mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-22 01:59:26 +00:00
Code Issues Releases Wiki Activity

[master] delve

Browse Source 
3741.	[func]		"delve" (domain entity lookup and validation engine):
			A new tool with dig-like semantics for performing DNS
			lookups, with internal DNSSEC validation, using the
			same resolver and validator logic as named. This
			allows easy validation of DNSSEC data in environments
			with untrustworthy resolvers, and assists with
			troubleshooting of DNSSEC problems. (Note: not yet
			available on win32.) [RT #32406]
This commit is contained in:
Evan Hunt 2014-02-16 13:03:17 -08:00
parent 14bf4702f3
commit 1d761cb453
40 changed files with 3918 additions and 82 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
CHANGES
View File

@ -1,3 +1,12 @@
3741. [func] "delve" (domain entity lookup and validation engine):
A new tool with dig-like semantics for performing DNS
lookups, with internal DNSSEC validation, using the
same resolver and validator logic as named. This
allows easy validation of DNSSEC data in environments
with untrustworthy resolvers, and assists with
troubleshooting of DNSSEC problems. (Note: not yet
available on win32.) [RT #32406]
3740. [contrib] Minor fixes to configure --with-dlz-bdb,
--with-dlz-postgres and --with-dlz-odbc. [RT #35340]

5
Makefile.in
View File

@ -23,6 +23,7 @@ top_srcdir = @top_srcdir@
SUBDIRS = make unit lib bin doc @LIBEXPORT@
TARGETS =
PREREQS = bind.keys.h
MANPAGES = isc-config.sh.1
@ -32,6 +33,9 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
bind.keys.h: ${top_srcdir}/bind.keys ${srcdir}/util/bindkeys.pl
${PERL} ${srcdir}/util/bindkeys.pl < ${top_srcdir}/bind.keys > $@
distclean::
rm -f config.cache config.h config.log config.status TAGS
rm -f libtool isc-config.sh configure.lineno
@ -41,6 +45,7 @@ distclean::
# to make it.
maintainer-clean::
rm -f configure
rm -f bind.keys.h
docclean manclean maintainer-clean::
rm -f ${MANOBJS}

2
bin/Makefile.in
View File

@ -19,7 +19,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
SUBDIRS = named rndc dig dnssec tools tests nsupdate \
SUBDIRS = named rndc dig delve dnssec tools tests nsupdate \
check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@
TARGETS =

84
bin/delve/Makefile.in Normal file
View File

@ -0,0 +1,84 @@
# Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} ${ISC_INCLUDES} \
${IRS_INCLUDES} ${ISCCFG_INCLUDES}
CDEFINES = -DVERSION=\"${VERSION}\" -DSYSCONFDIR=\"${sysconfdir}\"
CWARNINGS =
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
ISCLIBS = ../../lib/isc/libisc.@A@
IRSLIBS = ../../lib/irs/libirs.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
IRSDEPLIBS = ../../lib/irs/libirs.@A@
DEPLIBS = ${DNSDEPLIBS} ${IRSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS}
LIBS = ${DNSLIBS} ${IRSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
NOSYMLIBS = ${DNSLIBS} ${IRSLIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@
SUBDIRS =
TARGETS = delve@EXEEXT@
OBJS = delve.@O@
SRCS = delve.c
MANPAGES = delve.1
HTMLPAGES = delve.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
delve@EXEEXT@: delve.@O@ ${DEPLIBS}
export BASEOBJS="delve.@O@"; \
export LIBS0="${DNSLIBS}"; \
${FINALBUILDCMD}
# ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
# delve.@O@ ${LIBS}
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
install:: delve@EXEEXT@
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
delve@EXEEXT@ ${DESTDIR}${bindir}
${INSTALL_DATA} ${srcdir}/delve.1 ${DESTDIR}${mandir}/man1
doc man:: ${MANOBJS}
docclean manclean maintainer-clean::
rm -f ${MANOBJS}
clean distclean maintainer-clean::
rm -f ${TARGETS}

388
bin/delve/delve.1 Normal file
View File

@ -0,0 +1,388 @@
.\" Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id$
.\"
.hy 0
.ad l
.\" Title: delve
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
.\" Date: February 12, 2014
.\" Manual: BIND9
.\" Source: BIND9
.\"
.TH "DELVE" "1" "February 12, 2014" "BIND9" "BIND9"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
delve \- DNS lookup and validation utility
.SH "SYNOPSIS"
.HP 6
\fBdelve\fR [@server] [\fB\-4\fR] [\fB\-6\fR] [\fB\-a\ \fR\fB\fIanchor\-file\fR\fR] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIlevel\fR\fR] [\fB\-i\fR] [\fB\-m\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [name] [type] [class] [queryopt...]
.HP 6
\fBdelve\fR [\fB\-h\fR]
.HP 6
\fBdelve\fR [queryopt...] [query...]
.SH "DESCRIPTION"
.PP
\fBdelve\fR
(Domain Entity Lookup & Validation Engine) is a tool for sending DNS queries and validating the results, using the the same internal resolver and validator logic as
\fBnamed\fR.
.PP
\fBdelve\fR
will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records to establish a chain of trust for DNSSEC validation. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding.
.PP
By default, responses are validated using built\-in DNSSEC trust anchors for the root zone (".") and for the ISC DNSSEC lookaside validation zone ("dlv.isc.org"). Records returned by
\fBdelve\fR
are either fully validated or were not signed. If validation fails, an explanation of the failure is included in the output; the validation process can be traced in detail. Because
\fBdelve\fR
does not rely on an external server to carry out validation, it can be used to check the validity of DNS responses in environments where local name servers may not be trustworthy.
.PP
Unless it is told to query a specific name server,
\fBdelve\fR
will try each of the servers listed in
\fI/etc/resolv.conf\fR. If no usable server addresses are found,
\fBdelve\fR
will send queries to the localhost addresses (127.0.0.1 for IPv4, ::1 for IPv6).
.PP
When no command line arguments or options are given,
\fBdelve\fR
will perform an NS query for "." (the root zone).
.SH "SIMPLE USAGE"
.PP
A typical invocation of
\fBdelve\fR
looks like:
.sp
.RS 4
.nf
delve @server name type
.fi
.RE
.sp
where:
.PP
\fBserver\fR
.RS 4
is the name or IP address of the name server to query. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation. When the supplied
\fIserver\fR
argument is a hostname,
\fBdelve\fR
resolves that name before querying that name server (note, however, that this initial lookup is
\fInot\fR
validated by DNSSEC).
.sp
If no
\fIserver\fR
argument is provided,
\fBdelve\fR
consults
\fI/etc/resolv.conf\fR; if an address is found there, it queries the name server at that address. If either of the
\fB\-4\fR
or
\fB\-6\fR
options are in use, then only addresses for the corresponding transport will be tried. If no usable addresses are found,
\fBdelve\fR
will send queries to the localhost addresses (127.0.0.1 for IPv4, ::1 for IPv6).
.RE
.PP
\fBname\fR
.RS 4
is the domain name to be looked up.
.RE
.PP
\fBtype\fR
.RS 4
indicates what type of query is required \(em ANY, A, MX, etc.
\fItype\fR
can be any valid query type. If no
\fItype\fR
argument is supplied,
\fBdelve\fR
will perform a lookup for an A record.
.RE
.SH "OPTIONS"
.PP
\-a
.RS 4
Specifies a file from which to read DNSSEC trust anchors. The default is
\fI/etc/bind.keys\fR, which is included with
BIND
9 and contains trust anchors for the root zone (".") and for the ISC DNSSEC lookaside validation zone ("dlv.isc.org").
.sp
Keys that do not match the root or DLV trust\-anchor names are ignored; these key names can be overridden using the
\fB+dlv=NAME\fR
or
\fB+root=NAME\fR
options.
.sp
Note: When reading the trust anchor file,
\fBdelve\fR
treats
\fBmanaged\-keys\fR
statements and
\fBtrusted\-keys\fR
statements identically. That is, for a managed key, it is the
\fIinitial\fR
key that is trusted; RFC 5011 key management is not supported.
\fBdelve\fR
will not consult the managed\-keys database maintained by
\fBnamed\fR. This means that if either of the keys in
\fI/etc/bind.keys\fR
is revoked and rolled over, it will be necessary to update
\fI/etc/bind.keys\fR
to use DNSSEC validation in
\fBdelve\fR.
.RE
.PP
\-b
.RS 4
Sets the source IP address of the query to
\fIaddress\fR. This must be a valid address on one of the host's network interfaces or "0.0.0.0" or "::". An optional source port may be specified by appending "#<port>"
.RE
.PP
\-c
.RS 4
Sets the query class for the requested data. Currently, only class "IN" is supported in
\fBdelve\fR
and any other value is ignored.
.RE
.PP
\-i
.RS 4
Insecure mode. This disables internal DNSSEC validation. (Note, however, this does not set the CD bit on upstream queries. If the server being queried is performing DNSSEC validation, then it will not return invalid data; this can cause
\fBdelve\fR
to time out. When it is necessary to examine invalid data to debug a DNSSEC problem, use
\fBdig +cd\fR.)
.RE
.PP
\-m
.RS 4
Enables memory usage debugging.
.RE
.PP
\-p
.RS 4
Specifies a destination port to use for queries instead of the standard DNS port number 53. This option would be used with a name server that has been configured to listen for queries on a non\-standard port number.
.RE
.PP
\-4
.RS 4
Forces
\fBdelve\fR
to only use IPv4.
.RE
.PP
\-6
.RS 4
Forces
\fBdelve\fR
to only use IPv6.
.RE
.PP
\-q
.RS 4
Sets the query name to
\fIname\fR. While the query name can be specified without using the
\fB\-q\fR, it is sometimes necessary to disambiguate names from types or classes (for example, when looking up the name "ns", which could be misinterpreted as the type NS, or "ch", which could be misinterpreted as class CH).
.RE
.PP
\-t
.RS 4
Sets the query type to
\fItype\fR, which can be any valid query type supported in BIND 9 except for zone transfer types AXFR and IXFR. As with
\fB\-q\fR, this is useful to distinguish query name type or class when they are ambiguous. it is sometimes necessary to disambiguate names from types.
.sp
The default query type is "A", unless the
\fB\-x\fR
option is supplied to indicate a reverse lookup, in which case it is "PTR".
.RE
.PP
\-x
.RS 4
Performs a reverse lookup, mapping an addresses to a name.
\fIaddr\fR
is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address. When
\fB\-x\fR
is used, there is no need to provide the
\fIname\fR
or
\fItype\fR
arguments.
\fBdelve\fR
automatically performs a lookup for a name like
11.12.13.10.in\-addr.arpa
and sets the query type to PTR. IPv6 addresses are looked up using nibble format under the IP6.ARPA domain.
.RE
.SH "QUERY OPTIONS"
.PP
\fBdelve\fR
provides a number of query options which affect the way results are displayed, and in some cases the way lookups are performed.
.PP
Each query option is identified by a keyword preceded by a plus sign (+). Some keywords set or reset an option. These may be preceded by the string
no
to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They have the form
\fB+keyword=value\fR. The query options are:
.PP
\fB+[no]cdflag\fR
.RS 4
Controls whether to set the CD (checking disabled) bit in queries sent by
\fBdelve\fR. This may be useful when troubleshooting DNSSEC problems from behind a validating resolver. A validating resolver will block invalid responses, making it difficult to retrieve them for analysis. Setting the CD flag on queries will cause the resolver to return invalid responses, which
\fBdelve\fR
can then validate internally and report the errors in detail.
.RE
.PP
\fB+[no]class\fR
.RS 4
Controls whether to display the CLASS when printing a record. The default is to display the CLASS.
.RE
.PP
\fB+[no]ttl\fR
.RS 4
Controls whether to display the TTL when printing a record. The default is to display the TTL.
.RE
.PP
\fB+[no]rtrace\fR
.RS 4
Toggle resolver fetch logging. This reports the name and type of each query sent by
\fBdelve\fR
in the process of carrying out the resolution and validation process: this includes including the original query and all subsequent queries to follow CNAMEs and to establish a chain of trust for DNSSEC validation.
.sp
This is equivalent to setting the debug level to 1 in the "resolver" logging category. Setting the systemwide debug level to 1 using the
\fB\-d\fR
option will product the same output (but will affect other logging categories as well).
.RE
.PP
\fB+[no]mtrace\fR
.RS 4
Toggle message logging. This produces a detailed dump of the responses received by
\fBdelve\fR
in the process of carrying out the resolution and validation process.
.sp
This is equivalent to setting the debug level to 10 for the the "packets" module of the "resolver" logging category. Setting the systemwide debug level to 10 using the
\fB\-d\fR
option will produce the same output (but will affect other logging categories as well).
.RE
.PP
\fB+[no]vtrace\fR
.RS 4
Toggle validation logging. This shows the internal process of the validator as it determines whether an answer is validly signed, unsigned, or invalid.
.sp
This is equivalent to setting the debug level to 3 for the the "validator" module of the "dnssec" logging category. Setting the systemwide debug level to 3 using the
\fB\-d\fR
option will produce the same output (but will affect other logging categories as well).
.RE
.PP
\fB+[no]short\fR
.RS 4
Provide a terse answer. The default is to print the answer in a verbose form.
.RE
.PP
\fB+[no]comments\fR
.RS 4
Toggle the display of comment lines in the output. The default is to print comments.
.RE
.PP
\fB+[no]rrcomments\fR
.RS 4
Toggle the display of per\-record comments in the output (for example, human\-readable key information about DNSKEY records). The default is to print per\-record comments.
.RE
.PP
\fB+[no]crypto\fR
.RS 4
Toggle the display of cryptographic fields in DNSSEC records. The contents of these field are unnecessary to debug most DNSSEC validation failures and removing them makes it easier to see the common failures. The default is to display the fields. When omitted they are replaced by the string "[omitted]" or in the DNSKEY case the key id is displayed as the replacement, e.g. "[ key id = value ]".
.RE
.PP
\fB+[no]trust\fR
.RS 4
Controls whether to display the trust level when printing a record. The default is to display the trust level.
.RE
.PP
\fB+[no]split[=W]\fR
.RS 4
Split long hex\- or base64\-formatted fields in resource records into chunks of
\fIW\fR
characters (where
\fIW\fR
is rounded up to the nearest multiple of 4).
\fI+nosplit\fR
or
\fI+split=0\fR
causes fields not to be split at all. The default is 56 characters, or 44 characters when multiline mode is active.
.RE
.PP
\fB+[no]all\fR
.RS 4
Set or clear the display options
\fB+[no]comments\fR,
\fB+[no]rrcomments\fR, and
\fB+[no]trust\fR
as a group.
.RE
.PP
\fB+[no]multiline\fR
.RS 4
Print long records (such as RRSIG, DNSKEY, and SOA records) in a verbose multi\-line format with human\-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the
\fBdelve\fR
output.
.RE
.PP
\fB+[no]dnssec\fR
.RS 4
Indicates whether to display RRSIG records in the
\fBdelve\fR
output. The default is to do so. Note that (unlike in
\fBdig\fR) this does
\fInot\fR
control whether to request DNSSEC records or whether to validate them. DNSSEC records are always requested, and validation will always occur unless suppressed by the use of
\fB\-i\fR
or
\fB+noroot\fR
and
\fB+nodlv\fR.
.RE
.PP
\fB+[no]root[=ROOT]\fR
.RS 4
Indicates whether to perform conventional (non\- lookaside) DNSSEC validation, and if so, specifies the name of a trust anchor. The default is to validate using a trust anchor of "." (the root zone), for which there is a built\-in key. If specifying a different trust anchor, then
\fB\-a\fR
must be used to specify a file containing the key.
.RE
.PP
\fB+[no]dlv[=DLV]\fR
.RS 4
Indicates whether to perform DNSSEC lookaside validation, and if so, specifies the name of the DLV trust anchor. The default is to perform lookaside validation using a trust anchor of "dlv.isc.org", for which there is a built\-in key. If specifying a different name, then
\fB\-a\fR
must be used to specify a file containing the DLV key.
.RE
.SH "FILES"
.PP
\fI/etc/bind.keys\fR
.PP
\fI/etc/resolv.conf\fR
.SH "SEE ALSO"
.PP
\fBdig\fR(1),
\fBnamed\fR(8),
RFC4034,
RFC4035,
RFC4431,
RFC5074,
RFC5155.
.SH "COPYRIGHT"
Copyright \(co 2014 Internet Systems Consortium, Inc. ("ISC")
.br

