mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-22 10:10:06 +00:00
Code Issues Releases Wiki Activity

remove "sortlist"

Browse Source 
this commit removes the deprecated "sortlist" option. the option
is now marked as ancient; it is a fatal error to use it in
named.conf.

the sortlist system test has been removed, and other tests that
referenced the option have been modified.

the enabling functions, dns_message_setsortorder() and
dns_rdataset_towiresorted(), have also been removed.
This commit is contained in:
Evan Hunt 2024-12-05 13:16:02 -08:00
parent ef6dc36e53
commit 3394aa9c25
31 changed files with 44 additions and 822 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
bin/named/config.c
View File

@ -193,7 +193,6 @@ options {\n\
require-server-cookie no;\n\
root-key-sentinel yes;\n\
servfail-ttl 1;\n\
# sortlist <none>\n\
stale-answer-client-timeout off;\n\
stale-answer-enable false;\n\
stale-answer-ttl 30; /* 30 seconds */\n\

51
bin/named/server.c
View File

@ -584,51 +584,6 @@ configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config,
return result;
}
/*%
* Configure a sortlist at '*aclp'. Essentially the same as
* configure_view_acl() except it calls cfg_acl_fromconfig with a
* nest_level value of 2.
*/
static isc_result_t
configure_view_sortlist(const cfg_obj_t *vconfig, const cfg_obj_t *config,
cfg_aclconfctx_t *actx, isc_mem_t *mctx,
dns_acl_t **aclp) {
isc_result_t result;
const cfg_obj_t *maps[3];
const cfg_obj_t *aclobj = NULL;
int i = 0;
if (*aclp != NULL) {
dns_acl_detach(aclp);
}
if (vconfig != NULL) {
maps[i++] = cfg_tuple_get(vconfig, "options");
}
if (config != NULL) {
const cfg_obj_t *options = NULL;
(void)cfg_map_get(config, "options", &options);
if (options != NULL) {
maps[i++] = options;
}
}
maps[i] = NULL;
(void)named_config_get(maps, "sortlist", &aclobj);
if (aclobj == NULL) {
return ISC_R_SUCCESS;
}
/*
* Use a nest level of 3 for the "top level" of the sortlist;
* this means each entry in the top three levels will be stored
* as lists of separate, nested ACLs, rather than merged together
* into IP tables as is usually done with ACLs.
*/
result = cfg_acl_fromconfig(aclobj, config, actx, mctx, 3, aclp);
return result;
}
static isc_result_t
configure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config,
const char *confname, const char *conftuplename,
@ -5121,12 +5076,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
"except-from", named_g_mctx,
&view->answernames_exclude));
/*
* Configure sortlist, if set
*/
CHECK(configure_view_sortlist(vconfig, config, actx, named_g_mctx,
&view->sortlist));
/*
* Configure default allow-update and allow-update-forwarding ACLs,
* so they can be inherited by zones. (XXX: These are not

1
bin/tests/system/Makefile.am
View File

@ -150,7 +150,6 @@ TESTS = \
sfcache \
shutdown \
smartsign \
sortlist \
spf \
staticstub \
statistics \

2
bin/tests/system/checkconf/deprecated.conf
View File

@ -14,8 +14,6 @@
options {
dnssec-validation yes;
max-zone-ttl 600;
sortlist { };
};
trust-anchors {

1
bin/tests/system/checkconf/tests.sh
View File

@ -184,7 +184,6 @@ echo_i "checking named-checkconf deprecate warnings ($n)"
ret=0
$CHECKCONF deprecated.conf >checkconf.out$n.1 2>&1 || ret=1
grep "option 'max-zone-ttl' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'sortlist' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
# set -i to ignore deprecate warnings

37
bin/tests/system/sortlist/ns1/example.db
View File

@ -1,37 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA ns1.example. hostmaster.example. (
2000042795 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
example. NS ns1.example.
ns1.example. A 10.53.0.1
; Let's see what the sortlist picks out of this...
a A 1.1.1.1
a A 1.1.1.5
a A 1.1.1.2
a A 192.168.3.1
a A 1.1.1.3
a A 192.168.1.1
a A 1.1.1.4
b A 10.53.0.1
b A 10.53.0.2
b A 10.53.0.3
b A 10.53.0.4
b A 10.53.0.5

46
bin/tests/system/sortlist/ns1/named.conf.in
View File

@ -1,46 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
recursion no;
dnssec-validation no;
notify yes;
sortlist {
{ 10.53.0.1; // IF 10.53.0.1
{
!1.1.1.4; !1.1.1.2; !1.1.1.3; !1.1.1.1; // sort these last,
192.168.3/24; // this first
{ 192.168.2/24; 192.168.1/24; }; }; }; // and these next
{ { 10.53.0.2; 10.53.0.3; }; }; // Prefer self
10.53.0.4; // BIND 8 compat
{ 10.53.0.5; 10.53.0.5; }; // BIND 8 compat
};
};
zone "." {
type primary;
file "root.db";
};
zone "example" {
type primary;
file "example.db";
};

