| author | Internet Software Consortium, Inc <@isc.org> | 2007-09-07 14:08:27 -0600 |
|---|---|---|
| committer | LaMont Jones <lamont@debian.org> | 2007-09-07 14:08:27 -0600 |
| commit | 4089379c19b6316e701952cb731eda71c9cfd8bb (patch) | |
| tree | 79f73ec56e23bac2ff8fb637eb7d07741542a04b | |
| parent | a587bb7b9841ad0f25e3ac75930b866a4da4983e (diff) | |
| download | bind9-4089379c19b6316e701952cb731eda71c9cfd8bb.tar.gz | |
9.0.0rc2
66 files changed, 2984 insertions, 1405 deletions
@@ -1,4 +1,99 @@ + --- 9.0.0rc2 released --- + + 377. [bug] When additional data lookups were refused due to + "allow-query", the databases were still being + attached causing reference leaks. + + 376. [bug] The server should always use good entropy when + performing cryptographic functions needing entropy. + + 375. [bug] Per-zone allow-query did not properly override the + view/global one for CNAME targets and additional + data [RT #220]. + + 374. [bug] SOA in authoritative negative responses had wrong TTL. + + 373. [func] nslookup is now installed by "make install". + + 372. [bug] Deal with Microsoft DNS servers appending two bytes of + garbage to zone transfer requests. + + 371. [bug] At high debug levels, doing an outgoing zone transfer + of a very large RRset could cause an assertion failure + during logging. + + 370. [bug] The error messages for rollforward failures were + overly terse. + + 367. [bug] Allow proper selection of server on nslookup command + line. + + 365. [bug] nsupdate -k leaked memory. + + 362. [bug] rndc no longer aborts if the configuration file is + missing an options statement. [RT #209] + + 359. [bug] dnssec-signzone occasionally signed glue records. + + 357. [bug] The zone file parser crashed if the argument + to $INCLUDE was a quoted string. + + 354. [doc] Man pages for the dnssec tools are now included in + the distribution, in doc/man/dnssec. + + 353. [bug] double increment in lwres/gethost.c:copytobuf(). + (RT# 187) + + 352. [bug] Race condition in dns_client_t startup could cause + an assertion failure. + + 351. [bug] Constructing a response with rcode SERVFAIL to a TSIG + signed query could crash the server. + + 350. [bug] Also-notify lists specified in the global options + block were not correctly reference counted, causing + a memory leak. + + 349. [bug] Processing a query with the CD bit set now works + as expected. + + 344. 
[bug] When shutting down, lwresd sometimes tried + to shut down its client tasks twice, + triggering an assertion. + + 343. [bug] Although zone maintenance SOA queries and + notify requests were signed with TSIG keys + when configured for the server in case, + the TSIG was not verified on the response. + + 342. [bug] The wrong name was being passed to + dns_name_dup() when generating a TSIG + key using TKEY. + + 340. [bug] The top-level COPYRIGHT file was missing from + the distribution. + + 339. [bug] DNSSEC validation of the response to an ANY + query at a name with a CNAME RR in a secure + zone triggered an assertion failure. + + 337. [bug] "dig" did not recognize "nsap-ptr" as an RR type + on the command line. + + 336. [bug] "dig -f" used 64 k of memory for each line in + the file. It now uses much less, though still + proportionally to the file size. + + 335. [bug] named would occasionally attempt recursion when + it was disallowed or undesired. + + 333. [bug] The resolver incorrectly accepted referrals to + domains that were not parents of the query name, + causing assertion failures. + + 331. [bug] Only log "recursion denied" if RD is set. (RT #178) + --- 9.0.0rc1 released --- 329. [func] omapi_auth_register() now takes a size_t argument for diff --git a/COPYRIGHT b/COPYRIGHT new file mode 100644 index 00000000..3e34fdc4 --- /dev/null +++ b/COPYRIGHT 
@@ -0,0 +1,14 @@ +Copyright (C) 1996-2000 Internet Software Consortium. + +Permission to use, copy, modify, and distribute this software for any +purpose with or without fee is hereby granted, provided that the above +copyright notice and this permission notice appear in all copies. + +THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS +ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES +OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE +CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL +DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR +PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS +ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS +SOFTWARE. diff --git a/Makefile.in b/Makefile.in index ae87d784..e87e9a8c 100644 --- a/Makefile.in +++ b/Makefile.in @@ -13,7 +13,7 @@ # ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS # SOFTWARE. -# $Id: Makefile.in,v 1.21.2.4 2000/07/12 17:06:01 gson Exp $ +# $Id: Makefile.in,v 1.21.2.6 2000/07/27 01:48:49 gson Exp $ srcdir = @srcdir@ VPATH = @srcdir@ @@ -23,14 +23,14 @@ top_srcdir = @top_srcdir@ SUBDIRS = make lib bin TARGETS = -DISTFILES = CHANGES Makefile.in README \ +DISTFILES = CHANGES COPYRIGHT Makefile.in README \ acconfig.h aclocal.m4 config.guess config.h.in config.h.win32 \ config.status.win32 config.sub configure configure.in \ isc-config.sh.in install-sh libtool.m4 ltconfig ltmain.sh \ lib make contrib \ version DOCDISTFILES = arm draft misc rfc -DOCMANDISTFILES = bin +DOCMANDISTFILES = bin dnssec BINDISTFILES = Makefile.in dig dnssec named nsupdate rndc tests @BIND9_MAKE_RULES@ 
@@ -68,19 +68,19 @@ BIND 9 Stichting NLnet - NLnet Foundation -BIND 9.0.0rc1 +BIND 9.0.0rc2 - BIND 9.0.0rc1 is a release candidate for the upcoming + BIND 9.0.0rc2 is a release candidate for the upcoming 9.0.0 release. The only changes expected between - rc1 and the final release are bug fixes and documentation + rc2 and the final release are bug fixes and documentation updates. The 9.0.0 release, and this release candidate, is aimed at early adopters and those who wish to make use of new 9.0 features, such as IPv6 and DNSSEC secure resolution support. - We are running 9.0.0rc1 in production, and it has been - used as a root name server. + We are running BIND 9 in production, and it has been used + as a root name server. The distribution includes a new lightweight resolver library and associated resolver daemon. These should still be considered @@ -89,23 +89,11 @@ BIND 9.0.0rc1 The server-side support for DNSSEC secured zones is stable and complete with the exception of the handling of wildcard records. The support for secure resolution is still to be considered - experimental. - - There have been some changes since beta 5; the highlights are: - - The communication between "rndc" and "named" is now - authenticated using digital signatures. Because of - this, rndc now requires a configuration file "rndc.conf" - containing a shared secret, with a corresponding - "controls" clause in named.conf. - - When the server is chrooted using the -t option, - it no longer needs copies of the passwd and group - files in the chroot environment. + experimental. For detailed information about the state of the + DNSSEC implementation, see the file doc/misc/dnssec. - Various bug fixes and cleanups, especially - in the dig, host, nslookup, and nsupdate - programs. + Several bugs found in rc1 have been fixed. For a detailed + list of user-visible changes, see the CHANGES file. There are a few known bugs: 
@@ -128,12 +116,16 @@ BIND 9.0.0rc1 for unknown reasons, but the server itself seems to run fine. + On FreeBSD systems, the server logs error messages + like "fcntl(8, F_SETFL, 4): Inappropriate ioctl for + device". This is due to a bug in the FreeSBD + /dev/random device. The bug has been reported + to the FreeBSD maintainers. A similar problem is + reported to exist on OpenBSD. + If you are upgrading from BIND 8, please read the migration notes in doc/misc/migration. - For a detailed list of user-visible changes since beta 5, see - the CHANGES file. - Building @@ -152,6 +144,11 @@ Building Red Hat Linux 6.0, 6.1, 6.2 Solaris 2.6, 7, 8 (beta) + We have received reports of success from users of the + following additional platforms: + + Solaris 2.8 + To build, just ./configure diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in index bbe6e809..9b8b32b5 100644 --- a/bin/dig/Makefile.in +++ b/bin/dig/Makefile.in @@ -13,7 +13,7 @@ # ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS # SOFTWARE. -# $Id: Makefile.in,v 1.10.2.1 2000/06/28 16:33:42 tale Exp $ +# $Id: Makefile.in,v 1.10.2.2 2000/08/08 00:17:59 gson Exp $ srcdir = @srcdir@ VPATH = @srcdir@ @@ -67,6 +67,7 @@ installdirs: mkdir ${DESTDIR}${bindir}; \ fi -install:: dig host installdirs +install:: dig host nslookup installdirs ${LIBTOOL} ${INSTALL_PROGRAM} dig ${DESTDIR}${bindir} ${LIBTOOL} ${INSTALL_PROGRAM} host ${DESTDIR}${bindir} + ${LIBTOOL} ${INSTALL_PROGRAM} nslookup ${DESTDIR}${bindir} diff --git a/bin/dig/dig.c b/bin/dig/dig.c index 19146b0e..f8219371 100644 --- a/bin/dig/dig.c +++ b/bin/dig/dig.c @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: dig.c,v 1.51.2.4 2000/07/12 17:56:23 gson Exp $ */ +/* $Id: dig.c,v 1.51.2.5 2000/07/17 19:40:50 gson Exp $ */ #include <config.h> #include <stdlib.h> 
@@ -1046,7 +1046,7 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) { strcpy(lookup->rttext, "ptr"); strcpy(lookup->rctext, "in"); lookup->namespace[0] = 0; - lookup->sendspace[0] = 0; + lookup->sendspace = NULL; lookup->sendmsg = NULL; lookup->name = NULL; lookup->oname = NULL; @@ -1111,7 +1111,7 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) { lookup->rttext[0] = 0; lookup->rctext[0] = 0; lookup->namespace[0] = 0; - lookup->sendspace[0] = 0; + lookup->sendspace = NULL; lookup->sendmsg = NULL; lookup->name = NULL; lookup->oname = NULL; @@ -1188,7 +1188,7 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) { lookup->pending = ISC_FALSE; lookup->rctext[0] = 0; lookup->namespace[0] = 0; - lookup->sendspace[0] = 0; + lookup->sendspace = NULL; lookup->sendmsg = NULL; lookup->name = NULL; lookup->oname = NULL; diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c index cfcc0fc1..947ecc7b 100644 --- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: dighost.c,v 1.58.2.5 2000/07/12 00:52:57 gson Exp $ */ +/* $Id: dighost.c,v 1.58.2.9 2000/08/07 23:50:13 gson Exp $ */ /* * Notice to programmers: Do not use this code as an example of how to @@ -102,7 +102,7 @@ isc_buffer_t *namebuf = NULL; dns_tsigkey_t *key = NULL; isc_boolean_t validated = ISC_TRUE; isc_entropy_t *entp = NULL; - +isc_mempool_t *commctx = NULL; extern isc_boolean_t isc_mem_debugging; isc_boolean_t debugging = ISC_FALSE; char *progname = NULL; @@ -141,7 +141,6 @@ hex_dump(isc_buffer_t *b) { printf("\n"); } - void fatal(const char *format, ...) { va_list args; 
@@ -185,6 +184,26 @@ check_result(isc_result_t result, const char *msg) { } } +/* + * Create a server structure, which is part of the lookup structure. + * This is little more than a linked list of servers to query in hopes + * of finding the answer the user is looking for + */ +dig_server_t * +make_server(const char *servname) { + dig_server_t *srv; + + REQUIRE(servname != NULL); + + debug("make_server(%s)",servname); + srv = isc_mem_allocate(mctx, sizeof(struct dig_server)); + if (srv == NULL) + fatal("Memory allocation failure in %s:%d", + __FILE__, __LINE__); + strncpy(srv->servername, servname, MXNAME); + return (srv); +} + isc_boolean_t isclass(char *text) { /* @@ -215,7 +234,7 @@ istype(char *text) { "wks", "ptr", "hinfo", "minfo", "mx", "txt", "rp", "afsdb", "x25", "isdn", "rt", "nsap", - "nsap_ptr", "sig", "key", "px", + "nsap-ptr", "sig", "key", "px", "gpos", "aaaa", "loc", "nxt", "srv", "naptr", "kx", "cert", "a6", "dname", "opt", "unspec", @@ -252,7 +271,7 @@ requeue_lookup(dig_lookup_t *lookold, isc_boolean_t servers) { strncpy(looknew->rttext, lookold-> rttext, 32); strncpy(looknew->rctext, lookold-> rctext, 32); looknew->namespace[0] = 0; - looknew->sendspace[0] = 0; + looknew->sendspace = NULL; looknew->sendmsg = NULL; looknew->name = NULL; looknew->oname = NULL; @@ -566,6 +585,16 @@ setup_libs(void) { result = dst_lib_init(mctx, entp, 0); check_result(result, "dst_lib_init"); is_dst_up = ISC_TRUE; + + result = isc_mempool_create(mctx, COMMSIZE, &commctx); + check_result(result, "isc_mempool_create"); + isc_mempool_setname(commctx, "COMMPOOL"); + /* + * 6 and 2 set as reasonable parameters for 3 or 4 nameserver + * systems. + */ + isc_mempool_setfreemax(commctx, 6); + isc_mempool_setfillcount(commctx, 2); } static void 
@@ -1079,6 +1108,10 @@ setup_lookup(dig_lookup_t *lookup) { lookup->querysig = NULL; } + lookup->sendspace = isc_mempool_get(commctx); + if (lookup->sendspace == NULL) + fatal("memory allocation failure"); + debug("starting to render the message"); isc_buffer_init(&lookup->sendbuf, lookup->sendspace, COMMSIZE); result = dns_message_renderbegin(lookup->sendmsg, &lookup->sendbuf); @@ -1122,6 +1155,9 @@ setup_lookup(dig_lookup_t *lookup) { ISC_LIST_INIT(query->recvlist); ISC_LIST_INIT(query->lengthlist); query->sock = NULL; + query->recvspace = isc_mempool_get(commctx); + if (query->recvspace == NULL) + fatal("memory allocation failure"); isc_buffer_init(&query->recvbuf, query->recvspace, COMMSIZE); isc_buffer_init(&query->lengthbuf, query->lengthspace, 2); @@ -1765,7 +1801,8 @@ recv_done(isc_task_t *task, isc_event_t *event) { * outages won't cause the XFR to abort */ if ((timeout != INT_MAX) && - (query->lookup->timer != NULL)) { + (query->lookup->timer != NULL) && + query->lookup->doing_xfr ) { if (timeout == 0) { if (query->lookup->tcp_mode) local_timeout = TCP_TIMEOUT; @@ -2148,6 +2185,8 @@ free_lists(void) { if (ISC_LINK_LINKED(&q->lengthbuf, link)) ISC_LIST_DEQUEUE(q->lengthlist, &q->lengthbuf, link); + INSIST(q->recvspace != NULL); + isc_mempool_put(commctx, q->recvspace); isc_buffer_invalidate(&q->recvbuf); isc_buffer_invalidate(&q->lengthbuf); ptr = q; @@ -2167,6 +2206,8 @@ free_lists(void) { } if (l->sendmsg != NULL) dns_message_destroy(&l->sendmsg); + if (l->sendspace != NULL) + isc_mempool_put(commctx, l->sendspace); if (l->querysig != NULL) { debug("freeing buffer %p", l->querysig); isc_buffer_free(&l->querysig); @@ -2190,4 +2231,8 @@ free_lists(void) { debug("detach from entropy"); isc_entropy_detach(&entp); } + if (commctx != NULL) { + debug("freeing commctx"); + isc_mempool_destroy(&commctx); + } } diff --git a/bin/dig/host.c b/bin/dig/host.c index e156880c..8c2df26a 100644 --- a/bin/dig/host.c +++ b/bin/dig/host.c 
@@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: host.c,v 1.29.2.3 2000/07/10 19:11:37 bwelling Exp $ */ +/* $Id: host.c,v 1.29.2.4 2000/07/17 19:40:53 gson Exp $ */ #include <config.h> #include <stdlib.h> @@ -661,7 +661,7 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) { strncpy(lookup->rttext, querytype, 32); strncpy(lookup->rctext, queryclass, 32); lookup->namespace[0] = 0; - lookup->sendspace[0] = 0; + lookup->sendspace = NULL; lookup->sendmsg = NULL; lookup->name = NULL; lookup->oname = NULL; diff --git a/bin/dig/include/dig/dig.h b/bin/dig/include/dig/dig.h index 959d30c8..fa85a9c7 100644 --- a/bin/dig/include/dig/dig.h +++ b/bin/dig/include/dig/dig.h @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: dig.h,v 1.25.2.2 2000/07/10 19:11:40 bwelling Exp $ */ +/* $Id: dig.h,v 1.25.2.4 2000/08/07 23:50:17 gson Exp $ */ #ifndef DIG_H #define DIG_H @@ -99,7 +99,7 @@ struct dig_lookup { isc_buffer_t namebuf; isc_buffer_t onamebuf; isc_buffer_t sendbuf; - char sendspace[COMMSIZE]; + char *sendspace; dns_name_t *name; isc_timer_t *timer; isc_interval_t interval; @@ -139,7 +139,7 @@ struct dig_query { isc_buffer_t recvbuf, lengthbuf, slbuf; - char recvspace[COMMSIZE], + char *recvspace, lengthspace[4], slspace[4]; isc_socket_t *sock; @@ -209,6 +209,8 @@ free_lists(void); dig_lookup_t * requeue_lookup(dig_lookup_t *lookold, isc_boolean_t servers); +dig_server_t * +make_server(const char *servname); /* * Routines needed in dig.c and host.c. diff --git a/bin/dig/nslookup.c b/bin/dig/nslookup.c index b4d95e28..dc5e3f39 100644 --- a/bin/dig/nslookup.c +++ b/bin/dig/nslookup.c @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: nslookup.c,v 1.20.2.1 2000/07/10 19:11:38 bwelling Exp $ */ +/* $Id: nslookup.c,v 1.20.2.4 2000/08/07 23:56:33 gson Exp $ */ #include <config.h> 
@@ -59,6 +59,7 @@ extern int lookup_counter; extern char fixeddomain[MXNAME]; extern int exitcode; extern isc_taskmgr_t *taskmgr; +extern isc_mempool_t *commctx; extern char *progname; isc_boolean_t short_form = ISC_TRUE, printcmd = ISC_TRUE, @@ -218,7 +219,8 @@ printsection(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers, rdataset = ISC_LIST_NEXT(rdataset, link)) { loopresult = dns_rdataset_first(rdataset); while (loopresult == ISC_R_SUCCESS) { - dns_rdataset_current(rdataset, &rdata); switch (rdata.type) { + dns_rdataset_current(rdataset, &rdata); + switch (rdata.type) { case dns_rdatatype_a: if (section != DNS_SECTION_ANSWER) goto def_short_section; @@ -585,6 +587,7 @@ show_settings(isc_boolean_t full) { static void setoption(char *opt) { + dig_server_t *srv; if (strncasecmp(opt,"all",4) == 0) { show_settings(ISC_TRUE); @@ -635,10 +638,14 @@ setoption(char *opt) { debugging = ISC_FALSE; } else if (strncasecmp(opt, "sil",3) == 0) { deprecation_msg = ISC_FALSE; + } else { + srv = make_server(opt); + debug("server is %s", srv->servername); + ISC_LIST_APPEND(server_list, srv, link); } } -static void +static dig_lookup_t* addlookup(char *opt) { dig_lookup_t *lookup; @@ -651,7 +658,7 @@ addlookup(char *opt) { strncpy (lookup->rttext, deftype, MXNAME); strncpy (lookup->rctext, defclass, MXNAME); lookup->namespace[0]=0; - lookup->sendspace[0]=0; + lookup->sendspace = NULL; lookup->sendmsg=NULL; lookup->name=NULL; lookup->oname=NULL; @@ -687,6 +694,7 @@ addlookup(char *opt) { lookup->origin = NULL; ISC_LIST_INIT(lookup->my_server_list); debug("looking up %s", lookup->textname); + return (lookup); } static void @@ -751,6 +759,7 @@ get_next_command(void) { static void parse_args(int argc, char **argv) { dig_lookup_t *lookup = NULL; + isc_boolean_t have_lookup = ISC_FALSE; for (argc--, argv++; argc > 0; argc--, argv++) { debug ("main parsing %s", argv[0]); 
@@ -762,10 +771,13 @@ parse_args(int argc, char **argv) { } if (argv[0][1] != 0) setoption(&argv[0][1]); + else + have_lookup = ISC_TRUE; } else { - if (lookup == NULL) { + if (!have_lookup) { + have_lookup = ISC_TRUE; in_use = ISC_TRUE; - addlookup(argv[0]); + lookup = addlookup(argv[0]); } else setsrv(argv[0]); @@ -795,6 +807,8 @@ flush_lookup_list(void) { if (ISC_LINK_LINKED(&q->lengthbuf, link)) ISC_LIST_DEQUEUE(q->lengthlist, &q->lengthbuf, link); + INSIST(q->recvspace != NULL); + isc_mempool_put(commctx, q->recvspace); isc_buffer_invalidate(&q->recvbuf); isc_buffer_invalidate(&q->lengthbuf); qp = q; @@ -814,6 +828,8 @@ flush_lookup_list(void) { } if (l->sendmsg != NULL) dns_message_destroy(&l->sendmsg); + if (l->sendspace != NULL) + isc_mempool_put(commctx, l->sendspace); if (l->timer != NULL) isc_timer_detach(&l->timer); lp = l; diff --git a/bin/dnssec/dnssec-makekeyset.c b/bin/dnssec/dnssec-makekeyset.c index a4497fa8..7387a36c 100644 --- a/bin/dnssec/dnssec-makekeyset.c +++ b/bin/dnssec/dnssec-makekeyset.c @@ -17,7 +17,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-makekeyset.c,v 1.28 2000/06/22 21:49:02 tale Exp $ */ +/* $Id: dnssec-makekeyset.c,v 1.28.2.1 2000/08/02 21:59:30 gson Exp $ */ #include <config.h> @@ -146,7 +146,7 @@ main(int argc, char *argv[]) { dns_result_register(); - while ((ch = isc_commandline_parse(argc, argv, "s:e:t:r:v:")) != -1) + while ((ch = isc_commandline_parse(argc, argv, "s:e:t:r:v:h")) != -1) { switch (ch) { case 's': diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index cf056783..619f891d 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -17,7 +17,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-signzone.c,v 1.81 2000/06/22 21:49:04 tale Exp $ */ +/* $Id: dnssec-signzone.c,v 1.81.2.2 2000/08/02 22:33:03 gson Exp $ */ #include <config.h> 
@@ -519,6 +519,9 @@ importparentsig(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node, dns_rdata_t rdata, newrdata; isc_result_t result; + dns_rdataset_init(&newset); + dns_rdataset_init(&sigset); + isc_buffer_init(&b, filename, sizeof(filename) - 10); result = dns_name_totext(name, ISC_FALSE, &b); check_result(result, "dns_name_totext()"); @@ -533,8 +536,6 @@ importparentsig(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node, result = dns_db_findnode(newdb, name, ISC_FALSE, &newnode); if (result != ISC_R_SUCCESS) goto failure; - dns_rdataset_init(&newset); - dns_rdataset_init(&sigset); result = dns_db_findrdataset(newdb, newnode, NULL, dns_rdatatype_key, 0, 0, &newset, &sigset); if (result != ISC_R_SUCCESS) @@ -570,10 +571,12 @@ importparentsig(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node, result = dns_db_addrdataset(db, node, version, 0, &sigset, 0, NULL); check_result(result, "dns_db_addrdataset"); - dns_rdataset_disassociate(&newset); - dns_rdataset_disassociate(&sigset); failure: + if (dns_rdataset_isassociated(&newset)) + dns_rdataset_disassociate(&newset); + if (dns_rdataset_isassociated(&sigset)) + dns_rdataset_disassociate(&sigset); if (newnode != NULL) dns_db_detachnode(newdb, &newnode); if (newdb != NULL) @@ -1011,7 +1014,7 @@ signzone(dns_db_t *db, dns_dbversion_t *version) { nextnode = NULL; curnode = NULL; dns_dbiterator_current(dbiter, &curnode, curname); - if (!dns_name_equal(name, dns_db_origin(db))) { + if (!dns_name_equal(curname, dns_db_origin(db))) { dns_rdatasetiter_t *rdsiter = NULL; dns_rdataset_t set; diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c index fd051995..0249c3da 100644 --- a/bin/dnssec/dnssectool.c +++ b/bin/dnssec/dnssectool.c @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: dnssectool.c,v 1.12 2000/06/22 21:49:05 tale Exp $ */ +/* $Id: dnssectool.c,v 1.12.2.1 2000/08/07 16:41:38 gson Exp $ */ #include <config.h> 
@@ -201,7 +201,8 @@ kbdstop(isc_entropysource_t *source, void *arg) { UNUSED(source); - fprintf(stderr, "stop typing.\r\n"); + if (!isc_keyboard_canceled(kbd)) + fprintf(stderr, "stop typing.\r\n"); (void)isc_keyboard_close(kbd, 3); } diff --git a/bin/named/client.c b/bin/named/client.c index ad5fa814..003db202 100644 --- a/bin/named/client.c +++ b/bin/named/client.c @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: client.c,v 1.98 2000/06/22 23:48:07 marka Exp $ */ +/* $Id: client.c,v 1.98.2.3 2000/07/26 23:51:31 bwelling Exp $ */ #include <config.h> @@ -163,6 +163,8 @@ static void clientmgr_destroy(ns_clientmgr_t *manager); static isc_boolean_t exit_check(ns_client_t *client); static void ns_client_endrequest(ns_client_t *client); static void ns_client_checkactive(ns_client_t *client); +static void client_start(isc_task_t *task, isc_event_t *event); +static void client_request(isc_task_t *task, isc_event_t *event); /* * Enter the inactive state. @@ -432,6 +434,45 @@ exit_check(ns_client_t *client) { } /* + * The client's task has received the client's control event + * as part of the startup process. + */ +static void +client_start(isc_task_t *task, isc_event_t *event) { + ns_client_t *client = (ns_client_t *) event->ev_arg; + isc_result_t result; + + INSIST(task == client->task); + + UNUSED(task); + + if (TCP_CLIENT(client)) { + client_accept(client); + } else { + result = dns_dispatch_addrequest(client->dispatch, + client->task, + client_request, + client, + &client->dispentry); + + if (result != ISC_R_SUCCESS) { + ns_client_log(client, + DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_CLIENT, + ISC_LOG_DEBUG(3), + "dns_dispatch_addrequest() " + "failed: %s", + isc_result_totext(result)); + /* + * Not much we can do here but log the failure; + * the client will effectively go idle. + */ + } + } +} + + +/* * The client's task has received a shutdown event. */ static void 
@@ -559,14 +600,14 @@ client_senddone(isc_task_t *task, isc_event_t *event) { ns_client_t *client; isc_socketevent_t *sevent = (isc_socketevent_t *) event; - UNUSED(task); - REQUIRE(sevent != NULL); REQUIRE(sevent->ev_type == ISC_SOCKEVENT_SENDDONE); client = sevent->ev_arg; REQUIRE(NS_CLIENT_VALID(client)); REQUIRE(task == client->task); + UNUSED(task); + CTRACE("senddone"); if (sevent->result != ISC_R_SUCCESS) @@ -816,6 +857,7 @@ client_request(isc_task_t *task, isc_event_t *event) { dns_view_t *view; dns_rdataset_t *opt; isc_boolean_t ra; /* Recursion available. */ + isc_boolean_t rd; /* Recursion desired. */ REQUIRE(event != NULL); client = event->ev_arg; @@ -1041,16 +1083,19 @@ client_request(isc_task_t *task, isc_event_t *event) { * responses to ordinary queries. */ ra = ISC_FALSE; + rd = ISC_TF((client->message->flags & DNS_MESSAGEFLAG_RD) != 0); if (client->view->resolver != NULL && client->view->recursion == ISC_TRUE && /* XXX this will log too much too early */ ns_client_checkacl(client, "recursion", client->view->recursionacl, - ISC_TRUE, ISC_TRUE) == ISC_R_SUCCESS) + ISC_TRUE, rd) == ISC_R_SUCCESS) ra = ISC_TRUE; if (ra == ISC_TRUE) client->attributes |= NS_CLIENTATTR_RA; + else + client->attributes &= ~NS_CLIENTATTR_RA; /* * Dispatch the request. @@ -1191,6 +1236,9 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) client->recursionquota = NULL; client->interface = NULL; client->peeraddr_valid = ISC_FALSE; + ISC_EVENT_INIT(&client->ctlevent, sizeof(client->ctlevent), 0, NULL, + NS_EVENT_CLIENTCONTROL, client_start, client, client, + NULL, NULL); ISC_LINK_INIT(client, link); client->list = NULL; @@ -1268,7 +1316,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) { UNUSED(task); INSIST(client->state == NS_CLIENTSTATE_READY); - + INSIST(client->naccepts == 1); client->naccepts--; 
@@ -1525,6 +1573,7 @@ ns_clientmgr_createclients(ns_clientmgr_t *manager, unsigned int n, LOCK(&manager->lock); for (i = 0; i < n; i++) { + isc_event_t *ev; /* * Allocate a client. First try to get a recycled one; * if that fails, make a new one. @@ -1549,30 +1598,16 @@ ns_clientmgr_createclients(ns_clientmgr_t *manager, unsigned int n, client->attributes |= NS_CLIENTATTR_TCP; isc_socket_attach(ifp->tcpsocket, &client->tcplistener); - client_accept(client); } else { dns_dispatch_attach(ifp->udpdispatch, &client->dispatch); - result = dns_dispatch_addrequest(client->dispatch, - client->task, - client_request, - client, - &client->dispentry); - if (result != ISC_R_SUCCESS) { - ns_client_log(client, - DNS_LOGCATEGORY_SECURITY, - NS_LOGMODULE_CLIENT, - ISC_LOG_DEBUG(3), - "dns_dispatch_addrequest() " - "failed: %s", - isc_result_totext(result)); - isc_task_shutdown(client->task); - break; - } } client->manager = manager; ISC_LIST_APPEND(manager->active, client, link); client->list = &manager->active; + + ev = &client->ctlevent; + isc_task_send(client->task, &ev); } if (i != 0) { /* diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h index 922ce2ad..37ef28d6 100644 --- a/bin/named/include/named/client.h +++ b/bin/named/include/named/client.h @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: client.h,v 1.37 2000/06/22 21:49:38 tale Exp $ */ +/* $Id: client.h,v 1.37.2.1 2000/07/26 23:51:33 bwelling Exp $ */ #ifndef NAMED_CLIENT_H #define NAMED_CLIENT_H 1 @@ -122,6 +122,7 @@ struct ns_client { isc_sockaddr_t peeraddr; isc_boolean_t peeraddr_valid; struct in6_pktinfo pktinfo; + isc_event_t ctlevent; ISC_LINK(ns_client_t) link; /* * The list 'link' is part of, or NULL if not on any list. diff --git a/bin/named/include/named/query.h b/bin/named/include/named/query.h index a6712103..3ac8ce0d 100644 --- a/bin/named/include/named/query.h +++ b/bin/named/include/named/query.h 
@@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: query.h,v 1.17 2000/06/22 21:49:50 tale Exp $ */ +/* $Id: query.h,v 1.17.2.1 2000/07/28 17:56:09 gson Exp $ */ #ifndef NAMED_QUERY_H #define NAMED_QUERY_H 1 @@ -42,6 +42,7 @@ struct ns_query { dns_name_t * origqname; dns_rdataset_t * qrdataset; unsigned int dboptions; + unsigned int fetchoptions; dns_db_t * gluedb; dns_fetch_t * fetch; dns_a6context_t a6ctx; diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h index 427c1d5f..e7ff95fd 100644 --- a/bin/named/include/named/server.h +++ b/bin/named/include/named/server.h @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: server.h,v 1.32 2000/06/22 21:49:51 tale Exp $ */ +/* $Id: server.h,v 1.32.2.1 2000/07/26 23:51:35 bwelling Exp $ */ #ifndef NAMED_SERVER_H #define NAMED_SERVER_H 1 @@ -30,6 +30,7 @@ #define NS_EVENTCLASS ISC_EVENTCLASS(0x4E43) #define NS_EVENT_RELOAD (NS_EVENTCLASS + 0) +#define NS_EVENT_CLIENTCONTROL (NS_EVENTCLASS + 1) /* * Name server state. Better here than in lots of separate global variables. diff --git a/bin/named/lwresd.c b/bin/named/lwresd.c index aa89ea11..c1b2f189 100644 --- a/bin/named/lwresd.c +++ b/bin/named/lwresd.c @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: lwresd.c,v 1.8.2.2 2000/06/28 00:19:05 gson Exp $ */ +/* $Id: lwresd.c,v 1.8.2.3 2000/07/21 22:46:47 gson Exp $ */ /* * Main program for the Lightweight Resolver Daemon. @@ -89,15 +89,11 @@ mem_free(void *arg, void *mem, size_t size) { static void shutdown_lwresd(isc_task_t *task, isc_event_t *event) { ns_lwresd_t *lwresd = event->ev_arg; - unsigned int i; UNUSED(task); dns_dispatchmgr_destroy(&lwresd->dispmgr); - for (i = 0; i < lwresd->ntasks; i++) - isc_task_shutdown(lwresd->cmgr[i].task); - /* * Wait for everything to die off by waiting for the sockets * to be detached. diff --git a/bin/named/omapiconf.c b/bin/named/omapiconf.c index b3e29388..b46d83f2 100644 --- a/bin/named/omapiconf.c +++ b/bin/named/omapiconf.c 
@@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: omapiconf.c,v 1.4.2.3 2000/07/12 16:37:06 gson Exp $ */ +/* $Id: omapiconf.c,v 1.4.2.4 2000/07/28 04:23:14 gson Exp $ */ /* * Principal Author: DCL @@ -199,7 +199,7 @@ register_keys(dns_c_ctrl_t *control, dns_c_kdeflist_t *keydeflist, { dns_c_kid_t *keyid; dns_c_kdef_t *keydef; - const char secret[1024]; + char secret[1024]; isc_buffer_t b; isc_result_t result; diff --git a/bin/named/query.c b/bin/named/query.c index 39466a1b..4bd1cedb 100644 --- a/bin/named/query.c +++ b/bin/named/query.c @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: query.c,v 1.109.2.4 2000/07/10 21:59:34 gson Exp $ */ +/* $Id: query.c,v 1.109.2.10 2000/08/08 19:30:13 bwelling Exp $ */ #include <config.h> @@ -29,6 +29,7 @@ #include <dns/rdatalist.h> #include <dns/rdataset.h> #include <dns/rdatasetiter.h> +#include <dns/rdatastruct.h> #include <dns/rdatatype.h> #include <dns/resolver.h> #include <dns/result.h> @@ -169,6 +170,7 @@ query_reset(ns_client_t *client, isc_boolean_t everything) { client->query.qname = NULL; client->query.qrdataset = NULL; client->query.dboptions = 0; + client->query.fetchoptions = 0; client->query.gluedb = NULL; } @@ -449,6 +451,11 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, unsigned int options, dns_acl_t *queryacl; ns_dbversion_t *dbversion; unsigned int ztoptions; + dns_zone_t *zone = NULL; + dns_db_t *db = NULL; + + REQUIRE(zonep != NULL && *zonep == NULL); + REQUIRE(dbp != NULL && *dbp == NULL); /* * Find a zone database to answer the query. @@ -457,12 +464,12 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, unsigned int options, DNS_ZTFIND_NOEXACT : 0; result = dns_zt_find(client->view->zonetable, name, ztoptions, NULL, - zonep); + &zone); if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) - result = dns_zone_getdb(*zonep, dbp); + result = dns_zone_getdb(zone, &db); if (result != ISC_R_SUCCESS) - return (result); + goto fail; /* * If the zone has an ACL, we'll check it, otherwise 
@@ -478,19 +485,21 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, unsigned int options, /* * Get the current version of this database. */ - dbversion = query_findversion(client, *dbp, &new_zone); - if (dbversion == NULL) - return (DNS_R_SERVFAIL); + dbversion = query_findversion(client, db, &new_zone); + if (dbversion == NULL) { + result = DNS_R_SERVFAIL; + goto fail; + } *versionp = dbversion->version; if (new_zone) { - queryacl = dns_zone_getqueryacl(*zonep); check_acl = ISC_TRUE; } else if (!dbversion->queryok) { - return (DNS_R_REFUSED); + goto refuse; } else { check_acl = ISC_FALSE; } + queryacl = dns_zone_getqueryacl(zone); if (queryacl == NULL) { queryacl = client->view->queryacl; if ((client->query.attributes & @@ -504,7 +513,7 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, unsigned int options, check_acl = ISC_FALSE; if ((client->query.attributes & NS_QUERYATTR_QUERYOK) == 0) - return (DNS_R_REFUSED); + goto refuse; } else { /* * We haven't evaluated the view's queryacl yet. @@ -517,6 +526,7 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, unsigned int options, isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0); result = ns_client_checkacl(client, "query", queryacl, ISC_TRUE, log); + if (queryacl == client->view->queryacl) { if (result == ISC_R_SUCCESS) { /* 
@@ -532,38 +542,56 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, unsigned int options, * the NS_QUERYATTR_QUERYOK attribute is now valid. */ client->query.attributes |= NS_QUERYATTR_QUERYOKVALID; - } - } else - result = ISC_R_SUCCESS; + } + + if (result != ISC_R_SUCCESS) + goto refuse; + } + + /* Approved. */ /* * Remember the result of the ACL check so we * don't have to check again. */ - if (result == ISC_R_SUCCESS) - dbversion->queryok = ISC_TRUE; - - return (result); -} + dbversion->queryok = ISC_TRUE; + /* Transfer ownership. */ + *zonep = zone; + *dbp = db; + + return (ISC_R_SUCCESS); + + refuse: + result = DNS_R_REFUSED; + fail: + if (zone != NULL) + dns_zone_detach(&zone); + if (db != NULL) + dns_db_detach(&db); + return (result); +} static inline isc_result_t query_getcachedb(ns_client_t *client, dns_db_t **dbp, unsigned int options) { isc_result_t result; isc_boolean_t check_acl; + dns_db_t *db = NULL; + + REQUIRE(dbp != NULL && *dbp == NULL); /* * Find a cache database to answer the query. - * This may fail with ISC_R_REFUSED if the client + * This may fail with DNS_R_REFUSED if the client * is not allowed to use the cache. */ if (!USECACHE(client)) return (DNS_R_REFUSED); - dns_db_attach(client->view->cachedb, dbp); - + dns_db_attach(client->view->cachedb, &db); + if ((client->query.attributes & NS_QUERYATTR_QUERYOKVALID) != 0) { /* @@ -575,14 +603,14 @@ query_getcachedb(ns_client_t *client, dns_db_t **dbp, unsigned int options) check_acl = ISC_FALSE; if ((client->query.attributes & NS_QUERYATTR_QUERYOK) == 0) - return (DNS_R_REFUSED); + goto refuse; } else { /* * We haven't evaluated the view's queryacl yet. */ check_acl = ISC_TRUE; } - + if (check_acl) { isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0); result = ns_client_checkacl(client, "query", client->view->queryacl, 
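Review bot: `dbversion->queryok = ISC_TRUE;` under `/* Approved. */` is now unconditional, which is correct only because every non-success outcome above it jumps to `refuse`/`fail`; the `if (result != ISC_R_SUCCESS) goto refuse;` that guarantees this sits inside `if (check_acl)`, so anyone adding a later check must remember to jump rather than fall through. Put the invariant (all refusals have already exited) in the `/* Approved. */` comment so it is not lost on the next edit.

Review bot: In query_getcachedb the `if (db != NULL)` guard under `refuse:` is dead: `dns_db_attach(client->view->cachedb, &db)` runs unconditionally (the only early return, `!USECACHE(client)`, precedes it) and both `goto refuse` sites come after it, so `db` is always attached there. Either drop the guard or keep it and add a `fail:` label mirroring query_getzonedb so the two functions read the same way.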
@@ -601,9 +629,23 @@ query_getcachedb(ns_client_t *client, dns_db_t **dbp, unsigned int options) * the NS_QUERYATTR_QUERYOK attribute is now valid. */ client->query.attributes |= NS_QUERYATTR_QUERYOKVALID; - - } else - result = ISC_R_SUCCESS; + + if (result != ISC_R_SUCCESS) + goto refuse; + } + + /* Approved. */ + + /* Transfer ownership. */ + *dbp = db; + + return (ISC_R_SUCCESS); + + refuse: + result = DNS_R_REFUSED; + + if (db != NULL) + dns_db_detach(&db); return (result); } @@ -1414,7 +1456,8 @@ query_addsoa(ns_client_t *client, dns_db_t *db) { /* * Find the SOA. */ - result = dns_db_find(db, name, NULL, dns_rdatatype_soa, 0, 0, &node, + result = dns_db_find(db, name, NULL, dns_rdatatype_soa, + client->query.dboptions, 0, &node, fname, rdataset, sigrdataset); if (result != ISC_R_SUCCESS) { /* @@ -1423,6 +1466,24 @@ query_addsoa(ns_client_t *client, dns_db_t *db) { */ eresult = DNS_R_SERVFAIL; } else { + /* + * Extract the SOA MINIMUM. + */ + dns_rdata_soa_t soa; + dns_rdata_t rdata; + result = dns_rdataset_first(rdataset); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + dns_rdataset_current(rdataset, &rdata); + dns_rdata_tostruct(&rdata, &soa, NULL); + + /* + * Add the SOA and its SIG to the response, with the + * TTLs adjusted per RFC2308 section 3. + */ + if (rdataset->ttl > soa.minimum) + rdataset->ttl = soa.minimum; + if (sigrdataset->ttl > soa.minimum) + sigrdataset->ttl = soa.minimum; query_addrrset(client, &name, &rdataset, &sigrdataset, NULL, DNS_SECTION_AUTHORITY); } @@ -1479,7 +1540,8 @@ query_addns(ns_client_t *client, dns_db_t *db) { * Find the NS rdataset. */ CTRACE("query_addns: calling dns_db_find"); - result = dns_db_find(db, name, NULL, dns_rdatatype_ns, 0, 0, &node, + result = dns_db_find(db, name, NULL, dns_rdatatype_ns, + client->query.dboptions, 0, &node, fname, rdataset, sigrdataset); CTRACE("query_addns: dns_db_find complete"); if (result != ISC_R_SUCCESS) { 
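Review bot: In the new SOA MINIMUM block in query_addsoa, the result of `dns_rdata_tostruct(&rdata, &soa, NULL)` is discarded while the preceding `dns_rdataset_first` gets a RUNTIME_CHECK; treat them alike (RUNTIME_CHECK, or a SERVFAIL path), otherwise `soa.minimum` can be read from an unfilled struct. `sigrdataset->ttl` is also dereferenced without a NULL check, which is fine only if query_addsoa guarantees a non-NULL `sigrdataset` (an initialised but unassociated rdataset has ttl 0, so the comparison itself is harmless); an INSIST would document that assumption. The capping itself, `ttl = min(ttl, soa.minimum)` applied to both the SOA and its SIG, is the RFC 2308 section 3 behaviour described by ChangeLog 374. Note that query_addsoa and query_addns now pass `client->query.dboptions` to `dns_db_find`, so with CD set the authority-section SOA/NS can itself be pending data.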
@@ -1621,7 +1683,7 @@ query_addbestns(ns_client_t *client) { */ if (is_zone) { result = dns_db_find(db, client->query.qname, version, - dns_rdatatype_ns, 0, + dns_rdatatype_ns, client->query.dboptions, client->now, &node, fname, rdataset, sigrdataset); if (result != DNS_R_DELEGATION) @@ -1640,7 +1702,8 @@ query_addbestns(ns_client_t *client) { goto db_find; } } else { - result = dns_db_findzonecut(db, client->query.qname, 0, + result = dns_db_findzonecut(db, client->query.qname, + client->query.dboptions, client->now, &node, fname, rdataset, sigrdataset); if (result == ISC_R_SUCCESS) { @@ -1681,8 +1744,9 @@ query_addbestns(ns_client_t *client) { zsigrdataset = NULL; } - if ((client->message->flags & DNS_MESSAGEFLAG_CD) == 0 && - rdataset->trust == dns_trust_pending) + if ((client->query.dboptions & DNS_DBFIND_PENDINGOK) == 0 && + (rdataset->trust == dns_trust_pending || + sigrdataset->trust == dns_trust_pending)) goto cleanup; query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf, @@ -1814,7 +1878,6 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain, { isc_result_t result; dns_rdataset_t *rdataset, *sigrdataset; - unsigned int options = 0; /* * We are about to recurse, which means that this client will @@ -1856,7 +1919,8 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain, result = dns_resolver_createfetch(client->view->resolver, client->query.qname, qtype, qdomain, nameservers, - NULL, options, client->task, + NULL, client->query.fetchoptions, + client->task, query_resume, client, rdataset, sigrdataset, &client->query.fetch); @@ -1916,7 +1980,8 @@ query_findparentkey(ns_client_t *client, dns_name_t *name, goto cleanup; } - result = dns_db_find(pdb, name, pversion, dns_rdatatype_key, 0, + result = dns_db_find(pdb, name, pversion, dns_rdatatype_key, + client->query.dboptions, client->now, &pnode, dns_fixedname_name(&pfoundname), &prdataset, &psigrdataset); 
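Review bot: query_findparentkey now passes `client->query.dboptions` to `dns_db_find`, so when the client set CD (which adds DNS_DBFIND_PENDINGOK in ns_query_start) the parent KEY RRset it returns can carry pending trust. That is acceptable data for a CD client, but the caller must treat it as pending (clear AD) exactly like pending answer data; the old call hard-coded options 0 and never saw pending keys, so that path has not been exercised. The widened test in query_addbestns, `rdataset->trust == dns_trust_pending || sigrdataset->trust == dns_trust_pending`, is the right condition (the old test ignored the SIG's trust), but it dereferences `sigrdataset` unconditionally, so the same non-NULL assumption as in query_addsoa applies and deserves an INSIST.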
@@ -2150,9 +2215,9 @@ query_find(ns_client_t *client, dns_fetchevent_t *event) { /* * Now look for an answer in the database. */ - result = dns_db_find(db, client->query.qname, version, type, 0, - client->now, &node, fname, rdataset, - sigrdataset); + result = dns_db_find(db, client->query.qname, version, type, + client->query.dboptions, client->now, + &node, fname, rdataset, sigrdataset); /* * We interrupt our normal query processing to bring you this special @@ -2951,6 +3016,16 @@ ns_query_start(ns_client_t *client) { } /* + * If the client has requested that DNSSEC checking be disabled, + * allow lookups to return pending data and instruct the resolver + * to return data before validation has completed. + */ + if (message->flags & DNS_MESSAGEFLAG_CD) { + client->query.dboptions |= DNS_DBFIND_PENDINGOK; + client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE; + } + + /* * This is an ordinary query. */ result = dns_message_reply(message, ISC_TRUE); @@ -2968,9 +3043,6 @@ ns_query_start(ns_client_t *client) { /* * Set AD. We need only clear it if we add "pending" data to * a response. - * - * Note: as currently written, the server does not return "pending" - * data even if a client says it's OK to do so. */ message->flags |= DNS_MESSAGEFLAG_AD; diff --git a/bin/named/server.c b/bin/named/server.c index 08edfe82..c7f391a4 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: server.c,v 1.200.2.2 2000/07/11 17:23:06 gson Exp $ */ +/* $Id: server.c,v 1.200.2.4 2000/08/08 19:25:50 gson Exp $ */ #include <config.h> @@ -1149,7 +1149,7 @@ load_configuration(const char *filename, ns_server_t *server, configure_server_quota(cctx, dns_c_ctx_gettcpclients, &server->tcpquota, 100); configure_server_quota(cctx, dns_c_ctx_getrecursiveclients, - &server->recursionquota, 100); + &server->recursionquota, 1000); /* * Configure the zone manager. 
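Review bot: Setting `DNS_DBFIND_PENDINGOK` and `DNS_FETCHOPT_NOVALIDATE` when CD is set makes the server return pending data for the first time, and the hunk just below deletes the comment that said pending data is never returned. The surviving comment, "Set AD. We need only clear it if we add 'pending' data to a response", is now load-bearing: every path that adds an rdataset to the message (answer, authority via query_addsoa/query_addns/query_addbestns, additional data, and the parent KEY from query_findparentkey) must clear DNS_MESSAGEFLAG_AD when the data's trust is pending, or a CD query can receive unvalidated data with AD=1. Name the single place that does the clearing (query_addrrset, if that is where it lives) in the comment, and add a dnssec system test that sends a CD query for not-yet-validated data and asserts AD is clear.

Review bot: Raising the recursion quota default in load_configuration from 100 to 1000 (`&server->recursionquota, 1000`) is a tenfold change in the per-server ceiling on outstanding recursive clients; document the new default for the `recursive-clients` option (the getter is `dns_c_ctx_getrecursiveclients`) and note in the release notes that memory held by in-flight fetches under a query flood grows correspondingly before the quota starts refusing.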
@@ -1576,7 +1576,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { ISC_R_NOMEMORY : ISC_R_SUCCESS, "allocating reload event"); - CHECKFATAL(dst_lib_init(ns_g_mctx, ns_g_entropy, 0), + CHECKFATAL(dst_lib_init(ns_g_mctx, ns_g_entropy, ISC_ENTROPY_GOODONLY), "initializing DST"); server->tkeyctx = NULL; diff --git a/bin/named/xfrout.c b/bin/named/xfrout.c index 6412267b..6a4ab864 100644 --- a/bin/named/xfrout.c +++ b/bin/named/xfrout.c @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: xfrout.c,v 1.68 2000/06/15 04:41:59 marka Exp $ */ +/* $Id: xfrout.c,v 1.68.2.1 2000/08/07 22:04:31 gson Exp $ */ #include <config.h> @@ -263,15 +263,16 @@ log_rr(dns_name_t *name, dns_rdata_t *rdata, isc_uint32_t ttl) { result = dns_rdataset_totext(&rds, name, ISC_FALSE, ISC_FALSE, &buf); - /* Get rid of final newline. */ - INSIST(buf.used >= 1 && ((char *) buf.base)[buf.used-1] == '\n'); - buf.used--; - /* * We could use xfrout_log(), but that would produce * very long lines with a repetitive prefix. */ if (result == ISC_R_SUCCESS) { + /* Get rid of final newline. */ + INSIST(buf.used >= 1 && + ((char *) buf.base)[buf.used-1] == '\n'); + buf.used--; + isc_buffer_usedregion(&buf, &r); isc_log_write(XFROUT_DEBUG_LOGARGS(8), "%.*s", (int) r.length, (char *) r.base); diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c index b2b41df1..5b85a10a 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: nsupdate.c,v 1.8.2.3 2000/07/10 17:23:25 bwelling Exp $ */ +/* $Id: nsupdate.c,v 1.8.2.4 2000/08/02 22:19:06 gson Exp $ */ #include <config.h> @@ -245,6 +245,9 @@ setup_key() { result = dns_tsigkeyring_create(mctx, &keyring); check_result(result, "dns_tsigkeyringcreate"); + dns_fixedname_init(&fkeyname); + keyname = dns_fixedname_name(&fkeyname); + if (keystr != NULL) { isc_buffer_t keynamesrc; char *secretstr; 
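Review bot: `dst_lib_init(ns_g_mctx, ns_g_entropy, ISC_ENTROPY_GOODONLY)` changes the failure mode, not only the quality of randomness: with GOODONLY, operations that need entropy (TSIG/TKEY, signing) fail, or block if the blocking flag is also used, when the entropy source cannot supply good bits, instead of falling back to weaker data. That is the right default for a nameserver (ChangeLog 376), but it needs a release note saying what happens on hosts without a usable entropy device, and the startup path should log a refused or blocked entropy request so it is diagnosable rather than presenting as a hang.

Review bot: Moving the trailing-newline INSIST inside `if (result == ISC_R_SUCCESS)` in log_rr stops the assertion firing when `dns_rdataset_totext` fails (the large-RRset case in ChangeLog 371), but on that failure the record is now silently dropped from the level-8 transfer trace; add an `else` that logs `isc_result_totext(result)` so an operator reading the trace can tell an RR was skipped rather than conclude the transfer sent fewer records.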
@@ -259,9 +262,6 @@ setup_key() { fatal("key option must specify keyname:secret\n"); secretstr = s + 1; - dns_fixedname_init(&fkeyname); - keyname = dns_fixedname_name(&fkeyname); - isc_buffer_init(&keynamesrc, keystr, s - keystr); isc_buffer_add(&keynamesrc, s - keystr); @@ -317,7 +317,11 @@ setup_key() { keyfile, isc_result_totext(result)); goto failure; } - keyname = dst_key_name(dstkey); + result = dns_name_concatenate(dst_key_name(dstkey), NULL, + keyname, NULL); + check_result(result, "dns_name_concatenate"); + dst_key_free(&dstkey); + } debug("keycreate"); diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c index e07de3e5..32c04c3c 100644 --- a/bin/rndc/rndc.c +++ b/bin/rndc/rndc.c @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: rndc.c,v 1.12.2.5 2000/07/12 01:18:55 gson Exp $ */ +/* $Id: rndc.c,v 1.12.2.6 2000/08/02 20:59:13 gson Exp $ */ /* * Principal Author: DCL @@ -361,7 +361,7 @@ main(int argc, char **argv) { (void)dns_c_ndcctx_getoptions(config, &configopts); - if (servername == NULL) + if (servername == NULL && configopts != NULL) result = dns_c_ndcopts_getdefserver(configopts, &servername); if (servername != NULL) @@ -369,7 +369,7 @@ main(int argc, char **argv) { else { fprintf(stderr, "%s: no server specified and no default\n", progname); - exit (1); + exit(1); } /* diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 0e154813..ffde9ff3 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -15,7 +15,7 @@ # ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS # SOFTWARE. -# $Id: tests.sh,v 1.15.2.4 2000/07/11 00:43:45 bwelling Exp $ +# $Id: tests.sh,v 1.15.2.5 2000/07/19 20:39:01 gson Exp $ # # Perform tests 
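Review bot: In nsupdate's `-k` path, `keyname` is now a copy made with `dns_name_concatenate(dst_key_name(dstkey), NULL, keyname, NULL)` and `dstkey` is freed immediately afterwards (the ChangeLog 365 leak fix), so from that point the key's secret is gone as well; confirm the code after `debug("keycreate")` has already copied the secret out of `dstkey` and never touches `dstkey` again, otherwise this converts a leak into a use-after-free of key material. Moving `dns_fixedname_init(&fkeyname)` ahead of the `if (keystr != NULL)` branch is what makes the copy safe in both the `-y` and `-k` paths.

Review bot: The `configopts != NULL` guard in rndc's main fixes the abort on a configuration with no options statement (ChangeLog 362, RT #209), and the existing `if (servername != NULL)` / `else` then yields the "no server specified and no default" error for that case, which is the right behaviour. A system test running rndc against an options-less config would pin this so it does not regress.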
@@ -65,8 +65,8 @@ status=`expr $status + $ret` echo "I:checking multi-stage positive validation" ret=0 -$DIG $DIGOPTS a.secure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS a.secure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$DIG $DIGOPTS +noauth a.secure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.secure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi diff --git a/bin/tests/system/lwresd/lwtest.c b/bin/tests/system/lwresd/lwtest.c index a1c5ceb5..0894ad40 100644 --- a/bin/tests/system/lwresd/lwtest.c +++ b/bin/tests/system/lwresd/lwtest.c @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: lwtest.c,v 1.6.2.3 2000/07/10 04:52:01 gson Exp $ */ +/* $Id: lwtest.c,v 1.6.2.4 2000/08/02 21:01:44 gson Exp $ */ #include <config.h> @@ -254,8 +254,8 @@ test_gethostbyname(const char *name, const char *address) { char outbuf[16]; (void)inet_ntop(AF_INET, hp->h_addr_list[0], outbuf, sizeof(outbuf)); - printf("I:gethostbyname(%s) returned %s, expected %s\n", - name, outbuf, address); + printf("I:gethostbyname(%s) returned %s, " + "expected %s\n", name, outbuf, address); fails++; return; } @@ -301,8 +301,8 @@ test_gethostbyname2(const char *name, const char *address, int af) { char outbuf[16]; (void)inet_ntop(af, hp->h_addr_list[0], outbuf, sizeof(outbuf)); - printf("I:gethostbyname(%s) returned %s, expected %s\n", - name, outbuf, address); + printf("I:gethostbyname(%s) returned %s, " + "expected %s\n", name, outbuf, address); fails++; return; } @@ -312,7 +312,7 @@ test_gethostbyname2(const char *name, const char *address, int af) { static void test_gethostbyaddr(const char *address, int af, const char *name) { struct hostent *hp; - unsigned char addrbuf[16]; + char addrbuf[16]; int len, ret; if (af == AF_INET) 
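Review bot: Adding `+noauth` to the two digs in the "multi-stage positive validation" test makes the digcomp.pl comparison ignore the authority sections, so the NS RRset and its SIG returned by ns3 and ns4 are no longer checked against each other. If those sections legitimately differ between the two servers, say so in a comment beside the test so nobody reads this as a loosened validation check; if they should match, the test has lost coverage.

Review bot: The lwtest.c printf hunks only re-wrap long lines, but the message they touch in test_gethostbyname2 still reports `gethostbyname(%s)`; since the line is being edited anyway, make it say gethostbyname2 so a failing system test names the call that failed. On `addrbuf`, the `unsigned char` to `char` change presumably matches the prototype of the function it is passed to; the buffer still holds raw address bytes, so make sure nothing compares its contents as signed values.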
@@ -340,8 +340,8 @@ test_gethostbyaddr(const char *address, int af, const char *name) { } } else { if (strcmp(hp->h_name, name) != 0) { - printf("I:gethostbyname(%s) returned %s, expected %s\n", - address, hp->h_name, name); + printf("I:gethostbyname(%s) returned %s, " + "expected %s\n", address, hp->h_name, name); fails++; return; } @@ -399,8 +399,8 @@ test_getaddrinfo(const char *name, int af, int v4ok, int v6ok, char outbuf[16]; (void)inet_ntop(af, ai->ai_addr, outbuf, sizeof(outbuf)); - printf("I:getaddrinfo(%s) returned %db, expected %db\n", - name, ai->ai_addrlen, len); + printf("I:getaddrinfo(%s) returned %db, " + "expected %db\n", name, ai->ai_addrlen, len); fails++; return; } else if (af == AF_INET) { @@ -482,8 +482,8 @@ test_getnameinfo(const char *address, int af, const char *name) { } } else { if (name == NULL) { - printf("I:getaddrinfo(%s) returned %s, expected NULL\n", - address, host); + printf("I:getaddrinfo(%s) returned %s, " + "expected NULL\n", address, host); fails++; return; } else if (strcmp(host, name) != 0) { 
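Review bot: Same message defect as in the previous hunk: test_gethostbyaddr reports failures as `gethostbyname(%s)` and test_getnameinfo reports `getaddrinfo(%s)`; both lines are rewritten here, so correct the function names while touching them.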
@@ -526,17 +526,22 @@ main(void) { test_gabn("a3", LWRES_R_INCOMPLETE, NULL, LWRES_ADDRTYPE_V4); test_gabn("b.example1", LWRES_R_SUCCESS, - "eeee:eeee:eeee:eeee:ffff:ffff:ffff:ffff", LWRES_ADDRTYPE_V6); + "eeee:eeee:eeee:eeee:ffff:ffff:ffff:ffff", + LWRES_ADDRTYPE_V6); test_gabn("b.example1.", LWRES_R_SUCCESS, - "eeee:eeee:eeee:eeee:ffff:ffff:ffff:ffff", LWRES_ADDRTYPE_V6); + "eeee:eeee:eeee:eeee:ffff:ffff:ffff:ffff", + LWRES_ADDRTYPE_V6); test_gabn("b.example2", LWRES_R_SUCCESS, - "eeee:eeee:eeee:eeee:ffff:ffff:ffff:ffff", LWRES_ADDRTYPE_V6); + "eeee:eeee:eeee:eeee:ffff:ffff:ffff:ffff", + LWRES_ADDRTYPE_V6); test_gabn("b.example2.", LWRES_R_SUCCESS, - "eeee:eeee:eeee:eeee:ffff:ffff:ffff:ffff", LWRES_ADDRTYPE_V6); + "eeee:eeee:eeee:eeee:ffff:ffff:ffff:ffff", + LWRES_ADDRTYPE_V6); test_gabn("b.example3", LWRES_R_NOTFOUND, NULL, LWRES_ADDRTYPE_V6); test_gabn("b.example3.", LWRES_R_NOTFOUND, NULL, LWRES_ADDRTYPE_V6); test_gabn("b", LWRES_R_SUCCESS, - "eeee:eeee:eeee:eeee:ffff:ffff:ffff:ffff", LWRES_ADDRTYPE_V6); + "eeee:eeee:eeee:eeee:ffff:ffff:ffff:ffff", + LWRES_ADDRTYPE_V6); test_gabn("b.", LWRES_R_NOTFOUND, NULL, LWRES_ADDRTYPE_V6); test_gabn("d.example1", LWRES_R_NOTFOUND, NULL, LWRES_ADDRTYPE_V6); @@ -15,7 +15,7 @@ # ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS # SOFTWARE. -# From configure.in Revision: 1.165.2.2 +# From configure.in Revision: 1.165.2.3 ## libtool.m4 - Configure libtool for the target system. -*-Shell-script-*- ## Copyright (C) 1996-1999 Free Software Foundation, Inc. 
@@ -2645,505 +2645,6 @@ fi # -# Networking specifics. -# -case "$host" in - *-dec-osf*) - # Turn on 4.4BSD style sa_len support. - cat >> confdefs.h <<\EOF -#define _SOCKADDR_LEN 1 -EOF - - ;; -esac - -# -# Look for a 4.4BSD-style sa_len member in struct sockaddr. -# -echo $ac_n "checking for sa_len in struct sockaddr""... $ac_c" 1>&6 -echo "configure:2665: checking for sa_len in struct sockaddr" >&5 -cat > conftest.$ac_ext <<EOF -#line 2667 "configure" -#include "confdefs.h" - -#include <sys/types.h> -#include <sys/socket.h> -int main() { -struct sockaddr sa; sa.sa_len = 0; return (0); -; return 0; } -EOF -if { (eval echo configure:2676: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then - rm -rf conftest* - echo "$ac_t""yes" 1>&6 - ISC_PLATFORM_HAVESALEN="#define ISC_PLATFORM_HAVESALEN 1" - LWRES_PLATFORM_HAVESALEN="#define LWRES_PLATFORM_HAVESALEN 1" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - echo "$ac_t""no" 1>&6 - ISC_PLATFORM_HAVESALEN="#undef ISC_PLATFORM_HAVESALEN" - LWRES_PLATFORM_HAVESALEN="#undef LWRES_PLATFORM_HAVESALEN" -fi -rm -f conftest* - - - -# -# Look for a 4.4BSD or 4.3BSD struct msghdr -# -echo $ac_n "checking for struct msghdr flavor""... $ac_c" 1>&6 -echo "configure:2697: checking for struct msghdr flavor" >&5 -cat > conftest.$ac_ext <<EOF -#line 2699 "configure" -#include "confdefs.h" - -#include <sys/types.h> -#include <sys/socket.h> -int main() { -struct msghdr msg; msg.msg_flags = 0; return (0); -; return 0; } -EOF -if { (eval echo configure:2708: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then - rm -rf conftest* - echo "$ac_t""4.4BSD" 1>&6 - ISC_PLATFORM_MSGHDRFLAVOR="#define ISC_NET_BSD44MSGHDR 1" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - echo "$ac_t""4.3BSD" 1>&6 - ISC_PLATFORM_MSGHDRFLAVOR="#define ISC_NET_BSD43MSGHDR 1" -fi -rm -f conftest* - - -# -# Look for in_port_t. 
-# -echo $ac_n "checking for type in_port_t""... $ac_c" 1>&6 -echo "configure:2726: checking for type in_port_t" >&5 -cat > conftest.$ac_ext <<EOF -#line 2728 "configure" -#include "confdefs.h" - -#include <sys/types.h> -#include <netinet/in.h> -int main() { -in_port_t port = 25; return (0); -; return 0; } -EOF -if { (eval echo configure:2737: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then - rm -rf conftest* - echo "$ac_t""yes" 1>&6 - ISC_PLATFORM_NEEDPORTT="#undef ISC_PLATFORM_NEEDPORTT" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - echo "$ac_t""no" 1>&6 - ISC_PLATFORM_NEEDPORTT="#define ISC_PLATFORM_NEEDPORTT 1" -fi -rm -f conftest* - - -# -# Check for addrinfo -# -echo $ac_n "checking for struct addrinfo""... $ac_c" 1>&6 -echo "configure:2755: checking for struct addrinfo" >&5 -cat > conftest.$ac_ext <<EOF -#line 2757 "configure" -#include "confdefs.h" - -#include <netdb.h> -int main() { -struct addrinfo a; return (0); -; return 0; } -EOF -if { (eval echo configure:2765: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then - rm -rf conftest* - echo "$ac_t""yes" 1>&6 - ISC_LWRES_NEEDADDRINFO="#undef ISC_LWRES_NEEDADDRINFO" - cat >> confdefs.h <<\EOF -#define HAVE_ADDRINFO 1 -EOF - -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - echo "$ac_t""no" 1>&6 - ISC_LWRES_NEEDADDRINFO="#define ISC_LWRES_NEEDADDRINFO 1" -fi -rm -f conftest* - - -echo $ac_n "checking for int sethostent""... 
$ac_c" 1>&6 -echo "configure:2784: checking for int sethostent" >&5 -cat > conftest.$ac_ext <<EOF -#line 2786 "configure" -#include "confdefs.h" - -#include <netdb.h> -int main() { -int i = sethostent(0); return(0); -; return 0; } -EOF -if { (eval echo configure:2794: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then - rm -rf conftest* - echo "$ac_t""yes" 1>&6 - ISC_LWRES_SETHOSTENTINT="#define ISC_LWRES_SETHOSTENTINT 1" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - echo "$ac_t""no" 1>&6 - ISC_LWRES_SETHOSTENTINT="#undef ISC_LWRES_SETHOSTENTINT" -fi -rm -f conftest* - - -echo $ac_n "checking for int endhostent""... $ac_c" 1>&6 -echo "configure:2809: checking for int endhostent" >&5 -cat > conftest.$ac_ext <<EOF -#line 2811 "configure" -#include "confdefs.h" - -#include <netdb.h> -int main() { -int i = endhostent(); return(0); -; return 0; } -EOF -if { (eval echo configure:2819: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then - rm -rf conftest* - echo "$ac_t""yes" 1>&6 - ISC_LWRES_ENDHOSTENTINT="#define ISC_LWRES_ENDHOSTENTINT 1" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - echo "$ac_t""no" 1>&6 - ISC_LWRES_ENDHOSTENTINT="#undef ISC_LWRES_ENDHOSTENTINT" -fi -rm -f conftest* - - -echo $ac_n "checking for getnetbyaddr(in_addr_t, ...)""... 
$ac_c" 1>&6 -echo "configure:2834: checking for getnetbyaddr(in_addr_t, ...)" >&5 -cat > conftest.$ac_ext <<EOF -#line 2836 "configure" -#include "confdefs.h" - -#include <netdb.h> -struct netent *getnetbyaddr(in_addr_t, int); -int main() { - -; return 0; } -EOF -if { (eval echo configure:2845: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then - rm -rf conftest* - echo "$ac_t""yes" 1>&6 - ISC_LWRES_GETNETBYADDRINADDR="#define ISC_LWRES_GETNETBYADDRINADDR 1" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - echo "$ac_t""no" 1>&6 - ISC_LWRES_GETNETBYADDRINADDR="#undef ISC_LWRES_GETNETBYADDRINADDR" -fi -rm -f conftest* - - -echo $ac_n "checking for int setnetent""... $ac_c" 1>&6 -echo "configure:2860: checking for int setnetent" >&5 -cat > conftest.$ac_ext <<EOF -#line 2862 "configure" -#include "confdefs.h" - -#include <netdb.h> -int main() { -int i = setnetent(0); return(0); -; return 0; } -EOF -if { (eval echo configure:2870: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then - rm -rf conftest* - echo "$ac_t""yes" 1>&6 - ISC_LWRES_SETNETENTINT="#define ISC_LWRES_SETNETENTINT 1" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - echo "$ac_t""no" 1>&6 - ISC_LWRES_SETNETENTINT="#undef ISC_LWRES_SETNETENTINT" -fi -rm -f conftest* - - -echo $ac_n "checking for int endnetent""... 
$ac_c" 1>&6 -echo "configure:2885: checking for int endnetent" >&5 -cat > conftest.$ac_ext <<EOF -#line 2887 "configure" -#include "confdefs.h" - -#include <netdb.h> -int main() { -int i = endnetent(); return(0); -; return 0; } -EOF -if { (eval echo configure:2895: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then - rm -rf conftest* - echo "$ac_t""yes" 1>&6 - ISC_LWRES_ENDNETENTINT="#define ISC_LWRES_ENDNETENTINT 1" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - echo "$ac_t""no" 1>&6 - ISC_LWRES_ENDNETENTINT="#undef ISC_LWRES_ENDNETENTINT" -fi -rm -f conftest* - - -echo $ac_n "checking for gethostbyadd(const void *, size_t, ...)""... $ac_c" 1>&6 -echo "configure:2910: checking for gethostbyadd(const void *, size_t, ...)" >&5 -cat > conftest.$ac_ext <<EOF -#line 2912 "configure" -#include "confdefs.h" - -#include <netdb.h> -struct hostent *gethostbyaddr(const void *, size_t, int); -int main() { -return(0); -; return 0; } -EOF -if { (eval echo configure:2921: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then - rm -rf conftest* - echo "$ac_t""yes" 1>&6 - ISC_LWRES_GETHOSTBYADDRVOID="#define ISC_LWRES_GETHOSTBYADDRVOID 1" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - echo "$ac_t""no" 1>&6 - ISC_LWRES_GETHOSTBYADDRVOID="#undef ISC_LWRES_GETHOSTBYADDRVOID" -fi -rm -f conftest* - - -echo $ac_n "checking for h_errno in netdb.h""... 
$ac_c" 1>&6 -echo "configure:2936: checking for h_errno in netdb.h" >&5 -cat > conftest.$ac_ext <<EOF -#line 2938 "configure" -#include "confdefs.h" - -#include <netdb.h> -int main() { -h_errno = 1; return(0); -; return 0; } -EOF -if { (eval echo configure:2946: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then - rm -rf conftest* - echo "$ac_t""yes" 1>&6 - ISC_LWRES_NEEDHERRNO="#undef ISC_LWRES_NEEDHERRNO" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - echo "$ac_t""no" 1>&6 - ISC_LWRES_NEEDHERRNO="#define ISC_LWRES_NEEDHERRNO 1" -fi -rm -f conftest* - - -echo $ac_n "checking for getipnodebyname""... $ac_c" 1>&6 -echo "configure:2961: checking for getipnodebyname" >&5 -if eval "test \"`echo '$''{'ac_cv_func_getipnodebyname'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext <<EOF -#line 2966 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char getipnodebyname(); below. */ -#include <assert.h> -/* Override any gcc2 internal prototype to avoid an error. */ -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char getipnodebyname(); - -int main() { - -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_getipnodebyname) || defined (__stub___getipnodebyname) -choke me -#else -getipnodebyname(); -#endif - -; return 0; } -EOF -if { (eval echo configure:2989: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - eval "ac_cv_func_getipnodebyname=yes" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - eval "ac_cv_func_getipnodebyname=no" -fi -rm -f conftest* -fi - -if eval "test \"`echo '$ac_cv_func_'getipnodebyname`\" = yes"; then - echo "$ac_t""yes" 1>&6 - ISC_LWRES_GETIPNODEPROTO="#undef ISC_LWRES_GETIPNODEPROTO" -else - echo "$ac_t""no" 1>&6 -ISC_LWRES_GETIPNODEPROTO="#define ISC_LWRES_GETIPNODEPROTO 1" -fi - -echo $ac_n "checking for getnameinfo""... $ac_c" 1>&6 -echo "configure:3010: checking for getnameinfo" >&5 -if eval "test \"`echo '$''{'ac_cv_func_getnameinfo'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext <<EOF -#line 3015 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char getnameinfo(); below. */ -#include <assert.h> -/* Override any gcc2 internal prototype to avoid an error. */ -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char getnameinfo(); - -int main() { - -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_getnameinfo) || defined (__stub___getnameinfo) -choke me -#else -getnameinfo(); -#endif - -; return 0; } -EOF -if { (eval echo configure:3038: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - eval "ac_cv_func_getnameinfo=yes" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - eval "ac_cv_func_getnameinfo=no" -fi -rm -f conftest* -fi - -if eval "test \"`echo '$ac_cv_func_'getnameinfo`\" = yes"; then - echo "$ac_t""yes" 1>&6 - ISC_LWRES_GETNAMEINFOPROTO="#undef ISC_LWRES_GETNAMEINFOPROTO" -else - echo "$ac_t""no" 1>&6 -ISC_LWRES_GETNAMEINFOPROTO="#define ISC_LWRES_GETNAMEINFOPROTO 1" -fi - -echo $ac_n "checking for getaddrinfo""... $ac_c" 1>&6 -echo "configure:3059: checking for getaddrinfo" >&5 -if eval "test \"`echo '$''{'ac_cv_func_getaddrinfo'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext <<EOF -#line 3064 "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char getaddrinfo(); below. */ -#include <assert.h> -/* Override any gcc2 internal prototype to avoid an error. */ -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char getaddrinfo(); - -int main() { - -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_getaddrinfo) || defined (__stub___getaddrinfo) -choke me -#else -getaddrinfo(); -#endif - -; return 0; } -EOF -if { (eval echo configure:3087: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - eval "ac_cv_func_getaddrinfo=yes" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - eval "ac_cv_func_getaddrinfo=no" -fi -rm -f conftest* -fi - -if eval "test \"`echo '$ac_cv_func_'getaddrinfo`\" = yes"; then - echo "$ac_t""yes" 1>&6 - ISC_LWRES_GETADDRINFOPROTO="#undef ISC_LWRES_GETADDRINFOPROTO" - cat >> confdefs.h <<\EOF -#define HAVE_GETADDRINFO 1 -EOF - -else - echo "$ac_t""no" 1>&6 -ISC_LWRES_GETADDRINFOPROTO="#define ISC_LWRES_GETADDRINFOPROTO 1" -fi - - - - - -# -# Look for a sysctl call to get the list of network interfaces. -# -echo $ac_n "checking for interface list sysctl""... $ac_c" 1>&6 -echo "configure:3119: checking for interface list sysctl" >&5 -cat > conftest.$ac_ext <<EOF -#line 3121 "configure" -#include "confdefs.h" - -#include <sys/param.h> -#include <sys/sysctl.h> -#include <sys/socket.h> -#ifdef NET_RT_IFLIST -found_rt_iflist -#endif - -EOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - egrep "found_rt_iflist" >/dev/null 2>&1; then - rm -rf conftest* - echo "$ac_t""yes" 1>&6 - cat >> confdefs.h <<\EOF -#define HAVE_IFLIST_SYSCTL 1 -EOF - -else - rm -rf conftest* - echo "$ac_t""no" 1>&6 -fi -rm -f conftest* - - -# # GNU libtool support # # Check whether --with-libtool or --without-libtool was given. @@ -3227,7 +2728,7 @@ else fi echo $ac_n "checking build system type""... $ac_c" 1>&6 -echo "configure:3231: checking build system type" >&5 +echo "configure:2732: checking build system type" >&5 build_alias=$build case "$build_alias" in 
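Review bot: This hunk deletes the whole "Networking specifics" block from the generated configure (the DEC OSF `_SOCKADDR_LEN` define and the probes for `sa_len`, the msghdr flavor, `in_port_t`, `struct addrinfo`, int-returning set/endhostent and set/endnetent, `getnetbyaddr(in_addr_t, ...)`, `gethostbyaddr(const void *, size_t, ...)`, `h_errno`, getipnodebyname/getnameinfo/getaddrinfo, and the NET_RT_IFLIST sysctl), and nothing in the hunks shown here re-adds it; the uniform 499-line downward shift of every later `#line` / `configure:NNNN` reference (3231 to 2732, 3260 to 2761, and so on) is consistent with a plain removal, as is the `@@ -2645,505 +2645,6 @@` header. The variables these probes set (ISC_PLATFORM_HAVESALEN, LWRES_PLATFORM_HAVESALEN, ISC_PLATFORM_MSGHDRFLAVOR, ISC_PLATFORM_NEEDPORTT, ISC_LWRES_NEEDADDRINFO, the ISC_LWRES_*INT and *PROTO settings, ISC_LWRES_NEEDHERRNO, plus the HAVE_ADDRINFO, HAVE_GETADDRINFO and HAVE_IFLIST_SYSCTL defines) would then be substituted empty into whatever platform headers consume them. Either the checks moved earlier in configure.in 1.165.2.3 and that part of the regenerated script falls outside this diff, or this is an accidental loss from regenerating with a stale configure.in; please confirm by regenerating from configure.in 1.165.2.3 and diffing against the committed configure. Since configure is a generated file, this hunk can only be reviewed meaningfully next to the configure.in change, which is not in this diff.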
@@ -3256,7 +2757,7 @@ ac_prog=ld if test "$ac_cv_prog_gcc" = yes; then # Check if gcc -print-prog-name=ld gives a path. echo $ac_n "checking for ld used by GCC""... $ac_c" 1>&6 -echo "configure:3260: checking for ld used by GCC" >&5 +echo "configure:2761: checking for ld used by GCC" >&5 ac_prog=`($CC -print-prog-name=ld) 2>&5` case "$ac_prog" in # Accept absolute paths. @@ -3280,10 +2781,10 @@ echo "configure:3260: checking for ld used by GCC" >&5 esac elif test "$with_gnu_ld" = yes; then echo $ac_n "checking for GNU ld""... $ac_c" 1>&6 -echo "configure:3284: checking for GNU ld" >&5 +echo "configure:2785: checking for GNU ld" >&5 else echo $ac_n "checking for non-GNU ld""... $ac_c" 1>&6 -echo "configure:3287: checking for non-GNU ld" >&5 +echo "configure:2788: checking for non-GNU ld" >&5 fi if eval "test \"`echo '$''{'ac_cv_path_LD'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -3319,7 +2820,7 @@ fi test -z "$LD" && { echo "configure: error: no acceptable ld found in \$PATH" 1>&2; exit 1; } echo $ac_n "checking if the linker ($LD) is GNU ld""... $ac_c" 1>&6 -echo "configure:3323: checking if the linker ($LD) is GNU ld" >&5 +echo "configure:2824: checking if the linker ($LD) is GNU ld" >&5 if eval "test \"`echo '$''{'ac_cv_prog_gnu_ld'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -3335,7 +2836,7 @@ echo "$ac_t""$ac_cv_prog_gnu_ld" 1>&6 echo $ac_n "checking for BSD-compatible nm""... $ac_c" 1>&6 -echo "configure:3339: checking for BSD-compatible nm" >&5 +echo "configure:2840: checking for BSD-compatible nm" >&5 if eval "test \"`echo '$''{'ac_cv_path_NM'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -3372,7 +2873,7 @@ echo "$ac_t""$NM" 1>&6 echo $ac_n "checking whether ln -s works""... $ac_c" 1>&6 -echo "configure:3376: checking whether ln -s works" >&5 +echo "configure:2877: checking whether ln -s works" >&5 if eval "test \"`echo '$''{'ac_cv_prog_LN_S'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -3416,8 +2917,8 @@ test x"$silent" = xyes && libtool_flags="$libtool_flags --silent" case "$host" in *-*-irix6*) # Find out which ABI we are using. - echo '#line 3420 "configure"' > conftest.$ac_ext - if { (eval echo configure:3421: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + echo '#line 2921 "configure"' > conftest.$ac_ext + if { (eval echo configure:2922: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then case "`/usr/bin/file conftest.o`" in *32-bit*) LD="${LD-ld} -32" @@ -3438,19 +2939,19 @@ case "$host" in SAVE_CFLAGS="$CFLAGS" CFLAGS="$CFLAGS -belf" echo $ac_n "checking whether the C compiler needs -belf""... $ac_c" 1>&6 -echo "configure:3442: checking whether the C compiler needs -belf" >&5 +echo "configure:2943: checking whether the C compiler needs -belf" >&5 if eval "test \"`echo '$''{'lt_cv_cc_needs_belf'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <<EOF -#line 3447 "configure" +#line 2948 "configure" #include "confdefs.h" int main() { ; return 0; } EOF -if { (eval echo configure:3454: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2955: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* lt_cv_cc_needs_belf=yes else @@ -3587,9 +3088,9 @@ fi case "$enable_ipv6" in yes|''|autodetect) echo $ac_n "checking for IPv6 structures""... $ac_c" 1>&6 -echo "configure:3591: checking for IPv6 structures" >&5 +echo "configure:3092: checking for IPv6 structures" >&5 cat > conftest.$ac_ext <<EOF -#line 3593 "configure" +#line 3094 "configure" #include "confdefs.h" #include <sys/types.h> @@ -3599,7 +3100,7 @@ int main() { struct sockaddr_in6 sin6; return (0); ; return 0; } EOF -if { (eval echo configure:3603: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3104: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 found_ipv6=yes 
@@ -3622,7 +3123,7 @@ esac # This is done before other IPv6 linking tests to LIBS is properly set. # echo $ac_n "checking for Kame IPv6 support""... $ac_c" 1>&6 -echo "configure:3626: checking for Kame IPv6 support" >&5 +echo "configure:3127: checking for Kame IPv6 support" >&5 # Check whether --with-kame or --without-kame was given. if test "${with_kame+set}" = set; then withval="$with_kame" @@ -3710,9 +3211,9 @@ case "$found_ipv6" in LWRES_PLATFORM_HAVEIPV6="#define LWRES_PLATFORM_HAVEIPV6 1" echo $ac_n "checking for in6addr_any""... $ac_c" 1>&6 -echo "configure:3714: checking for in6addr_any" >&5 +echo "configure:3215: checking for in6addr_any" >&5 cat > conftest.$ac_ext <<EOF -#line 3716 "configure" +#line 3217 "configure" #include "confdefs.h" #include <sys/types.h> @@ -3723,7 +3224,7 @@ int main() { struct in6_addr in6; in6 = in6addr_any; return (0); ; return 0; } EOF -if { (eval echo configure:3727: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3228: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* echo "$ac_t""yes" 1>&6 ISC_PLATFORM_NEEDIN6ADDRANY="#undef ISC_PLATFORM_NEEDIN6ADDRANY" @@ -3739,9 +3240,9 @@ fi rm -f conftest* echo $ac_n "checking for sin6_scope_id in struct sockaddr_in6""... $ac_c" 1>&6 -echo "configure:3743: checking for sin6_scope_id in struct sockaddr_in6" >&5 +echo "configure:3244: checking for sin6_scope_id in struct sockaddr_in6" >&5 cat > conftest.$ac_ext <<EOF -#line 3745 "configure" +#line 3246 "configure" #include "confdefs.h" #include <sys/types.h> @@ -3754,7 +3255,7 @@ int main() { struct sockaddr_in6 xyzzy; xyzzy.sin6_scope_id = 0; return (0); ; return 0; } EOF -if { (eval echo configure:3758: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3259: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 result="#define LWRES_HAVE_SIN6_SCOPE_ID 1" 
@@ -3769,9 +3270,9 @@ rm -f conftest* LWRES_HAVE_SIN6_SCOPE_ID="$result" echo $ac_n "checking for in6_pktinfo""... $ac_c" 1>&6 -echo "configure:3773: checking for in6_pktinfo" >&5 +echo "configure:3274: checking for in6_pktinfo" >&5 cat > conftest.$ac_ext <<EOF -#line 3775 "configure" +#line 3276 "configure" #include "confdefs.h" #include <sys/types.h> @@ -3784,7 +3285,7 @@ int main() { struct in6_pktinfo xyzzy; return (0); ; return 0; } EOF -if { (eval echo configure:3788: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3289: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 ISC_PLATFORM_HAVEIN6PKTINFO="#define ISC_PLATFORM_HAVEIN6PKTINFO 1" @@ -3831,9 +3332,9 @@ esac # the files. # echo $ac_n "checking for inet_ntop""... $ac_c" 1>&6 -echo "configure:3835: checking for inet_ntop" >&5 +echo "configure:3336: checking for inet_ntop" >&5 cat > conftest.$ac_ext <<EOF -#line 3837 "configure" +#line 3338 "configure" #include "confdefs.h" #include <sys/types.h> @@ -3843,7 +3344,7 @@ int main() { inet_ntop(0, 0, 0, 0); return (0); ; return 0; } EOF -if { (eval echo configure:3847: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3348: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* echo "$ac_t""yes" 1>&6 ISC_PLATFORM_NEEDNTOP="#undef ISC_PLATFORM_NEEDNTOP" @@ -3858,9 +3359,9 @@ else fi rm -f conftest* echo $ac_n "checking for inet_pton""... $ac_c" 1>&6 -echo "configure:3862: checking for inet_pton" >&5 +echo "configure:3363: checking for inet_pton" >&5 cat > conftest.$ac_ext <<EOF -#line 3864 "configure" +#line 3365 "configure" #include "confdefs.h" #include <sys/types.h> 
@@ -3870,7 +3371,7 @@ int main() { inet_pton(0, 0, 0); return (0); ; return 0; } EOF -if { (eval echo configure:3874: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3375: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* echo "$ac_t""yes" 1>&6 ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON" @@ -3885,9 +3386,9 @@ else fi rm -f conftest* echo $ac_n "checking for inet_aton""... $ac_c" 1>&6 -echo "configure:3889: checking for inet_aton" >&5 +echo "configure:3390: checking for inet_aton" >&5 cat > conftest.$ac_ext <<EOF -#line 3891 "configure" +#line 3392 "configure" #include "confdefs.h" #include <sys/types.h> @@ -3897,7 +3398,7 @@ int main() { struct in_addr in; inet_aton(0, &in); return (0); ; return 0; } EOF -if { (eval echo configure:3901: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:3402: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* echo "$ac_t""yes" 1>&6 ISC_PLATFORM_NEEDATON="#undef ISC_PLATFORM_NEEDATON" 
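Review bot: the hunks from @@ -3416 through @@ -3897 are pure renumbering of the embedded `#line NNNN "configure"` and `configure:NNNN` strings, a side effect of the ~500-line block being removed earlier in the file and re-added later; there is no functional change in them. Worth confirming that `configure` was regenerated from the updated configure.in with the autoconf version it declares (`AC_PREREQ(2.13)` below) rather than hand-edited, since a hand edit here would silently drift from configure.in and the renumbering noise would hide it.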
@@ -3916,6 +3417,505 @@ rm -f conftest* +# +# Networking specifics. +# +case "$host" in + *-dec-osf*) + # Turn on 4.4BSD style sa_len support. + cat >> confdefs.h <<\EOF +#define _SOCKADDR_LEN 1 +EOF + + ;; +esac + +# +# Look for a 4.4BSD-style sa_len member in struct sockaddr. +# +echo $ac_n "checking for sa_len in struct sockaddr""... $ac_c" 1>&6 +echo "configure:3438: checking for sa_len in struct sockaddr" >&5 +cat > conftest.$ac_ext <<EOF +#line 3440 "configure" +#include "confdefs.h" + +#include <sys/types.h> +#include <sys/socket.h> +int main() { +struct sockaddr sa; sa.sa_len = 0; return (0); +; return 0; } +EOF +if { (eval echo configure:3449: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + echo "$ac_t""yes" 1>&6 + ISC_PLATFORM_HAVESALEN="#define ISC_PLATFORM_HAVESALEN 1" + LWRES_PLATFORM_HAVESALEN="#define LWRES_PLATFORM_HAVESALEN 1" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + echo "$ac_t""no" 1>&6 + ISC_PLATFORM_HAVESALEN="#undef ISC_PLATFORM_HAVESALEN" + LWRES_PLATFORM_HAVESALEN="#undef LWRES_PLATFORM_HAVESALEN" +fi +rm -f conftest* + + + +# +# Look for a 4.4BSD or 4.3BSD struct msghdr +# +echo $ac_n "checking for struct msghdr flavor""... $ac_c" 1>&6 +echo "configure:3470: checking for struct msghdr flavor" >&5 +cat > conftest.$ac_ext <<EOF +#line 3472 "configure" +#include "confdefs.h" + +#include <sys/types.h> +#include <sys/socket.h> +int main() { +struct msghdr msg; msg.msg_flags = 0; return (0); +; return 0; } +EOF +if { (eval echo configure:3481: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + echo "$ac_t""4.4BSD" 1>&6 + ISC_PLATFORM_MSGHDRFLAVOR="#define ISC_NET_BSD44MSGHDR 1" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + echo "$ac_t""4.3BSD" 1>&6 + ISC_PLATFORM_MSGHDRFLAVOR="#define ISC_NET_BSD43MSGHDR 1" +fi +rm -f conftest* + + +# +# Look for in_port_t. 
+# +echo $ac_n "checking for type in_port_t""... $ac_c" 1>&6 +echo "configure:3499: checking for type in_port_t" >&5 +cat > conftest.$ac_ext <<EOF +#line 3501 "configure" +#include "confdefs.h" + +#include <sys/types.h> +#include <netinet/in.h> +int main() { +in_port_t port = 25; return (0); +; return 0; } +EOF +if { (eval echo configure:3510: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + echo "$ac_t""yes" 1>&6 + ISC_PLATFORM_NEEDPORTT="#undef ISC_PLATFORM_NEEDPORTT" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + echo "$ac_t""no" 1>&6 + ISC_PLATFORM_NEEDPORTT="#define ISC_PLATFORM_NEEDPORTT 1" +fi +rm -f conftest* + + +# +# Check for addrinfo +# +echo $ac_n "checking for struct addrinfo""... $ac_c" 1>&6 +echo "configure:3528: checking for struct addrinfo" >&5 +cat > conftest.$ac_ext <<EOF +#line 3530 "configure" +#include "confdefs.h" + +#include <netdb.h> +int main() { +struct addrinfo a; return (0); +; return 0; } +EOF +if { (eval echo configure:3538: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + echo "$ac_t""yes" 1>&6 + ISC_LWRES_NEEDADDRINFO="#undef ISC_LWRES_NEEDADDRINFO" + cat >> confdefs.h <<\EOF +#define HAVE_ADDRINFO 1 +EOF + +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + echo "$ac_t""no" 1>&6 + ISC_LWRES_NEEDADDRINFO="#define ISC_LWRES_NEEDADDRINFO 1" +fi +rm -f conftest* + + +echo $ac_n "checking for int sethostent""... 
$ac_c" 1>&6 +echo "configure:3557: checking for int sethostent" >&5 +cat > conftest.$ac_ext <<EOF +#line 3559 "configure" +#include "confdefs.h" + +#include <netdb.h> +int main() { +int i = sethostent(0); return(0); +; return 0; } +EOF +if { (eval echo configure:3567: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + echo "$ac_t""yes" 1>&6 + ISC_LWRES_SETHOSTENTINT="#define ISC_LWRES_SETHOSTENTINT 1" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + echo "$ac_t""no" 1>&6 + ISC_LWRES_SETHOSTENTINT="#undef ISC_LWRES_SETHOSTENTINT" +fi +rm -f conftest* + + +echo $ac_n "checking for int endhostent""... $ac_c" 1>&6 +echo "configure:3582: checking for int endhostent" >&5 +cat > conftest.$ac_ext <<EOF +#line 3584 "configure" +#include "confdefs.h" + +#include <netdb.h> +int main() { +int i = endhostent(); return(0); +; return 0; } +EOF +if { (eval echo configure:3592: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + echo "$ac_t""yes" 1>&6 + ISC_LWRES_ENDHOSTENTINT="#define ISC_LWRES_ENDHOSTENTINT 1" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + echo "$ac_t""no" 1>&6 + ISC_LWRES_ENDHOSTENTINT="#undef ISC_LWRES_ENDHOSTENTINT" +fi +rm -f conftest* + + +echo $ac_n "checking for getnetbyaddr(in_addr_t, ...)""... 
$ac_c" 1>&6 +echo "configure:3607: checking for getnetbyaddr(in_addr_t, ...)" >&5 +cat > conftest.$ac_ext <<EOF +#line 3609 "configure" +#include "confdefs.h" + +#include <netdb.h> +struct netent *getnetbyaddr(in_addr_t, int); +int main() { + +; return 0; } +EOF +if { (eval echo configure:3618: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + echo "$ac_t""yes" 1>&6 + ISC_LWRES_GETNETBYADDRINADDR="#define ISC_LWRES_GETNETBYADDRINADDR 1" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + echo "$ac_t""no" 1>&6 + ISC_LWRES_GETNETBYADDRINADDR="#undef ISC_LWRES_GETNETBYADDRINADDR" +fi +rm -f conftest* + + +echo $ac_n "checking for int setnetent""... $ac_c" 1>&6 +echo "configure:3633: checking for int setnetent" >&5 +cat > conftest.$ac_ext <<EOF +#line 3635 "configure" +#include "confdefs.h" + +#include <netdb.h> +int main() { +int i = setnetent(0); return(0); +; return 0; } +EOF +if { (eval echo configure:3643: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + echo "$ac_t""yes" 1>&6 + ISC_LWRES_SETNETENTINT="#define ISC_LWRES_SETNETENTINT 1" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + echo "$ac_t""no" 1>&6 + ISC_LWRES_SETNETENTINT="#undef ISC_LWRES_SETNETENTINT" +fi +rm -f conftest* + + +echo $ac_n "checking for int endnetent""... 
$ac_c" 1>&6 +echo "configure:3658: checking for int endnetent" >&5 +cat > conftest.$ac_ext <<EOF +#line 3660 "configure" +#include "confdefs.h" + +#include <netdb.h> +int main() { +int i = endnetent(); return(0); +; return 0; } +EOF +if { (eval echo configure:3668: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + echo "$ac_t""yes" 1>&6 + ISC_LWRES_ENDNETENTINT="#define ISC_LWRES_ENDNETENTINT 1" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + echo "$ac_t""no" 1>&6 + ISC_LWRES_ENDNETENTINT="#undef ISC_LWRES_ENDNETENTINT" +fi +rm -f conftest* + + +echo $ac_n "checking for gethostbyadd(const void *, size_t, ...)""... $ac_c" 1>&6 +echo "configure:3683: checking for gethostbyadd(const void *, size_t, ...)" >&5 +cat > conftest.$ac_ext <<EOF +#line 3685 "configure" +#include "confdefs.h" + +#include <netdb.h> +struct hostent *gethostbyaddr(const void *, size_t, int); +int main() { +return(0); +; return 0; } +EOF +if { (eval echo configure:3694: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + echo "$ac_t""yes" 1>&6 + ISC_LWRES_GETHOSTBYADDRVOID="#define ISC_LWRES_GETHOSTBYADDRVOID 1" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + echo "$ac_t""no" 1>&6 + ISC_LWRES_GETHOSTBYADDRVOID="#undef ISC_LWRES_GETHOSTBYADDRVOID" +fi +rm -f conftest* + + +echo $ac_n "checking for h_errno in netdb.h""... 
$ac_c" 1>&6 +echo "configure:3709: checking for h_errno in netdb.h" >&5 +cat > conftest.$ac_ext <<EOF +#line 3711 "configure" +#include "confdefs.h" + +#include <netdb.h> +int main() { +h_errno = 1; return(0); +; return 0; } +EOF +if { (eval echo configure:3719: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + echo "$ac_t""yes" 1>&6 + ISC_LWRES_NEEDHERRNO="#undef ISC_LWRES_NEEDHERRNO" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + echo "$ac_t""no" 1>&6 + ISC_LWRES_NEEDHERRNO="#define ISC_LWRES_NEEDHERRNO 1" +fi +rm -f conftest* + + +echo $ac_n "checking for getipnodebyname""... $ac_c" 1>&6 +echo "configure:3734: checking for getipnodebyname" >&5 +if eval "test \"`echo '$''{'ac_cv_func_getipnodebyname'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 3739 "configure" +#include "confdefs.h" +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char getipnodebyname(); below. */ +#include <assert.h> +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char getipnodebyname(); + +int main() { + +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. 
*/ +#if defined (__stub_getipnodebyname) || defined (__stub___getipnodebyname) +choke me +#else +getipnodebyname(); +#endif + +; return 0; } +EOF +if { (eval echo configure:3762: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_getipnodebyname=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_func_getipnodebyname=no" +fi +rm -f conftest* +fi + +if eval "test \"`echo '$ac_cv_func_'getipnodebyname`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ISC_LWRES_GETIPNODEPROTO="#undef ISC_LWRES_GETIPNODEPROTO" +else + echo "$ac_t""no" 1>&6 +ISC_LWRES_GETIPNODEPROTO="#define ISC_LWRES_GETIPNODEPROTO 1" +fi + +echo $ac_n "checking for getnameinfo""... $ac_c" 1>&6 +echo "configure:3783: checking for getnameinfo" >&5 +if eval "test \"`echo '$''{'ac_cv_func_getnameinfo'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 3788 "configure" +#include "confdefs.h" +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char getnameinfo(); below. */ +#include <assert.h> +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char getnameinfo(); + +int main() { + +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. 
*/ +#if defined (__stub_getnameinfo) || defined (__stub___getnameinfo) +choke me +#else +getnameinfo(); +#endif + +; return 0; } +EOF +if { (eval echo configure:3811: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_getnameinfo=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_func_getnameinfo=no" +fi +rm -f conftest* +fi + +if eval "test \"`echo '$ac_cv_func_'getnameinfo`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ISC_LWRES_GETNAMEINFOPROTO="#undef ISC_LWRES_GETNAMEINFOPROTO" +else + echo "$ac_t""no" 1>&6 +ISC_LWRES_GETNAMEINFOPROTO="#define ISC_LWRES_GETNAMEINFOPROTO 1" +fi + +echo $ac_n "checking for getaddrinfo""... $ac_c" 1>&6 +echo "configure:3832: checking for getaddrinfo" >&5 +if eval "test \"`echo '$''{'ac_cv_func_getaddrinfo'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 3837 "configure" +#include "confdefs.h" +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char getaddrinfo(); below. */ +#include <assert.h> +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char getaddrinfo(); + +int main() { + +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. 
*/ +#if defined (__stub_getaddrinfo) || defined (__stub___getaddrinfo) +choke me +#else +getaddrinfo(); +#endif + +; return 0; } +EOF +if { (eval echo configure:3860: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_getaddrinfo=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_func_getaddrinfo=no" +fi +rm -f conftest* +fi + +if eval "test \"`echo '$ac_cv_func_'getaddrinfo`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ISC_LWRES_GETADDRINFOPROTO="#undef ISC_LWRES_GETADDRINFOPROTO" + cat >> confdefs.h <<\EOF +#define HAVE_GETADDRINFO 1 +EOF + +else + echo "$ac_t""no" 1>&6 +ISC_LWRES_GETADDRINFOPROTO="#define ISC_LWRES_GETADDRINFOPROTO 1" +fi + + + + + +# +# Look for a sysctl call to get the list of network interfaces. +# +echo $ac_n "checking for interface list sysctl""... $ac_c" 1>&6 +echo "configure:3892: checking for interface list sysctl" >&5 +cat > conftest.$ac_ext <<EOF +#line 3894 "configure" +#include "confdefs.h" + +#include <sys/param.h> +#include <sys/sysctl.h> +#include <sys/socket.h> +#ifdef NET_RT_IFLIST +found_rt_iflist +#endif + +EOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + egrep "found_rt_iflist" >/dev/null 2>&1; then + rm -rf conftest* + echo "$ac_t""yes" 1>&6 + cat >> confdefs.h <<\EOF +#define HAVE_IFLIST_SYSCTL 1 +EOF + +else + rm -rf conftest* + echo "$ac_t""no" 1>&6 +fi +rm -f conftest* + + # Check for some other useful functions that are not ever-present. echo $ac_n "checking for strsep""... $ac_c" 1>&6 echo "configure:3922: checking for strsep" >&5 
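Review bot: the `case "$host" in *-dec-osf*)` block that appends `#define _SOCKADDR_LEN 1` to confdefs.h now runs after the IPv6 compile tests (sockaddr_in6, in6addr_any, sin6_scope_id, in6_pktinfo) instead of before them, because it moved together with the netdb checks. Every conftest in this file starts with `#include "confdefs.h"`, so on `*-dec-osf*` those earlier tests are now compiled without the define while the real build has it, and the comment says the define selects 4.4BSD-style sockaddr definitions, so what they see may differ from what the build sees. Suggest leaving the `*-dec-osf*` case at its original position ahead of the IPv6 tests and moving only the sa_len/msghdr/in_port_t/addrinfo/netdb checks. The reason for the move is also undocumented in the hunk: it reads as though the `getipnodebyname`/`getnameinfo`/`getaddrinfo` link tests are being pushed after the Kame check that adjusts LIBS (its own comment: "This is done before other IPv6 linking tests to LIBS is properly set"), and a one-line comment at the top of the re-added block saying so would stop the next person from undoing the reorder.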
@@ -4525,21 +4525,6 @@ s%@MKDEPCC@%$MKDEPCC%g s%@MKDEPCFLAGS@%$MKDEPCFLAGS%g s%@MKDEPPROG@%$MKDEPPROG%g s%@IRIX_DNSSEC_WARNINGS_HACK@%$IRIX_DNSSEC_WARNINGS_HACK%g -s%@ISC_PLATFORM_HAVESALEN@%$ISC_PLATFORM_HAVESALEN%g -s%@LWRES_PLATFORM_HAVESALEN@%$LWRES_PLATFORM_HAVESALEN%g -s%@ISC_PLATFORM_MSGHDRFLAVOR@%$ISC_PLATFORM_MSGHDRFLAVOR%g -s%@ISC_PLATFORM_NEEDPORTT@%$ISC_PLATFORM_NEEDPORTT%g -s%@ISC_LWRES_NEEDADDRINFO@%$ISC_LWRES_NEEDADDRINFO%g -s%@ISC_LWRES_SETHOSTENTINT@%$ISC_LWRES_SETHOSTENTINT%g -s%@ISC_LWRES_ENDHOSTENTINT@%$ISC_LWRES_ENDHOSTENTINT%g -s%@ISC_LWRES_GETNETBYADDRINADDR@%$ISC_LWRES_GETNETBYADDRINADDR%g -s%@ISC_LWRES_SETNETENTINT@%$ISC_LWRES_SETNETENTINT%g -s%@ISC_LWRES_ENDNETENTINT@%$ISC_LWRES_ENDNETENTINT%g -s%@ISC_LWRES_GETHOSTBYADDRVOID@%$ISC_LWRES_GETHOSTBYADDRVOID%g -s%@ISC_LWRES_NEEDHERRNO@%$ISC_LWRES_NEEDHERRNO%g -s%@ISC_LWRES_GETIPNODEPROTO@%$ISC_LWRES_GETIPNODEPROTO%g -s%@ISC_LWRES_GETADDRINFOPROTO@%$ISC_LWRES_GETADDRINFOPROTO%g -s%@ISC_LWRES_GETNAMEINFOPROTO@%$ISC_LWRES_GETNAMEINFOPROTO%g s%@build@%$build%g s%@build_alias@%$build_alias%g s%@build_cpu@%$build_cpu%g 
@@ -4569,6 +4554,21 @@ s%@LWRES_HAVE_SIN6_SCOPE_ID@%$LWRES_HAVE_SIN6_SCOPE_ID%g s%@ISC_PLATFORM_NEEDNTOP@%$ISC_PLATFORM_NEEDNTOP%g s%@ISC_PLATFORM_NEEDPTON@%$ISC_PLATFORM_NEEDPTON%g s%@ISC_PLATFORM_NEEDATON@%$ISC_PLATFORM_NEEDATON%g +s%@ISC_PLATFORM_HAVESALEN@%$ISC_PLATFORM_HAVESALEN%g +s%@LWRES_PLATFORM_HAVESALEN@%$LWRES_PLATFORM_HAVESALEN%g +s%@ISC_PLATFORM_MSGHDRFLAVOR@%$ISC_PLATFORM_MSGHDRFLAVOR%g +s%@ISC_PLATFORM_NEEDPORTT@%$ISC_PLATFORM_NEEDPORTT%g +s%@ISC_LWRES_NEEDADDRINFO@%$ISC_LWRES_NEEDADDRINFO%g +s%@ISC_LWRES_SETHOSTENTINT@%$ISC_LWRES_SETHOSTENTINT%g +s%@ISC_LWRES_ENDHOSTENTINT@%$ISC_LWRES_ENDHOSTENTINT%g +s%@ISC_LWRES_GETNETBYADDRINADDR@%$ISC_LWRES_GETNETBYADDRINADDR%g +s%@ISC_LWRES_SETNETENTINT@%$ISC_LWRES_SETNETENTINT%g +s%@ISC_LWRES_ENDNETENTINT@%$ISC_LWRES_ENDNETENTINT%g +s%@ISC_LWRES_GETHOSTBYADDRVOID@%$ISC_LWRES_GETHOSTBYADDRVOID%g +s%@ISC_LWRES_NEEDHERRNO@%$ISC_LWRES_NEEDHERRNO%g +s%@ISC_LWRES_GETIPNODEPROTO@%$ISC_LWRES_GETIPNODEPROTO%g +s%@ISC_LWRES_GETADDRINFOPROTO@%$ISC_LWRES_GETADDRINFOPROTO%g +s%@ISC_LWRES_GETNAMEINFOPROTO@%$ISC_LWRES_GETNAMEINFOPROTO%g s%@ISC_PLATFORM_NEEDSTRSEP@%$ISC_PLATFORM_NEEDSTRSEP%g s%@ISC_PLATFORM_NEEDVSNPRINTF@%$ISC_PLATFORM_NEEDVSNPRINTF%g s%@ISC_EXTRA_OBJS@%$ISC_EXTRA_OBJS%g diff --git a/configure.in b/configure.in index d1e24b5c..08fea6e7 100644 --- a/configure.in +++ b/configure.in @@ -18,7 +18,7 @@ AC_DIVERT_PUSH(AC_DIVERSION_NOTICE)dnl esyscmd([sed "s/^/# /" COPYRIGHT])dnl AC_DIVERT_POP()dnl -AC_REVISION($Revision: 1.165.2.2 $) +AC_REVISION($Revision: 1.165.2.3 $) AC_INIT(lib/dns/name.c) AC_PREREQ(2.13) 
@@ -432,177 +432,6 @@ AC_SUBST(MKDEPPROG) AC_SUBST(IRIX_DNSSEC_WARNINGS_HACK) # -# Networking specifics. -# -case "$host" in - *-dec-osf*) - # Turn on 4.4BSD style sa_len support. - AC_DEFINE(_SOCKADDR_LEN) - ;; -esac - -# -# Look for a 4.4BSD-style sa_len member in struct sockaddr. -# -AC_MSG_CHECKING(for sa_len in struct sockaddr) -AC_TRY_COMPILE([ -#include <sys/types.h> -#include <sys/socket.h>], -[struct sockaddr sa; sa.sa_len = 0; return (0);], - [AC_MSG_RESULT(yes) - ISC_PLATFORM_HAVESALEN="#define ISC_PLATFORM_HAVESALEN 1" - LWRES_PLATFORM_HAVESALEN="#define LWRES_PLATFORM_HAVESALEN 1"], - [AC_MSG_RESULT(no) - ISC_PLATFORM_HAVESALEN="#undef ISC_PLATFORM_HAVESALEN" - LWRES_PLATFORM_HAVESALEN="#undef LWRES_PLATFORM_HAVESALEN"]) -AC_SUBST(ISC_PLATFORM_HAVESALEN) -AC_SUBST(LWRES_PLATFORM_HAVESALEN) - -# -# Look for a 4.4BSD or 4.3BSD struct msghdr -# -AC_MSG_CHECKING(for struct msghdr flavor) -AC_TRY_COMPILE([ -#include <sys/types.h> -#include <sys/socket.h>], -[struct msghdr msg; msg.msg_flags = 0; return (0);], - [AC_MSG_RESULT(4.4BSD) - ISC_PLATFORM_MSGHDRFLAVOR="#define ISC_NET_BSD44MSGHDR 1"], - [AC_MSG_RESULT(4.3BSD) - ISC_PLATFORM_MSGHDRFLAVOR="#define ISC_NET_BSD43MSGHDR 1"]) -AC_SUBST(ISC_PLATFORM_MSGHDRFLAVOR) - -# -# Look for in_port_t. 
-# -AC_MSG_CHECKING(for type in_port_t) -AC_TRY_COMPILE([ -#include <sys/types.h> -#include <netinet/in.h>], -[in_port_t port = 25; return (0);], - [AC_MSG_RESULT(yes) - ISC_PLATFORM_NEEDPORTT="#undef ISC_PLATFORM_NEEDPORTT"], - [AC_MSG_RESULT(no) - ISC_PLATFORM_NEEDPORTT="#define ISC_PLATFORM_NEEDPORTT 1"]) -AC_SUBST(ISC_PLATFORM_NEEDPORTT) - -# -# Check for addrinfo -# -AC_MSG_CHECKING(for struct addrinfo) -AC_TRY_COMPILE([ -#include <netdb.h>], -[struct addrinfo a; return (0);], - [AC_MSG_RESULT(yes) - ISC_LWRES_NEEDADDRINFO="#undef ISC_LWRES_NEEDADDRINFO" - AC_DEFINE(HAVE_ADDRINFO)], - [AC_MSG_RESULT(no) - ISC_LWRES_NEEDADDRINFO="#define ISC_LWRES_NEEDADDRINFO 1"]) -AC_SUBST(ISC_LWRES_NEEDADDRINFO) - -AC_MSG_CHECKING(for int sethostent) -AC_TRY_COMPILE([ -#include <netdb.h>], -[int i = sethostent(0); return(0);], - [AC_MSG_RESULT(yes) - ISC_LWRES_SETHOSTENTINT="#define ISC_LWRES_SETHOSTENTINT 1"], - [AC_MSG_RESULT(no) - ISC_LWRES_SETHOSTENTINT="#undef ISC_LWRES_SETHOSTENTINT"]) -AC_SUBST(ISC_LWRES_SETHOSTENTINT) - -AC_MSG_CHECKING(for int endhostent) -AC_TRY_COMPILE([ -#include <netdb.h>], -[int i = endhostent(); return(0);], - [AC_MSG_RESULT(yes) - ISC_LWRES_ENDHOSTENTINT="#define ISC_LWRES_ENDHOSTENTINT 1"], - [AC_MSG_RESULT(no) - ISC_LWRES_ENDHOSTENTINT="#undef ISC_LWRES_ENDHOSTENTINT"]) -AC_SUBST(ISC_LWRES_ENDHOSTENTINT) - -AC_MSG_CHECKING(for getnetbyaddr(in_addr_t, ...)) -AC_TRY_COMPILE([ -#include <netdb.h> -struct netent *getnetbyaddr(in_addr_t, int);], -[], - [AC_MSG_RESULT(yes) - ISC_LWRES_GETNETBYADDRINADDR="#define ISC_LWRES_GETNETBYADDRINADDR 1"], - [AC_MSG_RESULT(no) - ISC_LWRES_GETNETBYADDRINADDR="#undef ISC_LWRES_GETNETBYADDRINADDR"]) -AC_SUBST(ISC_LWRES_GETNETBYADDRINADDR) - -AC_MSG_CHECKING(for int setnetent) -AC_TRY_COMPILE([ -#include <netdb.h>], -[int i = setnetent(0); return(0);], - [AC_MSG_RESULT(yes) - ISC_LWRES_SETNETENTINT="#define ISC_LWRES_SETNETENTINT 1"], - [AC_MSG_RESULT(no) - ISC_LWRES_SETNETENTINT="#undef 
ISC_LWRES_SETNETENTINT"]) -AC_SUBST(ISC_LWRES_SETNETENTINT) - -AC_MSG_CHECKING(for int endnetent) -AC_TRY_COMPILE([ -#include <netdb.h>], -[int i = endnetent(); return(0);], - [AC_MSG_RESULT(yes) - ISC_LWRES_ENDNETENTINT="#define ISC_LWRES_ENDNETENTINT 1"], - [AC_MSG_RESULT(no) - ISC_LWRES_ENDNETENTINT="#undef ISC_LWRES_ENDNETENTINT"]) -AC_SUBST(ISC_LWRES_ENDNETENTINT) - -AC_MSG_CHECKING(for gethostbyadd(const void *, size_t, ...)) -AC_TRY_COMPILE([ -#include <netdb.h> -struct hostent *gethostbyaddr(const void *, size_t, int);], -[return(0);], - [AC_MSG_RESULT(yes) - ISC_LWRES_GETHOSTBYADDRVOID="#define ISC_LWRES_GETHOSTBYADDRVOID 1"], - [AC_MSG_RESULT(no) - ISC_LWRES_GETHOSTBYADDRVOID="#undef ISC_LWRES_GETHOSTBYADDRVOID"]) -AC_SUBST(ISC_LWRES_GETHOSTBYADDRVOID) - -AC_MSG_CHECKING(for h_errno in netdb.h) -AC_TRY_COMPILE([ -#include <netdb.h>], -[h_errno = 1; return(0);], - [AC_MSG_RESULT(yes) - ISC_LWRES_NEEDHERRNO="#undef ISC_LWRES_NEEDHERRNO"], - [AC_MSG_RESULT(no) - ISC_LWRES_NEEDHERRNO="#define ISC_LWRES_NEEDHERRNO 1"]) -AC_SUBST(ISC_LWRES_NEEDHERRNO) - -AC_CHECK_FUNC(getipnodebyname, - [ISC_LWRES_GETIPNODEPROTO="#undef ISC_LWRES_GETIPNODEPROTO"], - [ISC_LWRES_GETIPNODEPROTO="#define ISC_LWRES_GETIPNODEPROTO 1"]) -AC_CHECK_FUNC(getnameinfo, - [ISC_LWRES_GETNAMEINFOPROTO="#undef ISC_LWRES_GETNAMEINFOPROTO"], - [ISC_LWRES_GETNAMEINFOPROTO="#define ISC_LWRES_GETNAMEINFOPROTO 1"]) -AC_CHECK_FUNC(getaddrinfo, - [ISC_LWRES_GETADDRINFOPROTO="#undef ISC_LWRES_GETADDRINFOPROTO" - AC_DEFINE(HAVE_GETADDRINFO)], - [ISC_LWRES_GETADDRINFOPROTO="#define ISC_LWRES_GETADDRINFOPROTO 1"]) -AC_SUBST(ISC_LWRES_GETIPNODEPROTO) -AC_SUBST(ISC_LWRES_GETADDRINFOPROTO) -AC_SUBST(ISC_LWRES_GETNAMEINFOPROTO) - -# -# Look for a sysctl call to get the list of network interfaces. 
-# -AC_MSG_CHECKING(for interface list sysctl) -AC_EGREP_CPP(found_rt_iflist, [ -#include <sys/param.h> -#include <sys/sysctl.h> -#include <sys/socket.h> -#ifdef NET_RT_IFLIST -found_rt_iflist -#endif -], - [AC_MSG_RESULT(yes) - AC_DEFINE(HAVE_IFLIST_SYSCTL)], - [AC_MSG_RESULT(no)]) - -# # GNU libtool support # AC_ARG_WITH(libtool, 
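Review bot: the message in `AC_MSG_CHECKING(for gethostbyadd(const void *, size_t, ...))` misspells the function being probed (the prototype on the next line is `gethostbyaddr`), and the same typo is carried over unchanged into the re-added block at @@ -865. Since this is a move anyway, fix it to `gethostbyaddr(const void *, size_t, ...)` in configure.in and regenerate, so the configure output names the right function when this test fails on a new platform.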
@@ -865,6 +694,177 @@ AC_SUBST(ISC_PLATFORM_NEEDNTOP) AC_SUBST(ISC_PLATFORM_NEEDPTON) AC_SUBST(ISC_PLATFORM_NEEDATON) +# +# Networking specifics. +# +case "$host" in + *-dec-osf*) + # Turn on 4.4BSD style sa_len support. + AC_DEFINE(_SOCKADDR_LEN) + ;; +esac + +# +# Look for a 4.4BSD-style sa_len member in struct sockaddr. +# +AC_MSG_CHECKING(for sa_len in struct sockaddr) +AC_TRY_COMPILE([ +#include <sys/types.h> +#include <sys/socket.h>], +[struct sockaddr sa; sa.sa_len = 0; return (0);], + [AC_MSG_RESULT(yes) + ISC_PLATFORM_HAVESALEN="#define ISC_PLATFORM_HAVESALEN 1" + LWRES_PLATFORM_HAVESALEN="#define LWRES_PLATFORM_HAVESALEN 1"], + [AC_MSG_RESULT(no) + ISC_PLATFORM_HAVESALEN="#undef ISC_PLATFORM_HAVESALEN" + LWRES_PLATFORM_HAVESALEN="#undef LWRES_PLATFORM_HAVESALEN"]) +AC_SUBST(ISC_PLATFORM_HAVESALEN) +AC_SUBST(LWRES_PLATFORM_HAVESALEN) + +# +# Look for a 4.4BSD or 4.3BSD struct msghdr +# +AC_MSG_CHECKING(for struct msghdr flavor) +AC_TRY_COMPILE([ +#include <sys/types.h> +#include <sys/socket.h>], +[struct msghdr msg; msg.msg_flags = 0; return (0);], + [AC_MSG_RESULT(4.4BSD) + ISC_PLATFORM_MSGHDRFLAVOR="#define ISC_NET_BSD44MSGHDR 1"], + [AC_MSG_RESULT(4.3BSD) + ISC_PLATFORM_MSGHDRFLAVOR="#define ISC_NET_BSD43MSGHDR 1"]) +AC_SUBST(ISC_PLATFORM_MSGHDRFLAVOR) + +# +# Look for in_port_t. 
+# +AC_MSG_CHECKING(for type in_port_t) +AC_TRY_COMPILE([ +#include <sys/types.h> +#include <netinet/in.h>], +[in_port_t port = 25; return (0);], + [AC_MSG_RESULT(yes) + ISC_PLATFORM_NEEDPORTT="#undef ISC_PLATFORM_NEEDPORTT"], + [AC_MSG_RESULT(no) + ISC_PLATFORM_NEEDPORTT="#define ISC_PLATFORM_NEEDPORTT 1"]) +AC_SUBST(ISC_PLATFORM_NEEDPORTT) + +# +# Check for addrinfo +# +AC_MSG_CHECKING(for struct addrinfo) +AC_TRY_COMPILE([ +#include <netdb.h>], +[struct addrinfo a; return (0);], + [AC_MSG_RESULT(yes) + ISC_LWRES_NEEDADDRINFO="#undef ISC_LWRES_NEEDADDRINFO" + AC_DEFINE(HAVE_ADDRINFO)], + [AC_MSG_RESULT(no) + ISC_LWRES_NEEDADDRINFO="#define ISC_LWRES_NEEDADDRINFO 1"]) +AC_SUBST(ISC_LWRES_NEEDADDRINFO) + +AC_MSG_CHECKING(for int sethostent) +AC_TRY_COMPILE([ +#include <netdb.h>], +[int i = sethostent(0); return(0);], + [AC_MSG_RESULT(yes) + ISC_LWRES_SETHOSTENTINT="#define ISC_LWRES_SETHOSTENTINT 1"], + [AC_MSG_RESULT(no) + ISC_LWRES_SETHOSTENTINT="#undef ISC_LWRES_SETHOSTENTINT"]) +AC_SUBST(ISC_LWRES_SETHOSTENTINT) + +AC_MSG_CHECKING(for int endhostent) +AC_TRY_COMPILE([ +#include <netdb.h>], +[int i = endhostent(); return(0);], + [AC_MSG_RESULT(yes) + ISC_LWRES_ENDHOSTENTINT="#define ISC_LWRES_ENDHOSTENTINT 1"], + [AC_MSG_RESULT(no) + ISC_LWRES_ENDHOSTENTINT="#undef ISC_LWRES_ENDHOSTENTINT"]) +AC_SUBST(ISC_LWRES_ENDHOSTENTINT) + +AC_MSG_CHECKING(for getnetbyaddr(in_addr_t, ...)) +AC_TRY_COMPILE([ +#include <netdb.h> +struct netent *getnetbyaddr(in_addr_t, int);], +[], + [AC_MSG_RESULT(yes) + ISC_LWRES_GETNETBYADDRINADDR="#define ISC_LWRES_GETNETBYADDRINADDR 1"], + [AC_MSG_RESULT(no) + ISC_LWRES_GETNETBYADDRINADDR="#undef ISC_LWRES_GETNETBYADDRINADDR"]) +AC_SUBST(ISC_LWRES_GETNETBYADDRINADDR) + +AC_MSG_CHECKING(for int setnetent) +AC_TRY_COMPILE([ +#include <netdb.h>], +[int i = setnetent(0); return(0);], + [AC_MSG_RESULT(yes) + ISC_LWRES_SETNETENTINT="#define ISC_LWRES_SETNETENTINT 1"], + [AC_MSG_RESULT(no) + ISC_LWRES_SETNETENTINT="#undef 
ISC_LWRES_SETNETENTINT"]) +AC_SUBST(ISC_LWRES_SETNETENTINT) + +AC_MSG_CHECKING(for int endnetent) +AC_TRY_COMPILE([ +#include <netdb.h>], +[int i = endnetent(); return(0);], + [AC_MSG_RESULT(yes) + ISC_LWRES_ENDNETENTINT="#define ISC_LWRES_ENDNETENTINT 1"], + [AC_MSG_RESULT(no) + ISC_LWRES_ENDNETENTINT="#undef ISC_LWRES_ENDNETENTINT"]) +AC_SUBST(ISC_LWRES_ENDNETENTINT) + +AC_MSG_CHECKING(for gethostbyadd(const void *, size_t, ...)) +AC_TRY_COMPILE([ +#include <netdb.h> +struct hostent *gethostbyaddr(const void *, size_t, int);], +[return(0);], + [AC_MSG_RESULT(yes) + ISC_LWRES_GETHOSTBYADDRVOID="#define ISC_LWRES_GETHOSTBYADDRVOID 1"], + [AC_MSG_RESULT(no) + ISC_LWRES_GETHOSTBYADDRVOID="#undef ISC_LWRES_GETHOSTBYADDRVOID"]) +AC_SUBST(ISC_LWRES_GETHOSTBYADDRVOID) + +AC_MSG_CHECKING(for h_errno in netdb.h) +AC_TRY_COMPILE([ +#include <netdb.h>], +[h_errno = 1; return(0);], + [AC_MSG_RESULT(yes) + ISC_LWRES_NEEDHERRNO="#undef ISC_LWRES_NEEDHERRNO"], + [AC_MSG_RESULT(no) + ISC_LWRES_NEEDHERRNO="#define ISC_LWRES_NEEDHERRNO 1"]) +AC_SUBST(ISC_LWRES_NEEDHERRNO) + +AC_CHECK_FUNC(getipnodebyname, + [ISC_LWRES_GETIPNODEPROTO="#undef ISC_LWRES_GETIPNODEPROTO"], + [ISC_LWRES_GETIPNODEPROTO="#define ISC_LWRES_GETIPNODEPROTO 1"]) +AC_CHECK_FUNC(getnameinfo, + [ISC_LWRES_GETNAMEINFOPROTO="#undef ISC_LWRES_GETNAMEINFOPROTO"], + [ISC_LWRES_GETNAMEINFOPROTO="#define ISC_LWRES_GETNAMEINFOPROTO 1"]) +AC_CHECK_FUNC(getaddrinfo, + [ISC_LWRES_GETADDRINFOPROTO="#undef ISC_LWRES_GETADDRINFOPROTO" + AC_DEFINE(HAVE_GETADDRINFO)], + [ISC_LWRES_GETADDRINFOPROTO="#define ISC_LWRES_GETADDRINFOPROTO 1"]) +AC_SUBST(ISC_LWRES_GETIPNODEPROTO) +AC_SUBST(ISC_LWRES_GETADDRINFOPROTO) +AC_SUBST(ISC_LWRES_GETNAMEINFOPROTO) + +# +# Look for a sysctl call to get the list of network interfaces. 
+# +AC_MSG_CHECKING(for interface list sysctl) +AC_EGREP_CPP(found_rt_iflist, [ +#include <sys/param.h> +#include <sys/sysctl.h> +#include <sys/socket.h> +#ifdef NET_RT_IFLIST +found_rt_iflist +#endif +], + [AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_IFLIST_SYSCTL)], + [AC_MSG_RESULT(no)]) + # Check for some other useful functions that are not ever-present. AC_CHECK_FUNC(strsep, [ISC_PLATFORM_NEEDSTRSEP="#undef ISC_PLATFORM_NEEDSTRSEP"], diff --git a/doc/arm/Bv9ARM.6.html b/doc/arm/Bv9ARM.6.html index 9b308ba7..b91f3b05 100644 --- a/doc/arm/Bv9ARM.6.html +++ b/doc/arm/Bv9ARM.6.html @@ -16,7 +16,7 @@ - SOFTWARE. --> -<!-- $Id: Bv9ARM.6.html,v 1.5.2.3 2000/07/12 17:57:45 gson Exp $ --> +<!-- $Id: Bv9ARM.6.html,v 1.5.2.5 2000/07/26 23:20:17 bwelling Exp $ --> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML EXPERIMENTAL 970324//EN"> <HTML> @@ -3090,7 +3090,7 @@ recursive-clients</CODE> <A NAME="pgfId=1040062"> </A> The maximum number of simultaneous recursive lookups the server will perform on behalf of clients. The default is <EM CLASS="grammar_literal"> -100</EM> +1000</EM> .</P> </TD> </TR> @@ -3886,7 +3886,7 @@ view</CODE> <PRE CLASS="2Level-fixed"><A NAME="pgfId=1038409"></A> <KBD CLASS="Literal-user-input"> view </KBD><EM CLASS="variable">view name</EM><KBD CLASS="Literal-user-input"> {</KBD> - <KBD CLASS="Literal-user-input">match_clients {</KBD> <EM CLASS="variable">address_match_list</EM><KBD CLASS="Literal-user-input"> } ; </KBD> + <KBD CLASS="Literal-user-input">match-clients {</KBD> <EM CLASS="variable">address_match_list</EM><KBD CLASS="Literal-user-input"> } ; </KBD> <EM CLASS="Optional-meta-syntax">[</EM><CODE CLASS="grammar_literal">view_option</CODE><KBD CLASS="Literal-user-input">;</KBD><EM CLASS="Optional-meta-syntax"> ...]</EM> <EM CLASS="Optional-meta-syntax">[</EM><CODE CLASS="grammar_literal">zone_statement</CODE><KBD CLASS="Literal-user-input">;</KBD><EM CLASS="Optional-meta-syntax"> ...]]</EM> <KBD CLASS="Literal-user-input">};</KBD> 
@@ -3964,18 +3964,7 @@ zone</CODE> statements must occur inside <CODE CLASS="Program-Process"> view</CODE> statements.</P> -<P CLASS="3LevelContinued"> -<A NAME="pgfId=1107611"> -</A> -A <CODE CLASS="Program-Process"> -zone</CODE> - statement of type <EM CLASS="variable"> -hint</EM> - for the root zone (`<EM CLASS="grammar_literal"> -.</EM> -') does not strictly define a zone. Therefore, it should not be included in a <CODE CLASS="Program-Process"> -view</CODE> - statement.</P> + <P CLASS="3LevelContinued"> <A NAME="pgfId=1038608"> </A> diff --git a/doc/arm/Bv9ARM.txt b/doc/arm/Bv9ARM.txt index 884c7761..e99004b0 100644 --- a/doc/arm/Bv9ARM.txt +++ b/doc/arm/Bv9ARM.txt @@ -734,9 +734,7 @@ The key{} statement has two clauses: algorithm and secret. While the configuration parser will accept any string as the argument to algorithm, currently only the string "hmac-md5" has any meaning. The secret is a base-64 encoded string, typically generated with either dnssec-keygen or -mmencode. The parser will happily accept an invalid base-64 string, but it -will never work with the server because the server validates the -base-64 of the secret for itself when loading its own configuration file. +mmencode. The server{} statement uses the key clause to associate a key{}-defined key with a server. The argument to the server{} statement is a host name or @@ -2589,7 +2587,7 @@ description of size_spec in Configuration File Elements for more details. recursive-clients The maximum number of simultaneous recursive lookups the server will perform on behalf of clients. The default is - 100. + 1000. stacksize The maximum amount of stack memory the server may use. The default is default. Not yet implemented in BIND 9. @@ -2920,7 +2918,7 @@ representation of the key data. 6.2.17 view Statement Grammar view view name { - match_clients { address_match_list } ; + match-clients { address_match_list } ; [view_option; ...] [zone_statement; ...]] }; 
@@ -2958,9 +2956,6 @@ statements specified on the top level of the configuration file are considered to be part of this default view. If any explicit view statements are present, all zone statements must occur inside view statements. -A zone statement of type hint for the root zone ('.') does not strictly -define a zone. Therefore, it should not be included in a view statement. - Here is an example of a typical split DNS setup implemented using view statements. diff --git a/doc/man/bin/lwresd.8 b/doc/man/bin/lwresd.8 new file mode 100644 index 00000000..7163b0c6 --- /dev/null +++ b/doc/man/bin/lwresd.8 
@@ -0,0 +1,166 @@ +.\" +.\" Copyright (C) 2000 Internet Software Consortium. +.\" +.\" Permission to use, copy, modify, and distribute this document for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM +.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL +.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING +.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, +.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION +.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.\" $Id: lwresd.8,v 1.4 2000/07/17 17:49:25 gson Exp $ +.\" +.Dd Jun 30, 2000 +.Dt LWRESD 8 +.Os BIND9 9 +.ds vT BIND 9 Programmer's Manual +.Sh NAME +.Nm lwresd +.Nd lightweight resolver daemon +.Sh SYNOPSIS +.Nm lwresd +.Op Fl C Ar config-file +.Op Fl d Ar debuglevel +.Op Fl f g s +.Op Fl i Ar pid-file +.Op Fl n Ar #cpus +.Op Fl P Ar query-port# +.Op Fl p Ar port# +.Op Fl t Ar directory +.Op Fl u Ar user-id +.Sh DESCRIPTION +.Nm lwresd +is the daemon providing name lookup services to clients that use +the BIND 9 lightweight resolver library. +It is essentially a stripped-down, caching-only name server that +answers queries using the BIND 9 lightweight resolver protocol +rather than the DNS protocol. +.Pp +.Nm lwresd +listens for resolver queries on a UDP port on the IPv4 loopback +interface, 127.0.0.1. +This means that +.Nm lwresd +can only be used by processes running on the local machine. +By default UDP port number 921 is used for lightweight resolver +requests and responses. +.Pp +Incoming lightweight resolver requests are decoded by +.Nm lwresd +which then resolves them using the DNS protocol. 
+When the DNS lookup completes, +.Nm lwresd +encodes the answers from the name servers in the lightweight +resolver format and returns them to the client that made the original +request. +.Pp +If +.Pa /etc/resolv.conf +contains any +.Sy nameserver +entries, +.Nm lwresd +sends recursive DNS queries to those servers. This +is similar to the use of forwarders in a chaching name +server. If no +.Sy nameserver +entries are present, or if forwarding fails, +.Nm lwresd +resolves the queries autonomously starting at the +root name servers, using a compiled-in list of root +servers hints. +.Pp +The options to +.Nm lwresd +are as follows: +.Bl -tag -width Ds +.It Fl C +use +.Ar config-file +as the configuration file instead of the default, +.Pa /etc/resolv.conf . +.It Fl d +set the daemon's debug level to +.Ar debuglevel . +Debugging traces from +.Nm lwresd +become more verbose as the debug level increases. +.It Fl f +run +.Nm lwresd +in the foreground. +.It Fl g +run +.Nm lwresd +in the foreground and force all logging to +.Dv stderr . +.It Fl i +write the daemon's process id to +.Ar pid-file +instead of the default pathname. +.It Fl n +create +.Ar #cpus +worker threads to take advantage of multiple CPUs. +If no option is given, +.Nm lwresd +will try to determine the number of CPUs present and create +one thread per CPU. If +.Nm lwresd +is unable to determine the number of CPUs, a single worker thread +is created. +.It Fl P +send DNS lookups to port number +.Ar query-port# +when querying name servers. +This provides a way of testing the lightweight resolver daemon with a +name server that listens for queries on a non-standard port number. +.It Fl p +listen for lightweight resolver queries on the loopback interface +using UDP port +.Ar port# +instead of the default port number, 921. +.It Fl s +write memory usage statistics to +.Dv stdout +on exit. +This option is only of interest to BIND 9 developers and may be +removed or changed in a future release. 
+.It Fl t +tells +.Nm lwresd +to chroot() to +.Ar directory +immediately after reading its configuration file. +.It Fl u +run +.Nm lwresd +as +.Ar user-id , +which is a user name or numeric id that must be present in the +password file. +The lightweight resolver daemon will change its user-id after it has +carried out any privileged operations, such as writing the process-id +file or binding a socket to a privileged port (typically any port +less than 1024). +.El +.Sh FILES +.Bl -tag -width /var/run/lwresd.pid -compact +.It Pa /etc/resolv.conf +default configuration file +.It Pa /var/run/lwresd.pid +default process-id file +.El +.Sh SEE ALSO +.Xr named 8 , +.Xr lwres 3 . +.Sh NOTES +.Nm lwresd +is a daemon for lightweight resolvers, not a lightweight daemon +for resolvers. diff --git a/doc/man/dnssec/dnssec-keygen.8 b/doc/man/dnssec/dnssec-keygen.8 new file mode 100644 index 00000000..899d865e --- /dev/null +++ b/doc/man/dnssec/dnssec-keygen.8 
@@ -0,0 +1,304 @@ +.\" +.\" Copyright (C) 2000 Internet Software Consortium. +.\" +.\" Permission to use, copy, modify, and distribute this document for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM +.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL +.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING +.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, +.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION +.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.\" $Id: dnssec-keygen.8,v 1.5 2000/07/26 18:52:05 gson Exp $ +.\" +.Dd Jun 30, 2000 +.Dt DNSSEC-KEYGEN 8 +.Os BIND9 9 +.ds vT BIND9 Programmer's Manual +.Sh NAME +.Nm dnssec-keygen +.Nd key generation tool for DNSSEC +.Sh SYNOPSIS +.Nm dnssec-keygen +.Fl a Ar algorithm +.Fl b Ar keysize +.Op Fl e +.Op Fl g Ar generator +.Op Fl h +.Fl n Ar nametype +.Op Fl p Ar protocol-value +.Op Fl r Ar randomdev +.Op Fl s Ar strength-value +.Op Fl t Ar type +.Op Fl v Ar level +.Ar name +.Sh DESCRIPTION +.Nm dnssec-keygen +generates keys for DNSSEC, Secure DNS, as defined in RFC2535. +It also generates keys for use in Transaction Signatures, TSIG, which +is defined in RFC2845. +.Pp +A short summary of the options and arguments to +.Nm dnssec-keygen +is printed by the +.Fl h +(help) option. +.Pp +The +.Fl a , +.Fl b , +and +.Fl n +options and their arguments must be supplied when generating keys. +The domain name that the key has to be generated for is given by +.Ar name . +.Pp +The choice of encryption algorithm is selected by the +.Fl a +option to +.Nm dnssec-keygen . 
+.Ar algorithm +must be one of +.Dv RSAMD5 , +.Dv DH , +.Dv DSA +or +.Dv HMAC-MD5 +to indicate that an RSA, Diffie-Hellman, Digital Signature +Algorithm or HMAC-MD5 key is required. +An argument of +.Dv RSA +can also be given, which is equivalent to +.Dv RSAMD5 . +The argument identifying the encryption algorithm is case-insensitive. +DNSSEC specifies DSA as a mandatory algorithm and RSA as a recommended one. +Implementations of TSIG must support HMAC-MD5. +.Pp +The number of bits in the key is determined by the +.Ar keysize +argument following the +.Fl b +option. +The choice of key size depends on the algorithm that is used. +RSA keys must be between 512 and 2048 bits. +Diffie-Hellman keys must be between 128 and 4096 bits. +For DSA, the key size must be between 512 and 1024 bits and a multiple +of 64. +The length of an HMAC-MD5 key can be between 1 and 512 bits. +.Pp +The +.Fl n +option specifies how the generated key will be used. +.Ar nametype +can be either +.Dv ZONE , +.Dv HOST , +.Dv ENTITY , +or +.Dv USER +to indicate that the key will be used for signing a zone, host, +entity or user respectively. +In this context +.Dv HOST +and +.Dv ENTITY +are identical. +.Ar nametype +is case-insensitive. +.Pp +The +.Fl e +option can only be used when generating RSA keys. +It tells +.Nm dnssec-keygen +to use a large exponent. +When creating Diffie-Hellman keys, the +.Fl g +option selects the Diffie-Hellman generator +.Ar generator +that is to be used. +The only supported values value of +.Ar generator +are 2 and 5. +If no Diffie-Hellman generator is supplied, a known prime +from RFC2539 will be used if possible; otherwise 2 will be used as the +generator. +.Pp +The +.Fl p +option sets the protocol value for the generated key to +.Ar protocol-value . +The default is 2 (email) for keys of type +.Dv USER +and 3 (DNSSEC) for all other key types. +Other possible values for this argument are listed in RFC2535 and its +successors. 
+.Pp +.Nm dnssec-keygen +uses random numbers to seed the process +of generating keys. +If the system does not have a +.Pa /dev/random +device that can be used for generating random numbers, +.Nm dnssec-keygen +will prompt for keyboard input and use the time intervals between +keystrokes to provide randomness. +The +.Fl r +option overrides this behaviour, making +.Nm dnssec-keygen +use +.Ar randomdev +as a source of random data. +.Pp +The key's strength value can be set with the +.Fl s +option. +The generated key will sign DNS resource records +with a strength value of +.Ar strength-value . +It should be a number between 0 and 15. +The default strength is zero. +The key strength field currently has no defined purpose in DNSSEC. +.Pp +The +.Fl t +option indicates if the key is to be used for authentication or +confidentiality. +.Ar type +can be one of +.Dv AUTHCONF , +.Dv NOAUTHCONF , +.Dv NOAUTH +or +.Dv NOCONF . +The default is +.Dv AUTHCONF . +If type is +.Dv AUTHCONF +the key can be used for authentication and confidentialty. +Setting +.Ar type +to +.Dv NOAUTHCONF +indicates that the key cannot be used for authentication or confidentialty. +A value of +.Dv NOAUTH +means the key can be used for confidentiality but not for +authentication. +Similarly, +.Dv NOCONF +defines that the key cannot be used for confidentiality though it can +be used for authentication. +.Pp +The +.Fl v +option can be used to make +.Nm dnssec-keygen +more verbose. +As the debugging/tracing level +.Ar level +increases, +.Nm dnssec-keygen +generates increasingly detailed reports about what it is doing. +The default level is zero. +.Sh GENERATED KEYS +When +.Nm dnssec-keygen +completes it prints a string of the form +.Ar Knnnn.+aaa+iiiii +on the standard output. +This is an identification string for the key it has generated. +These strings can be supplied as arguments to +.Xr dnssec-makekeyset 8 . +.Pp +The +.Ar nnnn. +part is the dot-terminated domain name given by +.Ar name . 
+The DNSSEC algorithm identifier is indicated by +.Ar aaa - +001 for RSA, 002 for Diffie-Hellman, 003 for DSA or 157 for HMAC-MD5. +.Ar iiiii +is a five-digit number identifying the key. +.Pp +.Nm dnssec-keygen +creates two files. +The file names are adapted from the key identification string above. +They have names of the form: +.Ar Knnnn.+aaa+iiiii.key +and +.Ar Knnnn.+aaa+iiiii.private . +These contain the public and private parts of the key respectively. +The files generated by +.Nm dnssec-keygen +obey this naming convention to +make it easy for the signing tool +.Xr dnssec-signzone 8 +to identify which file(s) have to be read to find the necessary +key(s) for generating or validating signatures. +.Pp +The +.Ar .key +file contains a KEY resource record that can be inserted into a zone file +with a +.Dv $INCLUDE +statement. +The private part of the key is in the +.Ar .private +file. +It contains details of the encryption algorithm that was used and any +relevant parameters: prime number, exponent, modulus, subprime, etc. +For obvious security reasons, this file does not have general read +permission. +The private part of the key is used by +.Xr dnssec-signzone 8 +to generate signatures and the public part is used to verify the +signatures. +Both +.Ar .key +and +.Ar .private +key files are generated for symmetric encryption algorithm such as +HMAC-MD5, even though the public and private key are equivalent. +.Sh EXAMPLE +To generate a 768-bit DSA key for the domain +.Dv example.com , +the following command would be issued: +.Pp +.Dl # dnssec-keygen -a DSA -b 768 -n ZONE example.com +.Dl Kexample.com.+003+26160 +.Pp +.Nm dnssec-keygen +has printed the key identification string +.Dv Kexample.com.+003+26160 , +indicating a DSA key with identifier 26160. +It will also have created the files +.Pa Kexample.com.+003+26160.key +and +.Pa Kexample.com.+003+26160.private +containing respectively the public and private keys for the generated +DSA key. 
+.Sh FILES +.Pa /dev/random +.Sh SEE ALSO +.Xr RFC2535, +.Xr RFC2845, +.Xr RFC2539, +.Xr dnssec-makekeyset 8 , +.Xr dnssec-signkey 8 , +.Xr dnssec-signzone 8 . +.Sh BUGS +The naming convention for the public and private key files is a little +clumsy. +It won't work for domain names that are longer than 236 characters +because of the +.Ar .+aaa+iiiii.private +suffix results in filenames that are too long for most +.Ux +systems. diff --git a/doc/man/dnssec/dnssec-makekeyset.8 b/doc/man/dnssec/dnssec-makekeyset.8 new file mode 100644 index 00000000..f6fd33df --- /dev/null +++ b/doc/man/dnssec/dnssec-makekeyset.8 
@@ -0,0 +1,211 @@ +.\" +.\" Copyright (C) 2000 Internet Software Consortium. +.\" +.\" Permission to use, copy, modify, and distribute this document for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM +.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL +.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING +.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, +.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION +.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.\" $Id: dnssec-makekeyset.8,v 1.4.2.1 2000/08/02 22:10:10 gson Exp $ +.\" +.Dd Jun 30, 2000 +.Dt DNSSEC-MAKEKEYSET 8 +.Os BIND9 9 +.ds vT BIND9 Programmer's Manual +.Sh NAME +.Nm dnssec-makekeyset +.Nd produce a set of DNSSEC keys +.Sh SYNOPSIS +.Nm dnssec-makekeyset +.Op Fl h +.Op Fl s Ar start-time +.Op Fl e Ar end-time +.Op Fl t Ar TTL +.Op Fl r Ar randomdev +.Op Fl p +.Op Fl v Ar level +.Ar keyfile .... +.Sh DESCRIPTION +.Nm dnssec-makekeyset +generates a key set from one or more keys created by +.Xr dnssec-keygen 8 . +It creates a file containing KEY and SIG records for some zone which +can then be signed by the zone's parent if the parent zone is +DNSSEC-aware. +.Ar keyfile +should be a key identification string as reported by +.Xr dnssec-keygen 8 : +i.e. +.Ar Knnnn.+aaa+iiiii +where +.Ar nnnn +is the name of the key, +.Ar aaa +is the encryption algorithm and +.Ar iiiii +is the key identifier. +Multiple +.Ar keyfile +arguments can be supplied when there are several keys to be combined +by +.Nm dnssec-makekeyset +into a key set. 
+.Pp +For any SIG records that are in the key set, the start time when the +SIG records become valid is specified with the +.Fl s +option. +.Ar start-time +can either be an absolute or relative date. +An absolute start time is indicated by a number in YYYYMMDDHHMMSS +notation: 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. +A relative start time is supplied when +.Ar start-time +is given as +N: N seconds from the current time. +If no +.Fl s +option is supplied, the current date and time is used for the start +time of the SIG records. +.Pp +The expiry date for the SIG records can be set by the +.Fl e +option. +Note that in this context, the expiry date specifies when the SIG +records are no longer valid, not when they are deleted from caches on name +servers. +.Ar end-date +also represents an absolute or relative date. +YYYYMMDDHHMMSS notation is used as before to indicate an absolute date +and time. +When +.Ar end-date +is +N, +it indicates that the SIG records will expire in N seconds after their +start date. +If +.Ar end-date +is written as now+N, +the SIG records will expire in N seconds after the current time. +When no expiry date is set for the SIG records, +.Nm dnssec-makekeyset +defaults to an expire time of 30 days from the start time of the SIG +records. +.Pp +An alternate source of random data can be specified with the +.Fl r +option. +.Ar randomdev +is the name of the file to use to obtain random data. +By default +.Pa /dev/random +is used if this device is available. +If it is not provided by the operating system and no +.Fl r +option is used, +.Nm dnssec-makekeyset +will prompt the user for input from the keyboard and use the time +between keystrokes to derive some random data. +.Pp +The +.Fl p +option instructs +.Nm dnssec-makekeyset +to use pseudo-random data when self-signing the keyset. This is faster, but +less secure, than using genuinely random data for signing. +This option may be useful when the entropy source is limited. 
+.Pp +The +.Fl t +option is followed by a time-to-live argument +.Ar TTL +which indicates the TTL value that will be assigned to the assembled KEY +and SIG records in the output file. +.Ar TTL +is expressed in seconds. +If no +.Fl t +option is provided, +.Nm dnssec-makekeyset +prints a warning and uses a default TTL of 3600 seconds. +.Pp +The +.Fl v +option can be used to make +.Nm dnssec-makekeyset +more verbose. +As the debugging/tracing level +.Ar level +increases, +.Nm dnssec-makekeyset +generates increasingly detailed reports about what it is doing. +The default level is zero. +.Pp +The +.Fl h +option makes +.Nm dnssec-makekeyset +to print a short summary of its options and arguments. +.Pp +If +.Nm dnssec-makekeyset +is successful, it creates a file name of the form +.Ar nnnn.keyset . +This file contains the KEY and SIG records for domain +.Dv nnnn , +the domain name part from the key file identifier produced when +.Nm dnssec-keygen +created the domain's public and private keys. +The +.Ar .keyset +file can then be transferred to the DNS administrator of the parent +zone for them to sign the contents with +.Xr dnssec-signkey 8 . +.Sh EXAMPLE +The following command generates a key set for the DSA key for +.Dv example.com +that was shown in the +.Xr dnssec-keygen 8 +man page. +The backslash is for typographic reasons and would not be provided on +the command line when running +.Nm dnssec-makekeyset . +.nf +.Dl # dnssec-makekeyset -t 86400 -s 20000701120000 \e\p +.Dl -e +2592000 Kexample.com.+003+26160 +.fi +.Pp +.Nm dnssec-makekeyset +will create a file called +.Pa example.com.keyset +containing a SIG and KEY record for +.Dv example.com. +These records will have a TTL of 86400 seconds (1 day). +The SIG record becomes valid at noon UTC on July 1st 2000 and expires +30 days (2592000 seconds) later. 
+.Pp +The DNS administrator for +.Dv example.com +could then send +.Pa example.com.keyset +to the DNS administrator for +.Dv .com +so that they could sign the resource records in the file. +This assumes that the +.Dv .com +zone is DNSSEC-aware and the administrators of the two zones have some +mechanism for authenticating each other and exchanging the keys and +signatures securely. +.Sh FILES +.Pa /dev/random . +.Sh SEE ALSO +.Xr RFC2535 , +.Xr dnssec-keygen 8 , +.Xr dnssec-signkey 8 . diff --git a/doc/man/dnssec/dnssec-signkey.8 b/doc/man/dnssec/dnssec-signkey.8 new file mode 100644 index 00000000..927abd36 --- /dev/null +++ b/doc/man/dnssec/dnssec-signkey.8 
@@ -0,0 +1,160 @@ +.\" +.\" Copyright (C) 2000 Internet Software Consortium. +.\" +.\" Permission to use, copy, modify, and distribute this document for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM +.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL +.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING +.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, +.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION +.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.\" $Id: dnssec-signkey.8,v 1.5.2.1 2000/08/02 22:10:12 gson Exp $ +.\" +.Dd Jun 30, 2000 +.Dt DNSSEC-SIGNKEY 8 +.Os BIND9 9 +.ds vT BIND9 Programmer's Manual +.Sh NAME +.Nm dnssec-signkey +.Nd DNSSEC keyset signing tool +.Sh SYNOPSIS +.Nm dnssec-signkey +.Op Fl h +.Op Fl p +.Op Fl r Ar randomdev +.Op Fl v Ar level +.Ar keyset +.Ar keyfile ... +.Sh DESCRIPTION +.Nm dnssec-signkey +is used to sign a key set for a child zone. +Typically this would be provided by a +.Ar .keyset +file generated by +.Xr dnssec-makekeyset 8 . +This provides a mechanism for a DNSSEC-aware zone to sign the keys of +any DNSSEC-aware child zones. +The child zone's key set gets signed with the zone keys for its parent +zone. +.Ar keyset +will be the pathname of the child zone's +.Ar .keyset +file. +Each +.Ar keyfile +argument will be a key identification string as reported by +.Xr dnssec-keygen 8 +for the parent zone. +This allows the child's keys to be signed by more than one +parent zone key. +.Pp +The +.Fl h +option makes +.Nm dnssec-signkey +print a short summary of its command line options +and arguments. 
+.Pp +.Nm dnssec-signkey +may need random numbers in the process of generating keys. +If the system does not have a +.Pa /dev/random +device that can be used for generating random numbers, +.Nm dnssec-signkey +will prompt for keyboard input and use the time intervals between +keystrokes to provide randomness. +The +.Fl r +option overrides this behaviour, making +.Nm dnssec-signkey +use +.Ar randomdev +as a source of random data. +.Pp +The +.Fl p +option instructs +.Nm dnssec-signkey +to use pseudo-random data when signing the keys. This is faster, but +less secure, than using genuinely random data for signing. +This option may be useful when there are many child zone keysets to +sign or if the entropy source is limited. +It could also be used for short-lived keys and signatures that don't +require as much protection against cryptanalysis, such as when the key +will be discarded long before it could be compromised. +.Pp +The +.Fl v +option can be used to make +.Nm dnssec-signkey +more verbose. +As the debugging/tracing level +.Ar level +increases, +.Nm dnssec-signkey +generates increasingly detailed reports about what it is doing. +The default level is zero. +.Pp +When +.Nm dnssec-signkey +completes successfully, it generates a file called +.Ar nnnn.signedkey +containing the signed keys for child zone +.Ar nnnn . +The keys from the +.Ar keyset +file will have been signed by the parent zone's key or keys which were +supplied as +.Ar keyfile +arguments. +This file should be sent to the DNS administrator of the child zone. +They arrange for its contents to be incorporated into the zone file +when it next gets signed with +.Xr dnssec-signzone 8 . +A copy of the generated +.Ar signedkey +file should be kept by the parent zone's DNS administrator, since +it will be needed when signing the parent zone. 
+.Sh EXAMPLE +The DNS administrator for a DNSSEC-aware +.Dv .com +zone would use the following command to make +.Nm dnssec-signkey +sign the +.Ar .keyset +file for +.Dv example.com +created in the example shown in the man page for +.Xr dnssec-makekeyset 8 : +.Pp +.Dl # dnssec-signkey example.com.keyset Kcom.+003+51944 +.Pp +where +.Dv Kcom.+003+51944 +was a key file identifier that was produced when +.Xr dnssec-keygen 8 +generated a key for the +.Dv .com +zone. +.Pp +.Nm dnssec-signkey +will produce a file called +.Dv example.com.signedkey +which has the keys for +.Dv example.com +signed by the +.Dv com +zone's zone key. +.Sh FILES +.Pa /dev/random +.Sh SEE ALSO +.Xr RFC2535, +.Xr dnssec-keygen 8 , +.Xr dnssec-makekeyset 8 , +.Xr dnssec-signzone 8 . diff --git a/doc/man/dnssec/dnssec-signzone.8 b/doc/man/dnssec/dnssec-signzone.8 new file mode 100644 index 00000000..5928f221 --- /dev/null +++ b/doc/man/dnssec/dnssec-signzone.8 
@@ -0,0 +1,263 @@ +.\" +.\" Copyright (C) 2000 Internet Software Consortium. +.\" +.\" Permission to use, copy, modify, and distribute this document for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM +.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL +.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING +.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, +.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION +.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.\" $Id: dnssec-signzone.8,v 1.7.2.1 2000/08/02 22:10:13 gson Exp $ +.\" +.Dd Jun 30, 2000 +.Dt DNSSEC-SIGNZONE 8 +.Os BIND9 9 +.ds vT BIND9 Programmer's Manual +.Sh NAME +.Nm dnssec-signzone +.Nd DNSSEC zone signing tool +.Sh SYNOPSIS +.Nm dnssec-signzone +.Op Fl a +.Op Fl c Ar cycle-time +.Op Fl s Ar start-time +.Op Fl e Ar end-time +.Op Fl o Ar origin +.Op Fl f Ar output-file +.Op Fl p +.Op Fl r Ar randomdev +.Op Fl v Ar level +.Ar zonefile +.Op keyfile .... +.Sh DESCRIPTION +.Pp +.Nm dnssec-signzone +is used to sign a zone. +Any +.Ar .signedkey +files for the zone to be signed should be present in the current +directory, along with the keys that will be used to sign the zone. +If no +.Ar keyfile +arguments are supplied, the default behaviour is to use all of the zone's +keys that are present in the current directory. +Providing specific +.Ar keyfile +arguments constrains +.Nm dnssec-signzone +to only use those keys for signing the zone. +Each +.Ar keyfile +argument would be an identification string for a key created with +.Xr dnssec-keygen 8 . 
+If the zone to be signed has any secure subzones, the +.Ar .signedkey +files for those subzones need to be available in the +current working directory used by +.Nm dnssec-signzone . +.Pp +.Ar zonefile +is the name of the unsigned zone file. +Unless the file name is the same as the name of the zone, the +.Fl o +option should be given. +.Ar origin +will be the fully qualified domain origin for the zone. +.Pp +.Nm dnssec-signzone +will generate NXT and SIG records for the zone and produce a signed +version of the zone. +If there is a +.Ar signedkey +file from the zone's parent, the parent's signatures will be +incorporated into the generated signed zone file. +The security status of delegations from the the signed zone +- i.e. whether the child zones are DNSSEC-aware or not - is +set according to the presence or absence of a +.Ar signedkey +file for the child in case. +.Pp +By default, +.Nm dnssec-signzone +generates a file called +.Ar zonefile.signed +containing the signed zone file. +The output file name can be overridden usign the +.Fl f +option. +.\" Don't hyphenate YYYYMMDDHHMMSS +.nh YYYYMMDDHHMMSS +.Pp +.Nm dnssec-signzone +does not verify the signatures by default. +The +.Fl a +option makes it verify the signatures it generated. +.Pp +The date and time when the generated +SIG records become valid can be specified with the +.Fl s +option. +.Ar start-time +can either be an absolute or relative date. +An absolute start time is indicated by a number in YYYYMMDDHHMMSS +notation: 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. +A relative start time is supplied when +.Ar start-time +is given as +N: N seconds from the current time. +If no +.Fl s +option is supplied, the current date and time is used for the start +time of the SIG records. +.Pp +The expiry date for the SIG records can be set by the +.Fl e +option. 
+Note that in this context, the expiry date specifies when the SIG +records are no longer valid, not when they are deleted from caches on name +servers. +.Ar end-date +also represents an absolute or relative date. +YYYYMMDDHHMMSS notation is used as before to indicate an absolute date +and time. +When +.Ar end-date +is +N, +it indicates that the SIG records will expire in N seconds after their +start date. +If +.Ar end-date +is supplied as now+N, +the SIG records will expire in N seconds after the current time. +When no expiry date is set for the SIG records, +.Nm dnssec-signzone +defaults to an expire time of 30 days from the start time of the SIG +records. +.Pp +When a previously signed zone is passed as input to +.Nm dnssec-signzone , +records may be resigned. Whether or not to resign records is configurable +by using the +.Fl c +option, which specifies the cycle period as an offset from the current time +(in seconds). If a SIG record expires after the cycle period, it is retained. +Otherwise, it is considered to be expiring soon, and +.Nm dnssec-signzone +will remove it and generate a new SIG record to replace it. +.Pp +The default cycle period is one quarter of the difference between the +specified signature end and start dates. So if the +.Fl e +and +.Fl s +options are not specified, +.Nm dnssec-signzone +generates signatures that are valid for 30 days from the current date +by default, with a cycle period of 7.5 days. Therefore, if any SIG records +are due to expire in less than 7.5 days, they would be replaced +with new ones. +.Pp +.Nm dnssec-signzone +may need random numbers in the process of signing the zone. +If the system does not have a +.Pa /dev/random +device that can be used for generating random numbers, +.Nm dnssec-signzone +will prompt for keyboard input and use the time intervals between +keystrokes to provide randomness. +The +.Fl r +option overrides this behaviour, making +.Nm dnssec-signzone +use +.Ar randomdev +as a source of random data. 
+.Pp +The +.Fl p +option instructs +.Nm dnssec-signkey +to use pseudo-random data when signing the keys. This is faster, but +less secure, than using genuinely random data for signing. +This option may be useful when there are many child zone keysets to +sign or if the entropy source is limited. +It could also be used for short-lived keys and signatures that don't +require as much protection against cryptanalysis, such as when the key +will be discarded long before it could be compromised. +.Pp +An option of +.Fl h +makes +.Nm dnssec-signzone +print a short summary of its command line options +and arguments. +.Pp +The +.Fl v +option can be used to make +.Nm dnssec-signzone +more verbose. +As the debugging/tracing level +.Ar level +increases, +.Nm dnssec-signzone +generates increasingly detailed reports about what it is doing. +The default level is zero. +.Sh EXAMPLE +The example below shows how +.Nm dnssec-signzone +could be used to sign the +.Dv example.com +zone with the key that was generated in the example given in the +man page for +.Xr dnssec-keygen 8 . +The zone file for this zone is +.Dv example.com , +which is the same as the origin, so there is no need to use the +.Fl o +option to set the origin. +This zone file contains the keyset for +.Dv example.com +that was created by +.Xr dnssec-makekeyset 8 . +The zone's keys were either appended to the zone file or +incorporated using a +.Dv $INCLUDE +statement. +If there was a +.Ar .signedkey +file from the parent zone - i.e. +.Dv example.com.signedkey +- it should be present in the current directory. +This allows the parent zone's signature to be included in the signed +version of the +.Dv example.com +zone. +.Pp +.Dl # dnssec-signzone example.com Kexample.com.+003+26160 +.Pp +.Nm dnssec-signzone +will create a file called +.Dv example.com.signed , +the signed version of the +.Dv example.com +zone. 
+This file can then be referenced in a +.Dv zone{} +statement in +.Pa /etc/named.conf +so that it can be loaded by the name server. +.Sh FILES +.Pa /dev/random +.Sh SEE ALSO +.Xr RFC2535, +.Xr dnssec-keygen 8 , +.Xr dnssec-makekeyset 8 , +.Xr dnssec-signkey 8 . diff --git a/doc/misc/dnssec b/doc/misc/dnssec index 599a6ada..f079f142 100644 --- a/doc/misc/dnssec +++ b/doc/misc/dnssec @@ -15,7 +15,7 @@ in doc/arm/Bv9ARM.4.html and the man pages. The random data used in generating DNSSEC keys and signatures comes from either /dev/random (if the OS supports it) or keyboard input. Alternatively, -the a device or file containing entropy/random data can be specified. +a device or file containing entropy/random data can be specified. Serving secure zones @@ -49,12 +49,13 @@ successfully even if it does not contain the NXT records to prove the nonexistence of a matching wildcard. Proof of insecure status for insecure zones delegated from secure -zones has been partially implemented, and will work when the -subzones are insecure, but not when they are privately secured. +zones works when the zones are completely insecure. Privately +secured zones delegated from secure zones will not work in all cases, +such as when the privately secured zone is served by the same server +as an ancestor (but not parent) zone. -Handling of the CD bit in queries is not yet fully implemented; -validation is currently attempted for all recursive queries, even if -CD is set. +Handling of the CD bit in queries is now fully implemented. Validation +is not attempted for recursive queries if CD is set. Secure dynamic update @@ -65,4 +66,4 @@ an update occurs. Advanced access control is possible using the "update-policy" statement in the zone definition. -$Id: dnssec,v 1.4.2.2 2000/07/13 02:45:07 bwelling Exp $ +$Id: dnssec,v 1.4.2.3 2000/07/29 00:26:48 gson Exp $ diff --git a/doc/misc/migration b/doc/misc/migration index d1253fbc..0e57e76e 100644 --- a/doc/misc/migration +++ b/doc/misc/migration 
@@ -25,6 +25,22 @@ warning message. A message is also logged about each option whose default has changed unless the option is set explicitly in named.conf. +1.2. Logging + +The set of logging categories in BIND 9 is different from that +in BIND 8. If you have customized your logging on a per-category +basis, you need to modify your logging statement to use the +new categories. + +Another difference is that the "logging" statement only takes effect +after the entire named.conf file has been read. This means that when +the server starts up, any messages about errors in the configuration +file are always logged to the default destination (syslog) when the +server first starts up, regardless of the contents of the "logging" +statement. In BIND 8, the new logging configuration took effect +immediately after the "logging" statement was read. + + 2. Zone File Compatibility 2.1. Strict RFC1035 Interpretation of TTLs in Zone Files @@ -79,4 +95,4 @@ completely. We have contacted the manufacturer of the name server in case and are trying to resolve the issue with them. -$Id: migration,v 1.1.2.1 2000/07/12 05:05:10 gson Exp $ +$Id: migration,v 1.1.2.2 2000/07/27 01:39:11 gson Exp $ diff --git a/lib/dns/config/confctx.c b/lib/dns/config/confctx.c index 8f65b0f9..6b023c75 100644 --- a/lib/dns/config/confctx.c +++ b/lib/dns/config/confctx.c @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: confctx.c,v 1.70.2.2 2000/07/12 16:37:09 gson Exp $ */ +/* $Id: confctx.c,v 1.70.2.3 2000/07/26 16:32:50 gson Exp $ */ #include <config.h> @@ -194,6 +194,7 @@ PVT_CONCAT(dns_c_ctx_unset, FUNC)(dns_c_ctx_t *cfg) \ } \ \ isc_mem_free(cfg->options->mem, cfg->options->FIELD); \ + cfg->options->FIELD = NULL; \ \ return (ISC_R_SUCCESS); \ } diff --git a/lib/dns/config/confndc.c b/lib/dns/config/confndc.c index c07708ca..3330f096 100644 --- a/lib/dns/config/confndc.c +++ b/lib/dns/config/confndc.c 
@@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: confndc.c,v 1.18.2.2 2000/07/12 17:25:49 gson Exp $ */ +/* $Id: confndc.c,v 1.18.2.4 2000/07/27 21:47:19 gson Exp $ */ /* ** options { @@ -1099,7 +1099,7 @@ parse_serverstmt(ndcpcontext *pctx, dns_c_ndcserver_t **server) { if (keyname == NULL) { parser_error(pctx, ISC_FALSE, - "server statement requiresult a key value"); + "server statement requires a key value"); result = ISC_R_FAILURE; goto done; } @@ -1381,7 +1381,7 @@ parser_setup(ndcpcontext *pctx, isc_mem_t *mem, const char *filename) { pctx->thecontext = NULL; pctx->errors = 0; pctx->warnings = 0; - pctx->debug_lexer = ISC_TF(getenv("DEBUG_LEXER") != NULL); + pctx->debug_lexer = ISC_FALSE; pctx->prevtok = pctx->currtok = 0; @@ -1610,9 +1610,6 @@ getnexttoken(ndcpcontext *pctx) { case ISC_R_SUCCESS: switch (token.type) { case isc_tokentype_unknown: - if (pctx->debug_lexer) - fprintf(stderr, "unknown token\n"); - result = ISC_R_FAILURE; break; @@ -1629,12 +1626,6 @@ getnexttoken(ndcpcontext *pctx) { tokstr[CONF_MAX_IDENT - 1] = '\0'; } - if (pctx->debug_lexer) - fprintf(stderr, "lexer token: %s : %s\n", - (token.type == isc_tokentype_special ? - "special" : "string"), - tokstr); - result = isc_symtab_lookup(pctx->thekeywords, tokstr, KEYWORD_SYM_TYPE, &keywordtok); @@ -1659,11 +1650,6 @@ getnexttoken(ndcpcontext *pctx) { pctx->currtok = L_INTEGER; sprintf(pctx->tokstr, "%lu", (unsigned long)pctx->intval); - - if(pctx->debug_lexer) - fprintf(stderr, "lexer token: number : %lu\n", - (unsigned long)pctx->intval); - break; case isc_tokentype_qstring: @@ -1672,12 +1658,6 @@ getnexttoken(ndcpcontext *pctx) { CONF_MAX_IDENT); pctx->tokstr[CONF_MAX_IDENT - 1] = '\0'; pctx->currtok = L_QSTRING; - - if (pctx->debug_lexer) - fprintf(stderr, - "lexer token: qstring : \"%s\"\n", - pctx->tokstr); - break; case isc_tokentype_eof: 
@@ -1690,39 +1670,23 @@ getnexttoken(ndcpcontext *pctx) { * The only way to tell that we closed the * main file and not an included file. */ - if (pctx->debug_lexer) - fprintf(stderr, "lexer token: EOF\n"); - pctx->currtok = L_END_INPUT; } else { - if (pctx->debug_lexer) - fprintf(stderr, - "lexer token: EOF (main)\n"); - pctx->currtok = L_END_INCLUDE; } result = ISC_R_SUCCESS; break; case isc_tokentype_initialws: - if (pctx->debug_lexer) - fprintf(stderr, "lexer token: initial ws\n"); - result = ISC_R_FAILURE; break; case isc_tokentype_eol: - if (pctx->debug_lexer) - fprintf(stderr, "lexer token: eol\n"); - result = ISC_R_FAILURE; break; case isc_tokentype_nomore: - if (pctx->debug_lexer) - fprintf(stderr, "lexer token: nomore\n"); - result = ISC_R_FAILURE; break; } diff --git a/lib/dns/config/confparser.y b/lib/dns/config/confparser.y index cac47eb2..25eaa572 100644 --- a/lib/dns/config/confparser.y +++ b/lib/dns/config/confparser.y @@ -16,7 +16,7 @@ * SOFTWARE. */ -/* $Id: confparser.y,v 1.99.2.2 2000/07/11 21:31:48 gson Exp $ */ +/* $Id: confparser.y,v 1.99.2.3 2000/07/26 22:32:23 gson Exp $ */ #include <config.h> @@ -122,7 +122,6 @@ static isc_lexspecials_t specials; static isc_result_t tmpres; -static int debug_lexer; static in_port_t default_port; int yyparse(void); @@ -5351,12 +5350,6 @@ dns_c_parse_namedconf(const char *filename, isc_mem_t *mem, INSIST(keywords == NULL); INSIST(callbacks == NULL); -#if 1 - if (getenv("DEBUG_LEXER") != NULL) { /* XXX debug */ - debug_lexer++; - } -#endif - specials['{'] = 1; specials['}'] = 1; specials[';'] = 1; @@ -5515,6 +5508,7 @@ yylex(void) isc_result_t res; int options = (ISC_LEXOPT_EOF | ISC_LEXOPT_NUMBER | + ISC_LEXOPT_CNUMBER | ISC_LEXOPT_QSTRING | ISC_LEXOPT_NOMORE); @@ -5764,10 +5758,6 @@ token_value(isc_token_t *token, isc_symtab_t *symtable) switch (token->type) { case isc_tokentype_unknown: - if (debug_lexer) { - fprintf(stderr, "unknown lexer token\n"); - } - res = -1; break; 
@@ -5789,24 +5779,11 @@ token_value(isc_token_t *token, isc_symtab_t *symtable) } else { res = keywordtok.as_integer; } - - if (debug_lexer) { - fprintf(stderr, "lexer token: %s : %s (%d)\n", - (token->type == isc_tokentype_special ? - "special" : "string"), tokstring, res); - } - break; case isc_tokentype_number: yylval.ul_int = (isc_uint32_t)token->value.as_ulong; res = L_INTEGER; - - if(debug_lexer) { - fprintf(stderr, "lexer token: number : %lu\n", - (unsigned long)yylval.ul_int); - } - break; case isc_tokentype_qstring: @@ -5817,12 +5794,6 @@ token_value(isc_token_t *token, isc_symtab_t *symtable) } else { res = L_QSTRING; } - - if (debug_lexer) { - fprintf(stderr, "lexer token: qstring : \"%s\"\n", - yylval.text); - } - break; case isc_tokentype_eof: @@ -5833,36 +5804,21 @@ token_value(isc_token_t *token, isc_symtab_t *symtable) /* the only way to tell that we * closed the main file and not an included file */ - if (debug_lexer) { - fprintf(stderr, "lexer token: EOF\n"); - } res = 0; } else { - if (debug_lexer) { - fprintf(stderr, "lexer token: EOF (main)\n"); - } res = L_END_INCLUDE; } break; case isc_tokentype_initialws: - if (debug_lexer) { - fprintf(stderr, "lexer token: initial ws\n"); - } res = -1; break; case isc_tokentype_eol: - if (debug_lexer) { - fprintf(stderr, "lexer token: eol\n"); - } res = -1; break; case isc_tokentype_nomore: - if (debug_lexer) { - fprintf(stderr, "lexer token: nomore\n"); - } res = -1; break; } diff --git a/lib/dns/config/confview.c b/lib/dns/config/confview.c index d06a57ce..ebe189ca 100644 --- a/lib/dns/config/confview.c +++ b/lib/dns/config/confview.c @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: confview.c,v 1.36 2000/06/09 22:13:23 brister Exp $ */ +/* $Id: confview.c,v 1.36.2.1 2000/07/25 22:47:37 gson Exp $ */ #include <config.h> 
@@ -1052,10 +1052,12 @@ dns_c_view_getalsonotify(dns_c_view_t *view, { REQUIRE(DNS_C_VIEW_VALID(view)); REQUIRE(ipl != NULL); - - *ipl = view->also_notify; - return (*ipl == NULL ? ISC_R_NOTFOUND : ISC_R_SUCCESS); + if (view->also_notify == NULL) + return (ISC_R_NOTFOUND); + + dns_c_iplist_attach(view->also_notify, ipl); + return (ISC_R_SUCCESS); } diff --git a/lib/dns/config/confzone.c b/lib/dns/config/confzone.c index 057ff831..0ce89971 100644 --- a/lib/dns/config/confzone.c +++ b/lib/dns/config/confzone.c @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: confzone.c,v 1.47 2000/06/05 09:17:09 brister Exp $ */ +/* $Id: confzone.c,v 1.47.2.1 2000/07/25 22:47:39 gson Exp $ */ #include <config.h> @@ -1665,7 +1665,7 @@ dns_c_zone_getalsonotify(dns_c_zone_t *zone, dns_c_iplist_t **retval) { } if (p != NULL) { - *retval = p; + dns_c_iplist_attach(p, retval); res = ISC_R_SUCCESS; } else { res = ISC_R_NOTFOUND; diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c index e5db7787..32f0583b 100644 --- a/lib/dns/dnssec.c +++ b/lib/dns/dnssec.c @@ -16,7 +16,7 @@ */ /* - * $Id: dnssec.c,v 1.43 2000/06/06 22:00:47 bwelling Exp $ + * $Id: dnssec.c,v 1.43.2.1 2000/07/27 22:15:21 gson Exp $ * Principal Author: Brian Wellington */ @@ -322,7 +322,7 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, REQUIRE(mctx != NULL); REQUIRE(sigrdata != NULL && sigrdata->type == dns_rdatatype_sig); - ret = dns_rdata_tostruct(sigrdata, &sig, mctx); + ret = dns_rdata_tostruct(sigrdata, &sig, NULL); if (ret != ISC_R_SUCCESS) return (ret); @@ -599,6 +599,7 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) { isc_buffer_init(&sigbuf, sig.signature, sig.siglen); RETERR(dst_context_sign(ctx, &sigbuf)); + dst_context_destroy(&ctx); rdata = NULL; RETERR(dns_message_gettemprdata(msg, &rdata)); 
@@ -671,7 +672,7 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg, RETERR(dns_rdataset_first(msg->sig0)); dns_rdataset_current(msg->sig0, &rdata); - RETERR(dns_rdata_tostruct(&rdata, &sig, mctx)); + RETERR(dns_rdata_tostruct(&rdata, &sig, NULL)); signeedsfree = ISC_TRUE; if (sig.labels != 0) { @@ -691,7 +692,11 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg, goto failure; } - /* XXXBEW ensure that sig.signer refers to this key */ + if (!dns_name_equal(dst_key_name(key), &sig.signer)) { + result = DNS_R_SIGINVALID; + msg->sig0status = dns_tsigerror_badkey; + goto failure; + } RETERR(dst_context_create(key, mctx, &ctx)); @@ -751,6 +756,7 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg, msg->verified_sig = 1; + dst_context_destroy(&ctx); dns_rdata_freestruct(&sig); return (ISC_R_SUCCESS); diff --git a/lib/dns/include/dns/db.h b/lib/dns/include/dns/db.h index ae94e1ed..139511e9 100644 --- a/lib/dns/include/dns/db.h +++ b/lib/dns/include/dns/db.h @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: db.h,v 1.50 2000/06/22 21:55:33 tale Exp $ */ +/* $Id: db.h,v 1.50.2.1 2000/07/24 23:23:16 gson Exp $ */ #ifndef DNS_DB_H #define DNS_DB_H 1 @@ -1109,10 +1109,6 @@ dns_db_deleterdataset(dns_db_t *db, dns_dbnode_t *node, * * If 'covers' != 0, 'type' must be SIG. * - * Ensures: - * - * On success, 'rdataset' is associated with the found rdataset. - * * Returns: * * ISC_R_SUCCESS diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h index 0b5fc371..67e1c520 100644 --- a/lib/dns/include/dns/dnssec.h +++ b/lib/dns/include/dns/dnssec.h @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: dnssec.h,v 1.15 2000/06/22 21:55:37 tale Exp $ */ +/* $Id: dnssec.h,v 1.15.2.1 2000/07/27 22:15:22 gson Exp $ */ #ifndef DNS_DNSSEC_H #define DNS_DNSSEC_H 1 
@@ -154,6 +154,8 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg, * ISC_R_SUCCESS * ISC_R_NOMEMORY * ISC_R_NOTFOUND - no SIG(0) was found + * DNS_R_SIGINVALID - the SIG record is not well-formed or + * was not generated by the key. * DST_R_* */ diff --git a/lib/dns/include/dns/journal.h b/lib/dns/include/dns/journal.h index 04d49ad6..70d37337 100644 --- a/lib/dns/include/dns/journal.h +++ b/lib/dns/include/dns/journal.h @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: journal.h,v 1.17 2000/06/22 21:55:40 tale Exp $ */ +/* $Id: journal.h,v 1.17.2.1 2000/08/06 22:11:47 gson Exp $ */ #ifndef DNS_JOURNAL_H #define DNS_JOURNAL_H 1 @@ -475,6 +475,7 @@ dns_journal_rollforward(isc_mem_t *mctx, dns_db_t *db, const char *filename); * Returns: * DNS_R_NOJOURNAL when journal does not exist. * ISC_R_NOTFOUND when current serial in not in journal. + * ISC_R_RANGE when current serial in not in journals range. * ISC_R_SUCCESS journal has been applied successfully to database. * others */ diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h index 1763b4fc..cc374681 100644 --- a/lib/dns/include/dns/resolver.h +++ b/lib/dns/include/dns/resolver.h @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: resolver.h,v 1.27 2000/06/22 21:56:06 tale Exp $ */ +/* $Id: resolver.h,v 1.27.2.1 2000/07/27 21:27:02 gson Exp $ */ #ifndef DNS_RESOLVER_H #define DNS_RESOLVER_H 1 @@ -89,6 +89,7 @@ typedef struct dns_fetchevent { #define DNS_FETCHOPT_RECURSIVE 0x04 /* Set RD? */ #define DNS_FETCHOPT_NOEDNS0 0x08 /* Do not use EDNS. */ #define DNS_FETCHOPT_FORWARDONLY 0x10 /* Only use forwarders. */ +#define DNS_FETCHOPT_NOVALIDATE 0x20 /* Disable validation. */ /* * XXXRTH Should this API be made semi-private? (I.e. diff --git a/lib/dns/include/dns/tsig.h b/lib/dns/include/dns/tsig.h index 4bff2e0d..d6ccea3f 100644 --- a/lib/dns/include/dns/tsig.h +++ b/lib/dns/include/dns/tsig.h 
@@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: tsig.h,v 1.24 2000/06/22 21:56:17 tale Exp $ */ +/* $Id: tsig.h,v 1.24.2.4 2000/07/28 23:39:23 gson Exp $ */ #ifndef DNS_TSIG_H #define DNS_TSIG_H 1 @@ -42,7 +42,7 @@ extern dns_name_t *dns_tsig_hmacmd5_name; #define DNS_TSIG_FUDGE 300 struct dns_tsig_keyring { - ISC_LIST(dns_tsigkey_t) keys; + dns_rbt_t *keys; isc_rwlock_t lock; isc_mem_t *mctx; }; @@ -61,10 +61,8 @@ struct dns_tsigkey { dns_tsig_keyring_t *ring; /* the enclosing keyring */ isc_mutex_t lock; /* Locked */ - isc_boolean_t deleted; /* has this been deleted? */ isc_uint32_t refs; /* reference counter */ /* Unlocked */ - ISC_LINK(dns_tsigkey_t) link; }; #define dns_tsigkey_empty(tsigkey) ((tsigkey)->key == NULL) @@ -84,16 +82,19 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm, * not NULL, *key will contain a copy of the key. The keys validity * period is specified by (inception, expire), and will not expire if * inception == expire. If the key was generated, the creating identity, - * if there is one, should be in the creator parameter. + * if there is one, should be in the creator parameter. Specifying an + * unimplemented algorithm will cause failure only if length > 0; this + * allows a transient key with an invalid algorithm to exist long enough + * to generate a BADKEY response. * * Requires: * 'name' is a valid dns_name_t * 'algorithm' is a valid dns_name_t * 'secret' is a valid pointer - * 'length' is an integer greater than 0 + * 'length' is an integer >= 0 * 'creator' points to a valid dns_name_t or is NULL * 'mctx' is a valid memory context - * 'ring' is a valid TSIG keyring + * 'ring' is a valid TSIG keyring or NULL * 'key' or '*key' must be NULL * * Returns: 
@@ -116,25 +117,25 @@ dns_tsigkey_attach(dns_tsigkey_t *source, dns_tsigkey_t **targetp); */ void -dns_tsigkey_detach(dns_tsigkey_t **key); +dns_tsigkey_detach(dns_tsigkey_t **keyp); /* * Detaches from the tsig key structure pointed to by '*key'. * * Requires: - * 'key' not NULL and '*key' is a valid TSIG key + * 'keyp' is not NULL and '*keyp' is a valid TSIG key * * Ensures: - * 'key' points to NULL + * 'keyp' points to NULL */ void dns_tsigkey_setdeleted(dns_tsigkey_t *key); /* - * Marks this key as deleted. It will be deleted when no references - * exist. + * Prevents this key from being used again. It will be deleted when + * no references * exist. * * Requires: - * 'key' is a valid TSIG key + * 'key' is a valid TSIG key on a keyring */ isc_result_t @@ -157,7 +158,7 @@ dns_tsig_sign(dns_message_t *msg); isc_result_t dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, - dns_tsig_keyring_t *sring, dns_tsig_keyring_t *dring); + dns_tsig_keyring_t *ring1, dns_tsig_keyring_t *ring2); /* * Verifies the TSIG record in this message * @@ -167,8 +168,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, * 'msg->tsigkey' is a valid TSIG key if this is a response * 'msg->tsig' is NULL * 'msg->querytsig' is not NULL if this is a response - * 'sring' is a valid keyring or NULL - * 'dring' is a valid keyring or NULL + * 'ring1' and 'ring2' are each either a valid keyring or NULL * * Returns: * ISC_R_SUCCESS @@ -201,13 +201,13 @@ dns_tsigkey_find(dns_tsigkey_t **tsigkey, dns_name_t *name, isc_result_t -dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ring); +dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ringp); /* * Create an empty TSIG key ring. * * Requires: * 'mctx' is not NULL - * 'ring' is not NULL, and '*ring' is NULL + * 'ringp' is not NULL, and '*ringp' is NULL * * Returns: * ISC_R_SUCCESS 
@@ -216,12 +216,12 @@ dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ring); void -dns_tsigkeyring_destroy(dns_tsig_keyring_t **ring); +dns_tsigkeyring_destroy(dns_tsig_keyring_t **ringp); /* * Destroy a TSIG key ring. * * Requires: - * 'ring' is not NULL + * 'ringp' is not NULL */ ISC_LANG_ENDDECLS diff --git a/lib/dns/master.c b/lib/dns/master.c index f4bd9056..ec0141eb 100644 --- a/lib/dns/master.c +++ b/lib/dns/master.c @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: master.c,v 1.54.2.3 2000/07/10 19:17:35 gson Exp $ */ +/* $Id: master.c,v 1.54.2.4 2000/08/02 21:22:27 gson Exp $ */ #include <config.h> @@ -120,6 +120,8 @@ on_list(dns_rdatalist_t *this, dns_rdata_t *rdata); default: \ goto error_cleanup; \ } \ + if ((token)->type == isc_tokentype_special) \ + goto error_cleanup; \ } while (0) #define WARNUNEXPECTEDEOF(lexer) \ @@ -335,7 +337,8 @@ load(isc_lex_t *lex, dns_name_t *top, dns_name_t *origin, isc_lex_getsourceline(lex)); goto cleanup; } - GETTOKEN(lex, 0, &token, ISC_FALSE); + GETTOKEN(lex, ISC_LEXOPT_QSTRING, &token, + ISC_FALSE); if (include_file != NULL) isc_mem_free(mctx, include_file); include_file = isc_mem_strdup(mctx, diff --git a/lib/dns/message.c b/lib/dns/message.c index 4cb3f956..6462897d 100644 --- a/lib/dns/message.c +++ b/lib/dns/message.c @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: message.c,v 1.131.2.2 2000/07/03 17:20:43 gson Exp $ */ +/* $Id: message.c,v 1.131.2.6 2000/08/07 22:07:09 gson Exp $ */ /*** *** Imports @@ -30,6 +30,7 @@ #include <dns/dnssec.h> #include <dns/keyvalues.h> +#include <dns/log.h> #include <dns/message.h> #include <dns/rdata.h> #include <dns/rdatalist.h> @@ -396,6 +397,8 @@ msgresetnames(dns_message_t *msg, unsigned int first_section) { isc_mempool_put(msg->rdspool, rds); rds = next_rds; } + if (dns_name_dynamic(name)) + dns_name_free(name, msg->mctx); isc_mempool_put(msg->namepool, name); name = next_name; } 
@@ -440,9 +443,10 @@ msgresetsigs(dns_message_t *msg, isc_boolean_t replying) { isc_mempool_put(msg->namepool, msg->tsigname); msg->tsig = NULL; msg->tsigname = NULL; - } else if (msg->querytsig != NULL) { + } else if (msg->querytsig != NULL && !replying) { dns_rdataset_disassociate(msg->querytsig); isc_mempool_put(msg->rdspool, msg->querytsig); + msg->querytsig = NULL; } if (msg->sig0 != NULL) { INSIST(dns_rdataset_isassociated(msg->sig0)); @@ -738,7 +742,7 @@ dns_message_destroy(dns_message_t **msgp) { } static isc_result_t -simple_findname(dns_name_t **foundname, dns_name_t *target, +findname(dns_name_t **foundname, dns_name_t *target, dns_namelist_t *section) { dns_name_t *curr; @@ -756,26 +760,6 @@ simple_findname(dns_name_t **foundname, dns_name_t *target, return (ISC_R_NOTFOUND); } -static isc_result_t -findname(dns_name_t **foundname, dns_name_t *target, unsigned int attributes, - dns_namelist_t *section) -{ - dns_name_t *curr; - - for (curr = ISC_LIST_TAIL(*section) ; - curr != NULL ; - curr = ISC_LIST_PREV(curr, link)) { - if (dns_name_equal(curr, target) && - (curr->attributes & attributes) == attributes) { - if (foundname != NULL) - *foundname = curr; - return (ISC_R_SUCCESS); - } - } - - return (ISC_R_NOTFOUND); -} - isc_result_t dns_message_findtype(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers, dns_rdataset_t **rdataset) @@ -952,7 +936,7 @@ getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx) * name since we no longer need it, and set our name pointer * to point to the name we found. */ - result = findname(&name2, name, 0, section); + result = findname(&name2, name, section); /* * If it is the first name in the section, accept it. 
@@ -1077,7 +1061,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, dns_section_t sectionid, isc_boolean_t preserve_order) { isc_region_t r; - unsigned int count, rdatalen, attributes; + unsigned int count, rdatalen; dns_name_t *name; dns_name_t *name2; dns_rdataset_t *rdataset; @@ -1232,32 +1216,18 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, result = ISC_R_NOMEMORY; goto cleanup; } - attributes = 0; - if (rdtype != dns_rdatatype_tsig) { - if (rdtype == dns_rdatatype_cname) { - name->attributes |= DNS_NAMEATTR_CNAME; - attributes = DNS_NAMEATTR_CNAME; - skip_name_search = ISC_TRUE; - } else if (rdtype == dns_rdatatype_dname) { - name->attributes |= DNS_NAMEATTR_DNAME; - attributes = DNS_NAMEATTR_DNAME; - skip_name_search = ISC_TRUE; - } - result = getrdata(source, msg, dctx, msg->rdclass, - rdtype, rdatalen, rdata); - } else + if (rdtype == dns_rdatatype_tsig) result = getrdata(source, msg, dctx, rdclass, rdtype, rdatalen, rdata); + else + result = getrdata(source, msg, dctx, msg->rdclass, + rdtype, rdatalen, rdata); if (result != ISC_R_SUCCESS) goto cleanup; rdata->rdclass = rdclass; if (rdtype == dns_rdatatype_sig && rdata->length > 0) { covers = dns_rdata_covers(rdata); - if (covers == dns_rdatatype_cname) - attributes = DNS_NAMEATTR_CNAME; - else if (covers == dns_rdatatype_dname) - attributes = DNS_NAMEATTR_DNAME; - else if (covers == 0 && + if (covers == 0 && sectionid == DNS_SECTION_ADDITIONAL) { if (msg->sig0 != NULL) { @@ -1292,7 +1262,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, * allocated name since we no longer need it, and set * our name pointer to point to the name we found. */ - result = findname(&name2, name, attributes, section); + result = findname(&name2, name, section); /* * If it is a new name, append to the section. 
@@ -1515,8 +1485,15 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source, return (ret); isc_buffer_remainingregion(source, &r); - if (r.length != 0) - return (DNS_R_FORMERR); + if (r.length != 0) { + if (r.length == 2 && r.base[0] == 'M' && r.base[1] == 'S') { + isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL, + DNS_LOGMODULE_MESSAGE, ISC_LOG_INFO, + "message has nonstandard Microsoft tag"); + } else { + return (DNS_R_FORMERR); + } + } if (msg->tsig != NULL || msg->tsigkey != NULL || msg->sig0 != NULL) { msg->saved = isc_mem_get(msg->mctx, sizeof(isc_region_t)); @@ -2021,39 +1998,9 @@ dns_message_findname(dns_message_t *msg, dns_section_t section, REQUIRE(*rdataset == NULL); } - if (msg->from_to_wire == DNS_MESSAGE_INTENTPARSE) { - dns_rdatatype_t atype; - unsigned int attributes; - - /* - * Figure out what attributes we should look for. - */ - if (type == dns_rdatatype_sig) - atype = covers; - else - atype = type; - attributes = 0; - if (atype == dns_rdatatype_cname) - attributes = DNS_NAMEATTR_CNAME; - else if (atype == dns_rdatatype_dname) - attributes = DNS_NAMEATTR_DNAME; + result = findname(&foundname, target, + &msg->sections[section]); - /* - * Search through, looking for the name. - */ - result = findname(&foundname, target, attributes, - &msg->sections[section]); - } else { - /* - * The message was not built by dns_message_parse() - * and therefore does not have CNAMEs and DNAMEs - * as separate names, and no DNS_NAMEATTR_CNAME - * and DNS_NAMEATTR_DNAME attributes are maintained. - * Therefore, we should not compare attributes. - */ - result = simple_findname(&foundname, target, - &msg->sections[section]); - } if (result == ISC_R_NOTFOUND) return (DNS_R_NXDOMAIN); else if (result != ISC_R_SUCCESS) 
@@ -2122,6 +2069,8 @@ dns_message_puttempname(dns_message_t *msg, dns_name_t **item) { REQUIRE(DNS_MESSAGE_VALID(msg)); REQUIRE(item != NULL && *item != NULL); + if (dns_name_dynamic(*item)) + dns_name_free(*item, msg->mctx); isc_mempool_put(msg->namepool, *item); *item = NULL; } @@ -2752,7 +2701,7 @@ dns_message_sectiontotext(dns_message_t *msg, dns_section_t section, omit_final_dot = ISC_TF((flags & DNS_MESSAGETEXTFLAG_OMITDOT) != 0); if (ISC_LIST_EMPTY(msg->sections[section])) - return ISC_R_SUCCESS; + return (ISC_R_SUCCESS); if (section == DNS_SECTION_QUESTION) no_rdata = ISC_TRUE; @@ -2892,24 +2841,21 @@ dns_message_totext(dns_message_t *msg, dns_messagetextflag_t flags, ADD_STRING(target, "cd "); if (msg->opcode != dns_opcode_update) { ADD_STRING(target, "; QUESTION: "); - } - else { + } else { ADD_STRING(target, "; ZONE: "); } sprintf(buf, "%1u", msg->counts[DNS_SECTION_QUESTION]); ADD_STRING(target, buf); if (msg->opcode != dns_opcode_update) { ADD_STRING(target, ", ANSWER: "); - } - else { + } else { ADD_STRING(target, ", PREREQ: "); } sprintf(buf, "%1u", msg->counts[DNS_SECTION_ANSWER]); ADD_STRING(target, buf); if (msg->opcode != dns_opcode_update) { ADD_STRING(target, ", AUTHORITY: "); - } - else { + } else { ADD_STRING(target, ", UPDATE: "); } sprintf(buf, "%1u", msg->counts[DNS_SECTION_AUTHORITY]); diff --git a/lib/dns/rdata/generic/key_25.c b/lib/dns/rdata/generic/key_25.c index dab89632..8459d0fb 100644 --- a/lib/dns/rdata/generic/key_25.c +++ b/lib/dns/rdata/generic/key_25.c @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: key_25.c,v 1.26 2000/06/01 18:26:11 tale Exp $ */ +/* $Id: key_25.c,v 1.26.2.2 2000/08/07 19:25:27 gson Exp $ */ /* * Reviewed: Wed Mar 15 16:47:10 PST 2000 by halley. diff --git a/lib/dns/request.c b/lib/dns/request.c index 4a9c6192..f875f4cf 100644 --- a/lib/dns/request.c +++ b/lib/dns/request.c 
@@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: request.c,v 1.26 2000/06/22 21:54:44 tale Exp $ */ +/* $Id: request.c,v 1.26.2.2 2000/07/28 05:37:34 gson Exp $ */ #include <config.h> @@ -493,7 +493,8 @@ dns_request_create(dns_requestmgr_t *requestmgr, dns_message_t *message, request->event->ev_sender = task; request->event->request = request; request->event->result = ISC_R_FAILURE; - request->tsigkey = key; + if (key != NULL) + dns_tsigkey_attach(key, &request->tsigkey); use_tcp: if ((options & DNS_REQUESTOPT_TCP) != 0) { @@ -734,6 +735,8 @@ isc_result_t dns_request_getresponse(dns_request_t *request, dns_message_t *message, isc_boolean_t preserve_order) { + isc_result_t result; + REQUIRE(VALID_REQUEST(request)); REQUIRE(request->answer != NULL); @@ -742,7 +745,12 @@ dns_request_getresponse(dns_request_t *request, dns_message_t *message, dns_message_setquerytsig(message, request->tsig); dns_message_settsigkey(message, request->tsigkey); - return (dns_message_parse(message, request->answer, preserve_order)); + result = dns_message_parse(message, request->answer, preserve_order); + if (result != ISC_R_SUCCESS) + return (result); + if (request->tsigkey != NULL) + result = dns_tsig_verify(request->answer, message, NULL, NULL); + return (result); } isc_boolean_t @@ -927,6 +935,8 @@ req_destroy(dns_request_t *request) { isc_timer_detach(&request->timer); if (request->tsig != NULL) isc_buffer_free(&request->tsig); + if (request->tsigkey != NULL) + dns_tsigkey_detach(&request->tsigkey); requestmgr_detach(&request->requestmgr); mctx = request->mctx; isc_mem_put(mctx, request, sizeof(*request)); diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index b6cd8e36..8e10bf6b 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: resolver.c,v 1.137.2.3 2000/07/11 00:06:07 gson Exp $ */ +/* $Id: resolver.c,v 1.137.2.9 2000/07/28 22:45:52 gson Exp $ */ #include <config.h> 
@@ -170,7 +170,6 @@ struct fetchctx { dns_adbaddrinfolist_t forwaddrs; isc_sockaddrlist_t forwarders; isc_sockaddrlist_t bad; - dns_validator_t * validator; /* * # of events we're waiting for. */ @@ -672,7 +671,6 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, if (result != ISC_R_SUCCESS) return (result); - INSIST(fctx->validator == NULL); /* Validator needs rmessage. */ dns_message_reset(fctx->rmessage, DNS_MESSAGE_INTENTPARSE); query = isc_mem_get(res->mctx, sizeof *query); @@ -1687,7 +1685,6 @@ fctx_destroy(fetchctx_t *fctx) { REQUIRE(fctx->pending == 0); REQUIRE(fctx->validating == 0); REQUIRE(fctx->references == 0); - REQUIRE(fctx->validator == NULL); FCTXTRACE("destroy"); @@ -2040,7 +2037,6 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, ISC_LIST_INIT(fctx->forwaddrs); ISC_LIST_INIT(fctx->forwarders); ISC_LIST_INIT(fctx->bad); - fctx->validator = NULL; fctx->find = NULL; fctx->pending = 0; fctx->validating = 0; 
@@ -2255,63 +2251,94 @@ validated(isc_task_t *task, isc_event_t *event) { isc_result_t result = ISC_R_SUCCESS; isc_result_t eresult = ISC_R_SUCCESS; isc_stdtime_t now; - fetchctx_t *fctx; - dns_validatorevent_t *vevent; + fetchctx_t *fctx; + dns_validatorevent_t *vevent; dns_fetchevent_t *hevent; dns_rdataset_t *ardataset = NULL; dns_rdataset_t *asigrdataset = NULL; dns_dbnode_t *node = NULL; + isc_boolean_t negative; + isc_boolean_t sentresponse; - UNUSED(task); /* for now */ + UNUSED(task); /* for now */ - REQUIRE(event->ev_type == DNS_EVENT_VALIDATORDONE); - fctx = event->ev_arg; - REQUIRE(VALID_FCTX(fctx)); - REQUIRE(fctx->validating > 0); + REQUIRE(event->ev_type == DNS_EVENT_VALIDATORDONE); + fctx = event->ev_arg; + REQUIRE(VALID_FCTX(fctx)); + REQUIRE(fctx->validating > 0); - vevent = (dns_validatorevent_t *)event; - INSIST(vevent->validator == fctx->validator); + vevent = (dns_validatorevent_t *)event; - fctx->validating--; + FCTXTRACE("received validation completion event"); - INSIST(fctx->validating == 0); - /* * Destroy the validator early so that we can * destroy the fctx if necessary. */ - dns_validator_destroy(&fctx->validator); + dns_validator_destroy(&vevent->validator); + + fctx->validating--; - /* - * If shutting down, ignore the results. Check to see if we're - * done waiting for validator completions and ADB pending events; if - * so, destroy the fctx. + negative = ISC_TF(vevent->rdataset == NULL); + + sentresponse = ISC_TF((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0); + + /* + * If shutting down, ignore the results. Check to see if we're + * done waiting for validator completions and ADB pending events; if + * so, destroy the fctx. */ - if (SHUTTINGDOWN(fctx)) { + if (SHUTTINGDOWN(fctx) && !sentresponse ) { maybe_destroy(fctx); goto cleanup_event; } /* - * We're not shutting down. 
- */ - FCTXTRACE("received validation completion event"); + * Either we're not shutting down, or we are shutting down but want + * to cache the result anyway (if this was a validation started by + * a query with cd set) + */ hevent = ISC_LIST_HEAD(fctx->events); if (hevent != NULL) { - ardataset = hevent->rdataset; - asigrdataset = hevent->sigrdataset; + if (!negative && + (fctx->type == dns_rdatatype_any || + fctx->type == dns_rdatatype_sig)) { + /* + * Don't bind rdatasets; the caller + * will iterate the node. + */ + } else { + ardataset = hevent->rdataset; + asigrdataset = hevent->sigrdataset; + } } - if (vevent->result != ISC_R_SUCCESS) { + if (vevent->result != ISC_R_SUCCESS) { FCTXTRACE("validation failed"); + if (vevent->rdataset != NULL) { + result = dns_db_findnode(fctx->res->view->cachedb, + vevent->name, ISC_TRUE, + &node); + if (result != ISC_R_SUCCESS) + goto noanswer_response; + (void)dns_db_deleterdataset(fctx->res->view->cachedb, + node, NULL, + vevent->type, 0); + if (vevent->sigrdataset != NULL) + (void)dns_db_deleterdataset( + fctx->res->view->cachedb, + node, NULL, + dns_rdatatype_sig, + vevent->type); + } result = vevent->result; goto noanswer_response; } isc_stdtime_get(&now); - if (vevent->rdataset == NULL) { + if (negative) { dns_rdatatype_t covers; FCTXTRACE("nonexistence validation OK"); @@ -2365,7 +2392,30 @@ validated(isc_task_t *task, isc_event_t *event) { result != DNS_R_UNCHANGED) goto noanswer_response; } - + + if (sentresponse) { + /* + * If we only deferred the destroy because we wanted to cache + * the data, destroy now. + */ + if (SHUTTINGDOWN(fctx)) + maybe_destroy(fctx); + + goto cleanup_event; + } + + if (fctx->validating > 0) { + INSIST(!negative); + INSIST(fctx->type == dns_rdatatype_any || + fctx->type == dns_rdatatype_sig); + /* + * Don't send a response yet - we have + * more rdatasets that still need to + * be validated. + */ + goto cleanup_event; + } + result = ISC_R_SUCCESS; answer_response: 
@@ -2405,11 +2455,12 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) { dns_db_t **adbp; dns_name_t *aname; dns_resolver_t *res; - isc_boolean_t need_validation, have_answer; + isc_boolean_t need_validation, secure_domain, have_answer; isc_result_t result, eresult; dns_fetchevent_t *event; unsigned int options; isc_task_t *task; + dns_validator_t *validator; /* * The appropriate bucket lock must be held. @@ -2417,19 +2468,23 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) { res = fctx->res; need_validation = ISC_FALSE; + secure_domain = ISC_FALSE; have_answer = ISC_FALSE; eresult = ISC_R_SUCCESS; + task = res->buckets[fctx->bucketnum].task; /* * Is DNSSEC validation required for this name? */ result = dns_keytable_issecuredomain(res->view->secroots, name, - &need_validation); + &secure_domain); if (result != ISC_R_SUCCESS) return (result); - if (need_validation) { - - } + + if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0) + need_validation = ISC_FALSE; + else + need_validation = secure_domain; adbp = NULL; aname = NULL; @@ -2483,7 +2538,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) { * If this rrset is in a secure domain, do DNSSEC validation * for it, unless it is glue. */ - if (need_validation && rdataset->trust != dns_trust_glue) { + if (secure_domain && rdataset->trust != dns_trust_glue) { /* * SIGs are validated as part of validating the * type they cover. @@ -2501,7 +2556,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) { break; } if (sigrdataset == NULL) { - if (!ANSWER(rdataset)) { + if (!ANSWER(rdataset) && need_validation) { /* * Ignore non-answer rdatasets that * are missing signatures. 
@@ -2526,34 +2581,74 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) { rdataset->trust = dns_trust_pending; if (sigrdataset != NULL) sigrdataset->trust = dns_trust_pending; + if (!need_validation) + addedrdataset = ardataset; + else + addedrdataset = NULL; result = dns_db_addrdataset(res->view->cachedb, node, NULL, now, - rdataset, 0, NULL); + rdataset, 0, + addedrdataset); if (result == DNS_R_UNCHANGED) result = ISC_R_SUCCESS; if (result != ISC_R_SUCCESS) break; if (sigrdataset != NULL) { + if (!need_validation) + addedrdataset = asigrdataset; + else + addedrdataset = NULL; result = dns_db_addrdataset(res->view->cachedb, node, NULL, now, sigrdataset, 0, - NULL); + addedrdataset); if (result == DNS_R_UNCHANGED) result = ISC_R_SUCCESS; if (result != ISC_R_SUCCESS) break; - } - if (ANSWER(rdataset)) { - /* - * This is the answer. We will - * validate it, but first we cache - * the rest of the response - it may - * contain useful keys. - */ - INSIST(valrdataset == NULL && - valsigrdataset == NULL); - valrdataset = rdataset; - valsigrdataset = sigrdataset; + } else if (!ANSWER(rdataset)) + continue; + + if (ANSWER(rdataset) && need_validation) { + if (fctx->type != dns_rdatatype_any && + fctx->type != dns_rdatatype_sig) { + /* + * This is The Answer. We will + * validate it, but first we cache + * the rest of the response - it may + * contain useful keys. + */ + INSIST(valrdataset == NULL && + valsigrdataset == NULL); + valrdataset = rdataset; + valsigrdataset = sigrdataset; + } else { + /* + * This is one of (potentially) + * multiple answers to an ANY + * or SIG query. To keep things + * simple, we just start the + * validator right away rather + * than caching first and + * having to remember which + * rdatasets needed validation. 
+ */ + validator = NULL; + result = dns_validator_create( + res->view, + name, + rdataset->type, + rdataset, + sigrdataset, + fctx->rmessage, + 0, + task, + validated, + fctx, + &validator); + if (result == ISC_R_SUCCESS) + fctx->validating++; + } } } else if (!EXTERNAL(rdataset)) { /* @@ -2618,7 +2713,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) { } if (valrdataset != NULL) { - task = res->buckets[fctx->bucketnum].task; + validator = NULL; result = dns_validator_create(res->view, name, fctx->type, @@ -2629,11 +2724,10 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) { task, validated, fctx, - &fctx->validator); + &validator); if (result == ISC_R_SUCCESS) fctx->validating++; } - if (result == ISC_R_SUCCESS && have_answer) { fctx->attributes |= FCTX_ATTR_HAVEANSWER; @@ -2748,7 +2842,7 @@ ncache_message(fetchctx_t *fctx, dns_rdatatype_t covers, isc_stdtime_t now) { dns_db_t **adbp; dns_dbnode_t *node, **anodep; dns_rdataset_t *ardataset; - isc_boolean_t need_validation; + isc_boolean_t need_validation, secure_domain; dns_name_t *aname; dns_fetchevent_t *event; @@ -2758,6 +2852,7 @@ ncache_message(fetchctx_t *fctx, dns_rdatatype_t covers, isc_stdtime_t now) { res = fctx->res; need_validation = ISC_FALSE; + secure_domain = ISC_FALSE; eresult = ISC_R_SUCCESS; name = &fctx->name; 
@@ -2765,22 +2860,61 @@ ncache_message(fetchctx_t *fctx, dns_rdatatype_t covers, isc_stdtime_t now) { * Is DNSSEC validation required for this name? */ result = dns_keytable_issecuredomain(res->view->secroots, name, - &need_validation); + &secure_domain); if (result != ISC_R_SUCCESS) return (result); + + if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0) + need_validation = ISC_FALSE; + else + need_validation = secure_domain; + + if (secure_domain) { + /* + * Mark all rdatasets as pending. + */ + dns_rdataset_t *trdataset; + dns_name_t *tname; + + result = dns_message_firstname(fctx->rmessage, + DNS_SECTION_AUTHORITY); + while (result == ISC_R_SUCCESS) { + tname = NULL; + dns_message_currentname(fctx->rmessage, + DNS_SECTION_AUTHORITY, + &tname); + for (trdataset = ISC_LIST_HEAD(tname->list); + trdataset != NULL; + trdataset = ISC_LIST_NEXT(trdataset, link)) + trdataset->trust = dns_trust_pending; + result = dns_message_nextname(fctx->rmessage, + DNS_SECTION_AUTHORITY); + } + if (result != ISC_R_NOMORE) + return (result); + + } + if (need_validation) { /* * Do negative response validation. */ - isc_task_t *task = res->buckets[fctx->bucketnum].task; - result = dns_validator_create(res->view, name, fctx->type, + dns_validator_t *validator = NULL; + isc_task_t *task = res->buckets[fctx->bucketnum].task; + + result = dns_validator_create(res->view, name, fctx->type, NULL, NULL, - fctx->rmessage, 0, task, - validated, fctx, - &fctx->validator); - if (result != ISC_R_SUCCESS) - return (result); - fctx->validating++; + fctx->rmessage, 0, task, + validated, fctx, + &validator); + if (result != ISC_R_SUCCESS) + return (result); + fctx->validating++; + /* + * If validation is necessary, return now. Otherwise continue + * to process the message, letting the validation complete + * in its own good time. + */ return (ISC_R_SUCCESS); } 
@@ -3142,12 +3276,23 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname) { */ if (!negative_response && ns_name != NULL && oqname == NULL) { /* + * We already know ns_name is a subdomain of fctx->domain. * If ns_name is equal to fctx->domain, we're not making * progress. We return DNS_R_FORMERR so that we'll keep * keep trying other servers. */ if (dns_name_equal(ns_name, &fctx->domain)) return (DNS_R_FORMERR); + + /* + * If the referral name is not a parent of the query + * name, consider the responder insane. + */ + if (! dns_name_issubdomain(&fctx->name, ns_name)) { + FCTXTRACE("referral to non-parent"); + return (DNS_R_FORMERR); + } + /* * Mark any additional data related to this rdataset. * It's important that we do this before we change the @@ -3196,7 +3341,7 @@ answer_response(fetchctx_t *fctx) { dns_name_t *name, *qname, tname; dns_rdataset_t *rdataset; isc_boolean_t done, external, chaining, aa, found, want_chaining; - isc_boolean_t have_answer; + isc_boolean_t have_answer, found_cname, found_type; unsigned int aflag; dns_rdatatype_t type; dns_fixedname_t dname; @@ -3211,6 +3356,8 @@ answer_response(fetchctx_t *fctx) { */ done = ISC_FALSE; + found_cname = ISC_FALSE; + found_type = ISC_FALSE; chaining = ISC_FALSE; have_answer = ISC_FALSE; want_chaining = ISC_FALSE; 
@@ -3232,24 +3379,35 @@ answer_response(fetchctx_t *fctx) { found = ISC_FALSE; want_chaining = ISC_FALSE; aflag = 0; - if (rdataset->type == type || - type == dns_rdatatype_any) { + if (rdataset->type == type && !found_cname) { /* * We've found an ordinary answer. */ found = ISC_TRUE; + found_type = ISC_TRUE; done = ISC_TRUE; aflag = DNS_RDATASETATTR_ANSWER; + } else if (type == dns_rdatatype_any) { + /* + * We've found an answer matching + * an ANY query. There may be + * more. + */ + found = ISC_TRUE; + aflag = DNS_RDATASETATTR_ANSWER; } else if (rdataset->type == dns_rdatatype_sig - && rdataset->covers == type) { + && rdataset->covers == type + && !found_cname) { /* * We've found a signature that * covers the type we're looking for. */ found = ISC_TRUE; + found_type = ISC_TRUE; aflag = DNS_RDATASETATTR_ANSWERSIG; } else if (rdataset->type == - dns_rdatatype_cname) { + dns_rdatatype_cname + && !found_type) { /* * We're looking for something else, * but we found a CNAME. @@ -3262,6 +3420,7 @@ answer_response(fetchctx_t *fctx) { type == dns_rdatatype_nxt) return (DNS_R_FORMERR); found = ISC_TRUE; + found_cname = ISC_TRUE; want_chaining = ISC_TRUE; aflag = DNS_RDATASETATTR_ANSWER; result = cname_target(rdataset, @@ -3270,12 +3429,14 @@ answer_response(fetchctx_t *fctx) { return (result); } else if (rdataset->type == dns_rdatatype_sig && rdataset->covers == - dns_rdatatype_cname) { + dns_rdatatype_cname + && !found_type) { /* * We're looking for something else, * but we found a SIG CNAME. */ found = ISC_TRUE; + found_cname = ISC_TRUE; aflag = DNS_RDATASETATTR_ANSWERSIG; } @@ -3433,7 +3594,9 @@ answer_response(fetchctx_t *fctx) { } result = dns_message_nextname(message, DNS_SECTION_ANSWER); } - if (result != ISC_R_NOMORE) + if (result == ISC_R_NOMORE) + result = ISC_R_SUCCESS; + if (result != ISC_R_SUCCESS) return (result); /* 
@@ -3520,10 +3683,10 @@ answer_response(fetchctx_t *fctx) { } result = dns_message_nextname(message, DNS_SECTION_AUTHORITY); } - if (result != ISC_R_NOMORE) - return (result); + if (result == ISC_R_NOMORE) + result = ISC_R_SUCCESS; - return (ISC_R_SUCCESS); + return (result); } static void diff --git a/lib/dns/result.c b/lib/dns/result.c index 1160b6b2..9699762d 100644 --- a/lib/dns/result.c +++ b/lib/dns/result.c @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: result.c,v 1.63.2.1 2000/07/05 20:49:04 gson Exp $ */ +/* $Id: result.c,v 1.63.2.2 2000/07/28 19:41:16 gson Exp $ */ #include <config.h> @@ -65,7 +65,7 @@ static const char *text[DNS_R_NRESULTS] = { "more data", /* 36 */ "up to date", /* 37 */ "tsig verify failure", /* 38 */ - "tsig error set in query", /* 39 */ + "tsig indicates error", /* 39 */ "SIG failed to verify", /* 40 */ "SIG has expired", /* 41 */ "SIG validity period has not begun", /* 42 */ diff --git a/lib/dns/sec/dnssafe/LICENSE_RSA b/lib/dns/sec/dnssafe/LICENSE_RSA new file mode 100644 index 00000000..e448039b --- /dev/null +++ b/lib/dns/sec/dnssafe/LICENSE_RSA 
@@ -0,0 +1,43 @@ + DNSSAFE LICENSE TERMS + +This BIND software includes the DNSsafe software from RSA Data +Security, Inc., which is copyrighted software that can only be +distributed under the terms of this license agreement. + +The DNSsafe software cannot be used or distributed separately from the +BIND software. You only have the right to use it or distribute it as +a bundled, integrated product. + +The DNSsafe software can ONLY be used to provide authentication for +resource records in the Domain Name System, as specified in RFC 2065 +and successors. You cannot modify the BIND software to use the +DNSsafe software for other purposes, or to make its cryptographic +functions available to end-users for other uses. + +If you modify the DNSsafe software itself, you cannot modify its +documented API, and you must grant RSA Data Security the right to use, +modify, and distribute your modifications, including the right to use +any patents or other intellectual property that your modifications +depend upon. + +You must not remove, alter, or destroy any of RSA's copyright notices +or license information. When distributing the software to the Federal +Government, it must be licensed to them as "commercial computer +software" protected under 48 CFR 12.212 of the FAR, or 48 CFR +227.7202.1 of the DFARS. + +You must not violate United States export control laws by distributing +the DNSsafe software or information about it, when such distribution +is prohibited by law. + +THE DNSSAFE SOFTWARE IS PROVIDED "AS IS" WITHOUT ANY WARRANTY +WHATSOEVER. RSA HAS NO OBLIGATION TO SUPPORT, CORRECT, UPDATE OR +MAINTAIN THE RSA SOFTWARE. RSA DISCLAIMS ALL WARRANTIES, EXPRESS, +IMPLIED OR STATUTORY, AS TO ANY MATTER WHATSOEVER, INCLUDING ALL +IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR +PURPOSE AND NON-INFRINGEMENT OF THIRD PARTY RIGHTS. 
+ +If you desire to use DNSsafe in ways that these terms do not permit, +please contact RSA Data Security, Inc., 100 Marine Parkway, Redwood +City, California 94065, USA, to discuss alternate licensing +arrangements. diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c index 53793d9d..1ef9808e 100644 --- a/lib/dns/tsig.c +++ b/lib/dns/tsig.c @@ -16,7 +16,7 @@ */ /* - * $Id: tsig.c,v 1.72 2000/06/23 00:48:28 bwelling Exp $ + * $Id: tsig.c,v 1.72.2.8 2000/08/01 15:06:22 gson Exp $ * Principal Author: Brian Wellington */ @@ -30,7 +30,9 @@ #include <isc/util.h> #include <dns/keyvalues.h> +#include <dns/log.h> #include <dns/message.h> +#include <dns/rbt.h> #include <dns/rdata.h> #include <dns/rdatalist.h> #include <dns/rdataset.h> @@ -47,11 +49,23 @@ static isc_once_t once = ISC_ONCE_INIT; static dns_name_t hmacmd5_name; -dns_name_t *dns_tsig_hmacmd5_name = NULL; +dns_name_t *dns_tsig_hmacmd5_name = &hmacmd5_name; static isc_result_t tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg); +static void +dns_tsig_inithmac(void) { + isc_constregion_t r; + const char *str = "\010HMAC-MD5\007SIG-ALG\003REG\003INT"; + + dns_name_init(&hmacmd5_name, NULL); + r.base = str; + r.length = strlen(str) + 1; + dns_name_fromregion(&hmacmd5_name, (isc_region_t *)&r); + dns_tsig_hmacmd5_name = &hmacmd5_name; +} + isc_result_t dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm, unsigned char *secret, int length, isc_boolean_t generated, @@ -72,8 +86,13 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm, REQUIRE(secret != NULL); REQUIRE(mctx != NULL); - if (!dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) - return (ISC_R_NOTFOUND); + RUNTIME_CHECK(isc_once_do(&once, dns_tsig_inithmac) == ISC_R_SUCCESS); + if (!dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) { + if (length != 0) + return (ISC_R_NOTIMPLEMENTED); + else + alg = 0; + } else alg = DST_ALG_HMACMD5; 
@@ -100,7 +119,7 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm, goto cleanup_algorithm; } dns_name_init(tkey->creator, NULL); - ret = dns_name_dup(algorithm, mctx, tkey->creator); + ret = dns_name_dup(creator, mctx, tkey->creator); if (ret != ISC_R_SUCCESS) { isc_mem_put(mctx, tkey->creator, sizeof(dns_name_t)); goto cleanup_algorithm; @@ -110,10 +129,10 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm, tkey->creator = NULL; tkey->key = NULL; - tkey->ring = NULL; - if (length > 0) { - dns_tsigkey_t *tmp; + tkey->ring = ring; + tkey->refs = 0; + if (length > 0) { isc_buffer_init(&b, secret, length); isc_buffer_add(&b, length); ret = dst_key_frombuffer(name, alg, @@ -123,32 +142,23 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm, if (ret != ISC_R_SUCCESS) goto cleanup_algorithm; - ISC_LINK_INIT(tkey, link); - isc_rwlock_lock(&ring->lock, isc_rwlocktype_write); - tmp = ISC_LIST_HEAD(ring->keys); - while (tmp != NULL) { - if (dns_name_equal(&tkey->name, &tmp->name) && - !tmp->deleted) - { - ret = ISC_R_EXISTS; - isc_rwlock_unlock(&ring->lock, - isc_rwlocktype_write); + if (ring != NULL) { + RWLOCK(&ring->lock, isc_rwlocktype_write); + ret = dns_rbt_addname(ring->keys, name, tkey); + if (ret != ISC_R_SUCCESS) { + RWUNLOCK(&ring->lock, isc_rwlocktype_write); goto cleanup_algorithm; } - tmp = ISC_LIST_NEXT(tmp, link); + tkey->refs++; + RWUNLOCK(&ring->lock, isc_rwlocktype_write); } - ISC_LIST_APPEND(ring->keys, tkey, link); - isc_rwlock_unlock(&ring->lock, isc_rwlocktype_write); - tkey->ring = ring; } - tkey->refs = 0; if (key != NULL) tkey->refs++; tkey->generated = generated; tkey->inception = inception; tkey->expire = expire; - tkey->deleted = ISC_FALSE; tkey->mctx = mctx; ret = isc_mutex_init(&tkey->lock); if (ret != ISC_R_SUCCESS) { 
@@ -170,7 +180,7 @@ cleanup_algorithm: cleanup_name: dns_name_free(&tkey->name, mctx); cleanup_key: - isc_mem_put(mctx, *key, sizeof(dns_tsigkey_t)); + isc_mem_put(mctx, tkey, sizeof(dns_tsigkey_t)); return (ret); } @@ -180,25 +190,17 @@ dns_tsigkey_attach(dns_tsigkey_t *source, dns_tsigkey_t **targetp) { REQUIRE(VALID_TSIG_KEY(source)); REQUIRE(targetp != NULL && *targetp == NULL); - isc_mutex_lock(&source->lock); + LOCK(&source->lock); source->refs++; - isc_mutex_unlock(&source->lock); + UNLOCK(&source->lock); *targetp = source; } static void tsigkey_free(dns_tsigkey_t *key) { - dns_tsig_keyring_t *ring; - REQUIRE(VALID_TSIG_KEY(key)); - ring = key->ring; key->magic = 0; - if (key->key != NULL) { - isc_rwlock_lock(&ring->lock, isc_rwlocktype_write); - ISC_LIST_UNLINK(ring->keys, key, link); - isc_rwlock_unlock(&ring->lock, isc_rwlocktype_write); - } dns_name_free(&key->name, key->mctx); dns_name_free(&key->algorithm, key->mctx); if (key->key != NULL) 
@@ -211,30 +213,32 @@ tsigkey_free(dns_tsigkey_t *key) { } void -dns_tsigkey_detach(dns_tsigkey_t **key) { - dns_tsigkey_t *tkey; - - REQUIRE(key != NULL); - REQUIRE(VALID_TSIG_KEY(*key)); - tkey = *key; - *key = NULL; - - isc_mutex_lock(&tkey->lock); - tkey->refs--; - if (tkey->refs > 0 || (!tkey->deleted && tkey->key != NULL)) { - isc_mutex_unlock(&tkey->lock); - return; - } - isc_mutex_unlock(&tkey->lock); - tsigkey_free(tkey); +dns_tsigkey_detach(dns_tsigkey_t **keyp) { + dns_tsigkey_t *key; + isc_boolean_t should_free = ISC_FALSE; + + REQUIRE(keyp != NULL); + REQUIRE(VALID_TSIG_KEY(*keyp)); + key = *keyp; + *keyp = NULL; + + LOCK(&key->lock); + key->refs--; + if (key->refs == 0) + should_free = ISC_TRUE; + UNLOCK(&key->lock); + if (should_free) + tsigkey_free(key); } void dns_tsigkey_setdeleted(dns_tsigkey_t *key) { - INSIST(VALID_TSIG_KEY(key)); - isc_mutex_lock(&key->lock); - key->deleted = ISC_TRUE; - isc_mutex_unlock(&key->lock); + REQUIRE(VALID_TSIG_KEY(key)); + REQUIRE(key->ring != NULL); + + RWLOCK(&key->ring->lock, isc_rwlocktype_write); + (void)dns_rbt_deletename(key->ring->keys, &key->name, ISC_FALSE); + RWUNLOCK(&key->ring->lock, isc_rwlocktype_write); } isc_result_t @@ -537,7 +541,7 @@ cleanup_other: isc_result_t dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, - dns_tsig_keyring_t *sring, dns_tsig_keyring_t *dring) + dns_tsig_keyring_t *ring1, dns_tsig_keyring_t *ring2) { dns_rdata_any_tsig_t tsig, querytsig; isc_region_t r, source_r, header_r, sig_r; 
@@ -624,20 +628,18 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, */ if (tsigkey == NULL) { ret = ISC_R_NOTFOUND; - if (sring != NULL) + if (ring1 != NULL) ret = dns_tsigkey_find(&tsigkey, keyname, - &tsig.algorithm, sring); - if (ret == ISC_R_NOTFOUND && dring != NULL) + &tsig.algorithm, ring1); + if (ret == ISC_R_NOTFOUND && ring2 != NULL) ret = dns_tsigkey_find(&tsigkey, keyname, - &tsig.algorithm, dring); + &tsig.algorithm, ring2); if (ret != ISC_R_SUCCESS) { - if (dring == NULL) - return (DNS_R_TSIGVERIFYFAILURE); msg->tsigstatus = dns_tsigerror_badkey; ret = dns_tsigkey_create(keyname, &tsig.algorithm, NULL, 0, ISC_FALSE, NULL, now, now, - mctx, dring, &msg->tsigkey); + mctx, NULL, &msg->tsigkey); if (ret != ISC_R_SUCCESS) return (ret); return (DNS_R_TSIGVERIFYFAILURE); @@ -783,14 +785,8 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, msg->tsigstatus = dns_rcode_noerror; - if (tsig.error != dns_rcode_noerror) { - if (is_response(msg)) { - /* XXXBEW Log a message */ - return (ISC_R_SUCCESS); - } - else - return (DNS_R_TSIGERRORSET); - } + if (tsig.error != dns_rcode_noerror) + return (DNS_R_TSIGERRORSET); msg->verified_sig = 1; @@ -1014,6 +1010,7 @@ dns_tsigkey_find(dns_tsigkey_t **tsigkey, dns_name_t *name, { dns_tsigkey_t *key; isc_stdtime_t now; + isc_result_t result; REQUIRE(tsigkey != NULL); REQUIRE(*tsigkey == NULL); 
@@ -1021,93 +1018,97 @@ dns_tsigkey_find(dns_tsigkey_t **tsigkey, dns_name_t *name, REQUIRE(ring != NULL); isc_stdtime_get(&now); - isc_rwlock_lock(&ring->lock, isc_rwlocktype_read); - key = ISC_LIST_HEAD(ring->keys); - while (key != NULL) { - if (dns_name_equal(&key->name, name) && - (algorithm == NULL || - dns_name_equal(&key->algorithm, algorithm)) && - !key->deleted) - { - if (key->inception != key->expire && - key->expire < now) - { - /* - * The key has expired. - */ - key->deleted = ISC_TRUE; - continue; - } - isc_mutex_lock(&key->lock); - key->refs++; - isc_mutex_unlock(&key->lock); - *tsigkey = key; - isc_rwlock_unlock(&ring->lock, isc_rwlocktype_read); - return (ISC_R_SUCCESS); - } - key = ISC_LIST_NEXT(key, link); + RWLOCK(&ring->lock, isc_rwlocktype_read); + key = NULL; + result = dns_rbt_findname(ring->keys, name, 0, NULL, (void *)&key); + if (result == DNS_R_PARTIALMATCH || result == ISC_R_NOTFOUND) { + RWUNLOCK(&ring->lock, isc_rwlocktype_read); + return (ISC_R_NOTFOUND); + } + if (algorithm != NULL && !dns_name_equal(&key->algorithm, algorithm)) { + RWUNLOCK(&ring->lock, isc_rwlocktype_read); + return (ISC_R_NOTFOUND); + } + if (key->inception != key->expire && key->expire < now) { + /* + * The key has expired. 
+ */ + RWUNLOCK(&ring->lock, isc_rwlocktype_read); + LOCK(&key->lock); + key->refs--; + UNLOCK(&key->lock); + RWLOCK(&ring->lock, isc_rwlocktype_write); + (void) dns_rbt_deletename(ring->keys, name, ISC_FALSE); + RWUNLOCK(&ring->lock, isc_rwlocktype_write); + return (ISC_R_NOTFOUND); } - isc_rwlock_unlock(&ring->lock, isc_rwlocktype_read); - *tsigkey = NULL; - return (ISC_R_NOTFOUND); + + LOCK(&key->lock); + key->refs++; + UNLOCK(&key->lock); + RWUNLOCK(&ring->lock, isc_rwlocktype_read); + *tsigkey = key; + return (ISC_R_SUCCESS); } static void -dns_tsig_inithmac(void) { - isc_constregion_t r; - const char *str = "\010HMAC-MD5\007SIG-ALG\003REG\003INT"; +free_tsignode(void *node, void *_unused) { + dns_tsigkey_t *key; - dns_name_init(&hmacmd5_name, NULL); - r.base = str; - r.length = strlen(str) + 1; - dns_name_fromregion(&hmacmd5_name, (isc_region_t *)&r); - dns_tsig_hmacmd5_name = &hmacmd5_name; + UNUSED(_unused); + + REQUIRE(node != NULL); + + key = node; + dns_tsigkey_detach(&key); } isc_result_t -dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ring) { - isc_result_t ret; +dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ringp) { + isc_result_t result; + dns_tsig_keyring_t *ring; REQUIRE(mctx != NULL); - REQUIRE(ring != NULL); - REQUIRE(*ring == NULL); + REQUIRE(ringp != NULL); + REQUIRE(*ringp == NULL); - RUNTIME_CHECK(isc_once_do(&once, dns_tsig_inithmac) == ISC_R_SUCCESS); - *ring = isc_mem_get(mctx, sizeof(dns_tsig_keyring_t)); + ring = isc_mem_get(mctx, sizeof(dns_tsig_keyring_t)); if (ring == NULL) return (ISC_R_NOMEMORY); - ret = isc_rwlock_init(&(*ring)->lock, 0, 0); - if (ret != ISC_R_SUCCESS) { + result = isc_rwlock_init(&ring->lock, 0, 0); + if (result != ISC_R_SUCCESS) { UNEXPECTED_ERROR(__FILE__, __LINE__, "isc_rwlock_init() failed: %s", - isc_result_totext(ret)); + isc_result_totext(result)); return (ISC_R_UNEXPECTED); } - ISC_LIST_INIT((*ring)->keys); + ring->keys = NULL; + result = dns_rbt_create(mctx, free_tsignode, 
NULL, &ring->keys); + if (result != ISC_R_SUCCESS) { + isc_rwlock_destroy(&ring->lock); + isc_mem_put(mctx, ring, sizeof(dns_tsig_keyring_t)); + return (result); + } - (*ring)->mctx = mctx; + ring->mctx = mctx; + *ringp = ring; return (ISC_R_SUCCESS); } void -dns_tsigkeyring_destroy(dns_tsig_keyring_t **ring) { - isc_mem_t *mctx; +dns_tsigkeyring_destroy(dns_tsig_keyring_t **ringp) { + dns_tsig_keyring_t *ring; - REQUIRE(ring != NULL); - REQUIRE(*ring != NULL); + REQUIRE(ringp != NULL); + REQUIRE(*ringp != NULL); - while (!ISC_LIST_EMPTY((*ring)->keys)) { - dns_tsigkey_t *key = ISC_LIST_HEAD((*ring)->keys); - key->refs = 0; - key->deleted = ISC_TRUE; - tsigkey_free(key); - } - isc_rwlock_destroy(&(*ring)->lock); - mctx = (*ring)->mctx; - isc_mem_put(mctx, *ring, sizeof(dns_tsig_keyring_t)); + ring = *ringp; + *ringp = NULL; - *ring = NULL; + dns_rbt_destroy(&ring->keys); + isc_rwlock_destroy(&ring->lock); + isc_mem_put(ring->mctx, ring, sizeof(dns_tsig_keyring_t)); } diff --git a/lib/dns/tsigconf.c b/lib/dns/tsigconf.c index 3b0763b9..eb80a50f 100644 --- a/lib/dns/tsigconf.c +++ b/lib/dns/tsigconf.c @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: tsigconf.c,v 1.7 2000/06/22 21:54:51 tale Exp $ */ +/* $Id: tsigconf.c,v 1.7.2.1 2000/07/28 00:05:41 gson Exp $ */ #include <config.h> @@ -43,13 +43,12 @@ add_initial_keys(dns_c_kdeflist_t *list, dns_tsig_keyring_t *ring, key = ISC_LIST_HEAD(list->keydefs); while (key != NULL) { dns_name_t keyname; - dns_name_t alg; + dns_name_t *alg, tempalg; char keynamedata[1024], algdata[1024]; isc_buffer_t keynamesrc, keynamebuf, algsrc, algbuf; isc_buffer_t secretsrc, secretbuf; dns_name_init(&keyname, NULL); - dns_name_init(&alg, NULL); /* * Create the key name. 
@@ -66,16 +65,19 @@ add_initial_keys(dns_c_kdeflist_t *list, dns_tsig_keyring_t *ring, * Create the algorithm. */ if (strcasecmp(key->algorithm, "hmac-md5") == 0) - alg = *dns_tsig_hmacmd5_name; + alg = dns_tsig_hmacmd5_name; else { + dns_name_init(&tempalg, NULL); isc_buffer_init(&algsrc, key->algorithm, strlen(key->algorithm)); isc_buffer_add(&algsrc, strlen(key->algorithm)); isc_buffer_init(&algbuf, algdata, sizeof(algdata)); - ret = dns_name_fromtext(&alg, &algsrc, dns_rootname, + ret = dns_name_fromtext(&tempalg, &algsrc, + dns_rootname, ISC_TRUE, &algbuf); if (ret != ISC_R_SUCCESS) goto failure; + alg = &tempalg; } if (strlen(key->secret) % 4 != 0) { @@ -105,7 +107,7 @@ add_initial_keys(dns_c_kdeflist_t *list, dns_tsig_keyring_t *ring, isc_lex_destroy(&lex); isc_stdtime_get(&now); - ret = dns_tsigkey_create(&keyname, &alg, secret, secretlen, + ret = dns_tsigkey_create(&keyname, alg, secret, secretlen, ISC_FALSE, NULL, now, now, mctx, ring, NULL); isc_mem_put(mctx, secret, secretalloc); diff --git a/lib/dns/validator.c b/lib/dns/validator.c index dc2d8120..b7274b4c 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c 
@@ -5,17 +5,17 @@ * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS - * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE - * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL - * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR - * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS - * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS - * SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM + * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL + * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING + * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, + * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION + * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.c,v 1.63.2.1 2000/07/11 00:43:01 gson Exp $ */ +/* $Id: validator.c,v 1.63.2.3 2000/07/27 22:50:02 gson Exp $ */ #include <config.h> @@ -72,6 +72,7 @@ struct dns_validator { #define VALATTR_SHUTDOWN 0x01 #define VALATTR_FOUNDNONEXISTENCE 0x02 +#define VALATTR_TRIEDVERIFY 0x04 #define SHUTDOWN(v) (((v)->attributes & VALATTR_SHUTDOWN) != 0) static void 
@@ -117,6 +118,28 @@ validator_done(dns_validator_t *val, isc_result_t result) { } static void +auth_nonpending(dns_message_t *message) { + isc_result_t result; + dns_name_t *name; + dns_rdataset_t *rdataset; + + for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY); + result == ISC_R_SUCCESS; + result = dns_message_nextname(message, DNS_SECTION_AUTHORITY)) + { + name = NULL; + dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name); + for (rdataset = ISC_LIST_HEAD(name->list); + rdataset != NULL; + rdataset = ISC_LIST_NEXT(rdataset, link)) + { + if (rdataset->trust == dns_trust_pending) + rdataset->trust = dns_trust_authauthority; + } + } +} + +static void fetch_callback_validator(isc_task_t *task, isc_event_t *event) { dns_fetchevent_t *devent; dns_validator_t *val; @@ -418,7 +441,9 @@ authvalidated(isc_task_t *task, isc_event_t *event) { validator_log(val, ISC_LOG_DEBUG(3), "authvalidated: got %s", dns_result_totext(eresult)); - validator_done(val, eresult); + result = nxtvalidate(val, ISC_TRUE); + if (result != DNS_R_WAIT) + validator_done(val, result); } else { if (rdataset->type == dns_rdatatype_nxt && nxtprovesnonexistence(val, devent->name, rdataset, @@ -458,6 +483,7 @@ negauthvalidated(isc_task_t *task, isc_event_t *event) { val->attributes |= VALATTR_FOUNDNONEXISTENCE; validator_log(val, ISC_LOG_DEBUG(3), "nonexistence proof found"); + auth_nonpending(val->event->message); validator_done(val, ISC_R_SUCCESS); } else { validator_log(val, ISC_LOG_DEBUG(3), @@ -922,6 +948,7 @@ validate(dns_validator_t *val, isc_boolean_t resume) { } do { + val->attributes |= VALATTR_TRIEDVERIFY; result = dns_dnssec_verify(event->name, event->rdataset, val->key, ISC_FALSE, 
@@ -1026,14 +1053,8 @@ nxtvalidate(dns_validator_t *val, isc_boolean_t resume) { val->currentset = NULL; resume = ISC_FALSE; } - else { - for (rdataset = ISC_LIST_HEAD(name->list); - rdataset != NULL; - rdataset = ISC_LIST_NEXT(rdataset, link)) - rdataset->trust = dns_trust_pending; - + else rdataset = ISC_LIST_HEAD(name->list); - } for (; rdataset != NULL; @@ -1269,6 +1290,8 @@ validator_start(isc_task_t *task, isc_event_t *event) { LOCK(&val->lock); if (val->event->rdataset != NULL && val->event->sigrdataset != NULL) { + isc_result_t saved_result; + /* * This looks like a simple validation. We say "looks like" * because we don't know if wildcards are involved yet so it @@ -1278,6 +1301,16 @@ validator_start(isc_task_t *task, isc_event_t *event) { "attempting positive response validation"); result = validate(val, ISC_FALSE); + if (result == DNS_R_NOVALIDSIG && + (val->attributes & VALATTR_TRIEDVERIFY) == 0) + { + saved_result = result; + validator_log(val, ISC_LOG_DEBUG(3), + "falling back to insecurity proof"); + result = proveunsecure(val, ISC_FALSE); + if (result == DNS_R_NOTINSECURE) + result = saved_result; + } } else if (val->event->rdataset != NULL) { /* * This is either an unsecure subdomain or a response from @@ -1511,6 +1544,7 @@ static void validator_log(dns_validator_t *val, int level, const char *fmt, ...) { va_list ap; + va_start(ap, fmt); validator_logv(val, DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_VALIDATOR, level, fmt, ap); diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c index 16400b02..10c2516d 100644 --- a/lib/dns/xfrin.c +++ b/lib/dns/xfrin.c @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: xfrin.c,v 1.79.2.2 2000/07/05 20:50:33 bwelling Exp $ */ +/* $Id: xfrin.c,v 1.79.2.4 2000/07/27 22:56:38 gson Exp $ */ #include <config.h> 
@@ -653,7 +653,9 @@ xfrin_create(isc_mem_t *mctx, xfr->nmsg = 0; - xfr->tsigkey = tsigkey; + xfr->tsigkey = NULL; + if (tsigkey != NULL) + dns_tsigkey_attach(tsigkey, &xfr->tsigkey); xfr->lasttsig = NULL; xfr->tsigctx = NULL; xfr->sincetsig = 0; @@ -865,6 +867,12 @@ xfrin_send_request(dns_xfrin_ctx_t *xfr) { CHECK(render(msg, &xfr->qbuffer)); /* + * Free the last tsig, if there is one. + */ + if (xfr->lasttsig != NULL) + isc_buffer_free(&xfr->lasttsig); + + /* * Save the query TSIG and don't let message_destroy free it. */ CHECK(dns_message_getquerytsig(msg, xfr->mctx, &xfr->lasttsig)); @@ -1154,6 +1162,9 @@ maybe_free(dns_xfrin_ctx_t *xfr) { if (xfr->task != NULL) isc_task_detach(&xfr->task); + if (xfr->tsigkey != NULL) + dns_tsigkey_detach(&xfr->tsigkey); + if (xfr->lasttsig != NULL) isc_buffer_free(&xfr->lasttsig); diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 90db03b6..c7908298 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: zone.c,v 1.152.2.2 2000/07/10 22:43:38 gson Exp $ */ +/* $Id: zone.c,v 1.152.2.5 2000/08/06 22:07:25 gson Exp $ */ #include <config.h> @@ -698,9 +698,14 @@ dns_zone_load(dns_zone_t *zone) { result = dns_journal_rollforward(zone->mctx, db, zone->journal); if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND && - result != DNS_R_UPTODATE && result != DNS_R_NOJOURNAL) + result != DNS_R_UPTODATE && result != DNS_R_NOJOURNAL && + result != ISC_R_RANGE) { + zone_log(zone, me, ISC_LOG_ERROR, + "dns_journal_rollforward returned: %s", + dns_result_totext(result)); goto cleanup; - if (result == ISC_R_NOTFOUND) { + } + if (result == ISC_R_NOTFOUND || result == ISC_R_RANGE) { zone_log(zone, me, ISC_LOG_ERROR, "journal out of sync with zone"); goto cleanup; 
@@ -735,17 +740,15 @@ dns_zone_load(dns_zone_t *zone) { case dns_zone_master: case dns_zone_slave: case dns_zone_stub: - if (soacount != 1 || nscount == 0) { - if (soacount != 1) - zone_log(zone, me, ISC_LOG_ERROR, - "has %d SOA record%s", soacount, - (soacount != 0) ? "s" : ""); - if (nscount == 0) - zone_log(zone, me, ISC_LOG_ERROR, - "no NS records"); + if (soacount != 1) { + zone_log(zone, me, ISC_LOG_ERROR, + "has %d SOA record%s", soacount, + (soacount != 0) ? "s" : ""); result = DNS_R_BADZONE; goto cleanup; } + if (nscount == 0) + zone_log(zone, me, ISC_LOG_ERROR, "no NS records"); if (zone->db != NULL) { if (!isc_serial_ge(serial, zone->serial)) { zone_log(zone, me, ISC_LOG_ERROR, @@ -836,7 +839,12 @@ zone_count_ns_rr(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, dns_rdataset_init(&rdataset); result = dns_db_findrdataset(db, node, version, dns_rdatatype_ns, dns_rdatatype_none, 0, &rdataset, NULL); - if (result != ISC_R_SUCCESS) + if (result == ISC_R_NOTFOUND) { + *nscount = 0; + result = ISC_R_SUCCESS; + goto invalidate_rdataset; + } + else if (result != ISC_R_SUCCESS) goto invalidate_rdataset; count = 0; @@ -1791,6 +1799,8 @@ notify_send_toaddr(isc_task_t *task, isc_event_t *event) { notify->zone->task, notify_done, notify, ¬ify->request); + if (key != NULL) + dns_tsigkey_detach(&key); dns_message_destroy(&message); cleanup: if (result != ISC_R_SUCCESS) @@ -2650,6 +2660,8 @@ soa_query(isc_task_t *task, isc_event_t *event) { dns_result_totext(result)); goto cleanup; } + if (key != NULL) + dns_tsigkey_detach(&key); dns_message_destroy(&message); isc_event_free(&event); dns_zone_idetach(&zone); @@ -3952,6 +3964,9 @@ got_transfer_quota(isc_task_t *task, isc_event_t *event) { */ if (result != ISC_R_SUCCESS) zone_xfrdone(zone, result); + + if (tsigkey != NULL) + dns_tsigkey_detach(&tsigkey); isc_event_free(&event); diff --git a/lib/dns/zoneconf.c b/lib/dns/zoneconf.c index ab070238..b3bbcc58 100644 --- a/lib/dns/zoneconf.c +++ b/lib/dns/zoneconf.c 
@@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: zoneconf.c,v 1.43 2000/06/22 21:54:57 tale Exp $ */ +/* $Id: zoneconf.c,v 1.43.2.1 2000/07/25 22:47:35 gson Exp $ */ #include <config.h> @@ -189,10 +189,14 @@ dns_zone_configure(dns_c_ctx_t *cctx, dns_c_view_t *cview, result = dns_c_view_getalsonotify(cview, &iplist); if (result != ISC_R_SUCCESS) result = dns_c_ctx_getalsonotify(cctx, &iplist); - if (result == ISC_R_SUCCESS) - RETERR(dns_zone_setalsonotify(zone, iplist->ips, - iplist->nextidx)); - else + if (result == ISC_R_SUCCESS) { + result = dns_zone_setalsonotify(zone, iplist->ips, + iplist->nextidx); + dns_c_iplist_detach(&iplist); + if (result != ISC_R_SUCCESS) + return (result); + + } else RETERR(dns_zone_setalsonotify(zone, NULL, 0)); RETERR(configure_zone_acl(czone, cctx, cview, ac, zone, diff --git a/lib/isc/unix/include/isc/keyboard.h b/lib/isc/unix/include/isc/keyboard.h index fee72129..2c7eaac6 100644 --- a/lib/isc/unix/include/isc/keyboard.h +++ b/lib/isc/unix/include/isc/keyboard.h @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: keyboard.h,v 1.2 2000/06/22 00:25:33 explorer Exp $ */ +/* $Id: keyboard.h,v 1.2.2.1 2000/08/07 16:39:59 gson Exp $ */ #ifndef ISC_KEYBOARD_H #define ISC_KEYBOARD_H 1 @@ -30,6 +30,7 @@ ISC_LANG_BEGINDECLS typedef struct { int fd; struct termios saved_mode; + isc_result_t result; } isc_keyboard_t; isc_result_t @@ -41,6 +42,9 @@ isc_keyboard_close(isc_keyboard_t *keyboard, unsigned int sleepseconds); isc_result_t isc_keyboard_getchar(isc_keyboard_t *keyboard, unsigned char *cp); +isc_boolean_t +isc_keyboard_canceled(isc_keyboard_t *keyboard); + ISC_LANG_ENDDECLS #endif /* ISC_KEYBOARD_H */ diff --git a/lib/isc/unix/keyboard.c b/lib/isc/unix/keyboard.c index 223c510f..97a07631 100644 --- a/lib/isc/unix/keyboard.c +++ b/lib/isc/unix/keyboard.c @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: keyboard.c,v 1.4 2000/06/22 21:58:42 tale Exp $ */ +/* $Id: keyboard.c,v 1.4.2.1 2000/08/03 19:54:42 gson Exp $ */ #include <config.h> 
@@ -69,6 +69,8 @@ isc_keyboard_open(isc_keyboard_t *keyboard) { goto errout; } + keyboard->result = ISC_R_SUCCESS; + return (ISC_R_SUCCESS); errout: @@ -81,7 +83,7 @@ isc_result_t isc_keyboard_close(isc_keyboard_t *keyboard, unsigned int sleeptime) { REQUIRE(keyboard != NULL); - if (sleeptime > 0) + if (sleeptime > 0 && keyboard->result != ISC_R_CANCELED) (void)sleep(sleeptime); (void)tcsetattr(keyboard->fd, TCSAFLUSH, &keyboard->saved_mode); @@ -96,15 +98,29 @@ isc_result_t isc_keyboard_getchar(isc_keyboard_t *keyboard, unsigned char *cp) { ssize_t cc; unsigned char c; + cc_t *controlchars; REQUIRE(keyboard != NULL); REQUIRE(cp != NULL); cc = read(keyboard->fd, &c, 1); - if (cc < 0) - return (ISC_R_IOERROR); + if (cc < 0) { + keyboard->result = ISC_R_IOERROR; + return (keyboard->result); + } + + controlchars = keyboard->saved_mode.c_cc; + if (c == controlchars[VINTR] || c == controlchars[VQUIT]) { + keyboard->result = ISC_R_CANCELED; + return (keyboard->result); + } *cp = c; return (ISC_R_SUCCESS); } + +isc_boolean_t +isc_keyboard_canceled(isc_keyboard_t *keyboard) { + return (ISC_TF(keyboard->result == ISC_R_CANCELED)); +} diff --git a/lib/lwres/getaddrinfo.c b/lib/lwres/getaddrinfo.c index 1364cfdd..16c2e9f1 100644 --- a/lib/lwres/getaddrinfo.c +++ b/lib/lwres/getaddrinfo.c @@ -19,7 +19,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: getaddrinfo.c,v 1.23.2.3 2000/07/10 21:02:42 gson Exp $ */ +/* $Id: getaddrinfo.c,v 1.23.2.4 2000/08/03 20:23:01 gson Exp $ */ #include <config.h> 
@@ -230,15 +230,17 @@ lwres_getaddrinfo(const char *hostname, const char *servname, (family == 0 || (flags & AI_NUMERICHOST) != 0)) { char abuf[sizeof(struct in6_addr)]; char nbuf[NI_MAXHOST]; - char ntmp[NI_MAXHOST]; int addrsize, addroff; -#if defined(LWRES_HAVE_SIN6_SCOPE_ID) +#ifdef LWRES_HAVE_SIN6_SCOPE_ID char *p, *ep; + char ntmp[NI_MAXHOST]; lwres_uint32_t scopeid; #endif -#if defined(LWRES_HAVE_SIN6_SCOPE_ID) - /* scope identifier portion */ +#ifdef LWRES_HAVE_SIN6_SCOPE_ID + /* + * Scope identifier portion. + */ ntmp[0] = '\0'; if (strchr(hostname, '%') != NULL) { strncpy(ntmp, hostname, sizeof(ntmp) - 1); @@ -247,7 +249,7 @@ lwres_getaddrinfo(const char *hostname, const char *servname, ep = NULL; /* - * vendors may want to support non-numeric + * Vendors may want to support non-numeric * scopeid around here. */ @@ -279,6 +281,7 @@ lwres_getaddrinfo(const char *hostname, const char *servname, addroff = (char *)(&SIN(0)->sin_addr) - (char *)0; family = AF_INET; goto common; +#ifdef LWRES_HAVE_SIN6_SCOPE_ID } else if (ntmp[0] && lwres_net_pton(AF_INET6, ntmp, abuf)) { if (family && family != AF_INET6) return (EAI_NONAME); @@ -286,6 +289,7 @@ lwres_getaddrinfo(const char *hostname, const char *servname, addroff = (char *)(&SIN6(0)->sin6_addr) - (char *)0; family = AF_INET6; goto common; +#endif } else if (lwres_net_pton(AF_INET6, hostname, abuf)) { if (family && family != AF_INET6) return (EAI_NONAME); diff --git a/lib/lwres/gethost.c b/lib/lwres/gethost.c index 2a5397cf..2e500f5e 100644 --- a/lib/lwres/gethost.c +++ b/lib/lwres/gethost.c @@ -15,7 +15,7 @@ * SOFTWARE. */ -/* $Id: gethost.c,v 1.17.2.1 2000/06/27 23:43:43 gson Exp $ */ +/* $Id: gethost.c,v 1.17.2.2 2000/07/27 00:11:38 gson Exp $ */ #include <config.h> 
@@ -197,11 +197,10 @@ copytobuf(struct hostent *he, struct hostent *hptr, char *buf, int buflen) { * Copy address list. */ hptr->h_addr_list = ptr; - for (i = 0; he->h_addr_list[i]; i++ , ptr++) { + for (i = 0; he->h_addr_list[i]; i++, ptr++) { memcpy(cp, he->h_addr_list[i], n); hptr->h_addr_list[i] = cp; cp += n; - i++; } hptr->h_addr_list[i] = NULL; ptr++; @@ -218,7 +217,7 @@ copytobuf(struct hostent *he, struct hostent *hptr, char *buf, int buflen) { * Copy aliases. */ hptr->h_aliases = ptr; - for (i = 0 ; he->h_aliases[i]; i++) { + for (i = 0; he->h_aliases[i]; i++) { n = strlen(he->h_aliases[i]) + 1; strcpy(cp, he->h_aliases[i]); hptr->h_aliases[i] = cp; @@ -1,4 +1,4 @@ -# $Id: version,v 1.15.2.3 2000/06/30 21:15:49 gson Exp $ +# $Id: version,v 1.15.2.4 2000/07/13 03:43:20 gson Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. @@ -7,4 +7,4 @@ MAJORVER=9 MINORVER=0 PATCHVER=0 RELEASETYPE=rc -RELEASEVER=1 +RELEASEVER=2 |
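Review bot: In add_initial_keys, `alg` now points at the stack-local `tempalg` for any algorithm other than hmac-md5, so dns_tsigkey_create must copy the algorithm name rather than retain the pointer; the hunk does not show which, and the key outlives this function through `ring`. Worth confirming (or stating in a comment), since the shallow struct copy `alg = *dns_tsig_hmacmd5_name` being removed here was itself the bug. `dns_name_init(&tempalg, NULL)` runs only in the else branch, which is correct as written but will silently break if the branches are later reordered.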
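Review bot: VALATTR_TRIEDVERIFY in validator.c is added without a comment. The neighbouring flags are also bare, but this one drives a control-flow decision in validator_start (fall back to proveunsecure only when DNS_R_NOVALIDSIG was produced without any dns_dnssec_verify attempt), so a one-liner such as `/* at least one signature was actually checked */` next to the #define would help. It is set in validate() and never cleared, which is fine for a one-shot validator but should be said.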
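Review bot: auth_nonpending promotes every dns_trust_pending rdataset in the authority section to dns_trust_authauthority, not only the NXT and SOA rdatasets that negauthvalidated actually verified before calling it. An rdataset in that section that was never covered by the nonexistence proof receives the same upgrade. If that is deliberate (authauthority is still an unvalidated trust level), a comment on auth_nonpending should say so; otherwise the walk should be limited to the rdatasets the proof used.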
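Review bot: The loop removed from nxtvalidate used to reset every rdataset at the name to dns_trust_pending on the non-resume path; with it gone the rdatasets keep whatever trust the message parser assigned, and trust is now only raised (by auth_nonpending on success), never lowered here. That asymmetry is probably the intent, but it deserves a sentence in the commit message or a comment at the `else rdataset = ISC_LIST_HEAD(name->list);` line, because a caller that relied on the reset now sees pre-existing trust values when validation fails.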
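Review bot: In validator_start the fallback to proveunsecure is keyed on VALATTR_TRIEDVERIFY being clear, i.e. DNS_R_NOVALIDSIG produced without dns_dnssec_verify ever running (no usable key found). Because validate() sets the flag unconditionally at the top of its do-loop, a genuine signature failure can never take the insecurity-proof path, which is the property that matters; a comment stating it would stop someone "simplifying" the condition later. Note also that any proveunsecure result other than DNS_R_NOTINSECURE replaces the saved NOVALIDSIG, so DNS_R_WAIT from proveunsecure passes straight through; confirm the code after this block handles DNS_R_WAIT from proveunsecure the same way it does from validate().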
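Review bot: Adding the missing va_start in validator_log is correct (passing an uninitialised va_list to validator_logv was undefined behaviour), but the hunk ends before the matching va_end; check that `va_end(ap);` is already present after the validator_logv call, since va_start without va_end is undefined as well.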
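Review bot: xfrin_create now takes its own reference on tsigkey and maybe_free releases it, so every caller that previously handed over its reference must now detach its own copy or the key leaks. got_transfer_quota in zone.c is updated in this same patch; any other dns_xfrin_create caller should be checked for the same change. The `isc_buffer_free(&xfr->lasttsig)` added to xfrin_send_request is needed on retries because dns_message_getquerytsig allocates a fresh buffer each call; the detach in maybe_free is placed before the lasttsig free, which is fine as long as nothing in the TSIG context still dereferences the key at that point.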
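Review bot: In dns_zone_load, ISC_R_RANGE from dns_journal_rollforward is now reported as "journal out of sync with zone" together with ISC_R_NOTFOUND, and every other failure gets its result text logged. The new message says only "dns_journal_rollforward returned: %s"; adding zone->journal to it would save the operator the lookup, since the fix is to remove or repair that specific file.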
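Review bot: The SOA/NS hunk in dns_zone_load turns a zone with no apex NS records from a load failure (DNS_R_BADZONE) into a zone that loads and is served, with only an ISC_LOG_ERROR line. If that relaxation is intentional it is a behaviour change that belongs in the CHANGES entry, and the level should probably become ISC_LOG_WARNING now that the condition is not fatal; if it is not intentional, the `nscount == 0` branch needs `result = DNS_R_BADZONE; goto cleanup;` restored. The new ISC_R_NOTFOUND handling in zone_count_ns_rr (`*nscount = 0`, success) is consistent with the relaxed check, so both hunks should change together either way.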
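Review bot: The dns_tsigkey_detach added to soa_query is placed after the `goto cleanup` error branch, and the one in notify_send_toaddr sits before the `cleanup:` label, so on the error paths that jump to cleanup the key still is not detached unless cleanup: does it (the hunk does not show that). Putting the detach inside cleanup, guarded by `if (key != NULL)`, covers both the success and error paths and removes the duplicate.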
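Review bot: In dns_zone_configure the also-notify list is now detached after dns_zone_setalsonotify, which closes the leak; expanding RETERR into an explicit check is required because RETERR would return before the detach. The blank line left before `} else` is stray. Also confirm that dns_zone_setalsonotify copies `iplist->ips` rather than keeping the pointer, since the list is released immediately afterwards.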
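Review bot: isc_keyboard_getchar still tests only `cc < 0`; a read() that returns 0 (EOF, e.g. stdin redirected from a file or closed) falls through, compares the uninitialised `c` against the control characters and hands it back with ISC_R_SUCCESS. Because this routine feeds keystrokes to the entropy gatherer, EOF should be an error of its own (`if (cc <= 0)`, returning ISC_R_EOF or ISC_R_IOERROR) so that a non-interactive run fails rather than supplying uninitialised bytes as "randomness". Two smaller points: `controlchars` come from saved_mode, the pre-raw settings, so if VINTR or VQUIT is disabled (_POSIX_VDISABLE) an ordinary byte with that value is treated as cancel, which is harmless but worth a comment; and `keyboard->result` is initialised only on the success path of isc_keyboard_open, so isc_keyboard_canceled on a keyboard whose open failed reads an uninitialised field.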
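Review bot: Moving `ntmp` and its `else if` branch under LWRES_HAVE_SIN6_SCOPE_ID fixes the declaration/use mismatch, but wrapping a `} else if (...) {` clause in #ifdef makes the brace balance depend on the macro; keeping the branch unconditional and declaring `ntmp` with `ntmp[0] = '\0'` in the non-scope-id build would be more robust. Separately, confirm that the `strncpy(ntmp, hostname, sizeof(ntmp) - 1)` is followed by an explicit `ntmp[sizeof(ntmp) - 1] = '\0'`, since the earlier `ntmp[0] = '\0'` alone does not terminate a hostname of NI_MAXHOST - 1 bytes or longer.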
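Review bot: Dropping the stray `i++` in copytobuf restores every address; before the fix only every other h_addr_list entry was copied and the list was terminated early (CHANGES 353). The visible copies memcpy and strcpy into `cp` without consulting `buflen`, so make sure the size check earlier in the function accounts for the full address list and every alias string before this loop runs, since both come from the resolver response.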