authorInternet Software Consortium, Inc <@isc.org>2011-11-01 14:44:50 -0600
committerInternet Software Consortium, Inc <@isc.org>2011-11-01 14:44:50 -0600
commit15c17fb71db9b8f876da1be5e6ddbba25ce61aba (patch)
tree8f808bcda25300ee1b2bbb66f7fb49ab3a01027a /bin
parent0985d8a79623e77e4d2c801a661d1b1180f41285 (diff)
9.9.0a2
Diffstat (limited to 'bin')
-rw-r--r--bin/dnssec/dnssec-dsfromkey.c8
-rw-r--r--bin/named/config.c9
-rw-r--r--bin/named/include/named/zoneconf.h6
-rw-r--r--bin/named/named.conf.53
-rw-r--r--bin/named/named.conf.docbook3
-rw-r--r--bin/named/named.conf.html7
-rw-r--r--bin/named/query.c82
-rw-r--r--bin/named/server.c125
-rw-r--r--bin/named/update.c1209
-rw-r--r--bin/named/zoneconf.c203
-rw-r--r--bin/tests/adb_test.c11
-rw-r--r--bin/tests/cfg_test.c6
-rw-r--r--bin/tests/db_test.c13
-rwxr-xr-xbin/tests/dst/gsstest.c33
-rw-r--r--bin/tests/log_test.c4
-rw-r--r--bin/tests/nsecify.c5
-rw-r--r--bin/tests/printmsg.c53
-rw-r--r--bin/tests/rbt_test.c7
-rw-r--r--bin/tests/rdata_test.c19
-rw-r--r--bin/tests/shutdown_test.c8
-rw-r--r--bin/tests/startperf/README16
-rw-r--r--bin/tests/startperf/clean.sh20
-rw-r--r--bin/tests/startperf/makenames.pl8
-rw-r--r--bin/tests/startperf/mkzonefile.pl51
-rw-r--r--bin/tests/startperf/setup.sh31
-rw-r--r--bin/tests/system/cacheclean/tests.sh54
-rw-r--r--bin/tests/system/conf.sh.in4
-rw-r--r--bin/tests/system/dnssec/tests.sh8
-rw-r--r--bin/tests/system/inline/clean.sh27
-rw-r--r--bin/tests/system/inline/ns1/named.conf42
-rw-r--r--bin/tests/system/inline/ns2/bits.db.in134
-rw-r--r--bin/tests/system/inline/ns2/named.conf40
-rw-r--r--bin/tests/system/inline/ns3/named.conf55
-rw-r--r--bin/tests/system/inline/ns3/sign.sh34
-rw-r--r--bin/tests/system/inline/ns4/named.conf40
-rw-r--r--bin/tests/system/inline/ns4/noixfr.db.in134
-rw-r--r--bin/tests/system/inline/setup.sh39
-rw-r--r--bin/tests/system/inline/tests.sh329
-rw-r--r--bin/tests/system/ixfr/clean.sh6
-rw-r--r--bin/tests/system/ixfr/ns3/mytest0.db31
-rw-r--r--bin/tests/system/ixfr/ns3/mytest1.db31
-rw-r--r--bin/tests/system/ixfr/ns3/mytest2.db31
-rw-r--r--bin/tests/system/ixfr/ns3/named.conf53
-rw-r--r--bin/tests/system/ixfr/ns3/subtest0.db29
-rw-r--r--bin/tests/system/ixfr/ns3/subtest1.db29
-rw-r--r--bin/tests/system/ixfr/ns4/named.conf54
-rw-r--r--bin/tests/system/ixfr/setup.sh10
-rw-r--r--bin/tests/system/ixfr/tests.sh70
-rw-r--r--bin/tests/system/upforwd/ans4/ans.pl351
-rw-r--r--bin/tests/system/upforwd/ns3/named.conf11
-rw-r--r--bin/tests/system/upforwd/ns3/nomaster.db19
-rw-r--r--bin/tests/system/upforwd/setup.sh5
-rw-r--r--bin/tests/system/upforwd/tests.sh25
53 files changed, 2184 insertions, 1451 deletions
diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
index 78ac939c..75ea71ab 100644
--- a/bin/dnssec/dnssec-dsfromkey.c
+++ b/bin/dnssec/dnssec-dsfromkey.c
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-dsfromkey.c,v 1.22 2011-08-18 04:52:35 marka Exp $ */
+/* $Id: dnssec-dsfromkey.c,v 1.23 2011-09-03 05:51:29 each Exp $ */
/*! \file */
@@ -292,10 +292,10 @@ emit(unsigned int dtype, isc_boolean_t showall, char *lookaside,
fatal("can't print class");
isc_buffer_usedregion(&nameb, &r);
- printf("%.*s ", (int)r.length, r.base);
+ printf("%.*s ", (int)r.length, r.base);
isc_buffer_usedregion(&classb, &r);
- printf("%.*s", (int)r.length, r.base);
+ printf("%.*s", (int)r.length, r.base);
if (lookaside == NULL)
printf(" DS ");
@@ -303,7 +303,7 @@ emit(unsigned int dtype, isc_boolean_t showall, char *lookaside,
printf(" DLV ");
isc_buffer_usedregion(&textb, &r);
- printf("%.*s\n", (int)r.length, r.base);
+ printf("%.*s\n", (int)r.length, r.base);
}
ISC_PLATFORM_NORETURN_PRE static void
diff --git a/bin/named/config.c b/bin/named/config.c
index f04c7023..91e3eb2a 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: config.c,v 1.119 2011-07-01 02:25:47 marka Exp $ */
+/* $Id: config.c,v 1.121 2011-08-30 23:46:51 tbox Exp $ */
/*! \file */
@@ -199,6 +199,7 @@ options {\n\
sig-signing-nodes 100;\n\
sig-signing-signatures 10;\n\
sig-signing-type 65534;\n\
+ inline-signing no;\n\
zone-statistics false;\n\
max-journal-size unlimited;\n\
ixfr-from-differences false;\n\
@@ -294,7 +295,8 @@ ns_checknames_get(const cfg_obj_t **maps, const char *which,
if (maps[i] == NULL)
return (ISC_R_NOTFOUND);
checknames = NULL;
- if (cfg_map_get(maps[i], "check-names", &checknames) == ISC_R_SUCCESS) {
+ if (cfg_map_get(maps[i], "check-names",
+ &checknames) == ISC_R_SUCCESS) {
/*
* Zone map entry is not a list.
*/
@@ -307,7 +309,8 @@ ns_checknames_get(const cfg_obj_t **maps, const char *which,
element = cfg_list_next(element)) {
value = cfg_listelt_value(element);
type = cfg_tuple_get(value, "type");
- if (strcasecmp(cfg_obj_asstring(type), which) == 0) {
+ if (strcasecmp(cfg_obj_asstring(type),
+ which) == 0) {
*obj = cfg_tuple_get(value, "mode");
return (ISC_R_SUCCESS);
}
diff --git a/bin/named/include/named/zoneconf.h b/bin/named/include/named/zoneconf.h
index 65cf72f9..463729c7 100644
--- a/bin/named/include/named/zoneconf.h
+++ b/bin/named/include/named/zoneconf.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2010 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2010, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: zoneconf.h,v 1.28 2010-12-20 23:47:20 tbox Exp $ */
+/* $Id: zoneconf.h,v 1.30 2011-08-30 23:46:51 tbox Exp $ */
#ifndef NS_ZONECONF_H
#define NS_ZONECONF_H 1
@@ -33,7 +33,7 @@ ISC_LANG_BEGINDECLS
isc_result_t
ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac,
- dns_zone_t *zone);
+ dns_zone_t *zone, dns_zone_t *raw);
/*%<
* Configure or reconfigure a zone according to the named.conf
* data in 'cctx' and 'czone'.
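Review bot: The new `raw` parameter of ns_zone_configure() is not described in the part of the doc comment visible here, which still refers to 'cctx' and 'czone' rather than the actual parameter names. Callers need to know that NULL is accepted (configure_zone in server.c passes `NULL` for the redirect zone in this same commit) and what a non-NULL value is used for. Suggest adding a line such as `* 'raw', if not NULL, is the raw zone linked to 'zone' for inline signing.` The comment continues outside the hunk, so it may already say more than is shown.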
diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5
index f1776fe0..71979ea3 100644
--- a/bin/named/named.conf.5
+++ b/bin/named/named.conf.5
@@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: named.conf.5,v 1.47 2011-05-09 01:14:45 tbox Exp $
+.\" $Id: named.conf.5,v 1.48 2011-09-07 01:14:42 tbox Exp $
.\"
.hy 0
.ad l
@@ -564,6 +564,7 @@ zone \fIstring\fR \fIoptional_class\fR {
max\-refresh\-time \fIinteger\fR;
min\-refresh\-time \fIinteger\fR;
multi\-master \fIboolean\fR;
+ request\-ixfr \fIboolean\fR;
sig\-validity\-interval \fIinteger\fR;
transfer\-source ( \fIipv4_address\fR | * )
[ port ( \fIinteger\fR | * ) ];
diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
index 72a47cdb..eb48d25a 100644
--- a/bin/named/named.conf.docbook
+++ b/bin/named/named.conf.docbook
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named.conf.docbook,v 1.52 2011-05-06 21:23:50 each Exp $ -->
+<!-- $Id: named.conf.docbook,v 1.53 2011-09-06 22:29:32 smann Exp $ -->
<refentry>
<refentryinfo>
<date>Aug 13, 2004</date>
@@ -630,6 +630,7 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
max-refresh-time <replaceable>integer</replaceable>;
min-refresh-time <replaceable>integer</replaceable>;
multi-master <replaceable>boolean</replaceable>;
+ request-ixfr <replaceable>boolean</replaceable>;
sig-validity-interval <replaceable>integer</replaceable>;
transfer-source ( <replaceable>ipv4_address</replaceable> | * )
diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html
index 82265c56..833eaedb 100644
--- a/bin/named/named.conf.html
+++ b/bin/named/named.conf.html
@@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named.conf.html,v 1.56 2011-05-09 01:14:45 tbox Exp $ -->
+<!-- $Id: named.conf.html,v 1.57 2011-09-07 01:14:42 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -594,6 +594,7 @@ zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
multi-master <em class="replaceable"><code>boolean</code></em>;<br>
+ request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
sig-validity-interval <em class="replaceable"><code>integer</code></em>;<br>
<br>
transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
@@ -622,12 +623,12 @@ zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2545678"></a><h2>FILES</h2>
+<a name="id2545682"></a><h2>FILES</h2>
<p><code class="filename">/etc/named.conf</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545690"></a><h2>SEE ALSO</h2>
+<a name="id2545693"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
diff --git a/bin/named/query.c b/bin/named/query.c
index 5a0c30fb..96c01e98 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: query.c,v 1.367 2011-06-09 03:10:17 marka Exp $ */
+/* $Id: query.c,v 1.369 2011-09-02 23:46:31 tbox Exp $ */
/*! \file */
@@ -5771,7 +5771,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
case DNS_R_EMPTYNAME:
case DNS_R_NXRRSET:
- nxrrset:
+ iszone_nxrrset:
INSIST(is_zone);
#ifdef dns64_bis_return_excluded_addresses
@@ -5838,6 +5838,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
/*
* Look for a NSEC3 record if we don't have a NSEC record.
*/
+ nxrrset_rrsig:
if (!dns_rdataset_isassociated(rdataset) &&
WANTDNSSEC(client)) {
if ((fname->attributes & DNS_NAMEATTR_WILDCARD) == 0) {
@@ -5966,6 +5967,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
*/
query_releasename(client, &fname);
}
+
/*
* Add SOA. If the query was for a SOA record force the
* ttl to zero so that it is possible for clients to find
@@ -6477,68 +6479,42 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
if (fname != NULL)
dns_message_puttempname(client->message, &fname);
- if (n == 0 && is_zone) {
+ if (n == 0) {
/*
- * We didn't match any rdatasets.
+ * No matching rdatasets found in cache. If we were
+ * searching for RRSIG/SIG, that's probably okay;
+ * otherwise this is an error condition.
*/
if ((qtype == dns_rdatatype_rrsig ||
qtype == dns_rdatatype_sig) &&
result == ISC_R_NOMORE) {
- /*
- * XXXRTH If this is a secure zone and we
- * didn't find any SIGs, we should generate
- * an error unless we were searching for
- * glue. Ugh.
- */
if (!is_zone) {
- /*
- * Note: this is dead code because
- * is_zone is always true due to the
- * condition above. But naive
- * recursion would cause infinite
- * attempts of recursion because
- * the answer to (RR)SIG queries
- * won't be cached. Until we figure
- * out what we should do and implement
- * it we intentionally keep this code
- * dead.
- */
authoritative = ISC_FALSE;
dns_rdatasetiter_destroy(&rdsiter);
- if (RECURSIONOK(client)) {
- result = query_recurse(client,
- qtype,
- client->query.qname,
- NULL, NULL,
- resuming);
- if (result == ISC_R_SUCCESS)
- client->query.attributes |=
- NS_QUERYATTR_RECURSING;
- else
- RECURSE_ERROR(result);
- }
+ client->attributes &= ~NS_CLIENTATTR_RA;
goto addauth;
}
- /*
- * We were searching for SIG records in
- * a nonsecure zone. Send a "no error,
- * no data" response.
- */
- /*
- * Add SOA.
- */
- result = query_addsoa(client, db, version,
- ISC_UINT32_MAX,
- ISC_FALSE);
- if (result == ISC_R_SUCCESS)
- result = ISC_R_NOMORE;
- } else {
- /*
- * Something went wrong.
- */
+
+ if (dns_db_issecure(db)) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ dns_name_format(client->query.qname,
+ namebuf,
+ sizeof(namebuf));
+ ns_client_log(client,
+ DNS_LOGCATEGORY_DNSSEC,
+ NS_LOGMODULE_QUERY,
+ ISC_LOG_WARNING,
+ "missing signature "
+ "for %s", namebuf);
+ }
+
+ dns_rdatasetiter_destroy(&rdsiter);
+ fname = query_newname(client, dbuf, &b);
+ goto nxrrset_rrsig;
+ } else
result = DNS_R_SERVFAIL;
- }
}
+
dns_rdatasetiter_destroy(&rdsiter);
if (result != ISC_R_NOMORE) {
QUERY_ERROR(DNS_R_SERVFAIL);
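Review bot: In the RRSIG/SIG branch the result of `query_newname(client, dbuf, &b)` is assigned to `fname` and control jumps straight to `nxrrset_rrsig`, where the code shown in the earlier hunk reads `fname->attributes`. If query_newname() can return NULL on allocation failure (its definition is not on this page), that is a NULL dereference on a path driven by client queries. A guard before the jump would cover it, e.g. `if (fname == NULL) { QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; }`, with the label replaced by whatever error exit query_find already uses. Separately, the "missing signature" message is written at ISC_LOG_WARNING once per matching query, so remote clients control its volume; a lower level or rate limiting would keep it from crowding out other DNSSEC log entries. query_find starts and ends outside the hunk.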
@@ -6741,7 +6717,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
}
#endif
if (is_zone)
- goto nxrrset;
+ goto iszone_nxrrset;
else
goto ncache_nxrrset;
} else if (result != ISC_R_SUCCESS) {
diff --git a/bin/named/server.c b/bin/named/server.c
index 66794466..74adc2c2 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: server.c,v 1.616 2011-08-02 20:36:11 each Exp $ */
+/* $Id: server.c,v 1.619 2011-09-06 22:29:32 smann Exp $ */
/*! \file */
@@ -39,6 +39,7 @@
#include <isc/parseint.h>
#include <isc/portset.h>
#include <isc/print.h>
+#include <isc/refcount.h>
#include <isc/resource.h>
#include <isc/sha2.h>
#include <isc/socket.h>
@@ -215,6 +216,16 @@ struct cfg_context {
cfg_aclconfctx_t * actx;
};
+/*%
+ * Holds state information for the initial zone loading process.
+ * Uses the isc_refcount structure to count the number of views
+ * with pending zone loads, dereferencing as each view finishes.
+ */
+typedef struct {
+ ns_server_t *server;
+ isc_refcount_t refs;
+} ns_zoneload_t;
+
/*
* These zones should not leak onto the Internet.
*/
@@ -2540,11 +2551,6 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
ns_g_mctx, &view->upfwdacl));
obj = NULL;
- result = ns_config_get(maps, "request-ixfr", &obj);
- INSIST(result == ISC_R_SUCCESS);
- view->requestixfr = cfg_obj_asboolean(obj);
-
- obj = NULL;
result = ns_config_get(maps, "provide-ixfr", &obj);
INSIST(result == ISC_R_SUCCESS);
view->provideixfr = cfg_obj_asboolean(obj);
@@ -3225,6 +3231,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
{
dns_view_t *pview = NULL; /* Production view */
dns_zone_t *zone = NULL; /* New or reused zone */
+ dns_zone_t *raw = NULL; /* New or reused raw zone */
dns_zone_t *dupzone = NULL;
const cfg_obj_t *options = NULL;
const cfg_obj_t *zoptions = NULL;
@@ -3232,6 +3239,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
const cfg_obj_t *forwarders = NULL;
const cfg_obj_t *forwardtype = NULL;
const cfg_obj_t *only = NULL;
+ const cfg_obj_t *signing = NULL;
isc_result_t result;
isc_result_t tresult;
isc_buffer_t buffer;
@@ -3378,7 +3386,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
dns_zone_setstats(zone, ns_g_server->zonestats);
}
CHECK(ns_zone_configure(config, vconfig, zconfig, aclconf,
- zone));
+ zone, NULL));
dns_zone_attach(zone, &view->redirect);
goto cleanup;
}
@@ -3469,10 +3477,30 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
*/
dns_zone_setadded(zone, added);
+ signing = NULL;
+ if ((strcasecmp(ztypestr, "master") == 0 ||
+ strcasecmp(ztypestr, "slave") == 0) &&
+ cfg_map_get(zoptions, "inline-signing", &signing) == ISC_R_SUCCESS &&
+ cfg_obj_asboolean(signing))
+ {
+ dns_zone_getraw(zone, &raw);
+ if (raw == NULL) {
+ CHECK(dns_zone_create(&raw, mctx));
+ CHECK(dns_zone_setorigin(raw, origin));
+ dns_zone_setview(raw, view);
+ if (view->acache != NULL)
+ dns_zone_setacache(raw, view->acache);
+ CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr,
+ raw));
+ dns_zone_setstats(raw, ns_g_server->zonestats);
+ dns_zone_link(zone, raw);
+ }
+ }
+
/*
* Configure the zone.
*/
- CHECK(ns_zone_configure(config, vconfig, zconfig, aclconf, zone));
+ CHECK(ns_zone_configure(config, vconfig, zconfig, aclconf, zone, raw));
/*
* Add the zone to its view in the new view list.
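Review bot: The `inline-signing` test reads only `zoptions`, while config.c in this same commit adds `inline-signing no;` to the built-in options defaults, so a value set or defaulted at options or view level is never consulted here. If the option is meant to be zone-only, a comment above the `if` saying so would stop a later reader from treating it as an oversight; if not, the lookup should go through the same option maps the other zone settings use. It is also worth stating what happens to a reused zone that already has a raw zone when the new configuration turns inline-signing off: the block is skipped, `raw` stays NULL, and nothing visible in the hunk undoes the earlier `dns_zone_link()`. configure_zone continues outside the hunk.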
@@ -3482,6 +3510,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
cleanup:
if (zone != NULL)
dns_zone_detach(&zone);
+ if (raw != NULL)
+ dns_zone_detach(&raw);
if (pview != NULL)
dns_view_detach(&pview);
@@ -5192,34 +5222,87 @@ load_configuration(const char *filename, ns_server_t *server,
}
static isc_result_t
-load_zones(ns_server_t *server, isc_boolean_t stop) {
+view_loaded(void *arg) {
+ isc_result_t result;
+ ns_zoneload_t *zl = (ns_zoneload_t *) arg;
+ ns_server_t *server = zl->server;
+ unsigned int refs;
+
+
+ /*
+ * Force zone maintenance. Do this after loading
+ * so that we know when we need to force AXFR of
+ * slave zones whose master files are missing.
+ *
+ * We use the zoneload reference counter to let us
+ * know when all views are finished.
+ */
+ isc_refcount_decrement(&zl->refs, &refs);
+ if (refs != 0)
+ return (ISC_R_SUCCESS);
+
+ isc_refcount_destroy(&zl->refs);
+ isc_mem_put(server->mctx, zl, sizeof (*zl));
+
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
+ ISC_LOG_NOTICE, "all zones loaded");
+ CHECKFATAL(dns_zonemgr_forcemaint(server->zonemgr),
+ "forcing zone maintenance");
+
+ ns_os_started();
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
+ ISC_LOG_NOTICE, "running");
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+load_zones(ns_server_t *server) {
isc_result_t result;
dns_view_t *view;
+ ns_zoneload_t *zl;
+ unsigned int refs = 0;
+
+ zl = isc_mem_get(server->mctx, sizeof (*zl));
+ if (zl == NULL)
+ return (ISC_R_NOMEMORY);
+ zl->server = server;
result = isc_task_beginexclusive(server->task);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ isc_refcount_init(&zl->refs, 1);
+
/*
- * Load zone data from disk.
+ * Schedule zones to be loaded from disk.
*/
for (view = ISC_LIST_HEAD(server->viewlist);
view != NULL;
view = ISC_LIST_NEXT(view, link))
{
- CHECK(dns_view_load(view, stop));
if (view->managed_keys != NULL)
CHECK(dns_zone_load(view->managed_keys));
if (view->redirect != NULL)
CHECK(dns_zone_load(view->redirect));
+ isc_refcount_increment(&zl->refs, NULL);
+ CHECK(dns_view_asyncload(view, view_loaded, zl));
}
- /*
- * Force zone maintenance. Do this after loading
- * so that we know when we need to force AXFR of
- * slave zones whose master files are missing.
- */
- CHECK(dns_zonemgr_forcemaint(server->zonemgr));
cleanup:
+ isc_refcount_decrement(&zl->refs, &refs);
+ if (result != ISC_R_SUCCESS || refs == 0) {
+ isc_refcount_destroy(&zl->refs);
+ isc_mem_put(server->mctx, zl, sizeof (*zl));
+ } else {
+ /*
+ * Place the task manager into privileged mode. This
+ * ensures that after we leave task-exclusive mode, no
+ * other tasks will be able to run except for the ones
+ * that are loading zones.
+ */
+ isc_taskmgr_setmode(ns_g_taskmgr, isc_taskmgrmode_privileged);
+ }
+
isc_task_endexclusive(server->task);
return (result);
}
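Review bot: On the failure path of load_zones(), `zl` is destroyed and freed whenever `result != ISC_R_SUCCESS`, even though earlier loop iterations have already handed the same `zl` to `dns_view_asyncload()`; any callback still pending will later dereference freed memory in view_loaded(), and `isc_refcount_destroy()` is reached with a non-zero count. reload(), changed further down in this file, does not treat a load_zones() failure as fatal, so the process keeps running after this. The reference taken just before a failing `dns_view_asyncload()` is also never dropped. The sketch below releases the failed view's reference in the loop and frees `zl` only when the count really reaches zero; it assumes dns_view_asyncload() does not invoke the callback when it returns an error, which should be confirmed against its definition.

```c
	for (view = ISC_LIST_HEAD(server->viewlist);
	     view != NULL;
	     view = ISC_LIST_NEXT(view, link))
	{
		/* … unchanged: managed_keys and redirect zone loads … */
		isc_refcount_increment(&zl->refs, NULL);
		result = dns_view_asyncload(view, view_loaded, zl);
		if (result != ISC_R_SUCCESS) {
			/* No callback will run for this view; drop its reference. */
			isc_refcount_decrement(&zl->refs, &refs);
			goto cleanup;
		}
	}

 cleanup:
	isc_refcount_decrement(&zl->refs, &refs);
	if (refs == 0) {
		/* No pending view callback still holds zl. */
		isc_refcount_destroy(&zl->refs);
		isc_mem_put(server->mctx, zl, sizeof (*zl));
	} else if (result == ISC_R_SUCCESS) {
		/* … unchanged: comment on privileged mode … */
		isc_taskmgr_setmode(ns_g_taskmgr, isc_taskmgrmode_privileged);
	}
	/* … unchanged: isc_task_endexclusive() and return … */
```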
@@ -5307,11 +5390,7 @@ run_server(isc_task_t *task, isc_event_t *event) {
isc_hash_init();
- CHECKFATAL(load_zones(server, ISC_FALSE), "loading zones");
-
- ns_os_started();
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
- ISC_LOG_NOTICE, "running");
+ CHECKFATAL(load_zones(server), "loading zones");
}
void
@@ -5746,7 +5825,7 @@ reload(ns_server_t *server) {
isc_result_t result;
CHECK(loadconfig(server));
- result = load_zones(server, ISC_FALSE);
+ result = load_zones(server);
if (result == ISC_R_SUCCESS)
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
diff --git a/bin/named/update.c b/bin/named/update.c
index 69562ad7..34243945 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: update.c,v 1.195 2011-07-01 02:25:47 marka Exp $ */
+/* $Id: update.c,v 1.197 2011-08-31 06:49:09 marka Exp $ */
#include <config.h>
@@ -269,6 +269,11 @@ update_log(ns_client_t *client, dns_zone_t *zone,
namebuf, classbuf, message);
}
+static void
+update_log_cb(void *arg, dns_zone_t *zone, int level, const char *message) {
+ update_log(arg, zone, level, "%s", message);
+}
+
/*%
* Increment updated-related statistics counters.
*/
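Review bot: update_log_cb() has no header comment, unlike the neighbouring helpers in this file, and its `void *arg` is handed to update_log() as the `ns_client_t *` without that contract being stated anywhere. Suggest adding `/*% Logging callback adapter: 'arg' must be the ns_client_t for the update; 'message' is logged verbatim. */` above the definition. Passing the message through a fixed `"%s"` format rather than as the format string is the right choice and should be kept if this wrapper is edited later.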
@@ -722,45 +727,6 @@ rrset_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
}
/*%
- * Set '*visible' to true if the RRset exists and is part of the
- * visible zone. Otherwise '*visible' is set to false unless a
- * error occurs.
- */
-static isc_result_t
-rrset_visible(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
- dns_rdatatype_t type, isc_boolean_t *visible)
-{
- isc_result_t result;
- dns_fixedname_t fixed;
-
- dns_fixedname_init(&fixed);
- result = dns_db_find(db, name, ver, type, DNS_DBFIND_NOWILD,
- (isc_stdtime_t) 0, NULL,
- dns_fixedname_name(&fixed), NULL, NULL);
- switch (result) {
- case ISC_R_SUCCESS:
- *visible = ISC_TRUE;
- break;
- /*
- * Glue, obscured, deleted or replaced records.
- */
- case DNS_R_DELEGATION:
- case DNS_R_DNAME:
- case DNS_R_CNAME:
- case DNS_R_NXDOMAIN:
- case DNS_R_NXRRSET:
- case DNS_R_EMPTYNAME:
- case DNS_R_COVERINGNSEC:
- *visible = ISC_FALSE;
- result = ISC_R_SUCCESS;
- break;
- default:
- break;
- }
- return (result);
-}
-
-/*%
* Helper function for cname_incompatible_rrset_exists.
*/
static isc_result_t
@@ -1175,16 +1141,6 @@ true_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
}
/*%
- * Return true if the record is a RRSIG.
- */
-static isc_boolean_t
-rrsig_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
- UNUSED(update_rr);
- return ((db_rr->type == dns_rdatatype_rrsig) ?
- ISC_TRUE : ISC_FALSE);
-}
-
-/*%
* Return true iff the two RRs have identical rdata.
*/
static isc_boolean_t
@@ -1498,1131 +1454,6 @@ check_soa_increment(dns_db_t *db, dns_dbversion_t *ver,
}
/**************************************************************************/
-/*
- * Incremental updating of NSECs and RRSIGs.
- */
-
-#define MAXZONEKEYS 32 /*%< Maximum number of zone keys supported. */
-
-/*%
- * We abuse the dns_diff_t type to represent a set of domain names
- * affected by the update.
- */
-static isc_result_t
-namelist_append_name(dns_diff_t *list, dns_name_t *name) {
- isc_result_t result;
- dns_difftuple_t *tuple = NULL;
- static dns_rdata_t dummy_rdata = DNS_RDATA_INIT;
-
- CHECK(dns_difftuple_create(list->mctx, DNS_DIFFOP_EXISTS, name, 0,
- &dummy_rdata, &tuple));
- dns_diff_append(list, &tuple);
- failure:
- return (result);
-}
-
-static isc_result_t
-namelist_append_subdomain(dns_db_t *db, dns_name_t *name, dns_diff_t *affected)
-{
- isc_result_t result;
- dns_fixedname_t fixedname;
- dns_name_t *child;
- dns_dbiterator_t *dbit = NULL;
-
- dns_fixedname_init(&fixedname);
- child = dns_fixedname_name(&fixedname);
-
- CHECK(dns_db_createiterator(db, DNS_DB_NONSEC3, &dbit));
-
- for (result = dns_dbiterator_seek(dbit, name);
- result == ISC_R_SUCCESS;
- result = dns_dbiterator_next(dbit))
- {
- dns_dbnode_t *node = NULL;
- CHECK(dns_dbiterator_current(dbit, &node, child));
- dns_db_detachnode(db, &node);
- if (! dns_name_issubdomain(child, name))
- break;
- CHECK(namelist_append_name(affected, child));
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
- failure:
- if (dbit != NULL)
- dns_dbiterator_destroy(&dbit);
- return (result);
-}
-
-
-
-/*%
- * Helper function for non_nsec_rrset_exists().
- */
-static isc_result_t
-is_non_nsec_action(void *data, dns_rdataset_t *rrset) {
- UNUSED(data);
- if (!(rrset->type == dns_rdatatype_nsec ||
- rrset->type == dns_rdatatype_nsec3 ||
- (rrset->type == dns_rdatatype_rrsig &&
- (rrset->covers == dns_rdatatype_nsec ||
- rrset->covers == dns_rdatatype_nsec3))))
- return (ISC_R_EXISTS);
- return (ISC_R_SUCCESS);
-}
-
-/*%
- * Check whether there is an rrset other than a NSEC or RRSIG NSEC,
- * i.e., anything that justifies the continued existence of a name
- * after a secure update.
- *
- * If such an rrset exists, set '*exists' to ISC_TRUE.
- * Otherwise, set it to ISC_FALSE.
- */
-static isc_result_t
-non_nsec_rrset_exists(dns_db_t *db, dns_dbversion_t *ver,
- dns_name_t *name, isc_boolean_t *exists)
-{
- isc_result_t result;
- result = foreach_rrset(db, ver, name, is_non_nsec_action, NULL);
- RETURN_EXISTENCE_FLAG;
-}
-
-/*%
- * A comparison function for sorting dns_diff_t:s by name.
- */
-static int
-name_order(const void *av, const void *bv) {
- dns_difftuple_t const * const *ap = av;
- dns_difftuple_t const * const *bp = bv;
- dns_difftuple_t const *a = *ap;
- dns_difftuple_t const *b = *bp;
- return (dns_name_compare(&a->name, &b->name));
-}
-
-static isc_result_t
-uniqify_name_list(dns_diff_t *list) {
- isc_result_t result;
- dns_difftuple_t *p, *q;
-
- CHECK(dns_diff_sort(list, name_order));
-
- p = ISC_LIST_HEAD(list->tuples);
- while (p != NULL) {
- do {
- q = ISC_LIST_NEXT(p, link);
- if (q == NULL || ! dns_name_equal(&p->name, &q->name))
- break;
- ISC_LIST_UNLINK(list->tuples, q, link);
- dns_difftuple_free(&q);
- } while (1);
- p = ISC_LIST_NEXT(p, link);
- }
- failure:
- return (result);
-}
-
-static isc_result_t
-is_active(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
- isc_boolean_t *flag, isc_boolean_t *cut, isc_boolean_t *unsecure)
-{
- isc_result_t result;
- dns_fixedname_t foundname;
- dns_fixedname_init(&foundname);
- result = dns_db_find(db, name, ver, dns_rdatatype_any,
- DNS_DBFIND_GLUEOK | DNS_DBFIND_NOWILD,
- (isc_stdtime_t) 0, NULL,
- dns_fixedname_name(&foundname),
- NULL, NULL);
- if (result == ISC_R_SUCCESS || result == DNS_R_EMPTYNAME) {
- *flag = ISC_TRUE;
- *cut = ISC_FALSE;
- if (unsecure != NULL)
- *unsecure = ISC_FALSE;
- return (ISC_R_SUCCESS);
- } else if (result == DNS_R_ZONECUT) {
- *flag = ISC_TRUE;
- *cut = ISC_TRUE;
- if (unsecure != NULL) {
- /*
- * We are at the zonecut. Check to see if there
- * is a DS RRset.
- */
- if (dns_db_find(db, name, ver, dns_rdatatype_ds, 0,
- (isc_stdtime_t) 0, NULL,
- dns_fixedname_name(&foundname),
- NULL, NULL) == DNS_R_NXRRSET)
- *unsecure = ISC_TRUE;
- else
- *unsecure = ISC_FALSE;
- }
- return (ISC_R_SUCCESS);
- } else if (result == DNS_R_GLUE || result == DNS_R_DNAME ||
- result == DNS_R_DELEGATION || result == DNS_R_NXDOMAIN) {
- *flag = ISC_FALSE;
- *cut = ISC_FALSE;
- if (unsecure != NULL)
- *unsecure = ISC_FALSE;
- return (ISC_R_SUCCESS);
- } else {
- /*
- * Silence compiler.
- */
- *flag = ISC_FALSE;
- *cut = ISC_FALSE;
- if (unsecure != NULL)
- *unsecure = ISC_FALSE;
- return (result);
- }
-}
-
-/*%
- * Find the next/previous name that has a NSEC record.
- * In other words, skip empty database nodes and names that
- * have had their NSECs removed because they are obscured by
- * a zone cut.
- */
-static isc_result_t
-next_active(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
- dns_dbversion_t *ver, dns_name_t *oldname, dns_name_t *newname,
- isc_boolean_t forward)
-{
- isc_result_t result;
- dns_dbiterator_t *dbit = NULL;
- isc_boolean_t has_nsec = ISC_FALSE;
- unsigned int wraps = 0;
- isc_boolean_t secure = dns_db_issecure(db);
-
- CHECK(dns_db_createiterator(db, 0, &dbit));
-
- CHECK(dns_dbiterator_seek(dbit, oldname));
- do {
- dns_dbnode_t *node = NULL;
-
- if (forward)
- result = dns_dbiterator_next(dbit);
- else
- result = dns_dbiterator_prev(dbit);
- if (result == ISC_R_NOMORE) {
- /*
- * Wrap around.
- */
- if (forward)
- CHECK(dns_dbiterator_first(dbit));
- else
- CHECK(dns_dbiterator_last(dbit));
- wraps++;
- if (wraps == 2) {
- update_log(client, zone, ISC_LOG_ERROR,
- "secure zone with no NSECs");
- result = DNS_R_BADZONE;
- goto failure;
- }
- }
- CHECK(dns_dbiterator_current(dbit, &node, newname));
- dns_db_detachnode(db, &node);
-
- /*
- * The iterator may hold the tree lock, and
- * rrset_exists() calls dns_db_findnode() which
- * may try to reacquire it. To avoid deadlock
- * we must pause the iterator first.
- */
- CHECK(dns_dbiterator_pause(dbit));
- if (secure) {
- CHECK(rrset_exists(db, ver, newname,
- dns_rdatatype_nsec, 0, &has_nsec));
- } else {
- dns_fixedname_t ffound;
- dns_name_t *found;
- dns_fixedname_init(&ffound);
- found = dns_fixedname_name(&ffound);
- result = dns_db_find(db, newname, ver,
- dns_rdatatype_soa,
- DNS_DBFIND_NOWILD, 0, NULL, found,
- NULL, NULL);
- if (result == ISC_R_SUCCESS ||
- result == DNS_R_EMPTYNAME ||
- result == DNS_R_NXRRSET ||
- result == DNS_R_CNAME ||
- (result == DNS_R_DELEGATION &&
- dns_name_equal(newname, found))) {
- has_nsec = ISC_TRUE;
- result = ISC_R_SUCCESS;
- } else if (result != DNS_R_NXDOMAIN)
- break;
- }
- } while (! has_nsec);
- failure:
- if (dbit != NULL)
- dns_dbiterator_destroy(&dbit);
-
- return (result);
-}
-
-/*%
- * Add a NSEC record for "name", recording the change in "diff".
- * The existing NSEC is removed.
- */
-static isc_result_t
-add_nsec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
- dns_dbversion_t *ver, dns_name_t *name, dns_ttl_t nsecttl,
- dns_diff_t *diff)
-{
- isc_result_t result;
- dns_dbnode_t *node = NULL;
- unsigned char buffer[DNS_NSEC_BUFFERSIZE];
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_difftuple_t *tuple = NULL;
- dns_fixedname_t fixedname;
- dns_name_t *target;
-
- dns_fixedname_init(&fixedname);
- target = dns_fixedname_name(&fixedname);
-
- /*
- * Find the successor name, aka NSEC target.
- */
- CHECK(next_active(client, zone, db, ver, name, target, ISC_TRUE));
-
- /*
- * Create the NSEC RDATA.
- */
- CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
- dns_rdata_init(&rdata);
- CHECK(dns_nsec_buildrdata(db, ver, node, target, buffer, &rdata));
- dns_db_detachnode(db, &node);
-
- /*
- * Delete the old NSEC and record the change.
- */
- CHECK(delete_if(true_p, db, ver, name, dns_rdatatype_nsec, 0,
- NULL, diff));
- /*
- * Add the new NSEC and record the change.
- */
- CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name,
- nsecttl, &rdata, &tuple));
- CHECK(do_one_tuple(&tuple, db, ver, diff));
- INSIST(tuple == NULL);
-
- failure:
- if (node != NULL)
- dns_db_detachnode(db, &node);
- return (result);
-}
-
-/*%
- * Add a placeholder NSEC record for "name", recording the change in "diff".
- */
-static isc_result_t
-add_placeholder_nsec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
- dns_diff_t *diff)
-{
- isc_result_t result;
- dns_difftuple_t *tuple = NULL;
- isc_region_t r;
- unsigned char data[1] = { 0 }; /* The root domain, no bits. */
- dns_rdata_t rdata = DNS_RDATA_INIT;
-
- r.base = data;
- r.length = sizeof(data);
- dns_rdata_fromregion(&rdata, dns_db_class(db), dns_rdatatype_nsec, &r);
- CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name, 0,
- &rdata, &tuple));
- CHECK(do_one_tuple(&tuple, db, ver, diff));
- failure:
- return (result);
-}
-
-static isc_result_t
-find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
- isc_mem_t *mctx, unsigned int maxkeys,
- dst_key_t **keys, unsigned int *nkeys)
-{
- isc_result_t result;
- dns_dbnode_t *node = NULL;
- const char *directory = dns_zone_getkeydirectory(zone);
- CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
- CHECK(dns_dnssec_findzonekeys2(db, ver, node, dns_db_origin(db),
- directory, mctx, maxkeys, keys, nkeys));
- failure:
- if (node != NULL)
- dns_db_detachnode(db, &node);
- return (result);
-}
-
-/*%
- * Add RRSIG records for an RRset, recording the change in "diff".
- */
-static isc_result_t
-add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
- dns_dbversion_t *ver, dns_name_t *name, dns_rdatatype_t type,
- dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys,
- isc_stdtime_t inception, isc_stdtime_t expire,
- isc_boolean_t check_ksk, isc_boolean_t keyset_kskonly)
-{
- isc_result_t result;
- dns_dbnode_t *node = NULL;
- dns_rdataset_t rdataset;
- dns_rdata_t sig_rdata = DNS_RDATA_INIT;
- isc_buffer_t buffer;
- unsigned char data[1024]; /* XXX */
- unsigned int i, j;
- isc_boolean_t added_sig = ISC_FALSE;
- isc_mem_t *mctx = client->mctx;
-
- dns_rdataset_init(&rdataset);
- isc_buffer_init(&buffer, data, sizeof(data));
-
- /* Get the rdataset to sign. */
- if (type == dns_rdatatype_nsec3)
- CHECK(dns_db_findnsec3node(db, name, ISC_FALSE, &node));
- else
- CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
- CHECK(dns_db_findrdataset(db, node, ver, type, 0,
- (isc_stdtime_t) 0, &rdataset, NULL));
- dns_db_detachnode(db, &node);
-
-#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)
-#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) != 0)
-#define ALG(x) dst_key_alg(x)
-
- /*
- * If we are honoring KSK flags then we need to check that we
- * have both KSK and non-KSK keys that are not revoked per
- * algorithm.
- */
- for (i = 0; i < nkeys; i++) {
- isc_boolean_t both = ISC_FALSE;
-
- if (!dst_key_isprivate(keys[i]))
- continue;
-
- if (check_ksk && !REVOKE(keys[i])) {
- isc_boolean_t have_ksk, have_nonksk;
- if (KSK(keys[i])) {
- have_ksk = ISC_TRUE;
- have_nonksk = ISC_FALSE;
- } else {
- have_ksk = ISC_FALSE;
- have_nonksk = ISC_TRUE;
- }
- for (j = 0; j < nkeys; j++) {
- if (j == i || ALG(keys[i]) != ALG(keys[j]))
- continue;
- if (REVOKE(keys[j]))
- continue;
- if (KSK(keys[j]))
- have_ksk = ISC_TRUE;
- else
- have_nonksk = ISC_TRUE;
- both = have_ksk && have_nonksk;
- if (both)
- break;
- }
- }
-
- if (both) {
- if (type == dns_rdatatype_dnskey) {
- if (!KSK(keys[i]) && keyset_kskonly)
- continue;
- } else if (KSK(keys[i]))
- continue;
- } else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey)
- continue;
-
- /* Calculate the signature, creating a RRSIG RDATA. */
- CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
- &inception, &expire,
- mctx, &buffer, &sig_rdata));
-
- /* Update the database and journal with the RRSIG. */
- /* XXX inefficient - will cause dataset merging */
- CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADDRESIGN, name,
- rdataset.ttl, &sig_rdata));
- dns_rdata_reset(&sig_rdata);
- isc_buffer_init(&buffer, data, sizeof(data));
- added_sig = ISC_TRUE;
- }
- if (!added_sig) {
- update_log(client, zone, ISC_LOG_ERROR,
- "found no active private keys, "
- "unable to generate any signatures");
- result = ISC_R_NOTFOUND;
- }
-
- failure:
- if (dns_rdataset_isassociated(&rdataset))
- dns_rdataset_disassociate(&rdataset);
- if (node != NULL)
- dns_db_detachnode(db, &node);
- return (result);
-}
-
-/*
- * Delete expired RRsigs and any RRsigs we are about to re-sign.
- * See also zone.c:del_sigs().
- */
-static isc_result_t
-del_keysigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
- dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys)
-{
- isc_result_t result;
- dns_dbnode_t *node = NULL;
- dns_rdataset_t rdataset;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- unsigned int i;
- dns_rdata_rrsig_t rrsig;
- isc_boolean_t found;
-
- dns_rdataset_init(&rdataset);
-
- result = dns_db_findnode(db, name, ISC_FALSE, &node);
- if (result == ISC_R_NOTFOUND)
- return (ISC_R_SUCCESS);
- if (result != ISC_R_SUCCESS)
- goto failure;
- result = dns_db_findrdataset(db, node, ver, dns_rdatatype_rrsig,
- dns_rdatatype_dnskey, (isc_stdtime_t) 0,
- &rdataset, NULL);
- dns_db_detachnode(db, &node);
-
- if (result == ISC_R_NOTFOUND)
- return (ISC_R_SUCCESS);
- if (result != ISC_R_SUCCESS)
- goto failure;
-
- for (result = dns_rdataset_first(&rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&rdataset)) {
- dns_rdataset_current(&rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- found = ISC_FALSE;
- for (i = 0; i < nkeys; i++) {
- if (rrsig.keyid == dst_key_id(keys[i])) {
- found = ISC_TRUE;
- if (!dst_key_isprivate(keys[i])) {
- /*
- * The re-signing code in zone.c
- * will mark this as offline.
- * Just skip the record for now.
- */
- break;
- }
- result = update_one_rr(db, ver, diff,
- DNS_DIFFOP_DEL, name,
- rdataset.ttl, &rdata);
- break;
- }
- }
- /*
- * If there is not a matching DNSKEY then delete the RRSIG.
- */
- if (!found)
- result = update_one_rr(db, ver, diff, DNS_DIFFOP_DEL,
- name, rdataset.ttl, &rdata);
- dns_rdata_reset(&rdata);
- if (result != ISC_R_SUCCESS)
- break;
- }
- dns_rdataset_disassociate(&rdataset);
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
-failure:
- if (node != NULL)
- dns_db_detachnode(db, &node);
- return (result);
-}
-
-static isc_result_t
-add_exposed_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
- dns_dbversion_t *ver, dns_name_t *name, isc_boolean_t cut,
- dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys,
- isc_stdtime_t inception, isc_stdtime_t expire,
- isc_boolean_t check_ksk, isc_boolean_t keyset_kskonly)
-{
- isc_result_t result;
- dns_dbnode_t *node;
- dns_rdatasetiter_t *iter;
-
- node = NULL;
- result = dns_db_findnode(db, name, ISC_FALSE, &node);
- if (result == ISC_R_NOTFOUND)
- return (ISC_R_SUCCESS);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- iter = NULL;
- result = dns_db_allrdatasets(db, node, ver,
- (isc_stdtime_t) 0, &iter);
- if (result != ISC_R_SUCCESS)
- goto cleanup_node;
-
- for (result = dns_rdatasetiter_first(iter);
- result == ISC_R_SUCCESS;
- result = dns_rdatasetiter_next(iter))
- {
- dns_rdataset_t rdataset;
- dns_rdatatype_t type;
- isc_boolean_t flag;
-
- dns_rdataset_init(&rdataset);
- dns_rdatasetiter_current(iter, &rdataset);
- type = rdataset.type;
- dns_rdataset_disassociate(&rdataset);
-
- /*
- * We don't need to sign unsigned NSEC records at the cut
- * as they are handled elsewhere.
- */
- if ((type == dns_rdatatype_rrsig) ||
- (cut && type != dns_rdatatype_ds))
- continue;
- result = rrset_exists(db, ver, name, dns_rdatatype_rrsig,
- type, &flag);
- if (result != ISC_R_SUCCESS)
- goto cleanup_iterator;
- if (flag)
- continue;;
- result = add_sigs(client, zone, db, ver, name, type, diff,
- keys, nkeys, inception, expire,
- check_ksk, keyset_kskonly);
- if (result != ISC_R_SUCCESS)
- goto cleanup_iterator;
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
-
- cleanup_iterator:
- dns_rdatasetiter_destroy(&iter);
-
- cleanup_node:
- dns_db_detachnode(db, &node);
-
- return (result);
-}
-
-/*%
- * Update RRSIG, NSEC and NSEC3 records affected by an update. The original
- * update, including the SOA serial update but excluding the RRSIG & NSEC
- * changes, is in "diff" and has already been applied to "newver" of "db".
- * The database version prior to the update is "oldver".
- *
- * The necessary RRSIG, NSEC and NSEC3 changes will be applied to "newver"
- * and added (as a minimal diff) to "diff".
- *
- * The RRSIGs generated will be valid for 'sigvalidityinterval' seconds.
- */
-static isc_result_t
-update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
- dns_dbversion_t *oldver, dns_dbversion_t *newver,
- dns_diff_t *diff, isc_uint32_t sigvalidityinterval)
-{
- isc_result_t result;
- dns_difftuple_t *t;
- dns_diff_t diffnames;
- dns_diff_t affected;
- dns_diff_t sig_diff;
- dns_diff_t nsec_diff;
- dns_diff_t nsec_mindiff;
- isc_boolean_t flag, build_nsec, build_nsec3;
- dst_key_t *zone_keys[MAXZONEKEYS];
- unsigned int nkeys = 0;
- unsigned int i;
- isc_stdtime_t now, inception, expire;
- dns_ttl_t nsecttl;
- dns_rdata_soa_t soa;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdataset_t rdataset;
- dns_dbnode_t *node = NULL;
- isc_boolean_t check_ksk, keyset_kskonly;
- isc_boolean_t unsecure;
- isc_boolean_t cut;
- dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
-
- dns_diff_init(client->mctx, &diffnames);
- dns_diff_init(client->mctx, &affected);
-
- dns_diff_init(client->mctx, &sig_diff);
- sig_diff.resign = dns_zone_getsigresigninginterval(zone);
- dns_diff_init(client->mctx, &nsec_diff);
- dns_diff_init(client->mctx, &nsec_mindiff);
-
- result = find_zone_keys(zone, db, newver, client->mctx,
- MAXZONEKEYS, zone_keys, &nkeys);
- if (result != ISC_R_SUCCESS) {
- update_log(client, zone, ISC_LOG_ERROR,
- "could not get zone keys for secure dynamic update");
- goto failure;
- }
-
- isc_stdtime_get(&now);
- inception = now - 3600; /* Allow for some clock skew. */
- expire = now + sigvalidityinterval;
-
- /*
- * Do we look at the KSK flag on the DNSKEY to determining which
- * keys sign which RRsets? First check the zone option then
- * check the keys flags to make sure at least one has a ksk set
- * and one doesn't.
- */
- check_ksk = ISC_TF((dns_zone_getoptions(zone) &
- DNS_ZONEOPT_UPDATECHECKKSK) != 0);
- keyset_kskonly = ISC_TF((dns_zone_getoptions(zone) &
- DNS_ZONEOPT_DNSKEYKSKONLY) != 0);
-
- /*
- * Get the NSEC/NSEC3 TTL from the SOA MINIMUM field.
- */
- CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
- dns_rdataset_init(&rdataset);
- CHECK(dns_db_findrdataset(db, node, newver, dns_rdatatype_soa, 0,
- (isc_stdtime_t) 0, &rdataset, NULL));
- CHECK(dns_rdataset_first(&rdataset));
- dns_rdataset_current(&rdataset, &rdata);
- CHECK(dns_rdata_tostruct(&rdata, &soa, NULL));
- nsecttl = soa.minimum;
- dns_rdataset_disassociate(&rdataset);
- dns_db_detachnode(db, &node);
-
- /*
- * Find all RRsets directly affected by the update, and
- * update their RRSIGs. Also build a list of names affected
- * by the update in "diffnames".
- */
- CHECK(dns_diff_sort(diff, temp_order));
-
- t = ISC_LIST_HEAD(diff->tuples);
- while (t != NULL) {
- dns_name_t *name = &t->name;
- /* Now "name" is a new, unique name affected by the update. */
-
- CHECK(namelist_append_name(&diffnames, name));
-
- while (t != NULL && dns_name_equal(&t->name, name)) {
- dns_rdatatype_t type;
- type = t->rdata.type;
-
- /*
- * Now "name" and "type" denote a new unique RRset
- * affected by the update.
- */
-
- /* Don't sign RRSIGs. */
- if (type == dns_rdatatype_rrsig)
- goto skip;
-
- /*
- * Delete all old RRSIGs covering this type, since they
- * are all invalid when the signed RRset has changed.
- * We may not be able to recreate all of them - tough.
- * Special case changes to the zone's DNSKEY records
- * to support offline KSKs.
- */
- if (type == dns_rdatatype_dnskey)
- del_keysigs(db, newver, name, &sig_diff,
- zone_keys, nkeys);
- else
- CHECK(delete_if(true_p, db, newver, name,
- dns_rdatatype_rrsig, type,
- NULL, &sig_diff));
-
- /*
- * If this RRset is still visible after the update,
- * add a new signature for it.
- */
- CHECK(rrset_visible(db, newver, name, type, &flag));
- if (flag) {
- CHECK(add_sigs(client, zone, db, newver, name,
- type, &sig_diff, zone_keys,
- nkeys, inception, expire,
- check_ksk, keyset_kskonly));
- }
- skip:
- /* Skip any other updates to the same RRset. */
- while (t != NULL &&
- dns_name_equal(&t->name, name) &&
- t->rdata.type == type)
- {
- t = ISC_LIST_NEXT(t, link);
- }
- }
- }
- update_log(client, zone, ISC_LOG_DEBUG(3), "updated data signatures");
-
- /* Remove orphaned NSECs and RRSIG NSECs. */
- for (t = ISC_LIST_HEAD(diffnames.tuples);
- t != NULL;
- t = ISC_LIST_NEXT(t, link))
- {
- CHECK(non_nsec_rrset_exists(db, newver, &t->name, &flag));
- if (! flag) {
- CHECK(delete_if(true_p, db, newver, &t->name,
- dns_rdatatype_any, 0,
- NULL, &sig_diff));
- }
- }
- update_log(client, zone, ISC_LOG_DEBUG(3),
- "removed any orphaned NSEC records");
-
- /*
- * See if we need to build NSEC or NSEC3 chains.
- */
- CHECK(dns_private_chains(db, newver, privatetype, &build_nsec,
- &build_nsec3));
- if (!build_nsec)
- goto update_nsec3;
-
- update_log(client, zone, ISC_LOG_DEBUG(3), "rebuilding NSEC chain");
-
- /*
- * When a name is created or deleted, its predecessor needs to
- * have its NSEC updated.
- */
- for (t = ISC_LIST_HEAD(diffnames.tuples);
- t != NULL;
- t = ISC_LIST_NEXT(t, link))
- {
- isc_boolean_t existed, exists;
- dns_fixedname_t fixedname;
- dns_name_t *prevname;
-
- dns_fixedname_init(&fixedname);
- prevname = dns_fixedname_name(&fixedname);
-
- CHECK(name_exists(db, oldver, &t->name, &existed));
- CHECK(name_exists(db, newver, &t->name, &exists));
- if (exists == existed)
- continue;
-
- /*
- * Find the predecessor.
- * When names become obscured or unobscured in this update
- * transaction, we may find the wrong predecessor because
- * the NSECs have not yet been updated to reflect the delegation
- * change. This should not matter because in this case,
- * the correct predecessor is either the delegation node or
- * a newly unobscured node, and those nodes are on the
- * "affected" list in any case.
- */
- CHECK(next_active(client, zone, db, newver,
- &t->name, prevname, ISC_FALSE));
- CHECK(namelist_append_name(&affected, prevname));
- }
-
- /*
- * Find names potentially affected by delegation changes
- * (obscured by adding an NS or DNAME, or unobscured by
- * removing one).
- */
- for (t = ISC_LIST_HEAD(diffnames.tuples);
- t != NULL;
- t = ISC_LIST_NEXT(t, link))
- {
- isc_boolean_t ns_existed, dname_existed;
- isc_boolean_t ns_exists, dname_exists;
-
- CHECK(rrset_exists(db, oldver, &t->name, dns_rdatatype_ns, 0,
- &ns_existed));
- CHECK(rrset_exists(db, oldver, &t->name, dns_rdatatype_dname, 0,
- &dname_existed));
- CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_ns, 0,
- &ns_exists));
- CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_dname, 0,
- &dname_exists));
- if ((ns_exists || dname_exists) == (ns_existed || dname_existed))
- continue;
- /*
- * There was a delegation change. Mark all subdomains
- * of t->name as potentially needing a NSEC update.
- */
- CHECK(namelist_append_subdomain(db, &t->name, &affected));
- }
-
- ISC_LIST_APPENDLIST(affected.tuples, diffnames.tuples, link);
- INSIST(ISC_LIST_EMPTY(diffnames.tuples));
-
- CHECK(uniqify_name_list(&affected));
-
- /*
- * Determine which names should have NSECs, and delete/create
- * NSECs to make it so. We don't know the final NSEC targets yet,
- * so we just create placeholder NSECs with arbitrary contents
- * to indicate that their respective owner names should be part of
- * the NSEC chain.
- */
- for (t = ISC_LIST_HEAD(affected.tuples);
- t != NULL;
- t = ISC_LIST_NEXT(t, link))
- {
- isc_boolean_t exists;
- dns_name_t *name = &t->name;
-
- CHECK(name_exists(db, newver, name, &exists));
- if (! exists)
- continue;
- CHECK(is_active(db, newver, name, &flag, &cut, NULL));
- if (!flag) {
- /*
- * This name is obscured. Delete any
- * existing NSEC record.
- */
- CHECK(delete_if(true_p, db, newver, name,
- dns_rdatatype_nsec, 0,
- NULL, &nsec_diff));
- CHECK(delete_if(rrsig_p, db, newver, name,
- dns_rdatatype_any, 0, NULL, diff));
- } else {
- /*
- * This name is not obscured. It needs to have a
- * NSEC unless it is the at the origin, in which
- * case it should already exist if there is a complete
- * NSEC chain and if there isn't a complete NSEC chain
- * we don't want to add one as that would signal that
- * there is a complete NSEC chain.
- */
- if (!dns_name_equal(name, dns_db_origin(db))) {
- CHECK(rrset_exists(db, newver, name,
- dns_rdatatype_nsec, 0,
- &flag));
- if (!flag)
- CHECK(add_placeholder_nsec(db, newver,
- name, diff));
- }
- CHECK(add_exposed_sigs(client, zone, db, newver, name,
- cut, &sig_diff, zone_keys, nkeys,
- inception, expire, check_ksk,
- keyset_kskonly));
- }
- }
-
- /*
- * Now we know which names are part of the NSEC chain.
- * Make them all point at their correct targets.
- */
- for (t = ISC_LIST_HEAD(affected.tuples);
- t != NULL;
- t = ISC_LIST_NEXT(t, link))
- {
- CHECK(rrset_exists(db, newver, &t->name,
- dns_rdatatype_nsec, 0, &flag));
- if (flag) {
- /*
- * There is a NSEC, but we don't know if it is correct.
- * Delete it and create a correct one to be sure.
- * If the update was unnecessary, the diff minimization
- * will take care of eliminating it from the journal,
- * IXFRs, etc.
- *
- * The RRSIG bit should always be set in the NSECs
- * we generate, because they will all get RRSIG NSECs.
- * (XXX what if the zone keys are missing?).
- * Because the RRSIG NSECs have not necessarily been
- * created yet, the correctness of the bit mask relies
- * on the assumption that NSECs are only created if
- * there is other data, and if there is other data,
- * there are other RRSIGs.
- */
- CHECK(add_nsec(client, zone, db, newver, &t->name,
- nsecttl, &nsec_diff));
- }
- }
-
- /*
- * Minimize the set of NSEC updates so that we don't
- * have to regenerate the RRSIG NSECs for NSECs that were
- * replaced with identical ones.
- */
- while ((t = ISC_LIST_HEAD(nsec_diff.tuples)) != NULL) {
- ISC_LIST_UNLINK(nsec_diff.tuples, t, link);
- dns_diff_appendminimal(&nsec_mindiff, &t);
- }
-
- update_log(client, zone, ISC_LOG_DEBUG(3),
- "signing rebuilt NSEC chain");
-
- /* Update RRSIG NSECs. */
- for (t = ISC_LIST_HEAD(nsec_mindiff.tuples);
- t != NULL;
- t = ISC_LIST_NEXT(t, link))
- {
- if (t->op == DNS_DIFFOP_DEL) {
- CHECK(delete_if(true_p, db, newver, &t->name,
- dns_rdatatype_rrsig, dns_rdatatype_nsec,
- NULL, &sig_diff));
- } else if (t->op == DNS_DIFFOP_ADD) {
- CHECK(add_sigs(client, zone, db, newver, &t->name,
- dns_rdatatype_nsec, &sig_diff,
- zone_keys, nkeys, inception, expire,
- check_ksk, keyset_kskonly));
- } else {
- INSIST(0);
- }
- }
-
- update_nsec3:
-
- /* Record our changes for the journal. */
- while ((t = ISC_LIST_HEAD(sig_diff.tuples)) != NULL) {
- ISC_LIST_UNLINK(sig_diff.tuples, t, link);
- dns_diff_appendminimal(diff, &t);
- }
- while ((t = ISC_LIST_HEAD(nsec_mindiff.tuples)) != NULL) {
- ISC_LIST_UNLINK(nsec_mindiff.tuples, t, link);
- dns_diff_appendminimal(diff, &t);
- }
-
- INSIST(ISC_LIST_EMPTY(sig_diff.tuples));
- INSIST(ISC_LIST_EMPTY(nsec_diff.tuples));
- INSIST(ISC_LIST_EMPTY(nsec_mindiff.tuples));
-
- if (!build_nsec3) {
- update_log(client, zone, ISC_LOG_DEBUG(3),
- "no NSEC3 chains to rebuild");
- goto failure;
- }
-
- update_log(client, zone, ISC_LOG_DEBUG(3), "rebuilding NSEC3 chains");
-
- dns_diff_clear(&diffnames);
- dns_diff_clear(&affected);
-
- CHECK(dns_diff_sort(diff, temp_order));
-
- /*
- * Find names potentially affected by delegation changes
- * (obscured by adding an NS or DNAME, or unobscured by
- * removing one).
- */
- t = ISC_LIST_HEAD(diff->tuples);
- while (t != NULL) {
- dns_name_t *name = &t->name;
-
- isc_boolean_t ns_existed, dname_existed;
- isc_boolean_t ns_exists, dname_exists;
- isc_boolean_t exists, existed;
-
- if (t->rdata.type == dns_rdatatype_nsec ||
- t->rdata.type == dns_rdatatype_rrsig) {
- t = ISC_LIST_NEXT(t, link);
- continue;
- }
-
- CHECK(namelist_append_name(&affected, name));
-
- CHECK(rrset_exists(db, oldver, name, dns_rdatatype_ns, 0,
- &ns_existed));
- CHECK(rrset_exists(db, oldver, name, dns_rdatatype_dname, 0,
- &dname_existed));
- CHECK(rrset_exists(db, newver, name, dns_rdatatype_ns, 0,
- &ns_exists));
- CHECK(rrset_exists(db, newver, name, dns_rdatatype_dname, 0,
- &dname_exists));
-
- exists = ns_exists || dname_exists;
- existed = ns_existed || dname_existed;
- if (exists == existed)
- goto nextname;
- /*
- * There was a delegation change. Mark all subdomains
- * of t->name as potentially needing a NSEC3 update.
- */
- CHECK(namelist_append_subdomain(db, name, &affected));
-
- nextname:
- while (t != NULL && dns_name_equal(&t->name, name))
- t = ISC_LIST_NEXT(t, link);
- }
-
- for (t = ISC_LIST_HEAD(affected.tuples);
- t != NULL;
- t = ISC_LIST_NEXT(t, link)) {
- dns_name_t *name = &t->name;
-
- unsecure = ISC_FALSE; /* Silence compiler warning. */
- CHECK(is_active(db, newver, name, &flag, &cut, &unsecure));
-
- if (!flag) {
- CHECK(delete_if(rrsig_p, db, newver, name,
- dns_rdatatype_any, 0, NULL, diff));
- CHECK(dns_nsec3_delnsec3sx(db, newver, name,
- privatetype, &nsec_diff));
- } else {
- CHECK(add_exposed_sigs(client, zone, db, newver, name,
- cut, &sig_diff, zone_keys, nkeys,
- inception, expire, check_ksk,
- keyset_kskonly));
- CHECK(dns_nsec3_addnsec3sx(db, newver, name, nsecttl,
- unsecure, privatetype,
- &nsec_diff));
- }
- }
-
- /*
- * Minimize the set of NSEC3 updates so that we don't
- * have to regenerate the RRSIG NSEC3s for NSEC3s that were
- * replaced with identical ones.
- */
- while ((t = ISC_LIST_HEAD(nsec_diff.tuples)) != NULL) {
- ISC_LIST_UNLINK(nsec_diff.tuples, t, link);
- dns_diff_appendminimal(&nsec_mindiff, &t);
- }
-
- update_log(client, zone, ISC_LOG_DEBUG(3),
- "signing rebuilt NSEC3 chain");
-
- /* Update RRSIG NSEC3s. */
- for (t = ISC_LIST_HEAD(nsec_mindiff.tuples);
- t != NULL;
- t = ISC_LIST_NEXT(t, link))
- {
- if (t->op == DNS_DIFFOP_DEL) {
- CHECK(delete_if(true_p, db, newver, &t->name,
- dns_rdatatype_rrsig,
- dns_rdatatype_nsec3,
- NULL, &sig_diff));
- } else if (t->op == DNS_DIFFOP_ADD) {
- CHECK(add_sigs(client, zone, db, newver, &t->name,
- dns_rdatatype_nsec3,
- &sig_diff, zone_keys, nkeys,
- inception, expire, check_ksk,
- keyset_kskonly));
- } else {
- INSIST(0);
- }
- }
-
- /* Record our changes for the journal. */
- while ((t = ISC_LIST_HEAD(sig_diff.tuples)) != NULL) {
- ISC_LIST_UNLINK(sig_diff.tuples, t, link);
- dns_diff_appendminimal(diff, &t);
- }
- while ((t = ISC_LIST_HEAD(nsec_mindiff.tuples)) != NULL) {
- ISC_LIST_UNLINK(nsec_mindiff.tuples, t, link);
- dns_diff_appendminimal(diff, &t);
- }
-
- INSIST(ISC_LIST_EMPTY(sig_diff.tuples));
- INSIST(ISC_LIST_EMPTY(nsec_diff.tuples));
- INSIST(ISC_LIST_EMPTY(nsec_mindiff.tuples));
-
- failure:
- dns_diff_clear(&sig_diff);
- dns_diff_clear(&nsec_diff);
- dns_diff_clear(&nsec_mindiff);
-
- dns_diff_clear(&affected);
- dns_diff_clear(&diffnames);
-
- for (i = 0; i < nkeys; i++)
- dst_key_free(&zone_keys[i]);
-
- return (result);
-}
-
-
-/**************************************************************************/
/*%
* The actual update code in all its glory. We try to follow
* the RFC2136 pseudocode as closely as possible.
@@ -2684,7 +1515,7 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) {
isc_result_t result;
dns_name_t *zonename;
dns_rdataset_t *zone_rdataset;
- dns_zone_t *zone = NULL;
+ dns_zone_t *zone = NULL, *raw = NULL;
/*
* Interpret the zone section.
@@ -2718,6 +1549,17 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) {
if (result != ISC_R_SUCCESS)
FAILC(DNS_R_NOTAUTH, "not authoritative for update zone");
+ /*
+ * If there is a raw (unsigned) zone associated with this
+ * zone then it processes the UPDATE request.
+ */
+ dns_zone_getraw(zone, &raw);
+ if (raw != NULL) {
+ dns_zone_detach(&zone);
+ dns_zone_attach(raw, &zone);
+ dns_zone_detach(&raw);
+ }
+
switch(dns_zone_gettype(zone)) {
case dns_zone_master:
case dns_zone_dlz:
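Review bot: The comment above the `dns_zone_getraw()` swap says only that the raw zone processes the request, but after the swap every later use of `zone` in ns_update_start, beginning with the `dns_zone_gettype(zone)` switch that follows, is evaluated against the raw zone rather than the zone the client named. That matters for authorization, because the zoneconf.c part of this commit installs the allow-update ACL and the update-policy table on the raw zone (`mayberaw`). I would extend the comment to say so, for example `From here on "zone" is the raw zone; its type, update ACL and update-policy are the ones checked.` The function body continues outside the hunk, so the later checks are inferred rather than visible here.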
@@ -4229,9 +3071,14 @@ update_action(isc_task_t *task, isc_event_t *event) {
&diff));
} else if (has_dnskey && isdnssec(db, ver, privatetype)) {
isc_uint32_t interval;
+ dns_update_log_t log;
+
interval = dns_zone_getsigvalidityinterval(zone);
- result = update_signatures(client, zone, db, oldver,
- ver, &diff, interval);
+ log.func = update_log_cb;
+ log.arg = client;
+ result = dns_update_signatures(&log, zone, db, oldver,
+ ver, &diff, interval);
+
if (result != ISC_R_SUCCESS) {
update_log(client, zone,
ISC_LOG_ERROR,
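Review bot: `log` is a stack `dns_update_log_t` filled member by member in update_action, so any member other than `func` and `arg` would reach `dns_update_signatures()` with an indeterminate value. The struct definition is not on this page, so this may be moot if it has exactly two members. Zeroing it first keeps the call safe if a member is added later: `memset(&log, 0, sizeof(log));` ahead of the two assignments. The enclosing function starts and ends outside the hunk.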
@@ -4499,6 +3346,12 @@ send_forward_event(ns_client_t *client, dns_zone_t *zone) {
isc_task_t *zonetask = NULL;
ns_client_t *evclient;
+ /*
+ * This may take some time so replace this client.
+ */
+ if (!client->mortal && (client->attributes & NS_CLIENTATTR_TCP) == 0)
+ CHECK(ns_client_replace(client));
+
event = (update_event_t *)
isc_event_allocate(client->mctx, client, DNS_EVENT_UPDATE,
forward_action, NULL, sizeof(*event));
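Review bot: The new `CHECK(ns_client_replace(client));` in send_forward_event runs before `event` is allocated, so a failure here takes the function's error exit with whatever value `event` holds at that point. The declaration of `event` and the cleanup label are outside the hunk; if that label frees `event`, the declaration has to be `update_event_t *event = NULL;` for this early exit to be safe. The added comment also does not say why mortal and TCP clients are skipped, and a sentence on that would help the next reader.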
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index e440fbcc..3173074b 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: zoneconf.c,v 1.178 2011-07-01 02:25:47 marka Exp $ */
+/* $Id: zoneconf.c,v 1.182 2011-09-06 22:29:32 smann Exp $ */
/*% */
@@ -786,7 +786,7 @@ checknames(dns_zonetype_t ztype, const cfg_obj_t **maps,
isc_result_t
ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac,
- dns_zone_t *zone)
+ dns_zone_t *zone, dns_zone_t *raw)
{
isc_result_t result;
const char *zname;
@@ -820,6 +820,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
isc_stats_t *zoneqrystats;
isc_boolean_t zonestats_on;
int seconds;
+ dns_zone_t *mayberaw = (raw != NULL) ? raw : zone;
i = 0;
if (zconfig != NULL) {
@@ -851,9 +852,16 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
RETERR(ns_config_getclass(cfg_tuple_get(zconfig, "class"),
vclass, &zclass));
dns_zone_setclass(zone, zclass);
+ if (raw != NULL)
+ dns_zone_setclass(raw, zclass);
ztype = zonetype_fromconfig(zoptions);
- dns_zone_settype(zone, ztype);
+ if (raw != NULL) {
+ dns_zone_settype(raw, ztype);
+ dns_zone_settype(zone, dns_zone_master);
+ } else
+ dns_zone_settype(zone, ztype);
+
obj = NULL;
result = cfg_map_get(zoptions, "database", &obj);
@@ -914,18 +922,40 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
else
INSIST(0);
}
- RETERR(dns_zone_setfile2(zone, filename, masterformat));
+
+ if (raw != NULL) {
+#define SIGNED ".signed"
+ size_t signedlen = strlen(filename) + sizeof(SIGNED);
+ char *signedname;
+
+ RETERR(dns_zone_setfile2(raw, filename, masterformat));
+ signedname = isc_mem_get(mctx, signedlen);
+ if (signedname == NULL)
+ return (ISC_R_NOMEMORY);
+
+ (void)snprintf(signedname, signedlen, "%s" SIGNED, filename);
+ result = dns_zone_setfile2(zone, signedname,
+ dns_masterformat_raw);
+ isc_mem_put(mctx, signedname, signedlen);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ } else
+ RETERR(dns_zone_setfile2(zone, filename, masterformat));
obj = NULL;
result = cfg_map_get(zoptions, "journal", &obj);
if (result == ISC_R_SUCCESS)
- RETERR(dns_zone_setjournal(zone, cfg_obj_asstring(obj)));
+ RETERR(dns_zone_setjournal(mayberaw, cfg_obj_asstring(obj)));
+ /*
+ * Notify messages are processed by the raw zone if it exists.
+ */
if (ztype == dns_zone_slave)
RETERR(configure_zone_acl(zconfig, vconfig, config,
- allow_notify, ac, zone,
+ allow_notify, ac, mayberaw,
dns_zone_setnotifyacl,
dns_zone_clearnotifyacl));
+
/*
* XXXAG This probably does not make sense for stubs.
*/
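Review bot: In the `raw != NULL` branch, `strlen(filename)` and the `"%s"` argument of `snprintf()` both dereference `filename` without a NULL check. The assignment of `filename` is outside the hunk; if it stays NULL when the zone has no `file` option, an inline-signed zone configured without one would hit undefined behaviour at configuration time instead of a clean error. A guard such as `if (raw != NULL && filename == NULL) return (ISC_R_FAILURE);` with a logged message, or an equivalent rejection in the configuration checker, would close that. `SIGNED` is also defined inside the function and never undefined, so an `#undef SIGNED` after the block would keep it from leaking into the rest of the file.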
@@ -955,6 +985,8 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
else
INSIST(0);
}
+ if (raw != NULL)
+ dns_zone_setdialup(raw, dialup);
dns_zone_setdialup(zone, dialup);
obj = NULL;
@@ -994,6 +1026,8 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
else
INSIST(0);
}
+ if (raw != NULL)
+ dns_zone_setnotifytype(raw, dns_notifytype_no);
dns_zone_setnotifytype(zone, notifytype);
obj = NULL;
@@ -1052,6 +1086,8 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
obj = NULL;
result = ns_config_get(maps, "max-journal-size", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
+ if (raw != NULL)
+ dns_zone_setjournalsize(raw, -1);
dns_zone_setjournalsize(zone, -1);
if (cfg_obj_isstring(obj)) {
const char *str = cfg_obj_asstring(obj);
@@ -1071,6 +1107,8 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
}
journal_size = (isc_uint32_t)value;
}
+ if (raw != NULL)
+ dns_zone_setjournalsize(raw, journal_size);
dns_zone_setjournalsize(zone, journal_size);
obj = NULL;
@@ -1086,7 +1124,19 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
ixfrdiff = ISC_TRUE;
else
ixfrdiff = ISC_FALSE;
- dns_zone_setoption(zone, DNS_ZONEOPT_IXFRFROMDIFFS, ixfrdiff);
+ if (raw != NULL) {
+ dns_zone_setoption(raw, DNS_ZONEOPT_IXFRFROMDIFFS,
+ ISC_TRUE);
+ dns_zone_setoption(zone, DNS_ZONEOPT_IXFRFROMDIFFS,
+ ISC_FALSE);
+ } else
+ dns_zone_setoption(zone, DNS_ZONEOPT_IXFRFROMDIFFS,
+ ixfrdiff);
+
+ obj = NULL;
+ result = ns_config_get(maps, "request-ixfr", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ dns_zone_setrequestixfr(zone, cfg_obj_asboolean(obj));
checknames(ztype, maps, &obj);
INSIST(obj != NULL);
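Review bot: When `raw != NULL` the value just computed in `ixfrdiff` from `ixfr-from-differences` is discarded: the raw zone is forced to `ISC_TRUE` and the signed zone to `ISC_FALSE`, with no comment or log message. An operator who set the option explicitly gets no indication that it was overridden, so a short comment is worth adding, e.g. `/* Inline signing: IXFRFROMDIFFS is always set on the raw zone and cleared on the signed zone; the configured value is ignored. */`. Separately, the new `request-ixfr` lookup asserts only `result == ISC_R_SUCCESS` before `cfg_obj_asboolean(obj)`, while the neighbouring `max-journal-size` lookup uses `INSIST(result == ISC_R_SUCCESS && obj != NULL);`, and matching that form would be consistent.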
@@ -1099,8 +1149,21 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
fail = check = ISC_FALSE;
} else
INSIST(0);
- dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMES, check);
- dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMESFAIL, fail);
+ if (raw != NULL) {
+ dns_zone_setoption(raw, DNS_ZONEOPT_CHECKNAMES,
+ check);
+ dns_zone_setoption(raw, DNS_ZONEOPT_CHECKNAMESFAIL,
+ fail);
+ dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMES,
+ ISC_FALSE);
+ dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMESFAIL,
+ ISC_FALSE);
+ } else {
+ dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMES,
+ check);
+ dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMESFAIL,
+ fail);
+ }
obj = NULL;
result = ns_config_get(maps, "notify-delay", &obj);
@@ -1159,11 +1222,11 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
dns_acl_t *updateacl;
RETERR(configure_zone_acl(zconfig, vconfig, config,
- allow_update, ac, zone,
+ allow_update, ac, mayberaw,
dns_zone_setupdateacl,
dns_zone_clearupdateacl));
- updateacl = dns_zone_getupdateacl(zone);
+ updateacl = dns_zone_getupdateacl(mayberaw);
if (updateacl != NULL && dns_acl_isinsecure(updateacl))
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
@@ -1171,7 +1234,11 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
"address, which is insecure",
zname);
- RETERR(configure_zone_ssutable(zoptions, zone, zname));
+ RETERR(configure_zone_ssutable(zoptions, mayberaw, zname));
+ }
+
+ if (ztype == dns_zone_master || raw != NULL) {
+ isc_boolean_t allow = ISC_FALSE, maint = ISC_FALSE;
obj = NULL;
result = ns_config_get(maps, "sig-validity-interval", &obj);
@@ -1236,10 +1303,28 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
INSIST(result == ISC_R_SUCCESS && obj != NULL);
RETERR(dns_zone_setrefreshkeyinterval(zone,
cfg_obj_asuint32(obj)));
- } else if (ztype == dns_zone_slave) {
+
+ obj = NULL;
+ result = cfg_map_get(zoptions, "auto-dnssec", &obj);
+ if (result == ISC_R_SUCCESS) {
+ const char *arg = cfg_obj_asstring(obj);
+ if (strcasecmp(arg, "allow") == 0)
+ allow = ISC_TRUE;
+ else if (strcasecmp(arg, "maintain") == 0)
+ allow = maint = ISC_TRUE;
+ else if (strcasecmp(arg, "off") == 0)
+ ;
+ else
+ INSIST(0);
+ dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, allow);
+ dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, maint);
+ }
+ }
+
+ if (ztype == dns_zone_slave) {
RETERR(configure_zone_acl(zconfig, vconfig, config,
- allow_update_forwarding, ac, zone,
- dns_zone_setforwardacl,
+ allow_update_forwarding, ac,
+ mayberaw, dns_zone_setforwardacl,
dns_zone_clearforwardacl));
}
@@ -1247,15 +1332,13 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
* Primary master functionality.
*/
if (ztype == dns_zone_master) {
- isc_boolean_t allow = ISC_FALSE, maint = ISC_FALSE;
-
obj = NULL;
result = ns_config_get(maps, "check-wildcard", &obj);
if (result == ISC_R_SUCCESS)
check = cfg_obj_asboolean(obj);
else
check = ISC_FALSE;
- dns_zone_setoption(zone, DNS_ZONEOPT_CHECKWILDCARD, check);
+ dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKWILDCARD, check);
obj = NULL;
result = ns_config_get(maps, "check-dup-records", &obj);
@@ -1269,8 +1352,8 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
fail = check = ISC_FALSE;
} else
INSIST(0);
- dns_zone_setoption(zone, DNS_ZONEOPT_CHECKDUPRR, check);
- dns_zone_setoption(zone, DNS_ZONEOPT_CHECKDUPRRFAIL, fail);
+ dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKDUPRR, check);
+ dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKDUPRRFAIL, fail);
obj = NULL;
result = ns_config_get(maps, "check-mx", &obj);
@@ -1284,13 +1367,13 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
fail = check = ISC_FALSE;
} else
INSIST(0);
- dns_zone_setoption(zone, DNS_ZONEOPT_CHECKMX, check);
- dns_zone_setoption(zone, DNS_ZONEOPT_CHECKMXFAIL, fail);
+ dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKMX, check);
+ dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKMXFAIL, fail);
obj = NULL;
result = ns_config_get(maps, "check-integrity", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
- dns_zone_setoption(zone, DNS_ZONEOPT_CHECKINTEGRITY,
+ dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKINTEGRITY,
cfg_obj_asboolean(obj));
obj = NULL;
@@ -1305,8 +1388,8 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
warn = ignore = ISC_TRUE;
} else
INSIST(0);
- dns_zone_setoption(zone, DNS_ZONEOPT_WARNMXCNAME, warn);
- dns_zone_setoption(zone, DNS_ZONEOPT_IGNOREMXCNAME, ignore);
+ dns_zone_setoption(mayberaw, DNS_ZONEOPT_WARNMXCNAME, warn);
+ dns_zone_setoption(mayberaw, DNS_ZONEOPT_IGNOREMXCNAME, ignore);
obj = NULL;
result = ns_config_get(maps, "check-srv-cname", &obj);
@@ -1320,32 +1403,17 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
warn = ignore = ISC_TRUE;
} else
INSIST(0);
- dns_zone_setoption(zone, DNS_ZONEOPT_WARNSRVCNAME, warn);
- dns_zone_setoption(zone, DNS_ZONEOPT_IGNORESRVCNAME, ignore);
+ dns_zone_setoption(mayberaw, DNS_ZONEOPT_WARNSRVCNAME, warn);
+ dns_zone_setoption(mayberaw, DNS_ZONEOPT_IGNORESRVCNAME,
+ ignore);
obj = NULL;
result = ns_config_get(maps, "dnssec-secure-to-insecure", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
- dns_zone_setoption(zone, DNS_ZONEOPT_SECURETOINSECURE,
+ dns_zone_setoption(mayberaw, DNS_ZONEOPT_SECURETOINSECURE,
cfg_obj_asboolean(obj));
obj = NULL;
- result = cfg_map_get(zoptions, "auto-dnssec", &obj);
- if (result == ISC_R_SUCCESS) {
- const char *arg = cfg_obj_asstring(obj);
- if (strcasecmp(arg, "allow") == 0)
- allow = ISC_TRUE;
- else if (strcasecmp(arg, "maintain") == 0)
- allow = maint = ISC_TRUE;
- else if (strcasecmp(arg, "off") == 0)
- ;
- else
- INSIST(0);
- dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, allow);
- dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, maint);
- }
-
- obj = NULL;
result = cfg_map_get(zoptions, "dnssec-update-mode", &obj);
if (result == ISC_R_SUCCESS) {
const char *arg = cfg_obj_asstring(obj);
@@ -1385,12 +1453,12 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
RETERR(ns_config_getipandkeylist(config, obj, mctx,
&addrs, &keynames,
&count));
- result = dns_zone_setmasterswithkeys(zone, addrs,
+ result = dns_zone_setmasterswithkeys(mayberaw, addrs,
keynames, count);
ns_config_putipandkeylist(mctx, &addrs, &keynames,
count);
} else
- result = dns_zone_setmasters(zone, NULL, 0);
+ result = dns_zone_setmasters(mayberaw, NULL, 0);
RETERR(result);
multi = ISC_FALSE;
@@ -1400,59 +1468,63 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
INSIST(result == ISC_R_SUCCESS && obj != NULL);
multi = cfg_obj_asboolean(obj);
}
- dns_zone_setoption(zone, DNS_ZONEOPT_MULTIMASTER, multi);
+ dns_zone_setoption(mayberaw, DNS_ZONEOPT_MULTIMASTER, multi);
obj = NULL;
result = ns_config_get(maps, "max-transfer-time-in", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
- dns_zone_setmaxxfrin(zone, cfg_obj_asuint32(obj) * 60);
+ dns_zone_setmaxxfrin(mayberaw, cfg_obj_asuint32(obj) * 60);
obj = NULL;
result = ns_config_get(maps, "max-transfer-idle-in", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
- dns_zone_setidlein(zone, cfg_obj_asuint32(obj) * 60);
+ dns_zone_setidlein(mayberaw, cfg_obj_asuint32(obj) * 60);
obj = NULL;
result = ns_config_get(maps, "max-refresh-time", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
- dns_zone_setmaxrefreshtime(zone, cfg_obj_asuint32(obj));
+ dns_zone_setmaxrefreshtime(mayberaw, cfg_obj_asuint32(obj));
obj = NULL;
result = ns_config_get(maps, "min-refresh-time", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
- dns_zone_setminrefreshtime(zone, cfg_obj_asuint32(obj));
+ dns_zone_setminrefreshtime(mayberaw, cfg_obj_asuint32(obj));
obj = NULL;
result = ns_config_get(maps, "max-retry-time", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
- dns_zone_setmaxretrytime(zone, cfg_obj_asuint32(obj));
+ dns_zone_setmaxretrytime(mayberaw, cfg_obj_asuint32(obj));
obj = NULL;
result = ns_config_get(maps, "min-retry-time", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
- dns_zone_setminretrytime(zone, cfg_obj_asuint32(obj));
+ dns_zone_setminretrytime(mayberaw, cfg_obj_asuint32(obj));
obj = NULL;
result = ns_config_get(maps, "transfer-source", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
- RETERR(dns_zone_setxfrsource4(zone, cfg_obj_assockaddr(obj)));
+ RETERR(dns_zone_setxfrsource4(mayberaw,
+ cfg_obj_assockaddr(obj)));
ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
obj = NULL;
result = ns_config_get(maps, "transfer-source-v6", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
- RETERR(dns_zone_setxfrsource6(zone, cfg_obj_assockaddr(obj)));
+ RETERR(dns_zone_setxfrsource6(mayberaw,
+ cfg_obj_assockaddr(obj)));
ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
obj = NULL;
result = ns_config_get(maps, "alt-transfer-source", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
- RETERR(dns_zone_setaltxfrsource4(zone, cfg_obj_assockaddr(obj)));
+ RETERR(dns_zone_setaltxfrsource4(mayberaw,
+ cfg_obj_assockaddr(obj)));
obj = NULL;
result = ns_config_get(maps, "alt-transfer-source-v6", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
- RETERR(dns_zone_setaltxfrsource6(zone, cfg_obj_assockaddr(obj)));
+ RETERR(dns_zone_setaltxfrsource6(mayberaw,
+ cfg_obj_assockaddr(obj)));
obj = NULL;
(void)ns_config_get(maps, "use-alt-transfer-source", &obj);
@@ -1468,11 +1540,11 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
alt = ISC_FALSE;
} else
alt = cfg_obj_asboolean(obj);
- dns_zone_setoption(zone, DNS_ZONEOPT_USEALTXFRSRC, alt);
+ dns_zone_setoption(mayberaw, DNS_ZONEOPT_USEALTXFRSRC, alt);
obj = NULL;
(void)ns_config_get(maps, "try-tcp-refresh", &obj);
- dns_zone_setoption(zone, DNS_ZONEOPT_TRYTCPREFRESH,
+ dns_zone_setoption(mayberaw, DNS_ZONEOPT_TRYTCPREFRESH,
cfg_obj_asboolean(obj));
break;
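Review bot: The `try-tcp-refresh` lookup just above the changed call discards its result with `(void)` and then passes `obj` straight to `cfg_obj_asboolean()`, while other options in this function (for example `max-transfer-time-in`) assert the lookup first. If the option were ever missing from the defaults, `obj` would still be NULL at that call. I would match the neighbours with `result = ns_config_get(maps, "try-tcp-refresh", &obj);` followed by `INSIST(result == ISC_R_SUCCESS && obj != NULL);`. The enclosing function starts and ends outside this hunk.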
@@ -1540,7 +1612,18 @@ ns_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
if (!((cfilename == NULL && zfilename == NULL) ||
(cfilename != NULL && zfilename != NULL &&
strcmp(cfilename, zfilename) == 0)))
- return (ISC_FALSE);
+ return (ISC_FALSE);
+
+ obj = NULL;
+ (void)cfg_map_get(zoptions, "signing", &obj);
+ if (obj == NULL || !cfg_obj_asboolean(obj)) {
+ dns_zone_t *raw = NULL;
+ dns_zone_getraw(zone, &raw);
+ if (raw != NULL) {
+ dns_zone_detach(&raw);
+ return (ISC_FALSE);
+ }
+ }
return (ISC_TRUE);
}
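Review bot: The new `signing` test only refuses reuse in one direction: signing is off or absent while `dns_zone_getraw()` still returns a raw zone. The opposite transition, where `signing` is now true and `raw` is NULL, falls through to `return (ISC_TRUE)`. Unless that case is rejected elsewhere, a reload that turns signing on could keep the existing unsigned zone object. Consider fetching `raw` once, also returning `ISC_FALSE` when the option is true and `raw == NULL`, and adding a comment such as `/* A change in the signing setting needs a new zone object. */`. ns_zone_reusable() begins outside this hunk.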
diff --git a/bin/tests/adb_test.c b/bin/tests/adb_test.c
index dc1f16ac..1bbe02a3 100644
--- a/bin/tests/adb_test.c
+++ b/bin/tests/adb_test.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: adb_test.c,v 1.70 2009-09-02 23:48:01 tbox Exp $ */
+/* $Id: adb_test.c,v 1.73 2011-08-30 23:46:51 tbox Exp $ */
/*! \file */
@@ -264,9 +264,8 @@ lookup(const char *target) {
result = dns_adb_createfind(adb, t2, lookup_callback, client,
&client->name, dns_rootname, 0, options,
now, NULL, view->dstport, &client->find);
-#if 0
- check_result(result, "dns_adb_createfind()");
-#endif
+ if (result != ISC_R_SUCCESS)
+ printf("DNS_ADB_CREATEFIND -> %s\n", dns_result_totext(result));
dns_adb_dumpfind(client->find, stderr);
if ((client->find->options & DNS_ADBFIND_WANTEVENT) != 0) {
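Review bot: When `dns_adb_createfind()` fails, the added branch only prints the result, and execution continues into `dns_adb_dumpfind(client->find, stderr)` and the `client->find->options` test. Whether `client->find` is valid after a failure is not visible here, so this may dereference a NULL or stale pointer. Leaving lookup() after the message, with whatever release of `client` the function needs, would avoid that. The message also goes to stdout while the dump goes to stderr, which splits the failure output. lookup() starts and ends outside this hunk.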
@@ -414,7 +413,9 @@ main(int argc, char **argv) {
dns_view_detach(&view);
adb = NULL;
+ fprintf(stderr, "Destroying socket manager\n");
isc_socketmgr_destroy(&socketmgr);
+ fprintf(stderr, "Destroying timer manager\n");
isc_timermgr_destroy(&timermgr);
fprintf(stderr, "Destroying task manager\n");
diff --git a/bin/tests/cfg_test.c b/bin/tests/cfg_test.c
index 9fb74cf3..461b80ab 100644
--- a/bin/tests/cfg_test.c
+++ b/bin/tests/cfg_test.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001, 2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: cfg_test.c,v 1.23 2010-01-11 23:48:37 tbox Exp $ */
+/* $Id: cfg_test.c,v 1.25 2011-09-05 23:46:54 tbox Exp $ */
/*! \file */
@@ -49,7 +49,7 @@ check_result(isc_result_t result, const char *format, ...) {
static void
output(void *closure, const char *text, int textlen) {
UNUSED(closure);
- (void) isc_util_fwrite(text, 1, textlen, stdout);
+ (void) fwrite(text, 1, textlen, stdout);
}
static void
diff --git a/bin/tests/db_test.c b/bin/tests/db_test.c
index d2e81cfb..c742ae9f 100644
--- a/bin/tests/db_test.c
+++ b/bin/tests/db_test.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: db_test.c,v 1.68 2009-09-02 23:48:01 tbox Exp $ */
+/* $Id: db_test.c,v 1.70 2011-08-29 23:46:44 tbox Exp $ */
/*! \file
* \author
@@ -70,14 +70,10 @@ static isc_boolean_t ascending = ISC_TRUE;
static void
print_result(const char *message, isc_result_t result) {
- size_t len;
- if (message == NULL) {
- len = 0;
+ if (message == NULL)
message = "";
- }
- len = strlen(message);
- printf("%s%sresult %08x: %s\n", message, (len == 0U) ? "" : " ",
+ printf("%s%sresult %08x: %s\n", message, (*message == '\0') ? "" : " ",
result, isc_result_totext(result));
}
@@ -449,6 +445,7 @@ main(int argc, char *argv[]) {
argc -= isc_commandline_index;
argv += isc_commandline_index;
+ POST(argv);
if (argc != 0)
printf("ignoring trailing arguments\n");
diff --git a/bin/tests/dst/gsstest.c b/bin/tests/dst/gsstest.c
index 505d471b..b9aee2ce 100755
--- a/bin/tests/dst/gsstest.c
+++ b/bin/tests/dst/gsstest.c
@@ -14,12 +14,13 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: gsstest.c,v 1.16 2011-03-28 05:14:51 marka Exp $ */
+/* $Id: gsstest.c,v 1.18 2011-09-05 17:39:37 each Exp $ */
#include <config.h>
#include <stdlib.h>
#include <string.h>
+#include <time.h>
#include <isc/app.h>
#include <isc/base64.h>
@@ -146,14 +147,14 @@ recvresponse(isc_task_t *task, isc_event_t *event) {
REQUIRE(reqev != NULL);
+ query = reqev->ev_arg;
+
if (reqev->result != ISC_R_SUCCESS) {
fprintf(stderr, "I:request event result: %s\n",
isc_result_totext(reqev->result));
goto end;
}
- query = reqev->ev_arg;
-
response = NULL;
result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &response);
CHECK("dns_message_create", result);
@@ -174,7 +175,7 @@ recvresponse(isc_task_t *task, isc_event_t *event) {
if (response)
dns_message_destroy(&response);
-end:
+ end:
if (query)
dns_message_destroy(&query);
@@ -220,6 +221,8 @@ sendquery(isc_task_t *task, isc_event_t *event)
CHECK("dns_name_fromtext", result);
result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &message);
+ if (result != ISC_R_SUCCESS)
+ goto end;
message->opcode = dns_opcode_query;
message->rdclass = dns_rdataclass_in;
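Review bot: The added check jumps to `end` without reporting the failure, whereas the call just above uses `CHECK("dns_name_fromtext", result)` and recvresponse() uses `CHECK("dns_message_create", result)` for this same function. If CHECK logs and jumps to `end`, as its other uses suggest, `CHECK("dns_message_create", result);` would keep the error visible and the style uniform. The `end` cleanup tests `qname`, `qrdataset` and `message` against NULL, so it relies on all three being NULL-initialised; their declarations are outside the hunk.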
@@ -256,13 +259,13 @@ sendquery(isc_task_t *task, isc_event_t *event)
return;
- end:
- if (qname != NULL)
- dns_message_puttempname(message, &qname);
- if (qrdataset != NULL)
- dns_message_puttemprdataset(message, &qrdataset);
- if (message != NULL)
- dns_message_destroy(&message);
+ end:
+ if (qname != NULL)
+ dns_message_puttempname(message, &qname);
+ if (qrdataset != NULL)
+ dns_message_puttemprdataset(message, &qrdataset);
+ if (message != NULL)
+ dns_message_destroy(&message);
}
static void
@@ -280,14 +283,14 @@ initctx2(isc_task_t *task, isc_event_t *event) {
REQUIRE(reqev != NULL);
+ query = reqev->ev_arg;
+
if (reqev->result != ISC_R_SUCCESS) {
fprintf(stderr, "I:request event result: %s\n",
isc_result_totext(reqev->result));
goto end;
}
- query = reqev->ev_arg;
-
response = NULL;
result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &response);
CHECK("dns_message_create", result);
@@ -331,7 +334,7 @@ initctx2(isc_task_t *task, isc_event_t *event) {
if (response)
dns_message_destroy(&response);
-end:
+ end:
if (query)
dns_message_destroy(&query);
@@ -406,7 +409,7 @@ initctx1(isc_task_t *task, isc_event_t *event) {
CHECK("dns_request_create", result);
return;
-end:
+ end:
event = isc_event_allocate(mctx, (void *)1, 1, console, NULL,
sizeof(*event));
isc_task_send(task, &event);return;
diff --git a/bin/tests/log_test.c b/bin/tests/log_test.c
index 25aaa949..b6735b3c 100644
--- a/bin/tests/log_test.c
+++ b/bin/tests/log_test.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: log_test.c,v 1.28 2011-01-14 00:51:43 tbox Exp $ */
+/* $Id: log_test.c,v 1.29 2011-08-28 23:46:51 marka Exp $ */
/* Principal Authors: DCL */
@@ -27,6 +27,7 @@
#include <isc/commandline.h>
#include <isc/mem.h>
#include <isc/string.h>
+#include <isc/util.h>
#include <dns/log.h>
@@ -94,6 +95,7 @@ main(int argc, char **argv) {
argc -= isc_commandline_index;
argv += isc_commandline_index;
+ POST(argv);
if (argc > 0) {
fprintf(stderr, usage, progname);
diff --git a/bin/tests/nsecify.c b/bin/tests/nsecify.c
index b4b43c55..243cc724 100644
--- a/bin/tests/nsecify.c
+++ b/bin/tests/nsecify.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007-2009, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: nsecify.c,v 1.10 2009-09-02 23:48:01 tbox Exp $ */
+/* $Id: nsecify.c,v 1.12 2011-08-29 23:46:44 tbox Exp $ */
#include <config.h>
@@ -157,6 +157,7 @@ nsecify(char *filename) {
result = dns_db_createiterator(db, 0, &dbiter);
check_result(result, "dns_db_createiterator()");
result = dns_dbiterator_first(dbiter);
+ check_result(result, "dns_dbiterator_first()");
node = NULL;
result = next_active(db, wversion, dbiter, name, &node);
while (result == ISC_R_SUCCESS) {
diff --git a/bin/tests/printmsg.c b/bin/tests/printmsg.c
index e12f3ab6..b0279ee7 100644
--- a/bin/tests/printmsg.c
+++ b/bin/tests/printmsg.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: printmsg.c,v 1.29 2007-06-19 23:46:59 tbox Exp $ */
+/* $Id: printmsg.c,v 1.31 2011-08-25 23:46:42 tbox Exp $ */
#include <config.h>
@@ -77,7 +77,9 @@ printsection(dns_message_t *msg, dns_section_t sectionid,
isc_region_t r;
dns_name_t empty_name;
char t[65536];
+#ifdef USEINITALWS
isc_boolean_t first;
+#endif
isc_boolean_t no_rdata;
if (sectionid == DNS_SECTION_QUESTION)
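Review bot: Guarding `first` with `#ifdef USEINITALWS` here, and its assignment in the next hunk of printsection(), leaves dead code behind a macro that nothing visible defines or documents. If the variable is no longer read, deleting the declaration and the `first = ISC_TRUE;` assignment is clearer than hiding them. If the guard has to stay, it needs a comment saying which build sets the macro and why. printsection() continues outside both hunks.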
@@ -100,7 +102,9 @@ printsection(dns_message_t *msg, dns_section_t sectionid,
dns_message_currentname(msg, sectionid, &name);
isc_buffer_init(&target, t, sizeof(t));
+#ifdef USEINITALWS
first = ISC_TRUE;
+#endif
print_name = name;
for (rdataset = ISC_LIST_HEAD(name->list);
@@ -159,7 +163,6 @@ printrdata(dns_message_t *msg, dns_rdataset_t *rdataset, dns_name_t *owner,
isc_result_t
printmessage(dns_message_t *msg) {
- isc_boolean_t did_flag = ISC_FALSE;
isc_result_t result;
dns_rdataset_t *opt, *tsig;
dns_name_t *tsigname;
@@ -169,35 +172,21 @@ printmessage(dns_message_t *msg) {
printf(";; ->>HEADER<<- opcode: %s, status: %s, id: %u\n",
opcodetext[msg->opcode], rcodetext[msg->rcode], msg->id);
- printf(";; flags: ");
- if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) {
- printf("qr");
- did_flag = ISC_TRUE;
- }
- if ((msg->flags & DNS_MESSAGEFLAG_AA) != 0) {
- printf("%saa", did_flag ? " " : "");
- did_flag = ISC_TRUE;
- }
- if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) {
- printf("%stc", did_flag ? " " : "");
- did_flag = ISC_TRUE;
- }
- if ((msg->flags & DNS_MESSAGEFLAG_RD) != 0) {
- printf("%srd", did_flag ? " " : "");
- did_flag = ISC_TRUE;
- }
- if ((msg->flags & DNS_MESSAGEFLAG_RA) != 0) {
- printf("%sra", did_flag ? " " : "");
- did_flag = ISC_TRUE;
- }
- if ((msg->flags & DNS_MESSAGEFLAG_AD) != 0) {
- printf("%sad", did_flag ? " " : "");
- did_flag = ISC_TRUE;
- }
- if ((msg->flags & DNS_MESSAGEFLAG_CD) != 0) {
- printf("%scd", did_flag ? " " : "");
- did_flag = ISC_TRUE;
- }
+ printf(";; flags:");
+ if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0)
+ printf(" qr");
+ if ((msg->flags & DNS_MESSAGEFLAG_AA) != 0)
+ printf(" aa");
+ if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0)
+ printf(" tc");
+ if ((msg->flags & DNS_MESSAGEFLAG_RD) != 0)
+ printf(" rd");
+ if ((msg->flags & DNS_MESSAGEFLAG_RA) != 0)
+ printf(" ra");
+ if ((msg->flags & DNS_MESSAGEFLAG_AD) != 0)
+ printf(" ad");
+ if ((msg->flags & DNS_MESSAGEFLAG_CD) != 0)
+ printf(" cd");
printf("; QUERY: %u, ANSWER: %u, AUTHORITY: %u, ADDITIONAL: %u\n",
msg->counts[DNS_SECTION_QUESTION],
msg->counts[DNS_SECTION_ANSWER],
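Review bot: For a message with no flag bits set, the header line now prints `;; flags:;` where the old code printed `;; flags: ;`, so the simplification is not byte-identical in that case. Output with at least one flag is unchanged. If any expected-output file or `grep` in the test suite matches the flagless form, it needs updating; otherwise a short comment above `printf(";; flags:");` noting that each flag carries its own leading space would explain the layout. The final printf statement runs past the end of this hunk.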
diff --git a/bin/tests/rbt_test.c b/bin/tests/rbt_test.c
index 1324a811..35fe3f0f 100644
--- a/bin/tests/rbt_test.c
+++ b/bin/tests/rbt_test.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rbt_test.c,v 1.50 2009-09-02 23:48:01 tbox Exp $ */
+/* $Id: rbt_test.c,v 1.52 2011-08-28 23:46:41 tbox Exp $ */
#include <config.h>
@@ -88,7 +88,7 @@ delete_name(void *data, void *arg) {
UNUSED(arg);
name = data;
- isc_mem_put(mctx, data, sizeof(dns_name_t) + DNSNAMELEN);
+ isc_mem_put(mctx, name, sizeof(*name) + DNSNAMELEN);
}
static void
@@ -280,6 +280,7 @@ main(int argc, char **argv) {
argc -= isc_commandline_index;
argv += isc_commandline_index;
+ POST(argv);
if (argc > 1) {
printf("Usage: %s [-m]\n", progname);
diff --git a/bin/tests/rdata_test.c b/bin/tests/rdata_test.c
index bb28484d..937a38d7 100644
--- a/bin/tests/rdata_test.c
+++ b/bin/tests/rdata_test.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rdata_test.c,v 1.51 2011-08-16 03:00:02 marka Exp $ */
+/* $Id: rdata_test.c,v 1.52 2011-08-28 09:10:41 marka Exp $ */
#include <config.h>
@@ -988,6 +988,15 @@ main(int argc, char *argv[]) {
type = token.value.as_ulong;
isc_buffer_init(&tbuf, outbuf, sizeof(outbuf));
result = dns_rdatatype_totext(type, &tbuf);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stdout,
+ "dns_rdatatype_totext "
+ "returned %s(%d)\n",
+ dns_result_totext(result), result);
+ fflush(stdout);
+ need_eol = 1;
+ continue;
+ }
fprintf(stdout, "type = %.*s(%d)\n",
(int)tbuf.used, (char*)tbuf.base, type);
} else if (token.type == isc_tokentype_string) {
@@ -1020,6 +1029,14 @@ main(int argc, char *argv[]) {
class = token.value.as_ulong;
isc_buffer_init(&tbuf, outbuf, sizeof(outbuf));
result = dns_rdatatype_totext(class, &tbuf);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stdout, "dns_rdatatype_totext "
+ "returned %s(%d)\n",
+ dns_result_totext(result), result);
+ fflush(stdout);
+ need_eol = 1;
+ continue;
+ }
fprintf(stdout, "class = %.*s(%d)\n",
(int)tbuf.used, (char*)tbuf.base, class);
} else if (token.type == isc_tokentype_string) {
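Review bot: This branch stores the token in `class` but converts it with `dns_rdatatype_totext(class, &tbuf)`, and the added error text repeats that function name. The call looks like it should be `dns_rdataclass_totext(class, &tbuf)`, with the message changed to match. As written, the `class = ...` line would print the type mnemonic for the same number rather than a class name. main() extends beyond this hunk.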
diff --git a/bin/tests/shutdown_test.c b/bin/tests/shutdown_test.c
index 9e10723d..0264f7ef 100644
--- a/bin/tests/shutdown_test.c
+++ b/bin/tests/shutdown_test.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: shutdown_test.c,v 1.23 2007-06-19 23:46:59 tbox Exp $ */
+/* $Id: shutdown_test.c,v 1.25 2011-08-28 23:46:41 tbox Exp $ */
#include <config.h>
@@ -168,7 +168,7 @@ new_task(isc_mem_t *mctx, const char *name) {
int
main(int argc, char *argv[]) {
unsigned int workers;
- t_info *t1, *t2, *t3;
+ t_info *t1, *t2;
isc_task_t *task;
isc_mem_t *mctx, *mctx2;
@@ -197,7 +197,7 @@ main(int argc, char *argv[]) {
/*
* Test run-triggered shutdown.
*/
- t3 = new_task(mctx2, "foo");
+ (void)new_task(mctx2, "foo");
/*
* Test implicit shutdown.
diff --git a/bin/tests/startperf/README b/bin/tests/startperf/README
index 0f350c2e..0b8185b9 100644
--- a/bin/tests/startperf/README
+++ b/bin/tests/startperf/README
@@ -1,9 +1,17 @@
These scripts generate a named.conf file with an arbitrary number of
small zones, for testing startup performance.
-To generate a test server with 1000 zones, run:
+To generate a test server with 1000 zones each of which contains 5 A
+records, run:
- $ sh setup.sh 1000 > named.conf
+ $ sh setup.sh 1000 5 > named.conf
-Zones are generated with random names, and all of them load from the same
-file: smallzone.db.
+Zones are generated with random names, and the zone files are created
+in the subdirectory "zones".
+
+Or, to generate a test server with 100 zones which all load from the same
+generic file (smallzone.db):
+
+ $ sh setup.sh -s 100 > named.conf
+
+The "number of records" argument is ignored if -s is used.
diff --git a/bin/tests/startperf/clean.sh b/bin/tests/startperf/clean.sh
new file mode 100644
index 00000000..507f7779
--- /dev/null
+++ b/bin/tests/startperf/clean.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: clean.sh,v 1.3 2011-09-02 23:46:31 tbox Exp $
+
+rm -rf zones
+rm -f named.conf
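Review bot: Both `rm` commands act on the current directory, so running this script from anywhere other than bin/tests/startperf recursively removes whatever `zones` directory exists there. Anchoring the script first with `cd "$(dirname "$0")" || exit 1` keeps the deletion inside the test directory. A one-line comment saying these are the files generated by setup.sh would also document why they are safe to delete.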
diff --git a/bin/tests/startperf/makenames.pl b/bin/tests/startperf/makenames.pl
index abc1124f..149bc938 100644
--- a/bin/tests/startperf/makenames.pl
+++ b/bin/tests/startperf/makenames.pl
@@ -14,17 +14,19 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: makenames.pl,v 1.2 2011-07-06 05:05:51 each Exp $
+# $Id: makenames.pl,v 1.3 2011-09-02 21:15:35 each Exp $
use strict;
-die "Usage: makenames.pl <num>" if (@ARGV == 0);
+die "Usage: makenames.pl <num> [<len>]" if (@ARGV == 0 || @ARGV > 2);
+my $len = 10;
+$len = @ARGV[1] if (@ARGV == 2);
my @chars = split("", "abcdefghijklmnopqrstuvwxyz123456789");
srand;
for (my $i = 0; $i < @ARGV[0]; $i++) {
my $name = "";
- for (my $j = 0; $j < 10; $j++) {
+ for (my $j = 0; $j < $len; $j++) {
my $r = rand 35;
$name .= $chars[$r];
}
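Review bot: `$len = @ARGV[1]` takes a one-element array slice where a scalar element is meant, the same form as the existing `@ARGV[0]` in the loop condition; `$len = $ARGV[1] if (@ARGV == 2);` is the idiomatic spelling and stays quiet under warnings. Neither argument is checked to be a positive integer, so a non-numeric length compares as 0 and silently yields empty names. The outer loop closes outside this hunk.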
diff --git a/bin/tests/startperf/mkzonefile.pl b/bin/tests/startperf/mkzonefile.pl
new file mode 100644
index 00000000..8c4b8f2a
--- /dev/null
+++ b/bin/tests/startperf/mkzonefile.pl
@@ -0,0 +1,51 @@
+#!/usr/bin/perl
+#
+# Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: mkzonefile.pl,v 1.2 2011-09-02 21:15:35 each Exp $
+use strict;
+
+die "Usage: makenames.pl zonename num_records" if (@ARGV != 2);
+my $zname = @ARGV[0];
+my $nrecords = @ARGV[1];
+
+my @chars = split("", "abcdefghijklmnopqrstuvwxyz");
+
+print"\$TTL 300 ; 5 minutes
+\$ORIGIN $zname.
+@ IN SOA mname1. . (
+ 2011080201 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3\n";
+
+srand;
+for (my $i = 0; $i < $nrecords; $i++) {
+ my $name = "";
+ for (my $j = 0; $j < 8; $j++) {
+ my $r = rand 25;
+ $name .= $chars[$r];
+ }
+ print "$name" . "\tIN\tA\t";
+ my $x = int rand 254;
+ my $y = int rand 254;
+ my $z = int rand 254;
+ print "10.$x.$y.$z\n";
+}
+
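Review bot: The usage string names the wrong script; it should read `die "Usage: mkzonefile.pl zonename num_records" if (@ARGV != 2);`. `rand 25` indexes only the first 25 of the 26 letters in `@chars`, so `z` is never chosen; `rand @chars` follows the array size. The SOA comment `600 ; minimum (1 hour)` does not match its value, since 600 seconds is ten minutes. `$zname` and `$nrecords` are written into the zone file unchecked, which holds up only while the caller supplies generated names and a numeric count.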
diff --git a/bin/tests/startperf/setup.sh b/bin/tests/startperf/setup.sh
index c5fade97..c3f500be 100644
--- a/bin/tests/startperf/setup.sh
+++ b/bin/tests/startperf/setup.sh
@@ -14,13 +14,30 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: setup.sh,v 1.3 2011-07-07 23:47:49 tbox Exp $
+# $Id: setup.sh,v 1.4 2011-09-02 21:15:35 each Exp $
-if [ "$#" -ne 1 ]; then
- echo "Usage: $0 <number of zones>"
+usage () {
+ echo "Usage: $0 [-s] <number of zones> [<records per zone>]"
+ echo " -s: use the same zone file all zones"
exit 1
+}
+
+if [ "$#" -lt 1 -o "$#" -gt 3 ]; then
+ usage
+fi
+
+single_file=""
+if [ $1 = "-s" ]; then
+ single_file=yes
+ shift
fi
+nzones=$1
+shift
+
+nrecords=5
+[ "$#" -eq 1 ] && nrecords=$1
+
. ../system/conf.sh
cat << EOF
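Review bot: `sh setup.sh -s` passes the argument-count check, after which `nzones=$1` is empty and the next `shift` fails, so the usage text is never shown for that mistake. Re-checking with `[ "$#" -ge 1 ] || usage` after the `-s` shift closes the gap. `[ $1 = "-s" ]` should quote its operand as `[ "$1" = "-s" ]` so an empty or space-containing argument does not break the test. `nzones` and `nrecords` are passed on to the Perl scripts without being checked as numbers. The usage line is also missing a word and should read "use the same zone file for all zones".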
@@ -59,6 +76,12 @@ logging {
EOF
-$PERL makenames.pl $1 | while read zonename; do
+$PERL makenames.pl $nzones | while read zonename; do
+ if [ $single_file ]; then
echo "zone $zonename { type master; file \"smallzone.db\"; };"
+ else
+ [ -d zones ] || mkdir zones
+ $PERL mkzonefile.pl $zonename $nrecords > zones/$zonename.db
+ echo "zone $zonename { type master; file \"zones/$zonename.db\"; };"
+ fi
done
diff --git a/bin/tests/system/cacheclean/tests.sh b/bin/tests/system/cacheclean/tests.sh
index d5802a02..744377b9 100644
--- a/bin/tests/system/cacheclean/tests.sh
+++ b/bin/tests/system/cacheclean/tests.sh
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.8 2011-08-23 00:59:23 each Exp $
+# $Id: tests.sh,v 1.10 2011-09-01 05:28:14 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
@@ -32,22 +32,24 @@ load_cache () {
$RNDC $RNDCOPTS flush
# load the positive cache entries
- $DIG $DIGOPTS txt top1.flushtest.example > /dev/null 2>1
- $DIG $DIGOPTS txt second1.top1.flushtest.example > /dev/null 2>1
- $DIG $DIGOPTS txt third1.second1.top1.flushtest.example > /dev/null 2>1
- $DIG $DIGOPTS txt third2.second1.top1.flushtest.example > /dev/null 2>1
- $DIG $DIGOPTS txt second2.top1.flushtest.example > /dev/null 2>1
- $DIG $DIGOPTS txt second3.top1.flushtest.example > /dev/null 2>1
- $DIG $DIGOPTS txt second1.top2.flushtest.example > /dev/null 2>1
- $DIG $DIGOPTS txt second2.top2.flushtest.example > /dev/null 2>1
- $DIG $DIGOPTS txt second3.top2.flushtest.example > /dev/null 2>1
- $DIG $DIGOPTS txt top3.flushtest.example > /dev/null 2>1
- $DIG $DIGOPTS txt second1.top3.flushtest.example > /dev/null 2>1
- $DIG $DIGOPTS txt third1.second1.top3.flushtest.example > /dev/null 2>1
- $DIG $DIGOPTS txt third2.second1.top3.flushtest.example > /dev/null 2>1
- $DIG $DIGOPTS txt third1.second2.top3.flushtest.example > /dev/null 2>1
- $DIG $DIGOPTS txt third2.second2.top3.flushtest.example > /dev/null 2>1
- $DIG $DIGOPTS txt second3.top3.flushtest.example > /dev/null 2>1
+ $DIG $DIGOPTS -f - << EOF > /dev/null 2>1
+txt top1.flushtest.example
+txt second1.top1.flushtest.example
+txt third1.second1.top1.flushtest.example
+txt third2.second1.top1.flushtest.example
+txt second2.top1.flushtest.example
+txt second3.top1.flushtest.example
+txt second1.top2.flushtest.example
+txt second2.top2.flushtest.example
+txt second3.top2.flushtest.example
+txt top3.flushtest.example
+txt second1.top3.flushtest.example
+txt third1.second1.top3.flushtest.example
+txt third2.second1.top3.flushtest.example
+txt third1.second2.top3.flushtest.example
+txt third2.second2.top3.flushtest.example
+txt second3.top3.flushtest.example
+EOF
# load the negative cache entries
# nxrrset:
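Review bot: The here-document form keeps the old redirection `> /dev/null 2>1`, which writes stderr to a file literally named `1` in the test directory instead of duplicating it onto stdout. The line should be `$DIG $DIGOPTS -f - << EOF > /dev/null 2>&1`. load_cache() continues past this hunk.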
@@ -57,8 +59,8 @@ load_cache () {
# empty nonterminal:
$DIG $DIGOPTS txt second2.top3.flushtest.example > /dev/null
- # sleep one second ensure the TTLs will be lower on cached data
- sleep 1
+ # sleep 2 seconds ensure the TTLs will be lower on cached data
+ sleep 2
}
dump_cache () {
@@ -75,10 +77,10 @@ in_cache () {
ttl=`$DIG $DIGOPTS "$@" | awk '{print $2}'`
[ -z "$ttl" ] && {
ttl=`$DIG $DIGOPTS +noanswer +auth "$@" | awk '{print $2}'`
- [ "$ttl" -eq 3600 ] && return 1
+ [ "$ttl" -ge 3599 ] && return 1
return 0
}
- [ "$ttl" -eq 3600 ] && return 1
+ [ "$ttl" -ge 3599 ] && return 1
return 0
}
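Review bot: In the fallback branch, if the second `$DIG` also prints nothing, `[ "$ttl" -ge 3599 ]` fails on an empty operand, the `&&` is skipped and in_cache returns 0, reporting the name as cached. If a missing answer is meant to count as not cached, add `[ -z "$ttl" ] && return 1` before that comparison. An answer with several records would also put more than one TTL into `$ttl` and break the numeric test in the same way. The function header is outside this hunk.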
@@ -106,7 +108,7 @@ nrecords=`grep flushtest.example ns2/named_dump.db | grep -v '^;' | wc -l`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
-echo "I:check flushing of individual nodes"
+echo "I:check flushing of individual nodes (interior node)"
ret=0
clear_cache
load_cache
@@ -114,12 +116,20 @@ load_cache
in_cache txt top1.flushtest.example || ret=1
$RNDC $RNDCOPTS flushname top1.flushtest.example
in_cache txt top1.flushtest.example && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+echo "I:check flushing of individual nodes (leaf node, under the interior node)"
+ret=0
# leaf node, under the interior node (should still exist)
in_cache txt third2.second1.top1.flushtest.example || ret=1
$RNDC $RNDCOPTS flushname third2.second1.top1.flushtest.example
in_cache txt third2.second1.top1.flushtest.example && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+echo "I:check flushing of individual nodes (another leaf node, with both positive and negative cache entries)"
+ret=0
# another leaf node, with both positive and negative cache entries
in_cache a third1.second1.top1.flushtest.example || ret=1
in_cache txt third1.second1.top1.flushtest.example || ret=1
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index f2bb61b4..2aa3239b 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: conf.sh.in,v 1.68 2011-08-09 02:24:28 marka Exp $
+# $Id: conf.sh.in,v 1.69 2011-08-30 05:16:11 marka Exp $
#
# Common configuration data for system tests, to be sourced into
@@ -54,7 +54,7 @@ JOURNALPRINT=$TOP/bin/tools/named-journalprint
# v6synth
SUBDIRS="acl allow_query addzone autosign builtin cacheclean checkconf
checknames checkzone database dlv dlvauto dlz dlzexternal
- dname dns64 dnssec forward glue gost ixfr limits
+ dname dns64 dnssec forward glue gost ixfr inline limits
logfileconfig lwresd masterfile masterformat metadata notify
nsupdate pending pkcs11 redirect resolver rndc rpz rrsetorder
sortlist smartsign staticstub stub tkey tsig tsiggss unknown
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 895dac0a..9ddd5184 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.92 2011-07-08 01:43:26 each Exp $
+# $Id: tests.sh,v 1.93 2011-09-02 21:55:16 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
@@ -1082,6 +1082,9 @@ $DIG $DIGOPTS normalthenrrsig.secure.example. @10.53.0.4 a > /dev/null || ret=1
ans=`$DIG $DIGOPTS +short normalthenrrsig.secure.example. @10.53.0.4 rrsig` || ret=1
expect=`$DIG $DIGOPTS +short normalthenrrsig.secure.example. @10.53.0.3 rrsig | grep '^A' ` || ret=1
test "$ans" = "$expect" || ret=1
+# also check that RA is set
+$DIG $DIGOPTS normalthenrrsig.secure.example. @10.53.0.4 rrsig > dig.out.ns4.test$n || ret=1
+grep "flags:.*ra.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
@@ -1092,6 +1095,9 @@ echo "I:checking RRSIG query not in cache ($n)"
ret=0
ans=`$DIG $DIGOPTS +short rrsigonly.secure.example. @10.53.0.4 rrsig` || ret=1
test -z "$ans" || ret=1
+# also check that RA is cleared
+$DIG $DIGOPTS rrsigonly.secure.example. @10.53.0.4 rrsig > dig.out.ns4.test$n || ret=1
+grep "flags:.*ra.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
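Review bot: The negative RA assertion `grep "flags:.*ra.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1` also passes when the output has no header line at all, so it cannot tell "RA cleared" from "no usable response". Put `grep "flags:.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1` in front of it so the test first proves a header was received. The same loose pattern is used for the positive check in the preceding hunk (`@@ -1082`); `flags:[^;]* ra[ ;]` would bind the match to the flag list itself in both places.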
diff --git a/bin/tests/system/inline/clean.sh b/bin/tests/system/inline/clean.sh
new file mode 100644
index 00000000..f36b1d12
--- /dev/null
+++ b/bin/tests/system/inline/clean.sh
@@ -0,0 +1,27 @@
+# Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: clean.sh,v 1.2 2011-08-30 23:46:52 tbox Exp $
+
+rm -f */named.memstats
+rm -f */named.run
+rm -f */trusted.conf
+rm -f ns2/bits.db
+rm -f ns3/K*
+rm -f ns3/bits.bk
+rm -f ns3/bits.bk.jnl
+rm -f ns3/bits.bk.signed
+rm -f ns3/bits.bk.signed.jnl
+rm -f ns4/noixfr.db
+rm -f random.data
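Review bot: clean.sh leaves behind files that the rest of this test creates. tests.sh writes `dig.out.ns*.test*`, and setup.sh has to remove `ns3/noixfr.bk*`, `ns2/bits.db.jnl` and `ns4/noixfr.db.jnl` itself because they are not listed here. Adding `rm -f dig.out.ns*.test*`, `rm -f ns3/noixfr.bk*` and `rm -f ns2/bits.db.jnl ns4/noixfr.db.jnl` would leave a clean tree after a run. The explicit removals in setup.sh could then be dropped.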
diff --git a/bin/tests/system/inline/ns1/named.conf b/bin/tests/system/inline/ns1/named.conf
new file mode 100644
index 00000000..61209758
--- /dev/null
+++ b/bin/tests/system/inline/ns1/named.conf
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2 2011-08-30 23:46:52 tbox Exp $ */
+
+// NS1
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-enable yes;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type master;
+ file "root.db.signed";
+};
+
+// include "trusted.conf";
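Review bot: `zone "."` loads `root.db.signed`, but judging from the diffstat and from setup.sh and ns3/sign.sh, nothing in the inline test creates that file under ns1, so the zone presumably fails to load. tests.sh never queries 10.53.0.1 either. Either remove ns1 from this test or add the zone source and signing step. `dnssec-validation yes;` is also set while `include "trusted.conf";` is commented out, which leaves the server with no trust anchor; a short comment such as `// ns1 is a placeholder; no trust anchors are needed by this test` would say whether that is intended.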
diff --git a/bin/tests/system/inline/ns2/bits.db.in b/bin/tests/system/inline/ns2/bits.db.in
new file mode 100644
index 00000000..0d469e29
--- /dev/null
+++ b/bin/tests/system/inline/ns2/bits.db.in
@@ -0,0 +1,134 @@
+; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: bits.db.in,v 1.2 2011-08-30 23:46:52 tbox Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns2 . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns3
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+
+; Used for testing ANY queries
+foo TXT "testing"
+foo A 10.0.1.0
+
+bad-cname CNAME a
+bad-dname DNAME @
+
+; Used for testing CNAME queries
+cname1 CNAME cname1-target
+cname1-target TXT "testing cname"
+
+cname2 CNAME cname2-target
+cname2-target TXT "testing cname"
+
+; Used for testing DNAME queries
+dname1 DNAME dname1-target
+foo.dname1-target TXT "testing dname"
+
+dname2 DNAME dname2-target
+foo.dname2-target TXT "testing dname"
+
+; A secure subdomain
+secure NS ns.secure
+ns.secure A 10.53.0.3
+
+; An insecure subdomain
+insecure NS ns.insecure
+ns.insecure A 10.53.0.3
+
+; A secure subdomain we're going to inject bogus data into
+bogus NS ns.bogus
+ns.bogus A 10.53.0.3
+
+; A dynamic secure subdomain
+dynamic NS dynamic
+dynamic A 10.53.0.3
+
+; A insecure subdomain
+mustbesecure NS ns.mustbesecure
+ns.mustbesecure A 10.53.0.3
+
+; A rfc2535 signed zone w/ CNAME
+rfc2535 NS ns.rfc2535
+ns.rfc2535 A 10.53.0.3
+
+z A 10.0.0.26
+
+keyless NS ns.keyless
+ns.keyless A 10.53.0.3
+
+nsec3 NS ns.nsec3
+ns.nsec3 A 10.53.0.3
+
+optout NS ns.optout
+ns.optout A 10.53.0.3
+
+nsec3-unknown NS ns.nsec3-unknown
+ns.nsec3-unknown A 10.53.0.3
+
+optout-unknown NS ns.optout-unknown
+ns.optout-unknown A 10.53.0.3
+
+multiple NS ns.multiple
+ns.multiple A 10.53.0.3
+
+*.wild A 10.0.0.27
+
+rsasha256 NS ns.rsasha256
+ns.rsasha256 A 10.53.0.3
+
+rsasha512 NS ns.rsasha512
+ns.rsasha512 A 10.53.0.3
+
+kskonly NS ns.kskonly
+ns.kskonly A 10.53.0.3
+
+update-nsec3 NS ns.update-nsec3
+ns.update-nsec3 A 10.53.0.3
+
+auto-nsec NS ns.auto-nsec
+ns.auto-nsec A 10.53.0.3
+
+auto-nsec3 NS ns.auto-nsec3
+ns.auto-nsec3 A 10.53.0.3
+
+
+below-cname CNAME some.where.else.
+
+insecure.below-cname NS ns.insecure.below-cname
+ns.insecure.below-cname A 10.53.0.3
+
+secure.below-cname NS ns.secure.below-cname
+ns.secure.below-cname A 10.53.0.3
+
+ttlpatch NS ns.ttlpatch
+ns.ttlpatch A 10.53.0.3
+
+split-dnssec NS ns.split-dnssec
+ns.split-dnssec A 10.53.0.3
+
+split-smart NS ns.split-smart
+ns.split-smart A 10.53.0.3
diff --git a/bin/tests/system/inline/ns2/named.conf b/bin/tests/system/inline/ns2/named.conf
new file mode 100644
index 00000000..2623fe68
--- /dev/null
+++ b/bin/tests/system/inline/ns2/named.conf
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2 2011-08-30 23:46:52 tbox Exp $ */
+
+// NS2
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ notify-delay 0;
+};
+
+zone "bits" {
+ type master;
+ file "bits.db";
+ allow-update { any; };
+};
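Review bot: `allow-update { any; };` on zone "bits" accepts unsigned dynamic updates from any address that can reach 10.53.0.2 port 5300. ns4/named.conf does the same for "noixfr", and ns3/named.conf has `allow-update-forwarding { any; };` on both slave zones. tests.sh sends its updates without a TSIG key, so the fixture depends on this. Narrowing the ACL to the harness addresses, e.g. `allow-update { 10.53.0.0/24; };`, should keep the test working, assuming nsupdate sources from one of the 10.53.0.x aliases, without leaving an open-update example to copy. At minimum add `// test only: unauthenticated updates` above each statement.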
diff --git a/bin/tests/system/inline/ns3/named.conf b/bin/tests/system/inline/ns3/named.conf
new file mode 100644
index 00000000..e39580bb
--- /dev/null
+++ b/bin/tests/system/inline/ns3/named.conf
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2 2011-08-30 23:46:52 tbox Exp $ */
+
+// NS2
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ try-tcp-refresh no;
+ notify-delay 0;
+};
+
+zone "bits" {
+ type slave;
+ masters { 10.53.0.2; };
+ inline-signing yes;
+ auto-dnssec maintain;
+ allow-update-forwarding { any; };
+ file "bits.bk";
+};
+
+server 10.53.0.4 { request-ixfr no; };
+
+zone "noixfr" {
+ type slave;
+ masters { 10.53.0.4; };
+ inline-signing yes;
+ auto-dnssec maintain;
+ allow-update-forwarding { any; };
+ file "noixfr.bk";
+};
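Review bot: The banner comment `// NS2` is wrong for this file and should read `// NS3`; ns4/named.conf carries the same copied banner and should read `// NS4`. The line `server 10.53.0.4 { request-ixfr no; };` also deserves a comment, since it is what distinguishes the "noixfr" zone from "bits", for example `// never request IXFR from ns4, so the noixfr zone presumably exercises the full-transfer path`.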
diff --git a/bin/tests/system/inline/ns3/sign.sh b/bin/tests/system/inline/ns3/sign.sh
new file mode 100644
index 00000000..fd185cd2
--- /dev/null
+++ b/bin/tests/system/inline/ns3/sign.sh
@@ -0,0 +1,34 @@
+#!/bin/sh -e
+#
+# Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: sign.sh,v 1.2 2011-08-30 23:46:52 tbox Exp $
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data
+
+zone=bits
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+
+zone=noixfr
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
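Review bot: `keyname` is assigned twice per zone and never read, so the ZSK name is overwritten by the KSK name and both are discarded. Either redirect the output to /dev/null or keep them apart as `zsk=` and `ksk=` if a later step is meant to use them. The two zone stanzas are identical apart from `zone=`, so a `for zone in bits noixfr` loop would remove the duplication. The RSASHA1 768-bit and 1024-bit parameters should carry a comment such as `# small RSASHA1 keys: test fixture only` so they are not copied into a real signing setup.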
diff --git a/bin/tests/system/inline/ns4/named.conf b/bin/tests/system/inline/ns4/named.conf
new file mode 100644
index 00000000..df9d9b6f
--- /dev/null
+++ b/bin/tests/system/inline/ns4/named.conf
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2 2011-08-30 23:46:52 tbox Exp $ */
+
+// NS2
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ notify-delay 0;
+};
+
+zone "noixfr" {
+ type master;
+ file "noixfr.db";
+ allow-update { any; };
+};
diff --git a/bin/tests/system/inline/ns4/noixfr.db.in b/bin/tests/system/inline/ns4/noixfr.db.in
new file mode 100644
index 00000000..8fb44da1
--- /dev/null
+++ b/bin/tests/system/inline/ns4/noixfr.db.in
@@ -0,0 +1,134 @@
+; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: noixfr.db.in,v 1.2 2011-08-30 23:46:52 tbox Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns4 . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns3
+ns4 A 10.53.0.4
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+
+; Used for testing ANY queries
+foo TXT "testing"
+foo A 10.0.1.0
+
+bad-cname CNAME a
+bad-dname DNAME @
+
+; Used for testing CNAME queries
+cname1 CNAME cname1-target
+cname1-target TXT "testing cname"
+
+cname2 CNAME cname2-target
+cname2-target TXT "testing cname"
+
+; Used for testing DNAME queries
+dname1 DNAME dname1-target
+foo.dname1-target TXT "testing dname"
+
+dname2 DNAME dname2-target
+foo.dname2-target TXT "testing dname"
+
+; A secure subdomain
+secure NS ns.secure
+ns.secure A 10.53.0.3
+
+; An insecure subdomain
+insecure NS ns.insecure
+ns.insecure A 10.53.0.3
+
+; A secure subdomain we're going to inject bogus data into
+bogus NS ns.bogus
+ns.bogus A 10.53.0.3
+
+; A dynamic secure subdomain
+dynamic NS dynamic
+dynamic A 10.53.0.3
+
+; A insecure subdomain
+mustbesecure NS ns.mustbesecure
+ns.mustbesecure A 10.53.0.3
+
+; A rfc2535 signed zone w/ CNAME
+rfc2535 NS ns.rfc2535
+ns.rfc2535 A 10.53.0.3
+
+z A 10.0.0.26
+
+keyless NS ns.keyless
+ns.keyless A 10.53.0.3
+
+nsec3 NS ns.nsec3
+ns.nsec3 A 10.53.0.3
+
+optout NS ns.optout
+ns.optout A 10.53.0.3
+
+nsec3-unknown NS ns.nsec3-unknown
+ns.nsec3-unknown A 10.53.0.3
+
+optout-unknown NS ns.optout-unknown
+ns.optout-unknown A 10.53.0.3
+
+multiple NS ns.multiple
+ns.multiple A 10.53.0.3
+
+*.wild A 10.0.0.27
+
+rsasha256 NS ns.rsasha256
+ns.rsasha256 A 10.53.0.3
+
+rsasha512 NS ns.rsasha512
+ns.rsasha512 A 10.53.0.3
+
+kskonly NS ns.kskonly
+ns.kskonly A 10.53.0.3
+
+update-nsec3 NS ns.update-nsec3
+ns.update-nsec3 A 10.53.0.3
+
+auto-nsec NS ns.auto-nsec
+ns.auto-nsec A 10.53.0.3
+
+auto-nsec3 NS ns.auto-nsec3
+ns.auto-nsec3 A 10.53.0.3
+
+
+below-cname CNAME some.where.else.
+
+insecure.below-cname NS ns.insecure.below-cname
+ns.insecure.below-cname A 10.53.0.3
+
+secure.below-cname NS ns.secure.below-cname
+ns.secure.below-cname A 10.53.0.3
+
+ttlpatch NS ns.ttlpatch
+ns.ttlpatch A 10.53.0.3
+
+split-dnssec NS ns.split-dnssec
+ns.split-dnssec A 10.53.0.3
+
+split-smart NS ns.split-smart
+ns.split-smart A 10.53.0.3
diff --git a/bin/tests/system/inline/setup.sh b/bin/tests/system/inline/setup.sh
new file mode 100644
index 00000000..c1007d77
--- /dev/null
+++ b/bin/tests/system/inline/setup.sh
@@ -0,0 +1,39 @@
+# Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: setup.sh,v 1.2 2011-08-30 23:46:52 tbox Exp $
+
+sh clean.sh
+
+touch ns2/trusted.conf
+cp ns2/bits.db.in ns2/bits.db
+rm -f ns2/bits.db.jnl
+
+rm -f ns3/bits.bk
+rm -f ns3/bits.bk.jnl
+rm -f ns3/bits.bk.signed
+rm -f ns3/bits.bk.signed.jnl
+
+touch ns4/trusted.conf
+cp ns4/noixfr.db.in ns4/noixfr.db
+rm -f ns4/noixfr.db.jnl
+
+rm -f ns3/noixfr.bk
+rm -f ns3/noixfr.bk.jnl
+rm -f ns3/noixfr.bk.signed
+rm -f ns3/noixfr.bk.signed.jnl
+
+../../../tools/genrandom 400 random.data
+
+(cd ns3; sh -e sign.sh)
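Review bot: `(cd ns3; sh -e sign.sh)` still runs sign.sh when the `cd` fails, which would delete `K*` files and generate keys in the wrong directory; `(cd ns3 && sh -e sign.sh)` avoids that. The script also runs without `-e` and ignores the results of `cp` and `genrandom`, so a missing `bits.db.in` or random file surfaces only later as a confusing test failure. `touch ns2/trusted.conf` and `touch ns4/trusted.conf` create files that neither ns2/named.conf nor ns4/named.conf includes; drop them or add a comment saying what consumes them.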
diff --git a/bin/tests/system/inline/tests.sh b/bin/tests/system/inline/tests.sh
new file mode 100644
index 00000000..73bf5262
--- /dev/null
+++ b/bin/tests/system/inline/tests.sh
@@ -0,0 +1,329 @@
+#!/bin/sh
+#
+# Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: tests.sh,v 1.2 2011-08-30 23:46:52 tbox Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="+tcp +dnssec"
+
+status=0
+n=0
+
+n=`expr $n + 1`
+echo "I:checking that the zone is signed on initial transfer ($n)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ ret=0
+ $DIG $DIGOPTS @10.53.0.3 -p 5300 bits TYPE65534 > dig.out.ns3.test$n
+ grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+ grep "ANSWER: 3," dig.out.ns3.test$n > /dev/null || ret=1
+ records=`grep "TYPE65534.*05[0-9A-F][0-9A-F][0-9A-F][0-9A-F]0001" dig.out.ns3.test$n | wc -l`
+ [ $records = 2 ] || ret=1
+ if [ $ret = 0 ]; then break; fi
+ sleep 1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+$NSUPDATE << EOF
+zone bits
+server 10.53.0.2 5300
+update add added.bits 0 A 1.2.3.4
+send
+EOF
+
+n=`expr $n + 1`
+echo "I:checking that the record is added on the hidden master ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -p 5300 added.bits A > dig.out.ns2.test$n
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that update has been transfered and has been signed ($n)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ ret=0
+ $DIG $DIGOPTS @10.53.0.3 -p 5300 added.bits A > dig.out.ns3.test$n
+ grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+ if [ $ret = 0 ]; then break; fi
+ sleep 1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+$NSUPDATE << EOF
+zone bits
+server 10.53.0.2 5300
+update add bits 0 SOA ns2.bits. . 2011072400 20 20 1814400 3600
+send
+EOF
+
+n=`expr $n + 1`
+echo "I:checking YYYYMMDDVV (2011072400) serial on hidden master ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -p 5300 bits SOA > dig.out.ns2.test$n
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2011072400" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking YYYYMMDDVV (2011072400) serial in signed zone ($n)"
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ ret=0
+ $DIG $DIGOPTS @10.53.0.3 -p 5300 bits SOA > dig.out.ns3.test$n
+ grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+ grep "2011072400" dig.out.ns3.test$n > /dev/null || ret=1
+ if [ $ret = 0 ]; then break; fi
+ sleep 1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo "I:checking that the zone is signed on initial transfer, noixfr ($n)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
+do
+ ret=0
+ $DIG $DIGOPTS @10.53.0.3 -p 5300 noixfr TYPE65534 > dig.out.ns3.test$n
+ grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+ grep "ANSWER: 3," dig.out.ns3.test$n > /dev/null || ret=1
+ records=`grep "TYPE65534.*05[0-9A-F][0-9A-F][0-9A-F][0-9A-F]0001" dig.out.ns3.test$n | wc -l`
+ [ $records = 2 ] || ret=1
+ if [ $ret = 0 ]; then break; fi
+ sleep 1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+$NSUPDATE << EOF
+zone noixfr
+server 10.53.0.4 5300
+update add added.noixfr 0 A 1.2.3.4
+send
+EOF
+
+n=`expr $n + 1`
+echo "I:checking that the record is added on the hidden master, noixfr ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.4 -p 5300 added.noixfr A > dig.out.ns4.test$n
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that update has been transfered and has been signed, noixfr ($n)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
+do
+ ret=0
+ $DIG $DIGOPTS @10.53.0.3 -p 5300 added.noixfr A > dig.out.ns3.test$n
+ grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+ if [ $ret = 0 ]; then break; fi
+ sleep 1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+$NSUPDATE << EOF
+zone noixfr
+server 10.53.0.4 5300
+update add noixfr 0 SOA ns4.noixfr. . 2011072400 20 20 1814400 3600
+send
+EOF
+
+n=`expr $n + 1`
+echo "I:checking YYYYMMDDVV (2011072400) serial on hidden master, noixfr ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.4 -p 5300 noixfr SOA > dig.out.ns4.test$n
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
+grep "2011072400" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking YYYYMMDDVV (2011072400) serial in signed zone, noixfr ($n)"
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ ret=0
+ $DIG $DIGOPTS @10.53.0.3 -p 5300 noixfr SOA > dig.out.ns3.test$n
+ grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+ grep "2011072400" dig.out.ns3.test$n > /dev/null || ret=1
+ if [ $ret = 0 ]; then break; fi
+ sleep 1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:stop bump in the wire signer server ($n)"
+ret=0
+$PERL ../stop.pl . ns3 || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:restart bump in the wire signer server ($n)"
+ret=0
+$PERL ../start.pl --noclean . ns3 || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+$NSUPDATE << EOF
+zone bits
+server 10.53.0.2 5300
+update add bits 0 SOA ns2.bits. . 2011072450 20 20 1814400 3600
+send
+EOF
+
+n=`expr $n + 1`
+echo "I:checking YYYYMMDDVV (2011072450) serial on hidden master ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -p 5300 bits SOA > dig.out.ns2.test$n
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2011072450" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking YYYYMMDDVV (2011072450) serial in signed zone ($n)"
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ ret=0
+ $DIG $DIGOPTS @10.53.0.3 -p 5300 bits SOA > dig.out.ns3.test$n
+ grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+ grep "2011072450" dig.out.ns3.test$n > /dev/null || ret=1
+ if [ $ret = 0 ]; then break; fi
+ sleep 1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+$NSUPDATE << EOF
+zone noixfr
+server 10.53.0.4 5300
+update add noixfr 0 SOA ns4.noixfr. . 2011072450 20 20 1814400 3600
+send
+EOF
+
+n=`expr $n + 1`
+echo "I:checking YYYYMMDDVV (2011072450) serial on hidden master, noixfr ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.4 -p 5300 noixfr SOA > dig.out.ns4.test$n
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
+grep "2011072450" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking YYYYMMDDVV (2011072450) serial in signed zone, noixfr ($n)"
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ ret=0
+ $DIG $DIGOPTS @10.53.0.3 -p 5300 noixfr SOA > dig.out.ns3.test$n
+ grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+ grep "2011072450" dig.out.ns3.test$n > /dev/null || ret=1
+ if [ $ret = 0 ]; then break; fi
+ sleep 1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+$NSUPDATE << EOF
+zone bits
+server 10.53.0.3 5300
+update add bits 0 SOA ns2.bits. . 2011072460 20 20 1814400 3600
+send
+EOF
+
+n=`expr $n + 1`
+echo "I:checking forwarded update on hidden master ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 -p 5300 bits SOA > dig.out.ns2.test$n
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2011072460" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking forwarded update on signed zone ($n)"
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ ret=0
+ $DIG $DIGOPTS @10.53.0.3 -p 5300 bits SOA > dig.out.ns3.test$n
+ grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+ grep "2011072460" dig.out.ns3.test$n > /dev/null || ret=1
+ if [ $ret = 0 ]; then break; fi
+ sleep 1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+$NSUPDATE << EOF
+zone noixfr
+server 10.53.0.3 5300
+update add noixfr 0 SOA ns4.noixfr. . 2011072460 20 20 1814400 3600
+send
+EOF
+
+n=`expr $n + 1`
+echo "I:checking forwarded update on hidden master, noixfr ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.4 -p 5300 noixfr SOA > dig.out.ns4.test$n
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
+grep "2011072460" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking forwarded update on signed zone, noixfr ($n)"
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ ret=0
+ $DIG $DIGOPTS @10.53.0.3 -p 5300 noixfr SOA > dig.out.ns3.test$n
+ grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+ grep "2011072460" dig.out.ns3.test$n > /dev/null || ret=1
+ if [ $ret = 0 ]; then break; fi
+ sleep 1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+exit $status
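Review bot: The "has been transfered and has been signed" checks for added.bits and added.noixfr on 10.53.0.3 only count `ANSWER: 2,`, so any two-record answer passes whether or not one record is a signature. Adding `grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1` inside those loops would tie the assertion to an RRSIG being present; the SOA serial checks on the signed zone have the same gap. The exit status of every `$NSUPDATE << EOF` block is also discarded, so a refused update shows up only as a ten-second timeout in the next loop. The thirty-iteration loops are spelled as `1 2 … 10` three times over; a small retry helper taking a count would make the waits easier to read and adjust.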
diff --git a/bin/tests/system/ixfr/clean.sh b/bin/tests/system/ixfr/clean.sh
index 91e28b84..3846e433 100644
--- a/bin/tests/system/ixfr/clean.sh
+++ b/bin/tests/system/ixfr/clean.sh
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2011 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,9 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.6 2007-09-26 03:22:43 marka Exp $
+# $Id: clean.sh,v 1.8 2011-09-06 23:46:27 tbox Exp $
rm -f ns1/named.conf ns1/myftp.db
+rm -f ns3/*.jnl ns3/mytest.db ns3/subtest.db
+rm -f ns4/*.jnl ns4/*.db
rm -f */named.memstats
diff --git a/bin/tests/system/ixfr/ns3/mytest0.db b/bin/tests/system/ixfr/ns3/mytest0.db
new file mode 100644
index 00000000..c964c6df
--- /dev/null
+++ b/bin/tests/system/ixfr/ns3/mytest0.db
@@ -0,0 +1,31 @@
+; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: mytest0.db,v 1.3 2011-09-07 23:46:27 tbox Exp $
+
+$ORIGIN test.
+$TTL 15
+test. 15 IN SOA ns1.test. hostmaster.test. (
+ 1 ; serial
+ 3H ; refresh
+ 15 ; retry
+ 1w ; expire
+ 3h ; minimum
+ )
+ IN NS ns1.test.
+ IN NS ns2.test.
+ns1 IN A 10.53.0.3
+ns2 IN A 10.53.0.4
+host1 IN A 192.168.10.3
+host2 IN A 192.168.10.4
diff --git a/bin/tests/system/ixfr/ns3/mytest1.db b/bin/tests/system/ixfr/ns3/mytest1.db
new file mode 100644
index 00000000..36ae69bc
--- /dev/null
+++ b/bin/tests/system/ixfr/ns3/mytest1.db
@@ -0,0 +1,31 @@
+; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: mytest1.db,v 1.3 2011-09-07 23:46:27 tbox Exp $
+
+$ORIGIN test.
+$TTL 15
+test. 15 IN SOA ns1.test. hostmaster.test. (
+ 2 ; serial
+ 3H ; refresh
+ 15 ; retry
+ 1w ; expire
+ 3h ; minimum
+ )
+ IN NS ns1.test.
+ IN NS ns2.test.
+ns1 IN A 10.53.0.3
+ns2 IN A 10.53.0.4
+host1 IN A 192.168.10.13
+host2 IN A 192.168.10.4
diff --git a/bin/tests/system/ixfr/ns3/mytest2.db b/bin/tests/system/ixfr/ns3/mytest2.db
new file mode 100644
index 00000000..ca4e4264
--- /dev/null
+++ b/bin/tests/system/ixfr/ns3/mytest2.db
@@ -0,0 +1,31 @@
+; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: mytest2.db,v 1.3 2011-09-07 23:46:27 tbox Exp $
+
+$ORIGIN test.
+$TTL 15
+test. 15 IN SOA ns1.test. hostmaster.test. (
+ 4 ; serial
+ 3H ; refresh
+ 15 ; retry
+ 1w ; expire
+ 3h ; minimum
+ )
+ IN NS ns1.test.
+ IN NS ns2.test.
+ns1 IN A 10.53.0.3
+ns2 IN A 10.53.0.4
+host1 IN A 192.168.10.13
+host2 IN A 192.168.10.14
diff --git a/bin/tests/system/ixfr/ns3/named.conf b/bin/tests/system/ixfr/ns3/named.conf
new file mode 100644
index 00000000..225df371
--- /dev/null
+++ b/bin/tests/system/ixfr/ns3/named.conf
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.3 2011-09-07 23:46:27 tbox Exp $ */
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ allow-transfer { any; };
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-md5;
+};
+
+controls {
+ inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
+};
+
+view "primary" {
+ ixfr-from-differences yes;
+ request-ixfr yes;
+ zone "test" IN {
+ type master;
+ file "mytest.db";
+ };
+ zone "sub.test" IN {
+ type master;
+ file "subtest.db";
+ request-ixfr no;
+ };
+};
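Review bot: The `key rndc_key` block carries a short fixed secret with `hmac-md5`, and both `controls` and `allow-transfer` are opened to `any`, with no comment saying these are fixture values; the same applies to the ns4/named.conf added by this commit. The server only listens on 10.53.0.3, so exposure is limited to the test addresses, but the file is easy to copy as a template. I would add a comment above the key, for example `/* Test-only rndc key and open ACLs; bound to the 10.53.0.x test addresses, do not reuse. */`. Presumably the secret has to match the `../common/rndc.conf` that tests.sh passes to rndc, which is worth stating in the same comment if so.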
diff --git a/bin/tests/system/ixfr/ns3/subtest0.db b/bin/tests/system/ixfr/ns3/subtest0.db
new file mode 100644
index 00000000..5bbeca42
--- /dev/null
+++ b/bin/tests/system/ixfr/ns3/subtest0.db
@@ -0,0 +1,29 @@
+; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: subtest0.db,v 1.3 2011-09-07 23:46:27 tbox Exp $
+
+$ORIGIN sub.test.
+$TTL 15
+sub.test. 15 IN SOA ns1.test. hostmaster.test. (
+ 1 ; serial
+ 3H ; refresh
+ 15 ; retry
+ 1w ; expire
+ 3h ; minimum
+ )
+ IN NS ns1.test.
+ IN NS ns2.test.
+host3 IN A 192.168.10.23
+host4 IN A 192.168.10.24
diff --git a/bin/tests/system/ixfr/ns3/subtest1.db b/bin/tests/system/ixfr/ns3/subtest1.db
new file mode 100644
index 00000000..49b719d9
--- /dev/null
+++ b/bin/tests/system/ixfr/ns3/subtest1.db
@@ -0,0 +1,29 @@
+; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: subtest1.db,v 1.3 2011-09-07 23:46:27 tbox Exp $
+
+$ORIGIN sub.test.
+$TTL 15
+sub.test. 15 IN SOA ns1.test. hostmaster.test. (
+ 3 ; serial
+ 3H ; refresh
+ 15 ; retry
+ 1w ; expire
+ 3h ; minimum
+ )
+ IN NS ns1.test.
+ IN NS ns2.test.
+host3 IN A 192.168.10.123
+host4 IN A 192.168.10.24
diff --git a/bin/tests/system/ixfr/ns4/named.conf b/bin/tests/system/ixfr/ns4/named.conf
new file mode 100644
index 00000000..8b5e0b45
--- /dev/null
+++ b/bin/tests/system/ixfr/ns4/named.conf
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.3 2011-09-07 23:46:28 tbox Exp $ */
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-md5;
+};
+
+controls {
+ inet 10.53.0.4 port 9953 allow { any; } keys { rndc_key; };
+};
+
+view "primary" {
+ ixfr-from-differences yes;
+ request-ixfr yes;
+ zone "test" IN {
+ type slave;
+ file "mytest.db";
+ masters { 10.53.0.3; };
+ };
+ zone "sub.test" IN {
+ type slave;
+ file "subtest.db";
+ request-ixfr no;
+ masters { 10.53.0.3; };
+ };
+};
diff --git a/bin/tests/system/ixfr/setup.sh b/bin/tests/system/ixfr/setup.sh
index 820dd4e9..45259a80 100644
--- a/bin/tests/system/ixfr/setup.sh
+++ b/bin/tests/system/ixfr/setup.sh
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2011 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -15,9 +15,9 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: setup.sh,v 1.4 2007-06-19 23:47:03 tbox Exp $
+# $Id: setup.sh,v 1.6 2011-09-06 23:46:27 tbox Exp $
-rm -f ns1/*.db ns1/*.jnl
+rm -f ns1/*.db ns1/*.jnl ns3/*.jnl ns4/*.jnl
cat <<EOF >ns1/named.conf
options {
@@ -41,3 +41,7 @@ controls {
inet 10.53.0.1 port 9953 allow { any; } keys { rndc_key; };
};
EOF
+
+# Setup initial db files for ns3
+cp ns3/mytest0.db ns3/mytest.db
+cp ns3/subtest0.db ns3/subtest.db
diff --git a/bin/tests/system/ixfr/tests.sh b/bin/tests/system/ixfr/tests.sh
index e3d6aa7c..c304d616 100644
--- a/bin/tests/system/ixfr/tests.sh
+++ b/bin/tests/system/ixfr/tests.sh
@@ -15,7 +15,13 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.7 2011-03-05 23:52:29 tbox Exp $
+# $Id: tests.sh,v 1.8 2011-09-06 22:29:32 smann Exp $
+
+
+# WARNING: The test labelled "testing request-ixfr option in view vs zone"
+# is fragile because it depends upon counting instances of records
+# in the log file - need a better approach <sdm> - until then,
+# if you add any tests above that point, you will break the test.
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
@@ -132,5 +138,67 @@ $DIGCMD nil. TXT | grep 'fallback AXFR' >/dev/null || {
status=1
}
+echo "I:testing ixfr-from-differences option"
+# ns3 is master; ns4 is slave
+$CHECKZONE test. ns3/mytest.db > /dev/null 2>&1
+if [ $? -ne 0 ]
+then
+ echo "I:named-checkzone returned failure on ns3/mytest.db"
+fi
+# modify the master
+#echo "I: digging against master: "
+#$DIG $DIGOPTS @10.53.0.3 -p 5300 a host1.test.
+#echo "I: digging against slave: "
+#$DIG $DIGOPTS @10.53.0.4 -p 5300 a host1.test.
+
+cp ns3/mytest1.db ns3/mytest.db
+$RNDC -s 10.53.0.3 -p 9953 -c ../common/rndc.conf reload
+sleep 2
+
+# slave should have gotten notify and updated
+
+INCR=`grep "test/IN/primary" ns4/named.run|grep "got incremental"|wc -l`
+if [ $INCR -ne 1 ]
+then
+ echo "I:failed to get incremental response"
+ status=1
+fi
+
+echo "I:testing request-ixfr option in view vs zone"
+# There's a view with 2 zones. In the view, "request-ixfr yes"
+# but in the zone "sub.test", request-ixfr no"
+# we want to make sure that a change to sub.test results in AXFR, while
+# changes to test. result in IXFR
+
+echo "I: this result should be AXFR"
+cp ns3/subtest1.db ns3/subtest.db # change to sub.test zone, should be AXFR
+$RNDC -s 10.53.0.3 -p 9953 -c ../common/rndc.conf reload
+sleep 2
+
+echo "I: this result should be AXFR"
+NONINCR=`grep 'sub\.test/IN/primary' ns4/named.run|grep "got nonincremental" | wc -l`
+if [ $NONINCR -ne 2 ]
+then
+ echo "I:failed to get nonincremental response in 2nd AXFR test"
+ status=1
+else
+ echo "I: success: AXFR it was"
+fi
+
+echo "I: this result should be IXFR"
+cp ns3/mytest2.db ns3/mytest.db # change to test zone, should be IXFR
+$RNDC -s 10.53.0.3 -p 9953 -c ../common/rndc.conf reload
+sleep 2
+
+INCR=`grep "test/IN/primary" ns4/named.run|grep "got incremental"|wc -l`
+if [ $INCR -ne 2 ]
+then
+ echo "I:failed to get incremental response in 2nd IXFR test"
+ status=1
+else
+ echo "I: success: IXFR it was"
+fi
+
+
echo "I:exit status: $status"
exit $status
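Review bot: The named-checkzone failure branch at the top of the added block only prints a message and never sets `status=1`, so a broken ns3/mytest.db does not fail the run by itself; add `status=1` after that echo, as the other failure branches do. The three transfer checks depend on a fixed `sleep 2` and on absolute counts of lines in ns4/named.run, so a slow host or one extra transfer changes the outcome; polling for the expected log line with a bounded retry would be steadier. The pattern `"test/IN/primary"` is unanchored and also matches `sub.test/IN/primary` lines, unlike the escaped `'sub\.test/IN/primary'` used for the AXFR count.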
diff --git a/bin/tests/system/upforwd/ans4/ans.pl b/bin/tests/system/upforwd/ans4/ans.pl
new file mode 100644
index 00000000..b5aebc51
--- /dev/null
+++ b/bin/tests/system/upforwd/ans4/ans.pl
@@ -0,0 +1,351 @@
+#!/usr/bin/perl
+#
+# Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: ans.pl,v 1.2 2011-08-31 06:49:10 marka Exp $
+
+#
+# This is the name server from hell. It provides canned
+# responses based on pattern matching the queries, and
+# can be reprogrammed on-the-fly over a TCP connection.
+#
+# The server listens for control connections on port 5301.
+# A control connection is a TCP stream of lines like
+#
+# /pattern/
+# name ttl type rdata
+# name ttl type rdata
+# ...
+# /pattern/
+# name ttl type rdata
+# name ttl type rdata
+# ...
+#
+# There can be any number of patterns, each associated
+# with any number of response RRs. Each pattern is a
+# Perl regular expression.
+#
+# Each incoming query is converted into a string of the form
+# "qname qtype" (the printable query domain name, space,
+# printable query type) and matched against each pattern.
+#
+# The first pattern matching the query is selected, and
+# the RR following the pattern line are sent in the
+# answer section of the response.
+#
+# Each new control connection causes the current set of
+# patterns and responses to be cleared before adding new
+# ones.
+#
+# The server handles UDP and TCP queries. Zone transfer
+# responses work, but must fit in a single 64 k message.
+#
+# Now you can add TSIG, just specify key/key data with:
+#
+# /pattern <key> <key_data>/
+# name ttl type rdata
+# name ttl type rdata
+#
+# Note that this data will still be sent with any request for
+# pattern, only this data will be signed. Currently, this is only
+# done for TCP.
+
+
+use IO::File;
+use IO::Socket;
+use Data::Dumper;
+use Net::DNS;
+use Net::DNS::Packet;
+use strict;
+
+# Ignore SIGPIPE so we won't fail if peer closes a TCP socket early
+local $SIG{PIPE} = 'IGNORE';
+
+# Flush logged output after every line
+local $| = 1;
+
+my $server_addr = "10.53.0.4";
+
+my $udpsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
+ LocalPort => 5300, Proto => "udp", Reuse => 1) or die "$!";
+
+my $tcpsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
+ LocalPort => 5300, Proto => "tcp", Listen => 5, Reuse => 1) or die "$!";
+
+print "listening on $server_addr:5300.\n";
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";;
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+#my @answers = ();
+my @rules;
+sub handleUDP {
+ my ($buf) = @_;
+
+ my ($packet, $err) = new Net::DNS::Packet(\$buf, 0);
+ $err and die $err;
+
+ $packet->header->qr(1);
+ $packet->header->aa(1);
+
+ my @questions = $packet->question;
+ my $qname = $questions[0]->qname;
+ my $qtype = $questions[0]->qtype;
+
+ # get the existing signature if any, and clear the additional section
+ my $prev_tsig;
+ while (my $rr = $packet->pop("additional")) {
+ if ($rr->type eq "TSIG") {
+ $prev_tsig = $rr;
+ }
+ }
+
+ my $r;
+ foreach $r (@rules) {
+ my $pattern = $r->{pattern};
+ my($dbtype, $key_name, $key_data) = split(/ /,$pattern);
+ print "[handleUDP] $dbtype, $key_name, $key_data \n";
+ if ("$qname $qtype" =~ /$dbtype/) {
+ my $a;
+ foreach $a (@{$r->{answer}}) {
+ $packet->push("answer", $a);
+ }
+ if(defined($key_name) && defined($key_data)) {
+ # Sign the packet
+ print " Signing the response with " .
+ "$key_name/$key_data\n";
+ my $tsig = Net::DNS::RR->
+ new("$key_name TSIG $key_data");
+
+ # These kluges are necessary because Net::DNS
+ # doesn't know how to sign responses. We
+ # clear compnames so that the TSIG key and
+ # algorithm name won't be compressed, and
+ # add one to arcount because the signing
+ # function will attempt to decrement it,
+ # which is incorrect in a response. Finally
+ # we set request_mac to the previous digest.
+ $packet->{"compnames"} = {};
+ $packet->{"header"}{"arcount"} += 1;
+ if (defined($prev_tsig)) {
+ my $rmac = pack('n H*',
+ $prev_tsig->mac_size,
+ $prev_tsig->mac);
+ $tsig->{"request_mac"} =
+ unpack("H*", $rmac);
+ }
+
+ $packet->sign_tsig($tsig);
+ }
+ last;
+ }
+ }
+ #$packet->print;
+
+ return $packet->data;
+}
+
+# namelen:
+# given a stream of data, reads a DNS-formatted name and returns its
+# total length, thus making it possible to skip past it.
+sub namelen {
+ my ($data) = @_;
+ my $len = 0;
+ my $label_len = 0;
+ do {
+ $label_len = unpack("c", $data);
+ $data = substr($data, $label_len + 1);
+ $len += $label_len + 1;
+ } while ($label_len != 0);
+ return ($len);
+}
+
+# packetlen:
+# given a stream of data, reads a DNS wire-format packet and returns
+# its total length, making it possible to skip past it.
+sub packetlen {
+ my ($data) = @_;
+ my $q;
+ my $rr;
+
+ my ($header, $offset) = Net::DNS::Header->parse(\$data);
+ for (1 .. $header->qdcount) {
+ ($q, $offset) = Net::DNS::Question->parse(\$data, $offset);
+ }
+ for (1 .. $header->ancount) {
+ ($rr, $offset) = Net::DNS::RR->parse(\$data, $offset);
+ }
+ for (1 .. $header->nscount) {
+ ($rr, $offset) = Net::DNS::RR->parse(\$data, $offset);
+ }
+ for (1 .. $header->arcount) {
+ ($rr, $offset) = Net::DNS::RR->parse(\$data, $offset);
+ }
+ return $offset;
+}
+
+# sign_tcp_continuation:
+# This is a hack to correct the problem that Net::DNS has no idea how
+# to sign multiple-message TCP responses. Several data that are included
+# in the digest when signing a query or the first message of a response are
+# omitted when signing subsequent messages in a TCP stream.
+#
+# Net::DNS::Packet->sign_tsig() has the ability to use a custom signing
+# function (specified by calling Packet->sign_func()). We use this
+# function as the signing function for TCP continuations, and it removes
+# the unwanted data from the digest before calling the default sign_hmac
+# function.
+sub sign_tcp_continuation {
+ my ($key, $data) = @_;
+
+ # copy out first two bytes: size of the previous MAC
+ my $rmacsize = unpack("n", $data);
+ $data = substr($data, 2);
+
+ # copy out previous MAC
+ my $rmac = substr($data, 0, $rmacsize);
+ $data = substr($data, $rmacsize);
+
+ # try parsing out the packet information
+ my $plen = packetlen($data);
+ my $pdata = substr($data, 0, $plen);
+ $data = substr($data, $plen);
+
+ # remove the keyname, ttl, class, and algorithm name
+ $data = substr($data, namelen($data));
+ $data = substr($data, 6);
+ $data = substr($data, namelen($data));
+
+ # preserve the TSIG data
+ my $tdata = substr($data, 0, 8);
+
+ # prepare a new digest and sign with it
+ $data = pack("n", $rmacsize) . $rmac . $pdata . $tdata;
+ return Net::DNS::RR::TSIG::sign_hmac($key, $data);
+}
+
+sub handleTCP {
+ my ($buf) = @_;
+
+ my ($packet, $err) = new Net::DNS::Packet(\$buf, 0);
+ $err and die $err;
+
+ $packet->header->qr(1);
+ $packet->header->aa(1);
+
+ my @questions = $packet->question;
+ my $qname = $questions[0]->qname;
+ my $qtype = $questions[0]->qtype;
+
+ # get the existing signature if any, and clear the additional section
+ my $prev_tsig;
+ my $signer;
+ while (my $rr = $packet->pop("additional")) {
+ if ($rr->type eq "TSIG") {
+ $prev_tsig = $rr;
+ }
+ }
+
+ my @results = ();
+ my $count_these = 0;
+
+ my $r;
+ foreach $r (@rules) {
+ my $pattern = $r->{pattern};
+ my($dbtype, $key_name, $key_data) = split(/ /,$pattern);
+ print "[handleTCP] $dbtype, $key_name, $key_data \n";
+ if ("$qname $qtype" =~ /$dbtype/) {
+ $count_these++;
+ my $a;
+ foreach $a (@{$r->{answer}}) {
+ $packet->push("answer", $a);
+ }
+ if(defined($key_name) && defined($key_data)) {
+ # sign the packet
+ print " Signing the data with " .
+ "$key_name/$key_data\n";
+
+ my $tsig = Net::DNS::RR->
+ new("$key_name TSIG $key_data");
+
+ # These kluges are necessary because Net::DNS
+ # doesn't know how to sign responses. We
+ # clear compnames so that the TSIG key and
+ # algorithm name won't be compressed, and
+ # add one to arcount because the signing
+ # function will attempt to decrement it,
+ # which is incorrect in a response. Finally
+ # we set request_mac to the previous digest.
+ $packet->{"compnames"} = {};
+ $packet->{"header"}{"arcount"} += 1;
+ if (defined($prev_tsig)) {
+ my $rmac = pack('n H*',
+ $prev_tsig->mac_size,
+ $prev_tsig->mac);
+ $tsig->{"request_mac"} =
+ unpack("H*", $rmac);
+ }
+
+ $tsig->sign_func($signer) if defined($signer);
+ $packet->sign_tsig($tsig);
+ $signer = \&sign_tcp_continuation;
+
+ my $copy =
+ Net::DNS::Packet->new(\($packet->data));
+ $prev_tsig = $copy->pop("additional");
+ }
+ #$packet->print;
+ push(@results,$packet->data);
+ $packet = new Net::DNS::Packet(\$buf, 0);
+ $packet->header->qr(1);
+ $packet->header->aa(1);
+ }
+ }
+ print " A total of $count_these patterns matched\n";
+ return \@results;
+}
+
+# Main
+my $rin;
+my $rout;
+for (;;) {
+ $rin = '';
+ vec($rin, fileno($tcpsock), 1) = 1;
+ vec($rin, fileno($udpsock), 1) = 1;
+
+ select($rout = $rin, undef, undef, undef);
+
+ if (vec($rout, fileno($udpsock), 1)) {
+ printf "UDP request\n";
+ my $buf;
+ $udpsock->recv($buf, 512);
+ } elsif (vec($rout, fileno($tcpsock), 1)) {
+ my $conn = $tcpsock->accept;
+ my $buf;
+ for (;;) {
+ my $lenbuf;
+ my $n = $conn->sysread($lenbuf, 2);
+ last unless $n == 2;
+ my $len = unpack("n", $lenbuf);
+ $n = $conn->sysread($buf, $len);
+ }
+ sleep(1);
+ }
+}
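Review bot: The header comment describes a server that returns canned answers and is reprogrammed over a control connection on port 5301, but the main loop at the end of the file only reads each UDP datagram or TCP message and discards it. No control socket is opened, `@rules` is never filled, and `handleUDP`, `handleTCP`, `namelen`, `packetlen` and `sign_tcp_continuation` are never called. If the intent is a master that never answers (the upforwd test in this commit speaks of a "dead master"), replace the header with something like `# Test server: accepts DNS queries on 10.53.0.4:5300 and never replies, to simulate a dead master.` and drop the unused subs. If the handlers are kept for later use, note that both print `$key_name/$key_data`, which would write TSIG key material to the test log once they are wired up.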
diff --git a/bin/tests/system/upforwd/ns3/named.conf b/bin/tests/system/upforwd/ns3/named.conf
index c634871e..61af892d 100644
--- a/bin/tests/system/upforwd/ns3/named.conf
+++ b/bin/tests/system/upforwd/ns3/named.conf
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.10 2007-06-18 23:47:31 tbox Exp $ */
+/* $Id: named.conf,v 1.13 2011-09-02 02:25:07 marka Exp $ */
controls { /* empty */ };
@@ -38,3 +38,10 @@ zone "example" {
allow-update-forwarding { any; };
masters { 10.53.0.1; };
};
+
+zone "nomaster" {
+ type slave;
+ file "nomaster1.db";
+ allow-update-forwarding { any; };
+ masters { 10.53.0.4; };
+};
diff --git a/bin/tests/system/upforwd/ns3/nomaster.db b/bin/tests/system/upforwd/ns3/nomaster.db
new file mode 100644
index 00000000..07748deb
--- /dev/null
+++ b/bin/tests/system/upforwd/ns3/nomaster.db
@@ -0,0 +1,19 @@
+; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: nomaster.db,v 1.3 2011-08-31 23:46:44 tbox Exp $
+
+@ 0 SOA . . 141235 3600 1200 86400 1200
+@ 0 NS ns4
+ns4 0 A 10.53.0.4
diff --git a/bin/tests/system/upforwd/setup.sh b/bin/tests/system/upforwd/setup.sh
index 77838efe..a972febf 100644
--- a/bin/tests/system/upforwd/setup.sh
+++ b/bin/tests/system/upforwd/setup.sh
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2011 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000, 2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,8 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: setup.sh,v 1.8 2007-06-19 23:47:06 tbox Exp $
+# $Id: setup.sh,v 1.10 2011-09-02 23:46:32 tbox Exp $
cp -f ns1/example1.db ns1/example.db
rm -f ns1/example.db.jnl ns2/example.bk ns2/example.bk.jnl
+cp -f ns3/nomaster.db ns3/nomaster1.db
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
index 2eb3b30e..cc12e26b 100644
--- a/bin/tests/system/upforwd/tests.sh
+++ b/bin/tests/system/upforwd/tests.sh
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2011 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000, 2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.10 2007-06-19 23:47:06 tbox Exp $
+# $Id: tests.sh,v 1.12 2011-08-31 23:46:43 tbox Exp $
# ns1 = stealth master
# ns2 = slave with update forwarding disabled; not currently used
@@ -99,5 +99,26 @@ $PERL ../digcomp.pl knowngood.after2 dig.out.ns1 || status=1
$PERL ../digcomp.pl knowngood.after2 dig.out.ns2 || status=1
$PERL ../digcomp.pl knowngood.after2 dig.out.ns3 || status=1
+echo "I:checking update forwarding to dead master"
+count=0
+ret=0
+while [ $count -lt 5 -a $ret -eq 0 ]
+do
+(
+$NSUPDATE -- - <<EOF
+server 10.53.0.3 5300
+zone nomaster
+update add unsigned.nomaster. 600 A 10.10.10.1
+update add unsigned.nomaster. 600 TXT Foo
+send
+EOF
+) > /dev/null 2>&1 &
+ $DIG +notcp +noadd +noauth nomaster.\
+ @10.53.0.3 soa -p 5300 > dig.out.ns3 || ret=1
+ grep "status: NOERROR" dig.out.ns3 > /dev/null || ret=1
+ count=`expr $count + 1`
+done
+if [ $ret != 0 ] ; then echo "I:failed"; status=`expr $status + $ret`; fi
+
echo "I:exit status: $status"
exit $status
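Review bot: The backgrounded nsupdate subshell in the new loop has its output and exit status discarded and is never waited for, so the check passes even if no update was ever sent, and up to five nsupdate processes can outlive the script. What the loop actually asserts is that ns3 keeps answering SOA queries for `nomaster.` while an update is outstanding; say so in a comment such as `# named must keep answering while the update forwarded to the dead master is pending`. It would also help to confirm, by whatever evidence the server log offers, that a forward was attempted. The loop overwrites dig.out.ns3, which earlier checks in this script compare against knowngood.after2, so a separate output file would keep that evidence for debugging.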