diff --git a/bin/named/config.c b/bin/named/config.c
index 8aef22dddb..23df890193 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -331,7 +331,7 @@ dnssec-policy \"insecure\" {\n\
 "# END TRUST ANCHORS\n\
 \n\
-primaries " DEFAULT_IANA_ROOT_ZONE_PRIMARIES " {\n\
+remote-servers " DEFAULT_IANA_ROOT_ZONE_PRIMARIES " {\n\
 2801:1b8:10::b; # b.root-servers.net\n\
 2001:500:2::c; # c.root-servers.net\n\
 2001:500:2f::f; # f.root-servers.net\n\
@@ -503,9 +503,9 @@ named_config_getzonetype(const cfg_obj_t *zonetypeobj) {
 return ztype;
 }
-static isc_result_t
-getremotesdef(const cfg_obj_t *cctx, const char *list, const char *name,
- const cfg_obj_t **ret) {
+isc_result_t
+named_config_getremotesdef(const cfg_obj_t *cctx, const char *list,
+ const char *name, const cfg_obj_t **ret) {
 isc_result_t result;
 const cfg_obj_t *obj = NULL;
 const cfg_listelt_t *elt;
@@ -532,23 +532,6 @@ getremotesdef(const cfg_obj_t *cctx, const char *list, const char *name,
 return ISC_R_NOTFOUND;
 }
-isc_result_t
-named_config_getremotesdef(const cfg_obj_t *cctx, const char *list,
- const char *name, const cfg_obj_t **ret) {
- isc_result_t result;
- if (strcmp(list, "parental-agents") == 0) {
- return getremotesdef(cctx, list, name, ret);
- } else if (strcmp(list, "primaries") == 0) {
- result = getremotesdef(cctx, list, name, ret);
- if (result != ISC_R_SUCCESS) {
- result = getremotesdef(cctx, "masters", name, ret);
- }
- return result;
- }
- return ISC_R_NOTFOUND;
-}
-
 static isc_result_t
 named_config_getname(isc_mem_t *mctx, const cfg_obj_t *obj,
 dns_name_t **namep) {
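Review bot: The exported `named_config_getremotesdef` now has different semantics from the function of that name it replaces: the body being promoted looks up `name` under the single keyword passed in `list`, whereas the deleted wrapper further down this file used to fall back from "primaries" to "masters". The one caller in this diff, `named_config_getipandkeylist`, now iterates the four keywords itself, but any other caller of the exported symbol that still passes "primaries" and relied on the fallback would silently get ISC_R_NOTFOUND, and I cannot see such callers from here. The declaration in named/config.h should say so, e.g. `/* Find remote-server list 'name' defined under exactly the keyword 'list'; synonyms are not searched, callers iterate them. */`. The function body continues past the end of the hunk.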
@@ -597,10 +580,12 @@ named_config_getname(isc_mem_t *mctx, const cfg_obj_t *obj,
 oldlen = newlen; \
 }
+static const char *remotesnames[4] = { "remote-servers", "parental-agents",
+ "primaries", "masters" };
+
 isc_result_t
-named_config_getipandkeylist(const cfg_obj_t *config, const char *listtype,
- const cfg_obj_t *list, isc_mem_t *mctx,
- dns_ipkeylist_t *ipkl) {
+named_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
+ isc_mem_t *mctx, dns_ipkeylist_t *ipkl) {
 uint32_t addrcount = 0, srccount = 0;
 uint32_t keycount = 0, tlscount = 0;
 uint32_t listcount = 0, l = 0, i = 0;
@@ -683,8 +668,6 @@ newlist:
 isc_sockaddr_any6(&src6);
 }
- result = ISC_R_NOMEMORY;
-
 element = cfg_list_first(addrlist);
 resume:
 for (; element != NULL; element = cfg_list_next(element)) {
@@ -715,17 +698,22 @@ resume:
 continue;
 }
 list = NULL;
- tresult = named_config_getremotesdef(config, listtype,
- listname, &list);
+ tresult = ISC_R_NOTFOUND;
+ for (size_t n = 0; n < ARRAY_SIZE(remotesnames); n++) {
+ tresult = named_config_getremotesdef(
+ config, remotesnames[n], listname,
+ &list);
+ if (tresult == ISC_R_SUCCESS) {
+ break;
+ }
+ }
 if (tresult == ISC_R_NOTFOUND) {
 cfg_obj_log(addr, ISC_LOG_ERROR,
- "%s \"%s\" not found", listtype,
+ "remote-servers \"%s\" not found",
 listname);
-
- result = tresult;
- goto cleanup;
 }
 if (tresult != ISC_R_SUCCESS) {
+ result = tresult;
 goto cleanup;
 }
 lists[l++].name = listname;
diff --git a/bin/named/include/named/config.h b/bin/named/include/named/config.h
index c6ba4eae96..0be3b12b9b 100644
--- a/bin/named/include/named/config.h
+++ b/bin/named/include/named/config.h
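Review bot: `static const char *remotesnames[4]` leaves the pointer array itself writable and repeats the element count that `ARRAY_SIZE(remotesnames)` already derives in the lookup loop further down; `static const char *const remotesnames[] = { "remote-servers", "parental-agents", "primaries", "masters" };` puts the table in read-only storage and keeps the count in one place. The search order also differs from `get_remoteservers_def` in lib/isccfg/check.c, which tries "primaries" before "parental-agents"; as `check_remoteserverlists` in that file now rejects a name defined under more than one keyword the difference should not be observable, but a short comment on the table saying the order is immaterial because the four keywords share one namespace would save the next reader from looking for a reason.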
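Review bot: The keyword loop only stops on ISC_R_SUCCESS, so a result other than ISC_R_NOTFOUND from an earlier keyword is overwritten by the later lookups, after which the function logs `remote-servers "%s" not found` and returns the `masters` lookup's code instead of the original error; breaking on any definitive answer, `if (tresult != ISC_R_NOTFOUND) { break; }`, keeps the first real failure. Whether `named_config_getremotesdef` can return anything besides SUCCESS and NOTFOUND is not visible here, since its body straddles the earlier hunks, so treat this as hedged. The same first-success-only chain appears in `get_remoteservers_def` in lib/isccfg/check.c. Separately, with the `result = ISC_R_NOMEMORY` preset removed in the preceding hunk every `goto cleanup` in this function must set `result` explicitly; the one in this hunk now does, but the rest of the function lies outside the hunks I can see.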
@@ -57,9 +57,8 @@ named_config_getremotesdef(const cfg_obj_t *cctx, const char *list,
 const char *name, const cfg_obj_t **ret);
 isc_result_t
-named_config_getipandkeylist(const cfg_obj_t *config, const char *listtype,
- const cfg_obj_t *list, isc_mem_t *mctx,
- dns_ipkeylist_t *ipkl);
+named_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
+ isc_mem_t *mctx, dns_ipkeylist_t *ipkl);
 isc_result_t
 named_config_getport(const cfg_obj_t *config, const char *type,
diff --git a/bin/named/server.c b/bin/named/server.c
index cb78911a8a..e52e60f11f 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -2779,8 +2779,8 @@ configure_catz_zone(dns_view_t *view, dns_view_t *pview,
 obj = cfg_tuple_get(catz_obj, "default-primaries");
 }
 if (obj != NULL && cfg_obj_istuple(obj)) {
- result = named_config_getipandkeylist(
- config, "primaries", obj, view->mctx, &opts->masters);
+ result = named_config_getipandkeylist(config, obj, view->mctx,
+ &opts->masters);
 }
 obj = cfg_tuple_get(catz_obj, "in-memory");
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 0699fdb6b6..2e9b754f2f 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -1273,8 +1273,8 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 dns_ipkeylist_t ipkl;
 dns_ipkeylist_init(&ipkl);
- CHECK(named_config_getipandkeylist(config, "primaries",
- obj, mctx, &ipkl));
+ CHECK(named_config_getipandkeylist(config, obj, mctx,
+ &ipkl));
 dns_zone_setalsonotify(zone, ipkl.addrs, ipkl.sources,
 ipkl.keys, ipkl.tlss, ipkl.count);
@@ -1679,9 +1679,8 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 if (parentals != NULL) {
 dns_ipkeylist_t ipkl;
 dns_ipkeylist_init(&ipkl);
- CHECK(named_config_getipandkeylist(
- config, "parental-agents", parentals, mctx,
- &ipkl));
+ CHECK(named_config_getipandkeylist(config, parentals,
+ mctx, &ipkl));
 dns_zone_setparentals(zone, ipkl.addrs, ipkl.sources,
 ipkl.keys, ipkl.tlss, ipkl.count);
 dns_ipkeylist_clear(mctx, &ipkl);
@@ -1861,8 +1860,8 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 dns_ipkeylist_t ipkl;
 dns_ipkeylist_init(&ipkl);
- CHECK(named_config_getipandkeylist(config, "primaries",
- obj, mctx, &ipkl));
+ CHECK(named_config_getipandkeylist(config, obj, mctx,
+ &ipkl));
 dns_zone_setprimaries(mayberaw, ipkl.addrs, ipkl.sources,
 ipkl.keys, ipkl.tlss, ipkl.count);
diff --git a/bin/tests/system/addzone/ns3/named1.conf.in b/bin/tests/system/addzone/ns3/named1.conf.in
index ba7476be93..e05ce211f2 100644
--- a/bin/tests/system/addzone/ns3/named1.conf.in
+++ b/bin/tests/system/addzone/ns3/named1.conf.in
@@ -34,6 +34,6 @@ zone "." {
 file "redirect.db";
 };
-primaries "test" {
+remote-servers "test" {
 10.53.0.99;
 };
diff --git a/bin/tests/system/checkconf/bad-duplicate-primaries-1.conf b/bin/tests/system/checkconf/bad-duplicate-remote-servers-synonyms.conf
similarity index 92%
rename from bin/tests/system/checkconf/bad-duplicate-primaries-1.conf
rename to bin/tests/system/checkconf/bad-duplicate-remote-servers-synonyms.conf
index 3bbabded18..f2de15ba98 100644
--- a/bin/tests/system/checkconf/bad-duplicate-primaries-1.conf
+++ b/bin/tests/system/checkconf/bad-duplicate-remote-servers-synonyms.conf
@@ -11,5 +11,5 @@
 * information regarding copyright ownership.
 */
-primaries duplicate { 1.2.3.4; };
+remote-servers duplicate { 1.2.3.4; };
 primaries duplicate { 4.3.2.1; };
diff --git a/bin/tests/system/checkconf/bad-duplicate-primaries-2.conf b/bin/tests/system/checkconf/bad-duplicate-remote-servers.conf
similarity index 84%
rename from bin/tests/system/checkconf/bad-duplicate-primaries-2.conf
rename to bin/tests/system/checkconf/bad-duplicate-remote-servers.conf
index 1d1c6f007f..dc35ee96c0 100644
--- a/bin/tests/system/checkconf/bad-duplicate-primaries-2.conf
+++ b/bin/tests/system/checkconf/bad-duplicate-remote-servers.conf
@@ -11,5 +11,5 @@
 * information regarding copyright ownership.
 */
-masters duplicate { 1.2.3.4; };
-primaries duplicate { 4.3.2.1; };
+remote-servers duplicate { 1.2.3.4; };
+remote-servers duplicate { 4.3.2.1; };
diff --git a/bin/tests/system/checkconf/bad-parental-agents-def-view2.conf b/bin/tests/system/checkconf/bad-parental-agents-def-view2.conf
index aa65a4d2aa..c0312a539c 100644
--- a/bin/tests/system/checkconf/bad-parental-agents-def-view2.conf
+++ b/bin/tests/system/checkconf/bad-parental-agents-def-view2.conf
@@ -12,7 +12,7 @@
 */
 view "test" {
- parental-agents "net" {
+ remote-servers "net" {
 192.168.1.2;
 };
 zone "example.net" {
diff --git a/bin/tests/system/checkconf/bad-parental-agents-dupdef.conf b/bin/tests/system/checkconf/bad-parental-agents-dupdef.conf
index 7ca88f73e2..c5e1f1268b 100644
--- a/bin/tests/system/checkconf/bad-parental-agents-dupdef.conf
+++ b/bin/tests/system/checkconf/bad-parental-agents-dupdef.conf
@@ -11,11 +11,11 @@
 * information regarding copyright ownership.
 */
-parental-agents "net" {
+remote-servers "net" {
 192.168.1.1;
 };
-parental-agents "net" {
+remote-servers "net" {
 192.168.1.2;
 };
diff --git a/bin/tests/system/checkconf/bad-parental-agents-empty.conf b/bin/tests/system/checkconf/bad-parental-agents-empty.conf
index f61de06a62..0bd52a9082 100644
--- a/bin/tests/system/checkconf/bad-parental-agents-empty.conf
+++ b/bin/tests/system/checkconf/bad-parental-agents-empty.conf
@@ -11,7 +11,7 @@
 * information regarding copyright ownership.
 */
-parental-agents "net" { };
+remote-servers "net" { };
 zone "example.net" {
 type primary;
diff --git a/bin/tests/system/checkconf/bad-parental-agents-notfound.conf b/bin/tests/system/checkconf/bad-parental-agents-notfound.conf
index 98075c437b..40fd75c2e0 100644
--- a/bin/tests/system/checkconf/bad-parental-agents-notfound.conf
+++ b/bin/tests/system/checkconf/bad-parental-agents-notfound.conf
@@ -11,7 +11,7 @@
 * information regarding copyright ownership.
 */
-parental-agents "com" {
+remote-servers "com" {
 192.168.1.2;
 };
diff --git a/bin/tests/system/checkconf/bad-primaries-notfound.conf b/bin/tests/system/checkconf/bad-primaries-notfound.conf
index 464009824d..543d97c265 100644
--- a/bin/tests/system/checkconf/bad-primaries-notfound.conf
+++ b/bin/tests/system/checkconf/bad-primaries-notfound.conf
@@ -11,7 +11,7 @@
 * information regarding copyright ownership.
 */
-primaries "net" {
+remote-servers "net" {
 192.168.1.2;
 };
diff --git a/bin/tests/system/checkconf/good-multiple-remote-servers-synonyms.conf b/bin/tests/system/checkconf/good-multiple-remote-servers-synonyms.conf
new file mode 100644
index 0000000000..891538c131
--- /dev/null
+++ b/bin/tests/system/checkconf/good-multiple-remote-servers-synonyms.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+remote-servers "one" {
+ 1.2.3.4;
+};
+
+parental-agents "two" {
+ 1.2.3.5;
+};
+
+primaries "three" {
+ 1.2.3.6;
+};
+
+masters "four" {
+ 1.2.3.7;
+};
diff --git a/bin/tests/system/checkconf/good-masters-and-primaries.conf b/bin/tests/system/checkconf/good-multiple-remote-servers.conf
similarity index 87%
rename from bin/tests/system/checkconf/good-masters-and-primaries.conf
rename to bin/tests/system/checkconf/good-multiple-remote-servers.conf
index d84657fce5..f06c2bb2ed 100644
--- a/bin/tests/system/checkconf/good-masters-and-primaries.conf
+++ b/bin/tests/system/checkconf/good-multiple-remote-servers.conf
@@ -11,5 +11,5 @@
 * information regarding copyright ownership.
 */
-masters a { 1.2.3.4; };
-primaries b { 1.2.3.4; };
+remote-servers a { 1.2.3.4; };
+remote-servers b { 1.2.3.4; };
diff --git a/bin/tests/system/checkconf/good.conf.in b/bin/tests/system/checkconf/good.conf.in
index 18b35c9efb..876b086787 100644
--- a/bin/tests/system/checkconf/good.conf.in
+++ b/bin/tests/system/checkconf/good.conf.in
@@ -86,7 +86,7 @@ options {
 transfer-source 0.0.0.0;
 zone-statistics none;
 };
-parental-agents "parents" port 5353 source 10.10.10.10 source-v6 2001:db8::10 {
+remote-servers "parents" port 5353 source 10.10.10.10 source-v6 2001:db8::10 {
 10.10.10.11;
 2001:db8::11;
 };
diff --git a/bin/tests/system/checkconf/inline-bad.conf b/bin/tests/system/checkconf/inline-bad.conf
index 4662e5a900..34852914f4 100644
--- a/bin/tests/system/checkconf/inline-bad.conf
+++ b/bin/tests/system/checkconf/inline-bad.conf
@@ -12,8 +12,8 @@
 */
 acl "transferees" {};
-primaries "stealthPrimaries" {127.0.0.1;};
-primaries "publicSecondaries" {127.0.0.1;};
+remote-servers "stealthPrimaries" {127.0.0.1;};
+remote-servers "publicSecondaries" {127.0.0.1;};
 zone "example.net" {
 type secondary;
 key-directory "/var/lib/bind/example.net";
diff --git a/bin/tests/system/checkconf/inline-good.conf b/bin/tests/system/checkconf/inline-good.conf
index 88c403c2db..c290c93f5a 100644
--- a/bin/tests/system/checkconf/inline-good.conf
+++ b/bin/tests/system/checkconf/inline-good.conf
@@ -12,8 +12,8 @@
 */
 acl "transferees" {};
-primaries "stealthPrimaries" {127.0.0.1;};
-primaries "publicSecondaries" {127.0.0.1;};
+remote-servers "stealthPrimaries" {127.0.0.1;};
+remote-servers "publicSecondaries" {127.0.0.1;};
 zone "example.net" {
 type secondary;
 file "/var/cache/bind/example.net.db";
diff --git a/bin/tests/system/checkconf/inline-no.conf b/bin/tests/system/checkconf/inline-no.conf
index af7c14130f..44635e65c8 100644
--- a/bin/tests/system/checkconf/inline-no.conf
+++ b/bin/tests/system/checkconf/inline-no.conf
@@ -12,8 +12,8 @@
 */
 acl "transferees" {};
-primaries "stealthPrimaries" {127.0.0.1;};
-primaries "publicSecondaries" {127.0.0.1;};
+remote-servers "stealthPrimaries" {127.0.0.1;};
+remote-servers "publicSecondaries" {127.0.0.1;};
 zone "example.net" {
 type secondary;
 key-directory "/var/lib/bind/example.net";
diff --git a/bin/tests/system/checkds/ns9/named.conf.in b/bin/tests/system/checkds/ns9/named.conf.in
index 0f2ec838e9..34d3a49979 100644
--- a/bin/tests/system/checkds/ns9/named.conf.in
+++ b/bin/tests/system/checkds/ns9/named.conf.in
@@ -37,7 +37,7 @@ controls {
 inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
-parental-agents "ns8" port @PORT@ {
+remote-servers "ns8" port @PORT@ {
 10.53.0.8;
 };
diff --git a/bin/tests/system/notify/ns2/named.conf.in b/bin/tests/system/notify/ns2/named.conf.in
index f655551c8c..2c80fc3027 100644
--- a/bin/tests/system/notify/ns2/named.conf.in
+++ b/bin/tests/system/notify/ns2/named.conf.in
@@ -51,10 +51,8 @@ zone "example" {
 also-notify { /* empty */ };
 };
-# use both 'primaries' and 'masters' to test that they
-# can work correctly together.
-primaries noport { 10.53.0.4; };
-masters x21 port @EXTRAPORT1@ { noport; };
+remote-servers noport { 10.53.0.4; };
+remote-servers x21 port @EXTRAPORT1@ { noport; };
 zone x1 {
 type primary;
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
index 56d95f5c1f..7b5194f70d 100644
--- a/bin/tests/system/nsupdate/ns1/named.conf.in +++ b/bin/tests/system/nsupdate/ns1/named.conf.in @@ -94,7 +94,7 @@ zone "other.nil" { allow-transfer { any; }; }; -primaries others { +remote-servers others { 10.53.0.2 port @PORT@; 10.53.0.2 port @PORT@ key altkey; }; diff --git a/bin/tests/system/xfer/ns2/named.conf.in b/bin/tests/system/xfer/ns2/named.conf.in index 761e112893..2835715eea 100644 --- a/bin/tests/system/xfer/ns2/named.conf.in +++ b/bin/tests/system/xfer/ns2/named.conf.in @@ -61,7 +61,7 @@ zone "tsigzone" { allow-transfer { tzkey; }; }; -primaries "ns1" port @PORT@ source 10.53.0.2 { +remote-servers "ns1" port @PORT@ source 10.53.0.2 { 10.53.0.1; }; diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 1679d3388f..66b3ffc30d 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -364,8 +364,8 @@ file documentation: ``portrange`` A list of a :term:`port` or a port range. A port range is specified in the form of ``range`` followed by two :term:`port` s, ``port_low`` and ``port_high``, which represents port numbers from ``port_low`` through ``port_high``, inclusive. ``port_low`` must not be larger than ``port_high``. For example, ``range 1024 65535`` represents ports from 1024 through 65535. The asterisk (``*``) character is not allowed as a valid :term:`port` or as a port range boundary. - ``remote-servers`` - A named list of one or more :term:`ip_address` es with optional :term:`tls_id`, :term:`server_key`, and/or :term:`port`. A ``remote-servers`` list may include other ``remote-servers`` lists. See :any:`primaries` block. + ``server-list`` + A named list of one or more :term:`ip_address` es with optional :term:`tls_id`, :term:`server_key`, and/or :term:`port`. A ``server-list`` list may include other ``server-list`` lists. ``server_key`` A :term:`domain_name` representing the name of a shared key, to be used for 
@@ -413,17 +413,11 @@ The following blocks are supported: :any:`logging` Specifies what information the server logs and where the log messages are sent. - ``masters`` - Synonym for :any:`primaries`. - :namedconf:ref:`options` Controls global server configuration options and sets defaults for other statements. - :any:`parental-agents` - Defines a named list of servers for inclusion in primary and secondary zones' :any:`parental-agents` lists. - - :any:`primaries` - Defines a named list of servers for inclusion in stub and secondary zones' :any:`primaries` or :any:`also-notify` lists. (Note: this is a synonym for the original keyword ``masters``, which can still be used, but is no longer the preferred terminology.) + :namedconf:ref:`remote-servers` + Defines a named list of servers for inclusion in various zone statements such as :any:`parental-agents`, :any:`primaries` or :any:`also-notify` lists. :namedconf:ref:`server` Sets certain configuration options on a per-server basis. 
@@ -1048,34 +1042,20 @@ At ``debug`` level 4 or higher, the detailed context information logged at ``debug`` level 2 is logged for errors other than SERVFAIL and for negative responses such as NXDOMAIN. -:any:`parental-agents` Block Grammar +``remote-servers`` Block Grammar ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.. namedconf:statement:: parental-agents - :tags: zone - :short: Defines a list of delegation agents to be used by primary and secondary zones. +.. namedconf:statement:: remote-servers + :tags: server + :short: Defines a list of servers to be used by primary and secondary zones. -:any:`parental-agents` Block Definition and Usage -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +This specifies a list that allows for a common set of servers to be easily used +by multiple zones. The following options may reference to a list of +remote servers: :any:`parental-agents`, :any:`primaries`, and :any:`also-notify`. -:any:`parental-agents` lists allow for a common set of parental agents to be -easily used by multiple primary and secondary zones. A "parental agent" is a -trusted DNS server that is queried to check whether DS records for a given zones -are up-to-date. +A "parental agent" is a trusted DNS server that is queried to check whether DS +records for a given zones are up-to-date. -:any:`primaries` Block Grammar -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.. namedconf:statement:: primaries - :tags: zone - :short: Defines one or more primary servers for a zone. - -:any:`primaries` Block Definition and Usage -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -:any:`primaries` lists allow for a common set of primary servers to be easily -used by multiple stub and secondary zones in their :any:`primaries` or -:any:`also-notify` lists. (Note: :any:`primaries` is a synonym for the original -keyword ``masters``, which can still be used, but is no longer the -preferred terminology.) +A "primary server" is where a secondary server can request zone transfers from. 
To force the zone transfer requests to be sent over TLS, use :any:`tls` keyword, e.g. ``primaries { 192.0.2.1 tls tls-configuration-name; };``, @@ -3388,6 +3368,19 @@ options apply to zone transfers. per second. The lowest possible rate is one per second; when set to zero, it is silently raised to one. +.. namedconf:statement:: primaries + :tags: transfer, zone + :short: Defines one or more servers that zone transfer can be requested from. + + This specifies a list of one or more IP addresses of primary servers that + the secondary contacts to update its copy of the zone. Primaries list + elements can also be names of :any:`remote-servers` blocks. + + By default, transfers are made from port 53 on the servers; this can be + changed for all servers by specifying a port number before the list of IP + addresses, or on a per-server basis after the IP address. Authentication to + the primary can also be done with per-server TSIG keys. + .. namedconf:statement:: startup-notify-rate :tags: transfer, zone :short: Specifies the rate at which NOTIFY requests are sent when the name server is first starting, or when new zones have been added. 
@@ -6476,6 +6469,18 @@ old DNSSEC key. trust relationship with the parental agent. For example, use TSIG to authenticate the parental agent, or point to a validating resolver. +.. namedconf:statement:: parental-agents + :tags: dnssec + + This specifies a list of one or more IP addresses of parental agents that + are used to query the zone's DS records during a KSK rollover. The list of + parental agents can also contain the names of :any:`remote-servers` blocks. + + By default, DS queries are sent from port 53 on the servers; this can be + changed for all servers by specifying a port number before the list of IP + addresses, or on a per-server basis after the IP address. Authentication to + the primary can also be done with per-server TSIG keys. + The following options apply to DS queries sent to :any:`parental-agents`: .. namedconf:statement:: checkds 
@@ -6662,33 +6667,22 @@ Zone Types :tags: zone :short: Contains a duplicate of the data for a zone that has been transferred from a primary server. - A secondary zone is a replica of a primary zone. Type ``slave`` is a - synonym for :any:`secondary `. The :any:`primaries` list specifies one or more IP - addresses of primary servers that the secondary contacts to update - its copy of the zone. Primaries list elements can - also be names of other primaries lists. By default, - transfers are made from port 53 on the servers; - this can be changed for all servers by specifying - a port number before the list of IP addresses, - or on a per-server basis after the IP address. - Authentication to the primary can also be done with - per-server TSIG keys. If a file is specified, then the - replica is written to this file - whenever the zone - is changed, and reloaded from this file on a server - restart. Use of a file is recommended, since it - often speeds server startup and eliminates a - needless waste of bandwidth. Note that for large - numbers (in the tens or hundreds of thousands) of - zones per server, it is best to use a two-level - naming scheme for zone filenames. For example, - a secondary server for the zone - ``example.com`` might place - the zone contents into a file called - ``ex/example.com``, where - ``ex/`` is just the first two - letters of the zone name. (Most operating systems - behave very slowly if there are 100,000 files in a single directory.) + A secondary zone is a replica of a primary zone. Type ``slave`` is a + synonym for :any:`secondary `. The :any:`primaries` list + specifies one or more IP addresses of primary servers that the secondary + contacts to update its copy of the zone. + + If a file is + specified, then the replica is written to this file whenever the zone + is changed, and reloaded from this file on a server restart. Use of a file + is recommended, since it often speeds server startup and eliminates a + needless waste of bandwidth. 
Note that for large numbers (in the tens or + hundreds of thousands) of zones per server, it is best to use a two-level + naming scheme for zone filenames. For example, a secondary server for the + zone ``example.com`` might place the zone contents into a file called + ``ex/example.com``, where ``ex/`` is just the first two letters of the zone + name. (Most operating systems behave very slowly if there are 100,000 files + in a single directory.) .. namedconf:statement:: type mirror :tags: zone @@ -7056,6 +7050,15 @@ Zone Options :any:`notify-to-soa` See the description of :any:`notify-to-soa` in :ref:`boolean_options`. +:any:`parental-agents` + This option is only meaningful if the zone is DNSSEC signed. When performing + a key rollover, BIND will query the parental agents to see if the new DS is + actually published before withdrawing the old DNSSEC key. + +:any:`primaries` + For secondary zones, these are the name servers to request zone transfers + from. + :any:`zone-statistics` See the description of :any:`zone-statistics` in :namedconf:ref:`options`. diff --git a/doc/dnssec-guide/signing.rst b/doc/dnssec-guide/signing.rst index 9a2501eea3..eee428172f 100644 --- a/doc/dnssec-guide/signing.rst +++ b/doc/dnssec-guide/signing.rst @@ -898,7 +898,7 @@ presence. Let's look at the following configuration excerpt: :: - parental-agents "net" { + remote-servers "net" { 10.53.0.11; 10.53.0.12; }; diff --git a/doc/misc/mirror.zoneopt b/doc/misc/mirror.zoneopt index 72e90083bb..99f1212643 100644 --- a/doc/misc/mirror.zoneopt +++ b/doc/misc/mirror.zoneopt @@ -5,7 +5,7 @@ zone [ ] { allow-query-on { ; ... }; allow-transfer [ port ] [ transport ] { ; ... }; allow-update-forwarding { ; ... }; - also-notify [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; + also-notify [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; check-names ( fail | warn | ignore ); database ; file ; 
@@ -31,7 +31,7 @@ zone [ ] { notify-delay ; notify-source ( | * ); notify-source-v6 ( | * ); - primaries [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; + primaries [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; request-expire ; request-ixfr ; request-ixfr-max-diffs ; diff --git a/doc/misc/options b/doc/misc/options index 4c253ed286..baa4e3696f 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -78,14 +78,14 @@ options { allow-transfer [ port ] [ transport ] { ; ... }; allow-update { ; ... }; allow-update-forwarding { ; ... }; - also-notify [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; + also-notify [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; answer-cookie ; attach-cache ; auth-nxdomain ; automatic-interface-scan ; bindkeys-file ; // test only blackhole { ; ... }; - catalog-zones { zone [ default-primaries [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... } ] [ zone-directory ] [ in-memory ] [ min-update-interval ]; ... }; + catalog-zones { zone [ default-primaries [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... } ] [ zone-directory ] [ in-memory ] [ min-update-interval ]; ... }; check-dup-records ( fail | warn | ignore ); check-integrity ; check-mx ( fail | warn | ignore ); 
@@ -319,11 +319,9 @@ options { zone-statistics ( full | terse | none | ); }; -parental-agents [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; // may occur multiple times - plugin ( query ) [ { } ]; // may occur multiple times -primaries [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; // may occur multiple times +remote-servers [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; // may occur multiple times server { bogus ; @@ -385,10 +383,10 @@ view [ ] { allow-transfer [ port ] [ transport ] { ; ... }; allow-update { ; ... }; allow-update-forwarding { ; ... }; - also-notify [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; + also-notify [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; attach-cache ; auth-nxdomain ; - catalog-zones { zone [ default-primaries [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... } ] [ zone-directory ] [ in-memory ] [ min-update-interval ]; ... }; + catalog-zones { zone [ default-primaries [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... } ] [ zone-directory ] [ in-memory ] [ min-update-interval ]; ... }; check-dup-records ( fail | warn | ignore ); check-integrity ; check-mx ( fail | warn | ignore ); diff --git a/doc/misc/primary.zoneopt b/doc/misc/primary.zoneopt index 9993bfed73..dfa2b79661 100644 --- a/doc/misc/primary.zoneopt +++ b/doc/misc/primary.zoneopt 
@@ -4,7 +4,7 @@ zone [ ] { allow-query-on { ; ... }; allow-transfer [ port ] [ transport ] { ; ... }; allow-update { ; ... }; - also-notify [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; + also-notify [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; check-dup-records ( fail | warn | ignore ); check-integrity ; check-mx ( fail | warn | ignore ); @@ -48,7 +48,7 @@ zone [ ] { notify-source-v6 ( | * ); notify-to-soa ; nsec3-test-zone ; // test only - parental-agents [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; + parental-agents [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; parental-source ( | * ); parental-source-v6 ( | * ); send-report-channel ; diff --git a/doc/misc/redirect.zoneopt b/doc/misc/redirect.zoneopt index 5faa1e6ddd..f457c807c9 100644 --- a/doc/misc/redirect.zoneopt +++ b/doc/misc/redirect.zoneopt @@ -10,6 +10,6 @@ zone [ ] { max-records-per-type ; max-types-per-name ; max-zone-ttl ( unlimited | ); // deprecated - primaries [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; + primaries [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; zone-statistics ( full | terse | none | ); }; diff --git a/doc/misc/secondary.zoneopt b/doc/misc/secondary.zoneopt index 3fef812cb7..e5bbb1816c 100644 --- a/doc/misc/secondary.zoneopt +++ b/doc/misc/secondary.zoneopt 
@@ -5,7 +5,7 @@ zone [ ] { allow-query-on { ; ... }; allow-transfer [ port ] [ transport ] { ; ... }; allow-update-forwarding { ; ... }; - also-notify [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; + also-notify [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; check-names ( fail | warn | ignore ); checkds ( explicit | ); database ; @@ -45,10 +45,10 @@ zone [ ] { notify-source-v6 ( | * ); notify-to-soa ; nsec3-test-zone ; // test only - parental-agents [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; + parental-agents [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; parental-source ( | * ); parental-source-v6 ( | * ); - primaries [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; + primaries [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; request-expire ; request-ixfr ; request-ixfr-max-diffs ; diff --git a/doc/misc/stub.zoneopt b/doc/misc/stub.zoneopt index 04ab240f25..4781f4d720 100644 --- a/doc/misc/stub.zoneopt +++ b/doc/misc/stub.zoneopt @@ -19,7 +19,7 @@ zone [ ] { min-refresh-time ; min-retry-time ; multi-master ; - primaries [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; + primaries [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; transfer-source ( | * ); transfer-source-v6 ( | * ); zone-statistics ( full | terse | none | ); diff --git a/lib/isccfg/check.c b/lib/isccfg/check.c index ee4dfbfb94..78b51c1c5e 100644 --- a/lib/isccfg/check.c +++ b/lib/isccfg/check.c 
@@ -2098,10 +2098,10 @@ check_remoteserverlist(const cfg_obj_t *cctx, const char *list,
 }
 /*
- * Check primaries lists for duplicates.
+ * Check remote-server lists for duplicates.
 */
 static isc_result_t
-check_primarylists(const cfg_obj_t *cctx, isc_mem_t *mctx) {
+check_remoteserverlists(const cfg_obj_t *cctx, isc_mem_t *mctx) {
 isc_result_t result, tresult;
 isc_symtab_t *symtab = NULL;
@@ -2109,6 +2109,15 @@ check_primarylists(const cfg_obj_t *cctx, isc_mem_t *mctx) {
 if (result != ISC_R_SUCCESS) {
 return result;
 }
+ tresult = check_remoteserverlist(cctx, "remote-servers", symtab, mctx);
+ if (tresult != ISC_R_SUCCESS) {
+ result = tresult;
+ }
+ /* parental-agents, primaries, masters are treated as synonyms */
+ tresult = check_remoteserverlist(cctx, "parental-agents", symtab, mctx);
+ if (tresult != ISC_R_SUCCESS) {
+ result = tresult;
+ }
 tresult = check_remoteserverlist(cctx, "primaries", symtab, mctx);
 if (tresult != ISC_R_SUCCESS) {
 result = tresult;
@@ -2121,26 +2130,6 @@ check_primarylists(const cfg_obj_t *cctx, isc_mem_t *mctx) {
 return result;
 }
-/*
- * Check parental-agents lists for duplicates.
- */
-static isc_result_t
-check_parentalagentlists(const cfg_obj_t *cctx, isc_mem_t *mctx) {
- isc_result_t result, tresult;
- isc_symtab_t *symtab = NULL;
- result = isc_symtab_create(mctx, 100, freekey, mctx, false, &symtab);
- if (result != ISC_R_SUCCESS) {
- return result;
- }
- tresult = check_remoteserverlist(cctx, "parental-agents", symtab, mctx);
- if (tresult != ISC_R_SUCCESS) {
- result = tresult;
- }
- isc_symtab_destroy(&symtab);
- return result;
-}
-
 #if HAVE_LIBNGHTTP2
 static isc_result_t
 check_httpserver(const cfg_obj_t *http, isc_symtab_t *symtab) {
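Review bot: The comment `/* parental-agents, primaries, masters are treated as synonyms */` understates what the single `symtab` now enforces: with all four keywords checked into one table, a list name defined under any two of them is rejected, not only one defined twice under the same keyword, which is presumably what lets the lookup code elsewhere search the keywords in any order. I would spell that out, e.g. `/* remote-servers, parental-agents, primaries and masters share one namespace: a list name may be defined under only one of them, since lookups search all four. */`, so that the "primaries" and "masters" checks that follow (the latter outside this hunk) read as deliberate rather than leftovers. The renamed fixture `bad-duplicate-remote-servers-synonyms.conf` in this diff covers exactly the cross-keyword case.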
@@ -2435,24 +2424,28 @@ get_remotes(const cfg_obj_t *cctx, const char *list, const char *name, } static isc_result_t -get_remoteservers_def(const char *list, const char *name, const cfg_obj_t *cctx, +get_remoteservers_def(const char *name, const cfg_obj_t *cctx, const cfg_obj_t **ret) { - isc_result_t result = ISC_R_NOTFOUND; + isc_result_t result; - if (strcmp(list, "primaries") == 0) { - result = get_remotes(cctx, "primaries", name, ret); - if (result != ISC_R_SUCCESS) { - result = get_remotes(cctx, "masters", name, ret); - } - } else if (strcmp(list, "parental-agents") == 0) { - result = get_remotes(cctx, "parental-agents", name, ret); + result = get_remotes(cctx, "remote-servers", name, ret); + if (result == ISC_R_SUCCESS) { + return result; } - return result; + result = get_remotes(cctx, "primaries", name, ret); + if (result == ISC_R_SUCCESS) { + return result; + } + result = get_remotes(cctx, "parental-agents", name, ret); + if (result == ISC_R_SUCCESS) { + return result; + } + return get_remotes(cctx, "masters", name, ret); } static isc_result_t -validate_remotes(const char *list, const cfg_obj_t *obj, - const cfg_obj_t *config, uint32_t *countp, isc_mem_t *mctx) { +validate_remotes(const cfg_obj_t *obj, const cfg_obj_t *config, + uint32_t *countp, isc_mem_t *mctx) { isc_result_t result = ISC_R_SUCCESS; isc_result_t tresult; uint32_t count = 0; @@ -2555,13 +2548,13 @@ resume: if (tresult == ISC_R_EXISTS) { continue; } - tresult = get_remoteservers_def(list, listname, config, &obj); + tresult = get_remoteservers_def(listname, config, &obj); if (tresult != ISC_R_SUCCESS) { if (result == ISC_R_SUCCESS) { result = tresult; } cfg_obj_log(addr, ISC_LOG_ERROR, - "unable to find %s list '%s'", list, + "unable to find remote-servers list '%s'", listname); continue; } 
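Review bot: `get_remoteservers_def` now resolves a name by trying `remote-servers`, then `primaries`, then `parental-agents`, then `masters`, and nothing in the hunk records that this order is a precedence rule rather than an arbitrary one; if the cross-type duplicate check is bypassed or runs after zone validation, the first hit silently decides which server list a zone transfers from or sends CDS/CDNSKEY notifications to. I would add a comment above the first `get_remotes` call, e.g. `/* Lookup order is a precedence rule: it presumably has to match the order the server uses at load time, and only matters when the same name appears under two clause types (which the duplicate check is meant to reject). */`, and a table-driven loop over `static const char *const kinds[] = { "remote-servers", "primaries", "parental-agents", "masters" };` would keep that order in one place. The `unable to find remote-servers list '%s'` message in the second hunk is now what an operator whose config only uses `primaries` will see, so `unable to find remote-servers/primaries list '%s'` would avoid confusion. The bodies of `validate_remotes` and the `resume:` loop continue outside the hunk.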
@@ -3444,8 +3437,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, } if (tresult == ISC_R_SUCCESS && donotify) { uint32_t count; - tresult = validate_remotes("primaries", obj, config, - &count, mctx); + tresult = validate_remotes(obj, config, &count, mctx); if (tresult != ISC_R_SUCCESS && result == ISC_R_SUCCESS) { result = tresult; @@ -3487,8 +3479,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, result = ISC_R_FAILURE; } else { uint32_t count; - tresult = validate_remotes("primaries", obj, config, - &count, mctx); + tresult = validate_remotes(obj, config, &count, mctx); if (tresult != ISC_R_SUCCESS && result == ISC_R_SUCCESS) { result = tresult; @@ -3512,8 +3503,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, (void)cfg_map_get(zoptions, "parental-agents", &obj); if (obj != NULL) { uint32_t count; - tresult = validate_remotes("parental-agents", obj, - config, &count, mctx); + tresult = validate_remotes(obj, config, &count, mctx); if (tresult != ISC_R_SUCCESS && result == ISC_R_SUCCESS) { result = tresult; @@ -5911,11 +5901,7 @@ isccfg_check_namedconf(const cfg_obj_t *config, unsigned int flags, result = ISC_R_FAILURE; } - if (check_primarylists(config, mctx) != ISC_R_SUCCESS) { - result = ISC_R_FAILURE; - } - - if (check_parentalagentlists(config, mctx) != ISC_R_SUCCESS) { + if (check_remoteserverlists(config, mctx) != ISC_R_SUCCESS) { result = ISC_R_FAILURE; } diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 24dd3596ee..e6bef96e3c 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c 
@@ -234,9 +234,9 @@ static cfg_tuplefielddef_t remotes_fields[] = { { NULL, NULL, 0 } }; -static cfg_type_t cfg_type_remoteservers = { "remote-servers", cfg_parse_tuple, - cfg_print_tuple, cfg_doc_tuple, - &cfg_rep_tuple, remotes_fields }; +static cfg_type_t cfg_type_serverlist = { "server-list", cfg_parse_tuple, + cfg_print_tuple, cfg_doc_tuple, + &cfg_rep_tuple, remotes_fields }; /*% * "sockaddrkeylist", a list of socket addresses with optional keys @@ -1140,11 +1140,14 @@ static cfg_clausedef_t namedconf_clauses[] = { { "key-store", &cfg_type_keystore, CFG_CLAUSEFLAG_MULTI }, { "logging", &cfg_type_logging, 0 }, { "lwres", NULL, CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_ANCIENT }, - { "masters", &cfg_type_remoteservers, + { "masters", &cfg_type_serverlist, CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_NODOC }, { "options", &cfg_type_options, 0 }, - { "parental-agents", &cfg_type_remoteservers, CFG_CLAUSEFLAG_MULTI }, - { "primaries", &cfg_type_remoteservers, CFG_CLAUSEFLAG_MULTI }, + { "parental-agents", &cfg_type_serverlist, + CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_NODOC }, + { "primaries", &cfg_type_serverlist, + CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_NODOC }, + { "remote-servers", &cfg_type_serverlist, CFG_CLAUSEFLAG_MULTI }, #if defined(HAVE_LIBXML2) || defined(HAVE_JSON_C) { "statistics-channels", &cfg_type_statschannels, CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_OPTIONAL }, @@ -3740,7 +3743,7 @@ static void doc_remoteselement(cfg_printer_t *pctx, const cfg_type_t *type) { UNUSED(type); cfg_print_cstr(pctx, "( "); - cfg_print_cstr(pctx, ""); + cfg_print_cstr(pctx, ""); cfg_print_cstr(pctx, " | "); cfg_print_cstr(pctx, ""); cfg_print_cstr(pctx, " ");
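Review bot: The clause table now hides `primaries` and `parental-agents` from the generated grammar with `CFG_CLAUSEFLAG_NODOC` while still accepting them, the same treatment `masters` already had, but unlike `lwres` (flagged `CFG_CLAUSEFLAG_ANCIENT` in the same table) nothing tells an operator running the config checker that these spellings are being retired. If the intent is to phase them out in favour of `remote-servers`, whatever flag this file uses for a deprecated clause (only `ANCIENT` and `NODOC` are visible here) should be set on both entries so a warning is logged at load time instead of the option simply disappearing from the docs; if they are meant to stay as permanent synonyms, they should remain documented with a pointer to `remote-servers`. Either way a one-line comment beside the two entries, e.g. `/* Accepted as synonyms of remote-servers; kept out of the generated docs on purpose. */`, would record the decision. The `cfg_type_serverlist` rename in the first hunk also changes the type's name string to `"server-list"`, which surfaces in generated grammar output, so the .zoneopt files touched elsewhere in this commit should be regenerated from it rather than hand-edited.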