1607
bin/delve/delve.c Normal file
View File

File diff suppressed because it is too large Load Diff

639
bin/delve/delve.docbook Normal file
View File

@ -0,0 +1,639 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<refentry id="man.delve">
<refentryinfo>
<date>February 12, 2014</date>
</refentryinfo>
<refmeta>
<refentrytitle>delve</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname>delve</refname>
<refpurpose>DNS lookup and validation utility</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2014</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<command>delve</command>
<arg choice="opt">@server</arg>
<arg><option>-4</option></arg>
<arg><option>-6</option></arg>
<arg><option>-a <replaceable class="parameter">anchor-file</replaceable></option></arg>
<arg><option>-b <replaceable class="parameter">address</replaceable></option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-d <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-i</option></arg>
<arg><option>-m</option></arg>
<arg><option>-p <replaceable class="parameter">port#</replaceable></option></arg>
<arg><option>-q <replaceable class="parameter">name</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg><option>-x <replaceable class="parameter">addr</replaceable></option></arg>
<arg choice="opt">name</arg>
<arg choice="opt">type</arg>
<arg choice="opt">class</arg>
<arg choice="opt" rep="repeat">queryopt</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>delve</command>
<arg><option>-h</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>delve</command>
<arg choice="opt" rep="repeat">queryopt</arg>
<arg choice="opt" rep="repeat">query</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para><command>delve</command>
(Domain Entity Lookup &amp; Validation Engine) is a tool for sending
DNS queries and validating the results, using the the same internal
resolver and validator logic as <command>named</command>.
</para>
<para>
<command>delve</command> will send to a specified name server all
queries needed to fetch and validate the requested data; this
includes the original requested query, subsequent queries to follow
CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records
to establish a chain of trust for DNSSEC validation.
It does not perform iterative resolution, but simulates the
behavior of a name server configured for DNSSEC validating and
forwarding.
</para>
<para>
By default, responses are validated using built-in DNSSEC trust
anchors for the root zone (".") and for the ISC DNSSEC lookaside
validation zone ("dlv.isc.org"). Records returned by
<command>delve</command> are either fully validated or
were not signed. If validation fails, an explanation of
the failure is included in the output; the validation process
can be traced in detail. Because <command>delve</command> does
not rely on an external server to carry out validation, it can
be used to check the validity of DNS responses in environments
where local name servers may not be trustworthy.
</para>
<para>
Unless it is told to query a specific name server,
<command>delve</command> will try each of the servers listed in
<filename>/etc/resolv.conf</filename>. If no usable server
addresses are found, <command>delve</command> will send
queries to the localhost addresses (127.0.0.1 for IPv4, ::1
for IPv6).
</para>
<para>
When no command line arguments or options are given,
<command>delve</command> will perform an NS query for "."
(the root zone).
</para>
</refsect1>
<refsect1>
<title>SIMPLE USAGE</title>
<para>
A typical invocation of <command>delve</command> looks like:
<programlisting> delve @server name type </programlisting>
where:
<variablelist>
<varlistentry>
<term><constant>server</constant></term>
<listitem>
<para>
is the name or IP address of the name server to query. This
can be an IPv4 address in dotted-decimal notation or an IPv6
address in colon-delimited notation. When the supplied
<parameter>server</parameter> argument is a hostname,
<command>delve</command> resolves that name before
querying that name server (note, however, that this
initial lookup is <emphasis>not</emphasis> validated
by DNSSEC).
</para>
<para>
If no <parameter>server</parameter> argument is
provided, <command>delve</command> consults
<filename>/etc/resolv.conf</filename>; if an
address is found there, it queries the name server at
that address. If either of the <option>-4</option> or
<option>-6</option> options are in use, then
only addresses for the corresponding transport
will be tried. If no usable addresses are found,
<command>delve</command> will send queries to
the localhost addresses (127.0.0.1 for IPv4,
::1 for IPv6).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>name</constant></term>
<listitem>
<para>
is the domain name to be looked up.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>type</constant></term>
<listitem>
<para>
indicates what type of query is required &mdash;
ANY, A, MX, etc.
<parameter>type</parameter> can be any valid query
type. If no
<parameter>type</parameter> argument is supplied,
<command>delve</command> will perform a lookup for an
A record.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>-a</term>
<listitem>
<para>
Specifies a file from which to read DNSSEC trust anchors.
The default is <filename>/etc/bind.keys</filename>, which
is included with <acronym>BIND</acronym> 9 and contains
trust anchors for the root zone (".") and for the ISC
DNSSEC lookaside validation zone ("dlv.isc.org").
</para>
<para>
Keys that do not match the root or DLV trust-anchor
names are ignored; these key names can be overridden
using the <option>+dlv=NAME</option> or
<option>+root=NAME</option> options.
</para>
<para>
Note: When reading the trust anchor file,
<command>delve</command> treats <option>managed-keys</option>
statements and <option>trusted-keys</option> statements
identically. That is, for a managed key, it is the
<emphasis>initial</emphasis> key that is trusted; RFC 5011
key management is not supported. <command>delve</command>
will not consult the managed-keys database maintained by
<command>named</command>. This means that if either of the
keys in <filename>/etc/bind.keys</filename> is revoked
and rolled over, it will be necessary to update
<filename>/etc/bind.keys</filename> to use DNSSEC
validation in <command>delve</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-b</term>
<listitem>
<para>
Sets the source IP address of the query to
<parameter>address</parameter>. This must be a valid address
on one of the host's network interfaces or "0.0.0.0" or "::".
An optional source port may be specified by appending
"#&lt;port&gt;"
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c</term>
<listitem>
<para>
Sets the query class for the requested data. Currently,
only class "IN" is supported in <command>delve</command>
and any other value is ignored.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i</term>
<listitem>
<para>
Insecure mode. This disables internal DNSSEC validation.
(Note, however, this does not set the CD bit on upstream
queries. If the server being queried is performing DNSSEC
validation, then it will not return invalid data; this
can cause <command>delve</command> to time out. When it
is necessary to examine invalid data to debug a DNSSEC
problem, use <command>dig +cd</command>.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-m</term>
<listitem>
<para>
Enables memory usage debugging.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p</term>
<listitem>
<para>
Specifies a destination port to use for queries instead of
the standard DNS port number 53. This option would be used
with a name server that has been configured to listen
for queries on a non-standard port number.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-4</term>
<listitem>
<para>
Forces <command>delve</command> to only use IPv4.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-6</term>
<listitem>
<para>
Forces <command>delve</command> to only use IPv6.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-q</term>
<listitem>
<para>
Sets the query name to <parameter>name</parameter>.
While the query name can be specified without using the
<option>-q</option>, it is sometimes necessary to disambiguate
names from types or classes (for example, when looking up the
name "ns", which could be misinterpreted as the type NS,
or "ch", which could be misinterpreted as class CH).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t</term>
<listitem>
<para>
Sets the query type to <parameter>type</parameter>, which
can be any valid query type supported in BIND 9 except
for zone transfer types AXFR and IXFR. As with
<option>-q</option>, this is useful to distinguish
query name type or class when they are ambiguous.
it is sometimes necessary to disambiguate names from types.
</para>
<para>
The default query type is "A", unless the <option>-x</option>
option is supplied to indicate a reverse lookup, in which case
it is "PTR".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-x</term>
<listitem>
<para>
Performs a reverse lookup, mapping an addresses to
a name. <parameter>addr</parameter> is an IPv4 address in
dotted-decimal notation, or a colon-delimited IPv6 address.
When <option>-x</option> is used, there is no need to provide
the <parameter>name</parameter> or <parameter>type</parameter>
arguments. <command>delve</command> automatically performs a
lookup for a name like <literal>11.12.13.10.in-addr.arpa</literal>
and sets the query type to PTR. IPv6 addresses are looked up
using nibble format under the IP6.ARPA domain.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>QUERY OPTIONS</title>
<para><command>delve</command>
provides a number of query options which affect the way results are
displayed, and in some cases the way lookups are performed.
</para>
<para>
Each query option is identified by a keyword preceded by a plus sign
(<literal>+</literal>). Some keywords set or reset an
option. These may be preceded by the string
<literal>no</literal> to negate the meaning of that keyword.
Other keywords assign values to options like the timeout interval.
They have the form <option>+keyword=value</option>.
The query options are:
<variablelist>
<varlistentry>
<term><option>+[no]cdflag</option></term>
<listitem>
<para>
Controls whether to set the CD (checking disabled) bit in
queries sent by <command>delve</command>. This may be useful
when troubleshooting DNSSEC problems from behind a validating
resolver. A validating resolver will block invalid responses,
making it difficult to retrieve them for analysis. Setting
the CD flag on queries will cause the resolver to return
invalid responses, which <command>delve</command> can then
validate internally and report the errors in detail.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]class</option></term>
<listitem>
<para>
Controls whether to display the CLASS when printing
a record. The default is to display the CLASS.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]ttl</option></term>
<listitem>
<para>
Controls whether to display the TTL when printing
a record. The default is to display the TTL.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]rtrace</option></term>
<listitem>
<para>
Toggle resolver fetch logging. This reports the
name and type of each query sent by <command>delve</command>
in the process of carrying out the resolution and validation
process: this includes including the original query and
all subsequent queries to follow CNAMEs and to establish a
chain of trust for DNSSEC validation.
</para>
<para>
This is equivalent to setting the debug level to 1 in
the "resolver" logging category. Setting the systemwide
debug level to 1 using the <option>-d</option> option will
product the same output (but will affect other logging
categories as well).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]mtrace</option></term>
<listitem>
<para>
Toggle message logging. This produces a detailed dump of
the responses received by <command>delve</command> in the
process of carrying out the resolution and validation process.
</para>
<para>
This is equivalent to setting the debug level to 10
for the the "packets" module of the "resolver" logging
category. Setting the systemwide debug level to 10 using
the <option>-d</option> option will produce the same output
(but will affect other logging categories as well).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]vtrace</option></term>
<listitem>
<para>
Toggle validation logging. This shows the internal
process of the validator as it determines whether an
answer is validly signed, unsigned, or invalid.
</para>
<para>
This is equivalent to setting the debug level to 3
for the the "validator" module of the "dnssec" logging
category. Setting the systemwide debug level to 3 using
the <option>-d</option> option will produce the same output
(but will affect other logging categories as well).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]short</option></term>
<listitem>
<para>
Provide a terse answer. The default is to print the answer in a
verbose form.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]comments</option></term>
<listitem>
<para>
Toggle the display of comment lines in the output. The default
is to print comments.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]rrcomments</option></term>
<listitem>
<para>
Toggle the display of per-record comments in the output (for
example, human-readable key information about DNSKEY records).
The default is to print per-record comments.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]crypto</option></term>
<listitem>
<para>
Toggle the display of cryptographic fields in DNSSEC records.
The contents of these field are unnecessary to debug most DNSSEC
validation failures and removing them makes it easier to see
the common failures. The default is to display the fields.
When omitted they are replaced by the string "[omitted]" or
in the DNSKEY case the key id is displayed as the replacement,
e.g. "[ key id = value ]".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]trust</option></term>
<listitem>
<para>
Controls whether to display the trust level when printing
a record. The default is to display the trust level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]split[=W]</option></term>
<listitem>
<para>
Split long hex- or base64-formatted fields in resource
records into chunks of <parameter>W</parameter> characters
(where <parameter>W</parameter> is rounded up to the nearest
multiple of 4).
<parameter>+nosplit</parameter> or
<parameter>+split=0</parameter> causes fields not to be
split at all. The default is 56 characters, or 44 characters
when multiline mode is active.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]all</option></term>
<listitem>
<para>
Set or clear the display options
<option>+[no]comments</option>,
<option>+[no]rrcomments</option>, and
<option>+[no]trust</option> as a group.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]multiline</option></term>
<listitem>
<para>
Print long records (such as RRSIG, DNSKEY, and SOA records)
in a verbose multi-line format with human-readable comments.
The default is to print each record on a single line, to
facilitate machine parsing of the <command>delve</command>
output.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]dnssec</option></term>
<listitem>
<para>
Indicates whether to display RRSIG records in the
<command>delve</command> output. The default is to
do so. Note that (unlike in <command>dig</command>)
this does <emphasis>not</emphasis> control whether to
request DNSSEC records or whether to validate them.
DNSSEC records are always requested, and validation
will always occur unless suppressed by the use of
<option>-i</option> or <option>+noroot</option> and
<option>+nodlv</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]root[=ROOT]</option></term>
<listitem>
<para>
Indicates whether to perform conventional (non-
lookaside) DNSSEC validation, and if so, specifies the
name of a trust anchor. The default is to validate using
a trust anchor of "." (the root zone), for which there is
a built-in key. If specifying a different trust anchor,
then <option>-a</option> must be used to specify a file
containing the key.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]dlv[=DLV]</option></term>
<listitem>
<para>
Indicates whether to perform DNSSEC lookaside validation,
and if so, specifies the name of the DLV trust anchor.
The default is to perform lookaside validation using
a trust anchor of "dlv.isc.org", for which there is a
built-in key. If specifying a different name, then
<option>-a</option> must be used to specify a file
containing the DLV key.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1>
<title>FILES</title>
<para><filename>/etc/bind.keys</filename></para>
<para><filename>/etc/resolv.conf</filename></para>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>
<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>RFC4034</citetitle>,
<citetitle>RFC4035</citetitle>,
<citetitle>RFC4431</citetitle>,
<citetitle>RFC5074</citetitle>,
<citetitle>RFC5155</citetitle>.
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->

