Index: head/contrib/bind9/CHANGES =================================================================== --- head/contrib/bind9/CHANGES (revision 205291) +++ head/contrib/bind9/CHANGES (revision 205292) @@ -1,8538 +1,8541 @@ + --- 9.6.2-P1 released --- + +2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619] --- 9.6.2 released --- 2850. [bug] If isc_heap_insert() failed due to memory shortage the heap would have corrupted entries. [RT #20951] 2849. [bug] Don't treat errors from the xml2 library as fatal. [RT #20945] 2846. [bug] EOF on unix domain sockets was not being handled correctly. [RT #20731] 2844. [doc] notify-delay default in ARM was wrong. It should have been five (5) seconds. --- 9.6.2rc1 released --- 2838. [func] Backport support for SHA-2 DNSSEC algorithms, RSASHA256 and RSASHA512, from BIND 9.7. (This incorporates changes 2726 and 2738 from that release branch.) [RT #20871] 2837. [port] Prevent Linux spurious warnings about fwrite(). [RT #20812] 2831. [security] Do not attempt to validate or cache out-of-bailiwick data returned with a secure answer; it must be re-fetched from its original source and validated in that context. [RT #20819] 2828. [security] Cached CNAME or DNAME RR could be returned to clients without DNSSEC validation. [RT #20737] 2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712] 2825. [bug] Changing the setting of OPTOUT in a NSEC3 chain that was in the process of being created was not properly recorded in the zone. [RT #20786] 2823. [bug] rbtdb.c:getsigningtime() was missing locks. [RT #20781] 2819. [cleanup] Removed unnecessary DNS_POINTER_MAXHOPS define [RT #20771] 2818. [cleanup] rndc could return an incorrect error code when a zone was not found. [RT #20767] 2815. [bug] Exclusively lock the task when freezing a zone. [RT #19838] 2814. [func] Provide a definitive error message when a master zone is not loaded. [RT #20757] --- 9.6.2b1 released --- 2797. [bug] Don't decrement the dispatch manager's maxbuffers. [RT #20613] 2790. [bug] Handle DS queries to stub zones. [RT #20440] 2789. [bug] Fixed an INSIST in dispatch.c [RT #20576] 2786. [bug] Additional could be promoted to answer. [RT #20663] 2784. [bug] TC was not always being set when required glue was dropped. [RT #20655] 2783. [func] Return minimal responses to EDNS/UDP queries with a UDP buffer size of 512 or less. [RT #20654] 2782. [port] win32: use getaddrinfo() for hostname lookups. [RT #20650] 2777. [contrib] DLZ MYSQL auto reconnect support discovery was wrong. 2772. [security] When validating, track whether pending data was from the additional section or not and only return it if validates as secure. [RT #20438] 2765. [bug] Skip masters for which the TSIG key cannot be found. [RT #20595] 2760. [cleanup] Corrected named-compilezone usage summary. [RT #20533] 2759. [doc] Add information about .jbk/.jnw files to the ARM. [RT #20303] 2758. [bug] win32: Added a workaround for a windows 2008 bug that could cause the UDP client handler to shut down. [RT #19176] 2757. [bug] dig: assertion failure could occur in connect timeout. [RT #20599] 2755. [doc] Clarify documentation of keyset- files in dnssec-signzone man page. [RT #19810] 2754. [bug] Secure-to-insecure transitions failed when zone was signed with NSEC3. [RT #20587] 2750. [bug] dig: assertion failure could occur when a server didn't have an address. [RT #20579] 2749. [bug] ixfr-from-differences generated a non-minimal ixfr for NSEC3 signed zones. [RT #20452] 2747. [bug] Journal roll forwards failed to set the re-signing time of RRSIGs correctly. [RT #20541] 2743. [bug] RRSIG could be incorrectly set in the NSEC3 record for a insecure delegation. 2729. [func] When constructing a CNAME from a DNAME use the DNAME TTL. [RT #20451] 2723. [bug] isc_base32_totext(), isc_base32hex_totext(), and isc_base64_totext(), didn't always mark regions of memory as fully consumed after conversion. [RT #20445] 2722. [bug] Ensure that the memory associated with the name of a node in a rbt tree is not altered during the life of the node. [RT #20431] 2721. [port] Have dst__entropy_status() prime the random number generator. [RT #20369] 2718. [bug] The space calculations in opensslrsa_todns() were incorrect. [RT #20394] 2716. [bug] nslookup debug mode didn't return the ttl. [RT #20414] 2715. [bug] Require OpenSSL support to be explicitly disabled. [RT #20288] 2714. [port] aix/powerpc: 'asm("ics");' needs non standard assembler flags. 2713. [bug] powerpc: atomic operations missing asm("ics") / __isync() calls. 2706. [bug] Loading a zone with a very large NSEC3 salt could trigger an assert. [RT #20368] 2705. [bug] Reconcile the XML stats version number with a later BIND9 release, by adding a "name" attribute to "cache" elements and increasing the version number to 2.2. (This is a minor version change, but may affect XML parsers if they assume the cache element doesn't take an attribute.) 2704. [bug] Serial of dynamic and stub zones could be inconsistent with their SOA serial. [RT #19387] 2701. [doc] Correction to ARM: hmac-md5 is no longer the only supported TSIG key algorithm. [RT #18046] 2700. [doc] The match-mapped-addresses option is discouraged. [RT #12252] 2699. [bug] Missing lock in rbtdb.c. [RT #20037] 2697. [port] win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and S_IFREG are defined after including . [RT #20309] 2696. [bug] named failed to successfully process some valid acl constructs. [RT #20308] 2692. [port] win32: 32/64 bit cleanups. [RT #20335] 2690. [bug] win32: fix isc_thread_key_getspecific() prototype. [RT #20315] 2689. [bug] Correctly handle snprintf result. [RT #20306] 2688. [bug] Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT, to decide to fetch the destination address. [RT #20305] 2686. [bug] dnssec-signzone should clean the old NSEC chain when signing with NSEC3 and vice versa. [RT #20301] 2683. [bug] dnssec-signzone should clean out old NSEC3 chains when the NSEC3 parameters used to sign the zone change. [RT #20246] 2681. [bug] IPSECKEY RR of gateway type 3 was not correctly decoded. [RT #20269] 2678. [func] Treat DS queries as if "minimal-response yes;" was set. [RT #20258] 2672. [bug] Don't enable searching in 'host' when doing reverse lookups. [RT #20218] 2670. [bug] Unexpected connect failures failed to log enough information to be useful. [RT #20205] 2663. [func] win32: allow named to run as a service using "NT AUTHORITY\LocalService" as the account. [RT #19977] 2662. [bug] lwres_getipnodebyname() and lwres_getipnodebyaddr() returned a misleading error code when lwresd was down. [RT #20028] 2661. [bug] Check whether socket fd exceeds FD_SETSIZE when creating lwres context. [RT #20029] 2659. [doc] Clarify dnssec-keygen doc: key name must match zone name for DNSSEC keys. [RT #19938] 2656. [func] win32: add a "tools only" check box to the installer which causes it to only install dig, host, nslookup, nsupdate and relevant DLLs. [RT #19998] 2655. [doc] Document that key-directory does not affect rndc.key. [RT #20155] 2653. [bug] Treat ENGINE_load_private_key() failures as key not found rather than out of memory. [RT #18033] 2649. [bug] Set the domain for forward only zones. [RT #19944] 2648. [port] win32: isc_time_seconds() was broken. [RT #19900] 2647. [bug] Remove unnecessary SOA updates when a new KSK is added. [RT #19913] 2646. [bug] Incorrect cleanup on error in socket.c. [RT #19987] 2645. [port] "gcc -m32" didn't work on amd64 and x86_64 platforms which default to 64 bits. [RT #19927] 2643. [bug] Stub zones interacted badly with NSEC3 support. [RT #19777] 2642. [bug] nsupdate could dump core on solaris when reading improperly formatted key files. [RT #20015] 2640. [security] A specially crafted update packet will cause named to exit. [RT #20000] 2639. [bug] Silence compiler warnings in gssapi code. [RT #19954] 2637. [func] Rationalize dnssec-signzone's signwithkey() calling. [RT #19959] 2635. [bug] isc_inet_ntop() incorrectly handled 0.0/16 addresses. [RT #19716] 2633. [bug] Handle 15 bit rand() functions. [RT #19783] 2632. [func] util/kit.sh: warn if documentation appears to be out of date. [RT #19922] 2625. [bug] Missing UNLOCK in rbtdb.c. [RT #19865] 2623. [bug] Named started seaches for DS non-optimally. [RT #19915] 2621. [doc] Made copyright boilterplate consistent. [RT #19833] 2920. [bug] Delay thawing the zone until the reload of it has completed successfully. [RT #19750] 2618. [bug] The sdb and sdlz db_interator_seek() methods could loop infinitely. [RT #19847] 2617. [bug] ifconfig.sh failed to emit an error message when run from the wrong location. [RT #19375] 2616. [bug] 'host' used the nameservers from resolv.conf even when a explicit nameserver was specified. [RT #19852] 2615. [bug] "__attribute__((unused))" was in the wrong place for ia64 gcc builds. [RT #19854] 2614. [port] win32: 'named -v' should automatically be executed in the foreground. [RT #19844] 2613. [bug] Option argument validation was missing for dnssec-dsfromkey. [RT #19828] 2610. [port] sunos: Change #2363 was not complete. [RT #19796] 2608. [func] Perform post signing verification checks in dnssec-signzone. These can be disabled with -P. The post sign verification test ensures that for each algorithm in use there is at least one non revoked self signed KSK key. That all revoked KSK keys are self signed. That all records in the zone are signed by the algorithm. [RT #19653] 2601. [doc] Mention file creation mode mask in the named manual page. 2593. [bug] Improve a corner source of SERVFAILs [RT #19632] 2589. [bug] dns_db_unregister() failed to clear '*dbimp'. [RT #19626] 2581. [contrib] dlz/mysql set MYSQL_OPT_RECONNECT option on connection. Requires MySQL 5.0.19 or later. [RT #19084] 2580. [bug] UpdateRej statistics counter could be incremented twice for one rejection. [RT #19476] 2533. [doc] ARM: document @ (at-sign). [RT #17144] 2500. [contrib] contrib/sdb/pgsql/zonetodb.c called non-existent function. [RT #18582] --- 9.6.1 released --- 2607. [bug] named could incorrectly delete NSEC3 records for empty nodes when processing a update request. [RT #19749] 2606. [bug] "delegation-only" was not being accepted in delegation-only type zones. [RT #19717] 2605. [bug] Accept DS responses from delegation only zones. [RT # 19296] 2603. [port] win32: handle .exe extension of named-checkzone and named-comilezone argv[0] names under windows. [RT #19767] 2602. [port] win32: fix debugging command line build of libisccfg. [RT #19767] --- 9.6.1rc1 released --- 2599. [bug] Address rapid memory growth when validation fails. [RT #19654] 2597. [bug] Handle a validation failure with a insecure delegation from a NSEC3 signed master/slave zone. [RT #19464] 2596. [bug] Stale tree nodes of cache/dynamic rbtdb could stay long, leading to inefficient memory usage or rejecting newer cache entries in the worst case. [RT #19563] 2595. [bug] Fix unknown extended rcodes in dig. [RT #19625] 2592. [bug] Treat "any" as a type in nsupdate. [RT #19455] 2591. [bug] named could die when processing a update in removed_orphaned_ds(). [RT #19507] 2588. [bug] SO_REUSEADDR could be set unconditionally after failure of bind(2) call. This should be rare and mostly harmless, but may cause interference with other processes that happen to use the same port. [RT #19642] 2586. [bug] Missing cleanup of SIG rdataset in searching a DLZ DB or SDB. [RT #19577] 2585. [bug] Uninitialized socket name could be referenced via a statistics channel, triggering an assertion failure in XML rendering. [RT #19427] 2584. [bug] alpha: gcc optimization could break atomic operations. [RT #19227] 2583. [port] netbsd: provide a control to not add the compile date to the version string, -DNO_VERSION_DATE. 2582. [bug] Don't emit warning log message when we attempt to remove non-existent journal. [RT #19516] 2579. [bug] DNSSEC lookaside validation failed to handle unknown algorithms. [RT #19479] 2578. [bug] Changed default sig-signing-type to 65534, because 65535 turns out to be reserved. [RT #19477] 2499. [port] solaris: lib/lwres/getaddrinfo.c namespace clash. [RT #18837] --- 9.6.1b1 released --- 2577. [doc] Clarified some statistics counters. [RT #19454] 2576. [bug] NSEC record were not being correctly signed when a zone transitions from insecure to secure. Handle such incorrectly signed zones. [RT #19114] 2574. [doc] Document nsupdate -g and -o. [RT #19351] 2573. [bug] Replacing a non-CNAME record with a CNAME record in a single transaction in a signed zone failed. [RT #19397] 2568. [bug] Report when the write to indicate a otherwise successful start fails. [RT #19360] 2567. [bug] dst__privstruct_writefile() could miss write errors. write_public_key() could miss write errors. dnssec-dsfromkey could miss write errors. [RT #19360] 2564. [bug] Only take EDNS fallback steps when processing timeouts. [RT #19405] 2563. [bug] Dig could leak a socket causing it to wait forever to exit. [RT #19359] 2562. [doc] ARM: miscellaneous improvements, reorganization, and some new content. 2561. [doc] Add isc-config.sh(1) man page. [RT #16378] 2560. [bug] Add #include to iptable.c. [RT #18258] 2559. [bug] dnssec-dsfromkey could compute bad DS records when reading from a K* files. [RT #19357] 2557. [cleanup] PCI compliance: * new libisc log module file * isc_dir_chroot() now also changes the working directory to "/". * additional INSISTs * additional logging when files can't be removed. 2556. [port] Solaris: mkdir(2) on tmpfs filesystems does not do the error checks in the correct order resulting in the wrong error code sometimes being returned. [RT #19249] 2554. [bug] Validation of uppercase queries from NSEC3 zones could fail. [RT #19297] 2553. [bug] Reference leak on DNSSEC validation errors. [RT #19291] 2552. [bug] zero-no-soa-ttl-cache was not being honoured. [RT #19340] 2551. [bug] Potential Reference leak on return. [RT #19341] 2550. [bug] Check --with-openssl= finds . [RT #19343] 2549. [port] linux: define NR_OPEN if not currently defined. [RT #19344] 2548. [bug] Install iterated_hash.h. [RT #19335] 2547. [bug] openssl_link.c:mem_realloc() could reference an out-of-range area of the source buffer. New public function isc_mem_reallocate() was introduced to address this bug. [RT #19313] 2545. [doc] ARM: Legal hostname checking (check-names) is for SRV RDATA too. [RT #19304] 2544. [cleanup] Removed unused structure members in adb.c. [RT #19225] 2543. [contrib] Update contrib/zkt to version 0.98. [RT #19113] 2542. [doc] Update the description of dig +adflag. [RT #19290] 2541. [bug] Conditionally update dispatch manager statistics. [RT #19247] 2539. [security] Update the interaction between recursion, allow-query, allow-query-cache and allow-recursion. [RT #19198] 2538. [bug] cache/ADB memory could grow over max-cache-size, especially with threads and smaller max-cache-size values. [RT #19240] 2537. [experimental] Added more statistics counters including those on socket I/O events and query RTT histograms. [RT #18802] 2536. [cleanup] Silence some warnings when -Werror=format-security is specified. [RT #19083] 2535. [bug] dig +showsearch and +trace interacted badly. [RT #19091] 2532. [bug] dig: check the question section of the response to see if it matches the asked question. [RT #18495] 2531. [bug] Change #2207 was incomplete. [RT #19098] 2530. [bug] named failed to reject insecure to secure transitions via UPDATE. [RT #19101] 2529. [cleanup] Upgrade libtool to silence complaints from recent version of autoconf. [RT #18657] 2528. [cleanup] Silence spurious configure warning about --datarootdir [RT #19096] 2527. [bug] named could reuse cache on reload with enabling/disabling validation. [RT #19119] 2525. [experimental] New logging category "query-errors" to provide detailed internal information about query failures, especially about server failures. [RT #19027] 2524. [port] sunos: dnssec-signzone needs strtoul(). [RT #19129] 2523. [bug] Random type rdata freed by dns_nsec_typepresent(). [RT #19112] 2522. [security] Handle -1 from DSA_do_verify() and EVP_VerifyFinal(). 2521. [bug] Improve epoll cross compilation support. [RT #19047] 2519. [bug] dig/host with -4 or -6 didn't work if more than two nameserver addresses of the excluded address family preceded in resolv.conf. [RT #19081] 2517. [bug] dig +trace with -4 or -6 failed when it chose a nameserver address of the excluded address type. [RT #18843] 2516. [bug] glue sort for responses was performed even when not needed. [RT #19039] 2514. [bug] dig/host failed with -4 or -6 when resolv.conf contains a nameserver of the excluded address family. [RT #18848] 2511. [cleanup] dns_rdata_tofmttext() add const to linebreak. [RT #18885] 2506. [port] solaris: Check at configure time if hack_shutup_pthreadonceinit is needed. [RT #19037] 2505. [port] Treat amd64 similarly to x86_64 when determining atomic operation support. [RT #19031] 2503. [port] linux: improve compatibility with Linux Standard Base. [RT #18793] 2502. [cleanup] isc_radix: Improve compliance with coding style, document function in . [RT #18534] --- 9.6.0 released --- 2520. [bug] Update xml statistics version number to 2.0 as change #2388 made the schema incompatible to the previous version. [RT #19080] --- 9.6.0rc2 released --- 2515. [port] win32: build dnssec-dsfromkey and dnssec-keyfromlabel. [RT #19063] 2513. [bug] Fix windows cli build. [RT #19062] 2510. [bug] "dig +sigchase" could trigger REQUIRE failures. [RT #19033] 2509. [bug] Specifying a fixed query source port was broken. [RT #19051] 2504. [bug] Address race condition in the socket code. [RT #18899] --- 9.6.0rc1 released --- 2498. [bug] Removed a bogus function argument used with ISC_SOCKET_USE_POLLWATCH: it could cause compiler warning or crash named with the debug 1 level of logging. [RT #18917] 2497. [bug] Don't add RRSIG bit to NSEC3 bit map for insecure delegation. 2496. [bug] Add sanity length checks to NSID option. [RT #18813] 2495. [bug] Tighten RRSIG checks. [RT #18795] 2494. [bug] isc/radix.h, dns/sdlz.h and dns/dlz.h were not being installed. [RT #18826] 2493. [bug] The linux capabilities code was not correctly cleaning up after itself. [RT #18767] 2492. [func] Rndc status now reports the number of cpus discovered and the number of worker threads when running multi-threaded. [RT #18273] 2491. [func] Attempt to re-use a local port if we are already using the port. [RT #18548] 2490. [port] aix: work around a kernel bug where IPV6_RECVPKTINFO is cleared when IPV6_V6ONLY is set. [RT #18785] 2489. [port] solaris: Workaround Solaris's kernel bug about /dev/poll: http://bugs.opensolaris.org/view_bug.do?bug_id=6724237 Define ISC_SOCKET_USE_POLLWATCH at build time to enable this workaround. [RT #18870] 2488. [func] Added a tool, dnssec-dsfromkey, to generate DS records from keyset and .key files. [RT #18694] 2487. [bug] Give TCP connections longer to complete. [RT #18675] 2486. [func] The default locations for named.pid and lwresd.pid are now /var/run/named/named.pid and /var/run/lwresd/lwresd.pid respectively. This allows the owner of the containing directory to be set, for "named -u" support, and allows there to be a permanent symbolic link in the path, for "named -t" support. [RT #18306] 2485. [bug] Change update's the handling of obscured RRSIG records. Not all orphaned DS records were being removed. [RT #18828] 2484. [bug] It was possible to trigger a REQUIRE failure when adding NSEC3 proofs to the response in query_addwildcardproof(). [RT #18828] 2483. [port] win32: chroot() is not supported. [RT #18805] 2482. [port] libxml2: support versions 2.7.* in addition to 2.6.*. [RT #18806] --- 9.6.0b1 released --- 2481. [bug] rbtdb.c:matchparams() failed to handle NSEC3 chain collisions. [RT #18812] 2480. [bug] named could fail to emit all the required NSEC3 records. [RT #18812] 2479. [bug] xfrout:covers was not properly initialized. [RT #18801] 2478. [bug] 'addresses' could be used uninitialized in configure_forward(). [RT #18800] 2477. [bug] dig: the global option to print the command line is +cmd not print_cmd. Update the output to reflect this. [RT #17008] 2476. [doc] ARM: improve documentation for max-journal-size and ixfr-from-differences. [RT #15909] [RT #18541] 2475. [bug] LRU cache cleanup under overmem condition could purge particular entries more aggressively. [RT #17628] 2474. [bug] ACL structures could be allocated with insufficient space, causing an array overrun. [RT #18765] 2473. [port] linux: raise the limit on open files to the possible maximum value before spawning threads; 'files' specified in named.conf doesn't seem to work with threads as expected. [RT #18784] 2472. [port] linux: check the number of available cpu's before calling chroot as it depends on "/proc". [RT #16923] 2471. [bug] named-checkzone was not reporting missing mandatory glue when sibling checks were disabled. [RT #18768] 2470. [bug] Elements of the isc_radix_node_t could be incorrectly overwritten. [RT# 18719] 2469. [port] solaris: Work around Solaris's select() limitations. [RT #18769] 2468. [bug] Resolver could try unreachable servers multiple times. [RT #18739] 2467. [bug] Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740] 2466. [doc] ARM: explain max-cache-ttl 0 SERVFAIL issue. [RT #18302] 2465. [bug] Adb's handling of lame addresses was different for IPv4 and IPv6. [RT #18738] 2464. [port] linux: check that a capability is present before trying to set it. [RT #18135] 2463. [port] linux: POSIX doesn't include the IPv6 Advanced Socket API and glibc hides parts of the IPv6 Advanced Socket API as a result. This is stupid as it breaks how the two halves (Basic and Advanced) of the IPv6 Socket API were designed to be used but we have to live with it. Define _GNU_SOURCE to pull in the IPv6 Advanced Socket API. [RT #18388] 2462. [doc] Document -m (enable memory usage debugging) option for dig. [RT #18757] 2461. [port] sunos: Change #2363 was not complete. [RT #17513] --- 9.6.0a1 released --- 2460. [bug] Don't call dns_db_getnsec3parameters() on the cache. [RT #18697] 2459. [contrib] Import dnssec-zkt to contrib/zkt. [RT #18448] 2458. [doc] ARM: update and correction for max-cache-size. [RT #18294] 2457. [tuning] max-cache-size is reverted to 0, the previous default. It should be safe because expired cache entries are also purged. [RT #18684] 2456. [bug] In ACLs, ::/0 and 0.0.0.0/0 would both match any address, regardless of family. They now correctly distinguish IPv4 from IPv6. [RT #18559] 2455. [bug] Stop metadata being transferred via axfr/ixfr. [RT #18639] 2454. [func] nsupdate: you can now set a default ttl. [RT #18317] 2453. [bug] Remove NULL pointer dereference in dns_journal_print(). [RT #18316] 2452. [func] Improve bin/test/journalprint. [RT #18316] 2451. [port] solaris: handle runtime linking better. [RT #18356] 2450. [doc] Fix lwresd docbook problem for manual page. [RT #18672] 2449. [placeholder] 2448. [func] Add NSEC3 support. [RT #15452] 2447. [cleanup] libbind has been split out as a separate product. 2446. [func] Add a new log message about build options on startup. A new command-line option '-V' for named is also provided to show this information. [RT# 18645] 2445. [doc] ARM out-of-date on empty reverse zones (list includes RFC1918 address, but these are not yet compiled in). [RT #18578] 2444. [port] Linux, FreeBSD, AIX: Turn off path mtu discovery (clear DF) for UDP responses and requests. 2443. [bug] win32: UDP connect() would not generate an event, and so connected UDP sockets would never clean up. Fix this by doing an immediate WSAConnect() rather than an io completion port type for UDP. 2442. [bug] A lock could be destroyed twice. [RT# 18626] 2441. [bug] isc_radix_insert() could copy radix tree nodes incompletely. [RT #18573] 2440. [bug] named-checkconf used an incorrect test to determine if an ACL was set to none. 2439. [bug] Potential NULL dereference in dns_acl_isanyornone(). [RT #18559] 2438. [bug] Timeouts could be logged incorrectly under win32. 2437. [bug] Sockets could be closed too early, leading to inconsistent states in the socket module. [RT #18298] 2436. [security] win32: UDP client handler can be shutdown. [RT #18576] 2435. [bug] Fixed an ACL memory leak affecting win32. 2434. [bug] Fixed a minor error-reporting bug in lib/isc/win32/socket.c. 2433. [tuning] Set initial timeout to 800ms. 2432. [bug] More Windows socket handling improvements. Stop using I/O events and use IO Completion Ports throughout. Rewrite the receive path logic to make it easier to support multiple simultaneous requesters in the future. Add stricter consistency checking as a compile-time option (define ISC_SOCKET_CONSISTENCY_CHECKS; defaults to off). 2431. [bug] Acl processing could leak memory. [RT #18323] 2430. [bug] win32: isc_interval_set() could round down to zero if the input was less than NS_INTERVAL nanoseconds. Round up instead. [RT #18549] 2429. [doc] nsupdate should be in section 1 of the man pages. [RT #18283] 2428. [bug] dns_iptable_merge() mishandled merges of negative tables. [RT #18409] 2427. [func] Treat DNSKEY queries as if "minimal-response yes;" was set. [RT #18528] 2426. [bug] libbind: inet_net_pton() can sometimes return the wrong value if excessively large net masks are supplied. [RT #18512] 2425. [bug] named didn't detect unavailable query source addresses at load time. [RT #18536] 2424. [port] configure now probes for a working epoll implementation. Allow the use of kqueue, epoll and /dev/poll to be selected at compile time. [RT #18277] 2423. [security] Randomize server selection on queries, so as to make forgery a little more difficult. Instead of always preferring the server with the lowest RTT, pick a server with RTT within the same 128 millisecond band. [RT #18441] 2422. [bug] Handle the special return value of a empty node as if it was a NXRRSET in the validator. [RT #18447] 2421. [func] Add new command line option '-S' for named to specify the max number of sockets. [RT #18493] Use caution: this option may not work for some operating systems without rebuilding named. 2420. [bug] Windows socket handling cleanup. Let the io completion event send out canceled read/write done events, which keeps us from writing to memory we no longer have ownership of. Add debugging socket_log() function. Rework TCP socket handling to not leak sockets. 2419. [cleanup] Document that isc_socket_create() and isc_socket_open() should not be used for isc_sockettype_fdwatch sockets. [RT #18521] 2418. [bug] AXFR request on a DLZ could trigger a REQUIRE failure [RT #18430] 2417. [bug] Connecting UDP sockets for outgoing queries could unexpectedly fail with an 'address already in use' error. [RT #18411] 2416. [func] Log file descriptors that cause exceeding the internal maximum. [RT #18460] 2415. [bug] 'rndc dumpdb' could trigger various assertion failures in rbtdb.c. [RT #18455] 2414. [bug] A masterdump context held the database lock too long, causing various troubles such as dead lock and recursive lock acquisition. [RT #18311, #18456] 2413. [bug] Fixed an unreachable code path in socket.c. [RT #18442] 2412. [bug] win32: address a resource leak. [RT #18374] 2411. [bug] Allow using a larger number of sockets than FD_SETSIZE for select(). To enable this, set ISC_SOCKET_MAXSOCKETS at compilation time. [RT #18433] Note: with changes #2469 and #2421 above, there is no need to tweak ISC_SOCKET_MAXSOCKETS at compilation time any more. 2410. [bug] Correctly delete m_versionInfo. [RT #18432] 2409. [bug] Only log that we disabled EDNS processing if we were subsequently successful. [RT #18029] 2408. [bug] A duplicate TCP dispatch event could be sent, which could then trigger an assertion failure in resquery_response(). [RT #18275] 2407. [port] hpux: test for sys/dyntune.h. [RT #18421] 2406. [placeholder] 2405. [cleanup] The default value for dnssec-validation was changed to "yes" in 9.5.0-P1 and all subsequent releases; this was inadvertently omitted from CHANGES at the time. 2404. [port] hpux: files unlimited support. 2403. [bug] TSIG context leak. [RT #18341] 2402. [port] Support Solaris 2.11 and over. [RT #18362] 2401. [bug] Expect to get E[MN]FILE errno internal_accept() (from accept() or fcntl() system calls). [RT #18358] 2400. [bug] Log if kqueue()/epoll_create()/open(/dev/poll) fails. [RT #18297] 2399. [placeholder] 2398. [bug] Improve file descriptor management. New, temporary, named.conf option reserved-sockets, default 512. [RT #18344] 2397. [bug] gssapi_functions had too many elements. [RT #18355] 2396. [bug] Don't set SO_REUSEADDR for randomized ports. [RT #18336] 2395. [port] Avoid warning and no effect from "files unlimited" on Linux when running as root. [RT #18335] 2394. [bug] Default configuration options set the limit for open files to 'unlimited' as described in the documentation. [RT #18331] 2393. [bug] nested acls containing keys could trigger an assertion in acl.c. [RT #18166] 2392. [bug] remove 'grep -q' from acl test script, some platforms don't support it. [RT #18253] 2391. [port] hpux: cover additional recvmsg() error codes. [RT #18301] 2390. [bug] dispatch.c could make a false warning on 'odd socket'. [RT #18301]. 2389. [bug] Move the "working directory writable" check to after the ns_os_changeuser() call. [RT #18326] 2388. [bug] Avoid using tables for layout purposes in statistics XSL [RT #18159]. 2387. [bug] Silence compiler warnings in lib/isc/radix.c. [RT #18147] [RT #18258] 2386. [func] Add warning about too small 'open files' limit. [RT #18269] 2385. [bug] A condition variable in socket.c could leak in rare error handling [RT #17968]. 2384. [security] Fully randomize UDP query ports to improve forgery resilience. [RT #17949, #18098] 2383. [bug] named could double queries when they resulted in SERVFAIL due to overkilling EDNS0 failure detection. [RT #18182] 2382. [doc] Add descriptions of DHCID, IPSECKEY, SPF and SSHFP to ARM. 2381. [port] dlz/mysql: support multiple install layouts for mysql. /include/{,mysql/}mysql.h and /lib/{,mysql/}. [RT #18152] 2380. [bug] dns_view_find() was not returning NXDOMAIN/NXRRSET proofs which, in turn, caused validation failures for insecure zones immediately below a secure zone the server was authoritative for. [RT #18112] 2379. [contrib] queryperf/gen-data-queryperf.py: removed redundant TLDs and supported RRs with TTLs [RT #17972] 2378. [bug] gssapi_functions{} had a redundant member in BIND 9.5. [RT #18169] 2377. [bug] Address race condition in dnssec-signzone. [RT #18142] 2376. [bug] Change #2144 was not complete. 2375. [placeholder] 2374. [bug] "blackhole" ACLs could cause named to segfault due to some uninitialized memory. [RT #18095] 2373. [bug] Default values of zone ACLs were re-parsed each time a new zone was configured, causing an overconsumption of memory. [RT #18092] 2372. [bug] Fixed incorrect TAG_HMACSHA256_BITS value [RT #18047] 2371. [doc] Add +nsid option to dig man page. [RT #18039] 2370. [bug] "rndc freeze" could trigger an assertion in named when called on a nonexistent zone. [RT #18050] 2369. [bug] libbind: Array bounds overrun on read in bitncmp(). [RT #18054] 2368. [port] Linux: use libcap for capability management if possible. [RT# 18026] 2367. [bug] Improve counting of dns_resstatscounter_retry [RT #18030] 2366. [bug] Adb shutdown race. [RT #18021] 2365. [bug] Fix a bug that caused dns_acl_isany() to return spurious results. [RT #18000] 2364. [bug] named could trigger a assertion when serving a malformed signed zone. [RT #17828] 2363. [port] sunos: pre-set "lt_cv_sys_max_cmd_len=4096;". [RT #17513] 2362. [cleanup] Make "rrset-order fixed" a compile-time option. settable by "./configure --enable-fixed-rrset". Disabled by default. [RT #17977] 2361. [bug] "recursion" statistics counter could be counted multiple times for a single query. [RT #17990] 2360. [bug] Fix a condition where we release a database version (which may acquire a lock) while holding the lock. 2359. [bug] Fix NSID bug. [RT #17942] 2358. [doc] Update host's default query description. [RT #17934] 2357. [port] Don't use OpenSSL's engine support in versions before OpenSSL 0.9.7f. [RT #17922] 2356. [bug] Built in mutex profiler was not scalable enough. [RT #17436] 2355. [func] Extend the number statistics counters available. [RT #17590] 2354. [bug] Failed to initialize some rdatasetheader_t elements. [RT #17927] 2353. [func] Add support for Name Server ID (RFC 5001). 'dig +nsid' requests NSID from server. 'request-nsid yes;' causes recursive server to send NSID requests to upstream servers. Server responds to NSID requests with the string configured by 'server-id' option. [RT #17091] 2352. [bug] Various GSS_API fixups. [RT #17729] 2351. [bug] convertxsl.pl generated very long lines. [RT #17906] 2350. [port] win32: IPv6 support. [RT #17797] 2349. [func] Provide incremental re-signing support for secure dynamic zones. [RT #1091] 2348. [func] Use the EVP interface to OpenSSL. Add PKCS#11 support. Documentation is in the new README.pkcs11 file. New tool, dnssec-keyfromlabel, which takes the label of a key pair in a HSM and constructs a DNS key pair for use by named and dnssec-signzone. [RT #16844] 2347. [bug] Delete now traverses the RB tree in the canonical order. [RT #17451] 2346. [func] Memory statistics now cover all active memory contexts in increased detail. [RT #17580] 2345. [bug] named-checkconf failed to detect when forwarders were set at both the options/view level and in a root zone. [RT #17671] 2344. [bug] Improve "logging{ file ...; };" documentation. [RT #17888] 2343. [bug] (Seemingly) duplicate IPv6 entries could be created in ADB. [RT #17837] 2342. [func] Use getifaddrs() if available under Linux. [RT #17224] 2341. [bug] libbind: add missing -I../include for off source tree builds. [RT #17606] 2340. [port] openbsd: interface configuration. [RT #17700] 2339. [port] tru64: support for libbind. [RT #17589] 2338. [bug] check_ds() could be called with a non DS rdataset. [RT #17598] 2337. [bug] BUILD_LDFLAGS was not being correctly set. [RT #17614] 2336. [func] If "named -6" is specified then listen on all IPv6 interfaces if there are not listen-on-v6 clauses in named.conf. [RT #17581] 2335. [port] sunos: libbind and *printf() support for long long. [RT #17513] 2334. [bug] Bad REQUIRES in fromstruct_in_naptr(), off by one bug in fromstruct_txt(). [RT #17609] 2333. [bug] Fix off by one error in isc_time_nowplusinterval(). [RT #17608] 2332. [contrib] query-loc-0.4.0. [RT #17602] 2331. [bug] Failure to regenerate any signatures was not being reported nor being past back to the UPDATE client. [RT #17570] 2330. [bug] Remove potential race condition when handling over memory events. [RT #17572] WARNING: API CHANGE: over memory callback function now needs to call isc_mem_waterack(). See for details. 2329. [bug] Clearer help text for dig's '-x' and '-i' options. 2328. [maint] Add AAAA addresses for A.ROOT-SERVERS.NET, F.ROOT-SERVERS.NET, H.ROOT-SERVERS.NET, J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and M.ROOT-SERVERS.NET. 2327. [bug] It was possible to dereference a NULL pointer in rbtdb.c. Implement dead node processing in zones as we do for caches. [RT #17312] 2326. [bug] It was possible to trigger a INSIST in the acache processing. 2325. [port] Linux: use capset() function if available. [RT #17557] 2324. [bug] Fix IPv6 matching against "any;". [RT #17533] 2323. [port] tru64: namespace clash. [RT #17547] 2322. [port] MacOS: work around the limitation of setrlimit() for RLIMIT_NOFILE. [RT #17526] 2321. [placeholder] 2320. [func] Make statistics counters thread-safe for platforms that support certain atomic operations. [RT #17466] 2319. [bug] Silence Coverity warnings in lib/dns/rdata/in_1/apl_42.c. [RT #17469] 2318. [port] sunos fixes for libbind. [RT #17514] 2317. [bug] "make distclean" removed bind9.xsl.h. [RT #17518] 2316. [port] Missing #include in lib/dns/gssapictx.c. [RT #17513] 2315. [bug] Used incorrect address family for mapped IPv4 addresses in acl.c. [RT #17519] 2314. [bug] Uninitialized memory use on error path in bin/named/lwdnoop.c. [RT #17476] 2313. [cleanup] Silence Coverity warnings. Handle private stacks. [RT #17447] [RT #17478] 2312. [cleanup] Silence Coverity warning in lib/isc/unix/socket.c. [RT #17458] 2311. [bug] IPv6 addresses could match IPv4 ACL entries and vice versa. [RT #17462] 2310. [bug] dig, host, nslookup: flush stdout before emitting debug/fatal messages. [RT #17501] 2309. [cleanup] Fix Coverity warnings in lib/dns/acl.c and iptable.c. [RT #17455] 2308. [cleanup] Silence Coverity warning in bin/named/controlconf.c. [RT #17495] 2307. [bug] Remove infinite loop from lib/dns/sdb.c. [RT #17496] 2306. [bug] Remove potential race from lib/dns/resolver.c. [RT #17470] 2305. [security] inet_network() buffer overflow. CVE-2008-0122. 2304. [bug] Check returns from all dns_rdata_tostruct() calls. [RT #17460] 2303. [bug] Remove unnecessary code from bin/named/lwdgnba.c. [RT #17471] 2302. [bug] Fix memset() calls in lib/tests/t_api.c. [RT #17472] 2301. [bug] Remove resource leak and fix error messages in bin/tests/system/lwresd/lwtest.c. [RT #17474] 2300. [bug] Fixed failure to close open file in bin/tests/names/t_names.c. [RT #17473] 2299. [bug] Remove unnecessary NULL check in bin/nsupdate/nsupdate.c. [RT #17475] 2298. [bug] isc_mutex_lock() failure not caught in bin/tests/timers/t_timers.c. [RT #17468] 2297. [bug] isc_entropy_createfilesource() failure not caught in bin/tests/dst/t_dst.c. [RT #17467] 2296. [port] Allow docbook stylesheet location to be specified to configure. [RT #17457] 2295. [bug] Silence static overrun error in bin/named/lwaddr.c. [RT #17459] 2294. [func] Allow the experimental statistics channels to have multiple connections and ACL. Note: the stats-server and stats-server-v6 options available in the previous beta releases are replaced with the generic statistics-channels statement. 2293. [func] Add ACL regression test. [RT #17375] 2292. [bug] Log if the working directory is not writable. [RT #17312] 2291. [bug] PR_SET_DUMPABLE may be set too late. Also report failure to set PR_SET_DUMPABLE. [RT #17312] 2290. [bug] Let AD in the query signal that the client wants AD set in the response. [RT #17301] 2289. [func] named-checkzone now reports the out-of-zone CNAME found. [RT #17309] 2288. [port] win32: mark service as running when we have finished loading. [RT #17441] 2287. [bug] Use 'volatile' if the compiler supports it. [RT #17413] 2286. [func] Allow a TCP connection to be used as a weak authentication method for reverse zones. New update-policy methods tcp-self and 6to4-self. [RT #17378] 2285. [func] Test framework for client memory context management. [RT #17377] 2284. [bug] Memory leak in UPDATE prerequisite processing. [RT #17377] 2283. [bug] TSIG keys were not attaching to the memory context. TSIG keys should use the rings memory context rather than the clients memory context. [RT #17377] 2282. [bug] Acl code fixups. [RT #17346] [RT #17374] 2281. [bug] Attempts to use undefined acls were not being logged. [RT #17307] 2280. [func] Allow the experimental http server to be reached over IPv6 as well as IPv4. [RT #17332] 2279. [bug] Use setsockopt(SO_NOSIGPIPE), when available, to protect applications from receiving spurious SIGPIPE signals when using the resolver. 2278. [bug] win32: handle the case where Windows returns no search list or DNS suffix. [RT #17354] 2277. [bug] Empty zone names were not correctly being caught at in the post parse checks. [RT #17357] 2276. [bug] Install . [RT# 17359] 2275. [func] Add support to dig to perform IXFR queries over UDP. [RT #17235] 2274. [func] Log zone transfer statistics. [RT #17336] 2273. [bug] Adjust log level to WARNING when saving inconsistent stub/slave master and journal files. [RT# 17279] 2272. [bug] Handle illegal dnssec-lookaside trust-anchor names. [RT #17262] 2271. [bug] Fix a memory leak in http server code [RT #17100] 2270. [bug] dns_db_closeversion() version->writer could be reset before it is tested. [RT #17290] 2269. [contrib] dbus memory leaks and missing va_end calls. [RT #17232] 2268. [bug] 0.IN-ADDR.ARPA was missing from the empty zones list. --- 9.5.0b1 released --- 2267. [bug] Radix tree node_num value could be set incorrectly, causing positive ACL matches to look like negative ones. [RT #17311] 2266. [bug] client.c:get_clientmctx() returned the same mctx once the pool of mctx's was filled. [RT #17218] 2265. [bug] Test that the memory context's basic_table is non NULL before freeing. [RT #17265] 2264. [bug] Server prefix length was being ignored. [RT #17308] 2263. [bug] "named-checkconf -z" failed to set default value for "check-integrity". [RT #17306] 2262. [bug] Error status from all but the last view could be lost. [RT #17292] 2261. [bug] Fix memory leak with "any" and "none" ACLs [RT #17272] 2260. [bug] Reported wrong clients-per-query when increasing the value. [RT #17236] 2259. [placeholder] --- 9.5.0a7 released --- 2258. [bug] Fallback from IXFR/TSIG to SOA/AXFR/TSIG broken. [RT #17241] 2257. [bug] win32: Use the full path to vcredist_x86.exe when calling it. [RT #17222] 2256. [bug] win32: Correctly register the installation location of bindevt.dll. [RT #17159] 2255. [maint] L.ROOT-SERVERS.NET is now 199.7.83.42. 2254. [bug] timer.c:dispatch() failed to lock timer->lock when reading timer->idle allowing it to see intermediate values as timer->idle was reset by isc_timer_touch(). [RT #17243] 2253. [func] "max-cache-size" defaults to 32M. "max-acache-size" defaults to 16M. 2252. [bug] Fixed errors in sortlist code [RT #17216] 2251. [placeholder] 2250. [func] New flag 'memstatistics' to state whether the memory statistics file should be written or not. Additionally named's -m option will cause the statistics file to be written. [RT #17113] 2249. [bug] Only set Authentic Data bit if client requested DNSSEC, per RFC 3655 [RT #17175] 2248. [cleanup] Fix several errors reported by Coverity. [RT #17160] 2247. [doc] Sort doc/misc/options. [RT #17067] 2246. [bug] Make the startup of test servers (ans.pl) more robust. [RT #17147] 2245. [bug] Validating lack of DS records at trust anchors wasn't working. [RT #17151] 2244. [func] Allow the check of nameserver names against the SOA MNAME field to be disabled by specifying 'notify-to-soa yes;'. [RT #17073] 2243. [func] Configuration files without a newline at the end now parse without error. [RT #17120] 2242. [bug] nsupdate: GSS-TSIG support using the Heimdal Kerberos library could require a source of random data. [RT #17127] 2241. [func] nsupdate: add a interactive 'help' command. [RT #17099] 2240. [bug] Cleanup nsupdates GSS-TSIG support. Convert a number of INSIST()s into plain fatal() errors which report the triggering result code. The 'key' command wasn't disabling GSS-TSIG. [RT #17099] 2239. [func] Ship a pre built bin/named/bind9.xsl.h. [RT #17114] 2238. [bug] It was possible to trigger a REQUIRE when a validation was canceled. [RT #17106] 2237. [bug] libbind: res_init() was not thread aware. [RT #17123] 2236. [bug] dnssec-signzone failed to preserve the case of of wildcard owner names. [RT #17085] 2235. [bug] was not being installed. [RT #17135] 2234. [port] Correct some compiler warnings on SCO OSr5 [RT #17134] 2233. [func] Add support for O(1) ACL processing, based on radix tree code originally written by Kevin Brintnall. [RT #16288] 2232. [bug] dns_adb_findaddrinfo() could fail and return ISC_R_SUCCESS. [RT #17137] 2231. [bug] Building dlzbdb (contrib/dlz/bin/dlzbdb) was broken. [RT #17088] 2230. [bug] We could INSIST reading a corrupted journal. [RT #17132] 2229. [bug] Null pointer dereference on query pool creation failure. [RT #17133] 2228. [contrib] contrib: Change 2188 was incomplete. 2227. [cleanup] Tidied up the FAQ. [RT #17121] 2226. [placeholder] 2225. [bug] More support for systems with no IPv4 addresses. [RT #17111] 2224. [bug] Defer journal compaction if a xfrin is in progress. [RT #17119] 2223. [bug] Make a new journal when compacting. [RT #17119] 2222. [func] named-checkconf now checks server key references. [RT #17097] 2221. [bug] Set the event result code to reflect the actual record turned to caller when a cache update is rejected due to a more credible answer existing. [RT #17017] 2220. [bug] win32: Address a race condition in final shutdown of the Windows socket code. [RT #17028] 2219. [bug] Apply zone consistency checks to additions, not removals, when updating. [RT #17049] 2218. [bug] Remove unnecessary REQUIRE from dns_validator_create(). [RT #16976] 2217. [func] Adjust update log levels. [RT #17092] 2216. [cleanup] Fix a number of errors reported by Coverity. [RT #17094] 2215. [bug] Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094] 2214. [bug] Deregister OpenSSL lock callback when cleaning up. Reorder OpenSSL cleanup so that RAND_cleanup() is called before the locks are destroyed. [RT #17098] 2213. [bug] SIG0 diagnostic failure messages were looking at the wrong status code. [RT #17101] 2212. [func] 'host -m' now causes memory statistics and active memory to be printed at exit. [RT 17028] 2211. [func] Update "dynamic update temporarily disabled" message. [RT #17065] 2210. [bug] Deleting class specific records via UPDATE could fail. [RT #17074] 2209. [port] osx: linking against user supplied static OpenSSL libraries failed as the system ones were still being found. [RT #17078] 2208. [port] win32: make sure both build methods produce the same output. [RT #17058] 2207. [port] Some implementations of getaddrinfo() fail to set ai_canonname correctly. [RT #17061] --- 9.5.0a6 released --- 2206. [security] "allow-query-cache" and "allow-recursion" now cross inherit from each other. If allow-query-cache is not set in named.conf then allow-recursion is used if set, otherwise allow-query is used if set, otherwise the default (localnets; localhost;) is used. If allow-recursion is not set in named.conf then allow-query-cache is used if set, otherwise allow-query is used if set, otherwise the default (localnets; localhost;) is used. [RT #16987] 2205. [bug] libbind: change #2119 broke thread support. [RT #16982] 2204. [bug] "rndc flushanme name unknown-view" caused named to crash. [RT #16984] 2203. [security] Query id generation was cryptographically weak. [RT # 16915] 2202. [security] The default acls for allow-query-cache and allow-recursion were not being applied. [RT #16960] 2201. [bug] The build failed in a separate object directory. [RT #16943] 2200. [bug] The search for cached NSEC records was stopping to early leading to excessive DLV queries. [RT #16930] 2199. [bug] win32: don't call WSAStartup() while loading dlls. [RT #16911] 2198. [bug] win32: RegCloseKey() could be called when RegOpenKeyEx() failed. [RT #16911] 2197. [bug] Add INSIST to catch negative responses which are not setting the event result code appropriately. [RT #16909] 2196. [port] win32: yield processor while waiting for once to to complete. [RT #16958] 2195. [func] dnssec-keygen now defaults to nametype "ZONE" when generating DNSKEYs. [RT #16954] 2194. [bug] Close journal before calling 'done' in xfrin.c. --- 9.5.0a5 released --- 2193. [port] win32: BINDInstall.exe is now linked statically. [RT #16906] 2192. [port] win32: use vcredist_x86.exe to install Visual Studio's redistributable dlls if building with Visual Stdio 2005 or later. 2191. [func] named-checkzone now allows dumping to stdout (-). named-checkconf now has -h for help. named-checkzone now has -h for help. rndc now has -h for help. Better handling of '-?' for usage summaries. [RT #16707] 2190. [func] Make fallback to plain DNS from EDNS due to timeouts more visible. New logging category "edns-disabled". [RT #16871] 2189. [bug] Handle socket() returning EINTR. [RT #15949] 2188. [contrib] queryperf: autoconf changes to make the search for libresolv or libbind more robust. [RT #16299] 2187. [bug] query_addds(), query_addwildcardproof() and query_addnxrrsetnsec() should take a version argument. [RT #16368] 2186. [port] cygwin: libbind: check for struct sockaddr_storage independently of IPv6. [RT #16482] 2185. [port] sunos: libbind: check for ssize_t, memmove() and memchr(). [RT #16463] 2184. [bug] bind9.xsl.h didn't build out of the source tree. [RT #16830] 2183. [bug] dnssec-signzone didn't handle offline private keys well. [RT #16832] 2182. [bug] dns_dispatch_createtcp() and dispatch_createudp() could return ISC_R_SUCCESS when they ran out of memory. [RT #16365] 2181. [port] sunos: libbind: add paths.h from BIND 8. [RT #16462] 2180. [cleanup] Remove bit test from 'compress_test' as they are no longer needed. [RT #16497] 2179. [func] 'rndc command zone' will now find 'zone' if it is unique to all the views. [RT #16821] 2178. [bug] 'rndc reload' of a slave or stub zone resulted in a reference leak. [RT #16867] 2177. [bug] Array bounds overrun on read (rcodetext) at debug level 10+. [RT #16798] 2176. [contrib] dbus update to handle race condition during initialization (Bugzilla 235809). [RT #16842] 2175. [bug] win32: windows broadcast condition variable support was broken. [RT #16592] 2174. [bug] I/O errors should always be fatal when reading master files. [RT #16825] 2173. [port] win32: When compiling with MSVS 2005 SP1 we also need to ship Microsoft.VC80.MFCLOC. --- 9.5.0a4 released --- 2172. [bug] query_addsoa() was being called with a non zone db. [RT #16834] 2171. [bug] Handle breaks in DNSSEC trust chains where the parent servers are not DS aware (DS queries to the parent return a referral to the child). 2170. [func] Add acache processing to test suite. [RT #16711] 2169. [bug] host, nslookup: when reporting NXDOMAIN report the given name and not the last name searched for. [RT #16763] 2168. [bug] nsupdate: in non-interactive mode treat syntax errors as fatal errors. [RT #16785] 2167. [bug] When re-using a automatic zone named failed to attach it to the new view. [RT #16786] --- 9.5.0a3 released --- 2166. [bug] When running in batch mode, dig could misinterpret a server address as a name to be looked up, causing unexpected output. [RT #16743] 2165. [func] Allow the destination address of a query to determine if we will answer the query or recurse. allow-query-on, allow-recursion-on and allow-query-cache-on. [RT #16291] 2164. [bug] The code to determine how named-checkzone / named-compilezone was called failed under windows. [RT #16764] 2163. [bug] If only one of query-source and query-source-v6 specified a port the query pools code broke (change 2129). [RT #16768] 2162. [func] Allow "rrset-order fixed" to be disabled at compile time. [RT #16665] 2161. [bug] Fix which log messages are emitted for 'rndc flush'. [RT #16698] 2160. [bug] libisc wasn't handling NULL ifa_addr pointers returned from getifaddrs(). [RT #16708] --- 9.5.0a2 released --- 2159. [bug] Array bounds overrun in acache processing. [RT #16710] 2158. [bug] ns_client_isself() failed to initialize key leading to a REQUIRE failure. [RT #16688] 2157. [func] dns_db_transfernode() created. [RT #16685] 2156. [bug] Fix node reference leaks in lookup.c:lookup_find(), resolver.c:validated() and resolver.c:cache_name(). Fix a memory leak in rbtdb.c:free_noqname(). Make lookup.c:lookup_find() robust against event leaks. [RT #16685] 2155. [contrib] SQLite sdb module from jaboydjr@netwalk.com. [RT #16694] 2154. [func] Scoped (e.g. IPv6 link-local) addresses may now be matched in acls by omitting the scope. [RT #16599] 2153. [bug] nsupdate could leak memory. [RT #16691] 2152. [cleanup] Use sizeof(buf) instead of fixed number in dighost.c:get_trusted_key(). [RT #16678] 2151. [bug] Missing newline in usage message for journalprint. [RT #16679] 2150. [bug] 'rrset-order cyclic' uniformly distribute the starting point for the first response for a given RRset. [RT #16655] 2149. [bug] isc_mem_checkdestroyed() failed to abort on if there were still active memory contexts. [RT #16672] 2148. [func] Add positive logging for rndc commands. [RT #14623] 2147. [bug] libbind: remove potential buffer overflow from hmac_link.c. [RT #16437] 2146. [cleanup] Silence Linux's spurious "obsolete setsockopt SO_BSDCOMPAT" message. [RT #16641] 2145. [bug] Check DS/DLV digest lengths for known digests. [RT #16622] 2144. [cleanup] Suppress logging of SERVFAIL from forwarders. [RT #16619] 2143. [bug] We failed to restart the IPv6 client when the kernel failed to return the destination the packet was sent to. [RT #16613] 2142. [bug] Handle master files with a modification time that matches the epoch. [RT# 16612] 2141. [bug] dig/host should not be setting IDN_ASCCHECK (IDN equivalent of LDH checks). [RT #16609] 2140. [bug] libbind: missing unlock on pthread_key_create() failures. [RT #16654] 2139. [bug] dns_view_find() was being called with wrong type in adb.c. [RT #16670] 2138. [bug] Lock order reversal in resolver.c. [RT #16653] 2137. [port] Mips little endian and/or mips 64 bit are now supported for atomic operations. [RT#16648] 2136. [bug] nslookup/host looped if there was no search list and the host didn't exist. [RT #16657] 2135. [bug] Uninitialized rdataset in sdlz.c. [RT# 16656] 2134. [func] Additional statistics support. [RT #16666] 2133. [port] powerpc: Support both IBM and MacOS Power PC assembler syntaxes. [RT #16647] 2132. [bug] Missing unlock on out of memory in dns_dispatchmgr_setudp(). 2131. [contrib] dlz/mysql: AXFR was broken. [RT #16630] 2130. [func] Log if CD or DO were set. [RT #16640] 2129. [func] Provide a pool of UDP sockets for queries to be made over. See use-queryport-pool, queryport-pool-ports and queryport-pool-updateinterval. [RT #16415] 2128. [doc] xsltproc --nonet, update DTD versions. [RT #16635] 2127. [port] Improved OpenSSL 0.9.8 support. [RT #16563] 2126. [security] Serialize validation of type ANY responses. [RT #16555] 2125. [bug] dns_zone_getzeronosoattl() REQUIRE failure if DLZ was defined. [RT #16574] 2124. [security] It was possible to dereference a freed fetch context. [RT #16584] --- 9.5.0a1 released --- 2123. [func] Use Doxygen to generate internal documentation. [RT #11398] 2122. [func] Experimental http server and statistics support for named via xml. 2121. [func] Add a 10 slot dead masters cache (LRU) with a 600 second timeout. [RT #16553] 2120. [doc] Fix markup on nsupdate man page. [RT #16556] 2119. [compat] libbind: allow res_init() to succeed enough to return the default domain even if it was unable to allocate memory. 2118. [bug] Handle response with long chains of domain name compression pointers which point to other compression pointers. [RT #16427] 2117. [bug] DNSSEC fixes: named could fail to cache NSEC records which could lead to validation failures. named didn't handle negative DS responses that were in the process of being validated. Check CNAME bit before accepting NODATA proof. To be able to ignore a child NSEC there must be SOA (and NS) set in the bitmap. [RT #16399] 2116. [bug] 'rndc reload' could cause the cache to continually be cleaned. [RT #16401] 2115. [bug] 'rndc reconfig' could trigger a INSIST if the number of masters for a zone was reduced. [RT #16444] 2114. [bug] dig/host/nslookup: searches for names with multiple labels were failing. [RT #16447] 2113. [bug] nsupdate: if a zone is specified it should be used for server discover. [RT# 16455] 2112. [security] Warn if weak RSA exponent is used. [RT #16460] 2111. [bug] Fix a number of errors reported by Coverity. [RT #16507] 2110. [bug] "minimal-responses yes;" interacted badly with BIND 8 priming queries. [RT #16491] 2109. [port] libbind: silence aix 5.3 compiler warnings. [RT #16502] 2108. [func] DHCID support. [RT #16456] 2107. [bug] dighost.c: more cleanup of buffers. [RT #16499] 2106. [func] 'rndc status' now reports named's version. [RT #16426] 2105. [func] GSS-TSIG support (RFC 3645). 2104. [port] Fix Solaris SMF error message. 2103. [port] Add /usr/sfw to list of locations for OpenSSL under Solaris. 2102. [port] Silence Solaris 10 warnings. 2101. [bug] OpenSSL version checks were not quite right. [RT #16476] 2100. [port] win32: copy libeay32.dll to Build\Debug. Copy Debug\named-checkzone to Debug\named-compilezone. 2099. [port] win32: more manifest issues. 2098. [bug] Race in rbtdb.c:no_references(), which occasionally triggered an INSIST failure about the node lock reference. [RT #16411] 2097. [bug] named could reference a destroyed memory context after being reloaded / reconfigured. [RT #16428] 2096. [bug] libbind: handle applications that fail to detect res_init() failures better. 2095. [port] libbind: alway prototype inet_cidr_ntop_ipv6() and net_cidr_ntop_ipv6(). [RT #16388] 2094. [contrib] Update named-bootconf. [RT# 16404] 2093. [bug] named-checkzone -s was broken. 2092. [bug] win32: dig, host, nslookup. Use registry config if resolv.conf does not exist or no nameservers listed. [RT #15877] 2091. [port] dighost.c: race condition on cleanup. [RT #16417] 2090. [port] win32: Visual C++ 2005 command line manifest support. [RT #16417] 2089. [security] Raise the minimum safe OpenSSL versions to OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions prior to these have known security flaws which are (potentially) exploitable in named. [RT #16391] 2088. [security] Change the default RSA exponent from 3 to 65537. [RT #16391] 2087. [port] libisc failed to compile on OS's w/o a vsnprintf. [RT #16382] 2086. [port] libbind: FreeBSD now has get*by*_r() functions. [RT #16403] 2085. [doc] win32: added index.html and README to zip. [RT #16201] 2084. [contrib] dbus update for 9.3.3rc2. 2083. [port] win32: Visual C++ 2005 support. 2082. [doc] Document 'cache-file' as a test only option. 2081. [port] libbind: minor 64-bit portability fix in memcluster.c. [RT #16360] 2080. [port] libbind: res_init.c did not compile on older versions of Solaris. [RT #16363] 2079. [bug] The lame cache was not handling multiple types correctly. [RT #16361] 2078. [bug] dnssec-checkzone output style "default" was badly named. It is now called "relative". [RT #16326] 2077. [bug] 'dnssec-signzone -O raw' wasn't outputting the complete signed zone. [RT #16326] 2076. [bug] Several files were missing #include causing build failures on OSF. [RT #16341] 2075. [bug] The spillat timer event hander could leak memory. [RT #16357] 2074. [bug] dns_request_createvia2(), dns_request_createvia3(), dns_request_createraw2() and dns_request_createraw3() failed to send multiple UDP requests. [RT #16349] 2073. [bug] Incorrect semantics check for update policy "wildcard". [RT #16353] 2072. [bug] We were not generating valid HMAC SHA digests. [RT #16320] 2071. [port] Test whether gcc accepts -fno-strict-aliasing. [RT #16324] 2070. [bug] The remote address was not always displayed when reporting dispatch failures. [RT #16315] 2069. [bug] Cross compiling was not working. [RT #16330] 2068. [cleanup] Lower incremental tuning message to debug 1. [RT #16319] 2067. [bug] 'rndc' could close the socket too early triggering a INSIST under Windows. [RT #16317] 2066. [security] Handle SIG queries gracefully. [RT #16300] 2065. [bug] libbind: probe for HPUX prototypes for endprotoent_r() and endservent_r(). [RT 16313] 2064. [bug] libbind: silence AIX compiler warnings. [RT #16218] 2063. [bug] Change #1955 introduced a bug which caused the first 'rndc flush' call to not free memory. [RT #16244] 2062. [bug] 'dig +nssearch' was reusing a buffer before it had been returned by the socket code. [RT #16307] 2061. [bug] Accept expired wildcard message reversed. [RT #16296] 2060. [bug] Enabling DLZ support could leave views partially configured. [RT #16295] 2059. [bug] Search into cache rbtdb could trigger an INSIST failure while cleaning up a stale rdataset. [RT #16292] 2058. [bug] Adjust how we calculate rtt estimates in the presence of authoritative servers that drop EDNS and/or CD requests. Also fallback to EDNS/512 and plain DNS faster for zones with less than 3 servers. [RT #16187] 2057. [bug] Make setting "ra" dependent on both allow-query-cache and allow-recursion. [RT #16290] 2056. [bug] dig: ixfr= was not being treated case insensitively at all times. [RT #15955] 2055. [bug] Missing goto after dropping multicast query. [RT #15944] 2054. [port] freebsd: do not explicitly link against -lpthread. [RT #16170] 2053. [port] netbsd:libbind: silence compiler warnings. [RT #16220] 2052. [bug] 'rndc' improve connect failed message to report the failing address. [RT #15978] 2051. [port] More strtol() fixes. [RT #16249] 2050. [bug] Parsing of NSAP records was not case insensitive. [RT #16287] 2049. [bug] Restore SOA before AXFR when falling back from a attempted IXFR when transferring in a zone. Allow a initial SOA query before attempting a AXFR to be requested. [RT #16156] 2048. [bug] It was possible to loop forever when using avoid-v4-udp-ports / avoid-v6-udp-ports when the OS always returned the same local port. [RT #16182] 2047. [bug] Failed to initialize the interface flags to zero. [RT #16245] 2046. [bug] rbtdb.c:rdataset_setadditional() could cause duplicate cleanup [RT #16247]. 2045. [func] Use lock buckets for acache entries to limit memory consumption. [RT #16183] 2044. [port] Add support for atomic operations for Itanium. [RT #16179] 2043. [port] nsupdate/nslookup: Force the flushing of the prompt for interactive sessions. [RT#16148] 2042. [bug] named-checkconf was incorrectly rejecting the logging category "config". [RT #16117] 2041. [bug] "configure --with-dlz-bdb=yes" produced a bad set of libraries to be linked. [RT #16129] 2040. [bug] rbtdb no_references() could trigger an INSIST failure with --enable-atomic. [RT #16022] 2039. [func] Check that all buffers passed to the socket code have been retrieved when the socket event is freed. [RT #16122] 2038. [bug] dig/nslookup/host was unlinking from wrong list when handling errors. [RT #16122] 2037. [func] When unlinking the first or last element in a list check that the list head points to the element to be unlinked. [RT #15959] 2036. [bug] 'rndc recursing' could cause trigger a REQUIRE. [RT #16075] 2035. [func] Make falling back to TCP on UDP refresh failure optional. Default "try-tcp-refresh yes;" for BIND 8 compatibility. [RT #16123] 2034. [bug] gcc: set -fno-strict-aliasing. [RT #16124] 2033. [bug] We weren't creating multiple client memory contexts on demand as expected. [RT #16095] 2032. [bug] Remove a INSIST in query_addadditional2(). [RT #16074] 2031. [bug] Emit a error message when "rndc refresh" is called on a non slave/stub zone. [RT # 16073] 2030. [bug] We were being overly conservative when disabling openssl engine support. [RT #16030] 2029. [bug] host printed out the server multiple times when specified on the command line. [RT #15992] 2028. [port] linux: socket.c compatibility for old systems. [RT #16015] 2027. [port] libbind: Solaris x86 support. [RT #16020] 2026. [bug] Rate limit the two recursive client exceeded messages. [RT #16044] 2025. [func] Update "zone serial unchanged" message. [RT #16026] 2024. [bug] named emitted spurious "zone serial unchanged" messages on reload. [RT #16027] 2023. [bug] "make install" should create ${localstatedir}/run and ${sysconfdir} if they do not exist. [RT #16033] 2022. [bug] If dnssec validation is disabled only assert CD if CD was requested. [RT #16037] 2021. [bug] dnssec-enable no; triggered a REQUIRE. [RT #16037] 2020. [bug] rdataset_setadditional() could leak memory. [RT #16034] 2019. [tuning] Reduce the amount of work performed per quantum when cleaning the cache. [RT #15986] 2018. [bug] Checking if the HMAC MD5 private file was broken. [RT #15960] 2017. [bug] allow-query default was not correct. [RT #15946] 2016. [bug] Return a partial answer if recursion is not allowed but requested and we had the answer to the original qname. [RT #15945] 2015. [cleanup] use-additional-cache is now acache-enable for consistency. Default acache-enable off in BIND 9.4 as it requires memory usage to be configured. It may be enabled by default in BIND 9.5 once we have more experience with it. 2014. [func] Statistics about acache now recorded and sent to log. [RT #15976] 2013. [bug] Handle unexpected TSIGs on unsigned AXFR/IXFR responses more gracefully. [RT #15941] 2012. [func] Don't insert new acache entries if acache is full. [RT #15970] 2011. [func] dnssec-signzone can now update the SOA record of the signed zone, either as an increment or as the system time(). [RT #15633] 2010. [placeholder] rt15958 2009. [bug] libbind: Coverity fixes. [RT #15808] 2008. [func] It is now possible to enable/disable DNSSEC validation from rndc. This is useful for the mobile hosts where the current connection point breaks DNSSEC (firewall/proxy). [RT #15592] rndc validation newstate [view] 2007. [func] It is now possible to explicitly enable DNSSEC validation. default dnssec-validation no; to be changed to yes in 9.5.0. [RT #15674] 2006. [security] Allow-query-cache and allow-recursion now default to the built in acls "localnets" and "localhost". This is being done to make caching servers less attractive as reflective amplifying targets for spoofed traffic. This still leave authoritative servers exposed. The best fix is for full BCP 38 deployment to remove spoofed traffic. 2005. [bug] libbind: Retransmission timeouts should be based on which attempt it is to the nameserver and not the nameserver itself. [RT #13548] 2004. [bug] dns_tsig_sign() could pass a NULL pointer to dst_context_destroy() when cleaning up after a error. [RT #15835] 2003. [bug] libbind: The DNS name/address lookup functions could occasionally follow a random pointer due to structures not being completely zeroed. [RT #15806] 2002. [bug] libbind: tighten the constraints on when struct addrinfo._ai_pad exists. [RT #15783] 2001. [func] Check the KSK flag when updating a secure dynamic zone. New zone option "update-check-ksk yes;". [RT #15817] 2000. [bug] memmove()/strtol() fix was incomplete. [RT #15812] 1999. [func] Implement "rrset-order fixed". [RT #13662] 1998. [bug] Restrict handling of fifos as sockets to just SunOS. This allows named to connect to entropy gathering daemons that use fifos instead of sockets. [RT #15840] 1997. [bug] Named was failing to replace negative cache entries when a positive one for the type was learnt. [RT #15818] 1996. [bug] nsupdate: if a zone has been specified it should appear in the output of 'show'. [RT #15797] 1995. [bug] 'host' was reporting multiple "is an alias" messages. [RT #15702] 1994. [port] OpenSSL 0.9.8 support. [RT #15694] 1993. [bug] Log messages, via syslog, were missing the space after the timestamp if "print-time yes" was specified. [RT #15844] 1992. [bug] Not all incoming zone transfer messages included the view. [RT #15825] 1991. [cleanup] The configuration data, once read, should be treated as read only. Expand the use of const to enforce this at compile time. [RT #15813] 1990. [bug] libbind: isc's override of broken gettimeofday() implementations was not always effective. [RT #15709] 1989. [bug] win32: don't check the service password when re-installing. [RT #15882] 1988. [bug] Remove a bus error from the SHA256/SHA512 support. [RT #15878] 1987. [func] DS/DLV SHA256 digest algorithm support. [RT #15608] 1986. [func] Report when a zone is removed. [RT #15849] 1985. [protocol] DLV has now been assigned a official type code of 32769. [RT #15807] Note: care should be taken to ensure you upgrade both named and dnssec-signzone at the same time for zones with DLV records where named is the master server for the zone. Also any zones that contain DLV records should be removed when upgrading a slave zone. You do not however have to upgrade all servers for a zone with DLV records simultaneously. 1984. [func] dig, nslookup and host now advertise a 4096 byte EDNS UDP buffer size by default. [RT #15855] 1983. [func] Two new update policies. "selfsub" and "selfwild". [RT #12895] 1982. [bug] DNSKEY was being accepted on the parent side of a delegation. KEY is still accepted there for RFC 3007 validated updates. [RT #15620] 1981. [bug] win32: condition.c:wait() could fail to reattain the mutex lock. 1980. [func] dnssec-signzone: output the SOA record as the first record in the signed zone. [RT #15758] 1979. [port] linux: allow named to drop core after changing user ids. [RT #15753] 1978. [port] Handle systems which have a broken recvmsg(). [RT #15742] 1977. [bug] Silence noisy log message. [RT #15704] 1976. [bug] Handle systems with no IPv4 addresses. [RT #15695] 1975. [bug] libbind: isc_gethexstring() could misparse multi-line hex strings with comments. [RT #15814] 1974. [doc] List each of the zone types and associated zone options separately in the ARM. 1973. [func] TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and HMACSHA512 support. [RT #13606] 1972. [contrib] DBUS dynamic forwarders integration from Jason Vas Dias . 1971. [port] linux: make detection of missing IF_NAMESIZE more robust. [RT #15443] 1970. [bug] nsupdate: adjust UDP timeout when falling back to unsigned SOA query. [RT #15775] 1969. [bug] win32: the socket code was freeing the socket structure too early. [RT #15776] 1968. [bug] Missing lock in resolver.c:validated(). [RT #15739] 1967. [func] dig/nslookup/host: warn about missing "QR". [RT #15779] 1966. [bug] Don't set CD when we have fallen back to plain DNS. [RT #15727] 1965. [func] Suppress spurious "recursion requested but not available" warning with 'dig +qr'. [RT #15780]. 1964. [func] Separate out MX and SRV to CNAME checks. [RT #15723] 1963. [port] Tru64 4.0E doesn't support send() and recv(). [RT #15586] 1962. [bug] Named failed to clear old update-policy when it was removed. [RT #15491] 1961. [bug] Check the port and address of responses forwarded to dispatch. [RT #15474] 1960. [bug] Update code should set NSEC ttls from SOA MINIMUM. [RT #15465] 1959. [func] Control the zeroing of the negative response TTL to a soa query. Defaults "zero-no-soa-ttl yes;" and "zero-no-soa-ttl-cache no;". [RT #15460] 1958. [bug] Named failed to update the zone's secure state until the zone was reloaded. [RT #15412] 1957. [bug] Dig mishandled responses to class ANY queries. [RT #15402] 1956. [bug] Improve cross compile support, 'gen' is now built by native compiler. See README for additional cross compile support information. [RT #15148] 1955. [bug] Pre-allocate the cache cleaning iterator. [RT #14998] 1954. [func] Named now falls back to advertising EDNS with a 512 byte receive buffer if the initial EDNS queries fail. [RT #14852] 1953. [func] The maximum EDNS UDP response named will send can now be set in named.conf (max-udp-size). This is independent of the advertised receive buffer (edns-udp-size). [RT #14852] 1952. [port] hpux: tell the linker to build a runtime link path "-Wl,+b:". [RT #14816]. 1951. [security] Drop queries from particular well known ports. Don't return FORMERR to queries from particular well known ports. [RT #15636] 1950. [port] Solaris 2.5.1 and earlier cannot bind() then connect() a TCP socket. This prevents the source address being set for TCP connections. [RT #15628] 1949. [func] Addition memory leakage checks. [RT #15544] 1948. [bug] If was possible to trigger a REQUIRE failure in xfrin.c:maybe_free() if named ran out of memory. [RT #15568] 1947. [func] It is now possible to configure named to accept expired RRSIGs. Default "dnssec-accept-expired no;". Setting "dnssec-accept-expired yes;" leaves named vulnerable to replay attacks. [RT #14685] 1946. [bug] resume_dslookup() could trigger a REQUIRE failure when using forwarders. [RT #15549] 1945. [cleanup] dnssec-keygen: RSA (RSAMD5) is no longer recommended. To generate a RSAMD5 key you must explicitly request RSAMD5. [RT #13780] 1944. [cleanup] isc_hash_create() does not need a read/write lock. [RT #15522] 1943. [bug] Set the loadtime after rolling forward the journal. [RT #15647] 1942. [bug] If the name of a DNSKEY match that of one in trusted-keys do not attempt to validate the DNSKEY using the parents DS RRset. [RT #15649] 1941. [bug] ncache_adderesult() should set eresult even if no rdataset is passed to it. [RT #15642] 1940. [bug] Fixed a number of error conditions reported by Coverity. 1939. [bug] The resolver could dereference a null pointer after validation if all the queries have timed out. [RT #15528] 1938. [bug] The validator was not correctly handling unsecure negative responses at or below a SEP. [RT #15528] 1937. [bug] sdlz doesn't handle RRSIG records. [RT #15564] 1936. [bug] The validator could leak memory. [RT #15544] 1935. [bug] 'acache' was DO sensitive. [RT #15430] 1934. [func] Validate pending NS RRsets, in the authority section, prior to returning them if it can be done without requiring DNSKEYs to be fetched. [RT #15430] 1933. [bug] dump_rdataset_raw() had a incorrect INSIST. [RT #15534] 1932. [bug] hpux: LDFLAGS was getting corrupted. [RT #15530] 1931. [bug] Per-client mctx could require a huge amount of memory, particularly for a busy caching server. [RT #15519] 1930. [port] HPUX: ia64 support. [RT #15473] 1929. [port] FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM. 1928. [bug] Race in rbtdb.c:currentversion(). [RT #15517] 1927. [bug] Access to soanode or nsnode in rbtdb violated the lock order rule and could cause a dead lock. [RT# 15518] 1926. [bug] The Windows installer did not check for empty passwords. BINDinstall was being installed in the wrong place. [RT #15483] 1925. [port] All outer level AC_TRY_RUNs need cross compiling defaults. [RT #15469] 1924. [port] libbind: hpux ia64 support. [RT #15473] 1923. [bug] ns_client_detach() called too early. [RT #15499] 1922. [bug] check-tool.c:setup_logging() missing call to dns_log_setcontext(). 1921. [bug] Client memory contexts were not using internal malloc. [RT# 15434] 1920. [bug] The cache rbtdb lock array was too small to have the desired performance characteristics. [RT #15454] 1919. [contrib] queryperf: a set of new features: collecting/printing response delays, printing intermediate results, and adjusting query rate for the "target" qps. 1918. [bug] Memory leak when checking acls. [RT #15391] 1917. [doc] funcsynopsisinfo wasn't being treated as verbatim when generating man pages. [RT #15385] 1916. [func] Integrate contributed IDN code from JPNIC. [RT #15383] 1915. [bug] dig +ndots was broken. [RT #15215] 1914. [protocol] DS is required to accept mnemonic algorithms (RFC 4034). Still emit numeric algorithms for compatibility with RFC 3658. [RT #15354] 1913. [func] Integrate contributed DLZ code into named. [RT #11382] 1912. [port] aix: atomic locking for powerpc. [RT #15020] 1911. [bug] Update windows socket code. [RT #14965] 1910. [bug] dig's +sigchase code overhauled. [RT #14933] 1909. [bug] The DLV code has been re-worked to make no longer query order sensitive. [RT #14933] 1908. [func] dig now warns if 'RA' is not set in the answer when 'RD' was set in the query. host/nslookup skip servers that fail to set 'RA' when 'RD' is set unless a server is explicitly set. [RT #15005] 1907. [func] host/nslookup now continue (default)/fail on SERVFAIL. [RT #15006] 1906. [func] dig now has a '-q queryname' and '+showsearch' options. [RT #15034] 1905. [bug] Strings returned from cfg_obj_asstring() should be treated as read-only. The prototype for cfg_obj_asstring() has been updated to reflect this. [RT #15256] 1904. [func] Automatic empty zone creation for D.F.IP6.ARPA and friends. Note: RFC 1918 zones are not yet covered by this but are likely to be in a future release. New options: empty-server, empty-contact, empty-zones-enable and disable-empty-zone. 1903. [func] ISC string copy API. 1902. [func] Attempt to make the amount of work performed in a iteration self tuning. The covers nodes clean from the cache per iteration, nodes written to disk when rewriting a master file and nodes destroyed per iteration when destroying a zone or a cache. [RT #14996] 1901. [cleanup] Don't add DNSKEY records to the additional section. 1900. [bug] ixfr-from-differences failed to ensure that the serial number increased. [RT #15036] 1899. [func] named-checkconf now validates update-policy entries. [RT #14963] 1898. [bug] Extend ISC_SOCKADDR_FORMATSIZE and ISC_NETADDR_FORMATSIZE to allow for scope details. 1897. [func] x86 and x86_64 now have separate atomic locking implementations. 1896. [bug] Recursive clients soft quota support wasn't working as expected. [RT #15103] 1895. [bug] A escaped character is, potentially, converted to the output character set too early. [RT #14666] 1894. [doc] Review ARM for BIND 9.4. 1893. [port] Use uintptr_t if available. [RT #14606] 1892. [func] Support for SPF rdata type. [RT #15033] 1891. [port] freebsd: pthread_mutex_init can fail if it runs out of memory. [RT #14995] 1890. [func] Raise the UDP receive buffer size to 32k if it is less than 32k. [RT #14953] 1889. [port] sunos: non blocking i/o support. [RT #14951] 1888. [func] Support for IPSECKEY rdata type. [RT #14967] 1887. [bug] The cache could delete expired records too fast for clients with a virtual time in the past. [RT #14991] 1886. [bug] fctx_create() could return success even though it failed. [RT #14993] 1885. [func] dig: report the number of extra bytes still left in the packet after processing all the records. 1884. [cleanup] dighost.c: move external declarations into . 1883. [bug] dnssec-signzone, dnssec-keygen: handle negative debug levels. [RT #14962] 1882. [func] Limit the number of recursive clients that can be waiting for a single query () to resolve. New options clients-per-query and max-clients-per-query. 1881. [func] Add a system test for named-checkconf. [RT #14931] 1880. [func] The lame cache is now done on a basis as some servers only appear to be lame for certain query types. [RT #14916] 1879. [func] "USE INTERNAL MALLOC" is now runtime selectable. [RT #14892] 1878. [func] Detect duplicates of UDP queries we are recursing on and drop them. New stats category "duplicate". [RT #2471] 1877. [bug] Fix unreasonably low quantum on call to dns_rbt_destroy2(). Remove unnecessary unhash_node() call. [RT #14919] 1876. [func] Additional memory debugging support to track size and mctx arguments. [RT #14814] 1875. [bug] process_dhtkey() was using the wrong memory context to free some memory. [RT #14890] 1874. [port] sunos: portability fixes. [RT #14814] 1873. [port] win32: isc__errno2result() now reports its caller. [RT #13753] 1872. [port] win32: Handle ERROR_NETNAME_DELETED. [RT #13753] 1871. [placeholder] 1870. [func] Added framework for handling multiple EDNS versions. [RT #14873] 1869. [func] dig can now specify the EDNS version when making a query. [RT #14873] 1868. [func] edns-udp-size can now be overridden on a per server basis. [RT #14851] 1867. [bug] It was possible to trigger a INSIST in dlv_validatezonekey(). [RT #14846] 1866. [bug] resolv.conf parse errors were being ignored by dig/host/nslookup. [RT #14841] 1865. [bug] Silently ignore nameservers in /etc/resolv.conf with bad addresses. [RT #14841] 1864. [bug] Don't try the alternative transfer source if you got a answer / transfer with the main source address. [RT #14802] 1863. [bug] rrset-order "fixed" error messages not complete. 1862. [func] Add additional zone data constancy checks. named-checkzone has extended checking of NS, MX and SRV record and the hosts they reference. named has extended post zone load checks. New zone options: check-mx and integrity-check. [RT #4940] 1861. [bug] dig could trigger a INSIST on certain malformed responses. [RT #14801] 1860. [port] solaris 2.8: hack_shutup_pthreadmutexinit was incorrectly set. [RT #14775] 1859. [func] Add support for CH A record. [RT #14695] 1858. [bug] The flush-zones-on-shutdown option wasn't being parsed. [RT #14686] 1857. [bug] named could trigger a INSIST() if reconfigured / reloaded too fast. [RT #14673] 1856. [doc] Switch Docbook toolchain from DSSSL to XSL. [RT #11398] 1855. [bug] ixfr-from-differences was failing to detect changes of ttl due to dns_diff_subtract() was ignoring the ttl of records. [RT #14616] 1854. [bug] lwres also needs to know the print format for (long long). [RT #13754] 1853. [bug] Rework how DLV interacts with proveunsecure(). [RT #13605] 1852. [cleanup] Remove last vestiges of dnssec-signkey and dnssec-makekeyset (removed from Makefile years ago). 1851. [doc] Doxygen comment markup. [RT #11398] 1850. [bug] Memory leak in lwres_getipnodebyaddr(). [RT #14591] 1849. [doc] All forms of the man pages (docbook, man, html) should have consistent copyright dates. 1848. [bug] Improve SMF integration. [RT #13238] 1847. [bug] isc_ondestroy_init() is called too late in dns_rbtdb_create()/dns_rbtdb64_create(). [RT #13661] 1846. [contrib] query-loc-0.3.0 from Stephane Bortzmeyer . 1845. [bug] Improve error reporting to distinguish between accept()/fcntl() and socket()/fcntl() errors. [RT #13745] 1844. [bug] inet_pton() accepted more that 4 hexadecimal digits for each 16 bit piece of the IPv6 address. The text representation of a IPv6 address has been tightened to disallow this (draft-ietf-ipv6-addr-arch-v4-02.txt). [RT #5662] 1843. [cleanup] CINCLUDES takes precedence over CFLAGS. This helps when CFLAGS contains "-I /usr/local/include" resulting in old header files being used. 1842. [port] cmsg_len() could produce incorrect results on some platform. [RT #13744] 1841. [bug] "dig +nssearch" now makes a recursive query to find the list of nameservers to query. [RT #13694] 1840. [func] dnssec-signzone can now randomize signature end times (dnssec-signzone -j jitter). [RT #13609] 1839. [bug] was not being installed. 1838. [cleanup] Don't allow Linux capabilities to be inherited. [RT #13707] 1837. [bug] Compile time option ISC_FACILITY was not effective for 'named -u '. [RT #13714] 1836. [cleanup] Silence compiler warnings in hash_test.c. 1835. [bug] Update dnssec-signzone's usage message. [RT #13657] 1834. [bug] Bad memset in rdata_test.c. [RT #13658] 1833. [bug] Race condition in isc_mutex_lock_profile(). [RT #13660] 1832. [bug] named fails to return BADKEY on unknown TSIG algorithm. [RT #13620] 1831. [doc] Update named-checkzone documentation. [RT#13604] 1830. [bug] adb lame cache has sence of test reversed. [RT #13600] 1829. [bug] win32: "pid-file none;" broken. [RT #13563] 1828. [bug] isc_rwlock_init() failed to properly cleanup if it encountered a error. [RT #13549] 1827. [bug] host: update usage message for '-a'. [RT #37116] 1826. [bug] Missing DESTROYLOCK() in isc_mem_createx() on out of memory error. [RT #13537] 1825. [bug] Missing UNLOCK() on out of memory error from in rbtdb.c:subtractrdataset(). [RT #13519] 1824. [bug] Memory leak on dns_zone_setdbtype() failure. [RT #13510] 1823. [bug] Wrong macro used to check for point to point interface. [RT#13418] 1822. [bug] check-names test for RT was reversed. [RT #13382] 1821. [placeholder] 1820. [bug] Gracefully handle acl loops. [RT #13659] 1819. [bug] The validator needed to check both the algorithm and digest types of the DS to determine if it could be used to introduce a secure zone. [RT #13593] 1818. [bug] 'named-checkconf -z' triggered an INSIST. [RT #13599] 1817. [func] Add support for additional zone file formats for improving loading performance. The masterfile-format option in named.conf can be used to specify a non-default format. A separate command named-compilezone was provided to generate zone files in the new format. Additionally, the -I and -O options for dnssec-signzone specify the input and output formats. 1816. [port] UnixWare: failed to compile lib/isc/unix/net.c. [RT #13597] 1815. [bug] nsupdate triggered a REQUIRE if the server was set without also setting the zone and it encountered a CNAME and was using TSIG. [RT #13086] 1814. [func] UNIX domain controls are now supported. 1813. [func] Restructured the data locking framework using architecture dependent atomic operations (when available), improving response performance on multi-processor machines significantly. x86, x86_64, alpha, powerpc, and mips are currently supported. 1812. [port] win32: IN6_IS_ADDR_UNSPECIFIED macro is incorrect. [RT #13453] 1811. [func] Preserve the case of domain names in rdata during zone transfers. [RT #13547] 1810. [bug] configure, lib/bind/configure make different default decisions about whether to do a threaded build. [RT #13212] 1809. [bug] "make distclean" failed for libbind if the platform is not supported. 1808. [bug] zone.c:notify_zone() contained a race condition, zone->db could change underneath it. [RT #13511] 1807. [bug] When forwarding (forward only) set the active domain from the forward zone name. [RT #13526] 1806. [bug] The resolver returned the wrong result when a CNAME / DNAME was encountered when fetching glue from a secure namespace. [RT #13501] 1805. [bug] Pending status was not being cleared when DLV was active. [RT #13501] 1804. [bug] Ensure that if we are queried for glue that it fits in the additional section or TC is set to tell the client to retry using TCP. [RT #10114] 1803. [bug] dnssec-signzone sometimes failed to remove old RRSIGs. [RT #13483] 1802. [bug] Handle connection resets better. [RT #11280] 1801. [func] Report differences between hints and real NS rrset and associated address records. 1800. [bug] Changes #1719 allowed a INSIST to be triggered. [RT #13428] 1799. [bug] 'rndc flushname' failed to flush negative cache entries. [RT #13438] 1798. [func] The server syntax has been extended to support a range of servers. [RT #11132] 1797. [func] named-checkconf now check acls to verify that they only refer to existing acls. [RT #13101] 1796. [func] "rndc freeze/thaw" now freezes/thaws all zones. 1795. [bug] "rndc dumpdb" was not fully documented. Minor formating issues with "rndc dumpdb -all". [RT #13396] 1794. [func] Named and named-checkzone can now both check for non-terminal wildcard records. 1793. [func] Extend adjusting TTL warning messages. [RT #13378] 1792. [func] New zone option "notify-delay". Specify a minimum delay between sets of NOTIFY messages. 1791. [bug] 'host -t a' still printed out AAAA and MX records. [RT #13230] 1790. [cleanup] Move lib/dns/sec/dst up into lib/dns. This should allow parallel make to succeed. 1789. [bug] Prerequisite test for tkey and dnssec could fail with "configure --with-libtool". 1788. [bug] libbind9.la/libbind9.so needs to link against libisccfg.la/libisccfg.so. 1787. [port] HPUX: both "cc" and "gcc" need -Wl,+vnocompatwarnings. 1786. [port] AIX: libt_api needs to be taught to look for T_testlist in the main executable (--with-libtool). [RT #13239] 1785. [bug] libbind9.la/libbind9.so needs to link against libisc.la/libisc.so. 1784. [cleanup] "libtool -allow-undefined" is the default. Leave hooks in configure to allow it to be set if needed in the future. 1783. [cleanup] We only need one copy of libtool.m4, ltmain.sh in the source tree. 1782. [port] OSX: --with-libtool + --enable-libbind broke on __evOptMonoTime. [RT #13219] 1781. [port] FreeBSD 5.3: set PTHREAD_SCOPE_SYSTEM. [RT #12810] 1780. [bug] Update libtool to 1.5.10. 1779. [port] OSF 5.1: libtool didn't handle -pthread correctly. 1778. [port] HUX 11.11: fix broken IN6ADDR_ANY_INIT and IN6ADDR_LOOPBACK_INIT macros. 1777. [port] OSF 5.1: fix broken IN6ADDR_ANY_INIT and IN6ADDR_LOOPBACK_INIT macros. 1776. [port] Solaris 2.9: fix broken IN6ADDR_ANY_INIT and IN6ADDR_LOOPBACK_INIT macros. 1775. [bug] Only compile getnetent_r.c when threaded. [RT #13205] 1774. [port] Aix: Silence compiler warnings / build failures. [RT #13154] 1773. [bug] Fast retry on host / net unreachable. [RT #13153] 1772. [placeholder] 1771. [placeholder] 1770. [bug] named-checkconf failed to report missing a missing file clause for rbt{64} master/hint zones. [RT#13009] 1769. [port] win32: change compiler flags /MTd ==> /MDd, /MT ==> /MD. 1768. [bug] nsecnoexistnodata() could be called with a non-NSEC rdataset. [RT #12907] 1767. [port] Builds on IPv6 platforms without IPv6 Advanced API support for (struct in6_pktinfo) failed. [RT #13077] 1766. [bug] Update the master file timestamp on successful refresh as well as the journal's timestamp. [RT# 13062] 1765. [bug] configure --with-openssl=auto failed. [RT #12937] 1764. [bug] dns_zone_replacedb failed to emit a error message if there was no SOA record in the replacement db. [RT #13016] 1763. [func] Perform sanity checks on NS records which refer to 'in zone' names. [RT #13002] 1762. [bug] isc_interfaceiter_create() could return ISC_R_SUCCESS even when it failed. [RT #12995] 1761. [bug] 'rndc dumpdb' didn't report unassociated entries. [RT #12971] 1760. [bug] Host / net unreachable was not penalising rtt estimates. [RT #12970] 1759. [bug] Named failed to startup if the OS supported IPv6 but had no IPv6 interfaces configured. [RT #12942] 1758. [func] Don't send notify messages to self. [RT #12933] 1757. [func] host now can turn on memory debugging flags with '-m'. 1756. [func] named-checkconf now checks the logging configuration. [RT #12352] 1755. [func] allow-update is now settable at the options / view level. [RT #6636] 1754. [bug] We weren't always attempting to query the parent server for the DS records at the zone cut. [RT #12774] 1753. [bug] Don't serve a slave zone which has no NS records. [RT #12894] 1752. [port] Move isc_app_start() to after ns_os_daemonise() as some fork() implementations unblock the signals that are blocked by isc_app_start(). [RT #12810] 1751. [bug] --enable-getifaddrs failed under linux. [RT #12867] 1750. [port] lib/bind/make/rules.in:subdirs was not bash friendly. [RT #12864] 1749. [bug] 'check-names response ignore;' failed to ignore. [RT #12866] 1748. [func] dig now returns the byte count for axfr/ixfr. 1747. [bug] BIND 8 compatibility: named/named-checkconf failed to parse "host-statistics-max" in named.conf. 1746. [func] Make public the function to read a key file, dst_key_read_public(). [RT #12450] 1745. [bug] Dig/host/nslookup accept replies from link locals regardless of scope if no scope was specified when query was sent. [RT #12745] 1744. [bug] If tuple2msgname() failed to convert a tuple to a name a REQUIRE could be triggered. [RT #12796] 1743. [bug] If isc_taskmgr_create() was not able to create the requested number of worker threads then destruction of the manager would trigger an INSIST() failure. [RT #12790] 1742. [bug] Deleting all records at a node then adding a previously existing record, in a single UPDATE transaction, failed to leave / regenerate the associated RRSIG records. [RT #12788] 1741. [bug] Deleting all records at a node in a secure zone using a update-policy grant failed. [RT #12787] 1740. [bug] Replace rbt's hash algorithm as it performed badly with certain zones. [RT #12729] NOTE: a hash context now needs to be established via isc_hash_create() if the application was not already doing this. 1739. [bug] dns_rbt_deletetree() could incorrectly return ISC_R_QUOTA. [RT #12695] 1738. [bug] Enable overrun checking by default. [RT #12695] 1737. [bug] named failed if more than 16 masters were specified. [RT #12627] 1736. [bug] dst_key_fromnamedfile() could fail to read a public key. [RT #12687] 1735. [bug] 'dig +sigtrace' could die with a REQUIRE failure. [RE #12688] 1734. [cleanup] 'rndc-confgen -a -t' remove extra '/' in path. [RT #12588] 1733. [bug] Return non-zero exit status on initial load failure. [RT #12658] 1732. [bug] 'rrset-order name "*"' wasn't being applied to ".". [RT #12467] 1731. [port] darwin: relax version test in ifconfig.sh. [RT #12581] 1730. [port] Determine the length type used by the socket API. [RT #12581] 1729. [func] Improve check-names error messages. 1728. [doc] Update check-names documentation. 1727. [bug] named-checkzone: check-names support didn't match documentation. 1726. [port] aix5: add support for aix5. 1725. [port] linux: update error message on interaction of threads, capabilities and setuid support (named -u). [RT #12541] 1724. [bug] Look for DNSKEY records with "dig +sigtrace". [RT #12557] 1723. [cleanup] Silence compiler warnings from t_tasks.c. [RT #12493] 1722. [bug] Don't commit the journal on malformed ixfr streams. [RT #12519] 1721. [bug] Error message from the journal processing were not always identifying the relevant journal. [RT #12519] 1720. [bug] 'dig +chase' did not terminate on a RFC 2308 Type 1 negative response. [RT #12506] 1719. [bug] named was not correctly caching a RFC 2308 Type 1 negative response. [RT #12506] 1718. [bug] nsupdate was not handling RFC 2308 Type 3 negative responses when looking for the zone / master server. [RT #12506] 1717. [port] solaris: ifconfig.sh did not support Solaris 10. "ifconfig.sh down" didn't work for Solaris 9. 1716. [doc] named.conf(5) was being installed in the wrong location. [RT# 12441] 1715. [func] 'dig +trace' now randomly selects the next servers to try. Report if there is a bad delegation. 1714. [bug] dig/host/nslookup were only trying the first address when a nameserver was specified by name. [RT #12286] 1713. [port] linux: extend capset failure message to say: please ensure that the capset kernel module is loaded. see insmod(8) 1712. [bug] Missing FULLCHECK for "trusted-key" in dig. 1711. [func] 'rndc unfreeze' has been deprecated by 'rndc thaw'. 1710. [func] 'rndc notify zone [class [view]]' resend the NOTIFY messages for the specified zone. [RT #9479] 1709. [port] solaris: add SMF support from Sun. 1708. [cleanup] Replaced dns_fullname_hash() with dns_name_fullhash() for conformance to the name space convention. Binary backward compatibility to the old function name is provided. [RT #12376] 1707. [contrib] sdb/ldap updated to version 1.0-beta. 1706. [bug] 'rndc stop' failed to cause zones to be flushed sometimes. [RT #12328] 1705. [func] Allow the journal's name to be changed via named.conf. 1704. [port] lwres needed a snprintf() implementation for platforms without snprintf(). Add missing "#include ". [RT #12321] 1703. [bug] named would loop sending NOTIFY messages when it failed to receive a response. [RT #12322] 1702. [bug] also-notify should not be applied to built in zones. [RT #12323] 1701. [doc] A minimal named.conf man page. 1700. [func] nslookup is no longer to be treated as deprecated. Remove "deprecated" warning message. Add man page. 1699. [bug] dnssec-signzone can generate "not exact" errors when resigning. [RT #12281] 1698. [doc] Use reserved IPv6 documentation prefix. 1697. [bug] xxx-source{,-v6} was not effective when it specified one of listening addresses and a different port than the listening port. [RT #12257] 1696. [bug] dnssec-signzone failed to clean out nodes that consisted of only NSEC and RRSIG records. [RT #12154] 1695. [bug] DS records when forwarding require special handling. [RT #12133] 1694. [bug] Report if the builtin views of "_default" / "_bind" are defined in named.conf. [RT #12023] 1693. [bug] max-journal-size was not effective for master zones with ixfr-from-differences set. [RT# 12024] 1692. [bug] Don't set -I, -L and -R flags when libcrypto is in /usr/lib. [RT #11971] 1691. [bug] sdb's attachversion was not complete. [RT #11990] 1690. [bug] Delay detaching view from the client until UPDATE processing completes when shutting down. [RT #11714] 1689. [bug] DNS_NAME_TOREGION() and DNS_NAME_SPLIT() macros contained gratuitous semicolons. [RT #11707] 1688. [bug] LDFLAGS was not supported. 1687. [bug] Race condition in dispatch. [RT #10272] 1686. [bug] Named sent a extraneous NOTIFY when it received a redundant UPDATE request. [RT #11943] 1685. [bug] Change #1679 loop tests weren't quite right. 1684. [func] ixfr-from-differences now takes master and slave in addition to yes and no at the options and view levels. 1683. [bug] dig +sigchase could leak memory. [RT #11445] 1682. [port] Update configure test for (long long) printf format. [RT #5066] 1681. [bug] Only set SO_REUSEADDR when a port is specified in isc_socket_bind(). [RT #11742] 1680. [func] rndc: the source address can now be specified. 1679. [bug] When there was a single nameserver with multiple addresses for a zone not all addresses were tried. [RT #11706] 1678. [bug] RRSIG should use TYPEXXXXX for unknown types. 1677. [bug] dig: +aaonly didn't work, +aaflag undocumented. 1676. [func] New option "allow-query-cache". This lets allow-query be used to specify the default zone access level rather than having to have every zone override the global value. allow-query-cache can be set at both the options and view levels. If allow-query-cache is not set allow-query applies. 1675. [bug] named would sometimes add extra NSEC records to the authority section. 1674. [port] linux: increase buffer size used to scan /proc/net/if_inet6. 1673. [port] linux: issue a error messages if IPv6 interface scans fails. 1672. [cleanup] Tests which only function in a threaded build now return R:THREADONLY (rather than R:UNTESTED) in a non-threaded build. 1671. [contrib] queryperf: add NAPTR to the list of known types. 1670. [func] Log UPDATE requests to slave zones without an acl as "disabled" at debug level 3. [RT# 11657] 1669. [placeholder] 1668. [bug] DIG_SIGCHASE was making bin/dig/host dump core. 1667. [port] linux: not all versions have IF_NAMESIZE. 1666. [bug] The optional port on hostnames in dual-stack-servers was being ignored. 1665. [func] rndc now allows addresses to be set in the server clauses. 1664. [bug] nsupdate needed KEY for SIG(0), not DNSKEY. 1663. [func] Look for OpenSSL by default. 1662. [bug] Change #1658 failed to change one use of 'type' to 'keytype'. 1661. [bug] Restore dns_name_concatenate() call in adb.c:set_target(). [RT #11582] 1660. [bug] win32: connection_reset_fix() was being called unconditionally. [RT #11595] 1659. [cleanup] Cleanup some messages that were referring to KEY vs DNSKEY, NXT vs NSEC and SIG vs RRSIG. 1658. [func] Update dnssec-keygen to default to KEY for HMAC-MD5 and DH. Tighten which options apply to KEY and DNSKEY records. 1657. [doc] ARM: document query log output. 1656. [doc] Update DNSSEC description in ARM to cover DS, NSEC DNSKEY and RRSIG. [RT #11542] 1655. [bug] Logging multiple versions w/o a size was broken. [RT #11446] 1654. [bug] isc_result_totext() contained array bounds read error. 1653. [func] Add key type checking to dst_key_fromfilename(), DST_TYPE_KEY should be used to read TSIG, TKEY and SIG(0) keys. 1652. [bug] TKEY still uses KEY. 1651. [bug] dig: process multiple dash options. 1650. [bug] dig, nslookup: flush standard out after each command. 1649. [bug] Silence "unexpected non-minimal diff" message. [RT #11206] 1648. [func] Update dnssec-lookaside named.conf syntax to support multiple dnssec-lookaside namespaces (not yet implemented). 1647. [bug] It was possible trigger a INSIST when chasing a DS record that required walking back over a empty node. [RT #11445] 1646. [bug] win32: logging file versions didn't work with non-UNC filenames. [RT#11486] 1645. [bug] named could trigger a REQUIRE failure if multiple masters with keys are specified. 1644. [bug] Update the journal modification time after a successful refresh query. [RT #11436] 1643. [bug] dns_db_closeversion() could leak memory / node references. [RT #11163] 1642. [port] Support OpenSSL implementations which don't have DSA support. [RT #11360] 1641. [bug] Update the check-names description in ARM. [RT #11389] 1640. [bug] win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was incorrectly closing the socket. [RT #11291] 1639. [func] Initial dlv system test. 1638. [bug] "ixfr-from-differences" could generate a REQUIRE failure if the journal open failed. [RT #11347] 1637. [bug] Node reference leak on error in addnoqname(). 1636. [bug] The dump done callback could get ISC_R_SUCCESS even if a error had occurred. The database version no longer matched the version of the database that was dumped. 1635. [bug] Memory leak on error in query_addds(). 1634. [bug] named didn't supply a useful error message when it detected duplicate views. [RT #11208] 1633. [bug] named should return NOTIMP to update requests to a slaves without a allow-update-forwarding acl specified. [RT #11331] 1632. [bug] nsupdate failed to send prerequisite only UPDATE messages. [RT #11288] 1631. [bug] dns_journal_compact() could sometimes corrupt the journal. [RT #11124] 1630. [contrib] queryperf: add support for IPv6 transport. 1629. [func] dig now supports IPv6 scoped addresses with the extended format in the local-server part. [RT #8753] 1628. [bug] Typo in Compaq Trucluster support. [RT# 11264] 1627. [bug] win32: sockets were not being closed when the last external reference was removed. [RT# 11179] 1626. [bug] --enable-getifaddrs was broken. [RT#11259] 1625. [bug] named failed to load/transfer RFC2535 signed zones which contained CNAMES. [RT# 11237] 1624. [bug] zonemgr_putio() call should be locked. [RT# 11163] 1623. [bug] A serial number of zero was being displayed in the "sending notifies" log message when also-notify was used. [RT #11177] 1622. [func] probe the system to see if IPV6_(RECV)PKTINFO is available, and suppress wildcard binding if not. 1621. [bug] match-destinations did not work for IPv6 TCP queries. [RT# 11156] 1620. [func] When loading a zone report if it is signed. [RT #11149] 1619. [bug] Missing ISC_LIST_UNLINK in end_reserved_dispatches(). [RT# 11118] 1618. [bug] Fencepost errors in dns_name_ishostname() and dns_name_ismailbox() could trigger a INSIST(). 1617. [port] win32: VC++ 6.0 support. 1616. [compat] Ensure that named's version is visible in the core dump. [RT #11127] 1615. [port] Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if it is defined. 1614. [port] win32: silence resource limit messages. [RT# 11101] 1613. [bug] Builds would fail on machines w/o a if_nametoindex(). Missing #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX/#endif. [RT #11119] 1612. [bug] check-names at the option/view level could trigger an INSIST. [RT# 11116] 1611. [bug] solaris: IPv6 interface scanning failed to cope with no active IPv6 interfaces. 1610. [bug] On dual stack machines "dig -b" failed to set the address type to be looked up with "@server". [RT #11069] 1609. [func] dig now has support to chase DNSSEC signature chains. Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES. DNSSEC validation code in dig coded by Olivier Courtay (olivier.courtay@irisa.fr) for the IDsA project (http://idsa.irisa.fr). 1608. [func] dig and host now accept -4/-6 to select IP transport to use when making queries. 1607. [bug] dig, host and nslookup were still using random() to generate query ids. [RT# 11013] 1606. [bug] DLV insecurity proof was failing. 1605. [func] New dns_db_find() option DNS_DBFIND_COVERINGNSEC. 1604. [bug] A xfrout_ctx_create() failure would result in xfrout_ctx_destroy() being called with a partially initialized structure. 1603. [bug] nsupdate: set interactive based on isatty(). [RT# 10929] 1602. [bug] Logging to a file failed unless a size was specified. [RT# 10925] 1601. [bug] Silence spurious warning 'both "recursion no;" and "allow-recursion" active' warning from view "_bind". [RT# 10920] 1600. [bug] Duplicate zone pre-load checks were not case insensitive. 1599. [bug] Fix memory leak on error path when checking named.conf. 1598. [func] Specify that certain parts of the namespace must be secure (dnssec-must-be-secure). 1597. [func] Allow notify-source and query-source to be specified on a per server basis similar to transfer-source. [RT #6496] 1596. [func] Accept 'notify-source' style syntax for query-source. 1595. [func] New notify type 'master-only'. Enable notify for master zones only. 1594. [bug] 'rndc dumpdb' could prevent named from answering queries while the dump was in progress. [RT #10565] 1593. [bug] rndc should return "unknown command" to unknown commands. [RT# 10642] 1592. [bug] configure_view() could leak a dispatch. [RT# 10675] 1591. [bug] libbind: updated to BIND 8.4.5. 1590. [port] netbsd: update thread support. 1589. [func] DNSSEC lookaside validation. 1588. [bug] win32: TCP sockets could become blocked. [RT #10115] 1587. [bug] dns_message_settsigkey() failed to clear existing key. [RT #10590] 1586. [func] "check-names" is now implemented. 1585. [placeholder] 1584. [bug] "make test" failed with a read only source tree. [RT #10461] 1583. [bug] Records add via UPDATE failed to get the correct trust level. [RT #10452] 1582. [bug] rrset-order failed to work on RRsets with more than 32 elements. [RT #10381] 1581. [func] Disable DNSSEC support by default. To enable DNSSEC specify "dnssec-enable yes;" in named.conf. 1580. [bug] Zone destruction on final detach takes a long time. [RT #3746] 1579. [bug] Multiple task managers could not be created. 1578. [bug] Don't use CLASS E IPv4 addresses when resolving. [RT #10346] 1577. [bug] Use isc_uint32_t in ultrasparc optimizer bug workaround code. [RT #10331] 1576. [bug] Race condition in dns_dispatch_addresponse(). [RT# 10272] 1575. [func] Log TSIG name on TSIG verify failure. [RT #4404] 1574. [bug] Don't attempt to open the controls socket(s) when running tests. [RT #9091] 1573. [port] linux: update to libtool 1.5.2 so that "make install DESTDIR=/xx" works with "configure --with-libtool". [RT #9941] 1572. [bug] nsupdate: sign the soa query to find the enclosing zone if the server is specified. [RT #10148] 1571. [bug] rbt:hash_node() could fail leaving the hash table in an inconsistent state. [RT #10208] 1570. [bug] nsupdate failed to handle classes other than IN. New keyword 'class' which sets the default class. [RT #10202] 1569. [func] nsupdate new command 'answer' which displays the complete answer message to the last update. 1568. [bug] nsupdate now reports that the update failed in interactive mode. [RT# 10236] 1567. [maint] B.ROOT-SERVERS.NET is now 192.228.79.201. 1566. [port] Support for the cmsg framework on Solaris and HP/UX. This also solved the problem that match-destinations for IPv6 addresses did not work on these systems. [RT #10221] 1565. [bug] CD flag should be copied to outgoing queries unless the query is under a secure entry point in which case CD should be set. 1564. [func] Attempt to provide a fallback entropy source to be used if named is running chrooted and named is unable to open entropy source within the chroot area. [RT #10133] 1563. [bug] Gracefully fail when unable to obtain neither an IPv4 nor an IPv6 dispatch. [RT #10230] 1562. [bug] isc_socket_create() and isc_socket_accept() could leak memory under error conditions. [RT #10230] 1561. [bug] It was possible to release the same name twice if named ran out of memory. [RT #10197] 1560. [port] FreeBSD: work around FreeBSD 5.2 mapping EAI_NODATA and EAI_NONAME to the same value. 1559. [port] named should ignore SIGFSZ. 1558. [func] New DNSSEC 'disable-algorithms'. Support entry into child zones for which we don't have a supported algorithm. Such child zones are treated as unsigned. 1557. [func] Implement missing DNSSEC tests for * NOQNAME proof with wildcard answers. * NOWILDARD proof with NXDOMAIN. Cache and return NOQNAME with wildcard answers. 1556. [bug] nsupdate now treats all names as fully qualified. [RT #6427] 1555. [func] 'rrset-order cyclic' no longer has a random starting point per query. [RT #7572] 1554. [bug] dig, host, nslookup failed when no nameservers were specified in /etc/resolv.conf. [RT #8232] 1553. [bug] The windows socket code could stop accepting connections. [RT#10115] 1552. [bug] Accept NOTIFY requests from mapped masters if matched-mapped is set. [RT #10049] 1551. [port] Open "/dev/null" before calling chroot(). 1550. [port] Call tzset(), if available, before calling chroot(). 1549. [func] named-checkzone can now write out the zone contents in a easily parsable format (-D and -o). 1548. [bug] When parsing APL records it was possible to silently accept out of range ADDRESSFAMILY values. [RT# 9979] 1547. [bug] Named wasted memory recording duplicate lame zone entries. [RT #9341] 1546. [bug] We were rejecting valid secure CNAME to negative answers. 1545. [bug] It was possible to leak memory if named was unable to bind to the specified transfer source and TSIG was being used. [RT #10120] 1544. [bug] Named would logged a single entry to a file despite it being over the specified size limit. 1543. [bug] Logging using "versions unlimited" did not work. 1542. [placeholder] 1541. [func] NSEC now uses new bitmap format. 1540. [bug] "rndc reload " was silently accepted. [RT #8934] 1539. [bug] Open UDP sockets for notify-source and transfer-source that use reserved ports at startup. [RT #9475] 1538. [placeholder] rt9997 1537. [func] New option "querylog". If set specify whether query logging is to be enabled or disabled at startup. 1536. [bug] Windows socket code failed to log a error description when returning ISC_R_UNEXPECTED. [RT #9998] 1535. [placeholder] 1534. [bug] Race condition when priming cache. [RT# 9940] 1533. [func] Warn if both "recursion no;" and "allow-recursion" are active. [RT# 4389] 1532. [port] netbsd: the configure test for requires . 1531. [port] AIX more libtool fixes. 1530. [bug] It was possible to trigger a INSIST() failure if a slave master file was removed at just the correct moment. [RT #9462] 1529. [bug] "notify explicit;" failed to log that NOTIFY messages were being sent for the zone. [RT# 9442] 1528. [cleanup] Simplify some dns_name_ functions based on the deprecation of bitstring labels. 1527. [cleanup] Reduce the number of gettimeofday() calls without losing necessary timer granularity. 1526. [func] Implemented "additional section caching (or acache)", an internal cache framework for additional section content to improve response performance. Several configuration options were provided to control the behavior. 1525. [bug] dns_cache_create() could trigger a REQUIRE failure in isc_mem_put() during error cleanup. [RT# 9360] 1524. [port] AIX needs to be able to resolve all symbols when creating shared libraries (--with-libtool). 1523. [bug] Fix race condition in rbtdb. [RT# 9189] 1522. [bug] dns_db_findnode() relax the requirements on 'name'. [RT# 9286] 1521. [bug] dns_view_createresolver() failed to check the result from isc_mem_create(). [RT# 9294] 1520. [protocol] Add SSHFP (SSH Finger Print) type. 1519. [bug] dnssec-signzone:nsec_setbit() computed the wrong length of the new bitmap. 1518. [bug] dns_nsec_buildrdata(), and hence dns_nsec_build(), contained a off-by-one error when working out the number of octets in the bitmap. 1517. [port] Support for IPv6 interface scanning on HP/UX and TrueUNIX 5.1. 1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY. 1515. [func] Allow transfer source to be set in a server statement. [RT #6496] 1514. [bug] named: isc_hash_destroy() was being called too early. [RT #9160] 1513. [doc] Add "US" to root-delegation-only exclude list. 1512. [bug] Extend the delegation-only logging to return query type, class and responding nameserver. 1511. [bug] delegation-only was generating false positives on negative answers from sub-zones. 1510. [func] New view option "root-delegation-only". Apply delegation-only check to all TLDs and root. Note there are some TLDs that are NOT delegation only (e.g. DE, LV, US and MUSEUM) these can be excluded from the checks by using exclude. root-delegation-only exclude { "DE"; "LV"; "US"; "MUSEUM"; }; 1509. [bug] Hint zones should accept delegation-only. Forward zone should not accept delegation-only. 1508. [bug] Don't apply delegation-only checks to answers from forwarders. 1507. [bug] Handle BIND 8 style returns to NS queries to parents when making delegation-only checks. 1506. [bug] Wrong return type for dns_view_isdelegationonly(). 1505. [bug] Uninitialized rdataset in sdb. [RT #8750] 1504. [func] New zone type "delegation-only". 1503. [port] win32: install libeay32.dll outside of system32. 1502. [bug] nsupdate: adjust timeouts for UPDATE requests over TCP. 1501. [func] Allow TCP queue length to be specified via named.conf, tcp-listen-queue. 1500. [bug] host failed to lookup MX records. Also look up AAAA records. 1499. [bug] isc_random need to be seeded better if arc4random() is not used. 1498. [port] bsdos: 5.x support. 1497. [placeholder] 1496. [port] test for pthread_attr_setstacksize(). 1495. [cleanup] Replace hash functions with universal hash. 1494. [security] Turn on RSA BLINDING as a precaution. 1493. [placeholder] 1492. [cleanup] Preserve rwlock quota context when upgrading / downgrading. [RT #5599] 1491. [bug] dns_master_dump*() would produce extraneous $ORIGIN lines. [RT #6206] 1490. [bug] Accept reading state as well as working state in ns_client_next(). [RT #6813] 1489. [compat] Treat 'allow-update' on slave zones as a warning. [RT #3469] 1488. [bug] Don't override trust levels for glue addresses. [RT #5764] 1487. [bug] A REQUIRE() failure could be triggered if a zone was queued for transfer and the zone was then removed. [RT #6189] 1486. [bug] isc_print_snprintf() '%%' consumed one too many format characters. [RT# 8230] 1485. [bug] gen failed to handle high type values. [RT #6225] 1484. [bug] The number of records reported after a AXFR was wrong. [RT #6229] 1483. [bug] dig axfr failed if the message id in the answer failed to match that in the request. Only the id in the first message is required to match. [RT #8138] 1482. [bug] named could fail to start if the kernel supports IPv6 but no interfaces are configured. Similarly for IPv4. [RT #6229] 1481. [bug] Refresh and stub queries failed to use masters keys if specified. [RT #7391] 1480. [bug] Provide replay protection for rndc commands. Full replay protection requires both rndc and named to be updated. Partial replay protection (limited exposure after restart) is provided if just named is updated. 1479. [bug] cfg_create_tuple() failed to handle out of memory cleanup. parse_list() would leak memory on syntax errors. 1478. [port] ifconfig.sh didn't account for other virtual interfaces. It now takes a optional argument to specify the first interface number. [RT #3907] 1477. [bug] memory leak using stub zones and TSIG. 1476. [placeholder] 1475. [port] Probe for old sprintf(). 1474. [port] Provide strtoul() and memmove() for platforms without them. 1473. [bug] create_map() and create_string() failed to handle out of memory cleanup. [RT #6813] 1472. [contrib] idnkit-1.0 from JPNIC, replaces mdnkit. 1471. [bug] libbind: updated to BIND 8.4.0. 1470. [bug] Incorrect length passed to snprintf. [RT #5966] 1469. [func] Log end of outgoing zone transfer at same level as the start of transfer is logged. [RT #4441] 1468. [func] Internal zones are no longer counted for 'rndc status'. [RT #4706] 1467. [func] $GENERATES now supports optional class and ttl. 1466. [bug] lwresd configuration errors resulted in memory and lock leaks. [RT #5228] 1465. [bug] isc_base64_decodestring() and isc_base64_tobuffer() failed to check that trailing bits were zero allowing some invalid base64 strings to be accepted. [RT #5397] 1464. [bug] Preserve "out of zone" data for outgoing zone transfers. [RT #5192] 1463. [bug] dns_rdata_from{wire,struct}() failed to catch bad NXT bit maps. [RT #5577] 1462. [bug] parse_sizeval() failed to check the token type. [RT #5586] 1461. [bug] Remove deadlock from rbtdb code. [RT #5599] 1460. [bug] inet_pton() failed to reject certain malformed IPv6 literals. 1459. [placeholder] 1458. [cleanup] sprintf() -> snprintf(). 1457. [port] Provide strlcat() and strlcpy() for platforms without them. 1456. [contrib] gen-data-queryperf.py from Stephane Bortzmeyer. 1455. [bug] missing from server grammar in doc/misc/options. [RT #5616] 1454. [port] Use getifaddrs() if available for interface scanning. --disable-getifaddrs to override. Glibc currently has a getifaddrs() that does not support IPv6. Use --enable-getifaddrs=glibc to force the use of this version under linux machines. 1453. [doc] ARM: $GENERATE example wasn't accurate. [RT #5298] 1452. [placeholder] 1451. [bug] rndc-confgen didn't exit with a error code for all failures. [RT #5209] 1450. [bug] Fetching expired glue failed under certain circumstances. [RT #5124] 1449. [bug] query_addbestns() didn't handle running out of memory gracefully. 1448. [bug] Handle empty wildcards labels. 1447. [bug] We were casting (unsigned int) to and from (void *). rdataset->private4 is now rdataset->privateuint4 to reflect a type change. 1446. [func] Implemented undocumented alternate transfer sources from BIND 8. See use-alt-transfer-source, alt-transfer-source and alt-transfer-source-v6. SECURITY: use-alt-transfer-source is ENABLED unless you are using views. This may cause a security risk resulting in accidental disclosure of wrong zone content if the master supplying different source content based on IP address. If you are not certain ISC recommends setting use-alt-transfer-source no; 1445. [bug] DNS_ADBFIND_STARTATROOT broke stub zones. This has been replaced with DNS_ADBFIND_STARTATZONE which causes the search to start using the closest zone. 1444. [func] dns_view_findzonecut2() allows you to specify if the cache should be searched for zone cuts. 1443. [func] Masters lists can now be specified and referenced in zone masters clauses and other masters lists. 1442. [func] New functions for manipulating port lists: dns_portlist_create(), dns_portlist_add(), dns_portlist_remove(), dns_portlist_match(), dns_portlist_attach() and dns_portlist_detach(). 1441. [func] It is now possible to tell dig to bind to a specific source port. 1440. [func] It is now possible to tell named to avoid using certain source ports (avoid-v4-udp-ports, avoid-v6-udp-ports). 1439. [bug] Named could return NOERROR with certain NOTIFY failures. Return NOTAUTH if the NOTIFY zone is not being served. 1438. [func] Log TSIG (if any) when logging NOTIFY requests. 1437. [bug] Leave space for stdio to work in. [RT #5033] 1436. [func] dns_zonemgr_resumexfrs() can be used to restart stalled transfers. 1435. [bug] zmgr_resume_xfrs() was being called read locked rather than write locked. zmgr_resume_xfrs() was not being called if the zone was being shutdown. 1434. [bug] "rndc reconfig" failed to initiate the initial zone transfer of new slave zones. 1433. [bug] named could trigger a REQUIRE failure if it could not get a file descriptor when attempting to write a master file. [RT #4347] 1432. [func] The advertised EDNS UDP buffer size can now be set via named.conf (edns-udp-size). 1431. [bug] isc_print_snprintf() "%s" with precision could walk off end of argument. [RT #5191] 1430. [port] linux: IPv6 interface scanning support. 1429. [bug] Prevent the cache getting locked to old servers. 1428. [placeholder] 1427. [bug] Race condition in adb with threaded build. 1426. [placeholder] 1425. [port] linux/libbind: define __USE_MISC when testing *_r() function prototypes in netdb.h. [RT #4921] 1424. [bug] EDNS version not being correctly printed. 1423. [contrib] queryperf: added A6 and SRV. 1422. [func] Log name/type/class when denying a query. [RT #4663] 1421. [func] Differentiate updates that don't succeed due to prerequisites (unsuccessful) vs other reasons (failed). 1420. [port] solaris: work around gcc optimizer bug. 1419. [port] openbsd: use /dev/arandom. [RT #4950] 1418. [bug] 'rndc reconfig' did not cause new slaves to load. 1417. [func] ID.SERVER/CHAOS is now a built in zone. See "server-id" for how to configure. 1416. [bug] Empty node should return NOERROR NODATA, not NXDOMAIN. [RT #4715] 1415. [func] DS TTL now derived from NS ttl. NXT TTL now derived from SOA MINIMUM. 1414. [func] Support for KSK flag. 1413. [func] Explicitly request the (re-)generation of DS records from keysets (dnssec-signzone -g). 1412. [func] You can now specify servers to be tried if a nameserver has IPv6 address and you only support IPv4 or the reverse. See dual-stack-servers. 1411. [bug] empty nodes should stop wildcard matches. [RT #4802] 1410. [func] Handle records that live in the parent zone, e.g. DS. 1409. [bug] DS should have attribute DNS_RDATATYPEATTR_DNSSEC. 1408. [bug] "make distclean" was not complete. [RT #4700] 1407. [bug] lfsr incorrectly implements the shift register. [RT #4617] 1406. [bug] dispatch initializes one of the LFSR's with a incorrect polynomial. [RT #4617] 1405. [func] Use arc4random() if available. 1404. [bug] libbind: ns_name_ntol() could overwrite a zero length buffer. 1403. [func] dnssec-signzone, dnssec-keygen, dnssec-makekeyset dnssec-signkey now report their version in the usage message. 1402. [cleanup] A6 has been moved to experimental and is no longer fully supported. 1401. [bug] adb wasn't clearing state when the timer expired. 1400. [bug] Block the addition of wildcard NS records by IXFR or UPDATE. [RT #3502] 1399. [bug] Use serial number arithmetic when testing SIG timestamps. [RT #4268] 1398. [doc] ARM: notify-also should have been also-notify. [RT #4345] 1397. [maint] J.ROOT-SERVERS.NET is now 192.58.128.30. 1396. [func] dnssec-signzone: adjust the default signing time by 1 hour to allow for clock skew. 1395. [port] OpenSSL 0.9.7 defines CRYPTO_LOCK_ENGINE but doesn't have a working implementation. [RT #4079] 1394. [func] It is now possible to check if a particular element is in a acl. Remove duplicate entries from the localnets acl. 1393. [port] Bind to individual IPv6 interfaces if IPV6_IPV6ONLY is not available in the kernel to prevent accidently listening on IPv4 interfaces. 1392. [bug] named-checkzone: update usage. 1391. [func] Add support for IPv6 scoped addresses in named. 1390. [func] host now supports ixfr. 1389. [bug] named could fail to rotate long log files. [RT #3666] 1388. [port] irix: check for sys/sysctl.h and NET_RT_IFLIST before defining HAVE_IFLIST_SYSCTL. [RT #3770] 1387. [bug] named could crash due to an access to invalid memory space (which caused an assertion failure) in incremental cleaning. [RT #3588] 1386. [bug] named-checkzone -z stopped on errors in a zone. [RT #3653] 1385. [bug] Setting serial-query-rate to 10 would trigger a REQUIRE failure. 1384. [bug] host was incompatible with BIND 8 in its exit code and in the output with the -l option. [RT #3536] 1383. [func] Track the serial number in a IXFR response and log if a mismatch occurs. This is a more specific error than "not exact". [RT #3445] 1382. [bug] make install failed with --enable-libbind. [RT #3656] 1381. [bug] named failed to correctly process answers that contained DNAME records where the resulting CNAME resulted in a negative answer. 1380. [func] 'rndc recursing' dump recursing queries to 'recursing-file = "named.recursing";'. 1379. [func] 'rndc status' now reports tcp and recursion quota states. 1378. [func] Improved positive feedback for 'rndc {reload|refresh}. 1377. [func] dns_zone_load{new}() now reports if the zone was loaded, queued for loading to up to date. 1376. [func] New function dns_zone_logc() to log to specified category. 1375. [func] 'rndc dumpdb' now dumps the adb cache along with the data cache. 1374. [func] dns_adb_dump() now logs the lame zones associated with each server. 1373. [bug] Recovery from expired glue failed under certain circumstances. 1372. [bug] named crashes with an assertion failure on exit when sharing the same port for listening and querying, and changing listening addresses several times. [RT# 3509] 1371. [bug] notify-source-v6, transfer-source-v6 and query-source-v6 with explicit addresses and using the same ports as named was listening on could interfere with named's ability to answer queries sent to those addresses. 1370. [bug] dig '+[no]recurse' was incorrectly documented. 1369. [bug] Adding an NS record as the lexicographically last record in a secure zone didn't work. 1368. [func] remove support for bitstring labels. 1367. [func] Use response times to select forwarders. 1366. [contrib] queryperf usage was incomplete. Add '-h' for help. 1365. [func] "localhost" and "localnets" acls now include IPv6 addresses / prefixes. 1364. [func] Log file name when unable to open memory statistics and dump database files. [RT# 3437] 1363. [func] Listen-on-v6 now supports specific addresses. 1362. [bug] remove IFF_RUNNING test when scanning interfaces. 1361. [func] log the reason for rejecting a server when resolving queries. 1360. [bug] --enable-libbind would fail when not built in the source tree for certain OS's. 1359. [security] Support patches OpenSSL libraries. http://www.cert.org/advisories/CA-2002-23.html 1358. [bug] It was possible to trigger a INSIST when debugging large dynamic updates. [RT #3390] 1357. [bug] nsupdate was extremely wasteful of memory. 1356. [tuning] Reduce the number of events / quantum for zone tasks. 1355. [bug] Fix DNSSEC wildcard proof for CNAME/DNAME. 1354. [doc] lwres man pages had illegal nroff. 1353. [contrib] sdb/ldap to version 0.9. 1352. [bug] dig, host, nslookup when falling back to TCP use the current search entry (if any). [RT #3374] 1351. [bug] lwres_getipnodebyname() returned the wrong name when given a IPv4 literal, af=AF_INET6 and AI_MAPPED was set. 1350. [bug] dns_name_fromtext() failed to handle too many labels gracefully. 1349. [security] Minimum OpenSSL version now 0.9.6e (was 0.9.5a). http://www.cert.org/advisories/CA-2002-23.html 1348. [port] win32: Rewrote code to use I/O Completion Ports in socket.c and eliminating a host of socket errors. Performance is enhanced. 1347. [placeholder] 1346. [placeholder] 1345. [port] Use a explicit -Wformat with gcc. Not all versions include it in -Wall. 1344. [func] Log if the serial number on the master has gone backwards. If you have multiple machines specified in the masters clause you may want to set 'multi-master yes;' to suppress this warning. 1343. [func] Log successful notifies received (info). Adjust log level for failed notifies to notice. 1342. [func] Log remote address with TCP dispatch failures. 1341. [func] Allow a rate limiter to be stalled. 1340. [bug] Delay and spread out the startup refresh load. 1339. [func] dig, host and nslookup now use IP6.ARPA for nibble lookups. Bit string lookups are no longer attempted. 1338. [placeholder] 1337. [placeholder] 1336. [func] Nibble lookups under IP6.ARPA are now supported by dns_byaddr_create(). dns_byaddr_createptrname() is deprecated, use dns_byaddr_createptrname2() instead. 1335. [bug] When performing a nonexistence proof, the validator should discard parent NXTs from higher in the DNS. 1334. [bug] When signing/verifying rdatasets, duplicate rdatas need to be suppressed. 1333. [contrib] queryperf now reports a summary of returned rcodes (-c), rcodes are printed in mnemonic form (-v). 1332. [func] Report the current serial with periodic commits when rolling forward the journal. 1331. [func] Generate DNSSEC wildcard proofs. 1330. [bug] When processing events (non-threaded) only allow the task one chance to use to use its quantum. 1329. [func] named-checkzone will now check if nameservers that appear to be IP addresses. Available modes "fail", "warn" (default) and "ignore" the results of the check. 1328. [bug] The validator could incorrectly verify an invalid negative proof. 1327. [bug] The validator would incorrectly mark data as insecure when seeing a bogus signature before a correct signature. 1326. [bug] DNAME/CNAME signatures were not being cached when validation was not being performed. [RT #3284] 1325. [bug] If the tcpquota was exhausted it was possible to to trigger a INSIST() failure. 1324. [port] darwin: ifconfig.sh now supports darwin. 1323. [port] linux: Slackware 4.0 needs . [RT #3205] 1322. [bug] dnssec-signzone usage message was misleading. 1321. [bug] If the last RRset in a zone is glue, dnssec-signzone would incorrectly duplicate its output and sign it. 1320. [doc] query-source-v6 was missing from options section. [RT #3218] 1319. [func] libbind: log attempts to exploit #1318. 1318. [bug] libbind: Remote buffer overrun. 1317. [port] libbind: TrueUNIX 5.1 does not like __align as a element name. 1316. [bug] libbind: gethostans() could get out of sync parsing the response if there was a very long CNAME chain. 1315. [bug] Options should apply to the internal _bind view. 1314. [port] Handle ECONNRESET from sendmsg() [unix]. 1313. [func] Query log now says if the query was signed (S) or if EDNS was used (E). 1312. [func] Log TSIG key used w/ outgoing zone transfers. 1311. [bug] lwres_getrrsetbyname leaked memory. [RT #3159] 1310. [bug] 'rndc stop' failed to cause zones to be flushed sometimes. [RT #3157] 1309. [func] Log that a zone transfer was covered by a TSIG. 1308. [func] DS (delegation signer) support. 1307. [bug] nsupdate: allow white space base64 key data. 1306. [bug] Badly encoded LOC record when the size, horizontal precision or vertical precision was 0.1m. 1305. [bug] Document that internal zones are included in the rndc status results. 1304. [func] New function: dns_zone_name(). 1303. [func] Option 'flush-zones-on-shutdown ;'. 1302. [func] Extended rndc dumpdb to support dumping of zones and view selection: 'dumpdb [-all|-zones|-cache] [view]'. 1301. [func] New category 'update-security'. 1300. [port] Compaq Trucluster support. 1299. [bug] Set AI_ADDRCONFIG when looking up addresses via getaddrinfo() (affects dig, host, nslookup, rndc and nsupdate). 1298. [bug] The CINCLUDES macro in lib/dns/sec/dst/Makefile could be left with a trailing "\" after configure has been run. 1297. [port] linux: make handling EINVAL from socket() no longer conditional on #ifdef LINUX. 1296. [bug] isc_log_closefilelogs() needed to lock the log context. 1295. [bug] isc_log_setdebuglevel() needed to lock the log context. 1294. [func] libbind: no longer attempts bit string labels for IPv6 reverse resolution. Try IP6.ARPA then IP6.INT for nibble style resolution. 1293. [func] Entropy can now be retrieved from EGDs. [RT #2438] 1292. [func] Enable IPv6 support when using ioctl style interface scanning and OS supports SIOCGLIFADDR using struct if_laddrreq. 1291. [func] Enable IPv6 support when using sysctl style interface scanning. 1290. [func] "dig axfr" now reports the number of messages as well as the number of records. 1289. [port] See if -ldl is required for OpenSSL? [RT #2672] 1288. [bug] Adjusted REQUIRE's in lib/dns/name.c to better reflect written requirements. 1287. [bug] REQUIRE that DNS_DBADD_MERGE only be set when adding a rdataset to a zone db in the rbtdb implementation of addrdataset. 1286. [bug] dns_name_downcase() enforce requirement that target != NULL or name->buffer != NULL. 1285. [func] lwres: probe the system to see what address families are currently in use. 1284. [bug] The RTT estimate on unused servers was not aged. [RT #2569] 1283. [func] Use "dataready" accept filter if available. 1282. [port] libbind: hpux 11.11 interface scanning. 1281. [func] Log zone when unable to get private keys to update zone. Log zone when NXT records are missing from secure zone. 1280. [bug] libbind: escape '(' and ')' when converting to presentation form. 1279. [port] Darwin uses (unsigned long) for size_t. [RT #2590] 1278. [func] dig: now supports +[no]cl +[no]ttlid. 1277. [func] You can now create your own customized printing styles: dns_master_stylecreate() and dns_master_styledestroy(). 1276. [bug] libbind: const pointer conflicts in res_debug.c. 1275. [port] libbind: hpux: treat all hpux systems as BIG_ENDIAN. 1274. [bug] Memory leak in lwres_gnbarequest_parse(). 1273. [port] libbind: solaris: 64 bit binary compatibility. 1272. [contrib] Berkeley DB 4.0 sdb implementation from Nuno Miguel Rodrigues . 1271. [bug] "recursion available: {denied,approved}" was too confusing. 1270. [bug] Check that system inet_pton() and inet_ntop() support AF_INET6. 1269. [port] Openserver: ifconfig.sh support. 1268. [port] Openserver: the value FD_SETSIZE depends on whether is included or not. Be consistent. 1267. [func] isc_file_openunique() now creates file using mode 0666 rather than 0600. 1266. [bug] ISC_LINK_INIT, ISC_LINK_UNLINK, ISC_LIST_DEQUEUE, __ISC_LINK_UNLINKUNSAFE and __ISC_LIST_DEQUEUEUNSAFE are not C++ compatible, use *_TYPE versions instead. 1265. [bug] libbind: LINK_INIT and UNLINK were not compatible with C++, use LINK_INIT_TYPE and UNLINK_TYPE instead. 1264. [placeholder] 1263. [bug] Reference after free error if dns_dispatchmgr_create() failed. 1262. [bug] ns_server_destroy() failed to set *serverp to NULL. 1261. [func] libbind: ns_sign2() and ns_sign_tcp() now provide support for compressed TSIG owner names. 1260. [func] libbind: res_update can now update IPv6 servers, new function res_findzonecut2(). 1259. [bug] libbind: get_salen() IPv6 support was broken for OSs w/o sa_len. 1258. [bug] libbind: res_nametotype() and res_nametoclass() were broken. 1257. [bug] Failure to write pid-file should not be fatal on reload. [RT #2861] 1256. [contrib] 'queryperf' now has EDNS (-e) + DNSSEC DO (-D) support. 1255. [bug] When verifying that an NXT proves nonexistence, check the rcode of the message and only do the matching NXT check. That is, for NXDOMAIN responses, check that the name is in the range between the NXT owner and next name, and for NOERROR NODATA responses, check that the type is not present in the NXT bitmap. 1254. [func] preferred-glue option from BIND 8.3. 1253. [bug] The dnssec system test failed to remove the correct files. 1252. [bug] Dig, host and nslookup were not checking the address the answer was coming from against the address it was sent to. [RT# 2692] 1251. [port] win32: a make file contained absolute version specific references. 1250. [func] Nsupdate will report the address the update was sent to. 1249. [bug] Missing masters clause was not handled gracefully. [RT #2703] 1248. [bug] DESTDIR was not being propagated between makes. 1247. [bug] Don't reset the interface index for link/site local addresses. [RT #2576] 1246. [func] New functions isc_sockaddr_issitelocal(), isc_sockaddr_islinklocal(), isc_netaddr_issitelocal() and isc_netaddr_islinklocal(). 1245. [bug] Treat ENOBUFS, ENOMEM and ENFILE as soft errors for accept(). 1244. [bug] Receiving a TCP message from a blackhole address would prevent further messages being received over that interface. 1243. [bug] It was possible to trigger a REQUIRE() in dns_message_findtype(). [RT #2659] 1242. [bug] named-checkzone failed if a journal existed. [RT #2657] 1241. [bug] Drop received UDP messages with a zero source port as these are invariably forged. [RT #2621] 1240. [bug] It was possible to leak zone references by specifying an incorrect zone to rndc. 1239. [bug] Under certain circumstances named could continue to use a name after it had been freed triggering INSIST() failures. [RT #2614] 1238. [bug] It is possible to lockup the server when shutting down if notifies were being processed. [RT #2591] 1237. [bug] nslookup: "set q=type" failed. 1236. [bug] dns_rdata{class,type}_fromtext() didn't handle non NULL terminated text regions. [RT #2588] 1235. [func] Report 'out of memory' errors from openssl. 1234. [bug] contrib/sdb: 'zonetodb' failed to call dns_result_register(). DNS_R_SEENINCLUDE should not be fatal. 1233. [bug] The flags field of a KEY record can be expressed in hex as well as decimal. 1232. [bug] unix/errno2result() didn't handle EADDRNOTAVAIL. 1231. [port] HPUX 11.11 recvmsg() can return spurious EADDRNOTAVAIL. 1230. [bug] isccc_cc_isreply() and isccc_cc_isack() were broken. 1229. [bug] named would crash if it received a TSIG signed query as part of an AXFR response. [RT #2570] 1228. [bug] 'make install' did not depend on 'make all'. [RT #2559] 1227. [bug] dns_lex_getmastertoken() now returns ISC_R_BADNUMBER if a number was expected and some other token was found. [RT#2532] 1226. [func] Use EDNS for zone refresh queries. [RT #2551] 1225. [func] dns_message_setopt() no longer requires that dns_message_renderbegin() to have been called. 1224. [bug] 'rrset-order' and 'sortlist' should be additive not exclusive. 1223. [func] 'rrset-order' partially works 'cyclic' and 'random' are supported. 1222. [bug] Specifying 'port *' did not always result in a system selected (non-reserved) port being used. [RT #2537] 1221. [bug] Zone types 'master', 'slave' and 'stub' were not being compared case insensitively. [RT #2542] 1220. [func] Support for APL rdata type. 1219. [func] Named now reports the TSIG extended error code when signature verification fails. [RT #1651] 1218. [bug] Named incorrectly returned SERVFAIL rather than NOTAUTH when there was a TSIG BADTIME error. [RT #2519] 1217. [func] Report locations of previous key definition when a duplicate is detected. 1216. [bug] Multiple server clauses for the same server were not reported. [RT #2514] 1215. [port] solaris: add support to ifconfig.sh for x86 2.5.1 1214. [bug] Win32: isc_file_renameunique() could leave zero length files behind. 1213. [func] Report view associated with client if it is not a standard view (_default or _bind). 1212. [port] libbind: 64k answer buffers were causing stack space to be exceeded for certain OS. Use heap space instead. 1211. [bug] dns_name_fromtext() incorrectly handled certain valid octal bitlabels. [RT #2483] 1210. [bug] libbind: getnameinfo() failed to lookup IPv4 mapped / compatible addresses. [RT #2461] 1209. [bug] Dig, host, nslookup were not checking the message ids on the responses. [RT #2454] 1208. [bug] dns_master_load*() failed to log a error message if an error was detected when parsing the ownername of a record. [RT #2448] 1207. [bug] libbind: getaddrinfo() could call freeaddrinfo() with an invalid pointer. 1206. [bug] SERVFAIL and NOTIMP responses to an EDNS query should trigger a non-EDNS retry. 1205. [bug] OPT, TSIG and TKEY cannot be used to set the "class" of the message. [RT #2449] 1204. [bug] libbind: res_nupdate() failed to update the name server addresses before sending the update. 1203. [func] Report locations of previous acl and zone definitions when a duplicate is detected. 1202. [func] New functions: cfg_obj_line() and cfg_obj_file(). 1201. [bug] Require that if 'callbacks' is passed to dns_rdata_fromtext(), callbacks->error and callbacks->warn are initialized. 1200. [bug] Log 'errno' that we are unable to convert to isc_result_t. [RT #2404] 1199. [doc] ARM reference to RFC 2157 should have been RFC 1918. [RT #2436] 1198. [bug] OPT printing style was not consistent with the way the header fields are printed. The DO bit was not reported if set. Report if any of the MBZ bits are set. 1197. [bug] Attempts to define the same acl multiple times were not detected. 1196. [contrib] update mdnkit to 2.2.3. 1195. [bug] Attempts to redefine builtin acls should be caught. [RT #2403] 1194. [bug] Not all duplicate zone definitions were being detected at the named.conf checking stage. [RT #2431] 1193. [bug] dig +besteffort parsing didn't handle packet truncation. dns_message_parse() has new flag DNS_MESSAGE_IGNORETRUNCATION. 1192. [bug] The seconds fields in LOC records were restricted to three decimal places. More decimal places should be allowed but warned about. 1191. [bug] A dynamic update removing the last non-apex name in a secure zone would fail. [RT #2399] 1190. [func] Add the "rndc freeze" and "rndc unfreeze" commands. [RT #2394] 1189. [bug] On some systems, malloc(0) returns NULL, which could cause the caller to report an out of memory error. [RT #2398] 1188. [bug] Dynamic updates of a signed zone would fail if some of the zone private keys were unavailable. 1187. [bug] named was incorrectly returning DNSSEC records in negative responses when the DO bit was not set. 1186. [bug] isc_hex_tobuffer(,,length = 0) failed to unget the EOL token when reading to end of line. 1185. [bug] libbind: don't assume statp->_u._ext.ext is valid unless RES_INIT is set when calling res_*init(). 1184. [bug] libbind: call res_ndestroy() if RES_INIT is set when res_*init() is called. 1183. [bug] Handle ENOSR error when writing to the internal control pipe. [RT #2395] 1182. [bug] The server could throw an assertion failure when constructing a negative response packet. 1181. [func] Add the "key-directory" configuration statement, which allows the server to look for online signing keys in alternate directories. 1180. [func] dnssec-keygen should always generate keys with protocol 3 (DNSSEC), since it's less confusing that way. 1179. [func] Add SIG(0) support to nsupdate. 1178. [bug] Follow and cache (if appropriate) A6 and other data chains to completion in the additional section. 1177. [func] Report view when loading zones if it is not a standard view (_default or _bind). [RT #2270] 1176. [doc] Document that allow-v6-synthesis is only performed for clients that are supplied recursive service. [RT #2260] 1175. [bug] named-checkzone and named-checkconf failed to call dns_result_register() at startup which could result in runtime exceptions when printing "out of memory" errors. [RT #2335] 1174. [bug] Win32: add WSAECONNRESET to the expected errors from connect(). [RT #2308] 1173. [bug] Potential memory leaks in isc_log_create() and isc_log_settag(). [RT #2336] 1172. [doc] Add CERT, GPOS, KX, NAPTR, NSAP, PX and TXT to table of RR types in ARM. 1171. [func] Added function isc_region_compare(), updated files in lib/dns to use this function instead of local one. 1170. [bug] Don't attempt to print the token when a I/O error occurs when parsing named.conf. [RT #2275] 1169. [func] Identify recursive queries in the query log. 1168. [bug] Empty also-notify clauses were not handled. [RT #2309] 1167. [contrib] nslint-2.1a3 (from author). 1166. [bug] "Not Implemented" should be reported as NOTIMP, not NOTIMPL. [RT #2281] 1165. [bug] We were rejecting notify-source{-v6} in zone clauses. 1164. [bug] Empty masters clauses in slave / stub zones were not handled gracefully. [RT #2262] 1163. [func] isc_time_formattimestamp() now includes the year. 1162. [bug] The allow-notify option was not accepted in slave zone statements. 1161. [bug] named-checkzone looped on unbalanced brackets. [RT #2248] 1160. [bug] Generating Diffie-Hellman keys longer than 1024 bits could fail. [RT #2241] 1159. [bug] MD and MF are not permitted to be loaded by RFC1123. 1158. [func] Report the client's address when logging notify messages. 1157. [func] match-clients and match-destinations now accept keys. [RT #2045] 1156. [port] The configure test for strsep() incorrectly succeeded on certain patched versions of AIX 4.3.3. [RT #2190] 1155. [func] Recover from master files being removed from under us. 1154. [bug] Don't attempt to obtain the netmask of a interface if there is no address configured. [RT #2176] 1153. [func] 'rndc {stop|halt} -p' now reports the process id of the instance of named being shutdown. 1152. [bug] libbind: read buffer overflows. 1151. [bug] nslookup failed to check that the arguments to the port, timeout, and retry options were valid integers and in range. [RT #2099] 1150. [bug] named incorrectly accepted TTL values containing plus or minus signs, such as 1d+1h-1s. 1149. [func] New function isc_parse_uint32(). 1148. [func] 'rndc-confgen -a' now provides positive feedback. 1147. [func] Set IPV6_V6ONLY on IPv6 sockets if supported by the OS. listen-on-v6 { any; }; should no longer result in IPv4 queries be accepted. Similarly control { inet :: ... }; should no longer result in IPv4 connections being accepted. This can be overridden at compile time by defining ISC_ALLOW_MAPPED=1. 1146. [func] Allow IPV6_IPV6ONLY to be set/cleared on a socket if supported by the OS by a new function isc_socket_ipv6only(). 1145. [func] "host" no longer reports a NOERROR/NODATA response by printing nothing. [RT #2065] 1144. [bug] rndc-confgen would crash if both the -a and -t options were specified. [RT #2159] 1143. [bug] When a trusted-keys statement was present and named was built without crypto support, it would leak memory. 1142. [bug] dnssec-signzone would fail to delete temporary files in some failure cases. [RT #2144] 1141. [bug] When named rejected a control message, it would leak a file descriptor and memory. It would also fail to respond, causing rndc to hang. [RT #2139, #2164] 1140. [bug] rndc-confgen did not accept IPv6 addresses as arguments to the -s option. [RT #2138] 1139. [func] It is now possible to flush a given name from the cache(s) via 'rndc flushname name [view]'. [RT #2051] 1138. [func] It is now possible to flush a given name from the cache by calling the new function dns_cache_flushname(). 1137. [func] It is now possible to flush a given name from the ADB by calling the new function dns_adb_flushname(). 1136. [bug] CNAME records synthesized from DNAMEs did not have a TTL of zero as required by RFC2672. [RT #2129] 1135. [func] You can now override the default syslog() facility for named/lwresd at compile time. [RT #1982] 1134. [bug] Multi-threaded servers could deadlock in ferror() when reloading zone files. [RT #1951, #1998] 1133. [bug] IN6_IS_ADDR_LOOPBACK was not portably defined on platforms without IN6_IS_ADDR_LOOPBACK. [RT #2106] 1132. [func] Improve UPDATE prerequisite failure diagnostic messages. 1131. [bug] The match-destinations view option did not work with IPv6 destinations. [RT #2073, #2074] 1130. [bug] Log messages reporting an out-of-range serial number did not include the out-of-range number but the following token. [RT #2076] 1129. [bug] Multi-threaded servers could crash under heavy resolution load due to a race condition. [RT #2018] 1128. [func] sdb drivers can now provide RR data in either text or wire format, the latter using the new functions dns_sdb_putrdata() and dns_sdb_putnamedrdata(). 1127. [func] rndc: If the server to contact has multiple addresses, try all of them. 1126. [bug] The server could access a freed event if shut down while a client start event was pending delivery. [RT #2061] 1125. [bug] rndc: -k option was missing from usage message. [RT #2057] 1124. [doc] dig: +[no]dnssec, +[no]besteffort and +[no]fail are now documented. [RT #2052] 1123. [bug] dig +[no]fail did not match description. [RT #2052] 1122. [tuning] Resolution timeout reduced from 90 to 30 seconds. [RT #2046] 1121. [bug] The server could attempt to access a NULL zone table if shut down while resolving. [RT #1587, #2054] 1120. [bug] Errors in options were not fatal. [RT #2002] 1119. [func] Added support in Win32 for NTFS file/directory ACL's for access control. 1118. [bug] On multi-threaded servers, a race condition could cause an assertion failure in resolver.c during resolver shutdown. [RT #2029] 1117. [port] The configure check for in6addr_loopback incorrectly succeeded on AIX 4.3 when compiling with -O2 because the test code was optimized away. [RT #2016] 1116. [bug] Setting transfers in a server clause, transfers-in, or transfers-per-ns to a value greater than 2147483647 disabled transfers. [RT #2002] 1115. [func] Set maximum values for cleaning-interval, heartbeat-interval, interface-interval, max-transfer-idle-in, max-transfer-idle-out, max-transfer-time-in, max-transfer-time-out, statistics-interval of 28 days and sig-validity-interval of 3660 days. [RT #2002] 1114. [port] Ignore more accept() errors. [RT #2021] 1113. [bug] The allow-update-forwarding option was ignored when specified in a view. [RT #2014] 1112. [placeholder] 1111. [bug] Multi-threaded servers could deadlock processing recursive queries due to a locking hierarchy violation in adb.c. [RT #2017] 1110. [bug] dig should only accept valid abbreviations of +options. [RT #2003] 1109. [bug] nsupdate accepted illegal ttl values. 1108. [bug] On Win32, rndc was hanging when named was not running due to failure to select for exceptional conditions in select(). [RT #1870] 1107. [bug] nsupdate could catch an assertion failure if an invalid domain name was given as the argument to the "zone" command. 1106. [bug] After seeing an out of range TTL, nsupdate would treat all TTLs as out of range. [RT #2001] 1105. [port] OpenUNIX 8 enable threads by default. [RT #1970] 1104. [bug] Invalid arguments to the transfer-format option could cause an assertion failure. [RT #1995] 1103. [port] OpenUNIX 8 support (ifconfig.sh). [RT #1970] 1102. [doc] Note that query logging is enabled by directing the queries category to a channel. 1101. [bug] Array bounds read error in lwres_gai_strerror. 1100. [bug] libbind: DNSSEC key ids were computed incorrectly. 1099. [cleanup] libbind: defining REPORT_ERRORS in lib/bind/dst caused compile time errors. 1098. [bug] libbind: HMAC-MD5 key files are now mode 0600. 1097. [func] libbind: RES_PRF_TRUNC for dig. 1096. [func] libbind: "DNSSEC OK" (DO) support. 1095. [func] libbind: resolver option: no-tld-query. disables trying unqualified as a tld. no_tld_query is also supported for FreeBSD compatibility. 1094. [func] libbind: add support gcc's format string checking. 1093. [doc] libbind: miscellaneous nroff fixes. 1092. [bug] libbind: get*by*() failed to check if res_init() had been called. 1091. [bug] libbind: misplaced va_end(). 1090. [bug] libbind: dns_ho.c:add_hostent() was not returning the amount of memory consumed resulting in garbage address being returned. Alignment calculations were wasting space. We weren't suppressing duplicate addresses. 1089. [func] libbind: inet_{cidr,net}_{pton,ntop}() now have IPv6 support. 1088. [port] libbind: MPE/iX C.70 (incomplete) 1087. [bug] libbind: struct __res_state too large on 64 bit arch. 1086. [port] libbind: sunos: old sprintf. 1085. [port] libbind: solaris: sys_nerr and sys_errlist do not exist when compiling in 64 bit mode. 1084. [cleanup] libbind: gai_strerror() rewritten. 1083. [bug] The default control channel listened on the wildcard address, not the loopback as documented. [RT #1975] 1082. [bug] The -g option to named incorrectly caused logging to be sent to syslog in addition to stderr. [RT #1974] 1081. [bug] Multicast queries were incorrectly identified based on the source address, not the destination address. 1080. [bug] BIND 8 compatibility: accept bare IP prefixes as the second element of a two-element top level sort list statement. [RT #1964] 1079. [bug] BIND 8 compatibility: accept bare elements at top level of sort list treating them as if they were a single element list. [RT #1963] 1078. [bug] We failed to correct bad tv_usec values in one case. [RT #1966] 1077. [func] Do not accept further recursive clients when the total number of recursive lookups being processed exceeds max-recursive-clients, even if some of the lookups are internally generated. [RT #1915, #1938] 1076. [bug] A badly defined global key could trigger an assertion on load/reload if views were used. [RT #1947] 1075. [bug] Out-of-range network prefix lengths were not reported. [RT #1954] 1074. [bug] Running out of memory in dump_rdataset() could cause an assertion failure. [RT #1946] 1073. [bug] The ADB cache cleaning should also be space driven. [RT #1915, #1938] 1072. [bug] The TCP client quota could be exceeded when recursion occurred. [RT #1937] 1071. [bug] Sockets listening for TCP DNS connections specified an excessive listen backlog. [RT #1937] 1070. [bug] Copy DNSSEC OK (DO) to response as specified by draft-ietf-dnsext-dnssec-okbit-03.txt. 1069. [placeholder] 1068. [bug] errno could be overwritten by catgets(). [RT #1921] 1067. [func] Allow quotas to be soft, isc_quota_soft(). 1066. [bug] Provide a thread safe wrapper for strerror(). [RT #1689] 1065. [func] Runtime support to select new / old style interface scanning using ioctls. 1064. [bug] Do not shut down active network interfaces if we are unable to scan the interface list. [RT #1921] 1063. [bug] libbind: "make install" was failing on IRIX. [RT #1919] 1062. [bug] If the control channel listener socket was shut down before server exit, the listener object could be freed twice. [RT #1916] 1061. [bug] If periodic cache cleaning happened to start while cleaning due to reaching the configured maximum cache size was in progress, the server could catch an assertion failure. [RT #1912] 1060. [func] Move refresh, stub and notify UDP retry processing into dns_request. 1059. [func] dns_request now support will now retry UDP queries, dns_request_createvia2() and dns_request_createraw2(). 1058. [func] Limited lifetime ticker timers are now available, isc_timertype_limited. 1057. [bug] Reloading the server after adding a "file" clause to a zone statement could cause the server to crash due to a typo in change 1016. 1056. [bug] Rndc could catch an assertion failure on SIGINT due to an uninitialized variable. [RT #1908] 1055. [func] Version and hostname queries can now be disabled using "version none;" and "hostname none;", respectively. 1054. [bug] On Win32, cfg_categories and cfg_modules need to be exported from the libisccfg DLL. 1053. [bug] Dig did not increase its timeout when receiving AXFRs unless the +time option was used. [RT #1904] 1052. [bug] Journals were not being created in binary mode resulting in "journal format not recognized" error under Win32. [RT #1889] 1051. [bug] Do not ignore a network interface completely just because it has a noncontiguous netmask. Instead, omit it from the localnets ACL and issue a warning. [RT #1891] 1050. [bug] Log messages reporting malformed IP addresses in address lists such as that of the forwarders option failed to include the correct error code, file name, and line number. [RT #1890] 1049. [func] "pid-file none;" will disable writing a pid file. [RT #1848] 1048. [bug] Servers built with -DISC_MEM_USE_INTERNAL_MALLOC=1 didn't work. 1047. [bug] named was incorrectly refusing all requests signed with a TSIG key derived from an unsigned TKEY negotiation with a NOERROR response. [RT #1886] 1046. [bug] The help message for the --with-openssl configure option was inaccurate. [RT #1880] 1045. [bug] It was possible to skip saving glue for a nameserver for a stub zone. 1044. [bug] Specifying allow-transfer, notify-source, or notify-source-v6 in a stub zone was not treated as an error. 1043. [bug] Specifying a transfer-source or transfer-source-v6 option in the zone statement for a master zone was not treated as an error. [RT #1876] 1042. [bug] The "config" logging category did not work properly. [RT #1873] 1041. [bug] Dig/host/nslookup could catch an assertion failure on SIGINT due to an uninitialized variable. [RT #1867] 1040. [bug] Multiple listen-on-v6 options with different ports were not accepted. [RT #1875] 1039. [bug] Negative responses with CNAMEs in the answer section were cached incorrectly. [RT #1862] 1038. [bug] In servers configured with a tkey-domain option, TKEY queries with an owner name other than the root could cause an assertion failure. [RT #1866, #1869] 1037. [bug] Negative responses whose authority section contain SOA or NS records whose owner names are not equal equal to or parents of the query name should be rejected. [RT #1862] 1036. [func] Silently drop requests received via multicast as long as there is no final multicast DNS standard. 1035. [bug] If we respond to multicast queries (which we currently do not), respond from a unicast address as specified in RFC 1123. [RT #137] 1034. [bug] Ignore the RD bit on multicast queries as specified in RFC 1123. [RT #137] 1033. [bug] Always respond to requests with an unsupported opcode with NOTIMP, even if we don't have a matching view or cannot determine the class. 1032. [func] hostname.bind/txt/chaos now returns the name of the machine hosting the nameserver. This is useful in diagnosing problems with anycast servers. 1031. [bug] libbind.a: isc__gettimeofday() infinite recursion. [RT #1858] 1030. [bug] On systems with no resolv.conf file, nsupdate exited with an error rather than defaulting to using the loopback address. [RT #1836] 1029. [bug] Some named.conf errors did not cause the loading of the configuration file to return a failure status even though they were logged. [RT #1847] 1028. [bug] On Win32, dig/host/nslookup looked for resolv.conf in the wrong directory. [RT #1833] 1027. [bug] RRs having the reserved type 0 should be rejected. [RT #1471] 1026. [placeholder] 1025. [bug] Don't use multicast addresses to resolve iterative queries. [RT #101] 1024. [port] Compilation failed on HP-UX 11.11 due to incompatible use of the SIOCGLIFCONF macro name. [RT #1831] 1023. [func] Accept hints without TTLs. 1022. [bug] Don't report empty root hints as "extra data". [RT #1802] 1021. [bug] On Win32, log message timestamps were one month later than they should have been, and the server would exhibit unspecified behavior in December. 1020. [bug] IXFR log messages did not distinguish between true IXFRs, AXFR-style IXFRs, and mere version polls. [RT #1811] 1019. [bug] The value of the lame-ttl option was limited to 18000 seconds, not 1800 seconds as documented. [RT #1803] 1018. [bug] The default log channel was not always initialized correctly. [RT #1813] 1017. [bug] When specifying TSIG keys to dig and nsupdate using the -k option, they must be HMAC-MD5 keys. [RT #1810] 1016. [bug] Slave zones with no backup file were re-transferred on every server reload. 1015. [bug] Log channels that had a "versions" option but no "size" option failed to create numbered log files. [RT #1783] 1014. [bug] Some queries would cause statistics counters to increment more than once or not at all. [RT #1321] 1013. [bug] It was possible to cancel a query twice when marking a server as bogus or by having a blackhole acl. [RT #1776] 1012. [bug] The -p option to named did not behave as documented. 1011. [cleanup] Removed isc_dir_current(). 1010. [bug] The server could attempt to execute a command channel command after initiating server shutdown, causing an assertion failure. [RT #1766] 1009. [port] OpenUNIX 8 support. [RT #1728] 1008. [port] libtool.m4, ltmain.sh from libtool-1.4.2. 1007. [port] config.guess, config.sub from autoconf-2.52. 1006. [bug] If a KEY RR was found missing during DNSSEC validation, an assertion failure could subsequently be triggered in the resolver. [RT #1763] 1005. [bug] Don't copy nonzero RCODEs from request to response. [RT #1765] 1004. [port] Deal with recvfrom() returning EHOSTDOWN. [RT #1770] 1003. [func] Add the +retry option to dig. 1002. [bug] When reporting an unknown class name in named.conf, including the file name and line number. [RT #1759] 1001. [bug] win32 socket code doio_recv was not catching a WSACONNRESET error when a client was timing out the request and closing its socket. [RT #1745] 1000. [bug] BIND 8 compatibility: accept "HESIOD" as an alias for class "HS". [RT #1759] 999. [func] "rndc retransfer zone [class [view]]" added. [RT #1752] 998. [func] named-checkzone now has arguments to specify the chroot directory (-t) and working directory (-w). [RT #1755] 997. [func] Add support for RSA-SHA1 keys (RFC3110). 996. [func] Issue warning if the configuration filename contains the chroot path. 995. [bug] dig, host, nslookup: using a raw IPv6 address as a target address should be fatal on a IPv4 only system. 994. [func] Treat non-authoritative responses to queries for type NS as referrals even if the NS records are in the answer section, because BIND 8 servers incorrectly send them that way. This is necessary for DNSSEC validation of the NS records of a secure zone to succeed when the parent is a BIND 8 server. [RT #1706] 993. [func] dig: -v now reports the version. 992. [doc] dig: ~/.digrc is now documented. 991. [func] Lower UDP refresh timeout messages to level debug 1. 990. [bug] The rndc-confgen man page was not installed. 989. [bug] Report filename if $INCLUDE fails for file related errors. [RT #1736] 988. [bug] 'additional-from-auth no;' did not work reliably in the case of queries answered from the cache. [RT #1436] 987. [bug] "dig -help" didn't show "+[no]stats". 986. [bug] "dig +noall" failed to clear stats and command printing. 985. [func] Consider network interfaces to be up iff they have a nonzero IP address rather than based on the IFF_UP flag. [RT #1160] 984. [bug] Multi-threading should be enabled by default on Solaris 2.7 and newer, but it wasn't. 983. [func] The server now supports generating IXFR difference sequences for non-dynamic zones by comparing zone versions, when enabled using the new config option "ixfr-from-differences". [RT #1727] 982. [func] If "memstatistics-file" is set in options the memory statistics will be written to it. 981. [func] The dnssec tools can now take multiple '-r randomfile' arguments. 980. [bug] Incoming zone transfers restarting after an error could trigger an assertion failure. [RT #1692] 979. [func] Incremental master file dumping. dns_master_dumpinc(), dns_master_dumptostreaminc(), dns_dumpctx_attach(), dns_dumpctx_detach(), dns_dumpctx_cancel(), dns_dumpctx_db() and dns_dumpctx_version(). 978. [bug] dns_db_attachversion() had an invalid REQUIRE() condition. 977. [bug] Improve "not at top of zone" error message. 976. [func] named-checkconf can now test load master zones (named-checkconf -z). [RT #1468] 975. [bug] "max-cache-size default;" as a view option caused an assertion failure. 974. [bug] "max-cache-size unlimited;" as a global option was not accepted. 973. [bug] Failed to log the question name when logging: "bad zone transfer request: non-authoritative zone (NOTAUTH)". 972. [bug] The file modification time code in zone.c was using the wrong epoch. [RT #1667] 971. [placeholder] 970. [func] 'max-journal-size' can now be used to set a target size for a journal. 969. [func] dig now supports the undocumented dig 8 feature of allowing arbitrary labels, not just dotted decimal quads, with the -x option. This can be used to conveniently look up RFC2317 names as in "dig -x 10.0.0.0-127". [RT #827, #1576, #1598] 968. [bug] On win32, the isc_time_now() function was unnecessarily calling strtime(). [RT #1671] 967. [bug] On win32, the link for bindevt was not including the required resource file to enable the event viewer to interpret the error messages in the event log, [RT #1668] 966. [placeholder] 965. [bug] Including data other than root server NS and A records in the root hint file could cause a rbtdb node reference leak. [RT #1581, #1618] 964. [func] Warn if data other than root server NS and A records are found in the root hint file. [RT #1581, #1618] 963. [bug] Bad ISC_LANG_ENDDECLS. [RT #1645] 962. [bug] libbind: bad "#undef", don't attempt to install non-existent nlist.h. [RT #1640] 961. [bug] Tried to use a IPV6 feature when ISC_PLATFORM_HAVEIPV6 was not defined. [RT #1482] 960. [port] liblwres failed to build on systems with support for getrrsetbyname() in the OS. [RT #1592] 959. [port] On FreeBSD, determine the number of CPUs by calling sysctlbyname(). [RT #1584] 958. [port] ssize_t is not available on all platforms. [RT #1607] 957. [bug] sys/select.h inclusion was broken on older platforms. [RT #1607] 956. [bug] ns_g_autorndcfile changed to ns_g_keyfile in named/win32/os.c due to code changes in change #953. win32 .make file for rndc-confgen updated to add include path for os.h header. --- 9.2.0rc1 released --- 955. [bug] When using views, the zone's class was not being inherited from the view's class. [RT #1583] 954. [bug] When requesting AXFRs or IXFRs using dig, host, or nslookup, the RD bit should not be set as zone transfers are inherently non-recursive. [RT #1575] 953. [func] The /var/run/named.key file from change #843 has been replaced by /etc/rndc.key. Both named and rndc will look for this file and use it to configure a default control channel key if not already configured using a different method (rndc.conf / controls). Unlike named.key, rndc.key is not created automatically; it must be created by manually running "rndc-confgen -a". 952. [bug] The server required manual intervention to serve the affected zones if it died between creating a journal and committing the first change to it. 951. [bug] CFLAGS was not passed to the linker when linking some of the test programs under bin/tests. [RT #1555]. 950. [bug] Explicit TTLs did not properly override $TTL due to a bug in change 834. [RT #1558] 949. [bug] host was unable to print records larger than 512 bytes. [RT #1557] --- 9.2.0b2 released --- 948. [port] Integrated support for building on Windows NT / Windows 2000. 947. [bug] dns_rdata_soa_t had a badly named element "mname" which was really the RNAME field from RFC1035. To avoid confusion and silent errors that would occur it the "origin" and "mname" elements were given their correct names "mname" and "rname" respectively, the "mname" element is renamed to "contact". 946. [cleanup] doc/misc/options is now machine-generated from the configuration parser syntax tables, and therefore more likely to be correct. 945. [func] Add the new view-specific options "match-destinations" and "match-recursive-only". 944. [func] Check for expired signatures on load. 943. [bug] The server could crash when receiving a command via rndc if the configuration file listed only nonexistent keys in the controls statement. [RT #1530] 942. [port] libbind: GETNETBYADDR_ADDR_T was not correctly defined on some platforms. 941. [bug] The configuration checker crashed if a slave zone didn't contain a masters statement. [RT #1514] 940. [bug] Double zone locking failure on error path. [RT #1510] --- 9.2.0b1 released --- 939. [port] Add the --disable-linux-caps option to configure for systems that manage capabilities outside of named. [RT #1503] 938. [placeholder] 937. [bug] A race when shutting down a zone could trigger a INSIST() failure. [RT #1034] 936. [func] Warn about IPv4 addresses that are not complete dotted quads. [RT #1084] 935. [bug] inet_pton failed to reject leading zeros. 934. [port] Deal with systems where accept() spuriously returns ECONNRESET. 933. [bug] configure failed doing libbind on platforms not supported by BIND 8. [RT #1496] --- 9.2.0a3 released --- 932. [bug] Use INSTALL_SCRIPT, not INSTALL_PROGRAM, when installing isc-config.sh. [RT #198, #1466] 931. [bug] The controls statement only attempted to verify messages using the first key in the key list. (9.2.0a1/a2 only). 930. [func] Query performance testing tool added as contrib/queryperf. 929. [placeholder] 928. [bug] nsupdate would send empty update packets if the send (or empty line) command was run after another send but before any new updates or prerequisites were specified. It should simply ignore this command. 927. [bug] Don't hold the zone lock for the entire dump to disk. [RT #1423] 926. [bug] The resolver could deadlock with the ADB when shutting down (multi-threaded builds only). [RT #1324] 925. [cleanup] Remove openssl from the distribution; require that --with-openssl be specified if DNSSEC is needed. 924. [port] Extend support for pre-RFC2133 IPv6 implementation. [RT #987] 923. [bug] Multiline TSIG secrets (and other multiline strings) were not accepted in named.conf. [RT #1469] 922. [func] Added two new lwres_getrrsetbyname() result codes, ERR_NONAME and ERR_NODATA. 921. [bug] lwres returned an incorrect error code if it received a truncated message. 920. [func] Increase the lwres receive buffer size to 16K. [RT #1451] 919. [placeholder] 918. [func] In nsupdate, TSIG errors are no longer treated as fatal errors. 917. [func] New nsupdate command 'key', allowing TSIG keys to be specified in the nsupdate command stream rather than the command line. 916. [bug] Specifying type ixfr to dig without specifying a serial number failed in unexpected ways. 915. [func] The named-checkconf and named-checkzone programs now have a '-v' option for printing their version. [RT #1151] 914. [bug] Global 'server' statements were rejected when using views, even though they were accepted in 9.1. [RT #1368] 913. [bug] Cache cleaning was not sufficiently aggressive. [RT #1441, #1444] 912. [bug] Attempts to set the 'additional-from-cache' or 'additional-from-auth' option to 'no' in a server with recursion enabled will now be ignored and cause a warning message. [RT #1145] 911. [placeholder] 910. [port] Some pre-RFC2133 IPv6 implementations do not define IN6ADDR_ANY_INIT. [RT #1416] 909. [placeholder] 908. [func] New program, rndc-confgen, to simplify setting up rndc. 907. [func] The ability to get entropy from either the random device, a user-provided file or from the keyboard was migrated from the DNSSEC tools to libisc as isc_entropy_usebestsource(). 906. [port] Separated the system independent portion of lib/isc/unix/entropy.c into lib/isc/entropy.c and added lib/isc/win32/entropy.c. 905. [bug] Configuring a forward "zone" for the root domain did not work. [RT #1418] 904. [bug] The server would leak memory if attempting to use an expired TSIG key. [RT #1406] 903. [bug] dig should not crash when receiving a TCP packet of length 0. 902. [bug] The -d option was ignored if both -t and -g were also specified. 901. [placeholder] 900. [bug] A config.guess update changed the system identification string of FreeBSD systems; configure and bin/tests/system/ifconfig.sh now recognize the new string. --- 9.2.0a2 released --- 899. [bug] lib/dns/soa.c failed to compile on many platforms due to inappropriate use of a void value. [RT #1372, #1373, #1386, #1387, #1395] 898. [bug] "dig" failed to set a nonzero exit status on UDP query timeout. [RT #1323] 897. [bug] A config.guess update changed the system identification string of UnixWare systems; configure now recognizes the new string. 896. [bug] If a configuration file is set on named's command line and it has a relative pathname, the current directory (after any possible jailing resulting from named -t) will be prepended to it so that reloading works properly even when a directory option is present. 895. [func] New function, isc_dir_current(), akin to POSIX's getcwd(). 894. [bug] When using the DNSSEC tools, a message intended to warn when the keyboard was being used because of the lack of a suitable random device was not being printed. 893. [func] Removed isc_file_test() and added isc_file_exists() for the basic functionality that was being added with isc_file_test(). 892. [placeholder] 891. [bug] Return an error when a SIG(0) signed response to an unsigned query is seen. This should actually do the verification, but it's not currently possible. [RT #1391] 890. [cleanup] The man pages no longer require the mandoc macros and should now format cleanly using most versions of nroff, and HTML versions of the man pages have been added. Both are generated from DocBook source. 889. [port] Eliminated blank lines before .TH in nroff man pages since they cause problems with some versions of nroff. [RT #1390] 888. [bug] Don't die when using TKEY to delete a nonexistent TSIG key. [RT #1392] 887. [port] Detect broken compilers that can't call static functions from inline functions. [RT #1212] 886. [placeholder] 885. [placeholder] 884. [placeholder] 883. [placeholder] 882. [placeholder] 881. [placeholder] 880. [placeholder] 879. [placeholder] 878. [placeholder] 877. [placeholder] 876. [placeholder] 875. [placeholder] 874. [placeholder] 873. [placeholder] 872. [placeholder] 871. [placeholder] 870. [placeholder] 869. [placeholder] 868. [placeholder] 867. [placeholder] 866. [func] Close debug only file channels when debug is set to zero. [RT #1246] 865. [bug] The new configuration parser did not allow the optional debug level in a "severity debug" clause of a logging channel to be omitted. This is now allowed and treated as "severity debug 1;" like it does in BIND 8.2.4, not as "severity debug 0;" like it did in BIND 9.1. [RT #1367] 864. [cleanup] Multi-threading is now enabled by default on OSF1, Solaris 2.7 and newer, AIX, IRIX, and HP-UX. 863. [bug] If an error occurred while an outgoing zone transfer was starting up, the server could access a domain name that had already been freed when logging a message saying that the transfer was starting. [RT #1383] 862. [bug] Use after realloc(), non portable pointer arithmetic in grmerge(). 861. [port] Add support for Mac OS X, by making it equivalent to Darwin. This was derived from the config.guess file shipped with Mac OS X. [RT #1355] 860. [func] Drop cross class glue in zone transfers. 859. [bug] Cache cleaning now won't swamp the CPU if there is a persistent over limit condition. 858. [func] isc_mem_setwater() no longer requires that when the callback function is non-NULL then its hi_water argument must be greater than its lo_water argument (they can now be equal) or that they be non-zero. 857. [cleanup] Use ISC_MAGIC() to define all magic numbers for structs, for our friends in EBCDIC-land. 856. [func] Allow partial rdatasets to be returned in answer and authority sections to help non-TCP capable clients recover from truncation. [RT #1301] 855. [bug] Stop spurious "using RFC 1035 TTL semantics" warnings. 854. [bug] The config parser didn't properly handle config options that were specified in units of time other than seconds. [RT #1372] 853. [bug] configure_view_acl() failed to detach existing acls. [RT #1374] 852. [bug] Handle responses from servers which do not know about IXFR. 851. [cleanup] The obsolete support-ixfr option was not properly ignored. --- 9.2.0a1 released --- 850. [bug] dns_rbt_findnode() would not find nodes that were split on a bitstring label somewhere other than in the last label of the node. [RT #1351] 849. [func] will ensure INADDR_LOOPBACK is defined. 848. [func] A minimum max-cache-size of two megabytes is enforced by the cache cleaner. 847. [func] Added isc_file_test(), which currently only has some very basic functionality to test for the existence of a file, whether a pathname is absolute, or whether a pathname is the fundamental representation of the current directory. It is intended that this function can be expanded to test other things a programmer might want to know about a file. 846. [func] A non-zero 'param' to dst_key_generate() when making an hmac-md5 key means that good entropy is not required. 845. [bug] The access rights on the public file of a symmetric key are now restricted as soon as the file is opened, rather than after it has been written and closed. 844. [func] will ensure INADDR_LOOPBACK is defined, just as does. 843. [func] If no controls statement is present in named.conf, or if any inet phrase of a controls statement is lacking a keys clause, then a key will be automatically generated by named and an rndc.conf-style file named named.key will be written that uses it. rndc will use this file only if its normal configuration file, or one provided on the command line, does not exist. 842. [func] 'rndc flush' now takes an optional view. 841. [bug] When sdb modules were not declared threadsafe, their create and destroy functions were not serialized. 840. [bug] The config file parser could print the wrong file name if an error was detected after an included file was parsed. [RT #1353] 839. [func] Dump packets for which there was no view or that the class could not be determined to category "unmatched". 838. [port] UnixWare 7.x.x is now suported by bin/tests/system/ifconfig.sh. 837. [cleanup] Multi-threading is now enabled by default only on OSF1, Solaris 2.7 and newer, and AIX. 836. [func] Upgraded libtool to 1.4. 835. [bug] The dispatcher could enter a busy loop if it got an I/O error receiving on a UDP socket. [RT #1293] 834. [func] Accept (but warn about) master files beginning with an SOA record without an explicit TTL field and lacking a $TTL directive, by using the SOA MINTTL as a default TTL. This is for backwards compatibility with old versions of BIND 8, which accepted such files without warning although they are illegal according to RFC1035. 833. [cleanup] Moved dns_soa_*() from to , and extended them to support all the integer-valued fields of the SOA RR. 832. [bug] The default location for named.conf in named-checkconf should depend on --sysconfdir like it does in named. [RT #1258] 831. [placeholder] 830. [func] Implement 'rndc status'. 829. [bug] The DNS_R_ZONECUT result code should only be returned when an ANY query is made with DNS_DBFIND_GLUEOK set. In all other ANY query cases, returning the delegation is better. 828. [bug] The errno value from recvfrom() could be overwritten by logging code. [RT #1293] 827. [bug] When an IXFR protocol error occurs, the slave should retry with AXFR. 826. [bug] Some IXFR protocol errors were not detected. 825. [bug] zone.c:ns_query() detached from the wrong zone reference. [RT #1264] 824. [bug] Correct line numbers reported by dns_master_load(). [RT #1263] 823. [func] The output of "dig -h" now goes to stdout so that it can easily be piped through "more". [RT #1254] 822. [bug] Sending nxrrset prerequisites would crash nsupdate. [RT #1248] 821. [bug] The program name used when logging to syslog should be stripped of leading path components. [RT #1178, #1232] 820. [bug] Name server address lookups failed to follow A6 chains into the glue of local authoritative zones. 819. [bug] In certain cases, the resolver's attempts to restart an address lookup at the root could cause the fetch to deadlock (with itself) instead of restarting. [RT #1225] 818. [bug] Certain pathological responses to ANY queries could cause an assertion failure. [RT #1218] 817. [func] Adjust timeouts for dialup zone queries. 816. [bug] Report potential problems with log file accessibility at configuration time, since such problems can't reliably be reported at the time they actually occur. 815. [bug] If a log file was specified with a path separator character (i.e. "/") in its name and the directory did not exist, the log file's name was treated as though it were the directory name. [RT #1189] 814. [bug] Socket objects left over from accept() failures were incorrectly destroyed, causing corruption of socket manager data structures. 813. [bug] File descriptors exceeding FD_SETSIZE were handled badly. [RT #1192] 812. [bug] dig sometimes printed incomplete IXFR responses due to an uninitialized variable. [RT #1188] 811. [bug] Parentheses were not quoted in zone dumps. [RT #1194] 810. [bug] The signer name in SIG records was not properly down-cased when signing/verifying records. [RT #1186] 809. [bug] Configuring a non-local address as a transfer-source could cause an assertion failure during load. 808. [func] Add 'rndc flush' to flush the server's cache. 807. [bug] When setting up TCP connections for incoming zone transfers, the transfer-source port was not ignored like it should be. 806. [bug] DNS_R_SEENINCLUDE was failing to propagate back up the calling stack to the zone maintenance level, causing zones to not reload when an included file was touched but the top-level zone file was not. 805. [bug] When using "forward only", missing root hints should not cause queries to fail. [RT #1143] 804. [bug] Attempting to obtain entropy could fail in some situations. This would be most common on systems with user-space threads. [RT #1131] 803. [bug] Treat all SIG queries as if they have the CD bit set, otherwise no data will be returned [RT #749] 802. [bug] DNSSEC key tags were computed incorrectly in almost all cases. [RT #1146] 801. [bug] nsupdate should treat lines beginning with ';' as comments. [RT #1139] 800. [bug] dnssec-signzone produced incorrect statistics for large zones. [RT #1133] 799. [bug] The ADB didn't find AAAA glue in a zone unless A6 glue was also present. 798. [bug] nsupdate should be able to reject bad input lines and continue. [RT #1130] 797. [func] Issue a warning if the 'directory' option contains a relative path. [RT #269] 796. [func] When a size limit is associated with a log file, only roll it when the size is reached, not every time the log file is opened. [RT #1096] 795. [func] Add the +multiline option to dig. [RT #1095] 794. [func] Implement the "port" and "default-port" statements in rndc.conf. 793. [cleanup] The DNSSEC tools could create filenames that were illegal or contained shell meta-characters. They now use a different text encoding of names that doesn't have these problems. [RT #1101] 792. [cleanup] Replace the OMAPI command channel protocol with a simpler one. 791. [bug] The command channel now works over IPv6. 790. [bug] Wildcards created using dynamic update or IXFR could fail to match. [RT #1111] 789. [bug] The "localhost" and "localnets" ACLs did not match when used as the second element of a two-element sortlist item. 788. [func] Add the "match-mapped-addresses" option, which causes IPv6 v4mapped addresses to be treated as IPv4 addresses for the purpose of acl matching. 787. [bug] The DNSSEC tools failed to downcase domain names when mapping them into file names. 786. [bug] When DNSSEC signing/verifying data, owner names were not properly down-cased. 785. [bug] A race condition in the resolver could cause an assertion failure. [RT #673, #872, #1048] 784. [bug] nsupdate and other programs would not quit properly if some signals were blocked by the caller. [RT #1081] 783. [bug] Following CNAMEs could cause an assertion failure when either using an sdb database or under very rare conditions. 782. [func] Implement the "serial-query-rate" option. 781. [func] Avoid error packet loops by dropping duplicate FORMERR responses. [RT #1006] 780. [bug] Error handling code dealing with out of memory or other rare errors could lead to assertion failures by calling functions on uninitialized names. [RT #1065] 779. [func] Added the "minimal-responses" option. 778. [bug] When starting cache cleaning, cleaning_timer_action() returned without first pausing the iterator, which could cause deadlock. [RT #998] 777. [bug] An empty forwarders list in a zone failed to override global forwarders. [RT #995] 776. [func] Improved error reporting in denied messages. [RT #252] 775. [placeholder] 774. [func] max-cache-size is implemented. 773. [func] Added isc_rwlock_trylock() to attempt to lock without blocking. 772. [bug] Owner names could be incorrectly omitted from cache dumps in the presence of negative caching entries. [RT #991] 771. [cleanup] TSIG errors related to unsynchronized clocks are logged better. [RT #919] 770. [func] Add the "edns yes_or_no" statement to the server clause. [RT #524] 769. [func] Improved error reporting when parsing rdata. [RT #740] 768. [bug] The server did not emit an SOA when a CNAME or DNAME chain ended in NXDOMAIN in an authoritative zone. 767. [placeholder] 766. [bug] A few cases in query_find() could leak fname. This would trigger the mpctx->allocated == 0 assertion when the server exited. [RT #739, #776, #798, #812, #818, #821, #845, #892, #935, #966] 765. [func] ACL names are once again case insensitive, like in BIND 8. [RT #252] 764. [func] Configuration files now allow "include" directives in more places, such as inside the "view" statement. [RT #377, #728, #860] 763. [func] Configuration files no longer have reserved words. [RT #731, #753] 762. [cleanup] The named.conf and rndc.conf file parsers have been completely rewritten. 761. [bug] _REENTRANT was still defined when building with --disable-threads. 760. [contrib] Significant enhancements to the pgsql sdb driver. 759. [bug] The resolver didn't turn off "avoid fetches" mode when restarting, possibly causing resolution to fail when it should not. This bug only affected platforms which support both IPv4 and IPv6. [RT #927] 758. [bug] The "avoid fetches" code did not treat negative cache entries correctly, causing fetches that would be useful to be avoided. This bug only affected platforms which support both IPv4 and IPv6. [RT #927] 757. [func] Log zone transfers. 756. [bug] dns_zone_load() could "return" success when no master file was configured. 755. [bug] Fix incorrectly formatted log messages in zone.c. 754. [bug] Certain failure conditions sending UDP packets could cause the server to retry the transmission indefinitely. [RT #902] 753. [bug] dig, host, and nslookup would fail to contact a remote server if getaddrinfo() returned an IPv6 address on a system that doesn't support IPv6. [RT #917] 752. [func] Correct bad tv_usec elements returned by gettimeofday(). 751. [func] Log successful zone loads / transfers. [RT #898] 750. [bug] A query should not match a DNAME whose trust level is pending. [RT #916] 749. [bug] When a query matched a DNAME in a secure zone, the server did not return the signature of the DNAME. [RT #915] 748. [doc] List supported RFCs in doc/misc/rfc-compliance. [RT #781] 747. [bug] The code to determine whether an IXFR was possible did not properly check for a database that could not have a journal. [RT #865, #908] 746. [bug] The sdb didn't clone rdatasets properly, causing a crash when the server followed delegations. [RT #905] 745. [func] Report the owner name of records that fail semantic checks while loading. 744. [bug] When returning DNS_R_CNAME or DNS_R_DNAME as the result of an ANY or SIG query, the resolver failed to setup the return event's rdatasets, causing an assertion failure in the query code. [RT #881] 743. [bug] Receiving a large number of certain malformed answers could cause named to stop responding. [RT #861] 742. [placeholder] 741. [port] Support openssl-engine. [RT #709] 740. [port] Handle openssl library mismatches slightly better. 739. [port] Look for /dev/random in configure, rather than assuming it will be there for only a predefined set of OSes. 738. [bug] If a non-threadsafe sdb driver supported AXFR and received an AXFR request, it would deadlock or die with an assertion failure. [RT #852] 737. [port] stdtime.c failed to compile on certain platforms. 736. [func] New functions isc_task_{begin,end}exclusive(). 735. [doc] Add BIND 4 migration notes. 734. [bug] An attempt to re-lock the zone lock could occur if the server was shutdown during a zone transfer. [RT #830] 733. [bug] Reference counts of dns_acl_t objects need to be locked but were not. [RT #801, #821] 732. [bug] Glue with 0 TTL could also cause SERVFAIL. [RT #828] 731. [bug] Certain zone errors could cause named-checkzone to fail ungracefully. [RT #819] 730. [bug] lwres_getaddrinfo() returns the correct result when it fails to contact a server. [RT #768] 729. [port] pthread_setconcurrency() needs to be called on Solaris. 728. [bug] Fix comment processing on master file directives. [RT# 757] 727. [port] Work around OS bug where accept() succeeds but fails to fill in the peer address of the accepted connection, by treating it as an error rather than an assertion failure. [RT #809] 726. [func] Implement the "trace" and "notrace" commands in rndc. 725. [bug] Installing man pages could fail. 724. [func] New libisc functions isc_netaddr_any(), isc_netaddr_any6(). 723. [bug] Referrals whose NS RRs had a 0 TTL caused the resolver to return DNS_R_SERVFAIL. [RT #783] 722. [func] Allow incremental loads to be canceled. 721. [cleanup] Load manager and dns_master_loadfilequota() are no more. 720. [bug] Server could enter infinite loop in dispatch.c:do_cancel(). [RT #733] 719. [bug] Rapid reloads could trigger an assertion failure. [RT #743, #763] 718. [cleanup] "internal" is no longer a reserved word in named.conf. [RT #753, #731] 717. [bug] Certain TKEY processing failure modes could reference an uninitialized variable, causing the server to crash. [RT #750] 716. [bug] The first line of a $INCLUDE master file was lost if an origin was specified. [RT #744] 715. [bug] Resolving some A6 chains could cause an assertion failure in adb.c. [RT #738] 714. [bug] Preserve interval timers across reloads unless changed. [RT# 729] 713. [func] named-checkconf takes '-t directory' similar to named. [RT #726] 712. [bug] Sending a large signed update message caused an assertion failure. [RT #718] 711. [bug] The libisc and liblwres implementations of inet_ntop contained an off by one error. 710. [func] The forwarders statement now takes an optional port. [RT #418] 709. [bug] ANY or SIG queries for data with a TTL of 0 would return SERVFAIL. [RT #620] 708. [bug] When building with --with-openssl, the openssl headers included with BIND 9 should not be used. [RT #702] 707. [func] The "filename" argument to named-checkzone is no longer optional, to reduce confusion. [RT #612] 706. [bug] Zones with an explicit "allow-update { none; };" were considered dynamic and therefore not reloaded on SIGHUP or "rndc reload". 705. [port] Work out resource limit type for use where rlim_t is not available. [RT #695] 704. [port] RLIMIT_NOFILE is not available on all platforms. [RT #695] 703. [port] sys/select.h is needed on older platforms. [RT #695] 702. [func] If the address 0.0.0.0 is seen in resolv.conf, use 127.0.0.1 instead. [RT #693] 701. [func] Root hints are now fully optional. Class IN views use compiled-in hints by default, as before. Non-IN views with no root hints now provide authoritative service but not recursion. A warning is logged if a view has neither root hints nor authoritative data for the root. [RT #696] 700. [bug] $GENERATE range check was wrong. [RT #688] 699. [bug] The lexer mishandled empty quoted strings. [RT #694] 698. [bug] Aborting nsupdate with ^C would lead to several race conditions. 697. [bug] nsupdate was not compatible with the undocumented BIND 8 behavior of ignoring TTLs in "update delete" commands. [RT #693] 696. [bug] lwresd would die with an assertion failure when passed a zero-length name. [RT #692] 695. [bug] If the resolver attempted to query a blackholed or bogus server, the resolution would fail immediately. 694. [bug] $GENERATE did not produce the last entry. [RT #682, #683] 693. [bug] An empty lwres statement in named.conf caused the server to crash while loading. 692. [bug] Deal with systems that have getaddrinfo() but not gai_strerror(). [RT #679] 691. [bug] Configuring per-view forwarders caused an assertion failure. [RT #675, #734] 690. [func] $GENERATE now supports DNAME. [RT #654] 689. [doc] man pages are now installed. [RT #210] 688. [func] "make tags" now works on systems with the "Exuberant Ctags" etags. 687. [bug] Only say we have IPv6, with sufficient functionality, if it has actually been tested. [RT #586] 686. [bug] dig and nslookup can now be properly aborted during blocking operations. [RT #568] 685. [bug] nslookup should use the search list/domain options from resolv.conf by default. [RT #405, #630] 684. [bug] Memory leak with view forwarders. [RT #656] 683. [bug] File descriptor leak in isc_lex_openfile(). 682. [bug] nslookup displayed SOA records incorrectly. [RT #665] 681. [bug] $GENERATE specifying output format was broken. [RT #653] 680. [bug] dns_rdata_fromstruct() mishandled options bigger than 255 octets. 679. [bug] $INCLUDE could leak memory and file descriptors on reload. [RT #639] 678. [bug] "transfer-format one-answer;" could trigger an assertion failure. [RT #646] 677. [bug] dnssec-signzone would occasionally use the wrong ttl for database operations and fail. [RT #643] 676. [bug] Log messages about lame servers to category 'lame-servers' rather than 'resolver', so as not to be gratuitously incompatible with BIND 8. 675. [bug] TKEY queries could cause the server to leak memory. 674. [func] Allow messages to be TSIG signed / verified using a offset from the current time. 673. [func] The server can now convert RFC1886-style recursive lookup requests into RFC2874-style lookups, when enabled using the new option "allow-v6-synthesis". 672. [bug] The wrong time was in the "time signed" field when replying with BADTIME error. 671. [bug] The message code was failing to parse a message with no question section and a TSIG record. [RT #628] 670. [bug] The lwres replacements for getaddrinfo and getipnodebyname didn't properly check for the existence of the sockaddr sa_len field. 669. [bug] dnssec-keygen now makes the public key file non-world-readable for symmetric keys. [RT #403] 668. [func] named-checkzone now reports multiple errors in master files. 667. [bug] On Linux, running named with the -u option and a non-world-readable configuration file didn't work. [RT #626] 666. [bug] If a request sent by dig is longer than 512 bytes, use TCP. 665. [bug] Signed responses were not sent when the size of the TSIG + question exceeded the maximum message size. [RT #628] 664. [bug] The t_tasks and t_timers module tests are now skipped when building without threads, since they require threads. 663. [func] Accept a size_spec, not just an integer, in the (unimplemented and ignored) max-ixfr-log-size option for compatibility with recent versions of BIND 8. [RT #613] 662. [bug] dns_rdata_fromtext() failed to log certain errors. 661. [bug] Certain UDP IXFR requests caused an assertion failure (mpctx->allocated == 0). [RT #355, #394, #623] 660. [port] Detect multiple CPUs on HP-UX and IRIX. 659. [performance] Rewrite the name compression code to be much faster. 658. [cleanup] Remove all vestiges of 16 bit global compression. 657. [bug] When a listen-on statement in an lwres block does not specify a port, use 921, not 53. Also update the listen-on documentation. [RT #616] 656. [func] Treat an unescaped newline in a quoted string as an error. This means that TXT records with missing close quotes should have meaningful errors printed. 655. [bug] Improve error reporting on unexpected eof when loading zones. [RT #611] 654. [bug] Origin was being forgotten in TCP retries in dig. [RT #574] 653. [bug] +defname option in dig was reversed in sense. [RT #549] 652. [bug] zone_saveunique() did not report the new name. 651. [func] The AD bit in responses now has the meaning specified in . 650. [bug] SIG(0) records were being generated and verified incorrectly. [RT #606] 649. [bug] It was possible to join to an already running fctx after it had "cloned" its events, but before it sent them. In this case, the event of the newly joined fetch would not contain the answer, and would trigger the INSIST() in fctx_sendevents(). In BIND 9.0, this bug did not trigger an INSIST(), but caused the fetch to fail with a SERVFAIL result. [RT #588, #597, #605, #607] 648. [port] Add support for pre-RFC2133 IPv6 implementations. 647. [bug] Resolver queries sent after following multiple referrals had excessively long retransmission timeouts due to incorrectly counting the referrals as "restarts". 646. [bug] The UnixWare ISC_PLATFORM_FIXIN6INADDR fix in isc/net.h didn't _cleanly_ fix the problem it was trying to fix. 645. [port] BSD/OS 3.0 needs pthread_init(). [RT #603] 644. [bug] #622 needed more work. [RT #562] 643. [bug] xfrin error messages made more verbose, added class of the zone. [RT# 599] 642. [bug] Break the exit_check() race in the zone module. [RT #598] --- 9.1.0b2 released --- 641. [bug] $GENERATE caused a uninitialized link to be used. [RT #595] 640. [bug] Memory leak in error path could cause "mpctx->allocated == 0" failure. [RT #584] 639. [bug] Reading entropy from the keyboard would sometimes fail. [RT #591] 638. [port] lib/isc/random.c needed to explicitly include time.h to get a prototype for time() when pthreads was not being used. [RT #592] 637. [port] Use isc_u?int64_t instead of (unsigned) long long in lib/isc/print.c. Also allow lib/isc/print.c to be compiled even if the platform does not need it. [RT #592] 636. [port] Shut up MSVC++ about a possible loss of precision in the ISC__BUFFER_PUTUINT*() macros. [RT #592] 635. [bug] Reloading a server with a configured blackhole list would cause an assertion. [RT #590] 634. [bug] A log file will completely stop being written when it reaches the maximum size in all cases, not just when versioning is also enabled. [RT #570] 633. [port] Cope with rlim_t missing on BSD/OS systems. [RT #575] 632. [bug] The index array of the journal file was corrupted as it was written to disk. 631. [port] Build without thread support on systems without pthreads. 630. [bug] Locking failure in zone code. [RT #582] 629. [bug] 9.1.0b1 dereferenced a null pointer and crashed when responding to a UDP IXFR request. 628. [bug] If the root hints contained only AAAA addresses, named would be unable to perform resolution. 627. [bug] The EDNS0 blackhole detection code of change 324 waited for three retransmissions to each server, which takes much too long when a domain has many name servers and all of them drop EDNS0 queries. Now we retry without EDNS0 after three consecutive timeouts, even if they are all from different servers. [RT #143] 626. [bug] The lightweight resolver daemon no longer crashes when asked for a SIG rrset. [RT #558] 625. [func] Zones now inherit their class from the enclosing view. 624. [bug] The zone object could get timer events after it had been destroyed, causing a server crash. [RT #571] 623. [func] Added "named-checkconf" and "named-checkzone" program for syntax checking named.conf files and zone files, respectively. 622. [bug] A canceled request could be destroyed before dns_request_destroy() was called. [RT #562] 621. [port] Disable IPv6 at runtime if IPv6 sockets are unusable. This mostly affects Red Hat Linux 7.0, which has conflicts between libc and the kernel. 620. [bug] dns_master_load*inc() now require 'task' and 'load' to be non-null. Also 'done' will not be called if dns_master_load*inc() fails immediately. [RT #565] 619. [placeholder] 618. [bug] Queries to a signed zone could sometimes cause an assertion failure. 617. [bug] When using dynamic update to add a new RR to an existing RRset with a different TTL, the journal entries generated from the update did not include explicit deletions and re-additions of the existing RRs to update their TTL to the new value. 616. [func] dnssec-signzone -t output now includes performance statistics. 615. [bug] dnssec-signzone did not like child keysets signed by multiple keys. 614. [bug] Checks for uninitialized link fields were prone to false positives, causing assertion failures. The checks are now disabled by default and may be re-enabled by defining ISC_LIST_CHECKINIT. 613. [bug] "rndc reload zone" now reloads primary zones. It previously only updated slave and stub zones, if an SOA query indicated an out of date serial. 612. [cleanup] Shutup a ridiculously noisy HP-UX compiler that complains relentlessly about how its treatment of 'const' has changed as well as how casting sometimes tightens alignment constraints. 611. [func] allow-notify can be used to permit processing of notify messages from hosts other than a slave's masters. 610. [func] rndc dumpdb is now supported. 609. [bug] getrrsetbyname() would crash lwresd if the server found more SIGs than answers. [RT #554] 608. [func] dnssec-signzone now adds a comment to the zone with the time the file was signed. 607. [bug] nsupdate would fail if it encountered a CNAME or DNAME in a response to an SOA query. [RT #515] 606. [bug] Compiling with --disable-threads failed due to isc_thread_self() being incorrectly defined as an integer rather than a function. 605. [func] New function isc_lex_getlasttokentext(). 604. [bug] The named.conf parser could print incorrect line numbers when long comments were present. 603. [bug] Make dig handle multiple types or classes on the same query more correctly. 602. [func] Cope automatically with UnixWare's broken IN6_IS_ADDR_* macros. [RT #539] 601. [func] Return a non-zero exit code if an update fails in nsupdate. 600. [bug] Reverse lookups sometimes failed in dig, etc... 599. [func] Added four new functions to the libisc log API to support i18n messages. isc_log_iwrite(), isc_log_ivwrite(), isc_log_iwrite1() and isc_log_ivwrite1() were added. 598. [bug] An update-policy statement would cause the server to assert while loading. [RT #536] 597. [func] dnssec-signzone is now multi-threaded. 596. [bug] DNS_RDATASLAB_FORCE and DNS_RDATASLAB_EXACT are not mutually exclusive. 595. [port] On Linux 2.2, socket() returns EINVAL when it should return EAFNOSUPPORT. Work around this. [RT #531] 594. [func] sdb drivers are now assumed to not be thread-safe unless the DNS_SDBFLAG_THREADSAFE flag is supplied. 593. [bug] If a secure zone was missing all its NXTs and a dynamic update was attempted, the server entered an infinite loop. 592. [bug] The sig-validity-interval option now specifies a number of days, not seconds. This matches the documentation. [RT #529] --- 9.1.0b1 released --- 591. [bug] Work around non-reentrancy in openssl by disabling pre-computation in keys. 590. [doc] There are now man pages for the lwres library in doc/man/lwres. 589. [bug] The server could deadlock if a zone was updated while being transferred out. 588. [bug] ctx->in_use was not being correctly initialized when when pushing a file for $INCLUDE. [RT #523] 587. [func] A warning is now printed if the "allow-update" option allows updates based on the source IP address, to alert users to the fact that this is insecure and becoming increasingly so as servers capable of update forwarding are being deployed. 586. [bug] multiple views with the same name were fatal. [RT #516] 585. [func] dns_db_addrdataset() and and dns_rdataslab_merge() now support 'exact' additions in a similar manner to dns_db_subtractrdataset() and dns_rdataslab_subtract(). 584. [func] You can now say 'notify explicit'; to suppress notification of the servers listed in NS records and notify only those servers listed in the 'also-notify' option. 583. [func] "rndc querylog" will now toggle logging of queries, like "ndc querylog" in BIND 8. 582. [bug] dns_zone_idetach() failed to lock the zone. [RT #199, #463] 581. [bug] log severity was not being correctly processed. [RT #485] 580. [func] Ignore trailing garbage on incoming DNS packets, for interoperability with broken server implementations. [RT #491] 579. [bug] nsupdate did not take a filename to read update from. [RT #492] 578. [func] New config option "notify-source", to specify the source address for notify messages. 577. [func] Log illegal RDATA combinations. e.g. multiple singleton types, cname and other data. 576. [doc] isc_log_create() description did not match reality. 575. [bug] isc_log_create() was not setting internal state correctly to reflect the default channels created. 574. [bug] TSIG signed queries sent by the resolver would fail to have their responses validated and would leak memory. 573. [bug] The journal files of IXFRed slave zones were inadvertently discarded on server reload, causing "journal out of sync with zone" errors on subsequent reloads. [RT #482] 572. [bug] Quoted strings were not accepted as key names in address match lists. 571. [bug] It was possible to create an rdataset of singleton type which had more than one rdata. [RT #154] [RT #279] 570. [bug] rbtdb.c allowed zones containing nodes which had both a CNAME and "other data". [RT #154] 569. [func] The DNSSEC AD bit will not be set on queries which have not requested a DNSSEC response. 568. [func] Add sample simple database drivers in contrib/sdb. 567. [bug] Setting the zone transfer timeout to zero caused an assertion failure. [RT #302] 566. [func] New public function dns_timer_setidle(). 565. [func] Log queries more like BIND 8: query logging is now done to category "queries", level "info". [RT #169] 564. [func] Add sortlist support to lwresd. 563. [func] New public functions dns_rdatatype_format() and dns_rdataclass_format(), for convenient formatting of rdata type/class mnemonics in log messages. 562. [cleanup] Moved lib/dns/*conf.c to bin/named where they belong. 561. [func] The 'datasize', 'stacksize', 'coresize' and 'files' clauses of the options{} statement are now implemented. 560. [bug] dns_name_split did not properly the resulting prefix when a maximal length bitstring label was split which was preceded by another bitstring label. [RT #429] 559. [bug] dns_name_split did not properly create the suffix when splitting within a maximal length bitstring label. 558. [func] New functions, isc_resource_getlimit and isc_resource_setlimit. 557. [func] Symbolic constants for libisc integral types. 556. [func] The DNSSEC OK bit in the EDNS extended flags is now implemented. Responses to queries without this bit set will not contain any DNSSEC records. 555. [bug] A slave server attempting a zone transfer could crash with an assertion failure on certain malformed responses from the master. [RT #457] 554. [bug] In some cases, not all of the dnssec tools were properly installed. 553. [bug] Incoming zone transfers deferred due to quota were not started when quota was increased but only when a transfer in progress finished. [RT #456] 552. [bug] We were not correctly detecting the end of all c-style comments. [RT #455] 551. [func] Implemented the 'sortlist' option. 550. [func] Support unknown rdata types and classes. 549. [bug] "make" did not immediately abort the build when a subdirectory make failed [RT #450]. 548. [func] The lexer now ungets tokens more correctly. 547. [placeholder] 546. [func] Option 'lame-ttl' is now implemented. 545. [func] Name limit and counting options removed from dig; they didn't work properly, and cannot be correctly implemented without significant changes. 544. [func] Add statistics option, enable statistics-file option, add RNDC option "dump-statistics" to write out a query statistics file. 543. [doc] The 'port' option is now documented. 542. [func] Add support for update forwarding as required for full compliance with RFC2136. It is turned off by default and can be enabled using the 'allow-update-forwarding' option. 541. [func] Add bogus server support. 540. [func] Add dialup support. 539. [func] Support the blackhole option. 538. [bug] fix buffer overruns by 1 in lwres_getnameinfo(). 537. [placeholder] 536. [func] Use transfer-source{-v6} when sending refresh queries. Transfer-source{-v6} now take a optional port parameter for setting the UDP source port. The port parameter is ignored for TCP. 535. [func] Use transfer-source{-v6} when forwarding update requests. 534. [func] Ancestors have been removed from RBT chains. Ancestor information can be discerned via node parent pointers. 533. [func] Incorporated name hashing into the RBT database to improve search speed. 532. [func] Implement DNS UPDATE pseudo records using DNS_RDATA_UPDATE flag. 531. [func] Rdata really should be initialized before being assigned to (dns_rdata_fromwire(), dns_rdata_fromtext(), dns_rdata_clone(), dns_rdata_fromregion()), check that it is. 530. [func] New function dns_rdata_invalidate(). 529. [bug] 521 contained a bug which caused zones to always reload. [RT #410] 528. [func] The ISC_LIST_XXXX macros now perform sanity checks on their arguments. ISC_LIST_XXXXUNSAFE can be use to skip the checks however use with caution. 527. [func] New function dns_rdata_clone(). 526. [bug] nsupdate incorrectly refused to add RRs with a TTL of 0. 525. [func] New arguments 'options' for dns_db_subtractrdataset(), and 'flags' for dns_rdataslab_subtract() allowing you to request that the RR's must exist prior to deletion. DNS_R_NOTEXACT is returned if the condition is not met. 524. [func] The 'forward' and 'forwarders' statement in non-forward zones should work now. 523. [doc] The source to the Administrator Reference Manual is now an XML file using the DocBook DTD, and is included in the distribution. The plain text version of the ARM is temporarily unavailable while we figure out how to generate readable plain text from the XML. 522. [func] The lightweight resolver daemon can now use a real configuration file, and its functionality can be provided by a name server. Also, the -p and -P options to lwresd have been reversed. 521. [bug] Detect master files which contain $INCLUDE and always reload. [RT #196] 520. [bug] Upgraded libtool to 1.3.5, which makes shared library builds almost work on AIX (and possibly others). 519. [bug] dns_name_split() would improperly split some bitstring labels, zeroing a few of the least significant bits in the prefix part. When such an improperly created prefix was returned to the RBT database, the bogus label was dutifully stored, corrupting the tree. [RT #369] 518. [bug] The resolver did not realize that a DNAME which was "the answer" to the client's query was "the answer", and such queries would fail. [RT #399] 517. [bug] The resolver's DNAME code would trigger an assertion if there was more than one DNAME in the chain. [RT #399] 516. [bug] Cache lookups which had a NULL node pointer, e.g. those by dns_view_find(), and which would match a DNAME, would trigger an INSIST(!search.need_cleanup) assertion. [RT #399] 515. [bug] The ssu table was not being attached / detached by dns_zone_[sg]etssutable. [RT#397] 514. [func] Retry refresh and notify queries if they timeout. [RT #388] 513. [func] New functionality added to rdnc and server to allow individual zones to be refreshed or reloaded. 512. [bug] The zone transfer code could throw an exception with an invalid IXFR stream. 511. [bug] The message code could throw an assertion on an out of memory failure. [RT #392] 510. [bug] Remove spurious view notify warning. [RT #376] 509. [func] Add support for write of zone files on shutdown. 508. [func] dns_message_parse() can now do a best-effort attempt, which should allow dig to print more invalid messages. 507. [func] New functions dns_zone_flush(), dns_zt_flushanddetach() and dns_view_flushanddetach(). 506. [func] Do not fail to start on errors in zone files. 505. [bug] nsupdate was printing "unknown result code". [RT #373] 504. [bug] The zone was not being marked as dirty when updated via IXFR. 503. [bug] dumptime was not being set along with DNS_ZONEFLG_NEEDDUMP. 502. [func] On a SERVFAIL reply, DiG will now try the next server in the list, unless the +fail option is specified. 501. [bug] Incorrect port numbers were being displayed by nslookup. [RT #352] 500. [func] Nearly useless +details option removed from DiG. 499. [func] In DiG, specifying a class with -c or type with -t changes command-line parsing so that classes and types are only recognized if following -c or -t. This allows hosts with the same name as a class or type to be looked up. 498. [doc] There is now a man page for "dig" in doc/man/bin/dig.1. 497. [bug] The error messages printed when an IP match list contained a network address with a nonzero host part where not sufficiently detailed. [RT #365] 496. [bug] named didn't sanity check numeric parameters. [RT #361] 495. [bug] nsupdate was unable to handle large records. [RT #368] 494. [func] Do not cache NXDOMAIN responses for SOA queries. 493. [func] Return non-cachable (ttl = 0) NXDOMAIN responses for SOA queries. This makes it easier to locate the containing zone without polluting intermediate caches. 492. [bug] attempting to reload a zone caused the server fail to shutdown cleanly. [RT #360] 491. [bug] nsupdate would segfault when sending certain prerequisites with empty RDATA. [RT #356] 490. [func] When a slave/stub zone has not yet successfully obtained an SOA containing the zone's configured retry time, perform the SOA query retries using exponential backoff. [RT #337] 489. [func] The zone manager now has a "i/o" queue. 488. [bug] Locks weren't properly destroyed in some cases. 487. [port] flockfile() is not defined on all systems. 486. [bug] nslookup: "set all" and "server" commands showed the incorrect port number if a port other than 53 was specified. [RT #352] 485. [func] When dig had more than one server to query, it would send all of the messages at the same time. Add rate limiting of the transmitted messages. 484. [bug] When the server was reloaded after removing addresses from the named.conf "listen-on" statement, sockets were still listening on the removed addresses due to reference count loops. [RT #325] 483. [bug] nslookup: "set all" showed a "search" option but it was not settable. 482. [bug] nslookup: a plain "server" or "lserver" should be treated as a lookup. 481. [bug] nslookup:get_next_command() stack size could exceed per thread limit. 480. [bug] strtok() is not thread safe. [RT #349] 479. [func] The test suite can now be run by typing "make check" or "make test" at the top level. 478. [bug] "make install" failed if the directory specified with --prefix did not already exist. 477. [bug] The the isc-config.sh script could be installed before its directory was created. [RT #324] 476. [bug] A zone could expire while a zone transfer was in progress triggering a INSIST failure. [RT #329] 475. [bug] query_getzonedb() sometimes returned a non-null version on failure. This caused assertion failures when generating query responses where names subject to additional section processing pointed to a zone to which access had been denied by means of the allow-query option. [RT #336] 474. [bug] The mnemonic of the CHAOS class is CH according to RFC1035, but it was printed and read only as CHAOS. We now accept both forms as input, and print it as CH. [RT #305] 473. [bug] nsupdate overran the end of the list of name servers when no servers could be reached, typically causing it to print the error message "dns_request_create: not implemented". 472. [bug] Off-by-one error caused isc_time_add() to sometimes produce invalid time values. 471. [bug] nsupdate didn't compile on HP/UX 10.20 470. [func] $GENERATE is now supported. See also doc/misc/migration. 469. [bug] "query-source address * port 53;" now works. 468. [bug] dns_master_load*() failed to report file and line number in certain error conditions. 467. [bug] dns_master_load*() failed to log an error if pushfile() failed. 466. [bug] dns_master_load*() could return success when it failed. 465. [cleanup] Allow 0 to be set as an omapi_value_t value by omapi_value_storeint(). 464. [cleanup] Build with openssl's RSA code instead of dnssafe. 463. [bug] nsupdate sent malformed SOA queries to the second and subsequent name servers in resolv.conf if the query sent to the first one failed. 462. [bug] --disable-ipv6 should work now. 461. [bug] Specifying an unknown key in the "keys" clause of the "controls" statement caused a NULL pointer dereference. [RT #316] 460. [bug] Much of the DNSSEC code only worked with class IN. 459. [bug] Nslookup processed the "set" command incorrectly. 458. [bug] Nslookup didn't properly check class and type values. [RT #305] 457. [bug] Dig/host/hslookup didn't properly handle connect timeouts in certain situations, causing an unnecessary warning message to be printed. 456. [bug] Stub zones were not resetting the refresh and expire counters, loadtime or clearing the DNS_ZONE_REFRESH (refresh in progress) flag upon successful update. This disabled further refreshing of the stub zone, causing it to eventually expire. [RT #300] 455. [doc] Document IPv4 prefix notation does not require a dotted decimal quad but may be just dotted decimal. 454. [bug] Enforce dotted decimal and dotted decimal quad where documented as such in named.conf. [RT #304, RT #311] 453. [bug] Warn if the obsolete option "maintain-ixfr-base" is specified in named.conf. [RT #306] 452. [bug] Warn if the unimplemented option "statistics-file" is specified in named.conf. [RT #301] 451. [func] Update forwarding implemented. 450. [func] New function ns_client_sendraw(). 449. [bug] isc_bitstring_copy() only works correctly if the two bitstrings have the same lsb0 value, but this requirement was not documented, nor was there a REQUIRE for it. 448. [bug] Host output formatting change, to match v8. [RT #255] 447. [bug] Dig didn't properly retry in TCP mode after a truncated reply. [RT #277] 446. [bug] Confusing notify log message. [RT #298] 445. [bug] Doing a 0 bit isc_bitstring_copy() of an lsb0 bitstring triggered a REQUIRE statement. The REQUIRE statement was incorrect. [RT #297] 444. [func] "recursion denied" messages are always logged at debug level 1, now, rather than sometimes at ERROR. This silences these warnings in the usual case, where some clients set the RD bit in all queries. 443. [bug] When loading a master file failed because of an unrecognized RR type name, the error message did not include the file name and line number. [RT #285] 442. [bug] TSIG signed messages that did not match any view crashed the server. [RT #290] 441. [bug] Nodes obscured by a DNAME were inaccessible even when DNS_DBFIND_GLUEOK was set. 440. [func] New function dns_zone_forwardupdate(). 439. [func] New function dns_request_createraw(). 438. [func] New function dns_message_getrawmessage(). 437. [func] Log NOTIFY activity to the notify channel. 436. [bug] If recvmsg() returned EHOSTUNREACH or ENETUNREACH, which sometimes happens on Linux, named would enter a busy loop. Also, unexpected socket errors were not logged at a high enough logging level to be useful in diagnosing this situation. [RT #275] 435. [bug] dns_zone_dump() overwrote existing zone files rather than writing to a temporary file and renaming. This could lead to empty or partial zone files being left around in certain error conditions involving the initial transfer of a slave zone, interfering with subsequent server startup. [RT #282] 434. [func] New function isc_file_isabsolute(). 433. [func] isc_base64_decodestring() now accepts newlines within the base64 data. This makes it possible to break up the key data in a "trusted-keys" statement into multiple lines. [RT #284] 432. [func] Added refresh/retry jitter. The actual refresh/ retry time is now a random value between 75% and 100% of the configured value. 431. [func] Log at ISC_LOG_INFO when a zone is successfully loaded. 430. [bug] Rewrote the lightweight resolver client management code to handle shutdown correctly and general cleanup. 429. [bug] The space reserved for a TSIG record in a response was 2 bytes too short, leading to message generation failures. 428. [bug] rbtdb.c:find_closest_nxt() erroneously returned DNS_R_BADDB for nodes which had neither NXT nor SIG NXT (e.g. glue). This could cause SERVFAILs when generating negative responses in a secure zone. 427. [bug] Avoid going into an infinite loop when the validator gets a negative response to a key query where the records are signed by the missing key. 426. [bug] Attempting to generate an oversized RSA key could cause dnssec-keygen to dump core. 425. [bug] Warn about the auth-nxdomain default value change if there is no auth-nxdomain statement in the config file. [RT #287] 424. [bug] notify_createmessage() could trigger an assertion failure when creating the notify message failed, e.g. due to corrupt zones with multiple SOA records. [RT #279] 423. [bug] When responding to a recursive query, errors that occur after following a CNAME should cause the query to fail. [RT #274] 422. [func] get rid of isc_random_t, and make isc_random_get() and isc_random_jitter() use rand() internally instead of local state. Note that isc_random_*() functions are only for weak, non-critical "randomness" such as timing jitter and such. 421. [bug] nslookup would exit when given a blank line as input. 420. [bug] nslookup failed to implement the "exit" command. 419. [bug] The certificate type PKIX was misspelled as SKIX. 418. [bug] At debug levels >= 10, getting an unexpected socket receive error would crash the server while trying to log the error message. 417. [func] Add isc_app_block() and isc_app_unblock(), which allow an application to handle signals while blocking. 416. [bug] Slave zones with no master file tried to use a NULL pointer for a journal file name when they received an IXFR. [RT #273] 415. [bug] The logging code leaked file descriptors. 414. [bug] Server did not shut down until all incoming zone transfers were finished. 413. [bug] Notify could attempt to use the zone database after it had been unloaded. [RT#267] 412. [bug] named -v didn't print the version. 411. [bug] A typo in the HS A code caused an assertion failure. 410. [bug] lwres_gethostbyname() and company set lwres_h_errno to a random value on success. 409. [bug] If named was shut down early in the startup process, ns_omapi_shutdown() would attempt to lock an uninitialized mutex. [RT #262] 408. [bug] stub zones could leak memory and reference counts if all the masters were unreachable. 407. [bug] isc_rwlock_lock() would needlessly block readers when it reached the read quota even if no writers were waiting. 406. [bug] Log messages were occasionally lost or corrupted due to a race condition in isc_log_doit(). 405. [func] Add support for selective forwarding (forward zones) 404. [bug] The request library didn't completely work with IPv6. 403. [bug] "host" did not use the search list. 402. [bug] Treat undefined acls as errors, rather than warning and then later throwing an assertion. [RT #252] 401. [func] Added simple database API. 400. [bug] SIG(0) signing and verifying was done incorrectly. [RT #249] 399. [bug] When reloading the server with a config file containing a syntax error, it could catch an assertion failure trying to perform zone maintenance on, or sending notifies from, tentatively created zones whose views were never fully configured and lacked an address database and request manager. 398. [bug] "dig" sometimes caught an assertion failure when using TSIG, depending on the key length. 397. [func] Added utility functions dns_view_gettsig() and dns_view_getpeertsig(). 396. [doc] There is now a man page for "nsupdate" in doc/man/bin/nsupdate.8. 395. [bug] nslookup printed incorrect RR type mnemonics for RRs of type >= 21 [RT #237]. 394. [bug] Current name was not propagated via $INCLUDE. 393. [func] Initial answer while loading (awl) support. Entry points: dns_master_loadfileinc(), dns_master_loadstreaminc(), dns_master_loadbufferinc(). Note: calls to dns_master_load*inc() should be rate be rate limited so as to not use up all file descriptors. 392. [func] Add ISC_R_FAMILYNOSUPPORT. Returned when OS does not support the given address family requested. 391. [clarity] ISC_R_FAMILY -> ISC_R_FAMILYMISMATCH. 390. [func] The function dns_zone_setdbtype() now takes an argc/argv style vector of words and sets both the zone database type and its arguments, making the functions dns_zone_adddbarg() and dns_zone_cleardbargs() unnecessary. 389. [bug] Attempting to send a request over IPv6 using dns_request_create() on a system without IPv6 support caused an assertion failure [RT #235]. 388. [func] dig and host can now do reverse ipv6 lookups. 387. [func] Add dns_byaddr_createptrname(), which converts an address into the name used by a PTR query. 386. [bug] Missing strdup() of ACL name caused random ACL matching failures [RT #228]. 385. [cleanup] Removed functions dns_zone_equal(), dns_zone_print(), and dns_zt_print(). 384. [bug] nsupdate was incorrectly limiting TTLs to 65535 instead of 2147483647. 383. [func] When writing a master file, print the SOA and NS records (and their SIGs) before other records. 382. [bug] named -u failed on many Linux systems where the libc provided kernel headers do not match the current kernel. 381. [bug] Check for IPV6_RECVPKTINFO and use it instead of IPV6_PKTINFO if found. [RT #229] 380. [bug] nsupdate didn't work with IPv6. 379. [func] New library function isc_sockaddr_anyofpf(). 378. [func] named and lwresd will log the command line arguments they were started with in the "starting ..." message. 377. [bug] When additional data lookups were refused due to "allow-query", the databases were still being attached causing reference leaks. 376. [bug] The server should always use good entropy when performing cryptographic functions needing entropy. 375. [bug] Per-zone "allow-query" did not properly override the view/global one for CNAME targets and additional data [RT #220]. 374. [bug] SOA in authoritative negative responses had wrong TTL. 373. [func] nslookup is now installed by "make install". 372. [bug] Deal with Microsoft DNS servers appending two bytes of garbage to zone transfer requests. 371. [bug] At high debug levels, doing an outgoing zone transfer of a very large RRset could cause an assertion failure during logging. 370. [bug] The error messages for roll-forward failures were overly terse. 369. [func] Support new named.conf options, view and zone statements: max-retry-time, min-retry-time, max-refresh-time, min-refresh-time. 368. [func] Restructure the internal ".bind" view so that more zones can be added to it. 367. [bug] Allow proper selection of server on nslookup command line. 366. [func] Allow use of '-' batch file in dig for stdin. 365. [bug] nsupdate -k leaked memory. 364. [func] Added additional-from-{cache,auth} 363. [placeholder] 362. [bug] rndc no longer aborts if the configuration file is missing an options statement. [RT #209] 361. [func] When the RBT find or chain functions set the name and origin for a node that stores the root label the name is now set to an empty name, instead of ".", to simplify later use of the name and origin by dns_name_concatenate(), dns_name_totext() or dns_name_format(). 360. [func] dns_name_totext() and dns_name_format() now allow an empty name to be passed, which is formatted as "@". 359. [bug] dnssec-signzone occasionally signed glue records. 358. [cleanup] Rename the intermediate files used by the dnssec programs. 357. [bug] The zone file parser crashed if the argument to $INCLUDE was a quoted string. 356. [cleanup] isc_task_send no longer requires event->sender to be non-null. 355. [func] Added isc_dir_createunique(), similar to mkdtemp(). 354. [doc] Man pages for the dnssec tools are now included in the distribution, in doc/man/dnssec. 353. [bug] double increment in lwres/gethost.c:copytobuf(). [RT# 187] 352. [bug] Race condition in dns_client_t startup could cause an assertion failure. 351. [bug] Constructing a response with rcode SERVFAIL to a TSIG signed query could crash the server. 350. [bug] Also-notify lists specified in the global options block were not correctly reference counted, causing a memory leak. 349. [bug] Processing a query with the CD bit set now works as expected. 348. [func] New boolean named.conf options 'additional-from-auth' and 'additional-from-cache' now supported in view and global options statement. 347. [bug] Don't crash if an argument is left off options in dig. 346. [placeholder] 345. [bug] Large-scale changes/cleanups to dig: * Significantly improve structure handling * Don't pre-load entire batch files * Add name/rr counting/limiting * Fix SIGINT handling * Shorten timeouts to match v8's behavior 344. [bug] When shutting down, lwresd sometimes tried to shut down its client tasks twice, triggering an assertion. 343. [bug] Although zone maintenance SOA queries and notify requests were signed with TSIG keys when configured for the server in case, the TSIG was not verified on the response. 342. [bug] The wrong name was being passed to dns_name_dup() when generating a TSIG key using TKEY. 341. [func] Support 'key' clause in named.conf zone masters statement to allow authentication via TSIG keys: masters { 10.0.0.1 port 5353 key "foo"; 10.0.0.2 ; }; 340. [bug] The top-level COPYRIGHT file was missing from the distribution. 339. [bug] DNSSEC validation of the response to an ANY query at a name with a CNAME RR in a secure zone triggered an assertion failure. 338. [bug] lwresd logged to syslog as named, not lwresd. 337. [bug] "dig" did not recognize "nsap-ptr" as an RR type on the command line. 336. [bug] "dig -f" used 64 k of memory for each line in the file. It now uses much less, though still proportionally to the file size. 335. [bug] named would occasionally attempt recursion when it was disallowed or undesired. 334. [func] Added hmac-md5 to libisc. 333. [bug] The resolver incorrectly accepted referrals to domains that were not parents of the query name, causing assertion failures. 332. [func] New function dns_name_reset(). 331. [bug] Only log "recursion denied" if RD is set. [RT #178] 330. [bug] Many debugging messages were partially formatted even when debugging was turned off, causing a significant decrease in query performance. 329. [func] omapi_auth_register() now takes a size_t argument for the length of a key's secret data. Previously OMAPI only stored secrets up to the first NUL byte. 328. [func] Added isc_base64_decodestring(). 327. [bug] rndc.conf parser wasn't correctly recognizing an IP address where a host specification was required. 326. [func] 'keys' in an 'inet' control statement is now required and must have at least one item in it. A "not supported" warning is now issued if a 'unix' control channel is defined. 325. [bug] isc_lex_gettoken was processing octal strings when ISC_LEXOPT_CNUMBER was not set. 324. [func] In the resolver, turn EDNS0 off if there is no response after a number of retransmissions. This is to allow queries some chance of succeeding even if all the authoritative servers of a zone silently discard EDNS0 requests instead of sending an error response like they ought to. 323. [bug] dns_rbt_findname() did not ignore empty rbt nodes. Because of this, servers authoritative for a parent and grandchild zone but not authoritative for the intervening child zone did not correctly issue referrals to the servers of the child zone. 322. [bug] Queries for KEY RRs are now sent to the parent server before the authoritative one, making DNSSEC insecurity proofs work in many cases where they previously didn't. 321. [bug] When synthesizing a CNAME RR for a DNAME response, query_addcname() failed to initialize the type and class of the CNAME dns_rdata_t, causing random failures. 320. [func] Multiple rndc changes: parses an rndc.conf file, uses authentication to talk to named, command line syntax changed. This will all be described in the ARM. 319. [func] The named.conf "controls" statement is now used to configure the OMAPI command channel. 318. [func] dns_c_ndcctx_destroy() could never return anything except ISC_R_SUCCESS; made it have void return instead. 317. [func] Use callbacks from libomapi to determine if a new connection is valid, and if a key requested to be used with that connection is valid. 316. [bug] Generate a warning if we detect an unexpected but treat as . 315. [bug] Handle non-empty blanks lines. [RT #163] 314. [func] The named.conf controls statement can now have more than one key specified for the inet clause. 313. [bug] When parsing resolv.conf, don't terminate on an error. Instead, parse as much as possible, but still return an error if one was found. 312. [bug] Increase the number of allowed elements in the resolv.conf search path from 6 to 8. If there are more than this, ignore the remainder rather than returning a failure in lwres_conf_parse. 311. [bug] lwres_conf_parse failed when the first line of resolv.conf was empty or a comment. 310. [func] Changes to named.conf "controls" statement (inet subtype only) - support "keys" clause controls { inet * port 1024 allow { any; } keys { "foo"; } } - allow "port xxx" to be left out of statement, in which case it defaults to omapi's default port of 953. 309. [bug] When sending a referral, the server did not look for name server addresses as glue in the zone holding the NS RRset in the case where this zone was not the same as the one where it looked for name server addresses as authoritative data. 308. [bug] Treat a SOA record not at top of zone as an error when loading a zone. [RT #154] 307. [bug] When canceling a query, the resolver didn't check for isc_socket_sendto() calls that did not yet have their completion events posted, so it could (rarely) end up destroying the query context and then want to use it again when the send event posted, triggering an assertion as it tried to cancel an already-canceled query. [RT #77] 306. [bug] Reading HMAC-MD5 private key files didn't work. 305. [bug] When reloading the server with a config file containing a syntax error, it could catch an assertion failure trying to perform zone maintenance on tentatively created zones whose views were never fully configured and lacked an address database. 304. [bug] If more than LWRES_CONFMAXNAMESERVERS servers are listed in resolv.conf, silently ignore them instead of returning failure. 303. [bug] Add additional sanity checks to differentiate a AXFR response vs a IXFR response. [RT #157] 302. [bug] In dig, host, and nslookup, MXNAME should be large enough to hold any legal domain name in presentation format + terminating NULL. 301. [bug] Uninitialized pointer in host:printmessage(). [RT #159] 300. [bug] Using both and didn't work on platforms lacking IPv6 because each included their own ipv6 header file for the missing definitions. Now each library's ipv6.h defines the wrapper symbol of the other (ISC_IPV6_H and LWRES_IPV6_H). 299. [cleanup] Get the user and group information before changing the root directory, so the administrator does not need to keep a copy of the user and group databases in the chroot'ed environment. Suggested by Hakan Olsson. 298. [bug] A mutex deadlock occurred during shutdown of the interface manager under certain conditions. Digital Unix systems were the most affected. 297. [bug] Specifying a key name that wasn't fully qualified in certain parts of the config file could cause an assertion failure. 296. [bug] "make install" from a separate build directory failed unless configure had been run in the source directory, too. 295. [bug] When invoked with type==CNAME and a message not constructed by dns_message_parse(), dns_message_findname() failed to find anything due to checking for attribute bits that are set only in dns_message_parse(). This caused an infinite loop when constructing the response to an ANY query at a CNAME in a secure zone. 294. [bug] If we run out of space in while processing glue when reading a master file and commit "current name" reverts to "name_current" instead of staying as "name_glue". 293. [port] Add support for FreeBSD 4.0 system tests. 292. [bug] Due to problems with the way some operating systems handle simultaneous listening on IPv4 and IPv6 addresses, the server no longer listens on IPv6 addresses by default. To revert to the previous behavior, specify "listen-on-v6 { any; };" in the config file. 291. [func] Caching servers no longer send outgoing queries over TCP just because the incoming recursive query was a TCP one. 290. [cleanup] +twiddle option to dig (for testing only) removed. 289. [cleanup] dig is now installed in $bindir instead of $sbindir. host is now installed in $bindir. (Be sure to remove any $sbindir/dig from a previous release.) 288. [func] rndc is now installed by "make install" into $sbindir. 287. [bug] rndc now works again as "rndc 127.1 reload" (for only that task). Parsing its configuration file and using digital signatures for authentication has been disabled until named supports the "controls" statement, post-9.0.0. 286. [bug] On Solaris 2, when named inherited a signal state where SIGHUP had the SIG_IGN action, SIGHUP would be ignored rather than causing the server to reload its configuration. 285. [bug] A change made to the dst API for beta4 inadvertently broke OMAPI's creation of a dst key from an incoming message, causing an assertion to be triggered. Fixed. 284. [func] The DNSSEC key generation and signing tools now generate randomness from keyboard input on systems that lack /dev/random. 283. [cleanup] The 'lwresd' program is now a link to 'named'. 282. [bug] The lexer now returns ISC_R_RANGE if parsed integer is too big for an unsigned long. 281. [bug] Fixed list of recognized config file category names. 280. [func] Add isc-config.sh, which can be used to more easily build applications that link with our libraries. 279. [bug] Private omapi function symbols shared between two or more files in libomapi.a were not namespace protected using the ISC convention of starting with the library name and two underscores ("omapi__"...) 278. [bug] bin/named/logconf.c:category_fromconf() didn't take note of when isc_log_categorybyname() wasn't able to find the category name and would then apply the channel list of the unknown category to all categories. 277. [bug] isc_log_categorybyname() and isc_log_modulebyname() would fail to find the first member of any category or module array apart from the internal defaults. Thus, for example, the "notify" category was improperly configured by named. 276. [bug] dig now supports maximum sized TCP messages. 275. [bug] The definition of lwres_gai_strerror() was missing the lwres_ prefix. 274. [bug] TSIG AXFR verify failed when talking to a BIND 8 server. 273. [func] The default for the 'transfer-format' option is now 'many-answers'. This will break zone transfers to BIND 4.9.5 and older unless there is an explicit 'one-answer' configuration. 272. [bug] The sending of large TCP responses was canceled in mid-transmission due to a race condition caused by the failure to set the client object's "newstate" variable correctly when transitioning to the "working" state. 271. [func] Attempt to probe the number of cpus in named if unspecified rather than defaulting to 1. 270. [func] Allow maximum sized TCP answers. 269. [bug] Failed DNSSEC validations could cause an assertion failure by causing clone_results() to be called with with hevent->node == NULL. 268. [doc] A plain text version of the Administrator Reference Manual is now included in the distribution, as doc/arm/Bv9ARM.txt. 267. [func] Nsupdate is now provided in the distribution. 266. [bug] zone.c:save_nsrrset() node was not initialized. 265. [bug] dns_request_create() now works for TCP. 264. [func] Dispatch can not take TCP sockets in connecting state. Set DNS_DISPATCHATTR_CONNECTED when calling dns_dispatch_createtcp() for connected TCP sockets or call dns_dispatch_starttcp() when the socket is connected. 263. [func] New logging channel type 'stderr' channel some-name { stderr; severity error; } 262. [bug] 'master' was not initialized in zone.c:stub_callback(). 261. [func] Add dns_zone_markdirty(). 260. [bug] Running named as a non-root user failed on Linux kernels new enough to support retaining capabilities after setuid(). 259. [func] New random-device and random-seed-file statements for global options block of named.conf. Both accept a single string argument. 258. [bug] Fixed printing of lwres_addr_t.address field. 257. [bug] The server detached the last zone manager reference too early, while it could still be in use by queries. This manifested itself as assertion failures during the shutdown process for busy name servers. [RT #133] 256. [func] isc_ratelimiter_t now has attach/detach semantics, and isc_ratelimiter_shutdown guarantees that the rate limiter is detached from its task. 255. [func] New function dns_zonemgr_attach(). 254. [bug] Suppress "query denied" messages on additional data lookups. --- 9.0.0b4 released --- 253. [func] resolv.conf parser now recognizes ';' and '#' as comments (anywhere in line, not just as the beginning). 252. [bug] resolv.conf parser mishandled masks on sortlists. It also aborted when an unrecognized keyword was seen, now it silently ignores the entire line. 251. [bug] lwresd caught an assertion failure on startup. 250. [bug] fixed handling of size+unit when value would be too large for internal representation. 249. [cleanup] max-cache-size config option now takes a size-spec like 'datasize', except 'default' is not allowed. 248. [bug] global lame-ttl option was not being printed when config structures were written out. 247. [cleanup] Rename cache-size config option to max-cache-size. 246. [func] Rename global option cachesize to cache-size and add corresponding option to view statement. 245. [bug] If an uncompressed name will take more than 255 bytes and the buffer is sufficiently long, dns_name_fromwire should return DNS_R_FORMERR, not ISC_R_NOSPACE. This bug caused cause the server to catch an assertion failure when it received a query for a name longer than 255 bytes. 244. [bug] empty named.conf file and empty options statement are now parsed properly. 243. [func] new cachesize option for named.conf 242. [cleanup] fixed incorrect warning about auth-nxdomain usage. 241. [cleanup] nscount and soacount have been removed from the dns_master_*() argument lists. 240. [func] databases now come in three flavours: zone, cache and stub. 239. [func] If ISC_MEM_DEBUG is enabled, the variable isc_mem_debugging controls whether messages are printed or not. 238. [cleanup] A few more compilation warnings have been quieted: + missing sigwait prototype on BSD/OS 4.0/4.0.1. + PTHREAD_ONCE_INIT unbraced initializer warnings on Solaris 2.8. + IN6ADDR_ANY_INIT unbraced initializer warnings on BSD/OS 4.*, Linux and Solaris 2.8. 237. [bug] If connect() returned ENOBUFS when the resolver was initiating a TCP query, the socket didn't get destroyed, and the server did not shut down cleanly. 236. [func] Added new listen-on-v6 config file statement. 235. [func] Consider it a config file error if a listen-on statement has an IPv6 address in it, or a listen-on-v6 statement has an IPv4 address in it. 234. [bug] Allow a trusted-key's first field (domain-name) be either a quoted or an unquoted string, instead of requiring a quoted string. 233. [cleanup] Convert all config structure integer values to unsigned integer (isc_uint32_t) to match grammar. 232. [bug] Allow slave zones to not have a file. 231. [func] Support new 'port' clause in config file options section. Causes 'listen-on', 'masters' and 'also-notify' statements to use its value instead of default (53). 230. [func] Replace the dst sign/verify API with a cleaner one. 229. [func] Support config file sig-validity-interval statement in options, views and zone statements (master zones only). 228. [cleanup] Logging messages in config module stripped of trailing period. 227. [cleanup] The enumerated identifiers dns_rdataclass_*, dns_rcode_*, dns_opcode_*, and dns_trust_* are also now cast to their appropriate types, as with dns_rdatatype_* in item number 225 below. 226. [func] dns_name_totext() now always prints the root name as '.', even when omit_final_dot is true. 225. [cleanup] The enumerated dns_rdatatype_* identifiers are now cast to dns_rdatatype_t via macros of their same name so that they are of the proper integral type wherever a dns_rdatatype_t is needed. 224. [cleanup] The entire project builds cleanly with gcc's -Wcast-qual and -Wwrite-strings warnings enabled, which is now the default when using gcc. (Warnings from confparser.c, because of yacc's code, are unfortunately to be expected.) 223. [func] Several functions were re-prototyped to qualify one or more of their arguments with "const". Similarly, several functions that return pointers now have those pointers qualified with const. 222. [bug] The global 'also-notify' option was ignored. 221. [bug] An uninitialized variable was sometimes passed to dns_rdata_freestruct() when loading a zone, causing an assertion failure. 220. [cleanup] Set the default outgoing port in the view, and set it in sockaddrs returned from the ADB. [31-May-2000 explorer] 219. [bug] Signed truncated messages more correctly follow the respective specs. 218. [func] When an rdataset is signed, its ttl is normalized based on the signature validity period. 217. [func] Also-notify and trusted-keys can now be used in the 'view' statement. 216. [func] The 'max-cache-ttl' and 'max-ncache-ttl' options now work. 215. [bug] Failures at certain points in request processing could cause the assertion INSIST(client->lockview == NULL) to be triggered. 214. [func] New public function isc_netaddr_format(), for formatting network addresses in log messages. 213. [bug] Don't leak memory when reloading the zone if an update-policy clause was present in the old zone. 212. [func] Added dns_message_get/settsigkey, to make TSIG key management reasonable. 211. [func] The 'key' and 'server' statements can now occur inside 'view' statements. 210. [bug] The 'allow-transfer' option was ignored for slave zones, and the 'transfers-per-ns' option was was ignored for all zones. 209. [cleanup] Upgraded openssl files to new version 0.9.5a 208. [func] Added ISC_OFFSET_MAXIMUM for the maximum value of an isc_offset_t. 207. [func] The dnssec tools properly use the logging subsystem. 206. [cleanup] dst now stores the key name as a dns_name_t, not a char *. 205. [cleanup] On IRIX, turn off the mostly harmless warnings 1692 ("prototyped function redeclared without prototype") and 1552 ("variable ... set but not used") when compiling in the lib/dns/sec/{dnssafe,openssl} directories, which contain code imported from outside sources. 204. [cleanup] On HP/UX, pass +vnocompatwarnings to the linker to quiet the warnings that "The linked output may not run on a PA 1.x system." 203. [func] notify and zone soa queries are now tsig signed when appropriate. 202. [func] isc_lex_getsourceline() changed from returning int to returning unsigned long, the type of its underlying counter. 201. [cleanup] Removed the test/sdig program, it has been replaced by bin/dig/dig. --- 9.0.0b3 released --- 200. [bug] Failures in sending query responses to clients (e.g., running out of network buffers) were not logged. 199. [bug] isc_heap_delete() sometimes violated the heap invariant, causing timer events not to be posted when due. 198. [func] Dispatch managers hold memory pools which any managed dispatcher may use. This allows us to avoid dipping into the memory context for most allocations. [19-May-2000 explorer] 197. [bug] When an incoming AXFR or IXFR completes, the zone's internal state is refreshed from the SOA data. [19-May-2000 explorer] 196. [func] Dispatchers can be shared easily between views and/or interfaces. [19-May-2000 explorer] 195. [bug] Including the NXT record of the root domain in a negative response caused an assertion failure. 194. [doc] The PDF version of the Administrator's Reference Manual is no longer included in the ISC BIND9 distribution. 193. [func] changed dst_key_free() prototype. 192. [bug] Zone configuration validation is now done at end of config file parsing, and before loading callbacks. 191. [func] Patched to compile on UnixWare 7.x. This platform is not directly supported by the ISC. 190. [cleanup] The DNSSEC tools have been moved to a separate directory dnssec/ and given the following new, more descriptive names: dnssec-keygen dnssec-signzone dnssec-signkey dnssec-makekeyset Their command line arguments have also been changed to be more consistent. dnssec-keygen now prints the name of the generated key files (sans extension) on standard output to simplify its use in automated scripts. 189. [func] isc_time_secondsastimet(), a new function, will ensure that the number of seconds in an isc_time_t does not exceed the range of a time_t, or return ISC_R_RANGE. Similarly, isc_time_now(), isc_time_nowplusinterval(), isc_time_add() and isc_time_subtract() now check the range for overflow/underflow. In the case of isc_time_subtract, this changed a calling requirement (ie, something that could generate an assertion) into merely a condition that returns an error result. isc_time_add() and isc_time_subtract() were void- valued before but now return isc_result_t. 188. [func] Log a warning message when an incoming zone transfer contains out-of-zone data. 187. [func] isc_ratelimiter_enqueue() has an additional argument 'task'. 186. [func] dns_request_getresponse() has an additional argument 'preserve_order'. 185. [bug] Fixed up handling of ISC_MEMCLUSTER_LEGACY. Several public functions did not have an isc__ prefix, and referred to functions that had previously been renamed. 184. [cleanup] Variables/functions which began with two leading underscores were made to conform to the ANSI/ISO standard, which says that such names are reserved. 183. [func] ISC_LOG_PRINTTAG option for log channels. Useful for logging the program name or other identifier. 182. [cleanup] New command-line parameters for dnssec tools 181. [func] Added dst_key_buildfilename and dst_key_parsefilename 180. [func] New isc_result_t ISC_R_RANGE. Supersedes DNS_R_RANGE. 179. [func] options named.conf statement *must* now come before any zone or view statements. 178. [func] Post-load of named.conf check verifies a slave zone has non-empty list of masters defined. 177. [func] New per-zone boolean: enable-zone yes | no ; intended to let a zone be disabled without having to comment out the entire zone statement. 176. [func] New global and per-view option: max-cache-ttl number 175. [func] New global and per-view option: additional-data internal | minimal | maximal; 174. [func] New public function isc_sockaddr_format(), for formatting socket addresses in log messages. 173. [func] Keep a queue of zones waiting for zone transfer quota so that a new transfer can be dispatched immediately whenever quota becomes available. 172. [bug] $TTL directive was sometimes missing from dumped master files because totext_ctx_init() failed to initialize ctx->current_ttl_valid. 171. [cleanup] On NetBSD systems, the mit-pthreads or unproven-pthreads library is now always used unless --with-ptl2 is explicitly specified on the configure command line. The --with-mit-pthreads option is no longer needed and has been removed. 170. [cleanup] Remove inter server consistency checks from zone, these should return as a separate module in 9.1. dns_zone_checkservers(), dns_zone_checkparents(), dns_zone_checkchildren(), dns_zone_checkglue(). Remove dns_zone_setadb(), dns_zone_setresolver(), dns_zone_setrequestmgr() these should now be found via the view. 169. [func] ratelimiter can now process N events per interval. 168. [bug] include statements in named.conf caused syntax errors due to not consuming the semicolon ending the include statement before switching input streams. 167. [bug] Make lack of masters for a slave zone a soft error. 166. [bug] Keygen was overwriting existing keys if key_id conflicted, now it will retry, and non-null keys with key_id == 0 are not generated anymore. Key was not able to generate NOAUTHCONF DSA key, increased RSA key size to 2048 bits. 165. [cleanup] Silence "end-of-loop condition not reached" warnings from Solaris compiler. 164. [func] Added functions isc_stdio_open(), isc_stdio_close(), isc_stdio_seek(), isc_stdio_read(), isc_stdio_write(), isc_stdio_flush(), isc_stdio_sync(), isc_file_remove() to encapsulate nonportable usage of errno and sync. 163. [func] Added result codes ISC_R_FILENOTFOUND and ISC_R_FILEEXISTS. 162. [bug] Ensure proper range for arguments to ctype.h functions. 161. [cleanup] error in yyparse prototype that only HPUX caught. 160. [cleanup] getnet*() are not going to be implemented at this stage. 159. [func] Redefinition of config file elements is now an error (instead of a warning). 158. [bug] Log channel and category list copy routines weren't assigning properly to output parameter. 157. [port] Fix missing prototype for getopt(). 156. [func] Support new 'database' statement in zone. database "quoted-string"; 155. [bug] ns_notify_start() was not detaching the found zone. 154. [func] The signer now logs libdns warnings to stderr even when not verbose, and in a nicer format. 153. [func] dns_rdata_tostruct() 'mctx' is now optional. If 'mctx' is NULL then you need to preserve the 'rdata' until you have finished using the structure as there may be references to the associated memory. If 'mctx' is non-NULL it is guaranteed that there are no references to memory associated with 'rdata'. dns_rdata_freestruct() must be called if 'mctx' was non-NULL and may safely be called if 'mctx' was NULL. 152. [bug] keygen dumped core if domain name argument was omitted from command line. 151. [func] Support 'disabled' statement in zone config (causes zone to be parsed and then ignored). Currently must come after the 'type' clause. 150. [func] Support optional ports in masters and also-notify statements: masters [ port xxx ] { y.y.y.y [ port zzz ] ; } 149. [cleanup] Removed unused argument 'olist' from dns_c_view_unsetordering(). 148. [cleanup] Stop issuing some warnings about some configuration file statements that were not implemented, but now are. 147. [bug] Changed yacc union size to be smaller for yaccs that put yacc-stack on the real stack. 146. [cleanup] More general redundant header file cleanup. Rather than continuing to itemize every header which changed, this changelog entry just notes that if a header file did not need another header file that it was including in order to provide its advertised functionality, the inclusion of the other header file was removed. See util/check-includes for how this was tested. 145. [cleanup] Added and ISC_LANG_BEGINDECLS/ ISC_LANG_ENDDECLS to header files that had function prototypes, and removed it from those that did not. 144. [cleanup] libdns header files too numerous to name were made to conform to the same style for multiple inclusion protection. 143. [func] Added function dns_rdatatype_isknown(). 142. [cleanup] does not need or . 141. [bug] Corrupt requests with multiple questions could cause an assertion failure. 140. [cleanup] does not need or . 139. [cleanup] now includes instead of and . 138. [cleanup] isc_strtouq moved from str.[ch] to string.[ch] and renamed isc_string_touint64. isc_strsep moved from strsep.c to string.c and renamed isc_string_separate. 137. [cleanup] , , , and made to conform to the same style for multiple inclusion protection. 136. [cleanup] , , and Win32's needed ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS. 135. [cleanup] Win32's did not need or , now uses in place of , and needed ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS. 134. [cleanup] does not need . 133. [cleanup] needs . 132. [cleanup] does not need , but does need . 131. [cleanup] and need for ISC_R_* codes used in macros. 130. [cleanup] does not need or , and now includes instead of . 129. [bug] The 'default_debug' log channel was not set up when 'category default' was present in the config file 128. [cleanup] had ISC_LANG_BEGINDECLS instead of ISC_LANG_ENDDECLS at end of header. 127. [cleanup] The contracts for the comparison routines dns_name_fullcompare(), dns_name_compare(), dns_name_rdatacompare(), and dns_rdata_compare() now specify that the order value returned is < 0, 0, or > 0 instead of -1, 0, or 1. 126. [cleanup] and need . 125. [cleanup] , , , , , , and do not need . 124. [func] signer now imports parent's zone key signature and creates null keys/sets zone status bit for children when necessary 123. [cleanup] does not need . 122. [cleanup] does not need or . 121. [cleanup] does not need or . Multiple inclusion protection symbol fixed from ISC_SYMBOL_H to ISC_SYMTAB_H. isc_symtab_t moved to . 120. [cleanup] does not need , , , or . 119. [cleanup] structure definitions for generic rdata structures do not have _generic_ in their names. 118. [cleanup] libdns.a is now namespace-clean, on NetBSD, excepting YACC crust (yyparse, etc) [2000-apr-27 explorer] 117. [cleanup] libdns.a changes: dns_zone_clearnotify() and dns_zone_addnotify() are replaced by dns_zone_setnotifyalso(). dns_zone_clearmasters() and dns_zone_addmaster() are replaced by dns_zone_setmasters(). 116. [func] Added for isc_offset_t (aka off_t on Unix systems). 115. [port] Shut up the -Wmissing-declarations warning about 's __sputaux on BSD/OS pre-4.1. 114. [cleanup] does not need or . 113. [func] Utility programs dig and host added. 112. [cleanup] does not need . 111. [cleanup] does not need or . 110. [cleanup] does not need or . 109. [bug] "make depend" did nothing for bin/tests/{db,mem,sockaddr,tasks,timers}/. 108. [cleanup] DNS_SETBIT/DNS_GETBIT/DNS_CLEARBIT moved from to and renamed to DNS_BIT_SET/DNS_BIT_GET/DNS_BIT_CLEAR. 107. [func] Add keysigner and keysettool. 106. [func] Allow dnssec verifications to ignore the validity period. Used by several of the dnssec tools. 105. [doc] doc/dev/coding.html expanded with other implicit conventions the developers have used. 104. [bug] Made compress_add and compress_find static to lib/dns/compress.c. 103. [func] libisc buffer API changes for : Added: isc_buffer_base(b) (pointer) isc_buffer_current(b) (pointer) isc_buffer_active(b) (pointer) isc_buffer_used(b) (pointer) isc_buffer_length(b) (int) isc_buffer_usedlength(b) (int) isc_buffer_consumedlength(b) (int) isc_buffer_remaininglength(b) (int) isc_buffer_activelength(b) (int) isc_buffer_availablelength(b) (int) Removed: ISC_BUFFER_USEDCOUNT(b) ISC_BUFFER_AVAILABLECOUNT(b) isc_buffer_type(b) Changed names: isc_buffer_used(b, r) -> isc_buffer_usedregion(b, r) isc_buffer_available(b, r) -> isc_buffer_available_region(b, r) isc_buffer_consumed(b, r) -> isc_buffer_consumedregion(b, r) isc_buffer_active(b, r) -> isc_buffer_activeregion(b, r) isc_buffer_remaining(b, r) -> isc_buffer_remainingregion(b, r) Buffer types were removed, so the ISC_BUFFERTYPE_* macros are no more, and the type argument to isc_buffer_init and isc_buffer_allocate were removed. isc_buffer_putstr is now void (instead of isc_result_t) and requires that the caller ensure that there is enough available buffer space for the string. 102. [port] Correctly detect inet_aton, inet_pton and inet_ptop on BSD/OS 4.1. 101. [cleanup] Quieted EGCS warnings from lib/isc/print.c. 100. [cleanup] does not need or . isc_random_t moved to . 99. [cleanup] Rate limiter now has separate shutdown() and destroy() functions, and it guarantees that all queued events are delivered even in the shutdown case. 98. [cleanup] does not need or unless ISC_PLATFORM_NEEDVSNPRINTF is defined. 97. [cleanup] does not need or . 96. [cleanup] does not need . 95. [cleanup] does not need . 94. [cleanup] Some installed header files did not compile as C++. 93. [cleanup] does not need . 92. [cleanup] does not need , , or . 91. [cleanup] does not need or . 90. [cleanup] Removed unneeded ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS from . 89. [cleanup] does not need . 88. [cleanup] does not need or . isc_interface_t and isc_interfaceiter_t moved to . 87. [cleanup] does not need , or . 86. [cleanup] isc_bufferlist_t moved from to . 85. [cleanup] does not need , , , or . 84. [func] allow-query ACL checks now apply to all data added to a response. 83. [func] If the server is authoritative for both a delegating zone and its (nonsecure) delegatee, and a query is made for a KEY RR at the top of the delegatee, then the server will look for a KEY in the delegator if it is not found in the delegatee. 82. [cleanup] does not need . 81. [cleanup] and do not need . 80. [cleanup] does not need or . 79. [cleanup] does not need . 78. [cleanup] lwres_conftest renamed to lwresconf_test for consistency with other *_test programs. 77. [cleanup] typedef of isc_time_t and isc_interval_t moved from to . 76. [cleanup] Rewrote keygen. 75. [func] Don't load a zone if its database file is older than the last time the zone was loaded. 74. [cleanup] Removed mktemplate.o and ufile.o from libisc.a, subsumed by file.o. 73. [func] New "file" API in libisc, including new function isc_file_getmodtime, isc_mktemplate renamed to isc_file_mktemplate and isc_ufile renamed to isc_file_openunique. By no means an exhaustive API, it is just what's needed for now. 72. [func] DNS_RBTFIND_NOPREDECESSOR and DNS_RBTFIND_NOOPTIONS added for dns_rbt_findnode, the former to disable the setting of the chain to the predecessor, and the latter to make clear when no options are set. 71. [cleanup] Made explicit the implicit REQUIREs of isc_time_seconds, isc_time_nanoseconds, and isc_time_subtract. 70. [func] isc_time_set() added. 69. [bug] The zone object's master and also-notify lists grew longer with each server reload. 68. [func] Partial support for SIG(0) on incoming messages. 67. [performance] Allow use of alternate (compile-time supplied) OpenSSL libraries/headers. 66. [func] Data in authoritative zones should have a trust level beyond secure. 65. [cleanup] Removed obsolete typedef of dns_zone_callbackarg_t from . 64. [func] The RBT, DB, and zone table APIs now allow the caller find the most-enclosing superdomain of a name. 63. [func] Generate NOTIFY messages. 62. [func] Add UDP refresh support. 61. [cleanup] Use single quotes consistently in log messages. 60. [func] Catch and disallow singleton types on message parse. 59. [bug] Cause net/host unreachable to be a hard error when sending and receiving. 58. [bug] bin/named/query.c could sometimes trigger the (client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) == 0 assertion in query_newname(). 57. [func] Added dns_nxt_typepresent() 56. [bug] SIG records were not properly returned in cached negative answers. 55. [bug] Responses containing multiple names in the authority section were not negatively cached. 54. [bug] If a fetch with sigrdataset==NULL joined one with sigrdataset!=NULL or vice versa, the resolver could catch an assertion or lose signature data, respectively. 53. [port] freebsd 4.0: lib/isc/unix/socket.c requires . 52. [bug] rndc: taskmgr and socketmgr were not initialized to NULL. 51. [cleanup] dns/compress.h and dns/zt.h did not need to include dns/rbt.h; it was needed only by compress.c and zt.c. 50. [func] RBT deletion no longer requires a valid chain to work, and dns_rbt_deletenode was added. 49. [func] Each cache now has its own mctx. 48. [func] isc_task_create() no longer takes an mctx. isc_task_mem() has been eliminated. 47. [func] A number of modules now use memory context reference counting. 46. [func] Memory contexts are now reference counted. Added isc_mem_inuse() and isc_mem_preallocate(). Renamed isc_mem_destroy_check() to isc_mem_setdestroycheck(). 45. [bug] The trusted-key statement incorrectly loaded keys. 44. [bug] Don't include authority data if it would force us to unset the AD bit in the message. 43. [bug] DNSSEC verification of cached rdatasets was failing. 42. [cleanup] Simplified logging of messages with embedded domain names by introducing a new convenience function dns_name_format(). 41. [func] Use PR_SET_KEEPCAPS on Linux 2.3.99-pre3 and later to allow 'named' to run as a non-root user while retaining the ability to bind() to privileged ports. 40. [func] Introduced new logging category "dnssec" and logging module "dns/validator". 39. [cleanup] Moved the typedefs for isc_region_t, isc_textregion_t, and isc_lex_t to . 38. [bug] TSIG signed incoming zone transfers work now. 37. [bug] If the first RR in an incoming zone transfer was not an SOA, the server died with an assertion failure instead of just reporting an error. 36. [cleanup] Change DNS_R_SUCCESS (and others) to ISC_R_SUCCESS 35. [performance] Log messages which are of a level too high to be logged by any channel in the logging configuration will not cause the log mutex to be locked. 34. [bug] Recursion was allowed even with 'recursion no'. 33. [func] The RBT now maintains a parent pointer at each node. 32. [cleanup] bin/lwresd/client.c needs for memset() prototype. 31. [bug] Use ${LIBTOOL} to compile bin/named/main.@O@. 30. [func] config file grammar change to support optional class type for a view. 29. [func] support new config file view options: auth-nxdomain recursion query-source query-source-v6 transfer-source transfer-source-v6 max-transfer-time-out max-transfer-idle-out transfer-format request-ixfr provide-ixfr cleaning-interval fetch-glue notify rfc2308-type1 lame-ttl max-ncache-ttl min-roots 28. [func] support lame-ttl, min-roots and serial-queries config global options. 27. [bug] Only include on BSD/OS 4.[01]*. Including it on other platforms (eg, NetBSD) can cause a forced #error from the C preprocessor. 26. [func] new match-clients statement in config file view. 25. [bug] make install failed to install and . 24. [cleanup] Eliminate some unnecessary #includes of header files from header files. 23. [cleanup] Provide more context in log messages about client requests, using a new function ns_client_log(). 22. [bug] SIGs weren't returned in the answer section when the query resulted in a fetch. 21. [port] Look at STD_CINCLUDES after CINCLUDES during compilation, so additional system include directories can be searched but header files in the bind9 source tree with conflicting names take precedence. This avoids issues with installed versions of dnssafe and openssl. 20. [func] Configuration file post-load validation of zones failed if there were no zones. 19. [bug] dns_zone_notifyreceive() failed to unlock the zone lock in certain error cases. 18. [bug] Use AC_TRY_LINK rather than AC_TRY_COMPILE in configure.in to check for presence of in6addr_any. 17. [func] Do configuration file post-load validation of zones. 16. [bug] put quotes around key names on config file output to avoid possible keyword clashes. 15. [func] Add dns_name_dupwithoffsets(). This function is improves comparison performance for duped names. 14. [bug] free_rbtdb() could have 'put' unallocated memory in an unlikely error path. 13. [bug] lib/dns/master.c and lib/dns/xfrin.c didn't ignore out-of-zone data. 12. [bug] Fixed possible uninitialized variable error. 11. [bug] axfr_rrstream_first() didn't check the result code of db_rr_iterator_first(), possibly causing an assertion to be triggered later. 10. [bug] A bug in the code which makes EDNS0 OPT records in bin/named/client.c and lib/dns/resolver.c could trigger an assertion. 9. [cleanup] replaced bit-setting code in confctx.c and replaced repeated code with macro calls. 8. [bug] Shutdown of incoming zone transfer accessed freed memory. 7. [cleanup] removed 'listen-on' from view statement. 6. [bug] quote RR names when generating config file to prevent possible clash with config file keywords (such as 'key'). 5. [func] syntax change to named.conf file: new ssu grant/deny statements must now be enclosed by an 'update-policy' block. 4. [port] bin/named/unix/os.c didn't compile on systems with linux 2.3 kernel includes due to conflicts between C library includes and the kernel includes. We now get only what we need from , and avoid pulling in other linux kernel .h files. 3. [bug] TKEYs go in the answer section of responses, not the additional section. 2. [bug] Generating cryptographic randomness failed on systems without /dev/random. 1. [bug] The installdirs rule in lib/isc/unix/include/isc/Makefile.in had a typo which prevented the isc directory from being created if it didn't exist. --- 9.0.0b2 released --- # This tells Emacs to use hard tabs in this file. # Local Variables: # indent-tabs-mode: t # End: Index: head/contrib/bind9/bin/named/server.c =================================================================== --- head/contrib/bind9/bin/named/server.c (revision 205291) +++ head/contrib/bind9/bin/named/server.c (revision 205292) @@ -1,5537 +1,5539 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.520.12.11 2009/12/24 00:17:47 each Exp $ */ +/* $Id: server.c,v 1.520.12.11.8.2 2010/02/25 10:57:11 tbox Exp $ */ /*! \file */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifdef DLZ #include #endif #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifdef HAVE_LIBSCF #include #include #endif /*% * Check an operation for failure. Assumes that the function * using it has a 'result' variable and a 'cleanup' label. */ #define CHECK(op) \ do { result = (op); \ if (result != ISC_R_SUCCESS) goto cleanup; \ } while (0) #define CHECKM(op, msg) \ do { result = (op); \ if (result != ISC_R_SUCCESS) { \ isc_log_write(ns_g_lctx, \ NS_LOGCATEGORY_GENERAL, \ NS_LOGMODULE_SERVER, \ ISC_LOG_ERROR, \ "%s: %s", msg, \ isc_result_totext(result)); \ goto cleanup; \ } \ } while (0) \ #define CHECKMF(op, msg, file) \ do { result = (op); \ if (result != ISC_R_SUCCESS) { \ isc_log_write(ns_g_lctx, \ NS_LOGCATEGORY_GENERAL, \ NS_LOGMODULE_SERVER, \ ISC_LOG_ERROR, \ "%s '%s': %s", msg, file, \ isc_result_totext(result)); \ goto cleanup; \ } \ } while (0) \ #define CHECKFATAL(op, msg) \ do { result = (op); \ if (result != ISC_R_SUCCESS) \ fatal(msg, result); \ } while (0) \ struct ns_dispatch { isc_sockaddr_t addr; unsigned int dispatchgen; dns_dispatch_t *dispatch; ISC_LINK(struct ns_dispatch) link; }; struct dumpcontext { isc_mem_t *mctx; isc_boolean_t dumpcache; isc_boolean_t dumpzones; FILE *fp; ISC_LIST(struct viewlistentry) viewlist; struct viewlistentry *view; struct zonelistentry *zone; dns_dumpctx_t *mdctx; dns_db_t *db; dns_db_t *cache; isc_task_t *task; dns_dbversion_t *version; }; struct viewlistentry { dns_view_t *view; ISC_LINK(struct viewlistentry) link; ISC_LIST(struct zonelistentry) zonelist; }; struct zonelistentry { dns_zone_t *zone; ISC_LINK(struct zonelistentry) link; }; /* * These zones should not leak onto the Internet. */ static const struct { const char *zone; isc_boolean_t rfc1918; } empty_zones[] = { #ifdef notyet /* RFC 1918 */ { "10.IN-ADDR.ARPA", ISC_TRUE }, { "16.172.IN-ADDR.ARPA", ISC_TRUE }, { "17.172.IN-ADDR.ARPA", ISC_TRUE }, { "18.172.IN-ADDR.ARPA", ISC_TRUE }, { "19.172.IN-ADDR.ARPA", ISC_TRUE }, { "20.172.IN-ADDR.ARPA", ISC_TRUE }, { "21.172.IN-ADDR.ARPA", ISC_TRUE }, { "22.172.IN-ADDR.ARPA", ISC_TRUE }, { "23.172.IN-ADDR.ARPA", ISC_TRUE }, { "24.172.IN-ADDR.ARPA", ISC_TRUE }, { "25.172.IN-ADDR.ARPA", ISC_TRUE }, { "26.172.IN-ADDR.ARPA", ISC_TRUE }, { "27.172.IN-ADDR.ARPA", ISC_TRUE }, { "28.172.IN-ADDR.ARPA", ISC_TRUE }, { "29.172.IN-ADDR.ARPA", ISC_TRUE }, { "30.172.IN-ADDR.ARPA", ISC_TRUE }, { "31.172.IN-ADDR.ARPA", ISC_TRUE }, { "168.192.IN-ADDR.ARPA", ISC_TRUE }, #endif /* RFC 3330 */ { "0.IN-ADDR.ARPA", ISC_FALSE }, /* THIS NETWORK */ { "127.IN-ADDR.ARPA", ISC_FALSE }, /* LOOPBACK */ { "254.169.IN-ADDR.ARPA", ISC_FALSE }, /* LINK LOCAL */ { "2.0.192.IN-ADDR.ARPA", ISC_FALSE }, /* TEST NET */ { "255.255.255.255.IN-ADDR.ARPA", ISC_FALSE }, /* BROADCAST */ /* Local IPv6 Unicast Addresses */ { "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA", ISC_FALSE }, { "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA", ISC_FALSE }, /* LOCALLY ASSIGNED LOCAL ADDRESS SCOPE */ { "D.F.IP6.ARPA", ISC_FALSE }, { "8.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */ { "9.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */ { "A.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */ { "B.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */ { NULL, ISC_FALSE } }; static void fatal(const char *msg, isc_result_t result); static void ns_server_reload(isc_task_t *task, isc_event_t *event); static isc_result_t ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config, cfg_aclconfctx_t *actx, isc_mem_t *mctx, ns_listenelt_t **target); static isc_result_t ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config, cfg_aclconfctx_t *actx, isc_mem_t *mctx, ns_listenlist_t **target); static isc_result_t configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin, const cfg_obj_t *forwarders, const cfg_obj_t *forwardtype); static isc_result_t configure_alternates(const cfg_obj_t *config, dns_view_t *view, const cfg_obj_t *alternates); static isc_result_t configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view, cfg_aclconfctx_t *aclconf); static void end_reserved_dispatches(ns_server_t *server, isc_boolean_t all); /*% * Configure a single view ACL at '*aclp'. Get its configuration from * 'vconfig' (for per-view configuration) and maybe from 'config' */ static isc_result_t configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config, const char *aclname, cfg_aclconfctx_t *actx, isc_mem_t *mctx, dns_acl_t **aclp) { isc_result_t result; const cfg_obj_t *maps[3]; const cfg_obj_t *aclobj = NULL; int i = 0; if (*aclp != NULL) dns_acl_detach(aclp); if (vconfig != NULL) maps[i++] = cfg_tuple_get(vconfig, "options"); if (config != NULL) { const cfg_obj_t *options = NULL; (void)cfg_map_get(config, "options", &options); if (options != NULL) maps[i++] = options; } maps[i] = NULL; (void)ns_config_get(maps, aclname, &aclobj); if (aclobj == NULL) /* * No value available. *aclp == NULL. */ return (ISC_R_SUCCESS); result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx, actx, mctx, 0, aclp); return (result); } /*% * Configure a sortlist at '*aclp'. Essentially the same as * configure_view_acl() except it calls cfg_acl_fromconfig with a * nest_level value of 2. */ static isc_result_t configure_view_sortlist(const cfg_obj_t *vconfig, const cfg_obj_t *config, cfg_aclconfctx_t *actx, isc_mem_t *mctx, dns_acl_t **aclp) { isc_result_t result; const cfg_obj_t *maps[3]; const cfg_obj_t *aclobj = NULL; int i = 0; if (*aclp != NULL) dns_acl_detach(aclp); if (vconfig != NULL) maps[i++] = cfg_tuple_get(vconfig, "options"); if (config != NULL) { const cfg_obj_t *options = NULL; (void)cfg_map_get(config, "options", &options); if (options != NULL) maps[i++] = options; } maps[i] = NULL; (void)ns_config_get(maps, "sortlist", &aclobj); if (aclobj == NULL) return (ISC_R_SUCCESS); /* * Use a nest level of 3 for the "top level" of the sortlist; * this means each entry in the top three levels will be stored * as lists of separate, nested ACLs, rather than merged together * into IP tables as is usually done with ACLs. */ result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx, actx, mctx, 3, aclp); return (result); } static isc_result_t configure_view_dnsseckey(const cfg_obj_t *vconfig, const cfg_obj_t *key, dns_keytable_t *keytable, isc_mem_t *mctx) { dns_rdataclass_t viewclass; dns_rdata_dnskey_t keystruct; isc_uint32_t flags, proto, alg; const char *keystr, *keynamestr; unsigned char keydata[4096]; isc_buffer_t keydatabuf; unsigned char rrdata[4096]; isc_buffer_t rrdatabuf; isc_region_t r; dns_fixedname_t fkeyname; dns_name_t *keyname; isc_buffer_t namebuf; isc_result_t result; dst_key_t *dstkey = NULL; flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags")); proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol")); alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm")); keyname = dns_fixedname_name(&fkeyname); keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name")); if (vconfig == NULL) viewclass = dns_rdataclass_in; else { const cfg_obj_t *classobj = cfg_tuple_get(vconfig, "class"); CHECK(ns_config_getclass(classobj, dns_rdataclass_in, &viewclass)); } keystruct.common.rdclass = viewclass; keystruct.common.rdtype = dns_rdatatype_dnskey; /* * The key data in keystruct is not dynamically allocated. */ keystruct.mctx = NULL; ISC_LINK_INIT(&keystruct.common, link); if (flags > 0xffff) CHECKM(ISC_R_RANGE, "key flags"); if (proto > 0xff) CHECKM(ISC_R_RANGE, "key protocol"); if (alg > 0xff) CHECKM(ISC_R_RANGE, "key algorithm"); keystruct.flags = (isc_uint16_t)flags; keystruct.protocol = (isc_uint8_t)proto; keystruct.algorithm = (isc_uint8_t)alg; isc_buffer_init(&keydatabuf, keydata, sizeof(keydata)); isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata)); keystr = cfg_obj_asstring(cfg_tuple_get(key, "key")); CHECK(isc_base64_decodestring(keystr, &keydatabuf)); isc_buffer_usedregion(&keydatabuf, &r); keystruct.datalen = r.length; keystruct.data = r.base; if ((keystruct.algorithm == DST_ALG_RSASHA1 || keystruct.algorithm == DST_ALG_RSAMD5) && r.length > 1 && r.base[0] == 1 && r.base[1] == 3) cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING, "trusted key '%s' has a weak exponent", keynamestr); CHECK(dns_rdata_fromstruct(NULL, keystruct.common.rdclass, keystruct.common.rdtype, &keystruct, &rrdatabuf)); dns_fixedname_init(&fkeyname); isc_buffer_init(&namebuf, keynamestr, strlen(keynamestr)); isc_buffer_add(&namebuf, strlen(keynamestr)); CHECK(dns_name_fromtext(keyname, &namebuf, dns_rootname, ISC_FALSE, NULL)); CHECK(dst_key_fromdns(keyname, viewclass, &rrdatabuf, mctx, &dstkey)); CHECK(dns_keytable_add(keytable, &dstkey)); INSIST(dstkey == NULL); return (ISC_R_SUCCESS); cleanup: if (result == DST_R_NOCRYPTO) { cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR, "ignoring trusted key for '%s': no crypto support", keynamestr); result = ISC_R_SUCCESS; } else { cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR, "configuring trusted key for '%s': %s", keynamestr, isc_result_totext(result)); result = ISC_R_FAILURE; } if (dstkey != NULL) dst_key_free(&dstkey); return (result); } /*% * Configure DNSSEC keys for a view. Currently used only for * the security roots. * * The per-view configuration values and the server-global defaults are read * from 'vconfig' and 'config'. The variable to be configured is '*target'. */ static isc_result_t configure_view_dnsseckeys(const cfg_obj_t *vconfig, const cfg_obj_t *config, isc_mem_t *mctx, dns_keytable_t **target) { isc_result_t result; const cfg_obj_t *keys = NULL; const cfg_obj_t *voptions = NULL; const cfg_listelt_t *element, *element2; const cfg_obj_t *keylist; const cfg_obj_t *key; dns_keytable_t *keytable = NULL; CHECK(dns_keytable_create(mctx, &keytable)); if (vconfig != NULL) voptions = cfg_tuple_get(vconfig, "options"); keys = NULL; if (voptions != NULL) (void)cfg_map_get(voptions, "trusted-keys", &keys); if (keys == NULL) (void)cfg_map_get(config, "trusted-keys", &keys); for (element = cfg_list_first(keys); element != NULL; element = cfg_list_next(element)) { keylist = cfg_listelt_value(element); for (element2 = cfg_list_first(keylist); element2 != NULL; element2 = cfg_list_next(element2)) { key = cfg_listelt_value(element2); CHECK(configure_view_dnsseckey(vconfig, key, keytable, mctx)); } } dns_keytable_detach(target); *target = keytable; /* Transfer ownership. */ keytable = NULL; result = ISC_R_SUCCESS; cleanup: return (result); } static isc_result_t mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver) { const cfg_listelt_t *element; const cfg_obj_t *obj; const char *str; dns_fixedname_t fixed; dns_name_t *name; isc_boolean_t value; isc_result_t result; isc_buffer_t b; dns_fixedname_init(&fixed); name = dns_fixedname_name(&fixed); for (element = cfg_list_first(mbs); element != NULL; element = cfg_list_next(element)) { obj = cfg_listelt_value(element); str = cfg_obj_asstring(cfg_tuple_get(obj, "name")); isc_buffer_init(&b, str, strlen(str)); isc_buffer_add(&b, strlen(str)); CHECK(dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL)); value = cfg_obj_asboolean(cfg_tuple_get(obj, "value")); CHECK(dns_resolver_setmustbesecure(resolver, name, value)); } result = ISC_R_SUCCESS; cleanup: return (result); } /*% * Get a dispatch appropriate for the resolver of a given view. */ static isc_result_t get_view_querysource_dispatch(const cfg_obj_t **maps, int af, dns_dispatch_t **dispatchp, isc_boolean_t is_firstview) { isc_result_t result; dns_dispatch_t *disp; isc_sockaddr_t sa; unsigned int attrs, attrmask; const cfg_obj_t *obj = NULL; unsigned int maxdispatchbuffers; /* * Make compiler happy. */ result = ISC_R_FAILURE; switch (af) { case AF_INET: result = ns_config_get(maps, "query-source", &obj); INSIST(result == ISC_R_SUCCESS); break; case AF_INET6: result = ns_config_get(maps, "query-source-v6", &obj); INSIST(result == ISC_R_SUCCESS); break; default: INSIST(0); } sa = *(cfg_obj_assockaddr(obj)); INSIST(isc_sockaddr_pf(&sa) == af); /* * If we don't support this address family, we're done! */ switch (af) { case AF_INET: result = isc_net_probeipv4(); break; case AF_INET6: result = isc_net_probeipv6(); break; default: INSIST(0); } if (result != ISC_R_SUCCESS) return (ISC_R_SUCCESS); /* * Try to find a dispatcher that we can share. */ attrs = 0; attrs |= DNS_DISPATCHATTR_UDP; switch (af) { case AF_INET: attrs |= DNS_DISPATCHATTR_IPV4; break; case AF_INET6: attrs |= DNS_DISPATCHATTR_IPV6; break; } if (isc_sockaddr_getport(&sa) == 0) { attrs |= DNS_DISPATCHATTR_EXCLUSIVE; maxdispatchbuffers = 4096; } else { INSIST(obj != NULL); if (is_firstview) { cfg_obj_log(obj, ns_g_lctx, ISC_LOG_INFO, "using specific query-source port " "suppresses port randomization and can be " "insecure."); } maxdispatchbuffers = 1000; } attrmask = 0; attrmask |= DNS_DISPATCHATTR_UDP; attrmask |= DNS_DISPATCHATTR_TCP; attrmask |= DNS_DISPATCHATTR_IPV4; attrmask |= DNS_DISPATCHATTR_IPV6; disp = NULL; result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr, ns_g_taskmgr, &sa, 4096, maxdispatchbuffers, 32768, 16411, 16433, attrs, attrmask, &disp); if (result != ISC_R_SUCCESS) { isc_sockaddr_t any; char buf[ISC_SOCKADDR_FORMATSIZE]; switch (af) { case AF_INET: isc_sockaddr_any(&any); break; case AF_INET6: isc_sockaddr_any6(&any); break; } if (isc_sockaddr_equal(&sa, &any)) return (ISC_R_SUCCESS); isc_sockaddr_format(&sa, buf, sizeof(buf)); isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_ERROR, "could not get query source dispatcher (%s)", buf); return (result); } *dispatchp = disp; return (ISC_R_SUCCESS); } static isc_result_t configure_order(dns_order_t *order, const cfg_obj_t *ent) { dns_rdataclass_t rdclass; dns_rdatatype_t rdtype; const cfg_obj_t *obj; dns_fixedname_t fixed; unsigned int mode = 0; const char *str; isc_buffer_t b; isc_result_t result; isc_boolean_t addroot; result = ns_config_getclass(cfg_tuple_get(ent, "class"), dns_rdataclass_any, &rdclass); if (result != ISC_R_SUCCESS) return (result); result = ns_config_gettype(cfg_tuple_get(ent, "type"), dns_rdatatype_any, &rdtype); if (result != ISC_R_SUCCESS) return (result); obj = cfg_tuple_get(ent, "name"); if (cfg_obj_isstring(obj)) str = cfg_obj_asstring(obj); else str = "*"; addroot = ISC_TF(strcmp(str, "*") == 0); isc_buffer_init(&b, str, strlen(str)); isc_buffer_add(&b, strlen(str)); dns_fixedname_init(&fixed); result = dns_name_fromtext(dns_fixedname_name(&fixed), &b, dns_rootname, ISC_FALSE, NULL); if (result != ISC_R_SUCCESS) return (result); obj = cfg_tuple_get(ent, "ordering"); INSIST(cfg_obj_isstring(obj)); str = cfg_obj_asstring(obj); if (!strcasecmp(str, "fixed")) mode = DNS_RDATASETATTR_FIXEDORDER; else if (!strcasecmp(str, "random")) mode = DNS_RDATASETATTR_RANDOMIZE; else if (!strcasecmp(str, "cyclic")) mode = 0; else INSIST(0); /* * "*" should match everything including the root (BIND 8 compat). * As dns_name_matcheswildcard(".", "*.") returns FALSE add a * explicit entry for "." when the name is "*". */ if (addroot) { result = dns_order_add(order, dns_rootname, rdtype, rdclass, mode); if (result != ISC_R_SUCCESS) return (result); } return (dns_order_add(order, dns_fixedname_name(&fixed), rdtype, rdclass, mode)); } static isc_result_t configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) { isc_netaddr_t na; dns_peer_t *peer; const cfg_obj_t *obj; const char *str; isc_result_t result; unsigned int prefixlen; cfg_obj_asnetprefix(cfg_map_getname(cpeer), &na, &prefixlen); peer = NULL; result = dns_peer_newprefix(mctx, &na, prefixlen, &peer); if (result != ISC_R_SUCCESS) return (result); obj = NULL; (void)cfg_map_get(cpeer, "bogus", &obj); if (obj != NULL) CHECK(dns_peer_setbogus(peer, cfg_obj_asboolean(obj))); obj = NULL; (void)cfg_map_get(cpeer, "provide-ixfr", &obj); if (obj != NULL) CHECK(dns_peer_setprovideixfr(peer, cfg_obj_asboolean(obj))); obj = NULL; (void)cfg_map_get(cpeer, "request-ixfr", &obj); if (obj != NULL) CHECK(dns_peer_setrequestixfr(peer, cfg_obj_asboolean(obj))); obj = NULL; (void)cfg_map_get(cpeer, "request-nsid", &obj); if (obj != NULL) CHECK(dns_peer_setrequestnsid(peer, cfg_obj_asboolean(obj))); obj = NULL; (void)cfg_map_get(cpeer, "edns", &obj); if (obj != NULL) CHECK(dns_peer_setsupportedns(peer, cfg_obj_asboolean(obj))); obj = NULL; (void)cfg_map_get(cpeer, "edns-udp-size", &obj); if (obj != NULL) { isc_uint32_t udpsize = cfg_obj_asuint32(obj); if (udpsize < 512) udpsize = 512; if (udpsize > 4096) udpsize = 4096; CHECK(dns_peer_setudpsize(peer, (isc_uint16_t)udpsize)); } obj = NULL; (void)cfg_map_get(cpeer, "max-udp-size", &obj); if (obj != NULL) { isc_uint32_t udpsize = cfg_obj_asuint32(obj); if (udpsize < 512) udpsize = 512; if (udpsize > 4096) udpsize = 4096; CHECK(dns_peer_setmaxudp(peer, (isc_uint16_t)udpsize)); } obj = NULL; (void)cfg_map_get(cpeer, "transfers", &obj); if (obj != NULL) CHECK(dns_peer_settransfers(peer, cfg_obj_asuint32(obj))); obj = NULL; (void)cfg_map_get(cpeer, "transfer-format", &obj); if (obj != NULL) { str = cfg_obj_asstring(obj); if (strcasecmp(str, "many-answers") == 0) CHECK(dns_peer_settransferformat(peer, dns_many_answers)); else if (strcasecmp(str, "one-answer") == 0) CHECK(dns_peer_settransferformat(peer, dns_one_answer)); else INSIST(0); } obj = NULL; (void)cfg_map_get(cpeer, "keys", &obj); if (obj != NULL) { result = dns_peer_setkeybycharp(peer, cfg_obj_asstring(obj)); if (result != ISC_R_SUCCESS) goto cleanup; } obj = NULL; if (na.family == AF_INET) (void)cfg_map_get(cpeer, "transfer-source", &obj); else (void)cfg_map_get(cpeer, "transfer-source-v6", &obj); if (obj != NULL) { result = dns_peer_settransfersource(peer, cfg_obj_assockaddr(obj)); if (result != ISC_R_SUCCESS) goto cleanup; ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj)); } obj = NULL; if (na.family == AF_INET) (void)cfg_map_get(cpeer, "notify-source", &obj); else (void)cfg_map_get(cpeer, "notify-source-v6", &obj); if (obj != NULL) { result = dns_peer_setnotifysource(peer, cfg_obj_assockaddr(obj)); if (result != ISC_R_SUCCESS) goto cleanup; ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj)); } obj = NULL; if (na.family == AF_INET) (void)cfg_map_get(cpeer, "query-source", &obj); else (void)cfg_map_get(cpeer, "query-source-v6", &obj); if (obj != NULL) { result = dns_peer_setquerysource(peer, cfg_obj_assockaddr(obj)); if (result != ISC_R_SUCCESS) goto cleanup; ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj)); } *peerp = peer; return (ISC_R_SUCCESS); cleanup: dns_peer_detach(&peer); return (result); } static isc_result_t disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) { isc_result_t result; const cfg_obj_t *algorithms; const cfg_listelt_t *element; const char *str; dns_fixedname_t fixed; dns_name_t *name; isc_buffer_t b; dns_fixedname_init(&fixed); name = dns_fixedname_name(&fixed); str = cfg_obj_asstring(cfg_tuple_get(disabled, "name")); isc_buffer_init(&b, str, strlen(str)); isc_buffer_add(&b, strlen(str)); CHECK(dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL)); algorithms = cfg_tuple_get(disabled, "algorithms"); for (element = cfg_list_first(algorithms); element != NULL; element = cfg_list_next(element)) { isc_textregion_t r; dns_secalg_t alg; DE_CONST(cfg_obj_asstring(cfg_listelt_value(element)), r.base); r.length = strlen(r.base); result = dns_secalg_fromtext(&alg, &r); if (result != ISC_R_SUCCESS) { isc_uint8_t ui; result = isc_parse_uint8(&ui, r.base, 10); alg = ui; } if (result != ISC_R_SUCCESS) { cfg_obj_log(cfg_listelt_value(element), ns_g_lctx, ISC_LOG_ERROR, "invalid algorithm"); CHECK(result); } CHECK(dns_resolver_disable_algorithm(resolver, name, alg)); } cleanup: return (result); } static isc_boolean_t on_disable_list(const cfg_obj_t *disablelist, dns_name_t *zonename) { const cfg_listelt_t *element; dns_fixedname_t fixed; dns_name_t *name; isc_result_t result; const cfg_obj_t *value; const char *str; isc_buffer_t b; dns_fixedname_init(&fixed); name = dns_fixedname_name(&fixed); for (element = cfg_list_first(disablelist); element != NULL; element = cfg_list_next(element)) { value = cfg_listelt_value(element); str = cfg_obj_asstring(value); isc_buffer_init(&b, str, strlen(str)); isc_buffer_add(&b, strlen(str)); result = dns_name_fromtext(name, &b, dns_rootname, ISC_TRUE, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); if (dns_name_equal(name, zonename)) return (ISC_TRUE); } return (ISC_FALSE); } static void check_dbtype(dns_zone_t **zonep, unsigned int dbtypec, const char **dbargv, isc_mem_t *mctx) { char **argv = NULL; unsigned int i; isc_result_t result; result = dns_zone_getdbtype(*zonep, &argv, mctx); if (result != ISC_R_SUCCESS) { dns_zone_detach(zonep); return; } /* * Check that all the arguments match. */ for (i = 0; i < dbtypec; i++) if (argv[i] == NULL || strcmp(argv[i], dbargv[i]) != 0) { dns_zone_detach(zonep); break; } /* * Check that there are not extra arguments. */ if (i == dbtypec && argv[i] != NULL) dns_zone_detach(zonep); isc_mem_free(mctx, argv); } static isc_result_t setquerystats(dns_zone_t *zone, isc_mem_t *mctx, isc_boolean_t on) { isc_result_t result; isc_stats_t *zoneqrystats; zoneqrystats = NULL; if (on) { result = isc_stats_create(mctx, &zoneqrystats, dns_nsstatscounter_max); if (result != ISC_R_SUCCESS) return (result); } dns_zone_setrequeststats(zone, zoneqrystats); if (zoneqrystats != NULL) isc_stats_detach(&zoneqrystats); return (ISC_R_SUCCESS); } static isc_boolean_t cache_reusable(dns_view_t *originview, dns_view_t *view, isc_boolean_t new_zero_no_soattl) { if (originview->checknames != view->checknames || dns_resolver_getzeronosoattl(originview->resolver) != new_zero_no_soattl || originview->acceptexpired != view->acceptexpired || originview->enablevalidation != view->enablevalidation || originview->maxcachettl != view->maxcachettl || originview->maxncachettl != view->maxncachettl) { return (ISC_FALSE); } return (ISC_TRUE); } /* * Configure 'view' according to 'vconfig', taking defaults from 'config' * where values are missing in 'vconfig'. * * When configuring the default view, 'vconfig' will be NULL and the * global defaults in 'config' used exclusively. */ static isc_result_t configure_view(dns_view_t *view, const cfg_obj_t *config, const cfg_obj_t *vconfig, isc_mem_t *mctx, cfg_aclconfctx_t *actx, isc_boolean_t need_hints) { const cfg_obj_t *maps[4]; const cfg_obj_t *cfgmaps[3]; const cfg_obj_t *options = NULL; const cfg_obj_t *voptions = NULL; const cfg_obj_t *forwardtype; const cfg_obj_t *forwarders; const cfg_obj_t *alternates; const cfg_obj_t *zonelist; #ifdef DLZ const cfg_obj_t *dlz; unsigned int dlzargc; char **dlzargv; #endif const cfg_obj_t *disabled; const cfg_obj_t *obj; const cfg_listelt_t *element; in_port_t port; dns_cache_t *cache = NULL; isc_result_t result; isc_uint32_t max_adb_size; isc_uint32_t max_cache_size; isc_uint32_t max_acache_size; isc_uint32_t lame_ttl; dns_tsig_keyring_t *ring; dns_view_t *pview = NULL; /* Production view */ isc_mem_t *cmctx; dns_dispatch_t *dispatch4 = NULL; dns_dispatch_t *dispatch6 = NULL; isc_boolean_t reused_cache = ISC_FALSE; int i; const char *str; dns_order_t *order = NULL; isc_uint32_t udpsize; unsigned int resopts = 0; dns_zone_t *zone = NULL; isc_uint32_t max_clients_per_query; const char *sep = ": view "; const char *viewname = view->name; const char *forview = " for view "; isc_boolean_t rfc1918; isc_boolean_t empty_zones_enable; const cfg_obj_t *disablelist = NULL; isc_stats_t *resstats = NULL; dns_stats_t *resquerystats = NULL; isc_boolean_t zero_no_soattl; REQUIRE(DNS_VIEW_VALID(view)); cmctx = NULL; if (config != NULL) (void)cfg_map_get(config, "options", &options); i = 0; if (vconfig != NULL) { voptions = cfg_tuple_get(vconfig, "options"); maps[i++] = voptions; } if (options != NULL) maps[i++] = options; maps[i++] = ns_g_defaults; maps[i] = NULL; i = 0; if (voptions != NULL) cfgmaps[i++] = voptions; if (config != NULL) cfgmaps[i++] = config; cfgmaps[i] = NULL; if (!strcmp(viewname, "_default")) { sep = ""; viewname = ""; forview = ""; } /* * Set the view's port number for outgoing queries. */ CHECKM(ns_config_getport(config, &port), "port"); dns_view_setdstport(view, port); /* * Create additional cache for this view and zones under the view * if explicitly enabled. * XXX950 default to on. */ obj = NULL; (void)ns_config_get(maps, "acache-enable", &obj); if (obj != NULL && cfg_obj_asboolean(obj)) { cmctx = NULL; CHECK(isc_mem_create(0, 0, &cmctx)); CHECK(dns_acache_create(&view->acache, cmctx, ns_g_taskmgr, ns_g_timermgr)); isc_mem_setname(cmctx, "acache", NULL); isc_mem_detach(&cmctx); } if (view->acache != NULL) { obj = NULL; result = ns_config_get(maps, "acache-cleaning-interval", &obj); INSIST(result == ISC_R_SUCCESS); dns_acache_setcleaninginterval(view->acache, cfg_obj_asuint32(obj) * 60); obj = NULL; result = ns_config_get(maps, "max-acache-size", &obj); INSIST(result == ISC_R_SUCCESS); if (cfg_obj_isstring(obj)) { str = cfg_obj_asstring(obj); INSIST(strcasecmp(str, "unlimited") == 0); max_acache_size = ISC_UINT32_MAX; } else { isc_resourcevalue_t value; value = cfg_obj_asuint64(obj); if (value > ISC_UINT32_MAX) { cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR, "'max-acache-size " "%" ISC_PRINT_QUADFORMAT "d' is too large", value); result = ISC_R_RANGE; goto cleanup; } max_acache_size = (isc_uint32_t)value; } dns_acache_setcachesize(view->acache, max_acache_size); } /* * Configure the zones. */ zonelist = NULL; if (voptions != NULL) (void)cfg_map_get(voptions, "zone", &zonelist); else (void)cfg_map_get(config, "zone", &zonelist); for (element = cfg_list_first(zonelist); element != NULL; element = cfg_list_next(element)) { const cfg_obj_t *zconfig = cfg_listelt_value(element); CHECK(configure_zone(config, zconfig, vconfig, mctx, view, actx)); } #ifdef DLZ /* * Create Dynamically Loadable Zone driver. */ dlz = NULL; if (voptions != NULL) (void)cfg_map_get(voptions, "dlz", &dlz); else (void)cfg_map_get(config, "dlz", &dlz); obj = NULL; if (dlz != NULL) { (void)cfg_map_get(cfg_tuple_get(dlz, "options"), "database", &obj); if (obj != NULL) { char *s = isc_mem_strdup(mctx, cfg_obj_asstring(obj)); if (s == NULL) { result = ISC_R_NOMEMORY; goto cleanup; } result = dns_dlzstrtoargv(mctx, s, &dlzargc, &dlzargv); if (result != ISC_R_SUCCESS) { isc_mem_free(mctx, s); goto cleanup; } obj = cfg_tuple_get(dlz, "name"); result = dns_dlzcreate(mctx, cfg_obj_asstring(obj), dlzargv[0], dlzargc, dlzargv, &view->dlzdatabase); isc_mem_free(mctx, s); isc_mem_put(mctx, dlzargv, dlzargc * sizeof(*dlzargv)); if (result != ISC_R_SUCCESS) goto cleanup; } } #endif /* * Obtain configuration parameters that affect the decision of whether * we can reuse/share an existing cache. */ /* Check-names. */ obj = NULL; result = ns_checknames_get(maps, "response", &obj); INSIST(result == ISC_R_SUCCESS); str = cfg_obj_asstring(obj); if (strcasecmp(str, "fail") == 0) { resopts |= DNS_RESOLVER_CHECKNAMES | DNS_RESOLVER_CHECKNAMESFAIL; view->checknames = ISC_TRUE; } else if (strcasecmp(str, "warn") == 0) { resopts |= DNS_RESOLVER_CHECKNAMES; view->checknames = ISC_FALSE; } else if (strcasecmp(str, "ignore") == 0) { view->checknames = ISC_FALSE; } else INSIST(0); obj = NULL; result = ns_config_get(maps, "zero-no-soa-ttl-cache", &obj); INSIST(result == ISC_R_SUCCESS); zero_no_soattl = cfg_obj_asboolean(obj); obj = NULL; result = ns_config_get(maps, "dnssec-accept-expired", &obj); INSIST(result == ISC_R_SUCCESS); view->acceptexpired = cfg_obj_asboolean(obj); obj = NULL; result = ns_config_get(maps, "dnssec-validation", &obj); INSIST(result == ISC_R_SUCCESS); view->enablevalidation = cfg_obj_asboolean(obj); obj = NULL; result = ns_config_get(maps, "max-cache-ttl", &obj); INSIST(result == ISC_R_SUCCESS); view->maxcachettl = cfg_obj_asuint32(obj); obj = NULL; result = ns_config_get(maps, "max-ncache-ttl", &obj); INSIST(result == ISC_R_SUCCESS); view->maxncachettl = cfg_obj_asuint32(obj); if (view->maxncachettl > 7 * 24 * 3600) view->maxncachettl = 7 * 24 * 3600; /* * Configure the view's cache. Try to reuse an existing * cache if possible, otherwise create a new cache. * Note that the ADB is not preserved in either case. * When a matching view is found, the associated statistics are * also retrieved and reused. * * XXX Determining when it is safe to reuse a cache is tricky. * When the view's configuration changes, the cached data may become * invalid because it reflects our old view of the world. We check * some of the configuration parameters that could invalidate the cache, * but there are other configuration options that should be checked. * For example, if a view uses a forwarder, changes in the forwarder * configuration may invalidate the cache. At the moment, it's the * administrator's responsibility to ensure these configuration options * don't invalidate reusing. */ result = dns_viewlist_find(&ns_g_server->viewlist, view->name, view->rdclass, &pview); if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS) goto cleanup; if (pview != NULL) { if (cache_reusable(pview, view, zero_no_soattl)) { INSIST(pview->cache != NULL); isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(3), "reusing existing cache"); reused_cache = ISC_TRUE; dns_cache_attach(pview->cache, &cache); } else { isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(1), "cache cannot be reused for view %s " "due to configuration parameter mismatch", view->name); } dns_view_getresstats(pview, &resstats); dns_view_getresquerystats(pview, &resquerystats); dns_view_detach(&pview); } if (cache == NULL) { CHECK(isc_mem_create(0, 0, &cmctx)); CHECK(dns_cache_create(cmctx, ns_g_taskmgr, ns_g_timermgr, view->rdclass, "rbt", 0, NULL, &cache)); isc_mem_setname(cmctx, "cache", NULL); } dns_view_setcache(view, cache); /* * cache-file cannot be inherited if views are present, but this * should be caught by the configuration checking stage. */ obj = NULL; result = ns_config_get(maps, "cache-file", &obj); if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") != 0) { CHECK(dns_cache_setfilename(cache, cfg_obj_asstring(obj))); if (!reused_cache) CHECK(dns_cache_load(cache)); } obj = NULL; result = ns_config_get(maps, "cleaning-interval", &obj); INSIST(result == ISC_R_SUCCESS); dns_cache_setcleaninginterval(cache, cfg_obj_asuint32(obj) * 60); obj = NULL; result = ns_config_get(maps, "max-cache-size", &obj); INSIST(result == ISC_R_SUCCESS); if (cfg_obj_isstring(obj)) { str = cfg_obj_asstring(obj); INSIST(strcasecmp(str, "unlimited") == 0); max_cache_size = ISC_UINT32_MAX; } else { isc_resourcevalue_t value; value = cfg_obj_asuint64(obj); if (value > ISC_UINT32_MAX) { cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR, "'max-cache-size " "%" ISC_PRINT_QUADFORMAT "d' is too large", value); result = ISC_R_RANGE; goto cleanup; } max_cache_size = (isc_uint32_t)value; } dns_cache_setcachesize(cache, max_cache_size); dns_cache_detach(&cache); /* * Resolver. * * XXXRTH Hardwired number of tasks. */ CHECK(get_view_querysource_dispatch(maps, AF_INET, &dispatch4, ISC_TF(ISC_LIST_PREV(view, link) == NULL))); CHECK(get_view_querysource_dispatch(maps, AF_INET6, &dispatch6, ISC_TF(ISC_LIST_PREV(view, link) == NULL))); if (dispatch4 == NULL && dispatch6 == NULL) { UNEXPECTED_ERROR(__FILE__, __LINE__, "unable to obtain neither an IPv4 nor" " an IPv6 dispatch"); result = ISC_R_UNEXPECTED; goto cleanup; } CHECK(dns_view_createresolver(view, ns_g_taskmgr, 31, ns_g_socketmgr, ns_g_timermgr, resopts, ns_g_dispatchmgr, dispatch4, dispatch6)); if (resstats == NULL) { CHECK(isc_stats_create(mctx, &resstats, dns_resstatscounter_max)); } dns_view_setresstats(view, resstats); if (resquerystats == NULL) CHECK(dns_rdatatypestats_create(mctx, &resquerystats)); dns_view_setresquerystats(view, resquerystats); /* * Set the ADB cache size to 1/8th of the max-cache-size. */ max_adb_size = 0; if (max_cache_size != 0) { max_adb_size = max_cache_size / 8; if (max_adb_size == 0) max_adb_size = 1; /* Force minimum. */ } dns_adb_setadbsize(view->adb, max_adb_size); /* * Set resolver's lame-ttl. */ obj = NULL; result = ns_config_get(maps, "lame-ttl", &obj); INSIST(result == ISC_R_SUCCESS); lame_ttl = cfg_obj_asuint32(obj); if (lame_ttl > 1800) lame_ttl = 1800; dns_resolver_setlamettl(view->resolver, lame_ttl); /* * Set the resolver's EDNS UDP size. */ obj = NULL; result = ns_config_get(maps, "edns-udp-size", &obj); INSIST(result == ISC_R_SUCCESS); udpsize = cfg_obj_asuint32(obj); if (udpsize < 512) udpsize = 512; if (udpsize > 4096) udpsize = 4096; dns_resolver_setudpsize(view->resolver, (isc_uint16_t)udpsize); /* * Set the maximum UDP response size. */ obj = NULL; result = ns_config_get(maps, "max-udp-size", &obj); INSIST(result == ISC_R_SUCCESS); udpsize = cfg_obj_asuint32(obj); if (udpsize < 512) udpsize = 512; if (udpsize > 4096) udpsize = 4096; view->maxudp = udpsize; /* * Set supported DNSSEC algorithms. */ dns_resolver_reset_algorithms(view->resolver); disabled = NULL; (void)ns_config_get(maps, "disable-algorithms", &disabled); if (disabled != NULL) { for (element = cfg_list_first(disabled); element != NULL; element = cfg_list_next(element)) CHECK(disable_algorithms(cfg_listelt_value(element), view->resolver)); } /* * A global or view "forwarders" option, if present, * creates an entry for "." in the forwarding table. */ forwardtype = NULL; forwarders = NULL; (void)ns_config_get(maps, "forward", &forwardtype); (void)ns_config_get(maps, "forwarders", &forwarders); if (forwarders != NULL) CHECK(configure_forward(config, view, dns_rootname, forwarders, forwardtype)); /* * Dual Stack Servers. */ alternates = NULL; (void)ns_config_get(maps, "dual-stack-servers", &alternates); if (alternates != NULL) CHECK(configure_alternates(config, view, alternates)); /* * We have default hints for class IN if we need them. */ if (view->rdclass == dns_rdataclass_in && view->hints == NULL) dns_view_sethints(view, ns_g_server->in_roothints); /* * If we still have no hints, this is a non-IN view with no * "hints zone" configured. Issue a warning, except if this * is a root server. Root servers never need to consult * their hints, so it's no point requiring users to configure * them. */ if (view->hints == NULL) { dns_zone_t *rootzone = NULL; (void)dns_view_findzone(view, dns_rootname, &rootzone); if (rootzone != NULL) { dns_zone_detach(&rootzone); need_hints = ISC_FALSE; } if (need_hints) isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_WARNING, "no root hints for view '%s'", view->name); } /* * Configure the view's TSIG keys. */ ring = NULL; CHECK(ns_tsigkeyring_fromconfig(config, vconfig, view->mctx, &ring)); dns_view_setkeyring(view, ring); /* * Configure the view's peer list. */ { const cfg_obj_t *peers = NULL; const cfg_listelt_t *element; dns_peerlist_t *newpeers = NULL; (void)ns_config_get(cfgmaps, "server", &peers); CHECK(dns_peerlist_new(mctx, &newpeers)); for (element = cfg_list_first(peers); element != NULL; element = cfg_list_next(element)) { const cfg_obj_t *cpeer = cfg_listelt_value(element); dns_peer_t *peer; CHECK(configure_peer(cpeer, mctx, &peer)); dns_peerlist_addpeer(newpeers, peer); dns_peer_detach(&peer); } dns_peerlist_detach(&view->peers); view->peers = newpeers; /* Transfer ownership. */ } /* * Configure the views rrset-order. */ { const cfg_obj_t *rrsetorder = NULL; const cfg_listelt_t *element; (void)ns_config_get(maps, "rrset-order", &rrsetorder); CHECK(dns_order_create(mctx, &order)); for (element = cfg_list_first(rrsetorder); element != NULL; element = cfg_list_next(element)) { const cfg_obj_t *ent = cfg_listelt_value(element); CHECK(configure_order(order, ent)); } if (view->order != NULL) dns_order_detach(&view->order); dns_order_attach(order, &view->order); dns_order_detach(&order); } /* * Copy the aclenv object. */ dns_aclenv_copy(&view->aclenv, &ns_g_server->aclenv); /* * Configure the "match-clients" and "match-destinations" ACL. */ CHECK(configure_view_acl(vconfig, config, "match-clients", actx, ns_g_mctx, &view->matchclients)); CHECK(configure_view_acl(vconfig, config, "match-destinations", actx, ns_g_mctx, &view->matchdestinations)); /* * Configure the "match-recursive-only" option. */ obj = NULL; (void)ns_config_get(maps, "match-recursive-only", &obj); if (obj != NULL && cfg_obj_asboolean(obj)) view->matchrecursiveonly = ISC_TRUE; else view->matchrecursiveonly = ISC_FALSE; /* * Configure other configurable data. */ obj = NULL; result = ns_config_get(maps, "recursion", &obj); INSIST(result == ISC_R_SUCCESS); view->recursion = cfg_obj_asboolean(obj); obj = NULL; result = ns_config_get(maps, "auth-nxdomain", &obj); INSIST(result == ISC_R_SUCCESS); view->auth_nxdomain = cfg_obj_asboolean(obj); obj = NULL; result = ns_config_get(maps, "minimal-responses", &obj); INSIST(result == ISC_R_SUCCESS); view->minimalresponses = cfg_obj_asboolean(obj); obj = NULL; result = ns_config_get(maps, "transfer-format", &obj); INSIST(result == ISC_R_SUCCESS); str = cfg_obj_asstring(obj); if (strcasecmp(str, "many-answers") == 0) view->transfer_format = dns_many_answers; else if (strcasecmp(str, "one-answer") == 0) view->transfer_format = dns_one_answer; else INSIST(0); /* * Set sources where additional data and CNAME/DNAME * targets for authoritative answers may be found. */ obj = NULL; result = ns_config_get(maps, "additional-from-auth", &obj); INSIST(result == ISC_R_SUCCESS); view->additionalfromauth = cfg_obj_asboolean(obj); if (view->recursion && ! view->additionalfromauth) { cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING, "'additional-from-auth no' is only supported " "with 'recursion no'"); view->additionalfromauth = ISC_TRUE; } obj = NULL; result = ns_config_get(maps, "additional-from-cache", &obj); INSIST(result == ISC_R_SUCCESS); view->additionalfromcache = cfg_obj_asboolean(obj); if (view->recursion && ! view->additionalfromcache) { cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING, "'additional-from-cache no' is only supported " "with 'recursion no'"); view->additionalfromcache = ISC_TRUE; } /* * Set "allow-query-cache", "allow-query-cache-on", * "allow-recursion", and "allow-recursion-on" acls if * configured in named.conf. */ CHECK(configure_view_acl(vconfig, config, "allow-query-cache", actx, ns_g_mctx, &view->queryacl)); CHECK(configure_view_acl(vconfig, config, "allow-query-cache-on", actx, ns_g_mctx, &view->queryonacl)); if (view->queryonacl == NULL) CHECK(configure_view_acl(NULL, ns_g_config, "allow-query-cache-on", actx, ns_g_mctx, &view->queryonacl)); if (strcmp(view->name, "_bind") != 0) { CHECK(configure_view_acl(vconfig, config, "allow-recursion", actx, ns_g_mctx, &view->recursionacl)); CHECK(configure_view_acl(vconfig, config, "allow-recursion-on", actx, ns_g_mctx, &view->recursiononacl)); } /* * "allow-query-cache" inherits from "allow-recursion" if set, * otherwise from "allow-query" if set. * "allow-recursion" inherits from "allow-query-cache" if set, * otherwise from "allow-query" if set. */ if (view->queryacl == NULL && view->recursionacl != NULL) dns_acl_attach(view->recursionacl, &view->queryacl); if (view->queryacl == NULL && view->recursion) CHECK(configure_view_acl(vconfig, config, "allow-query", actx, ns_g_mctx, &view->queryacl)); if (view->recursion && view->recursionacl == NULL && view->queryacl != NULL) dns_acl_attach(view->queryacl, &view->recursionacl); /* * Set default "allow-recursion", "allow-recursion-on" and * "allow-query-cache" acls. */ if (view->recursionacl == NULL && view->recursion) CHECK(configure_view_acl(NULL, ns_g_config, "allow-recursion", actx, ns_g_mctx, &view->recursionacl)); if (view->recursiononacl == NULL && view->recursion) CHECK(configure_view_acl(NULL, ns_g_config, "allow-recursion-on", actx, ns_g_mctx, &view->recursiononacl)); if (view->queryacl == NULL) { if (view->recursion) CHECK(configure_view_acl(NULL, ns_g_config, "allow-query-cache", actx, ns_g_mctx, &view->queryacl)); else { if (view->queryacl != NULL) dns_acl_detach(&view->queryacl); CHECK(dns_acl_none(ns_g_mctx, &view->queryacl)); } } /* * Configure sortlist, if set */ CHECK(configure_view_sortlist(vconfig, config, actx, ns_g_mctx, &view->sortlist)); /* * Configure default allow-transfer, allow-notify, allow-update * and allow-update-forwarding ACLs, if set, so they can be * inherited by zones. */ if (view->notifyacl == NULL) CHECK(configure_view_acl(NULL, ns_g_config, "allow-notify", actx, ns_g_mctx, &view->notifyacl)); if (view->transferacl == NULL) CHECK(configure_view_acl(NULL, ns_g_config, "allow-transfer", actx, ns_g_mctx, &view->transferacl)); if (view->updateacl == NULL) CHECK(configure_view_acl(NULL, ns_g_config, "allow-update", actx, ns_g_mctx, &view->updateacl)); if (view->upfwdacl == NULL) CHECK(configure_view_acl(NULL, ns_g_config, "allow-update-forwarding", actx, ns_g_mctx, &view->upfwdacl)); obj = NULL; result = ns_config_get(maps, "request-ixfr", &obj); INSIST(result == ISC_R_SUCCESS); view->requestixfr = cfg_obj_asboolean(obj); obj = NULL; result = ns_config_get(maps, "provide-ixfr", &obj); INSIST(result == ISC_R_SUCCESS); view->provideixfr = cfg_obj_asboolean(obj); obj = NULL; result = ns_config_get(maps, "request-nsid", &obj); INSIST(result == ISC_R_SUCCESS); view->requestnsid = cfg_obj_asboolean(obj); obj = NULL; result = ns_config_get(maps, "max-clients-per-query", &obj); INSIST(result == ISC_R_SUCCESS); max_clients_per_query = cfg_obj_asuint32(obj); obj = NULL; result = ns_config_get(maps, "clients-per-query", &obj); INSIST(result == ISC_R_SUCCESS); dns_resolver_setclientsperquery(view->resolver, cfg_obj_asuint32(obj), max_clients_per_query); obj = NULL; result = ns_config_get(maps, "dnssec-enable", &obj); INSIST(result == ISC_R_SUCCESS); view->enablednssec = cfg_obj_asboolean(obj); obj = NULL; result = ns_config_get(maps, "dnssec-lookaside", &obj); if (result == ISC_R_SUCCESS) { for (element = cfg_list_first(obj); element != NULL; element = cfg_list_next(element)) { const char *str; isc_buffer_t b; dns_name_t *dlv; obj = cfg_listelt_value(element); #if 0 dns_fixedname_t fixed; dns_name_t *name; /* * When we support multiple dnssec-lookaside * entries this is how to find the domain to be * checked. XXXMPA */ dns_fixedname_init(&fixed); name = dns_fixedname_name(&fixed); str = cfg_obj_asstring(cfg_tuple_get(obj, "domain")); isc_buffer_init(&b, str, strlen(str)); isc_buffer_add(&b, strlen(str)); CHECK(dns_name_fromtext(name, &b, dns_rootname, ISC_TRUE, NULL)); #endif str = cfg_obj_asstring(cfg_tuple_get(obj, "trust-anchor")); isc_buffer_init(&b, str, strlen(str)); isc_buffer_add(&b, strlen(str)); dlv = dns_fixedname_name(&view->dlv_fixed); CHECK(dns_name_fromtext(dlv, &b, dns_rootname, ISC_TRUE, NULL)); view->dlv = dns_fixedname_name(&view->dlv_fixed); } } else view->dlv = NULL; /* * For now, there is only one kind of trusted keys, the * "security roots". */ CHECK(configure_view_dnsseckeys(vconfig, config, mctx, &view->secroots)); dns_resolver_resetmustbesecure(view->resolver); obj = NULL; result = ns_config_get(maps, "dnssec-must-be-secure", &obj); if (result == ISC_R_SUCCESS) CHECK(mustbesecure(obj, view->resolver)); obj = NULL; result = ns_config_get(maps, "preferred-glue", &obj); if (result == ISC_R_SUCCESS) { str = cfg_obj_asstring(obj); if (strcasecmp(str, "a") == 0) view->preferred_glue = dns_rdatatype_a; else if (strcasecmp(str, "aaaa") == 0) view->preferred_glue = dns_rdatatype_aaaa; else view->preferred_glue = 0; } else view->preferred_glue = 0; obj = NULL; result = ns_config_get(maps, "root-delegation-only", &obj); if (result == ISC_R_SUCCESS) { dns_view_setrootdelonly(view, ISC_TRUE); if (!cfg_obj_isvoid(obj)) { dns_fixedname_t fixed; dns_name_t *name; isc_buffer_t b; const char *str; const cfg_obj_t *exclude; dns_fixedname_init(&fixed); name = dns_fixedname_name(&fixed); for (element = cfg_list_first(obj); element != NULL; element = cfg_list_next(element)) { exclude = cfg_listelt_value(element); str = cfg_obj_asstring(exclude); isc_buffer_init(&b, str, strlen(str)); isc_buffer_add(&b, strlen(str)); CHECK(dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL)); CHECK(dns_view_excludedelegationonly(view, name)); } } } else dns_view_setrootdelonly(view, ISC_FALSE); /* * Setup automatic empty zones. If recursion is off then * they are disabled by default. */ obj = NULL; (void)ns_config_get(maps, "empty-zones-enable", &obj); (void)ns_config_get(maps, "disable-empty-zone", &disablelist); if (obj == NULL && disablelist == NULL && view->rdclass == dns_rdataclass_in) { rfc1918 = ISC_FALSE; empty_zones_enable = view->recursion; } else if (view->rdclass == dns_rdataclass_in) { rfc1918 = ISC_TRUE; if (obj != NULL) empty_zones_enable = cfg_obj_asboolean(obj); else empty_zones_enable = view->recursion; } else { rfc1918 = ISC_FALSE; empty_zones_enable = ISC_FALSE; } if (empty_zones_enable) { const char *empty; int empty_zone = 0; dns_fixedname_t fixed; dns_name_t *name; isc_buffer_t buffer; const char *str; char server[DNS_NAME_FORMATSIZE + 1]; char contact[DNS_NAME_FORMATSIZE + 1]; isc_boolean_t logit; const char *empty_dbtype[4] = { "_builtin", "empty", NULL, NULL }; int empty_dbtypec = 4; isc_boolean_t zonestats_on; dns_fixedname_init(&fixed); name = dns_fixedname_name(&fixed); obj = NULL; result = ns_config_get(maps, "empty-server", &obj); if (result == ISC_R_SUCCESS) { str = cfg_obj_asstring(obj); isc_buffer_init(&buffer, str, strlen(str)); isc_buffer_add(&buffer, strlen(str)); CHECK(dns_name_fromtext(name, &buffer, dns_rootname, ISC_FALSE, NULL)); isc_buffer_init(&buffer, server, sizeof(server) - 1); CHECK(dns_name_totext(name, ISC_FALSE, &buffer)); server[isc_buffer_usedlength(&buffer)] = 0; empty_dbtype[2] = server; } else empty_dbtype[2] = "@"; obj = NULL; result = ns_config_get(maps, "empty-contact", &obj); if (result == ISC_R_SUCCESS) { str = cfg_obj_asstring(obj); isc_buffer_init(&buffer, str, strlen(str)); isc_buffer_add(&buffer, strlen(str)); CHECK(dns_name_fromtext(name, &buffer, dns_rootname, ISC_FALSE, NULL)); isc_buffer_init(&buffer, contact, sizeof(contact) - 1); CHECK(dns_name_totext(name, ISC_FALSE, &buffer)); contact[isc_buffer_usedlength(&buffer)] = 0; empty_dbtype[3] = contact; } else empty_dbtype[3] = "."; obj = NULL; result = ns_config_get(maps, "zone-statistics", &obj); INSIST(result == ISC_R_SUCCESS); zonestats_on = cfg_obj_asboolean(obj); logit = ISC_TRUE; for (empty = empty_zones[empty_zone].zone; empty != NULL; empty = empty_zones[++empty_zone].zone) { dns_forwarders_t *forwarders = NULL; dns_view_t *pview = NULL; isc_buffer_init(&buffer, empty, strlen(empty)); isc_buffer_add(&buffer, strlen(empty)); /* * Look for zone on drop list. */ CHECK(dns_name_fromtext(name, &buffer, dns_rootname, ISC_FALSE, NULL)); if (disablelist != NULL && on_disable_list(disablelist, name)) continue; /* * This zone already exists. */ (void)dns_view_findzone(view, name, &zone); if (zone != NULL) { CHECK(setquerystats(zone, mctx, zonestats_on)); dns_zone_detach(&zone); continue; } /* * If we would forward this name don't add a * empty zone for it. */ result = dns_fwdtable_find(view->fwdtable, name, &forwarders); if (result == ISC_R_SUCCESS && forwarders->fwdpolicy == dns_fwdpolicy_only) continue; if (!rfc1918 && empty_zones[empty_zone].rfc1918) { if (logit) { isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_WARNING, "Warning%s%s: " "'empty-zones-enable/" "disable-empty-zone' " "not set: disabling " "RFC 1918 empty zones", sep, viewname); logit = ISC_FALSE; } continue; } /* * See if we can re-use a existing zone. */ result = dns_viewlist_find(&ns_g_server->viewlist, view->name, view->rdclass, &pview); if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS) goto cleanup; if (pview != NULL) { (void)dns_view_findzone(pview, name, &zone); dns_view_detach(&pview); if (zone != NULL) check_dbtype(&zone, empty_dbtypec, empty_dbtype, mctx); if (zone != NULL) { dns_zone_setview(zone, view); CHECK(dns_view_addzone(view, zone)); CHECK(setquerystats(zone, mctx, zonestats_on)); dns_zone_detach(&zone); continue; } } CHECK(dns_zone_create(&zone, mctx)); CHECK(dns_zone_setorigin(zone, name)); dns_zone_setview(zone, view); CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone)); dns_zone_setclass(zone, view->rdclass); dns_zone_settype(zone, dns_zone_master); dns_zone_setstats(zone, ns_g_server->zonestats); CHECK(dns_zone_setdbtype(zone, empty_dbtypec, empty_dbtype)); if (view->queryacl != NULL) dns_zone_setqueryacl(zone, view->queryacl); if (view->queryonacl != NULL) dns_zone_setqueryonacl(zone, view->queryonacl); dns_zone_setdialup(zone, dns_dialuptype_no); dns_zone_setnotifytype(zone, dns_notifytype_no); dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, ISC_TRUE); CHECK(setquerystats(zone, mctx, zonestats_on)); CHECK(dns_view_addzone(view, zone)); isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "automatic empty zone%s%s: %s", sep, viewname, empty); dns_zone_detach(&zone); } } result = ISC_R_SUCCESS; cleanup: if (zone != NULL) dns_zone_detach(&zone); if (dispatch4 != NULL) dns_dispatch_detach(&dispatch4); if (dispatch6 != NULL) dns_dispatch_detach(&dispatch6); if (resstats != NULL) isc_stats_detach(&resstats); if (resquerystats != NULL) dns_stats_detach(&resquerystats); if (order != NULL) dns_order_detach(&order); if (cmctx != NULL) isc_mem_detach(&cmctx); if (cache != NULL) dns_cache_detach(&cache); return (result); } static isc_result_t configure_hints(dns_view_t *view, const char *filename) { isc_result_t result; dns_db_t *db; db = NULL; result = dns_rootns_create(view->mctx, view->rdclass, filename, &db); if (result == ISC_R_SUCCESS) { dns_view_sethints(view, db); dns_db_detach(&db); } return (result); } static isc_result_t configure_alternates(const cfg_obj_t *config, dns_view_t *view, const cfg_obj_t *alternates) { const cfg_obj_t *portobj; const cfg_obj_t *addresses; const cfg_listelt_t *element; isc_result_t result = ISC_R_SUCCESS; in_port_t port; /* * Determine which port to send requests to. */ if (ns_g_lwresdonly && ns_g_port != 0) port = ns_g_port; else CHECKM(ns_config_getport(config, &port), "port"); if (alternates != NULL) { portobj = cfg_tuple_get(alternates, "port"); if (cfg_obj_isuint32(portobj)) { isc_uint32_t val = cfg_obj_asuint32(portobj); if (val > ISC_UINT16_MAX) { cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR, "port '%u' out of range", val); return (ISC_R_RANGE); } port = (in_port_t) val; } } addresses = NULL; if (alternates != NULL) addresses = cfg_tuple_get(alternates, "addresses"); for (element = cfg_list_first(addresses); element != NULL; element = cfg_list_next(element)) { const cfg_obj_t *alternate = cfg_listelt_value(element); isc_sockaddr_t sa; if (!cfg_obj_issockaddr(alternate)) { dns_fixedname_t fixed; dns_name_t *name; const char *str = cfg_obj_asstring(cfg_tuple_get( alternate, "name")); isc_buffer_t buffer; in_port_t myport = port; isc_buffer_init(&buffer, str, strlen(str)); isc_buffer_add(&buffer, strlen(str)); dns_fixedname_init(&fixed); name = dns_fixedname_name(&fixed); CHECK(dns_name_fromtext(name, &buffer, dns_rootname, ISC_FALSE, NULL)); portobj = cfg_tuple_get(alternate, "port"); if (cfg_obj_isuint32(portobj)) { isc_uint32_t val = cfg_obj_asuint32(portobj); if (val > ISC_UINT16_MAX) { cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR, "port '%u' out of range", val); return (ISC_R_RANGE); } myport = (in_port_t) val; } CHECK(dns_resolver_addalternate(view->resolver, NULL, name, myport)); continue; } sa = *cfg_obj_assockaddr(alternate); if (isc_sockaddr_getport(&sa) == 0) isc_sockaddr_setport(&sa, port); CHECK(dns_resolver_addalternate(view->resolver, &sa, NULL, 0)); } cleanup: return (result); } static isc_result_t configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin, const cfg_obj_t *forwarders, const cfg_obj_t *forwardtype) { const cfg_obj_t *portobj; const cfg_obj_t *faddresses; const cfg_listelt_t *element; dns_fwdpolicy_t fwdpolicy = dns_fwdpolicy_none; isc_sockaddrlist_t addresses; isc_sockaddr_t *sa; isc_result_t result; in_port_t port; ISC_LIST_INIT(addresses); /* * Determine which port to send forwarded requests to. */ if (ns_g_lwresdonly && ns_g_port != 0) port = ns_g_port; else CHECKM(ns_config_getport(config, &port), "port"); if (forwarders != NULL) { portobj = cfg_tuple_get(forwarders, "port"); if (cfg_obj_isuint32(portobj)) { isc_uint32_t val = cfg_obj_asuint32(portobj); if (val > ISC_UINT16_MAX) { cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR, "port '%u' out of range", val); return (ISC_R_RANGE); } port = (in_port_t) val; } } faddresses = NULL; if (forwarders != NULL) faddresses = cfg_tuple_get(forwarders, "addresses"); for (element = cfg_list_first(faddresses); element != NULL; element = cfg_list_next(element)) { const cfg_obj_t *forwarder = cfg_listelt_value(element); sa = isc_mem_get(view->mctx, sizeof(isc_sockaddr_t)); if (sa == NULL) { result = ISC_R_NOMEMORY; goto cleanup; } *sa = *cfg_obj_assockaddr(forwarder); if (isc_sockaddr_getport(sa) == 0) isc_sockaddr_setport(sa, port); ISC_LINK_INIT(sa, link); ISC_LIST_APPEND(addresses, sa, link); } if (ISC_LIST_EMPTY(addresses)) { if (forwardtype != NULL) cfg_obj_log(forwarders, ns_g_lctx, ISC_LOG_WARNING, "no forwarders seen; disabling " "forwarding"); fwdpolicy = dns_fwdpolicy_none; } else { if (forwardtype == NULL) fwdpolicy = dns_fwdpolicy_first; else { const char *forwardstr = cfg_obj_asstring(forwardtype); if (strcasecmp(forwardstr, "first") == 0) fwdpolicy = dns_fwdpolicy_first; else if (strcasecmp(forwardstr, "only") == 0) fwdpolicy = dns_fwdpolicy_only; else INSIST(0); } } result = dns_fwdtable_add(view->fwdtable, origin, &addresses, fwdpolicy); if (result != ISC_R_SUCCESS) { char namebuf[DNS_NAME_FORMATSIZE]; dns_name_format(origin, namebuf, sizeof(namebuf)); cfg_obj_log(forwarders, ns_g_lctx, ISC_LOG_WARNING, "could not set up forwarding for domain '%s': %s", namebuf, isc_result_totext(result)); goto cleanup; } result = ISC_R_SUCCESS; cleanup: while (!ISC_LIST_EMPTY(addresses)) { sa = ISC_LIST_HEAD(addresses); ISC_LIST_UNLINK(addresses, sa, link); isc_mem_put(view->mctx, sa, sizeof(isc_sockaddr_t)); } return (result); } /* * Create a new view and add it to the list. * * If 'vconfig' is NULL, create the default view. * * The view created is attached to '*viewp'. */ static isc_result_t create_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist, dns_view_t **viewp) { isc_result_t result; const char *viewname; dns_rdataclass_t viewclass; dns_view_t *view = NULL; if (vconfig != NULL) { const cfg_obj_t *classobj = NULL; viewname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name")); classobj = cfg_tuple_get(vconfig, "class"); result = ns_config_getclass(classobj, dns_rdataclass_in, &viewclass); } else { viewname = "_default"; viewclass = dns_rdataclass_in; } result = dns_viewlist_find(viewlist, viewname, viewclass, &view); if (result == ISC_R_SUCCESS) return (ISC_R_EXISTS); if (result != ISC_R_NOTFOUND) return (result); INSIST(view == NULL); result = dns_view_create(ns_g_mctx, viewclass, viewname, &view); if (result != ISC_R_SUCCESS) return (result); ISC_LIST_APPEND(*viewlist, view, link); dns_view_attach(view, viewp); return (ISC_R_SUCCESS); } /* * Configure or reconfigure a zone. */ static isc_result_t configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view, cfg_aclconfctx_t *aclconf) { dns_view_t *pview = NULL; /* Production view */ dns_zone_t *zone = NULL; /* New or reused zone */ dns_zone_t *dupzone = NULL; const cfg_obj_t *options = NULL; const cfg_obj_t *zoptions = NULL; const cfg_obj_t *typeobj = NULL; const cfg_obj_t *forwarders = NULL; const cfg_obj_t *forwardtype = NULL; const cfg_obj_t *only = NULL; isc_result_t result; isc_result_t tresult; isc_buffer_t buffer; dns_fixedname_t fixorigin; dns_name_t *origin; const char *zname; dns_rdataclass_t zclass; const char *ztypestr; options = NULL; (void)cfg_map_get(config, "options", &options); zoptions = cfg_tuple_get(zconfig, "options"); /* * Get the zone origin as a dns_name_t. */ zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name")); isc_buffer_init(&buffer, zname, strlen(zname)); isc_buffer_add(&buffer, strlen(zname)); dns_fixedname_init(&fixorigin); CHECK(dns_name_fromtext(dns_fixedname_name(&fixorigin), &buffer, dns_rootname, ISC_FALSE, NULL)); origin = dns_fixedname_name(&fixorigin); CHECK(ns_config_getclass(cfg_tuple_get(zconfig, "class"), view->rdclass, &zclass)); if (zclass != view->rdclass) { const char *vname = NULL; if (vconfig != NULL) vname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name")); else vname = ""; isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_ERROR, "zone '%s': wrong class for view '%s'", zname, vname); result = ISC_R_FAILURE; goto cleanup; } (void)cfg_map_get(zoptions, "type", &typeobj); if (typeobj == NULL) { cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR, "zone '%s' 'type' not specified", zname); return (ISC_R_FAILURE); } ztypestr = cfg_obj_asstring(typeobj); /* * "hints zones" aren't zones. If we've got one, * configure it and return. */ if (strcasecmp(ztypestr, "hint") == 0) { const cfg_obj_t *fileobj = NULL; if (cfg_map_get(zoptions, "file", &fileobj) != ISC_R_SUCCESS) { isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_ERROR, "zone '%s': 'file' not specified", zname); result = ISC_R_FAILURE; goto cleanup; } if (dns_name_equal(origin, dns_rootname)) { const char *hintsfile = cfg_obj_asstring(fileobj); result = configure_hints(view, hintsfile); if (result != ISC_R_SUCCESS) { isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_ERROR, "could not configure root hints " "from '%s': %s", hintsfile, isc_result_totext(result)); goto cleanup; } /* * Hint zones may also refer to delegation only points. */ only = NULL; tresult = cfg_map_get(zoptions, "delegation-only", &only); if (tresult == ISC_R_SUCCESS && cfg_obj_asboolean(only)) CHECK(dns_view_adddelegationonly(view, origin)); } else { isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_WARNING, "ignoring non-root hint zone '%s'", zname); result = ISC_R_SUCCESS; } /* Skip ordinary zone processing. */ goto cleanup; } /* * "forward zones" aren't zones either. Translate this syntax into * the appropriate selective forwarding configuration and return. */ if (strcasecmp(ztypestr, "forward") == 0) { forwardtype = NULL; forwarders = NULL; (void)cfg_map_get(zoptions, "forward", &forwardtype); (void)cfg_map_get(zoptions, "forwarders", &forwarders); result = configure_forward(config, view, origin, forwarders, forwardtype); goto cleanup; } /* * "delegation-only zones" aren't zones either. */ if (strcasecmp(ztypestr, "delegation-only") == 0) { result = dns_view_adddelegationonly(view, origin); goto cleanup; } /* * Check for duplicates in the new zone table. */ result = dns_view_findzone(view, origin, &dupzone); if (result == ISC_R_SUCCESS) { /* * We already have this zone! */ cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR, "zone '%s' already exists", zname); dns_zone_detach(&dupzone); result = ISC_R_EXISTS; goto cleanup; } INSIST(dupzone == NULL); /* * See if we can reuse an existing zone. This is * only possible if all of these are true: * - The zone's view exists * - A zone with the right name exists in the view * - The zone is compatible with the config * options (e.g., an existing master zone cannot * be reused if the options specify a slave zone) */ result = dns_viewlist_find(&ns_g_server->viewlist, view->name, view->rdclass, &pview); if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS) goto cleanup; if (pview != NULL) result = dns_view_findzone(pview, origin, &zone); if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS) goto cleanup; if (zone != NULL && !ns_zone_reusable(zone, zconfig)) dns_zone_detach(&zone); if (zone != NULL) { /* * We found a reusable zone. Make it use the * new view. */ dns_zone_setview(zone, view); if (view->acache != NULL) dns_zone_setacache(zone, view->acache); } else { /* * We cannot reuse an existing zone, we have * to create a new one. */ CHECK(dns_zone_create(&zone, mctx)); CHECK(dns_zone_setorigin(zone, origin)); dns_zone_setview(zone, view); if (view->acache != NULL) dns_zone_setacache(zone, view->acache); CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone)); dns_zone_setstats(zone, ns_g_server->zonestats); } /* * If the zone contains a 'forwarders' statement, configure * selective forwarding. */ forwarders = NULL; if (cfg_map_get(zoptions, "forwarders", &forwarders) == ISC_R_SUCCESS) { forwardtype = NULL; (void)cfg_map_get(zoptions, "forward", &forwardtype); CHECK(configure_forward(config, view, origin, forwarders, forwardtype)); } /* * Stub and forward zones may also refer to delegation only points. */ only = NULL; if (cfg_map_get(zoptions, "delegation-only", &only) == ISC_R_SUCCESS) { if (cfg_obj_asboolean(only)) CHECK(dns_view_adddelegationonly(view, origin)); } /* * Configure the zone. */ CHECK(ns_zone_configure(config, vconfig, zconfig, aclconf, zone)); /* * Add the zone to its view in the new view list. */ CHECK(dns_view_addzone(view, zone)); cleanup: if (zone != NULL) dns_zone_detach(&zone); if (pview != NULL) dns_view_detach(&pview); return (result); } /* * Configure a single server quota. */ static void configure_server_quota(const cfg_obj_t **maps, const char *name, isc_quota_t *quota) { const cfg_obj_t *obj = NULL; isc_result_t result; result = ns_config_get(maps, name, &obj); INSIST(result == ISC_R_SUCCESS); isc_quota_max(quota, cfg_obj_asuint32(obj)); } /* * This function is called as soon as the 'directory' statement has been * parsed. This can be extended to support other options if necessary. */ static isc_result_t directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) { isc_result_t result; const char *directory; REQUIRE(strcasecmp("directory", clausename) == 0); UNUSED(arg); UNUSED(clausename); /* * Change directory. */ directory = cfg_obj_asstring(obj); if (! isc_file_ischdiridempotent(directory)) cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING, "option 'directory' contains relative path '%s'", directory); result = isc_dir_chdir(directory); if (result != ISC_R_SUCCESS) { cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR, "change directory to '%s' failed: %s", directory, isc_result_totext(result)); return (result); } return (ISC_R_SUCCESS); } static void scan_interfaces(ns_server_t *server, isc_boolean_t verbose) { isc_boolean_t match_mapped = server->aclenv.match_mapped; ns_interfacemgr_scan(server->interfacemgr, verbose); /* * Update the "localhost" and "localnets" ACLs to match the * current set of network interfaces. */ dns_aclenv_copy(&server->aclenv, ns_interfacemgr_getaclenv(server->interfacemgr)); server->aclenv.match_mapped = match_mapped; } static isc_result_t add_listenelt(isc_mem_t *mctx, ns_listenlist_t *list, isc_sockaddr_t *addr, isc_boolean_t wcardport_ok) { ns_listenelt_t *lelt = NULL; dns_acl_t *src_acl = NULL; isc_result_t result; isc_sockaddr_t any_sa6; isc_netaddr_t netaddr; REQUIRE(isc_sockaddr_pf(addr) == AF_INET6); isc_sockaddr_any6(&any_sa6); if (!isc_sockaddr_equal(&any_sa6, addr) && (wcardport_ok || isc_sockaddr_getport(addr) != 0)) { isc_netaddr_fromin6(&netaddr, &addr->type.sin6.sin6_addr); result = dns_acl_create(mctx, 0, &src_acl); if (result != ISC_R_SUCCESS) return (result); result = dns_iptable_addprefix(src_acl->iptable, &netaddr, 128, ISC_TRUE); if (result != ISC_R_SUCCESS) goto clean; result = ns_listenelt_create(mctx, isc_sockaddr_getport(addr), src_acl, &lelt); if (result != ISC_R_SUCCESS) goto clean; ISC_LIST_APPEND(list->elts, lelt, link); } return (ISC_R_SUCCESS); clean: INSIST(lelt == NULL); dns_acl_detach(&src_acl); return (result); } /* * Make a list of xxx-source addresses and call ns_interfacemgr_adjust() * to update the listening interfaces accordingly. * We currently only consider IPv6, because this only affects IPv6 wildcard * sockets. */ static void adjust_interfaces(ns_server_t *server, isc_mem_t *mctx) { isc_result_t result; ns_listenlist_t *list = NULL; dns_view_t *view; dns_zone_t *zone, *next; isc_sockaddr_t addr, *addrp; result = ns_listenlist_create(mctx, &list); if (result != ISC_R_SUCCESS) return; for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) { dns_dispatch_t *dispatch6; dispatch6 = dns_resolver_dispatchv6(view->resolver); if (dispatch6 == NULL) continue; result = dns_dispatch_getlocaladdress(dispatch6, &addr); if (result != ISC_R_SUCCESS) goto fail; /* * We always add non-wildcard address regardless of whether * the port is 'any' (the fourth arg is TRUE): if the port is * specific, we need to add it since it may conflict with a * listening interface; if it's zero, we'll dynamically open * query ports, and some of them may override an existing * wildcard IPv6 port. */ result = add_listenelt(mctx, list, &addr, ISC_TRUE); if (result != ISC_R_SUCCESS) goto fail; } zone = NULL; for (result = dns_zone_first(server->zonemgr, &zone); result == ISC_R_SUCCESS; next = NULL, result = dns_zone_next(zone, &next), zone = next) { dns_view_t *zoneview; /* * At this point the zone list may contain a stale zone * just removed from the configuration. To see the validity, * check if the corresponding view is in our current view list. * There may also be old zones that are still in the process * of shutting down and have detached from their old view * (zoneview == NULL). */ zoneview = dns_zone_getview(zone); if (zoneview == NULL) continue; for (view = ISC_LIST_HEAD(server->viewlist); view != NULL && view != zoneview; view = ISC_LIST_NEXT(view, link)) ; if (view == NULL) continue; addrp = dns_zone_getnotifysrc6(zone); result = add_listenelt(mctx, list, addrp, ISC_FALSE); if (result != ISC_R_SUCCESS) goto fail; addrp = dns_zone_getxfrsource6(zone); result = add_listenelt(mctx, list, addrp, ISC_FALSE); if (result != ISC_R_SUCCESS) goto fail; } ns_interfacemgr_adjust(server->interfacemgr, list, ISC_TRUE); clean: ns_listenlist_detach(&list); return; fail: /* * Even when we failed the procedure, most of other interfaces * should work correctly. We therefore just warn it. */ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_WARNING, "could not adjust the listen-on list; " "some interfaces may not work"); goto clean; } /* * This event callback is invoked to do periodic network * interface scanning. */ static void interface_timer_tick(isc_task_t *task, isc_event_t *event) { isc_result_t result; ns_server_t *server = (ns_server_t *) event->ev_arg; INSIST(task == server->task); UNUSED(task); isc_event_free(&event); /* * XXX should scan interfaces unlocked and get exclusive access * only to replace ACLs. */ result = isc_task_beginexclusive(server->task); RUNTIME_CHECK(result == ISC_R_SUCCESS); scan_interfaces(server, ISC_FALSE); isc_task_endexclusive(server->task); } static void heartbeat_timer_tick(isc_task_t *task, isc_event_t *event) { ns_server_t *server = (ns_server_t *) event->ev_arg; dns_view_t *view; UNUSED(task); isc_event_free(&event); view = ISC_LIST_HEAD(server->viewlist); while (view != NULL) { dns_view_dialup(view); view = ISC_LIST_NEXT(view, link); } } static void pps_timer_tick(isc_task_t *task, isc_event_t *event) { static unsigned int oldrequests = 0; unsigned int requests = ns_client_requests; UNUSED(task); isc_event_free(&event); /* * Don't worry about wrapping as the overflow result will be right. */ dns_pps = (requests - oldrequests) / 1200; oldrequests = requests; } /* * Replace the current value of '*field', a dynamically allocated * string or NULL, with a dynamically allocated copy of the * null-terminated string pointed to by 'value', or NULL. */ static isc_result_t setstring(ns_server_t *server, char **field, const char *value) { char *copy; if (value != NULL) { copy = isc_mem_strdup(server->mctx, value); if (copy == NULL) return (ISC_R_NOMEMORY); } else { copy = NULL; } if (*field != NULL) isc_mem_free(server->mctx, *field); *field = copy; return (ISC_R_SUCCESS); } /* * Replace the current value of '*field', a dynamically allocated * string or NULL, with another dynamically allocated string * or NULL if whether 'obj' is a string or void value, respectively. */ static isc_result_t setoptstring(ns_server_t *server, char **field, const cfg_obj_t *obj) { if (cfg_obj_isvoid(obj)) return (setstring(server, field, NULL)); else return (setstring(server, field, cfg_obj_asstring(obj))); } static void set_limit(const cfg_obj_t **maps, const char *configname, const char *description, isc_resource_t resourceid, isc_resourcevalue_t defaultvalue) { const cfg_obj_t *obj = NULL; const char *resource; isc_resourcevalue_t value; isc_result_t result; if (ns_config_get(maps, configname, &obj) != ISC_R_SUCCESS) return; if (cfg_obj_isstring(obj)) { resource = cfg_obj_asstring(obj); if (strcasecmp(resource, "unlimited") == 0) value = ISC_RESOURCE_UNLIMITED; else { INSIST(strcasecmp(resource, "default") == 0); value = defaultvalue; } } else value = cfg_obj_asuint64(obj); result = isc_resource_setlimit(resourceid, value); isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, result == ISC_R_SUCCESS ? ISC_LOG_DEBUG(3) : ISC_LOG_WARNING, "set maximum %s to %" ISC_PRINT_QUADFORMAT "u: %s", description, value, isc_result_totext(result)); } #define SETLIMIT(cfgvar, resource, description) \ set_limit(maps, cfgvar, description, isc_resource_ ## resource, \ ns_g_init ## resource) static void set_limits(const cfg_obj_t **maps) { SETLIMIT("stacksize", stacksize, "stack size"); SETLIMIT("datasize", datasize, "data size"); SETLIMIT("coresize", coresize, "core size"); SETLIMIT("files", openfiles, "open files"); } static void portset_fromconf(isc_portset_t *portset, const cfg_obj_t *ports, isc_boolean_t positive) { const cfg_listelt_t *element; for (element = cfg_list_first(ports); element != NULL; element = cfg_list_next(element)) { const cfg_obj_t *obj = cfg_listelt_value(element); if (cfg_obj_isuint32(obj)) { in_port_t port = (in_port_t)cfg_obj_asuint32(obj); if (positive) isc_portset_add(portset, port); else isc_portset_remove(portset, port); } else { const cfg_obj_t *obj_loport, *obj_hiport; in_port_t loport, hiport; obj_loport = cfg_tuple_get(obj, "loport"); loport = (in_port_t)cfg_obj_asuint32(obj_loport); obj_hiport = cfg_tuple_get(obj, "hiport"); hiport = (in_port_t)cfg_obj_asuint32(obj_hiport); if (positive) isc_portset_addrange(portset, loport, hiport); else { isc_portset_removerange(portset, loport, hiport); } } } } static isc_result_t removed(dns_zone_t *zone, void *uap) { const char *type; if (dns_zone_getview(zone) != uap) return (ISC_R_SUCCESS); switch (dns_zone_gettype(zone)) { case dns_zone_master: type = "master"; break; case dns_zone_slave: type = "slave"; break; case dns_zone_stub: type = "stub"; break; default: type = "other"; break; } dns_zone_log(zone, ISC_LOG_INFO, "(%s) removed", type); return (ISC_R_SUCCESS); } static isc_result_t load_configuration(const char *filename, ns_server_t *server, isc_boolean_t first_time) { cfg_aclconfctx_t aclconfctx; cfg_obj_t *config; cfg_parser_t *parser = NULL; const cfg_listelt_t *element; const cfg_obj_t *builtin_views; const cfg_obj_t *maps[3]; const cfg_obj_t *obj; const cfg_obj_t *options; const cfg_obj_t *usev4ports, *avoidv4ports, *usev6ports, *avoidv6ports; const cfg_obj_t *views; dns_view_t *view = NULL; dns_view_t *view_next; dns_viewlist_t tmpviewlist; dns_viewlist_t viewlist; in_port_t listen_port, udpport_low, udpport_high; int i; isc_interval_t interval; isc_portset_t *v4portset = NULL; isc_portset_t *v6portset = NULL; isc_resourcevalue_t nfiles; isc_result_t result; isc_uint32_t heartbeat_interval; isc_uint32_t interface_interval; isc_uint32_t reserved; isc_uint32_t udpsize; unsigned int maxsocks; cfg_aclconfctx_init(&aclconfctx); ISC_LIST_INIT(viewlist); /* Ensure exclusive access to configuration data. */ result = isc_task_beginexclusive(server->task); RUNTIME_CHECK(result == ISC_R_SUCCESS); /* * Parse the global default pseudo-config file. */ if (first_time) { CHECK(ns_config_parsedefaults(ns_g_parser, &ns_g_config)); RUNTIME_CHECK(cfg_map_get(ns_g_config, "options", &ns_g_defaults) == ISC_R_SUCCESS); } /* * Parse the configuration file using the new config code. */ result = ISC_R_FAILURE; config = NULL; /* * Unless this is lwresd with the -C option, parse the config file. */ if (!