mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-31 06:25:31 +00:00
option to disable validation under specified names
- added new 'validate-except' option, which configures an NTA with expiry of 0xffffffff. NTAs with that value in the expiry field do not expire, are are not written out when saving the NTA table and are not dumped by rndc secroots
This commit is contained in:
Evan Hunt
142
lib/dns/nta.c
142
lib/dns/nta.c
@@ -547,20 +547,28 @@ dns_ntatable_totext(dns_ntatable_t *ntatable, isc_buffer_t **buf) {
|
||||
dns_name_t *name;
|
||||
isc_time_t t;
|
||||
|
||||
name = dns_fixedname_initname(&fn);
|
||||
dns_rbt_fullnamefromnode(node, name);
|
||||
dns_name_format(name, nbuf, sizeof(nbuf));
|
||||
isc_time_set(&t, n->expiry, 0);
|
||||
isc_time_formattimestamp(&t, tbuf, sizeof(tbuf));
|
||||
/*
|
||||
* Skip "validate-except" entries.
|
||||
*/
|
||||
if (n->expiry != 0xffffffffU) {
|
||||
name = dns_fixedname_initname(&fn);
|
||||
dns_rbt_fullnamefromnode(node, name);
|
||||
dns_name_format(name, nbuf, sizeof(nbuf));
|
||||
isc_time_set(&t, n->expiry, 0);
|
||||
isc_time_formattimestamp(&t, tbuf,
|
||||
sizeof(tbuf));
|
||||
|
||||
snprintf(obuf, sizeof(obuf), "%s%s: %s %s",
|
||||
first ? "" : "\n", nbuf,
|
||||
n->expiry <= now ? "expired" : "expiry",
|
||||
tbuf);
|
||||
first = false;
|
||||
result = putstr(buf, obuf);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
goto cleanup;
|
||||
snprintf(obuf, sizeof(obuf), "%s%s: %s %s",
|
||||
first ? "" : "\n", nbuf,
|
||||
n->expiry <= now
|
||||
? "expired"
|
||||
: "expiry",
|
||||
tbuf);
|
||||
first = false;
|
||||
result = putstr(buf, obuf);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
goto cleanup;
|
||||
}
|
||||
}
|
||||
result = dns_rbtnodechain_next(&chain, NULL, NULL);
|
||||
if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
|
||||
@@ -576,56 +584,6 @@ dns_ntatable_totext(dns_ntatable_t *ntatable, isc_buffer_t **buf) {
|
||||
return (result);
|
||||
}
|
||||
|
||||
#if 0
|
||||
isc_result_t
|
||||
dns_ntatable_dump(dns_ntatable_t *ntatable, FILE *fp) {
|
||||
isc_result_t result;
|
||||
dns_rbtnode_t *node;
|
||||
dns_rbtnodechain_t chain;
|
||||
isc_stdtime_t now;
|
||||
|
||||
REQUIRE(VALID_NTATABLE(ntatable));
|
||||
|
||||
isc_stdtime_get(&now);
|
||||
|
||||
RWLOCK(&ntatable->rwlock, isc_rwlocktype_read);
|
||||
dns_rbtnodechain_init(&chain, ntatable->view->mctx);
|
||||
result = dns_rbtnodechain_first(&chain, ntatable->table, NULL, NULL);
|
||||
if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN)
|
||||
goto cleanup;
|
||||
for (;;) {
|
||||
dns_rbtnodechain_current(&chain, NULL, NULL, &node);
|
||||
if (node->data != NULL) {
|
||||
dns_nta_t *n = (dns_nta_t *) node->data;
|
||||
char nbuf[DNS_NAME_FORMATSIZE], tbuf[80];
|
||||
dns_fixedname_t fn;
|
||||
dns_name_t *name;
|
||||
isc_time_t t;
|
||||
|
||||
name = dns_fixedname_initname(&fn);
|
||||