445
bin/delve/delve.html Normal file
View File

@ -0,0 +1,445 @@
<!--
- Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>delve</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.delve"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>delve &#8212; DNS lookup and validation utility</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">delve</code> [@server] [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-a <em class="replaceable"><code>anchor-file</code></em></code>] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>level</code></em></code>] [<code class="option">-i</code>] [<code class="option">-m</code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-q <em class="replaceable"><code>name</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [name] [type] [class] [queryopt...]</p></div>
<div class="cmdsynopsis"><p><code class="command">delve</code> [<code class="option">-h</code>]</p></div>
<div class="cmdsynopsis"><p><code class="command">delve</code> [queryopt...] [query...]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543478"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">delve</strong></span>
(Domain Entity Lookup &amp; Validation Engine) is a tool for sending
DNS queries and validating the results, using the the same internal
resolver and validator logic as <span><strong class="command">named</strong></span>.
</p>
<p>
<span><strong class="command">delve</strong></span> will send to a specified name server all
queries needed to fetch and validate the requested data; this
includes the original requested query, subsequent queries to follow
CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records
to establish a chain of trust for DNSSEC validation.
It does not perform iterative resolution, but simulates the
behavior of a name server configured for DNSSEC validating and
forwarding.
</p>
<p>
By default, responses are validated using built-in DNSSEC trust
anchors for the root zone (".") and for the ISC DNSSEC lookaside
validation zone ("dlv.isc.org"). Records returned by
<span><strong class="command">delve</strong></span> are either fully validated or
were not signed. If validation fails, an explanation of
the failure is included in the output; the validation process
can be traced in detail. Because <span><strong class="command">delve</strong></span> does
not rely on an external server to carry out validation, it can
be used to check the validity of DNS responses in environments
where local name servers may not be trustworthy.
</p>
<p>
Unless it is told to query a specific name server,
<span><strong class="command">delve</strong></span> will try each of the servers listed in
<code class="filename">/etc/resolv.conf</code>. If no usable server
addresses are found, <span><strong class="command">delve</strong></span> will send
queries to the localhost addresses (127.0.0.1 for IPv4, ::1
for IPv6).
</p>
<p>
When no command line arguments or options are given,
<span><strong class="command">delve</strong></span> will perform an NS query for "."
(the root zone).
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543531"></a><h2>SIMPLE USAGE</h2>
<p>
A typical invocation of <span><strong class="command">delve</strong></span> looks like:
</p>
<pre class="programlisting"> delve @server name type </pre>
<p>
where:
</p>
<div class="variablelist"><dl>
<dt><span class="term"><code class="constant">server</code></span></dt>
<dd>
<p>
is the name or IP address of the name server to query. This
can be an IPv4 address in dotted-decimal notation or an IPv6
address in colon-delimited notation. When the supplied
<em class="parameter"><code>server</code></em> argument is a hostname,
<span><strong class="command">delve</strong></span> resolves that name before
querying that name server (note, however, that this
initial lookup is <span class="emphasis"><em>not</em></span> validated
by DNSSEC).
</p>
<p>
If no <em class="parameter"><code>server</code></em> argument is
provided, <span><strong class="command">delve</strong></span> consults
<code class="filename">/etc/resolv.conf</code>; if an
address is found there, it queries the name server at
that address. If either of the <code class="option">-4</code> or
<code class="option">-6</code> options are in use, then
only addresses for the corresponding transport
will be tried. If no usable addresses are found,
<span><strong class="command">delve</strong></span> will send queries to
the localhost addresses (127.0.0.1 for IPv4,
::1 for IPv6).
</p>
</dd>
<dt><span class="term"><code class="constant">name</code></span></dt>
<dd><p>
is the domain name to be looked up.
</p></dd>
<dt><span class="term"><code class="constant">type</code></span></dt>
<dd><p>
indicates what type of query is required &#8212;
ANY, A, MX, etc.
<em class="parameter"><code>type</code></em> can be any valid query
type. If no
<em class="parameter"><code>type</code></em> argument is supplied,
<span><strong class="command">delve</strong></span> will perform a lookup for an
A record.
</p></dd>
</dl></div>
<p>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543640"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd>
<p>
Specifies a file from which to read DNSSEC trust anchors.
The default is <code class="filename">/etc/bind.keys</code>, which
is included with <acronym class="acronym">BIND</acronym> 9 and contains
trust anchors for the root zone (".") and for the ISC
DNSSEC lookaside validation zone ("dlv.isc.org").
</p>
<p>
Keys that do not match the root or DLV trust-anchor
names are ignored; these key names can be overridden
using the <code class="option">+dlv=NAME</code> or
<code class="option">+root=NAME</code> options.
</p>
<p>
Note: When reading the trust anchor file,
<span><strong class="command">delve</strong></span> treats <code class="option">managed-keys</code>
statements and <code class="option">trusted-keys</code> statements
identically. That is, for a managed key, it is the
<span class="emphasis"><em>initial</em></span> key that is trusted; RFC 5011
key management is not supported. <span><strong class="command">delve</strong></span>
will not consult the managed-keys database maintained by
<span><strong class="command">named</strong></span>. This means that if either of the
keys in <code class="filename">/etc/bind.keys</code> is revoked
and rolled over, it will be necessary to update
<code class="filename">/etc/bind.keys</code> to use DNSSEC
validation in <span><strong class="command">delve</strong></span>.
</p>
</dd>
<dt><span class="term">-b</span></dt>
<dd><p>
Sets the source IP address of the query to
<em class="parameter"><code>address</code></em>. This must be a valid address
on one of the host's network interfaces or "0.0.0.0" or "::".
An optional source port may be specified by appending
"#&lt;port&gt;"
</p></dd>
<dt><span class="term">-c</span></dt>
<dd><p>
Sets the query class for the requested data. Currently,
only class "IN" is supported in <span><strong class="command">delve</strong></span>
and any other value is ignored.
</p></dd>
<dt><span class="term">-i</span></dt>
<dd><p>
Insecure mode. This disables internal DNSSEC validation.
(Note, however, this does not set the CD bit on upstream
queries. If the server being queried is performing DNSSEC
validation, then it will not return invalid data; this
can cause <span><strong class="command">delve</strong></span> to time out. When it
is necessary to examine invalid data to debug a DNSSEC
problem, use <span><strong class="command">dig +cd</strong></span>.)
</p></dd>
<dt><span class="term">-m</span></dt>
<dd><p>
Enables memory usage debugging.
</p></dd>
<dt><span class="term">-p</span></dt>
<dd><p>
Specifies a destination port to use for queries instead of
the standard DNS port number 53. This option would be used
with a name server that has been configured to listen
for queries on a non-standard port number.
</p></dd>
<dt><span class="term">-4</span></dt>
<dd><p>
Forces <span><strong class="command">delve</strong></span> to only use IPv4.
</p></dd>
<dt><span class="term">-6</span></dt>
<dd><p>
Forces <span><strong class="command">delve</strong></span> to only use IPv6.
</p></dd>
<dt><span class="term">-q</span></dt>
<dd><p>
Sets the query name to <em class="parameter"><code>name</code></em>.
While the query name can be specified without using the
<code class="option">-q</code>, it is sometimes necessary to disambiguate
names from types or classes (for example, when looking up the
name "ns", which could be misinterpreted as the type NS,
or "ch", which could be misinterpreted as class CH).
</p></dd>
<dt><span class="term">-t</span></dt>
<dd>
<p>
Sets the query type to <em class="parameter"><code>type</code></em>, which
can be any valid query type supported in BIND 9 except
for zone transfer types AXFR and IXFR. As with
<code class="option">-q</code>, this is useful to distinguish
query name type or class when they are ambiguous.
it is sometimes necessary to disambiguate names from types.
</p>
<p>
The default query type is "A", unless the <code class="option">-x</code>
option is supplied to indicate a reverse lookup, in which case
it is "PTR".
</p>
</dd>
<dt><span class="term">-x</span></dt>
<dd><p>
Performs a reverse lookup, mapping an addresses to
a name. <em class="parameter"><code>addr</code></em> is an IPv4 address in
dotted-decimal notation, or a colon-delimited IPv6 address.
When <code class="option">-x</code> is used, there is no need to provide
the <em class="parameter"><code>name</code></em> or <em class="parameter"><code>type</code></em>
arguments. <span><strong class="command">delve</strong></span> automatically performs a
lookup for a name like <code class="literal">11.12.13.10.in-addr.arpa</code>
and sets the query type to PTR. IPv6 addresses are looked up
using nibble format under the IP6.ARPA domain.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2544042"></a><h2>QUERY OPTIONS</h2>
<p><span><strong class="command">delve</strong></span>
provides a number of query options which affect the way results are
displayed, and in some cases the way lookups are performed.
</p>
<p>
Each query option is identified by a keyword preceded by a plus sign
(<code class="literal">+</code>). Some keywords set or reset an
option. These may be preceded by the string
<code class="literal">no</code> to negate the meaning of that keyword.
Other keywords assign values to options like the timeout interval.
They have the form <code class="option">+keyword=value</code>.
The query options are:
</p>
<div class="variablelist"><dl>
<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
<dd><p>
Controls whether to set the CD (checking disabled) bit in
queries sent by <span><strong class="command">delve</strong></span>. This may be useful
when troubleshooting DNSSEC problems from behind a validating
resolver. A validating resolver will block invalid responses,
making it difficult to retrieve them for analysis. Setting
the CD flag on queries will cause the resolver to return
invalid responses, which <span><strong class="command">delve</strong></span> can then
validate internally and report the errors in detail.
</p></dd>
<dt><span class="term"><code class="option">+[no]class</code></span></dt>
<dd><p>
Controls whether to display the CLASS when printing
a record. The default is to display the CLASS.
</p></dd>
<dt><span class="term"><code class="option">+[no]ttl</code></span></dt>
<dd><p>
Controls whether to display the TTL when printing
a record. The default is to display the TTL.
</p></dd>
<dt><span class="term"><code class="option">+[no]rtrace</code></span></dt>
<dd>
<p>
Toggle resolver fetch logging. This reports the
name and type of each query sent by <span><strong class="command">delve</strong></span>
in the process of carrying out the resolution and validation
process: this includes including the original query and
all subsequent queries to follow CNAMEs and to establish a
chain of trust for DNSSEC validation.
</p>
<p>
This is equivalent to setting the debug level to 1 in
the "resolver" logging category. Setting the systemwide
debug level to 1 using the <code class="option">-d</code> option will
product the same output (but will affect other logging
categories as well).
</p>
</dd>
<dt><span class="term"><code class="option">+[no]mtrace</code></span></dt>
<dd>
<p>
Toggle message logging. This produces a detailed dump of
the responses received by <span><strong class="command">delve</strong></span> in the
process of carrying out the resolution and validation process.
</p>
<p>
This is equivalent to setting the debug level to 10
for the the "packets" module of the "resolver" logging
category. Setting the systemwide debug level to 10 using
the <code class="option">-d</code> option will produce the same output
(but will affect other logging categories as well).
</p>
</dd>
<dt><span class="term"><code class="option">+[no]vtrace</code></span></dt>
<dd>
<p>
Toggle validation logging. This shows the internal
process of the validator as it determines whether an
answer is validly signed, unsigned, or invalid.
</p>
<p>
This is equivalent to setting the debug level to 3
for the the "validator" module of the "dnssec" logging
category. Setting the systemwide debug level to 3 using
the <code class="option">-d</code> option will produce the same output
(but will affect other logging categories as well).
</p>
</dd>
<dt><span class="term"><code class="option">+[no]short</code></span></dt>
<dd><p>
Provide a terse answer. The default is to print the answer in a
verbose form.
</p></dd>
<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
<dd><p>
Toggle the display of comment lines in the output. The default
is to print comments.
</p></dd>
<dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
<dd><p>
Toggle the display of per-record comments in the output (for
example, human-readable key information about DNSKEY records).
The default is to print per-record comments.
</p></dd>
<dt><span class="term"><code class="option">+[no]crypto</code></span></dt>
<dd><p>
Toggle the display of cryptographic fields in DNSSEC records.
The contents of these field are unnecessary to debug most DNSSEC
validation failures and removing them makes it easier to see
the common failures. The default is to display the fields.
When omitted they are replaced by the string "[omitted]" or
in the DNSKEY case the key id is displayed as the replacement,
e.g. "[ key id = value ]".
</p></dd>
<dt><span class="term"><code class="option">+[no]trust</code></span></dt>
<dd><p>
Controls whether to display the trust level when printing
a record. The default is to display the trust level.
</p></dd>
<dt><span class="term"><code class="option">+[no]split[=W]</code></span></dt>
<dd><p>
Split long hex- or base64-formatted fields in resource
records into chunks of <em class="parameter"><code>W</code></em> characters
(where <em class="parameter"><code>W</code></em> is rounded up to the nearest
multiple of 4).
<em class="parameter"><code>+nosplit</code></em> or
<em class="parameter"><code>+split=0</code></em> causes fields not to be
split at all. The default is 56 characters, or 44 characters
when multiline mode is active.
</p></dd>
<dt><span class="term"><code class="option">+[no]all</code></span></dt>
<dd><p>
Set or clear the display options
<code class="option">+[no]comments</code>,
<code class="option">+[no]rrcomments</code>, and
<code class="option">+[no]trust</code> as a group.
</p></dd>
<dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
<dd><p>
Print long records (such as RRSIG, DNSKEY, and SOA records)
in a verbose multi-line format with human-readable comments.
The default is to print each record on a single line, to
facilitate machine parsing of the <span><strong class="command">delve</strong></span>
output.
</p></dd>
<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
<dd><p>
Indicates whether to display RRSIG records in the
<span><strong class="command">delve</strong></span> output. The default is to
do so. Note that (unlike in <span><strong class="command">dig</strong></span>)
this does <span class="emphasis"><em>not</em></span> control whether to
request DNSSEC records or whether to validate them.
DNSSEC records are always requested, and validation
will always occur unless suppressed by the use of
<code class="option">-i</code> or <code class="option">+noroot</code> and
<code class="option">+nodlv</code>.
</p></dd>
<dt><span class="term"><code class="option">+[no]root[=ROOT]</code></span></dt>
<dd><p>
Indicates whether to perform conventional (non-
lookaside) DNSSEC validation, and if so, specifies the
name of a trust anchor. The default is to validate using
a trust anchor of "." (the root zone), for which there is
a built-in key. If specifying a different trust anchor,
then <code class="option">-a</code> must be used to specify a file
containing the key.
</p></dd>
<dt><span class="term"><code class="option">+[no]dlv[=DLV]</code></span></dt>
<dd><p>
Indicates whether to perform DNSSEC lookaside validation,
and if so, specifies the name of the DLV trust anchor.
The default is to perform lookaside validation using
a trust anchor of "dlv.isc.org", for which there is a
built-in key. If specifying a different name, then
<code class="option">-a</code> must be used to specify a file
containing the DLV key.
</p></dd>
</dl></div>
<p>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544529"></a><h2>FILES</h2>
<p><code class="filename">/etc/bind.keys</code></p>
<p><code class="filename">/etc/resolv.conf</code></p>
</div>
<div class="refsect1" lang="en">
<a name="id2544544"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<em class="citetitle">RFC4034</em>,
<em class="citetitle">RFC4035</em>,
<em class="citetitle">RFC4431</em>,
<em class="citetitle">RFC5074</em>,
<em class="citetitle">RFC5155</em>.
</p>
</div>
</div></body>
</html>