24
bin/tests/system/sortlist/ns1/root.db
View File

@ -1,24 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
. IN SOA gson.nominum.com. a.root.servers.nil. (
2000042100 ; serial
600 ; refresh
600 ; retry
1200 ; expire
600 ; minimum
)
. NS a.root-servers.nil.
a.root-servers.nil. A 10.53.0.1
example. NS ns2.example.
ns2.example. A 10.53.0.2

16
bin/tests/system/sortlist/setup.sh
View File

@ -1,16 +0,0 @@
#!/bin/sh
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
. ../conf.sh
copy_setports ns1/named.conf.in ns1/named.conf

53
bin/tests/system/sortlist/tests_sortlist.py
View File

@ -1,53 +0,0 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
import dns.message
import pytest
import isctest
def test_sortlist():
"""Test two-element sortlist statement"""
msg = dns.message.make_query("a.example.", "A")
resp = isctest.query.tcp(msg, "10.53.0.1", source="10.53.0.1")
sortlist = [
"192.168.3.1",
"192.168.1.1",
"1.1.1.5",
"1.1.1.1",
"1.1.1.3",
"1.1.1.2",
"1.1.1.4",
]
rrset = dns.rrset.from_text_list("a.example.", 300, "IN", "A", sortlist)
assert len(resp.answer) == 1
assert resp.answer[0] == rrset
assert list(resp.answer[0].items) == list(rrset.items)
@pytest.mark.parametrize(
"source_ip,possible_results",
[
("10.53.0.2", ["10.53.0.2", "10.53.0.3"]),
("10.53.0.3", ["10.53.0.2", "10.53.0.3"]),
("10.53.0.4", ["10.53.0.4"]),
("10.53.0.5", ["10.53.0.5"]),
],
)
def test_sortlist_compat(possible_results, source_ip):
"""Test one-element sortlist statement and undocumented BIND 8 features"""
msg = dns.message.make_query("b.example.", "A")
resp = isctest.query.tcp(msg, "10.53.0.1", source=source_ip)
assert (
resp.answer[0][0].to_text() in possible_results
), f"{possible_results} not found"

97
doc/arm/reference.rst
View File

@ -240,7 +240,7 @@ Definition and Usage
Address match lists are primarily used to determine access control for
various server operations. They are also used in the :any:`listen-on` and
:any:`sortlist` statements. The elements which constitute an address match
:any:`listen-on-v6` statements. The elements which constitute an address match
list can be any of the following:
- :term:`ip_address`: an IP address (IPv4 or IPv6)
@ -269,8 +269,8 @@ comparisons require that the list of keys be traversed until a matching
key is found, and therefore may be somewhat slower.
The interpretation of a match depends on whether the list is being used
for access control, defining :any:`listen-on` ports, or in a :any:`sortlist`,
and whether the element was negated.
for access control or for defining :any:`listen-on` ports, and whether
the element was negated.
When used as an access control list, a non-negated match allows access
and a negated match denies access. If there is no match, access is
@ -3948,94 +3948,6 @@ Periodic Task Intervals
gone away. For convenience, TTL-style time-unit suffixes may be used to
specify the value. It also accepts ISO 8601 duration formats.
The :any:`sortlist` Statement
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The response to a DNS query may consist of multiple resource records
(RRs) forming a resource record set (RRset). The name server
normally returns the RRs within the RRset in an indeterminate order (but
see the :any:`rrset-order` statement in :ref:`rrset_ordering`). The client resolver code should
rearrange the RRs as appropriate: that is, using any addresses on the
local net in preference to other addresses. However, not all resolvers
can do this or are correctly configured. When a client is using a local
server, the sorting can be performed in the server, based on the
client's address. This only requires configuring the name servers, not
all the clients.
.. namedconf:statement:: sortlist
:tags: query, deprecated
:short: Controls the ordering of RRs returned to the client, based on the client's IP address.
This option is deprecated and will be removed in a future release.
The :any:`sortlist` statement (see below) takes an :term:`address_match_list` and
interprets it in a special way. Each top-level statement in the :any:`sortlist`
must itself be an explicit :term:`address_match_list` with one or two elements. The
first element (which may be an IP address, an IP prefix, an ACL name, or a nested
:term:`address_match_list`) of each top-level list is checked against the source
address of the query until a match is found. When the addresses in the first
element overlap, the first rule to match is selected.
Once the source address of the query has been matched, if the top-level
statement contains only one element, the actual primitive element that
matched the source address is used to select the address in the response
to move to the beginning of the response. If the statement is a list of
two elements, then the second element is interpreted as a topology
preference list. Each top-level element is assigned a distance, and the
address in the response with the minimum distance is moved to the
beginning of the response.
In the following example, any queries received from any of the addresses
of the host itself get responses preferring addresses on any of the
locally connected networks. Next most preferred are addresses on the
192.168.1/24 network, and after that either the 192.168.2/24 or
192.168.3/24 network, with no preference shown between these two
networks. Queries received from a host on the 192.168.1/24 network
prefer other addresses on that network to the 192.168.2/24 and
192.168.3/24 networks. Queries received from a host on the 192.168.4/24
or the 192.168.5/24 network only prefer other addresses on their
directly connected networks.
::
sortlist {
// IF the local host
// THEN first fit on the following nets
{ localhost;
{ localnets;
192.168.1/24;
{ 192.168.2/24; 192.168.3/24; }; }; };
// IF on class C 192.168.1 THEN use .1, or .2 or .3
{ 192.168.1/24;
{ 192.168.1/24;
{ 192.168.2/24; 192.168.3/24; }; }; };
// IF on class C 192.168.2 THEN use .2, or .1 or .3
{ 192.168.2/24;
{ 192.168.2/24;
{ 192.168.1/24; 192.168.3/24; }; }; };
// IF on class C 192.168.3 THEN use .3, or .1 or .2
{ 192.168.3/24;
{ 192.168.3/24;
{ 192.168.1/24; 192.168.2/24; }; }; };
// IF .4 or .5 THEN prefer that net
{ { 192.168.4/24; 192.168.5/24; };
};
};
The following example illustrates reasonable behavior for the local host
and hosts on directly connected networks. Responses sent to queries from the
local host favor any of the directly connected networks. Responses
sent to queries from any other hosts on a directly connected network
prefer addresses on that same network. Responses to other queries
are not sorted.
::
sortlist {
{ localhost; localnets; };
{ localnets; };
};
.. _rrset_ordering:
RRset Ordering
@ -4053,8 +3965,7 @@ RRset Ordering
:short: Defines the order in which equal RRs (RRsets) are returned.
The :any:`rrset-order` statement permits configuration of the ordering of
the records in a multiple-record response. See also:
:any:`sortlist`.
the records in a multiple-record response.
Each rule in an :any:`rrset-order` statement is defined as follows:

