 3) {
/* Three-letter country code */
subtype = dns_geoip_countrycode3;
- strncpy(de.geoip_elem.as_string, search, 3);
+ strlcpy(de.geoip_elem.as_string, search,
+ sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "country") == 0) {
/* Country name */
subtype = dns_geoip_countryname;
- strncpy(de.geoip_elem.as_string, search, 255);
- } else if (strcasecmp(stype, "region") == 0 && strlen(search) == 2) {
+ strlcpy(de.geoip_elem.as_string, search,
+ sizeof(de.geoip_elem.as_string));
+ } else if (strcasecmp(stype, "region") == 0 && len == 2) {
/* Two-letter region code */
subtype = dns_geoip_region;
- strncpy(de.geoip_elem.as_string, search, 2);
+ strlcpy(de.geoip_elem.as_string, search,
+ sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "region") == 0) {
/* Region name */
subtype = dns_geoip_regionname;
- strncpy(de.geoip_elem.as_string, search, 255);
+ strlcpy(de.geoip_elem.as_string, search,
+ sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "city") == 0) {
/* City name */
subtype = dns_geoip_city_name;
- strncpy(de.geoip_elem.as_string, search, 255);
- } else if (strcasecmp(stype, "postal") == 0 && strlen(search) < 7) {
+ strlcpy(de.geoip_elem.as_string, search,
+ sizeof(de.geoip_elem.as_string));
+ } else if (strcasecmp(stype, "postal") == 0 && len < 7) {
subtype = dns_geoip_city_postalcode;
- strncpy(de.geoip_elem.as_string, search, 6);
- de.geoip_elem.as_string[6] = '\0';
+ strlcpy(de.geoip_elem.as_string, search,
+ sizeof(de.geoip_elem.as_string));
+ } else if (strcasecmp(stype, "postal") == 0) {
+ cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+ "geoiop postal code (%s) too long", search);
+ return (ISC_R_FAILURE);
} else if (strcasecmp(stype, "metro") == 0) {
subtype = dns_geoip_city_metrocode;
de.geoip_elem.as_int = atoi(search);
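Review bot: The `strlcpy` calls that replace `strncpy` truncate silently when `search` is longer than `de.geoip_elem.as_string` (its size is not visible in the hunk), so an over-long country, region, city, tz, isp, org or domain name yields an ACL element that matches a different string than the one configured; the new "postal" and "continent" branches reject over-long input but the other string branches do not. Since `len` is now computed once at the top, a single bound check after the zero-length test would cover every branch, and the per-branch strlcpy calls could then stay as they are. The two new error messages also misspell the keyword: `"geoiop postal code (%s) too long"` should read `"geoip postal code (%s) too long"`, and the same typo recurs in the continent branch of the next hunk. parse_geoip_element continues past the end of this hunk.
```c
	len = strlen(search);
	/* … unchanged: zero-length search field error … */
	if (len >= sizeof(de.geoip_elem.as_string)) {
		cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
			    "geoip search field (%s) too long", search);
		return (ISC_R_FAILURE);
	}
```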
@@ -530,23 +548,33 @@ parse_geoip_element(const cfg_obj_t *obj, isc_log_t *lctx,
de.geoip_elem.as_int = atoi(search);
} else if (strcasecmp(stype, "tz") == 0) {
subtype = dns_geoip_city_timezonecode;
- strncpy(de.geoip_elem.as_string, search, 255);
- } else if (strcasecmp(stype, "continent") == 0 && strlen(search) == 2) {
+ strlcpy(de.geoip_elem.as_string, search,
+ sizeof(de.geoip_elem.as_string));
+ } else if (strcasecmp(stype, "continent") == 0 && len == 2) {
/* Two-letter continent code */
subtype = dns_geoip_city_continentcode;
- strncpy(de.geoip_elem.as_string, search, 2);
+ strlcpy(de.geoip_elem.as_string, search,
+ sizeof(de.geoip_elem.as_string));
+ } else if (strcasecmp(stype, "continent") == 0) {
+ cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+ "geoiop continent code (%s) too long", search);
+ return (ISC_R_FAILURE);
} else if (strcasecmp(stype, "isp") == 0) {
subtype = dns_geoip_isp_name;
- strncpy(de.geoip_elem.as_string, search, 255);
+ strlcpy(de.geoip_elem.as_string, search,
+ sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "asnum") == 0) {
subtype = dns_geoip_as_asnum;
- strncpy(de.geoip_elem.as_string, search, 255);
+ strlcpy(de.geoip_elem.as_string, search,
+ sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "org") == 0) {
subtype = dns_geoip_org_name;
- strncpy(de.geoip_elem.as_string, search, 255);
+ strlcpy(de.geoip_elem.as_string, search,
+ sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "domain") == 0) {
subtype = dns_geoip_domain_name;
- strncpy(de.geoip_elem.as_string, search, 255);
+ strlcpy(de.geoip_elem.as_string, search,
+ sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "netspeed") == 0) {
subtype = dns_geoip_netspeed_id;
de.geoip_elem.as_int = atoi(search);
diff --git a/util/copyrights b/util/copyrights
index d43244f545..a1cc91e696 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1313,10 +1313,11 @@
./bin/tests/system/geoip/geoip.c C 2013
./bin/tests/system/geoip/ns2/example.db.in ZONE 2013
./bin/tests/system/geoip/ns2/named1.conf CONF-C 2013
-./bin/tests/system/geoip/ns2/named10.conf CONF-C 2013
+./bin/tests/system/geoip/ns2/named10.conf CONF-C 2014
./bin/tests/system/geoip/ns2/named11.conf CONF-C 2013
-./bin/tests/system/geoip/ns2/named12.conf CONF-C 2014
+./bin/tests/system/geoip/ns2/named12.conf CONF-C 2013
./bin/tests/system/geoip/ns2/named13.conf CONF-C 2014
+./bin/tests/system/geoip/ns2/named14.conf CONF-C 2014
./bin/tests/system/geoip/ns2/named2.conf CONF-C 2013
./bin/tests/system/geoip/ns2/named3.conf CONF-C 2013
./bin/tests/system/geoip/ns2/named4.conf CONF-C 2013