2
bin/dig/dig.c
View File

@ -1637,7 +1637,7 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
debug("main parsing %s", rv[0]);
if (strncmp(rv[0], "%", 1) == 0)
break;
if (strncmp(rv[0], "@", 1) == 0) {
if (argv[0][0] == '@') {
addresscount = getaddresses(lookup, &rv[0][1], NULL);
} else if (rv[0][0] == '+') {
plus_option(&rv[0][1], is_batchfile,

6
bin/named/Makefile.in
View File

@ -132,10 +132,7 @@ main.@O@: main.c
-DNS_LOCALSTATEDIR=\"${localstatedir}\" \
-DNS_SYSCONFDIR=\"${sysconfdir}\" -c ${srcdir}/main.c
bind.keys.h: ${top_srcdir}/bind.keys ${srcdir}/bindkeys.pl
${PERL} ${srcdir}/bindkeys.pl < ${top_srcdir}/bind.keys > $@
config.@O@: config.c bind.keys.h
config.@O@: config.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
-DSRCID=\"${SRCID}\" \
@ -161,7 +158,6 @@ clean distclean maintainer-clean::
rm -f ${TARGETS} ${OBJS}
maintainer-clean::
rm -f bind.keys.h
bind9.xsl.h: bind9.xsl ${srcdir}/convertxsl.pl
${PERL} ${srcdir}/convertxsl.pl < ${srcdir}/bind9.xsl > bind9.xsl.h

2
bin/named/config.c
View File

@ -47,7 +47,7 @@
#include <named/config.h>
#include <named/globals.h>
#include "bind.keys.h"
#include <bind.keys.h>
/*% default configuration */
static char defaultconf[] = "\

7
bin/named/server.c
View File

@ -5358,9 +5358,10 @@ load_configuration(const char *filename, ns_server_t *server,
maps[i] = NULL;
/*
* If bind.keys exists, load it. If "dnssec-lookaside auto"
* is turned on, the keys found there will be used as default
* trust anchors.
* If bind.keys exists, load it. If "dnssec-validation auto"
* is turned on, the root key found there will be used as a
* default trust anchor, and if "dnssec-lookaside auto" is
* turned on, then the DLV key found there will too.
*/
obj = NULL;
result = ns_config_get(maps, "bindkeys-file", &obj);

0
bin/named/bind.keys.h → bind.keys.h
View File

7
configure vendored
View File

@ -670,6 +670,7 @@ BIND9_MAJOR
BIND9_VERSION
BIND9_DESCRIPTION
BIND9_PRODUCT
BIND9_IRS_BUILDINCLUDE
BIND9_BIND9_BUILDINCLUDE
BIND9_LWRES_BUILDINCLUDE
BIND9_DNS_BUILDINCLUDE
@ -19753,6 +19754,7 @@ BIND9_TOP_BUILDDIR=`pwd`
if test "X$srcdir" != "X"; then
BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include"
BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include"
@ -19760,6 +19762,7 @@ if test "X$srcdir" != "X"; then
BIND9_DNS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/dns/include"
BIND9_LWRES_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/lwres/include"
BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include"
BIND9_IRS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/irs/include"
else
BIND9_ISC_BUILDINCLUDE=""
BIND9_ISCCC_BUILDINCLUDE=""
@ -19767,6 +19770,7 @@ else
BIND9_DNS_BUILDINCLUDE=""
BIND9_LWRES_BUILDINCLUDE=""
BIND9_BIND9_BUILDINCLUDE=""
BIND9_IRS_BUILDINCLUDE=""
fi
@ -20992,7 +20996,7 @@ ac_config_commands="$ac_config_commands chmod"
# elsewhere if there's a good reason for doing so.
#
ac_config_files="$ac_config_files make/Makefile make/mkdep Makefile bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile bin/dig/Makefile bin/dnssec/Makefile bin/named/Makefile bin/named/unix/Makefile bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile bin/python/dnssec-checkds.py bin/python/dnssec-coverage.py bin/rndc/Makefile bin/tests/Makefile bin/tests/atomic/Makefile bin/tests/db/Makefile bin/tests/dst/Makefile bin/tests/dst/Kdh.+002+18602.key bin/tests/dst/Kdh.+002+18602.private bin/tests/dst/Kdh.+002+48957.key bin/tests/dst/Kdh.+002+48957.private bin/tests/dst/Ktest.+001+00002.key bin/tests/dst/Ktest.+001+54622.key bin/tests/dst/Ktest.+001+54622.private bin/tests/dst/Ktest.+003+23616.key bin/tests/dst/Ktest.+003+23616.private bin/tests/dst/Ktest.+003+49667.key bin/tests/dst/dst_2_data bin/tests/dst/t2_data_1 bin/tests/dst/t2_data_2 bin/tests/dst/t2_dsasig bin/tests/dst/t2_rsasig bin/tests/hashes/Makefile bin/tests/headerdep_test.sh bin/tests/master/Makefile bin/tests/mem/Makefile bin/tests/names/Makefile bin/tests/net/Makefile bin/tests/pkcs11/Makefile bin/tests/pkcs11/benchmarks/Makefile bin/tests/rbt/Makefile bin/tests/resolver/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/conf.sh bin/tests/system/dlz/prereq.sh bin/tests/system/dlzexternal/Makefile bin/tests/system/dlzexternal/ns1/named.conf bin/tests/system/dlzredir/prereq.sh bin/tests/system/filter-aaaa/Makefile bin/tests/system/geoip/Makefile bin/tests/system/inline/checkdsa.sh bin/tests/system/lwresd/Makefile bin/tests/system/rpz/Makefile bin/tests/system/rsabigexponent/Makefile bin/tests/system/tkey/Makefile bin/tests/system/tsiggss/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile bin/tests/virtual-time/Makefile bin/tests/virtual-time/conf.sh bin/tools/Makefile contrib/scripts/check-secure-delegation.pl contrib/scripts/zone-edit.sh doc/Makefile doc/arm/Makefile doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter doc/misc/Makefile doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-docbook-latex.xsl doc/xsl/isc-manpage.xsl isc-config.sh lib/Makefile lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile lib/irs/include/irs/netdb.h lib/irs/include/irs/platform.h lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/include/pk11/Makefile lib/isc/include/pkcs11/Makefile lib/isc/tests/Makefile lib/isc/nls/Makefile lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/unix/include/pkcs11/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile lib/samples/Makefile lib/samples/Makefile-postinstall unit/Makefile unit/unittest.sh"
ac_config_files="$ac_config_files make/Makefile make/mkdep Makefile bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile bin/delve/Makefile bin/dig/Makefile bin/dnssec/Makefile bin/named/Makefile bin/named/unix/Makefile bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile bin/python/dnssec-checkds.py bin/python/dnssec-coverage.py bin/rndc/Makefile bin/tests/Makefile bin/tests/atomic/Makefile bin/tests/db/Makefile bin/tests/dst/Makefile bin/tests/dst/Kdh.+002+18602.key bin/tests/dst/Kdh.+002+18602.private bin/tests/dst/Kdh.+002+48957.key bin/tests/dst/Kdh.+002+48957.private bin/tests/dst/Ktest.+001+00002.key bin/tests/dst/Ktest.+001+54622.key bin/tests/dst/Ktest.+001+54622.private bin/tests/dst/Ktest.+003+23616.key bin/tests/dst/Ktest.+003+23616.private bin/tests/dst/Ktest.+003+49667.key bin/tests/dst/dst_2_data bin/tests/dst/t2_data_1 bin/tests/dst/t2_data_2 bin/tests/dst/t2_dsasig bin/tests/dst/t2_rsasig bin/tests/hashes/Makefile bin/tests/headerdep_test.sh bin/tests/master/Makefile bin/tests/mem/Makefile bin/tests/names/Makefile bin/tests/net/Makefile bin/tests/pkcs11/Makefile bin/tests/pkcs11/benchmarks/Makefile bin/tests/rbt/Makefile bin/tests/resolver/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/conf.sh bin/tests/system/dlz/prereq.sh bin/tests/system/dlzexternal/Makefile bin/tests/system/dlzexternal/ns1/named.conf bin/tests/system/dlzredir/prereq.sh bin/tests/system/filter-aaaa/Makefile bin/tests/system/geoip/Makefile bin/tests/system/inline/checkdsa.sh bin/tests/system/lwresd/Makefile bin/tests/system/rpz/Makefile bin/tests/system/rsabigexponent/Makefile bin/tests/system/tkey/Makefile bin/tests/system/tsiggss/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile bin/tests/virtual-time/Makefile bin/tests/virtual-time/conf.sh bin/tools/Makefile contrib/scripts/check-secure-delegation.pl contrib/scripts/zone-edit.sh doc/Makefile doc/arm/Makefile doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter doc/misc/Makefile doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-docbook-latex.xsl doc/xsl/isc-manpage.xsl isc-config.sh lib/Makefile lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile lib/irs/include/irs/netdb.h lib/irs/include/irs/platform.h lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/include/pk11/Makefile lib/isc/include/pkcs11/Makefile lib/isc/tests/Makefile lib/isc/nls/Makefile lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/unix/include/pkcs11/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile lib/samples/Makefile lib/samples/Makefile-postinstall unit/Makefile unit/unittest.sh"
#
@ -21992,6 +21996,7 @@ do
"bin/check/Makefile") CONFIG_FILES="$CONFIG_FILES bin/check/Makefile" ;;
"bin/confgen/Makefile") CONFIG_FILES="$CONFIG_FILES bin/confgen/Makefile" ;;
"bin/confgen/unix/Makefile") CONFIG_FILES="$CONFIG_FILES bin/confgen/unix/Makefile" ;;
"bin/delve/Makefile") CONFIG_FILES="$CONFIG_FILES bin/delve/Makefile" ;;
"bin/dig/Makefile") CONFIG_FILES="$CONFIG_FILES bin/dig/Makefile" ;;
"bin/dnssec/Makefile") CONFIG_FILES="$CONFIG_FILES bin/dnssec/Makefile" ;;
"bin/named/Makefile") CONFIG_FILES="$CONFIG_FILES bin/named/Makefile" ;;

