
allow configuration of dnsrps library path

for testing purposes, we need to be able to specify a library path from
which to load the dnsrps implementation. this can now be done with the
"dnsrps-library" option.

DNSRPS can now be enabled in configure regardless of whether librpz.so
is currently installed on the system.
Evan Hunt 2023-03-13 14:13:39 -07:00
parent bd7f85c7e1
commit f2855cb664
10 changed files with 76 additions and 40 deletions


@ -149,6 +149,9 @@ options {\n\
clients-per-query 10;\n\ clients-per-query 10;\n\
dnssec-accept-expired no;\n\ dnssec-accept-expired no;\n\
dnssec-validation " VALIDATION_DEFAULT "; \n" dnssec-validation " VALIDATION_DEFAULT "; \n"
#ifdef USE_DNSRPS
" dnsrps-library \"" DNSRPS_LIBRPZ_PATH "\";\n"
#endif /* ifdef USE_DNSRPS */
#ifdef HAVE_DNSTAP #ifdef HAVE_DNSTAP
" dnstap-identity hostname;\n" " dnstap-identity hostname;\n"
#endif /* ifdef HAVE_DNSTAP */ #endif /* ifdef HAVE_DNSTAP */
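Review bot: The default `dnsrps-library` value bakes DNSRPS_LIBRPZ_PATH into the built-in configuration as a string literal; per the configure.ac hunk in this commit, without `--with-dnsrps-dir` that macro is the bare `$librpz_name`, so the default is resolved through the dynamic loader's search path at run time rather than pinned to one location. A short comment next to the `#ifdef USE_DNSRPS` block, e.g. `/* Configure-time librpz path; a bare name is resolved by dlopen(3)'s search path. */`, would make that visible, and the configure-time default may be better expressed as an absolute path. The surrounding default-configuration string starts and ends outside the hunk.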


@ -50,16 +50,15 @@ struct named_server {
char *statsfile; /*%< Statistics file name */ char *statsfile; /*%< Statistics file name */
char *dumpfile; /*%< Dump file name */ char *dumpfile; /*%< Dump file name */
char *secrootsfile; /*%< Secroots file name */ char *secrootsfile; /*%< Secroots file name */
char *bindkeysfile; /*%< bind.keys file name char *bindkeysfile; /*%< bind.keys file name */
* */
char *recfile; /*%< Recursive file name */ char *recfile; /*%< Recursive file name */
bool version_set; /*%< User has set version bool version_set; /*%< User has set version */
* */
char *version; /*%< User-specified version */ char *version; /*%< User-specified version */
bool hostname_set; /*%< User has set hostname bool hostname_set; /*%< User has set hostname */
* */ char *hostname; /*%< User-specified hostname */
char *hostname; /*%< User-specified hostname #ifdef USE_DNSRPS
* */ char *dnsrpslib;
#endif /* ifdef USE_DNSRPS */
/* Server data structures. */ /* Server data structures. */
dns_loadmgr_t *loadmgr; dns_loadmgr_t *loadmgr;
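Review bot: The new `dnsrpslib` member is the only field in this part of `struct named_server` without a `/*%<` description, while every neighbouring member carries one. Suggest `char *dnsrpslib; /*%< DNSRPS provider library path */`, and since it is allocated via setstring() and released with isc_mem_free() in named_server_destroy in this commit, noting that the server owns the string would help. The struct definition continues outside the hunk.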


@ -2025,7 +2025,7 @@ conf_dnsrps_sadd(conf_dnsrps_ctx_t *ctx, const char *p, ...) {
} }
/* /*
* Get an DNSRPS configuration value using the global and view options * Get a DNSRPS configuration value using the global and view options
* for the default. Return false upon failure. * for the default. Return false upon failure.
*/ */
static bool static bool
@ -9079,6 +9079,35 @@ load_configuration(const char *filename, named_server_t *server,
server->kasplist = kasplist; server->kasplist = kasplist;
kasplist = tmpkasplist; kasplist = tmpkasplist;
#ifdef USE_DNSRPS
/*
* Find the path to the DNSRPS implementation library.
*/
obj = NULL;
if (named_config_get(maps, "dnsrps-library", &obj) == ISC_R_SUCCESS) {
if (server->dnsrpslib != NULL) {
dns_dnsrps_server_destroy();
isc_mem_free(server->mctx, server->dnsrpslib);
server->dnsrpslib = NULL;
}
setstring(server, &server->dnsrpslib, cfg_obj_asstring(obj));
result = dns_dnsrps_server_create(server->dnsrpslib);
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_SERVER, ISC_LOG_DEBUG(1),
"initializing DNSRPS RPZ provider '%s': %s",
server->dnsrpslib, isc_result_totext(result));
/*
* It's okay if librpz isn't available. We'll complain
* later if it turns out to be needed for a view with
* "dnsrps-enable yes".
*/
if (result == ISC_R_FILENOTFOUND) {
result = ISC_R_SUCCESS;
}
CHECKFATAL(result, "initializing RPZ service interface");
}
#endif /* ifdef USE_DNSRPS */
/* /*
* Configure the views. * Configure the views.
*/ */
@ -10135,18 +10164,13 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) {
.recfile = isc_mem_strdup(mctx, "named.recursing"), .recfile = isc_mem_strdup(mctx, "named.recursing"),
}; };
#ifdef USE_DNSRPS
CHECKFATAL(dns_dnsrps_server_create(), "initializing RPZ service "
"interface");
#endif /* ifdef USE_DNSRPS */
/* Initialize server data structures. */ /* Initialize server data structures. */
ISC_LIST_INIT(server->kasplist); ISC_LIST_INIT(server->kasplist);
ISC_LIST_INIT(server->viewlist); ISC_LIST_INIT(server->viewlist);
/* Must be first. */ /* Must be first. */
CHECKFATAL(dst_lib_init(named_g_mctx, named_g_engine), "initializing " CHECKFATAL(dst_lib_init(named_g_mctx, named_g_engine),
"DST"); "initializing DST");
CHECKFATAL(dns_rootns_create(mctx, dns_rdataclass_in, NULL, CHECKFATAL(dns_rootns_create(mctx, dns_rdataclass_in, NULL,
&server->in_roothints), &server->in_roothints),
@ -10218,6 +10242,7 @@ named_server_destroy(named_server_t **serverp) {
#ifdef USE_DNSRPS #ifdef USE_DNSRPS
dns_dnsrps_server_destroy(); dns_dnsrps_server_destroy();
isc_mem_free(server->mctx, server->dnsrpslib);
#endif /* ifdef USE_DNSRPS */ #endif /* ifdef USE_DNSRPS */
named_controls_destroy(&server->controls); named_controls_destroy(&server->controls);
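Review bot: In load_configuration, the `dnsrps-library` block calls dns_dnsrps_server_destroy() and reopens the provider on every reconfiguration, even when the path is unchanged, and it does so before the views are configured; if views from the previous configuration still hold librpz-backed state at that point they would outlive the library they reference, since dns_dnsrps_server_destroy in this commit dlclose()s the handle and sets `librpz` to NULL. Comparing the configured path against `server->dnsrpslib` and skipping the destroy/create cycle when it is unchanged limits the unload to an actual path change; the trade-off is that a library that was missing at the previous load is not retried on a plain reload, which may or may not be wanted. A smaller point in named_server_destroy: `isc_mem_free(server->mctx, server->dnsrpslib)` is unconditional, so if `dnsrpslib` can still be NULL there (no configuration loaded yet) it needs a guard, as isc_mem_free, as far as I recall, REQUIREs a non-NULL pointer. load_configuration starts and ends outside the hunk.
```c
	/*
	 * Find the path to the DNSRPS implementation library.
	 * Only tear down and reopen the provider when the path changed.
	 */
	obj = NULL;
	if (named_config_get(maps, "dnsrps-library", &obj) == ISC_R_SUCCESS) {
		const char *newlib = cfg_obj_asstring(obj);
		if (server->dnsrpslib != NULL &&
		    strcmp(server->dnsrpslib, newlib) != 0)
		{
			dns_dnsrps_server_destroy();
			isc_mem_free(server->mctx, server->dnsrpslib);
			server->dnsrpslib = NULL;
		}
		if (server->dnsrpslib == NULL) {
			setstring(server, &server->dnsrpslib, newlib);
			result = dns_dnsrps_server_create(server->dnsrpslib);
			/* … unchanged: debug log, ISC_R_FILENOTFOUND tolerance, CHECKFATAL … */
		}
	}
```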


@ -1478,10 +1478,10 @@ AC_COMPILE_IFELSE(
AC_ARG_ENABLE([dnsrps-dl], AC_ARG_ENABLE([dnsrps-dl],
[AS_HELP_STRING([--enable-dnsrps-dl], [AS_HELP_STRING([--enable-dnsrps-dl],
[DNS Response Policy Service delayed link [DNS Response Policy Service delayed link
[default=$librpz_dl]])], [default=yes]])],
[enable_librpz_dl="$enableval"], [enable_librpz_dl="$with_dlopen"]) [enable_dnsprs_dl="$enableval"], [enable_dnsrps_dl="yes"])
AS_IF([test "$enable_librpz_dl" = "yes" -a "$with_dlopen" = "no"], AS_IF([test "$enable_dnsprs_dl" = "yes" -a "$with_dlopen" = "no"],
[AC_MSG_ERROR([DNS Response Policy Service delayed link requires dlopen to be enabled])]) [AC_MSG_ERROR([DNS Response Policy Service delayed link requires dlopen to be enabled])])
# [pairwise: skip] # [pairwise: skip]
@ -1497,7 +1497,7 @@ AC_ARG_WITH([dnsrps-dir],
[librpz_path="$withval/$librpz_name"], [librpz_path="$librpz_name"]) [librpz_path="$withval/$librpz_name"], [librpz_path="$librpz_name"])
AC_DEFINE_UNQUOTED([DNSRPS_LIBRPZ_PATH], ["$librpz_path"], AC_DEFINE_UNQUOTED([DNSRPS_LIBRPZ_PATH], ["$librpz_path"],
[dnsrps $librpz_name]) [dnsrps $librpz_name])
AS_IF([test "$enable_librpz_dl" = "yes"], AS_IF([test "$enable_dnsrps_dl" = "yes"],
[ [
dnsrps_lib_open=2 dnsrps_lib_open=2
],[ ],[
@ -1517,8 +1517,6 @@ AC_ARG_ENABLE([dnsrps],
[enable_dnsrps=$enableval], [enable_dnsrps=no]) [enable_dnsrps=$enableval], [enable_dnsrps=no])
AS_IF([test "$enable_dnsrps" != "no"],[ AS_IF([test "$enable_dnsrps" != "no"],[
AS_IF([test "$dnsrps_avail" != "yes"],
[AC_MSG_ERROR([dlopen and librpz.so needed for DNSRPS])])
AS_IF([test "$dnsrps_lib_open" = "0"], AS_IF([test "$dnsrps_lib_open" = "0"],
[AC_MSG_ERROR([dlopen and librpz.so needed for DNSRPS])]) [AC_MSG_ERROR([dlopen and librpz.so needed for DNSRPS])])
AC_DEFINE([USE_DNSRPS], [1], [Enable DNS Response Policy Service API]) AC_DEFINE([USE_DNSRPS], [1], [Enable DNS Response Policy Service API])
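Review bot: The variable written by the `--enable-dnsrps-dl` AC_ARG_ENABLE is misspelled: the action-if-given stores into `enable_dnsprs_dl` and the following dlopen check tests `$enable_dnsprs_dl`, while the action-if-not-given and the later `dnsrps_lib_open=2` branch use `enable_dnsrps_dl`. As written, an explicit `--enable-dnsrps-dl` never sets `dnsrps_lib_open=2` because the correctly spelled variable stays empty, and the default `yes` path never reaches the "requires dlopen" error because the misspelled one is empty then. Change the two lines to `[enable_dnsrps_dl="$enableval"], [enable_dnsrps_dl="yes"])` and `AS_IF([test "$enable_dnsrps_dl" = "yes" -a "$with_dlopen" = "no"],`.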


@ -5110,6 +5110,15 @@ done to discover problems at the authoritative server.
(DNSRPS) interface, if it has been compiled in :iscman:`named` using (DNSRPS) interface, if it has been compiled in :iscman:`named` using
``configure --enable-dnsrps``. ``configure --enable-dnsrps``.
.. namedconf:statement:: dnsrps-library
:tags: server, security
:short: Turns on the DNS Response Policy Service (DNSRPS) interface.
This option specifies the path to the DNSRPS provider library. Typically
this library is detected when building with ``configure --enable-dnsrps``
and does not need to be specified in ``named.conf``; the option exists
to override the default library for testing purposes.
.. namedconf:statement:: dnsrps-options .. namedconf:statement:: dnsrps-options
:tags: server, security :tags: server, security
:short: Provides additional RPZ configuration settings, which are passed to the DNS Response Policy Service (DNSRPS) provider library. :short: Provides additional RPZ configuration settings, which are passed to the DNS Response Policy Service (DNSRPS) provider library.
@ -5117,7 +5126,7 @@ done to discover problems at the authoritative server.
The block provides additional RPZ configuration The block provides additional RPZ configuration
settings, which are passed through to the DNSRPS provider library. settings, which are passed through to the DNSRPS provider library.
Multiple DNSRPS settings in an :any:`dnsrps-options` string should be Multiple DNSRPS settings in an :any:`dnsrps-options` string should be
separated with semi-colons (;). The DNSRPS provider, librpz, is passed a separated with semi-colons (;). The DNSRPS provider library is passed a
configuration string consisting of the :any:`dnsrps-options` text, configuration string consisting of the :any:`dnsrps-options` text,
concatenated with settings derived from the :any:`response-policy` concatenated with settings derived from the :any:`response-policy`
statement. statement.


@ -112,6 +112,7 @@ options {
dns64-server <string>; dns64-server <string>;
dnskey-sig-validity <integer>; dnskey-sig-validity <integer>;
dnsrps-enable <boolean>; // not configured dnsrps-enable <boolean>; // not configured
dnsrps-library <quoted_string>; // not configured
dnsrps-options { <unspecified-text> }; // not configured dnsrps-options { <unspecified-text> }; // not configured
dnssec-accept-expired <boolean>; dnssec-accept-expired <boolean>;
dnssec-dnskey-kskonly <boolean>; dnssec-dnskey-kskonly <boolean>;


@ -33,9 +33,9 @@
#include <dns/rdatasetiter.h> #include <dns/rdatasetiter.h>
#include <dns/rpz.h> #include <dns/rpz.h>
librpz_t *librpz; librpz_t *librpz = NULL;
librpz_emsg_t librpz_lib_open_emsg; librpz_emsg_t librpz_lib_open_emsg;
static void *librpz_handle; static void *librpz_handle = NULL;
#define RPSDB_MAGIC ISC_MAGIC('R', 'P', 'Z', 'F') #define RPSDB_MAGIC ISC_MAGIC('R', 'P', 'Z', 'F')
#define VALID_RPSDB(rpsdb) ((rpsdb)->common.impmagic == RPSDB_MAGIC) #define VALID_RPSDB(rpsdb) ((rpsdb)->common.impmagic == RPSDB_MAGIC)
@ -129,7 +129,7 @@ dnsrps_log_fnc(librpz_log_level_t level, void *ctxt, const char *buf) {
* This is not thread safe, but it is called by a single thread. * This is not thread safe, but it is called by a single thread.
*/ */
isc_result_t isc_result_t
dns_dnsrps_server_create(void) { dns_dnsrps_server_create(const char *librpz_path) {
librpz_emsg_t emsg; librpz_emsg_t emsg;
INSIST(clist == NULL); INSIST(clist == NULL);
@ -140,14 +140,9 @@ dns_dnsrps_server_create(void) {
* Notice if librpz is available. * Notice if librpz is available.
*/ */
librpz = librpz_lib_open(&librpz_lib_open_emsg, &librpz_handle, librpz = librpz_lib_open(&librpz_lib_open_emsg, &librpz_handle,
DNSRPS_LIBRPZ_PATH); librpz_path);
/*
* Stop now without complaining if librpz is not available.
* Complain later if and when librpz is needed for a view with
* "dnsrps-enable yes" (including the default view).
*/
if (librpz == NULL) { if (librpz == NULL) {
return (ISC_R_SUCCESS); return (ISC_R_FILENOTFOUND);
} }
isc_mutex_init(&dnsrps_mutex); isc_mutex_init(&dnsrps_mutex);
@ -176,7 +171,7 @@ dns_dnsrps_server_destroy(void) {
librpz->clist_detach(&clist); librpz->clist_detach(&clist);
} }
#ifdef LIBRPZ_USE_DLOPEN #if DNSRPS_LIB_OPEN == 2
if (librpz != NULL) { if (librpz != NULL) {
INSIST(librpz_handle != NULL); INSIST(librpz_handle != NULL);
if (dlclose(librpz_handle) != 0) { if (dlclose(librpz_handle) != 0) {
@ -185,8 +180,9 @@ dns_dnsrps_server_destroy(void) {
"dnsrps: dlclose(): %s", dlerror()); "dnsrps: dlclose(): %s", dlerror());
} }
librpz_handle = NULL; librpz_handle = NULL;
librpz = NULL;
} }
#endif /* ifdef LIBRPZ_USE_DLOPEN */ #endif
} }
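Review bot: dns_dnsrps_server_create now maps every librpz_lib_open() failure to ISC_R_FILENOTFOUND without logging `librpz_lib_open_emsg`, and the caller in this commit treats that result as benign, so a library that exists but fails to load (dlopen error, missing symbol) is indistinguishable from one that is absent and the reason is never recorded. Before the `return (ISC_R_FILENOTFOUND);`, log `librpz_lib_open_emsg.c` together with `librpz_path` through the same isc_log_write() call shape that the dlclose() failure path in dns_dnsrps_server_destroy uses, at a debug level. Keeping a one-line version of the removed comment, e.g. `/* Report a missing librpz to the caller; it decides whether that is fatal. */`, would preserve the intent that was deleted. The `#if DNSRPS_LIB_OPEN == 2` in dns_dnsrps_server_destroy silently evaluates to false if the macro is not defined in this translation unit; presumably configure defines it, but an `#ifndef DNSRPS_LIB_OPEN` / `#error` guard near the top of the file would make that explicit.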
/* /*


@ -79,7 +79,7 @@ dns_dnsrps_type2trig(dns_rpz_type_t type);
* Start dnsrps for the entire server. * Start dnsrps for the entire server.
*/ */
isc_result_t isc_result_t
dns_dnsrps_server_create(void); dns_dnsrps_server_create(const char *librpz_path);
/* /*
* Stop dnsrps for the entire server. * Stop dnsrps for the entire server.
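Review bot: The comment above dns_dnsrps_server_create still says only "Start dnsrps for the entire server." although the prototype gained a `librpz_path` parameter and the implementation in this commit now returns ISC_R_FILENOTFOUND when the library cannot be opened. Suggest extending it to `* Start dnsrps for the entire server, loading the provider library from librpz_path.` followed by `* Returns ISC_R_FILENOTFOUND if the library cannot be opened.`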


@ -845,7 +845,7 @@ extern librpz_0_t librpz_def_0;
typedef librpz_0_t librpz_t; typedef librpz_0_t librpz_t;
extern librpz_t *librpz; extern librpz_t *librpz;
#if LIBRPZ_LIB_OPEN == 2 #if DNSRPS_LIB_OPEN == 2
#include <dlfcn.h> #include <dlfcn.h>
/** /**
@ -932,13 +932,13 @@ librpz_lib_open(librpz_emsg_t *emsg, void **dl_handle, const char *path) {
*dl_handle = NULL; *dl_handle = NULL;
} }
#if LIBRPZ_LIB_OPEN == 1 #if DNSRPS_LIB_OPEN == 1
emsg->c[0] = '\0'; emsg->c[0] = '\0';
return (&LIBRPZ_DEF); return (&LIBRPZ_DEF);
#else /* if LIBRPZ_LIB_OPEN == 1 */ #else /* if DNSRPS_LIB_OPEN == 1 */
snprintf(emsg->c, sizeof(librpz_emsg_t), snprintf(emsg->c, sizeof(librpz_emsg_t),
"librpz not available via ./configure"); "librpz not available via ./configure");
return (NULL); return (NULL);
#endif /* LIBRPZ_LIB_OPEN */ #endif /* DNSRPS_LIB_OPEN */
} }
#endif /* LIBRPZ_LIB_OPEN */ #endif /* LIBRPZ_LIB_OPEN */
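Review bot: The closing `#endif /* LIBRPZ_LIB_OPEN */` on the last line keeps the old macro name while the conditionals in this hunk were renamed to DNSRPS_LIB_OPEN; either the comment is stale and should read `#endif /* DNSRPS_LIB_OPEN */`, or the outer conditional it closes (outside the hunk) still tests LIBRPZ_LIB_OPEN, in which case the header mixes two macro names and that outer test needs renaming too. It is worth checking the tree for remaining LIBRPZ_LIB_OPEN and LIBRPZ_USE_DLOPEN references, since an `#if` on a macro that is no longer defined quietly evaluates to false rather than failing the build.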


@ -1206,6 +1206,11 @@ static cfg_clausedef_t options_clauses[] = {
{ "datasize", &cfg_type_size, CFG_CLAUSEFLAG_ANCIENT }, { "datasize", &cfg_type_size, CFG_CLAUSEFLAG_ANCIENT },
{ "deallocate-on-exit", NULL, CFG_CLAUSEFLAG_ANCIENT }, { "deallocate-on-exit", NULL, CFG_CLAUSEFLAG_ANCIENT },
{ "directory", &cfg_type_qstring, CFG_CLAUSEFLAG_CALLBACK }, { "directory", &cfg_type_qstring, CFG_CLAUSEFLAG_CALLBACK },
#ifdef USE_DNSRPS
{ "dnsrps-library", &cfg_type_qstring, 0 },
#else /* ifdef USE_DNSRPS */
{ "dnsrps-library", &cfg_type_qstring, CFG_CLAUSEFLAG_NOTCONFIGURED },
#endif /* ifdef USE_DNSRPS */
#ifdef HAVE_DNSTAP #ifdef HAVE_DNSTAP
{ "dnstap-output", &cfg_type_dnstapoutput, 0 }, { "dnstap-output", &cfg_type_dnstapoutput, 0 },
{ "dnstap-identity", &cfg_type_serverid, 0 }, { "dnstap-identity", &cfg_type_serverid, 0 },
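Review bot: The new `dnsrps-library` clause is declared with flags 0 in the USE_DNSRPS branch, although the ARM text in this commit describes it as an override that exists for testing purposes; if the grammar's CFG_CLAUSEFLAG_TESTONLY flag is still available, `{ "dnsrps-library", &cfg_type_qstring, CFG_CLAUSEFLAG_TESTONLY },` would carry that intent into the generated option listing. The value is accepted as any quoted string and, presumably, handed to dlopen(3) via librpz_lib_open() at load time, so a brief comment above the block noting that the path is not validated at parse time would help the next reader.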