(ns_g_lwresdonly && lwresd_g_useresolvconf)) { isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "loading configuration from '%s'", filename); CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &parser)); cfg_parser_setcallback(parser, directory_callback, NULL); result = cfg_parse_file(parser, filename, &cfg_type_namedconf, &config); } /* * If this is lwresd with the -C option, or lwresd with no -C or -c * option where the above parsing failed, parse resolv.conf. */ if (ns_g_lwresdonly && (lwresd_g_useresolvconf || (!ns_g_conffileset && result == ISC_R_FILENOTFOUND))) { isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "loading configuration from '%s'", lwresd_g_resolvconffile); if (parser != NULL) cfg_parser_destroy(&parser); CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &parser)); result = ns_lwresd_parseeresolvconf(ns_g_mctx, parser, &config); } CHECK(result); /* * Check the validity of the configuration. */ CHECK(bind9_check_namedconf(config, ns_g_lctx, ns_g_mctx)); /* * Fill in the maps array, used for resolving defaults. */ i = 0; options = NULL; result = cfg_map_get(config, "options", &options); if (result == ISC_R_SUCCESS) maps[i++] = options; maps[i++] = ns_g_defaults; maps[i++] = NULL; /* * Set process limits, which (usually) needs to be done as root. */ set_limits(maps); /* * Check if max number of open sockets that the system allows is * sufficiently large. Failing this condition is not necessarily fatal, * but may cause subsequent runtime failures for a busy recursive * server. */ result = isc_socketmgr_getmaxsockets(ns_g_socketmgr, &maxsocks); if (result != ISC_R_SUCCESS) maxsocks = 0; result = isc_resource_getcurlimit(isc_resource_openfiles, &nfiles); if (result == ISC_R_SUCCESS && (isc_resourcevalue_t)maxsocks > nfiles) { isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_WARNING, "max open files (%" ISC_PRINT_QUADFORMAT "u)" " is smaller than max sockets (%u)", nfiles, maxsocks); } /* * Set the number of socket reserved for TCP, stdio etc. */ obj = NULL; result = ns_config_get(maps, "reserved-sockets", &obj); INSIST(result == ISC_R_SUCCESS); reserved = cfg_obj_asuint32(obj); if (maxsocks != 0) { if (maxsocks < 128U) /* Prevent underflow. */ reserved = 0; else if (reserved > maxsocks - 128U) /* Minimum UDP space. */ reserved = maxsocks - 128; } /* Minimum TCP/stdio space. */ if (reserved < 128U) reserved = 128; if (reserved + 128U > maxsocks && maxsocks != 0) { isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_WARNING, "less than 128 UDP sockets available after " "applying 'reserved-sockets' and 'maxsockets'"); } isc__socketmgr_setreserved(ns_g_socketmgr, reserved); /* * Configure various server options. */ configure_server_quota(maps, "transfers-out", &server->xfroutquota); configure_server_quota(maps, "tcp-clients", &server->tcpquota); configure_server_quota(maps, "recursive-clients", &server->recursionquota); if (server->recursionquota.max > 1000) isc_quota_soft(&server->recursionquota, server->recursionquota.max - 100); else isc_quota_soft(&server->recursionquota, 0); CHECK(configure_view_acl(NULL, config, "blackhole", &aclconfctx, ns_g_mctx, &server->blackholeacl)); if (server->blackholeacl != NULL) dns_dispatchmgr_setblackhole(ns_g_dispatchmgr, server->blackholeacl); obj = NULL; result = ns_config_get(maps, "match-mapped-addresses", &obj); INSIST(result == ISC_R_SUCCESS); server->aclenv.match_mapped = cfg_obj_asboolean(obj); CHECKM(ns_statschannels_configure(ns_g_server, config, &aclconfctx), "configuring statistics server(s)"); /* * Configure sets of UDP query source ports. */ CHECKM(isc_portset_create(ns_g_mctx, &v4portset), "creating UDP port set"); CHECKM(isc_portset_create(ns_g_mctx, &v6portset), "creating UDP port set"); usev4ports = NULL; usev6ports = NULL; avoidv4ports = NULL; avoidv6ports = NULL; (void)ns_config_get(maps, "use-v4-udp-ports", &usev4ports); if (usev4ports != NULL) portset_fromconf(v4portset, usev4ports, ISC_TRUE); else { CHECKM(isc_net_getudpportrange(AF_INET, &udpport_low, &udpport_high), "get the default UDP/IPv4 port range"); if (udpport_low == udpport_high) isc_portset_add(v4portset, udpport_low); else { isc_portset_addrange(v4portset, udpport_low, udpport_high); } isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "using default UDP/IPv4 port range: [%d, %d]", udpport_low, udpport_high); } (void)ns_config_get(maps, "avoid-v4-udp-ports", &avoidv4ports); if (avoidv4ports != NULL) portset_fromconf(v4portset, avoidv4ports, ISC_FALSE); (void)ns_config_get(maps, "use-v6-udp-ports", &usev6ports); if (usev6ports != NULL) portset_fromconf(v6portset, usev6ports, ISC_TRUE); else { CHECKM(isc_net_getudpportrange(AF_INET6, &udpport_low, &udpport_high), "get the default UDP/IPv6 port range"); if (udpport_low == udpport_high) isc_portset_add(v6portset, udpport_low); else { isc_portset_addrange(v6portset, udpport_low, udpport_high); } isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "using default UDP/IPv6 port range: [%d, %d]", udpport_low, udpport_high); } (void)ns_config_get(maps, "avoid-v6-udp-ports", &avoidv6ports); if (avoidv6ports != NULL) portset_fromconf(v6portset, avoidv6ports, ISC_FALSE); dns_dispatchmgr_setavailports(ns_g_dispatchmgr, v4portset, v6portset); /* * Set the EDNS UDP size when we don't match a view. */ obj = NULL; result = ns_config_get(maps, "edns-udp-size", &obj); INSIST(result == ISC_R_SUCCESS); udpsize = cfg_obj_asuint32(obj); if (udpsize < 512) udpsize = 512; if (udpsize > 4096) udpsize = 4096; ns_g_udpsize = (isc_uint16_t)udpsize; /* * Configure the zone manager. */ obj = NULL; result = ns_config_get(maps, "transfers-in", &obj); INSIST(result == ISC_R_SUCCESS); dns_zonemgr_settransfersin(server->zonemgr, cfg_obj_asuint32(obj)); obj = NULL; result = ns_config_get(maps, "transfers-per-ns", &obj); INSIST(result == ISC_R_SUCCESS); dns_zonemgr_settransfersperns(server->zonemgr, cfg_obj_asuint32(obj)); obj = NULL; result = ns_config_get(maps, "serial-query-rate", &obj); INSIST(result == ISC_R_SUCCESS); dns_zonemgr_setserialqueryrate(server->zonemgr, cfg_obj_asuint32(obj)); /* * Determine which port to use for listening for incoming connections. */ if (ns_g_port != 0) listen_port = ns_g_port; else CHECKM(ns_config_getport(config, &listen_port), "port"); /* * Find the listen queue depth. */ obj = NULL; result = ns_config_get(maps, "tcp-listen-queue", &obj); INSIST(result == ISC_R_SUCCESS); ns_g_listen = cfg_obj_asuint32(obj); if (ns_g_listen < 3) ns_g_listen = 3; /* * Configure the interface manager according to the "listen-on" * statement. */ { const cfg_obj_t *clistenon = NULL; ns_listenlist_t *listenon = NULL; clistenon = NULL; /* * Even though listen-on is present in the default * configuration, we can't use it here, since it isn't * used if we're in lwresd mode. This way is easier. */ if (options != NULL) (void)cfg_map_get(options, "listen-on", &clistenon); if (clistenon != NULL) { result = ns_listenlist_fromconfig(clistenon, config, &aclconfctx, ns_g_mctx, &listenon); } else if (!ns_g_lwresdonly) { /* * Not specified, use default. */ CHECK(ns_listenlist_default(ns_g_mctx, listen_port, ISC_TRUE, &listenon)); } if (listenon != NULL) { ns_interfacemgr_setlistenon4(server->interfacemgr, listenon); ns_listenlist_detach(&listenon); } } /* * Ditto for IPv6. */ { const cfg_obj_t *clistenon = NULL; ns_listenlist_t *listenon = NULL; if (options != NULL) (void)cfg_map_get(options, "listen-on-v6", &clistenon); if (clistenon != NULL) { result = ns_listenlist_fromconfig(clistenon, config, &aclconfctx, ns_g_mctx, &listenon); } else if (!ns_g_lwresdonly) { isc_boolean_t enable; /* * Not specified, use default. */ enable = ISC_TF(isc_net_probeipv4() != ISC_R_SUCCESS); CHECK(ns_listenlist_default(ns_g_mctx, listen_port, enable, &listenon)); } if (listenon != NULL) { ns_interfacemgr_setlistenon6(server->interfacemgr, listenon); ns_listenlist_detach(&listenon); } } /* * Rescan the interface list to pick up changes in the * listen-on option. It's important that we do this before we try * to configure the query source, since the dispatcher we use might * be shared with an interface. */ scan_interfaces(server, ISC_TRUE); /* * Arrange for further interface scanning to occur periodically * as specified by the "interface-interval" option. */ obj = NULL; result = ns_config_get(maps, "interface-interval", &obj); INSIST(result == ISC_R_SUCCESS); interface_interval = cfg_obj_asuint32(obj) * 60; if (interface_interval == 0) { CHECK(isc_timer_reset(server->interface_timer, isc_timertype_inactive, NULL, NULL, ISC_TRUE)); } else if (server->interface_interval != interface_interval) { isc_interval_set(&interval, interface_interval, 0); CHECK(isc_timer_reset(server->interface_timer, isc_timertype_ticker, NULL, &interval, ISC_FALSE)); } server->interface_interval = interface_interval; /* * Configure the dialup heartbeat timer. */ obj = NULL; result = ns_config_get(maps, "heartbeat-interval", &obj); INSIST(result == ISC_R_SUCCESS); heartbeat_interval = cfg_obj_asuint32(obj) * 60; if (heartbeat_interval == 0) { CHECK(isc_timer_reset(server->heartbeat_timer, isc_timertype_inactive, NULL, NULL, ISC_TRUE)); } else if (server->heartbeat_interval != heartbeat_interval) { isc_interval_set(&interval, heartbeat_interval, 0); CHECK(isc_timer_reset(server->heartbeat_timer, isc_timertype_ticker, NULL, &interval, ISC_FALSE)); } server->heartbeat_interval = heartbeat_interval; isc_interval_set(&interval, 1200, 0); CHECK(isc_timer_reset(server->pps_timer, isc_timertype_ticker, NULL, &interval, ISC_FALSE)); /* * Configure and freeze all explicit views. Explicit * views that have zones were already created at parsing * time, but views with no zones must be created here. */ views = NULL; (void)cfg_map_get(config, "view", &views); for (element = cfg_list_first(views); element != NULL; element = cfg_list_next(element)) { const cfg_obj_t *vconfig = cfg_listelt_value(element); view = NULL; CHECK(create_view(vconfig, &viewlist, &view)); INSIST(view != NULL); CHECK(configure_view(view, config, vconfig, ns_g_mctx, &aclconfctx, ISC_TRUE)); dns_view_freeze(view); dns_view_detach(&view); } /* * Make sure we have a default view if and only if there * were no explicit views. */ if (views == NULL) { /* * No explicit views; there ought to be a default view. * There may already be one created as a side effect * of zone statements, or we may have to create one. * In either case, we need to configure and freeze it. */ CHECK(create_view(NULL, &viewlist, &view)); CHECK(configure_view(view, config, NULL, ns_g_mctx, &aclconfctx, ISC_TRUE)); dns_view_freeze(view); dns_view_detach(&view); } /* * Create (or recreate) the built-in views. Currently * there is only one, the _bind view. */ builtin_views = NULL; RUNTIME_CHECK(cfg_map_get(ns_g_config, "view", &builtin_views) == ISC_R_SUCCESS); for (element = cfg_list_first(builtin_views); element != NULL; element = cfg_list_next(element)) { const cfg_obj_t *vconfig = cfg_listelt_value(element); CHECK(create_view(vconfig, &viewlist, &view)); CHECK(configure_view(view, config, vconfig, ns_g_mctx, &aclconfctx, ISC_FALSE)); dns_view_freeze(view); dns_view_detach(&view); view = NULL; } /* * Swap our new view list with the production one. */ tmpviewlist = server->viewlist; server->viewlist = viewlist; viewlist = tmpviewlist; /* * Load the TKEY information from the configuration. */ if (options != NULL) { dns_tkeyctx_t *t = NULL; CHECKM(ns_tkeyctx_fromconfig(options, ns_g_mctx, ns_g_entropy, &t), "configuring TKEY"); if (server->tkeyctx != NULL) dns_tkeyctx_destroy(&server->tkeyctx); server->tkeyctx = t; } /* * Bind the control port(s). */ CHECKM(ns_controls_configure(ns_g_server->controls, config, &aclconfctx), "binding control channel(s)"); /* * Bind the lwresd port(s). */ CHECKM(ns_lwresd_configure(ns_g_mctx, config), "binding lightweight resolver ports"); /* * Open the source of entropy. */ if (first_time) { obj = NULL; result = ns_config_get(maps, "random-device", &obj); if (result != ISC_R_SUCCESS) { isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "no source of entropy found"); } else { const char *randomdev = cfg_obj_asstring(obj); result = isc_entropy_createfilesource(ns_g_entropy, randomdev); if (result != ISC_R_SUCCESS) isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "could not open entropy source " "%s: %s", randomdev, isc_result_totext(result)); #ifdef PATH_RANDOMDEV if (ns_g_fallbackentropy != NULL) { if (result != ISC_R_SUCCESS) { isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "using pre-chroot entropy source " "%s", PATH_RANDOMDEV); isc_entropy_detach(&ns_g_entropy); isc_entropy_attach(ns_g_fallbackentropy, &ns_g_entropy); } isc_entropy_detach(&ns_g_fallbackentropy); } #endif } } /* * Relinquish root privileges. */ if (first_time) ns_os_changeuser(); /* * Check that the working directory is writable. */ if (access(".", W_OK) != 0) { isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_ERROR, "the working directory is not writable"); } /* * Configure the logging system. * * Do this after changing UID to make sure that any log * files specified in named.conf get created by the * unprivileged user, not root. */ if (ns_g_logstderr) { isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "ignoring config file logging " "statement due to -g option"); } else { const cfg_obj_t *logobj = NULL; isc_logconfig_t *logc = NULL; CHECKM(isc_logconfig_create(ns_g_lctx, &logc), "creating new logging configuration"); logobj = NULL; (void)cfg_map_get(config, "logging", &logobj); if (logobj != NULL) { CHECKM(ns_log_configure(logc, logobj), "configuring logging"); } else { CHECKM(ns_log_setdefaultchannels(logc), "setting up default logging channels"); CHECKM(ns_log_setunmatchedcategory(logc), "setting up default 'category unmatched'"); CHECKM(ns_log_setdefaultcategory(logc), "setting up default 'category default'"); } result = isc_logconfig_use(ns_g_lctx, logc); if (result != ISC_R_SUCCESS) { isc_logconfig_destroy(&logc); CHECKM(result, "installing logging configuration"); } isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(1), "now using logging configuration from " "config file"); } /* * Set the default value of the query logging flag depending * whether a "queries" category has been defined. This is * a disgusting hack, but we need to do this for BIND 8 * compatibility. */ if (first_time) { const cfg_obj_t *logobj = NULL; const cfg_obj_t *categories = NULL; obj = NULL; if (ns_config_get(maps, "querylog", &obj) == ISC_R_SUCCESS) { server->log_queries = cfg_obj_asboolean(obj); } else { (void)cfg_map_get(config, "logging", &logobj); if (logobj != NULL) (void)cfg_map_get(logobj, "category", &categories); if (categories != NULL) { const cfg_listelt_t *element; for (element = cfg_list_first(categories); element != NULL; element = cfg_list_next(element)) { const cfg_obj_t *catobj; const char *str; obj = cfg_listelt_value(element); catobj = cfg_tuple_get(obj, "name"); str = cfg_obj_asstring(catobj); if (strcasecmp(str, "queries") == 0) server->log_queries = ISC_TRUE; } } } } obj = NULL; if (ns_config_get(maps, "pid-file", &obj) == ISC_R_SUCCESS) if (cfg_obj_isvoid(obj)) ns_os_writepidfile(NULL, first_time); else ns_os_writepidfile(cfg_obj_asstring(obj), first_time); else if (ns_g_lwresdonly) ns_os_writepidfile(lwresd_g_defaultpidfile, first_time); else ns_os_writepidfile(ns_g_defaultpidfile, first_time); obj = NULL; if (options != NULL && cfg_map_get(options, "memstatistics", &obj) == ISC_R_SUCCESS) ns_g_memstatistics = cfg_obj_asboolean(obj); else ns_g_memstatistics = ISC_TF((isc_mem_debugging & ISC_MEM_DEBUGRECORD) != 0); obj = NULL; if (ns_config_get(maps, "memstatistics-file", &obj) == ISC_R_SUCCESS) ns_main_setmemstats(cfg_obj_asstring(obj)); else if (ns_g_memstatistics) ns_main_setmemstats("named.memstats"); else ns_main_setmemstats(NULL); obj = NULL; result = ns_config_get(maps, "statistics-file", &obj); INSIST(result == ISC_R_SUCCESS); CHECKM(setstring(server, &server->statsfile, cfg_obj_asstring(obj)), "strdup"); obj = NULL; result = ns_config_get(maps, "dump-file", &obj); INSIST(result == ISC_R_SUCCESS); CHECKM(setstring(server, &server->dumpfile, cfg_obj_asstring(obj)), "strdup"); obj = NULL; result = ns_config_get(maps, "recursing-file", &obj); INSIST(result == ISC_R_SUCCESS); CHECKM(setstring(server, &server->recfile, cfg_obj_asstring(obj)), "strdup"); obj = NULL; result = ns_config_get(maps, "version", &obj); if (result == ISC_R_SUCCESS) { CHECKM(setoptstring(server, &server->version, obj), "strdup"); server->version_set = ISC_TRUE; } else { server->version_set = ISC_FALSE; } obj = NULL; result = ns_config_get(maps, "hostname", &obj); if (result == ISC_R_SUCCESS) { CHECKM(setoptstring(server, &server->hostname, obj), "strdup"); server->hostname_set = ISC_TRUE; } else { server->hostname_set = ISC_FALSE; } obj = NULL; result = ns_config_get(maps, "server-id", &obj); server->server_usehostname = ISC_FALSE; if (result == ISC_R_SUCCESS && cfg_obj_isboolean(obj)) { /* The parser translates "hostname" to ISC_TRUE */ server->server_usehostname = cfg_obj_asboolean(obj); result = setstring(server, &server->server_id, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); } else if (result == ISC_R_SUCCESS) { /* Found a quoted string */ CHECKM(setoptstring(server, &server->server_id, obj), "strdup"); } else { result = setstring(server, &server->server_id, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); } obj = NULL; result = ns_config_get(maps, "flush-zones-on-shutdown", &obj); if (result == ISC_R_SUCCESS) { server->flushonshutdown = cfg_obj_asboolean(obj); } else { server->flushonshutdown = ISC_FALSE; } result = ISC_R_SUCCESS; cleanup: if (v4portset != NULL) isc_portset_destroy(ns_g_mctx, &v4portset); if (v6portset != NULL) isc_portset_destroy(ns_g_mctx, &v6portset); cfg_aclconfctx_destroy(&aclconfctx); if (parser != NULL) { if (config != NULL) cfg_obj_destroy(parser, &config); cfg_parser_destroy(&parser); } if (view != NULL) dns_view_detach(&view); /* * This cleans up either the old production view list * or our temporary list depending on whether they * were swapped above or not. */ for (view = ISC_LIST_HEAD(viewlist); view != NULL; view = view_next) { view_next = ISC_LIST_NEXT(view, link); ISC_LIST_UNLINK(viewlist, view, link); if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") != 0) (void)dns_zt_apply(view->zonetable, ISC_FALSE, removed, view); dns_view_detach(&view); } /* * Adjust the listening interfaces in accordance with the source * addresses specified in views and zones. */ if (isc_net_probeipv6() == ISC_R_SUCCESS) adjust_interfaces(server, ns_g_mctx); /* Relinquish exclusive access to configuration data. */ isc_task_endexclusive(server->task); isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(1), "load_configuration: %s", isc_result_totext(result)); return (result); } static isc_result_t load_zones(ns_server_t *server, isc_boolean_t stop) { isc_result_t result; dns_view_t *view; result = isc_task_beginexclusive(server->task); RUNTIME_CHECK(result == ISC_R_SUCCESS); /* * Load zone data from disk. */ for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) { CHECK(dns_view_load(view, stop)); } /* * Force zone maintenance. Do this after loading * so that we know when we need to force AXFR of * slave zones whose master files are missing. */ CHECK(dns_zonemgr_forcemaint(server->zonemgr)); cleanup: isc_task_endexclusive(server->task); return (result); } static isc_result_t load_new_zones(ns_server_t *server, isc_boolean_t stop) { isc_result_t result; dns_view_t *view; result = isc_task_beginexclusive(server->task); RUNTIME_CHECK(result == ISC_R_SUCCESS); /* * Load zone data from disk. */ for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) { CHECK(dns_view_loadnew(view, stop)); } /* * Force zone maintenance. Do this after loading * so that we know when we need to force AXFR of * slave zones whose master files are missing. */ dns_zonemgr_resumexfrs(server->zonemgr); cleanup: isc_task_endexclusive(server->task); return (result); } static void run_server(isc_task_t *task, isc_event_t *event) { isc_result_t result; ns_server_t *server = (ns_server_t *)event->ev_arg; INSIST(task == server->task); isc_event_free(&event); CHECKFATAL(dns_dispatchmgr_create(ns_g_mctx, ns_g_entropy, &ns_g_dispatchmgr), "creating dispatch manager"); dns_dispatchmgr_setstats(ns_g_dispatchmgr, server->resolverstats); CHECKFATAL(ns_interfacemgr_create(ns_g_mctx, ns_g_taskmgr, ns_g_socketmgr, ns_g_dispatchmgr, &server->interfacemgr), "creating interface manager"); CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive, NULL, NULL, server->task, interface_timer_tick, server, &server->interface_timer), "creating interface timer"); CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive, NULL, NULL, server->task, heartbeat_timer_tick, server, &server->heartbeat_timer), "creating heartbeat timer"); CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive, NULL, NULL, server->task, pps_timer_tick, server, &server->pps_timer), "creating pps timer"); CHECKFATAL(cfg_parser_create(ns_g_mctx, NULL, &ns_g_parser), "creating default configuration parser"); if (ns_g_lwresdonly) CHECKFATAL(load_configuration(lwresd_g_conffile, server, ISC_TRUE), "loading configuration"); else CHECKFATAL(load_configuration(ns_g_conffile, server, ISC_TRUE), "loading configuration"); isc_hash_init(); CHECKFATAL(load_zones(server, ISC_FALSE), "loading zones"); ns_os_started(); isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_NOTICE, "running"); } void ns_server_flushonshutdown(ns_server_t *server, isc_boolean_t flush) { REQUIRE(NS_SERVER_VALID(server)); server->flushonshutdown = flush; } static void shutdown_server(isc_task_t *task, isc_event_t *event) { isc_result_t result; dns_view_t *view, *view_next; ns_server_t *server = (ns_server_t *)event->ev_arg; isc_boolean_t flush = server->flushonshutdown; UNUSED(task); INSIST(task == server->task); result = isc_task_beginexclusive(server->task); RUNTIME_CHECK(result == ISC_R_SUCCESS); isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "shutting down%s", flush ? ": flushing changes" : ""); ns_statschannels_shutdown(server); ns_controls_shutdown(server->controls); end_reserved_dispatches(server, ISC_TRUE); cfg_obj_destroy(ns_g_parser, &ns_g_config); cfg_parser_destroy(&ns_g_parser); for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; view = view_next) { view_next = ISC_LIST_NEXT(view, link); ISC_LIST_UNLINK(server->viewlist, view, link); if (flush) dns_view_flushanddetach(&view); else dns_view_detach(&view); } isc_timer_detach(&server->interface_timer); isc_timer_detach(&server->heartbeat_timer); isc_timer_detach(&server->pps_timer); ns_interfacemgr_shutdown(server->interfacemgr); ns_interfacemgr_detach(&server->interfacemgr); dns_dispatchmgr_destroy(&ns_g_dispatchmgr); dns_zonemgr_shutdown(server->zonemgr); if (server->blackholeacl != NULL) dns_acl_detach(&server->blackholeacl); dns_db_detach(&server->in_roothints); isc_task_endexclusive(server->task); isc_task_detach(&server->task); isc_event_free(&event); } void ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { isc_result_t result; ns_server_t *server = isc_mem_get(mctx, sizeof(*server)); if (server == NULL) fatal("allocating server object", ISC_R_NOMEMORY); server->mctx = mctx; server->task = NULL; /* Initialize configuration data with default values. */ result = isc_quota_init(&server->xfroutquota, 10); RUNTIME_CHECK(result == ISC_R_SUCCESS); result = isc_quota_init(&server->tcpquota, 10); RUNTIME_CHECK(result == ISC_R_SUCCESS); result = isc_quota_init(&server->recursionquota, 100); RUNTIME_CHECK(result == ISC_R_SUCCESS); result = dns_aclenv_init(mctx, &server->aclenv); RUNTIME_CHECK(result == ISC_R_SUCCESS); /* Initialize server data structures. */ server->zonemgr = NULL; server->interfacemgr = NULL; ISC_LIST_INIT(server->viewlist); server->in_roothints = NULL; server->blackholeacl = NULL; CHECKFATAL(dns_rootns_create(mctx, dns_rdataclass_in, NULL, &server->in_roothints), "setting up root hints"); CHECKFATAL(isc_mutex_init(&server->reload_event_lock), "initializing reload event lock"); server->reload_event = isc_event_allocate(ns_g_mctx, server, NS_EVENT_RELOAD, ns_server_reload, server, sizeof(isc_event_t)); CHECKFATAL(server->reload_event == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS, "allocating reload event"); CHECKFATAL(dst_lib_init(ns_g_mctx, ns_g_entropy, ISC_ENTROPY_GOODONLY), "initializing DST"); server->tkeyctx = NULL; CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy, &server->tkeyctx), "creating TKEY context"); /* * Setup the server task, which is responsible for coordinating * startup and shutdown of the server. */ CHECKFATAL(isc_task_create(ns_g_taskmgr, 0, &server->task), "creating server task"); isc_task_setname(server->task, "server", server); CHECKFATAL(isc_task_onshutdown(server->task, shutdown_server, server), "isc_task_onshutdown"); CHECKFATAL(isc_app_onrun(ns_g_mctx, server->task, run_server, server), "isc_app_onrun"); server->interface_timer = NULL; server->heartbeat_timer = NULL; server->pps_timer = NULL; server->interface_interval = 0; server->heartbeat_interval = 0; CHECKFATAL(dns_zonemgr_create(ns_g_mctx, ns_g_taskmgr, ns_g_timermgr, ns_g_socketmgr, &server->zonemgr), "dns_zonemgr_create"); server->statsfile = isc_mem_strdup(server->mctx, "named.stats"); CHECKFATAL(server->statsfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS, "isc_mem_strdup"); server->nsstats = NULL; server->rcvquerystats = NULL; server->opcodestats = NULL; server->zonestats = NULL; server->resolverstats = NULL; server->sockstats = NULL; CHECKFATAL(isc_stats_create(server->mctx, &server->sockstats, isc_sockstatscounter_max), "isc_stats_create"); isc_socketmgr_setstats(ns_g_socketmgr, server->sockstats); server->dumpfile = isc_mem_strdup(server->mctx, "named_dump.db"); CHECKFATAL(server->dumpfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS, "isc_mem_strdup"); server->recfile = isc_mem_strdup(server->mctx, "named.recursing"); CHECKFATAL(server->recfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS, "isc_mem_strdup"); server->hostname_set = ISC_FALSE; server->hostname = NULL; server->version_set = ISC_FALSE; server->version = NULL; server->server_usehostname = ISC_FALSE; server->server_id = NULL; CHECKFATAL(isc_stats_create(ns_g_mctx, &server->nsstats, dns_nsstatscounter_max), "dns_stats_create (server)"); CHECKFATAL(dns_rdatatypestats_create(ns_g_mctx, &server->rcvquerystats), "dns_stats_create (rcvquery)"); CHECKFATAL(dns_opcodestats_create(ns_g_mctx, &server->opcodestats), "dns_stats_create (opcode)"); CHECKFATAL(isc_stats_create(ns_g_mctx, &server->zonestats, dns_zonestatscounter_max), "dns_stats_create (zone)"); CHECKFATAL(isc_stats_create(ns_g_mctx, &server->resolverstats, dns_resstatscounter_max), "dns_stats_create (resolver)"); server->flushonshutdown = ISC_FALSE; server->log_queries = ISC_FALSE; server->controls = NULL; CHECKFATAL(ns_controls_create(server, &server->controls), "ns_controls_create"); server->dispatchgen = 0; ISC_LIST_INIT(server->dispatches); ISC_LIST_INIT(server->statschannels); server->magic = NS_SERVER_MAGIC; *serverp = server; } void ns_server_destroy(ns_server_t **serverp) { ns_server_t *server = *serverp; REQUIRE(NS_SERVER_VALID(server)); ns_controls_destroy(&server->controls); isc_stats_detach(&server->nsstats); dns_stats_detach(&server->rcvquerystats); dns_stats_detach(&server->opcodestats); isc_stats_detach(&server->zonestats); isc_stats_detach(&server->resolverstats); isc_stats_detach(&server->sockstats); isc_mem_free(server->mctx, server->statsfile); isc_mem_free(server->mctx, server->dumpfile); isc_mem_free(server->mctx, server->recfile); if (server->version != NULL) isc_mem_free(server->mctx, server->version); if (server->hostname != NULL) isc_mem_free(server->mctx, server->hostname); if (server->server_id != NULL) isc_mem_free(server->mctx, server->server_id); dns_zonemgr_detach(&server->zonemgr); if (server->tkeyctx != NULL) dns_tkeyctx_destroy(&server->tkeyctx); dst_lib_destroy(); isc_event_free(&server->reload_event); INSIST(ISC_LIST_EMPTY(server->viewlist)); dns_aclenv_destroy(&server->aclenv); isc_quota_destroy(&server->recursionquota); isc_quota_destroy(&server->tcpquota); isc_quota_destroy(&server->xfroutquota); server->magic = 0; isc_mem_put(server->mctx, server, sizeof(*server)); *serverp = NULL; } static void fatal(const char *msg, isc_result_t result) { isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_CRITICAL, "%s: %s", msg, isc_result_totext(result)); isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_CRITICAL, "exiting (due to fatal error)"); exit(1); } static void start_reserved_dispatches(ns_server_t *server) { REQUIRE(NS_SERVER_VALID(server)); server->dispatchgen++; } static void end_reserved_dispatches(ns_server_t *server, isc_boolean_t all) { ns_dispatch_t *dispatch, *nextdispatch; REQUIRE(NS_SERVER_VALID(server)); for (dispatch = ISC_LIST_HEAD(server->dispatches); dispatch != NULL; dispatch = nextdispatch) { nextdispatch = ISC_LIST_NEXT(dispatch, link); if (!all && server->dispatchgen == dispatch-> dispatchgen) continue; ISC_LIST_UNLINK(server->dispatches, dispatch, link); dns_dispatch_detach(&dispatch->dispatch); isc_mem_put(server->mctx, dispatch, sizeof(*dispatch)); } } void ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr) { ns_dispatch_t *dispatch; in_port_t port; char addrbuf[ISC_SOCKADDR_FORMATSIZE]; isc_result_t result; unsigned int attrs, attrmask; REQUIRE(NS_SERVER_VALID(server)); port = isc_sockaddr_getport(addr); if (port == 0 || port >= 1024) return; for (dispatch = ISC_LIST_HEAD(server->dispatches); dispatch != NULL; dispatch = ISC_LIST_NEXT(dispatch, link)) { if (isc_sockaddr_equal(&dispatch->addr, addr)) break; } if (dispatch != NULL) { dispatch->dispatchgen = server->dispatchgen; return; } dispatch = isc_mem_get(server->mctx, sizeof(*dispatch)); if (dispatch == NULL) { result = ISC_R_NOMEMORY; goto cleanup; } dispatch->addr = *addr; dispatch->dispatchgen = server->dispatchgen; dispatch->dispatch = NULL; attrs = 0; attrs |= DNS_DISPATCHATTR_UDP; switch (isc_sockaddr_pf(addr)) { case AF_INET: attrs |= DNS_DISPATCHATTR_IPV4; break; case AF_INET6: attrs |= DNS_DISPATCHATTR_IPV6; break; default: result = ISC_R_NOTIMPLEMENTED; goto cleanup; } attrmask = 0; attrmask |= DNS_DISPATCHATTR_UDP; attrmask |= DNS_DISPATCHATTR_TCP; attrmask |= DNS_DISPATCHATTR_IPV4; attrmask |= DNS_DISPATCHATTR_IPV6; result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr, ns_g_taskmgr, &dispatch->addr, 4096, 1000, 32768, 16411, 16433, attrs, attrmask, &dispatch->dispatch); if (result != ISC_R_SUCCESS) goto cleanup; ISC_LIST_INITANDPREPEND(server->dispatches, dispatch, link); return; cleanup: if (dispatch != NULL) isc_mem_put(server->mctx, dispatch, sizeof(*dispatch)); isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf)); isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_WARNING, "unable to create dispatch for reserved port %s: %s", addrbuf, isc_result_totext(result)); } static isc_result_t loadconfig(ns_server_t *server) { isc_result_t result; start_reserved_dispatches(server); result = load_configuration(ns_g_lwresdonly ? lwresd_g_conffile : ns_g_conffile, server, ISC_FALSE); if (result == ISC_R_SUCCESS) { end_reserved_dispatches(server, ISC_FALSE); isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "reloading configuration succeeded"); } else { isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_ERROR, "reloading configuration failed: %s", isc_result_totext(result)); } return (result); } static isc_result_t reload(ns_server_t *server) { isc_result_t result; CHECK(loadconfig(server)); result = load_zones(server, ISC_FALSE); if (result == ISC_R_SUCCESS) isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "reloading zones succeeded"); else isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_ERROR, "reloading zones failed: %s", isc_result_totext(result)); cleanup: return (result); } static void reconfig(ns_server_t *server) { isc_result_t result; CHECK(loadconfig(server)); result = load_new_zones(server, ISC_FALSE); if (result == ISC_R_SUCCESS) isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "any newly configured zones are now loaded"); else isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_ERROR, "loading new zones failed: %s", isc_result_totext(result)); cleanup: ; } /* * Handle a reload event (from SIGHUP). */ static void ns_server_reload(isc_task_t *task, isc_event_t *event) { ns_server_t *server = (ns_server_t *)event->ev_arg; INSIST(task = server->task); UNUSED(task); isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "received SIGHUP signal to reload zones"); (void)reload(server); LOCK(&server->reload_event_lock); INSIST(server->reload_event == NULL); server->reload_event = event; UNLOCK(&server->reload_event_lock); } void ns_server_reloadwanted(ns_server_t *server) { LOCK(&server->reload_event_lock); if (server->reload_event != NULL) isc_task_send(server->task, &server->reload_event); UNLOCK(&server->reload_event_lock); } static char * next_token(char **stringp, const char *delim) { char *res; do { res = strsep(stringp, delim); if (res == NULL) break; } while (*res == '\0'); return (res); } /* * Find the zone specified in the control channel command 'args', * if any. If a zone is specified, point '*zonep' at it, otherwise * set '*zonep' to NULL. */ static isc_result_t zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep) { char *input, *ptr; const char *zonetxt; char *classtxt; const char *viewtxt = NULL; dns_fixedname_t name; isc_result_t result; isc_buffer_t buf; dns_view_t *view = NULL; dns_rdataclass_t rdclass; REQUIRE(zonep != NULL && *zonep == NULL); input = args; /* Skip the command name. */ ptr = next_token(&input, " \t"); if (ptr == NULL) return (ISC_R_UNEXPECTEDEND); /* Look for the zone name. */ zonetxt = next_token(&input, " \t"); if (zonetxt == NULL) return (ISC_R_SUCCESS); /* Look for the optional class name. */ classtxt = next_token(&input, " \t"); if (classtxt != NULL) { /* Look for the optional view name. */ viewtxt = next_token(&input, " \t"); } isc_buffer_init(&buf, zonetxt, strlen(zonetxt)); isc_buffer_add(&buf, strlen(zonetxt)); dns_fixedname_init(&name); result = dns_name_fromtext(dns_fixedname_name(&name), &buf, dns_rootname, ISC_FALSE, NULL); if (result != ISC_R_SUCCESS) goto fail1; if (classtxt != NULL) { isc_textregion_t r; r.base = classtxt; r.length = strlen(classtxt); result = dns_rdataclass_fromtext(&rdclass, &r); if (result != ISC_R_SUCCESS) goto fail1; } else rdclass = dns_rdataclass_in; if (viewtxt == NULL) { result = dns_viewlist_findzone(&server->viewlist, dns_fixedname_name(&name), ISC_TF(classtxt == NULL), rdclass, zonep); } else { result = dns_viewlist_find(&server->viewlist, viewtxt, rdclass, &view); if (result != ISC_R_SUCCESS) goto fail1; result = dns_zt_find(view->zonetable, dns_fixedname_name(&name), 0, NULL, zonep); dns_view_detach(&view); } /* Partial match? */ if (result != ISC_R_SUCCESS && *zonep != NULL) dns_zone_detach(zonep); if (result == DNS_R_PARTIALMATCH) result = ISC_R_NOTFOUND; fail1: return (result); } /* * Act on a "retransfer" command from the command channel. */ isc_result_t ns_server_retransfercommand(ns_server_t *server, char *args) { isc_result_t result; dns_zone_t *zone = NULL; dns_zonetype_t type; result = zone_from_args(server, args, &zone); if (result != ISC_R_SUCCESS) return (result); if (zone == NULL) return (ISC_R_UNEXPECTEDEND); type = dns_zone_gettype(zone); if (type == dns_zone_slave || type == dns_zone_stub) dns_zone_forcereload(zone); else result = ISC_R_NOTFOUND; dns_zone_detach(&zone); return (result); } /* * Act on a "reload" command from the command channel. */ isc_result_t ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text) { isc_result_t result; dns_zone_t *zone = NULL; dns_zonetype_t type; const char *msg = NULL; result = zone_from_args(server, args, &zone); if (result != ISC_R_SUCCESS) return (result); if (zone == NULL) { result = reload(server); if (result == ISC_R_SUCCESS) msg = "server reload successful"; } else { type = dns_zone_gettype(zone); if (type == dns_zone_slave || type == dns_zone_stub) { dns_zone_refresh(zone); dns_zone_detach(&zone); msg = "zone refresh queued"; } else { result = dns_zone_load(zone); dns_zone_detach(&zone); switch (result) { case ISC_R_SUCCESS: msg = "zone reload successful"; break; case DNS_R_CONTINUE: msg = "zone reload queued"; result = ISC_R_SUCCESS; break; case DNS_R_UPTODATE: msg = "zone reload up-to-date"; result = ISC_R_SUCCESS; break; default: /* failure message will be generated by rndc */ break; } } } if (msg != NULL && strlen(msg) < isc_buffer_availablelength(text)) isc_buffer_putmem(text, (const unsigned char *)msg, strlen(msg) + 1); return (result); } /* * Act on a "reconfig" command from the command channel. */ isc_result_t ns_server_reconfigcommand(ns_server_t *server, char *args) { UNUSED(args); reconfig(server); return (ISC_R_SUCCESS); } /* * Act on a "notify" command from the command channel. */ isc_result_t ns_server_notifycommand(ns_server_t *server, char *args, isc_buffer_t *text) { isc_result_t result; dns_zone_t *zone = NULL; const unsigned char msg[] = "zone notify queued"; result = zone_from_args(server, args, &zone); if (result != ISC_R_SUCCESS) return (result); if (zone == NULL) return (ISC_R_UNEXPECTEDEND); dns_zone_notify(zone); dns_zone_detach(&zone); if (sizeof(msg) <= isc_buffer_availablelength(text)) isc_buffer_putmem(text, msg, sizeof(msg)); return (ISC_R_SUCCESS); } /* * Act on a "refresh" command from the command channel. */ isc_result_t ns_server_refreshcommand(ns_server_t *server, char *args, isc_buffer_t *text) { isc_result_t result; dns_zone_t *zone = NULL; const unsigned char msg1[] = "zone refresh queued"; const unsigned char msg2[] = "not a slave or stub zone"; dns_zonetype_t type; result = zone_from_args(server, args, &zone); if (result != ISC_R_SUCCESS) return (result); if (zone == NULL) return (ISC_R_UNEXPECTEDEND); type = dns_zone_gettype(zone); if (type == dns_zone_slave || type == dns_zone_stub) { dns_zone_refresh(zone); dns_zone_detach(&zone); if (sizeof(msg1) <= isc_buffer_availablelength(text)) isc_buffer_putmem(text, msg1, sizeof(msg1)); return (ISC_R_SUCCESS); } dns_zone_detach(&zone); if (sizeof(msg2) <= isc_buffer_availablelength(text)) isc_buffer_putmem(text, msg2, sizeof(msg2)); return (ISC_R_FAILURE); } isc_result_t ns_server_togglequerylog(ns_server_t *server) { server->log_queries = server->log_queries ? ISC_FALSE : ISC_TRUE; isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "query logging is now %s", server->log_queries ? "on" : "off"); return (ISC_R_SUCCESS); } static isc_result_t ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config, cfg_aclconfctx_t *actx, isc_mem_t *mctx, ns_listenlist_t **target) { isc_result_t result; const cfg_listelt_t *element; ns_listenlist_t *dlist = NULL; REQUIRE(target != NULL && *target == NULL); result = ns_listenlist_create(mctx, &dlist); if (result != ISC_R_SUCCESS) return (result); for (element = cfg_list_first(listenlist); element != NULL; element = cfg_list_next(element)) { ns_listenelt_t *delt = NULL; const cfg_obj_t *listener = cfg_listelt_value(element); result = ns_listenelt_fromconfig(listener, config, actx, mctx, &delt); if (result != ISC_R_SUCCESS) goto cleanup; ISC_LIST_APPEND(dlist->elts, delt, link); } *target = dlist; return (ISC_R_SUCCESS); cleanup: ns_listenlist_detach(&dlist); return (result); } /* * Create a listen list from the corresponding configuration * data structure. */ static isc_result_t ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config, cfg_aclconfctx_t *actx, isc_mem_t *mctx, ns_listenelt_t **target) { isc_result_t result; const cfg_obj_t *portobj; in_port_t port; ns_listenelt_t *delt = NULL; REQUIRE(target != NULL && *target == NULL); portobj = cfg_tuple_get(listener, "port"); if (!cfg_obj_isuint32(portobj)) { if (ns_g_port != 0) { port = ns_g_port; } else { result = ns_config_getport(config, &port); if (result != ISC_R_SUCCESS) return (result); } } else { if (cfg_obj_asuint32(portobj) >= ISC_UINT16_MAX) { cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR, "port value '%u' is out of range", cfg_obj_asuint32(portobj)); return (ISC_R_RANGE); } port = (in_port_t)cfg_obj_asuint32(portobj); } result = ns_listenelt_create(mctx, port, NULL, &delt); if (result != ISC_R_SUCCESS) return (result); result = cfg_acl_fromconfig(cfg_tuple_get(listener, "acl"), config, ns_g_lctx, actx, mctx, 0, &delt->acl); if (result != ISC_R_SUCCESS) { ns_listenelt_destroy(delt); return (result); } *target = delt; return (ISC_R_SUCCESS); } isc_result_t ns_server_dumpstats(ns_server_t *server) { isc_result_t result; FILE *fp = NULL; CHECKMF(isc_stdio_open(server->statsfile, "a", &fp), "could not open statistics dump file", server->statsfile); result = ns_stats_dump(server, fp); CHECK(result); cleanup: if (fp != NULL) (void)isc_stdio_close(fp); if (result == ISC_R_SUCCESS) isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "dumpstats complete"); else isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_ERROR, "dumpstats failed: %s", dns_result_totext(result)); return (result); } static isc_result_t add_zone_tolist(dns_zone_t *zone, void *uap) { struct dumpcontext *dctx = uap; struct zonelistentry *zle; zle = isc_mem_get(dctx->mctx, sizeof *zle); if (zle == NULL) return (ISC_R_NOMEMORY); zle->zone = NULL; dns_zone_attach(zone, &zle->zone); ISC_LINK_INIT(zle, link); ISC_LIST_APPEND(ISC_LIST_TAIL(dctx->viewlist)->zonelist, zle, link); return (ISC_R_SUCCESS); } static isc_result_t add_view_tolist(struct dumpcontext *dctx, dns_view_t *view) { struct viewlistentry *vle; isc_result_t result = ISC_R_SUCCESS; /* * Prevent duplicate views. */ for (vle = ISC_LIST_HEAD(dctx->viewlist); vle != NULL; vle = ISC_LIST_NEXT(vle, link)) if (vle->view == view) return (ISC_R_SUCCESS); vle = isc_mem_get(dctx->mctx, sizeof *vle); if (vle == NULL) return (ISC_R_NOMEMORY); vle->view = NULL; dns_view_attach(view, &vle->view); ISC_LINK_INIT(vle, link); ISC_LIST_INIT(vle->zonelist); ISC_LIST_APPEND(dctx->viewlist, vle, link); if (dctx->dumpzones) result = dns_zt_apply(view->zonetable, ISC_TRUE, add_zone_tolist, dctx); return (result); } static void dumpcontext_destroy(struct dumpcontext *dctx) { struct viewlistentry *vle; struct zonelistentry *zle; vle = ISC_LIST_HEAD(dctx->viewlist); while (vle != NULL) { ISC_LIST_UNLINK(dctx->viewlist, vle, link); zle = ISC_LIST_HEAD(vle->zonelist); while (zle != NULL) { ISC_LIST_UNLINK(vle->zonelist, zle, link); dns_zone_detach(&zle->zone); isc_mem_put(dctx->mctx, zle, sizeof *zle); zle = ISC_LIST_HEAD(vle->zonelist); } dns_view_detach(&vle->view); isc_mem_put(dctx->mctx, vle, sizeof *vle); vle = ISC_LIST_HEAD(dctx->viewlist); } if (dctx->version != NULL) dns_db_closeversion(dctx->db, &dctx->version, ISC_FALSE); if (dctx->db != NULL) dns_db_detach(&dctx->db); if (dctx->cache != NULL) dns_db_detach(&dctx->cache); if (dctx->task != NULL) isc_task_detach(&dctx->task); if (dctx->fp != NULL) (void)isc_stdio_close(dctx->fp); if (dctx->mdctx != NULL) dns_dumpctx_detach(&dctx->mdctx); isc_mem_put(dctx->mctx, dctx, sizeof *dctx); } static void dumpdone(void *arg, isc_result_t result) { struct dumpcontext *dctx = arg; char buf[1024+32]; const dns_master_style_t *style; if (result != ISC_R_SUCCESS) goto cleanup; if (dctx->mdctx != NULL) dns_dumpctx_detach(&dctx->mdctx); if (dctx->view == NULL) { dctx->view = ISC_LIST_HEAD(dctx->viewlist); if (dctx->view == NULL) goto done; INSIST(dctx->zone == NULL); } else goto resume; nextview: fprintf(dctx->fp, ";\n; Start view %s\n;\n", dctx->view->view->name); resume: if (dctx->zone == NULL && dctx->cache == NULL && dctx->dumpcache) { style = &dns_master_style_cache; /* start cache dump */ if (dctx->view->view->cachedb != NULL) dns_db_attach(dctx->view->view->cachedb, &dctx->cache); if (dctx->cache != NULL) { fprintf(dctx->fp, ";\n; Cache dump of view '%s'\n;\n", dctx->view->view->name); result = dns_master_dumptostreaminc(dctx->mctx, dctx->cache, NULL, style, dctx->fp, dctx->task, dumpdone, dctx, &dctx->mdctx); if (result == DNS_R_CONTINUE) return; if (result == ISC_R_NOTIMPLEMENTED) fprintf(dctx->fp, "; %s\n", dns_result_totext(result)); else if (result != ISC_R_SUCCESS) goto cleanup; } } if (dctx->cache != NULL) { dns_adb_dump(dctx->view->view->adb, dctx->fp); + dns_resolver_printbadcache(dctx->view->view->resolver, + dctx->fp); dns_db_detach(&dctx->cache); } if (dctx->dumpzones) { style = &dns_master_style_full; nextzone: if (dctx->version != NULL) dns_db_closeversion(dctx->db, &dctx->version, ISC_FALSE); if (dctx->db != NULL) dns_db_detach(&dctx->db); if (dctx->zone == NULL) dctx->zone = ISC_LIST_HEAD(dctx->view->zonelist); else dctx->zone = ISC_LIST_NEXT(dctx->zone, link); if (dctx->zone != NULL) { /* start zone dump */ dns_zone_name(dctx->zone->zone, buf, sizeof(buf)); fprintf(dctx->fp, ";\n; Zone dump of '%s'\n;\n", buf); result = dns_zone_getdb(dctx->zone->zone, &dctx->db); if (result != ISC_R_SUCCESS) { fprintf(dctx->fp, "; %s\n", dns_result_totext(result)); goto nextzone; } dns_db_currentversion(dctx->db, &dctx->version); result = dns_master_dumptostreaminc(dctx->mctx, dctx->db, dctx->version, style, dctx->fp, dctx->task, dumpdone, dctx, &dctx->mdctx); if (result == DNS_R_CONTINUE) return; if (result == ISC_R_NOTIMPLEMENTED) { fprintf(dctx->fp, "; %s\n", dns_result_totext(result)); result = ISC_R_SUCCESS; goto nextzone; } if (result != ISC_R_SUCCESS) goto cleanup; } } if (dctx->view != NULL) dctx->view = ISC_LIST_NEXT(dctx->view, link); if (dctx->view != NULL) goto nextview; done: fprintf(dctx->fp, "; Dump complete\n"); result = isc_stdio_flush(dctx->fp); if (result == ISC_R_SUCCESS) isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "dumpdb complete"); cleanup: if (result != ISC_R_SUCCESS) isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_ERROR, "dumpdb failed: %s", dns_result_totext(result)); dumpcontext_destroy(dctx); } isc_result_t ns_server_dumpdb(ns_server_t *server, char *args) { struct dumpcontext *dctx = NULL; dns_view_t *view; isc_result_t result; char *ptr; const char *sep; /* Skip the command name. */ ptr = next_token(&args, " \t"); if (ptr == NULL) return (ISC_R_UNEXPECTEDEND); dctx = isc_mem_get(server->mctx, sizeof(*dctx)); if (dctx == NULL) return (ISC_R_NOMEMORY); dctx->mctx = server->mctx; dctx->dumpcache = ISC_TRUE; dctx->dumpzones = ISC_FALSE; dctx->fp = NULL; ISC_LIST_INIT(dctx->viewlist); dctx->view = NULL; dctx->zone = NULL; dctx->cache = NULL; dctx->mdctx = NULL; dctx->db = NULL; dctx->cache = NULL; dctx->task = NULL; dctx->version = NULL; isc_task_attach(server->task, &dctx->task); CHECKMF(isc_stdio_open(server->dumpfile, "w", &dctx->fp), "could not open dump file", server->dumpfile); sep = (args == NULL) ? "" : ": "; isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "dumpdb started%s%s", sep, (args != NULL) ? args : ""); ptr = next_token(&args, " \t"); if (ptr != NULL && strcmp(ptr, "-all") == 0) { dctx->dumpzones = ISC_TRUE; dctx->dumpcache = ISC_TRUE; ptr = next_token(&args, " \t"); } else if (ptr != NULL && strcmp(ptr, "-cache") == 0) { dctx->dumpzones = ISC_FALSE; dctx->dumpcache = ISC_TRUE; ptr = next_token(&args, " \t"); } else if (ptr != NULL && strcmp(ptr, "-zones") == 0) { dctx->dumpzones = ISC_TRUE; dctx->dumpcache = ISC_FALSE; ptr = next_token(&args, " \t"); } nextview: for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) { if (ptr != NULL && strcmp(view->name, ptr) != 0) continue; CHECK(add_view_tolist(dctx, view)); } if (ptr != NULL) { ptr = next_token(&args, " \t"); if (ptr != NULL) goto nextview; } dumpdone(dctx, ISC_R_SUCCESS); return (ISC_R_SUCCESS); cleanup: if (dctx != NULL) dumpcontext_destroy(dctx); return (result); } isc_result_t ns_server_dumprecursing(ns_server_t *server) { FILE *fp = NULL; isc_result_t result; CHECKMF(isc_stdio_open(server->recfile, "w", &fp), "could not open dump file", server->recfile); fprintf(fp,";\n; Recursing Queries\n;\n"); ns_interfacemgr_dumprecursing(fp, server->interfacemgr); fprintf(fp, "; Dump complete\n"); cleanup: if (fp != NULL) result = isc_stdio_close(fp); if (result == ISC_R_SUCCESS) isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "dumprecursing complete"); else isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_ERROR, "dumprecursing failed: %s", dns_result_totext(result)); return (result); } isc_result_t ns_server_setdebuglevel(ns_server_t *server, char *args) { char *ptr; char *levelstr; char *endp; long newlevel; UNUSED(server); /* Skip the command name. */ ptr = next_token(&args, " \t"); if (ptr == NULL) return (ISC_R_UNEXPECTEDEND); /* Look for the new level name. */ levelstr = next_token(&args, " \t"); if (levelstr == NULL) { if (ns_g_debuglevel < 99) ns_g_debuglevel++; } else { newlevel = strtol(levelstr, &endp, 10); if (*endp != '\0' || newlevel < 0 || newlevel > 99) return (ISC_R_RANGE); ns_g_debuglevel = (unsigned int)newlevel; } isc_log_setdebuglevel(ns_g_lctx, ns_g_debuglevel); isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "debug level is now %d", ns_g_debuglevel); return (ISC_R_SUCCESS); } isc_result_t ns_server_validation(ns_server_t *server, char *args) { char *ptr, *viewname; dns_view_t *view; isc_boolean_t changed = ISC_FALSE; isc_result_t result; isc_boolean_t enable; /* Skip the command name. */ ptr = next_token(&args, " \t"); if (ptr == NULL) return (ISC_R_UNEXPECTEDEND); /* Find out what we are to do. */ ptr = next_token(&args, " \t"); if (ptr == NULL) return (ISC_R_UNEXPECTEDEND); if (!strcasecmp(ptr, "on") || !strcasecmp(ptr, "yes") || !strcasecmp(ptr, "enable") || !strcasecmp(ptr, "true")) enable = ISC_TRUE; else if (!strcasecmp(ptr, "off") || !strcasecmp(ptr, "no") || !strcasecmp(ptr, "disable") || !strcasecmp(ptr, "false")) enable = ISC_FALSE; else return (DNS_R_SYNTAX); /* Look for the view name. */ viewname = next_token(&args, " \t"); result = isc_task_beginexclusive(server->task); RUNTIME_CHECK(result == ISC_R_SUCCESS); for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) { if (viewname != NULL && strcasecmp(viewname, view->name) != 0) continue; result = dns_view_flushcache(view); if (result != ISC_R_SUCCESS) goto out; view->enablevalidation = enable; changed = ISC_TRUE; } if (changed) result = ISC_R_SUCCESS; else result = ISC_R_FAILURE; out: isc_task_endexclusive(server->task); return (result); } isc_result_t ns_server_flushcache(ns_server_t *server, char *args) { char *ptr, *viewname; dns_view_t *view; isc_boolean_t flushed; isc_boolean_t found; isc_result_t result; /* Skip the command name. */ ptr = next_token(&args, " \t"); if (ptr == NULL) return (ISC_R_UNEXPECTEDEND); /* Look for the view name. */ viewname = next_token(&args, " \t"); result = isc_task_beginexclusive(server->task); RUNTIME_CHECK(result == ISC_R_SUCCESS); flushed = ISC_TRUE; found = ISC_FALSE; for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) { if (viewname != NULL && strcasecmp(viewname, view->name) != 0) continue; found = ISC_TRUE; result = dns_view_flushcache(view); if (result != ISC_R_SUCCESS) { flushed = ISC_FALSE; isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_ERROR, "flushing cache in view '%s' failed: %s", view->name, isc_result_totext(result)); } } if (flushed && found) { if (viewname != NULL) isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "flushing cache in view '%s' succeeded", viewname); else isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "flushing caches in all views succeeded"); result = ISC_R_SUCCESS; } else { if (!found) { isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_ERROR, "flushing cache in view '%s' failed: " "view not found", viewname); result = ISC_R_NOTFOUND; } else result = ISC_R_FAILURE; } isc_task_endexclusive(server->task); return (result); } isc_result_t ns_server_flushname(ns_server_t *server, char *args) { char *ptr, *target, *viewname; dns_view_t *view; isc_boolean_t flushed; isc_boolean_t found; isc_result_t result; isc_buffer_t b; dns_fixedname_t fixed; dns_name_t *name; /* Skip the command name. */ ptr = next_token(&args, " \t"); if (ptr == NULL) return (ISC_R_UNEXPECTEDEND); /* Find the domain name to flush. */ target = next_token(&args, " \t"); if (target == NULL) return (ISC_R_UNEXPECTEDEND); isc_buffer_init(&b, target, strlen(target)); isc_buffer_add(&b, strlen(target)); dns_fixedname_init(&fixed); name = dns_fixedname_name(&fixed); result = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL); if (result != ISC_R_SUCCESS) return (result); /* Look for the view name. */ viewname = next_token(&args, " \t"); result = isc_task_beginexclusive(server->task); RUNTIME_CHECK(result == ISC_R_SUCCESS); flushed = ISC_TRUE; found = ISC_FALSE; for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) { if (viewname != NULL && strcasecmp(viewname, view->name) != 0) continue; found = ISC_TRUE; result = dns_view_flushname(view, name); if (result != ISC_R_SUCCESS) { flushed = ISC_FALSE; isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_ERROR, "flushing name '%s' in cache view '%s' " "failed: %s", target, view->name, isc_result_totext(result)); } } if (flushed && found) { if (viewname != NULL) isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "flushing name '%s' in cache view '%s' " "succeeded", target, viewname); else isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "flushing name '%s' in all cache views " "succeeded", target); result = ISC_R_SUCCESS; } else { if (!found) isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_ERROR, "flushing name '%s' in cache view '%s' " "failed: view not found", target, viewname); result = ISC_R_FAILURE; } isc_task_endexclusive(server->task); return (result); } isc_result_t ns_server_status(ns_server_t *server, isc_buffer_t *text) { int zonecount, xferrunning, xferdeferred, soaqueries; unsigned int n; const char *ob = "", *cb = "", *alt = ""; if (ns_g_server->version_set) { ob = " ("; cb = ")"; if (ns_g_server->version == NULL) alt = "version.bind/txt/ch disabled"; else alt = ns_g_server->version; } zonecount = dns_zonemgr_getcount(server->zonemgr, DNS_ZONESTATE_ANY); xferrunning = dns_zonemgr_getcount(server->zonemgr, DNS_ZONESTATE_XFERRUNNING); xferdeferred = dns_zonemgr_getcount(server->zonemgr, DNS_ZONESTATE_XFERDEFERRED); soaqueries = dns_zonemgr_getcount(server->zonemgr, DNS_ZONESTATE_SOAQUERY); n = snprintf((char *)isc_buffer_used(text), isc_buffer_availablelength(text), "version: %s%s%s%s\n" #ifdef ISC_PLATFORM_USETHREADS "CPUs found: %u\n" "worker threads: %u\n" #endif "number of zones: %u\n" "debug level: %d\n" "xfers running: %u\n" "xfers deferred: %u\n" "soa queries in progress: %u\n" "query logging is %s\n" "recursive clients: %d/%d/%d\n" "tcp clients: %d/%d\n" "server is up and running", ns_g_version, ob, alt, cb, #ifdef ISC_PLATFORM_USETHREADS ns_g_cpus_detected, ns_g_cpus, #endif zonecount, ns_g_debuglevel, xferrunning, xferdeferred, soaqueries, server->log_queries ? "ON" : "OFF", server->recursionquota.used, server->recursionquota.soft, server->recursionquota.max, server->tcpquota.used, server->tcpquota.max); if (n >= isc_buffer_availablelength(text)) return (ISC_R_NOSPACE); isc_buffer_add(text, n); return (ISC_R_SUCCESS); } static isc_result_t delete_keynames(dns_tsig_keyring_t *ring, char *target, unsigned int *foundkeys) { char namestr[DNS_NAME_FORMATSIZE]; isc_result_t result; dns_rbtnodechain_t chain; dns_name_t foundname; dns_fixedname_t fixedorigin; dns_name_t *origin; dns_rbtnode_t *node; dns_tsigkey_t *tkey; dns_name_init(&foundname, NULL); dns_fixedname_init(&fixedorigin); origin = dns_fixedname_name(&fixedorigin); again: dns_rbtnodechain_init(&chain, ring->mctx); result = dns_rbtnodechain_first(&chain, ring->keys, &foundname, origin); if (result == ISC_R_NOTFOUND) { dns_rbtnodechain_invalidate(&chain); return (ISC_R_SUCCESS); } if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) { dns_rbtnodechain_invalidate(&chain); return (result); } for (;;) { node = NULL; dns_rbtnodechain_current(&chain, &foundname, origin, &node); tkey = node->data; if (tkey != NULL) { if (!tkey->generated) goto nextkey; dns_name_format(&tkey->name, namestr, sizeof(namestr)); if (strcmp(namestr, target) == 0) { (*foundkeys)++; dns_rbtnodechain_invalidate(&chain); (void)dns_rbt_deletename(ring->keys, &tkey->name, ISC_FALSE); goto again; } } nextkey: result = dns_rbtnodechain_next(&chain, &foundname, origin); if (result == ISC_R_NOMORE) break; if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) { dns_rbtnodechain_invalidate(&chain); return (result); } } return (ISC_R_SUCCESS); } isc_result_t ns_server_tsigdelete(ns_server_t *server, char *command, isc_buffer_t *text) { isc_result_t result; unsigned int n; dns_view_t *view; unsigned int foundkeys = 0; char *target; char *viewname; (void)next_token(&command, " \t"); /* skip command name */ target = next_token(&command, " \t"); if (target == NULL) return (ISC_R_UNEXPECTEDEND); viewname = next_token(&command, " \t"); result = isc_task_beginexclusive(server->task); RUNTIME_CHECK(result == ISC_R_SUCCESS); for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) { if (viewname == NULL || strcmp(view->name, viewname) == 0) { RWLOCK(&view->dynamickeys->lock, isc_rwlocktype_write); result = delete_keynames(view->dynamickeys, target, &foundkeys); RWUNLOCK(&view->dynamickeys->lock, isc_rwlocktype_write); if (result != ISC_R_SUCCESS) { isc_task_endexclusive(server->task); return (result); } } } isc_task_endexclusive(server->task); n = snprintf((char *)isc_buffer_used(text), isc_buffer_availablelength(text), "%d tsig keys deleted.\n", foundkeys); if (n >= isc_buffer_availablelength(text)) { isc_task_endexclusive(server->task); return (ISC_R_NOSPACE); } isc_buffer_add(text, n); return (ISC_R_SUCCESS); } static isc_result_t list_keynames(dns_view_t *view, dns_tsig_keyring_t *ring, isc_buffer_t *text, unsigned int *foundkeys) { char namestr[DNS_NAME_FORMATSIZE]; char creatorstr[DNS_NAME_FORMATSIZE]; isc_result_t result; dns_rbtnodechain_t chain; dns_name_t foundname; dns_fixedname_t fixedorigin; dns_name_t *origin; dns_rbtnode_t *node; dns_tsigkey_t *tkey; unsigned int n; const char *viewname; if (view != NULL) viewname = view->name; else viewname = "(global)"; dns_name_init(&foundname, NULL); dns_fixedname_init(&fixedorigin); origin = dns_fixedname_name(&fixedorigin); dns_rbtnodechain_init(&chain, ring->mctx); result = dns_rbtnodechain_first(&chain, ring->keys, &foundname, origin); if (result == ISC_R_NOTFOUND) { dns_rbtnodechain_invalidate(&chain); return (ISC_R_SUCCESS); } if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) { dns_rbtnodechain_invalidate(&chain); return (result); } for (;;) { node = NULL; dns_rbtnodechain_current(&chain, &foundname, origin, &node); tkey = node->data; if (tkey != NULL) { (*foundkeys)++; dns_name_format(&tkey->name, namestr, sizeof(namestr)); if (tkey->generated) { dns_name_format(tkey->creator, creatorstr, sizeof(creatorstr)); n = snprintf((char *)isc_buffer_used(text), isc_buffer_availablelength(text), "view \"%s\"; type \"dynamic\"; key \"%s\"; creator \"%s\";\n", viewname, namestr, creatorstr); } else { n = snprintf((char *)isc_buffer_used(text), isc_buffer_availablelength(text), "view \"%s\"; type \"static\"; key \"%s\";\n", viewname, namestr); } if (n >= isc_buffer_availablelength(text)) { dns_rbtnodechain_invalidate(&chain); return (ISC_R_NOSPACE); } isc_buffer_add(text, n); } result = dns_rbtnodechain_next(&chain, &foundname, origin); if (result == ISC_R_NOMORE) break; if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) { dns_rbtnodechain_invalidate(&chain); return (result); } } return (ISC_R_SUCCESS); } isc_result_t ns_server_tsiglist(ns_server_t *server, isc_buffer_t *text) { isc_result_t result; unsigned int n; dns_view_t *view; unsigned int foundkeys = 0; result = isc_task_beginexclusive(server->task); RUNTIME_CHECK(result == ISC_R_SUCCESS); for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) { RWLOCK(&view->statickeys->lock, isc_rwlocktype_read); result = list_keynames(view, view->statickeys, text, &foundkeys); RWUNLOCK(&view->statickeys->lock, isc_rwlocktype_read); if (result != ISC_R_SUCCESS) { isc_task_endexclusive(server->task); return (result); } RWLOCK(&view->dynamickeys->lock, isc_rwlocktype_read); result = list_keynames(view, view->dynamickeys, text, &foundkeys); RWUNLOCK(&view->dynamickeys->lock, isc_rwlocktype_read); if (result != ISC_R_SUCCESS) { isc_task_endexclusive(server->task); return (result); } } isc_task_endexclusive(server->task); if (foundkeys == 0) { n = snprintf((char *)isc_buffer_used(text), isc_buffer_availablelength(text), "no tsig keys found.\n"); if (n >= isc_buffer_availablelength(text)) { isc_task_endexclusive(server->task); return (ISC_R_NOSPACE); } isc_buffer_add(text, n); } return (ISC_R_SUCCESS); } /* * Act on a "freeze" or "thaw" command from the command channel. */ isc_result_t ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args, isc_buffer_t *text) { isc_result_t result, tresult; dns_zone_t *zone = NULL; dns_zonetype_t type; char classstr[DNS_RDATACLASS_FORMATSIZE]; char zonename[DNS_NAME_FORMATSIZE]; dns_view_t *view; char *journal; const char *vname, *sep; isc_boolean_t frozen; const char *msg = NULL; result = zone_from_args(server, args, &zone); if (result != ISC_R_SUCCESS) return (result); if (zone == NULL) { result = isc_task_beginexclusive(server->task); RUNTIME_CHECK(result == ISC_R_SUCCESS); tresult = ISC_R_SUCCESS; for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) { result = dns_view_freezezones(view, freeze); if (result != ISC_R_SUCCESS && tresult == ISC_R_SUCCESS) tresult = result; } isc_task_endexclusive(server->task); isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "%s all zones: %s", freeze ? "freezing" : "thawing", isc_result_totext(tresult)); return (tresult); } type = dns_zone_gettype(zone); if (type != dns_zone_master) { dns_zone_detach(&zone); return (ISC_R_NOTFOUND); } result = isc_task_beginexclusive(server->task); RUNTIME_CHECK(result == ISC_R_SUCCESS); frozen = dns_zone_getupdatedisabled(zone); if (freeze) { if (frozen) { msg = "WARNING: The zone was already frozen.\n" "Someone else may be editing it or " "it may still be re-loading."; result = DNS_R_FROZEN; } if (result == ISC_R_SUCCESS) { result = dns_zone_flush(zone); if (result != ISC_R_SUCCESS) msg = "Flushing the zone updates to " "disk failed."; } if (result == ISC_R_SUCCESS) { journal = dns_zone_getjournal(zone); if (journal != NULL) (void)isc_file_remove(journal); } if (result == ISC_R_SUCCESS) dns_zone_setupdatedisabled(zone, freeze); } else { if (frozen) { result = dns_zone_loadandthaw(zone); switch (result) { case ISC_R_SUCCESS: case DNS_R_UPTODATE: msg = "The zone reload and thaw was " "successful."; result = ISC_R_SUCCESS; break; case DNS_R_CONTINUE: msg = "A zone reload and thaw was started.\n" "Check the logs to see the result."; result = ISC_R_SUCCESS; break; } } } isc_task_endexclusive(server->task); if (msg != NULL && strlen(msg) < isc_buffer_availablelength(text)) isc_buffer_putmem(text, (const unsigned char *)msg, strlen(msg) + 1); view = dns_zone_getview(zone); if (strcmp(view->name, "_bind") == 0 || strcmp(view->name, "_default") == 0) { vname = ""; sep = ""; } else { vname = view->name; sep = " "; } dns_rdataclass_format(dns_zone_getclass(zone), classstr, sizeof(classstr)); dns_name_format(dns_zone_getorigin(zone), zonename, sizeof(zonename)); isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "%s zone '%s/%s'%s%s: %s", freeze ? "freezing" : "thawing", zonename, classstr, sep, vname, isc_result_totext(result)); dns_zone_detach(&zone); return (result); } #ifdef HAVE_LIBSCF /* * This function adds a message for rndc to echo if named * is managed by smf and is also running chroot. */ isc_result_t ns_smf_add_message(isc_buffer_t *text) { unsigned int n; n = snprintf((char *)isc_buffer_used(text), isc_buffer_availablelength(text), "use svcadm(1M) to manage named"); if (n >= isc_buffer_availablelength(text)) return (ISC_R_NOSPACE); isc_buffer_add(text, n); return (ISC_R_SUCCESS); } #endif /* HAVE_LIBSCF */ Index: head/contrib/bind9/doc/arm/Bv9ARM-book.xml =================================================================== --- head/contrib/bind9/doc/arm/Bv9ARM-book.xml (revision 205291) +++ head/contrib/bind9/doc/arm/Bv9ARM-book.xml (revision 205292) @@ -1,14767 +1,14774 @@ ]> - + BIND 9 Administrator Reference Manual 2004 2005 2006 2007 2008 2009 2010 Internet Systems Consortium, Inc. ("ISC") 2000 2001 2002 2003 Internet Software Consortium. Introduction The Internet Domain Name System (DNS) consists of the syntax to specify the names of entities in the Internet in a hierarchical manner, the rules used for delegating authority over names, and the system implementation that actually maps names to Internet addresses. DNS data is maintained in a group of distributed hierarchical databases. Scope of Document The Berkeley Internet Name Domain (BIND) implements a domain name server for a number of operating systems. This document provides basic information about the installation and care of the Internet Systems Consortium (ISC) BIND version 9 software package for system administrators. This version of the manual corresponds to BIND version 9.6. Organization of This Document In this document, Chapter 1 introduces the basic DNS and BIND concepts. Chapter 2 describes resource requirements for running BIND in various environments. Information in Chapter 3 is task-oriented in its presentation and is organized functionally, to aid in the process of installing the BIND 9 software. The task-oriented section is followed by Chapter 4, which contains more advanced concepts that the system administrator may need for implementing certain options. Chapter 5 describes the BIND 9 lightweight resolver. The contents of Chapter 6 are organized as in a reference manual to aid in the ongoing maintenance of the software. Chapter 7 addresses security considerations, and Chapter 8 contains troubleshooting help. The main body of the document is followed by several appendices which contain useful reference information, such as a bibliography and historic information related to BIND and the Domain Name System. Conventions Used in This Document In this document, we use the following general typographic conventions: To describe: We use the style: a pathname, filename, URL, hostname, mailing list name, or new term or concept Fixed width literal user input Fixed Width Bold program output Fixed Width The following conventions are used in descriptions of the BIND configuration file: To describe: We use the style: keywords Fixed Width variables Fixed Width Optional input Text is enclosed in square brackets The Domain Name System (<acronym>DNS</acronym>) The purpose of this document is to explain the installation and upkeep of the BIND (Berkeley Internet Name Domain) software package, and we begin by reviewing the fundamentals of the Domain Name System (DNS) as they relate to BIND. DNS Fundamentals The Domain Name System (DNS) is a hierarchical, distributed database. It stores information for mapping Internet host names to IP addresses and vice versa, mail routing information, and other data used by Internet applications. Clients look up information in the DNS by calling a resolver library, which sends queries to one or more name servers and interprets the responses. The BIND 9 software distribution contains a name server, named, and a resolver library, liblwres. The older libbind resolver library is also available from ISC as a separate download. Domains and Domain Names The data stored in the DNS is identified by domain names that are organized as a tree according to organizational or administrative boundaries. Each node of the tree, called a domain, is given a label. The domain name of the node is the concatenation of all the labels on the path from the node to the root node. This is represented in written form as a string of labels listed from right to left and separated by dots. A label need only be unique within its parent domain. For example, a domain name for a host at the company Example, Inc. could be ourhost.example.com, where com is the top level domain to which ourhost.example.com belongs, example is a subdomain of com, and ourhost is the name of the host. For administrative purposes, the name space is partitioned into areas called zones, each starting at a node and extending down to the leaf nodes or to nodes where other zones start. The data for each zone is stored in a name server, which answers queries about the zone using the DNS protocol. The data associated with each domain name is stored in the form of resource records (RRs). Some of the supported resource record types are described in . For more detailed information about the design of the DNS and the DNS protocol, please refer to the standards documents listed in . Zones To properly operate a name server, it is important to understand the difference between a zone and a domain. As stated previously, a zone is a point of delegation in the DNS tree. A zone consists of those contiguous parts of the domain tree for which a name server has complete information and over which it has authority. It contains all domain names from a certain point downward in the domain tree except those which are delegated to other zones. A delegation point is marked by one or more NS records in the parent zone, which should be matched by equivalent NS records at the root of the delegated zone. For instance, consider the example.com domain which includes names such as host.aaa.example.com and host.bbb.example.com even though the example.com zone includes only delegations for the aaa.example.com and bbb.example.com zones. A zone can map exactly to a single domain, but could also include only part of a domain, the rest of which could be delegated to other name servers. Every name in the DNS tree is a domain, even if it is terminal, that is, has no subdomains. Every subdomain is a domain and every domain except the root is also a subdomain. The terminology is not intuitive and we suggest that you read RFCs 1033, 1034 and 1035 to gain a complete understanding of this difficult and subtle topic. Though BIND is called a "domain name server", it deals primarily in terms of zones. The master and slave declarations in the named.conf file specify zones, not domains. When you ask some other site if it is willing to be a slave server for your domain, you are actually asking for slave service for some collection of zones. Authoritative Name Servers Each zone is served by at least one authoritative name server, which contains the complete data for the zone. To make the DNS tolerant of server and network failures, most zones have two or more authoritative servers, on different networks. Responses from authoritative servers have the "authoritative answer" (AA) bit set in the response packets. This makes them easy to identify when debugging DNS configurations using tools like dig (). The Primary Master The authoritative server where the master copy of the zone data is maintained is called the primary master server, or simply the primary. Typically it loads the zone contents from some local file edited by humans or perhaps generated mechanically from some other local file which is edited by humans. This file is called the zone file or master file. In some cases, however, the master file may not be edited by humans at all, but may instead be the result of dynamic update operations. Slave Servers The other authoritative servers, the slave servers (also known as secondary servers) load the zone contents from another server using a replication process known as a zone transfer. Typically the data are transferred directly from the primary master, but it is also possible to transfer it from another slave. In other words, a slave server may itself act as a master to a subordinate slave server. Stealth Servers Usually all of the zone's authoritative servers are listed in NS records in the parent zone. These NS records constitute a delegation of the zone from the parent. The authoritative servers are also listed in the zone file itself, at the top level or apex of the zone. You can list servers in the zone's top-level NS records that are not in the parent's NS delegation, but you cannot list servers in the parent's delegation that are not present at the zone's top level. A stealth server is a server that is authoritative for a zone but is not listed in that zone's NS records. Stealth servers can be used for keeping a local copy of a zone to speed up access to the zone's records or to make sure that the zone is available even if all the "official" servers for the zone are inaccessible. A configuration where the primary master server itself is a stealth server is often referred to as a "hidden primary" configuration. One use for this configuration is when the primary master is behind a firewall and therefore unable to communicate directly with the outside world. Caching Name Servers The resolver libraries provided by most operating systems are stub resolvers, meaning that they are not capable of performing the full DNS resolution process by themselves by talking directly to the authoritative servers. Instead, they rely on a local name server to perform the resolution on their behalf. Such a server is called a recursive name server; it performs recursive lookups for local clients. To improve performance, recursive servers cache the results of the lookups they perform. Since the processes of recursion and caching are intimately connected, the terms recursive server and caching server are often used synonymously. The length of time for which a record may be retained in the cache of a caching name server is controlled by the Time To Live (TTL) field associated with each resource record. Forwarding Even a caching name server does not necessarily perform the complete recursive lookup itself. Instead, it can forward some or all of the queries that it cannot satisfy from its cache to another caching name server, commonly referred to as a forwarder. There may be one or more forwarders, and they are queried in turn until the list is exhausted or an answer is found. Forwarders are typically used when you do not wish all the servers at a given site to interact directly with the rest of the Internet servers. A typical scenario would involve a number of internal DNS servers and an Internet firewall. Servers unable to pass packets through the firewall would forward to the server that can do it, and that server would query the Internet DNS servers on the internal server's behalf. Name Servers in Multiple Roles The BIND name server can simultaneously act as a master for some zones, a slave for other zones, and as a caching (recursive) server for a set of local clients. However, since the functions of authoritative name service and caching/recursive name service are logically separate, it is often advantageous to run them on separate server machines. A server that only provides authoritative name service (an authoritative-only server) can run with recursion disabled, improving reliability and security. A server that is not authoritative for any zones and only provides recursive service to local clients (a caching-only server) does not need to be reachable from the Internet at large and can be placed inside a firewall. <acronym>BIND</acronym> Resource Requirements Hardware requirements DNS hardware requirements have traditionally been quite modest. For many installations, servers that have been pensioned off from active duty have performed admirably as DNS servers. The DNSSEC features of BIND 9 may prove to be quite CPU intensive however, so organizations that make heavy use of these features may wish to consider larger systems for these applications. BIND 9 is fully multithreaded, allowing full utilization of multiprocessor systems for installations that need it. CPU Requirements CPU requirements for BIND 9 range from i486-class machines for serving of static zones without caching, to enterprise-class machines if you intend to process many dynamic updates and DNSSEC signed zones, serving many thousands of queries per second. Memory Requirements The memory of the server has to be large enough to fit the cache and zones loaded off disk. The max-cache-size option can be used to limit the amount of memory used by the cache, at the expense of reducing cache hit rates and causing more DNS traffic. Additionally, if additional section caching () is enabled, the max-acache-size option can be used to limit the amount of memory used by the mechanism. It is still good practice to have enough memory to load all zone and cache data into memory — unfortunately, the best way to determine this for a given installation is to watch the name server in operation. After a few weeks the server process should reach a relatively stable size where entries are expiring from the cache as fast as they are being inserted. Name Server Intensive Environment Issues For name server intensive environments, there are two alternative configurations that may be used. The first is where clients and any second-level internal name servers query a main name server, which has enough memory to build a large cache. This approach minimizes the bandwidth used by external name lookups. The second alternative is to set up second-level internal name servers to make queries independently. In this configuration, none of the individual machines needs to have as much memory or CPU power as in the first alternative, but this has the disadvantage of making many more external queries, as none of the name servers share their cached data. Supported Operating Systems ISC BIND 9 compiles and runs on a large number of Unix-like operating systems and on NT-derived versions of Microsoft Windows such as Windows 2000 and Windows XP. For an up-to-date list of supported systems, see the README file in the top level directory of the BIND 9 source distribution. Name Server Configuration In this chapter we provide some suggested configurations along with guidelines for their use. We suggest reasonable values for certain option settings. Sample Configurations A Caching-only Name Server The following sample configuration is appropriate for a caching-only name server for use by clients internal to a corporation. All queries from outside clients are refused using the allow-query option. Alternatively, the same effect could be achieved using suitable firewall rules. // Two corporate subnets we wish to allow queries from. acl corpnets { 192.168.4.0/24; 192.168.7.0/24; }; options { directory "/etc/namedb"; // Working directory allow-query { corpnets; }; }; // Provide a reverse mapping for the loopback address 127.0.0.1 zone "0.0.127.in-addr.arpa" { type master; file "localhost.rev"; notify no; }; An Authoritative-only Name Server This sample configuration is for an authoritative-only server that is the master server for "example.com" and a slave for the subdomain "eng.example.com". options { directory "/etc/namedb"; // Working directory allow-query-cache { none; }; // Do not allow access to cache allow-query { any; }; // This is the default recursion no; // Do not provide recursive service }; // Provide a reverse mapping for the loopback address 127.0.0.1 zone "0.0.127.in-addr.arpa" { type master; file "localhost.rev"; notify no; }; // We are the master server for example.com zone "example.com" { type master; file "example.com.db"; // IP addresses of slave servers allowed to transfer example.com allow-transfer { 192.168.4.14; 192.168.5.53; }; }; // We are a slave server for eng.example.com zone "eng.example.com" { type slave; file "eng.example.com.bk"; // IP address of eng.example.com master server masters { 192.168.4.12; }; }; Load Balancing A primitive form of load balancing can be achieved in the DNS by using multiple records (such as multiple A records) for one name. For example, if you have three WWW servers with network addresses of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the following means that clients will connect to each machine one third of the time: Name TTL CLASS TYPE Resource Record (RR) Data www 600 IN A 10.0.0.1 600 IN A 10.0.0.2 600 IN A 10.0.0.3 When a resolver queries for these records, BIND will rotate them and respond to the query with the records in a different order. In the example above, clients will randomly receive records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients will use the first record returned and discard the rest. For more detail on ordering responses, check the rrset-order substatement in the options statement, see . Name Server Operations Tools for Use With the Name Server Daemon This section describes several indispensable diagnostic, administrative and monitoring tools available to the system administrator for controlling and debugging the name server daemon. Diagnostic Tools The dig, host, and nslookup programs are all command line tools for manually querying name servers. They differ in style and output format. dig The domain information groper (dig) is the most versatile and complete of these lookup tools. It has two modes: simple interactive mode for a single query, and batch mode which executes a query for each in a list of several query lines. All query options are accessible from the command line. dig @server domain query-type query-class +query-option -dig-option %comment The usual simple use of dig will take the form dig @server domain query-type query-class For more information and a list of available commands and options, see the dig man page. host The host utility emphasizes simplicity and ease of use. By default, it converts between host names and Internet addresses, but its functionality can be extended with the use of options. host -aCdlnrsTwv -c class -N ndots -t type -W timeout -R retries -m flag -4 -6 hostname server For more information and a list of available commands and options, see the host man page. nslookup nslookup has two modes: interactive and non-interactive. Interactive mode allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain. Non-interactive mode is used to print just the name and requested information for a host or domain. nslookup -option host-to-find - server Interactive mode is entered when no arguments are given (the default name server will be used) or when the first argument is a hyphen (`-') and the second argument is the host name or Internet address of a name server. Non-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument. The optional second argument specifies the host name or address of a name server. Due to its arcane user interface and frequently inconsistent behavior, we do not recommend the use of nslookup. Use dig instead. Administrative Tools Administrative tools play an integral part in the management of a server. named-checkconf The named-checkconf program checks the syntax of a named.conf file. named-checkconf -jvz -t directory filename named-checkzone The named-checkzone program checks a master file for syntax and consistency. named-checkzone -djqvD -c class -o output -t directory -w directory -k (ignore|warn|fail) -n (ignore|warn|fail) -W (ignore|warn) zone filename named-compilezone Similar to named-checkzone, but it always dumps the zone content to a specified file (typically in a different format). rndc The remote name daemon control (rndc) program allows the system administrator to control the operation of a name server. Since BIND 9.2, rndc supports all the commands of the BIND 8 ndc utility except ndc start and ndc restart, which were also not supported in ndc's channel mode. If you run rndc without any options it will display a usage message as follows: rndc -c config -s server -p port -y key command command The command is one of the following: reload Reload configuration file and zones. reload zone class view Reload the given zone. refresh zone class view Schedule zone maintenance for the given zone. retransfer zone class view Retransfer the given zone from the master. freeze zone class view Suspend updates to a dynamic zone. If no zone is specified, then all zones are suspended. This allows manual edits to be made to a zone normally updated by dynamic update. It also causes changes in the journal file to be synced into the master and the journal file to be removed. All dynamic update attempts will be refused while the zone is frozen. thaw zone class view Enable updates to a frozen dynamic zone. If no zone is specified, then all frozen zones are enabled. This causes the server to reload the zone from disk, and re-enables dynamic updates after the load has completed. After a zone is thawed, dynamic updates will no longer be refused. notify zone class view Resend NOTIFY messages for the zone. reconfig Reload the configuration file and load new zones, but do not reload existing zone files even if they have changed. This is faster than a full reload when there is a large number of zones because it avoids the need to examine the modification times of the zones files. stats Write server statistics to the statistics file. querylog Toggle query logging. Query logging can also be enabled by explicitly directing the queries category to a channel in the logging section of named.conf or by specifying querylog yes; in the options section of named.conf. dumpdb -all|-cache|-zone view ... Dump the server's caches (default) and/or zones to the dump file for the specified views. If no view is specified, all views are dumped. stop -p Stop the server, making sure any recent changes made through dynamic update or IXFR are first saved to the master files of the updated zones. If is specified named's process id is returned. This allows an external process to determine when named had completed stopping. halt -p Stop the server immediately. Recent changes made through dynamic update or IXFR are not saved to the master files, but will be rolled forward from the journal files when the server is restarted. If is specified named's process id is returned. This allows an external process to determine when named had completed halting. trace Increment the servers debugging level by one. trace level Sets the server's debugging level to an explicit value. notrace Sets the server's debugging level to 0. flush Flushes the server's cache. flushname name Flushes the given name from the server's cache. status Display status of the server. Note that the number of zones includes the internal bind/CH zone and the default ./IN hint zone if there is not an explicit root zone configured. recursing Dump the list of queries named is currently recursing on. validation on|off view ... Enable or disable DNSSEC validation. Note dnssec-enable also needs to be set to yes to be effective. It defaults to enabled. A configuration file is required, since all communication with the server is authenticated with digital signatures that rely on a shared secret, and there is no way to provide that secret other than with a configuration file. The default location for the rndc configuration file is /etc/rndc.conf, but an alternate location can be specified with the option. If the configuration file is not found, rndc will also look in /etc/rndc.key (or whatever sysconfdir was defined when the BIND build was configured). The rndc.key file is generated by running rndc-confgen -a as described in . The format of the configuration file is similar to that of named.conf, but limited to only four statements, the options, key, server and include statements. These statements are what associate the secret keys to the servers with which they are meant to be shared. The order of statements is not significant. The options statement has three clauses: default-server, default-key, and default-port. default-server takes a host name or address argument and represents the server that will be contacted if no option is provided on the command line. default-key takes the name of a key as its argument, as defined by a key statement. default-port specifies the port to which rndc should connect if no port is given on the command line or in a server statement. The key statement defines a key to be used by rndc when authenticating with named. Its syntax is identical to the key statement in named.conf. The keyword key is followed by a key name, which must be a valid domain name, though it need not actually be hierarchical; thus, a string like "rndc_key" is a valid name. The key statement has two clauses: algorithm and secret. While the configuration parser will accept any string as the argument to algorithm, currently only the string "hmac-md5" has any meaning. The secret is a base-64 encoded string as specified in RFC 3548. The server statement associates a key defined using the key statement with a server. The keyword server is followed by a host name or address. The server statement has two clauses: key and port. The key clause specifies the name of the key to be used when communicating with this server, and the port clause can be used to specify the port rndc should connect to on the server. A sample minimal configuration file is as follows: key rndc_key { algorithm "hmac-md5"; secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"; }; options { default-server 127.0.0.1; default-key rndc_key; }; This file, if installed as /etc/rndc.conf, would allow the command: $ rndc reload to connect to 127.0.0.1 port 953 and cause the name server to reload, if a name server on the local machine were running with following controls statements: controls { inet 127.0.0.1 allow { localhost; } keys { rndc_key; }; }; and it had an identical key statement for rndc_key. Running the rndc-confgen program will conveniently create a rndc.conf file for you, and also display the corresponding controls statement that you need to add to named.conf. Alternatively, you can run rndc-confgen -a to set up a rndc.key file and not modify named.conf at all. Signals Certain UNIX signals cause the name server to take specific actions, as described in the following table. These signals can be sent using the kill command. SIGHUP Causes the server to read named.conf and reload the database. SIGTERM Causes the server to clean up and exit. SIGINT Causes the server to clean up and exit. Advanced DNS Features Notify DNS NOTIFY is a mechanism that allows master servers to notify their slave servers of changes to a zone's data. In response to a NOTIFY from a master server, the slave will check to see that its version of the zone is the current version and, if not, initiate a zone transfer. For more information about DNS NOTIFY, see the description of the notify option in and the description of the zone option also-notify in . The NOTIFY protocol is specified in RFC 1996. As a slave zone can also be a master to other slaves, named, by default, sends NOTIFY messages for every zone it loads. Specifying notify master-only; will cause named to only send NOTIFY for master zones that it loads. Dynamic Update Dynamic Update is a method for adding, replacing or deleting records in a master server by sending it a special form of DNS messages. The format and meaning of these messages is specified in RFC 2136. Dynamic update is enabled by including an allow-update or update-policy clause in the zone statement. The tkey-gssapi-credential and tkey-domain clauses in the options statement enable the server to negotiate keys that can be matched against those in update-policy or allow-update. Updating of secure zones (zones using DNSSEC) follows RFC 3007: RRSIG, NSEC and NSEC3 records affected by updates are automatically regenerated by the server using an online zone key. Update authorization is based on transaction signatures and an explicit server policy. The journal file All changes made to a zone using dynamic update are stored in the zone's journal file. This file is automatically created by the server when the first dynamic update takes place. The name of the journal file is formed by appending the extension .jnl to the name of the corresponding zone file unless specifically overridden. The journal file is in a binary format and should not be edited manually. The server will also occasionally write ("dump") the complete contents of the updated zone to its zone file. This is not done immediately after each dynamic update, because that would be too slow when a large zone is updated frequently. Instead, the dump is delayed by up to 15 minutes, allowing additional updates to take place. During the dump process, transient files will be created with the extensions .jnw and .jbk; under ordinary circumstances, these will be removed when the dump is complete, and can be safely ignored. When a server is restarted after a shutdown or crash, it will replay the journal file to incorporate into the zone any updates that took place after the last zone dump. Changes that result from incoming incremental zone transfers are also journalled in a similar way. The zone files of dynamic zones cannot normally be edited by hand because they are not guaranteed to contain the most recent dynamic changes — those are only in the journal file. The only way to ensure that the zone file of a dynamic zone is up to date is to run rndc stop. If you have to make changes to a dynamic zone manually, the following procedure will work: Disable dynamic updates to the zone using rndc freeze zone. This will also remove the zone's .jnl file and update the master file. Edit the zone file. Run rndc thaw zone to reload the changed zone and re-enable dynamic updates. Incremental Zone Transfers (IXFR) The incremental zone transfer (IXFR) protocol is a way for slave servers to transfer only changed data, instead of having to transfer the entire zone. The IXFR protocol is specified in RFC 1995. See . When acting as a master, BIND 9 supports IXFR for those zones where the necessary change history information is available. These include master zones maintained by dynamic update and slave zones whose data was obtained by IXFR. For manually maintained master zones, and for slave zones obtained by performing a full zone transfer (AXFR), IXFR is supported only if the option ixfr-from-differences is set to yes. When acting as a slave, BIND 9 will attempt to use IXFR unless it is explicitly disabled. For more information about disabling IXFR, see the description of the request-ixfr clause of the server statement. Split DNS Setting up different views, or visibility, of the DNS space to internal and external resolvers is usually referred to as a Split DNS setup. There are several reasons an organization would want to set up its DNS this way. One common reason for setting up a DNS system this way is to hide "internal" DNS information from "external" clients on the Internet. There is some debate as to whether or not this is actually useful. Internal DNS information leaks out in many ways (via email headers, for example) and most savvy "attackers" can find the information they need using other means. However, since listing addresses of internal servers that external clients cannot possibly reach can result in connection delays and other annoyances, an organization may choose to use a Split DNS to present a consistent view of itself to the outside world. Another common reason for setting up a Split DNS system is to allow internal networks that are behind filters or in RFC 1918 space (reserved IP space, as documented in RFC 1918) to resolve DNS on the Internet. Split DNS can also be used to allow mail from outside back in to the internal network. Example split DNS setup Let's say a company named Example, Inc. (example.com) has several corporate sites that have an internal network with reserved Internet Protocol (IP) space and an external demilitarized zone (DMZ), or "outside" section of a network, that is available to the public. Example, Inc. wants its internal clients to be able to resolve external hostnames and to exchange mail with people on the outside. The company also wants its internal resolvers to have access to certain internal-only zones that are not available at all outside of the internal network. In order to accomplish this, the company will set up two sets of name servers. One set will be on the inside network (in the reserved IP space) and the other set will be on bastion hosts, which are "proxy" hosts that can talk to both sides of its network, in the DMZ. The internal servers will be configured to forward all queries, except queries for site1.internal, site2.internal, site1.example.com, and site2.example.com, to the servers in the DMZ. These internal servers will have complete sets of information for site1.example.com, site2.example.com, site1.internal, and site2.internal. To protect the site1.internal and site2.internal domains, the internal name servers must be configured to disallow all queries to these domains from any external hosts, including the bastion hosts. The external servers, which are on the bastion hosts, will be configured to serve the "public" version of the site1 and site2.example.com zones. This could include things such as the host records for public servers (www.example.com and ftp.example.com), and mail exchange (MX) records (a.mx.example.com and b.mx.example.com). In addition, the public site1 and site2.example.com zones should have special MX records that contain wildcard (`*') records pointing to the bastion hosts. This is needed because external mail servers do not have any other way of looking up how to deliver mail to those internal hosts. With the wildcard records, the mail will be delivered to the bastion host, which can then forward it on to internal hosts. Here's an example of a wildcard MX record: * IN MX 10 external1.example.com. Now that they accept mail on behalf of anything in the internal network, the bastion hosts will need to know how to deliver mail to internal hosts. In order for this to work properly, the resolvers on the bastion hosts will need to be configured to point to the internal name servers for DNS resolution. Queries for internal hostnames will be answered by the internal servers, and queries for external hostnames will be forwarded back out to the DNS servers on the bastion hosts. In order for all this to work properly, internal clients will need to be configured to query only the internal name servers for DNS queries. This could also be enforced via selective filtering on the network. If everything has been set properly, Example, Inc.'s internal clients will now be able to: Look up any hostnames in the site1 and site2.example.com zones. Look up any hostnames in the site1.internal and site2.internal domains. Look up any hostnames on the Internet. Exchange mail with both internal and external people. Hosts on the Internet will be able to: Look up any hostnames in the site1 and site2.example.com zones. Exchange mail with anyone in the site1 and site2.example.com zones. Here is an example configuration for the setup we just described above. Note that this is only configuration information; for information on how to configure your zone files, see . Internal DNS server config: acl internals { 172.16.72.0/24; 192.168.1.0/24; }; acl externals { bastion-ips-go-here; }; options { ... ... forward only; forwarders { // forward to external servers bastion-ips-go-here; }; allow-transfer { none; }; // sample allow-transfer (no one) allow-query { internals; externals; }; // restrict query access allow-recursion { internals; }; // restrict recursion ... ... }; zone "site1.example.com" { // sample master zone type master; file "m/site1.example.com"; forwarders { }; // do normal iterative // resolution (do not forward) allow-query { internals; externals; }; allow-transfer { internals; }; }; zone "site2.example.com" { // sample slave zone type slave; file "s/site2.example.com"; masters { 172.16.72.3; }; forwarders { }; allow-query { internals; externals; }; allow-transfer { internals; }; }; zone "site1.internal" { type master; file "m/site1.internal"; forwarders { }; allow-query { internals; }; allow-transfer { internals; } }; zone "site2.internal" { type slave; file "s/site2.internal"; masters { 172.16.72.3; }; forwarders { }; allow-query { internals }; allow-transfer { internals; } }; External (bastion host) DNS server config: acl internals { 172.16.72.0/24; 192.168.1.0/24; }; acl externals { bastion-ips-go-here; }; options { ... ... allow-transfer { none; }; // sample allow-transfer (no one) allow-query { any; }; // default query access allow-query-cache { internals; externals; }; // restrict cache access allow-recursion { internals; externals; }; // restrict recursion ... ... }; zone "site1.example.com" { // sample slave zone type master; file "m/site1.foo.com"; allow-transfer { internals; externals; }; }; zone "site2.example.com" { type slave; file "s/site2.foo.com"; masters { another_bastion_host_maybe; }; allow-transfer { internals; externals; } }; In the resolv.conf (or equivalent) on the bastion host(s): search ... nameserver 172.16.72.2 nameserver 172.16.72.3 nameserver 172.16.72.4 TSIG This is a short guide to setting up Transaction SIGnatures (TSIG) based transaction security in BIND. It describes changes to the configuration file as well as what changes are required for different features, including the process of creating transaction keys and using transaction signatures with BIND. BIND primarily supports TSIG for server to server communication. This includes zone transfer, notify, and recursive query messages. Resolvers based on newer versions of BIND 8 have limited support for TSIG. TSIG can also be useful for dynamic update. A primary server for a dynamic zone should control access to the dynamic update service, but IP-based access control is insufficient. The cryptographic access control provided by TSIG is far superior. The nsupdate program supports TSIG via the and command line options or inline by use of the key. Generate Shared Keys for Each Pair of Hosts A shared secret is generated to be shared between host1 and host2. An arbitrary key name is chosen: "host1-host2.". The key name must be the same on both hosts. Automatic Generation The following command will generate a 128-bit (16 byte) HMAC-SHA256 key as described above. Longer keys are better, but shorter keys are easier to read. Note that the maximum key length is the digest length, here 256 bits. dnssec-keygen -a hmac-sha256 -b 128 -n HOST host1-host2. The key is in the file Khost1-host2.+163+00000.private. Nothing directly uses this file, but the base-64 encoded string following "Key:" can be extracted from the file and used as a shared secret: Key: La/E5CjG9O+os1jq0a2jdA== The string "La/E5CjG9O+os1jq0a2jdA==" can be used as the shared secret. Manual Generation The shared secret is simply a random sequence of bits, encoded in base-64. Most ASCII strings are valid base-64 strings (assuming the length is a multiple of 4 and only valid characters are used), so the shared secret can be manually generated. Also, a known string can be run through mmencode or a similar program to generate base-64 encoded data. Copying the Shared Secret to Both Machines This is beyond the scope of DNS. A secure transport mechanism should be used. This could be secure FTP, ssh, telephone, etc. Informing the Servers of the Key's Existence Imagine host1 and host 2 are both servers. The following is added to each server's named.conf file: key host1-host2. { algorithm hmac-sha256; secret "La/E5CjG9O+os1jq0a2jdA=="; }; The secret is the one generated above. Since this is a secret, it is recommended that either named.conf be non-world readable, or the key directive be added to a non-world readable file that is included by named.conf. At this point, the key is recognized. This means that if the server receives a message signed by this key, it can verify the signature. If the signature is successfully verified, the response is signed by the same key. Instructing the Server to Use the Key Since keys are shared between two hosts only, the server must be told when keys are to be used. The following is added to the named.conf file for host1, if the IP address of host2 is 10.1.2.3: server 10.1.2.3 { keys { host1-host2. ;}; }; Multiple keys may be present, but only the first is used. This directive does not contain any secrets, so it may be in a world-readable file. If host1 sends a message that is a request to that address, the message will be signed with the specified key. host1 will expect any responses to signed messages to be signed with the same key. A similar statement must be present in host2's configuration file (with host1's address) for host2 to sign request messages to host1. TSIG Key Based Access Control BIND allows IP addresses and ranges to be specified in ACL definitions and allow-{ query | transfer | update } directives. This has been extended to allow TSIG keys also. The above key would be denoted key host1-host2. An example of an allow-update directive would be: allow-update { key host1-host2. ;}; This allows dynamic updates to succeed only if the request was signed by a key named "host1-host2.". You may want to read about the more powerful update-policy statement in . Errors The processing of TSIG signed messages can result in several errors. If a signed message is sent to a non-TSIG aware server, a FORMERR (format error) will be returned, since the server will not understand the record. This is a result of misconfiguration, since the server must be explicitly configured to send a TSIG signed message to a specific server. If a TSIG aware server receives a message signed by an unknown key, the response will be unsigned with the TSIG extended error code set to BADKEY. If a TSIG aware server receives a message with a signature that does not validate, the response will be unsigned with the TSIG extended error code set to BADSIG. If a TSIG aware server receives a message with a time outside of the allowed range, the response will be signed with the TSIG extended error code set to BADTIME, and the time values will be adjusted so that the response can be successfully verified. In any of these cases, the message's rcode (response code) is set to NOTAUTH (not authenticated). TKEY TKEY is a mechanism for automatically generating a shared secret between two hosts. There are several "modes" of TKEY that specify how the key is generated or assigned. BIND 9 implements only one of these modes, the Diffie-Hellman key exchange. Both hosts are required to have a Diffie-Hellman KEY record (although this record is not required to be present in a zone). The TKEY process must use signed messages, signed either by TSIG or SIG(0). The result of TKEY is a shared secret that can be used to sign messages with TSIG. TKEY can also be used to delete shared secrets that it had previously generated. The TKEY process is initiated by a client or server by sending a signed TKEY query (including any appropriate KEYs) to a TKEY-aware server. The server response, if it indicates success, will contain a TKEY record and any appropriate keys. After this exchange, both participants have enough information to determine the shared secret; the exact process depends on the TKEY mode. When using the Diffie-Hellman TKEY mode, Diffie-Hellman keys are exchanged, and the shared secret is derived by both participants. SIG(0) BIND 9 partially supports DNSSEC SIG(0) transaction signatures as specified in RFC 2535 and RFC 2931. SIG(0) uses public/private keys to authenticate messages. Access control is performed in the same manner as TSIG keys; privileges can be granted or denied based on the key name. When a SIG(0) signed message is received, it will only be verified if the key is known and trusted by the server; the server will not attempt to locate and/or validate the key. SIG(0) signing of multiple-message TCP streams is not supported. The only tool shipped with BIND 9 that generates SIG(0) signed messages is nsupdate. DNSSEC Cryptographic authentication of DNS information is possible through the DNS Security (DNSSEC-bis) extensions, defined in RFC 4033, RFC 4034, and RFC 4035. This section describes the creation and use of DNSSEC signed zones. In order to set up a DNSSEC secure zone, there are a series of steps which must be followed. BIND 9 ships with several tools that are used in this process, which are explained in more detail below. In all cases, the option prints a full list of parameters. Note that the DNSSEC tools require the keyset files to be in the working directory or the directory specified by the option, and that the tools shipped with BIND 9.2.x and earlier are not compatible with the current ones. There must also be communication with the administrators of the parent and/or child zone to transmit keys. A zone's security status must be indicated by the parent zone for a DNSSEC capable resolver to trust its data. This is done through the presence or absence of a DS record at the delegation point. For other servers to trust data in this zone, they must either be statically configured with this zone's zone key or the zone key of another zone above this one in the DNS tree. Generating Keys The dnssec-keygen program is used to generate keys. A secure zone must contain one or more zone keys. The zone keys will sign all other records in the zone, as well as the zone keys of any secure delegated zones. Zone keys must have the same name as the zone, a name type of ZONE, and must be usable for authentication. It is recommended that zone keys use a cryptographic algorithm designated as "mandatory to implement" by the IETF; currently the only one is RSASHA1. The following command will generate a 768-bit RSASHA1 key for the child.example zone: dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example. Two output files will be produced: Kchild.example.+005+12345.key and Kchild.example.+005+12345.private (where 12345 is an example of a key tag). The key filenames contain the key name (child.example.), algorithm (3 is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in this case). The private key (in the .private file) is used to generate signatures, and the public key (in the .key file) is used for signature verification. To generate another key with the same properties (but with a different key tag), repeat the above command. The dnssec-keyfromlabel program is used to get a key pair from a crypto hardware and build the key files. Its usage is similar to dnssec-keygen. The public keys should be inserted into the zone file by including the .key files using $INCLUDE statements. Signing the Zone The dnssec-signzone program is used to sign a zone. Any keyset files corresponding to secure subzones should be present. The zone signer will generate NSEC, NSEC3 and RRSIG records for the zone, as well as DS for the child zones if '-g' is specified. If '-g' is not specified, then DS RRsets for the secure child zones need to be added manually. The following command signs the zone, assuming it is in a file called zone.child.example. By default, all zone keys which have an available private key are used to generate signatures. dnssec-signzone -o child.example zone.child.example One output file is produced: zone.child.example.signed. This file should be referenced by named.conf as the input file for the zone. dnssec-signzone will also produce a keyset and dsset files and optionally a dlvset file. These are used to provide the parent zone administrators with the DNSKEYs (or their corresponding DS records) that are the secure entry point to the zone. Configuring Servers To enable named to respond appropriately to DNS requests from DNSSEC aware clients, dnssec-enable must be set to yes. (This is the default setting.) To enable named to validate answers from other servers, the dnssec-enable and dnssec-validation options must both be set to yes (the default setting in BIND 9.5 and later), and at least one trust anchor must be configured with a trusted-keys statement in named.conf. trusted-keys are copies of DNSKEY RRs for zones that are used to form the first link in the cryptographic chain of trust. All keys listed in trusted-keys (and corresponding zones) are deemed to exist and only the listed keys will be used to validated the DNSKEY RRset that they are from. trusted-keys are described in more detail later in this document. Unlike BIND 8, BIND 9 does not verify signatures on load, so zone keys for authoritative zones do not need to be specified in the configuration file. After DNSSEC gets established, a typical DNSSEC configuration will look something like the following. It has a one or more public keys for the root. This allows answers from outside the organization to be validated. It will also have several keys for parts of the namespace the organization controls. These are here to ensure that named is immune to compromises in the DNSSEC components of the security of parent zones. trusted-keys { /* Root Key */ "." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/ E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3 zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3"; /* Key for our organization's forward zone */ example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe 3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt 8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn SCThlHf3xiYleDbt/o1OTQ09A0="; /* Key for our reverse zone. */ 2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0 tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0 yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ 4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06 zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL 7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD 52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib"; }; options { ... dnssec-enable yes; dnssec-validation yes; }; None of the keys listed in this example are valid. In particular, the root key is not valid. When DNSSEC validation is enabled and properly configured, the resolver will reject any answers from signed, secure zones which fail to validate, and will return SERVFAIL to the client. Responses may fail to validate for any of several reasons, including missing, expired, or invalid signatures, a key which does not match the DS RRset in the parent zone, or an insecure response from a zone which, according to its parent, should have been secure. When the validator receives a response from an unsigned zone that has a signed parent, it must confirm with the parent that the zone was intentionally left unsigned. It does this by verifying, via signed and validated NSEC/NSEC3 records, that the parent zone contains no DS records for the child. If the validator can prove that the zone is insecure, then the response is accepted. However, if it cannot, then it must assume an insecure response to be a forgery; it rejects the response and logs an error. The logged error reads "insecurity proof failed" and "got insecure response; parent indicates it should be secure". (Prior to BIND 9.7, the logged error was "not insecure". This referred to the zone, not the response.) IPv6 Support in <acronym>BIND</acronym> 9 BIND 9 fully supports all currently defined forms of IPv6 name to address and address to name lookups. It will also use IPv6 addresses to make queries when running on an IPv6 capable system. For forward lookups, BIND 9 supports only AAAA records. RFC 3363 deprecated the use of A6 records, and client-side support for A6 records was accordingly removed from BIND 9. However, authoritative BIND 9 name servers still load zone files containing A6 records correctly, answer queries for A6 records, and accept zone transfer for a zone containing A6 records. For IPv6 reverse lookups, BIND 9 supports the traditional "nibble" format used in the ip6.arpa domain, as well as the older, deprecated ip6.int domain. Older versions of BIND 9 supported the "binary label" (also known as "bitstring") format, but support of binary labels has been completely removed per RFC 3363. Many applications in BIND 9 do not understand the binary label format at all any more, and will return an error if given. In particular, an authoritative BIND 9 name server will not load a zone file containing binary labels. For an overview of the format and structure of IPv6 addresses, see . Address Lookups Using AAAA Records The IPv6 AAAA record is a parallel to the IPv4 A record, and, unlike the deprecated A6 record, specifies the entire IPv6 address in a single record. For example, $ORIGIN example.com. host 3600 IN AAAA 2001:db8::1 Use of IPv4-in-IPv6 mapped addresses is not recommended. If a host has an IPv4 address, use an A record, not a AAAA, with ::ffff:192.168.42.1 as the address. Address to Name Lookups Using Nibble Format When looking up an address in nibble format, the address components are simply reversed, just as in IPv4, and ip6.arpa. is appended to the resulting name. For example, the following would provide reverse name lookup for a host with address 2001:db8::1. $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR host.example.com. The <acronym>BIND</acronym> 9 Lightweight Resolver The Lightweight Resolver Library Traditionally applications have been linked with a stub resolver library that sends recursive DNS queries to a local caching name server. IPv6 once introduced new complexity into the resolution process, such as following A6 chains and DNAME records, and simultaneous lookup of IPv4 and IPv6 addresses. Though most of the complexity was then removed, these are hard or impossible to implement in a traditional stub resolver. BIND 9 therefore can also provide resolution services to local clients using a combination of a lightweight resolver library and a resolver daemon process running on the local host. These communicate using a simple UDP-based protocol, the "lightweight resolver protocol" that is distinct from and simpler than the full DNS protocol. Running a Resolver Daemon To use the lightweight resolver interface, the system must run the resolver daemon lwresd or a local name server configured with a lwres statement. By default, applications using the lightweight resolver library will make UDP requests to the IPv4 loopback address (127.0.0.1) on port 921. The address can be overridden by lwserver lines in /etc/resolv.conf. The daemon currently only looks in the DNS, but in the future it may use other sources such as /etc/hosts, NIS, etc. The lwresd daemon is essentially a caching-only name server that responds to requests using the lightweight resolver protocol rather than the DNS protocol. Because it needs to run on each host, it is designed to require no or minimal configuration. Unless configured otherwise, it uses the name servers listed on nameserver lines in /etc/resolv.conf as forwarders, but is also capable of doing the resolution autonomously if none are specified. The lwresd daemon may also be configured with a named.conf style configuration file, in /etc/lwresd.conf by default. A name server may also be configured to act as a lightweight resolver daemon using the lwres statement in named.conf. <acronym>BIND</acronym> 9 Configuration Reference BIND 9 configuration is broadly similar to BIND 8; however, there are a few new areas of configuration, such as views. BIND 8 configuration files should work with few alterations in BIND 9, although more complex configurations should be reviewed to check if they can be more efficiently implemented using the new features found in BIND 9. BIND 4 configuration files can be converted to the new format using the shell script contrib/named-bootconf/named-bootconf.sh. Configuration File Elements Following is a list of elements used throughout the BIND configuration file documentation: acl_name The name of an address_match_list as defined by the acl statement. address_match_list A list of one or more ip_addr, ip_prefix, key_id, or acl_name elements, see . masters_list A named list of one or more ip_addr with optional key_id and/or ip_port. A masters_list may include other masters_lists. domain_name A quoted string which will be used as a DNS name, for example "my.test.domain". dotted_decimal One to four integers valued 0 through 255 separated by dots (`.'), such as 123, 45.67 or 89.123.45.67. ip4_addr An IPv4 address with exactly four elements in dotted_decimal notation. ip6_addr An IPv6 address, such as 2001:db8::1234. IPv6 scoped addresses that have ambiguity on their scope zones must be disambiguated by an appropriate zone ID with the percent character (`%') as delimiter. It is strongly recommended to use string zone names rather than numeric identifiers, in order to be robust against system configuration changes. However, since there is no standard mapping for such names and identifier values, currently only interface names as link identifiers are supported, assuming one-to-one mapping between interfaces and links. For example, a link-local address fe80::1 on the link attached to the interface ne0 can be specified as fe80::1%ne0. Note that on most systems link-local addresses always have the ambiguity, and need to be disambiguated. ip_addr An ip4_addr or ip6_addr. ip_port An IP port number. The number is limited to 0 through 65535, with values below 1024 typically restricted to use by processes running as root. In some cases, an asterisk (`*') character can be used as a placeholder to select a random high-numbered port. ip_prefix An IP network specified as an ip_addr, followed by a slash (`/') and then the number of bits in the netmask. Trailing zeros in a ip_addr may omitted. For example, 127/8 is the network 127.0.0.0 with netmask 255.0.0.0 and 1.2.3.0/28 is network 1.2.3.0 with netmask 255.255.255.240. When specifying a prefix involving a IPv6 scoped address the scope may be omitted. In that case the prefix will match packets from any scope. key_id A domain_name representing the name of a shared key, to be used for transaction security. key_list A list of one or more key_ids, separated by semicolons and ending with a semicolon. number A non-negative 32-bit integer (i.e., a number between 0 and 4294967295, inclusive). Its acceptable value might further be limited by the context in which it is used. path_name A quoted string which will be used as a pathname, such as zones/master/my.test.domain. port_list A list of an ip_port or a port range. A port range is specified in the form of range followed by two ip_ports, port_low and port_high, which represents port numbers from port_low through port_high, inclusive. port_low must not be larger than port_high. For example, range 1024 65535 represents ports from 1024 through 65535. In either case an asterisk (`*') character is not allowed as a valid ip_port. size_spec A number, the word unlimited, or the word default. An unlimited size_spec requests unlimited use, or the maximum available amount. A default size_spec uses the limit that was in force when the server was started. A number can optionally be followed by a scaling factor: K or k for kilobytes, M or m for megabytes, and G or g for gigabytes, which scale by 1024, 1024*1024, and 1024*1024*1024 respectively. The value must be representable as a 64-bit unsigned integer (0 to 18446744073709551615, inclusive). Using unlimited is the best way to safely set a really large number. yes_or_no Either yes or no. The words true and false are also accepted, as are the numbers 1 and 0. dialup_option One of yes, no, notify, notify-passive, refresh or passive. When used in a zone, notify-passive, refresh, and passive are restricted to slave and stub zones. Address Match Lists Syntax address_match_list = address_match_list_element ; address_match_list_element; ... address_match_list_element = ! (ip_address /length | key key_id | acl_name | { address_match_list } ) Definition and Usage Address match lists are primarily used to determine access control for various server operations. They are also used in the listen-on and sortlist statements. The elements which constitute an address match list can be any of the following: an IP address (IPv4 or IPv6) an IP prefix (in `/' notation) a key ID, as defined by the key statement the name of an address match list defined with the acl statement a nested address match list enclosed in braces Elements can be negated with a leading exclamation mark (`!'), and the match list names "any", "none", "localhost", and "localnets" are predefined. More information on those names can be found in the description of the acl statement. The addition of the key clause made the name of this syntactic element something of a misnomer, since security keys can be used to validate access without regard to a host or network address. Nonetheless, the term "address match list" is still used throughout the documentation. When a given IP address or prefix is compared to an address match list, the comparison takes place in approximately O(1) time. However, key comparisons require that the list of keys be traversed until a matching key is found, and therefore may be somewhat slower. The interpretation of a match depends on whether the list is being used for access control, defining listen-on ports, or in a sortlist, and whether the element was negated. When used as an access control list, a non-negated match allows access and a negated match denies access. If there is no match, access is denied. The clauses allow-notify, allow-recursion, allow-recursion-on, allow-query, allow-query-on, allow-query-cache, allow-query-cache-on, allow-transfer, allow-update, allow-update-forwarding, and blackhole all use address match lists. Similarly, the listen-on option will cause the server to refuse queries on any of the machine's addresses which do not match the list. Order of insertion is significant. If more than one element in an ACL is found to match a given IP address or prefix, preference will be given to the one that came first in the ACL definition. Because of this first-match behavior, an element that defines a subset of another element in the list should come before the broader element, regardless of whether either is negated. For example, in 1.2.3/24; ! 1.2.3.13; the 1.2.3.13 element is completely useless because the algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24 element. Using ! 1.2.3.13; 1.2.3/24 fixes that problem by having 1.2.3.13 blocked by the negation, but all other 1.2.3.* hosts fall through. Comment Syntax The BIND 9 comment syntax allows for comments to appear anywhere that whitespace may appear in a BIND configuration file. To appeal to programmers of all kinds, they can be written in the C, C++, or shell/perl style. Syntax /* This is a BIND comment as in C */ // This is a BIND comment as in C++ # This is a BIND comment as in common UNIX shells and perl Definition and Usage Comments may appear anywhere that whitespace may appear in a BIND configuration file. C-style comments start with the two characters /* (slash, star) and end with */ (star, slash). Because they are completely delimited with these characters, they can be used to comment only a portion of a line or to span multiple lines. C-style comments cannot be nested. For example, the following is not valid because the entire comment ends with the first */: /* This is the start of a comment. This is still part of the comment. /* This is an incorrect attempt at nesting a comment. */ This is no longer in any comment. */ C++-style comments start with the two characters // (slash, slash) and continue to the end of the physical line. They cannot be continued across multiple physical lines; to have one logical comment span multiple lines, each line must use the // pair. For example: // This is the start of a comment. The next line // is a new comment, even though it is logically // part of the previous comment. Shell-style (or perl-style, if you prefer) comments start with the character # (number sign) and continue to the end of the physical line, as in C++ comments. For example: # This is the start of a comment. The next line # is a new comment, even though it is logically # part of the previous comment. You cannot use the semicolon (`;') character to start a comment such as you would in a zone file. The semicolon indicates the end of a configuration statement. Configuration File Grammar A BIND 9 configuration consists of statements and comments. Statements end with a semicolon. Statements and comments are the only elements that can appear without enclosing braces. Many statements contain a block of sub-statements, which are also terminated with a semicolon. The following statements are supported: acl defines a named IP address matching list, for access control and other uses. controls declares control channels to be used by the rndc utility. include includes a file. key specifies key information for use in authentication and authorization using TSIG. logging specifies what the server logs, and where the log messages are sent. lwres configures named to also act as a light-weight resolver daemon (lwresd). masters defines a named masters list for inclusion in stub and slave zone masters clauses. options controls global server configuration options and sets defaults for other statements. server sets certain configuration options on a per-server basis. statistics-channels declares communication channels to get access to named statistics. trusted-keys defines trusted DNSSEC keys. view defines a view. zone defines a zone. The logging and options statements may only occur once per configuration. <command>acl</command> Statement Grammar acl acl-name { address_match_list }; <command>acl</command> Statement Definition and Usage The acl statement assigns a symbolic name to an address match list. It gets its name from a primary use of address match lists: Access Control Lists (ACLs). Note that an address match list's name must be defined with acl before it can be used elsewhere; no forward references are allowed. The following ACLs are built-in: any Matches all hosts. none Matches no hosts. localhost Matches the IPv4 and IPv6 addresses of all network interfaces on the system. localnets Matches any host on an IPv4 or IPv6 network for which the system has an interface. Some systems do not provide a way to determine the prefix lengths of local IPv6 addresses. In such a case, localnets only matches the local IPv6 addresses, just like localhost. <command>controls</command> Statement Grammar controls { [ inet ( ip_addr | * ) [ port ip_port ] allow { address_match_list } keys { key_list }; ] [ inet ...; ] [ unix path perm number owner number group number keys { key_list }; ] [ unix ...; ] }; <command>controls</command> Statement Definition and Usage The controls statement declares control channels to be used by system administrators to control the operation of the name server. These control channels are used by the rndc utility to send commands to and retrieve non-DNS results from a name server. An inet control channel is a TCP socket listening at the specified ip_port on the specified ip_addr, which can be an IPv4 or IPv6 address. An ip_addr of * (asterisk) is interpreted as the IPv4 wildcard address; connections will be accepted on any of the system's IPv4 addresses. To listen on the IPv6 wildcard address, use an ip_addr of ::. If you will only use rndc on the local host, using the loopback address (127.0.0.1 or ::1) is recommended for maximum security. If no port is specified, port 953 is used. The asterisk "*" cannot be used for ip_port. The ability to issue commands over the control channel is restricted by the allow and keys clauses. Connections to the control channel are permitted based on the address_match_list. This is for simple IP address based filtering only; any key_id elements of the address_match_list are ignored. A unix control channel is a UNIX domain socket listening at the specified path in the file system. Access to the socket is specified by the perm, owner and group clauses. Note on some platforms (SunOS and Solaris) the permissions (perm) are applied to the parent directory as the permissions on the socket itself are ignored. The primary authorization mechanism of the command channel is the key_list, which contains a list of key_ids. Each key_id in the key_list is authorized to execute commands over the control channel. See in ) for information about configuring keys in rndc. If no controls statement is present, named will set up a default control channel listening on the loopback address 127.0.0.1 and its IPv6 counterpart ::1. In this case, and also when the controls statement is present but does not have a keys clause, named will attempt to load the command channel key from the file rndc.key in /etc (or whatever sysconfdir was specified as when BIND was built). To create a rndc.key file, run rndc-confgen -a. The rndc.key feature was created to ease the transition of systems from BIND 8, which did not have digital signatures on its command channel messages and thus did not have a keys clause. It makes it possible to use an existing BIND 8 configuration file in BIND 9 unchanged, and still have rndc work the same way ndc worked in BIND 8, simply by executing the command rndc-confgen -a after BIND 9 is installed. Since the rndc.key feature is only intended to allow the backward-compatible usage of BIND 8 configuration files, this feature does not have a high degree of configurability. You cannot easily change the key name or the size of the secret, so you should make a rndc.conf with your own key if you wish to change those things. The rndc.key file also has its permissions set such that only the owner of the file (the user that named is running as) can access it. If you desire greater flexibility in allowing other users to access rndc commands, then you need to create a rndc.conf file and make it group readable by a group that contains the users who should have access. To disable the command channel, use an empty controls statement: controls { };. <command>include</command> Statement Grammar include filename; <command>include</command> Statement Definition and Usage The include statement inserts the specified file at the point where the include statement is encountered. The include statement facilitates the administration of configuration files by permitting the reading or writing of some things but not others. For example, the statement could include private keys that are readable only by the name server. <command>key</command> Statement Grammar key key_id { algorithm string; secret string; }; <command>key</command> Statement Definition and Usage The key statement defines a shared secret key for use with TSIG (see ) or the command channel (see ). The key statement can occur at the top level of the configuration file or inside a view statement. Keys defined in top-level key statements can be used in all views. Keys intended for use in a controls statement (see ) must be defined at the top level. The key_id, also known as the key name, is a domain name uniquely identifying the key. It can be used in a server statement to cause requests sent to that server to be signed with this key, or in address match lists to verify that incoming requests have been signed with a key matching this name, algorithm, and secret. The algorithm_id is a string that specifies a security/authentication algorithm. Named supports hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 and hmac-sha512 TSIG authentication. Truncated hashes are supported by appending the minimum number of required bits preceded by a dash, e.g. hmac-sha1-80. The secret_string is the secret to be used by the algorithm, and is treated as a base-64 encoded string. <command>logging</command> Statement Grammar logging { [ channel channel_name { ( file path_name [ versions ( number | unlimited ) ] [ size size spec ] | syslog syslog_facility | stderr | null ); [ severity ( | | | | | [ level ] | ); ] [ print-category or ; ] [ print-severity or ; ] [ print-time or ; ] }; ] [ category category_name { channel_name ; [ channel_name ; ... ] }; ] ... }; <command>logging</command> Statement Definition and Usage The logging statement configures a wide variety of logging options for the name server. Its channel phrase associates output methods, format options and severity levels with a name that can then be used with the category phrase to select how various classes of messages are logged. Only one logging statement is used to define as many channels and categories as are wanted. If there is no logging statement, the logging configuration will be: logging { category default { default_syslog; default_debug; }; category unmatched { null; }; }; In BIND 9, the logging configuration is only established when the entire configuration file has been parsed. In BIND 8, it was established as soon as the logging statement was parsed. When the server is starting up, all logging messages regarding syntax errors in the configuration file go to the default channels, or to standard error if the "" option was specified. The <command>channel</command> Phrase All log output goes to one or more channels; you can make as many of them as you want. Every channel definition must include a destination clause that says whether messages selected for the channel go to a file, to a particular syslog facility, to the standard error stream, or are discarded. It can optionally also limit the message severity level that will be accepted by the channel (the default is info), and whether to include a named-generated time stamp, the category name and/or severity level (the default is not to include any). The null destination clause causes all messages sent to the channel to be discarded; in that case, other options for the channel are meaningless. The file destination clause directs the channel to a disk file. It can include limitations both on how large the file is allowed to become, and how many versions of the file will be saved each time the file is opened. If you use the versions log file option, then named will retain that many backup versions of the file by renaming them when opening. For example, if you choose to keep three old versions of the file lamers.log, then just before it is opened lamers.log.1 is renamed to lamers.log.2, lamers.log.0 is renamed to lamers.log.1, and lamers.log is renamed to lamers.log.0. You can say versions unlimited to not limit the number of versions. If a size option is associated with the log file, then renaming is only done when the file being opened exceeds the indicated size. No backup versions are kept by default; any existing log file is simply appended. The size option for files is used to limit log growth. If the file ever exceeds the size, then named will stop writing to the file unless it has a versions option associated with it. If backup versions are kept, the files are rolled as described above and a new one begun. If there is no versions option, no more data will be written to the log until some out-of-band mechanism removes or truncates the log to less than the maximum size. The default behavior is not to limit the size of the file. Example usage of the size and versions options: channel an_example_channel { file "example.log" versions 3 size 20m; print-time yes; print-category yes; }; The syslog destination clause directs the channel to the system log. Its argument is a syslog facility as described in the syslog man page. Known facilities are kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, authpriv, ftp, local0, local1, local2, local3, local4, local5, local6 and local7, however not all facilities are supported on all operating systems. How syslog will handle messages sent to this facility is described in the syslog.conf man page. If you have a system which uses a very old version of syslog that only uses two arguments to the openlog() function, then this clause is silently ignored. The severity clause works like syslog's "priorities", except that they can also be used if you are writing straight to a file rather than using syslog. Messages which are not at least of the severity level given will not be selected for the channel; messages of higher severity levels will be accepted. If you are using syslog, then the syslog.conf priorities will also determine what eventually passes through. For example, defining a channel facility and severity as daemon and debug but only logging daemon.warning via syslog.conf will cause messages of severity info and notice to be dropped. If the situation were reversed, with named writing messages of only warning or higher, then syslogd would print all messages it received from the channel. The stderr destination clause directs the channel to the server's standard error stream. This is intended for use when the server is running as a foreground process, for example when debugging a configuration. The server can supply extensive debugging information when it is in debugging mode. If the server's global debug level is greater than zero, then debugging mode will be active. The global debug level is set either by starting the named server with the flag followed by a positive integer, or by running rndc trace. The global debug level can be set to zero, and debugging mode turned off, by running rndc notrace. All debugging messages in the server have a debug level, and higher debug levels give more detailed output. Channels that specify a specific debug severity, for example: channel specific_debug_level { file "foo"; severity debug 3; }; will get debugging output of level 3 or less any time the server is in debugging mode, regardless of the global debugging level. Channels with dynamic severity use the server's global debug level to determine what messages to print. If print-time has been turned on, then the date and time will be logged. print-time may be specified for a syslog channel, but is usually pointless since syslog also logs the date and time. If print-category is requested, then the category of the message will be logged as well. Finally, if print-severity is on, then the severity level of the message will be logged. The print- options may be used in any combination, and will always be printed in the following order: time, category, severity. Here is an example where all three print- options are on: 28-Feb-2000 15:05:32.863 general: notice: running There are four predefined channels that are used for named's default logging as follows. How they are used is described in . channel default_syslog { syslog daemon; // send to syslog's daemon // facility severity info; // only send priority info // and higher }; channel default_debug { file "named.run"; // write to named.run in // the working directory // Note: stderr is used instead // of "named.run" // if the server is started // with the '-f' option. severity dynamic; // log at the server's // current debug level }; channel default_stderr { stderr; // writes to stderr severity info; // only send priority info // and higher }; channel null { null; // toss anything sent to // this channel }; The default_debug channel has the special property that it only produces output when the server's debug level is nonzero. It normally writes to a file called named.run in the server's working directory. For security reasons, when the "" command line option is used, the named.run file is created only after named has changed to the new UID, and any debug output generated while named is starting up and still running as root is discarded. If you need to capture this output, you must run the server with the "" option and redirect standard error to a file. Once a channel is defined, it cannot be redefined. Thus you cannot alter the built-in channels directly, but you can modify the default logging by pointing categories at channels you have defined. The <command>category</command> Phrase There are many categories, so you can send the logs you want to see wherever you want, without seeing logs you don't want. If you don't specify a list of channels for a category, then log messages in that category will be sent to the default category instead. If you don't specify a default category, the following "default default" is used: category default { default_syslog; default_debug; }; As an example, let's say you want to log security events to a file, but you also want keep the default logging behavior. You'd specify the following: channel my_security_channel { file "my_security_file"; severity info; }; category security { my_security_channel; default_syslog; default_debug; }; To discard all messages in a category, specify the null channel: category xfer-out { null; }; category notify { null; }; Following are the available categories and brief descriptions of the types of log information they contain. More categories may be added in future BIND releases. default The default category defines the logging options for those categories where no specific configuration has been defined. general The catch-all. Many things still aren't classified into categories, and they all end up here. database Messages relating to the databases used internally by the name server to store zone and cache data. security Approval and denial of requests. config Configuration file parsing and processing. resolver DNS resolution, such as the recursive lookups performed on behalf of clients by a caching name server. xfer-in Zone transfers the server is receiving. xfer-out Zone transfers the server is sending. notify The NOTIFY protocol. client Processing of client requests. unmatched Messages that named was unable to determine the class of or for which there was no matching view. A one line summary is also logged to the client category. This category is best sent to a file or stderr, by default it is sent to the null channel. network Network operations. update Dynamic updates. update-security Approval and denial of update requests. queries Specify where queries should be logged to. At startup, specifying the category queries will also enable query logging unless querylog option has been specified. The query log entry reports the client's IP address and port number, and the query name, class and type. It also reports whether the Recursion Desired flag was set (+ if set, - if not set), if the query was signed (S), EDNS was in use (E), if DO (DNSSEC Ok) was set (D), or if CD (Checking Disabled) was set (C). client 127.0.0.1#62536: query: www.example.com IN AAAA +SE client ::1#62537: query: www.example.net IN AAAA -SE query-errors Information about queries that resulted in some failure. dispatch Dispatching of incoming packets to the server modules where they are to be processed. dnssec DNSSEC and TSIG protocol processing. lame-servers Lame servers. These are misconfigurations in remote servers, discovered by BIND 9 when trying to query those servers during resolution. delegation-only Delegation only. Logs queries that have been forced to NXDOMAIN as the result of a delegation-only zone or a delegation-only in a hint or stub zone declaration. edns-disabled Log queries that have been forced to use plain DNS due to timeouts. This is often due to the remote servers not being RFC 1034 compliant (not always returning FORMERR or similar to EDNS queries and other extensions to the DNS when they are not understood). In other words, this is targeted at servers that fail to respond to DNS queries that they don't understand. Note: the log message can also be due to packet loss. Before reporting servers for non-RFC 1034 compliance they should be re-tested to determine the nature of the non-compliance. This testing should prevent or reduce the number of false-positive reports. Note: eventually named will have to stop treating such timeouts as due to RFC 1034 non compliance and start treating it as plain packet loss. Falsely classifying packet loss as due to RFC 1034 non compliance impacts on DNSSEC validation which requires EDNS for the DNSSEC records to be returned. The <command>query-errors</command> Category The query-errors category is specifically intended for debugging purposes: To identify why and how specific queries result in responses which indicate an error. Messages of this category are therefore only logged with debug levels. At the debug levels of 1 or higher, each response with the rcode of SERVFAIL is logged as follows: client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880 This means an error resulting in SERVFAIL was detected at line 3880 of source file query.c. Log messages of this level will particularly help identify the cause of SERVFAIL for an authoritative server. At the debug levels of 2 or higher, detailed context information of recursive resolutions that resulted in SERVFAIL is logged. The log message will look like as follows: fetch completed at resolver.c:2970 for www.example.com/A in 30.000183: timed out/success [domain:example.com,referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,badresp:1,adberr:0,findfail:0,valfail:0] The first part before the colon shows that a recursive resolution for AAAA records of www.example.com completed in 30.000183 seconds and the final result that led to the SERVFAIL was determined at line 2970 of source file resolver.c. The following part shows the detected final result and the latest result of DNSSEC validation. The latter is always success when no validation attempt is made. In this example, this query resulted in SERVFAIL probably because all name servers are down or unreachable, leading to a timeout in 30 seconds. DNSSEC validation was probably not attempted. The last part enclosed in square brackets shows statistics information collected for this particular resolution attempt. The domain field shows the deepest zone that the resolver reached; it is the zone where the error was finally detected. The meaning of the other fields is summarized in the following table. referral The number of referrals the resolver received throughout the resolution process. In the above example this is 2, which are most likely com and example.com. restart The number of cycles that the resolver tried remote servers at the domain zone. In each cycle the resolver sends one query (possibly resending it, depending on the response) to each known name server of the domain zone. qrysent The number of queries the resolver sent at the domain zone. timeout The number of timeouts since the resolver received the last response. lame The number of lame servers the resolver detected at the domain zone. A server is detected to be lame either by an invalid response or as a result of lookup in BIND9's address database (ADB), where lame servers are cached. neterr The number of erroneous results that the resolver encountered in sending queries at the domain zone. One common case is the remote server is unreachable and the resolver receives an ICMP unreachable error message. badresp The number of unexpected responses (other than lame) to queries sent by the resolver at the domain zone. adberr Failures in finding remote server addresses of the domain zone in the ADB. One common case of this is that the remote server's name does not have any address records. findfail Failures of resolving remote server addresses. This is a total number of failures throughout the resolution process. valfail Failures of DNSSEC validation. Validation failures are counted throughout the resolution process (not limited to the domain zone), but should only happen in domain. At the debug levels of 3 or higher, the same messages as those at the debug 1 level are logged for other errors than SERVFAIL. Note that negative responses such as NXDOMAIN are not regarded as errors here. At the debug levels of 4 or higher, the same messages as those at the debug 2 level are logged for other errors than SERVFAIL. Unlike the above case of level 3, messages are logged for negative responses. This is because any unexpected results can be difficult to debug in the recursion case. <command>lwres</command> Statement Grammar This is the grammar of the lwres statement in the named.conf file: lwres { listen-on { ip_addr port ip_port ; ip_addr port ip_port ; ... }; view view_name; search { domain_name ; domain_name ; ... }; ndots number; }; <command>lwres</command> Statement Definition and Usage The lwres statement configures the name server to also act as a lightweight resolver server. (See .) There may be multiple lwres statements configuring lightweight resolver servers with different properties. The listen-on statement specifies a list of addresses (and ports) that this instance of a lightweight resolver daemon should accept requests on. If no port is specified, port 921 is used. If this statement is omitted, requests will be accepted on 127.0.0.1, port 921. The view statement binds this instance of a lightweight resolver daemon to a view in the DNS namespace, so that the response will be constructed in the same manner as a normal DNS query matching this view. If this statement is omitted, the default view is used, and if there is no default view, an error is triggered. The search statement is equivalent to the search statement in /etc/resolv.conf. It provides a list of domains which are appended to relative names in queries. The ndots statement is equivalent to the ndots statement in /etc/resolv.conf. It indicates the minimum number of dots in a relative domain name that should result in an exact match lookup before search path elements are appended. <command>masters</command> Statement Grammar masters name port ip_port { ( masters_list | ip_addr port ip_port key key ) ; ... }; <command>masters</command> Statement Definition and Usage masters lists allow for a common set of masters to be easily used by multiple stub and slave zones. <command>options</command> Statement Grammar This is the grammar of the options statement in the named.conf file: options { version version_string; hostname hostname_string; server-id server_id_string; directory path_name; key-directory path_name; named-xfer path_name; tkey-gssapi-credential principal; tkey-domain domainname; tkey-dhkey key_name key_tag; cache-file path_name; dump-file path_name; memstatistics yes_or_no; memstatistics-file path_name; pid-file path_name; recursing-file path_name; statistics-file path_name; zone-statistics yes_or_no; auth-nxdomain yes_or_no; deallocate-on-exit yes_or_no; dialup dialup_option; fake-iquery yes_or_no; fetch-glue yes_or_no; flush-zones-on-shutdown yes_or_no; has-old-clients yes_or_no; host-statistics yes_or_no; host-statistics-max number; minimal-responses yes_or_no; multiple-cnames yes_or_no; notify yes_or_no | explicit | master-only; recursion yes_or_no; rfc2308-type1 yes_or_no; use-id-pool yes_or_no; maintain-ixfr-base yes_or_no; ixfr-from-differences (yes_or_no | master | slave); dnssec-enable yes_or_no; dnssec-validation yes_or_no; dnssec-lookaside domain trust-anchor domain; dnssec-must-be-secure domain yes_or_no; dnssec-accept-expired yes_or_no; forward ( only | first ); forwarders { ip_addr port ip_port ; ... }; dual-stack-servers port ip_port { ( domain_name port ip_port | ip_addr port ip_port ) ; ... }; check-names ( master | slave | response ) ( warn | fail | ignore ); check-mx ( warn | fail | ignore ); check-wildcard yes_or_no; check-integrity yes_or_no; check-mx-cname ( warn | fail | ignore ); check-srv-cname ( warn | fail | ignore ); check-sibling yes_or_no; allow-notify { address_match_list }; allow-query { address_match_list }; allow-query-on { address_match_list }; allow-query-cache { address_match_list }; allow-query-cache-on { address_match_list }; allow-transfer { address_match_list }; allow-recursion { address_match_list }; allow-recursion-on { address_match_list }; allow-update { address_match_list }; allow-update-forwarding { address_match_list }; update-check-ksk yes_or_no; try-tcp-refresh yes_or_no; allow-v6-synthesis { address_match_list }; blackhole { address_match_list }; use-v4-udp-ports { port_list }; avoid-v4-udp-ports { port_list }; use-v6-udp-ports { port_list }; avoid-v6-udp-ports { port_list }; listen-on port ip_port { address_match_list }; listen-on-v6 port ip_port { address_match_list }; query-source ( ( ip4_addr | * ) port ( ip_port | * ) | address ( ip4_addr | * ) port ( ip_port | * ) ) ; query-source-v6 ( ( ip6_addr | * ) port ( ip_port | * ) | address ( ip6_addr | * ) port ( ip_port | * ) ) ; use-queryport-pool yes_or_no; queryport-pool-ports number; queryport-pool-updateinterval number; max-transfer-time-in number; max-transfer-time-out number; max-transfer-idle-in number; max-transfer-idle-out number; tcp-clients number; reserved-sockets number; recursive-clients number; serial-query-rate number; serial-queries number; tcp-listen-queue number; transfer-format ( one-answer | many-answers ); transfers-in number; transfers-out number; transfers-per-ns number; transfer-source (ip4_addr | *) port ip_port ; transfer-source-v6 (ip6_addr | *) port ip_port ; alt-transfer-source (ip4_addr | *) port ip_port ; alt-transfer-source-v6 (ip6_addr | *) port ip_port ; use-alt-transfer-source yes_or_no; notify-delay seconds ; notify-source (ip4_addr | *) port ip_port ; notify-source-v6 (ip6_addr | *) port ip_port ; notify-to-soa yes_or_no ; also-notify { ip_addr port ip_port ; ip_addr port ip_port ; ... }; max-ixfr-log-size number; max-journal-size size_spec; coresize size_spec ; datasize size_spec ; files size_spec ; stacksize size_spec ; cleaning-interval number; heartbeat-interval number; interface-interval number; statistics-interval number; topology { address_match_list }; sortlist { address_match_list }; rrset-order { order_spec ; order_spec ; ... }; lame-ttl number; max-ncache-ttl number; max-cache-ttl number; sig-validity-interval number number ; sig-signing-nodes number ; sig-signing-signatures number ; sig-signing-type number ; min-roots number; use-ixfr yes_or_no ; provide-ixfr yes_or_no; request-ixfr yes_or_no; treat-cr-as-space yes_or_no ; min-refresh-time number ; max-refresh-time number ; min-retry-time number ; max-retry-time number ; port ip_port; additional-from-auth yes_or_no ; additional-from-cache yes_or_no ; random-device path_name ; max-cache-size size_spec ; match-mapped-addresses yes_or_no; preferred-glue ( A | AAAA | NONE ); edns-udp-size number; max-udp-size number; root-delegation-only exclude { namelist } ; querylog yes_or_no ; disable-algorithms domain { algorithm; algorithm; }; acache-enable yes_or_no ; acache-cleaning-interval number; max-acache-size size_spec ; clients-per-query number ; max-clients-per-query number ; masterfile-format (text|raw) ; empty-server name ; empty-contact name ; empty-zones-enable yes_or_no ; disable-empty-zone zone_name ; zero-no-soa-ttl yes_or_no ; zero-no-soa-ttl-cache yes_or_no ; }; <command>options</command> Statement Definition and Usage The options statement sets up global options to be used by BIND. This statement may appear only once in a configuration file. If there is no options statement, an options block with each option set to its default will be used. directory The working directory of the server. Any non-absolute pathnames in the configuration file will be taken as relative to this directory. The default location for most server output files (e.g. named.run) is this directory. If a directory is not specified, the working directory defaults to `.', the directory from which the server was started. The directory specified should be an absolute path. key-directory When performing dynamic update of secure zones, the directory where the public and private DNSSEC key files should be found, if different than the current working directory. The directory specified must be an absolute path. (Note that this option has no effect on the paths for files containing non-DNSSEC keys such as the rndc.key. named-xfer This option is obsolete. It was used in BIND 8 to specify the pathname to the named-xfer program. In BIND 9, no separate named-xfer program is needed; its functionality is built into the name server. tkey-gssapi-credential The security credential with which the server should authenticate keys requested by the GSS-TSIG protocol. Currently only Kerberos 5 authentication is available and the credential is a Kerberos principal which the server can acquire through the default system key file, normally /etc/krb5.keytab. Normally this principal is of the form "dns/server.domain". To use GSS-TSIG, tkey-domain must also be set. tkey-domain The domain appended to the names of all shared keys generated with TKEY. When a client requests a TKEY exchange, it may or may not specify the desired name for the key. If present, the name of the shared key will be client specified part + tkey-domain. Otherwise, the name of the shared key will be random hex digits + tkey-domain. In most cases, the domainname should be the server's domain name, or an otherwise non-existent subdomain like "_tkey.domainname". If you are using GSS-TSIG, this variable must be defined. tkey-dhkey The Diffie-Hellman key used by the server to generate shared keys with clients using the Diffie-Hellman mode of TKEY. The server must be able to load the public and private keys from files in the working directory. In most cases, the keyname should be the server's host name. cache-file This is for testing only. Do not use. dump-file The pathname of the file the server dumps the database to when instructed to do so with rndc dumpdb. If not specified, the default is named_dump.db. memstatistics-file The pathname of the file the server writes memory usage statistics to on exit. If not specified, the default is named.memstats. pid-file The pathname of the file the server writes its process ID in. If not specified, the default is /var/run/named/named.pid. The PID file is used by programs that want to send signals to the running name server. Specifying pid-file none disables the use of a PID file — no file will be written and any existing one will be removed. Note that none is a keyword, not a filename, and therefore is not enclosed in double quotes. recursing-file The pathname of the file the server dumps the queries that are currently recursing when instructed to do so with rndc recursing. If not specified, the default is named.recursing. statistics-file The pathname of the file the server appends statistics to when instructed to do so using rndc stats. If not specified, the default is named.stats in the server's current directory. The format of the file is described in . port The UDP/TCP port number the server uses for receiving and sending DNS protocol traffic. The default is 53. This option is mainly intended for server testing; a server using a port other than 53 will not be able to communicate with the global DNS. random-device The source of entropy to be used by the server. Entropy is primarily needed for DNSSEC operations, such as TKEY transactions and dynamic update of signed zones. This options specifies the device (or file) from which to read entropy. If this is a file, operations requiring entropy will fail when the file has been exhausted. If not specified, the default value is /dev/random (or equivalent) when present, and none otherwise. The random-device option takes effect during the initial configuration load at server startup time and is ignored on subsequent reloads. preferred-glue If specified, the listed type (A or AAAA) will be emitted before other glue in the additional section of a query response. The default is not to prefer any type (NONE). root-delegation-only Turn on enforcement of delegation-only in TLDs (top level domains) and root zones with an optional exclude list. DS queries are expected to be made to and be answered by delegation only zones. Such queries and responses are treated as a exception to delegation-only processing and are not converted to NXDOMAIN responses provided a CNAME is not discovered at the query name. If a delegation only zone server also serves a child zone it is not always possible to determine whether a answer comes from the delegation only zone or the child zone. SOA NS and DNSKEY records are apex only records and a matching response that contains these records or DS is treated as coming from a child zone. RRSIG records are also examined to see if they are signed by a child zone or not. The authority section is also examined to see if there is evidence that the answer is from the child zone. Answers that are determined to be from a child zone are not converted to NXDOMAIN responses. Despite all these checks there is still a possibility of false negatives when a child zone is being served. Similarly false positives can arise from empty nodes (no records at the name) in the delegation only zone when the query type is not ANY. Note some TLDs are not delegation only (e.g. "DE", "LV", "US" and "MUSEUM"). This list is not exhaustive. options { root-delegation-only exclude { "de"; "lv"; "us"; "museum"; }; }; disable-algorithms Disable the specified DNSSEC algorithms at and below the specified name. Multiple disable-algorithms statements are allowed. Only the most specific will be applied. dnssec-lookaside When set, dnssec-lookaside provides the validator with an alternate method to validate DNSKEY records at the top of a zone. When a DNSKEY is at or below a domain specified by the deepest dnssec-lookaside, and the normal DNSSEC validation has left the key untrusted, the trust-anchor will be append to the key name and a DLV record will be looked up to see if it can validate the key. If the DLV record validates a DNSKEY (similarly to the way a DS record does) the DNSKEY RRset is deemed to be trusted. dnssec-must-be-secure Specify hierarchies which must be or may not be secure (signed and validated). If yes, then named will only accept answers if they are secure. If no, then normal DNSSEC validation applies allowing for insecure answers to be accepted. The specified domain must be under a trusted-key or dnssec-lookaside must be active. Boolean Options auth-nxdomain If yes, then the AA bit is always set on NXDOMAIN responses, even if the server is not actually authoritative. The default is no; this is a change from BIND 8. If you are using very old DNS software, you may need to set it to yes. deallocate-on-exit This option was used in BIND 8 to enable checking for memory leaks on exit. BIND 9 ignores the option and always performs the checks. memstatistics Write memory statistics to the file specified by memstatistics-file at exit. The default is no unless '-m record' is specified on the command line in which case it is yes. dialup If yes, then the server treats all zones as if they are doing zone transfers across a dial-on-demand dialup link, which can be brought up by traffic originating from this server. This has different effects according to zone type and concentrates the zone maintenance so that it all happens in a short interval, once every heartbeat-interval and hopefully during the one call. It also suppresses some of the normal zone maintenance traffic. The default is no. The dialup option may also be specified in the view and zone statements, in which case it overrides the global dialup option. If the zone is a master zone, then the server will send out a NOTIFY request to all the slaves (default). This should trigger the zone serial number check in the slave (providing it supports NOTIFY) allowing the slave to verify the zone while the connection is active. The set of servers to which NOTIFY is sent can be controlled by notify and also-notify. If the zone is a slave or stub zone, then the server will suppress the regular "zone up to date" (refresh) queries and only perform them when the heartbeat-interval expires in addition to sending NOTIFY requests. Finer control can be achieved by using notify which only sends NOTIFY messages, notify-passive which sends NOTIFY messages and suppresses the normal refresh queries, refresh which suppresses normal refresh processing and sends refresh queries when the heartbeat-interval expires, and passive which just disables normal refresh processing. dialup mode normal refresh heart-beat refresh heart-beat notify no (default) yes no no yes no yes yes notify yes no yes refresh no yes no passive no no no notify-passive no no yes Note that normal NOTIFY processing is not affected by dialup. fake-iquery In BIND 8, this option enabled simulating the obsolete DNS query type IQUERY. BIND 9 never does IQUERY simulation. fetch-glue This option is obsolete. In BIND 8, fetch-glue yes caused the server to attempt to fetch glue resource records it didn't have when constructing the additional data section of a response. This is now considered a bad idea and BIND 9 never does it. flush-zones-on-shutdown When the nameserver exits due receiving SIGTERM, flush or do not flush any pending zone writes. The default is flush-zones-on-shutdown no. has-old-clients This option was incorrectly implemented in BIND 8, and is ignored by BIND 9. To achieve the intended effect of has-old-clients yes, specify the two separate options auth-nxdomain yes and rfc2308-type1 no instead. host-statistics In BIND 8, this enables keeping of statistics for every host that the name server interacts with. Not implemented in BIND 9. maintain-ixfr-base This option is obsolete. It was used in BIND 8 to determine whether a transaction log was kept for Incremental Zone Transfer. BIND 9 maintains a transaction log whenever possible. If you need to disable outgoing incremental zone transfers, use provide-ixfr no. minimal-responses If yes, then when generating responses the server will only add records to the authority and additional data sections when they are required (e.g. delegations, negative responses). This may improve the performance of the server. The default is no. multiple-cnames This option was used in BIND 8 to allow a domain name to have multiple CNAME records in violation of the DNS standards. BIND 9.2 onwards always strictly enforces the CNAME rules both in master files and dynamic updates. notify If yes (the default), DNS NOTIFY messages are sent when a zone the server is authoritative for changes, see . The messages are sent to the servers listed in the zone's NS records (except the master server identified in the SOA MNAME field), and to any servers listed in the also-notify option. If master-only, notifies are only sent for master zones. If explicit, notifies are sent only to servers explicitly listed using also-notify. If no, no notifies are sent. The notify option may also be specified in the zone statement, in which case it overrides the options notify statement. It would only be necessary to turn off this option if it caused slaves to crash. notify-to-soa If yes do not check the nameservers in the NS RRset against the SOA MNAME. Normally a NOTIFY message is not sent to the SOA MNAME (SOA ORIGIN) as it is supposed to contain the name of the ultimate master. Sometimes, however, a slave is listed as the SOA MNAME in hidden master configurations and in that case you would want the ultimate master to still send NOTIFY messages to all the nameservers listed in the NS RRset. recursion If yes, and a DNS query requests recursion, then the server will attempt to do all the work required to answer the query. If recursion is off and the server does not already know the answer, it will return a referral response. The default is yes. Note that setting recursion no does not prevent clients from getting data from the server's cache; it only prevents new data from being cached as an effect of client queries. Caching may still occur as an effect the server's internal operation, such as NOTIFY address lookups. See also fetch-glue above. rfc2308-type1 Setting this to yes will cause the server to send NS records along with the SOA record for negative answers. The default is no. Not yet implemented in BIND 9. use-id-pool This option is obsolete. BIND 9 always allocates query IDs from a pool. zone-statistics If yes, the server will collect statistical data on all zones (unless specifically turned off on a per-zone basis by specifying zone-statistics no in the zone statement). These statistics may be accessed using rndc stats, which will dump them to the file listed in the statistics-file. See also . use-ixfr This option is obsolete. If you need to disable IXFR to a particular server or servers, see the information on the provide-ixfr option in . See also . provide-ixfr See the description of provide-ixfr in . request-ixfr See the description of request-ixfr in . treat-cr-as-space This option was used in BIND 8 to make the server treat carriage return ("\r") characters the same way as a space or tab character, to facilitate loading of zone files on a UNIX system that were generated on an NT or DOS machine. In BIND 9, both UNIX "\n" and NT/DOS "\r\n" newlines are always accepted, and the option is ignored. additional-from-auth additional-from-cache These options control the behavior of an authoritative server when answering queries which have additional data, or when following CNAME and DNAME chains. When both of these options are set to yes (the default) and a query is being answered from authoritative data (a zone configured into the server), the additional data section of the reply will be filled in using data from other authoritative zones and from the cache. In some situations this is undesirable, such as when there is concern over the correctness of the cache, or in servers where slave zones may be added and modified by untrusted third parties. Also, avoiding the search for this additional data will speed up server operations at the possible expense of additional queries to resolve what would otherwise be provided in the additional section. For example, if a query asks for an MX record for host foo.example.com, and the record found is "MX 10 mail.example.net", normally the address records (A and AAAA) for mail.example.net will be provided as well, if known, even though they are not in the example.com zone. Setting these options to no disables this behavior and makes the server only search for additional data in the zone it answers from. These options are intended for use in authoritative-only servers, or in authoritative-only views. Attempts to set them to no without also specifying recursion no will cause the server to ignore the options and log a warning message. Specifying additional-from-cache no actually disables the use of the cache not only for additional data lookups but also when looking up the answer. This is usually the desired behavior in an authoritative-only server where the correctness of the cached data is an issue. When a name server is non-recursively queried for a name that is not below the apex of any served zone, it normally answers with an "upwards referral" to the root servers or the servers of some other known parent of the query name. Since the data in an upwards referral comes from the cache, the server will not be able to provide upwards referrals when additional-from-cache no has been specified. Instead, it will respond to such queries with REFUSED. This should not cause any problems since upwards referrals are not required for the resolution process. match-mapped-addresses If yes, then an IPv4-mapped IPv6 address will match any address match list entries that match the corresponding IPv4 address. This option was introduced to work around a kernel quirk in some operating systems that causes IPv4 TCP connections, such as zone transfers, to be accepted on an IPv6 socket using mapped addresses. This caused address match lists designed for IPv4 to fail to match. However, named now solves this problem internally. The use of this option is discouraged. ixfr-from-differences When yes and the server loads a new version of a master zone from its zone file or receives a new version of a slave file by a non-incremental zone transfer, it will compare the new version to the previous one and calculate a set of differences. The differences are then logged in the zone's journal file such that the changes can be transmitted to downstream slaves as an incremental zone transfer. By allowing incremental zone transfers to be used for non-dynamic zones, this option saves bandwidth at the expense of increased CPU and memory consumption at the master. In particular, if the new version of a zone is completely different from the previous one, the set of differences will be of a size comparable to the combined size of the old and new zone version, and the server will need to temporarily allocate memory to hold this complete difference set. ixfr-from-differences also accepts master and slave at the view and options levels which causes ixfr-from-differences to be enabled for all master or slave zones respectively. It is off by default. multi-master This should be set when you have multiple masters for a zone and the addresses refer to different machines. If yes, named will not log when the serial number on the master is less than what named currently has. The default is no. dnssec-enable Enable DNSSEC support in named. Unless set to yes, named behaves as if it does not support DNSSEC. The default is yes. dnssec-validation Enable DNSSEC validation in named. Note dnssec-enable also needs to be set to yes to be effective. The default is yes. dnssec-accept-expired Accept expired signatures when verifying DNSSEC signatures. The default is no. Setting this option to "yes" leaves named vulnerable to replay attacks. querylog Specify whether query logging should be started when named starts. If querylog is not specified, then the query logging is determined by the presence of the logging category queries. check-names This option is used to restrict the character set and syntax of certain domain names in master files and/or DNS responses received from the network. The default varies according to usage area. For master zones the default is fail. For slave zones the default is warn. For answers received from the network (response) the default is ignore. The rules for legal hostnames and mail domains are derived from RFC 952 and RFC 821 as modified by RFC 1123. check-names applies to the owner names of A, AAAA and MX records. It also applies to the domain names in the RDATA of NS, SOA, MX, and SRV records. It also applies to the RDATA of PTR records where the owner name indicated that it is a reverse lookup of a hostname (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT). check-mx Check whether the MX record appears to refer to a IP address. The default is to warn. Other possible values are fail and ignore. check-wildcard This option is used to check for non-terminal wildcards. The use of non-terminal wildcards is almost always as a result of a failure to understand the wildcard matching algorithm (RFC 1034). This option affects master zones. The default (yes) is to check for non-terminal wildcards and issue a warning. check-integrity Perform post load zone integrity checks on master zones. This checks that MX and SRV records refer to address (A or AAAA) records and that glue address records exist for delegated zones. For MX and SRV records only in-zone hostnames are checked (for out-of-zone hostnames use named-checkzone). For NS records only names below top of zone are checked (for out-of-zone names and glue consistency checks use named-checkzone). The default is yes. check-mx-cname If check-integrity is set then fail, warn or ignore MX records that refer to CNAMES. The default is to warn. check-srv-cname If check-integrity is set then fail, warn or ignore SRV records that refer to CNAMES. The default is to warn. check-sibling When performing integrity checks, also check that sibling glue exists. The default is yes. zero-no-soa-ttl When returning authoritative negative responses to SOA queries set the TTL of the SOA record returned in the authority section to zero. The default is yes. zero-no-soa-ttl-cache When caching a negative response to a SOA query set the TTL to zero. The default is no. update-check-ksk When regenerating the RRSIGs following a UPDATE request to a secure zone, check the KSK flag on the DNSKEY RR to determine if this key should be used to generate the RRSIG. This flag is ignored if there are not DNSKEY RRs both with and without a KSK. The default is yes. try-tcp-refresh Try to refresh the zone using TCP if UDP queries fail. For BIND 8 compatibility, the default is yes. Forwarding The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external name servers. It can also be used to allow queries by servers that do not have direct access to the Internet, but wish to look up exterior names anyway. Forwarding occurs only on those queries for which the server is not authoritative and does not have the answer in its cache. forward This option is only meaningful if the forwarders list is not empty. A value of first, the default, causes the server to query the forwarders first — and if that doesn't answer the question, the server will then look for the answer itself. If only is specified, the server will only query the forwarders. forwarders Specifies the IP addresses to be used for forwarding. The default is the empty list (no forwarding). Forwarding can also be configured on a per-domain basis, allowing for the global forwarding options to be overridden in a variety of ways. You can set particular domains to use different forwarders, or have a different forward only/first behavior, or not forward at all, see . Dual-stack Servers Dual-stack servers are used as servers of last resort to work around problems in reachability due the lack of support for either IPv4 or IPv6 on the host machine. dual-stack-servers Specifies host names or addresses of machines with access to both IPv4 and IPv6 transports. If a hostname is used, the server must be able to resolve the name using only the transport it has. If the machine is dual stacked, then the dual-stack-servers have no effect unless access to a transport has been disabled on the command line (e.g. named -4). Access Control Access to the server can be restricted based on the IP address of the requesting system. See for details on how to specify IP address lists. allow-notify Specifies which hosts are allowed to notify this server, a slave, of zone changes in addition to the zone masters. allow-notify may also be specified in the zone statement, in which case it overrides the options allow-notify statement. It is only meaningful for a slave zone. If not specified, the default is to process notify messages only from a zone's master. allow-query Specifies which hosts are allowed to ask ordinary DNS questions. allow-query may also be specified in the zone statement, in which case it overrides the options allow-query statement. If not specified, the default is to allow queries from all hosts. allow-query-cache is now used to specify access to the cache. allow-query-on Specifies which local addresses can accept ordinary DNS questions. This makes it possible, for instance, to allow queries on internal-facing interfaces but disallow them on external-facing ones, without necessarily knowing the internal network's addresses. allow-query-on may also be specified in the zone statement, in which case it overrides the options allow-query-on statement. If not specified, the default is to allow queries on all addresses. allow-query-cache is used to specify access to the cache. allow-query-cache Specifies which hosts are allowed to get answers from the cache. If allow-query-cache is not set then allow-recursion is used if set, otherwise allow-query is used if set unless recursion no; is set in which case none; is used, otherwise the default (localnets; localhost;) is used. allow-query-cache-on Specifies which local addresses can give answers from the cache. If not specified, the default is to allow cache queries on any address, localnets and localhost. allow-recursion Specifies which hosts are allowed to make recursive queries through this server. If allow-recursion is not set then allow-query-cache is used if set, otherwise allow-query is used if set, otherwise the default (localnets; localhost;) is used. allow-recursion-on Specifies which local addresses can accept recursive queries. If not specified, the default is to allow recursive queries on all addresses. allow-update Specifies which hosts are allowed to submit Dynamic DNS updates for master zones. The default is to deny updates from all hosts. Note that allowing updates based on the requestor's IP address is insecure; see for details. allow-update-forwarding Specifies which hosts are allowed to submit Dynamic DNS updates to slave zones to be forwarded to the master. The default is { none; }, which means that no update forwarding will be performed. To enable update forwarding, specify allow-update-forwarding { any; };. Specifying values other than { none; } or { any; } is usually counterproductive, since the responsibility for update access control should rest with the master server, not the slaves. Note that enabling the update forwarding feature on a slave server may expose master servers relying on insecure IP address based access control to attacks; see for more details. allow-v6-synthesis This option was introduced for the smooth transition from AAAA to A6 and from "nibble labels" to binary labels. However, since both A6 and binary labels were then deprecated, this option was also deprecated. It is now ignored with some warning messages. allow-transfer Specifies which hosts are allowed to receive zone transfers from the server. allow-transfer may also be specified in the zone statement, in which case it overrides the options allow-transfer statement. If not specified, the default is to allow transfers to all hosts. blackhole Specifies a list of addresses that the server will not accept queries from or use to resolve a query. Queries from these addresses will not be responded to. The default is none. Interfaces The interfaces and ports that the server will answer queries from may be specified using the listen-on option. listen-on takes an optional port and an address_match_list. The server will listen on all interfaces allowed by the address match list. If a port is not specified, port 53 will be used. Multiple listen-on statements are allowed. For example, listen-on { 5.6.7.8; }; listen-on port 1234 { !1.2.3.4; 1.2/16; }; will enable the name server on port 53 for the IP address 5.6.7.8, and on port 1234 of an address on the machine in net 1.2 that is not 1.2.3.4. If no listen-on is specified, the server will listen on port 53 on all IPv4 interfaces. The listen-on-v6 option is used to specify the interfaces and the ports on which the server will listen for incoming queries sent using IPv6. When { any; } is specified as the address_match_list for the listen-on-v6 option, the server does not bind a separate socket to each IPv6 interface address as it does for IPv4 if the operating system has enough API support for IPv6 (specifically if it conforms to RFC 3493 and RFC 3542). Instead, it listens on the IPv6 wildcard address. If the system only has incomplete API support for IPv6, however, the behavior is the same as that for IPv4. A list of particular IPv6 addresses can also be specified, in which case the server listens on a separate socket for each specified address, regardless of whether the desired API is supported by the system. Multiple listen-on-v6 options can be used. For example, listen-on-v6 { any; }; listen-on-v6 port 1234 { !2001:db8::/32; any; }; will enable the name server on port 53 for any IPv6 addresses (with a single wildcard socket), and on port 1234 of IPv6 addresses that is not in the prefix 2001:db8::/32 (with separate sockets for each matched address.) To make the server not listen on any IPv6 address, use listen-on-v6 { none; }; If no listen-on-v6 option is specified, the server will not listen on any IPv6 address unless -6 is specified when named is invoked. If -6 is specified then named will listen on port 53 on all IPv6 interfaces by default. Query Address If the server doesn't know the answer to a question, it will query other name servers. query-source specifies the address and port used for such queries. For queries sent over IPv6, there is a separate query-source-v6 option. If address is * (asterisk) or is omitted, a wildcard IP address (INADDR_ANY) will be used. If port is * or is omitted, a random port number from a pre-configured range is picked up and will be used for each query. The port range(s) is that specified in the use-v4-udp-ports (for IPv4) and use-v6-udp-ports (for IPv6) options, excluding the ranges specified in the avoid-v4-udp-ports and avoid-v6-udp-ports options, respectively. The defaults of the query-source and query-source-v6 options are: query-source address * port *; query-source-v6 address * port *; If use-v4-udp-ports or use-v6-udp-ports is unspecified, named will check if the operating system provides a programming interface to retrieve the system's default range for ephemeral ports. If such an interface is available, named will use the corresponding system default range; otherwise, it will use its own defaults: use-v4-udp-ports { range 1024 65535; }; use-v6-udp-ports { range 1024 65535; }; Note: make sure the ranges be sufficiently large for security. A desirable size depends on various parameters, but we generally recommend it contain at least 16384 ports (14 bits of entropy). Note also that the system's default range when used may be too small for this purpose, and that the range may even be changed while named is running; the new range will automatically be applied when named is reloaded. It is encouraged to configure use-v4-udp-ports and use-v6-udp-ports explicitly so that the ranges are sufficiently large and are reasonably independent from the ranges used by other applications. Note: the operational configuration where named runs may prohibit the use of some ports. For example, UNIX systems will not allow named running without a root privilege to use ports less than 1024. If such ports are included in the specified (or detected) set of query ports, the corresponding query attempts will fail, resulting in resolution failures or delay. It is therefore important to configure the set of ports that can be safely used in the expected operational environment. The defaults of the avoid-v4-udp-ports and avoid-v6-udp-ports options are: avoid-v4-udp-ports {}; avoid-v6-udp-ports {}; Note: BIND 9.5.0 introduced the use-queryport-pool option to support a pool of such random ports, but this option is now obsolete because reusing the same ports in the pool may not be sufficiently secure. For the same reason, it is generally strongly discouraged to specify a particular port for the query-source or query-source-v6 options; it implicitly disables the use of randomized port numbers. use-queryport-pool This option is obsolete. queryport-pool-ports This option is obsolete. queryport-pool-updateinterval This option is obsolete. The address specified in the query-source option is used for both UDP and TCP queries, but the port applies only to UDP queries. TCP queries always use a random unprivileged port. Solaris 2.5.1 and earlier does not support setting the source address for TCP sockets. See also transfer-source and notify-source. Zone Transfers BIND has mechanisms in place to facilitate zone transfers and set limits on the amount of load that transfers place on the system. The following options apply to zone transfers. also-notify Defines a global list of IP addresses of name servers that are also sent NOTIFY messages whenever a fresh copy of the zone is loaded, in addition to the servers listed in the zone's NS records. This helps to ensure that copies of the zones will quickly converge on stealth servers. Optionally, a port may be specified with each also-notify address to send the notify messages to a port other than the default of 53. If an also-notify list is given in a zone statement, it will override the options also-notify statement. When a zone notify statement is set to no, the IP addresses in the global also-notify list will not be sent NOTIFY messages for that zone. The default is the empty list (no global notification list). max-transfer-time-in Inbound zone transfers running longer than this many minutes will be terminated. The default is 120 minutes (2 hours). The maximum value is 28 days (40320 minutes). max-transfer-idle-in Inbound zone transfers making no progress in this many minutes will be terminated. The default is 60 minutes (1 hour). The maximum value is 28 days (40320 minutes). max-transfer-time-out Outbound zone transfers running longer than this many minutes will be terminated. The default is 120 minutes (2 hours). The maximum value is 28 days (40320 minutes). max-transfer-idle-out Outbound zone transfers making no progress in this many minutes will be terminated. The default is 60 minutes (1 hour). The maximum value is 28 days (40320 minutes). serial-query-rate Slave servers will periodically query master servers to find out if zone serial numbers have changed. Each such query uses a minute amount of the slave server's network bandwidth. To limit the amount of bandwidth used, BIND 9 limits the rate at which queries are sent. The value of the serial-query-rate option, an integer, is the maximum number of queries sent per second. The default is 20. serial-queries In BIND 8, the serial-queries option set the maximum number of concurrent serial number queries allowed to be outstanding at any given time. BIND 9 does not limit the number of outstanding serial queries and ignores the serial-queries option. Instead, it limits the rate at which the queries are sent as defined using the serial-query-rate option. transfer-format Zone transfers can be sent using two different formats, one-answer and many-answers. The transfer-format option is used on the master server to determine which format it sends. one-answer uses one DNS message per resource record transferred. many-answers packs as many resource records as possible into a message. many-answers is more efficient, but is only supported by relatively new slave servers, such as BIND 9, BIND 8.x and BIND 4.9.5 onwards. The many-answers format is also supported by recent Microsoft Windows nameservers. The default is many-answers. transfer-format may be overridden on a per-server basis by using the server statement. transfers-in The maximum number of inbound zone transfers that can be running concurrently. The default value is 10. Increasing transfers-in may speed up the convergence of slave zones, but it also may increase the load on the local system. transfers-out The maximum number of outbound zone transfers that can be running concurrently. Zone transfer requests in excess of the limit will be refused. The default value is 10. transfers-per-ns The maximum number of inbound zone transfers that can be concurrently transferring from a given remote name server. The default value is 2. Increasing transfers-per-ns may speed up the convergence of slave zones, but it also may increase the load on the remote name server. transfers-per-ns may be overridden on a per-server basis by using the transfers phrase of the server statement. transfer-source transfer-source determines which local address will be bound to IPv4 TCP connections used to fetch zones transferred inbound by the server. It also determines the source IPv4 address, and optionally the UDP port, used for the refresh queries and forwarded dynamic updates. If not set, it defaults to a system controlled value which will usually be the address of the interface "closest to" the remote end. This address must appear in the remote end's allow-transfer option for the zone being transferred, if one is specified. This statement sets the transfer-source for all zones, but can be overridden on a per-view or per-zone basis by including a transfer-source statement within the view or zone block in the configuration file. Solaris 2.5.1 and earlier does not support setting the source address for TCP sockets. transfer-source-v6 The same as transfer-source, except zone transfers are performed using IPv6. alt-transfer-source An alternate transfer source if the one listed in transfer-source fails and use-alt-transfer-source is set. If you do not wish the alternate transfer source to be used, you should set use-alt-transfer-source appropriately and you should not depend upon getting an answer back to the first refresh query. alt-transfer-source-v6 An alternate transfer source if the one listed in transfer-source-v6 fails and use-alt-transfer-source is set. use-alt-transfer-source Use the alternate transfer sources or not. If views are specified this defaults to no otherwise it defaults to yes (for BIND 8 compatibility). notify-source notify-source determines which local source address, and optionally UDP port, will be used to send NOTIFY messages. This address must appear in the slave server's masters zone clause or in an allow-notify clause. This statement sets the notify-source for all zones, but can be overridden on a per-zone or per-view basis by including a notify-source statement within the zone or view block in the configuration file. Solaris 2.5.1 and earlier does not support setting the source address for TCP sockets. notify-source-v6 Like notify-source, but applies to notify messages sent to IPv6 addresses. UDP Port Lists use-v4-udp-ports, avoid-v4-udp-ports, use-v6-udp-ports, and avoid-v6-udp-ports specify a list of IPv4 and IPv6 UDP ports that will be used or not used as source ports for UDP messages. See about how the available ports are determined. For example, with the following configuration use-v6-udp-ports { range 32768 65535; }; avoid-v6-udp-ports { 40000; range 50000 60000; }; UDP ports of IPv6 messages sent from named will be in one of the following ranges: 32768 to 39999, 40001 to 49999, and 60001 to 65535. avoid-v4-udp-ports and avoid-v6-udp-ports can be used to prevent named from choosing as its random source port a port that is blocked by your firewall or a port that is used by other applications; if a query went out with a source port blocked by a firewall, the answer would not get by the firewall and the name server would have to query again. Note: the desired range can also be represented only with use-v4-udp-ports and use-v6-udp-ports, and the avoid- options are redundant in that sense; they are provided for backward compatibility and to possibly simplify the port specification. Operating System Resource Limits The server's usage of many system resources can be limited. Scaled values are allowed when specifying resource limits. For example, 1G can be used instead of 1073741824 to specify a limit of one gigabyte. unlimited requests unlimited use, or the maximum available amount. default uses the limit that was in force when the server was started. See the description of size_spec in . The following options set operating system resource limits for the name server process. Some operating systems don't support some or any of the limits. On such systems, a warning will be issued if the unsupported limit is used. coresize The maximum size of a core dump. The default is default. datasize The maximum amount of data memory the server may use. The default is default. This is a hard limit on server memory usage. If the server attempts to allocate memory in excess of this limit, the allocation will fail, which may in turn leave the server unable to perform DNS service. Therefore, this option is rarely useful as a way of limiting the amount of memory used by the server, but it can be used to raise an operating system data size limit that is too small by default. If you wish to limit the amount of memory used by the server, use the max-cache-size and recursive-clients options instead. files The maximum number of files the server may have open concurrently. The default is unlimited. stacksize The maximum amount of stack memory the server may use. The default is default. Server Resource Limits The following options set limits on the server's resource consumption that are enforced internally by the server rather than the operating system. max-ixfr-log-size This option is obsolete; it is accepted and ignored for BIND 8 compatibility. The option max-journal-size performs a similar function in BIND 9. max-journal-size Sets a maximum size for each journal file (see ). When the journal file approaches the specified size, some of the oldest transactions in the journal will be automatically removed. The default is unlimited. This may also be set on a per-zone basis. host-statistics-max In BIND 8, specifies the maximum number of host statistics entries to be kept. Not implemented in BIND 9. recursive-clients The maximum number of simultaneous recursive lookups the server will perform on behalf of clients. The default is 1000. Because each recursing client uses a fair bit of memory, on the order of 20 kilobytes, the value of the recursive-clients option may have to be decreased on hosts with limited memory. tcp-clients The maximum number of simultaneous client TCP connections that the server will accept. The default is 100. reserved-sockets The number of file descriptors reserved for TCP, stdio, etc. This needs to be big enough to cover the number of interfaces named listens on, tcp-clients as well as to provide room for outgoing TCP queries and incoming zone transfers. The default is 512. The minimum value is 128 and the maximum value is 128 less than maxsockets (-S). This option may be removed in the future. This option has little effect on Windows. max-cache-size The maximum amount of memory to use for the server's cache, in bytes. When the amount of data in the cache reaches this limit, the server will cause records to expire prematurely based on an LRU based strategy so that the limit is not exceeded. A value of 0 is special, meaning that records are purged from the cache only when their TTLs expire. Another special keyword unlimited means the maximum value of 32-bit unsigned integers (0xffffffff), which may not have the same effect as 0 on machines that support more than 32 bits of memory space. Any positive values less than 2MB will be ignored reset to 2MB. In a server with multiple views, the limit applies separately to the cache of each view. The default is 0. tcp-listen-queue The listen queue depth. The default and minimum is 3. If the kernel supports the accept filter "dataready" this also controls how many TCP connections that will be queued in kernel space waiting for some data before being passed to accept. Values less than 3 will be silently raised. Periodic Task Intervals cleaning-interval This interval is effectively obsolete. Previously, the server would remove expired resource records from the cache every cleaning-interval minutes. BIND 9 now manages cache memory in a more sophisticated manner and does not rely on the periodic cleaning any more. Specifying this option therefore has no effect on the server's behavior. heartbeat-interval The server will perform zone maintenance tasks for all zones marked as dialup whenever this interval expires. The default is 60 minutes. Reasonable values are up to 1 day (1440 minutes). The maximum value is 28 days (40320 minutes). If set to 0, no zone maintenance for these zones will occur. interface-interval The server will scan the network interface list every interface-interval minutes. The default is 60 minutes. The maximum value is 28 days (40320 minutes). If set to 0, interface scanning will only occur when the configuration file is loaded. After the scan, the server will begin listening for queries on any newly discovered interfaces (provided they are allowed by the listen-on configuration), and will stop listening on interfaces that have gone away. statistics-interval Name server statistics will be logged every statistics-interval minutes. The default is 60. The maximum value is 28 days (40320 minutes). If set to 0, no statistics will be logged. Not yet implemented in BIND 9. Topology All other things being equal, when the server chooses a name server to query from a list of name servers, it prefers the one that is topologically closest to itself. The topology statement takes an address_match_list and interprets it in a special way. Each top-level list element is assigned a distance. Non-negated elements get a distance based on their position in the list, where the closer the match is to the start of the list, the shorter the distance is between it and the server. A negated match will be assigned the maximum distance from the server. If there is no match, the address will get a distance which is further than any non-negated list element, and closer than any negated element. For example, topology { 10/8; !1.2.3/24; { 1.2/16; 3/8; }; }; will prefer servers on network 10 the most, followed by hosts on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the exception of hosts on network 1.2.3 (netmask 255.255.255.0), which is preferred least of all. The default topology is topology { localhost; localnets; }; The topology option is not implemented in BIND 9. The <command>sortlist</command> Statement The response to a DNS query may consist of multiple resource records (RRs) forming a resource records set (RRset). The name server will normally return the RRs within the RRset in an indeterminate order (but see the rrset-order statement in ). The client resolver code should rearrange the RRs as appropriate, that is, using any addresses on the local net in preference to other addresses. However, not all resolvers can do this or are correctly configured. When a client is using a local server, the sorting can be performed in the server, based on the client's address. This only requires configuring the name servers, not all the clients. The sortlist statement (see below) takes an address_match_list and interprets it even more specifically than the topology statement does (). Each top level statement in the sortlist must itself be an explicit address_match_list with one or two elements. The first element (which may be an IP address, an IP prefix, an ACL name or a nested address_match_list) of each top level list is checked against the source address of the query until a match is found. Once the source address of the query has been matched, if the top level statement contains only one element, the actual primitive element that matched the source address is used to select the address in the response to move to the beginning of the response. If the statement is a list of two elements, then the second element is treated the same as the address_match_list in a topology statement. Each top level element is assigned a distance and the address in the response with the minimum distance is moved to the beginning of the response. In the following example, any queries received from any of the addresses of the host itself will get responses preferring addresses on any of the locally connected networks. Next most preferred are addresses on the 192.168.1/24 network, and after that either the 192.168.2/24 or 192.168.3/24 network with no preference shown between these two networks. Queries received from a host on the 192.168.1/24 network will prefer other addresses on that network to the 192.168.2/24 and 192.168.3/24 networks. Queries received from a host on the 192.168.4/24 or the 192.168.5/24 network will only prefer other addresses on their directly connected networks. sortlist { { localhost; // IF the local host { localnets; // THEN first fit on the 192.168.1/24; // following nets { 192.168.2/24; 192.168.3/24; }; }; }; { 192.168.1/24; // IF on class C 192.168.1 { 192.168.1/24; // THEN use .1, or .2 or .3 { 192.168.2/24; 192.168.3/24; }; }; }; { 192.168.2/24; // IF on class C 192.168.2 { 192.168.2/24; // THEN use .2, or .1 or .3 { 192.168.1/24; 192.168.3/24; }; }; }; { 192.168.3/24; // IF on class C 192.168.3 { 192.168.3/24; // THEN use .3, or .1 or .2 { 192.168.1/24; 192.168.2/24; }; }; }; { { 192.168.4/24; 192.168.5/24; }; // if .4 or .5, prefer that net }; }; The following example will give reasonable behavior for the local host and hosts on directly connected networks. It is similar to the behavior of the address sort in BIND 4.9.x. Responses sent to queries from the local host will favor any of the directly connected networks. Responses sent to queries from any other hosts on a directly connected network will prefer addresses on that same network. Responses to other queries will not be sorted. sortlist { { localhost; localnets; }; { localnets; }; }; RRset Ordering When multiple records are returned in an answer it may be useful to configure the order of the records placed into the response. The rrset-order statement permits configuration of the ordering of the records in a multiple record response. See also the sortlist statement, . An order_spec is defined as follows: class class_name type type_name name "domain_name" order ordering If no class is specified, the default is ANY. If no type is specified, the default is ANY. If no name is specified, the default is "*" (asterisk). The legal values for ordering are: fixed Records are returned in the order they are defined in the zone file. random Records are returned in some random order. cyclic Records are returned in a cyclic round-robin order. If BIND is configured with the "--enable-fixed-rrset" option at compile time, then the initial ordering of the RRset will match the one specified in the zone file. For example: rrset-order { class IN type A name "host.example.com" order random; order cyclic; }; will cause any responses for type A records in class IN that have "host.example.com" as a suffix, to always be returned in random order. All other records are returned in cyclic order. If multiple rrset-order statements appear, they are not combined — the last one applies. In this release of BIND 9, the rrset-order statement does not support "fixed" ordering by default. Fixed ordering can be enabled at compile time by specifying "--enable-fixed-rrset" on the "configure" command line. Tuning lame-ttl Sets the number of seconds to cache a lame server indication. 0 disables caching. (This is NOT recommended.) The default is 600 (10 minutes) and the maximum value is 1800 (30 minutes). + + + Lame-ttl also controls the amount of time DNSSEC + validation failures are cached. There is a minimum + of 30 seconds applied to bad cache entries if the + lame-ttl is set to less than 30 seconds. + max-ncache-ttl To reduce network traffic and increase performance, the server stores negative answers. max-ncache-ttl is used to set a maximum retention time for these answers in the server in seconds. The default max-ncache-ttl is 10800 seconds (3 hours). max-ncache-ttl cannot exceed 7 days and will be silently truncated to 7 days if set to a greater value. max-cache-ttl Sets the maximum time for which the server will cache ordinary (positive) answers. The default is one week (7 days). A value of zero may cause all queries to return SERVFAIL, because of lost caches of intermediate RRsets (such as NS and glue AAAA/A records) in the resolution process. min-roots The minimum number of root servers that is required for a request for the root servers to be accepted. The default is 2. Not implemented in BIND 9. sig-validity-interval Specifies the number of days into the future when DNSSEC signatures automatically generated as a result of dynamic updates () will expire. There is a optional second field which specifies how long before expiry that the signatures will be regenerated. If not specified, the signatures will be regenerated at 1/4 of base interval. The second field is specified in days if the base interval is greater than 7 days otherwise it is specified in hours. The default base interval is 30 days giving a re-signing interval of 7 1/2 days. The maximum values are 10 years (3660 days). The signature inception time is unconditionally set to one hour before the current time to allow for a limited amount of clock skew. The sig-validity-interval should be, at least, several multiples of the SOA expire interval to allow for reasonable interaction between the various timer and expiry dates. sig-signing-nodes Specify the maximum number of nodes to be examined in each quantum when signing a zone with a new DNSKEY. The default is 100. sig-signing-signatures Specify a threshold number of signatures that will terminate processing a quantum when signing a zone with a new DNSKEY. The default is 10. sig-signing-type Specify a private RDATA type to be used when generating key signing records. The default is 65535. It is expected that this parameter may be removed in a future version once there is a standard type. min-refresh-time max-refresh-time min-retry-time max-retry-time These options control the server's behavior on refreshing a zone (querying for SOA changes) or retrying failed transfers. Usually the SOA values for the zone are used, but these values are set by the master, giving slave server administrators little control over their contents. These options allow the administrator to set a minimum and maximum refresh and retry time either per-zone, per-view, or globally. These options are valid for slave and stub zones, and clamp the SOA refresh and retry times to the specified values. edns-udp-size Sets the advertised EDNS UDP buffer size in bytes to control the size of packets received. Valid values are 512 to 4096 (values outside this range will be silently adjusted). The default value is 4096. The usual reason for setting edns-udp-size to a non-default value is to get UDP answers to pass through broken firewalls that block fragmented packets and/or block UDP packets that are greater than 512 bytes. max-udp-size Sets the maximum EDNS UDP message size named will send in bytes. Valid values are 512 to 4096 (values outside this range will be silently adjusted). The default value is 4096. The usual reason for setting max-udp-size to a non-default value is to get UDP answers to pass through broken firewalls that block fragmented packets and/or block UDP packets that are greater than 512 bytes. This is independent of the advertised receive buffer (edns-udp-size). masterfile-format Specifies the file format of zone files (see ). The default value is text, which is the standard textual representation. Files in other formats than text are typically expected to be generated by the named-compilezone tool. Note that when a zone file in a different format than text is loaded, named may omit some of the checks which would be performed for a file in the text format. In particular, check-names checks do not apply for the raw format. This means a zone file in the raw format must be generated with the same check level as that specified in the named configuration file. This statement sets the masterfile-format for all zones, but can be overridden on a per-zone or per-view basis by including a masterfile-format statement within the zone or view block in the configuration file. clients-per-query max-clients-per-query These set the initial value (minimum) and maximum number of recursive simultaneous clients for any given query (<qname,qtype,qclass>) that the server will accept before dropping additional clients. named will attempt to self tune this value and changes will be logged. The default values are 10 and 100. This value should reflect how many queries come in for a given name in the time it takes to resolve that name. If the number of queries exceed this value, named will assume that it is dealing with a non-responsive zone and will drop additional queries. If it gets a response after dropping queries, it will raise the estimate. The estimate will then be lowered in 20 minutes if it has remained unchanged. If clients-per-query is set to zero, then there is no limit on the number of clients per query and no queries will be dropped. If max-clients-per-query is set to zero, then there is no upper bound other than imposed by recursive-clients. notify-delay The delay, in seconds, between sending sets of notify messages for a zone. The default is five (5) seconds. Built-in server information zones The server provides some helpful diagnostic information through a number of built-in zones under the pseudo-top-level-domain bind in the CHAOS class. These zones are part of a built-in view (see ) of class CHAOS which is separate from the default view of class IN; therefore, any global server options such as allow-query do not apply the these zones. If you feel the need to disable these zones, use the options below, or hide the built-in CHAOS view by defining an explicit view of class CHAOS that matches all clients. version The version the server should report via a query of the name version.bind with type TXT, class CHAOS. The default is the real version number of this server. Specifying version none disables processing of the queries. hostname The hostname the server should report via a query of the name hostname.bind with type TXT, class CHAOS. This defaults to the hostname of the machine hosting the name server as found by the gethostname() function. The primary purpose of such queries is to identify which of a group of anycast servers is actually answering your queries. Specifying hostname none; disables processing of the queries. server-id The ID the server should report when receiving a Name Server Identifier (NSID) query, or a query of the name ID.SERVER with type TXT, class CHAOS. The primary purpose of such queries is to identify which of a group of anycast servers is actually answering your queries. Specifying server-id none; disables processing of the queries. Specifying server-id hostname; will cause named to use the hostname as found by the gethostname() function. The default server-id is none. Built-in Empty Zones Named has some built-in empty zones (SOA and NS records only). These are for zones that should normally be answered locally and which queries should not be sent to the Internet's root servers. The official servers which cover these namespaces return NXDOMAIN responses to these queries. In particular, these cover the reverse namespace for addresses from RFC 1918 and RFC 3330. They also include the reverse namespace for IPv6 local address (locally assigned), IPv6 link local addresses, the IPv6 loopback address and the IPv6 unknown address. Named will attempt to determine if a built-in zone already exists or is active (covered by a forward-only forwarding declaration) and will not create a empty zone in that case. The current list of empty zones is: 0.IN-ADDR.ARPA 127.IN-ADDR.ARPA 254.169.IN-ADDR.ARPA 2.0.192.IN-ADDR.ARPA 255.255.255.255.IN-ADDR.ARPA 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA D.F.IP6.ARPA 8.E.F.IP6.ARPA 9.E.F.IP6.ARPA A.E.F.IP6.ARPA B.E.F.IP6.ARPA Empty zones are settable at the view level and only apply to views of class IN. Disabled empty zones are only inherited from options if there are no disabled empty zones specified at the view level. To override the options list of disabled zones, you can disable the root zone at the view level, for example: disable-empty-zone "."; If you are using the address ranges covered here, you should already have reverse zones covering the addresses you use. In practice this appears to not be the case with many queries being made to the infrastructure servers for names in these spaces. So many in fact that sacrificial servers were needed to be deployed to channel the query load away from the infrastructure servers. The real parent servers for these zones should disable all empty zone under the parent zone they serve. For the real root servers, this is all built-in empty zones. This will enable them to return referrals to deeper in the tree. empty-server Specify what server name will appear in the returned SOA record for empty zones. If none is specified, then the zone's name will be used. empty-contact Specify what contact name will appear in the returned SOA record for empty zones. If none is specified, then "." will be used. empty-zones-enable Enable or disable all empty zones. By default, they are enabled. disable-empty-zone Disable individual empty zones. By default, none are disabled. This option can be specified multiple times. Additional Section Caching The additional section cache, also called acache, is an internal cache to improve the response performance of BIND 9. When additional section caching is enabled, BIND 9 will cache an internal short-cut to the additional section content for each answer RR. Note that acache is an internal caching mechanism of BIND 9, and is not related to the DNS caching server function. Additional section caching does not change the response content (except the RRsets ordering of the additional section, see below), but can improve the response performance significantly. It is particularly effective when BIND 9 acts as an authoritative server for a zone that has many delegations with many glue RRs. In order to obtain the maximum performance improvement from additional section caching, setting additional-from-cache to no is recommended, since the current implementation of acache does not short-cut of additional section information from the DNS cache data. One obvious disadvantage of acache is that it requires much more memory for the internal cached data. Thus, if the response performance does not matter and memory consumption is much more critical, the acache mechanism can be disabled by setting acache-enable to no. It is also possible to specify the upper limit of memory consumption for acache by using max-acache-size. Additional section caching also has a minor effect on the RRset ordering in the additional section. Without acache, cyclic order is effective for the additional section as well as the answer and authority sections. However, additional section caching fixes the ordering when it first caches an RRset for the additional section, and the same ordering will be kept in succeeding responses, regardless of the setting of rrset-order. The effect of this should be minor, however, since an RRset in the additional section typically only contains a small number of RRs (and in many cases it only contains a single RR), in which case the ordering does not matter much. The following is a summary of options related to acache. acache-enable If yes, additional section caching is enabled. The default value is no. acache-cleaning-interval The server will remove stale cache entries, based on an LRU based algorithm, every acache-cleaning-interval minutes. The default is 60 minutes. If set to 0, no periodic cleaning will occur. max-acache-size The maximum amount of memory in bytes to use for the server's acache. When the amount of data in the acache reaches this limit, the server will clean more aggressively so that the limit is not exceeded. In a server with multiple views, the limit applies separately to the acache of each view. The default is 16M. <command>server</command> Statement Grammar server ip_addr[/prefixlen] { bogus yes_or_no ; provide-ixfr yes_or_no ; request-ixfr yes_or_no ; edns yes_or_no ; edns-udp-size number ; max-udp-size number ; transfers number ; transfer-format ( one-answer | many-answers ) ; ] keys { string ; string ; ... } ; transfer-source (ip4_addr | *) port ip_port ; transfer-source-v6 (ip6_addr | *) port ip_port ; notify-source (ip4_addr | *) port ip_port ; notify-source-v6 (ip6_addr | *) port ip_port ; query-source address ( ip_addr | * ) port ( ip_port | * ) ; query-source-v6 address ( ip_addr | * ) port ( ip_port | * ) ; use-queryport-pool yes_or_no; queryport-pool-ports number; queryport-pool-updateinterval number; }; <command>server</command> Statement Definition and Usage The server statement defines characteristics to be associated with a remote name server. If a prefix length is specified, then a range of servers is covered. Only the most specific server clause applies regardless of the order in named.conf. The server statement can occur at the top level of the configuration file or inside a view statement. If a view statement contains one or more server statements, only those apply to the view and any top-level ones are ignored. If a view contains no server statements, any top-level server statements are used as defaults. If you discover that a remote server is giving out bad data, marking it as bogus will prevent further queries to it. The default value of bogus is no. The provide-ixfr clause determines whether the local server, acting as master, will respond with an incremental zone transfer when the given remote server, a slave, requests it. If set to yes, incremental transfer will be provided whenever possible. If set to no, all transfers to the remote server will be non-incremental. If not set, the value of the provide-ixfr option in the view or global options block is used as a default. The request-ixfr clause determines whether the local server, acting as a slave, will request incremental zone transfers from the given remote server, a master. If not set, the value of the request-ixfr option in the view or global options block is used as a default. IXFR requests to servers that do not support IXFR will automatically fall back to AXFR. Therefore, there is no need to manually list which servers support IXFR and which ones do not; the global default of yes should always work. The purpose of the provide-ixfr and request-ixfr clauses is to make it possible to disable the use of IXFR even when both master and slave claim to support it, for example if one of the servers is buggy and crashes or corrupts data when IXFR is used. The edns clause determines whether the local server will attempt to use EDNS when communicating with the remote server. The default is yes. The edns-udp-size option sets the EDNS UDP size that is advertised by named when querying the remote server. Valid values are 512 to 4096 bytes (values outside this range will be silently adjusted). This option is useful when you wish to advertises a different value to this server than the value you advertise globally, for example, when there is a firewall at the remote site that is blocking large replies. The max-udp-size option sets the maximum EDNS UDP message size named will send. Valid values are 512 to 4096 bytes (values outside this range will be silently adjusted). This option is useful when you know that there is a firewall that is blocking large replies from named. The server supports two zone transfer methods. The first, one-answer, uses one DNS message per resource record transferred. many-answers packs as many resource records as possible into a message. many-answers is more efficient, but is only known to be understood by BIND 9, BIND 8.x, and patched versions of BIND 4.9.5. You can specify which method to use for a server with the transfer-format option. If transfer-format is not specified, the transfer-format specified by the options statement will be used. transfers is used to limit the number of concurrent inbound zone transfers from the specified server. If no transfers clause is specified, the limit is set according to the transfers-per-ns option. The keys clause identifies a key_id defined by the key statement, to be used for transaction security (TSIG, ) when talking to the remote server. When a request is sent to the remote server, a request signature will be generated using the key specified here and appended to the message. A request originating from the remote server is not required to be signed by this key. Although the grammar of the keys clause allows for multiple keys, only a single key per server is currently supported. The transfer-source and transfer-source-v6 clauses specify the IPv4 and IPv6 source address to be used for zone transfer with the remote server, respectively. For an IPv4 remote server, only transfer-source can be specified. Similarly, for an IPv6 remote server, only transfer-source-v6 can be specified. For more details, see the description of transfer-source and transfer-source-v6 in . The notify-source and notify-source-v6 clauses specify the IPv4 and IPv6 source address to be used for notify messages sent to remote servers, respectively. For an IPv4 remote server, only notify-source can be specified. Similarly, for an IPv6 remote server, only notify-source-v6 can be specified. The query-source and query-source-v6 clauses specify the IPv4 and IPv6 source address to be used for queries sent to remote servers, respectively. For an IPv4 remote server, only query-source can be specified. Similarly, for an IPv6 remote server, only query-source-v6 can be specified. <command>statistics-channels</command> Statement Grammar statistics-channels { [ inet ( ip_addr | * ) [ port ip_port ] [allow { address_match_list } ]; ] [ inet ...; ] }; <command>statistics-channels</command> Statement Definition and Usage The statistics-channels statement declares communication channels to be used by system administrators to get access to statistics information of the name server. This statement intends to be flexible to support multiple communication protocols in the future, but currently only HTTP access is supported. It requires that BIND 9 be compiled with libxml2; the statistics-channels statement is still accepted even if it is built without the library, but any HTTP access will fail with an error. An inet control channel is a TCP socket listening at the specified ip_port on the specified ip_addr, which can be an IPv4 or IPv6 address. An ip_addr of * (asterisk) is interpreted as the IPv4 wildcard address; connections will be accepted on any of the system's IPv4 addresses. To listen on the IPv6 wildcard address, use an ip_addr of ::. If no port is specified, port 80 is used for HTTP channels. The asterisk "*" cannot be used for ip_port. The attempt of opening a statistics channel is restricted by the optional allow clause. Connections to the statistics channel are permitted based on the address_match_list. If no allow clause is present, named accepts connection attempts from any address; since the statistics may contain sensitive internal information, it is highly recommended to restrict the source of connection requests appropriately. If no statistics-channels statement is present, named will not open any communication channels. <command>trusted-keys</command> Statement Grammar trusted-keys { string number number number string ; string number number number string ; ... }; <command>trusted-keys</command> Statement Definition and Usage The trusted-keys statement defines DNSSEC security roots. DNSSEC is described in . A security root is defined when the public key for a non-authoritative zone is known, but cannot be securely obtained through DNS, either because it is the DNS root zone or because its parent zone is unsigned. Once a key has been configured as a trusted key, it is treated as if it had been validated and proven secure. The resolver attempts DNSSEC validation on all DNS data in subdomains of a security root. All keys (and corresponding zones) listed in trusted-keys are deemed to exist regardless of what parent zones say. Similarly for all keys listed in trusted-keys only those keys are used to validate the DNSKEY RRset. The parent's DS RRset will not be used. The trusted-keys statement can contain multiple key entries, each consisting of the key's domain name, flags, protocol, algorithm, and the Base-64 representation of the key data. Spaces, tabs, newlines and carriage returns are ignored in the key data, so the configuration may be split up into multiple lines. <command>view</command> Statement Grammar view view_name class { match-clients { address_match_list }; match-destinations { address_match_list }; match-recursive-only yes_or_no ; view_option; ... zone_statement; ... }; <command>view</command> Statement Definition and Usage The view statement is a powerful feature of BIND 9 that lets a name server answer a DNS query differently depending on who is asking. It is particularly useful for implementing split DNS setups without having to run multiple servers. Each view statement defines a view of the DNS namespace that will be seen by a subset of clients. A client matches a view if its source IP address matches the address_match_list of the view's match-clients clause and its destination IP address matches the address_match_list of the view's match-destinations clause. If not specified, both match-clients and match-destinations default to matching all addresses. In addition to checking IP addresses match-clients and match-destinations can also take keys which provide an mechanism for the client to select the view. A view can also be specified as match-recursive-only, which means that only recursive requests from matching clients will match that view. The order of the view statements is significant — a client request will be resolved in the context of the first view that it matches. Zones defined within a view statement will only be accessible to clients that match the view. By defining a zone of the same name in multiple views, different zone data can be given to different clients, for example, "internal" and "external" clients in a split DNS setup. Many of the options given in the options statement can also be used within a view statement, and then apply only when resolving queries with that view. When no view-specific value is given, the value in the options statement is used as a default. Also, zone options can have default values specified in the view statement; these view-specific defaults take precedence over those in the options statement. Views are class specific. If no class is given, class IN is assumed. Note that all non-IN views must contain a hint zone, since only the IN class has compiled-in default hints. If there are no view statements in the config file, a default view that matches any client is automatically created in class IN. Any zone statements specified on the top level of the configuration file are considered to be part of this default view, and the options statement will apply to the default view. If any explicit view statements are present, all zone statements must occur inside view statements. Here is an example of a typical split DNS setup implemented using view statements: view "internal" { // This should match our internal networks. match-clients { 10.0.0.0/8; }; // Provide recursive service to internal clients only. recursion yes; // Provide a complete view of the example.com zone // including addresses of internal hosts. zone "example.com" { type master; file "example-internal.db"; }; }; view "external" { // Match all clients not matched by the previous view. match-clients { any; }; // Refuse recursive service to external clients. recursion no; // Provide a restricted view of the example.com zone // containing only publicly accessible hosts. zone "example.com" { type master; file "example-external.db"; }; }; <command>zone</command> Statement Grammar zone zone_name class { type master; allow-query { address_match_list }; allow-query-on { address_match_list }; allow-transfer { address_match_list }; allow-update { address_match_list }; update-policy { update_policy_rule ... }; also-notify { ip_addr port ip_port ; ip_addr port ip_port ; ... }; check-names (warn|fail|ignore) ; check-mx (warn|fail|ignore) ; check-wildcard yes_or_no; check-integrity yes_or_no ; dialup dialup_option ; file string ; masterfile-format (text|raw) ; journal string ; max-journal-size size_spec; forward (only|first) ; forwarders { ip_addr port ip_port ; ... }; ixfr-base string ; ixfr-from-differences yes_or_no; ixfr-tmp-file string ; maintain-ixfr-base yes_or_no ; max-ixfr-log-size number ; max-transfer-idle-out number ; max-transfer-time-out number ; notify yes_or_no | explicit | master-only ; notify-delay seconds ; notify-to-soa yes_or_no; pubkey number number number string ; notify-source (ip4_addr | *) port ip_port ; notify-source-v6 (ip6_addr | *) port ip_port ; zone-statistics yes_or_no ; sig-validity-interval number number ; sig-signing-nodes number ; sig-signing-signatures number ; sig-signing-type number ; database string ; min-refresh-time number ; max-refresh-time number ; min-retry-time number ; max-retry-time number ; key-directory path_name; zero-no-soa-ttl yes_or_no ; }; zone zone_name class { type slave; allow-notify { address_match_list }; allow-query { address_match_list }; allow-query-on { address_match_list }; allow-transfer { address_match_list }; allow-update-forwarding { address_match_list }; update-check-ksk yes_or_no; try-tcp-refresh yes_or_no; also-notify { ip_addr port ip_port ; ip_addr port ip_port ; ... }; check-names (warn|fail|ignore) ; dialup dialup_option ; file string ; masterfile-format (text|raw) ; journal string ; max-journal-size size_spec; forward (only|first) ; forwarders { ip_addr port ip_port ; ... }; ixfr-base string ; ixfr-from-differences yes_or_no; ixfr-tmp-file string ; maintain-ixfr-base yes_or_no ; masters port ip_port { ( masters_list | ip_addr port ip_port key key ) ; ... }; max-ixfr-log-size number ; max-transfer-idle-in number ; max-transfer-idle-out number ; max-transfer-time-in number ; max-transfer-time-out number ; notify yes_or_no | explicit | master-only ; notify-delay seconds ; notify-to-soa yes_or_no; pubkey number number number string ; transfer-source (ip4_addr | *) port ip_port ; transfer-source-v6 (ip6_addr | *) port ip_port ; alt-transfer-source (ip4_addr | *) port ip_port ; alt-transfer-source-v6 (ip6_addr | *) port ip_port ; use-alt-transfer-source yes_or_no; notify-source (ip4_addr | *) port ip_port ; notify-source-v6 (ip6_addr | *) port ip_port ; zone-statistics yes_or_no ; database string ; min-refresh-time number ; max-refresh-time number ; min-retry-time number ; max-retry-time number ; multi-master yes_or_no ; zero-no-soa-ttl yes_or_no ; }; zone zone_name class { type hint; file string ; delegation-only yes_or_no ; check-names (warn|fail|ignore) ; // Not Implemented. }; zone zone_name class { type stub; allow-query { address_match_list }; allow-query-on { address_match_list }; check-names (warn|fail|ignore) ; dialup dialup_option ; delegation-only yes_or_no ; file string ; masterfile-format (text|raw) ; forward (only|first) ; forwarders { ip_addr port ip_port ; ... }; masters port ip_port { ( masters_list | ip_addr port ip_port key key ) ; ... }; max-transfer-idle-in number ; max-transfer-time-in number ; pubkey number number number string ; transfer-source (ip4_addr | *) port ip_port ; transfer-source-v6 (ip6_addr | *) port ip_port ; alt-transfer-source (ip4_addr | *) port ip_port ; alt-transfer-source-v6 (ip6_addr | *) port ip_port ; use-alt-transfer-source yes_or_no; zone-statistics yes_or_no ; database string ; min-refresh-time number ; max-refresh-time number ; min-retry-time number ; max-retry-time number ; multi-master yes_or_no ; }; zone zone_name class { type forward; forward (only|first) ; forwarders { ip_addr port ip_port ; ... }; delegation-only yes_or_no ; }; zone zone_name class { type delegation-only; }; <command>zone</command> Statement Definition and Usage Zone Types master The server has a master copy of the data for the zone and will be able to provide authoritative answers for it. slave A slave zone is a replica of a master zone. The masters list specifies one or more IP addresses of master servers that the slave contacts to update its copy of the zone. Masters list elements can also be names of other masters lists. By default, transfers are made from port 53 on the servers; this can be changed for all servers by specifying a port number before the list of IP addresses, or on a per-server basis after the IP address. Authentication to the master can also be done with per-server TSIG keys. If a file is specified, then the replica will be written to this file whenever the zone is changed, and reloaded from this file on a server restart. Use of a file is recommended, since it often speeds server startup and eliminates a needless waste of bandwidth. Note that for large numbers (in the tens or hundreds of thousands) of zones per server, it is best to use a two-level naming scheme for zone filenames. For example, a slave server for the zone example.com might place the zone contents into a file called ex/example.com where ex/ is just the first two letters of the zone name. (Most operating systems behave very slowly if you put 100000 files into a single directory.) stub A stub zone is similar to a slave zone, except that it replicates only the NS records of a master zone instead of the entire zone. Stub zones are not a standard part of the DNS; they are a feature specific to the BIND implementation. Stub zones can be used to eliminate the need for glue NS record in a parent zone at the expense of maintaining a stub zone entry and a set of name server addresses in named.conf. This usage is not recommended for new configurations, and BIND 9 supports it only in a limited way. In BIND 4/8, zone transfers of a parent zone included the NS records from stub children of that zone. This meant that, in some cases, users could get away with configuring child stubs only in the master server for the parent zone. BIND 9 never mixes together zone data from different zones in this way. Therefore, if a BIND 9 master serving a parent zone has child stub zones configured, all the slave servers for the parent zone also need to have the same child stub zones configured. Stub zones can also be used as a way of forcing the resolution of a given domain to use a particular set of authoritative servers. For example, the caching name servers on a private network using RFC1918 addressing may be configured with stub zones for 10.in-addr.arpa to use a set of internal name servers as the authoritative servers for that domain. forward A "forward zone" is a way to configure forwarding on a per-domain basis. A zone statement of type forward can contain a forward and/or forwarders statement, which will apply to queries within the domain given by the zone name. If no forwarders statement is present or an empty list for forwarders is given, then no forwarding will be done for the domain, canceling the effects of any forwarders in the options statement. Thus if you want to use this type of zone to change the behavior of the global forward option (that is, "forward first" to, then "forward only", or vice versa, but want to use the same servers as set globally) you need to re-specify the global forwarders. hint The initial set of root name servers is specified using a "hint zone". When the server starts up, it uses the root hints to find a root name server and get the most recent list of root name servers. If no hint zone is specified for class IN, the server uses a compiled-in default set of root servers hints. Classes other than IN have no built-in defaults hints. delegation-only This is used to enforce the delegation-only status of infrastructure zones (e.g. COM, NET, ORG). Any answer that is received without an explicit or implicit delegation in the authority section will be treated as NXDOMAIN. This does not apply to the zone apex. This should not be applied to leaf zones. delegation-only has no effect on answers received from forwarders. See caveats in . Class The zone's name may optionally be followed by a class. If a class is not specified, class IN (for Internet), is assumed. This is correct for the vast majority of cases. The hesiod class is named for an information service from MIT's Project Athena. It is used to share information about various systems databases, such as users, groups, printers and so on. The keyword HS is a synonym for hesiod. Another MIT development is Chaosnet, a LAN protocol created in the mid-1970s. Zone data for it can be specified with the CHAOS class. Zone Options allow-notify See the description of allow-notify in . allow-query See the description of allow-query in . allow-query-on See the description of allow-query-on in . allow-transfer See the description of allow-transfer in . allow-update See the description of allow-update in . update-policy Specifies a "Simple Secure Update" policy. See . allow-update-forwarding See the description of allow-update-forwarding in . also-notify Only meaningful if notify is active for this zone. The set of machines that will receive a DNS NOTIFY message for this zone is made up of all the listed name servers (other than the primary master) for the zone plus any IP addresses specified with also-notify. A port may be specified with each also-notify address to send the notify messages to a port other than the default of 53. also-notify is not meaningful for stub zones. The default is the empty list. check-names This option is used to restrict the character set and syntax of certain domain names in master files and/or DNS responses received from the network. The default varies according to zone type. For master zones the default is fail. For slave zones the default is warn. check-mx See the description of check-mx in . check-wildcard See the description of check-wildcard in . check-integrity See the description of check-integrity in . check-sibling See the description of check-sibling in . zero-no-soa-ttl See the description of zero-no-soa-ttl in . update-check-ksk See the description of update-check-ksk in . try-tcp-refresh See the description of try-tcp-refresh in . database Specify the type of database to be used for storing the zone data. The string following the database keyword is interpreted as a list of whitespace-delimited words. The first word identifies the database type, and any subsequent words are passed as arguments to the database to be interpreted in a way specific to the database type. The default is "rbt", BIND 9's native in-memory red-black-tree database. This database does not take arguments. Other values are possible if additional database drivers have been linked into the server. Some sample drivers are included with the distribution but none are linked in by default. dialup See the description of dialup in . delegation-only The flag only applies to hint and stub zones. If set to yes, then the zone will also be treated as if it is also a delegation-only type zone. See caveats in . forward Only meaningful if the zone has a forwarders list. The only value causes the lookup to fail after trying the forwarders and getting no answer, while first would allow a normal lookup to be tried. forwarders Used to override the list of global forwarders. If it is not specified in a zone of type forward, no forwarding is done for the zone and the global options are not used. ixfr-base Was used in BIND 8 to specify the name of the transaction log (journal) file for dynamic update and IXFR. BIND 9 ignores the option and constructs the name of the journal file by appending ".jnl" to the name of the zone file. ixfr-tmp-file Was an undocumented option in BIND 8. Ignored in BIND 9. journal Allow the default journal's filename to be overridden. The default is the zone's filename with ".jnl" appended. This is applicable to master and slave zones. max-journal-size See the description of max-journal-size in . max-transfer-time-in See the description of max-transfer-time-in in . max-transfer-idle-in See the description of max-transfer-idle-in in . max-transfer-time-out See the description of max-transfer-time-out in . max-transfer-idle-out See the description of max-transfer-idle-out in . notify See the description of notify in . notify-delay See the description of notify-delay in . notify-to-soa See the description of notify-to-soa in . pubkey In BIND 8, this option was intended for specifying a public zone key for verification of signatures in DNSSEC signed zones when they are loaded from disk. BIND 9 does not verify signatures on load and ignores the option. zone-statistics If yes, the server will keep statistical information for this zone, which can be dumped to the statistics-file defined in the server options. sig-validity-interval See the description of sig-validity-interval in . sig-signing-nodes See the description of sig-signing-nodes in . sig-signing-signatures See the description of sig-signing-signatures in . sig-signing-type See the description of sig-signing-type in . transfer-source See the description of transfer-source in . transfer-source-v6 See the description of transfer-source-v6 in . alt-transfer-source See the description of alt-transfer-source in . alt-transfer-source-v6 See the description of alt-transfer-source-v6 in . use-alt-transfer-source See the description of use-alt-transfer-source in . notify-source See the description of notify-source in . notify-source-v6 See the description of notify-source-v6 in . min-refresh-time max-refresh-time min-retry-time max-retry-time See the description in . ixfr-from-differences See the description of ixfr-from-differences in . (Note that the ixfr-from-differences master and slave choices are not available at the zone level.) key-directory See the description of key-directory in . multi-master See the description of multi-master in . masterfile-format See the description of masterfile-format in . Dynamic Update Policies BIND 9 supports two alternative methods of granting clients the right to perform dynamic updates to a zone, configured by the allow-update and update-policy option, respectively. The allow-update clause works the same way as in previous versions of BIND. It grants given clients the permission to update any record of any name in the zone. The update-policy clause is new in BIND 9 and allows more fine-grained control over what updates are allowed. A set of rules is specified, where each rule either grants or denies permissions for one or more names to be updated by one or more identities. If the dynamic update request message is signed (that is, it includes either a TSIG or SIG(0) record), the identity of the signer can be determined. Rules are specified in the update-policy zone option, and are only meaningful for master zones. When the update-policy statement is present, it is a configuration error for the allow-update statement to be present. The update-policy statement only examines the signer of a message; the source address is not relevant. This is how a rule definition looks: ( grant | deny ) identity nametype name types Each rule grants or denies privileges. Once a message has successfully matched a rule, the operation is immediately granted or denied and no further rules are examined. A rule is matched when the signer matches the identity field, the name matches the name field in accordance with the nametype field, and the type matches the types specified in the type field. No signer is required for tcp-self or 6to4-self however the standard reverse mapping / prefix conversion must match the identity field. The identity field specifies a name or a wildcard name. Normally, this is the name of the TSIG or SIG(0) key used to sign the update request. When a TKEY exchange has been used to create a shared secret, the identity of the shared secret is the same as the identity of the key used to authenticate the TKEY exchange. TKEY is also the negotiation method used by GSS-TSIG, which establishes an identity that is the Kerberos principal of the client, such as "user@host.domain". When the identity field specifies a wildcard name, it is subject to DNS wildcard expansion, so the rule will apply to multiple identities. The identity field must contain a fully-qualified domain name. The nametype field has 12 values: name, subdomain, wildcard, self, selfsub, selfwild, krb5-self, ms-self, krb5-subdomain, ms-subdomain, tcp-self and 6to4-self. name Exact-match semantics. This rule matches when the name being updated is identical to the contents of the name field. subdomain This rule matches when the name being updated is a subdomain of, or identical to, the contents of the name field. wildcard The name field is subject to DNS wildcard expansion, and this rule matches when the name being updated name is a valid expansion of the wildcard. self This rule matches when the name being updated matches the contents of the identity field. The name field is ignored, but should be the same as the identity field. The self nametype is most useful when allowing using one key per name to update, where the key has the same name as the name to be updated. The identity would be specified as * (an asterisk) in this case. selfsub This rule is similar to self except that subdomains of self can also be updated. selfwild This rule is similar to self except that only subdomains of self can be updated. tcp-self Allow updates that have been sent via TCP and for which the standard mapping from the initiating IP address into the IN-ADDR.ARPA and IP6.ARPA namespaces match the name to be updated. It is theoretically possible to spoof these TCP sessions. 6to4-self Allow the 6to4 prefix to be update by any TCP conection from the 6to4 network or from the corresponding IPv4 address. This is intended to allow NS or DNAME RRsets to be added to the reverse tree. It is theoretically possible to spoof these TCP sessions. In all cases, the name field must specify a fully-qualified domain name. If no types are explicitly specified, this rule matches all types except RRSIG, NS, SOA, NSEC and NSEC3. Types may be specified by name, including "ANY" (ANY matches all types except NSEC and NSEC3, which can never be updated). Note that when an attempt is made to delete all records associated with a name, the rules are checked for each existing record type. Zone File Types of Resource Records and When to Use Them This section, largely borrowed from RFC 1034, describes the concept of a Resource Record (RR) and explains when each is used. Since the publication of RFC 1034, several new RRs have been identified and implemented in the DNS. These are also included. Resource Records A domain name identifies a node. Each node has a set of resource information, which may be empty. The set of resource information associated with a particular name is composed of separate RRs. The order of RRs in a set is not significant and need not be preserved by name servers, resolvers, or other parts of the DNS. However, sorting of multiple RRs is permitted for optimization purposes, for example, to specify that a particular nearby server be tried first. See and . The components of a Resource Record are: owner name The domain name where the RR is found. type An encoded 16-bit value that specifies the type of the resource record. TTL The time-to-live of the RR. This field is a 32-bit integer in units of seconds, and is primarily used by resolvers when they cache RRs. The TTL describes how long a RR can be cached before it should be discarded. class An encoded 16-bit value that identifies a protocol family or instance of a protocol. RDATA The resource data. The format of the data is type (and sometimes class) specific. The following are types of valid RRs: A A host address. In the IN class, this is a 32-bit IP address. Described in RFC 1035. AAAA IPv6 address. Described in RFC 1886. A6 IPv6 address. This can be a partial address (a suffix) and an indirection to the name where the rest of the address (the prefix) can be found. Experimental. Described in RFC 2874. AFSDB Location of AFS database servers. Experimental. Described in RFC 1183. APL Address prefix list. Experimental. Described in RFC 3123. CERT Holds a digital certificate. Described in RFC 2538. CNAME Identifies the canonical name of an alias. Described in RFC 1035. DHCID Is used for identifying which DHCP client is associated with this name. Described in RFC 4701. DNAME Replaces the domain name specified with another name to be looked up, effectively aliasing an entire subtree of the domain name space rather than a single record as in the case of the CNAME RR. Described in RFC 2672. DNSKEY Stores a public key associated with a signed DNS zone. Described in RFC 4034. DS Stores the hash of a public key associated with a signed DNS zone. Described in RFC 4034. GPOS Specifies the global position. Superseded by LOC. HINFO Identifies the CPU and OS used by a host. Described in RFC 1035. IPSECKEY Provides a method for storing IPsec keying material in DNS. Described in RFC 4025. ISDN Representation of ISDN addresses. Experimental. Described in RFC 1183. KEY Stores a public key associated with a DNS name. Used in original DNSSEC; replaced by DNSKEY in DNSSECbis, but still used with SIG(0). Described in RFCs 2535 and 2931. KX Identifies a key exchanger for this DNS name. Described in RFC 2230. LOC For storing GPS info. Described in RFC 1876. Experimental. MX Identifies a mail exchange for the domain with a 16-bit preference value (lower is better) followed by the host name of the mail exchange. Described in RFC 974, RFC 1035. NAPTR Name authority pointer. Described in RFC 2915. NSAP A network service access point. Described in RFC 1706. NS The authoritative name server for the domain. Described in RFC 1035. NSEC Used in DNSSECbis to securely indicate that RRs with an owner name in a certain name interval do not exist in a zone and indicate what RR types are present for an existing name. Described in RFC 4034. NSEC3 Used in DNSSECbis to securely indicate that RRs with an owner name in a certain name interval do not exist in a zone and indicate what RR types are present for an existing name. NSEC3 differs from NSEC in that it prevents zone enumeration but is more computationally expensive on both the server and the client than NSEC. Described in RFC 5155. NSEC3PARAM Used in DNSSECbis to tell the authoritative server which NSEC3 chains are available to use. Described in RFC 5155. NXT Used in DNSSEC to securely indicate that RRs with an owner name in a certain name interval do not exist in a zone and indicate what RR types are present for an existing name. Used in original DNSSEC; replaced by NSEC in DNSSECbis. Described in RFC 2535. PTR A pointer to another part of the domain name space. Described in RFC 1035. PX Provides mappings between RFC 822 and X.400 addresses. Described in RFC 2163. RP Information on persons responsible for the domain. Experimental. Described in RFC 1183. RRSIG Contains DNSSECbis signature data. Described in RFC 4034. RT Route-through binding for hosts that do not have their own direct wide area network addresses. Experimental. Described in RFC 1183. SIG Contains DNSSEC signature data. Used in original DNSSEC; replaced by RRSIG in DNSSECbis, but still used for SIG(0). Described in RFCs 2535 and 2931. SOA Identifies the start of a zone of authority. Described in RFC 1035. SPF Contains the Sender Policy Framework information for a given email domain. Described in RFC 4408. SRV Information about well known network services (replaces WKS). Described in RFC 2782. SSHFP Provides a way to securely publish a secure shell key's fingerprint. Described in RFC 4255. TXT Text records. Described in RFC 1035. WKS Information about which well known network services, such as SMTP, that a domain supports. Historical. X25 Representation of X.25 network addresses. Experimental. Described in RFC 1183. The following classes of resource records are currently valid in the DNS: IN The Internet. CH Chaosnet, a LAN protocol created at MIT in the mid-1970s. Rarely used for its historical purpose, but reused for BIND's built-in server information zones, e.g., version.bind. HS Hesiod, an information service developed by MIT's Project Athena. It is used to share information about various systems databases, such as users, groups, printers and so on. The owner name is often implicit, rather than forming an integral part of the RR. For example, many name servers internally form tree or hash structures for the name space, and chain RRs off nodes. The remaining RR parts are the fixed header (type, class, TTL) which is consistent for all RRs, and a variable part (RDATA) that fits the needs of the resource being described. The meaning of the TTL field is a time limit on how long an RR can be kept in a cache. This limit does not apply to authoritative data in zones; it is also timed out, but by the refreshing policies for the zone. The TTL is assigned by the administrator for the zone where the data originates. While short TTLs can be used to minimize caching, and a zero TTL prohibits caching, the realities of Internet performance suggest that these times should be on the order of days for the typical host. If a change can be anticipated, the TTL can be reduced prior to the change to minimize inconsistency during the change, and then increased back to its former value following the change. The data in the RDATA section of RRs is carried as a combination of binary strings and domain names. The domain names are frequently used as "pointers" to other data in the DNS. Textual expression of RRs RRs are represented in binary form in the packets of the DNS protocol, and are usually represented in highly encoded form when stored in a name server or resolver. In the examples provided in RFC 1034, a style similar to that used in master files was employed in order to show the contents of RRs. In this format, most RRs are shown on a single line, although continuation lines are possible using parentheses. The start of the line gives the owner of the RR. If a line begins with a blank, then the owner is assumed to be the same as that of the previous RR. Blank lines are often included for readability. Following the owner, we list the TTL, type, and class of the RR. Class and type use the mnemonics defined above, and TTL is an integer before the type field. In order to avoid ambiguity in parsing, type and class mnemonics are disjoint, TTLs are integers, and the type mnemonic is always last. The IN class and TTL values are often omitted from examples in the interests of clarity. The resource data or RDATA section of the RR are given using knowledge of the typical representation for the data. For example, we might show the RRs carried in a message as: ISI.EDU. MX 10 VENERA.ISI.EDU. MX 10 VAXA.ISI.EDU VENERA.ISI.EDU A 128.9.0.32 A 10.1.0.52 VAXA.ISI.EDU A 10.2.0.27 A 128.9.0.33 The MX RRs have an RDATA section which consists of a 16-bit number followed by a domain name. The address RRs use a standard IP address format to contain a 32-bit internet address. The above example shows six RRs, with two RRs at each of three domain names. Similarly we might see: XX.LCS.MIT.EDU. IN A 10.0.0.44 CH A MIT.EDU. 2420 This example shows two addresses for XX.LCS.MIT.EDU, each of a different class. Discussion of MX Records As described above, domain servers store information as a series of resource records, each of which contains a particular piece of information about a given domain name (which is usually, but not always, a host). The simplest way to think of a RR is as a typed pair of data, a domain name matched with a relevant datum, and stored with some additional type information to help systems determine when the RR is relevant. MX records are used to control delivery of email. The data specified in the record is a priority and a domain name. The priority controls the order in which email delivery is attempted, with the lowest number first. If two priorities are the same, a server is chosen randomly. If no servers at a given priority are responding, the mail transport agent will fall back to the next largest priority. Priority numbers do not have any absolute meaning — they are relevant only respective to other MX records for that domain name. The domain name given is the machine to which the mail will be delivered. It must have an associated address record (A or AAAA) — CNAME is not sufficient. For a given domain, if there is both a CNAME record and an MX record, the MX record is in error, and will be ignored. Instead, the mail will be delivered to the server specified in the MX record pointed to by the CNAME. For example: example.com. IN MX 10 mail.example.com. IN MX 10 mail2.example.com. IN MX 20 mail.backup.org. mail.example.com. IN A 10.0.0.1 mail2.example.com. IN A 10.0.0.2 Mail delivery will be attempted to mail.example.com and mail2.example.com (in any order), and if neither of those succeed, delivery to mail.backup.org will be attempted. Setting TTLs The time-to-live of the RR field is a 32-bit integer represented in units of seconds, and is primarily used by resolvers when they cache RRs. The TTL describes how long a RR can be cached before it should be discarded. The following three types of TTL are currently used in a zone file. SOA The last field in the SOA is the negative caching TTL. This controls how long other servers will cache no-such-domain (NXDOMAIN) responses from you. The maximum time for negative caching is 3 hours (3h). $TTL The $TTL directive at the top of the zone file (before the SOA) gives a default TTL for every RR without a specific TTL set. RR TTLs Each RR can have a TTL as the second field in the RR, which will control how long other servers can cache the it. All of these TTLs default to units of seconds, though units can be explicitly specified, for example, 1h30m. Inverse Mapping in IPv4 Reverse name resolution (that is, translation from IP address to name) is achieved by means of the in-addr.arpa domain and PTR records. Entries in the in-addr.arpa domain are made in least-to-most significant order, read left to right. This is the opposite order to the way IP addresses are usually written. Thus, a machine with an IP address of 10.1.2.3 would have a corresponding in-addr.arpa name of 3.2.1.10.in-addr.arpa. This name should have a PTR resource record whose data field is the name of the machine or, optionally, multiple PTR records if the machine has more than one name. For example, in the example.com domain: $ORIGIN 2.1.10.in-addr.arpa 3 IN PTR foo.example.com. The $ORIGIN lines in the examples are for providing context to the examples only — they do not necessarily appear in the actual usage. They are only used here to indicate that the example is relative to the listed origin. Other Zone File Directives The Master File Format was initially defined in RFC 1035 and has subsequently been extended. While the Master File Format itself is class independent all records in a Master File must be of the same class. Master File Directives include $ORIGIN, $INCLUDE, and $TTL. The <command>@</command> (at-sign) When used in the label (or name) field, the asperand or at-sign (@) symbol represents the current origin. At the start of the zone file, it is the <zone_name> (followed by trailing dot). The <command>$ORIGIN</command> Directive Syntax: $ORIGIN domain-name comment $ORIGIN sets the domain name that will be appended to any unqualified records. When a zone is first read in there is an implicit $ORIGIN <zone_name>. (followed by trailing dot). The current $ORIGIN is appended to the domain specified in the $ORIGIN argument if it is not absolute. $ORIGIN example.com. WWW CNAME MAIN-SERVER is equivalent to WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM. The <command>$INCLUDE</command> Directive Syntax: $INCLUDE filename origin comment Read and process the file filename as if it were included into the file at this point. If origin is specified the file is processed with $ORIGIN set to that value, otherwise the current $ORIGIN is used. The origin and the current domain name revert to the values they had prior to the $INCLUDE once the file has been read. RFC 1035 specifies that the current origin should be restored after an $INCLUDE, but it is silent on whether the current domain name should also be restored. BIND 9 restores both of them. This could be construed as a deviation from RFC 1035, a feature, or both. The <command>$TTL</command> Directive Syntax: $TTL default-ttl comment Set the default Time To Live (TTL) for subsequent records with undefined TTLs. Valid TTLs are of the range 0-2147483647 seconds. $TTL is defined in RFC 2308. <acronym>BIND</acronym> Master File Extension: the <command>$GENERATE</command> Directive Syntax: $GENERATE range lhs ttl class type rhs comment $GENERATE is used to create a series of resource records that only differ from each other by an iterator. $GENERATE can be used to easily generate the sets of records required to support sub /24 reverse delegations described in RFC 2317: Classless IN-ADDR.ARPA delegation. $ORIGIN 0.0.192.IN-ADDR.ARPA. $GENERATE 1-2 0 NS SERVER$.EXAMPLE. $GENERATE 1-127 $ CNAME $.0 is equivalent to 0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE. 0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE. 1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA. 2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA. ... 127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA. range This can be one of two forms: start-stop or start-stop/step. If the first form is used, then step is set to 1. All of start, stop and step must be positive. lhs This describes the owner name of the resource records to be created. Any single $ (dollar sign) symbols within the lhs string are replaced by the iterator value. To get a $ in the output, you need to escape the $ using a backslash \, e.g. \$. The $ may optionally be followed by modifiers which change the offset from the iterator, field width and base. Modifiers are introduced by a { (left brace) immediately following the $ as ${offset[,width[,base]]}. For example, ${-20,3,d} subtracts 20 from the current value, prints the result as a decimal in a zero-padded field of width 3. Available output forms are decimal (d), octal (o) and hexadecimal (x or X for uppercase). The default modifier is ${0,0,d}. If the lhs is not absolute, the current $ORIGIN is appended to the name. For compatibility with earlier versions, $$ is still recognized as indicating a literal $ in the output. ttl Specifies the time-to-live of the generated records. If not specified this will be inherited using the normal TTL inheritance rules. class and ttl can be entered in either order. class Specifies the class of the generated records. This must match the zone class if it is specified. class and ttl can be entered in either order. type At present the only supported types are PTR, CNAME, DNAME, A, AAAA and NS. rhs rhs is a domain name. It is processed similarly to lhs. The $GENERATE directive is a BIND extension and not part of the standard zone file format. BIND 8 does not support the optional TTL and CLASS fields. Additional File Formats In addition to the standard textual format, BIND 9 supports the ability to read or dump to zone files in other formats. The raw format is currently available as an additional format. It is a binary format representing BIND 9's internal data structure directly, thereby remarkably improving the loading time. For a primary server, a zone file in the raw format is expected to be generated from a textual zone file by the named-compilezone command. For a secondary server or for a dynamic zone, it is automatically generated (if this format is specified by the masterfile-format option) when named dumps the zone contents after zone transfer or when applying prior updates. If a zone file in a binary format needs manual modification, it first must be converted to a textual form by the named-compilezone command. All necessary modification should go to the text file, which should then be converted to the binary form by the named-compilezone command again. Although the raw format uses the network byte order and avoids architecture-dependent data alignment so that it is as much portable as possible, it is primarily expected to be used inside the same single system. In order to export a zone file in the raw format or make a portable backup of the file, it is recommended to convert the file to the standard textual representation. BIND9 Statistics BIND 9 maintains lots of statistics information and provides several interfaces for users to get access to the statistics. The available statistics include all statistics counters that were available in BIND 8 and are meaningful in BIND 9, and other information that is considered useful. The statistics information is categorized into the following sections. Incoming Requests The number of incoming DNS requests for each OPCODE. Incoming Queries The number of incoming queries for each RR type. Outgoing Queries The number of outgoing queries for each RR type sent from the internal resolver. Maintained per view. Name Server Statistics Statistics counters about incoming request processing. Zone Maintenance Statistics Statistics counters regarding zone maintenance operations such as zone transfers. Resolver Statistics Statistics counters about name resolution performed in the internal resolver. Maintained per view. Cache DB RRsets The number of RRsets per RR type (positive or negative) and nonexistent names stored in the cache database. Maintained per view. Socket I/O Statistics Statistics counters about network related events. A subset of Name Server Statistics is collected and shown per zone for which the server has the authority when zone-statistics is set to yes. These statistics counters are shown with their zone and view names. In some cases the view names are omitted for the default view. There are currently two user interfaces to get access to the statistics. One is in the plain text format dumped to the file specified by the statistics-file configuration option. The other is remotely accessible via a statistics channel when the statistics-channels statement is specified in the configuration file (see .) The Statistics File The text format statistics dump begins with a line, like: +++ Statistics Dump +++ (973798949) The number in parentheses is a standard Unix-style timestamp, measured as seconds since January 1, 1970. Following that line is a set of statistics information, which is categorized as described above. Each section begins with a line, like: ++ Name Server Statistics ++ Each section consists of lines, each containing the statistics counter value followed by its textual description. See below for available counters. For brevity, counters that have a value of 0 are not shown in the statistics file. The statistics dump ends with the line where the number is identical to the number in the beginning line; for example: --- Statistics Dump --- (973798949) Statistics Counters The following tables summarize statistics counters that BIND 9 provides. For each row of the tables, the leftmost column is the abbreviated symbol name of that counter. These symbols are shown in the statistics information accessed via an HTTP statistics channel. The rightmost column gives the description of the counter, which is also shown in the statistics file (but, in this document, possibly with slight modification for better readability). Additional notes may also be provided in this column. When a middle column exists between these two columns, it gives the corresponding counter name of the BIND 8 statistics, if applicable. Name Server Statistics Counters Symbol BIND8 Symbol Description Requestv4 RQ IPv4 requests received. Note: this also counts non query requests. Requestv6 RQ IPv6 requests received. Note: this also counts non query requests. ReqEdns0 Requests with EDNS(0) received. ReqBadEDNSVer Requests with unsupported EDNS version received. ReqTSIG Requests with TSIG received. ReqSIG0 Requests with SIG(0) received. ReqBadSIG Requests with invalid (TSIG or SIG(0)) signature. ReqTCP RTCP TCP requests received. AuthQryRej RUQ Authoritative (non recursive) queries rejected. RecQryRej RURQ Recursive queries rejected. XfrRej RUXFR Zone transfer requests rejected. UpdateRej RUUpd Dynamic update requests rejected. Response SAns Responses sent. RespTruncated Truncated responses sent. RespEDNS0 Responses with EDNS(0) sent. RespTSIG Responses with TSIG sent. RespSIG0 Responses with SIG(0) sent. QrySuccess Queries resulted in a successful answer. This means the query which returns a NOERROR response with at least one answer RR. This corresponds to the success counter of previous versions of BIND 9. QryAuthAns Queries resulted in authoritative answer. QryNoauthAns SNaAns Queries resulted in non authoritative answer. QryReferral Queries resulted in referral answer. This corresponds to the referral counter of previous versions of BIND 9. QryNxrrset Queries resulted in NOERROR responses with no data. This corresponds to the nxrrset counter of previous versions of BIND 9. QrySERVFAIL SFail Queries resulted in SERVFAIL. QryFORMERR SFErr Queries resulted in FORMERR. QryNXDOMAIN SNXD Queries resulted in NXDOMAIN. This corresponds to the nxdomain counter of previous versions of BIND 9. QryRecursion RFwdQ Queries which caused the server to perform recursion in order to find the final answer. This corresponds to the recursion counter of previous versions of BIND 9. QryDuplicate RDupQ Queries which the server attempted to recurse but discovered an existing query with the same IP address, port, query ID, name, type and class already being processed. This corresponds to the duplicate counter of previous versions of BIND 9. QryDropped Recursive queries for which the server discovered an excessive number of existing recursive queries for the same name, type and class and were subsequently dropped. This is the number of dropped queries due to the reason explained with the clients-per-query and max-clients-per-query options (see the description about .) This corresponds to the dropped counter of previous versions of BIND 9. QryFailure Other query failures. This corresponds to the failure counter of previous versions of BIND 9. Note: this counter is provided mainly for backward compatibility with the previous versions. Normally a more fine-grained counters such as AuthQryRej and RecQryRej that would also fall into this counter are provided, and so this counter would not be of much interest in practice. XfrReqDone Requested zone transfers completed. UpdateReqFwd Update requests forwarded. UpdateRespFwd Update responses forwarded. UpdateFwdFail Dynamic update forward failed. UpdateDone Dynamic updates completed. UpdateFail Dynamic updates failed. UpdateBadPrereq Dynamic updates rejected due to prerequisite failure. Zone Maintenance Statistics Counters Symbol Description NotifyOutv4 IPv4 notifies sent. NotifyOutv6 IPv6 notifies sent. NotifyInv4 IPv4 notifies received. NotifyInv6 IPv6 notifies received. NotifyRej Incoming notifies rejected. SOAOutv4 IPv4 SOA queries sent. SOAOutv6 IPv6 SOA queries sent. AXFRReqv4 IPv4 AXFR requested. AXFRReqv6 IPv6 AXFR requested. IXFRReqv4 IPv4 IXFR requested. IXFRReqv6 IPv6 IXFR requested. XfrSuccess Zone transfer requests succeeded. XfrFail Zone transfer requests failed. Resolver Statistics Counters Symbol BIND8 Symbol Description Queryv4 SFwdQ IPv4 queries sent. Queryv6 SFwdQ IPv6 queries sent. Responsev4 RR IPv4 responses received. Responsev6 RR IPv6 responses received. NXDOMAIN RNXD NXDOMAIN received. SERVFAIL RFail SERVFAIL received. FORMERR RFErr FORMERR received. OtherError RErr Other errors received. EDNS0Fail EDNS(0) query failures. Mismatch RDupR Mismatch responses received. Truncated Truncated responses received. Lame RLame Lame delegations received. Retry SDupQ Query retries performed. QueryAbort Queries aborted due to quota control. QuerySockFail Failures in opening query sockets. One common reason for such failures is a failure of opening a new socket due to a limitation on file descriptors. QueryTimeout Query timeouts. GlueFetchv4 SSysQ IPv4 NS address fetches invoked. GlueFetchv6 SSysQ IPv6 NS address fetches invoked. GlueFetchv4Fail IPv4 NS address fetch failed. GlueFetchv6Fail IPv6 NS address fetch failed. ValAttempt DNSSEC validation attempted. ValOk DNSSEC validation succeeded. ValNegOk DNSSEC validation on negative information succeeded. ValFail DNSSEC validation failed. QryRTTnn Frequency table on round trip times (RTTs) of queries. Each nn specifies the corresponding frequency. In the sequence of nn_1, nn_2, ..., nn_m, the value of nn_i is the number of queries whose RTTs are between nn_(i-1) (inclusive) and nn_i (exclusive) milliseconds. For the sake of convenience we define nn_0 to be 0. The last entry should be represented as nn_m+, which means the number of queries whose RTTs are equal to or over nn_m milliseconds. Socket I/O Statistics Counters Socket I/O statistics counters are defined per socket types, which are UDP4 (UDP/IPv4), UDP6 (UDP/IPv6), TCP4 (TCP/IPv4), TCP6 (TCP/IPv6), Unix (Unix Domain), and FDwatch (sockets opened outside the socket module). In the following table <TYPE> represents a socket type. Not all counters are available for all socket types; exceptions are noted in the description field. Symbol Description <TYPE>Open Sockets opened successfully. This counter is not applicable to the FDwatch type. <TYPE>OpenFail Failures of opening sockets. This counter is not applicable to the FDwatch type. <TYPE>Close Sockets closed. <TYPE>BindFail Failures of binding sockets. <TYPE>ConnFail Failures of connecting sockets. <TYPE>Conn Connections established successfully. <TYPE>AcceptFail Failures of accepting incoming connection requests. This counter is not applicable to the UDP and FDwatch types. <TYPE>Accept Incoming connections successfully accepted. This counter is not applicable to the UDP and FDwatch types. <TYPE>SendErr Errors in socket send operations. This counter corresponds to SErr counter of BIND 8. <TYPE>RecvErr Errors in socket receive operations. This includes errors of send operations on a connected UDP socket notified by an ICMP error message. Compatibility with <emphasis>BIND</emphasis> 8 Counters Most statistics counters that were available in BIND 8 are also supported in BIND 9 as shown in the above tables. Here are notes about other counters that do not appear in these tables. RFwdR,SFwdR These counters are not supported because BIND 9 does not adopt the notion of forwarding as BIND 8 did. RAXFR This counter is accessible in the Incoming Queries section. RIQ This counter is accessible in the Incoming Requests section. ROpts This counter is not supported because BIND 9 does not care about IP options in the first place. <acronym>BIND</acronym> 9 Security Considerations Access Control Lists Access Control Lists (ACLs) are address match lists that you can set up and nickname for future use in allow-notify, allow-query, allow-query-on, allow-recursion, allow-recursion-on, blackhole, allow-transfer, etc. Using ACLs allows you to have finer control over who can access your name server, without cluttering up your config files with huge lists of IP addresses. It is a good idea to use ACLs, and to control access to your server. Limiting access to your server by outside parties can help prevent spoofing and denial of service (DoS) attacks against your server. Here is an example of how to properly apply ACLs: // Set up an ACL named "bogusnets" that will block RFC1918 space // and some reserved space, which is commonly used in spoofing attacks. acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; }; // Set up an ACL called our-nets. Replace this with the real IP numbers. acl our-nets { x.x.x.x/24; x.x.x.x/21; }; options { ... ... allow-query { our-nets; }; allow-recursion { our-nets; }; ... blackhole { bogusnets; }; ... }; zone "example.com" { type master; file "m/example.com"; allow-query { any; }; }; This allows recursive queries of the server from the outside unless recursion has been previously disabled. For more information on how to use ACLs to protect your server, see the AUSCERT advisory at: ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos <command>Chroot</command> and <command>Setuid</command> On UNIX servers, it is possible to run BIND in a chrooted environment (using the chroot() function) by specifying the "" option for named. This can help improve system security by placing BIND in a "sandbox", which will limit the damage done if a server is compromised. Another useful feature in the UNIX version of BIND is the ability to run the daemon as an unprivileged user ( user ). We suggest running as an unprivileged user when using the chroot feature. Here is an example command line to load BIND in a chroot sandbox, /var/named, and to run named setuid to user 202: /usr/local/sbin/named -u 202 -t /var/named The <command>chroot</command> Environment In order for a chroot environment to work properly in a particular directory (for example, /var/named), you will need to set up an environment that includes everything BIND needs to run. From BIND's point of view, /var/named is the root of the filesystem. You will need to adjust the values of options like like directory and pid-file to account for this. Unlike with earlier versions of BIND, you typically will not need to compile named statically nor install shared libraries under the new root. However, depending on your operating system, you may need to set up things like /dev/zero, /dev/random, /dev/log, and /etc/localtime. Using the <command>setuid</command> Function Prior to running the named daemon, use the touch utility (to change file access and modification times) or the chown utility (to set the user id and/or group id) on files to which you want BIND to write. Note that if the named daemon is running as an unprivileged user, it will not be able to bind to new restricted ports if the server is reloaded. Dynamic Update Security Access to the dynamic update facility should be strictly limited. In earlier versions of BIND, the only way to do this was based on the IP address of the host requesting the update, by listing an IP address or network prefix in the allow-update zone option. This method is insecure since the source address of the update UDP packet is easily forged. Also note that if the IP addresses allowed by the allow-update option include the address of a slave server which performs forwarding of dynamic updates, the master can be trivially attacked by sending the update to the slave, which will forward it to the master with its own source IP address causing the master to approve it without question. For these reasons, we strongly recommend that updates be cryptographically authenticated by means of transaction signatures (TSIG). That is, the allow-update option should list only TSIG key names, not IP addresses or network prefixes. Alternatively, the new update-policy option can be used. Some sites choose to keep all dynamically-updated DNS data in a subdomain and delegate that subdomain to a separate zone. This way, the top-level zone containing critical data such as the IP addresses of public web and mail servers need not allow dynamic update at all. Troubleshooting Common Problems It's not working; how can I figure out what's wrong? The best solution to solving installation and configuration issues is to take preventative measures by setting up logging files beforehand. The log files provide a source of hints and information that can be used to figure out what went wrong and how to fix the problem. Incrementing and Changing the Serial Number Zone serial numbers are just numbers — they aren't date related. A lot of people set them to a number that represents a date, usually of the form YYYYMMDDRR. Occasionally they will make a mistake and set them to a "date in the future" then try to correct them by setting them to the "current date". This causes problems because serial numbers are used to indicate that a zone has been updated. If the serial number on the slave server is lower than the serial number on the master, the slave server will attempt to update its copy of the zone. Setting the serial number to a lower number on the master server than the slave server means that the slave will not perform updates to its copy of the zone. The solution to this is to add 2147483647 (2^31-1) to the number, reload the zone and make sure all slaves have updated to the new zone serial number, then reset the number to what you want it to be, and reload the zone again. Where Can I Get Help? The Internet Systems Consortium (ISC) offers a wide range of support and service agreements for BIND and DHCP servers. Four levels of premium support are available and each level includes support for all ISC programs, significant discounts on products and training, and a recognized priority on bug fixes and non-funded feature requests. In addition, ISC offers a standard support agreement package which includes services ranging from bug fix announcements to remote support. It also includes training in BIND and DHCP. To discuss arrangements for support, contact info@isc.org or visit the ISC web page at http://www.isc.org/services/support/ to read more. Appendices Acknowledgments A Brief History of the <acronym>DNS</acronym> and <acronym>BIND</acronym> Although the "official" beginning of the Domain Name System occurred in 1984 with the publication of RFC 920, the core of the new system was described in 1983 in RFCs 882 and 883. From 1984 to 1987, the ARPAnet (the precursor to today's Internet) became a testbed of experimentation for developing the new naming/addressing scheme in a rapidly expanding, operational network environment. New RFCs were written and published in 1987 that modified the original documents to incorporate improvements based on the working model. RFC 1034, "Domain Names-Concepts and Facilities", and RFC 1035, "Domain Names-Implementation and Specification" were published and became the standards upon which all DNS implementations are built. The first working domain name server, called "Jeeves", was written in 1983-84 by Paul Mockapetris for operation on DEC Tops-20 machines located at the University of Southern California's Information Sciences Institute (USC-ISI) and SRI International's Network Information Center (SRI-NIC). A DNS server for Unix machines, the Berkeley Internet Name Domain (BIND) package, was written soon after by a group of graduate students at the University of California at Berkeley under a grant from the US Defense Advanced Research Projects Administration (DARPA). Versions of BIND through 4.8.3 were maintained by the Computer Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark Painter, David Riggle and Songnian Zhou made up the initial BIND project team. After that, additional work on the software package was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment Corporation employee on loan to the CSRG, worked on BIND for 2 years, from 1985 to 1987. Many other people also contributed to BIND development during that time: Doug Kingston, Craig Partridge, Smoot Carl-Mitchell, Mike Muuss, Jim Bloom and Mike Schwartz. BIND maintenance was subsequently handled by Mike Karels and Øivind Kure. BIND versions 4.9 and 4.9.1 were released by Digital Equipment Corporation (now Compaq Computer Corporation). Paul Vixie, then a DEC employee, became BIND's primary caretaker. He was assisted by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan Beecher, Andrew Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe Wolfhugel, and others. In 1994, BIND version 4.9.2 was sponsored by Vixie Enterprises. Paul Vixie became BIND's principal architect/programmer. BIND versions from 4.9.3 onward have been developed and maintained by the Internet Systems Consortium and its predecessor, the Internet Software Consortium, with support being provided by ISC's sponsors. As co-architects/programmers, Bob Halley and Paul Vixie released the first production-ready version of BIND version 8 in May 1997. BIND version 9 was released in September 2000 and is a major rewrite of nearly all aspects of the underlying BIND architecture. BIND versions 4 and 8 are officially deprecated. No additional development is done on BIND version 4 or BIND version 8. BIND development work is made possible today by the sponsorship of several corporations, and by the tireless work efforts of numerous individuals. General <acronym>DNS</acronym> Reference Information IPv6 addresses (AAAA) IPv6 addresses are 128-bit identifiers for interfaces and sets of interfaces which were introduced in the DNS to facilitate scalable Internet routing. There are three types of addresses: Unicast, an identifier for a single interface; Anycast, an identifier for a set of interfaces; and Multicast, an identifier for a set of interfaces. Here we describe the global Unicast address scheme. For more information, see RFC 3587, "Global Unicast Address Format." IPv6 unicast addresses consist of a global routing prefix, a subnet identifier, and an interface identifier. The global routing prefix is provided by the upstream provider or ISP, and (roughly) corresponds to the IPv4 network section of the address range. The subnet identifier is for local subnetting, much the same as subnetting an IPv4 /16 network into /24 subnets. The interface identifier is the address of an individual interface on a given network; in IPv6, addresses belong to interfaces rather than to machines. The subnetting capability of IPv6 is much more flexible than that of IPv4: subnetting can be carried out on bit boundaries, in much the same way as Classless InterDomain Routing (CIDR), and the DNS PTR representation ("nibble" format) makes setting up reverse zones easier. The Interface Identifier must be unique on the local link, and is usually generated automatically by the IPv6 implementation, although it is usually possible to override the default setting if necessary. A typical IPv6 address might look like: 2001:db8:201:9:a00:20ff:fe81:2b32 IPv6 address specifications often contain long strings of zeros, so the architects have included a shorthand for specifying them. The double colon (`::') indicates the longest possible string of zeros that can fit, and can be used only once in an address. Bibliography (and Suggested Reading) Request for Comments (RFCs) Specification documents for the Internet protocol suite, including the DNS, are published as part of the Request for Comments (RFCs) series of technical notes. The standards themselves are defined by the Internet Engineering Task Force (IETF) and the Internet Engineering Steering Group (IESG). RFCs can be obtained online via FTP at: ftp://www.isi.edu/in-notes/RFCxxxx.txt (where xxxx is the number of the RFC). RFCs are also available via the Web at: http://www.ietf.org/rfc/. Standards RFC974 Partridge C. Mail Routing and the Domain System January 1986 RFC1034 Mockapetris P.V. Domain Names — Concepts and Facilities November 1987 RFC1035 Mockapetris P. V. Domain Names — Implementation and Specification November 1987 Proposed Standards RFC2181 Elz R., R. Bush Clarifications to the <acronym>DNS</acronym> Specification July 1997 RFC2308 Andrews M. Negative Caching of <acronym>DNS</acronym> Queries March 1998 RFC1995 Ohta M. Incremental Zone Transfer in <acronym>DNS</acronym> August 1996 RFC1996 Vixie P. A Mechanism for Prompt Notification of Zone Changes August 1996 RFC2136 Vixie P. S. Thomson Y. Rekhter J. Bound Dynamic Updates in the Domain Name System April 1997 RFC2671 P. Vixie Extension Mechanisms for DNS (EDNS0) August 1997 RFC2672 M. Crawford Non-Terminal DNS Name Redirection August 1999 RFC2845 Vixie P. O. Gudmundsson D. Eastlake 3rd B. Wellington Secret Key Transaction Authentication for <acronym>DNS</acronym> (TSIG) May 2000 RFC2930 D. Eastlake 3rd Secret Key Establishment for DNS (TKEY RR) September 2000 RFC2931 D. Eastlake 3rd DNS Request and Transaction Signatures (SIG(0)s) September 2000 RFC3007 B. Wellington Secure Domain Name System (DNS) Dynamic Update November 2000 RFC3645 S. Kwan P. Garg J. Gilroy L. Esibov J. Westhead R. Hall Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG) October 2003 <acronym>DNS</acronym> Security Proposed Standards RFC3225 D. Conrad Indicating Resolver Support of DNSSEC December 2001 RFC3833 D. Atkins R. Austein Threat Analysis of the Domain Name System (DNS) August 2004 RFC4033 R. Arends R. Austein M. Larson D. Massey S. Rose DNS Security Introduction and Requirements March 2005 RFC4034 R. Arends R. Austein M. Larson D. Massey S. Rose Resource Records for the DNS Security Extensions March 2005 RFC4035 R. Arends R. Austein M. Larson D. Massey S. Rose Protocol Modifications for the DNS Security Extensions March 2005 Other Important RFCs About <acronym>DNS</acronym> Implementation RFC1535 Gavron E. A Security Problem and Proposed Correction With Widely Deployed <acronym>DNS</acronym> Software. October 1993 RFC1536 Kumar A. J. Postel C. Neuman P. Danzig S. Miller Common <acronym>DNS</acronym> Implementation Errors and Suggested Fixes October 1993 RFC1982 Elz R. R. Bush Serial Number Arithmetic August 1996 RFC4074 Morishita Y. T. Jinmei Common Misbehaviour Against <acronym>DNS</acronym> Queries for IPv6 Addresses May 2005 Resource Record Types RFC1183 Everhart C.F. L. A. Mamakos R. Ullmann P. Mockapetris New <acronym>DNS</acronym> RR Definitions October 1990 RFC1706 Manning B. R. Colella <acronym>DNS</acronym> NSAP Resource Records October 1994 RFC2168 Daniel R. M. Mealling Resolution of Uniform Resource Identifiers using the Domain Name System June 1997 RFC1876 Davis C. P. Vixie T. Goodwin I. Dickinson A Means for Expressing Location Information in the Domain Name System January 1996 RFC2052 Gulbrandsen A. P. Vixie A <acronym>DNS</acronym> RR for Specifying the Location of Services. October 1996 RFC2163 Allocchio A. Using the Internet <acronym>DNS</acronym> to Distribute MIXER Conformant Global Address Mapping January 1998 RFC2230 Atkinson R. Key Exchange Delegation Record for the <acronym>DNS</acronym> October 1997 RFC2536 Eastlake D. 3rd DSA KEYs and SIGs in the Domain Name System (DNS) March 1999 RFC2537 Eastlake D. 3rd RSA/MD5 KEYs and SIGs in the Domain Name System (DNS) March 1999 RFC2538 Eastlake D. 3rd Gudmundsson O. Storing Certificates in the Domain Name System (DNS) March 1999 RFC2539 Eastlake D. 3rd Storage of Diffie-Hellman Keys in the Domain Name System (DNS) March 1999 RFC2540 Eastlake D. 3rd Detached Domain Name System (DNS) Information March 1999 RFC2782 Gulbrandsen A. Vixie P. Esibov L. A DNS RR for specifying the location of services (DNS SRV) February 2000 RFC2915 Mealling M. Daniel R. The Naming Authority Pointer (NAPTR) DNS Resource Record September 2000 RFC3110 Eastlake D. 3rd RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS) May 2001 RFC3123 Koch P. A DNS RR Type for Lists of Address Prefixes (APL RR) June 2001 RFC3596 Thomson S. C. Huitema V. Ksinant M. Souissi <acronym>DNS</acronym> Extensions to support IP version 6 October 2003 RFC3597 Gustafsson A. Handling of Unknown DNS Resource Record (RR) Types September 2003 <acronym>DNS</acronym> and the Internet RFC1101 Mockapetris P. V. <acronym>DNS</acronym> Encoding of Network Names and Other Types April 1989 RFC1123 Braden R. Requirements for Internet Hosts - Application and Support October 1989 RFC1591 Postel J. Domain Name System Structure and Delegation March 1994 RFC2317 Eidnes H. G. de Groot P. Vixie Classless IN-ADDR.ARPA Delegation March 1998 RFC2826 Internet Architecture Board IAB Technical Comment on the Unique DNS Root May 2000 RFC2929 Eastlake D. 3rd Brunner-Williams E. Manning B. Domain Name System (DNS) IANA Considerations September 2000 <acronym>DNS</acronym> Operations RFC1033 Lottor M. Domain administrators operations guide. November 1987 RFC1537 Beertema P. Common <acronym>DNS</acronym> Data File Configuration Errors October 1993 RFC1912 Barr D. Common <acronym>DNS</acronym> Operational and Configuration Errors February 1996 RFC2010 Manning B. P. Vixie Operational Criteria for Root Name Servers. October 1996 RFC2219 Hamilton M. R. Wright Use of <acronym>DNS</acronym> Aliases for Network Services. October 1997 Internationalized Domain Names RFC2825 IAB Daigle R. A Tangled Web: Issues of I18N, Domain Names, and the Other Internet protocols May 2000 RFC3490 Faltstrom P. Hoffman P. Costello A. Internationalizing Domain Names in Applications (IDNA) March 2003 RFC3491 Hoffman P. Blanchet M. Nameprep: A Stringprep Profile for Internationalized Domain Names March 2003 RFC3492 Costello A. Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA) March 2003 Other <acronym>DNS</acronym>-related RFCs Note: the following list of RFCs, although DNS-related, are not concerned with implementing software. RFC1464 Rosenbaum R. Using the Domain Name System To Store Arbitrary String Attributes May 1993 RFC1713 Romao A. Tools for <acronym>DNS</acronym> Debugging November 1994 RFC1794 Brisco T. <acronym>DNS</acronym> Support for Load Balancing April 1995 RFC2240 Vaughan O. A Legal Basis for Domain Name Allocation November 1997 RFC2345 Klensin J. T. Wolf G. Oglesby Domain Names and Company Name Retrieval May 1998 RFC2352 Vaughan O. A Convention For Using Legal Names as Domain Names May 1998 RFC3071 Klensin J. Reflections on the DNS, RFC 1591, and Categories of Domains February 2001 RFC3258 Hardie T. Distributing Authoritative Name Servers via Shared Unicast Addresses April 2002 RFC3901 Durand A. J. Ihren DNS IPv6 Transport Operational Guidelines September 2004 Obsolete and Unimplemented Experimental RFC RFC1712 Farrell C. M. Schulze S. Pleitner D. Baldoni <acronym>DNS</acronym> Encoding of Geographical Location November 1994 RFC2673 Crawford M. Binary Labels in the Domain Name System August 1999 RFC2874 Crawford M. Huitema C. DNS Extensions to Support IPv6 Address Aggregation and Renumbering July 2000 Obsoleted DNS Security RFCs Most of these have been consolidated into RFC4033, RFC4034 and RFC4035 which collectively describe DNSSECbis. RFC2065 Eastlake 3rd D. C. Kaufman Domain Name System Security Extensions January 1997 RFC2137 Eastlake 3rd D. Secure Domain Name System Dynamic Update April 1997 RFC2535 Eastlake 3rd D. Domain Name System Security Extensions March 1999 RFC3008 Wellington B. Domain Name System Security (DNSSEC) Signing Authority November 2000 RFC3090 Lewis E. DNS Security Extension Clarification on Zone Status March 2001 RFC3445 Massey D. Rose S. Limiting the Scope of the KEY Resource Record (RR) December 2002 RFC3655 Wellington B. Gudmundsson O. Redefinition of DNS Authenticated Data (AD) bit November 2003 RFC3658 Gudmundsson O. Delegation Signer (DS) Resource Record (RR) December 2003 RFC3755 Weiler S. Legacy Resolver Compatibility for Delegation Signer (DS) May 2004 RFC3757 Kolkman O. Schlyter J. Lewis E. Domain Name System KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag April 2004 RFC3845 Schlyter J. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format August 2004 Internet Drafts Internet Drafts (IDs) are rough-draft working documents of the Internet Engineering Task Force. They are, in essence, RFCs in the preliminary stages of development. Implementors are cautioned not to regard IDs as archival, and they should not be quoted or cited in any formal documents unless accompanied by the disclaimer that they are "works in progress." IDs have a lifespan of six months after which they are deleted unless updated by their authors. Other Documents About <acronym>BIND</acronym> Albitz Paul Cricket Liu <acronym>DNS</acronym> and <acronym>BIND</acronym> 1998 Sebastopol, CA: O'Reilly and Associates Manual pages Index: head/contrib/bind9/doc/arm/Bv9ARM.ch06.html =================================================================== --- head/contrib/bind9/doc/arm/Bv9ARM.ch06.html (revision 205291) +++ head/contrib/bind9/doc/arm/Bv9ARM.ch06.html (revision 205292) @@ -1,9316 +1,9324 @@ - + Chapter 6. BIND 9 Configuration Reference
Chapter 6. BIND 9 Configuration Reference
Prev     Next