4
configure.in
View File

@ -3664,6 +3664,7 @@ AC_SUBST(BIND9_ISCCFG_BUILDINCLUDE)
AC_SUBST(BIND9_DNS_BUILDINCLUDE)
AC_SUBST(BIND9_LWRES_BUILDINCLUDE)
AC_SUBST(BIND9_BIND9_BUILDINCLUDE)
AC_SUBST(BIND9_IRS_BUILDINCLUDE)
if test "X$srcdir" != "X"; then
BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include"
BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include"
@ -3671,6 +3672,7 @@ if test "X$srcdir" != "X"; then
BIND9_DNS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/dns/include"
BIND9_LWRES_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/lwres/include"
BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include"
BIND9_IRS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/irs/include"
else
BIND9_ISC_BUILDINCLUDE=""
BIND9_ISCCC_BUILDINCLUDE=""
@ -3678,6 +3680,7 @@ else
BIND9_DNS_BUILDINCLUDE=""
BIND9_LWRES_BUILDINCLUDE=""
BIND9_BIND9_BUILDINCLUDE=""
BIND9_IRS_BUILDINCLUDE=""
fi
AC_SUBST_FILE(BIND9_MAKE_INCLUDES)
@ -4042,6 +4045,7 @@ AC_CONFIG_FILES([
bin/check/Makefile
bin/confgen/Makefile
bin/confgen/unix/Makefile
bin/delve/Makefile
bin/dig/Makefile
bin/dnssec/Makefile
bin/named/Makefile

1
doc/arm/Bv9ARM-book.xml
View File

@ -17529,6 +17529,7 @@ zone "example.com" {
<title>Manual pages</title>
<xi:include href="../../bin/dig/dig.docbook"/>
<xi:include href="../../bin/dig/host.docbook"/>
<xi:include href="../../bin/delve/delve.docbook"/>
<xi:include href="../../bin/python/dnssec-checkds.docbook"/>
<xi:include href="../../bin/python/dnssec-coverage.docbook"/>
<xi:include href="../../bin/dnssec/dnssec-dsfromkey.docbook"/>

