author | Internet Software Consortium, Inc <@isc.org> | 2013-10-29 14:54:54 -0600 |
---|---|---|
committer | Internet Software Consortium, Inc <@isc.org> | 2013-10-29 14:55:01 -0600 |
commit | 66e6eb1d4417635aa5431ab6e66ada4ff33ecc98 (patch) | |
tree | 79b7e8f2232da09558fd63abad4f237614b1f638 | |
parent | 816cb5580f04b5989e0f952510d64201a16d0494 (diff) | |
download | bind9-66e6eb1d4417635aa5431ab6e66ada4ff33ecc98.tar.gz |
9.9.4rc2
56 files changed, 994 insertions, 306 deletions
@@ -1,3 +1,36 @@ + --- 9.9.4rc2 released --- + +3637. [bug] 'allow-query-on' was checking the source address + rather than the destination address. [RT #34590] + +3636. [bug] Automatic empty zones now behave better with + forward only "zones" beneath them. [RT #34583] + +3635. [bug] Signatures were not being removed from a zone with + only KSK keys for a algorithm. [RT #24439] + +3634. [func] Report build-id in rndc status. Report build-id + when building from a git repository. [RT #20422] + +3633. [cleanup] Refactor OPT processing in named to make it easier + to support new EDNS options. [RT #34414] + +3632. [bug] Signature from newly inactive keys were not being + removed. [RT #32178] + +3631. [bug] Remove spurious warning about missing signatures when + qtype is SIG. [RT #34600] + +3630. [bug] Ensure correct ID computation for MD5 keys. [RT #33033] + +3627. [bug] RPZ changes were not effective on slaves. [RT #34450] + +3625. [bug] Don't send notify messages to machines outside of the + test setup. + +3623. [bug] zone-statistics was only effective in new statistics. + [RT #34466] + --- 9.9.4rc1 released --- 3621. [security] Incorrect bounds checking on private type 'keydata' @@ -70,7 +103,8 @@ 3586. [bug] Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706] 3584. [security] Caching data from an incompletely signed zone could - trigger an assertion failure in resolver.c [RT #33690] + trigger an assertion failure in resolver.c + (CVE-2013-3919). [RT #33690] 3583. [bug] Address memory leak in GSS-API processing [RT #33574] 
@@ -54,9 +54,10 @@ BIND 9 BIND 9.9.4 BIND 9.9.4 is a maintenance release, and patches the security - flaw described in CVE-2013-3919. It also introduces DNS - Response Rate Limiting (DNS RRL) as a compile-time option. - to use this feature, configure with the "--enable-rrl" option. + flaws described in CVE-2013-3919 and CVE-2013-4854. It also + introduces DNS Response Rate Limiting (DNS RRL) as a + compile-time option. to use this feature, configure with + the "--enable-rrl" option. BIND 9.9.3 diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c index 7c8c6ce2..5f5f7d88 100644 --- a/bin/dnssec/dnssectool.c +++ b/bin/dnssec/dnssectool.c @@ -319,11 +319,35 @@ strtotime(const char *str, isc_int64_t now, isc_int64_t base) { isc_result_t result; const char *orig = str; char *endp; + int n; if ((str[0] == '0' || str[0] == '-') && str[1] == '\0') return ((isc_stdtime_t) 0); - if (strncmp(str, "now", 3) == 0) { + /* + * We accept times in the following formats: + * now([+-]offset) + * YYYYMMDD([+-]offset) + * YYYYMMDDhhmmss([+-]offset) + * [+-]offset + */ + n = strspn(str, "0123456789"); + if ((n == 8 || n == 14) && + (str[n] == '\0' || str[n] == '-' || str[n] == '+')) + { + char timestr[15]; + + strlcpy(timestr, str, sizeof(timestr)); + timestr[n] = 0; + if (n == 8) + strlcat(timestr, "000000", sizeof(timestr)); + result = dns_time64_fromtext(timestr, &val); + if (result != ISC_R_SUCCESS) + fatal("time value %s is invalid: %s", orig, + isc_result_totext(result)); + base = val; + str += n; + } else if (strncmp(str, "now", 3) == 0) { base = now; str += 3; } 
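Review bot: The new format comment in strtotime() lists `now`, `YYYYMMDD`, `YYYYMMDDhhmmss` and bare offsets, but not the `0` / `-` shorthand that the `if` immediately above it still accepts and maps to time 0; adding ` *      0 or -  (the zero time)` to that list keeps the one place a reader looks complete. Separately, `n` receives the `size_t` result of strspn() in an `int`; it is harmless here because `n` is only ever compared with 8 and 14 and used to index within a 15-byte buffer, but `size_t n = strspn(str, "0123456789");` says what it is and avoids a sign-conversion warning. The offset-handling branches that follow the `now` case are outside this hunk.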
@@ -338,21 +362,8 @@ strtotime(const char *str, isc_int64_t now, isc_int64_t base) { offset = strtol(str + 1, &endp, 0); offset = time_units((isc_stdtime_t) offset, endp, orig); val = base - offset; - } else if (strlen(str) == 8U) { - char timestr[15]; - sprintf(timestr, "%s000000", str); - result = dns_time64_fromtext(timestr, &val); - if (result != ISC_R_SUCCESS) - fatal("time value %s is invalid: %s", orig, - isc_result_totext(result)); - } else if (strlen(str) > 14U) { + } else fatal("time value %s is invalid", orig); - } else { - result = dns_time64_fromtext(str, &val); - if (result != ISC_R_SUCCESS) - fatal("time value %s is invalid: %s", orig, - isc_result_totext(result)); - } return ((isc_stdtime_t) val); } diff --git a/bin/named/client.c b/bin/named/client.c index 2642f99b..9adf36b5 100644 --- a/bin/named/client.c +++ b/bin/named/client.c 
@@ -1243,62 +1243,30 @@ ns_client_error(ns_client_t *client, isc_result_t result) { static inline isc_result_t client_addopt(ns_client_t *client) { - dns_rdataset_t *rdataset; - dns_rdatalist_t *rdatalist; - dns_rdata_t *rdata; + char nsid[BUFSIZ], *nsidp; isc_result_t result; dns_view_t *view; dns_resolver_t *resolver; isc_uint16_t udpsize; + dns_ednsopt_t ednsopts[2]; + int count = 0; + unsigned int flags; REQUIRE(client->opt == NULL); /* XXXRTH free old. */ - rdatalist = NULL; - result = dns_message_gettemprdatalist(client->message, &rdatalist); - if (result != ISC_R_SUCCESS) - return (result); - rdata = NULL; - result = dns_message_gettemprdata(client->message, &rdata); - if (result != ISC_R_SUCCESS) - return (result); - rdataset = NULL; - result = dns_message_gettemprdataset(client->message, &rdataset); - if (result != ISC_R_SUCCESS) - return (result); - dns_rdataset_init(rdataset); - - rdatalist->type = dns_rdatatype_opt; - rdatalist->covers = 0; - - /* - * Set the maximum UDP buffer size. - */ view = client->view; resolver = (view != NULL) ? view->resolver : NULL; if (resolver != NULL) udpsize = dns_resolver_getudpsize(resolver); else udpsize = ns_g_udpsize; - rdatalist->rdclass = udpsize; - /* - * Set EXTENDED-RCODE, VERSION and Z to 0. - */ - rdatalist->ttl = (client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE); + flags = client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE; /* Set EDNS options if applicable */ - if (client->attributes & NS_CLIENTATTR_WANTNSID && + if ((client->attributes & NS_CLIENTATTR_WANTNSID) != 0 && (ns_g_server->server_id != NULL || ns_g_server->server_usehostname)) { - /* - * Space required for NSID data: - * 2 bytes for opt code - * + 2 bytes for NSID length - * + NSID itself - */ - char nsid[BUFSIZ], *nsidp; - isc_buffer_t *buffer = NULL; - if (ns_g_server->server_usehostname) { isc_result_t result; result = ns_os_gethostname(nsid, sizeof(nsid)); 
@@ -1309,35 +1277,15 @@ client_addopt(ns_client_t *client) { } else nsidp = ns_g_server->server_id; - rdata->length = strlen(nsidp) + 4; - result = isc_buffer_allocate(client->mctx, &buffer, - rdata->length); - if (result != ISC_R_SUCCESS) - goto no_nsid; - - isc_buffer_putuint16(buffer, DNS_OPT_NSID); - isc_buffer_putuint16(buffer, strlen(nsidp)); - isc_buffer_putstr(buffer, nsidp); - rdata->data = buffer->base; - dns_message_takebuffer(client->message, &buffer); - } else { -no_nsid: - rdata->data = NULL; - rdata->length = 0; + ednsopts[count].code = DNS_OPT_NSID; + ednsopts[count].length = strlen(nsidp); + ednsopts[count].value = (unsigned char *)nsidp; + count++; } - - rdata->rdclass = rdatalist->rdclass; - rdata->type = rdatalist->type; - rdata->flags = 0; - - ISC_LIST_INIT(rdatalist->rdata); - ISC_LIST_APPEND(rdatalist->rdata, rdata, link); - RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset) - == ISC_R_SUCCESS); - - client->opt = rdataset; - - return (ISC_R_SUCCESS); + no_nsid: + result = dns_message_buildopt(client->message, &client->opt, 0, + udpsize, flags, ednsopts, count); + return (result); } static inline isc_boolean_t 
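Review bot: `ednsopts` is declared with two slots in the preceding hunk, but the `count++` after the NSID append has no bound check; only one option is built today, so this is safe, yet the CHANGES entry says the refactor exists to make adding EDNS options easier, and the next option appended without a guard overruns a stack array. An `INSIST(count < (int)(sizeof(ednsopts) / sizeof(ednsopts[0])));` before the assignment makes the capacity assumption explicit. Also, `ednsopts[count].length = strlen(nsidp);` narrows a `size_t` into the option length field — if that is the 16-bit wire field (the struct is not in this diff) a very long `server-id` string would be silently truncated, the same implicit narrowing the removed `isc_buffer_putuint16()` had; the value is operator-configured, so this is a robustness note rather than an exposure. client_addopt() starts in the preceding hunk.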
@@ -1418,6 +1366,83 @@ ns_client_isself(dns_view_t *myview, dns_tsigkey_t *mykey, return (ISC_TF(view == myview)); } +static isc_result_t +process_opt(ns_client_t *client, dns_rdataset_t *opt) { + dns_rdata_t rdata; + isc_buffer_t optbuf; + isc_result_t result; + isc_uint16_t optcode; + isc_uint16_t optlen; + + /* + * Set the client's UDP buffer size. + */ + client->udpsize = opt->rdclass; + + /* + * If the requested UDP buffer size is less than 512, + * ignore it and use 512. + */ + if (client->udpsize < 512) + client->udpsize = 512; + + /* + * Get the flags out of the OPT record. + */ + client->extflags = (isc_uint16_t)(opt->ttl & 0xFFFF); + + /* + * Do we understand this version of EDNS? + * + * XXXRTH need library support for this! + */ + client->ednsversion = (opt->ttl & 0x00FF0000) >> 16; + if (client->ednsversion > 0) { + isc_stats_increment(ns_g_server->nsstats, + dns_nsstatscounter_badednsver); + result = client_addopt(client); + if (result == ISC_R_SUCCESS) + result = DNS_R_BADVERS; + ns_client_error(client, result); + goto cleanup; + } + + /* Check for NSID request */ + result = dns_rdataset_first(opt); + if (result == ISC_R_SUCCESS) { + dns_rdata_init(&rdata); + dns_rdataset_current(opt, &rdata); + isc_buffer_init(&optbuf, rdata.data, rdata.length); + isc_buffer_add(&optbuf, rdata.length); + while (isc_buffer_remaininglength(&optbuf) >= 4) { + optcode = isc_buffer_getuint16(&optbuf); + optlen = isc_buffer_getuint16(&optbuf); + switch (optcode) { + case DNS_OPT_NSID: + client->attributes |= NS_CLIENTATTR_WANTNSID; + isc_buffer_forward(&optbuf, optlen); + break; + default: + isc_buffer_forward(&optbuf, optlen); + break; + } + } + } + + isc_stats_increment(ns_g_server->nsstats, dns_nsstatscounter_edns0in); + + /* + * Create an OPT for our reply. 
+ */ + result = client_addopt(client); + if (result != ISC_R_SUCCESS) { + ns_client_error(client, result); + goto cleanup; + } + cleanup: + return (result); +} + /* * Handle an incoming request event from the socket (UDP case) * or tcpmsg (TCP case). @@ -1439,8 +1464,6 @@ client_request(isc_task_t *task, isc_event_t *event) { dns_messageid_t id; unsigned int flags; isc_boolean_t notimp; - dns_rdata_t rdata; - isc_uint16_t optcode; REQUIRE(event != NULL); client = event->ev_arg; 
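Review bot: In the option loop of process_opt(), `optlen` comes straight off the wire and is handed to `isc_buffer_forward(&optbuf, optlen)` without being compared to `isc_buffer_remaininglength(&optbuf)`; unless the OPT rdata has already been validated option-by-option by the wire-format parser (that code is not in this diff), an oversized length either trips isc_buffer_forward()'s precondition or advances the cursor past the rdata — a remotely triggered assertion or out-of-bounds read in named, depending on which form of that function is compiled in. A local guard makes this function correct independent of what the parser guarantees: after reading `optlen`, `if (optlen > isc_buffer_remaininglength(&optbuf)) { ns_client_error(client, DNS_R_FORMERR); result = DNS_R_FORMERR; goto cleanup; }`. That follows the pattern the function already uses for the bad-version case, where ns_client_error() is called and a non-success result is returned for client_request() to act on. The two identical `isc_buffer_forward()` calls in the switch could then be hoisted to a single call after it.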
@@ -1640,67 +1663,9 @@ client_request(isc_task_t *task, isc_event_t *event) { */ opt = dns_message_getopt(client->message); if (opt != NULL) { - /* - * Set the client's UDP buffer size. - */ - client->udpsize = opt->rdclass; - - /* - * If the requested UDP buffer size is less than 512, - * ignore it and use 512. - */ - if (client->udpsize < 512) - client->udpsize = 512; - - /* - * Get the flags out of the OPT record. - */ - client->extflags = (isc_uint16_t)(opt->ttl & 0xFFFF); - - /* - * Do we understand this version of EDNS? - * - * XXXRTH need library support for this! - */ - client->ednsversion = (opt->ttl & 0x00FF0000) >> 16; - if (client->ednsversion > 0) { - isc_stats_increment(ns_g_server->nsstats, - dns_nsstatscounter_badednsver); - result = client_addopt(client); - if (result == ISC_R_SUCCESS) - result = DNS_R_BADVERS; - ns_client_error(client, result); - goto cleanup; - } - - /* Check for NSID request */ - result = dns_rdataset_first(opt); - if (result == ISC_R_SUCCESS) { - dns_rdata_init(&rdata); - dns_rdataset_current(opt, &rdata); - if (rdata.length >= 2) { - isc_buffer_t nsidbuf; - isc_buffer_init(&nsidbuf, - rdata.data, rdata.length); - isc_buffer_add(&nsidbuf, rdata.length); - optcode = isc_buffer_getuint16(&nsidbuf); - if (optcode == DNS_OPT_NSID) - client->attributes |= - NS_CLIENTATTR_WANTNSID; - } - } - - isc_stats_increment(ns_g_server->nsstats, - dns_nsstatscounter_edns0in); - - /* - * Create an OPT for our reply. - */ - result = client_addopt(client); - if (result != ISC_R_SUCCESS) { - ns_client_error(client, result); + result = process_opt(client, opt); + if (result != ISC_R_SUCCESS) goto cleanup; - } } if (client->message->rdclass == 0) { diff --git a/bin/named/query.c b/bin/named/query.c index c3d63a20..3e3b8778 100644 --- a/bin/named/query.c +++ b/bin/named/query.c 
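Review bot: The call site in client_request() now depends on a contract that is only visible inside process_opt(): on a non-success result the error response has already been sent, so the caller must jump to cleanup without calling ns_client_error() a second time. A one-line comment at the call makes that explicit for the next editor, e.g. `/* process_opt() has already sent the error response on failure. */` above `result = process_opt(client, opt);`. client_request() starts and continues outside this hunk.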
@@ -800,7 +800,7 @@ query_validatezonedb(ns_client_t *client, dns_name_t *name, if (queryonacl == NULL) queryonacl = client->view->queryonacl; - result = ns_client_checkaclsilent(client, NULL, + result = ns_client_checkaclsilent(client, &client->destaddr, queryonacl, ISC_TRUE); if ((options & DNS_GETDB_NOLOG) == 0 && result != ISC_R_SUCCESS) @@ -7155,7 +7155,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) goto addauth; } - if (dns_db_issecure(db)) { + if (qtype == dns_rdatatype_rrsig && + dns_db_issecure(db)) { char namebuf[DNS_NAME_FORMATSIZE]; dns_name_format(client->query.qname, namebuf, diff --git a/bin/named/server.c b/bin/named/server.c index 15df8499..fa02f9a3 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -77,11 +77,13 @@ #include <dns/private.h> #include <dns/rbt.h> #include <dns/rdataclass.h> +#include <dns/rdatalist.h> #include <dns/rdataset.h> #include <dns/rdatastruct.h> #include <dns/resolver.h> #include <dns/rootns.h> #include <dns/secalg.h> +#include <dns/soa.h> #include <dns/stats.h> #include <dns/tkey.h> #include <dns/tsig.h> 
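Review bot: The one-line change in query_validatezonedb() is the allow-query-on fix recorded as CHANGES 3637: the ACL is now matched against `client->destaddr`, the address the query arrived on, where the previous NULL argument made it check the source address. Nothing at the call site says why the destination is the right address for an "on" ACL, and the removed line shows the mistake is easy to make; a comment such as `/* allow-query-on matches the interface address the query arrived on, not its source. */` above the call would protect the fix. It is worth confirming that any other "-on" ACL checks in query.c that still pass NULL as the address (none are shown in this diff) were reviewed the same way. query_validatezonedb() continues outside the hunk.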
@@ -1803,6 +1805,234 @@ configure_rrl(dns_view_t *view, const cfg_obj_t *config, const cfg_obj_t *map) { } #endif /* USE_RRL */ +static isc_result_t +add_soa(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name, + dns_name_t *origin, dns_name_t *contact) +{ + dns_dbnode_t *node = NULL; + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdatalist_t rdatalist; + dns_rdataset_t rdataset; + isc_result_t result; + unsigned char buf[DNS_SOA_BUFFERSIZE]; + + dns_rdataset_init(&rdataset); + dns_rdatalist_init(&rdatalist); + CHECK(dns_soa_buildrdata(origin, contact, dns_db_class(db), + 0, 28800, 7200, 604800, 86400, buf, &rdata)); + rdatalist.type = rdata.type; + rdatalist.covers = 0; + rdatalist.rdclass = rdata.rdclass; + rdatalist.ttl = 86400; + ISC_LIST_APPEND(rdatalist.rdata, &rdata, link); + CHECK(dns_rdatalist_tordataset(&rdatalist, &rdataset)); + CHECK(dns_db_findnode(db, name, ISC_TRUE, &node)); + CHECK(dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL)); + cleanup: + if (node != NULL) + dns_db_detachnode(db, &node); + return (result); +} + +static isc_result_t +add_ns(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name, + dns_name_t *nsname) +{ + dns_dbnode_t *node = NULL; + dns_rdata_ns_t ns; + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdatalist_t rdatalist; + dns_rdataset_t rdataset; + isc_result_t result; + isc_buffer_t b; + unsigned char buf[DNS_NAME_MAXWIRE]; + + isc_buffer_init(&b, buf, sizeof(buf)); + + dns_rdataset_init(&rdataset); + dns_rdatalist_init(&rdatalist); + ns.common.rdtype = dns_rdatatype_ns; + ns.common.rdclass = dns_db_class(db); + ns.mctx = NULL; + dns_name_init(&ns.name, NULL); + dns_name_clone(nsname, &ns.name); + CHECK(dns_rdata_fromstruct(&rdata, dns_db_class(db), dns_rdatatype_ns, + &ns, &b)); + rdatalist.type = rdata.type; + rdatalist.covers = 0; + rdatalist.rdclass = rdata.rdclass; + rdatalist.ttl = 86400; + ISC_LIST_APPEND(rdatalist.rdata, &rdata, link); + CHECK(dns_rdatalist_tordataset(&rdatalist, &rdataset)); + 
CHECK(dns_db_findnode(db, name, ISC_TRUE, &node)); + CHECK(dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL)); + cleanup: + if (node != NULL) + dns_db_detachnode(db, &node); + return (result); +} + +static isc_result_t +create_empty_zone(dns_zone_t *zone, dns_name_t *name, dns_view_t *view, + const cfg_obj_t *zonelist, const char **empty_dbtype, + int empty_dbtypec, dns_zonestat_level_t statlevel) +{ + char namebuf[DNS_NAME_FORMATSIZE]; + const cfg_listelt_t *element; + const cfg_obj_t *obj; + const cfg_obj_t *zconfig; + const cfg_obj_t *zoptions; + const char *rbt_dbtype[4] = { "rbt" }; + const char *sep = ": view "; + const char *str; + const char *viewname = view->name; + dns_db_t *db = NULL; + dns_dbversion_t *version = NULL; + dns_fixedname_t cfixed; + dns_fixedname_t fixed; + dns_fixedname_t nsfixed; + dns_name_t *contact; + dns_name_t *ns; + dns_name_t *zname; + dns_zone_t *myzone = NULL; + int rbt_dbtypec = 1; + isc_result_t result; + dns_namereln_t namereln; + int order; + unsigned int nlabels; + + dns_fixedname_init(&fixed); + zname = dns_fixedname_name(&fixed); + dns_fixedname_init(&nsfixed); + ns = dns_fixedname_name(&nsfixed); + dns_fixedname_init(&cfixed); + contact = dns_fixedname_name(&cfixed); + + /* + * Look for forward "zones" beneath this empty zone and if so + * create a custom db for the empty zone. 
+ */ + for (element = cfg_list_first(zonelist); + element != NULL; + element = cfg_list_next(element)) { + + zconfig = cfg_listelt_value(element); + str = cfg_obj_asstring(cfg_tuple_get(zconfig, "name")); + CHECK(dns_name_fromstring(zname, str, 0, NULL)); + namereln = dns_name_fullcompare(zname, name, &order, &nlabels); + if (namereln != dns_namereln_subdomain) + continue; + + zoptions = cfg_tuple_get(zconfig, "options"); + + obj = NULL; + (void)cfg_map_get(zoptions, "type", &obj); + INSIST(obj != NULL); + if (strcasecmp(cfg_obj_asstring(obj), "forward") != 0) + continue; + + obj = NULL; + (void)cfg_map_get(zoptions, "forward", &obj); + if (obj == NULL) + continue; + if (strcasecmp(cfg_obj_asstring(obj), "only") != 0) + continue; + if (db == NULL) { + CHECK(dns_db_create(view->mctx, "rbt", name, + dns_dbtype_zone, view->rdclass, + 0, NULL, &db)); + CHECK(dns_db_newversion(db, &version)); + if (strcmp(empty_dbtype[2], "@") == 0) + dns_name_clone(name, ns); + else + CHECK(dns_name_fromstring(ns, empty_dbtype[2], + 0, NULL)); + CHECK(dns_name_fromstring(contact, empty_dbtype[3], + 0, NULL)); + CHECK(add_soa(db, version, name, ns, contact)); + CHECK(add_ns(db, version, name, ns)); + } + CHECK(add_ns(db, version, zname, dns_rootname)); + } + + /* + * Is the existing zone the ok to use? 
+ */ + if (zone != NULL) { + if (db != NULL) + check_dbtype(&zone, rbt_dbtypec, rbt_dbtype, + view->mctx); + else + check_dbtype(&zone, empty_dbtypec, empty_dbtype, + view->mctx); + if (zone != NULL && dns_zone_gettype(zone) != dns_zone_master) + zone = NULL; + if (zone != NULL && dns_zone_getfile(zone) != NULL) + zone = NULL; + if (zone != NULL) { + dns_zone_getraw(zone, &myzone); + if (myzone != NULL) { + dns_zone_detach(&myzone); + zone = NULL; + } + } + } + + if (zone == NULL) { + CHECK(dns_zonemgr_createzone(ns_g_server->zonemgr, &myzone)); + zone = myzone; + CHECK(dns_zone_setorigin(zone, name)); + CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone)); + if (db == NULL) + CHECK(dns_zone_setdbtype(zone, empty_dbtypec, + empty_dbtype)); + dns_zone_setclass(zone, view->rdclass); + dns_zone_settype(zone, dns_zone_master); + dns_zone_setstats(zone, ns_g_server->zonestats); + } + + dns_zone_setoption(zone, ~DNS_ZONEOPT_NOCHECKNS, ISC_FALSE); + dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, ISC_TRUE); + dns_zone_setnotifytype(zone, dns_notifytype_no); + dns_zone_setdialup(zone, dns_dialuptype_no); + if (view->queryacl) + dns_zone_setqueryacl(zone, view->queryacl); + else + dns_zone_clearqueryacl(zone); + if (view->queryonacl) + dns_zone_setqueryonacl(zone, view->queryonacl); + else + dns_zone_clearqueryonacl(zone); + dns_zone_clearupdateacl(zone); + dns_zone_clearxfracl(zone); + + CHECK(setquerystats(zone, view->mctx, statlevel)); + if (db != NULL) { + dns_db_closeversion(db, &version, ISC_TRUE); + CHECK(dns_zone_replacedb(zone, db, ISC_FALSE)); + } + dns_zone_setview(zone, view); + CHECK(dns_view_addzone(view, zone)); + + if (!strcmp(viewname, "_default")) { + sep = ""; + viewname = ""; + } + dns_name_format(name, namebuf, sizeof(namebuf)); + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, + ISC_LOG_INFO, "automatic empty zone%s%s: %s", + sep, viewname, namebuf); + + cleanup: + if (myzone != NULL) + dns_zone_detach(&myzone); + if (version 
!= NULL) + dns_db_closeversion(db, &version, ISC_FALSE); + if (db != NULL) + dns_db_detach(&db); + return (result); +} + /* * Configure 'view' according to 'vconfig', taking defaults from 'config' * where values are missing in 'vconfig'. @@ -1855,9 +2085,6 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, unsigned int resopts = 0; dns_zone_t *zone = NULL; isc_uint32_t max_clients_per_query; - const char *sep = ": view "; - const char *viewname = view->name; - const char *forview = " for view "; isc_boolean_t empty_zones_enable; const cfg_obj_t *disablelist = NULL; isc_stats_t *resstats = NULL; @@ -1899,13 +2126,6 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, cfgmaps[k++] = config; cfgmaps[k] = NULL; - if (!strcmp(viewname, "_default")) { - sep = ""; - viewname = ""; - forview = ""; - POST(forview); - } - /* * Set the view's port number for outgoing queries. */ 
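Review bot: In create_empty_zone(), `check_dbtype(&zone, ...)` is applied to the caller's pointer, received by value. The removed code in configure_view() relied on check_dbtype() clearing `zone` when the dbtype does not match, and if it clears it by detaching (its body is not in this diff) the reference the caller obtained from dns_view_findzone() is released here on a local copy while the caller still holds the original pointer and detaches it again after create_empty_zone() returns — a double detach on a reference-counted zone. Running the check on a separately attached reference leaves the caller's reference untouched and only then decides whether `zone` is reusable, as below. Two smaller points: the SOA parameters `0, 28800, 7200, 604800, 86400` and `rdatalist.ttl = 86400` in add_soa() are bare magic numbers and deserve at least a `/* serial, refresh, retry, expire, minimum */` comment, and the `INSIST(obj != NULL)` on the zone `type` option assumes configuration checking has already rejected zones without a type — if this path can run on an unchecked config, that should be an error return rather than an assertion.
```c
	/*
	 * Is the existing zone the ok to use?
	 */
	if (zone != NULL) {
		dns_zone_t *check = NULL;

		/*
		 * Run the dbtype check on our own reference so that a
		 * mismatch never releases the reference the caller holds.
		 */
		dns_zone_attach(zone, &check);
		if (db != NULL)
			check_dbtype(&check, rbt_dbtypec, rbt_dbtype,
				     view->mctx);
		else
			check_dbtype(&check, empty_dbtypec, empty_dbtype,
				     view->mctx);
		if (check == NULL)
			zone = NULL;
		else
			dns_zone_detach(&check);
		/* … unchanged: master-type, file and raw-zone checks … */
	}
```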
@@ -3165,45 +3385,13 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, if (pview != NULL) { (void)dns_view_findzone(pview, name, &zone); dns_view_detach(&pview); - if (zone != NULL) - check_dbtype(&zone, empty_dbtypec, - empty_dbtype, mctx); - if (zone != NULL) { - dns_zone_setview(zone, view); - CHECK(dns_view_addzone(view, zone)); - CHECK(setquerystats(zone, mctx, - statlevel)); - dns_zone_detach(&zone); - continue; - } } - CHECK(dns_zonemgr_createzone(ns_g_server->zonemgr, - &zone)); - CHECK(dns_zone_setorigin(zone, name)); - dns_zone_setview(zone, view); - CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, - zone)); - dns_zone_setclass(zone, view->rdclass); - dns_zone_settype(zone, dns_zone_master); - dns_zone_setstats(zone, ns_g_server->zonestats); - CHECK(dns_zone_setdbtype(zone, empty_dbtypec, - empty_dbtype)); - if (view->queryacl != NULL) - dns_zone_setqueryacl(zone, view->queryacl); - if (view->queryonacl != NULL) - dns_zone_setqueryonacl(zone, view->queryonacl); - dns_zone_setdialup(zone, dns_dialuptype_no); - dns_zone_setnotifytype(zone, dns_notifytype_no); - dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, - ISC_TRUE); - CHECK(setquerystats(zone, mctx, statlevel)); - CHECK(dns_view_addzone(view, zone)); - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_SERVER, ISC_LOG_INFO, - "automatic empty zone%s%s: %s", - sep, viewname, empty); - dns_zone_detach(&zone); + CHECK(create_empty_zone(zone, name, view, zonelist, + empty_dbtype, empty_dbtypec, + statlevel)); + if (zone != NULL) + dns_zone_detach(&zone); } } @@ -7381,7 +7569,7 @@ ns_server_status(ns_server_t *server, isc_buffer_t *text) { n = snprintf((char *)isc_buffer_used(text), isc_buffer_availablelength(text), - "version: %s%s%s%s\n" + "version: %s%s%s%s <id:%s>\n" #ifdef ISC_PLATFORM_USETHREADS "CPUs found: %u\n" "worker threads: %u\n" 
@@ -7396,7 +7584,7 @@ ns_server_status(ns_server_t *server, isc_buffer_t *text) { "recursive clients: %d/%d/%d\n" "tcp clients: %d/%d\n" "server is up and running", - ns_g_version, ob, alt, cb, + ns_g_version, ob, alt, cb, ns_g_srcid, #ifdef ISC_PLATFORM_USETHREADS ns_g_cpus_detected, ns_g_cpus, ns_g_udpdisp, #endif diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c index b1372e30..37e98a8e 100644 --- a/bin/named/statschannel.c +++ b/bin/named/statschannel.c @@ -978,10 +978,15 @@ zone_xmlrender(dns_zone_t *zone, void *arg) { isc_uint32_t serial; xmlTextWriterPtr writer = arg; isc_stats_t *zonestats; + dns_zonestat_level_t statlevel; isc_uint64_t nsstat_values[dns_nsstatscounter_max]; int xmlrc; isc_result_t result; + statlevel = dns_zone_getstatlevel(zone); + if (statlevel == dns_zonestat_none) + return (ISC_R_SUCCESS); + TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "zone")); dns_zone_name(zone, buf, sizeof(buf)); diff --git a/bin/tests/system/acl/ns2/named5.conf b/bin/tests/system/acl/ns2/named5.conf new file mode 100644 index 00000000..09e81cbc --- /dev/null +++ b/bin/tests/system/acl/ns2/named5.conf 
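Review bot: `ns_g_srcid` is passed to a `%s` conversion in the `rndc status` snprintf(); if that global can ever be a null pointer — for instance in a build where no source id was generated, which this diff does not show — the format call is undefined behaviour. If it is always a compile-time string the point is moot, but `ns_g_srcid != NULL ? ns_g_srcid : "unknown"` costs nothing and documents the assumption. ns_server_status() starts and continues outside this hunk.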
@@ -0,0 +1,62 @@ +/* + * Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: named1.conf,v 1.2 2008/01/10 01:10:01 marka Exp $ */ + +controls { /* empty */ }; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + ixfr-from-differences yes; + check-integrity no; + allow-query-on { 10.53.0.2; }; +}; + +include "../../common/controls.conf"; + +key one { + algorithm hmac-md5; + secret "1234abcd8765"; +}; + +key two { + algorithm hmac-md5; + secret "1234abcd8765"; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "example" { + type master; + file "example.db"; +}; + +zone "tsigzone" { + type master; + file "tsigzone.db"; + allow-transfer { !key one; any; }; +}; diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh index f74a5544..82625678 100644 --- a/bin/tests/system/acl/tests.sh +++ b/bin/tests/system/acl/tests.sh 
@@ -140,5 +140,14 @@ $DIG $DIGOPTS tsigzone. \ @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 -p 5300 > dig.out grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; } +echo "I:testing allow-query-on ACL processing" +cp -f ns2/named5.conf ns2/named.conf +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' +sleep 5 +t=`expr $t + 1` +$DIG +tcp soa example. \ + @10.53.0.2 -b 10.53.0.3 -p 5300 > dig.out +grep "status: NOERROR" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; } + echo "I:exit status: $status" exit $status diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh index 27522c64..9d72fed8 100644 --- a/bin/tests/system/autosign/tests.sh +++ b/bin/tests/system/autosign/tests.sh @@ -44,14 +44,18 @@ showprivate () { # check that signing records are marked as complete checkprivate () { - ret=0 + _ret=0 + expected="${3:-0}" x=`showprivate "$@"` - echo $x | grep incomplete >&- 2>&- && ret=1 - [ $ret = 1 ] && { - echo "$x" - echo "I:failed" - } - return $ret + echo $x | grep incomplete > /dev/null && _ret=1 + + if [ $_ret = $expected ]; then + return 0 + fi + + echo "$x" + echo "I:failed" + return 1 } # @@ -208,6 +212,7 @@ ret=0 missing=`sed 's/^K.*+007+0*\([0-9]\)/\1/' < missingzsk.key` $JOURNALPRINT ns3/nozsk.example.db.jnl | \ awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id=$missing || ret=1 +n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` 
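Review bot: The new allow-query-on test only exercises the accepting case: ns2 listens on 10.53.0.2, named5.conf allows queries on 10.53.0.2, and the assertion is that a query from 10.53.0.3 gets NOERROR. That does catch the old source-address regression, but it never shows the ACL being enforced, so a future change that ignored allow-query-on entirely would pass too. Adding a second listen address to ns2 that is left out of the allow-query-on list and asserting `grep "status: REFUSED" dig.out` for a query sent to it would pin both sides of the behaviour. The fixed `sleep 5` after the reload is also the usual source of intermittent failures; polling named.run for the reload completion message would be more robust.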
@@ -216,24 +221,23 @@ ret=0 inactive=`sed 's/^K.*+007+0*\([0-9]\)/\1/' < inactivezsk.key` $JOURNALPRINT ns3/inaczsk.example.db.jnl | \ awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id=$inactive || ret=1 +n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` -echo "I:checking that non-replaceable RRSIGs are logged only once ($n)" +echo "I:checking that non-replaceable RRSIGs are logged only once (missing private key) ($n)" ret=0 loglines=`grep "Key nozsk.example/NSEC3RSASHA1/$missing .* retaining signatures" ns3/named.run | wc -l` [ "$loglines" -eq 1 ] || ret=1 -loglines=`grep "Key inaczsk.example/NSEC3RSASHA1/$inactive .* retaining signatures" ns3/named.run | wc -l` -[ "$loglines" -eq 1 ] || ret=1 +n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` -echo "I:checking serial is not incremented when signatures are unchanged ($n)" +echo "I:checking that non-replaceable RRSIGs are logged only once (inactive private key) ($n)" ret=0 -newserial=`$DIG $DIGOPTS +short soa nozsk.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}'` -[ "$newserial" -eq 2 ] || ret=1 -newserial=`$DIG $DIGOPTS +short soa inaczsk.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}'` -[ "$newserial" -eq 2 ] || ret=1 +loglines=`grep "Key inaczsk.example/NSEC3RSASHA1/$inactive .* retaining signatures" ns3/named.run | wc -l` +[ "$loglines" -eq 1 ] || ret=1 +n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` @@ -943,7 +947,7 @@ checkprivate oldsigs.example 10.53.0.3 || ret=1 checkprivate optout.example 10.53.0.3 || ret=1 checkprivate optout.nsec3.example 10.53.0.3 || ret=1 checkprivate optout.optout.example 10.53.0.3 || ret=1 -checkprivate prepub.example 10.53.0.3 || ret=1 +checkprivate prepub.example 10.53.0.3 1 || ret=1 checkprivate rsasha256.example 10.53.0.3 || ret=1 checkprivate rsasha512.example 10.53.0.3 || ret=1 checkprivate secure.example 10.53.0.3 || ret=1 
diff --git a/bin/tests/system/dlzexternal/tests.sh b/bin/tests/system/dlzexternal/tests.sh index e8caddcd..bd2eeac4 100644 --- a/bin/tests/system/dlzexternal/tests.sh +++ b/bin/tests/system/dlzexternal/tests.sh @@ -54,8 +54,8 @@ status=`expr $status + $ret` echo "I:testing passing client info into DLZ driver" ret=0 -out=`$DIG $DIGOPTS +short -t txt -q source-addr.example.nil` -addr=`eval echo $out | cut -f1 -d'#'` +out=`$DIG $DIGOPTS +short -t txt -q source-addr.example.nil | grep -v '^;'` +addr=`eval echo "$out" | cut -f1 -d'#'` [ "$addr" = "10.53.0.1" ] || ret=1 [ "$ret" -eq 0 ] || echo "I:failed" status=`expr $status + $ret` diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh index 383892f2..0f333409 100644 --- a/bin/tests/system/dnssec/clean.sh +++ b/bin/tests/system/dnssec/clean.sh @@ -56,6 +56,7 @@ rm -f ns4/named.conf rm -f ns4/managed-keys.bind* rm -f ns3/auto-nsec.example.db ns3/auto-nsec3.example.db rm -f ns3/secure.below-cname.example.db +rm -f ns3/publish-inactive.example.db rm -f signer/example.db.after signer/example.db.before rm -f signer/example.db.changed rm -f signer/nsec3param.out diff --git a/bin/tests/system/dnssec/ns3/named.conf b/bin/tests/system/dnssec/ns3/named.conf index a23c6f87..dc00ef67 100644 --- a/bin/tests/system/dnssec/ns3/named.conf +++ b/bin/tests/system/dnssec/ns3/named.conf @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006-2012 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2006-2013 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -33,6 +33,7 @@ options { notify yes; dnssec-enable yes; dnssec-validation yes; + session-keyfile "session.key"; }; key rndc_key { 
@@ -262,4 +263,11 @@ zone "inline.example" { auto-dnssec maintain; }; +zone "publish-inactive.example" { + type master; + file "publish-inactive.example.db"; + auto-dnssec maintain; + update-policy local; +}; + include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns3/publish-inactive.example.db.in b/bin/tests/system/dnssec/ns3/publish-inactive.example.db.in new file mode 100644 index 00000000..a96b406d --- /dev/null +++ b/bin/tests/system/dnssec/ns3/publish-inactive.example.db.in @@ -0,0 +1,31 @@ +; Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: insecure.example.db,v 1.9 2007/06/19 23:47:02 tbox Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh index 36c8d30c..24b0fed7 100644 --- a/bin/tests/system/dnssec/ns3/sign.sh +++ b/bin/tests/system/dnssec/ns3/sign.sh 
@@ -1,6 +1,6 @@ #!/bin/sh -e # -# Copyright (C) 2004, 2006-2012 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2006-2013 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2000-2002 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any @@ -437,3 +437,17 @@ $CHECKZONE -D nosign.example nosign.example.db.signed 2>&- | \ zone=inline.example. kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone` zskname=`$KEYGEN -q -3 -r $RANDFILE $zone` + +# +# publish a new key while deactivating another key at the same time. +# +zone=publish-inactive.example +infile=publish-inactive.example.db.in +zonefile=publish-inactive.example.db +now=`date -u +%Y%m%d%H%M%S` +kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone` +kskname=`$KEYGEN -P $now+90s -A $now+3600s -q -r $RANDFILE -f KSK $zone` +kskname=`$KEYGEN -I $now+90s -q -r $RANDFILE -f KSK $zone` +zskname=`$KEYGEN -q -r $RANDFILE $zone` +cp $infile $zonefile +$SIGNER -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index c8c169c6..bb7452f8 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -2260,5 +2260,25 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +echo "I:check simultaneous inactivation and publishing of dnskeys removes inactive signature ($n)" +ret=0 +cnt=0 +while : +do +$DIG $DIGOPTS publish-inactive.example @10.53.0.3 dnskey > dig.out.ns3.test$n +keys=`awk '$5 == 257 { print; }' dig.out.ns3.test$n | wc -l` +test $keys -gt 2 && break +cnt=`expr $cnt + 1` +test $cnt -gt 120 && break +sleep 1 +done +test $keys -gt 2 || ret=1 +sigs=`grep RRSIG dig.out.ns3.test$n | wc -l` +sigs=`expr $sigs + 0` +n=`expr $n + 1` +test $sigs -eq 2 || ret=1 +if test $ret != 0 ; then echo "I:failed"; fi +status=`expr $status + $ret` + echo "I:exit status: $status" exit $status 
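Review bot: The new check in dnssec/tests.sh exits its wait loop as soon as three KSKs (flag 257) are visible and then asserts `sigs -eq 2` on the very same dig output, so it only passes if the new key's publication and the removal of the inactive key's signature land in the same zone update. If named applies them in separate steps the RRSIG count is sampled too early and the check fails spuriously. Computing `sigs` inside the loop and breaking on both conditions, `test $keys -gt 2 -a $sigs -eq 2 && break`, makes the check wait for the state it actually asserts while keeping the 120 s bound. A timeout is still caught afterwards by the existing `test $keys -gt 2 || ret=1` line.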
diff --git a/bin/tests/system/forward/ns2/named.conf b/bin/tests/system/forward/ns2/named.conf index d310bf24..8860f44f 100644 --- a/bin/tests/system/forward/ns2/named.conf +++ b/bin/tests/system/forward/ns2/named.conf @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2007, 2013 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -54,3 +54,8 @@ zone "example4." { type master; file "example.db"; }; + +zone "1.0.10.in-addr.arpa." { + type master; + file "example.db"; +}; diff --git a/bin/tests/system/forward/ns4/named.conf b/bin/tests/system/forward/ns4/named.conf index f817b8a3..6fb7ae2e 100644 --- a/bin/tests/system/forward/ns4/named.conf +++ b/bin/tests/system/forward/ns4/named.conf @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2007, 2013 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -50,3 +50,9 @@ zone "example5." { forward only; forwarders { 10.53.0.2; }; }; + +zone "1.0.10.in-addr.arpa" { + type forward; + forward only; + forwarders { 10.53.0.2; }; +}; diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh index e9f587ee..f7ab5e2f 100644 --- a/bin/tests/system/forward/tests.sh +++ b/bin/tests/system/forward/tests.sh @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2007, 2011, 2012 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2011-2013 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2000, 2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any 
@@ -101,5 +101,14 @@ $PERL ../start.pl --restart --noclean . ns4 || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +echo "I:checking that forward only zone overrides empty zone" +ret=0 +$DIG 1.0.10.in-addr.arpa TXT @10.53.0.4 -p 5300 > dig.out.f2 +grep "status: NOERROR" dig.out.f2 > /dev/null || ret=1 +$DIG 2.0.10.in-addr.arpa TXT @10.53.0.4 -p 5300 > dig.out.f2 +grep "status: NXDOMAIN" dig.out.f2 > /dev/null || ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + echo "I:exit status: $status" exit $status diff --git a/bin/tests/system/inline/clean.sh b/bin/tests/system/inline/clean.sh index 45d69843..ad17c452 100644 --- a/bin/tests/system/inline/clean.sh +++ b/bin/tests/system/inline/clean.sh @@ -52,6 +52,10 @@ rm -f ns3/expired.db rm -f ns3/expired.db.jnl rm -f ns3/expired.db.signed rm -f ns3/expired.db.signed.jnl +rm -f ns3/nsec3.db +rm -f ns3/nsec3.db.jnl +rm -f ns3/nsec3.db.signed +rm -f ns3/nsec3.db.signed.jnl rm -f ns3/retransfer.bk rm -f ns3/retransfer.bk.jnl rm -f ns3/retransfer.bk.signed diff --git a/bin/tests/system/inline/ns1/root.db.in b/bin/tests/system/inline/ns1/root.db.in index 404541f3..24299023 100644 --- a/bin/tests/system/inline/ns1/root.db.in +++ b/bin/tests/system/inline/ns1/root.db.in @@ -1,4 +1,4 @@ -; Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC") +; Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC") ; ; Permission to use, copy, modify, and/or distribute this software for any ; purpose with or without fee is hereby granted, provided that the above @@ -47,3 +47,6 @@ ns3.expired. A 10.53.0.3 retransfer. NS ns3.retransfer. ns3.retransfer. A 10.53.0.3 + +nsec3. NS ns3.nsec3. +ns3.nsec3. A 10.53.0.3 diff --git a/bin/tests/system/inline/ns3/named.conf b/bin/tests/system/inline/ns3/named.conf index 6aa0b201..acde7ba2 100644 --- a/bin/tests/system/inline/ns3/named.conf +++ b/bin/tests/system/inline/ns3/named.conf 
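Review bot: Both dig calls in the new forward-only check write to the same `dig.out.f2`, so when the first `grep "status: NOERROR"` fails, the response that caused the failure has already been overwritten by the second query by the time anyone inspects the file. Give each query its own output, e.g. `> dig.out.f2a` for the 1.0.10.in-addr.arpa query and `> dig.out.f2b` for 2.0.10.in-addr.arpa, and grep the matching file.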
@@ -95,3 +95,11 @@ zone "retransfer" { auto-dnssec maintain; file "retransfer.bk"; }; + +zone "nsec3" { + type master; + inline-signing yes; + auto-dnssec maintain; + allow-update { any; }; + file "nsec3.db"; +}; diff --git a/bin/tests/system/inline/ns3/sign.sh b/bin/tests/system/inline/ns3/sign.sh index 9e21ad29..04e61f34 100644 --- a/bin/tests/system/inline/ns3/sign.sh +++ b/bin/tests/system/inline/ns3/sign.sh @@ -74,6 +74,12 @@ keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone` keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone` $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db +zone=nsec3 +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone` +$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db + for s in a c d h k l m q z do zone=test-$s diff --git a/bin/tests/system/inline/setup.sh b/bin/tests/system/inline/setup.sh index 7ba3246b..3ac82f50 100644 --- a/bin/tests/system/inline/setup.sh +++ b/bin/tests/system/inline/setup.sh @@ -1,4 +1,4 @@ -# Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above @@ -28,6 +28,7 @@ cp ns3/master.db.in ns3/master.db cp ns3/master.db.in ns3/dynamic.db cp ns3/master.db.in ns3/updated.db cp ns3/master.db.in ns3/expired.db +cp ns3/master.db.in ns3/nsec3.db touch ns4/trusted.conf cp ns4/noixfr.db.in ns4/noixfr.db diff --git a/bin/tests/system/inline/tests.sh b/bin/tests/system/inline/tests.sh index 6529235d..27a1329a 100644 --- a/bin/tests/system/inline/tests.sh +++ b/bin/tests/system/inline/tests.sh 
@@ -25,6 +25,24 @@ RANDFILE=random.data status=0 n=0 +$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 - nsec3 + +for i in 1 2 3 4 5 6 7 8 9 0 +do + nsec3param=`$DIG +short @10.53.0.3 -p 5300 nsec3param nsec3.` + test -n "$nsec3param" && break + sleep 1 +done + +n=`expr $n + 1` +echo "I:checking that rrsigs are replaced with ksk only" +ret=0 +$DIG @10.53.0.3 -p 5300 axfr nsec3. | + awk '/RRSIG NSEC3/ {a[$1]++} END { for (i in a) {if (a[i] != 1) exit (1)}}' || ret=1 +#$DIG @10.53.0.3 -p 5300 axfr nsec3. | grep -w NSEC | grep -v "IN.RRSIG.NSEC" +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + n=`expr $n + 1` echo "I:checking that the zone is signed on initial transfer ($n)" ret=0 diff --git a/bin/tests/system/rpz/clean.sh b/bin/tests/system/rpz/clean.sh index d0c47976..ed10bcda 100644 --- a/bin/tests/system/rpz/clean.sh +++ b/bin/tests/system/rpz/clean.sh @@ -19,7 +19,7 @@ # Clean up after rpz tests. rm -f proto.* dsset-* random.data trusted.conf dig.out* nsupdate.tmp ns*/*tmp -rm -f ns*/*.key ns*/*.private ns2/tld2s.db +rm -f ns*/*.key ns*/*.private ns2/tld2s.db ns2/bl.tld2.db rm -f ns3/bl*.db ns*/*switch ns5/requests ns5/example.db ns5/bl.db ns5/*.perf rm -f */named.memstats */named.run */named.stats */session.key rm -f */*.jnl */*.core */*.pid diff --git a/bin/tests/system/rpz/ns2/bl.tld2.db.in b/bin/tests/system/rpz/ns2/bl.tld2.db.in new file mode 100644 index 00000000..84116807 --- /dev/null +++ b/bin/tests/system/rpz/ns2/bl.tld2.db.in 
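Review bot: The nsec3param wait loop in inline/tests.sh falls through silently after ten tries, and the awk check that follows passes vacuously when the AXFR contains no `RRSIG NSEC3` lines at all (an empty `a` never hits `exit (1)`), so a zone that never switched to NSEC3 is reported as passing. Record the timeout as a failure after `ret=0`, `test -n "$nsec3param" || ret=1`, or make the awk program require at least one NSEC3 signature before it succeeds. Two smaller points: the `echo "I:checking that rrsigs are replaced with ksk only"` line lacks the `($n)` suffix the neighbouring checks print, and the commented-out `#$DIG ... grep -w NSEC ...` line is dead code that should be dropped.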
@@ -0,0 +1,28 @@ +; Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id$ + + + +; master for slave RPZ zone + +$TTL 3600 +@ SOA rpz.tld2. hostmaster.ns.tld2. ( 1 3600 1200 604800 60 ) + NS ns2 + NS ns3 +ns2 A 10.53.0.2 +ns3 A 10.53.0.3 + +32.1.7.168.192.rpz-ip CNAME . diff --git a/bin/tests/system/rpz/ns2/blv2.tld2.db.in b/bin/tests/system/rpz/ns2/blv2.tld2.db.in new file mode 100644 index 00000000..bd5a4844 --- /dev/null +++ b/bin/tests/system/rpz/ns2/blv2.tld2.db.in 
@@ -0,0 +1,26 @@ +; Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id$ + + + +; master for slave RPZ zone + +$TTL 3600 +@ SOA rpz.tld2. hostmaster.ns.tld2. ( 2 3600 1200 604800 60 ) + NS ns2 + NS ns3 +ns2 A 10.53.0.2 +ns3 A 10.53.0.3 diff --git a/bin/tests/system/rpz/ns2/blv3.tld2.db.in b/bin/tests/system/rpz/ns2/blv3.tld2.db.in new file mode 100644 index 00000000..a4797b01 --- /dev/null +++ b/bin/tests/system/rpz/ns2/blv3.tld2.db.in 
@@ -0,0 +1,28 @@ +; Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id$ + + + +; master for slave RPZ zone + +$TTL 3600 +@ SOA rpz.tld2. hostmaster.ns.tld2. ( 3 3600 1200 604800 60 ) + NS ns2 + NS ns3 +ns2 A 10.53.0.2 +ns3 A 10.53.0.3 + +32.1.7.168.192.rpz-ip CNAME . diff --git a/bin/tests/system/rpz/ns2/named.conf b/bin/tests/system/rpz/ns2/named.conf index c2235af2..2b3d65a7 100644 --- a/bin/tests/system/rpz/ns2/named.conf +++ b/bin/tests/system/rpz/ns2/named.conf @@ -32,6 +32,14 @@ options { notify no; }; +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; +controls { + inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; }; +}; + include "../trusted.conf"; zone "." { type hint; file "hints"; }; @@ -44,3 +52,5 @@ zone "sub3.tld2." {type master; file "tld2.db";}; zone "subsub.sub3.tld2." {type master; file "tld2.db";}; zone "tld2s." {type master; file "tld2s.db";}; + +zone "bl.tld2." {type master; file "bl.tld2.db"; notify yes; notify-delay 1;}; diff --git a/bin/tests/system/rpz/ns2/tld2.db b/bin/tests/system/rpz/ns2/tld2.db index eeb43153..03484123 100644 --- a/bin/tests/system/rpz/ns2/tld2.db +++ b/bin/tests/system/rpz/ns2/tld2.db 
@@ -121,3 +121,6 @@ a6-1 A 192.168.6.1 TXT "a6-1 tld2 text" a6-2 A 192.168.6.2 TXT "a6-2 tld2 text" + +a7-1 A 192.168.7.1 + TXT "a7-1 tld2 text" diff --git a/bin/tests/system/rpz/ns3/named.conf b/bin/tests/system/rpz/ns3/named.conf index 2acb9774..4553b970 100644 --- a/bin/tests/system/rpz/ns3/named.conf +++ b/bin/tests/system/rpz/ns3/named.conf @@ -46,6 +46,7 @@ options { zone "bl-cname" policy cname txt-only.tld2.; zone "bl-wildcname" policy cname *.tld4.; zone "bl-garden" policy cname a12.tld2.; + zone "bl.tld2"; } min-ns-dots 0; }; @@ -84,5 +85,8 @@ zone "bl-wildcname." {type master; file "bl-wildcname.db"; zone "bl-garden." {type master; file "bl-garden.db"; allow-update {any;};}; +zone "bl.tld2." {type slave; file "bl.tld2.db"; masters {10.53.0.2;}; + request-ixfr no; masterfile-format text;}; + zone "crash1.tld2" {type master; file "crash1";}; zone "crash2.tld3." {type master; file "crash2";}; diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh index 5a0f9046..d5b02c73 100644 --- a/bin/tests/system/rpz/setup.sh +++ b/bin/tests/system/rpz/setup.sh @@ -110,3 +110,5 @@ $PERL -e 'for ($cnt = $val = 1; $cnt <= 3000; ++$cnt) { printf("host-%05d.example.tld5 A\n", $val); $val = ($val * 9 + 32771) % 65536; }' >ns5/requests + +cp ns2/bl.tld2.db.in ns2/bl.tld2.db diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh index 5b6c4bf5..34365949 100644 --- a/bin/tests/system/rpz/tests.sh +++ b/bin/tests/system/rpz/tests.sh 
@@ -57,11 +57,13 @@ comment () { RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s" digcmd () { - digcmd_args="+noadd +time=1 +tries=1 -p 5300 $*" - expr "$digcmd_args" : '.*@' >/dev/null || \ - digcmd_args="$digcmd_args @$ns3" - expr "$digcmd_args" : '.*+[no]*auth' >/dev/null || \ - digcmd_args="+noauth $digcmd_args" + # Default to +noauth and @$ns3 + # Also default to -bX where X is the @value so that OS X will choose + # the right IP source address. + digcmd_args=`echo "+noadd +time=1 +tries=1 -p 5300 $*" | \ + sed -e "/@/!s/.*/& @$ns3/" \ + -e '/-b/!s/@\([^ ]*\)/@\1 -b\1/' \ + -e '/+n?o?auth/!s/.*/+noauth &/'` #echo I:dig $digcmd_args 1>&2 $DIG $digcmd_args } @@ -135,6 +137,7 @@ ckalive () { # check that statistics for $1 in $2 = $3 ckstats () { + rm -f $2/named.stats $RNDCCMD $1 stats CNT=`sed -n -e 's/[ ]*\([0-9]*\).response policy.*/\1/p' \ $2/named.stats` 
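Review bot: The third sed expression in digcmd, `-e '/+n?o?auth/!s/.*/+noauth &/'`, relies on `?` as a quantifier, but in a POSIX basic regular expression `?` is an ordinary character (only GNU sed honours `\?`), so on a strict sed the address never matches `+noauth` or `+auth` and `+noauth` is prepended to every call. The effect is mostly masked because a later `+auth` in `$*` still wins on the dig command line, but the intent is portable and clearer as `-e '/+\(no\)*auth/!s/.*/+noauth &/'` (or `\(no\)\{0,1\}`). The comment above the pipeline describes the `-b` default well; a word on why `+noauth` is defaulted too would round it off.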
@@ -309,6 +312,30 @@ addr 14.14.14.14 a5-4.tld2 # 13 prefer QNAME to IP nochange a5-4.tld2 +norecurse # 14 check that RD=1 is required nochange a4-4.tld2 # 15 PASSTHRU nxdomain c2.crash2.tld3 # 16 assert in rbtdb.c +ckstats $ns3 ns3 29 +nxdomain a7-1.tld2 # 17 slave policy zone (RT34450) +cp ns2/blv2.tld2.db.in ns2/bl.tld2.db +$RNDCCMD 10.53.0.2 reload bl.tld2 +goodsoa="rpz.tld2. hostmaster.ns.tld2. 2 3600 1200 604800 60" +for i in 0 1 2 3 4 5 6 7 8 9 10 +do + soa=`$DIG -p 5300 +short soa bl.tld2 @10.53.0.3 -b10.53.0.3` + test "$soa" = "$goodsoa" && break + sleep 1 +done +nochange a7-1.tld2 # 18 PASSTHRU +sleep 1 # ensure that a clock tick has occured so that the reload takes effect +cp ns2/blv3.tld2.db.in ns2/bl.tld2.db +goodsoa="rpz.tld2. hostmaster.ns.tld2. 3 3600 1200 604800 60" +$RNDCCMD 10.53.0.2 reload bl.tld2 +for i in 0 1 2 3 4 5 6 7 8 9 10 +do + soa=`$DIG -p 5300 +short soa bl.tld2 @10.53.0.3 -b10.53.0.3` + test "$soa" = "$goodsoa" && break + sleep 1 +done +nxdomain a7-1.tld2 # 19 slave policy zone (RT34450) +ckstats $ns3 ns3 31 end_group # check that IP addresses for previous group were deleted from the radix tree @@ -463,8 +490,7 @@ else echo "I:performance not checked; queryperf not available" fi - -ckstats $ns3 ns3 55 +ckstats $ns3 ns3 57 # restart the main test RPZ server to see if that creates a core file if test -z "$HAVE_CORE"; then diff --git a/bin/tests/system/rrsetorder/ns1/named.conf b/bin/tests/system/rrsetorder/ns1/named.conf index f228a07b..88f01a46 100644 --- a/bin/tests/system/rrsetorder/ns1/named.conf +++ b/bin/tests/system/rrsetorder/ns1/named.conf @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2006, 2007, 2013 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above 
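Review bot: The two SOA polling loops added for the slave policy zone fall through silently after eleven tries, so a transfer that never reaches the expected serial is only detected indirectly by the `nochange`/`nxdomain` probes that follow, whose failure message then points at the wrong cause. After each loop, record the timeout the way the surrounding checks do, e.g. `test "$soa" = "$goodsoa" || echo "I:failed: bl.tld2 serial $goodsoa not seen on ns3"`, and since the loop body is duplicated verbatim it is worth factoring into a small helper that takes the expected SOA. The `# ensure that a clock tick has occured` comment on the `sleep 1` line should read "occurred".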
@@ -27,7 +27,7 @@ options { listen-on { 10.53.0.1; }; listen-on-v6 { none; }; recursion no; - notify yes; + notify no; rrset-order { name "fixed.example" order fixed; name "random.example" order random; @@ -40,4 +40,6 @@ options { zone "." { type master; file "root.db"; + notify explicit; + also-notify { 10.53.0.2; }; }; @@ -19580,7 +19580,7 @@ BIND9_MAKE_INCLUDES=$BIND9_TOP_BUILDDIR/make/includes BIND9_MAKE_RULES=$BIND9_TOP_BUILDDIR/make/rules -. $srcdir/version +. "$srcdir/version" BIND9_PRODUCT="PRODUCT=\"${PRODUCT}\"" BIND9_DESCRIPTION="DESCRIPTION=\"${DESCRIPTION}\"" @@ -19589,12 +19589,15 @@ BIND9_VERSION="VERSION=${MAJORVER}.${MINORVER}${PATCHVER:+.}${PATCHVER}${RELEASE BIND9_SRCID="SRCID=unset" -if test -f $srcdir/srcid; then - . $srcdir/srcid +if test -f "${srcdir}/srcid"; then + . "${srcdir}/srcid" BIND9_SRCID="SRCID=$SRCID" +elif test -d "${srcdir}/.git"; then + BIND9_SRCID="SRCID="`(cd "${srcdir}";git log -n 1 --format=%h)` fi + if test -z "$ac_configure_args"; then BIND9_CONFIGARGS="defaults" else @@ -19608,25 +19611,25 @@ BIND9_CONFIGARGS="CONFIGARGS=${BIND9_CONFIGARGS}" -LIBISC_API=$srcdir/lib/isc/api +LIBISC_API="$srcdir/lib/isc/api" -LIBISCCC_API=$srcdir/lib/isccc/api +LIBISCCC_API="$srcdir/lib/isccc/api" -LIBISCCFG_API=$srcdir/lib/isccfg/api +LIBISCCFG_API="$srcdir/lib/isccfg/api" -LIBDNS_API=$srcdir/lib/dns/api +LIBDNS_API="$srcdir/lib/dns/api" -LIBBIND9_API=$srcdir/lib/bind9/api +LIBBIND9_API="$srcdir/lib/bind9/api" -LIBLWRES_API=$srcdir/lib/lwres/api +LIBLWRES_API="$srcdir/lib/lwres/api" -LIBIRS_API=$srcdir/lib/irs/api +LIBIRS_API="$srcdir/lib/irs/api" # # Configure any DLZ drivers. @@ -22965,7 +22968,7 @@ fi /*) ;; *) srcdir="../../$srcdir";; esac - ${SHELL} ${srcdir}${srcdir:+/unit/atf-src/}./configure MISSING=: --prefix $atfdir; + ${SHELL} "${srcdir}${srcdir:+/unit/atf-src/}./configure" MISSING=: --prefix $atfdir; ) ;; "chmod":C) chmod a+x isc-config.sh doc/doxygen/doxygen-input-filter ;; 
@@ -23049,7 +23052,7 @@ test "$want_symtable" = "minimal" && \ echo " Use symbol table for backtrace, named only (--enable-symtable)" test "$want_symtable" = "yes" -o "$want_symtable" = "all" && \ echo " Use symbol table for backtrace, all binaries (--enable-symtable=all)" -test "$use_pkcs11" = "no" || echo " PKCS#11/Cryptoki support (--with-pks11)" +test "$use_pkcs11" = "no" || echo " PKCS#11/Cryptoki support (--with-pkcs11)" # these lines are only printed if run with --enable-full-report @@ -23094,7 +23097,7 @@ test "$enable_filter" = "yes" || \ test "$use_gssapi" = "no" && echo " GSS-API (--with-gssapi)" test "$want_backtrace" = "yes" || \ echo " Print backtrace on crash (--enable-backtrace)" -test "$use_pkcs11" = "no" && echo " PKCS#11/Cryptoki support (--with-pks11)" +test "$use_pkcs11" = "no" && echo " PKCS#11/Cryptoki support (--with-pkcs11)" test "$enable_ipv6" = "no" -o "$found_ipv6" = "no" && \ echo " IPv6 support (--enable-ipv6)" diff --git a/configure.in b/configure.in index 691faca1..6f4618ca 100644 --- a/configure.in +++ b/configure.in @@ -3325,7 +3325,7 @@ if test "$atf" = yes; then /*) ;; *) srcdir="../../$srcdir";; esac - ${SHELL} ${srcdir}${srcdir:+/unit/atf-src/}./configure MISSING=: --prefix $atfdir; + ${SHELL} "${srcdir}${srcdir:+/unit/atf-src/}./configure" MISSING=: --prefix $atfdir; ) ], [atfdir=`pwd`/unit/atf]) AC_MSG_RESULT(building ATF from bind9/unit/atf-src) @@ -3383,7 +3383,7 @@ BIND9_MAKE_INCLUDES=$BIND9_TOP_BUILDDIR/make/includes AC_SUBST_FILE(BIND9_MAKE_RULES) BIND9_MAKE_RULES=$BIND9_TOP_BUILDDIR/make/rules -. $srcdir/version +. "$srcdir/version" BIND9_PRODUCT="PRODUCT=\"${PRODUCT}\"" AC_SUBST(BIND9_PRODUCT) BIND9_DESCRIPTION="DESCRIPTION=\"${DESCRIPTION}\"" 
@@ -3392,10 +3392,13 @@ BIND9_VERSION="VERSION=${MAJORVER}.${MINORVER}${PATCHVER:+.}${PATCHVER}${RELEASE AC_SUBST(BIND9_VERSION) BIND9_SRCID="SRCID=unset" -if test -f $srcdir/srcid; then - . $srcdir/srcid +if test -f "${srcdir}/srcid"; then + . "${srcdir}/srcid" BIND9_SRCID="SRCID=$SRCID" +elif test -d "${srcdir}/.git"; then + BIND9_SRCID="SRCID="`(cd "${srcdir}";git log -n 1 --format=%h)` fi + AC_SUBST(BIND9_SRCID) if test -z "$ac_configure_args"; then @@ -3411,25 +3414,25 @@ BIND9_CONFIGARGS="CONFIGARGS=${BIND9_CONFIGARGS}" AC_SUBST(BIND9_CONFIGARGS) AC_SUBST_FILE(LIBISC_API) -LIBISC_API=$srcdir/lib/isc/api +LIBISC_API="$srcdir/lib/isc/api" AC_SUBST_FILE(LIBISCCC_API) -LIBISCCC_API=$srcdir/lib/isccc/api +LIBISCCC_API="$srcdir/lib/isccc/api" AC_SUBST_FILE(LIBISCCFG_API) -LIBISCCFG_API=$srcdir/lib/isccfg/api +LIBISCCFG_API="$srcdir/lib/isccfg/api" AC_SUBST_FILE(LIBDNS_API) -LIBDNS_API=$srcdir/lib/dns/api +LIBDNS_API="$srcdir/lib/dns/api" AC_SUBST_FILE(LIBBIND9_API) -LIBBIND9_API=$srcdir/lib/bind9/api +LIBBIND9_API="$srcdir/lib/bind9/api" AC_SUBST_FILE(LIBLWRES_API) -LIBLWRES_API=$srcdir/lib/lwres/api +LIBLWRES_API="$srcdir/lib/lwres/api" AC_SUBST_FILE(LIBIRS_API) -LIBIRS_API=$srcdir/lib/irs/api +LIBIRS_API="$srcdir/lib/irs/api" # # Configure any DLZ drivers. @@ -3869,7 +3872,7 @@ test "$want_symtable" = "minimal" && \ echo " Use symbol table for backtrace, named only (--enable-symtable)" test "$want_symtable" = "yes" -o "$want_symtable" = "all" && \ echo " Use symbol table for backtrace, all binaries (--enable-symtable=all)" -test "$use_pkcs11" = "no" || echo " PKCS#11/Cryptoki support (--with-pks11)" +test "$use_pkcs11" = "no" || echo " PKCS#11/Cryptoki support (--with-pkcs11)" # these lines are only printed if run with --enable-full-report 
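Review bot: The new `elif test -d "${srcdir}/.git"` branch runs `git log -n 1 --format=%h` at configure time with no guard for git being absent or the command failing, in which case the error lands on the terminal and `BIND9_SRCID` ends up as the empty `SRCID=` rather than the documented `unset`. Something like `BIND9_SRCID="SRCID="\`(cd "${srcdir}" && git log -n 1 --format=%h 2>/dev/null)\`` followed by `test -n "$SRCID" || BIND9_SRCID="SRCID=unset"` keeps the fallback. Note also that `%h` is the abbreviated hash, whose length depends on the git version and `core.abbrev`, so the build-id reported by `rndc status` is not stable across machines; `%H` is. The same change is in the generated `configure` earlier in this diff and needs the identical fix there.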
@@ -3914,7 +3917,7 @@ test "$enable_filter" = "yes" || \
 test "$use_gssapi" = "no" && echo " GSS-API (--with-gssapi)"
 test "$want_backtrace" = "yes" || \
 	echo " Print backtrace on crash (--enable-backtrace)"
-test "$use_pkcs11" = "no" && echo " PKCS#11/Cryptoki support (--with-pks11)"
+test "$use_pkcs11" = "no" && echo " PKCS#11/Cryptoki support (--with-pkcs11)"
 test "$enable_ipv6" = "no" -o "$found_ipv6" = "no" && \
 	echo " IPv6 support (--enable-ipv6)"
diff --git a/doc/misc/options b/doc/misc/options
index 2c9cddde..8cd0adb7 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -199,7 +199,6 @@ options {
 	recursion <boolean>;
 	recursive-clients <integer>;
 	request-ixfr <boolean>;
-	request-ixfr <boolean>;
 	request-nsid <boolean>;
 	reserved-sockets <integer>;
 	resolver-query-timeout <integer>;
@@ -412,7 +411,6 @@ view <string> <optional_class> {
 	queryport-pool-updateinterval <integer>; // obsolete
 	recursion <boolean>;
 	request-ixfr <boolean>;
-	request-ixfr <boolean>;
 	request-nsid <boolean>;
 	resolver-query-timeout <integer>;
 	response-policy { zone <quoted_string> [ policy ( given | disabled
diff --git a/lib/dns/api b/lib/dns/api
index 60d0c931..a0eb7b21 100644
--- a/lib/dns/api
+++ b/lib/dns/api
@@ -4,6 +4,6 @@
 # 9.8: 80-89, 120-129
 # 9.9: 90-109
 # 9.9-sub: 130-139
-LIBINTERFACE = 100
+LIBINTERFACE = 101
 LIBREVISION = 1
-LIBAGE = 0
+LIBAGE = 1
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index d00c99b4..a1c5c691 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003 Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -764,6 +764,7 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
 		 * If a key is marked inactive, skip it
 		 */
 		if (!key_active(keys[count], now)) {
+			dst_key_setinactive(pubkey, ISC_TRUE);
 			dst_key_free(&keys[count]);
 			keys[count] = pubkey;
 			pubkey = NULL;
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 98607246..93dda089 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -1349,10 +1349,27 @@ get_key_struct(dns_name_t *name, unsigned int alg,
 		key->times[i] = 0;
 		key->timeset[i] = ISC_FALSE;
 	}
+	key->inactive = ISC_FALSE;
 	key->magic = KEY_MAGIC;
 	return (key);
 }
+isc_boolean_t
+dst_key_inactive(const dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+	return (key->inactive);
+}
+
+void
+dst_key_setinactive(dst_key_t *key, isc_boolean_t inactive) {
+	REQUIRE(VALID_KEY(key));
+	key->inactive = inactive;
+}
+
 /*%
  * Reads a public key from disk
  */
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
index c3e8e29a..48ce9b85 100644
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2000-2002 Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -126,6 +126,8 @@ struct dst_key {
 	isc_boolean_t timeset[DST_MAX_TIMES + 1]; /*%< data set? */
 	isc_stdtime_t nums[DST_MAX_NUMERIC + 1]; /*%< numeric metadata */
 	isc_boolean_t numset[DST_MAX_NUMERIC + 1]; /*%< data set? */
+	isc_boolean_t inactive; /*%< private key not present as it is
+				   inactive */
 	int fmt_major; /*%< private key format, major version */
 	int fmt_minor; /*%< private key format, minor version */
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index f91801f6..9efa1e72 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
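Review bot: The comment directly above the new `dst_key_setinactive(pubkey, ISC_TRUE)` call still says "If a key is marked inactive, skip it", but the branch no longer skips the key: it frees the private key and keeps the public half in `keys[count]`, now flagged inactive so that later consumers (the `!dst_key_isprivate() && !dst_key_inactive()` test in update.c further down this diff) can tell it apart from a key whose private half is merely offline. Replace it with `/* If a key is marked inactive, keep only its public part and flag it inactive so it is not mistaken for an offline key. */`. The rest of dns_dnssec_findzonekeys2 is outside the hunk, so the other paths that assign `keys[count]` are not visible here; they should be checked for the same flag handling.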
@@ -2086,6 +2086,12 @@ dns_zone_rpz_enable(dns_zone_t *zone);
  * Set the response policy associated with a zone.
  */
+isc_result_t
+dns_zone_rpz_enable_db(dns_zone_t *zone, dns_db_t *db);
+/*%
+ * If a zone is a response policy zone, mark its new database.
+ */
+
 isc_boolean_t
 dns_zone_get_rpz(dns_zone_t *zone);
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index 4724fc64..a59ed121 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002 Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -923,6 +923,23 @@ dst_key_restore(dns_name_t *name, unsigned int alg, unsigned int flags,
 		unsigned int protocol, dns_rdataclass_t rdclass,
 		isc_mem_t *mctx, const char *keystr, dst_key_t **keyp);
+isc_boolean_t
+dst_key_inactive(const dst_key_t *key);
+/*%<
+ * Determines if the private key is missing due the key being deemed inactive.
+ *
+ * Requires:
+ *	'key' to be valid.
+ */
+
+void
+dst_key_setinactive(dst_key_t *key, isc_boolean_t inactive);
+/*%<
+ * Set key inactive state.
+ *
+ * Requires:
+ *	'key' to be valid.
+ */
 ISC_LANG_ENDDECLS
diff --git a/lib/dns/rdata/generic/dnskey_48.c b/lib/dns/rdata/generic/dnskey_48.c
index 688e7ac5..aa705cab 100644
--- a/lib/dns/rdata/generic/dnskey_48.c
+++ b/lib/dns/rdata/generic/dnskey_48.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2011-2013 Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003 Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
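Review bot: The new `dst_key_inactive` comment in dst.h has a grammar slip, "missing due the key being deemed inactive" should read "missing due to the key being deemed inactive". It would also help callers to state the default and who sets the flag, since neither is visible from the header: `* The flag is ISC_FALSE for a freshly created key and is set with dst_key_setinactive() by code that deliberately loads only the public half of an inactive key.` The `dns_zone_rpz_enable_db` declaration above documents its intent but not its result; a `Returns:` paragraph in the style of the other declarations in zone.h would complete it, whatever the contract turns out to be.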
@@ -32,6 +32,7 @@
 static inline isc_result_t
 fromtext_dnskey(ARGS_FROMTEXT) {
+	isc_result_t result;
 	isc_token_t token;
 	dns_secalg_t alg;
 	dns_secproto_t proto;
@@ -67,7 +68,15 @@ fromtext_dnskey(ARGS_FROMTEXT) {
 	if ((flags & 0xc000) == 0xc000)
 		return (ISC_R_SUCCESS);
-	return (isc_base64_tobuffer(lexer, target, -1));
+	result = isc_base64_tobuffer(lexer, target, -1);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/* Ensure there's at least enough data to compute a key ID for MD5 */
+	if (alg == DST_ALG_RSAMD5 && isc_buffer_usedlength(target) < 7)
+		return (ISC_R_UNEXPECTEDEND);
+
+	return (ISC_R_SUCCESS);
 }
 static inline isc_result_t
@@ -185,6 +194,15 @@ fromwire_dnskey(ARGS_FROMWIRE) {
 		dns_name_init(&name, NULL);
 		RETERR(dns_name_fromwire(&name, source, dctx, options, target));
 	}
+
+	/*
+	 * RSAMD5 computes key ID differently from other
+	 * algorithms: we need to ensure there's enough data
+	 * present for the computation
+	 */
+	if (algorithm == DST_ALG_RSAMD5 && sr.length < 3)
+		return (ISC_R_UNEXPECTEDEND);
+
 	isc_buffer_activeregion(source, &sr);
 	isc_buffer_forward(source, sr.length);
 	return (mem_tobuffer(target, sr.base, sr.length));
diff --git a/lib/dns/rdata/generic/key_25.c b/lib/dns/rdata/generic/key_25.c
index 1d0ba83a..f55401e1 100644
--- a/lib/dns/rdata/generic/key_25.c
+++ b/lib/dns/rdata/generic/key_25.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2011-2013 Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003 Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -32,6 +32,7 @@
 static inline isc_result_t
 fromtext_key(ARGS_FROMTEXT) {
+	isc_result_t result;
 	isc_token_t token;
 	dns_secalg_t alg;
 	dns_secproto_t proto;
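Review bot: The new RSAMD5 guard in fromwire_dnskey tests `sr.length` before `isc_buffer_activeregion(source, &sr)` is re-taken on the very next line, so `sr` still holds whatever region was captured earlier in the function, outside this hunk. If that region was taken before the 4-byte flags/protocol/algorithm header was forwarded, which the immediate refresh afterwards suggests, it is at least 4 bytes long there and `sr.length < 3` can never be true, leaving the check dead and a short RSAMD5 key still reaching the key-ID computation. Either move the refresh above the guard, `isc_buffer_activeregion(source, &sr); if (algorithm == DST_ALG_RSAMD5 && sr.length < 3) return (ISC_R_UNEXPECTEDEND);`, or compare the stale region against 7 (header plus three key bytes). The same pattern appears in fromwire_key in key_25.c below, whereas fromwire_keydata in keydata_65533.c checks a freshly taken region against 19 after reading `sr.base[15]` and looks right. The fromtext guards compare `isc_buffer_usedlength(target)` against an absolute 7 (19 for keydata), which assumes `target` was empty when this rdata started; worth confirming against the callers.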
@@ -67,7 +68,15 @@ fromtext_key(ARGS_FROMTEXT) {
 	if ((flags & 0xc000) == 0xc000)
 		return (ISC_R_SUCCESS);
-	return (isc_base64_tobuffer(lexer, target, -1));
+	result = isc_base64_tobuffer(lexer, target, -1);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/* Ensure there's at least enough data to compute a key ID for MD5 */
+	if (alg == DST_ALG_RSAMD5 && isc_buffer_usedlength(target) < 7)
+		return (ISC_R_UNEXPECTEDEND);
+
+	return (ISC_R_SUCCESS);
 }
 static inline isc_result_t
@@ -176,6 +185,15 @@ fromwire_key(ARGS_FROMWIRE) {
 		dns_name_init(&name, NULL);
 		RETERR(dns_name_fromwire(&name, source, dctx, options, target));
 	}
+
+	/*
+	 * RSAMD5 computes key ID differently from other
+	 * algorithms: we need to ensure there's enough data
+	 * present for the computation
+	 */
+	if (algorithm == DST_ALG_RSAMD5 && sr.length < 3)
+		return (ISC_R_UNEXPECTEDEND);
+
 	isc_buffer_activeregion(source, &sr);
 	isc_buffer_forward(source, sr.length);
 	return (mem_tobuffer(target, sr.base, sr.length));
diff --git a/lib/dns/rdata/generic/keydata_65533.c b/lib/dns/rdata/generic/keydata_65533.c
index f1fe45e4..03ad1ed7 100644
--- a/lib/dns/rdata/generic/keydata_65533.c
+++ b/lib/dns/rdata/generic/keydata_65533.c
@@ -25,6 +25,7 @@
 static inline isc_result_t
 fromtext_keydata(ARGS_FROMTEXT) {
+	isc_result_t result;
 	isc_token_t token;
 	dns_secalg_t alg;
 	dns_secproto_t proto;
@@ -79,7 +80,15 @@ fromtext_keydata(ARGS_FROMTEXT) {
 	if ((flags & 0xc000) == 0xc000)
 		return (ISC_R_SUCCESS);
-	return (isc_base64_tobuffer(lexer, target, -1));
+	result = isc_base64_tobuffer(lexer, target, -1);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/* Ensure there's at least enough data to compute a key ID for MD5 */
+	if (alg == DST_ALG_RSAMD5 && isc_buffer_usedlength(target) < 19)
+		return (ISC_R_UNEXPECTEDEND);
+
+	return (ISC_R_SUCCESS);
 }
 static inline isc_result_t
@@ -185,6 +194,7 @@ totext_keydata(ARGS_TOTEXT) { static inline isc_result_t fromwire_keydata(ARGS_FROMWIRE) { isc_region_t sr; + unsigned char algorithm; REQUIRE(type == 65533); @@ -197,6 +207,15 @@ fromwire_keydata(ARGS_FROMWIRE) { if (sr.length < 16) return (ISC_R_UNEXPECTEDEND); + /* + * RSAMD5 computes key ID differently from other + * algorithms: we need to ensure there's enough data + * present for the computation + */ + algorithm = sr.base[15]; + if (algorithm == DST_ALG_RSAMD5 && sr.length < 19) + return (ISC_R_UNEXPECTEDEND); + isc_buffer_forward(source, sr.length); return (mem_tobuffer(target, sr.base, sr.length)); } diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 27d15b93..afc588c6 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -1132,6 +1132,10 @@ log_edns(fetchctx_t *fctx) { if (fctx->reason == NULL) return; + /* + * We do not know if fctx->domain is the actual domain the record + * lives in or a parent domain so we have a '?' after it. + */ dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf)); isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED, DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO, diff --git a/lib/dns/update.c b/lib/dns/update.c index 14ffcc22..713fa87f 100644 --- a/lib/dns/update.c +++ b/lib/dns/update.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -1211,7 +1211,9 @@ del_keysigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, for (i = 0; i < nkeys; i++) { if (rrsig.keyid == dst_key_id(keys[i])) { found = ISC_TRUE; - if (!dst_key_isprivate(keys[i])) { + if (!dst_key_isprivate(keys[i]) && + !dst_key_inactive(keys[i])) + { /* * The re-signing code in zone.c * will mark this as offline. 
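Review bot: `algorithm = sr.base[15]` and the `< 19` bound in fromwire_keydata are bare magic numbers; the `< 16` check just above shows the fixed part is 16 bytes and 19 is that plus the three bytes the RSAMD5 key-id computation needs, but a reader has to reconstruct that. A one-line comment on the assignment would carry it: `/* algorithm is the last byte of the 16-byte fixed part; RSAMD5 key-id needs 3 more bytes after it */` (the exact field layout is presumed from the offsets — confirm against the totext/fromtext code). The fromtext_keydata hunk uses 19 for the same reason and could reference the same explanation.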
diff --git a/lib/dns/win32/libdns.def b/lib/dns/win32/libdns.def index 46327635..7661f807 100644 --- a/lib/dns/win32/libdns.def +++ b/lib/dns/win32/libdns.def @@ -677,6 +677,7 @@ dns_secalg_fromtext dns_secalg_totext dns_secproto_fromtext dns_secproto_totext +dns_soa_buildrdata dns_soa_getminimum dns_soa_getserial dns_soa_setserial @@ -1006,6 +1007,7 @@ dst_key_getprivateformat dst_key_gettime dst_key_getttl dst_key_id +dst_key_inactive dst_key_isnullkey dst_key_isprivate dst_key_iszonekey @@ -1018,6 +1020,7 @@ dst_key_rid dst_key_secretsize dst_key_setbits dst_key_setflags +dst_key_setinactive dst_key_setprivateformat dst_key_settime dst_key_setttl diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c index 813f616e..9ad8960a 100644 --- a/lib/dns/xfrin.c +++ b/lib/dns/xfrin.c @@ -270,13 +270,18 @@ axfr_init(dns_xfrin_ctx_t *xfr) { static isc_result_t axfr_makedb(dns_xfrin_ctx_t *xfr, dns_db_t **dbp) { - return (dns_db_create(xfr->mctx, /* XXX */ - "rbt", /* XXX guess */ - &xfr->name, - dns_dbtype_zone, - xfr->rdclass, - 0, NULL, /* XXX guess */ - dbp)); + isc_result_t result; + + result = dns_db_create(xfr->mctx, /* XXX */ + "rbt", /* XXX guess */ + &xfr->name, + dns_dbtype_zone, + xfr->rdclass, + 0, NULL, /* XXX guess */ + dbp); + if (result == ISC_R_SUCCESS) + result = dns_zone_rpz_enable_db(xfr->zone, *dbp); + return (result); } static isc_result_t diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 6e9f49af..3bdbc3e0 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -729,8 +729,6 @@ static isc_result_t delete_nsec(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node, dns_name_t *name, dns_diff_t *diff); static void zone_rekey(dns_zone_t *zone); -static isc_boolean_t delsig_ok(dns_rdata_rrsig_t *rrsig_ptr, - dst_key_t **keys, unsigned int nkeys); static isc_result_t zone_send_securedb(dns_zone_t *zone, isc_boolean_t locked, dns_db_t *db); 
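Review bot: When `dns_zone_rpz_enable_db()` fails, axfr_makedb now returns the error with `*dbp` still holding the database it just created, so correctness depends on the caller detaching it on failure; nothing in this hunk shows that it does, and the caller is outside the hunk. Either release it here — `if (result != ISC_R_SUCCESS) dns_db_detach(dbp);` before `return (result);` — or add a comment on the function stating that `*dbp` may be set even when an error is returned. The function also relies on `xfr->zone` being non-NULL, since `dns_zone_rpz_enable_db()` dereferences its zone argument unconditionally; worth a `REQUIRE` or a comment if the context always carries a zone.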
@@ -1534,6 +1532,18 @@ dns_zone_get_rpz(dns_zone_t *zone) {
 	return (zone->is_rpz);
 }
 
+/*
+ * If a zone is a response policy zone, mark its new database.
+ */
+isc_result_t
+dns_zone_rpz_enable_db(dns_zone_t *zone, dns_db_t *db) {
+#ifdef BIND9
+	if (zone->is_rpz)
+		return (dns_db_rpz_enabled(db, NULL));
+#endif
+	return (ISC_R_SUCCESS);
+}
+
 static isc_result_t
 zone_load(dns_zone_t *zone, unsigned int flags) {
 	isc_result_t result;
@@ -1987,14 +1997,9 @@ zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) {
 	isc_result_t tresult;
 	unsigned int options;
 
-#ifdef BIND9
-	if (zone->is_rpz) {
-		result = dns_db_rpz_enabled(db, NULL);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-#endif
-
+	result = dns_zone_rpz_enable_db(zone, db);
+	if (result != ISC_R_SUCCESS)
+		return (result);
 	options = get_master_options(zone);
 	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MANYERRORS))
 		options |= DNS_MASTER_MANYERRORS;
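Review bot: `dns_zone_rpz_enable_db()` is a new externally visible function that dereferences `zone` and passes `db` straight to `dns_db_rpz_enabled()` without validating either argument; the public entry points in this file normally open with a magic-number check, so add `REQUIRE(DNS_ZONE_VALID(zone));` and `REQUIRE(db != NULL);` as the first lines of the body. The header comment should also state the behaviour for the common case: `/* If a zone is a response policy zone, mark its new database; for any other zone, or a non-BIND9 build, this is a no-op returning ISC_R_SUCCESS. */`. The `#ifdef BIND9` split is easy to miss when reading the callers in this commit (zone_startload here, axfr_makedb in xfrin.c), which is why the no-op case deserves to be spelled out.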
@@ -5271,19 +5276,39 @@ set_key_expiry_warning(dns_zone_t *zone, isc_stdtime_t when, isc_stdtime_t now) * have no new key. */ static isc_boolean_t -delsig_ok(dns_rdata_rrsig_t *rrsig_ptr, dst_key_t **keys, unsigned int nkeys) { +delsig_ok(dns_rdata_rrsig_t *rrsig_ptr, dst_key_t **keys, unsigned int nkeys, + isc_boolean_t *warn) +{ unsigned int i = 0; + isc_boolean_t have_ksk = ISC_FALSE, have_zsk = ISC_FALSE; + isc_boolean_t have_pksk = ISC_FALSE, have_pzsk = ISC_FALSE; - /* - * It's okay to delete a signature if there is an active ZSK - * with the same algorithm - */ for (i = 0; i < nkeys; i++) { - if (rrsig_ptr->algorithm == dst_key_alg(keys[i]) && - (dst_key_isprivate(keys[i])) && !KSK(keys[i])) - return (ISC_TRUE); + if (rrsig_ptr->algorithm != dst_key_alg(keys[i])) + continue; + if (dst_key_isprivate(keys[i])) { + if (KSK(keys[i])) + have_ksk = have_pksk = ISC_TRUE; + else + have_zsk = have_pzsk = ISC_TRUE; + } else { + if (KSK(keys[i])) + have_ksk = ISC_TRUE; + else + have_zsk = ISC_TRUE; + } } + if (have_zsk && have_ksk && !have_pzsk) + *warn = ISC_TRUE; + + /* + * It's okay to delete a signature if there is an active key + * with the same algorithm to replace it. + */ + if (have_pksk || have_pzsk) + return (ISC_TRUE); + /* * Failing that, it is *not* okay to delete a signature * if the associated public key is still in the DNSKEY RRset @@ -5351,7 +5376,8 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, RUNTIME_CHECK(result == ISC_R_SUCCESS); if (type != dns_rdatatype_dnskey) { - if (delsig_ok(&rrsig, keys, nkeys)) { + isc_boolean_t warn = ISC_FALSE, deleted = ISC_FALSE; + if (delsig_ok(&rrsig, keys, nkeys, &warn)) { result = update_one_rr(db, ver, zonediff->diff, DNS_DIFFOP_DELRESIGN, name, rdataset.ttl, &rdata); 
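Review bot: The new `warn` out-parameter of delsig_ok is only ever set to ISC_TRUE and never cleared, so its value on return is meaningful only if the caller initialised it to ISC_FALSE beforehand (the del_sigs hunk does, but the contract is not written down). Add to the function's comment block, which starts outside this hunk: `* 'warn' is set to ISC_TRUE (never cleared) when both a KSK and a ZSK of the` / `* signature's algorithm are present but no ZSK has its private key;` / `* callers must initialise *warn to ISC_FALSE.` A short comment on the loop saying that `have_ksk`/`have_zsk` track presence while `have_pksk`/`have_pzsk` track usable private keys would make the two tests after it read without back-tracking.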
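Review bot: The block-scoped `isc_boolean_t warn` introduced under `if (type != dns_rdatatype_dnskey)` in del_sigs shadows a different `warn` that the same function compares numerically later (`if (warn != 0 && warn > timeexpire)` in the -5417 hunk), which presumably is a function-scope time value; the same name thus means a boolean in one branch and a time in the other, and -Wshadow will flag it. Rename the new one — `isc_boolean_t warn_inactive = ISC_FALSE, deleted = ISC_FALSE;`, `delsig_ok(&rrsig, keys, nkeys, &warn_inactive)`, `if (warn_inactive) {` in the -5359 hunk — so the later comparison is unambiguous. del_sigs starts and ends outside these hunks.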
@@ -5359,7 +5385,9 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, changed = ISC_TRUE; if (result != ISC_R_SUCCESS) break; - } else { + deleted = ISC_TRUE; + } + if (warn) { /* * At this point, we've got an RRSIG, * which is signed by an inactive key. @@ -5369,7 +5397,7 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, * offline will prevent us spinning waiting * for the private part. */ - if (incremental) { + if (incremental && !deleted) { result = offline(db, ver, zonediff, name, rdataset.ttl, &rdata); @@ -5417,7 +5445,9 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, * We want the earliest offline expire time * iff there is a new offline signature. */ - if (!dst_key_isprivate(keys[i])) { + if (!dst_key_inactive(keys[i]) && + !dst_key_isprivate(keys[i])) + { isc_int64_t timeexpire = dns_time64_from32(rrsig.timeexpire); if (warn != 0 && warn > timeexpire) diff --git a/lib/isccfg/api b/lib/isccfg/api index 864bdc90..a27437f4 100644 --- a/lib/isccfg/api +++ b/lib/isccfg/api @@ -5,5 +5,5 @@ # 9.9: 90-109 # 9.9-sub: 130-139 LIBINTERFACE = 90 -LIBREVISION = 6 +LIBREVISION = 7 LIBAGE = 0 diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 15fd5549..be28ea71 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -1434,7 +1434,6 @@ view_clauses[] = { { "queryport-pool-updateinterval", &cfg_type_uint32, CFG_CLAUSEFLAG_OBSOLETE }, { "recursion", &cfg_type_boolean, 0 }, - { "request-ixfr", &cfg_type_boolean, 0 }, { "request-nsid", &cfg_type_boolean, 0 }, { "resolver-query-timeout", &cfg_type_uint32, 0 }, { "rfc2308-type1", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI }, @@ -1 +1 @@ -SRCID=9d031335 +SRCID=2d1fd70e @@ -9,4 +9,4 @@ MAJORVER=9 MINORVER=9 PATCHVER=4 RELEASETYPE=rc -RELEASEVER=1 +RELEASEVER=2 |