2
doc/arm/zones.inc.rst
View File

@ -29,7 +29,7 @@ of RRs in a set is not significant and need not be preserved by name
servers, resolvers, or other parts of the DNS. However, sorting of
multiple RRs is permitted for optimization purposes: for example, to
specify that a particular nearby server be tried first. See
:any:`sortlist` and :ref:`rrset_ordering`.
:ref:`rrset_ordering`.
The components of a Resource Record are:

2
doc/misc/options
View File

@ -278,7 +278,6 @@ options {
sig-validity-interval <integer> [ <integer> ]; // obsolete
sig0checks-quota <integer>; // experimental
sig0checks-quota-exempt { <address_match_element>; ... }; // experimental
sortlist { <address_match_element>; ... }; // deprecated
stale-answer-client-timeout ( disabled | off | <integer> );
stale-answer-enable <boolean>;
stale-answer-ttl <duration>;
@ -574,7 +573,6 @@ view <string> [ <class> ] {
sig-signing-signatures <integer>;
sig-signing-type <integer>;
sig-validity-interval <integer> [ <integer> ]; // obsolete
sortlist { <address_match_element>; ... }; // deprecated
stale-answer-client-timeout ( disabled | off | <integer> );
stale-answer-enable <boolean>;
stale-answer-ttl <duration>;

BIN
fuzz/isc_lex_getmastertoken.in/named.conf
View File

Binary file not shown.

16
fuzz/isc_lex_gettoken.in/named.conf
View File

@ -167,22 +167,6 @@ options {
interface - interval 1002;
statistics - interval 1003;
topology {
10 / 8;
!1.2.3 / 24;
{
1.2 / 16;
3 / 8;
};
};
sortlist {
10 / 8;
11 / 8;
};
tkey - domain "foo.com";
tkey - dhkey "xyz" 666;

3
lib/dns/include/dns/acl.h
View File

@ -233,8 +233,7 @@ dns_acl_match(const isc_netaddr_t *reqaddr, const dns_name_t *reqsigner,
const dns_acl_t *acl, dns_aclenv_t *env, int *match,
const dns_aclelement_t **matchelt);
/*%<
* General, low-level ACL matching. This is expected to
* be useful even for weird stuff like the topology and sortlist statements.
* General, low-level ACL matching.
*
* Match the address 'reqaddr', and optionally the key name 'reqsigner',
* against 'acl'. 'reqsigner' may be NULL.