483
doc/arm/man.delve.html Normal file
View File

@ -0,0 +1,483 @@
<!--
- Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>delve</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.host.html" title="host">
<link rel="next" href="man.dnssec-checkds.html" title="dnssec-checkds">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">delve</th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="man.host.html">Prev</a> </td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right"> <a accesskey="n" href="man.dnssec-checkds.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="refentry" lang="en">
<a name="man.delve"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>delve &#8212; DNS lookup and validation utility</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">delve</code> [@server] [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-a <em class="replaceable"><code>anchor-file</code></em></code>] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>level</code></em></code>] [<code class="option">-i</code>] [<code class="option">-m</code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-q <em class="replaceable"><code>name</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [name] [type] [class] [queryopt...]</p></div>
<div class="cmdsynopsis"><p><code class="command">delve</code> [<code class="option">-h</code>]</p></div>
<div class="cmdsynopsis"><p><code class="command">delve</code> [queryopt...] [query...]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2614254"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">delve</strong></span>
(Domain Entity Lookup &amp; Validation Engine) is a tool for sending
DNS queries and validating the results, using the the same internal
resolver and validator logic as <span><strong class="command">named</strong></span>.
</p>
<p>
<span><strong class="command">delve</strong></span> will send to a specified name server all
queries needed to fetch and validate the requested data; this
includes the original requested query, subsequent queries to follow
CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records
to establish a chain of trust for DNSSEC validation.
It does not perform iterative resolution, but simulates the
behavior of a name server configured for DNSSEC validating and
forwarding.
</p>
<p>
By default, responses are validated using built-in DNSSEC trust
anchors for the root zone (".") and for the ISC DNSSEC lookaside
validation zone ("dlv.isc.org"). Records returned by
<span><strong class="command">delve</strong></span> are either fully validated or
were not signed. If validation fails, an explanation of
the failure is included in the output; the validation process
can be traced in detail. Because <span><strong class="command">delve</strong></span> does
not rely on an external server to carry out validation, it can
be used to check the validity of DNS responses in environments
where local name servers may not be trustworthy.
</p>
<p>
Unless it is told to query a specific name server,
<span><strong class="command">delve</strong></span> will try each of the servers listed in
<code class="filename">/etc/resolv.conf</code>. If no usable server
addresses are found, <span><strong class="command">delve</strong></span> will send
queries to the localhost addresses (127.0.0.1 for IPv4, ::1
for IPv6).
</p>
<p>
When no command line arguments or options are given,
<span><strong class="command">delve</strong></span> will perform an NS query for "."
(the root zone).
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2614327"></a><h2>SIMPLE USAGE</h2>
<p>
A typical invocation of <span><strong class="command">delve</strong></span> looks like:
</p>
<pre class="programlisting"> delve @server name type </pre>
<p>
where:
</p>
<div class="variablelist"><dl>
<dt><span class="term"><code class="constant">server</code></span></dt>
<dd>
<p>
is the name or IP address of the name server to query. This
can be an IPv4 address in dotted-decimal notation or an IPv6
address in colon-delimited notation. When the supplied
<em class="parameter"><code>server</code></em> argument is a hostname,
<span><strong class="command">delve</strong></span> resolves that name before
querying that name server (note, however, that this
initial lookup is <span class="emphasis"><em>not</em></span> validated
by DNSSEC).
</p>
<p>
If no <em class="parameter"><code>server</code></em> argument is
provided, <span><strong class="command">delve</strong></span> consults
<code class="filename">/etc/resolv.conf</code>; if an
address is found there, it queries the name server at
that address. If either of the <code class="option">-4</code> or
<code class="option">-6</code> options are in use, then
only addresses for the corresponding transport
will be tried. If no usable addresses are found,
<span><strong class="command">delve</strong></span> will send queries to
the localhost addresses (127.0.0.1 for IPv4,
::1 for IPv6).
</p>
</dd>
<dt><span class="term"><code class="constant">name</code></span></dt>
<dd><p>
is the domain name to be looked up.
</p></dd>
<dt><span class="term"><code class="constant">type</code></span></dt>
<dd><p>
indicates what type of query is required &#8212;
ANY, A, MX, etc.
<em class="parameter"><code>type</code></em> can be any valid query
type. If no
<em class="parameter"><code>type</code></em> argument is supplied,
<span><strong class="command">delve</strong></span> will perform a lookup for an
A record.
</p></dd>
</dl></div>
<p>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2614800"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd>
<p>
Specifies a file from which to read DNSSEC trust anchors.
The default is <code class="filename">/etc/bind.keys</code>, which
is included with <acronym class="acronym">BIND</acronym> 9 and contains
trust anchors for the root zone (".") and for the ISC
DNSSEC lookaside validation zone ("dlv.isc.org").
</p>
<p>
Keys that do not match the root or DLV trust-anchor
names are ignored; these key names can be overridden
using the <code class="option">+dlv=NAME</code> or
<code class="option">+root=NAME</code> options.
</p>
<p>
Note: When reading the trust anchor file,
<span><strong class="command">delve</strong></span> treats <code class="option">managed-keys</code>
statements and <code class="option">trusted-keys</code> statements
identically. That is, for a managed key, it is the
<span class="emphasis"><em>initial</em></span> key that is trusted; RFC 5011
key management is not supported. <span><strong class="command">delve</strong></span>
will not consult the managed-keys database maintained by
<span><strong class="command">named</strong></span>. This means that if either of the
keys in <code class="filename">/etc/bind.keys</code> is revoked
and rolled over, it will be necessary to update
<code class="filename">/etc/bind.keys</code> to use DNSSEC
validation in <span><strong class="command">delve</strong></span>.
</p>
</dd>
<dt><span class="term">-b</span></dt>
<dd><p>
Sets the source IP address of the query to
<em class="parameter"><code>address</code></em>. This must be a valid address
on one of the host's network interfaces or "0.0.0.0" or "::".
An optional source port may be specified by appending
"#&lt;port&gt;"
</p></dd>
<dt><span class="term">-c</span></dt>
<dd><p>
Sets the query class for the requested data. Currently,
only class "IN" is supported in <span><strong class="command">delve</strong></span>
and any other value is ignored.
</p></dd>
<dt><span class="term">-i</span></dt>
<dd><p>
Insecure mode. This disables internal DNSSEC validation.
(Note, however, this does not set the CD bit on upstream
queries. If the server being queried is performing DNSSEC
validation, then it will not return invalid data; this
can cause <span><strong class="command">delve</strong></span> to time out. When it
is necessary to examine invalid data to debug a DNSSEC
problem, use <span><strong class="command">dig +cd</strong></span>.)
</p></dd>
<dt><span class="term">-m</span></dt>
<dd><p>
Enables memory usage debugging.
</p></dd>
<dt><span class="term">-p</span></dt>
<dd><p>
Specifies a destination port to use for queries instead of
the standard DNS port number 53. This option would be used
with a name server that has been configured to listen
for queries on a non-standard port number.
</p></dd>
<dt><span class="term">-4</span></dt>
<dd><p>
Forces <span><strong class="command">delve</strong></span> to only use IPv4.
</p></dd>
<dt><span class="term">-6</span></dt>
<dd><p>
Forces <span><strong class="command">delve</strong></span> to only use IPv6.
</p></dd>
<dt><span class="term">-q</span></dt>
<dd><p>
Sets the query name to <em class="parameter"><code>name</code></em>.
While the query name can be specified without using the
<code class="option">-q</code>, it is sometimes necessary to disambiguate
names from types or classes (for example, when looking up the
name "ns", which could be misinterpreted as the type NS,
or "ch", which could be misinterpreted as class CH).
</p></dd>
<dt><span class="term">-t</span></dt>
<dd>
<p>
Sets the query type to <em class="parameter"><code>type</code></em>, which
can be any valid query type supported in BIND 9 except
for zone transfer types AXFR and IXFR. As with
<code class="option">-q</code>, this is useful to distinguish
query name type or class when they are ambiguous.
it is sometimes necessary to disambiguate names from types.
</p>
<p>
The default query type is "A", unless the <code class="option">-x</code>
option is supplied to indicate a reverse lookup, in which case
it is "PTR".
</p>
</dd>
<dt><span class="term">-x</span></dt>
<dd><p>
Performs a reverse lookup, mapping an addresses to
a name. <em class="parameter"><code>addr</code></em> is an IPv4 address in
dotted-decimal notation, or a colon-delimited IPv6 address.
When <code class="option">-x</code> is used, there is no need to provide
the <em class="parameter"><code>name</code></em> or <em class="parameter"><code>type</code></em>
arguments. <span><strong class="command">delve</strong></span> automatically performs a
lookup for a name like <code class="literal">11.12.13.10.in-addr.arpa</code>
and sets the query type to PTR. IPv6 addresses are looked up
using nibble format under the IP6.ARPA domain.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2670131"></a><h2>QUERY OPTIONS</h2>
<p><span><strong class="command">delve</strong></span>
provides a number of query options which affect the way results are
displayed, and in some cases the way lookups are performed.
</p>
<p>
Each query option is identified by a keyword preceded by a plus sign
(<code class="literal">+</code>). Some keywords set or reset an
option. These may be preceded by the string
<code class="literal">no</code> to negate the meaning of that keyword.
Other keywords assign values to options like the timeout interval.
They have the form <code class="option">+keyword=value</code>.
The query options are:
</p>
<div class="variablelist"><dl>
<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
<dd><p>
Controls whether to set the CD (checking disabled) bit in
queries sent by <span><strong class="command">delve</strong></span>. This may be useful
when troubleshooting DNSSEC problems from behind a validating
resolver. A validating resolver will block invalid responses,
making it difficult to retrieve them for analysis. Setting
the CD flag on queries will cause the resolver to return
invalid responses, which <span><strong class="command">delve</strong></span> can then
validate internally and report the errors in detail.
</p></dd>
<dt><span class="term"><code class="option">+[no]class</code></span></dt>
<dd><p>
Controls whether to display the CLASS when printing
a record. The default is to display the CLASS.
</p></dd>
<dt><span class="term"><code class="option">+[no]ttl</code></span></dt>
<dd><p>
Controls whether to display the TTL when printing
a record. The default is to display the TTL.
</p></dd>
<dt><span class="term"><code class="option">+[no]rtrace</code></span></dt>
<dd>
<p>
Toggle resolver fetch logging. This reports the
name and type of each query sent by <span><strong class="command">delve</strong></span>
in the process of carrying out the resolution and validation
process: this includes including the original query and
all subsequent queries to follow CNAMEs and to establish a
chain of trust for DNSSEC validation.
</p>
<p>
This is equivalent to setting the debug level to 1 in
the "resolver" logging category. Setting the systemwide
debug level to 1 using the <code class="option">-d</code> option will
product the same output (but will affect other logging
categories as well).
</p>
</dd>
<dt><span class="term"><code class="option">+[no]mtrace</code></span></dt>
<dd>
<p>
Toggle message logging. This produces a detailed dump of
the responses received by <span><strong class="command">delve</strong></span> in the
process of carrying out the resolution and validation process.
</p>
<p>
This is equivalent to setting the debug level to 10
for the the "packets" module of the "resolver" logging
category. Setting the systemwide debug level to 10 using
the <code class="option">-d</code> option will produce the same output
(but will affect other logging categories as well).
</p>
</dd>
<dt><span class="term"><code class="option">+[no]vtrace</code></span></dt>
<dd>
<p>
Toggle validation logging. This shows the internal
process of the validator as it determines whether an
answer is validly signed, unsigned, or invalid.
</p>
<p>
This is equivalent to setting the debug level to 3
for the the "validator" module of the "dnssec" logging
category. Setting the systemwide debug level to 3 using
the <code class="option">-d</code> option will produce the same output
(but will affect other logging categories as well).
</p>
</dd>
<dt><span class="term"><code class="option">+[no]short</code></span></dt>
<dd><p>
Provide a terse answer. The default is to print the answer in a
verbose form.
</p></dd>
<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
<dd><p>
Toggle the display of comment lines in the output. The default
is to print comments.
</p></dd>
<dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
<dd><p>
Toggle the display of per-record comments in the output (for
example, human-readable key information about DNSKEY records).
The default is to print per-record comments.
</p></dd>
<dt><span class="term"><code class="option">+[no]crypto</code></span></dt>
<dd><p>
Toggle the display of cryptographic fields in DNSSEC records.
The contents of these field are unnecessary to debug most DNSSEC
validation failures and removing them makes it easier to see
the common failures. The default is to display the fields.
When omitted they are replaced by the string "[omitted]" or
in the DNSKEY case the key id is displayed as the replacement,
e.g. "[ key id = value ]".
</p></dd>
<dt><span class="term"><code class="option">+[no]trust</code></span></dt>
<dd><p>
Controls whether to display the trust level when printing
a record. The default is to display the trust level.
</p></dd>
<dt><span class="term"><code class="option">+[no]split[=W]</code></span></dt>
<dd><p>
Split long hex- or base64-formatted fields in resource
records into chunks of <em class="parameter"><code>W</code></em> characters
(where <em class="parameter"><code>W</code></em> is rounded up to the nearest
multiple of 4).
<em class="parameter"><code>+nosplit</code></em> or
<em class="parameter"><code>+split=0</code></em> causes fields not to be
split at all. The default is 56 characters, or 44 characters
when multiline mode is active.
</p></dd>
<dt><span class="term"><code class="option">+[no]all</code></span></dt>
<dd><p>
Set or clear the display options
<code class="option">+[no]comments</code>,
<code class="option">+[no]rrcomments</code>, and
<code class="option">+[no]trust</code> as a group.
</p></dd>
<dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
<dd><p>
Print long records (such as RRSIG, DNSKEY, and SOA records)
in a verbose multi-line format with human-readable comments.
The default is to print each record on a single line, to
facilitate machine parsing of the <span><strong class="command">delve</strong></span>
output.
</p></dd>
<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
<dd><p>
Indicates whether to display RRSIG records in the
<span><strong class="command">delve</strong></span> output. The default is to
do so. Note that (unlike in <span><strong class="command">dig</strong></span>)
this does <span class="emphasis"><em>not</em></span> control whether to
request DNSSEC records or whether to validate them.
DNSSEC records are always requested, and validation
will always occur unless suppressed by the use of
<code class="option">-i</code> or <code class="option">+noroot</code> and
<code class="option">+nodlv</code>.
</p></dd>
<dt><span class="term"><code class="option">+[no]root[=ROOT]</code></span></dt>
<dd><p>
Indicates whether to perform conventional (non-
lookaside) DNSSEC validation, and if so, specifies the
name of a trust anchor. The default is to validate using
a trust anchor of "." (the root zone), for which there is
a built-in key. If specifying a different trust anchor,
then <code class="option">-a</code> must be used to specify a file
containing the key.
</p></dd>
<dt><span class="term"><code class="option">+[no]dlv[=DLV]</code></span></dt>
<dd><p>
Indicates whether to perform DNSSEC lookaside validation,
and if so, specifies the name of the DLV trust anchor.
The default is to perform lookaside validation using
a trust anchor of "dlv.isc.org", for which there is a
built-in key. If specifying a different name, then
<code class="option">-a</code> must be used to specify a file
containing the DLV key.
</p></dd>
</dl></div>
<p>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2670647"></a><h2>FILES</h2>
<p><code class="filename">/etc/bind.keys</code></p>
<p><code class="filename">/etc/resolv.conf</code></p>
</div>
<div class="refsect1" lang="en">
<a name="id2670666"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<em class="citetitle">RFC4034</em>,
<em class="citetitle">RFC4035</em>,
<em class="citetitle">RFC4431</em>,
<em class="citetitle">RFC5074</em>,
<em class="citetitle">RFC5155</em>.
</p>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="man.host.html">Prev</a> </td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
<td width="40%" align="right"> <a accesskey="n" href="man.dnssec-checkds.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">host </td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top"> <span class="application">dnssec-checkds</span>
</td>
</tr>
</table>
</div>
</body>
</html>

6
lib/dns/adb.c
View File

@ -2515,9 +2515,9 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
result = isc_taskmgr_excltask(adb->taskmgr, &adb->excl);
if (result != ISC_R_SUCCESS) {
DP(ISC_LOG_INFO, "adb: task-exclusive mode unavailable, "
"intializing table sizes to %u\n",
nbuckets[11]);
DP(DEF_LEVEL, "adb: task-exclusive mode unavailable, "
"intializing table sizes to %u\n",
nbuckets[11]);
adb->nentries = nbuckets[11];
adb->nnames= nbuckets[11];

82
lib/dns/client.c
View File

@ -21,6 +21,7 @@
#include <stddef.h>
#include <isc/app.h>
#include <isc/buffer.h>
#include <isc/mem.h>
#include <isc/mutex.h>
#include <isc/sockaddr.h>
@ -123,6 +124,8 @@ typedef struct resctx {
isc_mutex_t lock;
dns_client_t *client;
isc_boolean_t want_dnssec;
isc_boolean_t want_validation;
isc_boolean_t want_cdflag;
/* Locked */
ISC_LINK(struct resctx) link;
@ -300,12 +303,12 @@ getudpdispatch(int family, dns_dispatchmgr_t *dispatchmgr,
}
static isc_result_t
dns_client_createview(isc_mem_t *mctx, dns_rdataclass_t rdclass,
unsigned int options, isc_taskmgr_t *taskmgr,
unsigned int ntasks, isc_socketmgr_t *socketmgr,
isc_timermgr_t *timermgr, dns_dispatchmgr_t *dispatchmgr,
dns_dispatch_t *dispatchv4, dns_dispatch_t *dispatchv6,
dns_view_t **viewp)
createview(isc_mem_t *mctx, dns_rdataclass_t rdclass,
unsigned int options, isc_taskmgr_t *taskmgr,
unsigned int ntasks, isc_socketmgr_t *socketmgr,
isc_timermgr_t *timermgr, dns_dispatchmgr_t *dispatchmgr,
dns_dispatch_t *dispatchv4, dns_dispatch_t *dispatchv6,
dns_view_t **viewp)
{
isc_result_t result;
dns_view_t *view = NULL;
@ -322,9 +325,9 @@ dns_client_createview(isc_mem_t *mctx, dns_rdataclass_t rdclass,
return (result);
}
result = dns_view_createresolver(view, taskmgr, ntasks, 1, socketmgr,
timermgr, 0, dispatchmgr,
dispatchv4, dispatchv6);
result = dns_view_createresolver(view, taskmgr, ntasks, 1,
socketmgr, timermgr, 0,
dispatchmgr, dispatchv4, dispatchv6);
if (result != ISC_R_SUCCESS) {
dns_view_detach(&view);
return (result);
@ -506,10 +509,9 @@ dns_client_createx2(isc_mem_t *mctx, isc_appctx_t *actx,
}
/* Create the default view for class IN */
result = dns_client_createview(mctx, dns_rdataclass_in, options,
taskmgr, 31, socketmgr, timermgr,
dispatchmgr, dispatchv4, dispatchv6,
&view);
result = createview(mctx, dns_rdataclass_in, options, taskmgr, 31,
socketmgr, timermgr, dispatchmgr,
dispatchv4, dispatchv6, &view);
if (result != ISC_R_SUCCESS)
goto cleanup;
ISC_LIST_INIT(client->viewlist);
@ -674,6 +676,46 @@ dns_client_clearservers(dns_client_t *client, dns_rdataclass_t rdclass,
return (result);
}
isc_result_t
dns_client_setdlv(dns_client_t *client, dns_rdataclass_t rdclass,
const char *dlvname)
{
isc_result_t result;
isc_buffer_t b;
dns_view_t *view = NULL;
REQUIRE(DNS_CLIENT_VALID(client));
LOCK(&client->lock);
result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
rdclass, &view);
UNLOCK(&client->lock);
if (result != ISC_R_SUCCESS)
goto cleanup;
if (dlvname == NULL)
view->dlv = NULL;
else {
dns_name_t *newdlv;
isc_buffer_constinit(&b, dlvname, strlen(dlvname));
isc_buffer_add(&b, strlen(dlvname));
newdlv = dns_fixedname_name(&view->dlv_fixed);
result = dns_name_fromtext(newdlv, &b, dns_rootname,
DNS_NAME_DOWNCASE, NULL);
if (result != ISC_R_SUCCESS)
goto cleanup;
view->dlv = dns_fixedname_name(&view->dlv_fixed);
}
cleanup:
if (view != NULL)
dns_view_detach(&view);
return (result);
}
static isc_result_t
getrdataset(isc_mem_t *mctx, dns_rdataset_t **rdatasetp) {
dns_rdataset_t *rdataset;
@ -724,6 +766,7 @@ fetch_done(isc_task_t *task, isc_event_t *event) {
static inline isc_result_t
start_fetch(resctx_t *rctx) {
isc_result_t result;
int fopts = 0;
/*
* The caller must be holding the rctx's lock.
@ -731,10 +774,15 @@ start_fetch(resctx_t *rctx) {
REQUIRE(rctx->fetch == NULL);
if (!rctx->want_cdflag)
fopts |= DNS_FETCHOPT_NOCDFLAG;
if (!rctx->want_validation)
fopts |= DNS_FETCHOPT_NOVALIDATE;
result = dns_resolver_createfetch(rctx->view->resolver,
dns_fixedname_name(&rctx->name),
rctx->type,
NULL, NULL, NULL, 0,
NULL, NULL, NULL, fopts,
rctx->task, fetch_done, rctx,
rctx->rdataset,
rctx->sigrdataset,
@ -1277,7 +1325,7 @@ dns_client_startresolve(dns_client_t *client, dns_name_t *name,
isc_mem_t *mctx;
isc_result_t result;
dns_rdataset_t *rdataset, *sigrdataset;
isc_boolean_t want_dnssec;
isc_boolean_t want_dnssec, want_validation, want_cdflag;
REQUIRE(DNS_CLIENT_VALID(client));
REQUIRE(transp != NULL && *transp == NULL);
@ -1293,6 +1341,8 @@ dns_client_startresolve(dns_client_t *client, dns_name_t *name,
rdataset = NULL;
sigrdataset = NULL;
want_dnssec = ISC_TF((options & DNS_CLIENTRESOPT_NODNSSEC) == 0);
want_validation = ISC_TF((options & DNS_CLIENTRESOPT_NOVALIDATE) == 0);
want_cdflag = ISC_TF((options & DNS_CLIENTRESOPT_NOCDFLAG) == 0);
/*
* Prepare some intermediate resources
@ -1348,6 +1398,8 @@ dns_client_startresolve(dns_client_t *client, dns_name_t *name,
rctx->restarts = 0;
rctx->fetch = NULL;
rctx->want_dnssec = want_dnssec;
rctx->want_validation = want_validation;
rctx->want_cdflag = want_cdflag;
ISC_LIST_INIT(rctx->namelist);
rctx->event = event;