Chapter 6. BIND 9 Configuration Reference

Table of Contents

Configuration File Elements
Address Match Lists
Comment Syntax
Configuration File Grammar
acl Statement Grammar
acl Statement Definition and Usage
controls Statement Grammar
controls Statement Definition and Usage
include Statement Grammar
include Statement Definition and Usage
key Statement Grammar
key Statement Definition and Usage
logging Statement Grammar
logging Statement Definition and Usage
lwres Statement Grammar
lwres Statement Definition and Usage
masters Statement Grammar
masters Statement Definition and Usage
options Statement Grammar
options Statement Definition and Usage
server Statement Grammar
server Statement Definition and Usage
statistics-channels Statement Grammar
-
statistics-channels Statement Definition and +
statistics-channels Statement Definition and Usage
-
trusted-keys Statement Grammar
-
trusted-keys Statement Definition +
trusted-keys Statement Grammar
+
trusted-keys Statement Definition and Usage
view Statement Grammar
-
view Statement Definition and Usage
+
view Statement Definition and Usage
zone Statement Grammar
-
zone Statement Definition and Usage
+
zone Statement Definition and Usage
-
Zone File
+
Zone File
Types of Resource Records and When to Use Them
-
Discussion of MX Records
+
Discussion of MX Records
Setting TTLs
-
Inverse Mapping in IPv4
-
Other Zone File Directives
-
BIND Master File Extension: the $GENERATE Directive
+
Inverse Mapping in IPv4
+
Other Zone File Directives
+
BIND Master File Extension: the $GENERATE Directive
Additional File Formats
BIND9 Statistics
Statistics Counters

BIND 9 configuration is broadly similar to BIND 8; however, there are a few new areas of configuration, such as views. BIND 8 configuration files should work with few alterations in BIND 9, although more complex configurations should be reviewed to check if they can be more efficiently implemented using the new features found in BIND 9.

BIND 4 configuration files can be converted to the new format using the shell script contrib/named-bootconf/named-bootconf.sh.

Configuration File Elements

Following is a list of elements used throughout the BIND configuration file documentation:

acl_name

The name of an address_match_list as defined by the acl statement.

address_match_list

A list of one or more ip_addr, ip_prefix, key_id, or acl_name elements, see the section called “Address Match Lists”.

masters_list

A named list of one or more ip_addr with optional key_id and/or ip_port. A masters_list may include other masters_lists.

domain_name

A quoted string which will be used as a DNS name, for example "my.test.domain".

dotted_decimal

One to four integers valued 0 through 255 separated by dots (`.'), such as 123, 45.67 or 89.123.45.67.

ip4_addr

An IPv4 address with exactly four elements in dotted_decimal notation.

ip6_addr

An IPv6 address, such as 2001:db8::1234. IPv6 scoped addresses that have ambiguity on their scope zones must be disambiguated by an appropriate zone ID with the percent character (`%') as delimiter. It is strongly recommended to use string zone names rather than numeric identifiers, in order to be robust against system configuration changes. However, since there is no standard mapping for such names and identifier values, currently only interface names as link identifiers are supported, assuming one-to-one mapping between interfaces and links. For example, a link-local address fe80::1 on the link attached to the interface ne0 can be specified as fe80::1%ne0. Note that on most systems link-local addresses always have the ambiguity, and need to be disambiguated.

ip_addr

An ip4_addr or ip6_addr.

ip_port

An IP port number. The number is limited to 0 through 65535, with values below 1024 typically restricted to use by processes running as root. In some cases, an asterisk (`*') character can be used as a placeholder to select a random high-numbered port.

ip_prefix

An IP network specified as an ip_addr, followed by a slash (`/') and then the number of bits in the netmask. Trailing zeros in a ip_addr may omitted. For example, 127/8 is the network 127.0.0.0 with netmask 255.0.0.0 and 1.2.3.0/28 is network 1.2.3.0 with netmask 255.255.255.240.

When specifying a prefix involving a IPv6 scoped address the scope may be omitted. In that case the prefix will match packets from any scope.

key_id

A domain_name representing the name of a shared key, to be used for transaction security.

key_list

A list of one or more key_ids, separated by semicolons and ending with a semicolon.

number

A non-negative 32-bit integer (i.e., a number between 0 and 4294967295, inclusive). Its acceptable value might further be limited by the context in which it is used.

path_name

A quoted string which will be used as a pathname, such as zones/master/my.test.domain.

port_list

A list of an ip_port or a port range. A port range is specified in the form of range followed by two ip_ports, port_low and port_high, which represents port numbers from port_low through port_high, inclusive. port_low must not be larger than port_high. For example, range 1024 65535 represents ports from 1024 through 65535. In either case an asterisk (`*') character is not allowed as a valid ip_port.

size_spec

A number, the word unlimited, or the word default.

An unlimited size_spec requests unlimited use, or the maximum available amount. A default size_spec uses the limit that was in force when the server was started.

A number can optionally be followed by a scaling factor: K or k for kilobytes, M or m for megabytes, and G or g for gigabytes, which scale by 1024, 1024*1024, and 1024*1024*1024 respectively.

The value must be representable as a 64-bit unsigned integer (0 to 18446744073709551615, inclusive). Using unlimited is the best way to safely set a really large number.

yes_or_no

Either yes or no. The words true and false are also accepted, as are the numbers 1 and 0.

dialup_option

One of yes, no, notify, notify-passive, refresh or passive. When used in a zone, notify-passive, refresh, and passive are restricted to slave and stub zones.

Address Match Lists

Syntax

address_match_list = address_match_list_element ;
   [ address_match_list_element; ... ]
 address_match_list_element = [ ! ] (ip_address [/length] |
    key key_id | acl_name | { address_match_list } )

Definition and Usage

Address match lists are primarily used to determine access control for various server operations. They are also used in the listen-on and sortlist statements. The elements which constitute an address match list can be any of the following:

  • an IP address (IPv4 or IPv6)
  • an IP prefix (in `/' notation)
  • a key ID, as defined by the key statement
  • the name of an address match list defined with the acl statement
  • a nested address match list enclosed in braces

Elements can be negated with a leading exclamation mark (`!'), and the match list names "any", "none", "localhost", and "localnets" are predefined. More information on those names can be found in the description of the acl statement.

The addition of the key clause made the name of this syntactic element something of a misnomer, since security keys can be used to validate access without regard to a host or network address. Nonetheless, the term "address match list" is still used throughout the documentation.

When a given IP address or prefix is compared to an address match list, the comparison takes place in approximately O(1) time. However, key comparisons require that the list of keys be traversed until a matching key is found, and therefore may be somewhat slower.

The interpretation of a match depends on whether the list is being used for access control, defining listen-on ports, or in a sortlist, and whether the element was negated.

When used as an access control list, a non-negated match allows access and a negated match denies access. If there is no match, access is denied. The clauses allow-notify, allow-recursion, allow-recursion-on, allow-query, allow-query-on, allow-query-cache, allow-query-cache-on, allow-transfer, allow-update, allow-update-forwarding, and blackhole all use address match lists. Similarly, the listen-on option will cause the server to refuse queries on any of the machine's addresses which do not match the list.

Order of insertion is significant. If more than one element in an ACL is found to match a given IP address or prefix, preference will be given to the one that came first in the ACL definition. Because of this first-match behavior, an element that defines a subset of another element in the list should come before the broader element, regardless of whether either is negated. For example, in 1.2.3/24; ! 1.2.3.13; the 1.2.3.13 element is completely useless because the algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24 element. Using ! 1.2.3.13; 1.2.3/24 fixes that problem by having 1.2.3.13 blocked by the negation, but all other 1.2.3.* hosts fall through.

Comment Syntax

The BIND 9 comment syntax allows for comments to appear anywhere that whitespace may appear in a BIND configuration file. To appeal to programmers of all kinds, they can be written in the C, C++, or shell/perl style.

Syntax

/* This is a BIND comment as in C */

// This is a BIND comment as in C++

# This is a BIND comment as in common UNIX shells and perl

Definition and Usage

Comments may appear anywhere that whitespace may appear in a BIND configuration file.

C-style comments start with the two characters /* (slash, star) and end with */ (star, slash). Because they are completely delimited with these characters, they can be used to comment only a portion of a line or to span multiple lines.

C-style comments cannot be nested. For example, the following is not valid because the entire comment ends with the first */: 

/* This is the start of a comment.
    This is still part of the comment.
 /* This is an incorrect attempt at nesting a comment. */
    This is no longer in any comment. */

C++-style comments start with the two characters // (slash, slash) and continue to the end of the physical line. They cannot be continued across multiple physical lines; to have one logical comment span multiple lines, each line must use the // pair. For example: 

// This is the start of a comment.  The next line
 // is a new comment, even though it is logically
 // part of the previous comment.

Shell-style (or perl-style, if you prefer) comments start with the character # (number sign) and continue to the end of the physical line, as in C++ comments. For example: 

# This is the start of a comment.  The next line
 # is a new comment, even though it is logically
 # part of the previous comment.

Warning

You cannot use the semicolon (`;') character to start a comment such as you would in a zone file. The semicolon indicates the end of a configuration statement.

Configuration File Grammar

A BIND 9 configuration consists of statements and comments. Statements end with a semicolon. Statements and comments are the only elements that can appear without enclosing braces. Many statements contain a block of sub-statements, which are also terminated with a semicolon.

The following statements are supported:

acl

defines a named IP address matching list, for access control and other uses.

controls

declares control channels to be used by the rndc utility.

include

includes a file.

key

specifies key information for use in authentication and authorization using TSIG.

logging

specifies what the server logs, and where the log messages are sent.

lwres

configures named to also act as a light-weight resolver daemon (lwresd).

masters

defines a named masters list for inclusion in stub and slave zone masters clauses.

options

controls global server configuration options and sets defaults for other statements.

server

sets certain configuration options on a per-server basis.

statistics-channels

declares communication channels to get access to named statistics.

trusted-keys

defines trusted DNSSEC keys.

view

defines a view.

zone

defines a zone.

The logging and options statements may only occur once per configuration.

acl Statement Grammar

acl acl-name {
     address_match_list
 };

acl Statement Definition and Usage

The acl statement assigns a symbolic name to an address match list. It gets its name from a primary use of address match lists: Access Control Lists (ACLs).

Note that an address match list's name must be defined with acl before it can be used elsewhere; no forward references are allowed.

The following ACLs are built-in:

any

Matches all hosts.

none

Matches no hosts.

localhost

Matches the IPv4 and IPv6 addresses of all network interfaces on the system.

localnets

Matches any host on an IPv4 or IPv6 network for which the system has an interface. Some systems do not provide a way to determine the prefix lengths of local IPv6 addresses. In such a case, localnets only matches the local IPv6 addresses, just like localhost.

controls Statement Grammar

controls {
    [ inet ( ip_addr | * ) [ port ip_port ] allow {  address_match_list  }
                 keys { key_list }; ]
    [ inet ...; ]
    [ unix path perm number owner number group number keys { key_list }; ]
    [ unix ...; ]
 };

controls Statement Definition and Usage

The controls statement declares control channels to be used by system administrators to control the operation of the name server. These control channels are used by the rndc utility to send commands to and retrieve non-DNS results from a name server.

An inet control channel is a TCP socket listening at the specified ip_port on the specified ip_addr, which can be an IPv4 or IPv6 address. An ip_addr of * (asterisk) is interpreted as the IPv4 wildcard address; connections will be accepted on any of the system's IPv4 addresses. To listen on the IPv6 wildcard address, use an ip_addr of ::. If you will only use rndc on the local host, using the loopback address (127.0.0.1 or ::1) is recommended for maximum security.

If no port is specified, port 953 is used. The asterisk "*" cannot be used for ip_port.

The ability to issue commands over the control channel is restricted by the allow and keys clauses. Connections to the control channel are permitted based on the address_match_list. This is for simple IP address based filtering only; any key_id elements of the address_match_list are ignored.

A unix control channel is a UNIX domain socket listening at the specified path in the file system. Access to the socket is specified by the perm, owner and group clauses. Note on some platforms (SunOS and Solaris) the permissions (perm) are applied to the parent directory as the permissions on the socket itself are ignored.

The primary authorization mechanism of the command channel is the key_list, which contains a list of key_ids. Each key_id in the key_list is authorized to execute commands over the control channel. See Remote Name Daemon Control application in the section called “Administrative Tools”) for information about configuring keys in rndc.

If no controls statement is present, named will set up a default control channel listening on the loopback address 127.0.0.1 and its IPv6 counterpart ::1. In this case, and also when the controls statement is present but does not have a keys clause, named will attempt to load the command channel key from the file rndc.key in /etc (or whatever sysconfdir was specified as when BIND was built). To create a rndc.key file, run rndc-confgen -a.

The rndc.key feature was created to ease the transition of systems from BIND 8, which did not have digital signatures on its command channel messages and thus did not have a keys clause. It makes it possible to use an existing BIND 8 configuration file in BIND 9 unchanged, and still have rndc work the same way ndc worked in BIND 8, simply by executing the command rndc-confgen -a after BIND 9 is installed.

Since the rndc.key feature is only intended to allow the backward-compatible usage of BIND 8 configuration files, this feature does not have a high degree of configurability. You cannot easily change the key name or the size of the secret, so you should make a rndc.conf with your own key if you wish to change those things. The rndc.key file also has its permissions set such that only the owner of the file (the user that named is running as) can access it. If you desire greater flexibility in allowing other users to access rndc commands, then you need to create a rndc.conf file and make it group readable by a group that contains the users who should have access.

To disable the command channel, use an empty controls statement: controls { };.

include Statement Grammar

include filename;

include Statement Definition and Usage

The include statement inserts the specified file at the point where the include statement is encountered. The include statement facilitates the administration of configuration files by permitting the reading or writing of some things but not others. For example, the statement could include private keys that are readable only by the name server.

key Statement Grammar

key key_id {
     algorithm string;
     secret string;
 };

key Statement Definition and Usage

The key statement defines a shared secret key for use with TSIG (see the section called “TSIG”) or the command channel (see the section called “controls Statement Definition and Usage”).

The key statement can occur at the top level of the configuration file or inside a view statement. Keys defined in top-level key statements can be used in all views. Keys intended for use in a controls statement (see the section called “controls Statement Definition and Usage”) must be defined at the top level.

The key_id, also known as the key name, is a domain name uniquely identifying the key. It can be used in a server statement to cause requests sent to that server to be signed with this key, or in address match lists to verify that incoming requests have been signed with a key matching this name, algorithm, and secret.

The algorithm_id is a string that specifies a security/authentication algorithm. Named supports hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 and hmac-sha512 TSIG authentication. Truncated hashes are supported by appending the minimum number of required bits preceded by a dash, e.g. hmac-sha1-80. The secret_string is the secret to be used by the algorithm, and is treated as a base-64 encoded string.

logging Statement Grammar

logging {
    [ channel channel_name {
      ( file path_name
          [ versions ( number | unlimited ) ]
          [ size size spec ]
        | syslog syslog_facility
        | stderr
        | null );
      [ severity (critical | error | warning | notice |
                  info | debug [ level ] | dynamic ); ]
      [ print-category yes or no; ]
      [ print-severity yes or no; ]
      [ print-time yes or no; ]
    }; ]
    [ category category_name {
      channel_name ; [ channel_name ; ... ]
    }; ]
    ...
 };

logging Statement Definition and Usage

The logging statement configures a wide variety of logging options for the name server. Its channel phrase associates output methods, format options and severity levels with a name that can then be used with the category phrase to select how various classes of messages are logged.

Only one logging statement is used to define as many channels and categories as are wanted. If there is no logging statement, the logging configuration will be: 

logging {
      category default { default_syslog; default_debug; };
      category unmatched { null; };
 };

In BIND 9, the logging configuration is only established when the entire configuration file has been parsed. In BIND 8, it was established as soon as the logging statement was parsed. When the server is starting up, all logging messages regarding syntax errors in the configuration file go to the default channels, or to standard error if the "-g" option was specified.

The channel Phrase

All log output goes to one or more channels; you can make as many of them as you want.

Every channel definition must include a destination clause that says whether messages selected for the channel go to a file, to a particular syslog facility, to the standard error stream, or are discarded. It can optionally also limit the message severity level that will be accepted by the channel (the default is info), and whether to include a named-generated time stamp, the category name and/or severity level (the default is not to include any).

The null destination clause causes all messages sent to the channel to be discarded; in that case, other options for the channel are meaningless.

The file destination clause directs the channel to a disk file. It can include limitations both on how large the file is allowed to become, and how many versions of the file will be saved each time the file is opened.

If you use the versions log file option, then named will retain that many backup versions of the file by renaming them when opening. For example, if you choose to keep three old versions of the file lamers.log, then just before it is opened lamers.log.1 is renamed to lamers.log.2, lamers.log.0 is renamed to lamers.log.1, and lamers.log is renamed to lamers.log.0. You can say versions unlimited to not limit the number of versions. If a size option is associated with the log file, then renaming is only done when the file being opened exceeds the indicated size. No backup versions are kept by default; any existing log file is simply appended.

The size option for files is used to limit log growth. If the file ever exceeds the size, then named will stop writing to the file unless it has a versions option associated with it. If backup versions are kept, the files are rolled as described above and a new one begun. If there is no versions option, no more data will be written to the log until some out-of-band mechanism removes or truncates the log to less than the maximum size. The default behavior is not to limit the size of the file.

Example usage of the size and versions options: 

channel an_example_channel {
     file "example.log" versions 3 size 20m;
     print-time yes;
     print-category yes;
 };

The syslog destination clause directs the channel to the system log. Its argument is a syslog facility as described in the syslog man page. Known facilities are kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, authpriv, ftp, local0, local1, local2, local3, local4, local5, local6 and local7, however not all facilities are supported on all operating systems. How syslog will handle messages sent to this facility is described in the syslog.conf man page. If you have a system which uses a very old version of syslog that only uses two arguments to the openlog() function, then this clause is silently ignored.

The severity clause works like syslog's "priorities", except that they can also be used if you are writing straight to a file rather than using syslog. Messages which are not at least of the severity level given will not be selected for the channel; messages of higher severity levels will be accepted.

If you are using syslog, then the syslog.conf priorities will also determine what eventually passes through. For example, defining a channel facility and severity as daemon and debug but only logging daemon.warning via syslog.conf will cause messages of severity info and notice to be dropped. If the situation were reversed, with named writing messages of only warning or higher, then syslogd would print all messages it received from the channel.

The stderr destination clause directs the channel to the server's standard error stream. This is intended for use when the server is running as a foreground process, for example when debugging a configuration.

The server can supply extensive debugging information when it is in debugging mode. If the server's global debug level is greater than zero, then debugging mode will be active. The global debug level is set either by starting the named server with the -d flag followed by a positive integer, or by running rndc trace. The global debug level can be set to zero, and debugging mode turned off, by running rndc notrace. All debugging messages in the server have a debug level, and higher debug levels give more detailed output. Channels that specify a specific debug severity, for example: 

channel specific_debug_level {
     file "foo";
     severity debug 3;
 };

will get debugging output of level 3 or less any time the server is in debugging mode, regardless of the global debugging level. Channels with dynamic severity use the server's global debug level to determine what messages to print.

If print-time has been turned on, then the date and time will be logged. print-time may be specified for a syslog channel, but is usually pointless since syslog also logs the date and time. If print-category is requested, then the category of the message will be logged as well. Finally, if print-severity is on, then the severity level of the message will be logged. The print- options may be used in any combination, and will always be printed in the following order: time, category, severity. Here is an example where all three print- options are on:

28-Feb-2000 15:05:32.863 general: notice: running

There are four predefined channels that are used for named's default logging as follows. How they are used is described in the section called “The category Phrase”. 

channel default_syslog {
     syslog daemon;                      // send to syslog's daemon
                                         // facility
     severity info;                      // only send priority info
                                         // and higher
 };
 
 channel default_debug {
     file "named.run";                   // write to named.run in
                                         // the working directory
                                         // Note: stderr is used instead
                                         // of "named.run"
                                         // if the server is started
                                         // with the '-f' option.
     severity dynamic;                   // log at the server's
                                         // current debug level
 };
 
 channel default_stderr {
     stderr;                             // writes to stderr
     severity info;                      // only send priority info
                                         // and higher
 };
 
 channel null {
    null;                                // toss anything sent to
                                         // this channel
 };

The default_debug channel has the special property that it only produces output when the server's debug level is nonzero. It normally writes to a file called named.run in the server's working directory.

For security reasons, when the "-u" command line option is used, the named.run file is created only after named has changed to the new UID, and any debug output generated while named is starting up and still running as root is discarded. If you need to capture this output, you must run the server with the "-g" option and redirect standard error to a file.

Once a channel is defined, it cannot be redefined. Thus you cannot alter the built-in channels directly, but you can modify the default logging by pointing categories at channels you have defined.

The category Phrase

There are many categories, so you can send the logs you want to see wherever you want, without seeing logs you don't want. If you don't specify a list of channels for a category, then log messages in that category will be sent to the default category instead. If you don't specify a default category, the following "default default" is used: 

category default { default_syslog; default_debug; };

As an example, let's say you want to log security events to a file, but you also want keep the default logging behavior. You'd specify the following: 

channel my_security_channel {
     file "my_security_file";
     severity info;
 };
 category security {
     my_security_channel;
     default_syslog;
     default_debug;
 };

To discard all messages in a category, specify the null channel: 

category xfer-out { null; };
 category notify { null; };

Following are the available categories and brief descriptions of the types of log information they contain. More categories may be added in future BIND releases.

default

The default category defines the logging options for those categories where no specific configuration has been defined.

general

The catch-all. Many things still aren't classified into categories, and they all end up here.

database

Messages relating to the databases used internally by the name server to store zone and cache data.

security

Approval and denial of requests.

config

Configuration file parsing and processing.

resolver

DNS resolution, such as the recursive lookups performed on behalf of clients by a caching name server.

xfer-in

Zone transfers the server is receiving.

xfer-out

Zone transfers the server is sending.

notify

The NOTIFY protocol.

client

Processing of client requests.

unmatched

Messages that named was unable to determine the class of or for which there was no matching view. A one line summary is also logged to the client category. This category is best sent to a file or stderr, by default it is sent to the null channel.

network

Network operations.

update

Dynamic updates.

update-security

Approval and denial of update requests.

queries

Specify where queries should be logged to.

At startup, specifying the category queries will also enable query logging unless querylog option has been specified.

The query log entry reports the client's IP address and port number, and the query name, class and type. It also reports whether the Recursion Desired flag was set (+ if set, - if not set), if the query was signed (S), EDNS was in use (E), if DO (DNSSEC Ok) was set (D), or if CD (Checking Disabled) was set (C).

client 127.0.0.1#62536: query: www.example.com IN AAAA +SE

client ::1#62537: query: www.example.net IN AAAA -SE

query-errors

Information about queries that resulted in some failure.

dispatch

Dispatching of incoming packets to the server modules where they are to be processed.

dnssec

DNSSEC and TSIG protocol processing.

lame-servers

Lame servers. These are misconfigurations in remote servers, discovered by BIND 9 when trying to query those servers during resolution.

delegation-only

Delegation only. Logs queries that have been forced to NXDOMAIN as the result of a delegation-only zone or a delegation-only in a hint or stub zone declaration.

edns-disabled

Log queries that have been forced to use plain DNS due to timeouts. This is often due to the remote servers not being RFC 1034 compliant (not always returning FORMERR or similar to EDNS queries and other extensions to the DNS when they are not understood). In other words, this is targeted at servers that fail to respond to DNS queries that they don't understand.

Note: the log message can also be due to packet loss. Before reporting servers for non-RFC 1034 compliance they should be re-tested to determine the nature of the non-compliance. This testing should prevent or reduce the number of false-positive reports.

Note: eventually named will have to stop treating such timeouts as due to RFC 1034 non compliance and start treating it as plain packet loss. Falsely classifying packet loss as due to RFC 1034 non compliance impacts on DNSSEC validation which requires EDNS for the DNSSEC records to be returned.

The query-errors Category

The query-errors category is specifically intended for debugging purposes: To identify why and how specific queries result in responses which indicate an error. Messages of this category are therefore only logged with debug levels.

At the debug levels of 1 or higher, each response with the rcode of SERVFAIL is logged as follows:

client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880

This means an error resulting in SERVFAIL was detected at line 3880 of source file query.c. Log messages of this level will particularly help identify the cause of SERVFAIL for an authoritative server.

At the debug levels of 2 or higher, detailed context information of recursive resolutions that resulted in SERVFAIL is logged. The log message will look like as follows:

fetch completed at resolver.c:2970 for www.example.com/A in 30.000183: timed out/success [domain:example.com,referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,badresp:1,adberr:0,findfail:0,valfail:0]

The first part before the colon shows that a recursive resolution for AAAA records of www.example.com completed in 30.000183 seconds and the final result that led to the SERVFAIL was determined at line 2970 of source file resolver.c.

The following part shows the detected final result and the latest result of DNSSEC validation. The latter is always success when no validation attempt is made. In this example, this query resulted in SERVFAIL probably because all name servers are down or unreachable, leading to a timeout in 30 seconds. DNSSEC validation was probably not attempted.

The last part enclosed in square brackets shows statistics information collected for this particular resolution attempt. The domain field shows the deepest zone that the resolver reached; it is the zone where the error was finally detected. The meaning of the other fields is summarized in the following table.

referral

The number of referrals the resolver received throughout the resolution process. In the above example this is 2, which are most likely com and example.com.

restart

The number of cycles that the resolver tried remote servers at the domain zone. In each cycle the resolver sends one query (possibly resending it, depending on the response) to each known name server of the domain zone.

qrysent

The number of queries the resolver sent at the domain zone.

timeout

The number of timeouts since the resolver received the last response.

lame

The number of lame servers the resolver detected at the domain zone. A server is detected to be lame either by an invalid response or as a result of lookup in BIND9's address database (ADB), where lame servers are cached.

neterr

The number of erroneous results that the resolver encountered in sending queries at the domain zone. One common case is the remote server is unreachable and the resolver receives an ICMP unreachable error message.

badresp

The number of unexpected responses (other than lame) to queries sent by the resolver at the domain zone.

adberr

Failures in finding remote server addresses of the domain zone in the ADB. One common case of this is that the remote server's name does not have any address records.

findfail

Failures of resolving remote server addresses. This is a total number of failures throughout the resolution process.

valfail

Failures of DNSSEC validation. Validation failures are counted throughout the resolution process (not limited to the domain zone), but should only happen in domain.

At the debug levels of 3 or higher, the same messages as those at the debug 1 level are logged for other errors than SERVFAIL. Note that negative responses such as NXDOMAIN are not regarded as errors here.

At the debug levels of 4 or higher, the same messages as those at the debug 2 level are logged for other errors than SERVFAIL. Unlike the above case of level 3, messages are logged for negative responses. This is because any unexpected results can be difficult to debug in the recursion case.

lwres Statement Grammar

This is the grammar of the lwres statement in the named.conf file: 

lwres {
     [ listen-on { ip_addr [port ip_port] ; [ ip_addr [port ip_port] ; ... ] }; ]
     [ view view_name; ]
     [ search { domain_name ; [ domain_name ; ... ] }; ]
     [ ndots number; ]
 };

lwres Statement Definition and Usage

The lwres statement configures the name server to also act as a lightweight resolver server. (See the section called “Running a Resolver Daemon”.) There may be multiple lwres statements configuring lightweight resolver servers with different properties.

The listen-on statement specifies a list of addresses (and ports) that this instance of a lightweight resolver daemon should accept requests on. If no port is specified, port 921 is used. If this statement is omitted, requests will be accepted on 127.0.0.1, port 921.

The view statement binds this instance of a lightweight resolver daemon to a view in the DNS namespace, so that the response will be constructed in the same manner as a normal DNS query matching this view. If this statement is omitted, the default view is used, and if there is no default view, an error is triggered.

The search statement is equivalent to the search statement in /etc/resolv.conf. It provides a list of domains which are appended to relative names in queries.

The ndots statement is equivalent to the ndots statement in /etc/resolv.conf. It indicates the minimum number of dots in a relative domain name that should result in an exact match lookup before search path elements are appended.

masters Statement Grammar

 masters name [port ip_port] { ( masters_list | ip_addr [port ip_port] [key key] ) ; [...] };

masters Statement Definition and Usage

masters lists allow for a common set of masters to be easily used by multiple stub and slave zones.

options Statement Grammar

This is the grammar of the options statement in the named.conf file: 

options {
     [ version version_string; ]
     [ hostname hostname_string; ]
     [ server-id server_id_string; ]
     [ directory path_name; ]
     [ key-directory path_name; ]
     [ named-xfer path_name; ]
     [ tkey-gssapi-credential principal; ]
     [ tkey-domain domainname; ]
     [ tkey-dhkey key_name key_tag; ]
     [ cache-file path_name; ]
     [ dump-file path_name; ]
     [ memstatistics yes_or_no; ]
     [ memstatistics-file path_name; ]
     [ pid-file path_name; ]
     [ recursing-file path_name; ]
     [ statistics-file path_name; ]
     [ zone-statistics yes_or_no; ]
     [ auth-nxdomain yes_or_no; ]
     [ deallocate-on-exit yes_or_no; ]
     [ dialup dialup_option; ]
     [ fake-iquery yes_or_no; ]
     [ fetch-glue yes_or_no; ]
     [ flush-zones-on-shutdown yes_or_no; ]
     [ has-old-clients yes_or_no; ]
     [ host-statistics yes_or_no; ]
     [ host-statistics-max number; ]
     [ minimal-responses yes_or_no; ]
     [ multiple-cnames yes_or_no; ]
     [ notify yes_or_no | explicit | master-only; ]
     [ recursion yes_or_no; ]
     [ rfc2308-type1 yes_or_no; ]
     [ use-id-pool yes_or_no; ]
     [ maintain-ixfr-base yes_or_no; ]
     [ ixfr-from-differences (yes_or_no | master | slave); ]
     [ dnssec-enable yes_or_no; ]
     [ dnssec-validation yes_or_no; ]
     [ dnssec-lookaside domain trust-anchor domain; ]
     [ dnssec-must-be-secure domain yes_or_no; ]
     [ dnssec-accept-expired yes_or_no; ]
     [ forward ( only | first ); ]
     [ forwarders { [ ip_addr [port ip_port] ; ... ] }; ]
     [ dual-stack-servers [port ip_port] {
         ( domain_name [port ip_port] |
           ip_addr [port ip_port] ) ; 
         ... }; ]
     [ check-names ( master | slave | response )
         ( warn | fail | ignore ); ]
     [ check-mx ( warn | fail | ignore ); ]
     [ check-wildcard yes_or_no; ]
     [ check-integrity yes_or_no; ]
     [ check-mx-cname ( warn | fail | ignore ); ]
     [ check-srv-cname ( warn | fail | ignore ); ]
     [ check-sibling yes_or_no; ]
     [ allow-notify { address_match_list }; ]
     [ allow-query { address_match_list }; ]
     [ allow-query-on { address_match_list }; ]
     [ allow-query-cache { address_match_list }; ]
     [ allow-query-cache-on { address_match_list }; ]
     [ allow-transfer { address_match_list }; ]
     [ allow-recursion { address_match_list }; ]
     [ allow-recursion-on { address_match_list }; ]
     [ allow-update { address_match_list }; ]
     [ allow-update-forwarding { address_match_list }; ]
     [ update-check-ksk yes_or_no; ]
     [ try-tcp-refresh yes_or_no; ]
     [ allow-v6-synthesis { address_match_list }; ]
     [ blackhole { address_match_list }; ]
     [ use-v4-udp-ports { port_list }; ]
     [ avoid-v4-udp-ports { port_list }; ]
     [ use-v6-udp-ports { port_list }; ]
     [ avoid-v6-udp-ports { port_list }; ]
     [ listen-on [ port ip_port ] { address_match_list }; ]
     [ listen-on-v6 [ port ip_port ] { address_match_list }; ]
     [ query-source ( ( ip4_addr | * )
         [ port ( ip_port | * ) ] |
         [ address ( ip4_addr | * ) ]
         [ port ( ip_port | * ) ] ) ; ]
     [ query-source-v6 ( ( ip6_addr | * )
         [ port ( ip_port | * ) ] | 
         [ address ( ip6_addr | * ) ] 
         [ port ( ip_port | * ) ] ) ; ]
     [ use-queryport-pool yes_or_no; ]
     [ queryport-pool-ports number; ]
     [ queryport-pool-updateinterval number; ]
     [ max-transfer-time-in number; ]
     [ max-transfer-time-out number; ]
     [ max-transfer-idle-in number; ]
     [ max-transfer-idle-out number; ]
     [ tcp-clients number; ]
     [ reserved-sockets number; ]
     [ recursive-clients number; ]
     [ serial-query-rate number; ]
     [ serial-queries number; ]
     [ tcp-listen-queue number; ]
     [ transfer-format ( one-answer | many-answers ); ]
     [ transfers-in  number; ]
     [ transfers-out number; ]
     [ transfers-per-ns number; ]
     [ transfer-source (ip4_addr | *) [port ip_port] ; ]
     [ transfer-source-v6 (ip6_addr | *) [port ip_port] ; ]
     [ alt-transfer-source (ip4_addr | *) [port ip_port] ; ]
     [ alt-transfer-source-v6 (ip6_addr | *) [port ip_port] ; ]
     [ use-alt-transfer-source yes_or_no; ]
     [ notify-delay seconds ; ]
     [ notify-source (ip4_addr | *) [port ip_port] ; ]
     [ notify-source-v6 (ip6_addr | *) [port ip_port] ; ]
     [ notify-to-soa yes_or_no ; ]
     [ also-notify { ip_addr [port ip_port] ; [ ip_addr [port ip_port] ; ... ] }; ]
     [ max-ixfr-log-size number; ]
     [ max-journal-size size_spec; ]
     [ coresize size_spec ; ]
     [ datasize size_spec ; ]
     [ files size_spec ; ]
     [ stacksize size_spec ; ]
     [ cleaning-interval number; ]
     [ heartbeat-interval number; ]
     [ interface-interval number; ]
     [ statistics-interval number; ]
     [ topology { address_match_list }];
     [ sortlist { address_match_list }];
     [ rrset-order { order_spec ; [ order_spec ; ... ] ] };
     [ lame-ttl number; ]
     [ max-ncache-ttl number; ]
     [ max-cache-ttl number; ]
     [ sig-validity-interval number [number] ; ]
     [ sig-signing-nodes number ; ]
     [ sig-signing-signatures number ; ]
     [ sig-signing-type number ; ]
     [ min-roots number; ]
     [ use-ixfr yes_or_no ; ]
     [ provide-ixfr yes_or_no; ]
     [ request-ixfr yes_or_no; ]
     [ treat-cr-as-space yes_or_no ; ]
     [ min-refresh-time number ; ]
     [ max-refresh-time number ; ]
     [ min-retry-time number ; ]
     [ max-retry-time number ; ]
     [ port ip_port; ]
     [ additional-from-auth yes_or_no ; ]
     [ additional-from-cache yes_or_no ; ]
     [ random-device path_name ; ]
     [ max-cache-size size_spec ; ]
     [ match-mapped-addresses yes_or_no; ]
     [ preferred-glue ( A | AAAA | NONE ); ]
     [ edns-udp-size number; ]
     [ max-udp-size number; ]
     [ root-delegation-only [ exclude { namelist } ] ; ]
     [ querylog yes_or_no ; ]
     [ disable-algorithms domain { algorithm; [ algorithm; ] }; ]
     [ acache-enable yes_or_no ; ]
     [ acache-cleaning-interval number; ]
     [ max-acache-size size_spec ; ]
     [ clients-per-query number ; ]
     [ max-clients-per-query number ; ]
     [ masterfile-format (text|raw) ; ]
     [ empty-server name ; ]
     [ empty-contact name ; ]
     [ empty-zones-enable yes_or_no ; ]
     [ disable-empty-zone zone_name ; ]
     [ zero-no-soa-ttl yes_or_no ; ]
     [ zero-no-soa-ttl-cache yes_or_no ; ]
 };

options Statement Definition and Usage

The options statement sets up global options to be used by BIND. This statement may appear only once in a configuration file. If there is no options statement, an options block with each option set to its default will be used.

directory

The working directory of the server. Any non-absolute pathnames in the configuration file will be taken as relative to this directory. The default location for most server output files (e.g. named.run) is this directory. If a directory is not specified, the working directory defaults to `.', the directory from which the server was started. The directory specified should be an absolute path.

key-directory

When performing dynamic update of secure zones, the directory where the public and private DNSSEC key files should be found, if different than the current working directory. The directory specified must be an absolute path. (Note that this option has no effect on the paths for files containing non-DNSSEC keys such as the rndc.key.

named-xfer

This option is obsolete. It was used in BIND 8 to specify the pathname to the named-xfer program. In BIND 9, no separate named-xfer program is needed; its functionality is built into the name server.

tkey-gssapi-credential

The security credential with which the server should authenticate keys requested by the GSS-TSIG protocol. Currently only Kerberos 5 authentication is available and the credential is a Kerberos principal which the server can acquire through the default system key file, normally /etc/krb5.keytab. Normally this principal is of the form "dns/server.domain". To use GSS-TSIG, tkey-domain must also be set.

tkey-domain

The domain appended to the names of all shared keys generated with TKEY. When a client requests a TKEY exchange, it may or may not specify the desired name for the key. If present, the name of the shared key will be client specified part + tkey-domain. Otherwise, the name of the shared key will be random hex digits + tkey-domain. In most cases, the domainname should be the server's domain name, or an otherwise non-existent subdomain like "_tkey.domainname". If you are using GSS-TSIG, this variable must be defined.

tkey-dhkey

The Diffie-Hellman key used by the server to generate shared keys with clients using the Diffie-Hellman mode of TKEY. The server must be able to load the public and private keys from files in the working directory. In most cases, the keyname should be the server's host name.

cache-file

This is for testing only. Do not use.

dump-file

The pathname of the file the server dumps the database to when instructed to do so with rndc dumpdb. If not specified, the default is named_dump.db.

memstatistics-file

The pathname of the file the server writes memory usage statistics to on exit. If not specified, the default is named.memstats.

pid-file

The pathname of the file the server writes its process ID in. If not specified, the default is /var/run/named/named.pid. The PID file is used by programs that want to send signals to the running name server. Specifying pid-file none disables the use of a PID file — no file will be written and any existing one will be removed. Note that none is a keyword, not a filename, and therefore is not enclosed in double quotes.

recursing-file

The pathname of the file the server dumps the queries that are currently recursing when instructed to do so with rndc recursing. If not specified, the default is named.recursing.

statistics-file

The pathname of the file the server appends statistics to when instructed to do so using rndc stats. If not specified, the default is named.stats in the server's current directory. The format of the file is described in the section called “The Statistics File”.

port

The UDP/TCP port number the server uses for receiving and sending DNS protocol traffic. The default is 53. This option is mainly intended for server testing; a server using a port other than 53 will not be able to communicate with the global DNS.

random-device

The source of entropy to be used by the server. Entropy is primarily needed for DNSSEC operations, such as TKEY transactions and dynamic update of signed zones. This options specifies the device (or file) from which to read entropy. If this is a file, operations requiring entropy will fail when the file has been exhausted. If not specified, the default value is /dev/random (or equivalent) when present, and none otherwise. The random-device option takes effect during the initial configuration load at server startup time and is ignored on subsequent reloads.

preferred-glue

If specified, the listed type (A or AAAA) will be emitted before other glue in the additional section of a query response. The default is not to prefer any type (NONE).

root-delegation-only

Turn on enforcement of delegation-only in TLDs (top level domains) and root zones with an optional exclude list.

DS queries are expected to be made to and be answered by delegation only zones. Such queries and responses are treated as a exception to delegation-only processing and are not converted to NXDOMAIN responses provided a CNAME is not discovered at the query name.

If a delegation only zone server also serves a child zone it is not always possible to determine whether a answer comes from the delegation only zone or the child zone. SOA NS and DNSKEY records are apex only records and a matching response that contains these records or DS is treated as coming from a child zone. RRSIG records are also examined to see if they are signed by a child zone or not. The authority section is also examined to see if there is evidence that the answer is from the child zone. Answers that are determined to be from a child zone are not converted to NXDOMAIN responses. Despite all these checks there is still a possibility of false negatives when a child zone is being served.

Similarly false positives can arise from empty nodes (no records at the name) in the delegation only zone when the query type is not ANY.

Note some TLDs are not delegation only (e.g. "DE", "LV", "US" and "MUSEUM"). This list is not exhaustive. 

 options {
         root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
 };
disable-algorithms

Disable the specified DNSSEC algorithms at and below the specified name. Multiple disable-algorithms statements are allowed. Only the most specific will be applied.

dnssec-lookaside

When set, dnssec-lookaside provides the validator with an alternate method to validate DNSKEY records at the top of a zone. When a DNSKEY is at or below a domain specified by the deepest dnssec-lookaside, and the normal DNSSEC validation has left the key untrusted, the trust-anchor will be append to the key name and a DLV record will be looked up to see if it can validate the key. If the DLV record validates a DNSKEY (similarly to the way a DS record does) the DNSKEY RRset is deemed to be trusted.

dnssec-must-be-secure

Specify hierarchies which must be or may not be secure (signed and validated). If yes, then named will only accept answers if they are secure. If no, then normal DNSSEC validation applies allowing for insecure answers to be accepted. The specified domain must be under a trusted-key or dnssec-lookaside must be active.

Boolean Options

auth-nxdomain

If yes, then the AA bit is always set on NXDOMAIN responses, even if the server is not actually authoritative. The default is no; this is a change from BIND 8. If you are using very old DNS software, you may need to set it to yes.

deallocate-on-exit

This option was used in BIND 8 to enable checking for memory leaks on exit. BIND 9 ignores the option and always performs the checks.

memstatistics

Write memory statistics to the file specified by memstatistics-file at exit. The default is no unless '-m record' is specified on the command line in which case it is yes.

dialup

If yes, then the server treats all zones as if they are doing zone transfers across a dial-on-demand dialup link, which can be brought up by traffic originating from this server. This has different effects according to zone type and concentrates the zone maintenance so that it all happens in a short interval, once every heartbeat-interval and hopefully during the one call. It also suppresses some of the normal zone maintenance traffic. The default is no.

The dialup option may also be specified in the view and zone statements, in which case it overrides the global dialup option.

If the zone is a master zone, then the server will send out a NOTIFY request to all the slaves (default). This should trigger the zone serial number check in the slave (providing it supports NOTIFY) allowing the slave to verify the zone while the connection is active. The set of servers to which NOTIFY is sent can be controlled by notify and also-notify.

If the zone is a slave or stub zone, then the server will suppress the regular "zone up to date" (refresh) queries and only perform them when the heartbeat-interval expires in addition to sending NOTIFY requests.

Finer control can be achieved by using notify which only sends NOTIFY messages, notify-passive which sends NOTIFY messages and suppresses the normal refresh queries, refresh which suppresses normal refresh processing and sends refresh queries when the heartbeat-interval expires, and passive which just disables normal refresh processing.

dialup mode

normal refresh

heart-beat refresh

heart-beat notify

no (default)

yes

no

no

yes

no

yes

yes

notify

yes

no

yes

refresh

no

yes

no

passive

no

no

no

notify-passive

no

no

yes

Note that normal NOTIFY processing is not affected by dialup.

fake-iquery

In BIND 8, this option enabled simulating the obsolete DNS query type IQUERY. BIND 9 never does IQUERY simulation.

fetch-glue

This option is obsolete. In BIND 8, fetch-glue yes caused the server to attempt to fetch glue resource records it didn't have when constructing the additional data section of a response. This is now considered a bad idea and BIND 9 never does it.

flush-zones-on-shutdown

When the nameserver exits due receiving SIGTERM, flush or do not flush any pending zone writes. The default is flush-zones-on-shutdown no.

has-old-clients

This option was incorrectly implemented in BIND 8, and is ignored by BIND 9. To achieve the intended effect of has-old-clients yes, specify the two separate options auth-nxdomain yes and rfc2308-type1 no instead.

host-statistics

In BIND 8, this enables keeping of statistics for every host that the name server interacts with. Not implemented in BIND 9.

maintain-ixfr-base

This option is obsolete. It was used in BIND 8 to determine whether a transaction log was kept for Incremental Zone Transfer. BIND 9 maintains a transaction log whenever possible. If you need to disable outgoing incremental zone transfers, use provide-ixfr no.

minimal-responses

If yes, then when generating responses the server will only add records to the authority and additional data sections when they are required (e.g. delegations, negative responses). This may improve the performance of the server. The default is no.

multiple-cnames

This option was used in BIND 8 to allow a domain name to have multiple CNAME records in violation of the DNS standards. BIND 9.2 onwards always strictly enforces the CNAME rules both in master files and dynamic updates.

notify

If yes (the default), DNS NOTIFY messages are sent when a zone the server is authoritative for changes, see the section called “Notify”. The messages are sent to the servers listed in the zone's NS records (except the master server identified in the SOA MNAME field), and to any servers listed in the also-notify option.

If master-only, notifies are only sent for master zones. If explicit, notifies are sent only to servers explicitly listed using also-notify. If no, no notifies are sent.

The notify option may also be specified in the zone statement, in which case it overrides the options notify statement. It would only be necessary to turn off this option if it caused slaves to crash.

notify-to-soa

If yes do not check the nameservers in the NS RRset against the SOA MNAME. Normally a NOTIFY message is not sent to the SOA MNAME (SOA ORIGIN) as it is supposed to contain the name of the ultimate master. Sometimes, however, a slave is listed as the SOA MNAME in hidden master configurations and in that case you would want the ultimate master to still send NOTIFY messages to all the nameservers listed in the NS RRset.

recursion

If yes, and a DNS query requests recursion, then the server will attempt to do all the work required to answer the query. If recursion is off and the server does not already know the answer, it will return a referral response. The default is yes. Note that setting recursion no does not prevent clients from getting data from the server's cache; it only prevents new data from being cached as an effect of client queries. Caching may still occur as an effect the server's internal operation, such as NOTIFY address lookups. See also fetch-glue above.

rfc2308-type1

Setting this to yes will cause the server to send NS records along with the SOA record for negative answers. The default is no.

Note

Not yet implemented in BIND 9.

use-id-pool

This option is obsolete. BIND 9 always allocates query IDs from a pool.

zone-statistics

If yes, the server will collect statistical data on all zones (unless specifically turned off on a per-zone basis by specifying zone-statistics no in the zone statement). These statistics may be accessed using rndc stats, which will dump them to the file listed in the statistics-file. See also the section called “The Statistics File”.

use-ixfr

This option is obsolete. If you need to disable IXFR to a particular server or servers, see the information on the provide-ixfr option in the section called “server Statement Definition and Usage”. See also the section called “Incremental Zone Transfers (IXFR)”.

provide-ixfr

See the description of provide-ixfr in the section called “server Statement Definition and Usage”.

request-ixfr

See the description of request-ixfr in the section called “server Statement Definition and Usage”.

treat-cr-as-space

This option was used in BIND 8 to make the server treat carriage return ("\r") characters the same way as a space or tab character, to facilitate loading of zone files on a UNIX system that were generated on an NT or DOS machine. In BIND 9, both UNIX "\n" and NT/DOS "\r\n" newlines are always accepted, and the option is ignored.

additional-from-auth, additional-from-cache

These options control the behavior of an authoritative server when answering queries which have additional data, or when following CNAME and DNAME chains.

When both of these options are set to yes (the default) and a query is being answered from authoritative data (a zone configured into the server), the additional data section of the reply will be filled in using data from other authoritative zones and from the cache. In some situations this is undesirable, such as when there is concern over the correctness of the cache, or in servers where slave zones may be added and modified by untrusted third parties. Also, avoiding the search for this additional data will speed up server operations at the possible expense of additional queries to resolve what would otherwise be provided in the additional section.

For example, if a query asks for an MX record for host foo.example.com, and the record found is "MX 10 mail.example.net", normally the address records (A and AAAA) for mail.example.net will be provided as well, if known, even though they are not in the example.com zone. Setting these options to no disables this behavior and makes the server only search for additional data in the zone it answers from.

These options are intended for use in authoritative-only servers, or in authoritative-only views. Attempts to set them to no without also specifying recursion no will cause the server to ignore the options and log a warning message.

Specifying additional-from-cache no actually disables the use of the cache not only for additional data lookups but also when looking up the answer. This is usually the desired behavior in an authoritative-only server where the correctness of the cached data is an issue.

When a name server is non-recursively queried for a name that is not below the apex of any served zone, it normally answers with an "upwards referral" to the root servers or the servers of some other known parent of the query name. Since the data in an upwards referral comes from the cache, the server will not be able to provide upwards referrals when additional-from-cache no has been specified. Instead, it will respond to such queries with REFUSED. This should not cause any problems since upwards referrals are not required for the resolution process.

match-mapped-addresses

If yes, then an IPv4-mapped IPv6 address will match any address match list entries that match the corresponding IPv4 address.

This option was introduced to work around a kernel quirk in some operating systems that causes IPv4 TCP connections, such as zone transfers, to be accepted on an IPv6 socket using mapped addresses. This caused address match lists designed for IPv4 to fail to match. However, named now solves this problem internally. The use of this option is discouraged.

ixfr-from-differences

When yes and the server loads a new version of a master zone from its zone file or receives a new version of a slave file by a non-incremental zone transfer, it will compare the new version to the previous one and calculate a set of differences. The differences are then logged in the zone's journal file such that the changes can be transmitted to downstream slaves as an incremental zone transfer.

By allowing incremental zone transfers to be used for non-dynamic zones, this option saves bandwidth at the expense of increased CPU and memory consumption at the master. In particular, if the new version of a zone is completely different from the previous one, the set of differences will be of a size comparable to the combined size of the old and new zone version, and the server will need to temporarily allocate memory to hold this complete difference set.

ixfr-from-differences also accepts master and slave at the view and options levels which causes ixfr-from-differences to be enabled for all master or slave zones respectively. It is off by default.

multi-master

This should be set when you have multiple masters for a zone and the addresses refer to different machines. If yes, named will not log when the serial number on the master is less than what named currently has. The default is no.

dnssec-enable

Enable DNSSEC support in named. Unless set to yes, named behaves as if it does not support DNSSEC. The default is yes.

dnssec-validation

Enable DNSSEC validation in named. Note dnssec-enable also needs to be set to yes to be effective. The default is yes.

dnssec-accept-expired

Accept expired signatures when verifying DNSSEC signatures. The default is no. Setting this option to "yes" leaves named vulnerable to replay attacks.

querylog

Specify whether query logging should be started when named starts. If querylog is not specified, then the query logging is determined by the presence of the logging category queries.

check-names

This option is used to restrict the character set and syntax of certain domain names in master files and/or DNS responses received from the network. The default varies according to usage area. For master zones the default is fail. For slave zones the default is warn. For answers received from the network (response) the default is ignore.

The rules for legal hostnames and mail domains are derived from RFC 952 and RFC 821 as modified by RFC 1123.

check-names applies to the owner names of A, AAAA and MX records. It also applies to the domain names in the RDATA of NS, SOA, MX, and SRV records. It also applies to the RDATA of PTR records where the owner name indicated that it is a reverse lookup of a hostname (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).

check-mx

Check whether the MX record appears to refer to a IP address. The default is to warn. Other possible values are fail and ignore.

check-wildcard

This option is used to check for non-terminal wildcards. The use of non-terminal wildcards is almost always as a result of a failure to understand the wildcard matching algorithm (RFC 1034). This option affects master zones. The default (yes) is to check for non-terminal wildcards and issue a warning.

check-integrity

Perform post load zone integrity checks on master zones. This checks that MX and SRV records refer to address (A or AAAA) records and that glue address records exist for delegated zones. For MX and SRV records only in-zone hostnames are checked (for out-of-zone hostnames use named-checkzone). For NS records only names below top of zone are checked (for out-of-zone names and glue consistency checks use named-checkzone). The default is yes.

check-mx-cname

If check-integrity is set then fail, warn or ignore MX records that refer to CNAMES. The default is to warn.

check-srv-cname

If check-integrity is set then fail, warn or ignore SRV records that refer to CNAMES. The default is to warn.

check-sibling

When performing integrity checks, also check that sibling glue exists. The default is yes.

zero-no-soa-ttl

When returning authoritative negative responses to SOA queries set the TTL of the SOA record returned in the authority section to zero. The default is yes.

zero-no-soa-ttl-cache

When caching a negative response to a SOA query set the TTL to zero. The default is no.

update-check-ksk

When regenerating the RRSIGs following a UPDATE request to a secure zone, check the KSK flag on the DNSKEY RR to determine if this key should be used to generate the RRSIG. This flag is ignored if there are not DNSKEY RRs both with and without a KSK. The default is yes.

try-tcp-refresh

Try to refresh the zone using TCP if UDP queries fail. For BIND 8 compatibility, the default is yes.

Forwarding

The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external name servers. It can also be used to allow queries by servers that do not have direct access to the Internet, but wish to look up exterior names anyway. Forwarding occurs only on those queries for which the server is not authoritative and does not have the answer in its cache.

forward

This option is only meaningful if the forwarders list is not empty. A value of first, the default, causes the server to query the forwarders first — and if that doesn't answer the question, the server will then look for the answer itself. If only is specified, the server will only query the forwarders.

forwarders

Specifies the IP addresses to be used for forwarding. The default is the empty list (no forwarding).

Forwarding can also be configured on a per-domain basis, allowing for the global forwarding options to be overridden in a variety of ways. You can set particular domains to use different forwarders, or have a different forward only/first behavior, or not forward at all, see the section called “zone Statement Grammar”.

Dual-stack Servers

Dual-stack servers are used as servers of last resort to work around problems in reachability due the lack of support for either IPv4 or IPv6 on the host machine.

dual-stack-servers

Specifies host names or addresses of machines with access to both IPv4 and IPv6 transports. If a hostname is used, the server must be able to resolve the name using only the transport it has. If the machine is dual stacked, then the dual-stack-servers have no effect unless access to a transport has been disabled on the command line (e.g. named -4).

Access Control

Access to the server can be restricted based on the IP address of the requesting system. See the section called “Address Match Lists” for details on how to specify IP address lists.

allow-notify

Specifies which hosts are allowed to notify this server, a slave, of zone changes in addition to the zone masters. allow-notify may also be specified in the zone statement, in which case it overrides the options allow-notify statement. It is only meaningful for a slave zone. If not specified, the default is to process notify messages only from a zone's master.

allow-query

Specifies which hosts are allowed to ask ordinary DNS questions. allow-query may also be specified in the zone statement, in which case it overrides the options allow-query statement. If not specified, the default is to allow queries from all hosts.

Note

allow-query-cache is now used to specify access to the cache.

allow-query-on

Specifies which local addresses can accept ordinary DNS questions. This makes it possible, for instance, to allow queries on internal-facing interfaces but disallow them on external-facing ones, without necessarily knowing the internal network's addresses.

allow-query-on may also be specified in the zone statement, in which case it overrides the options allow-query-on statement.

If not specified, the default is to allow queries on all addresses.

Note

allow-query-cache is used to specify access to the cache.

allow-query-cache

Specifies which hosts are allowed to get answers from the cache. If allow-query-cache is not set then allow-recursion is used if set, otherwise allow-query is used if set unless recursion no; is set in which case none; is used, otherwise the default (localnets; localhost;) is used.

allow-query-cache-on

Specifies which local addresses can give answers from the cache. If not specified, the default is to allow cache queries on any address, localnets and localhost.

allow-recursion

Specifies which hosts are allowed to make recursive queries through this server. If allow-recursion is not set then allow-query-cache is used if set, otherwise allow-query is used if set, otherwise the default (localnets; localhost;) is used.

allow-recursion-on

Specifies which local addresses can accept recursive queries. If not specified, the default is to allow recursive queries on all addresses.

allow-update

Specifies which hosts are allowed to submit Dynamic DNS updates for master zones. The default is to deny updates from all hosts. Note that allowing updates based on the requestor's IP address is insecure; see the section called “Dynamic Update Security” for details.

allow-update-forwarding

Specifies which hosts are allowed to submit Dynamic DNS updates to slave zones to be forwarded to the master. The default is { none; }, which means that no update forwarding will be performed. To enable update forwarding, specify allow-update-forwarding { any; };. Specifying values other than { none; } or { any; } is usually counterproductive, since the responsibility for update access control should rest with the master server, not the slaves.