29
lib/dns/include/dns/message.h
View File

@ -257,12 +257,6 @@ typedef enum dns_message_intent {
typedef struct dns_msgblock dns_msgblock_t;
struct dns_sortlist_arg {
dns_aclenv_t *env;
dns_acl_t *acl;
const dns_aclelement_t *element;
};
typedef struct dns_minttl {
bool is_set;
dns_ttl_t ttl;
@ -354,9 +348,6 @@ struct dns_message {
*/
isc_stdtime_t fuzztime;
dns_rdatasetorderfunc_t order;
dns_sortlist_arg_t order_arg;
dns_indent_t indent;
dns_minttl_t minttl[DNS_SECTION_MAX];
@ -1388,26 +1379,6 @@ dns_message_getrawmessage(dns_message_t *msg);
* a pointer to a region which refers the dns message.
*/
void
dns_message_setsortorder(dns_message_t *msg, dns_rdatasetorderfunc_t order,
dns_aclenv_t *env, dns_acl_t *acl,
const dns_aclelement_t *element);
/*%<
* Define the order in which RR sets get rendered by
* dns_message_rendersection() to be the ascending order
* defined by the integer value returned by 'order' when
* given each RR and a ns_sortlist_arg_t constructed from 'env',
* 'acl', and 'element' as arguments.
*
* If 'order' is NULL, a default order is used.
*
* Requires:
*\li msg be a valid message.
*\li If 'env' is NULL, 'order' must be NULL.
*\li If 'env' is not NULL, 'order' must not be NULL and at least one of
* 'acl' and 'element' must also not be NULL.
*/
void
dns_message_settimeadjust(dns_message_t *msg, int timeadjust);
/*%<

22
lib/dns/include/dns/rdataset.h
View File

@ -481,31 +481,13 @@ dns_rdataset_towire(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
* dns_name_towire().
*/
isc_result_t
dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
const dns_name_t *owner_name, dns_compress_t *cctx,
isc_buffer_t *target, dns_rdatasetorderfunc_t order,
const void *order_arg, unsigned int options,
unsigned int *countp);
/*%<
* Like dns_rdataset_towire(), but sorting the rdatasets according to
* the integer value returned by 'order' when called with the rdataset
* and 'order_arg' as arguments.
*
* Requires:
*\li All the requirements of dns_rdataset_towire(), and
* that order_arg is NULL if and only if order is NULL.
*/
isc_result_t
dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
const dns_name_t *owner_name, dns_compress_t *cctx,
isc_buffer_t *target, dns_rdatasetorderfunc_t order,
const void *order_arg, unsigned int options,
isc_buffer_t *target, unsigned int options,
unsigned int *countp, void **state);
/*%<
* Like dns_rdataset_towiresorted() except that a partial rdataset
* may be written.
* Like dns_rdataset_towire() except that a partial rdataset may be written.
*
* Requires:
*\li All the requirements of dns_rdataset_towiresorted().

1
lib/dns/include/dns/types.h
View File

@ -153,7 +153,6 @@ typedef struct dns_signature dns_signature_t;
typedef struct dns_skr dns_skr_t;
typedef struct dns_slabheader dns_slabheader_t;
typedef ISC_LIST(dns_slabheader_t) dns_slabheaderlist_t;
typedef struct dns_sortlist_arg dns_sortlist_arg_t;
typedef struct dns_ssurule dns_ssurule_t;
typedef struct dns_ssutable dns_ssutable_t;
typedef struct dns_stats dns_stats_t;

1
lib/dns/include/dns/view.h
View File

@ -132,7 +132,6 @@ struct dns_view {
dns_acl_t *queryonacl;
dns_acl_t *recursionacl;
dns_acl_t *recursiononacl;
dns_acl_t *sortlist;
dns_acl_t *notifyacl;
dns_acl_t *transferacl;
dns_acl_t *updateacl;

