From 2cb9e8a0209d6fe30afd2c303ffb284e5e7e185c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 9 Oct 2018 10:54:51 +0200 Subject: [PATCH] Replace the "mirror" zone option with "type mirror;" Use a zone's 'type' field instead of the value of its DNS_ZONEOPT_MIRROR option for checking whether it is a mirror zone. This makes said zone option and its associated helper function, dns_zone_mirror(), redundant, so remove them. Remove a check specific to mirror zones from named_zone_reusable() since another check in that function ensures that changing a zone's type prevents it from being reused during reconfiguration. --- bin/named/server.c | 8 ++- bin/named/zoneconf.c | 66 +++++++---------------- bin/tests/system/mirror/README | 17 ++++++ bin/tests/system/mirror/ns3/named.conf.in | 24 +++------ bin/tests/system/mirror/setup.sh | 2 - bin/tests/system/mirror/tests.sh | 12 ++--- lib/dns/include/dns/zone.h | 7 --- lib/dns/win32/libdns.def.in | 1 - lib/dns/zone.c | 9 +--- lib/dns/zt.c | 3 +- lib/isccfg/namedconf.c | 3 -- lib/ns/query.c | 7 +-- util/copyrights | 1 + 13 files changed, 66 insertions(+), 94 deletions(-) create mode 100644 bin/tests/system/mirror/README diff --git a/bin/named/server.c b/bin/named/server.c index 26019992aa..0c6224fd84 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -6978,6 +6978,9 @@ removed(dns_zone_t *zone, void *uap) { case dns_zone_slave: type = "slave"; break; + case dns_zone_mirror: + type = "mirror"; + break; case dns_zone_stub: type = "stub"; break; @@ -14043,7 +14046,10 @@ named_server_zonestatus(named_server_t *server, isc_lex_t *lex, type = "master"; break; case dns_zone_slave: - type = dns_zone_ismirror(zone) ? "mirror" : "slave"; + type = "slave"; + break; + case dns_zone_mirror: + type = "mirror"; break; case dns_zone_stub: type = "stub"; diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c index 57ace8a0da..36a29ece17 100644 --- a/bin/named/zoneconf.c +++ b/bin/named/zoneconf.c 
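Review bot: The new `case dns_zone_mirror:` in removed() shows that at least one existing switch on the zone type did not cover mirror zones, so other sites may have the same gap. From this commit on a mirror zone no longer reports `dns_zone_slave`, so any `case dns_zone_slave:` or `== dns_zone_slave` test elsewhere silently stops applying to it. Only the sites touched by this patch are visible here, so it is worth searching the tree for the remaining type tests before merging. In named_server_zonestatus() the code after the `type` switch lies outside the hunk and deserves the same look.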
@@ -1700,8 +1700,26 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, * Configure slave functionality. */ switch (ztype) { - case dns_zone_slave: case dns_zone_mirror: + /* + * Disable outgoing zone transfers for mirror zones unless they + * are explicitly enabled by zone configuration. + */ + obj = NULL; + (void)cfg_map_get(zoptions, "allow-transfer", &obj); + if (obj == NULL) { + dns_acl_t *none; + RETERR(dns_acl_none(mctx, &none)); + dns_zone_setxfracl(zone, none); + dns_acl_detach(&none); + } + /* + * Only allow "also-notify". + */ + notifytype = dns_notifytype_explicit; + dns_zone_setnotifytype(zone, notifytype); + /* FALLTHROUGH */ + case dns_zone_slave: case dns_zone_stub: case dns_zone_redirect: count = 0; @@ -1733,35 +1751,6 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, } dns_zone_setoption(mayberaw, DNS_ZONEOPT_MULTIMASTER, multi); - obj = NULL; - (void)cfg_map_get(zoptions, "mirror", &obj); - if (obj != NULL) { - bool mirror = cfg_obj_asboolean(obj); - dns_zone_setoption(mayberaw, DNS_ZONEOPT_MIRROR, - mirror); - if (mirror) { - /* - * Disable outgoing zone transfers unless they - * are explicitly enabled by zone - * configuration. - */ - obj = NULL; - (void)cfg_map_get(zoptions, "allow-transfer", - &obj); - if (obj == NULL) { - dns_acl_t *none; - RETERR(dns_acl_none(mctx, &none)); - dns_zone_setxfracl(zone, none); - dns_acl_detach(&none); - } - /* - * Only allow "also-notify". - */ - notifytype = dns_notifytype_explicit; - dns_zone_setnotifytype(zone, notifytype); - } - } - obj = NULL; result = named_config_get(maps, "max-transfer-time-in", &obj); INSIST(result == ISC_R_SUCCESS && obj != NULL); @@ -1901,7 +1890,7 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) { const char *cfilename; const char *zfilename; dns_zone_t *raw = NULL; - bool has_raw, mirror; + bool has_raw; dns_zonetype_t ztype; zoptions = cfg_tuple_get(zconfig, "options"); 
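Review bot: The mirror-only defaults (transfer ACL set to none when the zone has no `allow-transfer`, notify type forced to explicit) now run at the top of `switch (ztype)` instead of after the `multi-master` handling. Any code between the two hunks that sets the transfer ACL or notify type would now run after them and could override the default-deny. Those lines are not visible here, so this needs confirming against the full function. Separately, `dns_acl_t *none;` is passed to `dns_acl_none()` uninitialized; `dns_acl_t *none = NULL;` would match the `obj = NULL` pattern used for `cfg_map_get()` just above and stays safe if the callee ever asserts on its target. named_zone_configure() starts and ends outside this hunk.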
@@ -1941,21 +1930,6 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) { return (false); } - /* - * Do not reuse a zone whose "mirror" setting was changed. - */ - obj = NULL; - mirror = false; - (void)cfg_map_get(zoptions, "mirror", &obj); - if (obj != NULL) { - mirror = cfg_obj_asboolean(obj); - } - if (dns_zone_ismirror(zone) != mirror) { - dns_zone_log(zone, ISC_LOG_DEBUG(1), - "not reusable: mirror setting changed"); - return (false); - } - if (zonetype_fromconfig(zoptions) != ztype) { dns_zone_log(zone, ISC_LOG_DEBUG(1), "not reusable: type mismatch"); diff --git a/bin/tests/system/mirror/README b/bin/tests/system/mirror/README new file mode 100644 index 0000000000..1cb7bdd422 --- /dev/null +++ b/bin/tests/system/mirror/README @@ -0,0 +1,17 @@ +Copyright (C) Internet Systems Consortium, Inc. ("ISC") + +See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. + +This test checks whether zones configured with "type mirror;" behave as +expected. + +ns1 is an authoritative-only server. It only serves the root zone, which is +mirrored by ns3. + +ns2 is an authoritative-only server. It serves a number of zones, some of which +are delegated to it by ns1 and used in recursive resolution tests aimed at ns3 +while others are only served so that ns3 has a primary server to mirror zones +from during various tests of the mirror zone implementation. + +ns3 is a recursive resolver. It has a number of mirror zones configured. This +is the only server whose behavior is being examined by this system test. diff --git a/bin/tests/system/mirror/ns3/named.conf.in b/bin/tests/system/mirror/ns3/named.conf.in index 9eec0acf89..4b14e8d9a7 100644 --- a/bin/tests/system/mirror/ns3/named.conf.in +++ b/bin/tests/system/mirror/ns3/named.conf.in 
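Review bot: With the dedicated mirror check removed, the `zonetype_fromconfig(zoptions) != ztype` test is the only thing in named_zone_reusable() that forces a reload on a slave <-> mirror change, and nothing at that site says so. Reusing the zone would presumably skip the load-time verification that mirror zones rely on, so a comment above the check would protect it from a later refactor, for example `/* A type change (including slave <-> mirror) must force a reload so that mirror zone verification is applied. */`. The debug message "not reusable: type mismatch" also no longer distinguishes this case from other type changes, which may matter when diagnosing reconfiguration. The function continues past the end of the hunk.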
@@ -37,62 +37,54 @@ zone "." { }; zone "." { - type slave; + type mirror; masters { 10.53.0.1; }; - mirror yes; file "root.db.mirror"; }; zone "initially-unavailable" { - type slave; + type mirror; masters { 10.53.0.2; }; - mirror yes; file "initially-unavailable.db.mirror"; use-alt-transfer-source no; }; zone "verify-axfr" { - type slave; + type mirror; masters { 10.53.0.2; }; - mirror yes; file "verify-axfr.db.mirror"; }; zone "verify-ixfr" { - type slave; + type mirror; masters { 10.53.0.2; }; - mirror yes; file "verify-ixfr.db.mirror"; masterfile-format text; }; zone "verify-load" { - type slave; + type mirror; masters { 10.53.0.2; }; - mirror yes; file "verify-load.db.mirror"; masterfile-format text; }; zone "verify-reconfig" { - type slave; + type mirror; masters { 10.53.0.2; }; - mirror yes; file "verify-reconfig.db.mirror"; masterfile-format text; }; zone "verify-unsigned" { - type slave; + type mirror; masters { 10.53.0.2; }; - mirror yes; file "verify-unsigned.db.mirror"; }; zone "verify-untrusted" { - type slave; + type mirror; masters { 10.53.0.2; }; - mirror yes; file "verify-untrusted.db.mirror"; }; diff --git a/bin/tests/system/mirror/setup.sh b/bin/tests/system/mirror/setup.sh index 4a1413dfa1..da81617675 100644 --- a/bin/tests/system/mirror/setup.sh +++ b/bin/tests/system/mirror/setup.sh @@ -21,6 +21,4 @@ copy_setports ns3/named.conf.in ns3/named.conf ( cd ns1 && $SHELL -e sign.sh ) cat ns2/verify-axfr.db.bad.signed > ns2/verify-axfr.db.signed -cat ns2/verify-ixfr.db.original.signed > ns2/verify-ixfr.db.signed cat ns2/verify-load.db.bad.signed > ns3/verify-load.db.mirror -cat ns2/verify-untrusted.db.original.signed > ns2/verify-untrusted.db.signed diff --git a/bin/tests/system/mirror/tests.sh b/bin/tests/system/mirror/tests.sh index 73b01f7ae4..1768847d6a 100644 --- a/bin/tests/system/mirror/tests.sh +++ b/bin/tests/system/mirror/tests.sh 
@@ -380,7 +380,7 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` n=`expr $n + 1` -echo_i "checking that \"rndc reconfig\" properly handles a yes -> no \"mirror\" setting change ($n)" +echo_i "checking that \"rndc reconfig\" properly handles a mirror -> slave zone type change ($n)" ret=0 # Sanity check before we start. $DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA > dig.out.ns3.test$n.1 2>&1 || ret=1 @@ -390,13 +390,13 @@ grep "flags:.* ad" dig.out.ns3.test$n.1 > /dev/null || ret=1 # Reconfigure the zone so that it is no longer a mirror zone. # (NOTE: Keep the embedded newline in the sed function list below.) sed '/^zone "verify-reconfig" {$/,/^};$/ { - s/mirror yes;/mirror no;/ + s/type mirror;/type slave;/ }' ns3/named.conf > ns3/named.conf.modified mv ns3/named.conf.modified ns3/named.conf nextpart ns3/named.run > /dev/null $RNDCCMD 10.53.0.3 reconfig > /dev/null 2>&1 -# Zones whose "mirror" setting was changed should not be reusable, which means -# the tested zone should have been reloaded from disk. +# Zones whose type was changed should not be reusable, which means the tested +# zone should have been reloaded from disk. wait_for_load verify-reconfig ${ORIGINAL_SERIAL} ns3/named.run # Ensure responses sourced from the reconfigured zone have AA=1 and AD=0. $DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA > dig.out.ns3.test$n.2 2>&1 || ret=1 @@ -407,7 +407,7 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` n=`expr $n + 1` -echo_i "checking that \"rndc reconfig\" properly handles a no -> yes \"mirror\" setting change ($n)" +echo_i "checking that \"rndc reconfig\" properly handles a slave -> mirror zone type change ($n)" ret=0 # Put an incorrectly signed version of the zone in the zone file used by ns3. nextpart ns3/named.run > /dev/null 
@@ -415,7 +415,7 @@ cat ns2/verify-reconfig.db.bad.signed > ns3/verify-reconfig.db.mirror # Reconfigure the zone so that it is a mirror zone again. # (NOTE: Keep the embedded newline in the sed function list below.) sed '/^zone "verify-reconfig" {$/,/^};$/ { - s/mirror no;/mirror yes;/ + s/type slave;/type mirror;/ }' ns3/named.conf > ns3/named.conf.modified mv ns3/named.conf.modified ns3/named.conf $RNDCCMD 10.53.0.3 reconfig > /dev/null 2>&1 diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h index aaa4a1e435..e2ad6314a5 100644 --- a/lib/dns/include/dns/zone.h +++ b/lib/dns/include/dns/zone.h @@ -83,7 +83,6 @@ typedef enum { DNS_ZONEOPT_CHECKSPF = 1<<27, /*%< check SPF records */ DNS_ZONEOPT_CHECKTTL = 1<<28, /*%< check max-zone-ttl */ DNS_ZONEOPT_AUTOEMPTY = 1<<29, /*%< automatic empty zone */ - DNS_ZONEOPT_MIRROR = 1<<30, /*%< mirror zone */ } dns_zoneopt_t; /* @@ -2486,12 +2485,6 @@ dns_zone_isloaded(const dns_zone_t *zone); * false otherwise. */ -bool -dns_zone_ismirror(const dns_zone_t *zone); -/*%< - * Return true if 'zone' is a mirror zone, return false otherwise. - */ - isc_result_t dns_zone_verifydb(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver); /*%< diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in index e8ac6af323..83a77856bc 100644 --- a/lib/dns/win32/libdns.def.in +++ b/lib/dns/win32/libdns.def.in @@ -1201,7 +1201,6 @@ dns_zone_idetach dns_zone_isdynamic dns_zone_isforced dns_zone_isloaded -dns_zone_ismirror dns_zone_keydone dns_zone_link dns_zone_load diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 27dda5ab9f..e4f1d3f4e3 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c 
@@ -19446,13 +19446,6 @@ dns_zone_isloaded(const dns_zone_t *zone) { return (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)); } -bool -dns_zone_ismirror(const dns_zone_t *zone) { - REQUIRE(DNS_ZONE_VALID(zone)); - - return (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MIRROR)); -} - isc_result_t dns_zone_verifydb(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver) { dns_dbversion_t *version = NULL; @@ -19466,7 +19459,7 @@ dns_zone_verifydb(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver) { REQUIRE(DNS_ZONE_VALID(zone)); REQUIRE(db != NULL); - if (!dns_zone_ismirror(zone)) { + if (dns_zone_gettype(zone) != dns_zone_mirror) { return (ISC_R_SUCCESS); } diff --git a/lib/dns/zt.c b/lib/dns/zt.c index 6b9e7d3277..62b0e4a053 100644 --- a/lib/dns/zt.c +++ b/lib/dns/zt.c @@ -181,7 +181,8 @@ dns_zt_find(dns_zt_t *zt, const dns_name_t *name, unsigned int options, * instead of returning a SERVFAIL. */ if ((options & DNS_ZTFIND_MIRROR) != 0 && - dns_zone_ismirror(dummy) && !dns_zone_isloaded(dummy)) + dns_zone_gettype(dummy) == dns_zone_mirror && + !dns_zone_isloaded(dummy)) { result = ISC_R_NOTFOUND; } else { diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 960e03d308..3e537a3a60 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -2152,9 +2152,6 @@ zone_clauses[] = { { "min-retry-time", &cfg_type_uint32, CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | CFG_ZONE_STUB }, - { "mirror", &cfg_type_boolean, - CFG_ZONE_SLAVE - }, { "multi-master", &cfg_type_boolean, CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | CFG_ZONE_STUB }, diff --git a/lib/ns/query.c b/lib/ns/query.c index ba45b6667e..20ed367495 100644 --- a/lib/ns/query.c +++ b/lib/ns/query.c @@ -1095,7 +1095,7 @@ query_validatezonedb(ns_client_t *client, const dns_name_t *name, /* * Mirror zone data is treated as cache data. */ - if (dns_zone_ismirror(zone)) { + if (dns_zone_gettype(zone) == dns_zone_mirror) { return (query_checkcacheaccess(client, name, qtype, options)); } 
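Review bot: dns_zone_verifydb() returns `ISC_R_SUCCESS` at the type check for every zone that is not `dns_zone_mirror`, and nothing at that early return says that success can mean "not applicable" rather than "verified". A one-line comment above the check would make the contract explicit where the type test lives, for example `/* Only mirror zones are verified; all other zone types are accepted unverified. */`. The rest of the function is outside the hunk.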
@@ -5382,7 +5382,7 @@ ns__query_start(query_ctx_t *qctx) { if (qctx->is_zone) { qctx->authoritative = true; if (qctx->zone != NULL) { - if (dns_zone_ismirror(qctx->zone)) { + if (dns_zone_gettype(qctx->zone) == dns_zone_mirror) { qctx->authoritative = false; } if (dns_zone_gettype(qctx->zone) == @@ -7920,7 +7920,8 @@ query_zone_delegation(query_ctx_t *qctx) { if (USECACHE(qctx->client) && (RECURSIONOK(qctx->client) || - (qctx->zone != NULL && dns_zone_ismirror(qctx->zone)))) + (qctx->zone != NULL && + dns_zone_gettype(qctx->zone) == dns_zone_mirror))) { /* * We might have a better answer or delegation in the diff --git a/util/copyrights b/util/copyrights index 0a2cc0e0f7..b7fb76b013 100644 --- a/util/copyrights +++ b/util/copyrights @@ -1537,6 +1537,7 @@ ./bin/tests/system/metadata/parent.db ZONE 2009,2016,2018 ./bin/tests/system/metadata/setup.sh SH 2009,2011,2012,2014,2016,2017,2018 ./bin/tests/system/metadata/tests.sh SH 2009,2011,2012,2013,2014,2016,2017,2018 +./bin/tests/system/mirror/README TXT.BRIEF 2018 ./bin/tests/system/mirror/clean.sh SH 2018 ./bin/tests/system/mirror/ns1/named.conf.in CONF-C 2018 ./bin/tests/system/mirror/ns1/root.db.in ZONE 2018
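Review bot: In ns__query_start() `dns_zone_gettype(qctx->zone)` is now evaluated in two consecutive `if` statements. Reading it once, `dns_zonetype_t ztype = dns_zone_gettype(qctx->zone);`, and comparing `ztype` in both would keep the two tests visibly tied to the same value. The mirror branch is also what clears `qctx->authoritative`, presumably so that mirror answers go out without AA, and a short comment such as `/* Mirror zone data is treated as cache data: do not answer authoritatively. */` would record why. The right-hand side of the second comparison is cut off by the end of the hunk.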