Note that enabling the update forwarding feature on a slave server may expose master servers relying on insecure IP address based access control to attacks; see the section called “Dynamic Update Security” for more details.

allow-v6-synthesis

This option was introduced for the smooth transition from AAAA to A6 and from "nibble labels" to binary labels. However, since both A6 and binary labels were then deprecated, this option was also deprecated. It is now ignored with some warning messages.

allow-transfer

Specifies which hosts are allowed to receive zone transfers from the server. allow-transfer may also be specified in the zone statement, in which case it overrides the options allow-transfer statement. If not specified, the default is to allow transfers to all hosts.

blackhole

Specifies a list of addresses that the server will not accept queries from or use to resolve a query. Queries from these addresses will not be responded to. The default is none.

Interfaces

The interfaces and ports that the server will answer queries from may be specified using the listen-on option. listen-on takes an optional port and an address_match_list. The server will listen on all interfaces allowed by the address match list. If a port is not specified, port 53 will be used.

Multiple listen-on statements are allowed. For example, 

listen-on { 5.6.7.8; };
 listen-on port 1234 { !1.2.3.4; 1.2/16; };

will enable the name server on port 53 for the IP address 5.6.7.8, and on port 1234 of an address on the machine in net 1.2 that is not 1.2.3.4.

If no listen-on is specified, the server will listen on port 53 on all IPv4 interfaces.

The listen-on-v6 option is used to specify the interfaces and the ports on which the server will listen for incoming queries sent using IPv6.

When 

{ any; }

is specified as the address_match_list for the listen-on-v6 option, the server does not bind a separate socket to each IPv6 interface address as it does for IPv4 if the operating system has enough API support for IPv6 (specifically if it conforms to RFC 3493 and RFC 3542). Instead, it listens on the IPv6 wildcard address. If the system only has incomplete API support for IPv6, however, the behavior is the same as that for IPv4.

A list of particular IPv6 addresses can also be specified, in which case the server listens on a separate socket for each specified address, regardless of whether the desired API is supported by the system.

Multiple listen-on-v6 options can be used. For example, 

listen-on-v6 { any; };
 listen-on-v6 port 1234 { !2001:db8::/32; any; };

will enable the name server on port 53 for any IPv6 addresses (with a single wildcard socket), and on port 1234 of IPv6 addresses that is not in the prefix 2001:db8::/32 (with separate sockets for each matched address.)

To make the server not listen on any IPv6 address, use 

listen-on-v6 { none; };

If no listen-on-v6 option is specified, the server will not listen on any IPv6 address unless -6 is specified when named is invoked. If -6 is specified then named will listen on port 53 on all IPv6 interfaces by default.

Query Address

If the server doesn't know the answer to a question, it will query other name servers. query-source specifies the address and port used for such queries. For queries sent over IPv6, there is a separate query-source-v6 option. If address is * (asterisk) or is omitted, a wildcard IP address (INADDR_ANY) will be used.

If port is * or is omitted, a random port number from a pre-configured range is picked up and will be used for each query. The port range(s) is that specified in the use-v4-udp-ports (for IPv4) and use-v6-udp-ports (for IPv6) options, excluding the ranges specified in the avoid-v4-udp-ports and avoid-v6-udp-ports options, respectively.

The defaults of the query-source and query-source-v6 options are: 

query-source address * port *;
 query-source-v6 address * port *;

If use-v4-udp-ports or use-v6-udp-ports is unspecified, named will check if the operating system provides a programming interface to retrieve the system's default range for ephemeral ports. If such an interface is available, named will use the corresponding system default range; otherwise, it will use its own defaults: 

use-v4-udp-ports { range 1024 65535; };
 use-v6-udp-ports { range 1024 65535; };

Note: make sure the ranges be sufficiently large for security. A desirable size depends on various parameters, but we generally recommend it contain at least 16384 ports (14 bits of entropy). Note also that the system's default range when used may be too small for this purpose, and that the range may even be changed while named is running; the new range will automatically be applied when named is reloaded. It is encouraged to configure use-v4-udp-ports and use-v6-udp-ports explicitly so that the ranges are sufficiently large and are reasonably independent from the ranges used by other applications.

Note: the operational configuration where named runs may prohibit the use of some ports. For example, UNIX systems will not allow named running without a root privilege to use ports less than 1024. If such ports are included in the specified (or detected) set of query ports, the corresponding query attempts will fail, resulting in resolution failures or delay. It is therefore important to configure the set of ports that can be safely used in the expected operational environment.

The defaults of the avoid-v4-udp-ports and avoid-v6-udp-ports options are: 

avoid-v4-udp-ports {};
 avoid-v6-udp-ports {};

Note: BIND 9.5.0 introduced the use-queryport-pool option to support a pool of such random ports, but this option is now obsolete because reusing the same ports in the pool may not be sufficiently secure. For the same reason, it is generally strongly discouraged to specify a particular port for the query-source or query-source-v6 options; it implicitly disables the use of randomized port numbers.

use-queryport-pool

This option is obsolete.

queryport-pool-ports

This option is obsolete.

queryport-pool-updateinterval

This option is obsolete.

Note

The address specified in the query-source option is used for both UDP and TCP queries, but the port applies only to UDP queries. TCP queries always use a random unprivileged port.

Note

Solaris 2.5.1 and earlier does not support setting the source address for TCP sockets.

Note

See also transfer-source and notify-source.

Zone Transfers

BIND has mechanisms in place to facilitate zone transfers and set limits on the amount of load that transfers place on the system. The following options apply to zone transfers.

also-notify

Defines a global list of IP addresses of name servers that are also sent NOTIFY messages whenever a fresh copy of the zone is loaded, in addition to the servers listed in the zone's NS records. This helps to ensure that copies of the zones will quickly converge on stealth servers. Optionally, a port may be specified with each also-notify address to send the notify messages to a port other than the default of 53. If an also-notify list is given in a zone statement, it will override the options also-notify statement. When a zone notify statement is set to no, the IP addresses in the global also-notify list will not be sent NOTIFY messages for that zone. The default is the empty list (no global notification list).

max-transfer-time-in

Inbound zone transfers running longer than this many minutes will be terminated. The default is 120 minutes (2 hours). The maximum value is 28 days (40320 minutes).

max-transfer-idle-in

Inbound zone transfers making no progress in this many minutes will be terminated. The default is 60 minutes (1 hour). The maximum value is 28 days (40320 minutes).

max-transfer-time-out

Outbound zone transfers running longer than this many minutes will be terminated. The default is 120 minutes (2 hours). The maximum value is 28 days (40320 minutes).

max-transfer-idle-out

Outbound zone transfers making no progress in this many minutes will be terminated. The default is 60 minutes (1 hour). The maximum value is 28 days (40320 minutes).

serial-query-rate

Slave servers will periodically query master servers to find out if zone serial numbers have changed. Each such query uses a minute amount of the slave server's network bandwidth. To limit the amount of bandwidth used, BIND 9 limits the rate at which queries are sent. The value of the serial-query-rate option, an integer, is the maximum number of queries sent per second. The default is 20.

serial-queries

In BIND 8, the serial-queries option set the maximum number of concurrent serial number queries allowed to be outstanding at any given time. BIND 9 does not limit the number of outstanding serial queries and ignores the serial-queries option. Instead, it limits the rate at which the queries are sent as defined using the serial-query-rate option.

transfer-format

Zone transfers can be sent using two different formats, one-answer and many-answers. The transfer-format option is used on the master server to determine which format it sends. one-answer uses one DNS message per resource record transferred. many-answers packs as many resource records as possible into a message. many-answers is more efficient, but is only supported by relatively new slave servers, such as BIND 9, BIND 8.x and BIND 4.9.5 onwards. The many-answers format is also supported by recent Microsoft Windows nameservers. The default is many-answers. transfer-format may be overridden on a per-server basis by using the server statement.

transfers-in

The maximum number of inbound zone transfers that can be running concurrently. The default value is 10. Increasing transfers-in may speed up the convergence of slave zones, but it also may increase the load on the local system.

transfers-out

The maximum number of outbound zone transfers that can be running concurrently. Zone transfer requests in excess of the limit will be refused. The default value is 10.

transfers-per-ns

The maximum number of inbound zone transfers that can be concurrently transferring from a given remote name server. The default value is 2. Increasing transfers-per-ns may speed up the convergence of slave zones, but it also may increase the load on the remote name server. transfers-per-ns may be overridden on a per-server basis by using the transfers phrase of the server statement.

transfer-source

transfer-source determines which local address will be bound to IPv4 TCP connections used to fetch zones transferred inbound by the server. It also determines the source IPv4 address, and optionally the UDP port, used for the refresh queries and forwarded dynamic updates. If not set, it defaults to a system controlled value which will usually be the address of the interface "closest to" the remote end. This address must appear in the remote end's allow-transfer option for the zone being transferred, if one is specified. This statement sets the transfer-source for all zones, but can be overridden on a per-view or per-zone basis by including a transfer-source statement within the view or zone block in the configuration file.

Note

Solaris 2.5.1 and earlier does not support setting the source address for TCP sockets.

transfer-source-v6

The same as transfer-source, except zone transfers are performed using IPv6.

alt-transfer-source

An alternate transfer source if the one listed in transfer-source fails and use-alt-transfer-source is set.

Note

If you do not wish the alternate transfer source to be used, you should set use-alt-transfer-source appropriately and you should not depend upon getting an answer back to the first refresh query.
alt-transfer-source-v6

An alternate transfer source if the one listed in transfer-source-v6 fails and use-alt-transfer-source is set.

use-alt-transfer-source

Use the alternate transfer sources or not. If views are specified this defaults to no otherwise it defaults to yes (for BIND 8 compatibility).

notify-source

notify-source determines which local source address, and optionally UDP port, will be used to send NOTIFY messages. This address must appear in the slave server's masters zone clause or in an allow-notify clause. This statement sets the notify-source for all zones, but can be overridden on a per-zone or per-view basis by including a notify-source statement within the zone or view block in the configuration file.

Note

Solaris 2.5.1 and earlier does not support setting the source address for TCP sockets.

notify-source-v6

Like notify-source, but applies to notify messages sent to IPv6 addresses.

UDP Port Lists

use-v4-udp-ports, avoid-v4-udp-ports, use-v6-udp-ports, and avoid-v6-udp-ports specify a list of IPv4 and IPv6 UDP ports that will be used or not used as source ports for UDP messages. See the section called “Query Address” about how the available ports are determined. For example, with the following configuration 

 use-v6-udp-ports { range 32768 65535; };
 avoid-v6-udp-ports { 40000; range 50000 60000; };

UDP ports of IPv6 messages sent from named will be in one of the following ranges: 32768 to 39999, 40001 to 49999, and 60001 to 65535.

avoid-v4-udp-ports and avoid-v6-udp-ports can be used to prevent named from choosing as its random source port a port that is blocked by your firewall or a port that is used by other applications; if a query went out with a source port blocked by a firewall, the answer would not get by the firewall and the name server would have to query again. Note: the desired range can also be represented only with use-v4-udp-ports and use-v6-udp-ports, and the avoid- options are redundant in that sense; they are provided for backward compatibility and to possibly simplify the port specification.

Operating System Resource Limits

The server's usage of many system resources can be limited. Scaled values are allowed when specifying resource limits. For example, 1G can be used instead of 1073741824 to specify a limit of one gigabyte. unlimited requests unlimited use, or the maximum available amount. default uses the limit that was in force when the server was started. See the description of size_spec in the section called “Configuration File Elements”.

The following options set operating system resource limits for the name server process. Some operating systems don't support some or any of the limits. On such systems, a warning will be issued if the unsupported limit is used.

coresize

The maximum size of a core dump. The default is default.

datasize

The maximum amount of data memory the server may use. The default is default. This is a hard limit on server memory usage. If the server attempts to allocate memory in excess of this limit, the allocation will fail, which may in turn leave the server unable to perform DNS service. Therefore, this option is rarely useful as a way of limiting the amount of memory used by the server, but it can be used to raise an operating system data size limit that is too small by default. If you wish to limit the amount of memory used by the server, use the max-cache-size and recursive-clients options instead.

files

The maximum number of files the server may have open concurrently. The default is unlimited.

stacksize

The maximum amount of stack memory the server may use. The default is default.

Server Resource Limits

The following options set limits on the server's resource consumption that are enforced internally by the server rather than the operating system.

max-ixfr-log-size

This option is obsolete; it is accepted and ignored for BIND 8 compatibility. The option max-journal-size performs a similar function in BIND 9.

max-journal-size

Sets a maximum size for each journal file (see the section called “The journal file”). When the journal file approaches the specified size, some of the oldest transactions in the journal will be automatically removed. The default is unlimited. This may also be set on a per-zone basis.

host-statistics-max

In BIND 8, specifies the maximum number of host statistics entries to be kept. Not implemented in BIND 9.

recursive-clients

The maximum number of simultaneous recursive lookups the server will perform on behalf of clients. The default is 1000. Because each recursing client uses a fair bit of memory, on the order of 20 kilobytes, the value of the recursive-clients option may have to be decreased on hosts with limited memory.

tcp-clients

The maximum number of simultaneous client TCP connections that the server will accept. The default is 100.

reserved-sockets

The number of file descriptors reserved for TCP, stdio, etc. This needs to be big enough to cover the number of interfaces named listens on, tcp-clients as well as to provide room for outgoing TCP queries and incoming zone transfers. The default is 512. The minimum value is 128 and the maximum value is 128 less than maxsockets (-S). This option may be removed in the future.

This option has little effect on Windows.

max-cache-size

The maximum amount of memory to use for the server's cache, in bytes. When the amount of data in the cache reaches this limit, the server will cause records to expire prematurely based on an LRU based strategy so that the limit is not exceeded. A value of 0 is special, meaning that records are purged from the cache only when their TTLs expire. Another special keyword unlimited means the maximum value of 32-bit unsigned integers (0xffffffff), which may not have the same effect as 0 on machines that support more than 32 bits of memory space. Any positive values less than 2MB will be ignored reset to 2MB. In a server with multiple views, the limit applies separately to the cache of each view. The default is 0.

tcp-listen-queue

The listen queue depth. The default and minimum is 3. If the kernel supports the accept filter "dataready" this also controls how many TCP connections that will be queued in kernel space waiting for some data before being passed to accept. Values less than 3 will be silently raised.

Periodic Task Intervals

cleaning-interval

This interval is effectively obsolete. Previously, the server would remove expired resource records from the cache every cleaning-interval minutes. BIND 9 now manages cache memory in a more sophisticated manner and does not rely on the periodic cleaning any more. Specifying this option therefore has no effect on the server's behavior.

heartbeat-interval

The server will perform zone maintenance tasks for all zones marked as dialup whenever this interval expires. The default is 60 minutes. Reasonable values are up to 1 day (1440 minutes). The maximum value is 28 days (40320 minutes). If set to 0, no zone maintenance for these zones will occur.

interface-interval

The server will scan the network interface list every interface-interval minutes. The default is 60 minutes. The maximum value is 28 days (40320 minutes). If set to 0, interface scanning will only occur when the configuration file is loaded. After the scan, the server will begin listening for queries on any newly discovered interfaces (provided they are allowed by the listen-on configuration), and will stop listening on interfaces that have gone away.

statistics-interval

Name server statistics will be logged every statistics-interval minutes. The default is 60. The maximum value is 28 days (40320 minutes). If set to 0, no statistics will be logged.

Note

Not yet implemented in BIND 9.

Topology

All other things being equal, when the server chooses a name server to query from a list of name servers, it prefers the one that is topologically closest to itself. The topology statement takes an address_match_list and interprets it in a special way. Each top-level list element is assigned a distance. Non-negated elements get a distance based on their position in the list, where the closer the match is to the start of the list, the shorter the distance is between it and the server. A negated match will be assigned the maximum distance from the server. If there is no match, the address will get a distance which is further than any non-negated list element, and closer than any negated element. For example, 

topology {
     10/8;
     !1.2.3/24;
     { 1.2/16; 3/8; };
 };

will prefer servers on network 10 the most, followed by hosts on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the exception of hosts on network 1.2.3 (netmask 255.255.255.0), which is preferred least of all.

The default topology is 

    topology { localhost; localnets; };

Note

The topology option is not implemented in BIND 9.

The sortlist Statement

The response to a DNS query may consist of multiple resource records (RRs) forming a resource records set (RRset). The name server will normally return the RRs within the RRset in an indeterminate order (but see the rrset-order statement in the section called “RRset Ordering”). The client resolver code should rearrange the RRs as appropriate, that is, using any addresses on the local net in preference to other addresses. However, not all resolvers can do this or are correctly configured. When a client is using a local server, the sorting can be performed in the server, based on the client's address. This only requires configuring the name servers, not all the clients.

The sortlist statement (see below) takes an address_match_list and interprets it even more specifically than the topology statement does (the section called “Topology”). Each top level statement in the sortlist must itself be an explicit address_match_list with one or two elements. The first element (which may be an IP address, an IP prefix, an ACL name or a nested address_match_list) of each top level list is checked against the source address of the query until a match is found.

Once the source address of the query has been matched, if the top level statement contains only one element, the actual primitive element that matched the source address is used to select the address in the response to move to the beginning of the response. If the statement is a list of two elements, then the second element is treated the same as the address_match_list in a topology statement. Each top level element is assigned a distance and the address in the response with the minimum distance is moved to the beginning of the response.

In the following example, any queries received from any of the addresses of the host itself will get responses preferring addresses on any of the locally connected networks. Next most preferred are addresses on the 192.168.1/24 network, and after that either the 192.168.2/24 or 192.168.3/24 network with no preference shown between these two networks. Queries received from a host on the 192.168.1/24 network will prefer other addresses on that network to the 192.168.2/24 and 192.168.3/24 networks. Queries received from a host on the 192.168.4/24 or the 192.168.5/24 network will only prefer other addresses on their directly connected networks. 

sortlist {
     { localhost;                                   // IF   the local host
         { localnets;                               // THEN first fit on the
             192.168.1/24;                          //   following nets
             { 192.168.2/24; 192.168.3/24; }; }; };
     { 192.168.1/24;                                // IF   on class C 192.168.1
         { 192.168.1/24;                            // THEN use .1, or .2 or .3
             { 192.168.2/24; 192.168.3/24; }; }; };
     { 192.168.2/24;                                // IF   on class C 192.168.2
         { 192.168.2/24;                            // THEN use .2, or .1 or .3
             { 192.168.1/24; 192.168.3/24; }; }; };
     { 192.168.3/24;                                // IF   on class C 192.168.3
         { 192.168.3/24;                            // THEN use .3, or .1 or .2
             { 192.168.1/24; 192.168.2/24; }; }; };
     { { 192.168.4/24; 192.168.5/24; };             // if .4 or .5, prefer that net
     };
 };

The following example will give reasonable behavior for the local host and hosts on directly connected networks. It is similar to the behavior of the address sort in BIND 4.9.x. Responses sent to queries from the local host will favor any of the directly connected networks. Responses sent to queries from any other hosts on a directly connected network will prefer addresses on that same network. Responses to other queries will not be sorted. 

sortlist {
            { localhost; localnets; };
            { localnets; };
 };

RRset Ordering

When multiple records are returned in an answer it may be useful to configure the order of the records placed into the response. The rrset-order statement permits configuration of the ordering of the records in a multiple record response. See also the sortlist statement, the section called “The sortlist Statement”.

An order_spec is defined as follows:

[class class_name] [type type_name] [name "domain_name"] order ordering

If no class is specified, the default is ANY. If no type is specified, the default is ANY. If no name is specified, the default is "*" (asterisk).

The legal values for ordering are:

fixed

Records are returned in the order they are defined in the zone file.

random

Records are returned in some random order.

cyclic

Records are returned in a cyclic round-robin order.

If BIND is configured with the "--enable-fixed-rrset" option at compile time, then the initial ordering of the RRset will match the one specified in the zone file.

For example: 

rrset-order {
    class IN type A name "host.example.com" order random;
    order cyclic;
 };

will cause any responses for type A records in class IN that have "host.example.com" as a suffix, to always be returned in random order. All other records are returned in cyclic order.

If multiple rrset-order statements appear, they are not combined — the last one applies.

Note

In this release of BIND 9, the rrset-order statement does not support "fixed" ordering by default. Fixed ordering can be enabled at compile time by specifying "--enable-fixed-rrset" on the "configure" command line.

Tuning

lame-ttl
-

+

+

Sets the number of seconds to cache a lame server indication. 0 disables caching. (This is NOT recommended.) The default is 600 (10 minutes) and the maximum value is 1800 (30 minutes). -

+

+

+ Lame-ttl also controls the amount of time DNSSEC + validation failures are cached. There is a minimum + of 30 seconds applied to bad cache entries if the + lame-ttl is set to less than 30 seconds. +

+
max-ncache-ttl

To reduce network traffic and increase performance, the server stores negative answers. max-ncache-ttl is used to set a maximum retention time for these answers in the server in seconds. The default max-ncache-ttl is 10800 seconds (3 hours). max-ncache-ttl cannot exceed 7 days and will be silently truncated to 7 days if set to a greater value.

max-cache-ttl

Sets the maximum time for which the server will cache ordinary (positive) answers. The default is one week (7 days). A value of zero may cause all queries to return SERVFAIL, because of lost caches of intermediate RRsets (such as NS and glue AAAA/A records) in the resolution process.

min-roots

The minimum number of root servers that is required for a request for the root servers to be accepted. The default is 2.

Note

Not implemented in BIND 9.

sig-validity-interval

Specifies the number of days into the future when DNSSEC signatures automatically generated as a result of dynamic updates (the section called “Dynamic Update”) will expire. There is a optional second field which specifies how long before expiry that the signatures will be regenerated. If not specified, the signatures will be regenerated at 1/4 of base interval. The second field is specified in days if the base interval is greater than 7 days otherwise it is specified in hours. The default base interval is 30 days giving a re-signing interval of 7 1/2 days. The maximum values are 10 years (3660 days).

The signature inception time is unconditionally set to one hour before the current time to allow for a limited amount of clock skew.

The sig-validity-interval should be, at least, several multiples of the SOA expire interval to allow for reasonable interaction between the various timer and expiry dates.

sig-signing-nodes

Specify the maximum number of nodes to be examined in each quantum when signing a zone with a new DNSKEY. The default is 100.

sig-signing-signatures

Specify a threshold number of signatures that will terminate processing a quantum when signing a zone with a new DNSKEY. The default is 10.

sig-signing-type

Specify a private RDATA type to be used when generating key signing records. The default is 65535.

It is expected that this parameter may be removed in a future version once there is a standard type.

min-refresh-time, max-refresh-time, min-retry-time, max-retry-time

These options control the server's behavior on refreshing a zone (querying for SOA changes) or retrying failed transfers. Usually the SOA values for the zone are used, but these values are set by the master, giving slave server administrators little control over their contents.

These options allow the administrator to set a minimum and maximum refresh and retry time either per-zone, per-view, or globally. These options are valid for slave and stub zones, and clamp the SOA refresh and retry times to the specified values.

edns-udp-size

Sets the advertised EDNS UDP buffer size in bytes to control the size of packets received. Valid values are 512 to 4096 (values outside this range will be silently adjusted). The default value is 4096. The usual reason for setting edns-udp-size to a non-default value is to get UDP answers to pass through broken firewalls that block fragmented packets and/or block UDP packets that are greater than 512 bytes.

max-udp-size

Sets the maximum EDNS UDP message size named will send in bytes. Valid values are 512 to 4096 (values outside this range will be silently adjusted). The default value is 4096. The usual reason for setting max-udp-size to a non-default value is to get UDP answers to pass through broken firewalls that block fragmented packets and/or block UDP packets that are greater than 512 bytes. This is independent of the advertised receive buffer (edns-udp-size).

masterfile-format

Specifies the file format of zone files (see the section called “Additional File Formats”). The default value is text, which is the standard textual representation. Files in other formats than text are typically expected to be generated by the named-compilezone tool. Note that when a zone file in a different format than text is loaded, named may omit some of the checks which would be performed for a file in the text format. In particular, check-names checks do not apply for the raw format. This means a zone file in the raw format must be generated with the same check level as that specified in the named configuration file. This statement sets the masterfile-format for all zones, but can be overridden on a per-zone or per-view basis by including a masterfile-format statement within the zone or view block in the configuration file.

clients-per-query, max-clients-per-query

These set the initial value (minimum) and maximum number of recursive simultaneous clients for any given query (<qname,qtype,qclass>) that the server will accept before dropping additional clients. named will attempt to self tune this value and changes will be logged. The default values are 10 and 100.

This value should reflect how many queries come in for a given name in the time it takes to resolve that name. If the number of queries exceed this value, named will assume that it is dealing with a non-responsive zone and will drop additional queries. If it gets a response after dropping queries, it will raise the estimate. The estimate will then be lowered in 20 minutes if it has remained unchanged.

If clients-per-query is set to zero, then there is no limit on the number of clients per query and no queries will be dropped.

If max-clients-per-query is set to zero, then there is no upper bound other than imposed by recursive-clients.

notify-delay

The delay, in seconds, between sending sets of notify messages for a zone. The default is five (5) seconds.

Built-in server information zones

The server provides some helpful diagnostic information through a number of built-in zones under the pseudo-top-level-domain bind in the CHAOS class. These zones are part of a built-in view (see the section called “view Statement Grammar”) of class CHAOS which is separate from the default view of class IN; therefore, any global server options such as allow-query do not apply the these zones. If you feel the need to disable these zones, use the options below, or hide the built-in CHAOS view by defining an explicit view of class CHAOS that matches all clients.

version

The version the server should report via a query of the name version.bind with type TXT, class CHAOS. The default is the real version number of this server. Specifying version none disables processing of the queries.

hostname

The hostname the server should report via a query of the name hostname.bind with type TXT, class CHAOS. This defaults to the hostname of the machine hosting the name server as found by the gethostname() function. The primary purpose of such queries is to identify which of a group of anycast servers is actually answering your queries. Specifying hostname none; disables processing of the queries.

server-id

The ID the server should report when receiving a Name Server Identifier (NSID) query, or a query of the name ID.SERVER with type TXT, class CHAOS. The primary purpose of such queries is to identify which of a group of anycast servers is actually answering your queries. Specifying server-id none; disables processing of the queries. Specifying server-id hostname; will cause named to use the hostname as found by the gethostname() function. The default server-id is none.

Built-in Empty Zones

Named has some built-in empty zones (SOA and NS records only). These are for zones that should normally be answered locally and which queries should not be sent to the Internet's root servers. The official servers which cover these namespaces return NXDOMAIN responses to these queries. In particular, these cover the reverse namespace for addresses from RFC 1918 and RFC 3330. They also include the reverse namespace for IPv6 local address (locally assigned), IPv6 link local addresses, the IPv6 loopback address and the IPv6 unknown address.

Named will attempt to determine if a built-in zone already exists or is active (covered by a forward-only forwarding declaration) and will not create a empty zone in that case.

The current list of empty zones is:

  • 0.IN-ADDR.ARPA
  • 127.IN-ADDR.ARPA
  • 254.169.IN-ADDR.ARPA
  • 2.0.192.IN-ADDR.ARPA
  • 255.255.255.255.IN-ADDR.ARPA
  • 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
  • 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
  • D.F.IP6.ARPA
  • 8.E.F.IP6.ARPA
  • 9.E.F.IP6.ARPA
  • A.E.F.IP6.ARPA
  • B.E.F.IP6.ARPA

Empty zones are settable at the view level and only apply to views of class IN. Disabled empty zones are only inherited from options if there are no disabled empty zones specified at the view level. To override the options list of disabled zones, you can disable the root zone at the view level, for example: 

             disable-empty-zone ".";

If you are using the address ranges covered here, you should already have reverse zones covering the addresses you use. In practice this appears to not be the case with many queries being made to the infrastructure servers for names in these spaces. So many in fact that sacrificial servers were needed to be deployed to channel the query load away from the infrastructure servers.

Note

The real parent servers for these zones should disable all empty zone under the parent zone they serve. For the real root servers, this is all built-in empty zones. This will enable them to return referrals to deeper in the tree.
empty-server

Specify what server name will appear in the returned SOA record for empty zones. If none is specified, then the zone's name will be used.

empty-contact

Specify what contact name will appear in the returned SOA record for empty zones. If none is specified, then "." will be used.

empty-zones-enable

Enable or disable all empty zones. By default, they are enabled.

disable-empty-zone

Disable individual empty zones. By default, none are disabled. This option can be specified multiple times.

Additional Section Caching

The additional section cache, also called acache, is an internal cache to improve the response performance of BIND 9. When additional section caching is enabled, BIND 9 will cache an internal short-cut to the additional section content for each answer RR. Note that acache is an internal caching mechanism of BIND 9, and is not related to the DNS caching server function.

Additional section caching does not change the response content (except the RRsets ordering of the additional section, see below), but can improve the response performance significantly. It is particularly effective when BIND 9 acts as an authoritative server for a zone that has many delegations with many glue RRs.

In order to obtain the maximum performance improvement from additional section caching, setting additional-from-cache to no is recommended, since the current implementation of acache does not short-cut of additional section information from the DNS cache data.

One obvious disadvantage of acache is that it requires much more memory for the internal cached data. Thus, if the response performance does not matter and memory consumption is much more critical, the acache mechanism can be disabled by setting acache-enable to no. It is also possible to specify the upper limit of memory consumption for acache by using max-acache-size.

Additional section caching also has a minor effect on the RRset ordering in the additional section. Without acache, cyclic order is effective for the additional section as well as the answer and authority sections. However, additional section caching fixes the ordering when it first caches an RRset for the additional section, and the same ordering will be kept in succeeding responses, regardless of the setting of rrset-order. The effect of this should be minor, however, since an RRset in the additional section typically only contains a small number of RRs (and in many cases it only contains a single RR), in which case the ordering does not matter much.

The following is a summary of options related to acache.

acache-enable

If yes, additional section caching is enabled. The default value is no.

acache-cleaning-interval

The server will remove stale cache entries, based on an LRU based algorithm, every acache-cleaning-interval minutes. The default is 60 minutes. If set to 0, no periodic cleaning will occur.

max-acache-size

The maximum amount of memory in bytes to use for the server's acache. When the amount of data in the acache reaches this limit, the server will clean more aggressively so that the limit is not exceeded. In a server with multiple views, the limit applies separately to the acache of each view. The default is 16M.

server Statement Grammar

server ip_addr[/prefixlen] {
     [ bogus yes_or_no ; ]
     [ provide-ixfr yes_or_no ; ]
     [ request-ixfr yes_or_no ; ]
     [ edns yes_or_no ; ]
     [ edns-udp-size number ; ]
     [ max-udp-size number ; ]
     [ transfers number ; ]
     [ transfer-format ( one-answer | many-answers ) ; ]]
     [ keys { string ; [ string ; [...]] } ; ]
     [ transfer-source (ip4_addr | *) [port ip_port] ; ]
     [ transfer-source-v6 (ip6_addr | *) [port ip_port] ; ]
     [ notify-source (ip4_addr | *) [port ip_port] ; ]
     [ notify-source-v6 (ip6_addr | *) [port ip_port] ; ]
     [ query-source [ address ( ip_addr | * ) ] [ port ( ip_port | * ) ]; ]
     [ query-source-v6 [ address ( ip_addr | * ) ] [ port ( ip_port | * ) ]; ]
     [ use-queryport-pool yes_or_no; ]
     [ queryport-pool-ports number; ]
     [ queryport-pool-updateinterval number; ]
 };

server Statement Definition and Usage

The server statement defines characteristics to be associated with a remote name server. If a prefix length is specified, then a range of servers is covered. Only the most specific server clause applies regardless of the order in named.conf.

The server statement can occur at the top level of the configuration file or inside a view statement. If a view statement contains one or more server statements, only those apply to the view and any top-level ones are ignored. If a view contains no server statements, any top-level server statements are used as defaults.

If you discover that a remote server is giving out bad data, marking it as bogus will prevent further queries to it. The default value of bogus is no.

The provide-ixfr clause determines whether the local server, acting as master, will respond with an incremental zone transfer when the given remote server, a slave, requests it. If set to yes, incremental transfer will be provided whenever possible. If set to no, all transfers to the remote server will be non-incremental. If not set, the value of the provide-ixfr option in the view or global options block is used as a default.

The request-ixfr clause determines whether the local server, acting as a slave, will request incremental zone transfers from the given remote server, a master. If not set, the value of the request-ixfr option in the view or global options block is used as a default.

IXFR requests to servers that do not support IXFR will automatically fall back to AXFR. Therefore, there is no need to manually list which servers support IXFR and which ones do not; the global default of yes should always work. The purpose of the provide-ixfr and request-ixfr clauses is to make it possible to disable the use of IXFR even when both master and slave claim to support it, for example if one of the servers is buggy and crashes or corrupts data when IXFR is used.

The edns clause determines whether the local server will attempt to use EDNS when communicating with the remote server. The default is yes.

The edns-udp-size option sets the EDNS UDP size that is advertised by named when querying the remote server. Valid values are 512 to 4096 bytes (values outside this range will be silently adjusted). This option is useful when you wish to advertises a different value to this server than the value you advertise globally, for example, when there is a firewall at the remote site that is blocking large replies.

The max-udp-size option sets the maximum EDNS UDP message size named will send. Valid values are 512 to 4096 bytes (values outside this range will be silently adjusted). This option is useful when you know that there is a firewall that is blocking large replies from named.

The server supports two zone transfer methods. The first, one-answer, uses one DNS message per resource record transferred. many-answers packs as many resource records as possible into a message. many-answers is more efficient, but is only known to be understood by BIND 9, BIND 8.x, and patched versions of BIND 4.9.5. You can specify which method to use for a server with the transfer-format option. If transfer-format is not specified, the transfer-format specified by the options statement will be used.

transfers is used to limit the number of concurrent inbound zone transfers from the specified server. If no transfers clause is specified, the limit is set according to the transfers-per-ns option.

The keys clause identifies a key_id defined by the key statement, to be used for transaction security (TSIG, the section called “TSIG”) when talking to the remote server. When a request is sent to the remote server, a request signature will be generated using the key specified here and appended to the message. A request originating from the remote server is not required to be signed by this key.

Although the grammar of the keys clause allows for multiple keys, only a single key per server is currently supported.

The transfer-source and transfer-source-v6 clauses specify the IPv4 and IPv6 source address to be used for zone transfer with the remote server, respectively. For an IPv4 remote server, only transfer-source can be specified. Similarly, for an IPv6 remote server, only transfer-source-v6 can be specified. For more details, see the description of transfer-source and transfer-source-v6 in the section called “Zone Transfers”.

The notify-source and notify-source-v6 clauses specify the IPv4 and IPv6 source address to be used for notify messages sent to remote servers, respectively. For an IPv4 remote server, only notify-source can be specified. Similarly, for an IPv6 remote server, only notify-source-v6 can be specified.

The query-source and query-source-v6 clauses specify the IPv4 and IPv6 source address to be used for queries sent to remote servers, respectively. For an IPv4 remote server, only query-source can be specified. Similarly, for an IPv6 remote server, only query-source-v6 can be specified.

statistics-channels Statement Grammar

statistics-channels {
    [ inet ( ip_addr | * ) [ port ip_port ] [allow {  address_match_list  } ]; ]
    [ inet ...; ]
 };

-statistics-channels Statement Definition and +statistics-channels Statement Definition and Usage

The statistics-channels statement declares communication channels to be used by system administrators to get access to statistics information of the name server.

This statement intends to be flexible to support multiple communication protocols in the future, but currently only HTTP access is supported. It requires that BIND 9 be compiled with libxml2; the statistics-channels statement is still accepted even if it is built without the library, but any HTTP access will fail with an error.

An inet control channel is a TCP socket listening at the specified ip_port on the specified ip_addr, which can be an IPv4 or IPv6 address. An ip_addr of * (asterisk) is interpreted as the IPv4 wildcard address; connections will be accepted on any of the system's IPv4 addresses. To listen on the IPv6 wildcard address, use an ip_addr of ::.

If no port is specified, port 80 is used for HTTP channels. The asterisk "*" cannot be used for ip_port.

The attempt of opening a statistics channel is restricted by the optional allow clause. Connections to the statistics channel are permitted based on the address_match_list. If no allow clause is present, named accepts connection attempts from any address; since the statistics may contain sensitive internal information, it is highly recommended to restrict the source of connection requests appropriately.

If no statistics-channels statement is present, named will not open any communication channels.

-trusted-keys Statement Grammar

+trusted-keys Statement Grammar
trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
 };

-trusted-keys Statement Definition +trusted-keys Statement Definition and Usage

The trusted-keys statement defines DNSSEC security roots. DNSSEC is described in the section called “DNSSEC”. A security root is defined when the public key for a non-authoritative zone is known, but cannot be securely obtained through DNS, either because it is the DNS root zone or because its parent zone is unsigned. Once a key has been configured as a trusted key, it is treated as if it had been validated and proven secure. The resolver attempts DNSSEC validation on all DNS data in subdomains of a security root.

All keys (and corresponding zones) listed in trusted-keys are deemed to exist regardless of what parent zones say. Similarly for all keys listed in trusted-keys only those keys are used to validate the DNSKEY RRset. The parent's DS RRset will not be used.

The trusted-keys statement can contain multiple key entries, each consisting of the key's domain name, flags, protocol, algorithm, and the Base-64 representation of the key data. Spaces, tabs, newlines and carriage returns are ignored in the key data, so the configuration may be split up into multiple lines.

view Statement Grammar

view view_name
       [class] {
       match-clients { address_match_list };
       match-destinations { address_match_list };
       match-recursive-only yes_or_no ;
       [ view_option; ...]
       [ zone_statement; ...]
 };

-view Statement Definition and Usage

+view Statement Definition and Usage

The view statement is a powerful feature of BIND 9 that lets a name server answer a DNS query differently depending on who is asking. It is particularly useful for implementing split DNS setups without having to run multiple servers.

Each view statement defines a view of the DNS namespace that will be seen by a subset of clients. A client matches a view if its source IP address matches the address_match_list of the view's match-clients clause and its destination IP address matches the address_match_list of the view's match-destinations clause. If not specified, both match-clients and match-destinations default to matching all addresses. In addition to checking IP addresses match-clients and match-destinations can also take keys which provide an mechanism for the client to select the view. A view can also be specified as match-recursive-only, which means that only recursive requests from matching clients will match that view. The order of the view statements is significant — a client request will be resolved in the context of the first view that it matches.

Zones defined within a view statement will only be accessible to clients that match the view. By defining a zone of the same name in multiple views, different zone data can be given to different clients, for example, "internal" and "external" clients in a split DNS setup.

Many of the options given in the options statement can also be used within a view statement, and then apply only when resolving queries with that view. When no view-specific value is given, the value in the options statement is used as a default. Also, zone options can have default values specified in the view statement; these view-specific defaults take precedence over those in the options statement.

Views are class specific. If no class is given, class IN is assumed. Note that all non-IN views must contain a hint zone, since only the IN class has compiled-in default hints.

If there are no view statements in the config file, a default view that matches any client is automatically created in class IN. Any zone statements specified on the top level of the configuration file are considered to be part of this default view, and the options statement will apply to the default view. If any explicit view statements are present, all zone statements must occur inside view statements.

Here is an example of a typical split DNS setup implemented using view statements: 

view "internal" {
       // This should match our internal networks.
       match-clients { 10.0.0.0/8; };
 
       // Provide recursive service to internal clients only.
       recursion yes;
 
       // Provide a complete view of the example.com zone
       // including addresses of internal hosts.
       zone "example.com" {
             type master;
             file "example-internal.db";
       };
 };
 
 view "external" {
       // Match all clients not matched by the previous view.
       match-clients { any; };
 
       // Refuse recursive service to external clients.
       recursion no;
 
       // Provide a restricted view of the example.com zone
       // containing only publicly accessible hosts.
       zone "example.com" {
            type master;
            file "example-external.db";
       };
 };

zone Statement Grammar

zone zone_name [class] {
     type master;
     [ allow-query { address_match_list }; ]
     [ allow-query-on { address_match_list }; ]
     [ allow-transfer { address_match_list }; ]
     [ allow-update { address_match_list }; ]
     [ update-policy { update_policy_rule [...] }; ]
     [ also-notify { ip_addr [port ip_port] ; [ ip_addr [port ip_port] ; ... ] }; ]
     [ check-names (warn|fail|ignore) ; ]
     [ check-mx (warn|fail|ignore) ; ]
     [ check-wildcard yes_or_no; ]
     [ check-integrity yes_or_no ; ]
     [ dialup dialup_option ; ]
     [ file string ; ]
     [ masterfile-format (text|raw) ; ]
     [ journal string ; ]
     [ max-journal-size size_spec; ]
     [ forward (only|first) ; ]
     [ forwarders { [ ip_addr [port ip_port] ; ... ] }; ]
     [ ixfr-base string ; ]
     [ ixfr-from-differences yes_or_no; ]
     [ ixfr-tmp-file string ; ]
     [ maintain-ixfr-base yes_or_no ; ]
     [ max-ixfr-log-size number ; ]
     [ max-transfer-idle-out number ; ]
     [ max-transfer-time-out number ; ]
     [ notify yes_or_no | explicit | master-only ; ]
     [ notify-delay seconds ; ]
     [ notify-to-soa yes_or_no; ]
     [ pubkey number number number string ; ]
     [ notify-source (ip4_addr | *) [port ip_port] ; ]
     [ notify-source-v6 (ip6_addr | *) [port ip_port] ; ]
     [ zone-statistics yes_or_no ; ]
     [ sig-validity-interval number [number] ; ]
     [ sig-signing-nodes number ; ]
     [ sig-signing-signatures number ; ]
     [ sig-signing-type number ; ]
     [ database string ; ]
     [ min-refresh-time number ; ]
     [ max-refresh-time number ; ]
     [ min-retry-time number ; ]
     [ max-retry-time number ; ]
     [ key-directory path_name; ]
     [ zero-no-soa-ttl yes_or_no ; ]
 };
 
 zone zone_name [class] {
     type slave;
     [ allow-notify { address_match_list }; ]
     [ allow-query { address_match_list }; ]
     [ allow-query-on { address_match_list }; ]
     [ allow-transfer { address_match_list }; ]
     [ allow-update-forwarding { address_match_list }; ]
     [ update-check-ksk yes_or_no; ]
     [ try-tcp-refresh yes_or_no; ]
     [ also-notify { ip_addr [port ip_port] ; [ ip_addr [port ip_port] ; ... ] }; ]
     [ check-names (warn|fail|ignore) ; ]
     [ dialup dialup_option ; ]
     [ file string ; ]
     [ masterfile-format (text|raw) ; ]
     [ journal string ; ]
     [ max-journal-size size_spec; ]
     [ forward (only|first) ; ]
     [ forwarders { [ ip_addr [port ip_port] ; ... ] }; ]
     [ ixfr-base string ; ]
     [ ixfr-from-differences yes_or_no; ]
     [ ixfr-tmp-file string ; ]
     [ maintain-ixfr-base yes_or_no ; ]
     [ masters [port ip_port] { ( masters_list | ip_addr [port ip_port] [key key] ) ; [...] }; ]
     [ max-ixfr-log-size number ; ]
     [ max-transfer-idle-in number ; ]
     [ max-transfer-idle-out number ; ]
     [ max-transfer-time-in number ; ]
     [ max-transfer-time-out number ; ]
     [ notify yes_or_no | explicit | master-only ; ]
     [ notify-delay seconds ; ]
     [ notify-to-soa yes_or_no; ]
     [ pubkey number number number string ; ]
     [ transfer-source (ip4_addr | *) [port ip_port] ; ]
     [ transfer-source-v6 (ip6_addr | *) [port ip_port] ; ]
     [ alt-transfer-source (ip4_addr | *) [port ip_port] ; ]
     [ alt-transfer-source-v6 (ip6_addr | *) [port ip_port] ; ]
     [ use-alt-transfer-source yes_or_no; ]
     [ notify-source (ip4_addr | *) [port ip_port] ; ]
     [ notify-source-v6 (ip6_addr | *) [port ip_port] ; ]
     [ zone-statistics yes_or_no ; ]
     [ database string ; ]
     [ min-refresh-time number ; ]
     [ max-refresh-time number ; ]
     [ min-retry-time number ; ]
     [ max-retry-time number ; ]
     [ multi-master yes_or_no ; ]
     [ zero-no-soa-ttl yes_or_no ; ]
 };
 
 zone zone_name [class] {
     type hint;
     file string ;
     [ delegation-only yes_or_no ; ]
     [ check-names (warn|fail|ignore) ; // Not Implemented. ]
 };
 
 zone zone_name [class] {
     type stub;
     [ allow-query { address_match_list }; ]
     [ allow-query-on { address_match_list }; ]
     [ check-names (warn|fail|ignore) ; ]
     [ dialup dialup_option ; ]
     [ delegation-only yes_or_no ; ]
     [ file string ; ]
     [ masterfile-format (text|raw) ; ]
     [ forward (only|first) ; ]
     [ forwarders { [ ip_addr [port ip_port] ; ... ] }; ]
     [ masters [port ip_port] { ( masters_list | ip_addr [port ip_port] [key key] ) ; [...] }; ]
     [ max-transfer-idle-in number ; ]
     [ max-transfer-time-in number ; ]
     [ pubkey number number number string ; ]
     [ transfer-source (ip4_addr | *) [port ip_port] ; ]
     [ transfer-source-v6 (ip6_addr | *) [port ip_port] ; ]
     [ alt-transfer-source (ip4_addr | *) [port ip_port] ; ]
     [ alt-transfer-source-v6 (ip6_addr | *) [port ip_port] ; ]
     [ use-alt-transfer-source yes_or_no; ]
     [ zone-statistics yes_or_no ; ]
     [ database string ; ]
     [ min-refresh-time number ; ]
     [ max-refresh-time number ; ]
     [ min-retry-time number ; ]
     [ max-retry-time number ; ]
     [ multi-master yes_or_no ; ]
 };
 
 zone zone_name [class] {
     type forward;
     [ forward (only|first) ; ]
     [ forwarders { [ ip_addr [port ip_port] ; ... ] }; ]
     [ delegation-only yes_or_no ; ]
 };
 
 zone zone_name [class] {
     type delegation-only;
 };

-zone Statement Definition and Usage

+zone Statement Definition and Usage

-Zone Types

+Zone Types

master

The server has a master copy of the data for the zone and will be able to provide authoritative answers for it.

slave

A slave zone is a replica of a master zone. The masters list specifies one or more IP addresses of master servers that the slave contacts to update its copy of the zone. Masters list elements can also be names of other masters lists. By default, transfers are made from port 53 on the servers; this can be changed for all servers by specifying a port number before the list of IP addresses, or on a per-server basis after the IP address. Authentication to the master can also be done with per-server TSIG keys. If a file is specified, then the replica will be written to this file whenever the zone is changed, and reloaded from this file on a server restart. Use of a file is recommended, since it often speeds server startup and eliminates a needless waste of bandwidth. Note that for large numbers (in the tens or hundreds of thousands) of zones per server, it is best to use a two-level naming scheme for zone filenames. For example, a slave server for the zone example.com might place the zone contents into a file called ex/example.com where ex/ is just the first two letters of the zone name. (Most operating systems behave very slowly if you put 100000 files into a single directory.)

stub

A stub zone is similar to a slave zone, except that it replicates only the NS records of a master zone instead of the entire zone. Stub zones are not a standard part of the DNS; they are a feature specific to the BIND implementation.

Stub zones can be used to eliminate the need for glue NS record in a parent zone at the expense of maintaining a stub zone entry and a set of name server addresses in named.conf. This usage is not recommended for new configurations, and BIND 9 supports it only in a limited way. In BIND 4/8, zone transfers of a parent zone included the NS records from stub children of that zone. This meant that, in some cases, users could get away with configuring child stubs only in the master server for the parent zone. BIND 9 never mixes together zone data from different zones in this way. Therefore, if a BIND 9 master serving a parent zone has child stub zones configured, all the slave servers for the parent zone also need to have the same child stub zones configured.

Stub zones can also be used as a way of forcing the resolution of a given domain to use a particular set of authoritative servers. For example, the caching name servers on a private network using RFC1918 addressing may be configured with stub zones for 10.in-addr.arpa to use a set of internal name servers as the authoritative servers for that domain.

forward

A "forward zone" is a way to configure forwarding on a per-domain basis. A zone statement of type forward can contain a forward and/or forwarders statement, which will apply to queries within the domain given by the zone name. If no forwarders statement is present or an empty list for forwarders is given, then no forwarding will be done for the domain, canceling the effects of any forwarders in the options statement. Thus if you want to use this type of zone to change the behavior of the global forward option (that is, "forward first" to, then "forward only", or vice versa, but want to use the same servers as set globally) you need to re-specify the global forwarders.

hint

The initial set of root name servers is specified using a "hint zone". When the server starts up, it uses the root hints to find a root name server and get the most recent list of root name servers. If no hint zone is specified for class IN, the server uses a compiled-in default set of root servers hints. Classes other than IN have no built-in defaults hints.

delegation-only

This is used to enforce the delegation-only status of infrastructure zones (e.g. COM, NET, ORG). Any answer that is received without an explicit or implicit delegation in the authority section will be treated as NXDOMAIN. This does not apply to the zone apex. This should not be applied to leaf zones.

delegation-only has no effect on answers received from forwarders.

See caveats in root-delegation-only.

-Class

+Class

The zone's name may optionally be followed by a class. If a class is not specified, class IN (for Internet), is assumed. This is correct for the vast majority of cases.

The hesiod class is named for an information service from MIT's Project Athena. It is used to share information about various systems databases, such as users, groups, printers and so on. The keyword HS is a synonym for hesiod.

Another MIT development is Chaosnet, a LAN protocol created in the mid-1970s. Zone data for it can be specified with the CHAOS class.

-Zone Options

+Zone Options
allow-notify

See the description of allow-notify in the section called “Access Control”.

allow-query

See the description of allow-query in the section called “Access Control”.

allow-query-on

See the description of allow-query-on in the section called “Access Control”.

allow-transfer

See the description of allow-transfer in the section called “Access Control”.

allow-update

See the description of allow-update in the section called “Access Control”.

update-policy

Specifies a "Simple Secure Update" policy. See the section called “Dynamic Update Policies”.

allow-update-forwarding

See the description of allow-update-forwarding in the section called “Access Control”.

also-notify

Only meaningful if notify is active for this zone. The set of machines that will receive a DNS NOTIFY message for this zone is made up of all the listed name servers (other than the primary master) for the zone plus any IP addresses specified with also-notify. A port may be specified with each also-notify address to send the notify messages to a port other than the default of 53. also-notify is not meaningful for stub zones. The default is the empty list.

check-names

This option is used to restrict the character set and syntax of certain domain names in master files and/or DNS responses received from the network. The default varies according to zone type. For master zones the default is fail. For slave zones the default is warn.

check-mx

See the description of check-mx in the section called “Boolean Options”.

check-wildcard

See the description of check-wildcard in the section called “Boolean Options”.

check-integrity

See the description of check-integrity in the section called “Boolean Options”.

check-sibling

See the description of check-sibling in the section called “Boolean Options”.

zero-no-soa-ttl

See the description of zero-no-soa-ttl in the section called “Boolean Options”.

update-check-ksk

See the description of update-check-ksk in the section called “Boolean Options”.

try-tcp-refresh

See the description of try-tcp-refresh in the section called “Boolean Options”.

database

Specify the type of database to be used for storing the zone data. The string following the database keyword is interpreted as a list of whitespace-delimited words. The first word identifies the database type, and any subsequent words are passed as arguments to the database to be interpreted in a way specific to the database type.

The default is "rbt", BIND 9's native in-memory red-black-tree database. This database does not take arguments.

Other values are possible if additional database drivers have been linked into the server. Some sample drivers are included with the distribution but none are linked in by default.

dialup

See the description of dialup in the section called “Boolean Options”.

delegation-only

The flag only applies to hint and stub zones. If set to yes, then the zone will also be treated as if it is also a delegation-only type zone.

See caveats in root-delegation-only.

forward

Only meaningful if the zone has a forwarders list. The only value causes the lookup to fail after trying the forwarders and getting no answer, while first would allow a normal lookup to be tried.

forwarders

Used to override the list of global forwarders. If it is not specified in a zone of type forward, no forwarding is done for the zone and the global options are not used.

ixfr-base

Was used in BIND 8 to specify the name of the transaction log (journal) file for dynamic update and IXFR. BIND 9 ignores the option and constructs the name of the journal file by appending ".jnl" to the name of the zone file.

ixfr-tmp-file

Was an undocumented option in BIND 8. Ignored in BIND 9.

journal

Allow the default journal's filename to be overridden. The default is the zone's filename with ".jnl" appended. This is applicable to master and slave zones.

max-journal-size

See the description of max-journal-size in the section called “Server Resource Limits”.

max-transfer-time-in

See the description of max-transfer-time-in in the section called “Zone Transfers”.

max-transfer-idle-in

See the description of max-transfer-idle-in in the section called “Zone Transfers”.

max-transfer-time-out

See the description of max-transfer-time-out in the section called “Zone Transfers”.

max-transfer-idle-out

See the description of max-transfer-idle-out in the section called “Zone Transfers”.

notify

See the description of notify in the section called “Boolean Options”.

notify-delay

See the description of notify-delay in the section called “Tuning”.

notify-to-soa

See the description of notify-to-soa in the section called “Boolean Options”.

pubkey

In BIND 8, this option was intended for specifying a public zone key for verification of signatures in DNSSEC signed zones when they are loaded from disk. BIND 9 does not verify signatures on load and ignores the option.

zone-statistics

If yes, the server will keep statistical information for this zone, which can be dumped to the statistics-file defined in the server options.

sig-validity-interval

See the description of sig-validity-interval in the section called “Tuning”.

sig-signing-nodes

See the description of sig-signing-nodes in the section called “Tuning”.

sig-signing-signatures

See the description of sig-signing-signatures in the section called “Tuning”.

sig-signing-type

See the description of sig-signing-type in the section called “Tuning”.

transfer-source

See the description of transfer-source in the section called “Zone Transfers”.

transfer-source-v6

See the description of transfer-source-v6 in the section called “Zone Transfers”.

alt-transfer-source

See the description of alt-transfer-source in the section called “Zone Transfers”.

alt-transfer-source-v6

See the description of alt-transfer-source-v6 in the section called “Zone Transfers”.

use-alt-transfer-source

See the description of use-alt-transfer-source in the section called “Zone Transfers”.

notify-source

See the description of notify-source in the section called “Zone Transfers”.

notify-source-v6

See the description of notify-source-v6 in the section called “Zone Transfers”.

min-refresh-time, max-refresh-time, min-retry-time, max-retry-time

See the description in the section called “Tuning”.

ixfr-from-differences

See the description of ixfr-from-differences in the section called “Boolean Options”. (Note that the ixfr-from-differences master and slave choices are not available at the zone level.)

key-directory

See the description of key-directory in the section called “options Statement Definition and Usage”.

multi-master

See the description of multi-master in the section called “Boolean Options”.

masterfile-format

See the description of masterfile-format in the section called “Tuning”.

Dynamic Update Policies

BIND 9 supports two alternative methods of granting clients the right to perform dynamic updates to a zone, configured by the allow-update and update-policy option, respectively.

The allow-update clause works the same way as in previous versions of BIND. It grants given clients the permission to update any record of any name in the zone.

The update-policy clause is new in BIND 9 and allows more fine-grained control over what updates are allowed. A set of rules is specified, where each rule either grants or denies permissions for one or more names to be updated by one or more identities. If the dynamic update request message is signed (that is, it includes either a TSIG or SIG(0) record), the identity of the signer can be determined.

Rules are specified in the update-policy zone option, and are only meaningful for master zones. When the update-policy statement is present, it is a configuration error for the allow-update statement to be present. The update-policy statement only examines the signer of a message; the source address is not relevant.

This is how a rule definition looks: 

 ( grant | deny ) identity nametype name [ types ]

Each rule grants or denies privileges. Once a message has successfully matched a rule, the operation is immediately granted or denied and no further rules are examined. A rule is matched when the signer matches the identity field, the name matches the name field in accordance with the nametype field, and the type matches the types specified in the type field.

No signer is required for tcp-self or 6to4-self however the standard reverse mapping / prefix conversion must match the identity field.

The identity field specifies a name or a wildcard name. Normally, this is the name of the TSIG or SIG(0) key used to sign the update request. When a TKEY exchange has been used to create a shared secret, the identity of the shared secret is the same as the identity of the key used to authenticate the TKEY exchange. TKEY is also the negotiation method used by GSS-TSIG, which establishes an identity that is the Kerberos principal of the client, such as "user@host.domain". When the identity field specifies a wildcard name, it is subject to DNS wildcard expansion, so the rule will apply to multiple identities. The identity field must contain a fully-qualified domain name.

The nametype field has 12 values: name, subdomain, wildcard, self, selfsub, selfwild, krb5-self, ms-self, krb5-subdomain, ms-subdomain, tcp-self and 6to4-self.

name

Exact-match semantics. This rule matches when the name being updated is identical to the contents of the name field.

subdomain

This rule matches when the name being updated is a subdomain of, or identical to, the contents of the name field.

wildcard

The name field is subject to DNS wildcard expansion, and this rule matches when the name being updated name is a valid expansion of the wildcard.

self

This rule matches when the name being updated matches the contents of the identity field. The name field is ignored, but should be the same as the identity field. The self nametype is most useful when allowing using one key per name to update, where the key has the same name as the name to be updated. The identity would be specified as * (an asterisk) in this case.

selfsub

This rule is similar to self except that subdomains of self can also be updated.

selfwild

This rule is similar to self except that only subdomains of self can be updated.

tcp-self

Allow updates that have been sent via TCP and for which the standard mapping from the initiating IP address into the IN-ADDR.ARPA and IP6.ARPA namespaces match the name to be updated.

Note

It is theoretically possible to spoof these TCP sessions.

6to4-self

Allow the 6to4 prefix to be update by any TCP conection from the 6to4 network or from the corresponding IPv4 address. This is intended to allow NS or DNAME RRsets to be added to the reverse tree.

Note

It is theoretically possible to spoof these TCP sessions.

In all cases, the name field must specify a fully-qualified domain name.

If no types are explicitly specified, this rule matches all types except RRSIG, NS, SOA, NSEC and NSEC3. Types may be specified by name, including "ANY" (ANY matches all types except NSEC and NSEC3, which can never be updated). Note that when an attempt is made to delete all records associated with a name, the rules are checked for each existing record type.

-Zone File

+Zone File

Types of Resource Records and When to Use Them

This section, largely borrowed from RFC 1034, describes the concept of a Resource Record (RR) and explains when each is used. Since the publication of RFC 1034, several new RRs have been identified and implemented in the DNS. These are also included.

-Resource Records

+Resource Records

A domain name identifies a node. Each node has a set of resource information, which may be empty. The set of resource information associated with a particular name is composed of separate RRs. The order of RRs in a set is not significant and need not be preserved by name servers, resolvers, or other parts of the DNS. However, sorting of multiple RRs is permitted for optimization purposes, for example, to specify that a particular nearby server be tried first. See the section called “The sortlist Statement” and the section called “RRset Ordering”.

The components of a Resource Record are:

owner name

The domain name where the RR is found.

type

An encoded 16-bit value that specifies the type of the resource record.

TTL

The time-to-live of the RR. This field is a 32-bit integer in units of seconds, and is primarily used by resolvers when they cache RRs. The TTL describes how long a RR can be cached before it should be discarded.

class

An encoded 16-bit value that identifies a protocol family or instance of a protocol.

RDATA

The resource data. The format of the data is type (and sometimes class) specific.

The following are types of valid RRs:

A

A host address. In the IN class, this is a 32-bit IP address. Described in RFC 1035.

AAAA

IPv6 address. Described in RFC 1886.

A6

IPv6 address. This can be a partial address (a suffix) and an indirection to the name where the rest of the address (the prefix) can be found. Experimental. Described in RFC 2874.

AFSDB

Location of AFS database servers. Experimental. Described in RFC 1183.

APL

Address prefix list. Experimental. Described in RFC 3123.

CERT

Holds a digital certificate. Described in RFC 2538.

CNAME

Identifies the canonical name of an alias. Described in RFC 1035.

DHCID

Is used for identifying which DHCP client is associated with this name. Described in RFC 4701.

DNAME

Replaces the domain name specified with another name to be looked up, effectively aliasing an entire subtree of the domain name space rather than a single record as in the case of the CNAME RR. Described in RFC 2672.

DNSKEY

Stores a public key associated with a signed DNS zone. Described in RFC 4034.

DS

Stores the hash of a public key associated with a signed DNS zone. Described in RFC 4034.

GPOS

Specifies the global position. Superseded by LOC.

HINFO

Identifies the CPU and OS used by a host. Described in RFC 1035.

IPSECKEY

Provides a method for storing IPsec keying material in DNS. Described in RFC 4025.

ISDN

Representation of ISDN addresses. Experimental. Described in RFC 1183.

KEY

Stores a public key associated with a DNS name. Used in original DNSSEC; replaced by DNSKEY in DNSSECbis, but still used with SIG(0). Described in RFCs 2535 and 2931.

KX

Identifies a key exchanger for this DNS name. Described in RFC 2230.

LOC

For storing GPS info. Described in RFC 1876. Experimental.

MX

Identifies a mail exchange for the domain with a 16-bit preference value (lower is better) followed by the host name of the mail exchange. Described in RFC 974, RFC 1035.

NAPTR

Name authority pointer. Described in RFC 2915.

NSAP

A network service access point. Described in RFC 1706.

NS

The authoritative name server for the domain. Described in RFC 1035.

NSEC

Used in DNSSECbis to securely indicate that RRs with an owner name in a certain name interval do not exist in a zone and indicate what RR types are present for an existing name. Described in RFC 4034.

NSEC3

Used in DNSSECbis to securely indicate that RRs with an owner name in a certain name interval do not exist in a zone and indicate what RR types are present for an existing name. NSEC3 differs from NSEC in that it prevents zone enumeration but is more computationally expensive on both the server and the client than NSEC. Described in RFC 5155.

NSEC3PARAM

Used in DNSSECbis to tell the authoritative server which NSEC3 chains are available to use. Described in RFC 5155.

NXT

Used in DNSSEC to securely indicate that RRs with an owner name in a certain name interval do not exist in a zone and indicate what RR types are present for an existing name. Used in original DNSSEC; replaced by NSEC in DNSSECbis. Described in RFC 2535.

PTR

A pointer to another part of the domain name space. Described in RFC 1035.

PX

Provides mappings between RFC 822 and X.400 addresses. Described in RFC 2163.

RP

Information on persons responsible for the domain. Experimental. Described in RFC 1183.

RRSIG

Contains DNSSECbis signature data. Described in RFC 4034.

RT

Route-through binding for hosts that do not have their own direct wide area network addresses. Experimental. Described in RFC 1183.

SIG

Contains DNSSEC signature data. Used in original DNSSEC; replaced by RRSIG in DNSSECbis, but still used for SIG(0). Described in RFCs 2535 and 2931.

SOA

Identifies the start of a zone of authority. Described in RFC 1035.

SPF

Contains the Sender Policy Framework information for a given email domain. Described in RFC 4408.

SRV

Information about well known network services (replaces WKS). Described in RFC 2782.

SSHFP

Provides a way to securely publish a secure shell key's fingerprint. Described in RFC 4255.

TXT

Text records. Described in RFC 1035.

WKS

Information about which well known network services, such as SMTP, that a domain supports. Historical.

X25

Representation of X.25 network addresses. Experimental. Described in RFC 1183.

The following classes of resource records are currently valid in the DNS:

IN

The Internet.

CH

Chaosnet, a LAN protocol created at MIT in the mid-1970s. Rarely used for its historical purpose, but reused for BIND's built-in server information zones, e.g., version.bind.

HS

Hesiod, an information service developed by MIT's Project Athena. It is used to share information about various systems databases, such as users, groups, printers and so on.

The owner name is often implicit, rather than forming an integral part of the RR. For example, many name servers internally form tree or hash structures for the name space, and chain RRs off nodes. The remaining RR parts are the fixed header (type, class, TTL) which is consistent for all RRs, and a variable part (RDATA) that fits the needs of the resource being described.

The meaning of the TTL field is a time limit on how long an RR can be kept in a cache. This limit does not apply to authoritative data in zones; it is also timed out, but by the refreshing policies for the zone. The TTL is assigned by the administrator for the zone where the data originates. While short TTLs can be used to minimize caching, and a zero TTL prohibits caching, the realities of Internet performance suggest that these times should be on the order of days for the typical host. If a change can be anticipated, the TTL can be reduced prior to the change to minimize inconsistency during the change, and then increased back to its former value following the change.

The data in the RDATA section of RRs is carried as a combination of binary strings and domain names. The domain names are frequently used as "pointers" to other data in the DNS.

-Textual expression of RRs

+Textual expression of RRs

RRs are represented in binary form in the packets of the DNS protocol, and are usually represented in highly encoded form when stored in a name server or resolver. In the examples provided in RFC 1034, a style similar to that used in master files was employed in order to show the contents of RRs. In this format, most RRs are shown on a single line, although continuation lines are possible using parentheses.

The start of the line gives the owner of the RR. If a line begins with a blank, then the owner is assumed to be the same as that of the previous RR. Blank lines are often included for readability.

Following the owner, we list the TTL, type, and class of the RR. Class and type use the mnemonics defined above, and TTL is an integer before the type field. In order to avoid ambiguity in parsing, type and class mnemonics are disjoint, TTLs are integers, and the type mnemonic is always last. The IN class and TTL values are often omitted from examples in the interests of clarity.

The resource data or RDATA section of the RR are given using knowledge of the typical representation for the data.

For example, we might show the RRs carried in a message as:

ISI.EDU.

MX

10 VENERA.ISI.EDU.

MX

10 VAXA.ISI.EDU

VENERA.ISI.EDU

A

128.9.0.32

A

10.1.0.52

VAXA.ISI.EDU

A

10.2.0.27

A

128.9.0.33

The MX RRs have an RDATA section which consists of a 16-bit number followed by a domain name. The address RRs use a standard IP address format to contain a 32-bit internet address.

The above example shows six RRs, with two RRs at each of three domain names.

Similarly we might see:

XX.LCS.MIT.EDU.

IN A

10.0.0.44

 

CH A

MIT.EDU. 2420

This example shows two addresses for XX.LCS.MIT.EDU, each of a different class.

-Discussion of MX Records

+Discussion of MX Records

As described above, domain servers store information as a series of resource records, each of which contains a particular piece of information about a given domain name (which is usually, but not always, a host). The simplest way to think of a RR is as a typed pair of data, a domain name matched with a relevant datum, and stored with some additional type information to help systems determine when the RR is relevant.

MX records are used to control delivery of email. The data specified in the record is a priority and a domain name. The priority controls the order in which email delivery is attempted, with the lowest number first. If two priorities are the same, a server is chosen randomly. If no servers at a given priority are responding, the mail transport agent will fall back to the next largest priority. Priority numbers do not have any absolute meaning — they are relevant only respective to other MX records for that domain name. The domain name given is the machine to which the mail will be delivered. It must have an associated address record (A or AAAA) — CNAME is not sufficient.

For a given domain, if there is both a CNAME record and an MX record, the MX record is in error, and will be ignored. Instead, the mail will be delivered to the server specified in the MX record pointed to by the CNAME. For example:

example.com.

IN

MX

10

mail.example.com.

IN

MX

10

mail2.example.com.

IN

MX

20

mail.backup.org.

mail.example.com.

IN

A

10.0.0.1

mail2.example.com.

IN

A

10.0.0.2

Mail delivery will be attempted to mail.example.com and mail2.example.com (in any order), and if neither of those succeed, delivery to mail.backup.org will be attempted.

Setting TTLs

The time-to-live of the RR field is a 32-bit integer represented in units of seconds, and is primarily used by resolvers when they cache RRs. The TTL describes how long a RR can be cached before it should be discarded. The following three types of TTL are currently used in a zone file.

SOA

The last field in the SOA is the negative caching TTL. This controls how long other servers will cache no-such-domain (NXDOMAIN) responses from you.

The maximum time for negative caching is 3 hours (3h).

$TTL

The $TTL directive at the top of the zone file (before the SOA) gives a default TTL for every RR without a specific TTL set.

RR TTLs

Each RR can have a TTL as the second field in the RR, which will control how long other servers can cache the it.

All of these TTLs default to units of seconds, though units can be explicitly specified, for example, 1h30m.

-Inverse Mapping in IPv4

+Inverse Mapping in IPv4

Reverse name resolution (that is, translation from IP address to name) is achieved by means of the in-addr.arpa domain and PTR records. Entries in the in-addr.arpa domain are made in least-to-most significant order, read left to right. This is the opposite order to the way IP addresses are usually written. Thus, a machine with an IP address of 10.1.2.3 would have a corresponding in-addr.arpa name of 3.2.1.10.in-addr.arpa. This name should have a PTR resource record whose data field is the name of the machine or, optionally, multiple PTR records if the machine has more than one name. For example, in the [example.com] domain:

$ORIGIN

2.1.10.in-addr.arpa

3

IN PTR foo.example.com.

Note

The $ORIGIN lines in the examples are for providing context to the examples only — they do not necessarily appear in the actual usage. They are only used here to indicate that the example is relative to the listed origin.

-Other Zone File Directives

+Other Zone File Directives

The Master File Format was initially defined in RFC 1035 and has subsequently been extended. While the Master File Format itself is class independent all records in a Master File must be of the same class.

Master File Directives include $ORIGIN, $INCLUDE, and $TTL.

-The @ (at-sign)

+The @ (at-sign)

When used in the label (or name) field, the asperand or at-sign (@) symbol represents the current origin. At the start of the zone file, it is the <zone_name> (followed by trailing dot).

-The $ORIGIN Directive

+The $ORIGIN Directive

Syntax: $ORIGIN domain-name [comment]

$ORIGIN sets the domain name that will be appended to any unqualified records. When a zone is first read in there is an implicit $ORIGIN <zone_name>. (followed by trailing dot). The current $ORIGIN is appended to the domain specified in the $ORIGIN argument if it is not absolute. 

 $ORIGIN example.com.
 WWW     CNAME   MAIN-SERVER

is equivalent to 

 WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.

-The $INCLUDE Directive

+The $INCLUDE Directive

Syntax: $INCLUDE filename [ origin ] [ comment ]

Read and process the file filename as if it were included into the file at this point. If origin is specified the file is processed with $ORIGIN set to that value, otherwise the current $ORIGIN is used.

The origin and the current domain name revert to the values they had prior to the $INCLUDE once the file has been read.

Note

RFC 1035 specifies that the current origin should be restored after an $INCLUDE, but it is silent on whether the current domain name should also be restored. BIND 9 restores both of them. This could be construed as a deviation from RFC 1035, a feature, or both.

-The $TTL Directive

+The $TTL Directive

Syntax: $TTL default-ttl [ comment ]

Set the default Time To Live (TTL) for subsequent records with undefined TTLs. Valid TTLs are of the range 0-2147483647 seconds.

$TTL is defined in RFC 2308.

-BIND Master File Extension: the $GENERATE Directive

+BIND Master File Extension: the $GENERATE Directive

Syntax: $GENERATE range lhs [ttl] [class] type rhs [comment]

$GENERATE is used to create a series of resource records that only differ from each other by an iterator. $GENERATE can be used to easily generate the sets of records required to support sub /24 reverse delegations described in RFC 2317: Classless IN-ADDR.ARPA delegation. 

$ORIGIN 0.0.192.IN-ADDR.ARPA.
 $GENERATE 1-2 0 NS SERVER$.EXAMPLE.
 $GENERATE 1-127 $ CNAME $.0

is equivalent to 

0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE.
 0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
 1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
 2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
 ...
 127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.

range

This can be one of two forms: start-stop or start-stop/step. If the first form is used, then step is set to 1. All of start, stop and step must be positive.

lhs

This describes the owner name of the resource records to be created. Any single $ (dollar sign) symbols within the lhs string are replaced by the iterator value. To get a $ in the output, you need to escape the $ using a backslash \, e.g. \$. The $ may optionally be followed by modifiers which change the offset from the iterator, field width and base. Modifiers are introduced by a { (left brace) immediately following the $ as ${offset[,width[,base]]}. For example, ${-20,3,d} subtracts 20 from the current value, prints the result as a decimal in a zero-padded field of width 3. Available output forms are decimal (d), octal (o) and hexadecimal (x or X for uppercase). The default modifier is ${0,0,d}. If the lhs is not absolute, the current $ORIGIN is appended to the name.

For compatibility with earlier versions, $$ is still recognized as indicating a literal $ in the output.

ttl

Specifies the time-to-live of the generated records. If not specified this will be inherited using the normal TTL inheritance rules.

class and ttl can be entered in either order.

class

Specifies the class of the generated records. This must match the zone class if it is specified.

class and ttl can be entered in either order.

type

At present the only supported types are PTR, CNAME, DNAME, A, AAAA and NS.

rhs

rhs is a domain name. It is processed similarly to lhs.

The $GENERATE directive is a BIND extension and not part of the standard zone file format.

BIND 8 does not support the optional TTL and CLASS fields.

Additional File Formats

In addition to the standard textual format, BIND 9 supports the ability to read or dump to zone files in other formats. The raw format is currently available as an additional format. It is a binary format representing BIND 9's internal data structure directly, thereby remarkably improving the loading time.

For a primary server, a zone file in the raw format is expected to be generated from a textual zone file by the named-compilezone command. For a secondary server or for a dynamic zone, it is automatically generated (if this format is specified by the masterfile-format option) when named dumps the zone contents after zone transfer or when applying prior updates.

If a zone file in a binary format needs manual modification, it first must be converted to a textual form by the named-compilezone command. All necessary modification should go to the text file, which should then be converted to the binary form by the named-compilezone command again.

Although the raw format uses the network byte order and avoids architecture-dependent data alignment so that it is as much portable as possible, it is primarily expected to be used inside the same single system. In order to export a zone file in the raw format or make a portable backup of the file, it is recommended to convert the file to the standard textual representation.

BIND9 Statistics

BIND 9 maintains lots of statistics information and provides several interfaces for users to get access to the statistics. The available statistics include all statistics counters that were available in BIND 8 and are meaningful in BIND 9, and other information that is considered useful.

The statistics information is categorized into the following sections.

Incoming Requests

The number of incoming DNS requests for each OPCODE.

Incoming Queries

The number of incoming queries for each RR type.

Outgoing Queries

The number of outgoing queries for each RR type sent from the internal resolver. Maintained per view.

Name Server Statistics

Statistics counters about incoming request processing.

Zone Maintenance Statistics

Statistics counters regarding zone maintenance operations such as zone transfers.

Resolver Statistics

Statistics counters about name resolution performed in the internal resolver. Maintained per view.

Cache DB RRsets

The number of RRsets per RR type (positive or negative) and nonexistent names stored in the cache database. Maintained per view.

Socket I/O Statistics

Statistics counters about network related events.

A subset of Name Server Statistics is collected and shown per zone for which the server has the authority when zone-statistics is set to yes. These statistics counters are shown with their zone and view names. In some cases the view names are omitted for the default view.

There are currently two user interfaces to get access to the statistics. One is in the plain text format dumped to the file specified by the statistics-file configuration option. The other is remotely accessible via a statistics channel when the statistics-channels statement is specified in the configuration file (see the section called “statistics-channels Statement Grammar”.)

The Statistics File

The text format statistics dump begins with a line, like:

+++ Statistics Dump +++ (973798949)

The number in parentheses is a standard Unix-style timestamp, measured as seconds since January 1, 1970. Following that line is a set of statistics information, which is categorized as described above. Each section begins with a line, like:

++ Name Server Statistics ++

Each section consists of lines, each containing the statistics counter value followed by its textual description. See below for available counters. For brevity, counters that have a value of 0 are not shown in the statistics file.

The statistics dump ends with the line where the number is identical to the number in the beginning line; for example:

--- Statistics Dump --- (973798949)

Statistics Counters

The following tables summarize statistics counters that BIND 9 provides. For each row of the tables, the leftmost column is the abbreviated symbol name of that counter. These symbols are shown in the statistics information accessed via an HTTP statistics channel. The rightmost column gives the description of the counter, which is also shown in the statistics file (but, in this document, possibly with slight modification for better readability). Additional notes may also be provided in this column. When a middle column exists between these two columns, it gives the corresponding counter name of the BIND 8 statistics, if applicable.

-Name Server Statistics Counters

+Name Server Statistics Counters

Symbol

BIND8 Symbol

Description

Requestv4

RQ

IPv4 requests received. Note: this also counts non query requests.

Requestv6

RQ

IPv6 requests received. Note: this also counts non query requests.

ReqEdns0

Requests with EDNS(0) received.

ReqBadEDNSVer

Requests with unsupported EDNS version received.

ReqTSIG

Requests with TSIG received.

ReqSIG0

Requests with SIG(0) received.

ReqBadSIG

Requests with invalid (TSIG or SIG(0)) signature.

ReqTCP

RTCP

TCP requests received.

AuthQryRej

RUQ

Authoritative (non recursive) queries rejected.

RecQryRej

RURQ

Recursive queries rejected.

XfrRej

RUXFR

Zone transfer requests rejected.

UpdateRej

RUUpd

Dynamic update requests rejected.

Response

SAns

Responses sent.

RespTruncated

Truncated responses sent.

RespEDNS0

Responses with EDNS(0) sent.

RespTSIG

Responses with TSIG sent.

RespSIG0

Responses with SIG(0) sent.

QrySuccess

Queries resulted in a successful answer. This means the query which returns a NOERROR response with at least one answer RR. This corresponds to the success counter of previous versions of BIND 9.

QryAuthAns

Queries resulted in authoritative answer.

QryNoauthAns

SNaAns

Queries resulted in non authoritative answer.

QryReferral

Queries resulted in referral answer. This corresponds to the referral counter of previous versions of BIND 9.

QryNxrrset

Queries resulted in NOERROR responses with no data. This corresponds to the nxrrset counter of previous versions of BIND 9.

QrySERVFAIL

SFail

Queries resulted in SERVFAIL.

QryFORMERR

SFErr

Queries resulted in FORMERR.

QryNXDOMAIN

SNXD

Queries resulted in NXDOMAIN. This corresponds to the nxdomain counter of previous versions of BIND 9.

QryRecursion

RFwdQ

Queries which caused the server to perform recursion in order to find the final answer. This corresponds to the recursion counter of previous versions of BIND 9.

QryDuplicate

RDupQ

Queries which the server attempted to recurse but discovered an existing query with the same IP address, port, query ID, name, type and class already being processed. This corresponds to the duplicate counter of previous versions of BIND 9.

QryDropped

Recursive queries for which the server discovered an excessive number of existing recursive queries for the same name, type and class and were subsequently dropped. This is the number of dropped queries due to the reason explained with the clients-per-query and max-clients-per-query options (see the description about clients-per-query.) This corresponds to the dropped counter of previous versions of BIND 9.

QryFailure

Other query failures. This corresponds to the failure counter of previous versions of BIND 9. Note: this counter is provided mainly for backward compatibility with the previous versions. Normally a more fine-grained counters such as AuthQryRej and RecQryRej that would also fall into this counter are provided, and so this counter would not be of much interest in practice.

XfrReqDone

Requested zone transfers completed.

UpdateReqFwd

Update requests forwarded.

UpdateRespFwd

Update responses forwarded.

UpdateFwdFail

Dynamic update forward failed.

UpdateDone

Dynamic updates completed.

UpdateFail

Dynamic updates failed.

UpdateBadPrereq

Dynamic updates rejected due to prerequisite failure.

-Zone Maintenance Statistics Counters

+Zone Maintenance Statistics Counters

Symbol

Description

NotifyOutv4

IPv4 notifies sent.

NotifyOutv6

IPv6 notifies sent.

NotifyInv4

IPv4 notifies received.

NotifyInv6

IPv6 notifies received.

NotifyRej

Incoming notifies rejected.

SOAOutv4

IPv4 SOA queries sent.

SOAOutv6

IPv6 SOA queries sent.

AXFRReqv4

IPv4 AXFR requested.

AXFRReqv6

IPv6 AXFR requested.

IXFRReqv4

IPv4 IXFR requested.

IXFRReqv6

IPv6 IXFR requested.

XfrSuccess

Zone transfer requests succeeded.

XfrFail

Zone transfer requests failed.

-Resolver Statistics Counters

+Resolver Statistics Counters

Symbol

BIND8 Symbol

Description

Queryv4

SFwdQ

IPv4 queries sent.

Queryv6

SFwdQ

IPv6 queries sent.

Responsev4

RR

IPv4 responses received.

Responsev6

RR

IPv6 responses received.

NXDOMAIN

RNXD

NXDOMAIN received.

SERVFAIL

RFail

SERVFAIL received.

FORMERR

RFErr

FORMERR received.

OtherError

RErr

Other errors received.

EDNS0Fail

EDNS(0) query failures.

Mismatch

RDupR

Mismatch responses received.

Truncated

Truncated responses received.

Lame

RLame

Lame delegations received.

Retry

SDupQ

Query retries performed.

QueryAbort

Queries aborted due to quota control.

QuerySockFail

Failures in opening query sockets. One common reason for such failures is a failure of opening a new socket due to a limitation on file descriptors.

QueryTimeout

Query timeouts.

GlueFetchv4

SSysQ

IPv4 NS address fetches invoked.

GlueFetchv6

SSysQ

IPv6 NS address fetches invoked.

GlueFetchv4Fail

IPv4 NS address fetch failed.

GlueFetchv6Fail

IPv6 NS address fetch failed.

ValAttempt

DNSSEC validation attempted.

ValOk

DNSSEC validation succeeded.

ValNegOk

DNSSEC validation on negative information succeeded.

ValFail

DNSSEC validation failed.

QryRTTnn

Frequency table on round trip times (RTTs) of queries. Each nn specifies the corresponding frequency. In the sequence of nn_1, nn_2, ..., nn_m, the value of nn_i is the number of queries whose RTTs are between nn_(i-1) (inclusive) and nn_i (exclusive) milliseconds. For the sake of convenience we define nn_0 to be 0. The last entry should be represented as nn_m+, which means the number of queries whose RTTs are equal to or over nn_m milliseconds.

-Socket I/O Statistics Counters

+Socket I/O Statistics Counters

Socket I/O statistics counters are defined per socket types, which are UDP4 (UDP/IPv4), UDP6 (UDP/IPv6), TCP4 (TCP/IPv4), TCP6 (TCP/IPv6), Unix (Unix Domain), and FDwatch (sockets opened outside the socket module). In the following table <TYPE> represents a socket type. Not all counters are available for all socket types; exceptions are noted in the description field.

Symbol

Description

<TYPE>Open

Sockets opened successfully. This counter is not applicable to the FDwatch type.

<TYPE>OpenFail

Failures of opening sockets. This counter is not applicable to the FDwatch type.

<TYPE>Close

Sockets closed.

<TYPE>BindFail

Failures of binding sockets.

<TYPE>ConnFail

Failures of connecting sockets.

<TYPE>Conn

Connections established successfully.

<TYPE>AcceptFail

Failures of accepting incoming connection requests. This counter is not applicable to the UDP and FDwatch types.

<TYPE>Accept

Incoming connections successfully accepted. This counter is not applicable to the UDP and FDwatch types.

<TYPE>SendErr

Errors in socket send operations. This counter corresponds to SErr counter of BIND 8.

<TYPE>RecvErr

Errors in socket receive operations. This includes errors of send operations on a connected UDP socket notified by an ICMP error message.

-Compatibility with BIND 8 Counters

+Compatibility with BIND 8 Counters

Most statistics counters that were available in BIND 8 are also supported in BIND 9 as shown in the above tables. Here are notes about other counters that do not appear in these tables.

RFwdR,SFwdR

These counters are not supported because BIND 9 does not adopt the notion of forwarding as BIND 8 did.

RAXFR

This counter is accessible in the Incoming Queries section.

RIQ

This counter is accessible in the Incoming Requests section.

ROpts

This counter is not supported because BIND 9 does not care about IP options in the first place.

Prev     Next
Chapter 5. The BIND 9 Lightweight Resolver  Home  Chapter 7. BIND 9 Security Considerations
Index: head/contrib/bind9/doc/arm/Bv9ARM.ch07.html =================================================================== --- head/contrib/bind9/doc/arm/Bv9ARM.ch07.html (revision 205291) +++ head/contrib/bind9/doc/arm/Bv9ARM.ch07.html (revision 205292) @@ -1,256 +1,256 @@ - + Chapter 7. BIND 9 Security Considerations
Chapter 7. BIND 9 Security Considerations
Prev     Next

Chapter 7. BIND 9 Security Considerations

Table of Contents

Access Control Lists
-
Chroot and Setuid
+
Chroot and Setuid
-
The chroot Environment
-
Using the setuid Function
+
The chroot Environment
+
Using the setuid Function
Dynamic Update Security

Access Control Lists

Access Control Lists (ACLs) are address match lists that you can set up and nickname for future use in allow-notify, allow-query, allow-query-on, allow-recursion, allow-recursion-on, blackhole, allow-transfer, etc.

Using ACLs allows you to have finer control over who can access your name server, without cluttering up your config files with huge lists of IP addresses.

It is a good idea to use ACLs, and to control access to your server. Limiting access to your server by outside parties can help prevent spoofing and denial of service (DoS) attacks against your server.

Here is an example of how to properly apply ACLs: 

 // Set up an ACL named "bogusnets" that will block RFC1918 space
 // and some reserved space, which is commonly used in spoofing attacks.
 acl bogusnets {
         0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
         10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
 };
 
 // Set up an ACL called our-nets. Replace this with the real IP numbers.
 acl our-nets { x.x.x.x/24; x.x.x.x/21; };
 options {
   ...
   ...
   allow-query { our-nets; };
   allow-recursion { our-nets; };
   ...
   blackhole { bogusnets; };
   ...
 };
 
 zone "example.com" {
   type master;
   file "m/example.com";
   allow-query { any; };
 };

This allows recursive queries of the server from the outside unless recursion has been previously disabled.

For more information on how to use ACLs to protect your server, see the AUSCERT advisory at:

ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos

-Chroot and Setuid +Chroot and Setuid

On UNIX servers, it is possible to run BIND in a chrooted environment (using the chroot() function) by specifying the "-t" option for named. This can help improve system security by placing BIND in a "sandbox", which will limit the damage done if a server is compromised.

Another useful feature in the UNIX version of BIND is the ability to run the daemon as an unprivileged user ( -u user ). We suggest running as an unprivileged user when using the chroot feature.

Here is an example command line to load BIND in a chroot sandbox, /var/named, and to run named setuid to user 202:

/usr/local/sbin/named -u 202 -t /var/named

-The chroot Environment

+The chroot Environment

In order for a chroot environment to work properly in a particular directory (for example, /var/named), you will need to set up an environment that includes everything BIND needs to run. From BIND's point of view, /var/named is the root of the filesystem. You will need to adjust the values of options like like directory and pid-file to account for this.

Unlike with earlier versions of BIND, you typically will not need to compile named statically nor install shared libraries under the new root. However, depending on your operating system, you may need to set up things like /dev/zero, /dev/random, /dev/log, and /etc/localtime.

-Using the setuid Function

+Using the setuid Function

Prior to running the named daemon, use the touch utility (to change file access and modification times) or the chown utility (to set the user id and/or group id) on files to which you want BIND to write.

Note

Note that if the named daemon is running as an unprivileged user, it will not be able to bind to new restricted ports if the server is reloaded.

Dynamic Update Security

Access to the dynamic update facility should be strictly limited. In earlier versions of BIND, the only way to do this was based on the IP address of the host requesting the update, by listing an IP address or network prefix in the allow-update zone option. This method is insecure since the source address of the update UDP packet is easily forged. Also note that if the IP addresses allowed by the allow-update option include the address of a slave server which performs forwarding of dynamic updates, the master can be trivially attacked by sending the update to the slave, which will forward it to the master with its own source IP address causing the master to approve it without question.

For these reasons, we strongly recommend that updates be cryptographically authenticated by means of transaction signatures (TSIG). That is, the allow-update option should list only TSIG key names, not IP addresses or network prefixes. Alternatively, the new update-policy option can be used.

Some sites choose to keep all dynamically-updated DNS data in a subdomain and delegate that subdomain to a separate zone. This way, the top-level zone containing critical data such as the IP addresses of public web and mail servers need not allow dynamic update at all.

Prev     Next
Chapter 6. BIND 9 Configuration Reference  Home  Chapter 8. Troubleshooting
Index: head/contrib/bind9/doc/arm/Bv9ARM.ch08.html =================================================================== --- head/contrib/bind9/doc/arm/Bv9ARM.ch08.html (revision 205291) +++ head/contrib/bind9/doc/arm/Bv9ARM.ch08.html (revision 205292) @@ -1,139 +1,139 @@ - + Chapter 8. Troubleshooting
Chapter 8. Troubleshooting
Prev     Next

Chapter 8. Troubleshooting

Table of Contents

-
Common Problems
-
It's not working; how can I figure out what's wrong?
-
Incrementing and Changing the Serial Number
-
Where Can I Get Help?
+
Common Problems
+
It's not working; how can I figure out what's wrong?
+
Incrementing and Changing the Serial Number
+
Where Can I Get Help?

-Common Problems

+Common Problems

-It's not working; how can I figure out what's wrong?

+It's not working; how can I figure out what's wrong?

The best solution to solving installation and configuration issues is to take preventative measures by setting up logging files beforehand. The log files provide a source of hints and information that can be used to figure out what went wrong and how to fix the problem.

-Incrementing and Changing the Serial Number

+Incrementing and Changing the Serial Number

Zone serial numbers are just numbers — they aren't date related. A lot of people set them to a number that represents a date, usually of the form YYYYMMDDRR. Occasionally they will make a mistake and set them to a "date in the future" then try to correct them by setting them to the "current date". This causes problems because serial numbers are used to indicate that a zone has been updated. If the serial number on the slave server is lower than the serial number on the master, the slave server will attempt to update its copy of the zone.

Setting the serial number to a lower number on the master server than the slave server means that the slave will not perform updates to its copy of the zone.

The solution to this is to add 2147483647 (2^31-1) to the number, reload the zone and make sure all slaves have updated to the new zone serial number, then reset the number to what you want it to be, and reload the zone again.

-Where Can I Get Help?

+Where Can I Get Help?

The Internet Systems Consortium (ISC) offers a wide range of support and service agreements for BIND and DHCP servers. Four levels of premium support are available and each level includes support for all ISC programs, significant discounts on products and training, and a recognized priority on bug fixes and non-funded feature requests. In addition, ISC offers a standard support agreement package which includes services ranging from bug fix announcements to remote support. It also includes training in BIND and DHCP.

To discuss arrangements for support, contact info@isc.org or visit the ISC web page at http://www.isc.org/services/support/ to read more.

Prev     Next
Chapter 7. BIND 9 Security Considerations  Home  Appendix A. Appendices
Index: head/contrib/bind9/doc/arm/Bv9ARM.ch09.html =================================================================== --- head/contrib/bind9/doc/arm/Bv9ARM.ch09.html (revision 205291) +++ head/contrib/bind9/doc/arm/Bv9ARM.ch09.html (revision 205292) @@ -1,628 +1,628 @@ - + Appendix A. Appendices
Appendix A. Appendices
Prev     Next

Appendix A. Appendices

Table of Contents

-
Acknowledgments
+
Acknowledgments
A Brief History of the DNS and BIND
-
General DNS Reference Information
+
General DNS Reference Information
IPv6 addresses (AAAA)
Bibliography (and Suggested Reading)
Request for Comments (RFCs)
Internet Drafts
-
Other Documents About BIND
+
Other Documents About BIND

-Acknowledgments

+Acknowledgments

A Brief History of the DNS and BIND

Although the "official" beginning of the Domain Name System occurred in 1984 with the publication of RFC 920, the core of the new system was described in 1983 in RFCs 882 and 883. From 1984 to 1987, the ARPAnet (the precursor to today's Internet) became a testbed of experimentation for developing the new naming/addressing scheme in a rapidly expanding, operational network environment. New RFCs were written and published in 1987 that modified the original documents to incorporate improvements based on the working model. RFC 1034, "Domain Names-Concepts and Facilities", and RFC 1035, "Domain Names-Implementation and Specification" were published and became the standards upon which all DNS implementations are built.

The first working domain name server, called "Jeeves", was written in 1983-84 by Paul Mockapetris for operation on DEC Tops-20 machines located at the University of Southern California's Information Sciences Institute (USC-ISI) and SRI International's Network Information Center (SRI-NIC). A DNS server for Unix machines, the Berkeley Internet Name Domain (BIND) package, was written soon after by a group of graduate students at the University of California at Berkeley under a grant from the US Defense Advanced Research Projects Administration (DARPA).

Versions of BIND through 4.8.3 were maintained by the Computer Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark Painter, David Riggle and Songnian Zhou made up the initial BIND project team. After that, additional work on the software package was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment Corporation employee on loan to the CSRG, worked on BIND for 2 years, from 1985 to 1987. Many other people also contributed to BIND development during that time: Doug Kingston, Craig Partridge, Smoot Carl-Mitchell, Mike Muuss, Jim Bloom and Mike Schwartz. BIND maintenance was subsequently handled by Mike Karels and Øivind Kure.

BIND versions 4.9 and 4.9.1 were released by Digital Equipment Corporation (now Compaq Computer Corporation). Paul Vixie, then a DEC employee, became BIND's primary caretaker. He was assisted by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan Beecher, Andrew Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe Wolfhugel, and others.

In 1994, BIND version 4.9.2 was sponsored by Vixie Enterprises. Paul Vixie became BIND's principal architect/programmer.

BIND versions from 4.9.3 onward have been developed and maintained by the Internet Systems Consortium and its predecessor, the Internet Software Consortium, with support being provided by ISC's sponsors.

As co-architects/programmers, Bob Halley and Paul Vixie released the first production-ready version of BIND version 8 in May 1997.

BIND version 9 was released in September 2000 and is a major rewrite of nearly all aspects of the underlying BIND architecture.

BIND versions 4 and 8 are officially deprecated. No additional development is done on BIND version 4 or BIND version 8.

BIND development work is made possible today by the sponsorship of several corporations, and by the tireless work efforts of numerous individuals.

-General DNS Reference Information

+General DNS Reference Information

IPv6 addresses (AAAA)

IPv6 addresses are 128-bit identifiers for interfaces and sets of interfaces which were introduced in the DNS to facilitate scalable Internet routing. There are three types of addresses: Unicast, an identifier for a single interface; Anycast, an identifier for a set of interfaces; and Multicast, an identifier for a set of interfaces. Here we describe the global Unicast address scheme. For more information, see RFC 3587, "Global Unicast Address Format."

IPv6 unicast addresses consist of a global routing prefix, a subnet identifier, and an interface identifier.

The global routing prefix is provided by the upstream provider or ISP, and (roughly) corresponds to the IPv4 network section of the address range. The subnet identifier is for local subnetting, much the same as subnetting an IPv4 /16 network into /24 subnets. The interface identifier is the address of an individual interface on a given network; in IPv6, addresses belong to interfaces rather than to machines.

The subnetting capability of IPv6 is much more flexible than that of IPv4: subnetting can be carried out on bit boundaries, in much the same way as Classless InterDomain Routing (CIDR), and the DNS PTR representation ("nibble" format) makes setting up reverse zones easier.

The Interface Identifier must be unique on the local link, and is usually generated automatically by the IPv6 implementation, although it is usually possible to override the default setting if necessary. A typical IPv6 address might look like: 2001:db8:201:9:a00:20ff:fe81:2b32

IPv6 address specifications often contain long strings of zeros, so the architects have included a shorthand for specifying them. The double colon (`::') indicates the longest possible string of zeros that can fit, and can be used only once in an address.

Bibliography (and Suggested Reading)

Request for Comments (RFCs)

Specification documents for the Internet protocol suite, including the DNS, are published as part of the Request for Comments (RFCs) series of technical notes. The standards themselves are defined by the Internet Engineering Task Force (IETF) and the Internet Engineering Steering Group (IESG). RFCs can be obtained online via FTP at:

ftp://www.isi.edu/in-notes/RFCxxxx.txt

(where xxxx is the number of the RFC). RFCs are also available via the Web at:

http://www.ietf.org/rfc/.

-Bibliography

+Bibliography

Standards

-

[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986.

+

[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986.

-

[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987.

+

[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987.

-

[RFC1035] P. V. Mockapetris. Domain Names — Implementation and +

[RFC1035] P. V. Mockapetris. Domain Names — Implementation and Specification. November 1987.

Proposed Standards

-

[RFC2181] R., R. Bush Elz. Clarifications to the DNS +

[RFC2181] R., R. Bush Elz. Clarifications to the DNS Specification. July 1997.

-

[RFC2308] M. Andrews. Negative Caching of DNS +

[RFC2308] M. Andrews. Negative Caching of DNS Queries. March 1998.

-

[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996.

+

[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996.

-

[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996.

+

[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996.

-

[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997.

+

[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997.

-

[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997.

+

[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997.

-

[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999.

+

[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999.

-

[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000.

+

[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000.

-

[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000.

+

[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000.

-

[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000.

+

[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000.

-

[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000.

+

[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000.

-

[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret +

[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG). October 2003.

DNS Security Proposed Standards

-

[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001.

+

[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001.

-

[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004.

+

[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004.

-

[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005.

+

[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005.

-

[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005.

+

[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005.

-

[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS +

[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS Security Extensions. March 2005.

Other Important RFCs About DNS Implementation

-

[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely +

[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely Deployed DNS Software.. October 1993.

-

[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation +

[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation Errors and Suggested Fixes. October 1993.

-

[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996.

+

[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996.

-

[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS +

[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS Queries for IPv6 Addresses. May 2005.

Resource Record Types

-

[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990.

+

[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990.

-

[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994.

+

[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994.

-

[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using +

[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using the Domain Name System. June 1997.

-

[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the +

[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the Domain Name System. January 1996.

-

[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the +

[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the Location of Services.. October 1996.

-

[RFC2163] A. Allocchio. Using the Internet DNS to +

[RFC2163] A. Allocchio. Using the Internet DNS to Distribute MIXER Conformant Global Address Mapping. January 1998.

-

[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997.

+

[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997.

-

[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.

+

[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.

-

[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.

+

[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.

-

[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999.

+

[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999.

-

[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.

+

[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.

-

[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999.

+

[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999.

-

[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000.

+

[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000.

-

[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.

+

[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.

-

[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.

+

[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.

-

[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.

+

[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.

-

[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP +

[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP version 6. October 2003.

-

[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003.

+

[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003.

DNS and the Internet

-

[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names +

[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names and Other Types. April 1989.

-

[RFC1123] Braden. Requirements for Internet Hosts - Application and +

[RFC1123] Braden. Requirements for Internet Hosts - Application and Support. October 1989.

-

[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994.

+

[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994.

-

[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998.

+

[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998.

-

[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000.

+

[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000.

-

[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000.

+

[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000.

DNS Operations

-

[RFC1033] M. Lottor. Domain administrators operations guide.. November 1987.

+

[RFC1033] M. Lottor. Domain administrators operations guide.. November 1987.

-

[RFC1537] P. Beertema. Common DNS Data File +

[RFC1537] P. Beertema. Common DNS Data File Configuration Errors. October 1993.

-

[RFC1912] D. Barr. Common DNS Operational and +

[RFC1912] D. Barr. Common DNS Operational and Configuration Errors. February 1996.

-

[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996.

+

[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996.

-

[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for +

[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for Network Services.. October 1997.

Internationalized Domain Names

-

[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names, +

[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names, and the Other Internet protocols. May 2000.

-

[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003.

+

[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003.

-

[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003.

+

[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003.

-

[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode +

[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA). March 2003.

Other DNS-related RFCs

Note

Note: the following list of RFCs, although DNS-related, are not concerned with implementing software.

-

[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String +

[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String Attributes. May 1993.

-

[RFC1713] A. Romao. Tools for DNS Debugging. November 1994.

+

[RFC1713] A. Romao. Tools for DNS Debugging. November 1994.

-

[RFC1794] T. Brisco. DNS Support for Load +

[RFC1794] T. Brisco. DNS Support for Load Balancing. April 1995.

-

[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997.

+

[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997.

-

[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998.

+

[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998.

-

[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998.

+

[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998.

-

[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.

+

[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.

-

[RFC3258] T. Hardie. Distributing Authoritative Name Servers via +

[RFC3258] T. Hardie. Distributing Authoritative Name Servers via Shared Unicast Addresses. April 2002.

-

[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004.

+

[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004.

Obsolete and Unimplemented Experimental RFC

-

[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical +

[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical Location. November 1994.

-

[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999.

+

[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999.

-

[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation +

[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation and Renumbering. July 2000.

Obsoleted DNS Security RFCs

Note

Most of these have been consolidated into RFC4033, RFC4034 and RFC4035 which collectively describe DNSSECbis.

-

[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997.

+

[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997.

-

[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997.

+

[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997.

-

[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999.

+

[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999.

-

[RFC3008] B. Wellington. Domain Name System Security (DNSSEC) +

[RFC3008] B. Wellington. Domain Name System Security (DNSSEC) Signing Authority. November 2000.

-

[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001.

+

[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001.

-

[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002.

+

[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002.

-

[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003.

+

[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003.

-

[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003.

+

[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003.

-

[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.

+

[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.

-

[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record +

[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag. April 2004.

-

[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.

+

[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.

Internet Drafts

Internet Drafts (IDs) are rough-draft working documents of the Internet Engineering Task Force. They are, in essence, RFCs in the preliminary stages of development. Implementors are cautioned not to regard IDs as archival, and they should not be quoted or cited in any formal documents unless accompanied by the disclaimer that they are "works in progress." IDs have a lifespan of six months after which they are deleted unless updated by their authors.

-Other Documents About BIND +Other Documents About BIND

-Bibliography

+Bibliography
-

Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.

+

Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.

Prev     Next
Chapter 8. Troubleshooting  Home  Manual pages
Index: head/contrib/bind9/doc/arm/Bv9ARM.html =================================================================== --- head/contrib/bind9/doc/arm/Bv9ARM.html (revision 205291) +++ head/contrib/bind9/doc/arm/Bv9ARM.html (revision 205292) @@ -1,276 +1,276 @@ - + BIND 9 Administrator Reference Manual
BIND 9 Administrator Reference Manual
     Next

BIND 9 Administrator Reference Manual

Copyright © 2004-2010 Internet Systems Consortium, Inc. ("ISC")

Copyright © 2000-2003 Internet Software Consortium.

Table of Contents

1. Introduction
Scope of Document
Organization of This Document
Conventions Used in This Document
The Domain Name System (DNS)
DNS Fundamentals
Domains and Domain Names
Zones
Authoritative Name Servers
Caching Name Servers
Name Servers in Multiple Roles
2. BIND Resource Requirements
Hardware requirements
CPU Requirements
Memory Requirements
Name Server Intensive Environment Issues
Supported Operating Systems
3. Name Server Configuration
Sample Configurations
A Caching-only Name Server
An Authoritative-only Name Server
Load Balancing
Name Server Operations
Tools for Use With the Name Server Daemon
Signals
4. Advanced DNS Features
Notify
Dynamic Update
The journal file
Incremental Zone Transfers (IXFR)
Split DNS
Example split DNS setup
TSIG
Generate Shared Keys for Each Pair of Hosts
Copying the Shared Secret to Both Machines
Informing the Servers of the Key's Existence
Instructing the Server to Use the Key
TSIG Key Based Access Control
Errors
TKEY
SIG(0)
DNSSEC
Generating Keys
Signing the Zone
Configuring Servers
IPv6 Support in BIND 9
Address Lookups Using AAAA Records
Address to Name Lookups Using Nibble Format
5. The BIND 9 Lightweight Resolver
The Lightweight Resolver Library
Running a Resolver Daemon
6. BIND 9 Configuration Reference
Configuration File Elements
Address Match Lists
Comment Syntax
Configuration File Grammar
acl Statement Grammar
acl Statement Definition and Usage
controls Statement Grammar
controls Statement Definition and Usage
include Statement Grammar
include Statement Definition and Usage
key Statement Grammar
key Statement Definition and Usage
logging Statement Grammar
logging Statement Definition and Usage
lwres Statement Grammar
lwres Statement Definition and Usage
masters Statement Grammar
masters Statement Definition and Usage
options Statement Grammar
options Statement Definition and Usage
server Statement Grammar
server Statement Definition and Usage
statistics-channels Statement Grammar
-
statistics-channels Statement Definition and +
statistics-channels Statement Definition and Usage
-
trusted-keys Statement Grammar
-
trusted-keys Statement Definition +
trusted-keys Statement Grammar
+
trusted-keys Statement Definition and Usage
view Statement Grammar
-
view Statement Definition and Usage
+
view Statement Definition and Usage
zone Statement Grammar
-
zone Statement Definition and Usage
+
zone Statement Definition and Usage
-
Zone File
+
Zone File
Types of Resource Records and When to Use Them
-
Discussion of MX Records
+
Discussion of MX Records
Setting TTLs
-
Inverse Mapping in IPv4
-
Other Zone File Directives
-
BIND Master File Extension: the $GENERATE Directive
+
Inverse Mapping in IPv4
+
Other Zone File Directives
+
BIND Master File Extension: the $GENERATE Directive
Additional File Formats
BIND9 Statistics
Statistics Counters
7. BIND 9 Security Considerations
Access Control Lists
-
Chroot and Setuid
+
Chroot and Setuid
-
The chroot Environment
-
Using the setuid Function
+
The chroot Environment
+
Using the setuid Function
Dynamic Update Security
8. Troubleshooting
-
Common Problems
-
It's not working; how can I figure out what's wrong?
-
Incrementing and Changing the Serial Number
-
Where Can I Get Help?
+
Common Problems
+
It's not working; how can I figure out what's wrong?
+
Incrementing and Changing the Serial Number
+
Where Can I Get Help?
A. Appendices
-
Acknowledgments
+
Acknowledgments
A Brief History of the DNS and BIND
-
General DNS Reference Information
+
General DNS Reference Information
IPv6 addresses (AAAA)
Bibliography (and Suggested Reading)
Request for Comments (RFCs)
Internet Drafts
-
Other Documents About BIND
+
Other Documents About BIND
I. Manual pages
dig — DNS lookup utility
host — DNS lookup utility
dnssec-dsfromkey — DNSSEC DS RR generation tool
dnssec-keyfromlabel — DNSSEC key generation tool
dnssec-keygen — DNSSEC key generation tool
dnssec-signzone — DNSSEC zone signing tool
named-checkconf — named configuration file syntax checking tool
named-checkzone — zone file validity checking or converting tool
named — Internet domain name server
nsupdate — Dynamic DNS update utility
rndc — name server control utility
rndc.conf — rndc configuration file
rndc-confgen — rndc key generation tool
     Next
     Chapter 1. Introduction
Index: head/contrib/bind9/doc/arm/Bv9ARM.pdf =================================================================== Cannot display: file marked as a binary type. svn:mime-type = application/pdf Index: head/contrib/bind9/doc/arm/man.dig.html =================================================================== --- head/contrib/bind9/doc/arm/man.dig.html (revision 205291) +++ head/contrib/bind9/doc/arm/man.dig.html (revision 205292) @@ -1,675 +1,675 @@ - + dig
dig
Prev  Manual pages  Next

Name

dig — DNS lookup utility

Synopsis

dig [@server] [-b address] [-c class] [-f filename] [-k filename] [-m] [-p port#] [-q name] [-t type] [-x addr] [-y [hmac:]name:key] [-4] [-6] [name] [type] [class] [queryopt...]

dig [-h]

dig [global-queryopt...] [query...]

-

DESCRIPTION

+

DESCRIPTION

dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administrators use dig to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality than dig.

Although dig is normally used with command-line arguments, it also has a batch mode of operation for reading lookup requests from a file. A brief summary of its command-line arguments and options is printed when the -h option is given. Unlike earlier versions, the BIND 9 implementation of dig allows multiple lookups to be issued from the command line.

Unless it is told to query a specific name server, dig will try each of the servers listed in /etc/resolv.conf.

When no command line arguments or options are given, dig will perform an NS query for "." (the root).

It is possible to set per-user defaults for dig via ${HOME}/.digrc. This file is read and any options in it are applied before the command line arguments.

The IN and CH class names overlap with the IN and CH top level domains names. Either use the -t and -c options to specify the type and class, use the -q the specify the domain name, or use "IN." and "CH." when looking up these top level domains.

-

SIMPLE USAGE

+

SIMPLE USAGE

A typical invocation of dig looks like: 

 dig @server name type

where:

server

is the name or IP address of the name server to query. This can be an IPv4 address in dotted-decimal notation or an IPv6 address in colon-delimited notation. When the supplied server argument is a hostname, dig resolves that name before querying that name server. If no server argument is provided, dig consults /etc/resolv.conf and queries the name servers listed there. The reply from the name server that responds is displayed.

name

is the name of the resource record that is to be looked up.

type

indicates what type of query is required — ANY, A, MX, SIG, etc. type can be any valid query type. If no type argument is supplied, dig will perform a lookup for an A record.

-

OPTIONS

+

OPTIONS

The -b option sets the source IP address of the query to address. This must be a valid address on one of the host's network interfaces or "0.0.0.0" or "::". An optional port may be specified by appending "#<port>"

The default query class (IN for internet) is overridden by the -c option. class is any valid class, such as HS for Hesiod records or CH for Chaosnet records.

The -f option makes dig operate in batch mode by reading a list of lookup requests to process from the file filename. The file contains a number of queries, one per line. Each entry in the file should be organized in the same way they would be presented as queries to dig using the command-line interface.

The -m option enables memory usage debugging.

If a non-standard port number is to be queried, the -p option is used. port# is the port number that dig will send its queries instead of the standard DNS port number 53. This option would be used to test a name server that has been configured to listen for queries on a non-standard port number.

The -4 option forces dig to only use IPv4 query transport. The -6 option forces dig to only use IPv6 query transport.

The -t option sets the query type to type. It can be any valid query type which is supported in BIND 9. The default query type is "A", unless the -x option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required, type is set to ixfr=N. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone's SOA record was N.

The -q option sets the query name to name. This useful do distinguish the name from other arguments.

Reverse lookups — mapping addresses to names — are simplified by the -x option. addr is an IPv4 address in dotted-decimal notation, or a colon-delimited IPv6 address. When this option is used, there is no need to provide the name, class and type arguments. dig automatically performs a lookup for a name like 11.12.13.10.in-addr.arpa and sets the query type and class to PTR and IN respectively. By default, IPv6 addresses are looked up using nibble format under the IP6.ARPA domain. To use the older RFC1886 method using the IP6.INT domain specify the -i option. Bit string labels (RFC2874) are now experimental and are not attempted.

To sign the DNS queries sent by dig and their responses using transaction signatures (TSIG), specify a TSIG key file using the -k option. You can also specify the TSIG key itself on the command line using the -y option; hmac is the type of the TSIG, default HMAC-MD5, name is the name of the TSIG key and key is the actual key. The key is a base-64 encoded string, typically generated by dnssec-keygen(8). Caution should be taken when using the -y option on multi-user systems as the key can be visible in the output from ps(1) or in the shell's history file. When using TSIG authentication with dig, the name server that is queried needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate key and server statements in named.conf.

-

QUERY OPTIONS

+

QUERY OPTIONS

dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of these set or reset flag bits in the query header, some determine which sections of the answer get printed, and others determine the timeout and retry strategies.

Each query option is identified by a keyword preceded by a plus sign (+). Some keywords set or reset an option. These may be preceded by the string no to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They have the form +keyword=value. The query options are:

+[no]tcp

Use [do not use] TCP when querying name servers. The default behavior is to use UDP unless an AXFR or IXFR query is requested, in which case a TCP connection is used.

+[no]vc

Use [do not use] TCP when querying name servers. This alternate syntax to +[no]tcp is provided for backwards compatibility. The "vc" stands for "virtual circuit".

+[no]ignore

Ignore truncation in UDP responses instead of retrying with TCP. By default, TCP retries are performed.

+domain=somename

Set the search list to contain the single domain somename, as if specified in a domain directive in /etc/resolv.conf, and enable search list processing as if the +search option were given.

+[no]search

Use [do not use] the search list defined by the searchlist or domain directive in resolv.conf (if any). The search list is not used by default.

+[no]showsearch

Perform [do not perform] a search showing intermediate results.

+[no]defname

Deprecated, treated as a synonym for +[no]search

+[no]aaonly

Sets the "aa" flag in the query.

+[no]aaflag

A synonym for +[no]aaonly.

+[no]adflag

Set [do not set] the AD (authentic data) bit in the query. This requests the server to return whether all of the answer and authority sections have all been validated as secure according to the security policy of the server. AD=1 indicates that all records have been validated as secure and the answer is not from a OPT-OUT range. AD=0 indicate that some part of the answer was insecure or not validated.

+[no]cdflag

Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses.

+[no]cl

Display [do not display] the CLASS when printing the record.

+[no]ttlid

Display [do not display] the TTL when printing the record.

+[no]recurse

Toggle the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means dig normally sends recursive queries. Recursion is automatically disabled when the +nssearch or +trace query options are used.

+[no]nssearch

When this option is set, dig attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone.

+[no]trace

Toggle tracing of the delegation path from the root name servers for the name being looked up. Tracing is disabled by default. When tracing is enabled, dig makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup.

+[no]cmd

Toggles the printing of the initial comment in the output identifying the version of dig and the query options that have been applied. This comment is printed by default.

+[no]short

Provide a terse answer. The default is to print the answer in a verbose form.

+[no]identify

Show [or do not show] the IP address and port number that supplied the answer when the +short option is enabled. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer.

+[no]comments

Toggle the display of comment lines in the output. The default is to print comments.

+[no]stats

This query option toggles the printing of statistics: when the query was made, the size of the reply and so on. The default behavior is to print the query statistics.

+[no]qr

Print [do not print] the query as it is sent. By default, the query is not printed.

+[no]question

Print [do not print] the question section of a query when an answer is returned. The default is to print the question section as a comment.

+[no]answer

Display [do not display] the answer section of a reply. The default is to display it.

+[no]authority

Display [do not display] the authority section of a reply. The default is to display it.

+[no]additional

Display [do not display] the additional section of a reply. The default is to display it.

+[no]all

Set or clear all display flags.

+time=T

Sets the timeout for a query to T seconds. The default timeout is 5 seconds. An attempt to set T to less than 1 will result in a query timeout of 1 second being applied.

+tries=T

Sets the number of times to try UDP queries to server to T instead of the default, 3. If T is less than or equal to zero, the number of tries is silently rounded up to 1.

+retry=T

Sets the number of times to retry UDP queries to server to T instead of the default, 2. Unlike +tries, this does not include the initial query.

+ndots=D

Set the number of dots that have to appear in name to D for it to be considered absolute. The default value is that defined using the ndots statement in /etc/resolv.conf, or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the search or domain directive in /etc/resolv.conf.

+bufsize=B

Set the UDP message buffer size advertised using EDNS0 to B bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately. Values other than zero will cause a EDNS query to be sent.

+edns=#

Specify the EDNS version to query with. Valid values are 0 to 255. Setting the EDNS version will cause a EDNS query to be sent. +noedns clears the remembered EDNS version.

+[no]multiline

Print records like the SOA records in a verbose multi-line format with human-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the dig output.

+[no]fail

Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behavior.

+[no]besteffort

Attempt to display the contents of messages which are malformed. The default is to not display malformed answers.

+[no]dnssec

Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query.

+[no]sigchase

Chase DNSSEC signature chains. Requires dig be compiled with -DDIG_SIGCHASE.

+trusted-key=####

Specifies a file containing trusted keys to be used with +sigchase. Each DNSKEY record must be on its own line.

If not specified, dig will look for /etc/trusted-key.key then trusted-key.key in the current directory.

Requires dig be compiled with -DDIG_SIGCHASE.

+[no]topdown

When chasing DNSSEC signature chains perform a top-down validation. Requires dig be compiled with -DDIG_SIGCHASE.

+[no]nsid

Include an EDNS name server ID request when sending a query.

-

MULTIPLE QUERIES

+

MULTIPLE QUERIES

The BIND 9 implementation of dig supports specifying multiple queries on the command line (in addition to supporting the -f batch file option). Each of those queries can be supplied with its own set of flags, options and query options.

In this case, each query argument represent an individual query in the command-line syntax described above. Each consists of any of the standard options and flags, the name to be looked up, an optional query type and class and any query options that should be applied to that query.

A global set of query options, which should be applied to all queries, can also be supplied. These global query options must precede the first tuple of name, class, type, options, flags, and query options supplied on the command line. Any global query options (except the +[no]cmd option) can be overridden by a query-specific set of query options. For example: 

 dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

shows how dig could be used from the command line to make three lookups: an ANY query for www.isc.org, a reverse lookup of 127.0.0.1 and a query for the NS records of isc.org. A global query option of +qr is applied, so that dig shows the initial query it made for each lookup. The final query has a local query option of +noqr which means that dig will not print the initial query when it looks up the NS records for isc.org.

-

IDN SUPPORT

+

IDN SUPPORT

If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. dig appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. If you'd like to turn off the IDN support for some reason, defines the IDN_DISABLE environment variable. The IDN support is disabled if the variable is set when dig runs.

-

FILES

+

FILES

/etc/resolv.conf

${HOME}/.digrc

-

SEE ALSO

+

SEE ALSO

host(1), named(8), dnssec-keygen(8), RFC1035.

-

BUGS

+

BUGS

There are probably too many query options.

Prev  Up  Next
Manual pages  Home  host
Index: head/contrib/bind9/doc/arm/man.dnssec-dsfromkey.html =================================================================== --- head/contrib/bind9/doc/arm/man.dnssec-dsfromkey.html (revision 205291) +++ head/contrib/bind9/doc/arm/man.dnssec-dsfromkey.html (revision 205292) @@ -1,170 +1,170 @@ - + dnssec-dsfromkey
dnssec-dsfromkey
Prev  Manual pages  Next

Name

dnssec-dsfromkey — DNSSEC DS RR generation tool

Synopsis

dnssec-dsfromkey [-v level] [-1] [-2] [-a alg] {keyfile}

dnssec-dsfromkey {-s} [-v level] [-1] [-2] [-a alg] [-c class] [-d dir] {dnsname}

-

DESCRIPTION

+

DESCRIPTION

dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).

-

OPTIONS

+

OPTIONS

-1

Use SHA-1 as the digest algorithm (the default is to use both SHA-1 and SHA-256).

-2

Use SHA-256 as the digest algorithm.

-a algorithm

Select the digest algorithm. The value of algorithm must be one of SHA-1 (SHA1) or SHA-256 (SHA256). These values are case insensitive.

-v level

Sets the debugging level.

-s

Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file. Following options make sense only in this mode.

-c class

Specifies the DNS class (default is IN), useful only in the keyset mode.

-d directory

Look for keyset files in directory as the directory, ignored when not in the keyset mode.

-

EXAMPLE

+

EXAMPLE

To build the SHA-256 DS RR from the Kexample.com.+003+26160 keyfile name, the following command would be issued:

dnssec-dsfromkey -2 Kexample.com.+003+26160

The command would print something like:

example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94

-

FILES

+

FILES

The keyfile can be designed by the key identification Knnnn.+aaa+iiiii or the full file name Knnnn.+aaa+iiiii.key as generated by dnssec-keygen(8).

The keyset file name is built from the directory, the string keyset- and the dnsname.

-

CAVEAT

+

CAVEAT

A keyfile error can give a "file not found" even if the file exists.

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 3658, RFC 4509.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

Prev  Up  Next
host  Home  dnssec-keyfromlabel
Index: head/contrib/bind9/doc/arm/man.dnssec-keyfromlabel.html =================================================================== --- head/contrib/bind9/doc/arm/man.dnssec-keyfromlabel.html (revision 205291) +++ head/contrib/bind9/doc/arm/man.dnssec-keyfromlabel.html (revision 205292) @@ -1,216 +1,216 @@ - + dnssec-keyfromlabel
dnssec-keyfromlabel
Prev  Manual pages  Next

Name

dnssec-keyfromlabel — DNSSEC key generation tool

Synopsis

dnssec-keyfromlabel {-a algorithm} {-l label} [-c class] [-f flag] [-k] [-n nametype] [-p protocol] [-t type] [-v level] {name}

-

DESCRIPTION

+

DESCRIPTION

dnssec-keyfromlabel gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034.

-

OPTIONS

+

OPTIONS

-a algorithm

Selects the cryptographic algorithm. The value of algorithm must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or DH (Diffie Hellman). These values are case insensitive.

If no algorithm is specified, then RSASHA1 will be used by default, unless the -3 option is specified, in which case NSEC3RSASHA1 will be used instead. (If -3 is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3.)

Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended.

Note 2: DH automatically sets the -k flag.

-l label

Specifies the label of keys in the crypto hardware (PKCS#11 device).

-n nametype

Specifies the owner type of the key. The value of nametype must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive.

-c class

Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.

-f flag

Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flag is KSK (Key Signing Key) DNSKEY.

-h

Prints a short summary of the options and arguments to dnssec-keygen.

-k

Generate KEY records rather than DNSKEY records.

-p protocol

Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.

-t type

Indicates the use of the key. type must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data.

-v level

Sets the debugging level.

-

GENERATED KEY FILES

+

GENERATED KEY FILES

When dnssec-keyfromlabel completes successfully, it prints a string of the form Knnnn.+aaa+iiiii to the standard output. This is an identification string for the key files it has generated.

  • nnnn is the key name.

  • aaa is the numeric representation of the algorithm.

  • iiiii is the key identifier (or footprint).

dnssec-keyfromlabel creates two files, with names based on the printed string. Knnnn.+aaa+iiiii.key contains the public key, and Knnnn.+aaa+iiiii.private contains the private key.

The .key file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement).

The .private file contains algorithm specific fields. For obvious security reasons, this file does not have general read permission.

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 4034.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

Prev  Up  Next
dnssec-dsfromkey  Home  dnssec-keygen
Index: head/contrib/bind9/doc/arm/man.dnssec-keygen.html =================================================================== --- head/contrib/bind9/doc/arm/man.dnssec-keygen.html (revision 205291) +++ head/contrib/bind9/doc/arm/man.dnssec-keygen.html (revision 205292) @@ -1,277 +1,277 @@ - + dnssec-keygen
dnssec-keygen
Prev  Manual pages  Next

Name

dnssec-keygen — DNSSEC key generation tool

Synopsis

dnssec-keygen {-a algorithm} {-b keysize} {-n nametype} [-c class] [-e] [-f flag] [-g generator] [-h] [-k] [-p protocol] [-r randomdev] [-s strength] [-t type] [-v level] {name}

-

DESCRIPTION

+

DESCRIPTION

dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845.

The name of the key is specified on the command line. For DNSSEC keys, this must match the name of the zone for which the key is being generated.

-

OPTIONS

+

OPTIONS

-a algorithm

Selects the cryptographic algorithm. For DNSSEC keys, the value of algorithm must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are case insensitive.

Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.

Note 2: HMAC-MD5 and DH automatically set the -k flag.

-b keysize

Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSA keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC keys must be between 1 and 512 bits.

-n nametype

Specifies the owner type of the key. The value of nametype must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive. Defaults to ZONE for DNSKEY generation.

-c class

Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.

-e

If generating an RSAMD5/RSASHA1 key, use a large exponent.

-f flag

Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flag is KSK (Key Signing Key) DNSKEY.

-g generator

If generating a Diffie Hellman key, use this generator. Allowed values are 2 and 5. If no generator is specified, a known prime from RFC 2539 will be used if possible; otherwise the default is 2.

-h

Prints a short summary of the options and arguments to dnssec-keygen.

-k

Generate KEY records rather than DNSKEY records.

-p protocol

Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.

-r randomdev

Specifies the source of randomness. If the operating system does not provide a /dev/random or equivalent device, the default source of randomness is keyboard input. randomdev specifies the name of a character device or file containing random data to be used instead of the default. The special value keyboard indicates that keyboard input should be used.

-s strength

Specifies the strength value of the key. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC.

-t type

Indicates the use of the key. type must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data.

-v level

Sets the debugging level.

-

GENERATED KEYS

+

GENERATED KEYS

When dnssec-keygen completes successfully, it prints a string of the form Knnnn.+aaa+iiiii to the standard output. This is an identification string for the key it has generated.

  • nnnn is the key name.

  • aaa is the numeric representation of the algorithm.

  • iiiii is the key identifier (or footprint).

dnssec-keygen creates two files, with names based on the printed string. Knnnn.+aaa+iiiii.key contains the public key, and Knnnn.+aaa+iiiii.private contains the private key.

The .key file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement).

The .private file contains algorithm-specific fields. For obvious security reasons, this file does not have general read permission.

Both .key and .private files are generated for symmetric encryption algorithms such as HMAC-MD5, even though the public and private key are equivalent.

-

EXAMPLE

+

EXAMPLE

To generate a 768-bit DSA key for the domain example.com, the following command would be issued:

dnssec-keygen -a DSA -b 768 -n ZONE example.com

The command would print a string of the form:

Kexample.com.+003+26160

In this example, dnssec-keygen creates the files Kexample.com.+003+26160.key and Kexample.com.+003+26160.private.

-

SEE ALSO

+

SEE ALSO

dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, RFC 2845, RFC 4034.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

Prev  Up  Next
dnssec-keyfromlabel  Home  dnssec-signzone
Index: head/contrib/bind9/doc/arm/man.dnssec-signzone.html =================================================================== --- head/contrib/bind9/doc/arm/man.dnssec-signzone.html (revision 205291) +++ head/contrib/bind9/doc/arm/man.dnssec-signzone.html (revision 205292) @@ -1,380 +1,380 @@ - + dnssec-signzone
dnssec-signzone
Prev  Manual pages  Next

Name

dnssec-signzone — DNSSEC zone signing tool

Synopsis

dnssec-signzone [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-P] [-r randomdev] [-s start-time] [-t] [-v level] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]

-

DESCRIPTION

+

DESCRIPTION

dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the zone. It also generates a keyset- file containing the key-signing keys for the zone, and if signing a zone which contains delegations, it can optionally generate DS records for the child zones from their keyset- files.

-

OPTIONS

+

OPTIONS

-a

Verify all generated signatures.

-c class

Specifies the DNS class of the zone.

-k key

Treat specified key as a key signing key ignoring any key flags. This option may be specified multiple times.

-l domain

Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records.

-d directory

Look for keyset files in directory as the directory

-g

If the zone contains any delegations, and there are keyset- files for any of the child zones, then DS records for the child zones will be generated from the keys in those files. Existing DS records will be removed.

-s start-time

Specify the date and time when the generated RRSIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no start-time is specified, the current time minus 1 hour (to allow for clock skew) is used.

-e end-time

Specify the date and time when the generated RRSIG records expire. As with start-time, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no end-time is specified, 30 days from the start time is used as a default.

-f output-file

The name of the output file containing the signed zone. The default is to append .signed to the input filename.

-h

Prints a short summary of the options and arguments to dnssec-signzone.

-i interval

When a previously-signed zone is passed as input, records may be resigned. The interval option specifies the cycle interval as an offset from the current time (in seconds). If a RRSIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced.

The default cycle interval is one quarter of the difference between the signature end and start times. So if neither end-time or start-time are specified, dnssec-signzone generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they would be replaced.

-I input-format

The format of the input zone file. Possible formats are "text" (default) and "raw". This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non-text format containing updates can be signed directly. The use of this option does not make much sense for non-dynamic zones.

-j jitter

When signing a zone with a fixed signature lifetime, all RRSIG records issued at the time of signing expires simultaneously. If the zone is incrementally signed, i.e. a previously-signed zone is passed as input to the signer, all expired signatures have to be regenerated at about the same time. The jitter option specifies a jitter window that will be used to randomize the signature expire time, thus spreading incremental signature regeneration over time.

Signature lifetime jitter also to some extent benefits validators and servers by spreading out cache expiration, i.e. if large numbers of RRSIGs don't expire at the same time from all caches there will be less congestion than if all validators need to refetch at mostly the same time.

-n ncpus

Specifies the number of threads to use. By default, one thread is started for each detected CPU.

-N soa-serial-format

The SOA serial number format of the signed zone. Possible formats are "keep" (default), "increment" and "unixtime".

"keep"

Do not modify the SOA serial number.

"increment"

Increment the SOA serial number using RFC 1982 arithmetics.

"unixtime"

Set the SOA serial number to the number of seconds since epoch.

-o origin

The zone origin. If not specified, the name of the zone file is assumed to be the origin.

-O output-format

The format of the output file containing the signed zone. Possible formats are "text" (default) and "raw".

-p

Use pseudo-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited.

-P

Disable post sign verification tests.

The post sign verification test ensures that for each algorithm in use there is at least one non revoked self signed KSK key, that all revoked KSK keys are self signed, and that all records in the zone are signed by the algorithm. This option skips these tests.

-r randomdev

Specifies the source of randomness. If the operating system does not provide a /dev/random or equivalent device, the default source of randomness is keyboard input. randomdev specifies the name of a character device or file containing random data to be used instead of the default. The special value keyboard indicates that keyboard input should be used.

-t

Print statistics at completion.

-v level

Sets the debugging level.

-z

Ignore KSK flag on key when determining what to sign.

-3 salt

Generate a NSEC3 chain with the given hex encoded salt. A dash (salt) can be used to indicate that no salt is to be used when generating the NSEC3 chain.

-H iterations

When generating a NSEC3 chain use this many interations. The default is 100.

-A

When generating a NSEC3 chain set the OPTOUT flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations.

zonefile

The file containing the zone to be signed.

key

Specify which keys should be used to sign the zone. If no keys are specified, then the zone will be examined for DNSKEY records at the zone apex. If these are found and there are matching private keys, in the current directory, then these will be used for signing.

-

EXAMPLE

+

EXAMPLE

The following command signs the example.com zone with the DSA key generated by dnssec-keygen (Kexample.com.+003+17247). The zone's keys must be in the master file (db.example.com). This invocation looks for keyset files, in the current directory, so that DS records can be generated from them (-g). 

% dnssec-signzone -g -o example.com db.example.com \
 Kexample.com.+003+17247
 db.example.com.signed
 %

In the above example, dnssec-signzone creates the file db.example.com.signed. This file should be referenced in a zone statement in a named.conf file.

This example re-signs a previously signed zone with default parameters. The private keys are assumed to be in the current directory. 

% cp db.example.com.signed db.example.com
 % dnssec-signzone -o example.com db.example.com
 db.example.com.signed
 %
-

KNOWN BUGS

+

KNOWN BUGS

dnssec-signzone was designed so that it could sign a zone partially, using only a subset of the DNSSEC keys needed to produce a fully-signed zone. This permits a zone administrator, for example, to sign a zone with one key on one machine, move the resulting partially-signed zone to a second machine, and sign it again with a second key.

An unfortunate side-effect of this flexibility is that dnssec-signzone does not check to make sure it's signing a zone with any valid keys at all. An attempt to sign a zone without any keys will appear to succeed, producing a "signed" zone with no signatures. There is no warning issued when a zone is not fully signed.

This will be corrected in a future release. In the meantime, ISC recommends examining the output of dnssec-signzone to confirm that the zone is properly signed by all keys before using it.

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 4033.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

Prev  Up  Next
dnssec-keygen  Home  named-checkconf
Index: head/contrib/bind9/doc/arm/man.host.html =================================================================== --- head/contrib/bind9/doc/arm/man.host.html (revision 205291) +++ head/contrib/bind9/doc/arm/man.host.html (revision 205292) @@ -1,249 +1,249 @@ - + host
host
Prev  Manual pages  Next

Name

host — DNS lookup utility

Synopsis

host [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]

-

DESCRIPTION

+

DESCRIPTION

host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. When no arguments or options are given, host prints a short summary of its command line arguments and options.

name is the domain name that is to be looked up. It can also be a dotted-decimal IPv4 address or a colon-delimited IPv6 address, in which case host will by default perform a reverse lookup for that address. server is an optional argument which is either the name or IP address of the name server that host should query instead of the server or servers listed in /etc/resolv.conf.

The -a (all) option is equivalent to setting the -v option and asking host to make a query of type ANY.

When the -C option is used, host will attempt to display the SOA records for zone name from all the listed authoritative name servers for that zone. The list of name servers is defined by the NS records that are found for the zone.

The -c option instructs to make a DNS query of class class. This can be used to lookup Hesiod or Chaosnet class resource records. The default class is IN (Internet).

Verbose output is generated by host when the -d or -v option is used. The two options are equivalent. They have been provided for backwards compatibility. In previous versions, the -d option switched on debugging traces and -v enabled verbose output.

List mode is selected by the -l option. This makes host perform a zone transfer for zone name. Transfer the zone printing out the NS, PTR and address records (A/AAAA). If combined with -a all records will be printed.

The -i option specifies that reverse lookups of IPv6 addresses should use the IP6.INT domain as defined in RFC1886. The default is to use IP6.ARPA.

The -N option sets the number of dots that have to be in name for it to be considered absolute. The default value is that defined using the ndots statement in /etc/resolv.conf, or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the search or domain directive in /etc/resolv.conf.

The number of UDP retries for a lookup can be changed with the -R option. number indicates how many times host will repeat a query that does not get answered. The default number of retries is 1. If number is negative or zero, the number of retries will default to 1.

Non-recursive queries can be made via the -r option. Setting this option clears the RD — recursion desired — bit in the query which host makes. This should mean that the name server receiving the query will not attempt to resolve name. The -r option enables host to mimic the behavior of a name server by making non-recursive queries and expecting to receive answers to those queries that are usually referrals to other name servers.

By default, host uses UDP when making queries. The -T option makes it use a TCP connection when querying the name server. TCP will be automatically selected for queries that require it, such as zone transfer (AXFR) requests.

The -4 option forces host to only use IPv4 query transport. The -6 option forces host to only use IPv6 query transport.

The -t option is used to select the query type. type can be any recognized query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified, host automatically selects an appropriate query type. By default, it looks for A, AAAA, and MX records, but if the -C option was given, queries will be made for SOA records, and if name is a dotted-decimal IPv4 address or colon-delimited IPv6 address, host will query for PTR records. If a query type of IXFR is chosen the starting serial number can be specified by appending an equal followed by the starting serial number (e.g. -t IXFR=12345678).

The time to wait for a reply can be controlled through the -W and -w options. The -W option makes host wait for wait seconds. If wait is less than one, the wait interval is set to one second. When the -w option is used, host will effectively wait forever for a reply. The time to wait for a response will be set to the number of seconds given by the hardware's maximum value for an integer quantity.

The -s option tells host not to send the query to the next nameserver if any server responds with a SERVFAIL response, which is the reverse of normal stub resolver behavior.

The -m can be used to set the memory usage debugging flags record, usage and trace.

-

IDN SUPPORT

+

IDN SUPPORT

If host has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. host appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. If you'd like to turn off the IDN support for some reason, defines the IDN_DISABLE environment variable. The IDN support is disabled if the variable is set when host runs.

-

FILES

+

FILES

/etc/resolv.conf

-

SEE ALSO

+

SEE ALSO

dig(1), named(8).

Prev  Up  Next
dig  Home  dnssec-dsfromkey
Index: head/contrib/bind9/doc/arm/man.named-checkconf.html =================================================================== --- head/contrib/bind9/doc/arm/man.named-checkconf.html (revision 205291) +++ head/contrib/bind9/doc/arm/man.named-checkconf.html (revision 205292) @@ -1,134 +1,134 @@ - + named-checkconf
named-checkconf
Prev  Manual pages  Next

Name

named-checkconf — named configuration file syntax checking tool

Synopsis

named-checkconf [-h] [-v] [-j] [-t directory] {filename} [-z]

-

DESCRIPTION

+

DESCRIPTION

named-checkconf checks the syntax, but not the semantics, of a named configuration file.

-

OPTIONS

+

OPTIONS

-h

Print the usage summary and exit.

-t directory

Chroot to directory so that include directives in the configuration file are processed as if run by a similarly chrooted named.

-v

Print the version of the named-checkconf program and exit.

-z

Perform a test load of all master zones found in named.conf.

-j

When loading a zonefile read the journal if it exists.

filename

The name of the configuration file to be checked. If not specified, it defaults to /etc/named.conf.

-

RETURN VALUES

+

RETURN VALUES

named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.

-

SEE ALSO

+

SEE ALSO

named(8), named-checkzone(8), BIND 9 Administrator Reference Manual.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

Prev  Up  Next
dnssec-signzone  Home  named-checkzone
Index: head/contrib/bind9/doc/arm/man.named-checkzone.html =================================================================== --- head/contrib/bind9/doc/arm/man.named-checkzone.html (revision 205291) +++ head/contrib/bind9/doc/arm/man.named-checkzone.html (revision 205292) @@ -1,300 +1,300 @@ - + named-checkzone
named-checkzone
Prev  Manual pages  Next

Name

named-checkzone, named-compilezone — zone file validity checking or converting tool

Synopsis

named-checkzone [-d] [-h] [-j] [-q] [-v] [-c class] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-M mode] [-n mode] [-s style] [-S mode] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}

named-compilezone [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {-o filename} {zonename} {filename}

-

DESCRIPTION

+

DESCRIPTION

named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a zone. This makes named-checkzone useful for checking zone files before configuring them into a name server.

named-compilezone is similar to named-checkzone, but it always dumps the zone contents to a specified file in a specified format. Additionally, it applies stricter check levels by default, since the dump output will be used as an actual zone file loaded by named. When manually specified otherwise, the check levels must at least be as strict as those specified in the named configuration file.

-

OPTIONS

+

OPTIONS

-d

Enable debugging.

-h

Print the usage summary and exit.

-q

Quiet mode - exit code only.

-v

Print the version of the named-checkzone program and exit.

-j

When loading the zone file read the journal if it exists.

-c class

Specify the class of the zone. If not specified, "IN" is assumed.

-i mode

Perform post-load zone integrity checks. Possible modes are "full" (default), "full-sibling", "local", "local-sibling" and "none".

Mode "full" checks that MX records refer to A or AAAA record (both in-zone and out-of-zone hostnames). Mode "local" only checks MX records which refer to in-zone hostnames.

Mode "full" checks that SRV records refer to A or AAAA record (both in-zone and out-of-zone hostnames). Mode "local" only checks SRV records which refer to in-zone hostnames.

Mode "full" checks that delegation NS records refer to A or AAAA record (both in-zone and out-of-zone hostnames). It also checks that glue address records in the zone match those advertised by the child. Mode "local" only checks NS records which refer to in-zone hostnames or that some required glue exists, that is when the nameserver is in a child zone.

Mode "full-sibling" and "local-sibling" disable sibling glue checks but are otherwise the same as "full" and "local" respectively.

Mode "none" disables the checks.

-f format

Specify the format of the zone file. Possible formats are "text" (default) and "raw".

-F format

Specify the format of the output file specified. Possible formats are "text" (default) and "raw". For named-checkzone, this does not cause any effects unless it dumps the zone contents.

-k mode

Perform "check-names" checks with the specified failure mode. Possible modes are "fail" (default for named-compilezone), "warn" (default for named-checkzone) and "ignore".

-m mode

Specify whether MX records should be checked to see if they are addresses. Possible modes are "fail", "warn" (default) and "ignore".

-M mode

Check if a MX record refers to a CNAME. Possible modes are "fail", "warn" (default) and "ignore".

-n mode

Specify whether NS records should be checked to see if they are addresses. Possible modes are "fail" (default for named-compilezone), "warn" (default for named-checkzone) and "ignore".

-o filename

Write zone output to filename. If filename is - then write to standard out. This is mandatory for named-compilezone.

-s style

Specify the style of the dumped zone file. Possible styles are "full" (default) and "relative". The full format is most suitable for processing automatically by a separate script. On the other hand, the relative format is more human-readable and is thus suitable for editing by hand. For named-checkzone this does not cause any effects unless it dumps the zone contents. It also does not have any meaning if the output format is not text.

-S mode

Check if a SRV record refers to a CNAME. Possible modes are "fail", "warn" (default) and "ignore".

-t directory

Chroot to directory so that include directives in the configuration file are processed as if run by a similarly chrooted named.

-w directory

chdir to directory so that relative filenames in master file $INCLUDE directives work. This is similar to the directory clause in named.conf.

-D

Dump zone file in canonical format. This is always enabled for named-compilezone.

-W mode

Specify whether to check for non-terminal wildcards. Non-terminal wildcards are almost always the result of a failure to understand the wildcard matching algorithm (RFC 1034). Possible modes are "warn" (default) and "ignore".

zonename

The domain name of the zone being checked.

filename

The name of the zone file.

-

RETURN VALUES

+

RETURN VALUES

named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.

-

SEE ALSO

+

SEE ALSO

named(8), named-checkconf(8), RFC 1035, BIND 9 Administrator Reference Manual.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

Prev  Up  Next
named-checkconf  Home  named
Index: head/contrib/bind9/doc/arm/man.named.html =================================================================== --- head/contrib/bind9/doc/arm/man.named.html (revision 205291) +++ head/contrib/bind9/doc/arm/man.named.html (revision 205292) @@ -1,330 +1,330 @@ - + named
named
Prev  Manual pages  Next

Name

named — Internet domain name server

Synopsis

named [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-u user] [-v] [-V] [-x cache-file]

-

DESCRIPTION

+

DESCRIPTION

named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more information on the DNS, see RFCs 1033, 1034, and 1035.

When invoked without arguments, named will read the default configuration file /etc/named.conf, read any initial data, and listen for queries.

-

OPTIONS

+

OPTIONS

-4

Use IPv4 only even if the host machine is capable of IPv6. -4 and -6 are mutually exclusive.

-6

Use IPv6 only even if the host machine is capable of IPv4. -4 and -6 are mutually exclusive.

-c config-file

Use config-file as the configuration file instead of the default, /etc/named.conf. To ensure that reloading the configuration file continues to work after the server has changed its working directory due to to a possible directory option in the configuration file, config-file should be an absolute pathname.

-d debug-level

Set the daemon's debug level to debug-level. Debugging traces from named become more verbose as the debug level increases.

-f

Run the server in the foreground (i.e. do not daemonize).

-g

Run the server in the foreground and force all logging to stderr.

-m flag

Turn on memory usage debugging flags. Possible flags are usage, trace, record, size, and mctx. These correspond to the ISC_MEM_DEBUGXXXX flags described in <isc/mem.h>.

-n #cpus

Create #cpus worker threads to take advantage of multiple CPUs. If not specified, named will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created.

-p port

Listen for queries on port port. If not specified, the default is port 53.

-s

Write memory usage statistics to stdout on exit.

Note

This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release.

-S #max-socks

Allow named to use up to #max-socks sockets.

Warning

This option should be unnecessary for the vast majority of users. The use of this option could even be harmful because the specified value may exceed the limitation of the underlying system API. It is therefore set only when the default configuration causes exhaustion of file descriptors and the operational environment is known to support the specified number of sockets. Note also that the actual maximum number is normally a little fewer than the specified value because named reserves some file descriptors for its internal use.

-t directory

Chroot to directory after processing the command line arguments, but before reading the configuration file.

Warning

This option should be used in conjunction with the -u option, as chrooting a process running as root doesn't enhance security on most systems; the way chroot(2) is defined allows a process with root privileges to escape a chroot jail.

-u user

Setuid to user after completing privileged operations, such as creating sockets that listen on privileged ports.

Note

On Linux, named uses the kernel's capability mechanism to drop all root privileges except the ability to bind(2) to a privileged port and set process resource limits. Unfortunately, this means that the -u option only works when named is run on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or later, since previous kernels did not allow privileges to be retained after setuid(2).

-v

Report the version number and exit.

-V

Report the version number and build options, and exit.

-x cache-file

Load data from cache-file into the cache of the default view.

Warning

This option must not be used. It is only of interest to BIND 9 developers and may be removed or changed in a future release.

-

SIGNALS

+

SIGNALS

In routine operation, signals should not be used to control the nameserver; rndc should be used instead.

SIGHUP

Force a reload of the server.

SIGINT, SIGTERM

Shut down the server.

The result of sending any other signals to the server is undefined.

-

CONFIGURATION

+

CONFIGURATION

The named configuration file is too complex to describe in detail here. A complete description is provided in the BIND 9 Administrator Reference Manual.

named inherits the umask (file creation mode mask) from the parent process. If files created by named, such as journal files, need to have custom permissions, the umask should be set explicitly in the script used to start the named process.

-

FILES

+

FILES

/etc/named.conf

The default configuration file.

/var/run/named/named.pid

The default process-id file.

-

SEE ALSO

+

SEE ALSO

RFC 1033, RFC 1034, RFC 1035, named-checkconf(8), named-checkzone(8), rndc(8), lwresd(8), named.conf(5), BIND 9 Administrator Reference Manual.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

Prev  Up  Next
named-checkzone  Home  nsupdate
Index: head/contrib/bind9/doc/arm/man.nsupdate.html =================================================================== --- head/contrib/bind9/doc/arm/man.nsupdate.html (revision 205291) +++ head/contrib/bind9/doc/arm/man.nsupdate.html (revision 205292) @@ -1,569 +1,569 @@ - + nsupdate
nsupdate
Prev  Manual pages  Next

Name

nsupdate — Dynamic DNS update utility

Synopsis

nsupdate [-d] [-D] [[-g] | [-o] | [-y [hmac:]keyname:secret] | [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]

-

DESCRIPTION

+

DESCRIPTION

nsupdate is used to submit Dynamic DNS Update requests as defined in RFC2136 to a name server. This allows resource records to be added or removed from a zone without manually editing the zone file. A single update request can contain requests to add or remove more than one resource record.

Zones that are under dynamic control via nsupdate or a DHCP server should not be edited by hand. Manual edits could conflict with dynamic updates and cause data to be lost.

The resource records that are dynamically added or removed with nsupdate have to be in the same zone. Requests are sent to the zone's master server. This is identified by the MNAME field of the zone's SOA record.

The -d option makes nsupdate operate in debug mode. This provides tracing information about the update requests that are made and the replies received from the name server.

The -D option makes nsupdate report additional debugging information to -d.

Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the TSIG resource record type described in RFC2845 or the SIG(0) record described in RFC3535 and RFC2931 or GSS-TSIG as described in RFC3645. TSIG relies on a shared secret that should only be known to nsupdate and the name server. Currently, the only supported encryption algorithm for TSIG is HMAC-MD5, which is defined in RFC 2104. Once other algorithms are defined for TSIG, applications will need to ensure they select the appropriate algorithm as well as the key when authenticating each other. For instance, suitable key and server statements would be added to /etc/named.conf so that the name server can associate the appropriate secret key and algorithm with the IP address of the client application that will be using TSIG authentication. SIG(0) uses public key cryptography. To use a SIG(0) key, the public key must be stored in a KEY record in a zone served by the name server. nsupdate does not read /etc/named.conf. GSS-TSIG uses Kerberos credentials.

nsupdate uses the -y or -k option to provide the shared secret needed to generate a TSIG record for authenticating Dynamic DNS update requests, default type HMAC-MD5. These options are mutually exclusive. With the -k option, nsupdate reads the shared secret from the file keyfile, whose name is of the form K{name}.+157.+{random}.private. For historical reasons, the file K{name}.+157.+{random}.key must also be present. When the -y option is used, a signature is generated from [hmac:]keyname:secret. keyname is the name of the key, and secret is the base64 encoded shared secret. Use of the -y option is discouraged because the shared secret is supplied as a command line argument in clear text. This may be visible in the output from ps(1) or in a history file maintained by the user's shell.

The -k may also be used to specify a SIG(0) key used to authenticate Dynamic DNS update requests. In this case, the key specified is not an HMAC-MD5 key.

The -g and -o specify that GSS-TSIG is to be used. The -o should only be used with old Microsoft Windows 2000 servers.

By default, nsupdate uses UDP to send update requests to the name server unless they are too large to fit in a UDP request in which case TCP will be used. The -v option makes nsupdate use a TCP connection. This may be preferable when a batch of update requests is made.

The -t option sets the maximum time an update request can take before it is aborted. The default is 300 seconds. Zero can be used to disable the timeout.

The -u option sets the UDP retry interval. The default is 3 seconds. If zero, the interval will be computed from the timeout interval and number of UDP retries.

The -r option sets the number of UDP retries. The default is 3. If zero, only one update request will be made.

The -R randomdev option specifies a source of randomness. If the operating system does not provide a /dev/random or equivalent device, the default source of randomness is keyboard input. randomdev specifies the name of a character device or file containing random data to be used instead of the default. The special value keyboard indicates that keyboard input should be used. This option may be specified multiple times.

-

INPUT FORMAT

+

INPUT FORMAT

nsupdate reads input from filename or standard input. Each command is supplied on exactly one line of input. Some commands are for administrative purposes. The others are either update instructions or prerequisite checks on the contents of the zone. These checks set conditions that some name or set of resource records (RRset) either exists or is absent from the zone. These conditions must be met if the entire update request is to succeed. Updates will be rejected if the tests for the prerequisite conditions fail.

Every update request consists of zero or more prerequisites and zero or more updates. This allows a suitably authenticated update request to proceed if some specified resource records are present or missing from the zone. A blank input line (or the send command) causes the accumulated commands to be sent as one Dynamic DNS update request to the name server.

The command formats and their meaning are as follows:

server {servername} [port]

Sends all dynamic update requests to the name server servername. When no server statement is provided, nsupdate will send updates to the master server of the correct zone. The MNAME field of that zone's SOA record will identify the master server for that zone. port is the port number on servername where the dynamic update requests get sent. If no port number is specified, the default DNS port number of 53 is used.

local {address} [port]

Sends all dynamic update requests using the local address. When no local statement is provided, nsupdate will send updates using an address and port chosen by the system. port can additionally be used to make requests come from a specific port. If no port number is specified, the system will assign one.

zone {zonename}

Specifies that all updates are to be made to the zone zonename. If no zone statement is provided, nsupdate will attempt determine the correct zone to update based on the rest of the input.

class {classname}

Specify the default class. If no class is specified, the default class is IN.

ttl {seconds}

Specify the default time to live for records to be added. The value none will clear the default ttl.

key {name} {secret}

Specifies that all updates are to be TSIG-signed using the keyname keysecret pair. The key command overrides any key specified on the command line via -y or -k.

prereq nxdomain {domain-name}

Requires that no resource record of any type exists with name domain-name.

prereq yxdomain {domain-name}

Requires that domain-name exists (has as at least one resource record, of any type).

prereq nxrrset {domain-name} [class] {type}

Requires that no resource record exists of the specified type, class and domain-name. If class is omitted, IN (internet) is assumed.

prereq yxrrset {domain-name} [class] {type}

This requires that a resource record of the specified type, class and domain-name must exist. If class is omitted, IN (internet) is assumed.

prereq yxrrset {domain-name} [class] {type} {data...}

The data from each set of prerequisites of this form sharing a common type, class, and domain-name are combined to form a set of RRs. This set of RRs must exactly match the set of RRs existing in the zone at the given type, class, and domain-name. The data are written in the standard text representation of the resource record's RDATA.

update delete {domain-name} [ttl] [class] [type [data...]]

Deletes any resource records named domain-name. If type and data is provided, only matching resource records will be removed. The internet class is assumed if class is not supplied. The ttl is ignored, and is only allowed for compatibility.

update add {domain-name} {ttl} [class] {type} {data...}

Adds a new resource record with the specified ttl, class and data.

show

Displays the current message, containing all of the prerequisites and updates specified since the last send.

send

Sends the current message. This is equivalent to entering a blank line.

answer

Displays the answer.

debug

Turn on debugging.

Lines beginning with a semicolon are comments and are ignored.

-

EXAMPLES

+

EXAMPLES

The examples below show how nsupdate could be used to insert and delete resource records from the example.com zone. Notice that the input in each example contains a trailing blank line so that a group of commands are sent as one dynamic update request to the master name server for example.com. 

 # nsupdate
 > update delete oldhost.example.com A
 > update add newhost.example.com 86400 A 172.16.1.1
 > send

Any A records for oldhost.example.com are deleted. And an A record for newhost.example.com with IP address 172.16.1.1 is added. The newly-added record has a 1 day TTL (86400 seconds). 

 # nsupdate
 > prereq nxdomain nickname.example.com
 > update add nickname.example.com 86400 CNAME somehost.example.com
 > send

The prerequisite condition gets the name server to check that there are no resource records of any type for nickname.example.com. If there are, the update request fails. If this name does not exist, a CNAME for it is added. This ensures that when the CNAME is added, it cannot conflict with the long-standing rule in RFC1034 that a name must not exist as any other record type if it exists as a CNAME. (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have RRSIG, DNSKEY and NSEC records.)

-

FILES

+

FILES

/etc/resolv.conf

used to identify default name server

K{name}.+157.+{random}.key

base-64 encoding of HMAC-MD5 key created by dnssec-keygen(8).

K{name}.+157.+{random}.private

base-64 encoding of HMAC-MD5 key created by dnssec-keygen(8).

-

SEE ALSO

+

SEE ALSO

RFC2136, RFC3007, RFC2104, RFC2845, RFC1034, RFC2535, RFC2931, named(8), dnssec-keygen(8).

-

BUGS

+

BUGS

The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library for its cryptographic operations, and may change in future releases.

Prev  Up  Next
named  Home  rndc
Index: head/contrib/bind9/doc/arm/man.rndc-confgen.html =================================================================== --- head/contrib/bind9/doc/arm/man.rndc-confgen.html (revision 205291) +++ head/contrib/bind9/doc/arm/man.rndc-confgen.html (revision 205292) @@ -1,222 +1,222 @@ - + rndc-confgen
rndc-confgen
Prev  Manual pages  

Name

rndc-confgen — rndc key generation tool

Synopsis

rndc-confgen [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

-

DESCRIPTION

+

DESCRIPTION

rndc-confgen generates configuration files for rndc. It can be used as a convenient alternative to writing the rndc.conf file and the corresponding controls and key statements in named.conf by hand. Alternatively, it can be run with the -a option to set up a rndc.key file and avoid the need for a rndc.conf file and a controls statement altogether.

-

OPTIONS

+

OPTIONS

-a

Do automatic rndc configuration. This creates a file rndc.key in /etc (or whatever sysconfdir was specified as when BIND was built) that is read by both rndc and named on startup. The rndc.key file defines a default command channel and authentication key allowing rndc to communicate with named on the local host with no further configuration.

Running rndc-confgen -a allows BIND 9 and rndc to be used as drop-in replacements for BIND 8 and ndc, with no changes to the existing BIND 8 named.conf file.

If a more elaborate configuration than that generated by rndc-confgen -a is required, for example if rndc is to be used remotely, you should run rndc-confgen without the -a option and set up a rndc.conf and named.conf as directed.

-b keysize

Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is 128.

-c keyfile

Used with the -a option to specify an alternate location for rndc.key.

-h

Prints a short summary of the options and arguments to rndc-confgen.

-k keyname

Specifies the key name of the rndc authentication key. This must be a valid domain name. The default is rndc-key.

-p port

Specifies the command channel port where named listens for connections from rndc. The default is 953.

-r randomfile

Specifies a source of random data for generating the authorization. If the operating system does not provide a /dev/random or equivalent device, the default source of randomness is keyboard input. randomdev specifies the name of a character device or file containing random data to be used instead of the default. The special value keyboard indicates that keyboard input should be used.

-s address

Specifies the IP address where named listens for command channel connections from rndc. The default is the loopback address 127.0.0.1.

-t chrootdir

Used with the -a option to specify a directory where named will run chrooted. An additional copy of the rndc.key will be written relative to this directory so that it will be found by the chrooted named.

-u user

Used with the -a option to set the owner of the rndc.key file generated. If -t is also specified only the file in the chroot area has its owner changed.

-

EXAMPLES

+

EXAMPLES

To allow rndc to be used with no manual configuration, run

rndc-confgen -a

To print a sample rndc.conf file and corresponding controls and key statements to be manually inserted into named.conf, run

rndc-confgen

-

SEE ALSO

+

SEE ALSO

rndc(8), rndc.conf(5), named(8), BIND 9 Administrator Reference Manual.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

Prev  Up  
rndc.conf  Home  
Index: head/contrib/bind9/doc/arm/man.rndc.conf.html =================================================================== --- head/contrib/bind9/doc/arm/man.rndc.conf.html (revision 205291) +++ head/contrib/bind9/doc/arm/man.rndc.conf.html (revision 205292) @@ -1,255 +1,255 @@ - + rndc.conf
rndc.conf
Prev  Manual pages  Next

Name

rndc.conf — rndc configuration file

Synopsis

rndc.conf

-

DESCRIPTION

+

DESCRIPTION

rndc.conf is the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to named.conf. Statements are enclosed in braces and terminated with a semi-colon. Clauses in the statements are also semi-colon terminated. The usual comment styles are supported:

C style: /* */

C++ style: // to end of line

Unix style: # to end of line

rndc.conf is much simpler than named.conf. The file uses three statements: an options statement, a server statement and a key statement.

The options statement contains five clauses. The default-server clause is followed by the name or address of a name server. This host will be used when no name server is given as an argument to rndc. The default-key clause is followed by the name of a key which is identified by a key statement. If no keyid is provided on the rndc command line, and no key clause is found in a matching server statement, this default key will be used to authenticate the server's commands and responses. The default-port clause is followed by the port to connect to on the remote name server. If no port option is provided on the rndc command line, and no port clause is found in a matching server statement, this default port will be used to connect. The default-source-address and default-source-address-v6 clauses which can be used to set the IPv4 and IPv6 source addresses respectively.

After the server keyword, the server statement includes a string which is the hostname or address for a name server. The statement has three possible clauses: key, port and addresses. The key name must match the name of a key statement in the file. The port number specifies the port to connect to. If an addresses clause is supplied these addresses will be used instead of the server name. Each address can take an optional port. If an source-address or source-address-v6 of supplied then these will be used to specify the IPv4 and IPv6 source addresses respectively.

The key statement begins with an identifying string, the name of the key. The statement has two clauses. algorithm identifies the encryption algorithm for rndc to use; currently only HMAC-MD5 is supported. This is followed by a secret clause which contains the base-64 encoding of the algorithm's encryption key. The base-64 string is enclosed in double quotes.

There are two common ways to generate the base-64 string for the secret. The BIND 9 program rndc-confgen can be used to generate a random key, or the mmencode program, also known as mimencode, can be used to generate a base-64 string from known input. mmencode does not ship with BIND 9 but is available on many systems. See the EXAMPLE section for sample command lines for each.

-

EXAMPLE

+

EXAMPLE

       options {
         default-server  localhost;
         default-key     samplekey;
       };
 

       server localhost {
         key             samplekey;
       };
 

       server testserver {
         key		testkey;
         addresses	{ localhost port 5353; };
       };
 

       key samplekey {
         algorithm       hmac-md5;
         secret          "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
       };
 

       key testkey {
         algorithm	hmac-md5;
         secret		"R3HI8P6BKw9ZwXwN3VZKuQ==";
       };

In the above example, rndc will by default use the server at localhost (127.0.0.1) and the key called samplekey. Commands to the localhost server will use the samplekey key, which must also be defined in the server's configuration file with the same name and secret. The key statement indicates that samplekey uses the HMAC-MD5 algorithm and its secret clause contains the base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.

If rndc -s testserver is used then rndc will connect to server on localhost port 5353 using the key testkey.

To generate a random secret with rndc-confgen:

rndc-confgen

A complete rndc.conf file, including the randomly generated key, will be written to the standard output. Commented-out key and controls statements for named.conf are also printed.

To generate a base-64 secret with mmencode:

echo "known plaintext for a secret" | mmencode

-

NAME SERVER CONFIGURATION

+

NAME SERVER CONFIGURATION

The name server must be configured to accept rndc connections and to recognize the key specified in the rndc.conf file, using the controls statement in named.conf. See the sections on the controls statement in the BIND 9 Administrator Reference Manual for details.

-

SEE ALSO

+

SEE ALSO

rndc(8), rndc-confgen(8), mmencode(1), BIND 9 Administrator Reference Manual.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

Prev  Up  Next
rndc  Home  rndc-confgen
Index: head/contrib/bind9/doc/arm/man.rndc.html =================================================================== --- head/contrib/bind9/doc/arm/man.rndc.html (revision 205291) +++ head/contrib/bind9/doc/arm/man.rndc.html (revision 205292) @@ -1,203 +1,203 @@ - + rndc
rndc
Prev  Manual pages  Next

Name

rndc — name server control utility

Synopsis

rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

-

DESCRIPTION

+

DESCRIPTION

rndc controls the operation of a name server. It supersedes the ndc utility that was provided in old BIND releases. If rndc is invoked with no command line options or arguments, it prints a short summary of the supported commands and the available options and their arguments.

rndc communicates with the name server over a TCP connection, sending commands authenticated with digital signatures. In the current versions of rndc and named, the only supported authentication algorithm is HMAC-MD5, which uses a shared secret on each end of the connection. This provides TSIG-style authentication for the command request and the name server's response. All commands sent over the channel must be signed by a key_id known to the server.

rndc reads a configuration file to determine how to contact the name server and decide what algorithm and key it should use.

-

OPTIONS

+

OPTIONS

-b source-address

Use source-address as the source address for the connection to the server. Multiple instances are permitted to allow setting of both the IPv4 and IPv6 source addresses.

-c config-file

Use config-file as the configuration file instead of the default, /etc/rndc.conf.

-k key-file

Use key-file as the key file instead of the default, /etc/rndc.key. The key in /etc/rndc.key will be used to authenticate commands sent to the server if the config-file does not exist.

-s server

server is the name or address of the server which matches a server statement in the configuration file for rndc. If no server is supplied on the command line, the host named by the default-server clause in the options statement of the rndc configuration file will be used.

-p port

Send commands to TCP port port instead of BIND 9's default control channel port, 953.

-V

Enable verbose logging.

-y key_id

Use the key key_id from the configuration file. key_id must be known by named with the same algorithm and secret string in order for control message validation to succeed. If no key_id is specified, rndc will first look for a key clause in the server statement of the server being used, or if no server statement is present for that host, then the default-key clause of the options statement. Note that the configuration file contains shared secrets which are used to send authenticated control commands to name servers. It should therefore not have general read or write access.

For the complete set of commands supported by rndc, see the BIND 9 Administrator Reference Manual or run rndc without arguments to see its help message.

-

LIMITATIONS

+

LIMITATIONS

rndc does not yet support all the commands of the BIND 8 ndc utility.

There is currently no way to provide the shared secret for a key_id without using the configuration file.

Several error messages could be clearer.

-

SEE ALSO

+

SEE ALSO

rndc.conf(5), rndc-confgen(8), named(8), named.conf(5), ndc(8), BIND 9 Administrator Reference Manual.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