26
lib/dns/include/dns/client.h
View File

@ -77,10 +77,14 @@ ISC_LANG_BEGINDECLS
/*%
* Optional flags for dns_client_(start)resolve.
*/
/*%< Disable DNSSEC validation. */
/*%< Do not return DNSSEC data (e.g. RRSIGS) with response. */
#define DNS_CLIENTRESOPT_NODNSSEC 0x01
/*%< Allow running external context. */
#define DNS_CLIENTRESOPT_ALLOWRUN 0x02
/*%< Don't validate responses. */
#define DNS_CLIENTRESOPT_NOVALIDATE 0x04
/*%< Don't set the CD flag on upstream queries. */
#define DNS_CLIENTRESOPT_NOCDFLAG 0x08
/*%
* Optional flags for dns_client_(start)request.
@ -261,6 +265,26 @@ dns_client_clearservers(dns_client_t *client, dns_rdataclass_t rdclass,
*\li Anything else Failure.
*/
isc_result_t
dns_client_setdlv(dns_client_t *client, dns_rdataclass_t rdclass,
const char *dlvname);
/*%<
* Specify a name to use for DNSSEC lookaside validation (e.g.,
* "dlv.isc.org"). If a trusted key has been added for that name,
* then DLV will be used during validation. If 'dlvname' is NULL,
* then DLV will no longer be used for this client.
*
* Requires:
*
*\li 'client' is a valid client.
*
* Returns:
*
*\li #ISC_R_SUCCESS On success.
*
*\li Anything else Failure.
*/
isc_result_t
dns_client_resolve(dns_client_t *client, dns_name_t *name,
dns_rdataclass_t rdclass, dns_rdatatype_t type,

1
lib/dns/include/dns/log.h
View File

@ -77,6 +77,7 @@ LIBDNS_EXTERNAL_DATA extern isc_logmodule_t dns_modules[];
#define DNS_LOGMODULE_DLZ (&dns_modules[26])
#define DNS_LOGMODULE_DNSSEC (&dns_modules[27])
#define DNS_LOGMODULE_CRYPTO (&dns_modules[28])
#define DNS_LOGMODULE_PACKETS (&dns_modules[29])
ISC_LANG_BEGINDECLS

9
lib/dns/include/dns/masterdump.h
View File

@ -103,6 +103,10 @@ typedef struct dns_master_style dns_master_style_t;
/*% Don't printout the cryptographic parts of DNSSEC records. */
#define DNS_STYLEFLAG_NOCRYPTO 0x08000000U
/*% Comment out data by prepending with ";" */
#define DNS_STYLEFLAG_COMMENTDATA 0x10000000U
ISC_LANG_BEGINDECLS
/***
@ -151,6 +155,11 @@ LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_simple;
*/
LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_debug;
/*%
* Similar to dns_master_style_debug but data is prepended with ";"
*/
LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_comment;
/*%
* The style used for dumping "key" zones.
*/

7
lib/dns/include/dns/message.h
View File

@ -139,6 +139,7 @@ typedef int dns_messagetextflag_t;
#define DNS_MESSAGETEXTFLAG_NOHEADERS 0x0002
#define DNS_MESSAGETEXTFLAG_ONESOA 0x0004
#define DNS_MESSAGETEXTFLAG_OMITSOA 0x0008
#define DNS_MESSAGETEXTFLAG_COMMENTDATA 0x0010
/*
* Dynamic update names for these sections.
@ -1356,10 +1357,16 @@ dns_message_gettimeadjust(dns_message_t *msg);
* Requires:
*\li msg be a valid message.
*/
void
dns_message_logpacket(dns_message_t *message, const char *description,
isc_logcategory_t *category, isc_logmodule_t *module,
int level, isc_mem_t *mctx);
void
dns_message_logfmtpacket(dns_message_t *message, const char *description,
isc_logcategory_t *category, isc_logmodule_t *module,
const dns_master_style_t *style, int level,
isc_mem_t *mctx);
/*%<
* Log 'message' at the specified logging parameters.
* 'description' will be emitted at the start of the message and will

5
lib/dns/include/dns/resolver.h
View File

@ -95,8 +95,9 @@ typedef struct dns_fetchevent {
#define DNS_FETCHOPT_NOVALIDATE 0x020 /*%< Disable validation. */
#define DNS_FETCHOPT_EDNS512 0x040 /*%< Advertise a 512 byte
UDP buffer. */
#define DNS_FETCHOPT_WANTNSID 0x080 /*%< Request NSID */
#define DNS_FETCHOPT_PREFETCH 0x100 /*%< Request NSID */
#define DNS_FETCHOPT_WANTNSID 0x080 /*%< Request NSID */
#define DNS_FETCHOPT_PREFETCH 0x100 /*%< Request NSID */
#define DNS_FETCHOPT_NOCDFLAG 0x200 /*%< Don't set CD flag. */
#define DNS_FETCHOPT_EDNSVERSIONSET 0x00800000
#define DNS_FETCHOPT_EDNSVERSIONMASK 0xff000000

5
lib/dns/include/dns/validator.h
View File

@ -170,8 +170,9 @@ struct dns_validator {
/*%
* dns_validator_create() options.
*/
#define DNS_VALIDATOR_DLV 1U
#define DNS_VALIDATOR_DEFER 2U
#define DNS_VALIDATOR_DLV 0x0001U
#define DNS_VALIDATOR_DEFER 0x0002U
#define DNS_VALIDATOR_NOCDFLAG 0x0004U
ISC_LANG_BEGINDECLS

1
lib/dns/log.c
View File

@ -83,6 +83,7 @@ LIBDNS_EXTERNAL_DATA isc_logmodule_t dns_modules[] = {
{ "dns/dlz", 0 },
{ "dns/dnssec", 0 },
{ "dns/crypto", 0 },
{ "dns/packets", 0 },
{ NULL, 0 }
};

26
lib/dns/masterdump.c
View File

@ -174,6 +174,18 @@ dns_master_style_debug = {
24, 32, 40, 48, 80, 8, UINT_MAX
};
/*%
* Similar, but with each line commented out.
*/
LIBDNS_EXTERNAL_DATA const dns_master_style_t
dns_master_style_comment = {
DNS_STYLEFLAG_REL_OWNER |
DNS_STYLEFLAG_MULTILINE |
DNS_STYLEFLAG_RRCOMMENT |
DNS_STYLEFLAG_COMMENTDATA,
24, 32, 40, 48, 80, 8, UINT_MAX
};
#define N_SPACES 10
static char spaces[N_SPACES+1] = " ";
@ -305,6 +317,14 @@ totext_ctx_init(const dns_master_style_t *style, dns_totext_ctx_t *ctx) {
r.base[0] = '\n';
isc_buffer_add(&buf, 1);
if ((ctx->style.flags & DNS_STYLEFLAG_COMMENTDATA) != 0) {
isc_buffer_availableregion(&buf, &r);
if (r.length < 1)
return (DNS_R_TEXTTOOLONG);
r.base[0] = ';';
isc_buffer_add(&buf, 1);
}
result = indent(&col, ctx->style.rdata_column,
ctx->style.tab_width, &buf);
/*
@ -441,6 +461,12 @@ rdataset_totext(dns_rdataset_t *rdataset,
while (result == ISC_R_SUCCESS) {
column = 0;
/*
* Comment?
*/
if ((ctx->style.flags & DNS_STYLEFLAG_COMMENTDATA) != 0)
isc_buffer_putstr(target, ";");
/*
* Owner name.
*/

13
lib/dns/message.c
View File

@ -3464,6 +3464,16 @@ void
dns_message_logpacket(dns_message_t *message, const char *description,
isc_logcategory_t *category, isc_logmodule_t *module,
int level, isc_mem_t *mctx)
{
dns_message_logfmtpacket(message, description, category, module,
&dns_master_style_debug, level, mctx);
}
void
dns_message_logfmtpacket(dns_message_t *message, const char *description,
isc_logcategory_t *category, isc_logmodule_t *module,
const dns_master_style_t *style, int level,
isc_mem_t *mctx)
{
isc_buffer_t buffer;
char *buf = NULL;
@ -3483,8 +3493,7 @@ dns_message_logpacket(dns_message_t *message, const char *description,
if (buf == NULL)
break;
isc_buffer_init(&buffer, buf, len);
result = dns_message_totext(message, &dns_master_style_debug,
0, &buffer);
result = dns_message_totext(message, style, 0, &buffer);
if (result == ISC_R_NOSPACE) {
isc_mem_put(mctx, buf, len);
len += 1024;

44
lib/dns/resolver.c
View File

@ -1827,13 +1827,17 @@ resquery_send(resquery_t *query) {
fctx->qmessage->flags |= DNS_MESSAGEFLAG_RD;
/*
* Set CD if the client says don't validate or the question is
* under a secure entry point and it is not a recursive query.
* Set CD if the client says not to validate, or if the
* question is under a secure entry point and this is a
* recursive/forward query -- unless the client said not to.
*/
if ((query->options & DNS_FETCHOPT_NOVALIDATE) != 0) {
if ((query->options & DNS_FETCHOPT_NOCDFLAG) != 0)
/* Do nothing */
;
else if ((query->options & DNS_FETCHOPT_NOVALIDATE) != 0)
fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
} else if (res->view->enablevalidation &&
(fctx->qmessage->flags & DNS_MESSAGEFLAG_RD) != 0) {
else if (res->view->enablevalidation &&
((fctx->qmessage->flags & DNS_MESSAGEFLAG_RD) != 0)) {
result = dns_view_issecuredomain(res->view, &fctx->name,
&secure_domain);
if (result != ISC_R_SUCCESS)
@ -2509,8 +2513,8 @@ add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason,
isc_sockaddr_format(address, addrbuf, sizeof(addrbuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
"error (%s%s%s) resolving '%s/%s/%s': %s",
dns_result_totext(reason), spc, code,
"%s%s%s resolving '%s/%s/%s': %s",
code, spc, dns_result_totext(reason),
namebuf, typebuf, classbuf, addrbuf);
}
@ -4711,6 +4715,9 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
}
}
if ((fctx->options & DNS_FETCHOPT_NOCDFLAG) != 0)
valoptions |= DNS_VALIDATOR_NOCDFLAG;
if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0)
need_validation = ISC_FALSE;
else
@ -5243,6 +5250,9 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
}
}
if ((fctx->options & DNS_FETCHOPT_NOCDFLAG) != 0)
valoptions |= DNS_VALIDATOR_NOCDFLAG;
if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0)
need_validation = ISC_FALSE;
else
@ -6736,7 +6746,8 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) {
FCTXTRACE("continuing to look for parent's NS records");
result = dns_resolver_createfetch(fctx->res, &fctx->nsname,
dns_rdatatype_ns, domain,
nsrdataset, NULL, 0, task,
nsrdataset, NULL,
fctx->options, task,
resume_dslookup, fctx,
&fctx->nsrrset, NULL,
&fctx->nsfetch);
@ -6900,7 +6911,7 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) {
case DNS_OPT_NSID:
if (query->options & DNS_FETCHOPT_WANTNSID)
log_nsid(&optbuf, optlen, query,
ISC_LOG_INFO,
ISC_LOG_DEBUG(3),
query->fctx->res->mctx);
isc_buffer_forward(&optbuf, optlen);
break;
@ -7106,10 +7117,12 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
/*
* Log the incoming packet.
*/
dns_message_logpacket(message, "received packet:\n",
DNS_LOGCATEGORY_RESOLVER, DNS_LOGMODULE_RESOLVER,
ISC_LOG_DEBUG(10), fctx->res->mctx);
dns_message_logfmtpacket(message, "received packet:\n",
DNS_LOGCATEGORY_RESOLVER,
DNS_LOGMODULE_PACKETS,
&dns_master_style_comment,
ISC_LOG_DEBUG(10),
fctx->res->mctx);
/*
* Process receive opt record.
*/
@ -7700,7 +7713,8 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
result = dns_resolver_createfetch(fctx->res, &fctx->nsname,
dns_rdatatype_ns,
NULL, NULL, NULL, 0, task,
NULL, NULL, NULL,
fctx->options, task,
resume_dslookup, fctx,
&fctx->nsrrset, NULL,
&fctx->nsfetch);
@ -8349,7 +8363,7 @@ log_fetch(dns_name_t *name, dns_rdatatype_t type) {
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
DNS_LOGMODULE_RESOLVER, level,
"createfetch: %s %s", namebuf, typebuf);
"fetch: %s/%s", namebuf, typebuf);
}
isc_result_t

