Replace the "mirror" zone option with "type mirror;"

Use a zone's 'type' field instead of the value of its DNS_ZONEOPT_MIRROR
option for checking whether it is a mirror zone.  This makes said zone
option and its associated helper function, dns_zone_mirror(), redundant,
so remove them.  Remove a check specific to mirror zones from
named_zone_reusable() since another check in that function ensures that
changing a zone's type prevents it from being reused during
reconfiguration.

bin/named/server.c

@@ -6978,6 +6978,9 @@ removed(dns_zone_t *zone, void *uap) {
 	case dns_zone_slave:
 		type = "slave";
 		break;
+	case dns_zone_mirror:
+		type = "mirror";
+		break;
 	case dns_zone_stub:
 		type = "stub";
 		break;
@@ -14043,7 +14046,10 @@ named_server_zonestatus(named_server_t *server, isc_lex_t *lex,
 		type = "master";
 		break;
 	case dns_zone_slave:
-		type = dns_zone_ismirror(zone) ? "mirror" : "slave";
+		type = "slave";
+		break;
+	case dns_zone_mirror:
+		type = "mirror";
 		break;
 	case dns_zone_stub:
 		type = "stub";

bin/named/zoneconf.c

@@ -1700,8 +1700,26 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 	 * Configure slave functionality.
 	 */
 	switch (ztype) {
-	case dns_zone_slave:
 	case dns_zone_mirror:
+		/*
+		 * Disable outgoing zone transfers for mirror zones unless they
+		 * are explicitly enabled by zone configuration.
+		 */
+		obj = NULL;
+		(void)cfg_map_get(zoptions, "allow-transfer", &obj);
+		if (obj == NULL) {
+			dns_acl_t *none;
+			RETERR(dns_acl_none(mctx, &none));
+			dns_zone_setxfracl(zone, none);
+			dns_acl_detach(&none);
+		}
+		/*
+		 * Only allow "also-notify".
+		 */
+		notifytype = dns_notifytype_explicit;
+		dns_zone_setnotifytype(zone, notifytype);
+		/* FALLTHROUGH */
+	case dns_zone_slave:
 	case dns_zone_stub:
 	case dns_zone_redirect:
 		count = 0;
@@ -1733,35 +1751,6 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		}
 		dns_zone_setoption(mayberaw, DNS_ZONEOPT_MULTIMASTER, multi);
 
-		obj = NULL;
-		(void)cfg_map_get(zoptions, "mirror", &obj);
-		if (obj != NULL) {
-			bool mirror = cfg_obj_asboolean(obj);
-			dns_zone_setoption(mayberaw, DNS_ZONEOPT_MIRROR,
-					   mirror);
-			if (mirror) {
-				/*
-				 * Disable outgoing zone transfers unless they
-				 * are explicitly enabled by zone
-				 * configuration.
-				 */
-				obj = NULL;
-				(void)cfg_map_get(zoptions, "allow-transfer",
-						  &obj);
-				if (obj == NULL) {
-					dns_acl_t *none;
-					RETERR(dns_acl_none(mctx, &none));
-					dns_zone_setxfracl(zone, none);
-					dns_acl_detach(&none);
-				}
-				/*
-				 * Only allow "also-notify".
-				 */
-				notifytype = dns_notifytype_explicit;
-				dns_zone_setnotifytype(zone, notifytype);
-			}
-		}
-
 		obj = NULL;
 		result = named_config_get(maps, "max-transfer-time-in", &obj);
 		INSIST(result == ISC_R_SUCCESS && obj != NULL);
@@ -1901,7 +1890,7 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
 	const char *cfilename;
 	const char *zfilename;
 	dns_zone_t *raw = NULL;
-	bool has_raw, mirror;
+	bool has_raw;
 	dns_zonetype_t ztype;
 
 	zoptions = cfg_tuple_get(zconfig, "options");
@@ -1941,21 +1930,6 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
 		return (false);
 	}
 
-	/*
-	 * Do not reuse a zone whose "mirror" setting was changed.
-	 */
-	obj = NULL;
-	mirror = false;
-	(void)cfg_map_get(zoptions, "mirror", &obj);
-	if (obj != NULL) {
-		mirror = cfg_obj_asboolean(obj);
-	}
-	if (dns_zone_ismirror(zone) != mirror) {
-		dns_zone_log(zone, ISC_LOG_DEBUG(1),
-			     "not reusable: mirror setting changed");
-		return (false);
-	}
-
 	if (zonetype_fromconfig(zoptions) != ztype) {
 		dns_zone_log(zone, ISC_LOG_DEBUG(1),
 			     "not reusable: type mismatch");

bin/tests/system/mirror/README

@@ -0,0 +1,17 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+This test checks whether zones configured with "type mirror;" behave as
+expected.
+
+ns1 is an authoritative-only server.  It only serves the root zone, which is
+mirrored by ns3.
+
+ns2 is an authoritative-only server.  It serves a number of zones, some of which
+are delegated to it by ns1 and used in recursive resolution tests aimed at ns3
+while others are only served so that ns3 has a primary server to mirror zones
+from during various tests of the mirror zone implementation.
+
+ns3 is a recursive resolver.  It has a number of mirror zones configured.  This
+is the only server whose behavior is being examined by this system test.

