64 files changed, 1934 insertions, 295 deletions
@@ -1,4 +1,67 @@ + --- 9.6.0rc1 released --- + +2498. [bug] Removed a bogus function argument used with + ISC_SOCKET_USE_POLLWATCH: it could cause compiler + warning or crash named with the debug 1 level + of logging. [RT #18917] + +2497. [bug] Don't add RRSIG bit to NSEC3 bit map for insecure + delegation. + +2496. [bug] Add sanity length checks to NSID option. [RT #18813] + +2495. [bug] Tighten RRSIG checks. [RT #18795] + +2494. [bug] isc/radix.h, dns/sdlz.h and dns/dlz.h were not being + installed. [RT #18826] + +2493. [bug] The linux capabilities code was not correctly cleaning + up after itself. [RT #18767] + +2492. [func] Rndc status now reports the number of cpus discovered + and the number of worker threads when running + multi-threaded. [RT #18273] + +2491. [func] Attempt to re-use a local port if we are already using + the port. [RT #18548] + +2490. [port] aix: work around a kernel bug where IPV6_RECVPKTINFO + is cleared when IPV6_V6ONLY is set. [RT #18785] + +2489. [port] solaris: Workaround Solaris's kernel bug about + /dev/poll: + http://bugs.opensolaris.org/view_bug.do?bug_id=6724237 + Define ISC_SOCKET_USE_POLLWATCH at build time to enable + this workaround. [RT #18870] + +2488. [func] Added a tool, dnssec-dsfromkey, to generate DS records + from keyset and .key files. [RT #18694] + +2487. [bug] Give TCP connections longer to complete. [RT #18675] + +2486. [func] The default locations for named.pid and lwresd.pid + are now /var/run/named/named.pid and + /var/run/lwresd/lwresd.pid respectively. + + This allows the owner of the containing directory + to be set, for "named -u" support, and allows there + to be a permanent symbolic link in the path, for + "named -t" support. [RT #18306] + +2485. [bug] Change update's the handling of obscured RRSIG + records. Not all orphaned DS records were being + removed. [RT #18828] + +2484. [bug] It was possible to trigger a REQUIRE failure when + adding NSEC3 proofs to the response in + query_addwildcardproof(). 
[RT #18828] + +2483. [port] win32: chroot() is not supported. [RT #18805] + +2482. [port] libxml2: support versions 2.7.* in addition + to 2.6.*. [RT #18806] + --- 9.6.0b1 released --- 2481. [bug] rbtdb.c:matchparams() failed to handle NSEC3 chain @@ -7,9 +70,9 @@ 2480. [bug] named could fail to emit all the required NSEC3 records. [RT #18812] -2479. [bug] xfrout:covers was not properly initalized. [RT #18801] +2479. [bug] xfrout:covers was not properly initialized. [RT #18801] -2478. [bug] 'addresses' could be used uninitalized in +2478. [bug] 'addresses' could be used uninitialized in configure_forward(). [RT #18800] 2477. [bug] dig: the global option to print the command line is @@ -59,7 +122,8 @@ 2463. [port] linux: POSIX doesn't include the IPv6 Advanced Socket API and glibc hides parts of the IPv6 Advanced Socket API as a result. This is stupid as it breaks how the - two halves (Basic and Advanced) of the IPv6 Socket API were designed to be used but we have to live with it. + two halves (Basic and Advanced) of the IPv6 Socket API + were designed to be used but we have to live with it. Define _GNU_SOURCE to pull in the IPv6 Advanced Socket API. [RT #18388] @@ -198,7 +262,7 @@ operating systems without rebuilding named. 2420. [bug] Windows socket handling cleanup. Let the io - completion event send out cancelled read/write + completion event send out canceled read/write done events, which keeps us from writing to memory we no longer have ownership of. Add debugging socket_log() function. Rework TCP socket handling @@ -227,7 +291,7 @@ 2413. [bug] Fixed an unreachable code path in socket.c. [RT #18442] -2412. [bug] win32: address a resourse leak. [RT #18374] +2412. [bug] win32: address a resource leak. [RT #18374] 2411. [bug] Allow using a larger number of sockets than FD_SETSIZE for select(). To enable this, set ISC_SOCKET_MAXSOCKETS 
@@ -1605,7 +1669,7 @@ 1966. [bug] Don't set CD when we have fallen back to plain DNS. [RT #15727] -1965. [func] Suppress spurious "recusion requested but not +1965. [func] Suppress spurious "recursion requested but not available" warning with 'dig +qr'. [RT #15780]. 1964. [func] Separate out MX and SRV to CNAME checks. [RT #15723] @@ -4609,7 +4673,7 @@ 963. [bug] Bad ISC_LANG_ENDDECLS. [RT #1645] 962. [bug] libbind: bad "#undef", don't attempt to install - non-existant nlist.h. [RT #1640] + non-existent nlist.h. [RT #1640] 961. [bug] Tried to use a IPV6 feature when ISC_PLATFORM_HAVEIPV6 was not defined. [RT #1482] @@ -7247,7 +7311,7 @@ 188. [func] Log a warning message when an incoming zone transfer contains out-of-zone data. - 187. [func] isc_ratelimter_enqueue() has an additional argument + 187. [func] isc_ratelimiter_enqueue() has an additional argument 'task'. 186. [func] dns_request_getresponse() has an additional argument @@ -7390,7 +7454,7 @@ masters [ port xxx ] { y.y.y.y [ port zzz ] ; } - 149. [cleanup] Removed usused argument 'olist' from + 149. [cleanup] Removed unused argument 'olist' from dns_c_view_unsetordering(). 148. [cleanup] Stop issuing some warnings about some configuration @@ -7466,7 +7530,7 @@ 128. [cleanup] <isc/dir.h> had ISC_LANG_BEGINDECLS instead of ISC_LANG_ENDDECLS at end of header. - 127. [cleanup] The contracts for the comparision routines + 127. [cleanup] The contracts for the comparison routines dns_name_fullcompare(), dns_name_compare(), dns_name_rdatacompare(), and dns_rdata_compare() now specify that the order value returned is < 0, 0, or > 0 @@ -56,6 +56,9 @@ BIND 9.6.0 The BIND 8 resolver library, libbind, has been removed from the BIND 9 distribution and is now available as a separate download. + Change the default pid file location from /var/run to + /var/run/{named,lwresd} for improved chroot/setuid support. + BIND 9.5.0 BIND 9.5.0 has a number of new features over 9.4, 
@@ -451,6 +454,13 @@ Building To disable the default check set. -DCHECK_SIBLING=0 named-checkzone checks out-of-zone addresses by default. To disable this default set. -DCHECK_LOCAL=0 + To create the default pid files in ${localstatedir}/run rather + than ${localstatedir}/run/{named,lwresd}/ set. + -DNS_RUN_PID_DIR=0 + Enable workaround for Solaris kernel bug about /dev/poll + -DISC_SOCKET_USE_POLLWATCH=1 + The watch timeout is also configurable, e.g., + -DISC_SOCKET_POLLWATCH_TIMEOUT=20 LDFLAGS Linker flags. Defaults to empty string. diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in index fe3edb49..d59a38fb 100644 --- a/bin/dnssec/Makefile.in +++ b/bin/dnssec/Makefile.in @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.34 2008/04/01 23:47:10 tbox Exp $ +# $Id: Makefile.in,v 1.35 2008/11/07 02:28:49 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ 
@@ -40,22 +40,27 @@ LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@ # Alphabetically TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \ - dnssec-keyfromlabel@EXEEXT@ + dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@ OBJS = dnssectool.@O@ -SRCS = dnssec-keyfromlabel.c dnssec-keygen.c dnssec-signzone.c \ - dnssectool.c +SRCS = dnssec-dsfromkey.c dnssec-keyfromlabel.c dnssec-keygen.c \ + dnssec-signzone.c dnssectool.c -MANPAGES = dnssec-keyfromlabel.8 dnssec-keygen.8 dnssec-signzone.8 +MANPAGES = dnssec-dsfromkey.8 dnssec-keyfromlabel.8 dnssec-keygen.8 \ + dnssec-signzone.8 -HTMLPAGES = dnssec-keyfromlabel.html dnssec-keygen.html \ - dnssec-signzone.html +HTMLPAGES = dnssec-dsfromkey.html dnssec-keyfromlabel.html \ + dnssec-keygen.html dnssec-signzone.html MANOBJS = ${MANPAGES} ${HTMLPAGES} @BIND9_MAKE_RULES@ +dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ + dnssec-dsfromkey.@O@ ${OBJS} ${LIBS} + dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS} ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ dnssec-keyfromlabel.@O@ ${OBJS} ${LIBS} diff --git a/bin/dnssec/dnssec-dsfromkey.8 b/bin/dnssec/dnssec-dsfromkey.8 new file mode 100644 index 00000000..4d4cbc96 --- /dev/null +++ b/bin/dnssec/dnssec-dsfromkey.8 
@@ -0,0 +1,124 @@ +.\" Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC") +.\" +.\" Permission to use, copy, modify, and/or distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +.\" PERFORMANCE OF THIS SOFTWARE. +.\" +.\" $Id: dnssec-dsfromkey.8,v 1.5 2008/11/08 01:11:47 tbox Exp $ +.\" +.hy 0 +.ad l +.\" Title: dnssec\-dsfromkey +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> +.\" Date: November 29, 2008 +.\" Manual: BIND9 +.\" Source: BIND9 +.\" +.TH "DNSSEC\-DSFROMKEY" "8" "November 29, 2008" "BIND9" "BIND9" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +dnssec\-dsfromkey \- DNSSEC DS RR generation tool +.SH "SYNOPSIS" +.HP 17 +\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] {keyfile} +.HP 17 +\fBdnssec\-dsfromkey\fR {\-s} [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdir\fR\fR] {dnsname} +.SH "DESCRIPTION" +.PP +\fBdnssec\-dsfromkey\fR +outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s). +.SH "OPTIONS" +.PP +\-1 +.RS 4 +Use SHA\-1 as the digest algorithm (the default is to use both SHA\-1 and SHA\-256). 
+.RE +.PP +\-2 +.RS 4 +Use SHA\-256 as the digest algorithm. +.RE +.PP +\-a \fIalgorithm\fR +.RS 4 +Select the digest algorithm. The value of +\fBalgorithm\fR +must be one of SHA\-1 (SHA1) or SHA\-256 (SHA256). These values are case insensitive. +.RE +.PP +\-v \fIlevel\fR +.RS 4 +Sets the debugging level. +.RE +.PP +\-s +.RS 4 +Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file. Following options make sense only in this mode. +.RE +.PP +\-c \fIclass\fR +.RS 4 +Specifies the DNS class (default is IN), useful only in the keyset mode. +.RE +.PP +\-d \fIdirectory\fR +.RS 4 +Look for +\fIkeyset\fR +files in +\fBdirectory\fR +as the directory, ignored when not in the keyset mode. +.RE +.SH "EXAMPLE" +.PP +To build the SHA\-256 DS RR from the +\fBKexample.com.+003+26160\fR +keyfile name, the following command would be issued: +.PP +\fBdnssec\-dsfromkey \-2 Kexample.com.+003+26160\fR +.PP +The command would print something like: +.PP +\fBexample.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94\fR +.SH "FILES" +.PP +The keyfile can be designed by the key identification +\fIKnnnn.+aaa+iiiii\fR +or the full file name +\fIKnnnn.+aaa+iiiii.key\fR +as generated by +dnssec\-keygen(8). +.PP +The keyset file name is built from the +\fBdirectory\fR, the string +\fIkeyset\-\fR +and the +\fBdnsname\fR. +.SH "CAVEAT" +.PP +A keyfile error can give a "file not found" even if the file exists. +.SH "SEE ALSO" +.PP +\fBdnssec\-keygen\fR(8), +\fBdnssec\-signzone\fR(8), +BIND 9 Administrator Reference Manual, +RFC 3658, +RFC 4509. +.SH "AUTHOR" +.PP +Internet Systems Consortium +.SH "COPYRIGHT" +Copyright \(co 2008 Internet Systems Consortium, Inc. ("ISC") +.br diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c new file mode 100644 index 00000000..d3d1d06f --- /dev/null +++ b/bin/dnssec/dnssec-dsfromkey.c 
@@ -0,0 +1,388 @@
+/*
+ * Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnssec-dsfromkey.c,v 1.2 2008/11/07 02:28:49 marka Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/entropy.h>
+#include <isc/hash.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/ds.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+
+#include <dst/dst.h>
+
+#include "dnssectool.h"
+
+const char *program = "dnssec-dsfromkey";
+int verbose;
+
+static dns_rdataclass_t rdclass;
+static dns_fixedname_t fixed;
+static dns_name_t *name = NULL;
+static dns_db_t *db = NULL;
+static dns_dbnode_t *node = NULL;
+static dns_rdataset_t keyset;
+static isc_mem_t *mctx = NULL;
+
+static void
+loadkeys(char *dirname, char *setname)
+{
+ isc_result_t result;
+ char filename[1024];
+ isc_buffer_t buf;
+
+ dns_rdataset_init(&keyset);
+ dns_fixedname_init(&fixed);
+ name = dns_fixedname_name(&fixed);
+
+ isc_buffer_init(&buf, setname, strlen(setname));
+ isc_buffer_add(&buf, strlen(setname));
+ result = dns_name_fromtext(name, &buf, dns_rootname, ISC_FALSE, NULL);
+ if (result != ISC_R_SUCCESS)
+ fatal("can't convert DNS name %s", setname);
+
+ isc_buffer_init(&buf, filename, sizeof(filename));
+ if (dirname != NULL) {
+ isc_buffer_putstr(&buf, dirname);
+ if (dirname[strlen(dirname) - 1] != '/')
+ isc_buffer_putstr(&buf, "/");
+ }
+ isc_buffer_putstr(&buf, "keyset-");
+ result = dns_name_tofilenametext(name, ISC_FALSE, &buf);
+ check_result(result, "dns_name_tofilenametext()");
+ if (isc_buffer_availablelength(&buf) == 0)
+ fatal("name %s too long", setname);
+ isc_buffer_putuint8(&buf, 0);
+
+ result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
+ rdclass, 0, NULL, &db);
+ if (result != ISC_R_SUCCESS)
+ fatal("can't create database");
+
+ result = dns_db_load(db, filename);
+ if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
+ fatal("can't load %s: %s", filename, isc_result_totext(result));
+
+ result = dns_db_findnode(db, name, ISC_FALSE, &node);
+ if (result != ISC_R_SUCCESS)
+ fatal("can't find %s node in %s", setname, filename);
+
+ result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey,
+ 0, 0, &keyset, NULL);
+ if (result == ISC_R_NOTFOUND)
+ fatal("no DNSKEY RR for %s in %s", setname, filename);
+ else if (result != ISC_R_SUCCESS)
+ fatal("dns_db_findrdataset");
+}
+
+static void
+loadkey(char *filename, dns_rdata_t *rdata)
+{
+ isc_result_t result;
+ dst_key_t *key = NULL;
+ unsigned char key_buf[DST_KEY_MAXSIZE];
+ isc_buffer_t keyb;
+ isc_region_t r;
+
+ dns_rdataset_init(&keyset);
+ dns_rdata_init(rdata);
+
+ isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
+
+ result = dst_key_fromnamedfile(filename, DST_TYPE_PUBLIC, mctx, &key);
+ if (result != ISC_R_SUCCESS)
+ fatal("invalid keyfile name %s: %s",
+ filename, isc_result_totext(result));
+
+ if (verbose > 2) {
+ char keystr[KEY_FORMATSIZE];
+
+ key_format(key, keystr, sizeof(keystr));
+ fprintf(stderr, "%s: %s\n", program, keystr);
+ }
+
+ result = dst_key_todns(key, &keyb);
+ if (result != ISC_R_SUCCESS)
+ fatal("can't decode key");
+
+ isc_buffer_usedregion(&keyb, &r);
+ dns_rdata_fromregion(rdata, dst_key_class(key),
+ dns_rdatatype_dnskey, &r);
+
+ rdclass = dst_key_class(key);
+
+ dns_fixedname_init(&fixed);
+ name = dns_fixedname_name(&fixed);
+ result = dns_name_copy(dst_key_name(key), name, NULL);
+ if (result != ISC_R_SUCCESS)
+ fatal("can't copy name");
+
+ dst_key_free(&key);
+}
+
+static void
+logkey(dns_rdata_t *rdata)
+{
+ isc_result_t result;
+ dst_key_t *key = NULL;
+ isc_buffer_t buf;
+ char keystr[KEY_FORMATSIZE];
+
+ isc_buffer_init(&buf, rdata->data, rdata->length);
+ isc_buffer_add(&buf, rdata->length);
+ result = dst_key_fromdns(name, rdclass, &buf, mctx, &key);
+ if (result != ISC_R_SUCCESS)
+ return;
+
+ key_format(key, keystr, sizeof(keystr));
+ fprintf(stderr, "%s: %s\n", program, keystr);
+
+ dst_key_free(&key);
+}
+
+static void
+emitds(unsigned int dtype, dns_rdata_t *rdata)
+{
+ isc_result_t result;
+ unsigned char buf[DNS_DS_BUFFERSIZE];
+ char text_buf[DST_KEY_MAXTEXTSIZE];
+ char class_buf[10];
+ isc_buffer_t textb, classb;
+ isc_region_t r;
+ dns_rdata_t ds;
+
+ isc_buffer_init(&textb, text_buf, sizeof(text_buf));
+ isc_buffer_init(&classb, class_buf, sizeof(class_buf));
+
+ dns_rdata_init(&ds);
+
+ result = dns_ds_buildrdata(name, rdata, dtype, buf, &ds);
+ if (result != ISC_R_SUCCESS)
+ fatal("can't build DS");
+
+ result = dns_rdata_totext(&ds, (dns_name_t *) NULL, &textb);
+ if (result != ISC_R_SUCCESS)
+ fatal("can't print DS rdata");
+
+ result = dns_rdataclass_totext(rdclass, &classb);
+ if (result != ISC_R_SUCCESS)
+ fatal("can't print DS class");
+
+ result = dns_name_print(name, stdout);
+ if (result != ISC_R_SUCCESS)
+ fatal("can't print DS name");
+
+ putchar(' ');
+
+ isc_buffer_usedregion(&classb, &r);
+ fwrite(r.base, 1, r.length, stdout);
+
+ printf(" DS ");
+
+ isc_buffer_usedregion(&textb, &r);
+ fwrite(r.base, 1, r.length, stdout);
+ putchar('\n');
+}
+
+static void
+usage(void) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr, " %s options keyfile\n\n", program);
+ fprintf(stderr, " %s options [-c class] [-d dir] -s dnsname\n\n",
+ program);
+ fprintf(stderr, "Version: %s\n", VERSION);
+ fprintf(stderr, "Options:\n");
+ fprintf(stderr, " -v <verbose level>\n");
+ fprintf(stderr, " -1: use SHA-1\n");
+ fprintf(stderr, " -2: use SHA-256\n");
+ fprintf(stderr, " -a algorithm: use algorithm\n");
+ fprintf(stderr, "Keyset options:\n");
+ fprintf(stderr, " -s: keyset mode\n");
+ fprintf(stderr, " -c class\n");
+ fprintf(stderr, " -d directory\n");
+ fprintf(stderr, "Output: DS RRs\n");
+
+ exit (-1);
+}
+
+int
+main(int argc, char **argv) {
+ char *algname = NULL, *classname = NULL, *dirname = NULL;
+ char *endp;
+ int ch;
+ unsigned int dtype = DNS_DSDIGEST_SHA1;
+ isc_boolean_t both = ISC_TRUE;
+ isc_boolean_t usekeyset = ISC_FALSE;
+ isc_result_t result;
+ isc_log_t *log = NULL;
+ isc_entropy_t *ectx = NULL;
+ dns_rdata_t rdata;
+
+ dns_rdata_init(&rdata);
+
+ if (argc == 1)
+ usage();
+
+ result = isc_mem_create(0, 0, &mctx);
+ if (result != ISC_R_SUCCESS)
+ fatal("out of memory");
+
+ dns_result_register();
+
+ isc_commandline_errprint = ISC_FALSE;
+
+ while ((ch = isc_commandline_parse(argc, argv,
+ "12a:c:d:sv:h")) != -1) {
+ switch (ch) {
+ case '1':
+ dtype = DNS_DSDIGEST_SHA1;
+ both = ISC_FALSE;
+ break;
+ case '2':
+ dtype = DNS_DSDIGEST_SHA256;
+ both = ISC_FALSE;
+ break;
+ case 'a':
+ algname = isc_commandline_argument;
+ both = ISC_FALSE;
+ break;
+ case 'c':
+ classname = isc_commandline_argument;
+ break;
+ case 'd':
+ dirname = isc_commandline_argument;
+ break;
+ case 's':
+ usekeyset = ISC_TRUE;
+ break;
+ case 'v':
+ verbose = strtol(isc_commandline_argument, &endp, 0);
+ if (*endp != '\0')
+ fatal("-v must be followed by a number");
+ break;
+ case '?':
+ if (isc_commandline_option != '?')
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, isc_commandline_option);
+ /* Falls into */
+ case 'h':
+ usage();
+
+ default:
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ program, isc_commandline_option);
+ exit(1);
+ }
+ }
+
+ if (algname != NULL) {
+ if (strcasecmp(algname, "SHA1") == 0 ||
+ strcasecmp(algname, "SHA-1") == 0)
+ dtype = DNS_DSDIGEST_SHA1;
+ else if (strcasecmp(algname, "SHA256") == 0 ||
+ strcasecmp(algname, "SHA-256") == 0)
+ dtype = DNS_DSDIGEST_SHA256;
+ else
+ fatal("unknown algorithm %s", algname);
+ }
+
+ rdclass = strtoclass(classname);
+
+ if (argc < isc_commandline_index + 1)
+ fatal("the key file name was not specified");
+ if (argc > isc_commandline_index + 1)
+ fatal("extraneous arguments");
+
+ if (ectx == NULL)
+ setup_entropy(mctx, NULL, &ectx);
+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
+ if (result != ISC_R_SUCCESS)
+ fatal("could not initialize hash");
+ result = dst_lib_init(mctx, ectx,
+ ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
+ if (result != ISC_R_SUCCESS)
+ fatal("could not initialize dst");
+ isc_entropy_stopcallbacksources(ectx);
+
+ setup_logging(verbose, mctx, &log);
+
+ if (usekeyset) {
+ loadkeys(dirname, argv[isc_commandline_index]);
+
+ for (result = dns_rdataset_first(&keyset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&keyset)) {
+ dns_rdata_init(&rdata);
+ dns_rdataset_current(&keyset, &rdata);
+
+ if (verbose > 2)
+ logkey(&rdata);
+
+ if (both) {
+ emitds(DNS_DSDIGEST_SHA1, &rdata);
+ emitds(DNS_DSDIGEST_SHA256, &rdata);
+ } else
+ emitds(dtype, &rdata);
+ }
+ } else {
+ loadkey(argv[isc_commandline_index], &rdata);
+
+ if (both) {
+ emitds(DNS_DSDIGEST_SHA1, &rdata);
+ emitds(DNS_DSDIGEST_SHA256, &rdata);
+ } else
+ emitds(dtype, &rdata);
+ }
+
+ if (dns_rdataset_isassociated(&keyset))
+ dns_rdataset_disassociate(&keyset);
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ if (db != NULL)
+ dns_db_detach(&db);
+ cleanup_logging(&log);
+ dst_lib_destroy();
+ isc_hash_destroy();
+ cleanup_entropy(&ectx);
+ dns_name_destroy();
+ if (verbose > 10)
+ isc_mem_stats(mctx, stdout);
+ isc_mem_destroy(&mctx);
+
+ return (0);
+}
diff --git a/bin/dnssec/dnssec-dsfromkey.docbook b/bin/dnssec/dnssec-dsfromkey.docbook
new file mode 100644
index 00000000..c2c6b853
--- /dev/null
+++ b/bin/dnssec/dnssec-dsfromkey.docbook
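Review bot: In loadkeys(), `dirname[strlen(dirname) - 1]` reads one byte before the string when `-d` is given an empty argument, because strlen() is 0 and the index wraps to SIZE_MAX; guard the trailing-slash test with `if (*dirname != '\0' && dirname[strlen(dirname) - 1] != '/')`. The directory prefix is also copied with isc_buffer_putstr(), which as far as I recall REQUIREs available space rather than returning an error, so an over-long `-d` value would die on an assertion before the `name %s too long` check runs; a check such as `if (strlen(dirname) + 1 >= sizeof(filename)) fatal("directory name %s too long", dirname);` ahead of the putstr would produce the intended diagnostic instead. Both inputs are operator-supplied, so the effect is a crash rather than anything exploitable remotely, but the tool should fail through fatal() consistently since it is commonly driven from scripts. Separately, usage() ends with `exit (-1)`, which yields status 255 on POSIX; `exit(1)` is the conventional usage-error status and matches the `default:` branch in main().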
@@ -0,0 +1,214 @@ +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" + [<!ENTITY mdash "—">]> +<!-- + - Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC") + - + - Permission to use, copy, modify, and/or distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> + +<!-- $Id: dnssec-dsfromkey.docbook,v 1.6 2008/11/07 13:54:11 jreed Exp $ --> +<refentry id="man.dnssec-dsfromkey"> + <refentryinfo> + <date>November 29, 2008</date> + </refentryinfo> + + <refmeta> + <refentrytitle><application>dnssec-dsfromkey</application></refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo>BIND9</refmiscinfo> + </refmeta> + + <refnamediv> + <refname><application>dnssec-dsfromkey</application></refname> + <refpurpose>DNSSEC DS RR generation tool</refpurpose> + </refnamediv> + + <docinfo> + <copyright> + <year>2008</year> + <holder>Internet Systems Consortium, Inc. 
("ISC")</holder> + </copyright> + </docinfo> + + <refsynopsisdiv> + <cmdsynopsis> + <command>dnssec-dsfromkey</command> + <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg> + <arg><option>-1</option></arg> + <arg><option>-2</option></arg> + <arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg> + <arg choice="req">keyfile</arg> + </cmdsynopsis> + <cmdsynopsis> + <command>dnssec-dsfromkey</command> + <arg choice="req">-s</arg> + <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg> + <arg><option>-1</option></arg> + <arg><option>-2</option></arg> + <arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg> + <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg> + <arg><option>-d <replaceable class="parameter">dir</replaceable></option></arg> + <arg choice="req">dnsname</arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1> + <title>DESCRIPTION</title> + <para><command>dnssec-dsfromkey</command> + outputs the Delegation Signer (DS) resource record (RR), as defined in + RFC 3658 and RFC 4509, for the given key(s). + </para> + </refsect1> + + <refsect1> + <title>OPTIONS</title> + + <variablelist> + <varlistentry> + <term>-1</term> + <listitem> + <para> + Use SHA-1 as the digest algorithm (the default is to use + both SHA-1 and SHA-256). + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-2</term> + <listitem> + <para> + Use SHA-256 as the digest algorithm. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-a <replaceable class="parameter">algorithm</replaceable></term> + <listitem> + <para> + Select the digest algorithm. The value of + <option>algorithm</option> must be one of SHA-1 (SHA1) or + SHA-256 (SHA256). These values are case insensitive. 
+ </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-v <replaceable class="parameter">level</replaceable></term> + <listitem> + <para> + Sets the debugging level. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-s</term> + <listitem> + <para> + Keyset mode: in place of the keyfile name, the argument is + the DNS domain name of a keyset file. Following options make sense + only in this mode. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-c <replaceable class="parameter">class</replaceable></term> + <listitem> + <para> + Specifies the DNS class (default is IN), useful only + in the keyset mode. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-d <replaceable class="parameter">directory</replaceable></term> + <listitem> + <para> + Look for <filename>keyset</filename> files in + <option>directory</option> as the directory, ignored when + not in the keyset mode. + </para> + </listitem> + </varlistentry> + + </variablelist> + </refsect1> + + <refsect1> + <title>EXAMPLE</title> + <para> + To build the SHA-256 DS RR from the + <userinput>Kexample.com.+003+26160</userinput> + keyfile name, the following command would be issued: + </para> + <para><userinput>dnssec-dsfromkey -2 Kexample.com.+003+26160</userinput> + </para> + <para> + The command would print something like: + </para> + <para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</userinput> + </para> + </refsect1> + + <refsect1> + <title>FILES</title> + <para> + The keyfile can be designed by the key identification + <filename>Knnnn.+aaa+iiiii</filename> or the full file name + <filename>Knnnn.+aaa+iiiii.key</filename> as generated by + <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>. + </para> + <para> + The keyset file name is built from the <option>directory</option>, + the string <filename>keyset-</filename> and the + <option>dnsname</option>. 
+ </para> + </refsect1> + + <refsect1> + <title>CAVEAT</title> + <para> + A keyfile error can give a "file not found" even if the file exists. + </para> + </refsect1> + + <refsect1> + <title>SEE ALSO</title> + <para><citerefentry> + <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citetitle>BIND 9 Administrator Reference Manual</citetitle>, + <citetitle>RFC 3658</citetitle>, + <citetitle>RFC 4509</citetitle>. + </para> + </refsect1> + + <refsect1> + <title>AUTHOR</title> + <para><corpauthor>Internet Systems Consortium</corpauthor> + </para> + </refsect1> + +</refentry><!-- + - Local variables: + - mode: sgml + - End: +--> diff --git a/bin/dnssec/dnssec-dsfromkey.html b/bin/dnssec/dnssec-dsfromkey.html new file mode 100644 index 00000000..72dfd3a5 --- /dev/null +++ b/bin/dnssec/dnssec-dsfromkey.html 
@@ -0,0 +1,133 @@ +<!-- + - Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC") + - + - Permission to use, copy, modify, and/or distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> + +<!-- $Id: dnssec-dsfromkey.html,v 1.5 2008/11/08 01:11:47 tbox Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>dnssec-dsfromkey</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p><span class="application">dnssec-dsfromkey</span> — DNSSEC DS RR generation tool</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] {keyfile}</p></div> +<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code 
class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>dir</code></em></code>] {dnsname}</p></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2543424"></a><h2>DESCRIPTION</h2> +<p><span><strong class="command">dnssec-dsfromkey</strong></span> + outputs the Delegation Signer (DS) resource record (RR), as defined in + RFC 3658 and RFC 4509, for the given key(s). + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2543435"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl> +<dt><span class="term">-1</span></dt> +<dd><p> + Use SHA-1 as the digest algorithm (the default is to use + both SHA-1 and SHA-256). + </p></dd> +<dt><span class="term">-2</span></dt> +<dd><p> + Use SHA-256 as the digest algorithm. + </p></dd> +<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt> +<dd><p> + Select the digest algorithm. The value of + <code class="option">algorithm</code> must be one of SHA-1 (SHA1) or + SHA-256 (SHA256). These values are case insensitive. + </p></dd> +<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt> +<dd><p> + Sets the debugging level. + </p></dd> +<dt><span class="term">-s</span></dt> +<dd><p> + Keyset mode: in place of the keyfile name, the argument is + the DNS domain name of a keyset file. Following options make sense + only in this mode. + </p></dd> +<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt> +<dd><p> + Specifies the DNS class (default is IN), useful only + in the keyset mode. + </p></dd> +<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt> +<dd><p> + Look for <code class="filename">keyset</code> files in + <code class="option">directory</code> as the directory, ignored when + not in the keyset mode. 
+ </p></dd> +</dl></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2543563"></a><h2>EXAMPLE</h2> +<p> + To build the SHA-256 DS RR from the + <strong class="userinput"><code>Kexample.com.+003+26160</code></strong> + keyfile name, the following command would be issued: + </p> +<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong> + </p> +<p> + The command would print something like: + </p> +<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong> + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2543593"></a><h2>FILES</h2> +<p> + The keyfile can be designed by the key identification + <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name + <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by + <span class="refentrytitle">dnssec-keygen</span>(8). + </p> +<p> + The keyset file name is built from the <code class="option">directory</code>, + the string <code class="filename">keyset-</code> and the + <code class="option">dnsname</code>. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2543628"></a><h2>CAVEAT</h2> +<p> + A keyfile error can give a "file not found" even if the file exists. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2543638"></a><h2>SEE ALSO</h2> +<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, + <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, + <em class="citetitle">BIND 9 Administrator Reference Manual</em>, + <em class="citetitle">RFC 3658</em>, + <em class="citetitle">RFC 4509</em>. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2543674"></a><h2>AUTHOR</h2> +<p><span class="corpauthor">Internet Systems Consortium</span> + </p> +</div> +</div></body> +</html> 
diff --git a/bin/dnssec/dnssec-keyfromlabel.8 b/bin/dnssec/dnssec-keyfromlabel.8 index 91d80ac7..62220582 100644 --- a/bin/dnssec/dnssec-keyfromlabel.8 +++ b/bin/dnssec/dnssec-keyfromlabel.8 @@ -12,18 +12,18 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-keyfromlabel.8,v 1.5 2008/10/15 01:11:35 tbox Exp $ +.\" $Id: dnssec-keyfromlabel.8,v 1.6 2008/11/08 01:11:47 tbox Exp $ .\" .hy 0 .ad l .\" Title: dnssec\-keyfromlabel .\" Author: .\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> -.\" Date: february 8, 2008 +.\" Date: February 8, 2008 .\" Manual: BIND9 .\" Source: BIND9 .\" -.TH "DNSSEC\-KEYFROMLABEL" "8" "february 8, 2008" "BIND9" "BIND9" +.TH "DNSSEC\-KEYFROMLABEL" "8" "February 8, 2008" "BIND9" "BIND9" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) diff --git a/bin/dnssec/dnssec-keyfromlabel.docbook b/bin/dnssec/dnssec-keyfromlabel.docbook index e2b6cf96..2bcf0a48 100644 --- a/bin/dnssec/dnssec-keyfromlabel.docbook +++ b/bin/dnssec/dnssec-keyfromlabel.docbook @@ -17,10 +17,10 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: dnssec-keyfromlabel.docbook,v 1.5 2008/10/14 14:32:50 jreed Exp $ --> +<!-- $Id: dnssec-keyfromlabel.docbook,v 1.6 2008/11/07 13:54:11 jreed Exp $ --> <refentry id="man.dnssec-keyfromlabel"> <refentryinfo> - <date>february 8, 2008</date> + <date>February 8, 2008</date> </refentryinfo> <refmeta> diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 9af08dd5..f446ef34 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -29,7 +29,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-signzone.c,v 1.208 2008/09/26 01:27:08 marka Exp $ */ +/* $Id: dnssec-signzone.c,v 1.209 2008/11/14 22:53:46 marka Exp $ */ /*! \file */ 
@@ -2784,6 +2784,9 @@ main(int argc, char *argv[]) { fatal("cannot load dnskey %s: %s", argv[i], isc_result_totext(result)); + if (!dns_name_equal(gorigin, dst_key_name(newkey))) + fatal("key %s not at origin\n", argv[i]); + key = ISC_LIST_HEAD(keylist); while (key != NULL) { dst_key_t *dkey = key->key; @@ -2821,6 +2824,9 @@ main(int argc, char *argv[]) { fatal("cannot load dnskey %s: %s", dskeyfile[i], isc_result_totext(result)); + if (!dns_name_equal(gorigin, dst_key_name(newkey))) + fatal("key %s not at origin\n", dskeyfile[i]); + key = ISC_LIST_HEAD(keylist); while (key != NULL) { dst_key_t *dkey = key->key; diff --git a/bin/named/client.c b/bin/named/client.c index 756d3c84..164af7cf 100644 --- a/bin/named/client.c +++ b/bin/named/client.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: client.c,v 1.258 2008/06/23 19:41:18 jinmei Exp $ */ +/* $Id: client.c,v 1.259 2008/11/16 20:57:54 marka Exp $ */ #include <config.h> @@ -1222,7 +1222,7 @@ client_addopt(ns_client_t *client) { * + 2 bytes for NSID length * + NSID itself */ - char nsid[BUFSIZ]; + char nsid[BUFSIZ], *nsidp; isc_buffer_t *buffer = NULL; if (ns_g_server->server_usehostname) { @@ -1231,19 +1231,19 @@ client_addopt(ns_client_t *client) { if (result != ISC_R_SUCCESS) { goto no_nsid; } - } else { - strncpy(nsid, ns_g_server->server_id, sizeof(nsid)); - } + nsidp = nsid; + } else + nsidp = ns_g_server->server_id; - rdata->length = strlen(nsid) + 4; + rdata->length = strlen(nsidp) + 4; result = isc_buffer_allocate(client->mctx, &buffer, rdata->length); if (result != ISC_R_SUCCESS) goto no_nsid; isc_buffer_putuint16(buffer, DNS_OPT_NSID); - isc_buffer_putuint16(buffer, strlen(nsid)); - isc_buffer_putstr(buffer, nsid); + isc_buffer_putuint16(buffer, strlen(nsidp)); + isc_buffer_putstr(buffer, nsidp); rdata->data = buffer->base; dns_message_takebuffer(client->message, &buffer); } else { diff --git a/bin/named/config.c b/bin/named/config.c index a85be69c..96b071d1 100644 
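Review bot: The new origin check in the @@ -2784 hunk is repeated verbatim in the @@ -2821 hunk, and its `fatal()` message ends in `\n` while the neighbouring `"cannot load dnskey %s: %s"` calls do not, so the two styles cannot both be right; for consistency drop it: `fatal("key %s not at origin", argv[i]);`. Rejecting a DNSKEY whose owner name differs from the zone origin before it is appended to `keylist` is the right place for this check, since it keeps a foreign key from ever being used to sign this zone. Because both loops load a key file and then perform the same check, a small static helper doing load-plus-check once would remove the duplication. `main` starts and ends outside these hunks.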
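Review bot: In the client.c @@ -1231 hunk the NSID payload length is computed as `strlen(nsidp)` three times and is never bounded, although `isc_buffer_putuint16` writes it into a 16-bit option length field and `rdata->length` is derived from the same value. `ns_g_server->server_id` is operator-configured, so an over-long value would silently wrap that field; compute it once, `size_t nsidlen = strlen(nsidp);`, and `goto no_nsid;` when `nsidlen > 0xffff` (the `rdata->length` type presumably has a similar limit — confirm). Pointing `nsidp` directly at `server_id` does remove the unterminated-buffer risk of the old `strncpy`, which is an improvement. `client_addopt` starts and ends outside this hunk, and whether `server_id` can be NULL on this path is decided there.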
--- a/bin/named/config.c +++ b/bin/named/config.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: config.c,v 1.92 2008/09/27 23:35:31 jinmei Exp $ */ +/* $Id: config.c,v 1.93 2008/11/06 05:30:24 marka Exp $ */ /*! \file */ @@ -69,7 +69,7 @@ options {\n\ memstatistics-file \"named.memstats\";\n\ multiple-cnames no;\n\ # named-xfer <obsolete>;\n\ -# pid-file \"" NS_LOCALSTATEDIR "/named.pid\"; /* or /lwresd.pid */\n\ +# pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or /lwresd.pid */\n\ port 53;\n\ recursing-file \"named.recursing\";\n\ " diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h index 0beef48b..6040dc30 100644 --- a/bin/named/include/named/globals.h +++ b/bin/named/include/named/globals.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: globals.h,v 1.77 2008/10/24 01:08:21 marka Exp $ */ +/* $Id: globals.h,v 1.80 2008/11/16 22:49:18 marka Exp $ */ #ifndef NAMED_GLOBALS_H #define NAMED_GLOBALS_H 1 @@ -42,6 +42,10 @@ #define INIT(v) #endif +#ifndef NS_RUN_PID_DIR +#define NS_RUN_PID_DIR 1 +#endif + EXTERN isc_mem_t * ns_g_mctx INIT(NULL); EXTERN unsigned int ns_g_cpus INIT(0); EXTERN isc_taskmgr_t * ns_g_taskmgr INIT(NULL); @@ -108,10 +112,20 @@ EXTERN const char * ns_g_chrootdir INIT(NULL); EXTERN isc_boolean_t ns_g_foreground INIT(ISC_FALSE); EXTERN isc_boolean_t ns_g_logstderr INIT(ISC_FALSE); +#if NS_RUN_PID_DIR +EXTERN const char * ns_g_defaultpidfile INIT(NS_LOCALSTATEDIR + "/run/named/" + "named.pid"); +EXTERN const char * lwresd_g_defaultpidfile INIT(NS_LOCALSTATEDIR + "/run/lwresd/" + "lwresd.pid"); +#else EXTERN const char * ns_g_defaultpidfile INIT(NS_LOCALSTATEDIR "/run/named.pid"); EXTERN const char * lwresd_g_defaultpidfile INIT(NS_LOCALSTATEDIR - "/run/lwresd.pid"); + "/run/lwresd.pid"); +#endif + EXTERN const char * ns_g_username INIT(NULL); EXTERN int ns_g_listen INIT(3); diff --git a/bin/named/lwresd.8 b/bin/named/lwresd.8 index f950f85e..2c4e3bc3 100644 
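Review bot: The new `NS_RUN_PID_DIR` switch in the globals.h @@ -42 hunk carries no comment saying what it selects, and the per-daemon subdirectory defaults it enables in the @@ -108 hunk only work because `ns_os_writepidfile` (changed in this same diff) now creates the containing directory. Add above the `#ifndef`: `/* 1: default PID files live in per-daemon subdirectories of LOCALSTATEDIR/run, created on demand by ns_os_writepidfile; 0: the old flat layout. */`. Without that, a packager overriding the macro will not know that the directory-creation side effect travels with it.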
--- a/bin/named/lwresd.8 +++ b/bin/named/lwresd.8 @@ -13,7 +13,7 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwresd.8,v 1.28 2008/09/25 04:45:04 tbox Exp $ +.\" $Id: lwresd.8,v 1.29 2008/11/07 01:11:19 tbox Exp $ .\" .hy 0 .ad l @@ -125,7 +125,7 @@ Run the server in the foreground and force all logging to Use \fIpid\-file\fR as the PID file instead of the default, -\fI/var/run/lwresd.pid\fR. +\fI/var/run/lwresd/lwresd.pid\fR. .RE .PP \-m \fIflag\fR diff --git a/bin/named/lwresd.docbook b/bin/named/lwresd.docbook index 6d737826..3e72fd3d 100644 --- a/bin/named/lwresd.docbook +++ b/bin/named/lwresd.docbook @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: lwresd.docbook,v 1.17 2008/09/25 04:02:38 tbox Exp $ --> +<!-- $Id: lwresd.docbook,v 1.18 2008/11/06 05:30:24 marka Exp $ --> <refentry> <refentryinfo> <date>June 30, 2000</date> @@ -199,7 +199,7 @@ <para> Use <replaceable class="parameter">pid-file</replaceable> as the PID file instead of the default, - <filename>/var/run/lwresd.pid</filename>. + <filename>/var/run/lwresd/lwresd.pid</filename>. </para> </listitem> </varlistentry> diff --git a/bin/named/lwresd.html b/bin/named/lwresd.html index 3d384ebb..65f65e32 100644 --- a/bin/named/lwresd.html +++ b/bin/named/lwresd.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: lwresd.html,v 1.24 2008/09/25 04:45:04 tbox Exp $ --> +<!-- $Id: lwresd.html,v 1.25 2008/11/07 01:11:19 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> 
@@ -115,7 +115,7 @@ <dd><p> Use <em class="replaceable"><code>pid-file</code></em> as the PID file instead of the default, - <code class="filename">/var/run/lwresd.pid</code>. + <code class="filename">/var/run/lwresd/lwresd.pid</code>. </p></dd> <dt><span class="term">-m <em class="replaceable"><code>flag</code></em></span></dt> <dd><p> diff --git a/bin/named/named.8 b/bin/named/named.8 index cfd63509..34084036 100644 --- a/bin/named/named.8 +++ b/bin/named/named.8 @@ -13,7 +13,7 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: named.8,v 1.37 2008/09/24 01:12:39 tbox Exp $ +.\" $Id: named.8,v 1.38 2008/11/07 01:11:19 tbox Exp $ .\" .hy 0 .ad l @@ -231,7 +231,7 @@ BIND 9 Administrator Reference Manual. The default configuration file. .RE .PP -\fI/var/run/named.pid\fR +\fI/var/run/named/named.pid\fR .RS 4 The default process\-id file. .RE diff --git a/bin/named/named.docbook b/bin/named/named.docbook index 3fe94396..f47eae1e 100644 --- a/bin/named/named.docbook +++ b/bin/named/named.docbook @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: named.docbook,v 1.22 2008/09/23 17:25:47 jinmei Exp $ --> +<!-- $Id: named.docbook,v 1.23 2008/11/06 05:30:24 marka Exp $ --> <refentry id="man.named"> <refentryinfo> <date>June 30, 2000</date> @@ -391,7 +391,7 @@ </varlistentry> <varlistentry> - <term><filename>/var/run/named.pid</filename></term> + <term><filename>/var/run/named/named.pid</filename></term> <listitem> <para> The default process-id file. diff --git a/bin/named/named.html b/bin/named/named.html index a1985cd6..23c9a7c3 100644 --- a/bin/named/named.html +++ b/bin/named/named.html 
@@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: named.html,v 1.29 2008/09/24 01:12:39 tbox Exp $ --> +<!-- $Id: named.html,v 1.30 2008/11/07 01:11:19 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -256,7 +256,7 @@ <dd><p> The default configuration file. </p></dd> -<dt><span class="term"><code class="filename">/var/run/named.pid</code></span></dt> +<dt><span class="term"><code class="filename">/var/run/named/named.pid</code></span></dt> <dd><p> The default process-id file. </p></dd> diff --git a/bin/named/query.c b/bin/named/query.c index fb48f599..cacd70ac 100644 --- a/bin/named/query.c +++ b/bin/named/query.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: query.c,v 1.312 2008/10/15 02:37:11 marka Exp $ */ +/* $Id: query.c,v 1.313 2008/11/03 23:57:22 marka Exp $ */ /*! \file */ @@ -2863,12 +2863,22 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db, if (!dns_rdataset_isassociated(rdataset)) { /* - * fname contains the closest encloser. + * No NSEC proof available, return NSEC3 proofs instead. */ dns_fixedname_init(&cfixed); cname = dns_fixedname_name(&cfixed); - dns_name_copy(fname, cname, NULL); - + /* + * Find the closest encloser. + */ + dns_name_copy(name, cname, NULL); + while (result == DNS_R_NXDOMAIN) { + labels = dns_name_countlabels(cname) - 1; + dns_name_split(cname, labels, NULL, cname); + result = dns_db_find(db, cname, version, + dns_rdatatype_nsec, + options, 0, NULL, fname, + NULL, NULL); + } /* * Add closest (provable) encloser NSEC3. */ @@ -2879,6 +2889,9 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db, query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf, DNS_SECTION_AUTHORITY); + /* + * Replace resources which were consumed by query_addrrset. + */ if (fname == NULL) { dbuf = query_getnamebuf(client); if (dbuf == NULL) 
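Review bot: The new closest-encloser loop in the query.c @@ -2863 hunk has no lower bound: it strips one label per pass while `dns_db_find` keeps returning `DNS_R_NXDOMAIN`, so termination relies on the lookup succeeding at or above the zone apex, and if `cname` ever reaches a single label `dns_name_countlabels(cname) - 1` becomes 0, which is presumably not a valid split — confirm. A cheap guard makes the loop self-limiting: `labels = dns_name_countlabels(cname); if (labels <= 1) break; dns_name_split(cname, labels - 1, NULL, cname);`. Reusing `fname` as the found-name output on each pass looks intended, since the `query_addrrset` call that follows consumes it. `labels` is not declared in the hunk, so it presumably lives in the function prologue; `query_addwildcardproof` starts and ends outside the hunk.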
@@ -2918,7 +2931,7 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db, goto cleanup; /* - * Add the no wildcard proof. + * Replace resources which were consumed by query_addrrset. */ if (fname == NULL) { dbuf = query_getnamebuf(client); @@ -2939,6 +2952,9 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db, if (fname == NULL || rdataset == NULL || sigrdataset == NULL) goto cleanup; + /* + * Add the no wildcard proof. + */ result = dns_name_concatenate(dns_wildcardname, cname, wname, NULL); if (result != ISC_R_SUCCESS) diff --git a/bin/named/server.c b/bin/named/server.c index 304d003f..31b27614 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.518 2008/10/28 05:17:40 marka Exp $ */ +/* $Id: server.c,v 1.520 2008/11/14 23:47:32 tbox Exp $ */ /*! \file */ @@ -5091,9 +5091,14 @@ ns_server_status(ns_server_t *server, isc_buffer_t *text) { DNS_ZONESTATE_XFERDEFERRED); soaqueries = dns_zonemgr_getcount(server->zonemgr, DNS_ZONESTATE_SOAQUERY); + n = snprintf((char *)isc_buffer_used(text), isc_buffer_availablelength(text), "version: %s%s%s%s\n" +#ifdef ISC_PLATFORM_USETHREADS + "CPUs found: %u\n" + "worker threads: %u\n" +#endif "number of zones: %u\n" "debug level: %d\n" "xfers running: %u\n" @@ -5104,6 +5109,9 @@ ns_server_status(ns_server_t *server, isc_buffer_t *text) { "tcp clients: %d/%d\n" "server is up and running", ns_g_version, ob, alt, cb, +#ifdef ISC_PLATFORM_USETHREADS + ns_g_cpus_detected, ns_g_cpus, +#endif zonecount, ns_g_debuglevel, xferrunning, xferdeferred, soaqueries, server->log_queries ? "ON" : "OFF", server->recursionquota.used, server->recursionquota.soft, diff --git a/bin/named/unix/os.c b/bin/named/unix/os.c index 6fb6a63f..d3b2ff3a 100644 --- a/bin/named/unix/os.c +++ b/bin/named/unix/os.c 
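Review bot: The `#ifdef ISC_PLATFORM_USETHREADS` block inserted into the format string in the server.c @@ -5091 hunk has a twin in the argument list in the @@ -5104 hunk, and nothing ties the two together, so a later edit to one of them produces a format/argument mismatch that `-Wformat` cannot see through the preprocessor. Add a one-line comment at each: `/* keep in sync with the ISC_PLATFORM_USETHREADS block below/above */`. `ns_g_cpus` is declared `unsigned int` in globals.h so `%u` is right for it; `ns_g_cpus_detected` is not visible here, so check that it is also `unsigned int`. Whether `n` is checked against the space left in `text` after the `snprintf` is outside the hunk.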
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: os.c,v 1.87 2008/10/24 01:44:48 tbox Exp $ */ +/* $Id: os.c,v 1.89 2008/11/14 05:08:48 marka Exp $ */ /*! \file */ @@ -196,7 +196,7 @@ linux_setcaps(cap_t caps) { do { \ capval = (flag); \ cap_flag_value_t curval; \ - err = cap_get_flag(cap_get_proc(), capval, CAP_PERMITTED, &curval); \ + err = cap_get_flag(curcaps, capval, CAP_PERMITTED, &curval); \ if (err != -1 && curval) { \ err = cap_set_flag(caps, CAP_EFFECTIVE, 1, &capval, CAP_SET); \ if (err == -1) { \ @@ -218,16 +218,27 @@ linux_setcaps(cap_t caps) { isc__strerror(errno, strbuf, sizeof(strbuf)); \ ns_main_earlyfatal("cap_init failed: %s", strbuf); \ } \ + curcaps = cap_get_proc(); \ + if (curcaps == NULL) { \ + isc__strerror(errno, strbuf, sizeof(strbuf)); \ + ns_main_earlyfatal("cap_get_proc failed: %s", strbuf); \ + } \ + } while (0) +#define FREE_CAP \ + { \ + cap_free(caps); \ + cap_free(curcaps); \ } while (0) #else -#define SET_CAP(flag) { caps |= (1 << (flag)); } -#define INIT_CAP { caps = 0; } +#define SET_CAP(flag) do { caps |= (1 << (flag)); } while (0) +#define INIT_CAP do { caps = 0; } while (0) #endif /* HAVE_LIBCAP */ static void linux_initialprivs(void) { cap_t caps; #ifdef HAVE_LIBCAP + cap_t curcaps; cap_value_t capval; char strbuf[ISC_STRERRORSIZE]; int err; @@ -281,12 +292,17 @@ linux_initialprivs(void) { SET_CAP(CAP_SYS_RESOURCE); linux_setcaps(caps); + +#ifdef HAVE_LIBCAP + FREE_CAP; +#endif } static void linux_minprivs(void) { cap_t caps; #ifdef HAVE_LIBCAP + cap_t curcaps; cap_value_t capval; char strbuf[ISC_STRERRORSIZE]; int err; @@ -313,6 +329,10 @@ linux_minprivs(void) { SET_CAP(CAP_SYS_RESOURCE); linux_setcaps(caps); + +#ifdef HAVE_LIBCAP + FREE_CAP; +#endif } #ifdef HAVE_SYS_PRCTL_H 
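Review bot: `FREE_CAP` in the @@ -218 hunk is written as `{ ... } while (0)` without a leading `do`, so `FREE_CAP;` expands to a compound statement followed by an empty `while (0);` loop; it compiles today but is not the do-while idiom the neighbouring `SET_CAP`/`INIT_CAP` macros use and would break as an unbraced `if` body. Make it `#define FREE_CAP do { cap_free(caps); cap_free(curcaps); } while (0)`. Taking `curcaps` once in `INIT_CAP` and releasing it in `FREE_CAP` is what closes the per-`SET_CAP` `cap_get_proc()` leak the @@ -196 hunk fixes, so the two changes belong together; the early-fatal paths inside `SET_CAP` presumably still leak both handles, which is acceptable since the process exits.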
@@ -645,6 +665,9 @@ ns_os_writepidfile(const char *filename, isc_boolean_t first_time) { pid_t pid; char strbuf[ISC_STRERRORSIZE]; void (*report)(const char *, ...); + unsigned int mode; + char *slash; + int n; /* * The caller must ensure any required synchronization. @@ -667,6 +690,27 @@ ns_os_writepidfile(const char *filename, isc_boolean_t first_time) { /* This is safe. */ strcpy(pidfile, filename); + /* + * Make the containing directory if it doesn't exist. + */ + slash = strrchr(pidfile, '/'); + if (slash != NULL && slash != pidfile) { + *slash = '\0'; + mode = S_IRUSR | S_IWUSR | S_IXUSR; /* u=rwx */ + mode |= S_IRGRP | S_IXGRP; /* g=rx */ + mode |= S_IROTH | S_IXOTH; /* o=rx */ + n = mkdir(pidfile, mode); + if (n == -1 && errno != EEXIST) { + isc__strerror(errno, strbuf, sizeof(strbuf)); + (*report)("couldn't mkdir %s': %s", filename, + strbuf); + free(pidfile); + pidfile = NULL; + return; + } + *slash = '/'; + } + fd = safe_open(filename, ISC_FALSE); if (fd < 0) { isc__strerror(errno, strbuf, sizeof(strbuf)); diff --git a/bin/named/update.c b/bin/named/update.c index da74fb36..4285e2c7 100644 --- a/bin/named/update.c +++ b/bin/named/update.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: update.c,v 1.148 2008/09/24 03:16:57 tbox Exp $ */ +/* $Id: update.c,v 1.151 2008/11/19 06:21:45 marka Exp $ */ #include <config.h> 
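Review bot: The error report in the @@ -667 hunk has a stray quote in its format, `"couldn't mkdir %s': %s"`, and passes `filename` although the path just handed to `mkdir` is the truncated `pidfile`; use `(*report)("couldn't mkdir %s: %s", pidfile, strbuf);`. `mode` should be declared `mode_t` rather than `unsigned int` to match `mkdir`'s prototype. Accepting `EEXIST` without checking that the existing entry is a directory means a pre-existing symlink or plain file at that path is only detected later by `safe_open`; that is fine provided `safe_open` refuses to follow symlinks, otherwise the PID write could be redirected — confirm. `ns_os_writepidfile` starts and ends outside these hunks.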
@@ -678,6 +678,45 @@ rrset_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, } /*% + * Set '*visible' to true if the RRset exists and is part of the + * visible zone. Otherwise '*visible' is set to false unless a + * error occurs. + */ +static isc_result_t +rrset_visible(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, + dns_rdatatype_t type, isc_boolean_t *visible) +{ + isc_result_t result; + dns_fixedname_t fixed; + + dns_fixedname_init(&fixed); + result = dns_db_find(db, name, ver, type, DNS_DBFIND_NOWILD, + (isc_stdtime_t) 0, NULL, + dns_fixedname_name(&fixed), NULL, NULL); + switch (result) { + case ISC_R_SUCCESS: + *visible = ISC_TRUE; + break; + /* + * Glue, obsured, deleted or replaced records. + */ + case DNS_R_DELEGATION: + case DNS_R_DNAME: + case DNS_R_CNAME: + case DNS_R_NXDOMAIN: + case DNS_R_NXRRSET: + case DNS_R_EMPTYNAME: + case DNS_R_COVERINGNSEC: + *visible = ISC_FALSE; + result = ISC_R_SUCCESS; + break; + default: + break; + } + return (result); +} + +/*% * Helper function for cname_incompatible_rrset_exists. */ static isc_result_t @@ -1084,6 +1123,16 @@ true_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) { } /*% + * Return true if the record is a RRSIG. + */ +static isc_boolean_t +rrsig_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) { + UNUSED(update_rr); + return ((db_rr->type == dns_rdatatype_rrsig) ? + ISC_TRUE : ISC_FALSE); +} + +/*% * Return true iff the two RRs have identical rdata. */ static isc_boolean_t 
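Review bot: The header comment on `rrset_visible` in the @@ -678 hunk reads `unless a error occurs` and the case-list comment says `obsured`; fix to `unless an error occurs` and `Glue, obscured, deleted or replaced records.`. The comment should also state that `*visible` is left untouched on the `default` path, since a caller that does not `CHECK` the result would otherwise read an unset flag; e.g. append `On any other result '*visible' is not written and the result is returned unchanged.`. `rrsig_p` in the @@ -1084 hunk is fine as written.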
@@ -1527,37 +1576,8 @@ uniqify_name_list(dns_diff_t *list) { } static isc_result_t -is_glue(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, - isc_boolean_t *flag) -{ - isc_result_t result; - dns_fixedname_t foundname; - dns_fixedname_init(&foundname); - result = dns_db_find(db, name, ver, dns_rdatatype_any, - DNS_DBFIND_GLUEOK | DNS_DBFIND_NOWILD, - (isc_stdtime_t) 0, NULL, - dns_fixedname_name(&foundname), NULL, NULL); - if (result == ISC_R_SUCCESS) { - *flag = ISC_FALSE; - return (ISC_R_SUCCESS); - } else if (result == DNS_R_ZONECUT) { - /* - * We are at the zonecut. The name will have an NSEC, but - * non-delegation will be omitted from the type bit map. - */ - *flag = ISC_FALSE; - return (ISC_R_SUCCESS); - } else if (result == DNS_R_GLUE || result == DNS_R_DNAME) { - *flag = ISC_TRUE; - return (ISC_R_SUCCESS); - } else { - return (result); - } -} - -static isc_result_t is_active(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, - isc_boolean_t *flag, isc_boolean_t *unsecure) + isc_boolean_t *flag, isc_boolean_t *cut, isc_boolean_t *unsecure) { isc_result_t result; dns_fixedname_t foundname; @@ -1569,11 +1589,13 @@ is_active(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, NULL, NULL); if (result == ISC_R_SUCCESS || result == DNS_R_EMPTYNAME) { *flag = ISC_TRUE; + *cut = ISC_FALSE; if (unsecure != NULL) *unsecure = ISC_FALSE; return (ISC_R_SUCCESS); } else if (result == DNS_R_ZONECUT) { *flag = ISC_TRUE; + *cut = ISC_TRUE; if (unsecure != NULL) { /* * We are at the zonecut. Check to see if there 
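Review bot: `is_active` gains a mandatory `cut` output in the @@ -1527 hunk, but its header comment, which sits above the hunk, still describes only `flag` and `unsecure`; add a sentence such as `'*cut' is set to true only when 'name' is a zone cut (DNS_R_ZONECUT); it is always written on success.`. Unlike `unsecure`, `cut` is dereferenced unconditionally in the @@ -1569 hunk, so either a `cut != NULL` guard like the existing `unsecure != NULL` ones or a note documenting the asymmetry would help callers. Removing `is_glue` is straightforward since `is_active` already classifies `DNS_R_GLUE`/`DNS_R_DNAME` as not active.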
@@ -1591,10 +1613,18 @@ is_active(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, } else if (result == DNS_R_GLUE || result == DNS_R_DNAME || result == DNS_R_DELEGATION || result == DNS_R_NXDOMAIN) { *flag = ISC_FALSE; + *cut = ISC_FALSE; if (unsecure != NULL) *unsecure = ISC_FALSE; return (ISC_R_SUCCESS); } else { + /* + * Silence compiler. + */ + *flag = ISC_FALSE; + *cut = ISC_FALSE; + if (unsecure != NULL) + *unsecure = ISC_FALSE; return (result); } } @@ -1867,7 +1897,7 @@ static isc_result_t add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys, - isc_mem_t *mctx, isc_stdtime_t inception, isc_stdtime_t expire, + isc_stdtime_t inception, isc_stdtime_t expire, isc_boolean_t check_ksk) { isc_result_t result; @@ -1878,6 +1908,7 @@ add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, unsigned char data[1024]; /* XXX */ unsigned int i; isc_boolean_t added_sig = ISC_FALSE; + isc_mem_t *mctx = client->mctx; dns_rdataset_init(&rdataset); isc_buffer_init(&buffer, data, sizeof(data)); 
@@ -2003,6 +2034,73 @@ failure: return (result); } +static isc_result_t +add_exposed_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, + dns_dbversion_t *ver, dns_name_t *name, isc_boolean_t cut, + dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys, + isc_stdtime_t inception, isc_stdtime_t expire, + isc_boolean_t check_ksk) +{ + isc_result_t result; + dns_dbnode_t *node; + dns_rdatasetiter_t *iter; + + node = NULL; + result = dns_db_findnode(db, name, ISC_FALSE, &node); + if (result == ISC_R_NOTFOUND) + return (ISC_R_SUCCESS); + if (result != ISC_R_SUCCESS) + return (result); + + iter = NULL; + result = dns_db_allrdatasets(db, node, ver, + (isc_stdtime_t) 0, &iter); + if (result != ISC_R_SUCCESS) + goto cleanup_node; + + for (result = dns_rdatasetiter_first(iter); + result == ISC_R_SUCCESS; + result = dns_rdatasetiter_next(iter)) + { + dns_rdataset_t rdataset; + dns_rdatatype_t type; + isc_boolean_t flag; + + dns_rdataset_init(&rdataset); + dns_rdatasetiter_current(iter, &rdataset); + type = rdataset.type; + dns_rdataset_disassociate(&rdataset); + + /* + * We don't need to sign unsigned NSEC records at the cut + * as they are handled elsewhere. + */ + if ((type == dns_rdatatype_rrsig) || + (cut && type != dns_rdatatype_ds)) + continue; + result = rrset_exists(db, ver, name, dns_rdatatype_rrsig, + type, &flag); + if (result != ISC_R_SUCCESS) + goto cleanup_iterator; + if (flag) + continue;; + result = add_sigs(client, zone, db, ver, name, type, diff, + keys, nkeys, inception, expire, check_ksk); + if (result != ISC_R_SUCCESS) + goto cleanup_iterator; + } + if (result == ISC_R_NOMORE) + result = ISC_R_SUCCESS; + + cleanup_iterator: + dns_rdatasetiter_destroy(&iter); + + cleanup_node: + dns_db_detachnode(db, &node); + + return (result); +} + /*% * Update RRSIG, NSEC and NSEC3 records affected by an update. The original * update, including the SOA serial update but exluding the RRSIG & NSEC 
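Review bot: In `add_exposed_sigs` the comment `We don't need to sign unsigned NSEC records at the cut` does not describe the test beneath it, which at a cut skips every type except DS (NS and glue included) and skips RRSIG everywhere; reword it to `At a zone cut only the DS RRset belongs to this zone; NS, glue and the NSEC (signed elsewhere) are left alone.`. The `continue;;` after `if (flag)` has a stray semicolon. The `cleanup_iterator:`/`cleanup_node:` labels appear to be indented by one space unlike the `failure:` label at the top of the hunk; put them in column 0. Converting `ISC_R_NOMORE` to `ISC_R_SUCCESS` only on normal loop exit is correct, since the error `goto`s bypass that line.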
@@ -2039,6 +2137,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, dns_dbnode_t *node = NULL; isc_boolean_t check_ksk; isc_boolean_t unsecure; + isc_boolean_t cut; dns_diff_init(client->mctx, &diffnames); dns_diff_init(client->mctx, &affected); @@ -2147,15 +2246,15 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, NULL, &sig_diff)); /* - * If this RRset still exists after the update, + * If this RRset is still visible after the update, * add a new signature for it. */ - CHECK(rrset_exists(db, newver, name, type, 0, &flag)); + CHECK(rrset_visible(db, newver, name, type, &flag)); if (flag) { CHECK(add_sigs(client, zone, db, newver, name, type, &sig_diff, zone_keys, - nkeys, client->mctx, inception, - expire, check_ksk)); + nkeys, inception, expire, + check_ksk)); } skip: /* Skip any other updates to the same RRset. */ 
@@ -2276,27 +2375,34 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, t = ISC_LIST_NEXT(t, link)) { isc_boolean_t exists; - CHECK(name_exists(db, newver, &t->name, &exists)); + dns_name_t *name = &t->name; + + CHECK(name_exists(db, newver, name, &exists)); if (! exists) continue; - CHECK(is_glue(db, newver, &t->name, &flag)); - if (flag) { + CHECK(is_active(db, newver, name, &flag, &cut, NULL)); + if (!flag) { /* * This name is obscured. Delete any * existing NSEC record. */ - CHECK(delete_if(true_p, db, newver, &t->name, + CHECK(delete_if(true_p, db, newver, name, dns_rdatatype_nsec, 0, NULL, &nsec_diff)); + CHECK(delete_if(rrsig_p, db, newver, name, + dns_rdatatype_any, 0, NULL, diff)); } else { /* * This name is not obscured. It should have a NSEC. */ - CHECK(rrset_exists(db, newver, &t->name, + CHECK(rrset_exists(db, newver, name, dns_rdatatype_nsec, 0, &flag)); if (! flag) - CHECK(add_placeholder_nsec(db, newver, &t->name, + CHECK(add_placeholder_nsec(db, newver, name, diff)); + CHECK(add_exposed_sigs(client, zone, db, newver, name, + cut, diff, zone_keys, nkeys, + inception, expire, check_ksk)); } } @@ -2357,8 +2463,8 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, } else if (t->op == DNS_DIFFOP_ADD) { CHECK(add_sigs(client, zone, db, newver, &t->name, dns_rdatatype_nsec, &sig_diff, - zone_keys, nkeys, client->mctx, - inception, expire, check_ksk)); + zone_keys, nkeys, inception, expire, + check_ksk)); } else { INSIST(0); } 
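Review bot: The block in the @@ -2276 hunk that deletes every RRSIG at an inactive name (`delete_if(rrsig_p, ...)`) and calls `add_exposed_sigs` for active names is repeated almost line for line in the NSEC3 pass of the @@ -2447 hunk; a static helper taking `(client, zone, db, newver, name, flag, cut, diff, zone_keys, nkeys, inception, expire, check_ksk)` would keep the two passes in step. The NSEC deletion goes into `nsec_diff` while the RRSIG deletion goes into `diff`, which looks intended (presumably the RRSIGs of obscured data are not regenerated by the NSEC pass), but a comment saying so would save the next reader the inference: `/* RRSIGs of obscured data go into the main diff; they are not re-signed below. */`. `update_signatures` starts and ends outside these hunks.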
@@ -2447,12 +2553,17 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, dns_name_t *name = &t->name; unsecure = ISC_FALSE; /* Silence compiler warning. */ - CHECK(is_active(db, newver, name, &flag, &unsecure)); + CHECK(is_active(db, newver, name, &flag, &cut, &unsecure)); if (!flag) { + CHECK(delete_if(rrsig_p, db, newver, name, + dns_rdatatype_any, 0, NULL, diff)); CHECK(dns_nsec3_delnsec3s(db, newver, name, &nsec_diff)); } else { + CHECK(add_exposed_sigs(client, zone, db, newver, name, + cut, diff, zone_keys, nkeys, + inception, expire, check_ksk)); CHECK(dns_nsec3_addnsec3s(db, newver, name, nsecttl, unsecure, &nsec_diff)); } @@ -2485,8 +2596,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, CHECK(add_sigs(client, zone, db, newver, &t->name, dns_rdatatype_nsec3, &sig_diff, zone_keys, nkeys, - client->mctx, inception, expire, - check_ksk)); + inception, expire, check_ksk)); } else { INSIST(0); } @@ -2662,22 +2772,20 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) { static isc_result_t remove_orphaned_ds(dns_db_t *db, dns_dbversion_t *newver, dns_diff_t *diff) { isc_result_t result; - isc_boolean_t ns_exists, ds_exists; + isc_boolean_t ns_exists; dns_difftuple_t *t; for (t = ISC_LIST_HEAD(diff->tuples); t != NULL; t = ISC_LIST_NEXT(t, link)) { - if (t->op != DNS_DIFFOP_ADD || - t->rdata.type != dns_rdatatype_ns) + if (!((t->op == DNS_DIFFOP_DEL && + t->rdata.type == dns_rdatatype_ns) || + (t->op == DNS_DIFFOP_ADD && + t->rdata.type == dns_rdatatype_ds))) continue; CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_ns, 0, &ns_exists)); - if (ns_exists) - continue; - CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_ds, 0, - &ds_exists)); - if (!ds_exists) + if (ns_exists && !dns_name_equal(&t->name, dns_db_origin(db))) continue; CHECK(delete_if(true_p, db, newver, &t->name, dns_rdatatype_ds, 0, NULL, diff)); 
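Review bot: The rewritten filter and the new apex test in remove_orphaned_ds() encode two DNSSEC rules that the code never states: a DS RRset is kept only while the delegating NS RRset at that owner still exists, and a DS at the zone apex is never legitimate (it belongs in the parent zone, RFC 4035 section 2.4), so it is removed even though apex NS records are present. Suggest a comment above the loop, e.g. `/* Remove DS RRsets orphaned by NS deletions, and any DS at the apex (DS belongs to the parent, never to the child apex). */`. The loop also walks diff->tuples while delete_if() is handed the same diff and presumably appends DEL tuples to it; those fail the new filter, so iteration appears to terminate, but a one-line comment stating that would spare the next reader the analysis.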
diff --git a/bin/named/win32/os.c b/bin/named/win32/os.c index 3f8af7c2..4df44431 100644 --- a/bin/named/win32/os.c +++ b/bin/named/win32/os.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: os.c,v 1.29 2008/10/24 01:24:54 marka Exp $ */ +/* $Id: os.c,v 1.31 2008/11/17 05:41:10 marka Exp $ */ #include <config.h> #include <stdarg.h> @@ -155,6 +155,8 @@ ns_os_closedevnull(void) { void ns_os_chroot(const char *root) { + if (root != NULL) + ns_main_earlyfatal("chroot(): isn't supported by Win32 API"); } void @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. # -# $Id: configure,v 1.442 2008/10/21 02:43:08 marka Exp $ +# $Id: configure,v 1.443 2008/10/29 10:09:21 fdupont Exp $ # # Portions Copyright (C) 1996-2001 Nominum, Inc. # @@ -8672,7 +8672,7 @@ case "$use_libxml2" in ;; auto|yes) case X`(xml2-config --version) 2>/dev/null` in - X2.6.*) + X2.[67].*) libxml2_libs=`xml2-config --libs` libxml2_cflags=`xml2-config --cflags` ;; diff --git a/configure.in b/configure.in index 70fe29a0..2a1163a4 100644 --- a/configure.in +++ b/configure.in @@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl esyscmd([sed "s/^/# /" COPYRIGHT])dnl AC_DIVERT_POP()dnl -AC_REVISION($Revision: 1.456 $) +AC_REVISION($Revision: 1.457 $) AC_INIT(lib/dns/name.c) AC_PREREQ(2.59) @@ -1000,7 +1000,7 @@ case "$use_libxml2" in ;; auto|yes) case X`(xml2-config --version) 2>/dev/null` in - X2.6.*) + X2.[[67]].*) libxml2_libs=`xml2-config --libs` libxml2_cflags=`xml2-config --cflags` ;; diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 275c0586..8c17589d 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml 
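Review bot: The new check in ns_os_chroot() correctly fails closed: before it, a chroot directory requested with -t on Win32 was silently accepted while no confinement took place, so an operator could believe named was running chrooted when it was not; terminating early is the right outcome for a security control that cannot be honoured. The message wording is awkward, though: `ns_main_earlyfatal("chroot(): isn't supported by Win32 API");` reads better as `ns_main_earlyfatal("chroot() is not supported by the Win32 API");`. The configure and configure.in hunks that follow on this line only widen the accepted libxml2 version match and raise no point.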
@@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- File: $Id: Bv9ARM-book.xml,v 1.377 2008/10/27 16:05:45 jreed Exp $ --> +<!-- File: $Id: Bv9ARM-book.xml,v 1.380 2008/11/07 02:28:49 marka Exp $ --> <book xmlns:xi="http://www.w3.org/2001/XInclude"> <title>BIND 9 Administrator Reference Manual</title> @@ -3735,7 +3735,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. <programlisting><command>logging</command> { [ <command>channel</command> <replaceable>channel_name</replaceable> { - ( <command>file</command> <replaceable>path name</replaceable> + ( <command>file</command> <replaceable>path_name</replaceable> [ <command>versions</command> ( <replaceable>number</replaceable> | <command>unlimited</command> ) ] [ <command>size</command> <replaceable>size spec</replaceable> ] | <command>syslog</command> <replaceable>syslog_facility</replaceable> @@ -4327,7 +4327,7 @@ category notify { null; }; </entry> <entry colname="2"> <para> - Delegation only. Logs queries that have have + Delegation only. Logs queries that have been forced to NXDOMAIN as the result of a delegation-only zone or a <command>delegation-only</command> in a @@ -4797,7 +4797,8 @@ category notify { null; }; <listitem> <para> The pathname of the file the server writes its process ID - in. If not specified, the default is <filename>/var/run/named.pid</filename>. + in. If not specified, the default is + <filename>/var/run/named/named.pid</filename>. The pid-file is used by programs that want to send signals to the running name server. Specifying <command>pid-file none</command> disables the @@ -7760,7 +7761,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; <para> Named will attempt to determine if a built in zone already exists or is active (covered by a forward-only forwarding declaration) - and will not not create a empty zone in that case. + and will not create a empty zone in that case. </para> <para> The current list of empty zones is: 
@@ -13217,7 +13218,7 @@ zone "example.com" { <pubdate>March 2005</pubdate> </biblioentry> <biblioentry> - <abbrev>RFC4044</abbrev> + <abbrev>RFC4034</abbrev> <authorgroup> <author> <firstname>R.</firstname> @@ -14181,6 +14182,7 @@ zone "example.com" { <title>Manual pages</title> <xi:include href="../../bin/dig/dig.docbook"/> <xi:include href="../../bin/dig/host.docbook"/> + <xi:include href="../../bin/dnssec/dnssec-dsfromkey.docbook"/> <xi:include href="../../bin/dnssec/dnssec-keyfromlabel.docbook"/> <xi:include href="../../bin/dnssec/dnssec-keygen.docbook"/> <xi:include href="../../bin/dnssec/dnssec-signzone.docbook"/> diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index e7db6d07..1f39b961 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: Bv9ARM.ch06.html,v 1.199 2008/10/28 01:11:26 tbox Exp $ --> +<!-- $Id: Bv9ARM.ch06.html,v 1.201 2008/11/07 01:11:19 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> 
@@ -1107,7 +1107,7 @@ <a name="id2575202"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div> <pre class="programlisting"><span><strong class="command">logging</strong></span> { [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> { - ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path name</code></em> + ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path_name</code></em> [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ] [ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size spec</code></em> ] | <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em> @@ -1670,7 +1670,7 @@ category notify { null; }; </td> <td> <p> - Delegation only. Logs queries that have have + Delegation only. Logs queries that have been forced to NXDOMAIN as the result of a delegation-only zone or a <span><strong class="command">delegation-only</strong></span> in a @@ -2078,7 +2078,8 @@ category notify { null; }; <dt><span class="term"><span><strong class="command">pid-file</strong></span></span></dt> <dd><p> The pathname of the file the server writes its process ID - in. If not specified, the default is <code class="filename">/var/run/named.pid</code>. + in. If not specified, the default is + <code class="filename">/var/run/named/named.pid</code>. The pid-file is used by programs that want to send signals to the running name server. Specifying <span><strong class="command">pid-file none</strong></span> disables the 
@@ -4421,7 +4422,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; <p> Named will attempt to determine if a built in zone already exists or is active (covered by a forward-only forwarding declaration) - and will not not create a empty zone in that case. + and will not create a empty zone in that case. </p> <p> The current list of empty zones is: diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index e8745c5f..c9737343 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: Bv9ARM.ch07.html,v 1.176 2008/10/28 01:11:26 tbox Exp $ --> +<!-- $Id: Bv9ARM.ch07.html,v 1.178 2008/11/07 01:11:20 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index dbe0e1c9..d25df0bc 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: Bv9ARM.ch08.html,v 1.176 2008/10/28 01:11:26 tbox Exp $ --> +<!-- $Id: Bv9ARM.ch08.html,v 1.178 2008/11/07 01:11:20 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index a4c3d620..f16f4c6e 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: Bv9ARM.ch09.html,v 1.179 2008/10/28 01:11:26 tbox Exp $ --> +<!-- $Id: Bv9ARM.ch09.html,v 1.180 2008/11/05 01:11:19 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> 
@@ -323,7 +323,7 @@ <a name="id2599118"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p> </div> <div class="biblioentry"> -<a name="id2599184"></a><p>[<abbr class="abbrev">RFC4044</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p> +<a name="id2599184"></a><p>[<abbr class="abbrev">RFC4034</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. 
</span></p> </div> <div class="biblioentry"> <a name="id2599249"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html index c12606e8..3fa321a3 100644 --- a/doc/arm/Bv9ARM.ch10.html +++ b/doc/arm/Bv9ARM.ch10.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: Bv9ARM.ch10.html,v 1.10 2008/06/18 01:12:16 tbox Exp $ --> +<!-- $Id: Bv9ARM.ch10.html,v 1.11 2008/11/07 04:08:43 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -55,6 +55,9 @@ <span class="refentrytitle"><a href="man.host.html">host</a></span><span class="refpurpose"> — DNS lookup utility</span> </dt> <dt> +<span class="refentrytitle"><a href="man.dnssec-dsfromkey.html"><span class="application">dnssec-dsfromkey</span></a></span><span class="refpurpose"> — DNSSEC DS RR generation tool</span> +</dt> +<dt> <span class="refentrytitle"><a href="man.dnssec-keyfromlabel.html"><span class="application">dnssec-keyfromlabel</span></a></span><span class="refpurpose"> — DNSSEC key generation tool</span> </dt> <dt> diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index 08f13b36..79ebc74f 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html 
@@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: Bv9ARM.html,v 1.190 2008/10/28 01:11:26 tbox Exp $ --> +<!-- $Id: Bv9ARM.html,v 1.193 2008/11/07 04:08:43 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -220,6 +220,9 @@ <span class="refentrytitle"><a href="man.host.html">host</a></span><span class="refpurpose"> — DNS lookup utility</span> </dt> <dt> +<span class="refentrytitle"><a href="man.dnssec-dsfromkey.html"><span class="application">dnssec-dsfromkey</span></a></span><span class="refpurpose"> — DNSSEC DS RR generation tool</span> +</dt> +<dt> <span class="refentrytitle"><a href="man.dnssec-keyfromlabel.html"><span class="application">dnssec-keyfromlabel</span></a></span><span class="refpurpose"> — DNSSEC key generation tool</span> </dt> <dt> diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index b60bb00f..6a3ff6f2 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: man.dig.html,v 1.90 2008/10/28 01:11:27 tbox Exp $ --> +<!-- $Id: man.dig.html,v 1.93 2008/11/07 04:08:43 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -52,7 +52,7 @@ <div class="cmdsynopsis"><p><code class="command">dig</code> [global-queryopt...] [query...]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2563833"></a><h2>DESCRIPTION</h2> +<a name="id2563841"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">dig</strong></span> (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and 
@@ -98,7 +98,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2563928"></a><h2>SIMPLE USAGE</h2> +<a name="id2563936"></a><h2>SIMPLE USAGE</h2> <p> A typical invocation of <span><strong class="command">dig</strong></span> looks like: </p> @@ -144,7 +144,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2570797"></a><h2>OPTIONS</h2> +<a name="id2570805"></a><h2>OPTIONS</h2> <p> The <code class="option">-b</code> option sets the source IP address of the query to <em class="parameter"><code>address</code></em>. This must be a valid @@ -248,7 +248,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2628620"></a><h2>QUERY OPTIONS</h2> +<a name="id2628628"></a><h2>QUERY OPTIONS</h2> <p><span><strong class="command">dig</strong></span> provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -571,7 +571,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2629553"></a><h2>MULTIPLE QUERIES</h2> +<a name="id2629560"></a><h2>MULTIPLE QUERIES</h2> <p> The BIND 9 implementation of <span><strong class="command">dig </strong></span> supports @@ -617,7 +617,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr </p> </div> <div class="refsect1" lang="en"> -<a name="id2629774"></a><h2>IDN SUPPORT</h2> +<a name="id2629782"></a><h2>IDN SUPPORT</h2> <p> If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. 
@@ -631,14 +631,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr </p> </div> <div class="refsect1" lang="en"> -<a name="id2629803"></a><h2>FILES</h2> +<a name="id2629811"></a><h2>FILES</h2> <p><code class="filename">/etc/resolv.conf</code> </p> <p><code class="filename">${HOME}/.digrc</code> </p> </div> <div class="refsect1" lang="en"> -<a name="id2629825"></a><h2>SEE ALSO</h2> +<a name="id2629832"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>, <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, @@ -646,7 +646,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr </p> </div> <div class="refsect1" lang="en"> -<a name="id2629930"></a><h2>BUGS</h2> +<a name="id2629938"></a><h2>BUGS</h2> <p> There are probably too many query options. </p> diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html new file mode 100644 index 00000000..347c421a --- /dev/null +++ b/doc/arm/man.dnssec-dsfromkey.html 
@@ -0,0 +1,170 @@ +<!-- + - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2003 Internet Software Consortium. + - + - Permission to use, copy, modify, and distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> +<!-- $Id: man.dnssec-dsfromkey.html,v 1.6 2008/11/09 01:11:56 tbox Exp $ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>dnssec-dsfromkey</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> +<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages"> +<link rel="prev" href="man.host.html" title="host"> +<link rel="next" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> +<div class="navheader"> +<table width="100%" summary="Navigation header"> +<tr><th colspan="3" align="center"><span class="application">dnssec-dsfromkey</span></th></tr> +<tr> +<td width="20%" align="left"> +<a accesskey="p" href="man.host.html">Prev</a> </td> +<th width="60%" align="center">Manual pages</th> +<td width="20%" align="right"> <a accesskey="n" href="man.dnssec-keyfromlabel.html">Next</a> +</td> +</tr> +</table> +<hr> +</div> +<div class="refentry" 
lang="en"> +<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p><span class="application">dnssec-dsfromkey</span> — DNSSEC DS RR generation tool</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] {keyfile}</p></div> +<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>dir</code></em></code>] {dnsname}</p></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2602709"></a><h2>DESCRIPTION</h2> +<p><span><strong class="command">dnssec-dsfromkey</strong></span> + outputs the Delegation Signer (DS) resource record (RR), as defined in + RFC 3658 and RFC 4509, for the given key(s). + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2602723"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl> +<dt><span class="term">-1</span></dt> +<dd><p> + Use SHA-1 as the digest algorithm (the default is to use + both SHA-1 and SHA-256). + </p></dd> +<dt><span class="term">-2</span></dt> +<dd><p> + Use SHA-256 as the digest algorithm. + </p></dd> +<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt> +<dd><p> + Select the digest algorithm. The value of + <code class="option">algorithm</code> must be one of SHA-1 (SHA1) or + SHA-256 (SHA256). These values are case insensitive. 
+ </p></dd> +<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt> +<dd><p> + Sets the debugging level. + </p></dd> +<dt><span class="term">-s</span></dt> +<dd><p> + Keyset mode: in place of the keyfile name, the argument is + the DNS domain name of a keyset file. Following options make sense + only in this mode. + </p></dd> +<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt> +<dd><p> + Specifies the DNS class (default is IN), useful only + in the keyset mode. + </p></dd> +<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt> +<dd><p> + Look for <code class="filename">keyset</code> files in + <code class="option">directory</code> as the directory, ignored when + not in the keyset mode. + </p></dd> +</dl></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2602989"></a><h2>EXAMPLE</h2> +<p> + To build the SHA-256 DS RR from the + <strong class="userinput"><code>Kexample.com.+003+26160</code></strong> + keyfile name, the following command would be issued: + </p> +<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong> + </p> +<p> + The command would print something like: + </p> +<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong> + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2603026"></a><h2>FILES</h2> +<p> + The keyfile can be designed by the key identification + <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name + <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by + <span class="refentrytitle">dnssec-keygen</span>(8). + </p> +<p> + The keyset file name is built from the <code class="option">directory</code>, + the string <code class="filename">keyset-</code> and the + <code class="option">dnsname</code>. 
+ </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2603067"></a><h2>CAVEAT</h2> +<p> + A keyfile error can give a "file not found" even if the file exists. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2603418"></a><h2>SEE ALSO</h2> +<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, + <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, + <em class="citetitle">BIND 9 Administrator Reference Manual</em>, + <em class="citetitle">RFC 3658</em>, + <em class="citetitle">RFC 4509</em>. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2603454"></a><h2>AUTHOR</h2> +<p><span class="corpauthor">Internet Systems Consortium</span> + </p> +</div> +</div> +<div class="navfooter"> +<hr> +<table width="100%" summary="Navigation footer"> +<tr> +<td width="40%" align="left"> +<a accesskey="p" href="man.host.html">Prev</a> </td> +<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td> +<td width="40%" align="right"> <a accesskey="n" href="man.dnssec-keyfromlabel.html">Next</a> +</td> +</tr> +<tr> +<td width="40%" align="left" valign="top">host </td> +<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td> +<td width="40%" align="right" valign="top"> <span class="application">dnssec-keyfromlabel</span> +</td> +</tr> +</table> +</div> +</body> +</html> diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index b49e48f0..ca9f3dad 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html 
@@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: man.dnssec-keyfromlabel.html,v 1.27 2008/10/28 01:11:26 tbox Exp $ --> +<!-- $Id: man.dnssec-keyfromlabel.html,v 1.31 2008/11/07 04:08:43 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -22,7 +22,7 @@ <meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.ch10.html" title="Manual pages"> -<link rel="prev" href="man.host.html" title="host"> +<link rel="prev" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey"> <link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen"> </head> <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> @@ -31,7 +31,7 @@ <tr><th colspan="3" align="center"><span class="application">dnssec-keyfromlabel</span></th></tr> <tr> <td width="20%" align="left"> -<a accesskey="p" href="man.host.html">Prev</a> </td> +<a accesskey="p" href="man.dnssec-dsfromkey.html">Prev</a> </td> <th width="60%" align="center">Manual pages</th> <td width="20%" align="right"> <a accesskey="n" href="man.dnssec-keygen.html">Next</a> </td> 
@@ -50,7 +50,7 @@ <div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-k</code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2602585"></a><h2>DESCRIPTION</h2> +<a name="id2603227"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">dnssec-keyfromlabel</strong></span> gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 @@ -58,7 +58,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2602599"></a><h2>OPTIONS</h2> +<a name="id2603241"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt> <dd> @@ -131,7 +131,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2602864"></a><h2>GENERATED KEY FILES</h2> +<a name="id2603642"></a><h2>GENERATED KEY FILES</h2> <p> When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes successfully, 
@@ -172,7 +172,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2602957"></a><h2>SEE ALSO</h2> +<a name="id2603873"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, @@ -182,7 +182,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2602997"></a><h2>AUTHOR</h2> +<a name="id2603912"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> @@ -192,13 +192,14 @@ <table width="100%" summary="Navigation footer"> <tr> <td width="40%" align="left"> -<a accesskey="p" href="man.host.html">Prev</a> </td> +<a accesskey="p" href="man.dnssec-dsfromkey.html">Prev</a> </td> <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td> <td width="40%" align="right"> <a accesskey="n" href="man.dnssec-keygen.html">Next</a> </td> </tr> <tr> -<td width="40%" align="left" valign="top">host </td> +<td width="40%" align="left" valign="top"> +<span class="application">dnssec-dsfromkey</span> </td> <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td> <td width="40%" align="right" valign="top"> <span class="application">dnssec-keygen</span> </td> diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index 33bc4f97..35fe7431 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: man.dnssec-keygen.html,v 1.94 2008/10/28 01:11:26 tbox Exp $ --> +<!-- $Id: man.dnssec-keygen.html,v 1.97 2008/11/07 04:08:43 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> 
@@ -50,7 +50,7 @@ <div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2603370"></a><h2>DESCRIPTION</h2> +<a name="id2604490"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">dnssec-keygen</strong></span> generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -58,7 +58,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2603384"></a><h2>OPTIONS</h2> +<a name="id2604504"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt> <dd> @@ -166,7 +166,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2603728"></a><h2>GENERATED KEYS</h2> +<a name="id2604848"></a><h2>GENERATED KEYS</h2> <p> When <span><strong class="command">dnssec-keygen</strong></span> completes successfully, 
@@ -212,7 +212,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2606088"></a><h2>EXAMPLE</h2> +<a name="id2607208"></a><h2>EXAMPLE</h2> <p> To generate a 768-bit DSA key for the domain <strong class="userinput"><code>example.com</code></strong>, the following command would be @@ -233,7 +233,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2606145"></a><h2>SEE ALSO</h2> +<a name="id2607333"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, <em class="citetitle">RFC 2539</em>, @@ -242,7 +242,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2606176"></a><h2>AUTHOR</h2> +<a name="id2607364"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index b8ef336c..237d19d0 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: man.dnssec-signzone.html,v 1.91 2008/10/28 01:11:27 tbox Exp $ --> +<!-- $Id: man.dnssec-signzone.html,v 1.94 2008/11/07 04:08:43 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> 
@@ -50,7 +50,7 @@ <div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2604487"></a><h2>DESCRIPTION</h2> +<a name="id2606153"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">dnssec-signzone</strong></span> signs a zone. 
It generates NSEC and RRSIG records and produces a signed version of the @@ -61,7 +61,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2604506"></a><h2>OPTIONS</h2> +<a name="id2606172"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-a</span></dt> <dd><p> @@ -276,7 +276,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2658219"></a><h2>EXAMPLE</h2> +<a name="id2657291"></a><h2>EXAMPLE</h2> <p> The following command signs the <strong class="userinput"><code>example.com</code></strong> zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span> @@ -305,14 +305,14 @@ db.example.com.signed %</pre> </div> <div class="refsect1" lang="en"> -<a name="id2658292"></a><h2>SEE ALSO</h2> +<a name="id2657364"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, <em class="citetitle">RFC 4033</em>. </p> </div> <div class="refsect1" lang="en"> -<a name="id2658316"></a><h2>AUTHOR</h2> +<a name="id2657388"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index 4c2f842c..7d1fa9e1 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: man.host.html,v 1.89 2008/10/28 01:11:27 tbox Exp $ --> +<!-- $Id: man.host.html,v 1.93 2008/11/07 04:08:43 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> 
@@ -23,7 +23,7 @@ <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.ch10.html" title="Manual pages"> <link rel="prev" href="man.dig.html" title="dig"> -<link rel="next" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel"> +<link rel="next" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey"> </head> <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> <div class="navheader"> @@ -33,7 +33,7 @@ <td width="20%" align="left"> <a accesskey="p" href="man.dig.html">Prev</a> </td> <th width="60%" align="center">Manual pages</th> -<td width="20%" align="right"> <a accesskey="n" href="man.dnssec-keyfromlabel.html">Next</a> +<td width="20%" align="right"> <a accesskey="n" href="man.dnssec-dsfromkey.html">Next</a> </td> </tr> </table> @@ -50,7 +50,7 @@ <div class="cmdsynopsis"><p><code class="command">host</code> [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2601854"></a><h2>DESCRIPTION</h2> +<a name="id2601862"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">host</strong></span> is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. 
@@ -202,7 +202,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2602437"></a><h2>IDN SUPPORT</h2> +<a name="id2602513"></a><h2>IDN SUPPORT</h2> <p> If <span><strong class="command">host</strong></span> has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -216,12 +216,12 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2602466"></a><h2>FILES</h2> +<a name="id2602541"></a><h2>FILES</h2> <p><code class="filename">/etc/resolv.conf</code> </p> </div> <div class="refsect1" lang="en"> -<a name="id2602480"></a><h2>SEE ALSO</h2> +<a name="id2602555"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>, <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>. </p> @@ -234,13 +234,13 @@ <td width="40%" align="left"> <a accesskey="p" href="man.dig.html">Prev</a> </td> <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td> -<td width="40%" align="right"> <a accesskey="n" href="man.dnssec-keyfromlabel.html">Next</a> +<td width="40%" align="right"> <a accesskey="n" href="man.dnssec-dsfromkey.html">Next</a> </td> </tr> <tr> <td width="40%" align="left" valign="top">dig </td> <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td> -<td width="40%" align="right" valign="top"> <span class="application">dnssec-keyfromlabel</span> +<td width="40%" align="right" valign="top"> <span class="application">dnssec-dsfromkey</span> </td> </tr> </table> diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index f365c0cd..5c6adcd7 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html 
@@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: man.named-checkconf.html,v 1.89 2008/10/28 01:11:27 tbox Exp $ --> +<!-- $Id: man.named-checkconf.html,v 1.92 2008/11/07 04:08:43 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -50,14 +50,14 @@ <div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] (unknown) [<code class="option">-z</code>]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2605330"></a><h2>DESCRIPTION</h2> +<a name="id2606791"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">named-checkconf</strong></span> checks the syntax, but not the semantics, of a named configuration file. </p> </div> <div class="refsect1" lang="en"> -<a name="id2605344"></a><h2>OPTIONS</h2> +<a name="id2606805"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-h</span></dt> <dd><p> 
@@ -92,21 +92,21 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2605460"></a><h2>RETURN VALUES</h2> +<a name="id2606921"></a><h2>RETURN VALUES</h2> <p><span><strong class="command">named-checkconf</strong></span> returns an exit status of 1 if errors were detected and 0 otherwise. </p> </div> <div class="refsect1" lang="en"> -<a name="id2606225"></a><h2>SEE ALSO</h2> +<a name="id2606935"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>. </p> </div> <div class="refsect1" lang="en"> -<a name="id2606254"></a><h2>AUTHOR</h2> +<a name="id2606965"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index 88f0d99c..70b029fe 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: man.named-checkzone.html,v 1.95 2008/10/28 01:11:27 tbox Exp $ --> +<!-- $Id: man.named-checkzone.html,v 1.98 2008/11/07 04:08:43 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> 
@@ -51,7 +51,7 @@ <div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} (unknown)</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2607131"></a><h2>DESCRIPTION</h2> +<a name="id2608388"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">named-checkzone</strong></span> checks the syntax and integrity of a zone file. It performs the same checks as <span><strong class="command">named</strong></span> does when loading a @@ -71,7 +71,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2661044"></a><h2>OPTIONS</h2> +<a name="id2608438"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-d</span></dt> <dd><p> 
@@ -257,14 +257,14 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2661918"></a><h2>RETURN VALUES</h2> +<a name="id2658192"></a><h2>RETURN VALUES</h2> <p><span><strong class="command">named-checkzone</strong></span> returns an exit status of 1 if errors were detected and 0 otherwise. </p> </div> <div class="refsect1" lang="en"> -<a name="id2661932"></a><h2>SEE ALSO</h2> +<a name="id2658205"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>, <em class="citetitle">RFC 1035</em>, @@ -272,7 +272,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2661965"></a><h2>AUTHOR</h2> +<a name="id2658238"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index b213b9d4..f01124d4 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: man.named.html,v 1.96 2008/10/28 01:11:27 tbox Exp $ --> +<!-- $Id: man.named.html,v 1.99 2008/11/07 04:08:43 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> 
@@ -50,7 +50,7 @@ <div class="cmdsynopsis"><p><code class="command">named</code> [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2607651"></a><h2>DESCRIPTION</h2> +<a name="id2609180"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">named</strong></span> is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -65,7 +65,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2607682"></a><h2>OPTIONS</h2> +<a name="id2609211"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-4</span></dt> <dd><p> @@ -238,7 +238,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2609988"></a><h2>SIGNALS</h2> +<a name="id2611108"></a><h2>SIGNALS</h2> <p> In routine operation, signals should not be used to control the nameserver; <span><strong class="command">rndc</strong></span> should be used 
@@ -259,7 +259,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2610038"></a><h2>CONFIGURATION</h2> +<a name="id2611158"></a><h2>CONFIGURATION</h2> <p> The <span><strong class="command">named</strong></span> configuration file is too complex to describe in detail here. A complete description is provided @@ -268,20 +268,20 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2610057"></a><h2>FILES</h2> +<a name="id2611177"></a><h2>FILES</h2> <div class="variablelist"><dl> <dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt> <dd><p> The default configuration file. </p></dd> -<dt><span class="term"><code class="filename">/var/run/named.pid</code></span></dt> +<dt><span class="term"><code class="filename">/var/run/named/named.pid</code></span></dt> <dd><p> The default process-id file. </p></dd> </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2610101"></a><h2>SEE ALSO</h2> +<a name="id2611221"></a><h2>SEE ALSO</h2> <p><em class="citetitle">RFC 1033</em>, <em class="citetitle">RFC 1034</em>, <em class="citetitle">RFC 1035</em>, @@ -294,7 +294,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2610171"></a><h2>AUTHOR</h2> +<a name="id2611291"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index 85bc103e..40ab5a0a 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html 
@@ -1,20 +1,20 @@ <!-- - - Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC") - - - - Permission to use, copy, modify, and/or distribute this software for any + - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2003 Internet Software Consortium. + - + - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $Id: man.nsupdate.html,v 1.18 2008/10/28 01:11:27 tbox Exp $ --> +<!-- $Id: man.nsupdate.html,v 1.22 2008/11/09 01:11:56 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> 
@@ -50,7 +50,7 @@ <div class="cmdsynopsis"><p><code class="command">nsupdate</code> [<code class="option">-d</code>] [<code class="option">-D</code>] [[<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [filename]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2608755"></a><h2>DESCRIPTION</h2> +<a name="id2609806"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">nsupdate</strong></span> is used to submit Dynamic DNS Update requests as defined in RFC2136 to a name server. @@ -186,7 +186,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2609203"></a><h2>INPUT FORMAT</h2> +<a name="id2610186"></a><h2>INPUT FORMAT</h2> <p><span><strong class="command">nsupdate</strong></span> reads input from <em class="parameter"><code>filename</code></em> @@ -450,7 +450,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2662664"></a><h2>EXAMPLES</h2> +<a name="id2659005"></a><h2>EXAMPLES</h2> <p> The examples below show how <span><strong class="command">nsupdate</strong></span> @@ -504,7 +504,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2662714"></a><h2>FILES</h2> +<a name="id2659056"></a><h2>FILES</h2> <div class="variablelist"><dl> <dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt> <dd><p> 
@@ -523,7 +523,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2662784"></a><h2>SEE ALSO</h2> +<a name="id2659125"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">RFC2136</span></span>, <span class="citerefentry"><span class="refentrytitle">RFC3007</span></span>, <span class="citerefentry"><span class="refentrytitle">RFC2104</span></span>, @@ -536,7 +536,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2662922"></a><h2>BUGS</h2> +<a name="id2659264"></a><h2>BUGS</h2> <p> The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 93cd9acc..5768d6ba 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: man.rndc-confgen.html,v 1.99 2008/10/28 01:11:26 tbox Exp $ --> +<!-- $Id: man.rndc-confgen.html,v 1.102 2008/11/07 04:08:43 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> 
@@ -48,7 +48,7 @@ <div class="cmdsynopsis"><p><code class="command">rndc-confgen</code> [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2611492"></a><h2>DESCRIPTION</h2> +<a name="id2623125"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">rndc-confgen</strong></span> generates configuration files for <span><strong class="command">rndc</strong></span>. It can be used as a @@ -64,7 +64,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2620296"></a><h2>OPTIONS</h2> +<a name="id2623191"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-a</span></dt> <dd> @@ -171,7 +171,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2626007"></a><h2>EXAMPLES</h2> +<a name="id2633066"></a><h2>EXAMPLES</h2> <p> To allow <span><strong class="command">rndc</strong></span> to be used with no manual configuration, run 
@@ -188,7 +188,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2632685"></a><h2>SEE ALSO</h2> +<a name="id2633942"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>, <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, @@ -196,7 +196,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2632792"></a><h2>AUTHOR</h2> +<a name="id2633980"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index 1ce86245..59f915c9 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: man.rndc.conf.html,v 1.100 2008/10/28 01:11:27 tbox Exp $ --> +<!-- $Id: man.rndc.conf.html,v 1.103 2008/11/07 04:08:43 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> @@ -50,7 +50,7 @@ <div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div> </div> <div class="refsect1" lang="en"> -<a name="id2606572"></a><h2>DESCRIPTION</h2> +<a name="id2612061"></a><h2>DESCRIPTION</h2> <p><code class="filename">rndc.conf</code> is the configuration file for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control utility. This file has a similar structure and syntax to @@ -135,7 +135,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2611045"></a><h2>EXAMPLE</h2> +<a name="id2614213"></a><h2>EXAMPLE</h2> <pre class="programlisting"> options { default-server localhost; 
@@ -209,7 +209,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2611166"></a><h2>NAME SERVER CONFIGURATION</h2> +<a name="id2614403"></a><h2>NAME SERVER CONFIGURATION</h2> <p> The name server must be configured to accept rndc connections and to recognize the key specified in the <code class="filename">rndc.conf</code> @@ -219,7 +219,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2611192"></a><h2>SEE ALSO</h2> +<a name="id2630812"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>, @@ -227,7 +227,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2611230"></a><h2>AUTHOR</h2> +<a name="id2630851"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 1b2e4715..1c49af49 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: man.rndc.html,v 1.98 2008/10/28 01:11:27 tbox Exp $ --> +<!-- $Id: man.rndc.html,v 1.101 2008/11/07 04:08:43 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> 
@@ -50,7 +50,7 @@ <div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2609478"></a><h2>DESCRIPTION</h2> +<a name="id2610666"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">rndc</strong></span> controls the operation of a name server. It supersedes the <span><strong class="command">ndc</strong></span> utility @@ -79,7 +79,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2609528"></a><h2>OPTIONS</h2> +<a name="id2610716"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt> <dd><p> @@ -151,7 +151,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2610299"></a><h2>LIMITATIONS</h2> +<a name="id2611692"></a><h2>LIMITATIONS</h2> <p><span><strong class="command">rndc</strong></span> does not yet support all the commands of the BIND 8 <span><strong class="command">ndc</strong></span> utility. @@ -165,7 +165,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2610330"></a><h2>SEE ALSO</h2> +<a name="id2611723"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>, <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, 
@@ -175,7 +175,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2610386"></a><h2>AUTHOR</h2> +<a name="id2611779"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/lib/bind9/api b/lib/bind9/api index 8459d423..2240cdda 100644 --- a/lib/bind9/api +++ b/lib/bind9/api @@ -1,3 +1,3 @@ LIBINTERFACE = 50 -LIBREVISION = 0 +LIBREVISION = 1 LIBAGE = 0 diff --git a/lib/bind9/check.c b/lib/bind9/check.c index f067e530..f4756910 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check.c,v 1.93 2008/09/12 06:02:31 each Exp $ */ +/* $Id: check.c,v 1.95 2008/11/19 05:38:49 marka Exp $ */ /*! \file */ @@ -792,6 +792,19 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) { } } + /* + * Check that server-id is not too long. + * 1024 bytes should be big enough. + */ + obj = NULL; + (void)cfg_map_get(options, "server-id", &obj); + if (obj != NULL && cfg_obj_isstring(obj) && + strlen(cfg_obj_asstring(obj)) > 1024U) { + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "'server-id' too big (>1024 bytes)"); + result = ISC_R_FAILURE; + } + return (result); } diff --git a/lib/dns/api b/lib/dns/api index 8459d423..2240cdda 100644 --- a/lib/dns/api +++ b/lib/dns/api @@ -1,3 +1,3 @@ LIBINTERFACE = 50 -LIBREVISION = 0 +LIBREVISION = 1 LIBAGE = 0 diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c index 2c7add37..4ab2f3ee 100644 --- a/lib/dns/dispatch.c +++ b/lib/dns/dispatch.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dispatch.c,v 1.154 2008/09/04 00:23:14 jinmei Exp $ */ +/* $Id: dispatch.c,v 1.155 2008/11/12 23:10:57 marka Exp $ */ /*! \file */ 
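Review bot: The new server-id length check in check_options hard-codes the 1024-byte limit twice, once in the comparison `strlen(cfg_obj_asstring(obj)) > 1024U` and again inside the message text `"'server-id' too big (>1024 bytes)"`, so the two can silently drift apart if the limit is ever tuned. A single named constant such as `#define MAX_SERVER_ID_LEN 1024U` used in the comparison, with the message formatted as `"'server-id' too big (>%u bytes)", MAX_SERVER_ID_LEN`, keeps them in step and gives the preceding comment ("1024 bytes should be big enough") something to point at. check_options begins well before this hunk, so the constant would belong with the file's other definitions near the top.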
@@ -49,9 +49,12 @@ typedef ISC_LIST(dns_dispentry_t) dns_displist_t; -typedef struct dispsocket dispsocket_t; +typedef struct dispsocket dispsocket_t; typedef ISC_LIST(dispsocket_t) dispsocketlist_t; +typedef struct dispportentry dispportentry_t; +typedef ISC_LIST(dispportentry_t) dispportlist_t; + /* ARC4 Random generator state */ typedef struct arc4ctx { isc_uint8_t i; @@ -172,7 +175,8 @@ struct dispsocket { isc_socket_t *socket; dns_dispatch_t *disp; isc_sockaddr_t host; - in_port_t localport; + in_port_t localport; /* XXX: should be removed later */ + dispportentry_t *portentry; dns_dispentry_t *resp; isc_task_t *task; ISC_LINK(dispsocket_t) link; @@ -180,6 +184,21 @@ struct dispsocket { ISC_LINK(dispsocket_t) blink; }; +/*% + * A port table entry. We remember every port we first open in a table with a + * reference counter so that we can 'reuse' the same port (with different + * destination addresses) using the SO_REUSEADDR socket option. + */ +struct dispportentry { + in_port_t port; + unsigned int refs; + ISC_LINK(struct dispportentry) link; +}; + +#ifndef DNS_DISPATCH_PORTTABLESIZE +#define DNS_DISPATCH_PORTTABLESIZE 1024 +#endif + #define INVALID_BUCKET (0xffffdead) /*% @@ -229,6 +248,8 @@ struct dns_dispatch { dns_tcpmsg_t tcpmsg; /*%< for tcp streams */ dns_qid_t *qid; arc4ctx_t arc4ctx; /*%< for QID/UDP port num */ + dispportlist_t *port_table; /*%< hold ports 'owned' by us */ + isc_mempool_t *portpool; /*%< port table entries */ }; #define QID_MAGIC ISC_MAGIC('Q', 'i', 'd', ' ') 
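Review bot: `in_port_t localport; /* XXX: should be removed later */` is kept in struct dispsocket, but as far as the hunks in this commit show nothing assigns it any more (the `dispsock->localport = port;` store is dropped in get_dispsocket and socket_search now compares `dispsock->portentry->port`), so any remaining reader would see whatever the mempool allocation happened to contain. Either remove the field in this commit or, if a reader survives elsewhere, initialise it next to the new `dispsock->portentry = NULL;` with `dispsock->localport = 0;`. The new comment on struct dispportentry explains the SO_REUSEADDR reuse idea but not the ownership of `refs`; a line such as `/* refs counts the dispsockets bound to this port; entry is freed at zero */` would make the contract explicit for readers of the header part of the file.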
@@ -679,6 +700,64 @@ destroy_disp(isc_task_t *task, isc_event_t *event) { } /*% + * Manipulate port table per dispatch: find an entry for a given port number, + * create a new entry, and decrement a given entry with possible clean-up. + */ +static dispportentry_t * +port_search(dns_dispatch_t *disp, in_port_t port) { + dispportentry_t *portentry; + + REQUIRE(disp->port_table != NULL); + + portentry = ISC_LIST_HEAD(disp->port_table[port % + DNS_DISPATCH_PORTTABLESIZE]); + while (portentry != NULL) { + if (portentry->port == port) + return (portentry); + portentry = ISC_LIST_NEXT(portentry, link); + } + + return (NULL); +} + +static dispportentry_t * +new_portentry(dns_dispatch_t *disp, in_port_t port) { + dispportentry_t *portentry; + + REQUIRE(disp->port_table != NULL); + + portentry = isc_mempool_get(disp->portpool); + if (portentry == NULL) + return (portentry); + + portentry->port = port; + portentry->refs = 0; + ISC_LINK_INIT(portentry, link); + ISC_LIST_APPEND(disp->port_table[port % DNS_DISPATCH_PORTTABLESIZE], + portentry, link); + + return (portentry); +} + +static void +deref_portentry(dns_dispatch_t *disp, dispportentry_t **portentryp) { + dispportentry_t *portentry = *portentryp; + + REQUIRE(disp->port_table != NULL); + REQUIRE(portentry != NULL && portentry->refs > 0); + + portentry->refs--; + if (portentry->refs == 0) { + ISC_LIST_UNLINK(disp->port_table[portentry->port % + DNS_DISPATCH_PORTTABLESIZE], + portentry, link); + isc_mempool_put(disp->portpool, portentry); + } + + *portentryp = NULL; +} + +/*% * Find a dispsocket for socket address 'dest', and port number 'port'. * Return NULL if no such entry exists. */ @@ -694,7 +773,7 @@ socket_search(dns_qid_t *qid, isc_sockaddr_t *dest, in_port_t port, while (dispsock != NULL) { if (isc_sockaddr_equal(dest, &dispsock->host) && - dispsock->localport == port) + dispsock->portentry->port == port) return (dispsock); dispsock = ISC_LIST_NEXT(dispsock, blink); } 
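Review bot: All three port-table helpers `REQUIRE(disp->port_table != NULL)`, and the later dispatch_createudp hunk allocates that table only for UDP dispatches, so the contract should be stated where callers will read it: `/* UDP dispatches only (port_table is NULL otherwise); caller must hold disp->lock. */` — the locking half is my inference from the table being per-dispatch, confirm it. In new_portentry the allocation-failure branch returns the variable it just found to be NULL; `return (NULL);` says what happens. The single `/*%` block above port_search documents three functions at once; one short comment per function matches the rest of the file.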
@@ -722,6 +801,8 @@ get_dispsocket(dns_dispatch_t *disp, isc_sockaddr_t *dest, dispsocket_t *dispsock; unsigned int nports; in_port_t *ports; + unsigned int bindoptions = 0; + dispportentry_t *portentry = NULL; if (isc_sockaddr_pf(&disp->local) == AF_INET) { nports = disp->mgr->nv4ports; @@ -747,6 +828,7 @@ get_dispsocket(dns_dispatch_t *disp, isc_sockaddr_t *dest, dispsock->socket = NULL; dispsock->disp = disp; dispsock->resp = NULL; + dispsock->portentry = NULL; isc_random_get(&r); dispsock->task = NULL; isc_task_attach(disp->task[r % disp->ntasks], &dispsock->task); @@ -769,16 +851,28 @@ get_dispsocket(dns_dispatch_t *disp, isc_sockaddr_t *dest, bucket = dns_hash(qid, dest, 0, port); if (socket_search(qid, dest, port, bucket) != NULL) continue; - - result = open_socket(sockmgr, &localaddr, 0, &sock); - if (result == ISC_R_SUCCESS || result != ISC_R_ADDRINUSE) + portentry = port_search(disp, port); + if (portentry != NULL) + bindoptions |= ISC_SOCKET_REUSEADDRESS; + result = open_socket(sockmgr, &localaddr, bindoptions, &sock); + if (result == ISC_R_SUCCESS) { + if (portentry == NULL) { + portentry = new_portentry(disp, port); + if (portentry == NULL) { + result = ISC_R_NOMEMORY; + break; + } + } + portentry->refs++; + break; + } else if (result != ISC_R_ADDRINUSE) break; } if (result == ISC_R_SUCCESS) { dispsock->socket = sock; dispsock->host = *dest; - dispsock->localport = port; + dispsock->portentry = portentry; dispsock->bucket = bucket; ISC_LIST_APPEND(qid->sock_table[bucket], dispsock, blink); *dispsockp = dispsock; @@ -815,6 +909,8 @@ destroy_dispsocket(dns_dispatch_t *disp, dispsocket_t **dispsockp) { disp->nsockets--; dispsock->magic = 0; + if (dispsock->portentry != NULL) + deref_portentry(disp, &dispsock->portentry); if (dispsock->socket != NULL) isc_socket_detach(&dispsock->socket); if (ISC_LINK_LINKED(dispsock, blink)) { 
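Review bot: `bindoptions` is never cleared between iterations of the port loop in `@@ -769`: it is initialised once before the loop (`@@ -722`) and OR-ed with ISC_SOCKET_REUSEADDRESS whenever port_search hits, so once a reuse attempt fails with ISC_R_ADDRINUSE every later candidate port — including ones this dispatch does not own — is opened with the reuse option, which widens address sharing beyond the stated intent. Replacing the conditional OR with an assignment, `bindoptions = (portentry != NULL) ? ISC_SOCKET_REUSEADDRESS : 0;`, limits reuse to ports already held by this dispatch. Separately, when open_socket succeeds but new_portentry fails, the block sets ISC_R_NOMEMORY and breaks with `sock` open and not yet stored in `dispsock->socket`; unless the failure path after the hunk detaches it, add `isc_socket_detach(&sock);` before that `break`. get_dispsocket's loop header and its failure path lie outside the hunk.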
@@ -849,6 +945,9 @@ deactivate_dispsocket(dns_dispatch_t *disp, dispsocket_t *dispsock) { dispsock->resp->dispsocket = NULL; } + INSIST(dispsock->portentry != NULL); + deref_portentry(disp, &dispsock->portentry); + if (disp->nsockets > DNS_DISPATCH_POOLSOCKS) destroy_dispsocket(disp, &dispsock); else { @@ -2289,6 +2388,8 @@ dispatch_allocate(dns_dispatchmgr_t *mgr, unsigned int maxrequests, ISC_LIST_INIT(disp->inactivesockets); disp->nsockets = 0; dispatch_arc4init(&disp->arc4ctx, mgr->entropy, NULL); + disp->port_table = NULL; + disp->portpool = NULL; result = isc_mutex_init(&disp->lock); if (result != ISC_R_SUCCESS) @@ -2325,6 +2426,7 @@ dispatch_free(dns_dispatch_t **dispp) { dns_dispatch_t *disp; dns_dispatchmgr_t *mgr; + int i; REQUIRE(VALID_DISPATCH(*dispp)); disp = *dispp; @@ -2349,6 +2451,18 @@ dispatch_free(dns_dispatch_t **dispp) if (disp->qid != NULL) qid_destroy(mgr->mctx, &disp->qid); + + if (disp->port_table != NULL) { + for (i = 0; i < DNS_DISPATCH_PORTTABLESIZE; i++) + INSIST(ISC_LIST_EMPTY(disp->port_table[i])); + isc_mem_put(mgr->mctx, disp->port_table, + sizeof(disp->port_table[0]) * + DNS_DISPATCH_PORTTABLESIZE); + } + + if (disp->portpool != NULL) + isc_mempool_destroy(&disp->portpool); + disp->mgr = NULL; DESTROYLOCK(&disp->lock); disp->magic = 0; 
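Review bot: `sizeof(disp->port_table[0]) * DNS_DISPATCH_PORTTABLESIZE` in the `@@ -2349` hunk of dispatch_free is spelled out again in the dispatch_createudp hunk that follows; a single `#define DNS_DISPATCH_PORTTABLEBYTES (sizeof(dispportlist_t) * DNS_DISPATCH_PORTTABLESIZE)` next to the size macro keeps the get and put sizes identical by construction. The INSIST loop that precedes the free depends on every dispsocket having already released its entry through deref_portentry; a one-line comment, `/* every dispsocket must have released its port entry by now */`, records that ordering for the next reader. dispatch_free's body continues outside the hunk.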
@@ -2669,6 +2783,21 @@ dispatch_createudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr, if (result != ISC_R_SUCCESS) goto deallocate_dispatch; } + + disp->port_table = isc_mem_get(mgr->mctx, + sizeof(disp->port_table[0]) * + DNS_DISPATCH_PORTTABLESIZE); + if (disp->port_table == NULL) + goto deallocate_dispatch; + for (i = 0; i < DNS_DISPATCH_PORTTABLESIZE; i++) + ISC_LIST_INIT(disp->port_table[i]); + + result = isc_mempool_create(mgr->mctx, sizeof(dispportentry_t), + &disp->portpool); + if (result != ISC_R_SUCCESS) + goto deallocate_dispatch; + isc_mempool_setname(disp->portpool, "disp_portpool"); + isc_mempool_setfreemax(disp->portpool, 128); } disp->socktype = isc_sockettype_udp; disp->socket = sock; diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c index 98d7579a..f06d715c 100644 --- a/lib/dns/dnssec.c +++ b/lib/dns/dnssec.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -16,7 +16,7 @@ */ /* - * $Id: dnssec.c,v 1.91 2007/09/14 04:32:50 marka Exp $ + * $Id: dnssec.c,v 1.93 2008/11/14 23:47:33 tbox Exp $ */ /*! \file */ @@ -366,6 +366,9 @@ dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, if (ret != ISC_R_SUCCESS) return (ret); + if (set->type != sig.covered) + return (DNS_R_SIGINVALID); + if (isc_serial_lt(sig.timeexpire, sig.timesigned)) return (DNS_R_SIGINVALID); 
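Review bot: When `isc_mem_get` returns NULL in the new dispatch_createudp block, `goto deallocate_dispatch` is taken with `result` still ISC_R_SUCCESS from the check just above it, so unless the label itself assigns a failure code (not visible here) the caller is told the dispatch was created after it has been freed; add `result = ISC_R_NOMEMORY;` before that goto. The `128` passed to isc_mempool_setfreemax is a bare number that deserves a named constant beside DNS_DISPATCH_PORTTABLESIZE. The loop variable `i` is declared outside the hunk — confirm dispatch_createudp declares it.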
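Review bot: The new `set->type != sig.covered` test in dns_dnssec_verify2 (`@@ -366`) carries no comment; `/* The RRSIG's type-covered field must name the RRset being verified. */` above it explains the rejection to someone reading the validation path. The early return follows the same pattern as the serial check right after it (returning before cleanup_struct), so it is consistent with the existing code. dns_dnssec_verify2 begins outside the hunk.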
@@ -382,6 +385,27 @@ dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, } /* + * NS, SOA and DNSSKEY records are signed by their owner. + * DS records are signed by the parent. + */ + switch (set->type) { + case dns_rdatatype_ns: + case dns_rdatatype_soa: + case dns_rdatatype_dnskey: + if (!dns_name_equal(name, &sig.signer)) + return (DNS_R_SIGINVALID); + break; + case dns_rdatatype_ds: + if (dns_name_equal(name, &sig.signer)) + return (DNS_R_SIGINVALID); + /* FALLTHROUGH */ + default: + if (!dns_name_issubdomain(name, &sig.signer)) + return (DNS_R_SIGINVALID); + break; + } + + /* * Is the key allowed to sign data? */ flags = dst_key_flags(key); @@ -407,7 +431,7 @@ dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, dns_fixedname_init(&fnewname); labels = dns_name_countlabels(name) - 1; RUNTIME_CHECK(dns_name_downcase(name, dns_fixedname_name(&fnewname), - NULL) == ISC_R_SUCCESS); + NULL) == ISC_R_SUCCESS); if (labels - sig.labels > 0) dns_name_split(dns_fixedname_name(&fnewname), sig.labels + 1, NULL, dns_fixedname_name(&fnewname)); @@ -487,9 +511,9 @@ cleanup_struct: dns_rdata_freestruct(&sig); if (ret == ISC_R_SUCCESS && labels - sig.labels > 0) { - if (wild != NULL) + if (wild != NULL) RUNTIME_CHECK(dns_name_concatenate(dns_wildcardname, - dns_fixedname_name(&fnewname), + dns_fixedname_name(&fnewname), wild, NULL) == ISC_R_SUCCESS); ret = DNS_R_FROMWILDCARD; } @@ -541,6 +565,9 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver, if (!is_zone_key(pubkey) || (dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0) goto next; + /* Corrupted .key file? */ + if (!dns_name_equal(name, dst_key_name(pubkey))) + goto next; keys[count] = NULL; result = dst_key_fromfile(dst_key_name(pubkey), dst_key_id(pubkey), 
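Review bot: The new comment in `@@ -382` reads "DNSSKEY"; it should be `DNSKEY`. The `default` branch only requires the signer to be an ancestor of the owner via `dns_name_issubdomain`, not the immediate parent, which is correct for a DS whose cut sits several labels up but is worth stating so nobody later tightens it: `* DS records are signed by the parent zone: the signer must be a proper ancestor of the owner.` The `/* FALLTHROUGH */` marker on the DS case is present, good. dns_dnssec_verify2 begins outside the hunk.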
@@ -802,7 +829,7 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg, RETERR(dst_context_create(key, mctx, &ctx)); /* - * Digest the SIG(0) record, except for the signature. + * Digest the SIG(0) record, except for the signature. */ dns_rdata_toregion(&rdata, &r); r.length -= sig.siglen; diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index 4bfcfe8d..32f894d5 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -31,7 +31,7 @@ /* * Principal Author: Brian Wellington - * $Id: dst_api.c,v 1.15 2008/09/24 02:46:22 marka Exp $ + * $Id: dst_api.c,v 1.16 2008/11/14 22:53:46 marka Exp $ */ /*! \file */ @@ -997,6 +997,13 @@ dst_key_read_public(const char *filename, int type, NEXTTOKEN(lex, opt, &token); if (token.type != isc_tokentype_string) BADTOKEN(); + + /* + * We don't support "@" in .key files. + */ + if (!strcmp(DST_AS_STR(token), "@")) + BADTOKEN(); + dns_fixedname_init(&name); isc_buffer_init(&b, DST_AS_STR(token), strlen(DST_AS_STR(token))); isc_buffer_add(&b, strlen(DST_AS_STR(token))); diff --git a/lib/dns/gssapi_link.c b/lib/dns/gssapi_link.c index 2216c962..0dd27bbe 100644 --- a/lib/dns/gssapi_link.c +++ b/lib/dns/gssapi_link.c @@ -16,7 +16,7 @@ */ /* - * $Id: gssapi_link.c,v 1.11 2008/07/23 10:26:54 marka Exp $ + * $Id: gssapi_link.c,v 1.12 2008/11/11 03:55:01 marka Exp $ */ #include <config.h> @@ -291,7 +291,8 @@ static dst_func_t gssapi_functions = { NULL, /*%< fromdns */ NULL, /*%< tofile */ NULL, /*%< parse */ - NULL /*%< cleanup */ + NULL, /*%< cleanup */ + NULL /*%< fromlabel */ }; isc_result_t diff --git a/lib/dns/include/dns/Makefile.in b/lib/dns/include/dns/Makefile.in index 7397d56d..e9e049e2 100644 --- a/lib/dns/include/dns/Makefile.in +++ b/lib/dns/include/dns/Makefile.in 
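Review bot: `!strcmp(DST_AS_STR(token), "@")` in the `@@ -997` hunk of dst_key_read_public reads as "not equal" at a glance; `strcmp(DST_AS_STR(token), "@") == 0` states what the branch rejects, and since DST_AS_STR(token) is evaluated three more times on the following lines a local `const char *s = DST_AS_STR(token);` would tidy all of them. The comment says "@" is unsupported but not why — presumably because a .key file carries no origin to expand "@" against; confirm and add that reason.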
@@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2008 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2003 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.53 2007/09/12 01:09:08 each Exp $ +# $Id: Makefile.in,v 1.55 2008/11/14 23:47:33 tbox Exp $ srcdir = @srcdir@ VPATH = @srcdir@ @@ -23,14 +23,14 @@ top_srcdir = @top_srcdir@ HEADERS = acl.h adb.h byaddr.h cache.h callbacks.h \ cert.h compress.h \ - db.h dbiterator.h dbtable.h diff.h dispatch.h \ + db.h dbiterator.h dbtable.h diff.h dispatch.h dlz.h \ dnssec.h ds.h events.h fixedname.h iptable.h journal.h keyflags.h \ keytable.h keyvalues.h lib.h log.h master.h masterdump.h \ message.h name.h ncache.h \ nsec.h peer.h portlist.h rbt.h rcode.h \ rdata.h rdataclass.h rdatalist.h rdataset.h rdatasetiter.h \ rdataslab.h rdatatype.h request.h resolver.h result.h \ - rootns.h sdb.h secalg.h secproto.h soa.h ssu.h \ + rootns.h sdb.h sdlz.h secalg.h secproto.h soa.h ssu.h \ tcpmsg.h time.h tkey.h \ tsig.h ttl.h types.h validator.h version.h view.h xfrin.h \ zone.h zonekey.h zt.h diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c index edcd1fd2..54a6993e 100644 --- a/lib/dns/nsec3.c +++ b/lib/dns/nsec3.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: nsec3.c,v 1.5 2008/09/26 01:24:55 marka Exp $ */ +/* $Id: nsec3.c,v 1.6 2008/11/17 23:46:42 marka Exp $ */ #include <config.h> @@ -152,7 +152,9 @@ dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version, if (rdataset.type > max_type) max_type = rdataset.type; set_bit(bm, rdataset.type, 1); - found = ISC_TRUE; + /* Don't set RRSIG for insecure delegation. */ + if (rdataset.type != dns_rdatatype_ns) + found = ISC_TRUE; } dns_rdataset_disassociate(&rdataset); } 
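Review bot: In the nsec3.c `@@ -152` hunk the comment "Don't set RRSIG for insecure delegation" relies on the reader knowing that `found` drives the RRSIG bit later in dns_nsec3_buildrdata, outside the hunk. Spelling that out keeps the intent local: `/* An NS-only node is an insecure delegation and carries no RRSIG in this zone; only other types count toward setting the RRSIG bit. */`. A node with NS plus DS still sets `found` on the DS iteration, which gives the secure-delegation case its RRSIG bit, as I read the loop.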
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c index 8d0010e5..5cdbcad9 100644 --- a/lib/dns/rbtdb.c +++ b/lib/dns/rbtdb.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbtdb.c,v 1.269 2008/10/29 05:53:12 marka Exp $ */ +/* $Id: rbtdb.c,v 1.270 2008/11/14 14:07:48 marka Exp $ */ /*! \file */ @@ -3082,7 +3082,7 @@ static inline isc_result_t find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep, dns_name_t *foundname, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, dns_rbt_t *tree, - isc_boolean_t need_sig) + dns_db_secure_t secure) { dns_rbtnode_t *node; rdatasetheader_t *header, *header_next, *found, *foundsig; @@ -3093,6 +3093,7 @@ find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep, dns_rdatatype_t type; rbtdb_rdatatype_t sigtype; isc_boolean_t wraps; + isc_boolean_t need_sig = ISC_TF(secure == dns_db_secure); if (tree == search->rbtdb->nsec3) { type = dns_rdatatype_nsec3; @@ -3351,7 +3352,7 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, * If we're here, then the name does not exist, is not * beneath a zonecut, and there's no matching wildcard. */ - if ((search.rbtversion->secure && + if ((search.rbtversion->secure == dns_db_secure && !search.rbtversion->havensec3) || (search.options & DNS_DBFIND_FORCENSEC) != 0 || (search.options & DNS_DBFIND_FORCENSEC3) != 0) @@ -3592,7 +3593,7 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, * The desired type doesn't exist. */ result = DNS_R_NXRRSET; - if (search.rbtversion->secure && + if (search.rbtversion->secure == dns_db_secure && !search.rbtversion->havensec3 && (nsecheader == NULL || nsecsig == NULL)) { /* @@ -3628,7 +3629,7 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, new_reference(search.rbtdb, node); *nodep = node; } - if ((search.rbtversion->secure && + if ((search.rbtversion->secure == dns_db_secure && !search.rbtversion->havensec3) || (search.options & DNS_DBFIND_FORCENSEC) != 0) { 
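Review bot: `search.rbtversion->secure == dns_db_secure && !search.rbtversion->havensec3` now appears in three hunks of zone_find (`@@ -3351`, `@@ -3592`, `@@ -3628`); with `secure` promoted from a boolean to a `dns_db_secure_t`, a small static inline helper on the version struct, say `need_nsec_proof(...)`, would name the condition once and make any future enum value a single edit. In find_closest_nsec (`@@ -3093`) the new `need_sig` local folds the enum back to a boolean at entry; a comment naming the other enum values and why they need no signature would help, since the enum itself is not visible here. zone_find and find_closest_nsec both extend beyond the hunks.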
@@ -6963,7 +6964,7 @@ dns_rbtdb_create free_rbtdb(rbtdb, ISC_FALSE, NULL); return (ISC_R_NOMEMORY); } - rbtdb->current_version->secure = ISC_FALSE; + rbtdb->current_version->secure = dns_db_insecure; rbtdb->current_version->havensec3 = ISC_FALSE; rbtdb->current_version->flags = 0; rbtdb->current_version->iterations = 0; diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 5c9f348a..9d1c2feb 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.382 2008/10/17 21:58:09 jinmei Exp $ */ +/* $Id: resolver.c,v 1.384 2008/11/07 00:52:34 marka Exp $ */ /*! \file */ @@ -552,14 +552,13 @@ fctx_stoptimer(fetchctx_t *fctx) { static inline isc_result_t -fctx_startidletimer(fetchctx_t *fctx) { +fctx_startidletimer(fetchctx_t *fctx, isc_interval_t *interval) { /* * Start the idle timer for fctx. The lifetime timer continues * to be in effect. */ return (isc_timer_reset(fctx->timer, isc_timertype_once, - &fctx->expires, &fctx->interval, - ISC_FALSE)); + &fctx->expires, interval, ISC_FALSE)); } /* @@ -1121,7 +1120,7 @@ fctx_setretryinterval(fetchctx_t *fctx, unsigned int rtt) { unsigned int us; /* - * We retry every .5 seconds the first two times through the address + * We retry every .8 seconds the first two times through the address * list, and then we do exponential back-off. */ if (fctx->restarts < 3) @@ -1173,7 +1172,7 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, srtt = 1000000; fctx_setretryinterval(fctx, srtt); - result = fctx_startidletimer(fctx); + result = fctx_startidletimer(fctx, &fctx->interval); if (result != ISC_R_SUCCESS) return (result); @@ -1771,6 +1770,7 @@ resquery_connected(isc_task_t *task, isc_event_t *event) { isc_socketevent_t *sevent = (isc_socketevent_t *)event; resquery_t *query = event->ev_arg; isc_boolean_t retry = ISC_FALSE; + isc_interval_t interval; isc_result_t result; unsigned int attrs; fetchctx_t *fctx; 
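Review bot: `fctx_startidletimer` in the resolver.c `@@ -552` hunk gained an `interval` parameter but its comment still only says the idle timer is started; add `* 'interval' is the idle timeout to arm: callers pass &fctx->interval for the retry schedule, or a fixed allowance for TCP.` (the TCP case is the one in the resquery_connected hunk that follows). The `@@ -1121` comment now says ".8 seconds", but the value it describes is set outside the hunk — confirm the code and the comment agree.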
@@ -1803,6 +1803,20 @@ resquery_connected(isc_task_t *task, isc_event_t *event) { } else { switch (sevent->result) { case ISC_R_SUCCESS: + + /* + * Extend the idle timer for TCP. 20 seconds + * should be long enough for a TCP connection to be + * established, a single DNS request to be sent, + * and the response received. + */ + isc_interval_set(&interval, 20, 0); + result = fctx_startidletimer(query->fctx, &interval); + if (result != ISC_R_SUCCESS) { + fctx_cancelquery(&query, NULL, NULL, ISC_FALSE); + fctx_done(fctx, result); + break; + } /* * We are connected. Create a dispatcher and * send the query. @@ -1835,8 +1849,7 @@ resquery_connected(isc_task_t *task, isc_event_t *event) { result = resquery_send(query); if (result != ISC_R_SUCCESS) { - fctx_cancelquery(&query, NULL, NULL, - ISC_FALSE); + fctx_cancelquery(&query, NULL, NULL, ISC_FALSE); fctx_done(fctx, result); } break; diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c index 1aa194dc..74a7af32 100644 --- a/lib/dns/tsig.c +++ b/lib/dns/tsig.c @@ -16,7 +16,7 @@ */ /* - * $Id: tsig.c,v 1.135 2008/04/02 02:37:42 marka Exp $ + * $Id: tsig.c,v 1.136 2008/11/04 21:23:14 marka Exp $ */ /*! \file */ #include <config.h> @@ -445,7 +445,6 @@ cleanup_ring(dns_tsig_keyring_t *ring) dns_rbtnodechain_current(&chain, &foundname, origin, &node); tkey = node->data; if (tkey != NULL) { - tsig_log(tkey, 2, "tsig expire: generated=%d, refs=%d, expire=%d)", tkey->generated, isc_refcount_current(&tkey->refs), now - tkey->expire); if (tkey->generated && isc_refcount_current(&tkey->refs) == 1 && tkey->inception != tkey->expire diff --git a/lib/dns/validator.c b/lib/dns/validator.c index cd6de2d3..39c17d57 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.c,v 1.162 2008/09/24 02:46:22 marka Exp $ */ +/* $Id: validator.c,v 1.164 2008/11/14 23:47:33 tbox Exp $ */ #include <config.h> 
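Review bot: The 20-second TCP allowance in the new resquery_connected block is a bare literal in both the code and the comment; a named constant such as `#define TCP_CONNECT_IDLE_TIMEOUT 20 /* seconds */` keeps the two together and makes it easy to find when tuning how long a fetch stays pinned to an unresponsive TCP server. The error branch calls `fctx_done(fctx, result)`; `fctx` is declared at the top of the function (previous hunk) but assigned outside the visible lines, so confirm it is set before this switch. `interval` is only used on this path, so its declaration could move into the case with a brace scope.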
@@ -1544,6 +1544,23 @@ get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) { */ if (dns_rdatatype_atparent(val->event->rdataset->type)) return (DNS_R_CONTINUE); + } else { + /* + * SOA and NS RRsets can only be signed by a key with + * the same name. + */ + if (val->event->rdataset->type == dns_rdatatype_soa || + val->event->rdataset->type == dns_rdatatype_ns) { + const char *typename; + + if (val->event->rdataset->type == dns_rdatatype_soa) + typename = "SOA"; + else + typename = "NS"; + validator_log(val, ISC_LOG_DEBUG(3), + "%s signer mismatch", typename); + return (DNS_R_CONTINUE); + } } /* @@ -2115,6 +2132,10 @@ validatezonekey(dns_validator_t *val) { &sigrdata); result = dns_rdata_tostruct(&sigrdata, &sig, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); + + if (!dns_name_equal(val->event->name, &sig.signer)) + continue; + result = dns_keytable_findkeynode(val->keytable, val->event->name, sig.algorithm, @@ -2355,7 +2376,11 @@ validatezonekey(dns_validator_t *val) { if (ds.key_tag != sig.keyid || ds.algorithm != sig.algorithm) continue; - + if (!dns_name_equal(val->event->name, &sig.signer)) { + validator_log(val, ISC_LOG_DEBUG(3), + "DNSKEY signer mismatch"); + continue; + } dstkey = NULL; result = dns_dnssec_keyfromrdata(val->event->name, &keyrdata, diff --git a/lib/isc/api b/lib/isc/api index 8459d423..2240cdda 100644 --- a/lib/isc/api +++ b/lib/isc/api @@ -1,3 +1,3 @@ LIBINTERFACE = 50 -LIBREVISION = 0 +LIBREVISION = 1 LIBAGE = 0 diff --git a/lib/isc/include/isc/Makefile.in b/lib/isc/include/isc/Makefile.in index ea8e2e48..236865df 100644 --- a/lib/isc/include/isc/Makefile.in +++ b/lib/isc/include/isc/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2001, 2003 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any 
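Review bot: `typename` in the `@@ -1544` block is a C++ keyword; if this file is ever compiled as C++ or fed through a C++-aware tool the declaration breaks, so a neutral name such as `typestr` avoids that. The branch sits in the `else` of a condition outside the hunk, which I take to be the case where the signer is an ancestor rather than the owner; a one-liner, `/* reached only when the signer differs from the owner name */`, would make the "%s signer mismatch" log self-explanatory. get_key begins outside the hunk.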
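Review bot: The two signer checks added to validatezonekey behave differently: `@@ -2115` silently `continue`s on a signer mismatch, while `@@ -2355` first logs "DNSKEY signer mismatch" at DEBUG(3). A skipped self-signature is exactly what an operator chasing a trust-anchor failure needs to see, so the first site should log the same way, `validator_log(val, ISC_LOG_DEBUG(3), "DNSKEY signer mismatch");`, before its `continue`. validatezonekey's loop headers are outside both hunks.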
@@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.62 2007/06/19 23:47:18 tbox Exp $ +# $Id: Makefile.in,v 1.64 2008/11/14 23:47:33 tbox Exp $ srcdir = @srcdir@ VPATH = @srcdir@ @@ -35,7 +35,7 @@ HEADERS = app.h assertions.h base64.h bitstring.h boolean.h buffer.h \ lfsr.h lib.h list.h log.h \ magic.h md5.h mem.h msgcat.h msgs.h \ mutexblock.h netaddr.h ondestroy.h os.h parseint.h \ - print.h quota.h random.h ratelimiter.h \ + print.h quota.h radix.h random.h ratelimiter.h \ refcount.h region.h resource.h \ result.h resultclass.h rwlock.h serial.h sha1.h sha2.h \ sockaddr.h socket.h stdio.h stdlib.h string.h \ diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c index 67f34c8d..98d0ab6e 100644 --- a/lib/isc/unix/socket.c +++ b/lib/isc/unix/socket.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: socket.c,v 1.304 2008/10/17 21:49:23 jinmei Exp $ */ +/* $Id: socket.c,v 1.308 2008/11/20 00:04:17 jinmei Exp $ */ /*! \file */ 
@@ -148,6 +148,35 @@ struct isc_socketwait { #endif /* __APPLE__ */ #endif /* USE_SELECT */ +#ifdef ISC_SOCKET_USE_POLLWATCH +/*% + * If this macro is defined, enable workaround for a Solaris /dev/poll kernel + * bug: DP_POLL ioctl could keep sleeping even if socket I/O is possible for + * some of the specified FD. The idea is based on the observation that it's + * likely for a busy server to keep receiving packets. It specifically works + * as follows: the socket watcher is first initialized with the state of + * "poll_idle". While it's in the idle state it keeps sleeping until a socket + * event occurs. When it wakes up for a socket I/O event, it moves to the + * poll_active state, and sets the poll timeout to a short period + * (ISC_SOCKET_POLLWATCH_TIMEOUT msec). If timeout occurs in this state, the + * watcher goes to the poll_checking state with the same timeout period. + * In this state, the watcher tries to detect whether this is a break + * during intermittent events or the kernel bug is triggered. If the next + * polling reports an event within the short period, the previous timeout is + * likely to be a kernel bug, and so the watcher goes back to the active state. + * Otherwise, it moves to the idle state again. + * + * It's not clear whether this is a thread-related bug, but since we've only + * seen this with threads, this workaround is used only when enabling threads. + */ + +typedef enum { poll_idle, poll_active, poll_checking } pollstate_t; + +#ifndef ISC_SOCKET_POLLWATCH_TIMEOUT +#define ISC_SOCKET_POLLWATCH_TIMEOUT 10 +#endif /* ISC_SOCKET_POLLWATCH_TIMEOUT */ +#endif /* ISC_SOCKET_USE_POLLWATCH */ + /*% * Size of per-FD lock buckets. */ 
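Review bot: The new comment says the /dev/poll workaround "is used only when enabling threads", but the block is guarded by `#ifdef ISC_SOCKET_USE_POLLWATCH` alone, so unless the build only defines that macro for threaded builds nothing in the code enforces the statement. Either a compile-time check, `#if defined(ISC_SOCKET_USE_POLLWATCH) && !defined(ISC_PLATFORM_USETHREADS)` followed by `#error`, or rewording to "is intended for threaded builds" keeps text and code consistent. The state-machine description and the ISC_SOCKET_POLLWATCH_TIMEOUT default are otherwise well documented.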
@@ -464,6 +493,38 @@ socket_log(isc_socket_t *sock, isc_sockaddr_t *address, } } +#if defined(_AIX) && defined(ISC_NET_BSD44MSGHDR) && \ + defined(USE_CMSG) && defined(IPV6_RECVPKTINFO) +/* + * AIX has a kernel bug where IPV6_RECVPKTINFO gets cleared by + * setting IPV6_V6ONLY. + */ +static void +FIX_IPV6_RECVPKTINFO(isc_socket_t *sock) +{ + char strbuf[ISC_STRERRORSIZE]; + int on = 1; + + if (sock->pf != AF_INET6 || sock->type != isc_sockettype_udp) + return; + + if (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_RECVPKTINFO, + (void *)&on, sizeof(on)) < 0) { + + UNEXPECTED_ERROR(__FILE__, __LINE__, + "setsockopt(%d, IPV6_RECVPKTINFO) " + "%s: %s", sock->fd, + isc_msgcat_get(isc_msgcat, + ISC_MSGSET_GENERAL, + ISC_MSG_FAILED, + "failed"), + strbuf); + } +} +#else +#define FIX_IPV6_RECVPKTINFO(sock) (void)0 +#endif + static inline isc_result_t watch_fd(isc_socketmgr_t *manager, int fd, int msg) { isc_result_t result = ISC_R_SUCCESS; @@ -1256,15 +1317,17 @@ dump_msg(struct msghdr *msg) { unsigned int i; printf("MSGHDR %p\n", msg); - printf("\tname %p, namelen %d\n", msg->msg_name, msg->msg_namelen); - printf("\tiov %p, iovlen %d\n", msg->msg_iov, msg->msg_iovlen); + printf("\tname %p, namelen %ld\n", msg->msg_name, + (long) msg->msg_namelen); + printf("\tiov %p, iovlen %ld\n", msg->msg_iov, + (long) msg->msg_iovlen); for (i = 0; i < (unsigned int)msg->msg_iovlen; i++) - printf("\t\t%d\tbase %p, len %d\n", i, + printf("\t\t%d\tbase %p, len %ld\n", i, msg->msg_iov[i].iov_base, - msg->msg_iov[i].iov_len); + (long) msg->msg_iov[i].iov_len); #ifdef ISC_NET_BSD44MSGHDR - printf("\tcontrol %p, controllen %d\n", msg->msg_control, - msg->msg_controllen); + printf("\tcontrol %p, controllen %ld\n", msg->msg_control, + (long) msg->msg_controllen); #endif } #endif @@ -3230,6 +3293,9 @@ watcher(void *uap) { int maxfd; #endif char strbuf[ISC_STRERRORSIZE]; +#ifdef ISC_SOCKET_USE_POLLWATCH + pollstate_t pollstate = poll_idle; +#endif /* * Get the control fd here. This will never change. 
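Review bot: `strbuf` in FIX_IPV6_RECVPKTINFO is passed to UNEXPECTED_ERROR as a "%s" argument but never written, so the log line reads an uninitialised stack array — undefined behaviour and, at best, garbage after "failed:"; the new IPV6_V6ONLY error branch at `@@ -5022` on the next line has the same gap. The file's other error paths presumably fill the buffer from errno first, so add `isc__strerror(errno, strbuf, sizeof(strbuf));` right after the failing setsockopt in both places, before the message is built. The upper-case name also reads as a macro; since it is a real `static void` function, a lower-case name with the no-op macro fallback kept would follow the file's convention.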
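Review bot: `pollstate` in the watcher hunk (`@@ -3230`) is declared under `#ifdef ISC_SOCKET_USE_POLLWATCH` alone, but every use of it on the next line (`@@ -3247`, `@@ -3271`) sits inside USE_DEVPOLL-specific code, so a build that defines POLLWATCH on another backend gets an unused-variable warning. Guarding the declaration with `#if defined(USE_DEVPOLL) && defined(ISC_SOCKET_USE_POLLWATCH)`, as `@@ -3271` already does, makes the three sites consistent. watcher's body continues outside the hunk.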
@@ -3247,7 +3313,14 @@ watcher(void *uap) { #elif defined(USE_DEVPOLL) dvp.dp_fds = manager->events; dvp.dp_nfds = manager->nevents; +#ifndef ISC_SOCKET_USE_POLLWATCH dvp.dp_timeout = -1; +#else + if (pollstate == poll_idle) + dvp.dp_timeout = -1; + else + dvp.dp_timeout = ISC_SOCKET_POLLWATCH_TIMEOUT; +#endif /* ISC_SOCKET_USE_POLLWATCH */ cc = ioctl(manager->devpoll_fd, DP_POLL, &dvp); #elif defined(USE_SELECT) LOCK(&manager->lock); @@ -3271,6 +3344,32 @@ watcher(void *uap) { ISC_MSG_FAILED, "failed"), strbuf); } + +#if defined(USE_DEVPOLL) && defined(ISC_SOCKET_USE_POLLWATCH) + if (cc == 0) { + if (pollstate == poll_active) + pollstate = poll_checking; + else if (pollstate == poll_checking) + pollstate = poll_idle; + } else if (cc > 0) { + if (pollstate == poll_checking) { + /* + * XXX: We'd like to use a more + * verbose log level as it's actually an + * unexpected event, but the kernel bug + * reportedly happens pretty frequently + * (and it can also be a false positive) + * so it would be just too noisy. + */ + manager_log(manager, + ISC_LOGCATEGORY_GENERAL, + ISC_LOGMODULE_SOCKET, + ISC_LOG_DEBUG(1), + "unexpected POLL timeout"); + } + pollstate = poll_active; + } +#endif } while (cc < 0); #if defined(USE_KQUEUE) || defined (USE_EPOLL) || defined (USE_DEVPOLL) @@ -5022,9 +5121,21 @@ isc_socket_ipv6only(isc_socket_t *sock, isc_boolean_t yes) { #ifdef IPV6_V6ONLY if (sock->pf == AF_INET6) { - (void)setsockopt(sock->fd, IPPROTO_IPV6, IPV6_V6ONLY, - (void *)&onoff, sizeof(onoff)); + if (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_V6ONLY, + (void *)&onoff, sizeof(int)) < 0) { + char strbuf[ISC_STRERRORSIZE]; + + UNEXPECTED_ERROR(__FILE__, __LINE__, + "setsockopt(%d, IPV6_V6ONLY) " + "%s: %s", sock->fd, + isc_msgcat_get(isc_msgcat, + ISC_MSGSET_GENERAL, + ISC_MSG_FAILED, + "failed"), + strbuf); + } } + FIX_IPV6_RECVPKTINFO(sock); /* AIX */ #endif } diff --git a/lib/isc/win32/dir.c b/lib/isc/win32/dir.c index 3d0ae609..93cc650e 100644 --- a/lib/isc/win32/dir.c 
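Review bot: The `@@ -5022` hunk changes `sizeof(onoff)` to `sizeof(int)` in the IPV6_V6ONLY setsockopt; if `onoff` is an `int` (declared outside the hunk) the two are equal, but tying the length to the variable is the safer spelling and the new FIX_IPV6_RECVPKTINFO helper uses `sizeof(on)`, so keeping `sizeof(onoff)` makes the two call sites agree. `FIX_IPV6_RECVPKTINFO(sock);` is placed after the `sock->pf == AF_INET6` block rather than inside it, which is fine because the helper re-checks the family, but the `/* AIX */` tag could say what is being repaired: `/* AIX: re-arm IPV6_RECVPKTINFO, which setting IPV6_V6ONLY clears */`.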
+++ b/lib/isc/win32/dir.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2007, 2008 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,15 +15,10 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dir.c,v 1.14 2007/06/19 23:47:19 tbox Exp $ */ +/* $Id: dir.c,v 1.16 2008/11/02 23:47:01 tbox Exp $ */ /* Principal Authors: DCL */ -/* - * isc_dir_chroot is currently stubbed out for Win32 - * This will need to be revisited - */ - #include <config.h> #include <string.h> @@ -242,7 +237,7 @@ isc_dir_chdir(const char *dirname) { isc_result_t isc_dir_chroot(const char *dirname) { - return (ISC_R_SUCCESS); + return (ISC_R_NOTIMPLEMENTED); } isc_result_t @@ -1,4 +1,4 @@ -# $Id: version,v 1.42 2008/10/29 05:04:18 marka Exp $ +# $Id: version,v 1.43 2008/11/16 21:16:48 marka Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. @@ -6,5 +6,5 @@ MAJORVER=9 MINORVER=6 PATCHVER=0 -RELEASETYPE=b +RELEASETYPE=rc RELEASEVER=1 |
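Review bot: isc_dir_chroot on Win32 now returns ISC_R_NOTIMPLEMENTED instead of reporting success, which is the right call — a chroot that silently did nothing gave callers a false sense of confinement — but the only explanation of the stub was the file-header note removed in `@@ -15`. Keep a one-liner on the function itself: `/* chroot is not available on Win32; report that rather than pretending the directory was confined. */`. Callers that relied on the old success value will now see an error, which is worth a release-note mention if not already present.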