diff --git a/CHANGES b/CHANGES index 1aec100132..1d90e05b30 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,10 @@ +3949. [experimental] Experimental support for draft-andrews-edns1 by sending + EDNS(1) queries (define DRAFT_ANDREWS_EDNS1 when + building). Add support for limiting the EDNS version + advertised to servers: server { edns-version 0; }; + Log the EDNS version received in the query log. + [RT #35864] + 3948. [port] solaris: RCVBUFSIZE was too large on Solaris with --with-tuning=large. [RT #37059] diff --git a/bin/named/client.c b/bin/named/client.c index 515ae579e7..bd48f0ab0e 100644 --- a/bin/named/client.c +++ b/bin/named/client.c @@ -41,6 +41,7 @@ #include #include #include +#include #include #include #include @@ -1885,7 +1886,7 @@ process_opt(ns_client_t *client, dns_rdataset_t *opt) { * XXXRTH need library support for this! */ client->ednsversion = (opt->ttl & 0x00FF0000) >> 16; - if (client->ednsversion > 0) { + if (client->ednsversion > DNS_EDNS_VERSION) { isc_stats_increment(ns_g_server->nsstats, dns_nsstatscounter_badednsver); result = ns_client_addopt(client, client->message, diff --git a/bin/named/query.c b/bin/named/query.c index 933d43afc4..e820b993f2 100644 --- a/bin/named/query.c +++ b/bin/named/query.c @@ -8265,6 +8265,7 @@ log_query(ns_client_t *client, unsigned int flags, unsigned int extflags) { char typename[DNS_RDATATYPE_FORMATSIZE]; char classname[DNS_RDATACLASS_FORMATSIZE]; char onbuf[ISC_NETADDR_FORMATSIZE]; + char ednsbuf[sizeof("E(255)")] = { 0 }; dns_rdataset_t *rdataset; int level = ISC_LOG_INFO; 
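Review bot: The rejection threshold in process_opt now follows DNS_EDNS_VERSION, but the BADVERS reply is still assembled by ns_client_addopt, whose body is outside this hunk; if that function advertises the supported version with a literal 0 rather than DNS_EDNS_VERSION, an EDNS(1) build would reject version 2 queries while telling the client it only speaks version 0. Worth confirming the two agree, since RFC 6891 expects a BADVERS response to carry the highest version the responder supports. The enclosing function continues outside the hunk.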
@@ -8278,11 +8279,14 @@ log_query(ns_client_t *client, unsigned int flags, unsigned int extflags) { dns_rdatatype_format(rdataset->type, typename, sizeof(typename)); isc_netaddr_format(&client->destaddr, onbuf, sizeof(onbuf)); + if (client->ednsversion >= 0) + snprintf(ednsbuf, sizeof(ednsbuf), "E(%d)", + client->ednsversion); + ns_client_log(client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY, level, "query: %s %s %s %s%s%s%s%s%s (%s)", namebuf, classname, typename, WANTRECURSION(client) ? "+" : "-", - (client->signer != NULL) ? "S" : "", - (client->ednsversion >= 0) ? "E" : "", + (client->signer != NULL) ? "S" : "", ednsbuf, ((client->attributes & NS_CLIENTATTR_TCP) != 0) ? "T" : "", ((extflags & DNS_MESSAGEEXTFLAG_DO) != 0) ? "D" : "", diff --git a/bin/named/server.c b/bin/named/server.c index bede9162f0..443a050e1e 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -1225,6 +1225,15 @@ configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) { CHECK(dns_peer_setudpsize(peer, (isc_uint16_t)udpsize)); } + obj = NULL; + (void)cfg_map_get(cpeer, "edns-version", &obj); + if (obj != NULL) { + isc_uint32_t ednsversion = cfg_obj_asuint32(obj); + if (ednsversion > 255) + ednsversion = 255; + CHECK(dns_peer_setednsversion(peer, (isc_uint8_t)ednsversion)); + } + obj = NULL; (void)cfg_map_get(cpeer, "max-udp-size", &obj); if (obj != NULL) { diff --git a/bin/tests/system/Makefile.in b/bin/tests/system/Makefile.in index 53c6f6cd9b..a4ce2fd1e9 100644 --- a/bin/tests/system/Makefile.in +++ b/bin/tests/system/Makefile.in @@ -21,7 +21,8 @@ top_srcdir = @top_srcdir@ @BIND9_MAKE_INCLUDES@ -SUBDIRS = builtin dlzexternal filter-aaaa geoip lwresd rpz rsabigexponent tkey tsiggss +SUBDIRS = builtin dlzexternal filter-aaaa geoip lwresd resolver rpz \ + rsabigexponent tkey tsiggss TARGETS = @BIND9_MAKE_RULES@ diff --git a/bin/tests/system/resolver/.gitignore b/bin/tests/system/resolver/.gitignore new file mode 100644 index 0000000000..d2be402ef5 --- /dev/null 
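Review bot: The query-log token changes from a bare `E` to `E(<version>)` for every EDNS query, which is a format change for anything that parses named's query log (log shippers, rate or abuse detection rules keyed on the flag field); the CHANGES entry mentions it, but the ARM hunk in this diff only covers the new server clause, not the query log format. Consider documenting the new token wherever the `+`/`-`, `S`, `T` and `D` flags are described, and stating the format change explicitly in CHANGES so operators know to update their parsers. The braceless `if` around the new `snprintf` matches the rest of log_query, which continues outside the hunk.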
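Review bot: The clamp to 255 in configure_peer accepts any value silently, but a configured `edns-version` above the build's DNS_EDNS_VERSION is equally silent and has no effect, because the resolver.c hunk in this diff only ever lowers the version; an operator writing `edns-version 1` on a default EDNS(0) build gets no feedback. A single `cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING, ...)` when `ednsversion > DNS_EDNS_VERSION` would make that visible (the same check belongs in the configuration checker if it validates server clauses). configure_peer continues outside the hunk.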
+++ b/bin/tests/system/resolver/.gitignore @@ -0,0 +1 @@ +edns-version diff --git a/bin/tests/system/resolver/Makefile.in b/bin/tests/system/resolver/Makefile.in new file mode 100644 index 0000000000..c83612dfab --- /dev/null +++ b/bin/tests/system/resolver/Makefile.in @@ -0,0 +1,52 @@ +# Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +srcdir = @srcdir@ +VPATH = @srcdir@ +top_srcdir = @top_srcdir@ + +@BIND9_VERSION@ + +@BIND9_MAKE_INCLUDES@ + +CINCLUDES = ${ISC_INCLUDES} ${DNS_INCLUDES} + +CDEFINES = +CWARNINGS = + +DNSLIBS = +ISCLIBS = + +DNSDEPLIBS = +ISCDEPLIBS = + +DEPLIBS = + +LIBS = @LIBS@ + +TARGETS = edns-version@EXEEXT@ + +EDNSVERSIONOBJS = edns-version.@O@ + +SRCS = edns-version.c + +@BIND9_MAKE_RULES@ + +all: edns-version@EXEEXT@ + +edns-version@EXEEXT@: ${EDNSVERSIONOBJS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${EDNSVERSIONOBJS} ${LIBS} + +clean distclean:: + rm -f ${TARGETS} diff --git a/bin/tests/system/resolver/edns-version.c b/bin/tests/system/resolver/edns-version.c new file mode 100644 index 0000000000..a241c8ec48 --- /dev/null +++ b/bin/tests/system/resolver/edns-version.c 
@@ -0,0 +1,13 @@ +#include +#include + +#include +#include + +int +main(int argc, char **argv) { + UNUSED(argc); + UNUSED(argv); + printf("%d\n", DNS_EDNS_VERSION); + return (0); +} diff --git a/bin/tests/system/resolver/ns4/tld1.db b/bin/tests/system/resolver/ns4/tld1.db index 7d017c4db4..5f034f597a 100644 --- a/bin/tests/system/resolver/ns4/tld1.db +++ b/bin/tests/system/resolver/ns4/tld1.db @@ -28,3 +28,8 @@ $TTL 5 to-be-removed NS ns.to-be-removed ns.to-be-removed A 10.53.0.6 fetch 10 TXT A short ttl +no-edns-version.tld. NS ns.no-edns-version.tld. +ns.no-edns-version.tld. A 10.53.0.6 +edns-version.tld. NS ns.edns-version.tld. +ns.edns-version.tld. A 10.53.0.7 + diff --git a/bin/tests/system/resolver/ns4/tld2.db b/bin/tests/system/resolver/ns4/tld2.db index 5231dbd7ea..338f61fbb7 100644 --- a/bin/tests/system/resolver/ns4/tld2.db +++ b/bin/tests/system/resolver/ns4/tld2.db @@ -28,3 +28,7 @@ fetch 10 TXT A short ttl fetchall 10 TXT A short ttl fetchall 10 A 1.2.3.4 fetchall 10 AAAA ::1 +no-edns-version.tld. NS ns.no-edns-version.tld. +ns.no-edns-version.tld. A 10.53.0.6 +edns-version.tld. NS ns.edns-version.tld. +ns.edns-version.tld. A 10.53.0.7 diff --git a/bin/tests/system/resolver/ns5/named.conf b/bin/tests/system/resolver/ns5/named.conf index 120d0fa481..05833a6d92 100644 --- a/bin/tests/system/resolver/ns5/named.conf +++ b/bin/tests/system/resolver/ns5/named.conf @@ -32,6 +32,10 @@ options { querylog yes; }; +server 10.53.0.7 { + edns-version 0; +}; + zone "." { type hint; file "root.hint"; diff --git a/bin/tests/system/resolver/ns6/named.conf b/bin/tests/system/resolver/ns6/named.conf index 728b56ecab..fad5353d2c 100644 --- a/bin/tests/system/resolver/ns6/named.conf +++ b/bin/tests/system/resolver/ns6/named.conf @@ -30,6 +30,7 @@ options { listen-on-v6 { none; }; recursion no; // minimal-responses yes; + querylog yes; }; zone "." { 
@@ -54,3 +55,8 @@ zone "broken" { file "broken.db"; allow-update { any; }; }; + +zone "no-edns-version.tld" { + type master; + file "no-edns-version.tld.db"; +}; diff --git a/bin/tests/system/resolver/ns6/no-edns-version.tld.db b/bin/tests/system/resolver/ns6/no-edns-version.tld.db new file mode 100644 index 0000000000..56d3cb1ed6 --- /dev/null +++ b/bin/tests/system/resolver/ns6/no-edns-version.tld.db @@ -0,0 +1,17 @@ +; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +@ SOA . . 0 0 0 0 0 +@ NS ns +ns A 10.53.0.6 diff --git a/bin/tests/system/resolver/ns6/root.db b/bin/tests/system/resolver/ns6/root.db index d8ea5d3e72..6461f906dd 100644 --- a/bin/tests/system/resolver/ns6/root.db +++ b/bin/tests/system/resolver/ns6/root.db @@ -27,3 +27,12 @@ a.root-servers.nil. A 10.53.0.6 moves. NS ns.server. server. NS ns7.server. ns7.server. A 10.53.0.7 +; +; These two delegations are strictly not necessary as the test resolver (ns5) +; doesn't have this zone as its root. They are just done for consistancy with +; the delegations in ns4/tld. +; +no-edns-version.tld. NS ns.no-edns-version.tld. +ns.no-edns-version.tld. A 10.53.0.6 +edns-version.tld. NS ns.edns-version.tld. +ns.edns-version.tld. A 10.53.0.7 
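Review bot: Typo in the new comment block in ns6/root.db: `consistancy` should read `consistency`. The same comment refers to `ns4/tld`, while the delegations it mirrors live in ns4/tld1.db and ns4/tld2.db, which this diff also touches; naming the actual files would save the next reader a search.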
diff --git a/bin/tests/system/resolver/ns7/edns-version.tld.db b/bin/tests/system/resolver/ns7/edns-version.tld.db new file mode 100644 index 0000000000..b231cb6634 --- /dev/null +++ b/bin/tests/system/resolver/ns7/edns-version.tld.db @@ -0,0 +1,17 @@ +; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +@ SOA . . 0 0 0 0 0 +@ NS ns +ns A 10.53.0.7 diff --git a/bin/tests/system/resolver/ns7/named1.conf b/bin/tests/system/resolver/ns7/named1.conf index bf522e4110..5572cf8646 100644 --- a/bin/tests/system/resolver/ns7/named1.conf +++ b/bin/tests/system/resolver/ns7/named1.conf @@ -30,6 +30,7 @@ options { empty-zones-enable yes; disable-empty-zone 20.172.in-addr.arpa; prefetch 0; + querylog yes; }; key rndc_key { @@ -51,3 +52,8 @@ zone "server" { file "server.db"; allow-update { any; }; }; + +zone "edns-version.tld" { + type master; + file "edns-version.tld.db"; +}; diff --git a/bin/tests/system/resolver/ns7/named2.conf b/bin/tests/system/resolver/ns7/named2.conf index b8daee05bf..daebe3d0e3 100644 --- a/bin/tests/system/resolver/ns7/named2.conf +++ b/bin/tests/system/resolver/ns7/named2.conf @@ -30,6 +30,7 @@ options { empty-zones-enable yes; disable-empty-zone 20.172.in-addr.arpa; prefetch 0; + querylog yes; }; key rndc_key { 
@@ -51,3 +52,8 @@ zone "server" { file "server.db"; allow-update { any; }; }; + +zone "edns-version.tld" { + type master; + file "edns-version.tld.db"; +}; diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh index b80f19c23d..8bde7df345 100755 --- a/bin/tests/system/resolver/tests.sh +++ b/bin/tests/system/resolver/tests.sh @@ -476,6 +476,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` n=`expr $n + 1` + echo "I:check that E was logged on EDNS queries in the query log (${n})" ret=0 $DIG @10.53.0.5 -p 5300 +edns edns.fetchall.tld any > dig.out.2.${n} || ret=1 @@ -500,5 +501,31 @@ grep ';1\.0\.0\.127\.in-addr\.arpa\..*IN.*PTR$' dig.out.3.${n} > /dev/null || re if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +edns=`./edns-version` + +n=`expr $n + 1` +echo "I:check that EDNS version is logged (${n})" +ret=0 +$DIG @10.53.0.5 -p 5300 +edns edns0.fetchall.tld any > dig.out.2.${n} || ret=1 +grep "query: edns0.fetchall.tld IN ANY +E(0)" ns5/named.run > /dev/null || ret=1 +if test ${edns:-0} != 0; then + $DIG @10.53.0.5 -p 5300 +edns=1 edns1.fetchall.tld any > dig.out.2.${n} || ret=1 + grep "query: edns1.fetchall.tld IN ANY +E(1)" ns5/named.run > /dev/null || ret=1 +fi +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +if test ${edns:-0} != 0; then + n=`expr $n + 1` + echo "I:check that edns-version is honoured (${n})" + ret=0 + $DIG @10.53.0.5 -p 5300 +edns no-edns-version.tld > dig.out.1.${n} || ret=1 + grep "query: no-edns-version.tld IN A -E(1)" ns6/named.run > /dev/null || ret=1 + $DIG @10.53.0.5 -p 5300 +edns edns-version.tld > dig.out.2.${n} || ret=1 + grep "query: edns-version.tld IN A -E(0)" ns7/named.run > /dev/null || ret=1 + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +fi + echo "I:exit status: $status" exit $status diff --git a/configure b/configure index 0767035bde..d6c970526f 100755 --- a/configure +++ b/configure 
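Review bot: The EDNS(1) checks in tests.sh are skipped silently when `./edns-version` is missing or fails, because `edns=`./edns-version`` then leaves `edns` empty and `${edns:-0}` reads as 0, so a stale or unconfigured bin/tests/system/resolver/Makefile makes the honour-check pass vacuously. An `else` branch on the first `test ${edns:-0} != 0` with `echo "I:edns-version helper unavailable, skipping EDNS(1) checks"` would make the skip visible in the log. Also, both digs in the "EDNS version is logged" step write to the same `dig.out.2.${n}`, so the EDNS(0) output is overwritten before a failure can be inspected; `dig.out.1.${n}` for the first dig would match the naming used in the following step.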
@@ -21688,7 +21688,7 @@ ac_config_commands="$ac_config_commands chmod" # elsewhere if there's a good reason for doing so. # -ac_config_files="$ac_config_files make/Makefile make/mkdep Makefile bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile bin/delv/Makefile bin/dig/Makefile bin/dnssec/Makefile bin/named/Makefile bin/named/unix/Makefile bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile bin/python/dnssec-checkds.py bin/python/dnssec-coverage.py bin/rndc/Makefile bin/tests/Makefile bin/tests/atomic/Makefile bin/tests/db/Makefile bin/tests/dst/Makefile bin/tests/dst/Kdh.+002+18602.key bin/tests/dst/Kdh.+002+18602.private bin/tests/dst/Kdh.+002+48957.key bin/tests/dst/Kdh.+002+48957.private bin/tests/dst/Ktest.+001+00002.key bin/tests/dst/Ktest.+001+54622.key bin/tests/dst/Ktest.+001+54622.private bin/tests/dst/Ktest.+003+23616.key bin/tests/dst/Ktest.+003+23616.private bin/tests/dst/Ktest.+003+49667.key bin/tests/dst/dst_2_data bin/tests/dst/t2_data_1 bin/tests/dst/t2_data_2 bin/tests/dst/t2_dsasig bin/tests/dst/t2_rsasig bin/tests/hashes/Makefile bin/tests/headerdep_test.sh bin/tests/master/Makefile bin/tests/mem/Makefile bin/tests/names/Makefile bin/tests/net/Makefile bin/tests/pkcs11/Makefile bin/tests/pkcs11/benchmarks/Makefile bin/tests/rbt/Makefile bin/tests/resolver/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/conf.sh bin/tests/system/builtin/Makefile bin/tests/system/dlz/prereq.sh bin/tests/system/dlzexternal/Makefile bin/tests/system/dlzexternal/ns1/named.conf bin/tests/system/filter-aaaa/Makefile bin/tests/system/geoip/Makefile bin/tests/system/inline/checkdsa.sh bin/tests/system/lwresd/Makefile bin/tests/system/sit/prereq.sh bin/tests/system/rpz/Makefile bin/tests/system/rsabigexponent/Makefile bin/tests/system/tkey/Makefile bin/tests/system/tsiggss/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile bin/tests/virtual-time/Makefile bin/tests/virtual-time/conf.sh 
bin/tools/Makefile contrib/scripts/check-secure-delegation.pl contrib/scripts/zone-edit.sh doc/Makefile doc/arm/Makefile doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter doc/misc/Makefile doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-docbook-latex.xsl doc/xsl/isc-manpage.xsl isc-config.sh lib/Makefile lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile lib/irs/include/irs/netdb.h lib/irs/include/irs/platform.h lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/include/pk11/Makefile lib/isc/include/pkcs11/Makefile lib/isc/tests/Makefile lib/isc/nls/Makefile lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/unix/include/pkcs11/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/tests/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile lib/samples/Makefile lib/samples/Makefile-postinstall unit/Makefile unit/unittest.sh" +ac_config_files="$ac_config_files make/Makefile make/mkdep Makefile bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile 
bin/delv/Makefile bin/dig/Makefile bin/dnssec/Makefile bin/named/Makefile bin/named/unix/Makefile bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile bin/python/dnssec-checkds.py bin/python/dnssec-coverage.py bin/rndc/Makefile bin/tests/Makefile bin/tests/atomic/Makefile bin/tests/db/Makefile bin/tests/dst/Makefile bin/tests/dst/Kdh.+002+18602.key bin/tests/dst/Kdh.+002+18602.private bin/tests/dst/Kdh.+002+48957.key bin/tests/dst/Kdh.+002+48957.private bin/tests/dst/Ktest.+001+00002.key bin/tests/dst/Ktest.+001+54622.key bin/tests/dst/Ktest.+001+54622.private bin/tests/dst/Ktest.+003+23616.key bin/tests/dst/Ktest.+003+23616.private bin/tests/dst/Ktest.+003+49667.key bin/tests/dst/dst_2_data bin/tests/dst/t2_data_1 bin/tests/dst/t2_data_2 bin/tests/dst/t2_dsasig bin/tests/dst/t2_rsasig bin/tests/hashes/Makefile bin/tests/headerdep_test.sh bin/tests/master/Makefile bin/tests/mem/Makefile bin/tests/names/Makefile bin/tests/net/Makefile bin/tests/pkcs11/Makefile bin/tests/pkcs11/benchmarks/Makefile bin/tests/rbt/Makefile bin/tests/resolver/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/builtin/Makefile bin/tests/system/conf.sh bin/tests/system/dlz/prereq.sh bin/tests/system/dlzexternal/Makefile bin/tests/system/dlzexternal/ns1/named.conf bin/tests/system/filter-aaaa/Makefile bin/tests/system/geoip/Makefile bin/tests/system/inline/checkdsa.sh bin/tests/system/lwresd/Makefile bin/tests/system/resolver/Makefile bin/tests/system/rpz/Makefile bin/tests/system/rsabigexponent/Makefile bin/tests/system/sit/prereq.sh bin/tests/system/tkey/Makefile bin/tests/system/tsiggss/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile bin/tests/virtual-time/Makefile bin/tests/virtual-time/conf.sh bin/tools/Makefile contrib/scripts/check-secure-delegation.pl contrib/scripts/zone-edit.sh doc/Makefile doc/arm/Makefile doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter doc/misc/Makefile doc/xsl/Makefile 
doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-docbook-latex.xsl doc/xsl/isc-manpage.xsl isc-config.sh lib/Makefile lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile lib/irs/include/irs/netdb.h lib/irs/include/irs/platform.h lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/include/pk11/Makefile lib/isc/include/pkcs11/Makefile lib/isc/tests/Makefile lib/isc/nls/Makefile lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/unix/include/pkcs11/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/tests/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile lib/samples/Makefile lib/samples/Makefile-postinstall unit/Makefile unit/unittest.sh" # 
@@ -22740,9 +22740,10 @@ do "bin/tests/system/geoip/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/geoip/Makefile" ;; "bin/tests/system/inline/checkdsa.sh") CONFIG_FILES="$CONFIG_FILES bin/tests/system/inline/checkdsa.sh" ;; "bin/tests/system/lwresd/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/lwresd/Makefile" ;; - "bin/tests/system/sit/prereq.sh") CONFIG_FILES="$CONFIG_FILES bin/tests/system/sit/prereq.sh" ;; + "bin/tests/system/resolver/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/resolver/Makefile" ;; "bin/tests/system/rpz/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/rpz/Makefile" ;; "bin/tests/system/rsabigexponent/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/rsabigexponent/Makefile" ;; + "bin/tests/system/sit/prereq.sh") CONFIG_FILES="$CONFIG_FILES bin/tests/system/sit/prereq.sh" ;; "bin/tests/system/tkey/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/tkey/Makefile" ;; "bin/tests/system/tsiggss/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/tsiggss/Makefile" ;; "bin/tests/tasks/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/tasks/Makefile" ;; diff --git a/configure.in b/configure.in index f40f98a585..4334143c6d 100644 --- a/configure.in +++ b/configure.in @@ -4503,8 +4503,8 @@ AC_CONFIG_FILES([ bin/tests/resolver/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile - bin/tests/system/conf.sh bin/tests/system/builtin/Makefile + bin/tests/system/conf.sh bin/tests/system/dlz/prereq.sh bin/tests/system/dlzexternal/Makefile bin/tests/system/dlzexternal/ns1/named.conf @@ -4512,9 +4512,10 @@ AC_CONFIG_FILES([ bin/tests/system/geoip/Makefile bin/tests/system/inline/checkdsa.sh bin/tests/system/lwresd/Makefile - bin/tests/system/sit/prereq.sh + bin/tests/system/resolver/Makefile bin/tests/system/rpz/Makefile bin/tests/system/rsabigexponent/Makefile + bin/tests/system/sit/prereq.sh bin/tests/system/tkey/Makefile bin/tests/system/tsiggss/Makefile bin/tests/tasks/Makefile 
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index f8bc668b98..1feaa130b5 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -10433,6 +10433,7 @@ rate-limit { request-sit yes_or_no ; edns yes_or_no ; edns-udp-size number ; + edns-version number ; nosit-udp-size number ; max-udp-size number ; transfers number ; 
@@ -10553,23 +10554,40 @@ rate-limit { - The edns-udp-size option sets the EDNS UDP size - that is advertised by named when querying the remote server. - Valid values are 512 to 4096 bytes (values outside this range will be - silently adjusted to the nearest value within it). This option is - useful when you wish to - advertises a different value to this server than the value you - advertise globally, for example, when there is a firewall at the - remote site that is blocking large replies. + The edns-udp-size option sets the + EDNS UDP size that is advertised by named + when querying the remote server. Valid values are 512 + to 4096 bytes (values outside this range will be silently + adjusted to the nearest value within it). This option + is useful when you wish to advertise a different value + to this server than the value you advertise globally, + for example, when there is a firewall at the remote + site that is blocking large replies. + + + + The edns-version option sets the + maximum EDNS VERSION that will be sent to the server(s) + by the resolver. The actual EDNS version sent is still + subject to normal EDNS version negotiation rules (see + RFC 6891), the maximum EDNS version supported by the + server, and any other heuristics that indicate that a + lower version should be sent. This option is intended + to be used when a remote server reacts badly to a given + EDNS version or higher; it should be set to the highest + version the remote server is known to support. Valid + values are 0 to 255; higher values will be silently + adjusted. This option will not be needed until higher + EDNS versions than 0 are in use. The max-udp-size option sets the - maximum EDNS UDP message size named will send. Valid - values are 512 to 4096 bytes (values outside this range will - be silently adjusted). This option is useful when you - know that there is a firewall that is blocking large - replies from named. + maximum EDNS UDP message size named + will send. 
Valid values are 512 to 4096 bytes (values + outside this range will be silently adjusted). This + option is useful when you know that there is a firewall + that is blocking large replies from named. diff --git a/lib/dns/include/dns/Makefile.in b/lib/dns/include/dns/Makefile.in index 667db7140c..0825ee10f5 100644 --- a/lib/dns/include/dns/Makefile.in +++ b/lib/dns/include/dns/Makefile.in @@ -25,7 +25,7 @@ HEADERS = acache.h acl.h adb.h bit.h byaddr.h cache.h callbacks.h cert.h \ client.h clientinfo.h compress.h \ db.h dbiterator.h dbtable.h diff.h dispatch.h \ dlz.h dlz_dlopen.h dns64.h dnssec.h ds.h dsdigest.h \ - ecdb.h events.h fixedname.h forward.h geoip.h iptable.h \ + edns.h ecdb.h events.h fixedname.h forward.h geoip.h iptable.h \ journal.h keydata.h keyflags.h keytable.h keyvalues.h \ lib.h lookup.h log.h master.h masterdump.h message.h \ name.h ncache.h nsec.h nsec3.h opcode.h order.h \ diff --git a/lib/dns/include/dns/edns.h b/lib/dns/include/dns/edns.h new file mode 100644 index 0000000000..f02402fcb4 --- /dev/null +++ b/lib/dns/include/dns/edns.h 
@@ -0,0 +1,32 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef DNS_EDNS_H +#define DNS_EDNS_H 1 + +/*% + * The maximum version on EDNS supported by this build. + */ +#define DNS_EDNS_VERSION 0 +#ifdef DRAFT_ANDREWS_EDNS1 +#undef DNS_EDNS_VERSION +/* + * Warning: this currently disables sending SIT requests in resolver.c + */ +#define DNS_EDNS_VERSION 1 /* draft-andrews-edns1 */ +#endif + +#endif diff --git a/lib/dns/include/dns/peer.h b/lib/dns/include/dns/peer.h index 52ea86ef43..007a998454 100644 --- a/lib/dns/include/dns/peer.h +++ b/lib/dns/include/dns/peer.h @@ -85,6 +85,7 @@ struct dns_peer { isc_dscp_t query_dscp; isc_uint16_t udpsize; /* receive size */ isc_uint16_t maxudp; /* transmit size */ + isc_uint8_t ednsversion; /* edns version */ isc_uint32_t bitflags; @@ -248,6 +249,12 @@ dns_peer_setquerydscp(dns_peer_t *peer, isc_dscp_t dscp); isc_result_t dns_peer_getquerydscp(dns_peer_t *peer, isc_dscp_t *dscpp); + +isc_result_t +dns_peer_setednsversion(dns_peer_t *peer, isc_uint8_t ednsversion); + +isc_result_t +dns_peer_getednsversion(dns_peer_t *peer, isc_uint8_t *ednsversion); ISC_LANG_ENDDECLS #endif /* DNS_PEER_H */ diff --git a/lib/dns/peer.c b/lib/dns/peer.c index 4f55f0cdbd..6e05de80df 100644 
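Review bot: The comment above the EDNS(1) define in edns.h says this "disables sending SIT requests in resolver.c", but the resolver.c hunks in this diff only suppress SIT for servers negotiated down to version 0 (`if (version < 1) reqsit = ISC_FALSE;`) and compile out the BADVERS SIT handling; the comment should say so, e.g. `/* Warning: with EDNS(1) enabled, SIT options are only sent to servers that accept version 1. */`. `The maximum version on EDNS` reads better as `of EDNS`. The define/undef/redefine sequence could be a plain `#ifdef DRAFT_ANDREWS_EDNS1` / `#define DNS_EDNS_VERSION 1` / `#else` / `#define DNS_EDNS_VERSION 0` / `#endif`, which also removes the need for the `#undef`.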
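Review bot: dns_peer_getednsversion's out-parameter is named `ednsversion` while the neighbouring dns_peer_getquerydscp uses `dscpp` for its pointer; `isc_uint8_t *ednsversionp` keeps the header's convention and makes the in/out direction visible at the call in resquery_send. The new prototypes also carry no comment; a one-liner noting that the getter returns ISC_R_NOTFOUND until the setter has been called (which is what the peer.c hunk implements) would document the contract callers rely on.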
--- a/lib/dns/peer.c +++ b/lib/dns/peer.c @@ -48,6 +48,7 @@ #define TRANSFER_DSCP_BIT 11 #define QUERY_DSCP_BIT 12 #define REQUEST_EXPIRE_BIT 13 +#define EDNS_VERSION_BIT 14 static void peerlist_delete(dns_peerlist_t **list); @@ -838,3 +839,25 @@ dns_peer_getquerydscp(dns_peer_t *peer, isc_dscp_t *dscpp) { } return (ISC_R_NOTFOUND); } + +isc_result_t +dns_peer_setednsversion(dns_peer_t *peer, isc_uint8_t ednsversion) { + REQUIRE(DNS_PEER_VALID(peer)); + + peer->ednsversion = ednsversion; + DNS_BIT_SET(EDNS_VERSION_BIT, &peer->bitflags); + + return (ISC_R_SUCCESS); +} + +isc_result_t +dns_peer_getednsversion(dns_peer_t *peer, isc_uint8_t *ednsversion) { + REQUIRE(DNS_PEER_VALID(peer)); + REQUIRE(ednsversion != NULL); + + if (DNS_BIT_CHECK(EDNS_VERSION_BIT, &peer->bitflags)) { + *ednsversion = peer->ednsversion; + return (ISC_R_SUCCESS); + } else + return (ISC_R_NOTFOUND); +} diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c index 5c53656d27..8ad824b118 100644 --- a/lib/dns/rdata.c +++ b/lib/dns/rdata.c @@ -1039,8 +1039,6 @@ unsigned int dns_rdatatype_attributes(dns_rdatatype_t type) { RDATATYPE_ATTRIBUTE_SW - if (type >= (dns_rdatatype_t)128 && type < (dns_rdatatype_t)255) - return (DNS_RDATATYPEATTR_UNKNOWN | DNS_RDATATYPEATTR_META); return (DNS_RDATATYPEATTR_UNKNOWN); } diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 96f758696a..43c746dbb7 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -44,6 +44,7 @@ #include #include #include +#include #include #include #include @@ -2052,7 +2053,7 @@ resquery_send(resquery_t *query) { */ if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0) { if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) == 0) { - unsigned int version = 0; /* Default version. */ + unsigned int version = DNS_EDNS_VERSION; unsigned int flags = query->addrinfo->flags; isc_boolean_t reqnsid = res->view->requestnsid; #ifdef ISC_PLATFORM_USESIT 
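Review bot: dns_peer_getednsversion ends with `} else return (ISC_R_NOTFOUND);` while the preceding dns_peer_getquerydscp, visible in the hunk context, falls through to `return (ISC_R_NOTFOUND);` after its if block; mirroring that shape keeps the accessors uniform and avoids the braceless else. The EDNS_VERSION_BIT bookkeeping otherwise matches the other setters.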
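Review bot: Removing the 128–254 special case in dns_rdatatype_attributes changes how unknown types in that range are classified (they are no longer flagged DNS_RDATATYPEATTR_META), which looks unrelated to EDNS version negotiation and is not mentioned in the CHANGES entry for 3949. If the new tests need it, the CHANGES text should say so; if it is a separate fix it deserves its own entry, since meta-type classification presumably influences what named accepts in zone data and caches. The RDATATYPE_ATTRIBUTE_SW expansion preceding it is outside the hunk.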
@@ -2099,12 +2100,18 @@ resquery_send(resquery_t *query) { version >>= DNS_FETCHOPT_EDNSVERSIONSHIFT; } - /* Request NSID/SIT for current view or peer? */ + /* Request NSID/SIT/VERSION for current peer? */ if (peer != NULL) { + isc_uint8_t ednsversion; (void) dns_peer_getrequestnsid(peer, &reqnsid); #ifdef ISC_PLATFORM_USESIT (void) dns_peer_getrequestsit(peer, &reqsit); #endif + result = dns_peer_getednsversion(peer, + &ednsversion); + if (result == ISC_R_SUCCESS && + ednsversion < version) + version = ednsversion; } #ifdef ISC_PLATFORM_USESIT if (NOSIT(query->addrinfo)) @@ -2118,6 +2125,15 @@ resquery_send(resquery_t *query) { ednsopt++; } #ifdef ISC_PLATFORM_USESIT +#if DNS_EDNS_VERSION > 0 + /* + * Some EDNS(0) servers don't ignore unknown options + * as it was not a explict requirement of RFC 2671. + * Only send SIT to EDNS(1) servers. + */ + if (version < 1) + reqsit = ISC_FALSE; +#endif if (reqsit) { INSIST(ednsopt < DNS_EDNSOPTIONS); ednsopts[ednsopt].code = DNS_OPT_SIT; @@ -7630,7 +7646,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) { } else if (message->rcode == dns_rcode_badvers) { unsigned int flags, mask; unsigned int version; -#ifdef ISC_PLATFORM_USESIT +#if defined(ISC_PLATFORM_USESIT) && DNS_EDNS_VERSION == 0 unsigned char sit[64]; /* @@ -7665,17 +7681,15 @@ resquery_response(isc_task_t *task, isc_event_t *event) { FCTX_ADDRINFO_EDNSOK); } /* - * Record the supported EDNS version. + * XXXMPA we should really test against the version of + * EDNS we sent in the request. */ - switch (version) { - case 0: + if (version < DNS_EDNS_VERSION) { dns_adb_changeflags(fctx->adb, query->addrinfo, flags, mask); - break; - default: + } else { broken_server = DNS_R_BADVERS; keep_trying = ISC_TRUE; - break; } } else { /* diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index e802dc0595..09711e2b7f 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c 
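Review bot: Comment typo in the new SIT guard: `a explict requirement` should be `an explicit requirement`. The guard is keyed on `DNS_EDNS_VERSION > 0` inside `#ifdef ISC_PLATFORM_USESIT`, so a default build's SIT behaviour is unchanged; saying that in the comment would help, since edns.h describes the same mechanism as disabling SIT altogether. resquery_send continues outside the hunk.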
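Review bot: With the default DNS_EDNS_VERSION of 0, `if (version < DNS_EDNS_VERSION)` can never be true for an unsigned `version`, so the dns_adb_changeflags branch becomes dead and every BADVERS reply now marks the server DNS_R_BADVERS, whereas the old `case 0:` recorded the advertised version 0 and moved on; compilers with -Wtype-limits will also flag the comparison. The XXXMPA comment already says the right check is against the version actually sent, presumably the value resquery_send derives from the addrinfo flags; until that is plumbed through, the comment should state whether treating a version-0 BADVERS as a broken server in the default build is an intended tightening. resquery_response continues outside the hunk.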
@@ -1825,6 +1825,7 @@ server_clauses[] = {
 { "bogus", &cfg_type_boolean, 0 },
 { "edns", &cfg_type_boolean, 0 },
 { "edns-udp-size", &cfg_type_uint32, 0 },
+ { "edns-version", &cfg_type_uint32, 0 },
 { "keys", &cfg_type_server_key_kludge, 0 },
 { "max-udp-size", &cfg_type_uint32, 0 },
 { "notify-source", &cfg_type_sockaddr4wild, 0 },