33
lib/dns/validator.c
View File

@ -1125,6 +1125,8 @@ static inline isc_result_t
create_fetch(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
isc_taskaction_t callback, const char *caller)
{
unsigned int fopts = 0;
if (dns_rdataset_isassociated(&val->frdataset))
dns_rdataset_disassociate(&val->frdataset);
if (dns_rdataset_isassociated(&val->fsigrdataset))
@ -1136,9 +1138,12 @@ create_fetch(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
return (DNS_R_NOVALIDSIG);
}
if ((val->options & DNS_VALIDATOR_NOCDFLAG) != 0)
fopts |= DNS_FETCHOPT_NOCDFLAG;
validator_logcreate(val, name, type, caller, "fetch");
return (dns_resolver_createfetch(val->view->resolver, name, type,
NULL, NULL, NULL, 0,
NULL, NULL, NULL, fopts,
val->event->ev_sender,
callback, val,
&val->frdataset,
@ -1155,6 +1160,7 @@ create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
isc_taskaction_t action, const char *caller)
{
isc_result_t result;
unsigned int vopts = 0;
if (check_deadlock(val, name, type, rdataset, sigrdataset)) {
validator_log(val, ISC_LOG_DEBUG(3),
@ -1162,9 +1168,12 @@ create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
return (DNS_R_NOVALIDSIG);
}
/* OK to clear other options, but preserve NOCDFLAG */
vopts |= (val->options & DNS_VALIDATOR_NOCDFLAG);
validator_logcreate(val, name, type, caller, "validator");
result = dns_validator_create(val->view, name, type,
rdataset, sigrdataset, NULL, 0,
rdataset, sigrdataset, NULL, vopts,
val->task, action, val,
&val->subvalidator);
if (result == ISC_R_SUCCESS) {
@ -1545,7 +1554,7 @@ verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
*/
static isc_result_t
validate(dns_validator_t *val, isc_boolean_t resume) {
isc_result_t result;
isc_result_t result, vresult = DNS_R_NOVALIDSIG;
dns_validatorevent_t *event;
dns_rdata_t rdata = DNS_RDATA_INIT;
@ -1610,9 +1619,9 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
}
do {
result = verify(val, val->key, &rdata,
vresult = verify(val, val->key, &rdata,
val->siginfo->keyid);
if (result == ISC_R_SUCCESS)
if (vresult == ISC_R_SUCCESS)
break;
if (val->keynode != NULL) {
dns_keynode_t *nextnode = NULL;
@ -1636,7 +1645,7 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
break;
}
} while (1);
if (result != ISC_R_SUCCESS)
if (vresult != ISC_R_SUCCESS)
validator_log(val, ISC_LOG_DEBUG(3),
"failed to verify rdataset");
else {
@ -1670,12 +1679,12 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
validator_log(val, ISC_LOG_DEBUG(3),
"looking for noqname proof");
return (nsecvalidate(val, ISC_FALSE));
} else if (result == ISC_R_SUCCESS) {
} else if (vresult == ISC_R_SUCCESS) {
marksecure(event);
validator_log(val, ISC_LOG_DEBUG(3),
"marking as secure, "
"noqname proof not needed");
return (result);
return (ISC_R_SUCCESS);
} else {
validator_log(val, ISC_LOG_DEBUG(3),
"verify failure: %s",
@ -1691,7 +1700,7 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
}
validator_log(val, ISC_LOG_INFO, "no valid signature found");
return (DNS_R_NOVALIDSIG);
return (vresult);
}
/*%
@ -3886,7 +3895,7 @@ dns_validator_destroy(dns_validator_t **validatorp) {
LOCK(&val->lock);
val->attributes |= VALATTR_SHUTDOWN;
validator_log(val, ISC_LOG_DEBUG(3), "dns_validator_destroy");
validator_log(val, ISC_LOG_DEBUG(4), "dns_validator_destroy");
want_destroy = exit_check(val);
@ -3919,8 +3928,8 @@ validator_logv(dns_validator_t *val, isc_logcategory_t *category,
dns_rdatatype_format(val->event->type, typebuf,
sizeof(typebuf));
isc_log_write(dns_lctx, category, module, level,
"%.*svalidating @%p: %s %s: %s", depth, spaces,
val, namebuf, typebuf, msgbuf);
"%.*svalidating %s/%s: %s", depth, spaces,
namebuf, typebuf, msgbuf);
} else {
isc_log_write(dns_lctx, category, module, level,
"%.*svalidator @%p: %s", depth, spaces,

6
lib/isc/include/isc/log.h
View File

@ -67,8 +67,9 @@
#define ISC_LOG_PRINTLEVEL 0x0002
#define ISC_LOG_PRINTCATEGORY 0x0004
#define ISC_LOG_PRINTMODULE 0x0008
#define ISC_LOG_PRINTTAG 0x0010
#define ISC_LOG_PRINTALL 0x001F
#define ISC_LOG_PRINTTAG 0x0010 /* tag and ":" */
#define ISC_LOG_PRINTPREFIX 0x0020 /* tag only, no colon */
#define ISC_LOG_PRINTALL 0x003F
#define ISC_LOG_DEBUGONLY 0x1000
#define ISC_LOG_OPENERR 0x8000 /* internal */
/*@}*/
@ -167,6 +168,7 @@ LIBISC_EXTERNAL_DATA extern isc_logmodule_t isc_modules[];
#define ISC_LOGMODULE_INTERFACE (&isc_modules[2])
#define ISC_LOGMODULE_TIMER (&isc_modules[3])
#define ISC_LOGMODULE_FILE (&isc_modules[4])
#define ISC_LOGMODULE_OTHER (&isc_modules[5])
ISC_LANG_BEGINDECLS

20
lib/isc/log.c
View File

@ -205,6 +205,7 @@ LIBISC_EXTERNAL_DATA isc_logmodule_t isc_modules[] = {
{ "interface", 0 },
{ "timer", 0 },
{ "file", 0 },
{ "other", 0 },
{ NULL, 0 }
};
@ -1413,7 +1414,7 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
const char *iformat;
struct stat statbuf;
isc_boolean_t matched = ISC_FALSE;
isc_boolean_t printtime, printtag;
isc_boolean_t printtime, printtag, printcolon;
isc_boolean_t printcategory, printmodule, printlevel;
isc_logconfig_t *lcfg;
isc_logchannel_t *channel;
@ -1642,7 +1643,10 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
printtime = ISC_TF((channel->flags & ISC_LOG_PRINTTIME)
!= 0);
printtag = ISC_TF((channel->flags & ISC_LOG_PRINTTAG)
printtag = ISC_TF((channel->flags &
(ISC_LOG_PRINTTAG|ISC_LOG_PRINTPREFIX))
!= 0 && lcfg->tag != NULL);
printcolon = ISC_TF((channel->flags & ISC_LOG_PRINTTAG)
!= 0 && lcfg->tag != NULL);
printcategory = ISC_TF((channel->flags & ISC_LOG_PRINTCATEGORY)
!= 0);
@ -1696,11 +1700,12 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
/* FALLTHROUGH */
case ISC_LOG_TOFILEDESC:
fprintf(FILE_STREAM(channel), "%s%s%s%s%s%s%s%s%s%s\n",
fprintf(FILE_STREAM(channel),
"%s%s%s%s%s%s%s%s%s%s\n",
printtime ? time_string : "",
printtime ? " " : "",
printtag ? lcfg->tag : "",
printtag ? ": " : "",
printcolon ? ": " : "",
printcategory ? category->name : "",
printcategory ? ": " : "",
printmodule ? (module != NULL ? module->name
@ -1743,11 +1748,12 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
printtime ? time_string : "",
printtime ? " " : "",
printtag ? lcfg->tag : "",
printtag ? ": " : "",
printcolon ? ": " : "",
printcategory ? category->name : "",
printcategory ? ": " : "",
printmodule ? (module != NULL ? module->name
: "no_module")
printmodule ? (module != NULL
? module->name
: "no_module")
: "",
printmodule ? ": " : "",
printlevel ? level_string : "",

1
lib/isc/unix/app.c
View File

@ -220,7 +220,6 @@ isc__app_ctxstart(isc_appctx_t *ctx0) {
sigset_t sset;
char strbuf[ISC_STRERRORSIZE];
REQUIRE(VALID_APPCTX(ctx));
/*

1
lib/samples/.gitignore vendored
View File

@ -1,4 +1,5 @@
Makefile-postinstall
delve
nsprobe
process
resolve

11
lib/samples/Makefile.in
View File

@ -26,7 +26,7 @@ CINCLUDES = -I${srcdir}/include -I../dns/include \
-I${top_srcdir}/lib/irs/include \
-I../../irs/include
CDEFINES =
CDEFINES = -DVERSION=\"${VERSION}\" -DSYSCONFDIR=\"${sysconfdir}\"
CWARNINGS =
ISCLIBS = ../isc/libisc.@A@
@ -45,15 +45,18 @@ LIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
SUBDIRS =
TARGETS = resolve@EXEEXT@ sample-async@EXEEXT@ sample-gai@EXEEXT@ \
TARGETS = resolve@EXEEXT@ \
sample-async@EXEEXT@ sample-gai@EXEEXT@ \
sample-update@EXEEXT@ sample-request@EXEEXT@ nsprobe@EXEEXT@
OBJS = resolve.@O@ sample-async.@O@ sample-gai.@O@ sample-update.@O@ \
OBJS = resolve.@O@ \
sample-async.@O@ sample-gai.@O@ sample-update.@O@ \
sample-request.@O@ nsprobe.@O@
UOBJS =
SRCS = resolve.c sample-async.c sample-gai.c sample-update.c \
SRCS = resolve.c \
sample-async.c sample-gai.c sample-update.c \
sample-request.c nsprobe.c
MANPAGES =

2
lib/samples/resolve.c
View File

@ -116,7 +116,7 @@ set_key(dns_client_t *client, char *keynamestr, char *keystr,
result = isc_mem_create(0, 0, mctxp);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "failed to crate mctx\n");
fprintf(stderr, "failed to create mctx\n");
exit(1);
}

3
make/includes.in
View File

@ -37,6 +37,9 @@ ISCCFG_INCLUDES = @BIND9_ISCCFG_BUILDINCLUDE@ \
DNS_INCLUDES = @BIND9_DNS_BUILDINCLUDE@ \
-I${top_srcdir}/lib/dns/include
IRS_INCLUDES = @BIND9_IRS_BUILDINCLUDE@ \
-I${top_srcdir}/lib/irs/include
LWRES_INCLUDES = @BIND9_LWRES_BUILDINCLUDE@ \
-I${top_srcdir}/lib/lwres/unix/include \
-I${top_srcdir}/lib/lwres/include

3
make/rules.in
View File

@ -46,9 +46,10 @@ top_builddir = @BIND9_TOP_BUILDDIR@
### All
###
### Makefile may define:
### PREREQS
### TARGETS
all: subdirs ${TARGETS} testdirs
all: ${PREREQS} subdirs ${TARGETS} testdirs
###
### Subdirectories

0
bin/named/bindkeys.pl → util/bindkeys.pl
View File

4
util/kit.sh
View File

@ -149,8 +149,8 @@ rm -rf TODO EXCLUDED conftools doc/design doc/dev doc/draft doc/expired \
lib/lwres/man/resolver.5 contrib/zkt/doc/rfc5011.txt \
bin/tests/system/relay lib/cfg
# Remove everything but mksymtbl.pl from util
find util -name mksymtbl.pl -prune -o -type f -print | xargs rm -f
# Remove everything but mksymtbl.pl and bindkeys.pl from util
find util -name bindkeys.pl -o -name mksymtbl.pl -prune -o -type f -print | xargs rm -f
find util -depth -type d -print | xargs rmdir 2>/dev/null
# Remove all .gitignore files