48
lib/dns/message.c
View File

@ -441,10 +441,6 @@ msginit(dns_message_t *m) {
m->tcp_continuation = 0;
m->verified_sig = 0;
m->verify_attempted = 0;
m->order = NULL;
m->order_arg.env = NULL;
m->order_arg.acl = NULL;
m->order_arg.element = NULL;
m->query.base = NULL;
m->query.length = 0;
m->free_query = 0;
@ -662,13 +658,6 @@ msgreset(dns_message_t *msg, bool everything) {
dynbuf = next_dynbuf;
}
if (msg->order_arg.env != NULL) {
dns_aclenv_detach(&msg->order_arg.env);
}
if (msg->order_arg.acl != NULL) {
dns_acl_detach(&msg->order_arg.acl);
}
/*
* Set other bits to normal default values.
*/
@ -2104,19 +2093,16 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
0 &&
(rdataset->attributes & DNS_RDATASETATTR_RENDERED) == 0)
{
const void *order_arg = &msg->order_arg;
st = *(msg->buffer);
count = 0;
if (partial) {
result = dns_rdataset_towirepartial(
rdataset, name, msg->cctx, msg->buffer,
msg->order, order_arg, rd_options,
&count, NULL);
rd_options, &count, NULL);
} else {
result = dns_rdataset_towiresorted(
result = dns_rdataset_towire(
rdataset, name, msg->cctx, msg->buffer,
msg->order, order_arg, rd_options,
&count);
rd_options, &count);
}
total += count;
if (partial && result == ISC_R_NOSPACE) {
@ -2178,14 +2164,12 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
if (partial) {
result = dns_rdataset_towirepartial(
rdataset, name, msg->cctx,
msg->buffer, msg->order,
&msg->order_arg, rd_options,
&count, NULL);
msg->buffer, rd_options, &count,
NULL);
} else {
result = dns_rdataset_towiresorted(
result = dns_rdataset_towire(
rdataset, name, msg->cctx,
msg->buffer, msg->order,
&msg->order_arg, rd_options,
msg->buffer, rd_options,
&count);
}
@ -4722,24 +4706,6 @@ dns_message_getrawmessage(dns_message_t *msg) {
return &msg->saved;
}
void
dns_message_setsortorder(dns_message_t *msg, dns_rdatasetorderfunc_t order,
dns_aclenv_t *env, dns_acl_t *acl,
const dns_aclelement_t *elem) {
REQUIRE(DNS_MESSAGE_VALID(msg));
REQUIRE((order == NULL) == (env == NULL));
REQUIRE(env == NULL || (acl != NULL || elem != NULL));
msg->order = order;
if (env != NULL) {
dns_aclenv_attach(env, &msg->order_arg.env);
}
if (acl != NULL) {
dns_acl_attach(acl, &msg->order_arg.acl);
}
msg->order_arg.element = elem;
}
void
dns_message_settimeadjust(dns_message_t *msg, int timeadjust) {
REQUIRE(DNS_MESSAGE_VALID(msg));

58
lib/dns/rdataset.c
View File

@ -221,13 +221,6 @@ struct towire_sort {
dns_rdata_t *rdata;
};
static int
towire_compare(const void *av, const void *bv) {
const struct towire_sort *a = (const struct towire_sort *)av;
const struct towire_sort *b = (const struct towire_sort *)bv;
return a->key - b->key;
}
static void
swap_rdata(dns_rdata_t *in, unsigned int a, unsigned int b) {
dns_rdata_t rdata = in[a];
@ -236,9 +229,8 @@ swap_rdata(dns_rdata_t *in, unsigned int a, unsigned int b) {
}
static isc_result_t
towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
dns_compress_t *cctx, isc_buffer_t *target,
dns_rdatasetorderfunc_t order, const void *order_arg, bool partial,
towire(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
dns_compress_t *cctx, isc_buffer_t *target, bool partial,
unsigned int options, unsigned int *countp,
void **state ISC_ATTR_UNUSED) {
isc_region_t r;
@ -247,7 +239,7 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
isc_buffer_t savedbuffer, rdlen, rrbuffer;
unsigned int headlen;
bool question = false;
bool shuffle = false, sort = false;
bool shuffle = false;
bool want_random, want_cyclic;
dns_rdata_t in_fixed[MAX_SHUFFLE];
dns_rdata_t *in = in_fixed;
@ -297,28 +289,25 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
}
/*
* Do we want to sort and/or shuffle this answer?
* Do we want to shuffle this answer?
*/
if (!question && count > 1 && rdataset->type != dns_rdatatype_rrsig) {
if (order != NULL) {
sort = true;
}
if (want_random || want_cyclic) {
shuffle = true;
}
}
if (shuffle || sort) {
if (shuffle) {
if (count > MAX_SHUFFLE) {
in = isc_mem_cget(cctx->mctx, count, sizeof(*in));
out = isc_mem_cget(cctx->mctx, count, sizeof(*out));
if (in == NULL || out == NULL) {
shuffle = sort = false;
shuffle = false;
}
}
}
if (shuffle || sort) {
if (shuffle) {
uint32_t seed = 0;
unsigned int j = 0;
@ -353,18 +342,12 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
swap_rdata(in, j, j + seed % (count - j));
}
out[i].key = (sort) ? (*order)(&in[j], order_arg) : 0;
out[i].key = 0;
out[i].rdata = &in[j];
if (++j == count) {
j = 0;
}
}
/*
* Sortlist order.
*/
if (sort) {
qsort(out, count, sizeof(out[0]), towire_compare);
}
}
savedbuffer = *target;
@ -415,7 +398,7 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
/*
* Copy out the rdata
*/
if (shuffle || sort) {
if (shuffle) {
rdata = *(out[i].rdata);
} else {
dns_rdata_reset(&rdata);
@ -433,7 +416,7 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
added++;
}
if (shuffle || sort) {
if (shuffle) {
i++;
if (i == count) {
result = ISC_R_NOMORE;
@ -475,33 +458,22 @@ cleanup:
return result;
}
isc_result_t
dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
const dns_name_t *owner_name, dns_compress_t *cctx,
isc_buffer_t *target, dns_rdatasetorderfunc_t order,
const void *order_arg, unsigned int options,
unsigned int *countp) {
return towiresorted(rdataset, owner_name, cctx, target, order,
order_arg, false, options, countp, NULL);
}
isc_result_t
dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
const dns_name_t *owner_name, dns_compress_t *cctx,
isc_buffer_t *target, dns_rdatasetorderfunc_t order,
const void *order_arg, unsigned int options,
isc_buffer_t *target, unsigned int options,
unsigned int *countp, void **state) {
REQUIRE(state == NULL); /* XXX remove when implemented */
return towiresorted(rdataset, owner_name, cctx, target, order,
order_arg, true, options, countp, state);
return towire(rdataset, owner_name, cctx, target, true, options, countp,
state);
}
isc_result_t
dns_rdataset_towire(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
dns_compress_t *cctx, isc_buffer_t *target,
unsigned int options, unsigned int *countp) {
return towiresorted(rdataset, owner_name, cctx, target, NULL, NULL,
false, options, countp, NULL);
return towire(rdataset, owner_name, cctx, target, false, options,
countp, NULL);
}
isc_result_t

