diff --git a/CHANGES b/CHANGES index 4df3e1fc81..518332d120 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,33 @@ +3925. [bug] DS lookup of RFC 1918 empty zones failed. [RT #36917] + +3924. [bug] Improve 'rndc addzone' error reporting. [RT #35187] + +3923. [bug] Sanity check the xml2-config output. [RT #22246] + +3922. [bug] When resigning, dnssec-signzone was removing + all signatures from delegation nodes. It now + retains DS and (if applicable) NSEC signatures. + [RT #36946] + +3921. [bug] AD was inappopriately set on RPZ responses. [RT #36833] + +3920. [doc] Added doc for masterfile-style. [RT #36823] + +3919. [bug] dig: continue to next line if a address lookup fails + in batch mode. [RT #36755] + +3918. [doc] Update check-spf documentation. [RT #36910] + +3917. [bug] dig, nslookup and host now continue on names that are + too long after applying a search list elements. + [RT #36892] + +3916. [contrib] zone2sqlite checked wrong result code. Address + compiler warnings. [RT #36931] + +3915. [bug] Address a assertion if a route event arrived while + shutting down. [RT #36887] + 3914. [bug] Allow the URI target and CAA value fields to be zero length. [RT #36737] diff --git a/bin/dig/dig.1 b/bin/dig/dig.1 index b25760e7a6..0e5e27502c 100644 --- a/bin/dig/dig.1 +++ b/bin/dig/dig.1 @@ -346,7 +346,7 @@ option were given. .PP \fB+dscp=value\fR .RS 4 -Set the DSCP code point to be used when sending the query. Valid DSCP code points are in the range [0..63]. By default no code point is explictly set. +Set the DSCP code point to be used when sending the query. Valid DSCP code points are in the range [0..63]. By default no code point is explicitly set. .RE .PP \fB+[no]edns[=#]\fR 
@@ -516,7 +516,7 @@ This query option toggles the printing of statistics: when the query was made, t .PP \fB+[no]subnet=addr/prefix\fR .RS 4 -Send an EDNS Client Subnet option with the speciifed IP address or network prefix. +Send an EDNS Client Subnet option with the specified IP address or network prefix. .RE .PP \fB+[no]tcp\fR diff --git a/bin/dig/dig.c b/bin/dig/dig.c index 7e72c4f09b..d27bb90552 100644 --- a/bin/dig/dig.c +++ b/bin/dig/dig.c @@ -1677,7 +1677,8 @@ preparse_args(int argc, char **argv) { static void parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only, - int argc, char **argv) { + int argc, char **argv) +{ isc_result_t result; isc_textregion_t tr; isc_boolean_t firstarg = ISC_TRUE; @@ -1771,7 +1772,24 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only, if (strncmp(rv[0], "%", 1) == 0) break; if (rv[0][0] == '@') { - addresscount = getaddresses(lookup, &rv[0][1], NULL); + + if (is_batchfile && !config_only) { + addresscount = getaddresses(lookup, &rv[0][1], + &result); + if (result != ISC_R_SUCCESS) { + fprintf(stderr, "couldn't get address " + "for '%s': %s: skipping " + "lookup\n", &rv[0][1], + isc_result_totext(result)); + if (ISC_LINK_LINKED(lookup, link)) + ISC_LIST_DEQUEUE(lookup_list, + lookup, link); + destroy_lookup(lookup); + return; + } + } else + addresscount = getaddresses(lookup, &rv[0][1], + NULL); } else if (rv[0][0] == '+') { plus_option(&rv[0][1], is_batchfile, lookup); diff --git a/bin/dig/dig.html b/bin/dig/dig.html index 0a5a85ee29..0e11541dbc 100644 --- a/bin/dig/dig.html +++ b/bin/dig/dig.html @@ -374,7 +374,7 @@
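Review bot: In the `@` branch of parse_args (hunk at -1771) nothing explains why batch mode passes `&result` to getaddresses() while the other modes pass NULL, and the braced `if` is paired with an unbraced multi-line `else`. I would put `/* Batch mode: a server name that fails to resolve skips this line rather than the whole file. */` above the `if (is_batchfile && !config_only)` test and brace the `else` arm. The early `return` also discards any arguments that follow on the same batch line, which looks intended but belongs in that comment. parse_args starts and ends outside the hunk.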

Set the DSCP code point to be used when sending the query. Valid DSCP code points are in the range - [0..63]. By default no code point is explictly set. + [0..63]. By default no code point is explicitly set.

+[no]edns[=#]

@@ -545,7 +545,7 @@

+[no]subnet=addr/prefix

- Send an EDNS Client Subnet option with the speciifed + Send an EDNS Client Subnet option with the specified IP address or network prefix.

+[no]tcp
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c index 85ca6e4158..1a0202b9d6 100644 --- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c @@ -369,6 +369,11 @@ connect_timeout(isc_task_t *task, isc_event_t *event); static void launch_next_query(dig_query_t *query, isc_boolean_t include_question); +static void +check_next_lookup(dig_lookup_t *lookup); + +static isc_boolean_t +next_origin(dig_lookup_t *oldlookup); static void * mem_alloc(void *arg, size_t size) { @@ -1819,8 +1824,10 @@ start_lookup(void) { } novalidation: #endif - setup_lookup(current_lookup); - do_lookup(current_lookup); + if (setup_lookup(current_lookup)) + do_lookup(current_lookup); + else if (next_origin(current_lookup)) + check_next_lookup(current_lookup); } else { check_if_done(); } @@ -2021,8 +2028,8 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section) * Return ISC_TRUE iff there was another searchlist entry. */ static isc_boolean_t -next_origin(dig_query_t *query) { - dig_lookup_t *lookup; +next_origin(dig_lookup_t *oldlookup) { + dig_lookup_t *newlookup; dig_searchlist_t *search; dns_fixedname_t fixed; dns_name_t *name; @@ -2031,7 +2038,7 @@ next_origin(dig_query_t *query) { INSIST(!free_now); debug("next_origin()"); - debug("following up %s", query->lookup->textname); + debug("following up %s", oldlookup->textname); if (!usesearch) /* 
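Review bot: In start_lookup (hunk at -1819) no arm handles setup_lookup() returning ISC_FALSE when next_origin() also returns ISC_FALSE, so as far as this hunk shows the current lookup is neither run nor cancelled and nothing advances the queue. setup_lookup() returns ISC_FALSE silently on DNS_R_NAMETOOLONG (hunk at -2283), so the user also gets no message naming the entry that was skipped. I would add a final arm that reports the name and moves on, along the lines of `else { fprintf(stderr, ";; name too long: %s\n", current_lookup->textname); cancel_lookup(current_lookup); check_next_lookup(current_lookup); }`, adjusted to whatever ordering the surrounding code needs. start_lookup's body continues outside the hunk.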
@@ -2045,30 +2052,30 @@ next_origin(dig_query_t *query) { */ dns_fixedname_init(&fixed); name = dns_fixedname_name(&fixed); - result = dns_name_fromstring2(name, query->lookup->textname, NULL, + result = dns_name_fromstring2(name, oldlookup->textname, NULL, 0, NULL); if (result == ISC_R_SUCCESS && (dns_name_isabsolute(name) || (int)dns_name_countlabels(name) > ndots)) return (ISC_FALSE); - if (query->lookup->origin == NULL && !query->lookup->need_search) + if (oldlookup->origin == NULL && !oldlookup->need_search) /* * Then we just did rootorg; there's nothing left. */ return (ISC_FALSE); - if (query->lookup->origin == NULL && query->lookup->need_search) { - lookup = requeue_lookup(query->lookup, ISC_TRUE); - lookup->origin = ISC_LIST_HEAD(search_list); - lookup->need_search = ISC_FALSE; + if (oldlookup->origin == NULL && oldlookup->need_search) { + newlookup = requeue_lookup(oldlookup, ISC_TRUE); + newlookup->origin = ISC_LIST_HEAD(search_list); + newlookup->need_search = ISC_FALSE; } else { - search = ISC_LIST_NEXT(query->lookup->origin, link); - if (search == NULL && query->lookup->done_as_is) + search = ISC_LIST_NEXT(oldlookup->origin, link); + if (search == NULL && oldlookup->done_as_is) return (ISC_FALSE); - lookup = requeue_lookup(query->lookup, ISC_TRUE); - lookup->origin = search; + newlookup = requeue_lookup(oldlookup, ISC_TRUE); + newlookup->origin = search; } - cancel_lookup(query->lookup); + cancel_lookup(oldlookup); return (ISC_TRUE); } @@ -2153,7 +2160,7 @@ compute_cookie(unsigned char *cookie, size_t len) { * well as the query structures and buffer space for the replies. If the * server list is empty, clone it from the system default list. */ -void +isc_boolean_t setup_lookup(dig_lookup_t *lookup) { isc_result_t result; isc_uint32_t id; 
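Review bot: The comment above setup_lookup (hunk at -2153) still describes only what the function sets up and says nothing about the new isc_boolean_t result. I would append `Returns ISC_FALSE if the resulting name is too long (the caller should try the next search-list entry), ISC_TRUE otherwise.` to that comment and repeat it at the prototype in dig/dig.h. Without it a caller that ignores the return value would go on to use a lookup whose name was never set. The function body is outside this hunk.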
@@ -2283,20 +2290,35 @@ setup_lookup(dig_lookup_t *lookup) { if (lookup->trace && lookup->trace_root) { dns_name_clone(dns_rootname, lookup->name); } else { + dns_fixedname_t fixed; + dns_name_t *name; + + dns_fixedname_init(&fixed); + name = dns_fixedname_name(&fixed); len = strlen(lookup->textname); isc_buffer_init(&b, lookup->textname, len); isc_buffer_add(&b, len); - result = dns_name_fromtext(lookup->name, &b, - lookup->oname, 0, - &lookup->namebuf); - } - if (result != ISC_R_SUCCESS) { - dns_message_puttempname(lookup->sendmsg, - &lookup->name); - dns_message_puttempname(lookup->sendmsg, - &lookup->oname); - fatal("'%s' is not in legal name syntax (%s)", - lookup->textname, isc_result_totext(result)); + result = dns_name_fromtext(name, &b, NULL, 0, NULL); + if (result == ISC_R_SUCCESS && + !dns_name_isabsolute(name)) + result = dns_name_concatenate(name, + lookup->oname, + lookup->name, + &lookup->namebuf); + else if (result == ISC_R_SUCCESS) + result = dns_name_copy(name, lookup->name, + &lookup->namebuf); + if (result != ISC_R_SUCCESS) { + dns_message_puttempname(lookup->sendmsg, + &lookup->name); + dns_message_puttempname(lookup->sendmsg, + &lookup->oname); + if (result == DNS_R_NAMETOOLONG) + return (ISC_FALSE); + fatal("'%s' is not in legal name syntax (%s)", + lookup->textname, + isc_result_totext(result)); + } } dns_message_puttempname(lookup->sendmsg, &lookup->oname); } else @@ -2591,6 +2613,7 @@ setup_lookup(dig_lookup_t *lookup) { printf(";; QUERY SIZE: %u\n\n", isc_buffer_usedlength(&lookup->renderbuf)); } + return (ISC_TRUE); } /*% @@ -3794,7 +3817,7 @@ recv_done(isc_task_t *task, isc_event_t *event) { if (!l->doing_xfr || l->xfr_q == query) { if (msg->rcode == dns_rcode_nxdomain && (l->origin != NULL || l->need_search)) { - if (!next_origin(query) || showsearch) { + if (!next_origin(query->lookup) || showsearch) { printmessage(query, msg, ISC_TRUE); received(b->used, &sevent->address, query); } 
diff --git a/bin/dig/include/dig/dig.h b/bin/dig/include/dig/dig.h index 8c2c9dbea5..ba99428bf5 100644 --- a/bin/dig/include/dig/dig.h +++ b/bin/dig/include/dig/dig.h @@ -323,7 +323,7 @@ debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); void check_result(isc_result_t result, const char *msg); -void +isc_boolean_t setup_lookup(dig_lookup_t *lookup); void diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 8ae13d8174..e440664796 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -506,6 +506,8 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name, result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_rrsig, set->type, 0, &sigset, NULL); if (result == ISC_R_NOTFOUND) { + vbprintf(2, "no existing signatures for %s/%s\n", + namestr, typestr); result = ISC_R_SUCCESS; nosigs = ISC_TRUE; } @@ -1664,10 +1666,14 @@ remove_records(dns_dbnode_t *node, dns_rdatatype_t which, } /* - * Remove signatures covering the given type (0 == all signatures). + * Remove signatures covering the given type. If type == 0, + * then remove all signatures, unless this is a delegation, in + * which case remove all signatures except for DS or nsec_datatype */ static void -remove_sigs(dns_dbnode_t *node, dns_rdatatype_t which) { +remove_sigs(dns_dbnode_t *node, isc_boolean_t delegation, + dns_rdatatype_t which) +{ isc_result_t result; dns_rdatatype_t type, covers; dns_rdatasetiter_t *rdsiter = NULL; 
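Review bot: The rewritten comment above remove_sigs (hunk at -1664) does not match the test added in the -1684 hunk. The code keeps signatures covering any type for which `dns_rdatatype_atparent(covers)` is true and keeps NSEC signatures only when `nsec_datatype == dns_rdatatype_nsec`, whereas the comment reads as if signatures over `nsec_datatype` are always kept. I would word it as `If which == 0, remove all signatures; at a delegation keep those covering parent-side types (DS) and, in NSEC zones, NSEC.` It is also worth stating that the retained signatures are not validated here, presumably because signset() checks them later, which this diff does not show.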
@@ -1684,14 +1690,21 @@ remove_sigs(dns_dbnode_t *node, dns_rdatatype_t which) { covers = rdataset.covers; dns_rdataset_disassociate(&rdataset); - if (type == dns_rdatatype_rrsig && - (covers == which || which == 0)) - { - result = dns_db_deleterdataset(gdb, node, gversion, - type, covers); - check_result(result, "dns_db_deleterdataset()"); + if (type != dns_rdatatype_rrsig) continue; - } + + if (which == 0 && delegation && + (dns_rdatatype_atparent(covers) || + (nsec_datatype == dns_rdatatype_nsec && + covers == nsec_datatype))) + continue; + + if (which != 0 && covers != which) + continue; + + result = dns_db_deleterdataset(gdb, node, gversion, + type, covers); + check_result(result, "dns_db_deleterdataset()"); } dns_rdatasetiter_destroy(&rdsiter); } @@ -1778,7 +1791,7 @@ nsecify(void) { if (is_delegation(gdb, gversion, gorigin, name, node, &nsttl)) { zonecut = dns_fixedname_name(&fzonecut); dns_name_copy(name, zonecut, NULL); - remove_sigs(node, 0); + remove_sigs(node, ISC_TRUE, 0); if (generateds) add_ds(name, node, nsttl); } @@ -1800,7 +1813,7 @@ nsecify(void) { (zonecut != NULL && dns_name_issubdomain(nextname, zonecut))) { - remove_sigs(nextnode, 0); + remove_sigs(nextnode, ISC_FALSE, 0); remove_records(nextnode, dns_rdatatype_nsec, ISC_FALSE); dns_db_detachnode(gdb, &nextnode); @@ -2240,7 +2253,7 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations, if (!dns_name_issubdomain(nextname, gorigin) || (zonecut != NULL && dns_name_issubdomain(nextname, zonecut))) { - remove_sigs(nextnode, 0); + remove_sigs(nextnode, ISC_FALSE, 0); dns_db_detachnode(gdb, &nextnode); result = dns_dbiterator_next(dbiter); continue; @@ -2250,7 +2263,7 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations, { zonecut = dns_fixedname_name(&fzonecut); dns_name_copy(nextname, zonecut, NULL); - remove_sigs(nextnode, 0); + remove_sigs(nextnode, ISC_TRUE, 0); if (generateds) add_ds(nextname, nextnode, nsttl); if (OPTOUT(nsec3flags) && 
diff --git a/bin/named/control.c b/bin/named/control.c index 7f49eb3c89..5def85fb5b 100644 --- a/bin/named/control.c +++ b/bin/named/control.c @@ -206,7 +206,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) { command_compare(command, NS_COMMAND_LOADKEYS)) { result = ns_server_rekey(ns_g_server, command, text); } else if (command_compare(command, NS_COMMAND_ADDZONE)) { - result = ns_server_add_zone(ns_g_server, command); + result = ns_server_add_zone(ns_g_server, command, text); } else if (command_compare(command, NS_COMMAND_DELZONE)) { result = ns_server_del_zone(ns_g_server, command, text); } else if (command_compare(command, NS_COMMAND_SIGNING)) { diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h index dbb4a89645..e8f560adba 100644 --- a/bin/named/include/named/interfacemgr.h +++ b/bin/named/include/named/interfacemgr.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007, 2011, 2013 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007, 2011, 2013, 2014 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -97,7 +97,7 @@ isc_result_t ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, isc_socketmgr_t *socketmgr, dns_dispatchmgr_t *dispatchmgr, - ns_interfacemgr_t **mgrp); + isc_task_t *task, ns_interfacemgr_t **mgrp); /*% * Create a new interface manager. * diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h index fd6818dca3..e1d1db275b 100644 --- a/bin/named/include/named/server.h +++ b/bin/named/include/named/server.h @@ -37,7 +37,6 @@ #define NS_EVENTCLASS ISC_EVENTCLASS(0x4E43) #define NS_EVENT_RELOAD (NS_EVENTCLASS + 0) #define NS_EVENT_CLIENTCONTROL (NS_EVENTCLASS + 1) -#define NS_EVENT_IFSCAN (NS_EVENTCLASS + 2) /*% * Name server state. Better here than in lots of separate global variables. 
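Review bot: The new `task` parameter of ns_interfacemgr_create (interfacemgr.h hunk at -97) is not described in the doc comment that follows the prototype. In interfacemgr.c the manager attaches to it only when a route socket exists, and server.c passes `server->task`, which is what lets ns_server_scan_interfaces() satisfy its new "running under server->task" rule. I would add `'task' is the task that receives route-socket events; it must be the server task.` and say whether NULL is acceptable when no route socket is in use. The doc comment continues outside the hunk.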
@@ -225,6 +224,7 @@ void ns_server_scan_interfaces(ns_server_t *server); /*%< * Trigger a interface scan. + * Must only be called when running under server->task. */ void @@ -372,7 +372,7 @@ ns_server_validation(ns_server_t *server, char *args, isc_buffer_t *text); * Add a zone to a running process */ isc_result_t -ns_server_add_zone(ns_server_t *server, char *args); +ns_server_add_zone(ns_server_t *server, char *args, isc_buffer_t *text); /*% * Deletes a zone from a running process diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c index 342408876f..a0c0eda085 100644 --- a/bin/named/interfacemgr.c +++ b/bin/named/interfacemgr.c @@ -140,7 +140,7 @@ route_event(isc_task_t *task, isc_event_t *event) { switch (rtm->MSGTYPE) { case RTM_NEWADDR: case RTM_DELADDR: - if (ns_g_server->interface_auto) + if (mgr->route != NULL && ns_g_server->interface_auto) ns_server_scan_interfaces(ns_g_server); break; default: @@ -172,7 +172,7 @@ isc_result_t ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, isc_socketmgr_t *socketmgr, dns_dispatchmgr_t *dispatchmgr, - ns_interfacemgr_t **mgrp) + isc_task_t *task, ns_interfacemgr_t **mgrp) { isc_result_t result; ns_interfacemgr_t *mgr; @@ -232,11 +232,8 @@ ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, } mgr->task = NULL; - if (mgr->route != NULL) { - result = isc_task_create(taskmgr, 0, &mgr->task); - if (result != ISC_R_SUCCESS) - goto cleanup_route; - } + if (mgr->route != NULL) + isc_task_attach(task, &mgr->task); mgr->references = (mgr->route != NULL) ? 2 : 1; #else mgr->references = 1; @@ -260,9 +257,6 @@ ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, return (ISC_R_SUCCESS); #ifdef USE_ROUTE_SOCKET - cleanup_route: - if (mgr->route != NULL) - isc_socket_detach(&mgr->route); cleanup_aclenv: dns_aclenv_destroy(&mgr->aclenv); #endif diff --git a/bin/named/query.c b/bin/named/query.c index ec56030dcd..a79a930fd3 100644 --- a/bin/named/query.c +++ b/bin/named/query.c 
@@ -5450,7 +5450,7 @@ rpz_add_cname(ns_client_t *client, dns_rpz_st_t *st, * response policy zone cannot verify. */ client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC | - DNS_MESSAGEFLAG_AD); + NS_CLIENTATTR_WANTAD); return (ISC_R_SUCCESS); } @@ -6679,7 +6679,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) * response policy zone cannot verify. */ client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC | - DNS_MESSAGEFLAG_AD); + NS_CLIENTATTR_WANTAD); + client->message->flags &= ~DNS_MESSAGEFLAG_AD; query_putrdataset(client, &sigrdataset); rpz_st->q.is_zone = is_zone; is_zone = ISC_TRUE; diff --git a/bin/named/server.c b/bin/named/server.c index ecb64b91d5..d0dfff9a4b 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -153,6 +153,14 @@ if (result != ISC_R_SUCCESS) goto cleanup; \ } while (0) +#define TCHECK(op) \ + do { tresult = (op); \ + if (tresult != ISC_R_SUCCESS) { \ + isc_buffer_clear(text); \ + goto cleanup; \ + } \ + } while (0) + #define CHECKM(op, msg) \ do { result = (op); \ if (result != ISC_R_SUCCESS) { \ @@ -413,6 +421,9 @@ newzone_cfgctx_destroy(void **cfgp); static isc_result_t putstr(isc_buffer_t *b, const char *str); +static isc_result_t +putnull(isc_buffer_t *b); + isc_result_t add_comment(FILE *fp, const char *viewname); @@ -4845,11 +4856,6 @@ interface_timer_tick(isc_task_t *task, isc_event_t *event) { INSIST(task == server->task); UNUSED(task); - if (event->ev_type == NS_EVENT_IFSCAN) - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(1), - "automatic interface rescan"); - isc_event_free(&event); /* @@ -6514,7 +6520,7 @@ run_server(isc_task_t *task, isc_event_t *event) { CHECKFATAL(ns_interfacemgr_create(ns_g_mctx, ns_g_taskmgr, ns_g_socketmgr, ns_g_dispatchmgr, - &server->interfacemgr), + server->task, &server->interfacemgr), "creating interface manager"); CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive, 
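Review bot: rpz_add_cname (hunk at -5450) now clears NS_CLIENTATTR_WANTAD but, unlike the query_find hunk at -6679, does not clear the AD bit in `client->message->flags`. If AD can already be set on the message when a policy CNAME is added (not visible here), that path could still return a rewritten answer marked as authenticated. I would add the same line after the attribute mask, `client->message->flags &= ~DNS_MESSAGEFLAG_AD;`, or extend the comment to say why the bit cannot be set at that point. Both functions extend beyond their hunks.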
@@ -7061,13 +7067,16 @@ ns_server_reloadwanted(ns_server_t *server) { void ns_server_scan_interfaces(ns_server_t *server) { - isc_event_t *event; + isc_result_t result; - event = isc_event_allocate(ns_g_mctx, server, NS_EVENT_IFSCAN, - interface_timer_tick, server, - sizeof(isc_event_t)); - if (event != NULL) - isc_task_send(server->task, &event); + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(1), + "automatic interface rescan"); + + result = isc_task_beginexclusive(server->task); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + scan_interfaces(server, ISC_TRUE); + isc_task_endexclusive(server->task); } static char * @@ -7184,9 +7193,8 @@ zone_from_args(ns_server_t *server, char *args, const char *zonetxt, isc_result_t tresult; tresult = putstr(text, problem); - if (tresult == ISC_R_SUCCESS && - isc_buffer_availablelength(text) > 0U) - isc_buffer_putuint8(text, 0); + if (tresult == ISC_R_SUCCESS) + putnull(text); } cleanup: @@ -8839,8 +8847,8 @@ add_comment(FILE *fp, const char *viewname) { * Act on an "addzone" command from the command channel. */ isc_result_t -ns_server_add_zone(ns_server_t *server, char *args) { - isc_result_t result; +ns_server_add_zone(ns_server_t *server, char *args, isc_buffer_t *text) { + isc_result_t result, tresult; isc_buffer_t argbuf; size_t arglen; cfg_parser_t *parser = NULL; @@ -8855,7 +8863,7 @@ ns_server_add_zone(ns_server_t *server, char *args) { const char *argp; const char *viewname = NULL; dns_rdataclass_t rdclass; - dns_view_t *view = 0; + dns_view_t *view = NULL; isc_buffer_t buf; dns_fixedname_t fname; dns_name_t *dnsname; 
@@ -8936,7 +8944,14 @@ ns_server_add_zone(ns_server_t *server, char *args) { } /* Open save file for write configuration */ - CHECK(isc_stdio_open(view->new_zone_file, "a", &fp)); + result = isc_stdio_open(view->new_zone_file, "a", &fp); + if (result != ISC_R_SUCCESS) { + TCHECK(putstr(text, "unable to open '")); + TCHECK(putstr(text, view->new_zone_file)); + TCHECK(putstr(text, "': ")); + TCHECK(putstr(text, isc_result_totext(result))); + goto cleanup; + } CHECK(isc_stdio_tell(fp, &offset)); if (offset == 0) CHECK(add_comment(fp, view->name)); @@ -8950,8 +8965,11 @@ ns_server_add_zone(ns_server_t *server, char *args) { ISC_FALSE, ISC_FALSE); dns_view_freeze(view); isc_task_endexclusive(server->task); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { + TCHECK(putstr(text, "configure_zone failed: ")); + TCHECK(putstr(text, isc_result_totext(result))); goto cleanup; + } /* Is it there yet? */ CHECK(dns_zt_find(view->zonetable, dnsname, 0, NULL, &zone)); @@ -8964,6 +8982,9 @@ ns_server_add_zone(ns_server_t *server, char *args) { if (result != ISC_R_SUCCESS) { dns_db_t *dbp = NULL; + TCHECK(putstr(text, "dns_zone_loadnew failed: ")); + TCHECK(putstr(text, isc_result_totext(result))); + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "addzone failed; reverting."); @@ -8985,7 +9006,7 @@ ns_server_add_zone(ns_server_t *server, char *args) { /* Emit the zone name, quoted and escaped */ isc_buffer_init(&buf, namebuf, sizeof(namebuf)); CHECK(dns_name_totext(dnsname, ISC_TRUE, &buf)); - isc_buffer_putuint8(&buf, 0); + putnull(&buf); CHECK(isc_stdio_write("zone \"", 6, 1, fp, NULL)); CHECK(isc_stdio_write(namebuf, strlen(namebuf), 1, fp, NULL)); CHECK(isc_stdio_write("\" ", 2, 1, fp, NULL)); @@ -9024,6 +9045,8 @@ ns_server_add_zone(ns_server_t *server, char *args) { result = ISC_R_SUCCESS; cleanup: + if (isc_buffer_usedlength(text) > 0) + putnull(text); if (fp != NULL) isc_stdio_close(fp); if (parser != NULL) { 
@@ -9048,10 +9071,10 @@ inuse(const char* file, isc_boolean_t first, isc_buffer_t *text) { strlen(file) + (first ? sizeof(INUSEMSG) : sizeof("\n"))) { if (first) - isc_buffer_putstr(text, INUSEMSG); + putstr(text, INUSEMSG); else - isc_buffer_putstr(text, "\n"); - isc_buffer_putstr(text, file); + putstr(text, "\n"); + putstr(text, file); return (ISC_FALSE); } return (first); @@ -9231,6 +9254,8 @@ ns_server_del_zone(ns_server_t *server, char *args, isc_buffer_t *text) { dns_zone_getraw(zone, &raw); mayberaw = (raw != NULL) ? raw : zone; if (cleanup) { + isc_result_t tresult; + file = dns_zone_getfile(mayberaw); if (isc_file_exists(file)) isc_file_remove(file); @@ -9248,10 +9273,10 @@ ns_server_del_zone(ns_server_t *server, char *args, isc_buffer_t *text) { if (isc_file_exists(file)) isc_file_remove(file); } - isc_buffer_putstr(text, "zone "); - isc_buffer_putstr(text, zonename); - isc_buffer_putstr(text, " and associated files deleted"); - isc_buffer_putuint8(text, 0); + TCHECK(putstr(text, "zone ")); + TCHECK(putstr(text, zonename)); + TCHECK(putstr(text, " and associated files deleted")); + TCHECK(putnull(text)); } else if (dns_zone_gettype(mayberaw) == dns_zone_slave || dns_zone_gettype(mayberaw) == dns_zone_stub) { @@ -9270,8 +9295,7 @@ ns_server_del_zone(ns_server_t *server, char *args, isc_buffer_t *text) { file = dns_zone_getjournal(zone); (void)inuse(file, first, text); } - if (isc_buffer_availablelength(text) > 0) - isc_buffer_putuint8(text, 0); + putnull(text); } CHECK(dns_zt_unmount(view->zonetable, zone)); @@ -9286,6 +9310,8 @@ ns_server_del_zone(ns_server_t *server, char *args, isc_buffer_t *text) { result = ISC_R_SUCCESS; cleanup: + if (isc_buffer_usedlength(text) > 0) + putnull(text); if (exclusive) isc_task_endexclusive(server->task); if (ifp != NULL) 
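Review bot: In ns_server_del_zone the TCHECK calls (hunk at -9248) run after the zone files have been removed but before `dns_zt_unmount`, and TCHECK jumps to `cleanup` without touching `result`. If the reply buffer is too small, the unmount appears to be skipped and the function returns whatever `result` last held, possibly success, with an emptied reply. I would build the message only after the unmount has succeeded, or use `CHECK(putstr(text, "zone "));` so the failure reaches the caller. Separately, each branch already appends a terminator and the `cleanup` code in the -9286 hunk appends another whenever the buffer is non-empty, so the reply ends in two NUL bytes.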
@@ -9464,15 +9490,15 @@ ns_server_signing(ns_server_t *server, char *args, isc_buffer_t *text) { if (clear) { CHECK(dns_zone_keydone(zone, keystr)); - isc_buffer_putstr(text, "request queued"); - isc_buffer_putuint8(text, 0); + putstr(text, "request queued"); + putnull(text); } else if (chain) { CHECK(dns_zone_setnsec3param(zone, (isc_uint8_t)hash, (isc_uint8_t)flags, iter, (isc_uint8_t)saltlen, salt, ISC_TRUE)); - isc_buffer_putstr(text, "request queued"); - isc_buffer_putuint8(text, 0); + putstr(text, "request queued"); + putnull(text); } else if (list) { privatetype = dns_zone_getprivatetype(zone); origin = dns_zone_getorigin(zone); @@ -9484,8 +9510,8 @@ ns_server_signing(ns_server_t *server, char *args, isc_buffer_t *text) { dns_rdatatype_none, 0, &privset, NULL); if (result == ISC_R_NOTFOUND) { - isc_buffer_putstr(text, "No signing records found"); - isc_buffer_putuint8(text, 0); + putstr(text, "No signing records found"); + putnull(text); result = ISC_R_SUCCESS; goto cleanup; } @@ -9504,7 +9530,7 @@ ns_server_signing(ns_server_t *server, char *args, isc_buffer_t *text) { CHECK(dns_private_totext(&priv, &buf)); if (!first) - isc_buffer_putstr(text, "\n"); + putstr(text, "\n"); first = ISC_FALSE; n = snprintf((char *)isc_buffer_used(text), @@ -9515,8 +9541,8 @@ ns_server_signing(ns_server_t *server, char *args, isc_buffer_t *text) { isc_buffer_add(text, (unsigned int)n); } - if (!first && isc_buffer_availablelength(text) > 0) - isc_buffer_putuint8(text, 0); + if (!first) + putnull(text); if (result == ISC_R_NOMORE) result = ISC_R_SUCCESS; @@ -9551,6 +9577,15 @@ putstr(isc_buffer_t *b, const char *str) { return (ISC_R_SUCCESS); } +static isc_result_t +putnull(isc_buffer_t *b) { + if (isc_buffer_availablelength(b) == 0) + return (ISC_R_NOSPACE); + + isc_buffer_putuint8(b, 0); + return (ISC_R_SUCCESS); +} + isc_result_t ns_server_zonestatus(ns_server_t *server, char *args, isc_buffer_t *text) { isc_result_t result = ISC_R_SUCCESS; 
@@ -9783,11 +9818,10 @@ ns_server_zonestatus(ns_server_t *server, char *args, isc_buffer_t *text) { cleanup: /* Indicate truncated output if possible. */ - if (result == ISC_R_NOSPACE && isc_buffer_availablelength(text) > 4U) - isc_buffer_putstr(text, "\n..."); - if ((result == ISC_R_SUCCESS || result == ISC_R_NOSPACE) && - isc_buffer_availablelength(text) > 0) - isc_buffer_putuint8(text, 0); + if (result == ISC_R_NOSPACE) + putstr(text, "\n..."); + if ((result == ISC_R_SUCCESS || result == ISC_R_NOSPACE)) + putnull(text); if (db != NULL) dns_db_detach(&db); diff --git a/bin/pkcs11/pkcs11-keygen.docbook b/bin/pkcs11/pkcs11-keygen.docbook index 440df1300b..dd1e32c75a 100644 --- a/bin/pkcs11/pkcs11-keygen.docbook +++ b/bin/pkcs11/pkcs11-keygen.docbook @@ -149,7 +149,7 @@ - -e + -q Quiet mode: suppress unnecessary output. diff --git a/bin/python/dnssec-coverage.8 b/bin/python/dnssec-coverage.8 index c8969f0a65..7fe9a57781 100644 --- a/bin/python/dnssec-coverage.8 +++ b/bin/python/dnssec-coverage.8 @@ -84,7 +84,7 @@ This option is mandatory unless the \fB\-f\fR has been used to specify a zone file. (If \fB\-f\fR -has been specified, this option may still be used; it will overrde the value found in the file.) +has been specified, this option may still be used; it will override the value found in the file.) .RE .PP \-d \fIDNSKEY TTL\fR @@ -98,7 +98,7 @@ This option is mandatory unless the has been used to specify a zone file, or a default key TTL was set with the \fB\-L\fR to -\fBdnssec\-keygen\fR. (If either of those is true, this option may still be used; it will overrde the value found in the zone or key file.) +\fBdnssec\-keygen\fR. (If either of those is true, this option may still be used; it will override the value found in the zone or key file.) .RE .PP \-r \fIresign interval\fR diff --git a/bin/python/dnssec-coverage.html b/bin/python/dnssec-coverage.html index dbbb6ab050..632e288724 100644 --- a/bin/python/dnssec-coverage.html 
+++ b/bin/python/dnssec-coverage.html @@ -108,7 +108,7 @@

This option is mandatory unless the -f has been used to specify a zone file. (If -f has - been specified, this option may still be used; it will overrde + been specified, this option may still be used; it will override the value found in the file.)

@@ -134,7 +134,7 @@ been used to specify a zone file, or a default key TTL was set with the -L to dnssec-keygen. (If either of those is true, - this option may still be used; it will overrde the value found + this option may still be used; it will override the value found in the zone or key file.)

diff --git a/bin/rndc/rndc.8 b/bin/rndc/rndc.8 index fd1b2e0bdf..8758edd908 100644 --- a/bin/rndc/rndc.8 +++ b/bin/rndc/rndc.8 @@ -20,11 +20,11 @@ .\" Title: rndc .\" Author: .\" Generator: DocBook XSL Stylesheets v1.71.1 -.\" Date: February 07, 2014 +.\" Date: August 15, 2014 .\" Manual: BIND9 .\" Source: BIND9 .\" -.TH "RNDC" "8" "February 07, 2014" "BIND9" "BIND9" +.TH "RNDC" "8" "August 15, 2014" "BIND9" "BIND9" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) @@ -300,7 +300,7 @@ Flushes the server's cache. Flushes the given name from the server's DNS cache and, if applicable, from the server's nameserver address database or bad\-server cache. .RE .PP -\fBflushtree\fR [\-all] \fIname\fR [\fIview\fR] +\fBflushtree\fR \fIname\fR [\fIview\fR] .RS 4 Flushes the given name, and all of its subdomains, from the server's DNS cache, the address database, and the bad server cache. .RE diff --git a/bin/rndc/rndc.html b/bin/rndc/rndc.html index f9c85434ec..263b4063cb 100644 --- a/bin/rndc/rndc.html +++ b/bin/rndc/rndc.html @@ -357,7 +357,7 @@ and, if applicable, from the server's nameserver address database or bad-server cache.

-
flushtree [-all] name [view]
+
flushtree name [view]

Flushes the given name, and all of its subdomains, from the server's DNS cache, the address database, @@ -581,7 +581,7 @@

-

LIMITATIONS

+

LIMITATIONS

There is currently no way to provide the shared secret for a key_id without using the configuration file. @@ -591,7 +591,7 @@

-

SEE ALSO

+

SEE ALSO

rndc.conf(5), rndc-confgen(8), named(8), @@ -601,7 +601,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in index a0c6f8826b..37786696a0 100644 --- a/bin/tests/system/conf.sh.in +++ b/bin/tests/system/conf.sh.in @@ -57,6 +57,7 @@ ARPANAME=$TOP/bin/tools/arpaname RESOLVE=$TOP/lib/samples/resolve RRCHECKER=$TOP/bin/tools/named-rrchecker GENRANDOM=$TOP/bin/tools/genrandom +NSLOOKUP=$TOP/bin/dig/nslookup RANDFILE=$TOP/bin/tests/system/random.data @@ -68,8 +69,8 @@ SUBDIRS="acl additional allow_query addzone autosign builtin @COVERAGE@ database dlv dlvauto dlz dlzexternal dname dns64 dnssec dsdigest dscp ecdsa emptyzones filter-aaaa formerr forward geoip glue gost ixfr inline limits logfileconfig - lwresd masterfile masterformat metadata notify nsupdate pending - @PKCS11_TEST@ redirect resolver rndc rpz rrl rrchecker + lwresd masterfile masterformat metadata notify nslookup nsupdate + pending @PKCS11_TEST@ redirect resolver rndc rpz rrl rrchecker rrsetorder rsabigexponent sit smartsign sortlist spf staticstub statistics stub tkey tsig tsiggss unknown upforwd verify views wildcard xfer xferquota zero zonechecks" @@ -93,4 +94,4 @@ fi export NAMED LWRESD DIG NSUPDATE KEYGEN KEYFRLAB SIGNER KEYSIGNER KEYSETTOOL \ PERL SUBDIRS RNDC CHECKZONE PK11GEN PK11LIST PK11DEL TESTSOCK6 \ - JOURNALPRINT ARPANAME RESOLVE RRCHECKER + JOURNALPRINT ARPANAME RESOLVE RRCHECKER NSLOOKUP diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh index c83e4fd56c..2e20d835d4 100644 --- a/bin/tests/system/dnssec/clean.sh +++ b/bin/tests/system/dnssec/clean.sh @@ -27,6 +27,7 @@ rm -f ns2/private.secure.example.db rm -f ns2/badparam.db ns2/badparam.db.bad rm -f ns2/single-nsec3.db rm -f ns2/nsec3chain-test.db +rm -f ns2/in-addr.arpa.db rm -f */example.bk rm -f dig.out.* rm -f rndc.out.* diff --git a/bin/tests/system/dnssec/ns1/root.db.in b/bin/tests/system/dnssec/ns1/root.db.in index a00b69f409..6efbef1674 100644 --- a/bin/tests/system/dnssec/ns1/root.db.in +++ b/bin/tests/system/dnssec/ns1/root.db.in 
@@ -34,3 +34,4 @@ algroll NS ns2.algroll ns2.algroll. A 10.53.0.2 optout-tld NS ns6.optout-tld. ns6.optout-tld. A 10.53.0.6 +in-addr.arpa. NS ns2.example. diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh index 88e6e87181..8e9005b803 100644 --- a/bin/tests/system/dnssec/ns1/sign.sh +++ b/bin/tests/system/dnssec/ns1/sign.sh @@ -28,6 +28,8 @@ zonefile=root.db cp ../ns2/dsset-example. . cp ../ns2/dsset-dlv. . +cp ../ns2/dsset-in-addr.arpa. . + grep "8 [12] " ../ns2/dsset-algroll. > dsset-algroll. cp ../ns6/dsset-optout-tld. . diff --git a/bin/tests/system/dnssec/ns2/in-addr.arpa.db.in b/bin/tests/system/dnssec/ns2/in-addr.arpa.db.in new file mode 100644 index 0000000000..d60b717ef1 --- /dev/null +++ b/bin/tests/system/dnssec/ns2/in-addr.arpa.db.in @@ -0,0 +1,8 @@ +$TTL 3600 +@ SOA ns2.example. . 1 3600 1200 86400 1200 +@ NS ns2.example. +; +; As we are testing empty zone behaviour ns3 doesn't need to be +; configured to serve 10.in-addr.arpa. +; +10 NS ns3.example. diff --git a/bin/tests/system/dnssec/ns2/named.conf b/bin/tests/system/dnssec/ns2/named.conf index 40a71503af..a6f9aafca4 100644 --- a/bin/tests/system/dnssec/ns2/named.conf +++ b/bin/tests/system/dnssec/ns2/named.conf @@ -102,4 +102,9 @@ zone "nsec3chain-test" { allow-update {any;}; }; +zone "in-addr.arpa" { + type master; + file "in-addr.arpa.db.signed"; +}; + include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh index f302d79b00..1a4c73221e 100644 --- a/bin/tests/system/dnssec/ns2/sign.sh +++ b/bin/tests/system/dnssec/ns2/sign.sh 
@@ -87,6 +87,18 @@ tolower($1) == "bad-dname.example." && $4 == "RRSIG" && $5 == "DNAME" { { print; }' > $zonefile.signed++ && mv $zonefile.signed++ $zonefile.signed +# +# signed in-addr.arpa w/ a delegation for 10.in-addr.arpa which is unsigned. +# +zone=in-addr.arpa. +infile=in-addr.arpa.db.in +zonefile=in-addr.arpa.db + +keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` +keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` + +cat $infile $keyname1.key $keyname2.key >$zonefile +$SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null # Sign the privately secure file diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index b719d4487c..bd742663af 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -1854,6 +1854,16 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +echo "I:checking that DS at a RFC 1918 empty zone lookup succeeds ($n)" +ret=0 +$DIG $DIGOPTS +noauth 10.in-addr.arpa ds @10.53.0.2 >dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth 10.in-addr.arpa ds @10.53.0.6 >dig.out.ns6.test$n || ret=1 +$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns6.test$n || ret=1 +grep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + echo "I:checking expired signatures remain with "'"allow-update { none; };"'" and no keys available ($n)" ret=0 $DIG $DIGOPTS +noauth expired.example. +dnssec @10.53.0.3 soa > dig.out.ns3.test$n || ret=1 diff --git a/bin/tests/system/geoip/data/README b/bin/tests/system/geoip/data/README index 11f51e9a8e..47a6858f59 100644 --- a/bin/tests/system/geoip/data/README +++ b/bin/tests/system/geoip/data/README 
@@ -1,4 +1,4 @@ -Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") +Copyright (C) 2013, 2014 Internet Systems Consortium, Inc. ("ISC") See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. The data data files in this directory are sample GeoIP databases, diff --git a/bin/tests/system/nslookup/clean.sh b/bin/tests/system/nslookup/clean.sh new file mode 100644 index 0000000000..7deb83a3bb --- /dev/null +++ b/bin/tests/system/nslookup/clean.sh @@ -0,0 +1,16 @@ +# Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +rm -f ns1/example.db +rm -f nslookup.out* diff --git a/bin/tests/system/nslookup/ns1/named.conf b/bin/tests/system/nslookup/ns1/named.conf new file mode 100644 index 0000000000..fc1fb510ff --- /dev/null +++ b/bin/tests/system/nslookup/ns1/named.conf 
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+};
+
+zone "example" {
+ type master;
+ file "example.db";
+};
diff --git a/bin/tests/system/nslookup/setup.sh b/bin/tests/system/nslookup/setup.sh
new file mode 100644
index 0000000000..092e5800c8
--- /dev/null
+++ b/bin/tests/system/nslookup/setup.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL ../genzone.sh 1 >ns1/example.db
diff --git a/bin/tests/system/nslookup/tests.sh b/bin/tests/system/nslookup/tests.sh
new file mode 100644
index 0000000000..d77afd9fec
--- /dev/null
+++ b/bin/tests/system/nslookup/tests.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+#
+# Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+
+n=`expr $n + 1`
+echo "Check that domain names that are too big when applying a search list entry are handled cleanly ($n)"
+ret=0
+l=012345678901234567890123456789012345678901234567890123456789012
+t=0123456789012345678901234567890123456789012345678901234567890
+d=$l.$l.$l.$t
+$NSLOOKUP -port=5300 -domain=$d -type=soa example 10.53.0.1 > nslookup.out${n} || ret=1
+grep "origin = ns1.example" nslookup.out${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:exit status: $status"
+exit $status
+
diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
index aea61c90b8..4d4978a229 100644
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
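Review bot: The banner line of the new nslookup test is printed without the `I:` prefix that the other two messages in this file carry (`I:failed`, `I:exit status: $status`), so the output of this test is inconsistent with itself; `echo "I:check that domain names that are too big when applying a search list entry are handled cleanly ($n)"` would match. The label lengths are also unexplained: `$l` is 63 characters and `$t` is 61, which makes `$d` 253 characters, so appending it to `example` as a search domain produces a name that is too long. A comment above `d=` such as `# example.$d exceeds the maximum name length; nslookup must skip that candidate and still resolve "example"` would tell the next reader why these exact values matter.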
@@ -209,6 +209,11 @@ clean_result () { # $1=dig args $2=other dig output file ckresult () { #ckalive "$1" "I:server crashed by 'dig $1'" || return 1 + if grep "flags:.* aa .*ad;" $DIGNM; then + setret "I:'dig $1' AA and AD set;" + elif grep "flags:.* aa .*ad;" $DIGNM; then + setret "I:'dig $1' AD set;" + fi if $PERL $SYSTEMTESTTOP/digcomp.pl $DIGNM $2 >/dev/null; then NEED_TCP=`echo "$1" | sed -n -e 's/[Tt][Cc][Pp].*/TCP/p'` RESULT_TCP=`sed -n -e 's/.*Truncated, retrying in TCP.*/TCP/p' $DIGNM` diff --git a/configure b/configure index 0abefed7e5..926962c506 100755 --- a/configure +++ b/configure @@ -16458,10 +16458,30 @@ esac if test "X$libxml2_libs" != "X" then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } CFLAGS="$CFLAGS $libxml2_cflags" LIBS="$LIBS $libxml2_libs" + # + # Sanity check xml2-config output. + # + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +int +main () +{ +return(xmlTextWriterStartElement(NULL, NULL)); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + as_fn_error $? "xml2-config returns badness" "$LINENO" 5 +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext $as_echo "#define HAVE_LIBXML2 1" >>confdefs.h diff --git a/configure.in b/configure.in index 539d11e4e7..6c2580a89b 100644 --- a/configure.in +++ b/configure.in @@ -2085,9 +2085,15 @@ esac if test "X$libxml2_libs" != "X" then - AC_MSG_RESULT(yes) CFLAGS="$CFLAGS $libxml2_cflags" LIBS="$LIBS $libxml2_libs" + # + # Sanity check xml2-config output. + # + AC_TRY_LINK([#include ], + [return(xmlTextWriterStartElement(NULL, NULL));], + AC_MSG_RESULT(yes), + AC_MSG_ERROR(xml2-config returns badness)) AC_DEFINE(HAVE_LIBXML2, 1, [Define if libxml2 was found]) else AC_MSG_RESULT(no) diff --git a/contrib/sdb/bdb/bdb.c b/contrib/sdb/bdb/bdb.c index e4393bc52c..23594bbe3c 100644 
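Review bot: In the block added to ckresult, the `elif` repeats the `if` pattern exactly (`grep "flags:.* aa .*ad;" $DIGNM`), so the `AD set` branch can never run and a response that carries AD without AA passes the check unnoticed. Judging by the two messages, the second test is meant to catch AD on its own, e.g. `elif grep "flags:.* ad;" $DIGNM >/dev/null; then`. Both greps also write the matching line to the test output; redirecting them to `/dev/null`, as the `digcomp.pl` call on the following line does, keeps the log limited to the `setret` message. The body of ckresult continues past the end of this hunk.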
--- a/contrib/sdb/bdb/bdb.c +++ b/contrib/sdb/bdb/bdb.c @@ -229,7 +229,8 @@ bdb_init(void) NULL, bdb_allnodes, bdb_create, - bdb_destroy + bdb_destroy, + NULL /* lookup2 */ }; return dns_sdb_register(DRIVERNAME, &bdb_methods, NULL, 0, ns_g_mctx, diff --git a/contrib/sdb/dir/dirdb.c b/contrib/sdb/dir/dirdb.c index efaf892c27..188f885558 100644 --- a/contrib/sdb/dir/dirdb.c +++ b/contrib/sdb/dir/dirdb.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2007, 2011 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2007, 2011, 2014 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -179,7 +179,8 @@ static dns_sdbmethods_t dirdb_methods = { dirdb_authority, NULL, /* allnodes */ dirdb_create, - dirdb_destroy + dirdb_destroy, + NULL /* lookup2 */ }; /* diff --git a/contrib/sdb/ldap/ldapdb.c b/contrib/sdb/ldap/ldapdb.c index 08d8df4539..caade37c80 100644 --- a/contrib/sdb/ldap/ldapdb.c +++ b/contrib/sdb/ldap/ldapdb.c @@ -386,6 +386,8 @@ ldapdb_lookup(const char *zone, const char *name, void *dbdata, dns_sdblookup_t *lookup, dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo) { + UNUSED(methods); + UNUSED(clientinfo); return (ldapdb_search(zone, name, dbdata, lookup, NULL, NULL)); } #else @@ -661,7 +663,8 @@ static dns_sdbmethods_t ldapdb_methods = { NULL, /* authority */ ldapdb_allnodes, ldapdb_create, - ldapdb_destroy + ldapdb_destroy, + NULL /* lookup2 */ }; /* Wrapper around dns_sdb_register() */ diff --git a/contrib/sdb/pgsql/pgsqldb.c b/contrib/sdb/pgsql/pgsqldb.c index fa3d453d81..50d3cba3c1 100644 --- a/contrib/sdb/pgsql/pgsqldb.c +++ b/contrib/sdb/pgsql/pgsqldb.c 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2007, 2011 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2007, 2011, 2014 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -335,7 +335,8 @@ static dns_sdbmethods_t pgsqldb_methods = { NULL, /* authority */ pgsqldb_allnodes, pgsqldb_create, - pgsqldb_destroy + pgsqldb_destroy, + NULL /* lookup2 */ }; /* diff --git a/contrib/sdb/pgsql/zonetodb.c b/contrib/sdb/pgsql/zonetodb.c index a26d72d4b3..b8f5912b23 100644 --- a/contrib/sdb/pgsql/zonetodb.c +++ b/contrib/sdb/pgsql/zonetodb.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007-2009, 2014 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -74,7 +74,7 @@ check_result(isc_result_t result, const char *message) { * "dest" must be an array of at least size 2*strlen(source) + 1. */ static void -quotestring(const char *source, char *dest) { +quotestring(const unsigned char *source, unsigned char *dest) { while (*source != 0) { if (*source == '\'') *dest++ = '\''; 
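Review bot: quotestring is still the only escaping between text rendered from zone data and the INSERT statement that addrdata assembles with snprintf (the `@@ -101,19 +101,19 @@` hunk of this file), and the visible part of its body doubles `'` and nothing else. That is sufficient only when the server treats a backslash inside a string literal as an ordinary character, which depends on server configuration, and the "at least 2*strlen(source) + 1" requirement on `dest` is enforced by nothing except the comment above the function. Since the signature is being touched anyway, consider binding the name, type and rdata as parameters with `PQexecParams`, or escaping them with `PQescapeStringConn`, assuming this tool talks to the database through libpq as its directory suggests. The function body continues past the end of this hunk.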
@@ -101,19 +101,19 @@ addrdata(dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata) { result = dns_name_totext(name, ISC_TRUE, &b); check_result(result, "dns_name_totext"); namearray[isc_buffer_usedlength(&b)] = 0; - quotestring(namearray, canonnamearray); + quotestring((const unsigned char *)namearray, canonnamearray); isc_buffer_init(&b, typearray, sizeof(typearray) - 1); result = dns_rdatatype_totext(rdata->type, &b); check_result(result, "dns_rdatatype_totext"); typearray[isc_buffer_usedlength(&b)] = 0; - quotestring(typearray, canontypearray); + quotestring((const unsigned char *)typearray, canontypearray); isc_buffer_init(&b, dataarray, sizeof(dataarray) - 1); result = dns_rdata_totext(rdata, NULL, &b); check_result(result, "dns_rdata_totext"); dataarray[isc_buffer_usedlength(&b)] = 0; - quotestring(dataarray, canondataarray); + quotestring((const unsigned char *)dataarray, canondataarray); snprintf(str, sizeof(str), "INSERT INTO %s (NAME, TTL, RDTYPE, RDATA)" diff --git a/contrib/sdb/sqlite/sqlitedb.c b/contrib/sdb/sqlite/sqlitedb.c index 8491aa8a5a..57fe16db16 100644 --- a/contrib/sdb/sqlite/sqlitedb.c +++ b/contrib/sdb/sqlite/sqlitedb.c @@ -306,7 +306,8 @@ static dns_sdbmethods_t sqlitedb_methods = { NULL, /* authority */ sqlitedb_allnodes, sqlitedb_create, - sqlitedb_destroy + sqlitedb_destroy, + NULL /* lookup2 */ }; diff --git a/contrib/sdb/sqlite/zone2sqlite.c b/contrib/sdb/sqlite/zone2sqlite.c index 7b9260a250..7bcb6f0368 100644 --- a/contrib/sdb/sqlite/zone2sqlite.c +++ b/contrib/sdb/sqlite/zone2sqlite.c @@ -137,7 +137,7 @@ addrdata(dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata) res = sqlite3_exec(dbi.db, sql, add_rdata_cb, NULL, &errmsg); sqlite3_free(sql); - if (result != SQLITE_OK) { + if (res != SQLITE_OK) { fprintf(stderr, "INSERT failed: %s\n", errmsg); closeandexit(1); } diff --git a/contrib/sdb/tcl/tcldb.c b/contrib/sdb/tcl/tcldb.c index 9035600e72..8c1e77a638 100644 --- a/contrib/sdb/tcl/tcldb.c +++ b/contrib/sdb/tcl/tcldb.c 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2007, 2011 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2007, 2011, 2014 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -213,7 +213,8 @@ static dns_sdbmethods_t tcldb_methods = { NULL, /* authority */ NULL, /* allnodes */ tcldb_create, - NULL /* destroy */ + NULL, /* destroy */ + NULL /* lookup2 */ }; /* diff --git a/contrib/sdb/time/timedb.c b/contrib/sdb/time/timedb.c index 704014f13e..a5201f5e71 100644 --- a/contrib/sdb/time/timedb.c +++ b/contrib/sdb/time/timedb.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2007, 2011 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2007, 2011, 2014 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -130,7 +130,8 @@ static dns_sdbmethods_t timedb_methods = { timedb_authority, NULL, /* allnodes */ NULL, /* create */ - NULL /* destroy */ + NULL, /* destroy */ + NULL /* lookup2 */ }; /* diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 0b29da99f9..5678806d0a 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -4841,7 +4841,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] check-mx-cname ( warn | fail | ignore ); check-srv-cname ( warn | fail | ignore ); check-sibling yes_or_no; - check-spf ( warn | fail | ignore ); + check-spf ( warn | ignore ); allow-new-zones { yes_or_no }; allow-notify { address_match_list }; allow-query { address_match_list }; @@ -4981,6 +4981,8 @@ badresp:1,adberr:0,findfail:0,valfail:0] max-clients-per-query number ; masterfile-format (text|raw|map) ; + masterfile-style + (relative|full) ; empty-server name ; empty-contact name ; empty-zones-enable yes_or_no ; 
@@ -6879,10 +6881,13 @@ options { The default is yes. - Check that the two forms of Sender Policy Framework - records (TXT records starting with "v=spf1" and SPF) either - both exist or both don't exist. Warnings are - emitted it they don't and be suppressed with + The use of the SPF record for publishing Sender + Policy Framework is deprecated as the migration + from using TXT records to SPF records was abandoned. + Enabling this option also checks that a TXT Sender + Policy Framework record exists (starts with "v=spf1") + if there is an SPF record. Warnings are emitted if the + TXT record does not exist and can be suppressed with check-spf. @@ -6924,11 +6929,11 @@ options { check-spf - When performing integrity checks, check that the - two forms of Sender Policy Framwork records (TXT - records starting with "v=spf1" and SPF) both exist - or both don't exist and issue a warning if not - met. The default is warn. + If check-integrity is set then + check that there is a TXT Sender Policy Framework + record present (starts with "v=spf1") if there is an + SPF record present. The default is + warn. @@ -8992,6 +8997,31 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; + + masterfile-style + + + Specifies the formatting of zone files during dump + when the is + text. (This option is ignored + with any other .) + + + When set to relative, + records are printed in a multi-line format with owner + names expressed relative to a shared origin. When set + to full, records are printed in + a single-line format with absolute owner names. + The full format is most suitable + when a zone file needs to be processed automatically + by a script. The relative format + is more human-readable, and is thus suitable when a + zone is to be edited by hand. The default is + relative. + + + + clients-per-query max-clients-per-query 
@@ -9000,7 +9030,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; initial value (minimum) and maximum number of recursive simultaneous clients for any given query (<qname,qtype,qclass>) that the server will accept - before dropping additional clients. named will attempt to + before dropping additional clients. + named will attempt to self tune this value and changes will be logged. The default values are 10 and 100. @@ -11144,7 +11175,7 @@ view "external" { check-names (warn|fail|ignore) ; check-mx (warn|fail|ignore) ; check-wildcard yes_or_no; - check-spf ( warn | fail | ignore ); + check-spf ( warn | ignore ); check-integrity yes_or_no ; dialup dialup_option ; file string ; diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index 10cd0e4cf0..2af4d98d8e 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -1532,7 +1532,7 @@ $ ./configure --enable-native-pkcs11 \

The modified OpenSSL code is included in the BIND 9 release, - in the form of a context diff against the latest verions of + in the form of a context diff against the latest versions of OpenSSL. OpenSSL 0.9.8, 1.0.0, and 1.0.1 are supported; there are separate diffs for each version. In the examples to follow, we use OpenSSL 0.9.8, but the same methods work with OpenSSL @@ -2020,7 +2020,7 @@ $ dnssec-signzone -E '' -S example.net

DLZ (Dynamically Loadable Zones)

- DLZ (Dynamically Loadable Zones) is an extention to BIND 9 that allows + DLZ (Dynamically Loadable Zones) is an extension to BIND 9 that allows zone data to be retrieved directly from an external database. There is no required format or schema. DLZ drivers exist for several different database backends including PostgreSQL, MySQL, and LDAP and can be diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index ec241708ec..5115b571ac 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -437,7 +437,7 @@ In most cases, setting a value to 0 does not literally mean zero; it means "undefined" or "as big as possible", depending on the context. - See the expalantions of particular parameters + See the explanations of particular parameters that use size_spec for details on how they interpret its use.

@@ -3082,7 +3082,7 @@ options { restarted (NTA's do not persist across restarts).

- For convienience, TTL-style time unit suffixes can be + For convenience, TTL-style time unit suffixes can be used to specify the NTA lifetime in seconds, minutes or hours. nta-lifetime defaults to one hour. It cannot exceed one day. @@ -3107,13 +3107,13 @@ options { the negative trust anchor is allowed to expire early.

- Validity checks can be disabled for an indivdiual + Validity checks can be disabled for an individual NTA by using rndc nta -f, or for all NTA's by setting nta-recheck to zero.

- For convienience, TTL-style time unit suffixes can be + For convenience, TTL-style time unit suffixes can be used to specify the NTA recheck interval in seconds, minutes or hours. The default is five minutes.

@@ -4406,7 +4406,7 @@ options { than matching the case of the records entered in the zone file. This allows responses to exactly match the query, which is required by some clients - due to incorrect use of case-sensitive comparisions. + due to incorrect use of case-sensitive comparisons.

Case-insensitive compression is always @@ -4414,12 +4414,12 @@ options { the client matches this ACL.

- There are circusmstances in which named + There are circumstances in which named will not preserve the case of owner names of records: if a zone file defines records of different types with the same name, but the capitalization of the name is different (e.g., "www.example.com/A" and - "WWW.EXAMPLE.COM/AAAA"), then all resposnes for that + "WWW.EXAMPLE.COM/AAAA"), then all responses for that name will use the first version of the name that was used in the zone file. This limitation may be addressed in a future release. However, @@ -6772,7 +6772,7 @@ rate-limit { is over 1000 and the ratio is over 10), the one that appears last in the configuration file is the one chosen. To eliminate any ambiguity, it is recommended - that under normal circumstnaces, rate limiting bands should + that under normal circumstances, rate limiting bands should be configured using either size or ratio parameters, but not both.

@@ -10316,8 +10316,7 @@ view external {

Each RR can have a TTL as the second field in the RR, which will control how long other - servers can cache - the it. + servers can cache it.

diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index 086e266214..6d3e33fa49 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -57,13 +57,13 @@
BIND 9 DNS Library Support
-
Prerequisite
-
Compilation
-
Installation
-
Known Defects/Restrictions
-
The dns.conf File
-
Sample Applications
-
Library References
+
Prerequisite
+
Compilation
+
Installation
+
Known Defects/Restrictions
+
The dns.conf File
+
Sample Applications
+
Library References
@@ -648,7 +648,7 @@

-Prerequisite

+Prerequisite

GNU make is required to build the export libraries (other part of BIND 9 can still be built with other types of make). In the reminder of this document, "make" means GNU make. Note that @@ -657,7 +657,7 @@

-Compilation

+Compilation
 $ ./configure --enable-exportlib [other flags]
 $ make
@@ -672,7 +672,7 @@ $ make
 
 

-Installation

+Installation
 $ cd lib/export
 $ make install
@@ -694,7 +694,7 @@ $ make install
 
 

-Known Defects/Restrictions

+Known Defects/Restrictions
  • Currently, win32 is not supported for the export library. (Normal BIND 9 application can be built as @@ -734,7 +734,7 @@ $ make

-The dns.conf File

+The dns.conf File

The IRS library supports an "advanced" configuration file related to the DNS library for configuration parameters that would be beyond the capability of the @@ -752,14 +752,14 @@ $ make

-Sample Applications

+Sample Applications

Some sample application programs using this API are provided for reference. The following is a brief description of these applications.

-sample: a simple stub resolver utility

+sample: a simple stub resolver utility

It sends a query of a given name (of a given optional RR type) to a specified recursive server, and prints the result as a list of @@ -823,7 +823,7 @@ $ make

-sample-async: a simple stub resolver, working asynchronously

+sample-async: a simple stub resolver, working asynchronously

Similar to "sample", but accepts a list of (query) domain names as a separate file and resolves the names @@ -856,7 +856,7 @@ $ make consists of a single domain name. Example:


  www.example.com
-  mx.examle.net
+  mx.example.net
  ns.xxx.example

@@ -864,7 +864,7 @@ $ make

-sample-request: a simple DNS transaction client

+sample-request: a simple DNS transaction client

It sends a query to a specified server, and prints the response with minimal processing. It doesn't act as a @@ -905,7 +905,7 @@ $ make

-sample-gai: getaddrinfo() and getnameinfo() test code

+sample-gai: getaddrinfo() and getnameinfo() test code

This is a test program to check getaddrinfo() and getnameinfo() behavior. It takes a @@ -922,7 +922,7 @@ $ make

-sample-update: a simple dynamic update client program

+sample-update: a simple dynamic update client program

It accepts a single update command as a command-line argument, sends an update request message to the @@ -1017,7 +1017,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm

-nsprobe: domain/name server checker in terms of RFC 4074

+nsprobe: domain/name server checker in terms of RFC 4074

It checks a set of domains to see the name servers of the domains behave @@ -1074,7 +1074,7 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm

-Library References

+Library References

As of this writing, there is no formal "manual" of the libraries, except this document, header files (some of them provide pretty detailed explanations), and sample application diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index f010db7c88..ad13583dfa 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -251,13 +251,13 @@

BIND 9 DNS Library Support
-
Prerequisite
-
Compilation
-
Installation
-
Known Defects/Restrictions
-
The dns.conf File
-
Sample Applications
-
Library References
+
Prerequisite
+
Compilation
+
Installation
+
Known Defects/Restrictions
+
The dns.conf File
+
Sample Applications
+
Library References
I. Manual pages
diff --git a/doc/arm/dlz.xml b/doc/arm/dlz.xml index 74a9f2a500..d98bc698f9 100644 --- a/doc/arm/dlz.xml +++ b/doc/arm/dlz.xml @@ -1,6 +1,6 @@