Prev  Up  Next
nsupdate  Home  rndc.conf
Index: head/contrib/bind9/lib/dns/api =================================================================== --- head/contrib/bind9/lib/dns/api (revision 205291) +++ head/contrib/bind9/lib/dns/api (revision 205292) @@ -1,3 +1,3 @@ -LIBINTERFACE = 55 -LIBREVISION = 1 -LIBAGE = 0 +LIBINTERFACE = 56 +LIBREVISION = 0 +LIBAGE = 1 Index: head/contrib/bind9/lib/dns/include/dns/rdataset.h =================================================================== --- head/contrib/bind9/lib/dns/include/dns/rdataset.h (revision 205291) +++ head/contrib/bind9/lib/dns/include/dns/rdataset.h (revision 205292) @@ -1,639 +1,655 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rdataset.h,v 1.65.50.2 2009/01/18 23:47:41 tbox Exp $ */ +/* $Id: rdataset.h,v 1.65.50.2.22.2 2010/02/25 10:57:12 tbox Exp $ */ #ifndef DNS_RDATASET_H #define DNS_RDATASET_H 1 /***** ***** Module Info *****/ /*! \file dns/rdataset.h * \brief * A DNS rdataset is a handle that can be associated with a collection of * rdata all having a common owner name, class, and type. * * The dns_rdataset_t type is like a "virtual class". To actually use * rdatasets, an implementation of the method suite (e.g. "slabbed rdata") is * required. * * XXX <more> XXX * * MP: *\li Clients of this module must impose any required synchronization. * * Reliability: *\li No anticipated impact. * * Resources: *\li TBS * * Security: *\li No anticipated impact. * * Standards: *\li None. */ #include #include #include #include ISC_LANG_BEGINDECLS typedef enum { dns_rdatasetadditional_fromauth, dns_rdatasetadditional_fromcache, dns_rdatasetadditional_fromglue } dns_rdatasetadditional_t; typedef struct dns_rdatasetmethods { void (*disassociate)(dns_rdataset_t *rdataset); isc_result_t (*first)(dns_rdataset_t *rdataset); isc_result_t (*next)(dns_rdataset_t *rdataset); void (*current)(dns_rdataset_t *rdataset, dns_rdata_t *rdata); void (*clone)(dns_rdataset_t *source, dns_rdataset_t *target); unsigned int (*count)(dns_rdataset_t *rdataset); isc_result_t (*addnoqname)(dns_rdataset_t *rdataset, dns_name_t *name); isc_result_t (*getnoqname)(dns_rdataset_t *rdataset, dns_name_t *name, dns_rdataset_t *neg, dns_rdataset_t *negsig); isc_result_t (*addclosest)(dns_rdataset_t *rdataset, dns_name_t *name); isc_result_t (*getclosest)(dns_rdataset_t *rdataset, dns_name_t *name, dns_rdataset_t *neg, dns_rdataset_t *negsig); isc_result_t (*getadditional)(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type, dns_rdatatype_t qtype, dns_acache_t *acache, dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp, dns_dbnode_t **nodep, dns_name_t *fname, dns_message_t *msg, isc_stdtime_t now); isc_result_t (*setadditional)(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type, dns_rdatatype_t qtype, dns_acache_t *acache, dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node, dns_name_t *fname); isc_result_t (*putadditional)(dns_acache_t *acache, dns_rdataset_t *rdataset, dns_rdatasetadditional_t type, dns_rdatatype_t qtype); + void (*settrust)(dns_rdataset_t *rdataset, + dns_trust_t trust); + void (*expire)(dns_rdataset_t *rdataset); } dns_rdatasetmethods_t; #define DNS_RDATASET_MAGIC ISC_MAGIC('D','N','S','R') #define DNS_RDATASET_VALID(set) ISC_MAGIC_VALID(set, DNS_RDATASET_MAGIC) /*% * Direct use of this structure by clients is strongly discouraged, except * for the 'link' field which may be used however the client wishes. The * 'private', 'current', and 'index' fields MUST NOT be changed by clients. * rdataset implementations may change any of the fields. */ struct dns_rdataset { unsigned int magic; /* XXX ? */ dns_rdatasetmethods_t * methods; ISC_LINK(dns_rdataset_t) link; /* * XXX do we need these, or should they be retrieved by methods? * Leaning towards the latter, since they are not frequently required * once you have the rdataset. */ dns_rdataclass_t rdclass; dns_rdatatype_t type; dns_ttl_t ttl; dns_trust_t trust; dns_rdatatype_t covers; /* * attributes */ unsigned int attributes; /*% * the counter provides the starting point in the "cyclic" order. * The value ISC_UINT32_MAX has a special meaning of "picking up a * random value." in order to take care of databases that do not * increment the counter. */ isc_uint32_t count; /* * This RRSIG RRset should be re-generated around this time. * Only valid if DNS_RDATASETATTR_RESIGN is set in attributes. */ isc_stdtime_t resign; /*@{*/ /*% * These are for use by the rdataset implementation, and MUST NOT * be changed by clients. */ void * private1; void * private2; void * private3; unsigned int privateuint4; void * private5; void * private6; void * private7; /*@}*/ }; /*! * \def DNS_RDATASETATTR_RENDERED * Used by message.c to indicate that the rdataset was rendered. * * \def DNS_RDATASETATTR_TTLADJUSTED * Used by message.c to indicate that the rdataset's rdata had differing * TTL values, and the rdataset->ttl holds the smallest. * * \def DNS_RDATASETATTR_LOADORDER * Output the RRset in load order. */ #define DNS_RDATASETATTR_QUESTION 0x00000001 #define DNS_RDATASETATTR_RENDERED 0x00000002 /*%< Used by message.c */ #define DNS_RDATASETATTR_ANSWERED 0x00000004 /*%< Used by server. */ #define DNS_RDATASETATTR_CACHE 0x00000008 /*%< Used by resolver. */ #define DNS_RDATASETATTR_ANSWER 0x00000010 /*%< Used by resolver. */ #define DNS_RDATASETATTR_ANSWERSIG 0x00000020 /*%< Used by resolver. */ #define DNS_RDATASETATTR_EXTERNAL 0x00000040 /*%< Used by resolver. */ #define DNS_RDATASETATTR_NCACHE 0x00000080 /*%< Used by resolver. */ #define DNS_RDATASETATTR_CHAINING 0x00000100 /*%< Used by resolver. */ #define DNS_RDATASETATTR_TTLADJUSTED 0x00000200 /*%< Used by message.c */ #define DNS_RDATASETATTR_FIXEDORDER 0x00000400 #define DNS_RDATASETATTR_RANDOMIZE 0x00000800 #define DNS_RDATASETATTR_CHASE 0x00001000 /*%< Used by resolver. */ #define DNS_RDATASETATTR_NXDOMAIN 0x00002000 #define DNS_RDATASETATTR_NOQNAME 0x00004000 #define DNS_RDATASETATTR_CHECKNAMES 0x00008000 /*%< Used by resolver. */ #define DNS_RDATASETATTR_REQUIREDGLUE 0x00010000 #define DNS_RDATASETATTR_LOADORDER 0x00020000 #define DNS_RDATASETATTR_RESIGN 0x00040000 #define DNS_RDATASETATTR_CLOSEST 0x00080000 #define DNS_RDATASETATTR_OPTOUT 0x00100000 /*%< OPTOUT proof */ /*% * _OMITDNSSEC: * Omit DNSSEC records when rendering ncache records. */ #define DNS_RDATASETTOWIRE_OMITDNSSEC 0x0001 void dns_rdataset_init(dns_rdataset_t *rdataset); /*%< * Make 'rdataset' a valid, disassociated rdataset. * * Requires: *\li 'rdataset' is not NULL. * * Ensures: *\li 'rdataset' is a valid, disassociated rdataset. */ void dns_rdataset_invalidate(dns_rdataset_t *rdataset); /*%< * Invalidate 'rdataset'. * * Requires: *\li 'rdataset' is a valid, disassociated rdataset. * * Ensures: *\li If assertion checking is enabled, future attempts to use 'rdataset' * without initializing it will cause an assertion failure. */ void dns_rdataset_disassociate(dns_rdataset_t *rdataset); /*%< * Disassociate 'rdataset' from its rdata, allowing it to be reused. * * Notes: *\li The client must ensure it has no references to rdata in the rdataset * before disassociating. * * Requires: *\li 'rdataset' is a valid, associated rdataset. * * Ensures: *\li 'rdataset' is a valid, disassociated rdataset. */ isc_boolean_t dns_rdataset_isassociated(dns_rdataset_t *rdataset); /*%< * Is 'rdataset' associated? * * Requires: *\li 'rdataset' is a valid rdataset. * * Returns: *\li #ISC_TRUE 'rdataset' is associated. *\li #ISC_FALSE 'rdataset' is not associated. */ void dns_rdataset_makequestion(dns_rdataset_t *rdataset, dns_rdataclass_t rdclass, dns_rdatatype_t type); /*%< * Make 'rdataset' a valid, associated, question rdataset, with a * question class of 'rdclass' and type 'type'. * * Notes: *\li Question rdatasets have a class and type, but no rdata. * * Requires: *\li 'rdataset' is a valid, disassociated rdataset. * * Ensures: *\li 'rdataset' is a valid, associated, question rdataset. */ void dns_rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target); /*%< * Make 'target' refer to the same rdataset as 'source'. * * Requires: *\li 'source' is a valid, associated rdataset. * *\li 'target' is a valid, dissociated rdataset. * * Ensures: *\li 'target' references the same rdataset as 'source'. */ unsigned int dns_rdataset_count(dns_rdataset_t *rdataset); /*%< * Return the number of records in 'rdataset'. * * Requires: *\li 'rdataset' is a valid, associated rdataset. * * Returns: *\li The number of records in 'rdataset'. */ isc_result_t dns_rdataset_first(dns_rdataset_t *rdataset); /*%< * Move the rdata cursor to the first rdata in the rdataset (if any). * * Requires: *\li 'rdataset' is a valid, associated rdataset. * * Returns: *\li #ISC_R_SUCCESS *\li #ISC_R_NOMORE There are no rdata in the set. */ isc_result_t dns_rdataset_next(dns_rdataset_t *rdataset); /*%< * Move the rdata cursor to the next rdata in the rdataset (if any). * * Requires: *\li 'rdataset' is a valid, associated rdataset. * * Returns: *\li #ISC_R_SUCCESS *\li #ISC_R_NOMORE There are no more rdata in the set. */ void dns_rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata); /*%< * Make 'rdata' refer to the current rdata. * * Notes: * *\li The data returned in 'rdata' is valid for the life of the * rdataset; in particular, subsequent changes in the cursor position * do not invalidate 'rdata'. * * Requires: *\li 'rdataset' is a valid, associated rdataset. * *\li The rdata cursor of 'rdataset' is at a valid location (i.e. the * result of last call to a cursor movement command was ISC_R_SUCCESS). * * Ensures: *\li 'rdata' refers to the rdata at the rdata cursor location of *\li 'rdataset'. */ isc_result_t dns_rdataset_totext(dns_rdataset_t *rdataset, dns_name_t *owner_name, isc_boolean_t omit_final_dot, isc_boolean_t question, isc_buffer_t *target); /*%< * Convert 'rdataset' to text format, storing the result in 'target'. * * Notes: *\li The rdata cursor position will be changed. * *\li The 'question' flag should normally be #ISC_FALSE. If it is * #ISC_TRUE, the TTL and rdata fields are not printed. This is * for use when printing an rdata representing a question section. * *\li This interface is deprecated; use dns_master_rdatasettottext() * and/or dns_master_questiontotext() instead. * * Requires: *\li 'rdataset' is a valid rdataset. * *\li 'rdataset' is not empty. */ isc_result_t dns_rdataset_towire(dns_rdataset_t *rdataset, dns_name_t *owner_name, dns_compress_t *cctx, isc_buffer_t *target, unsigned int options, unsigned int *countp); /*%< * Convert 'rdataset' to wire format, compressing names as specified * in 'cctx', and storing the result in 'target'. * * Notes: *\li The rdata cursor position will be changed. * *\li The number of RRs added to target will be added to *countp. * * Requires: *\li 'rdataset' is a valid rdataset. * *\li 'rdataset' is not empty. * *\li 'countp' is a valid pointer. * * Ensures: *\li On a return of ISC_R_SUCCESS, 'target' contains a wire format * for the data contained in 'rdataset'. Any error return leaves * the buffer unchanged. * *\li *countp has been incremented by the number of RRs added to * target. * * Returns: *\li #ISC_R_SUCCESS - all ok *\li #ISC_R_NOSPACE - 'target' doesn't have enough room * *\li Any error returned by dns_rdata_towire(), dns_rdataset_next(), * dns_name_towire(). */ isc_result_t dns_rdataset_towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name, dns_compress_t *cctx, isc_buffer_t *target, dns_rdatasetorderfunc_t order, const void *order_arg, unsigned int options, unsigned int *countp); /*%< * Like dns_rdataset_towire(), but sorting the rdatasets according to * the integer value returned by 'order' when called with the rdataset * and 'order_arg' as arguments. * * Requires: *\li All the requirements of dns_rdataset_towire(), and * that order_arg is NULL if and only if order is NULL. */ isc_result_t dns_rdataset_towirepartial(dns_rdataset_t *rdataset, const dns_name_t *owner_name, dns_compress_t *cctx, isc_buffer_t *target, dns_rdatasetorderfunc_t order, const void *order_arg, unsigned int options, unsigned int *countp, void **state); /*%< * Like dns_rdataset_towiresorted() except that a partial rdataset * may be written. * * Requires: *\li All the requirements of dns_rdataset_towiresorted(). * If 'state' is non NULL then the current position in the * rdataset will be remembered if the rdataset in not * completely written and should be passed on on subsequent * calls (NOT CURRENTLY IMPLEMENTED). * * Returns: *\li #ISC_R_SUCCESS if all of the records were written. *\li #ISC_R_NOSPACE if unable to fit in all of the records. *countp * will be updated to reflect the number of records * written. */ isc_result_t dns_rdataset_additionaldata(dns_rdataset_t *rdataset, dns_additionaldatafunc_t add, void *arg); /*%< * For each rdata in rdataset, call 'add' for each name and type in the * rdata which is subject to additional section processing. * * Requires: * *\li 'rdataset' is a valid, non-question rdataset. * *\li 'add' is a valid dns_additionaldatafunc_t * * Ensures: * *\li If successful, dns_rdata_additionaldata() will have been called for * each rdata in 'rdataset'. * *\li If a call to dns_rdata_additionaldata() is not successful, the * result returned will be the result of dns_rdataset_additionaldata(). * * Returns: * *\li #ISC_R_SUCCESS * *\li Any error that dns_rdata_additionaldata() can return. */ isc_result_t dns_rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name, dns_rdataset_t *neg, dns_rdataset_t *negsig); /*%< * Return the noqname proof for this record. * * Requires: *\li 'rdataset' to be valid and #DNS_RDATASETATTR_NOQNAME to be set. *\li 'name' to be valid. *\li 'neg' and 'negsig' to be valid and not associated. */ isc_result_t dns_rdataset_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name); /*%< * Associate a noqname proof with this record. * Sets #DNS_RDATASETATTR_NOQNAME if successful. * Adjusts the 'rdataset->ttl' to minimum of the 'rdataset->ttl' and * the 'nsec'/'nsec3' and 'rrsig(nsec)'/'rrsig(nsec3)' ttl. * * Requires: *\li 'rdataset' to be valid and #DNS_RDATASETATTR_NOQNAME to be set. *\li 'name' to be valid and have NSEC or NSEC3 and associated RRSIG * rdatasets. */ isc_result_t dns_rdataset_getclosest(dns_rdataset_t *rdataset, dns_name_t *name, dns_rdataset_t *nsec, dns_rdataset_t *nsecsig); /*%< * Return the closest encloser for this record. * * Requires: *\li 'rdataset' to be valid and #DNS_RDATASETATTR_CLOSEST to be set. *\li 'name' to be valid. *\li 'nsec' and 'nsecsig' to be valid and not associated. */ isc_result_t dns_rdataset_addclosest(dns_rdataset_t *rdataset, dns_name_t *name); /*%< * Associate a closest encloset proof with this record. * Sets #DNS_RDATASETATTR_CLOSEST if successful. * Adjusts the 'rdataset->ttl' to minimum of the 'rdataset->ttl' and * the 'nsec' and 'rrsig(nsec)' ttl. * * Requires: *\li 'rdataset' to be valid and #DNS_RDATASETATTR_CLOSEST to be set. *\li 'name' to be valid and have NSEC3 and RRSIG(NSEC3) rdatasets. */ isc_result_t dns_rdataset_getadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type, dns_rdatatype_t qtype, dns_acache_t *acache, dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp, dns_dbnode_t **nodep, dns_name_t *fname, dns_message_t *msg, isc_stdtime_t now); /*%< * Get cached additional information from the DB node for a particular * 'rdataset.' 'type' is one of dns_rdatasetadditional_fromauth, * dns_rdatasetadditional_fromcache, and dns_rdatasetadditional_fromglue, * which specifies the origin of the information. 'qtype' is intended to * be used for specifying a particular rdata type in the cached information. * * Requires: * \li 'rdataset' is a valid rdataset. * \li 'acache' can be NULL, in which case this function will simply return * ISC_R_FAILURE. * \li For the other pointers, see dns_acache_getentry(). * * Ensures: * \li See dns_acache_getentry(). * * Returns: * \li #ISC_R_SUCCESS * \li #ISC_R_FAILURE - additional information caching is not supported. * \li #ISC_R_NOTFOUND - the corresponding DB node has not cached additional * information for 'rdataset.' * \li Any error that dns_acache_getentry() can return. */ isc_result_t dns_rdataset_setadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type, dns_rdatatype_t qtype, dns_acache_t *acache, dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node, dns_name_t *fname); /*%< * Set cached additional information to the DB node for a particular * 'rdataset.' See dns_rdataset_getadditional for the semantics of 'type' * and 'qtype'. * * Requires: * \li 'rdataset' is a valid rdataset. * \li 'acache' can be NULL, in which case this function will simply return * ISC_R_FAILURE. * \li For the other pointers, see dns_acache_setentry(). * * Ensures: * \li See dns_acache_setentry(). * * Returns: * \li #ISC_R_SUCCESS * \li #ISC_R_FAILURE - additional information caching is not supported. * \li #ISC_R_NOMEMORY * \li Any error that dns_acache_setentry() can return. */ isc_result_t dns_rdataset_putadditional(dns_acache_t *acache, dns_rdataset_t *rdataset, dns_rdatasetadditional_t type, dns_rdatatype_t qtype); /*%< * Discard cached additional information stored in the DB node for a particular * 'rdataset.' See dns_rdataset_getadditional for the semantics of 'type' * and 'qtype'. * * Requires: * \li 'rdataset' is a valid rdataset. * \li 'acache' can be NULL, in which case this function will simply return * ISC_R_FAILURE. * * Ensures: * \li See dns_acache_cancelentry(). * * Returns: * \li #ISC_R_SUCCESS * \li #ISC_R_FAILURE - additional information caching is not supported. * \li #ISC_R_NOTFOUND - the corresponding DB node has not cached additional * information for 'rdataset.' + */ + +void +dns_rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust); +/*%< + * Set the trust of the 'rdataset' to trust in any in the backing database. + * The local trust level of 'rdataset' is also set. + */ + +void +dns_rdataset_expire(dns_rdataset_t *rdataset); +/*%< + * Mark the rdataset to be expired in the backing database. */ ISC_LANG_ENDDECLS #endif /* DNS_RDATASET_H */ Index: head/contrib/bind9/lib/dns/include/dns/resolver.h =================================================================== --- head/contrib/bind9/lib/dns/include/dns/resolver.h (revision 205291) +++ head/contrib/bind9/lib/dns/include/dns/resolver.h (revision 205292) @@ -1,513 +1,555 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001, 2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.h,v 1.60.56.3 2009/01/29 22:40:35 jinmei Exp $ */ +/* $Id: resolver.h,v 1.60.56.3.22.2 2010/02/25 10:57:12 tbox Exp $ */ #ifndef DNS_RESOLVER_H #define DNS_RESOLVER_H 1 /***** ***** Module Info *****/ /*! \file dns/resolver.h * * \brief * This is the BIND 9 resolver, the module responsible for resolving DNS * requests by iteratively querying authoritative servers and following * referrals. This is a "full resolver", not to be confused with * the stub resolvers most people associate with the word "resolver". * The full resolver is part of the caching name server or resolver * daemon the stub resolver talks to. * * MP: *\li The module ensures appropriate synchronization of data structures it * creates and manipulates. * * Reliability: *\li No anticipated impact. * * Resources: *\li TBS * * Security: *\li No anticipated impact. * * Standards: *\li RFCs: 1034, 1035, 2181, TBS *\li Drafts: TBS */ #include #include #include #include ISC_LANG_BEGINDECLS /*% * A dns_fetchevent_t is sent when a 'fetch' completes. Any of 'db', * 'node', 'rdataset', and 'sigrdataset' may be bound. It is the * receiver's responsibility to detach before freeing the event. * \brief * 'rdataset', 'sigrdataset', 'client' and 'id' are the values that were * supplied when dns_resolver_createfetch() was called. They are returned * to the caller so that they may be freed. */ typedef struct dns_fetchevent { ISC_EVENT_COMMON(struct dns_fetchevent); dns_fetch_t * fetch; isc_result_t result; dns_rdatatype_t qtype; dns_db_t * db; dns_dbnode_t * node; dns_rdataset_t * rdataset; dns_rdataset_t * sigrdataset; dns_fixedname_t foundname; isc_sockaddr_t * client; dns_messageid_t id; } dns_fetchevent_t; /* * Options that modify how a 'fetch' is done. */ #define DNS_FETCHOPT_TCP 0x01 /*%< Use TCP. */ #define DNS_FETCHOPT_UNSHARED 0x02 /*%< See below. */ #define DNS_FETCHOPT_RECURSIVE 0x04 /*%< Set RD? */ #define DNS_FETCHOPT_NOEDNS0 0x08 /*%< Do not use EDNS. */ #define DNS_FETCHOPT_FORWARDONLY 0x10 /*%< Only use forwarders. */ #define DNS_FETCHOPT_NOVALIDATE 0x20 /*%< Disable validation. */ #define DNS_FETCHOPT_EDNS512 0x40 /*%< Advertise a 512 byte UDP buffer. */ #define DNS_FETCHOPT_WANTNSID 0x80 /*%< Request NSID */ #define DNS_FETCHOPT_EDNSVERSIONSET 0x00800000 #define DNS_FETCHOPT_EDNSVERSIONMASK 0xff000000 #define DNS_FETCHOPT_EDNSVERSIONSHIFT 24 /* * Upper bounds of class of query RTT (ms). Corresponds to * dns_resstatscounter_queryrttX statistics counters. */ #define DNS_RESOLVER_QRYRTTCLASS0 10 #define DNS_RESOLVER_QRYRTTCLASS0STR "10" #define DNS_RESOLVER_QRYRTTCLASS1 100 #define DNS_RESOLVER_QRYRTTCLASS1STR "100" #define DNS_RESOLVER_QRYRTTCLASS2 500 #define DNS_RESOLVER_QRYRTTCLASS2STR "500" #define DNS_RESOLVER_QRYRTTCLASS3 800 #define DNS_RESOLVER_QRYRTTCLASS3STR "800" #define DNS_RESOLVER_QRYRTTCLASS4 1600 #define DNS_RESOLVER_QRYRTTCLASS4STR "1600" /* * XXXRTH Should this API be made semi-private? (I.e. * _dns_resolver_create()). */ #define DNS_RESOLVER_CHECKNAMES 0x01 #define DNS_RESOLVER_CHECKNAMESFAIL 0x02 isc_result_t dns_resolver_create(dns_view_t *view, isc_taskmgr_t *taskmgr, unsigned int ntasks, isc_socketmgr_t *socketmgr, isc_timermgr_t *timermgr, unsigned int options, dns_dispatchmgr_t *dispatchmgr, dns_dispatch_t *dispatchv4, dns_dispatch_t *dispatchv6, dns_resolver_t **resp); /*%< * Create a resolver. * * Notes: * *\li Generally, applications should not create a resolver directly, but * should instead call dns_view_createresolver(). * * Requires: * *\li 'view' is a valid view. * *\li 'taskmgr' is a valid task manager. * *\li 'ntasks' > 0. * *\li 'socketmgr' is a valid socket manager. * *\li 'timermgr' is a valid timer manager. * *\li 'dispatchv4' is a valid dispatcher with an IPv4 UDP socket, or is NULL. * *\li 'dispatchv6' is a valid dispatcher with an IPv6 UDP socket, or is NULL. * *\li resp != NULL && *resp == NULL. * * Returns: * *\li #ISC_R_SUCCESS On success. * *\li Anything else Failure. */ void dns_resolver_freeze(dns_resolver_t *res); /*%< * Freeze resolver. * * Notes: * *\li Certain configuration changes cannot be made after the resolver * is frozen. Fetches cannot be created until the resolver is frozen. * * Requires: * *\li 'res' is a valid, unfrozen resolver. * * Ensures: * *\li 'res' is frozen. */ void dns_resolver_prime(dns_resolver_t *res); /*%< * Prime resolver. * * Notes: * *\li Resolvers which have a forwarding policy other than dns_fwdpolicy_only * need to be primed with the root nameservers, otherwise the root * nameserver hints data may be used indefinitely. This function requests * that the resolver start a priming fetch, if it isn't already priming. * * Requires: * *\li 'res' is a valid, frozen resolver. */ void dns_resolver_whenshutdown(dns_resolver_t *res, isc_task_t *task, isc_event_t **eventp); /*%< * Send '*eventp' to 'task' when 'res' has completed shutdown. * * Notes: * *\li It is not safe to detach the last reference to 'res' until * shutdown is complete. * * Requires: * *\li 'res' is a valid resolver. * *\li 'task' is a valid task. * *\li *eventp is a valid event. * * Ensures: * *\li *eventp == NULL. */ void dns_resolver_shutdown(dns_resolver_t *res); /*%< * Start the shutdown process for 'res'. * * Notes: * *\li This call has no effect if the resolver is already shutting down. * * Requires: * *\li 'res' is a valid resolver. */ void dns_resolver_attach(dns_resolver_t *source, dns_resolver_t **targetp); void dns_resolver_detach(dns_resolver_t **resp); isc_result_t dns_resolver_createfetch(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, dns_name_t *domain, dns_rdataset_t *nameservers, dns_forwarders_t *forwarders, unsigned int options, isc_task_t *task, isc_taskaction_t action, void *arg, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, dns_fetch_t **fetchp); isc_result_t dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, dns_name_t *domain, dns_rdataset_t *nameservers, dns_forwarders_t *forwarders, isc_sockaddr_t *client, isc_uint16_t id, unsigned int options, isc_task_t *task, isc_taskaction_t action, void *arg, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, dns_fetch_t **fetchp); /*%< * Recurse to answer a question. * * Notes: * *\li This call starts a query for 'name', type 'type'. * *\li The 'domain' is a parent domain of 'name' for which * a set of name servers 'nameservers' is known. If no * such name server information is available, set * 'domain' and 'nameservers' to NULL. * *\li 'forwarders' is unimplemented, and subject to change when * we figure out how selective forwarding will work. * *\li When the fetch completes (successfully or otherwise), a * #DNS_EVENT_FETCHDONE event with action 'action' and arg 'arg' will be * posted to 'task'. * *\li The values of 'rdataset' and 'sigrdataset' will be returned in * the FETCHDONE event. * *\li 'client' and 'id' are used for duplicate query detection. '*client' * must remain stable until after 'action' has been called or * dns_resolver_cancelfetch() is called. * * Requires: * *\li 'res' is a valid resolver that has been frozen. * *\li 'name' is a valid name. * *\li 'type' is not a meta type other than ANY. * *\li 'domain' is a valid name or NULL. * *\li 'nameservers' is a valid NS rdataset (whose owner name is 'domain') * iff. 'domain' is not NULL. * *\li 'forwarders' is NULL. * *\li 'client' is a valid sockaddr or NULL. * *\li 'options' contains valid options. * *\li 'rdataset' is a valid, disassociated rdataset. * *\li 'sigrdataset' is NULL, or is a valid, disassociated rdataset. * *\li fetchp != NULL && *fetchp == NULL. * * Returns: * *\li #ISC_R_SUCCESS Success *\li #DNS_R_DUPLICATE *\li #DNS_R_DROP * *\li Many other values are possible, all of which indicate failure. */ void dns_resolver_cancelfetch(dns_fetch_t *fetch); /*%< * Cancel 'fetch'. * * Notes: * *\li If 'fetch' has not completed, post its FETCHDONE event with a * result code of #ISC_R_CANCELED. * * Requires: * *\li 'fetch' is a valid fetch. */ void dns_resolver_destroyfetch(dns_fetch_t **fetchp); /*%< * Destroy 'fetch'. * * Requires: * *\li '*fetchp' is a valid fetch. * *\li The caller has received the FETCHDONE event (either because the * fetch completed or because dns_resolver_cancelfetch() was called). * * Ensures: * *\li *fetchp == NULL. */ void dns_resolver_logfetch(dns_fetch_t *fetch, isc_log_t *lctx, isc_logcategory_t *category, isc_logmodule_t *module, int level, isc_boolean_t duplicateok); /*%< * Dump a log message on internal state at the completion of given 'fetch'. * 'lctx', 'category', 'module', and 'level' are used to write the log message. * By default, only one log message is written even if the corresponding fetch * context serves multiple clients; if 'duplicateok' is true the suppression * is disabled and the message can be written every time this function is * called. * * Requires: * *\li 'fetch' is a valid fetch, and has completed. */ dns_dispatchmgr_t * dns_resolver_dispatchmgr(dns_resolver_t *resolver); dns_dispatch_t * dns_resolver_dispatchv4(dns_resolver_t *resolver); dns_dispatch_t * dns_resolver_dispatchv6(dns_resolver_t *resolver); isc_socketmgr_t * dns_resolver_socketmgr(dns_resolver_t *resolver); isc_taskmgr_t * dns_resolver_taskmgr(dns_resolver_t *resolver); isc_uint32_t dns_resolver_getlamettl(dns_resolver_t *resolver); /*%< * Get the resolver's lame-ttl. zero => no lame processing. * * Requires: *\li 'resolver' to be valid. */ void dns_resolver_setlamettl(dns_resolver_t *resolver, isc_uint32_t lame_ttl); /*%< * Set the resolver's lame-ttl. zero => no lame processing. * * Requires: *\li 'resolver' to be valid. */ unsigned int dns_resolver_nrunning(dns_resolver_t *resolver); /*%< * Return the number of currently running resolutions in this * resolver. This is may be less than the number of outstanding * fetches due to multiple identical fetches, or more than the * number of of outstanding fetches due to the fact that resolution * can continue even though a fetch has been canceled. */ isc_result_t dns_resolver_addalternate(dns_resolver_t *resolver, isc_sockaddr_t *alt, dns_name_t *name, in_port_t port); /*%< * Add alternate addresses to be tried in the event that the nameservers * for a zone are not available in the address families supported by the * operating system. * * Require: * \li only one of 'name' or 'alt' to be valid. */ void dns_resolver_setudpsize(dns_resolver_t *resolver, isc_uint16_t udpsize); /*%< * Set the EDNS UDP buffer size advertised by the server. */ isc_uint16_t dns_resolver_getudpsize(dns_resolver_t *resolver); /*%< * Get the current EDNS UDP buffer size. */ void dns_resolver_reset_algorithms(dns_resolver_t *resolver); /*%< * Clear the disabled DNSSEC algorithms. */ isc_result_t dns_resolver_disable_algorithm(dns_resolver_t *resolver, dns_name_t *name, unsigned int alg); /*%< * Mark the give DNSSEC algorithm as disabled and below 'name'. * Valid algorithms are less than 256. * * Returns: *\li #ISC_R_SUCCESS *\li #ISC_R_RANGE *\li #ISC_R_NOMEMORY */ isc_boolean_t dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name, unsigned int alg); /*%< * Check if the given algorithm is supported by this resolver. * This checks if the algorithm has been disabled via * dns_resolver_disable_algorithm() then the underlying * crypto libraries if not specifically disabled. */ isc_boolean_t dns_resolver_digest_supported(dns_resolver_t *resolver, unsigned int digest_type); /*%< * Is this digest type supported. */ void dns_resolver_resetmustbesecure(dns_resolver_t *resolver); isc_result_t dns_resolver_setmustbesecure(dns_resolver_t *resolver, dns_name_t *name, isc_boolean_t value); isc_boolean_t dns_resolver_getmustbesecure(dns_resolver_t *resolver, dns_name_t *name); void dns_resolver_setclientsperquery(dns_resolver_t *resolver, isc_uint32_t min, isc_uint32_t max); void dns_resolver_getclientsperquery(dns_resolver_t *resolver, isc_uint32_t *cur, isc_uint32_t *min, isc_uint32_t *max); isc_boolean_t dns_resolver_getzeronosoattl(dns_resolver_t *resolver); void dns_resolver_setzeronosoattl(dns_resolver_t *resolver, isc_boolean_t state); unsigned int dns_resolver_getoptions(dns_resolver_t *resolver); + +void +dns_resolver_addbadcache(dns_resolver_t *resolver, dns_name_t *name, + dns_rdatatype_t type, isc_time_t *expire); +/*%< + * Add a entry to the bad cache for that will expire at 'expire'. + * + * Requires: + * \li resolver to be valid. + * \li name to be valid. + */ + +isc_boolean_t +dns_resolver_getbadcache(dns_resolver_t *resolver, dns_name_t *name, + dns_rdatatype_t type, isc_time_t *now); +/*%< + * Check to see if there is a unexpired entry in the bad cache for + * . + * + * Requires: + * \li resolver to be valid. + * \li name to be valid. + */ + +void +dns_resolver_flushbadcache(dns_resolver_t *resolver, dns_name_t *name); +/*%< + * Flush the bad cache of all entries at 'name' if 'name' is non NULL. + * Flush the entire bad cache if 'name' is NULL. + * + * Requires: + * \li resolver to be valid. + */ + +void +dns_resolver_printbadcache(dns_resolver_t *resolver, FILE *fp); +/*% + * Print out the contents of the bad cache to 'fp'. + * + * Requires: + * \li resolver to be valid. + */ ISC_LANG_ENDDECLS #endif /* DNS_RESOLVER_H */ Index: head/contrib/bind9/lib/dns/include/dns/result.h =================================================================== --- head/contrib/bind9/lib/dns/include/dns/result.h (revision 205291) +++ head/contrib/bind9/lib/dns/include/dns/result.h (revision 205292) @@ -1,191 +1,193 @@ /* - * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2008, 2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1998-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: result.h,v 1.116 2008/09/25 04:02:39 tbox Exp $ */ +/* $Id: result.h,v 1.116.226.2 2010/02/25 10:57:12 tbox Exp $ */ #ifndef DNS_RESULT_H #define DNS_RESULT_H 1 /*! \file dns/result.h */ #include #include #include /* * Nothing in this file truly depends on , but the * DNS result codes are considered to be publicly derived from * the ISC result codes, so including this file buys you the ISC_R_ * namespace too. */ #include /* Contractual promise. */ /* * DNS library result codes */ #define DNS_R_LABELTOOLONG (ISC_RESULTCLASS_DNS + 0) #define DNS_R_BADESCAPE (ISC_RESULTCLASS_DNS + 1) /* * Since we dropped the support of bitstring labels, deprecate the related * result codes too. #define DNS_R_BADBITSTRING (ISC_RESULTCLASS_DNS + 2) #define DNS_R_BITSTRINGTOOLONG (ISC_RESULTCLASS_DNS + 3) */ #define DNS_R_EMPTYLABEL (ISC_RESULTCLASS_DNS + 4) #define DNS_R_BADDOTTEDQUAD (ISC_RESULTCLASS_DNS + 5) #define DNS_R_INVALIDNS (ISC_RESULTCLASS_DNS + 6) #define DNS_R_UNKNOWN (ISC_RESULTCLASS_DNS + 7) #define DNS_R_BADLABELTYPE (ISC_RESULTCLASS_DNS + 8) #define DNS_R_BADPOINTER (ISC_RESULTCLASS_DNS + 9) #define DNS_R_TOOMANYHOPS (ISC_RESULTCLASS_DNS + 10) #define DNS_R_DISALLOWED (ISC_RESULTCLASS_DNS + 11) #define DNS_R_EXTRATOKEN (ISC_RESULTCLASS_DNS + 12) #define DNS_R_EXTRADATA (ISC_RESULTCLASS_DNS + 13) #define DNS_R_TEXTTOOLONG (ISC_RESULTCLASS_DNS + 14) #define DNS_R_NOTZONETOP (ISC_RESULTCLASS_DNS + 15) #define DNS_R_SYNTAX (ISC_RESULTCLASS_DNS + 16) #define DNS_R_BADCKSUM (ISC_RESULTCLASS_DNS + 17) #define DNS_R_BADAAAA (ISC_RESULTCLASS_DNS + 18) #define DNS_R_NOOWNER (ISC_RESULTCLASS_DNS + 19) #define DNS_R_NOTTL (ISC_RESULTCLASS_DNS + 20) #define DNS_R_BADCLASS (ISC_RESULTCLASS_DNS + 21) #define DNS_R_NAMETOOLONG (ISC_RESULTCLASS_DNS + 22) #define DNS_R_PARTIALMATCH (ISC_RESULTCLASS_DNS + 23) #define DNS_R_NEWORIGIN (ISC_RESULTCLASS_DNS + 24) #define DNS_R_UNCHANGED (ISC_RESULTCLASS_DNS + 25) #define DNS_R_BADTTL (ISC_RESULTCLASS_DNS + 26) #define DNS_R_NOREDATA (ISC_RESULTCLASS_DNS + 27) #define DNS_R_CONTINUE (ISC_RESULTCLASS_DNS + 28) #define DNS_R_DELEGATION (ISC_RESULTCLASS_DNS + 29) #define DNS_R_GLUE (ISC_RESULTCLASS_DNS + 30) #define DNS_R_DNAME (ISC_RESULTCLASS_DNS + 31) #define DNS_R_CNAME (ISC_RESULTCLASS_DNS + 32) #define DNS_R_BADDB (ISC_RESULTCLASS_DNS + 33) #define DNS_R_ZONECUT (ISC_RESULTCLASS_DNS + 34) #define DNS_R_BADZONE (ISC_RESULTCLASS_DNS + 35) #define DNS_R_MOREDATA (ISC_RESULTCLASS_DNS + 36) #define DNS_R_UPTODATE (ISC_RESULTCLASS_DNS + 37) #define DNS_R_TSIGVERIFYFAILURE (ISC_RESULTCLASS_DNS + 38) #define DNS_R_TSIGERRORSET (ISC_RESULTCLASS_DNS + 39) #define DNS_R_SIGINVALID (ISC_RESULTCLASS_DNS + 40) #define DNS_R_SIGEXPIRED (ISC_RESULTCLASS_DNS + 41) #define DNS_R_SIGFUTURE (ISC_RESULTCLASS_DNS + 42) #define DNS_R_KEYUNAUTHORIZED (ISC_RESULTCLASS_DNS + 43) #define DNS_R_INVALIDTIME (ISC_RESULTCLASS_DNS + 44) #define DNS_R_EXPECTEDTSIG (ISC_RESULTCLASS_DNS + 45) #define DNS_R_UNEXPECTEDTSIG (ISC_RESULTCLASS_DNS + 46) #define DNS_R_INVALIDTKEY (ISC_RESULTCLASS_DNS + 47) #define DNS_R_HINT (ISC_RESULTCLASS_DNS + 48) #define DNS_R_DROP (ISC_RESULTCLASS_DNS + 49) #define DNS_R_NOTLOADED (ISC_RESULTCLASS_DNS + 50) #define DNS_R_NCACHENXDOMAIN (ISC_RESULTCLASS_DNS + 51) #define DNS_R_NCACHENXRRSET (ISC_RESULTCLASS_DNS + 52) #define DNS_R_WAIT (ISC_RESULTCLASS_DNS + 53) #define DNS_R_NOTVERIFIEDYET (ISC_RESULTCLASS_DNS + 54) #define DNS_R_NOIDENTITY (ISC_RESULTCLASS_DNS + 55) #define DNS_R_NOJOURNAL (ISC_RESULTCLASS_DNS + 56) #define DNS_R_ALIAS (ISC_RESULTCLASS_DNS + 57) #define DNS_R_USETCP (ISC_RESULTCLASS_DNS + 58) #define DNS_R_NOVALIDSIG (ISC_RESULTCLASS_DNS + 59) #define DNS_R_NOVALIDNSEC (ISC_RESULTCLASS_DNS + 60) #define DNS_R_NOTINSECURE (ISC_RESULTCLASS_DNS + 61) #define DNS_R_UNKNOWNSERVICE (ISC_RESULTCLASS_DNS + 62) #define DNS_R_RECOVERABLE (ISC_RESULTCLASS_DNS + 63) #define DNS_R_UNKNOWNOPT (ISC_RESULTCLASS_DNS + 64) #define DNS_R_UNEXPECTEDID (ISC_RESULTCLASS_DNS + 65) #define DNS_R_SEENINCLUDE (ISC_RESULTCLASS_DNS + 66) #define DNS_R_NOTEXACT (ISC_RESULTCLASS_DNS + 67) #define DNS_R_BLACKHOLED (ISC_RESULTCLASS_DNS + 68) #define DNS_R_BADALG (ISC_RESULTCLASS_DNS + 69) #define DNS_R_METATYPE (ISC_RESULTCLASS_DNS + 70) #define DNS_R_CNAMEANDOTHER (ISC_RESULTCLASS_DNS + 71) #define DNS_R_SINGLETON (ISC_RESULTCLASS_DNS + 72) #define DNS_R_HINTNXRRSET (ISC_RESULTCLASS_DNS + 73) #define DNS_R_NOMASTERFILE (ISC_RESULTCLASS_DNS + 74) #define DNS_R_UNKNOWNPROTO (ISC_RESULTCLASS_DNS + 75) #define DNS_R_CLOCKSKEW (ISC_RESULTCLASS_DNS + 76) #define DNS_R_BADIXFR (ISC_RESULTCLASS_DNS + 77) #define DNS_R_NOTAUTHORITATIVE (ISC_RESULTCLASS_DNS + 78) #define DNS_R_NOVALIDKEY (ISC_RESULTCLASS_DNS + 79) #define DNS_R_OBSOLETE (ISC_RESULTCLASS_DNS + 80) #define DNS_R_FROZEN (ISC_RESULTCLASS_DNS + 81) #define DNS_R_UNKNOWNFLAG (ISC_RESULTCLASS_DNS + 82) #define DNS_R_EXPECTEDRESPONSE (ISC_RESULTCLASS_DNS + 83) #define DNS_R_NOVALIDDS (ISC_RESULTCLASS_DNS + 84) #define DNS_R_NSISADDRESS (ISC_RESULTCLASS_DNS + 85) #define DNS_R_REMOTEFORMERR (ISC_RESULTCLASS_DNS + 86) #define DNS_R_TRUNCATEDTCP (ISC_RESULTCLASS_DNS + 87) #define DNS_R_LAME (ISC_RESULTCLASS_DNS + 88) #define DNS_R_UNEXPECTEDRCODE (ISC_RESULTCLASS_DNS + 89) #define DNS_R_UNEXPECTEDOPCODE (ISC_RESULTCLASS_DNS + 90) #define DNS_R_CHASEDSSERVERS (ISC_RESULTCLASS_DNS + 91) #define DNS_R_EMPTYNAME (ISC_RESULTCLASS_DNS + 92) #define DNS_R_EMPTYWILD (ISC_RESULTCLASS_DNS + 93) #define DNS_R_BADBITMAP (ISC_RESULTCLASS_DNS + 94) #define DNS_R_FROMWILDCARD (ISC_RESULTCLASS_DNS + 95) #define DNS_R_BADOWNERNAME (ISC_RESULTCLASS_DNS + 96) #define DNS_R_BADNAME (ISC_RESULTCLASS_DNS + 97) #define DNS_R_DYNAMIC (ISC_RESULTCLASS_DNS + 98) #define DNS_R_UNKNOWNCOMMAND (ISC_RESULTCLASS_DNS + 99) #define DNS_R_MUSTBESECURE (ISC_RESULTCLASS_DNS + 100) #define DNS_R_COVERINGNSEC (ISC_RESULTCLASS_DNS + 101) #define DNS_R_MXISADDRESS (ISC_RESULTCLASS_DNS + 102) #define DNS_R_DUPLICATE (ISC_RESULTCLASS_DNS + 103) #define DNS_R_INVALIDNSEC3 (ISC_RESULTCLASS_DNS + 104) +#define DNS_R_NOTMASTER (ISC_RESULTCLASS_DNS + 105) +#define DNS_R_BROKENCHAIN (ISC_RESULTCLASS_DNS + 106) -#define DNS_R_NRESULTS 105 /*%< Number of results */ +#define DNS_R_NRESULTS 107 /*%< Number of results */ /* * DNS wire format rcodes. * * By making these their own class we can easily convert them into the * wire-format rcode value simply by masking off the resultclass. */ #define DNS_R_NOERROR (ISC_RESULTCLASS_DNSRCODE + 0) #define DNS_R_FORMERR (ISC_RESULTCLASS_DNSRCODE + 1) #define DNS_R_SERVFAIL (ISC_RESULTCLASS_DNSRCODE + 2) #define DNS_R_NXDOMAIN (ISC_RESULTCLASS_DNSRCODE + 3) #define DNS_R_NOTIMP (ISC_RESULTCLASS_DNSRCODE + 4) #define DNS_R_REFUSED (ISC_RESULTCLASS_DNSRCODE + 5) #define DNS_R_YXDOMAIN (ISC_RESULTCLASS_DNSRCODE + 6) #define DNS_R_YXRRSET (ISC_RESULTCLASS_DNSRCODE + 7) #define DNS_R_NXRRSET (ISC_RESULTCLASS_DNSRCODE + 8) #define DNS_R_NOTAUTH (ISC_RESULTCLASS_DNSRCODE + 9) #define DNS_R_NOTZONE (ISC_RESULTCLASS_DNSRCODE + 10) #define DNS_R_BADVERS (ISC_RESULTCLASS_DNSRCODE + 16) #define DNS_R_NRCODERESULTS 17 /*%< Number of rcode results */ #define DNS_RESULT_ISRCODE(result) \ (ISC_RESULTCLASS_INCLASS(ISC_RESULTCLASS_DNSRCODE, (result))) ISC_LANG_BEGINDECLS const char * dns_result_totext(isc_result_t); void dns_result_register(void); dns_rcode_t dns_result_torcode(isc_result_t result); ISC_LANG_ENDDECLS #endif /* DNS_RESULT_H */ Index: head/contrib/bind9/lib/dns/include/dns/validator.h =================================================================== --- head/contrib/bind9/lib/dns/include/dns/validator.h (revision 205291) +++ head/contrib/bind9/lib/dns/include/dns/validator.h (revision 205292) @@ -1,255 +1,257 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.h,v 1.41.48.3 2009/01/18 23:25:17 marka Exp $ */ +/* $Id: validator.h,v 1.41.48.3.22.2 2010/02/25 10:57:12 tbox Exp $ */ #ifndef DNS_VALIDATOR_H #define DNS_VALIDATOR_H 1 /***** ***** Module Info *****/ /*! \file dns/validator.h * * \brief * DNS Validator * This is the BIND 9 validator, the module responsible for validating the * rdatasets and negative responses (messages). It makes use of zones in * the view and may fetch RRset to complete trust chains. It implements * DNSSEC as specified in RFC 4033, 4034 and 4035. * * It can also optionally implement ISC's DNSSEC look-aside validation. * * Correct operation is critical to preventing spoofed answers from secure * zones being accepted. * * MP: *\li The module ensures appropriate synchronization of data structures it * creates and manipulates. * * Reliability: *\li No anticipated impact. * * Resources: *\li TBS * * Security: *\li No anticipated impact. * * Standards: *\li RFCs: 1034, 1035, 2181, 4033, 4034, 4035. */ #include #include #include #include #include #include #include /* for dns_rdata_rrsig_t */ #include /*% * A dns_validatorevent_t is sent when a 'validation' completes. * \brief * 'name', 'rdataset', 'sigrdataset', and 'message' are the values that were * supplied when dns_validator_create() was called. They are returned to the * caller so that they may be freed. * * If the RESULT is ISC_R_SUCCESS and the answer is secure then * proofs[] will contain the names of the NSEC records that hold the * various proofs. Note the same name may appear multiple times. */ typedef struct dns_validatorevent { ISC_EVENT_COMMON(struct dns_validatorevent); dns_validator_t * validator; isc_result_t result; /* * Name and type of the response to be validated. */ dns_name_t * name; dns_rdatatype_t type; /* * Rdata and RRSIG (if any) for positive responses. */ dns_rdataset_t * rdataset; dns_rdataset_t * sigrdataset; /* * The full response. Required for negative responses. * Also required for positive wildcard responses. */ dns_message_t * message; /* * Proofs to be cached. */ dns_name_t * proofs[4]; /* * Optout proof seen. */ isc_boolean_t optout; } dns_validatorevent_t; #define DNS_VALIDATOR_NOQNAMEPROOF 0 #define DNS_VALIDATOR_NODATAPROOF 1 #define DNS_VALIDATOR_NOWILDCARDPROOF 2 #define DNS_VALIDATOR_CLOSESTENCLOSER 3 /*% * A validator object represents a validation in progress. * \brief * Clients are strongly discouraged from using this type directly, with * the exception of the 'link' field, which may be used directly for * whatever purpose the client desires. */ struct dns_validator { /* Unlocked. */ unsigned int magic; isc_mutex_t lock; dns_view_t * view; /* Locked by lock. */ unsigned int options; unsigned int attributes; dns_validatorevent_t * event; dns_fetch_t * fetch; dns_validator_t * subvalidator; dns_validator_t * parent; dns_keytable_t * keytable; dns_keynode_t * keynode; dst_key_t * key; dns_rdata_rrsig_t * siginfo; isc_task_t * task; isc_taskaction_t action; void * arg; unsigned int labels; dns_rdataset_t * currentset; isc_boolean_t seensig; dns_rdataset_t * keyset; dns_rdataset_t * dsset; dns_rdataset_t * soaset; dns_rdataset_t * nsecset; dns_rdataset_t * nsec3set; dns_name_t * soaname; dns_rdataset_t frdataset; dns_rdataset_t fsigrdataset; dns_fixedname_t fname; dns_fixedname_t wild; dns_fixedname_t nearest; dns_fixedname_t closest; ISC_LINK(dns_validator_t) link; dns_rdataset_t dlv; dns_fixedname_t dlvsep; isc_boolean_t havedlvsep; isc_boolean_t mustbesecure; unsigned int dlvlabels; unsigned int depth; + unsigned int authcount; + unsigned int authfail; }; /*% * dns_validator_create() options. */ #define DNS_VALIDATOR_DLV 1U #define DNS_VALIDATOR_DEFER 2U ISC_LANG_BEGINDECLS isc_result_t dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, dns_message_t *message, unsigned int options, isc_task_t *task, isc_taskaction_t action, void *arg, dns_validator_t **validatorp); /*%< * Start a DNSSEC validation. * * This validates a response to the question given by * 'name' and 'type'. * * To validate a positive response, the response data is * given by 'rdataset' and 'sigrdataset'. If 'sigrdataset' * is NULL, the data is presumed insecure and an attempt * is made to prove its insecurity by finding the appropriate * null key. * * The complete response message may be given in 'message', * to make available any authority section NSECs that may be * needed for validation of a response resulting from a * wildcard expansion (though no such wildcard validation * is implemented yet). If the complete response message * is not available, 'message' is NULL. * * To validate a negative response, the complete negative response * message is given in 'message'. The 'rdataset', and * 'sigrdataset' arguments must be NULL, but the 'name' and 'type' * arguments must be provided. * * The validation is performed in the context of 'view'. * * When the validation finishes, a dns_validatorevent_t with * the given 'action' and 'arg' are sent to 'task'. * Its 'result' field will be ISC_R_SUCCESS iff the * response was successfully proven to be either secure or * part of a known insecure domain. * * options: * If DNS_VALIDATOR_DLV is set the caller knows there is not a * trusted key and the validator should immediately attempt to validate * the answer by looking for an appropriate DLV RRset. */ void dns_validator_send(dns_validator_t *validator); /*%< * Send a deferred validation request * * Requires: * 'validator' to points to a valid DNSSEC validator. */ void dns_validator_cancel(dns_validator_t *validator); /*%< * Cancel a DNSSEC validation in progress. * * Requires: *\li 'validator' points to a valid DNSSEC validator, which * may or may not already have completed. * * Ensures: *\li It the validator has not already sent its completion * event, it will send it with result code ISC_R_CANCELED. */ void dns_validator_destroy(dns_validator_t **validatorp); /*%< * Destroy a DNSSEC validator. * * Requires: *\li '*validatorp' points to a valid DNSSEC validator. * \li The validator must have completed and sent its completion * event. * * Ensures: *\li All resources used by the validator are freed. */ ISC_LANG_ENDDECLS #endif /* DNS_VALIDATOR_H */ Index: head/contrib/bind9/lib/dns/ncache.c =================================================================== --- head/contrib/bind9/lib/dns/ncache.c (revision 205291) +++ head/contrib/bind9/lib/dns/ncache.c (revision 205292) @@ -1,658 +1,660 @@ /* - * Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007, 2008, 2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: ncache.c,v 1.43 2008/09/25 04:02:38 tbox Exp $ */ +/* $Id: ncache.c,v 1.43.334.2 2010/02/25 10:57:11 tbox Exp $ */ /*! \file */ #include #include #include #include #include #include #include #include #include #include #define DNS_NCACHE_RDATA 20U /* * The format of an ncache rdata is a sequence of one or more records of * the following format: * * owner name * type * rdata count * rdata length These two occur 'rdata count' * rdata times. * */ static inline isc_result_t copy_rdataset(dns_rdataset_t *rdataset, isc_buffer_t *buffer) { isc_result_t result; unsigned int count; isc_region_t ar, r; dns_rdata_t rdata = DNS_RDATA_INIT; /* * Copy the rdataset count to the buffer. */ isc_buffer_availableregion(buffer, &ar); if (ar.length < 2) return (ISC_R_NOSPACE); count = dns_rdataset_count(rdataset); INSIST(count <= 65535); isc_buffer_putuint16(buffer, (isc_uint16_t)count); result = dns_rdataset_first(rdataset); while (result == ISC_R_SUCCESS) { dns_rdataset_current(rdataset, &rdata); dns_rdata_toregion(&rdata, &r); INSIST(r.length <= 65535); isc_buffer_availableregion(buffer, &ar); if (ar.length < 2) return (ISC_R_NOSPACE); /* * Copy the rdata length to the buffer. */ isc_buffer_putuint16(buffer, (isc_uint16_t)r.length); /* * Copy the rdata to the buffer. */ result = isc_buffer_copyregion(buffer, &r); if (result != ISC_R_SUCCESS) return (result); dns_rdata_reset(&rdata); result = dns_rdataset_next(rdataset); } if (result != ISC_R_NOMORE) return (result); return (ISC_R_SUCCESS); } isc_result_t dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node, dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl, dns_rdataset_t *addedrdataset) { return (dns_ncache_addoptout(message, cache, node, covers, now, maxttl, ISC_FALSE, addedrdataset)); } isc_result_t dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node, dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl, isc_boolean_t optout, dns_rdataset_t *addedrdataset) { isc_result_t result; isc_buffer_t buffer; isc_region_t r; dns_rdataset_t *rdataset; dns_rdatatype_t type; dns_name_t *name; dns_ttl_t ttl; dns_trust_t trust; dns_rdata_t rdata[DNS_NCACHE_RDATA]; dns_rdataset_t ncrdataset; dns_rdatalist_t ncrdatalist; unsigned char data[4096]; unsigned int next = 0; /* * Convert the authority data from 'message' into a negative cache * rdataset, and store it in 'cache' at 'node'. */ REQUIRE(message != NULL); /* * We assume that all data in the authority section has been * validated by the caller. */ /* * Initialize the list. */ ncrdatalist.rdclass = dns_db_class(cache); ncrdatalist.type = 0; ncrdatalist.covers = covers; ncrdatalist.ttl = maxttl; ISC_LIST_INIT(ncrdatalist.rdata); ISC_LINK_INIT(&ncrdatalist, link); /* * Build an ncache rdatas into buffer. */ ttl = maxttl; trust = 0xffff; isc_buffer_init(&buffer, data, sizeof(data)); if (message->counts[DNS_SECTION_AUTHORITY]) result = dns_message_firstname(message, DNS_SECTION_AUTHORITY); else result = ISC_R_NOMORE; while (result == ISC_R_SUCCESS) { name = NULL; dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name); if ((name->attributes & DNS_NAMEATTR_NCACHE) != 0) { for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { if ((rdataset->attributes & DNS_RDATASETATTR_NCACHE) == 0) continue; type = rdataset->type; if (type == dns_rdatatype_rrsig) type = rdataset->covers; if (type == dns_rdatatype_soa || type == dns_rdatatype_nsec || type == dns_rdatatype_nsec3) { if (ttl > rdataset->ttl) ttl = rdataset->ttl; if (trust > rdataset->trust) trust = rdataset->trust; /* * Copy the owner name to the buffer. */ dns_name_toregion(name, &r); result = isc_buffer_copyregion(&buffer, &r); if (result != ISC_R_SUCCESS) return (result); /* * Copy the type to the buffer. */ isc_buffer_availableregion(&buffer, &r); if (r.length < 2) return (ISC_R_NOSPACE); isc_buffer_putuint16(&buffer, rdataset->type); /* * Copy the rdataset into the buffer. */ result = copy_rdataset(rdataset, &buffer); if (result != ISC_R_SUCCESS) return (result); if (next >= DNS_NCACHE_RDATA) return (ISC_R_NOSPACE); dns_rdata_init(&rdata[next]); isc_buffer_remainingregion(&buffer, &r); rdata[next].data = r.base; rdata[next].length = r.length; rdata[next].rdclass = ncrdatalist.rdclass; rdata[next].type = 0; rdata[next].flags = 0; ISC_LIST_APPEND(ncrdatalist.rdata, &rdata[next], link); isc_buffer_forward(&buffer, r.length); next++; } } } result = dns_message_nextname(message, DNS_SECTION_AUTHORITY); } if (result != ISC_R_NOMORE) return (result); if (trust == 0xffff) { /* * We didn't find any authority data from which to create a * negative cache rdataset. In particular, we have no SOA. * * We trust that the caller wants negative caching, so this * means we have a "type 3 nxdomain" or "type 3 nodata" * response (see RFC2308 for details). * * We will now build a suitable negative cache rdataset that * will cause zero bytes to be emitted when converted to * wire format. */ /* * The ownername must exist, but it doesn't matter what value * it has. We use the root name. */ dns_name_toregion(dns_rootname, &r); result = isc_buffer_copyregion(&buffer, &r); if (result != ISC_R_SUCCESS) return (result); /* * Copy the type and a zero rdata count to the buffer. */ isc_buffer_availableregion(&buffer, &r); if (r.length < 4) return (ISC_R_NOSPACE); isc_buffer_putuint16(&buffer, 0); isc_buffer_putuint16(&buffer, 0); /* * RFC2308, section 5, says that negative answers without * SOAs should not be cached. */ ttl = 0; /* * Set trust. */ if ((message->flags & DNS_MESSAGEFLAG_AA) != 0 && message->counts[DNS_SECTION_ANSWER] == 0) { /* * The response has aa set and we haven't followed * any CNAME or DNAME chains. */ trust = dns_trust_authauthority; } else trust = dns_trust_additional; /* * Now add it to the cache. */ if (next >= DNS_NCACHE_RDATA) return (ISC_R_NOSPACE); dns_rdata_init(&rdata[next]); isc_buffer_remainingregion(&buffer, &r); rdata[next].data = r.base; rdata[next].length = r.length; rdata[next].rdclass = ncrdatalist.rdclass; rdata[next].type = 0; rdata[next].flags = 0; ISC_LIST_APPEND(ncrdatalist.rdata, &rdata[next], link); } INSIST(trust != 0xffff); ncrdatalist.ttl = ttl; dns_rdataset_init(&ncrdataset); RUNTIME_CHECK(dns_rdatalist_tordataset(&ncrdatalist, &ncrdataset) == ISC_R_SUCCESS); ncrdataset.trust = trust; if (message->rcode == dns_rcode_nxdomain) ncrdataset.attributes |= DNS_RDATASETATTR_NXDOMAIN; if (optout) ncrdataset.attributes |= DNS_RDATASETATTR_OPTOUT; return (dns_db_addrdataset(cache, node, NULL, now, &ncrdataset, 0, addedrdataset)); } isc_result_t dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx, isc_buffer_t *target, unsigned int options, unsigned int *countp) { dns_rdata_t rdata = DNS_RDATA_INIT; isc_result_t result; isc_region_t remaining, tavailable; isc_buffer_t source, savedbuffer, rdlen; dns_name_t name; dns_rdatatype_t type; unsigned int i, rcount, count; /* * Convert the negative caching rdataset 'rdataset' to wire format, * compressing names as specified in 'cctx', and storing the result in * 'target'. */ REQUIRE(rdataset != NULL); REQUIRE(rdataset->type == 0); savedbuffer = *target; count = 0; result = dns_rdataset_first(rdataset); while (result == ISC_R_SUCCESS) { dns_rdataset_current(rdataset, &rdata); isc_buffer_init(&source, rdata.data, rdata.length); isc_buffer_add(&source, rdata.length); dns_name_init(&name, NULL); isc_buffer_remainingregion(&source, &remaining); dns_name_fromregion(&name, &remaining); INSIST(remaining.length >= name.length); isc_buffer_forward(&source, name.length); remaining.length -= name.length; INSIST(remaining.length >= 4); type = isc_buffer_getuint16(&source); rcount = isc_buffer_getuint16(&source); for (i = 0; i < rcount; i++) { /* * Get the length of this rdata and set up an * rdata structure for it. */ isc_buffer_remainingregion(&source, &remaining); INSIST(remaining.length >= 2); dns_rdata_reset(&rdata); rdata.length = isc_buffer_getuint16(&source); isc_buffer_remainingregion(&source, &remaining); rdata.data = remaining.base; rdata.type = type; rdata.rdclass = rdataset->rdclass; INSIST(remaining.length >= rdata.length); isc_buffer_forward(&source, rdata.length); if ((options & DNS_NCACHETOWIRE_OMITDNSSEC) != 0 && dns_rdatatype_isdnssec(type)) continue; /* * Write the name. */ dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14); result = dns_name_towire(&name, cctx, target); if (result != ISC_R_SUCCESS) goto rollback; /* * See if we have space for type, class, ttl, and * rdata length. Write the type, class, and ttl. */ isc_buffer_availableregion(target, &tavailable); if (tavailable.length < 10) { result = ISC_R_NOSPACE; goto rollback; } isc_buffer_putuint16(target, type); isc_buffer_putuint16(target, rdataset->rdclass); isc_buffer_putuint32(target, rdataset->ttl); /* * Save space for rdata length. */ rdlen = *target; isc_buffer_add(target, 2); /* * Write the rdata. */ result = dns_rdata_towire(&rdata, cctx, target); if (result != ISC_R_SUCCESS) goto rollback; /* * Set the rdata length field to the compressed * length. */ INSIST((target->used >= rdlen.used + 2) && (target->used - rdlen.used - 2 < 65536)); isc_buffer_putuint16(&rdlen, (isc_uint16_t)(target->used - rdlen.used - 2)); count++; } INSIST(isc_buffer_remaininglength(&source) == 0); result = dns_rdataset_next(rdataset); dns_rdata_reset(&rdata); } if (result != ISC_R_NOMORE) goto rollback; *countp = count; return (ISC_R_SUCCESS); rollback: INSIST(savedbuffer.used < 65536); dns_compress_rollback(cctx, (isc_uint16_t)savedbuffer.used); *countp = 0; *target = savedbuffer; return (result); } static void rdataset_disassociate(dns_rdataset_t *rdataset) { UNUSED(rdataset); } static isc_result_t rdataset_first(dns_rdataset_t *rdataset) { unsigned char *raw = rdataset->private3; unsigned int count; count = raw[0] * 256 + raw[1]; if (count == 0) { rdataset->private5 = NULL; return (ISC_R_NOMORE); } raw += 2; /* * The privateuint4 field is the number of rdata beyond the cursor * position, so we decrement the total count by one before storing * it. */ count--; rdataset->privateuint4 = count; rdataset->private5 = raw; return (ISC_R_SUCCESS); } static isc_result_t rdataset_next(dns_rdataset_t *rdataset) { unsigned int count; unsigned int length; unsigned char *raw; count = rdataset->privateuint4; if (count == 0) return (ISC_R_NOMORE); count--; rdataset->privateuint4 = count; raw = rdataset->private5; length = raw[0] * 256 + raw[1]; raw += length + 2; rdataset->private5 = raw; return (ISC_R_SUCCESS); } static void rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) { unsigned char *raw = rdataset->private5; isc_region_t r; REQUIRE(raw != NULL); r.length = raw[0] * 256 + raw[1]; raw += 2; r.base = raw; dns_rdata_fromregion(rdata, rdataset->rdclass, rdataset->type, &r); } static void rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) { *target = *source; /* * Reset iterator state. */ target->privateuint4 = 0; target->private5 = NULL; } static unsigned int rdataset_count(dns_rdataset_t *rdataset) { unsigned char *raw = rdataset->private3; unsigned int count; count = raw[0] * 256 + raw[1]; return (count); } static dns_rdatasetmethods_t rdataset_methods = { rdataset_disassociate, rdataset_first, rdataset_next, rdataset_current, rdataset_clone, rdataset_count, + NULL, + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }; isc_result_t dns_ncache_getrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name, dns_rdatatype_t type, dns_rdataset_t *rdataset) { isc_result_t result; dns_rdata_t rdata = DNS_RDATA_INIT; isc_region_t remaining; isc_buffer_t source; dns_name_t tname; dns_rdatatype_t ttype; REQUIRE(ncacherdataset != NULL); REQUIRE(ncacherdataset->type == 0); REQUIRE(name != NULL); REQUIRE(!dns_rdataset_isassociated(rdataset)); REQUIRE(type != dns_rdatatype_rrsig); result = dns_rdataset_first(ncacherdataset); while (result == ISC_R_SUCCESS) { dns_rdataset_current(ncacherdataset, &rdata); isc_buffer_init(&source, rdata.data, rdata.length); isc_buffer_add(&source, rdata.length); dns_name_init(&tname, NULL); isc_buffer_remainingregion(&source, &remaining); dns_name_fromregion(&tname, &remaining); INSIST(remaining.length >= tname.length); isc_buffer_forward(&source, tname.length); remaining.length -= tname.length; INSIST(remaining.length >= 4); ttype = isc_buffer_getuint16(&source); if (ttype == type && dns_name_equal(&tname, name)) { isc_buffer_remainingregion(&source, &remaining); break; } result = dns_rdataset_next(ncacherdataset); dns_rdata_reset(&rdata); } if (result == ISC_R_NOMORE) return (ISC_R_NOTFOUND); if (result != ISC_R_SUCCESS) return (result); INSIST(remaining.length != 0); rdataset->methods = &rdataset_methods; rdataset->rdclass = ncacherdataset->rdclass; rdataset->type = type; rdataset->covers = 0; rdataset->ttl = ncacherdataset->ttl; rdataset->trust = ncacherdataset->trust; rdataset->private1 = NULL; rdataset->private2 = NULL; rdataset->private3 = remaining.base; /* * Reset iterator state. */ rdataset->privateuint4 = 0; rdataset->private5 = NULL; rdataset->private6 = NULL; return (ISC_R_SUCCESS); } void dns_ncache_current(dns_rdataset_t *ncacherdataset, dns_name_t *found, dns_rdataset_t *rdataset) { dns_rdata_t rdata = DNS_RDATA_INIT; isc_region_t remaining, sigregion; isc_buffer_t source; dns_name_t tname; dns_rdatatype_t type; unsigned int count; dns_rdata_rrsig_t rrsig; unsigned char *raw; REQUIRE(ncacherdataset != NULL); REQUIRE(ncacherdataset->type == 0); REQUIRE(found != NULL); REQUIRE(!dns_rdataset_isassociated(rdataset)); dns_rdataset_current(ncacherdataset, &rdata); isc_buffer_init(&source, rdata.data, rdata.length); isc_buffer_add(&source, rdata.length); dns_name_init(&tname, NULL); isc_buffer_remainingregion(&source, &remaining); dns_name_fromregion(found, &remaining); INSIST(remaining.length >= found->length); isc_buffer_forward(&source, found->length); remaining.length -= found->length; INSIST(remaining.length >= 4); type = isc_buffer_getuint16(&source); isc_buffer_remainingregion(&source, &remaining); rdataset->methods = &rdataset_methods; rdataset->rdclass = ncacherdataset->rdclass; rdataset->type = type; if (type == dns_rdatatype_rrsig) { /* * Extract covers from RRSIG. */ raw = remaining.base; count = raw[0] * 256 + raw[1]; INSIST(count > 0); raw += 2; sigregion.length = raw[0] * 256 + raw[1]; raw += 2; sigregion.base = raw; dns_rdata_reset(&rdata); dns_rdata_fromregion(&rdata, rdataset->rdclass, rdataset->type, &sigregion); (void)dns_rdata_tostruct(&rdata, &rrsig, NULL); rdataset->covers = rrsig.covered; } else rdataset->covers = 0; rdataset->ttl = ncacherdataset->ttl; rdataset->trust = ncacherdataset->trust; rdataset->private1 = NULL; rdataset->private2 = NULL; rdataset->private3 = remaining.base; /* * Reset iterator state. */ rdataset->privateuint4 = 0; rdataset->private5 = NULL; rdataset->private6 = NULL; } Index: head/contrib/bind9/lib/dns/rbtdb.c =================================================================== --- head/contrib/bind9/lib/dns/rbtdb.c (revision 205291) +++ head/contrib/bind9/lib/dns/rbtdb.c (revision 205292) @@ -1,8590 +1,8622 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbtdb.c,v 1.270.12.16 2009/12/30 08:34:30 jinmei Exp $ */ +/* $Id: rbtdb.c,v 1.270.12.16.8.3 2010/02/26 00:24:39 marka Exp $ */ /*! \file */ /* * Principal Author: Bob Halley */ #include /* #define inline */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifdef DNS_RBTDB_VERSION64 #include "rbtdb64.h" #else #include "rbtdb.h" #endif #ifdef DNS_RBTDB_VERSION64 #define RBTDB_MAGIC ISC_MAGIC('R', 'B', 'D', '8') #else #define RBTDB_MAGIC ISC_MAGIC('R', 'B', 'D', '4') #endif /*% * Note that "impmagic" is not the first four bytes of the struct, so * ISC_MAGIC_VALID cannot be used. */ #define VALID_RBTDB(rbtdb) ((rbtdb) != NULL && \ (rbtdb)->common.impmagic == RBTDB_MAGIC) #ifdef DNS_RBTDB_VERSION64 typedef isc_uint64_t rbtdb_serial_t; /*% * Make casting easier in symbolic debuggers by using different names * for the 64 bit version. */ #define dns_rbtdb_t dns_rbtdb64_t #define rdatasetheader_t rdatasetheader64_t #define rbtdb_version_t rbtdb_version64_t #else typedef isc_uint32_t rbtdb_serial_t; #endif typedef isc_uint32_t rbtdb_rdatatype_t; #define RBTDB_RDATATYPE_BASE(type) ((dns_rdatatype_t)((type) & 0xFFFF)) #define RBTDB_RDATATYPE_EXT(type) ((dns_rdatatype_t)((type) >> 16)) #define RBTDB_RDATATYPE_VALUE(b, e) ((rbtdb_rdatatype_t)((e) << 16) | (b)) #define RBTDB_RDATATYPE_SIGNSEC \ RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec) #define RBTDB_RDATATYPE_SIGNSEC3 \ RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec3) #define RBTDB_RDATATYPE_SIGNS \ RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ns) #define RBTDB_RDATATYPE_SIGCNAME \ RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_cname) #define RBTDB_RDATATYPE_SIGDNAME \ RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dname) #define RBTDB_RDATATYPE_NCACHEANY \ RBTDB_RDATATYPE_VALUE(0, dns_rdatatype_any) /* * We use rwlock for DB lock only when ISC_RWLOCK_USEATOMIC is non 0. * Using rwlock is effective with regard to lookup performance only when * it is implemented in an efficient way. * Otherwise, it is generally wise to stick to the simple locking since rwlock * would require more memory or can even make lookups slower due to its own * overhead (when it internally calls mutex locks). */ #ifdef ISC_RWLOCK_USEATOMIC #define DNS_RBTDB_USERWLOCK 1 #else #define DNS_RBTDB_USERWLOCK 0 #endif #if DNS_RBTDB_USERWLOCK #define RBTDB_INITLOCK(l) isc_rwlock_init((l), 0, 0) #define RBTDB_DESTROYLOCK(l) isc_rwlock_destroy(l) #define RBTDB_LOCK(l, t) RWLOCK((l), (t)) #define RBTDB_UNLOCK(l, t) RWUNLOCK((l), (t)) #else #define RBTDB_INITLOCK(l) isc_mutex_init(l) #define RBTDB_DESTROYLOCK(l) DESTROYLOCK(l) #define RBTDB_LOCK(l, t) LOCK(l) #define RBTDB_UNLOCK(l, t) UNLOCK(l) #endif /* * Since node locking is sensitive to both performance and memory footprint, * we need some trick here. If we have both high-performance rwlock and * high performance and small-memory reference counters, we use rwlock for * node lock and isc_refcount for node references. In this case, we don't have * to protect the access to the counters by locks. * Otherwise, we simply use ordinary mutex lock for node locking, and use * simple integers as reference counters which is protected by the lock. * In most cases, we can simply use wrapper macros such as NODE_LOCK and * NODE_UNLOCK. In some other cases, however, we need to protect reference * counters first and then protect other parts of a node as read-only data. * Special additional macros, NODE_STRONGLOCK(), NODE_WEAKLOCK(), etc, are also * provided for these special cases. When we can use the efficient backend * routines, we should only protect the "other members" by NODE_WEAKLOCK(read). * Otherwise, we should use NODE_STRONGLOCK() to protect the entire critical * section including the access to the reference counter. * Note that we cannot use NODE_LOCK()/NODE_UNLOCK() wherever the protected * section is also protected by NODE_STRONGLOCK(). */ #if defined(ISC_RWLOCK_USEATOMIC) && defined(DNS_RBT_USEISCREFCOUNT) typedef isc_rwlock_t nodelock_t; #define NODE_INITLOCK(l) isc_rwlock_init((l), 0, 0) #define NODE_DESTROYLOCK(l) isc_rwlock_destroy(l) #define NODE_LOCK(l, t) RWLOCK((l), (t)) #define NODE_UNLOCK(l, t) RWUNLOCK((l), (t)) #define NODE_TRYUPGRADE(l) isc_rwlock_tryupgrade(l) #define NODE_STRONGLOCK(l) ((void)0) #define NODE_STRONGUNLOCK(l) ((void)0) #define NODE_WEAKLOCK(l, t) NODE_LOCK(l, t) #define NODE_WEAKUNLOCK(l, t) NODE_UNLOCK(l, t) #define NODE_WEAKDOWNGRADE(l) isc_rwlock_downgrade(l) #else typedef isc_mutex_t nodelock_t; #define NODE_INITLOCK(l) isc_mutex_init(l) #define NODE_DESTROYLOCK(l) DESTROYLOCK(l) #define NODE_LOCK(l, t) LOCK(l) #define NODE_UNLOCK(l, t) UNLOCK(l) #define NODE_TRYUPGRADE(l) ISC_R_SUCCESS #define NODE_STRONGLOCK(l) LOCK(l) #define NODE_STRONGUNLOCK(l) UNLOCK(l) #define NODE_WEAKLOCK(l, t) ((void)0) #define NODE_WEAKUNLOCK(l, t) ((void)0) #define NODE_WEAKDOWNGRADE(l) ((void)0) #endif /*% * Whether to rate-limit updating the LRU to avoid possible thread contention. * Our performance measurement has shown the cost is marginal, so it's defined * to be 0 by default either with or without threads. */ #ifndef DNS_RBTDB_LIMITLRUUPDATE #define DNS_RBTDB_LIMITLRUUPDATE 0 #endif /* * Allow clients with a virtual time of up to 5 minutes in the past to see * records that would have otherwise have expired. */ #define RBTDB_VIRTUAL 300 struct noqname { dns_name_t name; void * neg; void * negsig; dns_rdatatype_t type; }; typedef struct acachectl acachectl_t; typedef struct rdatasetheader { /*% * Locked by the owning node's lock. */ rbtdb_serial_t serial; dns_ttl_t rdh_ttl; rbtdb_rdatatype_t type; isc_uint16_t attributes; dns_trust_t trust; struct noqname *noqname; struct noqname *closest; /*%< * We don't use the LIST macros, because the LIST structure has * both head and tail pointers, and is doubly linked. */ struct rdatasetheader *next; /*%< * If this is the top header for an rdataset, 'next' points * to the top header for the next rdataset (i.e., the next type). * Otherwise, it points up to the header whose down pointer points * at this header. */ struct rdatasetheader *down; /*%< * Points to the header for the next older version of * this rdataset. */ isc_uint32_t count; /*%< * Monotonously increased every time this rdataset is bound so that * it is used as the base of the starting point in DNS responses * when the "cyclic" rrset-order is required. Since the ordering * should not be so crucial, no lock is set for the counter for * performance reasons. */ acachectl_t *additional_auth; acachectl_t *additional_glue; dns_rbtnode_t *node; isc_stdtime_t last_used; ISC_LINK(struct rdatasetheader) link; unsigned int heap_index; /*%< * Used for TTL-based cache cleaning. */ isc_stdtime_t resign; } rdatasetheader_t; typedef ISC_LIST(rdatasetheader_t) rdatasetheaderlist_t; typedef ISC_LIST(dns_rbtnode_t) rbtnodelist_t; #define RDATASET_ATTR_NONEXISTENT 0x0001 #define RDATASET_ATTR_STALE 0x0002 #define RDATASET_ATTR_IGNORE 0x0004 #define RDATASET_ATTR_RETAIN 0x0008 #define RDATASET_ATTR_NXDOMAIN 0x0010 #define RDATASET_ATTR_RESIGN 0x0020 #define RDATASET_ATTR_STATCOUNT 0x0040 #define RDATASET_ATTR_OPTOUT 0x0080 typedef struct acache_cbarg { dns_rdatasetadditional_t type; unsigned int count; dns_db_t *db; dns_dbnode_t *node; rdatasetheader_t *header; } acache_cbarg_t; struct acachectl { dns_acacheentry_t *entry; acache_cbarg_t *cbarg; }; /* * XXX * When the cache will pre-expire data (due to memory low or other * situations) before the rdataset's TTL has expired, it MUST * respect the RETAIN bit and not expire the data until its TTL is * expired. */ #undef IGNORE /* WIN32 winbase.h defines this. */ #define EXISTS(header) \ (((header)->attributes & RDATASET_ATTR_NONEXISTENT) == 0) #define NONEXISTENT(header) \ (((header)->attributes & RDATASET_ATTR_NONEXISTENT) != 0) #define IGNORE(header) \ (((header)->attributes & RDATASET_ATTR_IGNORE) != 0) #define RETAIN(header) \ (((header)->attributes & RDATASET_ATTR_RETAIN) != 0) #define NXDOMAIN(header) \ (((header)->attributes & RDATASET_ATTR_NXDOMAIN) != 0) #define RESIGN(header) \ (((header)->attributes & RDATASET_ATTR_RESIGN) != 0) #define OPTOUT(header) \ (((header)->attributes & RDATASET_ATTR_OPTOUT) != 0) #define DEFAULT_NODE_LOCK_COUNT 7 /*%< Should be prime. */ /*% * Number of buckets for cache DB entries (locks, LRU lists, TTL heaps). * There is a tradeoff issue about configuring this value: if this is too * small, it may cause heavier contention between threads; if this is too large, * LRU purge algorithm won't work well (entries tend to be purged prematurely). * The default value should work well for most environments, but this can * also be configurable at compilation time via the * DNS_RBTDB_CACHE_NODE_LOCK_COUNT variable. This value must be larger than * 1 due to the assumption of overmem_purge(). */ #ifdef DNS_RBTDB_CACHE_NODE_LOCK_COUNT #if DNS_RBTDB_CACHE_NODE_LOCK_COUNT <= 1 #error "DNS_RBTDB_CACHE_NODE_LOCK_COUNT must be larger than 1" #else #define DEFAULT_CACHE_NODE_LOCK_COUNT DNS_RBTDB_CACHE_NODE_LOCK_COUNT #endif #else #define DEFAULT_CACHE_NODE_LOCK_COUNT 16 #endif /* DNS_RBTDB_CACHE_NODE_LOCK_COUNT */ typedef struct { nodelock_t lock; /* Protected in the refcount routines. */ isc_refcount_t references; /* Locked by lock. */ isc_boolean_t exiting; } rbtdb_nodelock_t; typedef struct rbtdb_changed { dns_rbtnode_t * node; isc_boolean_t dirty; ISC_LINK(struct rbtdb_changed) link; } rbtdb_changed_t; typedef ISC_LIST(rbtdb_changed_t) rbtdb_changedlist_t; typedef enum { dns_db_insecure, dns_db_partial, dns_db_secure } dns_db_secure_t; typedef struct rbtdb_version { /* Not locked */ rbtdb_serial_t serial; /* * Protected in the refcount routines. * XXXJT: should we change the lock policy based on the refcount * performance? */ isc_refcount_t references; /* Locked by database lock. */ isc_boolean_t writer; isc_boolean_t commit_ok; rbtdb_changedlist_t changed_list; rdatasetheaderlist_t resigned_list; ISC_LINK(struct rbtdb_version) link; dns_db_secure_t secure; isc_boolean_t havensec3; /* NSEC3 parameters */ dns_hash_t hash; isc_uint8_t flags; isc_uint16_t iterations; isc_uint8_t salt_length; unsigned char salt[DNS_NSEC3_SALTSIZE]; } rbtdb_version_t; typedef ISC_LIST(rbtdb_version_t) rbtdb_versionlist_t; typedef struct { /* Unlocked. */ dns_db_t common; #if DNS_RBTDB_USERWLOCK isc_rwlock_t lock; #else isc_mutex_t lock; #endif isc_rwlock_t tree_lock; unsigned int node_lock_count; rbtdb_nodelock_t * node_locks; dns_rbtnode_t * origin_node; dns_stats_t * rrsetstats; /* cache DB only */ /* Locked by lock. */ unsigned int active; isc_refcount_t references; unsigned int attributes; rbtdb_serial_t current_serial; rbtdb_serial_t least_serial; rbtdb_serial_t next_serial; rbtdb_version_t * current_version; rbtdb_version_t * future_version; rbtdb_versionlist_t open_versions; isc_boolean_t overmem; isc_task_t * task; dns_dbnode_t *soanode; dns_dbnode_t *nsnode; /* * This is a linked list used to implement the LRU cache. There will * be node_lock_count linked lists here. Nodes in bucket 1 will be * placed on the linked list rdatasets[1]. */ rdatasetheaderlist_t *rdatasets; /*% * Temporary storage for stale cache nodes and dynamically deleted * nodes that await being cleaned up. */ rbtnodelist_t *deadnodes; /* * Heaps. Each of these is used for TTL based expiry. */ isc_heap_t **heaps; /* Locked by tree_lock. */ dns_rbt_t * tree; dns_rbt_t * nsec3; /* Unlocked */ unsigned int quantum; } dns_rbtdb_t; #define RBTDB_ATTR_LOADED 0x01 #define RBTDB_ATTR_LOADING 0x02 /*% * Search Context */ typedef struct { dns_rbtdb_t * rbtdb; rbtdb_version_t * rbtversion; rbtdb_serial_t serial; unsigned int options; dns_rbtnodechain_t chain; isc_boolean_t copy_name; isc_boolean_t need_cleanup; isc_boolean_t wild; dns_rbtnode_t * zonecut; rdatasetheader_t * zonecut_rdataset; rdatasetheader_t * zonecut_sigrdataset; dns_fixedname_t zonecut_name; isc_stdtime_t now; } rbtdb_search_t; /*% * Load Context */ typedef struct { dns_rbtdb_t * rbtdb; isc_stdtime_t now; } rbtdb_load_t; static void rdataset_disassociate(dns_rdataset_t *rdataset); static isc_result_t rdataset_first(dns_rdataset_t *rdataset); static isc_result_t rdataset_next(dns_rdataset_t *rdataset); static void rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata); static void rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target); static unsigned int rdataset_count(dns_rdataset_t *rdataset); static isc_result_t rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name, dns_rdataset_t *neg, dns_rdataset_t *negsig); static isc_result_t rdataset_getclosest(dns_rdataset_t *rdataset, dns_name_t *name, dns_rdataset_t *neg, dns_rdataset_t *negsig); static isc_result_t rdataset_getadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type, dns_rdatatype_t qtype, dns_acache_t *acache, dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp, dns_dbnode_t **nodep, dns_name_t *fname, dns_message_t *msg, isc_stdtime_t now); static isc_result_t rdataset_setadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type, dns_rdatatype_t qtype, dns_acache_t *acache, dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node, dns_name_t *fname); static isc_result_t rdataset_putadditional(dns_acache_t *acache, dns_rdataset_t *rdataset, dns_rdatasetadditional_t type, dns_rdatatype_t qtype); static inline isc_boolean_t need_headerupdate(rdatasetheader_t *header, isc_stdtime_t now); static void update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, isc_stdtime_t now); static void expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, isc_boolean_t tree_locked); static void overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, isc_stdtime_t now, isc_boolean_t tree_locked); static isc_result_t resign_insert(dns_rbtdb_t *rbtdb, int idx, rdatasetheader_t *newheader); static void prune_tree(isc_task_t *task, isc_event_t *event); +static void rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust); +static void rdataset_expire(dns_rdataset_t *rdataset); static dns_rdatasetmethods_t rdataset_methods = { rdataset_disassociate, rdataset_first, rdataset_next, rdataset_current, rdataset_clone, rdataset_count, NULL, rdataset_getnoqname, NULL, rdataset_getclosest, rdataset_getadditional, rdataset_setadditional, - rdataset_putadditional + rdataset_putadditional, + rdataset_settrust, + rdataset_expire }; static void rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp); static isc_result_t rdatasetiter_first(dns_rdatasetiter_t *iterator); static isc_result_t rdatasetiter_next(dns_rdatasetiter_t *iterator); static void rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset); static dns_rdatasetitermethods_t rdatasetiter_methods = { rdatasetiter_destroy, rdatasetiter_first, rdatasetiter_next, rdatasetiter_current }; typedef struct rbtdb_rdatasetiter { dns_rdatasetiter_t common; rdatasetheader_t * current; } rbtdb_rdatasetiter_t; static void dbiterator_destroy(dns_dbiterator_t **iteratorp); static isc_result_t dbiterator_first(dns_dbiterator_t *iterator); static isc_result_t dbiterator_last(dns_dbiterator_t *iterator); static isc_result_t dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name); static isc_result_t dbiterator_prev(dns_dbiterator_t *iterator); static isc_result_t dbiterator_next(dns_dbiterator_t *iterator); static isc_result_t dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep, dns_name_t *name); static isc_result_t dbiterator_pause(dns_dbiterator_t *iterator); static isc_result_t dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name); static dns_dbiteratormethods_t dbiterator_methods = { dbiterator_destroy, dbiterator_first, dbiterator_last, dbiterator_seek, dbiterator_prev, dbiterator_next, dbiterator_current, dbiterator_pause, dbiterator_origin }; #define DELETION_BATCH_MAX 64 /* * If 'paused' is ISC_TRUE, then the tree lock is not being held. */ typedef struct rbtdb_dbiterator { dns_dbiterator_t common; isc_boolean_t paused; isc_boolean_t new_origin; isc_rwlocktype_t tree_locked; isc_result_t result; dns_fixedname_t name; dns_fixedname_t origin; dns_rbtnodechain_t chain; dns_rbtnodechain_t nsec3chain; dns_rbtnodechain_t *current; dns_rbtnode_t *node; dns_rbtnode_t *deletions[DELETION_BATCH_MAX]; int delete; isc_boolean_t nsec3only; isc_boolean_t nonsec3; } rbtdb_dbiterator_t; #define IS_STUB(rbtdb) (((rbtdb)->common.attributes & DNS_DBATTR_STUB) != 0) #define IS_CACHE(rbtdb) (((rbtdb)->common.attributes & DNS_DBATTR_CACHE) != 0) static void free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event); static void overmem(dns_db_t *db, isc_boolean_t overmem); static void setnsec3parameters(dns_db_t *db, rbtdb_version_t *version, isc_boolean_t *nsec3createflag); /*% * 'init_count' is used to initialize 'newheader->count' which inturn * is used to determine where in the cycle rrset-order cyclic starts. * We don't lock this as we don't care about simultaneous updates. * * Note: * Both init_count and header->count can be ISC_UINT32_MAX. * The count on the returned rdataset however can't be as * that indicates that the database does not implement cyclic * processing. */ static unsigned int init_count; /* * Locking * * If a routine is going to lock more than one lock in this module, then * the locking must be done in the following order: * * Tree Lock * * Node Lock (Only one from the set may be locked at one time by * any caller) * * Database Lock * * Failure to follow this hierarchy can result in deadlock. */ /* * Deleting Nodes * * For zone databases the node for the origin of the zone MUST NOT be deleted. */ /* * DB Routines */ static void attach(dns_db_t *source, dns_db_t **targetp) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)source; REQUIRE(VALID_RBTDB(rbtdb)); isc_refcount_increment(&rbtdb->references, NULL); *targetp = source; } static void free_rbtdb_callback(isc_task_t *task, isc_event_t *event) { dns_rbtdb_t *rbtdb = event->ev_arg; UNUSED(task); free_rbtdb(rbtdb, ISC_TRUE, event); } static void update_rrsetstats(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, isc_boolean_t increment) { dns_rdatastatstype_t statattributes = 0; dns_rdatastatstype_t base = 0; dns_rdatastatstype_t type; /* At the moment we count statistics only for cache DB */ INSIST(IS_CACHE(rbtdb)); if (NXDOMAIN(header)) statattributes = DNS_RDATASTATSTYPE_ATTR_NXDOMAIN; else if (RBTDB_RDATATYPE_BASE(header->type) == 0) { statattributes = DNS_RDATASTATSTYPE_ATTR_NXRRSET; base = RBTDB_RDATATYPE_EXT(header->type); } else base = RBTDB_RDATATYPE_BASE(header->type); type = DNS_RDATASTATSTYPE_VALUE(base, statattributes); if (increment) dns_rdatasetstats_increment(rbtdb->rrsetstats, type); else dns_rdatasetstats_decrement(rbtdb->rrsetstats, type); } static void set_ttl(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, dns_ttl_t newttl) { int idx; isc_heap_t *heap; dns_ttl_t oldttl; oldttl = header->rdh_ttl; header->rdh_ttl = newttl; if (!IS_CACHE(rbtdb)) return; /* * It's possible the rbtdb is not a cache. If this is the case, * we will not have a heap, and we move on. If we do, though, * we might need to adjust things. */ if (header->heap_index == 0 || newttl == oldttl) return; idx = header->node->locknum; if (rbtdb->heaps == NULL || rbtdb->heaps[idx] == NULL) return; heap = rbtdb->heaps[idx]; if (newttl < oldttl) isc_heap_increased(heap, header->heap_index); else isc_heap_decreased(heap, header->heap_index); } /*% * These functions allow the heap code to rank the priority of each * element. It returns ISC_TRUE if v1 happens "sooner" than v2. */ static isc_boolean_t ttl_sooner(void *v1, void *v2) { rdatasetheader_t *h1 = v1; rdatasetheader_t *h2 = v2; if (h1->rdh_ttl < h2->rdh_ttl) return (ISC_TRUE); return (ISC_FALSE); } static isc_boolean_t resign_sooner(void *v1, void *v2) { rdatasetheader_t *h1 = v1; rdatasetheader_t *h2 = v2; if (h1->resign < h2->resign) return (ISC_TRUE); return (ISC_FALSE); } /*% * This function sets the heap index into the header. */ static void set_index(void *what, unsigned int index) { rdatasetheader_t *h = what; h->heap_index = index; } /*% * Work out how many nodes can be deleted in the time between two * requests to the nameserver. Smooth the resulting number and use it * as a estimate for the number of nodes to be deleted in the next * iteration. */ static unsigned int adjust_quantum(unsigned int old, isc_time_t *start) { unsigned int pps = dns_pps; /* packets per second */ unsigned int interval; isc_uint64_t usecs; isc_time_t end; unsigned int new; if (pps < 100) pps = 100; isc_time_now(&end); interval = 1000000 / pps; /* interval in usec */ if (interval == 0) interval = 1; usecs = isc_time_microdiff(&end, start); if (usecs == 0) { /* * We were unable to measure the amount of time taken. * Double the nodes deleted next time. */ old *= 2; if (old > 1000) old = 1000; return (old); } new = old * interval; new /= (unsigned int)usecs; if (new == 0) new = 1; else if (new > 1000) new = 1000; /* Smooth */ new = (new + old * 3) / 4; isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1), "adjust_quantum -> %d", new); return (new); } static void free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event) { unsigned int i; isc_ondestroy_t ondest; isc_result_t result; char buf[DNS_NAME_FORMATSIZE]; isc_time_t start; if (IS_CACHE(rbtdb) && rbtdb->common.rdclass == dns_rdataclass_in) overmem((dns_db_t *)rbtdb, (isc_boolean_t)-1); REQUIRE(rbtdb->current_version != NULL || EMPTY(rbtdb->open_versions)); REQUIRE(rbtdb->future_version == NULL); if (rbtdb->current_version != NULL) { unsigned int refs; isc_refcount_decrement(&rbtdb->current_version->references, &refs); INSIST(refs == 0); UNLINK(rbtdb->open_versions, rbtdb->current_version, link); isc_refcount_destroy(&rbtdb->current_version->references); isc_mem_put(rbtdb->common.mctx, rbtdb->current_version, sizeof(rbtdb_version_t)); } /* * We assume the number of remaining dead nodes is reasonably small; * the overhead of unlinking all nodes here should be negligible. */ for (i = 0; i < rbtdb->node_lock_count; i++) { dns_rbtnode_t *node; node = ISC_LIST_HEAD(rbtdb->deadnodes[i]); while (node != NULL) { ISC_LIST_UNLINK(rbtdb->deadnodes[i], node, deadlink); node = ISC_LIST_HEAD(rbtdb->deadnodes[i]); } } if (event == NULL) rbtdb->quantum = (rbtdb->task != NULL) ? 100 : 0; again: if (rbtdb->tree != NULL) { isc_time_now(&start); result = dns_rbt_destroy2(&rbtdb->tree, rbtdb->quantum); if (result == ISC_R_QUOTA) { INSIST(rbtdb->task != NULL); if (rbtdb->quantum != 0) rbtdb->quantum = adjust_quantum(rbtdb->quantum, &start); if (event == NULL) event = isc_event_allocate(rbtdb->common.mctx, NULL, DNS_EVENT_FREESTORAGE, free_rbtdb_callback, rbtdb, sizeof(isc_event_t)); if (event == NULL) goto again; isc_task_send(rbtdb->task, &event); return; } INSIST(result == ISC_R_SUCCESS && rbtdb->tree == NULL); } if (rbtdb->nsec3 != NULL) { isc_time_now(&start); result = dns_rbt_destroy2(&rbtdb->nsec3, rbtdb->quantum); if (result == ISC_R_QUOTA) { INSIST(rbtdb->task != NULL); if (rbtdb->quantum != 0) rbtdb->quantum = adjust_quantum(rbtdb->quantum, &start); if (event == NULL) event = isc_event_allocate(rbtdb->common.mctx, NULL, DNS_EVENT_FREESTORAGE, free_rbtdb_callback, rbtdb, sizeof(isc_event_t)); if (event == NULL) goto again; isc_task_send(rbtdb->task, &event); return; } INSIST(result == ISC_R_SUCCESS && rbtdb->nsec3 == NULL); } if (event != NULL) isc_event_free(&event); if (log) { if (dns_name_dynamic(&rbtdb->common.origin)) dns_name_format(&rbtdb->common.origin, buf, sizeof(buf)); else strcpy(buf, ""); isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1), "done free_rbtdb(%s)", buf); } if (dns_name_dynamic(&rbtdb->common.origin)) dns_name_free(&rbtdb->common.origin, rbtdb->common.mctx); for (i = 0; i < rbtdb->node_lock_count; i++) { isc_refcount_destroy(&rbtdb->node_locks[i].references); NODE_DESTROYLOCK(&rbtdb->node_locks[i].lock); } /* * Clean up LRU / re-signing order lists. */ if (rbtdb->rdatasets != NULL) { for (i = 0; i < rbtdb->node_lock_count; i++) INSIST(ISC_LIST_EMPTY(rbtdb->rdatasets[i])); isc_mem_put(rbtdb->common.mctx, rbtdb->rdatasets, rbtdb->node_lock_count * sizeof(rdatasetheaderlist_t)); } /* * Clean up dead node buckets. */ if (rbtdb->deadnodes != NULL) { for (i = 0; i < rbtdb->node_lock_count; i++) INSIST(ISC_LIST_EMPTY(rbtdb->deadnodes[i])); isc_mem_put(rbtdb->common.mctx, rbtdb->deadnodes, rbtdb->node_lock_count * sizeof(rbtnodelist_t)); } /* * Clean up heap objects. */ if (rbtdb->heaps != NULL) { for (i = 0; i < rbtdb->node_lock_count; i++) isc_heap_destroy(&rbtdb->heaps[i]); isc_mem_put(rbtdb->common.mctx, rbtdb->heaps, rbtdb->node_lock_count * sizeof(isc_heap_t *)); } if (rbtdb->rrsetstats != NULL) dns_stats_detach(&rbtdb->rrsetstats); isc_mem_put(rbtdb->common.mctx, rbtdb->node_locks, rbtdb->node_lock_count * sizeof(rbtdb_nodelock_t)); isc_rwlock_destroy(&rbtdb->tree_lock); isc_refcount_destroy(&rbtdb->references); if (rbtdb->task != NULL) isc_task_detach(&rbtdb->task); RBTDB_DESTROYLOCK(&rbtdb->lock); rbtdb->common.magic = 0; rbtdb->common.impmagic = 0; ondest = rbtdb->common.ondest; isc_mem_putanddetach(&rbtdb->common.mctx, rbtdb, sizeof(*rbtdb)); isc_ondestroy_notify(&ondest, rbtdb); } static inline void maybe_free_rbtdb(dns_rbtdb_t *rbtdb) { isc_boolean_t want_free = ISC_FALSE; unsigned int i; unsigned int inactive = 0; /* XXX check for open versions here */ if (rbtdb->soanode != NULL) dns_db_detachnode((dns_db_t *)rbtdb, &rbtdb->soanode); if (rbtdb->nsnode != NULL) dns_db_detachnode((dns_db_t *)rbtdb, &rbtdb->nsnode); /* * Even though there are no external direct references, there still * may be nodes in use. */ for (i = 0; i < rbtdb->node_lock_count; i++) { NODE_LOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_write); rbtdb->node_locks[i].exiting = ISC_TRUE; NODE_UNLOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_write); if (isc_refcount_current(&rbtdb->node_locks[i].references) == 0) { inactive++; } } if (inactive != 0) { RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write); rbtdb->active -= inactive; if (rbtdb->active == 0) want_free = ISC_TRUE; RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write); if (want_free) { char buf[DNS_NAME_FORMATSIZE]; if (dns_name_dynamic(&rbtdb->common.origin)) dns_name_format(&rbtdb->common.origin, buf, sizeof(buf)); else strcpy(buf, ""); isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1), "calling free_rbtdb(%s)", buf); free_rbtdb(rbtdb, ISC_TRUE, NULL); } } } static void detach(dns_db_t **dbp) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)(*dbp); unsigned int refs; REQUIRE(VALID_RBTDB(rbtdb)); isc_refcount_decrement(&rbtdb->references, &refs); if (refs == 0) maybe_free_rbtdb(rbtdb); *dbp = NULL; } static void currentversion(dns_db_t *db, dns_dbversion_t **versionp) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; rbtdb_version_t *version; unsigned int refs; REQUIRE(VALID_RBTDB(rbtdb)); RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_read); version = rbtdb->current_version; isc_refcount_increment(&version->references, &refs); RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_read); *versionp = (dns_dbversion_t *)version; } static inline rbtdb_version_t * allocate_version(isc_mem_t *mctx, rbtdb_serial_t serial, unsigned int references, isc_boolean_t writer) { isc_result_t result; rbtdb_version_t *version; version = isc_mem_get(mctx, sizeof(*version)); if (version == NULL) return (NULL); version->serial = serial; result = isc_refcount_init(&version->references, references); if (result != ISC_R_SUCCESS) { isc_mem_put(mctx, version, sizeof(*version)); return (NULL); } version->writer = writer; version->commit_ok = ISC_FALSE; ISC_LIST_INIT(version->changed_list); ISC_LIST_INIT(version->resigned_list); ISC_LINK_INIT(version, link); return (version); } static isc_result_t newversion(dns_db_t *db, dns_dbversion_t **versionp) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; rbtdb_version_t *version; REQUIRE(VALID_RBTDB(rbtdb)); REQUIRE(versionp != NULL && *versionp == NULL); REQUIRE(rbtdb->future_version == NULL); RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write); RUNTIME_CHECK(rbtdb->next_serial != 0); /* XXX Error? */ version = allocate_version(rbtdb->common.mctx, rbtdb->next_serial, 1, ISC_TRUE); if (version != NULL) { version->commit_ok = ISC_TRUE; version->secure = rbtdb->current_version->secure; version->havensec3 = rbtdb->current_version->havensec3; if (version->havensec3) { version->flags = rbtdb->current_version->flags; version->iterations = rbtdb->current_version->iterations; version->hash = rbtdb->current_version->hash; version->salt_length = rbtdb->current_version->salt_length; memcpy(version->salt, rbtdb->current_version->salt, version->salt_length); } else { version->flags = 0; version->iterations = 0; version->hash = 0; version->salt_length = 0; memset(version->salt, 0, sizeof(version->salt)); } rbtdb->next_serial++; rbtdb->future_version = version; } RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write); if (version == NULL) return (ISC_R_NOMEMORY); *versionp = version; return (ISC_R_SUCCESS); } static void attachversion(dns_db_t *db, dns_dbversion_t *source, dns_dbversion_t **targetp) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; rbtdb_version_t *rbtversion = source; unsigned int refs; REQUIRE(VALID_RBTDB(rbtdb)); isc_refcount_increment(&rbtversion->references, &refs); INSIST(refs > 1); *targetp = rbtversion; } static rbtdb_changed_t * add_changed(dns_rbtdb_t *rbtdb, rbtdb_version_t *version, dns_rbtnode_t *node) { rbtdb_changed_t *changed; unsigned int refs; /* * Caller must be holding the node lock if its reference must be * protected by the lock. */ changed = isc_mem_get(rbtdb->common.mctx, sizeof(*changed)); RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write); REQUIRE(version->writer); if (changed != NULL) { dns_rbtnode_refincrement(node, &refs); INSIST(refs != 0); changed->node = node; changed->dirty = ISC_FALSE; ISC_LIST_INITANDAPPEND(version->changed_list, changed, link); } else version->commit_ok = ISC_FALSE; RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write); return (changed); } static void free_acachearray(isc_mem_t *mctx, rdatasetheader_t *header, acachectl_t *array) { unsigned int count; unsigned int i; unsigned char *raw; /* RDATASLAB */ /* * The caller must be holding the corresponding node lock. */ if (array == NULL) return; raw = (unsigned char *)header + sizeof(*header); count = raw[0] * 256 + raw[1]; /* * Sanity check: since an additional cache entry has a reference to * the original DB node (in the callback arg), there should be no * acache entries when the node can be freed. */ for (i = 0; i < count; i++) INSIST(array[i].entry == NULL && array[i].cbarg == NULL); isc_mem_put(mctx, array, count * sizeof(acachectl_t)); } static inline void free_noqname(isc_mem_t *mctx, struct noqname **noqname) { if (dns_name_dynamic(&(*noqname)->name)) dns_name_free(&(*noqname)->name, mctx); if ((*noqname)->neg != NULL) isc_mem_put(mctx, (*noqname)->neg, dns_rdataslab_size((*noqname)->neg, 0)); if ((*noqname)->negsig != NULL) isc_mem_put(mctx, (*noqname)->negsig, dns_rdataslab_size((*noqname)->negsig, 0)); isc_mem_put(mctx, *noqname, sizeof(**noqname)); *noqname = NULL; } static inline void init_rdataset(dns_rbtdb_t *rbtdb, rdatasetheader_t *h) { ISC_LINK_INIT(h, link); h->heap_index = 0; #if TRACE_HEADER if (IS_CACHE(rbtdb) && rbtdb->common.rdclass == dns_rdataclass_in) fprintf(stderr, "initialized header: %p\n", h); #else UNUSED(rbtdb); #endif } static inline rdatasetheader_t * new_rdataset(dns_rbtdb_t *rbtdb, isc_mem_t *mctx) { rdatasetheader_t *h; h = isc_mem_get(mctx, sizeof(*h)); if (h == NULL) return (NULL); #if TRACE_HEADER if (IS_CACHE(rbtdb) && rbtdb->common.rdclass == dns_rdataclass_in) fprintf(stderr, "allocated header: %p\n", h); #endif init_rdataset(rbtdb, h); return (h); } static inline void free_rdataset(dns_rbtdb_t *rbtdb, isc_mem_t *mctx, rdatasetheader_t *rdataset) { unsigned int size; int idx; if (EXISTS(rdataset) && (rdataset->attributes & RDATASET_ATTR_STATCOUNT) != 0) { update_rrsetstats(rbtdb, rdataset, ISC_FALSE); } idx = rdataset->node->locknum; if (ISC_LINK_LINKED(rdataset, link)) { INSIST(IS_CACHE(rbtdb)); ISC_LIST_UNLINK(rbtdb->rdatasets[idx], rdataset, link); } if (rdataset->heap_index != 0) isc_heap_delete(rbtdb->heaps[idx], rdataset->heap_index); rdataset->heap_index = 0; if (rdataset->noqname != NULL) free_noqname(mctx, &rdataset->noqname); if (rdataset->closest != NULL) free_noqname(mctx, &rdataset->closest); free_acachearray(mctx, rdataset, rdataset->additional_auth); free_acachearray(mctx, rdataset, rdataset->additional_glue); if ((rdataset->attributes & RDATASET_ATTR_NONEXISTENT) != 0) size = sizeof(*rdataset); else size = dns_rdataslab_size((unsigned char *)rdataset, sizeof(*rdataset)); isc_mem_put(mctx, rdataset, size); } static inline void rollback_node(dns_rbtnode_t *node, rbtdb_serial_t serial) { rdatasetheader_t *header, *dcurrent; isc_boolean_t make_dirty = ISC_FALSE; /* * Caller must hold the node lock. */ /* * We set the IGNORE attribute on rdatasets with serial number * 'serial'. When the reference count goes to zero, these rdatasets * will be cleaned up; until that time, they will be ignored. */ for (header = node->data; header != NULL; header = header->next) { if (header->serial == serial) { header->attributes |= RDATASET_ATTR_IGNORE; make_dirty = ISC_TRUE; } for (dcurrent = header->down; dcurrent != NULL; dcurrent = dcurrent->down) { if (dcurrent->serial == serial) { dcurrent->attributes |= RDATASET_ATTR_IGNORE; make_dirty = ISC_TRUE; } } } if (make_dirty) node->dirty = 1; } static inline void clean_stale_headers(dns_rbtdb_t *rbtdb, isc_mem_t *mctx, rdatasetheader_t *top) { rdatasetheader_t *d, *down_next; for (d = top->down; d != NULL; d = down_next) { down_next = d->down; free_rdataset(rbtdb, mctx, d); } top->down = NULL; } static inline void clean_cache_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) { rdatasetheader_t *current, *top_prev, *top_next; isc_mem_t *mctx = rbtdb->common.mctx; /* * Caller must be holding the node lock. */ top_prev = NULL; for (current = node->data; current != NULL; current = top_next) { top_next = current->next; clean_stale_headers(rbtdb, mctx, current); /* * If current is nonexistent or stale, we can clean it up. */ if ((current->attributes & (RDATASET_ATTR_NONEXISTENT|RDATASET_ATTR_STALE)) != 0) { if (top_prev != NULL) top_prev->next = current->next; else node->data = current->next; free_rdataset(rbtdb, mctx, current); } else top_prev = current; } node->dirty = 0; } static inline void clean_zone_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, rbtdb_serial_t least_serial) { rdatasetheader_t *current, *dcurrent, *down_next, *dparent; rdatasetheader_t *top_prev, *top_next; isc_mem_t *mctx = rbtdb->common.mctx; isc_boolean_t still_dirty = ISC_FALSE; /* * Caller must be holding the node lock. */ REQUIRE(least_serial != 0); top_prev = NULL; for (current = node->data; current != NULL; current = top_next) { top_next = current->next; /* * First, we clean up any instances of multiple rdatasets * with the same serial number, or that have the IGNORE * attribute. */ dparent = current; for (dcurrent = current->down; dcurrent != NULL; dcurrent = down_next) { down_next = dcurrent->down; INSIST(dcurrent->serial <= dparent->serial); if (dcurrent->serial == dparent->serial || IGNORE(dcurrent)) { if (down_next != NULL) down_next->next = dparent; dparent->down = down_next; free_rdataset(rbtdb, mctx, dcurrent); } else dparent = dcurrent; } /* * We've now eliminated all IGNORE datasets with the possible * exception of current, which we now check. */ if (IGNORE(current)) { down_next = current->down; if (down_next == NULL) { if (top_prev != NULL) top_prev->next = current->next; else node->data = current->next; free_rdataset(rbtdb, mctx, current); /* * current no longer exists, so we can * just continue with the loop. */ continue; } else { /* * Pull up current->down, making it the new * current. */ if (top_prev != NULL) top_prev->next = down_next; else node->data = down_next; down_next->next = top_next; free_rdataset(rbtdb, mctx, current); current = down_next; } } /* * We now try to find the first down node less than the * least serial. */ dparent = current; for (dcurrent = current->down; dcurrent != NULL; dcurrent = down_next) { down_next = dcurrent->down; if (dcurrent->serial < least_serial) break; dparent = dcurrent; } /* * If there is a such an rdataset, delete it and any older * versions. */ if (dcurrent != NULL) { do { down_next = dcurrent->down; INSIST(dcurrent->serial <= least_serial); free_rdataset(rbtdb, mctx, dcurrent); dcurrent = down_next; } while (dcurrent != NULL); dparent->down = NULL; } /* * Note. The serial number of 'current' might be less than * least_serial too, but we cannot delete it because it is * the most recent version, unless it is a NONEXISTENT * rdataset. */ if (current->down != NULL) { still_dirty = ISC_TRUE; top_prev = current; } else { /* * If this is a NONEXISTENT rdataset, we can delete it. */ if (NONEXISTENT(current)) { if (top_prev != NULL) top_prev->next = current->next; else node->data = current->next; free_rdataset(rbtdb, mctx, current); } else top_prev = current; } } if (!still_dirty) node->dirty = 0; } /*% * Clean up dead nodes. These are nodes which have no references, and * have no data. They are dead but we could not or chose not to delete * them when we deleted all the data at that node because we did not want * to wait for the tree write lock. * * The caller must hold a tree write lock and bucketnum'th node (write) lock. */ static void cleanup_dead_nodes(dns_rbtdb_t *rbtdb, int bucketnum) { dns_rbtnode_t *node; isc_result_t result; int count = 10; /* XXXJT: should be adjustable */ node = ISC_LIST_HEAD(rbtdb->deadnodes[bucketnum]); while (node != NULL && count > 0) { ISC_LIST_UNLINK(rbtdb->deadnodes[bucketnum], node, deadlink); /* * Since we're holding a tree write lock, it should be * impossible for this node to be referenced by others. */ INSIST(dns_rbtnode_refcurrent(node) == 0 && node->data == NULL); INSIST(!ISC_LINK_LINKED(node, deadlink)); if (node->nsec3) result = dns_rbt_deletenode(rbtdb->nsec3, node, ISC_FALSE); else result = dns_rbt_deletenode(rbtdb->tree, node, ISC_FALSE); if (result != ISC_R_SUCCESS) isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE, ISC_LOG_WARNING, "cleanup_dead_nodes: " "dns_rbt_deletenode: %s", isc_result_totext(result)); node = ISC_LIST_HEAD(rbtdb->deadnodes[bucketnum]); count--; } } /* * Caller must be holding the node lock if its reference must be protected * by the lock. */ static inline void new_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) { unsigned int lockrefs, noderefs; isc_refcount_t *lockref; dns_rbtnode_refincrement0(node, &noderefs); if (noderefs == 1) { /* this is the first reference to the node */ lockref = &rbtdb->node_locks[node->locknum].references; isc_refcount_increment0(lockref, &lockrefs); INSIST(lockrefs != 0); } INSIST(noderefs != 0); } /* * This function is assumed to be called when a node is newly referenced * and can be in the deadnode list. In that case the node must be retrieved * from the list because it is going to be used. In addition, if the caller * happens to hold a write lock on the tree, it's a good chance to purge dead * nodes. * Note: while a new reference is gained in multiple places, there are only very * few cases where the node can be in the deadnode list (only empty nodes can * have been added to the list). */ static inline void reactivate_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, isc_rwlocktype_t treelocktype) { isc_boolean_t need_relock = ISC_FALSE; NODE_STRONGLOCK(&rbtdb->node_locks[node->locknum].lock); new_reference(rbtdb, node); NODE_WEAKLOCK(&rbtdb->node_locks[node->locknum].lock, isc_rwlocktype_read); if (ISC_LINK_LINKED(node, deadlink)) need_relock = ISC_TRUE; else if (!ISC_LIST_EMPTY(rbtdb->deadnodes[node->locknum]) && treelocktype == isc_rwlocktype_write) need_relock = ISC_TRUE; NODE_WEAKUNLOCK(&rbtdb->node_locks[node->locknum].lock, isc_rwlocktype_read); if (need_relock) { NODE_WEAKLOCK(&rbtdb->node_locks[node->locknum].lock, isc_rwlocktype_write); if (ISC_LINK_LINKED(node, deadlink)) ISC_LIST_UNLINK(rbtdb->deadnodes[node->locknum], node, deadlink); if (treelocktype == isc_rwlocktype_write) cleanup_dead_nodes(rbtdb, node->locknum); NODE_WEAKUNLOCK(&rbtdb->node_locks[node->locknum].lock, isc_rwlocktype_write); } NODE_STRONGUNLOCK(&rbtdb->node_locks[node->locknum].lock); } /* * Caller must be holding the node lock; either the "strong", read or write * lock. Note that the lock must be held even when node references are * atomically modified; in that case the decrement operation itself does not * have to be protected, but we must avoid a race condition where multiple * threads are decreasing the reference to zero simultaneously and at least * one of them is going to free the node. * This function returns ISC_TRUE if and only if the node reference decreases * to zero. */ static isc_boolean_t decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, rbtdb_serial_t least_serial, isc_rwlocktype_t nlock, isc_rwlocktype_t tlock, isc_boolean_t pruning) { isc_result_t result; isc_boolean_t write_locked; rbtdb_nodelock_t *nodelock; unsigned int refs, nrefs; int bucket = node->locknum; isc_boolean_t no_reference; nodelock = &rbtdb->node_locks[bucket]; /* Handle easy and typical case first. */ if (!node->dirty && (node->data != NULL || node->down != NULL)) { dns_rbtnode_refdecrement(node, &nrefs); INSIST((int)nrefs >= 0); if (nrefs == 0) { isc_refcount_decrement(&nodelock->references, &refs); INSIST((int)refs >= 0); } return ((nrefs == 0) ? ISC_TRUE : ISC_FALSE); } /* Upgrade the lock? */ if (nlock == isc_rwlocktype_read) { NODE_WEAKUNLOCK(&nodelock->lock, isc_rwlocktype_read); NODE_WEAKLOCK(&nodelock->lock, isc_rwlocktype_write); } dns_rbtnode_refdecrement(node, &nrefs); INSIST((int)nrefs >= 0); if (nrefs > 0) { /* Restore the lock? */ if (nlock == isc_rwlocktype_read) NODE_WEAKDOWNGRADE(&nodelock->lock); return (ISC_FALSE); } if (node->dirty && dns_rbtnode_refcurrent(node) == 0) { if (IS_CACHE(rbtdb)) clean_cache_node(rbtdb, node); else { if (least_serial == 0) { /* * Caller doesn't know the least serial. * Get it. */ RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_read); least_serial = rbtdb->least_serial; RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_read); } clean_zone_node(rbtdb, node, least_serial); } } isc_refcount_decrement(&nodelock->references, &refs); INSIST((int)refs >= 0); /* * XXXDCL should this only be done for cache zones? */ if (node->data != NULL || node->down != NULL) { /* Restore the lock? */ if (nlock == isc_rwlocktype_read) NODE_WEAKDOWNGRADE(&nodelock->lock); return (ISC_TRUE); } /* * Attempt to switch to a write lock on the tree. If this fails, * we will add this node to a linked list of nodes in this locking * bucket which we will free later. */ if (tlock != isc_rwlocktype_write) { /* * Locking hierarchy notwithstanding, we don't need to free * the node lock before acquiring the tree write lock because * we only do a trylock. */ if (tlock == isc_rwlocktype_read) result = isc_rwlock_tryupgrade(&rbtdb->tree_lock); else result = isc_rwlock_trylock(&rbtdb->tree_lock, isc_rwlocktype_write); RUNTIME_CHECK(result == ISC_R_SUCCESS || result == ISC_R_LOCKBUSY); write_locked = ISC_TF(result == ISC_R_SUCCESS); } else write_locked = ISC_TRUE; no_reference = ISC_TRUE; if (write_locked && dns_rbtnode_refcurrent(node) == 0) { /* * We can now delete the node if the reference counter is * zero. This should be typically the case, but a different * thread may still gain a (new) reference just before the * current thread locks the tree (e.g., in findnode()). */ /* * If this node is the only one in the level it's in, deleting * this node may recursively make its parent the only node in * the parent level; if so, and if no one is currently using * the parent node, this is almost the only opportunity to * clean it up. But the recursive cleanup is not that trivial * since the child and parent may be in different lock buckets, * which would cause a lock order reversal problem. To avoid * the trouble, we'll dispatch a separate event for batch * cleaning. We need to check whether we're deleting the node * as a result of pruning to avoid infinite dispatching. * Note: pruning happens only when a task has been set for the * rbtdb. If the user of the rbtdb chooses not to set a task, * it's their responsibility to purge stale leaves (e.g. by * periodic walk-through). */ if (!pruning && node->parent != NULL && node->parent->down == node && node->left == NULL && node->right == NULL && rbtdb->task != NULL) { isc_event_t *ev; dns_db_t *db; ev = isc_event_allocate(rbtdb->common.mctx, NULL, DNS_EVENT_RBTPRUNE, prune_tree, node, sizeof(isc_event_t)); if (ev != NULL) { new_reference(rbtdb, node); db = NULL; attach((dns_db_t *)rbtdb, &db); ev->ev_sender = db; isc_task_send(rbtdb->task, &ev); no_reference = ISC_FALSE; } else { /* * XXX: this is a weird situation. We could * ignore this error case, but then the stale * node will unlikely be purged except via a * rare condition such as manual cleanup. So * we queue it in the deadnodes list, hoping * the memory shortage is temporary and the node * will be deleted later. */ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE, ISC_LOG_INFO, "decrement_reference: failed to " "allocate pruning event"); INSIST(!ISC_LINK_LINKED(node, deadlink)); ISC_LIST_APPEND(rbtdb->deadnodes[bucket], node, deadlink); } } else { if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(1))) { char printname[DNS_NAME_FORMATSIZE]; isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1), "decrement_reference: " "delete from rbt: %p %s", node, dns_rbt_formatnodename(node, printname, sizeof(printname))); } INSIST(!ISC_LINK_LINKED(node, deadlink)); if (node->nsec3) result = dns_rbt_deletenode(rbtdb->nsec3, node, ISC_FALSE); else result = dns_rbt_deletenode(rbtdb->tree, node, ISC_FALSE); if (result != ISC_R_SUCCESS) { isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE, ISC_LOG_WARNING, "decrement_reference: " "dns_rbt_deletenode: %s", isc_result_totext(result)); } } } else if (dns_rbtnode_refcurrent(node) == 0) { INSIST(!ISC_LINK_LINKED(node, deadlink)); ISC_LIST_APPEND(rbtdb->deadnodes[bucket], node, deadlink); } else no_reference = ISC_FALSE; /* Restore the lock? */ if (nlock == isc_rwlocktype_read) NODE_WEAKDOWNGRADE(&nodelock->lock); /* * Relock a read lock, or unlock the write lock if no lock was held. */ if (tlock == isc_rwlocktype_none) if (write_locked) RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write); if (tlock == isc_rwlocktype_read) if (write_locked) isc_rwlock_downgrade(&rbtdb->tree_lock); return (no_reference); } /* * Prune the tree by recursively cleaning-up single leaves. In the worst * case, the number of iteration is the number of tree levels, which is at * most the maximum number of domain name labels, i.e, 127. In practice, this * should be much smaller (only a few times), and even the worst case would be * acceptable for a single event. */ static void prune_tree(isc_task_t *task, isc_event_t *event) { dns_rbtdb_t *rbtdb = event->ev_sender; dns_rbtnode_t *node = event->ev_arg; dns_rbtnode_t *parent; unsigned int locknum; UNUSED(task); isc_event_free(&event); RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write); locknum = node->locknum; NODE_LOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write); do { parent = node->parent; decrement_reference(rbtdb, node, 0, isc_rwlocktype_write, isc_rwlocktype_write, ISC_TRUE); if (parent != NULL && parent->down == NULL) { /* * node was the only down child of the parent and has * just been removed. We'll then need to examine the * parent. Keep the lock if possible; otherwise, * release the old lock and acquire one for the parent. */ if (parent->locknum != locknum) { NODE_UNLOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write); locknum = parent->locknum; NODE_LOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write); } /* * We need to gain a reference to the node before * decrementing it in the next iteration. In addition, * if the node is in the dead-nodes list, extract it * from the list beforehand as we do in * reactivate_node(). */ new_reference(rbtdb, parent); if (ISC_LINK_LINKED(parent, deadlink)) { ISC_LIST_UNLINK(rbtdb->deadnodes[locknum], parent, deadlink); } } else parent = NULL; node = parent; } while (node != NULL); NODE_UNLOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write); RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write); detach((dns_db_t **)&rbtdb); } static inline void make_least_version(dns_rbtdb_t *rbtdb, rbtdb_version_t *version, rbtdb_changedlist_t *cleanup_list) { /* * Caller must be holding the database lock. */ rbtdb->least_serial = version->serial; *cleanup_list = version->changed_list; ISC_LIST_INIT(version->changed_list); } static inline void cleanup_nondirty(rbtdb_version_t *version, rbtdb_changedlist_t *cleanup_list) { rbtdb_changed_t *changed, *next_changed; /* * If the changed record is dirty, then * an update created multiple versions of * a given rdataset. We keep this list * until we're the least open version, at * which point it's safe to get rid of any * older versions. * * If the changed record isn't dirty, then * we don't need it anymore since we're * committing and not rolling back. * * The caller must be holding the database lock. */ for (changed = HEAD(version->changed_list); changed != NULL; changed = next_changed) { next_changed = NEXT(changed, link); if (!changed->dirty) { UNLINK(version->changed_list, changed, link); APPEND(*cleanup_list, changed, link); } } } static void iszonesecure(dns_db_t *db, rbtdb_version_t *version, dns_dbnode_t *origin) { dns_rdataset_t keyset; dns_rdataset_t nsecset, signsecset; dns_rdata_t rdata = DNS_RDATA_INIT; isc_boolean_t haszonekey = ISC_FALSE; isc_boolean_t hasnsec = ISC_FALSE; isc_boolean_t hasoptbit = ISC_FALSE; isc_boolean_t nsec3createflag = ISC_FALSE; isc_result_t result; dns_rdataset_init(&keyset); result = dns_db_findrdataset(db, origin, version, dns_rdatatype_dnskey, 0, 0, &keyset, NULL); if (result == ISC_R_SUCCESS) { dns_rdata_t keyrdata = DNS_RDATA_INIT; result = dns_rdataset_first(&keyset); while (result == ISC_R_SUCCESS) { dns_rdataset_current(&keyset, &keyrdata); if (dns_zonekey_iszonekey(&keyrdata)) { haszonekey = ISC_TRUE; break; } result = dns_rdataset_next(&keyset); } dns_rdataset_disassociate(&keyset); } if (!haszonekey) { version->secure = dns_db_insecure; version->havensec3 = ISC_FALSE; return; } dns_rdataset_init(&nsecset); dns_rdataset_init(&signsecset); result = dns_db_findrdataset(db, origin, version, dns_rdatatype_nsec, 0, 0, &nsecset, &signsecset); if (result == ISC_R_SUCCESS) { if (dns_rdataset_isassociated(&signsecset)) { hasnsec = ISC_TRUE; result = dns_rdataset_first(&nsecset); if (result == ISC_R_SUCCESS) { dns_rdataset_current(&nsecset, &rdata); hasoptbit = dns_nsec_typepresent(&rdata, dns_rdatatype_opt); } dns_rdataset_disassociate(&signsecset); } dns_rdataset_disassociate(&nsecset); } setnsec3parameters(db, version, &nsec3createflag); /* * Do we have a valid NSEC/NSEC3 chain? */ if (version->havensec3 || (hasnsec && !hasoptbit)) version->secure = dns_db_secure; /* * Do we have a NSEC/NSEC3 chain under creation? */ else if (hasoptbit || nsec3createflag) version->secure = dns_db_partial; else version->secure = dns_db_insecure; } /*%< * Walk the origin node looking for NSEC3PARAM records. * Cache the nsec3 parameters. */ static void setnsec3parameters(dns_db_t *db, rbtdb_version_t *version, isc_boolean_t *nsec3createflag) { dns_rbtnode_t *node; dns_rdata_nsec3param_t nsec3param; dns_rdata_t rdata = DNS_RDATA_INIT; isc_region_t region; isc_result_t result; rdatasetheader_t *header, *header_next; unsigned char *raw; /* RDATASLAB */ unsigned int count, length; dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); version->havensec3 = ISC_FALSE; node = rbtdb->origin_node; NODE_LOCK(&(rbtdb->node_locks[node->locknum].lock), isc_rwlocktype_read); for (header = node->data; header != NULL; header = header_next) { header_next = header->next; do { if (header->serial <= version->serial && !IGNORE(header)) { if (NONEXISTENT(header)) header = NULL; break; } else header = header->down; } while (header != NULL); if (header != NULL && header->type == dns_rdatatype_nsec3param) { /* * Find A NSEC3PARAM with a supported algorithm. */ raw = (unsigned char *)header + sizeof(*header); count = raw[0] * 256 + raw[1]; /* count */ #if DNS_RDATASET_FIXED raw += count * 4 + 2; #else raw += 2; #endif while (count-- > 0U) { length = raw[0] * 256 + raw[1]; #if DNS_RDATASET_FIXED raw += 4; #else raw += 2; #endif region.base = raw; region.length = length; raw += length; dns_rdata_fromregion(&rdata, rbtdb->common.rdclass, dns_rdatatype_nsec3param, ®ion); result = dns_rdata_tostruct(&rdata, &nsec3param, NULL); INSIST(result == ISC_R_SUCCESS); dns_rdata_reset(&rdata); if (nsec3param.hash != DNS_NSEC3_UNKNOWNALG && !dns_nsec3_supportedhash(nsec3param.hash)) continue; #ifdef RFC5155_STRICT if (nsec3param.flags != 0) continue; #else if ((nsec3param.flags & DNS_NSEC3FLAG_CREATE) != 0) *nsec3createflag = ISC_TRUE; if ((nsec3param.flags & ~DNS_NSEC3FLAG_OPTOUT) != 0) continue; #endif memcpy(version->salt, nsec3param.salt, nsec3param.salt_length); version->hash = nsec3param.hash; version->salt_length = nsec3param.salt_length; version->iterations = nsec3param.iterations; version->flags = nsec3param.flags; version->havensec3 = ISC_TRUE; /* * Look for a better algorithm than the * unknown test algorithm. */ if (nsec3param.hash != DNS_NSEC3_UNKNOWNALG) goto unlock; } } } unlock: NODE_UNLOCK(&(rbtdb->node_locks[node->locknum].lock), isc_rwlocktype_read); RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); } static void closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; rbtdb_version_t *version, *cleanup_version, *least_greater; isc_boolean_t rollback = ISC_FALSE; rbtdb_changedlist_t cleanup_list; rdatasetheaderlist_t resigned_list; rbtdb_changed_t *changed, *next_changed; rbtdb_serial_t serial, least_serial; dns_rbtnode_t *rbtnode; unsigned int refs; rdatasetheader_t *header; isc_boolean_t writer; REQUIRE(VALID_RBTDB(rbtdb)); version = (rbtdb_version_t *)*versionp; cleanup_version = NULL; ISC_LIST_INIT(cleanup_list); ISC_LIST_INIT(resigned_list); isc_refcount_decrement(&version->references, &refs); if (refs > 0) { /* typical and easy case first */ if (commit) { RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_read); INSIST(!version->writer); RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_read); } goto end; } RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write); serial = version->serial; writer = version->writer; if (version->writer) { if (commit) { unsigned cur_ref; rbtdb_version_t *cur_version; INSIST(version->commit_ok); INSIST(version == rbtdb->future_version); /* * The current version is going to be replaced. * Release the (likely last) reference to it from the * DB itself and unlink it from the open list. */ cur_version = rbtdb->current_version; isc_refcount_decrement(&cur_version->references, &cur_ref); if (cur_ref == 0) { if (cur_version->serial == rbtdb->least_serial) INSIST(EMPTY(cur_version->changed_list)); UNLINK(rbtdb->open_versions, cur_version, link); } if (EMPTY(rbtdb->open_versions)) { /* * We're going to become the least open * version. */ make_least_version(rbtdb, version, &cleanup_list); } else { /* * Some other open version is the * least version. We can't cleanup * records that were changed in this * version because the older versions * may still be in use by an open * version. * * We can, however, discard the * changed records for things that * we've added that didn't exist in * prior versions. */ cleanup_nondirty(version, &cleanup_list); } /* * If the (soon to be former) current version * isn't being used by anyone, we can clean * it up. */ if (cur_ref == 0) { cleanup_version = cur_version; APPENDLIST(version->changed_list, cleanup_version->changed_list, link); } /* * Become the current version. */ version->writer = ISC_FALSE; rbtdb->current_version = version; rbtdb->current_serial = version->serial; rbtdb->future_version = NULL; /* * Keep the current version in the open list, and * gain a reference for the DB itself (see the DB * creation function below). This must be the only * case where we need to increment the counter from * zero and need to use isc_refcount_increment0(). */ isc_refcount_increment0(&version->references, &cur_ref); INSIST(cur_ref == 1); PREPEND(rbtdb->open_versions, rbtdb->current_version, link); resigned_list = version->resigned_list; ISC_LIST_INIT(version->resigned_list); } else { /* * We're rolling back this transaction. */ cleanup_list = version->changed_list; ISC_LIST_INIT(version->changed_list); resigned_list = version->resigned_list; ISC_LIST_INIT(version->resigned_list); rollback = ISC_TRUE; cleanup_version = version; rbtdb->future_version = NULL; } } else { if (version != rbtdb->current_version) { /* * There are no external or internal references * to this version and it can be cleaned up. */ cleanup_version = version; /* * Find the version with the least serial * number greater than ours. */ least_greater = PREV(version, link); if (least_greater == NULL) least_greater = rbtdb->current_version; INSIST(version->serial < least_greater->serial); /* * Is this the least open version? */ if (version->serial == rbtdb->least_serial) { /* * Yes. Install the new least open * version. */ make_least_version(rbtdb, least_greater, &cleanup_list); } else { /* * Add any unexecuted cleanups to * those of the least greater version. */ APPENDLIST(least_greater->changed_list, version->changed_list, link); } } else if (version->serial == rbtdb->least_serial) INSIST(EMPTY(version->changed_list)); UNLINK(rbtdb->open_versions, version, link); } least_serial = rbtdb->least_serial; RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write); /* * Update the zone's secure status. */ if (writer && commit && !IS_CACHE(rbtdb)) iszonesecure(db, version, rbtdb->origin_node); if (cleanup_version != NULL) { INSIST(EMPTY(cleanup_version->changed_list)); isc_mem_put(rbtdb->common.mctx, cleanup_version, sizeof(*cleanup_version)); } /* * Commit/rollback re-signed headers. */ for (header = HEAD(resigned_list); header != NULL; header = HEAD(resigned_list)) { nodelock_t *lock; ISC_LIST_UNLINK(resigned_list, header, link); lock = &rbtdb->node_locks[header->node->locknum].lock; NODE_LOCK(lock, isc_rwlocktype_write); if (rollback) resign_insert(rbtdb, header->node->locknum, header); decrement_reference(rbtdb, header->node, least_serial, isc_rwlocktype_write, isc_rwlocktype_none, ISC_FALSE); NODE_UNLOCK(lock, isc_rwlocktype_write); } if (!EMPTY(cleanup_list)) { /* * We acquire a tree write lock here in order to make sure * that stale nodes will be removed in decrement_reference(). * If we didn't have the lock, those nodes could miss the * chance to be removed until the server stops. The write lock * is expensive, but this event should be rare enough to justify * the cost. */ RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write); for (changed = HEAD(cleanup_list); changed != NULL; changed = next_changed) { nodelock_t *lock; next_changed = NEXT(changed, link); rbtnode = changed->node; lock = &rbtdb->node_locks[rbtnode->locknum].lock; NODE_LOCK(lock, isc_rwlocktype_write); /* * This is a good opportunity to purge any dead nodes, * so use it. */ cleanup_dead_nodes(rbtdb, rbtnode->locknum); if (rollback) rollback_node(rbtnode, serial); decrement_reference(rbtdb, rbtnode, least_serial, isc_rwlocktype_write, isc_rwlocktype_write, ISC_FALSE); NODE_UNLOCK(lock, isc_rwlocktype_write); isc_mem_put(rbtdb->common.mctx, changed, sizeof(*changed)); } RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write); } end: *versionp = NULL; } /* * Add the necessary magic for the wildcard name 'name' * to be found in 'rbtdb'. * * In order for wildcard matching to work correctly in * zone_find(), we must ensure that a node for the wildcarding * level exists in the database, and has its 'find_callback' * and 'wild' bits set. * * E.g. if the wildcard name is "*.sub.example." then we * must ensure that "sub.example." exists and is marked as * a wildcard level. */ static isc_result_t add_wildcard_magic(dns_rbtdb_t *rbtdb, dns_name_t *name) { isc_result_t result; dns_name_t foundname; dns_offsets_t offsets; unsigned int n; dns_rbtnode_t *node = NULL; dns_name_init(&foundname, offsets); n = dns_name_countlabels(name); INSIST(n >= 2); n--; dns_name_getlabelsequence(name, 1, n, &foundname); result = dns_rbt_addnode(rbtdb->tree, &foundname, &node); if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS) return (result); node->nsec3 = 0; node->find_callback = 1; node->wild = 1; return (ISC_R_SUCCESS); } static isc_result_t add_empty_wildcards(dns_rbtdb_t *rbtdb, dns_name_t *name) { isc_result_t result; dns_name_t foundname; dns_offsets_t offsets; unsigned int n, l, i; dns_name_init(&foundname, offsets); n = dns_name_countlabels(name); l = dns_name_countlabels(&rbtdb->common.origin); i = l + 1; while (i < n) { dns_rbtnode_t *node = NULL; /* dummy */ dns_name_getlabelsequence(name, n - i, i, &foundname); if (dns_name_iswildcard(&foundname)) { result = add_wildcard_magic(rbtdb, &foundname); if (result != ISC_R_SUCCESS) return (result); result = dns_rbt_addnode(rbtdb->tree, &foundname, &node); if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS) return (result); node->nsec3 = 0; } i++; } return (ISC_R_SUCCESS); } static isc_result_t findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create, dns_dbnode_t **nodep) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; dns_rbtnode_t *node = NULL; dns_name_t nodename; isc_result_t result; isc_rwlocktype_t locktype = isc_rwlocktype_read; REQUIRE(VALID_RBTDB(rbtdb)); dns_name_init(&nodename, NULL); RWLOCK(&rbtdb->tree_lock, locktype); result = dns_rbt_findnode(rbtdb->tree, name, NULL, &node, NULL, DNS_RBTFIND_EMPTYDATA, NULL, NULL); if (result != ISC_R_SUCCESS) { RWUNLOCK(&rbtdb->tree_lock, locktype); if (!create) { if (result == DNS_R_PARTIALMATCH) result = ISC_R_NOTFOUND; return (result); } /* * It would be nice to try to upgrade the lock instead of * unlocking then relocking. */ locktype = isc_rwlocktype_write; RWLOCK(&rbtdb->tree_lock, locktype); node = NULL; result = dns_rbt_addnode(rbtdb->tree, name, &node); if (result == ISC_R_SUCCESS) { dns_rbt_namefromnode(node, &nodename); #ifdef DNS_RBT_USEHASH node->locknum = node->hashval % rbtdb->node_lock_count; #else node->locknum = dns_name_hash(&nodename, ISC_TRUE) % rbtdb->node_lock_count; #endif node->nsec3 = 0; add_empty_wildcards(rbtdb, name); if (dns_name_iswildcard(name)) { result = add_wildcard_magic(rbtdb, name); if (result != ISC_R_SUCCESS) { RWUNLOCK(&rbtdb->tree_lock, locktype); return (result); } } } else if (result != ISC_R_EXISTS) { RWUNLOCK(&rbtdb->tree_lock, locktype); return (result); } } reactivate_node(rbtdb, node, locktype); RWUNLOCK(&rbtdb->tree_lock, locktype); *nodep = (dns_dbnode_t *)node; return (ISC_R_SUCCESS); } static isc_result_t findnsec3node(dns_db_t *db, dns_name_t *name, isc_boolean_t create, dns_dbnode_t **nodep) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; dns_rbtnode_t *node = NULL; dns_name_t nodename; isc_result_t result; isc_rwlocktype_t locktype = isc_rwlocktype_read; REQUIRE(VALID_RBTDB(rbtdb)); dns_name_init(&nodename, NULL); RWLOCK(&rbtdb->tree_lock, locktype); result = dns_rbt_findnode(rbtdb->nsec3, name, NULL, &node, NULL, DNS_RBTFIND_EMPTYDATA, NULL, NULL); if (result != ISC_R_SUCCESS) { RWUNLOCK(&rbtdb->tree_lock, locktype); if (!create) { if (result == DNS_R_PARTIALMATCH) result = ISC_R_NOTFOUND; return (result); } /* * It would be nice to try to upgrade the lock instead of * unlocking then relocking. */ locktype = isc_rwlocktype_write; RWLOCK(&rbtdb->tree_lock, locktype); node = NULL; result = dns_rbt_addnode(rbtdb->nsec3, name, &node); if (result == ISC_R_SUCCESS) { dns_rbt_namefromnode(node, &nodename); #ifdef DNS_RBT_USEHASH node->locknum = node->hashval % rbtdb->node_lock_count; #else node->locknum = dns_name_hash(&nodename, ISC_TRUE) % rbtdb->node_lock_count; #endif node->nsec3 = 1U; } else if (result != ISC_R_EXISTS) { RWUNLOCK(&rbtdb->tree_lock, locktype); return (result); } } else INSIST(node->nsec3); NODE_STRONGLOCK(&rbtdb->node_locks[node->locknum].lock); new_reference(rbtdb, node); NODE_STRONGUNLOCK(&rbtdb->node_locks[node->locknum].lock); RWUNLOCK(&rbtdb->tree_lock, locktype); *nodep = (dns_dbnode_t *)node; return (ISC_R_SUCCESS); } static isc_result_t zone_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) { rbtdb_search_t *search = arg; rdatasetheader_t *header, *header_next; rdatasetheader_t *dname_header, *sigdname_header, *ns_header; rdatasetheader_t *found; isc_result_t result; dns_rbtnode_t *onode; /* * We only want to remember the topmost zone cut, since it's the one * that counts, so we'll just continue if we've already found a * zonecut. */ if (search->zonecut != NULL) return (DNS_R_CONTINUE); found = NULL; result = DNS_R_CONTINUE; onode = search->rbtdb->origin_node; NODE_LOCK(&(search->rbtdb->node_locks[node->locknum].lock), isc_rwlocktype_read); /* * Look for an NS or DNAME rdataset active in our version. */ ns_header = NULL; dname_header = NULL; sigdname_header = NULL; for (header = node->data; header != NULL; header = header_next) { header_next = header->next; if (header->type == dns_rdatatype_ns || header->type == dns_rdatatype_dname || header->type == RBTDB_RDATATYPE_SIGDNAME) { do { if (header->serial <= search->serial && !IGNORE(header)) { /* * Is this a "this rdataset doesn't * exist" record? */ if (NONEXISTENT(header)) header = NULL; break; } else header = header->down; } while (header != NULL); if (header != NULL) { if (header->type == dns_rdatatype_dname) dname_header = header; else if (header->type == RBTDB_RDATATYPE_SIGDNAME) sigdname_header = header; else if (node != onode || IS_STUB(search->rbtdb)) { /* * We've found an NS rdataset that * isn't at the origin node. We check * that they're not at the origin node, * because otherwise we'd erroneously * treat the zone top as if it were * a delegation. */ ns_header = header; } } } } /* * Did we find anything? */ if (dname_header != NULL) { /* * Note that DNAME has precedence over NS if both exist. */ found = dname_header; search->zonecut_sigrdataset = sigdname_header; } else if (ns_header != NULL) { found = ns_header; search->zonecut_sigrdataset = NULL; } if (found != NULL) { /* * We increment the reference count on node to ensure that * search->zonecut_rdataset will still be valid later. */ new_reference(search->rbtdb, node); search->zonecut = node; search->zonecut_rdataset = found; search->need_cleanup = ISC_TRUE; /* * Since we've found a zonecut, anything beneath it is * glue and is not subject to wildcard matching, so we * may clear search->wild. */ search->wild = ISC_FALSE; if ((search->options & DNS_DBFIND_GLUEOK) == 0) { /* * If the caller does not want to find glue, then * this is the best answer and the search should * stop now. */ result = DNS_R_PARTIALMATCH; } else { dns_name_t *zcname; /* * The search will continue beneath the zone cut. * This may or may not be the best match. In case it * is, we need to remember the node name. */ zcname = dns_fixedname_name(&search->zonecut_name); RUNTIME_CHECK(dns_name_copy(name, zcname, NULL) == ISC_R_SUCCESS); search->copy_name = ISC_TRUE; } } else { /* * There is no zonecut at this node which is active in this * version. * * If this is a "wild" node and the caller hasn't disabled * wildcard matching, remember that we've seen a wild node * in case we need to go searching for wildcard matches * later on. */ if (node->wild && (search->options & DNS_DBFIND_NOWILD) == 0) search->wild = ISC_TRUE; } NODE_UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock), isc_rwlocktype_read); return (result); } static inline void bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, rdatasetheader_t *header, isc_stdtime_t now, dns_rdataset_t *rdataset) { unsigned char *raw; /* RDATASLAB */ /* * Caller must be holding the node reader lock. * XXXJT: technically, we need a writer lock, since we'll increment * the header count below. However, since the actual counter value * doesn't matter, we prioritize performance here. (We may want to * use atomic increment when available). */ if (rdataset == NULL) return; new_reference(rbtdb, node); INSIST(rdataset->methods == NULL); /* We must be disassociated. */ rdataset->methods = &rdataset_methods; rdataset->rdclass = rbtdb->common.rdclass; rdataset->type = RBTDB_RDATATYPE_BASE(header->type); rdataset->covers = RBTDB_RDATATYPE_EXT(header->type); rdataset->ttl = header->rdh_ttl - now; rdataset->trust = header->trust; if (NXDOMAIN(header)) rdataset->attributes |= DNS_RDATASETATTR_NXDOMAIN; if (OPTOUT(header)) rdataset->attributes |= DNS_RDATASETATTR_OPTOUT; rdataset->private1 = rbtdb; rdataset->private2 = node; raw = (unsigned char *)header + sizeof(*header); rdataset->private3 = raw; rdataset->count = header->count++; if (rdataset->count == ISC_UINT32_MAX) rdataset->count = 0; /* * Reset iterator state. */ rdataset->privateuint4 = 0; rdataset->private5 = NULL; /* * Add noqname proof. */ rdataset->private6 = header->noqname; if (rdataset->private6 != NULL) rdataset->attributes |= DNS_RDATASETATTR_NOQNAME; rdataset->private7 = header->closest; if (rdataset->private7 != NULL) rdataset->attributes |= DNS_RDATASETATTR_CLOSEST; /* * Copy out re-signing information. */ if (RESIGN(header)) { rdataset->attributes |= DNS_RDATASETATTR_RESIGN; rdataset->resign = header->resign; } else rdataset->resign = 0; } static inline isc_result_t setup_delegation(rbtdb_search_t *search, dns_dbnode_t **nodep, dns_name_t *foundname, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { isc_result_t result; dns_name_t *zcname; rbtdb_rdatatype_t type; dns_rbtnode_t *node; /* * The caller MUST NOT be holding any node locks. */ node = search->zonecut; type = search->zonecut_rdataset->type; /* * If we have to set foundname, we do it before anything else. * If we were to set foundname after we had set nodep or bound the * rdataset, then we'd have to undo that work if dns_name_copy() * failed. By setting foundname first, there's nothing to undo if * we have trouble. */ if (foundname != NULL && search->copy_name) { zcname = dns_fixedname_name(&search->zonecut_name); result = dns_name_copy(zcname, foundname, NULL); if (result != ISC_R_SUCCESS) return (result); } if (nodep != NULL) { /* * Note that we don't have to increment the node's reference * count here because we're going to use the reference we * already have in the search block. */ *nodep = node; search->need_cleanup = ISC_FALSE; } if (rdataset != NULL) { NODE_LOCK(&(search->rbtdb->node_locks[node->locknum].lock), isc_rwlocktype_read); bind_rdataset(search->rbtdb, node, search->zonecut_rdataset, search->now, rdataset); if (sigrdataset != NULL && search->zonecut_sigrdataset != NULL) bind_rdataset(search->rbtdb, node, search->zonecut_sigrdataset, search->now, sigrdataset); NODE_UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock), isc_rwlocktype_read); } if (type == dns_rdatatype_dname) return (DNS_R_DNAME); return (DNS_R_DELEGATION); } static inline isc_boolean_t valid_glue(rbtdb_search_t *search, dns_name_t *name, rbtdb_rdatatype_t type, dns_rbtnode_t *node) { unsigned char *raw; /* RDATASLAB */ unsigned int count, size; dns_name_t ns_name; isc_boolean_t valid = ISC_FALSE; dns_offsets_t offsets; isc_region_t region; rdatasetheader_t *header; /* * No additional locking is required. */ /* * Valid glue types are A, AAAA, A6. NS is also a valid glue type * if it occurs at a zone cut, but is not valid below it. */ if (type == dns_rdatatype_ns) { if (node != search->zonecut) { return (ISC_FALSE); } } else if (type != dns_rdatatype_a && type != dns_rdatatype_aaaa && type != dns_rdatatype_a6) { return (ISC_FALSE); } header = search->zonecut_rdataset; raw = (unsigned char *)header + sizeof(*header); count = raw[0] * 256 + raw[1]; #if DNS_RDATASET_FIXED raw += 2 + (4 * count); #else raw += 2; #endif while (count > 0) { count--; size = raw[0] * 256 + raw[1]; #if DNS_RDATASET_FIXED raw += 4; #else raw += 2; #endif region.base = raw; region.length = size; raw += size; /* * XXX Until we have rdata structures, we have no choice but * to directly access the rdata format. */ dns_name_init(&ns_name, offsets); dns_name_fromregion(&ns_name, ®ion); if (dns_name_compare(&ns_name, name) == 0) { valid = ISC_TRUE; break; } } return (valid); } static inline isc_boolean_t activeempty(rbtdb_search_t *search, dns_rbtnodechain_t *chain, dns_name_t *name) { dns_fixedname_t fnext; dns_fixedname_t forigin; dns_name_t *next; dns_name_t *origin; dns_name_t prefix; dns_rbtdb_t *rbtdb; dns_rbtnode_t *node; isc_result_t result; isc_boolean_t answer = ISC_FALSE; rdatasetheader_t *header; rbtdb = search->rbtdb; dns_name_init(&prefix, NULL); dns_fixedname_init(&fnext); next = dns_fixedname_name(&fnext); dns_fixedname_init(&forigin); origin = dns_fixedname_name(&forigin); result = dns_rbtnodechain_next(chain, NULL, NULL); while (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) { node = NULL; result = dns_rbtnodechain_current(chain, &prefix, origin, &node); if (result != ISC_R_SUCCESS) break; NODE_LOCK(&(rbtdb->node_locks[node->locknum].lock), isc_rwlocktype_read); for (header = node->data; header != NULL; header = header->next) { if (header->serial <= search->serial && !IGNORE(header) && EXISTS(header)) break; } NODE_UNLOCK(&(rbtdb->node_locks[node->locknum].lock), isc_rwlocktype_read); if (header != NULL) break; result = dns_rbtnodechain_next(chain, NULL, NULL); } if (result == ISC_R_SUCCESS) result = dns_name_concatenate(&prefix, origin, next, NULL); if (result == ISC_R_SUCCESS && dns_name_issubdomain(next, name)) answer = ISC_TRUE; return (answer); } static inline isc_boolean_t activeemtpynode(rbtdb_search_t *search, dns_name_t *qname, dns_name_t *wname) { dns_fixedname_t fnext; dns_fixedname_t forigin; dns_fixedname_t fprev; dns_name_t *next; dns_name_t *origin; dns_name_t *prev; dns_name_t name; dns_name_t rname; dns_name_t tname; dns_rbtdb_t *rbtdb; dns_rbtnode_t *node; dns_rbtnodechain_t chain; isc_boolean_t check_next = ISC_TRUE; isc_boolean_t check_prev = ISC_TRUE; isc_boolean_t answer = ISC_FALSE; isc_result_t result; rdatasetheader_t *header; unsigned int n; rbtdb = search->rbtdb; dns_name_init(&name, NULL); dns_name_init(&tname, NULL); dns_name_init(&rname, NULL); dns_fixedname_init(&fnext); next = dns_fixedname_name(&fnext); dns_fixedname_init(&fprev); prev = dns_fixedname_name(&fprev); dns_fixedname_init(&forigin); origin = dns_fixedname_name(&forigin); /* * Find if qname is at or below a empty node. * Use our own copy of the chain. */ chain = search->chain; do { node = NULL; result = dns_rbtnodechain_current(&chain, &name, origin, &node); if (result != ISC_R_SUCCESS) break; NODE_LOCK(&(rbtdb->node_locks[node->locknum].lock), isc_rwlocktype_read); for (header = node->data; header != NULL; header = header->next) { if (header->serial <= search->serial && !IGNORE(header) && EXISTS(header)) break; } NODE_UNLOCK(&(rbtdb->node_locks[node->locknum].lock), isc_rwlocktype_read); if (header != NULL) break; result = dns_rbtnodechain_prev(&chain, NULL, NULL); } while (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN); if (result == ISC_R_SUCCESS) result = dns_name_concatenate(&name, origin, prev, NULL); if (result != ISC_R_SUCCESS) check_prev = ISC_FALSE; result = dns_rbtnodechain_next(&chain, NULL, NULL); while (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) { node = NULL; result = dns_rbtnodechain_current(&chain, &name, origin, &node); if (result != ISC_R_SUCCESS) break; NODE_LOCK(&(rbtdb->node_locks[node->locknum].lock), isc_rwlocktype_read); for (header = node->data; header != NULL; header = header->next) { if (header->serial <= search->serial && !IGNORE(header) && EXISTS(header)) break; } NODE_UNLOCK(&(rbtdb->node_locks[node->locknum].lock), isc_rwlocktype_read); if (header != NULL) break; result = dns_rbtnodechain_next(&chain, NULL, NULL); } if (result == ISC_R_SUCCESS) result = dns_name_concatenate(&name, origin, next, NULL); if (result != ISC_R_SUCCESS) check_next = ISC_FALSE; dns_name_clone(qname, &rname); /* * Remove the wildcard label to find the terminal name. */ n = dns_name_countlabels(wname); dns_name_getlabelsequence(wname, 1, n - 1, &tname); do { if ((check_prev && dns_name_issubdomain(prev, &rname)) || (check_next && dns_name_issubdomain(next, &rname))) { answer = ISC_TRUE; break; } /* * Remove the left hand label. */ n = dns_name_countlabels(&rname); dns_name_getlabelsequence(&rname, 1, n - 1, &rname); } while (!dns_name_equal(&rname, &tname)); return (answer); } static inline isc_result_t find_wildcard(rbtdb_search_t *search, dns_rbtnode_t **nodep, dns_name_t *qname) { unsigned int i, j; dns_rbtnode_t *node, *level_node, *wnode; rdatasetheader_t *header; isc_result_t result = ISC_R_NOTFOUND; dns_name_t name; dns_name_t *wname; dns_fixedname_t fwname; dns_rbtdb_t *rbtdb; isc_boolean_t done, wild, active; dns_rbtnodechain_t wchain; /* * Caller must be holding the tree lock and MUST NOT be holding * any node locks. */ /* * Examine each ancestor level. If the level's wild bit * is set, then construct the corresponding wildcard name and * search for it. If the wildcard node exists, and is active in * this version, we're done. If not, then we next check to see * if the ancestor is active in this version. If so, then there * can be no possible wildcard match and again we're done. If not, * continue the search. */ rbtdb = search->rbtdb; i = search->chain.level_matches; done = ISC_FALSE; node = *nodep; do { NODE_LOCK(&(rbtdb->node_locks[node->locknum].lock), isc_rwlocktype_read); /* * First we try to figure out if this node is active in * the search's version. We do this now, even though we * may not need the information, because it simplifies the * locking and code flow. */ for (header = node->data; header != NULL; header = header->next) { if (header->serial <= search->serial && !IGNORE(header) && EXISTS(header)) break; } if (header != NULL) active = ISC_TRUE; else active = ISC_FALSE; if (node->wild) wild = ISC_TRUE; else wild = ISC_FALSE; NODE_UNLOCK(&(rbtdb->node_locks[node->locknum].lock), isc_rwlocktype_read); if (wild) { /* * Construct the wildcard name for this level. */ dns_name_init(&name, NULL); dns_rbt_namefromnode(node, &name); dns_fixedname_init(&fwname); wname = dns_fixedname_name(&fwname); result = dns_name_concatenate(dns_wildcardname, &name, wname, NULL); j = i; while (result == ISC_R_SUCCESS && j != 0) { j--; level_node = search->chain.levels[j]; dns_name_init(&name, NULL); dns_rbt_namefromnode(level_node, &name); result = dns_name_concatenate(wname, &name, wname, NULL); } if (result != ISC_R_SUCCESS) break; wnode = NULL; dns_rbtnodechain_init(&wchain, NULL); result = dns_rbt_findnode(rbtdb->tree, wname, NULL, &wnode, &wchain, DNS_RBTFIND_EMPTYDATA, NULL, NULL); if (result == ISC_R_SUCCESS) { nodelock_t *lock; /* * We have found the wildcard node. If it * is active in the search's version, we're * done. */ lock = &rbtdb->node_locks[wnode->locknum].lock; NODE_LOCK(lock, isc_rwlocktype_read); for (header = wnode->data; header != NULL; header = header->next) { if (header->serial <= search->serial && !IGNORE(header) && EXISTS(header)) break; } NODE_UNLOCK(lock, isc_rwlocktype_read); if (header != NULL || activeempty(search, &wchain, wname)) { if (activeemtpynode(search, qname, wname)) { return (ISC_R_NOTFOUND); } /* * The wildcard node is active! * * Note: result is still ISC_R_SUCCESS * so we don't have to set it. */ *nodep = wnode; break; } } else if (result != ISC_R_NOTFOUND && result != DNS_R_PARTIALMATCH) { /* * An error has occurred. Bail out. */ break; } } if (active) { /* * The level node is active. Any wildcarding * present at higher levels has no * effect and we're done. */ result = ISC_R_NOTFOUND; break; } if (i > 0) { i--; node = search->chain.levels[i]; } else done = ISC_TRUE; } while (!done); return (result); } static isc_boolean_t matchparams(rdatasetheader_t *header, rbtdb_search_t *search) { dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdata_nsec3_t nsec3; unsigned char *raw; /* RDATASLAB */ unsigned int rdlen, count; isc_region_t region; isc_result_t result; REQUIRE(header->type == dns_rdatatype_nsec3); raw = (unsigned char *)header + sizeof(*header); count = raw[0] * 256 + raw[1]; /* count */ #if DNS_RDATASET_FIXED raw += count * 4 + 2; #else raw += 2; #endif while (count-- > 0) { rdlen = raw[0] * 256 + raw[1]; #if DNS_RDATASET_FIXED raw += 4; #else raw += 2; #endif region.base = raw; region.length = rdlen; dns_rdata_fromregion(&rdata, search->rbtdb->common.rdclass, dns_rdatatype_nsec3, ®ion); raw += rdlen; result = dns_rdata_tostruct(&rdata, &nsec3, NULL); INSIST(result == ISC_R_SUCCESS); if (nsec3.hash == search->rbtversion->hash && nsec3.iterations == search->rbtversion->iterations && nsec3.salt_length == search->rbtversion->salt_length && memcmp(nsec3.salt, search->rbtversion->salt, nsec3.salt_length) == 0) return (ISC_TRUE); dns_rdata_reset(&rdata); } return (ISC_FALSE); } static inline isc_result_t find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep, dns_name_t *foundname, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, dns_rbt_t *tree, dns_db_secure_t secure) { dns_rbtnode_t *node; rdatasetheader_t *header, *header_next, *found, *foundsig; isc_boolean_t empty_node; isc_result_t result; dns_fixedname_t fname, forigin; dns_name_t *name, *origin; dns_rdatatype_t type; rbtdb_rdatatype_t sigtype; isc_boolean_t wraps; isc_boolean_t need_sig = ISC_TF(secure == dns_db_secure); if (tree == search->rbtdb->nsec3) { type = dns_rdatatype_nsec3; sigtype = RBTDB_RDATATYPE_SIGNSEC3; wraps = ISC_TRUE; } else { type = dns_rdatatype_nsec; sigtype = RBTDB_RDATATYPE_SIGNSEC; wraps = ISC_FALSE; } again: do { node = NULL; dns_fixedname_init(&fname); name = dns_fixedname_name(&fname); dns_fixedname_init(&forigin); origin = dns_fixedname_name(&forigin); result = dns_rbtnodechain_current(&search->chain, name, origin, &node); if (result != ISC_R_SUCCESS) return (result); NODE_LOCK(&(search->rbtdb->node_locks[node->locknum].lock), isc_rwlocktype_read); found = NULL; foundsig = NULL; empty_node = ISC_TRUE; for (header = node->data; header != NULL; header = header_next) { header_next = header->next; /* * Look for an active, extant NSEC or RRSIG NSEC. */ do { if (header->serial <= search->serial && !IGNORE(header)) { /* * Is this a "this rdataset doesn't * exist" record? */ if (NONEXISTENT(header)) header = NULL; break; } else header = header->down; } while (header != NULL); if (header != NULL) { /* * We now know that there is at least one * active rdataset at this node. */ empty_node = ISC_FALSE; if (header->type == type) { found = header; if (foundsig != NULL) break; } else if (header->type == sigtype) { foundsig = header; if (found != NULL) break; } } } if (!empty_node) { if (found != NULL && search->rbtversion->havensec3 && found->type == dns_rdatatype_nsec3 && !matchparams(found, search)) { empty_node = ISC_TRUE; found = NULL; foundsig = NULL; result = dns_rbtnodechain_prev(&search->chain, NULL, NULL); } else if (found != NULL && (foundsig != NULL || !need_sig)) { /* * We've found the right NSEC/NSEC3 record. * * Note: for this to really be the right * NSEC record, it's essential that the NSEC * records of any nodes obscured by a zone * cut have been removed; we assume this is * the case. */ result = dns_name_concatenate(name, origin, foundname, NULL); if (result == ISC_R_SUCCESS) { if (nodep != NULL) { new_reference(search->rbtdb, node); *nodep = node; } bind_rdataset(search->rbtdb, node, found, search->now, rdataset); if (foundsig != NULL) bind_rdataset(search->rbtdb, node, foundsig, search->now, sigrdataset); } } else if (found == NULL && foundsig == NULL) { /* * This node is active, but has no NSEC or * RRSIG NSEC. That means it's glue or * other obscured zone data that isn't * relevant for our search. Treat the * node as if it were empty and keep looking. */ empty_node = ISC_TRUE; result = dns_rbtnodechain_prev(&search->chain, NULL, NULL); } else { /* * We found an active node, but either the * NSEC or the RRSIG NSEC is missing. This * shouldn't happen. */ result = DNS_R_BADDB; } } else { /* * This node isn't active. We've got to keep * looking. */ result = dns_rbtnodechain_prev(&search->chain, NULL, NULL); } NODE_UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock), isc_rwlocktype_read); } while (empty_node && result == ISC_R_SUCCESS); if (result == ISC_R_NOMORE && wraps) { result = dns_rbtnodechain_last(&search->chain, tree, NULL, NULL); if (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) { wraps = ISC_FALSE; goto again; } } /* * If the result is ISC_R_NOMORE, then we got to the beginning of * the database and didn't find a NSEC record. This shouldn't * happen. */ if (result == ISC_R_NOMORE) result = DNS_R_BADDB; return (result); } static isc_result_t zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, dns_rdatatype_t type, unsigned int options, isc_stdtime_t now, dns_dbnode_t **nodep, dns_name_t *foundname, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { dns_rbtnode_t *node = NULL; isc_result_t result; rbtdb_search_t search; isc_boolean_t cname_ok = ISC_TRUE; isc_boolean_t close_version = ISC_FALSE; isc_boolean_t maybe_zonecut = ISC_FALSE; isc_boolean_t at_zonecut = ISC_FALSE; isc_boolean_t wild; isc_boolean_t empty_node; rdatasetheader_t *header, *header_next, *found, *nsecheader; rdatasetheader_t *foundsig, *cnamesig, *nsecsig; rbtdb_rdatatype_t sigtype; isc_boolean_t active; dns_rbtnodechain_t chain; nodelock_t *lock; dns_rbt_t *tree; search.rbtdb = (dns_rbtdb_t *)db; REQUIRE(VALID_RBTDB(search.rbtdb)); /* * We don't care about 'now'. */ UNUSED(now); /* * If the caller didn't supply a version, attach to the current * version. */ if (version == NULL) { currentversion(db, &version); close_version = ISC_TRUE; } search.rbtversion = version; search.serial = search.rbtversion->serial; search.options = options; search.copy_name = ISC_FALSE; search.need_cleanup = ISC_FALSE; search.wild = ISC_FALSE; search.zonecut = NULL; dns_fixedname_init(&search.zonecut_name); dns_rbtnodechain_init(&search.chain, search.rbtdb->common.mctx); search.now = 0; /* * 'wild' will be true iff. we've matched a wildcard. */ wild = ISC_FALSE; RWLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read); /* * Search down from the root of the tree. If, while going down, we * encounter a callback node, zone_zonecut_callback() will search the * rdatasets at the zone cut for active DNAME or NS rdatasets. */ tree = (options & DNS_DBFIND_FORCENSEC3) != 0 ? search.rbtdb->nsec3 : search.rbtdb->tree; result = dns_rbt_findnode(tree, name, foundname, &node, &search.chain, DNS_RBTFIND_EMPTYDATA, zone_zonecut_callback, &search); if (result == DNS_R_PARTIALMATCH) { partial_match: if (search.zonecut != NULL) { result = setup_delegation(&search, nodep, foundname, rdataset, sigrdataset); goto tree_exit; } if (search.wild) { /* * At least one of the levels in the search chain * potentially has a wildcard. For each such level, * we must see if there's a matching wildcard active * in the current version. */ result = find_wildcard(&search, &node, name); if (result == ISC_R_SUCCESS) { result = dns_name_copy(name, foundname, NULL); if (result != ISC_R_SUCCESS) goto tree_exit; wild = ISC_TRUE; goto found; } else if (result != ISC_R_NOTFOUND) goto tree_exit; } chain = search.chain; active = activeempty(&search, &chain, name); /* * If we're here, then the name does not exist, is not * beneath a zonecut, and there's no matching wildcard. */ if ((search.rbtversion->secure == dns_db_secure && !search.rbtversion->havensec3) || (search.options & DNS_DBFIND_FORCENSEC) != 0 || (search.options & DNS_DBFIND_FORCENSEC3) != 0) { result = find_closest_nsec(&search, nodep, foundname, rdataset, sigrdataset, tree, search.rbtversion->secure); if (result == ISC_R_SUCCESS) result = active ? DNS_R_EMPTYNAME : DNS_R_NXDOMAIN; } else result = active ? DNS_R_EMPTYNAME : DNS_R_NXDOMAIN; goto tree_exit; } else if (result != ISC_R_SUCCESS) goto tree_exit; found: /* * We have found a node whose name is the desired name, or we * have matched a wildcard. */ if (search.zonecut != NULL) { /* * If we're beneath a zone cut, we don't want to look for * CNAMEs because they're not legitimate zone glue. */ cname_ok = ISC_FALSE; } else { /* * The node may be a zone cut itself. If it might be one, * make sure we check for it later. * * DS records live above the zone cut in ordinary zone so * we want to ignore any referral. * * Stub zones don't have anything "above" the delgation so * we always return a referral. */ if (node->find_callback && ((node != search.rbtdb->origin_node && !dns_rdatatype_atparent(type)) || IS_STUB(search.rbtdb))) maybe_zonecut = ISC_TRUE; } /* * Certain DNSSEC types are not subject to CNAME matching * (RFC4035, section 2.5 and RFC3007). * * We don't check for RRSIG, because we don't store RRSIG records * directly. */ if (type == dns_rdatatype_key || type == dns_rdatatype_nsec) cname_ok = ISC_FALSE; /* * We now go looking for rdata... */ lock = &search.rbtdb->node_locks[node->locknum].lock; NODE_LOCK(lock, isc_rwlocktype_read); found = NULL; foundsig = NULL; sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type); nsecheader = NULL; nsecsig = NULL; cnamesig = NULL; empty_node = ISC_TRUE; for (header = node->data; header != NULL; header = header_next) { header_next = header->next; /* * Look for an active, extant rdataset. */ do { if (header->serial <= search.serial && !IGNORE(header)) { /* * Is this a "this rdataset doesn't * exist" record? */ if (NONEXISTENT(header)) header = NULL; break; } else header = header->down; } while (header != NULL); if (header != NULL) { /* * We now know that there is at least one active * rdataset at this node. */ empty_node = ISC_FALSE; /* * Do special zone cut handling, if requested. */ if (maybe_zonecut && header->type == dns_rdatatype_ns) { /* * We increment the reference count on node to * ensure that search->zonecut_rdataset will * still be valid later. */ new_reference(search.rbtdb, node); search.zonecut = node; search.zonecut_rdataset = header; search.zonecut_sigrdataset = NULL; search.need_cleanup = ISC_TRUE; maybe_zonecut = ISC_FALSE; at_zonecut = ISC_TRUE; /* * It is not clear if KEY should still be * allowed at the parent side of the zone * cut or not. It is needed for RFC3007 * validated updates. */ if ((search.options & DNS_DBFIND_GLUEOK) == 0 && type != dns_rdatatype_nsec && type != dns_rdatatype_key) { /* * Glue is not OK, but any answer we * could return would be glue. Return * the delegation. */ found = NULL; break; } if (found != NULL && foundsig != NULL) break; } /* * If the NSEC3 record doesn't match the chain * we are using behave as if it isn't here. */ if (header->type == dns_rdatatype_nsec3 && !matchparams(header, &search)) { NODE_UNLOCK(lock, isc_rwlocktype_read); goto partial_match; } /* * If we found a type we were looking for, * remember it. */ if (header->type == type || type == dns_rdatatype_any || (header->type == dns_rdatatype_cname && cname_ok)) { /* * We've found the answer! */ found = header; if (header->type == dns_rdatatype_cname && cname_ok) { /* * We may be finding a CNAME instead * of the desired type. * * If we've already got the CNAME RRSIG, * use it, otherwise change sigtype * so that we find it. */ if (cnamesig != NULL) foundsig = cnamesig; else sigtype = RBTDB_RDATATYPE_SIGCNAME; } /* * If we've got all we need, end the search. */ if (!maybe_zonecut && foundsig != NULL) break; } else if (header->type == sigtype) { /* * We've found the RRSIG rdataset for our * target type. Remember it. */ foundsig = header; /* * If we've got all we need, end the search. */ if (!maybe_zonecut && found != NULL) break; } else if (header->type == dns_rdatatype_nsec && !search.rbtversion->havensec3) { /* * Remember a NSEC rdataset even if we're * not specifically looking for it, because * we might need it later. */ nsecheader = header; } else if (header->type == RBTDB_RDATATYPE_SIGNSEC && !search.rbtversion->havensec3) { /* * If we need the NSEC rdataset, we'll also * need its signature. */ nsecsig = header; } else if (cname_ok && header->type == RBTDB_RDATATYPE_SIGCNAME) { /* * If we get a CNAME match, we'll also need * its signature. */ cnamesig = header; } } } if (empty_node) { /* * We have an exact match for the name, but there are no * active rdatasets in the desired version. That means that * this node doesn't exist in the desired version, and that * we really have a partial match. */ if (!wild) { NODE_UNLOCK(lock, isc_rwlocktype_read); goto partial_match; } } /* * If we didn't find what we were looking for... */ if (found == NULL) { if (search.zonecut != NULL) { /* * We were trying to find glue at a node beneath a * zone cut, but didn't. * * Return the delegation. */ NODE_UNLOCK(lock, isc_rwlocktype_read); result = setup_delegation(&search, nodep, foundname, rdataset, sigrdataset); goto tree_exit; } /* * The desired type doesn't exist. */ result = DNS_R_NXRRSET; if (search.rbtversion->secure == dns_db_secure && !search.rbtversion->havensec3 && (nsecheader == NULL || nsecsig == NULL)) { /* * The zone is secure but there's no NSEC, * or the NSEC has no signature! */ if (!wild) { result = DNS_R_BADDB; goto node_exit; } NODE_UNLOCK(lock, isc_rwlocktype_read); result = find_closest_nsec(&search, nodep, foundname, rdataset, sigrdataset, search.rbtdb->tree, search.rbtversion->secure); if (result == ISC_R_SUCCESS) result = DNS_R_EMPTYWILD; goto tree_exit; } if ((search.options & DNS_DBFIND_FORCENSEC) != 0 && nsecheader == NULL) { /* * There's no NSEC record, and we were told * to find one. */ result = DNS_R_BADDB; goto node_exit; } if (nodep != NULL) { new_reference(search.rbtdb, node); *nodep = node; } if ((search.rbtversion->secure == dns_db_secure && !search.rbtversion->havensec3) || (search.options & DNS_DBFIND_FORCENSEC) != 0) { bind_rdataset(search.rbtdb, node, nsecheader, 0, rdataset); if (nsecsig != NULL) bind_rdataset(search.rbtdb, node, nsecsig, 0, sigrdataset); } if (wild) foundname->attributes |= DNS_NAMEATTR_WILDCARD; goto node_exit; } /* * We found what we were looking for, or we found a CNAME. */ if (type != found->type && type != dns_rdatatype_any && found->type == dns_rdatatype_cname) { /* * We weren't doing an ANY query and we found a CNAME instead * of the type we were looking for, so we need to indicate * that result to the caller. */ result = DNS_R_CNAME; } else if (search.zonecut != NULL) { /* * If we're beneath a zone cut, we must indicate that the * result is glue, unless we're actually at the zone cut * and the type is NSEC or KEY. */ if (search.zonecut == node) { /* * It is not clear if KEY should still be * allowed at the parent side of the zone * cut or not. It is needed for RFC3007 * validated updates. */ if (type == dns_rdatatype_nsec || type == dns_rdatatype_nsec3 || type == dns_rdatatype_key) result = ISC_R_SUCCESS; else if (type == dns_rdatatype_any) result = DNS_R_ZONECUT; else result = DNS_R_GLUE; } else result = DNS_R_GLUE; /* * We might have found data that isn't glue, but was occluded * by a dynamic update. If the caller cares about this, they * will have told us to validate glue. * * XXX We should cache the glue validity state! */ if (result == DNS_R_GLUE && (search.options & DNS_DBFIND_VALIDATEGLUE) != 0 && !valid_glue(&search, foundname, type, node)) { NODE_UNLOCK(lock, isc_rwlocktype_read); result = setup_delegation(&search, nodep, foundname, rdataset, sigrdataset); goto tree_exit; } } else { /* * An ordinary successful query! */ result = ISC_R_SUCCESS; } if (nodep != NULL) { if (!at_zonecut) new_reference(search.rbtdb, node); else search.need_cleanup = ISC_FALSE; *nodep = node; } if (type != dns_rdatatype_any) { bind_rdataset(search.rbtdb, node, found, 0, rdataset); if (foundsig != NULL) bind_rdataset(search.rbtdb, node, foundsig, 0, sigrdataset); } if (wild) foundname->attributes |= DNS_NAMEATTR_WILDCARD; node_exit: NODE_UNLOCK(lock, isc_rwlocktype_read); tree_exit: RWUNLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read); /* * If we found a zonecut but aren't going to use it, we have to * let go of it. */ if (search.need_cleanup) { node = search.zonecut; lock = &(search.rbtdb->node_locks[node->locknum].lock); NODE_LOCK(lock, isc_rwlocktype_read); decrement_reference(search.rbtdb, node, 0, isc_rwlocktype_read, isc_rwlocktype_none, ISC_FALSE); NODE_UNLOCK(lock, isc_rwlocktype_read); } if (close_version) closeversion(db, &version, ISC_FALSE); dns_rbtnodechain_reset(&search.chain); return (result); } static isc_result_t zone_findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options, isc_stdtime_t now, dns_dbnode_t **nodep, dns_name_t *foundname, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { UNUSED(db); UNUSED(name); UNUSED(options); UNUSED(now); UNUSED(nodep); UNUSED(foundname); UNUSED(rdataset); UNUSED(sigrdataset); FATAL_ERROR(__FILE__, __LINE__, "zone_findzonecut() called!"); return (ISC_R_NOTIMPLEMENTED); } static isc_result_t cache_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) { rbtdb_search_t *search = arg; rdatasetheader_t *header, *header_prev, *header_next; rdatasetheader_t *dname_header, *sigdname_header; isc_result_t result; nodelock_t *lock; isc_rwlocktype_t locktype; /* XXX comment */ REQUIRE(search->zonecut == NULL); /* * Keep compiler silent. */ UNUSED(name); lock = &(search->rbtdb->node_locks[node->locknum].lock); locktype = isc_rwlocktype_read; NODE_LOCK(lock, locktype); /* * Look for a DNAME or RRSIG DNAME rdataset. */ dname_header = NULL; sigdname_header = NULL; header_prev = NULL; for (header = node->data; header != NULL; header = header_next) { header_next = header->next; if (header->rdh_ttl <= search->now) { /* * This rdataset is stale. If no one else is * using the node, we can clean it up right * now, otherwise we mark it as stale, and * the node as dirty, so it will get cleaned * up later. */ if ((header->rdh_ttl <= search->now - RBTDB_VIRTUAL) && (locktype == isc_rwlocktype_write || NODE_TRYUPGRADE(lock) == ISC_R_SUCCESS)) { /* * We update the node's status only when we * can get write access; otherwise, we leave * others to this work. Periodical cleaning * will eventually take the job as the last * resort. * We won't downgrade the lock, since other * rdatasets are probably stale, too. */ locktype = isc_rwlocktype_write; if (dns_rbtnode_refcurrent(node) == 0) { isc_mem_t *mctx; /* * header->down can be non-NULL if the * refcount has just decremented to 0 * but decrement_reference() has not * performed clean_cache_node(), in * which case we need to purge the * stale headers first. */ mctx = search->rbtdb->common.mctx; clean_stale_headers(search->rbtdb, mctx, header); if (header_prev != NULL) header_prev->next = header->next; else node->data = header->next; free_rdataset(search->rbtdb, mctx, header); } else { header->attributes |= RDATASET_ATTR_STALE; node->dirty = 1; header_prev = header; } } else header_prev = header; } else if (header->type == dns_rdatatype_dname && EXISTS(header)) { dname_header = header; header_prev = header; } else if (header->type == RBTDB_RDATATYPE_SIGDNAME && EXISTS(header)) { sigdname_header = header; header_prev = header; } else header_prev = header; } if (dname_header != NULL && (!DNS_TRUST_PENDING(dname_header->trust) || (search->options & DNS_DBFIND_PENDINGOK) != 0)) { /* * We increment the reference count on node to ensure that * search->zonecut_rdataset will still be valid later. */ new_reference(search->rbtdb, node); INSIST(!ISC_LINK_LINKED(node, deadlink)); search->zonecut = node; search->zonecut_rdataset = dname_header; search->zonecut_sigrdataset = sigdname_header; search->need_cleanup = ISC_TRUE; result = DNS_R_PARTIALMATCH; } else result = DNS_R_CONTINUE; NODE_UNLOCK(lock, locktype); return (result); } static inline isc_result_t find_deepest_zonecut(rbtdb_search_t *search, dns_rbtnode_t *node, dns_dbnode_t **nodep, dns_name_t *foundname, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { unsigned int i; dns_rbtnode_t *level_node; rdatasetheader_t *header, *header_prev, *header_next; rdatasetheader_t *found, *foundsig; isc_result_t result = ISC_R_NOTFOUND; dns_name_t name; dns_rbtdb_t *rbtdb; isc_boolean_t done; nodelock_t *lock; isc_rwlocktype_t locktype; /* * Caller must be holding the tree lock. */ rbtdb = search->rbtdb; i = search->chain.level_matches; done = ISC_FALSE; do { locktype = isc_rwlocktype_read; lock = &rbtdb->node_locks[node->locknum].lock; NODE_LOCK(lock, locktype); /* * Look for NS and RRSIG NS rdatasets. */ found = NULL; foundsig = NULL; header_prev = NULL; for (header = node->data; header != NULL; header = header_next) { header_next = header->next; if (header->rdh_ttl <= search->now) { /* * This rdataset is stale. If no one else is * using the node, we can clean it up right * now, otherwise we mark it as stale, and * the node as dirty, so it will get cleaned * up later. */ if ((header->rdh_ttl <= search->now - RBTDB_VIRTUAL) && (locktype == isc_rwlocktype_write || NODE_TRYUPGRADE(lock) == ISC_R_SUCCESS)) { /* * We update the node's status only * when we can get write access. */ locktype = isc_rwlocktype_write; if (dns_rbtnode_refcurrent(node) == 0) { isc_mem_t *m; m = search->rbtdb->common.mctx; clean_stale_headers( search->rbtdb, m, header); if (header_prev != NULL) header_prev->next = header->next; else node->data = header->next; free_rdataset(rbtdb, m, header); } else { header->attributes |= RDATASET_ATTR_STALE; node->dirty = 1; header_prev = header; } } else header_prev = header; } else if (EXISTS(header)) { /* * We've found an extant rdataset. See if * we're interested in it. */ if (header->type == dns_rdatatype_ns) { found = header; if (foundsig != NULL) break; } else if (header->type == RBTDB_RDATATYPE_SIGNS) { foundsig = header; if (found != NULL) break; } header_prev = header; } else header_prev = header; } if (found != NULL) { /* * If we have to set foundname, we do it before * anything else. If we were to set foundname after * we had set nodep or bound the rdataset, then we'd * have to undo that work if dns_name_concatenate() * failed. By setting foundname first, there's * nothing to undo if we have trouble. */ if (foundname != NULL) { dns_name_init(&name, NULL); dns_rbt_namefromnode(node, &name); result = dns_name_copy(&name, foundname, NULL); while (result == ISC_R_SUCCESS && i > 0) { i--; level_node = search->chain.levels[i]; dns_name_init(&name, NULL); dns_rbt_namefromnode(level_node, &name); result = dns_name_concatenate(foundname, &name, foundname, NULL); } if (result != ISC_R_SUCCESS) { *nodep = NULL; goto node_exit; } } result = DNS_R_DELEGATION; if (nodep != NULL) { new_reference(search->rbtdb, node); *nodep = node; } bind_rdataset(search->rbtdb, node, found, search->now, rdataset); if (foundsig != NULL) bind_rdataset(search->rbtdb, node, foundsig, search->now, sigrdataset); if (need_headerupdate(found, search->now) || (foundsig != NULL && need_headerupdate(foundsig, search->now))) { if (locktype != isc_rwlocktype_write) { NODE_UNLOCK(lock, locktype); NODE_LOCK(lock, isc_rwlocktype_write); locktype = isc_rwlocktype_write; } if (need_headerupdate(found, search->now)) update_header(search->rbtdb, found, search->now); if (foundsig != NULL && need_headerupdate(foundsig, search->now)) { update_header(search->rbtdb, foundsig, search->now); } } } node_exit: NODE_UNLOCK(lock, locktype); if (found == NULL && i > 0) { i--; node = search->chain.levels[i]; } else done = ISC_TRUE; } while (!done); return (result); } static isc_result_t find_coveringnsec(rbtdb_search_t *search, dns_dbnode_t **nodep, isc_stdtime_t now, dns_name_t *foundname, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { dns_rbtnode_t *node; rdatasetheader_t *header, *header_next, *header_prev; rdatasetheader_t *found, *foundsig; isc_boolean_t empty_node; isc_result_t result; dns_fixedname_t fname, forigin; dns_name_t *name, *origin; rbtdb_rdatatype_t matchtype, sigmatchtype; nodelock_t *lock; isc_rwlocktype_t locktype; matchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_nsec, 0); sigmatchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec); do { node = NULL; dns_fixedname_init(&fname); name = dns_fixedname_name(&fname); dns_fixedname_init(&forigin); origin = dns_fixedname_name(&forigin); result = dns_rbtnodechain_current(&search->chain, name, origin, &node); if (result != ISC_R_SUCCESS) return (result); locktype = isc_rwlocktype_read; lock = &(search->rbtdb->node_locks[node->locknum].lock); NODE_LOCK(lock, locktype); found = NULL; foundsig = NULL; empty_node = ISC_TRUE; header_prev = NULL; for (header = node->data; header != NULL; header = header_next) { header_next = header->next; if (header->rdh_ttl <= now) { /* * This rdataset is stale. If no one else is * using the node, we can clean it up right * now, otherwise we mark it as stale, and the * node as dirty, so it will get cleaned up * later. */ if ((header->rdh_ttl <= now - RBTDB_VIRTUAL) && (locktype == isc_rwlocktype_write || NODE_TRYUPGRADE(lock) == ISC_R_SUCCESS)) { /* * We update the node's status only * when we can get write access. */ locktype = isc_rwlocktype_write; if (dns_rbtnode_refcurrent(node) == 0) { isc_mem_t *m; m = search->rbtdb->common.mctx; clean_stale_headers( search->rbtdb, m, header); if (header_prev != NULL) header_prev->next = header->next; else node->data = header->next; free_rdataset(search->rbtdb, m, header); } else { header->attributes |= RDATASET_ATTR_STALE; node->dirty = 1; header_prev = header; } } else header_prev = header; continue; } if (NONEXISTENT(header) || RBTDB_RDATATYPE_BASE(header->type) == 0) { header_prev = header; continue; } empty_node = ISC_FALSE; if (header->type == matchtype) found = header; else if (header->type == sigmatchtype) foundsig = header; header_prev = header; } if (found != NULL) { result = dns_name_concatenate(name, origin, foundname, NULL); if (result != ISC_R_SUCCESS) goto unlock_node; bind_rdataset(search->rbtdb, node, found, now, rdataset); if (foundsig != NULL) bind_rdataset(search->rbtdb, node, foundsig, now, sigrdataset); new_reference(search->rbtdb, node); *nodep = node; result = DNS_R_COVERINGNSEC; } else if (!empty_node) { result = ISC_R_NOTFOUND; } else result = dns_rbtnodechain_prev(&search->chain, NULL, NULL); unlock_node: NODE_UNLOCK(lock, locktype); } while (empty_node && result == ISC_R_SUCCESS); return (result); } static isc_result_t cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, dns_rdatatype_t type, unsigned int options, isc_stdtime_t now, dns_dbnode_t **nodep, dns_name_t *foundname, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { dns_rbtnode_t *node = NULL; isc_result_t result; rbtdb_search_t search; isc_boolean_t cname_ok = ISC_TRUE; isc_boolean_t empty_node; nodelock_t *lock; isc_rwlocktype_t locktype; rdatasetheader_t *header, *header_prev, *header_next; rdatasetheader_t *found, *nsheader; rdatasetheader_t *foundsig, *nssig, *cnamesig; rdatasetheader_t *update, *updatesig; rbtdb_rdatatype_t sigtype, negtype; UNUSED(version); search.rbtdb = (dns_rbtdb_t *)db; REQUIRE(VALID_RBTDB(search.rbtdb)); REQUIRE(version == NULL); if (now == 0) isc_stdtime_get(&now); search.rbtversion = NULL; search.serial = 1; search.options = options; search.copy_name = ISC_FALSE; search.need_cleanup = ISC_FALSE; search.wild = ISC_FALSE; search.zonecut = NULL; dns_fixedname_init(&search.zonecut_name); dns_rbtnodechain_init(&search.chain, search.rbtdb->common.mctx); search.now = now; update = NULL; updatesig = NULL; RWLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read); /* * Search down from the root of the tree. If, while going down, we * encounter a callback node, cache_zonecut_callback() will search the * rdatasets at the zone cut for a DNAME rdataset. */ result = dns_rbt_findnode(search.rbtdb->tree, name, foundname, &node, &search.chain, DNS_RBTFIND_EMPTYDATA, cache_zonecut_callback, &search); if (result == DNS_R_PARTIALMATCH) { if ((search.options & DNS_DBFIND_COVERINGNSEC) != 0) { result = find_coveringnsec(&search, nodep, now, foundname, rdataset, sigrdataset); if (result == DNS_R_COVERINGNSEC) goto tree_exit; } if (search.zonecut != NULL) { result = setup_delegation(&search, nodep, foundname, rdataset, sigrdataset); goto tree_exit; } else { find_ns: result = find_deepest_zonecut(&search, node, nodep, foundname, rdataset, sigrdataset); goto tree_exit; } } else if (result != ISC_R_SUCCESS) goto tree_exit; /* * Certain DNSSEC types are not subject to CNAME matching * (RFC4035, section 2.5 and RFC3007). * * We don't check for RRSIG, because we don't store RRSIG records * directly. */ if (type == dns_rdatatype_key || type == dns_rdatatype_nsec) cname_ok = ISC_FALSE; /* * We now go looking for rdata... */ lock = &(search.rbtdb->node_locks[node->locknum].lock); locktype = isc_rwlocktype_read; NODE_LOCK(lock, locktype); found = NULL; foundsig = NULL; sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type); negtype = RBTDB_RDATATYPE_VALUE(0, type); nsheader = NULL; nssig = NULL; cnamesig = NULL; empty_node = ISC_TRUE; header_prev = NULL; for (header = node->data; header != NULL; header = header_next) { header_next = header->next; if (header->rdh_ttl <= now) { /* * This rdataset is stale. If no one else is using the * node, we can clean it up right now, otherwise we * mark it as stale, and the node as dirty, so it will * get cleaned up later. */ if ((header->rdh_ttl <= now - RBTDB_VIRTUAL) && (locktype == isc_rwlocktype_write || NODE_TRYUPGRADE(lock) == ISC_R_SUCCESS)) { /* * We update the node's status only when we * can get write access. */ locktype = isc_rwlocktype_write; if (dns_rbtnode_refcurrent(node) == 0) { isc_mem_t *mctx; mctx = search.rbtdb->common.mctx; clean_stale_headers(search.rbtdb, mctx, header); if (header_prev != NULL) header_prev->next = header->next; else node->data = header->next; free_rdataset(search.rbtdb, mctx, header); } else { header->attributes |= RDATASET_ATTR_STALE; node->dirty = 1; header_prev = header; } } else header_prev = header; } else if (EXISTS(header)) { /* * We now know that there is at least one active * non-stale rdataset at this node. */ empty_node = ISC_FALSE; /* * If we found a type we were looking for, remember * it. */ if (header->type == type || (type == dns_rdatatype_any && RBTDB_RDATATYPE_BASE(header->type) != 0) || (cname_ok && header->type == dns_rdatatype_cname)) { /* * We've found the answer. */ found = header; if (header->type == dns_rdatatype_cname && cname_ok && cnamesig != NULL) { /* * If we've already got the CNAME RRSIG, * use it, otherwise change sigtype * so that we find it. */ if (cnamesig != NULL) foundsig = cnamesig; else sigtype = RBTDB_RDATATYPE_SIGCNAME; foundsig = cnamesig; } } else if (header->type == sigtype) { /* * We've found the RRSIG rdataset for our * target type. Remember it. */ foundsig = header; } else if (header->type == RBTDB_RDATATYPE_NCACHEANY || header->type == negtype) { /* * We've found a negative cache entry. */ found = header; } else if (header->type == dns_rdatatype_ns) { /* * Remember a NS rdataset even if we're * not specifically looking for it, because * we might need it later. */ nsheader = header; } else if (header->type == RBTDB_RDATATYPE_SIGNS) { /* * If we need the NS rdataset, we'll also * need its signature. */ nssig = header; } else if (cname_ok && header->type == RBTDB_RDATATYPE_SIGCNAME) { /* * If we get a CNAME match, we'll also need * its signature. */ cnamesig = header; } header_prev = header; } else header_prev = header; } if (empty_node) { /* * We have an exact match for the name, but there are no * extant rdatasets. That means that this node doesn't * meaningfully exist, and that we really have a partial match. */ NODE_UNLOCK(lock, locktype); goto find_ns; } /* * If we didn't find what we were looking for... */ if (found == NULL || (DNS_TRUST_ADDITIONAL(found->trust) && ((options & DNS_DBFIND_ADDITIONALOK) == 0)) || (found->trust == dns_trust_glue && ((options & DNS_DBFIND_GLUEOK) == 0)) || (DNS_TRUST_PENDING(found->trust) && ((options & DNS_DBFIND_PENDINGOK) == 0))) { /* * If there is an NS rdataset at this node, then this is the * deepest zone cut. */ if (nsheader != NULL) { if (nodep != NULL) { new_reference(search.rbtdb, node); INSIST(!ISC_LINK_LINKED(node, deadlink)); *nodep = node; } bind_rdataset(search.rbtdb, node, nsheader, search.now, rdataset); if (need_headerupdate(nsheader, search.now)) update = nsheader; if (nssig != NULL) { bind_rdataset(search.rbtdb, node, nssig, search.now, sigrdataset); if (need_headerupdate(nssig, search.now)) updatesig = nssig; } result = DNS_R_DELEGATION; goto node_exit; } /* * Go find the deepest zone cut. */ NODE_UNLOCK(lock, locktype); goto find_ns; } /* * We found what we were looking for, or we found a CNAME. */ if (nodep != NULL) { new_reference(search.rbtdb, node); INSIST(!ISC_LINK_LINKED(node, deadlink)); *nodep = node; } if (RBTDB_RDATATYPE_BASE(found->type) == 0) { /* * We found a negative cache entry. */ if (NXDOMAIN(found)) result = DNS_R_NCACHENXDOMAIN; else result = DNS_R_NCACHENXRRSET; } else if (type != found->type && type != dns_rdatatype_any && found->type == dns_rdatatype_cname) { /* * We weren't doing an ANY query and we found a CNAME instead * of the type we were looking for, so we need to indicate * that result to the caller. */ result = DNS_R_CNAME; } else { /* * An ordinary successful query! */ result = ISC_R_SUCCESS; } if (type != dns_rdatatype_any || result == DNS_R_NCACHENXDOMAIN || result == DNS_R_NCACHENXRRSET) { bind_rdataset(search.rbtdb, node, found, search.now, rdataset); if (need_headerupdate(found, search.now)) update = found; if (foundsig != NULL) { bind_rdataset(search.rbtdb, node, foundsig, search.now, sigrdataset); if (need_headerupdate(foundsig, search.now)) updatesig = foundsig; } } node_exit: if ((update != NULL || updatesig != NULL) && locktype != isc_rwlocktype_write) { NODE_UNLOCK(lock, locktype); NODE_LOCK(lock, isc_rwlocktype_write); locktype = isc_rwlocktype_write; } if (update != NULL && need_headerupdate(update, search.now)) update_header(search.rbtdb, update, search.now); if (updatesig != NULL && need_headerupdate(updatesig, search.now)) update_header(search.rbtdb, updatesig, search.now); NODE_UNLOCK(lock, locktype); tree_exit: RWUNLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read); /* * If we found a zonecut but aren't going to use it, we have to * let go of it. */ if (search.need_cleanup) { node = search.zonecut; lock = &(search.rbtdb->node_locks[node->locknum].lock); NODE_LOCK(lock, isc_rwlocktype_read); decrement_reference(search.rbtdb, node, 0, isc_rwlocktype_read, isc_rwlocktype_none, ISC_FALSE); NODE_UNLOCK(lock, isc_rwlocktype_read); } dns_rbtnodechain_reset(&search.chain); return (result); } static isc_result_t cache_findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options, isc_stdtime_t now, dns_dbnode_t **nodep, dns_name_t *foundname, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { dns_rbtnode_t *node = NULL; nodelock_t *lock; isc_result_t result; rbtdb_search_t search; rdatasetheader_t *header, *header_prev, *header_next; rdatasetheader_t *found, *foundsig; unsigned int rbtoptions = DNS_RBTFIND_EMPTYDATA; isc_rwlocktype_t locktype; search.rbtdb = (dns_rbtdb_t *)db; REQUIRE(VALID_RBTDB(search.rbtdb)); if (now == 0) isc_stdtime_get(&now); search.rbtversion = NULL; search.serial = 1; search.options = options; search.copy_name = ISC_FALSE; search.need_cleanup = ISC_FALSE; search.wild = ISC_FALSE; search.zonecut = NULL; dns_fixedname_init(&search.zonecut_name); dns_rbtnodechain_init(&search.chain, search.rbtdb->common.mctx); search.now = now; if ((options & DNS_DBFIND_NOEXACT) != 0) rbtoptions |= DNS_RBTFIND_NOEXACT; RWLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read); /* * Search down from the root of the tree. */ result = dns_rbt_findnode(search.rbtdb->tree, name, foundname, &node, &search.chain, rbtoptions, NULL, &search); if (result == DNS_R_PARTIALMATCH) { find_ns: result = find_deepest_zonecut(&search, node, nodep, foundname, rdataset, sigrdataset); goto tree_exit; } else if (result != ISC_R_SUCCESS) goto tree_exit; /* * We now go looking for an NS rdataset at the node. */ lock = &(search.rbtdb->node_locks[node->locknum].lock); locktype = isc_rwlocktype_read; NODE_LOCK(lock, locktype); found = NULL; foundsig = NULL; header_prev = NULL; for (header = node->data; header != NULL; header = header_next) { header_next = header->next; if (header->rdh_ttl <= now) { /* * This rdataset is stale. If no one else is using the * node, we can clean it up right now, otherwise we * mark it as stale, and the node as dirty, so it will * get cleaned up later. */ if ((header->rdh_ttl <= now - RBTDB_VIRTUAL) && (locktype == isc_rwlocktype_write || NODE_TRYUPGRADE(lock) == ISC_R_SUCCESS)) { /* * We update the node's status only when we * can get write access. */ locktype = isc_rwlocktype_write; if (dns_rbtnode_refcurrent(node) == 0) { isc_mem_t *mctx; mctx = search.rbtdb->common.mctx; clean_stale_headers(search.rbtdb, mctx, header); if (header_prev != NULL) header_prev->next = header->next; else node->data = header->next; free_rdataset(search.rbtdb, mctx, header); } else { header->attributes |= RDATASET_ATTR_STALE; node->dirty = 1; header_prev = header; } } else header_prev = header; } else if (EXISTS(header)) { /* * If we found a type we were looking for, remember * it. */ if (header->type == dns_rdatatype_ns) { /* * Remember a NS rdataset even if we're * not specifically looking for it, because * we might need it later. */ found = header; } else if (header->type == RBTDB_RDATATYPE_SIGNS) { /* * If we need the NS rdataset, we'll also * need its signature. */ foundsig = header; } header_prev = header; } else header_prev = header; } if (found == NULL) { /* * No NS records here. */ NODE_UNLOCK(lock, locktype); goto find_ns; } if (nodep != NULL) { new_reference(search.rbtdb, node); INSIST(!ISC_LINK_LINKED(node, deadlink)); *nodep = node; } bind_rdataset(search.rbtdb, node, found, search.now, rdataset); if (foundsig != NULL) bind_rdataset(search.rbtdb, node, foundsig, search.now, sigrdataset); if (need_headerupdate(found, search.now) || (foundsig != NULL && need_headerupdate(foundsig, search.now))) { if (locktype != isc_rwlocktype_write) { NODE_UNLOCK(lock, locktype); NODE_LOCK(lock, isc_rwlocktype_write); locktype = isc_rwlocktype_write; } if (need_headerupdate(found, search.now)) update_header(search.rbtdb, found, search.now); if (foundsig != NULL && need_headerupdate(foundsig, search.now)) { update_header(search.rbtdb, foundsig, search.now); } } NODE_UNLOCK(lock, locktype); tree_exit: RWUNLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read); INSIST(!search.need_cleanup); dns_rbtnodechain_reset(&search.chain); if (result == DNS_R_DELEGATION) result = ISC_R_SUCCESS; return (result); } static void attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; dns_rbtnode_t *node = (dns_rbtnode_t *)source; unsigned int refs; REQUIRE(VALID_RBTDB(rbtdb)); REQUIRE(targetp != NULL && *targetp == NULL); NODE_STRONGLOCK(&rbtdb->node_locks[node->locknum].lock); dns_rbtnode_refincrement(node, &refs); INSIST(refs != 0); NODE_STRONGUNLOCK(&rbtdb->node_locks[node->locknum].lock); *targetp = source; } static void detachnode(dns_db_t *db, dns_dbnode_t **targetp) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; dns_rbtnode_t *node; isc_boolean_t want_free = ISC_FALSE; isc_boolean_t inactive = ISC_FALSE; rbtdb_nodelock_t *nodelock; REQUIRE(VALID_RBTDB(rbtdb)); REQUIRE(targetp != NULL && *targetp != NULL); node = (dns_rbtnode_t *)(*targetp); nodelock = &rbtdb->node_locks[node->locknum]; NODE_LOCK(&nodelock->lock, isc_rwlocktype_read); if (decrement_reference(rbtdb, node, 0, isc_rwlocktype_read, isc_rwlocktype_none, ISC_FALSE)) { if (isc_refcount_current(&nodelock->references) == 0 && nodelock->exiting) { inactive = ISC_TRUE; } } NODE_UNLOCK(&nodelock->lock, isc_rwlocktype_read); *targetp = NULL; if (inactive) { RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write); rbtdb->active--; if (rbtdb->active == 0) want_free = ISC_TRUE; RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write); if (want_free) { char buf[DNS_NAME_FORMATSIZE]; if (dns_name_dynamic(&rbtdb->common.origin)) dns_name_format(&rbtdb->common.origin, buf, sizeof(buf)); else strcpy(buf, ""); isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1), "calling free_rbtdb(%s)", buf); free_rbtdb(rbtdb, ISC_TRUE, NULL); } } } static isc_result_t expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; dns_rbtnode_t *rbtnode = node; rdatasetheader_t *header; isc_boolean_t force_expire = ISC_FALSE; /* * These are the category and module used by the cache cleaner. */ isc_boolean_t log = ISC_FALSE; isc_logcategory_t *category = DNS_LOGCATEGORY_DATABASE; isc_logmodule_t *module = DNS_LOGMODULE_CACHE; int level = ISC_LOG_DEBUG(2); char printname[DNS_NAME_FORMATSIZE]; REQUIRE(VALID_RBTDB(rbtdb)); /* * Caller must hold a tree lock. */ if (now == 0) isc_stdtime_get(&now); if (rbtdb->overmem) { isc_uint32_t val; isc_random_get(&val); /* * XXXDCL Could stand to have a better policy, like LRU. */ force_expire = ISC_TF(rbtnode->down == NULL && val % 4 == 0); /* * Note that 'log' can be true IFF rbtdb->overmem is also true. * rbtdb->overmem can currently only be true for cache * databases -- hence all of the "overmem cache" log strings. */ log = ISC_TF(isc_log_wouldlog(dns_lctx, level)); if (log) isc_log_write(dns_lctx, category, module, level, "overmem cache: %s %s", force_expire ? "FORCE" : "check", dns_rbt_formatnodename(rbtnode, printname, sizeof(printname))); } /* * We may not need write access, but this code path is not performance * sensitive, so it should be okay to always lock as a writer. */ NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock, isc_rwlocktype_write); for (header = rbtnode->data; header != NULL; header = header->next) if (header->rdh_ttl <= now - RBTDB_VIRTUAL) { /* * We don't check if refcurrent(rbtnode) == 0 and try * to free like we do in cache_find(), because * refcurrent(rbtnode) must be non-zero. This is so * because 'node' is an argument to the function. */ header->attributes |= RDATASET_ATTR_STALE; rbtnode->dirty = 1; if (log) isc_log_write(dns_lctx, category, module, level, "overmem cache: stale %s", printname); } else if (force_expire) { if (! RETAIN(header)) { set_ttl(rbtdb, header, 0); header->attributes |= RDATASET_ATTR_STALE; rbtnode->dirty = 1; } else if (log) { isc_log_write(dns_lctx, category, module, level, "overmem cache: " "reprieve by RETAIN() %s", printname); } } else if (rbtdb->overmem && log) isc_log_write(dns_lctx, category, module, level, "overmem cache: saved %s", printname); NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock, isc_rwlocktype_write); return (ISC_R_SUCCESS); } static void overmem(dns_db_t *db, isc_boolean_t overmem) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; if (IS_CACHE(rbtdb)) rbtdb->overmem = overmem; } static void printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; dns_rbtnode_t *rbtnode = node; isc_boolean_t first; REQUIRE(VALID_RBTDB(rbtdb)); NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock, isc_rwlocktype_read); fprintf(out, "node %p, %u references, locknum = %u\n", rbtnode, dns_rbtnode_refcurrent(rbtnode), rbtnode->locknum); if (rbtnode->data != NULL) { rdatasetheader_t *current, *top_next; for (current = rbtnode->data; current != NULL; current = top_next) { top_next = current->next; first = ISC_TRUE; fprintf(out, "\ttype %u", current->type); do { if (!first) fprintf(out, "\t"); first = ISC_FALSE; fprintf(out, "\tserial = %lu, ttl = %u, " "trust = %u, attributes = %u, " "resign = %u\n", (unsigned long)current->serial, current->rdh_ttl, current->trust, current->attributes, current->resign); current = current->down; } while (current != NULL); } } else fprintf(out, "(empty)\n"); NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock, isc_rwlocktype_read); } static isc_result_t createiterator(dns_db_t *db, unsigned int options, dns_dbiterator_t **iteratorp) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; rbtdb_dbiterator_t *rbtdbiter; REQUIRE(VALID_RBTDB(rbtdb)); rbtdbiter = isc_mem_get(rbtdb->common.mctx, sizeof(*rbtdbiter)); if (rbtdbiter == NULL) return (ISC_R_NOMEMORY); rbtdbiter->common.methods = &dbiterator_methods; rbtdbiter->common.db = NULL; dns_db_attach(db, &rbtdbiter->common.db); rbtdbiter->common.relative_names = ISC_TF((options & DNS_DB_RELATIVENAMES) != 0); rbtdbiter->common.magic = DNS_DBITERATOR_MAGIC; rbtdbiter->common.cleaning = ISC_FALSE; rbtdbiter->paused = ISC_TRUE; rbtdbiter->tree_locked = isc_rwlocktype_none; rbtdbiter->result = ISC_R_SUCCESS; dns_fixedname_init(&rbtdbiter->name); dns_fixedname_init(&rbtdbiter->origin); rbtdbiter->node = NULL; rbtdbiter->delete = 0; rbtdbiter->nsec3only = ISC_TF((options & DNS_DB_NSEC3ONLY) != 0); rbtdbiter->nonsec3 = ISC_TF((options & DNS_DB_NONSEC3) != 0); memset(rbtdbiter->deletions, 0, sizeof(rbtdbiter->deletions)); dns_rbtnodechain_init(&rbtdbiter->chain, db->mctx); dns_rbtnodechain_init(&rbtdbiter->nsec3chain, db->mctx); if (rbtdbiter->nsec3only) rbtdbiter->current = &rbtdbiter->nsec3chain; else rbtdbiter->current = &rbtdbiter->chain; *iteratorp = (dns_dbiterator_t *)rbtdbiter; return (ISC_R_SUCCESS); } static isc_result_t zone_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, dns_rdatatype_t type, dns_rdatatype_t covers, isc_stdtime_t now, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node; rdatasetheader_t *header, *header_next, *found, *foundsig; rbtdb_serial_t serial; rbtdb_version_t *rbtversion = version; isc_boolean_t close_version = ISC_FALSE; rbtdb_rdatatype_t matchtype, sigmatchtype; REQUIRE(VALID_RBTDB(rbtdb)); REQUIRE(type != dns_rdatatype_any); if (rbtversion == NULL) { currentversion(db, (dns_dbversion_t **) (void *)(&rbtversion)); close_version = ISC_TRUE; } serial = rbtversion->serial; now = 0; NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock, isc_rwlocktype_read); found = NULL; foundsig = NULL; matchtype = RBTDB_RDATATYPE_VALUE(type, covers); if (covers == 0) sigmatchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type); else sigmatchtype = 0; for (header = rbtnode->data; header != NULL; header = header_next) { header_next = header->next; do { if (header->serial <= serial && !IGNORE(header)) { /* * Is this a "this rdataset doesn't * exist" record? */ if (NONEXISTENT(header)) header = NULL; break; } else header = header->down; } while (header != NULL); if (header != NULL) { /* * We have an active, extant rdataset. If it's a * type we're looking for, remember it. */ if (header->type == matchtype) { found = header; if (foundsig != NULL) break; } else if (header->type == sigmatchtype) { foundsig = header; if (found != NULL) break; } } } if (found != NULL) { bind_rdataset(rbtdb, rbtnode, found, now, rdataset); if (foundsig != NULL) bind_rdataset(rbtdb, rbtnode, foundsig, now, sigrdataset); } NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock, isc_rwlocktype_read); if (close_version) closeversion(db, (dns_dbversion_t **) (void *)(&rbtversion), ISC_FALSE); if (found == NULL) return (ISC_R_NOTFOUND); return (ISC_R_SUCCESS); } static isc_result_t cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, dns_rdatatype_t type, dns_rdatatype_t covers, isc_stdtime_t now, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node; rdatasetheader_t *header, *header_next, *found, *foundsig; rbtdb_rdatatype_t matchtype, sigmatchtype, negtype; isc_result_t result; nodelock_t *lock; isc_rwlocktype_t locktype; REQUIRE(VALID_RBTDB(rbtdb)); REQUIRE(type != dns_rdatatype_any); UNUSED(version); result = ISC_R_SUCCESS; if (now == 0) isc_stdtime_get(&now); lock = &rbtdb->node_locks[rbtnode->locknum].lock; locktype = isc_rwlocktype_read; NODE_LOCK(lock, locktype); found = NULL; foundsig = NULL; matchtype = RBTDB_RDATATYPE_VALUE(type, covers); negtype = RBTDB_RDATATYPE_VALUE(0, type); if (covers == 0) sigmatchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type); else sigmatchtype = 0; for (header = rbtnode->data; header != NULL; header = header_next) { header_next = header->next; if (header->rdh_ttl <= now) { if ((header->rdh_ttl <= now - RBTDB_VIRTUAL) && (locktype == isc_rwlocktype_write || NODE_TRYUPGRADE(lock) == ISC_R_SUCCESS)) { /* * We update the node's status only when we * can get write access. */ locktype = isc_rwlocktype_write; /* * We don't check if refcurrent(rbtnode) == 0 * and try to free like we do in cache_find(), * because refcurrent(rbtnode) must be * non-zero. This is so because 'node' is an * argument to the function. */ header->attributes |= RDATASET_ATTR_STALE; rbtnode->dirty = 1; } } else if (EXISTS(header)) { if (header->type == matchtype) found = header; else if (header->type == RBTDB_RDATATYPE_NCACHEANY || header->type == negtype) found = header; else if (header->type == sigmatchtype) foundsig = header; } } if (found != NULL) { bind_rdataset(rbtdb, rbtnode, found, now, rdataset); if (foundsig != NULL) bind_rdataset(rbtdb, rbtnode, foundsig, now, sigrdataset); } NODE_UNLOCK(lock, locktype); if (found == NULL) return (ISC_R_NOTFOUND); if (RBTDB_RDATATYPE_BASE(found->type) == 0) { /* * We found a negative cache entry. */ if (NXDOMAIN(found)) result = DNS_R_NCACHENXDOMAIN; else result = DNS_R_NCACHENXRRSET; } return (result); } static isc_result_t allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, isc_stdtime_t now, dns_rdatasetiter_t **iteratorp) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node; rbtdb_version_t *rbtversion = version; rbtdb_rdatasetiter_t *iterator; unsigned int refs; REQUIRE(VALID_RBTDB(rbtdb)); iterator = isc_mem_get(rbtdb->common.mctx, sizeof(*iterator)); if (iterator == NULL) return (ISC_R_NOMEMORY); if ((db->attributes & DNS_DBATTR_CACHE) == 0) { now = 0; if (rbtversion == NULL) currentversion(db, (dns_dbversion_t **) (void *)(&rbtversion)); else { unsigned int refs; isc_refcount_increment(&rbtversion->references, &refs); INSIST(refs > 1); } } else { if (now == 0) isc_stdtime_get(&now); rbtversion = NULL; } iterator->common.magic = DNS_RDATASETITER_MAGIC; iterator->common.methods = &rdatasetiter_methods; iterator->common.db = db; iterator->common.node = node; iterator->common.version = (dns_dbversion_t *)rbtversion; iterator->common.now = now; NODE_STRONGLOCK(&rbtdb->node_locks[rbtnode->locknum].lock); dns_rbtnode_refincrement(rbtnode, &refs); INSIST(refs != 0); iterator->current = NULL; NODE_STRONGUNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock); *iteratorp = (dns_rdatasetiter_t *)iterator; return (ISC_R_SUCCESS); } static isc_boolean_t cname_and_other_data(dns_rbtnode_t *node, rbtdb_serial_t serial) { rdatasetheader_t *header, *header_next; isc_boolean_t cname, other_data; dns_rdatatype_t rdtype; /* * The caller must hold the node lock. */ /* * Look for CNAME and "other data" rdatasets active in our version. */ cname = ISC_FALSE; other_data = ISC_FALSE; for (header = node->data; header != NULL; header = header_next) { header_next = header->next; if (header->type == dns_rdatatype_cname) { /* * Look for an active extant CNAME. */ do { if (header->serial <= serial && !IGNORE(header)) { /* * Is this a "this rdataset doesn't * exist" record? */ if (NONEXISTENT(header)) header = NULL; break; } else header = header->down; } while (header != NULL); if (header != NULL) cname = ISC_TRUE; } else { /* * Look for active extant "other data". * * "Other data" is any rdataset whose type is not * KEY, NSEC, SIG or RRSIG. */ rdtype = RBTDB_RDATATYPE_BASE(header->type); if (rdtype != dns_rdatatype_key && rdtype != dns_rdatatype_sig && rdtype != dns_rdatatype_nsec && rdtype != dns_rdatatype_rrsig) { /* * Is it active and extant? */ do { if (header->serial <= serial && !IGNORE(header)) { /* * Is this a "this rdataset * doesn't exist" record? */ if (NONEXISTENT(header)) header = NULL; break; } else header = header->down; } while (header != NULL); if (header != NULL) other_data = ISC_TRUE; } } } if (cname && other_data) return (ISC_TRUE); return (ISC_FALSE); } static isc_result_t resign_insert(dns_rbtdb_t *rbtdb, int idx, rdatasetheader_t *newheader) { isc_result_t result; INSIST(!IS_CACHE(rbtdb)); INSIST(newheader->heap_index == 0); INSIST(!ISC_LINK_LINKED(newheader, link)); result = isc_heap_insert(rbtdb->heaps[idx], newheader); return (result); } static isc_result_t add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, rdatasetheader_t *newheader, unsigned int options, isc_boolean_t loading, dns_rdataset_t *addedrdataset, isc_stdtime_t now) { rbtdb_changed_t *changed = NULL; rdatasetheader_t *topheader, *topheader_prev, *header; unsigned char *merged; isc_result_t result; isc_boolean_t header_nx; isc_boolean_t newheader_nx; isc_boolean_t merge; dns_rdatatype_t rdtype, covers; rbtdb_rdatatype_t negtype; dns_trust_t trust; int idx; /* * Add an rdatasetheader_t to a node. */ /* * Caller must be holding the node lock. */ if ((options & DNS_DBADD_MERGE) != 0) { REQUIRE(rbtversion != NULL); merge = ISC_TRUE; } else merge = ISC_FALSE; if ((options & DNS_DBADD_FORCE) != 0) trust = dns_trust_ultimate; else trust = newheader->trust; if (rbtversion != NULL && !loading) { /* * We always add a changed record, even if no changes end up * being made to this node, because it's harmless and * simplifies the code. */ changed = add_changed(rbtdb, rbtversion, rbtnode); if (changed == NULL) { free_rdataset(rbtdb, rbtdb->common.mctx, newheader); return (ISC_R_NOMEMORY); } } newheader_nx = NONEXISTENT(newheader) ? ISC_TRUE : ISC_FALSE; topheader_prev = NULL; negtype = 0; if (rbtversion == NULL && !newheader_nx) { rdtype = RBTDB_RDATATYPE_BASE(newheader->type); if (rdtype == 0) { /* * We're adding a negative cache entry. */ covers = RBTDB_RDATATYPE_EXT(newheader->type); if (covers == dns_rdatatype_any) { /* * We're adding an negative cache entry * which covers all types (NXDOMAIN, * NODATA(QTYPE=ANY)). * * We make all other data stale so that the * only rdataset that can be found at this * node is the negative cache entry. */ for (topheader = rbtnode->data; topheader != NULL; topheader = topheader->next) { set_ttl(rbtdb, topheader, 0); topheader->attributes |= RDATASET_ATTR_STALE; } rbtnode->dirty = 1; goto find_header; } negtype = RBTDB_RDATATYPE_VALUE(covers, 0); } else { /* * We're adding something that isn't a * negative cache entry. Look for an extant * non-stale NXDOMAIN/NODATA(QTYPE=ANY) negative * cache entry. */ for (topheader = rbtnode->data; topheader != NULL; topheader = topheader->next) { if (topheader->type == RBTDB_RDATATYPE_NCACHEANY) break; } if (topheader != NULL && EXISTS(topheader) && topheader->rdh_ttl > now) { /* * Found one. */ if (trust < topheader->trust) { /* * The NXDOMAIN/NODATA(QTYPE=ANY) * is more trusted. */ free_rdataset(rbtdb, rbtdb->common.mctx, newheader); if (addedrdataset != NULL) bind_rdataset(rbtdb, rbtnode, topheader, now, addedrdataset); return (DNS_R_UNCHANGED); } /* * The new rdataset is better. Expire the * NXDOMAIN/NODATA(QTYPE=ANY). */ set_ttl(rbtdb, topheader, 0); topheader->attributes |= RDATASET_ATTR_STALE; rbtnode->dirty = 1; topheader = NULL; goto find_header; } negtype = RBTDB_RDATATYPE_VALUE(0, rdtype); } } for (topheader = rbtnode->data; topheader != NULL; topheader = topheader->next) { if (topheader->type == newheader->type || topheader->type == negtype) break; topheader_prev = topheader; } find_header: /* * If header isn't NULL, we've found the right type. There may be * IGNORE rdatasets between the top of the chain and the first real * data. We skip over them. */ header = topheader; while (header != NULL && IGNORE(header)) header = header->down; if (header != NULL) { header_nx = NONEXISTENT(header) ? ISC_TRUE : ISC_FALSE; /* * Deleting an already non-existent rdataset has no effect. */ if (header_nx && newheader_nx) { free_rdataset(rbtdb, rbtdb->common.mctx, newheader); return (DNS_R_UNCHANGED); } /* * Trying to add an rdataset with lower trust to a cache DB * has no effect, provided that the cache data isn't stale. */ if (rbtversion == NULL && trust < header->trust && (header->rdh_ttl > now || header_nx)) { free_rdataset(rbtdb, rbtdb->common.mctx, newheader); if (addedrdataset != NULL) bind_rdataset(rbtdb, rbtnode, header, now, addedrdataset); return (DNS_R_UNCHANGED); } /* * Don't merge if a nonexistent rdataset is involved. */ if (merge && (header_nx || newheader_nx)) merge = ISC_FALSE; /* * If 'merge' is ISC_TRUE, we'll try to create a new rdataset * that is the union of 'newheader' and 'header'. */ if (merge) { unsigned int flags = 0; INSIST(rbtversion->serial >= header->serial); merged = NULL; result = ISC_R_SUCCESS; if ((options & DNS_DBADD_EXACT) != 0) flags |= DNS_RDATASLAB_EXACT; if ((options & DNS_DBADD_EXACTTTL) != 0 && newheader->rdh_ttl != header->rdh_ttl) result = DNS_R_NOTEXACT; else if (newheader->rdh_ttl != header->rdh_ttl) flags |= DNS_RDATASLAB_FORCE; if (result == ISC_R_SUCCESS) result = dns_rdataslab_merge( (unsigned char *)header, (unsigned char *)newheader, (unsigned int)(sizeof(*newheader)), rbtdb->common.mctx, rbtdb->common.rdclass, (dns_rdatatype_t)header->type, flags, &merged); if (result == ISC_R_SUCCESS) { /* * If 'header' has the same serial number as * we do, we could clean it up now if we knew * that our caller had no references to it. * We don't know this, however, so we leave it * alone. It will get cleaned up when * clean_zone_node() runs. */ free_rdataset(rbtdb, rbtdb->common.mctx, newheader); newheader = (rdatasetheader_t *)merged; if (loading && RESIGN(newheader) && RESIGN(header) && header->resign < newheader->resign) newheader->resign = header->resign; } else { free_rdataset(rbtdb, rbtdb->common.mctx, newheader); return (result); } } /* * Don't replace existing NS, A and AAAA RRsets * in the cache if they are already exist. This * prevents named being locked to old servers. * Don't lower trust of existing record if the * update is forced. */ if (IS_CACHE(rbtdb) && header->rdh_ttl > now && header->type == dns_rdatatype_ns && !header_nx && !newheader_nx && header->trust >= newheader->trust && dns_rdataslab_equalx((unsigned char *)header, (unsigned char *)newheader, (unsigned int)(sizeof(*newheader)), rbtdb->common.rdclass, (dns_rdatatype_t)header->type)) { /* * Honour the new ttl if it is less than the * older one. */ if (header->rdh_ttl > newheader->rdh_ttl) set_ttl(rbtdb, header, newheader->rdh_ttl); if (header->noqname == NULL && newheader->noqname != NULL) { header->noqname = newheader->noqname; newheader->noqname = NULL; } if (header->closest == NULL && newheader->closest != NULL) { header->closest = newheader->closest; newheader->closest = NULL; } free_rdataset(rbtdb, rbtdb->common.mctx, newheader); if (addedrdataset != NULL) bind_rdataset(rbtdb, rbtnode, header, now, addedrdataset); return (ISC_R_SUCCESS); } if (IS_CACHE(rbtdb) && header->rdh_ttl > now && (header->type == dns_rdatatype_a || header->type == dns_rdatatype_aaaa) && !header_nx && !newheader_nx && header->trust >= newheader->trust && dns_rdataslab_equal((unsigned char *)header, (unsigned char *)newheader, (unsigned int)(sizeof(*newheader)))) { /* * Honour the new ttl if it is less than the * older one. */ if (header->rdh_ttl > newheader->rdh_ttl) set_ttl(rbtdb, header, newheader->rdh_ttl); if (header->noqname == NULL && newheader->noqname != NULL) { header->noqname = newheader->noqname; newheader->noqname = NULL; } if (header->closest == NULL && newheader->closest != NULL) { header->closest = newheader->closest; newheader->closest = NULL; } free_rdataset(rbtdb, rbtdb->common.mctx, newheader); if (addedrdataset != NULL) bind_rdataset(rbtdb, rbtnode, header, now, addedrdataset); return (ISC_R_SUCCESS); } INSIST(rbtversion == NULL || rbtversion->serial >= topheader->serial); if (topheader_prev != NULL) topheader_prev->next = newheader; else rbtnode->data = newheader; newheader->next = topheader->next; if (loading) { /* * There are no other references to 'header' when * loading, so we MAY clean up 'header' now. * Since we don't generate changed records when * loading, we MUST clean up 'header' now. */ newheader->down = NULL; free_rdataset(rbtdb, rbtdb->common.mctx, header); } else { newheader->down = topheader; topheader->next = newheader; rbtnode->dirty = 1; if (changed != NULL) changed->dirty = ISC_TRUE; if (rbtversion == NULL) { set_ttl(rbtdb, header, 0); header->attributes |= RDATASET_ATTR_STALE; } idx = newheader->node->locknum; if (IS_CACHE(rbtdb)) { ISC_LIST_PREPEND(rbtdb->rdatasets[idx], newheader, link); /* * XXXMLG We don't check the return value * here. If it fails, we will not do TTL * based expiry on this node. However, we * will do it on the LRU side, so memory * will not leak... for long. */ isc_heap_insert(rbtdb->heaps[idx], newheader); } else if (RESIGN(newheader)) resign_insert(rbtdb, idx, newheader); } } else { /* * No non-IGNORED rdatasets of the given type exist at * this node. */ /* * If we're trying to delete the type, don't bother. */ if (newheader_nx) { free_rdataset(rbtdb, rbtdb->common.mctx, newheader); return (DNS_R_UNCHANGED); } if (topheader != NULL) { /* * We have an list of rdatasets of the given type, * but they're all marked IGNORE. We simply insert * the new rdataset at the head of the list. * * Ignored rdatasets cannot occur during loading, so * we INSIST on it. */ INSIST(!loading); INSIST(rbtversion == NULL || rbtversion->serial >= topheader->serial); if (topheader_prev != NULL) topheader_prev->next = newheader; else rbtnode->data = newheader; newheader->next = topheader->next; newheader->down = topheader; topheader->next = newheader; rbtnode->dirty = 1; if (changed != NULL) changed->dirty = ISC_TRUE; } else { /* * No rdatasets of the given type exist at the node. */ newheader->next = rbtnode->data; newheader->down = NULL; rbtnode->data = newheader; } idx = newheader->node->locknum; if (IS_CACHE(rbtdb)) { ISC_LIST_PREPEND(rbtdb->rdatasets[idx], newheader, link); isc_heap_insert(rbtdb->heaps[idx], newheader); } else if (RESIGN(newheader)) { resign_insert(rbtdb, idx, newheader); } } /* * Check if the node now contains CNAME and other data. */ if (rbtversion != NULL && cname_and_other_data(rbtnode, rbtversion->serial)) return (DNS_R_CNAMEANDOTHER); if (addedrdataset != NULL) bind_rdataset(rbtdb, rbtnode, newheader, now, addedrdataset); return (ISC_R_SUCCESS); } static inline isc_boolean_t delegating_type(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, rbtdb_rdatatype_t type) { if (IS_CACHE(rbtdb)) { if (type == dns_rdatatype_dname) return (ISC_TRUE); else return (ISC_FALSE); } else if (type == dns_rdatatype_dname || (type == dns_rdatatype_ns && (node != rbtdb->origin_node || IS_STUB(rbtdb)))) return (ISC_TRUE); return (ISC_FALSE); } static inline isc_result_t addnoqname(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader, dns_rdataset_t *rdataset) { struct noqname *noqname; isc_mem_t *mctx = rbtdb->common.mctx; dns_name_t name; dns_rdataset_t neg, negsig; isc_result_t result; isc_region_t r; dns_name_init(&name, NULL); dns_rdataset_init(&neg); dns_rdataset_init(&negsig); result = dns_rdataset_getnoqname(rdataset, &name, &neg, &negsig); RUNTIME_CHECK(result == ISC_R_SUCCESS); noqname = isc_mem_get(mctx, sizeof(*noqname)); if (noqname == NULL) { result = ISC_R_NOMEMORY; goto cleanup; } dns_name_init(&noqname->name, NULL); noqname->neg = NULL; noqname->negsig = NULL; noqname->type = neg.type; result = dns_name_dup(&name, mctx, &noqname->name); if (result != ISC_R_SUCCESS) goto cleanup; result = dns_rdataslab_fromrdataset(&neg, mctx, &r, 0); if (result != ISC_R_SUCCESS) goto cleanup; noqname->neg = r.base; result = dns_rdataslab_fromrdataset(&negsig, mctx, &r, 0); if (result != ISC_R_SUCCESS) goto cleanup; noqname->negsig = r.base; dns_rdataset_disassociate(&neg); dns_rdataset_disassociate(&negsig); newheader->noqname = noqname; return (ISC_R_SUCCESS); cleanup: dns_rdataset_disassociate(&neg); dns_rdataset_disassociate(&negsig); free_noqname(mctx, &noqname); return(result); } static inline isc_result_t addclosest(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader, dns_rdataset_t *rdataset) { struct noqname *closest; isc_mem_t *mctx = rbtdb->common.mctx; dns_name_t name; dns_rdataset_t neg, negsig; isc_result_t result; isc_region_t r; dns_name_init(&name, NULL); dns_rdataset_init(&neg); dns_rdataset_init(&negsig); result = dns_rdataset_getclosest(rdataset, &name, &neg, &negsig); RUNTIME_CHECK(result == ISC_R_SUCCESS); closest = isc_mem_get(mctx, sizeof(*closest)); if (closest == NULL) { result = ISC_R_NOMEMORY; goto cleanup; } dns_name_init(&closest->name, NULL); closest->neg = NULL; closest->negsig = NULL; closest->type = neg.type; result = dns_name_dup(&name, mctx, &closest->name); if (result != ISC_R_SUCCESS) goto cleanup; result = dns_rdataslab_fromrdataset(&neg, mctx, &r, 0); if (result != ISC_R_SUCCESS) goto cleanup; closest->neg = r.base; result = dns_rdataslab_fromrdataset(&negsig, mctx, &r, 0); if (result != ISC_R_SUCCESS) goto cleanup; closest->negsig = r.base; dns_rdataset_disassociate(&neg); dns_rdataset_disassociate(&negsig); newheader->closest = closest; return (ISC_R_SUCCESS); cleanup: dns_rdataset_disassociate(&neg); dns_rdataset_disassociate(&negsig); free_noqname(mctx, &closest); return(result); } static dns_dbmethods_t zone_methods; static isc_result_t addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options, dns_rdataset_t *addedrdataset) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node; rbtdb_version_t *rbtversion = version; isc_region_t region; rdatasetheader_t *newheader; rdatasetheader_t *header; isc_result_t result; isc_boolean_t delegating; isc_boolean_t tree_locked = ISC_FALSE; REQUIRE(VALID_RBTDB(rbtdb)); if (rbtdb->common.methods == &zone_methods) REQUIRE(((rbtnode->nsec3 && (rdataset->type == dns_rdatatype_nsec3 || rdataset->covers == dns_rdatatype_nsec3)) || (!rbtnode->nsec3 && rdataset->type != dns_rdatatype_nsec3 && rdataset->covers != dns_rdatatype_nsec3))); if (rbtversion == NULL) { if (now == 0) isc_stdtime_get(&now); } else now = 0; result = dns_rdataslab_fromrdataset(rdataset, rbtdb->common.mctx, ®ion, sizeof(rdatasetheader_t)); if (result != ISC_R_SUCCESS) return (result); newheader = (rdatasetheader_t *)region.base; init_rdataset(rbtdb, newheader); set_ttl(rbtdb, newheader, rdataset->ttl + now); newheader->type = RBTDB_RDATATYPE_VALUE(rdataset->type, rdataset->covers); newheader->attributes = 0; newheader->noqname = NULL; newheader->closest = NULL; newheader->count = init_count++; newheader->trust = rdataset->trust; newheader->additional_auth = NULL; newheader->additional_glue = NULL; newheader->last_used = now; newheader->node = rbtnode; if (rbtversion != NULL) { newheader->serial = rbtversion->serial; now = 0; if ((rdataset->attributes & DNS_RDATASETATTR_RESIGN) != 0) { newheader->attributes |= RDATASET_ATTR_RESIGN; newheader->resign = rdataset->resign; } else newheader->resign = 0; } else { newheader->serial = 1; newheader->resign = 0; if ((rdataset->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0) newheader->attributes |= RDATASET_ATTR_NXDOMAIN; if ((rdataset->attributes & DNS_RDATASETATTR_OPTOUT) != 0) newheader->attributes |= RDATASET_ATTR_OPTOUT; if ((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0) { result = addnoqname(rbtdb, newheader, rdataset); if (result != ISC_R_SUCCESS) { free_rdataset(rbtdb, rbtdb->common.mctx, newheader); return (result); } } if ((rdataset->attributes & DNS_RDATASETATTR_CLOSEST) != 0) { result = addclosest(rbtdb, newheader, rdataset); if (result != ISC_R_SUCCESS) { free_rdataset(rbtdb, rbtdb->common.mctx, newheader); return (result); } } } /* * If we're adding a delegation type (e.g. NS or DNAME for a zone, * just DNAME for the cache), then we need to set the callback bit * on the node. */ if (delegating_type(rbtdb, rbtnode, rdataset->type)) delegating = ISC_TRUE; else delegating = ISC_FALSE; /* * If we're adding a delegation type or the DB is a cache in an overmem * state, hold an exclusive lock on the tree. In the latter case * the lock does not necessarily have to be acquired but it will help * purge stale entries more effectively. */ if (delegating || (IS_CACHE(rbtdb) && rbtdb->overmem)) { tree_locked = ISC_TRUE; RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write); } if (IS_CACHE(rbtdb) && rbtdb->overmem) overmem_purge(rbtdb, rbtnode->locknum, now, tree_locked); NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock, isc_rwlocktype_write); if (rbtdb->rrsetstats != NULL) { newheader->attributes |= RDATASET_ATTR_STATCOUNT; update_rrsetstats(rbtdb, newheader, ISC_TRUE); } if (IS_CACHE(rbtdb)) { if (tree_locked) cleanup_dead_nodes(rbtdb, rbtnode->locknum); header = isc_heap_element(rbtdb->heaps[rbtnode->locknum], 1); if (header && header->rdh_ttl <= now - RBTDB_VIRTUAL) expire_header(rbtdb, header, tree_locked); /* * If we've been holding a write lock on the tree just for * cleaning, we can release it now. However, we still need the * node lock. */ if (tree_locked && !delegating) { RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write); tree_locked = ISC_FALSE; } } result = add(rbtdb, rbtnode, rbtversion, newheader, options, ISC_FALSE, addedrdataset, now); if (result == ISC_R_SUCCESS && delegating) rbtnode->find_callback = 1; NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock, isc_rwlocktype_write); if (tree_locked) RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write); /* * Update the zone's secure status. If version is non-NULL * this is deferred until closeversion() is called. */ if (result == ISC_R_SUCCESS && version == NULL && !IS_CACHE(rbtdb)) iszonesecure(db, version, rbtdb->origin_node); return (result); } static isc_result_t subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, dns_rdataset_t *rdataset, unsigned int options, dns_rdataset_t *newrdataset) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node; rbtdb_version_t *rbtversion = version; rdatasetheader_t *topheader, *topheader_prev, *header, *newheader; unsigned char *subresult; isc_region_t region; isc_result_t result; rbtdb_changed_t *changed; REQUIRE(VALID_RBTDB(rbtdb)); if (rbtdb->common.methods == &zone_methods) REQUIRE(((rbtnode->nsec3 && (rdataset->type == dns_rdatatype_nsec3 || rdataset->covers == dns_rdatatype_nsec3)) || (!rbtnode->nsec3 && rdataset->type != dns_rdatatype_nsec3 && rdataset->covers != dns_rdatatype_nsec3))); result = dns_rdataslab_fromrdataset(rdataset, rbtdb->common.mctx, ®ion, sizeof(rdatasetheader_t)); if (result != ISC_R_SUCCESS) return (result); newheader = (rdatasetheader_t *)region.base; init_rdataset(rbtdb, newheader); set_ttl(rbtdb, newheader, rdataset->ttl); newheader->type = RBTDB_RDATATYPE_VALUE(rdataset->type, rdataset->covers); newheader->attributes = 0; newheader->serial = rbtversion->serial; newheader->trust = 0; newheader->noqname = NULL; newheader->closest = NULL; newheader->count = init_count++; newheader->additional_auth = NULL; newheader->additional_glue = NULL; newheader->last_used = 0; newheader->node = rbtnode; if ((rdataset->attributes & DNS_RDATASETATTR_RESIGN) != 0) { newheader->attributes |= RDATASET_ATTR_RESIGN; newheader->resign = rdataset->resign; } else newheader->resign = 0; NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock, isc_rwlocktype_write); changed = add_changed(rbtdb, rbtversion, rbtnode); if (changed == NULL) { free_rdataset(rbtdb, rbtdb->common.mctx, newheader); NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock, isc_rwlocktype_write); return (ISC_R_NOMEMORY); } topheader_prev = NULL; for (topheader = rbtnode->data; topheader != NULL; topheader = topheader->next) { if (topheader->type == newheader->type) break; topheader_prev = topheader; } /* * If header isn't NULL, we've found the right type. There may be * IGNORE rdatasets between the top of the chain and the first real * data. We skip over them. */ header = topheader; while (header != NULL && IGNORE(header)) header = header->down; if (header != NULL && EXISTS(header)) { unsigned int flags = 0; subresult = NULL; result = ISC_R_SUCCESS; if ((options & DNS_DBSUB_EXACT) != 0) { flags |= DNS_RDATASLAB_EXACT; if (newheader->rdh_ttl != header->rdh_ttl) result = DNS_R_NOTEXACT; } if (result == ISC_R_SUCCESS) result = dns_rdataslab_subtract( (unsigned char *)header, (unsigned char *)newheader, (unsigned int)(sizeof(*newheader)), rbtdb->common.mctx, rbtdb->common.rdclass, (dns_rdatatype_t)header->type, flags, &subresult); if (result == ISC_R_SUCCESS) { free_rdataset(rbtdb, rbtdb->common.mctx, newheader); newheader = (rdatasetheader_t *)subresult; init_rdataset(rbtdb, newheader); /* * We have to set the serial since the rdataslab * subtraction routine copies the reserved portion of * header, not newheader. */ newheader->serial = rbtversion->serial; /* * XXXJT: dns_rdataslab_subtract() copied the pointers * to additional info. We need to clear these fields * to avoid having duplicated references. */ newheader->additional_auth = NULL; newheader->additional_glue = NULL; } else if (result == DNS_R_NXRRSET) { /* * This subtraction would remove all of the rdata; * add a nonexistent header instead. */ free_rdataset(rbtdb, rbtdb->common.mctx, newheader); newheader = new_rdataset(rbtdb, rbtdb->common.mctx); if (newheader == NULL) { result = ISC_R_NOMEMORY; goto unlock; } set_ttl(rbtdb, newheader, 0); newheader->type = topheader->type; newheader->attributes = RDATASET_ATTR_NONEXISTENT; newheader->trust = 0; newheader->serial = rbtversion->serial; newheader->noqname = NULL; newheader->closest = NULL; newheader->count = 0; newheader->additional_auth = NULL; newheader->additional_glue = NULL; newheader->node = rbtnode; newheader->resign = 0; newheader->last_used = 0; } else { free_rdataset(rbtdb, rbtdb->common.mctx, newheader); goto unlock; } /* * If we're here, we want to link newheader in front of * topheader. */ INSIST(rbtversion->serial >= topheader->serial); if (topheader_prev != NULL) topheader_prev->next = newheader; else rbtnode->data = newheader; newheader->next = topheader->next; newheader->down = topheader; topheader->next = newheader; rbtnode->dirty = 1; changed->dirty = ISC_TRUE; } else { /* * The rdataset doesn't exist, so we don't need to do anything * to satisfy the deletion request. */ free_rdataset(rbtdb, rbtdb->common.mctx, newheader); if ((options & DNS_DBSUB_EXACT) != 0) result = DNS_R_NOTEXACT; else result = DNS_R_UNCHANGED; } if (result == ISC_R_SUCCESS && newrdataset != NULL) bind_rdataset(rbtdb, rbtnode, newheader, 0, newrdataset); unlock: NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock, isc_rwlocktype_write); /* * Update the zone's secure status. If version is non-NULL * this is deferred until closeversion() is called. */ if (result == ISC_R_SUCCESS && version == NULL && !IS_CACHE(rbtdb)) iszonesecure(db, rbtdb->current_version, rbtdb->origin_node); return (result); } static isc_result_t deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, dns_rdatatype_t type, dns_rdatatype_t covers) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node; rbtdb_version_t *rbtversion = version; isc_result_t result; rdatasetheader_t *newheader; REQUIRE(VALID_RBTDB(rbtdb)); if (type == dns_rdatatype_any) return (ISC_R_NOTIMPLEMENTED); if (type == dns_rdatatype_rrsig && covers == 0) return (ISC_R_NOTIMPLEMENTED); newheader = new_rdataset(rbtdb, rbtdb->common.mctx); if (newheader == NULL) return (ISC_R_NOMEMORY); set_ttl(rbtdb, newheader, 0); newheader->type = RBTDB_RDATATYPE_VALUE(type, covers); newheader->attributes = RDATASET_ATTR_NONEXISTENT; newheader->trust = 0; newheader->noqname = NULL; newheader->closest = NULL; newheader->additional_auth = NULL; newheader->additional_glue = NULL; if (rbtversion != NULL) newheader->serial = rbtversion->serial; else newheader->serial = 0; newheader->count = 0; newheader->last_used = 0; newheader->node = rbtnode; NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock, isc_rwlocktype_write); result = add(rbtdb, rbtnode, rbtversion, newheader, DNS_DBADD_FORCE, ISC_FALSE, NULL, 0); NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock, isc_rwlocktype_write); /* * Update the zone's secure status. If version is non-NULL * this is deferred until closeversion() is called. */ if (result == ISC_R_SUCCESS && version == NULL && !IS_CACHE(rbtdb)) iszonesecure(db, rbtdb->current_version, rbtdb->origin_node); return (result); } static isc_result_t loading_addrdataset(void *arg, dns_name_t *name, dns_rdataset_t *rdataset) { rbtdb_load_t *loadctx = arg; dns_rbtdb_t *rbtdb = loadctx->rbtdb; dns_rbtnode_t *node; isc_result_t result; isc_region_t region; rdatasetheader_t *newheader; /* * This routine does no node locking. See comments in * 'load' below for more information on loading and * locking. */ /* * SOA records are only allowed at top of zone. */ if (rdataset->type == dns_rdatatype_soa && !IS_CACHE(rbtdb) && !dns_name_equal(name, &rbtdb->common.origin)) return (DNS_R_NOTZONETOP); if (rdataset->type != dns_rdatatype_nsec3 && rdataset->covers != dns_rdatatype_nsec3) add_empty_wildcards(rbtdb, name); if (dns_name_iswildcard(name)) { /* * NS record owners cannot legally be wild cards. */ if (rdataset->type == dns_rdatatype_ns) return (DNS_R_INVALIDNS); /* * NSEC3 record owners cannot legally be wild cards. */ if (rdataset->type == dns_rdatatype_nsec3) return (DNS_R_INVALIDNSEC3); result = add_wildcard_magic(rbtdb, name); if (result != ISC_R_SUCCESS) return (result); } node = NULL; if (rdataset->type == dns_rdatatype_nsec3 || rdataset->covers == dns_rdatatype_nsec3) { result = dns_rbt_addnode(rbtdb->nsec3, name, &node); if (result == ISC_R_SUCCESS) node->nsec3 = 1; } else { result = dns_rbt_addnode(rbtdb->tree, name, &node); if (result == ISC_R_SUCCESS) node->nsec3 = 0; } if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS) return (result); if (result != ISC_R_EXISTS) { dns_name_t foundname; dns_name_init(&foundname, NULL); dns_rbt_namefromnode(node, &foundname); #ifdef DNS_RBT_USEHASH node->locknum = node->hashval % rbtdb->node_lock_count; #else node->locknum = dns_name_hash(&foundname, ISC_TRUE) % rbtdb->node_lock_count; #endif } result = dns_rdataslab_fromrdataset(rdataset, rbtdb->common.mctx, ®ion, sizeof(rdatasetheader_t)); if (result != ISC_R_SUCCESS) return (result); newheader = (rdatasetheader_t *)region.base; init_rdataset(rbtdb, newheader); set_ttl(rbtdb, newheader, rdataset->ttl + loadctx->now); /* XXX overflow check */ newheader->type = RBTDB_RDATATYPE_VALUE(rdataset->type, rdataset->covers); newheader->attributes = 0; newheader->trust = rdataset->trust; newheader->serial = 1; newheader->noqname = NULL; newheader->closest = NULL; newheader->count = init_count++; newheader->additional_auth = NULL; newheader->additional_glue = NULL; newheader->last_used = 0; newheader->node = node; if ((rdataset->attributes & DNS_RDATASETATTR_RESIGN) != 0) { newheader->attributes |= RDATASET_ATTR_RESIGN; newheader->resign = rdataset->resign; } else newheader->resign = 0; result = add(rbtdb, node, rbtdb->current_version, newheader, DNS_DBADD_MERGE, ISC_TRUE, NULL, 0); if (result == ISC_R_SUCCESS && delegating_type(rbtdb, node, rdataset->type)) node->find_callback = 1; else if (result == DNS_R_UNCHANGED) result = ISC_R_SUCCESS; return (result); } static isc_result_t beginload(dns_db_t *db, dns_addrdatasetfunc_t *addp, dns_dbload_t **dbloadp) { rbtdb_load_t *loadctx; dns_rbtdb_t *rbtdb; rbtdb = (dns_rbtdb_t *)db; REQUIRE(VALID_RBTDB(rbtdb)); loadctx = isc_mem_get(rbtdb->common.mctx, sizeof(*loadctx)); if (loadctx == NULL) return (ISC_R_NOMEMORY); loadctx->rbtdb = rbtdb; if (IS_CACHE(rbtdb)) isc_stdtime_get(&loadctx->now); else loadctx->now = 0; RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write); REQUIRE((rbtdb->attributes & (RBTDB_ATTR_LOADED|RBTDB_ATTR_LOADING)) == 0); rbtdb->attributes |= RBTDB_ATTR_LOADING; RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write); *addp = loading_addrdataset; *dbloadp = loadctx; return (ISC_R_SUCCESS); } static isc_result_t endload(dns_db_t *db, dns_dbload_t **dbloadp) { rbtdb_load_t *loadctx; dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; REQUIRE(VALID_RBTDB(rbtdb)); REQUIRE(dbloadp != NULL); loadctx = *dbloadp; REQUIRE(loadctx->rbtdb == rbtdb); RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write); REQUIRE((rbtdb->attributes & RBTDB_ATTR_LOADING) != 0); REQUIRE((rbtdb->attributes & RBTDB_ATTR_LOADED) == 0); rbtdb->attributes &= ~RBTDB_ATTR_LOADING; rbtdb->attributes |= RBTDB_ATTR_LOADED; RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write); /* * If there's a KEY rdataset at the zone origin containing a * zone key, we consider the zone secure. */ if (! IS_CACHE(rbtdb)) iszonesecure(db, rbtdb->current_version, rbtdb->origin_node); *dbloadp = NULL; isc_mem_put(rbtdb->common.mctx, loadctx, sizeof(*loadctx)); return (ISC_R_SUCCESS); } static isc_result_t dump(dns_db_t *db, dns_dbversion_t *version, const char *filename, dns_masterformat_t masterformat) { dns_rbtdb_t *rbtdb; rbtdb = (dns_rbtdb_t *)db; REQUIRE(VALID_RBTDB(rbtdb)); return (dns_master_dump2(rbtdb->common.mctx, db, version, &dns_master_style_default, filename, masterformat)); } static void delete_callback(void *data, void *arg) { dns_rbtdb_t *rbtdb = arg; rdatasetheader_t *current, *next; unsigned int locknum; current = data; locknum = current->node->locknum; NODE_LOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write); while (current != NULL) { next = current->next; free_rdataset(rbtdb, rbtdb->common.mctx, current); current = next; } NODE_UNLOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write); } static isc_boolean_t issecure(dns_db_t *db) { dns_rbtdb_t *rbtdb; isc_boolean_t secure; rbtdb = (dns_rbtdb_t *)db; REQUIRE(VALID_RBTDB(rbtdb)); RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); secure = ISC_TF(rbtdb->current_version->secure == dns_db_secure); RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); return (secure); } static isc_boolean_t isdnssec(dns_db_t *db) { dns_rbtdb_t *rbtdb; isc_boolean_t dnssec; rbtdb = (dns_rbtdb_t *)db; REQUIRE(VALID_RBTDB(rbtdb)); RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); dnssec = ISC_TF(rbtdb->current_version->secure != dns_db_insecure); RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); return (dnssec); } static unsigned int nodecount(dns_db_t *db) { dns_rbtdb_t *rbtdb; unsigned int count; rbtdb = (dns_rbtdb_t *)db; REQUIRE(VALID_RBTDB(rbtdb)); RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); count = dns_rbt_nodecount(rbtdb->tree); RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); return (count); } static void settask(dns_db_t *db, isc_task_t *task) { dns_rbtdb_t *rbtdb; rbtdb = (dns_rbtdb_t *)db; REQUIRE(VALID_RBTDB(rbtdb)); RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write); if (rbtdb->task != NULL) isc_task_detach(&rbtdb->task); if (task != NULL) isc_task_attach(task, &rbtdb->task); RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write); } static isc_boolean_t ispersistent(dns_db_t *db) { UNUSED(db); return (ISC_FALSE); } static isc_result_t getoriginnode(dns_db_t *db, dns_dbnode_t **nodep) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; dns_rbtnode_t *onode; isc_result_t result = ISC_R_SUCCESS; REQUIRE(VALID_RBTDB(rbtdb)); REQUIRE(nodep != NULL && *nodep == NULL); /* Note that the access to origin_node doesn't require a DB lock */ onode = (dns_rbtnode_t *)rbtdb->origin_node; if (onode != NULL) { NODE_STRONGLOCK(&rbtdb->node_locks[onode->locknum].lock); new_reference(rbtdb, onode); NODE_STRONGUNLOCK(&rbtdb->node_locks[onode->locknum].lock); *nodep = rbtdb->origin_node; } else { INSIST(IS_CACHE(rbtdb)); result = ISC_R_NOTFOUND; } return (result); } static isc_result_t getnsec3parameters(dns_db_t *db, dns_dbversion_t *version, dns_hash_t *hash, isc_uint8_t *flags, isc_uint16_t *iterations, unsigned char *salt, size_t *salt_length) { dns_rbtdb_t *rbtdb; isc_result_t result = ISC_R_NOTFOUND; rbtdb_version_t *rbtversion = version; rbtdb = (dns_rbtdb_t *)db; REQUIRE(VALID_RBTDB(rbtdb)); RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); if (rbtversion == NULL) rbtversion = rbtdb->current_version; if (rbtversion->havensec3) { if (hash != NULL) *hash = rbtversion->hash; if (salt != NULL && salt_length != NULL) { REQUIRE(*salt_length >= rbtversion->salt_length); memcpy(salt, rbtversion->salt, rbtversion->salt_length); } if (salt_length != NULL) *salt_length = rbtversion->salt_length; if (iterations != NULL) *iterations = rbtversion->iterations; if (flags != NULL) *flags = rbtversion->flags; result = ISC_R_SUCCESS; } RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); return (result); } static isc_result_t setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, isc_stdtime_t resign) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; isc_stdtime_t oldresign; isc_result_t result = ISC_R_SUCCESS; rdatasetheader_t *header; REQUIRE(VALID_RBTDB(rbtdb)); REQUIRE(!IS_CACHE(rbtdb)); REQUIRE(rdataset != NULL); header = rdataset->private3; header--; NODE_LOCK(&rbtdb->node_locks[header->node->locknum].lock, isc_rwlocktype_write); oldresign = header->resign; header->resign = resign; if (header->heap_index != 0) { INSIST(RESIGN(header)); if (resign == 0) { isc_heap_delete(rbtdb->heaps[header->node->locknum], header->heap_index); header->heap_index = 0; } else if (resign < oldresign) isc_heap_increased(rbtdb->heaps[header->node->locknum], header->heap_index); else isc_heap_decreased(rbtdb->heaps[header->node->locknum], header->heap_index); } else if (resign && header->heap_index == 0) { header->attributes |= RDATASET_ATTR_RESIGN; result = resign_insert(rbtdb, header->node->locknum, header); } NODE_UNLOCK(&rbtdb->node_locks[header->node->locknum].lock, isc_rwlocktype_write); return (result); } static isc_result_t getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, dns_name_t *foundname) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; rdatasetheader_t *header = NULL, *this; unsigned int i; isc_result_t result = ISC_R_NOTFOUND; unsigned int locknum; REQUIRE(VALID_RBTDB(rbtdb)); RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_read); for (i = 0; i < rbtdb->node_lock_count; i++) { NODE_LOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_read); this = isc_heap_element(rbtdb->heaps[i], 1); if (this == NULL) { NODE_UNLOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_read); continue; } if (header == NULL) header = this; else if (isc_serial_lt(this->resign, header->resign)) { locknum = header->node->locknum; NODE_UNLOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_read); header = this; } else NODE_UNLOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_read); } if (header == NULL) goto unlock; bind_rdataset(rbtdb, header->node, header, 0, rdataset); if (foundname != NULL) dns_rbt_fullnamefromnode(header->node, foundname); NODE_UNLOCK(&rbtdb->node_locks[header->node->locknum].lock, isc_rwlocktype_read); result = ISC_R_SUCCESS; unlock: RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_read); return (result); } static void resigned(dns_db_t *db, dns_rdataset_t *rdataset, dns_dbversion_t *version) { rbtdb_version_t *rbtversion = (rbtdb_version_t *)version; dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; dns_rbtnode_t *node; rdatasetheader_t *header; REQUIRE(VALID_RBTDB(rbtdb)); REQUIRE(rdataset != NULL); REQUIRE(rbtdb->future_version == rbtversion); REQUIRE(rbtversion->writer); node = rdataset->private2; header = rdataset->private3; header--; RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write); NODE_LOCK(&rbtdb->node_locks[node->locknum].lock, isc_rwlocktype_write); /* * Delete from heap and save to re-signed list so that it can * be restored if we backout of this change. */ new_reference(rbtdb, node); isc_heap_delete(rbtdb->heaps[node->locknum], header->heap_index); header->heap_index = 0; ISC_LIST_APPEND(rbtversion->resigned_list, header, link); NODE_UNLOCK(&rbtdb->node_locks[node->locknum].lock, isc_rwlocktype_write); RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write); } static dns_stats_t * getrrsetstats(dns_db_t *db) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; REQUIRE(VALID_RBTDB(rbtdb)); REQUIRE(IS_CACHE(rbtdb)); /* current restriction */ return (rbtdb->rrsetstats); } static dns_dbmethods_t zone_methods = { attach, detach, beginload, endload, dump, currentversion, newversion, attachversion, closeversion, findnode, zone_find, zone_findzonecut, attachnode, detachnode, expirenode, printnode, createiterator, zone_findrdataset, allrdatasets, addrdataset, subtractrdataset, deleterdataset, issecure, nodecount, ispersistent, overmem, settask, getoriginnode, NULL, getnsec3parameters, findnsec3node, setsigningtime, getsigningtime, resigned, isdnssec, NULL }; static dns_dbmethods_t cache_methods = { attach, detach, beginload, endload, dump, currentversion, newversion, attachversion, closeversion, findnode, cache_find, cache_findzonecut, attachnode, detachnode, expirenode, printnode, createiterator, cache_findrdataset, allrdatasets, addrdataset, subtractrdataset, deleterdataset, issecure, nodecount, ispersistent, overmem, settask, getoriginnode, NULL, NULL, NULL, NULL, NULL, NULL, isdnssec, getrrsetstats }; isc_result_t #ifdef DNS_RBTDB_VERSION64 dns_rbtdb64_create #else dns_rbtdb_create #endif (isc_mem_t *mctx, dns_name_t *origin, dns_dbtype_t type, dns_rdataclass_t rdclass, unsigned int argc, char *argv[], void *driverarg, dns_db_t **dbp) { dns_rbtdb_t *rbtdb; isc_result_t result; int i; dns_name_t name; isc_boolean_t (*sooner)(void *, void *); /* Keep the compiler happy. */ UNUSED(argc); UNUSED(argv); UNUSED(driverarg); rbtdb = isc_mem_get(mctx, sizeof(*rbtdb)); if (rbtdb == NULL) return (ISC_R_NOMEMORY); memset(rbtdb, '\0', sizeof(*rbtdb)); dns_name_init(&rbtdb->common.origin, NULL); rbtdb->common.attributes = 0; if (type == dns_dbtype_cache) { rbtdb->common.methods = &cache_methods; rbtdb->common.attributes |= DNS_DBATTR_CACHE; } else if (type == dns_dbtype_stub) { rbtdb->common.methods = &zone_methods; rbtdb->common.attributes |= DNS_DBATTR_STUB; } else rbtdb->common.methods = &zone_methods; rbtdb->common.rdclass = rdclass; rbtdb->common.mctx = NULL; result = RBTDB_INITLOCK(&rbtdb->lock); if (result != ISC_R_SUCCESS) goto cleanup_rbtdb; result = isc_rwlock_init(&rbtdb->tree_lock, 0, 0); if (result != ISC_R_SUCCESS) goto cleanup_lock; /* * Initialize node_lock_count in a generic way to support future * extension which allows the user to specify this value on creation. * Note that when specified for a cache DB it must be larger than 1 * as commented with the definition of DEFAULT_CACHE_NODE_LOCK_COUNT. */ if (rbtdb->node_lock_count == 0) { if (IS_CACHE(rbtdb)) rbtdb->node_lock_count = DEFAULT_CACHE_NODE_LOCK_COUNT; else rbtdb->node_lock_count = DEFAULT_NODE_LOCK_COUNT; } else if (rbtdb->node_lock_count < 2 && IS_CACHE(rbtdb)) { result = ISC_R_RANGE; goto cleanup_tree_lock; } INSIST(rbtdb->node_lock_count < (1 << DNS_RBT_LOCKLENGTH)); rbtdb->node_locks = isc_mem_get(mctx, rbtdb->node_lock_count * sizeof(rbtdb_nodelock_t)); if (rbtdb->node_locks == NULL) { result = ISC_R_NOMEMORY; goto cleanup_tree_lock; } rbtdb->rrsetstats = NULL; if (IS_CACHE(rbtdb)) { result = dns_rdatasetstats_create(mctx, &rbtdb->rrsetstats); if (result != ISC_R_SUCCESS) goto cleanup_node_locks; rbtdb->rdatasets = isc_mem_get(mctx, rbtdb->node_lock_count * sizeof(rdatasetheaderlist_t)); if (rbtdb->rdatasets == NULL) { result = ISC_R_NOMEMORY; goto cleanup_rrsetstats; } for (i = 0; i < (int)rbtdb->node_lock_count; i++) ISC_LIST_INIT(rbtdb->rdatasets[i]); } else rbtdb->rdatasets = NULL; /* * Create the heaps. */ rbtdb->heaps = isc_mem_get(mctx, rbtdb->node_lock_count * sizeof(isc_heap_t *)); if (rbtdb->heaps == NULL) { result = ISC_R_NOMEMORY; goto cleanup_rdatasets; } for (i = 0; i < (int)rbtdb->node_lock_count; i++) rbtdb->heaps[i] = NULL; sooner = IS_CACHE(rbtdb) ? ttl_sooner : resign_sooner; for (i = 0; i < (int)rbtdb->node_lock_count; i++) { result = isc_heap_create(mctx, sooner, set_index, 0, &rbtdb->heaps[i]); if (result != ISC_R_SUCCESS) goto cleanup_heaps; } /* * Create deadnode lists. */ rbtdb->deadnodes = isc_mem_get(mctx, rbtdb->node_lock_count * sizeof(rbtnodelist_t)); if (rbtdb->deadnodes == NULL) { result = ISC_R_NOMEMORY; goto cleanup_heaps; } for (i = 0; i < (int)rbtdb->node_lock_count; i++) ISC_LIST_INIT(rbtdb->deadnodes[i]); rbtdb->active = rbtdb->node_lock_count; for (i = 0; i < (int)(rbtdb->node_lock_count); i++) { result = NODE_INITLOCK(&rbtdb->node_locks[i].lock); if (result == ISC_R_SUCCESS) { result = isc_refcount_init(&rbtdb->node_locks[i].references, 0); if (result != ISC_R_SUCCESS) NODE_DESTROYLOCK(&rbtdb->node_locks[i].lock); } if (result != ISC_R_SUCCESS) { while (i-- > 0) { NODE_DESTROYLOCK(&rbtdb->node_locks[i].lock); isc_refcount_decrement(&rbtdb->node_locks[i].references, NULL); isc_refcount_destroy(&rbtdb->node_locks[i].references); } goto cleanup_deadnodes; } rbtdb->node_locks[i].exiting = ISC_FALSE; } /* * Attach to the mctx. The database will persist so long as there * are references to it, and attaching to the mctx ensures that our * mctx won't disappear out from under us. */ isc_mem_attach(mctx, &rbtdb->common.mctx); /* * Must be initialized before free_rbtdb() is called. */ isc_ondestroy_init(&rbtdb->common.ondest); /* * Make a copy of the origin name. */ result = dns_name_dupwithoffsets(origin, mctx, &rbtdb->common.origin); if (result != ISC_R_SUCCESS) { free_rbtdb(rbtdb, ISC_FALSE, NULL); return (result); } /* * Make the Red-Black Trees. */ result = dns_rbt_create(mctx, delete_callback, rbtdb, &rbtdb->tree); if (result != ISC_R_SUCCESS) { free_rbtdb(rbtdb, ISC_FALSE, NULL); return (result); } result = dns_rbt_create(mctx, delete_callback, rbtdb, &rbtdb->nsec3); if (result != ISC_R_SUCCESS) { free_rbtdb(rbtdb, ISC_FALSE, NULL); return (result); } /* * In order to set the node callback bit correctly in zone databases, * we need to know if the node has the origin name of the zone. * In loading_addrdataset() we could simply compare the new name * to the origin name, but this is expensive. Also, we don't know the * node name in addrdataset(), so we need another way of knowing the * zone's top. * * We now explicitly create a node for the zone's origin, and then * we simply remember the node's address. This is safe, because * the top-of-zone node can never be deleted, nor can its address * change. */ if (!IS_CACHE(rbtdb)) { rbtdb->origin_node = NULL; result = dns_rbt_addnode(rbtdb->tree, &rbtdb->common.origin, &rbtdb->origin_node); if (result != ISC_R_SUCCESS) { INSIST(result != ISC_R_EXISTS); free_rbtdb(rbtdb, ISC_FALSE, NULL); return (result); } rbtdb->origin_node->nsec3 = 0; /* * We need to give the origin node the right locknum. */ dns_name_init(&name, NULL); dns_rbt_namefromnode(rbtdb->origin_node, &name); #ifdef DNS_RBT_USEHASH rbtdb->origin_node->locknum = rbtdb->origin_node->hashval % rbtdb->node_lock_count; #else rbtdb->origin_node->locknum = dns_name_hash(&name, ISC_TRUE) % rbtdb->node_lock_count; #endif } /* * Misc. Initialization. */ result = isc_refcount_init(&rbtdb->references, 1); if (result != ISC_R_SUCCESS) { free_rbtdb(rbtdb, ISC_FALSE, NULL); return (result); } rbtdb->attributes = 0; rbtdb->overmem = ISC_FALSE; rbtdb->task = NULL; /* * Version Initialization. */ rbtdb->current_serial = 1; rbtdb->least_serial = 1; rbtdb->next_serial = 2; rbtdb->current_version = allocate_version(mctx, 1, 1, ISC_FALSE); if (rbtdb->current_version == NULL) { isc_refcount_decrement(&rbtdb->references, NULL); isc_refcount_destroy(&rbtdb->references); free_rbtdb(rbtdb, ISC_FALSE, NULL); return (ISC_R_NOMEMORY); } rbtdb->current_version->secure = dns_db_insecure; rbtdb->current_version->havensec3 = ISC_FALSE; rbtdb->current_version->flags = 0; rbtdb->current_version->iterations = 0; rbtdb->current_version->hash = 0; rbtdb->current_version->salt_length = 0; memset(rbtdb->current_version->salt, 0, sizeof(rbtdb->current_version->salt)); rbtdb->future_version = NULL; ISC_LIST_INIT(rbtdb->open_versions); /* * Keep the current version in the open list so that list operation * won't happen in normal lookup operations. */ PREPEND(rbtdb->open_versions, rbtdb->current_version, link); rbtdb->common.magic = DNS_DB_MAGIC; rbtdb->common.impmagic = RBTDB_MAGIC; *dbp = (dns_db_t *)rbtdb; return (ISC_R_SUCCESS); cleanup_deadnodes: isc_mem_put(mctx, rbtdb->deadnodes, rbtdb->node_lock_count * sizeof(rbtnodelist_t)); cleanup_heaps: if (rbtdb->heaps != NULL) { for (i = 0 ; i < (int)rbtdb->node_lock_count ; i++) if (rbtdb->heaps[i] != NULL) isc_heap_destroy(&rbtdb->heaps[i]); isc_mem_put(mctx, rbtdb->heaps, rbtdb->node_lock_count * sizeof(isc_heap_t *)); } cleanup_rdatasets: if (rbtdb->rdatasets != NULL) isc_mem_put(mctx, rbtdb->rdatasets, rbtdb->node_lock_count * sizeof(rdatasetheaderlist_t)); cleanup_rrsetstats: if (rbtdb->rrsetstats != NULL) dns_stats_detach(&rbtdb->rrsetstats); cleanup_node_locks: isc_mem_put(mctx, rbtdb->node_locks, rbtdb->node_lock_count * sizeof(rbtdb_nodelock_t)); cleanup_tree_lock: isc_rwlock_destroy(&rbtdb->tree_lock); cleanup_lock: RBTDB_DESTROYLOCK(&rbtdb->lock); cleanup_rbtdb: isc_mem_put(mctx, rbtdb, sizeof(*rbtdb)); return (result); } /* * Slabbed Rdataset Methods */ static void rdataset_disassociate(dns_rdataset_t *rdataset) { dns_db_t *db = rdataset->private1; dns_dbnode_t *node = rdataset->private2; detachnode(db, &node); } static isc_result_t rdataset_first(dns_rdataset_t *rdataset) { unsigned char *raw = rdataset->private3; /* RDATASLAB */ unsigned int count; count = raw[0] * 256 + raw[1]; if (count == 0) { rdataset->private5 = NULL; return (ISC_R_NOMORE); } #if DNS_RDATASET_FIXED if ((rdataset->attributes & DNS_RDATASETATTR_LOADORDER) == 0) raw += 2 + (4 * count); else #endif raw += 2; /* * The privateuint4 field is the number of rdata beyond the * cursor position, so we decrement the total count by one * before storing it. * * If DNS_RDATASETATTR_LOADORDER is not set 'raw' points to the * first record. If DNS_RDATASETATTR_LOADORDER is set 'raw' points * to the first entry in the offset table. */ count--; rdataset->privateuint4 = count; rdataset->private5 = raw; return (ISC_R_SUCCESS); } static isc_result_t rdataset_next(dns_rdataset_t *rdataset) { unsigned int count; unsigned int length; unsigned char *raw; /* RDATASLAB */ count = rdataset->privateuint4; if (count == 0) return (ISC_R_NOMORE); count--; rdataset->privateuint4 = count; /* * Skip forward one record (length + 4) or one offset (4). */ raw = rdataset->private5; #if DNS_RDATASET_FIXED if ((rdataset->attributes & DNS_RDATASETATTR_LOADORDER) == 0) { #endif length = raw[0] * 256 + raw[1]; raw += length; #if DNS_RDATASET_FIXED } rdataset->private5 = raw + 4; /* length(2) + order(2) */ #else rdataset->private5 = raw + 2; /* length(2) */ #endif return (ISC_R_SUCCESS); } static void rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) { unsigned char *raw = rdataset->private5; /* RDATASLAB */ #if DNS_RDATASET_FIXED unsigned int offset; #endif unsigned int length; isc_region_t r; unsigned int flags = 0; REQUIRE(raw != NULL); /* * Find the start of the record if not already in private5 * then skip the length and order fields. */ #if DNS_RDATASET_FIXED if ((rdataset->attributes & DNS_RDATASETATTR_LOADORDER) != 0) { offset = (raw[0] << 24) + (raw[1] << 16) + (raw[2] << 8) + raw[3]; raw = rdataset->private3; raw += offset; } #endif length = raw[0] * 256 + raw[1]; #if DNS_RDATASET_FIXED raw += 4; #else raw += 2; #endif if (rdataset->type == dns_rdatatype_rrsig) { if (*raw & DNS_RDATASLAB_OFFLINE) flags |= DNS_RDATA_OFFLINE; length--; raw++; } r.length = length; r.base = raw; dns_rdata_fromregion(rdata, rdataset->rdclass, rdataset->type, &r); rdata->flags |= flags; } static void rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) { dns_db_t *db = source->private1; dns_dbnode_t *node = source->private2; dns_dbnode_t *cloned_node = NULL; attachnode(db, node, &cloned_node); *target = *source; /* * Reset iterator state. */ target->privateuint4 = 0; target->private5 = NULL; } static unsigned int rdataset_count(dns_rdataset_t *rdataset) { unsigned char *raw = rdataset->private3; /* RDATASLAB */ unsigned int count; count = raw[0] * 256 + raw[1]; return (count); } static isc_result_t rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name, dns_rdataset_t *nsec, dns_rdataset_t *nsecsig) { dns_db_t *db = rdataset->private1; dns_dbnode_t *node = rdataset->private2; dns_dbnode_t *cloned_node; struct noqname *noqname = rdataset->private6; cloned_node = NULL; attachnode(db, node, &cloned_node); nsec->methods = &rdataset_methods; nsec->rdclass = db->rdclass; nsec->type = noqname->type; nsec->covers = 0; nsec->ttl = rdataset->ttl; nsec->trust = rdataset->trust; nsec->private1 = rdataset->private1; nsec->private2 = rdataset->private2; nsec->private3 = noqname->neg; nsec->privateuint4 = 0; nsec->private5 = NULL; nsec->private6 = NULL; nsec->private7 = NULL; cloned_node = NULL; attachnode(db, node, &cloned_node); nsecsig->methods = &rdataset_methods; nsecsig->rdclass = db->rdclass; nsecsig->type = dns_rdatatype_rrsig; nsecsig->covers = noqname->type; nsecsig->ttl = rdataset->ttl; nsecsig->trust = rdataset->trust; nsecsig->private1 = rdataset->private1; nsecsig->private2 = rdataset->private2; nsecsig->private3 = noqname->negsig; nsecsig->privateuint4 = 0; nsecsig->private5 = NULL; nsec->private6 = NULL; nsec->private7 = NULL; dns_name_clone(&noqname->name, name); return (ISC_R_SUCCESS); } static isc_result_t rdataset_getclosest(dns_rdataset_t *rdataset, dns_name_t *name, dns_rdataset_t *nsec, dns_rdataset_t *nsecsig) { dns_db_t *db = rdataset->private1; dns_dbnode_t *node = rdataset->private2; dns_dbnode_t *cloned_node; struct noqname *closest = rdataset->private7; cloned_node = NULL; attachnode(db, node, &cloned_node); nsec->methods = &rdataset_methods; nsec->rdclass = db->rdclass; nsec->type = closest->type; nsec->covers = 0; nsec->ttl = rdataset->ttl; nsec->trust = rdataset->trust; nsec->private1 = rdataset->private1; nsec->private2 = rdataset->private2; nsec->private3 = closest->neg; nsec->privateuint4 = 0; nsec->private5 = NULL; nsec->private6 = NULL; nsec->private7 = NULL; cloned_node = NULL; attachnode(db, node, &cloned_node); nsecsig->methods = &rdataset_methods; nsecsig->rdclass = db->rdclass; nsecsig->type = dns_rdatatype_rrsig; nsecsig->covers = closest->type; nsecsig->ttl = rdataset->ttl; nsecsig->trust = rdataset->trust; nsecsig->private1 = rdataset->private1; nsecsig->private2 = rdataset->private2; nsecsig->private3 = closest->negsig; nsecsig->privateuint4 = 0; nsecsig->private5 = NULL; nsec->private6 = NULL; nsec->private7 = NULL; dns_name_clone(&closest->name, name); return (ISC_R_SUCCESS); +} + +static void +rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust) { + dns_rbtdb_t *rbtdb = rdataset->private1; + dns_rbtnode_t *rbtnode = rdataset->private2; + rdatasetheader_t *header = rdataset->private3; + + header--; + NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock, + isc_rwlocktype_write); + header->trust = rdataset->trust = trust; + NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock, + isc_rwlocktype_write); +} + +static void +rdataset_expire(dns_rdataset_t *rdataset) { + dns_rbtdb_t *rbtdb = rdataset->private1; + dns_rbtnode_t *rbtnode = rdataset->private2; + rdatasetheader_t *header = rdataset->private3; + + header--; + NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock, + isc_rwlocktype_write); + expire_header(rbtdb, header, ISC_FALSE); + NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock, + isc_rwlocktype_write); } /* * Rdataset Iterator Methods */ static void rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp) { rbtdb_rdatasetiter_t *rbtiterator; rbtiterator = (rbtdb_rdatasetiter_t *)(*iteratorp); if (rbtiterator->common.version != NULL) closeversion(rbtiterator->common.db, &rbtiterator->common.version, ISC_FALSE); detachnode(rbtiterator->common.db, &rbtiterator->common.node); isc_mem_put(rbtiterator->common.db->mctx, rbtiterator, sizeof(*rbtiterator)); *iteratorp = NULL; } static isc_result_t rdatasetiter_first(dns_rdatasetiter_t *iterator) { rbtdb_rdatasetiter_t *rbtiterator = (rbtdb_rdatasetiter_t *)iterator; dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)(rbtiterator->common.db); dns_rbtnode_t *rbtnode = rbtiterator->common.node; rbtdb_version_t *rbtversion = rbtiterator->common.version; rdatasetheader_t *header, *top_next; rbtdb_serial_t serial; isc_stdtime_t now; if (IS_CACHE(rbtdb)) { serial = 1; now = rbtiterator->common.now; } else { serial = rbtversion->serial; now = 0; } NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock, isc_rwlocktype_read); for (header = rbtnode->data; header != NULL; header = top_next) { top_next = header->next; do { if (header->serial <= serial && !IGNORE(header)) { /* * Is this a "this rdataset doesn't exist" * record? Or is it too old in the cache? * * Note: unlike everywhere else, we * check for now > header->rdh_ttl instead * of now >= header->rdh_ttl. This allows * ANY and RRSIG queries for 0 TTL * rdatasets to work. */ if (NONEXISTENT(header) || (now != 0 && now > header->rdh_ttl)) header = NULL; break; } else header = header->down; } while (header != NULL); if (header != NULL) break; } NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock, isc_rwlocktype_read); rbtiterator->current = header; if (header == NULL) return (ISC_R_NOMORE); return (ISC_R_SUCCESS); } static isc_result_t