3
lib/dns/view.c
View File

@ -324,9 +324,6 @@ destroy(dns_view_t *view) {
if (view->recursiononacl != NULL) {
dns_acl_detach(&view->recursiononacl);
}
if (view->sortlist != NULL) {
dns_acl_detach(&view->sortlist);
}
if (view->transferacl != NULL) {
dns_acl_detach(&view->transferacl);
}

7
lib/isccfg/aclconf.c
View File

@ -812,9 +812,8 @@ cfg_acl_fromconfig(const cfg_obj_t *acl_data, const cfg_obj_t *cctx,
/*
* If we're nesting ACLs, put the nested
* ACL onto the elements list; otherwise
* merge it into *this* ACL. We nest ACLs
* in two cases: 1) sortlist, 2) if the
* nested ACL contains negated members.
* merge it into *this* ACL. We nest the
* ACL if it contains negated members.
*/
if (inneracl != NULL) {
dns_acl_detach(&inneracl);
@ -953,7 +952,7 @@ cfg_acl_fromconfig(const cfg_obj_t *acl_data, const cfg_obj_t *cctx,
/*
* This should only be reached for localhost, localnets
* and keyname elements, and nested ACLs if nest_level is
* nonzero (i.e., in sortlists).
* nonzero.
*/
if (de->nestedacl != NULL &&
de->type != dns_aclelementtype_nestedacl)

18
lib/isccfg/check.c
View File

@ -547,17 +547,13 @@ check_viewacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
isc_result_t result = ISC_R_SUCCESS, tresult;
int i = 0;
static const char *acls[] = { "allow-proxy",
"allow-proxy-on",
"allow-query",
"allow-query-on",
"allow-query-cache",
"allow-query-cache-on",
"blackhole",
"match-clients",
"match-destinations",
"sortlist",
NULL };
static const char *acls[] = {
"allow-proxy", "allow-proxy-on",
"allow-query", "allow-query-on",
"allow-query-cache", "allow-query-cache-on",
"blackhole", "match-clients",
"match-destinations", NULL
};
while (acls[i] != NULL) {
tresult = checkacl(acls[i++], actx, NULL, voptions, config,

2
lib/isccfg/namedconf.c
View File

@ -2119,7 +2119,7 @@ static cfg_clausedef_t view_clauses[] = {
{ "rrset-order", &cfg_type_rrsetorder, 0 },
{ "send-cookie", &cfg_type_boolean, 0 },
{ "servfail-ttl", &cfg_type_duration, 0 },
{ "sortlist", &cfg_type_bracketed_aml, CFG_CLAUSEFLAG_DEPRECATED },
{ "sortlist", &cfg_type_bracketed_aml, CFG_CLAUSEFLAG_ANCIENT },
{ "stale-answer-enable", &cfg_type_boolean, 0 },
{ "stale-answer-client-timeout", &cfg_type_staleanswerclienttimeout,
0 },

2
lib/ns/Makefile.am
View File

@ -15,7 +15,6 @@ libns_la_HEADERS = \
include/ns/notify.h \
include/ns/query.h \
include/ns/server.h \
include/ns/sortlist.h \
include/ns/stats.h \
include/ns/types.h \
include/ns/update.h \
@ -31,7 +30,6 @@ libns_la_SOURCES = \
probes.d \
query.c \
server.c \
sortlist.c \
stats.c \
update.c \
xfrout.c