bin/tests/system/mirror/ns3/named.conf.in

@@ -37,62 +37,54 @@ zone "." {
 };
 
 zone "." {
-	type slave;
+	type mirror;
 	masters { 10.53.0.1; };
-	mirror yes;
 	file "root.db.mirror";
 };
 
 zone "initially-unavailable" {
-	type slave;
+	type mirror;
 	masters { 10.53.0.2; };
-	mirror yes;
 	file "initially-unavailable.db.mirror";
 	use-alt-transfer-source no;
 };
 
 zone "verify-axfr" {
-	type slave;
+	type mirror;
 	masters { 10.53.0.2; };
-	mirror yes;
 	file "verify-axfr.db.mirror";
 };
 
 zone "verify-ixfr" {
-	type slave;
+	type mirror;
 	masters { 10.53.0.2; };
-	mirror yes;
 	file "verify-ixfr.db.mirror";
 	masterfile-format text;
 };
 
 zone "verify-load" {
-	type slave;
+	type mirror;
 	masters { 10.53.0.2; };
-	mirror yes;
 	file "verify-load.db.mirror";
 	masterfile-format text;
 };
 
 zone "verify-reconfig" {
-	type slave;
+	type mirror;
 	masters { 10.53.0.2; };
-	mirror yes;
 	file "verify-reconfig.db.mirror";
 	masterfile-format text;
 };
 
 zone "verify-unsigned" {
-	type slave;
+	type mirror;
 	masters { 10.53.0.2; };
-	mirror yes;
 	file "verify-unsigned.db.mirror";
 };
 
 zone "verify-untrusted" {
-	type slave;
+	type mirror;
 	masters { 10.53.0.2; };
-	mirror yes;
 	file "verify-untrusted.db.mirror";
 };
 

bin/tests/system/mirror/setup.sh

@@ -21,6 +21,4 @@ copy_setports ns3/named.conf.in ns3/named.conf
 ( cd ns1 && $SHELL -e sign.sh )
 
 cat ns2/verify-axfr.db.bad.signed > ns2/verify-axfr.db.signed
-cat ns2/verify-ixfr.db.original.signed > ns2/verify-ixfr.db.signed
 cat ns2/verify-load.db.bad.signed > ns3/verify-load.db.mirror
-cat ns2/verify-untrusted.db.original.signed > ns2/verify-untrusted.db.signed

bin/tests/system/mirror/tests.sh

@@ -380,7 +380,7 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo_i "checking that \"rndc reconfig\" properly handles a yes -> no \"mirror\" setting change ($n)"
+echo_i "checking that \"rndc reconfig\" properly handles a mirror -> slave zone type change ($n)"
 ret=0
 # Sanity check before we start.
 $DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA > dig.out.ns3.test$n.1 2>&1 || ret=1
@@ -390,13 +390,13 @@ grep "flags:.* ad" dig.out.ns3.test$n.1 > /dev/null || ret=1
 # Reconfigure the zone so that it is no longer a mirror zone.
 # (NOTE: Keep the embedded newline in the sed function list below.)
 sed '/^zone "verify-reconfig" {$/,/^};$/ {
-	s/mirror yes;/mirror no;/
+	s/type mirror;/type slave;/
 }' ns3/named.conf > ns3/named.conf.modified
 mv ns3/named.conf.modified ns3/named.conf
 nextpart ns3/named.run > /dev/null
 $RNDCCMD 10.53.0.3 reconfig > /dev/null 2>&1
-# Zones whose "mirror" setting was changed should not be reusable, which means
-# the tested zone should have been reloaded from disk.
+# Zones whose type was changed should not be reusable, which means the tested
+# zone should have been reloaded from disk.
 wait_for_load verify-reconfig ${ORIGINAL_SERIAL} ns3/named.run
 # Ensure responses sourced from the reconfigured zone have AA=1 and AD=0.
 $DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA > dig.out.ns3.test$n.2 2>&1 || ret=1
@@ -407,7 +407,7 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo_i "checking that \"rndc reconfig\" properly handles a no -> yes \"mirror\" setting change ($n)"
+echo_i "checking that \"rndc reconfig\" properly handles a slave -> mirror zone type change ($n)"
 ret=0
 # Put an incorrectly signed version of the zone in the zone file used by ns3.
 nextpart ns3/named.run > /dev/null
@@ -415,7 +415,7 @@ cat ns2/verify-reconfig.db.bad.signed > ns3/verify-reconfig.db.mirror
 # Reconfigure the zone so that it is a mirror zone again.
 # (NOTE: Keep the embedded newline in the sed function list below.)
 sed '/^zone "verify-reconfig" {$/,/^};$/ {
-	s/mirror no;/mirror yes;/
+	s/type slave;/type mirror;/
 }' ns3/named.conf > ns3/named.conf.modified
 mv ns3/named.conf.modified ns3/named.conf
 $RNDCCMD 10.53.0.3 reconfig > /dev/null 2>&1

lib/dns/include/dns/zone.h

@@ -83,7 +83,6 @@ typedef enum {
 	DNS_ZONEOPT_CHECKSPF         = 1<<27, /*%< check SPF records */
 	DNS_ZONEOPT_CHECKTTL         = 1<<28, /*%< check max-zone-ttl */
 	DNS_ZONEOPT_AUTOEMPTY        = 1<<29, /*%< automatic empty zone */
-	DNS_ZONEOPT_MIRROR           = 1<<30, /*%< mirror zone */
 } dns_zoneopt_t;
 