rdatasetiter_next(dns_rdatasetiter_t *iterator) { rbtdb_rdatasetiter_t *rbtiterator = (rbtdb_rdatasetiter_t *)iterator; dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)(rbtiterator->common.db); dns_rbtnode_t *rbtnode = rbtiterator->common.node; rbtdb_version_t *rbtversion = rbtiterator->common.version; rdatasetheader_t *header, *top_next; rbtdb_serial_t serial; isc_stdtime_t now; rbtdb_rdatatype_t type, negtype; dns_rdatatype_t rdtype, covers; header = rbtiterator->current; if (header == NULL) return (ISC_R_NOMORE); if (IS_CACHE(rbtdb)) { serial = 1; now = rbtiterator->common.now; } else { serial = rbtversion->serial; now = 0; } NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock, isc_rwlocktype_read); type = header->type; rdtype = RBTDB_RDATATYPE_BASE(header->type); if (rdtype == 0) { covers = RBTDB_RDATATYPE_EXT(header->type); negtype = RBTDB_RDATATYPE_VALUE(covers, 0); } else negtype = RBTDB_RDATATYPE_VALUE(0, rdtype); for (header = header->next; header != NULL; header = top_next) { top_next = header->next; /* * If not walking back up the down list. */ if (header->type != type && header->type != negtype) { do { if (header->serial <= serial && !IGNORE(header)) { /* * Is this a "this rdataset doesn't * exist" record? * * Note: unlike everywhere else, we * check for now > header->ttl instead * of now >= header->ttl. This allows * ANY and RRSIG queries for 0 TTL * rdatasets to work. */ if ((header->attributes & RDATASET_ATTR_NONEXISTENT) != 0 || (now != 0 && now > header->rdh_ttl)) header = NULL; break; } else header = header->down; } while (header != NULL); if (header != NULL) break; } } NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock, isc_rwlocktype_read); rbtiterator->current = header; if (header == NULL) return (ISC_R_NOMORE); return (ISC_R_SUCCESS); } static void rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset) { rbtdb_rdatasetiter_t *rbtiterator = (rbtdb_rdatasetiter_t *)iterator; dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)(rbtiterator->common.db); dns_rbtnode_t *rbtnode = rbtiterator->common.node; rdatasetheader_t *header; header = rbtiterator->current; REQUIRE(header != NULL); NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock, isc_rwlocktype_read); bind_rdataset(rbtdb, rbtnode, header, rbtiterator->common.now, rdataset); NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock, isc_rwlocktype_read); } /* * Database Iterator Methods */ static inline void reference_iter_node(rbtdb_dbiterator_t *rbtdbiter) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db; dns_rbtnode_t *node = rbtdbiter->node; if (node == NULL) return; INSIST(rbtdbiter->tree_locked != isc_rwlocktype_none); reactivate_node(rbtdb, node, rbtdbiter->tree_locked); } static inline void dereference_iter_node(rbtdb_dbiterator_t *rbtdbiter) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db; dns_rbtnode_t *node = rbtdbiter->node; nodelock_t *lock; if (node == NULL) return; lock = &rbtdb->node_locks[node->locknum].lock; NODE_LOCK(lock, isc_rwlocktype_read); decrement_reference(rbtdb, node, 0, isc_rwlocktype_read, rbtdbiter->tree_locked, ISC_FALSE); NODE_UNLOCK(lock, isc_rwlocktype_read); rbtdbiter->node = NULL; } static void flush_deletions(rbtdb_dbiterator_t *rbtdbiter) { dns_rbtnode_t *node; dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db; isc_boolean_t was_read_locked = ISC_FALSE; nodelock_t *lock; int i; if (rbtdbiter->delete != 0) { /* * Note that "%d node of %d in tree" can report things like * "flush_deletions: 59 nodes of 41 in tree". This means * That some nodes appear on the deletions list more than * once. Only the last occurence will actually be deleted. */ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1), "flush_deletions: %d nodes of %d in tree", rbtdbiter->delete, dns_rbt_nodecount(rbtdb->tree)); if (rbtdbiter->tree_locked == isc_rwlocktype_read) { RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); was_read_locked = ISC_TRUE; } RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write); rbtdbiter->tree_locked = isc_rwlocktype_write; for (i = 0; i < rbtdbiter->delete; i++) { node = rbtdbiter->deletions[i]; lock = &rbtdb->node_locks[node->locknum].lock; NODE_LOCK(lock, isc_rwlocktype_read); decrement_reference(rbtdb, node, 0, isc_rwlocktype_read, rbtdbiter->tree_locked, ISC_FALSE); NODE_UNLOCK(lock, isc_rwlocktype_read); } rbtdbiter->delete = 0; RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write); if (was_read_locked) { RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); rbtdbiter->tree_locked = isc_rwlocktype_read; } else { rbtdbiter->tree_locked = isc_rwlocktype_none; } } } static inline void resume_iteration(rbtdb_dbiterator_t *rbtdbiter) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db; REQUIRE(rbtdbiter->paused); REQUIRE(rbtdbiter->tree_locked == isc_rwlocktype_none); RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); rbtdbiter->tree_locked = isc_rwlocktype_read; rbtdbiter->paused = ISC_FALSE; } static void dbiterator_destroy(dns_dbiterator_t **iteratorp) { rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)(*iteratorp); dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db; dns_db_t *db = NULL; if (rbtdbiter->tree_locked == isc_rwlocktype_read) { RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); rbtdbiter->tree_locked = isc_rwlocktype_none; } else INSIST(rbtdbiter->tree_locked == isc_rwlocktype_none); dereference_iter_node(rbtdbiter); flush_deletions(rbtdbiter); dns_db_attach(rbtdbiter->common.db, &db); dns_db_detach(&rbtdbiter->common.db); dns_rbtnodechain_reset(&rbtdbiter->chain); dns_rbtnodechain_reset(&rbtdbiter->nsec3chain); isc_mem_put(db->mctx, rbtdbiter, sizeof(*rbtdbiter)); dns_db_detach(&db); *iteratorp = NULL; } static isc_result_t dbiterator_first(dns_dbiterator_t *iterator) { isc_result_t result; rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator; dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db; dns_name_t *name, *origin; if (rbtdbiter->result != ISC_R_SUCCESS && rbtdbiter->result != ISC_R_NOMORE) return (rbtdbiter->result); if (rbtdbiter->paused) resume_iteration(rbtdbiter); dereference_iter_node(rbtdbiter); name = dns_fixedname_name(&rbtdbiter->name); origin = dns_fixedname_name(&rbtdbiter->origin); dns_rbtnodechain_reset(&rbtdbiter->chain); dns_rbtnodechain_reset(&rbtdbiter->nsec3chain); if (rbtdbiter->nsec3only) { rbtdbiter->current = &rbtdbiter->nsec3chain; result = dns_rbtnodechain_first(rbtdbiter->current, rbtdb->nsec3, name, origin); } else { rbtdbiter->current = &rbtdbiter->chain; result = dns_rbtnodechain_first(rbtdbiter->current, rbtdb->tree, name, origin); if (!rbtdbiter->nonsec3 && result == ISC_R_NOTFOUND) { rbtdbiter->current = &rbtdbiter->nsec3chain; result = dns_rbtnodechain_first(rbtdbiter->current, rbtdb->nsec3, name, origin); } } if (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) { result = dns_rbtnodechain_current(rbtdbiter->current, NULL, NULL, &rbtdbiter->node); if (result == ISC_R_SUCCESS) { rbtdbiter->new_origin = ISC_TRUE; reference_iter_node(rbtdbiter); } } else { INSIST(result == ISC_R_NOTFOUND); result = ISC_R_NOMORE; /* The tree is empty. */ } rbtdbiter->result = result; return (result); } static isc_result_t dbiterator_last(dns_dbiterator_t *iterator) { isc_result_t result; rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator; dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db; dns_name_t *name, *origin; if (rbtdbiter->result != ISC_R_SUCCESS && rbtdbiter->result != ISC_R_NOMORE) return (rbtdbiter->result); if (rbtdbiter->paused) resume_iteration(rbtdbiter); dereference_iter_node(rbtdbiter); name = dns_fixedname_name(&rbtdbiter->name); origin = dns_fixedname_name(&rbtdbiter->origin); dns_rbtnodechain_reset(&rbtdbiter->chain); dns_rbtnodechain_reset(&rbtdbiter->nsec3chain); result = ISC_R_NOTFOUND; if (rbtdbiter->nsec3only && !rbtdbiter->nonsec3) { rbtdbiter->current = &rbtdbiter->nsec3chain; result = dns_rbtnodechain_last(rbtdbiter->current, rbtdb->nsec3, name, origin); } if (!rbtdbiter->nsec3only && result == ISC_R_NOTFOUND) { rbtdbiter->current = &rbtdbiter->chain; result = dns_rbtnodechain_last(rbtdbiter->current, rbtdb->tree, name, origin); } if (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) { result = dns_rbtnodechain_current(rbtdbiter->current, NULL, NULL, &rbtdbiter->node); if (result == ISC_R_SUCCESS) { rbtdbiter->new_origin = ISC_TRUE; reference_iter_node(rbtdbiter); } } else { INSIST(result == ISC_R_NOTFOUND); result = ISC_R_NOMORE; /* The tree is empty. */ } rbtdbiter->result = result; return (result); } static isc_result_t dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name) { isc_result_t result; rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator; dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db; dns_name_t *iname, *origin; if (rbtdbiter->result != ISC_R_SUCCESS && rbtdbiter->result != ISC_R_NOTFOUND && rbtdbiter->result != ISC_R_NOMORE) return (rbtdbiter->result); if (rbtdbiter->paused) resume_iteration(rbtdbiter); dereference_iter_node(rbtdbiter); iname = dns_fixedname_name(&rbtdbiter->name); origin = dns_fixedname_name(&rbtdbiter->origin); dns_rbtnodechain_reset(&rbtdbiter->chain); dns_rbtnodechain_reset(&rbtdbiter->nsec3chain); if (rbtdbiter->nsec3only) { rbtdbiter->current = &rbtdbiter->nsec3chain; result = dns_rbt_findnode(rbtdb->nsec3, name, NULL, &rbtdbiter->node, rbtdbiter->current, DNS_RBTFIND_EMPTYDATA, NULL, NULL); } else if (rbtdbiter->nonsec3) { rbtdbiter->current = &rbtdbiter->chain; result = dns_rbt_findnode(rbtdb->tree, name, NULL, &rbtdbiter->node, rbtdbiter->current, DNS_RBTFIND_EMPTYDATA, NULL, NULL); } else { /* * Stay on main chain if not found on either chain. */ rbtdbiter->current = &rbtdbiter->chain; result = dns_rbt_findnode(rbtdb->tree, name, NULL, &rbtdbiter->node, rbtdbiter->current, DNS_RBTFIND_EMPTYDATA, NULL, NULL); if (result == DNS_R_PARTIALMATCH) { dns_rbtnode_t *node = NULL; result = dns_rbt_findnode(rbtdb->nsec3, name, NULL, &node, &rbtdbiter->nsec3chain, DNS_RBTFIND_EMPTYDATA, NULL, NULL); if (result == ISC_R_SUCCESS) { rbtdbiter->node = node; rbtdbiter->current = &rbtdbiter->nsec3chain; } } } #if 1 if (result == ISC_R_SUCCESS) { result = dns_rbtnodechain_current(rbtdbiter->current, iname, origin, NULL); if (result == ISC_R_SUCCESS) { rbtdbiter->new_origin = ISC_TRUE; reference_iter_node(rbtdbiter); } } else if (result == DNS_R_PARTIALMATCH) { result = ISC_R_NOTFOUND; rbtdbiter->node = NULL; } rbtdbiter->result = result; #else if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) { isc_result_t tresult; tresult = dns_rbtnodechain_current(rbtdbiter->current, iname, origin, NULL); if (tresult == ISC_R_SUCCESS) { rbtdbiter->new_origin = ISC_TRUE; reference_iter_node(rbtdbiter); } else { result = tresult; rbtdbiter->node = NULL; } } else rbtdbiter->node = NULL; rbtdbiter->result = (result == DNS_R_PARTIALMATCH) ? ISC_R_SUCCESS : result; #endif return (result); } static isc_result_t dbiterator_prev(dns_dbiterator_t *iterator) { isc_result_t result; rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator; dns_name_t *name, *origin; dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db; REQUIRE(rbtdbiter->node != NULL); if (rbtdbiter->result != ISC_R_SUCCESS) return (rbtdbiter->result); if (rbtdbiter->paused) resume_iteration(rbtdbiter); name = dns_fixedname_name(&rbtdbiter->name); origin = dns_fixedname_name(&rbtdbiter->origin); result = dns_rbtnodechain_prev(rbtdbiter->current, name, origin); if (result == ISC_R_NOMORE && !rbtdbiter->nsec3only && !rbtdbiter->nonsec3 && &rbtdbiter->nsec3chain == rbtdbiter->current) { rbtdbiter->current = &rbtdbiter->chain; dns_rbtnodechain_reset(rbtdbiter->current); result = dns_rbtnodechain_last(rbtdbiter->current, rbtdb->tree, name, origin); if (result == ISC_R_NOTFOUND) result = ISC_R_NOMORE; } dereference_iter_node(rbtdbiter); if (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) { rbtdbiter->new_origin = ISC_TF(result == DNS_R_NEWORIGIN); result = dns_rbtnodechain_current(rbtdbiter->current, NULL, NULL, &rbtdbiter->node); } if (result == ISC_R_SUCCESS) reference_iter_node(rbtdbiter); rbtdbiter->result = result; return (result); } static isc_result_t dbiterator_next(dns_dbiterator_t *iterator) { isc_result_t result; rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator; dns_name_t *name, *origin; dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db; REQUIRE(rbtdbiter->node != NULL); if (rbtdbiter->result != ISC_R_SUCCESS) return (rbtdbiter->result); if (rbtdbiter->paused) resume_iteration(rbtdbiter); name = dns_fixedname_name(&rbtdbiter->name); origin = dns_fixedname_name(&rbtdbiter->origin); result = dns_rbtnodechain_next(rbtdbiter->current, name, origin); if (result == ISC_R_NOMORE && !rbtdbiter->nsec3only && !rbtdbiter->nonsec3 && &rbtdbiter->chain == rbtdbiter->current) { rbtdbiter->current = &rbtdbiter->nsec3chain; dns_rbtnodechain_reset(rbtdbiter->current); result = dns_rbtnodechain_first(rbtdbiter->current, rbtdb->nsec3, name, origin); if (result == ISC_R_NOTFOUND) result = ISC_R_NOMORE; } dereference_iter_node(rbtdbiter); if (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) { rbtdbiter->new_origin = ISC_TF(result == DNS_R_NEWORIGIN); result = dns_rbtnodechain_current(rbtdbiter->current, NULL, NULL, &rbtdbiter->node); } if (result == ISC_R_SUCCESS) reference_iter_node(rbtdbiter); rbtdbiter->result = result; return (result); } static isc_result_t dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep, dns_name_t *name) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db; rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator; dns_rbtnode_t *node = rbtdbiter->node; isc_result_t result; dns_name_t *nodename = dns_fixedname_name(&rbtdbiter->name); dns_name_t *origin = dns_fixedname_name(&rbtdbiter->origin); REQUIRE(rbtdbiter->result == ISC_R_SUCCESS); REQUIRE(rbtdbiter->node != NULL); if (rbtdbiter->paused) resume_iteration(rbtdbiter); if (name != NULL) { if (rbtdbiter->common.relative_names) origin = NULL; result = dns_name_concatenate(nodename, origin, name, NULL); if (result != ISC_R_SUCCESS) return (result); if (rbtdbiter->common.relative_names && rbtdbiter->new_origin) result = DNS_R_NEWORIGIN; } else result = ISC_R_SUCCESS; NODE_STRONGLOCK(&rbtdb->node_locks[node->locknum].lock); new_reference(rbtdb, node); NODE_STRONGUNLOCK(&rbtdb->node_locks[node->locknum].lock); *nodep = rbtdbiter->node; if (iterator->cleaning && result == ISC_R_SUCCESS) { isc_result_t expire_result; /* * If the deletion array is full, flush it before trying * to expire the current node. The current node can't * fully deleted while the iteration cursor is still on it. */ if (rbtdbiter->delete == DELETION_BATCH_MAX) flush_deletions(rbtdbiter); expire_result = expirenode(iterator->db, *nodep, 0); /* * expirenode() currently always returns success. */ if (expire_result == ISC_R_SUCCESS && node->down == NULL) { unsigned int refs; rbtdbiter->deletions[rbtdbiter->delete++] = node; NODE_STRONGLOCK(&rbtdb->node_locks[node->locknum].lock); dns_rbtnode_refincrement(node, &refs); INSIST(refs != 0); NODE_STRONGUNLOCK(&rbtdb->node_locks[node->locknum].lock); } } return (result); } static isc_result_t dbiterator_pause(dns_dbiterator_t *iterator) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db; rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator; if (rbtdbiter->result != ISC_R_SUCCESS && rbtdbiter->result != ISC_R_NOMORE) return (rbtdbiter->result); if (rbtdbiter->paused) return (ISC_R_SUCCESS); rbtdbiter->paused = ISC_TRUE; if (rbtdbiter->tree_locked != isc_rwlocktype_none) { INSIST(rbtdbiter->tree_locked == isc_rwlocktype_read); RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); rbtdbiter->tree_locked = isc_rwlocktype_none; } flush_deletions(rbtdbiter); return (ISC_R_SUCCESS); } static isc_result_t dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name) { rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator; dns_name_t *origin = dns_fixedname_name(&rbtdbiter->origin); if (rbtdbiter->result != ISC_R_SUCCESS) return (rbtdbiter->result); return (dns_name_copy(origin, name, NULL)); } /*% * Additional cache routines. */ static isc_result_t rdataset_getadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type, dns_rdatatype_t qtype, dns_acache_t *acache, dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp, dns_dbnode_t **nodep, dns_name_t *fname, dns_message_t *msg, isc_stdtime_t now) { dns_rbtdb_t *rbtdb = rdataset->private1; dns_rbtnode_t *rbtnode = rdataset->private2; unsigned char *raw = rdataset->private3; /* RDATASLAB */ unsigned int current_count = rdataset->privateuint4; unsigned int count; rdatasetheader_t *header; nodelock_t *nodelock; unsigned int total_count; acachectl_t *acarray; dns_acacheentry_t *entry; isc_result_t result; UNUSED(qtype); /* we do not use this value at least for now */ UNUSED(acache); header = (struct rdatasetheader *)(raw - sizeof(*header)); total_count = raw[0] * 256 + raw[1]; INSIST(total_count > current_count); count = total_count - current_count - 1; acarray = NULL; nodelock = &rbtdb->node_locks[rbtnode->locknum].lock; NODE_LOCK(nodelock, isc_rwlocktype_read); switch (type) { case dns_rdatasetadditional_fromauth: acarray = header->additional_auth; break; case dns_rdatasetadditional_fromcache: acarray = NULL; break; case dns_rdatasetadditional_fromglue: acarray = header->additional_glue; break; default: INSIST(0); } if (acarray == NULL) { if (type != dns_rdatasetadditional_fromcache) dns_acache_countquerymiss(acache); NODE_UNLOCK(nodelock, isc_rwlocktype_read); return (ISC_R_NOTFOUND); } if (acarray[count].entry == NULL) { dns_acache_countquerymiss(acache); NODE_UNLOCK(nodelock, isc_rwlocktype_read); return (ISC_R_NOTFOUND); } entry = NULL; dns_acache_attachentry(acarray[count].entry, &entry); NODE_UNLOCK(nodelock, isc_rwlocktype_read); result = dns_acache_getentry(entry, zonep, dbp, versionp, nodep, fname, msg, now); dns_acache_detachentry(&entry); return (result); } static void acache_callback(dns_acacheentry_t *entry, void **arg) { dns_rbtdb_t *rbtdb; dns_rbtnode_t *rbtnode; nodelock_t *nodelock; acachectl_t *acarray = NULL; acache_cbarg_t *cbarg; unsigned int count; REQUIRE(arg != NULL); cbarg = *arg; /* * The caller must hold the entry lock. */ rbtdb = (dns_rbtdb_t *)cbarg->db; rbtnode = (dns_rbtnode_t *)cbarg->node; nodelock = &rbtdb->node_locks[rbtnode->locknum].lock; NODE_LOCK(nodelock, isc_rwlocktype_write); switch (cbarg->type) { case dns_rdatasetadditional_fromauth: acarray = cbarg->header->additional_auth; break; case dns_rdatasetadditional_fromglue: acarray = cbarg->header->additional_glue; break; default: INSIST(0); } count = cbarg->count; if (acarray != NULL && acarray[count].entry == entry) { acarray[count].entry = NULL; INSIST(acarray[count].cbarg == cbarg); isc_mem_put(rbtdb->common.mctx, cbarg, sizeof(acache_cbarg_t)); acarray[count].cbarg = NULL; } else isc_mem_put(rbtdb->common.mctx, cbarg, sizeof(acache_cbarg_t)); dns_acache_detachentry(&entry); NODE_UNLOCK(nodelock, isc_rwlocktype_write); dns_db_detachnode((dns_db_t *)rbtdb, (dns_dbnode_t **)(void*)&rbtnode); dns_db_detach((dns_db_t **)(void*)&rbtdb); *arg = NULL; } static void acache_cancelentry(isc_mem_t *mctx, dns_acacheentry_t *entry, acache_cbarg_t **cbargp) { acache_cbarg_t *cbarg; REQUIRE(mctx != NULL); REQUIRE(entry != NULL); REQUIRE(cbargp != NULL && *cbargp != NULL); cbarg = *cbargp; dns_acache_cancelentry(entry); dns_db_detachnode(cbarg->db, &cbarg->node); dns_db_detach(&cbarg->db); isc_mem_put(mctx, cbarg, sizeof(acache_cbarg_t)); *cbargp = NULL; } static isc_result_t rdataset_setadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type, dns_rdatatype_t qtype, dns_acache_t *acache, dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node, dns_name_t *fname) { dns_rbtdb_t *rbtdb = rdataset->private1; dns_rbtnode_t *rbtnode = rdataset->private2; unsigned char *raw = rdataset->private3; /* RDATASLAB */ unsigned int current_count = rdataset->privateuint4; rdatasetheader_t *header; unsigned int total_count, count; nodelock_t *nodelock; isc_result_t result; acachectl_t *acarray; dns_acacheentry_t *newentry, *oldentry = NULL; acache_cbarg_t *newcbarg, *oldcbarg = NULL; UNUSED(qtype); if (type == dns_rdatasetadditional_fromcache) return (ISC_R_SUCCESS); header = (struct rdatasetheader *)(raw - sizeof(*header)); total_count = raw[0] * 256 + raw[1]; INSIST(total_count > current_count); count = total_count - current_count - 1; /* should be private data */ newcbarg = isc_mem_get(rbtdb->common.mctx, sizeof(*newcbarg)); if (newcbarg == NULL) return (ISC_R_NOMEMORY); newcbarg->type = type; newcbarg->count = count; newcbarg->header = header; newcbarg->db = NULL; dns_db_attach((dns_db_t *)rbtdb, &newcbarg->db); newcbarg->node = NULL; dns_db_attachnode((dns_db_t *)rbtdb, (dns_dbnode_t *)rbtnode, &newcbarg->node); newentry = NULL; result = dns_acache_createentry(acache, (dns_db_t *)rbtdb, acache_callback, newcbarg, &newentry); if (result != ISC_R_SUCCESS) goto fail; /* Set cache data in the new entry. */ result = dns_acache_setentry(acache, newentry, zone, db, version, node, fname); if (result != ISC_R_SUCCESS) goto fail; nodelock = &rbtdb->node_locks[rbtnode->locknum].lock; NODE_LOCK(nodelock, isc_rwlocktype_write); acarray = NULL; switch (type) { case dns_rdatasetadditional_fromauth: acarray = header->additional_auth; break; case dns_rdatasetadditional_fromglue: acarray = header->additional_glue; break; default: INSIST(0); } if (acarray == NULL) { unsigned int i; acarray = isc_mem_get(rbtdb->common.mctx, total_count * sizeof(acachectl_t)); if (acarray == NULL) { NODE_UNLOCK(nodelock, isc_rwlocktype_write); goto fail; } for (i = 0; i < total_count; i++) { acarray[i].entry = NULL; acarray[i].cbarg = NULL; } } switch (type) { case dns_rdatasetadditional_fromauth: header->additional_auth = acarray; break; case dns_rdatasetadditional_fromglue: header->additional_glue = acarray; break; default: INSIST(0); } if (acarray[count].entry != NULL) { /* * Swap the entry. Delay cleaning-up the old entry since * it would require a node lock. */ oldentry = acarray[count].entry; INSIST(acarray[count].cbarg != NULL); oldcbarg = acarray[count].cbarg; } acarray[count].entry = newentry; acarray[count].cbarg = newcbarg; NODE_UNLOCK(nodelock, isc_rwlocktype_write); if (oldentry != NULL) { acache_cancelentry(rbtdb->common.mctx, oldentry, &oldcbarg); dns_acache_detachentry(&oldentry); } return (ISC_R_SUCCESS); fail: if (newcbarg != NULL) { if (newentry != NULL) { acache_cancelentry(rbtdb->common.mctx, newentry, &newcbarg); dns_acache_detachentry(&newentry); } else { dns_db_detachnode((dns_db_t *)rbtdb, &newcbarg->node); dns_db_detach(&newcbarg->db); isc_mem_put(rbtdb->common.mctx, newcbarg, sizeof(*newcbarg)); } } return (result); } static isc_result_t rdataset_putadditional(dns_acache_t *acache, dns_rdataset_t *rdataset, dns_rdatasetadditional_t type, dns_rdatatype_t qtype) { dns_rbtdb_t *rbtdb = rdataset->private1; dns_rbtnode_t *rbtnode = rdataset->private2; unsigned char *raw = rdataset->private3; /* RDATASLAB */ unsigned int current_count = rdataset->privateuint4; rdatasetheader_t *header; nodelock_t *nodelock; unsigned int total_count, count; acachectl_t *acarray; dns_acacheentry_t *entry; acache_cbarg_t *cbarg; UNUSED(qtype); /* we do not use this value at least for now */ UNUSED(acache); if (type == dns_rdatasetadditional_fromcache) return (ISC_R_SUCCESS); header = (struct rdatasetheader *)(raw - sizeof(*header)); total_count = raw[0] * 256 + raw[1]; INSIST(total_count > current_count); count = total_count - current_count - 1; acarray = NULL; entry = NULL; nodelock = &rbtdb->node_locks[rbtnode->locknum].lock; NODE_LOCK(nodelock, isc_rwlocktype_write); switch (type) { case dns_rdatasetadditional_fromauth: acarray = header->additional_auth; break; case dns_rdatasetadditional_fromglue: acarray = header->additional_glue; break; default: INSIST(0); } if (acarray == NULL) { NODE_UNLOCK(nodelock, isc_rwlocktype_write); return (ISC_R_NOTFOUND); } entry = acarray[count].entry; if (entry == NULL) { NODE_UNLOCK(nodelock, isc_rwlocktype_write); return (ISC_R_NOTFOUND); } acarray[count].entry = NULL; cbarg = acarray[count].cbarg; acarray[count].cbarg = NULL; NODE_UNLOCK(nodelock, isc_rwlocktype_write); if (entry != NULL) { if (cbarg != NULL) acache_cancelentry(rbtdb->common.mctx, entry, &cbarg); dns_acache_detachentry(&entry); } return (ISC_R_SUCCESS); } /*% * Routines for LRU-based cache management. */ /*% * See if a given cache entry that is being reused needs to be updated * in the LRU-list. From the LRU management point of view, this function is * expected to return true for almost all cases. When used with threads, * however, this may cause a non-negligible performance penalty because a * writer lock will have to be acquired before updating the list. * If DNS_RBTDB_LIMITLRUUPDATE is defined to be non 0 at compilation time, this * function returns true if the entry has not been updated for some period of * time. We differentiate the NS or glue address case and the others since * experiments have shown that the former tends to be accessed relatively * infrequently and the cost of cache miss is higher (e.g., a missing NS records * may cause external queries at a higher level zone, involving more * transactions). * * Caller must hold the node (read or write) lock. */ static inline isc_boolean_t need_headerupdate(rdatasetheader_t *header, isc_stdtime_t now) { if ((header->attributes & (RDATASET_ATTR_NONEXISTENT|RDATASET_ATTR_STALE)) != 0) return (ISC_FALSE); #if DNS_RBTDB_LIMITLRUUPDATE if (header->type == dns_rdatatype_ns || (header->trust == dns_trust_glue && (header->type == dns_rdatatype_a || header->type == dns_rdatatype_aaaa))) { /* * Glue records are updated if at least 60 seconds have passed * since the previous update time. */ return (header->last_used + 60 <= now); } /* Other records are updated if 5 minutes have passed. */ return (header->last_used + 300 <= now); #else UNUSED(now); return (ISC_TRUE); #endif } /*% * Update the timestamp of a given cache entry and move it to the head * of the corresponding LRU list. * * Caller must hold the node (write) lock. * * Note that the we do NOT touch the heap here, as the TTL has not changed. */ static void update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, isc_stdtime_t now) { INSIST(IS_CACHE(rbtdb)); /* To be checked: can we really assume this? XXXMLG */ INSIST(ISC_LINK_LINKED(header, link)); ISC_LIST_UNLINK(rbtdb->rdatasets[header->node->locknum], header, link); header->last_used = now; ISC_LIST_PREPEND(rbtdb->rdatasets[header->node->locknum], header, link); } /*% * Purge some expired and/or stale (i.e. unused for some period) cache entries * under an overmem condition. To recover from this condition quickly, up to * 2 entries will be purged. This process is triggered while adding a new * entry, and we specifically avoid purging entries in the same LRU bucket as * the one to which the new entry will belong. Otherwise, we might purge * entries of the same name of different RR types while adding RRsets from a * single response (consider the case where we're adding A and AAAA glue records * of the same NS name). */ static void overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, isc_stdtime_t now, isc_boolean_t tree_locked) { rdatasetheader_t *header, *header_prev; unsigned int locknum; int purgecount = 2; for (locknum = (locknum_start + 1) % rbtdb->node_lock_count; locknum != locknum_start && purgecount > 0; locknum = (locknum + 1) % rbtdb->node_lock_count) { NODE_LOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write); header = isc_heap_element(rbtdb->heaps[locknum], 1); if (header && header->rdh_ttl <= now - RBTDB_VIRTUAL) { expire_header(rbtdb, header, tree_locked); purgecount--; } for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]); header != NULL && purgecount > 0; header = header_prev) { header_prev = ISC_LIST_PREV(header, link); /* * Unlink the entry at this point to avoid checking it * again even if it's currently used someone else and * cannot be purged at this moment. This entry won't be * referenced any more (so unlinking is safe) since the * TTL was reset to 0. */ ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link); expire_header(rbtdb, header, tree_locked); purgecount--; } NODE_UNLOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write); } } static void expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, isc_boolean_t tree_locked) { set_ttl(rbtdb, header, 0); header->attributes |= RDATASET_ATTR_STALE; header->node->dirty = 1; /* * Caller must hold the node (write) lock. */ if (dns_rbtnode_refcurrent(header->node) == 0) { /* * If no one else is using the node, we can clean it up now. * We first need to gain a new reference to the node to meet a * requirement of decrement_reference(). */ new_reference(rbtdb, header->node); decrement_reference(rbtdb, header->node, 0, isc_rwlocktype_write, tree_locked ? isc_rwlocktype_write : isc_rwlocktype_none, ISC_FALSE); } } Index: head/contrib/bind9/lib/dns/rdatalist.c =================================================================== --- head/contrib/bind9/lib/dns/rdatalist.c (revision 205291) +++ head/contrib/bind9/lib/dns/rdatalist.c (revision 205292) @@ -1,347 +1,349 @@ /* - * Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007, 2008, 2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001, 2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rdatalist.c,v 1.36 2008/09/24 02:46:22 marka Exp $ */ +/* $Id: rdatalist.c,v 1.36.336.2 2010/02/25 10:57:12 tbox Exp $ */ /*! \file */ #include #include #include #include #include #include #include #include #include "rdatalist_p.h" static dns_rdatasetmethods_t methods = { isc__rdatalist_disassociate, isc__rdatalist_first, isc__rdatalist_next, isc__rdatalist_current, isc__rdatalist_clone, isc__rdatalist_count, isc__rdatalist_addnoqname, isc__rdatalist_getnoqname, isc__rdatalist_addclosest, isc__rdatalist_getclosest, + NULL, + NULL, NULL, NULL, NULL }; void dns_rdatalist_init(dns_rdatalist_t *rdatalist) { /* * Initialize rdatalist. */ rdatalist->rdclass = 0; rdatalist->type = 0; rdatalist->covers = 0; rdatalist->ttl = 0; ISC_LIST_INIT(rdatalist->rdata); ISC_LINK_INIT(rdatalist, link); } isc_result_t dns_rdatalist_tordataset(dns_rdatalist_t *rdatalist, dns_rdataset_t *rdataset) { /* * Make 'rdataset' refer to the rdata in 'rdatalist'. */ REQUIRE(rdatalist != NULL); REQUIRE(DNS_RDATASET_VALID(rdataset)); REQUIRE(! dns_rdataset_isassociated(rdataset)); rdataset->methods = &methods; rdataset->rdclass = rdatalist->rdclass; rdataset->type = rdatalist->type; rdataset->covers = rdatalist->covers; rdataset->ttl = rdatalist->ttl; rdataset->trust = 0; rdataset->private1 = rdatalist; rdataset->private2 = NULL; rdataset->private3 = NULL; rdataset->privateuint4 = 0; rdataset->private5 = NULL; return (ISC_R_SUCCESS); } isc_result_t dns_rdatalist_fromrdataset(dns_rdataset_t *rdataset, dns_rdatalist_t **rdatalist) { REQUIRE(rdatalist != NULL && rdataset != NULL); *rdatalist = rdataset->private1; return (ISC_R_SUCCESS); } void isc__rdatalist_disassociate(dns_rdataset_t *rdataset) { UNUSED(rdataset); } isc_result_t isc__rdatalist_first(dns_rdataset_t *rdataset) { dns_rdatalist_t *rdatalist; rdatalist = rdataset->private1; rdataset->private2 = ISC_LIST_HEAD(rdatalist->rdata); if (rdataset->private2 == NULL) return (ISC_R_NOMORE); return (ISC_R_SUCCESS); } isc_result_t isc__rdatalist_next(dns_rdataset_t *rdataset) { dns_rdata_t *rdata; rdata = rdataset->private2; if (rdata == NULL) return (ISC_R_NOMORE); rdataset->private2 = ISC_LIST_NEXT(rdata, link); if (rdataset->private2 == NULL) return (ISC_R_NOMORE); return (ISC_R_SUCCESS); } void isc__rdatalist_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) { dns_rdata_t *list_rdata; list_rdata = rdataset->private2; INSIST(list_rdata != NULL); dns_rdata_clone(list_rdata, rdata); } void isc__rdatalist_clone(dns_rdataset_t *source, dns_rdataset_t *target) { *target = *source; /* * Reset iterator state. */ target->private2 = NULL; } unsigned int isc__rdatalist_count(dns_rdataset_t *rdataset) { dns_rdatalist_t *rdatalist; dns_rdata_t *rdata; unsigned int count; rdatalist = rdataset->private1; count = 0; for (rdata = ISC_LIST_HEAD(rdatalist->rdata); rdata != NULL; rdata = ISC_LIST_NEXT(rdata, link)) count++; return (count); } isc_result_t isc__rdatalist_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name) { dns_rdataset_t *neg = NULL; dns_rdataset_t *negsig = NULL; dns_rdataset_t *rdset; dns_ttl_t ttl; for (rdset = ISC_LIST_HEAD(name->list); rdset != NULL; rdset = ISC_LIST_NEXT(rdset, link)) { if (rdset->rdclass != rdataset->rdclass) continue; if (rdset->type == dns_rdatatype_nsec || rdset->type == dns_rdatatype_nsec3) neg = rdset; } if (neg == NULL) return (ISC_R_NOTFOUND); for (rdset = ISC_LIST_HEAD(name->list); rdset != NULL; rdset = ISC_LIST_NEXT(rdset, link)) { if (rdset->type == dns_rdatatype_rrsig && rdset->covers == neg->type) negsig = rdset; } if (negsig == NULL) return (ISC_R_NOTFOUND); /* * Minimise ttl. */ ttl = rdataset->ttl; if (neg->ttl < ttl) ttl = neg->ttl; if (negsig->ttl < ttl) ttl = negsig->ttl; rdataset->ttl = neg->ttl = negsig->ttl = ttl; rdataset->attributes |= DNS_RDATASETATTR_NOQNAME; rdataset->private6 = name; return (ISC_R_SUCCESS); } isc_result_t isc__rdatalist_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name, dns_rdataset_t *neg, dns_rdataset_t *negsig) { dns_rdataclass_t rdclass = rdataset->rdclass; dns_rdataset_t *tneg = NULL; dns_rdataset_t *tnegsig = NULL; dns_name_t *noqname = rdataset->private6; REQUIRE((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0); (void)dns_name_dynamic(noqname); /* Sanity Check. */ for (rdataset = ISC_LIST_HEAD(noqname->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { if (rdataset->rdclass != rdclass) continue; if (rdataset->type == dns_rdatatype_nsec || rdataset->type == dns_rdatatype_nsec3) tneg = rdataset; } if (tneg == NULL) return (ISC_R_NOTFOUND); for (rdataset = ISC_LIST_HEAD(noqname->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { if (rdataset->type == dns_rdatatype_rrsig && rdataset->covers == tneg->type) tnegsig = rdataset; } if (tnegsig == NULL) return (ISC_R_NOTFOUND); dns_name_clone(noqname, name); dns_rdataset_clone(tneg, neg); dns_rdataset_clone(tnegsig, negsig); return (ISC_R_SUCCESS); } isc_result_t isc__rdatalist_addclosest(dns_rdataset_t *rdataset, dns_name_t *name) { dns_rdataset_t *neg = NULL; dns_rdataset_t *negsig = NULL; dns_rdataset_t *rdset; dns_ttl_t ttl; for (rdset = ISC_LIST_HEAD(name->list); rdset != NULL; rdset = ISC_LIST_NEXT(rdset, link)) { if (rdset->rdclass != rdataset->rdclass) continue; if (rdset->type == dns_rdatatype_nsec || rdset->type == dns_rdatatype_nsec3) neg = rdset; } if (neg == NULL) return (ISC_R_NOTFOUND); for (rdset = ISC_LIST_HEAD(name->list); rdset != NULL; rdset = ISC_LIST_NEXT(rdset, link)) { if (rdset->type == dns_rdatatype_rrsig && rdset->covers == neg->type) negsig = rdset; } if (negsig == NULL) return (ISC_R_NOTFOUND); /* * Minimise ttl. */ ttl = rdataset->ttl; if (neg->ttl < ttl) ttl = neg->ttl; if (negsig->ttl < ttl) ttl = negsig->ttl; rdataset->ttl = neg->ttl = negsig->ttl = ttl; rdataset->attributes |= DNS_RDATASETATTR_CLOSEST; rdataset->private7 = name; return (ISC_R_SUCCESS); } isc_result_t isc__rdatalist_getclosest(dns_rdataset_t *rdataset, dns_name_t *name, dns_rdataset_t *neg, dns_rdataset_t *negsig) { dns_rdataclass_t rdclass = rdataset->rdclass; dns_rdataset_t *tneg = NULL; dns_rdataset_t *tnegsig = NULL; dns_name_t *closest = rdataset->private7; REQUIRE((rdataset->attributes & DNS_RDATASETATTR_CLOSEST) != 0); (void)dns_name_dynamic(closest); /* Sanity Check. */ for (rdataset = ISC_LIST_HEAD(closest->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { if (rdataset->rdclass != rdclass) continue; if (rdataset->type == dns_rdatatype_nsec || rdataset->type == dns_rdatatype_nsec3) tneg = rdataset; } if (tneg == NULL) return (ISC_R_NOTFOUND); for (rdataset = ISC_LIST_HEAD(closest->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { if (rdataset->type == dns_rdatatype_rrsig && rdataset->covers == tneg->type) tnegsig = rdataset; } if (tnegsig == NULL) return (ISC_R_NOTFOUND); dns_name_clone(closest, name); dns_rdataset_clone(tneg, neg); dns_rdataset_clone(tnegsig, negsig); return (ISC_R_SUCCESS); } Index: head/contrib/bind9/lib/dns/rdataset.c =================================================================== --- head/contrib/bind9/lib/dns/rdataset.c (revision 205291) +++ head/contrib/bind9/lib/dns/rdataset.c (revision 205292) @@ -1,734 +1,755 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rdataset.c,v 1.82.50.2 2009/01/18 23:47:40 tbox Exp $ */ +/* $Id: rdataset.c,v 1.82.50.2.22.2 2010/02/25 10:57:12 tbox Exp $ */ /*! \file */ #include #include #include #include #include #include #include #include #include #include #include void dns_rdataset_init(dns_rdataset_t *rdataset) { /* * Make 'rdataset' a valid, disassociated rdataset. */ REQUIRE(rdataset != NULL); rdataset->magic = DNS_RDATASET_MAGIC; rdataset->methods = NULL; ISC_LINK_INIT(rdataset, link); rdataset->rdclass = 0; rdataset->type = 0; rdataset->ttl = 0; rdataset->trust = 0; rdataset->covers = 0; rdataset->attributes = 0; rdataset->count = ISC_UINT32_MAX; rdataset->private1 = NULL; rdataset->private2 = NULL; rdataset->private3 = NULL; rdataset->privateuint4 = 0; rdataset->private5 = NULL; rdataset->private6 = NULL; rdataset->resign = 0; } void dns_rdataset_invalidate(dns_rdataset_t *rdataset) { /* * Invalidate 'rdataset'. */ REQUIRE(DNS_RDATASET_VALID(rdataset)); REQUIRE(rdataset->methods == NULL); rdataset->magic = 0; ISC_LINK_INIT(rdataset, link); rdataset->rdclass = 0; rdataset->type = 0; rdataset->ttl = 0; rdataset->trust = 0; rdataset->covers = 0; rdataset->attributes = 0; rdataset->count = ISC_UINT32_MAX; rdataset->private1 = NULL; rdataset->private2 = NULL; rdataset->private3 = NULL; rdataset->privateuint4 = 0; rdataset->private5 = NULL; } void dns_rdataset_disassociate(dns_rdataset_t *rdataset) { /* * Disassociate 'rdataset' from its rdata, allowing it to be reused. */ REQUIRE(DNS_RDATASET_VALID(rdataset)); REQUIRE(rdataset->methods != NULL); (rdataset->methods->disassociate)(rdataset); rdataset->methods = NULL; ISC_LINK_INIT(rdataset, link); rdataset->rdclass = 0; rdataset->type = 0; rdataset->ttl = 0; rdataset->trust = 0; rdataset->covers = 0; rdataset->attributes = 0; rdataset->count = ISC_UINT32_MAX; rdataset->private1 = NULL; rdataset->private2 = NULL; rdataset->private3 = NULL; rdataset->privateuint4 = 0; rdataset->private5 = NULL; rdataset->private6 = NULL; } isc_boolean_t dns_rdataset_isassociated(dns_rdataset_t *rdataset) { /* * Is 'rdataset' associated? */ REQUIRE(DNS_RDATASET_VALID(rdataset)); if (rdataset->methods != NULL) return (ISC_TRUE); return (ISC_FALSE); } static void question_disassociate(dns_rdataset_t *rdataset) { UNUSED(rdataset); } static isc_result_t question_cursor(dns_rdataset_t *rdataset) { UNUSED(rdataset); return (ISC_R_NOMORE); } static void question_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) { /* * This routine should never be called. */ UNUSED(rdataset); UNUSED(rdata); REQUIRE(0); } static void question_clone(dns_rdataset_t *source, dns_rdataset_t *target) { *target = *source; } static unsigned int question_count(dns_rdataset_t *rdataset) { /* * This routine should never be called. */ UNUSED(rdataset); REQUIRE(0); return (0); } static dns_rdatasetmethods_t question_methods = { question_disassociate, question_cursor, question_cursor, question_current, question_clone, question_count, NULL, NULL, NULL, NULL, NULL, NULL, + NULL, + NULL, NULL }; void dns_rdataset_makequestion(dns_rdataset_t *rdataset, dns_rdataclass_t rdclass, dns_rdatatype_t type) { /* * Make 'rdataset' a valid, associated, question rdataset, with a * question class of 'rdclass' and type 'type'. */ REQUIRE(DNS_RDATASET_VALID(rdataset)); REQUIRE(rdataset->methods == NULL); rdataset->methods = &question_methods; rdataset->rdclass = rdclass; rdataset->type = type; rdataset->attributes |= DNS_RDATASETATTR_QUESTION; } unsigned int dns_rdataset_count(dns_rdataset_t *rdataset) { /* * Return the number of records in 'rdataset'. */ REQUIRE(DNS_RDATASET_VALID(rdataset)); REQUIRE(rdataset->methods != NULL); return ((rdataset->methods->count)(rdataset)); } void dns_rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) { /* * Make 'target' refer to the same rdataset as 'source'. */ REQUIRE(DNS_RDATASET_VALID(source)); REQUIRE(source->methods != NULL); REQUIRE(DNS_RDATASET_VALID(target)); REQUIRE(target->methods == NULL); (source->methods->clone)(source, target); } isc_result_t dns_rdataset_first(dns_rdataset_t *rdataset) { /* * Move the rdata cursor to the first rdata in the rdataset (if any). */ REQUIRE(DNS_RDATASET_VALID(rdataset)); REQUIRE(rdataset->methods != NULL); return ((rdataset->methods->first)(rdataset)); } isc_result_t dns_rdataset_next(dns_rdataset_t *rdataset) { /* * Move the rdata cursor to the next rdata in the rdataset (if any). */ REQUIRE(DNS_RDATASET_VALID(rdataset)); REQUIRE(rdataset->methods != NULL); return ((rdataset->methods->next)(rdataset)); } void dns_rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) { /* * Make 'rdata' refer to the current rdata. */ REQUIRE(DNS_RDATASET_VALID(rdataset)); REQUIRE(rdataset->methods != NULL); (rdataset->methods->current)(rdataset, rdata); } #define MAX_SHUFFLE 32 #define WANT_FIXED(r) (((r)->attributes & DNS_RDATASETATTR_FIXEDORDER) != 0) #define WANT_RANDOM(r) (((r)->attributes & DNS_RDATASETATTR_RANDOMIZE) != 0) struct towire_sort { int key; dns_rdata_t *rdata; }; static int towire_compare(const void *av, const void *bv) { const struct towire_sort *a = (const struct towire_sort *) av; const struct towire_sort *b = (const struct towire_sort *) bv; return (a->key - b->key); } static isc_result_t towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name, dns_compress_t *cctx, isc_buffer_t *target, dns_rdatasetorderfunc_t order, const void *order_arg, isc_boolean_t partial, unsigned int options, unsigned int *countp, void **state) { dns_rdata_t rdata = DNS_RDATA_INIT; isc_region_t r; isc_result_t result; unsigned int i, count, added, choice; isc_buffer_t savedbuffer, rdlen, rrbuffer; unsigned int headlen; isc_boolean_t question = ISC_FALSE; isc_boolean_t shuffle = ISC_FALSE; dns_rdata_t *shuffled = NULL, shuffled_fixed[MAX_SHUFFLE]; struct towire_sort *sorted = NULL, sorted_fixed[MAX_SHUFFLE]; UNUSED(state); /* * Convert 'rdataset' to wire format, compressing names as specified * in cctx, and storing the result in 'target'. */ REQUIRE(DNS_RDATASET_VALID(rdataset)); REQUIRE(countp != NULL); REQUIRE((order == NULL) == (order_arg == NULL)); REQUIRE(cctx != NULL && cctx->mctx != NULL); count = 0; if ((rdataset->attributes & DNS_RDATASETATTR_QUESTION) != 0) { question = ISC_TRUE; count = 1; result = dns_rdataset_first(rdataset); INSIST(result == ISC_R_NOMORE); } else if (rdataset->type == 0) { /* * This is a negative caching rdataset. */ unsigned int ncache_opts = 0; if ((options & DNS_RDATASETTOWIRE_OMITDNSSEC) != 0) ncache_opts |= DNS_NCACHETOWIRE_OMITDNSSEC; return (dns_ncache_towire(rdataset, cctx, target, ncache_opts, countp)); } else { count = (rdataset->methods->count)(rdataset); result = dns_rdataset_first(rdataset); if (result == ISC_R_NOMORE) return (ISC_R_SUCCESS); if (result != ISC_R_SUCCESS) return (result); } /* * Do we want to shuffle this answer? */ if (!question && count > 1 && (!WANT_FIXED(rdataset) || order != NULL) && rdataset->type != dns_rdatatype_rrsig) shuffle = ISC_TRUE; if (shuffle && count > MAX_SHUFFLE) { shuffled = isc_mem_get(cctx->mctx, count * sizeof(*shuffled)); sorted = isc_mem_get(cctx->mctx, count * sizeof(*sorted)); if (shuffled == NULL || sorted == NULL) shuffle = ISC_FALSE; } else { shuffled = shuffled_fixed; sorted = sorted_fixed; } if (shuffle) { /* * First we get handles to all of the rdata. */ i = 0; do { INSIST(i < count); dns_rdata_init(&shuffled[i]); dns_rdataset_current(rdataset, &shuffled[i]); i++; result = dns_rdataset_next(rdataset); } while (result == ISC_R_SUCCESS); if (result != ISC_R_NOMORE) goto cleanup; INSIST(i == count); /* * Now we shuffle. */ if (WANT_FIXED(rdataset)) { /* * 'Fixed' order. */ INSIST(order != NULL); for (i = 0; i < count; i++) { sorted[i].key = (*order)(&shuffled[i], order_arg); sorted[i].rdata = &shuffled[i]; } } else if (WANT_RANDOM(rdataset)) { /* * 'Random' order. */ for (i = 0; i < count; i++) { dns_rdata_t rdata; isc_uint32_t val; isc_random_get(&val); choice = i + (val % (count - i)); rdata = shuffled[i]; shuffled[i] = shuffled[choice]; shuffled[choice] = rdata; if (order != NULL) sorted[i].key = (*order)(&shuffled[i], order_arg); else sorted[i].key = 0; /* Unused */ sorted[i].rdata = &shuffled[i]; } } else { /* * "Cyclic" order. */ isc_uint32_t val; unsigned int j; val = rdataset->count; if (val == ISC_UINT32_MAX) isc_random_get(&val); j = val % count; for (i = 0; i < count; i++) { if (order != NULL) sorted[j].key = (*order)(&shuffled[i], order_arg); else sorted[j].key = 0; /* Unused */ sorted[j].rdata = &shuffled[i]; j++; if (j == count) j = 0; /* Wrap around. */ } } /* * Sorted order. */ if (order != NULL) qsort(sorted, count, sizeof(sorted[0]), towire_compare); } savedbuffer = *target; i = 0; added = 0; do { /* * Copy out the name, type, class, ttl. */ rrbuffer = *target; dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14); result = dns_name_towire(owner_name, cctx, target); if (result != ISC_R_SUCCESS) goto rollback; headlen = sizeof(dns_rdataclass_t) + sizeof(dns_rdatatype_t); if (!question) headlen += sizeof(dns_ttl_t) + 2; /* XXX 2 for rdata len */ isc_buffer_availableregion(target, &r); if (r.length < headlen) { result = ISC_R_NOSPACE; goto rollback; } isc_buffer_putuint16(target, rdataset->type); isc_buffer_putuint16(target, rdataset->rdclass); if (!question) { isc_buffer_putuint32(target, rdataset->ttl); /* * Save space for rdlen. */ rdlen = *target; isc_buffer_add(target, 2); /* * Copy out the rdata */ if (shuffle) rdata = *(sorted[i].rdata); else { dns_rdata_reset(&rdata); dns_rdataset_current(rdataset, &rdata); } result = dns_rdata_towire(&rdata, cctx, target); if (result != ISC_R_SUCCESS) goto rollback; INSIST((target->used >= rdlen.used + 2) && (target->used - rdlen.used - 2 < 65536)); isc_buffer_putuint16(&rdlen, (isc_uint16_t)(target->used - rdlen.used - 2)); added++; } if (shuffle) { i++; if (i == count) result = ISC_R_NOMORE; else result = ISC_R_SUCCESS; } else { result = dns_rdataset_next(rdataset); } } while (result == ISC_R_SUCCESS); if (result != ISC_R_NOMORE) goto rollback; *countp += count; result = ISC_R_SUCCESS; goto cleanup; rollback: if (partial && result == ISC_R_NOSPACE) { INSIST(rrbuffer.used < 65536); dns_compress_rollback(cctx, (isc_uint16_t)rrbuffer.used); *countp += added; *target = rrbuffer; goto cleanup; } INSIST(savedbuffer.used < 65536); dns_compress_rollback(cctx, (isc_uint16_t)savedbuffer.used); *countp = 0; *target = savedbuffer; cleanup: if (sorted != NULL && sorted != sorted_fixed) isc_mem_put(cctx->mctx, sorted, count * sizeof(*sorted)); if (shuffled != NULL && shuffled != shuffled_fixed) isc_mem_put(cctx->mctx, shuffled, count * sizeof(*shuffled)); return (result); } isc_result_t dns_rdataset_towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name, dns_compress_t *cctx, isc_buffer_t *target, dns_rdatasetorderfunc_t order, const void *order_arg, unsigned int options, unsigned int *countp) { return (towiresorted(rdataset, owner_name, cctx, target, order, order_arg, ISC_FALSE, options, countp, NULL)); } isc_result_t dns_rdataset_towirepartial(dns_rdataset_t *rdataset, const dns_name_t *owner_name, dns_compress_t *cctx, isc_buffer_t *target, dns_rdatasetorderfunc_t order, const void *order_arg, unsigned int options, unsigned int *countp, void **state) { REQUIRE(state == NULL); /* XXX remove when implemented */ return (towiresorted(rdataset, owner_name, cctx, target, order, order_arg, ISC_TRUE, options, countp, state)); } isc_result_t dns_rdataset_towire(dns_rdataset_t *rdataset, dns_name_t *owner_name, dns_compress_t *cctx, isc_buffer_t *target, unsigned int options, unsigned int *countp) { return (towiresorted(rdataset, owner_name, cctx, target, NULL, NULL, ISC_FALSE, options, countp, NULL)); } isc_result_t dns_rdataset_additionaldata(dns_rdataset_t *rdataset, dns_additionaldatafunc_t add, void *arg) { dns_rdata_t rdata = DNS_RDATA_INIT; isc_result_t result; /* * For each rdata in rdataset, call 'add' for each name and type in the * rdata which is subject to additional section processing. */ REQUIRE(DNS_RDATASET_VALID(rdataset)); REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0); result = dns_rdataset_first(rdataset); if (result != ISC_R_SUCCESS) return (result); do { dns_rdataset_current(rdataset, &rdata); result = dns_rdata_additionaldata(&rdata, add, arg); if (result == ISC_R_SUCCESS) result = dns_rdataset_next(rdataset); dns_rdata_reset(&rdata); } while (result == ISC_R_SUCCESS); if (result != ISC_R_NOMORE) return (result); return (ISC_R_SUCCESS); } isc_result_t dns_rdataset_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name) { REQUIRE(DNS_RDATASET_VALID(rdataset)); REQUIRE(rdataset->methods != NULL); if (rdataset->methods->addnoqname == NULL) return (ISC_R_NOTIMPLEMENTED); return((rdataset->methods->addnoqname)(rdataset, name)); } isc_result_t dns_rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name, dns_rdataset_t *neg, dns_rdataset_t *negsig) { REQUIRE(DNS_RDATASET_VALID(rdataset)); REQUIRE(rdataset->methods != NULL); if (rdataset->methods->getnoqname == NULL) return (ISC_R_NOTIMPLEMENTED); return((rdataset->methods->getnoqname)(rdataset, name, neg, negsig)); } isc_result_t dns_rdataset_addclosest(dns_rdataset_t *rdataset, dns_name_t *name) { REQUIRE(DNS_RDATASET_VALID(rdataset)); REQUIRE(rdataset->methods != NULL); if (rdataset->methods->addclosest == NULL) return (ISC_R_NOTIMPLEMENTED); return((rdataset->methods->addclosest)(rdataset, name)); } isc_result_t dns_rdataset_getclosest(dns_rdataset_t *rdataset, dns_name_t *name, dns_rdataset_t *neg, dns_rdataset_t *negsig) { REQUIRE(DNS_RDATASET_VALID(rdataset)); REQUIRE(rdataset->methods != NULL); if (rdataset->methods->getclosest == NULL) return (ISC_R_NOTIMPLEMENTED); return((rdataset->methods->getclosest)(rdataset, name, neg, negsig)); } /* * Additional cache stuff */ isc_result_t dns_rdataset_getadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type, dns_rdatatype_t qtype, dns_acache_t *acache, dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp, dns_dbnode_t **nodep, dns_name_t *fname, dns_message_t *msg, isc_stdtime_t now) { REQUIRE(DNS_RDATASET_VALID(rdataset)); REQUIRE(rdataset->methods != NULL); REQUIRE(zonep == NULL || *zonep == NULL); REQUIRE(dbp != NULL && *dbp == NULL); REQUIRE(versionp != NULL && *versionp == NULL); REQUIRE(nodep != NULL && *nodep == NULL); REQUIRE(fname != NULL); REQUIRE(msg != NULL); if (acache != NULL && rdataset->methods->getadditional != NULL) { return ((rdataset->methods->getadditional)(rdataset, type, qtype, acache, zonep, dbp, versionp, nodep, fname, msg, now)); } return (ISC_R_FAILURE); } isc_result_t dns_rdataset_setadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type, dns_rdatatype_t qtype, dns_acache_t *acache, dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node, dns_name_t *fname) { REQUIRE(DNS_RDATASET_VALID(rdataset)); REQUIRE(rdataset->methods != NULL); if (acache != NULL && rdataset->methods->setadditional != NULL) { return ((rdataset->methods->setadditional)(rdataset, type, qtype, acache, zone, db, version, node, fname)); } return (ISC_R_FAILURE); } isc_result_t dns_rdataset_putadditional(dns_acache_t *acache, dns_rdataset_t *rdataset, dns_rdatasetadditional_t type, dns_rdatatype_t qtype) { REQUIRE(DNS_RDATASET_VALID(rdataset)); REQUIRE(rdataset->methods != NULL); if (acache != NULL && rdataset->methods->putadditional != NULL) { return ((rdataset->methods->putadditional)(acache, rdataset, type, qtype)); } return (ISC_R_FAILURE); } +void +dns_rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust) { + REQUIRE(DNS_RDATASET_VALID(rdataset)); + REQUIRE(rdataset->methods != NULL); + + if (rdataset->methods->settrust != NULL) + (rdataset->methods->settrust)(rdataset, trust); + else + rdataset->trust = trust; +} + +void +dns_rdataset_expire(dns_rdataset_t *rdataset) { + REQUIRE(DNS_RDATASET_VALID(rdataset)); + REQUIRE(rdataset->methods != NULL); + + if (rdataset->methods->expire != NULL) + (rdataset->methods->expire)(rdataset); +} Index: head/contrib/bind9/lib/dns/rdataslab.c =================================================================== --- head/contrib/bind9/lib/dns/rdataslab.c (revision 205291) +++ head/contrib/bind9/lib/dns/rdataslab.c (revision 205292) @@ -1,1092 +1,1094 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rdataslab.c,v 1.48.50.2 2009/01/18 23:47:40 tbox Exp $ */ +/* $Id: rdataslab.c,v 1.48.50.2.22.2 2010/02/25 10:57:12 tbox Exp $ */ /*! \file */ #include #include #include #include #include /* Required for HP/UX (and others?) */ #include #include #include #include #include /* * The rdataslab structure allows iteration to occur in both load order * and DNSSEC order. The structure is as follows: * * header (reservelen bytes) * record count (2 bytes) * offset table (4 x record count bytes in load order) * data records * data length (2 bytes) * order (2 bytes) * meta data (1 byte for RRSIG's) * data (data length bytes) * * If DNS_RDATASET_FIXED is defined to be zero (0) the format of a * rdataslab is as follows: * * header (reservelen bytes) * record count (2 bytes) * data records * data length (2 bytes) * data (data length bytes) * * Offsets are from the end of the header. * * Load order traversal is performed by walking the offset table to find * the start of the record (DNS_RDATASET_FIXED = 1). * * DNSSEC order traversal is performed by walking the data records. * * The order is stored with record to allow for efficient reconstruction * of the offset table following a merge or subtraction. * * The iterator methods here currently only support DNSSEC order iteration. * * The iterator methods in rbtdb support both load order and DNSSEC order * iteration. * * WARNING: * rbtdb.c directly interacts with the slab's raw structures. If the * structure changes then rbtdb.c also needs to be updated to reflect * the changes. See the areas tagged with "RDATASLAB". */ struct xrdata { dns_rdata_t rdata; unsigned int order; }; /*% Note: the "const void *" are just to make qsort happy. */ static int compare_rdata(const void *p1, const void *p2) { const struct xrdata *x1 = p1; const struct xrdata *x2 = p2; return (dns_rdata_compare(&x1->rdata, &x2->rdata)); } #if DNS_RDATASET_FIXED static void fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable, unsigned length) { unsigned int i, j; unsigned char *raw; for (i = 0, j = 0; i < length; i++) { if (offsettable[i] == 0) continue; /* * Fill in offset table. */ raw = &offsetbase[j*4 + 2]; *raw++ = (offsettable[i] & 0xff000000) >> 24; *raw++ = (offsettable[i] & 0xff0000) >> 16; *raw++ = (offsettable[i] & 0xff00) >> 8; *raw = offsettable[i] & 0xff; /* * Fill in table index. */ raw = offsetbase + offsettable[i] + 2; *raw++ = (j & 0xff00) >> 8; *raw = j++ & 0xff; } } #endif isc_result_t dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx, isc_region_t *region, unsigned int reservelen) { struct xrdata *x; unsigned char *rawbuf; #if DNS_RDATASET_FIXED unsigned char *offsetbase; #endif unsigned int buflen; isc_result_t result; unsigned int nitems; unsigned int nalloc; unsigned int i; #if DNS_RDATASET_FIXED unsigned int *offsettable; #endif unsigned int length; buflen = reservelen + 2; nalloc = dns_rdataset_count(rdataset); nitems = nalloc; if (nitems == 0) return (ISC_R_FAILURE); if (nalloc > 0xffff) return (ISC_R_NOSPACE); x = isc_mem_get(mctx, nalloc * sizeof(struct xrdata)); if (x == NULL) return (ISC_R_NOMEMORY); /* * Save all of the rdata members into an array. */ result = dns_rdataset_first(rdataset); if (result != ISC_R_SUCCESS) goto free_rdatas; for (i = 0; i < nalloc && result == ISC_R_SUCCESS; i++) { INSIST(result == ISC_R_SUCCESS); dns_rdata_init(&x[i].rdata); dns_rdataset_current(rdataset, &x[i].rdata); #if DNS_RDATASET_FIXED x[i].order = i; #endif result = dns_rdataset_next(rdataset); } if (result != ISC_R_NOMORE) goto free_rdatas; if (i != nalloc) { /* * Somehow we iterated over fewer rdatas than * dns_rdataset_count() said there were! */ result = ISC_R_FAILURE; goto free_rdatas; } /* * Put into DNSSEC order. */ qsort(x, nalloc, sizeof(struct xrdata), compare_rdata); /* * Remove duplicates and compute the total storage required. * * If an rdata is not a duplicate, accumulate the storage size * required for the rdata. We do not store the class, type, etc, * just the rdata, so our overhead is 2 bytes for the number of * records, and 8 for each rdata, (length(2), offset(4) and order(2)) * and then the rdata itself. */ for (i = 1; i < nalloc; i++) { if (compare_rdata(&x[i-1].rdata, &x[i].rdata) == 0) { x[i-1].rdata.data = NULL; x[i-1].rdata.length = 0; #if DNS_RDATASET_FIXED /* * Preserve the least order so A, B, A -> A, B * after duplicate removal. */ if (x[i-1].order < x[i].order) x[i].order = x[i-1].order; #endif nitems--; } else { #if DNS_RDATASET_FIXED buflen += (8 + x[i-1].rdata.length); #else buflen += (2 + x[i-1].rdata.length); #endif /* * Provide space to store the per RR meta data. */ if (rdataset->type == dns_rdatatype_rrsig) buflen++; } } /* * Don't forget the last item! */ #if DNS_RDATASET_FIXED buflen += (8 + x[i-1].rdata.length); #else buflen += (2 + x[i-1].rdata.length); #endif /* * Provide space to store the per RR meta data. */ if (rdataset->type == dns_rdatatype_rrsig) buflen++; /* * Ensure that singleton types are actually singletons. */ if (nitems > 1 && dns_rdatatype_issingleton(rdataset->type)) { /* * We have a singleton type, but there's more than one * RR in the rdataset. */ result = DNS_R_SINGLETON; goto free_rdatas; } /* * Allocate the memory, set up a buffer, start copying in * data. */ rawbuf = isc_mem_get(mctx, buflen); if (rawbuf == NULL) { result = ISC_R_NOMEMORY; goto free_rdatas; } #if DNS_RDATASET_FIXED /* Allocate temporary offset table. */ offsettable = isc_mem_get(mctx, nalloc * sizeof(unsigned int)); if (offsettable == NULL) { isc_mem_put(mctx, rawbuf, buflen); result = ISC_R_NOMEMORY; goto free_rdatas; } memset(offsettable, 0, nalloc * sizeof(unsigned int)); #endif region->base = rawbuf; region->length = buflen; rawbuf += reservelen; #if DNS_RDATASET_FIXED offsetbase = rawbuf; #endif *rawbuf++ = (nitems & 0xff00) >> 8; *rawbuf++ = (nitems & 0x00ff); #if DNS_RDATASET_FIXED /* Skip load order table. Filled in later. */ rawbuf += nitems * 4; #endif for (i = 0; i < nalloc; i++) { if (x[i].rdata.data == NULL) continue; #if DNS_RDATASET_FIXED offsettable[x[i].order] = rawbuf - offsetbase; #endif length = x[i].rdata.length; if (rdataset->type == dns_rdatatype_rrsig) length++; *rawbuf++ = (length & 0xff00) >> 8; *rawbuf++ = (length & 0x00ff); #if DNS_RDATASET_FIXED rawbuf += 2; /* filled in later */ #endif /* * Store the per RR meta data. */ if (rdataset->type == dns_rdatatype_rrsig) { *rawbuf++ |= (x[i].rdata.flags & DNS_RDATA_OFFLINE) ? DNS_RDATASLAB_OFFLINE : 0; } memcpy(rawbuf, x[i].rdata.data, x[i].rdata.length); rawbuf += x[i].rdata.length; } #if DNS_RDATASET_FIXED fillin_offsets(offsetbase, offsettable, nalloc); isc_mem_put(mctx, offsettable, nalloc * sizeof(unsigned int)); #endif result = ISC_R_SUCCESS; free_rdatas: isc_mem_put(mctx, x, nalloc * sizeof(struct xrdata)); return (result); } static void rdataset_disassociate(dns_rdataset_t *rdataset) { UNUSED(rdataset); } static isc_result_t rdataset_first(dns_rdataset_t *rdataset) { unsigned char *raw = rdataset->private3; unsigned int count; count = raw[0] * 256 + raw[1]; if (count == 0) { rdataset->private5 = NULL; return (ISC_R_NOMORE); } #if DNS_RDATASET_FIXED raw += 2 + (4 * count); #else raw += 2; #endif /* * The privateuint4 field is the number of rdata beyond the cursor * position, so we decrement the total count by one before storing * it. */ count--; rdataset->privateuint4 = count; rdataset->private5 = raw; return (ISC_R_SUCCESS); } static isc_result_t rdataset_next(dns_rdataset_t *rdataset) { unsigned int count; unsigned int length; unsigned char *raw; count = rdataset->privateuint4; if (count == 0) return (ISC_R_NOMORE); count--; rdataset->privateuint4 = count; raw = rdataset->private5; length = raw[0] * 256 + raw[1]; #if DNS_RDATASET_FIXED raw += length + 4; #else raw += length + 2; #endif rdataset->private5 = raw; return (ISC_R_SUCCESS); } static void rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) { unsigned char *raw = rdataset->private5; isc_region_t r; unsigned int length; unsigned int flags = 0; REQUIRE(raw != NULL); length = raw[0] * 256 + raw[1]; #if DNS_RDATASET_FIXED raw += 4; #else raw += 2; #endif if (rdataset->type == dns_rdatatype_rrsig) { if (*raw & DNS_RDATASLAB_OFFLINE) flags |= DNS_RDATA_OFFLINE; length--; raw++; } r.length = length; r.base = raw; dns_rdata_fromregion(rdata, rdataset->rdclass, rdataset->type, &r); rdata->flags |= flags; } static void rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) { *target = *source; /* * Reset iterator state. */ target->privateuint4 = 0; target->private5 = NULL; } static unsigned int rdataset_count(dns_rdataset_t *rdataset) { unsigned char *raw = rdataset->private3; unsigned int count; count = raw[0] * 256 + raw[1]; return (count); } static dns_rdatasetmethods_t rdataset_methods = { rdataset_disassociate, rdataset_first, rdataset_next, rdataset_current, rdataset_clone, rdataset_count, + NULL, + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }; void dns_rdataslab_tordataset(unsigned char *slab, unsigned int reservelen, dns_rdataclass_t rdclass, dns_rdatatype_t rdtype, dns_rdatatype_t covers, dns_ttl_t ttl, dns_rdataset_t *rdataset) { REQUIRE(slab != NULL); REQUIRE(!dns_rdataset_isassociated(rdataset)); rdataset->methods = &rdataset_methods; rdataset->rdclass = rdclass; rdataset->type = rdtype; rdataset->covers = covers; rdataset->ttl = ttl; rdataset->trust = 0; rdataset->private1 = NULL; rdataset->private2 = NULL; rdataset->private3 = slab + reservelen; /* * Reset iterator state. */ rdataset->privateuint4 = 0; rdataset->private5 = NULL; } unsigned int dns_rdataslab_size(unsigned char *slab, unsigned int reservelen) { unsigned int count, length; unsigned char *current; REQUIRE(slab != NULL); current = slab + reservelen; count = *current++ * 256; count += *current++; #if DNS_RDATASET_FIXED current += (4 * count); #endif while (count > 0) { count--; length = *current++ * 256; length += *current++; #if DNS_RDATASET_FIXED current += length + 2; #else current += length; #endif } return ((unsigned int)(current - slab)); } /* * Make the dns_rdata_t 'rdata' refer to the slab item * beginning at '*current', which is part of a slab of type * 'type' and class 'rdclass', and advance '*current' to * point to the next item in the slab. */ static inline void rdata_from_slab(unsigned char **current, dns_rdataclass_t rdclass, dns_rdatatype_t type, dns_rdata_t *rdata) { unsigned char *tcurrent = *current; isc_region_t region; unsigned int length; isc_boolean_t offline = ISC_FALSE; length = *tcurrent++ * 256; length += *tcurrent++; if (type == dns_rdatatype_rrsig) { if ((*tcurrent & DNS_RDATASLAB_OFFLINE) != 0) offline = ISC_TRUE; length--; tcurrent++; } region.length = length; #if DNS_RDATASET_FIXED tcurrent += 2; #endif region.base = tcurrent; tcurrent += region.length; dns_rdata_fromregion(rdata, rdclass, type, ®ion); if (offline) rdata->flags |= DNS_RDATA_OFFLINE; *current = tcurrent; } /* * Return true iff 'slab' (slab data of type 'type' and class 'rdclass') * contains an rdata identical to 'rdata'. This does case insensitive * comparisons per DNSSEC. */ static inline isc_boolean_t rdata_in_slab(unsigned char *slab, unsigned int reservelen, dns_rdataclass_t rdclass, dns_rdatatype_t type, dns_rdata_t *rdata) { unsigned int count, i; unsigned char *current; dns_rdata_t trdata = DNS_RDATA_INIT; int n; current = slab + reservelen; count = *current++ * 256; count += *current++; #if DNS_RDATASET_FIXED current += (4 * count); #endif for (i = 0; i < count; i++) { rdata_from_slab(¤t, rdclass, type, &trdata); n = dns_rdata_compare(&trdata, rdata); if (n == 0) return (ISC_TRUE); if (n > 0) /* In DNSSEC order. */ break; dns_rdata_reset(&trdata); } return (ISC_FALSE); } isc_result_t dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab, unsigned int reservelen, isc_mem_t *mctx, dns_rdataclass_t rdclass, dns_rdatatype_t type, unsigned int flags, unsigned char **tslabp) { unsigned char *ocurrent, *ostart, *ncurrent, *tstart, *tcurrent, *data; unsigned int ocount, ncount, count, olength, tlength, tcount, length; dns_rdata_t ordata = DNS_RDATA_INIT; dns_rdata_t nrdata = DNS_RDATA_INIT; isc_boolean_t added_something = ISC_FALSE; unsigned int oadded = 0; unsigned int nadded = 0; unsigned int nncount = 0; #if DNS_RDATASET_FIXED unsigned int oncount; unsigned int norder = 0; unsigned int oorder = 0; unsigned char *offsetbase; unsigned int *offsettable; #endif /* * XXX Need parameter to allow "delete rdatasets in nslab" merge, * or perhaps another merge routine for this purpose. */ REQUIRE(tslabp != NULL && *tslabp == NULL); REQUIRE(oslab != NULL && nslab != NULL); ocurrent = oslab + reservelen; ocount = *ocurrent++ * 256; ocount += *ocurrent++; #if DNS_RDATASET_FIXED ocurrent += (4 * ocount); #endif ostart = ocurrent; ncurrent = nslab + reservelen; ncount = *ncurrent++ * 256; ncount += *ncurrent++; #if DNS_RDATASET_FIXED ncurrent += (4 * ncount); #endif INSIST(ocount > 0 && ncount > 0); #if DNS_RDATASET_FIXED oncount = ncount; #endif /* * Yes, this is inefficient! */ /* * Figure out the length of the old slab's data. */ olength = 0; for (count = 0; count < ocount; count++) { length = *ocurrent++ * 256; length += *ocurrent++; #if DNS_RDATASET_FIXED olength += length + 8; ocurrent += length + 2; #else olength += length + 2; ocurrent += length; #endif } /* * Start figuring out the target length and count. */ tlength = reservelen + 2 + olength; tcount = ocount; /* * Add in the length of rdata in the new slab that aren't in * the old slab. */ do { dns_rdata_init(&nrdata); rdata_from_slab(&ncurrent, rdclass, type, &nrdata); if (!rdata_in_slab(oslab, reservelen, rdclass, type, &nrdata)) { /* * This rdata isn't in the old slab. */ #if DNS_RDATASET_FIXED tlength += nrdata.length + 8; #else tlength += nrdata.length + 2; #endif if (type == dns_rdatatype_rrsig) tlength++; tcount++; nncount++; added_something = ISC_TRUE; } ncount--; } while (ncount > 0); ncount = nncount; if (((flags & DNS_RDATASLAB_EXACT) != 0) && (tcount != ncount + ocount)) return (DNS_R_NOTEXACT); if (!added_something && (flags & DNS_RDATASLAB_FORCE) == 0) return (DNS_R_UNCHANGED); /* * Ensure that singleton types are actually singletons. */ if (tcount > 1 && dns_rdatatype_issingleton(type)) { /* * We have a singleton type, but there's more than one * RR in the rdataset. */ return (DNS_R_SINGLETON); } if (tcount > 0xffff) return (ISC_R_NOSPACE); /* * Copy the reserved area from the new slab. */ tstart = isc_mem_get(mctx, tlength); if (tstart == NULL) return (ISC_R_NOMEMORY); memcpy(tstart, nslab, reservelen); tcurrent = tstart + reservelen; #if DNS_RDATASET_FIXED offsetbase = tcurrent; #endif /* * Write the new count. */ *tcurrent++ = (tcount & 0xff00) >> 8; *tcurrent++ = (tcount & 0x00ff); #if DNS_RDATASET_FIXED /* * Skip offset table. */ tcurrent += (tcount * 4); offsettable = isc_mem_get(mctx, (ocount + oncount) * sizeof(unsigned int)); if (offsettable == NULL) { isc_mem_put(mctx, tstart, tlength); return (ISC_R_NOMEMORY); } memset(offsettable, 0, (ocount + oncount) * sizeof(unsigned int)); #endif /* * Merge the two slabs. */ ocurrent = ostart; INSIST(ocount != 0); #if DNS_RDATASET_FIXED oorder = ocurrent[2] * 256 + ocurrent[3]; INSIST(oorder < ocount); #endif rdata_from_slab(&ocurrent, rdclass, type, &ordata); ncurrent = nslab + reservelen + 2; #if DNS_RDATASET_FIXED ncurrent += (4 * oncount); #endif if (ncount > 0) { do { dns_rdata_reset(&nrdata); #if DNS_RDATASET_FIXED norder = ncurrent[2] * 256 + ncurrent[3]; INSIST(norder < oncount); #endif rdata_from_slab(&ncurrent, rdclass, type, &nrdata); } while (rdata_in_slab(oslab, reservelen, rdclass, type, &nrdata)); } while (oadded < ocount || nadded < ncount) { isc_boolean_t fromold; if (oadded == ocount) fromold = ISC_FALSE; else if (nadded == ncount) fromold = ISC_TRUE; else fromold = ISC_TF(compare_rdata(&ordata, &nrdata) < 0); if (fromold) { #if DNS_RDATASET_FIXED offsettable[oorder] = tcurrent - offsetbase; #endif length = ordata.length; data = ordata.data; if (type == dns_rdatatype_rrsig) { length++; data--; } *tcurrent++ = (length & 0xff00) >> 8; *tcurrent++ = (length & 0x00ff); #if DNS_RDATASET_FIXED tcurrent += 2; /* fill in later */ #endif memcpy(tcurrent, data, length); tcurrent += length; oadded++; if (oadded < ocount) { dns_rdata_reset(&ordata); #if DNS_RDATASET_FIXED oorder = ocurrent[2] * 256 + ocurrent[3]; INSIST(oorder < ocount); #endif rdata_from_slab(&ocurrent, rdclass, type, &ordata); } } else { #if DNS_RDATASET_FIXED offsettable[ocount + norder] = tcurrent - offsetbase; #endif length = nrdata.length; data = nrdata.data; if (type == dns_rdatatype_rrsig) { length++; data--; } *tcurrent++ = (length & 0xff00) >> 8; *tcurrent++ = (length & 0x00ff); #if DNS_RDATASET_FIXED tcurrent += 2; /* fill in later */ #endif memcpy(tcurrent, data, length); tcurrent += length; nadded++; if (nadded < ncount) { do { dns_rdata_reset(&nrdata); #if DNS_RDATASET_FIXED norder = ncurrent[2] * 256 + ncurrent[3]; INSIST(norder < oncount); #endif rdata_from_slab(&ncurrent, rdclass, type, &nrdata); } while (rdata_in_slab(oslab, reservelen, rdclass, type, &nrdata)); } } } #if DNS_RDATASET_FIXED fillin_offsets(offsetbase, offsettable, ocount + oncount); isc_mem_put(mctx, offsettable, (ocount + oncount) * sizeof(unsigned int)); #endif INSIST(tcurrent == tstart + tlength); *tslabp = tstart; return (ISC_R_SUCCESS); } isc_result_t dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab, unsigned int reservelen, isc_mem_t *mctx, dns_rdataclass_t rdclass, dns_rdatatype_t type, unsigned int flags, unsigned char **tslabp) { unsigned char *mcurrent, *sstart, *scurrent, *tstart, *tcurrent; unsigned int mcount, scount, rcount ,count, tlength, tcount, i; dns_rdata_t srdata = DNS_RDATA_INIT; dns_rdata_t mrdata = DNS_RDATA_INIT; #if DNS_RDATASET_FIXED unsigned char *offsetbase; unsigned int *offsettable; unsigned int order; #endif REQUIRE(tslabp != NULL && *tslabp == NULL); REQUIRE(mslab != NULL && sslab != NULL); mcurrent = mslab + reservelen; mcount = *mcurrent++ * 256; mcount += *mcurrent++; scurrent = sslab + reservelen; scount = *scurrent++ * 256; scount += *scurrent++; INSIST(mcount > 0 && scount > 0); /* * Yes, this is inefficient! */ /* * Start figuring out the target length and count. */ tlength = reservelen + 2; tcount = 0; rcount = 0; #if DNS_RDATASET_FIXED mcurrent += 4 * mcount; scurrent += 4 * scount; #endif sstart = scurrent; /* * Add in the length of rdata in the mslab that aren't in * the sslab. */ for (i = 0; i < mcount; i++) { unsigned char *mrdatabegin = mcurrent; rdata_from_slab(&mcurrent, rdclass, type, &mrdata); scurrent = sstart; for (count = 0; count < scount; count++) { dns_rdata_reset(&srdata); rdata_from_slab(&scurrent, rdclass, type, &srdata); if (dns_rdata_compare(&mrdata, &srdata) == 0) break; } if (count == scount) { /* * This rdata isn't in the sslab, and thus isn't * being subtracted. */ tlength += mcurrent - mrdatabegin; tcount++; } else rcount++; dns_rdata_reset(&mrdata); } #if DNS_RDATASET_FIXED tlength += (4 * tcount); #endif /* * Check that all the records originally existed. The numeric * check only works as rdataslabs do not contain duplicates. */ if (((flags & DNS_RDATASLAB_EXACT) != 0) && (rcount != scount)) return (DNS_R_NOTEXACT); /* * Don't continue if the new rdataslab would be empty. */ if (tcount == 0) return (DNS_R_NXRRSET); /* * If nothing is going to change, we can stop. */ if (rcount == 0) return (DNS_R_UNCHANGED); /* * Copy the reserved area from the mslab. */ tstart = isc_mem_get(mctx, tlength); if (tstart == NULL) return (ISC_R_NOMEMORY); memcpy(tstart, mslab, reservelen); tcurrent = tstart + reservelen; #if DNS_RDATASET_FIXED offsetbase = tcurrent; offsettable = isc_mem_get(mctx, mcount * sizeof(unsigned int)); if (offsettable == NULL) { isc_mem_put(mctx, tstart, tlength); return (ISC_R_NOMEMORY); } memset(offsettable, 0, mcount * sizeof(unsigned int)); #endif /* * Write the new count. */ *tcurrent++ = (tcount & 0xff00) >> 8; *tcurrent++ = (tcount & 0x00ff); #if DNS_RDATASET_FIXED tcurrent += (4 * tcount); #endif /* * Copy the parts of mslab not in sslab. */ mcurrent = mslab + reservelen; mcount = *mcurrent++ * 256; mcount += *mcurrent++; #if DNS_RDATASET_FIXED mcurrent += (4 * mcount); #endif for (i = 0; i < mcount; i++) { unsigned char *mrdatabegin = mcurrent; #if DNS_RDATASET_FIXED order = mcurrent[2] * 256 + mcurrent[3]; INSIST(order < mcount); #endif rdata_from_slab(&mcurrent, rdclass, type, &mrdata); scurrent = sstart; for (count = 0; count < scount; count++) { dns_rdata_reset(&srdata); rdata_from_slab(&scurrent, rdclass, type, &srdata); if (dns_rdata_compare(&mrdata, &srdata) == 0) break; } if (count == scount) { /* * This rdata isn't in the sslab, and thus should be * copied to the tslab. */ unsigned int length = mcurrent - mrdatabegin; #if DNS_RDATASET_FIXED offsettable[order] = tcurrent - offsetbase; #endif memcpy(tcurrent, mrdatabegin, length); tcurrent += length; } dns_rdata_reset(&mrdata); } #if DNS_RDATASET_FIXED fillin_offsets(offsetbase, offsettable, mcount); isc_mem_put(mctx, offsettable, mcount * sizeof(unsigned int)); #endif INSIST(tcurrent == tstart + tlength); *tslabp = tstart; return (ISC_R_SUCCESS); } isc_boolean_t dns_rdataslab_equal(unsigned char *slab1, unsigned char *slab2, unsigned int reservelen) { unsigned char *current1, *current2; unsigned int count1, count2; unsigned int length1, length2; current1 = slab1 + reservelen; count1 = *current1++ * 256; count1 += *current1++; current2 = slab2 + reservelen; count2 = *current2++ * 256; count2 += *current2++; if (count1 != count2) return (ISC_FALSE); #if DNS_RDATASET_FIXED current1 += (4 * count1); current2 += (4 * count2); #endif while (count1 > 0) { length1 = *current1++ * 256; length1 += *current1++; length2 = *current2++ * 256; length2 += *current2++; #if DNS_RDATASET_FIXED current1 += 2; current2 += 2; #endif if (length1 != length2 || memcmp(current1, current2, length1) != 0) return (ISC_FALSE); current1 += length1; current2 += length1; count1--; } return (ISC_TRUE); } isc_boolean_t dns_rdataslab_equalx(unsigned char *slab1, unsigned char *slab2, unsigned int reservelen, dns_rdataclass_t rdclass, dns_rdatatype_t type) { unsigned char *current1, *current2; unsigned int count1, count2; dns_rdata_t rdata1 = DNS_RDATA_INIT; dns_rdata_t rdata2 = DNS_RDATA_INIT; current1 = slab1 + reservelen; count1 = *current1++ * 256; count1 += *current1++; current2 = slab2 + reservelen; count2 = *current2++ * 256; count2 += *current2++; if (count1 != count2) return (ISC_FALSE); #if DNS_RDATASET_FIXED current1 += (4 * count1); current2 += (4 * count2); #endif while (count1-- > 0) { rdata_from_slab(¤t1, rdclass, type, &rdata1); rdata_from_slab(¤t2, rdclass, type, &rdata2); if (dns_rdata_compare(&rdata1, &rdata2) != 0) return (ISC_FALSE); dns_rdata_reset(&rdata1); dns_rdata_reset(&rdata2); } return (ISC_TRUE); } Index: head/contrib/bind9/lib/dns/resolver.c =================================================================== --- head/contrib/bind9/lib/dns/resolver.c (revision 205291) +++ head/contrib/bind9/lib/dns/resolver.c (revision 205292) @@ -1,7929 +1,8284 @@ /* * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.384.14.20 2010/01/07 23:47:36 tbox Exp $ */ +/* $Id: resolver.c,v 1.384.14.20.8.2 2010/02/25 10:57:12 tbox Exp $ */ /*! \file */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #define DNS_RESOLVER_TRACE #ifdef DNS_RESOLVER_TRACE #define RTRACE(m) isc_log_write(dns_lctx, \ DNS_LOGCATEGORY_RESOLVER, \ DNS_LOGMODULE_RESOLVER, \ ISC_LOG_DEBUG(3), \ "res %p: %s", res, (m)) #define RRTRACE(r, m) isc_log_write(dns_lctx, \ DNS_LOGCATEGORY_RESOLVER, \ DNS_LOGMODULE_RESOLVER, \ ISC_LOG_DEBUG(3), \ "res %p: %s", (r), (m)) #define FCTXTRACE(m) isc_log_write(dns_lctx, \ DNS_LOGCATEGORY_RESOLVER, \ DNS_LOGMODULE_RESOLVER, \ ISC_LOG_DEBUG(3), \ "fctx %p(%s'): %s", fctx, fctx->info, (m)) #define FCTXTRACE2(m1, m2) \ isc_log_write(dns_lctx, \ DNS_LOGCATEGORY_RESOLVER, \ DNS_LOGMODULE_RESOLVER, \ ISC_LOG_DEBUG(3), \ "fctx %p(%s): %s %s", \ fctx, fctx->info, (m1), (m2)) #define FTRACE(m) isc_log_write(dns_lctx, \ DNS_LOGCATEGORY_RESOLVER, \ DNS_LOGMODULE_RESOLVER, \ ISC_LOG_DEBUG(3), \ "fetch %p (fctx %p(%s)): %s", \ fetch, fetch->private, \ fetch->private->info, (m)) #define QTRACE(m) isc_log_write(dns_lctx, \ DNS_LOGCATEGORY_RESOLVER, \ DNS_LOGMODULE_RESOLVER, \ ISC_LOG_DEBUG(3), \ "resquery %p (fctx %p(%s)): %s", \ query, query->fctx, \ query->fctx->info, (m)) #else #define RTRACE(m) #define RRTRACE(r, m) #define FCTXTRACE(m) #define FTRACE(m) #define QTRACE(m) #endif /*% * Maximum EDNS0 input packet size. */ #define RECV_BUFFER_SIZE 4096 /* XXXRTH Constant. */ /*% * This defines the maximum number of timeouts we will permit before we * disable EDNS0 on the query. */ #define MAX_EDNS0_TIMEOUTS 3 typedef struct fetchctx fetchctx_t; typedef struct query { /* Locked by task event serialization. */ unsigned int magic; fetchctx_t * fctx; isc_mem_t * mctx; dns_dispatchmgr_t * dispatchmgr; dns_dispatch_t * dispatch; isc_boolean_t exclusivesocket; dns_adbaddrinfo_t * addrinfo; isc_socket_t * tcpsocket; isc_time_t start; dns_messageid_t id; dns_dispentry_t * dispentry; ISC_LINK(struct query) link; isc_buffer_t buffer; isc_buffer_t *tsig; dns_tsigkey_t *tsigkey; unsigned int options; unsigned int attributes; unsigned int sends; unsigned int connects; unsigned char data[512]; } resquery_t; #define QUERY_MAGIC ISC_MAGIC('Q', '!', '!', '!') #define VALID_QUERY(query) ISC_MAGIC_VALID(query, QUERY_MAGIC) #define RESQUERY_ATTR_CANCELED 0x02 #define RESQUERY_CONNECTING(q) ((q)->connects > 0) #define RESQUERY_CANCELED(q) (((q)->attributes & \ RESQUERY_ATTR_CANCELED) != 0) #define RESQUERY_SENDING(q) ((q)->sends > 0) typedef enum { fetchstate_init = 0, /*%< Start event has not run yet. */ fetchstate_active, fetchstate_done /*%< FETCHDONE events posted. */ } fetchstate; typedef enum { badns_unreachable = 0, badns_response, badns_validation } badnstype_t; struct fetchctx { /*% Not locked. */ unsigned int magic; dns_resolver_t * res; dns_name_t name; dns_rdatatype_t type; unsigned int options; unsigned int bucketnum; char * info; /*% Locked by appropriate bucket lock. */ fetchstate state; isc_boolean_t want_shutdown; isc_boolean_t cloned; isc_boolean_t spilled; unsigned int references; isc_event_t control_event; ISC_LINK(struct fetchctx) link; ISC_LIST(dns_fetchevent_t) events; /*% Locked by task event serialization. */ dns_name_t domain; dns_rdataset_t nameservers; unsigned int attributes; isc_timer_t * timer; isc_time_t expires; isc_interval_t interval; dns_message_t * qmessage; dns_message_t * rmessage; ISC_LIST(resquery_t) queries; dns_adbfindlist_t finds; dns_adbfind_t * find; dns_adbfindlist_t altfinds; dns_adbfind_t * altfind; dns_adbaddrinfolist_t forwaddrs; dns_adbaddrinfolist_t altaddrs; isc_sockaddrlist_t forwarders; dns_fwdpolicy_t fwdpolicy; isc_sockaddrlist_t bad; isc_sockaddrlist_t edns; isc_sockaddrlist_t edns512; dns_validator_t *validator; ISC_LIST(dns_validator_t) validators; dns_db_t * cache; dns_adb_t * adb; /*% * The number of events we're waiting for. */ unsigned int pending; /*% * The number of times we've "restarted" the current * nameserver set. This acts as a failsafe to prevent * us from pounding constantly on a particular set of * servers that, for whatever reason, are not giving * us useful responses, but are responding in such a * way that they are not marked "bad". */ unsigned int restarts; /*% * The number of timeouts that have occurred since we * last successfully received a response packet. This * is used for EDNS0 black hole detection. */ unsigned int timeouts; /*% * Look aside state for DS lookups. */ dns_name_t nsname; dns_fetch_t * nsfetch; dns_rdataset_t nsrrset; /*% * Number of queries that reference this context. */ unsigned int nqueries; /*% * The reason to print when logging a successful * response to a query. */ const char * reason; /*% * Random numbers to use for mixing up server addresses. */ isc_uint32_t rand_buf; isc_uint32_t rand_bits; /*% * Fetch-local statistics for detailed logging. */ isc_result_t result; /*%< fetch result */ isc_result_t vresult; /*%< validation result */ int exitline; isc_time_t start; isc_uint64_t duration; isc_boolean_t logged; unsigned int querysent; unsigned int referrals; unsigned int lamecount; unsigned int neterr; unsigned int badresp; unsigned int adberr; unsigned int findfail; unsigned int valfail; isc_boolean_t timeout; }; #define FCTX_MAGIC ISC_MAGIC('F', '!', '!', '!') #define VALID_FCTX(fctx) ISC_MAGIC_VALID(fctx, FCTX_MAGIC) #define FCTX_ATTR_HAVEANSWER 0x0001 #define FCTX_ATTR_GLUING 0x0002 #define FCTX_ATTR_ADDRWAIT 0x0004 #define FCTX_ATTR_SHUTTINGDOWN 0x0008 #define FCTX_ATTR_WANTCACHE 0x0010 #define FCTX_ATTR_WANTNCACHE 0x0020 #define FCTX_ATTR_NEEDEDNS0 0x0040 #define FCTX_ATTR_TRIEDFIND 0x0080 #define FCTX_ATTR_TRIEDALT 0x0100 #define HAVE_ANSWER(f) (((f)->attributes & FCTX_ATTR_HAVEANSWER) != \ 0) #define GLUING(f) (((f)->attributes & FCTX_ATTR_GLUING) != \ 0) #define ADDRWAIT(f) (((f)->attributes & FCTX_ATTR_ADDRWAIT) != \ 0) #define SHUTTINGDOWN(f) (((f)->attributes & FCTX_ATTR_SHUTTINGDOWN) \ != 0) #define WANTCACHE(f) (((f)->attributes & FCTX_ATTR_WANTCACHE) != 0) #define WANTNCACHE(f) (((f)->attributes & FCTX_ATTR_WANTNCACHE) != 0) #define NEEDEDNS0(f) (((f)->attributes & FCTX_ATTR_NEEDEDNS0) != 0) #define TRIEDFIND(f) (((f)->attributes & FCTX_ATTR_TRIEDFIND) != 0) #define TRIEDALT(f) (((f)->attributes & FCTX_ATTR_TRIEDALT) != 0) typedef struct { dns_adbaddrinfo_t * addrinfo; fetchctx_t * fctx; } dns_valarg_t; struct dns_fetch { unsigned int magic; fetchctx_t * private; }; #define DNS_FETCH_MAGIC ISC_MAGIC('F', 't', 'c', 'h') #define DNS_FETCH_VALID(fetch) ISC_MAGIC_VALID(fetch, DNS_FETCH_MAGIC) typedef struct fctxbucket { isc_task_t * task; isc_mutex_t lock; ISC_LIST(fetchctx_t) fctxs; isc_boolean_t exiting; isc_mem_t * mctx; } fctxbucket_t; typedef struct alternate { isc_boolean_t isaddress; union { isc_sockaddr_t addr; struct { dns_name_t name; in_port_t port; } _n; } _u; ISC_LINK(struct alternate) link; } alternate_t; +typedef struct dns_badcache dns_badcache_t; +struct dns_badcache { + dns_badcache_t * next; + dns_rdatatype_t type; + isc_time_t expire; + unsigned int hashval; + dns_name_t name; +}; +#define DNS_BADCACHE_SIZE 1021 +#define DNS_BADCACHE_TTL(fctx) \ + (((fctx)->res->lame_ttl > 30 ) ? (fctx)->res->lame_ttl : 30) + struct dns_resolver { /* Unlocked. */ unsigned int magic; isc_mem_t * mctx; isc_mutex_t lock; isc_mutex_t nlock; isc_mutex_t primelock; dns_rdataclass_t rdclass; isc_socketmgr_t * socketmgr; isc_timermgr_t * timermgr; isc_taskmgr_t * taskmgr; dns_view_t * view; isc_boolean_t frozen; unsigned int options; dns_dispatchmgr_t * dispatchmgr; dns_dispatch_t * dispatchv4; isc_boolean_t exclusivev4; dns_dispatch_t * dispatchv6; isc_boolean_t exclusivev6; unsigned int ndisps; unsigned int nbuckets; fctxbucket_t * buckets; isc_uint32_t lame_ttl; ISC_LIST(alternate_t) alternates; isc_uint16_t udpsize; #if USE_ALGLOCK isc_rwlock_t alglock; #endif dns_rbt_t * algorithms; #if USE_MBSLOCK isc_rwlock_t mbslock; #endif dns_rbt_t * mustbesecure; unsigned int spillatmax; unsigned int spillatmin; isc_timer_t * spillattimer; isc_boolean_t zero_no_soa_ttl; /* Locked by lock. */ unsigned int references; isc_boolean_t exiting; isc_eventlist_t whenshutdown; unsigned int activebuckets; isc_boolean_t priming; unsigned int spillat; /* clients-per-query */ unsigned int nextdisp; + + /* Bad cache. */ + dns_badcache_t ** badcache; + unsigned int badcount; + unsigned int badhash; + unsigned int badsweep; + /* Locked by primelock. */ dns_fetch_t * primefetch; /* Locked by nlock. */ unsigned int nfctx; }; #define RES_MAGIC ISC_MAGIC('R', 'e', 's', '!') #define VALID_RESOLVER(res) ISC_MAGIC_VALID(res, RES_MAGIC) /*% * Private addrinfo flags. These must not conflict with DNS_FETCHOPT_NOEDNS0, * which we also use as an addrinfo flag. */ #define FCTX_ADDRINFO_MARK 0x0001 #define FCTX_ADDRINFO_FORWARDER 0x1000 #define FCTX_ADDRINFO_TRIED 0x2000 #define UNMARKED(a) (((a)->flags & FCTX_ADDRINFO_MARK) \ == 0) #define ISFORWARDER(a) (((a)->flags & \ FCTX_ADDRINFO_FORWARDER) != 0) #define TRIED(a) (((a)->flags & \ FCTX_ADDRINFO_TRIED) != 0) #define NXDOMAIN(r) (((r)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0) static void destroy(dns_resolver_t *res); static void empty_bucket(dns_resolver_t *res); static isc_result_t resquery_send(resquery_t *query); static void resquery_response(isc_task_t *task, isc_event_t *event); static void resquery_connected(isc_task_t *task, isc_event_t *event); -static void fctx_try(fetchctx_t *fctx, isc_boolean_t retrying); +static void fctx_try(fetchctx_t *fctx, isc_boolean_t retrying, + isc_boolean_t badcache); static isc_boolean_t fctx_destroy(fetchctx_t *fctx); static isc_result_t ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node, dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl, isc_boolean_t optout, dns_rdataset_t *ardataset, isc_result_t *eresultp); static void validated(isc_task_t *task, isc_event_t *event); static void maybe_destroy(fetchctx_t *fctx); static void add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason, badnstype_t badtype); /*% * Increment resolver-related statistics counters. */ static inline void inc_stats(dns_resolver_t *res, isc_statscounter_t counter) { if (res->view->resstats != NULL) isc_stats_increment(res->view->resstats, counter); } static isc_result_t valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name, dns_rdatatype_t type, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, unsigned int valoptions, isc_task_t *task) { dns_validator_t *validator = NULL; dns_valarg_t *valarg; isc_result_t result; valarg = isc_mem_get(fctx->res->buckets[fctx->bucketnum].mctx, sizeof(*valarg)); if (valarg == NULL) return (ISC_R_NOMEMORY); valarg->fctx = fctx; valarg->addrinfo = addrinfo; if (!ISC_LIST_EMPTY(fctx->validators)) INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0); result = dns_validator_create(fctx->res->view, name, type, rdataset, sigrdataset, fctx->rmessage, valoptions, task, validated, valarg, &validator); if (result == ISC_R_SUCCESS) { inc_stats(fctx->res, dns_resstatscounter_val); if ((valoptions & DNS_VALIDATOR_DEFER) == 0) { INSIST(fctx->validator == NULL); fctx->validator = validator; } ISC_LIST_APPEND(fctx->validators, validator, link); } else isc_mem_put(fctx->res->buckets[fctx->bucketnum].mctx, valarg, sizeof(*valarg)); return (result); } static isc_boolean_t rrsig_fromchildzone(fetchctx_t *fctx, dns_rdataset_t *rdataset) { dns_namereln_t namereln; dns_rdata_rrsig_t rrsig; dns_rdata_t rdata = DNS_RDATA_INIT; int order; isc_result_t result; unsigned int labels; for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS; result = dns_rdataset_next(rdataset)) { dns_rdataset_current(rdataset, &rdata); result = dns_rdata_tostruct(&rdata, &rrsig, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); namereln = dns_name_fullcompare(&rrsig.signer, &fctx->domain, &order, &labels); if (namereln == dns_namereln_subdomain) return (ISC_TRUE); dns_rdata_reset(&rdata); } return (ISC_FALSE); } static isc_boolean_t fix_mustbedelegationornxdomain(dns_message_t *message, fetchctx_t *fctx) { dns_name_t *name; dns_name_t *domain = &fctx->domain; dns_rdataset_t *rdataset; dns_rdatatype_t type; isc_result_t result; isc_boolean_t keep_auth = ISC_FALSE; if (message->rcode == dns_rcode_nxdomain) return (ISC_FALSE); /* * A DS RRset can appear anywhere in a zone, even for a delegation-only * zone. So a response to an explicit query for this type should be * excluded from delegation-only fixup. * * SOA, NS, and DNSKEY can only exist at a zone apex, so a postive * response to a query for these types can never violate the * delegation-only assumption: if the query name is below a * zone cut, the response should normally be a referral, which should * be accepted; if the query name is below a zone cut but the server * happens to have authority for the zone of the query name, the * response is a (non-referral) answer. But this does not violate * delegation-only because the query name must be in a different zone * due to the "apex-only" nature of these types. Note that if the * remote server happens to have authority for a child zone of a * delegation-only zone, we may still incorrectly "fix" the response * with NXDOMAIN for queries for other types. Unfortunately it's * generally impossible to differentiate this case from violation of * the delegation-only assumption. Once the resolver learns the * correct zone cut, possibly via a separate query for an "apex-only" * type, queries for other types will be resolved correctly. * * A query for type ANY will be accepted if it hits an exceptional * type above in the answer section as it should be from a child * zone. * * Also accept answers with RRSIG records from the child zone. * Direct queries for RRSIG records should not be answered from * the parent zone. */ if (message->counts[DNS_SECTION_ANSWER] != 0 && (fctx->type == dns_rdatatype_ns || fctx->type == dns_rdatatype_ds || fctx->type == dns_rdatatype_soa || fctx->type == dns_rdatatype_any || fctx->type == dns_rdatatype_rrsig || fctx->type == dns_rdatatype_dnskey)) { result = dns_message_firstname(message, DNS_SECTION_ANSWER); while (result == ISC_R_SUCCESS) { name = NULL; dns_message_currentname(message, DNS_SECTION_ANSWER, &name); for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { if (!dns_name_equal(name, &fctx->name)) continue; type = rdataset->type; /* * RRsig from child? */ if (type == dns_rdatatype_rrsig && rrsig_fromchildzone(fctx, rdataset)) return (ISC_FALSE); /* * Direct query for apex records or DS. */ if (fctx->type == type && (type == dns_rdatatype_ds || type == dns_rdatatype_ns || type == dns_rdatatype_soa || type == dns_rdatatype_dnskey)) return (ISC_FALSE); /* * Indirect query for apex records or DS. */ if (fctx->type == dns_rdatatype_any && (type == dns_rdatatype_ns || type == dns_rdatatype_ds || type == dns_rdatatype_soa || type == dns_rdatatype_dnskey)) return (ISC_FALSE); } result = dns_message_nextname(message, DNS_SECTION_ANSWER); } } /* * A NODATA response to a DS query? */ if (fctx->type == dns_rdatatype_ds && message->counts[DNS_SECTION_ANSWER] == 0) return (ISC_FALSE); /* Look for referral or indication of answer from child zone? */ if (message->counts[DNS_SECTION_AUTHORITY] == 0) goto munge; result = dns_message_firstname(message, DNS_SECTION_AUTHORITY); while (result == ISC_R_SUCCESS) { name = NULL; dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name); for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { type = rdataset->type; if (type == dns_rdatatype_soa && dns_name_equal(name, domain)) keep_auth = ISC_TRUE; if (type != dns_rdatatype_ns && type != dns_rdatatype_soa && type != dns_rdatatype_rrsig) continue; if (type == dns_rdatatype_rrsig) { if (rrsig_fromchildzone(fctx, rdataset)) return (ISC_FALSE); else continue; } /* NS or SOA records. */ if (dns_name_equal(name, domain)) { /* * If a query for ANY causes a negative * response, we can be sure that this is * an empty node. For other type of queries * we cannot differentiate an empty node * from a node that just doesn't have that * type of record. We only accept the former * case. */ if (message->counts[DNS_SECTION_ANSWER] == 0 && fctx->type == dns_rdatatype_any) return (ISC_FALSE); } else if (dns_name_issubdomain(name, domain)) { /* Referral or answer from child zone. */ return (ISC_FALSE); } } result = dns_message_nextname(message, DNS_SECTION_AUTHORITY); } munge: message->rcode = dns_rcode_nxdomain; message->counts[DNS_SECTION_ANSWER] = 0; if (!keep_auth) message->counts[DNS_SECTION_AUTHORITY] = 0; message->counts[DNS_SECTION_ADDITIONAL] = 0; return (ISC_TRUE); } static inline isc_result_t fctx_starttimer(fetchctx_t *fctx) { /* * Start the lifetime timer for fctx. * * This is also used for stopping the idle timer; in that * case we must purge events already posted to ensure that * no further idle events are delivered. */ return (isc_timer_reset(fctx->timer, isc_timertype_once, &fctx->expires, NULL, ISC_TRUE)); } static inline void fctx_stoptimer(fetchctx_t *fctx) { isc_result_t result; /* * We don't return a result if resetting the timer to inactive fails * since there's nothing to be done about it. Resetting to inactive * should never fail anyway, since the code as currently written * cannot fail in that case. */ result = isc_timer_reset(fctx->timer, isc_timertype_inactive, NULL, NULL, ISC_TRUE); if (result != ISC_R_SUCCESS) { UNEXPECTED_ERROR(__FILE__, __LINE__, "isc_timer_reset(): %s", isc_result_totext(result)); } } static inline isc_result_t fctx_startidletimer(fetchctx_t *fctx, isc_interval_t *interval) { /* * Start the idle timer for fctx. The lifetime timer continues * to be in effect. */ return (isc_timer_reset(fctx->timer, isc_timertype_once, &fctx->expires, interval, ISC_FALSE)); } /* * Stopping the idle timer is equivalent to calling fctx_starttimer(), but * we use fctx_stopidletimer for readability in the code below. */ #define fctx_stopidletimer fctx_starttimer static inline void resquery_destroy(resquery_t **queryp) { resquery_t *query; REQUIRE(queryp != NULL); query = *queryp; REQUIRE(!ISC_LINK_LINKED(query, link)); INSIST(query->tcpsocket == NULL); query->fctx->nqueries--; if (SHUTTINGDOWN(query->fctx)) maybe_destroy(query->fctx); /* Locks bucket. */ query->magic = 0; isc_mem_put(query->mctx, query, sizeof(*query)); *queryp = NULL; } static void fctx_cancelquery(resquery_t **queryp, dns_dispatchevent_t **deventp, isc_time_t *finish, isc_boolean_t no_response) { fetchctx_t *fctx; resquery_t *query; unsigned int rtt, rttms; unsigned int factor; dns_adbfind_t *find; dns_adbaddrinfo_t *addrinfo; isc_socket_t *socket; query = *queryp; fctx = query->fctx; FCTXTRACE("cancelquery"); REQUIRE(!RESQUERY_CANCELED(query)); query->attributes |= RESQUERY_ATTR_CANCELED; /* * Should we update the RTT? */ if (finish != NULL || no_response) { if (finish != NULL) { /* * We have both the start and finish times for this * packet, so we can compute a real RTT. */ rtt = (unsigned int)isc_time_microdiff(finish, &query->start); factor = DNS_ADB_RTTADJDEFAULT; rttms = rtt / 1000; if (rttms < DNS_RESOLVER_QRYRTTCLASS0) { inc_stats(fctx->res, dns_resstatscounter_queryrtt0); } else if (rttms < DNS_RESOLVER_QRYRTTCLASS1) { inc_stats(fctx->res, dns_resstatscounter_queryrtt1); } else if (rttms < DNS_RESOLVER_QRYRTTCLASS2) { inc_stats(fctx->res, dns_resstatscounter_queryrtt2); } else if (rttms < DNS_RESOLVER_QRYRTTCLASS3) { inc_stats(fctx->res, dns_resstatscounter_queryrtt3); } else if (rttms < DNS_RESOLVER_QRYRTTCLASS4) { inc_stats(fctx->res, dns_resstatscounter_queryrtt4); } else { inc_stats(fctx->res, dns_resstatscounter_queryrtt5); } } else { /* * We don't have an RTT for this query. Maybe the * packet was lost, or maybe this server is very * slow. We don't know. Increase the RTT. */ INSIST(no_response); rtt = query->addrinfo->srtt + 200000; if (rtt > 10000000) rtt = 10000000; /* * Replace the current RTT with our value. */ factor = DNS_ADB_RTTADJREPLACE; } dns_adb_adjustsrtt(fctx->adb, query->addrinfo, rtt, factor); } /* Remember that the server has been tried. */ if (!TRIED(query->addrinfo)) { dns_adb_changeflags(fctx->adb, query->addrinfo, FCTX_ADDRINFO_TRIED, FCTX_ADDRINFO_TRIED); } /* * Age RTTs of servers not tried. */ factor = DNS_ADB_RTTADJAGE; if (finish != NULL) for (addrinfo = ISC_LIST_HEAD(fctx->forwaddrs); addrinfo != NULL; addrinfo = ISC_LIST_NEXT(addrinfo, publink)) if (UNMARKED(addrinfo)) dns_adb_adjustsrtt(fctx->adb, addrinfo, 0, factor); if (finish != NULL && TRIEDFIND(fctx)) for (find = ISC_LIST_HEAD(fctx->finds); find != NULL; find = ISC_LIST_NEXT(find, publink)) for (addrinfo = ISC_LIST_HEAD(find->list); addrinfo != NULL; addrinfo = ISC_LIST_NEXT(addrinfo, publink)) if (UNMARKED(addrinfo)) dns_adb_adjustsrtt(fctx->adb, addrinfo, 0, factor); if (finish != NULL && TRIEDALT(fctx)) { for (addrinfo = ISC_LIST_HEAD(fctx->altaddrs); addrinfo != NULL; addrinfo = ISC_LIST_NEXT(addrinfo, publink)) if (UNMARKED(addrinfo)) dns_adb_adjustsrtt(fctx->adb, addrinfo, 0, factor); for (find = ISC_LIST_HEAD(fctx->altfinds); find != NULL; find = ISC_LIST_NEXT(find, publink)) for (addrinfo = ISC_LIST_HEAD(find->list); addrinfo != NULL; addrinfo = ISC_LIST_NEXT(addrinfo, publink)) if (UNMARKED(addrinfo)) dns_adb_adjustsrtt(fctx->adb, addrinfo, 0, factor); } /* * Check for any outstanding socket events. If they exist, cancel * them and let the event handlers finish the cleanup. The resolver * only needs to worry about managing the connect and send events; * the dispatcher manages the recv events. */ if (RESQUERY_CONNECTING(query)) { /* * Cancel the connect. */ if (query->tcpsocket != NULL) { isc_socket_cancel(query->tcpsocket, NULL, ISC_SOCKCANCEL_CONNECT); } else if (query->dispentry != NULL) { INSIST(query->exclusivesocket); socket = dns_dispatch_getentrysocket(query->dispentry); if (socket != NULL) isc_socket_cancel(socket, NULL, ISC_SOCKCANCEL_CONNECT); } } else if (RESQUERY_SENDING(query)) { /* * Cancel the pending send. */ if (query->exclusivesocket && query->dispentry != NULL) socket = dns_dispatch_getentrysocket(query->dispentry); else socket = dns_dispatch_getsocket(query->dispatch); if (socket != NULL) isc_socket_cancel(socket, NULL, ISC_SOCKCANCEL_SEND); } if (query->dispentry != NULL) dns_dispatch_removeresponse(&query->dispentry, deventp); ISC_LIST_UNLINK(fctx->queries, query, link); if (query->tsig != NULL) isc_buffer_free(&query->tsig); if (query->tsigkey != NULL) dns_tsigkey_detach(&query->tsigkey); if (query->dispatch != NULL) dns_dispatch_detach(&query->dispatch); if (! (RESQUERY_CONNECTING(query) || RESQUERY_SENDING(query))) /* * It's safe to destroy the query now. */ resquery_destroy(&query); } static void fctx_cancelqueries(fetchctx_t *fctx, isc_boolean_t no_response) { resquery_t *query, *next_query; FCTXTRACE("cancelqueries"); for (query = ISC_LIST_HEAD(fctx->queries); query != NULL; query = next_query) { next_query = ISC_LIST_NEXT(query, link); fctx_cancelquery(&query, NULL, NULL, no_response); } } static void fctx_cleanupfinds(fetchctx_t *fctx) { dns_adbfind_t *find, *next_find; REQUIRE(ISC_LIST_EMPTY(fctx->queries)); for (find = ISC_LIST_HEAD(fctx->finds); find != NULL; find = next_find) { next_find = ISC_LIST_NEXT(find, publink); ISC_LIST_UNLINK(fctx->finds, find, publink); dns_adb_destroyfind(&find); } fctx->find = NULL; } static void fctx_cleanupaltfinds(fetchctx_t *fctx) { dns_adbfind_t *find, *next_find; REQUIRE(ISC_LIST_EMPTY(fctx->queries)); for (find = ISC_LIST_HEAD(fctx->altfinds); find != NULL; find = next_find) { next_find = ISC_LIST_NEXT(find, publink); ISC_LIST_UNLINK(fctx->altfinds, find, publink); dns_adb_destroyfind(&find); } fctx->altfind = NULL; } static void fctx_cleanupforwaddrs(fetchctx_t *fctx) { dns_adbaddrinfo_t *addr, *next_addr; REQUIRE(ISC_LIST_EMPTY(fctx->queries)); for (addr = ISC_LIST_HEAD(fctx->forwaddrs); addr != NULL; addr = next_addr) { next_addr = ISC_LIST_NEXT(addr, publink); ISC_LIST_UNLINK(fctx->forwaddrs, addr, publink); dns_adb_freeaddrinfo(fctx->adb, &addr); } } static void fctx_cleanupaltaddrs(fetchctx_t *fctx) { dns_adbaddrinfo_t *addr, *next_addr; REQUIRE(ISC_LIST_EMPTY(fctx->queries)); for (addr = ISC_LIST_HEAD(fctx->altaddrs); addr != NULL; addr = next_addr) { next_addr = ISC_LIST_NEXT(addr, publink); ISC_LIST_UNLINK(fctx->altaddrs, addr, publink); dns_adb_freeaddrinfo(fctx->adb, &addr); } } static inline void fctx_stopeverything(fetchctx_t *fctx, isc_boolean_t no_response) { FCTXTRACE("stopeverything"); fctx_cancelqueries(fctx, no_response); fctx_cleanupfinds(fctx); fctx_cleanupaltfinds(fctx); fctx_cleanupforwaddrs(fctx); fctx_cleanupaltaddrs(fctx); fctx_stoptimer(fctx); } static inline void fctx_sendevents(fetchctx_t *fctx, isc_result_t result, int line) { dns_fetchevent_t *event, *next_event; isc_task_t *task; unsigned int count = 0; isc_interval_t i; isc_boolean_t logit = ISC_FALSE; isc_time_t now; unsigned int old_spillat; unsigned int new_spillat = 0; /* initialized to silence compiler warnings */ /* * Caller must be holding the appropriate bucket lock. */ REQUIRE(fctx->state == fetchstate_done); FCTXTRACE("sendevents"); /* * Keep some record of fetch result for logging later (if required). */ fctx->result = result; fctx->exitline = line; TIME_NOW(&now); fctx->duration = isc_time_microdiff(&now, &fctx->start); for (event = ISC_LIST_HEAD(fctx->events); event != NULL; event = next_event) { next_event = ISC_LIST_NEXT(event, ev_link); ISC_LIST_UNLINK(fctx->events, event, ev_link); task = event->ev_sender; event->ev_sender = fctx; if (!HAVE_ANSWER(fctx)) event->result = result; INSIST(result != ISC_R_SUCCESS || dns_rdataset_isassociated(event->rdataset) || fctx->type == dns_rdatatype_any || fctx->type == dns_rdatatype_rrsig || fctx->type == dns_rdatatype_sig); /* * Negative results must be indicated in event->result. */ if (dns_rdataset_isassociated(event->rdataset) && event->rdataset->type == dns_rdatatype_none) { INSIST(event->result == DNS_R_NCACHENXDOMAIN || event->result == DNS_R_NCACHENXRRSET); } isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event)); count++; } if ((fctx->attributes & FCTX_ATTR_HAVEANSWER) != 0 && fctx->spilled && (count < fctx->res->spillatmax || fctx->res->spillatmax == 0)) { LOCK(&fctx->res->lock); if (count == fctx->res->spillat && !fctx->res->exiting) { old_spillat = fctx->res->spillat; fctx->res->spillat += 5; if (fctx->res->spillat > fctx->res->spillatmax && fctx->res->spillatmax != 0) fctx->res->spillat = fctx->res->spillatmax; new_spillat = fctx->res->spillat; if (new_spillat != old_spillat) { logit = ISC_TRUE; } isc_interval_set(&i, 20 * 60, 0); result = isc_timer_reset(fctx->res->spillattimer, isc_timertype_ticker, NULL, &i, ISC_TRUE); RUNTIME_CHECK(result == ISC_R_SUCCESS); } UNLOCK(&fctx->res->lock); if (logit) isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE, "clients-per-query increased to %u", new_spillat); } } static inline void log_edns(fetchctx_t *fctx) { char domainbuf[DNS_NAME_FORMATSIZE]; if (fctx->reason == NULL) return; dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf)); isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED, DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO, "success resolving '%s' (in '%s'?) after %s", fctx->info, domainbuf, fctx->reason); fctx->reason = NULL; } static void fctx_done(fetchctx_t *fctx, isc_result_t result, int line) { dns_resolver_t *res; isc_boolean_t no_response; REQUIRE(line >= 0); FCTXTRACE("done"); res = fctx->res; if (result == ISC_R_SUCCESS) { /*% * Log any deferred EDNS timeout messages. */ log_edns(fctx); no_response = ISC_TRUE; } else no_response = ISC_FALSE; fctx->reason = NULL; fctx_stopeverything(fctx, no_response); LOCK(&res->buckets[fctx->bucketnum].lock); fctx->state = fetchstate_done; fctx->attributes &= ~FCTX_ATTR_ADDRWAIT; fctx_sendevents(fctx, result, line); UNLOCK(&res->buckets[fctx->bucketnum].lock); } static void process_sendevent(resquery_t *query, isc_event_t *event) { isc_socketevent_t *sevent = (isc_socketevent_t *)event; isc_boolean_t retry = ISC_FALSE; isc_result_t result; fetchctx_t *fctx; fctx = query->fctx; if (RESQUERY_CANCELED(query)) { if (query->sends == 0 && query->connects == 0) { /* * This query was canceled while the * isc_socket_sendto/connect() was in progress. */ if (query->tcpsocket != NULL) isc_socket_detach(&query->tcpsocket); resquery_destroy(&query); } } else { switch (sevent->result) { case ISC_R_SUCCESS: break; case ISC_R_HOSTUNREACH: case ISC_R_NETUNREACH: case ISC_R_NOPERM: case ISC_R_ADDRNOTAVAIL: case ISC_R_CONNREFUSED: /* * No route to remote. */ add_bad(fctx, query->addrinfo, sevent->result, badns_unreachable); fctx_cancelquery(&query, NULL, NULL, ISC_TRUE); retry = ISC_TRUE; break; default: fctx_cancelquery(&query, NULL, NULL, ISC_FALSE); break; } } isc_event_free(&event); if (retry) { /* * Behave as if the idle timer has expired. For TCP * this may not actually reflect the latest timer. */ fctx->attributes &= ~FCTX_ATTR_ADDRWAIT; result = fctx_stopidletimer(fctx); if (result != ISC_R_SUCCESS) fctx_done(fctx, result, __LINE__); else - fctx_try(fctx, ISC_TRUE); + fctx_try(fctx, ISC_TRUE, ISC_FALSE); } } static void resquery_udpconnected(isc_task_t *task, isc_event_t *event) { resquery_t *query = event->ev_arg; REQUIRE(event->ev_type == ISC_SOCKEVENT_CONNECT); QTRACE("udpconnected"); UNUSED(task); INSIST(RESQUERY_CONNECTING(query)); query->connects--; process_sendevent(query, event); } static void resquery_senddone(isc_task_t *task, isc_event_t *event) { resquery_t *query = event->ev_arg; REQUIRE(event->ev_type == ISC_SOCKEVENT_SENDDONE); QTRACE("senddone"); /* * XXXRTH * * Currently we don't wait for the senddone event before retrying * a query. This means that if we get really behind, we may end * up doing extra work! */ UNUSED(task); INSIST(RESQUERY_SENDING(query)); query->sends--; process_sendevent(query, event); } static inline isc_result_t fctx_addopt(dns_message_t *message, unsigned int version, isc_uint16_t udpsize, isc_boolean_t request_nsid) { dns_rdataset_t *rdataset; dns_rdatalist_t *rdatalist; dns_rdata_t *rdata; isc_result_t result; rdatalist = NULL; result = dns_message_gettemprdatalist(message, &rdatalist); if (result != ISC_R_SUCCESS) return (result); rdata = NULL; result = dns_message_gettemprdata(message, &rdata); if (result != ISC_R_SUCCESS) return (result); rdataset = NULL; result = dns_message_gettemprdataset(message, &rdataset); if (result != ISC_R_SUCCESS) return (result); dns_rdataset_init(rdataset); rdatalist->type = dns_rdatatype_opt; rdatalist->covers = 0; /* * Set Maximum UDP buffer size. */ rdatalist->rdclass = udpsize; /* * Set EXTENDED-RCODE and Z to 0, DO to 1. */ rdatalist->ttl = (version << 16); rdatalist->ttl |= DNS_MESSAGEEXTFLAG_DO; /* * Set EDNS options if applicable */ if (request_nsid) { /* Send empty NSID option (RFC5001) */ unsigned char data[4]; isc_buffer_t buf; isc_buffer_init(&buf, data, sizeof(data)); isc_buffer_putuint16(&buf, DNS_OPT_NSID); isc_buffer_putuint16(&buf, 0); rdata->data = data; rdata->length = sizeof(data); } else { rdata->data = NULL; rdata->length = 0; } rdata->rdclass = rdatalist->rdclass; rdata->type = rdatalist->type; rdata->flags = 0; ISC_LIST_INIT(rdatalist->rdata); ISC_LIST_APPEND(rdatalist->rdata, rdata, link); RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset) == ISC_R_SUCCESS); return (dns_message_setopt(message, rdataset)); } static inline void fctx_setretryinterval(fetchctx_t *fctx, unsigned int rtt) { unsigned int seconds; unsigned int us; /* * We retry every .8 seconds the first two times through the address * list, and then we do exponential back-off. */ if (fctx->restarts < 3) us = 800000; else us = (800000 << (fctx->restarts - 2)); /* * Double the round-trip time. */ rtt *= 2; /* * Always wait for at least the doubled round-trip time. */ if (us < rtt) us = rtt; /* * But don't ever wait for more than 10 seconds. */ if (us > 10000000) us = 10000000; seconds = us / 1000000; us -= seconds * 1000000; isc_interval_set(&fctx->interval, seconds, us * 1000); } static isc_result_t fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, unsigned int options) { dns_resolver_t *res; isc_task_t *task; isc_result_t result; resquery_t *query; isc_sockaddr_t addr; isc_boolean_t have_addr = ISC_FALSE; unsigned int srtt; FCTXTRACE("query"); res = fctx->res; task = res->buckets[fctx->bucketnum].task; srtt = addrinfo->srtt; if (ISFORWARDER(addrinfo) && srtt < 1000000) srtt = 1000000; fctx_setretryinterval(fctx, srtt); result = fctx_startidletimer(fctx, &fctx->interval); if (result != ISC_R_SUCCESS) return (result); INSIST(ISC_LIST_EMPTY(fctx->validators)); dns_message_reset(fctx->rmessage, DNS_MESSAGE_INTENTPARSE); query = isc_mem_get(res->buckets[fctx->bucketnum].mctx, sizeof(*query)); if (query == NULL) { result = ISC_R_NOMEMORY; goto stop_idle_timer; } query->mctx = res->buckets[fctx->bucketnum].mctx; query->options = options; query->attributes = 0; query->sends = 0; query->connects = 0; /* * Note that the caller MUST guarantee that 'addrinfo' will remain * valid until this query is canceled. */ query->addrinfo = addrinfo; TIME_NOW(&query->start); /* * If this is a TCP query, then we need to make a socket and * a dispatch for it here. Otherwise we use the resolver's * shared dispatch. */ query->dispatchmgr = res->dispatchmgr; query->dispatch = NULL; query->exclusivesocket = ISC_FALSE; query->tcpsocket = NULL; if (res->view->peers != NULL) { dns_peer_t *peer = NULL; isc_netaddr_t dstip; isc_netaddr_fromsockaddr(&dstip, &addrinfo->sockaddr); result = dns_peerlist_peerbyaddr(res->view->peers, &dstip, &peer); if (result == ISC_R_SUCCESS) { result = dns_peer_getquerysource(peer, &addr); if (result == ISC_R_SUCCESS) have_addr = ISC_TRUE; } } if ((query->options & DNS_FETCHOPT_TCP) != 0) { int pf; pf = isc_sockaddr_pf(&addrinfo->sockaddr); if (!have_addr) { switch (pf) { case PF_INET: result = dns_dispatch_getlocaladdress(res->dispatchv4, &addr); break; case PF_INET6: result = dns_dispatch_getlocaladdress(res->dispatchv6, &addr); break; default: result = ISC_R_NOTIMPLEMENTED; break; } if (result != ISC_R_SUCCESS) goto cleanup_query; } isc_sockaddr_setport(&addr, 0); result = isc_socket_create(res->socketmgr, pf, isc_sockettype_tcp, &query->tcpsocket); if (result != ISC_R_SUCCESS) goto cleanup_query; #ifndef BROKEN_TCP_BIND_BEFORE_CONNECT result = isc_socket_bind(query->tcpsocket, &addr, 0); if (result != ISC_R_SUCCESS) goto cleanup_socket; #endif /* * A dispatch will be created once the connect succeeds. */ } else { if (have_addr) { unsigned int attrs, attrmask; attrs = DNS_DISPATCHATTR_UDP; switch (isc_sockaddr_pf(&addr)) { case AF_INET: attrs |= DNS_DISPATCHATTR_IPV4; break; case AF_INET6: attrs |= DNS_DISPATCHATTR_IPV6; break; default: result = ISC_R_NOTIMPLEMENTED; goto cleanup_query; } attrmask = DNS_DISPATCHATTR_UDP; attrmask |= DNS_DISPATCHATTR_TCP; attrmask |= DNS_DISPATCHATTR_IPV4; attrmask |= DNS_DISPATCHATTR_IPV6; result = dns_dispatch_getudp(res->dispatchmgr, res->socketmgr, res->taskmgr, &addr, 4096, 1000, 32768, 16411, 16433, attrs, attrmask, &query->dispatch); if (result != ISC_R_SUCCESS) goto cleanup_query; } else { switch (isc_sockaddr_pf(&addrinfo->sockaddr)) { case PF_INET: dns_dispatch_attach(res->dispatchv4, &query->dispatch); query->exclusivesocket = res->exclusivev4; break; case PF_INET6: dns_dispatch_attach(res->dispatchv6, &query->dispatch); query->exclusivesocket = res->exclusivev6; break; default: result = ISC_R_NOTIMPLEMENTED; goto cleanup_query; } } /* * We should always have a valid dispatcher here. If we * don't support a protocol family, then its dispatcher * will be NULL, but we shouldn't be finding addresses for * protocol types we don't support, so the dispatcher * we found should never be NULL. */ INSIST(query->dispatch != NULL); } query->dispentry = NULL; query->fctx = fctx; query->tsig = NULL; query->tsigkey = NULL; ISC_LINK_INIT(query, link); query->magic = QUERY_MAGIC; if ((query->options & DNS_FETCHOPT_TCP) != 0) { /* * Connect to the remote server. * * XXXRTH Should we attach to the socket? */ result = isc_socket_connect(query->tcpsocket, &addrinfo->sockaddr, task, resquery_connected, query); if (result != ISC_R_SUCCESS) goto cleanup_socket; query->connects++; QTRACE("connecting via TCP"); } else { result = resquery_send(query); if (result != ISC_R_SUCCESS) goto cleanup_dispatch; } fctx->querysent++; ISC_LIST_APPEND(fctx->queries, query, link); query->fctx->nqueries++; if (isc_sockaddr_pf(&addrinfo->sockaddr) == PF_INET) inc_stats(res, dns_resstatscounter_queryv4); else inc_stats(res, dns_resstatscounter_queryv6); if (res->view->resquerystats != NULL) dns_rdatatypestats_increment(res->view->resquerystats, fctx->type); return (ISC_R_SUCCESS); cleanup_socket: isc_socket_detach(&query->tcpsocket); cleanup_dispatch: if (query->dispatch != NULL) dns_dispatch_detach(&query->dispatch); cleanup_query: query->magic = 0; isc_mem_put(res->buckets[fctx->bucketnum].mctx, query, sizeof(*query)); stop_idle_timer: RUNTIME_CHECK(fctx_stopidletimer(fctx) == ISC_R_SUCCESS); return (result); } static isc_boolean_t triededns(fetchctx_t *fctx, isc_sockaddr_t *address) { isc_sockaddr_t *sa; for (sa = ISC_LIST_HEAD(fctx->edns); sa != NULL; sa = ISC_LIST_NEXT(sa, link)) { if (isc_sockaddr_equal(sa, address)) return (ISC_TRUE); } return (ISC_FALSE); } static void add_triededns(fetchctx_t *fctx, isc_sockaddr_t *address) { isc_sockaddr_t *sa; if (triededns(fctx, address)) return; sa = isc_mem_get(fctx->res->buckets[fctx->bucketnum].mctx, sizeof(*sa)); if (sa == NULL) return; *sa = *address; ISC_LIST_INITANDAPPEND(fctx->edns, sa, link); } static isc_boolean_t triededns512(fetchctx_t *fctx, isc_sockaddr_t *address) { isc_sockaddr_t *sa; for (sa = ISC_LIST_HEAD(fctx->edns512); sa != NULL; sa = ISC_LIST_NEXT(sa, link)) { if (isc_sockaddr_equal(sa, address)) return (ISC_TRUE); } return (ISC_FALSE); } static void add_triededns512(fetchctx_t *fctx, isc_sockaddr_t *address) { isc_sockaddr_t *sa; if (triededns512(fctx, address)) return; sa = isc_mem_get(fctx->res->buckets[fctx->bucketnum].mctx, sizeof(*sa)); if (sa == NULL) return; *sa = *address; ISC_LIST_INITANDAPPEND(fctx->edns512, sa, link); } static isc_result_t resquery_send(resquery_t *query) { fetchctx_t *fctx; isc_result_t result; dns_name_t *qname = NULL; dns_rdataset_t *qrdataset = NULL; isc_region_t r; dns_resolver_t *res; isc_task_t *task; isc_socket_t *socket; isc_buffer_t tcpbuffer; isc_sockaddr_t *address; isc_buffer_t *buffer; isc_netaddr_t ipaddr; dns_tsigkey_t *tsigkey = NULL; dns_peer_t *peer = NULL; isc_boolean_t useedns; dns_compress_t cctx; isc_boolean_t cleanup_cctx = ISC_FALSE; isc_boolean_t secure_domain; fctx = query->fctx; QTRACE("send"); res = fctx->res; task = res->buckets[fctx->bucketnum].task; address = NULL; if ((query->options & DNS_FETCHOPT_TCP) != 0) { /* * Reserve space for the TCP message length. */ isc_buffer_init(&tcpbuffer, query->data, sizeof(query->data)); isc_buffer_init(&query->buffer, query->data + 2, sizeof(query->data) - 2); buffer = &tcpbuffer; } else { isc_buffer_init(&query->buffer, query->data, sizeof(query->data)); buffer = &query->buffer; } result = dns_message_gettempname(fctx->qmessage, &qname); if (result != ISC_R_SUCCESS) goto cleanup_temps; result = dns_message_gettemprdataset(fctx->qmessage, &qrdataset); if (result != ISC_R_SUCCESS) goto cleanup_temps; /* * Get a query id from the dispatch. */ result = dns_dispatch_addresponse2(query->dispatch, &query->addrinfo->sockaddr, task, resquery_response, query, &query->id, &query->dispentry, res->socketmgr); if (result != ISC_R_SUCCESS) goto cleanup_temps; fctx->qmessage->opcode = dns_opcode_query; /* * Set up question. */ dns_name_init(qname, NULL); dns_name_clone(&fctx->name, qname); dns_rdataset_init(qrdataset); dns_rdataset_makequestion(qrdataset, res->rdclass, fctx->type); ISC_LIST_APPEND(qname->list, qrdataset, link); dns_message_addname(fctx->qmessage, qname, DNS_SECTION_QUESTION); qname = NULL; qrdataset = NULL; /* * Set RD if the client has requested that we do a recursive query, * or if we're sending to a forwarder. */ if ((query->options & DNS_FETCHOPT_RECURSIVE) != 0 || ISFORWARDER(query->addrinfo)) fctx->qmessage->flags |= DNS_MESSAGEFLAG_RD; /* * Set CD if the client says don't validate or the question is * under a secure entry point. */ if ((query->options & DNS_FETCHOPT_NOVALIDATE) != 0) { fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD; } else if (res->view->enablevalidation) { result = dns_keytable_issecuredomain(res->view->secroots, &fctx->name, &secure_domain); if (result != ISC_R_SUCCESS) secure_domain = ISC_FALSE; if (res->view->dlv != NULL) secure_domain = ISC_TRUE; if (secure_domain) fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD; } /* * We don't have to set opcode because it defaults to query. */ fctx->qmessage->id = query->id; /* * Convert the question to wire format. */ result = dns_compress_init(&cctx, -1, fctx->res->mctx); if (result != ISC_R_SUCCESS) goto cleanup_message; cleanup_cctx = ISC_TRUE; result = dns_message_renderbegin(fctx->qmessage, &cctx, &query->buffer); if (result != ISC_R_SUCCESS) goto cleanup_message; result = dns_message_rendersection(fctx->qmessage, DNS_SECTION_QUESTION, 0); if (result != ISC_R_SUCCESS) goto cleanup_message; peer = NULL; isc_netaddr_fromsockaddr(&ipaddr, &query->addrinfo->sockaddr); (void) dns_peerlist_peerbyaddr(fctx->res->view->peers, &ipaddr, &peer); /* * The ADB does not know about servers with "edns no". Check this, * and then inform the ADB for future use. */ if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) == 0 && peer != NULL && dns_peer_getsupportedns(peer, &useedns) == ISC_R_SUCCESS && !useedns) { query->options |= DNS_FETCHOPT_NOEDNS0; dns_adb_changeflags(fctx->adb, query->addrinfo, DNS_FETCHOPT_NOEDNS0, DNS_FETCHOPT_NOEDNS0); } /* Sync NOEDNS0 flag in addrinfo->flags and options now. */ if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) != 0) query->options |= DNS_FETCHOPT_NOEDNS0; /* * Handle timeouts by reducing the UDP response size to 512 bytes * then if that doesn't work disabling EDNS (includes DO) and CD. * * These timeout can be due to: * * broken nameservers that don't respond to EDNS queries. * * broken/misconfigured firewalls and NAT implementations * that don't handle IP fragmentation. * * broken/misconfigured firewalls that don't handle responses * greater than 512 bytes. * * broken/misconfigured firewalls that don't handle EDNS, DO * or CD. * * packet loss / link outage. */ if (fctx->timeout) { if ((triededns512(fctx, &query->addrinfo->sockaddr) || fctx->timeouts >= (MAX_EDNS0_TIMEOUTS * 2)) && (query->options & DNS_FETCHOPT_NOEDNS0) == 0) { query->options |= DNS_FETCHOPT_NOEDNS0; fctx->reason = "disabling EDNS"; } else if ((triededns(fctx, &query->addrinfo->sockaddr) || fctx->timeouts >= MAX_EDNS0_TIMEOUTS) && (query->options & DNS_FETCHOPT_NOEDNS0) == 0) { query->options |= DNS_FETCHOPT_EDNS512; fctx->reason = "reducing the advertised EDNS UDP " "packet size to 512 octets"; } fctx->timeout = ISC_FALSE; } /* * Use EDNS0, unless the caller doesn't want it, or we know that * the remote server doesn't like it. */ if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0) { if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) == 0) { unsigned int version = 0; /* Default version. */ unsigned int flags; isc_uint16_t udpsize = res->udpsize; isc_boolean_t reqnsid = res->view->requestnsid; flags = query->addrinfo->flags; if ((flags & DNS_FETCHOPT_EDNSVERSIONSET) != 0) { version = flags & DNS_FETCHOPT_EDNSVERSIONMASK; version >>= DNS_FETCHOPT_EDNSVERSIONSHIFT; } if ((query->options & DNS_FETCHOPT_EDNS512) != 0) udpsize = 512; else if (peer != NULL) (void)dns_peer_getudpsize(peer, &udpsize); /* request NSID for current view or peer? */ if (peer != NULL) (void) dns_peer_getrequestnsid(peer, &reqnsid); result = fctx_addopt(fctx->qmessage, version, udpsize, reqnsid); if (reqnsid && result == ISC_R_SUCCESS) { query->options |= DNS_FETCHOPT_WANTNSID; } else if (result != ISC_R_SUCCESS) { /* * We couldn't add the OPT, but we'll press on. * We're not using EDNS0, so set the NOEDNS0 * bit. */ query->options |= DNS_FETCHOPT_NOEDNS0; } } else { /* * We know this server doesn't like EDNS0, so we * won't use it. Set the NOEDNS0 bit since we're * not using EDNS0. */ query->options |= DNS_FETCHOPT_NOEDNS0; } } /* * If we need EDNS0 to do this query and aren't using it, we lose. */ if (NEEDEDNS0(fctx) && (query->options & DNS_FETCHOPT_NOEDNS0) != 0) { result = DNS_R_SERVFAIL; goto cleanup_message; } if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0) add_triededns(fctx, &query->addrinfo->sockaddr); if ((query->options & DNS_FETCHOPT_EDNS512) != 0) add_triededns512(fctx, &query->addrinfo->sockaddr); /* * Clear CD if EDNS is not in use. */ if ((query->options & DNS_FETCHOPT_NOEDNS0) != 0) fctx->qmessage->flags &= ~DNS_MESSAGEFLAG_CD; /* * Add TSIG record tailored to the current recipient. */ result = dns_view_getpeertsig(fctx->res->view, &ipaddr, &tsigkey); if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) goto cleanup_message; if (tsigkey != NULL) { result = dns_message_settsigkey(fctx->qmessage, tsigkey); dns_tsigkey_detach(&tsigkey); if (result != ISC_R_SUCCESS) goto cleanup_message; } result = dns_message_rendersection(fctx->qmessage, DNS_SECTION_ADDITIONAL, 0); if (result != ISC_R_SUCCESS) goto cleanup_message; result = dns_message_renderend(fctx->qmessage); if (result != ISC_R_SUCCESS) goto cleanup_message; dns_compress_invalidate(&cctx); cleanup_cctx = ISC_FALSE; if (dns_message_gettsigkey(fctx->qmessage) != NULL) { dns_tsigkey_attach(dns_message_gettsigkey(fctx->qmessage), &query->tsigkey); result = dns_message_getquerytsig(fctx->qmessage, fctx->res->mctx, &query->tsig); if (result != ISC_R_SUCCESS) goto cleanup_message; } /* * If using TCP, write the length of the message at the beginning * of the buffer. */ if ((query->options & DNS_FETCHOPT_TCP) != 0) { isc_buffer_usedregion(&query->buffer, &r); isc_buffer_putuint16(&tcpbuffer, (isc_uint16_t)r.length); isc_buffer_add(&tcpbuffer, r.length); } /* * We're now done with the query message. */ dns_message_reset(fctx->qmessage, DNS_MESSAGE_INTENTRENDER); if (query->exclusivesocket) socket = dns_dispatch_getentrysocket(query->dispentry); else socket = dns_dispatch_getsocket(query->dispatch); /* * Send the query! */ if ((query->options & DNS_FETCHOPT_TCP) == 0) { address = &query->addrinfo->sockaddr; if (query->exclusivesocket) { result = isc_socket_connect(socket, address, task, resquery_udpconnected, query); if (result != ISC_R_SUCCESS) goto cleanup_message; query->connects++; } } isc_buffer_usedregion(buffer, &r); /* * XXXRTH Make sure we don't send to ourselves! We should probably * prune out these addresses when we get them from the ADB. */ result = isc_socket_sendto(socket, &r, task, resquery_senddone, query, address, NULL); if (result != ISC_R_SUCCESS) goto cleanup_message; query->sends++; QTRACE("sent"); return (ISC_R_SUCCESS); cleanup_message: if (cleanup_cctx) dns_compress_invalidate(&cctx); dns_message_reset(fctx->qmessage, DNS_MESSAGE_INTENTRENDER); /* * Stop the dispatcher from listening. */ dns_dispatch_removeresponse(&query->dispentry, NULL); cleanup_temps: if (qname != NULL) dns_message_puttempname(fctx->qmessage, &qname); if (qrdataset != NULL) dns_message_puttemprdataset(fctx->qmessage, &qrdataset); return (result); } static void resquery_connected(isc_task_t *task, isc_event_t *event) { isc_socketevent_t *sevent = (isc_socketevent_t *)event; resquery_t *query = event->ev_arg; isc_boolean_t retry = ISC_FALSE; isc_interval_t interval; isc_result_t result; unsigned int attrs; fetchctx_t *fctx; REQUIRE(event->ev_type == ISC_SOCKEVENT_CONNECT); REQUIRE(VALID_QUERY(query)); QTRACE("connected"); UNUSED(task); /* * XXXRTH * * Currently we don't wait for the connect event before retrying * a query. This means that if we get really behind, we may end * up doing extra work! */ query->connects--; fctx = query->fctx; if (RESQUERY_CANCELED(query)) { /* * This query was canceled while the connect() was in * progress. */ isc_socket_detach(&query->tcpsocket); resquery_destroy(&query); } else { switch (sevent->result) { case ISC_R_SUCCESS: /* * Extend the idle timer for TCP. 20 seconds * should be long enough for a TCP connection to be * established, a single DNS request to be sent, * and the response received. */ isc_interval_set(&interval, 20, 0); result = fctx_startidletimer(query->fctx, &interval); if (result != ISC_R_SUCCESS) { fctx_cancelquery(&query, NULL, NULL, ISC_FALSE); fctx_done(fctx, result, __LINE__); break; } /* * We are connected. Create a dispatcher and * send the query. */ attrs = 0; attrs |= DNS_DISPATCHATTR_TCP; attrs |= DNS_DISPATCHATTR_PRIVATE; attrs |= DNS_DISPATCHATTR_CONNECTED; if (isc_sockaddr_pf(&query->addrinfo->sockaddr) == AF_INET) attrs |= DNS_DISPATCHATTR_IPV4; else attrs |= DNS_DISPATCHATTR_IPV6; attrs |= DNS_DISPATCHATTR_MAKEQUERY; result = dns_dispatch_createtcp(query->dispatchmgr, query->tcpsocket, query->fctx->res->taskmgr, 4096, 2, 1, 1, 3, attrs, &query->dispatch); /* * Regardless of whether dns_dispatch_create() * succeeded or not, we don't need our reference * to the socket anymore. */ isc_socket_detach(&query->tcpsocket); if (result == ISC_R_SUCCESS) result = resquery_send(query); if (result != ISC_R_SUCCESS) { fctx_cancelquery(&query, NULL, NULL, ISC_FALSE); fctx_done(fctx, result, __LINE__); } break; case ISC_R_NETUNREACH: case ISC_R_HOSTUNREACH: case ISC_R_CONNREFUSED: case ISC_R_NOPERM: case ISC_R_ADDRNOTAVAIL: case ISC_R_CONNECTIONRESET: /* * No route to remote. */ isc_socket_detach(&query->tcpsocket); fctx_cancelquery(&query, NULL, NULL, ISC_TRUE); retry = ISC_TRUE; break; default: isc_socket_detach(&query->tcpsocket); fctx_cancelquery(&query, NULL, NULL, ISC_FALSE); break; } } isc_event_free(&event); if (retry) { /* * Behave as if the idle timer has expired. For TCP * connections this may not actually reflect the latest timer. */ fctx->attributes &= ~FCTX_ATTR_ADDRWAIT; result = fctx_stopidletimer(fctx); if (result != ISC_R_SUCCESS) fctx_done(fctx, result, __LINE__); else - fctx_try(fctx, ISC_TRUE); + fctx_try(fctx, ISC_TRUE, ISC_FALSE); } } static void fctx_finddone(isc_task_t *task, isc_event_t *event) { fetchctx_t *fctx; dns_adbfind_t *find; dns_resolver_t *res; isc_boolean_t want_try = ISC_FALSE; isc_boolean_t want_done = ISC_FALSE; isc_boolean_t bucket_empty = ISC_FALSE; unsigned int bucketnum; find = event->ev_sender; fctx = event->ev_arg; REQUIRE(VALID_FCTX(fctx)); res = fctx->res; UNUSED(task); FCTXTRACE("finddone"); INSIST(fctx->pending > 0); fctx->pending--; if (ADDRWAIT(fctx)) { /* * The fetch is waiting for a name to be found. */ INSIST(!SHUTTINGDOWN(fctx)); fctx->attributes &= ~FCTX_ATTR_ADDRWAIT; if (event->ev_type == DNS_EVENT_ADBMOREADDRESSES) want_try = ISC_TRUE; else { fctx->findfail++; if (fctx->pending == 0) { /* * We've got nothing else to wait for and don't * know the answer. There's nothing to do but * fail the fctx. */ want_done = ISC_TRUE; } } } else if (SHUTTINGDOWN(fctx) && fctx->pending == 0 && fctx->nqueries == 0 && ISC_LIST_EMPTY(fctx->validators)) { bucketnum = fctx->bucketnum; LOCK(&res->buckets[bucketnum].lock); /* * Note that we had to wait until we had the lock before * looking at fctx->references. */ if (fctx->references == 0) bucket_empty = fctx_destroy(fctx); UNLOCK(&res->buckets[bucketnum].lock); } isc_event_free(&event); dns_adb_destroyfind(&find); if (want_try) - fctx_try(fctx, ISC_TRUE); + fctx_try(fctx, ISC_TRUE, ISC_FALSE); else if (want_done) fctx_done(fctx, ISC_R_FAILURE, __LINE__); else if (bucket_empty) empty_bucket(res); } static inline isc_boolean_t bad_server(fetchctx_t *fctx, isc_sockaddr_t *address) { isc_sockaddr_t *sa; for (sa = ISC_LIST_HEAD(fctx->bad); sa != NULL; sa = ISC_LIST_NEXT(sa, link)) { if (isc_sockaddr_equal(sa, address)) return (ISC_TRUE); } return (ISC_FALSE); } static inline isc_boolean_t mark_bad(fetchctx_t *fctx) { dns_adbfind_t *curr; dns_adbaddrinfo_t *addrinfo; isc_boolean_t all_bad = ISC_TRUE; /* * Mark all known bad servers, so we don't try to talk to them * again. */ /* * Mark any bad nameservers. */ for (curr = ISC_LIST_HEAD(fctx->finds); curr != NULL; curr = ISC_LIST_NEXT(curr, publink)) { for (addrinfo = ISC_LIST_HEAD(curr->list); addrinfo != NULL; addrinfo = ISC_LIST_NEXT(addrinfo, publink)) { if (bad_server(fctx, &addrinfo->sockaddr)) addrinfo->flags |= FCTX_ADDRINFO_MARK; else all_bad = ISC_FALSE; } } /* * Mark any bad forwarders. */ for (addrinfo = ISC_LIST_HEAD(fctx->forwaddrs); addrinfo != NULL; addrinfo = ISC_LIST_NEXT(addrinfo, publink)) { if (bad_server(fctx, &addrinfo->sockaddr)) addrinfo->flags |= FCTX_ADDRINFO_MARK; else all_bad = ISC_FALSE; } /* * Mark any bad alternates. */ for (curr = ISC_LIST_HEAD(fctx->altfinds); curr != NULL; curr = ISC_LIST_NEXT(curr, publink)) { for (addrinfo = ISC_LIST_HEAD(curr->list); addrinfo != NULL; addrinfo = ISC_LIST_NEXT(addrinfo, publink)) { if (bad_server(fctx, &addrinfo->sockaddr)) addrinfo->flags |= FCTX_ADDRINFO_MARK; else all_bad = ISC_FALSE; } } for (addrinfo = ISC_LIST_HEAD(fctx->altaddrs); addrinfo != NULL; addrinfo = ISC_LIST_NEXT(addrinfo, publink)) { if (bad_server(fctx, &addrinfo->sockaddr)) addrinfo->flags |= FCTX_ADDRINFO_MARK; else all_bad = ISC_FALSE; } return (all_bad); } static void add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason, badnstype_t badtype) { char namebuf[DNS_NAME_FORMATSIZE]; char addrbuf[ISC_SOCKADDR_FORMATSIZE]; char classbuf[64]; char typebuf[64]; char code[64]; isc_buffer_t b; isc_sockaddr_t *sa; const char *sep1, *sep2; isc_sockaddr_t *address = &addrinfo->sockaddr; if (reason == DNS_R_LAME) fctx->lamecount++; else { switch (badtype) { case badns_unreachable: fctx->neterr++; break; case badns_response: fctx->badresp++; break; case badns_validation: break; /* counted as 'valfail' */ } } if (bad_server(fctx, address)) { /* * We already know this server is bad. */ return; } FCTXTRACE("add_bad"); sa = isc_mem_get(fctx->res->buckets[fctx->bucketnum].mctx, sizeof(*sa)); if (sa == NULL) return; *sa = *address; ISC_LIST_INITANDAPPEND(fctx->bad, sa, link); if (reason == DNS_R_LAME) /* already logged */ return; if (reason == DNS_R_UNEXPECTEDRCODE && fctx->rmessage->rcode == dns_rcode_servfail && ISFORWARDER(addrinfo)) return; if (reason == DNS_R_UNEXPECTEDRCODE) { isc_buffer_init(&b, code, sizeof(code) - 1); dns_rcode_totext(fctx->rmessage->rcode, &b); code[isc_buffer_usedlength(&b)] = '\0'; sep1 = "("; sep2 = ") "; } else if (reason == DNS_R_UNEXPECTEDOPCODE) { isc_buffer_init(&b, code, sizeof(code) - 1); dns_opcode_totext((dns_opcode_t)fctx->rmessage->opcode, &b); code[isc_buffer_usedlength(&b)] = '\0'; sep1 = "("; sep2 = ") "; } else { code[0] = '\0'; sep1 = ""; sep2 = ""; } dns_name_format(&fctx->name, namebuf, sizeof(namebuf)); dns_rdatatype_format(fctx->type, typebuf, sizeof(typebuf)); dns_rdataclass_format(fctx->res->rdclass, classbuf, sizeof(classbuf)); isc_sockaddr_format(address, addrbuf, sizeof(addrbuf)); isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS, DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO, "%s %s%s%sresolving '%s/%s/%s': %s", dns_result_totext(reason), sep1, code, sep2, namebuf, typebuf, classbuf, addrbuf); } /* * Return 'bits' bits of random entropy from fctx->rand_buf, * refreshing it by calling isc_random_get() whenever the requested * number of bits is greater than the number in the buffer. */ static inline isc_uint32_t random_bits(fetchctx_t *fctx, isc_uint32_t bits) { isc_uint32_t ret = 0; REQUIRE(VALID_FCTX(fctx)); REQUIRE(bits <= 32); if (bits == 0) return (0); if (bits >= fctx->rand_bits) { /* if rand_bits == 0, this is unnecessary but harmless */ bits -= fctx->rand_bits; ret = fctx->rand_buf << bits; /* refresh random buffer now */ isc_random_get(&fctx->rand_buf); fctx->rand_bits = sizeof(fctx->rand_buf) * CHAR_BIT; } if (bits > 0) { isc_uint32_t mask = 0xffffffff; if (bits < 32) { mask = (1 << bits) - 1; } ret |= fctx->rand_buf & mask; fctx->rand_buf >>= bits; fctx->rand_bits -= bits; } return (ret); } /* * Add some random jitter to a server's RTT value so that the * order of queries will be unpredictable. * * RTT values of servers which have been tried are fuzzed by 128 ms. * Servers that haven't been tried yet have their RTT set to a random * value between 0 ms and 7 ms; they should get to go first, but in * unpredictable order. */ static inline void randomize_srtt(fetchctx_t *fctx, dns_adbaddrinfo_t *ai) { if (TRIED(ai)) { ai->srtt >>= 10; /* convert to milliseconds, near enough */ ai->srtt |= (ai->srtt & 0x80) | random_bits(fctx, 7); ai->srtt <<= 10; /* now back to microseconds */ } else ai->srtt = random_bits(fctx, 3) << 10; } /* * Sort addrinfo list by RTT (with random jitter) */ static void sort_adbfind(fetchctx_t *fctx, dns_adbfind_t *find) { dns_adbaddrinfo_t *best, *curr; dns_adbaddrinfolist_t sorted; /* Add jitter to SRTT values */ curr = ISC_LIST_HEAD(find->list); while (curr != NULL) { randomize_srtt(fctx, curr); curr = ISC_LIST_NEXT(curr, publink); } /* Lame N^2 bubble sort. */ ISC_LIST_INIT(sorted); while (!ISC_LIST_EMPTY(find->list)) { best = ISC_LIST_HEAD(find->list); curr = ISC_LIST_NEXT(best, publink); while (curr != NULL) { if (curr->srtt < best->srtt) best = curr; curr = ISC_LIST_NEXT(curr, publink); } ISC_LIST_UNLINK(find->list, best, publink); ISC_LIST_APPEND(sorted, best, publink); } find->list = sorted; } /* * Sort a list of finds by server RTT (with random jitter) */ static void sort_finds(fetchctx_t *fctx, dns_adbfindlist_t *findlist) { dns_adbfind_t *best, *curr; dns_adbfindlist_t sorted; dns_adbaddrinfo_t *addrinfo, *bestaddrinfo; /* Sort each find's addrinfo list by SRTT (after adding jitter) */ for (curr = ISC_LIST_HEAD(*findlist); curr != NULL; curr = ISC_LIST_NEXT(curr, publink)) sort_adbfind(fctx, curr); /* Lame N^2 bubble sort. */ ISC_LIST_INIT(sorted); while (!ISC_LIST_EMPTY(*findlist)) { best = ISC_LIST_HEAD(*findlist); bestaddrinfo = ISC_LIST_HEAD(best->list); INSIST(bestaddrinfo != NULL); curr = ISC_LIST_NEXT(best, publink); while (curr != NULL) { addrinfo = ISC_LIST_HEAD(curr->list); INSIST(addrinfo != NULL); if (addrinfo->srtt < bestaddrinfo->srtt) { best = curr; bestaddrinfo = addrinfo; } curr = ISC_LIST_NEXT(curr, publink); } ISC_LIST_UNLINK(*findlist, best, publink); ISC_LIST_APPEND(sorted, best, publink); } *findlist = sorted; } static void findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port, unsigned int options, unsigned int flags, isc_stdtime_t now, isc_boolean_t *need_alternate) { dns_adbaddrinfo_t *ai; dns_adbfind_t *find; dns_resolver_t *res; isc_boolean_t unshared; isc_result_t result; res = fctx->res; unshared = ISC_TF((fctx->options | DNS_FETCHOPT_UNSHARED) != 0); /* * If this name is a subdomain of the query domain, tell * the ADB to start looking using zone/hint data. This keeps us * from getting stuck if the nameserver is beneath the zone cut * and we don't know its address (e.g. because the A record has * expired). */ if (dns_name_issubdomain(name, &fctx->domain)) options |= DNS_ADBFIND_STARTATZONE; options |= DNS_ADBFIND_GLUEOK; options |= DNS_ADBFIND_HINTOK; /* * See what we know about this address. */ find = NULL; result = dns_adb_createfind(fctx->adb, res->buckets[fctx->bucketnum].task, fctx_finddone, fctx, name, &fctx->name, fctx->type, options, now, NULL, res->view->dstport, &find); if (result != ISC_R_SUCCESS) { if (result == DNS_R_ALIAS) { /* * XXXRTH Follow the CNAME/DNAME chain? */ dns_adb_destroyfind(&find); fctx->adberr++; } } else if (!ISC_LIST_EMPTY(find->list)) { /* * We have at least some of the addresses for the * name. */ INSIST((find->options & DNS_ADBFIND_WANTEVENT) == 0); if (flags != 0 || port != 0) { for (ai = ISC_LIST_HEAD(find->list); ai != NULL; ai = ISC_LIST_NEXT(ai, publink)) { ai->flags |= flags; if (port != 0) isc_sockaddr_setport(&ai->sockaddr, port); } } if ((flags & FCTX_ADDRINFO_FORWARDER) != 0) ISC_LIST_APPEND(fctx->altfinds, find, publink); else ISC_LIST_APPEND(fctx->finds, find, publink); } else { /* * We don't know any of the addresses for this * name. */ if ((find->options & DNS_ADBFIND_WANTEVENT) != 0) { /* * We're looking for them and will get an * event about it later. */ fctx->pending++; /* * Bootstrap. */ if (need_alternate != NULL && !*need_alternate && unshared && ((res->dispatchv4 == NULL && find->result_v6 != DNS_R_NXDOMAIN) || (res->dispatchv6 == NULL && find->result_v4 != DNS_R_NXDOMAIN))) *need_alternate = ISC_TRUE; } else { if ((find->options & DNS_ADBFIND_LAMEPRUNED) != 0) fctx->lamecount++; /* cached lame server */ else fctx->adberr++; /* unreachable server, etc. */ /* * If we know there are no addresses for * the family we are using then try to add * an alternative server. */ if (need_alternate != NULL && !*need_alternate && ((res->dispatchv4 == NULL && find->result_v6 == DNS_R_NXRRSET) || (res->dispatchv6 == NULL && find->result_v4 == DNS_R_NXRRSET))) *need_alternate = ISC_TRUE; dns_adb_destroyfind(&find); } } } static isc_boolean_t isstrictsubdomain(dns_name_t *name1, dns_name_t *name2) { int order; unsigned int nlabels; dns_namereln_t namereln; namereln = dns_name_fullcompare(name1, name2, &order, &nlabels); return (ISC_TF(namereln == dns_namereln_subdomain)); } static isc_result_t -fctx_getaddresses(fetchctx_t *fctx) { +fctx_getaddresses(fetchctx_t *fctx, isc_boolean_t badcache) { dns_rdata_t rdata = DNS_RDATA_INIT; isc_result_t result; dns_resolver_t *res; isc_stdtime_t now; unsigned int stdoptions; isc_sockaddr_t *sa; dns_adbaddrinfo_t *ai; isc_boolean_t all_bad; dns_rdata_ns_t ns; isc_boolean_t need_alternate = ISC_FALSE; FCTXTRACE("getaddresses"); /* * Don't pound on remote servers. (Failsafe!) */ fctx->restarts++; if (fctx->restarts > 10) { FCTXTRACE("too many restarts"); return (DNS_R_SERVFAIL); } res = fctx->res; stdoptions = 0; /* Keep compiler happy. */ /* * Forwarders. */ INSIST(ISC_LIST_EMPTY(fctx->forwaddrs)); INSIST(ISC_LIST_EMPTY(fctx->altaddrs)); /* * If this fctx has forwarders, use them; otherwise use any * selective forwarders specified in the view; otherwise use the * resolver's forwarders (if any). */ sa = ISC_LIST_HEAD(fctx->forwarders); if (sa == NULL) { dns_forwarders_t *forwarders = NULL; dns_name_t *name = &fctx->name; dns_name_t suffix; unsigned int labels; dns_fixedname_t fixed; dns_name_t *domain; /* * DS records are found in the parent server. * Strip label to get the correct forwarder (if any). */ if (dns_rdatatype_atparent(fctx->type) && dns_name_countlabels(name) > 1) { dns_name_init(&suffix, NULL); labels = dns_name_countlabels(name); dns_name_getlabelsequence(name, 1, labels - 1, &suffix); name = &suffix; } dns_fixedname_init(&fixed); domain = dns_fixedname_name(&fixed); result = dns_fwdtable_find2(fctx->res->view->fwdtable, name, domain, &forwarders); if (result == ISC_R_SUCCESS) { sa = ISC_LIST_HEAD(forwarders->addrs); fctx->fwdpolicy = forwarders->fwdpolicy; if (fctx->fwdpolicy == dns_fwdpolicy_only && isstrictsubdomain(domain, &fctx->domain)) { isc_mem_t *mctx; mctx = res->buckets[fctx->bucketnum].mctx; dns_name_free(&fctx->domain, mctx); dns_name_init(&fctx->domain, NULL); result = dns_name_dup(domain, mctx, &fctx->domain); if (result != ISC_R_SUCCESS) return (result); } } } while (sa != NULL) { if ((isc_sockaddr_pf(sa) == AF_INET && fctx->res->dispatchv4 == NULL) || (isc_sockaddr_pf(sa) == AF_INET6 && fctx->res->dispatchv6 == NULL)) { sa = ISC_LIST_NEXT(sa, link); continue; } ai = NULL; result = dns_adb_findaddrinfo(fctx->adb, sa, &ai, 0); /* XXXMLG */ if (result == ISC_R_SUCCESS) { dns_adbaddrinfo_t *cur; ai->flags |= FCTX_ADDRINFO_FORWARDER; cur = ISC_LIST_HEAD(fctx->forwaddrs); while (cur != NULL && cur->srtt < ai->srtt) cur = ISC_LIST_NEXT(cur, publink); if (cur != NULL) ISC_LIST_INSERTBEFORE(fctx->forwaddrs, cur, ai, publink); else ISC_LIST_APPEND(fctx->forwaddrs, ai, publink); } sa = ISC_LIST_NEXT(sa, link); } /* * If the forwarding policy is "only", we don't need the addresses * of the nameservers. */ if (fctx->fwdpolicy == dns_fwdpolicy_only) goto out; /* * Normal nameservers. */ stdoptions = DNS_ADBFIND_WANTEVENT | DNS_ADBFIND_EMPTYEVENT; if (fctx->restarts == 1) { /* * To avoid sending out a flood of queries likely to * result in NXRRSET, we suppress fetches for address * families we don't have the first time through, * provided that we have addresses in some family we * can use. * * We don't want to set this option all the time, since * if fctx->restarts > 1, we've clearly been having trouble * with the addresses we had, so getting more could help. */ stdoptions |= DNS_ADBFIND_AVOIDFETCHES; } if (res->dispatchv4 != NULL) stdoptions |= DNS_ADBFIND_INET; if (res->dispatchv6 != NULL) stdoptions |= DNS_ADBFIND_INET6; isc_stdtime_get(&now); INSIST(ISC_LIST_EMPTY(fctx->finds)); INSIST(ISC_LIST_EMPTY(fctx->altfinds)); for (result = dns_rdataset_first(&fctx->nameservers); result == ISC_R_SUCCESS; result = dns_rdataset_next(&fctx->nameservers)) { dns_rdataset_current(&fctx->nameservers, &rdata); /* * Extract the name from the NS record. */ result = dns_rdata_tostruct(&rdata, &ns, NULL); if (result != ISC_R_SUCCESS) continue; findname(fctx, &ns.name, 0, stdoptions, 0, now, &need_alternate); dns_rdata_reset(&rdata); dns_rdata_freestruct(&ns); } if (result != ISC_R_NOMORE) return (result); /* * Do we need to use 6 to 4? */ if (need_alternate) { int family; alternate_t *a; family = (res->dispatchv6 != NULL) ? AF_INET6 : AF_INET; for (a = ISC_LIST_HEAD(fctx->res->alternates); a != NULL; a = ISC_LIST_NEXT(a, link)) { if (!a->isaddress) { findname(fctx, &a->_u._n.name, a->_u._n.port, stdoptions, FCTX_ADDRINFO_FORWARDER, now, NULL); continue; } if (isc_sockaddr_pf(&a->_u.addr) != family) continue; ai = NULL; result = dns_adb_findaddrinfo(fctx->adb, &a->_u.addr, &ai, 0); if (result == ISC_R_SUCCESS) { dns_adbaddrinfo_t *cur; ai->flags |= FCTX_ADDRINFO_FORWARDER; cur = ISC_LIST_HEAD(fctx->altaddrs); while (cur != NULL && cur->srtt < ai->srtt) cur = ISC_LIST_NEXT(cur, publink); if (cur != NULL) ISC_LIST_INSERTBEFORE(fctx->altaddrs, cur, ai, publink); else ISC_LIST_APPEND(fctx->altaddrs, ai, publink); } } } out: /* * Mark all known bad servers. */ all_bad = mark_bad(fctx); /* * How are we doing? */ if (all_bad) { /* * We've got no addresses. */ if (fctx->pending > 0) { /* * We're fetching the addresses, but don't have any * yet. Tell the caller to wait for an answer. */ result = DNS_R_WAIT; } else { + isc_time_t expire; + isc_interval_t i; /* * We've lost completely. We don't know any * addresses, and the ADB has told us it can't get * them. */ FCTXTRACE("no addresses"); + isc_interval_set(&i, DNS_BADCACHE_TTL(fctx), 0); + result = isc_time_nowplusinterval(&expire, &i); + if (badcache && + (fctx->type == dns_rdatatype_dnskey || + fctx->type == dns_rdatatype_dlv || + fctx->type == dns_rdatatype_ds) && + result == ISC_R_SUCCESS) + dns_resolver_addbadcache(fctx->res, + &fctx->name, + fctx->type, &expire); result = ISC_R_FAILURE; } } else { /* * We've found some addresses. We might still be looking * for more addresses. */ sort_finds(fctx, &fctx->finds); sort_finds(fctx, &fctx->altfinds); result = ISC_R_SUCCESS; } return (result); } static inline void possibly_mark(fetchctx_t *fctx, dns_adbaddrinfo_t *addr) { isc_netaddr_t na; char buf[ISC_NETADDR_FORMATSIZE]; isc_sockaddr_t *sa; isc_boolean_t aborted = ISC_FALSE; isc_boolean_t bogus; dns_acl_t *blackhole; isc_netaddr_t ipaddr; dns_peer_t *peer = NULL; dns_resolver_t *res; const char *msg = NULL; sa = &addr->sockaddr; res = fctx->res; isc_netaddr_fromsockaddr(&ipaddr, sa); blackhole = dns_dispatchmgr_getblackhole(res->dispatchmgr); (void) dns_peerlist_peerbyaddr(res->view->peers, &ipaddr, &peer); if (blackhole != NULL) { int match; if (dns_acl_match(&ipaddr, NULL, blackhole, &res->view->aclenv, &match, NULL) == ISC_R_SUCCESS && match > 0) aborted = ISC_TRUE; } if (peer != NULL && dns_peer_getbogus(peer, &bogus) == ISC_R_SUCCESS && bogus) aborted = ISC_TRUE; if (aborted) { addr->flags |= FCTX_ADDRINFO_MARK; msg = "ignoring blackholed / bogus server: "; } else if (isc_sockaddr_ismulticast(sa)) { addr->flags |= FCTX_ADDRINFO_MARK; msg = "ignoring multicast address: "; } else if (isc_sockaddr_isexperimental(sa)) { addr->flags |= FCTX_ADDRINFO_MARK; msg = "ignoring experimental address: "; } else if (sa->type.sa.sa_family != AF_INET6) { return; } else if (IN6_IS_ADDR_V4MAPPED(&sa->type.sin6.sin6_addr)) { addr->flags |= FCTX_ADDRINFO_MARK; msg = "ignoring IPv6 mapped IPV4 address: "; } else if (IN6_IS_ADDR_V4COMPAT(&sa->type.sin6.sin6_addr)) { addr->flags |= FCTX_ADDRINFO_MARK; msg = "ignoring IPv6 compatibility IPV4 address: "; } else return; if (!isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) return; isc_netaddr_fromsockaddr(&na, sa); isc_netaddr_format(&na, buf, sizeof(buf)); FCTXTRACE2(msg, buf); } static inline dns_adbaddrinfo_t * fctx_nextaddress(fetchctx_t *fctx) { dns_adbfind_t *find, *start; dns_adbaddrinfo_t *addrinfo; dns_adbaddrinfo_t *faddrinfo; /* * Return the next untried address, if any. */ /* * Find the first unmarked forwarder (if any). */ for (addrinfo = ISC_LIST_HEAD(fctx->forwaddrs); addrinfo != NULL; addrinfo = ISC_LIST_NEXT(addrinfo, publink)) { if (!UNMARKED(addrinfo)) continue; possibly_mark(fctx, addrinfo); if (UNMARKED(addrinfo)) { addrinfo->flags |= FCTX_ADDRINFO_MARK; fctx->find = NULL; return (addrinfo); } } /* * No forwarders. Move to the next find. */ fctx->attributes |= FCTX_ATTR_TRIEDFIND; find = fctx->find; if (find == NULL) find = ISC_LIST_HEAD(fctx->finds); else { find = ISC_LIST_NEXT(find, publink); if (find == NULL) find = ISC_LIST_HEAD(fctx->finds); } /* * Find the first unmarked addrinfo. */ addrinfo = NULL; if (find != NULL) { start = find; do { for (addrinfo = ISC_LIST_HEAD(find->list); addrinfo != NULL; addrinfo = ISC_LIST_NEXT(addrinfo, publink)) { if (!UNMARKED(addrinfo)) continue; possibly_mark(fctx, addrinfo); if (UNMARKED(addrinfo)) { addrinfo->flags |= FCTX_ADDRINFO_MARK; break; } } if (addrinfo != NULL) break; find = ISC_LIST_NEXT(find, publink); if (find == NULL) find = ISC_LIST_HEAD(fctx->finds); } while (find != start); } fctx->find = find; if (addrinfo != NULL) return (addrinfo); /* * No nameservers left. Try alternates. */ fctx->attributes |= FCTX_ATTR_TRIEDALT; find = fctx->altfind; if (find == NULL) find = ISC_LIST_HEAD(fctx->altfinds); else { find = ISC_LIST_NEXT(find, publink); if (find == NULL) find = ISC_LIST_HEAD(fctx->altfinds); } /* * Find the first unmarked addrinfo. */ addrinfo = NULL; if (find != NULL) { start = find; do { for (addrinfo = ISC_LIST_HEAD(find->list); addrinfo != NULL; addrinfo = ISC_LIST_NEXT(addrinfo, publink)) { if (!UNMARKED(addrinfo)) continue; possibly_mark(fctx, addrinfo); if (UNMARKED(addrinfo)) { addrinfo->flags |= FCTX_ADDRINFO_MARK; break; } } if (addrinfo != NULL) break; find = ISC_LIST_NEXT(find, publink); if (find == NULL) find = ISC_LIST_HEAD(fctx->altfinds); } while (find != start); } faddrinfo = addrinfo; /* * See if we have a better alternate server by address. */ for (addrinfo = ISC_LIST_HEAD(fctx->altaddrs); addrinfo != NULL; addrinfo = ISC_LIST_NEXT(addrinfo, publink)) { if (!UNMARKED(addrinfo)) continue; possibly_mark(fctx, addrinfo); if (UNMARKED(addrinfo) && (faddrinfo == NULL || addrinfo->srtt < faddrinfo->srtt)) { if (faddrinfo != NULL) faddrinfo->flags &= ~FCTX_ADDRINFO_MARK; addrinfo->flags |= FCTX_ADDRINFO_MARK; break; } } if (addrinfo == NULL) { addrinfo = faddrinfo; fctx->altfind = find; } return (addrinfo); } static void -fctx_try(fetchctx_t *fctx, isc_boolean_t retrying) { +fctx_try(fetchctx_t *fctx, isc_boolean_t retrying, isc_boolean_t badcache) { isc_result_t result; dns_adbaddrinfo_t *addrinfo; FCTXTRACE("try"); REQUIRE(!ADDRWAIT(fctx)); addrinfo = fctx_nextaddress(fctx); if (addrinfo == NULL) { /* * We have no more addresses. Start over. */ fctx_cancelqueries(fctx, ISC_TRUE); fctx_cleanupfinds(fctx); fctx_cleanupaltfinds(fctx); fctx_cleanupforwaddrs(fctx); fctx_cleanupaltaddrs(fctx); - result = fctx_getaddresses(fctx); + result = fctx_getaddresses(fctx, badcache); if (result == DNS_R_WAIT) { /* * Sleep waiting for addresses. */ FCTXTRACE("addrwait"); fctx->attributes |= FCTX_ATTR_ADDRWAIT; return; } else if (result != ISC_R_SUCCESS) { /* * Something bad happened. */ fctx_done(fctx, result, __LINE__); return; } addrinfo = fctx_nextaddress(fctx); /* * While we may have addresses from the ADB, they * might be bad ones. In this case, return SERVFAIL. */ if (addrinfo == NULL) { fctx_done(fctx, DNS_R_SERVFAIL, __LINE__); return; } } result = fctx_query(fctx, addrinfo, fctx->options); if (result != ISC_R_SUCCESS) fctx_done(fctx, result, __LINE__); else if (retrying) inc_stats(fctx->res, dns_resstatscounter_retry); } static isc_boolean_t fctx_destroy(fetchctx_t *fctx) { dns_resolver_t *res; unsigned int bucketnum; isc_sockaddr_t *sa, *next_sa; /* * Caller must be holding the bucket lock. */ REQUIRE(VALID_FCTX(fctx)); REQUIRE(fctx->state == fetchstate_done || fctx->state == fetchstate_init); REQUIRE(ISC_LIST_EMPTY(fctx->events)); REQUIRE(ISC_LIST_EMPTY(fctx->queries)); REQUIRE(ISC_LIST_EMPTY(fctx->finds)); REQUIRE(ISC_LIST_EMPTY(fctx->altfinds)); REQUIRE(fctx->pending == 0); REQUIRE(fctx->references == 0); REQUIRE(ISC_LIST_EMPTY(fctx->validators)); FCTXTRACE("destroy"); res = fctx->res; bucketnum = fctx->bucketnum; ISC_LIST_UNLINK(res->buckets[bucketnum].fctxs, fctx, link); /* * Free bad. */ for (sa = ISC_LIST_HEAD(fctx->bad); sa != NULL; sa = next_sa) { next_sa = ISC_LIST_NEXT(sa, link); ISC_LIST_UNLINK(fctx->bad, sa, link); isc_mem_put(res->buckets[bucketnum].mctx, sa, sizeof(*sa)); } for (sa = ISC_LIST_HEAD(fctx->edns); sa != NULL; sa = next_sa) { next_sa = ISC_LIST_NEXT(sa, link); ISC_LIST_UNLINK(fctx->edns, sa, link); isc_mem_put(res->buckets[bucketnum].mctx, sa, sizeof(*sa)); } for (sa = ISC_LIST_HEAD(fctx->edns512); sa != NULL; sa = next_sa) { next_sa = ISC_LIST_NEXT(sa, link); ISC_LIST_UNLINK(fctx->edns512, sa, link); isc_mem_put(res->buckets[bucketnum].mctx, sa, sizeof(*sa)); } isc_timer_detach(&fctx->timer); dns_message_destroy(&fctx->rmessage); dns_message_destroy(&fctx->qmessage); if (dns_name_countlabels(&fctx->domain) > 0) dns_name_free(&fctx->domain, res->buckets[bucketnum].mctx); if (dns_rdataset_isassociated(&fctx->nameservers)) dns_rdataset_disassociate(&fctx->nameservers); dns_name_free(&fctx->name, res->buckets[bucketnum].mctx); dns_db_detach(&fctx->cache); dns_adb_detach(&fctx->adb); isc_mem_free(res->buckets[bucketnum].mctx, fctx->info); isc_mem_put(res->buckets[bucketnum].mctx, fctx, sizeof(*fctx)); LOCK(&res->nlock); res->nfctx--; UNLOCK(&res->nlock); if (res->buckets[bucketnum].exiting && ISC_LIST_EMPTY(res->buckets[bucketnum].fctxs)) return (ISC_TRUE); return (ISC_FALSE); } /* * Fetch event handlers. */ static void fctx_timeout(isc_task_t *task, isc_event_t *event) { fetchctx_t *fctx = event->ev_arg; isc_timerevent_t *tevent = (isc_timerevent_t *)event; resquery_t *query; REQUIRE(VALID_FCTX(fctx)); UNUSED(task); FCTXTRACE("timeout"); inc_stats(fctx->res, dns_resstatscounter_querytimeout); if (event->ev_type == ISC_TIMEREVENT_LIFE) { fctx->reason = NULL; fctx_done(fctx, ISC_R_TIMEDOUT, __LINE__); } else { isc_result_t result; fctx->timeouts++; fctx->timeout = ISC_TRUE; /* * We could cancel the running queries here, or we could let * them keep going. Since we normally use separate sockets for * different queries, we adopt the former approach to reduce * the number of open sockets: cancel the oldest query if it * expired after the query had started (this is usually the * case but is not always so, depending on the task schedule * timing). */ query = ISC_LIST_HEAD(fctx->queries); if (query != NULL && isc_time_compare(&tevent->due, &query->start) >= 0) { fctx_cancelquery(&query, NULL, NULL, ISC_TRUE); } fctx->attributes &= ~FCTX_ATTR_ADDRWAIT; /* * Our timer has triggered. Reestablish the fctx lifetime * timer. */ result = fctx_starttimer(fctx); if (result != ISC_R_SUCCESS) fctx_done(fctx, result, __LINE__); else /* * Keep trying. */ - fctx_try(fctx, ISC_TRUE); + fctx_try(fctx, ISC_TRUE, ISC_FALSE); } isc_event_free(&event); } static void fctx_shutdown(fetchctx_t *fctx) { isc_event_t *cevent; /* * Start the shutdown process for fctx, if it isn't already underway. */ FCTXTRACE("shutdown"); /* * The caller must be holding the appropriate bucket lock. */ if (fctx->want_shutdown) return; fctx->want_shutdown = ISC_TRUE; /* * Unless we're still initializing (in which case the * control event is still outstanding), we need to post * the control event to tell the fetch we want it to * exit. */ if (fctx->state != fetchstate_init) { cevent = &fctx->control_event; isc_task_send(fctx->res->buckets[fctx->bucketnum].task, &cevent); } } static void fctx_doshutdown(isc_task_t *task, isc_event_t *event) { fetchctx_t *fctx = event->ev_arg; isc_boolean_t bucket_empty = ISC_FALSE; dns_resolver_t *res; unsigned int bucketnum; dns_validator_t *validator; REQUIRE(VALID_FCTX(fctx)); UNUSED(task); res = fctx->res; bucketnum = fctx->bucketnum; FCTXTRACE("doshutdown"); /* * An fctx that is shutting down is no longer in ADDRWAIT mode. */ fctx->attributes &= ~FCTX_ATTR_ADDRWAIT; /* * Cancel all pending validators. Note that this must be done * without the bucket lock held, since that could cause deadlock. */ validator = ISC_LIST_HEAD(fctx->validators); while (validator != NULL) { dns_validator_cancel(validator); validator = ISC_LIST_NEXT(validator, link); } if (fctx->nsfetch != NULL) dns_resolver_cancelfetch(fctx->nsfetch); /* * Shut down anything that is still running on behalf of this * fetch. To avoid deadlock with the ADB, we must do this * before we lock the bucket lock. */ fctx_stopeverything(fctx, ISC_FALSE); LOCK(&res->buckets[bucketnum].lock); fctx->attributes |= FCTX_ATTR_SHUTTINGDOWN; INSIST(fctx->state == fetchstate_active || fctx->state == fetchstate_done); INSIST(fctx->want_shutdown); if (fctx->state != fetchstate_done) { fctx->state = fetchstate_done; fctx_sendevents(fctx, ISC_R_CANCELED, __LINE__); } if (fctx->references == 0 && fctx->pending == 0 && fctx->nqueries == 0 && ISC_LIST_EMPTY(fctx->validators)) bucket_empty = fctx_destroy(fctx); UNLOCK(&res->buckets[bucketnum].lock); if (bucket_empty) empty_bucket(res); } static void fctx_start(isc_task_t *task, isc_event_t *event) { fetchctx_t *fctx = event->ev_arg; isc_boolean_t done = ISC_FALSE, bucket_empty = ISC_FALSE; dns_resolver_t *res; unsigned int bucketnum; REQUIRE(VALID_FCTX(fctx)); UNUSED(task); res = fctx->res; bucketnum = fctx->bucketnum; FCTXTRACE("start"); LOCK(&res->buckets[bucketnum].lock); INSIST(fctx->state == fetchstate_init); if (fctx->want_shutdown) { /* * We haven't started this fctx yet, and we've been requested * to shut it down. */ fctx->attributes |= FCTX_ATTR_SHUTTINGDOWN; fctx->state = fetchstate_done; fctx_sendevents(fctx, ISC_R_CANCELED, __LINE__); /* * Since we haven't started, we INSIST that we have no * pending ADB finds and no pending validations. */ INSIST(fctx->pending == 0); INSIST(fctx->nqueries == 0); INSIST(ISC_LIST_EMPTY(fctx->validators)); if (fctx->references == 0) { /* * It's now safe to destroy this fctx. */ bucket_empty = fctx_destroy(fctx); } done = ISC_TRUE; } else { /* * Normal fctx startup. */ fctx->state = fetchstate_active; /* * Reset the control event for later use in shutting down * the fctx. */ ISC_EVENT_INIT(event, sizeof(*event), 0, NULL, DNS_EVENT_FETCHCONTROL, fctx_doshutdown, fctx, NULL, NULL, NULL); } UNLOCK(&res->buckets[bucketnum].lock); if (!done) { isc_result_t result; /* * All is well. Start working on the fetch. */ result = fctx_starttimer(fctx); if (result != ISC_R_SUCCESS) fctx_done(fctx, result, __LINE__); else - fctx_try(fctx, ISC_FALSE); + fctx_try(fctx, ISC_FALSE, ISC_FALSE); } else if (bucket_empty) empty_bucket(res); } /* * Fetch Creation, Joining, and Cancelation. */ static inline isc_result_t fctx_join(fetchctx_t *fctx, isc_task_t *task, isc_sockaddr_t *client, dns_messageid_t id, isc_taskaction_t action, void *arg, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, dns_fetch_t *fetch) { isc_task_t *clone; dns_fetchevent_t *event; FCTXTRACE("join"); /* * We store the task we're going to send this event to in the * sender field. We'll make the fetch the sender when we actually * send the event. */ clone = NULL; isc_task_attach(task, &clone); event = (dns_fetchevent_t *) isc_event_allocate(fctx->res->mctx, clone, DNS_EVENT_FETCHDONE, action, arg, sizeof(*event)); if (event == NULL) { isc_task_detach(&clone); return (ISC_R_NOMEMORY); } event->result = DNS_R_SERVFAIL; event->qtype = fctx->type; event->db = NULL; event->node = NULL; event->rdataset = rdataset; event->sigrdataset = sigrdataset; event->fetch = fetch; event->client = client; event->id = id; dns_fixedname_init(&event->foundname); /* * Make sure that we can store the sigrdataset in the * first event if it is needed by any of the events. */ if (event->sigrdataset != NULL) ISC_LIST_PREPEND(fctx->events, event, ev_link); else ISC_LIST_APPEND(fctx->events, event, ev_link); fctx->references++; fetch->magic = DNS_FETCH_MAGIC; fetch->private = fctx; return (ISC_R_SUCCESS); } static isc_result_t fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, dns_name_t *domain, dns_rdataset_t *nameservers, unsigned int options, unsigned int bucketnum, fetchctx_t **fctxp) { fetchctx_t *fctx; isc_result_t result; isc_result_t iresult; isc_interval_t interval; dns_fixedname_t fixed; unsigned int findoptions = 0; char buf[DNS_NAME_FORMATSIZE + DNS_RDATATYPE_FORMATSIZE]; char typebuf[DNS_RDATATYPE_FORMATSIZE]; dns_name_t suffix; /* * Caller must be holding the lock for bucket number 'bucketnum'. */ REQUIRE(fctxp != NULL && *fctxp == NULL); fctx = isc_mem_get(res->buckets[bucketnum].mctx, sizeof(*fctx)); if (fctx == NULL) return (ISC_R_NOMEMORY); dns_name_format(name, buf, sizeof(buf)); dns_rdatatype_format(type, typebuf, sizeof(typebuf)); strcat(buf, "/"); /* checked */ strcat(buf, typebuf); /* checked */ fctx->info = isc_mem_strdup(res->buckets[bucketnum].mctx, buf); if (fctx->info == NULL) { result = ISC_R_NOMEMORY; goto cleanup_fetch; } FCTXTRACE("create"); dns_name_init(&fctx->name, NULL); result = dns_name_dup(name, res->buckets[bucketnum].mctx, &fctx->name); if (result != ISC_R_SUCCESS) goto cleanup_info; dns_name_init(&fctx->domain, NULL); dns_rdataset_init(&fctx->nameservers); fctx->type = type; fctx->options = options; /* * Note! We do not attach to the task. We are relying on the * resolver to ensure that this task doesn't go away while we are * using it. */ fctx->res = res; fctx->references = 0; fctx->bucketnum = bucketnum; fctx->state = fetchstate_init; fctx->want_shutdown = ISC_FALSE; fctx->cloned = ISC_FALSE; ISC_LIST_INIT(fctx->queries); ISC_LIST_INIT(fctx->finds); ISC_LIST_INIT(fctx->altfinds); ISC_LIST_INIT(fctx->forwaddrs); ISC_LIST_INIT(fctx->altaddrs); ISC_LIST_INIT(fctx->forwarders); fctx->fwdpolicy = dns_fwdpolicy_none; ISC_LIST_INIT(fctx->bad); ISC_LIST_INIT(fctx->edns); ISC_LIST_INIT(fctx->edns512); ISC_LIST_INIT(fctx->validators); fctx->validator = NULL; fctx->find = NULL; fctx->altfind = NULL; fctx->pending = 0; fctx->restarts = 0; fctx->querysent = 0; fctx->referrals = 0; TIME_NOW(&fctx->start); fctx->timeouts = 0; fctx->lamecount = 0; fctx->adberr = 0; fctx->neterr = 0; fctx->badresp = 0; fctx->findfail = 0; fctx->valfail = 0; fctx->result = ISC_R_FAILURE; fctx->vresult = ISC_R_SUCCESS; fctx->exitline = -1; /* sentinel */ fctx->logged = ISC_FALSE; fctx->attributes = 0; fctx->spilled = ISC_FALSE; fctx->nqueries = 0; fctx->reason = NULL; fctx->rand_buf = 0; fctx->rand_bits = 0; fctx->timeout = ISC_FALSE; dns_name_init(&fctx->nsname, NULL); fctx->nsfetch = NULL; dns_rdataset_init(&fctx->nsrrset); if (domain == NULL) { dns_forwarders_t *forwarders = NULL; unsigned int labels; dns_name_t *fwdname = name; /* * DS records are found in the parent server. * Strip label to get the correct forwarder (if any). */ if (dns_rdatatype_atparent(fctx->type) && dns_name_countlabels(name) > 1) { dns_name_init(&suffix, NULL); labels = dns_name_countlabels(name); dns_name_getlabelsequence(name, 1, labels - 1, &suffix); fwdname = &suffix; } dns_fixedname_init(&fixed); domain = dns_fixedname_name(&fixed); result = dns_fwdtable_find2(fctx->res->view->fwdtable, fwdname, domain, &forwarders); if (result == ISC_R_SUCCESS) fctx->fwdpolicy = forwarders->fwdpolicy; if (fctx->fwdpolicy != dns_fwdpolicy_only) { /* * The caller didn't supply a query domain and * nameservers, and we're not in forward-only mode, * so find the best nameservers to use. */ if (dns_rdatatype_atparent(fctx->type)) findoptions |= DNS_DBFIND_NOEXACT; result = dns_view_findzonecut(res->view, name, domain, 0, findoptions, ISC_TRUE, &fctx->nameservers, NULL); if (result != ISC_R_SUCCESS) goto cleanup_name; result = dns_name_dup(domain, res->buckets[bucketnum].mctx, &fctx->domain); if (result != ISC_R_SUCCESS) { dns_rdataset_disassociate(&fctx->nameservers); goto cleanup_name; } } else { /* * We're in forward-only mode. Set the query domain. */ result = dns_name_dup(domain, res->buckets[bucketnum].mctx, &fctx->domain); if (result != ISC_R_SUCCESS) goto cleanup_name; } } else { result = dns_name_dup(domain, res->buckets[bucketnum].mctx, &fctx->domain); if (result != ISC_R_SUCCESS) goto cleanup_name; dns_rdataset_clone(nameservers, &fctx->nameservers); } INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)); fctx->qmessage = NULL; result = dns_message_create(res->buckets[bucketnum].mctx, DNS_MESSAGE_INTENTRENDER, &fctx->qmessage); if (result != ISC_R_SUCCESS) goto cleanup_domain; fctx->rmessage = NULL; result = dns_message_create(res->buckets[bucketnum].mctx, DNS_MESSAGE_INTENTPARSE, &fctx->rmessage); if (result != ISC_R_SUCCESS) goto cleanup_qmessage; /* * Compute an expiration time for the entire fetch. */ isc_interval_set(&interval, 30, 0); /* XXXRTH constant */ iresult = isc_time_nowplusinterval(&fctx->expires, &interval); if (iresult != ISC_R_SUCCESS) { UNEXPECTED_ERROR(__FILE__, __LINE__, "isc_time_nowplusinterval: %s", isc_result_totext(iresult)); result = ISC_R_UNEXPECTED; goto cleanup_rmessage; } /* * Default retry interval initialization. We set the interval now * mostly so it won't be uninitialized. It will be set to the * correct value before a query is issued. */ isc_interval_set(&fctx->interval, 2, 0); /* * Create an inactive timer. It will be made active when the fetch * is actually started. */ fctx->timer = NULL; iresult = isc_timer_create(res->timermgr, isc_timertype_inactive, NULL, NULL, res->buckets[bucketnum].task, fctx_timeout, fctx, &fctx->timer); if (iresult != ISC_R_SUCCESS) { UNEXPECTED_ERROR(__FILE__, __LINE__, "isc_timer_create: %s", isc_result_totext(iresult)); result = ISC_R_UNEXPECTED; goto cleanup_rmessage; } /* * Attach to the view's cache and adb. */ fctx->cache = NULL; dns_db_attach(res->view->cachedb, &fctx->cache); fctx->adb = NULL; dns_adb_attach(res->view->adb, &fctx->adb); ISC_LIST_INIT(fctx->events); ISC_LINK_INIT(fctx, link); fctx->magic = FCTX_MAGIC; ISC_LIST_APPEND(res->buckets[bucketnum].fctxs, fctx, link); LOCK(&res->nlock); res->nfctx++; UNLOCK(&res->nlock); *fctxp = fctx; return (ISC_R_SUCCESS); cleanup_rmessage: dns_message_destroy(&fctx->rmessage); cleanup_qmessage: dns_message_destroy(&fctx->qmessage); cleanup_domain: if (dns_name_countlabels(&fctx->domain) > 0) dns_name_free(&fctx->domain, res->buckets[bucketnum].mctx); if (dns_rdataset_isassociated(&fctx->nameservers)) dns_rdataset_disassociate(&fctx->nameservers); cleanup_name: dns_name_free(&fctx->name, res->buckets[bucketnum].mctx); cleanup_info: isc_mem_free(res->buckets[bucketnum].mctx, fctx->info); cleanup_fetch: isc_mem_put(res->buckets[bucketnum].mctx, fctx, sizeof(*fctx)); return (result); } /* * Handle Responses */ static inline isc_boolean_t is_lame(fetchctx_t *fctx) { dns_message_t *message = fctx->rmessage; dns_name_t *name; dns_rdataset_t *rdataset; isc_result_t result; if (message->rcode != dns_rcode_noerror && message->rcode != dns_rcode_nxdomain) return (ISC_FALSE); if (message->counts[DNS_SECTION_ANSWER] != 0) return (ISC_FALSE); if (message->counts[DNS_SECTION_AUTHORITY] == 0) return (ISC_FALSE); result = dns_message_firstname(message, DNS_SECTION_AUTHORITY); while (result == ISC_R_SUCCESS) { name = NULL; dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name); for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { dns_namereln_t namereln; int order; unsigned int labels; if (rdataset->type != dns_rdatatype_ns) continue; namereln = dns_name_fullcompare(name, &fctx->domain, &order, &labels); if (namereln == dns_namereln_equal && (message->flags & DNS_MESSAGEFLAG_AA) != 0) return (ISC_FALSE); if (namereln == dns_namereln_subdomain) return (ISC_FALSE); return (ISC_TRUE); } result = dns_message_nextname(message, DNS_SECTION_AUTHORITY); } return (ISC_FALSE); } static inline void log_lame(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo) { char namebuf[DNS_NAME_FORMATSIZE]; char domainbuf[DNS_NAME_FORMATSIZE]; char addrbuf[ISC_SOCKADDR_FORMATSIZE]; dns_name_format(&fctx->name, namebuf, sizeof(namebuf)); dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf)); isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf)); isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS, DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO, "lame server resolving '%s' (in '%s'?): %s", namebuf, domainbuf, addrbuf); } static inline isc_result_t same_question(fetchctx_t *fctx) { isc_result_t result; dns_message_t *message = fctx->rmessage; dns_name_t *name; dns_rdataset_t *rdataset; /* * Caller must be holding the fctx lock. */ /* * XXXRTH Currently we support only one question. */ if (message->counts[DNS_SECTION_QUESTION] != 1) return (DNS_R_FORMERR); result = dns_message_firstname(message, DNS_SECTION_QUESTION); if (result != ISC_R_SUCCESS) return (result); name = NULL; dns_message_currentname(message, DNS_SECTION_QUESTION, &name); rdataset = ISC_LIST_HEAD(name->list); INSIST(rdataset != NULL); INSIST(ISC_LIST_NEXT(rdataset, link) == NULL); if (fctx->type != rdataset->type || fctx->res->rdclass != rdataset->rdclass || !dns_name_equal(&fctx->name, name)) return (DNS_R_FORMERR); return (ISC_R_SUCCESS); } static void clone_results(fetchctx_t *fctx) { dns_fetchevent_t *event, *hevent; isc_result_t result; dns_name_t *name, *hname; FCTXTRACE("clone_results"); /* * Set up any other events to have the same data as the first * event. * * Caller must be holding the appropriate lock. */ fctx->cloned = ISC_TRUE; hevent = ISC_LIST_HEAD(fctx->events); if (hevent == NULL) return; hname = dns_fixedname_name(&hevent->foundname); for (event = ISC_LIST_NEXT(hevent, ev_link); event != NULL; event = ISC_LIST_NEXT(event, ev_link)) { name = dns_fixedname_name(&event->foundname); result = dns_name_copy(hname, name, NULL); if (result != ISC_R_SUCCESS) event->result = result; else event->result = hevent->result; dns_db_attach(hevent->db, &event->db); dns_db_attachnode(hevent->db, hevent->node, &event->node); INSIST(hevent->rdataset != NULL); INSIST(event->rdataset != NULL); if (dns_rdataset_isassociated(hevent->rdataset)) dns_rdataset_clone(hevent->rdataset, event->rdataset); INSIST(! (hevent->sigrdataset == NULL && event->sigrdataset != NULL)); if (hevent->sigrdataset != NULL && dns_rdataset_isassociated(hevent->sigrdataset) && event->sigrdataset != NULL) dns_rdataset_clone(hevent->sigrdataset, event->sigrdataset); } } #define CACHE(r) (((r)->attributes & DNS_RDATASETATTR_CACHE) != 0) #define ANSWER(r) (((r)->attributes & DNS_RDATASETATTR_ANSWER) != 0) #define ANSWERSIG(r) (((r)->attributes & DNS_RDATASETATTR_ANSWERSIG) != 0) #define EXTERNAL(r) (((r)->attributes & DNS_RDATASETATTR_EXTERNAL) != 0) #define CHAINING(r) (((r)->attributes & DNS_RDATASETATTR_CHAINING) != 0) #define CHASE(r) (((r)->attributes & DNS_RDATASETATTR_CHASE) != 0) #define CHECKNAMES(r) (((r)->attributes & DNS_RDATASETATTR_CHECKNAMES) != 0) /* * Destroy '*fctx' if it is ready to be destroyed (i.e., if it has * no references and is no longer waiting for any events). If this * was the last fctx in the resolver, destroy the resolver. * * Requires: * '*fctx' is shutting down. */ static void maybe_destroy(fetchctx_t *fctx) { unsigned int bucketnum; isc_boolean_t bucket_empty = ISC_FALSE; dns_resolver_t *res = fctx->res; dns_validator_t *validator, *next_validator; REQUIRE(SHUTTINGDOWN(fctx)); if (fctx->pending != 0 || fctx->nqueries != 0) return; for (validator = ISC_LIST_HEAD(fctx->validators); validator != NULL; validator = next_validator) { next_validator = ISC_LIST_NEXT(validator, link); dns_validator_cancel(validator); /* * If this is a active validator wait for the cancel * to complete before calling dns_validator_destroy(). */ if (validator == fctx->validator) continue; ISC_LIST_UNLINK(fctx->validators, validator, link); dns_validator_destroy(&validator); } bucketnum = fctx->bucketnum; LOCK(&res->buckets[bucketnum].lock); if (fctx->references == 0 && ISC_LIST_EMPTY(fctx->validators)) bucket_empty = fctx_destroy(fctx); UNLOCK(&res->buckets[bucketnum].lock); if (bucket_empty) empty_bucket(res); } /* * The validator has finished. */ static void validated(isc_task_t *task, isc_event_t *event) { isc_result_t result = ISC_R_SUCCESS; isc_result_t eresult = ISC_R_SUCCESS; isc_stdtime_t now; fetchctx_t *fctx; dns_validatorevent_t *vevent; dns_fetchevent_t *hevent; dns_rdataset_t *ardataset = NULL; dns_rdataset_t *asigrdataset = NULL; dns_dbnode_t *node = NULL; isc_boolean_t negative; isc_boolean_t chaining; isc_boolean_t sentresponse; isc_uint32_t ttl; dns_dbnode_t *nsnode = NULL; dns_name_t *name; dns_rdataset_t *rdataset; dns_rdataset_t *sigrdataset; dns_valarg_t *valarg; dns_adbaddrinfo_t *addrinfo; UNUSED(task); /* for now */ REQUIRE(event->ev_type == DNS_EVENT_VALIDATORDONE); valarg = event->ev_arg; fctx = valarg->fctx; addrinfo = valarg->addrinfo; REQUIRE(VALID_FCTX(fctx)); REQUIRE(!ISC_LIST_EMPTY(fctx->validators)); vevent = (dns_validatorevent_t *)event; FCTXTRACE("received validation completion event"); ISC_LIST_UNLINK(fctx->validators, vevent->validator, link); fctx->validator = NULL; /* * Destroy the validator early so that we can * destroy the fctx if necessary. */ dns_validator_destroy(&vevent->validator); isc_mem_put(fctx->res->buckets[fctx->bucketnum].mctx, valarg, sizeof(*valarg)); negative = ISC_TF(vevent->rdataset == NULL); sentresponse = ISC_TF((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0); /* * If shutting down, ignore the results. Check to see if we're * done waiting for validator completions and ADB pending events; if * so, destroy the fctx. */ if (SHUTTINGDOWN(fctx) && !sentresponse) { maybe_destroy(fctx); /* Locks bucket. */ goto cleanup_event; } LOCK(&fctx->res->buckets[fctx->bucketnum].lock); + isc_stdtime_get(&now); + /* * If chaining, we need to make sure that the right result code is * returned, and that the rdatasets are bound. */ if (vevent->result == ISC_R_SUCCESS && !negative && vevent->rdataset != NULL && CHAINING(vevent->rdataset)) { if (vevent->rdataset->type == dns_rdatatype_cname) eresult = DNS_R_CNAME; else { INSIST(vevent->rdataset->type == dns_rdatatype_dname); eresult = DNS_R_DNAME; } chaining = ISC_TRUE; } else chaining = ISC_FALSE; /* * Either we're not shutting down, or we are shutting down but want * to cache the result anyway (if this was a validation started by * a query with cd set) */ hevent = ISC_LIST_HEAD(fctx->events); if (hevent != NULL) { if (!negative && !chaining && (fctx->type == dns_rdatatype_any || fctx->type == dns_rdatatype_rrsig || fctx->type == dns_rdatatype_sig)) { /* * Don't bind rdatasets; the caller * will iterate the node. */ } else { ardataset = hevent->rdataset; asigrdataset = hevent->sigrdataset; } } if (vevent->result != ISC_R_SUCCESS) { FCTXTRACE("validation failed"); inc_stats(fctx->res, dns_resstatscounter_valfail); fctx->valfail++; fctx->vresult = vevent->result; - result = ISC_R_NOTFOUND; - if (vevent->rdataset != NULL) - result = dns_db_findnode(fctx->cache, vevent->name, - ISC_TRUE, &node); - if (result == ISC_R_SUCCESS) - (void)dns_db_deleterdataset(fctx->cache, node, NULL, - vevent->type, 0); - if (result == ISC_R_SUCCESS && vevent->sigrdataset != NULL) - (void)dns_db_deleterdataset(fctx->cache, node, NULL, - dns_rdatatype_rrsig, - vevent->type); - if (result == ISC_R_SUCCESS) - dns_db_detachnode(fctx->cache, &node); - result = vevent->result; + if (fctx->vresult != DNS_R_BROKENCHAIN) { + result = ISC_R_NOTFOUND; + if (vevent->rdataset != NULL) + result = dns_db_findnode(fctx->cache, + vevent->name, + ISC_TRUE, &node); + if (result == ISC_R_SUCCESS) + (void)dns_db_deleterdataset(fctx->cache, node, + NULL, + vevent->type, 0); + if (result == ISC_R_SUCCESS && + vevent->sigrdataset != NULL) + (void)dns_db_deleterdataset(fctx->cache, node, + NULL, + dns_rdatatype_rrsig, + vevent->type); + if (result == ISC_R_SUCCESS) + dns_db_detachnode(fctx->cache, &node); + } + if (fctx->vresult == DNS_R_BROKENCHAIN && !negative) { + /* + * Cache the data as pending for later validation. + */ + result = ISC_R_NOTFOUND; + if (vevent->rdataset != NULL) + result = dns_db_findnode(fctx->cache, + vevent->name, + ISC_TRUE, &node); + if (result == ISC_R_SUCCESS) { + (void)dns_db_addrdataset(fctx->cache, node, + NULL, now, + vevent->rdataset, 0, + NULL); + } + if (result == ISC_R_SUCCESS && + vevent->sigrdataset != NULL) + (void)dns_db_addrdataset(fctx->cache, node, + NULL, now, + vevent->sigrdataset, + 0, NULL); + if (result == ISC_R_SUCCESS) + dns_db_detachnode(fctx->cache, &node); + } + result = fctx->vresult; add_bad(fctx, addrinfo, result, badns_validation); isc_event_free(&event); UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock); INSIST(fctx->validator == NULL); fctx->validator = ISC_LIST_HEAD(fctx->validators); - if (fctx->validator != NULL) { + if (fctx->validator != NULL) dns_validator_send(fctx->validator); - } else if (sentresponse) + else if (sentresponse) fctx_done(fctx, result, __LINE__); /* Locks bucket. */ - else - fctx_try(fctx, ISC_TRUE); /* Locks bucket. */ + else if (result == DNS_R_BROKENCHAIN) { + isc_result_t tresult; + isc_time_t expire; + isc_interval_t i; + + isc_interval_set(&i, DNS_BADCACHE_TTL(fctx), 0); + tresult = isc_time_nowplusinterval(&expire, &i); + if (negative && + (fctx->type == dns_rdatatype_dnskey || + fctx->type == dns_rdatatype_dlv || + fctx->type == dns_rdatatype_ds) && + tresult == ISC_R_SUCCESS) + dns_resolver_addbadcache(fctx->res, + &fctx->name, + fctx->type, &expire); + fctx_done(fctx, result, __LINE__); /* Locks bucket. */ + } else + fctx_try(fctx, ISC_TRUE, ISC_TRUE); /* Locks bucket. */ return; } - isc_stdtime_get(&now); if (negative) { dns_rdatatype_t covers; FCTXTRACE("nonexistence validation OK"); inc_stats(fctx->res, dns_resstatscounter_valnegsuccess); if (fctx->rmessage->rcode == dns_rcode_nxdomain) covers = dns_rdatatype_any; else covers = fctx->type; result = dns_db_findnode(fctx->cache, vevent->name, ISC_TRUE, &node); if (result != ISC_R_SUCCESS) goto noanswer_response; /* * If we are asking for a SOA record set the cache time * to zero to facilitate locating the containing zone of * a arbitrary zone. */ ttl = fctx->res->view->maxncachettl; if (fctx->type == dns_rdatatype_soa && covers == dns_rdatatype_any && fctx->res->zero_no_soa_ttl) ttl = 0; result = ncache_adderesult(fctx->rmessage, fctx->cache, node, covers, now, ttl, vevent->optout, ardataset, &eresult); if (result != ISC_R_SUCCESS) goto noanswer_response; goto answer_response; } else inc_stats(fctx->res, dns_resstatscounter_valsuccess); FCTXTRACE("validation OK"); if (vevent->proofs[DNS_VALIDATOR_NOQNAMEPROOF] != NULL) { result = dns_rdataset_addnoqname(vevent->rdataset, vevent->proofs[DNS_VALIDATOR_NOQNAMEPROOF]); RUNTIME_CHECK(result == ISC_R_SUCCESS); INSIST(vevent->sigrdataset != NULL); vevent->sigrdataset->ttl = vevent->rdataset->ttl; if (vevent->proofs[DNS_VALIDATOR_CLOSESTENCLOSER] != NULL) { result = dns_rdataset_addclosest(vevent->rdataset, vevent->proofs[DNS_VALIDATOR_CLOSESTENCLOSER]); RUNTIME_CHECK(result == ISC_R_SUCCESS); } } /* * The data was already cached as pending data. * Re-cache it as secure and bind the cached * rdatasets to the first event on the fetch * event list. */ result = dns_db_findnode(fctx->cache, vevent->name, ISC_TRUE, &node); if (result != ISC_R_SUCCESS) goto noanswer_response; result = dns_db_addrdataset(fctx->cache, node, NULL, now, vevent->rdataset, 0, ardataset); if (result != ISC_R_SUCCESS && result != DNS_R_UNCHANGED) goto noanswer_response; if (ardataset != NULL && ardataset->type == 0) { if (NXDOMAIN(ardataset)) eresult = DNS_R_NCACHENXDOMAIN; else eresult = DNS_R_NCACHENXRRSET; } else if (vevent->sigrdataset != NULL) { result = dns_db_addrdataset(fctx->cache, node, NULL, now, vevent->sigrdataset, 0, asigrdataset); if (result != ISC_R_SUCCESS && result != DNS_R_UNCHANGED) goto noanswer_response; } if (sentresponse) { /* * If we only deferred the destroy because we wanted to cache * the data, destroy now. */ dns_db_detachnode(fctx->cache, &node); UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock); if (SHUTTINGDOWN(fctx)) maybe_destroy(fctx); /* Locks bucket. */ goto cleanup_event; } if (!ISC_LIST_EMPTY(fctx->validators)) { INSIST(!negative); INSIST(fctx->type == dns_rdatatype_any || fctx->type == dns_rdatatype_rrsig || fctx->type == dns_rdatatype_sig); /* * Don't send a response yet - we have * more rdatasets that still need to * be validated. */ dns_db_detachnode(fctx->cache, &node); UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock); dns_validator_send(ISC_LIST_HEAD(fctx->validators)); goto cleanup_event; } answer_response: /* * Cache any NS/NSEC records that happened to be validated. */ result = dns_message_firstname(fctx->rmessage, DNS_SECTION_AUTHORITY); while (result == ISC_R_SUCCESS) { name = NULL; dns_message_currentname(fctx->rmessage, DNS_SECTION_AUTHORITY, &name); for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { if ((rdataset->type != dns_rdatatype_ns && rdataset->type != dns_rdatatype_nsec) || rdataset->trust != dns_trust_secure) continue; for (sigrdataset = ISC_LIST_HEAD(name->list); sigrdataset != NULL; sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) { if (sigrdataset->type != dns_rdatatype_rrsig || sigrdataset->covers != rdataset->type) continue; break; } if (sigrdataset == NULL || sigrdataset->trust != dns_trust_secure) continue; result = dns_db_findnode(fctx->cache, name, ISC_TRUE, &nsnode); if (result != ISC_R_SUCCESS) continue; result = dns_db_addrdataset(fctx->cache, nsnode, NULL, now, rdataset, 0, NULL); if (result == ISC_R_SUCCESS) result = dns_db_addrdataset(fctx->cache, nsnode, NULL, now, sigrdataset, 0, NULL); dns_db_detachnode(fctx->cache, &nsnode); } result = dns_message_nextname(fctx->rmessage, DNS_SECTION_AUTHORITY); } result = ISC_R_SUCCESS; /* * Respond with an answer, positive or negative, * as opposed to an error. 'node' must be non-NULL. */ fctx->attributes |= FCTX_ATTR_HAVEANSWER; if (hevent != NULL) { hevent->result = eresult; RUNTIME_CHECK(dns_name_copy(vevent->name, dns_fixedname_name(&hevent->foundname), NULL) == ISC_R_SUCCESS); dns_db_attach(fctx->cache, &hevent->db); dns_db_transfernode(fctx->cache, &node, &hevent->node); clone_results(fctx); } noanswer_response: if (node != NULL) dns_db_detachnode(fctx->cache, &node); UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock); fctx_done(fctx, result, __LINE__); /* Locks bucket. */ cleanup_event: INSIST(node == NULL); isc_event_free(&event); } static inline isc_result_t cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo, isc_stdtime_t now) { dns_rdataset_t *rdataset, *sigrdataset; dns_rdataset_t *addedrdataset, *ardataset, *asigrdataset; dns_rdataset_t *valrdataset = NULL, *valsigrdataset = NULL; dns_dbnode_t *node, **anodep; dns_db_t **adbp; dns_name_t *aname; dns_resolver_t *res; isc_boolean_t need_validation, secure_domain, have_answer; isc_result_t result, eresult; dns_fetchevent_t *event; unsigned int options; isc_task_t *task; isc_boolean_t fail; unsigned int valoptions = 0; /* * The appropriate bucket lock must be held. */ res = fctx->res; need_validation = ISC_FALSE; secure_domain = ISC_FALSE; have_answer = ISC_FALSE; eresult = ISC_R_SUCCESS; task = res->buckets[fctx->bucketnum].task; /* * Is DNSSEC validation required for this name? */ if (res->view->enablevalidation) { result = dns_keytable_issecuredomain(res->view->secroots, name, &secure_domain); if (result != ISC_R_SUCCESS) return (result); if (!secure_domain && res->view->dlv != NULL) { valoptions = DNS_VALIDATOR_DLV; secure_domain = ISC_TRUE; } } if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0) need_validation = ISC_FALSE; else need_validation = secure_domain; adbp = NULL; aname = NULL; anodep = NULL; ardataset = NULL; asigrdataset = NULL; event = NULL; if ((name->attributes & DNS_NAMEATTR_ANSWER) != 0 && !need_validation) { have_answer = ISC_TRUE; event = ISC_LIST_HEAD(fctx->events); if (event != NULL) { adbp = &event->db; aname = dns_fixedname_name(&event->foundname); result = dns_name_copy(name, aname, NULL); if (result != ISC_R_SUCCESS) return (result); anodep = &event->node; /* * If this is an ANY, SIG or RRSIG query, we're not * going to return any rdatasets, unless we encountered * a CNAME or DNAME as "the answer". In this case, * we're going to return DNS_R_CNAME or DNS_R_DNAME * and we must set up the rdatasets. */ if ((fctx->type != dns_rdatatype_any && fctx->type != dns_rdatatype_rrsig && fctx->type != dns_rdatatype_sig) || (name->attributes & DNS_NAMEATTR_CHAINING) != 0) { ardataset = event->rdataset; asigrdataset = event->sigrdataset; } } } /* * Find or create the cache node. */ node = NULL; result = dns_db_findnode(fctx->cache, name, ISC_TRUE, &node); if (result != ISC_R_SUCCESS) return (result); /* * Cache or validate each cacheable rdataset. */ fail = ISC_TF((fctx->res->options & DNS_RESOLVER_CHECKNAMESFAIL) != 0); for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { if (!CACHE(rdataset)) continue; if (CHECKNAMES(rdataset)) { char namebuf[DNS_NAME_FORMATSIZE]; char typebuf[DNS_RDATATYPE_FORMATSIZE]; char classbuf[DNS_RDATATYPE_FORMATSIZE]; dns_name_format(name, namebuf, sizeof(namebuf)); dns_rdatatype_format(rdataset->type, typebuf, sizeof(typebuf)); dns_rdataclass_format(rdataset->rdclass, classbuf, sizeof(classbuf)); isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE, "check-names %s %s/%s/%s", fail ? "failure" : "warning", namebuf, typebuf, classbuf); if (fail) { if (ANSWER(rdataset)) { dns_db_detachnode(fctx->cache, &node); return (DNS_R_BADNAME); } continue; } } /* * Enforce the configure maximum cache TTL. */ if (rdataset->ttl > res->view->maxcachettl) rdataset->ttl = res->view->maxcachettl; /* * If this RRset is in a secure domain, is in bailiwick, * and is not glue, attempt DNSSEC validation. (We do not * attempt to validate glue or out-of-bailiwick data--even * though there might be some performance benefit to doing * so--because it makes it simpler and safer to ensure that * records from a secure domain are only cached if validated * within the context of a query to the domain that owns * them.) */ if (secure_domain && rdataset->trust != dns_trust_glue && !EXTERNAL(rdataset)) { dns_trust_t trust; /* * RRSIGs are validated as part of validating the * type they cover. */ if (rdataset->type == dns_rdatatype_rrsig) continue; /* * Find the SIG for this rdataset, if we have it. */ for (sigrdataset = ISC_LIST_HEAD(name->list); sigrdataset != NULL; sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) { if (sigrdataset->type == dns_rdatatype_rrsig && sigrdataset->covers == rdataset->type) break; } if (sigrdataset == NULL) { if (!ANSWER(rdataset) && need_validation) { /* * Ignore non-answer rdatasets that * are missing signatures. */ continue; } } /* * Normalize the rdataset and sigrdataset TTLs. */ if (sigrdataset != NULL) { rdataset->ttl = ISC_MIN(rdataset->ttl, sigrdataset->ttl); sigrdataset->ttl = rdataset->ttl; } /* * Cache this rdataset/sigrdataset pair as * pending data. Track whether it was additional * or not. */ if (rdataset->trust == dns_trust_additional) trust = dns_trust_pending_additional; else trust = dns_trust_pending_answer; rdataset->trust = trust; if (sigrdataset != NULL) sigrdataset->trust = trust; if (!need_validation || !ANSWER(rdataset)) { addedrdataset = ardataset; result = dns_db_addrdataset(fctx->cache, node, NULL, now, rdataset, 0, addedrdataset); if (result == DNS_R_UNCHANGED) { result = ISC_R_SUCCESS; if (!need_validation && ardataset != NULL && ardataset->type == 0) { /* * The answer in the cache is * better than the answer we * found, and is a negative * cache entry, so we must set * eresult appropriately. */ if (NXDOMAIN(ardataset)) eresult = DNS_R_NCACHENXDOMAIN; else eresult = DNS_R_NCACHENXRRSET; /* * We have a negative response * from the cache so don't * attempt to add the RRSIG * rrset. */ continue; } } if (result != ISC_R_SUCCESS) break; if (sigrdataset != NULL) { addedrdataset = asigrdataset; result = dns_db_addrdataset(fctx->cache, node, NULL, now, sigrdataset, 0, addedrdataset); if (result == DNS_R_UNCHANGED) result = ISC_R_SUCCESS; if (result != ISC_R_SUCCESS) break; } else if (!ANSWER(rdataset)) continue; } if (ANSWER(rdataset) && need_validation) { if (fctx->type != dns_rdatatype_any && fctx->type != dns_rdatatype_rrsig && fctx->type != dns_rdatatype_sig) { /* * This is The Answer. We will * validate it, but first we cache * the rest of the response - it may * contain useful keys. */ INSIST(valrdataset == NULL && valsigrdataset == NULL); valrdataset = rdataset; valsigrdataset = sigrdataset; } else { /* * This is one of (potentially) * multiple answers to an ANY * or SIG query. To keep things * simple, we just start the * validator right away rather * than caching first and * having to remember which * rdatasets needed validation. */ result = valcreate(fctx, addrinfo, name, rdataset->type, rdataset, sigrdataset, valoptions, task); /* * Defer any further validations. * This prevents multiple validators * from manipulating fctx->rmessage * simultaneously. */ valoptions |= DNS_VALIDATOR_DEFER; } } else if (CHAINING(rdataset)) { if (rdataset->type == dns_rdatatype_cname) eresult = DNS_R_CNAME; else { INSIST(rdataset->type == dns_rdatatype_dname); eresult = DNS_R_DNAME; } } } else if (!EXTERNAL(rdataset)) { /* * It's OK to cache this rdataset now. */ if (ANSWER(rdataset)) addedrdataset = ardataset; else if (ANSWERSIG(rdataset)) addedrdataset = asigrdataset; else addedrdataset = NULL; if (CHAINING(rdataset)) { if (rdataset->type == dns_rdatatype_cname) eresult = DNS_R_CNAME; else { INSIST(rdataset->type == dns_rdatatype_dname); eresult = DNS_R_DNAME; } } if (rdataset->trust == dns_trust_glue && (rdataset->type == dns_rdatatype_ns || (rdataset->type == dns_rdatatype_rrsig && rdataset->covers == dns_rdatatype_ns))) { /* * If the trust level is 'dns_trust_glue' * then we are adding data from a referral * we got while executing the search algorithm. * New referral data always takes precedence * over the existing cache contents. */ options = DNS_DBADD_FORCE; } else options = 0; /* * Now we can add the rdataset. */ result = dns_db_addrdataset(fctx->cache, node, NULL, now, rdataset, options, addedrdataset); if (result == DNS_R_UNCHANGED) { if (ANSWER(rdataset) && ardataset != NULL && ardataset->type == 0) { /* * The answer in the cache is better * than the answer we found, and is * a negative cache entry, so we * must set eresult appropriately. */ if (NXDOMAIN(ardataset)) eresult = DNS_R_NCACHENXDOMAIN; else eresult = DNS_R_NCACHENXRRSET; } result = ISC_R_SUCCESS; } else if (result != ISC_R_SUCCESS) break; } } if (valrdataset != NULL) result = valcreate(fctx, addrinfo, name, fctx->type, valrdataset, valsigrdataset, valoptions, task); if (result == ISC_R_SUCCESS && have_answer) { fctx->attributes |= FCTX_ATTR_HAVEANSWER; if (event != NULL) { /* * Negative results must be indicated in event->result. */ if (dns_rdataset_isassociated(event->rdataset) && event->rdataset->type == dns_rdatatype_none) { INSIST(eresult == DNS_R_NCACHENXDOMAIN || eresult == DNS_R_NCACHENXRRSET); } event->result = eresult; dns_db_attach(fctx->cache, adbp); dns_db_transfernode(fctx->cache, &node, anodep); clone_results(fctx); } } if (node != NULL) dns_db_detachnode(fctx->cache, &node); return (result); } static inline isc_result_t cache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_stdtime_t now) { isc_result_t result; dns_section_t section; dns_name_t *name; FCTXTRACE("cache_message"); fctx->attributes &= ~FCTX_ATTR_WANTCACHE; LOCK(&fctx->res->buckets[fctx->bucketnum].lock); for (section = DNS_SECTION_ANSWER; section <= DNS_SECTION_ADDITIONAL; section++) { result = dns_message_firstname(fctx->rmessage, section); while (result == ISC_R_SUCCESS) { name = NULL; dns_message_currentname(fctx->rmessage, section, &name); if ((name->attributes & DNS_NAMEATTR_CACHE) != 0) { result = cache_name(fctx, name, addrinfo, now); if (result != ISC_R_SUCCESS) break; } result = dns_message_nextname(fctx->rmessage, section); } if (result != ISC_R_NOMORE) break; } if (result == ISC_R_NOMORE) result = ISC_R_SUCCESS; UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock); return (result); } /* * Do what dns_ncache_addoptout() does, and then compute an appropriate eresult. */ static isc_result_t ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node, dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl, isc_boolean_t optout, dns_rdataset_t *ardataset, isc_result_t *eresultp) { isc_result_t result; dns_rdataset_t rdataset; if (ardataset == NULL) { dns_rdataset_init(&rdataset); ardataset = &rdataset; } result = dns_ncache_addoptout(message, cache, node, covers, now, maxttl, optout, ardataset); if (result == DNS_R_UNCHANGED || result == ISC_R_SUCCESS) { /* * If the cache now contains a negative entry and we * care about whether it is DNS_R_NCACHENXDOMAIN or * DNS_R_NCACHENXRRSET then extract it. */ if (ardataset->type == 0) { /* * The cache data is a negative cache entry. */ if (NXDOMAIN(ardataset)) *eresultp = DNS_R_NCACHENXDOMAIN; else *eresultp = DNS_R_NCACHENXRRSET; } else { /* * Either we don't care about the nature of the * cache rdataset (because no fetch is interested * in the outcome), or the cache rdataset is not * a negative cache entry. Whichever case it is, * we can return success. * * XXXRTH There's a CNAME/DNAME problem here. */ *eresultp = ISC_R_SUCCESS; } result = ISC_R_SUCCESS; } if (ardataset == &rdataset && dns_rdataset_isassociated(ardataset)) dns_rdataset_disassociate(ardataset); return (result); } static inline isc_result_t ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_rdatatype_t covers, isc_stdtime_t now) { isc_result_t result, eresult; dns_name_t *name; dns_resolver_t *res; dns_db_t **adbp; dns_dbnode_t *node, **anodep; dns_rdataset_t *ardataset; isc_boolean_t need_validation, secure_domain; dns_name_t *aname; dns_fetchevent_t *event; isc_uint32_t ttl; unsigned int valoptions = 0; FCTXTRACE("ncache_message"); fctx->attributes &= ~FCTX_ATTR_WANTNCACHE; res = fctx->res; need_validation = ISC_FALSE; secure_domain = ISC_FALSE; eresult = ISC_R_SUCCESS; name = &fctx->name; node = NULL; /* * XXXMPA remove when we follow cnames and adjust the setting * of FCTX_ATTR_WANTNCACHE in noanswer_response(). */ INSIST(fctx->rmessage->counts[DNS_SECTION_ANSWER] == 0); /* * Is DNSSEC validation required for this name? */ if (fctx->res->view->enablevalidation) { result = dns_keytable_issecuredomain(res->view->secroots, name, &secure_domain); if (result != ISC_R_SUCCESS) return (result); if (!secure_domain && res->view->dlv != NULL) { valoptions = DNS_VALIDATOR_DLV; secure_domain = ISC_TRUE; } } if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0) need_validation = ISC_FALSE; else need_validation = secure_domain; if (secure_domain) { /* * Mark all rdatasets as pending. */ dns_rdataset_t *trdataset; dns_name_t *tname; result = dns_message_firstname(fctx->rmessage, DNS_SECTION_AUTHORITY); while (result == ISC_R_SUCCESS) { tname = NULL; dns_message_currentname(fctx->rmessage, DNS_SECTION_AUTHORITY, &tname); for (trdataset = ISC_LIST_HEAD(tname->list); trdataset != NULL; trdataset = ISC_LIST_NEXT(trdataset, link)) trdataset->trust = dns_trust_pending_answer; result = dns_message_nextname(fctx->rmessage, DNS_SECTION_AUTHORITY); } if (result != ISC_R_NOMORE) return (result); } if (need_validation) { /* * Do negative response validation. */ result = valcreate(fctx, addrinfo, name, fctx->type, NULL, NULL, valoptions, res->buckets[fctx->bucketnum].task); /* * If validation is necessary, return now. Otherwise continue * to process the message, letting the validation complete * in its own good time. */ return (result); } LOCK(&res->buckets[fctx->bucketnum].lock); adbp = NULL; aname = NULL; anodep = NULL; ardataset = NULL; if (!HAVE_ANSWER(fctx)) { event = ISC_LIST_HEAD(fctx->events); if (event != NULL) { adbp = &event->db; aname = dns_fixedname_name(&event->foundname); result = dns_name_copy(name, aname, NULL); if (result != ISC_R_SUCCESS) goto unlock; anodep = &event->node; ardataset = event->rdataset; } } else event = NULL; result = dns_db_findnode(fctx->cache, name, ISC_TRUE, &node); if (result != ISC_R_SUCCESS) goto unlock; /* * If we are asking for a SOA record set the cache time * to zero to facilitate locating the containing zone of * a arbitrary zone. */ ttl = fctx->res->view->maxncachettl; if (fctx->type == dns_rdatatype_soa && covers == dns_rdatatype_any && fctx->res->zero_no_soa_ttl) ttl = 0; result = ncache_adderesult(fctx->rmessage, fctx->cache, node, covers, now, ttl, ISC_FALSE, ardataset, &eresult); if (result != ISC_R_SUCCESS) goto unlock; if (!HAVE_ANSWER(fctx)) { fctx->attributes |= FCTX_ATTR_HAVEANSWER; if (event != NULL) { event->result = eresult; dns_db_attach(fctx->cache, adbp); dns_db_transfernode(fctx->cache, &node, anodep); clone_results(fctx); } } unlock: UNLOCK(&res->buckets[fctx->bucketnum].lock); if (node != NULL) dns_db_detachnode(fctx->cache, &node); return (result); } static inline void mark_related(dns_name_t *name, dns_rdataset_t *rdataset, isc_boolean_t external, isc_boolean_t gluing) { name->attributes |= DNS_NAMEATTR_CACHE; if (gluing) { rdataset->trust = dns_trust_glue; /* * Glue with 0 TTL causes problems. We force the TTL to * 1 second to prevent this. */ if (rdataset->ttl == 0) rdataset->ttl = 1; } else rdataset->trust = dns_trust_additional; /* * Avoid infinite loops by only marking new rdatasets. */ if (!CACHE(rdataset)) { name->attributes |= DNS_NAMEATTR_CHASE; rdataset->attributes |= DNS_RDATASETATTR_CHASE; } rdataset->attributes |= DNS_RDATASETATTR_CACHE; if (external) rdataset->attributes |= DNS_RDATASETATTR_EXTERNAL; } static isc_result_t check_related(void *arg, dns_name_t *addname, dns_rdatatype_t type) { fetchctx_t *fctx = arg; isc_result_t result; dns_name_t *name; dns_rdataset_t *rdataset; isc_boolean_t external; dns_rdatatype_t rtype; isc_boolean_t gluing; REQUIRE(VALID_FCTX(fctx)); if (GLUING(fctx)) gluing = ISC_TRUE; else gluing = ISC_FALSE; name = NULL; rdataset = NULL; result = dns_message_findname(fctx->rmessage, DNS_SECTION_ADDITIONAL, addname, dns_rdatatype_any, 0, &name, NULL); if (result == ISC_R_SUCCESS) { external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); if (type == dns_rdatatype_a) { for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { if (rdataset->type == dns_rdatatype_rrsig) rtype = rdataset->covers; else rtype = rdataset->type; if (rtype == dns_rdatatype_a || rtype == dns_rdatatype_aaaa) mark_related(name, rdataset, external, gluing); } } else { result = dns_message_findtype(name, type, 0, &rdataset); if (result == ISC_R_SUCCESS) { mark_related(name, rdataset, external, gluing); /* * Do we have its SIG too? */ rdataset = NULL; result = dns_message_findtype(name, dns_rdatatype_rrsig, type, &rdataset); if (result == ISC_R_SUCCESS) mark_related(name, rdataset, external, gluing); } } } return (ISC_R_SUCCESS); } static void chase_additional(fetchctx_t *fctx) { isc_boolean_t rescan; dns_section_t section = DNS_SECTION_ADDITIONAL; isc_result_t result; again: rescan = ISC_FALSE; for (result = dns_message_firstname(fctx->rmessage, section); result == ISC_R_SUCCESS; result = dns_message_nextname(fctx->rmessage, section)) { dns_name_t *name = NULL; dns_rdataset_t *rdataset; dns_message_currentname(fctx->rmessage, DNS_SECTION_ADDITIONAL, &name); if ((name->attributes & DNS_NAMEATTR_CHASE) == 0) continue; name->attributes &= ~DNS_NAMEATTR_CHASE; for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { if (CHASE(rdataset)) { rdataset->attributes &= ~DNS_RDATASETATTR_CHASE; (void)dns_rdataset_additionaldata(rdataset, check_related, fctx); rescan = ISC_TRUE; } } } if (rescan) goto again; } static inline isc_result_t cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) { isc_result_t result; dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdata_cname_t cname; result = dns_rdataset_first(rdataset); if (result != ISC_R_SUCCESS) return (result); dns_rdataset_current(rdataset, &rdata); result = dns_rdata_tostruct(&rdata, &cname, NULL); if (result != ISC_R_SUCCESS) return (result); dns_name_init(tname, NULL); dns_name_clone(&cname.cname, tname); dns_rdata_freestruct(&cname); return (ISC_R_SUCCESS); } static inline isc_result_t dname_target(dns_rdataset_t *rdataset, dns_name_t *qname, dns_name_t *oname, dns_fixedname_t *fixeddname) { isc_result_t result; dns_rdata_t rdata = DNS_RDATA_INIT; unsigned int nlabels; int order; dns_namereln_t namereln; dns_rdata_dname_t dname; dns_fixedname_t prefix; /* * Get the target name of the DNAME. */ result = dns_rdataset_first(rdataset); if (result != ISC_R_SUCCESS) return (result); dns_rdataset_current(rdataset, &rdata); result = dns_rdata_tostruct(&rdata, &dname, NULL); if (result != ISC_R_SUCCESS) return (result); /* * Get the prefix of qname. */ namereln = dns_name_fullcompare(qname, oname, &order, &nlabels); if (namereln != dns_namereln_subdomain) { dns_rdata_freestruct(&dname); return (DNS_R_FORMERR); } dns_fixedname_init(&prefix); dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL); dns_fixedname_init(fixeddname); result = dns_name_concatenate(dns_fixedname_name(&prefix), &dname.dname, dns_fixedname_name(fixeddname), NULL); dns_rdata_freestruct(&dname); return (result); } /* * Handle a no-answer response (NXDOMAIN, NXRRSET, or referral). * If bind8_ns_resp is ISC_TRUE, this is a suspected BIND 8 * response to an NS query that should be treated as a referral * even though the NS records occur in the answer section * rather than the authority section. */ static isc_result_t noanswer_response(fetchctx_t *fctx, dns_name_t *oqname, isc_boolean_t bind8_ns_resp) { isc_result_t result; dns_message_t *message; dns_name_t *name, *qname, *ns_name, *soa_name, *ds_name; dns_rdataset_t *rdataset, *ns_rdataset; isc_boolean_t aa, negative_response; dns_rdatatype_t type; dns_section_t section = bind8_ns_resp ? DNS_SECTION_ANSWER : DNS_SECTION_AUTHORITY; FCTXTRACE("noanswer_response"); message = fctx->rmessage; /* * Setup qname. */ if (oqname == NULL) { /* * We have a normal, non-chained negative response or * referral. */ if ((message->flags & DNS_MESSAGEFLAG_AA) != 0) aa = ISC_TRUE; else aa = ISC_FALSE; qname = &fctx->name; } else { /* * We're being invoked by answer_response() after it has * followed a CNAME/DNAME chain. */ qname = oqname; aa = ISC_FALSE; /* * If the current qname is not a subdomain of the query * domain, there's no point in looking at the authority * section without doing DNSSEC validation. * * Until we do that validation, we'll just return success * in this case. */ if (!dns_name_issubdomain(qname, &fctx->domain)) return (ISC_R_SUCCESS); } /* * We have to figure out if this is a negative response, or a * referral. */ /* * Sometimes we can tell if its a negative response by looking at * the message header. */ negative_response = ISC_FALSE; if (message->rcode == dns_rcode_nxdomain || (message->counts[DNS_SECTION_ANSWER] == 0 && message->counts[DNS_SECTION_AUTHORITY] == 0)) negative_response = ISC_TRUE; /* * Process the authority section. */ ns_name = NULL; ns_rdataset = NULL; soa_name = NULL; ds_name = NULL; result = dns_message_firstname(message, section); while (result == ISC_R_SUCCESS) { name = NULL; dns_message_currentname(message, section, &name); if (dns_name_issubdomain(name, &fctx->domain)) { /* * Look for NS/SOA RRsets first. */ for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { type = rdataset->type; if (type == dns_rdatatype_rrsig) type = rdataset->covers; if (((type == dns_rdatatype_ns || type == dns_rdatatype_soa) && !dns_name_issubdomain(qname, name))) return (DNS_R_FORMERR); if (type == dns_rdatatype_ns) { /* * NS or RRSIG NS. * * Only one set of NS RRs is allowed. */ if (rdataset->type == dns_rdatatype_ns) { if (ns_name != NULL && name != ns_name) return (DNS_R_FORMERR); ns_name = name; ns_rdataset = rdataset; } name->attributes |= DNS_NAMEATTR_CACHE; rdataset->attributes |= DNS_RDATASETATTR_CACHE; rdataset->trust = dns_trust_glue; } if (type == dns_rdatatype_soa) { /* * SOA, or RRSIG SOA. * * Only one SOA is allowed. */ if (rdataset->type == dns_rdatatype_soa) { if (soa_name != NULL && name != soa_name) return (DNS_R_FORMERR); soa_name = name; } name->attributes |= DNS_NAMEATTR_NCACHE; rdataset->attributes |= DNS_RDATASETATTR_NCACHE; if (aa) rdataset->trust = dns_trust_authauthority; else rdataset->trust = dns_trust_additional; } } } result = dns_message_nextname(message, section); if (result == ISC_R_NOMORE) break; else if (result != ISC_R_SUCCESS) return (result); } /* * A negative response has a SOA record (Type 2) * and a optional NS RRset (Type 1) or it has neither * a SOA or a NS RRset (Type 3, handled above) or * rcode is NXDOMAIN (handled above) in which case * the NS RRset is allowed (Type 4). */ if (soa_name != NULL) negative_response = ISC_TRUE; result = dns_message_firstname(message, section); while (result == ISC_R_SUCCESS) { name = NULL; dns_message_currentname(message, section, &name); if (dns_name_issubdomain(name, &fctx->domain)) { for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { type = rdataset->type; if (type == dns_rdatatype_rrsig) type = rdataset->covers; if (type == dns_rdatatype_nsec || type == dns_rdatatype_nsec3) { /* * NSEC or RRSIG NSEC. */ if (negative_response) { name->attributes |= DNS_NAMEATTR_NCACHE; rdataset->attributes |= DNS_RDATASETATTR_NCACHE; } else if (type == dns_rdatatype_nsec) { name->attributes |= DNS_NAMEATTR_CACHE; rdataset->attributes |= DNS_RDATASETATTR_CACHE; } if (aa) rdataset->trust = dns_trust_authauthority; else rdataset->trust = dns_trust_additional; /* * No additional data needs to be * marked. */ } else if (type == dns_rdatatype_ds) { /* * DS or SIG DS. * * These should only be here if * this is a referral, and there * should only be one DS. */ if (ns_name == NULL) return (DNS_R_FORMERR); if (rdataset->type == dns_rdatatype_ds) { if (ds_name != NULL && name != ds_name) return (DNS_R_FORMERR); ds_name = name; } name->attributes |= DNS_NAMEATTR_CACHE; rdataset->attributes |= DNS_RDATASETATTR_CACHE; if (aa) rdataset->trust = dns_trust_authauthority; else rdataset->trust = dns_trust_additional; } } } result = dns_message_nextname(message, section); if (result == ISC_R_NOMORE) break; else if (result != ISC_R_SUCCESS) return (result); } /* * Trigger lookups for DNS nameservers. */ if (negative_response && message->rcode == dns_rcode_noerror && fctx->type == dns_rdatatype_ds && soa_name != NULL && dns_name_equal(soa_name, qname) && !dns_name_equal(qname, dns_rootname)) return (DNS_R_CHASEDSSERVERS); /* * Did we find anything? */ if (!negative_response && ns_name == NULL) { /* * Nope. */ if (oqname != NULL) { /* * We've already got a partial CNAME/DNAME chain, * and haven't found else anything useful here, but * no error has occurred since we have an answer. */ return (ISC_R_SUCCESS); } else { /* * The responder is insane. */ return (DNS_R_FORMERR); } } /* * If we found both NS and SOA, they should be the same name. */ if (ns_name != NULL && soa_name != NULL && ns_name != soa_name) return (DNS_R_FORMERR); /* * Do we have a referral? (We only want to follow a referral if * we're not following a chain.) */ if (!negative_response && ns_name != NULL && oqname == NULL) { /* * We already know ns_name is a subdomain of fctx->domain. * If ns_name is equal to fctx->domain, we're not making * progress. We return DNS_R_FORMERR so that we'll keep * trying other servers. */ if (dns_name_equal(ns_name, &fctx->domain)) return (DNS_R_FORMERR); /* * If the referral name is not a parent of the query * name, consider the responder insane. */ if (! dns_name_issubdomain(&fctx->name, ns_name)) { FCTXTRACE("referral to non-parent"); return (DNS_R_FORMERR); } /* * Mark any additional data related to this rdataset. * It's important that we do this before we change the * query domain. */ INSIST(ns_rdataset != NULL); fctx->attributes |= FCTX_ATTR_GLUING; (void)dns_rdataset_additionaldata(ns_rdataset, check_related, fctx); fctx->attributes &= ~FCTX_ATTR_GLUING; /* * NS rdatasets with 0 TTL cause problems. * dns_view_findzonecut() will not find them when we * try to follow the referral, and we'll SERVFAIL * because the best nameservers are now above QDOMAIN. * We force the TTL to 1 second to prevent this. */ if (ns_rdataset->ttl == 0) ns_rdataset->ttl = 1; /* * Set the current query domain to the referral name. * * XXXRTH We should check if we're in forward-only mode, and * if so we should bail out. */ INSIST(dns_name_countlabels(&fctx->domain) > 0); dns_name_free(&fctx->domain, fctx->res->buckets[fctx->bucketnum].mctx); if (dns_rdataset_isassociated(&fctx->nameservers)) dns_rdataset_disassociate(&fctx->nameservers); dns_name_init(&fctx->domain, NULL); result = dns_name_dup(ns_name, fctx->res->buckets[fctx->bucketnum].mctx, &fctx->domain); if (result != ISC_R_SUCCESS) return (result); fctx->attributes |= FCTX_ATTR_WANTCACHE; return (DNS_R_DELEGATION); } /* * Since we're not doing a referral, we don't want to cache any * NS RRs we may have found. */ if (ns_name != NULL) ns_name->attributes &= ~DNS_NAMEATTR_CACHE; if (negative_response && oqname == NULL) fctx->attributes |= FCTX_ATTR_WANTNCACHE; return (ISC_R_SUCCESS); } static isc_result_t answer_response(fetchctx_t *fctx) { isc_result_t result; dns_message_t *message; dns_name_t *name, *qname, tname; dns_rdataset_t *rdataset; isc_boolean_t done, external, chaining, aa, found, want_chaining; isc_boolean_t have_answer, found_cname, found_type, wanted_chaining; unsigned int aflag; dns_rdatatype_t type; dns_fixedname_t dname, fqname; FCTXTRACE("answer_response"); message = fctx->rmessage; /* * Examine the answer section, marking those rdatasets which are * part of the answer and should be cached. */ done = ISC_FALSE; found_cname = ISC_FALSE; found_type = ISC_FALSE; chaining = ISC_FALSE; have_answer = ISC_FALSE; want_chaining = ISC_FALSE; if ((message->flags & DNS_MESSAGEFLAG_AA) != 0) aa = ISC_TRUE; else aa = ISC_FALSE; qname = &fctx->name; type = fctx->type; result = dns_message_firstname(message, DNS_SECTION_ANSWER); while (!done && result == ISC_R_SUCCESS) { name = NULL; dns_message_currentname(message, DNS_SECTION_ANSWER, &name); external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); if (dns_name_equal(name, qname)) { wanted_chaining = ISC_FALSE; for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { found = ISC_FALSE; want_chaining = ISC_FALSE; aflag = 0; if (rdataset->type == dns_rdatatype_nsec3) { /* * NSEC3 records are not allowed to * appear in the answer section. */ return (DNS_R_FORMERR); } if (rdataset->type == type && !found_cname) { /* * We've found an ordinary answer. */ found = ISC_TRUE; found_type = ISC_TRUE; done = ISC_TRUE; aflag = DNS_RDATASETATTR_ANSWER; } else if (type == dns_rdatatype_any) { /* * We've found an answer matching * an ANY query. There may be * more. */ found = ISC_TRUE; aflag = DNS_RDATASETATTR_ANSWER; } else if (rdataset->type == dns_rdatatype_rrsig && rdataset->covers == type && !found_cname) { /* * We've found a signature that * covers the type we're looking for. */ found = ISC_TRUE; found_type = ISC_TRUE; aflag = DNS_RDATASETATTR_ANSWERSIG; } else if (rdataset->type == dns_rdatatype_cname && !found_type) { /* * We're looking for something else, * but we found a CNAME. * * Getting a CNAME response for some * query types is an error. */ if (type == dns_rdatatype_rrsig || type == dns_rdatatype_dnskey || type == dns_rdatatype_nsec) return (DNS_R_FORMERR); found = ISC_TRUE; found_cname = ISC_TRUE; want_chaining = ISC_TRUE; aflag = DNS_RDATASETATTR_ANSWER; result = cname_target(rdataset, &tname); if (result != ISC_R_SUCCESS) return (result); } else if (rdataset->type == dns_rdatatype_rrsig && rdataset->covers == dns_rdatatype_cname && !found_type) { /* * We're looking for something else, * but we found a SIG CNAME. */ found = ISC_TRUE; found_cname = ISC_TRUE; aflag = DNS_RDATASETATTR_ANSWERSIG; } if (found) { /* * We've found an answer to our * question. */ name->attributes |= DNS_NAMEATTR_CACHE; rdataset->attributes |= DNS_RDATASETATTR_CACHE; rdataset->trust = dns_trust_answer; if (!chaining) { /* * This data is "the" answer * to our question only if * we're not chaining (i.e. * if we haven't followed * a CNAME or DNAME). */ INSIST(!external); if (aflag == DNS_RDATASETATTR_ANSWER) have_answer = ISC_TRUE; name->attributes |= DNS_NAMEATTR_ANSWER; rdataset->attributes |= aflag; if (aa) rdataset->trust = dns_trust_authanswer; } else if (external) { /* * This data is outside of * our query domain, and * may not be cached. */ rdataset->attributes |= DNS_RDATASETATTR_EXTERNAL; } /* * Mark any additional data related * to this rdataset. */ (void)dns_rdataset_additionaldata( rdataset, check_related, fctx); /* * CNAME chaining. */ if (want_chaining) { wanted_chaining = ISC_TRUE; name->attributes |= DNS_NAMEATTR_CHAINING; rdataset->attributes |= DNS_RDATASETATTR_CHAINING; qname = &tname; } } /* * We could add an "else" clause here and * log that we're ignoring this rdataset. */ } /* * If wanted_chaining is true, we've done * some chaining as the result of processing * this node, and thus we need to set * chaining to true. * * We don't set chaining inside of the * rdataset loop because doing that would * cause us to ignore the signatures of * CNAMEs. */ if (wanted_chaining) chaining = ISC_TRUE; } else { /* * Look for a DNAME (or its SIG). Anything else is * ignored. */ wanted_chaining = ISC_FALSE; for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { isc_boolean_t found_dname = ISC_FALSE; found = ISC_FALSE; aflag = 0; if (rdataset->type == dns_rdatatype_dname) { /* * We're looking for something else, * but we found a DNAME. * * If we're not chaining, then the * DNAME should not be external. */ if (!chaining && external) return (DNS_R_FORMERR); found = ISC_TRUE; want_chaining = ISC_TRUE; aflag = DNS_RDATASETATTR_ANSWER; result = dname_target(rdataset, qname, name, &dname); if (result == ISC_R_NOSPACE) { /* * We can't construct the * DNAME target. Do not * try to continue. */ want_chaining = ISC_FALSE; } else if (result != ISC_R_SUCCESS) return (result); else found_dname = ISC_TRUE; } else if (rdataset->type == dns_rdatatype_rrsig && rdataset->covers == dns_rdatatype_dname) { /* * We've found a signature that * covers the DNAME. */ found = ISC_TRUE; aflag = DNS_RDATASETATTR_ANSWERSIG; } if (found) { /* * We've found an answer to our * question. */ name->attributes |= DNS_NAMEATTR_CACHE; rdataset->attributes |= DNS_RDATASETATTR_CACHE; rdataset->trust = dns_trust_answer; if (!chaining) { /* * This data is "the" answer * to our question only if * we're not chaining. */ INSIST(!external); if (aflag == DNS_RDATASETATTR_ANSWER) have_answer = ISC_TRUE; name->attributes |= DNS_NAMEATTR_ANSWER; rdataset->attributes |= aflag; if (aa) rdataset->trust = dns_trust_authanswer; } else if (external) { rdataset->attributes |= DNS_RDATASETATTR_EXTERNAL; } /* * DNAME chaining. */ if (found_dname) { /* * Copy the dname into the * qname fixed name. * * Although we check for * failure of the copy * operation, in practice it * should never fail since * we already know that the * result fits in a fixedname. */ dns_fixedname_init(&fqname); result = dns_name_copy( dns_fixedname_name(&dname), dns_fixedname_name(&fqname), NULL); if (result != ISC_R_SUCCESS) return (result); wanted_chaining = ISC_TRUE; name->attributes |= DNS_NAMEATTR_CHAINING; rdataset->attributes |= DNS_RDATASETATTR_CHAINING; qname = dns_fixedname_name( &fqname); } } } if (wanted_chaining) chaining = ISC_TRUE; } result = dns_message_nextname(message, DNS_SECTION_ANSWER); } if (result == ISC_R_NOMORE) result = ISC_R_SUCCESS; if (result != ISC_R_SUCCESS) return (result); /* * We should have found an answer. */ if (!have_answer) return (DNS_R_FORMERR); /* * This response is now potentially cacheable. */ fctx->attributes |= FCTX_ATTR_WANTCACHE; /* * Did chaining end before we got the final answer? */ if (chaining) { /* * Yes. This may be a negative reply, so hand off * authority section processing to the noanswer code. * If it isn't a noanswer response, no harm will be * done. */ return (noanswer_response(fctx, qname, ISC_FALSE)); } /* * We didn't end with an incomplete chain, so the rcode should be * "no error". */ if (message->rcode != dns_rcode_noerror) return (DNS_R_FORMERR); /* * Examine the authority section (if there is one). * * We expect there to be only one owner name for all the rdatasets * in this section, and we expect that it is not external. */ done = ISC_FALSE; result = dns_message_firstname(message, DNS_SECTION_AUTHORITY); while (!done && result == ISC_R_SUCCESS) { name = NULL; dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name); external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); if (!external) { /* * We expect to find NS or SIG NS rdatasets, and * nothing else. */ for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { if (rdataset->type == dns_rdatatype_ns || (rdataset->type == dns_rdatatype_rrsig && rdataset->covers == dns_rdatatype_ns)) { name->attributes |= DNS_NAMEATTR_CACHE; rdataset->attributes |= DNS_RDATASETATTR_CACHE; if (aa && !chaining) rdataset->trust = dns_trust_authauthority; else rdataset->trust = dns_trust_additional; /* * Mark any additional data related * to this rdataset. */ (void)dns_rdataset_additionaldata( rdataset, check_related, fctx); done = ISC_TRUE; } } } result = dns_message_nextname(message, DNS_SECTION_AUTHORITY); } if (result == ISC_R_NOMORE) result = ISC_R_SUCCESS; return (result); } static void resume_dslookup(isc_task_t *task, isc_event_t *event) { dns_fetchevent_t *fevent; dns_resolver_t *res; fetchctx_t *fctx; isc_result_t result; isc_boolean_t bucket_empty = ISC_FALSE; isc_boolean_t locked = ISC_FALSE; unsigned int bucketnum; dns_rdataset_t nameservers; dns_fixedname_t fixed; dns_name_t *domain; REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE); fevent = (dns_fetchevent_t *)event; fctx = event->ev_arg; REQUIRE(VALID_FCTX(fctx)); res = fctx->res; UNUSED(task); FCTXTRACE("resume_dslookup"); if (fevent->node != NULL) dns_db_detachnode(fevent->db, &fevent->node); if (fevent->db != NULL) dns_db_detach(&fevent->db); dns_rdataset_init(&nameservers); bucketnum = fctx->bucketnum; if (fevent->result == ISC_R_CANCELED) { dns_resolver_destroyfetch(&fctx->nsfetch); fctx_done(fctx, ISC_R_CANCELED, __LINE__); } else if (fevent->result == ISC_R_SUCCESS) { FCTXTRACE("resuming DS lookup"); dns_resolver_destroyfetch(&fctx->nsfetch); if (dns_rdataset_isassociated(&fctx->nameservers)) dns_rdataset_disassociate(&fctx->nameservers); dns_rdataset_clone(fevent->rdataset, &fctx->nameservers); dns_name_free(&fctx->domain, fctx->res->buckets[bucketnum].mctx); dns_name_init(&fctx->domain, NULL); result = dns_name_dup(&fctx->nsname, fctx->res->buckets[bucketnum].mctx, &fctx->domain); if (result != ISC_R_SUCCESS) { fctx_done(fctx, DNS_R_SERVFAIL, __LINE__); goto cleanup; } /* * Try again. */ - fctx_try(fctx, ISC_TRUE); + fctx_try(fctx, ISC_TRUE, ISC_FALSE); } else { unsigned int n; dns_rdataset_t *nsrdataset = NULL; /* * Retrieve state from fctx->nsfetch before we destroy it. */ dns_fixedname_init(&fixed); domain = dns_fixedname_name(&fixed); dns_name_copy(&fctx->nsfetch->private->domain, domain, NULL); if (dns_name_equal(&fctx->nsname, domain)) { fctx_done(fctx, DNS_R_SERVFAIL, __LINE__); dns_resolver_destroyfetch(&fctx->nsfetch); goto cleanup; } if (dns_rdataset_isassociated( &fctx->nsfetch->private->nameservers)) { dns_rdataset_clone( &fctx->nsfetch->private->nameservers, &nameservers); nsrdataset = &nameservers; } else domain = NULL; dns_resolver_destroyfetch(&fctx->nsfetch); n = dns_name_countlabels(&fctx->nsname); dns_name_getlabelsequence(&fctx->nsname, 1, n - 1, &fctx->nsname); if (dns_rdataset_isassociated(fevent->rdataset)) dns_rdataset_disassociate(fevent->rdataset); FCTXTRACE("continuing to look for parent's NS records"); result = dns_resolver_createfetch(fctx->res, &fctx->nsname, dns_rdatatype_ns, domain, nsrdataset, NULL, 0, task, resume_dslookup, fctx, &fctx->nsrrset, NULL, &fctx->nsfetch); if (result != ISC_R_SUCCESS) fctx_done(fctx, result, __LINE__); else { LOCK(&res->buckets[bucketnum].lock); locked = ISC_TRUE; fctx->references++; } } cleanup: if (dns_rdataset_isassociated(&nameservers)) dns_rdataset_disassociate(&nameservers); if (dns_rdataset_isassociated(fevent->rdataset)) dns_rdataset_disassociate(fevent->rdataset); INSIST(fevent->sigrdataset == NULL); isc_event_free(&event); if (!locked) LOCK(&res->buckets[bucketnum].lock); fctx->references--; if (fctx->references == 0) bucket_empty = fctx_destroy(fctx); UNLOCK(&res->buckets[bucketnum].lock); if (bucket_empty) empty_bucket(res); } static inline void checknamessection(dns_message_t *message, dns_section_t section) { isc_result_t result; dns_name_t *name; dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdataset_t *rdataset; for (result = dns_message_firstname(message, section); result == ISC_R_SUCCESS; result = dns_message_nextname(message, section)) { name = NULL; dns_message_currentname(message, section, &name); for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS; result = dns_rdataset_next(rdataset)) { dns_rdataset_current(rdataset, &rdata); if (!dns_rdata_checkowner(name, rdata.rdclass, rdata.type, ISC_FALSE) || !dns_rdata_checknames(&rdata, name, NULL)) { rdataset->attributes |= DNS_RDATASETATTR_CHECKNAMES; } dns_rdata_reset(&rdata); } } } } static void checknames(dns_message_t *message) { checknamessection(message, DNS_SECTION_ANSWER); checknamessection(message, DNS_SECTION_AUTHORITY); checknamessection(message, DNS_SECTION_ADDITIONAL); } /* * Log server NSID at log level 'level' */ static isc_result_t log_nsid(dns_rdataset_t *opt, resquery_t *query, int level, isc_mem_t *mctx) { static const char hex[17] = "0123456789abcdef"; char addrbuf[ISC_SOCKADDR_FORMATSIZE]; isc_uint16_t optcode, nsid_len, buflen, i; isc_result_t result; isc_buffer_t nsidbuf; dns_rdata_t rdata; unsigned char *p, *buf, *nsid; /* Extract rdata from OPT rdataset */ result = dns_rdataset_first(opt); if (result != ISC_R_SUCCESS) return (ISC_R_FAILURE); dns_rdata_init(&rdata); dns_rdataset_current(opt, &rdata); if (rdata.length < 4) return (ISC_R_FAILURE); /* Check for NSID */ isc_buffer_init(&nsidbuf, rdata.data, rdata.length); isc_buffer_add(&nsidbuf, rdata.length); optcode = isc_buffer_getuint16(&nsidbuf); nsid_len = isc_buffer_getuint16(&nsidbuf); if (optcode != DNS_OPT_NSID || nsid_len == 0) return (ISC_R_FAILURE); /* Allocate buffer for storing hex version of the NSID */ buflen = nsid_len * 2 + 1; buf = isc_mem_get(mctx, buflen); if (buf == NULL) return (ISC_R_NOSPACE); /* Convert to hex */ p = buf; nsid = rdata.data + 4; for (i = 0; i < nsid_len; i++) { *p++ = hex[(nsid[0] >> 4) & 0xf]; *p++ = hex[nsid[0] & 0xf]; nsid++; } *p = '\0'; isc_sockaddr_format(&query->addrinfo->sockaddr, addrbuf, sizeof(addrbuf)); isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, DNS_LOGMODULE_RESOLVER, level, "received NSID '%s' from %s", buf, addrbuf); /* Clean up */ isc_mem_put(mctx, buf, buflen); return (ISC_R_SUCCESS); } static void log_packet(dns_message_t *message, int level, isc_mem_t *mctx) { isc_buffer_t buffer; char *buf = NULL; int len = 1024; isc_result_t result; if (! isc_log_wouldlog(dns_lctx, level)) return; /* * Note that these are multiline debug messages. We want a newline * to appear in the log after each message. */ do { buf = isc_mem_get(mctx, len); if (buf == NULL) break; isc_buffer_init(&buffer, buf, len); result = dns_message_totext(message, &dns_master_style_debug, 0, &buffer); if (result == ISC_R_NOSPACE) { isc_mem_put(mctx, buf, len); len += 1024; } else if (result == ISC_R_SUCCESS) isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, DNS_LOGMODULE_RESOLVER, level, "received packet:\n%.