68
lib/ns/include/ns/sortlist.h
View File

@ -1,68 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#pragma once
/*! \file */
#include <isc/types.h>
#include <dns/acl.h>
#include <dns/types.h>
/*%
* Type for callback functions that rank addresses.
*/
typedef int (*dns_addressorderfunc_t)(const isc_netaddr_t *address,
const void *arg);
/*%
* Return value type for setup_sortlist.
*/
typedef enum {
NS_SORTLISTTYPE_NONE,
NS_SORTLISTTYPE_1ELEMENT,
NS_SORTLISTTYPE_2ELEMENT
} ns_sortlisttype_t;
ns_sortlisttype_t
ns_sortlist_setup(dns_acl_t *acl, dns_aclenv_t *env, isc_netaddr_t *clientaddr,
void **argp);
/*%<
* Find the sortlist statement in 'acl' (for ACL environment 'env')
* that applies to 'clientaddr', if any.
*
* If a 1-element sortlist item applies, return NS_SORTLISTTYPE_1ELEMENT and
* make '*argp' point to the matching subelement.
*
* If a 2-element sortlist item applies, return NS_SORTLISTTYPE_2ELEMENT and
* make '*argp' point to ACL that forms the second element.
*
* If no sortlist item applies, return NS_SORTLISTTYPE_NONE and set '*argp'
* to NULL.
*/
int
ns_sortlist_addrorder1(const isc_netaddr_t *addr, const void *arg);
/*%<
* Find the sort order of 'addr' in 'arg', the matching element
* of a 1-element top-level sortlist statement.
*/
int
ns_sortlist_addrorder2(const isc_netaddr_t *addr, const void *arg);
/*%<
* Find the sort order of 'addr' in 'arg', a topology-like
* ACL forming the second element in a 2-element top-level
* sortlist statement.
*/

100
lib/ns/query.c
View File

@ -69,7 +69,6 @@
#include <ns/hooks.h>
#include <ns/interfacemgr.h>
#include <ns/server.h>
#include <ns/sortlist.h>
#include <ns/stats.h>
#include <ns/xfrout.h>
@ -4396,35 +4395,6 @@ rpz_ck_dnssec(ns_client_t *client, isc_result_t qresult,
return true;
}
/*
* Extract a network address from the RDATA of an A or AAAA
* record.
*
* Returns:
* ISC_R_SUCCESS
* ISC_R_NOTIMPLEMENTED The rdata is not a known address type.
*/
static isc_result_t
rdata_tonetaddr(const dns_rdata_t *rdata, isc_netaddr_t *netaddr) {
struct in_addr ina;
struct in6_addr in6a;
switch (rdata->type) {
case dns_rdatatype_a:
INSIST(rdata->length == 4);
memmove(&ina.s_addr, rdata->data, 4);
isc_netaddr_fromin(netaddr, &ina);
return ISC_R_SUCCESS;
case dns_rdatatype_aaaa:
INSIST(rdata->length == 16);
memmove(in6a.s6_addr, rdata->data, 16);
isc_netaddr_fromin6(netaddr, &in6a);
return ISC_R_SUCCESS;
default:
return ISC_R_NOTIMPLEMENTED;
}
}
static unsigned char inaddr10_offsets[] = { 0, 3, 11, 16 };
static unsigned char inaddr172_offsets[] = { 0, 3, 7, 15, 20 };
static unsigned char inaddr192_offsets[] = { 0, 4, 8, 16, 21 };
@ -11354,72 +11324,6 @@ query_addauth(query_ctx_t *qctx) {
}
}
/*
* Find the sort order of 'rdata' in the topology-like
* ACL forming the second element in a 2-element top-level
* sortlist statement.
*/
static int
query_sortlist_order_2element(const dns_rdata_t *rdata, const void *arg) {
isc_netaddr_t netaddr;
if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS) {
return INT_MAX;
}
return ns_sortlist_addrorder2(&netaddr, arg);
}
/*
* Find the sort order of 'rdata' in the matching element
* of a 1-element top-level sortlist statement.
*/
static int
query_sortlist_order_1element(const dns_rdata_t *rdata, const void *arg) {
isc_netaddr_t netaddr;
if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS) {
return INT_MAX;
}
return ns_sortlist_addrorder1(&netaddr, arg);
}
/*
* Find the sortlist statement that applies to 'client' and set up
* the sortlist info in in client->message appropriately.
*/
static void
query_setup_sortlist(query_ctx_t *qctx) {
isc_netaddr_t netaddr;
ns_client_t *client = qctx->client;
dns_aclenv_t *env = client->manager->aclenv;
dns_acl_t *acl = NULL;
dns_aclelement_t *elt = NULL;
void *order_arg = NULL;
isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
switch (ns_sortlist_setup(client->view->sortlist, env, &netaddr,
&order_arg))
{
case NS_SORTLISTTYPE_1ELEMENT:
elt = order_arg;
dns_message_setsortorder(client->message,
query_sortlist_order_1element, env,
NULL, elt);
break;
case NS_SORTLISTTYPE_2ELEMENT:
acl = order_arg;
dns_message_setsortorder(client->message,
query_sortlist_order_2element, env,
acl, NULL);
dns_acl_detach(&acl);
break;
case NS_SORTLISTTYPE_NONE:
break;
default:
UNREACHABLE();
}
}
/*
* When sending a referral, if the answer to the question is
* in the glue, sort it to the start of the additional section.
@ -11582,13 +11486,11 @@ ns_query_done(query_ctx_t *qctx) {
}
/*
* We are done. Set up sortlist data for the message
* rendering code, sort the answer to the front of the
* We are done. Sort the answer to the front of the
* additional section if necessary, make a final tweak
* to the AA bit if the auth-nxdomain config option
* says so, then render and send the response.
*/
query_setup_sortlist(qctx);
query_glueanswer(qctx);
if (qctx->client->message->rcode == dns_rcode_nxdomain &&

