
merged filter-aaaa-on-v6 (ATT SoW)

3327.	[func]		Added 'filter-aaaa-on-v6' option; this is similar
			to 'filter-aaaa-on-v4' but applies to IPv6
			connections.  (Use "configure --enable-filter-aaaa"
			to enable this option.)  [RT #27308]
This commit is contained in:
Evan Hunt 2012-05-14 11:50:00 -07:00
parent bc626b81d7
commit d878b8d87c
30 changed files with 1334 additions and 387 deletions


@ -1,3 +1,8 @@
3327. [func] Added 'filter-aaaa-on-v6' option; this is similar
to 'filter-aaaa-on-v4' but applies to IPv6
connections. (Use "configure --enable-filter-aaaa"
to enable this option.) [RT #27308]
3326. [func] Added task list statistics: task model, worker
threads, quantum, tasks running, tasks ready.
[RT #27678]


@ -941,10 +941,11 @@ ns_client_send(ns_client_t *client) {
preferred_glue = DNS_MESSAGERENDER_PREFER_AAAA;
}
#ifdef ALLOW_FILTER_AAAA_ON_V4
#ifdef ALLOW_FILTER_AAAA
/*
* filter-aaaa-on-v4 yes or break-dnssec option to suppress
* AAAA records
* AAAA records.
*
* We already know that request came via IPv4,
* that we have both AAAA and A records,
* and that we either have no signatures that the client wants
@ -2120,8 +2121,8 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
client->recursionquota = NULL;
client->interface = NULL;
client->peeraddr_valid = ISC_FALSE;
#ifdef ALLOW_FILTER_AAAA_ON_V4
client->filter_aaaa = dns_v4_aaaa_ok;
#ifdef ALLOW_FILTER_AAAA
client->filter_aaaa = dns_aaaa_ok;
#endif
ISC_EVENT_INIT(&client->ctlevent, sizeof(client->ctlevent), 0, NULL,
NS_EVENT_CLIENTCONTROL, client_start, client, client,
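Review bot: The comment in ns_client_send that this hunk touches still says `* We already know that request came via IPv4,` and names only filter-aaaa-on-v4, but client->filter_aaaa is now also set for IPv6 clients via filter-aaaa-on-v6, so the stated precondition is no longer true. Suggest `* filter-aaaa-on-v4 / filter-aaaa-on-v6 yes or break-dnssec option to` / `* suppress AAAA records.` and `* We already know that the request came over the address family the option applies to,`. The comment block continues past the end of the hunk, and ns_client_send's body starts and ends outside it; the client_create hunk is only the rename of the initial value to dns_aaaa_ok.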


@ -162,8 +162,9 @@ options {\n\
nsec3-test-zone no;\n\
allow-new-zones no;\n\
"
#ifdef ALLOW_FILTER_AAAA_ON_V4
#ifdef ALLOW_FILTER_AAAA
" filter-aaaa-on-v4 no;\n\
filter-aaaa-on-v6 no;\n\
filter-aaaa { any; };\n\
"
#endif


@ -141,8 +141,8 @@ struct ns_client {
isc_netaddr_t destaddr;
struct in6_pktinfo pktinfo;
isc_event_t ctlevent;
#ifdef ALLOW_FILTER_AAAA_ON_V4
dns_v4_aaaa_t filter_aaaa;
#ifdef ALLOW_FILTER_AAAA
dns_aaaa_t filter_aaaa;
#endif
/*%
* Information about recent FORMERR response(s), for
@ -173,7 +173,7 @@ typedef ISC_LIST(ns_client_t) client_list_t;
#define NS_CLIENTATTR_MULTICAST 0x08 /*%< recv'd from multicast */
#define NS_CLIENTATTR_WANTDNSSEC 0x10 /*%< include dnssec records */
#define NS_CLIENTATTR_WANTNSID 0x20 /*%< include nameserver ID */
#ifdef ALLOW_FILTER_AAAA_ON_V4
#ifdef ALLOW_FILTER_AAAA
#define NS_CLIENTATTR_FILTER_AAAA 0x40 /*%< suppress AAAAs */
#define NS_CLIENTATTR_FILTER_AAAA_RC 0x80 /*%< recursing for A against AAAA */
#endif


@ -1381,7 +1381,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
}
if (qtype == dns_rdatatype_a) {
#ifdef ALLOW_FILTER_AAAA_ON_V4
#ifdef ALLOW_FILTER_AAAA
isc_boolean_t have_a = ISC_FALSE;
#endif
@ -1423,7 +1423,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
}
if (result == ISC_R_SUCCESS) {
mname = NULL;
#ifdef ALLOW_FILTER_AAAA_ON_V4
#ifdef ALLOW_FILTER_AAAA
have_a = ISC_TRUE;
#endif
if (!query_isduplicate(client, fname,
@ -1475,10 +1475,10 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
/*
* There's an A; check whether we're filtering AAAA
*/
#ifdef ALLOW_FILTER_AAAA_ON_V4
#ifdef ALLOW_FILTER_AAAA
if (have_a &&
(client->filter_aaaa == dns_v4_aaaa_break_dnssec ||
(client->filter_aaaa == dns_v4_aaaa_filter &&
(client->filter_aaaa == dns_aaaa_break_dnssec ||
(client->filter_aaaa == dns_aaaa_filter &&
(!WANTDNSSEC(client) || sigrdataset == NULL ||
!dns_rdataset_isassociated(sigrdataset)))))
goto addname;
@ -5190,7 +5190,7 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t *db,
return;
}
#ifdef ALLOW_FILTER_AAAA_ON_V4
#ifdef ALLOW_FILTER_AAAA
static isc_boolean_t
is_v4_client(ns_client_t *client) {
if (isc_sockaddr_pf(&client->peeraddr) == AF_INET)
@ -5200,6 +5200,14 @@ is_v4_client(ns_client_t *client) {
return (ISC_TRUE);
return (ISC_FALSE);
}
static isc_boolean_t
is_v6_client(ns_client_t *client) {
if (isc_sockaddr_pf(&client->peeraddr) == AF_INET6 &&
!IN6_IS_ADDR_V4MAPPED(&client->peeraddr.type.sin6.sin6_addr))
return (ISC_TRUE);
return (ISC_FALSE);
}
#endif
static isc_uint32_t
@ -6699,25 +6707,36 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
need_wildcardproof = ISC_TRUE;
}
#ifdef ALLOW_FILTER_AAAA_ON_V4
if (client->view->v4_aaaa != dns_v4_aaaa_ok &&
is_v4_client(client) &&
ns_client_checkaclsilent(client, NULL,
client->view->v4_aaaa_acl,
ISC_TRUE) == ISC_R_SUCCESS)
client->filter_aaaa = client->view->v4_aaaa;
else
client->filter_aaaa = dns_v4_aaaa_ok;
#ifdef ALLOW_FILTER_AAAA
/*
* The filter-aaaa-on-v4 option should suppress AAAAs for IPv4
* clients if there is an A; filter-aaaa-on-v6 option does the same
* for IPv6 clients.
*/
client->filter_aaaa = dns_aaaa_ok;
if (client->view->v4_aaaa != dns_aaaa_ok ||
client->view->v6_aaaa != dns_aaaa_ok)
{
result = ns_client_checkaclsilent(client, NULL,
client->view->aaaa_acl,
ISC_TRUE);
if (result == ISC_R_SUCCESS &&
client->view->v4_aaaa != dns_aaaa_ok &&
is_v4_client(client))
client->filter_aaaa = client->view->v4_aaaa;
else if (result == ISC_R_SUCCESS &&
client->view->v6_aaaa != dns_aaaa_ok &&
is_v6_client(client))
client->filter_aaaa = client->view->v6_aaaa;
}
#endif
if (type == dns_rdatatype_any) {
#ifdef ALLOW_FILTER_AAAA_ON_V4
#ifdef ALLOW_FILTER_AAAA
isc_boolean_t have_aaaa, have_a, have_sig;
/*
* The filter-aaaa-on-v4 option should
* suppress AAAAs for IPv4 clients if there is an A.
* If we are not authoritative, assume there is a A
* even in if it is not in our cache. This assumption could
* be wrong but it is a good bet.
@ -6754,12 +6773,12 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
result = dns_rdatasetiter_first(rdsiter);
while (result == ISC_R_SUCCESS) {
dns_rdatasetiter_current(rdsiter, rdataset);
#ifdef ALLOW_FILTER_AAAA_ON_V4
#ifdef ALLOW_FILTER_AAAA
/*
* Notice the presence of A and AAAAs so
* that AAAAs can be hidden from IPv4 clients.
*/
if (client->filter_aaaa != dns_v4_aaaa_ok) {
if (client->filter_aaaa != dns_aaaa_ok) {
if (rdataset->type == dns_rdatatype_aaaa)
have_aaaa = ISC_TRUE;
else if (rdataset->type == dns_rdatatype_a)
@ -6777,7 +6796,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
dns_rdataset_disassociate(rdataset);
} else if ((qtype == dns_rdatatype_any ||
rdataset->type == qtype) && rdataset->type != 0) {
#ifdef ALLOW_FILTER_AAAA_ON_V4
#ifdef ALLOW_FILTER_AAAA
if (dns_rdatatype_isdnssec(rdataset->type))
have_sig = ISC_TRUE;
#endif
@ -6811,14 +6830,14 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
result = dns_rdatasetiter_next(rdsiter);
}
#ifdef ALLOW_FILTER_AAAA_ON_V4
#ifdef ALLOW_FILTER_AAAA
/*
* Filter AAAAs if there is an A and there is no signature
* or we are supposed to break DNSSEC.
*/
if (client->filter_aaaa == dns_v4_aaaa_break_dnssec)
if (client->filter_aaaa == dns_aaaa_break_dnssec)
client->attributes |= NS_CLIENTATTR_FILTER_AAAA;
else if (client->filter_aaaa != dns_v4_aaaa_ok &&
else if (client->filter_aaaa != dns_aaaa_ok &&
have_aaaa && have_a &&
(!have_sig || !WANTDNSSEC(client)))
client->attributes |= NS_CLIENTATTR_FILTER_AAAA;
@ -6873,7 +6892,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
* we know the answer.
*/
#ifdef ALLOW_FILTER_AAAA_ON_V4
#ifdef ALLOW_FILTER_AAAA
/*
* Optionally hide AAAAs from IPv4 clients if there is an A.
* We add the AAAAs now, but might refuse to render them later
@ -6882,8 +6901,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
* so fundamentally wrong, unavoidably inaccurate, and
* unneeded that it is best to keep it as short as possible.
*/
if (client->filter_aaaa == dns_v4_aaaa_break_dnssec ||
(client->filter_aaaa == dns_v4_aaaa_filter &&
if (client->filter_aaaa == dns_aaaa_break_dnssec ||
(client->filter_aaaa == dns_aaaa_filter &&
(!WANTDNSSEC(client) || sigrdataset == NULL ||
!dns_rdataset_isassociated(sigrdataset))))
{
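Review bot: Several comments in query_find that this section leaves as context still describe the feature as IPv4-only — `* The filter-aaaa-on-v4 option should` / `* suppress AAAAs for IPv4 clients if there is an A.` in the qtype=ANY branch, `* that AAAAs can be hidden from IPv4 clients.` in the rdataset loop, and `* Optionally hide AAAAs from IPv4 clients if there is an A.` before the answer is added — and should be reworded now that filter-aaaa-on-v6 sets client->filter_aaaa for IPv6 clients too. The new comment at the top of the filter setup would also help if it said that both options share one ACL, e.g. `* The filter-aaaa-on-v4 and filter-aaaa-on-v6 options suppress AAAAs for IPv4 and IPv6 clients respectively when an A exists; both are gated by the single filter-aaaa ACL (view->aaaa_acl).` The ACL outcome is stored in `result`, which query_find reuses throughout; nothing visible here reads the previous value before it is reassigned, but a dedicated local would make that obvious. is_v4_client's body is cut by the hunk boundary, so whether it counts IPv4-mapped addresses as v4 (mirroring the exclusion in is_v6_client) cannot be confirmed from this diff; query_find starts and ends outside its hunks.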


@ -2572,24 +2572,41 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
cfg_obj_asuint32(obj),
max_clients_per_query);
#ifdef ALLOW_FILTER_AAAA_ON_V4
#ifdef ALLOW_FILTER_AAAA
obj = NULL;
result = ns_config_get(maps, "filter-aaaa-on-v4", &obj);
INSIST(result == ISC_R_SUCCESS);
if (cfg_obj_isboolean(obj)) {
if (cfg_obj_asboolean(obj))
view->v4_aaaa = dns_v4_aaaa_filter;
view->v4_aaaa = dns_aaaa_filter;
else
view->v4_aaaa = dns_v4_aaaa_ok;
view->v4_aaaa = dns_aaaa_ok;
} else {
const char *v4_aaaastr = cfg_obj_asstring(obj);
if (strcasecmp(v4_aaaastr, "break-dnssec") == 0)
view->v4_aaaa = dns_v4_aaaa_break_dnssec;
view->v4_aaaa = dns_aaaa_break_dnssec;
else
INSIST(0);
}
obj = NULL;
result = ns_config_get(maps, "filter-aaaa-on-v6", &obj);
INSIST(result == ISC_R_SUCCESS);
if (cfg_obj_isboolean(obj)) {
if (cfg_obj_asboolean(obj))
view->v6_aaaa = dns_aaaa_filter;
else
view->v6_aaaa = dns_aaaa_ok;
} else {
const char *v6_aaaastr = cfg_obj_asstring(obj);
if (strcasecmp(v6_aaaastr, "break-dnssec") == 0)
view->v6_aaaa = dns_aaaa_break_dnssec;
else
INSIST(0);
}
CHECK(configure_view_acl(vconfig, config, "filter-aaaa", NULL,
actx, ns_g_mctx, &view->v4_aaaa_acl));
actx, ns_g_mctx, &view->aaaa_acl));
#endif
obj = NULL;
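Review bot: The filter-aaaa-on-v6 block added here is a line-for-line copy of the filter-aaaa-on-v4 block above it (boolean to dns_aaaa_filter/dns_aaaa_ok, "break-dnssec" to dns_aaaa_break_dnssec, INSIST(0) otherwise); a small static helper keeps the two in step and gives the mapping one place to be documented. The INSIST(0) on any other string aborts named at configuration time, which is presumably acceptable only because the config grammar (not in this diff) limits the value to yes/no/break-dnssec, so it is worth confirming the v6 option was added to the grammar with the same restriction. configure_view starts and ends outside the hunk; the helper below would go at file scope before it.
```c
/*
 * Map a filter-aaaa-on-v4 / filter-aaaa-on-v6 option value to dns_aaaa_t.
 * The config grammar is expected to admit only yes, no and "break-dnssec".
 */
static dns_aaaa_t
aaaa_option(cfg_obj_t *obj) {
	if (cfg_obj_isboolean(obj))
		return (cfg_obj_asboolean(obj) ? dns_aaaa_filter : dns_aaaa_ok);
	if (strcasecmp(cfg_obj_asstring(obj), "break-dnssec") == 0)
		return (dns_aaaa_break_dnssec);
	INSIST(0);
	return (dns_aaaa_ok);	/* not reached */
}

/* … in configure_view(), replacing the two hand-expanded parse blocks … */
	obj = NULL;
	result = ns_config_get(maps, "filter-aaaa-on-v4", &obj);
	INSIST(result == ISC_R_SUCCESS);
	view->v4_aaaa = aaaa_option(obj);

	obj = NULL;
	result = ns_config_get(maps, "filter-aaaa-on-v6", &obj);
	INSIST(result == ISC_R_SUCCESS);
	view->v6_aaaa = aaaa_option(obj);
	/* … unchanged: configure_view_acl() for "filter-aaaa" … */
```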


@ -20,20 +20,20 @@ rm -f ns1/K*
rm -f ns1/*.signed
rm -f ns1/signer.err
rm -f ns1/dsset-*
rm -f ns1/named.run
rm -f ns1/named.run ns1/named.conf
rm -f ns1/named.memstats
rm -f ns2/named.run
rm -f ns2/named.run ns2/named.conf
rm -f ns2/named.memstats
rm -f ns3/named.run
rm -f ns3/named.run ns3/named.conf
rm -f ns3/named.memstats
rm -f ns4/K*
rm -f ns4/*.signed
rm -f ns4/signer.err
rm -f ns4/dsset-*
rm -f ns4/named.run
rm -f ns4/named.run ns4/named.conf
rm -f ns4/named.memstats
rm -f random.data


@ -25,7 +25,7 @@ main(int argc, char **argv) {
UNUSED(argc);
UNUSED(argv);
#ifdef ALLOW_FILTER_AAAA_ON_V4
#ifdef ALLOW_FILTER_AAAA
return (0);
#else
return (1);


@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.2 2010/06/22 03:58:37 marka Exp $ */
/* $Id: named1.conf,v 1.1.2.1 2012/01/07 03:32:15 each Exp $ */
controls { /* empty */ };
@ -32,6 +32,16 @@ options {
filter-aaaa { 10.53.0.1; };
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-md5;
};
controls {
inet 10.53.0.1 port 9953 allow { any; } keys { rndc_key; };
};
zone "." { type master; file "root.db"; };
zone "signed" { type master; file "signed.db.signed"; };
zone "unsigned" { type master; file "unsigned.db"; };


@ -0,0 +1,46 @@
/*
* Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named2.conf,v 1.1.2.1 2012/01/07 03:32:15 each Exp $ */
controls { /* empty */ };
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { fd92:7065:b8e:ffff::1; };
recursion no;
notify yes;
filter-aaaa-on-v6 yes;
filter-aaaa { fd92:7065:b8e:ffff::1; };
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-md5;
};
controls {
inet 10.53.0.1 port 9953 allow { any; } keys { rndc_key; };
};
zone "." { type master; file "root.db"; };
zone "signed" { type master; file "signed.db.signed"; };
zone "unsigned" { type master; file "unsigned.db"; };


@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.2 2010/06/22 03:58:38 marka Exp $ */
/* $Id: named1.conf,v 1.1.2.1 2012/01/07 03:32:16 each Exp $ */
controls { /* empty */ };
@ -32,4 +32,13 @@ options {
filter-aaaa { 10.53.0.2; };
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-md5;
};
controls {
inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
};
zone "." { type hint; file "hints"; };


@ -0,0 +1,44 @@
/*
* Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named2.conf,v 1.1.2.1 2012/01/07 03:32:16 each Exp $ */
controls { /* empty */ };
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
transfer-source 10.53.0.2;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.2; };
listen-on-v6 { fd92:7065:b8e:ffff::2; };
recursion yes;
notify yes;
filter-aaaa-on-v6 yes;
filter-aaaa { fd92:7065:b8e:ffff::2; };
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-md5;
};
controls {
inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
};
zone "." { type hint; file "hints"; };


@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.2 2010/06/22 03:58:38 marka Exp $ */
/* $Id: named1.conf,v 1.1.2.1 2012/01/07 03:32:16 each Exp $ */
controls { /* empty */ };
@ -32,4 +32,13 @@ options {
filter-aaaa { 10.53.0.3; };
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-md5;
};
controls {
inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
};
zone "." { type hint; file "hints"; };


@ -0,0 +1,44 @@
/*
* Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named2.conf,v 1.1.2.1 2012/01/07 03:32:16 each Exp $ */
controls { /* empty */ };
options {
query-source address 10.53.0.3;
notify-source 10.53.0.3;
transfer-source 10.53.0.3;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.3; };
listen-on-v6 { fd92:7065:b8e:ffff::3; };
recursion yes;
notify yes;
filter-aaaa-on-v6 break-dnssec;
filter-aaaa { fd92:7065:b8e:ffff::3; };
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-md5;
};
controls {
inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
};
zone "." { type hint; file "hints"; };


@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.2 2010/06/22 03:58:38 marka Exp $ */
/* $Id: named1.conf,v 1.1.2.1 2012/01/07 03:32:16 each Exp $ */
controls { /* empty */ };
@ -32,6 +32,15 @@ options {
filter-aaaa { 10.53.0.4; };
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-md5;
};
controls {
inet 10.53.0.4 port 9953 allow { any; } keys { rndc_key; };
};
zone "." { type master; file "root.db"; };
zone "signed" { type master; file "signed.db.signed"; };
zone "unsigned" { type master; file "unsigned.db"; };


@ -0,0 +1,46 @@
/*
* Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named2.conf,v 1.1.2.1 2012/01/07 03:32:16 each Exp $ */
controls { /* empty */ };
options {
query-source address 10.53.0.4;
notify-source 10.53.0.4;
transfer-source 10.53.0.4;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.4; };
listen-on-v6 { fd92:7065:b8e:ffff::4; };
recursion no;
notify yes;
filter-aaaa-on-v6 break-dnssec;
filter-aaaa { fd92:7065:b8e:ffff::4; };
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-md5;
};
controls {
inet 10.53.0.4 port 9953 allow { any; } keys { rndc_key; };
};
zone "." { type master; file "root.db"; };
zone "signed" { type master; file "signed.db.signed"; };
zone "unsigned" { type master; file "unsigned.db"; };


@ -20,5 +20,10 @@ sh clean.sh
../../../tools/genrandom 400 random.data
cp ns1/named1.conf ns1/named.conf
cp ns2/named1.conf ns2/named.conf
cp ns3/named1.conf ns3/named.conf
cp ns4/named1.conf ns4/named.conf
(cd ns1 && sh -e sign.sh)
(cd ns4 && sh -e sign.sh)


@ -200,7 +200,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is included in additional section, qtype=MX, unsigned, over IPV6 ($n)"
echo "I:checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv6 ($n)"
if $TESTSOCK6 fd92:7065:b8e:ffff::1
then
ret=0
@ -368,7 +368,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is included in additional section, qtype=MX, unsigned, over IPV6, with break-dnssec ($n)"
echo "I:checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv6, with break-dnssec ($n)"
if $TESTSOCK6 fd92:7065:b8e:ffff::4
then
ret=0
@ -535,7 +535,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is included in additional section, qtype=MX, unsigned, over IPV6 ($n)"
echo "I:checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv6 ($n)"
if $TESTSOCK6 fd92:7065:b8e:ffff::2
then
ret=0
@ -702,7 +702,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is included in additional section, qtype=MX, unsigned, over IPV6, recursive with break-dnssec ($n)"
echo "I:checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv6, recursive with break-dnssec ($n)"
if $TESTSOCK6 fd92:7065:b8e:ffff::3
then
ret=0
@ -714,5 +714,652 @@ else
echo "I: skipped."
fi
$TESTSOCK6 fd92:7065:b8e:ffff::1 || {
echo "I:IPv6 address not configured; skipping IPv6 query tests"
echo "I:exit status: $status"
exit $status
}
# Reconfiguring for IPv6 tests
echo "I:reconfiguring servers"
cp -f ns1/named2.conf ns1/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 reconfig 2>&1 | sed 's/^/I:ns1 /'
cp -f ns2/named2.conf ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig 2>&1 | sed 's/^/I:ns2 /'
cp -f ns3/named2.conf ns3/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reconfig 2>&1 | sed 's/^/I:ns3 /'
cp -f ns4/named2.conf ns4/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig 2>&1 | sed 's/^/I:ns4 /'
# BEGIN IPv6 TESTS
#
# Authoritative tests against:
# filter-aaaa-on-v6 yes;
# filter-aaaa { fd92:7065:b8e:ffff::1; };
#
n=`expr $n + 1`
echo "I:checking that AAAA is returned when only AAAA record exists, signed ($n)"
ret=0
$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
grep ::2 dig.out.ns1.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is returned when only AAAA record exists, unsigned ($n)"
ret=0
$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
grep ::5 dig.out.ns1.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed ($n)"
ret=0
$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned ($n)"
ret=0
$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is returned when both AAAA and A records exist, signed and DO set ($n)"
ret=0
$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
grep ::3 dig.out.ns1.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set ($n)"
ret=0
$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is returned when both AAAA and A records exist and query source does not match acl ($n)"
ret=0
$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
grep ::6 dig.out.ns1.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY ($n)"
ret=0
$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
grep "1.0.0.3" dig.out.ns1.test$n > /dev/null || ret=1
grep "::3" dig.out.ns1.test$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY ($n)"
ret=0
$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
grep "1.0.0.6" dig.out.ns1.test$n > /dev/null || ret=1
grep "::6" dig.out.ns1.test$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that both A and AAAA are returned when both AAAA and A records exist, signed, qtype=ANY and DO is set ($n)"
ret=0
$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
grep ::3 dig.out.ns1.test$n > /dev/null || ret=1
grep "1.0.0.3" dig.out.ns1.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set ($n)"
ret=0
$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
grep "1.0.0.6" dig.out.ns1.test$n > /dev/null || ret=1
grep "::6" dig.out.ns1.test$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl ($n)"
ret=0
$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
grep 1.0.0.6 dig.out.ns1.test$n > /dev/null || ret=1
grep ::6 dig.out.ns1.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv4 ($n)"
ret=0
$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 2001:db8::6 dig.out.ns1.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is omitted from additional section, qtype=NS ($n)"
ret=0
$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
grep AAAA dig.out.ns1.test$n > /dev/null 2>&1 && ret=1
grep "ADDITIONAL: 2" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is omitted from additional section, qtype=MX, unsigned ($n)"
ret=0
$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is included in additional section, qtype=MX, signed ($n)"
ret=0
$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
grep "^mx.signed.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv4 ($n)"
ret=0
$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
#
# Authoritative tests against:
# filter-aaaa-on-v6 break-dnssec;
# filter-aaaa { fd92:7065:b8e:ffff::4; };
#
n=`expr $n + 1`
echo "I:checking that AAAA is returned when only AAAA record exists, signed with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
grep ::2 dig.out.ns4.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is returned when only AAAA record exists, unsigned with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
grep ::5 dig.out.ns4.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed and DO set with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is returned when both AAAA and A records exist and query source does not match acl with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep ::6 dig.out.ns4.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "1.0.0.3" dig.out.ns4.test$n > /dev/null || ret=1
grep "::3" dig.out.ns4.test$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "1.0.0.6" dig.out.ns4.test$n > /dev/null || ret=1
grep "::6" dig.out.ns4.test$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, signed, qtype=ANY and DO is set with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "1.0.0.3" dig.out.ns4.test$n > /dev/null || ret=1
grep ::3 dig.out.ns4.test$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "1.0.0.6" dig.out.ns4.test$n > /dev/null || ret=1
grep "::6" dig.out.ns4.test$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep 1.0.0.6 dig.out.ns4.test$n > /dev/null || ret=1
grep ::6 dig.out.ns4.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv4 with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep 2001:db8::6 dig.out.ns4.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is omitted from additional section, qtype=NS, with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
grep AAAA dig.out.ns4.test$n > /dev/null 2>&1 && ret=1
grep "ADDITIONAL: 2" dig.out.ns4.test$n > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is omitted from additional section, qtype=MX, unsigned, with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is omitted from additional section, qtype=MX, signed, with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
grep "^mx.signed.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv4, with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
#
# Recursive tests against:
# filter-aaaa-on-v6 yes;
# filter-aaaa { fd92:7065:b8e:ffff::2; };
#
n=`expr $n + 1`
echo "I:checking that AAAA is returned when only AAAA record exists, signed, recursive ($n)"
ret=0
$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
grep ::2 dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is returned when only AAAA record exists, unsigned, recursive ($n)"
ret=0
$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
grep ::5 dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed, recursive ($n)"
ret=0
$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned, recursive ($n)"
ret=0
$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is returned when both AAAA and A records exist, signed and DO set, recursive ($n)"
ret=0
$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
grep ::3 dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set, recursive ($n)"
ret=0
$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is returned when both AAAA and A records exist and query source does not match acl, recursive ($n)"
ret=0
$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep ::6 dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY recursive ($n)"
ret=0
$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "1.0.0.3" dig.out.ns2.test$n > /dev/null || ret=1
grep "::3" dig.out.ns2.test$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY recursive ($n)"
ret=0
$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "1.0.0.6" dig.out.ns2.test$n > /dev/null || ret=1
grep "::6" dig.out.ns2.test$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that both A and AAAA are returned when both AAAA and A records exist, signed, qtype=ANY and DO is set, recursive ($n)"
ret=0
$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep ::3 dig.out.ns2.test$n > /dev/null || ret=1
grep "1.0.0.3" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set, recursive ($n)"
ret=0
$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep "1.0.0.6" dig.out.ns2.test$n > /dev/null || ret=1
grep "::6" dig.out.ns2.test$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl, recursive ($n)"
ret=0
$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
grep 1.0.0.6 dig.out.ns2.test$n > /dev/null || ret=1
grep ::6 dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv4, recursive ($n)"
ret=0
$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
grep 2001:db8::6 dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is omitted from additional section, qtype=NS ($n)"
ret=0
$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
grep AAAA dig.out.ns2.test$n > /dev/null 2>&1 && ret=1
grep "ADDITIONAL: 2" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is omitted from additional section, qtype=MX, unsigned ($n)"
ret=0
$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is included in additional section, qtype=MX, signed ($n)"
ret=0
$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
grep "^mx.signed.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv4 ($n)"
ret=0
$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
#
# Recursive tests against:
# filter-aaaa-on-v6 yes;
# filter-aaaa { fd92:7065:b8e:ffff::3; };
#
n=`expr $n + 1`
echo "I:checking that AAAA is returned when only AAAA record exists, signed, recursive with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
grep ::2 dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is returned when only AAAA record exists, unsigned, recursive with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
grep ::5 dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed, recursive with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned, recursive with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed and DO set, recursive with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set, recursive with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is returned when both AAAA and A records exist and query source does not match acl, recursive with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
grep ::6 dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
grep "1.0.0.3" dig.out.ns3.test$n > /dev/null || ret=1
grep "::3" dig.out.ns3.test$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
grep "1.0.0.6" dig.out.ns3.test$n > /dev/null || ret=1
grep "::6" dig.out.ns3.test$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, signed, qtype=ANY and DO is set with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
grep "1.0.0.3" dig.out.ns3.test$n > /dev/null || ret=1
grep ::3 dig.out.ns3.test$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
grep "1.0.0.6" dig.out.ns3.test$n > /dev/null || ret=1
grep "::6" dig.out.ns3.test$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl, recursive with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
grep 1.0.0.6 dig.out.ns3.test$n > /dev/null || ret=1
grep ::6 dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv4, recursive with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
grep 2001:db8::6 dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is omitted from additional section, qtype=NS, recursive with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
grep AAAA dig.out.ns3.test$n > /dev/null 2>&1 && ret=1
grep "ADDITIONAL: 2" dig.out.ns3.test$n > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is omitted from additional section, qtype=MX, unsigned, recursive with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is omitted from additional section, qtype=MX, signed, recursive with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
grep "^mx.signed.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv4, recursive with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:exit status: $status"
exit $status


@ -84,8 +84,7 @@ status=`expr $status + $ret`
ret=0
echo "I: verifying active sockets output"
nsock1=`grep "UDP/IPv4 sockets active" ns3/named.stats | awk '{print $1}'`
[ "$nsock0" -eq 2 ] || ret=1
[ "$nsock1" -eq 3 ] || ret=1
[ `expr $nsock1 - $nsock0` -eq 1 ] || ret=1
if [ $ret != 0 ]; then echo "I: failed"; fi
status=`expr $status + $ret`
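Review bot: The rewritten assertion on the last changed line only checks that the two counts differ by one, so the test no longer notices if the baseline number of active UDP/IPv4 sockets itself drifts; if the old absolute value of 2 for `$nsock0` was meaningful, keep `[ "$nsock0" -eq 2 ] || ret=1` alongside the delta check, and if dropping it was deliberate a one-line comment saying why (the commit message does not) would help the next reader. Also, when either grep matches nothing, `expr` is run with an empty operand and `[` aborts with "unary operator expected"; the failure is still counted in `ret`, but a guard such as `[ -n "$nsock0" ] && [ -n "$nsock1" ] || ret=1` before the delta check gives a cleaner diagnostic. `$nsock0` is computed outside this hunk.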


@ -1,6 +1,6 @@
/* config.h.in. Generated from configure.in by autoheader. */
/*
* Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004, 2005, 2007, 2008, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -150,8 +150,9 @@ int sigwait(const unsigned int *set, int *sig);
/* Define if building universal (internal helper macro) */
#undef AC_APPLE_UNIVERSAL_BUILD
/* Define to enable the "filter-aaaa-on-v4" option. */
#undef ALLOW_FILTER_AAAA_ON_V4
/* Define to enable the "filter-aaaa-on-v4" and "filter-aaaa-on-v6" options.
*/
#undef ALLOW_FILTER_AAAA
/* define if ATF unit tests are to be built. */
#undef ATF_TEST

537
configure vendored



@ -2882,17 +2882,17 @@ case "$enable_nsdname" in
esac
#
# Activate "filter-aaaa-on-v4" or not?
# Activate "filter-aaaa-on-v4/v6" or not?
#
AC_ARG_ENABLE(filter-aaaa,
[ --enable-filter-aaaa enable filtering of AAAA records over IPv4
[ --enable-filter-aaaa enable filtering of AAAA records
[[default=no]]],
enable_filter="$enableval",
enable_filter="no")
case "$enable_filter" in
yes)
AC_DEFINE(ALLOW_FILTER_AAAA_ON_V4, 1,
[Define to enable the "filter-aaaa-on-v4" option.])
AC_DEFINE(ALLOW_FILTER_AAAA, 1,
[Define to enable the "filter-aaaa-on-v4" and "filter-aaaa-on-v6" options.])
;;
no)
;;


@ -5300,6 +5300,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<optional> max-cache-size <replaceable>size_spec</replaceable> ; </optional>
<optional> match-mapped-addresses <replaceable>yes_or_no</replaceable>; </optional>
<optional> filter-aaaa-on-v4 ( <replaceable>yes_or_no</replaceable> | <replaceable>break-dnssec</replaceable> ); </optional>
<optional> filter-aaaa-on-v6 ( <replaceable>yes_or_no</replaceable> | <replaceable>break-dnssec</replaceable> ); </optional>
<optional> filter-aaaa { <replaceable>address_match_list</replaceable> }; </optional>
<optional> dns64 <replaceable>IPv6-prefix</replaceable> {
<optional> clients { <replaceable>address_match_list</replaceable> }; </optional>
@ -6765,6 +6766,18 @@ options {
</listitem>
</varlistentry>
<varlistentry>
<term><command>filter-aaaa-on-v6</command></term>
<listitem>
<para>
Identical to <command>filter-aaaa-on-v4</command>,
excppt it filters AAAA responses to queries from IPv6
clients instead of IPv4 clients. To filter all
responses, set both options to <userinput>yes</userinput>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>ixfr-from-differences</command></term>
<listitem>


@ -598,29 +598,12 @@ check_filteraaaa(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
const char *viewname, const cfg_obj_t *config,
isc_log_t *logctx, isc_mem_t *mctx)
{
const cfg_obj_t *options, *aclobj, *obj = NULL;
const cfg_obj_t *options, *aclobj, *obj;
dns_acl_t *acl = NULL;
isc_result_t result = ISC_R_SUCCESS, tresult;
dns_v4_aaaa_t filter;
isc_result_t result = ISC_R_SUCCESS;
dns_aaaa_t filter4, filter6;
const char *forview = " for view ";
if (voptions != NULL)
cfg_map_get(voptions, "filter-aaaa-on-v4", &obj);
if (obj == NULL && config != NULL) {
options = NULL;
cfg_map_get(config, "options", &options);
if (options != NULL)
cfg_map_get(options, "filter-aaaa-on-v4", &obj);
}
if (obj == NULL)
filter = dns_v4_aaaa_ok; /* default */
else if (cfg_obj_isboolean(obj))
filter = cfg_obj_asboolean(obj) ? dns_v4_aaaa_filter :
dns_v4_aaaa_ok;
else
filter = dns_v4_aaaa_break_dnssec; /* break-dnssec */
if (viewname == NULL) {
viewname = "";
forview = "";
@ -640,25 +623,66 @@ check_filteraaaa(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
if (aclobj == NULL)
return (result);
tresult = cfg_acl_fromconfig(aclobj, config, logctx,
result = cfg_acl_fromconfig(aclobj, config, logctx,
actx, mctx, 0, &acl);
if (result != ISC_R_SUCCESS)
goto failure;
if (tresult != ISC_R_SUCCESS) {
result = tresult;
} else if (filter != dns_v4_aaaa_ok && dns_acl_isnone(acl)) {
obj = NULL;
if (voptions != NULL)
cfg_map_get(voptions, "filter-aaaa-on-v4", &obj);
if (obj == NULL && config != NULL) {
options = NULL;
cfg_map_get(config, "options", &options);
if (options != NULL)
cfg_map_get(options, "filter-aaaa-on-v4", &obj);
}
if (obj == NULL)
filter4 = dns_aaaa_ok; /* default */
else if (cfg_obj_isboolean(obj))
filter4 = cfg_obj_asboolean(obj) ? dns_aaaa_filter :
dns_aaaa_ok;
else
filter4 = dns_aaaa_break_dnssec; /* break-dnssec */
obj = NULL;
if (voptions != NULL)
cfg_map_get(voptions, "filter-aaaa-on-v6", &obj);
if (obj == NULL && config != NULL) {
options = NULL;
cfg_map_get(config, "options", &options);
if (options != NULL)
cfg_map_get(options, "filter-aaaa-on-v6", &obj);
}
if (obj == NULL)
filter6 = dns_aaaa_ok; /* default */
else if (cfg_obj_isboolean(obj))
filter6 = cfg_obj_asboolean(obj) ? dns_aaaa_filter :
dns_aaaa_ok;
else
filter6 = dns_aaaa_break_dnssec; /* break-dnssec */
if ((filter4 != dns_aaaa_ok || filter6 != dns_aaaa_ok) &&
dns_acl_isnone(acl))
{
cfg_obj_log(aclobj, logctx, ISC_LOG_WARNING,
"both \"filter-aaaa-on-v4 %s;\" and "
"\"filter-aaaa\" is 'none;'%s%s",
filter == dns_v4_aaaa_break_dnssec ?
"break-dnssec" : "yes", forview, viewname);
"\"filter-aaaa\" is 'none;' but "
"either filter-aaaa-on-v4 or filter-aaaa-on-v6 "
"is enabled%s%s", forview, viewname);
result = ISC_R_FAILURE;
} else if (filter == dns_v4_aaaa_ok && !dns_acl_isnone(acl)) {
} else if (filter4 == dns_aaaa_ok && filter6 == dns_aaaa_ok &&
!dns_acl_isnone(acl))
{
cfg_obj_log(aclobj, logctx, ISC_LOG_WARNING,
"both \"filter-aaaa-on-v4 no;\" and "
"\"filter-aaaa\" is set%s%s", forview, viewname);
"\"filter-aaaa\" is set but "
"neither filter-aaaa-on-v4 or filter-aaaa-on-v6 "
"is enabled%s%s", forview, viewname);
result = ISC_R_FAILURE;
}
failure:
if (acl != NULL)
dns_acl_detach(&acl);
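Review bot: The two warning strings at the end of the second hunk still carry the word "both" from the old single-option message and use "neither ... or", so named-checkconf now prints e.g. `both "filter-aaaa" is 'none;' but either filter-aaaa-on-v4 or filter-aaaa-on-v6 is enabled`; I would drop the leading `"both "` in each and change the second to `"\"filter-aaaa\" is set but neither filter-aaaa-on-v4 " "nor filter-aaaa-on-v6 is enabled%s%s"`. Separately, the filter-aaaa-on-v4 and filter-aaaa-on-v6 lookups are the same nine lines twice (view options, fall back to global options, map absent/boolean/enum to dns_aaaa_t); a small static helper keeps the two cases from drifting apart and makes the mapping documented in one place, as sketched below. The old `obj = NULL` initialiser at the declaration was dropped, which is fine only because both lookups now reset `obj = NULL` first; the helper removes that dependency too. check_filteraaaa's closing `return (result); }` lies outside this hunk.

```c
/*
 * Fetch one of the filter-aaaa-on-v4 / filter-aaaa-on-v6 clauses,
 * preferring the view options and falling back to the global options.
 * Absent -> dns_aaaa_ok; boolean -> filter/ok; the only other value
 * the parser accepts is "break-dnssec".
 */
static dns_aaaa_t
get_filter_aaaa(const cfg_obj_t *voptions, const cfg_obj_t *config,
		const char *clause)
{
	const cfg_obj_t *options = NULL, *obj = NULL;

	if (voptions != NULL)
		cfg_map_get(voptions, clause, &obj);
	if (obj == NULL && config != NULL) {
		cfg_map_get(config, "options", &options);
		if (options != NULL)
			cfg_map_get(options, clause, &obj);
	}
	if (obj == NULL)
		return (dns_aaaa_ok);
	if (cfg_obj_isboolean(obj))
		return (cfg_obj_asboolean(obj) ? dns_aaaa_filter : dns_aaaa_ok);
	return (dns_aaaa_break_dnssec);	/* "break-dnssec" */
}

/* … unchanged: check_filteraaaa up to the cfg_acl_fromconfig() call … */
	filter4 = get_filter_aaaa(voptions, config, "filter-aaaa-on-v4");
	filter6 = get_filter_aaaa(voptions, config, "filter-aaaa-on-v6");
/* … unchanged: the two consistency checks and the failure: label … */
```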


@ -175,7 +175,7 @@ typedef int dns_messagetextflag_t;
additional section. */
#define DNS_MESSAGERENDER_PREFER_AAAA 0x0010 /*%< prefer AAAA records in
additional section. */
#ifdef ALLOW_FILTER_AAAA_ON_V4
#ifdef ALLOW_FILTER_AAAA
#define DNS_MESSAGERENDER_FILTER_AAAA 0x0020 /*%< filter AAAA records */
#endif


@ -192,10 +192,10 @@ typedef enum {
} dns_masterformat_t;
typedef enum {
dns_v4_aaaa_ok = 0,
dns_v4_aaaa_filter = 1,
dns_v4_aaaa_break_dnssec = 2
} dns_v4_aaaa_t;
dns_aaaa_ok = 0,
dns_aaaa_filter = 1,
dns_aaaa_break_dnssec = 2
} dns_aaaa_t;
/*
* These are generated by gen.c.


@ -158,8 +158,9 @@ struct dns_view {
dns_name_t * dlv;
dns_fixedname_t dlv_fixed;
isc_uint16_t maxudp;
dns_v4_aaaa_t v4_aaaa;
dns_acl_t * v4_aaaa_acl;
dns_aaaa_t v4_aaaa;
dns_aaaa_t v6_aaaa;
dns_acl_t * aaaa_acl;
dns_dns64list_t dns64;
unsigned int dns64cnt;
ISC_LIST(dns_rpz_zone_t) rpz_zones;


@ -1803,7 +1803,7 @@ wrong_priority(dns_rdataset_t *rds, int pass, dns_rdatatype_t preferred_glue) {
return (ISC_TRUE);
}
#ifdef ALLOW_FILTER_AAAA_ON_V4
#ifdef ALLOW_FILTER_AAAA
/*
* Decide whether to not answer with an AAAA record and its RRSIG
*/
@ -1960,7 +1960,7 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
preferred_glue))
goto next;
#ifdef ALLOW_FILTER_AAAA_ON_V4
#ifdef ALLOW_FILTER_AAAA
/*
* Suppress AAAAs if asked and we are
* not doing DNSSEC or are breaking DNSSEC.


@ -191,8 +191,9 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
view->flush = ISC_FALSE;
view->dlv = NULL;
view->maxudp = 0;
view->v4_aaaa = dns_v4_aaaa_ok;
view->v4_aaaa_acl = NULL;
view->v4_aaaa = dns_aaaa_ok;
view->v6_aaaa = dns_aaaa_ok;
view->aaaa_acl = NULL;
ISC_LIST_INIT(view->rpz_zones);
dns_fixedname_init(&view->dlv_fixed);
view->managed_keys = NULL;
@ -374,8 +375,8 @@ destroy(dns_view_t *view) {
dns_acl_detach(&view->upfwdacl);
if (view->denyansweracl != NULL)
dns_acl_detach(&view->denyansweracl);
if (view->v4_aaaa_acl != NULL)
dns_acl_detach(&view->v4_aaaa_acl);
if (view->aaaa_acl != NULL)
dns_acl_detach(&view->aaaa_acl);
if (view->answeracl_exclude != NULL)
dns_rbt_destroy(&view->answeracl_exclude);
if (view->denyanswernames != NULL)


@ -122,7 +122,7 @@ static cfg_type_t cfg_type_zone;
static cfg_type_t cfg_type_zoneopts;
static cfg_type_t cfg_type_dynamically_loadable_zones;
static cfg_type_t cfg_type_dynamically_loadable_zones_opts;
static cfg_type_t cfg_type_v4_aaaa;
static cfg_type_t cfg_type_filter_aaaa;
/*
* Clauses that can be found in a 'dynamically loadable zones' statement
@ -1282,13 +1282,16 @@ view_clauses[] = {
{ "transfer-format", &cfg_type_transferformat, 0 },
{ "use-queryport-pool", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
{ "zero-no-soa-ttl-cache", &cfg_type_boolean, 0 },
#ifdef ALLOW_FILTER_AAAA_ON_V4
#ifdef ALLOW_FILTER_AAAA
{ "filter-aaaa", &cfg_type_bracketed_aml, 0 },
{ "filter-aaaa-on-v4", &cfg_type_v4_aaaa, 0 },
{ "filter-aaaa-on-v4", &cfg_type_filter_aaaa, 0 },
{ "filter-aaaa-on-v6", &cfg_type_filter_aaaa, 0 },
#else
{ "filter-aaaa", &cfg_type_bracketed_aml,
CFG_CLAUSEFLAG_NOTCONFIGURED },
{ "filter-aaaa-on-v4", &cfg_type_v4_aaaa,
{ "filter-aaaa-on-v4", &cfg_type_filter_aaaa,
CFG_CLAUSEFLAG_NOTCONFIGURED },
{ "filter-aaaa-on-v6", &cfg_type_filter_aaaa,
CFG_CLAUSEFLAG_NOTCONFIGURED },
#endif
{ "response-policy", &cfg_type_rpz, 0 },
@ -1898,15 +1901,15 @@ static cfg_type_t cfg_type_ixfrdifftype = {
&cfg_rep_string, ixfrdiff_enums,
};
static const char *v4_aaaa_enums[] = { "break-dnssec", NULL };
static const char *filter_aaaa_enums[] = { "break-dnssec", NULL };
static isc_result_t
parse_v4_aaaa(cfg_parser_t *pctx, const cfg_type_t *type,
parse_filter_aaaa(cfg_parser_t *pctx, const cfg_type_t *type,
cfg_obj_t **ret) {
return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
}
static cfg_type_t cfg_type_v4_aaaa = {
"v4_aaaa", parse_v4_aaaa, cfg_print_ustring,
doc_enum_or_other, &cfg_rep_string, v4_aaaa_enums,
static cfg_type_t cfg_type_filter_aaaa = {
"filter_aaaa", parse_filter_aaaa, cfg_print_ustring,
doc_enum_or_other, &cfg_rep_string, filter_aaaa_enums,
};
static keyword_type_t key_kw = { "key", &cfg_type_astring };