*s", (int)isc_buffer_usedlength(&buffer), buf); } while (result == ISC_R_NOSPACE); if (buf != NULL) isc_mem_put(mctx, buf, len); } static void resquery_response(isc_task_t *task, isc_event_t *event) { isc_result_t result = ISC_R_SUCCESS; resquery_t *query = event->ev_arg; dns_dispatchevent_t *devent = (dns_dispatchevent_t *)event; isc_boolean_t keep_trying, get_nameservers, resend; isc_boolean_t truncated; dns_message_t *message; dns_rdataset_t *opt; fetchctx_t *fctx; dns_name_t *fname; dns_fixedname_t foundname; isc_stdtime_t now; isc_time_t tnow, *finish; dns_adbaddrinfo_t *addrinfo; unsigned int options; unsigned int findoptions; isc_result_t broken_server; badnstype_t broken_type = badns_response; REQUIRE(VALID_QUERY(query)); fctx = query->fctx; options = query->options; REQUIRE(VALID_FCTX(fctx)); REQUIRE(event->ev_type == DNS_EVENT_DISPATCH); QTRACE("response"); if (isc_sockaddr_pf(&query->addrinfo->sockaddr) == PF_INET) inc_stats(fctx->res, dns_resstatscounter_responsev4); else inc_stats(fctx->res, dns_resstatscounter_responsev6); (void)isc_timer_touch(fctx->timer); keep_trying = ISC_FALSE; broken_server = ISC_R_SUCCESS; get_nameservers = ISC_FALSE; resend = ISC_FALSE; truncated = ISC_FALSE; finish = NULL; if (fctx->res->exiting) { result = ISC_R_SHUTTINGDOWN; goto done; } fctx->timeouts = 0; fctx->timeout = ISC_FALSE; /* * XXXRTH We should really get the current time just once. We * need a routine to convert from an isc_time_t to an * isc_stdtime_t. */ TIME_NOW(&tnow); finish = &tnow; isc_stdtime_get(&now); /* * Did the dispatcher have a problem? */ if (devent->result != ISC_R_SUCCESS) { if (devent->result == ISC_R_EOF && (query->options & DNS_FETCHOPT_NOEDNS0) == 0) { /* * The problem might be that they * don't understand EDNS0. Turn it * off and try again. */ options |= DNS_FETCHOPT_NOEDNS0; resend = ISC_TRUE; /* * Remember that they don't like EDNS0. */ dns_adb_changeflags(fctx->adb, query->addrinfo, DNS_FETCHOPT_NOEDNS0, DNS_FETCHOPT_NOEDNS0); } else { /* * There's no hope for this query. */ keep_trying = ISC_TRUE; /* * If this is a network error on an exclusive query * socket, mark the server as bad so that we won't try * it for this fetch again. */ if (query->exclusivesocket && (devent->result == ISC_R_HOSTUNREACH || devent->result == ISC_R_NETUNREACH || devent->result == ISC_R_CONNREFUSED || devent->result == ISC_R_CANCELED)) { broken_server = devent->result; broken_type = badns_unreachable; } } goto done; } message = fctx->rmessage; if (query->tsig != NULL) { result = dns_message_setquerytsig(message, query->tsig); if (result != ISC_R_SUCCESS) goto done; } if (query->tsigkey) { result = dns_message_settsigkey(message, query->tsigkey); if (result != ISC_R_SUCCESS) goto done; } result = dns_message_parse(message, &devent->buffer, 0); if (result != ISC_R_SUCCESS) { switch (result) { case ISC_R_UNEXPECTEDEND: if (!message->question_ok || (message->flags & DNS_MESSAGEFLAG_TC) == 0 || (options & DNS_FETCHOPT_TCP) != 0) { /* * Either the message ended prematurely, * and/or wasn't marked as being truncated, * and/or this is a response to a query we * sent over TCP. In all of these cases, * something is wrong with the remote * server and we don't want to retry using * TCP. */ if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0) { /* * The problem might be that they * don't understand EDNS0. Turn it * off and try again. */ options |= DNS_FETCHOPT_NOEDNS0; resend = ISC_TRUE; /* * Remember that they don't like EDNS0. */ dns_adb_changeflags( fctx->adb, query->addrinfo, DNS_FETCHOPT_NOEDNS0, DNS_FETCHOPT_NOEDNS0); inc_stats(fctx->res, dns_resstatscounter_edns0fail); } else { broken_server = result; keep_trying = ISC_TRUE; } goto done; } /* * We defer retrying via TCP for a bit so we can * check out this message further. */ truncated = ISC_TRUE; break; case DNS_R_FORMERR: if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0) { /* * The problem might be that they * don't understand EDNS0. Turn it * off and try again. */ options |= DNS_FETCHOPT_NOEDNS0; resend = ISC_TRUE; /* * Remember that they don't like EDNS0. */ dns_adb_changeflags(fctx->adb, query->addrinfo, DNS_FETCHOPT_NOEDNS0, DNS_FETCHOPT_NOEDNS0); inc_stats(fctx->res, dns_resstatscounter_edns0fail); } else { broken_server = DNS_R_UNEXPECTEDRCODE; keep_trying = ISC_TRUE; } goto done; default: /* * Something bad has happened. */ goto done; } } /* * Log the incoming packet. */ log_packet(message, ISC_LOG_DEBUG(10), fctx->res->mctx); /* * Did we request NSID? If so, and if the response contains * NSID data, log it at INFO level. */ opt = dns_message_getopt(message); if (opt != NULL && (query->options & DNS_FETCHOPT_WANTNSID) != 0) log_nsid(opt, query, ISC_LOG_INFO, fctx->res->mctx); /* * If the message is signed, check the signature. If not, this * returns success anyway. */ result = dns_message_checksig(message, fctx->res->view); if (result != ISC_R_SUCCESS) goto done; /* * The dispatcher should ensure we only get responses with QR set. */ INSIST((message->flags & DNS_MESSAGEFLAG_QR) != 0); /* * INSIST() that the message comes from the place we sent it to, * since the dispatch code should ensure this. * * INSIST() that the message id is correct (this should also be * ensured by the dispatch code). */ /* * Deal with truncated responses by retrying using TCP. */ if ((message->flags & DNS_MESSAGEFLAG_TC) != 0) truncated = ISC_TRUE; if (truncated) { inc_stats(fctx->res, dns_resstatscounter_truncated); if ((options & DNS_FETCHOPT_TCP) != 0) { broken_server = DNS_R_TRUNCATEDTCP; keep_trying = ISC_TRUE; } else { options |= DNS_FETCHOPT_TCP; resend = ISC_TRUE; } goto done; } /* * Is it a query response? */ if (message->opcode != dns_opcode_query) { /* XXXRTH Log */ broken_server = DNS_R_UNEXPECTEDOPCODE; keep_trying = ISC_TRUE; goto done; } /* * Update statistics about erroneous responses. */ if (message->rcode != dns_rcode_noerror) { switch (message->rcode) { case dns_rcode_nxdomain: inc_stats(fctx->res, dns_resstatscounter_nxdomain); break; case dns_rcode_servfail: inc_stats(fctx->res, dns_resstatscounter_servfail); break; case dns_rcode_formerr: inc_stats(fctx->res, dns_resstatscounter_formerr); break; default: inc_stats(fctx->res, dns_resstatscounter_othererror); break; } } /* * Is the remote server broken, or does it dislike us? */ if (message->rcode != dns_rcode_noerror && message->rcode != dns_rcode_nxdomain) { if (((message->rcode == dns_rcode_formerr || message->rcode == dns_rcode_notimp) || (message->rcode == dns_rcode_servfail && dns_message_getopt(message) == NULL)) && (query->options & DNS_FETCHOPT_NOEDNS0) == 0) { /* * It's very likely they don't like EDNS0. * If the response code is SERVFAIL, also check if the * response contains an OPT RR and don't cache the * failure since it can be returned for various other * reasons. * * XXXRTH We should check if the question * we're asking requires EDNS0, and * if so, we should bail out. */ options |= DNS_FETCHOPT_NOEDNS0; resend = ISC_TRUE; /* * Remember that they don't like EDNS0. */ if (message->rcode != dns_rcode_servfail) dns_adb_changeflags(fctx->adb, query->addrinfo, DNS_FETCHOPT_NOEDNS0, DNS_FETCHOPT_NOEDNS0); inc_stats(fctx->res, dns_resstatscounter_edns0fail); } else if (message->rcode == dns_rcode_formerr) { if (ISFORWARDER(query->addrinfo)) { /* * This forwarder doesn't understand us, * but other forwarders might. Keep trying. */ broken_server = DNS_R_REMOTEFORMERR; keep_trying = ISC_TRUE; } else { /* * The server doesn't understand us. Since * all servers for a zone need similar * capabilities, we assume that we will get * FORMERR from all servers, and thus we * cannot make any more progress with this * fetch. */ result = DNS_R_FORMERR; } } else if (message->rcode == dns_rcode_yxdomain) { /* * DNAME mapping failed because the new name * was too long. There's no chance of success * for this fetch. */ result = DNS_R_YXDOMAIN; } else if (message->rcode == dns_rcode_badvers) { unsigned int flags, mask; unsigned int version; resend = ISC_TRUE; version = (opt->ttl >> 16) & 0xff; flags = (version << DNS_FETCHOPT_EDNSVERSIONSHIFT) | DNS_FETCHOPT_EDNSVERSIONSET; mask = DNS_FETCHOPT_EDNSVERSIONMASK | DNS_FETCHOPT_EDNSVERSIONSET; switch (version) { case 0: dns_adb_changeflags(fctx->adb, query->addrinfo, flags, mask); break; default: broken_server = DNS_R_BADVERS; keep_trying = ISC_TRUE; break; } } else { /* * XXXRTH log. */ broken_server = DNS_R_UNEXPECTEDRCODE; INSIST(broken_server != ISC_R_SUCCESS); keep_trying = ISC_TRUE; } goto done; } /* * Is the question the same as the one we asked? */ result = same_question(fctx); if (result != ISC_R_SUCCESS) { /* XXXRTH Log */ if (result == DNS_R_FORMERR) keep_trying = ISC_TRUE; goto done; } /* * Is the server lame? */ if (fctx->res->lame_ttl != 0 && !ISFORWARDER(query->addrinfo) && is_lame(fctx)) { inc_stats(fctx->res, dns_resstatscounter_lame); log_lame(fctx, query->addrinfo); result = dns_adb_marklame(fctx->adb, query->addrinfo, &fctx->name, fctx->type, now + fctx->res->lame_ttl); if (result != ISC_R_SUCCESS) isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR, "could not mark server as lame: %s", isc_result_totext(result)); broken_server = DNS_R_LAME; keep_trying = ISC_TRUE; goto done; } /* * Enforce delegations only zones like NET and COM. */ if (!ISFORWARDER(query->addrinfo) && dns_view_isdelegationonly(fctx->res->view, &fctx->domain) && !dns_name_equal(&fctx->domain, &fctx->name) && fix_mustbedelegationornxdomain(message, fctx)) { char namebuf[DNS_NAME_FORMATSIZE]; char domainbuf[DNS_NAME_FORMATSIZE]; char addrbuf[ISC_SOCKADDR_FORMATSIZE]; char classbuf[64]; char typebuf[64]; dns_name_format(&fctx->name, namebuf, sizeof(namebuf)); dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf)); dns_rdatatype_format(fctx->type, typebuf, sizeof(typebuf)); dns_rdataclass_format(fctx->res->rdclass, classbuf, sizeof(classbuf)); isc_sockaddr_format(&query->addrinfo->sockaddr, addrbuf, sizeof(addrbuf)); isc_log_write(dns_lctx, DNS_LOGCATEGORY_DELEGATION_ONLY, DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE, "enforced delegation-only for '%s' (%s/%s/%s) " "from %s", domainbuf, namebuf, typebuf, classbuf, addrbuf); } if ((fctx->res->options & DNS_RESOLVER_CHECKNAMES) != 0) checknames(message); /* * Clear cache bits. */ fctx->attributes &= ~(FCTX_ATTR_WANTNCACHE | FCTX_ATTR_WANTCACHE); /* * Did we get any answers? */ if (message->counts[DNS_SECTION_ANSWER] > 0 && (message->rcode == dns_rcode_noerror || message->rcode == dns_rcode_nxdomain)) { /* * We've got answers. However, if we sent * a BIND 8 server an NS query, it may have * incorrectly responded with a non-authoritative * answer instead of a referral. Since this * answer lacks the SIGs necessary to do DNSSEC * validation, we must invoke the following special * kludge to treat it as a referral. */ if (fctx->type == dns_rdatatype_ns && (message->flags & DNS_MESSAGEFLAG_AA) == 0 && !ISFORWARDER(query->addrinfo)) { result = noanswer_response(fctx, NULL, ISC_TRUE); if (result != DNS_R_DELEGATION) { /* * The answer section must have contained * something other than the NS records * we asked for. Since AA is not set * and the server is not a forwarder, * it is technically lame and it's easier * to treat it as such than to figure out * some more elaborate course of action. */ broken_server = DNS_R_LAME; keep_trying = ISC_TRUE; goto done; } goto force_referral; } result = answer_response(fctx); if (result != ISC_R_SUCCESS) { if (result == DNS_R_FORMERR) keep_trying = ISC_TRUE; goto done; } } else if (message->counts[DNS_SECTION_AUTHORITY] > 0 || message->rcode == dns_rcode_noerror || message->rcode == dns_rcode_nxdomain) { /* * NXDOMAIN, NXRDATASET, or referral. */ result = noanswer_response(fctx, NULL, ISC_FALSE); if (result == DNS_R_CHASEDSSERVERS) { } else if (result == DNS_R_DELEGATION) { force_referral: /* * We don't have the answer, but we know a better * place to look. */ get_nameservers = ISC_TRUE; keep_trying = ISC_TRUE; /* * We have a new set of name servers, and it * has not experienced any restarts yet. */ fctx->restarts = 0; /* * Update local statistics counters collected for each * new zone. */ fctx->referrals++; fctx->querysent = 0; fctx->lamecount = 0; fctx->neterr = 0; fctx->badresp = 0; fctx->adberr = 0; result = ISC_R_SUCCESS; } else if (result != ISC_R_SUCCESS) { /* * Something has gone wrong. */ if (result == DNS_R_FORMERR) keep_trying = ISC_TRUE; goto done; } } else { /* * The server is insane. */ /* XXXRTH Log */ broken_server = DNS_R_UNEXPECTEDRCODE; keep_trying = ISC_TRUE; goto done; } /* * Follow additional section data chains. */ chase_additional(fctx); /* * Cache the cacheable parts of the message. This may also cause * work to be queued to the DNSSEC validator. */ if (WANTCACHE(fctx)) { result = cache_message(fctx, query->addrinfo, now); if (result != ISC_R_SUCCESS) goto done; } /* * Ncache the negatively cacheable parts of the message. This may * also cause work to be queued to the DNSSEC validator. */ if (WANTNCACHE(fctx)) { dns_rdatatype_t covers; if (message->rcode == dns_rcode_nxdomain) covers = dns_rdatatype_any; else covers = fctx->type; /* * Cache any negative cache entries in the message. */ result = ncache_message(fctx, query->addrinfo, covers, now); } done: /* * Remember the query's addrinfo, in case we need to mark the * server as broken. */ addrinfo = query->addrinfo; /* * Cancel the query. * * XXXRTH Don't cancel the query if waiting for validation? */ fctx_cancelquery(&query, &devent, finish, ISC_FALSE); if (keep_trying) { if (result == DNS_R_FORMERR) broken_server = DNS_R_FORMERR; if (broken_server != ISC_R_SUCCESS) { /* * Add this server to the list of bad servers for * this fctx. */ add_bad(fctx, addrinfo, broken_server, broken_type); } if (get_nameservers) { dns_name_t *name; dns_fixedname_init(&foundname); fname = dns_fixedname_name(&foundname); if (result != ISC_R_SUCCESS) { fctx_done(fctx, DNS_R_SERVFAIL, __LINE__); return; } findoptions = 0; if (dns_rdatatype_atparent(fctx->type)) findoptions |= DNS_DBFIND_NOEXACT; if ((options & DNS_FETCHOPT_UNSHARED) == 0) name = &fctx->name; else name = &fctx->domain; result = dns_view_findzonecut(fctx->res->view, name, fname, now, findoptions, ISC_TRUE, &fctx->nameservers, NULL); if (result != ISC_R_SUCCESS) { FCTXTRACE("couldn't find a zonecut"); fctx_done(fctx, DNS_R_SERVFAIL, __LINE__); return; } if (!dns_name_issubdomain(fname, &fctx->domain)) { /* * The best nameservers are now above our * QDOMAIN. */ FCTXTRACE("nameservers now above QDOMAIN"); fctx_done(fctx, DNS_R_SERVFAIL, __LINE__); return; } dns_name_free(&fctx->domain, fctx->res->buckets[fctx->bucketnum].mctx); dns_name_init(&fctx->domain, NULL); result = dns_name_dup(fname, fctx->res->buckets[fctx->bucketnum].mctx, &fctx->domain); if (result != ISC_R_SUCCESS) { fctx_done(fctx, DNS_R_SERVFAIL, __LINE__); return; } fctx_cancelqueries(fctx, ISC_TRUE); fctx_cleanupfinds(fctx); fctx_cleanupaltfinds(fctx); fctx_cleanupforwaddrs(fctx); fctx_cleanupaltaddrs(fctx); } /* * Try again. */ - fctx_try(fctx, !get_nameservers); + fctx_try(fctx, !get_nameservers, ISC_FALSE); } else if (resend) { /* * Resend (probably with changed options). */ FCTXTRACE("resend"); inc_stats(fctx->res, dns_resstatscounter_retry); result = fctx_query(fctx, addrinfo, options); if (result != ISC_R_SUCCESS) fctx_done(fctx, result, __LINE__); } else if (result == ISC_R_SUCCESS && !HAVE_ANSWER(fctx)) { /* * All has gone well so far, but we are waiting for the * DNSSEC validator to validate the answer. */ FCTXTRACE("wait for validator"); fctx_cancelqueries(fctx, ISC_TRUE); /* * We must not retransmit while the validator is working; * it has references to the current rmessage. */ result = fctx_stopidletimer(fctx); if (result != ISC_R_SUCCESS) fctx_done(fctx, result, __LINE__); } else if (result == DNS_R_CHASEDSSERVERS) { unsigned int n; add_bad(fctx, addrinfo, result, broken_type); fctx_cancelqueries(fctx, ISC_TRUE); fctx_cleanupfinds(fctx); fctx_cleanupforwaddrs(fctx); n = dns_name_countlabels(&fctx->name); dns_name_getlabelsequence(&fctx->name, 1, n - 1, &fctx->nsname); FCTXTRACE("suspending DS lookup to find parent's NS records"); result = dns_resolver_createfetch(fctx->res, &fctx->nsname, dns_rdatatype_ns, NULL, NULL, NULL, 0, task, resume_dslookup, fctx, &fctx->nsrrset, NULL, &fctx->nsfetch); if (result != ISC_R_SUCCESS) fctx_done(fctx, result, __LINE__); LOCK(&fctx->res->buckets[fctx->bucketnum].lock); fctx->references++; UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock); result = fctx_stopidletimer(fctx); if (result != ISC_R_SUCCESS) fctx_done(fctx, result, __LINE__); } else { /* * We're done. */ fctx_done(fctx, result, __LINE__); } } /*** *** Resolver Methods ***/ +static void +destroy_badcache(dns_resolver_t *res) { + dns_badcache_t *bad, *next; + unsigned int i; + if (res->badcache != NULL) { + for (i = 0; i < res->badhash; i++) + for (bad = res->badcache[i]; bad != NULL; + bad = next) { + next = bad->next; + isc_mem_put(res->mctx, bad, sizeof(*bad) + + bad->name.length); + res->badcount--; + } + isc_mem_put(res->mctx, res->badcache, + sizeof(*res->badcache) * res->badhash); + res->badcache = NULL; + res->badhash = 0; + INSIST(res->badcount == 0); + } +} + static void destroy(dns_resolver_t *res) { unsigned int i; alternate_t *a; REQUIRE(res->references == 0); REQUIRE(!res->priming); REQUIRE(res->primefetch == NULL); RTRACE("destroy"); INSIST(res->nfctx == 0); DESTROYLOCK(&res->primelock); DESTROYLOCK(&res->nlock); DESTROYLOCK(&res->lock); for (i = 0; i < res->nbuckets; i++) { INSIST(ISC_LIST_EMPTY(res->buckets[i].fctxs)); isc_task_shutdown(res->buckets[i].task); isc_task_detach(&res->buckets[i].task); DESTROYLOCK(&res->buckets[i].lock); isc_mem_detach(&res->buckets[i].mctx); } isc_mem_put(res->mctx, res->buckets, res->nbuckets * sizeof(fctxbucket_t)); if (res->dispatchv4 != NULL) dns_dispatch_detach(&res->dispatchv4); if (res->dispatchv6 != NULL) dns_dispatch_detach(&res->dispatchv6); while ((a = ISC_LIST_HEAD(res->alternates)) != NULL) { ISC_LIST_UNLINK(res->alternates, a, link); if (!a->isaddress) dns_name_free(&a->_u._n.name, res->mctx); isc_mem_put(res->mctx, a, sizeof(*a)); } dns_resolver_reset_algorithms(res); + destroy_badcache(res); dns_resolver_resetmustbesecure(res); #if USE_ALGLOCK isc_rwlock_destroy(&res->alglock); #endif #if USE_MBSLOCK isc_rwlock_destroy(&res->mbslock); #endif isc_timer_detach(&res->spillattimer); res->magic = 0; isc_mem_put(res->mctx, res, sizeof(*res)); } static void send_shutdown_events(dns_resolver_t *res) { isc_event_t *event, *next_event; isc_task_t *etask; /* * Caller must be holding the resolver lock. */ for (event = ISC_LIST_HEAD(res->whenshutdown); event != NULL; event = next_event) { next_event = ISC_LIST_NEXT(event, ev_link); ISC_LIST_UNLINK(res->whenshutdown, event, ev_link); etask = event->ev_sender; event->ev_sender = res; isc_task_sendanddetach(&etask, &event); } } static void empty_bucket(dns_resolver_t *res) { RTRACE("empty_bucket"); LOCK(&res->lock); INSIST(res->activebuckets > 0); res->activebuckets--; if (res->activebuckets == 0) send_shutdown_events(res); UNLOCK(&res->lock); } static void spillattimer_countdown(isc_task_t *task, isc_event_t *event) { dns_resolver_t *res = event->ev_arg; isc_result_t result; unsigned int count; isc_boolean_t logit = ISC_FALSE; REQUIRE(VALID_RESOLVER(res)); UNUSED(task); LOCK(&res->lock); INSIST(!res->exiting); if (res->spillat > res->spillatmin) { res->spillat--; logit = ISC_TRUE; } if (res->spillat <= res->spillatmin) { result = isc_timer_reset(res->spillattimer, isc_timertype_inactive, NULL, NULL, ISC_TRUE); RUNTIME_CHECK(result == ISC_R_SUCCESS); } count = res->spillat; UNLOCK(&res->lock); if (logit) isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE, "clients-per-query decreased to %u", count); isc_event_free(&event); } isc_result_t dns_resolver_create(dns_view_t *view, isc_taskmgr_t *taskmgr, unsigned int ntasks, isc_socketmgr_t *socketmgr, isc_timermgr_t *timermgr, unsigned int options, dns_dispatchmgr_t *dispatchmgr, dns_dispatch_t *dispatchv4, dns_dispatch_t *dispatchv6, dns_resolver_t **resp) { dns_resolver_t *res; isc_result_t result = ISC_R_SUCCESS; unsigned int i, buckets_created = 0; isc_task_t *task = NULL; char name[16]; unsigned dispattr; /* * Create a resolver. */ REQUIRE(DNS_VIEW_VALID(view)); REQUIRE(ntasks > 0); REQUIRE(resp != NULL && *resp == NULL); REQUIRE(dispatchmgr != NULL); REQUIRE(dispatchv4 != NULL || dispatchv6 != NULL); res = isc_mem_get(view->mctx, sizeof(*res)); if (res == NULL) return (ISC_R_NOMEMORY); RTRACE("create"); res->mctx = view->mctx; res->rdclass = view->rdclass; res->socketmgr = socketmgr; res->timermgr = timermgr; res->taskmgr = taskmgr; res->dispatchmgr = dispatchmgr; res->view = view; res->options = options; res->lame_ttl = 0; ISC_LIST_INIT(res->alternates); res->udpsize = RECV_BUFFER_SIZE; res->algorithms = NULL; + res->badcache = NULL; + res->badcount = 0; + res->badhash = 0; + res->badsweep = 0; res->mustbesecure = NULL; res->spillatmin = res->spillat = 10; res->spillatmax = 100; res->spillattimer = NULL; res->zero_no_soa_ttl = ISC_FALSE; res->ndisps = 0; res->nextdisp = 0; /* meaningless at this point, but init it */ res->nbuckets = ntasks; res->activebuckets = ntasks; res->buckets = isc_mem_get(view->mctx, ntasks * sizeof(fctxbucket_t)); if (res->buckets == NULL) { result = ISC_R_NOMEMORY; goto cleanup_res; } for (i = 0; i < ntasks; i++) { result = isc_mutex_init(&res->buckets[i].lock); if (result != ISC_R_SUCCESS) goto cleanup_buckets; res->buckets[i].task = NULL; result = isc_task_create(taskmgr, 0, &res->buckets[i].task); if (result != ISC_R_SUCCESS) { DESTROYLOCK(&res->buckets[i].lock); goto cleanup_buckets; } res->buckets[i].mctx = NULL; snprintf(name, sizeof(name), "res%u", i); #ifdef ISC_PLATFORM_USETHREADS /* * Use a separate memory context for each bucket to reduce * contention among multiple threads. Do this only when * enabling threads because it will be require more memory. */ result = isc_mem_create(0, 0, &res->buckets[i].mctx); if (result != ISC_R_SUCCESS) { isc_task_detach(&res->buckets[i].task); DESTROYLOCK(&res->buckets[i].lock); goto cleanup_buckets; } isc_mem_setname(res->buckets[i].mctx, name, NULL); #else isc_mem_attach(view->mctx, &res->buckets[i].mctx); #endif isc_task_setname(res->buckets[i].task, name, res); ISC_LIST_INIT(res->buckets[i].fctxs); res->buckets[i].exiting = ISC_FALSE; buckets_created++; } res->dispatchv4 = NULL; if (dispatchv4 != NULL) { dns_dispatch_attach(dispatchv4, &res->dispatchv4); dispattr = dns_dispatch_getattributes(dispatchv4); res->exclusivev4 = ISC_TF((dispattr & DNS_DISPATCHATTR_EXCLUSIVE) != 0); } res->dispatchv6 = NULL; if (dispatchv6 != NULL) { dns_dispatch_attach(dispatchv6, &res->dispatchv6); dispattr = dns_dispatch_getattributes(dispatchv6); res->exclusivev6 = ISC_TF((dispattr & DNS_DISPATCHATTR_EXCLUSIVE) != 0); } res->references = 1; res->exiting = ISC_FALSE; res->frozen = ISC_FALSE; ISC_LIST_INIT(res->whenshutdown); res->priming = ISC_FALSE; res->primefetch = NULL; res->nfctx = 0; result = isc_mutex_init(&res->lock); if (result != ISC_R_SUCCESS) goto cleanup_dispatches; result = isc_mutex_init(&res->nlock); if (result != ISC_R_SUCCESS) goto cleanup_lock; result = isc_mutex_init(&res->primelock); if (result != ISC_R_SUCCESS) goto cleanup_nlock; task = NULL; result = isc_task_create(taskmgr, 0, &task); if (result != ISC_R_SUCCESS) goto cleanup_primelock; result = isc_timer_create(timermgr, isc_timertype_inactive, NULL, NULL, task, spillattimer_countdown, res, &res->spillattimer); isc_task_detach(&task); if (result != ISC_R_SUCCESS) goto cleanup_primelock; #if USE_ALGLOCK result = isc_rwlock_init(&res->alglock, 0, 0); if (result != ISC_R_SUCCESS) goto cleanup_spillattimer; #endif #if USE_MBSLOCK result = isc_rwlock_init(&res->mbslock, 0, 0); if (result != ISC_R_SUCCESS) goto cleanup_alglock; #endif res->magic = RES_MAGIC; *resp = res; return (ISC_R_SUCCESS); #if USE_MBSLOCK cleanup_alglock: #if USE_ALGLOCK isc_rwlock_destroy(&res->alglock); #endif #endif #if USE_ALGLOCK || USE_MBSLOCK cleanup_spillattimer: isc_timer_detach(&res->spillattimer); #endif cleanup_primelock: DESTROYLOCK(&res->primelock); cleanup_nlock: DESTROYLOCK(&res->nlock); cleanup_lock: DESTROYLOCK(&res->lock); cleanup_dispatches: if (res->dispatchv6 != NULL) dns_dispatch_detach(&res->dispatchv6); if (res->dispatchv4 != NULL) dns_dispatch_detach(&res->dispatchv4); cleanup_buckets: for (i = 0; i < buckets_created; i++) { isc_mem_detach(&res->buckets[i].mctx); DESTROYLOCK(&res->buckets[i].lock); isc_task_shutdown(res->buckets[i].task); isc_task_detach(&res->buckets[i].task); } isc_mem_put(view->mctx, res->buckets, res->nbuckets * sizeof(fctxbucket_t)); cleanup_res: isc_mem_put(view->mctx, res, sizeof(*res)); return (result); } static void prime_done(isc_task_t *task, isc_event_t *event) { dns_resolver_t *res; dns_fetchevent_t *fevent; dns_fetch_t *fetch; dns_db_t *db = NULL; REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE); fevent = (dns_fetchevent_t *)event; res = event->ev_arg; REQUIRE(VALID_RESOLVER(res)); UNUSED(task); LOCK(&res->lock); INSIST(res->priming); res->priming = ISC_FALSE; LOCK(&res->primelock); fetch = res->primefetch; res->primefetch = NULL; UNLOCK(&res->primelock); UNLOCK(&res->lock); if (fevent->result == ISC_R_SUCCESS && res->view->cache != NULL && res->view->hints != NULL) { dns_cache_attachdb(res->view->cache, &db); dns_root_checkhints(res->view, res->view->hints, db); dns_db_detach(&db); } if (fevent->node != NULL) dns_db_detachnode(fevent->db, &fevent->node); if (fevent->db != NULL) dns_db_detach(&fevent->db); if (dns_rdataset_isassociated(fevent->rdataset)) dns_rdataset_disassociate(fevent->rdataset); INSIST(fevent->sigrdataset == NULL); isc_mem_put(res->mctx, fevent->rdataset, sizeof(*fevent->rdataset)); isc_event_free(&event); dns_resolver_destroyfetch(&fetch); } void dns_resolver_prime(dns_resolver_t *res) { isc_boolean_t want_priming = ISC_FALSE; dns_rdataset_t *rdataset; isc_result_t result; REQUIRE(VALID_RESOLVER(res)); REQUIRE(res->frozen); RTRACE("dns_resolver_prime"); LOCK(&res->lock); if (!res->exiting && !res->priming) { INSIST(res->primefetch == NULL); res->priming = ISC_TRUE; want_priming = ISC_TRUE; } UNLOCK(&res->lock); if (want_priming) { /* * To avoid any possible recursive locking problems, we * start the priming fetch like any other fetch, and holding * no resolver locks. No one else will try to start it * because we're the ones who set res->priming to true. * Any other callers of dns_resolver_prime() while we're * running will see that res->priming is already true and * do nothing. */ RTRACE("priming"); rdataset = isc_mem_get(res->mctx, sizeof(*rdataset)); if (rdataset == NULL) { LOCK(&res->lock); INSIST(res->priming); INSIST(res->primefetch == NULL); res->priming = ISC_FALSE; UNLOCK(&res->lock); return; } dns_rdataset_init(rdataset); LOCK(&res->primelock); result = dns_resolver_createfetch(res, dns_rootname, dns_rdatatype_ns, NULL, NULL, NULL, 0, res->buckets[0].task, prime_done, res, rdataset, NULL, &res->primefetch); UNLOCK(&res->primelock); if (result != ISC_R_SUCCESS) { LOCK(&res->lock); INSIST(res->priming); res->priming = ISC_FALSE; UNLOCK(&res->lock); } } } void dns_resolver_freeze(dns_resolver_t *res) { /* * Freeze resolver. */ REQUIRE(VALID_RESOLVER(res)); REQUIRE(!res->frozen); res->frozen = ISC_TRUE; } void dns_resolver_attach(dns_resolver_t *source, dns_resolver_t **targetp) { REQUIRE(VALID_RESOLVER(source)); REQUIRE(targetp != NULL && *targetp == NULL); RRTRACE(source, "attach"); LOCK(&source->lock); REQUIRE(!source->exiting); INSIST(source->references > 0); source->references++; INSIST(source->references != 0); UNLOCK(&source->lock); *targetp = source; } void dns_resolver_whenshutdown(dns_resolver_t *res, isc_task_t *task, isc_event_t **eventp) { isc_task_t *clone; isc_event_t *event; REQUIRE(VALID_RESOLVER(res)); REQUIRE(eventp != NULL); event = *eventp; *eventp = NULL; LOCK(&res->lock); if (res->exiting && res->activebuckets == 0) { /* * We're already shutdown. Send the event. */ event->ev_sender = res; isc_task_send(task, &event); } else { clone = NULL; isc_task_attach(task, &clone); event->ev_sender = clone; ISC_LIST_APPEND(res->whenshutdown, event, ev_link); } UNLOCK(&res->lock); } void dns_resolver_shutdown(dns_resolver_t *res) { unsigned int i; fetchctx_t *fctx; isc_socket_t *sock; isc_result_t result; REQUIRE(VALID_RESOLVER(res)); RTRACE("shutdown"); LOCK(&res->lock); if (!res->exiting) { RTRACE("exiting"); res->exiting = ISC_TRUE; for (i = 0; i < res->nbuckets; i++) { LOCK(&res->buckets[i].lock); for (fctx = ISC_LIST_HEAD(res->buckets[i].fctxs); fctx != NULL; fctx = ISC_LIST_NEXT(fctx, link)) fctx_shutdown(fctx); if (res->dispatchv4 != NULL && !res->exclusivev4) { sock = dns_dispatch_getsocket(res->dispatchv4); isc_socket_cancel(sock, res->buckets[i].task, ISC_SOCKCANCEL_ALL); } if (res->dispatchv6 != NULL && !res->exclusivev6) { sock = dns_dispatch_getsocket(res->dispatchv6); isc_socket_cancel(sock, res->buckets[i].task, ISC_SOCKCANCEL_ALL); } res->buckets[i].exiting = ISC_TRUE; if (ISC_LIST_EMPTY(res->buckets[i].fctxs)) { INSIST(res->activebuckets > 0); res->activebuckets--; } UNLOCK(&res->buckets[i].lock); } if (res->activebuckets == 0) send_shutdown_events(res); result = isc_timer_reset(res->spillattimer, isc_timertype_inactive, NULL, NULL, ISC_TRUE); RUNTIME_CHECK(result == ISC_R_SUCCESS); } UNLOCK(&res->lock); } void dns_resolver_detach(dns_resolver_t **resp) { dns_resolver_t *res; isc_boolean_t need_destroy = ISC_FALSE; REQUIRE(resp != NULL); res = *resp; REQUIRE(VALID_RESOLVER(res)); RTRACE("detach"); LOCK(&res->lock); INSIST(res->references > 0); res->references--; if (res->references == 0) { INSIST(res->exiting && res->activebuckets == 0); need_destroy = ISC_TRUE; } UNLOCK(&res->lock); if (need_destroy) destroy(res); *resp = NULL; } static inline isc_boolean_t fctx_match(fetchctx_t *fctx, dns_name_t *name, dns_rdatatype_t type, unsigned int options) { if (fctx->type != type || fctx->options != options) return (ISC_FALSE); return (dns_name_equal(&fctx->name, name)); } static inline void log_fetch(dns_name_t *name, dns_rdatatype_t type) { char namebuf[DNS_NAME_FORMATSIZE]; char typebuf[DNS_RDATATYPE_FORMATSIZE]; int level = ISC_LOG_DEBUG(1); if (! isc_log_wouldlog(dns_lctx, level)) return; dns_name_format(name, namebuf, sizeof(namebuf)); dns_rdatatype_format(type, typebuf, sizeof(typebuf)); isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, DNS_LOGMODULE_RESOLVER, level, "createfetch: %s %s", namebuf, typebuf); } isc_result_t dns_resolver_createfetch(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, dns_name_t *domain, dns_rdataset_t *nameservers, dns_forwarders_t *forwarders, unsigned int options, isc_task_t *task, isc_taskaction_t action, void *arg, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, dns_fetch_t **fetchp) { return (dns_resolver_createfetch2(res, name, type, domain, nameservers, forwarders, NULL, 0, options, task, action, arg, rdataset, sigrdataset, fetchp)); } isc_result_t dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, dns_name_t *domain, dns_rdataset_t *nameservers, dns_forwarders_t *forwarders, isc_sockaddr_t *client, dns_messageid_t id, unsigned int options, isc_task_t *task, isc_taskaction_t action, void *arg, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, dns_fetch_t **fetchp) { dns_fetch_t *fetch; fetchctx_t *fctx = NULL; isc_result_t result = ISC_R_SUCCESS; unsigned int bucketnum; isc_boolean_t new_fctx = ISC_FALSE; isc_event_t *event; unsigned int count = 0; unsigned int spillat; unsigned int spillatmin; UNUSED(forwarders); REQUIRE(VALID_RESOLVER(res)); REQUIRE(res->frozen); /* XXXRTH Check for meta type */ if (domain != NULL) { REQUIRE(DNS_RDATASET_VALID(nameservers)); REQUIRE(nameservers->type == dns_rdatatype_ns); } else REQUIRE(nameservers == NULL); REQUIRE(forwarders == NULL); REQUIRE(!dns_rdataset_isassociated(rdataset)); REQUIRE(sigrdataset == NULL || !dns_rdataset_isassociated(sigrdataset)); REQUIRE(fetchp != NULL && *fetchp == NULL); log_fetch(name, type); /* * XXXRTH use a mempool? */ fetch = isc_mem_get(res->mctx, sizeof(*fetch)); if (fetch == NULL) return (ISC_R_NOMEMORY); bucketnum = dns_name_fullhash(name, ISC_FALSE) % res->nbuckets; LOCK(&res->lock); spillat = res->spillat; spillatmin = res->spillatmin; UNLOCK(&res->lock); LOCK(&res->buckets[bucketnum].lock); if (res->buckets[bucketnum].exiting) { result = ISC_R_SHUTTINGDOWN; goto unlock; } if ((options & DNS_FETCHOPT_UNSHARED) == 0) { for (fctx = ISC_LIST_HEAD(res->buckets[bucketnum].fctxs); fctx != NULL; fctx = ISC_LIST_NEXT(fctx, link)) { if (fctx_match(fctx, name, type, options)) break; } } /* * Is this a duplicate? */ if (fctx != NULL && client != NULL) { dns_fetchevent_t *fevent; for (fevent = ISC_LIST_HEAD(fctx->events); fevent != NULL; fevent = ISC_LIST_NEXT(fevent, ev_link)) { if (fevent->client != NULL && fevent->id == id && isc_sockaddr_equal(fevent->client, client)) { result = DNS_R_DUPLICATE; goto unlock; } count++; } } if (count >= spillatmin && spillatmin != 0) { INSIST(fctx != NULL); if (count >= spillat) fctx->spilled = ISC_TRUE; if (fctx->spilled) { result = DNS_R_DROP; goto unlock; } } /* * If we didn't have a fetch, would attach to a done fetch, this * fetch has already cloned its results, or if the fetch has gone * "idle" (no one was interested in it), we need to start a new * fetch instead of joining with the existing one. */ if (fctx == NULL || fctx->state == fetchstate_done || fctx->cloned || ISC_LIST_EMPTY(fctx->events)) { fctx = NULL; result = fctx_create(res, name, type, domain, nameservers, options, bucketnum, &fctx); if (result != ISC_R_SUCCESS) goto unlock; new_fctx = ISC_TRUE; } result = fctx_join(fctx, task, client, id, action, arg, rdataset, sigrdataset, fetch); if (new_fctx) { if (result == ISC_R_SUCCESS) { /* * Launch this fctx. */ event = &fctx->control_event; ISC_EVENT_INIT(event, sizeof(*event), 0, NULL, DNS_EVENT_FETCHCONTROL, fctx_start, fctx, NULL, NULL, NULL); isc_task_send(res->buckets[bucketnum].task, &event); } else { /* * We don't care about the result of fctx_destroy() * since we know we're not exiting. */ (void)fctx_destroy(fctx); } } unlock: UNLOCK(&res->buckets[bucketnum].lock); if (result == ISC_R_SUCCESS) { FTRACE("created"); *fetchp = fetch; } else isc_mem_put(res->mctx, fetch, sizeof(*fetch)); return (result); } void dns_resolver_cancelfetch(dns_fetch_t *fetch) { fetchctx_t *fctx; dns_resolver_t *res; dns_fetchevent_t *event, *next_event; isc_task_t *etask; REQUIRE(DNS_FETCH_VALID(fetch)); fctx = fetch->private; REQUIRE(VALID_FCTX(fctx)); res = fctx->res; FTRACE("cancelfetch"); LOCK(&res->buckets[fctx->bucketnum].lock); /* * Find the completion event for this fetch (as opposed * to those for other fetches that have joined the same * fctx) and send it with result = ISC_R_CANCELED. */ event = NULL; if (fctx->state != fetchstate_done) { for (event = ISC_LIST_HEAD(fctx->events); event != NULL; event = next_event) { next_event = ISC_LIST_NEXT(event, ev_link); if (event->fetch == fetch) { ISC_LIST_UNLINK(fctx->events, event, ev_link); break; } } } if (event != NULL) { etask = event->ev_sender; event->ev_sender = fctx; event->result = ISC_R_CANCELED; isc_task_sendanddetach(&etask, ISC_EVENT_PTR(&event)); } /* * The fctx continues running even if no fetches remain; * the answer is still cached. */ UNLOCK(&res->buckets[fctx->bucketnum].lock); } void dns_resolver_destroyfetch(dns_fetch_t **fetchp) { dns_fetch_t *fetch; dns_resolver_t *res; dns_fetchevent_t *event, *next_event; fetchctx_t *fctx; unsigned int bucketnum; isc_boolean_t bucket_empty = ISC_FALSE; REQUIRE(fetchp != NULL); fetch = *fetchp; REQUIRE(DNS_FETCH_VALID(fetch)); fctx = fetch->private; REQUIRE(VALID_FCTX(fctx)); res = fctx->res; FTRACE("destroyfetch"); bucketnum = fctx->bucketnum; LOCK(&res->buckets[bucketnum].lock); /* * Sanity check: the caller should have gotten its event before * trying to destroy the fetch. */ event = NULL; if (fctx->state != fetchstate_done) { for (event = ISC_LIST_HEAD(fctx->events); event != NULL; event = next_event) { next_event = ISC_LIST_NEXT(event, ev_link); RUNTIME_CHECK(event->fetch != fetch); } } INSIST(fctx->references > 0); fctx->references--; if (fctx->references == 0) { /* * No one cares about the result of this fetch anymore. */ if (fctx->pending == 0 && fctx->nqueries == 0 && ISC_LIST_EMPTY(fctx->validators) && SHUTTINGDOWN(fctx)) { /* * This fctx is already shutdown; we were just * waiting for the last reference to go away. */ bucket_empty = fctx_destroy(fctx); } else { /* * Initiate shutdown. */ fctx_shutdown(fctx); } } UNLOCK(&res->buckets[bucketnum].lock); isc_mem_put(res->mctx, fetch, sizeof(*fetch)); *fetchp = NULL; if (bucket_empty) empty_bucket(res); } void dns_resolver_logfetch(dns_fetch_t *fetch, isc_log_t *lctx, isc_logcategory_t *category, isc_logmodule_t *module, int level, isc_boolean_t duplicateok) { fetchctx_t *fctx; dns_resolver_t *res; char domainbuf[DNS_NAME_FORMATSIZE]; REQUIRE(DNS_FETCH_VALID(fetch)); fctx = fetch->private; REQUIRE(VALID_FCTX(fctx)); res = fctx->res; LOCK(&res->buckets[fctx->bucketnum].lock); INSIST(fctx->exitline >= 0); if (!fctx->logged || duplicateok) { dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf)); isc_log_write(lctx, category, module, level, "fetch completed at %s:%d for %s in " "%" ISC_PRINT_QUADFORMAT "u." "%06" ISC_PRINT_QUADFORMAT "u: %s/%s " "[domain:%s,referral:%u,restart:%u,qrysent:%u," "timeout:%u,lame:%u,neterr:%u,badresp:%u," "adberr:%u,findfail:%u,valfail:%u]", __FILE__, fctx->exitline, fctx->info, fctx->duration / 1000000, fctx->duration % 1000000, isc_result_totext(fctx->result), isc_result_totext(fctx->vresult), domainbuf, fctx->referrals, fctx->restarts, fctx->querysent, fctx->timeouts, fctx->lamecount, fctx->neterr, fctx->badresp, fctx->adberr, fctx->findfail, fctx->valfail); fctx->logged = ISC_TRUE; } UNLOCK(&res->buckets[fctx->bucketnum].lock); } dns_dispatchmgr_t * dns_resolver_dispatchmgr(dns_resolver_t *resolver) { REQUIRE(VALID_RESOLVER(resolver)); return (resolver->dispatchmgr); } dns_dispatch_t * dns_resolver_dispatchv4(dns_resolver_t *resolver) { REQUIRE(VALID_RESOLVER(resolver)); return (resolver->dispatchv4); } dns_dispatch_t * dns_resolver_dispatchv6(dns_resolver_t *resolver) { REQUIRE(VALID_RESOLVER(resolver)); return (resolver->dispatchv6); } isc_socketmgr_t * dns_resolver_socketmgr(dns_resolver_t *resolver) { REQUIRE(VALID_RESOLVER(resolver)); return (resolver->socketmgr); } isc_taskmgr_t * dns_resolver_taskmgr(dns_resolver_t *resolver) { REQUIRE(VALID_RESOLVER(resolver)); return (resolver->taskmgr); } isc_uint32_t dns_resolver_getlamettl(dns_resolver_t *resolver) { REQUIRE(VALID_RESOLVER(resolver)); return (resolver->lame_ttl); } void dns_resolver_setlamettl(dns_resolver_t *resolver, isc_uint32_t lame_ttl) { REQUIRE(VALID_RESOLVER(resolver)); resolver->lame_ttl = lame_ttl; } unsigned int dns_resolver_nrunning(dns_resolver_t *resolver) { unsigned int n; LOCK(&resolver->nlock); n = resolver->nfctx; UNLOCK(&resolver->nlock); return (n); } isc_result_t dns_resolver_addalternate(dns_resolver_t *resolver, isc_sockaddr_t *alt, dns_name_t *name, in_port_t port) { alternate_t *a; isc_result_t result; REQUIRE(VALID_RESOLVER(resolver)); REQUIRE(!resolver->frozen); REQUIRE((alt == NULL) ^ (name == NULL)); a = isc_mem_get(resolver->mctx, sizeof(*a)); if (a == NULL) return (ISC_R_NOMEMORY); if (alt != NULL) { a->isaddress = ISC_TRUE; a->_u.addr = *alt; } else { a->isaddress = ISC_FALSE; a->_u._n.port = port; dns_name_init(&a->_u._n.name, NULL); result = dns_name_dup(name, resolver->mctx, &a->_u._n.name); if (result != ISC_R_SUCCESS) { isc_mem_put(resolver->mctx, a, sizeof(*a)); return (result); } } ISC_LINK_INIT(a, link); ISC_LIST_APPEND(resolver->alternates, a, link); return (ISC_R_SUCCESS); } void dns_resolver_setudpsize(dns_resolver_t *resolver, isc_uint16_t udpsize) { REQUIRE(VALID_RESOLVER(resolver)); resolver->udpsize = udpsize; } isc_uint16_t dns_resolver_getudpsize(dns_resolver_t *resolver) { REQUIRE(VALID_RESOLVER(resolver)); return (resolver->udpsize); +} + +void +dns_resolver_flushbadcache(dns_resolver_t *resolver, dns_name_t *name) { + unsigned int i; + dns_badcache_t *bad, *prev, *next; + + REQUIRE(VALID_RESOLVER(resolver)); + + LOCK(&resolver->lock); + if (resolver->badcache == NULL) + goto unlock; + + if (name != NULL) { + isc_time_t now; + isc_result_t result; + result = isc_time_now(&now); + if (result != ISC_R_SUCCESS) + isc_time_settoepoch(&now); + i = dns_name_hash(name, ISC_FALSE) % resolver->badhash; + prev = NULL; + for (bad = resolver->badcache[i]; bad != NULL; bad = next) { + int n; + next = bad->next; + n = isc_time_compare(&bad->expire, &now); + if (n < 0 || dns_name_equal(name, &bad->name)) { + if (prev == NULL) + resolver->badcache[i] = bad->next; + else + prev->next = bad->next; + isc_mem_put(resolver->mctx, bad, sizeof(*bad) + + bad->name.length); + resolver->badcount--; + } else + prev = bad; + } + } else + destroy_badcache(resolver); + + unlock: + UNLOCK(&resolver->lock); + +} + +static void +resizehash(dns_resolver_t *resolver, isc_time_t *now, isc_boolean_t grow) { + unsigned int newsize; + dns_badcache_t **new, *bad, *next; + unsigned int i; + + if (grow) + newsize = resolver->badhash * 2 + 1; + else + newsize = (resolver->badhash - 1) / 2; + + new = isc_mem_get(resolver->mctx, + sizeof(*resolver->badcache) * newsize); + if (new == NULL) + return; + memset(new, 0, sizeof(*resolver->badcache) * newsize); + for (i = 0; i < resolver->badhash; i++) { + for (bad = resolver->badcache[i]; bad != NULL; bad = next) { + next = bad->next; + if (isc_time_compare(&bad->expire, now) < 0) { + isc_mem_put(resolver->mctx, bad, sizeof(*bad) + + bad->name.length); + resolver->badcount--; + } else { + bad->next = new[bad->hashval % newsize]; + new[bad->hashval % newsize] = bad; + } + } + } + isc_mem_put(resolver->mctx, resolver->badcache, + sizeof(*resolver->badcache) * resolver->badhash); + resolver->badhash = newsize; + resolver->badcache = new; +} + +void +dns_resolver_addbadcache(dns_resolver_t *resolver, dns_name_t *name, + dns_rdatatype_t type, isc_time_t *expire) +{ + isc_time_t now; + isc_result_t result = ISC_R_SUCCESS; + unsigned int i, hashval; + dns_badcache_t *bad, *prev, *next; + + REQUIRE(VALID_RESOLVER(resolver)); + + LOCK(&resolver->lock); + if (resolver->badcache == NULL) { + resolver->badcache = isc_mem_get(resolver->mctx, + sizeof(*resolver->badcache) * + DNS_BADCACHE_SIZE); + if (resolver->badcache == NULL) { + result = ISC_R_NOMEMORY; + goto cleanup; + } + resolver->badhash = DNS_BADCACHE_SIZE; + memset(resolver->badcache, 0, sizeof(*resolver->badcache) * + resolver->badhash); + } + + result = isc_time_now(&now); + if (result != ISC_R_SUCCESS) + isc_time_settoepoch(&now); + hashval = dns_name_hash(name, ISC_FALSE); + i = hashval % resolver->badhash; + prev = NULL; + for (bad = resolver->badcache[i]; bad != NULL; bad = next) { + next = bad->next; + if (bad->type == type && dns_name_equal(name, &bad->name)) + break; + if (isc_time_compare(&bad->expire, &now) < 0) { + if (prev == NULL) + resolver->badcache[i] = bad->next; + else + prev->next = bad->next; + isc_mem_put(resolver->mctx, bad, sizeof(*bad) + + bad->name.length); + resolver->badcount--; + } else + prev = bad; + } + if (bad == NULL) { + isc_buffer_t buffer; + bad = isc_mem_get(resolver->mctx, sizeof(*bad) + name->length); + if (bad == NULL) { + result = ISC_R_NOMEMORY; + goto cleanup; + } + bad->type = type; + bad->hashval = hashval; + isc_buffer_init(&buffer, bad + 1, name->length); + dns_name_init(&bad->name, NULL); + dns_name_copy(name, &bad->name, &buffer); + bad->next = resolver->badcache[i]; + resolver->badcache[i] = bad; + resolver->badcount++; + if (resolver->badcount > resolver->badhash * 8) + resizehash(resolver, &now, ISC_TRUE); + if (resolver->badcount < resolver->badhash * 2 && + resolver->badhash > DNS_BADCACHE_SIZE) + resizehash(resolver, &now, ISC_FALSE); + } + bad->expire = *expire; + cleanup: + UNLOCK(&resolver->lock); +} + +isc_boolean_t +dns_resolver_getbadcache(dns_resolver_t *resolver, dns_name_t *name, + dns_rdatatype_t type, isc_time_t *now) +{ + dns_badcache_t *bad, *prev, *next; + isc_boolean_t answer = ISC_FALSE; + unsigned int i; + + REQUIRE(VALID_RESOLVER(resolver)); + + LOCK(&resolver->lock); + if (resolver->badcache == NULL) + goto unlock; + + i = dns_name_hash(name, ISC_FALSE) % resolver->badhash; + prev = NULL; + for (bad = resolver->badcache[i]; bad != NULL; bad = next) { + next = bad->next; + /* + * Search the hash list. Clean out expired records as we go. + */ + if (isc_time_compare(&bad->expire, now) < 0) { + if (prev != NULL) + prev->next = bad->next; + else + resolver->badcache[i] = bad->next; + isc_mem_put(resolver->mctx, bad, sizeof(*bad) + + bad->name.length); + resolver->badcount--; + continue; + } + if (bad->type == type && dns_name_equal(name, &bad->name)) { + answer = ISC_TRUE; + break; + } + prev = bad; + } + + /* + * Slow sweep to clean out stale records. + */ + i = resolver->badsweep++ % resolver->badhash; + bad = resolver->badcache[i]; + if (bad != NULL && isc_time_compare(&bad->expire, now) < 0) { + resolver->badcache[i] = bad->next; + isc_mem_put(resolver->mctx, bad, sizeof(*bad) + + bad->name.length); + resolver->badcount--; + } + + unlock: + UNLOCK(&resolver->lock); + return (answer); +} + +void +dns_resolver_printbadcache(dns_resolver_t *resolver, FILE *fp) { + char namebuf[DNS_NAME_FORMATSIZE]; + char typebuf[DNS_RDATATYPE_FORMATSIZE]; + dns_badcache_t *bad, *next, *prev; + isc_time_t now; + unsigned int i; + isc_uint64_t t; + + LOCK(&resolver->lock); + fprintf(fp, ";\n; Bad cache\n;\n"); + + if (resolver->badcache == NULL) + goto unlock; + + TIME_NOW(&now); + for (i = 0; i < resolver->badhash; i++) { + prev = NULL; + for (bad = resolver->badcache[i]; bad != NULL; bad = next) { + next = bad->next; + if (isc_time_compare(&bad->expire, &now) < 0) { + if (prev != NULL) + prev->next = bad->next; + else + resolver->badcache[i] = bad->next; + isc_mem_put(resolver->mctx, bad, sizeof(*bad) + + bad->name.length); + resolver->badcount--; + continue; + } + prev = bad; + dns_name_format(&bad->name, namebuf, sizeof(namebuf)); + dns_rdatatype_format(bad->type, typebuf, + sizeof(typebuf)); + t = isc_time_microdiff(&bad->expire, &now); + t /= 1000; + fprintf(fp, "; %s/%s [ttl " + "%" ISC_PLATFORM_QUADFORMAT "u]\n", + namebuf, typebuf, t); + } + } + + unlock: + UNLOCK(&resolver->lock); } static void free_algorithm(void *node, void *arg) { unsigned char *algorithms = node; isc_mem_t *mctx = arg; isc_mem_put(mctx, algorithms, *algorithms); } void dns_resolver_reset_algorithms(dns_resolver_t *resolver) { REQUIRE(VALID_RESOLVER(resolver)); #if USE_ALGLOCK RWLOCK(&resolver->alglock, isc_rwlocktype_write); #endif if (resolver->algorithms != NULL) dns_rbt_destroy(&resolver->algorithms); #if USE_ALGLOCK RWUNLOCK(&resolver->alglock, isc_rwlocktype_write); #endif } isc_result_t dns_resolver_disable_algorithm(dns_resolver_t *resolver, dns_name_t *name, unsigned int alg) { unsigned int len, mask; unsigned char *new; unsigned char *algorithms; isc_result_t result; dns_rbtnode_t *node = NULL; REQUIRE(VALID_RESOLVER(resolver)); if (alg > 255) return (ISC_R_RANGE); #if USE_ALGLOCK RWLOCK(&resolver->alglock, isc_rwlocktype_write); #endif if (resolver->algorithms == NULL) { result = dns_rbt_create(resolver->mctx, free_algorithm, resolver->mctx, &resolver->algorithms); if (result != ISC_R_SUCCESS) goto cleanup; } len = alg/8 + 2; mask = 1 << (alg%8); result = dns_rbt_addnode(resolver->algorithms, name, &node); if (result == ISC_R_SUCCESS || result == ISC_R_EXISTS) { algorithms = node->data; if (algorithms == NULL || len > *algorithms) { new = isc_mem_get(resolver->mctx, len); if (new == NULL) { result = ISC_R_NOMEMORY; goto cleanup; } memset(new, 0, len); if (algorithms != NULL) memcpy(new, algorithms, *algorithms); new[len-1] |= mask; *new = len; node->data = new; if (algorithms != NULL) isc_mem_put(resolver->mctx, algorithms, *algorithms); } else algorithms[len-1] |= mask; } result = ISC_R_SUCCESS; cleanup: #if USE_ALGLOCK RWUNLOCK(&resolver->alglock, isc_rwlocktype_write); #endif return (result); } isc_boolean_t dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name, unsigned int alg) { unsigned int len, mask; unsigned char *algorithms; void *data = NULL; isc_result_t result; isc_boolean_t found = ISC_FALSE; REQUIRE(VALID_RESOLVER(resolver)); #if USE_ALGLOCK RWLOCK(&resolver->alglock, isc_rwlocktype_read); #endif if (resolver->algorithms == NULL) goto unlock; result = dns_rbt_findname(resolver->algorithms, name, 0, NULL, &data); if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) { len = alg/8 + 2; mask = 1 << (alg%8); algorithms = data; if (len <= *algorithms && (algorithms[len-1] & mask) != 0) found = ISC_TRUE; } unlock: #if USE_ALGLOCK RWUNLOCK(&resolver->alglock, isc_rwlocktype_read); #endif if (found) return (ISC_FALSE); return (dst_algorithm_supported(alg)); } isc_boolean_t dns_resolver_digest_supported(dns_resolver_t *resolver, unsigned int digest) { UNUSED(resolver); return (dns_ds_digest_supported(digest)); } void dns_resolver_resetmustbesecure(dns_resolver_t *resolver) { REQUIRE(VALID_RESOLVER(resolver)); #if USE_MBSLOCK RWLOCK(&resolver->mbslock, isc_rwlocktype_write); #endif if (resolver->mustbesecure != NULL) dns_rbt_destroy(&resolver->mustbesecure); #if USE_MBSLOCK RWUNLOCK(&resolver->mbslock, isc_rwlocktype_write); #endif } static isc_boolean_t yes = ISC_TRUE, no = ISC_FALSE; isc_result_t dns_resolver_setmustbesecure(dns_resolver_t *resolver, dns_name_t *name, isc_boolean_t value) { isc_result_t result; REQUIRE(VALID_RESOLVER(resolver)); #if USE_MBSLOCK RWLOCK(&resolver->mbslock, isc_rwlocktype_write); #endif if (resolver->mustbesecure == NULL) { result = dns_rbt_create(resolver->mctx, NULL, NULL, &resolver->mustbesecure); if (result != ISC_R_SUCCESS) goto cleanup; } result = dns_rbt_addname(resolver->mustbesecure, name, value ? &yes : &no); cleanup: #if USE_MBSLOCK RWUNLOCK(&resolver->mbslock, isc_rwlocktype_write); #endif return (result); } isc_boolean_t dns_resolver_getmustbesecure(dns_resolver_t *resolver, dns_name_t *name) { void *data = NULL; isc_boolean_t value = ISC_FALSE; isc_result_t result; REQUIRE(VALID_RESOLVER(resolver)); #if USE_MBSLOCK RWLOCK(&resolver->mbslock, isc_rwlocktype_read); #endif if (resolver->mustbesecure == NULL) goto unlock; result = dns_rbt_findname(resolver->mustbesecure, name, 0, NULL, &data); if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) value = *(isc_boolean_t*)data; unlock: #if USE_MBSLOCK RWUNLOCK(&resolver->mbslock, isc_rwlocktype_read); #endif return (value); } void dns_resolver_getclientsperquery(dns_resolver_t *resolver, isc_uint32_t *cur, isc_uint32_t *min, isc_uint32_t *max) { REQUIRE(VALID_RESOLVER(resolver)); LOCK(&resolver->lock); if (cur != NULL) *cur = resolver->spillat; if (min != NULL) *min = resolver->spillatmin; if (max != NULL) *max = resolver->spillatmax; UNLOCK(&resolver->lock); } void dns_resolver_setclientsperquery(dns_resolver_t *resolver, isc_uint32_t min, isc_uint32_t max) { REQUIRE(VALID_RESOLVER(resolver)); LOCK(&resolver->lock); resolver->spillatmin = resolver->spillat = min; resolver->spillatmax = max; UNLOCK(&resolver->lock); } isc_boolean_t dns_resolver_getzeronosoattl(dns_resolver_t *resolver) { REQUIRE(VALID_RESOLVER(resolver)); return (resolver->zero_no_soa_ttl); } void dns_resolver_setzeronosoattl(dns_resolver_t *resolver, isc_boolean_t state) { REQUIRE(VALID_RESOLVER(resolver)); resolver->zero_no_soa_ttl = state; } unsigned int dns_resolver_getoptions(dns_resolver_t *resolver) { REQUIRE(VALID_RESOLVER(resolver)); return (resolver->options); } Index: head/contrib/bind9/lib/dns/result.c =================================================================== --- head/contrib/bind9/lib/dns/result.c (revision 205291) +++ head/contrib/bind9/lib/dns/result.c (revision 205292) @@ -1,277 +1,280 @@ /* - * Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007, 2008, 2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1998-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: result.c,v 1.125 2008/09/25 04:02:38 tbox Exp $ */ +/* $Id: result.c,v 1.125.122.2 2010/02/25 10:57:12 tbox Exp $ */ /*! \file */ #include #include #include #include #include static const char *text[DNS_R_NRESULTS] = { "label too long", /*%< 0 DNS_R_LABELTOOLONG */ "bad escape", /*%< 1 DNS_R_BADESCAPE */ /*! * Note that DNS_R_BADBITSTRING and DNS_R_BITSTRINGTOOLONG are * deprecated. */ "bad bitstring", /*%< 2 DNS_R_BADBITSTRING */ "bitstring too long", /*%< 3 DNS_R_BITSTRINGTOOLONG */ "empty label", /*%< 4 DNS_R_EMPTYLABEL */ "bad dotted quad", /*%< 5 DNS_R_BADDOTTEDQUAD */ "invalid NS owner name (wildcard)", /*%< 6 DNS_R_INVALIDNS */ "unknown class/type", /*%< 7 DNS_R_UNKNOWN */ "bad label type", /*%< 8 DNS_R_BADLABELTYPE */ "bad compression pointer", /*%< 9 DNS_R_BADPOINTER */ "too many hops", /*%< 10 DNS_R_TOOMANYHOPS */ "disallowed (by application policy)", /*%< 11 DNS_R_DISALLOWED */ "extra input text", /*%< 12 DNS_R_EXTRATOKEN */ "extra input data", /*%< 13 DNS_R_EXTRADATA */ "text too long", /*%< 14 DNS_R_TEXTTOOLONG */ "not at top of zone", /*%< 15 DNS_R_NOTZONETOP */ "syntax error", /*%< 16 DNS_R_SYNTAX */ "bad checksum", /*%< 17 DNS_R_BADCKSUM */ "bad IPv6 address", /*%< 18 DNS_R_BADAAAA */ "no owner", /*%< 19 DNS_R_NOOWNER */ "no ttl", /*%< 20 DNS_R_NOTTL */ "bad class", /*%< 21 DNS_R_BADCLASS */ "name too long", /*%< 22 DNS_R_NAMETOOLONG */ "partial match", /*%< 23 DNS_R_PARTIALMATCH */ "new origin", /*%< 24 DNS_R_NEWORIGIN */ "unchanged", /*%< 25 DNS_R_UNCHANGED */ "bad ttl", /*%< 26 DNS_R_BADTTL */ "more data needed/to be rendered", /*%< 27 DNS_R_NOREDATA */ "continue", /*%< 28 DNS_R_CONTINUE */ "delegation", /*%< 29 DNS_R_DELEGATION */ "glue", /*%< 30 DNS_R_GLUE */ "dname", /*%< 31 DNS_R_DNAME */ "cname", /*%< 32 DNS_R_CNAME */ "bad database", /*%< 33 DNS_R_BADDB */ "zonecut", /*%< 34 DNS_R_ZONECUT */ "bad zone", /*%< 35 DNS_R_BADZONE */ "more data", /*%< 36 DNS_R_MOREDATA */ "up to date", /*%< 37 DNS_R_UPTODATE */ "tsig verify failure", /*%< 38 DNS_R_TSIGVERIFYFAILURE */ "tsig indicates error", /*%< 39 DNS_R_TSIGERRORSET */ "RRSIG failed to verify", /*%< 40 DNS_R_SIGINVALID */ "RRSIG has expired", /*%< 41 DNS_R_SIGEXPIRED */ "RRSIG validity period has not begun", /*%< 42 DNS_R_SIGFUTURE */ "key is unauthorized to sign data", /*%< 43 DNS_R_KEYUNAUTHORIZED */ "invalid time", /*%< 44 DNS_R_INVALIDTIME */ "expected a TSIG or SIG(0)", /*%< 45 DNS_R_EXPECTEDTSIG */ "did not expect a TSIG or SIG(0)", /*%< 46 DNS_R_UNEXPECTEDTSIG */ "TKEY is unacceptable", /*%< 47 DNS_R_INVALIDTKEY */ "hint", /*%< 48 DNS_R_HINT */ "drop", /*%< 49 DNS_R_DROP */ "zone not loaded", /*%< 50 DNS_R_NOTLOADED */ "ncache nxdomain", /*%< 51 DNS_R_NCACHENXDOMAIN */ "ncache nxrrset", /*%< 52 DNS_R_NCACHENXRRSET */ "wait", /*%< 53 DNS_R_WAIT */ "not verified yet", /*%< 54 DNS_R_NOTVERIFIEDYET */ "no identity", /*%< 55 DNS_R_NOIDENTITY */ "no journal", /*%< 56 DNS_R_NOJOURNAL */ "alias", /*%< 57 DNS_R_ALIAS */ "use TCP", /*%< 58 DNS_R_USETCP */ "no valid RRSIG", /*%< 59 DNS_R_NOVALIDSIG */ "no valid NSEC", /*%< 60 DNS_R_NOVALIDNSEC */ "not insecure", /*%< 61 DNS_R_NOTINSECURE */ "unknown service", /*%< 62 DNS_R_UNKNOWNSERVICE */ "recoverable error occurred", /*%< 63 DNS_R_RECOVERABLE */ "unknown opt attribute record", /*%< 64 DNS_R_UNKNOWNOPT */ "unexpected message id", /*%< 65 DNS_R_UNEXPECTEDID */ "seen include file", /*%< 66 DNS_R_SEENINCLUDE */ "not exact", /*%< 67 DNS_R_NOTEXACT */ "address blackholed", /*%< 68 DNS_R_BLACKHOLED */ "bad algorithm", /*%< 69 DNS_R_BADALG */ "invalid use of a meta type", /*%< 70 DNS_R_METATYPE */ "CNAME and other data", /*%< 71 DNS_R_CNAMEANDOTHER */ "multiple RRs of singleton type", /*%< 72 DNS_R_SINGLETON */ "hint nxrrset", /*%< 73 DNS_R_HINTNXRRSET */ "no master file configured", /*%< 74 DNS_R_NOMASTERFILE */ "unknown protocol", /*%< 75 DNS_R_UNKNOWNPROTO */ "clocks are unsynchronized", /*%< 76 DNS_R_CLOCKSKEW */ "IXFR failed", /*%< 77 DNS_R_BADIXFR */ "not authoritative", /*%< 78 DNS_R_NOTAUTHORITATIVE */ "no valid KEY", /*%< 79 DNS_R_NOVALIDKEY */ "obsolete", /*%< 80 DNS_R_OBSOLETE */ "already frozen", /*%< 81 DNS_R_FROZEN */ "unknown flag", /*%< 82 DNS_R_UNKNOWNFLAG */ "expected a response", /*%< 83 DNS_R_EXPECTEDRESPONSE */ "no valid DS", /*%< 84 DNS_R_NOVALIDDS */ "NS is an address", /*%< 85 DNS_R_NSISADDRESS */ "received FORMERR", /*%< 86 DNS_R_REMOTEFORMERR */ "truncated TCP response", /*%< 87 DNS_R_TRUNCATEDTCP */ "lame server detected", /*%< 88 DNS_R_LAME */ "unexpected RCODE", /*%< 89 DNS_R_UNEXPECTEDRCODE */ "unexpected OPCODE", /*%< 90 DNS_R_UNEXPECTEDOPCODE */ "chase DS servers", /*%< 91 DNS_R_CHASEDSSERVERS */ "empty name", /*%< 92 DNS_R_EMPTYNAME */ "empty wild", /*%< 93 DNS_R_EMPTYWILD */ "bad bitmap", /*%< 94 DNS_R_BADBITMAP */ "from wildcard", /*%< 95 DNS_R_FROMWILDCARD */ "bad owner name (check-names)", /*%< 96 DNS_R_BADOWNERNAME */ "bad name (check-names)", /*%< 97 DNS_R_BADNAME */ "dynamic zone", /*%< 98 DNS_R_DYNAMIC */ "unknown command", /*%< 99 DNS_R_UNKNOWNCOMMAND */ "must-be-secure", /*%< 100 DNS_R_MUSTBESECURE */ "covering NSEC record returned", /*%< 101 DNS_R_COVERINGNSEC */ "MX is an address", /*%< 102 DNS_R_MXISADDRESS */ "duplicate query", /*%< 103 DNS_R_DUPLICATE */ "invalid NSEC3 owner name (wildcard)", /*%< 104 DNS_R_INVALIDNSEC3 */ + + "not master", /*%< 105 DNS_R_NOTMASTER */ + "broken trust chain", /*%< 106 DNS_R_BROKENCHAIN */ }; static const char *rcode_text[DNS_R_NRCODERESULTS] = { "NOERROR", /*%< 0 DNS_R_NOEROR */ "FORMERR", /*%< 1 DNS_R_FORMERR */ "SERVFAIL", /*%< 2 DNS_R_SERVFAIL */ "NXDOMAIN", /*%< 3 DNS_R_NXDOMAIN */ "NOTIMP", /*%< 4 DNS_R_NOTIMP */ "REFUSED", /*%< 5 DNS_R_REFUSED */ "YXDOMAIN", /*%< 6 DNS_R_YXDOMAIN */ "YXRRSET", /*%< 7 DNS_R_YXRRSET */ "NXRRSET", /*%< 8 DNS_R_NXRRSET */ "NOTAUTH", /*%< 9 DNS_R_NOTAUTH */ "NOTZONE", /*%< 10 DNS_R_NOTZONE */ "", /*%< 11 has no macro */ "", /*%< 12 has no macro */ "", /*%< 13 has no macro */ "", /*%< 14 has no macro */ "", /*%< 15 has no macro */ "BADVERS", /*%< 16 DNS_R_BADVERS */ }; #define DNS_RESULT_RESULTSET 2 #define DNS_RESULT_RCODERESULTSET 3 static isc_once_t once = ISC_ONCE_INIT; static void initialize_action(void) { isc_result_t result; result = isc_result_register(ISC_RESULTCLASS_DNS, DNS_R_NRESULTS, text, dns_msgcat, DNS_RESULT_RESULTSET); if (result == ISC_R_SUCCESS) result = isc_result_register(ISC_RESULTCLASS_DNSRCODE, DNS_R_NRCODERESULTS, rcode_text, dns_msgcat, DNS_RESULT_RCODERESULTSET); if (result != ISC_R_SUCCESS) UNEXPECTED_ERROR(__FILE__, __LINE__, "isc_result_register() failed: %u", result); } static void initialize(void) { dns_lib_initmsgcat(); RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS); } const char * dns_result_totext(isc_result_t result) { initialize(); return (isc_result_totext(result)); } void dns_result_register(void) { initialize(); } dns_rcode_t dns_result_torcode(isc_result_t result) { dns_rcode_t rcode = dns_rcode_servfail; if (DNS_RESULT_ISRCODE(result)) { /* * Rcodes can't be bigger than 12 bits, which is why we * AND with 0xFFF instead of 0xFFFF. */ return ((dns_rcode_t)((result) & 0xFFF)); } /* * Try to supply an appropriate rcode. */ switch (result) { case ISC_R_SUCCESS: rcode = dns_rcode_noerror; break; case ISC_R_BADBASE64: case ISC_R_NOSPACE: case ISC_R_RANGE: case ISC_R_UNEXPECTEDEND: case DNS_R_BADAAAA: /* case DNS_R_BADBITSTRING: deprecated */ case DNS_R_BADCKSUM: case DNS_R_BADCLASS: case DNS_R_BADLABELTYPE: case DNS_R_BADPOINTER: case DNS_R_BADTTL: case DNS_R_BADZONE: /* case DNS_R_BITSTRINGTOOLONG: deprecated */ case DNS_R_EXTRADATA: case DNS_R_LABELTOOLONG: case DNS_R_NOREDATA: case DNS_R_SYNTAX: case DNS_R_TEXTTOOLONG: case DNS_R_TOOMANYHOPS: case DNS_R_TSIGERRORSET: case DNS_R_UNKNOWN: rcode = dns_rcode_formerr; break; case DNS_R_DISALLOWED: rcode = dns_rcode_refused; break; case DNS_R_TSIGVERIFYFAILURE: case DNS_R_CLOCKSKEW: rcode = dns_rcode_notauth; break; default: rcode = dns_rcode_servfail; } return (rcode); } Index: head/contrib/bind9/lib/dns/sdb.c =================================================================== --- head/contrib/bind9/lib/dns/sdb.c (revision 205291) +++ head/contrib/bind9/lib/dns/sdb.c (revision 205292) @@ -1,1556 +1,1558 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: sdb.c,v 1.66.48.3 2009/06/26 06:25:44 marka Exp $ */ +/* $Id: sdb.c,v 1.66.48.3.8.2 2010/02/25 10:57:12 tbox Exp $ */ /*! \file */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "rdatalist_p.h" struct dns_sdbimplementation { const dns_sdbmethods_t *methods; void *driverdata; unsigned int flags; isc_mem_t *mctx; isc_mutex_t driverlock; dns_dbimplementation_t *dbimp; }; struct dns_sdb { /* Unlocked */ dns_db_t common; char *zone; dns_sdbimplementation_t *implementation; void *dbdata; isc_mutex_t lock; /* Locked */ unsigned int references; }; struct dns_sdblookup { /* Unlocked */ unsigned int magic; dns_sdb_t *sdb; ISC_LIST(dns_rdatalist_t) lists; ISC_LIST(isc_buffer_t) buffers; dns_name_t *name; ISC_LINK(dns_sdblookup_t) link; isc_mutex_t lock; dns_rdatacallbacks_t callbacks; /* Locked */ unsigned int references; }; typedef struct dns_sdblookup dns_sdbnode_t; struct dns_sdballnodes { dns_dbiterator_t common; ISC_LIST(dns_sdbnode_t) nodelist; dns_sdbnode_t *current; dns_sdbnode_t *origin; }; typedef dns_sdballnodes_t sdb_dbiterator_t; typedef struct sdb_rdatasetiter { dns_rdatasetiter_t common; dns_rdatalist_t *current; } sdb_rdatasetiter_t; #define SDB_MAGIC ISC_MAGIC('S', 'D', 'B', '-') /*% * Note that "impmagic" is not the first four bytes of the struct, so * ISC_MAGIC_VALID cannot be used. */ #define VALID_SDB(sdb) ((sdb) != NULL && \ (sdb)->common.impmagic == SDB_MAGIC) #define SDBLOOKUP_MAGIC ISC_MAGIC('S','D','B','L') #define VALID_SDBLOOKUP(sdbl) ISC_MAGIC_VALID(sdbl, SDBLOOKUP_MAGIC) #define VALID_SDBNODE(sdbn) VALID_SDBLOOKUP(sdbn) /* These values are taken from RFC1537 */ #define SDB_DEFAULT_REFRESH (60 * 60 * 8) #define SDB_DEFAULT_RETRY (60 * 60 * 2) #define SDB_DEFAULT_EXPIRE (60 * 60 * 24 * 7) #define SDB_DEFAULT_MINIMUM (60 * 60 * 24) /* This is a reasonable value */ #define SDB_DEFAULT_TTL (60 * 60 * 24) #ifdef __COVERITY__ #define MAYBE_LOCK(sdb) LOCK(&sdb->implementation->driverlock) #define MAYBE_UNLOCK(sdb) UNLOCK(&sdb->implementation->driverlock) #else #define MAYBE_LOCK(sdb) \ do { \ unsigned int flags = sdb->implementation->flags; \ if ((flags & DNS_SDBFLAG_THREADSAFE) == 0) \ LOCK(&sdb->implementation->driverlock); \ } while (0) #define MAYBE_UNLOCK(sdb) \ do { \ unsigned int flags = sdb->implementation->flags; \ if ((flags & DNS_SDBFLAG_THREADSAFE) == 0) \ UNLOCK(&sdb->implementation->driverlock); \ } while (0) #endif static int dummy; static isc_result_t dns_sdb_create(isc_mem_t *mctx, dns_name_t *origin, dns_dbtype_t type, dns_rdataclass_t rdclass, unsigned int argc, char *argv[], void *driverarg, dns_db_t **dbp); static isc_result_t findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, dns_rdatatype_t type, dns_rdatatype_t covers, isc_stdtime_t now, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset); static isc_result_t createnode(dns_sdb_t *sdb, dns_sdbnode_t **nodep); static void destroynode(dns_sdbnode_t *node); static void detachnode(dns_db_t *db, dns_dbnode_t **targetp); static void list_tordataset(dns_rdatalist_t *rdatalist, dns_db_t *db, dns_dbnode_t *node, dns_rdataset_t *rdataset); static void dbiterator_destroy(dns_dbiterator_t **iteratorp); static isc_result_t dbiterator_first(dns_dbiterator_t *iterator); static isc_result_t dbiterator_last(dns_dbiterator_t *iterator); static isc_result_t dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name); static isc_result_t dbiterator_prev(dns_dbiterator_t *iterator); static isc_result_t dbiterator_next(dns_dbiterator_t *iterator); static isc_result_t dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep, dns_name_t *name); static isc_result_t dbiterator_pause(dns_dbiterator_t *iterator); static isc_result_t dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name); static dns_dbiteratormethods_t dbiterator_methods = { dbiterator_destroy, dbiterator_first, dbiterator_last, dbiterator_seek, dbiterator_prev, dbiterator_next, dbiterator_current, dbiterator_pause, dbiterator_origin }; static void rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp); static isc_result_t rdatasetiter_first(dns_rdatasetiter_t *iterator); static isc_result_t rdatasetiter_next(dns_rdatasetiter_t *iterator); static void rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset); static dns_rdatasetitermethods_t rdatasetiter_methods = { rdatasetiter_destroy, rdatasetiter_first, rdatasetiter_next, rdatasetiter_current }; /* * Functions used by implementors of simple databases */ isc_result_t dns_sdb_register(const char *drivername, const dns_sdbmethods_t *methods, void *driverdata, unsigned int flags, isc_mem_t *mctx, dns_sdbimplementation_t **sdbimp) { dns_sdbimplementation_t *imp; isc_result_t result; REQUIRE(drivername != NULL); REQUIRE(methods != NULL); REQUIRE(methods->lookup != NULL); REQUIRE(mctx != NULL); REQUIRE(sdbimp != NULL && *sdbimp == NULL); REQUIRE((flags & ~(DNS_SDBFLAG_RELATIVEOWNER | DNS_SDBFLAG_RELATIVERDATA | DNS_SDBFLAG_THREADSAFE)) == 0); imp = isc_mem_get(mctx, sizeof(dns_sdbimplementation_t)); if (imp == NULL) return (ISC_R_NOMEMORY); imp->methods = methods; imp->driverdata = driverdata; imp->flags = flags; imp->mctx = NULL; isc_mem_attach(mctx, &imp->mctx); result = isc_mutex_init(&imp->driverlock); if (result != ISC_R_SUCCESS) goto cleanup_mctx; imp->dbimp = NULL; result = dns_db_register(drivername, dns_sdb_create, imp, mctx, &imp->dbimp); if (result != ISC_R_SUCCESS) goto cleanup_mutex; *sdbimp = imp; return (ISC_R_SUCCESS); cleanup_mutex: DESTROYLOCK(&imp->driverlock); cleanup_mctx: isc_mem_put(mctx, imp, sizeof(dns_sdbimplementation_t)); return (result); } void dns_sdb_unregister(dns_sdbimplementation_t **sdbimp) { dns_sdbimplementation_t *imp; isc_mem_t *mctx; REQUIRE(sdbimp != NULL && *sdbimp != NULL); imp = *sdbimp; dns_db_unregister(&imp->dbimp); DESTROYLOCK(&imp->driverlock); mctx = imp->mctx; isc_mem_put(mctx, imp, sizeof(dns_sdbimplementation_t)); isc_mem_detach(&mctx); *sdbimp = NULL; } static inline unsigned int initial_size(unsigned int len) { unsigned int size; for (size = 1024; size < (64 * 1024); size *= 2) if (len < size) return (size); return (65535); } isc_result_t dns_sdb_putrdata(dns_sdblookup_t *lookup, dns_rdatatype_t typeval, dns_ttl_t ttl, const unsigned char *rdatap, unsigned int rdlen) { dns_rdatalist_t *rdatalist; dns_rdata_t *rdata; isc_buffer_t *rdatabuf = NULL; isc_result_t result; isc_mem_t *mctx; isc_region_t region; mctx = lookup->sdb->common.mctx; rdatalist = ISC_LIST_HEAD(lookup->lists); while (rdatalist != NULL) { if (rdatalist->type == typeval) break; rdatalist = ISC_LIST_NEXT(rdatalist, link); } if (rdatalist == NULL) { rdatalist = isc_mem_get(mctx, sizeof(dns_rdatalist_t)); if (rdatalist == NULL) return (ISC_R_NOMEMORY); rdatalist->rdclass = lookup->sdb->common.rdclass; rdatalist->type = typeval; rdatalist->covers = 0; rdatalist->ttl = ttl; ISC_LIST_INIT(rdatalist->rdata); ISC_LINK_INIT(rdatalist, link); ISC_LIST_APPEND(lookup->lists, rdatalist, link); } else if (rdatalist->ttl != ttl) return (DNS_R_BADTTL); rdata = isc_mem_get(mctx, sizeof(dns_rdata_t)); if (rdata == NULL) return (ISC_R_NOMEMORY); result = isc_buffer_allocate(mctx, &rdatabuf, rdlen); if (result != ISC_R_SUCCESS) goto failure; DE_CONST(rdatap, region.base); region.length = rdlen; isc_buffer_copyregion(rdatabuf, ®ion); isc_buffer_usedregion(rdatabuf, ®ion); dns_rdata_init(rdata); dns_rdata_fromregion(rdata, rdatalist->rdclass, rdatalist->type, ®ion); ISC_LIST_APPEND(rdatalist->rdata, rdata, link); ISC_LIST_APPEND(lookup->buffers, rdatabuf, link); rdata = NULL; failure: if (rdata != NULL) isc_mem_put(mctx, rdata, sizeof(dns_rdata_t)); return (result); } isc_result_t dns_sdb_putrr(dns_sdblookup_t *lookup, const char *type, dns_ttl_t ttl, const char *data) { unsigned int datalen; dns_rdatatype_t typeval; isc_textregion_t r; isc_lex_t *lex = NULL; isc_result_t result; unsigned char *p = NULL; unsigned int size = 0; /* Init to suppress compiler warning */ isc_mem_t *mctx; dns_sdbimplementation_t *imp; dns_name_t *origin; isc_buffer_t b; isc_buffer_t rb; REQUIRE(VALID_SDBLOOKUP(lookup)); REQUIRE(type != NULL); REQUIRE(data != NULL); mctx = lookup->sdb->common.mctx; DE_CONST(type, r.base); r.length = strlen(type); result = dns_rdatatype_fromtext(&typeval, &r); if (result != ISC_R_SUCCESS) return (result); imp = lookup->sdb->implementation; if ((imp->flags & DNS_SDBFLAG_RELATIVERDATA) != 0) origin = &lookup->sdb->common.origin; else origin = dns_rootname; result = isc_lex_create(mctx, 64, &lex); if (result != ISC_R_SUCCESS) goto failure; datalen = strlen(data); size = initial_size(datalen); do { isc_buffer_init(&b, data, datalen); isc_buffer_add(&b, datalen); result = isc_lex_openbuffer(lex, &b); if (result != ISC_R_SUCCESS) goto failure; if (size >= 65535) size = 65535; p = isc_mem_get(mctx, size); if (p == NULL) { result = ISC_R_NOMEMORY; goto failure; } isc_buffer_init(&rb, p, size); result = dns_rdata_fromtext(NULL, lookup->sdb->common.rdclass, typeval, lex, origin, 0, mctx, &rb, &lookup->callbacks); if (result != ISC_R_NOSPACE) break; /* * Is the RR too big? */ if (size >= 65535) break; isc_mem_put(mctx, p, size); p = NULL; size *= 2; } while (result == ISC_R_NOSPACE); if (result != ISC_R_SUCCESS) goto failure; result = dns_sdb_putrdata(lookup, typeval, ttl, isc_buffer_base(&rb), isc_buffer_usedlength(&rb)); failure: if (p != NULL) isc_mem_put(mctx, p, size); if (lex != NULL) isc_lex_destroy(&lex); return (result); } static isc_result_t getnode(dns_sdballnodes_t *allnodes, const char *name, dns_sdbnode_t **nodep) { dns_name_t *newname, *origin; dns_fixedname_t fnewname; dns_sdb_t *sdb = (dns_sdb_t *)allnodes->common.db; dns_sdbimplementation_t *imp = sdb->implementation; dns_sdbnode_t *sdbnode; isc_mem_t *mctx = sdb->common.mctx; isc_buffer_t b; isc_result_t result; dns_fixedname_init(&fnewname); newname = dns_fixedname_name(&fnewname); if ((imp->flags & DNS_SDBFLAG_RELATIVERDATA) != 0) origin = &sdb->common.origin; else origin = dns_rootname; isc_buffer_init(&b, name, strlen(name)); isc_buffer_add(&b, strlen(name)); result = dns_name_fromtext(newname, &b, origin, ISC_FALSE, NULL); if (result != ISC_R_SUCCESS) return (result); if (allnodes->common.relative_names) { /* All names are relative to the root */ unsigned int nlabels = dns_name_countlabels(newname); dns_name_getlabelsequence(newname, 0, nlabels - 1, newname); } sdbnode = ISC_LIST_HEAD(allnodes->nodelist); if (sdbnode == NULL || !dns_name_equal(sdbnode->name, newname)) { sdbnode = NULL; result = createnode(sdb, &sdbnode); if (result != ISC_R_SUCCESS) return (result); sdbnode->name = isc_mem_get(mctx, sizeof(dns_name_t)); if (sdbnode->name == NULL) { destroynode(sdbnode); return (ISC_R_NOMEMORY); } dns_name_init(sdbnode->name, NULL); result = dns_name_dup(newname, mctx, sdbnode->name); if (result != ISC_R_SUCCESS) { isc_mem_put(mctx, sdbnode->name, sizeof(dns_name_t)); destroynode(sdbnode); return (result); } ISC_LIST_PREPEND(allnodes->nodelist, sdbnode, link); if (allnodes->origin == NULL && dns_name_equal(newname, &sdb->common.origin)) allnodes->origin = sdbnode; } *nodep = sdbnode; return (ISC_R_SUCCESS); } isc_result_t dns_sdb_putnamedrr(dns_sdballnodes_t *allnodes, const char *name, const char *type, dns_ttl_t ttl, const char *data) { isc_result_t result; dns_sdbnode_t *sdbnode = NULL; result = getnode(allnodes, name, &sdbnode); if (result != ISC_R_SUCCESS) return (result); return (dns_sdb_putrr(sdbnode, type, ttl, data)); } isc_result_t dns_sdb_putnamedrdata(dns_sdballnodes_t *allnodes, const char *name, dns_rdatatype_t type, dns_ttl_t ttl, const void *rdata, unsigned int rdlen) { isc_result_t result; dns_sdbnode_t *sdbnode = NULL; result = getnode(allnodes, name, &sdbnode); if (result != ISC_R_SUCCESS) return (result); return (dns_sdb_putrdata(sdbnode, type, ttl, rdata, rdlen)); } isc_result_t dns_sdb_putsoa(dns_sdblookup_t *lookup, const char *mname, const char *rname, isc_uint32_t serial) { char str[2 * DNS_NAME_MAXTEXT + 5 * (sizeof("2147483647")) + 7]; int n; REQUIRE(mname != NULL); REQUIRE(rname != NULL); n = snprintf(str, sizeof(str), "%s %s %u %u %u %u %u", mname, rname, serial, SDB_DEFAULT_REFRESH, SDB_DEFAULT_RETRY, SDB_DEFAULT_EXPIRE, SDB_DEFAULT_MINIMUM); if (n >= (int)sizeof(str) || n < 0) return (ISC_R_NOSPACE); return (dns_sdb_putrr(lookup, "SOA", SDB_DEFAULT_TTL, str)); } /* * DB routines */ static void attach(dns_db_t *source, dns_db_t **targetp) { dns_sdb_t *sdb = (dns_sdb_t *) source; REQUIRE(VALID_SDB(sdb)); LOCK(&sdb->lock); REQUIRE(sdb->references > 0); sdb->references++; UNLOCK(&sdb->lock); *targetp = source; } static void destroy(dns_sdb_t *sdb) { isc_mem_t *mctx; dns_sdbimplementation_t *imp = sdb->implementation; mctx = sdb->common.mctx; if (imp->methods->destroy != NULL) { MAYBE_LOCK(sdb); imp->methods->destroy(sdb->zone, imp->driverdata, &sdb->dbdata); MAYBE_UNLOCK(sdb); } isc_mem_free(mctx, sdb->zone); DESTROYLOCK(&sdb->lock); sdb->common.magic = 0; sdb->common.impmagic = 0; dns_name_free(&sdb->common.origin, mctx); isc_mem_put(mctx, sdb, sizeof(dns_sdb_t)); isc_mem_detach(&mctx); } static void detach(dns_db_t **dbp) { dns_sdb_t *sdb = (dns_sdb_t *)(*dbp); isc_boolean_t need_destroy = ISC_FALSE; REQUIRE(VALID_SDB(sdb)); LOCK(&sdb->lock); REQUIRE(sdb->references > 0); sdb->references--; if (sdb->references == 0) need_destroy = ISC_TRUE; UNLOCK(&sdb->lock); if (need_destroy) destroy(sdb); *dbp = NULL; } static isc_result_t beginload(dns_db_t *db, dns_addrdatasetfunc_t *addp, dns_dbload_t **dbloadp) { UNUSED(db); UNUSED(addp); UNUSED(dbloadp); return (ISC_R_NOTIMPLEMENTED); } static isc_result_t endload(dns_db_t *db, dns_dbload_t **dbloadp) { UNUSED(db); UNUSED(dbloadp); return (ISC_R_NOTIMPLEMENTED); } static isc_result_t dump(dns_db_t *db, dns_dbversion_t *version, const char *filename, dns_masterformat_t masterformat) { UNUSED(db); UNUSED(version); UNUSED(filename); UNUSED(masterformat); return (ISC_R_NOTIMPLEMENTED); } static void currentversion(dns_db_t *db, dns_dbversion_t **versionp) { REQUIRE(versionp != NULL && *versionp == NULL); UNUSED(db); *versionp = (void *) &dummy; return; } static isc_result_t newversion(dns_db_t *db, dns_dbversion_t **versionp) { UNUSED(db); UNUSED(versionp); return (ISC_R_NOTIMPLEMENTED); } static void attachversion(dns_db_t *db, dns_dbversion_t *source, dns_dbversion_t **targetp) { REQUIRE(source != NULL && source == (void *) &dummy); REQUIRE(targetp != NULL && *targetp == NULL); UNUSED(db); *targetp = source; return; } static void closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) { REQUIRE(versionp != NULL && *versionp == (void *) &dummy); REQUIRE(commit == ISC_FALSE); UNUSED(db); UNUSED(commit); *versionp = NULL; } static isc_result_t createnode(dns_sdb_t *sdb, dns_sdbnode_t **nodep) { dns_sdbnode_t *node; isc_result_t result; node = isc_mem_get(sdb->common.mctx, sizeof(dns_sdbnode_t)); if (node == NULL) return (ISC_R_NOMEMORY); node->sdb = NULL; attach((dns_db_t *)sdb, (dns_db_t **)&node->sdb); ISC_LIST_INIT(node->lists); ISC_LIST_INIT(node->buffers); ISC_LINK_INIT(node, link); node->name = NULL; result = isc_mutex_init(&node->lock); if (result != ISC_R_SUCCESS) { isc_mem_put(sdb->common.mctx, node, sizeof(dns_sdbnode_t)); return (result); } dns_rdatacallbacks_init(&node->callbacks); node->references = 1; node->magic = SDBLOOKUP_MAGIC; *nodep = node; return (ISC_R_SUCCESS); } static void destroynode(dns_sdbnode_t *node) { dns_rdatalist_t *list; dns_rdata_t *rdata; isc_buffer_t *b; dns_sdb_t *sdb; isc_mem_t *mctx; sdb = node->sdb; mctx = sdb->common.mctx; while (!ISC_LIST_EMPTY(node->lists)) { list = ISC_LIST_HEAD(node->lists); while (!ISC_LIST_EMPTY(list->rdata)) { rdata = ISC_LIST_HEAD(list->rdata); ISC_LIST_UNLINK(list->rdata, rdata, link); isc_mem_put(mctx, rdata, sizeof(dns_rdata_t)); } ISC_LIST_UNLINK(node->lists, list, link); isc_mem_put(mctx, list, sizeof(dns_rdatalist_t)); } while (!ISC_LIST_EMPTY(node->buffers)) { b = ISC_LIST_HEAD(node->buffers); ISC_LIST_UNLINK(node->buffers, b, link); isc_buffer_free(&b); } if (node->name != NULL) { dns_name_free(node->name, mctx); isc_mem_put(mctx, node->name, sizeof(dns_name_t)); } DESTROYLOCK(&node->lock); node->magic = 0; isc_mem_put(mctx, node, sizeof(dns_sdbnode_t)); detach((dns_db_t **) (void *)&sdb); } static isc_result_t findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create, dns_dbnode_t **nodep) { dns_sdb_t *sdb = (dns_sdb_t *)db; dns_sdbnode_t *node = NULL; isc_result_t result; isc_buffer_t b; char namestr[DNS_NAME_MAXTEXT + 1]; isc_boolean_t isorigin; dns_sdbimplementation_t *imp; REQUIRE(VALID_SDB(sdb)); REQUIRE(create == ISC_FALSE); REQUIRE(nodep != NULL && *nodep == NULL); UNUSED(name); UNUSED(create); imp = sdb->implementation; isc_buffer_init(&b, namestr, sizeof(namestr)); if ((imp->flags & DNS_SDBFLAG_RELATIVEOWNER) != 0) { dns_name_t relname; unsigned int labels; labels = dns_name_countlabels(name) - dns_name_countlabels(&db->origin); dns_name_init(&relname, NULL); dns_name_getlabelsequence(name, 0, labels, &relname); result = dns_name_totext(&relname, ISC_TRUE, &b); if (result != ISC_R_SUCCESS) return (result); } else { result = dns_name_totext(name, ISC_TRUE, &b); if (result != ISC_R_SUCCESS) return (result); } isc_buffer_putuint8(&b, 0); result = createnode(sdb, &node); if (result != ISC_R_SUCCESS) return (result); isorigin = dns_name_equal(name, &sdb->common.origin); MAYBE_LOCK(sdb); result = imp->methods->lookup(sdb->zone, namestr, sdb->dbdata, node); MAYBE_UNLOCK(sdb); if (result != ISC_R_SUCCESS && !(result == ISC_R_NOTFOUND && isorigin && imp->methods->authority != NULL)) { destroynode(node); return (result); } if (isorigin && imp->methods->authority != NULL) { MAYBE_LOCK(sdb); result = imp->methods->authority(sdb->zone, sdb->dbdata, node); MAYBE_UNLOCK(sdb); if (result != ISC_R_SUCCESS) { destroynode(node); return (result); } } *nodep = node; return (ISC_R_SUCCESS); } static isc_result_t find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, dns_rdatatype_t type, unsigned int options, isc_stdtime_t now, dns_dbnode_t **nodep, dns_name_t *foundname, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { dns_sdb_t *sdb = (dns_sdb_t *)db; dns_dbnode_t *node = NULL; dns_fixedname_t fname; dns_rdataset_t xrdataset; dns_name_t *xname; unsigned int nlabels, olabels; isc_result_t result; unsigned int i; REQUIRE(VALID_SDB(sdb)); REQUIRE(nodep == NULL || *nodep == NULL); REQUIRE(version == NULL || version == (void *) &dummy); UNUSED(options); UNUSED(sdb); if (!dns_name_issubdomain(name, &db->origin)) return (DNS_R_NXDOMAIN); olabels = dns_name_countlabels(&db->origin); nlabels = dns_name_countlabels(name); dns_fixedname_init(&fname); xname = dns_fixedname_name(&fname); if (rdataset == NULL) { dns_rdataset_init(&xrdataset); rdataset = &xrdataset; } result = DNS_R_NXDOMAIN; for (i = olabels; i <= nlabels; i++) { /* * Unless this is an explicit lookup at the origin, don't * look at the origin. */ if (i == olabels && i != nlabels) continue; /* * Look up the next label. */ dns_name_getlabelsequence(name, nlabels - i, i, xname); result = findnode(db, xname, ISC_FALSE, &node); if (result != ISC_R_SUCCESS) { result = DNS_R_NXDOMAIN; continue; } /* * Look for a DNAME at the current label, unless this is * the qname. */ if (i < nlabels) { result = findrdataset(db, node, version, dns_rdatatype_dname, 0, now, rdataset, sigrdataset); if (result == ISC_R_SUCCESS) { result = DNS_R_DNAME; break; } } /* * Look for an NS at the current label, unless this is the * origin or glue is ok. */ if (i != olabels && (options & DNS_DBFIND_GLUEOK) == 0) { result = findrdataset(db, node, version, dns_rdatatype_ns, 0, now, rdataset, sigrdataset); if (result == ISC_R_SUCCESS) { if (i == nlabels && type == dns_rdatatype_any) { result = DNS_R_ZONECUT; dns_rdataset_disassociate(rdataset); if (sigrdataset != NULL && dns_rdataset_isassociated (sigrdataset)) { dns_rdataset_disassociate (sigrdataset); } } else result = DNS_R_DELEGATION; break; } } /* * If the current name is not the qname, add another label * and try again. */ if (i < nlabels) { destroynode(node); node = NULL; continue; } /* * If we're looking for ANY, we're done. */ if (type == dns_rdatatype_any) { result = ISC_R_SUCCESS; break; } /* * Look for the qtype. */ result = findrdataset(db, node, version, type, 0, now, rdataset, sigrdataset); if (result == ISC_R_SUCCESS) break; /* * Look for a CNAME */ if (type != dns_rdatatype_cname) { result = findrdataset(db, node, version, dns_rdatatype_cname, 0, now, rdataset, sigrdataset); if (result == ISC_R_SUCCESS) { result = DNS_R_CNAME; break; } } result = DNS_R_NXRRSET; break; } if (rdataset == &xrdataset && dns_rdataset_isassociated(rdataset)) dns_rdataset_disassociate(rdataset); if (foundname != NULL) { isc_result_t xresult; xresult = dns_name_copy(xname, foundname, NULL); if (xresult != ISC_R_SUCCESS) { if (node != NULL) destroynode(node); if (dns_rdataset_isassociated(rdataset)) dns_rdataset_disassociate(rdataset); return (DNS_R_BADDB); } } if (nodep != NULL) *nodep = node; else if (node != NULL) detachnode(db, &node); return (result); } static isc_result_t findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options, isc_stdtime_t now, dns_dbnode_t **nodep, dns_name_t *foundname, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { UNUSED(db); UNUSED(name); UNUSED(options); UNUSED(now); UNUSED(nodep); UNUSED(foundname); UNUSED(rdataset); UNUSED(sigrdataset); return (ISC_R_NOTIMPLEMENTED); } static void attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp) { dns_sdb_t *sdb = (dns_sdb_t *)db; dns_sdbnode_t *node = (dns_sdbnode_t *)source; REQUIRE(VALID_SDB(sdb)); UNUSED(sdb); LOCK(&node->lock); INSIST(node->references > 0); node->references++; INSIST(node->references != 0); /* Catch overflow. */ UNLOCK(&node->lock); *targetp = source; } static void detachnode(dns_db_t *db, dns_dbnode_t **targetp) { dns_sdb_t *sdb = (dns_sdb_t *)db; dns_sdbnode_t *node; isc_boolean_t need_destroy = ISC_FALSE; REQUIRE(VALID_SDB(sdb)); REQUIRE(targetp != NULL && *targetp != NULL); UNUSED(sdb); node = (dns_sdbnode_t *)(*targetp); LOCK(&node->lock); INSIST(node->references > 0); node->references--; if (node->references == 0) need_destroy = ISC_TRUE; UNLOCK(&node->lock); if (need_destroy) destroynode(node); *targetp = NULL; } static isc_result_t expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) { UNUSED(db); UNUSED(node); UNUSED(now); INSIST(0); return (ISC_R_UNEXPECTED); } static void printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out) { UNUSED(db); UNUSED(node); UNUSED(out); return; } static isc_result_t createiterator(dns_db_t *db, unsigned int options, dns_dbiterator_t **iteratorp) { dns_sdb_t *sdb = (dns_sdb_t *)db; sdb_dbiterator_t *sdbiter; dns_sdbimplementation_t *imp = sdb->implementation; isc_result_t result; REQUIRE(VALID_SDB(sdb)); if (imp->methods->allnodes == NULL) return (ISC_R_NOTIMPLEMENTED); if ((options & DNS_DB_NSEC3ONLY) != 0 || (options & DNS_DB_NONSEC3) != 0) return (ISC_R_NOTIMPLEMENTED); sdbiter = isc_mem_get(sdb->common.mctx, sizeof(sdb_dbiterator_t)); if (sdbiter == NULL) return (ISC_R_NOMEMORY); sdbiter->common.methods = &dbiterator_methods; sdbiter->common.db = NULL; dns_db_attach(db, &sdbiter->common.db); sdbiter->common.relative_names = ISC_TF(options & DNS_DB_RELATIVENAMES); sdbiter->common.magic = DNS_DBITERATOR_MAGIC; ISC_LIST_INIT(sdbiter->nodelist); sdbiter->current = NULL; sdbiter->origin = NULL; MAYBE_LOCK(sdb); result = imp->methods->allnodes(sdb->zone, sdb->dbdata, sdbiter); MAYBE_UNLOCK(sdb); if (result != ISC_R_SUCCESS) { dbiterator_destroy((dns_dbiterator_t **) (void *)&sdbiter); return (result); } if (sdbiter->origin != NULL) { ISC_LIST_UNLINK(sdbiter->nodelist, sdbiter->origin, link); ISC_LIST_PREPEND(sdbiter->nodelist, sdbiter->origin, link); } *iteratorp = (dns_dbiterator_t *)sdbiter; return (ISC_R_SUCCESS); } static isc_result_t findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, dns_rdatatype_t type, dns_rdatatype_t covers, isc_stdtime_t now, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { dns_rdatalist_t *list; dns_sdbnode_t *sdbnode = (dns_sdbnode_t *)node; REQUIRE(VALID_SDBNODE(node)); UNUSED(db); UNUSED(version); UNUSED(covers); UNUSED(now); UNUSED(sigrdataset); if (type == dns_rdatatype_rrsig) return (ISC_R_NOTIMPLEMENTED); list = ISC_LIST_HEAD(sdbnode->lists); while (list != NULL) { if (list->type == type) break; list = ISC_LIST_NEXT(list, link); } if (list == NULL) return (ISC_R_NOTFOUND); list_tordataset(list, db, node, rdataset); return (ISC_R_SUCCESS); } static isc_result_t allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, isc_stdtime_t now, dns_rdatasetiter_t **iteratorp) { sdb_rdatasetiter_t *iterator; REQUIRE(version == NULL || version == &dummy); UNUSED(version); UNUSED(now); iterator = isc_mem_get(db->mctx, sizeof(sdb_rdatasetiter_t)); if (iterator == NULL) return (ISC_R_NOMEMORY); iterator->common.magic = DNS_RDATASETITER_MAGIC; iterator->common.methods = &rdatasetiter_methods; iterator->common.db = db; iterator->common.node = NULL; attachnode(db, node, &iterator->common.node); iterator->common.version = version; iterator->common.now = now; *iteratorp = (dns_rdatasetiter_t *)iterator; return (ISC_R_SUCCESS); } static isc_result_t addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options, dns_rdataset_t *addedrdataset) { UNUSED(db); UNUSED(node); UNUSED(version); UNUSED(now); UNUSED(rdataset); UNUSED(options); UNUSED(addedrdataset); return (ISC_R_NOTIMPLEMENTED); } static isc_result_t subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, dns_rdataset_t *rdataset, unsigned int options, dns_rdataset_t *newrdataset) { UNUSED(db); UNUSED(node); UNUSED(version); UNUSED(rdataset); UNUSED(options); UNUSED(newrdataset); return (ISC_R_NOTIMPLEMENTED); } static isc_result_t deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, dns_rdatatype_t type, dns_rdatatype_t covers) { UNUSED(db); UNUSED(node); UNUSED(version); UNUSED(type); UNUSED(covers); return (ISC_R_NOTIMPLEMENTED); } static isc_boolean_t issecure(dns_db_t *db) { UNUSED(db); return (ISC_FALSE); } static unsigned int nodecount(dns_db_t *db) { UNUSED(db); return (0); } static isc_boolean_t ispersistent(dns_db_t *db) { UNUSED(db); return (ISC_TRUE); } static void overmem(dns_db_t *db, isc_boolean_t overmem) { UNUSED(db); UNUSED(overmem); } static void settask(dns_db_t *db, isc_task_t *task) { UNUSED(db); UNUSED(task); } static dns_dbmethods_t sdb_methods = { attach, detach, beginload, endload, dump, currentversion, newversion, attachversion, closeversion, findnode, find, findzonecut, attachnode, detachnode, expirenode, printnode, createiterator, findrdataset, allrdatasets, addrdataset, subtractrdataset, deleterdataset, issecure, nodecount, ispersistent, overmem, settask, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }; static isc_result_t dns_sdb_create(isc_mem_t *mctx, dns_name_t *origin, dns_dbtype_t type, dns_rdataclass_t rdclass, unsigned int argc, char *argv[], void *driverarg, dns_db_t **dbp) { dns_sdb_t *sdb; isc_result_t result; char zonestr[DNS_NAME_MAXTEXT + 1]; isc_buffer_t b; dns_sdbimplementation_t *imp; REQUIRE(driverarg != NULL); imp = driverarg; if (type != dns_dbtype_zone) return (ISC_R_NOTIMPLEMENTED); sdb = isc_mem_get(mctx, sizeof(dns_sdb_t)); if (sdb == NULL) return (ISC_R_NOMEMORY); memset(sdb, 0, sizeof(dns_sdb_t)); dns_name_init(&sdb->common.origin, NULL); sdb->common.attributes = 0; sdb->common.methods = &sdb_methods; sdb->common.rdclass = rdclass; sdb->common.mctx = NULL; sdb->implementation = imp; isc_mem_attach(mctx, &sdb->common.mctx); result = isc_mutex_init(&sdb->lock); if (result != ISC_R_SUCCESS) goto cleanup_mctx; result = dns_name_dupwithoffsets(origin, mctx, &sdb->common.origin); if (result != ISC_R_SUCCESS) goto cleanup_lock; isc_buffer_init(&b, zonestr, sizeof(zonestr)); result = dns_name_totext(origin, ISC_TRUE, &b); if (result != ISC_R_SUCCESS) goto cleanup_origin; isc_buffer_putuint8(&b, 0); sdb->zone = isc_mem_strdup(mctx, zonestr); if (sdb->zone == NULL) { result = ISC_R_NOMEMORY; goto cleanup_origin; } sdb->dbdata = NULL; if (imp->methods->create != NULL) { MAYBE_LOCK(sdb); result = imp->methods->create(sdb->zone, argc, argv, imp->driverdata, &sdb->dbdata); MAYBE_UNLOCK(sdb); if (result != ISC_R_SUCCESS) goto cleanup_zonestr; } sdb->references = 1; sdb->common.magic = DNS_DB_MAGIC; sdb->common.impmagic = SDB_MAGIC; *dbp = (dns_db_t *)sdb; return (ISC_R_SUCCESS); cleanup_zonestr: isc_mem_free(mctx, sdb->zone); cleanup_origin: dns_name_free(&sdb->common.origin, mctx); cleanup_lock: isc_mutex_destroy(&sdb->lock); cleanup_mctx: isc_mem_put(mctx, sdb, sizeof(dns_sdb_t)); isc_mem_detach(&mctx); return (result); } /* * Rdataset Methods */ static void disassociate(dns_rdataset_t *rdataset) { dns_dbnode_t *node = rdataset->private5; dns_sdbnode_t *sdbnode = (dns_sdbnode_t *) node; dns_db_t *db = (dns_db_t *) sdbnode->sdb; detachnode(db, &node); isc__rdatalist_disassociate(rdataset); } static void rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) { dns_dbnode_t *node = source->private5; dns_sdbnode_t *sdbnode = (dns_sdbnode_t *) node; dns_db_t *db = (dns_db_t *) sdbnode->sdb; dns_dbnode_t *tempdb = NULL; isc__rdatalist_clone(source, target); attachnode(db, node, &tempdb); source->private5 = tempdb; } static dns_rdatasetmethods_t methods = { disassociate, isc__rdatalist_first, isc__rdatalist_next, isc__rdatalist_current, rdataset_clone, isc__rdatalist_count, isc__rdatalist_addnoqname, isc__rdatalist_getnoqname, + NULL, + NULL, NULL, NULL, NULL, NULL, NULL }; static void list_tordataset(dns_rdatalist_t *rdatalist, dns_db_t *db, dns_dbnode_t *node, dns_rdataset_t *rdataset) { /* * The sdb rdataset is an rdatalist with some additions. * - private1 & private2 are used by the rdatalist. * - private3 & private 4 are unused. * - private5 is the node. */ /* This should never fail. */ RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset) == ISC_R_SUCCESS); rdataset->methods = &methods; dns_db_attachnode(db, node, &rdataset->private5); } /* * Database Iterator Methods */ static void dbiterator_destroy(dns_dbiterator_t **iteratorp) { sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)(*iteratorp); dns_sdb_t *sdb = (dns_sdb_t *)sdbiter->common.db; while (!ISC_LIST_EMPTY(sdbiter->nodelist)) { dns_sdbnode_t *node; node = ISC_LIST_HEAD(sdbiter->nodelist); ISC_LIST_UNLINK(sdbiter->nodelist, node, link); destroynode(node); } dns_db_detach(&sdbiter->common.db); isc_mem_put(sdb->common.mctx, sdbiter, sizeof(sdb_dbiterator_t)); *iteratorp = NULL; } static isc_result_t dbiterator_first(dns_dbiterator_t *iterator) { sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator; sdbiter->current = ISC_LIST_HEAD(sdbiter->nodelist); if (sdbiter->current == NULL) return (ISC_R_NOMORE); else return (ISC_R_SUCCESS); } static isc_result_t dbiterator_last(dns_dbiterator_t *iterator) { sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator; sdbiter->current = ISC_LIST_TAIL(sdbiter->nodelist); if (sdbiter->current == NULL) return (ISC_R_NOMORE); else return (ISC_R_SUCCESS); } static isc_result_t dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name) { sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator; sdbiter->current = ISC_LIST_HEAD(sdbiter->nodelist); while (sdbiter->current != NULL) { if (dns_name_equal(sdbiter->current->name, name)) return (ISC_R_SUCCESS); sdbiter->current = ISC_LIST_NEXT(sdbiter->current, link); } return (ISC_R_NOTFOUND); } static isc_result_t dbiterator_prev(dns_dbiterator_t *iterator) { sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator; sdbiter->current = ISC_LIST_PREV(sdbiter->current, link); if (sdbiter->current == NULL) return (ISC_R_NOMORE); else return (ISC_R_SUCCESS); } static isc_result_t dbiterator_next(dns_dbiterator_t *iterator) { sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator; sdbiter->current = ISC_LIST_NEXT(sdbiter->current, link); if (sdbiter->current == NULL) return (ISC_R_NOMORE); else return (ISC_R_SUCCESS); } static isc_result_t dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep, dns_name_t *name) { sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator; attachnode(iterator->db, sdbiter->current, nodep); if (name != NULL) return (dns_name_copy(sdbiter->current->name, name, NULL)); return (ISC_R_SUCCESS); } static isc_result_t dbiterator_pause(dns_dbiterator_t *iterator) { UNUSED(iterator); return (ISC_R_SUCCESS); } static isc_result_t dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name) { UNUSED(iterator); return (dns_name_copy(dns_rootname, name, NULL)); } /* * Rdataset Iterator Methods */ static void rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp) { sdb_rdatasetiter_t *sdbiterator = (sdb_rdatasetiter_t *)(*iteratorp); detachnode(sdbiterator->common.db, &sdbiterator->common.node); isc_mem_put(sdbiterator->common.db->mctx, sdbiterator, sizeof(sdb_rdatasetiter_t)); *iteratorp = NULL; } static isc_result_t rdatasetiter_first(dns_rdatasetiter_t *iterator) { sdb_rdatasetiter_t *sdbiterator = (sdb_rdatasetiter_t *)iterator; dns_sdbnode_t *sdbnode = (dns_sdbnode_t *)iterator->node; if (ISC_LIST_EMPTY(sdbnode->lists)) return (ISC_R_NOMORE); sdbiterator->current = ISC_LIST_HEAD(sdbnode->lists); return (ISC_R_SUCCESS); } static isc_result_t rdatasetiter_next(dns_rdatasetiter_t *iterator) { sdb_rdatasetiter_t *sdbiterator = (sdb_rdatasetiter_t *)iterator; sdbiterator->current = ISC_LIST_NEXT(sdbiterator->current, link); if (sdbiterator->current == NULL) return (ISC_R_NOMORE); else return (ISC_R_SUCCESS); } static void rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset) { sdb_rdatasetiter_t *sdbiterator = (sdb_rdatasetiter_t *)iterator; list_tordataset(sdbiterator->current, iterator->db, iterator->node, rdataset); } Index: head/contrib/bind9/lib/dns/sdlz.c =================================================================== --- head/contrib/bind9/lib/dns/sdlz.c (revision 205291) +++ head/contrib/bind9/lib/dns/sdlz.c (revision 205292) @@ -1,1804 +1,1806 @@ /* - * Portions Copyright (C) 2005-2009 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2005-2010 Internet Systems Consortium, Inc. ("ISC") * Portions Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR * PERFORMANCE OF THIS SOFTWARE. */ /* * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the * above copyright notice and this permission notice appear in all * copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL * STICHTING NLNET BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE * USE OR PERFORMANCE OF THIS SOFTWARE. * * The development of Dynamically Loadable Zones (DLZ) for Bind 9 was * conceived and contributed by Rob Butler. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the * above copyright notice and this permission notice appear in all * copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND ROB BUTLER * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL * ROB BUTLER BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE * USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: sdlz.c,v 1.18.50.3 2009/06/26 06:25:44 marka Exp $ */ +/* $Id: sdlz.c,v 1.18.50.3.8.2 2010/02/25 10:57:12 tbox Exp $ */ /*! \file */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "rdatalist_p.h" /* * Private Types */ struct dns_sdlzimplementation { const dns_sdlzmethods_t *methods; isc_mem_t *mctx; void *driverarg; unsigned int flags; isc_mutex_t driverlock; dns_dlzimplementation_t *dlz_imp; }; struct dns_sdlz_db { /* Unlocked */ dns_db_t common; void *dbdata; dns_sdlzimplementation_t *dlzimp; isc_mutex_t refcnt_lock; /* Locked */ unsigned int references; }; struct dns_sdlzlookup { /* Unlocked */ unsigned int magic; dns_sdlz_db_t *sdlz; ISC_LIST(dns_rdatalist_t) lists; ISC_LIST(isc_buffer_t) buffers; dns_name_t *name; ISC_LINK(dns_sdlzlookup_t) link; isc_mutex_t lock; dns_rdatacallbacks_t callbacks; /* Locked */ unsigned int references; }; typedef struct dns_sdlzlookup dns_sdlznode_t; struct dns_sdlzallnodes { dns_dbiterator_t common; ISC_LIST(dns_sdlznode_t) nodelist; dns_sdlznode_t *current; dns_sdlznode_t *origin; }; typedef dns_sdlzallnodes_t sdlz_dbiterator_t; typedef struct sdlz_rdatasetiter { dns_rdatasetiter_t common; dns_rdatalist_t *current; } sdlz_rdatasetiter_t; #define SDLZDB_MAGIC ISC_MAGIC('D', 'L', 'Z', 'S') /* * Note that "impmagic" is not the first four bytes of the struct, so * ISC_MAGIC_VALID cannot be used. */ #define VALID_SDLZDB(sdlzdb) ((sdlzdb) != NULL && \ (sdlzdb)->common.impmagic == SDLZDB_MAGIC) #define SDLZLOOKUP_MAGIC ISC_MAGIC('D','L','Z','L') #define VALID_SDLZLOOKUP(sdlzl) ISC_MAGIC_VALID(sdlzl, SDLZLOOKUP_MAGIC) #define VALID_SDLZNODE(sdlzn) VALID_SDLZLOOKUP(sdlzn) /* These values are taken from RFC 1537 */ #define SDLZ_DEFAULT_REFRESH (60 * 60 * 8) #define SDLZ_DEFAULT_RETRY (60 * 60 * 2) #define SDLZ_DEFAULT_EXPIRE (60 * 60 * 24 * 7) #define SDLZ_DEFAULT_MINIMUM (60 * 60 * 24) /* This is a reasonable value */ #define SDLZ_DEFAULT_TTL (60 * 60 * 24) static int dummy; #ifdef __COVERITY__ #define MAYBE_LOCK(imp) LOCK(&imp->driverlock) #define MAYBE_UNLOCK(imp) UNLOCK(&imp->driverlock) #else #define MAYBE_LOCK(imp) \ do { \ unsigned int flags = imp->flags; \ if ((flags & DNS_SDLZFLAG_THREADSAFE) == 0) \ LOCK(&imp->driverlock); \ } while (0) #define MAYBE_UNLOCK(imp) \ do { \ unsigned int flags = imp->flags; \ if ((flags & DNS_SDLZFLAG_THREADSAFE) == 0) \ UNLOCK(&imp->driverlock); \ } while (0) #endif /* * Forward references. Try to keep these to a minimum. */ static void list_tordataset(dns_rdatalist_t *rdatalist, dns_db_t *db, dns_dbnode_t *node, dns_rdataset_t *rdataset); static void detachnode(dns_db_t *db, dns_dbnode_t **targetp); static void dbiterator_destroy(dns_dbiterator_t **iteratorp); static isc_result_t dbiterator_first(dns_dbiterator_t *iterator); static isc_result_t dbiterator_last(dns_dbiterator_t *iterator); static isc_result_t dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name); static isc_result_t dbiterator_prev(dns_dbiterator_t *iterator); static isc_result_t dbiterator_next(dns_dbiterator_t *iterator); static isc_result_t dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep, dns_name_t *name); static isc_result_t dbiterator_pause(dns_dbiterator_t *iterator); static isc_result_t dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name); static dns_dbiteratormethods_t dbiterator_methods = { dbiterator_destroy, dbiterator_first, dbiterator_last, dbiterator_seek, dbiterator_prev, dbiterator_next, dbiterator_current, dbiterator_pause, dbiterator_origin }; /* * Utility functions */ /*% Converts the input string to lowercase, in place. */ static void dns_sdlz_tolower(char *str) { unsigned int len = strlen(str); unsigned int i; for (i = 0; i < len; i++) { if (str[i] >= 'A' && str[i] <= 'Z') str[i] += 32; } } static inline unsigned int initial_size(const char *data) { unsigned int len = (strlen(data) / 64) + 1; return (len * 64 + 64); } /* * Rdataset Iterator Methods. These methods were "borrowed" from the SDB * driver interface. See the SDB driver interface documentation for more info. */ static void rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp) { sdlz_rdatasetiter_t *sdlziterator = (sdlz_rdatasetiter_t *)(*iteratorp); detachnode(sdlziterator->common.db, &sdlziterator->common.node); isc_mem_put(sdlziterator->common.db->mctx, sdlziterator, sizeof(sdlz_rdatasetiter_t)); *iteratorp = NULL; } static isc_result_t rdatasetiter_first(dns_rdatasetiter_t *iterator) { sdlz_rdatasetiter_t *sdlziterator = (sdlz_rdatasetiter_t *)iterator; dns_sdlznode_t *sdlznode = (dns_sdlznode_t *)iterator->node; if (ISC_LIST_EMPTY(sdlznode->lists)) return (ISC_R_NOMORE); sdlziterator->current = ISC_LIST_HEAD(sdlznode->lists); return (ISC_R_SUCCESS); } static isc_result_t rdatasetiter_next(dns_rdatasetiter_t *iterator) { sdlz_rdatasetiter_t *sdlziterator = (sdlz_rdatasetiter_t *)iterator; sdlziterator->current = ISC_LIST_NEXT(sdlziterator->current, link); if (sdlziterator->current == NULL) return (ISC_R_NOMORE); else return (ISC_R_SUCCESS); } static void rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset) { sdlz_rdatasetiter_t *sdlziterator = (sdlz_rdatasetiter_t *)iterator; list_tordataset(sdlziterator->current, iterator->db, iterator->node, rdataset); } static dns_rdatasetitermethods_t rdatasetiter_methods = { rdatasetiter_destroy, rdatasetiter_first, rdatasetiter_next, rdatasetiter_current }; /* * DB routines. These methods were "borrowed" from the SDB driver interface. * See the SDB driver interface documentation for more info. */ static void attach(dns_db_t *source, dns_db_t **targetp) { dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *) source; REQUIRE(VALID_SDLZDB(sdlz)); LOCK(&sdlz->refcnt_lock); REQUIRE(sdlz->references > 0); sdlz->references++; UNLOCK(&sdlz->refcnt_lock); *targetp = source; } static void destroy(dns_sdlz_db_t *sdlz) { isc_mem_t *mctx; mctx = sdlz->common.mctx; sdlz->common.magic = 0; sdlz->common.impmagic = 0; isc_mutex_destroy(&sdlz->refcnt_lock); dns_name_free(&sdlz->common.origin, mctx); isc_mem_put(mctx, sdlz, sizeof(dns_sdlz_db_t)); isc_mem_detach(&mctx); } static void detach(dns_db_t **dbp) { dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)(*dbp); isc_boolean_t need_destroy = ISC_FALSE; REQUIRE(VALID_SDLZDB(sdlz)); LOCK(&sdlz->refcnt_lock); REQUIRE(sdlz->references > 0); sdlz->references--; if (sdlz->references == 0) need_destroy = ISC_TRUE; UNLOCK(&sdlz->refcnt_lock); if (need_destroy) destroy(sdlz); *dbp = NULL; } static isc_result_t beginload(dns_db_t *db, dns_addrdatasetfunc_t *addp, dns_dbload_t **dbloadp) { UNUSED(db); UNUSED(addp); UNUSED(dbloadp); return (ISC_R_NOTIMPLEMENTED); } static isc_result_t endload(dns_db_t *db, dns_dbload_t **dbloadp) { UNUSED(db); UNUSED(dbloadp); return (ISC_R_NOTIMPLEMENTED); } static isc_result_t dump(dns_db_t *db, dns_dbversion_t *version, const char *filename, dns_masterformat_t masterformat) { UNUSED(db); UNUSED(version); UNUSED(filename); UNUSED(masterformat); return (ISC_R_NOTIMPLEMENTED); } static void currentversion(dns_db_t *db, dns_dbversion_t **versionp) { REQUIRE(versionp != NULL && *versionp == NULL); UNUSED(db); *versionp = (void *) &dummy; return; } static isc_result_t newversion(dns_db_t *db, dns_dbversion_t **versionp) { UNUSED(db); UNUSED(versionp); return (ISC_R_NOTIMPLEMENTED); } static void attachversion(dns_db_t *db, dns_dbversion_t *source, dns_dbversion_t **targetp) { REQUIRE(source != NULL && source == (void *) &dummy); UNUSED(db); UNUSED(source); UNUSED(targetp); *targetp = source; } static void closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) { REQUIRE(versionp != NULL && *versionp == (void *) &dummy); REQUIRE(commit == ISC_FALSE); UNUSED(db); UNUSED(commit); *versionp = NULL; } static isc_result_t createnode(dns_sdlz_db_t *sdlz, dns_sdlznode_t **nodep) { dns_sdlznode_t *node; isc_result_t result; node = isc_mem_get(sdlz->common.mctx, sizeof(dns_sdlznode_t)); if (node == NULL) return (ISC_R_NOMEMORY); node->sdlz = NULL; attach((dns_db_t *)sdlz, (dns_db_t **)&node->sdlz); ISC_LIST_INIT(node->lists); ISC_LIST_INIT(node->buffers); ISC_LINK_INIT(node, link); node->name = NULL; result = isc_mutex_init(&node->lock); if (result != ISC_R_SUCCESS) { UNEXPECTED_ERROR(__FILE__, __LINE__, "isc_mutex_init() failed: %s", isc_result_totext(result)); isc_mem_put(sdlz->common.mctx, node, sizeof(dns_sdlznode_t)); return (ISC_R_UNEXPECTED); } dns_rdatacallbacks_init(&node->callbacks); node->references = 1; node->magic = SDLZLOOKUP_MAGIC; *nodep = node; return (ISC_R_SUCCESS); } static void destroynode(dns_sdlznode_t *node) { dns_rdatalist_t *list; dns_rdata_t *rdata; isc_buffer_t *b; dns_sdlz_db_t *sdlz; dns_db_t *db; isc_mem_t *mctx; sdlz = node->sdlz; mctx = sdlz->common.mctx; while (!ISC_LIST_EMPTY(node->lists)) { list = ISC_LIST_HEAD(node->lists); while (!ISC_LIST_EMPTY(list->rdata)) { rdata = ISC_LIST_HEAD(list->rdata); ISC_LIST_UNLINK(list->rdata, rdata, link); isc_mem_put(mctx, rdata, sizeof(dns_rdata_t)); } ISC_LIST_UNLINK(node->lists, list, link); isc_mem_put(mctx, list, sizeof(dns_rdatalist_t)); } while (!ISC_LIST_EMPTY(node->buffers)) { b = ISC_LIST_HEAD(node->buffers); ISC_LIST_UNLINK(node->buffers, b, link); isc_buffer_free(&b); } if (node->name != NULL) { dns_name_free(node->name, mctx); isc_mem_put(mctx, node->name, sizeof(dns_name_t)); } DESTROYLOCK(&node->lock); node->magic = 0; isc_mem_put(mctx, node, sizeof(dns_sdlznode_t)); db = &sdlz->common; detach(&db); } static isc_result_t findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create, dns_dbnode_t **nodep) { dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db; dns_sdlznode_t *node = NULL; isc_result_t result; isc_buffer_t b; char namestr[DNS_NAME_MAXTEXT + 1]; isc_buffer_t b2; char zonestr[DNS_NAME_MAXTEXT + 1]; isc_boolean_t isorigin; dns_sdlzauthorityfunc_t authority; REQUIRE(VALID_SDLZDB(sdlz)); REQUIRE(create == ISC_FALSE); REQUIRE(nodep != NULL && *nodep == NULL); UNUSED(name); UNUSED(create); isc_buffer_init(&b, namestr, sizeof(namestr)); if ((sdlz->dlzimp->flags & DNS_SDLZFLAG_RELATIVEOWNER) != 0) { dns_name_t relname; unsigned int labels; labels = dns_name_countlabels(name) - dns_name_countlabels(&db->origin); dns_name_init(&relname, NULL); dns_name_getlabelsequence(name, 0, labels, &relname); result = dns_name_totext(&relname, ISC_TRUE, &b); if (result != ISC_R_SUCCESS) return (result); } else { result = dns_name_totext(name, ISC_TRUE, &b); if (result != ISC_R_SUCCESS) return (result); } isc_buffer_putuint8(&b, 0); isc_buffer_init(&b2, zonestr, sizeof(zonestr)); result = dns_name_totext(&sdlz->common.origin, ISC_TRUE, &b2); if (result != ISC_R_SUCCESS) return (result); isc_buffer_putuint8(&b2, 0); result = createnode(sdlz, &node); if (result != ISC_R_SUCCESS) return (result); isorigin = dns_name_equal(name, &sdlz->common.origin); /* make sure strings are always lowercase */ dns_sdlz_tolower(zonestr); dns_sdlz_tolower(namestr); MAYBE_LOCK(sdlz->dlzimp); /* try to lookup the host (namestr) */ result = sdlz->dlzimp->methods->lookup(zonestr, namestr, sdlz->dlzimp->driverarg, sdlz->dbdata, node); /* * if the host (namestr) was not found, try to lookup a * "wildcard" host. */ if (result != ISC_R_SUCCESS) { result = sdlz->dlzimp->methods->lookup(zonestr, "*", sdlz->dlzimp->driverarg, sdlz->dbdata, node); } MAYBE_UNLOCK(sdlz->dlzimp); if (result != ISC_R_SUCCESS && !isorigin) { destroynode(node); return (result); } if (isorigin && sdlz->dlzimp->methods->authority != NULL) { MAYBE_LOCK(sdlz->dlzimp); authority = sdlz->dlzimp->methods->authority; result = (*authority)(zonestr, sdlz->dlzimp->driverarg, sdlz->dbdata, node); MAYBE_UNLOCK(sdlz->dlzimp); if (result != ISC_R_SUCCESS && result != ISC_R_NOTIMPLEMENTED) { destroynode(node); return (result); } } *nodep = node; return (ISC_R_SUCCESS); } static isc_result_t findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options, isc_stdtime_t now, dns_dbnode_t **nodep, dns_name_t *foundname, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { UNUSED(db); UNUSED(name); UNUSED(options); UNUSED(now); UNUSED(nodep); UNUSED(foundname); UNUSED(rdataset); UNUSED(sigrdataset); return (ISC_R_NOTIMPLEMENTED); } static void attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp) { dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db; dns_sdlznode_t *node = (dns_sdlznode_t *)source; REQUIRE(VALID_SDLZDB(sdlz)); UNUSED(sdlz); LOCK(&node->lock); INSIST(node->references > 0); node->references++; INSIST(node->references != 0); /* Catch overflow. */ UNLOCK(&node->lock); *targetp = source; } static void detachnode(dns_db_t *db, dns_dbnode_t **targetp) { dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db; dns_sdlznode_t *node; isc_boolean_t need_destroy = ISC_FALSE; REQUIRE(VALID_SDLZDB(sdlz)); REQUIRE(targetp != NULL && *targetp != NULL); UNUSED(sdlz); node = (dns_sdlznode_t *)(*targetp); LOCK(&node->lock); INSIST(node->references > 0); node->references--; if (node->references == 0) need_destroy = ISC_TRUE; UNLOCK(&node->lock); if (need_destroy) destroynode(node); *targetp = NULL; } static isc_result_t expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) { UNUSED(db); UNUSED(node); UNUSED(now); INSIST(0); return (ISC_R_UNEXPECTED); } static void printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out) { UNUSED(db); UNUSED(node); UNUSED(out); return; } static isc_result_t createiterator(dns_db_t *db, unsigned int options, dns_dbiterator_t **iteratorp) { dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db; sdlz_dbiterator_t *sdlziter; isc_result_t result; isc_buffer_t b; char zonestr[DNS_NAME_MAXTEXT + 1]; REQUIRE(VALID_SDLZDB(sdlz)); if (sdlz->dlzimp->methods->allnodes == NULL) return (ISC_R_NOTIMPLEMENTED); if ((options & DNS_DB_NSEC3ONLY) != 0 || (options & DNS_DB_NONSEC3) != 0) return (ISC_R_NOTIMPLEMENTED); isc_buffer_init(&b, zonestr, sizeof(zonestr)); result = dns_name_totext(&sdlz->common.origin, ISC_TRUE, &b); if (result != ISC_R_SUCCESS) return (result); isc_buffer_putuint8(&b, 0); sdlziter = isc_mem_get(sdlz->common.mctx, sizeof(sdlz_dbiterator_t)); if (sdlziter == NULL) return (ISC_R_NOMEMORY); sdlziter->common.methods = &dbiterator_methods; sdlziter->common.db = NULL; dns_db_attach(db, &sdlziter->common.db); sdlziter->common.relative_names = ISC_TF(options & DNS_DB_RELATIVENAMES); sdlziter->common.magic = DNS_DBITERATOR_MAGIC; ISC_LIST_INIT(sdlziter->nodelist); sdlziter->current = NULL; sdlziter->origin = NULL; /* make sure strings are always lowercase */ dns_sdlz_tolower(zonestr); MAYBE_LOCK(sdlz->dlzimp); result = sdlz->dlzimp->methods->allnodes(zonestr, sdlz->dlzimp->driverarg, sdlz->dbdata, sdlziter); MAYBE_UNLOCK(sdlz->dlzimp); if (result != ISC_R_SUCCESS) { dns_dbiterator_t *iter = &sdlziter->common; dbiterator_destroy(&iter); return (result); } if (sdlziter->origin != NULL) { ISC_LIST_UNLINK(sdlziter->nodelist, sdlziter->origin, link); ISC_LIST_PREPEND(sdlziter->nodelist, sdlziter->origin, link); } *iteratorp = (dns_dbiterator_t *)sdlziter; return (ISC_R_SUCCESS); } static isc_result_t findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, dns_rdatatype_t type, dns_rdatatype_t covers, isc_stdtime_t now, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { dns_rdatalist_t *list; dns_sdlznode_t *sdlznode = (dns_sdlznode_t *)node; REQUIRE(VALID_SDLZNODE(node)); UNUSED(db); UNUSED(version); UNUSED(covers); UNUSED(now); UNUSED(sigrdataset); if (type == dns_rdatatype_sig || type == dns_rdatatype_rrsig) return (ISC_R_NOTIMPLEMENTED); list = ISC_LIST_HEAD(sdlznode->lists); while (list != NULL) { if (list->type == type) break; list = ISC_LIST_NEXT(list, link); } if (list == NULL) return (ISC_R_NOTFOUND); list_tordataset(list, db, node, rdataset); return (ISC_R_SUCCESS); } static isc_result_t find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, dns_rdatatype_t type, unsigned int options, isc_stdtime_t now, dns_dbnode_t **nodep, dns_name_t *foundname, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db; dns_dbnode_t *node = NULL; dns_fixedname_t fname; dns_rdataset_t xrdataset; dns_name_t *xname; unsigned int nlabels, olabels; isc_result_t result; unsigned int i; REQUIRE(VALID_SDLZDB(sdlz)); REQUIRE(nodep == NULL || *nodep == NULL); REQUIRE(version == NULL || version == (void *) &dummy); UNUSED(options); UNUSED(sdlz); if (!dns_name_issubdomain(name, &db->origin)) return (DNS_R_NXDOMAIN); olabels = dns_name_countlabels(&db->origin); nlabels = dns_name_countlabels(name); dns_fixedname_init(&fname); xname = dns_fixedname_name(&fname); if (rdataset == NULL) { dns_rdataset_init(&xrdataset); rdataset = &xrdataset; } result = DNS_R_NXDOMAIN; for (i = olabels; i <= nlabels; i++) { /* * Unless this is an explicit lookup at the origin, don't * look at the origin. */ if (i == olabels && i != nlabels) continue; /* * Look up the next label. */ dns_name_getlabelsequence(name, nlabels - i, i, xname); result = findnode(db, xname, ISC_FALSE, &node); if (result != ISC_R_SUCCESS) { result = DNS_R_NXDOMAIN; continue; } /* * Look for a DNAME at the current label, unless this is * the qname. */ if (i < nlabels) { result = findrdataset(db, node, version, dns_rdatatype_dname, 0, now, rdataset, sigrdataset); if (result == ISC_R_SUCCESS) { result = DNS_R_DNAME; break; } } /* * Look for an NS at the current label, unless this is the * origin or glue is ok. */ if (i != olabels && (options & DNS_DBFIND_GLUEOK) == 0) { result = findrdataset(db, node, version, dns_rdatatype_ns, 0, now, rdataset, sigrdataset); if (result == ISC_R_SUCCESS) { if (i == nlabels && type == dns_rdatatype_any) { result = DNS_R_ZONECUT; dns_rdataset_disassociate(rdataset); if (sigrdataset != NULL && dns_rdataset_isassociated (sigrdataset)) { dns_rdataset_disassociate (sigrdataset); } } else result = DNS_R_DELEGATION; break; } } /* * If the current name is not the qname, add another label * and try again. */ if (i < nlabels) { destroynode(node); node = NULL; continue; } /* * If we're looking for ANY, we're done. */ if (type == dns_rdatatype_any) { result = ISC_R_SUCCESS; break; } /* * Look for the qtype. */ result = findrdataset(db, node, version, type, 0, now, rdataset, sigrdataset); if (result == ISC_R_SUCCESS) break; /* * Look for a CNAME */ if (type != dns_rdatatype_cname) { result = findrdataset(db, node, version, dns_rdatatype_cname, 0, now, rdataset, sigrdataset); if (result == ISC_R_SUCCESS) { result = DNS_R_CNAME; break; } } result = DNS_R_NXRRSET; break; } if (rdataset == &xrdataset && dns_rdataset_isassociated(rdataset)) dns_rdataset_disassociate(rdataset); if (foundname != NULL) { isc_result_t xresult; xresult = dns_name_copy(xname, foundname, NULL); if (xresult != ISC_R_SUCCESS) { if (node != NULL) destroynode(node); if (dns_rdataset_isassociated(rdataset)) dns_rdataset_disassociate(rdataset); return (DNS_R_BADDB); } } if (nodep != NULL) *nodep = node; else if (node != NULL) detachnode(db, &node); return (result); } static isc_result_t allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, isc_stdtime_t now, dns_rdatasetiter_t **iteratorp) { sdlz_rdatasetiter_t *iterator; REQUIRE(version == NULL || version == &dummy); UNUSED(version); UNUSED(now); iterator = isc_mem_get(db->mctx, sizeof(sdlz_rdatasetiter_t)); if (iterator == NULL) return (ISC_R_NOMEMORY); iterator->common.magic = DNS_RDATASETITER_MAGIC; iterator->common.methods = &rdatasetiter_methods; iterator->common.db = db; iterator->common.node = NULL; attachnode(db, node, &iterator->common.node); iterator->common.version = version; iterator->common.now = now; *iteratorp = (dns_rdatasetiter_t *)iterator; return (ISC_R_SUCCESS); } static isc_result_t addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options, dns_rdataset_t *addedrdataset) { UNUSED(db); UNUSED(node); UNUSED(version); UNUSED(now); UNUSED(rdataset); UNUSED(options); UNUSED(addedrdataset); return (ISC_R_NOTIMPLEMENTED); } static isc_result_t subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, dns_rdataset_t *rdataset, unsigned int options, dns_rdataset_t *newrdataset) { UNUSED(db); UNUSED(node); UNUSED(version); UNUSED(rdataset); UNUSED(options); UNUSED(newrdataset); return (ISC_R_NOTIMPLEMENTED); } static isc_result_t deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, dns_rdatatype_t type, dns_rdatatype_t covers) { UNUSED(db); UNUSED(node); UNUSED(version); UNUSED(type); UNUSED(covers); return (ISC_R_NOTIMPLEMENTED); } static isc_boolean_t issecure(dns_db_t *db) { UNUSED(db); return (ISC_FALSE); } static unsigned int nodecount(dns_db_t *db) { UNUSED(db); return (0); } static isc_boolean_t ispersistent(dns_db_t *db) { UNUSED(db); return (ISC_TRUE); } static void overmem(dns_db_t *db, isc_boolean_t overmem) { UNUSED(db); UNUSED(overmem); } static void settask(dns_db_t *db, isc_task_t *task) { UNUSED(db); UNUSED(task); } static dns_dbmethods_t sdlzdb_methods = { attach, detach, beginload, endload, dump, currentversion, newversion, attachversion, closeversion, findnode, find, findzonecut, attachnode, detachnode, expirenode, printnode, createiterator, findrdataset, allrdatasets, addrdataset, subtractrdataset, deleterdataset, issecure, nodecount, ispersistent, overmem, settask, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }; /* * Database Iterator Methods. These methods were "borrowed" from the SDB * driver interface. See the SDB driver interface documentation for more info. */ static void dbiterator_destroy(dns_dbiterator_t **iteratorp) { sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)(*iteratorp); dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)sdlziter->common.db; while (!ISC_LIST_EMPTY(sdlziter->nodelist)) { dns_sdlznode_t *node; node = ISC_LIST_HEAD(sdlziter->nodelist); ISC_LIST_UNLINK(sdlziter->nodelist, node, link); destroynode(node); } dns_db_detach(&sdlziter->common.db); isc_mem_put(sdlz->common.mctx, sdlziter, sizeof(sdlz_dbiterator_t)); *iteratorp = NULL; } static isc_result_t dbiterator_first(dns_dbiterator_t *iterator) { sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)iterator; sdlziter->current = ISC_LIST_HEAD(sdlziter->nodelist); if (sdlziter->current == NULL) return (ISC_R_NOMORE); else return (ISC_R_SUCCESS); } static isc_result_t dbiterator_last(dns_dbiterator_t *iterator) { sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)iterator; sdlziter->current = ISC_LIST_TAIL(sdlziter->nodelist); if (sdlziter->current == NULL) return (ISC_R_NOMORE); else return (ISC_R_SUCCESS); } static isc_result_t dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name) { sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)iterator; sdlziter->current = ISC_LIST_HEAD(sdlziter->nodelist); while (sdlziter->current != NULL) { if (dns_name_equal(sdlziter->current->name, name)) return (ISC_R_SUCCESS); sdlziter->current = ISC_LIST_NEXT(sdlziter->current, link); } return (ISC_R_NOTFOUND); } static isc_result_t dbiterator_prev(dns_dbiterator_t *iterator) { sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)iterator; sdlziter->current = ISC_LIST_PREV(sdlziter->current, link); if (sdlziter->current == NULL) return (ISC_R_NOMORE); else return (ISC_R_SUCCESS); } static isc_result_t dbiterator_next(dns_dbiterator_t *iterator) { sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)iterator; sdlziter->current = ISC_LIST_NEXT(sdlziter->current, link); if (sdlziter->current == NULL) return (ISC_R_NOMORE); else return (ISC_R_SUCCESS); } static isc_result_t dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep, dns_name_t *name) { sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)iterator; attachnode(iterator->db, sdlziter->current, nodep); if (name != NULL) return (dns_name_copy(sdlziter->current->name, name, NULL)); return (ISC_R_SUCCESS); } static isc_result_t dbiterator_pause(dns_dbiterator_t *iterator) { UNUSED(iterator); return (ISC_R_SUCCESS); } static isc_result_t dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name) { UNUSED(iterator); return (dns_name_copy(dns_rootname, name, NULL)); } /* * Rdataset Methods. These methods were "borrowed" from the SDB driver * interface. See the SDB driver interface documentation for more info. */ static void disassociate(dns_rdataset_t *rdataset) { dns_dbnode_t *node = rdataset->private5; dns_sdlznode_t *sdlznode = (dns_sdlznode_t *) node; dns_db_t *db = (dns_db_t *) sdlznode->sdlz; detachnode(db, &node); isc__rdatalist_disassociate(rdataset); } static void rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) { dns_dbnode_t *node = source->private5; dns_sdlznode_t *sdlznode = (dns_sdlznode_t *) node; dns_db_t *db = (dns_db_t *) sdlznode->sdlz; dns_dbnode_t *tempdb = NULL; isc__rdatalist_clone(source, target); attachnode(db, node, &tempdb); source->private5 = tempdb; } static dns_rdatasetmethods_t rdataset_methods = { disassociate, isc__rdatalist_first, isc__rdatalist_next, isc__rdatalist_current, rdataset_clone, isc__rdatalist_count, isc__rdatalist_addnoqname, isc__rdatalist_getnoqname, + NULL, + NULL, NULL, NULL, NULL, NULL, NULL }; static void list_tordataset(dns_rdatalist_t *rdatalist, dns_db_t *db, dns_dbnode_t *node, dns_rdataset_t *rdataset) { /* * The sdlz rdataset is an rdatalist with some additions. * - private1 & private2 are used by the rdatalist. * - private3 & private 4 are unused. * - private5 is the node. */ /* This should never fail. */ RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset) == ISC_R_SUCCESS); rdataset->methods = &rdataset_methods; dns_db_attachnode(db, node, &rdataset->private5); } /* * SDLZ core methods. This is the core of the new DLZ functionality. */ /*% * Build a 'bind' database driver structure to be returned by * either the find zone or the allow zone transfer method. * This method is only available in this source file, it is * not made available anywhere else. */ static isc_result_t dns_sdlzcreateDBP(isc_mem_t *mctx, void *driverarg, void *dbdata, dns_name_t *name, dns_rdataclass_t rdclass, dns_db_t **dbp) { isc_result_t result; dns_sdlz_db_t *sdlzdb; dns_sdlzimplementation_t *imp; /* check that things are as we expect */ REQUIRE(dbp != NULL && *dbp == NULL); REQUIRE(name != NULL); imp = (dns_sdlzimplementation_t *) driverarg; /* allocate and zero memory for driver structure */ sdlzdb = isc_mem_get(mctx, sizeof(dns_sdlz_db_t)); if (sdlzdb == NULL) return (ISC_R_NOMEMORY); memset(sdlzdb, 0, sizeof(dns_sdlz_db_t)); /* initialize and set origin */ dns_name_init(&sdlzdb->common.origin, NULL); result = dns_name_dupwithoffsets(name, mctx, &sdlzdb->common.origin); if (result != ISC_R_SUCCESS) goto mem_cleanup; /* initialize the reference count mutex */ result = isc_mutex_init(&sdlzdb->refcnt_lock); if (result != ISC_R_SUCCESS) goto name_cleanup; /* set the rest of the database structure attributes */ sdlzdb->dlzimp = imp; sdlzdb->common.methods = &sdlzdb_methods; sdlzdb->common.attributes = 0; sdlzdb->common.rdclass = rdclass; sdlzdb->common.mctx = NULL; sdlzdb->dbdata = dbdata; sdlzdb->references = 1; /* attach to the memory context */ isc_mem_attach(mctx, &sdlzdb->common.mctx); /* mark structure as valid */ sdlzdb->common.magic = DNS_DB_MAGIC; sdlzdb->common.impmagic = SDLZDB_MAGIC; *dbp = (dns_db_t *) sdlzdb; return (result); /* * reference count mutex could not be initialized, clean up * name memory */ name_cleanup: dns_name_free(&sdlzdb->common.origin, mctx); mem_cleanup: isc_mem_put(mctx, sdlzdb, sizeof(dns_sdlz_db_t)); return (result); } static isc_result_t dns_sdlzallowzonexfr(void *driverarg, void *dbdata, isc_mem_t *mctx, dns_rdataclass_t rdclass, dns_name_t *name, isc_sockaddr_t *clientaddr, dns_db_t **dbp) { isc_buffer_t b; isc_buffer_t b2; char namestr[DNS_NAME_MAXTEXT + 1]; char clientstr[(sizeof "xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:255.255.255.255") + 1]; isc_netaddr_t netaddr; isc_result_t result; dns_sdlzimplementation_t *imp; /* * Perform checks to make sure data is as we expect it to be. */ REQUIRE(driverarg != NULL); REQUIRE(name != NULL); REQUIRE(clientaddr != NULL); REQUIRE(dbp != NULL && *dbp == NULL); imp = (dns_sdlzimplementation_t *) driverarg; /* Convert DNS name to ascii text */ isc_buffer_init(&b, namestr, sizeof(namestr)); result = dns_name_totext(name, ISC_TRUE, &b); if (result != ISC_R_SUCCESS) return (result); isc_buffer_putuint8(&b, 0); /* convert client address to ascii text */ isc_buffer_init(&b2, clientstr, sizeof(clientstr)); isc_netaddr_fromsockaddr(&netaddr, clientaddr); result = isc_netaddr_totext(&netaddr, &b2); if (result != ISC_R_SUCCESS) return (result); isc_buffer_putuint8(&b2, 0); /* make sure strings are always lowercase */ dns_sdlz_tolower(namestr); dns_sdlz_tolower(clientstr); /* Call SDLZ driver's find zone method */ if (imp->methods->allowzonexfr != NULL) { MAYBE_LOCK(imp); result = imp->methods->allowzonexfr(imp->driverarg, dbdata, namestr, clientstr); MAYBE_UNLOCK(imp); /* * if zone is supported and transfers allowed build a 'bind' * database driver */ if (result == ISC_R_SUCCESS) result = dns_sdlzcreateDBP(mctx, driverarg, dbdata, name, rdclass, dbp); return (result); } return (ISC_R_NOTIMPLEMENTED); } static isc_result_t dns_sdlzcreate(isc_mem_t *mctx, const char *dlzname, unsigned int argc, char *argv[], void *driverarg, void **dbdata) { dns_sdlzimplementation_t *imp; isc_result_t result = ISC_R_NOTFOUND; /* Write debugging message to log */ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2), "Loading SDLZ driver."); /* * Performs checks to make sure data is as we expect it to be. */ REQUIRE(driverarg != NULL); REQUIRE(dlzname != NULL); REQUIRE(dbdata != NULL); UNUSED(mctx); imp = driverarg; /* If the create method exists, call it. */ if (imp->methods->create != NULL) { MAYBE_LOCK(imp); result = imp->methods->create(dlzname, argc, argv, imp->driverarg, dbdata); MAYBE_UNLOCK(imp); } /* Write debugging message to log */ if (result == ISC_R_SUCCESS) { isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2), "SDLZ driver loaded successfully."); } else { isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ, ISC_LOG_ERROR, "SDLZ driver failed to load."); } return (result); } static void dns_sdlzdestroy(void *driverdata, void **dbdata) { dns_sdlzimplementation_t *imp; /* Write debugging message to log */ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2), "Unloading SDLZ driver."); imp = driverdata; /* If the destroy method exists, call it. */ if (imp->methods->destroy != NULL) { MAYBE_LOCK(imp); imp->methods->destroy(imp->driverarg, dbdata); MAYBE_UNLOCK(imp); } } static isc_result_t dns_sdlzfindzone(void *driverarg, void *dbdata, isc_mem_t *mctx, dns_rdataclass_t rdclass, dns_name_t *name, dns_db_t **dbp) { isc_buffer_t b; char namestr[DNS_NAME_MAXTEXT + 1]; isc_result_t result; dns_sdlzimplementation_t *imp; /* * Perform checks to make sure data is as we expect it to be. */ REQUIRE(driverarg != NULL); REQUIRE(name != NULL); REQUIRE(dbp != NULL && *dbp == NULL); imp = (dns_sdlzimplementation_t *) driverarg; /* Convert DNS name to ascii text */ isc_buffer_init(&b, namestr, sizeof(namestr)); result = dns_name_totext(name, ISC_TRUE, &b); if (result != ISC_R_SUCCESS) return (result); isc_buffer_putuint8(&b, 0); /* make sure strings are always lowercase */ dns_sdlz_tolower(namestr); /* Call SDLZ driver's find zone method */ MAYBE_LOCK(imp); result = imp->methods->findzone(imp->driverarg, dbdata, namestr); MAYBE_UNLOCK(imp); /* * if zone is supported build a 'bind' database driver * structure to return */ if (result == ISC_R_SUCCESS) result = dns_sdlzcreateDBP(mctx, driverarg, dbdata, name, rdclass, dbp); return (result); } static dns_dlzmethods_t sdlzmethods = { dns_sdlzcreate, dns_sdlzdestroy, dns_sdlzfindzone, dns_sdlzallowzonexfr }; /* * Public functions. */ isc_result_t dns_sdlz_putrr(dns_sdlzlookup_t *lookup, const char *type, dns_ttl_t ttl, const char *data) { dns_rdatalist_t *rdatalist; dns_rdata_t *rdata; dns_rdatatype_t typeval; isc_consttextregion_t r; isc_buffer_t b; isc_buffer_t *rdatabuf = NULL; isc_lex_t *lex; isc_result_t result; unsigned int size; isc_mem_t *mctx; dns_name_t *origin; REQUIRE(VALID_SDLZLOOKUP(lookup)); REQUIRE(type != NULL); REQUIRE(data != NULL); mctx = lookup->sdlz->common.mctx; r.base = type; r.length = strlen(type); result = dns_rdatatype_fromtext(&typeval, (void *) &r); if (result != ISC_R_SUCCESS) return (result); rdatalist = ISC_LIST_HEAD(lookup->lists); while (rdatalist != NULL) { if (rdatalist->type == typeval) break; rdatalist = ISC_LIST_NEXT(rdatalist, link); } if (rdatalist == NULL) { rdatalist = isc_mem_get(mctx, sizeof(dns_rdatalist_t)); if (rdatalist == NULL) return (ISC_R_NOMEMORY); rdatalist->rdclass = lookup->sdlz->common.rdclass; rdatalist->type = typeval; rdatalist->covers = 0; rdatalist->ttl = ttl; ISC_LIST_INIT(rdatalist->rdata); ISC_LINK_INIT(rdatalist, link); ISC_LIST_APPEND(lookup->lists, rdatalist, link); } else if (rdatalist->ttl != ttl) return (DNS_R_BADTTL); rdata = isc_mem_get(mctx, sizeof(dns_rdata_t)); if (rdata == NULL) return (ISC_R_NOMEMORY); dns_rdata_init(rdata); if ((lookup->sdlz->dlzimp->flags & DNS_SDLZFLAG_RELATIVERDATA) != 0) origin = &lookup->sdlz->common.origin; else origin = dns_rootname; lex = NULL; result = isc_lex_create(mctx, 64, &lex); if (result != ISC_R_SUCCESS) goto failure; size = initial_size(data); do { isc_buffer_init(&b, data, strlen(data)); isc_buffer_add(&b, strlen(data)); result = isc_lex_openbuffer(lex, &b); if (result != ISC_R_SUCCESS) goto failure; rdatabuf = NULL; result = isc_buffer_allocate(mctx, &rdatabuf, size); if (result != ISC_R_SUCCESS) goto failure; result = dns_rdata_fromtext(rdata, rdatalist->rdclass, rdatalist->type, lex, origin, ISC_FALSE, mctx, rdatabuf, &lookup->callbacks); if (result != ISC_R_SUCCESS) isc_buffer_free(&rdatabuf); size *= 2; } while (result == ISC_R_NOSPACE); if (result != ISC_R_SUCCESS) goto failure; ISC_LIST_APPEND(rdatalist->rdata, rdata, link); ISC_LIST_APPEND(lookup->buffers, rdatabuf, link); if (lex != NULL) isc_lex_destroy(&lex); return (ISC_R_SUCCESS); failure: if (rdatabuf != NULL) isc_buffer_free(&rdatabuf); if (lex != NULL) isc_lex_destroy(&lex); isc_mem_put(mctx, rdata, sizeof(dns_rdata_t)); return (result); } isc_result_t dns_sdlz_putnamedrr(dns_sdlzallnodes_t *allnodes, const char *name, const char *type, dns_ttl_t ttl, const char *data) { dns_name_t *newname, *origin; dns_fixedname_t fnewname; dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)allnodes->common.db; dns_sdlznode_t *sdlznode; isc_mem_t *mctx = sdlz->common.mctx; isc_buffer_t b; isc_result_t result; dns_fixedname_init(&fnewname); newname = dns_fixedname_name(&fnewname); if ((sdlz->dlzimp->flags & DNS_SDLZFLAG_RELATIVERDATA) != 0) origin = &sdlz->common.origin; else origin = dns_rootname; isc_buffer_init(&b, name, strlen(name)); isc_buffer_add(&b, strlen(name)); result = dns_name_fromtext(newname, &b, origin, ISC_FALSE, NULL); if (result != ISC_R_SUCCESS) return (result); if (allnodes->common.relative_names) { /* All names are relative to the root */ unsigned int nlabels = dns_name_countlabels(newname); dns_name_getlabelsequence(newname, 0, nlabels - 1, newname); } sdlznode = ISC_LIST_HEAD(allnodes->nodelist); if (sdlznode == NULL || !dns_name_equal(sdlznode->name, newname)) { sdlznode = NULL; result = createnode(sdlz, &sdlznode); if (result != ISC_R_SUCCESS) return (result); sdlznode->name = isc_mem_get(mctx, sizeof(dns_name_t)); if (sdlznode->name == NULL) { destroynode(sdlznode); return (ISC_R_NOMEMORY); } dns_name_init(sdlznode->name, NULL); result = dns_name_dup(newname, mctx, sdlznode->name); if (result != ISC_R_SUCCESS) { isc_mem_put(mctx, sdlznode->name, sizeof(dns_name_t)); destroynode(sdlznode); return (result); } ISC_LIST_PREPEND(allnodes->nodelist, sdlznode, link); if (allnodes->origin == NULL && dns_name_equal(newname, &sdlz->common.origin)) allnodes->origin = sdlznode; } return (dns_sdlz_putrr(sdlznode, type, ttl, data)); } isc_result_t dns_sdlz_putsoa(dns_sdlzlookup_t *lookup, const char *mname, const char *rname, isc_uint32_t serial) { char str[2 * DNS_NAME_MAXTEXT + 5 * (sizeof("2147483647")) + 7]; int n; REQUIRE(mname != NULL); REQUIRE(rname != NULL); n = snprintf(str, sizeof str, "%s %s %u %u %u %u %u", mname, rname, serial, SDLZ_DEFAULT_REFRESH, SDLZ_DEFAULT_RETRY, SDLZ_DEFAULT_EXPIRE, SDLZ_DEFAULT_MINIMUM); if (n >= (int)sizeof(str) || n < 0) return (ISC_R_NOSPACE); return (dns_sdlz_putrr(lookup, "SOA", SDLZ_DEFAULT_TTL, str)); } isc_result_t dns_sdlzregister(const char *drivername, const dns_sdlzmethods_t *methods, void *driverarg, unsigned int flags, isc_mem_t *mctx, dns_sdlzimplementation_t **sdlzimp) { dns_sdlzimplementation_t *imp; isc_result_t result; /* * Performs checks to make sure data is as we expect it to be. */ REQUIRE(drivername != NULL); REQUIRE(methods != NULL); REQUIRE(methods->findzone != NULL); REQUIRE(methods->lookup != NULL); REQUIRE(mctx != NULL); REQUIRE(sdlzimp != NULL && *sdlzimp == NULL); REQUIRE((flags & ~(DNS_SDLZFLAG_RELATIVEOWNER | DNS_SDLZFLAG_RELATIVERDATA | DNS_SDLZFLAG_THREADSAFE)) == 0); /* Write debugging message to log */ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2), "Registering SDLZ driver '%s'", drivername); /* * Allocate memory for a sdlz_implementation object. Error if * we cannot. */ imp = isc_mem_get(mctx, sizeof(dns_sdlzimplementation_t)); if (imp == NULL) return (ISC_R_NOMEMORY); /* Make sure memory region is set to all 0's */ memset(imp, 0, sizeof(dns_sdlzimplementation_t)); /* Store the data passed into this method */ imp->methods = methods; imp->driverarg = driverarg; imp->flags = flags; imp->mctx = NULL; /* attach the new sdlz_implementation object to a memory context */ isc_mem_attach(mctx, &imp->mctx); /* * initialize the driver lock, error if we cannot * (used if a driver does not support multiple threads) */ result = isc_mutex_init(&imp->driverlock); if (result != ISC_R_SUCCESS) { UNEXPECTED_ERROR(__FILE__, __LINE__, "isc_mutex_init() failed: %s", isc_result_totext(result)); goto cleanup_mctx; } imp->dlz_imp = NULL; /* * register the DLZ driver. Pass in our "extra" sdlz information as * a driverarg. (that's why we stored the passed in driver arg in our * sdlz_implementation structure) Also, store the dlz_implementation * structure in our sdlz_implementation. */ result = dns_dlzregister(drivername, &sdlzmethods, imp, mctx, &imp->dlz_imp); /* if registration fails, cleanup and get outta here. */ if (result != ISC_R_SUCCESS) goto cleanup_mutex; *sdlzimp = imp; return (ISC_R_SUCCESS); cleanup_mutex: /* destroy the driver lock, we don't need it anymore */ DESTROYLOCK(&imp->driverlock); cleanup_mctx: /* * return the memory back to the available memory pool and * remove it from the memory context. */ isc_mem_put(mctx, imp, sizeof(dns_sdlzimplementation_t)); isc_mem_detach(&mctx); return (result); } void dns_sdlzunregister(dns_sdlzimplementation_t **sdlzimp) { dns_sdlzimplementation_t *imp; isc_mem_t *mctx; /* Write debugging message to log */ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2), "Unregistering SDLZ driver."); /* * Performs checks to make sure data is as we expect it to be. */ REQUIRE(sdlzimp != NULL && *sdlzimp != NULL); imp = *sdlzimp; /* Unregister the DLZ driver implementation */ dns_dlzunregister(&imp->dlz_imp); /* destroy the driver lock, we don't need it anymore */ DESTROYLOCK(&imp->driverlock); mctx = imp->mctx; /* * return the memory back to the available memory pool and * remove it from the memory context. */ isc_mem_put(mctx, imp, sizeof(dns_sdlzimplementation_t)); isc_mem_detach(&mctx); *sdlzimp = NULL; } Index: head/contrib/bind9/lib/dns/validator.c =================================================================== --- head/contrib/bind9/lib/dns/validator.c (revision 205291) +++ head/contrib/bind9/lib/dns/validator.c (revision 205292) @@ -1,3863 +1,3977 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.c,v 1.164.12.11 2009/12/30 06:44:44 each Exp $ */ +/* $Id: validator.c,v 1.164.12.11.8.2 2010/02/25 10:57:12 tbox Exp $ */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include /*! \file * \brief * Basic processing sequences. * * \li When called with rdataset and sigrdataset: * validator_start -> validate -> proveunsecure -> startfinddlvsep -> * dlv_validator_start -> validator_start -> validate -> proveunsecure * * validator_start -> validate -> nsecvalidate (secure wildcard answer) * * \li When called with rdataset, sigrdataset and with DNS_VALIDATOR_DLV: * validator_start -> startfinddlvsep -> dlv_validator_start -> * validator_start -> validate -> proveunsecure * * \li When called with rdataset: * validator_start -> proveunsecure -> startfinddlvsep -> * dlv_validator_start -> validator_start -> proveunsecure * * \li When called with rdataset and with DNS_VALIDATOR_DLV: * validator_start -> startfinddlvsep -> dlv_validator_start -> * validator_start -> proveunsecure * * \li When called without a rdataset: * validator_start -> nsecvalidate -> proveunsecure -> startfinddlvsep -> * dlv_validator_start -> validator_start -> nsecvalidate -> proveunsecure * * Note: there isn't a case for DNS_VALIDATOR_DLV here as we want nsecvalidate() * to always validate the authority section even when it does not contain * signatures. * * validator_start: determines what type of validation to do. * validate: attempts to perform a positive validation. * proveunsecure: attempts to prove the answer comes from a unsecure zone. * nsecvalidate: attempts to prove a negative response. * startfinddlvsep: starts the DLV record lookup. * dlv_validator_start: resets state and restarts the lookup using the * DLV RRset found by startfinddlvsep. */ #define VALIDATOR_MAGIC ISC_MAGIC('V', 'a', 'l', '?') #define VALID_VALIDATOR(v) ISC_MAGIC_VALID(v, VALIDATOR_MAGIC) #define VALATTR_SHUTDOWN 0x0001 /*%< Shutting down. */ #define VALATTR_CANCELED 0x0002 /*%< Canceled. */ #define VALATTR_TRIEDVERIFY 0x0004 /*%< We have found a key and * have attempted a verify. */ #define VALATTR_INSECURITY 0x0010 /*%< Attempting proveunsecure. */ #define VALATTR_DLVTRIED 0x0020 /*%< Looked for a DLV record. */ /*! * NSEC proofs to be looked for. */ #define VALATTR_NEEDNOQNAME 0x00000100 #define VALATTR_NEEDNOWILDCARD 0x00000200 #define VALATTR_NEEDNODATA 0x00000400 /*! * NSEC proofs that have been found. */ #define VALATTR_FOUNDNOQNAME 0x00001000 #define VALATTR_FOUNDNOWILDCARD 0x00002000 #define VALATTR_FOUNDNODATA 0x00004000 #define VALATTR_FOUNDCLOSEST 0x00008000 /* * */ #define VALATTR_FOUNDOPTOUT 0x00010000 #define VALATTR_FOUNDUNKNOWN 0x00020000 #define NEEDNODATA(val) ((val->attributes & VALATTR_NEEDNODATA) != 0) #define NEEDNOQNAME(val) ((val->attributes & VALATTR_NEEDNOQNAME) != 0) #define NEEDNOWILDCARD(val) ((val->attributes & VALATTR_NEEDNOWILDCARD) != 0) #define DLVTRIED(val) ((val->attributes & VALATTR_DLVTRIED) != 0) #define SHUTDOWN(v) (((v)->attributes & VALATTR_SHUTDOWN) != 0) #define CANCELED(v) (((v)->attributes & VALATTR_CANCELED) != 0) static void destroy(dns_validator_t *val); static isc_result_t get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo, dns_rdataset_t *rdataset); static isc_result_t validate(dns_validator_t *val, isc_boolean_t resume); static isc_result_t validatezonekey(dns_validator_t *val); static isc_result_t nsecvalidate(dns_validator_t *val, isc_boolean_t resume); static isc_result_t proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume); static void validator_logv(dns_validator_t *val, isc_logcategory_t *category, isc_logmodule_t *module, int level, const char *fmt, va_list ap) ISC_FORMAT_PRINTF(5, 0); static void validator_log(dns_validator_t *val, int level, const char *fmt, ...) ISC_FORMAT_PRINTF(3, 4); static void validator_logcreate(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type, const char *caller, const char *operation); static isc_result_t dlv_validatezonekey(dns_validator_t *val); static void dlv_validator_start(dns_validator_t *val); static isc_result_t finddlvsep(dns_validator_t *val, isc_boolean_t resume); static isc_result_t startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure); /*% * Mark the RRsets as a answer. */ static inline void markanswer(dns_validator_t *val) { validator_log(val, ISC_LOG_DEBUG(3), "marking as answer"); if (val->event->rdataset != NULL) - val->event->rdataset->trust = dns_trust_answer; + dns_rdataset_settrust(val->event->rdataset, dns_trust_answer); if (val->event->sigrdataset != NULL) - val->event->sigrdataset->trust = dns_trust_answer; + dns_rdataset_settrust(val->event->sigrdataset, + dns_trust_answer); } +static inline void +marksecure(dns_validatorevent_t *event) { + dns_rdataset_settrust(event->rdataset, dns_trust_secure); + dns_rdataset_settrust(event->sigrdataset, dns_trust_secure); +} + static void validator_done(dns_validator_t *val, isc_result_t result) { isc_task_t *task; if (val->event == NULL) return; /* * Caller must be holding the lock. */ val->event->result = result; task = val->event->ev_sender; val->event->ev_sender = val; val->event->ev_type = DNS_EVENT_VALIDATORDONE; val->event->ev_action = val->action; val->event->ev_arg = val->arg; isc_task_sendanddetach(&task, (isc_event_t **)&val->event); } static inline isc_boolean_t exit_check(dns_validator_t *val) { /* * Caller must be holding the lock. */ if (!SHUTDOWN(val)) return (ISC_FALSE); INSIST(val->event == NULL); if (val->fetch != NULL || val->subvalidator != NULL) return (ISC_FALSE); return (ISC_TRUE); } /* * Check that we have atleast one supported algorithm in the DLV RRset. */ static inline isc_boolean_t dlv_algorithm_supported(dns_validator_t *val) { dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdata_dlv_t dlv; isc_result_t result; for (result = dns_rdataset_first(&val->dlv); result == ISC_R_SUCCESS; result = dns_rdataset_next(&val->dlv)) { dns_rdata_reset(&rdata); dns_rdataset_current(&val->dlv, &rdata); result = dns_rdata_tostruct(&rdata, &dlv, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); if (!dns_resolver_algorithm_supported(val->view->resolver, val->event->name, dlv.algorithm)) continue; if (dlv.digest_type != DNS_DSDIGEST_SHA256 && dlv.digest_type != DNS_DSDIGEST_SHA1) continue; return (ISC_TRUE); } return (ISC_FALSE); } /*% * Look in the NSEC record returned from a DS query to see if there is * a NS RRset at this name. If it is found we are at a delegation point. */ static isc_boolean_t isdelegation(dns_name_t *name, dns_rdataset_t *rdataset, isc_result_t dbresult) { dns_fixedname_t fixed; dns_label_t hashlabel; dns_name_t nsec3name; dns_rdata_nsec3_t nsec3; dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdataset_t set; int order; int scope; isc_boolean_t found; isc_buffer_t buffer; isc_result_t result; unsigned char hash[NSEC3_MAX_HASH_LENGTH]; unsigned char owner[NSEC3_MAX_HASH_LENGTH]; unsigned int length; REQUIRE(dbresult == DNS_R_NXRRSET || dbresult == DNS_R_NCACHENXRRSET); dns_rdataset_init(&set); if (dbresult == DNS_R_NXRRSET) dns_rdataset_clone(rdataset, &set); else { result = dns_ncache_getrdataset(rdataset, name, dns_rdatatype_nsec, &set); if (result == ISC_R_NOTFOUND) goto trynsec3; if (result != ISC_R_SUCCESS) return (ISC_FALSE); } INSIST(set.type == dns_rdatatype_nsec); found = ISC_FALSE; result = dns_rdataset_first(&set); if (result == ISC_R_SUCCESS) { dns_rdataset_current(&set, &rdata); found = dns_nsec_typepresent(&rdata, dns_rdatatype_ns); dns_rdata_reset(&rdata); } dns_rdataset_disassociate(&set); return (found); trynsec3: /* * Iterate over the ncache entry. */ found = ISC_FALSE; dns_name_init(&nsec3name, NULL); dns_fixedname_init(&fixed); dns_name_downcase(name, dns_fixedname_name(&fixed), NULL); name = dns_fixedname_name(&fixed); result = dns_rdataset_first(rdataset); for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS; result = dns_rdataset_next(rdataset)) { dns_ncache_current(rdataset, &nsec3name, &set); if (set.type != dns_rdatatype_nsec3) { dns_rdataset_disassociate(&set); continue; } dns_name_getlabel(&nsec3name, 0, &hashlabel); isc_region_consume(&hashlabel, 1); isc_buffer_init(&buffer, owner, sizeof(owner)); result = isc_base32hex_decoderegion(&hashlabel, &buffer); if (result != ISC_R_SUCCESS) { dns_rdataset_disassociate(&set); continue; } for (result = dns_rdataset_first(&set); result == ISC_R_SUCCESS; result = dns_rdataset_next(&set)) { dns_rdata_reset(&rdata); dns_rdataset_current(&set, &rdata); (void)dns_rdata_tostruct(&rdata, &nsec3, NULL); if (nsec3.hash != 1) continue; length = isc_iterated_hash(hash, nsec3.hash, nsec3.iterations, nsec3.salt, nsec3.salt_length, name->ndata, name->length); if (length != isc_buffer_usedlength(&buffer)) continue; order = memcmp(hash, owner, length); if (order == 0) { found = dns_nsec3_typepresent(&rdata, dns_rdatatype_ns); dns_rdataset_disassociate(&set); return (found); } if ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) == 0) continue; /* * Does this optout span cover the name? */ scope = memcmp(owner, nsec3.next, nsec3.next_length); if ((scope < 0 && order > 0 && memcmp(hash, nsec3.next, length) < 0) || (scope >= 0 && (order > 0 || memcmp(hash, nsec3.next, length) < 0))) { dns_rdataset_disassociate(&set); return (ISC_TRUE); } } dns_rdataset_disassociate(&set); } return (found); } /*% * We have been asked to to look for a key. * If found resume the validation process. * If not found fail the validation process. */ static void fetch_callback_validator(isc_task_t *task, isc_event_t *event) { dns_fetchevent_t *devent; dns_validator_t *val; dns_rdataset_t *rdataset; isc_boolean_t want_destroy; isc_result_t result; isc_result_t eresult; UNUSED(task); INSIST(event->ev_type == DNS_EVENT_FETCHDONE); devent = (dns_fetchevent_t *)event; val = devent->ev_arg; rdataset = &val->frdataset; eresult = devent->result; /* Free resources which are not of interest. */ if (devent->node != NULL) dns_db_detachnode(devent->db, &devent->node); if (devent->db != NULL) dns_db_detach(&devent->db); if (dns_rdataset_isassociated(&val->fsigrdataset)) dns_rdataset_disassociate(&val->fsigrdataset); isc_event_free(&event); dns_resolver_destroyfetch(&val->fetch); INSIST(val->event != NULL); validator_log(val, ISC_LOG_DEBUG(3), "in fetch_callback_validator"); LOCK(&val->lock); if (CANCELED(val)) { validator_done(val, ISC_R_CANCELED); } else if (eresult == ISC_R_SUCCESS) { validator_log(val, ISC_LOG_DEBUG(3), "keyset with trust %d", rdataset->trust); /* * Only extract the dst key if the keyset is secure. */ if (rdataset->trust >= dns_trust_secure) { result = get_dst_key(val, val->siginfo, rdataset); if (result == ISC_R_SUCCESS) val->keyset = &val->frdataset; } result = validate(val, ISC_TRUE); if (result != DNS_R_WAIT) validator_done(val, result); } else { validator_log(val, ISC_LOG_DEBUG(3), "fetch_callback_validator: got %s", isc_result_totext(eresult)); if (eresult == ISC_R_CANCELED) validator_done(val, eresult); else - validator_done(val, DNS_R_NOVALIDKEY); + validator_done(val, DNS_R_BROKENCHAIN); } want_destroy = exit_check(val); UNLOCK(&val->lock); if (want_destroy) destroy(val); } /*% * We were asked to look for a DS record as part of following a key chain * upwards. If found resume the validation process. If not found fail the * validation process. */ static void dsfetched(isc_task_t *task, isc_event_t *event) { dns_fetchevent_t *devent; dns_validator_t *val; dns_rdataset_t *rdataset; isc_boolean_t want_destroy; isc_result_t result; isc_result_t eresult; UNUSED(task); INSIST(event->ev_type == DNS_EVENT_FETCHDONE); devent = (dns_fetchevent_t *)event; val = devent->ev_arg; rdataset = &val->frdataset; eresult = devent->result; /* Free resources which are not of interest. */ if (devent->node != NULL) dns_db_detachnode(devent->db, &devent->node); if (devent->db != NULL) dns_db_detach(&devent->db); if (dns_rdataset_isassociated(&val->fsigrdataset)) dns_rdataset_disassociate(&val->fsigrdataset); isc_event_free(&event); dns_resolver_destroyfetch(&val->fetch); INSIST(val->event != NULL); validator_log(val, ISC_LOG_DEBUG(3), "in dsfetched"); LOCK(&val->lock); if (CANCELED(val)) { validator_done(val, ISC_R_CANCELED); } else if (eresult == ISC_R_SUCCESS) { validator_log(val, ISC_LOG_DEBUG(3), "dsset with trust %d", rdataset->trust); val->dsset = &val->frdataset; result = validatezonekey(val); if (result != DNS_R_WAIT) validator_done(val, result); } else if (eresult == DNS_R_NXRRSET || eresult == DNS_R_NCACHENXRRSET || eresult == DNS_R_SERVFAIL) /* RFC 1034 parent? */ { validator_log(val, ISC_LOG_DEBUG(3), "falling back to insecurity proof (%s)", dns_result_totext(eresult)); val->attributes |= VALATTR_INSECURITY; result = proveunsecure(val, ISC_FALSE, ISC_FALSE); if (result != DNS_R_WAIT) validator_done(val, result); } else { validator_log(val, ISC_LOG_DEBUG(3), "dsfetched: got %s", isc_result_totext(eresult)); if (eresult == ISC_R_CANCELED) validator_done(val, eresult); else - validator_done(val, DNS_R_NOVALIDDS); + validator_done(val, DNS_R_BROKENCHAIN); } want_destroy = exit_check(val); UNLOCK(&val->lock); if (want_destroy) destroy(val); } /*% * We were asked to look for the DS record as part of proving that a * name is unsecure. * * If the DS record doesn't exist and the query name corresponds to * a delegation point we are transitioning from a secure zone to a * unsecure zone. * * If the DS record exists it will be secure. We can continue looking * for the break point in the chain of trust. */ static void dsfetched2(isc_task_t *task, isc_event_t *event) { dns_fetchevent_t *devent; dns_validator_t *val; dns_name_t *tname; isc_boolean_t want_destroy; isc_result_t result; isc_result_t eresult; UNUSED(task); INSIST(event->ev_type == DNS_EVENT_FETCHDONE); devent = (dns_fetchevent_t *)event; val = devent->ev_arg; eresult = devent->result; /* Free resources which are not of interest. */ if (devent->node != NULL) dns_db_detachnode(devent->db, &devent->node); if (devent->db != NULL) dns_db_detach(&devent->db); if (dns_rdataset_isassociated(&val->fsigrdataset)) dns_rdataset_disassociate(&val->fsigrdataset); dns_resolver_destroyfetch(&val->fetch); INSIST(val->event != NULL); validator_log(val, ISC_LOG_DEBUG(3), "in dsfetched2: %s", dns_result_totext(eresult)); LOCK(&val->lock); if (CANCELED(val)) { validator_done(val, ISC_R_CANCELED); } else if (eresult == DNS_R_NXRRSET || eresult == DNS_R_NCACHENXRRSET) { /* * There is no DS. If this is a delegation, we're done. */ tname = dns_fixedname_name(&devent->foundname); if (isdelegation(tname, &val->frdataset, eresult)) { if (val->mustbesecure) { validator_log(val, ISC_LOG_WARNING, "must be secure failure"); validator_done(val, DNS_R_MUSTBESECURE); } else if (val->view->dlv == NULL || DLVTRIED(val)) { markanswer(val); validator_done(val, ISC_R_SUCCESS); } else { result = startfinddlvsep(val, tname); if (result != DNS_R_WAIT) validator_done(val, result); } } else { result = proveunsecure(val, ISC_FALSE, ISC_TRUE); if (result != DNS_R_WAIT) validator_done(val, result); } } else if (eresult == ISC_R_SUCCESS || eresult == DNS_R_NXDOMAIN || eresult == DNS_R_NCACHENXDOMAIN) { /* * There is a DS which may or may not be a zone cut. * In either case we are still in a secure zone resume * validation. */ result = proveunsecure(val, ISC_TF(eresult == ISC_R_SUCCESS), ISC_TRUE); if (result != DNS_R_WAIT) validator_done(val, result); } else { if (eresult == ISC_R_CANCELED) validator_done(val, eresult); else validator_done(val, DNS_R_NOVALIDDS); } isc_event_free(&event); want_destroy = exit_check(val); UNLOCK(&val->lock); if (want_destroy) destroy(val); } /*% * Callback from when a DNSKEY RRset has been validated. * * Resumes the stalled validation process. */ static void keyvalidated(isc_task_t *task, isc_event_t *event) { dns_validatorevent_t *devent; dns_validator_t *val; isc_boolean_t want_destroy; isc_result_t result; isc_result_t eresult; UNUSED(task); INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE); devent = (dns_validatorevent_t *)event; val = devent->ev_arg; eresult = devent->result; isc_event_free(&event); dns_validator_destroy(&val->subvalidator); INSIST(val->event != NULL); validator_log(val, ISC_LOG_DEBUG(3), "in keyvalidated"); LOCK(&val->lock); if (CANCELED(val)) { validator_done(val, ISC_R_CANCELED); } else if (eresult == ISC_R_SUCCESS) { validator_log(val, ISC_LOG_DEBUG(3), "keyset with trust %d", val->frdataset.trust); /* * Only extract the dst key if the keyset is secure. */ if (val->frdataset.trust >= dns_trust_secure) (void) get_dst_key(val, val->siginfo, &val->frdataset); result = validate(val, ISC_TRUE); if (result != DNS_R_WAIT) validator_done(val, result); } else { + if (eresult != DNS_R_BROKENCHAIN) { + if (dns_rdataset_isassociated(&val->frdataset)) + dns_rdataset_expire(&val->frdataset); + if (dns_rdataset_isassociated(&val->fsigrdataset)) + dns_rdataset_expire(&val->fsigrdataset); + } validator_log(val, ISC_LOG_DEBUG(3), "keyvalidated: got %s", isc_result_totext(eresult)); - validator_done(val, eresult); + validator_done(val, DNS_R_BROKENCHAIN); } want_destroy = exit_check(val); UNLOCK(&val->lock); if (want_destroy) destroy(val); } /*% * Callback when the DS record has been validated. * * Resumes validation of the zone key or the unsecure zone proof. */ static void dsvalidated(isc_task_t *task, isc_event_t *event) { dns_validatorevent_t *devent; dns_validator_t *val; isc_boolean_t want_destroy; isc_result_t result; isc_result_t eresult; UNUSED(task); INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE); devent = (dns_validatorevent_t *)event; val = devent->ev_arg; eresult = devent->result; isc_event_free(&event); dns_validator_destroy(&val->subvalidator); INSIST(val->event != NULL); validator_log(val, ISC_LOG_DEBUG(3), "in dsvalidated"); LOCK(&val->lock); if (CANCELED(val)) { validator_done(val, ISC_R_CANCELED); } else if (eresult == ISC_R_SUCCESS) { validator_log(val, ISC_LOG_DEBUG(3), "dsset with trust %d", val->frdataset.trust); if ((val->attributes & VALATTR_INSECURITY) != 0) result = proveunsecure(val, ISC_TRUE, ISC_TRUE); else result = validatezonekey(val); if (result != DNS_R_WAIT) validator_done(val, result); } else { + if (eresult != DNS_R_BROKENCHAIN) { + if (dns_rdataset_isassociated(&val->frdataset)) + dns_rdataset_expire(&val->frdataset); + if (dns_rdataset_isassociated(&val->fsigrdataset)) + dns_rdataset_expire(&val->fsigrdataset); + } validator_log(val, ISC_LOG_DEBUG(3), "dsvalidated: got %s", isc_result_totext(eresult)); - validator_done(val, eresult); + validator_done(val, DNS_R_BROKENCHAIN); } want_destroy = exit_check(val); UNLOCK(&val->lock); if (want_destroy) destroy(val); } /*% * Return ISC_R_SUCCESS if we can determine that the name doesn't exist * or we can determine whether there is data or not at the name. * If the name does not exist return the wildcard name. * * Return ISC_R_IGNORE when the NSEC is not the appropriate one. */ static isc_result_t nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname, dns_rdataset_t *nsecset, isc_boolean_t *exists, isc_boolean_t *data, dns_name_t *wild) { int order; dns_rdata_t rdata = DNS_RDATA_INIT; isc_result_t result; dns_namereln_t relation; unsigned int olabels, nlabels, labels; dns_rdata_nsec_t nsec; isc_boolean_t atparent; isc_boolean_t ns; isc_boolean_t soa; REQUIRE(exists != NULL); REQUIRE(data != NULL); REQUIRE(nsecset != NULL && nsecset->type == dns_rdatatype_nsec); result = dns_rdataset_first(nsecset); if (result != ISC_R_SUCCESS) { validator_log(val, ISC_LOG_DEBUG(3), "failure processing NSEC set"); return (result); } dns_rdataset_current(nsecset, &rdata); validator_log(val, ISC_LOG_DEBUG(3), "looking for relevant nsec"); relation = dns_name_fullcompare(name, nsecname, &order, &olabels); if (order < 0) { /* * The name is not within the NSEC range. */ validator_log(val, ISC_LOG_DEBUG(3), "NSEC does not cover name, before NSEC"); return (ISC_R_IGNORE); } if (order == 0) { /* * The names are the same. */ atparent = dns_rdatatype_atparent(val->event->type); ns = dns_nsec_typepresent(&rdata, dns_rdatatype_ns); soa = dns_nsec_typepresent(&rdata, dns_rdatatype_soa); if (ns && !soa) { if (!atparent) { /* * This NSEC record is from somewhere higher in * the DNS, and at the parent of a delegation. * It can not be legitimately used here. */ validator_log(val, ISC_LOG_DEBUG(3), "ignoring parent nsec"); return (ISC_R_IGNORE); } } else if (atparent && ns && soa) { /* * This NSEC record is from the child. * It can not be legitimately used here. */ validator_log(val, ISC_LOG_DEBUG(3), "ignoring child nsec"); return (ISC_R_IGNORE); } if (val->event->type == dns_rdatatype_cname || val->event->type == dns_rdatatype_nxt || val->event->type == dns_rdatatype_nsec || val->event->type == dns_rdatatype_key || !dns_nsec_typepresent(&rdata, dns_rdatatype_cname)) { *exists = ISC_TRUE; *data = dns_nsec_typepresent(&rdata, val->event->type); validator_log(val, ISC_LOG_DEBUG(3), "nsec proves name exists (owner) data=%d", *data); return (ISC_R_SUCCESS); } validator_log(val, ISC_LOG_DEBUG(3), "NSEC proves CNAME exists"); return (ISC_R_IGNORE); } if (relation == dns_namereln_subdomain && dns_nsec_typepresent(&rdata, dns_rdatatype_ns) && !dns_nsec_typepresent(&rdata, dns_rdatatype_soa)) { /* * This NSEC record is from somewhere higher in * the DNS, and at the parent of a delegation. * It can not be legitimately used here. */ validator_log(val, ISC_LOG_DEBUG(3), "ignoring parent nsec"); return (ISC_R_IGNORE); } result = dns_rdata_tostruct(&rdata, &nsec, NULL); if (result != ISC_R_SUCCESS) return (result); relation = dns_name_fullcompare(&nsec.next, name, &order, &nlabels); if (order == 0) { dns_rdata_freestruct(&nsec); validator_log(val, ISC_LOG_DEBUG(3), "ignoring nsec matches next name"); return (ISC_R_IGNORE); } if (order < 0 && !dns_name_issubdomain(nsecname, &nsec.next)) { /* * The name is not within the NSEC range. */ dns_rdata_freestruct(&nsec); validator_log(val, ISC_LOG_DEBUG(3), "ignoring nsec because name is past end of range"); return (ISC_R_IGNORE); } if (order > 0 && relation == dns_namereln_subdomain) { validator_log(val, ISC_LOG_DEBUG(3), "nsec proves name exist (empty)"); dns_rdata_freestruct(&nsec); *exists = ISC_TRUE; *data = ISC_FALSE; return (ISC_R_SUCCESS); } if (wild != NULL) { dns_name_t common; dns_name_init(&common, NULL); if (olabels > nlabels) { labels = dns_name_countlabels(nsecname); dns_name_getlabelsequence(nsecname, labels - olabels, olabels, &common); } else { labels = dns_name_countlabels(&nsec.next); dns_name_getlabelsequence(&nsec.next, labels - nlabels, nlabels, &common); } result = dns_name_concatenate(dns_wildcardname, &common, wild, NULL); if (result != ISC_R_SUCCESS) { dns_rdata_freestruct(&nsec); validator_log(val, ISC_LOG_DEBUG(3), "failure generating wildcard name"); return (result); } } dns_rdata_freestruct(&nsec); validator_log(val, ISC_LOG_DEBUG(3), "nsec range ok"); *exists = ISC_FALSE; return (ISC_R_SUCCESS); } static isc_result_t nsec3noexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsec3name, dns_rdataset_t *nsec3set, dns_name_t *zonename, isc_boolean_t *exists, isc_boolean_t *data, isc_boolean_t *optout, isc_boolean_t *unknown, isc_boolean_t *setclosest, isc_boolean_t *setnearest, dns_name_t *closest, dns_name_t *nearest) { char namebuf[DNS_NAME_FORMATSIZE]; dns_fixedname_t fzone; dns_fixedname_t qfixed; dns_label_t hashlabel; dns_name_t *qname; dns_name_t *zone; dns_rdata_nsec3_t nsec3; dns_rdata_t rdata = DNS_RDATA_INIT; int order; int scope; isc_boolean_t atparent; isc_boolean_t first; isc_boolean_t ns; isc_boolean_t soa; isc_buffer_t buffer; isc_result_t answer = ISC_R_IGNORE; isc_result_t result; unsigned char hash[NSEC3_MAX_HASH_LENGTH]; unsigned char owner[NSEC3_MAX_HASH_LENGTH]; unsigned int length; unsigned int qlabels; unsigned int zlabels; REQUIRE((exists == NULL && data == NULL) || (exists != NULL && data != NULL)); REQUIRE(nsec3set != NULL && nsec3set->type == dns_rdatatype_nsec3); REQUIRE((setclosest == NULL && closest == NULL) || (setclosest != NULL && closest != NULL)); REQUIRE((setnearest == NULL && nearest == NULL) || (setnearest != NULL && nearest != NULL)); result = dns_rdataset_first(nsec3set); if (result != ISC_R_SUCCESS) { validator_log(val, ISC_LOG_DEBUG(3), "failure processing NSEC3 set"); return (result); } dns_rdataset_current(nsec3set, &rdata); result = dns_rdata_tostruct(&rdata, &nsec3, NULL); if (result != ISC_R_SUCCESS) return (result); validator_log(val, ISC_LOG_DEBUG(3), "looking for relevant NSEC3"); dns_fixedname_init(&fzone); zone = dns_fixedname_name(&fzone); zlabels = dns_name_countlabels(nsec3name); /* * NSEC3 records must have two or more labels to be valid. */ if (zlabels < 2) return (ISC_R_IGNORE); /* * Strip off the NSEC3 hash to get the zone. */ zlabels--; dns_name_split(nsec3name, zlabels, NULL, zone); /* * If not below the zone name we can ignore this record. */ if (!dns_name_issubdomain(name, zone)) return (ISC_R_IGNORE); /* * Is this zone the same or deeper than the current zone? */ if (dns_name_countlabels(zonename) == 0 || dns_name_issubdomain(zone, zonename)) dns_name_copy(zone, zonename, NULL); if (!dns_name_equal(zone, zonename)) return (ISC_R_IGNORE); /* * Are we only looking for the most enclosing zone? */ if (exists == NULL || data == NULL) return (ISC_R_SUCCESS); /* * Only set unknown once we are sure that this NSEC3 is from * the deepest covering zone. */ if (!dns_nsec3_supportedhash(nsec3.hash)) { if (unknown != NULL) *unknown = ISC_TRUE; return (ISC_R_IGNORE); } /* * Recover the hash from the first label. */ dns_name_getlabel(nsec3name, 0, &hashlabel); isc_region_consume(&hashlabel, 1); isc_buffer_init(&buffer, owner, sizeof(owner)); result = isc_base32hex_decoderegion(&hashlabel, &buffer); if (result != ISC_R_SUCCESS) return (result); /* * The hash lengths should match. If not ignore the record. */ if (isc_buffer_usedlength(&buffer) != nsec3.next_length) return (ISC_R_IGNORE); /* * Work out what this NSEC3 covers. * Inside (<0) or outside (>=0). */ scope = memcmp(owner, nsec3.next, nsec3.next_length); /* * Prepare to compute all the hashes. */ dns_fixedname_init(&qfixed); qname = dns_fixedname_name(&qfixed); dns_name_downcase(name, qname, NULL); qlabels = dns_name_countlabels(qname); first = ISC_TRUE; while (qlabels >= zlabels) { length = isc_iterated_hash(hash, nsec3.hash, nsec3.iterations, nsec3.salt, nsec3.salt_length, qname->ndata, qname->length); /* * The computed hash length should match. */ if (length != nsec3.next_length) { validator_log(val, ISC_LOG_DEBUG(3), "ignoring NSEC bad length %u vs %u", length, nsec3.next_length); return (ISC_R_IGNORE); } order = memcmp(hash, owner, length); if (first && order == 0) { /* * The hashes are the same. */ atparent = dns_rdatatype_atparent(val->event->type); ns = dns_nsec3_typepresent(&rdata, dns_rdatatype_ns); soa = dns_nsec3_typepresent(&rdata, dns_rdatatype_soa); if (ns && !soa) { if (!atparent) { /* * This NSEC record is from somewhere * higher in the DNS, and at the * parent of a delegation. It can not * be legitimately used here. */ validator_log(val, ISC_LOG_DEBUG(3), "ignoring parent NSEC3"); return (ISC_R_IGNORE); } } else if (atparent && ns && soa) { /* * This NSEC record is from the child. * It can not be legitimately used here. */ validator_log(val, ISC_LOG_DEBUG(3), "ignoring child NSEC3"); return (ISC_R_IGNORE); } if (val->event->type == dns_rdatatype_cname || val->event->type == dns_rdatatype_nxt || val->event->type == dns_rdatatype_nsec || val->event->type == dns_rdatatype_key || !dns_nsec3_typepresent(&rdata, dns_rdatatype_cname)) { *exists = ISC_TRUE; *data = dns_nsec3_typepresent(&rdata, val->event->type); validator_log(val, ISC_LOG_DEBUG(3), "NSEC3 proves name exists (owner) " "data=%d", *data); return (ISC_R_SUCCESS); } validator_log(val, ISC_LOG_DEBUG(3), "NSEC3 proves CNAME exists"); return (ISC_R_IGNORE); } if (order == 0 && dns_nsec3_typepresent(&rdata, dns_rdatatype_ns) && !dns_nsec3_typepresent(&rdata, dns_rdatatype_soa)) { /* * This NSEC3 record is from somewhere higher in * the DNS, and at the parent of a delegation. * It can not be legitimately used here. */ validator_log(val, ISC_LOG_DEBUG(3), "ignoring parent NSEC3"); return (ISC_R_IGNORE); } /* * Potential closest encloser. */ if (order == 0) { if (closest != NULL && (dns_name_countlabels(closest) == 0 || dns_name_issubdomain(qname, closest)) && !dns_nsec3_typepresent(&rdata, dns_rdatatype_ds) && !dns_nsec3_typepresent(&rdata, dns_rdatatype_dname) && (dns_nsec3_typepresent(&rdata, dns_rdatatype_soa) || !dns_nsec3_typepresent(&rdata, dns_rdatatype_ns))) { dns_name_format(qname, namebuf, sizeof(namebuf)); validator_log(val, ISC_LOG_DEBUG(3), "NSEC3 indicates potential " "closest encloser: '%s'", namebuf); dns_name_copy(qname, closest, NULL); *setclosest = ISC_TRUE; } dns_name_format(qname, namebuf, sizeof(namebuf)); validator_log(val, ISC_LOG_DEBUG(3), "NSEC3 at super-domain %s", namebuf); return (answer); } /* * Find if the name does not exist. * * We continue as we need to find the name closest to the * closest encloser that doesn't exist. * * We also need to continue to ensure that we are not * proving the non-existence of a record in a sub-zone. * If that would be the case we will return ISC_R_IGNORE * above. */ if ((scope < 0 && order > 0 && memcmp(hash, nsec3.next, length) < 0) || (scope >= 0 && (order > 0 || memcmp(hash, nsec3.next, length) < 0))) { char namebuf[DNS_NAME_FORMATSIZE]; dns_name_format(qname, namebuf, sizeof(namebuf)); validator_log(val, ISC_LOG_DEBUG(3), "NSEC3 proves " "name does not exist: '%s'", namebuf); if (nearest != NULL && (dns_name_countlabels(nearest) == 0 || dns_name_issubdomain(nearest, qname))) { dns_name_copy(qname, nearest, NULL); *setnearest = ISC_TRUE; } #if 0 /* * The closest encloser may be the zone name. */ if (closest != NULL && dns_name_countlabels(closest) == 0 && !dns_nsec3_typepresent(&rdata, dns_rdatatype_ds) && !dns_nsec3_typepresent(&rdata, dns_rdatatype_dname) && (dns_nsec3_typepresent(&rdata, dns_rdatatype_soa) || !dns_nsec3_typepresent(&rdata, dns_rdatatype_ns))) { char namebuf[DNS_NAME_FORMATSIZE]; dns_name_format(zone, namebuf, sizeof(namebuf)); validator_log(val, ISC_LOG_DEBUG(3), "NSEC3 potential closest " "encloser from zone name: '%s'", namebuf); dns_name_copy(zone, closest, NULL); *setclosest = ISC_TRUE; } #endif *exists = ISC_FALSE; *data = ISC_FALSE; if (optout != NULL) { if ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0) validator_log(val, ISC_LOG_DEBUG(3), "NSEC3 indicates optout"); *optout = ISC_TF(nsec3.flags & DNS_NSEC3FLAG_OPTOUT); } answer = ISC_R_SUCCESS; } qlabels--; if (qlabels > 0) dns_name_split(qname, qlabels, NULL, qname); first = ISC_FALSE; } return (answer); } /*% * Callback for when NSEC records have been validated. * * Looks for NOQNAME, NODATA and OPTOUT proofs. * * Resumes nsecvalidate. */ static void authvalidated(isc_task_t *task, isc_event_t *event) { dns_validatorevent_t *devent; dns_validator_t *val; dns_rdataset_t *rdataset; dns_rdataset_t *sigrdataset; isc_boolean_t want_destroy; isc_result_t result; isc_boolean_t exists, data; UNUSED(task); INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE); devent = (dns_validatorevent_t *)event; rdataset = devent->rdataset; sigrdataset = devent->sigrdataset; val = devent->ev_arg; result = devent->result; dns_validator_destroy(&val->subvalidator); INSIST(val->event != NULL); validator_log(val, ISC_LOG_DEBUG(3), "in authvalidated"); LOCK(&val->lock); if (CANCELED(val)) { validator_done(val, ISC_R_CANCELED); } else if (result != ISC_R_SUCCESS) { validator_log(val, ISC_LOG_DEBUG(3), "authvalidated: got %s", isc_result_totext(result)); + if (result == DNS_R_BROKENCHAIN) + val->authfail++; if (result == ISC_R_CANCELED) validator_done(val, result); else { result = nsecvalidate(val, ISC_TRUE); if (result != DNS_R_WAIT) validator_done(val, result); } } else { dns_name_t **proofs = val->event->proofs; dns_name_t *wild = dns_fixedname_name(&val->wild); if (rdataset->trust == dns_trust_secure) val->seensig = ISC_TRUE; if (rdataset->type == dns_rdatatype_nsec && rdataset->trust == dns_trust_secure && ((val->attributes & VALATTR_NEEDNODATA) != 0 || (val->attributes & VALATTR_NEEDNOQNAME) != 0) && (val->attributes & VALATTR_FOUNDNODATA) == 0 && (val->attributes & VALATTR_FOUNDNOQNAME) == 0 && nsecnoexistnodata(val, val->event->name, devent->name, rdataset, &exists, &data, wild) == ISC_R_SUCCESS) { if (exists && !data) { val->attributes |= VALATTR_FOUNDNODATA; if (NEEDNODATA(val)) proofs[DNS_VALIDATOR_NODATAPROOF] = devent->name; } if (!exists) { val->attributes |= VALATTR_FOUNDNOQNAME; val->attributes |= VALATTR_FOUNDCLOSEST; /* * The NSEC noqname proof also contains * the closest encloser. */ if (NEEDNOQNAME(val)) proofs[DNS_VALIDATOR_NOQNAMEPROOF] = devent->name; } } result = nsecvalidate(val, ISC_TRUE); if (result != DNS_R_WAIT) validator_done(val, result); } want_destroy = exit_check(val); UNLOCK(&val->lock); if (want_destroy) destroy(val); /* * Free stuff from the event. */ isc_event_free(&event); } /*% * Looks for the requested name and type in the view (zones and cache). * * When looking for a DLV record also checks to make sure the NSEC record * returns covers the query name as part of aggressive negative caching. * * Returns: * \li ISC_R_SUCCESS * \li ISC_R_NOTFOUND * \li DNS_R_NCACHENXDOMAIN * \li DNS_R_NCACHENXRRSET * \li DNS_R_NXRRSET * \li DNS_R_NXDOMAIN + * \li DNS_R_BROKENCHAIN */ static inline isc_result_t view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) { dns_fixedname_t fixedname; dns_name_t *foundname; dns_rdata_nsec_t nsec; dns_rdata_t rdata = DNS_RDATA_INIT; isc_result_t result; unsigned int options; + isc_time_t now; char buf1[DNS_NAME_FORMATSIZE]; char buf2[DNS_NAME_FORMATSIZE]; char buf3[DNS_NAME_FORMATSIZE]; + char namebuf[DNS_NAME_FORMATSIZE]; + char typebuf[DNS_RDATATYPE_FORMATSIZE]; if (dns_rdataset_isassociated(&val->frdataset)) dns_rdataset_disassociate(&val->frdataset); if (dns_rdataset_isassociated(&val->fsigrdataset)) dns_rdataset_disassociate(&val->fsigrdataset); if (val->view->zonetable == NULL) return (ISC_R_CANCELED); + if (isc_time_now(&now) == ISC_R_SUCCESS && + dns_resolver_getbadcache(val->view->resolver, name, type, &now)) { + + dns_name_format(name, namebuf, sizeof(namebuf)); + dns_rdatatype_format(type, typebuf, sizeof(typebuf)); + validator_log(val, ISC_LOG_INFO, "bad cache hit (%s/%s)", + namebuf, typebuf); + return (DNS_R_BROKENCHAIN); + } + options = DNS_DBFIND_PENDINGOK; if (type == dns_rdatatype_dlv) options |= DNS_DBFIND_COVERINGNSEC; dns_fixedname_init(&fixedname); foundname = dns_fixedname_name(&fixedname); result = dns_view_find(val->view, name, type, 0, options, ISC_FALSE, NULL, NULL, foundname, &val->frdataset, &val->fsigrdataset); + if (result == DNS_R_NXDOMAIN) { if (dns_rdataset_isassociated(&val->frdataset)) dns_rdataset_disassociate(&val->frdataset); if (dns_rdataset_isassociated(&val->fsigrdataset)) dns_rdataset_disassociate(&val->fsigrdataset); } else if (result == DNS_R_COVERINGNSEC) { validator_log(val, ISC_LOG_DEBUG(3), "DNS_R_COVERINGNSEC"); /* * Check if the returned NSEC covers the name. */ INSIST(type == dns_rdatatype_dlv); if (val->frdataset.trust != dns_trust_secure) { validator_log(val, ISC_LOG_DEBUG(3), "covering nsec: trust %u", val->frdataset.trust); goto notfound; } result = dns_rdataset_first(&val->frdataset); if (result != ISC_R_SUCCESS) goto notfound; dns_rdataset_current(&val->frdataset, &rdata); if (dns_nsec_typepresent(&rdata, dns_rdatatype_ns) && !dns_nsec_typepresent(&rdata, dns_rdatatype_soa)) { /* Parent NSEC record. */ if (dns_name_issubdomain(name, foundname)) { validator_log(val, ISC_LOG_DEBUG(3), "covering nsec: for parent"); goto notfound; } } result = dns_rdata_tostruct(&rdata, &nsec, NULL); if (result != ISC_R_SUCCESS) goto notfound; if (dns_name_compare(foundname, &nsec.next) >= 0) { /* End of zone chain. */ if (!dns_name_issubdomain(name, &nsec.next)) { /* * XXXMPA We could look for a parent NSEC * at nsec.next and if found retest with * this NSEC. */ dns_rdata_freestruct(&nsec); validator_log(val, ISC_LOG_DEBUG(3), "covering nsec: not in zone"); goto notfound; } } else if (dns_name_compare(name, &nsec.next) >= 0) { /* * XXXMPA We could check if this NSEC is at a zone * apex and if the qname is not below it and look for * a parent NSEC with the same name. This requires * that we can cache both NSEC records which we * currently don't support. */ dns_rdata_freestruct(&nsec); validator_log(val, ISC_LOG_DEBUG(3), "covering nsec: not in range"); goto notfound; } if (isc_log_wouldlog(dns_lctx,ISC_LOG_DEBUG(3))) { dns_name_format(name, buf1, sizeof buf1); dns_name_format(foundname, buf2, sizeof buf2); dns_name_format(&nsec.next, buf3, sizeof buf3); validator_log(val, ISC_LOG_DEBUG(3), "covering nsec found: '%s' '%s' '%s'", buf1, buf2, buf3); } if (dns_rdataset_isassociated(&val->frdataset)) dns_rdataset_disassociate(&val->frdataset); if (dns_rdataset_isassociated(&val->fsigrdataset)) dns_rdataset_disassociate(&val->fsigrdataset); dns_rdata_freestruct(&nsec); result = DNS_R_NCACHENXDOMAIN; } else if (result != ISC_R_SUCCESS && result != DNS_R_NCACHENXDOMAIN && result != DNS_R_NCACHENXRRSET && result != DNS_R_EMPTYNAME && result != DNS_R_NXRRSET && result != ISC_R_NOTFOUND) { goto notfound; } return (result); notfound: if (dns_rdataset_isassociated(&val->frdataset)) dns_rdataset_disassociate(&val->frdataset); if (dns_rdataset_isassociated(&val->fsigrdataset)) dns_rdataset_disassociate(&val->fsigrdataset); return (ISC_R_NOTFOUND); } /*% * Checks to make sure we are not going to loop. As we use a SHARED fetch * the validation process will stall if looping was to occur. */ static inline isc_boolean_t check_deadlock(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { dns_validator_t *parent; for (parent = val; parent != NULL; parent = parent->parent) { if (parent->event != NULL && parent->event->type == type && dns_name_equal(parent->event->name, name) && /* * As NSEC3 records are meta data you sometimes * need to prove a NSEC3 record which says that * itself doesn't exist. */ (parent->event->type != dns_rdatatype_nsec3 || rdataset == NULL || sigrdataset == NULL || parent->event->message == NULL || parent->event->rdataset != NULL || parent->event->sigrdataset != NULL)) { validator_log(val, ISC_LOG_DEBUG(3), "continuing validation would lead to " "deadlock: aborting validation"); return (ISC_TRUE); } } return (ISC_FALSE); } /*% * Start a fetch for the requested name and type. */ static inline isc_result_t create_fetch(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type, isc_taskaction_t callback, const char *caller) { if (dns_rdataset_isassociated(&val->frdataset)) dns_rdataset_disassociate(&val->frdataset); if (dns_rdataset_isassociated(&val->fsigrdataset)) dns_rdataset_disassociate(&val->fsigrdataset); if (check_deadlock(val, name, type, NULL, NULL)) return (DNS_R_NOVALIDSIG); validator_logcreate(val, name, type, caller, "fetch"); return (dns_resolver_createfetch(val->view->resolver, name, type, NULL, NULL, NULL, 0, val->event->ev_sender, callback, val, &val->frdataset, &val->fsigrdataset, &val->fetch)); } /*% * Start a subvalidation process. */ static inline isc_result_t create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, isc_taskaction_t action, const char *caller) { isc_result_t result; if (check_deadlock(val, name, type, rdataset, sigrdataset)) return (DNS_R_NOVALIDSIG); validator_logcreate(val, name, type, caller, "validator"); result = dns_validator_create(val->view, name, type, rdataset, sigrdataset, NULL, 0, val->task, action, val, &val->subvalidator); if (result == ISC_R_SUCCESS) { val->subvalidator->parent = val; val->subvalidator->depth = val->depth + 1; } return (result); } /*% * Try to find a key that could have signed 'siginfo' among those * in 'rdataset'. If found, build a dst_key_t for it and point * val->key at it. * * If val->key is non-NULL, this returns the next matching key. */ static isc_result_t get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo, dns_rdataset_t *rdataset) { isc_result_t result; isc_buffer_t b; dns_rdata_t rdata = DNS_RDATA_INIT; dst_key_t *oldkey = val->key; isc_boolean_t foundold; if (oldkey == NULL) foundold = ISC_TRUE; else { foundold = ISC_FALSE; val->key = NULL; } result = dns_rdataset_first(rdataset); if (result != ISC_R_SUCCESS) goto failure; do { dns_rdataset_current(rdataset, &rdata); isc_buffer_init(&b, rdata.data, rdata.length); isc_buffer_add(&b, rdata.length); INSIST(val->key == NULL); result = dst_key_fromdns(&siginfo->signer, rdata.rdclass, &b, val->view->mctx, &val->key); if (result != ISC_R_SUCCESS) goto failure; if (siginfo->algorithm == (dns_secalg_t)dst_key_alg(val->key) && siginfo->keyid == (dns_keytag_t)dst_key_id(val->key) && dst_key_iszonekey(val->key)) { if (foundold) /* * This is the key we're looking for. */ return (ISC_R_SUCCESS); else if (dst_key_compare(oldkey, val->key) == ISC_TRUE) { foundold = ISC_TRUE; dst_key_free(&oldkey); } } dst_key_free(&val->key); dns_rdata_reset(&rdata); result = dns_rdataset_next(rdataset); } while (result == ISC_R_SUCCESS); if (result == ISC_R_NOMORE) result = ISC_R_NOTFOUND; failure: if (oldkey != NULL) dst_key_free(&oldkey); return (result); } /*% * Get the key that generated this signature. */ static isc_result_t get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) { isc_result_t result; unsigned int nlabels; int order; dns_namereln_t namereln; /* * Is the signer name appropriate for this signature? * * The signer name must be at the same level as the owner name * or closer to the DNS root. */ namereln = dns_name_fullcompare(val->event->name, &siginfo->signer, &order, &nlabels); if (namereln != dns_namereln_subdomain && namereln != dns_namereln_equal) return (DNS_R_CONTINUE); if (namereln == dns_namereln_equal) { /* * If this is a self-signed keyset, it must not be a zone key * (since get_key is not called from validatezonekey). */ if (val->event->rdataset->type == dns_rdatatype_dnskey) return (DNS_R_CONTINUE); /* * Records appearing in the parent zone at delegation * points cannot be self-signed. */ if (dns_rdatatype_atparent(val->event->rdataset->type)) return (DNS_R_CONTINUE); } else { /* * SOA and NS RRsets can only be signed by a key with * the same name. */ if (val->event->rdataset->type == dns_rdatatype_soa || val->event->rdataset->type == dns_rdatatype_ns) { const char *typename; if (val->event->rdataset->type == dns_rdatatype_soa) typename = "SOA"; else typename = "NS"; validator_log(val, ISC_LOG_DEBUG(3), "%s signer mismatch", typename); return (DNS_R_CONTINUE); } } /* * Do we know about this key? */ result = view_find(val, &siginfo->signer, dns_rdatatype_dnskey); if (result == ISC_R_SUCCESS) { /* * We have an rrset for the given keyname. */ val->keyset = &val->frdataset; if (DNS_TRUST_PENDING(val->frdataset.trust) && dns_rdataset_isassociated(&val->fsigrdataset)) { /* * We know the key but haven't validated it yet. */ result = create_validator(val, &siginfo->signer, dns_rdatatype_dnskey, &val->frdataset, &val->fsigrdataset, keyvalidated, "get_key"); if (result != ISC_R_SUCCESS) return (result); return (DNS_R_WAIT); } else if (DNS_TRUST_PENDING(val->frdataset.trust)) { /* * Having a pending key with no signature means that * something is broken. */ result = DNS_R_CONTINUE; } else if (val->frdataset.trust < dns_trust_secure) { /* * The key is legitimately insecure. There's no * point in even attempting verification. */ val->key = NULL; result = ISC_R_SUCCESS; } else { /* * See if we've got the key used in the signature. */ validator_log(val, ISC_LOG_DEBUG(3), "keyset with trust %d", val->frdataset.trust); result = get_dst_key(val, siginfo, val->keyset); if (result != ISC_R_SUCCESS) { /* * Either the key we're looking for is not * in the rrset, or something bad happened. * Give up. */ result = DNS_R_CONTINUE; } } } else if (result == ISC_R_NOTFOUND) { /* * We don't know anything about this key. */ - result = create_fetch(val, &siginfo->signer, dns_rdatatype_dnskey, + result = create_fetch(val, &siginfo->signer, + dns_rdatatype_dnskey, fetch_callback_validator, "get_key"); if (result != ISC_R_SUCCESS) return (result); return (DNS_R_WAIT); } else if (result == DNS_R_NCACHENXDOMAIN || result == DNS_R_NCACHENXRRSET || result == DNS_R_EMPTYNAME || result == DNS_R_NXDOMAIN || result == DNS_R_NXRRSET) { /* * This key doesn't exist. */ result = DNS_R_CONTINUE; - } + } else if (result == DNS_R_BROKENCHAIN) + return (result); if (dns_rdataset_isassociated(&val->frdataset) && val->keyset != &val->frdataset) dns_rdataset_disassociate(&val->frdataset); if (dns_rdataset_isassociated(&val->fsigrdataset)) dns_rdataset_disassociate(&val->fsigrdataset); return (result); } static dns_keytag_t compute_keytag(dns_rdata_t *rdata, dns_rdata_dnskey_t *key) { isc_region_t r; dns_rdata_toregion(rdata, &r); return (dst_region_computeid(&r, key->algorithm)); } /*% * Is this keyset self-signed? */ static isc_boolean_t isselfsigned(dns_validator_t *val) { dns_rdataset_t *rdataset, *sigrdataset; dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdata_t sigrdata = DNS_RDATA_INIT; dns_rdata_dnskey_t key; dns_rdata_rrsig_t sig; dns_keytag_t keytag; isc_result_t result; rdataset = val->event->rdataset; sigrdataset = val->event->sigrdataset; INSIST(rdataset->type == dns_rdatatype_dnskey); for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS; result = dns_rdataset_next(rdataset)) { dns_rdata_reset(&rdata); dns_rdataset_current(rdataset, &rdata); result = dns_rdata_tostruct(&rdata, &key, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); keytag = compute_keytag(&rdata, &key); for (result = dns_rdataset_first(sigrdataset); result == ISC_R_SUCCESS; result = dns_rdataset_next(sigrdataset)) { dns_rdata_reset(&sigrdata); dns_rdataset_current(sigrdataset, &sigrdata); result = dns_rdata_tostruct(&sigrdata, &sig, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); if (sig.algorithm == key.algorithm && sig.keyid == keytag) return (ISC_TRUE); } } return (ISC_FALSE); } /*% * Attempt to verify the rdataset using the given key and rdata (RRSIG). * The signature was good and from a wildcard record and the QNAME does * not match the wildcard we need to look for a NOQNAME proof. * * Returns: * \li ISC_R_SUCCESS if the verification succeeds. * \li Others if the verification fails. */ static isc_result_t verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata, isc_uint16_t keyid) { isc_result_t result; dns_fixedname_t fixed; isc_boolean_t ignore = ISC_FALSE; val->attributes |= VALATTR_TRIEDVERIFY; dns_fixedname_init(&fixed); again: result = dns_dnssec_verify2(val->event->name, val->event->rdataset, key, ignore, val->view->mctx, rdata, dns_fixedname_name(&fixed)); if (result == DNS_R_SIGEXPIRED && val->view->acceptexpired) { ignore = ISC_TRUE; goto again; } if (ignore && (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD)) validator_log(val, ISC_LOG_INFO, "accepted expired %sRRSIG (keyid=%u)", (result == DNS_R_FROMWILDCARD) ? "wildcard " : "", keyid); else validator_log(val, ISC_LOG_DEBUG(3), "verify rdataset (keyid=%u): %s", keyid, isc_result_totext(result)); if (result == DNS_R_FROMWILDCARD) { if (!dns_name_equal(val->event->name, dns_fixedname_name(&fixed))) val->attributes |= VALATTR_NEEDNOQNAME; result = ISC_R_SUCCESS; } return (result); } /*% * Attempts positive response validation of a normal RRset. * * Returns: * \li ISC_R_SUCCESS Validation completed successfully * \li DNS_R_WAIT Validation has started but is waiting * for an event. * \li Other return codes are possible and all indicate failure. */ static isc_result_t validate(dns_validator_t *val, isc_boolean_t resume) { isc_result_t result; dns_validatorevent_t *event; dns_rdata_t rdata = DNS_RDATA_INIT; /* * Caller must be holding the validator lock. */ event = val->event; if (resume) { /* * We already have a sigrdataset. */ result = ISC_R_SUCCESS; validator_log(val, ISC_LOG_DEBUG(3), "resuming validate"); } else { result = dns_rdataset_first(event->sigrdataset); } for (; result == ISC_R_SUCCESS; result = dns_rdataset_next(event->sigrdataset)) { dns_rdata_reset(&rdata); dns_rdataset_current(event->sigrdataset, &rdata); if (val->siginfo == NULL) { val->siginfo = isc_mem_get(val->view->mctx, sizeof(*val->siginfo)); if (val->siginfo == NULL) return (ISC_R_NOMEMORY); } result = dns_rdata_tostruct(&rdata, val->siginfo, NULL); if (result != ISC_R_SUCCESS) return (result); /* * At this point we could check that the signature algorithm * was known and "sufficiently good". */ if (!dns_resolver_algorithm_supported(val->view->resolver, event->name, val->siginfo->algorithm)) continue; if (!resume) { result = get_key(val, val->siginfo); if (result == DNS_R_CONTINUE) continue; /* Try the next SIG RR. */ if (result != ISC_R_SUCCESS) return (result); } /* * The key is insecure, so mark the data as insecure also. */ if (val->key == NULL) { if (val->mustbesecure) { validator_log(val, ISC_LOG_WARNING, "must be secure failure"); return (DNS_R_MUSTBESECURE); } markanswer(val); return (ISC_R_SUCCESS); } do { result = verify(val, val->key, &rdata, val->siginfo->keyid); if (result == ISC_R_SUCCESS) break; if (val->keynode != NULL) { dns_keynode_t *nextnode = NULL; result = dns_keytable_findnextkeynode( val->keytable, val->keynode, &nextnode); dns_keytable_detachkeynode(val->keytable, &val->keynode); val->keynode = nextnode; if (result != ISC_R_SUCCESS) { val->key = NULL; break; } val->key = dns_keynode_key(val->keynode); } else { if (get_dst_key(val, val->siginfo, val->keyset) != ISC_R_SUCCESS) break; } } while (1); if (result != ISC_R_SUCCESS) validator_log(val, ISC_LOG_DEBUG(3), "failed to verify rdataset"); else { isc_uint32_t ttl; isc_stdtime_t now; isc_stdtime_get(&now); ttl = ISC_MIN(event->rdataset->ttl, val->siginfo->timeexpire - now); if (val->keyset != NULL) ttl = ISC_MIN(ttl, val->keyset->ttl); event->rdataset->ttl = ttl; event->sigrdataset->ttl = ttl; } if (val->keynode != NULL) dns_keytable_detachkeynode(val->keytable, &val->keynode); else { if (val->key != NULL) dst_key_free(&val->key); if (val->keyset != NULL) { dns_rdataset_disassociate(val->keyset); val->keyset = NULL; } } val->key = NULL; if ((val->attributes & VALATTR_NEEDNOQNAME) != 0) { if (val->event->message == NULL) { validator_log(val, ISC_LOG_DEBUG(3), "no message available for noqname proof"); return (DNS_R_NOVALIDSIG); } validator_log(val, ISC_LOG_DEBUG(3), "looking for noqname proof"); return (nsecvalidate(val, ISC_FALSE)); } else if (result == ISC_R_SUCCESS) { - event->rdataset->trust = dns_trust_secure; - event->sigrdataset->trust = dns_trust_secure; + marksecure(event); validator_log(val, ISC_LOG_DEBUG(3), "marking as secure"); return (result); } else { validator_log(val, ISC_LOG_DEBUG(3), "verify failure: %s", isc_result_totext(result)); resume = ISC_FALSE; } } if (result != ISC_R_NOMORE) { validator_log(val, ISC_LOG_DEBUG(3), "failed to iterate signatures: %s", isc_result_totext(result)); return (result); } validator_log(val, ISC_LOG_INFO, "no valid signature found"); return (DNS_R_NOVALIDSIG); } /*% * Validate the DNSKEY RRset by looking for a DNSKEY that matches a * DLV record and that also verifies the DNSKEY RRset. */ static isc_result_t dlv_validatezonekey(dns_validator_t *val) { dns_keytag_t keytag; dns_rdata_dlv_t dlv; dns_rdata_dnskey_t key; dns_rdata_rrsig_t sig; dns_rdata_t dlvrdata = DNS_RDATA_INIT; dns_rdata_t keyrdata = DNS_RDATA_INIT; dns_rdata_t newdsrdata = DNS_RDATA_INIT; dns_rdata_t sigrdata = DNS_RDATA_INIT; dns_rdataset_t trdataset; dst_key_t *dstkey; isc_boolean_t supported_algorithm; isc_result_t result; unsigned char dsbuf[DNS_DS_BUFFERSIZE]; isc_uint8_t digest_type; validator_log(val, ISC_LOG_DEBUG(3), "dlv_validatezonekey"); /* * Look through the DLV record and find the keys that can sign the * key set and the matching signature. For each such key, attempt * verification. */ supported_algorithm = ISC_FALSE; /* * If DNS_DSDIGEST_SHA256 is present we are required to prefer * it over DNS_DSDIGEST_SHA1. This in practice means that we * need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256 * is present. */ digest_type = DNS_DSDIGEST_SHA1; for (result = dns_rdataset_first(&val->dlv); result == ISC_R_SUCCESS; result = dns_rdataset_next(&val->dlv)) { dns_rdata_reset(&dlvrdata); dns_rdataset_current(&val->dlv, &dlvrdata); result = dns_rdata_tostruct(&dlvrdata, &dlv, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); if (!dns_resolver_algorithm_supported(val->view->resolver, val->event->name, dlv.algorithm)) continue; if (dlv.digest_type == DNS_DSDIGEST_SHA256 && dlv.length == ISC_SHA256_DIGESTLENGTH) { digest_type = DNS_DSDIGEST_SHA256; break; } } for (result = dns_rdataset_first(&val->dlv); result == ISC_R_SUCCESS; result = dns_rdataset_next(&val->dlv)) { dns_rdata_reset(&dlvrdata); dns_rdataset_current(&val->dlv, &dlvrdata); result = dns_rdata_tostruct(&dlvrdata, &dlv, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); if (!dns_resolver_digest_supported(val->view->resolver, dlv.digest_type)) continue; if (dlv.digest_type != digest_type) continue; if (!dns_resolver_algorithm_supported(val->view->resolver, val->event->name, dlv.algorithm)) continue; supported_algorithm = ISC_TRUE; dns_rdataset_init(&trdataset); dns_rdataset_clone(val->event->rdataset, &trdataset); for (result = dns_rdataset_first(&trdataset); result == ISC_R_SUCCESS; result = dns_rdataset_next(&trdataset)) { dns_rdata_reset(&keyrdata); dns_rdataset_current(&trdataset, &keyrdata); result = dns_rdata_tostruct(&keyrdata, &key, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); keytag = compute_keytag(&keyrdata, &key); if (dlv.key_tag != keytag || dlv.algorithm != key.algorithm) continue; dns_rdata_reset(&newdsrdata); result = dns_ds_buildrdata(val->event->name, &keyrdata, dlv.digest_type, dsbuf, &newdsrdata); if (result != ISC_R_SUCCESS) { validator_log(val, ISC_LOG_DEBUG(3), "dns_ds_buildrdata() -> %s", dns_result_totext(result)); continue; } /* Covert to DLV */ newdsrdata.type = dns_rdatatype_dlv; if (dns_rdata_compare(&dlvrdata, &newdsrdata) == 0) break; } if (result != ISC_R_SUCCESS) { dns_rdataset_disassociate(&trdataset); validator_log(val, ISC_LOG_DEBUG(3), "no DNSKEY matching DLV"); continue; } validator_log(val, ISC_LOG_DEBUG(3), "Found matching DLV record: checking for signature"); for (result = dns_rdataset_first(val->event->sigrdataset); result == ISC_R_SUCCESS; result = dns_rdataset_next(val->event->sigrdataset)) { dns_rdata_reset(&sigrdata); dns_rdataset_current(val->event->sigrdataset, &sigrdata); result = dns_rdata_tostruct(&sigrdata, &sig, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); if (dlv.key_tag != sig.keyid && dlv.algorithm != sig.algorithm) continue; dstkey = NULL; result = dns_dnssec_keyfromrdata(val->event->name, &keyrdata, val->view->mctx, &dstkey); if (result != ISC_R_SUCCESS) /* * This really shouldn't happen, but... */ continue; result = verify(val, dstkey, &sigrdata, sig.keyid); dst_key_free(&dstkey); if (result == ISC_R_SUCCESS) break; } dns_rdataset_disassociate(&trdataset); if (result == ISC_R_SUCCESS) break; validator_log(val, ISC_LOG_DEBUG(3), "no RRSIG matching DLV key"); } if (result == ISC_R_SUCCESS) { - val->event->rdataset->trust = dns_trust_secure; - val->event->sigrdataset->trust = dns_trust_secure; + marksecure(val->event); validator_log(val, ISC_LOG_DEBUG(3), "marking as secure"); return (result); } else if (result == ISC_R_NOMORE && !supported_algorithm) { if (val->mustbesecure) { validator_log(val, ISC_LOG_WARNING, "must be secure failure"); return (DNS_R_MUSTBESECURE); } validator_log(val, ISC_LOG_DEBUG(3), "no supported algorithm/digest (dlv)"); markanswer(val); return (ISC_R_SUCCESS); } else return (DNS_R_NOVALIDSIG); } /*% * Attempts positive response validation of an RRset containing zone keys. * * Returns: * \li ISC_R_SUCCESS Validation completed successfully * \li DNS_R_WAIT Validation has started but is waiting * for an event. * \li Other return codes are possible and all indicate failure. */ static isc_result_t validatezonekey(dns_validator_t *val) { isc_result_t result; dns_validatorevent_t *event; dns_rdataset_t trdataset; dns_rdata_t dsrdata = DNS_RDATA_INIT; dns_rdata_t newdsrdata = DNS_RDATA_INIT; dns_rdata_t keyrdata = DNS_RDATA_INIT; dns_rdata_t sigrdata = DNS_RDATA_INIT; unsigned char dsbuf[DNS_DS_BUFFERSIZE]; char namebuf[DNS_NAME_FORMATSIZE]; dns_keytag_t keytag; dns_rdata_ds_t ds; dns_rdata_dnskey_t key; dns_rdata_rrsig_t sig; dst_key_t *dstkey; isc_boolean_t supported_algorithm; isc_boolean_t atsep = ISC_FALSE; isc_uint8_t digest_type; /* * Caller must be holding the validator lock. */ event = val->event; if (val->havedlvsep && val->dlv.trust >= dns_trust_secure && dns_name_equal(event->name, dns_fixedname_name(&val->dlvsep))) return (dlv_validatezonekey(val)); if (val->dsset == NULL) { /* * First, see if this key was signed by a trusted key. */ for (result = dns_rdataset_first(val->event->sigrdataset); result == ISC_R_SUCCESS; result = dns_rdataset_next(val->event->sigrdataset)) { dns_keynode_t *keynode = NULL, *nextnode = NULL; dns_rdata_reset(&sigrdata); dns_rdataset_current(val->event->sigrdataset, &sigrdata); result = dns_rdata_tostruct(&sigrdata, &sig, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); if (!dns_name_equal(val->event->name, &sig.signer)) continue; result = dns_keytable_findkeynode(val->keytable, val->event->name, sig.algorithm, sig.keyid, &keynode); if (result == DNS_R_PARTIALMATCH || result == ISC_R_SUCCESS) atsep = ISC_TRUE; while (result == ISC_R_SUCCESS) { dstkey = dns_keynode_key(keynode); result = verify(val, dstkey, &sigrdata, sig.keyid); if (result == ISC_R_SUCCESS) { dns_keytable_detachkeynode(val->keytable, &keynode); break; } result = dns_keytable_findnextkeynode( val->keytable, keynode, &nextnode); dns_keytable_detachkeynode(val->keytable, &keynode); keynode = nextnode; } if (result == ISC_R_SUCCESS) { - event->rdataset->trust = dns_trust_secure; - event->sigrdataset->trust = dns_trust_secure; + marksecure(event); validator_log(val, ISC_LOG_DEBUG(3), "signed by trusted key; " "marking as secure"); return (result); } } /* * If this is the root name and there was no trusted key, * give up, since there's no DS at the root. */ if (dns_name_equal(event->name, dns_rootname)) { if ((val->attributes & VALATTR_TRIEDVERIFY) != 0) return (DNS_R_NOVALIDSIG); else return (DNS_R_NOVALIDDS); } if (atsep) { /* * We have not found a key to verify this DNSKEY * RRset. As this is a SEP we have to assume that * the RRset is invalid. */ dns_name_format(val->event->name, namebuf, sizeof(namebuf)); - validator_log(val, ISC_LOG_DEBUG(2), + validator_log(val, ISC_LOG_NOTICE, "unable to find a DNSKEY which verifies " "the DNSKEY RRset and also matches one " "of specified trusted-keys for '%s'", namebuf); + validator_log(val, ISC_LOG_NOTICE, + "please check the 'trusted-keys' for " + "'%s' in named.conf.", namebuf); return (DNS_R_NOVALIDKEY); } /* * Otherwise, try to find the DS record. */ result = view_find(val, val->event->name, dns_rdatatype_ds); if (result == ISC_R_SUCCESS) { /* * We have DS records. */ val->dsset = &val->frdataset; if (DNS_TRUST_PENDING(val->frdataset.trust) && dns_rdataset_isassociated(&val->fsigrdataset)) { result = create_validator(val, val->event->name, dns_rdatatype_ds, &val->frdataset, &val->fsigrdataset, dsvalidated, "validatezonekey"); if (result != ISC_R_SUCCESS) return (result); return (DNS_R_WAIT); } else if (DNS_TRUST_PENDING(val->frdataset.trust)) { /* * There should never be an unsigned DS. */ dns_rdataset_disassociate(&val->frdataset); validator_log(val, ISC_LOG_DEBUG(2), "unsigned DS record"); return (DNS_R_NOVALIDSIG); } else result = ISC_R_SUCCESS; } else if (result == ISC_R_NOTFOUND) { /* * We don't have the DS. Find it. */ result = create_fetch(val, val->event->name, dns_rdatatype_ds, dsfetched, "validatezonekey"); if (result != ISC_R_SUCCESS) return (result); return (DNS_R_WAIT); } else if (result == DNS_R_NCACHENXDOMAIN || result == DNS_R_NCACHENXRRSET || result == DNS_R_EMPTYNAME || result == DNS_R_NXDOMAIN || result == DNS_R_NXRRSET) { /* * The DS does not exist. */ if (dns_rdataset_isassociated(&val->frdataset)) dns_rdataset_disassociate(&val->frdataset); if (dns_rdataset_isassociated(&val->fsigrdataset)) dns_rdataset_disassociate(&val->fsigrdataset); validator_log(val, ISC_LOG_DEBUG(2), "no DS record"); return (DNS_R_NOVALIDSIG); - } + } else if (result == DNS_R_BROKENCHAIN) + return (result); } /* * We have a DS set. */ INSIST(val->dsset != NULL); if (val->dsset->trust < dns_trust_secure) { if (val->mustbesecure) { validator_log(val, ISC_LOG_WARNING, "must be secure failure"); return (DNS_R_MUSTBESECURE); } markanswer(val); return (ISC_R_SUCCESS); } /* * Look through the DS record and find the keys that can sign the * key set and the matching signature. For each such key, attempt * verification. */ supported_algorithm = ISC_FALSE; /* * If DNS_DSDIGEST_SHA256 is present we are required to prefer * it over DNS_DSDIGEST_SHA1. This in practice means that we * need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256 * is present. */ digest_type = DNS_DSDIGEST_SHA1; for (result = dns_rdataset_first(val->dsset); result == ISC_R_SUCCESS; result = dns_rdataset_next(val->dsset)) { dns_rdata_reset(&dsrdata); dns_rdataset_current(val->dsset, &dsrdata); result = dns_rdata_tostruct(&dsrdata, &ds, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); if (!dns_resolver_algorithm_supported(val->view->resolver, val->event->name, ds.algorithm)) continue; if (ds.digest_type == DNS_DSDIGEST_SHA256 && ds.length == ISC_SHA256_DIGESTLENGTH) { digest_type = DNS_DSDIGEST_SHA256; break; } } for (result = dns_rdataset_first(val->dsset); result == ISC_R_SUCCESS; result = dns_rdataset_next(val->dsset)) { dns_rdata_reset(&dsrdata); dns_rdataset_current(val->dsset, &dsrdata); result = dns_rdata_tostruct(&dsrdata, &ds, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); if (!dns_resolver_digest_supported(val->view->resolver, ds.digest_type)) continue; if (ds.digest_type != digest_type) continue; if (!dns_resolver_algorithm_supported(val->view->resolver, val->event->name, ds.algorithm)) continue; supported_algorithm = ISC_TRUE; dns_rdataset_init(&trdataset); dns_rdataset_clone(val->event->rdataset, &trdataset); /* * Look for the KEY that matches the DS record. */ for (result = dns_rdataset_first(&trdataset); result == ISC_R_SUCCESS; result = dns_rdataset_next(&trdataset)) { dns_rdata_reset(&keyrdata); dns_rdataset_current(&trdataset, &keyrdata); result = dns_rdata_tostruct(&keyrdata, &key, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); keytag = compute_keytag(&keyrdata, &key); if (ds.key_tag != keytag || ds.algorithm != key.algorithm) continue; dns_rdata_reset(&newdsrdata); result = dns_ds_buildrdata(val->event->name, &keyrdata, ds.digest_type, dsbuf, &newdsrdata); if (result != ISC_R_SUCCESS) continue; if (dns_rdata_compare(&dsrdata, &newdsrdata) == 0) break; } if (result != ISC_R_SUCCESS) { dns_rdataset_disassociate(&trdataset); validator_log(val, ISC_LOG_DEBUG(3), "no DNSKEY matching DS"); continue; } for (result = dns_rdataset_first(val->event->sigrdataset); result == ISC_R_SUCCESS; result = dns_rdataset_next(val->event->sigrdataset)) { dns_rdata_reset(&sigrdata); dns_rdataset_current(val->event->sigrdataset, &sigrdata); result = dns_rdata_tostruct(&sigrdata, &sig, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); if (ds.key_tag != sig.keyid || ds.algorithm != sig.algorithm) continue; if (!dns_name_equal(val->event->name, &sig.signer)) { validator_log(val, ISC_LOG_DEBUG(3), "DNSKEY signer mismatch"); continue; } dstkey = NULL; result = dns_dnssec_keyfromrdata(val->event->name, &keyrdata, val->view->mctx, &dstkey); if (result != ISC_R_SUCCESS) /* * This really shouldn't happen, but... */ continue; result = verify(val, dstkey, &sigrdata, sig.keyid); dst_key_free(&dstkey); if (result == ISC_R_SUCCESS) break; } dns_rdataset_disassociate(&trdataset); if (result == ISC_R_SUCCESS) break; validator_log(val, ISC_LOG_DEBUG(3), "no RRSIG matching DS key"); } if (result == ISC_R_SUCCESS) { - event->rdataset->trust = dns_trust_secure; - event->sigrdataset->trust = dns_trust_secure; + marksecure(event); validator_log(val, ISC_LOG_DEBUG(3), "marking as secure"); return (result); } else if (result == ISC_R_NOMORE && !supported_algorithm) { if (val->mustbesecure) { validator_log(val, ISC_LOG_WARNING, "must be secure failure"); return (DNS_R_MUSTBESECURE); } validator_log(val, ISC_LOG_DEBUG(3), "no supported algorithm/digest (DS)"); markanswer(val); return (ISC_R_SUCCESS); } else return (DNS_R_NOVALIDSIG); } /*% * Starts a positive response validation. * * Returns: * \li ISC_R_SUCCESS Validation completed successfully * \li DNS_R_WAIT Validation has started but is waiting * for an event. * \li Other return codes are possible and all indicate failure. */ static isc_result_t start_positive_validation(dns_validator_t *val) { /* * If this is not a key, go straight into validate(). */ if (val->event->type != dns_rdatatype_dnskey || !isselfsigned(val)) return (validate(val, ISC_FALSE)); return (validatezonekey(val)); } /*% * Look for NODATA at the wildcard and NOWILDCARD proofs in the * previously validated NSEC records. As these proofs are mutually * exclusive we stop when one is found. * * Returns * \li ISC_R_SUCCESS */ static isc_result_t checkwildcard(dns_validator_t *val, dns_rdatatype_t type, dns_name_t *zonename) { dns_name_t *name, *wild; dns_message_t *message = val->event->message; isc_result_t result; isc_boolean_t exists, data; char namebuf[DNS_NAME_FORMATSIZE]; wild = dns_fixedname_name(&val->wild); if (dns_name_countlabels(wild) == 0) { validator_log(val, ISC_LOG_DEBUG(3), "in checkwildcard: no wildcard to check"); return (ISC_R_SUCCESS); } dns_name_format(wild, namebuf, sizeof(namebuf)); validator_log(val, ISC_LOG_DEBUG(3), "in checkwildcard: %s", namebuf); for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY); result == ISC_R_SUCCESS; result = dns_message_nextname(message, DNS_SECTION_AUTHORITY)) { dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL; name = NULL; dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name); for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { if (rdataset->type != type) continue; for (sigrdataset = ISC_LIST_HEAD(name->list); sigrdataset != NULL; sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) { if (sigrdataset->type == dns_rdatatype_rrsig && sigrdataset->covers == rdataset->type) break; } if (sigrdataset == NULL) continue; if (rdataset->trust != dns_trust_secure) continue; if (rdataset->type == dns_rdatatype_nsec && ((val->attributes & VALATTR_NEEDNODATA) != 0 || (val->attributes & VALATTR_NEEDNOWILDCARD) != 0) && (val->attributes & VALATTR_FOUNDNODATA) == 0 && (val->attributes & VALATTR_FOUNDNOWILDCARD) == 0 && nsecnoexistnodata(val, wild, name, rdataset, &exists, &data, NULL) == ISC_R_SUCCESS) { dns_name_t **proofs = val->event->proofs; if (exists && !data) val->attributes |= VALATTR_FOUNDNODATA; if (exists && !data && NEEDNODATA(val)) proofs[DNS_VALIDATOR_NODATAPROOF] = name; if (!exists) val->attributes |= VALATTR_FOUNDNOWILDCARD; if (!exists && NEEDNOQNAME(val)) proofs[DNS_VALIDATOR_NOWILDCARDPROOF] = name; return (ISC_R_SUCCESS); } if (rdataset->type == dns_rdatatype_nsec3 && ((val->attributes & VALATTR_NEEDNODATA) != 0 || (val->attributes & VALATTR_NEEDNOWILDCARD) != 0) && (val->attributes & VALATTR_FOUNDNODATA) == 0 && (val->attributes & VALATTR_FOUNDNOWILDCARD) == 0 && nsec3noexistnodata(val, wild, name, rdataset, zonename, &exists, &data, NULL, NULL, NULL, NULL, NULL, NULL) == ISC_R_SUCCESS) { dns_name_t **proofs = val->event->proofs; if (exists && !data) val->attributes |= VALATTR_FOUNDNODATA; if (exists && !data && NEEDNODATA(val)) proofs[DNS_VALIDATOR_NODATAPROOF] = name; if (!exists) val->attributes |= VALATTR_FOUNDNOWILDCARD; if (!exists && NEEDNOQNAME(val)) proofs[DNS_VALIDATOR_NOWILDCARDPROOF] = name; return (ISC_R_SUCCESS); } } } if (result == ISC_R_NOMORE) result = ISC_R_SUCCESS; return (result); } static isc_result_t findnsec3proofs(dns_validator_t *val) { dns_name_t *name; dns_message_t *message = val->event->message; isc_result_t result; isc_boolean_t exists, data, optout, unknown; isc_boolean_t setclosest, setnearest; dns_fixedname_t fclosest, fnearest, fzonename; dns_name_t *closest, *nearest, *zonename; dns_name_t **proofs = val->event->proofs; dns_fixedname_init(&fclosest); dns_fixedname_init(&fnearest); dns_fixedname_init(&fzonename); closest = dns_fixedname_name(&fclosest); nearest = dns_fixedname_name(&fnearest); zonename = dns_fixedname_name(&fzonename); for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY); result == ISC_R_SUCCESS; result = dns_message_nextname(message, DNS_SECTION_AUTHORITY)) { dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL; name = NULL; dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name); for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { if (rdataset->type != dns_rdatatype_nsec3) continue; for (sigrdataset = ISC_LIST_HEAD(name->list); sigrdataset != NULL; sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) { if (sigrdataset->type == dns_rdatatype_rrsig && sigrdataset->covers == dns_rdatatype_nsec3) break; } if (sigrdataset == NULL) continue; if (rdataset->trust != dns_trust_secure) continue; result = nsec3noexistnodata(val, val->event->name, name, rdataset, zonename, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL); if (result != ISC_R_IGNORE && result != ISC_R_SUCCESS) return (result); } } if (result != ISC_R_NOMORE) result = ISC_R_SUCCESS; if (dns_name_countlabels(zonename) == 0) return (ISC_R_SUCCESS); for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY); result == ISC_R_SUCCESS; result = dns_message_nextname(message, DNS_SECTION_AUTHORITY)) { dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL; name = NULL; dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name); for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { if (rdataset->type != dns_rdatatype_nsec3) continue; for (sigrdataset = ISC_LIST_HEAD(name->list); sigrdataset != NULL; sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) { if (sigrdataset->type == dns_rdatatype_rrsig && sigrdataset->covers == dns_rdatatype_nsec3) break; } if (sigrdataset == NULL) continue; if (rdataset->trust != dns_trust_secure) continue; /* * We process all NSEC3 records to find the closest * encloser and nearest name to the closest encloser. */ setclosest = setnearest = ISC_FALSE; optout = ISC_FALSE; unknown = ISC_FALSE; result = nsec3noexistnodata(val, val->event->name, name, rdataset, zonename, &exists, &data, &optout, &unknown, &setclosest, &setnearest, closest, nearest); if (setclosest) proofs[DNS_VALIDATOR_CLOSESTENCLOSER] = name; if (unknown) val->attributes |= VALATTR_FOUNDUNKNOWN; if (result != ISC_R_SUCCESS) continue; if (exists && !data && NEEDNODATA(val)) { val->attributes |= VALATTR_FOUNDNODATA; proofs[DNS_VALIDATOR_NODATAPROOF] = name; } if (!exists && setnearest) { val->attributes |= VALATTR_FOUNDNOQNAME; proofs[DNS_VALIDATOR_NOQNAMEPROOF] = name; if (optout) val->attributes |= VALATTR_FOUNDOPTOUT; } } } if (result != ISC_R_NOMORE) result = ISC_R_SUCCESS; /* * To know we have a valid noqname and optout proofs we need to also * have a valid closest encloser. Otherwise we could still be looking * at proofs from the parent zone. */ if (dns_name_countlabels(closest) > 0 && dns_name_countlabels(nearest) == dns_name_countlabels(closest) + 1 && dns_name_issubdomain(nearest, closest)) { val->attributes |= VALATTR_FOUNDCLOSEST; result = dns_name_concatenate(dns_wildcardname, closest, dns_fixedname_name(&val->wild), NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); } else { val->attributes &= ~VALATTR_FOUNDNOQNAME; val->attributes &= ~VALATTR_FOUNDOPTOUT; proofs[DNS_VALIDATOR_NOQNAMEPROOF] = NULL; } /* * Do we need to check for the wildcard? */ if ((val->attributes & VALATTR_FOUNDNOQNAME) != 0 && (val->attributes & VALATTR_FOUNDCLOSEST) != 0 && (((val->attributes & VALATTR_NEEDNODATA) != 0 && (val->attributes & VALATTR_FOUNDNODATA) == 0) || (val->attributes & VALATTR_NEEDNOWILDCARD) != 0)) { result = checkwildcard(val, dns_rdatatype_nsec3, zonename); if (result != ISC_R_SUCCESS) return (result); } return (result); } /*% * Prove a negative answer is good or that there is a NOQNAME when the * answer is from a wildcard. * * Loop through the authority section looking for NODATA, NOWILDCARD * and NOQNAME proofs in the NSEC records by calling authvalidated(). * * If the required proofs are found we are done. * * If the proofs are not found attempt to prove this is a unsecure * response. */ static isc_result_t nsecvalidate(dns_validator_t *val, isc_boolean_t resume) { dns_name_t *name; dns_message_t *message = val->event->message; isc_result_t result; if (!resume) result = dns_message_firstname(message, DNS_SECTION_AUTHORITY); else { result = ISC_R_SUCCESS; validator_log(val, ISC_LOG_DEBUG(3), "resuming nsecvalidate"); } for (; result == ISC_R_SUCCESS; result = dns_message_nextname(message, DNS_SECTION_AUTHORITY)) { dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL; name = NULL; dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name); if (resume) { rdataset = ISC_LIST_NEXT(val->currentset, link); val->currentset = NULL; resume = ISC_FALSE; } else rdataset = ISC_LIST_HEAD(name->list); for (; rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { if (rdataset->type == dns_rdatatype_rrsig) continue; for (sigrdataset = ISC_LIST_HEAD(name->list); sigrdataset != NULL; sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) { if (sigrdataset->type == dns_rdatatype_rrsig && sigrdataset->covers == rdataset->type) break; } /* * If a signed zone is missing the zone key, bad * things could happen. A query for data in the zone * would lead to a query for the zone key, which * would return a negative answer, which would contain * an SOA and an NSEC signed by the missing key, which * would trigger another query for the DNSKEY (since * the first one is still in progress), and go into an * infinite loop. Avoid that. */ if (val->event->type == dns_rdatatype_dnskey && dns_name_equal(name, val->event->name)) { dns_rdata_t nsec = DNS_RDATA_INIT; if (rdataset->type != dns_rdatatype_nsec) continue; result = dns_rdataset_first(rdataset); if (result != ISC_R_SUCCESS) return (result); dns_rdataset_current(rdataset, &nsec); if (dns_nsec_typepresent(&nsec, dns_rdatatype_soa)) continue; } val->currentset = rdataset; result = create_validator(val, name, rdataset->type, rdataset, sigrdataset, authvalidated, "nsecvalidate"); if (result != ISC_R_SUCCESS) return (result); + val->authcount++; return (DNS_R_WAIT); } } if (result == ISC_R_NOMORE) result = ISC_R_SUCCESS; if (result != ISC_R_SUCCESS) return (result); /* * Do we only need to check for NOQNAME? To get here we must have * had a secure wildcard answer. */ if ((val->attributes & VALATTR_NEEDNODATA) == 0 && (val->attributes & VALATTR_NEEDNOWILDCARD) == 0 && (val->attributes & VALATTR_NEEDNOQNAME) != 0) { if ((val->attributes & VALATTR_FOUNDNOQNAME) == 0) findnsec3proofs(val); if ((val->attributes & VALATTR_FOUNDNOQNAME) != 0 && (val->attributes & VALATTR_FOUNDCLOSEST) != 0) { validator_log(val, ISC_LOG_DEBUG(3), "noqname proof found"); validator_log(val, ISC_LOG_DEBUG(3), "marking as secure"); - val->event->rdataset->trust = dns_trust_secure; - val->event->sigrdataset->trust = dns_trust_secure; + marksecure(val->event); return (ISC_R_SUCCESS); } else if ((val->attributes & VALATTR_FOUNDOPTOUT) != 0 && dns_name_countlabels(dns_fixedname_name(&val->wild)) != 0) { validator_log(val, ISC_LOG_DEBUG(3), "optout proof found"); val->event->optout = ISC_TRUE; markanswer(val); return (ISC_R_SUCCESS); } else if ((val->attributes & VALATTR_FOUNDUNKNOWN) != 0) { validator_log(val, ISC_LOG_DEBUG(3), "unknown NSEC3 hash algorithm found"); markanswer(val); return (ISC_R_SUCCESS); } validator_log(val, ISC_LOG_DEBUG(3), "noqname proof not found"); return (DNS_R_NOVALIDNSEC); } if ((val->attributes & VALATTR_FOUNDNOQNAME) == 0 && (val->attributes & VALATTR_FOUNDNODATA) == 0) findnsec3proofs(val); /* * Do we need to check for the wildcard? */ if ((val->attributes & VALATTR_FOUNDNOQNAME) != 0 && (val->attributes & VALATTR_FOUNDCLOSEST) != 0 && (((val->attributes & VALATTR_NEEDNODATA) != 0 && (val->attributes & VALATTR_FOUNDNODATA) == 0) || (val->attributes & VALATTR_NEEDNOWILDCARD) != 0)) { result = checkwildcard(val, dns_rdatatype_nsec, NULL); if (result != ISC_R_SUCCESS) return (result); } if (((val->attributes & VALATTR_NEEDNODATA) != 0 && ((val->attributes & VALATTR_FOUNDNODATA) != 0 || (val->attributes & VALATTR_FOUNDOPTOUT) != 0)) || ((val->attributes & VALATTR_NEEDNOQNAME) != 0 && (val->attributes & VALATTR_FOUNDNOQNAME) != 0 && (val->attributes & VALATTR_NEEDNOWILDCARD) != 0 && (val->attributes & VALATTR_FOUNDNOWILDCARD) != 0 && (val->attributes & VALATTR_FOUNDCLOSEST) != 0)) { if ((val->attributes & VALATTR_FOUNDOPTOUT) != 0) val->event->optout = ISC_TRUE; validator_log(val, ISC_LOG_DEBUG(3), "nonexistence proof(s) found"); return (ISC_R_SUCCESS); } findnsec3proofs(val); + if (val->authcount == val->authfail) + return (DNS_R_BROKENCHAIN); validator_log(val, ISC_LOG_DEBUG(3), "nonexistence proof(s) not found"); val->attributes |= VALATTR_INSECURITY; return (proveunsecure(val, ISC_FALSE, ISC_FALSE)); } static isc_boolean_t check_ds(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset) { dns_rdata_t dsrdata = DNS_RDATA_INIT; dns_rdata_ds_t ds; isc_result_t result; for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS; result = dns_rdataset_next(rdataset)) { dns_rdataset_current(rdataset, &dsrdata); result = dns_rdata_tostruct(&dsrdata, &ds, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); if (dns_resolver_digest_supported(val->view->resolver, ds.digest_type) && dns_resolver_algorithm_supported(val->view->resolver, name, ds.algorithm)) { dns_rdata_reset(&dsrdata); return (ISC_TRUE); } dns_rdata_reset(&dsrdata); } return (ISC_FALSE); } +static void +dlvvalidated(isc_task_t *task, isc_event_t *event) { + dns_validatorevent_t *devent; + dns_validator_t *val; + isc_result_t eresult; + isc_boolean_t want_destroy; + + UNUSED(task); + INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE); + + devent = (dns_validatorevent_t *)event; + val = devent->ev_arg; + eresult = devent->result; + + isc_event_free(&event); + dns_validator_destroy(&val->subvalidator); + + INSIST(val->event != NULL); + + validator_log(val, ISC_LOG_DEBUG(3), "in dlvvalidated"); + LOCK(&val->lock); + if (CANCELED(val)) { + validator_done(val, ISC_R_CANCELED); + } else if (eresult == ISC_R_SUCCESS) { + validator_log(val, ISC_LOG_DEBUG(3), + "dlvset with trust %d", val->frdataset.trust); + dns_rdataset_clone(&val->frdataset, &val->dlv); + val->havedlvsep = ISC_TRUE; + if (dlv_algorithm_supported(val)) + dlv_validator_start(val); + else { + markanswer(val); + validator_done(val, ISC_R_SUCCESS); + } + } else { + if (eresult != DNS_R_BROKENCHAIN) { + if (dns_rdataset_isassociated(&val->frdataset)) + dns_rdataset_expire(&val->frdataset); + if (dns_rdataset_isassociated(&val->fsigrdataset)) + dns_rdataset_expire(&val->fsigrdataset); + } + validator_log(val, ISC_LOG_DEBUG(3), + "dlvvalidated: got %s", + isc_result_totext(eresult)); + validator_done(val, DNS_R_BROKENCHAIN); + } + want_destroy = exit_check(val); + UNLOCK(&val->lock); + if (want_destroy) + destroy(val); +} + /*% * Callback from fetching a DLV record. * * Resumes the DLV lookup process. */ static void dlvfetched(isc_task_t *task, isc_event_t *event) { char namebuf[DNS_NAME_FORMATSIZE]; dns_fetchevent_t *devent; dns_validator_t *val; isc_boolean_t want_destroy; isc_result_t eresult; isc_result_t result; UNUSED(task); INSIST(event->ev_type == DNS_EVENT_FETCHDONE); devent = (dns_fetchevent_t *)event; val = devent->ev_arg; eresult = devent->result; /* Free resources which are not of interest. */ if (devent->node != NULL) dns_db_detachnode(devent->db, &devent->node); if (devent->db != NULL) dns_db_detach(&devent->db); if (dns_rdataset_isassociated(&val->fsigrdataset)) dns_rdataset_disassociate(&val->fsigrdataset); isc_event_free(&event); dns_resolver_destroyfetch(&val->fetch); INSIST(val->event != NULL); validator_log(val, ISC_LOG_DEBUG(3), "in dlvfetched: %s", dns_result_totext(eresult)); LOCK(&val->lock); if (eresult == ISC_R_SUCCESS) { dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf, sizeof(namebuf)); dns_rdataset_clone(&val->frdataset, &val->dlv); val->havedlvsep = ISC_TRUE; if (dlv_algorithm_supported(val)) { validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf); dlv_validator_start(val); } else { validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found with no supported algorithms", namebuf); markanswer(val); validator_done(val, ISC_R_SUCCESS); } } else if (eresult == DNS_R_NXRRSET || eresult == DNS_R_NXDOMAIN || eresult == DNS_R_NCACHENXRRSET || eresult == DNS_R_NCACHENXDOMAIN) { result = finddlvsep(val, ISC_TRUE); if (result == ISC_R_SUCCESS) { if (dlv_algorithm_supported(val)) { dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf, sizeof(namebuf)); validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf); dlv_validator_start(val); } else { validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found with no supported " "algorithms", namebuf); markanswer(val); validator_done(val, ISC_R_SUCCESS); } } else if (result == ISC_R_NOTFOUND) { validator_log(val, ISC_LOG_DEBUG(3), "DLV not found"); markanswer(val); validator_done(val, ISC_R_SUCCESS); } else { validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s", dns_result_totext(result)); if (result != DNS_R_WAIT) validator_done(val, result); } } else { validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s", dns_result_totext(eresult)); validator_done(val, eresult); } want_destroy = exit_check(val); UNLOCK(&val->lock); if (want_destroy) destroy(val); } /*% * Start the DLV lookup process. * * Returns * \li ISC_R_SUCCESS * \li DNS_R_WAIT * \li Others on validation failures. */ static isc_result_t startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure) { char namebuf[DNS_NAME_FORMATSIZE]; isc_result_t result; INSIST(!DLVTRIED(val)); val->attributes |= VALATTR_DLVTRIED; dns_name_format(unsecure, namebuf, sizeof(namebuf)); validator_log(val, ISC_LOG_DEBUG(3), "plain DNSSEC returns unsecure (%s): looking for DLV", namebuf); if (dns_name_issubdomain(val->event->name, val->view->dlv)) { validator_log(val, ISC_LOG_WARNING, "must be secure failure"); return (DNS_R_MUSTBESECURE); } val->dlvlabels = dns_name_countlabels(unsecure) - 1; result = finddlvsep(val, ISC_FALSE); if (result == ISC_R_NOTFOUND) { validator_log(val, ISC_LOG_DEBUG(3), "DLV not found"); markanswer(val); return (ISC_R_SUCCESS); } if (result != ISC_R_SUCCESS) { validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s", dns_result_totext(result)); return (result); } dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf, sizeof(namebuf)); if (dlv_algorithm_supported(val)) { validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf); dlv_validator_start(val); return (DNS_R_WAIT); } validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found with no supported " "algorithms", namebuf); markanswer(val); validator_done(val, ISC_R_SUCCESS); return (ISC_R_SUCCESS); } /*% * Continue the DLV lookup process. * * Returns * \li ISC_R_SUCCESS * \li ISC_R_NOTFOUND * \li DNS_R_WAIT * \li Others on validation failure. */ static isc_result_t finddlvsep(dns_validator_t *val, isc_boolean_t resume) { char namebuf[DNS_NAME_FORMATSIZE]; dns_fixedname_t dlvfixed; dns_name_t *dlvname; dns_name_t *dlvsep; dns_name_t noroot; isc_result_t result; unsigned int labels; INSIST(val->view->dlv != NULL); if (!resume) { if (dns_name_issubdomain(val->event->name, val->view->dlv)) { validator_log(val, ISC_LOG_WARNING, "must be secure failure"); return (DNS_R_MUSTBESECURE); } dns_fixedname_init(&val->dlvsep); dlvsep = dns_fixedname_name(&val->dlvsep); dns_name_copy(val->event->name, dlvsep, NULL); /* * If this is a response to a DS query, we need to look in * the parent zone for the trust anchor. */ if (val->event->type == dns_rdatatype_ds) { labels = dns_name_countlabels(dlvsep); if (labels == 0) return (ISC_R_NOTFOUND); dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep); } } else { dlvsep = dns_fixedname_name(&val->dlvsep); labels = dns_name_countlabels(dlvsep); dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep); } dns_name_init(&noroot, NULL); dns_fixedname_init(&dlvfixed); dlvname = dns_fixedname_name(&dlvfixed); labels = dns_name_countlabels(dlvsep); if (labels == 0) return (ISC_R_NOTFOUND); dns_name_getlabelsequence(dlvsep, 0, labels - 1, &noroot); result = dns_name_concatenate(&noroot, val->view->dlv, dlvname, NULL); while (result == ISC_R_NOSPACE) { labels = dns_name_countlabels(dlvsep); dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep); dns_name_getlabelsequence(dlvsep, 0, labels - 2, &noroot); result = dns_name_concatenate(&noroot, val->view->dlv, dlvname, NULL); } if (result != ISC_R_SUCCESS) { validator_log(val, ISC_LOG_DEBUG(2), "DLV concatenate failed"); return (DNS_R_NOVALIDSIG); } while (dns_name_countlabels(dlvname) >= dns_name_countlabels(val->view->dlv) + val->dlvlabels) { dns_name_format(dlvname, namebuf, sizeof(namebuf)); validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV %s", namebuf); result = view_find(val, dlvname, dns_rdatatype_dlv); if (result == ISC_R_SUCCESS) { + if (DNS_TRUST_PENDING(val->frdataset.trust) && + dns_rdataset_isassociated(&val->fsigrdataset)) + { + dns_fixedname_init(&val->fname); + dns_name_copy(dlvname, + dns_fixedname_name(&val->fname), + NULL); + result = create_validator(val, + dns_fixedname_name(&val->fname), + dns_rdatatype_dlv, + &val->frdataset, + &val->fsigrdataset, + dlvvalidated, + "finddlvsep"); + if (result != ISC_R_SUCCESS) + return (result); + return (DNS_R_WAIT); + } if (val->frdataset.trust < dns_trust_secure) return (DNS_R_NOVALIDSIG); val->havedlvsep = ISC_TRUE; dns_rdataset_clone(&val->frdataset, &val->dlv); return (ISC_R_SUCCESS); } if (result == ISC_R_NOTFOUND) { result = create_fetch(val, dlvname, dns_rdatatype_dlv, dlvfetched, "finddlvsep"); if (result != ISC_R_SUCCESS) return (result); return (DNS_R_WAIT); } if (result != DNS_R_NXRRSET && result != DNS_R_NXDOMAIN && result != DNS_R_EMPTYNAME && result != DNS_R_NCACHENXRRSET && result != DNS_R_NCACHENXDOMAIN) return (result); /* * Strip first labels from both dlvsep and dlvname. */ labels = dns_name_countlabels(dlvsep); if (labels == 0) break; dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep); labels = dns_name_countlabels(dlvname); dns_name_getlabelsequence(dlvname, 1, labels - 1, dlvname); } return (ISC_R_NOTFOUND); } /*% * proveunsecure walks down from the SEP looking for a break in the * chain of trust. That occurs when we can prove the DS record does * not exist at a delegation point or the DS exists at a delegation * but we don't support the algorithm/digest. * * If DLV is active and we look for a DLV record at or below the * point we go insecure. If found we restart the validation process. * If not found or DLV isn't active we mark the response as a answer. * * Returns: * \li ISC_R_SUCCESS val->event->name is in a unsecure zone * \li DNS_R_WAIT validation is in progress. * \li DNS_R_MUSTBESECURE val->event->name is supposed to be secure * (policy) but we proved that it is unsecure. * \li DNS_R_NOVALIDSIG * \li DNS_R_NOVALIDNSEC * \li DNS_R_NOTINSECURE + * \li DNS_R_BROKENCHAIN */ static isc_result_t proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume) { isc_result_t result; dns_fixedname_t fixedsecroot; dns_name_t *secroot; dns_name_t *tname; char namebuf[DNS_NAME_FORMATSIZE]; dns_name_t *found; dns_fixedname_t fixedfound; dns_fixedname_init(&fixedsecroot); secroot = dns_fixedname_name(&fixedsecroot); dns_fixedname_init(&fixedfound); found = dns_fixedname_name(&fixedfound); if (val->havedlvsep) dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL); else { unsigned int labels; dns_name_copy(val->event->name, secroot, NULL); /* * If this is a response to a DS query, we need to look in * the parent zone for the trust anchor. */ labels = dns_name_countlabels(secroot); if (val->event->type == dns_rdatatype_ds && labels > 1U) dns_name_getlabelsequence(secroot, 1, labels - 1, secroot); result = dns_keytable_finddeepestmatch(val->keytable, secroot, secroot); if (result == ISC_R_NOTFOUND) { if (val->mustbesecure) { validator_log(val, ISC_LOG_WARNING, "must be secure failure"); result = DNS_R_MUSTBESECURE; goto out; } if (val->view->dlv == NULL || DLVTRIED(val)) { markanswer(val); return (ISC_R_SUCCESS); } return (startfinddlvsep(val, dns_rootname)); } else if (result != ISC_R_SUCCESS) return (result); } if (!resume) { /* * We are looking for breaks below the SEP so add a label. */ val->labels = dns_name_countlabels(secroot) + 1; } else { validator_log(val, ISC_LOG_DEBUG(3), "resuming proveunsecure"); /* * If we have a DS rdataset and it is secure then check if * the DS rdataset has a supported algorithm combination. * If not this is a insecure delegation as far as this * resolver is concerned. Fall back to DLV if available. */ if (have_ds && val->frdataset.trust >= dns_trust_secure && !check_ds(val, dns_fixedname_name(&val->fname), &val->frdataset)) { dns_name_format(dns_fixedname_name(&val->fname), namebuf, sizeof(namebuf)); if ((val->view->dlv == NULL || DLVTRIED(val)) && val->mustbesecure) { validator_log(val, ISC_LOG_WARNING, "must be secure failure at '%s'", namebuf); result = DNS_R_MUSTBESECURE; goto out; } validator_log(val, ISC_LOG_DEBUG(3), "no supported algorithm/digest (%s/DS)", namebuf); if (val->view->dlv == NULL || DLVTRIED(val)) { markanswer(val); result = ISC_R_SUCCESS; goto out; } result = startfinddlvsep(val, dns_fixedname_name(&val->fname)); goto out; } val->labels++; } for (; val->labels <= dns_name_countlabels(val->event->name); val->labels++) { dns_fixedname_init(&val->fname); tname = dns_fixedname_name(&val->fname); if (val->labels == dns_name_countlabels(val->event->name)) dns_name_copy(val->event->name, tname, NULL); else dns_name_split(val->event->name, val->labels, NULL, tname); dns_name_format(tname, namebuf, sizeof(namebuf)); validator_log(val, ISC_LOG_DEBUG(3), "checking existence of DS at '%s'", namebuf); result = view_find(val, tname, dns_rdatatype_ds); if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) { /* * There is no DS. If this is a delegation, * we maybe done. */ if (DNS_TRUST_PENDING(val->frdataset.trust)) { result = create_fetch(val, tname, dns_rdatatype_ds, dsfetched2, "proveunsecure"); if (result != ISC_R_SUCCESS) goto out; return (DNS_R_WAIT); } /* * Zones using NSEC3 don't return a NSEC RRset so * we need to use dns_view_findzonecut2 to find * the zone cut. */ if (result == DNS_R_NXRRSET && !dns_rdataset_isassociated(&val->frdataset) && dns_view_findzonecut2(val->view, tname, found, 0, 0, ISC_FALSE, ISC_FALSE, NULL, NULL) == ISC_R_SUCCESS && dns_name_equal(tname, found)) { if (val->mustbesecure) { validator_log(val, ISC_LOG_WARNING, "must be secure failure"); return (DNS_R_MUSTBESECURE); } if (val->view->dlv == NULL || DLVTRIED(val)) { markanswer(val); return (ISC_R_SUCCESS); } return (startfinddlvsep(val, tname)); } if (val->frdataset.trust < dns_trust_secure) { /* * This shouldn't happen, since the negative * response should have been validated. Since * there's no way of validating existing * negative response blobs, give up. */ result = DNS_R_NOVALIDSIG; goto out; } if (isdelegation(tname, &val->frdataset, result)) { if (val->mustbesecure) { validator_log(val, ISC_LOG_WARNING, "must be secure failure"); return (DNS_R_MUSTBESECURE); } if (val->view->dlv == NULL || DLVTRIED(val)) { markanswer(val); return (ISC_R_SUCCESS); } return (startfinddlvsep(val, tname)); } continue; } else if (result == ISC_R_SUCCESS) { /* * There is a DS here. Verify that it's secure and * continue. */ if (val->frdataset.trust >= dns_trust_secure) { if (!check_ds(val, tname, &val->frdataset)) { validator_log(val, ISC_LOG_DEBUG(3), "no supported algorithm/" "digest (%s/DS)", namebuf); if (val->mustbesecure) { validator_log(val, ISC_LOG_WARNING, "must be secure failure"); result = DNS_R_MUSTBESECURE; goto out; } if (val->view->dlv == NULL || DLVTRIED(val)) { markanswer(val); result = ISC_R_SUCCESS; goto out; } result = startfinddlvsep(val, tname); goto out; } continue; } else if (!dns_rdataset_isassociated(&val->fsigrdataset)) { result = DNS_R_NOVALIDSIG; goto out; } result = create_validator(val, tname, dns_rdatatype_ds, &val->frdataset, &val->fsigrdataset, dsvalidated, "proveunsecure"); if (result != ISC_R_SUCCESS) goto out; return (DNS_R_WAIT); } else if (result == DNS_R_NXDOMAIN || result == DNS_R_NCACHENXDOMAIN) { /* * This is not a zone cut. Assuming things are * as expected, continue. */ if (!dns_rdataset_isassociated(&val->frdataset)) { /* * There should be an NSEC here, since we * are still in a secure zone. */ result = DNS_R_NOVALIDNSEC; goto out; } else if (val->frdataset.trust < dns_trust_secure) { /* * This shouldn't happen, since the negative * response should have been validated. Since * there's no way of validating existing * negative response blobs, give up. */ result = DNS_R_NOVALIDSIG; goto out; } continue; } else if (result == ISC_R_NOTFOUND) { /* * We don't know anything about the DS. Find it. */ result = create_fetch(val, tname, dns_rdatatype_ds, dsfetched2, "proveunsecure"); if (result != ISC_R_SUCCESS) goto out; return (DNS_R_WAIT); - } + } else if (result == DNS_R_BROKENCHAIN) + return (result); } /* if ((val->attributes & VALATTR_NEEDOPTOUT) == 0 && val->event->message != NULL) { val->attributes |= VALATTR_NEEDOPTOUT; return (nsecvalidate(val, ISC_FALSE)); } */ validator_log(val, ISC_LOG_DEBUG(3), "insecurity proof failed"); return (DNS_R_NOTINSECURE); /* Couldn't complete insecurity proof */ out: if (dns_rdataset_isassociated(&val->frdataset)) dns_rdataset_disassociate(&val->frdataset); if (dns_rdataset_isassociated(&val->fsigrdataset)) dns_rdataset_disassociate(&val->fsigrdataset); return (result); } /*% * Reset state and revalidate the answer using DLV. */ static void dlv_validator_start(dns_validator_t *val) { isc_event_t *event; validator_log(val, ISC_LOG_DEBUG(3), "dlv_validator_start"); /* * Reset state and try again. */ val->attributes &= VALATTR_DLVTRIED; val->options &= ~DNS_VALIDATOR_DLV; event = (isc_event_t *)val->event; isc_task_send(val->task, &event); } /*% * Start the validation process. * * Attempt to validate the answer based on the category it appears to * fall in. * \li 1. secure positive answer. * \li 2. unsecure positive answer. * \li 3. a negative answer (secure or unsecure). * * Note a answer that appears to be a secure positive answer may actually * be a unsecure positive answer. */ static void validator_start(isc_task_t *task, isc_event_t *event) { dns_validator_t *val; dns_validatorevent_t *vevent; isc_boolean_t want_destroy = ISC_FALSE; isc_result_t result = ISC_R_FAILURE; UNUSED(task); REQUIRE(event->ev_type == DNS_EVENT_VALIDATORSTART); vevent = (dns_validatorevent_t *)event; val = vevent->validator; /* If the validator has been canceled, val->event == NULL */ if (val->event == NULL) return; if (DLVTRIED(val)) validator_log(val, ISC_LOG_DEBUG(3), "restarting using DLV"); else validator_log(val, ISC_LOG_DEBUG(3), "starting"); LOCK(&val->lock); if ((val->options & DNS_VALIDATOR_DLV) != 0 && val->event->rdataset != NULL) { validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV"); result = startfinddlvsep(val, dns_rootname); } else if (val->event->rdataset != NULL && val->event->sigrdataset != NULL) { isc_result_t saved_result; /* * This looks like a simple validation. We say "looks like" * because it might end up requiring an insecurity proof. */ validator_log(val, ISC_LOG_DEBUG(3), "attempting positive response validation"); INSIST(dns_rdataset_isassociated(val->event->rdataset)); INSIST(dns_rdataset_isassociated(val->event->sigrdataset)); result = start_positive_validation(val); if (result == DNS_R_NOVALIDSIG && (val->attributes & VALATTR_TRIEDVERIFY) == 0) { saved_result = result; validator_log(val, ISC_LOG_DEBUG(3), "falling back to insecurity proof"); val->attributes |= VALATTR_INSECURITY; result = proveunsecure(val, ISC_FALSE, ISC_FALSE); if (result == DNS_R_NOTINSECURE) result = saved_result; } } else if (val->event->rdataset != NULL) { /* * This is either an unsecure subdomain or a response from * a broken server. */ INSIST(dns_rdataset_isassociated(val->event->rdataset)); validator_log(val, ISC_LOG_DEBUG(3), "attempting insecurity proof"); val->attributes |= VALATTR_INSECURITY; result = proveunsecure(val, ISC_FALSE, ISC_FALSE); } else if (val->event->rdataset == NULL && val->event->sigrdataset == NULL) { /* * This is a nonexistence validation. */ validator_log(val, ISC_LOG_DEBUG(3), "attempting negative response validation"); if (val->event->message->rcode == dns_rcode_nxdomain) { val->attributes |= VALATTR_NEEDNOQNAME; val->attributes |= VALATTR_NEEDNOWILDCARD; } else val->attributes |= VALATTR_NEEDNODATA; result = nsecvalidate(val, ISC_FALSE); } else { /* * This shouldn't happen. */ INSIST(0); } if (result != DNS_R_WAIT) { want_destroy = exit_check(val); validator_done(val, result); } UNLOCK(&val->lock); if (want_destroy) destroy(val); } isc_result_t dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, dns_message_t *message, unsigned int options, isc_task_t *task, isc_taskaction_t action, void *arg, dns_validator_t **validatorp) { isc_result_t result; dns_validator_t *val; isc_task_t *tclone; dns_validatorevent_t *event; REQUIRE(name != NULL); REQUIRE(rdataset != NULL || (rdataset == NULL && sigrdataset == NULL && message != NULL)); REQUIRE(validatorp != NULL && *validatorp == NULL); tclone = NULL; result = ISC_R_FAILURE; val = isc_mem_get(view->mctx, sizeof(*val)); if (val == NULL) return (ISC_R_NOMEMORY); val->view = NULL; dns_view_weakattach(view, &val->view); event = (dns_validatorevent_t *) isc_event_allocate(view->mctx, task, DNS_EVENT_VALIDATORSTART, validator_start, NULL, sizeof(dns_validatorevent_t)); if (event == NULL) { result = ISC_R_NOMEMORY; goto cleanup_val; } isc_task_attach(task, &tclone); event->validator = val; event->result = ISC_R_FAILURE; event->name = name; event->type = type; event->rdataset = rdataset; event->sigrdataset = sigrdataset; event->message = message; memset(event->proofs, 0, sizeof(event->proofs)); event->optout = ISC_FALSE; result = isc_mutex_init(&val->lock); if (result != ISC_R_SUCCESS) goto cleanup_event; val->event = event; val->options = options; val->attributes = 0; val->fetch = NULL; val->subvalidator = NULL; val->parent = NULL; val->keytable = NULL; dns_keytable_attach(val->view->secroots, &val->keytable); val->keynode = NULL; val->key = NULL; val->siginfo = NULL; val->task = task; val->action = action; val->arg = arg; val->labels = 0; val->currentset = NULL; val->keyset = NULL; val->dsset = NULL; dns_rdataset_init(&val->dlv); val->seensig = ISC_FALSE; val->havedlvsep = ISC_FALSE; val->depth = 0; + val->authcount = 0; + val->authfail = 0; val->mustbesecure = dns_resolver_getmustbesecure(view->resolver, name); dns_rdataset_init(&val->frdataset); dns_rdataset_init(&val->fsigrdataset); dns_fixedname_init(&val->wild); dns_fixedname_init(&val->nearest); dns_fixedname_init(&val->closest); ISC_LINK_INIT(val, link); val->magic = VALIDATOR_MAGIC; if ((options & DNS_VALIDATOR_DEFER) == 0) isc_task_send(task, ISC_EVENT_PTR(&event)); *validatorp = val; return (ISC_R_SUCCESS); cleanup_event: isc_task_detach(&tclone); isc_event_free(ISC_EVENT_PTR(&event)); cleanup_val: dns_view_weakdetach(&val->view); isc_mem_put(view->mctx, val, sizeof(*val)); return (result); } void dns_validator_send(dns_validator_t *validator) { isc_event_t *event; REQUIRE(VALID_VALIDATOR(validator)); LOCK(&validator->lock); INSIST((validator->options & DNS_VALIDATOR_DEFER) != 0); event = (isc_event_t *)validator->event; validator->options &= ~DNS_VALIDATOR_DEFER; UNLOCK(&validator->lock); isc_task_send(validator->task, ISC_EVENT_PTR(&event)); } void dns_validator_cancel(dns_validator_t *validator) { REQUIRE(VALID_VALIDATOR(validator)); LOCK(&validator->lock); validator_log(validator, ISC_LOG_DEBUG(3), "dns_validator_cancel"); if (validator->event != NULL) { if (validator->fetch != NULL) dns_resolver_cancelfetch(validator->fetch); if (validator->subvalidator != NULL) dns_validator_cancel(validator->subvalidator); if ((validator->options & DNS_VALIDATOR_DEFER) != 0) { isc_task_t *task = validator->event->ev_sender; validator->options &= ~DNS_VALIDATOR_DEFER; isc_event_free((isc_event_t **)&validator->event); isc_task_detach(&task); } validator->attributes |= VALATTR_CANCELED; } UNLOCK(&validator->lock); } static void destroy(dns_validator_t *val) { isc_mem_t *mctx; REQUIRE(SHUTDOWN(val)); REQUIRE(val->event == NULL); REQUIRE(val->fetch == NULL); if (val->keynode != NULL) dns_keytable_detachkeynode(val->keytable, &val->keynode); else if (val->key != NULL) dst_key_free(&val->key); if (val->keytable != NULL) dns_keytable_detach(&val->keytable); if (val->subvalidator != NULL) dns_validator_destroy(&val->subvalidator); if (val->havedlvsep) dns_rdataset_disassociate(&val->dlv); if (dns_rdataset_isassociated(&val->frdataset)) dns_rdataset_disassociate(&val->frdataset); if (dns_rdataset_isassociated(&val->fsigrdataset)) dns_rdataset_disassociate(&val->fsigrdataset); mctx = val->view->mctx; if (val->siginfo != NULL) isc_mem_put(mctx, val->siginfo, sizeof(*val->siginfo)); DESTROYLOCK(&val->lock); dns_view_weakdetach(&val->view); val->magic = 0; isc_mem_put(mctx, val, sizeof(*val)); } void dns_validator_destroy(dns_validator_t **validatorp) { dns_validator_t *val; isc_boolean_t want_destroy = ISC_FALSE; REQUIRE(validatorp != NULL); val = *validatorp; REQUIRE(VALID_VALIDATOR(val)); LOCK(&val->lock); val->attributes |= VALATTR_SHUTDOWN; validator_log(val, ISC_LOG_DEBUG(3), "dns_validator_destroy"); want_destroy = exit_check(val); UNLOCK(&val->lock); if (want_destroy) destroy(val); *validatorp = NULL; } static void validator_logv(dns_validator_t *val, isc_logcategory_t *category, isc_logmodule_t *module, int level, const char *fmt, va_list ap) { char msgbuf[2048]; static const char spaces[] = " *"; int depth = val->depth * 2; vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap); if ((unsigned int) depth >= sizeof spaces) depth = sizeof spaces - 1; if (val->event != NULL && val->event->name != NULL) { char namebuf[DNS_NAME_FORMATSIZE]; char typebuf[DNS_RDATATYPE_FORMATSIZE]; dns_name_format(val->event->name, namebuf, sizeof(namebuf)); dns_rdatatype_format(val->event->type, typebuf, sizeof(typebuf)); isc_log_write(dns_lctx, category, module, level, "%.*svalidating @%p: %s %s: %s", depth, spaces, val, namebuf, typebuf, msgbuf); } else { isc_log_write(dns_lctx, category, module, level, "%.*svalidator @%p: %s", depth, spaces, val, msgbuf); } } static void validator_log(dns_validator_t *val, int level, const char *fmt, ...) { va_list ap; if (! isc_log_wouldlog(dns_lctx, level)) return; va_start(ap, fmt); validator_logv(val, DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_VALIDATOR, level, fmt, ap); va_end(ap); } static void validator_logcreate(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type, const char *caller, const char *operation) { char namestr[DNS_NAME_FORMATSIZE]; char typestr[DNS_RDATATYPE_FORMATSIZE]; dns_name_format(name, namestr, sizeof(namestr)); dns_rdatatype_format(type, typestr, sizeof(typestr)); validator_log(val, ISC_LOG_DEBUG(9), "%s: creating %s for %s %s", caller, operation, namestr, typestr); } Index: head/contrib/bind9/lib/dns/view.c =================================================================== --- head/contrib/bind9/lib/dns/view.c (revision 205291) +++ head/contrib/bind9/lib/dns/view.c (revision 205292) @@ -1,1469 +1,1474 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: view.c,v 1.150.84.3 2009/11/12 23:39:23 marka Exp $ */ +/* $Id: view.c,v 1.150.84.3.8.2 2010/02/25 10:57:12 tbox Exp $ */ /*! \file */ #include #include #include #include /* Required for HP/UX (and others?) */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #define RESSHUTDOWN(v) (((v)->attributes & DNS_VIEWATTR_RESSHUTDOWN) != 0) #define ADBSHUTDOWN(v) (((v)->attributes & DNS_VIEWATTR_ADBSHUTDOWN) != 0) #define REQSHUTDOWN(v) (((v)->attributes & DNS_VIEWATTR_REQSHUTDOWN) != 0) #define DNS_VIEW_DELONLYHASH 111 static void resolver_shutdown(isc_task_t *task, isc_event_t *event); static void adb_shutdown(isc_task_t *task, isc_event_t *event); static void req_shutdown(isc_task_t *task, isc_event_t *event); isc_result_t dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, const char *name, dns_view_t **viewp) { dns_view_t *view; isc_result_t result; /* * Create a view. */ REQUIRE(name != NULL); REQUIRE(viewp != NULL && *viewp == NULL); view = isc_mem_get(mctx, sizeof(*view)); if (view == NULL) return (ISC_R_NOMEMORY); view->name = isc_mem_strdup(mctx, name); if (view->name == NULL) { result = ISC_R_NOMEMORY; goto cleanup_view; } result = isc_mutex_init(&view->lock); if (result != ISC_R_SUCCESS) goto cleanup_name; view->zonetable = NULL; result = dns_zt_create(mctx, rdclass, &view->zonetable); if (result != ISC_R_SUCCESS) { UNEXPECTED_ERROR(__FILE__, __LINE__, "dns_zt_create() failed: %s", isc_result_totext(result)); result = ISC_R_UNEXPECTED; goto cleanup_mutex; } view->secroots = NULL; result = dns_keytable_create(mctx, &view->secroots); if (result != ISC_R_SUCCESS) { UNEXPECTED_ERROR(__FILE__, __LINE__, "dns_keytable_create() failed: %s", isc_result_totext(result)); result = ISC_R_UNEXPECTED; goto cleanup_zt; } view->trustedkeys = NULL; result = dns_keytable_create(mctx, &view->trustedkeys); if (result != ISC_R_SUCCESS) { UNEXPECTED_ERROR(__FILE__, __LINE__, "dns_keytable_create() failed: %s", isc_result_totext(result)); result = ISC_R_UNEXPECTED; goto cleanup_secroots; } view->fwdtable = NULL; result = dns_fwdtable_create(mctx, &view->fwdtable); if (result != ISC_R_SUCCESS) { UNEXPECTED_ERROR(__FILE__, __LINE__, "dns_fwdtable_create() failed: %s", isc_result_totext(result)); result = ISC_R_UNEXPECTED; goto cleanup_trustedkeys; } view->acache = NULL; view->cache = NULL; view->cachedb = NULL; view->dlzdatabase = NULL; view->hints = NULL; view->resolver = NULL; view->adb = NULL; view->requestmgr = NULL; view->mctx = mctx; view->rdclass = rdclass; view->frozen = ISC_FALSE; view->task = NULL; result = isc_refcount_init(&view->references, 1); if (result != ISC_R_SUCCESS) goto cleanup_fwdtable; view->weakrefs = 0; view->attributes = (DNS_VIEWATTR_RESSHUTDOWN|DNS_VIEWATTR_ADBSHUTDOWN| DNS_VIEWATTR_REQSHUTDOWN); view->statickeys = NULL; view->dynamickeys = NULL; view->matchclients = NULL; view->matchdestinations = NULL; view->matchrecursiveonly = ISC_FALSE; result = dns_tsigkeyring_create(view->mctx, &view->dynamickeys); if (result != ISC_R_SUCCESS) goto cleanup_references; view->peers = NULL; view->order = NULL; view->delonly = NULL; view->rootdelonly = ISC_FALSE; view->rootexclude = NULL; view->resstats = NULL; view->resquerystats = NULL; /* * Initialize configuration data with default values. */ view->recursion = ISC_TRUE; view->auth_nxdomain = ISC_FALSE; /* Was true in BIND 8 */ view->additionalfromcache = ISC_TRUE; view->additionalfromauth = ISC_TRUE; view->enablednssec = ISC_TRUE; view->enablevalidation = ISC_TRUE; view->acceptexpired = ISC_FALSE; view->minimalresponses = ISC_FALSE; view->transfer_format = dns_one_answer; view->queryacl = NULL; view->queryonacl = NULL; view->recursionacl = NULL; view->recursiononacl = NULL; view->sortlist = NULL; view->transferacl = NULL; view->notifyacl = NULL; view->updateacl = NULL; view->upfwdacl = NULL; view->requestixfr = ISC_TRUE; view->provideixfr = ISC_TRUE; view->maxcachettl = 7 * 24 * 3600; view->maxncachettl = 3 * 3600; view->dstport = 53; view->preferred_glue = 0; view->flush = ISC_FALSE; view->dlv = NULL; view->maxudp = 0; dns_fixedname_init(&view->dlv_fixed); result = dns_order_create(view->mctx, &view->order); if (result != ISC_R_SUCCESS) goto cleanup_dynkeys; result = dns_peerlist_new(view->mctx, &view->peers); if (result != ISC_R_SUCCESS) goto cleanup_order; result = dns_aclenv_init(view->mctx, &view->aclenv); if (result != ISC_R_SUCCESS) goto cleanup_peerlist; ISC_LINK_INIT(view, link); ISC_EVENT_INIT(&view->resevent, sizeof(view->resevent), 0, NULL, DNS_EVENT_VIEWRESSHUTDOWN, resolver_shutdown, view, NULL, NULL, NULL); ISC_EVENT_INIT(&view->adbevent, sizeof(view->adbevent), 0, NULL, DNS_EVENT_VIEWADBSHUTDOWN, adb_shutdown, view, NULL, NULL, NULL); ISC_EVENT_INIT(&view->reqevent, sizeof(view->reqevent), 0, NULL, DNS_EVENT_VIEWREQSHUTDOWN, req_shutdown, view, NULL, NULL, NULL); view->magic = DNS_VIEW_MAGIC; *viewp = view; return (ISC_R_SUCCESS); cleanup_peerlist: dns_peerlist_detach(&view->peers); cleanup_order: dns_order_detach(&view->order); cleanup_dynkeys: dns_tsigkeyring_destroy(&view->dynamickeys); cleanup_references: isc_refcount_destroy(&view->references); cleanup_fwdtable: dns_fwdtable_destroy(&view->fwdtable); cleanup_trustedkeys: dns_keytable_detach(&view->trustedkeys); cleanup_secroots: dns_keytable_detach(&view->secroots); cleanup_zt: dns_zt_detach(&view->zonetable); cleanup_mutex: DESTROYLOCK(&view->lock); cleanup_name: isc_mem_free(mctx, view->name); cleanup_view: isc_mem_put(mctx, view, sizeof(*view)); return (result); } static inline void destroy(dns_view_t *view) { REQUIRE(!ISC_LINK_LINKED(view, link)); REQUIRE(isc_refcount_current(&view->references) == 0); REQUIRE(view->weakrefs == 0); REQUIRE(RESSHUTDOWN(view)); REQUIRE(ADBSHUTDOWN(view)); REQUIRE(REQSHUTDOWN(view)); if (view->order != NULL) dns_order_detach(&view->order); if (view->peers != NULL) dns_peerlist_detach(&view->peers); if (view->dynamickeys != NULL) dns_tsigkeyring_destroy(&view->dynamickeys); if (view->statickeys != NULL) dns_tsigkeyring_destroy(&view->statickeys); if (view->adb != NULL) dns_adb_detach(&view->adb); if (view->resolver != NULL) dns_resolver_detach(&view->resolver); if (view->acache != NULL) { if (view->cachedb != NULL) dns_acache_putdb(view->acache, view->cachedb); dns_acache_detach(&view->acache); } if (view->requestmgr != NULL) dns_requestmgr_detach(&view->requestmgr); if (view->task != NULL) isc_task_detach(&view->task); if (view->hints != NULL) dns_db_detach(&view->hints); if (view->dlzdatabase != NULL) dns_dlzdestroy(&view->dlzdatabase); if (view->cachedb != NULL) dns_db_detach(&view->cachedb); if (view->cache != NULL) dns_cache_detach(&view->cache); if (view->matchclients != NULL) dns_acl_detach(&view->matchclients); if (view->matchdestinations != NULL) dns_acl_detach(&view->matchdestinations); if (view->queryacl != NULL) dns_acl_detach(&view->queryacl); if (view->queryonacl != NULL) dns_acl_detach(&view->queryonacl); if (view->recursionacl != NULL) dns_acl_detach(&view->recursionacl); if (view->recursiononacl != NULL) dns_acl_detach(&view->recursiononacl); if (view->sortlist != NULL) dns_acl_detach(&view->sortlist); if (view->transferacl != NULL) dns_acl_detach(&view->transferacl); if (view->notifyacl != NULL) dns_acl_detach(&view->notifyacl); if (view->updateacl != NULL) dns_acl_detach(&view->updateacl); if (view->upfwdacl != NULL) dns_acl_detach(&view->upfwdacl); if (view->delonly != NULL) { dns_name_t *name; int i; for (i = 0; i < DNS_VIEW_DELONLYHASH; i++) { name = ISC_LIST_HEAD(view->delonly[i]); while (name != NULL) { ISC_LIST_UNLINK(view->delonly[i], name, link); dns_name_free(name, view->mctx); isc_mem_put(view->mctx, name, sizeof(*name)); name = ISC_LIST_HEAD(view->delonly[i]); } } isc_mem_put(view->mctx, view->delonly, sizeof(dns_namelist_t) * DNS_VIEW_DELONLYHASH); view->delonly = NULL; } if (view->rootexclude != NULL) { dns_name_t *name; int i; for (i = 0; i < DNS_VIEW_DELONLYHASH; i++) { name = ISC_LIST_HEAD(view->rootexclude[i]); while (name != NULL) { ISC_LIST_UNLINK(view->rootexclude[i], name, link); dns_name_free(name, view->mctx); isc_mem_put(view->mctx, name, sizeof(*name)); name = ISC_LIST_HEAD(view->rootexclude[i]); } } isc_mem_put(view->mctx, view->rootexclude, sizeof(dns_namelist_t) * DNS_VIEW_DELONLYHASH); view->rootexclude = NULL; } if (view->resstats != NULL) isc_stats_detach(&view->resstats); if (view->resquerystats != NULL) dns_stats_detach(&view->resquerystats); dns_keytable_detach(&view->trustedkeys); dns_keytable_detach(&view->secroots); dns_fwdtable_destroy(&view->fwdtable); dns_aclenv_destroy(&view->aclenv); DESTROYLOCK(&view->lock); isc_refcount_destroy(&view->references); isc_mem_free(view->mctx, view->name); isc_mem_put(view->mctx, view, sizeof(*view)); } /* * Return true iff 'view' may be freed. * The caller must be holding the view lock. */ static isc_boolean_t all_done(dns_view_t *view) { if (isc_refcount_current(&view->references) == 0 && view->weakrefs == 0 && RESSHUTDOWN(view) && ADBSHUTDOWN(view) && REQSHUTDOWN(view)) return (ISC_TRUE); return (ISC_FALSE); } void dns_view_attach(dns_view_t *source, dns_view_t **targetp) { REQUIRE(DNS_VIEW_VALID(source)); REQUIRE(targetp != NULL && *targetp == NULL); isc_refcount_increment(&source->references, NULL); *targetp = source; } static void view_flushanddetach(dns_view_t **viewp, isc_boolean_t flush) { dns_view_t *view; unsigned int refs; isc_boolean_t done = ISC_FALSE; REQUIRE(viewp != NULL); view = *viewp; REQUIRE(DNS_VIEW_VALID(view)); if (flush) view->flush = ISC_TRUE; isc_refcount_decrement(&view->references, &refs); if (refs == 0) { LOCK(&view->lock); if (!RESSHUTDOWN(view)) dns_resolver_shutdown(view->resolver); if (!ADBSHUTDOWN(view)) dns_adb_shutdown(view->adb); if (!REQSHUTDOWN(view)) dns_requestmgr_shutdown(view->requestmgr); if (view->acache != NULL) dns_acache_shutdown(view->acache); if (view->flush) dns_zt_flushanddetach(&view->zonetable); else dns_zt_detach(&view->zonetable); done = all_done(view); UNLOCK(&view->lock); } *viewp = NULL; if (done) destroy(view); } void dns_view_flushanddetach(dns_view_t **viewp) { view_flushanddetach(viewp, ISC_TRUE); } void dns_view_detach(dns_view_t **viewp) { view_flushanddetach(viewp, ISC_FALSE); } static isc_result_t dialup(dns_zone_t *zone, void *dummy) { UNUSED(dummy); dns_zone_dialup(zone); return (ISC_R_SUCCESS); } void dns_view_dialup(dns_view_t *view) { REQUIRE(DNS_VIEW_VALID(view)); (void)dns_zt_apply(view->zonetable, ISC_FALSE, dialup, NULL); } void dns_view_weakattach(dns_view_t *source, dns_view_t **targetp) { REQUIRE(DNS_VIEW_VALID(source)); REQUIRE(targetp != NULL && *targetp == NULL); LOCK(&source->lock); source->weakrefs++; UNLOCK(&source->lock); *targetp = source; } void dns_view_weakdetach(dns_view_t **viewp) { dns_view_t *view; isc_boolean_t done = ISC_FALSE; REQUIRE(viewp != NULL); view = *viewp; REQUIRE(DNS_VIEW_VALID(view)); LOCK(&view->lock); INSIST(view->weakrefs > 0); view->weakrefs--; done = all_done(view); UNLOCK(&view->lock); *viewp = NULL; if (done) destroy(view); } static void resolver_shutdown(isc_task_t *task, isc_event_t *event) { dns_view_t *view = event->ev_arg; isc_boolean_t done; REQUIRE(event->ev_type == DNS_EVENT_VIEWRESSHUTDOWN); REQUIRE(DNS_VIEW_VALID(view)); REQUIRE(view->task == task); UNUSED(task); LOCK(&view->lock); view->attributes |= DNS_VIEWATTR_RESSHUTDOWN; done = all_done(view); UNLOCK(&view->lock); isc_event_free(&event); if (done) destroy(view); } static void adb_shutdown(isc_task_t *task, isc_event_t *event) { dns_view_t *view = event->ev_arg; isc_boolean_t done; REQUIRE(event->ev_type == DNS_EVENT_VIEWADBSHUTDOWN); REQUIRE(DNS_VIEW_VALID(view)); REQUIRE(view->task == task); UNUSED(task); LOCK(&view->lock); view->attributes |= DNS_VIEWATTR_ADBSHUTDOWN; done = all_done(view); UNLOCK(&view->lock); isc_event_free(&event); if (done) destroy(view); } static void req_shutdown(isc_task_t *task, isc_event_t *event) { dns_view_t *view = event->ev_arg; isc_boolean_t done; REQUIRE(event->ev_type == DNS_EVENT_VIEWREQSHUTDOWN); REQUIRE(DNS_VIEW_VALID(view)); REQUIRE(view->task == task); UNUSED(task); LOCK(&view->lock); view->attributes |= DNS_VIEWATTR_REQSHUTDOWN; done = all_done(view); UNLOCK(&view->lock); isc_event_free(&event); if (done) destroy(view); } isc_result_t dns_view_createresolver(dns_view_t *view, isc_taskmgr_t *taskmgr, unsigned int ntasks, isc_socketmgr_t *socketmgr, isc_timermgr_t *timermgr, unsigned int options, dns_dispatchmgr_t *dispatchmgr, dns_dispatch_t *dispatchv4, dns_dispatch_t *dispatchv6) { isc_result_t result; isc_event_t *event; isc_mem_t *mctx = NULL; REQUIRE(DNS_VIEW_VALID(view)); REQUIRE(!view->frozen); REQUIRE(view->resolver == NULL); result = isc_task_create(taskmgr, 0, &view->task); if (result != ISC_R_SUCCESS) return (result); isc_task_setname(view->task, "view", view); result = dns_resolver_create(view, taskmgr, ntasks, socketmgr, timermgr, options, dispatchmgr, dispatchv4, dispatchv6, &view->resolver); if (result != ISC_R_SUCCESS) { isc_task_detach(&view->task); return (result); } event = &view->resevent; dns_resolver_whenshutdown(view->resolver, view->task, &event); view->attributes &= ~DNS_VIEWATTR_RESSHUTDOWN; result = isc_mem_create(0, 0, &mctx); if (result != ISC_R_SUCCESS) { dns_resolver_shutdown(view->resolver); return (result); } result = dns_adb_create(mctx, view, timermgr, taskmgr, &view->adb); isc_mem_setname(mctx, "ADB", NULL); isc_mem_detach(&mctx); if (result != ISC_R_SUCCESS) { dns_resolver_shutdown(view->resolver); return (result); } event = &view->adbevent; dns_adb_whenshutdown(view->adb, view->task, &event); view->attributes &= ~DNS_VIEWATTR_ADBSHUTDOWN; result = dns_requestmgr_create(view->mctx, timermgr, socketmgr, dns_resolver_taskmgr(view->resolver), dns_resolver_dispatchmgr(view->resolver), dns_resolver_dispatchv4(view->resolver), dns_resolver_dispatchv6(view->resolver), &view->requestmgr); if (result != ISC_R_SUCCESS) { dns_adb_shutdown(view->adb); dns_resolver_shutdown(view->resolver); return (result); } event = &view->reqevent; dns_requestmgr_whenshutdown(view->requestmgr, view->task, &event); view->attributes &= ~DNS_VIEWATTR_REQSHUTDOWN; return (ISC_R_SUCCESS); } void dns_view_setcache(dns_view_t *view, dns_cache_t *cache) { REQUIRE(DNS_VIEW_VALID(view)); REQUIRE(!view->frozen); if (view->cache != NULL) { if (view->acache != NULL) dns_acache_putdb(view->acache, view->cachedb); dns_db_detach(&view->cachedb); dns_cache_detach(&view->cache); } dns_cache_attach(cache, &view->cache); dns_cache_attachdb(cache, &view->cachedb); INSIST(DNS_DB_VALID(view->cachedb)); if (view->acache != NULL) dns_acache_setdb(view->acache, view->cachedb); } void dns_view_sethints(dns_view_t *view, dns_db_t *hints) { REQUIRE(DNS_VIEW_VALID(view)); REQUIRE(!view->frozen); REQUIRE(view->hints == NULL); REQUIRE(dns_db_iszone(hints)); dns_db_attach(hints, &view->hints); } void dns_view_setkeyring(dns_view_t *view, dns_tsig_keyring_t *ring) { REQUIRE(DNS_VIEW_VALID(view)); REQUIRE(ring != NULL); if (view->statickeys != NULL) dns_tsigkeyring_destroy(&view->statickeys); view->statickeys = ring; } void dns_view_setdstport(dns_view_t *view, in_port_t dstport) { REQUIRE(DNS_VIEW_VALID(view)); view->dstport = dstport; } isc_result_t dns_view_addzone(dns_view_t *view, dns_zone_t *zone) { isc_result_t result; REQUIRE(DNS_VIEW_VALID(view)); REQUIRE(!view->frozen); result = dns_zt_mount(view->zonetable, zone); return (result); } void dns_view_freeze(dns_view_t *view) { REQUIRE(DNS_VIEW_VALID(view)); REQUIRE(!view->frozen); if (view->resolver != NULL) { INSIST(view->cachedb != NULL); dns_resolver_freeze(view->resolver); } view->frozen = ISC_TRUE; } isc_result_t dns_view_findzone(dns_view_t *view, dns_name_t *name, dns_zone_t **zonep) { isc_result_t result; REQUIRE(DNS_VIEW_VALID(view)); result = dns_zt_find(view->zonetable, name, 0, NULL, zonep); if (result == DNS_R_PARTIALMATCH) { dns_zone_detach(zonep); result = ISC_R_NOTFOUND; } return (result); } isc_result_t dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, isc_stdtime_t now, unsigned int options, isc_boolean_t use_hints, dns_db_t **dbp, dns_dbnode_t **nodep, dns_name_t *foundname, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { isc_result_t result; dns_db_t *db, *zdb; dns_dbnode_t *node, *znode; isc_boolean_t is_cache; dns_rdataset_t zrdataset, zsigrdataset; dns_zone_t *zone; /* * Find an rdataset whose owner name is 'name', and whose type is * 'type'. */ REQUIRE(DNS_VIEW_VALID(view)); REQUIRE(view->frozen); REQUIRE(type != dns_rdatatype_rrsig); REQUIRE(rdataset != NULL); /* XXXBEW - remove this */ REQUIRE(nodep == NULL || *nodep == NULL); /* * Initialize. */ dns_rdataset_init(&zrdataset); dns_rdataset_init(&zsigrdataset); zdb = NULL; znode = NULL; /* * Find a database to answer the query. */ zone = NULL; db = NULL; node = NULL; result = dns_zt_find(view->zonetable, name, 0, NULL, &zone); if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) { result = dns_zone_getdb(zone, &db); if (result != ISC_R_SUCCESS && view->cachedb != NULL) dns_db_attach(view->cachedb, &db); else if (result != ISC_R_SUCCESS) goto cleanup; } else if (result == ISC_R_NOTFOUND && view->cachedb != NULL) dns_db_attach(view->cachedb, &db); else goto cleanup; is_cache = dns_db_iscache(db); db_find: /* * Now look for an answer in the database. */ result = dns_db_find(db, name, NULL, type, options, now, &node, foundname, rdataset, sigrdataset); if (result == DNS_R_DELEGATION || result == ISC_R_NOTFOUND) { if (dns_rdataset_isassociated(rdataset)) dns_rdataset_disassociate(rdataset); if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) dns_rdataset_disassociate(sigrdataset); if (node != NULL) dns_db_detachnode(db, &node); if (!is_cache) { dns_db_detach(&db); if (view->cachedb != NULL) { /* * Either the answer is in the cache, or we * don't know it. */ is_cache = ISC_TRUE; dns_db_attach(view->cachedb, &db); goto db_find; } } else { /* * We don't have the data in the cache. If we've got * glue from the zone, use it. */ if (dns_rdataset_isassociated(&zrdataset)) { dns_rdataset_clone(&zrdataset, rdataset); if (sigrdataset != NULL && dns_rdataset_isassociated(&zsigrdataset)) dns_rdataset_clone(&zsigrdataset, sigrdataset); result = DNS_R_GLUE; if (db != NULL) dns_db_detach(&db); dns_db_attach(zdb, &db); dns_db_attachnode(db, znode, &node); goto cleanup; } } /* * We don't know the answer. */ result = ISC_R_NOTFOUND; } else if (result == DNS_R_GLUE) { if (view->cachedb != NULL) { /* * We found an answer, but the cache may be better. * Remember what we've got and go look in the cache. */ is_cache = ISC_TRUE; dns_rdataset_clone(rdataset, &zrdataset); dns_rdataset_disassociate(rdataset); if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) { dns_rdataset_clone(sigrdataset, &zsigrdataset); dns_rdataset_disassociate(sigrdataset); } dns_db_attach(db, &zdb); dns_db_attachnode(zdb, node, &znode); dns_db_detachnode(db, &node); dns_db_detach(&db); dns_db_attach(view->cachedb, &db); goto db_find; } /* * Otherwise, the glue is the best answer. */ result = ISC_R_SUCCESS; } if (result == ISC_R_NOTFOUND && use_hints && view->hints != NULL) { if (dns_rdataset_isassociated(rdataset)) dns_rdataset_disassociate(rdataset); if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) dns_rdataset_disassociate(sigrdataset); if (db != NULL) { if (node != NULL) dns_db_detachnode(db, &node); dns_db_detach(&db); } result = dns_db_find(view->hints, name, NULL, type, options, now, &node, foundname, rdataset, sigrdataset); if (result == ISC_R_SUCCESS || result == DNS_R_GLUE) { /* * We just used a hint. Let the resolver know it * should consider priming. */ dns_resolver_prime(view->resolver); dns_db_attach(view->hints, &db); result = DNS_R_HINT; } else if (result == DNS_R_NXRRSET) { dns_db_attach(view->hints, &db); result = DNS_R_HINTNXRRSET; } else if (result == DNS_R_NXDOMAIN) result = ISC_R_NOTFOUND; /* * Cleanup if non-standard hints are used. */ if (db == NULL && node != NULL) dns_db_detachnode(view->hints, &node); } cleanup: if (dns_rdataset_isassociated(&zrdataset)) { dns_rdataset_disassociate(&zrdataset); if (dns_rdataset_isassociated(&zsigrdataset)) dns_rdataset_disassociate(&zsigrdataset); } if (zdb != NULL) { if (znode != NULL) dns_db_detachnode(zdb, &znode); dns_db_detach(&zdb); } if (db != NULL) { if (node != NULL) { if (nodep != NULL) *nodep = node; else dns_db_detachnode(db, &node); } if (dbp != NULL) *dbp = db; else dns_db_detach(&db); } else INSIST(node == NULL); if (zone != NULL) dns_zone_detach(&zone); return (result); } isc_result_t dns_view_simplefind(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, isc_stdtime_t now, unsigned int options, isc_boolean_t use_hints, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { isc_result_t result; dns_fixedname_t foundname; dns_fixedname_init(&foundname); result = dns_view_find(view, name, type, now, options, use_hints, NULL, NULL, dns_fixedname_name(&foundname), rdataset, sigrdataset); if (result == DNS_R_NXDOMAIN) { /* * The rdataset and sigrdataset of the relevant NSEC record * may be returned, but the caller cannot use them because * foundname is not returned by this simplified API. We * disassociate them here to prevent any misuse by the caller. */ if (dns_rdataset_isassociated(rdataset)) dns_rdataset_disassociate(rdataset); if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) dns_rdataset_disassociate(sigrdataset); } else if (result != ISC_R_SUCCESS && result != DNS_R_GLUE && result != DNS_R_HINT && result != DNS_R_NCACHENXDOMAIN && result != DNS_R_NCACHENXRRSET && result != DNS_R_NXRRSET && result != DNS_R_HINTNXRRSET && result != ISC_R_NOTFOUND) { if (dns_rdataset_isassociated(rdataset)) dns_rdataset_disassociate(rdataset); if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) dns_rdataset_disassociate(sigrdataset); result = ISC_R_NOTFOUND; } return (result); } isc_result_t dns_view_findzonecut(dns_view_t *view, dns_name_t *name, dns_name_t *fname, isc_stdtime_t now, unsigned int options, isc_boolean_t use_hints, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { return(dns_view_findzonecut2(view, name, fname, now, options, use_hints, ISC_TRUE, rdataset, sigrdataset)); } isc_result_t dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname, isc_stdtime_t now, unsigned int options, isc_boolean_t use_hints, isc_boolean_t use_cache, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { isc_result_t result; dns_db_t *db; isc_boolean_t is_cache, use_zone, try_hints; dns_zone_t *zone; dns_name_t *zfname; dns_rdataset_t zrdataset, zsigrdataset; dns_fixedname_t zfixedname; REQUIRE(DNS_VIEW_VALID(view)); REQUIRE(view->frozen); db = NULL; zone = NULL; use_zone = ISC_FALSE; try_hints = ISC_FALSE; zfname = NULL; /* * Initialize. */ dns_fixedname_init(&zfixedname); dns_rdataset_init(&zrdataset); dns_rdataset_init(&zsigrdataset); /* * Find the right database. */ result = dns_zt_find(view->zonetable, name, 0, NULL, &zone); if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) result = dns_zone_getdb(zone, &db); if (result == ISC_R_NOTFOUND) { /* * We're not directly authoritative for this query name, nor * is it a subdomain of any zone for which we're * authoritative. */ if (use_cache && view->cachedb != NULL) { /* * We have a cache; try it. */ dns_db_attach(view->cachedb, &db); } else { /* * Maybe we have hints... */ try_hints = ISC_TRUE; goto finish; } } else if (result != ISC_R_SUCCESS) { /* * Something is broken. */ goto cleanup; } is_cache = dns_db_iscache(db); db_find: /* * Look for the zonecut. */ if (!is_cache) { result = dns_db_find(db, name, NULL, dns_rdatatype_ns, options, now, NULL, fname, rdataset, sigrdataset); if (result == DNS_R_DELEGATION) result = ISC_R_SUCCESS; else if (result != ISC_R_SUCCESS) goto cleanup; if (use_cache && view->cachedb != NULL && db != view->hints) { /* * We found an answer, but the cache may be better. */ zfname = dns_fixedname_name(&zfixedname); result = dns_name_copy(fname, zfname, NULL); if (result != ISC_R_SUCCESS) goto cleanup; dns_rdataset_clone(rdataset, &zrdataset); dns_rdataset_disassociate(rdataset); if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) { dns_rdataset_clone(sigrdataset, &zsigrdataset); dns_rdataset_disassociate(sigrdataset); } dns_db_detach(&db); dns_db_attach(view->cachedb, &db); is_cache = ISC_TRUE; goto db_find; } } else { result = dns_db_findzonecut(db, name, options, now, NULL, fname, rdataset, sigrdataset); if (result == ISC_R_SUCCESS) { if (zfname != NULL && !dns_name_issubdomain(fname, zfname)) { /* * We found a zonecut in the cache, but our * zone delegation is better. */ use_zone = ISC_TRUE; } } else if (result == ISC_R_NOTFOUND) { if (zfname != NULL) { /* * We didn't find anything in the cache, but we * have a zone delegation, so use it. */ use_zone = ISC_TRUE; } else { /* * Maybe we have hints... */ try_hints = ISC_TRUE; } } else { /* * Something bad happened. */ goto cleanup; } } finish: if (use_zone) { if (dns_rdataset_isassociated(rdataset)) { dns_rdataset_disassociate(rdataset); if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) dns_rdataset_disassociate(sigrdataset); } result = dns_name_copy(zfname, fname, NULL); if (result != ISC_R_SUCCESS) goto cleanup; dns_rdataset_clone(&zrdataset, rdataset); if (sigrdataset != NULL && dns_rdataset_isassociated(&zrdataset)) dns_rdataset_clone(&zsigrdataset, sigrdataset); } else if (try_hints && use_hints && view->hints != NULL) { /* * We've found nothing so far, but we have hints. */ result = dns_db_find(view->hints, dns_rootname, NULL, dns_rdatatype_ns, 0, now, NULL, fname, rdataset, NULL); if (result != ISC_R_SUCCESS) { /* * We can't even find the hints for the root * nameservers! */ if (dns_rdataset_isassociated(rdataset)) dns_rdataset_disassociate(rdataset); result = ISC_R_NOTFOUND; } } cleanup: if (dns_rdataset_isassociated(&zrdataset)) { dns_rdataset_disassociate(&zrdataset); if (dns_rdataset_isassociated(&zsigrdataset)) dns_rdataset_disassociate(&zsigrdataset); } if (db != NULL) dns_db_detach(&db); if (zone != NULL) dns_zone_detach(&zone); return (result); } isc_result_t dns_viewlist_find(dns_viewlist_t *list, const char *name, dns_rdataclass_t rdclass, dns_view_t **viewp) { dns_view_t *view; REQUIRE(list != NULL); for (view = ISC_LIST_HEAD(*list); view != NULL; view = ISC_LIST_NEXT(view, link)) { if (strcmp(view->name, name) == 0 && view->rdclass == rdclass) break; } if (view == NULL) return (ISC_R_NOTFOUND); dns_view_attach(view, viewp); return (ISC_R_SUCCESS); } isc_result_t dns_viewlist_findzone(dns_viewlist_t *list, dns_name_t *name, isc_boolean_t allclasses, dns_rdataclass_t rdclass, dns_zone_t **zonep) { dns_view_t *view; isc_result_t result; dns_zone_t *zone1 = NULL, *zone2 = NULL; dns_zone_t **zp = NULL;; REQUIRE(list != NULL); for (view = ISC_LIST_HEAD(*list); view != NULL; view = ISC_LIST_NEXT(view, link)) { if (allclasses == ISC_FALSE && view->rdclass != rdclass) continue; /* * If the zone is defined in more than one view, * treat it as not found. */ zp = (zone1 == NULL) ? &zone1 : &zone2; result = dns_zt_find(view->zonetable, name, 0, NULL, zp); INSIST(result == ISC_R_SUCCESS || result == ISC_R_NOTFOUND || result == DNS_R_PARTIALMATCH); /* Treat a partial match as no match */ if (result == DNS_R_PARTIALMATCH) { dns_zone_detach(zp); result = ISC_R_NOTFOUND; } if (zone2 != NULL) { dns_zone_detach(&zone1); dns_zone_detach(&zone2); return (ISC_R_NOTFOUND); } } if (zone1 != NULL) { dns_zone_attach(zone1, zonep); dns_zone_detach(&zone1); return (ISC_R_SUCCESS); } return (ISC_R_NOTFOUND); } isc_result_t dns_view_load(dns_view_t *view, isc_boolean_t stop) { REQUIRE(DNS_VIEW_VALID(view)); return (dns_zt_load(view->zonetable, stop)); } isc_result_t dns_view_loadnew(dns_view_t *view, isc_boolean_t stop) { REQUIRE(DNS_VIEW_VALID(view)); return (dns_zt_loadnew(view->zonetable, stop)); } isc_result_t dns_view_gettsig(dns_view_t *view, dns_name_t *keyname, dns_tsigkey_t **keyp) { isc_result_t result; REQUIRE(keyp != NULL && *keyp == NULL); result = dns_tsigkey_find(keyp, keyname, NULL, view->statickeys); if (result == ISC_R_NOTFOUND) result = dns_tsigkey_find(keyp, keyname, NULL, view->dynamickeys); return (result); } isc_result_t dns_view_getpeertsig(dns_view_t *view, isc_netaddr_t *peeraddr, dns_tsigkey_t **keyp) { isc_result_t result; dns_name_t *keyname = NULL; dns_peer_t *peer = NULL; result = dns_peerlist_peerbyaddr(view->peers, peeraddr, &peer); if (result != ISC_R_SUCCESS) return (result); result = dns_peer_getkey(peer, &keyname); if (result != ISC_R_SUCCESS) return (result); result = dns_view_gettsig(view, keyname, keyp); return ((result == ISC_R_NOTFOUND) ? ISC_R_FAILURE : result); } isc_result_t dns_view_checksig(dns_view_t *view, isc_buffer_t *source, dns_message_t *msg) { REQUIRE(DNS_VIEW_VALID(view)); REQUIRE(source != NULL); return (dns_tsig_verify(source, msg, view->statickeys, view->dynamickeys)); } isc_result_t dns_view_dumpdbtostream(dns_view_t *view, FILE *fp) { isc_result_t result; REQUIRE(DNS_VIEW_VALID(view)); (void)fprintf(fp, ";\n; Cache dump of view '%s'\n;\n", view->name); result = dns_master_dumptostream(view->mctx, view->cachedb, NULL, - &dns_master_style_cache, fp); + &dns_master_style_cache, fp); if (result != ISC_R_SUCCESS) return (result); dns_adb_dump(view->adb, fp); + dns_resolver_printbadcache(view->resolver, fp); return (ISC_R_SUCCESS); } isc_result_t dns_view_flushcache(dns_view_t *view) { isc_result_t result; REQUIRE(DNS_VIEW_VALID(view)); if (view->cachedb == NULL) return (ISC_R_SUCCESS); result = dns_cache_flush(view->cache); if (result != ISC_R_SUCCESS) return (result); if (view->acache != NULL) dns_acache_putdb(view->acache, view->cachedb); dns_db_detach(&view->cachedb); dns_cache_attachdb(view->cache, &view->cachedb); if (view->acache != NULL) dns_acache_setdb(view->acache, view->cachedb); + if (view->resolver != NULL) + dns_resolver_flushbadcache(view->resolver, NULL); dns_adb_flush(view->adb); return (ISC_R_SUCCESS); } isc_result_t dns_view_flushname(dns_view_t *view, dns_name_t *name) { REQUIRE(DNS_VIEW_VALID(view)); if (view->adb != NULL) dns_adb_flushname(view->adb, name); if (view->cache == NULL) return (ISC_R_SUCCESS); + if (view->resolver != NULL) + dns_resolver_flushbadcache(view->resolver, name); return (dns_cache_flushname(view->cache, name)); } isc_result_t dns_view_adddelegationonly(dns_view_t *view, dns_name_t *name) { isc_result_t result; dns_name_t *new; isc_uint32_t hash; REQUIRE(DNS_VIEW_VALID(view)); if (view->delonly == NULL) { view->delonly = isc_mem_get(view->mctx, sizeof(dns_namelist_t) * DNS_VIEW_DELONLYHASH); if (view->delonly == NULL) return (ISC_R_NOMEMORY); for (hash = 0; hash < DNS_VIEW_DELONLYHASH; hash++) ISC_LIST_INIT(view->delonly[hash]); } hash = dns_name_hash(name, ISC_FALSE) % DNS_VIEW_DELONLYHASH; new = ISC_LIST_HEAD(view->delonly[hash]); while (new != NULL && !dns_name_equal(new, name)) new = ISC_LIST_NEXT(new, link); if (new != NULL) return (ISC_R_SUCCESS); new = isc_mem_get(view->mctx, sizeof(*new)); if (new == NULL) return (ISC_R_NOMEMORY); dns_name_init(new, NULL); result = dns_name_dup(name, view->mctx, new); if (result == ISC_R_SUCCESS) ISC_LIST_APPEND(view->delonly[hash], new, link); else isc_mem_put(view->mctx, new, sizeof(*new)); return (result); } isc_result_t dns_view_excludedelegationonly(dns_view_t *view, dns_name_t *name) { isc_result_t result; dns_name_t *new; isc_uint32_t hash; REQUIRE(DNS_VIEW_VALID(view)); if (view->rootexclude == NULL) { view->rootexclude = isc_mem_get(view->mctx, sizeof(dns_namelist_t) * DNS_VIEW_DELONLYHASH); if (view->rootexclude == NULL) return (ISC_R_NOMEMORY); for (hash = 0; hash < DNS_VIEW_DELONLYHASH; hash++) ISC_LIST_INIT(view->rootexclude[hash]); } hash = dns_name_hash(name, ISC_FALSE) % DNS_VIEW_DELONLYHASH; new = ISC_LIST_HEAD(view->rootexclude[hash]); while (new != NULL && !dns_name_equal(new, name)) new = ISC_LIST_NEXT(new, link); if (new != NULL) return (ISC_R_SUCCESS); new = isc_mem_get(view->mctx, sizeof(*new)); if (new == NULL) return (ISC_R_NOMEMORY); dns_name_init(new, NULL); result = dns_name_dup(name, view->mctx, new); if (result == ISC_R_SUCCESS) ISC_LIST_APPEND(view->rootexclude[hash], new, link); else isc_mem_put(view->mctx, new, sizeof(*new)); return (result); } isc_boolean_t dns_view_isdelegationonly(dns_view_t *view, dns_name_t *name) { dns_name_t *new; isc_uint32_t hash; REQUIRE(DNS_VIEW_VALID(view)); if (!view->rootdelonly && view->delonly == NULL) return (ISC_FALSE); hash = dns_name_hash(name, ISC_FALSE) % DNS_VIEW_DELONLYHASH; if (view->rootdelonly && dns_name_countlabels(name) <= 2) { if (view->rootexclude == NULL) return (ISC_TRUE); new = ISC_LIST_HEAD(view->rootexclude[hash]); while (new != NULL && !dns_name_equal(new, name)) new = ISC_LIST_NEXT(new, link); if (new == NULL) return (ISC_TRUE); } if (view->delonly == NULL) return (ISC_FALSE); new = ISC_LIST_HEAD(view->delonly[hash]); while (new != NULL && !dns_name_equal(new, name)) new = ISC_LIST_NEXT(new, link); if (new == NULL) return (ISC_FALSE); return (ISC_TRUE); } void dns_view_setrootdelonly(dns_view_t *view, isc_boolean_t value) { REQUIRE(DNS_VIEW_VALID(view)); view->rootdelonly = value; } isc_boolean_t dns_view_getrootdelonly(dns_view_t *view) { REQUIRE(DNS_VIEW_VALID(view)); return (view->rootdelonly); } isc_result_t dns_view_freezezones(dns_view_t *view, isc_boolean_t value) { REQUIRE(DNS_VIEW_VALID(view)); return (dns_zt_freezezones(view->zonetable, value)); } void dns_view_setresstats(dns_view_t *view, isc_stats_t *stats) { REQUIRE(DNS_VIEW_VALID(view)); REQUIRE(!view->frozen); REQUIRE(view->resstats == NULL); isc_stats_attach(stats, &view->resstats); } void dns_view_getresstats(dns_view_t *view, isc_stats_t **statsp) { REQUIRE(DNS_VIEW_VALID(view)); REQUIRE(statsp != NULL && *statsp == NULL); if (view->resstats != NULL) isc_stats_attach(view->resstats, statsp); } void dns_view_setresquerystats(dns_view_t *view, dns_stats_t *stats) { REQUIRE(DNS_VIEW_VALID(view)); REQUIRE(!view->frozen); REQUIRE(view->resquerystats == NULL); dns_stats_attach(stats, &view->resquerystats); } void dns_view_getresquerystats(dns_view_t *view, dns_stats_t **statsp) { REQUIRE(DNS_VIEW_VALID(view)); REQUIRE(statsp != NULL && *statsp == NULL); if (view->resquerystats != NULL) dns_stats_attach(view->resquerystats, statsp); } Index: head/contrib/bind9/lib/lwres/man/lwres.html =================================================================== --- head/contrib/bind9/lib/lwres/man/lwres.html (revision 205291) +++ head/contrib/bind9/lib/lwres/man/lwres.html (revision 205292) @@ -1,218 +1,218 @@ - + lwres
-
+