dns_rbt_fullnamefromnode(node, name);
|
||||
dns_name_format(name, nbuf, sizeof(nbuf));
|
||||
isc_time_set(&t, n->expiry, 0);
|
||||
isc_time_formattimestamp(&t, tbuf, sizeof(tbuf));
|
||||
fprintf(fp, "%s: %s %s\n", nbuf,
|
||||
n->expiry <= now ? "expired" : "expiry",
|
||||
tbuf);
|
||||
}
|
||||
result = dns_rbtnodechain_next(&chain, NULL, NULL);
|
||||
if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
|
||||
if (result == ISC_R_NOMORE)
|
||||
result = ISC_R_SUCCESS;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
cleanup:
|
||||
dns_rbtnodechain_invalidate(&chain);
|
||||
RWUNLOCK(&ntatable->rwlock, isc_rwlocktype_read);
|
||||
return (result);
|
||||
}
|
||||
#endif
|
||||
|
||||
isc_result_t
|
||||
dns_ntatable_dump(dns_ntatable_t *ntatable, FILE *fp) {
|
||||
isc_result_t result;
|
||||
@@ -674,35 +632,41 @@ dns_ntatable_save(dns_ntatable_t *ntatable, FILE *fp) {
|
||||
for (;;) {
|
||||
dns_rbtnodechain_current(&chain, NULL, NULL, &node);
|
||||
if (node->data != NULL) {
|
||||
isc_buffer_t b;
|
||||
char nbuf[DNS_NAME_FORMATSIZE + 1], tbuf[80];
|
||||
dns_fixedname_t fn;
|
||||
dns_name_t *name;
|
||||
dns_nta_t *n = (dns_nta_t *) node->data;
|
||||
if (n->expiry > now) {
|
||||
isc_buffer_t b;
|
||||
char nbuf[DNS_NAME_FORMATSIZE + 1], tbuf[80];
|
||||
dns_fixedname_t fn;
|
||||
dns_name_t *name;
|
||||
|
||||
name = dns_fixedname_initname(&fn);
|
||||
dns_rbt_fullnamefromnode(node, name);
|
||||
|
||||
isc_buffer_init(&b, nbuf, sizeof(nbuf));
|
||||
result = dns_name_totext(name, false, &b);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
goto skip;
|
||||
|
||||
/* Zero terminate. */
|
||||
isc_buffer_putuint8(&b, 0);
|
||||
|
||||
isc_buffer_init(&b, tbuf, sizeof(tbuf));
|
||||
dns_time32_totext(n->expiry, &b);
|
||||
|
||||
/* Zero terminate. */
|
||||
isc_buffer_putuint8(&b, 0);
|
||||
|
||||
fprintf(fp, "%s %s %s\n", nbuf,
|
||||
n->forced ? "forced" : "regular",
|
||||
tbuf);
|
||||
written = true;
|
||||
/*
|
||||
* Skip this node if the expiry is already in the
|
||||
* past, or if this is a "validate-except" entry.
|
||||
*/
|
||||
if (n->expiry <= now || n->expiry == 0xffffffffU) {
|
||||
goto skip;
|
||||
}
|
||||
|
||||
name = dns_fixedname_initname(&fn);
|
||||
dns_rbt_fullnamefromnode(node, name);
|
||||
|
||||
isc_buffer_init(&b, nbuf, sizeof(nbuf));
|
||||
result = dns_name_totext(name, false, &b);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
goto skip;
|
||||
|
||||
/* Zero terminate. */
|
||||
isc_buffer_putuint8(&b, 0);
|
||||
|
||||
isc_buffer_init(&b, tbuf, sizeof(tbuf));
|
||||
dns_time32_totext(n->expiry, &b);
|
||||
|
||||
/* Zero terminate. */
|
||||
isc_buffer_putuint8(&b, 0);
|
||||
|
||||
fprintf(fp, "%s %s %s\n", nbuf,
|
||||
n->forced ? "forced" : "regular",
|
||||
tbuf);
|
||||
written = true;
|
||||
}
|
||||
skip:
|
||||
result = dns_rbtnodechain_next(&chain, NULL, NULL);
|
||||
|
||||
Reference in New Issue
Block a user