150
lib/ns/sortlist.c
View File

@ -1,150 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*! \file */
#include <isc/mem.h>
#include <isc/result.h>
#include <isc/util.h>
#include <dns/acl.h>
#include <dns/message.h>
#include <ns/server.h>
#include <ns/sortlist.h>
ns_sortlisttype_t
ns_sortlist_setup(dns_acl_t *acl, dns_aclenv_t *env, isc_netaddr_t *clientaddr,
void **argp) {
if (acl == NULL) {
goto dont_sort;
}
for (size_t i = 0; i < acl->length; i++) {
/*
* 'e' refers to the current 'top level statement'
* in the sortlist (see ARM).
*/
dns_aclelement_t *e = &acl->elements[i];
dns_aclelement_t *try_elt;
dns_aclelement_t *order_elt = NULL;
dns_aclelement_t *matched_elt = NULL;
if (e->type == dns_aclelementtype_nestedacl) {
dns_acl_t *inner = e->nestedacl;
if (inner->length == 0) {
try_elt = e;
} else if (inner->length > 2) {
goto dont_sort;
} else if (inner->elements[0].negative) {
goto dont_sort;
} else {
try_elt = &inner->elements[0];
if (inner->length == 2) {
order_elt = &inner->elements[1];
}
}
} else {
/*
* BIND 8 allows bare elements at the top level
* as an undocumented feature.
*/
try_elt = e;
}
if (!dns_aclelement_match(
clientaddr, NULL, try_elt, env,
(const dns_aclelement_t **)&matched_elt))
{
continue;
}
if (order_elt == NULL) {
INSIST(matched_elt != NULL);
*argp = matched_elt;
return NS_SORTLISTTYPE_1ELEMENT;
}
if (order_elt->type == dns_aclelementtype_nestedacl) {
dns_acl_t *inner = NULL;
dns_acl_attach(order_elt->nestedacl, &inner);
*argp = inner;
return NS_SORTLISTTYPE_2ELEMENT;
}
if (order_elt->type == dns_aclelementtype_localhost) {
rcu_read_lock();
dns_acl_t *inner = rcu_dereference(env->localhost);
if (inner != NULL) {
*argp = dns_acl_ref(inner);
rcu_read_unlock();
return NS_SORTLISTTYPE_2ELEMENT;
}
rcu_read_unlock();
}
if (order_elt->type == dns_aclelementtype_localnets) {
rcu_read_lock();
dns_acl_t *inner = rcu_dereference(env->localhost);
if (inner != NULL) {
*argp = dns_acl_ref(inner);
rcu_read_unlock();
return NS_SORTLISTTYPE_2ELEMENT;
}
rcu_read_unlock();
}
/*
* BIND 8 allows a bare IP prefix as
* the 2nd element of a 2-element
* sortlist statement.
*/
*argp = order_elt;
return NS_SORTLISTTYPE_1ELEMENT;
}
dont_sort:
*argp = NULL;
return NS_SORTLISTTYPE_NONE;
}
int
ns_sortlist_addrorder2(const isc_netaddr_t *addr, const void *arg) {
const dns_sortlist_arg_t *sla = (const dns_sortlist_arg_t *)arg;
dns_aclenv_t *env = sla->env;
const dns_acl_t *sortacl = sla->acl;
int match;
(void)dns_acl_match(addr, NULL, sortacl, env, &match, NULL);
if (match > 0) {
return match;
} else if (match < 0) {
return INT_MAX - (-match);
} else {
return INT_MAX / 2;
}
}
int
ns_sortlist_addrorder1(const isc_netaddr_t *addr, const void *arg) {
const dns_sortlist_arg_t *sla = (const dns_sortlist_arg_t *)arg;
dns_aclenv_t *env = sla->env;
const dns_aclelement_t *element = sla->element;
if (dns_aclelement_match(addr, NULL, element, env, NULL)) {
return 0;
}
return INT_MAX;
}

1
tests/ns/query_test.c
View File

@ -1383,7 +1383,6 @@ run_hookasync_e2e_test(const ns__query_hookasync_e2e_test_params_t *test) {
result = ns_test_qctx_create(&qctx_params, &qctx);
INSIST(result == ISC_R_SUCCESS);
isc_sockaddr_any(&qctx->client->peeraddr); /* for sortlist */
qctx->client->sendcb = send_noop;
/* Load a zone. it should have ns.foo/A */