Name

lwres — introduction to the lightweight resolver library

Synopsis

#include <lwres/lwres.h>
-

DESCRIPTION

+

DESCRIPTION

The BIND 9 lightweight resolver library is a simple, name service independent stub resolver library. It provides hostname-to-address and address-to-hostname lookup services to applications by transmitting lookup requests to a resolver daemon lwresd running on the local host. The resover daemon performs the lookup using the DNS or possibly other name service protocols, and returns the results to the application through the library. The library and resolver daemon communicate using a simple UDP-based protocol.

-

OVERVIEW

+

OVERVIEW

The lwresd library implements multiple name service APIs. The standard gethostbyname(), gethostbyaddr(), gethostbyname_r(), gethostbyaddr_r(), getaddrinfo(), getipnodebyname(), and getipnodebyaddr() functions are all supported. To allow the lwres library to coexist with system libraries that define functions of the same name, the library defines these functions with names prefixed by lwres_. To define the standard names, applications must include the header file <lwres/netdb.h> which contains macro definitions mapping the standard function names into lwres_ prefixed ones. Operating system vendors who integrate the lwres library into their base distributions should rename the functions in the library proper so that the renaming macros are not needed.

The library also provides a native API consisting of the functions lwres_getaddrsbyname() and lwres_getnamebyaddr(). These may be called by applications that require more detailed control over the lookup process than the standard functions provide.

In addition to these name service independent address lookup functions, the library implements a new, experimental API for looking up arbitrary DNS resource records, using the lwres_getaddrsbyname() function.

Finally, there is a low-level API for converting lookup requests and responses to and from raw lwres protocol packets. This API can be used by clients requiring nonblocking operation, and is also used when implementing the server side of the lwres protocol, for example in the lwresd resolver daemon. The use of this low-level API in clients and servers is outlined in the following sections.

-

CLIENT-SIDE LOW-LEVEL API CALL FLOW

+

CLIENT-SIDE LOW-LEVEL API CALL FLOW

When a client program wishes to make an lwres request using the native low-level API, it typically performs the following sequence of actions.

(1) Allocate or use an existing lwres_packet_t, called pkt below.

(2) Set pkt.recvlength to the maximum length we will accept. This is done so the receiver of our packets knows how large our receive buffer is. The "default" is a constant in lwres.h: LWRES_RECVLENGTH = 4096.

(3) Set pkt.serial to a unique serial number. This value is echoed back to the application by the remote server.

(4) Set pkt.pktflags. Usually this is set to 0.

(5) Set pkt.result to 0.

(6) Call lwres_*request_render(), or marshall in the data using the primitives such as lwres_packet_render() and storing the packet data.

(7) Transmit the resulting buffer.

(8) Call lwres_*response_parse() to parse any packets received.

(9) Verify that the opcode and serial match a request, and process the packet specific information contained in the body.

-

SERVER-SIDE LOW-LEVEL API CALL FLOW

+

SERVER-SIDE LOW-LEVEL API CALL FLOW

When implementing the server side of the lightweight resolver protocol using the lwres library, a sequence of actions like the following is typically involved in processing each request packet.

Note that the same lwres_packet_t is used in both the _parse() and _render() calls, with only a few modifications made to the packet header's contents between uses. This method is recommended as it keeps the serial, opcode, and other fields correct.

(1) When a packet is received, call lwres_*request_parse() to unmarshall it. This returns a lwres_packet_t (also called pkt, below) as well as a data specific type, such as lwres_gabnrequest_t.

(2) Process the request in the data specific type.

(3) Set the pkt.result, pkt.recvlength as above. All other fields can be left untouched since they were filled in by the *_parse() call above. If using lwres_*response_render(), pkt.pktflags will be set up properly. Otherwise, the LWRES_LWPACKETFLAG_RESPONSE bit should be set.

(4) Call the data specific rendering function, such as lwres_gabnresponse_render().

(5) Send the resulting packet to the client.

-

SEE ALSO

+

SEE ALSO

lwres_gethostent(3), lwres_getipnode(3), lwres_getnameinfo(3), lwres_noop(3), lwres_gabn(3), lwres_gnba(3), lwres_context(3), lwres_config(3), resolver(5), lwresd(8).

Index: head/contrib/bind9/lib/lwres/man/lwres_buffer.html =================================================================== --- head/contrib/bind9/lib/lwres/man/lwres_buffer.html (revision 205291) +++ head/contrib/bind9/lib/lwres/man/lwres_buffer.html (revision 205292) @@ -1,455 +1,455 @@ - + lwres_buffer
-
+

Name

lwres_buffer_init, lwres_buffer_invalidate, lwres_buffer_add, lwres_buffer_subtract, lwres_buffer_clear, lwres_buffer_first, lwres_buffer_forward, lwres_buffer_back, lwres_buffer_getuint8, lwres_buffer_putuint8, lwres_buffer_getuint16, lwres_buffer_putuint16, lwres_buffer_getuint32, lwres_buffer_putuint32, lwres_buffer_putmem, lwres_buffer_getmem — lightweight resolver buffer management

Synopsis

 #include <lwres/lwbuffer.h>
void lwres_buffer_init( lwres_buffer_t *  b,
  void *  base,
  unsigned int   length);
void lwres_buffer_invalidate( lwres_buffer_t *  b);
void lwres_buffer_add( lwres_buffer_t *  b,
  unsigned int   n);
void lwres_buffer_subtract( lwres_buffer_t *  b,
  unsigned int   n);
void lwres_buffer_clear( lwres_buffer_t *  b);
void lwres_buffer_first( lwres_buffer_t *  b);
void lwres_buffer_forward( lwres_buffer_t *  b,
  unsigned int   n);
void lwres_buffer_back( lwres_buffer_t *  b,
  unsigned int   n);
lwres_uint8_t lwres_buffer_getuint8( lwres_buffer_t *  b);
void lwres_buffer_putuint8( lwres_buffer_t *  b,
  lwres_uint8_t   val);
lwres_uint16_t lwres_buffer_getuint16( lwres_buffer_t *  b);
void lwres_buffer_putuint16( lwres_buffer_t *  b,
  lwres_uint16_t   val);
lwres_uint32_t lwres_buffer_getuint32( lwres_buffer_t *  b);
void lwres_buffer_putuint32( lwres_buffer_t *  b,
  lwres_uint32_t   val);
void lwres_buffer_putmem( lwres_buffer_t *  b,
  const unsigned char *  base,
  unsigned int   length);
void lwres_buffer_getmem( lwres_buffer_t *  b,
  unsigned char *  base,
  unsigned int   length);
-

DESCRIPTION

+

DESCRIPTION

These functions provide bounds checked access to a region of memory where data is being read or written. They are based on, and similar to, the isc_buffer_ functions in the ISC library.

A buffer is a region of memory, together with a set of related subregions. The used region and the available region are disjoint, and their union is the buffer's region. The used region extends from the beginning of the buffer region to the last used byte. The available region extends from one byte greater than the last used byte to the end of the buffer's region. The size of the used region can be changed using various buffer commands. Initially, the used region is empty.

The used region is further subdivided into two disjoint regions: the consumed region and the remaining region. The union of these two regions is the used region. The consumed region extends from the beginning of the used region to the byte before the current offset (if any). The remaining region the current pointer to the end of the used region. The size of the consumed region can be changed using various buffer commands. Initially, the consumed region is empty.

The active region is an (optional) subregion of the remaining region. It extends from the current offset to an offset in the remaining region. Initially, the active region is empty. If the current offset advances beyond the chosen offset, the active region will also be empty. 

    /------------entire length---------------\\
    /----- used region -----\\/-- available --\\
    +----------------------------------------+
    | consumed  | remaining |                |
    +----------------------------------------+
    a           b     c     d                e
       

   a == base of buffer.
   b == current pointer.  Can be anywhere between a and d.
   c == active pointer.  Meaningful between b and d.
   d == used pointer.
   e == length of buffer.
       

   a-e == entire length of buffer.
   a-d == used region.
   a-b == consumed region.
   b-d == remaining region.
   b-c == optional active region.

lwres_buffer_init() initializes the lwres_buffer_t *b and assocates it with the memory region of size length bytes starting at location base.

lwres_buffer_invalidate() marks the buffer *b as invalid. Invalidating a buffer after use is not required, but makes it possible to catch its possible accidental use.

The functions lwres_buffer_add() and lwres_buffer_subtract() respectively increase and decrease the used space in buffer *b by n bytes. lwres_buffer_add() checks for buffer overflow and lwres_buffer_subtract() checks for underflow. These functions do not allocate or deallocate memory. They just change the value of used.

A buffer is re-initialised by lwres_buffer_clear(). The function sets used, current and active to zero.

lwres_buffer_first makes the consumed region of buffer *p empty by setting current to zero (the start of the buffer).

lwres_buffer_forward() increases the consumed region of buffer *b by n bytes, checking for overflow. Similarly, lwres_buffer_back() decreases buffer b's consumed region by n bytes and checks for underflow.

lwres_buffer_getuint8() reads an unsigned 8-bit integer from *b and returns it. lwres_buffer_putuint8() writes the unsigned 8-bit integer val to buffer *b.

lwres_buffer_getuint16() and lwres_buffer_getuint32() are identical to lwres_buffer_putuint8() except that they respectively read an unsigned 16-bit or 32-bit integer in network byte order from b. Similarly, lwres_buffer_putuint16() and lwres_buffer_putuint32() writes the unsigned 16-bit or 32-bit integer val to buffer b, in network byte order.

Arbitrary amounts of data are read or written from a lightweight resolver buffer with lwres_buffer_getmem() and lwres_buffer_putmem() respectively. lwres_buffer_putmem() copies length bytes of memory at base to b. Conversely, lwres_buffer_getmem() copies length bytes of memory from b to base.

Index: head/contrib/bind9/lib/lwres/man/lwres_config.html =================================================================== --- head/contrib/bind9/lib/lwres/man/lwres_config.html (revision 205291) +++ head/contrib/bind9/lib/lwres/man/lwres_config.html (revision 205292) @@ -1,156 +1,156 @@ - + lwres_config
-
+

Name

lwres_conf_init, lwres_conf_clear, lwres_conf_parse, lwres_conf_print, lwres_conf_get — lightweight resolver configuration

Synopsis

#include <lwres/lwres.h>
void lwres_conf_init( lwres_context_t *  ctx);
void lwres_conf_clear( lwres_context_t *  ctx);
lwres_result_t lwres_conf_parse( lwres_context_t *  ctx,
  const char *  filename);
lwres_result_t lwres_conf_print( lwres_context_t *  ctx,
  FILE *  fp);
lwres_conf_t * lwres_conf_get( lwres_context_t *  ctx);
-

DESCRIPTION

+

DESCRIPTION

lwres_conf_init() creates an empty lwres_conf_t structure for lightweight resolver context ctx.

lwres_conf_clear() frees up all the internal memory used by that lwres_conf_t structure in resolver context ctx.

lwres_conf_parse() opens the file filename and parses it to initialise the resolver context ctx's lwres_conf_t structure.

lwres_conf_print() prints the lwres_conf_t structure for resolver context ctx to the FILE fp.

-

RETURN VALUES

+

RETURN VALUES

lwres_conf_parse() returns LWRES_R_SUCCESS if it successfully read and parsed filename. It returns LWRES_R_FAILURE if filename could not be opened or contained incorrect resolver statements.

lwres_conf_print() returns LWRES_R_SUCCESS unless an error occurred when converting the network addresses to a numeric host address string. If this happens, the function returns LWRES_R_FAILURE.

-

SEE ALSO

+

SEE ALSO

stdio(3), resolver(5).

-

FILES

+

FILES

/etc/resolv.conf

Index: head/contrib/bind9/lib/lwres/man/lwres_context.html =================================================================== --- head/contrib/bind9/lib/lwres/man/lwres_context.html (revision 205291) +++ head/contrib/bind9/lib/lwres/man/lwres_context.html (revision 205292) @@ -1,295 +1,295 @@ - + lwres_context
-
+

Name

lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_context_initserial, lwres_context_freemem, lwres_context_allocmem, lwres_context_sendrecv — lightweight resolver context management

Synopsis

#include <lwres/lwres.h>
lwres_result_t lwres_context_create( lwres_context_t **  contextp,
  void *  arg,
  lwres_malloc_t   malloc_function,
  lwres_free_t   free_function);
lwres_result_t lwres_context_destroy( lwres_context_t **  contextp);
void lwres_context_initserial( lwres_context_t *  ctx,
  lwres_uint32_t   serial);
lwres_uint32_t lwres_context_nextserial( lwres_context_t *  ctx);
void lwres_context_freemem( lwres_context_t *  ctx,
  void *  mem,
  size_t   len);
void lwres_context_allocmem( lwres_context_t *  ctx,
  size_t   len);
void * lwres_context_sendrecv( lwres_context_t *  ctx,
  void *  sendbase,
  int   sendlen,
  void *  recvbase,
  int   recvlen,
  int *  recvd_len);
-

DESCRIPTION

+

DESCRIPTION

lwres_context_create() creates a lwres_context_t structure for use in lightweight resolver operations. It holds a socket and other data needed for communicating with a resolver daemon. The new lwres_context_t is returned through contextp, a pointer to a lwres_context_t pointer. This lwres_context_t pointer must initially be NULL, and is modified to point to the newly created lwres_context_t.

When the lightweight resolver needs to perform dynamic memory allocation, it will call malloc_function to allocate memory and free_function to free it. If malloc_function and free_function are NULL, memory is allocated using malloc(3). and free(3). It is not permitted to have a NULL malloc_function and a non-NULL free_function or vice versa. arg is passed as the first parameter to the memory allocation functions. If malloc_function and free_function are NULL, arg is unused and should be passed as NULL.

Once memory for the structure has been allocated, it is initialized using lwres_conf_init(3) and returned via *contextp.

lwres_context_destroy() destroys a lwres_context_t, closing its socket. contextp is a pointer to a pointer to the context that is to be destroyed. The pointer will be set to NULL when the context has been destroyed.

The context holds a serial number that is used to identify resolver request packets and associate responses with the corresponding requests. This serial number is controlled using lwres_context_initserial() and lwres_context_nextserial(). lwres_context_initserial() sets the serial number for context *ctx to serial. lwres_context_nextserial() increments the serial number and returns the previous value.

Memory for a lightweight resolver context is allocated and freed using lwres_context_allocmem() and lwres_context_freemem(). These use whatever allocations were defined when the context was created with lwres_context_create(). lwres_context_allocmem() allocates len bytes of memory and if successful returns a pointer to the allocated storage. lwres_context_freemem() frees len bytes of space starting at location mem.

lwres_context_sendrecv() performs I/O for the context ctx. Data are read and written from the context's socket. It writes data from sendbase — typically a lightweight resolver query packet — and waits for a reply which is copied to the receive buffer at recvbase. The number of bytes that were written to this receive buffer is returned in *recvd_len.

-

RETURN VALUES

+

RETURN VALUES

lwres_context_create() returns LWRES_R_NOMEMORY if memory for the struct lwres_context could not be allocated, LWRES_R_SUCCESS otherwise.

Successful calls to the memory allocator lwres_context_allocmem() return a pointer to the start of the allocated space. It returns NULL if memory could not be allocated.

LWRES_R_SUCCESS is returned when lwres_context_sendrecv() completes successfully. LWRES_R_IOERROR is returned if an I/O error occurs and LWRES_R_TIMEOUT is returned if lwres_context_sendrecv() times out waiting for a response.

-

SEE ALSO

+

SEE ALSO

lwres_conf_init(3), malloc(3), free(3).

Index: head/contrib/bind9/lib/lwres/man/lwres_gabn.html =================================================================== --- head/contrib/bind9/lib/lwres/man/lwres_gabn.html (revision 205291) +++ head/contrib/bind9/lib/lwres/man/lwres_gabn.html (revision 205292) @@ -1,324 +1,324 @@ - + lwres_gabn
-
+

Name

lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lwres_gabnresponse_parse, lwres_gabnresponse_free, lwres_gabnrequest_free — lightweight resolver getaddrbyname message handling

Synopsis

#include <lwres/lwres.h>
lwres_result_t lwres_gabnrequest_render( lwres_context_t *  ctx,
  lwres_gabnrequest_t *  req,
  lwres_lwpacket_t *  pkt,
  lwres_buffer_t *  b);
lwres_result_t lwres_gabnresponse_render( lwres_context_t *  ctx,
  lwres_gabnresponse_t *  req,
  lwres_lwpacket_t *  pkt,
  lwres_buffer_t *  b);
lwres_result_t lwres_gabnrequest_parse( lwres_context_t *  ctx,
  lwres_buffer_t *  b,
  lwres_lwpacket_t *  pkt,
  lwres_gabnrequest_t **  structp);
lwres_result_t lwres_gabnresponse_parse( lwres_context_t *  ctx,
  lwres_buffer_t *  b,
  lwres_lwpacket_t *  pkt,
  lwres_gabnresponse_t **  structp);
void lwres_gabnresponse_free( lwres_context_t *  ctx,
  lwres_gabnresponse_t **  structp);
void lwres_gabnrequest_free( lwres_context_t *  ctx,
  lwres_gabnrequest_t **  structp);
-

DESCRIPTION

+

DESCRIPTION

These are low-level routines for creating and parsing lightweight resolver name-to-address lookup request and response messages.

There are four main functions for the getaddrbyname opcode. One render function converts a getaddrbyname request structure — lwres_gabnrequest_t — to the lighweight resolver's canonical format. It is complemented by a parse function that converts a packet in this canonical format to a getaddrbyname request structure. Another render function converts the getaddrbyname response structure — lwres_gabnresponse_t — to the canonical format. This is complemented by a parse function which converts a packet in canonical format to a getaddrbyname response structure.

These structures are defined in <lwres/lwres.h>. They are shown below. 

 #define LWRES_OPCODE_GETADDRSBYNAME     0x00010001U
 

 typedef struct lwres_addr lwres_addr_t;
 typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t;
 

 typedef struct {
         lwres_uint32_t  flags;
         lwres_uint32_t  addrtypes;
         lwres_uint16_t  namelen;
         char           *name;
 } lwres_gabnrequest_t;
 

 typedef struct {
         lwres_uint32_t          flags;
         lwres_uint16_t          naliases;
         lwres_uint16_t          naddrs;
         char                   *realname;
         char                  **aliases;
         lwres_uint16_t          realnamelen;
         lwres_uint16_t         *aliaslen;
         lwres_addrlist_t        addrs;
         void                   *base;
         size_t                  baselen;
 } lwres_gabnresponse_t;

lwres_gabnrequest_render() uses resolver context ctx to convert getaddrbyname request structure req to canonical format. The packet header structure pkt is initialised and transferred to buffer b. The contents of *req are then appended to the buffer in canonical format. lwres_gabnresponse_render() performs the same task, except it converts a getaddrbyname response structure lwres_gabnresponse_t to the lightweight resolver's canonical format.

lwres_gabnrequest_parse() uses context ctx to convert the contents of packet pkt to a lwres_gabnrequest_t structure. Buffer b provides space to be used for storing this structure. When the function succeeds, the resulting lwres_gabnrequest_t is made available through *structp. lwres_gabnresponse_parse() offers the same semantics as lwres_gabnrequest_parse() except it yields a lwres_gabnresponse_t structure.

lwres_gabnresponse_free() and lwres_gabnrequest_free() release the memory in resolver context ctx that was allocated to the lwres_gabnresponse_t or lwres_gabnrequest_t structures referenced via structp. Any memory associated with ancillary buffers and strings for those structures is also discarded.

-

RETURN VALUES

+

RETURN VALUES

The getaddrbyname opcode functions lwres_gabnrequest_render(), lwres_gabnresponse_render() lwres_gabnrequest_parse() and lwres_gabnresponse_parse() all return LWRES_R_SUCCESS on success. They return LWRES_R_NOMEMORY if memory allocation fails. LWRES_R_UNEXPECTEDEND is returned if the available space in the buffer b is too small to accommodate the packet header or the lwres_gabnrequest_t and lwres_gabnresponse_t structures. lwres_gabnrequest_parse() and lwres_gabnresponse_parse() will return LWRES_R_UNEXPECTEDEND if the buffer is not empty after decoding the received packet. These functions will return LWRES_R_FAILURE if pktflags in the packet header structure lwres_lwpacket_t indicate that the packet is not a response to an earlier query.

-

SEE ALSO

+

SEE ALSO

lwres_packet(3)

Index: head/contrib/bind9/lib/lwres/man/lwres_gai_strerror.html =================================================================== --- head/contrib/bind9/lib/lwres/man/lwres_gai_strerror.html (revision 205291) +++ head/contrib/bind9/lib/lwres/man/lwres_gai_strerror.html (revision 205292) @@ -1,124 +1,124 @@ - + lwres_gai_strerror
-
+

Name

lwres_gai_strerror — print suitable error string

Synopsis

#include <lwres/netdb.h>
char * gai_strerror( int   ecode);
-

DESCRIPTION

+

DESCRIPTION

lwres_gai_strerror() returns an error message corresponding to an error code returned by getaddrinfo(). The following error codes and their meaning are defined in include/lwres/netdb.h.

EAI_ADDRFAMILY

address family for hostname not supported

EAI_AGAIN

temporary failure in name resolution

EAI_BADFLAGS

invalid value for ai_flags

EAI_FAIL

non-recoverable failure in name resolution

EAI_FAMILY

ai_family not supported

EAI_MEMORY

memory allocation failure

EAI_NODATA

no address associated with hostname

EAI_NONAME

hostname or servname not provided, or not known

EAI_SERVICE

servname not supported for ai_socktype

EAI_SOCKTYPE

ai_socktype not supported

EAI_SYSTEM

system error returned in errno

The message invalid error code is returned if ecode is out of range.

ai_flags, ai_family and ai_socktype are elements of the struct addrinfo used by lwres_getaddrinfo().

-

SEE ALSO

+

SEE ALSO

strerror(3), lwres_getaddrinfo(3), getaddrinfo(3), RFC2133.

Index: head/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.html =================================================================== --- head/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.html (revision 205291) +++ head/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.html (revision 205292) @@ -1,322 +1,322 @@ - + lwres_getaddrinfo
-
+

Name

lwres_getaddrinfo, lwres_freeaddrinfo — socket address structure to host and service name

Synopsis

#include <lwres/netdb.h>
int lwres_getaddrinfo( const char *  hostname,
  const char *  servname,
  const struct addrinfo *  hints,
  struct addrinfo **  res);
void lwres_freeaddrinfo( struct addrinfo *  ai);

If the operating system does not provide a struct addrinfo, the following structure is used: 

 struct  addrinfo {
         int             ai_flags;       /* AI_PASSIVE, AI_CANONNAME */
         int             ai_family;      /* PF_xxx */
         int             ai_socktype;    /* SOCK_xxx */
         int             ai_protocol;    /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
         size_t          ai_addrlen;     /* length of ai_addr */
         char            *ai_canonname;  /* canonical name for hostname */
         struct sockaddr *ai_addr;       /* binary address */
         struct addrinfo *ai_next;       /* next structure in linked list */
 };

-

DESCRIPTION

+

DESCRIPTION

lwres_getaddrinfo() is used to get a list of IP addresses and port numbers for host hostname and service servname. The function is the lightweight resolver's implementation of getaddrinfo() as defined in RFC2133. hostname and servname are pointers to null-terminated strings or NULL. hostname is either a host name or a numeric host address string: a dotted decimal IPv4 address or an IPv6 address. servname is either a decimal port number or a service name as listed in /etc/services.

hints is an optional pointer to a struct addrinfo. This structure can be used to provide hints concerning the type of socket that the caller supports or wishes to use. The caller can supply the following structure elements in *hints:

ai_family

The protocol family that should be used. When ai_family is set to PF_UNSPEC, it means the caller will accept any protocol family supported by the operating system.

ai_socktype

denotes the type of socket — SOCK_STREAM, SOCK_DGRAM or SOCK_RAW — that is wanted. When ai_socktype is zero the caller will accept any socket type.

ai_protocol

indicates which transport protocol is wanted: IPPROTO_UDP or IPPROTO_TCP. If ai_protocol is zero the caller will accept any protocol.

ai_flags

Flag bits. If the AI_CANONNAME bit is set, a successful call to lwres_getaddrinfo() will return a null-terminated string containing the canonical name of the specified hostname in ai_canonname of the first addrinfo structure returned. Setting the AI_PASSIVE bit indicates that the returned socket address structure is intended for used in a call to bind(2). In this case, if the hostname argument is a NULL pointer, then the IP address portion of the socket address structure will be set to INADDR_ANY for an IPv4 address or IN6ADDR_ANY_INIT for an IPv6 address.

When ai_flags does not set the AI_PASSIVE bit, the returned socket address structure will be ready for use in a call to connect(2) for a connection-oriented protocol or connect(2), sendto(2), or sendmsg(2) if a connectionless protocol was chosen. The IP address portion of the socket address structure will be set to the loopback address if hostname is a NULL pointer and AI_PASSIVE is not set in ai_flags.

If ai_flags is set to AI_NUMERICHOST it indicates that hostname should be treated as a numeric string defining an IPv4 or IPv6 address and no name resolution should be attempted.

All other elements of the struct addrinfo passed via hints must be zero.

A hints of NULL is treated as if the caller provided a struct addrinfo initialized to zero with ai_familyset to PF_UNSPEC.

After a successful call to lwres_getaddrinfo(), *res is a pointer to a linked list of one or more addrinfo structures. Each struct addrinfo in this list cn be processed by following the ai_next pointer, until a NULL pointer is encountered. The three members ai_family, ai_socktype, and ai_protocol in each returned addrinfo structure contain the corresponding arguments for a call to socket(2). For each addrinfo structure in the list, the ai_addr member points to a filled-in socket address structure of length ai_addrlen.

All of the information returned by lwres_getaddrinfo() is dynamically allocated: the addrinfo structures, and the socket address structures and canonical host name strings pointed to by the addrinfostructures. Memory allocated for the dynamically allocated structures created by a successful call to lwres_getaddrinfo() is released by lwres_freeaddrinfo(). ai is a pointer to a struct addrinfo created by a call to lwres_getaddrinfo().

-

RETURN VALUES

+

RETURN VALUES

lwres_getaddrinfo() returns zero on success or one of the error codes listed in gai_strerror(3) if an error occurs. If both hostname and servname are NULL lwres_getaddrinfo() returns EAI_NONAME.

-

SEE ALSO

+

SEE ALSO

lwres(3), lwres_getaddrinfo(3), lwres_freeaddrinfo(3), lwres_gai_strerror(3), RFC2133, getservbyname(3), bind(2), connect(2), sendto(2), sendmsg(2), socket(2).

Index: head/contrib/bind9/lib/lwres/man/lwres_gethostent.html =================================================================== --- head/contrib/bind9/lib/lwres/man/lwres_gethostent.html (revision 205291) +++ head/contrib/bind9/lib/lwres/man/lwres_gethostent.html (revision 205292) @@ -1,466 +1,466 @@ - + lwres_gethostent
-
+

Name

lwres_gethostbyname, lwres_gethostbyname2, lwres_gethostbyaddr, lwres_gethostent, lwres_sethostent, lwres_endhostent, lwres_gethostbyname_r, lwres_gethostbyaddr_r, lwres_gethostent_r, lwres_sethostent_r, lwres_endhostent_r — lightweight resolver get network host entry

Synopsis

#include <lwres/netdb.h>
struct hostent * lwres_gethostbyname( const char *  name);
struct hostent * lwres_gethostbyname2( const char *  name,
  int   af);
struct hostent * lwres_gethostbyaddr( const char *  addr,
  int   len,
  int   type);
struct hostent * lwres_gethostent(   );
void lwres_sethostent( int   stayopen);
void lwres_endhostent(   );
struct hostent * lwres_gethostbyname_r( const char *  name,
  struct hostent *  resbuf,
  char *  buf,
  int   buflen,
  int *  error);
struct hostent * lwres_gethostbyaddr_r( const char *  addr,
  int   len,
  int   type,
  struct hostent *  resbuf,
  char *  buf,
  int   buflen,
  int *  error);
struct hostent * lwres_gethostent_r( struct hostent *  resbuf,
  char *  buf,
  int   buflen,
  int *  error);
void lwres_sethostent_r( int   stayopen);
void lwres_endhostent_r(   );
-

DESCRIPTION

+

DESCRIPTION

These functions provide hostname-to-address and address-to-hostname lookups by means of the lightweight resolver. They are similar to the standard gethostent(3) functions provided by most operating systems. They use a struct hostent which is usually defined in <namedb.h>. 

 struct  hostent {
         char    *h_name;        /* official name of host */
         char    **h_aliases;    /* alias list */
         int     h_addrtype;     /* host address type */
         int     h_length;       /* length of address */
         char    **h_addr_list;  /* list of addresses from name server */
 };
 #define h_addr  h_addr_list[0]  /* address, for backward compatibility */

The members of this structure are:

h_name

The official (canonical) name of the host.

h_aliases

A NULL-terminated array of alternate names (nicknames) for the host.

h_addrtype

The type of address being returned — PF_INET or PF_INET6.

h_length

The length of the address in bytes.

h_addr_list

A NULL terminated array of network addresses for the host. Host addresses are returned in network byte order.

For backward compatibility with very old software, h_addr is the first address in h_addr_list.

lwres_gethostent(), lwres_sethostent(), lwres_endhostent(), lwres_gethostent_r(), lwres_sethostent_r() and lwres_endhostent_r() provide iteration over the known host entries on systems that provide such functionality through facilities like /etc/hosts or NIS. The lightweight resolver does not currently implement these functions; it only provides them as stub functions that always return failure.

lwres_gethostbyname() and lwres_gethostbyname2() look up the hostname name. lwres_gethostbyname() always looks for an IPv4 address while lwres_gethostbyname2() looks for an address of protocol family af: either PF_INET or PF_INET6 — IPv4 or IPV6 addresses respectively. Successful calls of the functions return a struct hostentfor the name that was looked up. NULL is returned if the lookups by lwres_gethostbyname() or lwres_gethostbyname2() fail.

Reverse lookups of addresses are performed by lwres_gethostbyaddr(). addr is an address of length len bytes and protocol family typePF_INET or PF_INET6. lwres_gethostbyname_r() is a thread-safe function for forward lookups. If an error occurs, an error code is returned in *error. resbuf is a pointer to a struct hostent which is initialised by a successful call to lwres_gethostbyname_r(). buf is a buffer of length len bytes which is used to store the h_name, h_aliases, and h_addr_list elements of the struct hostent returned in resbuf. Successful calls to lwres_gethostbyname_r() return resbuf, which is a pointer to the struct hostent it created.

lwres_gethostbyaddr_r() is a thread-safe function that performs a reverse lookup of address addr which is len bytes long and is of protocol family typePF_INET or PF_INET6. If an error occurs, the error code is returned in *error. The other function parameters are identical to those in lwres_gethostbyname_r(). resbuf is a pointer to a struct hostent which is initialised by a successful call to lwres_gethostbyaddr_r(). buf is a buffer of length len bytes which is used to store the h_name, h_aliases, and h_addr_list elements of the struct hostent returned in resbuf. Successful calls to lwres_gethostbyaddr_r() return resbuf, which is a pointer to the struct hostent() it created.

-

RETURN VALUES

+

RETURN VALUES

The functions lwres_gethostbyname(), lwres_gethostbyname2(), lwres_gethostbyaddr(), and lwres_gethostent() return NULL to indicate an error. In this case the global variable lwres_h_errno will contain one of the following error codes defined in <lwres/netdb.h>:

HOST_NOT_FOUND

The host or address was not found.

TRY_AGAIN

A recoverable error occurred, e.g., a timeout. Retrying the lookup may succeed.

NO_RECOVERY

A non-recoverable error occurred.

NO_DATA

The name exists, but has no address information associated with it (or vice versa in the case of a reverse lookup). The code NO_ADDRESS is accepted as a synonym for NO_DATA for backwards compatibility.

lwres_hstrerror(3) translates these error codes to suitable error messages.

lwres_gethostent() and lwres_gethostent_r() always return NULL.

Successful calls to lwres_gethostbyname_r() and lwres_gethostbyaddr_r() return resbuf, a pointer to the struct hostent that was initialised by these functions. They return NULL if the lookups fail or if buf was too small to hold the list of addresses and names referenced by the h_name, h_aliases, and h_addr_list elements of the struct hostent. If buf was too small, both lwres_gethostbyname_r() and lwres_gethostbyaddr_r() set the global variable errno to ERANGE.

-

SEE ALSO

+

SEE ALSO

gethostent(3), lwres_getipnode(3), lwres_hstrerror(3)

-

BUGS

+

BUGS

lwres_gethostbyname(), lwres_gethostbyname2(), lwres_gethostbyaddr() and lwres_endhostent() are not thread safe; they return pointers to static data and provide error codes through a global variable. Thread-safe versions for name and address lookup are provided by lwres_gethostbyname_r(), and lwres_gethostbyaddr_r() respectively.

The resolver daemon does not currently support any non-DNS name services such as /etc/hosts or NIS, consequently the above functions don't, either.

Index: head/contrib/bind9/lib/lwres/man/lwres_getipnode.html =================================================================== --- head/contrib/bind9/lib/lwres/man/lwres_getipnode.html (revision 205291) +++ head/contrib/bind9/lib/lwres/man/lwres_getipnode.html (revision 205292) @@ -1,279 +1,279 @@ - + lwres_getipnode
-
+

Name

lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent — lightweight resolver nodename / address translation API

Synopsis

#include <lwres/netdb.h>
struct hostent * lwres_getipnodebyname( const char *  name,
  int   af,
  int   flags,
  int *  error_num);
struct hostent * lwres_getipnodebyaddr( const void *  src,
  size_t   len,
  int   af,
  int *  error_num);
void lwres_freehostent( struct hostent *  he);
-

DESCRIPTION

+

DESCRIPTION

These functions perform thread safe, protocol independent nodename-to-address and address-to-nodename translation as defined in RFC2553.

They use a struct hostent which is defined in namedb.h: 

 struct  hostent {
         char    *h_name;        /* official name of host */
         char    **h_aliases;    /* alias list */
         int     h_addrtype;     /* host address type */
         int     h_length;       /* length of address */
         char    **h_addr_list;  /* list of addresses from name server */
 };
 #define h_addr  h_addr_list[0]  /* address, for backward compatibility */

The members of this structure are:

h_name

The official (canonical) name of the host.

h_aliases

A NULL-terminated array of alternate names (nicknames) for the host.

h_addrtype

The type of address being returned - usually PF_INET or PF_INET6.

h_length

The length of the address in bytes.

h_addr_list

A NULL terminated array of network addresses for the host. Host addresses are returned in network byte order.

lwres_getipnodebyname() looks up addresses of protocol family af for the hostname name. The flags parameter contains ORed flag bits to specify the types of addresses that are searched for, and the types of addresses that are returned. The flag bits are:

AI_V4MAPPED

This is used with an af of AF_INET6, and causes IPv4 addresses to be returned as IPv4-mapped IPv6 addresses.

AI_ALL

This is used with an af of AF_INET6, and causes all known addresses (IPv6 and IPv4) to be returned. If AI_V4MAPPED is also set, the IPv4 addresses are return as mapped IPv6 addresses.

AI_ADDRCONFIG

Only return an IPv6 or IPv4 address if here is an active network interface of that type. This is not currently implemented in the BIND 9 lightweight resolver, and the flag is ignored.

AI_DEFAULT

This default sets the AI_V4MAPPED and AI_ADDRCONFIG flag bits.

lwres_getipnodebyaddr() performs a reverse lookup of address src which is len bytes long. af denotes the protocol family, typically PF_INET or PF_INET6.

lwres_freehostent() releases all the memory associated with the struct hostent pointer he. Any memory allocated for the h_name, h_addr_list and h_aliases is freed, as is the memory for the hostent structure itself.

-

RETURN VALUES

+

RETURN VALUES

If an error occurs, lwres_getipnodebyname() and lwres_getipnodebyaddr() set *error_num to an appropriate error code and the function returns a NULL pointer. The error codes and their meanings are defined in <lwres/netdb.h>:

HOST_NOT_FOUND

No such host is known.

NO_ADDRESS

The server recognised the request and the name but no address is available. Another type of request to the name server for the domain might return an answer.

TRY_AGAIN

A temporary and possibly transient error occurred, such as a failure of a server to respond. The request may succeed if retried.

NO_RECOVERY

An unexpected failure occurred, and retrying the request is pointless.

lwres_hstrerror(3) translates these error codes to suitable error messages.

-

SEE ALSO

+

SEE ALSO

RFC2553, lwres(3), lwres_gethostent(3), lwres_getaddrinfo(3), lwres_getnameinfo(3), lwres_hstrerror(3).

Index: head/contrib/bind9/lib/lwres/man/lwres_getnameinfo.html =================================================================== --- head/contrib/bind9/lib/lwres/man/lwres_getnameinfo.html (revision 205291) +++ head/contrib/bind9/lib/lwres/man/lwres_getnameinfo.html (revision 205292) @@ -1,176 +1,176 @@ - + lwres_getnameinfo
-
+

Name

lwres_getnameinfo — lightweight resolver socket address structure to hostname and service name

Synopsis

#include <lwres/netdb.h>
int lwres_getnameinfo( const struct sockaddr *  sa,
  size_t   salen,
  char *  host,
  size_t   hostlen,
  char *  serv,
  size_t   servlen,
  int   flags);
-

DESCRIPTION

+

DESCRIPTION

This function is equivalent to the getnameinfo(3) function defined in RFC2133. lwres_getnameinfo() returns the hostname for the struct sockaddr sa which is salen bytes long. The hostname is of length hostlen and is returned via *host. The maximum length of the hostname is 1025 bytes: NI_MAXHOST.

The name of the service associated with the port number in sa is returned in *serv. It is servlen bytes long. The maximum length of the service name is NI_MAXSERV - 32 bytes.

The flags argument sets the following bits:

NI_NOFQDN

A fully qualified domain name is not required for local hosts. The local part of the fully qualified domain name is returned instead.

NI_NUMERICHOST

Return the address in numeric form, as if calling inet_ntop(), instead of a host name.

NI_NAMEREQD

A name is required. If the hostname cannot be found in the DNS and this flag is set, a non-zero error code is returned. If the hostname is not found and the flag is not set, the address is returned in numeric form.

NI_NUMERICSERV

The service name is returned as a digit string representing the port number.

NI_DGRAM

Specifies that the service being looked up is a datagram service, and causes getservbyport() to be called with a second argument of "udp" instead of its default of "tcp". This is required for the few ports (512-514) that have different services for UDP and TCP.

-

RETURN VALUES

+

RETURN VALUES

lwres_getnameinfo() returns 0 on success or a non-zero error code if an error occurs.

-

SEE ALSO

+

SEE ALSO

RFC2133, getservbyport(3), lwres(3), lwres_getnameinfo(3), lwres_getnamebyaddr(3). lwres_net_ntop(3).

-

BUGS

+

BUGS

RFC2133 fails to define what the nonzero return values of getnameinfo(3) are.

Index: head/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.html =================================================================== --- head/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.html (revision 205291) +++ head/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.html (revision 205292) @@ -1,192 +1,192 @@ - + lwres_getrrsetbyname
-
+

Name

lwres_getrrsetbyname, lwres_freerrset — retrieve DNS records

Synopsis

#include <lwres/netdb.h>
int lwres_getrrsetbyname( const char *  hostname,
  unsigned int   rdclass,
  unsigned int   rdtype,
  unsigned int   flags,
  struct rrsetinfo **  res);
void lwres_freerrset( struct rrsetinfo *  rrset);

The following structures are used: 

 struct  rdatainfo {
         unsigned int            rdi_length;     /* length of data */
         unsigned char           *rdi_data;      /* record data */
 };
 

 struct  rrsetinfo {
         unsigned int            rri_flags;      /* RRSET_VALIDATED... */
         unsigned int            rri_rdclass;    /* class number */
         unsigned int            rri_rdtype;     /* RR type number */
         unsigned int            rri_ttl;        /* time to live */
         unsigned int            rri_nrdatas;    /* size of rdatas array */
         unsigned int            rri_nsigs;      /* size of sigs array */
         char                    *rri_name;      /* canonical name */
         struct rdatainfo        *rri_rdatas;    /* individual records */
         struct rdatainfo        *rri_sigs;      /* individual signatures */
 };

-

DESCRIPTION

+

DESCRIPTION

lwres_getrrsetbyname() gets a set of resource records associated with a hostname, class, and type. hostname is a pointer a to null-terminated string. The flags field is currently unused and must be zero.

After a successful call to lwres_getrrsetbyname(), *res is a pointer to an rrsetinfo structure, containing a list of one or more rdatainfo structures containing resource records and potentially another list of rdatainfo structures containing SIG resource records associated with those records. The members rri_rdclass and rri_rdtype are copied from the parameters. rri_ttl and rri_name are properties of the obtained rrset. The resource records contained in rri_rdatas and rri_sigs are in uncompressed DNS wire format. Properties of the rdataset are represented in the rri_flags bitfield. If the RRSET_VALIDATED bit is set, the data has been DNSSEC validated and the signatures verified.

All of the information returned by lwres_getrrsetbyname() is dynamically allocated: the rrsetinfo and rdatainfo structures, and the canonical host name strings pointed to by the rrsetinfostructure. Memory allocated for the dynamically allocated structures created by a successful call to lwres_getrrsetbyname() is released by lwres_freerrset(). rrset is a pointer to a struct rrset created by a call to lwres_getrrsetbyname().

-

RETURN VALUES

+

RETURN VALUES

lwres_getrrsetbyname() returns zero on success, and one of the following error codes if an error occurred:

ERRSET_NONAME

the name does not exist

ERRSET_NODATA

the name exists, but does not have data of the desired type

ERRSET_NOMEMORY

memory could not be allocated

ERRSET_INVAL

a parameter is invalid

ERRSET_FAIL

other failure

-

SEE ALSO

+

SEE ALSO

lwres(3).

Index: head/contrib/bind9/lib/lwres/man/lwres_gnba.html =================================================================== --- head/contrib/bind9/lib/lwres/man/lwres_gnba.html (revision 205291) +++ head/contrib/bind9/lib/lwres/man/lwres_gnba.html (revision 205292) @@ -1,316 +1,316 @@ - + lwres_gnba
-
+

Name

lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lwres_gnbaresponse_parse, lwres_gnbaresponse_free, lwres_gnbarequest_free — lightweight resolver getnamebyaddress message handling

Synopsis

 #include <lwres/lwres.h>
lwres_result_t lwres_gnbarequest_render ( lwres_context_t *  ctx,
  lwres_gnbarequest_t *  req,
  lwres_lwpacket_t *  pkt,
  lwres_buffer_t *  b);
lwres_result_t lwres_gnbaresponse_render ( lwres_context_t *  ctx,
  lwres_gnbaresponse_t *  req,
  lwres_lwpacket_t *  pkt,
  lwres_buffer_t *  b);
lwres_result_t lwres_gnbarequest_parse( lwres_context_t *  ctx,
  lwres_buffer_t *  b,
  lwres_lwpacket_t *  pkt,
  lwres_gnbarequest_t **  structp);
lwres_result_t lwres_gnbaresponse_parse( lwres_context_t *  ctx,
  lwres_buffer_t *  b,
  lwres_lwpacket_t *  pkt,
  lwres_gnbaresponse_t **  structp);
void lwres_gnbaresponse_free ( lwres_context_t *  ctx,
  lwres_gnbaresponse_t **  structp);
void lwres_gnbarequest_free( lwres_context_t *  ctx,
  lwres_gnbarequest_t **  structp);
-

DESCRIPTION

+

DESCRIPTION

These are low-level routines for creating and parsing lightweight resolver address-to-name lookup request and response messages.

There are four main functions for the getnamebyaddr opcode. One render function converts a getnamebyaddr request structure — lwres_gnbarequest_t — to the lightweight resolver's canonical format. It is complemented by a parse function that converts a packet in this canonical format to a getnamebyaddr request structure. Another render function converts the getnamebyaddr response structure — lwres_gnbaresponse_t to the canonical format. This is complemented by a parse function which converts a packet in canonical format to a getnamebyaddr response structure.

These structures are defined in lwres/lwres.h. They are shown below. 

 #define LWRES_OPCODE_GETNAMEBYADDR      0x00010002U
 

 typedef struct {
         lwres_uint32_t  flags;
         lwres_addr_t    addr;
 } lwres_gnbarequest_t;
 

 typedef struct {
         lwres_uint32_t  flags;
         lwres_uint16_t  naliases;
         char           *realname;
         char          **aliases;
         lwres_uint16_t  realnamelen;
         lwres_uint16_t *aliaslen;
         void           *base;
         size_t          baselen;
 } lwres_gnbaresponse_t;

lwres_gnbarequest_render() uses resolver context ctx to convert getnamebyaddr request structure req to canonical format. The packet header structure pkt is initialised and transferred to buffer b. The contents of *req are then appended to the buffer in canonical format. lwres_gnbaresponse_render() performs the same task, except it converts a getnamebyaddr response structure lwres_gnbaresponse_t to the lightweight resolver's canonical format.

lwres_gnbarequest_parse() uses context ctx to convert the contents of packet pkt to a lwres_gnbarequest_t structure. Buffer b provides space to be used for storing this structure. When the function succeeds, the resulting lwres_gnbarequest_t is made available through *structp. lwres_gnbaresponse_parse() offers the same semantics as lwres_gnbarequest_parse() except it yields a lwres_gnbaresponse_t structure.

lwres_gnbaresponse_free() and lwres_gnbarequest_free() release the memory in resolver context ctx that was allocated to the lwres_gnbaresponse_t or lwres_gnbarequest_t structures referenced via structp. Any memory associated with ancillary buffers and strings for those structures is also discarded.

-

RETURN VALUES

+

RETURN VALUES

The getnamebyaddr opcode functions lwres_gnbarequest_render(), lwres_gnbaresponse_render() lwres_gnbarequest_parse() and lwres_gnbaresponse_parse() all return LWRES_R_SUCCESS on success. They return LWRES_R_NOMEMORY if memory allocation fails. LWRES_R_UNEXPECTEDEND is returned if the available space in the buffer b is too small to accommodate the packet header or the lwres_gnbarequest_t and lwres_gnbaresponse_t structures. lwres_gnbarequest_parse() and lwres_gnbaresponse_parse() will return LWRES_R_UNEXPECTEDEND if the buffer is not empty after decoding the received packet. These functions will return LWRES_R_FAILURE if pktflags in the packet header structure lwres_lwpacket_t indicate that the packet is not a response to an earlier query.

-

SEE ALSO

+

SEE ALSO

lwres_packet(3).

Index: head/contrib/bind9/lib/lwres/man/lwres_hstrerror.html =================================================================== --- head/contrib/bind9/lib/lwres/man/lwres_hstrerror.html (revision 205291) +++ head/contrib/bind9/lib/lwres/man/lwres_hstrerror.html (revision 205292) @@ -1,104 +1,104 @@ - + lwres_hstrerror
-
+

Name

lwres_herror, lwres_hstrerror — lightweight resolver error message generation

Synopsis

#include <lwres/netdb.h>
void lwres_herror( const char *  s);
const char * lwres_hstrerror( int   err);
-

DESCRIPTION

+

DESCRIPTION

lwres_herror() prints the string s on stderr followed by the string generated by lwres_hstrerror() for the error code stored in the global variable lwres_h_errno.

lwres_hstrerror() returns an appropriate string for the error code gievn by err. The values of the error codes and messages are as follows:

NETDB_SUCCESS

Resolver Error 0 (no error)

HOST_NOT_FOUND

Unknown host

TRY_AGAIN

Host name lookup failure

NO_RECOVERY

Unknown server error

NO_DATA

No address associated with name

-

RETURN VALUES

+

RETURN VALUES

The string Unknown resolver error is returned by lwres_hstrerror() when the value of lwres_h_errno is not a valid error code.

-

SEE ALSO

+

SEE ALSO

herror(3), lwres_hstrerror(3).

Index: head/contrib/bind9/lib/lwres/man/lwres_inetntop.html =================================================================== --- head/contrib/bind9/lib/lwres/man/lwres_inetntop.html (revision 205291) +++ head/contrib/bind9/lib/lwres/man/lwres_inetntop.html (revision 205292) @@ -1,103 +1,103 @@ - + lwres_inetntop
-
+

Name

lwres_net_ntop — lightweight resolver IP address presentation

Synopsis

#include <lwres/net.h>
const char * lwres_net_ntop( int   af,
  const void *  src,
  char *  dst,
  size_t   size);
-

DESCRIPTION

+

DESCRIPTION

lwres_net_ntop() converts an IP address of protocol family af — IPv4 or IPv6 — at location src from network format to its conventional representation as a string. For IPv4 addresses, that string would be a dotted-decimal. An IPv6 address would be represented in colon notation as described in RFC1884.

The generated string is copied to dst provided size indicates it is long enough to store the ASCII representation of the address.

-

RETURN VALUES

+

RETURN VALUES

If successful, the function returns dst: a pointer to a string containing the presentation format of the address. lwres_net_ntop() returns NULL and sets the global variable errno to EAFNOSUPPORT if the protocol family given in af is not supported.

-

SEE ALSO

+

SEE ALSO

RFC1884, inet_ntop(3), errno(3).

Index: head/contrib/bind9/lib/lwres/man/lwres_noop.html =================================================================== --- head/contrib/bind9/lib/lwres/man/lwres_noop.html (revision 205291) +++ head/contrib/bind9/lib/lwres/man/lwres_noop.html (revision 205292) @@ -1,317 +1,317 @@ - + lwres_noop
-
+

Name

lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lwres_noopresponse_parse, lwres_noopresponse_free, lwres_nooprequest_free — lightweight resolver no-op message handling

Synopsis

 #include <lwres/lwres.h>
lwres_result_t lwres_nooprequest_render( lwres_context_t *  ctx,
  lwres_nooprequest_t *  req,
  lwres_lwpacket_t *  pkt,
  lwres_buffer_t *  b);
lwres_result_t lwres_noopresponse_render( lwres_context_t *  ctx,
  lwres_noopresponse_t *  req,
  lwres_lwpacket_t *  pkt,
  lwres_buffer_t *  b);
lwres_result_t lwres_nooprequest_parse( lwres_context_t *  ctx,
  lwres_buffer_t *  b,
  lwres_lwpacket_t *  pkt,
  lwres_nooprequest_t **  structp);
lwres_result_t lwres_noopresponse_parse( lwres_context_t *  ctx,
  lwres_buffer_t *  b,
  lwres_lwpacket_t *  pkt,
  lwres_noopresponse_t **  structp);
void lwres_noopresponse_free( lwres_context_t *  ctx,
  lwres_noopresponse_t **  structp);
void lwres_nooprequest_free( lwres_context_t *  ctx,
  lwres_nooprequest_t **  structp);
-

DESCRIPTION

+

DESCRIPTION

These are low-level routines for creating and parsing lightweight resolver no-op request and response messages.

The no-op message is analogous to a ping packet: a packet is sent to the resolver daemon and is simply echoed back. The opcode is intended to allow a client to determine if the server is operational or not.

There are four main functions for the no-op opcode. One render function converts a no-op request structure — lwres_nooprequest_t — to the lighweight resolver's canonical format. It is complemented by a parse function that converts a packet in this canonical format to a no-op request structure. Another render function converts the no-op response structure — lwres_noopresponse_t to the canonical format. This is complemented by a parse function which converts a packet in canonical format to a no-op response structure.

These structures are defined in lwres/lwres.h. They are shown below. 

 #define LWRES_OPCODE_NOOP       0x00000000U
 

 typedef struct {
         lwres_uint16_t  datalength;
         unsigned char   *data;
 } lwres_nooprequest_t;
 

 typedef struct {
         lwres_uint16_t  datalength;
         unsigned char   *data;
 } lwres_noopresponse_t;

Although the structures have different types, they are identical. This is because the no-op opcode simply echos whatever data was sent: the response is therefore identical to the request.

lwres_nooprequest_render() uses resolver context ctx to convert no-op request structure req to canonical format. The packet header structure pkt is initialised and transferred to buffer b. The contents of *req are then appended to the buffer in canonical format. lwres_noopresponse_render() performs the same task, except it converts a no-op response structure lwres_noopresponse_t to the lightweight resolver's canonical format.

lwres_nooprequest_parse() uses context ctx to convert the contents of packet pkt to a lwres_nooprequest_t structure. Buffer b provides space to be used for storing this structure. When the function succeeds, the resulting lwres_nooprequest_t is made available through *structp. lwres_noopresponse_parse() offers the same semantics as lwres_nooprequest_parse() except it yields a lwres_noopresponse_t structure.

lwres_noopresponse_free() and lwres_nooprequest_free() release the memory in resolver context ctx that was allocated to the lwres_noopresponse_t or lwres_nooprequest_t structures referenced via structp.

-

RETURN VALUES

+

RETURN VALUES

The no-op opcode functions lwres_nooprequest_render(), lwres_noopresponse_render() lwres_nooprequest_parse() and lwres_noopresponse_parse() all return LWRES_R_SUCCESS on success. They return LWRES_R_NOMEMORY if memory allocation fails. LWRES_R_UNEXPECTEDEND is returned if the available space in the buffer b is too small to accommodate the packet header or the lwres_nooprequest_t and lwres_noopresponse_t structures. lwres_nooprequest_parse() and lwres_noopresponse_parse() will return LWRES_R_UNEXPECTEDEND if the buffer is not empty after decoding the received packet. These functions will return LWRES_R_FAILURE if pktflags in the packet header structure lwres_lwpacket_t indicate that the packet is not a response to an earlier query.

-

SEE ALSO

+

SEE ALSO

lwres_packet(3)

Index: head/contrib/bind9/lib/lwres/man/lwres_packet.html =================================================================== --- head/contrib/bind9/lib/lwres/man/lwres_packet.html (revision 205291) +++ head/contrib/bind9/lib/lwres/man/lwres_packet.html (revision 205292) @@ -1,235 +1,235 @@ - + lwres_packet
-
+

Name

lwres_lwpacket_renderheader, lwres_lwpacket_parseheader — lightweight resolver packet handling functions

Synopsis

#include <lwres/lwpacket.h>
lwres_result_t lwres_lwpacket_renderheader( lwres_buffer_t *  b,
  lwres_lwpacket_t *  pkt);
lwres_result_t lwres_lwpacket_parseheader( lwres_buffer_t *  b,
  lwres_lwpacket_t *  pkt);
-

DESCRIPTION

+

DESCRIPTION

These functions rely on a struct lwres_lwpacket which is defined in lwres/lwpacket.h. 

 typedef struct lwres_lwpacket lwres_lwpacket_t;
       

 struct lwres_lwpacket {
         lwres_uint32_t          length;
         lwres_uint16_t          version;
         lwres_uint16_t          pktflags;
         lwres_uint32_t          serial;
         lwres_uint32_t          opcode;
         lwres_uint32_t          result;
         lwres_uint32_t          recvlength;
         lwres_uint16_t          authtype;
         lwres_uint16_t          authlength;
 };

The elements of this structure are:

length

the overall packet length, including the entire packet header. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls.

version

the header format. There is currently only one format, LWRES_LWPACKETVERSION_0. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls.

pktflags

library-defined flags for this packet: for instance whether the packet is a request or a reply. Flag values can be set, but not defined by the caller. This field is filled in by the application wit the exception of the LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in the lwres_gabn_*() and lwres_gnba_*() calls.

serial

is set by the requestor and is returned in all replies. If two or more packets from the same source have the same serial number and are from the same source, they are assumed to be duplicates and the latter ones may be dropped. This field must be set by the application.

opcode

indicates the operation. Opcodes between 0x00000000 and 0x03ffffff are reserved for use by the lightweight resolver library. Opcodes between 0x04000000 and 0xffffffff are application defined. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls.

result

is only valid for replies. Results between 0x04000000 and 0xffffffff are application defined. Results between 0x00000000 and 0x03ffffff are reserved for library use. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls.

recvlength

is the maximum buffer size that the receiver can handle on requests and the size of the buffer needed to satisfy a request when the buffer is too large for replies. This field is supplied by the application.

authtype

defines the packet level authentication that is used. Authorisation types between 0x1000 and 0xffff are application defined and types between 0x0000 and 0x0fff are reserved for library use. Currently these are not used and must be zero.

authlen

gives the length of the authentication data. Since packet authentication is currently not used, this must be zero.

The following opcodes are currently defined:

NOOP

Success is always returned and the packet contents are echoed. The lwres_noop_*() functions should be used for this type.

GETADDRSBYNAME

returns all known addresses for a given name. The lwres_gabn_*() functions should be used for this type.

GETNAMEBYADDR

return the hostname for the given address. The lwres_gnba_*() functions should be used for this type.

lwres_lwpacket_renderheader() transfers the contents of lightweight resolver packet structure lwres_lwpacket_t *pkt in network byte order to the lightweight resolver buffer, *b.

lwres_lwpacket_parseheader() performs the converse operation. It transfers data in network byte order from buffer *b to resolver packet *pkt. The contents of the buffer b should correspond to a lwres_lwpacket_t.

-

RETURN VALUES

+

RETURN VALUES

Successful calls to lwres_lwpacket_renderheader() and lwres_lwpacket_parseheader() return LWRES_R_SUCCESS. If there is insufficient space to copy data between the buffer *b and lightweight resolver packet *pkt both functions return LWRES_R_UNEXPECTEDEND.

Index: head/contrib/bind9/lib/lwres/man/lwres_resutil.html =================================================================== --- head/contrib/bind9/lib/lwres/man/lwres_resutil.html (revision 205291) +++ head/contrib/bind9/lib/lwres/man/lwres_resutil.html (revision 205292) @@ -1,258 +1,258 @@ - + lwres_resutil
-
+

Name

lwres_string_parse, lwres_addr_parse, lwres_getaddrsbyname, lwres_getnamebyaddr — lightweight resolver utility functions

Synopsis

#include <lwres/lwres.h>
lwres_result_t lwres_string_parse( lwres_buffer_t *  b,
  char **  c,
  lwres_uint16_t *  len);
lwres_result_t lwres_addr_parse( lwres_buffer_t *  b,
  lwres_addr_t *  addr);
lwres_result_t lwres_getaddrsbyname( lwres_context_t *  ctx,
  const char *  name,
  lwres_uint32_t   addrtypes,
  lwres_gabnresponse_t **  structp);
lwres_result_t lwres_getnamebyaddr( lwres_context_t *  ctx,
  lwres_uint32_t   addrtype,
  lwres_uint16_t   addrlen,
  const unsigned char *  addr,
  lwres_gnbaresponse_t **  structp);
-

DESCRIPTION

+

DESCRIPTION

lwres_string_parse() retrieves a DNS-encoded string starting the current pointer of lightweight resolver buffer b: i.e. b->current. When the function returns, the address of the first byte of the encoded string is returned via *c and the length of that string is given by *len. The buffer's current pointer is advanced to point at the character following the string length, the encoded string, and the trailing NULL character.

lwres_addr_parse() extracts an address from the buffer b. The buffer's current pointer b->current is presumed to point at an encoded address: the address preceded by a 32-bit protocol family identifier and a 16-bit length field. The encoded address is copied to addr->address and addr->length indicates the size in bytes of the address that was copied. b->current is advanced to point at the next byte of available data in the buffer following the encoded address.

lwres_getaddrsbyname() and lwres_getnamebyaddr() use the lwres_gnbaresponse_t structure defined below: 

 typedef struct {
         lwres_uint32_t          flags;
         lwres_uint16_t          naliases;
         lwres_uint16_t          naddrs;
         char                   *realname;
         char                  **aliases;
         lwres_uint16_t          realnamelen;
         lwres_uint16_t         *aliaslen;
         lwres_addrlist_t        addrs;
         void                   *base;
         size_t                  baselen;
 } lwres_gabnresponse_t;

The contents of this structure are not manipulated directly but they are controlled through the lwres_gabn(3) functions.

The lightweight resolver uses lwres_getaddrsbyname() to perform foward lookups. Hostname name is looked up using the resolver context ctx for memory allocation. addrtypes is a bitmask indicating which type of addresses are to be looked up. Current values for this bitmask are LWRES_ADDRTYPE_V4 for IPv4 addresses and LWRES_ADDRTYPE_V6 for IPv6 addresses. Results of the lookup are returned in *structp.

lwres_getnamebyaddr() performs reverse lookups. Resolver context ctx is used for memory allocation. The address type is indicated by addrtype: LWRES_ADDRTYPE_V4 or LWRES_ADDRTYPE_V6. The address to be looked up is given by addr and its length is addrlen bytes. The result of the function call is made available through *structp.

-

RETURN VALUES

+

RETURN VALUES

Successful calls to lwres_string_parse() and lwres_addr_parse() return LWRES_R_SUCCESS. Both functions return LWRES_R_FAILURE if the buffer is corrupt or LWRES_R_UNEXPECTEDEND if the buffer has less space than expected for the components of the encoded string or address.

lwres_getaddrsbyname() returns LWRES_R_SUCCESS on success and it returns LWRES_R_NOTFOUND if the hostname name could not be found.

LWRES_R_SUCCESS is returned by a successful call to lwres_getnamebyaddr().

Both lwres_getaddrsbyname() and lwres_getnamebyaddr() return LWRES_R_NOMEMORY when memory allocation requests fail and LWRES_R_UNEXPECTEDEND if the buffers used for sending queries and receiving replies are too small.

-

SEE ALSO

+

SEE ALSO

lwres_buffer(3), lwres_gabn(3).

Index: head/contrib/bind9/version =================================================================== --- head/contrib/bind9/version (revision 205291) +++ head/contrib/bind9/version (revision 205292) @@ -1,10 +1,10 @@ -# $Id: version,v 1.43.12.8 2010/02/18 03:34:50 marka Exp $ +# $Id: version,v 1.43.12.8.2.3 2010/03/04 00:08:28 marka Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. # MAJORVER=9 MINORVER=6 PATCHVER=2 -RELEASETYPE= -RELEASEVER= +RELEASETYPE=-P +RELEASEVER=1 Index: head/contrib/bind9 =================================================================== --- head/contrib/bind9 (revision 205291) +++ head/contrib/bind9 (revision 205292) Property changes on: head/contrib/bind9 ___________________________________________________________________ Modified: svn:mergeinfo ## -0,0 +0,1 ## Merged /vendor/bind9/dist:r204601-205275 Index: head/lib/bind/config.h =================================================================== --- head/lib/bind/config.h (revision 205291) +++ head/lib/bind/config.h (revision 205292) @@ -1,353 +1,357 @@ /* $FreeBSD$ */ /* config.h. Generated from config.h.in by configure. */ /* config.h.in. Generated from configure.in by autoheader. */ /* * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR * PERFORMANCE OF THIS SOFTWARE. */ /* $Id: acconfig.h,v 1.51.334.2 2009/02/16 23:47:15 tbox Exp $ */ /*! \file */ /*** *** This file is not to be included by any public header files, because *** it does not get installed. ***/ /** define on DEC OSF to enable 4.4BSD style sa_len support */ /* #undef _SOCKADDR_LEN */ /** define if your system needs pthread_init() before using pthreads */ /* #undef NEED_PTHREAD_INIT */ /** define if your system has sigwait() */ #define HAVE_SIGWAIT 1 /** define if sigwait() is the UnixWare flavor */ /* #undef HAVE_UNIXWARE_SIGWAIT */ /** define on Solaris to get sigwait() to work using pthreads semantics */ /* #undef _POSIX_PTHREAD_SEMANTICS */ /** define if LinuxThreads is in use */ /* #undef HAVE_LINUXTHREADS */ /** define if sysconf() is available */ #define HAVE_SYSCONF 1 /** define if sysctlbyname() is available */ #define HAVE_SYSCTLBYNAME 1 /** define if catgets() is available */ #define HAVE_CATGETS 1 /** define if getifaddrs() exists */ #define HAVE_GETIFADDRS 1 /** define if you have the NET_RT_IFLIST sysctl variable and sys/sysctl.h */ #define HAVE_IFLIST_SYSCTL 1 /** define if tzset() is available */ #define HAVE_TZSET 1 /** define if struct addrinfo exists */ #define HAVE_ADDRINFO 1 /** define if getaddrinfo() exists */ #define HAVE_GETADDRINFO 1 /** define if gai_strerror() exists */ #define HAVE_GAISTRERROR 1 /** define if arc4random() exists */ #define HAVE_ARC4RANDOM 1 /** * define if pthread_setconcurrency() should be called to tell the * OS how many threads we might want to run. */ /* #undef CALL_PTHREAD_SETCONCURRENCY */ /** define if IPv6 is not disabled */ /* #undef WANT_IPV6 */ /** define if flockfile() is available */ #define HAVE_FLOCKFILE 1 /** define if getc_unlocked() is available */ #define HAVE_GETCUNLOCKED 1 /** Shut up warnings about sputaux in stdio.h on BSD/OS pre-4.1 */ /* #undef SHUTUP_SPUTAUX */ #ifdef SHUTUP_SPUTAUX struct __sFILE; extern __inline int __sputaux(int _c, struct __sFILE *_p); #endif /** Shut up warnings about missing sigwait prototype on BSD/OS 4.0* */ /* #undef SHUTUP_SIGWAIT */ #ifdef SHUTUP_SIGWAIT int sigwait(const unsigned int *set, int *sig); #endif /** Shut up warnings from gcc -Wcast-qual on BSD/OS 4.1. */ /* #undef SHUTUP_STDARG_CAST */ #if defined(SHUTUP_STDARG_CAST) && defined(__GNUC__) #include /** Grr. Must be included *every time*. */ /** * The silly continuation line is to keep configure from * commenting out the #undef. */ #undef \ va_start #define va_start(ap, last) \ do { \ union { const void *konst; long *var; } _u; \ _u.konst = &(last); \ ap = (va_list)(_u.var + __va_words(__typeof(last))); \ } while (0) #endif /** SHUTUP_STDARG_CAST && __GNUC__ */ /** define if the system has a random number generating device */ #define PATH_RANDOMDEV "/dev/random" /** define if pthread_attr_getstacksize() is available */ #define HAVE_PTHREAD_ATTR_GETSTACKSIZE 1 /** define if pthread_attr_setstacksize() is available */ #define HAVE_PTHREAD_ATTR_SETSTACKSIZE 1 /** define if you have strerror in the C library. */ #define HAVE_STRERROR 1 /** Define if you are running under Compaq TruCluster. */ /* #undef HAVE_TRUCLUSTER */ /* Define if OpenSSL includes DSA support */ #define HAVE_OPENSSL_DSA 1 /* Define to the length type used by the socket API (socklen_t, size_t, int). */ #define ISC_SOCKADDR_LEN_T socklen_t /* Define if threads need PTHREAD_SCOPE_SYSTEM */ /* #undef NEED_PTHREAD_SCOPE_SYSTEM */ /* Define if recvmsg() does not meet all of the BSD socket API specifications. */ /* #undef BROKEN_RECVMSG */ /* Define if you cannot bind() before connect() for TCP sockets. */ /* #undef BROKEN_TCP_BIND_BEFORE_CONNECT */ /* Define to enable "rrset-order fixed" syntax. */ /* #undef DNS_RDATASET_FIXED */ /* Solaris hack to get select_large_fdset. */ /* #undef FD_SETSIZE */ /* Define to 1 if you have the `chroot' function. */ #define HAVE_CHROOT 1 /* Define to 1 if you have the header file. */ #define HAVE_DLFCN_H 1 /* Define to 1 if you have the `EVP_sha256' function. */ #define HAVE_EVP_SHA256 1 /* Define to 1 if you have the `EVP_sha512' function. */ #define HAVE_EVP_SHA512 1 /* Define to 1 if you have the header file. */ #define HAVE_FCNTL_H 1 /* Define to 1 if you have the header file. */ /* #undef HAVE_GSSAPI_GSSAPI_H */ /* Define to 1 if you have the header file. */ /* #undef HAVE_GSSAPI_H */ /* Define to 1 if you have the header file. */ #define HAVE_INTTYPES_H 1 /* Define to 1 if you have the `c' library (-lc). */ /* #undef HAVE_LIBC */ /* Define to 1 if you have the `cap' library (-lcap). */ /* #undef HAVE_LIBCAP */ /* Define to 1 if you have the `c_r' library (-lc_r). */ /* #undef HAVE_LIBC_R */ /* Define to 1 if you have the `nsl' library (-lnsl). */ /* #undef HAVE_LIBNSL */ /* Define to 1 if you have the `pthread' library (-lpthread). */ /* #undef HAVE_LIBPTHREAD */ /* Define to 1 if you have the `scf' library (-lscf). */ /* #undef HAVE_LIBSCF */ /* Define to 1 if you have the `socket' library (-lsocket). */ /* #undef HAVE_LIBSOCKET */ /* Define to 1 if you have the `thr' library (-lthr). */ /* #undef HAVE_LIBTHR */ /* Define if libxml2 was found */ /* #undef HAVE_LIBXML2 */ /* Define to 1 if you have the header file. */ /* #undef HAVE_LINUX_CAPABILITY_H */ /* Define to 1 if you have the header file. */ #define HAVE_LOCALE_H 1 /* Define to 1 if you have the header file. */ #define HAVE_MEMORY_H 1 /* Define to 1 if you have the `nanosleep' function. */ #define HAVE_NANOSLEEP 1 /* Define to 1 if you have the header file. */ /* #undef HAVE_NET_IF6_H */ /* Define to 1 if you have the `setlocale' function. */ #define HAVE_SETLOCALE 1 /* Define to 1 if you have the header file. */ #define HAVE_STDINT_H 1 /* Define to 1 if you have the header file. */ #define HAVE_STDLIB_H 1 /* Define to 1 if you have the header file. */ #define HAVE_STRINGS_H 1 /* Define to 1 if you have the header file. */ #define HAVE_STRING_H 1 /* Define to 1 if you have the header file. */ /* #undef HAVE_SYS_CAPABILITY_H */ /* Define to 1 if you have the header file. */ /* #undef HAVE_SYS_DEVPOLL_H */ /* Define to 1 if you have the header file. */ /* #undef HAVE_SYS_DYNTUNE_H */ /* Define to 1 if you have the header file. */ #define HAVE_SYS_PARAM_H 1 /* Define to 1 if you have the header file. */ /* #undef HAVE_SYS_PRCTL_H */ /* Define to 1 if you have the header file. */ #define HAVE_SYS_SELECT_H 1 /* Define to 1 if you have the header file. */ #define HAVE_SYS_SOCKIO_H 1 /* Define to 1 if you have the header file. */ #define HAVE_SYS_STAT_H 1 /* Define to 1 if you have the header file. */ #define HAVE_SYS_SYSCTL_H 1 /* Define to 1 if you have the header file. */ #define HAVE_SYS_TIME_H 1 /* Define to 1 if you have the header file. */ #define HAVE_SYS_TYPES_H 1 /* Define to 1 if you have the header file. */ #define HAVE_SYS_UN_H 1 /* Define if running under Compaq TruCluster */ /* #undef HAVE_TRUCLUSTER */ /* Define to 1 if you have the header file. */ #define HAVE_UNISTD_H 1 +/* Define to the sub-directory in which libtool stores uninstalled libraries. + */ +#define LT_OBJDIR ".libs/" + /* Defined if extern char *optarg is not declared. */ /* #undef NEED_OPTARG */ /* Define if connect does not honour the permission on the UNIX domain socket. */ /* #undef NEED_SECURE_DIRECTORY */ /* Define to the address where bug reports for this package should be sent. */ #define PACKAGE_BUGREPORT "" /* Define to the full name of this package. */ #define PACKAGE_NAME "" /* Define to the full name and version of this package. */ #define PACKAGE_STRING "" /* Define to the one symbol short name of this package. */ #define PACKAGE_TARNAME "" /* Define to the version of this package. */ #define PACKAGE_VERSION "" /* Sets which flag to pass to open/fcntl to make non-blocking (O_NDELAY/O_NONBLOCK). */ #define PORT_NONBLOCK O_NONBLOCK /* Define to 1 if you have the ANSI C header files. */ #define STDC_HEADERS 1 /* Define to 1 if you can safely include both and . */ #define TIME_WITH_SYS_TIME 1 /* Defined if you need to use ioctl(FIONBIO) instead a fcntl call to make non-blocking. */ /* #undef USE_FIONBIO_IOCTL */ /* define if idnkit support is to be included. */ /* #undef WITH_IDN */ /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most significant byte first (like Motorola and SPARC, unlike Intel and VAX). */ #if defined __BIG_ENDIAN__ # define WORDS_BIGENDIAN 1 #elif ! defined __LITTLE_ENDIAN__ /* # undef WORDS_BIGENDIAN */ #endif /* Define to empty if `const' does not conform to ANSI C. */ /* #undef const */ /* Define to `__inline__' or `__inline' if that's what the C compiler calls it, or to nothing if 'inline' is not supported under any name. */ #ifndef __cplusplus #define inline /**/ #endif /* Define to `unsigned int' if does not define. */ /* #undef size_t */ /* Define to `int' if does not define. */ /* #undef ssize_t */ /* Define to `unsigned long' if does not define. */ /* #undef uintptr_t */ /* Define to empty if the keyword `volatile' does not work. Warning: valid code using `volatile' can become incorrect without. Disable with care. */ /* #undef volatile */