 /*
@@ -2486,12 +2485,6 @@ dns_zone_isloaded(const dns_zone_t *zone);
  * false otherwise.
  */
 
-bool
-dns_zone_ismirror(const dns_zone_t *zone);
-/*%<
- * Return true if 'zone' is a mirror zone, return false otherwise.
- */
-
 isc_result_t
 dns_zone_verifydb(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver);
 /*%<

lib/dns/win32/libdns.def.in

@@ -1201,7 +1201,6 @@ dns_zone_idetach
 dns_zone_isdynamic
 dns_zone_isforced
 dns_zone_isloaded
-dns_zone_ismirror
 dns_zone_keydone
 dns_zone_link
 dns_zone_load

lib/dns/zone.c

@@ -19446,13 +19446,6 @@ dns_zone_isloaded(const dns_zone_t *zone) {
 	return (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED));
 }
 
-bool
-dns_zone_ismirror(const dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	return (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MIRROR));
-}
-
 isc_result_t
 dns_zone_verifydb(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver) {
 	dns_dbversion_t *version = NULL;
@@ -19466,7 +19459,7 @@ dns_zone_verifydb(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver) {
 	REQUIRE(DNS_ZONE_VALID(zone));
 	REQUIRE(db != NULL);
 
-	if (!dns_zone_ismirror(zone)) {
+	if (dns_zone_gettype(zone) != dns_zone_mirror) {
 		return (ISC_R_SUCCESS);
 	}
 

lib/dns/zt.c

@@ -181,7 +181,8 @@ dns_zt_find(dns_zt_t *zt, const dns_name_t *name, unsigned int options,
 		 * instead of returning a SERVFAIL.
 		 */
 		if ((options & DNS_ZTFIND_MIRROR) != 0 &&
-		    dns_zone_ismirror(dummy) && !dns_zone_isloaded(dummy))
+		    dns_zone_gettype(dummy) == dns_zone_mirror &&
+		    !dns_zone_isloaded(dummy))
 		{
 			result = ISC_R_NOTFOUND;
 		} else {

lib/isccfg/namedconf.c

@@ -2152,9 +2152,6 @@ zone_clauses[] = {
 	{ "min-retry-time", &cfg_type_uint32,
 		CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | CFG_ZONE_STUB
 	},
-	{ "mirror", &cfg_type_boolean,
-		CFG_ZONE_SLAVE
-	},
 	{ "multi-master", &cfg_type_boolean,
 		CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | CFG_ZONE_STUB
 	},

lib/ns/query.c

@@ -1095,7 +1095,7 @@ query_validatezonedb(ns_client_t *client, const dns_name_t *name,
 	/*
 	 * Mirror zone data is treated as cache data.
 	 */
-	if (dns_zone_ismirror(zone)) {
+	if (dns_zone_gettype(zone) == dns_zone_mirror) {
 		return (query_checkcacheaccess(client, name, qtype, options));
 	}
 
@@ -5382,7 +5382,7 @@ ns__query_start(query_ctx_t *qctx) {
 	if (qctx->is_zone) {
 		qctx->authoritative = true;
 		if (qctx->zone != NULL) {
-			if (dns_zone_ismirror(qctx->zone)) {
+			if (dns_zone_gettype(qctx->zone) == dns_zone_mirror) {
 				qctx->authoritative = false;
 			}
 			if (dns_zone_gettype(qctx->zone) ==
@@ -7920,7 +7920,8 @@ query_zone_delegation(query_ctx_t *qctx) {
 
 	if (USECACHE(qctx->client) &&
 	    (RECURSIONOK(qctx->client) ||
-	     (qctx->zone != NULL && dns_zone_ismirror(qctx->zone))))
+	     (qctx->zone != NULL &&
+	      dns_zone_gettype(qctx->zone) == dns_zone_mirror)))
 	{
 		/*
 		 * We might have a better answer or delegation in the

util/copyrights

@@ -1537,6 +1537,7 @@
 ./bin/tests/system/metadata/parent.db		ZONE	2009,2016,2018
 ./bin/tests/system/metadata/setup.sh		SH	2009,2011,2012,2014,2016,2017,2018
 ./bin/tests/system/metadata/tests.sh		SH	2009,2011,2012,2013,2014,2016,2017,2018
+./bin/tests/system/mirror/README		TXT.BRIEF	2018
 ./bin/tests/system/mirror/clean.sh		SH	2018
 ./bin/tests/system/mirror/ns1/named.conf.in	CONF-C	2018
 ./bin/tests/system/mirror/ns1/root.db.in	ZONE	2018