From 781e3c87897b6a488a6808906a07c7eed950728e Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Mon, 15 Mar 2004 06:58:33 +0000
Subject: [PATCH 001/146] dd EXCLUDED
---
 util/kit.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/util/kit.sh b/util/kit.sh
index 0d2f4e6c9f..b2c7f18cf2 100644
--- a/util/kit.sh
+++ b/util/kit.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
-# $Id: kit.sh,v 1.26 2004/03/05 05:14:16 marka Exp $
+# $Id: kit.sh,v 1.27 2004/03/15 06:58:33 marka Exp $
 # Make a release kit
 #
@@ -114,7 +114,7 @@ fi
 # we still delete them from releases just in case something
 # gets accidentally resurrected.
-rm -rf TODO conftools util doc/design doc/dev doc/expired \
+rm -rf TODO EXCLUDED conftools util doc/design doc/dev doc/expired \
 	doc/html doc/todo doc/private bin/lwresd doc/man \
 	lib/lwres/man/resolver.5 \
 	bin/tests/system/relay lib/cfg
From 1fa26403d7679235a30fbf6289f68fed5872df30 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Tue, 16 Mar 2004 05:22:33 +0000
Subject: [PATCH 002/146] copyright
---
 bin/dnssec/dnssec-signzone.8 | 8 +-
 bin/dnssec/dnssec-signzone.html | 33 ++++-
 config.h.win32 | 20 +--
 doc/arm/Bv9ARM-book.xml | 10 +-
 doc/arm/Bv9ARM.ch06.html | 114 +++++++++++-------
 doc/arm/Bv9ARM.ch07.html | 8 +-
 doc/arm/Bv9ARM.ch08.html | 14 +--
 doc/arm/Bv9ARM.ch09.html | 108 ++++++++---------
 doc/arm/Bv9ARM.html | 42 +++----
 doc/misc/options | 6 +-
 lib/bind/configure.in | 20 +--
 lib/bind/make/includes.in | 20 +--
 lib/bind/make/rules.in | 20 +--
 lib/bind/nameser/Makefile.in | 18 +--
 lib/bind/port/aix32/include/Makefile.in | 18 +--
 lib/bind/port/aix4/include/Makefile.in | 18 +--
 lib/bind/port/aux3/include/Makefile.in | 18 +--
 lib/bind/port/bsdos/include/Makefile.in | 18 +--
 lib/bind/port/bsdos2/include/Makefile.in | 18 +--
 lib/bind/port/darwin/include/Makefile.in | 18 +--
 lib/bind/port/decunix/include/Makefile.in | 18 +--
 lib/bind/port/freebsd/include/Makefile.in | 18 +--
 lib/bind/port/hpux/include/Makefile.in | 18 +--
 lib/bind/port/hpux10/include/Makefile.in | 18 +--
 lib/bind/port/hpux9/include/Makefile.in | 18 +--
 lib/bind/port/irix/include/Makefile.in | 18 +--
 lib/bind/port/irix/include/paths.h | 19 +++
 lib/bind/port/linux/include/Makefile.in | 18 +--
 lib/bind/port/lynxos/include/Makefile.in | 18 +--
 lib/bind/port/mpe/include/Makefile.in | 18 +--
 lib/bind/port/netbsd/include/Makefile.in | 18 +--
 lib/bind/port/next/include/Makefile.in | 18 +--
 lib/bind/port/openbsd/include/Makefile.in | 18 +--
 lib/bind/port/qnx/include/Makefile.in | 18 +--
 lib/bind/port/rhapsody/include/Makefile.in | 18 +--
 lib/bind/port/sco42/include/Makefile.in | 18 +--
 lib/bind/port/sco50/include/Makefile.in | 18 +--
 lib/bind/port/solaris/include/Makefile.in | 18 +--
 lib/bind/port/solaris/include/sys/bitypes.h | 20 +--
 lib/bind/port/sunos/include/Makefile.in | 18 +--
 lib/bind/port/ultrix/include/Makefile.in | 18 +--
 lib/bind/port/unixware20/include/Makefile.in | 18 +--
 lib/bind/port/unixware212/include/Makefile.in | 18 +--
 lib/bind/port/unixware7/include/Makefile.in | 18 +--
 lib/bind/port/unknown/include/Makefile.in | 14 +++
 lib/bind/resolv/Makefile.in | 18 +--
 lib/dns/rdata/generic/dlv_65323.c | 19 ++-
 lib/dns/rdata/generic/dlv_65323.h | 19 ++-
 lib/win32/bindevt/bindevt.mc | 22 ++--
 util/copyrights | 76 ++++++------
 util/update_copyrights | 5 +-
 51 files changed, 624 insertions(+), 533 deletions(-)
diff --git a/bin/dnssec/dnssec-signzone.8 b/bin/dnssec/dnssec-signzone.8
index df295772d8..966b89ec06 100644
--- a/bin/dnssec/dnssec-signzone.8
+++ b/bin/dnssec/dnssec-signzone.8
@@ -13,14 +13,14 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-signzone.8,v 1.27 2004/03/05 12:40:36 marka Exp $
+.\" $Id: dnssec-signzone.8,v 1.28 2004/03/16 05:22:15 marka Exp $
 .\"
 .TH "DNSSEC-SIGNZONE" "8" "June 30, 2000" "BIND9" ""
 .SH NAME
 dnssec-signzone \- DNSSEC zone signing tool
 .SH SYNOPSIS
 .sp
-\fBdnssec-signzone\fR [ \fB-a\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-d \fIdirectory\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-f \fIoutput-file\fB\fR ] [ \fB-g\fR ] [ \fB-h\fR ] [ \fB-k \fIkey\fB\fR ] [ \fB-i \fIinterval\fB\fR ] [ \fB-n \fInthreads\fB\fR ] [ \fB-o \fIorigin\fB\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-t\fR ] [ \fB-v \fIlevel\fB\fR ] [ \fB-z\fR ] \fBzonefile\fR [ \fBkey\fR\fI...\fR ]
+\fBdnssec-signzone\fR [ \fB-a\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-d \fIdirectory\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-f \fIoutput-file\fB\fR ] [ \fB-g\fR ] [ \fB-h\fR ] [ \fB-k \fIkey\fB\fR ] [ \fB-l \fIdomain\fB\fR ] [ \fB-i \fIinterval\fB\fR ] [ \fB-n \fInthreads\fB\fR ] [ \fB-o \fIorigin\fB\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-t\fR ] [ \fB-v \fIlevel\fB\fR ] [ \fB-z\fR ] \fBzonefile\fR [ \fBkey\fR\fI...\fR ]
 .SH "DESCRIPTION"
 .PP
 \fBdnssec-signzone\fR signs a zone. It generates NSEC
@@ -43,6 +43,10 @@ Specifies the DNS class of the zone. Treat specified key as a key signing key ignoring any key flags. This option may be specified multiple times.
 .TP
+\fB-l \fIdomain\fB\fR
+Generate a DLV set in addition to the key (DNSKEY) and DS sets.
+The domain is appended to the name of the records.
+.TP
 \fB-d \fIdirectory\fB\fR
 Look for \fIsignedkey\fR files in \fBdirectory\fR as the directory
diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html
index 0578ddaece..575ef8e71c 100644
--- a/bin/dnssec/dnssec-signzone.html
+++ b/bin/dnssec/dnssec-signzone.html
@@ -15,7 +15,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + ] [-l domain] [-i
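Review bot: The second sentence of the new `-l` entry, `The domain is appended to the name of the records.`, does not say which records receive the suffix, and an operator setting up lookaside validation has to get this name exactly right. The ARM text later in this same commit describes the validator appending the dnssec-lookaside domain to the DNSKEY owner name and looking up a DLV record there, so presumably the generated DLV set is named the same way; if so, say it directly: `The DLV records are named by appending \fIdomain\fR to the zone's DNSKEY owner name, which is where a validator configured with dnssec-lookaside will look for them.` The HTML rendering, dnssec-signzone.html, carries the identical sentence further down in this commit and needs the same wording. As a point of style, the option is placed between -k and -d here but between -k and -i in the SYNOPSIS; one order in both places would make it easier to find.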

DESCRIPTION

OPTIONS

-l domain

Generate a DLV set in addition to the key (DNSKEY) and DS sets. + The domain is appended to the name of the records. +

-d

EXAMPLE

SEE ALSO

AUTHOR

- + BIND 9 Administrator Reference Manual -2000-2003 -Internet Software Consortium - - 2004 Internet Systems Consortium, Inc. ("ISC") + +2000-2003 +Internet Software Consortium + diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index d0b512b935..1ce18a18fb 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -94,7 +94,7 @@ HREF="Bv9ARM.ch06.html#Configuration_File_Grammar" >
6.3. Zone File
] [ enable-dnssec dnssec-enable yes_or_no] [ dnssec-lookaside domain; ] + [ forward (
dnssec-lookaside

When set dnssec-lookaside provides the +validator with an alternate method to validate DNSKEY records at the +top of a zone. When set the domain specified by +dnssec-lookaside is appended to DNSKEY's +name and a DLV record is looked up. If the DLV record validates +a DNSKEY (similarly to the way a DS record does) the DNSKEY RRset is deemed to be trusted. +

enable-dnssecdnssec-enable

6.2.16.2. Forwarding

6.2.16.3. 6 to 4 Servers

6.2.16.5. Interfaces

6.2.16.6. Query Address

6.2.16.8. Bad UDP Port Lists

6.2.16.9. Operating System Resource Limits

6.2.16.10. Server Resource Limits

6.2.16.11. Periodic Task Intervals

6.2.19. trusted-keys

6.2.20. trusted-keys

6.2.22. view

6.2.24. zone

6.2.24.1. Zone Types

6.2.24.2. Class

6.2.24.3. Zone Options

6.3. Zone File

6.3.1.1. Resource Records

6.3.1.2. Textual expression of RRs

6.3.2. Discussion of MX Records

6.3.4. Inverse Mapping in IPv4

6.3.5. Other Zone File Directives

6.3.5.1. The $ORIGIN

6.3.5.2. The $INCLUDE

6.3.5.3. The $TTL

6.3.6. BIND

7.2. chroot

7.2. chroot

7.2.1. The chroot

7.2.2. Using the setuid

8.1. Common Problems
8.2. Incrementing and Changing the Serial Number
8.3. Where Can I Get Help?

8.1. Common Problems

8.1.1. It's not working; how can I figure out what's wrong?

8.2. Incrementing and Changing the Serial Number

8.3. Where Can I Get Help?

A.1. Acknowledgments

A.1. Acknowledgments

A.1.1. A Brief History of the DNS

Bibliography

Standards

[RFC974] 

[RFC1034] 

[RFC1035] 

[RFC2181] 

[RFC2308] 

[RFC1995] 

[RFC1996] 

[RFC2136] 

[RFC2845] 

Proposed Standards Still Under Development

[RFC1886] 

[RFC2065] 

[RFC2137] 

Other Important RFCs About DNS

[RFC1535] 

[RFC1536] 

[RFC1982] 

Resource Record Types

[RFC1183] 

[RFC1706] 

[RFC2168] 

[RFC1876] 

[RFC2052] 

[RFC2163] 

[RFC2230] 

DNS

[RFC1101] 

[RFC1123] 

[RFC1591] 

[RFC2317] 

DNS

[RFC1537] 

[RFC1912] 

[RFC2010] 

[RFC2219] 

Other DNS

[RFC1464] 

[RFC1713] 

[RFC1794] 

[RFC2240] 

[RFC2345] 

[RFC2352] 

Obsolete and Unimplemented Experimental RRs

[RFC1712] 

A.3.3. Other Documents About BIND

Bibliography

Copyright © 2004 by Internet Systems Consortium, Inc. ("ISC")

Copyright © 2000-2003 by Internet Software Consortium


6.2.19. trusted-keys
6.2.20. trusted-keys
6.2.22. view
6.2.24. zone

6.3. Zone File
6.3.2. Discussion of MX Records
6.3.4. Inverse Mapping in IPv4
6.3.5. Other Zone File Directives
6.3.6. BIND
7.2. chroot
7.2.1. The chroot
7.2.2. Using the setuid
8.1. Common Problems
8.1.1. It's not working; how can I figure out what's wrong?
8.2. Incrementing and Changing the Serial Number
8.3. Where Can I Get Help?
A.1. Acknowledgments
A.1.1. A Brief History of the DNS
A.3.3. Other Documents About BIND; root-delegation-only [ exclude { ; ... } ]; disable-algorithms { ; ... }; - enable-dnssec ; + dnssec-enable ; + dnssec-lookaside ; allow-query { ; ... }; allow-transfer { ; ... }; allow-update-forwarding { ; ... }; @@ -259,7 +260,8 @@ view { edns-udp-size ; root-delegation-only [ exclude { ; ... } ]; disable-algorithms { ; ... }; - enable-dnssec ; + dnssec-enable ; + dnssec-lookaside ; allow-query { ; ... }; allow-transfer { ; ... }; allow-update-forwarding { ; ... }; diff --git a/lib/bind/configure.in b/lib/bind/configure.in index 01a2c7b42a..028d7628ef 100644 --- a/lib/bind/configure.in +++ b/lib/bind/configure.in 
@@ -1,19 +1,19 @@ -# Copyright (C) 1998-2001 Internet Software Consortium. +# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2001 Internet Software Consortium. # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # -# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. -AC_REVISION($Revision: 1.89 $) +AC_REVISION($Revision: 1.90 $) AC_INIT(resolv/herror.c) AC_PREREQ(2.13) diff --git a/lib/bind/make/includes.in b/lib/bind/make/includes.in index d471656246..d7e21cb36f 100644 --- a/lib/bind/make/includes.in +++ b/lib/bind/make/includes.in 
@@ -1,19 +1,19 @@ -# Copyright (C) 1999-2001 Internet Software Consortium. +# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2001 Internet Software Consortium. # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # -# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. -# $Id: includes.in,v 1.1 2001/03/29 06:31:55 marka Exp $ +# $Id: includes.in,v 1.2 2004/03/16 05:22:19 marka Exp $ # Search for machine-generated header files in the build tree, # and for normal headers in the source tree (${top_srcdir}). diff --git a/lib/bind/make/rules.in b/lib/bind/make/rules.in index 53821da219..7000fd3492 100644 --- a/lib/bind/make/rules.in +++ b/lib/bind/make/rules.in 
@@ -1,19 +1,19 @@ -# Copyright (C) 1998-2001 Internet Software Consortium. +# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2001 Internet Software Consortium. # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # -# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. -# $Id: rules.in,v 1.8 2004/03/05 03:10:55 marka Exp $ +# $Id: rules.in,v 1.9 2004/03/16 05:22:19 marka Exp $ ### ### Common Makefile rules for BIND 9. diff --git a/lib/bind/nameser/Makefile.in b/lib/bind/nameser/Makefile.in index 930078ef44..d033eee1ea 100644 --- a/lib/bind/nameser/Makefile.in +++ b/lib/bind/nameser/Makefile.in 
@@ -1,19 +1,19 @@ +# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2001 Internet Software Consortium. # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # -# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.4 2001/08/09 05:59:43 marka Exp $ +# $Id: Makefile.in,v 1.5 2004/03/16 05:22:19 marka Exp $ srcdir= @srcdir@ VPATH = @srcdir@ diff --git a/lib/bind/port/aix32/include/Makefile.in b/lib/bind/port/aix32/include/Makefile.in index 4d09fe27b8..7aa1048fdc 100644 --- a/lib/bind/port/aix32/include/Makefile.in +++ b/lib/bind/port/aix32/include/Makefile.in 
@@ -1,19 +1,19 @@ +# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2001 Internet Software Consortium. # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # -# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.1 2001/06/29 15:25:16 marka Exp $ +# $Id: Makefile.in,v 1.2 2004/03/16 05:22:19 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/lib/bind/port/aix4/include/Makefile.in b/lib/bind/port/aix4/include/Makefile.in index 4d09fe27b8..bc78ba890f 100644 --- a/lib/bind/port/aix4/include/Makefile.in +++ b/lib/bind/port/aix4/include/Makefile.in 
@@ -1,19 +1,19 @@ +# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2001 Internet Software Consortium. # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # -# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.1 2001/06/29 15:25:16 marka Exp $ +# $Id: Makefile.in,v 1.2 2004/03/16 05:22:20 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/lib/bind/port/aux3/include/Makefile.in b/lib/bind/port/aux3/include/Makefile.in index 334d6f19b1..b823549519 100644 --- a/lib/bind/port/aux3/include/Makefile.in +++ b/lib/bind/port/aux3/include/Makefile.in 
@@ -1,19 +1,19 @@ +# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2001 Internet Software Consortium. # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # -# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.1 2001/06/29 15:25:17 marka Exp $ +# $Id: Makefile.in,v 1.2 2004/03/16 05:22:20 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/lib/bind/port/bsdos/include/Makefile.in b/lib/bind/port/bsdos/include/Makefile.in index 088e514a5c..ae026dd50b 100644 --- a/lib/bind/port/bsdos/include/Makefile.in +++ b/lib/bind/port/bsdos/include/Makefile.in 
@@ -1,19 +1,19 @@ +# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2001 Internet Software Consortium. # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # -# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.1 2001/06/29 15:25:18 marka Exp $ +# $Id: Makefile.in,v 1.2 2004/03/16 05:22:21 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/lib/bind/port/bsdos2/include/Makefile.in b/lib/bind/port/bsdos2/include/Makefile.in index 088e514a5c..ae026dd50b 100644 --- a/lib/bind/port/bsdos2/include/Makefile.in +++ b/lib/bind/port/bsdos2/include/Makefile.in 
@@ -1,19 +1,19 @@ +# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2001 Internet Software Consortium. # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # -# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.1 2001/06/29 15:25:18 marka Exp $ +# $Id: Makefile.in,v 1.2 2004/03/16 05:22:21 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/lib/bind/port/darwin/include/Makefile.in b/lib/bind/port/darwin/include/Makefile.in index 088e514a5c..ae026dd50b 100644 --- a/lib/bind/port/darwin/include/Makefile.in +++ b/lib/bind/port/darwin/include/Makefile.in 
@@ -1,19 +1,19 @@ +# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2001 Internet Software Consortium. # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # -# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.1 2001/06/29 15:25:18 marka Exp $ +# $Id: Makefile.in,v 1.2 2004/03/16 05:22:21 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/lib/bind/port/decunix/include/Makefile.in b/lib/bind/port/decunix/include/Makefile.in index 22b548f3f1..04c315ef5b 100644 --- a/lib/bind/port/decunix/include/Makefile.in +++ b/lib/bind/port/decunix/include/Makefile.in 
@@ -1,19 +1,19 @@ +# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2001 Internet Software Consortium. # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # -# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.1 2001/06/29 15:25:19 marka Exp $ +# $Id: Makefile.in,v 1.2 2004/03/16 05:22:22 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/lib/bind/port/freebsd/include/Makefile.in b/lib/bind/port/freebsd/include/Makefile.in index 823474f74b..68bef09d90 100644 --- a/lib/bind/port/freebsd/include/Makefile.in +++ b/lib/bind/port/freebsd/include/Makefile.in 
@@ -1,19 +1,19 @@ +# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2001 Internet Software Consortium. # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # -# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.1 2001/06/29 15:25:19 marka Exp $ +# $Id: Makefile.in,v 1.2 2004/03/16 05:22:22 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/lib/bind/port/hpux/include/Makefile.in b/lib/bind/port/hpux/include/Makefile.in index 17e95ce6f2..ecf852cbef 100644 --- a/lib/bind/port/hpux/include/Makefile.in +++ b/lib/bind/port/hpux/include/Makefile.in 
@@ -1,19 +1,19 @@ +# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2001 Internet Software Consortium. # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # -# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.1 2001/06/29 15:25:19 marka Exp $ +# $Id: Makefile.in,v 1.2 2004/03/16 05:22:22 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/lib/bind/port/hpux10/include/Makefile.in b/lib/bind/port/hpux10/include/Makefile.in index b4a3d94a30..9f61cc6aeb 100644 --- a/lib/bind/port/hpux10/include/Makefile.in +++ b/lib/bind/port/hpux10/include/Makefile.in 
@@ -1,19 +1,19 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001 Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
-# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.1 2001/06/29 15:25:19 marka Exp $
+# $Id: Makefile.in,v 1.2 2004/03/16 05:22:23 marka Exp $
 srcdir = @srcdir@
 VPATH = @srcdir@
diff --git a/lib/bind/port/hpux9/include/Makefile.in b/lib/bind/port/hpux9/include/Makefile.in
index 279c1e1122..9f61cc6aeb 100644
--- a/lib/bind/port/hpux9/include/Makefile.in
+++ b/lib/bind/port/hpux9/include/Makefile.in
@@ -1,19 +1,19 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001 Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
-# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.1 2001/06/29 15:25:20 marka Exp $
+# $Id: Makefile.in,v 1.2 2004/03/16 05:22:23 marka Exp $
 srcdir = @srcdir@
 VPATH = @srcdir@
diff --git a/lib/bind/port/irix/include/Makefile.in b/lib/bind/port/irix/include/Makefile.in
index 9c323e20a2..14251347af 100644
--- a/lib/bind/port/irix/include/Makefile.in
+++ b/lib/bind/port/irix/include/Makefile.in
@@ -1,19 +1,19 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001 Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
-# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.2 2001/10/22 00:40:47 marka Exp $
+# $Id: Makefile.in,v 1.3 2004/03/16 05:22:23 marka Exp $
 srcdir = @srcdir@
 VPATH = @srcdir@
diff --git a/lib/bind/port/irix/include/paths.h b/lib/bind/port/irix/include/paths.h
index 7ec03327e1..f8ef579694 100644
--- a/lib/bind/port/irix/include/paths.h
+++ b/lib/bind/port/irix/include/paths.h
@@ -1,2 +1,21 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: paths.h,v 1.4 2004/03/16 05:22:24 marka Exp $ */
+
 #define _PATH_DEVNULL "/dev/null"
diff --git a/lib/bind/port/linux/include/Makefile.in b/lib/bind/port/linux/include/Makefile.in
index e309cd6459..a3dbf5d474 100644
--- a/lib/bind/port/linux/include/Makefile.in
+++ b/lib/bind/port/linux/include/Makefile.in
@@ -1,19 +1,19 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001 Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
-# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.2 2001/08/20 07:44:49 marka Exp $
+# $Id: Makefile.in,v 1.3 2004/03/16 05:22:24 marka Exp $
 srcdir = @srcdir@
 VPATH = @srcdir@
diff --git a/lib/bind/port/lynxos/include/Makefile.in b/lib/bind/port/lynxos/include/Makefile.in
index 508c1cb962..e755bb6c98 100644
--- a/lib/bind/port/lynxos/include/Makefile.in
+++ b/lib/bind/port/lynxos/include/Makefile.in
@@ -1,19 +1,19 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001 Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
-# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.1 2001/06/29 15:25:21 marka Exp $
+# $Id: Makefile.in,v 1.2 2004/03/16 05:22:24 marka Exp $
 srcdir = @srcdir@
 VPATH = @srcdir@
diff --git a/lib/bind/port/mpe/include/Makefile.in b/lib/bind/port/mpe/include/Makefile.in
index a9fa2ba788..44d68c4b6e 100644
--- a/lib/bind/port/mpe/include/Makefile.in
+++ b/lib/bind/port/mpe/include/Makefile.in
@@ -1,19 +1,19 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001 Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
-# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.2 2001/08/20 07:44:52 marka Exp $
+# $Id: Makefile.in,v 1.3 2004/03/16 05:22:25 marka Exp $
 srcdir = @srcdir@
 VPATH = @srcdir@
diff --git a/lib/bind/port/netbsd/include/Makefile.in b/lib/bind/port/netbsd/include/Makefile.in
index 119cf0f7f1..3b78127ee6 100644
--- a/lib/bind/port/netbsd/include/Makefile.in
+++ b/lib/bind/port/netbsd/include/Makefile.in
@@ -1,19 +1,19 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001 Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
-# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.1 2001/06/29 15:25:21 marka Exp $
+# $Id: Makefile.in,v 1.2 2004/03/16 05:22:25 marka Exp $
 srcdir = @srcdir@
 VPATH = @srcdir@
diff --git a/lib/bind/port/next/include/Makefile.in b/lib/bind/port/next/include/Makefile.in
index f6d59f7bdf..662b0e3899 100644
--- a/lib/bind/port/next/include/Makefile.in
+++ b/lib/bind/port/next/include/Makefile.in
@@ -1,19 +1,19 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001 Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
-# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.1 2001/06/29 15:25:22 marka Exp $
+# $Id: Makefile.in,v 1.2 2004/03/16 05:22:25 marka Exp $
 srcdir = @srcdir@
 VPATH = @srcdir@
diff --git a/lib/bind/port/openbsd/include/Makefile.in b/lib/bind/port/openbsd/include/Makefile.in
index a4540a7336..1c5d2a2836 100644
--- a/lib/bind/port/openbsd/include/Makefile.in
+++ b/lib/bind/port/openbsd/include/Makefile.in
@@ -1,19 +1,19 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001 Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
-# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.1 2001/06/29 15:25:22 marka Exp $
+# $Id: Makefile.in,v 1.2 2004/03/16 05:22:26 marka Exp $
 srcdir = @srcdir@
 VPATH = @srcdir@
diff --git a/lib/bind/port/qnx/include/Makefile.in b/lib/bind/port/qnx/include/Makefile.in
index e9ea80abd8..831f625804 100644
--- a/lib/bind/port/qnx/include/Makefile.in
+++ b/lib/bind/port/qnx/include/Makefile.in
@@ -1,19 +1,19 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001 Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
-# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.2 2001/08/20 07:44:53 marka Exp $
+# $Id: Makefile.in,v 1.3 2004/03/16 05:22:26 marka Exp $
 srcdir = @srcdir@
 VPATH = @srcdir@
diff --git a/lib/bind/port/rhapsody/include/Makefile.in b/lib/bind/port/rhapsody/include/Makefile.in
index 1029814da5..7634a401fa 100644
--- a/lib/bind/port/rhapsody/include/Makefile.in
+++ b/lib/bind/port/rhapsody/include/Makefile.in
@@ -1,19 +1,19 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001 Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
-# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.1 2001/06/29 15:25:22 marka Exp $
+# $Id: Makefile.in,v 1.2 2004/03/16 05:22:26 marka Exp $
 srcdir = @srcdir@
 VPATH = @srcdir@
diff --git a/lib/bind/port/sco42/include/Makefile.in b/lib/bind/port/sco42/include/Makefile.in
index 394bb029d8..8d3e229e00 100644
--- a/lib/bind/port/sco42/include/Makefile.in
+++ b/lib/bind/port/sco42/include/Makefile.in
@@ -1,19 +1,19 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001 Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
-# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.1 2001/06/29 15:25:23 marka Exp $
+# $Id: Makefile.in,v 1.2 2004/03/16 05:22:27 marka Exp $
 srcdir = @srcdir@
 VPATH = @srcdir@
diff --git a/lib/bind/port/sco50/include/Makefile.in b/lib/bind/port/sco50/include/Makefile.in
index 8e39b3eb2a..bc08b64fbb 100644
--- a/lib/bind/port/sco50/include/Makefile.in
+++ b/lib/bind/port/sco50/include/Makefile.in
@@ -1,19 +1,19 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001 Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
-# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.1 2001/06/29 15:25:23 marka Exp $
+# $Id: Makefile.in,v 1.2 2004/03/16 05:22:27 marka Exp $
 srcdir = @srcdir@
 VPATH = @srcdir@
diff --git a/lib/bind/port/solaris/include/Makefile.in b/lib/bind/port/solaris/include/Makefile.in
index 1f3674b36b..928d73c40d 100644
--- a/lib/bind/port/solaris/include/Makefile.in
+++ b/lib/bind/port/solaris/include/Makefile.in
@@ -1,19 +1,19 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001 Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
-# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.1 2001/06/29 15:25:24 marka Exp $
+# $Id: Makefile.in,v 1.2 2004/03/16 05:22:27 marka Exp $
 srcdir = @srcdir@
 VPATH = @srcdir@
diff --git a/lib/bind/port/solaris/include/sys/bitypes.h b/lib/bind/port/solaris/include/sys/bitypes.h
index fe1daf0f1c..27ce345685 100644
--- a/lib/bind/port/solaris/include/sys/bitypes.h
+++ b/lib/bind/port/solaris/include/sys/bitypes.h
@@ -1,20 +1,22 @@
 /*
- * Copyright (c) 1996-1999 by Internet Software Consortium.
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001 Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
- * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
  */
+/* $Id: bitypes.h,v 1.3 2004/03/16 05:22:28 marka Exp $ */
+
 #ifndef __BIT_TYPES_DEFINED__
 #define __BIT_TYPES_DEFINED__
diff --git a/lib/bind/port/sunos/include/Makefile.in b/lib/bind/port/sunos/include/Makefile.in
index 23a5e472d3..51efec2389 100644
--- a/lib/bind/port/sunos/include/Makefile.in
+++ b/lib/bind/port/sunos/include/Makefile.in
@@ -1,19 +1,19 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001 Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
-# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.1 2001/06/29 15:25:24 marka Exp $
+# $Id: Makefile.in,v 1.2 2004/03/16 05:22:28 marka Exp $
 srcdir = @srcdir@
 VPATH = @srcdir@
diff --git a/lib/bind/port/ultrix/include/Makefile.in b/lib/bind/port/ultrix/include/Makefile.in
index cd1cfc0150..862f29fe5e 100644
--- a/lib/bind/port/ultrix/include/Makefile.in
+++ b/lib/bind/port/ultrix/include/Makefile.in
@@ -1,19 +1,19 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001 Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
-# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.1 2001/06/29 15:25:24 marka Exp $
+# $Id: Makefile.in,v 1.2 2004/03/16 05:22:29 marka Exp $
 srcdir = @srcdir@
 VPATH = @srcdir@
diff --git a/lib/bind/port/unixware20/include/Makefile.in b/lib/bind/port/unixware20/include/Makefile.in
index 58891feae2..c4a8b5f80b 100644
--- a/lib/bind/port/unixware20/include/Makefile.in
+++ b/lib/bind/port/unixware20/include/Makefile.in
@@ -1,19 +1,19 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001 Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
-# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.1 2001/06/29 15:25:25 marka Exp $
+# $Id: Makefile.in,v 1.2 2004/03/16 05:22:29 marka Exp $
 srcdir = @srcdir@
 VPATH = @srcdir@
diff --git a/lib/bind/port/unixware212/include/Makefile.in b/lib/bind/port/unixware212/include/Makefile.in
index 58891feae2..c4a8b5f80b 100644
--- a/lib/bind/port/unixware212/include/Makefile.in
+++ b/lib/bind/port/unixware212/include/Makefile.in
@@ -1,19 +1,19 @@ +# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2001 Internet Software Consortium. # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # -# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.1 2001/06/29 15:25:25 marka Exp $ +# $Id: Makefile.in,v 1.2 2004/03/16 05:22:29 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/lib/bind/port/unixware7/include/Makefile.in b/lib/bind/port/unixware7/include/Makefile.in index bddcc13896..eb9cc49ba3 100644 --- a/lib/bind/port/unixware7/include/Makefile.in +++ b/lib/bind/port/unixware7/include/Makefile.in 
@@ -1,19 +1,19 @@ +# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2001 Internet Software Consortium. # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # -# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.1 2001/06/29 15:25:25 marka Exp $ +# $Id: Makefile.in,v 1.2 2004/03/16 05:22:30 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/lib/bind/port/unknown/include/Makefile.in b/lib/bind/port/unknown/include/Makefile.in index e69de29bb2..99e5985489 100644 --- a/lib/bind/port/unknown/include/Makefile.in +++ b/lib/bind/port/unknown/include/Makefile.in 
@@ -0,0 +1,14 @@ +# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2001 Internet Software Consortium. +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. diff --git a/lib/bind/resolv/Makefile.in b/lib/bind/resolv/Makefile.in index 056092b8ad..fe3a2aebdc 100644 --- a/lib/bind/resolv/Makefile.in +++ b/lib/bind/resolv/Makefile.in 
@@ -1,19 +1,19 @@ +# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2001 Internet Software Consortium. # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # -# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.3 2001/08/09 05:59:45 marka Exp $ +# $Id: Makefile.in,v 1.4 2004/03/16 05:22:30 marka Exp $ srcdir= @srcdir@ VPATH = @srcdir@ diff --git a/lib/dns/rdata/generic/dlv_65323.c b/lib/dns/rdata/generic/dlv_65323.c index dba117dbb7..19b46870e2 100644 --- a/lib/dns/rdata/generic/dlv_65323.c +++ b/lib/dns/rdata/generic/dlv_65323.c 
@@ -1,21 +1,20 @@ /* - * Copyright (C) 1999-2001 Internet Software Consortium. + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dlv_65323.c,v 1.2 2004/03/10 02:19:56 marka Exp $ */ +/* $Id: dlv_65323.c,v 1.3 2004/03/16 05:22:30 marka Exp $ */ /* draft-ietf-dnsext-delegation-signer-05.txt */ diff --git a/lib/dns/rdata/generic/dlv_65323.h b/lib/dns/rdata/generic/dlv_65323.h index 1702afb8d7..90f3b13795 100644 --- a/lib/dns/rdata/generic/dlv_65323.h +++ b/lib/dns/rdata/generic/dlv_65323.h 
@@ -1,21 +1,20 @@ /* - * Copyright (C) 1999-2001 Internet Software Consortium. + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dlv_65323.h,v 1.2 2004/03/10 02:19:57 marka Exp $ */ +/* $Id: dlv_65323.h,v 1.3 2004/03/16 05:22:31 marka Exp $ */ /* draft-ietf-dnsext-delegation-signer-05.txt */ #ifndef GENERIC_DLV_65323_H diff --git a/lib/win32/bindevt/bindevt.mc b/lib/win32/bindevt/bindevt.mc index 7943ab8324..241d4062ab 100644 --- a/lib/win32/bindevt/bindevt.mc +++ b/lib/win32/bindevt/bindevt.mc 
@@ -1,19 +1,19 @@ -; -; Copyright (C) 2000, 2001 Internet Software Consortium. +; Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +; Copyright (C) 2001 Internet Software Consortium. ; ; Permission to use, copy, modify, and distribute this software for any ; purpose with or without fee is hereby granted, provided that the above ; copyright notice and this permission notice appear in all copies. ; -; THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -; DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -; IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -; INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -; FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -; NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -; WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: bindevt.mc,v 1.2 2004/03/16 05:22:31 marka Exp $ MessageIdTypedef=DWORD diff --git a/util/copyrights b/util/copyrights index 256f542943..d8adeea0f6 100644 --- a/util/copyrights +++ b/util/copyrights @@ -1,6 +1,6 @@ ./.cvsignore X 1999,2000,2001 ./CHANGES X 2000,2001 -./COPYRIGHT X 1996,1997,1998,1999,2000,2001,2002,2003,2004 +./COPYRIGHT TXT 1996,1997,1998,1999,2000,2001,2002,2003,2004 ./FAQ X 2000,2001 ./Makefile.in MAKE 1998,1999,2000,2001,2002,2004 ./README X 1999,2000,2001 
@@ -784,7 +784,7 @@ ./bin/win32/BINDInstall/resource.h X 2001 ./config.guess X 1999,2000,2001 ./config.h.in X 1999,2000,2001 -./config.h.win32 X 1999,2000,2001 +./config.h.win32 C 1999,2000,2001 ./config.sub X 1999,2000,2001 ./configure X 1998,1999,2000,2001 ./configure.in SH 1998,1999,2000,2001,2002,2003,2004 @@ -1145,7 +1145,7 @@ ./lib/bind/bsd/writev.c X 2001 ./lib/bind/config.h.in X 2001 ./lib/bind/configure X 2001 -./lib/bind/configure.in X 2001 +./lib/bind/configure.in SH 2001 ./lib/bind/dst/.cvsignore X 2001 ./lib/bind/dst/Makefile.in MAKE 2001,2004 ./lib/bind/dst/dst_api.c X 2001 @@ -1301,12 +1301,12 @@ ./lib/bind/libtool.m4 X 2001 ./lib/bind/ltmain.sh X 2001 ./lib/bind/make/.cvsignore X 2001 -./lib/bind/make/includes.in X 2001 +./lib/bind/make/includes.in MAKE 2001 ./lib/bind/make/mkdep.in X 2001 -./lib/bind/make/rules.in X 2001 +./lib/bind/make/rules.in MAKE 2001 ./lib/bind/mkinstalldirs X 2001 ./lib/bind/nameser/.cvsignore X 2001 -./lib/bind/nameser/Makefile.in X 2001 +./lib/bind/nameser/Makefile.in MAKE 2001 ./lib/bind/nameser/ns_date.c X 2001 ./lib/bind/nameser/ns_name.c X 2001 ./lib/bind/nameser/ns_netint.c X 2001 
@@ -1321,31 +1321,31 @@ ./lib/bind/port/aix32/.cvsignore X 2001 ./lib/bind/port/aix32/Makefile.in MAKE 2001,2004 ./lib/bind/port/aix32/include/.cvsignore X 2001 -./lib/bind/port/aix32/include/Makefile.in X 2001 +./lib/bind/port/aix32/include/Makefile.in MAKE 2001 ./lib/bind/port/aix32/include/paths.h X 2001 ./lib/bind/port/aix32/include/sys/bitypes.h X 2001 ./lib/bind/port/aix32/include/sys/cdefs.h X 2001 ./lib/bind/port/aix4/.cvsignore X 2001 ./lib/bind/port/aix4/Makefile.in MAKE 2001,2004 ./lib/bind/port/aix4/include/.cvsignore X 2001 -./lib/bind/port/aix4/include/Makefile.in X 2001 +./lib/bind/port/aix4/include/Makefile.in MAKE 2001 ./lib/bind/port/aix4/include/sys/bitypes.h X 2001 ./lib/bind/port/aix4/include/sys/cdefs.h X 2001 ./lib/bind/port/aux3/.cvsignore X 2001 ./lib/bind/port/aux3/Makefile.in MAKE 2001,2004 ./lib/bind/port/aux3/include/.cvsignore X 2001 -./lib/bind/port/aux3/include/Makefile.in X 2001 +./lib/bind/port/aux3/include/Makefile.in MAKE 2001 ./lib/bind/port/aux3/include/sys/bitypes.h X 2001 ./lib/bind/port/aux3/include/sys/cdefs.h X 2001 ./lib/bind/port/bsdos/.cvsignore X 2001 ./lib/bind/port/bsdos/Makefile.in MAKE 2001,2004 ./lib/bind/port/bsdos/include/.cvsignore X 2001 -./lib/bind/port/bsdos/include/Makefile.in X 2001 +./lib/bind/port/bsdos/include/Makefile.in MAKE 2001 ./lib/bind/port/bsdos/include/sys/bitypes.h X 2001 ./lib/bind/port/bsdos2/.cvsignore X 2001 ./lib/bind/port/bsdos2/Makefile.in MAKE 2001,2004 ./lib/bind/port/bsdos2/include/.cvsignore X 2001 -./lib/bind/port/bsdos2/include/Makefile.in X 2001 +./lib/bind/port/bsdos2/include/Makefile.in MAKE 2001 ./lib/bind/port/bsdos2/include/sys/bitypes.h X 2001 ./lib/bind/port/cygwin/Makefile.in MAKE 2002,2004 ./lib/bind/port/cygwin/include/Makefile.in MAKE 2002,2004 
@@ -1364,62 +1364,62 @@ ./lib/bind/port/darwin/.cvsignore X 2001 ./lib/bind/port/darwin/Makefile.in MAKE 2001,2004 ./lib/bind/port/darwin/include/.cvsignore X 2001 -./lib/bind/port/darwin/include/Makefile.in X 2001 +./lib/bind/port/darwin/include/Makefile.in MAKE 2001 ./lib/bind/port/darwin/include/sys/bitypes.h X 2001 ./lib/bind/port/decunix/.cvsignore X 2001 ./lib/bind/port/decunix/Makefile.in MAKE 2001,2004 ./lib/bind/port/decunix/include/.cvsignore X 2001 -./lib/bind/port/decunix/include/Makefile.in X 2001 +./lib/bind/port/decunix/include/Makefile.in MAKE 2001 ./lib/bind/port/decunix/include/sys/bitypes.h X 2001 ./lib/bind/port/decunix/include/sys/cdefs.h X 2001 ./lib/bind/port/freebsd/.cvsignore X 2001 ./lib/bind/port/freebsd/Makefile.in MAKE 2001,2004 ./lib/bind/port/freebsd/include/.cvsignore X 2001 -./lib/bind/port/freebsd/include/Makefile.in X 2001 +./lib/bind/port/freebsd/include/Makefile.in MAKE 2001 ./lib/bind/port/freebsd/include/sys/bitypes.h X 2001 ./lib/bind/port/hpux/.cvsignore X 2001 ./lib/bind/port/hpux/Makefile.in MAKE 2001,2004 ./lib/bind/port/hpux/include/.cvsignore X 2001 -./lib/bind/port/hpux/include/Makefile.in X 2001 +./lib/bind/port/hpux/include/Makefile.in MAKE 2001 ./lib/bind/port/hpux/include/paths.h X 2001 ./lib/bind/port/hpux/include/sys/bitypes.h X 2001 ./lib/bind/port/hpux/include/sys/cdefs.h X 2001 ./lib/bind/port/hpux10/.cvsignore X 2001 ./lib/bind/port/hpux10/Makefile.in MAKE 2001,2004 ./lib/bind/port/hpux10/include/.cvsignore X 2001 -./lib/bind/port/hpux10/include/Makefile.in X 2001 +./lib/bind/port/hpux10/include/Makefile.in MAKE 2001 ./lib/bind/port/hpux10/include/paths.h X 2001 ./lib/bind/port/hpux10/include/sys/bitypes.h X 2001 ./lib/bind/port/hpux10/include/sys/cdefs.h X 2001 ./lib/bind/port/hpux9/.cvsignore X 2001 ./lib/bind/port/hpux9/Makefile.in MAKE 2001,2004 ./lib/bind/port/hpux9/include/.cvsignore X 2001 -./lib/bind/port/hpux9/include/Makefile.in X 2001 +./lib/bind/port/hpux9/include/Makefile.in MAKE 2001 
./lib/bind/port/hpux9/include/sys/bitypes.h X 2001 ./lib/bind/port/hpux9/include/sys/cdefs.h X 2001 ./lib/bind/port/irix/.cvsignore X 2001 ./lib/bind/port/irix/Makefile.in MAKE 2001,2004 ./lib/bind/port/irix/include/.cvsignore X 2001 -./lib/bind/port/irix/include/Makefile.in X 2001 +./lib/bind/port/irix/include/Makefile.in MAKE 2001 ./lib/bind/port/irix/include/paths.h C 2001,2004 ./lib/bind/port/irix/include/sys/bitypes.h X 2001 ./lib/bind/port/irix/include/sys/cdefs.h X 2001 ./lib/bind/port/linux/.cvsignore X 2001 ./lib/bind/port/linux/Makefile.in MAKE 2001,2004 ./lib/bind/port/linux/include/.cvsignore X 2001 -./lib/bind/port/linux/include/Makefile.in X 2001 +./lib/bind/port/linux/include/Makefile.in MAKE 2001 ./lib/bind/port/linux/include/net/route.h X 2001 ./lib/bind/port/linux/include/sys/mbuf.h X 2001 ./lib/bind/port/lynxos/.cvsignore X 2001 ./lib/bind/port/lynxos/Makefile.in MAKE 2001,2004 ./lib/bind/port/lynxos/include/.cvsignore X 2001 -./lib/bind/port/lynxos/include/Makefile.in X 2001 +./lib/bind/port/lynxos/include/Makefile.in MAKE 2001 ./lib/bind/port/lynxos/include/sys/bitypes.h X 2001 ./lib/bind/port/lynxos/include/sys/cdefs.h X 2001 ./lib/bind/port/mpe/.cvsignore X 2001 ./lib/bind/port/mpe/Makefile.in MAKE 2001,2004 ./lib/bind/port/mpe/include/.cvsignore X 2001 -./lib/bind/port/mpe/include/Makefile.in X 2001 +./lib/bind/port/mpe/include/Makefile.in MAKE 2001 ./lib/bind/port/mpe/include/net/route.h X 2001 ./lib/bind/port/mpe/include/sys/bitypes.h X 2001 ./lib/bind/port/mpe/include/sys/cdefs.h X 2001 
@@ -1430,25 +1430,25 @@ ./lib/bind/port/netbsd/.cvsignore X 2001 ./lib/bind/port/netbsd/Makefile.in MAKE 2001,2004 ./lib/bind/port/netbsd/include/.cvsignore X 2001 -./lib/bind/port/netbsd/include/Makefile.in X 2001 +./lib/bind/port/netbsd/include/Makefile.in MAKE 2001 ./lib/bind/port/netbsd/include/sys/bitypes.h X 2001 ./lib/bind/port/next/.cvsignore X 2001 ./lib/bind/port/next/Makefile.in MAKE 2001,2004 ./lib/bind/port/next/include/.cvsignore X 2001 -./lib/bind/port/next/include/Makefile.in X 2001 +./lib/bind/port/next/include/Makefile.in MAKE 2001 ./lib/bind/port/next/include/sys/bitypes.h X 2001 ./lib/bind/port/next/include/sys/cdefs.h X 2001 ./lib/bind/port/openbsd/.cvsignore X 2001 ./lib/bind/port/openbsd/Makefile.in MAKE 2001,2004 ./lib/bind/port/openbsd/include/.cvsignore X 2001 -./lib/bind/port/openbsd/include/Makefile.in X 2001 +./lib/bind/port/openbsd/include/Makefile.in MAKE 2001 ./lib/bind/port/openbsd/include/sys/bitypes.h X 2001 ./lib/bind/port/prand_conf/.cvsignore X 2001 ./lib/bind/port/prand_conf/Makefile.in MAKE 2001,2004 ./lib/bind/port/qnx/.cvsignore X 2001 ./lib/bind/port/qnx/Makefile.in MAKE 2001,2004 ./lib/bind/port/qnx/include/.cvsignore X 2001 -./lib/bind/port/qnx/include/Makefile.in X 2001 +./lib/bind/port/qnx/include/Makefile.in MAKE 2001 ./lib/bind/port/qnx/include/sys/bitypes.h X 2001 ./lib/bind/port/qnx/include/sys/cdefs.h X 2001 ./lib/bind/port/qnx/include/sys/ioctl.h X 2001 
@@ -1457,12 +1457,12 @@ ./lib/bind/port/rhapsody/.cvsignore X 2001 ./lib/bind/port/rhapsody/Makefile.in MAKE 2001,2004 ./lib/bind/port/rhapsody/include/.cvsignore X 2001 -./lib/bind/port/rhapsody/include/Makefile.in X 2001 +./lib/bind/port/rhapsody/include/Makefile.in MAKE 2001 ./lib/bind/port/rhapsody/include/sys/bitypes.h X 2001 ./lib/bind/port/sco42/.cvsignore X 2001 ./lib/bind/port/sco42/Makefile.in MAKE 2001,2004 ./lib/bind/port/sco42/include/.cvsignore X 2001 -./lib/bind/port/sco42/include/Makefile.in X 2001 +./lib/bind/port/sco42/include/Makefile.in MAKE 2001 ./lib/bind/port/sco42/include/sys/bitypes.h X 2001 ./lib/bind/port/sco42/include/sys/cdefs.h X 2001 ./lib/bind/port/sco42/include/sys/mbuf.h X 2001 
@@ -1470,26 +1470,26 @@ ./lib/bind/port/sco50/.cvsignore X 2001 ./lib/bind/port/sco50/Makefile.in MAKE 2001,2004 ./lib/bind/port/sco50/include/.cvsignore X 2001 -./lib/bind/port/sco50/include/Makefile.in X 2001 +./lib/bind/port/sco50/include/Makefile.in MAKE 2001 ./lib/bind/port/sco50/include/sys/mbuf.h X 2001 ./lib/bind/port/solaris/.cvsignore X 2001 ./lib/bind/port/solaris/Makefile.in MAKE 2001,2004 ./lib/bind/port/solaris/include/.cvsignore X 2001 -./lib/bind/port/solaris/include/Makefile.in X 2001 +./lib/bind/port/solaris/include/Makefile.in MAKE 2001 ./lib/bind/port/solaris/include/paths.h X 2001 -./lib/bind/port/solaris/include/sys/bitypes.h X 2001 +./lib/bind/port/solaris/include/sys/bitypes.h C 2001 ./lib/bind/port/solaris/include/sys/cdefs.h X 2001 ./lib/bind/port/sunos/.cvsignore X 2001 ./lib/bind/port/sunos/Makefile.in MAKE 2001,2004 ./lib/bind/port/sunos/include/.cvsignore X 2001 -./lib/bind/port/sunos/include/Makefile.in X 2001 +./lib/bind/port/sunos/include/Makefile.in MAKE 2001 ./lib/bind/port/sunos/include/sys/bitypes.h X 2001 ./lib/bind/port/sunos/include/sys/cdefs.h X 2001 ./lib/bind/port/sunos/include/sys/wait.h X 2001 ./lib/bind/port/ultrix/.cvsignore X 2001 ./lib/bind/port/ultrix/Makefile.in MAKE 2001,2004 ./lib/bind/port/ultrix/include/.cvsignore X 2001 -./lib/bind/port/ultrix/include/Makefile.in X 2001 +./lib/bind/port/ultrix/include/Makefile.in MAKE 2001 ./lib/bind/port/ultrix/include/rpc/xdr.h X 2001 ./lib/bind/port/ultrix/include/sys/bitypes.h X 2001 ./lib/bind/port/ultrix/include/sys/cdefs.h X 2001 
@@ -1498,27 +1498,27 @@ ./lib/bind/port/unixware20/.cvsignore X 2001 ./lib/bind/port/unixware20/Makefile.in MAKE 2001,2004 ./lib/bind/port/unixware20/include/.cvsignore X 2001 -./lib/bind/port/unixware20/include/Makefile.in X 2001 +./lib/bind/port/unixware20/include/Makefile.in MAKE 2001 ./lib/bind/port/unixware20/include/sys/bitypes.h X 2001 ./lib/bind/port/unixware20/include/sys/cdefs.h X 2001 ./lib/bind/port/unixware212/.cvsignore X 2001 ./lib/bind/port/unixware212/Makefile.in MAKE 2001,2004 ./lib/bind/port/unixware212/include/.cvsignore X 2001 -./lib/bind/port/unixware212/include/Makefile.in X 2001 +./lib/bind/port/unixware212/include/Makefile.in MAKE 2001 ./lib/bind/port/unixware212/include/sys/bitypes.h X 2001 ./lib/bind/port/unixware212/include/sys/cdefs.h X 2001 ./lib/bind/port/unixware7/.cvsignore X 2001 ./lib/bind/port/unixware7/Makefile.in MAKE 2001,2004 ./lib/bind/port/unixware7/include/.cvsignore X 2001 -./lib/bind/port/unixware7/include/Makefile.in X 2001 +./lib/bind/port/unixware7/include/Makefile.in MAKE 2001 ./lib/bind/port/unknown/.cvsignore X 2001 ./lib/bind/port/unknown/Makefile.in MAKE 2001,2004 ./lib/bind/port/unknown/include/.cvsignore X 2001 -./lib/bind/port/unknown/include/Makefile.in X 2001 +./lib/bind/port/unknown/include/Makefile.in MAKE 2001 ./lib/bind/port_after.h.in X 2001 ./lib/bind/port_before.h.in X 2001 ./lib/bind/resolv/.cvsignore X 2001 -./lib/bind/resolv/Makefile.in X 2001 +./lib/bind/resolv/Makefile.in MAKE 2001 ./lib/bind/resolv/herror.c X 2001 ./lib/bind/resolv/res_comp.c X 2001 ./lib/bind/resolv/res_data.c X 2001 @@ -2262,7 +2262,7 @@ ./lib/win32/bindevt/bindevt.dsp X 2001 ./lib/win32/bindevt/bindevt.dsw X 2001 ./lib/win32/bindevt/bindevt.mak X 2001 -./lib/win32/bindevt/bindevt.mc X 2001 +./lib/win32/bindevt/bindevt.mc MC 2001 ./libtool.m4 X 2000,2001 ./ltmain.sh X 1999,2000,2001 ./make/.cvsignore X 1999,2000,2001 diff --git a/util/update_copyrights b/util/update_copyrights index 0771890bb6..ada5f4fd7e 100644 
--- a/util/update_copyrights +++ b/util/update_copyrights @@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: update_copyrights,v 1.31 2004/03/05 12:39:24 marka Exp $ +# $Id: update_copyrights,v 1.32 2004/03/16 05:22:33 marka Exp $ require 5.002; @@ -85,7 +85,7 @@ while (<>) { } elsif ($type =~ /^(SH|PERL|TCL|MAKE|CONF-SH)$/) { $shell_comment = 1; $prefix = "# "; - } elsif ($type eq "ZONE") { + } elsif ($type eq "ZONE" || $type eq "MC") { $zone_comment = 1; $prefix = "; "; } elsif ($type eq "MAN") { @@ -204,6 +204,7 @@ while (<>) { while () { # Not very maintainable, but ok enough for now. last unless + /[Cc]opyright/ || /See COPYRIGHT in the source root/ || /Permission to use, copy, modify, and / || /THE SOFTWARE IS PROVIDED "AS IS" AND /; From 28b863e609ff2d97b78663b46894494cfa2ea411 Mon Sep 17 00:00:00 2001 
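Review bot: The new `/[Cc]opyright/` alternative in the `last unless` test is far broader than its three siblings, which match fixed phrases of the licence block: any later line that merely contains the word (a comment such as `# copyright of this data ...`, a TXT record in a zone file) now keeps the header-skipping loop running past the real end of the header. If the goal is only to recognise the leading `Copyright (C) ...` lines of the two-organisation header, anchor the pattern to what the script itself emits, e.g. `/^\Q$prefix\ECopyright \(C\)/ ||` if `$prefix` is still in scope there, or at least `/\bCopyright \(C\)/ ||`. The enclosing `while` loop starts and ends outside the hunk, so I cannot see what is done with the lines it consumes.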
From: Mark Andrews Date: Tue, 16 Mar 2004 05:52:24 +0000 Subject: [PATCH 003/146] pullup fixed from 9.3 --- bin/dig/dig.c | 4 +- bin/named/config.c | 12 +- bin/named/main.c | 12 +- bin/tests/rbt_test.txt | 156 +-- bin/tests/system/dnssec/ns2/dlv.db.in | 27 + bin/win32/BINDInstall/BINDInstallDlg.cpp | 36 +- lib/bind/.cvsignore | 3 +- lib/bind/include/netdb.h | 50 +- lib/bind/include/netgroup.h | 3 +- lib/bind/port/irix/include/paths.h | 19 - lib/bind/port/unknown/include/Makefile.in | 14 - lib/dns/Makefile.in | 8 +- lib/dns/gen.c | 80 +- lib/dns/rcode.c | 473 +++++++ lib/dns/rdata.c | 430 +------ lib/dns/resolver.c | 6 +- lib/dns/time.c | 4 +- lib/dns/win32/libdns.def | 34 +- lib/dns/win32/libdns.dsp | 28 +- lib/dns/win32/libdns.mak | 85 +- lib/isc/log.c | 4 +- lib/isc/netscope.c | 4 +- lib/isc/unix/entropy.c | 4 +- lib/isc/unix/include/isc/stat.h | 53 + lib/isc/win32/include/isc/ipv6.h | 25 +- lib/isc/win32/include/isc/offset.h | 4 +- lib/isc/win32/include/isc/platform.h | 4 +- lib/isc/win32/include/isc/time.h | 4 +- lib/isc/win32/ipv6.c | 8 +- lib/isc/win32/libisc.def | 10 + lib/isc/win32/libisc.dsp | 1416 +++++++++++---------- lib/isc/win32/libisc.mak | 24 + lib/isc/win32/net.c | 6 +- lib/isc/win32/time.c | 15 +- win32utils/BuildAll.bat | 28 +- win32utils/BuildSetup.bat | 28 +- win32utils/dnsheadergen.bat | 24 +- win32utils/readme1st.txt | 23 +- 38 files changed, 1714 insertions(+), 1454 deletions(-) create mode 100644 bin/tests/system/dnssec/ns2/dlv.db.in create mode 100644 lib/dns/rcode.c create mode 100644 lib/isc/unix/include/isc/stat.h diff --git a/bin/dig/dig.c b/bin/dig/dig.c index e00bbac1a1..ddf561f920 100644 --- a/bin/dig/dig.c +++ b/bin/dig/dig.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dig.c,v 1.185 2004/03/05 04:57:30 marka Exp $ */ +/* $Id: dig.c,v 1.186 2004/03/16 05:52:13 marka Exp $ */ #include #include 
@@ -1031,7 +1031,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, goto invalid_option; switch (cmd) { case 'b': - hash = index(value, '#'); + hash = strchr(value, '#'); if (hash != NULL) { srcport = (in_port_t) parse_uint(hash + 1, "port number", MAXPORT); diff --git a/bin/named/config.c b/bin/named/config.c index 4c737e2674..8c5eaeb902 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: config.c,v 1.46 2004/03/10 02:19:52 marka Exp $ */ +/* $Id: config.c,v 1.47 2004/03/16 05:52:14 marka Exp $ */ #include @@ -124,8 +124,9 @@ options {\n\ check-names slave warn;\n\ check-names response ignore;\n\ dnssec-enable no; /* Make yes for 9.4. */ \n\ -\n\ - /* zone */\n\ +" + +" /* zone */\n\ allow-query {any;};\n\ allow-transfer {any;};\n\ notify yes;\n\ @@ -153,8 +154,9 @@ options {\n\ max-journal-size unlimited;\n\ ixfr-from-differences false;\n\ };\n\ -\n\ -#\n\ +" + +"#\n\ # Zones in the \"_bind\" view are NOT counted is the count of zones.\n\ #\n\ view \"_bind\" chaos {\n\ diff --git a/bin/named/main.c b/bin/named/main.c index 690e41e5a1..6804ff0323 100644 --- a/bin/named/main.c +++ b/bin/named/main.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: main.c,v 1.135 2004/03/05 04:57:48 marka Exp $ */ +/* $Id: main.c,v 1.136 2004/03/16 05:52:14 marka Exp $ */ #include @@ -216,12 +216,12 @@ library_unexpected_error(const char *file, int line, const char *format, static void lwresd_usage(void) { fprintf(stderr, - "usage: lwresd [-c conffile | -C resolvconffile] " - "[-d debuglevel] [-f|-g]\n" - " [-n number_of_cpus] [-p port]" + "usage: lwresd [-4|-6] [-c conffile | -C resolvconffile] " + "[-d debuglevel]\n" + " [-f|-g] [-n number_of_cpus] [-p port] " "[-P listen-port] [-s]\n" " [-t chrootdir] [-u username] [-i pidfile]\n" - " [-m {usage|trace|record}]\n"); + " [-m {usage|trace|record}]\n"); } static void 
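Review bot: Splitting the literal at `"` / `" /* zone */\n\` also removes the `\n\` line that sat between them, so the built-in default configuration text loses the blank line that separated the options block from the `/* zone */` section; the second hunk at `-153` does the same before `#\n\`. If the split only serves to keep each string literal short, keep the separator by starting the new literal with it: `"\n /* zone */\n\` and `"\n#\n\`. The parser will not care, but the difference would be visible wherever the default config text is printed.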
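Review bot: `lwresd_usage` now advertises `[-4|-6]`, but the option string and the `case '4'`/`case '6'` handling that would make those flags valid are outside this hunk, so the diff alone does not show that the program accepts what it documents; worth checking the option-parsing code in the same pullup. The same applies to `usage()` in the next hunk at `-231`. Keeping two hand-written usage strings in lockstep is error-prone; deriving both from one shared option list formatted with the program name would remove this class of drift.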
@@ -231,7 +231,7 @@ usage(void) { return; } fprintf(stderr, - "usage: named [-c conffile] [-d debuglevel] " + "usage: named [-4|-6] [-c conffile] [-d debuglevel] " "[-f|-g] [-n number_of_cpus]\n" " [-p port] [-s] [-t chrootdir] [-u username]\n" " [-m {usage|trace|record}]\n"); diff --git a/bin/tests/rbt_test.txt b/bin/tests/rbt_test.txt index ce22acac7f..0cdd0013f6 100644 --- a/bin/tests/rbt_test.txt +++ b/bin/tests/rbt_test.txt 
@@ -13,81 +13,81 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: rbt_test.txt,v 1.14 2004/03/05 04:58:39 marka Exp $ - -add a.vix.com -add b.vix.com -add c.vix.com -print -add a.b.c.d.e.f.vix.com -add b.b.c.d.e.f.vix.com -add c.b.c.d.e.f.vix.com -print -add a.d.e.f.vix.com -add q.d.e.f.vix.com -add d.e.f.vix.com -print -add g.h.vix.com -print -search q.d.e.f.vix.com -search just-parent.a.vix.com -search no-real-parent.vix.com -search does.not.exist.at.all -forward -backward -# existing name -check vix.com. -# greater than stop node, which has down pointer -check zzz.com. -# less than lowest in level (would be left link from stop node) -check 0.vix.com -# greater than stop node, no down pointer -check d.vix.com -# superdomain stored in existing node -check f.vix.com -# common ancestor stored in existing node; existing is successor -check a.e.f.vix.com -# common ancestor stored in existing node; existing is less but not predecessor -check z.e.f.vix.com -# -check g.vix.com -# -check i.vix.com -# -check b.c.vix.com -nuke d.e.f.vix.com -print -add x.a.vix.com -add y.x.a.vix.com -print -delete a.vix.com -delete x.a.vix.com -print -delete b.vix.com -delete c.vix.com -print -delete y.x.a.vix.com -print -delete g.h.vix.com. -add \[b100000].vix.com. -add \[b010000].vix.com. -add \[b001000].vix.com. -add \[b000100].vix.com. -add \[b000010].vix.com. -add \[b000001].vix.com. -p -search \[b000100].vix.com. -# zap the entire tree -add vix.com. -nuke vix.com. -add a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w. 
-add b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w. -print -add . -# zap it again -nuke . -# test splitting of maximal bitstring -add \[xFFFF/16].\[xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF/256].com -add \[xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF/128].com -print -quit +# $Id: rbt_test.txt,v 1.15 2004/03/16 05:52:14 marka Exp $ + +add a.vix.com +add b.vix.com +add c.vix.com +print +add a.b.c.d.e.f.vix.com +add b.b.c.d.e.f.vix.com +add c.b.c.d.e.f.vix.com +print +add a.d.e.f.vix.com +add q.d.e.f.vix.com +add d.e.f.vix.com +print +add g.h.vix.com +print +search q.d.e.f.vix.com +search just-parent.a.vix.com +search no-real-parent.vix.com +search does.not.exist.at.all +forward +backward +# existing name +check vix.com. +# greater than stop node, which has down pointer +check zzz.com. +# less than lowest in level (would be left link from stop node) +check 0.vix.com +# greater than stop node, no down pointer +check d.vix.com +# superdomain stored in existing node +check f.vix.com +# common ancestor stored in existing node; existing is successor +check a.e.f.vix.com +# common ancestor stored in existing node; existing is less but not predecessor +check z.e.f.vix.com +# +check g.vix.com +# +check i.vix.com +# +check b.c.vix.com +nuke d.e.f.vix.com +print +add x.a.vix.com +add y.x.a.vix.com +print +delete a.vix.com +delete x.a.vix.com +print +delete b.vix.com +delete c.vix.com +print +delete y.x.a.vix.com +print +delete g.h.vix.com. +add \[b100000].vix.com. +add \[b010000].vix.com. +add \[b001000].vix.com. +add \[b000100].vix.com. +add \[b000010].vix.com. +add \[b000001].vix.com. +p +search \[b000100].vix.com. +# zap the entire tree +add vix.com. +nuke vix.com. 
+add a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w. +add b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w. +print +add . +# zap it again +nuke . +# test splitting of maximal bitstring +add \[xFFFF/16].\[xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF/256].com +add \[xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF/128].com +print +quit diff --git a/bin/tests/system/dnssec/ns2/dlv.db.in b/bin/tests/system/dnssec/ns2/dlv.db.in new file mode 100644 index 0000000000..7a25e576d5 --- /dev/null +++ b/bin/tests/system/dnssec/ns2/dlv.db.in 
@@ -0,0 +1,27 @@ +; Copyright (C) 2000-2002 Internet Software Consortium. +; +; Permission to use, copy, modify, and distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM +; DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL +; IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL +; INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING +; FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, +; NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION +; WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +; $Id: dlv.db.in,v 1.2 2004/03/16 05:52:15 marka Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 +ns2 A 10.53.0.2 diff --git a/bin/win32/BINDInstall/BINDInstallDlg.cpp b/bin/win32/BINDInstall/BINDInstallDlg.cpp index 8d0706c7df..b08d4b21ee 100644 --- a/bin/win32/BINDInstall/BINDInstallDlg.cpp +++ b/bin/win32/BINDInstall/BINDInstallDlg.cpp @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: BINDInstallDlg.cpp,v 1.14 2004/03/09 04:25:06 marka Exp $ */ +/* $Id: BINDInstallDlg.cpp,v 1.15 2004/03/16 05:52:15 marka Exp $ */ /* * Copyright (c) 1999-2000 by Nortel Networks Corporation @@ -73,14 +73,14 @@ static char THIS_FILE[] = __FILE__; #endif -typedef struct _exception +typedef struct _xexception { - _exception(UINT string, ...); + _xexception(UINT string, ...); CString resString; } Exception; -_exception::_exception(UINT string, ...) +_xexception::_xexception(UINT string, ...) { CString format; va_list va; 
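Review bot: The rename of `_exception` to `_xexception` in the @@ -73 hunk carries no comment saying why, so a later cleanup may well rename it back; presumably it avoids a clash with `struct _exception`, which the C runtime's `<math.h>` declares for `_matherr`. Add above the struct: `/* Named _xexception because _exception collides with struct _exception in the CRT's <math.h>. */`. The constructor `_xexception::_xexception(UINT string, ...)` continues past the end of the hunk, so its body is not reviewed here.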
@@ -323,14 +323,14 @@ void CBINDInstallDlg::OnUninstall() { if (CheckBINDService()) StopBINDService(); - HANDLE hSCManager = OpenSCManager(NULL, NULL, + SC_HANDLE hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); if (!hSCManager) { MsgBox(IDS_ERR_OPEN_SCM, GetErrMessage()); return; } - HANDLE hService = OpenService(hSCManager, BIND_SERVICE_NAME, + SC_HANDLE hService = OpenService(hSCManager, BIND_SERVICE_NAME, SERVICE_ALL_ACCESS); if (!hService && GetLastError() != ERROR_SERVICE_DOES_NOT_EXIST){ MsgBox(IDS_ERR_OPEN_SERVICE, GetErrMessage()); @@ -717,8 +717,8 @@ CBINDInstallDlg::ValidateServiceAccount() { void CBINDInstallDlg::RegisterService() { - HANDLE hSCManager; - HANDLE hService; + SC_HANDLE hSCManager; + SC_HANDLE hService; CString StartName = ".\\" + m_accountName; /* @@ -772,8 +772,8 @@ CBINDInstallDlg::RegisterService() { void CBINDInstallDlg::UpdateService() { - HANDLE hSCManager; - HANDLE hService; + SC_HANDLE hSCManager; + SC_HANDLE hService; CString StartName = ".\\" + m_accountName; SetCurrent(IDS_OPEN_SCM); @@ -823,8 +823,8 @@ CBINDInstallDlg::UpdateService() { void CBINDInstallDlg::UnregisterService(BOOL uninstall) { BOOL rc = FALSE; - HANDLE hSCManager; - HANDLE hService; + SC_HANDLE hSCManager; + SC_HANDLE hService; while(1) { SetCurrent(IDS_OPEN_SCM); @@ -1014,12 +1014,12 @@ void CBINDInstallDlg::StopBINDService() { SetCurrent(IDS_STOP_SERVICE); - HANDLE hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); + SC_HANDLE hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); if (!hSCManager) { MsgBox(IDS_ERR_OPEN_SCM, GetErrMessage()); } - HANDLE hBINDSvc = OpenService(hSCManager, BIND_SERVICE_NAME, + SC_HANDLE hBINDSvc = OpenService(hSCManager, BIND_SERVICE_NAME, SERVICE_ALL_ACCESS); if (!hBINDSvc) { MsgBox(IDS_ERR_OPEN_SERVICE, GetErrMessage()); 
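Review bot: In StopBINDService (hunk @@ -1014) the `if (!hSCManager)` branch only shows a message box and then falls through, so `OpenService` is called with a NULL manager handle on the next line; add the return that OnUninstall already has, `MsgBox(IDS_ERR_OPEN_SCM, GetErrMessage()); return;`. StartBINDService (hunk @@ -1034 on the following line) has the same fall-through. Separately, every one of these hunks opens the service control manager with `SC_MANAGER_ALL_ACCESS` and the service with `SERVICE_ALL_ACCESS`, while starting, stopping and querying need only `SC_MANAGER_CONNECT` and `SERVICE_START | SERVICE_STOP | SERVICE_QUERY_STATUS`; requesting the minimum is the usual least-privilege practice and lets the calls succeed under a less privileged account. Each function's body extends beyond its hunk, so whether the handles are released with `CloseServiceHandle` on every path is not visible here.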
@@ -1034,12 +1034,12 @@ void CBINDInstallDlg::StopBINDService() { void CBINDInstallDlg::StartBINDService() { SetCurrent(IDS_START_SERVICE); - HANDLE hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); + SC_HANDLE hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); if (!hSCManager) { MsgBox(IDS_ERR_OPEN_SCM, GetErrMessage()); } - HANDLE hBINDSvc = OpenService(hSCManager, BIND_SERVICE_NAME, + SC_HANDLE hBINDSvc = OpenService(hSCManager, BIND_SERVICE_NAME, SERVICE_ALL_ACCESS); if (!hBINDSvc) { MsgBox(IDS_ERR_OPEN_SERVICE, GetErrMessage()); @@ -1053,9 +1053,9 @@ void CBINDInstallDlg::StartBINDService() { BOOL CBINDInstallDlg::CheckBINDService() { SERVICE_STATUS svcStatus; - HANDLE hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); + SC_HANDLE hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); if (hSCManager) { - HANDLE hBINDSvc = OpenService(hSCManager, BIND_SERVICE_NAME, + SC_HANDLE hBINDSvc = OpenService(hSCManager, BIND_SERVICE_NAME, SERVICE_ALL_ACCESS); if (hBINDSvc) { BOOL rc = ControlService(hBINDSvc, diff --git a/lib/bind/.cvsignore b/lib/bind/.cvsignore index 341f628287..00e1e6dc1d 100644 --- a/lib/bind/.cvsignore +++ b/lib/bind/.cvsignore @@ -1,3 +1,4 @@ +configure.lineno port_before.h port_after.h config.log @@ -10,4 +11,4 @@ config.cache config.status timestamp libtool -configure.lineno +autom4te.cache diff --git a/lib/bind/include/netdb.h b/lib/bind/include/netdb.h index e9e445712f..f452aab789 100644 --- a/lib/bind/include/netdb.h +++ b/lib/bind/include/netdb.h @@ -86,7 +86,7 @@ /* * @(#)netdb.h 8.1 (Berkeley) 6/2/93 - * $Id: netdb.h,v 1.14 2004/03/09 06:29:53 marka Exp $ + * $Id: netdb.h,v 1.15 2004/03/16 05:52:16 marka Exp $ */ #ifndef _NETDB_H_ 
@@ -390,7 +390,14 @@ const char *gai_strerror __P((int)); struct hostent *getipnodebyname __P((const char *, int, int, int *)); struct hostent *getipnodebyaddr __P((const void *, size_t, int, int *)); void freehostent __P((struct hostent *)); - +#ifdef __GLIBC__ +int getnetgrent __P((/* const */ char **, /* const */ char **, + /* const */ char **)); +void setnetgrent __P((const char *)); +void endnetgrent __P((void)); +int innetgr __P((const char *, const char *, const char *, + const char *)); +#endif #ifdef _REENTRANT #if defined(__hpux) || defined(__osf__) || defined(_AIX) @@ -410,7 +417,7 @@ int endhostent_r __P((struct hostent_data *)); void endhostent_r __P((struct hostent_data *)); #endif -#ifdef __hpux +#if defined(__hpux) || defined(__osf__) int getnetbyaddr_r __P((int, int, struct netent *, struct netent_data *)); #else 
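Review bot: The new `__GLIBC__` prototypes for `getnetgrent` carry `/* const */` placeholders with nothing explaining them, so a reader cannot tell whether the missing qualifier is deliberate or an oversight. Add a comment above the block such as `/* glibc declares these without const; match its prototypes so the declarations do not conflict. */` — presumably that is the motivation, since netgroup.h is skipped under `__GLIBC__` elsewhere in this commit. The hunk also drops the blank line that separated `freehostent()` from the `#ifdef _REENTRANT` block; keeping one after the new `#endif` preserves the file's spacing, and `#endif /* __GLIBC__ */` would make the short conditional easier to follow.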
@@ -452,38 +459,75 @@ void endservent_r __P((struct servent_data *)); #endif #else /* defined(sun) || defined(bsdi) */ +#ifdef __GLIBC__ +int gethostbyaddr_r __P((const char *, int, int, struct hostent *, + char *, size_t, struct hostent **, int *)); +int gethostbyname_r __P((const char *, struct hostent *, + char *, size_t, struct hostent **, int *)); +int gethostent_r __P((struct hostent *, char *, size_t, + struct hostent **, int *)); +#else struct hostent *gethostbyaddr_r __P((const char *, int, int, struct hostent *, char *, int, int *)); struct hostent *gethostbyname_r __P((const char *, struct hostent *, char *, int, int *)); struct hostent *gethostent_r __P((struct hostent *, char *, int, int *)); +#endif void sethostent_r __P((int)); void endhostent_r __P((void)); +#ifdef __GLIBC__ +int getnetbyname_r __P((const char *, struct netent *, + char *, size_t, struct netent **, int*)); +int getnetbyaddr_r __P((unsigned long int, int, struct netent *, + char *, size_t, struct netent **, int*)); +int getnetent_r __P((struct netent *, char *, size_t, struct netent **, int*)); +#else struct netent *getnetbyname_r __P((const char *, struct netent *, char *, int)); struct netent *getnetbyaddr_r __P((long, int, struct netent *, char *, int)); struct netent *getnetent_r __P((struct netent *, char *, int)); +#endif void setnetent_r __P((int)); void endnetent_r __P((void)); +#ifdef __GLIBC__ +int getprotobyname_r __P((const char *, struct protoent *, char *, + size_t, struct protoent **)); +int getprotobynumber_r __P((int, struct protoent *, char *, size_t, + struct protoent **)); +int getprotoent_r __P((struct protoent *, char *, size_t, struct protoent **)); +#else struct protoent *getprotobyname_r __P((const char *, struct protoent *, char *, int)); struct protoent *getprotobynumber_r __P((int, struct protoent *, char *, int)); struct protoent *getprotoent_r __P((struct protoent *, char *, int)); +#endif void setprotoent_r __P((int)); void endprotoent_r __P((void)); 
+#ifdef __GLIBC__ +int getservbyname_r __P((const char *name, const char *, + struct servent *, char *, size_t, struct servent **)); +int getservbyport_r __P((int port, const char *, + struct servent *, char *, size_t, struct servent **)); +int getservent_r __P((struct servent *, char *, size_t, struct servent **)); +#else struct servent *getservbyname_r __P((const char *name, const char *, struct servent *, char *, int)); struct servent *getservbyport_r __P((int port, const char *, struct servent *, char *, int)); struct servent *getservent_r __P((struct servent *, char *, int)); +#endif void setservent_r __P((int)); void endservent_r __P((void)); +#ifdef __GLIBC__ +int getnetgrent_r __P((char **, char **, char **, char *, size_t)); +#endif + #endif #endif __END_DECLS diff --git a/lib/bind/include/netgroup.h b/lib/bind/include/netgroup.h index fee6787b3f..72003d4346 100644 --- a/lib/bind/include/netgroup.h +++ b/lib/bind/include/netgroup.h @@ -1,5 +1,6 @@ #ifndef netgroup_h #define netgroup_h +#ifndef __GLIBC__ /* * The standard is crazy. These values "belong" to getnetgrent() and @@ -15,5 +16,5 @@ void setnetgrent __P((const char *)); void endnetgrent __P((void)); int innetgr __P((const char *, const char *, const char *, const char *)); - +#endif #endif diff --git a/lib/bind/port/irix/include/paths.h b/lib/bind/port/irix/include/paths.h index f8ef579694..7ec03327e1 100644 --- a/lib/bind/port/irix/include/paths.h +++ b/lib/bind/port/irix/include/paths.h 
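Review bot: The new glibc-style prototypes in hunk @@ -452 are inconsistent with the surrounding block: `getnetbyname_r`, `getnetbyaddr_r` and `getnetent_r` write `int*` where every other declaration writes `int *`, and `getservbyname_r`/`getservbyport_r` keep the identifiers `name` and `port` while the rest of the block uses unnamed parameters. Normalize to `int *` and drop the two identifiers so the added lines read like the existing ones. The `#endif` closing the `#ifdef __GLIBC__` around `getnetgrent_r` sits directly before two more `#endif`s; writing it as `#endif /* __GLIBC__ */` makes the nesting visible.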
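Review bot: The `#ifndef __GLIBC__` added to netgroup.h closes with a bare `#endif` placed immediately before the include guard's own `#endif`, which is easy to misread in a file this short. Write `#endif /* !__GLIBC__ */` and `#endif /* netgroup_h */` so each closer names what it ends. A one-line comment after the new `#ifndef`, e.g. `/* glibc's <netdb.h> already declares the netgroup functions. */`, would also record why the declarations are skipped.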
@@ -1,21 +1,2 @@ -/* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2001 Internet Software Consortium. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/* $Id: paths.h,v 1.4 2004/03/16 05:22:24 marka Exp $ */ - #define _PATH_DEVNULL "/dev/null" diff --git a/lib/bind/port/unknown/include/Makefile.in b/lib/bind/port/unknown/include/Makefile.in index 99e5985489..e69de29bb2 100644 --- a/lib/bind/port/unknown/include/Makefile.in +++ b/lib/bind/port/unknown/include/Makefile.in 
@@ -1,14 +0,0 @@ -# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -# Copyright (C) 2001 Internet Software Consortium. -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. diff --git a/lib/dns/Makefile.in b/lib/dns/Makefile.in index d283911bcf..04253a2a44 100644 --- a/lib/dns/Makefile.in +++ b/lib/dns/Makefile.in @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.143 2004/03/05 05:09:17 marka Exp $ +# $Id: Makefile.in,v 1.144 2004/03/16 05:52:18 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ @@ -54,7 +54,8 @@ DNSOBJS = acl.@O@ adb.@O@ byaddr.@O@ \ lib.@O@ log.@O@ lookup.@O@ \ master.@O@ masterdump.@O@ message.@O@ \ name.@O@ ncache.@O@ nsec.@O@ order.@O@ peer.@O@ portlist.@O@ \ - rbt.@O@ rbtdb.@O@ rbtdb64.@O@ rdata.@O@ rdatalist.@O@ \ + rbt.@O@ rbtdb.@O@ rbtdb64.@O@ rcode.@O@ rdata.@O@ \ + rdatalist.@O@ \ rdataset.@O@ rdatasetiter.@O@ rdataslab.@O@ request.@O@ \ resolver.@O@ result.@O@ rootns.@O@ sdb.@O@ soa.@O@ ssu.@O@ \ stats.@O@ tcpmsg.@O@ time.@O@ timer.@O@ tkey.@O@ \ 
@@ -71,7 +72,8 @@ SRCS = acl.c adb.c byaddr.c \ lib.c log.c lookup.c \ master.c masterdump.c message.c \ name.c ncache.c nsec.c order.c peer.c portlist.c \ - rbt.c rbtdb.c rbtdb64.c rdata.c rdatalist.c \ + rbt.c rbtdb.c rbtdb64.c rcode.c rdata.c \ + rdatalist.c \ rdataset.c rdatasetiter.c rdataslab.c request.c \ resolver.c result.c rootns.c sdb.c soa.c ssu.c \ stats.c tcpmsg.c time.c timer.c tkey.c \ diff --git a/lib/dns/gen.c b/lib/dns/gen.c index 7defe95547..bc5bd645c3 100644 --- a/lib/dns/gen.c +++ b/lib/dns/gen.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: gen.c,v 1.72 2004/03/05 05:09:20 marka Exp $ */ +/* $Id: gen.c,v 1.73 2004/03/16 05:52:18 marka Exp $ */ #include 
@@ -96,20 +96,20 @@ const char copyright[] = "/*\n" -" * Copyright (C) 1998%s Internet Software Consortium.\n" +" * Copyright (C) 2004%s Internet Systems Consortium, Inc. (\"ISC\")\n" +" * Copyright (C) 1998-2003 Internet Software Consortium.\n" " *\n" " * Permission to use, copy, modify, and distribute this software for any\n" " * purpose with or without fee is hereby granted, provided that the above\n" " * copyright notice and this permission notice appear in all copies.\n" " *\n" -" * THE SOFTWARE IS PROVIDED \"AS IS\" AND INTERNET SOFTWARE CONSORTIUM\n" -" * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL\n" -" * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL\n" -" * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,\n" -" * INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING\n" -" * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,\n" -" * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION\n" -" * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.\n" +" * THE SOFTWARE IS PROVIDED \"AS IS\" AND ISC DISCLAIMS ALL WARRANTIES WITH\n" +" * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY\n" +" * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,\n" +" * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM\n" +" * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE\n" +" * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR\n" +" * PERFORMANCE OF THIS SOFTWARE.\n" " */\n" "\n" "/***************\n" @@ -585,7 +585,7 @@ main(int argc, char **argv) { sd(0, "", buf, filetype); if (time(&now) != -1) { - if ((tm = localtime(&now)) != NULL && tm->tm_year > 98) + if ((tm = localtime(&now)) != NULL && tm->tm_year > 104) sprintf(year, "-%d", tm->tm_year + 1900); else year[0] = 0; 
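Review bot: The new comparison `tm->tm_year > 104` in main() (hunk @@ -585) is a magic number that only makes sense together with the literal `2004` written into `copyright[]` by hunk @@ -96; if one is bumped without the other, the generated headers print a wrong year range. Put the relationship on the line: `if ((tm = localtime(&now)) != NULL && tm->tm_year > 104) /* 104 == 2004 - 1900; keep in step with copyright[] */`. The unchanged `sprintf(year, "-%d", tm->tm_year + 1900)` writes into `year`, whose declaration is outside the hunk; `snprintf(year, sizeof(year), "-%d", tm->tm_year + 1900)` would make the bound explicit.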
@@ -631,11 +631,11 @@ main(int argc, char **argv) { DIGESTARGS, DIGESTTYPE, DIGESTCLASS, DIGESTDEF); doswitch("CHECKOWNERSWITCH", "checkowner", - CHECKOWNERARGS, CHECKOWNERTYPE, - CHECKOWNERCLASS, CHECKOWNERDEF); + CHECKOWNERARGS, CHECKOWNERTYPE, + CHECKOWNERCLASS, CHECKOWNERDEF); doswitch("CHECKNAMESSWITCH", "checknames", - CHECKNAMESARGS, CHECKNAMESTYPE, - CHECKNAMESCLASS, CHECKNAMESDEF); + CHECKNAMESARGS, CHECKNAMESTYPE, + CHECKNAMESCLASS, CHECKNAMESDEF); /* * From here down, we are processing the rdata names and @@ -667,31 +667,6 @@ main(int argc, char **argv) { insert_into_typenames(254, "maila", METAQUESTIONONLY); insert_into_typenames(255, "any", METAQUESTIONONLY); - fprintf(stdout, "\ntypedef struct {\n"); - fprintf(stdout, "\tconst char *name;\n"); - fprintf(stdout, "\tunsigned int flags;\n"); - fprintf(stdout, "} typeattr_t;\n"); - fprintf(stdout, "static typeattr_t typeattr[] = {\n"); - for (i = 0; i <= maxtype; i++) { - ttn = find_typename(i); - if (ttn == NULL) { - const char *attrs; - if (i >= 128 && i < 255) - attrs = "DNS_RDATATYPEATTR_UNKNOWN | " - "DNS_RDATATYPEATTR_META"; - else - attrs = "DNS_RDATATYPEATTR_UNKNOWN"; - fprintf(stdout, "\t{ \"TYPE%d\", %s}%s\n", - i, attrs, PRINT_COMMA(i)); - } else { - fprintf(stdout, "\t{ \"%s\", %s }%s\n", - upper(ttn->typename), - upper(ttn->attr), - PRINT_COMMA(i)); - } - } - fprintf(stdout, "};\n"); - /* * Spit out a quick and dirty hash function. Here, * we walk through the list of type names, and calculate @@ -707,7 +682,7 @@ main(int argc, char **argv) { fprintf(stdout, "\t\tif (sizeof(_s) - 1 == _n && \\\n" "\t\t strncasecmp(_s,(_tn)," "(sizeof(_s) - 1)) == 0) { \\\n"); - fprintf(stdout, "\t\t\tif ((typeattr[_d].flags & " + fprintf(stdout, "\t\t\tif ((dns_rdatatype_attributes(_d) & " "DNS_RDATATYPEATTR_RESERVED) != 0) \\\n"); fprintf(stdout, "\t\t\t\treturn (ISC_R_NOTIMPLEMENTED); \\\n"); fprintf(stdout, "\t\t\t*(_tp) = _d; \\\n"); 
@@ -752,6 +727,29 @@ main(int argc, char **argv) { } fprintf(stdout, "\t}\n"); + fprintf(stdout, "#define RDATATYPE_ATTRIBUTE_SW \\\n"); + fprintf(stdout, "\tswitch (type) { \\\n"); + for (i = 0; i <= maxtype; i++) { + ttn = find_typename(i); + if (ttn == NULL) + continue; + fprintf(stdout, "\tcase %u: return (%s); \\\n", + i, upper(ttn->attr)); + } + fprintf(stdout, "\t}\n"); + + fprintf(stdout, "#define RDATATYPE_TOTEXT_SW \\\n"); + fprintf(stdout, "\tswitch (type) { \\\n"); + for (i = 0; i <= maxtype; i++) { + ttn = find_typename(i); + if (ttn == NULL) + continue; + fprintf(stdout, "\tcase %u: return " + "(str_totext(\"%s\", target)); \\\n", + i, upper(ttn->typename)); + } + fprintf(stdout, "\t}\n"); + fputs("#endif /* DNS_CODE_H */\n", stdout); } else if (type_enum) { char *s; diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c new file mode 100644 index 0000000000..6bdb1d940c --- /dev/null +++ b/lib/dns/rcode.c 
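Review bot: `RDATATYPE_ATTRIBUTE_SW` and `RDATATYPE_TOTEXT_SW` are emitted as a bare `switch (type)` in which every case returns, so they silently require the expansion site to provide a variable named `type` (and, for the TOTEXT macro, `target` and a `str_totext()` function) and to handle the fall-through for types not in the table; nothing in the generated output says so. Emit a comment ahead of each macro, e.g. `fprintf(stdout, "/* Expands to a switch on 'type'; control falls out for unlisted types. */\n");`, and mirror it in gen.c above the two loops. The case labels use `%u` with `i`, but the table code removed in the preceding hunk printed the same counter with `%d`, which suggests `i` is an `int` declared outside this hunk; cast it (`(unsigned int)i`) or change the conversion so argument and format agree. main() continues past the end of the hunk.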
@@ -0,0 +1,473 @@ +/* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1998-2003 Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: rcode.c,v 1.2 2004/03/16 05:52:18 marka Exp $ */ + +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include + +#define RETERR(x) \ + do { \ + isc_result_t _r = (x); \ + if (_r != ISC_R_SUCCESS) \ + return (_r); \ + } while (0) + +#define NUMBERSIZE sizeof("037777777777") /* 2^32-1 octal + NUL */ + +#define RCODENAMES \ + /* standard rcodes */ \ + { dns_rcode_noerror, "NOERROR", 0}, \ + { dns_rcode_formerr, "FORMERR", 0}, \ + { dns_rcode_servfail, "SERVFAIL", 0}, \ + { dns_rcode_nxdomain, "NXDOMAIN", 0}, \ + { dns_rcode_notimp, "NOTIMP", 0}, \ + { dns_rcode_refused, "REFUSED", 0}, \ + { dns_rcode_yxdomain, "YXDOMAIN", 0}, \ + { dns_rcode_yxrrset, "YXRRSET", 0}, \ + { dns_rcode_nxrrset, "NXRRSET", 0}, \ + { dns_rcode_notauth, "NOTAUTH", 0}, \ + { dns_rcode_notzone, "NOTZONE", 0}, + +#define ERCODENAMES \ + /* extended rcodes */ \ + { dns_rcode_badvers, "BADVERS", 0}, \ + { 0, NULL, 0 } + +#define TSIGRCODENAMES \ + /* extended rcodes */ \ + { 
dns_tsigerror_badsig, "BADSIG", 0}, \ + { dns_tsigerror_badkey, "BADKEY", 0}, \ + { dns_tsigerror_badtime, "BADTIME", 0}, \ + { dns_tsigerror_badmode, "BADMODE", 0}, \ + { dns_tsigerror_badname, "BADNAME", 0}, \ + { dns_tsigerror_badalg, "BADALG", 0}, \ + { 0, NULL, 0 } + +/* RFC2538 section 2.1 */ + +#define CERTNAMES \ + { 1, "PKIX", 0}, \ + { 2, "SPKI", 0}, \ + { 3, "PGP", 0}, \ + { 253, "URI", 0}, \ + { 254, "OID", 0}, \ + { 0, NULL, 0} + +/* RFC2535 section 7, RFC3110 */ + +#define SECALGNAMES \ + { DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, \ + { DNS_KEYALG_RSAMD5, "RSA", 0 }, \ + { DNS_KEYALG_DH, "DH", 0 }, \ + { DNS_KEYALG_DSA, "DSA", 0 }, \ + { DNS_KEYALG_ECC, "ECC", 0 }, \ + { DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \ + { DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \ + { DNS_KEYALG_PRIVATEDNS, "PRIVATEDNS", 0 }, \ + { DNS_KEYALG_PRIVATEOID, "PRIVATEOID", 0 }, \ + { 0, NULL, 0} + +/* RFC2535 section 7.1 */ + +#define SECPROTONAMES \ + { 0, "NONE", 0 }, \ + { 1, "TLS", 0 }, \ + { 2, "EMAIL", 0 }, \ + { 3, "DNSSEC", 0 }, \ + { 4, "IPSEC", 0 }, \ + { 255, "ALL", 0 }, \ + { 0, NULL, 0} + +struct tbl { + unsigned int value; + const char *name; + int flags; +}; + +static struct tbl rcodes[] = { RCODENAMES ERCODENAMES }; +static struct tbl tsigrcodes[] = { RCODENAMES TSIGRCODENAMES }; +static struct tbl certs[] = { CERTNAMES }; +static struct tbl secalgs[] = { SECALGNAMES }; +static struct tbl secprotos[] = { SECPROTONAMES }; + +static struct keyflag { + const char *name; + unsigned int value; + unsigned int mask; +} keyflags[] = { + { "NOCONF", 0x4000, 0xC000 }, + { "NOAUTH", 0x8000, 0xC000 }, + { "NOKEY", 0xC000, 0xC000 }, + { "FLAG2", 0x2000, 0x2000 }, + { "EXTEND", 0x1000, 0x1000 }, + { "FLAG4", 0x0800, 0x0800 }, + { "FLAG5", 0x0400, 0x0400 }, + { "USER", 0x0000, 0x0300 }, + { "ZONE", 0x0100, 0x0300 }, + { "HOST", 0x0200, 0x0300 }, + { "NTYP3", 0x0300, 0x0300 }, + { "FLAG8", 0x0080, 0x0080 }, + { "FLAG9", 0x0040, 0x0040 }, + { "FLAG10", 0x0020, 0x0020 }, + { "FLAG11", 0x0010, 
0x0010 }, + { "SIG0", 0x0000, 0x000F }, + { "SIG1", 0x0001, 0x000F }, + { "SIG2", 0x0002, 0x000F }, + { "SIG3", 0x0003, 0x000F }, + { "SIG4", 0x0004, 0x000F }, + { "SIG5", 0x0005, 0x000F }, + { "SIG6", 0x0006, 0x000F }, + { "SIG7", 0x0007, 0x000F }, + { "SIG8", 0x0008, 0x000F }, + { "SIG9", 0x0009, 0x000F }, + { "SIG10", 0x000A, 0x000F }, + { "SIG11", 0x000B, 0x000F }, + { "SIG12", 0x000C, 0x000F }, + { "SIG13", 0x000D, 0x000F }, + { "SIG14", 0x000E, 0x000F }, + { "SIG15", 0x000F, 0x000F }, + { "KSK", DNS_KEYFLAG_KSK, DNS_KEYFLAG_KSK }, + { NULL, 0, 0 } +}; + +static isc_result_t +str_totext(const char *source, isc_buffer_t *target) { + unsigned int l; + isc_region_t region; + + isc_buffer_availableregion(target, ®ion); + l = strlen(source); + + if (l > region.length) + return (ISC_R_NOSPACE); + + memcpy(region.base, source, l); + isc_buffer_add(target, l); + return (ISC_R_SUCCESS); +} + +static isc_result_t +maybe_numeric(unsigned int *valuep, isc_textregion_t *source, + unsigned int max, isc_boolean_t hex_allowed) +{ + isc_result_t result; + isc_uint32_t n; + char buffer[NUMBERSIZE]; + + if (! isdigit(source->base[0] & 0xff) || + source->length > NUMBERSIZE - 1) + return (ISC_R_BADNUMBER); + + /* + * We have a potential number. Try to parse it with + * isc_parse_uint32(). isc_parse_uint32() requires + * null termination, so we must make a copy. 
+ */ + strncpy(buffer, source->base, NUMBERSIZE); + INSIST(buffer[source->length] == '\0'); + + result = isc_parse_uint32(&n, buffer, 10); + if (result == ISC_R_BADNUMBER && hex_allowed) + result = isc_parse_uint32(&n, buffer, 16); + if (result != ISC_R_SUCCESS) + return (result); + if (n > max) + return (ISC_R_RANGE); + *valuep = n; + return (ISC_R_SUCCESS); +} + +static isc_result_t +dns_mnemonic_fromtext(unsigned int *valuep, isc_textregion_t *source, + struct tbl *table, unsigned int max) +{ + isc_result_t result; + int i; + + result = maybe_numeric(valuep, source, max, ISC_FALSE); + if (result != ISC_R_BADNUMBER) + return (result); + + for (i = 0; table[i].name != NULL; i++) { + unsigned int n; + n = strlen(table[i].name); + if (n == source->length && + strncasecmp(source->base, table[i].name, n) == 0) { + *valuep = table[i].value; + return (ISC_R_SUCCESS); + } + } + return (DNS_R_UNKNOWN); +} + +static isc_result_t +dns_mnemonic_totext(unsigned int value, isc_buffer_t *target, + struct tbl *table) +{ + int i = 0; + char buf[sizeof("4294967296")]; + while (table[i].name != NULL) { + if (table[i].value == value) { + return (str_totext(table[i].name, target)); + } + i++; + } + snprintf(buf, sizeof(buf), "%u", value); + return (str_totext(buf, target)); +} + +isc_result_t +dns_rcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source) { + unsigned int value; + RETERR(dns_mnemonic_fromtext(&value, source, rcodes, 0xffff)); + *rcodep = value; + return (ISC_R_SUCCESS); +} + +isc_result_t +dns_rcode_totext(dns_rcode_t rcode, isc_buffer_t *target) { + return (dns_mnemonic_totext(rcode, target, rcodes)); +} + +isc_result_t +dns_tsigrcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source) { + unsigned int value; + RETERR(dns_mnemonic_fromtext(&value, source, tsigrcodes, 0xffff)); + *rcodep = value; + return (ISC_R_SUCCESS); +} + +isc_result_t +dns_tsigrcode_totext(dns_rcode_t rcode, isc_buffer_t *target) { + return (dns_mnemonic_totext(rcode, target, 
tsigrcodes)); +} + +isc_result_t +dns_cert_fromtext(dns_cert_t *certp, isc_textregion_t *source) { + unsigned int value; + RETERR(dns_mnemonic_fromtext(&value, source, certs, 0xffff)); + *certp = value; + return (ISC_R_SUCCESS); +} + +isc_result_t +dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) { + return (dns_mnemonic_totext(cert, target, certs)); +} + +isc_result_t +dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source) { + unsigned int value; + RETERR(dns_mnemonic_fromtext(&value, source, secalgs, 0xff)); + *secalgp = value; + return (ISC_R_SUCCESS); +} + +isc_result_t +dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target) { + return (dns_mnemonic_totext(secalg, target, secalgs)); +} + +isc_result_t +dns_secproto_fromtext(dns_secproto_t *secprotop, isc_textregion_t *source) { + unsigned int value; + RETERR(dns_mnemonic_fromtext(&value, source, secprotos, 0xff)); + *secprotop = value; + return (ISC_R_SUCCESS); +} + +isc_result_t +dns_secproto_totext(dns_secproto_t secproto, isc_buffer_t *target) { + return (dns_mnemonic_totext(secproto, target, secprotos)); +} + +isc_result_t +dns_keyflags_fromtext(dns_keyflags_t *flagsp, isc_textregion_t *source) +{ + isc_result_t result; + char *text, *end; + unsigned int value, mask; + + result = maybe_numeric(&value, source, 0xffff, ISC_TRUE); + if (result == ISC_R_SUCCESS) { + *flagsp = value; + return (ISC_R_SUCCESS); + } + if (result != ISC_R_BADNUMBER) + return (result); + + text = source->base; + end = source->base + source->length; + value = mask = 0; + + while (text < end) { + struct keyflag *p; + unsigned int len; + char *delim = memchr(text, '|', end - text); + if (delim != NULL) + len = delim - text; + else + len = end - text; + for (p = keyflags; p->name != NULL; p++) { + if (strncasecmp(p->name, text, len) == 0) + break; + } + if (p->name == NULL) + return (DNS_R_UNKNOWNFLAG); + value |= p->value; +#ifdef notyet + if ((mask & p->mask) != 0) + warn("overlapping key flags"); +#endif + 
mask |= p->mask; + text += len; + if (delim != NULL) + text++; /* Skip "|" */ + } + *flagsp = value; + return (ISC_R_SUCCESS); +} + +/* + * This uses lots of hard coded values, but how often do we actually + * add classes? + */ +isc_result_t +dns_rdataclass_fromtext(dns_rdataclass_t *classp, isc_textregion_t *source) { +#define COMPARE(string, rdclass) \ + if (((sizeof(string) - 1) == source->length) \ + && (strncasecmp(source->base, string, source->length) == 0)) { \ + *classp = rdclass; \ + return (ISC_R_SUCCESS); \ + } + + switch (tolower((unsigned char)source->base[0])) { + case 'a': + COMPARE("any", dns_rdataclass_any); + break; + case 'c': + /* + * RFC1035 says the mnemonic for the CHAOS class is CH, + * but historical BIND practice is to call it CHAOS. + * We will accept both forms, but only generate CH. + */ + COMPARE("ch", dns_rdataclass_chaos); + COMPARE("chaos", dns_rdataclass_chaos); + + if (source->length > 5 && + source->length < (5 + sizeof("65000")) && + strncasecmp("class", source->base, 5) == 0) { + char buf[sizeof("65000")]; + char *endp; + unsigned int val; + + strncpy(buf, source->base + 5, source->length - 5); + buf[source->length - 5] = '\0'; + val = strtoul(buf, &endp, 10); + if (*endp == '\0' && val <= 0xffff) { + *classp = (dns_rdataclass_t)val; + return (ISC_R_SUCCESS); + } + } + break; + case 'h': + COMPARE("hs", dns_rdataclass_hs); + COMPARE("hesiod", dns_rdataclass_hs); + break; + case 'i': + COMPARE("in", dns_rdataclass_in); + break; + case 'n': + COMPARE("none", dns_rdataclass_none); + break; + case 'r': + COMPARE("reserved0", dns_rdataclass_reserved0); + break; + } + +#undef COMPARE + + return (DNS_R_UNKNOWN); +} + +isc_result_t +dns_rdataclass_totext(dns_rdataclass_t rdclass, isc_buffer_t *target) { + char buf[sizeof("CLASS65535")]; + + switch (rdclass) { + case dns_rdataclass_any: + return (str_totext("ANY", target)); + case dns_rdataclass_chaos: + return (str_totext("CH", target)); + case dns_rdataclass_hs: + return 
(str_totext("HS", target)); + case dns_rdataclass_in: + return (str_totext("IN", target)); + case dns_rdataclass_none: + return (str_totext("NONE", target)); + case dns_rdataclass_reserved0: + return (str_totext("RESERVED0", target)); + default: + snprintf(buf, sizeof(buf), "CLASS%u", rdclass); + return (str_totext(buf, target)); + } +} + +void +dns_rdataclass_format(dns_rdataclass_t rdclass, + char *array, unsigned int size) +{ + isc_result_t result; + isc_buffer_t buf; + + isc_buffer_init(&buf, array, size); + result = dns_rdataclass_totext(rdclass, &buf); + /* + * Null terminate. + */ + if (result == ISC_R_SUCCESS) { + if (isc_buffer_availablelength(&buf) >= 1) + isc_buffer_putuint8(&buf, 0); + else + result = ISC_R_NOSPACE; + } + if (result != ISC_R_SUCCESS) { + snprintf(array, size, ""); + array[size - 1] = '\0'; + } +} diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c index ce93d84d90..a6575a588a 100644 --- a/lib/dns/rdata.c +++ b/lib/dns/rdata.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rdata.c,v 1.183 2004/03/05 05:09:23 marka Exp $ */ +/* $Id: rdata.c,v 1.184 2004/03/16 05:52:18 marka Exp $ */ #include #include @@ -33,6 +33,7 @@ #include #include #include +#include #include #include #include 
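Review bot: In `maybe_numeric` the copy `strncpy(buffer, source->base, NUMBERSIZE)` reads up to NUMBERSIZE bytes from a text region whose only bound is `source->length`, so it over-reads the caller's buffer when no NUL follows within that distance, and the subsequent `INSIST(buffer[source->length] == '\0')` aborts the process instead of returning an error whenever the region is not NUL-terminated exactly at its length. Copy the bounded length and terminate it yourself: `memcpy(buffer, source->base, source->length); buffer[source->length] = '\0';` (the earlier `source->length > NUMBERSIZE - 1` check already guarantees it fits). In `dns_keyflags_fromtext` the lookup `strncasecmp(p->name, text, len) == 0` compares only `len` characters, so a token that is a prefix of a flag name (`NO`, `S`) matches the first such table entry and an empty token (`ZONE|`, `||`) matches `NOCONF` with `len == 0`; require a full-length match with `if (strlen(p->name) == len && strncasecmp(p->name, text, len) == 0)`. Both functions are moved here from rdata.c, so the removed copies carried the same issues.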
@@ -244,122 +245,6 @@ static const char decdigits[] = "0123456789"; #define META 0x0001 #define RESERVED 0x0002 -#define RCODENAMES \ - /* standard rcodes */ \ - { dns_rcode_noerror, "NOERROR", 0}, \ - { dns_rcode_formerr, "FORMERR", 0}, \ - { dns_rcode_servfail, "SERVFAIL", 0}, \ - { dns_rcode_nxdomain, "NXDOMAIN", 0}, \ - { dns_rcode_notimp, "NOTIMP", 0}, \ - { dns_rcode_refused, "REFUSED", 0}, \ - { dns_rcode_yxdomain, "YXDOMAIN", 0}, \ - { dns_rcode_yxrrset, "YXRRSET", 0}, \ - { dns_rcode_nxrrset, "NXRRSET", 0}, \ - { dns_rcode_notauth, "NOTAUTH", 0}, \ - { dns_rcode_notzone, "NOTZONE", 0}, - -#define ERCODENAMES \ - /* extended rcodes */ \ - { dns_rcode_badvers, "BADVERS", 0}, \ - { 0, NULL, 0 } - -#define TSIGRCODENAMES \ - /* extended rcodes */ \ - { dns_tsigerror_badsig, "BADSIG", 0}, \ - { dns_tsigerror_badkey, "BADKEY", 0}, \ - { dns_tsigerror_badtime, "BADTIME", 0}, \ - { dns_tsigerror_badmode, "BADMODE", 0}, \ - { dns_tsigerror_badname, "BADNAME", 0}, \ - { dns_tsigerror_badalg, "BADALG", 0}, \ - { 0, NULL, 0 } - -/* RFC2538 section 2.1 */ - -#define CERTNAMES \ - { 1, "PKIX", 0}, \ - { 2, "SPKI", 0}, \ - { 3, "PGP", 0}, \ - { 253, "URI", 0}, \ - { 254, "OID", 0}, \ - { 0, NULL, 0} - -/* RFC2535 section 7, RFC3110 */ - -#define SECALGNAMES \ - { DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, \ - { DNS_KEYALG_RSAMD5, "RSA", 0 }, \ - { DNS_KEYALG_DH, "DH", 0 }, \ - { DNS_KEYALG_DSA, "DSA", 0 }, \ - { DNS_KEYALG_ECC, "ECC", 0 }, \ - { DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \ - { DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \ - { DNS_KEYALG_PRIVATEDNS, "PRIVATEDNS", 0 }, \ - { DNS_KEYALG_PRIVATEOID, "PRIVATEOID", 0 }, \ - { 0, NULL, 0} - -/* RFC2535 section 7.1 */ - -#define SECPROTONAMES \ - { 0, "NONE", 0 }, \ - { 1, "TLS", 0 }, \ - { 2, "EMAIL", 0 }, \ - { 3, "DNSSEC", 0 }, \ - { 4, "IPSEC", 0 }, \ - { 255, "ALL", 0 }, \ - { 0, NULL, 0} - -struct tbl { - unsigned int value; - const char *name; - int flags; -}; - -static struct tbl rcodes[] = { RCODENAMES ERCODENAMES }; -static 
struct tbl tsigrcodes[] = { RCODENAMES TSIGRCODENAMES }; -static struct tbl certs[] = { CERTNAMES }; -static struct tbl secalgs[] = { SECALGNAMES }; -static struct tbl secprotos[] = { SECPROTONAMES }; - -static struct keyflag { - const char *name; - unsigned int value; - unsigned int mask; -} keyflags[] = { - { "NOCONF", 0x4000, 0xC000 }, - { "NOAUTH", 0x8000, 0xC000 }, - { "NOKEY", 0xC000, 0xC000 }, - { "FLAG2", 0x2000, 0x2000 }, - { "EXTEND", 0x1000, 0x1000 }, - { "FLAG4", 0x0800, 0x0800 }, - { "FLAG5", 0x0400, 0x0400 }, - { "USER", 0x0000, 0x0300 }, - { "ZONE", 0x0100, 0x0300 }, - { "HOST", 0x0200, 0x0300 }, - { "NTYP3", 0x0300, 0x0300 }, - { "FLAG8", 0x0080, 0x0080 }, - { "FLAG9", 0x0040, 0x0040 }, - { "FLAG10", 0x0020, 0x0020 }, - { "FLAG11", 0x0010, 0x0010 }, - { "SIG0", 0x0000, 0x000F }, - { "SIG1", 0x0001, 0x000F }, - { "SIG2", 0x0002, 0x000F }, - { "SIG3", 0x0003, 0x000F }, - { "SIG4", 0x0004, 0x000F }, - { "SIG5", 0x0005, 0x000F }, - { "SIG6", 0x0006, 0x000F }, - { "SIG7", 0x0007, 0x000F }, - { "SIG8", 0x0008, 0x000F }, - { "SIG9", 0x0009, 0x000F }, - { "SIG10", 0x000A, 0x000F }, - { "SIG11", 0x000B, 0x000F }, - { "SIG12", 0x000C, 0x000F }, - { "SIG13", 0x000D, 0x000F }, - { "SIG14", 0x000E, 0x000F }, - { "SIG15", 0x000F, 0x000F }, - { "KSK", DNS_KEYFLAG_KSK, DNS_KEYFLAG_KSK }, - { NULL, 0, 0 } -}; - /*** *** Initialization ***/ 
@@ -987,199 +872,12 @@ dns_rdata_checknames(dns_rdata_t *rdata, dns_name_t *owner, dns_name_t *bad) unsigned int dns_rdatatype_attributes(dns_rdatatype_t type) { - if (type < (sizeof(typeattr)/sizeof(typeattr[0]))) - return (typeattr[type].flags); + RDATATYPE_ATTRIBUTE_SW + if (type >= (dns_rdatatype_t)128 && type < (dns_rdatatype_t)255) + return (DNS_RDATATYPEATTR_UNKNOWN | DNS_RDATATYPEATTR_META); return (DNS_RDATATYPEATTR_UNKNOWN); } -#define NUMBERSIZE sizeof("037777777777") /* 2^32-1 octal + NUL */ - -/* - * If 'source' contains a decimal number no larger than 'max', - * store it at '*value' and return ISC_R_SUCCESS. If out of - * range return ISC_R_RANGE; if not a number, return - * ISC_R_BADNUMBER. - */ -static isc_result_t -maybe_numeric(unsigned int *valuep, isc_textregion_t *source, - unsigned int max, isc_boolean_t hex_allowed) -{ - isc_result_t result; - isc_uint32_t n; - char buffer[NUMBERSIZE]; - - if (! isdigit(source->base[0] & 0xff) || - source->length > NUMBERSIZE - 1) - return (ISC_R_BADNUMBER); - - /* - * We have a potential number. Try to parse it with - * isc_parse_uint32(). isc_parse_uint32() requires - * null termination, so we must make a copy. 
- */ - strncpy(buffer, source->base, NUMBERSIZE); - INSIST(buffer[source->length] == '\0'); - - result = isc_parse_uint32(&n, buffer, 10); - if (result == ISC_R_BADNUMBER && hex_allowed) - result = isc_parse_uint32(&n, buffer, 16); - if (result != ISC_R_SUCCESS) - return (result); - if (n > max) - return (ISC_R_RANGE); - *valuep = n; - return (ISC_R_SUCCESS); -} - -static isc_result_t -dns_mnemonic_fromtext(unsigned int *valuep, isc_textregion_t *source, - struct tbl *table, unsigned int max) -{ - isc_result_t result; - int i; - - result = maybe_numeric(valuep, source, max, ISC_FALSE); - if (result != ISC_R_BADNUMBER) - return (result); - - for (i = 0; table[i].name != NULL; i++) { - unsigned int n; - n = strlen(table[i].name); - if (n == source->length && - strncasecmp(source->base, table[i].name, n) == 0) { - *valuep = table[i].value; - return (ISC_R_SUCCESS); - } - } - return (DNS_R_UNKNOWN); -} - -static isc_result_t -dns_mnemonic_totext(unsigned int value, isc_buffer_t *target, - struct tbl *table) -{ - int i = 0; - char buf[sizeof("4294967296")]; - while (table[i].name != NULL) { - if (table[i].value == value) { - return (str_totext(table[i].name, target)); - } - i++; - } - snprintf(buf, sizeof(buf), "%u", value); - return (str_totext(buf, target)); -} - - -/* - * This uses lots of hard coded values, but how often do we actually - * add classes? - */ -isc_result_t -dns_rdataclass_fromtext(dns_rdataclass_t *classp, isc_textregion_t *source) { -#define COMPARE(string, rdclass) \ - if (((sizeof(string) - 1) == source->length) \ - && (strncasecmp(source->base, string, source->length) == 0)) { \ - *classp = rdclass; \ - return (ISC_R_SUCCESS); \ - } - - switch (tolower((unsigned char)source->base[0])) { - case 'a': - COMPARE("any", dns_rdataclass_any); - break; - case 'c': - /* - * RFC1035 says the mnemonic for the CHAOS class is CH, - * but historical BIND practice is to call it CHAOS. - * We will accept both forms, but only generate CH. 
- */ - COMPARE("ch", dns_rdataclass_chaos); - COMPARE("chaos", dns_rdataclass_chaos); - - if (source->length > 5 && - source->length < (5 + sizeof("65000")) && - strncasecmp("class", source->base, 5) == 0) { - char buf[sizeof("65000")]; - char *endp; - unsigned int val; - - strncpy(buf, source->base + 5, source->length - 5); - buf[source->length - 5] = '\0'; - val = strtoul(buf, &endp, 10); - if (*endp == '\0' && val <= 0xffff) { - *classp = (dns_rdataclass_t)val; - return (ISC_R_SUCCESS); - } - } - break; - case 'h': - COMPARE("hs", dns_rdataclass_hs); - COMPARE("hesiod", dns_rdataclass_hs); - break; - case 'i': - COMPARE("in", dns_rdataclass_in); - break; - case 'n': - COMPARE("none", dns_rdataclass_none); - break; - case 'r': - COMPARE("reserved0", dns_rdataclass_reserved0); - break; - } - -#undef COMPARE - - return (DNS_R_UNKNOWN); -} - -isc_result_t -dns_rdataclass_totext(dns_rdataclass_t rdclass, isc_buffer_t *target) { - char buf[sizeof("CLASS65535")]; - - switch (rdclass) { - case dns_rdataclass_any: - return (str_totext("ANY", target)); - case dns_rdataclass_chaos: - return (str_totext("CH", target)); - case dns_rdataclass_hs: - return (str_totext("HS", target)); - case dns_rdataclass_in: - return (str_totext("IN", target)); - case dns_rdataclass_none: - return (str_totext("NONE", target)); - case dns_rdataclass_reserved0: - return (str_totext("RESERVED0", target)); - default: - snprintf(buf, sizeof(buf), "CLASS%u", rdclass); - return (str_totext(buf, target)); - } -} - -void -dns_rdataclass_format(dns_rdataclass_t rdclass, - char *array, unsigned int size) -{ - isc_result_t result; - isc_buffer_t buf; - - isc_buffer_init(&buf, array, size); - result = dns_rdataclass_totext(rdclass, &buf); - /* - * Null terminate. 
- */ - if (result == ISC_R_SUCCESS) { - if (isc_buffer_availablelength(&buf) >= 1) - isc_buffer_putuint8(&buf, 0); - else - result = ISC_R_NOSPACE; - } - if (result != ISC_R_SUCCESS) { - snprintf(array, size, ""); - array[size - 1] = '\0'; - } -} - isc_result_t dns_rdatatype_fromtext(dns_rdatatype_t *typep, isc_textregion_t *source) { unsigned int hash; @@ -1225,8 +923,7 @@ isc_result_t dns_rdatatype_totext(dns_rdatatype_t type, isc_buffer_t *target) { char buf[sizeof("TYPE65535")]; - if (type < (sizeof(typeattr)/sizeof(typeattr[0]))) - return (str_totext(typeattr[type].name, target)); + RDATATYPE_TOTEXT_SW snprintf(buf, sizeof(buf), "TYPE%u", type); return (str_totext(buf, target)); } 
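Review bot: The new fallback in dns_rdatatype_attributes returns `DNS_RDATATYPEATTR_UNKNOWN | DNS_RDATATYPEATTR_META` for types 128..254 without saying why that range is special or why 255 is excluded; a one-line comment would save the next reader a trip to the RFC, e.g. `/* 128-255 is the reserved Q/Meta-TYPE range (RFC 2929 sec. 3.1); ANY (255) is expected to be handled by RDATATYPE_ATTRIBUTE_SW. */`. RDATATYPE_ATTRIBUTE_SW is defined outside this hunk, so whether it actually covers 255 and returns for every known type, leaving only unknown types to reach the range test, cannot be confirmed from here and is worth checking in the generated header. The `(dns_rdatatype_t)128` and `(dns_rdatatype_t)255` casts are harmless, but if dns_rdatatype_t is the 16-bit type the `TYPE65535` buffer in dns_rdatatype_totext suggests, plain integer literals would read the same.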
@@ -1255,121 +952,6 @@ dns_rdatatype_format(dns_rdatatype_t rdtype, } } - -/* XXXRTH Should we use a hash table here? */ - -isc_result_t -dns_rcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source) { - unsigned int value; - RETERR(dns_mnemonic_fromtext(&value, source, rcodes, 0xffff)); - *rcodep = value; - return (ISC_R_SUCCESS); -} - -isc_result_t -dns_rcode_totext(dns_rcode_t rcode, isc_buffer_t *target) { - return (dns_mnemonic_totext(rcode, target, rcodes)); -} - -isc_result_t -dns_tsigrcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source) { - unsigned int value; - RETERR(dns_mnemonic_fromtext(&value, source, tsigrcodes, 0xffff)); - *rcodep = value; - return (ISC_R_SUCCESS); -} - -isc_result_t -dns_tsigrcode_totext(dns_rcode_t rcode, isc_buffer_t *target) { - return (dns_mnemonic_totext(rcode, target, tsigrcodes)); -} - -isc_result_t -dns_cert_fromtext(dns_cert_t *certp, isc_textregion_t *source) { - unsigned int value; - RETERR(dns_mnemonic_fromtext(&value, source, certs, 0xffff)); - *certp = value; - return (ISC_R_SUCCESS); -} - -isc_result_t -dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) { - return (dns_mnemonic_totext(cert, target, certs)); -} - -isc_result_t -dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source) { - unsigned int value; - RETERR(dns_mnemonic_fromtext(&value, source, secalgs, 0xff)); - *secalgp = value; - return (ISC_R_SUCCESS); -} - -isc_result_t -dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target) { - return (dns_mnemonic_totext(secalg, target, secalgs)); -} - -isc_result_t -dns_secproto_fromtext(dns_secproto_t *secprotop, isc_textregion_t *source) { - unsigned int value; - RETERR(dns_mnemonic_fromtext(&value, source, secprotos, 0xff)); - *secprotop = value; - return (ISC_R_SUCCESS); -} - -isc_result_t -dns_secproto_totext(dns_secproto_t secproto, isc_buffer_t *target) { - return (dns_mnemonic_totext(secproto, target, secprotos)); -} - -isc_result_t -dns_keyflags_fromtext(dns_keyflags_t 
*flagsp, isc_textregion_t *source) -{ - isc_result_t result; - char *text, *end; - unsigned int value, mask; - - result = maybe_numeric(&value, source, 0xffff, ISC_TRUE); - if (result == ISC_R_SUCCESS) { - *flagsp = value; - return (ISC_R_SUCCESS); - } - if (result != ISC_R_BADNUMBER) - return (result); - - text = source->base; - end = source->base + source->length; - value = mask = 0; - - while (text < end) { - struct keyflag *p; - unsigned int len; - char *delim = memchr(text, '|', end - text); - if (delim != NULL) - len = delim - text; - else - len = end - text; - for (p = keyflags; p->name != NULL; p++) { - if (strncasecmp(p->name, text, len) == 0) - break; - } - if (p->name == NULL) - return (DNS_R_UNKNOWNFLAG); - value |= p->value; -#ifdef notyet - if ((mask & p->mask) != 0) - warn("overlapping key flags"); -#endif - mask |= p->mask; - text += len; - if (delim != NULL) - text++; /* Skip "|" */ - } - *flagsp = value; - return (ISC_R_SUCCESS); -} - /* * Private function. */ diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 9479916c9b..b71feb6598 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.283 2004/03/05 05:09:24 marka Exp $ */ +/* $Id: resolver.c,v 1.284 2004/03/16 05:52:19 marka Exp $ */ #include @@ -6272,7 +6272,7 @@ dns_resolver_disable_algorithm(dns_resolver_t *resolver, dns_name_t *name, RWUNLOCK(&resolver->alglock, isc_rwlocktype_write); #endif return (result); -}; +} isc_boolean_t dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name, @@ -6307,4 +6307,4 @@ dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name, if (found) return (ISC_FALSE); return (dst_algorithm_supported(alg)); -}; +} diff --git a/lib/dns/time.c b/lib/dns/time.c index b60a933daf..b40f0b9e61 100644 --- a/lib/dns/time.c +++ b/lib/dns/time.c 
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: time.c,v 1.25 2004/03/05 05:09:25 marka Exp $ */
+/* $Id: time.c,v 1.26 2004/03/16 05:52:19 marka Exp $ */
 #include
@@ -165,7 +165,7 @@ dns_time32_fromtext(const char *source, isc_uint32_t *target) {
 result = dns_time64_fromtext(source, &value64);
 if (result != ISC_R_SUCCESS)
 return (result);
- *target = value64;
+ *target = (isc_uint32_t)value64;
 return (ISC_R_SUCCESS);
 }
diff --git a/lib/dns/win32/libdns.def b/lib/dns/win32/libdns.def
index 9fc1715cfd..3cfc35f09f 100644
--- a/lib/dns/win32/libdns.def
+++ b/lib/dns/win32/libdns.def
@@ -3,11 +3,6 @@ LIBRARY libdns
 ; Exported Functions
 EXPORTS
-dns_a6_init
-dns_a6_reset
-dns_a6_invalidate
-dns_a6_copy
-dns_a6_foreach
 dns_acl_create
 dns_acl_appendelement
 dns_acl_any
@@ -275,9 +270,6 @@ dns_message_setsortorder
 dns_message_rendersection
 dns_message_settimeadjust
 dns_message_gettimeadjust
-dns_label_type
-dns_label_countbits
-dns_label_getbit
 dns_name_init
 dns_name_reset
 dns_name_invalidate
@@ -285,7 +277,6 @@ dns_name_setbuffer
 dns_name_hasbuffer
 dns_name_isabsolute
 dns_name_iswildcard
-dns_name_requiresedns
 dns_name_hash
 dns_name_fullcompare
 dns_name_compare
@@ -293,7 +284,6 @@ dns_name_equal
 dns_name_rdatacompare
 dns_name_issubdomain
 dns_name_matcheswildcard
-dns_name_depth
 dns_name_countlabels
 dns_name_getlabel
 dns_name_getlabelsequence
@@ -308,7 +298,6 @@ dns_name_tofilenametext
 dns_name_downcase
 dns_name_concatenate
 dns_name_split
-dns_name_splitatdepth
 dns_name_dup
 dns_name_dupwithoffsets
 dns_name_free
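Review bot: The cast `*target = (isc_uint32_t)value64;` makes the narrowing explicit but still wraps silently whenever dns_time64_fromtext yields a value that does not fit in 32 bits; that function's own range checks are outside this hunk, so it is not visible here whether such values can reach this store. If the wrap is intended (SIG times are 32-bit quantities compared with RFC 1982 serial-number arithmetic), say so with a comment such as `/* Truncation is intentional: 32-bit DNS times wrap modulo 2^32. */`; otherwise reject out-of-range input with `if (value64 > 0xffffffffU) return (ISC_R_RANGE);` before the assignment. Either way the function's header comment should state which of the two a caller gets.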
@@ -738,3 +727,26 @@ dns_zone_getupdatedisabled dns_zone_getkeydirectory dns_zone_setkeydirectory dns_dnssec_findzonekeys2 +dns_zone_fulldumptostream +dns_request_createvia3 +dns_zone_setaltxfrsource4 +dns_zone_setaltxfrsource6 +dns_zone_checknames +dns_zonemgr_resumexfrs +dns_portlist_add +dns_resolver_getudpsize +dns_acl_elementmatch +dns_rdata_checkowner +dns_rdataset_getnoqname +dns_portlist_detach +dns_dispatchmgr_setblackportlist +dns_portlist_create +dns_view_excludedelegationonly +dns_view_setrootdelonly +dns_resolver_reset_algorithms +dns_resolver_setudpsize +dns_peer_settransfersource +dns_resolver_disable_algorithm +dns_resolver_addalternate +dns_view_adddelegationonly + diff --git a/lib/dns/win32/libdns.dsp b/lib/dns/win32/libdns.dsp index 11438fd4f7..78ff41330d 100644 --- a/lib/dns/win32/libdns.dsp +++ b/lib/dns/win32/libdns.dsp 
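Review bot: The export list adds dns_resolver_disable_algorithm and dns_resolver_reset_algorithms but not dns_resolver_algorithm_supported, which the resolver.c hunks in this same patch show as a public function defined right after dns_resolver_disable_algorithm; unless it is already listed earlier in libdns.def (not visible here), Win32 callers of it will fail to link, so `dns_resolver_algorithm_supported` should be added next to those two. The hunk also appends an empty line after dns_view_adddelegationonly; it is harmless, but the rest of the file has none and it is easy to drop.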
@@ -43,7 +43,7 @@ RSC=rc.exe # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libdns_EXPORTS" /YX /FD /c -# ADD CPP /nologo /MD /W3 /GX /O2 /I "../../../../../openssl-0.9.6g/inc32/openssl/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/sec/dst/include" /I "../../../../openssl-0.9.6g/inc32" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /YX /FD /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "../../../../../openssl-0.9.6k/inc32/openssl/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/sec/dst/include" /I "../../../../openssl-0.9.6k/inc32" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /YX /FD /c # SUBTRACT CPP /X # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 @@ -54,7 +54,7 @@ BSC32=bscmake.exe # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 -# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib ../../../../openssl-0.9.6g/out32dll/libeay32.lib /nologo /dll /machine:I386 /out:"../../../Build/Release/libdns.dll" +# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib ../../../../openssl-0.9.6k/out32dll/libeay32.lib /nologo /dll /machine:I386 /out:"../../../Build/Release/libdns.dll" !ELSEIF "$(CFG)" == "libdns - Win32 Debug" 
@@ -70,7 +70,7 @@ LINK32=link.exe # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libdns_EXPORTS" /YX /FD /GZ /c -# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/sec/dst/include" /I "../../../../openssl-0.9.6g/inc32" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /FR /YX /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/sec/dst/include" /I "../../../../openssl-0.9.6k/inc32" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /FR /YX /FD /GZ /c # SUBTRACT CPP /X # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 @@ -81,7 +81,7 @@ BSC32=bscmake.exe # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept -# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/debug/libisc.lib ../../../../openssl-0.9.6g/out32dll/libeay32.lib /nologo /dll /map /debug /machine:I386 /out:"../../../Build/Debug/libdns.dll" /pdbtype:sept +# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/debug/libisc.lib ../../../../openssl-0.9.6k/out32dll/libeay32.lib /nologo /dll /map /debug /machine:I386 /out:"../../../Build/Debug/libdns.dll" /pdbtype:sept !ENDIF 
@@ -98,10 +98,6 @@ LINK32=link.exe # PROP Default_Filter "h;hpp;hxx;hm;inl" # Begin Source File -SOURCE=..\include\dns\a6.h -# End Source File -# Begin Source File - SOURCE=..\include\dns\acl.h # End Source File # Begin Source File @@ -246,6 +242,10 @@ SOURCE=..\include\dns\peer.h # End Source File # Begin Source File +SOURCE=..\include\dns\portlist.h +# End Source File +# Begin Source File + SOURCE=..\include\dns\rbt.h # End Source File # Begin Source File @@ -398,10 +398,6 @@ SOURCE=..\include\dns\zt.h # PROP Default_Filter "c" # Begin Source File -SOURCE=..\a6.c -# End Source File -# Begin Source File - SOURCE=..\acl.c # End Source File # Begin Source File @@ -523,6 +519,10 @@ SOURCE=..\peer.c # End Source File # Begin Source File +SOURCE=..\portlist.c +# End Source File +# Begin Source File + SOURCE=..\rbt.c # End Source File # Begin Source File @@ -535,6 +535,10 @@ SOURCE=..\rbtdb64.c # End Source File # Begin Source File +SOURCE=..\rcode.c +# End Source File +# Begin Source File + SOURCE=..\rdata.c # End Source File # Begin Source File diff --git a/lib/dns/win32/libdns.mak b/lib/dns/win32/libdns.mak index bbb1e26ee8..64b70be59f 100644 --- a/lib/dns/win32/libdns.mak +++ b/lib/dns/win32/libdns.mak @@ -45,7 +45,6 @@ CLEAN :"libisc - Win32 ReleaseCLEAN" !ELSE CLEAN : !ENDIF - -@erase "$(INTDIR)\a6.obj" -@erase "$(INTDIR)\acl.obj" -@erase "$(INTDIR)\adb.obj" -@erase "$(INTDIR)\byaddr.obj" @@ -86,9 +85,11 @@ CLEAN : -@erase "$(INTDIR)\opensslrsa_link.obj" -@erase "$(INTDIR)\order.obj" -@erase "$(INTDIR)\peer.obj" + -@erase "$(INTDIR)\portlist.obj" -@erase "$(INTDIR)\rbt.obj" -@erase "$(INTDIR)\rbtdb.obj" -@erase "$(INTDIR)\rbtdb64.obj" + -@erase "$(INTDIR)\rcode.obj" -@erase "$(INTDIR)\rdata.obj" -@erase "$(INTDIR)\rdatalist.obj" -@erase "$(INTDIR)\rdataset.obj" 
@@ -124,7 +125,7 @@ CLEAN : if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)" CPP=cl.exe -CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "../../../../../openssl-0.9.6g/inc32/openssl/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/sec/dst/include" /I "../../../../openssl-0.9.6g/inc32" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /Fp"$(INTDIR)\libdns.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c +CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "../../../../../openssl-0.9.6k/inc32/openssl/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/sec/dst/include" /I "../../../../openssl-0.9.6k/inc32" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /Fp"$(INTDIR)\libdns.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c .c{$(INTDIR)}.obj:: $(CPP) @<< @@ -164,11 +165,10 @@ BSC32_FLAGS=/nologo /o"$(OUTDIR)\libdns.bsc" BSC32_SBRS= \ LINK32=link.exe -LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib ../../../../openssl-0.9.6g/out32dll/libeay32.lib /nologo /dll /incremental:no /pdb:"$(OUTDIR)\libdns.pdb" /machine:I386 /def:".\libdns.def" /out:"../../../Build/Release/libdns.dll" /implib:"$(OUTDIR)\libdns.lib" +LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib ../../../../openssl-0.9.6k/out32dll/libeay32.lib /nologo /dll /incremental:no /pdb:"$(OUTDIR)\libdns.pdb" /machine:I386 /def:".\libdns.def" /out:"../../../Build/Release/libdns.dll" /implib:"$(OUTDIR)\libdns.lib" DEF_FILE= \ ".\libdns.def" LINK32_OBJS= \ - "$(INTDIR)\a6.obj" \ "$(INTDIR)\acl.obj" \ "$(INTDIR)\adb.obj" \ "$(INTDIR)\byaddr.obj" \ 
@@ -197,9 +197,11 @@ LINK32_OBJS= \ "$(INTDIR)\nsec.obj" \ "$(INTDIR)\order.obj" \ "$(INTDIR)\peer.obj" \ + "$(INTDIR)\portlist.obj" \ "$(INTDIR)\rbt.obj" \ "$(INTDIR)\rbtdb.obj" \ "$(INTDIR)\rbtdb64.obj" \ + "$(INTDIR)\rcode.obj" \ "$(INTDIR)\rdata.obj" \ "$(INTDIR)\rdatalist.obj" \ "$(INTDIR)\rdataset.obj" \ @@ -268,8 +270,6 @@ CLEAN :"libisc - Win32 DebugCLEAN" !ELSE CLEAN : !ENDIF - -@erase "$(INTDIR)\a6.obj" - -@erase "$(INTDIR)\a6.sbr" -@erase "$(INTDIR)\acl.obj" -@erase "$(INTDIR)\acl.sbr" -@erase "$(INTDIR)\adb.obj" @@ -350,12 +350,16 @@ CLEAN : -@erase "$(INTDIR)\order.sbr" -@erase "$(INTDIR)\peer.obj" -@erase "$(INTDIR)\peer.sbr" + -@erase "$(INTDIR)\portlist.obj" + -@erase "$(INTDIR)\portlist.sbr" -@erase "$(INTDIR)\rbt.obj" -@erase "$(INTDIR)\rbt.sbr" -@erase "$(INTDIR)\rbtdb.obj" -@erase "$(INTDIR)\rbtdb.sbr" -@erase "$(INTDIR)\rbtdb64.obj" -@erase "$(INTDIR)\rbtdb64.sbr" + -@erase "$(INTDIR)\rcode.obj" + -@erase "$(INTDIR)\rcode.sbr" -@erase "$(INTDIR)\rdata.obj" -@erase "$(INTDIR)\rdata.sbr" -@erase "$(INTDIR)\rdatalist.obj" 
@@ -422,7 +426,7 @@ CLEAN : if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)" CPP=cl.exe -CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/sec/dst/include" /I "../../../../openssl-0.9.6g/inc32" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libdns.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c +CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/sec/dst/include" /I "../../../../openssl-0.9.6k/inc32" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libdns.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c .c{$(INTDIR)}.obj:: $(CPP) @<< @@ -460,7 +464,6 @@ RSC=rc.exe BSC32=bscmake.exe BSC32_FLAGS=/nologo /o"$(OUTDIR)\libdns.bsc" BSC32_SBRS= \ - "$(INTDIR)\a6.sbr" \ "$(INTDIR)\acl.sbr" \ "$(INTDIR)\adb.sbr" \ "$(INTDIR)\byaddr.sbr" \ @@ -489,9 +492,11 @@ BSC32_SBRS= \ "$(INTDIR)\nsec.sbr" \ "$(INTDIR)\order.sbr" \ "$(INTDIR)\peer.sbr" \ + "$(INTDIR)\portlist.sbr" \ "$(INTDIR)\rbt.sbr" \ "$(INTDIR)\rbtdb.sbr" \ "$(INTDIR)\rbtdb64.sbr" \ + "$(INTDIR)\rcode.sbr" \ "$(INTDIR)\rdata.sbr" \ "$(INTDIR)\rdatalist.sbr" \ "$(INTDIR)\rdataset.sbr" \ 
@@ -537,11 +542,10 @@ BSC32_SBRS= \ << LINK32=link.exe -LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/debug/libisc.lib ../../../../openssl-0.9.6g/out32dll/libeay32.lib /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\libdns.pdb" /map:"$(INTDIR)\libdns.map" /debug /machine:I386 /def:".\libdns.def" /out:"../../../Build/Debug/libdns.dll" /implib:"$(OUTDIR)\libdns.lib" /pdbtype:sept +LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/debug/libisc.lib ../../../../openssl-0.9.6k/out32dll/libeay32.lib /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\libdns.pdb" /map:"$(INTDIR)\libdns.map" /debug /machine:I386 /def:".\libdns.def" /out:"../../../Build/Debug/libdns.dll" /implib:"$(OUTDIR)\libdns.lib" /pdbtype:sept DEF_FILE= \ ".\libdns.def" LINK32_OBJS= \ - "$(INTDIR)\a6.obj" \ "$(INTDIR)\acl.obj" \ "$(INTDIR)\adb.obj" \ "$(INTDIR)\byaddr.obj" \ @@ -570,9 +574,11 @@ LINK32_OBJS= \ "$(INTDIR)\nsec.obj" \ "$(INTDIR)\order.obj" \ "$(INTDIR)\peer.obj" \ + "$(INTDIR)\portlist.obj" \ "$(INTDIR)\rbt.obj" \ "$(INTDIR)\rbtdb.obj" \ "$(INTDIR)\rbtdb64.obj" \ + "$(INTDIR)\rcode.obj" \ "$(INTDIR)\rdata.obj" \ "$(INTDIR)\rdatalist.obj" \ "$(INTDIR)\rdataset.obj" \ @@ -631,24 +637,6 @@ LINK32_OBJS= \ !IF "$(CFG)" == "libdns - Win32 Release" || "$(CFG)" == "libdns - Win32 Debug" -SOURCE=..\a6.c - -!IF "$(CFG)" == "libdns - Win32 Release" - - -"$(INTDIR)\a6.obj" : $(SOURCE) "$(INTDIR)" - $(CPP) $(CPP_PROJ) $(SOURCE) - - -!ELSEIF "$(CFG)" == "libdns - Win32 Debug" - - -"$(INTDIR)\a6.obj" "$(INTDIR)\a6.sbr" : $(SOURCE) "$(INTDIR)" - $(CPP) $(CPP_PROJ) $(SOURCE) - - -!ENDIF - SOURCE=..\acl.c !IF "$(CFG)" == "libdns - Win32 Release" 
@@ -833,7 +821,7 @@ SOURCE=..\dispatch.c !IF "$(CFG)" == "libdns - Win32 Release" -CPP_SWITCHES=/nologo /MD /W3 /GX /O2 /I "../../../../../openssl-0.9.6g/inc32/openssl/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/sec/dst/include" /I "../../../../openssl-0.9.6g/inc32" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /Fp"$(INTDIR)\libdns.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c +CPP_SWITCHES=/nologo /MD /W3 /GX /O2 /I "../../../../../openssl-0.9.6k/inc32/openssl/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/sec/dst/include" /I "../../../../openssl-0.9.6k/inc32" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /Fp"$(INTDIR)\libdns.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c "$(INTDIR)\dispatch.obj" : $(SOURCE) "$(INTDIR)" $(CPP) @<< 
@@ -843,7 +831,7 @@ CPP_SWITCHES=/nologo /MD /W3 /GX /O2 /I "../../../../../openssl-0.9.6g/inc32/ope !ELSEIF "$(CFG)" == "libdns - Win32 Debug" -CPP_SWITCHES=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/sec/dst/include" /I "../../../../openssl-0.9.6g/inc32" /I "../sec/dst/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libdns.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c +CPP_SWITCHES=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/sec/dst/include" /I "../../../../openssl-0.9.6k/inc32" /I "../sec/dst/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libdns.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c "$(INTDIR)\dispatch.obj" "$(INTDIR)\dispatch.sbr" : $(SOURCE) "$(INTDIR)" $(CPP) @<< @@ -1155,6 +1143,25 @@ SOURCE=..\peer.c $(CPP) $(CPP_PROJ) $(SOURCE) +!ENDIF + + +SOURCE=..\portlist.c + +!IF "$(CFG)" == "libdns - Win32 Release" + + +"$(INTDIR)\portlist.obj" : $(SOURCE) "$(INTDIR)" + $(CPP) $(CPP_PROJ) $(SOURCE) + + +!ELSEIF "$(CFG)" == "libdns - Win32 Debug" + + +"$(INTDIR)\portlist.obj" "$(INTDIR)\portlist.sbr" : $(SOURCE) "$(INTDIR)" + $(CPP) $(CPP_PROJ) $(SOURCE) + + !ENDIF SOURCE=..\rbt.c 
@@ -1209,6 +1216,24 @@ SOURCE=..\rbtdb64.c $(CPP) $(CPP_PROJ) $(SOURCE) +!ENDIF + +SOURCE=..\rcode.c + +!IF "$(CFG)" == "libdns - Win32 Release" + + +"$(INTDIR)\rcode.obj" : $(SOURCE) "$(INTDIR)" + $(CPP) $(CPP_PROJ) $(SOURCE) + + +!ELSEIF "$(CFG)" == "libdns - Win32 Debug" + + +"$(INTDIR)\rcode.obj" "$(INTDIR)\rcode.sbr" : $(SOURCE) "$(INTDIR)" + $(CPP) $(CPP_PROJ) $(SOURCE) + + !ENDIF SOURCE=..\rdata.c diff --git a/lib/isc/log.c b/lib/isc/log.c index 8afc2ec7c1..4a98e46398 100644 --- a/lib/isc/log.c +++ b/lib/isc/log.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: log.c,v 1.83 2004/03/05 05:10:46 marka Exp $ */ +/* $Id: log.c,v 1.84 2004/03/16 05:52:20 marka Exp $ */ /* Principal Authors: DCL */ @@ -27,7 +27,6 @@ #include #include /* dev_t FreeBSD 2.1 */ -#include #include #include @@ -36,6 +35,7 @@ #include #include #include +#include #include #include #include diff --git a/lib/isc/netscope.c b/lib/isc/netscope.c index f92668768f..701999077d 100644 --- a/lib/isc/netscope.c +++ b/lib/isc/netscope.c @@ -17,7 +17,7 @@ #if defined(LIBC_SCCS) && !defined(lint) static char rcsid[] = - "$Id: netscope.c,v 1.6 2004/03/05 05:10:47 marka Exp $"; + "$Id: netscope.c,v 1.7 2004/03/16 05:52:20 marka Exp $"; #endif /* LIBC_SCCS and not lint */ #include @@ -28,7 +28,9 @@ static char rcsid[] = isc_result_t isc_netscope_pton(int af, char *scopename, void *addr, isc_uint32_t *zoneid) { char *ep; +#ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX unsigned int ifid; +#endif struct in6_addr *in6; isc_uint32_t zone; isc_uint64_t llz; diff --git a/lib/isc/unix/entropy.c b/lib/isc/unix/entropy.c index 22ea16899e..3ae3bd3a51 100644 --- a/lib/isc/unix/entropy.c +++ b/lib/isc/unix/entropy.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: entropy.c,v 1.70 2004/03/05 05:11:44 marka Exp $ */ +/* $Id: entropy.c,v 1.71 2004/03/16 05:52:21 marka Exp $ */ /* * This is the system depenedent part of the ISC entropy API. 
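Review bot: The new `#ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX` guard in netscope.c covers only the declaration of `ifid`; every use of `ifid` in isc_netscope_pton lies outside this hunk and must sit under the same guard, otherwise the build breaks on exactly the platforms the guard is meant to help. Worth a quick check of the rest of the function, and a short comment on the guard so the pairing is obvious, e.g. `/* ifid is only used when if_nametoindex() is available. */`. isc_netscope_pton's body continues past the hunk.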
@@ -189,7 +189,7 @@ get_from_usocketsource(isc_entropysource_t *source, isc_uint32_t desired) {
 /*FALLTHROUGH*/
 case isc_usocketsource_reading:
- if (sz_to_recv != 0) {
+ if (sz_to_recv != 0U) {
 n = recv(fd, buf, sz_to_recv, 0);
 if (n < 0) {
 if (errno == EWOULDBLOCK ||
diff --git a/lib/isc/unix/include/isc/stat.h b/lib/isc/unix/include/isc/stat.h
new file mode 100644
index 0000000000..4f9493a799
--- /dev/null
+++ b/lib/isc/unix/include/isc/stat.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: stat.h,v 1.2 2004/03/16 05:52:21 marka Exp $ */
+
+#ifndef ISC_STAT_H
+#define ISC_STAT_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Portable netdb.h support.
+ *
+ * This module is responsible for defining S_IS??? macros.
+ *
+ * MP:
+ * No impact.
+ *
+ * Reliability:
+ * No anticipated impact.
+ *
+ * Resources:
+ * N/A.
+ *
+ * Security:
+ * No anticipated impact.
+ *
+ */
+
+/***
+ *** Imports.
+ ***/
+
+#include
+#include
+
+#endif /* ISC_STAT_H */
diff --git a/lib/isc/win32/include/isc/ipv6.h b/lib/isc/win32/include/isc/ipv6.h
index 0c9c2ca9fb..a390168b3d 100644
--- a/lib/isc/win32/include/isc/ipv6.h
+++ b/lib/isc/win32/include/isc/ipv6.h
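Review bot: The module-info comment in the new stat.h says `Portable netdb.h support.`, which contradicts the next sentence about defining the S_IS??? macros and looks like a leftover from a sibling header; it should read ` * Portable stat.h support.`. The body of the header contains only two includes (their targets are lost in this rendering) and defines no macro itself, so if the S_IS??? macros are expected to arrive from those system headers the comment should say so, e.g. ` * The S_IS??? macros come from the system headers included below; nothing is defined here.`, and if a fallback definition is intended it is missing.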
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: ipv6.h,v 1.11 2004/03/05 05:12:05 marka Exp $ */ +/* $Id: ipv6.h,v 1.12 2004/03/16 05:52:23 marka Exp $ */ #ifndef ISC_IPV6_H #define ISC_IPV6_H 1 @@ -43,35 +43,39 @@ * RFC 2553. */ -#define s6_addr8 s6_addr -#define in6_addr in_addr6 - +#ifndef IN6ADDR_ANY_INIT #define IN6ADDR_ANY_INIT {{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }} +#endif +#ifndef IN6ADDR_LOOPBACK_INIT #define IN6ADDR_LOOPBACK_INIT {{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 }} +#endif -LIBISC_EXTERNAL_DATA extern const struct in_addr6 in6addr_any; -LIBISC_EXTERNAL_DATA extern const struct in_addr6 in6addr_loopback; +LIBISC_EXTERNAL_DATA extern const struct in6_addr isc_in6addr_any; +LIBISC_EXTERNAL_DATA extern const struct in6_addr isc_in6addr_loopback; /* * Unspecified */ - +#ifndef IN6_IS_ADDR_UNSPECIFIED #define IN6_IS_ADDR_UNSPECIFIED(a) \ *((u_long *)((a)->s6_addr) ) == 0 && \ *((u_long *)((a)->s6_addr) + 1) == 0 && \ *((u_long *)((a)->s6_addr) + 2) == 0 && \ *((u_long *)((a)->s6_addr) + 3) == 0 \ ) +#endif /* * Loopback */ +#ifndef IN6_IS_ADDR_LOOPBACK #define IN6_IS_ADDR_LOOPBACK(a) (\ *((u_long *)((a)->s6_addr) ) == 0 && \ *((u_long *)((a)->s6_addr) + 1) == 0 && \ *((u_long *)((a)->s6_addr) + 2) == 0 && \ *((u_long *)((a)->s6_addr) + 3) == htonl(1) \ ) +#endif /* * IPv4 compatible @@ -96,16 +100,21 @@ LIBISC_EXTERNAL_DATA extern const struct in_addr6 in6addr_loopback; * Multicast */ #define IN6_IS_ADDR_MULTICAST(a) \ - ((a)->s6_addr8[0] == 0xffU) + ((a)->s6_addr[0] == 0xffU) /* * Unicast link / site local. */ +#ifndef IN6_IS_ADDR_LINKLOCAL #define IN6_IS_ADDR_LINKLOCAL(a) (\ (*((u_long *)((a)->s6_addr) ) == 0xfe) && \ ((*((u_long *)((a)->s6_addr) + 1) & 0xc0) == 0x80)) +#endif + +#ifndef IN6_IS_ADDR_SITELOCAL #define IN6_IS_ADDR_SITELOCAL(a) (\ (*((u_long *)((a)->s6_addr) ) == 0xfe) && \ ((*((u_long *)((a)->s6_addr) + 1) & 0xc0) == 0xc0)) +#endif #endif /* ISC_IPV6_H */ 
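Review bot: The fallback `IN6_IS_ADDR_LINKLOCAL` and `IN6_IS_ADDR_SITELOCAL` bodies that this hunk wraps in `#ifndef` guards are wrong as written: `*((u_long *)((a)->s6_addr) ) == 0xfe` compares the first four bytes of the address, read as one `u_long`, against 0xfe, and `*((u_long *)((a)->s6_addr) + 1)` reads bytes 4-7 rather than the second byte, so fe80::/10 and fec0::/10 addresses are never recognised on an SDK that lacks the macros. The `IN6_IS_ADDR_MULTICAST` change in the same hunk already uses the intended per-byte form `((a)->s6_addr[0] == 0xffU)`; the two local-scope macros should test bytes 0 and 1 the same way, as in the fence below. In the earlier hunk, the `IN6_IS_ADDR_UNSPECIFIED` body also lacks the opening `(\` that `IN6_IS_ADDR_LOOPBACK` has, so its trailing `)` is unbalanced and any expansion of that fallback is a syntax error; adding `(\` after `IN6_IS_ADDR_UNSPECIFIED(a)` fixes it. Because the new guards select these bodies only when the system headers do not define the macros, none of this shows up on a machine with a current SDK, and misclassifying link-local addresses affects whatever scope handling is layered on these tests, so a small check of the fallbacks with the system macros undefined would be worthwhile.
```c
/* … unchanged: IN6_IS_ADDR_MULTICAST and the comment above … */
#ifndef IN6_IS_ADDR_LINKLOCAL
#define IN6_IS_ADDR_LINKLOCAL(a) (\
	((a)->s6_addr[0] == 0xfeU) && \
	(((a)->s6_addr[1] & 0xc0U) == 0x80U))
#endif

#ifndef IN6_IS_ADDR_SITELOCAL
#define IN6_IS_ADDR_SITELOCAL(a) (\
	((a)->s6_addr[0] == 0xfeU) && \
	(((a)->s6_addr[1] & 0xc0U) == 0xc0U))
#endif
```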
diff --git a/lib/isc/win32/include/isc/offset.h b/lib/isc/win32/include/isc/offset.h index 5e207234e0..1c2d0bf09f 100644 --- a/lib/isc/win32/include/isc/offset.h +++ b/lib/isc/win32/include/isc/offset.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: offset.h,v 1.3 2004/03/05 05:12:05 marka Exp $ */ +/* $Id: offset.h,v 1.4 2004/03/16 05:52:23 marka Exp $ */ #ifndef ISC_OFFSET_H #define ISC_OFFSET_H 1 @@ -26,7 +26,7 @@ #include /* Required for CHAR_BIT. */ #include -typedef off_t isc_offset_t; +typedef _off_t isc_offset_t; /* * POSIX says "Additionally, blkcnt_t and off_t are extended signed integral diff --git a/lib/isc/win32/include/isc/platform.h b/lib/isc/win32/include/isc/platform.h index 505b5063cb..6c399099c9 100644 --- a/lib/isc/win32/include/isc/platform.h +++ b/lib/isc/win32/include/isc/platform.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: platform.h,v 1.8 2004/03/05 05:12:05 marka Exp $ */ +/* $Id: platform.h,v 1.9 2004/03/16 05:52:23 marka Exp $ */ #ifndef ISC_PLATFORM_H #define ISC_PLATFORM_H 1 @@ -31,6 +31,7 @@ ***/ #define ISC_PLATFORM_HAVEIPV6 +#define ISC_PLATFORM_HAVEIN6PKTINFO #define ISC_PLATFORM_NEEDPORTT #undef MSG_TRUNC #define ISC_PLATFORM_NEEDNTOP @@ -40,6 +41,7 @@ #define ISC_PLATFORM_QUADFORMAT "I64" #define ISC_PLATFORM_NEEDSTRSEP +#define ISC_PLATFORM_NEEDSTRLCPY /* * Used to control how extern data is linked; needed for Win32 platforms. diff --git a/lib/isc/win32/include/isc/time.h b/lib/isc/win32/include/isc/time.h index aa915dc4ec..ca7b85384c 100644 --- a/lib/isc/win32/include/isc/time.h +++ b/lib/isc/win32/include/isc/time.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: time.h,v 1.26 2004/03/05 05:12:06 marka Exp $ */ +/* $Id: time.h,v 1.27 2004/03/16 05:52:23 marka Exp $ */ #ifndef ISC_TIME_H #define ISC_TIME_H 1 
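Review bot: `typedef _off_t isc_offset_t;` binds the offset type to the CRT's `_off_t`, which on the 32-bit Win32 CRT is a `long`, so `isc_offset_t` cannot represent offsets at or beyond 2 GiB on this platform; whether any caller needs that is outside this hunk, but the comment that follows the typedef (quoting POSIX on `off_t` being an extended signed integral type) should now also state the width actually chosen here. If 64-bit offsets are wanted, a `__int64`-based typedef is the usual replacement. The platform.h hunks on the same line add `ISC_PLATFORM_HAVEIN6PKTINFO`; that presumably requires the Winsock headers in use to declare the `in6_pktinfo` structure, which this diff cannot show, so a comment naming the minimum SDK next to the define would help.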
@@ -243,6 +243,8 @@ isc_time_formattimestamp(const isc_time_t *t, char *buf, unsigned int len); * 'buf' points to an array of at least len chars * */ +isc_uint32_t +isc_time_seconds(const isc_time_t *t); ISC_LANG_ENDDECLS diff --git a/lib/isc/win32/ipv6.c b/lib/isc/win32/ipv6.c index d2824be09a..13ff4bf532 100644 --- a/lib/isc/win32/ipv6.c +++ b/lib/isc/win32/ipv6.c @@ -15,15 +15,13 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: ipv6.c,v 1.5 2004/03/05 05:11:57 marka Exp $ */ - -#define off_t _off_t +/* $Id: ipv6.c,v 1.6 2004/03/16 05:52:22 marka Exp $ */ #include #include -LIBISC_EXTERNAL_DATA const struct in6_addr in6addr_any = +LIBISC_EXTERNAL_DATA const struct in6_addr isc_in6addr_any = IN6ADDR_ANY_INIT; -LIBISC_EXTERNAL_DATA const struct in6_addr in6addr_loopback = +LIBISC_EXTERNAL_DATA const struct in6_addr isc_in6addr_loopback = IN6ADDR_LOOPBACK_INIT; diff --git a/lib/isc/win32/libisc.def b/lib/isc/win32/libisc.def index 10a6efb249..0018d2a3ac 100644 --- a/lib/isc/win32/libisc.def +++ b/lib/isc/win32/libisc.def @@ -218,6 +218,8 @@ isc_netaddr_any isc_netaddr_any6 isc_netaddr_ismulticast isc_netaddr_fromv4mapped +isc_netaddr_setzone +isc_netscope_pton isc_ntpaths_init isc_ntpaths_get isc_ondestroy_init @@ -421,6 +423,14 @@ isc_win32os_versioncheck isc_socket_ipv6only isc_region_compare isc_socket_filter +isc_string_strlcpy +isc_rwlock_tryupgrade +isc_rwlock_downgrade +isc_sockaddr_isexperimental +isc_net_disableipv4 +isc_net_disableipv6 +isc_task_getcurrenttime +isc_net_probe_ipv6only ; Exported Data diff --git a/lib/isc/win32/libisc.dsp b/lib/isc/win32/libisc.dsp index 1757228d20..7434387da4 100644 --- a/lib/isc/win32/libisc.dsp +++ b/lib/isc/win32/libisc.dsp 
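Review bot: The new `isc_time_seconds` prototype is added directly after the comment block that documents `isc_time_formattimestamp` (`'buf' points to an array of at least len chars`), with no comment of its own, so a reader will take that block as describing the new function. The preceding declaration carries a Requires-style block, so suggested text above the prototype: `/* Return the seconds represented by 't' as an isc_uint32_t. Requires: 't' is a valid time. Returns: the seconds component; values that do not fit in 32 bits are truncated. */`. The truncation statement is inferred from the `isc_uint32_t` return type and should be checked against the win32 time.c implementation, which is not in this diff.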
@@ -1,704 +1,712 @@ -# Microsoft Developer Studio Project File - Name="libisc" - Package Owner=<4> -# Microsoft Developer Studio Generated Build File, Format Version 6.00 -# ** DO NOT EDIT ** - -# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102 - -CFG=libisc - Win32 Debug -!MESSAGE This is not a valid makefile. To build this project using NMAKE, -!MESSAGE use the Export Makefile command and run -!MESSAGE -!MESSAGE NMAKE /f "libisc.mak". -!MESSAGE -!MESSAGE You can specify a configuration when running NMAKE -!MESSAGE by defining the macro CFG on the command line. For example: -!MESSAGE -!MESSAGE NMAKE /f "libisc.mak" CFG="libisc - Win32 Debug" -!MESSAGE -!MESSAGE Possible choices for configuration are: -!MESSAGE -!MESSAGE "libisc - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library") -!MESSAGE "libisc - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library") -!MESSAGE - -# Begin Project -# PROP AllowPerConfigDependencies 0 -# PROP Scc_ProjName "" -# PROP Scc_LocalPath "" -CPP=cl.exe -MTL=midl.exe -RSC=rc.exe - -!IF "$(CFG)" == "libisc - Win32 Release" - -# PROP BASE Use_MFC 0 -# PROP BASE Use_Debug_Libraries 0 -# PROP BASE Output_Dir "Release" -# PROP BASE Intermediate_Dir "Release" -# PROP BASE Target_Dir "" -# PROP Use_MFC 0 -# PROP Use_Debug_Libraries 0 -# PROP Output_Dir "Release" -# PROP Intermediate_Dir "Release" -# PROP Ignore_Export_Lib 0 -# PROP Target_Dir "" -# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /YX /FD /c -# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "win32" /I "../../isccfg/include" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /YX /FD /c -# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 -# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 -# ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" -BSC32=bscmake.exe -# ADD BASE BSC32 /nologo -# ADD BSC32 
/nologo -LINK32=link.exe -# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 -# ADD LINK32 user32.lib advapi32.lib ws2_32.lib /nologo /dll /machine:I386 /out:"../../../Build/Release/libisc.dll" -# SUBTRACT LINK32 /pdb:none - -!ELSEIF "$(CFG)" == "libisc - Win32 Debug" - -# PROP BASE Use_MFC 0 -# PROP BASE Use_Debug_Libraries 1 -# PROP BASE Output_Dir "Debug" -# PROP BASE Intermediate_Dir "Debug" -# PROP BASE Target_Dir "" -# PROP Use_MFC 0 -# PROP Use_Debug_Libraries 1 -# PROP Output_Dir "Debug" -# PROP Intermediate_Dir "Debug" -# PROP Ignore_Export_Lib 0 -# PROP Target_Dir "" -# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /YX /FD /GZ /c -# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "win32" /I "../../isccfg/include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /FR /YX /FD /GZ /c -# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 -# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 -# ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" -BSC32=bscmake.exe -# ADD BASE BSC32 /nologo -# ADD BSC32 /nologo -LINK32=link.exe -# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept -# ADD LINK32 user32.lib advapi32.lib ws2_32.lib /nologo /dll /map /debug /machine:I386 /out:"../../../Build/Debug/libisc.dll" /pdbtype:sept - -!ENDIF - -# Begin Target - -# Name "libisc - Win32 Release" -# Name "libisc - Win32 Debug" -# Begin Group "Source Files" - -# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat" -# Begin Source File - -SOURCE=.\app.c -# End Source File -# Begin Source File - 
-SOURCE=.\condition.c -# End Source File -# Begin Source File - -SOURCE=.\dir.c -# End Source File -# Begin Source File - -SOURCE=.\DLLMain.c -# End Source File -# Begin Source File - -SOURCE=.\entropy.c -# End Source File -# Begin Source File - -SOURCE=.\errno2result.c -# End Source File -# Begin Source File - -SOURCE=.\file.c -# End Source File -# Begin Source File - -SOURCE=.\fsaccess.c -# End Source File -# Begin Source File - -SOURCE=.\interfaceiter.c -# End Source File -# Begin Source File - -SOURCE=.\ipv6.c -# End Source File -# Begin Source File - -SOURCE=.\keyboard.c -# End Source File -# Begin Source File - -SOURCE=.\net.c -# End Source File -# Begin Source File - -SOURCE=.\ntpaths.c -# End Source File -# Begin Source File - -SOURCE=.\once.c -# End Source File -# Begin Source File - -SOURCE=.\os.c -# End Source File -# Begin Source File - -SOURCE=.\resource.c -# End Source File -# Begin Source File - -SOURCE=.\socket.c -# End Source File -# Begin Source File - -SOURCE=.\stdio.c -# End Source File -# Begin Source File - -SOURCE=.\stdtime.c -# End Source File -# Begin Source File - -SOURCE=.\strerror.c -# End Source File -# Begin Source File - -SOURCE=.\syslog.c -# End Source File -# Begin Source File - -SOURCE=.\thread.c -# End Source File -# Begin Source File - -SOURCE=.\time.c -# End Source File -# Begin Source File - -SOURCE=.\version.c -# End Source File -# Begin Source File - -SOURCE=.\win32os.c -# End Source File -# End Group -# Begin Group "Header Files" - -# PROP Default_Filter "h;hpp;hxx;hm;inl" -# Begin Source File - -SOURCE=.\include\isc\app.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\assertions.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\base64.h -# End Source File -# Begin Source File - -SOURCE=.\include\isc\bind_registry.h -# End Source File -# Begin Source File - -SOURCE=.\include\isc\bindevt.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\bitstring.h -# End Source File -# 
Begin Source File - -SOURCE=..\include\isc\boolean.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\buffer.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\bufferlist.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\commandline.h -# End Source File -# Begin Source File - -SOURCE=.\include\isc\condition.h -# End Source File -# Begin Source File - -SOURCE=..\..\..\config.h -# End Source File -# Begin Source File - -SOURCE=.\include\isc\dir.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\entropy.h -# End Source File -# Begin Source File - -SOURCE=.\errno2result.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\error.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\event.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\eventclass.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\file.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\formatcheck.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\fsaccess.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\hash.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\heap.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\hex.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\hmacmd5.h -# End Source File -# Begin Source File - -SOURCE=.\include\isc\int.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\interfaceiter.h -# End Source File -# Begin Source File - -SOURCE=.\include\isc\ipv6.h -# End Source File -# Begin Source File - -SOURCE=.\include\isc\keyboard.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\lang.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\lex.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\lfsr.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\lib.h -# End Source File -# Begin Source 
File - -SOURCE=..\include\isc\list.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\log.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\magic.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\md5.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\mem.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\msgcat.h -# End Source File -# Begin Source File - -SOURCE=.\include\isc\msioctl.h -# End Source File -# Begin Source File - -SOURCE=.\include\isc\mutex.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\mutexblock.h -# End Source File -# Begin Source File - -SOURCE=.\include\isc\net.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\netaddr.h -# End Source File -# Begin Source File - -SOURCE=.\include\isc\netdb.h -# End Source File -# Begin Source File - -SOURCE=.\include\isc\ntpaths.h -# End Source File -# Begin Source File - -SOURCE=.\include\isc\offset.h -# End Source File -# Begin Source File - -SOURCE=.\include\isc\once.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\ondestroy.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\os.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\parseint.h -# End Source File -# Begin Source File - -SOURCE=.\include\isc\platform.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\print.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\quota.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\random.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\ratelimiter.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\region.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\resource.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\result.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\resultclass.h -# End Source File -# Begin Source File - 
-SOURCE=..\include\isc\rwlock.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\serial.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\sha1.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\sockaddr.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\socket.h -# End Source File -# Begin Source File - -SOURCE=.\include\isc\stat.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\stdio.h -# End Source File -# Begin Source File - -SOURCE=.\include\isc\stdtime.h -# End Source File -# Begin Source File - -SOURCE=.\include\isc\strerror.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\string.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\symtab.h -# End Source File -# Begin Source File - -SOURCE=.\include\isc\syslog.h -# End Source File -# Begin Source File - -SOURCE=.\syslog.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\task.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\taskpool.h -# End Source File -# Begin Source File - -SOURCE=.\include\isc\thread.h -# End Source File -# Begin Source File - -SOURCE=.\include\isc\time.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\timer.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\types.h -# End Source File -# Begin Source File - -SOURCE=.\unistd.h -# End Source File -# Begin Source File - -SOURCE=..\include\isc\util.h -# End Source File -# Begin Source File - -SOURCE=..\..\..\versions.h -# End Source File -# Begin Source File - -SOURCE=.\include\isc\win32os.h -# End Source File -# End Group -# Begin Group "Resource Files" - -# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe" -# End Group -# Begin Group "Main Isc Lib" - -# PROP Default_Filter "c" -# Begin Source File - -SOURCE=..\assertions.c -# End Source File -# Begin Source File - -SOURCE=..\base64.c -# End Source File -# Begin Source File - 
-SOURCE=..\bitstring.c -# End Source File -# Begin Source File - -SOURCE=..\buffer.c -# End Source File -# Begin Source File - -SOURCE=..\bufferlist.c -# End Source File -# Begin Source File - -SOURCE=..\commandline.c -# End Source File -# Begin Source File - -SOURCE=..\error.c -# End Source File -# Begin Source File - -SOURCE=..\event.c -# End Source File -# Begin Source File - -SOURCE=..\hash.c -# End Source File -# Begin Source File - -SOURCE=..\heap.c -# End Source File -# Begin Source File - -SOURCE=..\hex.c -# End Source File -# Begin Source File - -SOURCE=..\hmacmd5.c -# End Source File -# Begin Source File - -SOURCE=..\inet_aton.c -# End Source File -# Begin Source File - -SOURCE=..\inet_ntop.c -# End Source File -# Begin Source File - -SOURCE=..\inet_pton.c -# End Source File -# Begin Source File - -SOURCE=..\lex.c -# End Source File -# Begin Source File - -SOURCE=..\lfsr.c -# End Source File -# Begin Source File - -SOURCE=..\lib.c -# End Source File -# Begin Source File - -SOURCE=..\log.c -# End Source File -# Begin Source File - -SOURCE=..\md5.c -# End Source File -# Begin Source File - -SOURCE=..\mem.c -# End Source File -# Begin Source File - -SOURCE=..\nls\msgcat.c -# End Source File -# Begin Source File - -SOURCE=..\mutexblock.c -# End Source File -# Begin Source File - -SOURCE=..\netaddr.c -# End Source File -# Begin Source File - -SOURCE=..\ondestroy.c -# End Source File -# Begin Source File - -SOURCE=..\parseint.c -# End Source File -# Begin Source File - -SOURCE=..\quota.c -# End Source File -# Begin Source File - -SOURCE=..\random.c -# End Source File -# Begin Source File - -SOURCE=..\ratelimiter.c -# End Source File -# Begin Source File - -SOURCE=..\region.c -# End Source File -# Begin Source File - -SOURCE=..\result.c -# End Source File -# Begin Source File - -SOURCE=..\rwlock.c -# End Source File -# Begin Source File - -SOURCE=..\serial.c -# End Source File -# Begin Source File - -SOURCE=..\sha1.c -# End Source File -# Begin Source File - 
-SOURCE=..\sockaddr.c -# End Source File -# Begin Source File - -SOURCE=..\string.c -# End Source File -# Begin Source File - -SOURCE=..\symtab.c -# End Source File -# Begin Source File - -SOURCE=..\task.c -# End Source File -# Begin Source File - -SOURCE=..\taskpool.c -# End Source File -# Begin Source File - -SOURCE=..\timer.c -# End Source File -# End Group -# Begin Source File - -SOURCE=.\libisc.def -# End Source File -# End Target -# End Project +# Microsoft Developer Studio Project File - Name="libisc" - Package Owner=<4> +# Microsoft Developer Studio Generated Build File, Format Version 6.00 +# ** DO NOT EDIT ** + +# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102 + +CFG=libisc - Win32 Debug +!MESSAGE This is not a valid makefile. To build this project using NMAKE, +!MESSAGE use the Export Makefile command and run +!MESSAGE +!MESSAGE NMAKE /f "libisc.mak". +!MESSAGE +!MESSAGE You can specify a configuration when running NMAKE +!MESSAGE by defining the macro CFG on the command line. 
For example: +!MESSAGE +!MESSAGE NMAKE /f "libisc.mak" CFG="libisc - Win32 Debug" +!MESSAGE +!MESSAGE Possible choices for configuration are: +!MESSAGE +!MESSAGE "libisc - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "libisc - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE + +# Begin Project +# PROP AllowPerConfigDependencies 0 +# PROP Scc_ProjName "" +# PROP Scc_LocalPath "" +CPP=cl.exe +MTL=midl.exe +RSC=rc.exe + +!IF "$(CFG)" == "libisc - Win32 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "Release" +# PROP BASE Intermediate_Dir "Release" +# PROP BASE Target_Dir "" +# PROP Use_MFC 0 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "Release" +# PROP Intermediate_Dir "Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /YX /FD /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "win32" /I "../../isccfg/include" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /YX /FD /c +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 user32.lib advapi32.lib ws2_32.lib /nologo /dll /machine:I386 /out:"../../../Build/Release/libisc.dll" +# SUBTRACT LINK32 /pdb:none + +!ELSEIF "$(CFG)" == "libisc - Win32 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "Debug" +# PROP BASE Intermediate_Dir "Debug" +# PROP BASE Target_Dir "" +# PROP 
Use_MFC 0 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "Debug" +# PROP Intermediate_Dir "Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /YX /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "win32" /I "../../isccfg/include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /FR /YX /FD /GZ /c +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 user32.lib advapi32.lib ws2_32.lib /nologo /dll /map /debug /machine:I386 /out:"../../../Build/Debug/libisc.dll" /pdbtype:sept + +!ENDIF + +# Begin Target + +# Name "libisc - Win32 Release" +# Name "libisc - Win32 Debug" +# Begin Group "Source Files" + +# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat" +# Begin Source File + +SOURCE=.\app.c +# End Source File +# Begin Source File + +SOURCE=.\condition.c +# End Source File +# Begin Source File + +SOURCE=.\dir.c +# End Source File +# Begin Source File + +SOURCE=.\DLLMain.c +# End Source File +# Begin Source File + +SOURCE=.\entropy.c +# End Source File +# Begin Source File + +SOURCE=.\errno2result.c +# End Source File +# Begin Source File + +SOURCE=.\file.c +# End Source File +# Begin Source File + +SOURCE=.\fsaccess.c +# End Source File +# Begin Source File + +SOURCE=.\interfaceiter.c +# End Source File +# Begin Source File + +SOURCE=.\ipv6.c +# End Source File +# Begin Source File + +SOURCE=.\keyboard.c 
+# End Source File +# Begin Source File + +SOURCE=.\net.c +# End Source File +# Begin Source File + +SOURCE=.\ntpaths.c +# End Source File +# Begin Source File + +SOURCE=.\once.c +# End Source File +# Begin Source File + +SOURCE=.\os.c +# End Source File +# Begin Source File + +SOURCE=.\resource.c +# End Source File +# Begin Source File + +SOURCE=.\socket.c +# End Source File +# Begin Source File + +SOURCE=.\strerror.c +# End Source File +# Begin Source File + +SOURCE=.\stdio.c +# End Source File +# Begin Source File + +SOURCE=.\stdtime.c +# End Source File +# Begin Source File + +SOURCE=.\syslog.c +# End Source File +# Begin Source File + +SOURCE=.\thread.c +# End Source File +# Begin Source File + +SOURCE=.\time.c +# End Source File +# Begin Source File + +SOURCE=.\version.c +# End Source File +# End Group +# Begin Group "Header Files" + +# PROP Default_Filter "h;hpp;hxx;hm;inl" +# Begin Source File + +SOURCE=.\include\isc\app.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\assertions.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\base64.h +# End Source File +# Begin Source File + +SOURCE=.\include\isc\bind_registry.h +# End Source File +# Begin Source File + +SOURCE=.\include\isc\bindevt.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\bitstring.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\boolean.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\buffer.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\bufferlist.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\commandline.h +# End Source File +# Begin Source File + +SOURCE=.\include\isc\condition.h +# End Source File +# Begin Source File + +SOURCE=..\..\..\config.h +# End Source File +# Begin Source File + +SOURCE=.\include\isc\dir.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\entropy.h +# End Source File +# Begin Source File + +SOURCE=.\errno2result.h +# End 
Source File +# Begin Source File + +SOURCE=..\include\isc\error.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\event.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\eventclass.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\file.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\formatcheck.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\fsaccess.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\hash.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\heap.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\hex.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\hmacmd5.h +# End Source File +# Begin Source File + +SOURCE=.\include\isc\int.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\interfaceiter.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\ipv6.h +# End Source File +# Begin Source File + +SOURCE=.\include\isc\keyboard.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\lang.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\lex.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\lfsr.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\lib.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\list.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\log.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\magic.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\md5.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\mem.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\msgcat.h +# End Source File +# Begin Source File + +SOURCE=.\include\isc\msioctl.h +# End Source File +# Begin Source File + +SOURCE=.\include\isc\mutex.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\mutexblock.h +# End Source File +# 
Begin Source File + +SOURCE=.\include\isc\net.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\netaddr.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\netscope.h +# End Source File +# Begin Source File + +SOURCE=.\include\isc\netdb.h +# End Source File +# Begin Source File + +SOURCE=.\include\isc\ntpaths.h +# End Source File +# Begin Source File + +SOURCE=.\include\isc\offset.h +# End Source File +# Begin Source File + +SOURCE=.\include\isc\once.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\ondestroy.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\parseint.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\os.h +# End Source File +# Begin Source File + +SOURCE=.\include\isc\platform.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\print.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\quota.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\random.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\ratelimiter.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\region.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\resource.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\result.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\resultclass.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\rwlock.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\serial.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\sha1.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\sockaddr.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\socket.h +# End Source File +# Begin Source File + +SOURCE=.\include\isc\stat.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\stdio.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\strerror.h +# End Source File 
+# Begin Source File + +SOURCE=.\include\isc\stdtime.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\string.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\symtab.h +# End Source File +# Begin Source File + +SOURCE=.\include\isc\syslog.h +# End Source File +# Begin Source File + +SOURCE=.\syslog.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\task.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\taskpool.h +# End Source File +# Begin Source File + +SOURCE=.\include\isc\thread.h +# End Source File +# Begin Source File + +SOURCE=.\include\isc\time.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\timer.h +# End Source File +# Begin Source File + +SOURCE=.\include\isc\win32os.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\types.h +# End Source File +# Begin Source File + +SOURCE=.\unistd.h +# End Source File +# Begin Source File + +SOURCE=..\include\isc\util.h +# End Source File +# Begin Source File + +SOURCE=..\..\..\versions.h +# End Source File +# End Group +# Begin Group "Resource Files" + +# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe" +# End Group +# Begin Group "Main Isc Lib" + +# PROP Default_Filter "c" +# Begin Source File + +SOURCE=..\assertions.c +# End Source File +# Begin Source File + +SOURCE=..\base64.c +# End Source File +# Begin Source File + +SOURCE=..\bitstring.c +# End Source File +# Begin Source File + +SOURCE=..\buffer.c +# End Source File +# Begin Source File + +SOURCE=..\bufferlist.c +# End Source File +# Begin Source File + +SOURCE=..\commandline.c +# End Source File +# Begin Source File + +SOURCE=..\error.c +# End Source File +# Begin Source File + +SOURCE=..\event.c +# End Source File +# Begin Source File + +SOURCE=..\hash.c +# End Source File +# Begin Source File + +SOURCE=..\heap.c +# End Source File +# Begin Source File + +SOURCE=..\hex.c +# End Source File +# Begin Source File + +SOURCE=..\hmacmd5.c +# 
End Source File +# Begin Source File + +SOURCE=..\inet_aton.c +# End Source File +# Begin Source File + +SOURCE=..\inet_ntop.c +# End Source File +# Begin Source File + +SOURCE=..\inet_pton.c +# End Source File +# Begin Source File + +SOURCE=..\lex.c +# End Source File +# Begin Source File + +SOURCE=..\lfsr.c +# End Source File +# Begin Source File + +SOURCE=..\lib.c +# End Source File +# Begin Source File + +SOURCE=..\log.c +# End Source File +# Begin Source File + +SOURCE=..\md5.c +# End Source File +# Begin Source File + +SOURCE=..\mem.c +# End Source File +# Begin Source File + +SOURCE=..\nls\msgcat.c +# End Source File +# Begin Source File + +SOURCE=..\mutexblock.c +# End Source File +# Begin Source File + +SOURCE=..\netaddr.c +# End Source File +# Begin Source File + +SOURCE=..\netscope.c +# End Source File +# Begin Source File + +SOURCE=..\ondestroy.c +# End Source File +# Begin Source File + +SOURCE=..\parseint.c +# End Source File +# Begin Source File + +SOURCE=..\quota.c +# End Source File +# Begin Source File + +SOURCE=..\random.c +# End Source File +# Begin Source File + +SOURCE=..\ratelimiter.c +# End Source File +# Begin Source File + +SOURCE=..\region.c +# End Source File +# Begin Source File + +SOURCE=..\result.c +# End Source File +# Begin Source File + +SOURCE=..\rwlock.c +# End Source File +# Begin Source File + +SOURCE=..\serial.c +# End Source File +# Begin Source File + +SOURCE=..\sha1.c +# End Source File +# Begin Source File + +SOURCE=..\sockaddr.c +# End Source File +# Begin Source File + +SOURCE=..\string.c +# End Source File +# Begin Source File + +SOURCE=..\symtab.c +# End Source File +# Begin Source File + +SOURCE=..\task.c +# End Source File +# Begin Source File + +SOURCE=..\taskpool.c +# End Source File +# Begin Source File + +SOURCE=..\timer.c +# End Source File +# Begin Source File + +SOURCE=.\win32os.c +# End Source File +# End Group +# Begin Source File + +SOURCE=.\libisc.def +# End Source File +# End Target +# End Project 
diff --git a/lib/isc/win32/libisc.mak b/lib/isc/win32/libisc.mak index f48928a4b2..cba3a9fe97 100644 --- a/lib/isc/win32/libisc.mak +++ b/lib/isc/win32/libisc.mak @@ -74,6 +74,7 @@ CLEAN : -@erase "$(INTDIR)\mutexblock.obj" -@erase "$(INTDIR)\net.obj" -@erase "$(INTDIR)\netaddr.obj" + -@erase "$(INTDIR)\netscope.obj" -@erase "$(INTDIR)\ntpaths.obj" -@erase "$(INTDIR)\once.obj" -@erase "$(INTDIR)\ondestroy.obj" @@ -171,6 +172,7 @@ LINK32_OBJS= \ "$(INTDIR)\msgcat.obj" \ "$(INTDIR)\mutexblock.obj" \ "$(INTDIR)\netaddr.obj" \ + "$(INTDIR)\netscope.obj" \ "$(INTDIR)\ondestroy.obj" \ "$(INTDIR)\quota.obj" \ "$(INTDIR)\random.obj" \ @@ -277,6 +279,8 @@ CLEAN : -@erase "$(INTDIR)\net.sbr" -@erase "$(INTDIR)\netaddr.obj" -@erase "$(INTDIR)\netaddr.sbr" + -@erase "$(INTDIR)\netscope.obj" + -@erase "$(INTDIR)\netscope.sbr" -@erase "$(INTDIR)\ntpaths.obj" -@erase "$(INTDIR)\ntpaths.sbr" -@erase "$(INTDIR)\once.obj" @@ -402,6 +406,7 @@ BSC32_SBRS= \ "$(INTDIR)\msgcat.sbr" \ "$(INTDIR)\mutexblock.sbr" \ "$(INTDIR)\netaddr.sbr" \ + "$(INTDIR)\netscope.sbr" \ "$(INTDIR)\ondestroy.sbr" \ "$(INTDIR)\quota.sbr" \ "$(INTDIR)\random.sbr" \ @@ -478,6 +483,7 @@ LINK32_OBJS= \ "$(INTDIR)\msgcat.obj" \ "$(INTDIR)\mutexblock.obj" \ "$(INTDIR)\netaddr.obj" \ + "$(INTDIR)\netscope.obj" \ "$(INTDIR)\ondestroy.obj" \ "$(INTDIR)\quota.obj" \ "$(INTDIR)\random.obj" \ @@ -1373,6 +1379,24 @@ SOURCE=..\netaddr.c $(CPP) $(CPP_PROJ) $(SOURCE) +!ENDIF + +SOURCE=..\netscope.c + +!IF "$(CFG)" == "libisc - Win32 Release" + + +"$(INTDIR)\netscope.obj" : $(SOURCE) "$(INTDIR)" + $(CPP) $(CPP_PROJ) $(SOURCE) + + +!ELSEIF "$(CFG)" == "libisc - Win32 Debug" + + +"$(INTDIR)\netscope.obj" "$(INTDIR)\netscope.sbr" : $(SOURCE) "$(INTDIR)" + $(CPP) $(CPP_PROJ) $(SOURCE) + + !ENDIF SOURCE=..\ondestroy.c diff --git a/lib/isc/win32/net.c b/lib/isc/win32/net.c index 687ed6e17e..080e0923e2 100644 --- a/lib/isc/win32/net.c +++ b/lib/isc/win32/net.c 
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: net.c,v 1.8 2004/03/05 05:11:57 marka Exp $ */ +/* $Id: net.c,v 1.9 2004/03/16 05:52:22 marka Exp $ */ #include @@ -140,14 +140,14 @@ isc_net_probeipv4(void) { return (ipv4_result); } -#ifdef ISC_PLATFORM_HAVEIPV6 -#ifdef WANT_IPV6 isc_result_t isc_net_probeipv6(void) { initialize(); return (ipv6_result); } +#ifdef ISC_PLATFORM_HAVEIPV6 +#ifdef WANT_IPV6 static void try_ipv6only(void) { #ifdef IPV6_V6ONLY diff --git a/lib/isc/win32/time.c b/lib/isc/win32/time.c index 793c4faed7..7fa77028f6 100644 --- a/lib/isc/win32/time.c +++ b/lib/isc/win32/time.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: time.c,v 1.37 2004/03/05 05:11:59 marka Exp $ */ +/* $Id: time.c,v 1.38 2004/03/16 05:52:22 marka Exp $ */ #include @@ -200,6 +200,19 @@ isc_time_microdiff(const isc_time_t *t1, const isc_time_t *t2) { return (i3); } +isc_uint32_t +isc_time_seconds(const isc_time_t *t) { + SYSTEMTIME st; + + /* + * Convert the time to a SYSTEMTIME structure and the grab the + * milliseconds + */ + FileTimeToSystemTime(&t->absolute, &st); + + return ((isc_uint32_t)(st.wMilliseconds / 1000)); +} + isc_uint32_t isc_time_nanoseconds(const isc_time_t *t) { SYSTEMTIME st; diff --git a/win32utils/BuildAll.bat b/win32utils/BuildAll.bat index 50fcb54ad1..22222ad770 100644 --- a/win32utils/BuildAll.bat +++ b/win32utils/BuildAll.bat 
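Review bot: isc_net_probeipv6() is now compiled even when ISC_PLATFORM_HAVEIPV6 or WANT_IPV6 is undefined, but nothing in the hunk shows what ipv6_result holds on that path; if initialize() only assigns it inside the IPv6-guarded code, a caller on a non-IPv6 build reads a value that was never set. Please confirm that initialize() (outside this hunk) gives ipv6_result a definite "not supported" result regardless of the guards, and record the new contract above the function, e.g. `/* Always available: reports the IPv6 probe result even when IPv6 support is compiled out. */`. The body of isc_net_probeipv4() shown as context starts before the hunk.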
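Review bot: The new isc_time_seconds() in time.c cannot return anything but 0: st.wMilliseconds is the millisecond-within-second field (0–999), so dividing it by 1000 always truncates to zero, and the comment ("grab the milliseconds") describes the wrong quantity. Its Unix counterpart returns whole seconds since the Unix epoch, which on Win32 means converting t->absolute (a FILETIME, 100 ns units since 1601-01-01) relative to 1970-01-01 with the same ULARGE_INTEGER arithmetic the surrounding isc_time_microdiff() uses; any caller that uses the result for expiry or refresh arithmetic would otherwise see a clock frozen at 0. The return value of FileTimeToSystemTime() is also ignored, but the rewrite below no longer needs that call.
```c
isc_uint32_t
isc_time_seconds(const isc_time_t *t) {
	SYSTEMTIME epoch = { 1970, 1, 4, 1, 0, 0, 0, 0 };
	FILETIME temp;
	ULARGE_INTEGER i1, i2;
	LONGLONG i3;

	/*
	 * Express t->absolute (100 ns intervals since 1601-01-01) as
	 * whole seconds since the Unix epoch.  1970-01-01 was a
	 * Thursday, hence wDayOfWeek == 4 in the epoch initializer.
	 */
	SystemTimeToFileTime(&epoch, &temp);

	i1.LowPart = t->absolute.dwLowDateTime;
	i1.HighPart = t->absolute.dwHighDateTime;
	i2.LowPart = temp.dwLowDateTime;
	i2.HighPart = temp.dwHighDateTime;

	i3 = i1.QuadPart - i2.QuadPart;

	return ((isc_uint32_t)(i3 / 10000000));
}
```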
@@ -1,19 +1,19 @@ echo off rem -rem Copyright (C) 2001-2 Internet Software Consortium. +rem Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +rem Copyright (C) 2001-2002 Internet Software Consortium. +rem +rem Permission to use, copy, modify, and distribute this software for any +rem purpose with or without fee is hereby granted, provided that the above +rem copyright notice and this permission notice appear in all copies. rem -rem Permission to use, copy, modify, and distribute this software for any -rem purpose with or without fee is hereby granted, provided that the above -rem copyright notice and this permission notice appear in all copies. -rem -rem THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -rem DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -rem IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -rem INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -rem INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -rem FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -rem NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -rem WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +rem THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +rem REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +rem AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +rem INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +rem LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +rem OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +rem PERFORMANCE OF THIS SOFTWARE. rem BuildAll.bat rem This script sets up the files necessary ready to build BIND 9 
@@ -25,7 +25,7 @@ rem OpenSSL is a prerequisite for building and running this release of rem BIND 9. You must fetch the OpenSSL sources yourself from rem http://www.OpenSSL.org/ and compile it yourself. The code must reside rem at the same level as the bind 9.2.0 source tree and it's top-level -rem directory be named openssl-0.9.6g. This restriction will be lifted in +rem directory be named openssl-0.9.6k. This restriction will be lifted in rem a future release of BIND 9 for Windows NT/2000/XP. echo Setting up the BIND files required for the build diff --git a/win32utils/BuildSetup.bat b/win32utils/BuildSetup.bat index 6747133f4e..d59d790896 100644 --- a/win32utils/BuildSetup.bat +++ b/win32utils/BuildSetup.bat 
@@ -1,19 +1,19 @@ echo off rem -rem Copyright (C) 2000-2002 Internet Software Consortium. +rem Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +rem Copyright (C) 2001-2002 Internet Software Consortium. rem -rem Permission to use, copy, modify, and distribute this software for any -rem purpose with or without fee is hereby granted, provided that the above -rem copyright notice and this permission notice appear in all copies. +rem Permission to use, copy, modify, and distribute this software for any +rem purpose with or without fee is hereby granted, provided that the above +rem copyright notice and this permission notice appear in all copies. rem -rem THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -rem DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -rem IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -rem INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -rem INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -rem FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -rem NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -rem WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +rem THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +rem REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +rem AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +rem INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +rem LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +rem OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +rem PERFORMANCE OF THIS SOFTWARE. rem BuildSetup.bat rem This script sets up the files necessary ready to build BIND 9. 
@@ -32,7 +32,7 @@ rem Generate header files for lib/dns call dnsheadergen.bat echo Ensure that the OpenSSL sources are at the same level in -echo the directory tree and is named openssl-0.9.6g or libdns +echo the directory tree and is named openssl-0.9.6k or libdns echo will not build. rem Make sure that the Build directories are there. @@ -50,7 +50,7 @@ copy ..\FAQ ..\Build\Release echo Copying the OpenSSL DLL. -copy ..\..\openssl-0.9.6g\out32dll\libeay32.dll ..\Build\Release\ +copy ..\..\openssl-0.9.6k\out32dll\libeay32.dll ..\Build\Release\ rem Done diff --git a/win32utils/dnsheadergen.bat b/win32utils/dnsheadergen.bat index 936e123b62..09422fe8c6 100644 --- a/win32utils/dnsheadergen.bat +++ b/win32utils/dnsheadergen.bat 
@@ -1,19 +1,19 @@ echo off rem -rem Copyright (C) 2000, 2001 Internet Software Consortium. +rem Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +rem Copyright (C) 2001-2002 Internet Software Consortium. rem -rem Permission to use, copy, modify, and distribute this software for any -rem purpose with or without fee is hereby granted, provided that the above -rem copyright notice and this permission notice appear in all copies. +rem Permission to use, copy, modify, and distribute this software for any +rem purpose with or without fee is hereby granted, provided that the above +rem copyright notice and this permission notice appear in all copies. rem -rem THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -rem DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -rem IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -rem INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -rem INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -rem FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -rem NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -rem WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +rem THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +rem REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +rem AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +rem INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +rem LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +rem OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +rem PERFORMANCE OF THIS SOFTWARE. cd ..\lib\dns cd win32 diff --git a/win32utils/readme1st.txt b/win32utils/readme1st.txt index 564c606d2c..5390ddb5ac 100644 --- a/win32utils/readme1st.txt +++ b/win32utils/readme1st.txt 
@@ -2,19 +2,13 @@ Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") Copyright (C) 2001, 2003 Internet Software Consortium. See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. -$Id: readme1st.txt,v 1.11 2004/03/05 05:14:21 marka Exp $ +$Id: readme1st.txt,v 1.12 2004/03/16 05:52:24 marka Exp $ - Release of BIND 9.2.0 for Windows NT/2000 + Release of BIND 9.4 for Window NT/2000 -Date: 10-Aug-2001. - - This is the first release of BIND 9.2.0 for Windows NT/2000. As such -it should be fully tested on a test system before installing on a -production system or anywhere that is considered critical for Internet -access. The release has not been thoroughly tested. While IPv6 -addresses should work, there is no support yet for a BIND server using -an IPv6 stack. Only IPv4 stacks are supported on the box running this -version of BIND. IPv6 stacks will be supported in a future release. +This is a feature release of BIND 9.4 for Window NT/2000. Only +IPv4 stacks are supported on the box running this version of BIND. +IPv6 stacks will be supported in a future release. Kit Installation Information @@ -75,6 +69,11 @@ started and stopped in the same way as any other service and automatically starts whenever the system is booted. Signals are not supported and are in fact ignored. +Note: Unlike most Windows applications, named does not, change its +working directory when started as a service. If you wish to use +relative files in named.conf you will need to specify a working +directory. + Documentation This kit includes Documentation in HTML format. The documentation is not @@ -110,6 +109,8 @@ BIND running on that system. This will be fixed in a future release. +Messages are logged to the Application log in the EventViewer. + Problems Please report all problems to bind9-bugs@isc.org and not to me. All From ca9a8f6d0b0f2a400a96f868193471510364336f Mon Sep 17 00:00:00 2001 
From: Mark Andrews Date: Tue, 16 Mar 2004 23:50:56 +0000 Subject: [PATCH 004/146] newcopyrights --- util/copyrights | 83 +++++++++++++++++++++++++------------------ 1 file changed, 43 insertions(+), 40 deletions(-)
diff --git a/util/copyrights b/util/copyrights
index d8adeea0f6..eb03ea0c02 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -465,6 +465,7 @@
 ./bin/tests/system/dnssec/ns1/root.db.in ZONE 2000,2001,2004
 ./bin/tests/system/dnssec/ns1/sign.sh SH 2000,2001,2002,2003,2004
 ./bin/tests/system/dnssec/ns2/.cvsignore X 2000,2001
+./bin/tests/system/dnssec/ns2/dlv.db.in ZONE 2004
 ./bin/tests/system/dnssec/ns2/dst.example.db.in ZONE 2004
 ./bin/tests/system/dnssec/ns2/example.db.in ZONE 2000,2001,2002,2004
 ./bin/tests/system/dnssec/ns2/insecure.secure.example.db ZONE 2000,2001,2004
@@ -784,7 +785,7 @@
 ./bin/win32/BINDInstall/resource.h X 2001
 ./config.guess X 1999,2000,2001
 ./config.h.in X 1999,2000,2001
-./config.h.win32 C 1999,2000,2001
+./config.h.win32 C 1999,2000,2001,2004
 ./config.sub X 1999,2000,2001
 ./configure X 1998,1999,2000,2001
 ./configure.in SH 1998,1999,2000,2001,2002,2003,2004
@@ -1145,7 +1146,7 @@
 ./lib/bind/bsd/writev.c X 2001
 ./lib/bind/config.h.in X 2001
 ./lib/bind/configure X 2001
-./lib/bind/configure.in SH 2001
+./lib/bind/configure.in SH 2001,2004
 ./lib/bind/dst/.cvsignore X 2001
 ./lib/bind/dst/Makefile.in MAKE 2001,2004
 ./lib/bind/dst/dst_api.c X 2001
@@ -1301,12 +1302,12 @@
 ./lib/bind/libtool.m4 X 2001
 ./lib/bind/ltmain.sh X 2001
 ./lib/bind/make/.cvsignore X 2001
-./lib/bind/make/includes.in MAKE 2001
+./lib/bind/make/includes.in MAKE 2001,2004
 ./lib/bind/make/mkdep.in X 2001
-./lib/bind/make/rules.in MAKE 2001
+./lib/bind/make/rules.in MAKE 2001,2004
 ./lib/bind/mkinstalldirs X 2001
 ./lib/bind/nameser/.cvsignore X 2001
-./lib/bind/nameser/Makefile.in MAKE 2001
+./lib/bind/nameser/Makefile.in MAKE 2001,2004
 ./lib/bind/nameser/ns_date.c X 2001
 ./lib/bind/nameser/ns_name.c X 2001
 ./lib/bind/nameser/ns_netint.c X 2001
@@ -1321,31 +1322,31 @@
 ./lib/bind/port/aix32/.cvsignore X 2001
 ./lib/bind/port/aix32/Makefile.in MAKE 2001,2004
 ./lib/bind/port/aix32/include/.cvsignore X 2001
-./lib/bind/port/aix32/include/Makefile.in MAKE 2001
+./lib/bind/port/aix32/include/Makefile.in MAKE 2001,2004
 ./lib/bind/port/aix32/include/paths.h X 2001
 ./lib/bind/port/aix32/include/sys/bitypes.h X 2001
 ./lib/bind/port/aix32/include/sys/cdefs.h X 2001
 ./lib/bind/port/aix4/.cvsignore X 2001
 ./lib/bind/port/aix4/Makefile.in MAKE 2001,2004
 ./lib/bind/port/aix4/include/.cvsignore X 2001
-./lib/bind/port/aix4/include/Makefile.in MAKE 2001
+./lib/bind/port/aix4/include/Makefile.in MAKE 2001,2004
 ./lib/bind/port/aix4/include/sys/bitypes.h X 2001
 ./lib/bind/port/aix4/include/sys/cdefs.h X 2001
 ./lib/bind/port/aux3/.cvsignore X 2001
 ./lib/bind/port/aux3/Makefile.in MAKE 2001,2004
 ./lib/bind/port/aux3/include/.cvsignore X 2001
-./lib/bind/port/aux3/include/Makefile.in MAKE 2001
+./lib/bind/port/aux3/include/Makefile.in MAKE 2001,2004
 ./lib/bind/port/aux3/include/sys/bitypes.h X 2001
 ./lib/bind/port/aux3/include/sys/cdefs.h X 2001
 ./lib/bind/port/bsdos/.cvsignore X 2001
 ./lib/bind/port/bsdos/Makefile.in MAKE 2001,2004
 ./lib/bind/port/bsdos/include/.cvsignore X 2001
-./lib/bind/port/bsdos/include/Makefile.in MAKE 2001
+./lib/bind/port/bsdos/include/Makefile.in MAKE 2001,2004
 ./lib/bind/port/bsdos/include/sys/bitypes.h X 2001
 ./lib/bind/port/bsdos2/.cvsignore X 2001
 ./lib/bind/port/bsdos2/Makefile.in MAKE 2001,2004
 ./lib/bind/port/bsdos2/include/.cvsignore X 2001
-./lib/bind/port/bsdos2/include/Makefile.in MAKE 2001
+./lib/bind/port/bsdos2/include/Makefile.in MAKE 2001,2004
 ./lib/bind/port/bsdos2/include/sys/bitypes.h X 2001
 ./lib/bind/port/cygwin/Makefile.in MAKE 2002,2004
 ./lib/bind/port/cygwin/include/Makefile.in MAKE 2002,2004
@@ -1364,62 +1365,62 @@
 ./lib/bind/port/darwin/.cvsignore X 2001
 ./lib/bind/port/darwin/Makefile.in MAKE 2001,2004
 ./lib/bind/port/darwin/include/.cvsignore X 2001
-./lib/bind/port/darwin/include/Makefile.in MAKE 2001
+./lib/bind/port/darwin/include/Makefile.in MAKE 2001,2004
 ./lib/bind/port/darwin/include/sys/bitypes.h X 2001
 ./lib/bind/port/decunix/.cvsignore X 2001
 ./lib/bind/port/decunix/Makefile.in MAKE 2001,2004
 ./lib/bind/port/decunix/include/.cvsignore X 2001
-./lib/bind/port/decunix/include/Makefile.in MAKE 2001
+./lib/bind/port/decunix/include/Makefile.in MAKE 2001,2004
 ./lib/bind/port/decunix/include/sys/bitypes.h X 2001
 ./lib/bind/port/decunix/include/sys/cdefs.h X 2001
 ./lib/bind/port/freebsd/.cvsignore X 2001
 ./lib/bind/port/freebsd/Makefile.in MAKE 2001,2004
 ./lib/bind/port/freebsd/include/.cvsignore X 2001
-./lib/bind/port/freebsd/include/Makefile.in MAKE 2001
+./lib/bind/port/freebsd/include/Makefile.in MAKE 2001,2004
 ./lib/bind/port/freebsd/include/sys/bitypes.h X 2001
 ./lib/bind/port/hpux/.cvsignore X 2001
 ./lib/bind/port/hpux/Makefile.in MAKE 2001,2004
 ./lib/bind/port/hpux/include/.cvsignore X 2001
-./lib/bind/port/hpux/include/Makefile.in MAKE 2001
+./lib/bind/port/hpux/include/Makefile.in MAKE 2001,2004
 ./lib/bind/port/hpux/include/paths.h X 2001
 ./lib/bind/port/hpux/include/sys/bitypes.h X 2001
 ./lib/bind/port/hpux/include/sys/cdefs.h X 2001
 ./lib/bind/port/hpux10/.cvsignore X 2001
 ./lib/bind/port/hpux10/Makefile.in MAKE 2001,2004
 ./lib/bind/port/hpux10/include/.cvsignore X 2001
-./lib/bind/port/hpux10/include/Makefile.in MAKE 2001
+./lib/bind/port/hpux10/include/Makefile.in MAKE 2001,2004
 ./lib/bind/port/hpux10/include/paths.h X 2001
 ./lib/bind/port/hpux10/include/sys/bitypes.h X 2001
 ./lib/bind/port/hpux10/include/sys/cdefs.h X 2001
 ./lib/bind/port/hpux9/.cvsignore X 2001
 ./lib/bind/port/hpux9/Makefile.in MAKE 2001,2004
 ./lib/bind/port/hpux9/include/.cvsignore X 2001
-./lib/bind/port/hpux9/include/Makefile.in MAKE 2001
+./lib/bind/port/hpux9/include/Makefile.in MAKE 2001,2004
 ./lib/bind/port/hpux9/include/sys/bitypes.h X 2001
 ./lib/bind/port/hpux9/include/sys/cdefs.h X 2001
 ./lib/bind/port/irix/.cvsignore X 2001
 ./lib/bind/port/irix/Makefile.in MAKE 2001,2004
 ./lib/bind/port/irix/include/.cvsignore X 2001
-./lib/bind/port/irix/include/Makefile.in MAKE 2001
+./lib/bind/port/irix/include/Makefile.in MAKE 2001,2004
 ./lib/bind/port/irix/include/paths.h C 2001,2004
 ./lib/bind/port/irix/include/sys/bitypes.h X 2001
 ./lib/bind/port/irix/include/sys/cdefs.h X 2001
 ./lib/bind/port/linux/.cvsignore X 2001
 ./lib/bind/port/linux/Makefile.in MAKE 2001,2004
 ./lib/bind/port/linux/include/.cvsignore X 2001
-./lib/bind/port/linux/include/Makefile.in MAKE 2001
+./lib/bind/port/linux/include/Makefile.in MAKE 2001,2004
 ./lib/bind/port/linux/include/net/route.h X 2001
 ./lib/bind/port/linux/include/sys/mbuf.h X 2001
 ./lib/bind/port/lynxos/.cvsignore X 2001
 ./lib/bind/port/lynxos/Makefile.in MAKE 2001,2004
 ./lib/bind/port/lynxos/include/.cvsignore X 2001
-./lib/bind/port/lynxos/include/Makefile.in MAKE 2001
+./lib/bind/port/lynxos/include/Makefile.in MAKE 2001,2004
 ./lib/bind/port/lynxos/include/sys/bitypes.h X 2001
 ./lib/bind/port/lynxos/include/sys/cdefs.h X 2001
 ./lib/bind/port/mpe/.cvsignore X 2001
 ./lib/bind/port/mpe/Makefile.in MAKE 2001,2004
 ./lib/bind/port/mpe/include/.cvsignore X 2001
-./lib/bind/port/mpe/include/Makefile.in MAKE 2001
+./lib/bind/port/mpe/include/Makefile.in MAKE 2001,2004
 ./lib/bind/port/mpe/include/net/route.h X 2001
 ./lib/bind/port/mpe/include/sys/bitypes.h X 2001
 ./lib/bind/port/mpe/include/sys/cdefs.h X 2001
@@ -1430,25 +1431,25 @@
 ./lib/bind/port/netbsd/.cvsignore X 2001
 ./lib/bind/port/netbsd/Makefile.in MAKE 2001,2004
 ./lib/bind/port/netbsd/include/.cvsignore X 2001
-./lib/bind/port/netbsd/include/Makefile.in MAKE 2001
+./lib/bind/port/netbsd/include/Makefile.in MAKE 2001,2004
 ./lib/bind/port/netbsd/include/sys/bitypes.h X 2001
 ./lib/bind/port/next/.cvsignore X 2001
 ./lib/bind/port/next/Makefile.in MAKE 2001,2004
 ./lib/bind/port/next/include/.cvsignore X 2001
-./lib/bind/port/next/include/Makefile.in MAKE 2001
+./lib/bind/port/next/include/Makefile.in MAKE 2001,2004
 ./lib/bind/port/next/include/sys/bitypes.h X 2001
 ./lib/bind/port/next/include/sys/cdefs.h X 2001
 ./lib/bind/port/openbsd/.cvsignore X 2001
 ./lib/bind/port/openbsd/Makefile.in MAKE 2001,2004
 ./lib/bind/port/openbsd/include/.cvsignore X 2001
-./lib/bind/port/openbsd/include/Makefile.in MAKE 2001
+./lib/bind/port/openbsd/include/Makefile.in MAKE 2001,2004
 ./lib/bind/port/openbsd/include/sys/bitypes.h X 2001
 ./lib/bind/port/prand_conf/.cvsignore X 2001
 ./lib/bind/port/prand_conf/Makefile.in MAKE 2001,2004
 ./lib/bind/port/qnx/.cvsignore X 2001
 ./lib/bind/port/qnx/Makefile.in MAKE 2001,2004
 ./lib/bind/port/qnx/include/.cvsignore X 2001
-./lib/bind/port/qnx/include/Makefile.in MAKE 2001
+./lib/bind/port/qnx/include/Makefile.in MAKE 2001,2004
 ./lib/bind/port/qnx/include/sys/bitypes.h X 2001
 ./lib/bind/port/qnx/include/sys/cdefs.h X 2001
 ./lib/bind/port/qnx/include/sys/ioctl.h X 2001
@@ -1457,12 +1458,12 @@
 ./lib/bind/port/rhapsody/.cvsignore X 2001
 ./lib/bind/port/rhapsody/Makefile.in MAKE 2001,2004
 ./lib/bind/port/rhapsody/include/.cvsignore X 2001
-./lib/bind/port/rhapsody/include/Makefile.in MAKE 2001
+./lib/bind/port/rhapsody/include/Makefile.in MAKE 2001,2004
 ./lib/bind/port/rhapsody/include/sys/bitypes.h X 2001
 ./lib/bind/port/sco42/.cvsignore X 2001
 ./lib/bind/port/sco42/Makefile.in MAKE 2001,2004
 ./lib/bind/port/sco42/include/.cvsignore X 2001
-./lib/bind/port/sco42/include/Makefile.in MAKE 2001
+./lib/bind/port/sco42/include/Makefile.in MAKE 2001,2004
 ./lib/bind/port/sco42/include/sys/bitypes.h X 2001
 ./lib/bind/port/sco42/include/sys/cdefs.h X 2001
 ./lib/bind/port/sco42/include/sys/mbuf.h X 2001
@@ -1470,26 +1471,26 @@
 ./lib/bind/port/sco50/.cvsignore X 2001
 ./lib/bind/port/sco50/Makefile.in MAKE 2001,2004
 ./lib/bind/port/sco50/include/.cvsignore X 2001
-./lib/bind/port/sco50/include/Makefile.in MAKE 2001
+./lib/bind/port/sco50/include/Makefile.in MAKE 2001,2004
 ./lib/bind/port/sco50/include/sys/mbuf.h X 2001
 ./lib/bind/port/solaris/.cvsignore X 2001
 ./lib/bind/port/solaris/Makefile.in MAKE 2001,2004
 ./lib/bind/port/solaris/include/.cvsignore X 2001
-./lib/bind/port/solaris/include/Makefile.in MAKE 2001
+./lib/bind/port/solaris/include/Makefile.in MAKE 2001,2004
 ./lib/bind/port/solaris/include/paths.h X 2001
-./lib/bind/port/solaris/include/sys/bitypes.h C 2001
+./lib/bind/port/solaris/include/sys/bitypes.h C 2001,2004
 ./lib/bind/port/solaris/include/sys/cdefs.h X 2001
 ./lib/bind/port/sunos/.cvsignore X 2001
 ./lib/bind/port/sunos/Makefile.in MAKE 2001,2004
 ./lib/bind/port/sunos/include/.cvsignore X 2001
-./lib/bind/port/sunos/include/Makefile.in MAKE 2001
+./lib/bind/port/sunos/include/Makefile.in MAKE 2001,2004
 ./lib/bind/port/sunos/include/sys/bitypes.h X 2001
 ./lib/bind/port/sunos/include/sys/cdefs.h X 2001
 ./lib/bind/port/sunos/include/sys/wait.h X 2001
 ./lib/bind/port/ultrix/.cvsignore X 2001
 ./lib/bind/port/ultrix/Makefile.in MAKE 2001,2004
 ./lib/bind/port/ultrix/include/.cvsignore X 2001
-./lib/bind/port/ultrix/include/Makefile.in MAKE 2001
+./lib/bind/port/ultrix/include/Makefile.in MAKE 2001,2004
 ./lib/bind/port/ultrix/include/rpc/xdr.h X 2001
 ./lib/bind/port/ultrix/include/sys/bitypes.h X 2001
 ./lib/bind/port/ultrix/include/sys/cdefs.h X 2001
@@ -1498,27 +1499,27 @@
 ./lib/bind/port/unixware20/.cvsignore X 2001
 ./lib/bind/port/unixware20/Makefile.in MAKE 2001,2004
 ./lib/bind/port/unixware20/include/.cvsignore X 2001
-./lib/bind/port/unixware20/include/Makefile.in MAKE 2001
+./lib/bind/port/unixware20/include/Makefile.in MAKE 2001,2004
 ./lib/bind/port/unixware20/include/sys/bitypes.h X 2001
 ./lib/bind/port/unixware20/include/sys/cdefs.h X 2001
 ./lib/bind/port/unixware212/.cvsignore X 2001
 ./lib/bind/port/unixware212/Makefile.in MAKE 2001,2004
 ./lib/bind/port/unixware212/include/.cvsignore X 2001
-./lib/bind/port/unixware212/include/Makefile.in MAKE 2001
+./lib/bind/port/unixware212/include/Makefile.in MAKE 2001,2004
 ./lib/bind/port/unixware212/include/sys/bitypes.h X 2001
 ./lib/bind/port/unixware212/include/sys/cdefs.h X 2001
 ./lib/bind/port/unixware7/.cvsignore X 2001
 ./lib/bind/port/unixware7/Makefile.in MAKE 2001,2004
 ./lib/bind/port/unixware7/include/.cvsignore X 2001
-./lib/bind/port/unixware7/include/Makefile.in MAKE 2001
+./lib/bind/port/unixware7/include/Makefile.in MAKE 2001,2004
 ./lib/bind/port/unknown/.cvsignore X 2001
 ./lib/bind/port/unknown/Makefile.in MAKE 2001,2004
 ./lib/bind/port/unknown/include/.cvsignore X 2001
-./lib/bind/port/unknown/include/Makefile.in MAKE 2001
+./lib/bind/port/unknown/include/Makefile.in MAKE 2001,2004
 ./lib/bind/port_after.h.in X 2001
 ./lib/bind/port_before.h.in X 2001
 ./lib/bind/resolv/.cvsignore X 2001
-./lib/bind/resolv/Makefile.in MAKE 2001
+./lib/bind/resolv/Makefile.in MAKE 2001,2004
 ./lib/bind/resolv/herror.c X 2001
 ./lib/bind/resolv/res_comp.c X 2001
 ./lib/bind/resolv/res_data.c X 2001
@@ -1664,6 +1665,7 @@
 ./lib/dns/rbtdb.h C 1999,2000,2001,2004
 ./lib/dns/rbtdb64.c C 1999,2000,2001,2004
 ./lib/dns/rbtdb64.h C 1999,2000,2001,2004
+./lib/dns/rcode.c C 2004
 ./lib/dns/rdata.c C 1998,1999,2000,2001,2002,2003,2004
 ./lib/dns/rdata/any_255/tsig_250.c C 1999,2000,2001,2002,2003,2004
 ./lib/dns/rdata/any_255/tsig_250.h C 1999,2000,2001,2004
@@ -1994,6 +1996,7 @@
 ./lib/isc/unix/include/isc/net.h C 1999,2000,2001,2002,2003,2004
 ./lib/isc/unix/include/isc/netdb.h C 1999,2000,2001,2004
 ./lib/isc/unix/include/isc/offset.h C 2000,2001,2004
+./lib/isc/unix/include/isc/stat.h C 2004
 ./lib/isc/unix/include/isc/stdtime.h C 1999,2000,2001,2004
 ./lib/isc/unix/include/isc/strerror.h C 2001,2004
 ./lib/isc/unix/include/isc/syslog.h C 1999,2000,2001,2004
@@ -2262,7 +2265,7 @@
 ./lib/win32/bindevt/bindevt.dsp X 2001
 ./lib/win32/bindevt/bindevt.dsw X 2001
 ./lib/win32/bindevt/bindevt.mak X 2001
-./lib/win32/bindevt/bindevt.mc MC 2001
+./lib/win32/bindevt/bindevt.mc MC 2001,2004
 ./libtool.m4 X 2000,2001
 ./ltmain.sh X 1999,2000,2001
 ./make/.cvsignore X 1999,2000,2001
@@ -2299,9 +2302,9 @@
 ./util/update_copyrights PERL 1998,1999,2000,2001,2004
 ./version X 1999,2000,2001
 ./win32utils/BINDBuild.dsw X 2001
-./win32utils/BuildAll.bat BAT 2001,2002
-./win32utils/BuildSetup.bat BAT 2001,2002
-./win32utils/dnsheadergen.bat BAT 2001
+./win32utils/BuildAll.bat BAT 2001,2002,2004
+./win32utils/BuildSetup.bat BAT 2001,2002,2004
+./win32utils/dnsheadergen.bat BAT 2001,2004
 ./win32utils/makedefs.pl PERL 2001,2004
 ./win32utils/makeversion.pl PERL 2001,2004
 ./win32utils/readme1st.txt TXT.BRIEF 2001,2003,2004
From 1676408640d8283c9f17eec0b183e1302ea7fd70 Mon Sep 17 00:00:00 2001
From: Mark Andrews Date: Thu, 18 Mar 2004 02:58:08 +0000 Subject: [PATCH 005/146] pullup silence compiler fixes ifconfig.sh for Solaris 9 README updates --- README | 23 ++++++++++++++++++++ bin/tests/system/ifconfig.sh | 8 +++---- doc/dev/release | 4 ++-- lib/bind/dst/dst_internal.h | 2 +- lib/bind/dst/md5_dgst.c | 8 +++---- lib/bind/dst/md5_locl.h | 4 ++-- lib/bind/inet/inet_addr.c | 10 ++++----- lib/bind/inet/inet_cidr_ntop.c | 6 +++--- lib/bind/inet/inet_cidr_pton.c | 6 +++--- lib/bind/inet/inet_makeaddr.c | 4 ++-- lib/bind/inet/inet_net_pton.c | 12 +++++------ lib/bind/inet/inet_network.c | 8 +++---- lib/bind/irs/dns.c | 4 ++-- lib/bind/irs/dns_ho.c | 8 +++---- lib/bind/irs/dns_nw.c | 4 ++-- lib/bind/irs/dns_p.h | 4 ++-- lib/bind/irs/gen.c | 4 ++-- lib/bind/irs/gen_ho.c | 4 ++-- lib/bind/irs/gen_nw.c | 4 ++-- lib/bind/irs/gethostent.c | 10 ++++----- lib/bind/irs/getnameinfo.c | 8 +++---- lib/bind/irs/getnetent.c | 8 +++---- lib/bind/irs/hesiod.c | 4 ++-- lib/bind/irs/irp.c | 4 ++-- lib/bind/irs/irpmarshall.c | 36 +++++++++++++++---------------- lib/bind/irs/irs_data.c | 4 ++-- lib/bind/irs/lcl.c | 4 ++-- lib/bind/irs/lcl_ho.c | 4 ++-- lib/bind/irs/lcl_nw.c | 4 ++-- lib/bind/isc/base64.c | 8 +++---- lib/bind/isc/ctl_clnt.c | 8 +++---- lib/bind/isc/ctl_p.c | 4 ++-- lib/bind/isc/ctl_srvr.c | 8 +++---- lib/bind/isc/ev_streams.c | 4 ++-- lib/bind/isc/ev_timers.c | 36 +++++++++++++++++++++++++------ lib/bind/isc/eventlib.c | 5 +++-- lib/bind/isc/hex.c | 10 ++++----- lib/bind/isc/logging.c | 6 +++--- lib/bind/isc/memcluster.c | 20 ++++++++--------- lib/bind/nameser/ns_date.c | 4 ++-- lib/bind/nameser/ns_print.c | 26 +++++++++++----------- lib/bind/nameser/ns_samedomain.c | 14 ++++++------ lib/bind/resolv/res_data.c | 20 ++++++++--------- lib/bind/resolv/res_debug.c | 10 ++++----- lib/bind/resolv/res_findzonecut.c | 4 ++-- lib/bind/resolv/res_init.c | 4 ++-- lib/bind/resolv/res_mkquery.c | 6 +++--- lib/bind/resolv/res_mkupdate.c | 6 +++--- lib/bind/resolv/res_query.c | 
14 ++++++------ lib/bind/resolv/res_send.c | 16 +++++++------- lib/bind/resolv/res_sendsigned.c | 2 +- lib/bind/resolv/res_update.c | 4 ++-- lib/dns/include/dns/name.h | 14 +++++++----- lib/dns/portlist.c | 13 +++++------ lib/dns/rdata/generic/dlv_65323.c | 8 +++---- lib/dns/rdata/generic/ds_43.c | 8 +++---- lib/dns/rdata/generic/rrsig_46.c | 4 ++-- lib/dns/rdata/in_1/apl_42.c | 4 ++-- lib/dns/sec/dst/dst_api.c | 4 ++-- lib/dns/sec/dst/dst_parse.c | 4 ++-- lib/dns/sec/dst/openssl_link.c | 4 ++-- lib/dns/sec/dst/openssldh_link.c | 4 ++-- lib/dns/sec/dst/opensslrsa_link.c | 4 ++-- lib/dns/zone.c | 4 ++-- lib/isc/mem.c | 4 ++-- lib/isc/string.c | 16 +++++++------- lib/isc/unix/file.c | 4 ++-- lib/isc/unix/socket.c | 6 +++--- lib/isccfg/parser.c | 8 +++---- util/copyrights | 4 ++-- win32utils/win32-build.txt | 6 +++--- 71 files changed, 314 insertions(+), 261 deletions(-) diff --git a/README b/README index a8bf1f7b15..717d8fd47d 100644 --- a/README +++ b/README @@ -48,12 +48,35 @@ BIND 9.3.0 BIND 9.3.0 has a number of new features over 9.2, including: + DNSSEC is now DS based. + See doc/draft/draft-ietf-dnsext-dnssec-* + + DNSSEC lookaside validation. + + check-names is now implemented. + rrset-order in more complete. + + IPv4/IPv6 transition support, dual-stack-servers. + + IXFR deltas can now be generated when loading master files, + ixfr-from-differences. + + It is now possible to specify the size of a journal, max-journal-size. + + It is now possible to define a named set of master servers to be + used in masters clause, masters. + + The advertised EDNS UDP size can now be set, edns-udp-size. + + allow-v6-synthesis has been obsoleted. + NOTE: * Zones containing MD and MF will now be rejected. * dig, nslookup name. now report "Not Implemented" as NOTIMP rather than NOTIMPL. This will have impact on scripts that are looking for NOTIMPL. + libbind: corresponds to that from BIND 8.4.5. BIND 9.2.0 
diff --git a/bin/tests/system/ifconfig.sh b/bin/tests/system/ifconfig.sh index 725902d658..9e3d57a504 100644 --- a/bin/tests/system/ifconfig.sh +++ b/bin/tests/system/ifconfig.sh @@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: ifconfig.sh,v 1.45 2004/03/10 02:19:52 marka Exp $ +# $Id: ifconfig.sh,v 1.46 2004/03/18 02:57:54 marka Exp $ # # Set up interface aliases for bind9 system tests. @@ -72,9 +72,9 @@ case "$1" in *-sun-solaris2.[6-7]) ifconfig lo0:$int 10.53.0.$ns netmask 0xffffffff up ;; - *-*-solaris2.8) - ifconfig lo0:$int plumb - ifconfig lo0:$int 10.53.0.$ns up + *-*-solaris2.[8-9]) + /sbin/ifconfig lo0:$int plumb + /sbin/ifconfig lo0:$int 10.53.0.$ns up ;; *-*-linux*) ifconfig lo:$int 10.53.0.$ns up netmask 255.255.255.0 diff --git a/doc/dev/release b/doc/dev/release index 313b6c9270..ed4859d268 100644 --- a/doc/dev/release +++ b/doc/dev/release @@ -2,7 +2,7 @@ Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") Copyright (C) 2000-2003 Internet Software Consortium. See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. -$Id: release,v 1.59 2004/03/13 04:08:07 sra Exp $ +$Id: release,v 1.60 2004/03/18 02:57:55 marka Exp $ Preparing a bind9 release @@ -136,7 +136,7 @@ release. $ CFLAGS=-I/usr/local/include ./configure '--with-iconv=-L/usr/local/lib -liconv' [ Sample on freebsd -- formerly used giconv, now uses iconv ] - ./configure --with-iconv-include=/usr/local/include \ + ./configure --with-iconv-include=/usr/local/include \ '--with-iconv=-L/usr/local/lib -liconv' $ make diff --git a/lib/bind/dst/dst_internal.h b/lib/bind/dst/dst_internal.h index 0848adf7e5..928650a726 100644 --- a/lib/bind/dst/dst_internal.h +++ b/lib/bind/dst/dst_internal.h 
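Review bot: The Solaris arm now hard-codes `/sbin/ifconfig` while the neighbouring `*-sun-solaris2.[6-7]` and `*-*-linux*` arms still resolve `ifconfig` through PATH, and nothing in the hunk records why; a comment such as `# Solaris 8/9: call /sbin/ifconfig by full path so the alias is created regardless of the caller's PATH` would stop the next reader from "fixing" the inconsistency. The exit status of the `plumb` step is also not checked, so if it fails (this step typically needs root) the following `up` fails as well and the run continues without the alias; `/sbin/ifconfig lo0:$int plumb || exit 1` would surface that immediately, if aborting is acceptable for this script. The enclosing `case "$1" in` starts before the hunk and continues after it.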
@@ -73,7 +73,7 @@ typedef struct dst_key { #ifndef SAFE_FREE #define SAFE_FREE(a) \ do{if(a != NULL){memset(a,0, sizeof(*a)); free(a); a=NULL;}} while (0) -#define SAFE_FREE2(a,s) if (a != NULL && s > 0){memset(a,0, s);free(a); a=NULL;} +#define SAFE_FREE2(a,s) if (a != NULL && (long)s > 0){memset(a,0, s);free(a); a=NULL;} #endif typedef struct dst_func { diff --git a/lib/bind/dst/md5_dgst.c b/lib/bind/dst/md5_dgst.c index 78882d1c95..48c327eac3 100644 --- a/lib/bind/dst/md5_dgst.c +++ b/lib/bind/dst/md5_dgst.c @@ -99,7 +99,7 @@ unsigned long len; int sw,sc; ULONG l; - if (len == 0) return; + if (len == 0U) return; l=(c->Nl+(len<<3))&0xffffffffL; /* 95-05-24 eay Fixed a bug with the overflow handling, thanks to @@ -115,7 +115,7 @@ unsigned long len; sw=c->num>>2; sc=c->num&0x03; - if ((c->num+len) >= MD5_CBLOCK) + if ((c->num+len) >= (size_t)MD5_CBLOCK) { l= p[sw]; p_c2l(data,l,sc); @@ -136,7 +136,7 @@ unsigned long len; int ew,ec; c->num+=(int)len; - if ((sc+len) < 4) /* ugly, add char's to a word */ + if ((sc+len) < 4U) /* ugly, add char's to a word */ { l= p[sw]; p_c2l_p(data,l,sc,len); @@ -163,7 +163,7 @@ unsigned long len; /* we now can process the input data in blocks of MD5_CBLOCK * chars and save the leftovers to c->data. */ p=c->data; - while (len >= MD5_CBLOCK) + while (len >= (size_t)MD5_CBLOCK) { #if defined(L_ENDIAN) || defined(B_ENDIAN) memcpy(p,data,MD5_CBLOCK); diff --git a/lib/bind/dst/md5_locl.h b/lib/bind/dst/md5_locl.h index b2f0028fbd..ce4c765c1b 100644 --- a/lib/bind/dst/md5_locl.h +++ b/lib/bind/dst/md5_locl.h @@ -101,9 +101,9 @@ switch (sc) \ { \ case 0: l =((unsigned long)(*((c)++))); \ - if (--len == 0) break; \ + if (--len == 0U) break; \ case 1: l|=((unsigned long)(*((c)++)))<< 8; \ - if (--len == 0) break; \ + if (--len == 0U) break; \ case 2: l|=((unsigned long)(*((c)++)))<<16; \ } \ } diff --git a/lib/bind/inet/inet_addr.c b/lib/bind/inet/inet_addr.c index 4e30c227fb..a821b19a8b 100644 --- a/lib/bind/inet/inet_addr.c 
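Review bot: `SAFE_FREE2` is still a bare `if` statement, unlike `SAFE_FREE` two lines above it, which is wrapped in `do { ... } while (0)`; a caller writing `if (x) SAFE_FREE2(p, n); else ...` binds the `else` to the macro's internal `if`. The new `(long)s > 0` test also silently turns any `size_t` argument above `LONG_MAX` into "not positive", so such a call neither zeroes nor frees the buffer — a leak rather than a corruption, but one that hides the caller's bug. Suggest `#define SAFE_FREE2(a,s) do { if ((a) != NULL && (s) > 0) { memset((a), 0, (s)); free(a); (a) = NULL; } } while (0)` and dealing with the signed/unsigned warning at the call sites instead of with the cast.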
+++ b/lib/bind/inet/inet_addr.c @@ -70,7 +70,7 @@ #if defined(LIBC_SCCS) && !defined(lint) static const char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93"; -static const char rcsid[] = "$Id: inet_addr.c,v 1.3 2004/03/09 06:29:56 marka Exp $"; +static const char rcsid[] = "$Id: inet_addr.c,v 1.4 2004/03/18 02:57:56 marka Exp $"; #endif /* LIBC_SCCS and not lint */ #include "port_before.h" @@ -156,7 +156,7 @@ inet_aton(const char *cp, struct in_addr *addr) { * a.b.c (with c treated as 16 bits) * a.b (with b treated as 24 bits) */ - if (pp >= parts + 3 || val > 0xff) + if (pp >= parts + 3 || val > 0xffU) return (0); *pp++ = val; c = *++cp; @@ -183,19 +183,19 @@ inet_aton(const char *cp, struct in_addr *addr) { break; case 2: /* a.b -- 8.24 bits */ - if (val > 0xffffff) + if (val > 0xffffffU) return (0); val |= parts[0] << 24; break; case 3: /* a.b.c -- 8.8.16 bits */ - if (val > 0xffff) + if (val > 0xffffU) return (0); val |= (parts[0] << 24) | (parts[1] << 16); break; case 4: /* a.b.c.d -- 8.8.8.8 bits */ - if (val > 0xff) + if (val > 0xffU) return (0); val |= (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8); break; diff --git a/lib/bind/inet/inet_cidr_ntop.c b/lib/bind/inet/inet_cidr_ntop.c index 85df5906e8..48685393ce 100644 --- a/lib/bind/inet/inet_cidr_ntop.c +++ b/lib/bind/inet/inet_cidr_ntop.c @@ -16,7 +16,7 @@ */ #if defined(LIBC_SCCS) && !defined(lint) -static const char rcsid[] = "$Id: inet_cidr_ntop.c,v 1.3 2004/03/09 06:29:57 marka Exp $"; +static const char rcsid[] = "$Id: inet_cidr_ntop.c,v 1.4 2004/03/18 02:57:56 marka Exp $"; #endif #include "port_before.h" @@ -121,7 +121,7 @@ inet_cidr_ntop_ipv4(const u_char *src, int bits, char *dst, size_t size) { if (bits == -1) len = 4; else - for (len = 1, b = 1 ; b < 4; b++) + for (len = 1, b = 1 ; b < 4U; b++) if (*(src + b)) len = b + 1; 
@@ -130,7 +130,7 @@ inet_cidr_ntop_ipv4(const u_char *src, int bits, char *dst, size_t size) { if (len > bytes) bytes = len; b = decoct(src, bytes, dst, size); - if (b == 0) + if (b == 0U) goto emsgsize; dst += b; size -= b; diff --git a/lib/bind/inet/inet_cidr_pton.c b/lib/bind/inet/inet_cidr_pton.c index ede928c68e..0eec171399 100644 --- a/lib/bind/inet/inet_cidr_pton.c +++ b/lib/bind/inet/inet_cidr_pton.c @@ -16,7 +16,7 @@ */ #if defined(LIBC_SCCS) && !defined(lint) -static const char rcsid[] = "$Id: inet_cidr_pton.c,v 1.4 2004/03/09 06:29:57 marka Exp $"; +static const char rcsid[] = "$Id: inet_cidr_pton.c,v 1.5 2004/03/18 02:57:57 marka Exp $"; #endif #include "port_before.h" @@ -98,7 +98,7 @@ inet_cidr_pton_ipv4(const char *src, u_char *dst, int *pbits, int ipv6) { if (tmp > 255) goto enoent; } while ((ch = *src++) != '\0' && isascii(ch) && isdigit(ch)); - if (size-- == 0) + if (size-- == 0U) goto emsgsize; *dst++ = (u_char) tmp; if (ch == '\0' || ch == '/') @@ -133,7 +133,7 @@ inet_cidr_pton_ipv4(const char *src, u_char *dst, int *pbits, int ipv6) { goto enoent; /* Extend address to four octets. */ - while (size-- > 0) + while (size-- > 0U) *dst++ = 0; *pbits = bits; diff --git a/lib/bind/inet/inet_makeaddr.c b/lib/bind/inet/inet_makeaddr.c index 49ea023df9..1d20619b99 100644 --- a/lib/bind/inet/inet_makeaddr.c +++ b/lib/bind/inet/inet_makeaddr.c @@ -53,9 +53,9 @@ inet_makeaddr(net, host) { u_long addr; - if (net < 128) + if (net < 128U) addr = (net << IN_CLASSA_NSHIFT) | (host & IN_CLASSA_HOST); - else if (net < 65536) + else if (net < 65536U) addr = (net << IN_CLASSB_NSHIFT) | (host & IN_CLASSB_HOST); else if (net < 16777216L) addr = (net << IN_CLASSC_NSHIFT) | (host & IN_CLASSC_HOST); diff --git a/lib/bind/inet/inet_net_pton.c b/lib/bind/inet/inet_net_pton.c index de5cb3ac83..6950a01cee 100644 --- a/lib/bind/inet/inet_net_pton.c +++ b/lib/bind/inet/inet_net_pton.c 
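Review bot: In `inet_makeaddr` the third comparison of the same chain, `else if (net < 16777216L)`, keeps a signed `L` suffix while the two lines above it were changed to `128U` and `65536U`; if `net` is unsigned (its K&R declaration is outside the hunk) the signed constant is converted anyway, but the mixed suffixes invite exactly the warning this commit removes elsewhere and read as if the third case were different. Change it to `else if (net < 16777216UL)`, matching the `256UL`/`65536UL`/`16777216UL` form this same commit uses in `getnetbyaddr_p` in lib/bind/irs/getnetent.c.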
@@ -16,7 +16,7 @@ */ #if defined(LIBC_SCCS) && !defined(lint) -static const char rcsid[] = "$Id: inet_net_pton.c,v 1.6 2004/03/09 06:29:57 marka Exp $"; +static const char rcsid[] = "$Id: inet_net_pton.c,v 1.7 2004/03/18 02:57:57 marka Exp $"; #endif #include "port_before.h" @@ -70,7 +70,7 @@ inet_net_pton_ipv4(const char *src, u_char *dst, size_t size) { && isascii((unsigned char)(src[1])) && isxdigit((unsigned char)(src[1]))) { /* Hexadecimal: Eat nybble string. */ - if (size <= 0) + if (size <= 0U) goto emsgsize; dirty = 0; src++; /* skip x or X. */ @@ -84,14 +84,14 @@ inet_net_pton_ipv4(const char *src, u_char *dst, size_t size) { else tmp = (tmp << 4) | n; if (++dirty == 2) { - if (size-- <= 0) + if (size-- <= 0U) goto emsgsize; *dst++ = (u_char) tmp; dirty = 0; } } if (dirty) { /* Odd trailing nybble? */ - if (size-- <= 0) + if (size-- <= 0U) goto emsgsize; *dst++ = (u_char) (tmp << 4); } @@ -108,7 +108,7 @@ inet_net_pton_ipv4(const char *src, u_char *dst, size_t size) { goto enoent; } while ((ch = *src++) != '\0' && isascii(ch) && isdigit(ch)); - if (size-- <= 0) + if (size-- <= 0U) goto emsgsize; *dst++ = (u_char) tmp; if (ch == '\0' || ch == '/') @@ -171,7 +171,7 @@ inet_net_pton_ipv4(const char *src, u_char *dst, size_t size) { } /* Extend network to cover the actual mask. */ while (bits > ((dst - odst) * 8)) { - if (size-- <= 0) + if (size-- <= 0U) goto emsgsize; *dst++ = '\0'; } diff --git a/lib/bind/inet/inet_network.c b/lib/bind/inet/inet_network.c index 9090d135f5..aaa50c8315 100644 --- a/lib/bind/inet/inet_network.c +++ b/lib/bind/inet/inet_network.c 
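Review bot: `if (size <= 0U)` and the three `if (size-- <= 0U)` sites in `inet_net_pton_ipv4` compare an unsigned `size_t` against zero with `<=`, which is equivalent to `== 0U` but reads as though a negative value were possible; the sibling `inet_cidr_pton_ipv4` in this same commit uses the clearer `if (size-- == 0U)`. Suggest `if (size == 0U)` and `if (size-- == 0U)` for the four sites. The post-decrement wraps `size` to `SIZE_MAX` on the failing path, which is harmless only because every one of these sites jumps to `emsgsize` immediately — worth a one-line comment so that a later refactor does not fall through.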
@@ -66,14 +66,14 @@ again: base = 16, cp++; while ((c = *cp) != 0) { if (isdigit((unsigned char)c)) { - if (base == 8 && (c == '8' || c == '9')) + if (base == 8U && (c == '8' || c == '9')) return (INADDR_NONE); val = (val * base) + (c - '0'); cp++; digit = 1; continue; } - if (base == 16 && isxdigit((unsigned char)c)) { + if (base == 16U && isxdigit((unsigned char)c)) { val = (val << 4) + (c + 10 - (islower((unsigned char)c) ? 'a' : 'A')); cp++; @@ -85,7 +85,7 @@ again: if (!digit) return (INADDR_NONE); if (*cp == '.') { - if (pp >= parts + 4 || val > 0xff) + if (pp >= parts + 4 || val > 0xffU) return (INADDR_NONE); *pp++ = val, cp++; goto again; @@ -94,7 +94,7 @@ again: return (INADDR_NONE); *pp++ = val; n = pp - parts; - if (n > 4) + if (n > 4U) return (INADDR_NONE); for (val = 0, i = 0; i < n; i++) { val <<= 8; diff --git a/lib/bind/irs/dns.c b/lib/bind/irs/dns.c index 637c0702af..a04fcf8ba2 100644 --- a/lib/bind/irs/dns.c +++ b/lib/bind/irs/dns.c @@ -16,7 +16,7 @@ */ #if defined(LIBC_SCCS) && !defined(lint) -static const char rcsid[] = "$Id: dns.c,v 1.2 2004/03/09 06:29:59 marka Exp $"; +static const char rcsid[] = "$Id: dns.c,v 1.3 2004/03/18 02:57:58 marka Exp $"; #endif /* @@ -118,7 +118,7 @@ dns_res_get(struct irs_acc *this) { dns_res_set(this, res, free); } - if ((dns->res->options & RES_INIT) == 0 && + if ((dns->res->options & RES_INIT) == 0U && res_ninit(dns->res) < 0) return (NULL); diff --git a/lib/bind/irs/dns_ho.c b/lib/bind/irs/dns_ho.c index 6f2e9a116c..46f2ca580f 100644 --- a/lib/bind/irs/dns_ho.c +++ b/lib/bind/irs/dns_ho.c @@ -52,7 +52,7 @@ /* BIND Id: gethnamaddr.c,v 8.15 1996/05/22 04:56:30 vixie Exp $ */ #if defined(LIBC_SCCS) && !defined(lint) -static const char rcsid[] = "$Id: dns_ho.c,v 1.13 2004/03/09 06:29:59 marka Exp $"; +static const char rcsid[] = "$Id: dns_ho.c,v 1.14 2004/03/18 02:57:58 marka Exp $"; #endif /* LIBC_SCCS and not lint */ /* Imports. */ 
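Review bot: The `val > 0xffU` check at the `.` boundary and the `base == 8U`/`16U` suffixes are fine as far as they go, but the accumulation line in the same hunk, `val = (val * base) + (c - '0');`, still has no overflow guard, so a sufficiently long run of digits wraps `val` before the range check sees it and an over-long component can pass as a small value. A bound before the multiply, e.g. `if (val > 0xffffffffUL / base) return (INADDR_NONE);`, closes that (adjust the constant if `val` is wider than 32 bits — its declaration is outside the hunk); the hex branch `val = (val << 4) + ...` needs the equivalent shift check. The parallel `inet_aton` changes in lib/bind/inet/inet_addr.c presumably share this, but its accumulation loop is outside that hunk.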
@@ -386,7 +386,7 @@ ho_byaddr(struct irs_ho *this, const void *addr, int len, int af) q2->qtype = T_PTR; q2->answer = q2->qbuf.buf; q2->anslen = sizeof(q2->qbuf); - if ((pvt->res->options & RES_NO_NIBBLE2) != 0) + if ((pvt->res->options & RES_NO_NIBBLE2) != 0U) q2->action = RESTGT_IGNORE; else q2->action = RESTGT_AFTERFAILURE; @@ -838,7 +838,7 @@ gethostans(struct irs_ho *this, } cp += n; #ifdef RES_USE_DNAME - if ((pvt->res->options & RES_USE_DNAME) != 0) + if ((pvt->res->options & RES_USE_DNAME) != 0U) #endif { /* @@ -1149,7 +1149,7 @@ init(struct irs_ho *this) { if (!pvt->res && !ho_res_get(this)) return (-1); - if (((pvt->res->options & RES_INIT) == 0) && + if (((pvt->res->options & RES_INIT) == 0U) && res_ninit(pvt->res) == -1) return (-1); return (0); diff --git a/lib/bind/irs/dns_nw.c b/lib/bind/irs/dns_nw.c index 0078648b53..79a5aefcf0 100644 --- a/lib/bind/irs/dns_nw.c +++ b/lib/bind/irs/dns_nw.c @@ -16,7 +16,7 @@ */ #if defined(LIBC_SCCS) && !defined(lint) -static const char rcsid[] = "$Id: dns_nw.c,v 1.8 2004/03/09 06:29:59 marka Exp $"; +static const char rcsid[] = "$Id: dns_nw.c,v 1.9 2004/03/18 02:57:58 marka Exp $"; #endif /* LIBC_SCCS and not lint */ /* Imports. */ @@ -587,7 +587,7 @@ init(struct irs_nw *this) { if (!pvt->res && !nw_res_get(this)) return (-1); - if (((pvt->res->options & RES_INIT) == 0) && + if (((pvt->res->options & RES_INIT) == 0U) && res_ninit(pvt->res) == -1) return (-1); return (0); diff --git a/lib/bind/irs/dns_p.h b/lib/bind/irs/dns_p.h index 40f82f069d..451ce566de 100644 --- a/lib/bind/irs/dns_p.h +++ b/lib/bind/irs/dns_p.h 
@@ -16,13 +16,13 @@ */ /* - * $Id: dns_p.h,v 1.2 2004/03/09 06:29:59 marka Exp $ + * $Id: dns_p.h,v 1.3 2004/03/18 02:57:58 marka Exp $ */ #ifndef _DNS_P_H_INCLUDED #define _DNS_P_H_INCLUDED -#define maybe_ok(res, nm, ok) (((res)->options & RES_NOCHECKNAME) != 0 || \ +#define maybe_ok(res, nm, ok) (((res)->options & RES_NOCHECKNAME) != 0U || \ (ok)(nm) != 0) #define maybe_hnok(res, hn) maybe_ok((res), (hn), res_hnok) #define maybe_dnok(res, dn) maybe_ok((res), (dn), res_dnok) diff --git a/lib/bind/irs/gen.c b/lib/bind/irs/gen.c index c13f16dcb8..093ecf361e 100644 --- a/lib/bind/irs/gen.c +++ b/lib/bind/irs/gen.c @@ -16,7 +16,7 @@ */ #if !defined(LINT) && !defined(CODECENTER) -static const char rcsid[] = "$Id: gen.c,v 1.4 2004/03/09 06:30:00 marka Exp $"; +static const char rcsid[] = "$Id: gen.c,v 1.5 2004/03/18 02:57:58 marka Exp $"; #endif /* @@ -175,7 +175,7 @@ gen_res_get(struct irs_acc *this) { gen_res_set(this, res, free); } - if (((irs->res->options & RES_INIT) == 0) && res_ninit(irs->res) < 0) + if (((irs->res->options & RES_INIT) == 0U) && res_ninit(irs->res) < 0) return (NULL); return (irs->res); diff --git a/lib/bind/irs/gen_ho.c b/lib/bind/irs/gen_ho.c index 521409dbc8..e2b76a8a80 100644 --- a/lib/bind/irs/gen_ho.c +++ b/lib/bind/irs/gen_ho.c @@ -16,7 +16,7 @@ */ #if defined(LIBC_SCCS) && !defined(lint) -static const char rcsid[] = "$Id: gen_ho.c,v 1.2 2004/03/09 06:30:00 marka Exp $"; +static const char rcsid[] = "$Id: gen_ho.c,v 1.3 2004/03/18 02:57:58 marka Exp $"; #endif /* LIBC_SCCS and not lint */ /* Imports */ @@ -383,7 +383,7 @@ init(struct irs_ho *this) { if (!pvt->res && !ho_res_get(this)) return (-1); - if (((pvt->res->options & RES_INIT) == 0) && + if (((pvt->res->options & RES_INIT) == 0U) && (res_ninit(pvt->res) == -1)) return (-1); diff --git a/lib/bind/irs/gen_nw.c b/lib/bind/irs/gen_nw.c index 3846f0fd51..10567e370b 100644 --- a/lib/bind/irs/gen_nw.c +++ b/lib/bind/irs/gen_nw.c 
@@ -16,7 +16,7 @@ */ #if !defined(LINT) && !defined(CODECENTER) -static const char rcsid[] = "$Id: gen_nw.c,v 1.2 2004/03/09 06:30:00 marka Exp $"; +static const char rcsid[] = "$Id: gen_nw.c,v 1.3 2004/03/18 02:57:58 marka Exp $"; #endif /* Imports */ @@ -255,7 +255,7 @@ init(struct irs_nw *this) { if (!pvt->res && !nw_res_get(this)) return (-1); - if (((pvt->res->options & RES_INIT) == 0) && + if (((pvt->res->options & RES_INIT) == 0U) && res_ninit(pvt->res) == -1) return (-1); return (0); diff --git a/lib/bind/irs/gethostent.c b/lib/bind/irs/gethostent.c index bf02a2e94c..59343e25c6 100644 --- a/lib/bind/irs/gethostent.c +++ b/lib/bind/irs/gethostent.c @@ -16,7 +16,7 @@ */ #if !defined(LINT) && !defined(CODECENTER) -static const char rcsid[] = "$Id: gethostent.c,v 1.5 2004/03/09 06:30:01 marka Exp $"; +static const char rcsid[] = "$Id: gethostent.c,v 1.6 2004/03/18 02:57:59 marka Exp $"; #endif /* Imports */ @@ -187,7 +187,7 @@ gethostent_p(struct net_data *net_data) { return (NULL); while ((hp = (*ho->next)(ho)) != NULL && hp->h_addrtype == AF_INET6 && - (net_data->res->options & RES_USE_INET6) == 0) + (net_data->res->options & RES_USE_INET6) == 0U) continue; net_data->ho_last = hp; return (net_data->ho_last); @@ -356,13 +356,13 @@ getipnodebyaddr(const void *src, size_t len, int af, int *error_num) { switch (af) { case AF_INET: - if (len != INADDRSZ) { + if (len != (size_t)INADDRSZ) { *error_num = NO_RECOVERY; return (NULL); } break; case AF_INET6: - if (len != IN6ADDRSZ) { + if (len != (size_t)IN6ADDRSZ) { *error_num = NO_RECOVERY; return (NULL); } @@ -1007,7 +1007,7 @@ fakeaddr(const char *name, int af, struct net_data *net_data) { } strncpy(pvt->name, name, NS_MAXDNAME); pvt->name[NS_MAXDNAME] = '\0'; - if (af == AF_INET && (net_data->res->options & RES_USE_INET6) != 0) { + if (af == AF_INET && (net_data->res->options & RES_USE_INET6) != 0U) { map_v4v6_address(pvt->addr, pvt->addr); af = AF_INET6; } 
diff --git a/lib/bind/irs/getnameinfo.c b/lib/bind/irs/getnameinfo.c index 702b932bf3..dd8c14b46b 100644 --- a/lib/bind/irs/getnameinfo.c +++ b/lib/bind/irs/getnameinfo.c @@ -132,7 +132,7 @@ getnameinfo(sa, salen, host, hostlen, serv, servlen, flags) port = ((const struct sockinet *)sa)->si_port; /* network byte order */ addr = (const char *)sa + afd->a_off; - if (serv == NULL || servlen == 0) { + if (serv == NULL || servlen == 0U) { /* * rfc2553bis says that serv == NULL or servlen == 0 means that * the caller does not want the result. @@ -177,7 +177,7 @@ getnameinfo(sa, salen, host, hostlen, serv, servlen, flags) } break; } - if (host == NULL || hostlen == 0) { + if (host == NULL || hostlen == 0U) { /* * rfc2553bis says that host == NULL or hostlen == 0 means that * the caller does not want the result. @@ -283,7 +283,7 @@ ip6_sa2str(const struct sockaddr_in6 *sa6, char *buf, #ifdef NI_NUMERICSCOPE if (flags & NI_NUMERICSCOPE) { sprintf(tmp, "%u", sa6->sin6_scope_id); - if (bufsiz != 0) { + if (bufsiz != 0U) { strncpy(buf, tmp, bufsiz - 1); buf[bufsiz - 1] = '\0'; } @@ -313,7 +313,7 @@ ip6_sa2str(const struct sockaddr_in6 *sa6, char *buf, /* last resort */ sprintf(tmp, "%u", sa6->sin6_scope_id); - if (bufsiz != 0) { + if (bufsiz != 0U) { strncpy(buf, tmp, bufsiz - 1); buf[bufsiz - 1] = '\0'; } diff --git a/lib/bind/irs/getnetent.c b/lib/bind/irs/getnetent.c index 3b024baba2..1926dabf97 100644 --- a/lib/bind/irs/getnetent.c +++ b/lib/bind/irs/getnetent.c @@ -16,7 +16,7 @@ */ #if !defined(LINT) && !defined(CODECENTER) -static const char rcsid[] = "$Id: getnetent.c,v 1.5 2004/03/09 06:30:01 marka Exp $"; +static const char rcsid[] = "$Id: getnetent.c,v 1.6 2004/03/18 02:57:59 marka Exp $"; #endif /* Imports */ 
@@ -156,13 +156,13 @@ getnetbyaddr_p(unsigned long net, int type, struct net_data *net_data) { return (net_data->nw_last); /* cannonize net(host order) */ - if (net < 256) { + if (net < 256UL) { net <<= 24; bits = 8; - } else if (net < 65536) { + } else if (net < 65536UL) { net <<= 16; bits = 16; - } else if (net < 16777216) { + } else if (net < 16777216UL) { net <<= 8; bits = 24; } else diff --git a/lib/bind/irs/hesiod.c b/lib/bind/irs/hesiod.c index 8d1d584c55..714a48dd3a 100644 --- a/lib/bind/irs/hesiod.c +++ b/lib/bind/irs/hesiod.c @@ -1,5 +1,5 @@ #if defined(LIBC_SCCS) && !defined(lint) -static const char rcsid[] = "$Id: hesiod.c,v 1.3 2004/03/09 06:30:02 marka Exp $"; +static const char rcsid[] = "$Id: hesiod.c,v 1.4 2004/03/18 02:57:59 marka Exp $"; #endif /* @@ -516,7 +516,7 @@ init(struct hesiod_p *ctx) { if (!ctx->res && !__hesiod_res_get(ctx)) return (-1); - if (((ctx->res->options & RES_INIT) == 0) && + if (((ctx->res->options & RES_INIT) == 0U) && (res_ninit(ctx->res) == -1)) return (-1); diff --git a/lib/bind/irs/irp.c b/lib/bind/irs/irp.c index 07ab29d98f..b85e349680 100644 --- a/lib/bind/irs/irp.c +++ b/lib/bind/irs/irp.c @@ -16,7 +16,7 @@ */ #if !defined(LINT) && !defined(CODECENTER) -static const char rcsid[] = "$Id: irp.c,v 1.5 2004/03/09 06:30:03 marka Exp $"; +static const char rcsid[] = "$Id: irp.c,v 1.6 2004/03/18 02:57:59 marka Exp $"; #endif /* Imports */ @@ -387,7 +387,7 @@ irs_irp_read_response(struct irp_p *pvt, char *text, size_t textlen) { if (sscanf(line, "%d", &code) != 1) { code = 0; - } else if (text != NULL && textlen > 0) { + } else if (text != NULL && textlen > 0U) { p = line; while (isspace((unsigned char)*p)) p++; while (isdigit((unsigned char)*p)) p++; diff --git a/lib/bind/irs/irpmarshall.c b/lib/bind/irs/irpmarshall.c index a9df594475..a86c394f55 100644 --- a/lib/bind/irs/irpmarshall.c +++ b/lib/bind/irs/irpmarshall.c 
@@ -49,7 +49,7 @@ */ #if defined(LIBC_SCCS) && !defined(lint) -static const char rcsid[] = "$Id: irpmarshall.c,v 1.4 2004/03/09 06:30:03 marka Exp $"; +static const char rcsid[] = "$Id: irpmarshall.c,v 1.5 2004/03/18 02:57:59 marka Exp $"; #endif /* LIBC_SCCS and not lint */ #if 0 @@ -508,7 +508,7 @@ irp_unmarshall_gr(struct group *gr, char *buffer) { /* gr_name field */ name = NULL; - if (getfield(&name, 0, &p, fieldsep) == NULL || strlen(name) == 0) { + if (getfield(&name, 0, &p, fieldsep) == NULL || strlen(name) == 0U) { goto error; } @@ -523,7 +523,7 @@ irp_unmarshall_gr(struct group *gr, char *buffer) { /* gr_gid field */ tb = tmpbuf; if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL || - strlen(tb) == 0) { + strlen(tb) == 0U) { goto error; } t = strtol(tmpbuf, &tb, 10); @@ -679,7 +679,7 @@ irp_unmarshall_sv(struct servent *sv, char *buffer) { /* s_name field */ name = NULL; - if (getfield(&name, 0, &p, fieldsep) == NULL || strlen(name) == 0) { + if (getfield(&name, 0, &p, fieldsep) == NULL || strlen(name) == 0U) { goto error; } @@ -700,7 +700,7 @@ irp_unmarshall_sv(struct servent *sv, char *buffer) { /* s_port field */ tb = tmpbuf; if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL || - strlen(tb) == 0) { + strlen(tb) == 0U) { goto error; } t = strtol(tmpbuf, &tb, 10); @@ -837,7 +837,7 @@ int irp_unmarshall_pr(struct protoent *pr, char *buffer) { /* p_name field */ name = NULL; - if (getfield(&name, 0, &p, fieldsep) == NULL || strlen(name) == 0) { + if (getfield(&name, 0, &p, fieldsep) == NULL || strlen(name) == 0U) { goto error; } @@ -858,7 +858,7 @@ int irp_unmarshall_pr(struct protoent *pr, char *buffer) { /* p_proto field */ tb = tmpbuf; if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL || - strlen(tb) == 0) { + strlen(tb) == 0U) { goto error; } t = strtol(tmpbuf, &tb, 10); 
@@ -1040,7 +1040,7 @@ irp_unmarshall_ho(struct hostent *ho, char *buffer) { /* h_name field */ name = NULL; - if (getfield(&name, 0, &p, fieldsep) == NULL || strlen(name) == 0) { + if (getfield(&name, 0, &p, fieldsep) == NULL || strlen(name) == 0U) { goto error; } @@ -1061,7 +1061,7 @@ irp_unmarshall_ho(struct hostent *ho, char *buffer) { /* h_addrtype field */ tb = tmpbuf; if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL || - strlen(tb) == 0) { + strlen(tb) == 0U) { goto error; } if (strcmp(tmpbuf, "AF_INET") == 0) @@ -1075,7 +1075,7 @@ irp_unmarshall_ho(struct hostent *ho, char *buffer) { /* h_length field */ tb = tmpbuf; if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL || - strlen(tb) == 0) { + strlen(tb) == 0U) { goto error; } t = strtol(tmpbuf, &tb, 10); @@ -1428,7 +1428,7 @@ irp_unmarshall_nw(struct nwent *ne, char *buffer) { /* n_name field */ name = NULL; - if (getfield(&name, 0, &p, fieldsep) == NULL || strlen(name) == 0) { + if (getfield(&name, 0, &p, fieldsep) == NULL || strlen(name) == 0U) { goto error; } @@ -1449,7 +1449,7 @@ irp_unmarshall_nw(struct nwent *ne, char *buffer) { /* h_addrtype field */ tb = tmpbuf; if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL || - strlen(tb) == 0) { + strlen(tb) == 0U) { goto error; } if (strcmp(tmpbuf, "AF_INET") == 0) @@ -1463,7 +1463,7 @@ irp_unmarshall_nw(struct nwent *ne, char *buffer) { /* n_net field */ tb = tmpbuf; if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL || - strlen(tb) == 0) { + strlen(tb) == 0U) { goto error; } nnet = 0; @@ -1605,7 +1605,7 @@ irp_unmarshall_ne(struct netent *ne, char *buffer) { /* n_name field */ name = NULL; - if (getfield(&name, 0, &p, fieldsep) == NULL || strlen(name) == 0) { + if (getfield(&name, 0, &p, fieldsep) == NULL || strlen(name) == 0U) { goto error; } 
@@ -1626,7 +1626,7 @@ irp_unmarshall_ne(struct netent *ne, char *buffer) { /* h_addrtype field */ tb = tmpbuf; if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL || - strlen(tb) == 0) { + strlen(tb) == 0U) { goto error; } if (strcmp(tmpbuf, "AF_INET") == 0) @@ -1640,7 +1640,7 @@ irp_unmarshall_ne(struct netent *ne, char *buffer) { /* n_net field */ tb = tmpbuf; if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL || - strlen(tb) == 0) { + strlen(tb) == 0U) { goto error; } bits = inet_net_pton(naddrtype, tmpbuf, &nnet, sizeof nnet); @@ -1961,12 +1961,12 @@ strcmp_nws(const char *a, const char *b) { static void free_array(char **argv, size_t entries) { char **p = argv; - int useEntries = (entries > 0); + int useEntries = (entries > 0U); if (argv == NULL) return; - while ((useEntries && entries > 0) || *p) { + while ((useEntries && entries > 0U) || *p) { if (*p) free(*p); p++; diff --git a/lib/bind/irs/irs_data.c b/lib/bind/irs/irs_data.c index 4f11fad6c0..9b33369550 100644 --- a/lib/bind/irs/irs_data.c +++ b/lib/bind/irs/irs_data.c @@ -16,7 +16,7 @@ */ #if !defined(LINT) && !defined(CODECENTER) -static const char rcsid[] = "$Id: irs_data.c,v 1.6 2004/03/09 06:30:03 marka Exp $"; +static const char rcsid[] = "$Id: irs_data.c,v 1.7 2004/03/18 02:57:59 marka Exp $"; #endif #include "port_before.h" @@ -169,7 +169,7 @@ net_data_create(const char *conf_file) { return (NULL); } - if ((net_data->res->options & RES_INIT) == 0 && + if ((net_data->res->options & RES_INIT) == 0U && res_ninit(net_data->res) == -1) { (*net_data->irs->close)(net_data->irs); memput(net_data, sizeof (struct net_data)); diff --git a/lib/bind/irs/lcl.c b/lib/bind/irs/lcl.c index 180292382b..1de99915f0 100644 --- a/lib/bind/irs/lcl.c +++ b/lib/bind/irs/lcl.c 
@@ -16,7 +16,7 @@ */ #if !defined(LINT) && !defined(CODECENTER) -static const char rcsid[] = "$Id: lcl.c,v 1.2 2004/03/09 06:30:03 marka Exp $"; +static const char rcsid[] = "$Id: lcl.c,v 1.3 2004/03/18 02:57:59 marka Exp $"; #endif /* Imports */ @@ -106,7 +106,7 @@ lcl_res_get(struct irs_acc *this) { lcl_res_set(this, res, free); } - if ((lcl->res->options & RES_INIT) == 0 && + if ((lcl->res->options & RES_INIT) == 0U && res_ninit(lcl->res) < 0) return (NULL); diff --git a/lib/bind/irs/lcl_ho.c b/lib/bind/irs/lcl_ho.c index 0538fb442b..a311db2281 100644 --- a/lib/bind/irs/lcl_ho.c +++ b/lib/bind/irs/lcl_ho.c @@ -52,7 +52,7 @@ /* BIND Id: gethnamaddr.c,v 8.15 1996/05/22 04:56:30 vixie Exp $ */ #if defined(LIBC_SCCS) && !defined(lint) -static const char rcsid[] = "$Id: lcl_ho.c,v 1.2 2004/03/09 06:30:04 marka Exp $"; +static const char rcsid[] = "$Id: lcl_ho.c,v 1.3 2004/03/18 02:57:59 marka Exp $"; #endif /* LIBC_SCCS and not lint */ /* Imports. */ @@ -569,7 +569,7 @@ init(struct irs_ho *this) { if (!pvt->res && !ho_res_get(this)) return (-1); - if (((pvt->res->options & RES_INIT) == 0) && + if (((pvt->res->options & RES_INIT) == 0U) && res_ninit(pvt->res) == -1) return (-1); return (0); diff --git a/lib/bind/irs/lcl_nw.c b/lib/bind/irs/lcl_nw.c index e66ccc6a26..6c625b4161 100644 --- a/lib/bind/irs/lcl_nw.c +++ b/lib/bind/irs/lcl_nw.c @@ -49,7 +49,7 @@ */ #if defined(LIBC_SCCS) && !defined(lint) -static const char rcsid[] = "$Id: lcl_nw.c,v 1.2 2004/03/09 06:30:04 marka Exp $"; +static const char rcsid[] = "$Id: lcl_nw.c,v 1.3 2004/03/18 02:57:59 marka Exp $"; /* from getgrent.c 8.2 (Berkeley) 3/21/94"; */ /* from BSDI Id: getgrent.c,v 2.8 1996/05/28 18:15:14 bostic Exp $ */ #endif /* LIBC_SCCS and not lint */ @@ -364,7 +364,7 @@ init(struct irs_nw *this) { if (!pvt->res && !nw_res_get(this)) return (-1); - if (((pvt->res->options & RES_INIT) == 0) && + if (((pvt->res->options & RES_INIT) == 0U) && res_ninit(pvt->res) == -1) return (-1); return (0); 
diff --git a/lib/bind/isc/base64.c b/lib/bind/isc/base64.c index cad2e65026..9553ac8c90 100644 --- a/lib/bind/isc/base64.c +++ b/lib/bind/isc/base64.c @@ -41,7 +41,7 @@ */ #if !defined(LINT) && !defined(CODECENTER) -static const char rcsid[] = "$Id: base64.c,v 1.2 2004/03/09 06:30:06 marka Exp $"; +static const char rcsid[] = "$Id: base64.c,v 1.3 2004/03/18 02:57:59 marka Exp $"; #endif /* not lint */ #include "port_before.h" @@ -138,7 +138,7 @@ b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize) { u_char output[4]; size_t i; - while (2 < srclength) { + while (2U < srclength) { input[0] = *src++; input[1] = *src++; input[2] = *src++; @@ -162,7 +162,7 @@ b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize) { } /* Now we worry about padding. */ - if (0 != srclength) { + if (0U != srclength) { /* Get what's left. */ input[0] = input[1] = input[2] = '\0'; for (i = 0; i < srclength; i++) @@ -179,7 +179,7 @@ b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize) { return (-1); target[datalength++] = Base64[output[0]]; target[datalength++] = Base64[output[1]]; - if (srclength == 1) + if (srclength == 1U) target[datalength++] = Pad64; else target[datalength++] = Base64[output[2]]; diff --git a/lib/bind/isc/ctl_clnt.c b/lib/bind/isc/ctl_clnt.c index d0577641fe..0d26e5090a 100644 --- a/lib/bind/isc/ctl_clnt.c +++ b/lib/bind/isc/ctl_clnt.c @@ -1,5 +1,5 @@ #if !defined(lint) && !defined(SABER) -static const char rcsid[] = "$Id: ctl_clnt.c,v 1.6 2004/03/09 06:30:07 marka Exp $"; +static const char rcsid[] = "$Id: ctl_clnt.c,v 1.7 2004/03/18 02:58:00 marka Exp $"; #endif /* not lint */ /* @@ -234,7 +234,7 @@ ctl_command(struct ctl_cctx *ctx, const char *cmd, size_t len, default: abort(); } - if (len >= MAX_LINELEN) { + if (len >= (size_t)MAX_LINELEN) { errno = EMSGSIZE; return (-1); } 
@@ -528,7 +528,7 @@ readable(evContext ev, void *uap, int fd, int evmask) { (*tran->donefunc)(ctx, tran->uap, ctx->inbuf.text, (done ? 0 : CTL_MORE)); ctx->inbuf.used -= ((eos - ctx->inbuf.text) + 1); - if (ctx->inbuf.used == 0) + if (ctx->inbuf.used == 0U) ctl_bufput(&ctx->inbuf); else memmove(ctx->inbuf.text, eos + 1, ctx->inbuf.used); @@ -543,7 +543,7 @@ readable(evContext ev, void *uap, int fd, int evmask) { goto again; return; } - if (ctx->inbuf.used == MAX_LINELEN) { + if (ctx->inbuf.used == (size_t)MAX_LINELEN) { (*ctx->logger)(ctl_error, "%s: line too long (%-10s...)", me, ctx->inbuf.text); error(ctx); diff --git a/lib/bind/isc/ctl_p.c b/lib/bind/isc/ctl_p.c index 888c5a0aac..2604475615 100644 --- a/lib/bind/isc/ctl_p.c +++ b/lib/bind/isc/ctl_p.c @@ -1,5 +1,5 @@ #if !defined(lint) && !defined(SABER) -static const char rcsid[] = "$Id: ctl_p.c,v 1.2 2004/03/09 06:30:07 marka Exp $"; +static const char rcsid[] = "$Id: ctl_p.c,v 1.3 2004/03/18 02:58:00 marka Exp $"; #endif /* not lint */ /* @@ -78,7 +78,7 @@ int ctl_bufget(struct ctl_buf *buf, ctl_logfunc logger) { static const char me[] = "ctl_bufget"; - REQUIRE(!allocated_p(*buf) && buf->used == 0); + REQUIRE(!allocated_p(*buf) && buf->used == 0U); buf->text = memget(MAX_LINELEN); if (!allocated_p(*buf)) { (*logger)(ctl_error, "%s: getmem: %s", me, strerror(errno)); diff --git a/lib/bind/isc/ctl_srvr.c b/lib/bind/isc/ctl_srvr.c index 516db7108d..4c3934fcd5 100644 --- a/lib/bind/isc/ctl_srvr.c +++ b/lib/bind/isc/ctl_srvr.c @@ -1,5 +1,5 @@ #if !defined(lint) && !defined(SABER) -static const char rcsid[] = "$Id: ctl_srvr.c,v 1.5 2004/03/09 06:30:07 marka Exp $"; +static const char rcsid[] = "$Id: ctl_srvr.c,v 1.6 2004/03/18 02:58:00 marka Exp $"; #endif /* not lint */ /* 
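Review bot: In the `line too long` branch of `readable` the new `(size_t)MAX_LINELEN` comparison is fine, but the logger call on the next line prints `ctx->inbuf.text` with `%-10s`, which is a minimum field width and not a length limit; `ctl_bufget` in ctl_p.c (same commit) allocates the buffer with `memget(MAX_LINELEN)`, so when `inbuf.used == MAX_LINELEN` there may be no room for a terminator and the format read runs past the buffer. Using the precision form, `"%s: line too long (%.10s...)"`, bounds the read to ten bytes regardless. Whether the buffer is NUL-terminated at that point depends on the fill code outside the hunk — worth confirming either way.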
@@ -321,7 +321,7 @@ ctl_response(struct ctl_sess *sess, u_int code, const char *text, me, address_expr); goto untimely; } - if (sizeof "000-\r\n" + strlen(text) > MAX_LINELEN) { + if (sizeof "000-\r\n" + strlen(text) > (size_t)MAX_LINELEN) { (*ctx->logger)(ctl_error, "%s: %s: output buffer ovf, closing", me, address_expr); goto untimely; @@ -604,13 +604,13 @@ ctl_readable(evContext lev, void *uap, int fd, int evmask) { ctl_docommand(sess); } sess->inbuf.used -= ((eos - sess->inbuf.text) + 1); - if (sess->inbuf.used == 0) + if (sess->inbuf.used == 0U) ctl_bufput(&sess->inbuf); else memmove(sess->inbuf.text, eos + 1, sess->inbuf.used); return; } - if (sess->inbuf.used == MAX_LINELEN) { + if (sess->inbuf.used == (size_t)MAX_LINELEN) { (*ctx->logger)(ctl_error, "%s: %s: line too long, closing", me, address_expr); ctl_close(sess); diff --git a/lib/bind/isc/ev_streams.c b/lib/bind/isc/ev_streams.c index 48294140fb..87506350c5 100644 --- a/lib/bind/isc/ev_streams.c +++ b/lib/bind/isc/ev_streams.c @@ -20,7 +20,7 @@ */ #if !defined(LINT) && !defined(CODECENTER) -static const char rcsid[] = "$Id: ev_streams.c,v 1.3 2004/03/09 06:30:07 marka Exp $"; +static const char rcsid[] = "$Id: ev_streams.c,v 1.4 2004/03/18 02:58:00 marka Exp $"; #endif #include "port_before.h" @@ -221,7 +221,7 @@ copyvec(evStream *str, const struct iovec *iov, int iocnt) { /* Pull off or truncate lead iovec(s). */ static void consume(evStream *str, size_t bytes) { - while (bytes > 0) { + while (bytes > 0U) { if (bytes < (size_t)str->iovCur->iov_len) { str->iovCur->iov_len -= bytes; str->iovCur->iov_base = (void *) diff --git a/lib/bind/isc/ev_timers.c b/lib/bind/isc/ev_timers.c index 6f22501372..16dbc06468 100644 --- a/lib/bind/isc/ev_timers.c +++ b/lib/bind/isc/ev_timers.c 
@@ -20,7 +20,7 @@ */ #if !defined(LINT) && !defined(CODECENTER) -static const char rcsid[] = "$Id: ev_timers.c,v 1.4 2004/03/09 06:30:07 marka Exp $"; +static const char rcsid[] = "$Id: ev_timers.c,v 1.5 2004/03/18 02:58:00 marka Exp $"; #endif /* Import. */ @@ -180,14 +180,25 @@ evSetTimer(evContext opaqueCtx, (long)due.tv_sec, due.tv_nsec, (long)inter.tv_sec, inter.tv_nsec); - if (due.tv_sec < 0 || due.tv_nsec < 0) +#ifdef __hpux + /* + * tv_sec and tv_nsec are unsigned. + */ + if (due.tv_nsec >= BILLION) EV_ERR(EINVAL); - if (inter.tv_sec < 0 || inter.tv_nsec < 0) + if (inter.tv_nsec >= BILLION) EV_ERR(EINVAL); +#else + if (due.tv_sec < 0 || due.tv_nsec < 0 || due.tv_nsec >= BILLION) + EV_ERR(EINVAL); + + if (inter.tv_sec < 0 || inter.tv_nsec < 0 || inter.tv_nsec >= BILLION) + EV_ERR(EINVAL); +#endif /* due={0,0} is a magic cookie meaning "now." */ - if (due.tv_sec == 0 && due.tv_nsec == 0L) + if (due.tv_sec == (time_t)0 && due.tv_nsec == 0L) due = evNowTime(); /* Allocate and fill. */ @@ -254,6 +265,8 @@ evConfigTimer(evContext opaqueCtx, evTimer *timer = id.opaque; int result=0; + UNUSED(value); + if (heap_element(ctx->timers, timer->index) != timer) EV_ERR(ENOENT); @@ -283,11 +296,22 @@ evResetTimer(evContext opaqueCtx, if (heap_element(ctx->timers, timer->index) != timer) EV_ERR(ENOENT); - if (due.tv_sec < 0 || due.tv_nsec < 0) +#ifdef __hpux + /* + * tv_sec and tv_nsec are unsigned. + */ + if (due.tv_nsec >= BILLION) EV_ERR(EINVAL); - if (inter.tv_sec < 0 || inter.tv_nsec < 0) + if (inter.tv_nsec >= BILLION) EV_ERR(EINVAL); +#else + if (due.tv_sec < 0 || due.tv_nsec < 0 || due.tv_nsec >= BILLION) + EV_ERR(EINVAL); + + if (inter.tv_sec < 0 || inter.tv_nsec < 0 || inter.tv_nsec >= BILLION) + EV_ERR(EINVAL); +#endif old_due = timer->due; diff --git a/lib/bind/isc/eventlib.c b/lib/bind/isc/eventlib.c index e2366f9956..6a6ae959d8 100644 --- a/lib/bind/isc/eventlib.c +++ b/lib/bind/isc/eventlib.c 
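Review bot: The new timespec validation block (the `#ifdef __hpux` … `#endif` run with the `BILLION` bounds) is duplicated verbatim in `evSetTimer` and `evResetTimer`; a single static helper returning non-zero for a valid `due`/`inter` pair, or a macro next to `EV_ERR`, would keep the two in step the next time a bound changes. Keying the unsigned-field variant on `__hpux` also hides the property actually being tested — whether `tv_sec`/`tv_nsec` are unsigned on this platform — so a comment such as `/* HP-UX declares tv_sec/tv_nsec unsigned; negative checks would be vacuous */` or a configure-time define would be clearer than the vendor macro. The `UNUSED(value);` added to `evConfigTimer` is fine. Both enclosing functions start outside their hunks.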
@@ -20,7 +20,7 @@ */ #if !defined(LINT) && !defined(CODECENTER) -static const char rcsid[] = "$Id: eventlib.c,v 1.4 2004/03/09 06:30:07 marka Exp $"; +static const char rcsid[] = "$Id: eventlib.c,v 1.5 2004/03/18 02:58:00 marka Exp $"; #endif #include "port_before.h" @@ -590,7 +590,8 @@ evDrop(evContext opaqueCtx, evEvent opaqueEv) { * Timer is still there. Delete it if it has expired, * otherwise set it according to its next interval. */ - if (this->inter.tv_sec == 0 && this->inter.tv_nsec == 0L) { + if (this->inter.tv_sec == (time_t)0 && + this->inter.tv_nsec == 0L) { opaque.opaque = this; (void) evClearTimer(opaqueCtx, opaque); } else { diff --git a/lib/bind/isc/hex.c b/lib/bind/isc/hex.c index 3901d4ced5..c177ca0fa3 100644 --- a/lib/bind/isc/hex.c +++ b/lib/bind/isc/hex.c @@ -63,7 +63,7 @@ isc_gethexstring(unsigned char *buf, size_t len, int count, FILE *fp, goto formerr; x = (x<<4) | (s - hex); if (++n == 2) { - if (len > 0) { + if (len > 0U) { *buf++ = x; len--; } else @@ -86,11 +86,11 @@ isc_puthexstring(FILE *fp, const unsigned char *buf, size_t buflen, { size_t i = 0; - if (len1 < 4) + if (len1 < 4U) len1 = 4; - if (len2 < 4) + if (len2 < 4U) len2 = 4; - while (buflen > 0) { + while (buflen > 0U) { fputc(hex[(buf[0]>>4)&0xf], fp); fputc(hex[buf[0]&0xf], fp); i += 2; @@ -106,7 +106,7 @@ isc_puthexstring(FILE *fp, const unsigned char *buf, size_t buflen, void isc_tohex(const unsigned char *buf, size_t buflen, char *t) { - while (buflen > 0) { + while (buflen > 0U) { *t++ = hex[(buf[0]>>4)&0xf]; *t++ = hex[buf[0]&0xf]; buf++; diff --git a/lib/bind/isc/logging.c b/lib/bind/isc/logging.c index 93e9a4d10c..e27f01d8cb 100644 --- a/lib/bind/isc/logging.c +++ b/lib/bind/isc/logging.c @@ -16,7 +16,7 @@ */ #if !defined(LINT) && !defined(CODECENTER) -static const char rcsid[] = "$Id: logging.c,v 1.5 2004/03/09 06:30:08 marka Exp $"; +static const char rcsid[] = "$Id: logging.c,v 1.6 2004/03/18 02:58:00 marka Exp $"; #endif /* not lint */ #include "port_before.h" 
@@ -75,7 +75,7 @@ version_rename(log_channel chan) { /* * Need to have room for '.nn' (XXX assumes LOG_MAX_VERSIONS < 100) */ - if (strlen(chan->out.file.name) > (PATH_MAX-3)) + if (strlen(chan->out.file.name) > (size_t)(PATH_MAX-3)) return; for (ver--; ver > 0; ver--) { sprintf(old_name, "%s.%d", chan->out.file.name, ver-1); @@ -364,7 +364,7 @@ log_vwrite(log_context lc, int category, int level, const char *format, if (!did_vsprintf) { if (VSPRINTF((lc->buffer, format, args)) > - LOG_BUFFER_SIZE) { + (size_t)LOG_BUFFER_SIZE) { syslog(LOG_CRIT, "memory overrun in log_vwrite()"); exit(1); diff --git a/lib/bind/isc/memcluster.c b/lib/bind/isc/memcluster.c index e5d0d3ee6e..aa210dd06d 100644 --- a/lib/bind/isc/memcluster.c +++ b/lib/bind/isc/memcluster.c @@ -24,7 +24,7 @@ #if !defined(LINT) && !defined(CODECENTER) -static const char rcsid[] = "$Id: memcluster.c,v 1.4 2004/03/09 06:30:08 marka Exp $"; +static const char rcsid[] = "$Id: memcluster.c,v 1.5 2004/03/18 02:58:00 marka Exp $"; #endif /* not lint */ #include "port_before.h" @@ -124,11 +124,11 @@ meminit(size_t init_max_size, size_t target_size) { errno = EEXIST; return (-1); } - if (init_max_size == 0) + if (init_max_size == 0U) max_size = DEF_MAX_SIZE; else max_size = init_max_size; - if (target_size == 0) + if (target_size == 0U) mem_target = DEF_MEM_TARGET; else mem_target = target_size; @@ -180,7 +180,7 @@ __memget_record(size_t size, const char *file, int line) { if (freelists == NULL) if (meminit(0, 0) == -1) return (NULL); - if (size == 0) { + if (size == 0U) { errno = EINVAL; return (NULL); } @@ -354,7 +354,7 @@ __memput_record(void *mem, size_t size, const char *file, int line) { REQUIRE(freelists != NULL); - if (size == 0) { + if (size == 0U) { errno = EINVAL; return; } @@ -396,7 +396,7 @@ __memput_record(void *mem, size_t size, const char *file, int line) { free(mem); #endif - INSIST(stats[max_size].gets != 0); + INSIST(stats[max_size].gets != 0U); stats[max_size].gets--; return; } 
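Review bot: The size test in log_vwrite runs after `VSPRINTF((lc->buffer, format, args))` has already written into `lc->buffer`, so when the comparison against `(size_t)LOG_BUFFER_SIZE` fails the overrun has already occurred and the `syslog`/`exit(1)` only reports it. VSPRINTF is defined outside the hunk; if it wraps `vsprintf`, the bounded form `vsnprintf(lc->buffer, LOG_BUFFER_SIZE, format, args)` with the same return-value check turns detection into prevention where the platform provides it. The `sprintf(old_name, "%s.%d", chan->out.file.name, ver-1)` in version_rename's hunk above relies on the same after-the-fact reasoning through the `PATH_MAX-3` guard; if `old_name` is a fixed array, `snprintf(old_name, sizeof(old_name), ...)` would make that bound explicit. Both enclosing functions continue outside their hunks.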
@@ -433,7 +433,7 @@ __memput_record(void *mem, size_t size, const char *file, int line) { * max. size (max_size) ends up getting recorded as a call to * max_size. */ - INSIST(stats[size].gets != 0); + INSIST(stats[size].gets != 0U); stats[size].gets--; stats[new_size].freefrags++; } @@ -469,12 +469,12 @@ memstats(FILE *out) { for (i = 1; i <= max_size; i++) { const struct stats *s = &stats[i]; - if (s->totalgets == 0 && s->gets == 0) + if (s->totalgets == 0U && s->gets == 0U) continue; fprintf(out, "%s%5d: %11lu gets, %11lu rem", (i == max_size) ? ">=" : " ", i, s->totalgets, s->gets); - if (s->blocks != 0) + if (s->blocks != 0U) fprintf(out, " (%lu bl, %lu ff)", s->blocks, s->freefrags); fputc('\n', out); @@ -501,7 +501,7 @@ memactive(void) { if (stats == NULL) return (0); for (i = 1; i <= max_size; i++) - if (stats[i].gets != 0) + if (stats[i].gets != 0U) return (1); return (0); } diff --git a/lib/bind/nameser/ns_date.c b/lib/bind/nameser/ns_date.c index c8f10c8508..fa301d7b13 100644 --- a/lib/bind/nameser/ns_date.c +++ b/lib/bind/nameser/ns_date.c @@ -16,7 +16,7 @@ */ #ifndef lint -static const char rcsid[] = "$Id: ns_date.c,v 1.4 2004/03/09 06:30:09 marka Exp $"; +static const char rcsid[] = "$Id: ns_date.c,v 1.5 2004/03/18 02:58:01 marka Exp $"; #endif /* Import. */ @@ -57,7 +57,7 @@ ns_datetosecs(const char *cp, int *errp) { static const int days_per_month[12] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31}; - if (strlen(cp) != 14) { + if (strlen(cp) != 14U) { *errp = 1; return (0); } diff --git a/lib/bind/nameser/ns_print.c b/lib/bind/nameser/ns_print.c index ef9ec79c40..aea847daba 100644 --- a/lib/bind/nameser/ns_print.c +++ b/lib/bind/nameser/ns_print.c @@ -16,7 +16,7 @@ */ #ifndef lint -static const char rcsid[] = "$Id: ns_print.c,v 1.5 2004/03/09 06:30:09 marka Exp $"; +static const char rcsid[] = "$Id: ns_print.c,v 1.6 2004/03/18 02:58:01 marka Exp $"; #endif /* Import. */ 
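Review bot: In memstats the loop index `i` is printed with `%5d` in `fprintf(out, "%s%5d: %11lu gets, %11lu rem", ...)`, yet it is compared against `max_size`, which the `0U` changes in this hunk and in `__memput_record` treat as unsigned; if `i` is a `size_t` the conversion does not match the argument and the output is undefined on LP64 targets. Passing `(unsigned long)i` with `%5lu` keeps the printed form identical and is well defined. The same question applies to `s->totalgets` and `s->gets` under `%11lu` if their type is not `unsigned long`; their declarations, and the start of memstats, are outside the hunk.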
@@ -145,7 +145,7 @@ ns_sprintrrf(const u_char *msg, size_t msglen, addlen(x, &buf, &buflen); len = SPRINTF((tmp, " %s %s", p_class(class), p_type(type))); T(addstr(tmp, len, &buf, &buflen)); - if (rdlen == 0) + if (rdlen == 0U) return (buf - obuf); T(spaced = addtab(x + len, 16, spaced, &buf, &buflen)); @@ -154,7 +154,7 @@ ns_sprintrrf(const u_char *msg, size_t msglen, */ switch (type) { case ns_t_a: - if (rdlen != NS_INADDRSZ) + if (rdlen != (size_t)NS_INADDRSZ) goto formerr; (void) inet_ntop(AF_INET, rdata, buf, buflen); addlen(strlen(buf), &buf, &buflen); @@ -258,7 +258,7 @@ ns_sprintrrf(const u_char *msg, size_t msglen, case ns_t_rt: { u_int t; - if (rdlen < NS_INT16SZ) + if (rdlen < (size_t)NS_INT16SZ) goto formerr; /* Priority. */ @@ -276,7 +276,7 @@ ns_sprintrrf(const u_char *msg, size_t msglen, case ns_t_px: { u_int t; - if (rdlen < NS_INT16SZ) + if (rdlen < (size_t)NS_INT16SZ) goto formerr; /* Priority. */ @@ -322,7 +322,7 @@ ns_sprintrrf(const u_char *msg, size_t msglen, } case ns_t_aaaa: - if (rdlen != NS_IN6ADDRSZ) + if (rdlen != (size_t)NS_IN6ADDRSZ) goto formerr; (void) inet_ntop(AF_INET6, rdata, buf, buflen); addlen(strlen(buf), &buf, &buflen); @@ -341,7 +341,7 @@ ns_sprintrrf(const u_char *msg, size_t msglen, u_int order, preference; char t[50]; - if (rdlen < 2*NS_INT16SZ) + if (rdlen < 2U*NS_INT16SZ) goto formerr; /* Order, Precedence. */ @@ -382,7 +382,7 @@ ns_sprintrrf(const u_char *msg, size_t msglen, u_int priority, weight, port; char t[50]; - if (rdlen < NS_INT16SZ*3) + if (rdlen < 3U*NS_INT16SZ) goto formerr; /* Priority, Weight, Port. */ @@ -411,7 +411,7 @@ ns_sprintrrf(const u_char *msg, size_t msglen, case ns_t_wks: { int n, lcnt; - if (rdlen < NS_INT32SZ + 1) + if (rdlen < 1U + NS_INT32SZ) goto formerr; /* Address. */ 
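Review bot: The new length guards in ns_sprintrrf force unsigned arithmetic through literal placement, `1U + NS_INT32SZ`, `2U*NS_INT16SZ` and `3U*NS_INT16SZ`, and the KEY hunk that follows goes further with `0U + NS_INT16SZ + NS_INT8SZ + NS_INT8SZ`; a reader has to know why the operand order changed to understand the line. The same file already uses the explicit form `(size_t)NS_INADDRSZ` and `(size_t)NS_INT16SZ` two hunks earlier, so `if (rdlen < (size_t)(NS_INT32SZ + 1))` and `if (rdlen < (size_t)(NS_INT16SZ + NS_INT8SZ + NS_INT8SZ))` would state the same intent consistently. ns_sprintrrf starts and ends outside these hunks.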
@@ -455,7 +455,7 @@ ns_sprintrrf(const u_char *msg, size_t msglen, const char *leader; int n; - if (rdlen < NS_INT16SZ + NS_INT8SZ + NS_INT8SZ) + if (rdlen < 0U + NS_INT16SZ + NS_INT8SZ + NS_INT8SZ) goto formerr; /* Key flags, Protocol, Algorithm. */ @@ -498,7 +498,7 @@ ns_sprintrrf(const u_char *msg, size_t msglen, u_long t; int n; - if (rdlen < 22) + if (rdlen < 22U) goto formerr; /* Type covered, Algorithm, Label count, Original TTL. */ @@ -662,7 +662,7 @@ ns_sprintrrf(const u_char *msg, size_t msglen, int pbyte, pbit; /* prefix length */ - if (rdlen == 0) goto formerr; + if (rdlen == 0U) goto formerr; len = SPRINTF((tmp, "%d ", *rdata)); T(addstr(tmp, len, &buf, &buflen)); pbit = *rdata; @@ -829,7 +829,7 @@ addname(const u_char *msg, size_t msglen, newlen = prune_origin(*buf, origin); if (**buf == '\0') { goto root; - } else if (newlen == 0) { + } else if (newlen == 0U) { /* Use "@" instead of name. */ if (newlen + 2 > *buflen) goto enospc; /* No room for "@\0". */ diff --git a/lib/bind/nameser/ns_samedomain.c b/lib/bind/nameser/ns_samedomain.c index 983e1645a3..0473a9b5af 100644 --- a/lib/bind/nameser/ns_samedomain.c +++ b/lib/bind/nameser/ns_samedomain.c @@ -16,7 +16,7 @@ */ #ifndef lint -static const char rcsid[] = "$Id: ns_samedomain.c,v 1.4 2004/03/09 06:30:10 marka Exp $"; +static const char rcsid[] = "$Id: ns_samedomain.c,v 1.5 2004/03/18 02:58:01 marka Exp $"; #endif #include "port_before.h" @@ -56,7 +56,7 @@ ns_samedomain(const char *a, const char *b) { lb = strlen(b); /* Ignore a trailing label separator (i.e. an unescaped dot) in 'a'. */ - if (la != 0 && a[la - 1] == '.') { + if (la != 0U && a[la - 1] == '.') { escaped = 0; /* Note this loop doesn't get executed if la==1. */ for (i = la - 2; i >= 0; i--) 
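Review bot: In ns_samedomain the loop after the new `la != 0U` test, `for (i = la - 2; i >= 0; i--)`, computes `la - 2` in unsigned arithmetic if `la` comes from `strlen` like the visible `lb = strlen(b)`; when `la == 1` that is SIZE_MAX, and the loop is skipped only because its conversion to `i` (signed, or `i >= 0` could never become false) happens to yield -1, an implementation-defined result the comment "doesn't get executed if la==1" silently relies on. An explicit guard, `if (la >= 2U)` around the loop or `i = (int)la - 2`, removes that dependence. The second hunk in this file does the same with `lb`. ns_samedomain continues outside both hunks.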
@@ -72,7 +72,7 @@ ns_samedomain(const char *a, const char *b) { } /* Ignore a trailing label separator (i.e. an unescaped dot) in 'b'. */ - if (lb != 0 && b[lb - 1] == '.') { + if (lb != 0U && b[lb - 1] == '.') { escaped = 0; /* note this loop doesn't get executed if lb==1 */ for (i = lb - 2; i >= 0; i--) @@ -88,7 +88,7 @@ ns_samedomain(const char *a, const char *b) { } /* lb == 0 means 'b' is the root domain, so 'a' must be in 'b'. */ - if (lb == 0) + if (lb == 0U) return (1); /* 'b' longer than 'a' means 'a' can't be in 'b'. */ @@ -171,9 +171,9 @@ ns_makecanon(const char *src, char *dst, size_t dstsize) { return (-1); } strcpy(dst, src); - while (n >= 1 && dst[n - 1] == '.') /* Ends in "." */ - if (n >= 2 && dst[n - 2] == '\\' && /* Ends in "\." */ - (n < 3 || dst[n - 3] != '\\')) /* But not "\\." */ + while (n >= 1U && dst[n - 1] == '.') /* Ends in "." */ + if (n >= 2U && dst[n - 2] == '\\' && /* Ends in "\." */ + (n < 3U || dst[n - 3] != '\\')) /* But not "\\." */ break; else dst[--n] = '\0'; diff --git a/lib/bind/resolv/res_data.c b/lib/bind/resolv/res_data.c index 6433f27af3..fc191fa341 100644 --- a/lib/bind/resolv/res_data.c +++ b/lib/bind/resolv/res_data.c @@ -16,7 +16,7 @@ */ #if defined(LIBC_SCCS) && !defined(lint) -static const char rcsid[] = "$Id: res_data.c,v 1.2 2004/03/09 06:30:17 marka Exp $"; +static const char rcsid[] = "$Id: res_data.c,v 1.3 2004/03/18 02:58:01 marka Exp $"; #endif /* LIBC_SCCS and not lint */ #include "port_before.h" @@ -133,7 +133,7 @@ fp_query(const u_char *msg, FILE *file) { void fp_nquery(const u_char *msg, int len, FILE *file) { - if ((_res.options & RES_INIT) == 0 && res_init() == -1) + if ((_res.options & RES_INIT) == 0U && res_init() == -1) return; res_pquery(&_res, msg, len, file); 
@@ -149,7 +149,7 @@ res_mkquery(int op, /* opcode of query */ u_char *buf, /* buffer to put query */ int buflen) /* size of buffer */ { - if ((_res.options & RES_INIT) == 0 && res_init() == -1) { + if ((_res.options & RES_INIT) == 0U && res_init() == -1) { RES_SET_H_ERRNO(&_res, NETDB_INTERNAL); return (-1); } @@ -160,7 +160,7 @@ res_mkquery(int op, /* opcode of query */ int res_mkupdate(ns_updrec *rrecp_in, u_char *buf, int buflen) { - if ((_res.options & RES_INIT) == 0 && res_init() == -1) { + if ((_res.options & RES_INIT) == 0U && res_init() == -1) { RES_SET_H_ERRNO(&_res, NETDB_INTERNAL); return (-1); } @@ -174,7 +174,7 @@ res_query(const char *name, /* domain name */ u_char *answer, /* buffer to put answer */ int anslen) /* size of answer buffer */ { - if ((_res.options & RES_INIT) == 0 && res_init() == -1) { + if ((_res.options & RES_INIT) == 0U && res_init() == -1) { RES_SET_H_ERRNO(&_res, NETDB_INTERNAL); return (-1); } @@ -198,7 +198,7 @@ res_isourserver(const struct sockaddr_in *inp) { int res_send(const u_char *buf, int buflen, u_char *ans, int anssiz) { - if ((_res.options & RES_INIT) == 0 && res_init() == -1) { + if ((_res.options & RES_INIT) == 0U && res_init() == -1) { /* errno should have been set by res_init() in this case. */ return (-1); } @@ -210,7 +210,7 @@ int res_sendsigned(const u_char *buf, int buflen, ns_tsig_key *key, u_char *ans, int anssiz) { - if ((_res.options & RES_INIT) == 0 && res_init() == -1) { + if ((_res.options & RES_INIT) == 0U && res_init() == -1) { /* errno should have been set by res_init() in this case. */ return (-1); } @@ -225,7 +225,7 @@ res_close(void) { int res_update(ns_updrec *rrecp_in) { - if ((_res.options & RES_INIT) == 0 && res_init() == -1) { + if ((_res.options & RES_INIT) == 0U && res_init() == -1) { RES_SET_H_ERRNO(&_res, NETDB_INTERNAL); return (-1); } 
@@ -239,7 +239,7 @@ res_search(const char *name, /* domain name */ u_char *answer, /* buffer to put answer */ int anslen) /* size of answer */ { - if ((_res.options & RES_INIT) == 0 && res_init() == -1) { + if ((_res.options & RES_INIT) == 0U && res_init() == -1) { RES_SET_H_ERRNO(&_res, NETDB_INTERNAL); return (-1); } @@ -254,7 +254,7 @@ res_querydomain(const char *name, u_char *answer, /* buffer to put answer */ int anslen) /* size of answer */ { - if ((_res.options & RES_INIT) == 0 && res_init() == -1) { + if ((_res.options & RES_INIT) == 0U && res_init() == -1) { RES_SET_H_ERRNO(&_res, NETDB_INTERNAL); return (-1); } diff --git a/lib/bind/resolv/res_debug.c b/lib/bind/resolv/res_debug.c index 9754abaf11..e18214f9b7 100644 --- a/lib/bind/resolv/res_debug.c +++ b/lib/bind/resolv/res_debug.c @@ -95,7 +95,7 @@ #if defined(LIBC_SCCS) && !defined(lint) static const char sccsid[] = "@(#)res_debug.c 8.1 (Berkeley) 6/4/93"; -static const char rcsid[] = "$Id: res_debug.c,v 1.9 2004/03/09 06:30:17 marka Exp $"; +static const char rcsid[] = "$Id: res_debug.c,v 1.10 2004/03/18 02:58:01 marka Exp $"; #endif /* LIBC_SCCS and not lint */ #include "port_before.h" @@ -137,7 +137,7 @@ fp_resstat(const res_state statp, FILE *file) { u_long mask; fprintf(file, ";; res options:"); - for (mask = 1; mask != 0; mask <<= 1) + for (mask = 1; mask != 0U; mask <<= 1) if (statp->options & mask) fprintf(file, " %s", p_option(mask)); putc('\n', file); @@ -672,7 +672,7 @@ p_sockun(union res_sockaddr_union u, char *buf, size_t size) { sprintf(ret, "[af%d]", u.sin.sin_family); break; } - if (size > 0) { + if (size > 0U) { strncpy(buf, ret, size - 1); buf[size - 1] = '0'; } @@ -1128,7 +1128,7 @@ res_nametoclass(const char *buf, int *successp) { goto done; errno = 0; result = strtoul(buf + 5, &endptr, 10); - if (errno == 0 && *endptr == '\0' && result <= 0xffff) + if (errno == 0 && *endptr == '\0' && result <= 0xffffU) success = 1; done: if (successp) 
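Review bot: In p_sockun the statement after the new `if (size > 0U)` guard writes `buf[size - 1] = '0';`, the digit zero rather than a NUL, so `strncpy(buf, ret, size - 1)` followed by that store leaves `buf` unterminated whenever `ret` fills the buffer, and any caller treating it as a C string may read past it. The fix is `buf[size - 1] = '\0';`. It is pre-existing rather than introduced here, but it sits in exactly the truncation path this `size_t` cleanup is touching. The hunk header places it in p_sockun, whose body otherwise lies outside the hunk.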
@@ -1151,7 +1151,7 @@ res_nametotype(const char *buf, int *successp) { goto done; errno = 0; result = strtoul(buf + 4, &endptr, 10); - if (errno == 0 && *endptr == '\0' && result <= 0xffff) + if (errno == 0 && *endptr == '\0' && result <= 0xffffU) success = 1; done: if (successp) diff --git a/lib/bind/resolv/res_findzonecut.c b/lib/bind/resolv/res_findzonecut.c index 86c39de473..dcc9f71f3d 100644 --- a/lib/bind/resolv/res_findzonecut.c +++ b/lib/bind/resolv/res_findzonecut.c @@ -1,5 +1,5 @@ #if !defined(lint) && !defined(SABER) -static const char rcsid[] = "$Id: res_findzonecut.c,v 1.6 2004/03/09 06:30:17 marka Exp $"; +static const char rcsid[] = "$Id: res_findzonecut.c,v 1.7 2004/03/18 02:58:01 marka Exp $"; #endif /* not lint */ /* @@ -90,7 +90,7 @@ static void res_dprintf(const char *, ...) ISC_FORMAT_PRINTF(1, 2); #define DPRINTF(x) do {\ int save_errno = errno; \ - if ((statp->options & RES_DEBUG) != 0) res_dprintf x; \ + if ((statp->options & RES_DEBUG) != 0U) res_dprintf x; \ errno = save_errno; \ } while (0) diff --git a/lib/bind/resolv/res_init.c b/lib/bind/resolv/res_init.c index bf492782ea..d902b9f95e 100644 --- a/lib/bind/resolv/res_init.c +++ b/lib/bind/resolv/res_init.c @@ -70,7 +70,7 @@ #if defined(LIBC_SCCS) && !defined(lint) static const char sccsid[] = "@(#)res_init.c 8.1 (Berkeley) 6/7/93"; -static const char rcsid[] = "$Id: res_init.c,v 1.15 2004/03/09 06:30:17 marka Exp $"; +static const char rcsid[] = "$Id: res_init.c,v 1.16 2004/03/18 02:58:02 marka Exp $"; #endif /* LIBC_SCCS and not lint */ #include "port_before.h" @@ -170,7 +170,7 @@ __res_vinit(res_state statp, int preinit) { statp->id = res_randomid(); } - if ((statp->options & RES_INIT) != 0) + if ((statp->options & RES_INIT) != 0U) res_ndestroy(statp); memset(u, 0, sizeof(u)); diff --git a/lib/bind/resolv/res_mkquery.c b/lib/bind/resolv/res_mkquery.c index 9d1f912506..7b7b1daa32 100644 --- a/lib/bind/resolv/res_mkquery.c +++ b/lib/bind/resolv/res_mkquery.c 
@@ -70,7 +70,7 @@ #if defined(LIBC_SCCS) && !defined(lint) static const char sccsid[] = "@(#)res_mkquery.c 8.1 (Berkeley) 6/4/93"; -static const char rcsid[] = "$Id: res_mkquery.c,v 1.4 2004/03/09 06:30:17 marka Exp $"; +static const char rcsid[] = "$Id: res_mkquery.c,v 1.5 2004/03/18 02:58:02 marka Exp $"; #endif /* LIBC_SCCS and not lint */ #include "port_before.h" @@ -125,7 +125,7 @@ res_nmkquery(res_state statp, hp = (HEADER *) buf; hp->id = htons(++statp->id); hp->opcode = op; - hp->rd = (statp->options & RES_RECURSE) != 0; + hp->rd = (statp->options & RES_RECURSE) != 0U; hp->rcode = NOERROR; cp = buf + HFIXEDSZ; ep = buf + buflen; @@ -219,7 +219,7 @@ res_nopt(res_state statp, u_int16_t flags = 0; #ifdef DEBUG - if ((statp->options & RES_DEBUG) != 0) + if ((statp->options & RES_DEBUG) != 0U) printf(";; res_nopt()\n"); #endif diff --git a/lib/bind/resolv/res_mkupdate.c b/lib/bind/resolv/res_mkupdate.c index a3fb7007b9..740e2d5400 100644 --- a/lib/bind/resolv/res_mkupdate.c +++ b/lib/bind/resolv/res_mkupdate.c @@ -21,7 +21,7 @@ */ #if !defined(lint) && !defined(SABER) -static const char rcsid[] = "$Id: res_mkupdate.c,v 1.3 2004/03/09 06:30:18 marka Exp $"; +static const char rcsid[] = "$Id: res_mkupdate.c,v 1.4 2004/03/18 02:58:02 marka Exp $"; #endif /* not lint */ #include "port_before.h" @@ -380,7 +380,7 @@ res_nmkupdate(res_state statp, ns_updrec *rrecp_in, u_char *buf, int buflen) { } break; case T_TXT: - while (1) { + for (;;) { if ((n = getstr_str(buf2, sizeof buf2, &startp, endp)) < 0) { if (cp != (sp2 + INT16SZ)) @@ -582,7 +582,7 @@ res_nmkupdate(res_state statp, ns_updrec *rrecp_in, u_char *buf, int buflen) { ShrinkBuffer(n); maxtype = 0; memset(data, 0, sizeof data); - while (1) { + for (;;) { if (!getword_str(buf2, sizeof buf2, &startp, endp)) break; diff --git a/lib/bind/resolv/res_query.c b/lib/bind/resolv/res_query.c index 5fc1b14f79..324a9f9af0 100644 --- a/lib/bind/resolv/res_query.c +++ b/lib/bind/resolv/res_query.c 
@@ -70,7 +70,7 @@ #if defined(LIBC_SCCS) && !defined(lint) static const char sccsid[] = "@(#)res_query.c 8.1 (Berkeley) 6/4/93"; -static const char rcsid[] = "$Id: res_query.c,v 1.6 2004/03/09 06:30:18 marka Exp $"; +static const char rcsid[] = "$Id: res_query.c,v 1.7 2004/03/18 02:58:02 marka Exp $"; #endif /* LIBC_SCCS and not lint */ #include "port_before.h" @@ -133,7 +133,7 @@ again: buf, sizeof(buf)); #ifdef RES_USE_EDNS0 if (n > 0 && (statp->_flags & RES_F_EDNS0ERR) == 0 && - (statp->options & (RES_USE_EDNS0|RES_USE_DNSSEC)) != 0) + (statp->options & (RES_USE_EDNS0|RES_USE_DNSSEC)) != 0U) n = res_nopt(statp, n, buf, sizeof(buf), anslen); #endif if (n <= 0) { @@ -148,7 +148,7 @@ again: if (n < 0) { #ifdef RES_USE_EDNS0 /* if the query choked with EDNS0, retry without EDNS0 */ - if ((statp->options & (RES_USE_EDNS0|RES_USE_DNSSEC)) != 0 && + if ((statp->options & (RES_USE_EDNS0|RES_USE_DNSSEC)) != 0U && ((oflags ^ statp->_flags) & RES_F_EDNS0ERR) != 0) { statp->_flags |= RES_F_EDNS0ERR; if (statp->options & RES_DEBUG) @@ -252,8 +252,8 @@ res_nsearch(res_state statp, * - there is at least one dot, there is no trailing dot, * and RES_DNSRCH is set. */ - if ((!dots && (statp->options & RES_DEFNAMES) != 0) || - (dots && !trailing_dot && (statp->options & RES_DNSRCH) != 0)) { + if ((!dots && (statp->options & RES_DEFNAMES) != 0U) || + (dots && !trailing_dot && (statp->options & RES_DNSRCH) != 0U)) { int done = 0; for (domain = (const char * const *)statp->dnsrch; @@ -311,7 +311,7 @@ res_nsearch(res_state statp, /* if we got here for some reason other than DNSRCH, * we only wanted one iteration of the loop, so stop. */ - if ((statp->options & RES_DNSRCH) == 0) + if ((statp->options & RES_DNSRCH) == 0U) done++; } } 
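Review bot: In res_query.c's first hunk (header `again:`) the two tests on one line are treated differently: `(statp->options & (RES_USE_EDNS0|RES_USE_DNSSEC)) != 0U` gets the unsigned literal while `(statp->_flags & RES_F_EDNS0ERR) == 0` keeps `0`, and the second hunk does the same with `((oflags ^ statp->_flags) & RES_F_EDNS0ERR) != 0`. If `_flags` is unsigned like `options` (its declaration is not visible here) those comparisons raise the very warning this commit is suppressing, so `== 0U` and `!= 0U` would finish the job. The enclosing function starts and ends outside both hunks.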
@@ -320,7 +320,7 @@ res_nsearch(res_state statp, * If the query has not already been tried as is then try it * unless RES_NOTLDQUERY is set and there were no dots. */ - if ((dots || !searched || (statp->options & RES_NOTLDQUERY) == 0) && + if ((dots || !searched || (statp->options & RES_NOTLDQUERY) == 0U) && !(tried_as_is || root_on_list)) { ret = res_nquerydomain(statp, name, NULL, class, type, answer, anslen); diff --git a/lib/bind/resolv/res_send.c b/lib/bind/resolv/res_send.c index 3fe3485e35..149478808d 100644 --- a/lib/bind/resolv/res_send.c +++ b/lib/bind/resolv/res_send.c @@ -70,7 +70,7 @@ #if defined(LIBC_SCCS) && !defined(lint) static const char sccsid[] = "@(#)res_send.c 8.1 (Berkeley) 6/4/93"; -static const char rcsid[] = "$Id: res_send.c,v 1.8 2004/03/09 06:30:18 marka Exp $"; +static const char rcsid[] = "$Id: res_send.c,v 1.9 2004/03/18 02:58:02 marka Exp $"; #endif /* LIBC_SCCS and not lint */ /* @@ -352,8 +352,8 @@ res_nsend(res_state statp, * Some resolvers want to even out the load on their nameservers. * Note that RES_BLAST overrides RES_ROTATE. */ - if ((statp->options & RES_ROTATE) != 0 && - (statp->options & RES_BLAST) == 0) { + if ((statp->options & RES_ROTATE) != 0U && + (statp->options & RES_BLAST) == 0U) { union res_sockaddr_union inu; struct sockaddr_in ina; int lastns = statp->nscount - 1; @@ -467,8 +467,8 @@ res_nsend(res_state statp, * or if we haven't been asked to keep a socket open, * close the socket. */ - if ((v_circuit && (statp->options & RES_USEVC) == 0) || - (statp->options & RES_STAYOPEN) == 0) { + if ((v_circuit && (statp->options & RES_USEVC) == 0U) || + (statp->options & RES_STAYOPEN) == 0U) { res_nclose(statp); } if (statp->rhook) { 
@@ -902,7 +902,7 @@ send_dg(res_state statp, goto wait; } #ifdef RES_USE_EDNS0 - if (anhp->rcode == FORMERR && (statp->options & RES_USE_EDNS0) != 0) { + if (anhp->rcode == FORMERR && (statp->options & RES_USE_EDNS0) != 0U) { /* * Do not retry if the server do not understand EDNS0. * The case has to be captured here, as FORMERR packet do not @@ -970,7 +970,7 @@ Aerror(const res_state statp, FILE *file, const char *string, int error, alen = alen; - if ((statp->options & RES_DEBUG) != 0) { + if ((statp->options & RES_DEBUG) != 0U) { if (getnameinfo(address, alen, hbuf, sizeof(hbuf), sbuf, sizeof(sbuf), niflags)) { strncpy(hbuf, "?", sizeof(hbuf) - 1); @@ -988,7 +988,7 @@ static void Perror(const res_state statp, FILE *file, const char *string, int error) { int save = errno; - if ((statp->options & RES_DEBUG) != 0) + if ((statp->options & RES_DEBUG) != 0U) fprintf(file, "res_send: %s: %s\n", string, strerror(error)); errno = save; diff --git a/lib/bind/resolv/res_sendsigned.c b/lib/bind/resolv/res_sendsigned.c index 328ec11a6a..1984377ab1 100644 --- a/lib/bind/resolv/res_sendsigned.c +++ b/lib/bind/resolv/res_sendsigned.c @@ -135,7 +135,7 @@ retry: } hp = (HEADER *) answer; - if (hp->tc && !usingTCP && (statp->options & RES_IGNTC) == 0) { + if (hp->tc && !usingTCP && (statp->options & RES_IGNTC) == 0U) { nstatp->options &= ~RES_IGNTC; usingTCP = 1; goto retry; diff --git a/lib/bind/resolv/res_update.c b/lib/bind/resolv/res_update.c index 2f22644499..4242693735 100644 --- a/lib/bind/resolv/res_update.c +++ b/lib/bind/resolv/res_update.c @@ -1,5 +1,5 @@ #if !defined(lint) && !defined(SABER) -static const char rcsid[] = "$Id: res_update.c,v 1.11 2004/03/09 06:30:18 marka Exp $"; +static const char rcsid[] = "$Id: res_update.c,v 1.12 2004/03/18 02:58:02 marka Exp $"; #endif /* not lint */ /* 
@@ -83,7 +83,7 @@ static void res_dprintf(const char *, ...) ISC_FORMAT_PRINTF(1, 2); #define DPRINTF(x) do {\ int save_errno = errno; \ - if ((statp->options & RES_DEBUG) != 0) res_dprintf x; \ + if ((statp->options & RES_DEBUG) != 0U) res_dprintf x; \ errno = save_errno; \ } while (0) diff --git a/lib/dns/include/dns/name.h b/lib/dns/include/dns/name.h index 35c4309894..287d33d03b 100644 --- a/lib/dns/include/dns/name.h +++ b/lib/dns/include/dns/name.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: name.h,v 1.106 2004/03/05 05:09:44 marka Exp $ */ +/* $Id: name.h,v 1.107 2004/03/18 02:58:03 marka Exp $ */ #ifndef DNS_NAME_H #define DNS_NAME_H 1 @@ -1218,10 +1218,14 @@ do { \ #define DNS_NAME_SPLIT(n, l, p, s) \ do { \ - if ((p) != NULL) \ - dns_name_getlabelsequence((n), 0, (n)->labels - (l), (p)); \ - if ((s) != NULL) \ - dns_name_getlabelsequence((n), (n)->labels - (l), (l), (s)); \ + dns_name_t *_n = (n); \ + dns_name_t *_p = (p); \ + dns_name_t *_s = (s); \ + unsigned int _l = (l); \ + if (_p != NULL) \ + dns_name_getlabelsequence(_n, 0, _n->labels - _l, _p); \ + if (_s != NULL) \ + dns_name_getlabelsequence(_n, _n->labels - _l, _l, _s); \ } while (0); #ifdef DNS_NAME_USEINLINE diff --git a/lib/dns/portlist.c b/lib/dns/portlist.c index b0721f6c01..0906a06720 100644 --- a/lib/dns/portlist.c +++ b/lib/dns/portlist.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: portlist.c,v 1.5 2004/03/05 05:09:22 marka Exp $ */ +/* $Id: portlist.c,v 1.6 2004/03/18 02:58:03 marka Exp $ */ #include 
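Review bot: The rewritten DNS_NAME_SPLIT body still ends with `} while (0);` (the context line after the new locals), so a use such as `if (cond) DNS_NAME_SPLIT(n, l, p, s); else ...` expands to two statements and the `else` no longer parses; dropping that trailing semicolon restores the do/while(0) idiom the macro is clearly reaching for. The new `unsigned int _l = (l);` also means `_n->labels - _l` wraps to a huge label count if `_l` exceeds `_n->labels`; if callers do not already guarantee `l <= labels`, an assertion inside the macro would make that precondition visible. Whether `dns_name_getlabelsequence` validates its arguments is not visible in this hunk.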
@@ -102,29 +102,30 @@ find_port(dns_element_t *list, unsigned int len, in_port_t port) { unsigned int max = len - 1; unsigned int last = len; - while (1) { + for (;;) { if (list[xtry].port == port) return (&list[xtry]); if (port > list[xtry].port) { if (xtry == max) - return (NULL); + break; min = xtry; xtry = xtry + (max - xtry + 1) / 2; INSIST(xtry <= max); if (xtry == last) - return (NULL); + break; last = min; } else { if (xtry == min) - return (NULL); + break; max = xtry; xtry = xtry - (xtry - min + 1) / 2; INSIST(xtry >= min); if (xtry == last) - return (NULL); + break; last = max; } } + return (NULL); } isc_result_t diff --git a/lib/dns/rdata/generic/dlv_65323.c b/lib/dns/rdata/generic/dlv_65323.c index 19b46870e2..1cc4725229 100644 --- a/lib/dns/rdata/generic/dlv_65323.c +++ b/lib/dns/rdata/generic/dlv_65323.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dlv_65323.c,v 1.3 2004/03/16 05:22:30 marka Exp $ */ +/* $Id: dlv_65323.c,v 1.4 2004/03/18 02:58:04 marka Exp $ */ /* draft-ietf-dnsext-delegation-signer-05.txt */ @@ -40,7 +40,7 @@ fromtext_dlv(ARGS_FROMTEXT) { */ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number, ISC_FALSE)); - if (token.value.as_ulong > 0xffff) + if (token.value.as_ulong > 0xffffU) RETTOK(ISC_R_RANGE); RETERR(uint16_tobuffer(token.value.as_ulong, target)); @@ -49,7 +49,7 @@ fromtext_dlv(ARGS_FROMTEXT) { */ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number, ISC_FALSE)); - if (token.value.as_ulong > 0xff) + if (token.value.as_ulong > 0xffU) RETTOK(ISC_R_RANGE); RETERR(uint8_tobuffer(token.value.as_ulong, target)); @@ -58,7 +58,7 @@ fromtext_dlv(ARGS_FROMTEXT) { */ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number, ISC_FALSE)); - if (token.value.as_ulong > 0xff) + if (token.value.as_ulong > 0xffU) RETTOK(ISC_R_RANGE); RETERR(uint8_tobuffer(token.value.as_ulong, target)); type = (isc_uint16_t) token.value.as_ulong; 
diff --git a/lib/dns/rdata/generic/ds_43.c b/lib/dns/rdata/generic/ds_43.c index 3ae033ad07..c03077df9f 100644 --- a/lib/dns/rdata/generic/ds_43.c +++ b/lib/dns/rdata/generic/ds_43.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: ds_43.c,v 1.6 2004/03/05 05:10:11 marka Exp $ */ +/* $Id: ds_43.c,v 1.7 2004/03/18 02:58:04 marka Exp $ */ /* draft-ietf-dnsext-delegation-signer-05.txt */ @@ -42,7 +42,7 @@ fromtext_ds(ARGS_FROMTEXT) { */ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number, ISC_FALSE)); - if (token.value.as_ulong > 0xffff) + if (token.value.as_ulong > 0xffffU) RETTOK(ISC_R_RANGE); RETERR(uint16_tobuffer(token.value.as_ulong, target)); @@ -51,7 +51,7 @@ fromtext_ds(ARGS_FROMTEXT) { */ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number, ISC_FALSE)); - if (token.value.as_ulong > 0xff) + if (token.value.as_ulong > 0xffU) RETTOK(ISC_R_RANGE); RETERR(uint8_tobuffer(token.value.as_ulong, target)); @@ -60,7 +60,7 @@ fromtext_ds(ARGS_FROMTEXT) { */ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number, ISC_FALSE)); - if (token.value.as_ulong > 0xff) + if (token.value.as_ulong > 0xffU) RETTOK(ISC_R_RANGE); RETERR(uint8_tobuffer(token.value.as_ulong, target)); type = (isc_uint16_t) token.value.as_ulong; diff --git a/lib/dns/rdata/generic/rrsig_46.c b/lib/dns/rdata/generic/rrsig_46.c index bf5c62ef1d..e055205b7d 100644 --- a/lib/dns/rdata/generic/rrsig_46.c +++ b/lib/dns/rdata/generic/rrsig_46.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rrsig_46.c,v 1.4 2004/03/05 05:10:17 marka Exp $ */ +/* $Id: rrsig_46.c,v 1.5 2004/03/18 02:58:04 marka Exp $ */ /* Reviewed: Fri Mar 17 09:05:02 PST 2000 by gson */ 
@@ -73,7 +73,7 @@ fromtext_rrsig(ARGS_FROMTEXT) { */ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number, ISC_FALSE)); - if (token.value.as_ulong > 0xff) + if (token.value.as_ulong > 0xffU) RETTOK(ISC_R_RANGE); c = (unsigned char)token.value.as_ulong; RETERR(mem_tobuffer(target, &c, 1)); diff --git a/lib/dns/rdata/in_1/apl_42.c b/lib/dns/rdata/in_1/apl_42.c index 43db104776..e4e296c66f 100644 --- a/lib/dns/rdata/in_1/apl_42.c +++ b/lib/dns/rdata/in_1/apl_42.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: apl_42.c,v 1.7 2004/03/05 05:10:24 marka Exp $ */ +/* $Id: apl_42.c,v 1.8 2004/03/18 02:58:04 marka Exp $ */ /* RFC 3123 */ @@ -57,7 +57,7 @@ fromtext_in_apl(ARGS_FROMTEXT) { afi = strtoul(cp, &ap, 10); if (*ap++ != ':' || cp == ap) RETTOK(DNS_R_SYNTAX); - if (afi > 0xffff) + if (afi > 0xffffU) RETTOK(ISC_R_RANGE); slash = strchr(ap, '/'); if (slash == NULL || slash == ap) diff --git a/lib/dns/sec/dst/dst_api.c b/lib/dns/sec/dst/dst_api.c index ff861f3607..4e44c96113 100644 --- a/lib/dns/sec/dst/dst_api.c +++ b/lib/dns/sec/dst/dst_api.c @@ -18,7 +18,7 @@ /* * Principal Author: Brian Wellington - * $Id: dst_api.c,v 1.113 2004/03/10 02:19:58 marka Exp $ + * $Id: dst_api.c,v 1.114 2004/03/18 02:58:05 marka Exp $ */ #include @@ -1143,7 +1143,7 @@ algorithm_status(unsigned int alg) { return (DST_R_UNSUPPORTEDALG); } -isc_result_t +static isc_result_t addsuffix(char *filename, unsigned int len, const char *ofilename, const char *suffix) { diff --git a/lib/dns/sec/dst/dst_parse.c b/lib/dns/sec/dst/dst_parse.c index 9c8fa43b73..8c337b2a03 100644 --- a/lib/dns/sec/dst/dst_parse.c +++ b/lib/dns/sec/dst/dst_parse.c @@ -18,7 +18,7 @@ /* * Principal Author: Brian Wellington - * $Id: dst_parse.c,v 1.40 2004/03/05 05:48:24 marka Exp $ + * $Id: dst_parse.c,v 1.41 2004/03/18 02:58:05 marka Exp $ */ #include 
@@ -381,7 +381,7 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv, fprintf(fp, "(HMAC_MD5)\n"); break; default: - fprintf(fp, "(?)\n"); break; + fprintf(fp, "(?)\n"); break; } diff --git a/lib/dns/sec/dst/openssl_link.c b/lib/dns/sec/dst/openssl_link.c index 5aa2149ee1..9f2f24656f 100644 --- a/lib/dns/sec/dst/openssl_link.c +++ b/lib/dns/sec/dst/openssl_link.c @@ -18,7 +18,7 @@ /* * Principal Author: Brian Wellington - * $Id: openssl_link.c,v 1.56 2004/03/05 05:48:24 marka Exp $ + * $Id: openssl_link.c,v 1.57 2004/03/18 02:58:05 marka Exp $ */ #ifdef OPENSSL @@ -118,7 +118,7 @@ mem_realloc(void *ptr, size_t size) { INSIST(dst__memory_pool != NULL); p = NULL; - if (size > 0) { + if (size > 0U) { p = mem_alloc(size); if (p != NULL && ptr != NULL) memcpy(p, ptr, size); diff --git a/lib/dns/sec/dst/openssldh_link.c b/lib/dns/sec/dst/openssldh_link.c index eb56215000..e3093a7947 100644 --- a/lib/dns/sec/dst/openssldh_link.c +++ b/lib/dns/sec/dst/openssldh_link.c @@ -18,7 +18,7 @@ /* * Principal Author: Brian Wellington - * $Id: openssldh_link.c,v 1.52 2004/03/05 05:48:24 marka Exp $ + * $Id: openssldh_link.c,v 1.53 2004/03/18 02:58:05 marka Exp $ */ #ifdef OPENSSL @@ -536,7 +536,7 @@ BN_fromhex(BIGNUM *b, const char *str) { unsigned int i; BIGNUM *out; - RUNTIME_CHECK(strlen(str) < 1024 && strlen(str) % 2 == 0); + RUNTIME_CHECK(strlen(str) < 1024U && strlen(str) % 2 == 0U); for (i = 0; i < strlen(str); i += 2) { char *s; unsigned int high, low; diff --git a/lib/dns/sec/dst/opensslrsa_link.c b/lib/dns/sec/dst/opensslrsa_link.c index 63943b6a26..f60a07b1e4 100644 --- a/lib/dns/sec/dst/opensslrsa_link.c +++ b/lib/dns/sec/dst/opensslrsa_link.c @@ -17,7 +17,7 @@ /* * Principal Author: Brian Wellington - * $Id: opensslrsa_link.c,v 1.28 2004/03/05 05:10:31 marka Exp $ + * $Id: opensslrsa_link.c,v 1.29 2004/03/18 02:58:05 marka Exp $ */ #ifdef OPENSSL 
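Review bot: mem_realloc copies `size` bytes from `ptr` in `memcpy(p, ptr, size)` directly under the new `if (size > 0U)` guard, but `size` is the requested new length, not the length of the block `ptr` currently points to; when a caller grows an allocation this reads past the end of the old block. Nothing in the hunk records the old size, so the copy length has to come from somewhere, either a size header written by `mem_alloc` or a pool that knows each block's size, and until it does the function deserves a comment stating that it is only safe when shrinking. The rest of mem_realloc, including what happens to the old `ptr`, is outside the hunk.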
@@ -177,7 +177,7 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { status = RSA_sign(type, digest, digestlen, r.base, &siglen, rsa); if (status == 0) { err = ERR_peek_error_line(&file, &line); - if (err != 0) { + if (err != 0U) { message = ERR_error_string(err, NULL); fprintf(stderr, "%s:%s:%d\n", message, file ? file : "", line); diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 181202dfd0..9f73101035 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.c,v 1.409 2004/03/05 05:09:26 marka Exp $ */ +/* $Id: zone.c,v 1.410 2004/03/18 02:58:03 marka Exp $ */ #include @@ -6729,7 +6729,7 @@ dns_zone_checknames(dns_zone_t *zone, dns_name_t *name, dns_rdata_t *rdata) { char namebuf[DNS_NAME_FORMATSIZE]; char namebuf2[DNS_NAME_FORMATSIZE]; char typebuf[DNS_RDATATYPE_FORMATSIZE]; - unsigned int level = ISC_LOG_WARNING; + int level = ISC_LOG_WARNING; dns_name_t bad; REQUIRE(DNS_ZONE_VALID(zone)); diff --git a/lib/isc/mem.c b/lib/isc/mem.c index 6f63adf41e..059a2b32b7 100644 --- a/lib/isc/mem.c +++ b/lib/isc/mem.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: mem.c,v 1.115 2004/03/05 05:10:46 marka Exp $ */ +/* $Id: mem.c,v 1.116 2004/03/18 02:58:06 marka Exp $ */ #include @@ -870,7 +870,7 @@ destroy(isc_mem_t *ctx) { if (ctx->checkfree) { for (i = 0; i <= ctx->max_size; i++) { #if ISC_MEM_TRACKLINES - if (ctx->stats[i].gets != 0) + if (ctx->stats[i].gets != 0U) print_active(ctx, stderr); #endif INSIST(ctx->stats[i].gets == 0U); diff --git a/lib/isc/string.c b/lib/isc/string.c index 966ec99676..99a126a1a6 100644 --- a/lib/isc/string.c +++ b/lib/isc/string.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: string.c,v 1.9 2004/03/05 05:10:49 marka Exp $ */ +/* $Id: string.c,v 1.10 2004/03/18 02:58:06 marka Exp $ */ #include 
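Review bot: ERR_peek_error_line() leaves the entry on the OpenSSL error queue and nothing in the hunk removes it, so a later failure on the same thread may report this stale error instead of its own; if the queue is not drained elsewhere, follow the peek with `ERR_clear_error();` or use ERR_get_error_line(), which pops the entry. The diagnostic is also written with fprintf to stderr rather than through the library's logging, which a detached daemon will lose. The rest of opensslrsa_sign is outside the hunk.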
@@ -118,16 +118,16 @@ isc_string_strlcpy(char *dst, const char *src, size_t size) size_t n = size; /* Copy as many bytes as will fit */ - if (n != 0 && --n != 0) { + if (n != 0U && --n != 0U) { do { if ((*d++ = *s++) == 0) break; - } while (--n != 0); + } while (--n != 0U); } /* Not enough room in dst, add NUL and traverse rest of src */ - if (n == 0) { - if (size != 0) + if (n == 0U) { + if (size != 0U) *d = '\0'; /* NUL-terminate dst */ while (*s++) ; @@ -145,15 +145,15 @@ isc_string_strlcat(char *dst, const char *src, size_t size) size_t dlen; /* Find the end of dst and adjust bytes left but don't go past end */ - while (n-- != 0 && *d != '\0') + while (n-- != 0U && *d != '\0') d++; dlen = d - dst; n = size - dlen; - if (n == 0) + if (n == 0U) return(dlen + strlen(s)); while (*s != '\0') { - if (n != 1) { + if (n != 1U) { *d++ = *s; n--; } diff --git a/lib/isc/unix/file.c b/lib/isc/unix/file.c index cbb9ff1495..64c34e7c25 100644 --- a/lib/isc/unix/file.c +++ b/lib/isc/unix/file.c @@ -48,7 +48,7 @@ * SUCH DAMAGE. */ -/* $Id: file.c,v 1.46 2004/03/05 05:11:44 marka Exp $ */ +/* $Id: file.c,v 1.47 2004/03/18 02:58:06 marka Exp $ */ #include @@ -394,7 +394,7 @@ dir_current(char *dirname, size_t length) { isc_result_t result = ISC_R_SUCCESS; REQUIRE(dirname != NULL); - REQUIRE(length > 0); + REQUIRE(length > 0U); cwd = getcwd(dirname, length); diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c index 242183a2bc..5d7e15969d 100644 --- a/lib/isc/unix/socket.c +++ b/lib/isc/unix/socket.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: socket.c,v 1.236 2004/03/05 05:11:46 marka Exp $ */ +/* $Id: socket.c,v 1.237 2004/03/18 02:58:07 marka Exp $ */ #include @@ -488,7 +488,7 @@ cmsg_space(ISC_SOCKADDR_LEN_T len) { cmsgp = CMSG_NXTHDR(&msg, cmsgp); if (cmsgp != NULL) - return ((void *)cmsgp - (void *)msg.msg_control); + return ((char *)cmsgp - (char *)msg.msg_control); else return (0); #endif 
@@ -535,7 +535,7 @@ process_cmsg(isc_socket_t *sock, struct msghdr *msg, isc_socketevent_t *dev) { #ifndef USE_CMSG return; #else - if (msg->msg_controllen == 0 || msg->msg_control == NULL) + if (msg->msg_controllen == 0U || msg->msg_control == NULL) return; #ifdef SO_TIMESTAMP diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c index e2038912cb..8a4affd493 100644 --- a/lib/isccfg/parser.c +++ b/lib/isccfg/parser.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: parser.c,v 1.111 2004/03/05 05:12:22 marka Exp $ */ +/* $Id: parser.c,v 1.112 2004/03/18 02:58:07 marka Exp $ */ #include @@ -1656,7 +1656,7 @@ token_addr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na) { } } if ((flags & CFG_ADDR_V4PREFIXOK) != 0 && - strlen(s) <= 15) { + strlen(s) <= 15U) { char buf[64]; int i; @@ -1670,7 +1670,7 @@ token_addr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na) { } } if ((flags & CFG_ADDR_V6OK) != 0 && - strlen(s) <= 127) { + strlen(s) <= 127U) { char buf[128]; char *d; /* zone delimiter */ isc_uint32_t zone = 0; /* scope zone ID */ @@ -1737,7 +1737,7 @@ cfg_parse_rawport(cfg_parser_t *pctx, unsigned int flags, in_port_t *port) { "expected port number or '*'"); return (ISC_R_UNEXPECTEDTOKEN); } - if (pctx->token.value.as_ulong >= 65536) { + if (pctx->token.value.as_ulong >= 65536U) { cfg_parser_error(pctx, CFG_LOG_NEAR, "port number out of range"); return (ISC_R_UNEXPECTEDTOKEN); diff --git a/util/copyrights b/util/copyrights index eb03ea0c02..40c89916b7 100644 --- a/util/copyrights +++ b/util/copyrights @@ -1402,7 +1402,7 @@ ./lib/bind/port/irix/Makefile.in MAKE 2001,2004 ./lib/bind/port/irix/include/.cvsignore X 2001 ./lib/bind/port/irix/include/Makefile.in MAKE 2001,2004 -./lib/bind/port/irix/include/paths.h C 2001,2004 +./lib/bind/port/irix/include/paths.h X 2001 ./lib/bind/port/irix/include/sys/bitypes.h X 2001 ./lib/bind/port/irix/include/sys/cdefs.h X 2001 ./lib/bind/port/linux/.cvsignore X 2001 
@@ -1665,7 +1665,7 @@ ./lib/dns/rbtdb.h C 1999,2000,2001,2004 ./lib/dns/rbtdb64.c C 1999,2000,2001,2004 ./lib/dns/rbtdb64.h C 1999,2000,2001,2004 -./lib/dns/rcode.c C 2004 +./lib/dns/rcode.c C 1998,1999,2000,2001,2002,2003,2004 ./lib/dns/rdata.c C 1998,1999,2000,2001,2002,2003,2004 ./lib/dns/rdata/any_255/tsig_250.c C 1999,2000,2001,2002,2003,2004 ./lib/dns/rdata/any_255/tsig_250.h C 1999,2000,2001,2004 diff --git a/win32utils/win32-build.txt b/win32utils/win32-build.txt index 98e99c7370..4185171096 100644 --- a/win32utils/win32-build.txt +++ b/win32utils/win32-build.txt @@ -2,11 +2,11 @@ Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") Copyright (C) 2001, 2002 Internet Software Consortium. See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. -$Id: win32-build.txt,v 1.7 2004/03/05 05:14:21 marka Exp $ +$Id: win32-build.txt,v 1.8 2004/03/18 02:58:08 marka Exp $ - BIND 9.3.0 Beta for Win32 Source Build Instructions. 28-Jul-2001 + BIND 9.4 for Win32 Source Build Instructions. 28-Jul-2001 -Building BIND 9.3.x on Windows NT/2000 has two prerequisites: +Building BIND 9.4 on Windows NT/2000 has two prerequisites: 1) You need to install Perl for Windows NT/2000. ActiveState (http://www.activestate.com/) is the one most people install and use; 2) OpenSSL (http://www.openssl.org) needs to be downloaded and built From 321df4df1972da49223fc8ee1180f94b88295568 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 18 Mar 2004 03:47:04 +0000 Subject: [PATCH 006/146] add rt number --- CHANGES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 76eeabcb82..51b2b61f2d 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,4 @@ -1592. [bug] configure_view() could leak a dispatch. +1592. [bug] configure_view() could leak a dispatch. [RT# 10675] 1591. [bug] libbind: updated to BIND 8.4.5. From bae21f249ead77e442a025b9b18d90e21ebf72ce Mon Sep 17 00:00:00 2001 
From: Mark Andrews Date: Thu, 18 Mar 2004 04:29:56 +0000 Subject: [PATCH 007/146] placeholder --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index 51b2b61f2d..3738ec0f3c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1593. [placeholder] rt10642 + 1592. [bug] configure_view() could leak a dispatch. [RT# 10675] 1591. [bug] libbind: updated to BIND 8.4.5. From 36fa8f333a456c032460d2b52377b8c0bd1591a8 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 19 Mar 2004 04:50:20 +0000 Subject: [PATCH 008/146] Update description: ISC_R_CONTINUE -> DNS_R_CONTINUE --- lib/dns/include/dns/masterdump.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/dns/include/dns/masterdump.h b/lib/dns/include/dns/masterdump.h index 5cff65a70b..07f6beb829 100644 --- a/lib/dns/include/dns/masterdump.h +++ b/lib/dns/include/dns/masterdump.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: masterdump.h,v 1.30 2004/03/05 05:09:43 marka Exp $ */ +/* $Id: masterdump.h,v 1.31 2004/03/19 04:50:20 marka Exp $ */ #ifndef DNS_MASTERDUMP_H #define DNS_MASTERDUMP_H 1 @@ -222,7 +222,7 @@ dns_master_dumptostream(isc_mem_t *mctx, dns_db_t *db, * * Returns: * ISC_R_SUCCESS - * ISC_R_CONTINUE dns_master_dumptostreaminc() only. + * DNS_R_CONTINUE dns_master_dumptostreaminc() only. * ISC_R_NOMEMORY * Any database or rrset iterator error. * Any dns_rdata_totext() error code. @@ -247,7 +247,7 @@ dns_master_dump(isc_mem_t *mctx, dns_db_t *db, * * Returns: * ISC_R_SUCCESS - * ISC_R_CONTINUE dns_master_dumpinc() only. + * DNS_R_CONTINUE dns_master_dumpinc() only. * ISC_R_NOMEMORY * Any database or rrset iterator error. * Any dns_rdata_totext() error code. From bdb609f5874056f6f1cd212ebf8700132e683fe5 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 19 Mar 2004 04:57:14 +0000 Subject: [PATCH 009/146] placeholder --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index 3738ec0f3c..82fc7f2377 100644 
--- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1594. [placeholder] rt10565 + 1593. [placeholder] rt10642 1592. [bug] configure_view() could leak a dispatch. [RT# 10675] From ead4d2d676b12a856769d3750861c6efbb95f709 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 19 Mar 2004 06:42:46 +0000 Subject: [PATCH 010/146] placeholder --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index 82fc7f2377..110572dcdc 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1595. [placeholder] rt9164 + 1594. [placeholder] rt10565 1593. [placeholder] rt10642 From c5cde9d5a70c921da901a23845e740ccc7a8c4e4 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 22 Mar 2004 01:46:01 +0000 Subject: [PATCH 011/146] 1593. [bug] rndc should return "unknown command" to unknown commands. [RT# 10642] --- CHANGES | 3 ++- bin/named/control.c | 6 ++++-- lib/dns/include/dns/result.h | 5 +++-- lib/dns/result.c | 5 +++-- 4 files changed, 12 insertions(+), 7 deletions(-) diff --git a/CHANGES b/CHANGES index 110572dcdc..98b5d814a2 100644 --- a/CHANGES +++ b/CHANGES @@ -2,7 +2,8 @@ 1594. [placeholder] rt10565 -1593. [placeholder] rt10642 +1593. [bug] rndc should return "unknown command" to unknown + commands. [RT# 10642] 1592. [bug] configure_view() could leak a dispatch. [RT# 10675] diff --git a/bin/named/control.c b/bin/named/control.c index ff1d8a198a..e951238bdd 100644 --- a/bin/named/control.c +++ b/bin/named/control.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: control.c,v 1.19 2004/03/05 04:57:46 marka Exp $ */ +/* $Id: control.c,v 1.20 2004/03/22 01:46:00 marka Exp $ */ #include @@ -27,6 +27,8 @@ #include #include +#include + #include #include #include @@ -134,7 +136,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) { NS_LOGMODULE_CONTROL, ISC_LOG_WARNING, "unknown control channel command '%s'", command); - result = ISC_R_NOTIMPLEMENTED; + result = DNS_R_UNKNOWNCOMMAND; } return (result); 
diff --git a/lib/dns/include/dns/result.h b/lib/dns/include/dns/result.h index 6f2b340297..27e94f4545 100644 --- a/lib/dns/include/dns/result.h +++ b/lib/dns/include/dns/result.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: result.h,v 1.103 2004/03/05 05:09:46 marka Exp $ */ +/* $Id: result.h,v 1.104 2004/03/22 01:46:01 marka Exp $ */ #ifndef DNS_RESULT_H #define DNS_RESULT_H 1 @@ -140,8 +140,9 @@ #define DNS_R_BADOWNERNAME (ISC_RESULTCLASS_DNS + 96) #define DNS_R_BADNAME (ISC_RESULTCLASS_DNS + 97) #define DNS_R_DYNAMIC (ISC_RESULTCLASS_DNS + 98) +#define DNS_R_UNKNOWNCOMMAND (ISC_RESULTCLASS_DNS + 99) -#define DNS_R_NRESULTS 99 /* Number of results */ +#define DNS_R_NRESULTS 100 /* Number of results */ /* * DNS wire format rcodes. diff --git a/lib/dns/result.c b/lib/dns/result.c index 1e5ba43adc..685d29da39 100644 --- a/lib/dns/result.c +++ b/lib/dns/result.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: result.c,v 1.114 2004/03/05 05:09:24 marka Exp $ */ +/* $Id: result.c,v 1.115 2004/03/22 01:46:01 marka Exp $ */ #include @@ -147,7 +147,8 @@ static const char *text[DNS_R_NRESULTS] = { "from wildcard", /* 95 DNS_R_FROMWILDCARD */ "bad owner name (check-names)", /* 96 DNS_R_BADOWNERNAME */ "bad name (check-names)", /* 97 DNS_R_BADNAME */ - "dynamic zone" /* 98 DNS_R_DYNAMIC */ + "dynamic zone", /* 98 DNS_R_DYNAMIC */ + "unknown command" /* 99 DNS_R_UNKNOWNCOMMAND */ }; static const char *rcode_text[DNS_R_NRCODERESULTS] = { From 85315eb5361d92ba034cecc26c3526e121392386 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 22 Mar 2004 04:20:04 +0000 Subject: [PATCH 012/146] placeholder --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index 98b5d814a2..9867d2dda3 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1596. [placeholder] rt10150 + 1595. [placeholder] rt9164 1594. [placeholder] rt10565 From 39e5cab80a2abc95ca034ac79ea3f973fc66f5b3 Mon Sep 17 00:00:00 2001 
From: Mark Andrews Date: Tue, 23 Mar 2004 01:32:20 +0000 Subject: [PATCH 013/146] placeholder --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index 9867d2dda3..b570f6a13b 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1597. [placeholder] rt6496a + 1596. [placeholder] rt10150 1595. [placeholder] rt9164 From 7c82b7ae3f3006e20d00529a15372d6cba133c20 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 30 Mar 2004 01:18:49 +0000 Subject: [PATCH 014/146] placeholder --- CHANGES | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGES b/CHANGES index b570f6a13b..b770373b75 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,9 @@ +1600. [placeholder] rt10861. + +1599. [placeholder] rt10861. + +1598. [placeholder] rt10861. + 1597. [placeholder] rt6496a 1596. [placeholder] rt10150 From 0b9af9eb37f624033652f6cc463262474ee13344 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 30 Mar 2004 02:05:40 +0000 Subject: [PATCH 015/146] 1596. [func] Accept 'notify-source' style syntax for query-source. --- CHANGES | 2 +- doc/arm/Bv9ARM-book.xml | 6 +++--- lib/isccfg/namedconf.c | 45 +++++++++++++++++------------------------ 3 files changed, 23 insertions(+), 30 deletions(-) diff --git a/CHANGES b/CHANGES index b770373b75..3a2037ced4 100644 --- a/CHANGES +++ b/CHANGES @@ -6,7 +6,7 @@ 1597. [placeholder] rt6496a -1596. [placeholder] rt10150 +1596. [func] Accept 'notify-source' style syntax for query-source. 1595. [placeholder] rt9164 diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 69801b9998..b5af9b183d 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -2,7 +2,7 @@ - + BIND 9 Administrator Reference Manual 
@@ -2774,8 +2774,8 @@ statement in the named.conf file: avoid-v6-udp-ports { port_list }; listen-on port ip_port { address_match_list }; listen-on-v6 port ip_port { address_match_list }; - query-source address ( ip_addr | * ) port ( ip_port | * ) ; - query-source-v6 address ( ip_addr | * ) port ( ip_port | * ) ; + query-source ( ( ip4_addr | * ) port ( ip_port | * ) | address ( ip4_addr | * ) port ( ip_port | * ) ) ; + query-source-v6 ( ( ip6_addr | * ) port ( ip_port | * ) | address ( ip6_addr | * ) port ( ip_port | * ) ) ; max-transfer-time-in number; max-transfer-time-out number; max-transfer-idle-in number; diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 291893f939..6c0f7de639 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: namedconf.c,v 1.30 2004/03/10 02:19:58 marka Exp $ */ +/* $Id: namedconf.c,v 1.31 2004/03/30 02:05:40 marka Exp $ */ #include @@ -1219,24 +1219,24 @@ static cfg_type_t cfg_type_optional_class = { }; static isc_result_t -parse_querysource(cfg_parser_t *pctx, int flags, cfg_obj_t **ret) { +parse_querysource(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) { isc_result_t result; cfg_obj_t *obj = NULL; isc_netaddr_t netaddr; in_port_t port; unsigned int have_address = 0; unsigned int have_port = 0; + const unsigned int *flagp = type->of; - if ((flags & CFG_ADDR_V4OK) != 0) + if ((*flagp & CFG_ADDR_V4OK) != 0) isc_netaddr_any(&netaddr); - else if ((flags & CFG_ADDR_V6OK) != 0) + else if ((*flagp & CFG_ADDR_V6OK) != 0) isc_netaddr_any6(&netaddr); else INSIST(0); port = 0; - CHECK(cfg_create_obj(pctx, &cfg_type_querysource, &obj)); for (;;) { CHECK(cfg_peektoken(pctx, 0)); if (pctx->token.type == isc_tokentype_string) { 
@@ -1245,8 +1245,7 @@ parse_querysource(cfg_parser_t *pctx, int flags, cfg_obj_t **ret) { { /* read "address" */ CHECK(cfg_gettoken(pctx, 0)); - CHECK(cfg_parse_rawaddr(pctx, - flags | CFG_ADDR_WILDOK, + CHECK(cfg_parse_rawaddr(pctx, *flagp, &netaddr)); have_address++; } else if (strcasecmp(TOKEN_STRING(pctx), "port") == 0) @@ -1257,6 +1256,8 @@ parse_querysource(cfg_parser_t *pctx, int flags, cfg_obj_t **ret) { CFG_ADDR_WILDOK, &port)); have_port++; + } else if (have_port == 0 && have_address == 0) { + return (cfg_parse_sockaddr(pctx, type, ret)); } else { cfg_parser_error(pctx, CFG_LOG_NEAR, "expected 'address' or 'port'"); @@ -1271,6 +1272,7 @@ parse_querysource(cfg_parser_t *pctx, int flags, cfg_obj_t **ret) { return (ISC_R_UNEXPECTEDTOKEN); } + CHECK(cfg_create_obj(pctx, &cfg_type_querysource, &obj)); isc_sockaddr_fromnetaddr(&obj->value.sockaddr, &netaddr, port); *ret = obj; return (ISC_R_SUCCESS); @@ -1281,18 +1283,6 @@ parse_querysource(cfg_parser_t *pctx, int flags, cfg_obj_t **ret) { return (result); } -static isc_result_t -parse_querysource4(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) { - UNUSED(type); - return (parse_querysource(pctx, CFG_ADDR_V4OK, ret)); -} - -static isc_result_t -parse_querysource6(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) { - UNUSED(type); - return (parse_querysource(pctx, CFG_ADDR_V6OK, ret)); -} - static void print_querysource(cfg_printer_t *pctx, cfg_obj_t *obj) { isc_netaddr_t na; 
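Review bot: The new short-form branch `return (cfg_parse_sockaddr(pctx, type, ret));` hands back an object created from `type`, i.e. cfg_type_querysource4/6, whose print slot is NULL in the type tables further down the patch, whereas the long form builds a cfg_type_querysource object that carries print_querysource. If cfg_parse_sockaddr creates its object from the type it is passed (its body is not on the page), printing a configuration that used the short form would call a NULL function pointer; either give querysource4/6 a print function or make the object a cfg_type_querysource after the call. The early return is otherwise safe because cfg_create_obj was moved below the loop, so there is no obj to leak; parse_querysource's cleanup label is outside the hunk.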
@@ -1303,16 +1293,21 @@ print_querysource(cfg_printer_t *pctx, cfg_obj_t *obj) { cfg_print_rawuint(pctx, isc_sockaddr_getport(&obj->value.sockaddr)); } +static unsigned int sockaddr4wild_flags = CFG_ADDR_WILDOK | CFG_ADDR_V4OK; +static unsigned int sockaddr6wild_flags = CFG_ADDR_WILDOK | CFG_ADDR_V6OK; static cfg_type_t cfg_type_querysource4 = { - "querysource4", parse_querysource4, NULL, cfg_doc_terminal, - NULL, NULL + "querysource4", parse_querysource, NULL, cfg_doc_terminal, + NULL, &sockaddr4wild_flags }; + static cfg_type_t cfg_type_querysource6 = { - "querysource6", parse_querysource6, NULL, cfg_doc_terminal, - NULL, NULL + "querysource6", parse_querysource, NULL, cfg_doc_terminal, + NULL, &sockaddr6wild_flags }; + static cfg_type_t cfg_type_querysource = { - "querysource", NULL, print_querysource, NULL, &cfg_rep_sockaddr, NULL }; + "querysource", NULL, print_querysource, NULL, &cfg_rep_sockaddr, NULL +}; /* addrmatchelt */ @@ -1605,13 +1600,11 @@ static cfg_type_t cfg_type_logfile = { }; /* An IPv4/IPv6 address with optional port, "*" accepted as wildcard. */ -static unsigned int sockaddr4wild_flags = CFG_ADDR_WILDOK | CFG_ADDR_V4OK; static cfg_type_t cfg_type_sockaddr4wild = { "sockaddr4wild", cfg_parse_sockaddr, cfg_print_sockaddr, cfg_doc_sockaddr, &cfg_rep_sockaddr, &sockaddr4wild_flags }; -static unsigned int sockaddr6wild_flags = CFG_ADDR_WILDOK | CFG_ADDR_V6OK; static cfg_type_t cfg_type_sockaddr6wild = { "v6addrportwild", cfg_parse_sockaddr, cfg_print_sockaddr, cfg_doc_sockaddr, &cfg_rep_sockaddr, &sockaddr6wild_flags From 3b1fce680f1dbe9467cd3b0ab3138ea52d5a976f Mon Sep 17 00:00:00 2001 
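Review bot: `sockaddr4wild_flags` and `sockaddr6wild_flags` are now defined next to the querysource types, far from cfg_type_sockaddr4wild/6wild which still read them, and the comment "An IPv4/IPv6 address with optional port, "*" accepted as wildcard" is left above types whose flag definitions were removed. Since parse_querysource reads them through `const unsigned int *flagp`, they can be `static const unsigned int sockaddr4wild_flags = ...;` (provided cfg_type_t's `of` member is const-qualified), and a `/* shared with cfg_type_sockaddr4wild/6wild below */` at the new definition site would explain why they live here.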
From: Mark Andrews Date: Tue, 30 Mar 2004 02:13:45 +0000 Subject: [PATCH 016/146] 1595. [func] New notify type 'master-only'. Enable notify for master zones only. --- CHANGES | 3 ++- bin/named/zoneconf.c | 4 +++- doc/arm/Bv9ARM-book.xml | 8 +++++--- lib/dns/include/dns/types.h | 5 +++-- lib/dns/zone.c | 6 +++++- lib/isccfg/namedconf.c | 4 ++-- 6 files changed, 20 insertions(+), 10 deletions(-) diff --git a/CHANGES b/CHANGES index 3a2037ced4..45bad73eb4 100644 --- a/CHANGES +++ b/CHANGES @@ -8,7 +8,8 @@ 1596. [func] Accept 'notify-source' style syntax for query-source. -1595. [placeholder] rt9164 +1595. [func] New notify type 'master-only'. Enable notify for + master zones only. 1594. [placeholder] rt10565 diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c index 66cbad9fe7..3121dd61dc 100644 --- a/bin/named/zoneconf.c +++ b/bin/named/zoneconf.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zoneconf.c,v 1.110 2004/03/05 04:57:49 marka Exp $ */ +/* $Id: zoneconf.c,v 1.111 2004/03/30 02:13:43 marka Exp $ */ #include @@ -472,6 +472,8 @@ ns_zone_configure(cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_t *zconfig, char *notifystr = cfg_obj_asstring(obj); if (strcasecmp(notifystr, "explicit") == 0) notifytype = dns_notifytype_explicit; + else if (strcasecmp(notifystr, "master-only") == 0) + notifytype = dns_notifytype_masteronly; else INSIST(0); } diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index b5af9b183d..b7f66f3a58 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -2,7 +2,7 @@ - + BIND 9 Administrator Reference Manual @@ -2752,7 +2752,7 @@ statement in the named.conf file: host-statistics yes_or_no; minimal-responses yes_or_no; multiple-cnames yes_or_no; - notify yes_or_no | explicit; + notify yes_or_no | explicit | master-only; recursion yes_or_no; rfc2308-type1 yes_or_no; use-id-pool yes_or_no; 
@@ -3165,6 +3165,8 @@ servers listed in the zone's NS records (except the master server identified in the SOA MNAME field), and to any servers listed in the also-notify option. +If master-only, notifies are only sent +for master zones. If explicit, notifies are sent only to servers explicitly listed using also-notify. If no, no notifies are sent. @@ -4543,7 +4545,7 @@ Statement Grammar max-transfer-idle-out number ; max-transfer-time-in number ; max-transfer-time-out number ; - notify yes_or_no | explicit ; + notify yes_or_no | explicit | master-only ; pubkey number number number string ; transfer-source (ip4_addr | *) port ip_port ; transfer-source-v6 (ip6_addr | *) port ip_port ; diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h index 1da751ae12..42e8314252 100644 --- a/lib/dns/include/dns/types.h +++ b/lib/dns/include/dns/types.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: types.h,v 1.109 2004/03/05 05:09:47 marka Exp $ */ +/* $Id: types.h,v 1.110 2004/03/30 02:13:44 marka Exp $ */ #ifndef DNS_TYPES_H #define DNS_TYPES_H 1 @@ -136,7 +136,8 @@ typedef enum { typedef enum { dns_notifytype_no = 0, dns_notifytype_yes = 1, - dns_notifytype_explicit = 2 + dns_notifytype_explicit = 2, + dns_notifytype_masteronly = 3 } dns_notifytype_t; typedef enum { diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 9f73101035..cb914f125b 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.c,v 1.410 2004/03/18 02:58:03 marka Exp $ */ +/* $Id: zone.c,v 1.411 2004/03/30 02:13:44 marka Exp $ */ #include @@ -2917,6 +2917,10 @@ zone_notify(dns_zone_t *zone) { if (notifytype == dns_notifytype_no) return; + if (notifytype == dns_notifytype_masteronly && + zone->type != dns_zone_master) + return; + origin = &zone->origin; /* diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 6c0f7de639..3c7bdd88e4 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c 
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: namedconf.c,v 1.31 2004/03/30 02:05:40 marka Exp $ */ +/* $Id: namedconf.c,v 1.32 2004/03/30 02:13:45 marka Exp $ */ #include @@ -1126,7 +1126,7 @@ static cfg_type_t cfg_type_dialuptype = { &cfg_rep_string, dialup_enums }; -static const char *notify_enums[] = { "explicit", NULL }; +static const char *notify_enums[] = { "explicit", "master-only", NULL }; static isc_result_t parse_notify_type(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) { return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret)); From d4e1933abc4bfa3d42dcc2f093c81816a317dde6 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 31 Mar 2004 04:36:55 +0000 Subject: [PATCH 017/146] placeholder --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index 45bad73eb4..1247ab3b11 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1600. [placeholder] rt10920. + 1600. [placeholder] rt10861. 1599. [placeholder] rt10861. From 6ec0f98cf6e88aeba1615763fdec253bf391f22e Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 1 Apr 2004 02:14:41 +0000 Subject: [PATCH 018/146] placeholder --- CHANGES | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 1247ab3b11..0a12b562b2 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,6 @@ -1600. [placeholder] rt10920. +1602. [placeholder] rt10925. + +1601. [placeholder] rt10920. 1600. [placeholder] rt10861. From 154bd87b5c9d603329dd691b822525c6885f21d4 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 1 Apr 2004 05:06:36 +0000 Subject: [PATCH 019/146] placeholder --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index 0a12b562b2..07b91cf2ba 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1603. [placeholder] rt10929. + 1602. [placeholder] rt10925. 1601. [placeholder] rt10920. From 4995dba770c1f5f421cf22a2e9e138586a153765 Mon Sep 17 00:00:00 2001 
From: Mark Andrews Date: Fri, 2 Apr 2004 05:13:25 +0000 Subject: [PATCH 020/146] 1604. [bug] A xfrout_ctx_create() failure would result in xfrout_ctx_destroy() being called with a partially initaliased structure. --- CHANGES | 4 ++++ bin/named/xfrout.c | 24 +++++++++++++++++------- 2 files changed, 21 insertions(+), 7 deletions(-) diff --git a/CHANGES b/CHANGES index 07b91cf2ba..09911b6175 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +1604. [bug] A xfrout_ctx_create() failure would result in + xfrout_ctx_destroy() being called with a + partially initaliased structure. + 1603. [placeholder] rt10929. 1602. [placeholder] rt10925. diff --git a/bin/named/xfrout.c b/bin/named/xfrout.c index fb2cb2246e..0d260870dc 100644 --- a/bin/named/xfrout.c +++ b/bin/named/xfrout.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: xfrout.c,v 1.115 2004/03/05 04:57:49 marka Exp $ */ +/* $Id: xfrout.c,v 1.116 2004/04/02 05:13:25 marka Exp $ */ #include @@ -1142,8 +1142,6 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) { &xfr)); xfr->mnemonic = mnemonic; stream = NULL; - db = NULL; - ver = NULL; quota = NULL; CHECK(xfr->stream->methods->first(xfr->stream)); @@ -1225,10 +1223,10 @@ xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client, unsigned int id, xfr->qname = qname; xfr->qtype = qtype; xfr->qclass = qclass; - xfr->db = db; - xfr->ver = ver; - xfr->quota = quota; - xfr->stream = stream; + xfr->db = NULL; + xfr->ver = NULL; + dns_db_attach(db, &xfr->db); + dns_db_attachversion(db, ver, &xfr->ver); xfr->end_of_stream = ISC_FALSE; xfr->tsigkey = tsigkey; xfr->lasttsig = lasttsig; @@ -1239,6 +1237,12 @@ xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client, unsigned int id, xfr->sends = 0; xfr->shuttingdown = ISC_FALSE; xfr->mnemonic = NULL; + xfr->buf.base = NULL; + xfr->buf.length = 0; + xfr->txmem = NULL; + xfr->txmemlen = 0; + xfr->stream = NULL; + xfr->quota = NULL; /* * Allocate a temporary buffer for the uncompressed response 
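Review bot: Dropping `db = NULL; ver = NULL;` in ns_xfr_start changes ownership silently: the context now attaches its own db and version references, so the caller keeps its pair and must still detach them on every path, while the surviving `stream = NULL;` and `quota = NULL;` mean those two are still handed over on success. A comment at the surviving lines, e.g. `/* stream and quota now belong to xfr; db and ver were attached, so the caller still detaches its own */`, would keep the next reader from restoring the removed lines. ns_xfr_start's failure handling is outside the hunk, so whether it detaches db/ver cannot be confirmed here. The same ownership split is what the xfrout_ctx_create hunks that follow implement.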
@@ -1283,6 +1287,12 @@ xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client, unsigned int id, */ xfr->client->shutdown = xfrout_client_shutdown; xfr->client->shutdown_arg = xfr; + /* + * These MUST be after the last "goto failure;" / CHECK to + * prevent a double free by the caller. + */ + xfr->quota = quota; + xfr->stream = stream; *xfrp = xfr; return (ISC_R_SUCCESS); From e3f6b4d2195b2fcd28f769452d460d1b35f1952a Mon Sep 17 00:00:00 2001 
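Review bot: The double-free guard is now an ordering invariant — `xfr->quota = quota; xfr->stream = stream;` must remain after the last CHECK — enforced only by the comment, and any CHECK added below it later silently reintroduces the bug. Consider having xfrout_ctx_create's failure label (outside the hunk) clear `xfr->stream` and `xfr->quota` before it calls xfrout_ctx_destroy, or at least adding a one-line note at that label pointing back to this block, so the invariant is visible from both ends. Whether xfrout_ctx_destroy tolerates the NULL values set earlier in this function is not visible on the page.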
From: Mark Andrews Date: Tue, 6 Apr 2004 22:04:52 +0000 Subject: [PATCH 021/146] regen --- bin/check/named-checkconf.8 | 5 +- bin/check/named-checkconf.html | 9 +- bin/check/named-checkzone.8 | 5 +- bin/check/named-checkzone.html | 9 +- bin/dig/dig.1 | 5 +- bin/dig/dig.html | 9 +- bin/dig/host.1 | 5 +- bin/dig/host.html | 9 +- bin/dnssec/dnssec-keygen.8 | 5 +- bin/dnssec/dnssec-keygen.html | 9 +- bin/dnssec/dnssec-signzone.8 | 5 +- bin/dnssec/dnssec-signzone.html | 9 +- bin/named/lwresd.8 | 3 +- bin/named/lwresd.html | 7 +- bin/named/named.8 | 5 +- bin/named/named.html | 9 +- bin/nsupdate/nsupdate.8 | 5 +- bin/nsupdate/nsupdate.html | 9 +- bin/rndc/rndc-confgen.8 | 5 +- bin/rndc/rndc-confgen.html | 9 +- bin/rndc/rndc.8 | 3 +- bin/rndc/rndc.conf.5 | 3 +- bin/rndc/rndc.conf.html | 9 +- bin/rndc/rndc.html | 9 +- doc/arm/Bv9ARM.ch06.html | 155 +++++++++++++++++------- doc/arm/Bv9ARM.ch07.html | 8 +- doc/arm/Bv9ARM.ch08.html | 14 +-- doc/arm/Bv9ARM.ch09.html | 108 ++++++++--------- doc/arm/Bv9ARM.html | 38 +++--- lib/lwres/man/lwres.3 | 3 +- lib/lwres/man/lwres.html | 9 +- lib/lwres/man/lwres_buffer.3 | 3 +- lib/lwres/man/lwres_buffer.html | 9 +- lib/lwres/man/lwres_config.3 | 3 +- lib/lwres/man/lwres_config.html | 9 +- lib/lwres/man/lwres_context.3 | 3 +- lib/lwres/man/lwres_context.html | 9 +- lib/lwres/man/lwres_gabn.3 | 3 +- lib/lwres/man/lwres_gabn.html | 9 +- lib/lwres/man/lwres_gai_strerror.3 | 3 +- lib/lwres/man/lwres_gai_strerror.html | 9 +- lib/lwres/man/lwres_getaddrinfo.3 | 3 +- lib/lwres/man/lwres_getaddrinfo.html | 9 +- lib/lwres/man/lwres_gethostent.3 | 5 +- lib/lwres/man/lwres_gethostent.html | 9 +- lib/lwres/man/lwres_getipnode.3 | 3 +- lib/lwres/man/lwres_getipnode.html | 9 +- lib/lwres/man/lwres_getnameinfo.3 | 3 +- lib/lwres/man/lwres_getnameinfo.html | 9 +- lib/lwres/man/lwres_getrrsetbyname.3 | 3 +- lib/lwres/man/lwres_getrrsetbyname.html | 9 +- lib/lwres/man/lwres_gnba.3 | 3 +- lib/lwres/man/lwres_gnba.html | 9 +- lib/lwres/man/lwres_hstrerror.3 | 
3 +- lib/lwres/man/lwres_hstrerror.html | 9 +- lib/lwres/man/lwres_inetntop.3 | 3 +- lib/lwres/man/lwres_inetntop.html | 9 +- lib/lwres/man/lwres_noop.3 | 3 +- lib/lwres/man/lwres_noop.html | 9 +- lib/lwres/man/lwres_packet.3 | 3 +- lib/lwres/man/lwres_packet.html | 9 +- lib/lwres/man/lwres_resutil.3 | 3 +- lib/lwres/man/lwres_resutil.html | 9 +- 63 files changed, 318 insertions(+), 371 deletions(-) diff --git a/bin/check/named-checkconf.8 b/bin/check/named-checkconf.8 index c79414434a..47378ff48a 100644 --- a/bin/check/named-checkconf.8 +++ b/bin/check/named-checkconf.8 @@ -1,5 +1,6 @@ +.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2000-2002 Internet Software Consortium. +.\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -13,8 +14,6 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: named-checkconf.8,v 1.16 2004/03/05 12:40:35 marka Exp $ -.\" .TH "NAMED-CHECKCONF" "8" "June 14, 2000" "BIND9" "" .SH NAME named-checkconf \- named configuration file syntax checking tool diff --git a/bin/check/named-checkconf.html b/bin/check/named-checkconf.html index 74becc7c4b..40beeaf8f1 100644 --- a/bin/check/named-checkconf.html +++ b/bin/check/named-checkconf.html @@ -1,11 +1,11 @@ - - - - -<!-- $Id: named-checkzone.html,v 1.11 2004/03/05 08:32:15 marka Exp $ --> - <HTML ><HEAD ><TITLE diff --git a/bin/dig/dig.1 b/bin/dig/dig.1 index fbf20b955a..4fc30be507 100644 --- a/bin/dig/dig.1 +++ b/bin/dig/dig.1 
@@ -1,5 +1,6 @@ +.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2000-2003 Internet Software Consortium. +.\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -13,8 +14,6 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dig.1,v 1.23 2004/03/05 12:40:35 marka Exp $ -.\" .TH "DIG" "1" "Jun 30, 2000" "BIND9" "" .SH NAME dig \- DNS lookup utility diff --git a/bin/dig/dig.html b/bin/dig/dig.html index 6acdf09f05..056a14f09c 100644 --- a/bin/dig/dig.html +++ b/bin/dig/dig.html @@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2000-2003 Internet Software Consortium. - - + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,9 +14,6 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $Id: dig.html,v 1.13 2004/03/05 08:32:15 marka Exp $ --> - <HTML ><HEAD ><TITLE diff --git a/bin/dig/host.1 b/bin/dig/host.1 index ddd4cb71c7..871591e069 100644 --- a/bin/dig/host.1 +++ b/bin/dig/host.1 
@@ -1,5 +1,6 @@ +.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2000-2002 Internet Software Consortium. +.\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -13,8 +14,6 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: host.1,v 1.14 2004/03/05 12:40:35 marka Exp $ -.\" .TH "HOST" "1" "Jun 30, 2000" "BIND9" "" .SH NAME host \- DNS lookup utility diff --git a/bin/dig/host.html b/bin/dig/host.html index fc271bcc91..b60d62996a 100644 --- a/bin/dig/host.html +++ b/bin/dig/host.html @@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2000-2002 Internet Software Consortium. - - + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,9 +14,6 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $Id: host.html,v 1.7 2004/03/05 08:32:16 marka Exp $ --> - <HTML ><HEAD ><TITLE diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8 index 444eb6ab1a..a607e51b4e 100644 --- a/bin/dnssec/dnssec-keygen.8 +++ b/bin/dnssec/dnssec-keygen.8 
@@ -1,5 +1,6 @@ +.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2000-2003 Internet Software Consortium. +.\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -13,8 +14,6 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-keygen.8,v 1.23 2004/03/05 12:40:35 marka Exp $ -.\" .TH "DNSSEC-KEYGEN" "8" "June 30, 2000" "BIND9" "" .SH NAME dnssec-keygen \- DNSSEC key generation tool diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html index 41aa57cc9c..169274a612 100644 --- a/bin/dnssec/dnssec-keygen.html +++ b/bin/dnssec/dnssec-keygen.html @@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001-2003 Internet Software Consortium. - - + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,9 +14,6 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $Id: dnssec-keygen.html,v 1.9 2004/03/05 08:32:16 marka Exp $ --> - <HTML ><HEAD ><TITLE diff --git a/bin/dnssec/dnssec-signzone.8 b/bin/dnssec/dnssec-signzone.8 index 966b89ec06..2a6581c4f8 100644 --- a/bin/dnssec/dnssec-signzone.8 +++ b/bin/dnssec/dnssec-signzone.8 
@@ -1,5 +1,6 @@ +.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2000-2003 Internet Software Consortium. +.\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -13,8 +14,6 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-signzone.8,v 1.28 2004/03/16 05:22:15 marka Exp $ -.\" .TH "DNSSEC-SIGNZONE" "8" "June 30, 2000" "BIND9" "" .SH NAME dnssec-signzone \- DNSSEC zone signing tool diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html index 575ef8e71c..afd379a0f0 100644 --- a/bin/dnssec/dnssec-signzone.html +++ b/bin/dnssec/dnssec-signzone.html @@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001-2003 Internet Software Consortium. - - + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,9 +14,6 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $Id: dnssec-signzone.html,v 1.8 2004/03/16 05:22:16 marka Exp $ --> - <HTML ><HEAD ><TITLE diff --git a/bin/named/lwresd.8 b/bin/named/lwresd.8 index 0f48b19632..35edcaee0b 100644 --- a/bin/named/lwresd.8 +++ b/bin/named/lwresd.8 
@@ -1,3 +1,4 @@ +.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" @@ -13,8 +14,6 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwresd.8,v 1.15 2004/03/05 12:40:36 marka Exp $ -.\" .TH "LWRESD" "8" "June 30, 2000" "BIND9" "" .SH NAME lwresd \- lightweight resolver daemon diff --git a/bin/named/lwresd.html b/bin/named/lwresd.html index 4c96d608f9..d07641c07b 100644 --- a/bin/named/lwresd.html +++ b/bin/named/lwresd.html @@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000, 2001 Internet Software Consortium. - - + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,9 +14,6 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $Id: lwresd.html,v 1.5 2004/03/05 08:32:17 marka Exp $ --> - <HTML ><HEAD ><TITLE diff --git a/bin/named/named.8 b/bin/named/named.8 index 7381fad4df..4f55e88b4f 100644 --- a/bin/named/named.8 +++ b/bin/named/named.8 @@ -1,5 +1,6 @@ +.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium. +.\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above 
@@ -13,8 +14,6 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: named.8,v 1.20 2004/03/05 12:40:36 marka Exp $ -.\" .TH "NAMED" "8" "June 30, 2000" "BIND9" "" .SH NAME named \- Internet domain name server diff --git a/bin/named/named.html b/bin/named/named.html index d2eda30437..0548445fa0 100644 --- a/bin/named/named.html +++ b/bin/named/named.html @@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2000, 2001, 2003 Internet Software Consortium. - - + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,9 +14,6 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $Id: named.html,v 1.6 2004/03/05 08:32:17 marka Exp $ --> - <HTML ><HEAD ><TITLE diff --git a/bin/nsupdate/nsupdate.8 b/bin/nsupdate/nsupdate.8 index 04907dc0f9..e1277e9230 100644 --- a/bin/nsupdate/nsupdate.8 +++ b/bin/nsupdate/nsupdate.8 @@ -1,5 +1,6 @@ +.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2000-2003 Internet Software Consortium. +.\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above 
@@ -13,8 +14,6 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: nsupdate.8,v 1.30 2004/03/05 12:40:36 marka Exp $ -.\" .TH "NSUPDATE" "8" "Jun 30, 2000" "BIND9" "" .SH NAME nsupdate \- Dynamic DNS update utility diff --git a/bin/nsupdate/nsupdate.html b/bin/nsupdate/nsupdate.html index c7b9283a3e..6fdb7d0c95 100644 --- a/bin/nsupdate/nsupdate.html +++ b/bin/nsupdate/nsupdate.html @@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001-2003 Internet Software Consortium. - - + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,9 +14,6 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $Id: nsupdate.html,v 1.14 2004/03/05 08:32:17 marka Exp $ --> - <HTML ><HEAD ><TITLE diff --git a/bin/rndc/rndc-confgen.8 b/bin/rndc/rndc-confgen.8 index a66a999c4a..0c82fa4872 100644 --- a/bin/rndc/rndc-confgen.8 +++ b/bin/rndc/rndc-confgen.8 @@ -1,5 +1,6 @@ +.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2001-2003 Internet Software Consortium. +.\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above 
@@ -13,8 +14,6 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: rndc-confgen.8,v 1.9 2004/03/05 12:40:36 marka Exp $ -.\" .TH "RNDC-CONFGEN" "8" "Aug 27, 2001" "BIND9" "" .SH NAME rndc-confgen \- rndc key generation tool diff --git a/bin/rndc/rndc-confgen.html b/bin/rndc/rndc-confgen.html index 98bafd7b6e..2fa3ca61c2 100644 --- a/bin/rndc/rndc-confgen.html +++ b/bin/rndc/rndc-confgen.html @@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001-2003 Internet Software Consortium. - - + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,9 +14,6 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $Id: rndc-confgen.html,v 1.8 2004/03/05 08:32:17 marka Exp $ --> - <HTML ><HEAD ><TITLE diff --git a/bin/rndc/rndc.8 b/bin/rndc/rndc.8 index 1325d14d70..c9d03b9188 100644 --- a/bin/rndc/rndc.8 +++ b/bin/rndc/rndc.8 @@ -1,3 +1,4 @@ +.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" @@ -13,8 +14,6 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: rndc.8,v 1.26 2004/03/05 12:40:36 marka Exp $ -.\" .TH "RNDC" "8" "June 30, 2000" "BIND9" "" .SH NAME rndc \- name server control utility 
diff --git a/bin/rndc/rndc.conf.5 b/bin/rndc/rndc.conf.5 index 8da915f1e5..ffd1819d77 100644 --- a/bin/rndc/rndc.conf.5 +++ b/bin/rndc/rndc.conf.5 @@ -1,3 +1,4 @@ +.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" @@ -13,8 +14,6 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: rndc.conf.5,v 1.23 2004/03/05 12:40:36 marka Exp $ -.\" .TH "RNDC.CONF" "5" "June 30, 2000" "BIND9" "" .SH NAME rndc.conf \- rndc configuration file diff --git a/bin/rndc/rndc.conf.html b/bin/rndc/rndc.conf.html index 473e643c98..c1816c9cbb 100644 --- a/bin/rndc/rndc.conf.html +++ b/bin/rndc/rndc.conf.html @@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,9 +14,6 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $Id: rndc.conf.html,v 1.6 2004/03/05 08:32:18 marka Exp $ --> - <HTML ><HEAD ><TITLE diff --git a/bin/rndc/rndc.html b/bin/rndc/rndc.html index 24c4384a35..376d193dae 100644 --- a/bin/rndc/rndc.html +++ b/bin/rndc/rndc.html 
@@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,9 +14,6 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $Id: rndc.html,v 1.8 2004/03/05 08:32:18 marka Exp $ --> - <HTML ><HEAD ><TITLE diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 1ce18a18fb..dacc5e0f47 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -94,7 +94,7 @@ HREF="Bv9ARM.ch06.html#Configuration_File_Grammar" ></DT ><DT >6.3. <A -HREF="Bv9ARM.ch06.html#AEN4008" +HREF="Bv9ARM.ch06.html#AEN4021" >Zone File</A ></DT ></DL @@ -3648,6 +3648,11 @@ CLASS="replaceable" ><I >explicit</I ></TT +> | <TT +CLASS="replaceable" +><I +>master-only</I +></TT >; </SPAN >] [<SPAN @@ -3940,12 +3945,35 @@ CLASS="replaceable" >] [<SPAN CLASS="optional" -> query-source [<SPAN +> query-source ( ( <TT +CLASS="replaceable" +><I +>ip4_addr</I +></TT +> | <TT +CLASS="replaceable" +><I +>*</I +></TT +> ) [<SPAN +CLASS="optional" +> port ( <TT +CLASS="replaceable" +><I +>ip_port</I +></TT +> | <TT +CLASS="replaceable" +><I +>*</I +></TT +> ) </SPAN +>] | [<SPAN CLASS="optional" > address ( <TT CLASS="replaceable" ><I ->ip_addr</I +>ip4_addr</I ></TT > | <TT CLASS="replaceable" 
@@ -3966,16 +3994,39 @@ CLASS="replaceable" >*</I ></TT > ) </SPAN ->]; </SPAN +>] ) ; </SPAN >] [<SPAN CLASS="optional" -> query-source-v6 [<SPAN +> query-source-v6 ( ( <TT +CLASS="replaceable" +><I +>ip6_addr</I +></TT +> | <TT +CLASS="replaceable" +><I +>*</I +></TT +> ) [<SPAN +CLASS="optional" +> port ( <TT +CLASS="replaceable" +><I +>ip_port</I +></TT +> | <TT +CLASS="replaceable" +><I +>*</I +></TT +> ) </SPAN +>] | [<SPAN CLASS="optional" > address ( <TT CLASS="replaceable" ><I ->ip_addr</I +>ip6_addr</I ></TT > | <TT CLASS="replaceable" @@ -3996,7 +4047,7 @@ CLASS="replaceable" >*</I ></TT > ) </SPAN ->]; </SPAN +>] ) ; </SPAN >] [<SPAN CLASS="optional" @@ -5151,7 +5202,7 @@ processing.</P ><DIV CLASS="informaltable" ><A -NAME="AEN2392" +NAME="AEN2403" ></A ><P ></P @@ -5621,6 +5672,13 @@ CLASS="command" > If <TT CLASS="userinput" ><B +>master-only</B +></TT +>, notifies are only sent +for master zones. +If <TT +CLASS="userinput" +><B >explicit</B ></TT >, notifies are sent only to @@ -6078,7 +6136,7 @@ CLASS="sect3" ><H3 CLASS="sect3" ><A -NAME="AEN2671" +NAME="AEN2683" >6.2.16.2. Forwarding</A ></H3 ><P @@ -6146,7 +6204,7 @@ CLASS="sect3" ><H3 CLASS="sect3" ><A -NAME="AEN2690" +NAME="AEN2702" >6.2.16.3. 6 to 4 Servers</A ></H3 ><P @@ -6368,7 +6426,7 @@ CLASS="sect3" ><H3 CLASS="sect3" ><A -NAME="AEN2757" +NAME="AEN2769" >6.2.16.5. Interfaces</A ></H3 ><P @@ -6447,7 +6505,7 @@ CLASS="sect3" ><H3 CLASS="sect3" ><A -NAME="AEN2778" +NAME="AEN2790" >6.2.16.6. Query Address</A ></H3 ><P @@ -6938,7 +6996,7 @@ CLASS="sect3" ><H3 CLASS="sect3" ><A -NAME="AEN2940" +NAME="AEN2952" >6.2.16.8. Bad UDP Port Lists</A ></H3 ><P @@ -6962,7 +7020,7 @@ CLASS="sect3" ><H3 CLASS="sect3" ><A -NAME="AEN2945" +NAME="AEN2957" >6.2.16.9. Operating System Resource Limits</A ></H3 ><P @@ -7082,7 +7140,7 @@ CLASS="sect3" ><H3 CLASS="sect3" ><A -NAME="AEN2982" +NAME="AEN2994" >6.2.16.10. Server Resource Limits</A ></H3 ><P 
@@ -7205,7 +7263,7 @@ CLASS="sect3" ><H3 CLASS="sect3" ><A -NAME="AEN3023" +NAME="AEN3035" >6.2.16.11. Periodic Task Intervals</A ></H3 ><P @@ -7576,7 +7634,7 @@ CLASS="command" ><DIV CLASS="informaltable" ><A -NAME="AEN3111" +NAME="AEN3123" ></A ><P ></P @@ -8058,7 +8116,7 @@ number is identical to the number in the beginning line.</P ><DIV CLASS="informaltable" ><A -NAME="AEN3255" +NAME="AEN3267" ></A ><P ></P @@ -8592,7 +8650,7 @@ CLASS="sect2" ><H2 CLASS="sect2" ><A -NAME="AEN3394" +NAME="AEN3406" >6.2.19. <B CLASS="command" >trusted-keys</B @@ -8667,7 +8725,7 @@ CLASS="sect2" ><H2 CLASS="sect2" ><A -NAME="AEN3410" +NAME="AEN3422" >6.2.20. <B CLASS="command" >trusted-keys</B @@ -8769,7 +8827,7 @@ CLASS="sect2" ><H2 CLASS="sect2" ><A -NAME="AEN3432" +NAME="AEN3444" >6.2.22. <B CLASS="command" >view</B @@ -9277,6 +9335,11 @@ CLASS="replaceable" ><I >explicit</I ></TT +> | <TT +CLASS="replaceable" +><I +>master-only</I +></TT > ; </SPAN >] [<SPAN @@ -9523,7 +9586,7 @@ CLASS="sect2" ><H2 CLASS="sect2" ><A -NAME="AEN3606" +NAME="AEN3619" >6.2.24. <B CLASS="command" >zone</B @@ -9534,13 +9597,13 @@ CLASS="sect3" ><H3 CLASS="sect3" ><A -NAME="AEN3609" +NAME="AEN3622" >6.2.24.1. Zone Types</A ></H3 ><DIV CLASS="informaltable" ><A -NAME="AEN3611" +NAME="AEN3624" ></A ><P ></P @@ -9810,7 +9873,7 @@ CLASS="sect3" ><H3 CLASS="sect3" ><A -NAME="AEN3674" +NAME="AEN3687" >6.2.24.2. Class</A ></H3 ><P @@ -9848,7 +9911,7 @@ CLASS="sect3" ><H3 CLASS="sect3" ><A -NAME="AEN3684" +NAME="AEN3697" >6.2.24.3. Zone Options</A ></H3 ><P @@ -10606,7 +10669,7 @@ CLASS="varname" ><DIV CLASS="informaltable" ><A -NAME="AEN3967" +NAME="AEN3980" ></A ><P ></P @@ -10773,7 +10836,7 @@ CLASS="sect1" ><H1 CLASS="sect1" ><A -NAME="AEN4008" +NAME="AEN4021" >6.3. Zone File</A ></H1 ><DIV @@ -10794,7 +10857,7 @@ CLASS="sect3" ><H3 CLASS="sect3" ><A -NAME="AEN4013" +NAME="AEN4026" >6.3.1.1. Resource Records</A ></H3 ><P 
@@ -10817,7 +10880,7 @@ HREF="Bv9ARM.ch06.html#rrset_ordering" ><DIV CLASS="informaltable" ><A -NAME="AEN4019" +NAME="AEN4032" ></A ><P ></P @@ -10928,7 +10991,7 @@ CLASS="emphasis" ><DIV CLASS="informaltable" ><A -NAME="AEN4051" +NAME="AEN4064" ></A ><P ></P @@ -11453,7 +11516,7 @@ are currently valid in the DNS:</P ><DIV CLASS="informaltable" ><A -NAME="AEN4203" +NAME="AEN4216" ></A ><P ></P @@ -11555,7 +11618,7 @@ CLASS="sect3" ><H3 CLASS="sect3" ><A -NAME="AEN4227" +NAME="AEN4240" >6.3.1.2. Textual expression of RRs</A ></H3 ><P @@ -11585,7 +11648,7 @@ knowledge of the typical representation for the data.</P ><DIV CLASS="informaltable" ><A -NAME="AEN4234" +NAME="AEN4247" ></A ><P ></P @@ -11794,7 +11857,7 @@ domain names.</P ><DIV CLASS="informaltable" ><A -NAME="AEN4300" +NAME="AEN4313" ></A ><P ></P @@ -11885,7 +11948,7 @@ CLASS="sect2" ><H2 CLASS="sect2" ><A -NAME="AEN4328" +NAME="AEN4341" >6.3.2. Discussion of MX Records</A ></H2 ><P @@ -11921,7 +11984,7 @@ pointed to by the CNAME.</P ><DIV CLASS="informaltable" ><A -NAME="AEN4334" +NAME="AEN4347" ></A ><P ></P @@ -12217,7 +12280,7 @@ used in a zone file.</P ><DIV CLASS="informaltable" ><A -NAME="AEN4426" +NAME="AEN4439" ></A ><P ></P @@ -12300,7 +12363,7 @@ CLASS="sect2" ><H2 CLASS="sect2" ><A -NAME="AEN4449" +NAME="AEN4462" >6.3.4. Inverse Mapping in IPv4</A ></H2 ><P @@ -12327,7 +12390,7 @@ CLASS="optional" ><DIV CLASS="informaltable" ><A -NAME="AEN4454" +NAME="AEN4467" ></A ><P ></P @@ -12407,7 +12470,7 @@ CLASS="sect2" ><H2 CLASS="sect2" ><A -NAME="AEN4476" +NAME="AEN4489" >6.3.5. Other Zone File Directives</A ></H2 ><P @@ -12432,7 +12495,7 @@ CLASS="sect3" ><H3 CLASS="sect3" ><A -NAME="AEN4483" +NAME="AEN4496" >6.3.5.1. The <B CLASS="command" >$ORIGIN</B @@ -12502,7 +12565,7 @@ CLASS="sect3" ><H3 CLASS="sect3" ><A -NAME="AEN4503" +NAME="AEN4516" >6.3.5.2. The <B CLASS="command" >$INCLUDE</B 
@@ -12584,7 +12647,7 @@ CLASS="sect3" ><H3 CLASS="sect3" ><A -NAME="AEN4523" +NAME="AEN4536" >6.3.5.3. The <B CLASS="command" >$TTL</B @@ -12624,7 +12687,7 @@ CLASS="sect2" ><H2 CLASS="sect2" ><A -NAME="AEN4534" +NAME="AEN4547" >6.3.6. <SPAN CLASS="acronym" >BIND</SPAN @@ -12719,7 +12782,7 @@ CLASS="literal" ><DIV CLASS="informaltable" ><A -NAME="AEN4558" +NAME="AEN4571" ></A ><P ></P diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index 9ef11d9c2e..36a3108aaf 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -89,7 +89,7 @@ HREF="Bv9ARM.ch07.html#Access_Control_Lists" ></DT ><DT >7.2. <A -HREF="Bv9ARM.ch07.html#AEN4651" +HREF="Bv9ARM.ch07.html#AEN4664" ><B CLASS="command" >chroot</B @@ -197,7 +197,7 @@ CLASS="sect1" ><H1 CLASS="sect1" ><A -NAME="AEN4651" +NAME="AEN4664" >7.2. <B CLASS="command" >chroot</B @@ -279,7 +279,7 @@ CLASS="sect2" ><H2 CLASS="sect2" ><A -NAME="AEN4674" +NAME="AEN4687" >7.2.1. The <B CLASS="command" >chroot</B @@ -355,7 +355,7 @@ CLASS="sect2" ><H2 CLASS="sect2" ><A -NAME="AEN4692" +NAME="AEN4705" >7.2.2. Using the <B CLASS="command" >setuid</B diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index 50fe8512c6..71573a90d3 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -81,17 +81,17 @@ CLASS="TOC" ></DT ><DT >8.1. <A -HREF="Bv9ARM.ch08.html#AEN4713" +HREF="Bv9ARM.ch08.html#AEN4726" >Common Problems</A ></DT ><DT >8.2. <A -HREF="Bv9ARM.ch08.html#AEN4718" +HREF="Bv9ARM.ch08.html#AEN4731" >Incrementing and Changing the Serial Number</A ></DT ><DT >8.3. <A -HREF="Bv9ARM.ch08.html#AEN4723" +HREF="Bv9ARM.ch08.html#AEN4736" >Where Can I Get Help?</A ></DT ></DL @@ -101,7 +101,7 @@ CLASS="sect1" ><H1 CLASS="sect1" ><A -NAME="AEN4713" +NAME="AEN4726" >8.1. Common Problems</A ></H1 ><DIV @@ -109,7 +109,7 @@ CLASS="sect2" ><H2 CLASS="sect2" ><A -NAME="AEN4715" +NAME="AEN4728" >8.1.1. It's not working; how can I figure out what's wrong?</A ></H2 ><P 
@@ -125,7 +125,7 @@ CLASS="sect1" ><H1 CLASS="sect1" ><A -NAME="AEN4718" +NAME="AEN4731" >8.2. Incrementing and Changing the Serial Number</A ></H1 ><P @@ -154,7 +154,7 @@ CLASS="sect1" ><H1 CLASS="sect1" ><A -NAME="AEN4723" +NAME="AEN4736" >8.3. Where Can I Get Help?</A ></H1 ><P diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index e4121e933b..b1a40e8456 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -74,7 +74,7 @@ CLASS="TOC" ></DT ><DT >A.1. <A -HREF="Bv9ARM.ch09.html#AEN4739" +HREF="Bv9ARM.ch09.html#AEN4752" >Acknowledgments</A ></DT ><DT @@ -97,7 +97,7 @@ CLASS="sect1" ><H1 CLASS="sect1" ><A -NAME="AEN4739" +NAME="AEN4752" >A.1. Acknowledgments</A ></H1 ><DIV @@ -105,7 +105,7 @@ CLASS="sect2" ><H2 CLASS="sect2" ><A -NAME="AEN4741" +NAME="AEN4754" >A.1.1. A Brief History of the <SPAN CLASS="acronym" >DNS</SPAN @@ -269,7 +269,7 @@ Unicast address scheme. For more information, see RFC 2374.</P ><DIV CLASS="informaltable" ><A -NAME="AEN4777" +NAME="AEN4790" ></A ><P ></P @@ -488,7 +488,7 @@ VALIGN="MIDDLE" <DIV CLASS="informaltable" ><A -NAME="AEN4846" +NAME="AEN4859" ></A ><P ></P @@ -746,19 +746,19 @@ TARGET="_top" </P ><H3 ><A -NAME="AEN4914" +NAME="AEN4927" >Bibliography</A ></H3 ><H2 CLASS="bibliodiv" ><A -NAME="AEN4915" +NAME="AEN4928" >Standards</A ></H2 ><DIV CLASS="biblioentry" ><A -NAME="AEN4917" +NAME="AEN4930" ></A ><P >[RFC974] <SPAN @@ -775,7 +775,7 @@ STYLE="margin-left=0.5in" ><DIV CLASS="biblioentry" ><A -NAME="AEN4924" +NAME="AEN4937" ></A ><P >[RFC1034] <SPAN @@ -792,7 +792,7 @@ STYLE="margin-left=0.5in" ><DIV CLASS="biblioentry" ><A -NAME="AEN4931" +NAME="AEN4944" ></A ><P >[RFC1035] <SPAN @@ -816,7 +816,7 @@ NAME="proposed_standards" ><DIV CLASS="biblioentry" ><A -NAME="AEN4940" +NAME="AEN4953" ></A ><P >[RFC2181] <SPAN @@ -836,7 +836,7 @@ STYLE="margin-left=0.5in" ><DIV CLASS="biblioentry" ><A -NAME="AEN4948" +NAME="AEN4961" ></A ><P >[RFC2308] <SPAN 
@@ -856,7 +856,7 @@ STYLE="margin-left=0.5in" ><DIV CLASS="biblioentry" ><A -NAME="AEN4956" +NAME="AEN4969" ></A ><P >[RFC1995] <SPAN @@ -876,7 +876,7 @@ STYLE="margin-left=0.5in" ><DIV CLASS="biblioentry" ><A -NAME="AEN4964" +NAME="AEN4977" ></A ><P >[RFC1996] <SPAN @@ -893,7 +893,7 @@ STYLE="margin-left=0.5in" ><DIV CLASS="biblioentry" ><A -NAME="AEN4971" +NAME="AEN4984" ></A ><P >[RFC2136] <SPAN @@ -919,7 +919,7 @@ STYLE="margin-left=0.5in" ><DIV CLASS="biblioentry" ><A -NAME="AEN4988" +NAME="AEN5001" ></A ><P >[RFC2845] <SPAN @@ -948,13 +948,13 @@ STYLE="margin-left=0.5in" ><H2 CLASS="bibliodiv" ><A -NAME="AEN5007" +NAME="AEN5020" >Proposed Standards Still Under Development</A ></H2 ><DIV CLASS="biblioentry" ><A -NAME="AEN5012" +NAME="AEN5025" ></A ><P >[RFC1886] <SPAN @@ -977,7 +977,7 @@ STYLE="margin-left=0.5in" ><DIV CLASS="biblioentry" ><A -NAME="AEN5024" +NAME="AEN5037" ></A ><P >[RFC2065] <SPAN @@ -997,7 +997,7 @@ STYLE="margin-left=0.5in" ><DIV CLASS="biblioentry" ><A -NAME="AEN5036" +NAME="AEN5049" ></A ><P >[RFC2137] <SPAN @@ -1014,7 +1014,7 @@ STYLE="margin-left=0.5in" ><H2 CLASS="bibliodiv" ><A -NAME="AEN5044" +NAME="AEN5057" >Other Important RFCs About <SPAN CLASS="acronym" >DNS</SPAN @@ -1023,7 +1023,7 @@ CLASS="acronym" ><DIV CLASS="biblioentry" ><A -NAME="AEN5047" +NAME="AEN5060" ></A ><P >[RFC1535] <SPAN @@ -1043,7 +1043,7 @@ STYLE="margin-left=0.5in" ><DIV CLASS="biblioentry" ><A -NAME="AEN5055" +NAME="AEN5068" ></A ><P >[RFC1536] <SPAN @@ -1075,7 +1075,7 @@ STYLE="margin-left=0.5in" ><DIV CLASS="biblioentry" ><A -NAME="AEN5076" +NAME="AEN5089" ></A ><P >[RFC1982] <SPAN @@ -1095,13 +1095,13 @@ STYLE="margin-left=0.5in" ><H2 CLASS="bibliodiv" ><A -NAME="AEN5087" +NAME="AEN5100" >Resource Record Types</A ></H2 ><DIV CLASS="biblioentry" ><A -NAME="AEN5089" +NAME="AEN5102" ></A ><P >[RFC1183] <SPAN @@ -1130,7 +1130,7 @@ STYLE="margin-left=0.5in" ><DIV CLASS="biblioentry" ><A -NAME="AEN5107" +NAME="AEN5120" ></A ><P >[RFC1706] <SPAN 
@@ -1153,7 +1153,7 @@ STYLE="margin-left=0.5in" ><DIV CLASS="biblioentry" ><A -NAME="AEN5119" +NAME="AEN5132" ></A ><P >[RFC2168] <SPAN @@ -1174,7 +1174,7 @@ STYLE="margin-left=0.5in" ><DIV CLASS="biblioentry" ><A -NAME="AEN5130" +NAME="AEN5143" ></A ><P >[RFC1876] <SPAN @@ -1201,7 +1201,7 @@ STYLE="margin-left=0.5in" ><DIV CLASS="biblioentry" ><A -NAME="AEN5147" +NAME="AEN5160" ></A ><P >[RFC2052] <SPAN @@ -1225,7 +1225,7 @@ STYLE="margin-left=0.5in" ><DIV CLASS="biblioentry" ><A -NAME="AEN5159" +NAME="AEN5172" ></A ><P >[RFC2163] <SPAN @@ -1246,7 +1246,7 @@ STYLE="margin-left=0.5in" ><DIV CLASS="biblioentry" ><A -NAME="AEN5167" +NAME="AEN5180" ></A ><P >[RFC2230] <SPAN @@ -1266,7 +1266,7 @@ STYLE="margin-left=0.5in" ><H2 CLASS="bibliodiv" ><A -NAME="AEN5175" +NAME="AEN5188" ><SPAN CLASS="acronym" >DNS</SPAN @@ -1275,7 +1275,7 @@ CLASS="acronym" ><DIV CLASS="biblioentry" ><A -NAME="AEN5178" +NAME="AEN5191" ></A ><P >[RFC1101] <SPAN @@ -1295,7 +1295,7 @@ STYLE="margin-left=0.5in" ><DIV CLASS="biblioentry" ><A -NAME="AEN5186" +NAME="AEN5199" ></A ><P >[RFC1123] <SPAN @@ -1312,7 +1312,7 @@ STYLE="margin-left=0.5in" ><DIV CLASS="biblioentry" ><A -NAME="AEN5193" +NAME="AEN5206" ></A ><P >[RFC1591] <SPAN @@ -1329,7 +1329,7 @@ STYLE="margin-left=0.5in" ><DIV CLASS="biblioentry" ><A -NAME="AEN5200" +NAME="AEN5213" ></A ><P >[RFC2317] <SPAN @@ -1352,7 +1352,7 @@ STYLE="margin-left=0.5in" ><H2 CLASS="bibliodiv" ><A -NAME="AEN5214" +NAME="AEN5227" ><SPAN CLASS="acronym" >DNS</SPAN @@ -1361,7 +1361,7 @@ CLASS="acronym" ><DIV CLASS="biblioentry" ><A -NAME="AEN5217" +NAME="AEN5230" ></A ><P >[RFC1537] <SPAN @@ -1381,7 +1381,7 @@ STYLE="margin-left=0.5in" ><DIV CLASS="biblioentry" ><A -NAME="AEN5225" +NAME="AEN5238" ></A ><P >[RFC1912] <SPAN @@ -1401,7 +1401,7 @@ STYLE="margin-left=0.5in" ><DIV CLASS="biblioentry" ><A -NAME="AEN5233" +NAME="AEN5246" ></A ><P >[RFC2010] <SPAN 
@@ -1421,7 +1421,7 @@ STYLE="margin-left=0.5in" ><DIV CLASS="biblioentry" ><A -NAME="AEN5244" +NAME="AEN5257" ></A ><P >[RFC2219] <SPAN @@ -1444,7 +1444,7 @@ STYLE="margin-left=0.5in" ><H2 CLASS="bibliodiv" ><A -NAME="AEN5256" +NAME="AEN5269" >Other <SPAN CLASS="acronym" >DNS</SPAN @@ -1453,7 +1453,7 @@ CLASS="acronym" ><DIV CLASS="biblioentry" ><A -NAME="AEN5262" +NAME="AEN5275" ></A ><P >[RFC1464] <SPAN @@ -1470,7 +1470,7 @@ STYLE="margin-left=0.5in" ><DIV CLASS="biblioentry" ><A -NAME="AEN5269" +NAME="AEN5282" ></A ><P >[RFC1713] <SPAN @@ -1490,7 +1490,7 @@ STYLE="margin-left=0.5in" ><DIV CLASS="biblioentry" ><A -NAME="AEN5277" +NAME="AEN5290" ></A ><P >[RFC1794] <SPAN @@ -1510,7 +1510,7 @@ STYLE="margin-left=0.5in" ><DIV CLASS="biblioentry" ><A -NAME="AEN5285" +NAME="AEN5298" ></A ><P >[RFC2240] <SPAN @@ -1527,7 +1527,7 @@ STYLE="margin-left=0.5in" ><DIV CLASS="biblioentry" ><A -NAME="AEN5292" +NAME="AEN5305" ></A ><P >[RFC2345] <SPAN @@ -1550,7 +1550,7 @@ STYLE="margin-left=0.5in" ><DIV CLASS="biblioentry" ><A -NAME="AEN5306" +NAME="AEN5319" ></A ><P >[RFC2352] <SPAN @@ -1567,13 +1567,13 @@ STYLE="margin-left=0.5in" ><H2 CLASS="bibliodiv" ><A -NAME="AEN5313" +NAME="AEN5326" >Obsolete and Unimplemented Experimental RRs</A ></H2 ><DIV CLASS="biblioentry" ><A -NAME="AEN5315" +NAME="AEN5328" ></A ><P >[RFC1712] <SPAN @@ -1624,7 +1624,7 @@ CLASS="sect2" ><H2 CLASS="sect2" ><A -NAME="AEN5336" +NAME="AEN5349" >A.3.3. Other Documents About <SPAN CLASS="acronym" >BIND</SPAN @@ -1634,13 +1634,13 @@ CLASS="acronym" ></P ><H3 ><A -NAME="AEN5340" +NAME="AEN5353" >Bibliography</A ></H3 ><DIV CLASS="biblioentry" ><A -NAME="AEN5341" +NAME="AEN5354" ></A ><P ><SPAN diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index 120716ac0e..f75c737bd3 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -546,7 +546,7 @@ CLASS="command" ></DT ><DT >6.2.19. <A -HREF="Bv9ARM.ch06.html#AEN3394" +HREF="Bv9ARM.ch06.html#AEN3406" ><B CLASS="command" >trusted-keys</B 
@@ -554,7 +554,7 @@ CLASS="command" ></DT ><DT >6.2.20. <A -HREF="Bv9ARM.ch06.html#AEN3410" +HREF="Bv9ARM.ch06.html#AEN3422" ><B CLASS="command" >trusted-keys</B @@ -571,7 +571,7 @@ CLASS="command" ></DT ><DT >6.2.22. <A -HREF="Bv9ARM.ch06.html#AEN3432" +HREF="Bv9ARM.ch06.html#AEN3444" ><B CLASS="command" >view</B @@ -588,7 +588,7 @@ Statement Grammar</A ></DT ><DT >6.2.24. <A -HREF="Bv9ARM.ch06.html#AEN3606" +HREF="Bv9ARM.ch06.html#AEN3619" ><B CLASS="command" >zone</B @@ -598,7 +598,7 @@ CLASS="command" ></DD ><DT >6.3. <A -HREF="Bv9ARM.ch06.html#AEN4008" +HREF="Bv9ARM.ch06.html#AEN4021" >Zone File</A ></DT ><DD @@ -610,7 +610,7 @@ HREF="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them" ></DT ><DT >6.3.2. <A -HREF="Bv9ARM.ch06.html#AEN4328" +HREF="Bv9ARM.ch06.html#AEN4341" >Discussion of MX Records</A ></DT ><DT @@ -620,17 +620,17 @@ HREF="Bv9ARM.ch06.html#Setting_TTLs" ></DT ><DT >6.3.4. <A -HREF="Bv9ARM.ch06.html#AEN4449" +HREF="Bv9ARM.ch06.html#AEN4462" >Inverse Mapping in IPv4</A ></DT ><DT >6.3.5. <A -HREF="Bv9ARM.ch06.html#AEN4476" +HREF="Bv9ARM.ch06.html#AEN4489" >Other Zone File Directives</A ></DT ><DT >6.3.6. <A -HREF="Bv9ARM.ch06.html#AEN4534" +HREF="Bv9ARM.ch06.html#AEN4547" ><SPAN CLASS="acronym" >BIND</SPAN @@ -660,7 +660,7 @@ HREF="Bv9ARM.ch07.html#Access_Control_Lists" ></DT ><DT >7.2. <A -HREF="Bv9ARM.ch07.html#AEN4651" +HREF="Bv9ARM.ch07.html#AEN4664" ><B CLASS="command" >chroot</B @@ -674,7 +674,7 @@ UNIX servers)</A ><DL ><DT >7.2.1. <A -HREF="Bv9ARM.ch07.html#AEN4674" +HREF="Bv9ARM.ch07.html#AEN4687" >The <B CLASS="command" >chroot</B @@ -682,7 +682,7 @@ CLASS="command" ></DT ><DT >7.2.2. <A -HREF="Bv9ARM.ch07.html#AEN4692" +HREF="Bv9ARM.ch07.html#AEN4705" >Using the <B CLASS="command" >setuid</B 
@@ -706,26 +706,26 @@ HREF="Bv9ARM.ch08.html" ><DL ><DT >8.1. <A -HREF="Bv9ARM.ch08.html#AEN4713" +HREF="Bv9ARM.ch08.html#AEN4726" >Common Problems</A ></DT ><DD ><DL ><DT >8.1.1. <A -HREF="Bv9ARM.ch08.html#AEN4715" +HREF="Bv9ARM.ch08.html#AEN4728" >It's not working; how can I figure out what's wrong?</A ></DT ></DL ></DD ><DT >8.2. <A -HREF="Bv9ARM.ch08.html#AEN4718" +HREF="Bv9ARM.ch08.html#AEN4731" >Incrementing and Changing the Serial Number</A ></DT ><DT >8.3. <A -HREF="Bv9ARM.ch08.html#AEN4723" +HREF="Bv9ARM.ch08.html#AEN4736" >Where Can I Get Help?</A ></DT ></DL @@ -739,14 +739,14 @@ HREF="Bv9ARM.ch09.html" ><DL ><DT >A.1. <A -HREF="Bv9ARM.ch09.html#AEN4739" +HREF="Bv9ARM.ch09.html#AEN4752" >Acknowledgments</A ></DT ><DD ><DL ><DT >A.1.1. <A -HREF="Bv9ARM.ch09.html#AEN4741" +HREF="Bv9ARM.ch09.html#AEN4754" >A Brief History of the <SPAN CLASS="acronym" >DNS</SPAN @@ -793,7 +793,7 @@ HREF="Bv9ARM.ch09.html#internet_drafts" ></DT ><DT >A.3.3. <A -HREF="Bv9ARM.ch09.html#AEN5336" +HREF="Bv9ARM.ch09.html#AEN5349" >Other Documents About <SPAN CLASS="acronym" >BIND</SPAN diff --git a/lib/lwres/man/lwres.3 b/lib/lwres/man/lwres.3 index 949ac87ab9..fe5c4c5951 100644 --- a/lib/lwres/man/lwres.3 +++ b/lib/lwres/man/lwres.3 @@ -1,3 +1,4 @@ +.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" @@ -13,8 +14,6 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres.3,v 1.17 2004/03/05 12:40:38 marka Exp $ -.\" .TH "LWRES" "3" "Jun 30, 2000" "BIND9" "" .SH NAME lwres \- introduction to the lightweight resolver library diff --git a/lib/lwres/man/lwres.html b/lib/lwres/man/lwres.html index f87478d3a1..2c02244ebf 100644 --- a/lib/lwres/man/lwres.html +++ b/lib/lwres/man/lwres.html 
@@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,9 +14,6 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $Id: lwres.html,v 1.5 2004/03/05 08:32:19 marka Exp $ --> - <HTML ><HEAD ><TITLE diff --git a/lib/lwres/man/lwres_buffer.3 b/lib/lwres/man/lwres_buffer.3 index 6ba1648da4..44bccfc913 100644 --- a/lib/lwres/man/lwres_buffer.3 +++ b/lib/lwres/man/lwres_buffer.3 @@ -1,3 +1,4 @@ +.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" @@ -13,8 +14,6 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_buffer.3,v 1.15 2004/03/05 12:40:38 marka Exp $ -.\" .TH "LWRES_BUFFER" "3" "Jun 30, 2000" "BIND9" "" .SH NAME lwres_buffer_init, lwres_buffer_invalidate, lwres_buffer_add, lwres_buffer_subtract, lwres_buffer_clear, lwres_buffer_first, lwres_buffer_forward, lwres_buffer_back, lwres_buffer_getuint8, lwres_buffer_putuint8, lwres_buffer_getuint16, lwres_buffer_putuint16, lwres_buffer_getuint32, lwres_buffer_putuint32, lwres_buffer_putmem, lwres_buffer_getmem \- lightweight resolver buffer management diff --git a/lib/lwres/man/lwres_buffer.html b/lib/lwres/man/lwres_buffer.html index 87b5909b27..9529f7138c 100644 
--- a/lib/lwres/man/lwres_buffer.html +++ b/lib/lwres/man/lwres_buffer.html @@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,9 +14,6 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $Id: lwres_buffer.html,v 1.5 2004/03/05 08:32:19 marka Exp $ --> - <HTML ><HEAD ><TITLE diff --git a/lib/lwres/man/lwres_config.3 b/lib/lwres/man/lwres_config.3 index 2152e3cd77..a638233391 100644 --- a/lib/lwres/man/lwres_config.3 +++ b/lib/lwres/man/lwres_config.3 @@ -1,3 +1,4 @@ +.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" @@ -13,8 +14,6 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_config.3,v 1.15 2004/03/05 12:40:38 marka Exp $ -.\" .TH "LWRES_CONFIG" "3" "Jun 30, 2000" "BIND9" "" .SH NAME lwres_conf_init, lwres_conf_clear, lwres_conf_parse, lwres_conf_print, lwres_conf_get \- lightweight resolver configuration diff --git a/lib/lwres/man/lwres_config.html b/lib/lwres/man/lwres_config.html index c2c98dd2e0..75ec9f6c6d 100644 --- a/lib/lwres/man/lwres_config.html +++ b/lib/lwres/man/lwres_config.html 
@@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,9 +14,6 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $Id: lwres_config.html,v 1.5 2004/03/05 08:32:19 marka Exp $ --> - <HTML ><HEAD ><TITLE diff --git a/lib/lwres/man/lwres_context.3 b/lib/lwres/man/lwres_context.3 index 378f8ebf75..9be410fc13 100644 --- a/lib/lwres/man/lwres_context.3 +++ b/lib/lwres/man/lwres_context.3 @@ -1,3 +1,4 @@ +.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" @@ -13,8 +14,6 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_context.3,v 1.17 2004/03/05 12:40:38 marka Exp $ -.\" .TH "LWRES_CONTEXT" "3" "Jun 30, 2000" "BIND9" "" .SH NAME lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_context_initserial, lwres_context_freemem, lwres_context_allocmem, lwres_context_sendrecv \- lightweight resolver context management diff --git a/lib/lwres/man/lwres_context.html b/lib/lwres/man/lwres_context.html index 13230ed728..dd602681c7 100644 --- a/lib/lwres/man/lwres_context.html +++ b/lib/lwres/man/lwres_context.html 
@@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,9 +14,6 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $Id: lwres_context.html,v 1.7 2004/03/05 08:32:19 marka Exp $ --> - <HTML ><HEAD ><TITLE diff --git a/lib/lwres/man/lwres_gabn.3 b/lib/lwres/man/lwres_gabn.3 index eab9b19b19..7331d2b109 100644 --- a/lib/lwres/man/lwres_gabn.3 +++ b/lib/lwres/man/lwres_gabn.3 @@ -1,3 +1,4 @@ +.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" @@ -13,8 +14,6 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_gabn.3,v 1.16 2004/03/05 12:40:38 marka Exp $ -.\" .TH "LWRES_GABN" "3" "Jun 30, 2000" "BIND9" "" .SH NAME lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lwres_gabnresponse_parse, lwres_gabnresponse_free, lwres_gabnrequest_free \- lightweight resolver getaddrbyname message handling diff --git a/lib/lwres/man/lwres_gabn.html b/lib/lwres/man/lwres_gabn.html index f911df9a52..25bff476cb 100644 --- a/lib/lwres/man/lwres_gabn.html +++ b/lib/lwres/man/lwres_gabn.html 
@@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,9 +14,6 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $Id: lwres_gabn.html,v 1.7 2004/03/05 08:32:19 marka Exp $ --> - <HTML ><HEAD ><TITLE diff --git a/lib/lwres/man/lwres_gai_strerror.3 b/lib/lwres/man/lwres_gai_strerror.3 index 14ad3677d7..a100eece7e 100644 --- a/lib/lwres/man/lwres_gai_strerror.3 +++ b/lib/lwres/man/lwres_gai_strerror.3 @@ -1,3 +1,4 @@ +.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" @@ -13,8 +14,6 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_gai_strerror.3,v 1.16 2004/03/05 12:40:38 marka Exp $ -.\" .TH "LWRES_GAI_STRERROR" "3" "Jun 30, 2000" "BIND9" "" .SH NAME gai_strerror \- print suitable error string diff --git a/lib/lwres/man/lwres_gai_strerror.html b/lib/lwres/man/lwres_gai_strerror.html index 8ca68a6a83..97243d0525 100644 --- a/lib/lwres/man/lwres_gai_strerror.html +++ b/lib/lwres/man/lwres_gai_strerror.html 
@@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,9 +14,6 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $Id: lwres_gai_strerror.html,v 1.6 2004/03/05 08:32:20 marka Exp $ --> - <HTML ><HEAD ><TITLE diff --git a/lib/lwres/man/lwres_getaddrinfo.3 b/lib/lwres/man/lwres_getaddrinfo.3 index 55c86db678..04ddd5d03c 100644 --- a/lib/lwres/man/lwres_getaddrinfo.3 +++ b/lib/lwres/man/lwres_getaddrinfo.3 @@ -1,3 +1,4 @@ +.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" @@ -13,8 +14,6 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_getaddrinfo.3,v 1.20 2004/03/05 12:40:38 marka Exp $ -.\" .TH "LWRES_GETADDRINFO" "3" "Jun 30, 2000" "BIND9" "" .SH NAME lwres_getaddrinfo, lwres_freeaddrinfo \- socket address structure to host and service name diff --git a/lib/lwres/man/lwres_getaddrinfo.html b/lib/lwres/man/lwres_getaddrinfo.html index 0fa1ad6047..36dcee9cfa 100644 --- a/lib/lwres/man/lwres_getaddrinfo.html +++ b/lib/lwres/man/lwres_getaddrinfo.html 
@@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001, 2003 Internet Software Consortium. - - + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,9 +14,6 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $Id: lwres_getaddrinfo.html,v 1.10 2004/03/05 08:32:20 marka Exp $ --> - <HTML ><HEAD ><TITLE diff --git a/lib/lwres/man/lwres_gethostent.3 b/lib/lwres/man/lwres_gethostent.3 index 93efce9c73..41435b84e5 100644 --- a/lib/lwres/man/lwres_gethostent.3 +++ b/lib/lwres/man/lwres_gethostent.3 @@ -1,5 +1,6 @@ +.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2001 Internet Software Consortium. +.\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -13,8 +14,6 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_gethostent.3,v 1.19 2004/03/05 12:40:38 marka Exp $ -.\" .TH "LWRES_GETHOSTENT" "3" "Jun 30, 2000" "BIND9" "" .SH NAME lwres_gethostbyname, lwres_gethostbyname2, lwres_gethostbyaddr, lwres_gethostent, lwres_sethostent, lwres_endhostent, lwres_gethostbyname_r, lwres_gethostbyaddr_r, lwres_gethostent_r, lwres_sethostent_r, lwres_endhostent_r \- lightweight resolver get network host entry 
diff --git a/lib/lwres/man/lwres_gethostent.html b/lib/lwres/man/lwres_gethostent.html index a636b61cc0..55bb7393ff 100644 --- a/lib/lwres/man/lwres_gethostent.html +++ b/lib/lwres/man/lwres_gethostent.html @@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,9 +14,6 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $Id: lwres_gethostent.html,v 1.9 2004/03/05 08:32:20 marka Exp $ --> - <HTML ><HEAD ><TITLE diff --git a/lib/lwres/man/lwres_getipnode.3 b/lib/lwres/man/lwres_getipnode.3 index c10fd94040..980eac1c1f 100644 --- a/lib/lwres/man/lwres_getipnode.3 +++ b/lib/lwres/man/lwres_getipnode.3 @@ -1,3 +1,4 @@ +.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" @@ -13,8 +14,6 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_getipnode.3,v 1.17 2004/03/05 12:40:38 marka Exp $ -.\" .TH "LWRES_GETIPNODE" "3" "Jun 30, 2000" "BIND9" "" .SH NAME lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent \- lightweight resolver nodename / address translation API diff --git a/lib/lwres/man/lwres_getipnode.html b/lib/lwres/man/lwres_getipnode.html index 9dcd5cc281..3551dcddb6 100644 --- a/lib/lwres/man/lwres_getipnode.html 
+++ b/lib/lwres/man/lwres_getipnode.html @@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001, 2003 Internet Software Consortium. - - + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,9 +14,6 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $Id: lwres_getipnode.html,v 1.9 2004/03/05 08:32:20 marka Exp $ --> - <HTML ><HEAD ><TITLE diff --git a/lib/lwres/man/lwres_getnameinfo.3 b/lib/lwres/man/lwres_getnameinfo.3 index 30cececf13..d05dcdea1d 100644 --- a/lib/lwres/man/lwres_getnameinfo.3 +++ b/lib/lwres/man/lwres_getnameinfo.3 @@ -1,3 +1,4 @@ +.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" @@ -13,8 +14,6 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_getnameinfo.3,v 1.18 2004/03/05 12:40:39 marka Exp $ -.\" .TH "LWRES_GETNAMEINFO" "3" "Jun 30, 2000" "BIND9" "" .SH NAME lwres_getnameinfo \- lightweight resolver socket address structure to hostname and service name diff --git a/lib/lwres/man/lwres_getnameinfo.html b/lib/lwres/man/lwres_getnameinfo.html index 697d130297..48bb5ce66e 100644 --- a/lib/lwres/man/lwres_getnameinfo.html +++ b/lib/lwres/man/lwres_getnameinfo.html 
@@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,9 +14,6 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $Id: lwres_getnameinfo.html,v 1.6 2004/03/05 08:32:20 marka Exp $ --> - <HTML ><HEAD ><TITLE diff --git a/lib/lwres/man/lwres_getrrsetbyname.3 b/lib/lwres/man/lwres_getrrsetbyname.3 index 98c82e7b3c..cf373defba 100644 --- a/lib/lwres/man/lwres_getrrsetbyname.3 +++ b/lib/lwres/man/lwres_getrrsetbyname.3 @@ -1,3 +1,4 @@ +.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" @@ -13,8 +14,6 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_getrrsetbyname.3,v 1.14 2004/03/05 12:40:39 marka Exp $ -.\" .TH "LWRES_GETRRSETBYNAME" "3" "Oct 18, 2000" "BIND9" "" .SH NAME lwres_getrrsetbyname, lwres_freerrset \- retrieve DNS records diff --git a/lib/lwres/man/lwres_getrrsetbyname.html b/lib/lwres/man/lwres_getrrsetbyname.html index f43a37896d..477426eef2 100644 --- a/lib/lwres/man/lwres_getrrsetbyname.html +++ b/lib/lwres/man/lwres_getrrsetbyname.html 
@@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,9 +14,6 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $Id: lwres_getrrsetbyname.html,v 1.6 2004/03/05 08:32:20 marka Exp $ --> - <HTML ><HEAD ><TITLE diff --git a/lib/lwres/man/lwres_gnba.3 b/lib/lwres/man/lwres_gnba.3 index 40ac772a33..aa950d72f5 100644 --- a/lib/lwres/man/lwres_gnba.3 +++ b/lib/lwres/man/lwres_gnba.3 @@ -1,3 +1,4 @@ +.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" @@ -13,8 +14,6 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_gnba.3,v 1.16 2004/03/05 12:40:39 marka Exp $ -.\" .TH "LWRES_GNBA" "3" "Jun 30, 2000" "BIND9" "" .SH NAME lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lwres_gnbaresponse_parse, lwres_gnbaresponse_free, lwres_gnbarequest_free \- lightweight resolver getnamebyaddress message handling diff --git a/lib/lwres/man/lwres_gnba.html b/lib/lwres/man/lwres_gnba.html index c118765a7c..7d47fa24b6 100644 --- a/lib/lwres/man/lwres_gnba.html +++ b/lib/lwres/man/lwres_gnba.html 
@@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,9 +14,6 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $Id: lwres_gnba.html,v 1.7 2004/03/05 08:32:21 marka Exp $ --> - <HTML ><HEAD ><TITLE diff --git a/lib/lwres/man/lwres_hstrerror.3 b/lib/lwres/man/lwres_hstrerror.3 index 0fddab36e5..82574c0225 100644 --- a/lib/lwres/man/lwres_hstrerror.3 +++ b/lib/lwres/man/lwres_hstrerror.3 @@ -1,3 +1,4 @@ +.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" @@ -13,8 +14,6 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_hstrerror.3,v 1.16 2004/03/05 12:40:39 marka Exp $ -.\" .TH "LWRES_HSTRERROR" "3" "Jun 30, 2000" "BIND9" "" .SH NAME lwres_herror, lwres_hstrerror \- lightweight resolver error message generation diff --git a/lib/lwres/man/lwres_hstrerror.html b/lib/lwres/man/lwres_hstrerror.html index 046eec9858..8da7f54558 100644 --- a/lib/lwres/man/lwres_hstrerror.html +++ b/lib/lwres/man/lwres_hstrerror.html 
@@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,9 +14,6 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $Id: lwres_hstrerror.html,v 1.6 2004/03/05 08:32:21 marka Exp $ --> - <HTML ><HEAD ><TITLE diff --git a/lib/lwres/man/lwres_inetntop.3 b/lib/lwres/man/lwres_inetntop.3 index 88d188d31f..3e431a7e25 100644 --- a/lib/lwres/man/lwres_inetntop.3 +++ b/lib/lwres/man/lwres_inetntop.3 @@ -1,3 +1,4 @@ +.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" @@ -13,8 +14,6 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_inetntop.3,v 1.15 2004/03/05 12:40:39 marka Exp $ -.\" .TH "LWRES_INETNTOP" "3" "Jun 30, 2000" "BIND9" "" .SH NAME lwres_net_ntop \- lightweight resolver IP address presentation diff --git a/lib/lwres/man/lwres_inetntop.html b/lib/lwres/man/lwres_inetntop.html index cec738965f..ca0569af23 100644 --- a/lib/lwres/man/lwres_inetntop.html +++ b/lib/lwres/man/lwres_inetntop.html 
@@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,9 +14,6 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $Id: lwres_inetntop.html,v 1.6 2004/03/05 08:32:21 marka Exp $ --> - <HTML ><HEAD ><TITLE diff --git a/lib/lwres/man/lwres_noop.3 b/lib/lwres/man/lwres_noop.3 index 8220f27f1e..a142352e47 100644 --- a/lib/lwres/man/lwres_noop.3 +++ b/lib/lwres/man/lwres_noop.3 @@ -1,3 +1,4 @@ +.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" @@ -13,8 +14,6 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_noop.3,v 1.17 2004/03/05 12:40:39 marka Exp $ -.\" .TH "LWRES_NOOP" "3" "Jun 30, 2000" "BIND9" "" .SH NAME lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lwres_noopresponse_parse, lwres_noopresponse_free, lwres_nooprequest_free \- lightweight resolver no-op message handling diff --git a/lib/lwres/man/lwres_noop.html b/lib/lwres/man/lwres_noop.html index ebd5d8d8e3..f89907379f 100644 --- a/lib/lwres/man/lwres_noop.html +++ b/lib/lwres/man/lwres_noop.html 
@@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2001 Internet Software Consortium. - - + - Copyright (C) 2000, 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,9 +14,6 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - -<!-- $Id: lwres_noop.html,v 1.8 2004/03/05 08:32:21 marka Exp $ --> - <HTML ><HEAD ><TITLE diff --git a/lib/lwres/man/lwres_packet.3 b/lib/lwres/man/lwres_packet.3 index df12e5af9e..3ba25659c9 100644 --- a/lib/lwres/man/lwres_packet.3 +++ b/lib/lwres/man/lwres_packet.3 @@ -1,3 +1,4 @@ +.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" @@ -13,8 +14,6 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_packet.3,v 1.18 2004/03/05 12:40:39 marka Exp $ -.\" .TH "LWRES_PACKET" "3" "Jun 30, 2000" "BIND9" "" .SH NAME lwres_lwpacket_renderheader, lwres_lwpacket_parseheader \- lightweight resolver packet handling functions diff --git a/lib/lwres/man/lwres_packet.html b/lib/lwres/man/lwres_packet.html index fe3f1b39c2..d7354604d5 100644 --- a/lib/lwres/man/lwres_packet.html +++ b/lib/lwres/man/lwres_packet.html 
@@ -1,11 +1,11 @@
 <!--
  - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001 Internet Software Consortium.
- -
+ - Copyright (C) 2000, 2001 Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- -
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
@@ -14,9 +14,6 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
-<!-- $Id: lwres_packet.html,v 1.9 2004/03/05 08:32:21 marka Exp $ -->
-
 <HTML
 ><HEAD
 ><TITLE
diff --git a/lib/lwres/man/lwres_resutil.3 b/lib/lwres/man/lwres_resutil.3
index 50d73ba541..59b39402df 100644
--- a/lib/lwres/man/lwres_resutil.3
+++ b/lib/lwres/man/lwres_resutil.3
@@ -1,3 +1,4 @@
+.\"
 .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001 Internet Software Consortium.
 .\"
@@ -13,8 +14,6 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_resutil.3,v 1.17 2004/03/05 12:40:39 marka Exp $
-.\"
 .TH "LWRES_RESUTIL" "3" "Jun 30, 2000" "BIND9" ""
 .SH NAME
 lwres_string_parse, lwres_addr_parse, lwres_getaddrsbyname, lwres_getnamebyaddr \- lightweight resolver utility functions
diff --git a/lib/lwres/man/lwres_resutil.html b/lib/lwres/man/lwres_resutil.html
index a67e315c8d..a2cbacabf3 100644
--- a/lib/lwres/man/lwres_resutil.html
+++ b/lib/lwres/man/lwres_resutil.html
@@ -1,11 +1,11 @@
 <!--
  - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001 Internet Software Consortium.
- -
+ - Copyright (C) 2000, 2001 Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- -
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
@@ -14,9 +14,6 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
-<!-- $Id: lwres_resutil.html,v 1.9 2004/03/05 08:32:21 marka Exp $ -->
-
 <HTML
 ><HEAD
 ><TITLE
From 61e1dc26d62c2a0059e3ca7efe2ad0f4a5b8df92 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 7 Apr 2004 00:57:04 +0000
Subject: [PATCH 022/146] regen
---
 bin/check/named-checkconf.8 | 5 +++--
 bin/check/named-checkconf.html | 9 ++++++---
 bin/check/named-checkzone.8 | 5 +++--
 bin/check/named-checkzone.html | 9 ++++++---
 bin/dig/dig.1 | 5 +++--
 bin/dig/dig.html | 9 ++++++---
 bin/dig/host.1 | 5 +++--
 bin/dig/host.html | 9 ++++++---
 bin/dnssec/dnssec-keygen.8 | 5 +++--
 bin/dnssec/dnssec-keygen.html | 9 ++++++---
 bin/dnssec/dnssec-signzone.8 | 5 +++--
 bin/dnssec/dnssec-signzone.html | 9 ++++++---
 bin/named/lwresd.8 | 3 ++-
 bin/named/lwresd.html | 7 +++++--
 bin/named/named.8 | 5 +++--
 bin/named/named.html | 9 ++++++---
 bin/nsupdate/nsupdate.8 | 5 +++--
 bin/nsupdate/nsupdate.html | 9 ++++++---
 bin/rndc/rndc-confgen.8 | 5 +++--
 bin/rndc/rndc-confgen.html | 9 ++++++---
 bin/rndc/rndc.8 | 3 ++-
 bin/rndc/rndc.conf.5 | 3 ++-
 bin/rndc/rndc.conf.html | 9 ++++++---
 bin/rndc/rndc.html | 9 ++++++---
 lib/lwres/man/lwres.3 | 3 ++-
 lib/lwres/man/lwres.html | 9 ++++++---
 lib/lwres/man/lwres_buffer.3 | 3 ++-
 lib/lwres/man/lwres_buffer.html | 9 ++++++---
 lib/lwres/man/lwres_config.3 | 3 ++-
 lib/lwres/man/lwres_config.html | 9 ++++++---
 lib/lwres/man/lwres_context.3 | 3 ++-
 lib/lwres/man/lwres_context.html | 9 ++++++---
 lib/lwres/man/lwres_gabn.3 | 3 ++-
 lib/lwres/man/lwres_gabn.html | 9 ++++++---
 lib/lwres/man/lwres_gai_strerror.3 | 3 ++-
 lib/lwres/man/lwres_gai_strerror.html | 9 ++++++---
 lib/lwres/man/lwres_getaddrinfo.3 | 3 ++-
 lib/lwres/man/lwres_getaddrinfo.html | 9 ++++++---
 lib/lwres/man/lwres_gethostent.3 | 5 +++--
 lib/lwres/man/lwres_gethostent.html | 9 ++++++---
 lib/lwres/man/lwres_getipnode.3 | 3 ++-
 lib/lwres/man/lwres_getipnode.html | 9 ++++++---
 lib/lwres/man/lwres_getnameinfo.3 | 3 ++-
 lib/lwres/man/lwres_getnameinfo.html | 9 ++++++---
 lib/lwres/man/lwres_getrrsetbyname.3 | 3 ++-
 lib/lwres/man/lwres_getrrsetbyname.html | 9 ++++++---
 lib/lwres/man/lwres_gnba.3 | 3 ++-
 lib/lwres/man/lwres_gnba.html | 9 ++++++---
 lib/lwres/man/lwres_hstrerror.3 | 3 ++-
 lib/lwres/man/lwres_hstrerror.html | 9 ++++++---
 lib/lwres/man/lwres_inetntop.3 | 3 ++-
 lib/lwres/man/lwres_inetntop.html | 9 ++++++---
 lib/lwres/man/lwres_noop.3 | 3 ++-
 lib/lwres/man/lwres_noop.html | 9 ++++++---
 lib/lwres/man/lwres_packet.3 | 3 ++-
 lib/lwres/man/lwres_packet.html | 9 ++++++---
 lib/lwres/man/lwres_resutil.3 | 3 ++-
 lib/lwres/man/lwres_resutil.html | 9 ++++++---
 58 files changed, 241 insertions(+), 125 deletions(-)
diff --git a/bin/check/named-checkconf.8 b/bin/check/named-checkconf.8
index 47378ff48a..bf7c81299c 100644
--- a/bin/check/named-checkconf.8
+++ b/bin/check/named-checkconf.8
@@ -1,6 +1,5 @@
-.\"
 .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\" Copyright (C) 2000-2002 Internet Software Consortium.
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +13,8 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
+.\" $Id: named-checkconf.8,v 1.18 2004/04/07 00:56:58 marka Exp $
+.\"
 .TH "NAMED-CHECKCONF" "8" "June 14, 2000" "BIND9" ""
 .SH NAME
 named-checkconf \- named configuration file syntax checking tool
diff --git a/bin/check/named-checkconf.html b/bin/check/named-checkconf.html
index 40beeaf8f1..b319248a24 100644
--- a/bin/check/named-checkconf.html
+++ b/bin/check/named-checkconf.html
@@ -1,11 +1,11 @@
 <!--
  - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
+ - Copyright (C) 2001, 2002 Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- -
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
@@ -14,6 +14,9 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
+
+<!-- $Id: named-checkconf.html,v 1.11 2004/04/07 00:56:58 marka Exp $ -->
+
 <HTML
 ><HEAD
 ><TITLE
diff --git a/bin/check/named-checkzone.8 b/bin/check/named-checkzone.8
index 3bb45c7135..9c3599b867 100644
--- a/bin/check/named-checkzone.8
+++ b/bin/check/named-checkzone.8
@@ -1,6 +1,5 @@
-.\"
 .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\" Copyright (C) 2000-2002 Internet Software Consortium.
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +13,8 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
+.\" $Id: named-checkzone.8,v 1.20 2004/04/07 00:56:58 marka Exp $
+.\"
 .TH "NAMED-CHECKZONE" "8" "June 13, 2000" "BIND9" ""
 .SH NAME
 named-checkzone \- zone file validity checking tool
diff --git a/bin/check/named-checkzone.html b/bin/check/named-checkzone.html
index 0b68690b78..6f3c95c76d 100644
--- a/bin/check/named-checkzone.html
+++ b/bin/check/named-checkzone.html
@@ -1,11 +1,11 @@
 <!--
  - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
+ - Copyright (C) 2001, 2002 Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- -
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
@@ -14,6 +14,9 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
+
+<!-- $Id: named-checkzone.html,v 1.13 2004/04/07 00:56:58 marka Exp $ -->
+
 <HTML
 ><HEAD
 ><TITLE
diff --git a/bin/dig/dig.1 b/bin/dig/dig.1
index 4fc30be507..4087888b3c 100644
--- a/bin/dig/dig.1
+++ b/bin/dig/dig.1
@@ -1,6 +1,5 @@
-.\"
 .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\" Copyright (C) 2000-2003 Internet Software Consortium.
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +13,8 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
+.\" $Id: dig.1,v 1.25 2004/04/07 00:56:58 marka Exp $
+.\"
 .TH "DIG" "1" "Jun 30, 2000" "BIND9" ""
 .SH NAME
 dig \- DNS lookup utility
diff --git a/bin/dig/dig.html b/bin/dig/dig.html
index 056a14f09c..f3d6802fd2 100644
--- a/bin/dig/dig.html
+++ b/bin/dig/dig.html
@@ -1,11 +1,11 @@
 <!--
  - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- -
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
@@ -14,6 +14,9 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
+
+<!-- $Id: dig.html,v 1.15 2004/04/07 00:56:59 marka Exp $ -->
+
 <HTML
 ><HEAD
 ><TITLE
diff --git a/bin/dig/host.1 b/bin/dig/host.1
index 871591e069..ff5af27c2b 100644
--- a/bin/dig/host.1
+++ b/bin/dig/host.1
@@ -1,6 +1,5 @@
-.\"
 .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\" Copyright (C) 2000-2002 Internet Software Consortium.
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +13,8 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
+.\" $Id: host.1,v 1.16 2004/04/07 00:56:59 marka Exp $
+.\"
 .TH "HOST" "1" "Jun 30, 2000" "BIND9" ""
 .SH NAME
 host \- DNS lookup utility
diff --git a/bin/dig/host.html b/bin/dig/host.html
index b60d62996a..77f279445f 100644
--- a/bin/dig/host.html
+++ b/bin/dig/host.html
@@ -1,11 +1,11 @@
 <!--
  - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
+ - Copyright (C) 2000-2002 Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- -
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
@@ -14,6 +14,9 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
+
+<!-- $Id: host.html,v 1.9 2004/04/07 00:56:59 marka Exp $ -->
+
 <HTML
 ><HEAD
 ><TITLE
diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8
index a607e51b4e..08b17aecb0 100644
--- a/bin/dnssec/dnssec-keygen.8
+++ b/bin/dnssec/dnssec-keygen.8
@@ -1,6 +1,5 @@
-.\"
 .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\" Copyright (C) 2000-2003 Internet Software Consortium.
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +13,8 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
+.\" $Id: dnssec-keygen.8,v 1.25 2004/04/07 00:56:59 marka Exp $
+.\"
 .TH "DNSSEC-KEYGEN" "8" "June 30, 2000" "BIND9" ""
 .SH NAME
 dnssec-keygen \- DNSSEC key generation tool
diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html
index 169274a612..f66e8e3a3f 100644
--- a/bin/dnssec/dnssec-keygen.html
+++ b/bin/dnssec/dnssec-keygen.html
@@ -1,11 +1,11 @@
 <!--
  - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
+ - Copyright (C) 2001-2003 Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- -
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
@@ -14,6 +14,9 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
+
+<!-- $Id: dnssec-keygen.html,v 1.11 2004/04/07 00:56:59 marka Exp $ -->
+
 <HTML
 ><HEAD
 ><TITLE
diff --git a/bin/dnssec/dnssec-signzone.8 b/bin/dnssec/dnssec-signzone.8
index 2a6581c4f8..2ac81231f6 100644
--- a/bin/dnssec/dnssec-signzone.8
+++ b/bin/dnssec/dnssec-signzone.8
@@ -1,6 +1,5 @@
-.\"
 .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\" Copyright (C) 2000-2003 Internet Software Consortium.
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +13,8 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
+.\" $Id: dnssec-signzone.8,v 1.30 2004/04/07 00:56:59 marka Exp $
+.\"
 .TH "DNSSEC-SIGNZONE" "8" "June 30, 2000" "BIND9" ""
 .SH NAME
 dnssec-signzone \- DNSSEC zone signing tool
diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html
index afd379a0f0..77bd1c4cb8 100644
--- a/bin/dnssec/dnssec-signzone.html
+++ b/bin/dnssec/dnssec-signzone.html
@@ -1,11 +1,11 @@
 <!--
  - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
+ - Copyright (C) 2001-2003 Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- -
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
@@ -14,6 +14,9 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
+
+<!-- $Id: dnssec-signzone.html,v 1.10 2004/04/07 00:56:59 marka Exp $ -->
+
 <HTML
 ><HEAD
 ><TITLE
diff --git a/bin/named/lwresd.8 b/bin/named/lwresd.8
index 35edcaee0b..46b4aca49d 100644
--- a/bin/named/lwresd.8
+++ b/bin/named/lwresd.8
@@ -1,4 +1,3 @@
-.\"
 .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001 Internet Software Consortium.
 .\"
@@ -14,6 +13,8 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
+.\" $Id: lwresd.8,v 1.17 2004/04/07 00:57:00 marka Exp $
+.\"
 .TH "LWRESD" "8" "June 30, 2000" "BIND9" ""
 .SH NAME
 lwresd \- lightweight resolver daemon
diff --git a/bin/named/lwresd.html b/bin/named/lwresd.html
index d07641c07b..e6b6d3215d 100644
--- a/bin/named/lwresd.html
+++ b/bin/named/lwresd.html
@@ -1,11 +1,11 @@
 <!--
  - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- -
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
@@ -14,6 +14,9 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
+
+<!-- $Id: lwresd.html,v 1.7 2004/04/07 00:57:00 marka Exp $ -->
+
 <HTML
 ><HEAD
 ><TITLE
diff --git a/bin/named/named.8 b/bin/named/named.8
index 4f55e88b4f..7f48deb719 100644
--- a/bin/named/named.8
+++ b/bin/named/named.8
@@ -1,6 +1,5 @@
-.\"
 .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +13,8 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
+.\" $Id: named.8,v 1.22 2004/04/07 00:57:00 marka Exp $
+.\"
 .TH "NAMED" "8" "June 30, 2000" "BIND9" ""
 .SH NAME
 named \- Internet domain name server
diff --git a/bin/named/named.html b/bin/named/named.html
index 0548445fa0..ffeb0cd39f 100644
--- a/bin/named/named.html
+++ b/bin/named/named.html
@@ -1,11 +1,11 @@
 <!--
  - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
+ - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- -
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
@@ -14,6 +14,9 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
+
+<!-- $Id: named.html,v 1.8 2004/04/07 00:57:00 marka Exp $ -->
+
 <HTML
 ><HEAD
 ><TITLE
diff --git a/bin/nsupdate/nsupdate.8 b/bin/nsupdate/nsupdate.8
index e1277e9230..83cbdcc13e 100644
--- a/bin/nsupdate/nsupdate.8
+++ b/bin/nsupdate/nsupdate.8
@@ -1,6 +1,5 @@
-.\"
 .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\" Copyright (C) 2000-2003 Internet Software Consortium.
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +13,8 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
+.\" $Id: nsupdate.8,v 1.32 2004/04/07 00:57:00 marka Exp $
+.\"
 .TH "NSUPDATE" "8" "Jun 30, 2000" "BIND9" ""
 .SH NAME
 nsupdate \- Dynamic DNS update utility
diff --git a/bin/nsupdate/nsupdate.html b/bin/nsupdate/nsupdate.html
index 6fdb7d0c95..87bad0ce12 100644
--- a/bin/nsupdate/nsupdate.html
+++ b/bin/nsupdate/nsupdate.html
@@ -1,11 +1,11 @@
 <!--
  - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
+ - Copyright (C) 2001-2003 Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- -
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
@@ -14,6 +14,9 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
+
+<!-- $Id: nsupdate.html,v 1.16 2004/04/07 00:57:01 marka Exp $ -->
+
 <HTML
 ><HEAD
 ><TITLE
diff --git a/bin/rndc/rndc-confgen.8 b/bin/rndc/rndc-confgen.8
index 0c82fa4872..0529b9b75d 100644
--- a/bin/rndc/rndc-confgen.8
+++ b/bin/rndc/rndc-confgen.8
@@ -1,6 +1,5 @@
-.\"
 .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\" Copyright (C) 2001-2003 Internet Software Consortium.
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +13,8 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
+.\" $Id: rndc-confgen.8,v 1.11 2004/04/07 00:57:01 marka Exp $
+.\"
 .TH "RNDC-CONFGEN" "8" "Aug 27, 2001" "BIND9" ""
 .SH NAME
 rndc-confgen \- rndc key generation tool
diff --git a/bin/rndc/rndc-confgen.html b/bin/rndc/rndc-confgen.html
index 2fa3ca61c2..bf178fed59 100644
--- a/bin/rndc/rndc-confgen.html
+++ b/bin/rndc/rndc-confgen.html
@@ -1,11 +1,11 @@
 <!--
  - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
+ - Copyright (C) 2001-2003 Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- -
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
@@ -14,6 +14,9 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
+
+<!-- $Id: rndc-confgen.html,v 1.10 2004/04/07 00:57:01 marka Exp $ -->
+
 <HTML
 ><HEAD
 ><TITLE
diff --git a/bin/rndc/rndc.8 b/bin/rndc/rndc.8
index c9d03b9188..226d925502 100644
--- a/bin/rndc/rndc.8
+++ b/bin/rndc/rndc.8
@@ -1,4 +1,3 @@
-.\"
 .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001 Internet Software Consortium.
 .\"
@@ -14,6 +13,8 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
+.\" $Id: rndc.8,v 1.28 2004/04/07 00:57:01 marka Exp $
+.\"
 .TH "RNDC" "8" "June 30, 2000" "BIND9" ""
 .SH NAME
 rndc \- name server control utility
diff --git a/bin/rndc/rndc.conf.5 b/bin/rndc/rndc.conf.5
index ffd1819d77..b1a08cae9f 100644
--- a/bin/rndc/rndc.conf.5
+++ b/bin/rndc/rndc.conf.5
@@ -1,4 +1,3 @@
-.\"
 .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001 Internet Software Consortium.
 .\"
@@ -14,6 +13,8 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
+.\" $Id: rndc.conf.5,v 1.25 2004/04/07 00:57:01 marka Exp $
+.\"
 .TH "RNDC.CONF" "5" "June 30, 2000" "BIND9" ""
 .SH NAME
 rndc.conf \- rndc configuration file
diff --git a/bin/rndc/rndc.conf.html b/bin/rndc/rndc.conf.html
index c1816c9cbb..83d72797bd 100644
--- a/bin/rndc/rndc.conf.html
+++ b/bin/rndc/rndc.conf.html
@@ -1,11 +1,11 @@
 <!--
  - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- -
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
@@ -14,6 +14,9 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
+
+<!-- $Id: rndc.conf.html,v 1.8 2004/04/07 00:57:01 marka Exp $ -->
+
 <HTML
 ><HEAD
 ><TITLE
diff --git a/bin/rndc/rndc.html b/bin/rndc/rndc.html
index 376d193dae..941ef48964 100644
--- a/bin/rndc/rndc.html
+++ b/bin/rndc/rndc.html
@@ -1,11 +1,11 @@
 <!--
  - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- -
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
@@ -14,6 +14,9 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
+
+<!-- $Id: rndc.html,v 1.10 2004/04/07 00:57:01 marka Exp $ -->
+
 <HTML
 ><HEAD
 ><TITLE
diff --git a/lib/lwres/man/lwres.3 b/lib/lwres/man/lwres.3
index fe5c4c5951..5ab7e1c6bc 100644
--- a/lib/lwres/man/lwres.3
+++ b/lib/lwres/man/lwres.3
@@ -1,4 +1,3 @@
-.\"
 .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001 Internet Software Consortium.
 .\"
@@ -14,6 +13,8 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
+.\" $Id: lwres.3,v 1.19 2004/04/07 00:57:01 marka Exp $
+.\"
 .TH "LWRES" "3" "Jun 30, 2000" "BIND9" ""
 .SH NAME
 lwres \- introduction to the lightweight resolver library
diff --git a/lib/lwres/man/lwres.html b/lib/lwres/man/lwres.html
index 2c02244ebf..be6f16a424 100644
--- a/lib/lwres/man/lwres.html
+++ b/lib/lwres/man/lwres.html
@@ -1,11 +1,11 @@
 <!--
  - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- -
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
@@ -14,6 +14,9 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
+
+<!-- $Id: lwres.html,v 1.7 2004/04/07 00:57:01 marka Exp $ -->
+
 <HTML
 ><HEAD
 ><TITLE
diff --git a/lib/lwres/man/lwres_buffer.3 b/lib/lwres/man/lwres_buffer.3
index 44bccfc913..942732f6f6 100644
--- a/lib/lwres/man/lwres_buffer.3
+++ b/lib/lwres/man/lwres_buffer.3
@@ -1,4 +1,3 @@
-.\"
 .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001 Internet Software Consortium.
 .\"
@@ -14,6 +13,8 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
+.\" $Id: lwres_buffer.3,v 1.17 2004/04/07 00:57:02 marka Exp $
+.\"
 .TH "LWRES_BUFFER" "3" "Jun 30, 2000" "BIND9" ""
 .SH NAME
 lwres_buffer_init, lwres_buffer_invalidate, lwres_buffer_add, lwres_buffer_subtract, lwres_buffer_clear, lwres_buffer_first, lwres_buffer_forward, lwres_buffer_back, lwres_buffer_getuint8, lwres_buffer_putuint8, lwres_buffer_getuint16, lwres_buffer_putuint16, lwres_buffer_getuint32, lwres_buffer_putuint32, lwres_buffer_putmem, lwres_buffer_getmem \- lightweight resolver buffer management
diff --git a/lib/lwres/man/lwres_buffer.html b/lib/lwres/man/lwres_buffer.html
index 9529f7138c..2b3c278734 100644
--- a/lib/lwres/man/lwres_buffer.html
+++ b/lib/lwres/man/lwres_buffer.html
@@ -1,11 +1,11 @@
 <!--
  - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- -
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
@@ -14,6 +14,9 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
+
+<!-- $Id: lwres_buffer.html,v 1.7 2004/04/07 00:57:02 marka Exp $ -->
+
 <HTML
 ><HEAD
 ><TITLE
diff --git a/lib/lwres/man/lwres_config.3 b/lib/lwres/man/lwres_config.3
index a638233391..296807650f 100644
--- a/lib/lwres/man/lwres_config.3
+++ b/lib/lwres/man/lwres_config.3
@@ -1,4 +1,3 @@
-.\"
 .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001 Internet Software Consortium.
 .\"
@@ -14,6 +13,8 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
+.\" $Id: lwres_config.3,v 1.17 2004/04/07 00:57:02 marka Exp $
+.\"
 .TH "LWRES_CONFIG" "3" "Jun 30, 2000" "BIND9" ""
 .SH NAME
 lwres_conf_init, lwres_conf_clear, lwres_conf_parse, lwres_conf_print, lwres_conf_get \- lightweight resolver configuration
diff --git a/lib/lwres/man/lwres_config.html b/lib/lwres/man/lwres_config.html
index 75ec9f6c6d..719a665f65 100644
--- a/lib/lwres/man/lwres_config.html
+++ b/lib/lwres/man/lwres_config.html
@@ -1,11 +1,11 @@
 <!--
  - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- -
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
@@ -14,6 +14,9 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
+
+<!-- $Id: lwres_config.html,v 1.7 2004/04/07 00:57:02 marka Exp $ -->
+
 <HTML
 ><HEAD
 ><TITLE
diff --git a/lib/lwres/man/lwres_context.3 b/lib/lwres/man/lwres_context.3
index 9be410fc13..3001815f7f 100644
--- a/lib/lwres/man/lwres_context.3
+++ b/lib/lwres/man/lwres_context.3
@@ -1,4 +1,3 @@
-.\"
 .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001 Internet Software Consortium.
 .\"
@@ -14,6 +13,8 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
+.\" $Id: lwres_context.3,v 1.19 2004/04/07 00:57:02 marka Exp $
+.\"
 .TH "LWRES_CONTEXT" "3" "Jun 30, 2000" "BIND9" ""
 .SH NAME
 lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_context_initserial, lwres_context_freemem, lwres_context_allocmem, lwres_context_sendrecv \- lightweight resolver context management
diff --git a/lib/lwres/man/lwres_context.html b/lib/lwres/man/lwres_context.html
index dd602681c7..06fb1376a8 100644
--- a/lib/lwres/man/lwres_context.html
+++ b/lib/lwres/man/lwres_context.html
@@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2000, 2001 Internet Software Consortium. - - + - Copyright (C) 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,6 +14,9 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> + +<!-- $Id: lwres_context.html,v 1.9 2004/04/07 00:57:02 marka Exp $ --> + <HTML ><HEAD ><TITLE diff --git a/lib/lwres/man/lwres_gabn.3 b/lib/lwres/man/lwres_gabn.3 index 7331d2b109..89f574100c 100644 --- a/lib/lwres/man/lwres_gabn.3 +++ b/lib/lwres/man/lwres_gabn.3 @@ -1,4 +1,3 @@ -.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" @@ -14,6 +13,8 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" +.\" $Id: lwres_gabn.3,v 1.18 2004/04/07 00:57:02 marka Exp $ +.\" .TH "LWRES_GABN" "3" "Jun 30, 2000" "BIND9" "" .SH NAME lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lwres_gabnresponse_parse, lwres_gabnresponse_free, lwres_gabnrequest_free \- lightweight resolver getaddrbyname message handling diff --git a/lib/lwres/man/lwres_gabn.html b/lib/lwres/man/lwres_gabn.html index 25bff476cb..ec79c8d71e 100644 --- a/lib/lwres/man/lwres_gabn.html +++ b/lib/lwres/man/lwres_gabn.html 
@@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2000, 2001 Internet Software Consortium. - - + - Copyright (C) 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,6 +14,9 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> + +<!-- $Id: lwres_gabn.html,v 1.9 2004/04/07 00:57:02 marka Exp $ --> + <HTML ><HEAD ><TITLE diff --git a/lib/lwres/man/lwres_gai_strerror.3 b/lib/lwres/man/lwres_gai_strerror.3 index a100eece7e..b9f1d2f177 100644 --- a/lib/lwres/man/lwres_gai_strerror.3 +++ b/lib/lwres/man/lwres_gai_strerror.3 @@ -1,4 +1,3 @@ -.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" @@ -14,6 +13,8 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" +.\" $Id: lwres_gai_strerror.3,v 1.18 2004/04/07 00:57:02 marka Exp $ +.\" .TH "LWRES_GAI_STRERROR" "3" "Jun 30, 2000" "BIND9" "" .SH NAME gai_strerror \- print suitable error string diff --git a/lib/lwres/man/lwres_gai_strerror.html b/lib/lwres/man/lwres_gai_strerror.html index 97243d0525..572d38f84b 100644 --- a/lib/lwres/man/lwres_gai_strerror.html +++ b/lib/lwres/man/lwres_gai_strerror.html 
@@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2000, 2001 Internet Software Consortium. - - + - Copyright (C) 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,6 +14,9 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> + +<!-- $Id: lwres_gai_strerror.html,v 1.8 2004/04/07 00:57:02 marka Exp $ --> + <HTML ><HEAD ><TITLE diff --git a/lib/lwres/man/lwres_getaddrinfo.3 b/lib/lwres/man/lwres_getaddrinfo.3 index 04ddd5d03c..c9623a6c00 100644 --- a/lib/lwres/man/lwres_getaddrinfo.3 +++ b/lib/lwres/man/lwres_getaddrinfo.3 @@ -1,4 +1,3 @@ -.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" @@ -14,6 +13,8 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" +.\" $Id: lwres_getaddrinfo.3,v 1.22 2004/04/07 00:57:02 marka Exp $ +.\" .TH "LWRES_GETADDRINFO" "3" "Jun 30, 2000" "BIND9" "" .SH NAME lwres_getaddrinfo, lwres_freeaddrinfo \- socket address structure to host and service name diff --git a/lib/lwres/man/lwres_getaddrinfo.html b/lib/lwres/man/lwres_getaddrinfo.html index 36dcee9cfa..87bc99e39b 100644 --- a/lib/lwres/man/lwres_getaddrinfo.html +++ b/lib/lwres/man/lwres_getaddrinfo.html 
@@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2000, 2001 Internet Software Consortium. - - + - Copyright (C) 2001, 2003 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,6 +14,9 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> + +<!-- $Id: lwres_getaddrinfo.html,v 1.12 2004/04/07 00:57:02 marka Exp $ --> + <HTML ><HEAD ><TITLE diff --git a/lib/lwres/man/lwres_gethostent.3 b/lib/lwres/man/lwres_gethostent.3 index 41435b84e5..8aff45d985 100644 --- a/lib/lwres/man/lwres_gethostent.3 +++ b/lib/lwres/man/lwres_gethostent.3 @@ -1,6 +1,5 @@ -.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2000, 2001 Internet Software Consortium. +.\" Copyright (C) 2001 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -14,6 +13,8 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" +.\" $Id: lwres_gethostent.3,v 1.21 2004/04/07 00:57:03 marka Exp $ +.\" .TH "LWRES_GETHOSTENT" "3" "Jun 30, 2000" "BIND9" "" .SH NAME lwres_gethostbyname, lwres_gethostbyname2, lwres_gethostbyaddr, lwres_gethostent, lwres_sethostent, lwres_endhostent, lwres_gethostbyname_r, lwres_gethostbyaddr_r, lwres_gethostent_r, lwres_sethostent_r, lwres_endhostent_r \- lightweight resolver get network host entry 
diff --git a/lib/lwres/man/lwres_gethostent.html b/lib/lwres/man/lwres_gethostent.html index 55bb7393ff..4a59e6216c 100644 --- a/lib/lwres/man/lwres_gethostent.html +++ b/lib/lwres/man/lwres_gethostent.html @@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2000, 2001 Internet Software Consortium. - - + - Copyright (C) 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,6 +14,9 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> + +<!-- $Id: lwres_gethostent.html,v 1.11 2004/04/07 00:57:03 marka Exp $ --> + <HTML ><HEAD ><TITLE diff --git a/lib/lwres/man/lwres_getipnode.3 b/lib/lwres/man/lwres_getipnode.3 index 980eac1c1f..46e9f3290c 100644 --- a/lib/lwres/man/lwres_getipnode.3 +++ b/lib/lwres/man/lwres_getipnode.3 @@ -1,4 +1,3 @@ -.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" @@ -14,6 +13,8 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" +.\" $Id: lwres_getipnode.3,v 1.19 2004/04/07 00:57:03 marka Exp $ +.\" .TH "LWRES_GETIPNODE" "3" "Jun 30, 2000" "BIND9" "" .SH NAME lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent \- lightweight resolver nodename / address translation API diff --git a/lib/lwres/man/lwres_getipnode.html b/lib/lwres/man/lwres_getipnode.html index 3551dcddb6..97a900b088 100644 --- a/lib/lwres/man/lwres_getipnode.html 
+++ b/lib/lwres/man/lwres_getipnode.html @@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2000, 2001 Internet Software Consortium. - - + - Copyright (C) 2001, 2003 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,6 +14,9 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> + +<!-- $Id: lwres_getipnode.html,v 1.11 2004/04/07 00:57:03 marka Exp $ --> + <HTML ><HEAD ><TITLE diff --git a/lib/lwres/man/lwres_getnameinfo.3 b/lib/lwres/man/lwres_getnameinfo.3 index d05dcdea1d..e7cafa252e 100644 --- a/lib/lwres/man/lwres_getnameinfo.3 +++ b/lib/lwres/man/lwres_getnameinfo.3 @@ -1,4 +1,3 @@ -.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" @@ -14,6 +13,8 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" +.\" $Id: lwres_getnameinfo.3,v 1.20 2004/04/07 00:57:04 marka Exp $ +.\" .TH "LWRES_GETNAMEINFO" "3" "Jun 30, 2000" "BIND9" "" .SH NAME lwres_getnameinfo \- lightweight resolver socket address structure to hostname and service name diff --git a/lib/lwres/man/lwres_getnameinfo.html b/lib/lwres/man/lwres_getnameinfo.html index 48bb5ce66e..1b387c5b8d 100644 --- a/lib/lwres/man/lwres_getnameinfo.html +++ b/lib/lwres/man/lwres_getnameinfo.html 
@@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2000, 2001 Internet Software Consortium. - - + - Copyright (C) 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,6 +14,9 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> + +<!-- $Id: lwres_getnameinfo.html,v 1.8 2004/04/07 00:57:04 marka Exp $ --> + <HTML ><HEAD ><TITLE diff --git a/lib/lwres/man/lwres_getrrsetbyname.3 b/lib/lwres/man/lwres_getrrsetbyname.3 index cf373defba..76cc9048eb 100644 --- a/lib/lwres/man/lwres_getrrsetbyname.3 +++ b/lib/lwres/man/lwres_getrrsetbyname.3 @@ -1,4 +1,3 @@ -.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" @@ -14,6 +13,8 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" +.\" $Id: lwres_getrrsetbyname.3,v 1.16 2004/04/07 00:57:04 marka Exp $ +.\" .TH "LWRES_GETRRSETBYNAME" "3" "Oct 18, 2000" "BIND9" "" .SH NAME lwres_getrrsetbyname, lwres_freerrset \- retrieve DNS records diff --git a/lib/lwres/man/lwres_getrrsetbyname.html b/lib/lwres/man/lwres_getrrsetbyname.html index 477426eef2..07ffb1b3b4 100644 --- a/lib/lwres/man/lwres_getrrsetbyname.html +++ b/lib/lwres/man/lwres_getrrsetbyname.html 
@@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2000, 2001 Internet Software Consortium. - - + - Copyright (C) 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,6 +14,9 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> + +<!-- $Id: lwres_getrrsetbyname.html,v 1.8 2004/04/07 00:57:04 marka Exp $ --> + <HTML ><HEAD ><TITLE diff --git a/lib/lwres/man/lwres_gnba.3 b/lib/lwres/man/lwres_gnba.3 index aa950d72f5..cb924420d0 100644 --- a/lib/lwres/man/lwres_gnba.3 +++ b/lib/lwres/man/lwres_gnba.3 @@ -1,4 +1,3 @@ -.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" @@ -14,6 +13,8 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" +.\" $Id: lwres_gnba.3,v 1.18 2004/04/07 00:57:04 marka Exp $ +.\" .TH "LWRES_GNBA" "3" "Jun 30, 2000" "BIND9" "" .SH NAME lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lwres_gnbaresponse_parse, lwres_gnbaresponse_free, lwres_gnbarequest_free \- lightweight resolver getnamebyaddress message handling diff --git a/lib/lwres/man/lwres_gnba.html b/lib/lwres/man/lwres_gnba.html index 7d47fa24b6..537588d227 100644 --- a/lib/lwres/man/lwres_gnba.html +++ b/lib/lwres/man/lwres_gnba.html 
@@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2000, 2001 Internet Software Consortium. - - + - Copyright (C) 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,6 +14,9 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> + +<!-- $Id: lwres_gnba.html,v 1.9 2004/04/07 00:57:04 marka Exp $ --> + <HTML ><HEAD ><TITLE diff --git a/lib/lwres/man/lwres_hstrerror.3 b/lib/lwres/man/lwres_hstrerror.3 index 82574c0225..211ba6256a 100644 --- a/lib/lwres/man/lwres_hstrerror.3 +++ b/lib/lwres/man/lwres_hstrerror.3 @@ -1,4 +1,3 @@ -.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" @@ -14,6 +13,8 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" +.\" $Id: lwres_hstrerror.3,v 1.18 2004/04/07 00:57:04 marka Exp $ +.\" .TH "LWRES_HSTRERROR" "3" "Jun 30, 2000" "BIND9" "" .SH NAME lwres_herror, lwres_hstrerror \- lightweight resolver error message generation diff --git a/lib/lwres/man/lwres_hstrerror.html b/lib/lwres/man/lwres_hstrerror.html index 8da7f54558..b6f615ec40 100644 --- a/lib/lwres/man/lwres_hstrerror.html +++ b/lib/lwres/man/lwres_hstrerror.html 
@@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2000, 2001 Internet Software Consortium. - - + - Copyright (C) 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,6 +14,9 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> + +<!-- $Id: lwres_hstrerror.html,v 1.8 2004/04/07 00:57:04 marka Exp $ --> + <HTML ><HEAD ><TITLE diff --git a/lib/lwres/man/lwres_inetntop.3 b/lib/lwres/man/lwres_inetntop.3 index 3e431a7e25..b2dc17dc88 100644 --- a/lib/lwres/man/lwres_inetntop.3 +++ b/lib/lwres/man/lwres_inetntop.3 @@ -1,4 +1,3 @@ -.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" @@ -14,6 +13,8 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" +.\" $Id: lwres_inetntop.3,v 1.17 2004/04/07 00:57:04 marka Exp $ +.\" .TH "LWRES_INETNTOP" "3" "Jun 30, 2000" "BIND9" "" .SH NAME lwres_net_ntop \- lightweight resolver IP address presentation diff --git a/lib/lwres/man/lwres_inetntop.html b/lib/lwres/man/lwres_inetntop.html index ca0569af23..392244a763 100644 --- a/lib/lwres/man/lwres_inetntop.html +++ b/lib/lwres/man/lwres_inetntop.html 
@@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2000, 2001 Internet Software Consortium. - - + - Copyright (C) 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,6 +14,9 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> + +<!-- $Id: lwres_inetntop.html,v 1.8 2004/04/07 00:57:04 marka Exp $ --> + <HTML ><HEAD ><TITLE diff --git a/lib/lwres/man/lwres_noop.3 b/lib/lwres/man/lwres_noop.3 index a142352e47..08f0e51fb4 100644 --- a/lib/lwres/man/lwres_noop.3 +++ b/lib/lwres/man/lwres_noop.3 @@ -1,4 +1,3 @@ -.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" @@ -14,6 +13,8 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" +.\" $Id: lwres_noop.3,v 1.19 2004/04/07 00:57:04 marka Exp $ +.\" .TH "LWRES_NOOP" "3" "Jun 30, 2000" "BIND9" "" .SH NAME lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lwres_noopresponse_parse, lwres_noopresponse_free, lwres_nooprequest_free \- lightweight resolver no-op message handling diff --git a/lib/lwres/man/lwres_noop.html b/lib/lwres/man/lwres_noop.html index f89907379f..3af84215a2 100644 --- a/lib/lwres/man/lwres_noop.html +++ b/lib/lwres/man/lwres_noop.html 
@@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2000, 2001 Internet Software Consortium. - - + - Copyright (C) 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,6 +14,9 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> + +<!-- $Id: lwres_noop.html,v 1.10 2004/04/07 00:57:04 marka Exp $ --> + <HTML ><HEAD ><TITLE diff --git a/lib/lwres/man/lwres_packet.3 b/lib/lwres/man/lwres_packet.3 index 3ba25659c9..f2a677f544 100644 --- a/lib/lwres/man/lwres_packet.3 +++ b/lib/lwres/man/lwres_packet.3 @@ -1,4 +1,3 @@ -.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" @@ -14,6 +13,8 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" +.\" $Id: lwres_packet.3,v 1.20 2004/04/07 00:57:04 marka Exp $ +.\" .TH "LWRES_PACKET" "3" "Jun 30, 2000" "BIND9" "" .SH NAME lwres_lwpacket_renderheader, lwres_lwpacket_parseheader \- lightweight resolver packet handling functions diff --git a/lib/lwres/man/lwres_packet.html b/lib/lwres/man/lwres_packet.html index d7354604d5..5ac9bcae64 100644 --- a/lib/lwres/man/lwres_packet.html +++ b/lib/lwres/man/lwres_packet.html 
@@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2000, 2001 Internet Software Consortium. - - + - Copyright (C) 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,6 +14,9 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> + +<!-- $Id: lwres_packet.html,v 1.11 2004/04/07 00:57:04 marka Exp $ --> + <HTML ><HEAD ><TITLE diff --git a/lib/lwres/man/lwres_resutil.3 b/lib/lwres/man/lwres_resutil.3 index 59b39402df..7a4c6db27f 100644 --- a/lib/lwres/man/lwres_resutil.3 +++ b/lib/lwres/man/lwres_resutil.3 @@ -1,4 +1,3 @@ -.\" .\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" @@ -14,6 +13,8 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" +.\" $Id: lwres_resutil.3,v 1.19 2004/04/07 00:57:04 marka Exp $ +.\" .TH "LWRES_RESUTIL" "3" "Jun 30, 2000" "BIND9" "" .SH NAME lwres_string_parse, lwres_addr_parse, lwres_getaddrsbyname, lwres_getnamebyaddr \- lightweight resolver utility functions diff --git a/lib/lwres/man/lwres_resutil.html b/lib/lwres/man/lwres_resutil.html index a2cbacabf3..535a4e8183 100644 --- a/lib/lwres/man/lwres_resutil.html +++ b/lib/lwres/man/lwres_resutil.html 
@@ -1,11 +1,11 @@ <!-- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2000, 2001 Internet Software Consortium. - - + - Copyright (C) 2001 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - + - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, @@ -14,6 +14,9 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> + +<!-- $Id: lwres_resutil.html,v 1.11 2004/04/07 00:57:04 marka Exp $ --> + <HTML ><HEAD ><TITLE From e1f638a7141a4c1364e4ca45025241c9e2fecf74 Mon Sep 17 00:00:00 2001 From: Mark Andrews <marka@isc.org> Date: Wed, 7 Apr 2004 02:13:43 +0000 Subject: [PATCH 023/146] placeholder --- CHANGES | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGES b/CHANGES index 09911b6175..e0be390874 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +1606. [placeholder] rt10440a + +1605. [placeholder] rt10440a + 1604. [bug] A xfrout_ctx_create() failure would result in xfrout_ctx_destroy() being called with a partially initaliased structure. From 71ff97b91b6f9344e57717526ed5e11e2cd36921 Mon Sep 17 00:00:00 2001 From: Jakob Schlyter <source@isc.org> Date: Wed, 7 Apr 2004 19:40:33 +0000 Subject: [PATCH 024/146] remove rt10131; resolved --- doc/private/branches | 1 - 1 file changed, 1 deletion(-) diff --git a/doc/private/branches b/doc/private/branches index 9124d93c8a..2c86c6ebba 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -16,7 +16,6 @@ chroot open marka rt5299 open marka rt5456 review explorer rt9976 review jakob -rt10131 review jakob a6_remove closed adb_race closed explorer 
From 0822cc50657c972c6a5ee29cba9506847c7ea7c2 Mon Sep 17 00:00:00 2001 From: Mark Andrews <marka@isc.org> Date: Thu, 8 Apr 2004 00:10:42 +0000 Subject: [PATCH 025/146] 1594. [bug] 'rndc dumpdb' could prevent named from answering queries while the dump was in progress. [RT #10565] --- CHANGES | 3 +- bin/named/server.c | 266 ++++++++++++++++++++++++++++++++++++++------- 2 files changed, 231 insertions(+), 38 deletions(-) diff --git a/CHANGES b/CHANGES index e0be390874..33178b1432 100644 --- a/CHANGES +++ b/CHANGES @@ -25,7 +25,8 @@ 1595. [func] New notify type 'master-only'. Enable notify for master zones only. -1594. [placeholder] rt10565 +1594. [bug] 'rndc dumpdb' could prevent named from answering + queries while the dump was in progress. [RT #10565] 1593. [bug] rndc should return "unknown command" to unknown commands. [RT# 10642] diff --git a/bin/named/server.c b/bin/named/server.c index 9b41de3cb4..89a9b4b2a9 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.419 2004/03/14 23:00:47 marka Exp $ */ +/* $Id: server.c,v 1.420 2004/04/08 00:10:42 marka Exp $ */ #include <config.h> @@ -49,6 +49,7 @@ #include <dns/journal.h> #include <dns/keytable.h> #include <dns/master.h> +#include <dns/masterdump.h> #include <dns/order.h> #include <dns/peer.h> #include <dns/portlist.h> 
@@ -129,6 +130,32 @@ struct ns_dispatch {
 ISC_LINK(struct ns_dispatch) link;
 };

+struct dumpcontext {
+ isc_mem_t *mctx;
+ isc_boolean_t dumpcache;
+ isc_boolean_t dumpzones;
+ FILE *fp;
+ ISC_LIST(struct viewlistentry) viewlist;
+ struct viewlistentry *view;
+ struct zonelistentry *zone;
+ dns_dumpctx_t *mdctx;
+ dns_db_t *db;
+ dns_db_t *cache;
+ isc_task_t *task;
+ dns_dbversion_t *version;
+};
+
+struct viewlistentry {
+ dns_view_t *view;
+ ISC_LINK(struct viewlistentry) link;
+ ISC_LIST(struct zonelistentry) zonelist;
+};
+
+struct zonelistentry {
+ dns_zone_t *zone;
+ ISC_LINK(struct zonelistentry) link;
+};
+
 static void
 fatal(const char *msg, isc_result_t result);

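Review bot: The three new structs carry the state of an in-progress `rndc dumpdb` across asynchronous dump callbacks, but nothing says so; a reader of struct dumpcontext cannot tell that `viewlist` is the complete work list while `view` and `zone` are the iteration cursor, or that `mdctx`, `db`, `cache` and `version` are transient references held only while one incremental dump is running and released again before the next one starts. A short block comment above `struct dumpcontext` covering those points, and noting that `dumpcache` and `dumpzones` hold the parsed `-cache`/`-zones`/`-all` options, would make the dumpdone state machine in the later hunk readable. The hunk is complete in itself; the code that populates and consumes these structs is in a later hunk of the same file.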
@@ -3518,32 +3545,206 @@ ns_server_dumpstats(ns_server_t *server) { } static isc_result_t -printzone(dns_zone_t *zone, void *uap) { - FILE *fp = uap; - char buf[1024+32]; - isc_result_t result; +add_zone_tolist(dns_zone_t *zone, void *uap) { + struct dumpcontext *dctx = uap; + struct zonelistentry *zle; - dns_zone_name(zone, buf, sizeof(buf)); - fprintf(fp, ";\n; Zone dump of '%s'\n;\n", buf); - result = dns_zone_dumptostream(zone, fp); - if (result == ISC_R_NOTIMPLEMENTED) { - fprintf(fp, "; %s\n", dns_result_totext(result)); - result = ISC_R_SUCCESS; - } + zle = isc_mem_get(dctx->mctx, sizeof *zle); + if (zle == NULL) + return (ISC_R_NOMEMORY); + zle->zone = NULL; + dns_zone_attach(zone, &zle->zone); + ISC_LINK_INIT(zle, link); + ISC_LIST_APPEND(ISC_LIST_TAIL(dctx->viewlist)->zonelist, zle, link); + return (ISC_R_SUCCESS); +} + +static isc_result_t +add_view_tolist(struct dumpcontext *dctx, dns_view_t *view) { + struct viewlistentry *vle; + isc_result_t result = ISC_R_SUCCESS; + + vle = isc_mem_get(dctx->mctx, sizeof *vle); + if (vle == NULL) + return (ISC_R_NOMEMORY); + vle->view = NULL; + dns_view_attach(view, &vle->view); + ISC_LINK_INIT(vle, link); + ISC_LIST_INIT(vle->zonelist); + ISC_LIST_APPEND(dctx->viewlist, vle, link); + if (dctx->dumpzones) + result = dns_zt_apply(view->zonetable, ISC_TRUE, + add_zone_tolist, dctx); return (result); } +static void +dumpcontext_destroy(struct dumpcontext *dctx) { + struct viewlistentry *vle; + struct zonelistentry *zle; + + vle = ISC_LIST_HEAD(dctx->viewlist); + while (vle != NULL) { + ISC_LIST_UNLINK(dctx->viewlist, vle, link); + zle = ISC_LIST_HEAD(vle->zonelist); + while (zle != NULL) { + ISC_LIST_UNLINK(vle->zonelist, zle, link); + dns_zone_detach(&zle->zone); + isc_mem_put(dctx->mctx, zle, sizeof *zle); + zle = ISC_LIST_HEAD(vle->zonelist); + } + dns_view_detach(&vle->view); + isc_mem_put(dctx->mctx, vle, sizeof *vle); + vle = ISC_LIST_HEAD(dctx->viewlist); + } + if (dctx->version != NULL) + 
dns_db_closeversion(dctx->db, &dctx->version, ISC_FALSE); + if (dctx->db != NULL) + dns_db_detach(&dctx->db); + if (dctx->cache != NULL) + dns_db_detach(&dctx->cache); + if (dctx->task != NULL) + isc_task_detach(&dctx->task); + if (dctx->fp != NULL) + (void)isc_stdio_close(dctx->fp); + if (dctx->mdctx != NULL) + dns_dumpctx_detach(&dctx->mdctx); + isc_mem_put(dctx->mctx, dctx, sizeof *dctx); +} + +static void +dumpdone(void *arg, isc_result_t result) { + struct dumpcontext *dctx = arg; + char buf[1024+32]; + const dns_master_style_t *style; + + if (result != ISC_R_SUCCESS) + goto cleanup; + if (dctx->mdctx != NULL) + dns_dumpctx_detach(&dctx->mdctx); + if (dctx->view == NULL) { + dctx->view = ISC_LIST_HEAD(dctx->viewlist); + if (dctx->view == NULL) + goto done; + INSIST(dctx->zone == NULL); + } + nextview: + fprintf(dctx->fp, ";\n; Start view %s\n;\n", dctx->view->view->name); + if (dctx->zone == NULL && dctx->cache == NULL && dctx->dumpcache) { + style = &dns_master_style_cache; + /* start cache dump */ + if (dctx->view->view->cachedb != NULL) + dns_db_attach(dctx->view->view->cachedb, &dctx->cache); + if (dctx->cache != NULL) { + + fprintf(dctx->fp, ";\n; Cache dump of view '%s'\n;\n", + dctx->view->view->name); + result = dns_master_dumptostreaminc(dctx->mctx, + dctx->cache, NULL, + style, dctx->fp, + dctx->task, + dumpdone, dctx, + &dctx->mdctx); + if (result == DNS_R_CONTINUE) + return; + if (result == ISC_R_NOTIMPLEMENTED) + fprintf(dctx->fp, "; %s\n", + dns_result_totext(result)); + else if (result != ISC_R_SUCCESS) + goto cleanup; + } + } + if (dctx->cache != NULL) { + dns_adb_dump(dctx->view->view->adb, dctx->fp); + dns_db_detach(&dctx->cache); + } + if (dctx->dumpzones) { + style = &dns_master_style_full; + nextzone: + if (dctx->version != NULL) + dns_db_closeversion(dctx->db, &dctx->version, + ISC_FALSE); + if (dctx->db != NULL) + dns_db_detach(&dctx->db); + if (dctx->zone == NULL) + dctx->zone = ISC_LIST_HEAD(dctx->view->zonelist); + else + dctx->zone = 
ISC_LIST_NEXT(dctx->zone, link); + if (dctx->zone != NULL) { + /* start zone dump */ + dns_zone_name(dctx->zone->zone, buf, sizeof(buf)); + fprintf(dctx->fp, ";\n; Zone dump of '%s'\n;\n", buf); + result = dns_zone_getdb(dctx->zone->zone, &dctx->db); + if (result != ISC_R_SUCCESS) { + fprintf(dctx->fp, "; %s\n", + dns_result_totext(result)); + goto nextzone; + } + dns_db_currentversion(dctx->db, &dctx->version); + result = dns_master_dumptostreaminc(dctx->mctx, + dctx->db, + dctx->version, + style, dctx->fp, + dctx->task, + dumpdone, dctx, + &dctx->mdctx); + if (result == DNS_R_CONTINUE) + return; + if (result == ISC_R_NOTIMPLEMENTED) + fprintf(dctx->fp, "; %s\n", + dns_result_totext(result)); + if (result != ISC_R_SUCCESS) + goto cleanup; + } + } + if (dctx->view != NULL) + dctx->view = ISC_LIST_NEXT(dctx->view, link); + if (dctx->view != NULL) + goto nextview; + done: + fprintf(dctx->fp, "; Dump complete\n"); + result = isc_stdio_flush(dctx->fp); + if (result == ISC_R_SUCCESS) + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_SERVER, ISC_LOG_INFO, + "dumpdb complete"); + cleanup: + if (result != ISC_R_SUCCESS) + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_SERVER, ISC_LOG_INFO, + "dumpdb failed: %s", dns_result_totext(result)); + dumpcontext_destroy(dctx); +} + + isc_result_t ns_server_dumpdb(ns_server_t *server, char *args) { - FILE *fp = NULL; + struct dumpcontext *dctx = NULL; dns_view_t *view; isc_result_t result; - isc_boolean_t zones = ISC_FALSE; - isc_boolean_t cache = ISC_TRUE; char *ptr; const char *sep; - CHECKMF(isc_stdio_open(server->dumpfile, "w", &fp), + dctx = isc_mem_get(server->mctx, sizeof(*dctx)); + if (dctx == NULL) + return (ISC_R_NOMEMORY); + + dctx->mctx = server->mctx; + dctx->dumpcache = ISC_TRUE; + dctx->dumpzones = ISC_FALSE; + dctx->fp = NULL; + ISC_LIST_INIT(dctx->viewlist); + dctx->view = NULL; + dctx->zone = NULL; + dctx->cache = NULL; + dctx->mdctx = NULL; + dctx->db = NULL; + dctx->cache = NULL; 
+ dctx->task = NULL; + dctx->version = NULL; + isc_task_attach(server->task, &dctx->task); + + CHECKMF(isc_stdio_open(server->dumpfile, "w", &dctx->fp), "could not open dump file", server->dumpfile); /* Skip the command name. */ @@ -3558,16 +3759,16 @@ ns_server_dumpdb(ns_server_t *server, char *args) { ptr = next_token(&args, " \t"); if (ptr != NULL && strcmp(ptr, "-all") == 0) { - zones = ISC_TRUE; - cache = ISC_TRUE; + dctx->dumpzones = ISC_TRUE; + dctx->dumpcache = ISC_TRUE; ptr = next_token(&args, " \t"); } else if (ptr != NULL && strcmp(ptr, "-cache") == 0) { - zones = ISC_FALSE; - cache = ISC_TRUE; + dctx->dumpzones = ISC_FALSE; + dctx->dumpcache = ISC_TRUE; ptr = next_token(&args, " \t"); } else if (ptr != NULL && strcmp(ptr, "-zones") == 0) { - zones = ISC_TRUE; - cache = ISC_FALSE; + dctx->dumpzones = ISC_TRUE; + dctx->dumpcache = ISC_FALSE; ptr = next_token(&args, " \t"); } @@ -3577,23 +3778,14 @@ ns_server_dumpdb(ns_server_t *server, char *args) { { if (ptr != NULL && strcmp(view->name, ptr) != 0) continue; - fprintf(fp, ";\n; Start view %s\n;\n", view->name); - if (cache && view->cachedb != NULL) - CHECKM(dns_view_dumpdbtostream(view, fp), - "could not dump cache"); - if (zones && view->zonetable != NULL) - CHECKM(dns_zt_apply(view->zonetable, ISC_TRUE, - printzone, fp), - "could not dump zones"); + CHECK(add_view_tolist(dctx, view)); } - fprintf(fp, "; Dump complete\n"); - result = isc_stdio_flush(fp); - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_SERVER, ISC_LOG_INFO, - "dumpdb complete"); + dumpdone(dctx, ISC_R_SUCCESS); + return (ISC_R_SUCCESS); + cleanup: - if (fp != NULL) - (void)isc_stdio_close(fp); + if (dctx != NULL) + dumpcontext_destroy(dctx); return (result); } From 5eb0659963ec2aa5158425b39620ec1b30c83c7b Mon Sep 17 00:00:00 2001 
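Review bot: After `CHECK(add_view_tolist(dctx, view));` the function calls `dumpdone(dctx, ISC_R_SUCCESS)` and then returns `ISC_R_SUCCESS` unconditionally, so any error dumpdone hits synchronously (dns_zone_getdb failing, dns_master_dumptostreaminc returning something other than DNS_R_CONTINUE, or the isc_stdio_flush in the done path) is only logged as "dumpdb failed" and never reaches the rndc caller, whereas the removed code returned the flush result. If that is intended because the dump now completes asynchronously, say so where the call is made, e.g. `/* Dump continues asynchronously; errors are reported in the log, not via the return value. */`. The `if (dctx != NULL)` guard at cleanup is always true, since the NULL allocation result returns early before any CHECK can jump here, so it is harmless but dead. The -3558 hunk only moves the flags into dctx and needs nothing.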
From: Mark Andrews <marka@isc.org> Date: Thu, 8 Apr 2004 01:21:16 +0000 Subject: [PATCH 026/146] 1607. [bug] dig, host and nslookup were still using random() to generate query ids. [RT# 11013] --- CHANGES | 3 +++ bin/dig/dighost.c | 14 +++++--------- 2 files changed, 8 insertions(+), 9 deletions(-) diff --git a/CHANGES b/CHANGES index 33178b1432..894647d993 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +1607. [bug] dig, host and nslookup were still using random() + to generate query ids. [RT# 11013] + 1606. [placeholder] rt10440a 1605. [placeholder] rt10440a diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c index 3f7e799cbf..be3d2d7062 100644 --- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dighost.c,v 1.259 2004/03/05 04:57:30 marka Exp $ */ +/* $Id: dighost.c,v 1.260 2004/04/08 01:21:16 marka Exp $ */ /* * Notice to programmers: Do not use this code as an example of how to @@ -53,6 +53,7 @@ #include <isc/lang.h> #include <isc/netaddr.h> #include <isc/print.h> +#include <isc/random.h> #include <isc/result.h> #include <isc/string.h> #include <isc/task.h> @@ -806,13 +807,6 @@ setup_libs(void) { debug("setup_libs()"); - /* - * Warning: This is not particularly good randomness. We'll - * just use random() now for getting id values, but doing so - * does NOT ensure that id's can't be guessed. - */ - srandom(getpid()); - result = isc_net_probeipv4(); if (result == ISC_R_SUCCESS) have_ipv4 = ISC_TRUE; @@ -1284,6 +1278,7 @@ insert_soa(dig_lookup_t *lookup) { void setup_lookup(dig_lookup_t *lookup) { isc_result_t result; + isc_uint32_t id; int len; dig_server_t *serv; dig_query_t *query; 
@@ -1397,7 +1392,8 @@ setup_lookup(dig_lookup_t *lookup) { trying(store, lookup); INSIST(dns_name_isabsolute(lookup->name)); - lookup->sendmsg->id = (unsigned short)(random() & 0xFFFF); + isc_random_get(&id); + lookup->sendmsg->id = (unsigned short)id & 0xFFFF; lookup->sendmsg->opcode = dns_opcode_query; lookup->msgcounter = 0; /* From 69f08f8ae4980678911fa2d81323a0930708db4a Mon Sep 17 00:00:00 2001 From: Mark Andrews <marka@isc.org> Date: Sat, 10 Apr 2004 02:34:44 +0000 Subject: [PATCH 027/146] add missing double-quote --- doc/dev/coding.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/dev/coding.html b/doc/dev/coding.html index 91430488f7..60df967f87 100644 --- a/doc/dev/coding.html +++ b/doc/dev/coding.html @@ -15,7 +15,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: coding.html,v 1.19 2004/03/05 05:04:50 marka Exp $ --> +<!-- $Id: coding.html,v 1.20 2004/04/10 02:34:44 marka Exp $ --> <H2>C Language</H2> @@ -60,7 +60,7 @@ and indentation: <PRE><CODE> puts("This string got very far to the " "left and wrapped. ANSI catenation " - "rules will turn this into one + "rules will turn this into one " "long string."); </CODE></PRE> From e76c2e04a4e70584d5a3955240adeb30fa8453fb Mon Sep 17 00:00:00 2001 From: Mark Andrews <marka@isc.org> Date: Sat, 10 Apr 2004 03:47:09 +0000 Subject: [PATCH 028/146] pullup from BIND 8 1657. [bug] gmtime_r() called incorrectly. --- lib/bind/resolv/res_debug.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/lib/bind/resolv/res_debug.c b/lib/bind/resolv/res_debug.c index e18214f9b7..cc67f1e3b1 100644 --- a/lib/bind/resolv/res_debug.c +++ b/lib/bind/resolv/res_debug.c 
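Review bot: In `lookup->sendmsg->id = (unsigned short)id & 0xFFFF;` the cast binds tighter than `&`, so the value is truncated to 16 bits first and the mask is a no-op; `lookup->sendmsg->id = (unsigned short)(id & 0xFFFF);` states the intent. The deleted comment in setup_libs warned that the old ids were guessable, but the new code says nothing about where isc_random_get() takes its entropy from, and the seeding is not in view here, so whether query ids are now unpredictable cannot be judged from this hunk; a short comment pointing at the seeding site would help the next reader. setup_lookup continues past the hunk.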
@@ -95,7 +95,7 @@ #if defined(LIBC_SCCS) && !defined(lint) static const char sccsid[] = "@(#)res_debug.c 8.1 (Berkeley) 6/4/93"; -static const char rcsid[] = "$Id: res_debug.c,v 1.10 2004/03/18 02:58:01 marka Exp $"; +static const char rcsid[] = "$Id: res_debug.c,v 1.11 2004/04/10 03:47:09 marka Exp $"; #endif /* LIBC_SCCS and not lint */ #include "port_before.h" @@ -1099,9 +1099,10 @@ p_secstodate (u_long secs) { static char output[15]; /* YYYYMMDDHHMMSS and null */ time_t clock = secs; struct tm *time; - #ifdef HAVE_TIME_R - gmtime_r(&clock, &time); + struct tm res; + + time = gmtime_r(&clock, &res); #else time = gmtime(&clock); #endif From b39213ce599dc433c6f99144c97ca3d562f40344 Mon Sep 17 00:00:00 2001 From: Mark Andrews <marka@isc.org> Date: Sat, 10 Apr 2004 04:03:16 +0000 Subject: [PATCH 029/146] 1603. [bug] nsupdate: set interactive based on isatty(). [RT# 10929] --- CHANGES | 3 ++- bin/nsupdate/nsupdate.c | 4 +++- config.h.win32 | 3 ++- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 894647d993..ea2ef1214d 100644 --- a/CHANGES +++ b/CHANGES @@ -9,7 +9,8 @@ xfrout_ctx_destroy() being called with a partially initaliased structure. -1603. [placeholder] rt10929. +1603. [bug] nsupdate: set interactive based on isatty(). + [RT# 10929] 1602. [placeholder] rt10925. diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c index 3afcb65087..46d36097a5 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: nsupdate.c,v 1.130 2004/03/05 04:58:15 marka Exp $ */ +/* $Id: nsupdate.c,v 1.131 2004/04/10 04:03:16 marka Exp $ */ #include <config.h> @@ -1953,6 +1953,8 @@ main(int argc, char **argv) { input = stdin; + interactive = ISC_TF(isatty(0)); + isc_app_start(); parse_args(argc, argv); diff --git a/config.h.win32 b/config.h.win32 index b6b1f7c38d..152f4f893b 100644 --- a/config.h.win32 +++ b/config.h.win32 
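Review bot: Both branches now store the pointer returned by gmtime_r()/gmtime() in `time` without checking it for NULL, which both functions return for a `secs` value they cannot represent. p_secstodate continues past the hunk, so whether `time` is dereferenced unconditionally there is not visible; if it is, a guard right after the `#endif` that returns a fixed placeholder string is needed. The change itself (passing `&res` and using the return value) is correct, since the old call passed `&time`, a `struct tm **`.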
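Review bot: `interactive = ISC_TF(isatty(0));` hard-codes descriptor 0 directly under `input = stdin;`; tying the test to the stream that is actually read, `interactive = ISC_TF(isatty(fileno(input)));`, keeps the two from drifting if `input` is ever reassigned. The companion config.h.win32 hunk maps only `isatty`, so check whether that platform also needs `fileno` mapped before making that change. Whether parse_args(), called on the next line, can override the value is not visible from this hunk.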
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: config.h.win32,v 1.8 2004/03/16 05:22:15 marka Exp $ */ +/* $Id: config.h.win32,v 1.9 2004/04/10 04:03:16 marka Exp $ */ /* * win32 configuration file @@ -192,6 +192,7 @@ typedef long off_t; #define open _open #define close _close #define write _write +#define isatty _isatty #ifndef _WINSOCKAPI_ #define _WINSOCKAPI_ /* Prevent inclusion of winsock.h in windows.h */ From 8862388bcb44f634cbfc3e69f11ff4cb76590a4b Mon Sep 17 00:00:00 2001 From: Mark Andrews <marka@isc.org> Date: Sat, 10 Apr 2004 04:33:36 +0000 Subject: [PATCH 030/146] 1602. [bug] Logging to a file failed unless a size was specified. [RT# 10925] --- CHANGES | 3 ++- lib/isc/include/isc/log.h | 4 +++- lib/isc/log.c | 6 +++--- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index ea2ef1214d..4b41979bc5 100644 --- a/CHANGES +++ b/CHANGES @@ -12,7 +12,8 @@ 1603. [bug] nsupdate: set interactive based on isatty(). [RT# 10929] -1602. [placeholder] rt10925. +1602. [bug] Logging to a file failed unless a size was specified. + [RT# 10925] 1601. [placeholder] rt10920. diff --git a/lib/isc/include/isc/log.h b/lib/isc/include/isc/log.h index 57714c0d36..96bcaf69ba 100644 --- a/lib/isc/include/isc/log.h +++ b/lib/isc/include/isc/log.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: log.h,v 1.47 2004/03/05 05:10:58 marka Exp $ */ +/* $Id: log.h,v 1.48 2004/04/10 04:33:36 marka Exp $ */ #ifndef ISC_LOG_H #define ISC_LOG_H 1 @@ -96,6 +96,8 @@ struct isc_logmodule { * channel the name, versions and maximum_size should be set before calling * isc_log_createchannel(). To define an ISC_LOG_TOFILEDESC channel set only * the stream before the call. + * + * Setting maximum_size to zero implies no maximum. */ typedef struct isc_logfile { FILE *stream; /* Initialized to NULL for ISC_LOG_TOFILE. */ diff --git a/lib/isc/log.c b/lib/isc/log.c index 4a98e46398..21dfffd48a 100644 --- a/lib/isc/log.c +++ b/lib/isc/log.c 
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: log.c,v 1.84 2004/03/16 05:52:20 marka Exp $ */ +/* $Id: log.c,v 1.85 2004/04/10 04:33:36 marka Exp $ */ /* Principal Authors: DCL */ @@ -1317,7 +1317,7 @@ isc_log_open(isc_logchannel_t *channel) { if (stat(path, &statbuf) == 0) { regular_file = S_ISREG(statbuf.st_mode) ? ISC_TRUE : ISC_FALSE; /* XXXDCL if not regular_file complain? */ - roll = ISC_TF(regular_file && + roll = ISC_TF(regular_file && FILE_MAXSIZE(channel) > 0 && statbuf.st_size >= FILE_MAXSIZE(channel)); } else if (errno == ENOENT) regular_file = ISC_TRUE; @@ -1691,7 +1691,7 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category, * threshold, note it so that it will not be logged * to any more. */ - if (FILE_MAXSIZE(channel) != 0) { + if (FILE_MAXSIZE(channel) > 0) { INSIST(channel->type == ISC_LOG_TOFILE); /* XXXDCL NT fstat/fileno */ From 80cc19dc262cead5a8af41838ebfae5a6e587605 Mon Sep 17 00:00:00 2001 From: Mark Andrews <marka@isc.org> Date: Sat, 10 Apr 2004 05:03:27 +0000 Subject: [PATCH 031/146] 1601. [bug] Silence spurious warning 'both "recursion no;" and "allow-recursion" active' warning from view "_bind". [RT# 10920] --- CHANGES | 4 +++- bin/named/server.c | 7 ++++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 4b41979bc5..b062f5b0ce 100644 --- a/CHANGES +++ b/CHANGES @@ -15,7 +15,9 @@ 1602. [bug] Logging to a file failed unless a size was specified. [RT# 10925] -1601. [placeholder] rt10920. +1601. [bug] Silence spurious warning 'both "recursion no;" and + "allow-recursion" active' warning from view "_bind". + [RT# 10920] 1600. [placeholder] rt10861. diff --git a/bin/named/server.c b/bin/named/server.c index 89a9b4b2a9..0a6dc833f3 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.420 2004/04/08 00:10:42 marka Exp $ */ +/* $Id: server.c,v 1.421 2004/04/10 05:03:27 marka Exp $ */ #include <config.h> 
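Review bot: Both log.c hunks change the test to `FILE_MAXSIZE(channel) > 0`, which treats a negative maximum_size like zero, but the comment added to isc/log.h in the previous file section says only that zero implies no maximum. Either reject negative values where the channel is created or make the header comment match, e.g. `Setting maximum_size to zero (or a negative value) implies no maximum.` The switch from `!= 0` to `> 0` in isc_log_doit suggests the field is signed, though its declaration is not in view here.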
@@ -1102,8 +1102,9 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, CHECK(configure_view_acl(vconfig, config, "allow-query", actx, ns_g_mctx, &view->queryacl)); - CHECK(configure_view_acl(vconfig, config, "allow-recursion", - actx, ns_g_mctx, &view->recursionacl)); + if (strcmp(view->name, "_bind") != 0) + CHECK(configure_view_acl(vconfig, config, "allow-recursion", + actx, ns_g_mctx, &view->recursionacl)); /* * Warning if both "recursion no;" and allow-recursion are active From 7b18445dd6dc3dce5015d3106777e295cae56ffb Mon Sep 17 00:00:00 2001 From: Mark Andrews <marka@isc.org> Date: Mon, 12 Apr 2004 07:07:06 +0000 Subject: [PATCH 032/146] #ifdef EPFNOSUPPORT --- lib/bind/resolv/res_send.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/bind/resolv/res_send.c b/lib/bind/resolv/res_send.c index 149478808d..84d8eb20b2 100644 --- a/lib/bind/resolv/res_send.c +++ b/lib/bind/resolv/res_send.c @@ -70,7 +70,7 @@ #if defined(LIBC_SCCS) && !defined(lint) static const char sccsid[] = "@(#)res_send.c 8.1 (Berkeley) 6/4/93"; -static const char rcsid[] = "$Id: res_send.c,v 1.9 2004/03/18 02:58:02 marka Exp $"; +static const char rcsid[] = "$Id: res_send.c,v 1.10 2004/04/12 07:07:06 marka Exp $"; #endif /* LIBC_SCCS and not lint */ /* @@ -612,7 +612,9 @@ send_vc(res_state statp, if (statp->_vcsock < 0) { switch (errno) { case EPROTONOSUPPORT: +#ifdef EPFNOSUPPORT case EPFNOSUPPORT: +#endif case EAFNOSUPPORT: Perror(statp, stderr, "socket(vc)", errno); return (0); @@ -773,7 +775,9 @@ send_dg(res_state statp, if (EXT(statp).nssocks[ns] < 0) { switch (errno) { case EPROTONOSUPPORT: +#ifdef EPFNOSUPPORT case EPFNOSUPPORT: +#endif case EAFNOSUPPORT: Perror(statp, stderr, "socket(dg)", errno); return (0); From ea17e969771f19485dc7ab2f731d641128a9ee3b Mon Sep 17 00:00:00 2001 
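Review bot: The new `if (strcmp(view->name, "_bind") != 0)` guards a multi-line CHECK() invocation without braces; CHECK's expansion is not visible here, and unless it is a `do { } while (0)` block the construct is fragile under later edits, so `if (strcmp(view->name, "_bind") != 0) { CHECK(...); }` is the safer shape. Skipping the call also leaves `view->recursionacl` unset for the _bind view, so correctness relies on recursion being disabled for that view elsewhere, which the commit message implies; a one-line comment such as `/* _bind has recursion disabled, so no allow-recursion ACL is configured for it. */` would make that dependency explicit. configure_view continues outside the hunk.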
From: Mark Andrews <marka@isc.org> Date: Tue, 13 Apr 2004 01:09:37 +0000 Subject: [PATCH 033/146] 1608. [func] dig and host now accept -4/-6 to select IP transport to use when making queries. --- CHANGES | 3 +++ bin/dig/dig.c | 18 +++++++++++++++++- bin/dig/dig.docbook | 10 +++++++++- bin/dig/host.c | 23 ++++++++++++++++++++--- bin/dig/host.docbook | 10 +++++++++- 5 files changed, 58 insertions(+), 6 deletions(-) diff --git a/CHANGES b/CHANGES index b062f5b0ce..e6068f4bd3 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +1608. [func] dig and host now accept -4/-6 to select IP transport + to use when making queries. + 1607. [bug] dig, host and nslookup were still using random() to generate query ids. [RT# 11013] diff --git a/bin/dig/dig.c b/bin/dig/dig.c index ddf561f920..98c50168de 100644 --- a/bin/dig/dig.c +++ b/bin/dig/dig.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dig.c,v 1.186 2004/03/16 05:52:13 marka Exp $ */ +/* $Id: dig.c,v 1.187 2004/04/13 01:09:36 marka Exp $ */ #include <config.h> #include <stdlib.h> @@ -167,6 +167,8 @@ help(void) { " -c class (specify query class)\n" " -k keyfile (specify tsig key file)\n" " -y name:key (specify named base64 tsig key)\n" +" -4 (use IPv4 query transport only)\n" +" -6 (use IPv6 query transport only)\n" " d-opt is of the form +keyword[=value], where keyword is:\n" " +[no]vc (TCP mode)\n" " +[no]tcp (TCP mode, alternate syntax)\n" @@ -1022,6 +1024,20 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, case 'n': /* deprecated */ return (ISC_FALSE); + case '4': + if (have_ipv4) { + isc_net_disableipv6(); + have_ipv6 = ISC_FALSE; + } else + fatal("can't find IPv4 networking"); + return (ISC_FALSE); + case '6': + if (have_ipv6) { + isc_net_disableipv4(); + have_ipv4 = ISC_FALSE; + } else + fatal("can't find IPv6 networking"); + return (ISC_FALSE); case 'v': version(); exit(0); diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook index 619bb237ce..fbe3031a0c 100644 --- a/bin/dig/dig.docbook 
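Review bot: In the new `case '4'` and `case '6'` arms of dash_option, forcing one transport clears the `have_*` flag of the other, so `dig -4 -6` (in either order) dies with "can't find IPv6 networking" (or the IPv4 message) instead of reporting that the two options conflict. Tracking "transport forced by the user" separately from "transport detected" would give the right diagnostic; the identical arms added to parse_args in bin/dig/host.c later in this patch have the same behaviour. dash_option continues outside the hunk.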
+++ b/bin/dig/dig.docbook @@ -16,7 +16,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: dig.docbook,v 1.17 2004/03/05 04:57:30 marka Exp $ --> +<!-- $Id: dig.docbook,v 1.18 2004/04/13 01:09:36 marka Exp $ --> <refentry> @@ -47,6 +47,8 @@ <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg> <arg><option>-x <replaceable class="parameter">addr</replaceable></option></arg> <arg><option>-y <replaceable class="parameter">name:key</replaceable></option></arg> +<arg><option>-4</option></arg> +<arg><option>-6</option></arg> <arg choice=opt>name</arg> <arg choice=opt>type</arg> <arg choice=opt>class</arg> @@ -181,6 +183,12 @@ to test a name server that has been configured to listen for queries on a non-standard port number. </para> +<para> +The <option>-4</option> option forces <command>dig</command> to only +use IPv4 query transport. The <option>-6</option> option forces +<command>dig</command> to only use IPv6 query transport. +</para> + <para> The <option>-t</option> option sets the query type to <parameter>type</parameter>. It can be any valid query type which is diff --git a/bin/dig/host.c b/bin/dig/host.c index 7a9cb0747f..b0a79611aa 100644 --- a/bin/dig/host.c +++ b/bin/dig/host.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: host.c,v 1.94 2004/03/05 04:57:30 marka Exp $ */ +/* $Id: host.c,v 1.95 2004/04/13 01:09:37 marka Exp $ */ #include <config.h> #include <limits.h> @@ -44,6 +44,7 @@ extern ISC_LIST(dig_lookup_t) lookup_list; extern dig_serverlist_t server_list; extern ISC_LIST(dig_searchlist_t) search_list; +extern isc_boolean_t have_ipv4, have_ipv6; extern isc_boolean_t usesearch; extern isc_boolean_t debugging; extern unsigned int timeout; 
@@ -140,7 +141,9 @@ show_usage(void) { " -T enables TCP/IP mode\n" " -v enables verbose output\n" " -w specifies to wait forever for a reply\n" -" -W specifies how long to wait for a reply\n", stderr); +" -W specifies how long to wait for a reply\n" +" -4 use IPv4 query transport only\n" +" -6 use IPv6 query transport only\n", stderr); exit(1); } @@ -540,7 +543,7 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) { lookup = make_empty_lookup(); - while ((c = isc_commandline_parse(argc, argv, "lvwrdt:c:aTCN:R:W:Dni")) + while ((c = isc_commandline_parse(argc, argv, "lvwrdt:c:aTCN:R:W:Dni46")) != EOF) { switch (c) { case 'l': @@ -663,6 +666,20 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) { case 'D': debugging = ISC_TRUE; break; + case '4': + if (have_ipv4) { + isc_net_disableipv6(); + have_ipv6 = ISC_FALSE; + } else + fatal("can't find IPv4 networking"); + break; + case '6': + if (have_ipv6) { + isc_net_disableipv4(); + have_ipv4 = ISC_FALSE; + } else + fatal("can't find IPv6 networking"); + break; } } diff --git a/bin/dig/host.docbook b/bin/dig/host.docbook index 4654ec11b8..a3442b878e 100644 --- a/bin/dig/host.docbook +++ b/bin/dig/host.docbook @@ -16,7 +16,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: host.docbook,v 1.5 2004/03/05 04:57:30 marka Exp $ --> +<!-- $Id: host.docbook,v 1.6 2004/04/13 01:09:37 marka Exp $ --> <refentry> @@ -44,6 +44,8 @@ <arg><option>-R <replaceable class="parameter">number</replaceable></option></arg> <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg> <arg><option>-W <replaceable class="parameter">wait</replaceable></option></arg> + <arg><option>-4</option></arg> + <arg><option>-6</option></arg> <arg choice=req>name</arg> <arg choice=opt>server</arg> </cmdsynopsis> 
@@ -154,6 +156,12 @@ the name server. TCP will be automatically selected for queries that require it, such as zone transfer (AXFR) requests. </para> +<para> +The <option>-4</option> option forces <command>host</command> to only +use IPv4 query transport. The <option>-6</option> option forces +<command>host</command> to only use IPv6 query transport. +</para> + <para> The <option>-t</option> option is used to select the query type. <parameter>type</parameter> can be any recognised query type: CNAME, From 1ae75c1024eb0475c2be352b8707772e16332ad0 Mon Sep 17 00:00:00 2001 From: Mark Andrews <marka@isc.org> Date: Tue, 13 Apr 2004 02:39:35 +0000 Subject: [PATCH 034/146] 1609. [func] dig now has support to chase DNSSEC signature chains. Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES. --- CHANGES | 3 + README | 5 +- bin/dig/Makefile.in | 7 +- bin/dig/dig.c | 126 +- bin/dig/dig.docbook | 33 +- bin/dig/dighost.c | 2364 ++++++++++++++++++++++++++++++++++++- bin/dig/host.c | 19 +- bin/dig/include/dig/dig.h | 47 +- bin/dig/nslookup.c | 27 +- 9 files changed, 2564 insertions(+), 67 deletions(-) diff --git a/CHANGES b/CHANGES index e6068f4bd3..0b4e537943 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +1609. [func] dig now has support to chase DNSSEC signature chains. + Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES. + 1608. [func] dig and host now accept -4/-6 to select IP transport to use when making queries. diff --git a/README b/README index 717d8fd47d..aa7ce9503b 100644 --- a/README +++ b/README @@ -237,7 +237,10 @@ Building Possible settings: Change the default syslog facility of named/lwresd. - e.g. -DISC_FACILITY=LOG_LOCAL0 + -DISC_FACILITY=LOG_LOCAL0 + Enable DNSSEC signature chasing support in dig. + -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and + -DDIG_SIGCHASE_BU=1) To build shared libraries, specify "--with-libtool" on the configure command line. diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in index c7b43377af..e74e55c977 100644 
--- a/bin/dig/Makefile.in +++ b/bin/dig/Makefile.in @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.33 2004/03/05 04:57:29 marka Exp $ +# $Id: Makefile.in,v 1.34 2004/04/13 02:39:33 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ @@ -27,6 +27,7 @@ CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} ${BIND9_INCLUDES} \ ${ISC_INCLUDES} ${LWRES_INCLUDES} CDEFINES = -DVERSION=\"${VERSION}\" + CWARNINGS = ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ @@ -96,4 +97,6 @@ install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs host@EXEEXT@ ${DESTDIR}${bindir} ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \ nslookup@EXEEXT@ ${DESTDIR}${bindir} - for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1; done + for m in ${MANPAGES}; do \ + ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1; \ + done diff --git a/bin/dig/dig.c b/bin/dig/dig.c index 98c50168de..5d72a0f80d 100644 --- a/bin/dig/dig.c +++ b/bin/dig/dig.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dig.c,v 1.187 2004/04/13 01:09:36 marka Exp $ */ +/* $Id: dig.c,v 1.188 2004/04/13 02:39:34 marka Exp $ */ #include <config.h> #include <stdlib.h> @@ -43,6 +43,15 @@ #include <dig/dig.h> +#ifdef DIG_SIGCHASE +#ifndef DIG_SIGCHASE_BU +#define DIG_SIGCHASE_BU 1 +#endif +#ifndef DIG_SIGCHASE_TD +#define DIG_SIGCHASE_TD 1 +#endif +#endif + extern ISC_LIST(dig_lookup_t) lookup_list; extern dig_serverlist_t server_list; extern ISC_LIST(dig_searchlist_t) search_list; @@ -69,6 +78,9 @@ extern isc_sockaddr_t bind_address; extern char keynametext[MXNAME]; extern char keyfile[MXNAME]; extern char keysecret[MXNAME]; +#ifdef DIG_SIGCHASE +extern char trustedkey[MXNAME]; +#endif extern dns_tsigkey_t *key; extern isc_boolean_t validated; extern isc_taskmgr_t *taskmgr; 
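Review bot: The `#ifdef DIG_SIGCHASE` block that defaults DIG_SIGCHASE_BU and DIG_SIGCHASE_TD to 1 is pasted verbatim into dig.c here and again into dighost.c later in this patch; dig.c already includes `<dig/dig.h>` (visible in context), and dighost.c presumably does too, so the block belongs there once so the two translation units cannot drift. The README hunk documents the same defaulting, so a comment in the header, `/* -DDIG_SIGCHASE=1 enables both the bottom-up (BU) and top-down (TD) chasers unless overridden. */`, would tie the code and the documentation together.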
@@ -205,6 +217,13 @@ help(void) { " +[no]identify (ID responders in short answers)\n" " +[no]trace (Trace delegation down from root)\n" " +[no]dnssec (Request DNSSEC records)\n" +#ifdef DIG_SIGCHASE +" +[no]sigchase (Chase DNSSEC signatures)\n" +" +trusted-key=#### (Trusted Key when chasing DNSSEC sigs)\n" +#if DIG_SIGCHASE_TD +" +[no]topdown (Do DNSSEC validation top down mode)\n" +#endif +#endif " +[no]multiline (Print records in an expanded format)\n" " global d-opts and servers (before host name) affect all queries.\n" " local d-opts and servers (after host name) affect only that lookup.\n" 
@@ -350,6 +369,51 @@ short_answer(dns_message_t *msg, dns_messagetextflag_t flags, return (ISC_R_SUCCESS); } +#ifdef DIG_SIGCHASE +isc_result_t +printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset, + isc_buffer_t *target) +{ + isc_result_t result; + dns_master_style_t *style = NULL; + unsigned int styleflags = 0; + + if (rdataset == NULL || owner_name == NULL || target == NULL) + return(ISC_FALSE); + + styleflags |= DNS_STYLEFLAG_REL_OWNER; + if (nottl) + styleflags |= DNS_STYLEFLAG_NO_TTL; + if (noclass) + styleflags |= DNS_STYLEFLAG_NO_CLASS; + if (multiline) { + styleflags |= DNS_STYLEFLAG_OMIT_OWNER; + styleflags |= DNS_STYLEFLAG_OMIT_CLASS; + styleflags |= DNS_STYLEFLAG_REL_DATA; + styleflags |= DNS_STYLEFLAG_OMIT_TTL; + styleflags |= DNS_STYLEFLAG_TTL; + styleflags |= DNS_STYLEFLAG_MULTILINE; + styleflags |= DNS_STYLEFLAG_COMMENT; + } + if (multiline || (nottl && noclass)) + result = dns_master_stylecreate(&style, styleflags, + 24, 24, 24, 32, 80, 8, mctx); + else if (nottl || noclass) + result = dns_master_stylecreate(&style, styleflags, + 24, 24, 32, 40, 80, 8, mctx); + else + result = dns_master_stylecreate(&style, styleflags, + 24, 32, 40, 48, 80, 8, mctx); + check_result(result, "dns_master_stylecreate"); + + result = dns_master_rdatasettotext(owner_name, rdataset, style, target); + + if (style != NULL) + dns_master_styledestroy(&style, mctx); + + return(result); +} +#endif /* * Callback from dighost.c to print the reply from a server @@ -450,8 +514,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) { repopulate_buffer: - if (query->lookup->comments && headers && !short_form) - { + if (query->lookup->comments && headers && !short_form) { result = dns_message_pseudosectiontotext(msg, DNS_PSEUDOSECTION_OPT, style, flags, buf); 
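Review bot: `printrdataset` is declared to return `isc_result_t` but its argument check does `return(ISC_FALSE);`, and ISC_FALSE is 0, the same value as ISC_R_SUCCESS, so a caller passing a NULL rdataset, owner_name or target is told the print succeeded with nothing written; `return (ISC_R_FAILURE);` is what the signature promises. The function also reads the file-scope `nottl`, `noclass`, `multiline` and `mctx`, which is worth a one-line header comment since this is new externally visible API under `#ifdef DIG_SIGCHASE`. The three dns_master_stylecreate() calls differ only in column widths and could share one call with the widths chosen beforehand, but that is cosmetic.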
@@ -649,17 +712,20 @@ plus_option(char *option, isc_boolean_t is_batchfile, char option_store[256]; char *cmd, *value, *ptr; isc_boolean_t state = ISC_TRUE; +#ifdef DIG_SIGCHASE + size_t n; +#endif strncpy(option_store, option, sizeof(option_store)); option_store[sizeof(option_store)-1]=0; ptr = option_store; cmd = next_token(&ptr,"="); if (cmd == NULL) { - printf(";; Invalid option %s\n",option_store); + printf(";; Invalid option %s\n", option_store); return; } value = ptr; - if (strncasecmp(cmd,"no",2)==0) { + if (strncasecmp(cmd, "no", 2)==0) { cmd += 2; state = ISC_FALSE; } @@ -899,6 +965,14 @@ plus_option(char *option, isc_boolean_t is_batchfile, lookup->stats = ISC_FALSE; } break; +#ifdef DIG_SIGCHASE + case 'i': /* sigchase */ + FULLCHECK("sigchase"); + lookup->sigchase = state; + if (lookup->sigchase) + lookup->dnssec = ISC_TRUE; + break; +#endif case 't': /* stats */ FULLCHECK("stats"); lookup->stats = state; @@ -924,6 +998,12 @@ plus_option(char *option, isc_boolean_t is_batchfile, if (timeout == 0) timeout = 1; break; +#if DIG_SIGCHASE_TD + case 'o': /* topdown */ + FULLCHECK("topdown"); + lookup->do_topdown = state; + break; +#endif case 'r': switch (cmd[2]) { case 'a': /* trace */ @@ -937,7 +1017,7 @@ plus_option(char *option, isc_boolean_t is_batchfile, lookup->stats = ISC_FALSE; lookup->section_additional = ISC_FALSE; lookup->section_authority = ISC_TRUE; - lookup->section_question = ISC_FALSE; + lookup->section_question = ISC_FALSE; } break; case 'i': /* tries */ 
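Review bot: The topdown arm is wrapped in `#if DIG_SIGCHASE_TD`, which evaluates an undefined macro as 0 when DIG_SIGCHASE is off; that is legal but trips -Wundef and reads as if the macro were always defined, so `#if defined(DIG_SIGCHASE_TD) && DIG_SIGCHASE_TD` (or nesting it under `#ifdef DIG_SIGCHASE` like the sigchase arm) is clearer. The sigchase arm forces `lookup->dnssec = ISC_TRUE` only when enabling; a brief comment, `/* chasing signatures needs the DO bit set */`, would explain the coupling. plus_option continues outside the hunk.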
@@ -947,10 +1027,22 @@ plus_option(char *option, isc_boolean_t is_batchfile, if (!state) goto invalid_option; lookup->retries = parse_uint(value, "tries", - MAXTRIES); + MAXTRIES); if (lookup->retries == 0) lookup->retries = 1; break; +#ifdef DIG_SIGCHASE + case 'u': /* trusted-key */ + if (value == NULL) + goto need_value; + if (!state) + goto invalid_option; + n = strlcpy(trustedkey, ptr, + sizeof(trustedkey)); + if (n >= sizeof(trustedkey)) + fatal("trusted key too large"); + break; +#endif default: goto invalid_option; } @@ -1049,8 +1141,9 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, case 'b': hash = strchr(value, '#'); if (hash != NULL) { - srcport = (in_port_t) parse_uint(hash + 1, - "port number", MAXPORT); + srcport = (in_port_t) + parse_uint(hash + 1, + "port number", MAXPORT); *hash = '\0'; } else srcport = 0; @@ -1105,8 +1198,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, result = dns_rdatatype_fromtext(&rdtype, (isc_textregion_t *)&tr); if (result == ISC_R_SUCCESS && - rdtype == dns_rdatatype_ixfr) - { + rdtype == dns_rdatatype_ixfr) { result = DNS_R_UNKNOWN; } } @@ -1153,8 +1245,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, case 'x': *lookup = clone_lookup(default_lookup, ISC_TRUE); if (get_reverse(textname, sizeof(textname), value, - ip6_int, ISC_FALSE) == ISC_R_SUCCESS) - { + ip6_int, ISC_FALSE) == ISC_R_SUCCESS) { strncpy((*lookup)->textname, textname, sizeof((*lookup)->textname)); debug("looking up %s", (*lookup)->textname); @@ -1166,8 +1257,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, if (!(*lookup)->rdclassset) (*lookup)->rdclass = dns_rdataclass_in; (*lookup)->new_search = ISC_TRUE; - if (*lookup && *firstarg) - { + if (*lookup && *firstarg) { printgreeting(argc, argv, *lookup); *firstarg = ISC_FALSE; } 
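Review bot: The new `case 'u'` checks `value` (`if (value == NULL) goto need_value;`) but then copies `ptr` into trustedkey; the two were set to the same pointer by `value = ptr;` earlier in plus_option, so this works today, but copying the variable that was validated, `n = strlcpy(trustedkey, value, sizeof(trustedkey));`, matches the neighbouring `tries` arm and survives any later edit that separates them. A comment saying what `+trusted-key=` names (the docbook hunk only shows `####`) would help, since the buffer is MXNAME bytes and the "trusted key too large" fatal suggests a name or path rather than key material. plus_option continues outside the hunk.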
@@ -1333,8 +1423,7 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only, result = dns_rdatatype_fromtext(&rdtype, (isc_textregion_t *)&tr); if (result == ISC_R_SUCCESS && - rdtype == dns_rdatatype_ixfr) - { + rdtype == dns_rdatatype_ixfr) { result = DNS_R_UNKNOWN; fprintf(stderr, ";; Warning, " "ixfr requires a " @@ -1548,6 +1637,9 @@ main(int argc, char **argv) { fclose(batchfp); batchname = NULL; } +#ifdef DIG_SIGCHASE + clean_trustedkey(); +#endif cancel_all(); destroy_libs(); isc_app_finish(); diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook index fbe3031a0c..7724593785 100644 --- a/bin/dig/dig.docbook +++ b/bin/dig/dig.docbook @@ -16,7 +16,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: dig.docbook,v 1.18 2004/04/13 01:09:36 marka Exp $ --> +<!-- $Id: dig.docbook,v 1.19 2004/04/13 02:39:34 marka Exp $ --> <refentry> 
@@ -483,29 +483,46 @@ Print records like the SOA records in a verbose multi-line format with human-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the <command>dig</command> output. -</para> -</listitem></varlistentry> +</para></listitem></varlistentry> <varlistentry><term><option>+[no]fail</option></term> <listitem><para> Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behaviour. -</para> +</para></listitem></varlistentry> -</listitem></varlistentry> <varlistentry><term><option>+[no]besteffort</option></term> <listitem><para> Attempt to display the contents of messages which are malformed. The default is to not display malformed answers. -</para> +</para></listitem></varlistentry> -</listitem></varlistentry> <varlistentry><term><option>+[no]dnssec</option></term> <listitem><para> Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query. -</para> +</para></listitem></varlistentry> + +<varlistentry><term><option>+[no]sigchase</option></term> +<listitem><para> +Chase DNSSEC signature chains. Requires dig be compiled with +-DDIG_SIGCHASE. +</para></listitem></varlistentry> + +<varlistentry><term><option>+trusted-key=####</option></term> +<listitem><para> +Specify a trusted key to be used with <option>+sigchase</option>. +Requires dig be compiled with -DDIG_SIGCHASE. +</para></listitem></varlistentry> + +<varlistentry><term><option>+[no]topdown</option></term> +<listitem><para> +When chasing DNSSEC signature chains perform a top down validation. +Requires dig be compiled with -DDIG_SIGCHASE. +</para></listitem></varlistentry> + + </variablelist> diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c index be3d2d7062..cecde0c26e 100644 --- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c 
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dighost.c,v 1.260 2004/04/08 01:21:16 marka Exp $ */ +/* $Id: dighost.c,v 1.261 2004/04/13 02:39:35 marka Exp $ */ /* * Notice to programmers: Do not use this code as an example of how to @@ -32,7 +32,24 @@ #include <string.h> #include <limits.h> +#ifdef DIG_SIGCHASE +#ifndef DIG_SIGCHASE_BU +#define DIG_SIGCHASE_BU 1 +#endif +#ifndef DIG_SIGCHASE_TD +#define DIG_SIGCHASE_TD 1 +#endif +#endif + #include <dns/byaddr.h> +#ifdef DIG_SIGCHASE +#include <dns/dnssec.h> +#include <dns/ds.h> +#include <dns/nsec.h> +#include <isc/file.h> +#include <isc/random.h> +#include <ctype.h> +#endif #include <dns/fixedname.h> #include <dns/message.h> #include <dns/name.h> @@ -52,6 +69,9 @@ #include <isc/entropy.h> #include <isc/lang.h> #include <isc/netaddr.h> +#ifdef DIG_SIGCHASE +#include <isc/netdb.h> +#endif #include <isc/print.h> #include <isc/random.h> #include <isc/result.h> 
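Review bot: The `#ifdef DIG_SIGCHASE` include block adds `#include <isc/random.h>`, but the same header is already included unconditionally a few lines later (visible as context in the second hunk, where it was added by the query-id change earlier in this series), so the conditional copy is redundant and should be dropped. For consistency with the rest of the list, `<ctype.h>` belongs with the other system headers near `<string.h>` and `<limits.h>` rather than after the dns/ and isc/ headers.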
@@ -133,6 +153,152 @@ char *progname = NULL; isc_mutex_t lookup_lock; dig_lookup_t *current_lookup = NULL; +#ifdef DIG_SIGCHASE + +isc_result_t get_trusted_key(isc_mem_t *mctx); +dns_rdataset_t * sigchase_scanname(dns_rdatatype_t type, + dns_rdatatype_t covers, + isc_boolean_t *lookedup, + dns_name_t *rdata_name); +dns_rdataset_t * chase_scanname_section(dns_message_t *msg, + dns_name_t *name, + dns_rdatatype_t type, + dns_rdatatype_t covers, + int section); +isc_result_t advanced_rrsearch(dns_rdataset_t **rdataset, + dns_name_t *name, + dns_rdatatype_t type, + dns_rdatatype_t covers, + isc_boolean_t *lookedup); +isc_result_t sigchase_verify_sig_key(dns_name_t *name, + dns_rdataset_t *rdataset, + dst_key_t* dnsseckey, + dns_rdataset_t *sigrdataset, + isc_mem_t *mctx); +isc_result_t sigchase_verify_sig(dns_name_t *name, + dns_rdataset_t *rdataset, + dns_rdataset_t *keyrdataset, + dns_rdataset_t *sigrdataset, + isc_mem_t *mctx); +isc_result_t sigchase_verify_ds(dns_name_t *name, + dns_rdataset_t *keyrdataset, + dns_rdataset_t *dsrdataset, + isc_mem_t *mctx); +void sigchase(dns_message_t *msg); +void print_rdata(dns_rdata_t *rdata, isc_mem_t *mctx); +void print_rdataset(dns_name_t *name, + dns_rdataset_t *rdataset, isc_mem_t *mctx); +void dup_name(dns_name_t *source, dns_name_t* target, + isc_mem_t *mctx); +void dump_database(void); +void dump_database_section(dns_message_t *msg, int section); +dns_rdataset_t * search_type(dns_name_t *name, dns_rdatatype_t type, + dns_rdatatype_t covers); +isc_result_t contains_trusted_key(dns_name_t *name, + dns_rdataset_t *rdataset, + dns_rdataset_t *sigrdataset, + isc_mem_t *mctx); +void print_type(dns_rdatatype_t type); +isc_result_t prove_nx_domain(dns_message_t * msg, + dns_name_t * name, + dns_name_t * rdata_name, + dns_rdataset_t ** rdataset, + dns_rdataset_t ** sigrdataset); +isc_result_t prove_nx_type(dns_message_t * msg, dns_name_t *name, + dns_rdataset_t *nsec, + dns_rdataclass_t class, + dns_rdatatype_t type, + dns_name_t 
* rdata_name, + dns_rdataset_t ** rdataset, + dns_rdataset_t ** sigrdataset); +isc_result_t prove_nx(dns_message_t * msg, dns_name_t * name, + dns_rdataclass_t class, + dns_rdatatype_t type, + dns_name_t * rdata_name, + dns_rdataset_t ** rdataset, + dns_rdataset_t ** sigrdataset); +isc_result_t nameFromString( const char *str, dns_name_t *p_ret ); +int inf_name(dns_name_t * name1, dns_name_t * name2); +isc_result_t opentmpkey(isc_mem_t *mctx, const char *file, + char **tempp, FILE **fp); +isc_result_t removetmpkey(isc_mem_t *mctx, const char *file); +void clean_trustedkey(void ); +void insert_trustedkey(dst_key_t * key); +#if DIG_SIGCHASE_BU +isc_result_t getneededrr(dns_message_t *msg); +void sigchase_bottom_up(dns_message_t *msg); +void sigchase_bu(dns_message_t *msg); +#endif +#if DIG_SIGCHASE_TD +isc_result_t initialization(dns_name_t *name); +isc_result_t prepare_lookup(dns_name_t *name); +isc_result_t grandfather_pb_test(dns_name_t * zone_name, + dns_rdataset_t *sigrdataset); +isc_result_t child_of_zone(dns_name_t *name, + dns_name_t *zone_name, + dns_name_t *child_name); +void sigchase_td(dns_message_t *msg); +#endif +char trustedkey[MXNAME] = ""; + +dns_rdataset_t * chase_rdataset = NULL; +dns_rdataset_t * chase_sigrdataset = NULL; +dns_rdataset_t * chase_dsrdataset = NULL; +dns_rdataset_t * chase_sigdsrdataset = NULL; +dns_rdataset_t * chase_keyrdataset = NULL; +dns_rdataset_t * chase_sigkeyrdataset = NULL; +dns_rdataset_t * chase_nsrdataset = NULL; + +dns_name_t chase_name; /* the query name */ +#if DIG_SIGCHASE_TD +/* + * the current name is the parent name when we follow delegation + */ +dns_name_t chase_current_name; +/* + * the child name is used for delegation (NS DS responses in AUTHORITY section) + */ +dns_name_t chase_authority_name; +#endif +#if DIG_SIGCHASE_BU +dns_name_t chase_signame; +#endif + + +isc_boolean_t chase_siglookedup = ISC_FALSE; +isc_boolean_t chase_keylookedup = ISC_FALSE; +isc_boolean_t chase_sigkeylookedup = ISC_FALSE; 
+isc_boolean_t chase_dslookedup = ISC_FALSE; +isc_boolean_t chase_sigdslookedup = ISC_FALSE; +#if DIG_SIGCHASE_TD +isc_boolean_t chase_nslookedup = ISC_FALSE; +isc_boolean_t chase_lookedup = ISC_FALSE; + + +isc_boolean_t delegation_follow = ISC_FALSE; +isc_boolean_t grandfather_pb = ISC_FALSE; +isc_boolean_t have_response = ISC_FALSE; +isc_boolean_t have_delegation_ns = ISC_FALSE; +dns_message_t * error_message = NULL; +#endif + +isc_boolean_t dsvalidating = ISC_FALSE; +isc_boolean_t chase_name_dup = ISC_FALSE; + +ISC_LIST(dig_message_t) chase_message_list; +ISC_LIST(dig_message_t) chase_message_list2; + + +#define MAX_TRUSTED_KEY 5 +typedef struct struct_trusted_key_list { + dst_key_t * key[MAX_TRUSTED_KEY]; + int nb_tk; +} struct_tk_list; + +struct_tk_list tk_list = { {NULL, NULL, NULL, NULL, NULL}, 0}; + +#endif + /* * Apply and clear locks at the event level in global task. * Can I get rid of these using shutdown events? XXX @@ -506,6 +672,18 @@ make_empty_lookup(void) { looknew->servfail_stops = ISC_TRUE; looknew->besteffort = ISC_TRUE; looknew->dnssec = ISC_FALSE; +#ifdef DIG_SIGCHASE + looknew->sigchase = ISC_FALSE; +#if DIG_SIGCHASE_TD + looknew->do_topdown = ISC_FALSE; + looknew->trace_root_sigchase = ISC_FALSE; + looknew->rdtype_sigchaseset = ISC_FALSE; + looknew->rdtype_sigchase = dns_rdatatype_any; + looknew->qrdtype_sigchase = dns_rdatatype_any; + looknew->rdclass_sigchase = dns_rdataclass_in; + looknew->rdclass_sigchaseset = ISC_FALSE; +#endif +#endif looknew->udpsize = 0; looknew->recurse = ISC_TRUE; looknew->aaonly = ISC_FALSE; @@ -550,6 +728,9 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) { looknew = make_empty_lookup(); INSIST(looknew != NULL); strncpy(looknew->textname, lookold->textname, MXNAME); +#if DIG_SIGCHASE_TD + strncpy(looknew->textnamesigchase, lookold->textnamesigchase, MXNAME); +#endif strncpy(looknew->cmdline, lookold->cmdline, MXNAME); looknew->textname[MXNAME-1] = 0; looknew->rdtype = lookold->rdtype; 
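Review bot: In the clone_lookup hunk (@@ -550) the new `strncpy(looknew->textnamesigchase, lookold->textnamesigchase, MXNAME);` has no terminator, while the `textname` copy two lines later is explicitly terminated with `looknew->textname[MXNAME-1] = 0;`; add `looknew->textnamesigchase[MXNAME-1] = 0;` after it so a full-length source cannot leave the copy unterminated. The same unterminated-copy shape recurs in the start_lookup hunk (`strncpy(current_lookup->textname, (char*)r.base, MXNAME)`) and in sigchase_scanname inside the large destroy_libs hunk, where it is an unbounded `strcpy(lookup->textname, (char*)r.base)`. In the @@ -133 hunk every new prototype, the `chase_*` globals, `tk_list` and `char trustedkey[MXNAME]` get external linkage; if they are not referenced from dig.c (which I cannot see here) they should be `static`, which would also stop the `trustedkey` name being shadowed by the `dst_key_t *trustedkey` local in start_lookup. `MAX_TRUSTED_KEY 5` is a silent cap, since insert_trustedkey later drops any further key without a diagnostic; a comment on the define such as `/* keys beyond this many in the trusted-key file are ignored */`, or a warning in insert_trustedkey, would make the limit visible.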
@@ -567,6 +748,18 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) { looknew->servfail_stops = lookold->servfail_stops; looknew->besteffort = lookold->besteffort; looknew->dnssec = lookold->dnssec; +#ifdef DIG_SIGCHASE + looknew->sigchase = lookold->sigchase; +#if DIG_SIGCHASE_TD + looknew->do_topdown = lookold->do_topdown; + looknew->trace_root_sigchase = lookold->trace_root_sigchase; + looknew->rdtype_sigchaseset = lookold->rdtype_sigchaseset; + looknew->rdtype_sigchase = lookold->rdtype_sigchase; + looknew->qrdtype_sigchase = lookold->qrdtype_sigchase; + looknew->rdclass_sigchase = lookold->rdclass_sigchase; + looknew->rdclass_sigchaseset = lookold->rdclass_sigchaseset; +#endif +#endif looknew->udpsize = lookold->udpsize; looknew->recurse = lookold->recurse; looknew->aaonly = lookold->aaonly; @@ -758,12 +951,12 @@ setup_system(void) { if (lwconf->nsnext == 0) { if (have_ipv4) { lwresult = add_nameserver(lwconf, "127.0.0.1", AF_INET); - if(lwresult != ISC_R_SUCCESS) + if (lwresult != ISC_R_SUCCESS) fatal("add_nameserver failed"); } if (have_ipv6) { lwresult = add_nameserver(lwconf, "::1", AF_INET6); - if(lwresult != ISC_R_SUCCESS) + if (lwresult != ISC_R_SUCCESS) fatal("add_nameserver failed"); } } @@ -775,6 +968,11 @@ setup_system(void) { setup_file_key(); else if (keysecret[0] != 0) setup_text_key(); +#ifdef DIG_SIGCHASE + /* Setup the list of messages for +sigchase */ + ISC_LIST_INIT(chase_message_list); +#endif + } static void 
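Review bot: The setup_system hunk (@@ -775) initialises `chase_message_list` but not `chase_message_list2`, even though recv_done appends to the second list and destroy_libs walks it; it presumably only works because the zero-initialised global happens to look like an empty list. Add `ISC_LIST_INIT(chase_message_list2);` next to the existing call. The comment `/* Setup the list of messages for +sigchase */` should then read `lists`.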
@@ -1052,6 +1250,94 @@ start_lookup(void) { */ if (current_lookup != NULL) { ISC_LIST_DEQUEUE(lookup_list, current_lookup, link); +#if DIG_SIGCHASE_TD + if (current_lookup->do_topdown && + !current_lookup->rdtype_sigchaseset) { + dst_key_t * trustedkey = NULL; + isc_buffer_t *b = NULL; + isc_region_t r; + isc_result_t result; + dns_name_t query_name; + dns_name_t * key_name; + int i; + + result = get_trusted_key(mctx); + if (result != ISC_R_SUCCESS) { + printf("\n;; No trusted key, " + "+sigchase option is disabled\n"); + current_lookup->sigchase = ISC_FALSE; + goto novalidation; + } + result = nameFromString(current_lookup->textname, + &query_name); + check_result(result, "nameFromString"); + + for (i = 0; i< tk_list.nb_tk; i++) { + key_name = dst_key_name(tk_list.key[i]); + + if (dns_name_issubdomain(&query_name, + key_name) == ISC_TRUE) + trustedkey = tk_list.key[i]; + /* + * Verifier que la temp est bien la plus basse + * WARNING + */ + } + if (trustedkey == NULL) { + printf("\n;; The queried zone: "); + dns_name_print(&query_name, stdout); + printf(" isn't a subdomain of any Trusted Keys" + ": +sigchase option is disable\n"); + current_lookup->sigchase = ISC_FALSE; + dns_name_free(&query_name, mctx); + goto novalidation; + } + dns_name_free(&query_name, mctx); + + + current_lookup->rdtype_sigchase + = current_lookup->rdtype; + current_lookup->rdtype_sigchaseset + = current_lookup->rdtypeset; + current_lookup->rdtype = dns_rdatatype_ns; + + + current_lookup->qrdtype_sigchase + = current_lookup->qrdtype; + current_lookup->qrdtype = dns_rdatatype_ns; + + current_lookup->rdclass_sigchase + = current_lookup->rdclass; + current_lookup->rdclass_sigchaseset + = current_lookup->rdclassset; + current_lookup->rdclass = dns_rdataclass_in; + + + strncpy(current_lookup->textnamesigchase, + current_lookup->textname, MXNAME); + + current_lookup->trace_root_sigchase = ISC_TRUE; + + result = isc_buffer_allocate(mctx, &b, BUFSIZE); + check_result(result, "isc_buffer_allocate"); 
+ result = dns_name_totext(dst_key_name(trustedkey), + ISC_FALSE, b); + check_result(result, "dns_name_totext"); + isc_buffer_usedregion(b, &r); + r.base[r.length] = '\0'; + strncpy(current_lookup->textname, (char*)r.base, + MXNAME); + isc_buffer_free(&b); + + result = nameFromString(current_lookup + ->textnamesigchase, + &chase_name); + check_result(result, "nameFromString"); + + dns_name_init(&chase_authority_name, NULL); + } + novalidation: +#endif setup_lookup(current_lookup); do_lookup(current_lookup); } else { @@ -1104,8 +1390,7 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section) for (result = dns_message_firstname(msg, section); result == ISC_R_SUCCESS; - result = dns_message_nextname(msg, section)) - { + result = dns_message_nextname(msg, section)) { name = NULL; dns_message_currentname(msg, section, &name); @@ -1119,8 +1404,7 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section) for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS; - result = dns_rdataset_next(rdataset)) - { + result = dns_rdataset_next(rdataset)) { char namestr[DNS_NAME_FORMATSIZE]; dns_rdata_ns_t ns; @@ -1946,7 +2230,8 @@ launch_next_query(dig_query_t *query, isc_boolean_t include_question) { isc_buffer_clear(&query->slbuf); isc_buffer_clear(&query->lengthbuf); - isc_buffer_putuint16(&query->slbuf, (isc_uint16_t) query->lookup->sendbuf.used); + isc_buffer_putuint16(&query->slbuf, + (isc_uint16_t) query->lookup->sendbuf.used); ISC_LIST_INIT(query->sendlist); ISC_LINK_INIT(&query->slbuf, link); ISC_LIST_ENQUEUE(query->sendlist, &query->slbuf, link); @@ -1962,7 +2247,7 @@ launch_next_query(dig_query_t *query, isc_boolean_t include_question) { global_task, tcp_length_done, query); check_result(result, "isc_socket_recvv"); recvcount++; - debug("recvcount=%d",recvcount); + debug("recvcount=%d", recvcount); if (!query->first_soa_rcvd) { debug("sending a request in launch_next_query"); TIME_NOW(&query->time_sent); 
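Review bot: In the start_lookup hunk (@@ -1052) the local `dst_key_t *trustedkey` shadows the file-scope `char trustedkey[MXNAME]` declared in the @@ -133 hunk, so the user-supplied file name is unreachable inside this block and any later reference would silently pick the wrong object; renaming the local to `chosen_key` avoids that. The selection loop keeps whichever key matched last rather than the closest enclosing key, which the `/* Verifier que la temp est bien la plus basse WARNING */` comment (which should also be in English) already admits; preferring the matching key with the most labels fixes it. `r.base[r.length] = '\0';` followed by an unterminated `strncpy(current_lookup->textname, (char*)r.base, MXNAME)` relies on the buffer having a spare byte after the used region and on the name fitting in MXNAME, neither of which is checked here; `dns_name_format`, which this same patch uses in prepare_lookup, bounds and terminates the copy in one call and makes the `b`/`r` locals unnecessary (it omits the trailing dot, which I assume setup_lookup accepts as for other absolute names — confirm). The same `r.base[r.length] = '\0'` idiom recurs in print_type, sigchase_scanname, print_rdataset and prepare_lookup inside the destroy_libs hunk, which runs past this chunk.
```c
/* … unchanged: get_trusted_key() and nameFromString() calls … */
for (i = 0; i < tk_list.nb_tk; i++) {
	key_name = dst_key_name(tk_list.key[i]);
	/* keep the deepest trusted key that encloses the query name */
	if (dns_name_issubdomain(&query_name, key_name) &&
	    (chosen_key == NULL ||
	     dns_name_countlabels(key_name) >
	     dns_name_countlabels(dst_key_name(chosen_key))))
		chosen_key = tk_list.key[i];
}
/* … unchanged: "isn't a subdomain" error path, rdtype/rdclass save … */
dns_name_format(dst_key_name(chosen_key), current_lookup->textname,
	       MXNAME);
/* … unchanged: nameFromString(textnamesigchase, &chase_name) … */
```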
@@ -2214,6 +2499,10 @@ recv_done(isc_task_t *task, isc_event_t *event) { dig_query_t *query = NULL; isc_buffer_t *b = NULL; dns_message_t *msg = NULL; +#ifdef DIG_SIGCHASE + dig_message_t *chase_msg = NULL; + dig_message_t *chase_msg2 = NULL; +#endif isc_result_t result; dig_lookup_t *n, *l; isc_boolean_t docancel = ISC_FALSE; @@ -2221,6 +2510,13 @@ recv_done(isc_task_t *task, isc_event_t *event) { unsigned int parseflags; dns_messageid_t id; unsigned int msgflags; +#ifdef DIG_SIGCHASE + isc_result_t do_sigchase = ISC_FALSE; + + dns_message_t *msg_temp = NULL; + isc_region_t r; + isc_buffer_t *buf = NULL; +#endif UNUSED(task); INSIST(!free_now); @@ -2323,7 +2619,8 @@ recv_done(isc_task_t *task, isc_event_t *event) { fail = ISC_FALSE; query->warn_id = ISC_FALSE; } else - printf(";; ERROR: short (< header size) message\n"); + printf(";; ERROR: short " + "(< header size) message\n"); if (fail) { isc_event_free(&event); clear_query(query); @@ -2336,7 +2633,8 @@ recv_done(isc_task_t *task, isc_event_t *event) { printf(";; Warning: ID mismatch: " "expected ID %u, got %u\n", l->sendmsg->id, id); else - printf(";; Warning: short (< header size) message received\n"); + printf(";; Warning: short " + "(< header size) message received\n"); } if (!match) { @@ -2375,6 +2673,14 @@ recv_done(isc_task_t *task, isc_event_t *event) { debug("before parse starts"); parseflags = DNS_MESSAGEPARSE_PRESERVEORDER; +#ifdef DIG_SIGCHASE + if (!l->sigchase) { + do_sigchase = ISC_FALSE; + } else { + parseflags = 0; + do_sigchase = ISC_TRUE; + } +#endif if (l->besteffort) { parseflags |= DNS_MESSAGEPARSE_BESTEFFORT; parseflags |= DNS_MESSAGEPARSE_IGNORETRUNCATION; @@ -2398,8 +2704,7 @@ recv_done(isc_task_t *task, isc_event_t *event) { return; } if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0 - && !l->ignore && !l->tcp_mode) - { + && !l->ignore && !l->tcp_mode) { printf(";; Truncated, retrying in TCP mode.\n"); n = requeue_lookup(l, ISC_TRUE); n->tcp_mode = ISC_TRUE; 
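Review bot: `isc_result_t do_sigchase = ISC_FALSE;` in the @@ -2221 hunk declares a flag with the result type; it is only ever assigned `ISC_TRUE`/`ISC_FALSE` and tested with `!do_sigchase`, so it should be `isc_boolean_t do_sigchase = ISC_FALSE;`. In the @@ -2375 hunk `parseflags = 0;` throws away the `DNS_MESSAGEPARSE_PRESERVEORDER` set on the preceding line whenever sigchase is on; if that is deliberate (presumably so that RRs are merged into per-name RRsets for the chase code instead of being kept in wire order) a comment saying so would stop the next reader treating it as a lost flag, e.g. `/* sigchase needs RRsets merged per name, so do not preserve wire order */`. The `if (!l->sigchase) { do_sigchase = ISC_FALSE; }` arm only restates the initialiser and can be folded into a single `if (l->sigchase) { parseflags = 0; do_sigchase = ISC_TRUE; }`. recv_done starts before and ends after these hunks.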
@@ -2493,24 +2798,33 @@ recv_done(isc_task_t *task, isc_event_t *event) { } if (!l->doing_xfr || l->xfr_q == query) { +#ifdef DIG_SIGCHASE + int count = 0; +#endif if (msg->rcode != dns_rcode_noerror && l->origin != NULL) { if (!next_origin(msg, query)) { printmessage(query, msg, ISC_TRUE); received(b->used, &sevent->address, query); } } else if (!l->trace && !l->ns_search_only) { - printmessage(query, msg, ISC_TRUE); +#ifdef DIG_SIGCHASE + if (!do_sigchase) +#endif + printmessage(query, msg, ISC_TRUE); } else if (l->trace) { int n = 0; +#ifdef DIG_SIGCHASE + count = msg->counts[DNS_SECTION_ANSWER]; +#else int count = msg->counts[DNS_SECTION_ANSWER]; +#endif debug("in TRACE code"); if (!l->ns_search_only) printmessage(query, msg, ISC_TRUE); l->rdtype = l->qrdtype; - if (l->trace_root || (l->ns_search_only && count > 0)) - { + if (l->trace_root || (l->ns_search_only && count > 0)) { if (!l->trace_root) l->rdtype = dns_rdatatype_soa; n = followup_lookup(msg, query, 
@@ -2537,9 +2851,56 @@ recv_done(isc_task_t *task, isc_event_t *event) { docancel = ISC_TRUE; l->trace_root = ISC_FALSE; } else +#ifdef DIG_SIGCHASE + if (!do_sigchase) +#endif printmessage(query, msg, ISC_TRUE); } +#ifdef DIG_SIGCHASE + if ( do_sigchase) { + chase_msg = isc_mem_allocate(mctx, + sizeof(dig_message_t)); + if (chase_msg == NULL) { + fatal("Memory allocation failure in %s:%d", + __FILE__, __LINE__); + } + ISC_LIST_APPEND(chase_message_list, chase_msg, link); + if (dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, + &msg_temp) != ISC_R_SUCCESS) { + fatal("dns_message_create in %s:%d", + __FILE__, __LINE__); + } + + isc_buffer_usedregion(b, &r); + result = isc_buffer_allocate(mctx, &buf, r.length); + + check_result(result, "isc_buffer_allocate"); + result = isc_buffer_copyregion(buf, &r); + check_result(result, "isc_buffer_copyregion"); + + result = dns_message_parse(msg_temp, buf, 0); + + isc_buffer_free(&buf); + chase_msg->msg = msg_temp; + + chase_msg2 = isc_mem_allocate(mctx, + sizeof(dig_message_t)); + if (chase_msg2 == NULL) { + fatal("Memory allocation failure in %s:%d", + __FILE__, __LINE__); + } + ISC_LIST_APPEND(chase_message_list2, chase_msg2, link); + chase_msg2->msg = msg; + } +#endif + } + +#ifdef DIG_SIGCHASE + if (l->sigchase && ISC_LIST_EMPTY(lookup_list) ) { + sigchase(msg_temp); + } +#endif if (l->pending) debug("still pending."); 
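Review bot: `result = dns_message_parse(msg_temp, buf, 0);` in the @@ -2537 hunk is the only call in this block whose result is not checked: on failure a partially parsed message is still stored as `chase_msg->msg` and later handed to `sigchase()`. Add `check_result(result, "dns_message_parse");` before `isc_buffer_free(&buf);`, matching the surrounding calls. `buf` is freed immediately after the parse while `msg_temp` lives on in `chase_message_list`; if dns_message_parse retains references into its source buffer for this flag combination (I cannot confirm that from this page) the stored message would dangle, so please verify against the message API. Also, `sigchase(msg_temp)` is guarded by `l->sigchase` rather than by `do_sigchase`/`msg_temp != NULL`; when the `!l->doing_xfr || l->xfr_q == query` branch is not taken, `msg_temp` is still NULL here.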
@@ -2560,21 +2921,37 @@ recv_done(isc_task_t *task, isc_event_t *event) { check_next_lookup(l); } } else { - if (msg->rcode == dns_rcode_noerror || l->origin == NULL) - received(b->used, &sevent->address, query); + + if (msg->rcode == dns_rcode_noerror || l->origin == NULL) { + +#ifdef DIG_SIGCHASE + if (!l->sigchase) +#endif + received(b->used, &sevent->address, query); + } + if (!query->lookup->ns_search_only) query->lookup->pending = ISC_FALSE; if (!query->lookup->ns_search_only || - query->lookup->trace_root || docancel) - { - dns_message_destroy(&msg); + query->lookup->trace_root || docancel) { +#ifdef DIG_SIGCHASE + if (!do_sigchase) +#endif + dns_message_destroy(&msg); + cancel_lookup(l); } clear_query(query); check_next_lookup(l); } - if (msg != NULL) - dns_message_destroy(&msg); + if (msg != NULL) { +#ifdef DIG_SIGCHASE + if (do_sigchase) + msg = NULL; + else +#endif + dns_message_destroy(&msg); + } isc_event_free(&event); UNLOCK_LOOKUP; } @@ -2677,6 +3054,10 @@ cancel_all(void) { */ void destroy_libs(void) { +#ifdef DIG_SIGCHASE + void * ptr; + dig_message_t *chase_msg; +#endif debug("destroy_libs()"); if (global_task != NULL) { 
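Review bot: The final `if (do_sigchase) msg = NULL; else dns_message_destroy(&msg);` in the @@ -2560 hunk hands ownership of `msg` to `chase_message_list2`, but nothing at the hand-off says so; a comment such as `/* msg is now owned by chase_message_list2 and freed in destroy_libs() */` would explain why the destroy is skipped both here and in the `docancel` branch above. The transfer itself happens only inside the `!l->doing_xfr || l->xfr_q == query` branch of the previous hunk, so I cannot tell from these hunks whether a sigchase message on the zone-transfer path (handled outside this hunk) ends up both listed and destroyed, or neither; worth checking. `received()` is also skipped whenever `l->sigchase`, which silently drops the usual query-time/server summary; if that is intended, the `+sigchase` option text in the docbook hunk should mention it.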
@@ -2739,8 +3120,1945 @@ destroy_libs(void) { UNLOCK_LOOKUP; DESTROYLOCK(&lookup_lock); +#ifdef DIG_SIGCHASE + + debug("Destroy the messages kept for sigchase"); + /* Destroy the messages kept for sigchase */ + chase_msg = ISC_LIST_HEAD(chase_message_list); + + while (chase_msg != NULL) { + INSIST(chase_msg->msg != NULL); + dns_message_destroy(&(chase_msg->msg)); + ptr = chase_msg; + chase_msg = ISC_LIST_NEXT(chase_msg, link); + isc_mem_free(mctx, ptr); + } + + chase_msg = ISC_LIST_HEAD(chase_message_list2); + + while (chase_msg != NULL) { + INSIST(chase_msg->msg != NULL); + dns_message_destroy(&(chase_msg->msg)); + ptr = chase_msg; + chase_msg = ISC_LIST_NEXT(chase_msg, link); + isc_mem_free(mctx, ptr); + } + + debug("Destroy memory"); + +#endif if (memdebugging != 0) isc_mem_stats(mctx, stderr); if (mctx != NULL) isc_mem_destroy(&mctx); } + + + + +#ifdef DIG_SIGCHASE +void +print_type(dns_rdatatype_t type) +{ + isc_buffer_t * b = NULL; + isc_result_t result; + isc_region_t r; + + result = isc_buffer_allocate(mctx, &b, 4000); + check_result(result, "isc_buffer_allocate"); + + result = dns_rdatatype_totext(type, b); + check_result(result, "print_type"); + + isc_buffer_usedregion(b, &r); + r.base[r.length] = '\0'; + + printf("%s", r.base); + + isc_buffer_free(&b); +} + + +void +dump_database_section( dns_message_t *msg, int section) +{ + dns_name_t *msg_name=NULL; + + dns_rdataset_t *rdataset; + + do { + dns_message_currentname(msg, section, &msg_name); + + for (rdataset = ISC_LIST_HEAD(msg_name->list); rdataset != NULL; + rdataset = ISC_LIST_NEXT(rdataset, link)) { + dns_name_print(msg_name, stdout); + printf("\n"); + print_rdataset(msg_name, rdataset, mctx); + printf("end\n"); + } + msg_name = NULL; + } while ( dns_message_nextname(msg, section) == ISC_R_SUCCESS); +} + + +void dump_database(void) +{ + dig_message_t * msg; + + for (msg = ISC_LIST_HEAD(chase_message_list); msg != NULL; + msg = ISC_LIST_NEXT(msg, link)) { + if (dns_message_firstname(msg->msg, 
DNS_SECTION_ANSWER) + == ISC_R_SUCCESS) + dump_database_section(msg->msg, DNS_SECTION_ANSWER); + + if (dns_message_firstname(msg->msg, DNS_SECTION_AUTHORITY) + == ISC_R_SUCCESS) + dump_database_section(msg->msg, DNS_SECTION_AUTHORITY); + + if (dns_message_firstname(msg->msg, DNS_SECTION_ADDITIONAL) + == ISC_R_SUCCESS) + dump_database_section(msg->msg, DNS_SECTION_ADDITIONAL); + } +} + + +dns_rdataset_t * search_type(dns_name_t *name, + dns_rdatatype_t type, + dns_rdatatype_t covers) +{ + dns_rdataset_t *rdataset; + dns_rdata_sig_t siginfo; + dns_rdata_t sigrdata; + isc_result_t result; + + for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; + rdataset = ISC_LIST_NEXT(rdataset, link)) { + if (type == dns_rdatatype_any) { + if (rdataset->type != dns_rdatatype_rrsig) + return rdataset; + } + else if ((type == dns_rdatatype_rrsig) && + (rdataset->type == dns_rdatatype_rrsig)) { + dns_rdata_init(&sigrdata); + result = dns_rdataset_first(rdataset); + check_result(result, "empty rdataset"); + dns_rdataset_current(rdataset, &sigrdata); + result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL); + check_result(result, "sigrdata tostruct siginfo"); + + if ((siginfo.covered == covers) || + (covers == dns_rdatatype_any)) { + dns_rdata_reset(&sigrdata); + dns_rdata_freestruct(&siginfo); + return rdataset; + } + dns_rdata_reset(&sigrdata); + dns_rdata_freestruct(&siginfo); + } + else if (rdataset->type == type) + return rdataset; + } + return NULL; +} + +dns_rdataset_t * +chase_scanname_section(dns_message_t *msg, + dns_name_t *name, + dns_rdatatype_t type, + dns_rdatatype_t covers, + int section) +{ + dns_rdataset_t *rdataset; + dns_name_t *msg_name = NULL; + + do { + dns_message_currentname(msg, section, &msg_name); + if (dns_name_compare(msg_name, name) == 0) { + rdataset = search_type(msg_name, type, covers); + if ( rdataset != NULL) + return rdataset; + } + msg_name = NULL; + } while ( dns_message_nextname(msg, section) == ISC_R_SUCCESS); + + return(NULL); +} + + 
+dns_rdataset_t * +chase_scanname(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers) +{ + dns_rdataset_t *rdataset = NULL; + dig_message_t * msg; + + for (msg = ISC_LIST_HEAD(chase_message_list2); msg != NULL; + msg = ISC_LIST_NEXT(msg, link)) { + if (dns_message_firstname(msg->msg, DNS_SECTION_ANSWER) + == ISC_R_SUCCESS) + rdataset = chase_scanname_section(msg->msg, name, + type, covers, + DNS_SECTION_ANSWER); + if (rdataset != NULL) + return rdataset; + if (dns_message_firstname(msg->msg, DNS_SECTION_AUTHORITY) + == ISC_R_SUCCESS) + rdataset = + chase_scanname_section(msg->msg, name, + type, covers, + DNS_SECTION_AUTHORITY); + if (rdataset != NULL) + return rdataset; + if (dns_message_firstname(msg->msg, DNS_SECTION_ADDITIONAL) + == ISC_R_SUCCESS) + rdataset = + chase_scanname_section(msg->msg, name, type, + covers, + DNS_SECTION_ADDITIONAL); + if (rdataset != NULL) + return rdataset; + } + + return NULL; +} + +dns_rdataset_t * +sigchase_scanname(dns_rdatatype_t type, dns_rdatatype_t covers, + isc_boolean_t * lookedup, + dns_name_t *rdata_name ) +{ + dig_lookup_t *lookup; + isc_buffer_t *b = NULL; + isc_region_t r; + isc_result_t result; + dns_rdataset_t * temp; + dns_rdatatype_t querytype; + + if ((temp=chase_scanname(rdata_name, type, covers))!=NULL) { + return(temp); + } + + if (*lookedup == ISC_TRUE) { + return(NULL); + } + + lookup = clone_lookup(current_lookup, ISC_TRUE); + lookup->trace_root = ISC_FALSE; + lookup->new_search = ISC_TRUE; + + result = isc_buffer_allocate(mctx, &b, BUFSIZE); + check_result(result, "isc_buffer_allocate"); + result = dns_name_totext(rdata_name, ISC_FALSE, b); + check_result(result, "dns_name_totext"); + isc_buffer_usedregion(b, &r); + r.base[r.length] = '\0'; + strcpy(lookup->textname, (char*)r.base); + isc_buffer_free(&b); + + if (type == dns_rdatatype_rrsig) + querytype = covers; + else + querytype = type; + if (querytype == 0 || querytype == 255) { + printf("Error in the queried type: %d\n", querytype); + 
return(NULL); + } + + lookup->rdtype = querytype; + lookup->rdtypeset = ISC_TRUE; + lookup->qrdtype = querytype; + *lookedup = ISC_TRUE; + + ISC_LIST_APPEND(lookup_list, lookup, link); + printf("\n\nLaunch a query to find a RRset of type "); + print_type(type); + printf(" for zone: %s\n", lookup->textname); + return(NULL); +} + +void +insert_trustedkey(dst_key_t * key) +{ + if (key == NULL) + return; + if (tk_list.nb_tk >= MAX_TRUSTED_KEY) + return; + + tk_list.key[tk_list.nb_tk++] = key; + return; +} + +void +clean_trustedkey() +{ + int i = 0; + + for (i= 0; i < MAX_TRUSTED_KEY; i++) { + if (tk_list.key[i] != NULL) { + dst_key_free(&tk_list.key[i]); + tk_list.key[i] = NULL; + } + else + break; + } + tk_list.nb_tk = 0; + return; +} + +char alphnum[] = + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; + +isc_result_t +removetmpkey(isc_mem_t *mctx, const char *file) +{ + char *tempnamekey = NULL; + int tempnamekeylen; + isc_result_t result; + + tempnamekeylen = strlen(file)+10; + + tempnamekey = isc_mem_allocate(mctx, tempnamekeylen); + if (tempnamekey == NULL) + return (ISC_R_NOMEMORY); + + memset(tempnamekey, 0, tempnamekeylen); + + strcat(tempnamekey, file); + strcat(tempnamekey,".key"); + isc_file_remove(tempnamekey); + + result = isc_file_remove(tempnamekey); + isc_mem_free(mctx, tempnamekey); + return(result); +} + +isc_result_t +opentmpkey(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) { + FILE *f = NULL; + isc_result_t result; + char *tempname = NULL; + char *tempnamekey = NULL; + int tempnamelen; + int tempnamekeylen; + char *x; + char *cp; + isc_uint32_t which; + + while (1) { + tempnamelen = strlen(file) + 20; + tempname = isc_mem_allocate(mctx, tempnamelen); + if (tempname == NULL) + return (ISC_R_NOMEMORY); + memset(tempname, 0, tempnamelen); + + result = isc_file_mktemplate(file, tempname, tempnamelen); + if (result != ISC_R_SUCCESS) + goto cleanup; + + cp = tempname; + while (*cp != '\0') + cp++; + if (cp == tempname) { + 
isc_mem_free(mctx, tempname); + return (ISC_R_FAILURE); + } + + x = cp--; + while (cp >= tempname && *cp == 'X') { + isc_random_get(&which); + *cp = alphnum[which % (sizeof(alphnum) - 1)]; + x = cp--; + } + + tempnamekeylen = tempnamelen+5; + tempnamekey = isc_mem_allocate(mctx, tempnamekeylen); + if (tempnamekey == NULL) + return (ISC_R_NOMEMORY); + + memset(tempnamekey, 0, tempnamekeylen); + strncpy(tempnamekey, tempname, tempnamelen); + strcat(tempnamekey ,".key"); + + + if (isc_file_exists(tempnamekey)) { + isc_mem_free(mctx, tempnamekey); + isc_mem_free(mctx, tempname); + continue; + } + + if ((f = fopen(tempnamekey, "w")) == NULL) { + printf("get_trusted_key(): trusted key not found %s\n", + tempnamekey); + return ISC_R_FAILURE; + } + break; + } + isc_mem_free(mctx, tempnamekey); + *tempp = tempname; + *fp = f; + return (ISC_R_SUCCESS); + + cleanup: + isc_mem_free(mctx, tempname); + + return (result); +} + + +isc_result_t +get_trusted_key(isc_mem_t *mctx) +{ + isc_result_t result; + const char * filename = NULL; + char * filetemp =NULL; + char buf[1500]; + FILE *fp , *fptemp; + dst_key_t * key = NULL; + + result = isc_file_exists(trustedkey); + if (result != ISC_TRUE) { + result = isc_file_exists("/etc/trusted-key.key"); + if (result != ISC_TRUE) { + result = isc_file_exists("./trusted-key.key"); + if (result != ISC_TRUE) + return ISC_R_FAILURE; + else + filename = "./trusted-key.key"; + } + else + filename = "/etc/trusted-key.key"; + } + else + filename = trustedkey; + + if (filename == NULL) { + printf("No trusted key\n"); + return ISC_R_FAILURE; + } + + if ((fp = fopen(filename, "r")) == NULL) { + printf("get_trusted_key(): trusted key not found %s\n", + filename); + return ISC_R_FAILURE; + } + while (fgets(buf, 1500, fp) != NULL) { + result = opentmpkey(mctx,"tmp_file", &filetemp, &fptemp); + if (result != ISC_R_SUCCESS) { + fclose(fp); + return ISC_R_FAILURE; + } + if (fputs(buf, fptemp)<0) { + fclose(fp); + fclose(fptemp); + return ISC_R_FAILURE; + } + 
fclose(fptemp); + result = dst_key_fromnamedfile(filetemp, DST_TYPE_PUBLIC, + mctx, &key); + removetmpkey(mctx, filetemp); + isc_mem_free(mctx, filetemp); + if (result != ISC_R_SUCCESS ) { + fclose(fp); + return ISC_R_FAILURE; + } + insert_trustedkey(key); +#if 0 + dst_key_tofile(key, DST_TYPE_PUBLIC,"/tmp"); +#endif + key = NULL; + } + return ISC_R_SUCCESS; +} + + +isc_result_t +nameFromString( const char *str, dns_name_t *p_ret ) +{ + int len = strlen(str); + int ret; + isc_buffer_t buffer; + dns_fixedname_t fixedname; + REQUIRE( p_ret); + REQUIRE( str != NULL ); + + isc_buffer_init( &buffer, str, len ); + isc_buffer_add( &buffer, len ); + + dns_fixedname_init(&fixedname); + ret = dns_name_fromtext( dns_fixedname_name(&fixedname), &buffer, + dns_rootname, ISC_TRUE, NULL); + if ( ret != ISC_R_SUCCESS ) return ret; + + dns_name_init(p_ret, NULL ); + + ret = dns_name_dup( dns_fixedname_name(&fixedname), mctx, p_ret ); + return ret; +} + + +#if DIG_SIGCHASE_TD +isc_result_t +prepare_lookup(dns_name_t *name) +{ + isc_result_t result; + dig_lookup_t * lookup = NULL; + dig_server_t *s; + void *ptr; + + lookup = clone_lookup(current_lookup, ISC_TRUE); + lookup->trace_root = ISC_FALSE; + lookup->new_search = ISC_TRUE; + lookup->trace_root_sigchase = ISC_FALSE; + + strncpy(lookup->textname, lookup->textnamesigchase, MXNAME); + + lookup->rdtype = lookup->rdtype_sigchase; + lookup->rdtypeset = ISC_TRUE; + lookup->qrdtype = lookup->qrdtype_sigchase; + + + + s = ISC_LIST_HEAD(lookup->my_server_list); + while (s != NULL) { + debug("freeing server %p belonging to %p", + s, lookup); + ptr = s; + s = ISC_LIST_NEXT(s, link); + ISC_LIST_DEQUEUE(lookup->my_server_list, + (dig_server_t *)ptr, link); + isc_mem_free(mctx, ptr); + } + + + for (result = dns_rdataset_first(chase_nsrdataset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(chase_nsrdataset)) { + char namestr[DNS_NAME_FORMATSIZE]; + dns_rdata_ns_t ns; + dns_rdata_t rdata = DNS_RDATA_INIT; + dig_server_t * srv = NULL; 
+#define __FOLLOW_GLUE__ +#ifdef __FOLLOW_GLUE__ + isc_buffer_t * b = NULL; + isc_result_t result; + isc_region_t r; + dns_rdataset_t * rdataset =NULL; + isc_boolean_t true = ISC_TRUE; +#endif + + memset(namestr, 0, DNS_NAME_FORMATSIZE); + + dns_rdataset_current(chase_nsrdataset, &rdata); + + (void)dns_rdata_tostruct(&rdata, &ns, NULL); + + + +#ifdef __FOLLOW_GLUE__ + + result = advanced_rrsearch(&rdataset, &ns.name, + dns_rdatatype_aaaa, + dns_rdatatype_any, &true); + if (result == ISC_R_SUCCESS) { + for (result = dns_rdataset_first(rdataset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(rdataset)) { + dns_rdata_t aaaa = DNS_RDATA_INIT; + dns_rdataset_current(rdataset, &aaaa); + + result = isc_buffer_allocate(mctx, &b, 80); + check_result(result, "isc_buffer_allocate"); + + dns_rdata_totext(&aaaa, &ns.name, b); + isc_buffer_usedregion(b, &r); + r.base[r.length] = '\0'; + strncpy(namestr, (char*)r.base, + DNS_NAME_FORMATSIZE); + isc_buffer_free(&b); + dns_rdata_reset(&aaaa); + + + srv = make_server(namestr); + + ISC_LIST_APPEND(lookup->my_server_list, + srv, link); + } + } + + rdataset = NULL; + result = advanced_rrsearch(&rdataset, &ns.name, dns_rdatatype_a, + dns_rdatatype_any, &true); + if (result == ISC_R_SUCCESS) { + for (result = dns_rdataset_first(rdataset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(rdataset)) { + dns_rdata_t a = DNS_RDATA_INIT; + dns_rdataset_current(rdataset, &a); + + result = isc_buffer_allocate(mctx, &b, 80); + check_result(result, "isc_buffer_allocate"); + + dns_rdata_totext(&a, &ns.name, b); + isc_buffer_usedregion(b, &r); + r.base[r.length] = '\0'; + strncpy(namestr, (char*)r.base, + DNS_NAME_FORMATSIZE); + isc_buffer_free(&b); + dns_rdata_reset(&a); + printf("ns name: %s\n", namestr); + + + srv = make_server(namestr); + + ISC_LIST_APPEND(lookup->my_server_list, + srv, link); + } + } +#else + + dns_name_format(&ns.name, namestr, sizeof(namestr)); + printf("ns name: "); + dns_name_print(&ns.name, stdout); + 
printf("\n"); + srv = make_server(namestr); + + ISC_LIST_APPEND(lookup->my_server_list, srv, link); + +#endif + dns_rdata_freestruct(&ns); + dns_rdata_reset(&rdata); + + } + + ISC_LIST_APPEND(lookup_list, lookup, link); + printf("\nLaunch a query to find a RRset of type "); + print_type(lookup->rdtype); + printf(" for zone: %s", lookup->textname); + printf(" with nameservers:"); + printf("\n"); + print_rdataset(name, chase_nsrdataset, mctx); + return ISC_R_SUCCESS; +} + + +isc_result_t +child_of_zone(dns_name_t * name, dns_name_t * zone_name, + dns_name_t * child_name) +{ + dns_namereln_t name_reln; + int orderp; + unsigned int nlabelsp; + + name_reln = dns_name_fullcompare(name, zone_name, &orderp, &nlabelsp); + if ( (name_reln != dns_namereln_subdomain) || + (dns_name_countlabels(name) <= + dns_name_countlabels(zone_name) +1)) { + printf("\n;; ERROR : "); + dns_name_print(name, stdout); + printf(" is not a subdomain of: "); + dns_name_print(zone_name, stdout); + printf(" FAILED\n\n"); + return ISC_R_FAILURE; + } + + dns_name_getlabelsequence(name, + dns_name_countlabels(name) - + dns_name_countlabels(zone_name) -1, + dns_name_countlabels(zone_name) +1, + child_name); + return ISC_R_SUCCESS; +} + +isc_result_t +grandfather_pb_test(dns_name_t * zone_name, dns_rdataset_t * sigrdataset) +{ + isc_result_t result; + dns_rdata_t sigrdata; + dns_rdata_sig_t siginfo; + + result = dns_rdataset_first(sigrdataset); + check_result(result, "empty RRSIG dataset"); + dns_rdata_init(&sigrdata); + + do { + dns_rdataset_current(sigrdataset, &sigrdata); + + result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL); + check_result(result, "sigrdata tostruct siginfo"); + + if (dns_name_compare(&siginfo.signer, zone_name) == 0) { + dns_rdata_freestruct(&siginfo); + dns_rdata_reset(&sigrdata); + return ISC_R_SUCCESS; + } + + dns_rdata_freestruct(&siginfo); + + } while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS); + + dns_rdata_reset(&sigrdata); + + return ISC_R_FAILURE; +} + 
+ +isc_result_t +initialization(dns_name_t * name) +{ + isc_result_t result; + isc_boolean_t true = ISC_TRUE; + + chase_nsrdataset = NULL; + result = advanced_rrsearch(&chase_nsrdataset, name, dns_rdatatype_ns, + dns_rdatatype_any, &true); + if (result != ISC_R_SUCCESS) { + printf("\n;; NS RRset is missing to continue validation:" + " FAILED\n\n"); + return ISC_R_FAILURE; + } + INSIST(chase_nsrdataset != NULL); + prepare_lookup(name); + + dup_name(name, &chase_current_name, mctx); + + return ISC_R_SUCCESS; +} +#endif + +void +print_rdataset(dns_name_t * name, dns_rdataset_t *rdataset, isc_mem_t *mctx) +{ + isc_buffer_t * b = NULL; + isc_result_t result; + isc_region_t r; + + result = isc_buffer_allocate(mctx, &b, 9000); + check_result(result, "isc_buffer_allocate"); + + printrdataset(name, rdataset, b); + + isc_buffer_usedregion(b, &r); + r.base[r.length] = '\0'; + + + printf("%s\n", r.base); + + isc_buffer_free(&b); +} + + +void +dup_name(dns_name_t *source, dns_name_t* target, isc_mem_t *mctx) +{ + isc_result_t result; + + dns_name_init(target, NULL); + result = dns_name_dup(source, mctx, target); + check_result(result, "dns_name_dup"); +} + +/* + * + * take a DNSKEY RRset and the RRSIG RRset corresponding in parameter + * return ISC_R_SUCCESS if the DNSKEY RRset contains a trusted_key + * and the RRset is valid + * return ISC_R_NOTFOUND if not contains trusted key + or if the RRset isn't valid + * return ISC_R_FAILURE if problem + * + */ +isc_result_t +contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset, + dns_rdataset_t *sigrdataset, + isc_mem_t *mctx) +{ + isc_result_t result; + dns_rdata_t rdata; + dst_key_t * trustedKey = NULL; + dst_key_t * dnsseckey = NULL; + int i; + + if (name == NULL || rdataset == NULL) { + return ISC_R_FAILURE; + } + + result = dns_rdataset_first(rdataset); + check_result(result, "empty rdataset"); + dns_rdata_init(&rdata); + + do { + dns_rdataset_current(rdataset, &rdata); + INSIST(rdata.type == dns_rdatatype_dnskey); + + 
result = dns_dnssec_keyfromrdata(name, &rdata, + mctx, &dnsseckey); + check_result(result, "dns_dnssec_keyfromrdata"); + + + for (i = 0; i< tk_list.nb_tk; i++) { + if (dst_key_compare(tk_list.key[i], dnsseckey) + == ISC_TRUE) { + dns_rdata_reset(&rdata); + + printf(";; Ok, find a Trusted Key in the " + "DNSKEY RRset: %d\n", + dst_key_id(dnsseckey)); + if (sigchase_verify_sig_key(name, rdataset, + dnsseckey, + sigrdataset, + mctx) + == ISC_R_SUCCESS) { + dst_key_free(&dnsseckey); + dnsseckey = NULL; + return ISC_R_SUCCESS; + } + } + } + + dns_rdata_reset(&rdata); + if (dnsseckey != NULL) + dst_key_free(&dnsseckey); + } while (dns_rdataset_next(rdataset) == ISC_R_SUCCESS); + + if (trustedKey != NULL) + dst_key_free(&trustedKey); + trustedKey = NULL; + + return ISC_R_NOTFOUND; +} + +isc_result_t +sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset, + dns_rdataset_t *keyrdataset, + dns_rdataset_t *sigrdataset, + isc_mem_t *mctx) +{ + isc_result_t result; + dns_rdata_t keyrdata; + dst_key_t * dnsseckey = NULL; + + result = dns_rdataset_first(keyrdataset); + check_result(result, "empty DNSKEY dataset"); + dns_rdata_init(&keyrdata); + + do { + dns_rdataset_current(keyrdataset, &keyrdata); + INSIST(keyrdata.type == dns_rdatatype_dnskey); + + result = dns_dnssec_keyfromrdata(name, &keyrdata, + mctx, &dnsseckey); + check_result(result, "dns_dnssec_keyfromrdata"); + + result = sigchase_verify_sig_key(name, rdataset, dnsseckey, + sigrdataset, mctx); + if (result == ISC_R_SUCCESS) { + dns_rdata_reset(&keyrdata); + dst_key_free(&dnsseckey); + return(ISC_R_SUCCESS); + } + dst_key_free(&dnsseckey); + } while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS); + + dns_rdata_reset(&keyrdata); + + return ISC_R_NOTFOUND; +} + +isc_result_t +sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset, + dst_key_t* dnsseckey, + dns_rdataset_t *sigrdataset, isc_mem_t *mctx) +{ + isc_result_t result; + dns_rdata_t sigrdata; + dns_rdata_sig_t siginfo; + + result = 
dns_rdataset_first(sigrdataset); + check_result(result, "empty RRSIG dataset"); + dns_rdata_init(&sigrdata); + + do { + dns_rdataset_current(sigrdataset, &sigrdata); + + result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL); + check_result(result, "sigrdata tostruct siginfo"); + + /* + * Test if the id of the DNSKEY is + * the id of the DNSKEY signer's + */ + if (siginfo.keyid == dst_key_id(dnsseckey)) { + + result = dns_rdataset_first(rdataset); + check_result(result, "empty DS dataset"); + + result = dns_dnssec_verify(name, rdataset, dnsseckey, + ISC_FALSE, mctx, &sigrdata); + + printf(";; VERIFYING "); + print_type(rdataset->type); + printf(" RRset for "); + dns_name_print(name, stdout); + printf(" with DNSKEY:%d: %s\n", dst_key_id(dnsseckey), + isc_result_totext(result)); + + if (result == ISC_R_SUCCESS) { + dns_rdata_reset(&sigrdata); + return result; + } + } + dns_rdata_freestruct(&siginfo); + + } while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS); + + dns_rdata_reset(&sigrdata); + + return ISC_R_NOTFOUND; +} + + +isc_result_t +sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, + dns_rdataset_t *dsrdataset, isc_mem_t *mctx) +{ + isc_result_t result; + dns_rdata_t keyrdata; + dns_rdata_t newdsrdata; + dns_rdata_t dsrdata; + dns_rdata_ds_t dsinfo; + dst_key_t* dnsseckey = NULL; + unsigned char dsbuf[DNS_DS_BUFFERSIZE]; + + result = dns_rdataset_first(dsrdataset); + check_result(result, "empty DSset dataset"); + dns_rdata_init(&dsrdata); + do { + dns_rdataset_current(dsrdataset, &dsrdata); + + result = dns_rdata_tostruct(&dsrdata, &dsinfo, NULL); + check_result(result, "dns_rdata_tostruct for DS"); + + result = dns_rdataset_first(keyrdataset); + check_result(result, "empty KEY dataset"); + dns_rdata_init(&keyrdata); + + do { + dns_rdataset_current(keyrdataset, &keyrdata); + INSIST(keyrdata.type == dns_rdatatype_dnskey); + + result = dns_dnssec_keyfromrdata(name, &keyrdata, + mctx, &dnsseckey); + check_result(result, 
"dns_dnssec_keyfromrdata"); + + /* + * Test if the id of the DNSKEY is the + * id of DNSKEY referenced by the DS + */ + if (dsinfo.key_tag == dst_key_id(dnsseckey)) { + dns_rdata_init(&newdsrdata); + + result = dns_ds_buildrdata(name, &keyrdata, + dsinfo.digest_type, + dsbuf, &newdsrdata); + dns_rdata_freestruct(&dsinfo); + + if (result != ISC_R_SUCCESS) { + dns_rdata_reset(&keyrdata); + dns_rdata_reset(&newdsrdata); + dns_rdata_reset(&dsrdata); + dst_key_free(&dnsseckey); + dns_rdata_freestruct(&dsinfo); + printf("Oops: impossible to build" + " new DS rdata\n"); + return result; + } + + + if (dns_rdata_compare(&dsrdata, + &newdsrdata) == 0) { + printf(";; OK a DS valids a DNSKEY" + " in the RRset\n"); + printf(";; Now verify that this" + " DNSKEY validates the " + "DNSKEY RRset\n"); + + result = sigchase_verify_sig_key(name, + keyrdataset, + dnsseckey, + chase_sigkeyrdataset, + mctx); + if (result == ISC_R_SUCCESS) { + dns_rdata_reset(&keyrdata); + dns_rdata_reset(&newdsrdata); + dns_rdata_reset(&dsrdata); + dst_key_free(&dnsseckey); + + return result; + } + } + else { + printf(";; This DS is NOT the DS for" + " the chasing KEY: FAILED\n"); + } + + dns_rdata_reset(&newdsrdata); + } + dst_key_free(&dnsseckey); + dnsseckey = NULL; + } while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS); + dns_rdata_reset(&keyrdata); + + } while (dns_rdataset_next(chase_dsrdataset) == ISC_R_SUCCESS); +#if 0 + dns_rdata_reset(&dsrdata); WARNING +#endif + + return ISC_R_NOTFOUND; +} + +/* + * + * take a pointer on a rdataset in parameter and try to resolv it. + * the searched rrset is a rrset on 'name' with type 'type' + * (and if the type is a rrsig the signature cover 'covers'). + * the lookedup is to known if you have already done the query on the net. 
+ * ISC_R_SUCCESS: if we found the rrset + * ISC_R_NOTFOUND: we do not found the rrset in cache + * and we do a query on the net + * ISC_R_FAILURE: rrset not found + */ +isc_result_t +advanced_rrsearch(dns_rdataset_t **rdataset, dns_name_t * name, + dns_rdatatype_t type, + dns_rdatatype_t covers, + isc_boolean_t *lookedup) +{ + isc_boolean_t tmplookedup; + + INSIST(rdataset != NULL); + + if (*rdataset != NULL) + return(ISC_R_SUCCESS); + + tmplookedup = *lookedup; + if ((*rdataset = sigchase_scanname(type, covers, + lookedup, name)) == NULL) { + if (tmplookedup) + return (ISC_R_FAILURE); + return (ISC_R_NOTFOUND); + } + *lookedup = ISC_FALSE; + return(ISC_R_SUCCESS); +} + + + +#if DIG_SIGCHASE_TD +void +sigchase_td(dns_message_t * msg) +{ + isc_result_t result; + dns_name_t * name = NULL; + isc_boolean_t have_answer = ISC_FALSE; + + isc_boolean_t true = ISC_TRUE; + + if ((result = dns_message_firstname(msg, DNS_SECTION_ANSWER)) + == ISC_R_SUCCESS) { + dns_message_currentname(msg, DNS_SECTION_ANSWER, &name); + if (current_lookup->trace_root_sigchase) { + initialization(name); + return; + } + have_answer = true; + } + else { + if (!current_lookup->trace_root_sigchase) { + result = dns_message_firstname(msg, + DNS_SECTION_AUTHORITY); + if (result == ISC_R_SUCCESS) + dns_message_currentname(msg, + DNS_SECTION_AUTHORITY, + &name); + chase_nsrdataset + = chase_scanname_section(msg, name, + dns_rdatatype_ns, + dns_rdatatype_any, + DNS_SECTION_AUTHORITY); + dup_name(name, &chase_authority_name, mctx); + if (chase_nsrdataset != NULL) { + have_delegation_ns = ISC_TRUE; + printf("no response but there is a delegation" + " in authority section:"); + dns_name_print(name, stdout); + printf("\n"); + } + else { + printf("no response and no delegation in " + "authority section but a reference" + " to: "); + dns_name_print(name, stdout); + printf("\n"); + error_message = msg; + } + } + else { + printf(";; NO ANSWERS: %s\n", + isc_result_totext(result)); + dns_name_free(&chase_name, 
mctx); + clean_trustedkey(); + return; + } + } + + + if (have_answer) { + chase_rdataset + = chase_scanname_section(msg, &chase_name, + current_lookup + ->rdtype_sigchase, + dns_rdatatype_any, + DNS_SECTION_ANSWER); + if (chase_rdataset != NULL) + have_response = ISC_TRUE; + } + + result = advanced_rrsearch(&chase_keyrdataset, + &chase_current_name, + dns_rdatatype_dnskey, + dns_rdatatype_any, + &chase_keylookedup); + if (result == ISC_R_FAILURE) { + printf("\n;; DNSKEY is missing to continue validation:" + " FAILED\n\n"); + goto cleanandgo; + } + if (result == ISC_R_NOTFOUND) + return; + INSIST(chase_keyrdataset != NULL); + printf("\n;; DNSKEYset:\n"); + print_rdataset(&chase_current_name , chase_keyrdataset, mctx); + + + result = advanced_rrsearch(&chase_sigkeyrdataset, + &chase_current_name, + dns_rdatatype_rrsig, + dns_rdatatype_dnskey, + &chase_sigkeylookedup); + if (result == ISC_R_FAILURE) { + printf("\n;; RRSIG of DNSKEY is missing to continue validation:" + " FAILED\n\n"); + goto cleanandgo; + } + if (result == ISC_R_NOTFOUND) + return; + INSIST(chase_sigkeyrdataset != NULL); + printf("\n;; RRSIG of the DNSKEYset:\n"); + print_rdataset(&chase_current_name , chase_sigkeyrdataset, mctx); + + + if (!chase_dslookedup && !chase_nslookedup) { + if (!delegation_follow) { + result = contains_trusted_key(&chase_current_name, + chase_keyrdataset, + chase_sigkeyrdataset, + mctx); + } + else { + INSIST(chase_dsrdataset != NULL); + INSIST(chase_sigdsrdataset != NULL); + result = sigchase_verify_ds(&chase_current_name, + chase_keyrdataset, + chase_dsrdataset, + mctx); + } + + if (result != ISC_R_SUCCESS) { + printf("\n;; chain of trust can't be validated:" + " FAILED\n\n"); + goto cleanandgo; + } + else { + chase_dsrdataset = NULL; + chase_sigdsrdataset = NULL; + } + } + + if (have_response || (!have_delegation_ns && !have_response)) { + /* test if it's a grand father case */ + + if (have_response) { + result = advanced_rrsearch(&chase_sigrdataset, + &chase_name, + 
dns_rdatatype_rrsig, + current_lookup + ->rdtype_sigchase, + &true); + if (result == ISC_R_FAILURE) { + printf("\n;; RRset is missing to continue" + " validation SHOULD NOT APPEND:" + " FAILED\n\n"); + goto cleanandgo; + } + + } + else { + result = advanced_rrsearch(&chase_sigrdataset, + &chase_authority_name, + dns_rdatatype_rrsig, + dns_rdatatype_any, + &true); + if (result == ISC_R_FAILURE) { + printf("\n;; RRSIG is missing to continue" + " validation SHOULD NOT APPEND:" + " FAILED\n\n"); + goto cleanandgo; + } + } + result = grandfather_pb_test(&chase_current_name, + chase_sigrdataset); + if (result != ISC_R_SUCCESS) { + dns_name_t tmp_name; + + printf("\n;; We are in a Grand Father Problem:" + " See 2.2.1 in RFC 3568\n"); + chase_rdataset = NULL; + chase_sigrdataset = NULL; + have_response = ISC_FALSE; + have_delegation_ns = ISC_FALSE; + + dns_name_init(&tmp_name, NULL); + result = child_of_zone(&chase_name, &chase_current_name, + &tmp_name); + if (chase_authority_name.labels != 0) + dns_name_free( &chase_authority_name, mctx); + dup_name(&tmp_name, &chase_authority_name, mctx); + printf(";; and we try to continue chain of trust" + " validation of the zone: "); + dns_name_print(&chase_authority_name, stdout); + printf("\n"); + have_delegation_ns = ISC_TRUE; + } + else { + if (have_response) + goto finalstep; + else + chase_sigrdataset = NULL; + } + } + + if (have_delegation_ns) { + chase_nsrdataset = NULL; + result = advanced_rrsearch(&chase_nsrdataset, + &chase_authority_name, + dns_rdatatype_ns, + dns_rdatatype_any, + &chase_nslookedup); + if (result == ISC_R_FAILURE) { + printf("\n;;NSset is missing to continue validation:" + " FAILED\n\n"); + goto cleanandgo; + } + if (result == ISC_R_NOTFOUND) { + return; + } + INSIST(chase_nsrdataset != NULL); + + result = advanced_rrsearch(&chase_dsrdataset, + &chase_authority_name, + dns_rdatatype_ds, + dns_rdatatype_any, + &chase_dslookedup); + if (result == ISC_R_FAILURE) { + printf("\n;; DSset is missing to continue 
validation:" + " FAILED\n\n"); + goto cleanandgo; + } + if (result == ISC_R_NOTFOUND) + return; + INSIST(chase_dsrdataset != NULL); + printf("\n;; DSset:\n"); + print_rdataset(&chase_authority_name , chase_dsrdataset, mctx); + + result = advanced_rrsearch(&chase_sigdsrdataset, + &chase_authority_name, + dns_rdatatype_rrsig, + dns_rdatatype_ds, + &true); + if (result != ISC_R_SUCCESS) { + printf("\n;; DSset is missing to continue validation:" + " FAILED\n\n"); + goto cleanandgo; + } + printf("\n;; RRSIGset of DSset\n"); + print_rdataset(&chase_authority_name, + chase_sigdsrdataset, mctx); + INSIST(chase_sigdsrdataset != NULL); + + result = sigchase_verify_sig(&chase_authority_name, + chase_dsrdataset, + chase_keyrdataset, + chase_sigdsrdataset, mctx); + if (result != ISC_R_SUCCESS) { + printf("\n;; Impossible to verify the DSset:" + " FAILED\n\n"); + goto cleanandgo; + } + chase_keyrdataset = NULL; + chase_sigkeyrdataset = NULL; + + + prepare_lookup(&chase_authority_name); + + have_response = ISC_FALSE; + have_delegation_ns = ISC_FALSE; + delegation_follow = ISC_TRUE; + error_message = NULL; + dns_name_free(&chase_current_name, mctx); + dup_name(&chase_authority_name, &chase_current_name, mctx); + dns_name_free(&chase_authority_name, mctx); + return; + } + + + if (error_message != NULL) { + dns_rdataset_t * rdataset; + dns_rdataset_t * sigrdataset; + dns_name_t rdata_name; + isc_result_t ret = ISC_R_FAILURE; + + result = prove_nx(error_message, &chase_name, + current_lookup->rdclass_sigchase, + current_lookup->rdtype_sigchase, &rdata_name, + &rdataset, &sigrdataset); + if (&rdata_name == NULL || rdataset == NULL || + sigrdataset == NULL) { + printf("\n;; Impossible to verify the non-existence," + " the NSEC RRset can't be validated:" + " FAILED\n\n"); + goto cleanandgo; + } + ret = sigchase_verify_sig(&rdata_name, rdataset, + chase_keyrdataset, + sigrdataset, mctx); + if (ret != ISC_R_SUCCESS) { + dns_name_free(&rdata_name, mctx); + printf("\n;; Impossible to verify 
the NSEC RR to prove" + " the non-existence : FAILED\n\n"); + goto cleanandgo; + } + dns_name_free(&rdata_name, mctx); + if (result != ISC_R_SUCCESS) { + printf("\n;; Impossible to verify the non-existence:" + " FAILED\n\n"); + goto cleanandgo; + } + else { + printf("\n;; OK the query doesn't have response but" + " we have validate this fact : SUCCESS\n\n"); + goto cleanandgo; + } + } + + cleanandgo: + printf(";; cleanandgo \n"); + dns_name_free(&chase_name, mctx); + if (chase_current_name.labels != 0) + dns_name_free(&chase_current_name, mctx); + if (chase_authority_name.labels != 0) + dns_name_free(&chase_authority_name, mctx); + clean_trustedkey(); + return; + + finalstep : + result = advanced_rrsearch(&chase_rdataset, &chase_name, + current_lookup->rdtype_sigchase, + dns_rdatatype_any , + &true); + if (result == ISC_R_FAILURE) { + printf("\n;; RRsig of RRset is missing to continue validation" + " SHOULD NOT APPEND: FAILED\n\n"); + goto cleanandgo; + } + result = sigchase_verify_sig(&chase_name, chase_rdataset, + chase_keyrdataset, + chase_sigrdataset, mctx); + if (result != ISC_R_SUCCESS) { + printf("\n;; Impossible to verify the RRset : FAILED\n\n"); + /* + printf("RRset:\n"); + print_rdataset(&chase_name , chase_rdataset, mctx); + printf("DNSKEYset:\n"); + print_rdataset(&chase_name , chase_keyrdataset, mctx); + printf("RRSIG of RRset:\n"); + print_rdataset(&chase_name , chase_sigrdataset, mctx); + printf("\n"); + */ + goto cleanandgo; + } + else { + printf("\n;; The Answer:\n"); + print_rdataset(&chase_name , chase_rdataset, mctx); + + printf("\n;; FINISH : we have validate the DNSSEC chain" + " of trust: SUCCESS\n\n"); + goto cleanandgo; + } +} + +#endif + + +#if DIG_SIGCHASE_BU + +isc_result_t +getneededrr(dns_message_t *msg) +{ + isc_result_t result; + dns_name_t *name = NULL; + dns_rdata_t sigrdata; + dns_rdata_sig_t siginfo; + isc_boolean_t true = ISC_TRUE; + + if ((result = dns_message_firstname(msg, DNS_SECTION_ANSWER)) + != ISC_R_SUCCESS) { + 
printf(";; NO ANSWERS: %s\n", isc_result_totext(result)); + + if (chase_name.ndata == NULL) { + return ISC_R_ADDRNOTAVAIL; + } + } + else { + dns_message_currentname(msg, DNS_SECTION_ANSWER, &name); + } + + /* What do we chase? */ + if (chase_rdataset == NULL) { + result = advanced_rrsearch(&chase_rdataset, name, + dns_rdatatype_any, + dns_rdatatype_any, &true); + if (result != ISC_R_SUCCESS) { + printf("\n;; No Answers: Validation FAILED\n\n"); + return ISC_R_NOTFOUND; + } + dup_name(name, &chase_name, mctx); + printf(";; RRset to chase:\n"); + print_rdataset(&chase_name, chase_rdataset, mctx); + } + INSIST(chase_rdataset != NULL); + + + if (chase_sigrdataset == NULL) { + result = advanced_rrsearch(&chase_sigrdataset, name, + dns_rdatatype_rrsig, + chase_rdataset->type, + &chase_siglookedup); + if (result == ISC_R_FAILURE) { + printf("\n;; RRSIG is missing for continue validation:" + " FAILED\n\n"); + if (chase_name.ndata != NULL) + dns_name_free(&chase_name, mctx); + return ISC_R_NOTFOUND; + } + if (result == ISC_R_NOTFOUND) { + return(ISC_R_NOTFOUND); + } + printf("\n;; RRSIG of the RRset to chase:\n"); + print_rdataset(&chase_name, chase_sigrdataset, mctx); + } + INSIST(chase_sigrdataset != NULL); + + + /* first find the DNSKEY name */ + result = dns_rdataset_first(chase_sigrdataset); + check_result(result, "empty RRSIG dataset"); + dns_rdata_init(&sigrdata); + dns_rdataset_current(chase_sigrdataset, &sigrdata); + result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL); + check_result(result, "sigrdata tostruct siginfo"); + dup_name(&siginfo.signer, &chase_signame, mctx); + dns_rdata_freestruct(&siginfo); + dns_rdata_reset(&sigrdata); + + /* Do we have a key? 
*/ + if (chase_keyrdataset == NULL) { + result = advanced_rrsearch(&chase_keyrdataset, + &chase_signame, + dns_rdatatype_dnskey, + dns_rdatatype_any, + &chase_keylookedup); + if (result == ISC_R_FAILURE) { + printf("\n;; DNSKEY is missing to continue validation:" + " FAILED\n\n"); + dns_name_free(&chase_signame, mctx); + if (chase_name.ndata != NULL) + dns_name_free(&chase_name, mctx); + return ISC_R_NOTFOUND; + } + if (result == ISC_R_NOTFOUND) { + dns_name_free(&chase_signame, mctx); + return(ISC_R_NOTFOUND); + } + printf("\n;; DNSKEYset that signs the RRset to chase:\n"); + print_rdataset(&chase_signame, chase_keyrdataset, mctx); + } + INSIST(chase_keyrdataset != NULL); + + if (chase_sigkeyrdataset == NULL) { + result = advanced_rrsearch(&chase_sigkeyrdataset, + &chase_signame, + dns_rdatatype_rrsig, + dns_rdatatype_dnskey, + &chase_sigkeylookedup); + if (result == ISC_R_FAILURE) { + printf("\n;; RRSIG for DNSKEY is missing to continue" + " validation : FAILED\n\n"); + dns_name_free(&chase_signame, mctx); + if (chase_name.ndata != NULL) + dns_name_free(&chase_name, mctx); + return ISC_R_NOTFOUND; + } + if (result == ISC_R_NOTFOUND) { + dns_name_free(&chase_signame, mctx); + return(ISC_R_NOTFOUND); + } + printf("\n;; RRSIG of the DNSKEYset that signs the " + "RRset to chase:\n"); + print_rdataset(&chase_signame, chase_sigkeyrdataset, mctx); + } + INSIST(chase_sigkeyrdataset != NULL); + + + if (chase_dsrdataset == NULL) { + result = advanced_rrsearch(&chase_dsrdataset, &chase_signame, + dns_rdatatype_ds, + dns_rdatatype_any, + &chase_dslookedup); + if (result == ISC_R_FAILURE) { + printf("\n;; WARNING There is no DS for the zone: "); + dns_name_print(&chase_signame, stdout); + printf("\n"); + } + if (result == ISC_R_NOTFOUND) { + dns_name_free(&chase_signame, mctx); + return(ISC_R_NOTFOUND); + } + if (chase_dsrdataset != NULL) { + printf("\n;; DSset of the DNSKEYset\n"); + print_rdataset(&chase_signame, chase_dsrdataset, mctx); + } + } + + if (chase_dsrdataset != 
NULL) { + /* + * if there is no RRSIG of DS, + * we don't want to search on the network + */ + result = advanced_rrsearch(&chase_sigdsrdataset, + &chase_signame, + dns_rdatatype_rrsig, + dns_rdatatype_ds, &true); + if (result == ISC_R_FAILURE) { + printf(";; WARNING : NO RRSIG DS : RRSIG DS" + " should come with DS\n"); + /* + * We continue even the DS couldn't be validated, + * because the DNSKEY could be a Trusted Key. + */ + chase_dsrdataset = NULL; + } + else { + printf("\n;; RRSIG of the DSset of the DNSKEYset\n"); + print_rdataset(&chase_signame, chase_sigdsrdataset, + mctx); + } + } + return(1); +} + + + +void +sigchase_bu(dns_message_t *msg) +{ + isc_result_t result; + int ret; + + if (tk_list.nb_tk == 0) { + result = get_trusted_key(mctx); + if (result != ISC_R_SUCCESS) { + printf("No trusted keys present\n"); + return; + } + } + + + ret = getneededrr(msg); + if (ret == ISC_R_NOTFOUND) + return; + + if (ret == ISC_R_ADDRNOTAVAIL) { + /* We have no response */ + dns_rdataset_t * rdataset; + dns_rdataset_t * sigrdataset; + dns_name_t rdata_name; + dns_name_t query_name; + + + nameFromString(current_lookup->textname, &query_name); + + result = prove_nx(msg, &query_name, current_lookup->rdclass, + current_lookup->rdtype, &rdata_name, + &rdataset, &sigrdataset); + dns_name_free(&query_name, mctx); + if (&rdata_name == NULL || rdataset == NULL || + sigrdataset == NULL) { + printf("\n;; Impossible to verify the Non-existence," + " the NSEC RRset can't be validated: " + "FAILED\n\n"); + clean_trustedkey(); + return; + } + + if (result != ISC_R_SUCCESS) { + printf("\n No Answers and impossible to prove the" + " unsecurity : Validation FAILED\n\n"); + clean_trustedkey(); + return; + } + printf(";; An NSEC prove the non-existence of a answers," + " Now we want validate this NSEC\n"); + + dup_name(&rdata_name, &chase_name, mctx); + dns_name_free(&rdata_name, mctx); + chase_rdataset = rdataset; + chase_sigrdataset = sigrdataset; + chase_keyrdataset = NULL; + 
chase_sigkeyrdataset = NULL; + chase_dsrdataset = NULL; + chase_sigdsrdataset = NULL; + chase_siglookedup = ISC_FALSE; + chase_keylookedup = ISC_FALSE; + chase_dslookedup = ISC_FALSE; + chase_sigdslookedup = ISC_FALSE; + sigchase(msg); + clean_trustedkey(); + return; + } + + + printf("\n\n\n;; WE HAVE MATERIAL, WE NOW DO VALIDATION\n"); + + result = sigchase_verify_sig(&chase_name, chase_rdataset, + chase_keyrdataset, + chase_sigrdataset, mctx); + if (result != ISC_R_SUCCESS) { + dns_name_free(&chase_name, mctx); + dns_name_free(&chase_signame, mctx); + printf(";; No DNSKEY is valid to check the RRSIG" + " of the RRset: FAILED\n"); + clean_trustedkey(); + return; + } + printf(";; OK We found DNSKEY (or more) to validate the RRset\n"); + + result = contains_trusted_key(&chase_signame, chase_keyrdataset, + chase_sigkeyrdataset, mctx); + if (result == ISC_R_SUCCESS) { + dns_name_free(&chase_name, mctx); + dns_name_free(&chase_signame, mctx); + printf("\n;; Ok this DNSKEY is a Trusted Key," + " DNSSEC validation is ok: SUCCESS\n\n"); + clean_trustedkey(); + return; + } + + printf(";; Now, we are going to validate this DNSKEY by the DS\n"); + + if (chase_dsrdataset == NULL) { + dns_name_free(&chase_name, mctx); + dns_name_free(&chase_signame, mctx); + printf(";; the DNSKEY isn't trusted-key and there isn't" + " DS to validate the DNSKEY: FAILED\n"); + clean_trustedkey(); + return; + } + + result = sigchase_verify_ds(&chase_signame, chase_keyrdataset, + chase_dsrdataset, mctx); + if (result != ISC_R_SUCCESS) { + dns_name_free(&chase_signame, mctx); + dns_name_free(&chase_name, mctx); + printf(";; ERROR no DS validates a DNSKEY in the" + " DNSKEY RRset: FAILED\n"); + clean_trustedkey(); + return; + } + else + printf(";; OK this DNSKEY (validated by the DS) validates" + " the RRset of the DNSKEYs, thus the DNSKEY validates" + " the RRset\n"); + INSIST(chase_sigdsrdataset != NULL); + + dns_name_free(&chase_name, mctx); + dup_name(&chase_signame, &chase_name, mctx); + 
dns_name_free(&chase_signame, mctx); + chase_rdataset = chase_dsrdataset; + chase_sigrdataset = chase_sigdsrdataset; + chase_keyrdataset = NULL; + chase_sigkeyrdataset = NULL; + chase_dsrdataset = NULL; + chase_sigdsrdataset = NULL; + chase_siglookedup = chase_keylookedup = ISC_FALSE; + chase_dslookedup = chase_sigdslookedup = ISC_FALSE; + + printf(";; Now, we want to validate the DS : recursive call\n"); + sigchase(msg); + return; +} +#endif + +void +sigchase(dns_message_t * msg) +{ +#if DIG_SIGCHASE_TD + if (current_lookup->do_topdown) { + sigchase_td(msg); + return; + } +#endif +#if DIG_SIGCHASE_BU + sigchase_bu(msg); + return; +#endif +} + + +/* + * return 1 if name1 < name2 + * 0 if name1 == name2 + * -1 if name1 > name2 + * and -2 if problem + */ +int +inf_name(dns_name_t * name1, dns_name_t * name2) +{ + dns_label_t label1; + dns_label_t label2; + unsigned int nblabel1; + unsigned int nblabel2; + int min_lum_label; + int i; + int ret = -2; + + nblabel1 = dns_name_countlabels(name1); + nblabel2 = dns_name_countlabels(name2); + + if (nblabel1 >= nblabel2) + min_lum_label = nblabel2; + else + min_lum_label = nblabel1; + + + for (i=1 ; i < min_lum_label; i++) { + dns_name_getlabel(name1, nblabel1 -1 - i, &label1); + dns_name_getlabel(name2, nblabel2 -1 - i, &label2); + if ((ret = isc_region_compare(&label1, &label2)) != 0) { + if (ret <0 ) + return -1; + else if (ret >0 ) + return 1; + } + } + if (nblabel1 == nblabel2) + return 0; + + if (nblabel1 < nblabel2) + return -1; + else + return 1; +} + +/** + * + * + * + */ +isc_result_t +prove_nx_domain(dns_message_t *msg, + dns_name_t *name, + dns_name_t *rdata_name, + dns_rdataset_t ** rdataset, + dns_rdataset_t **sigrdataset) +{ + isc_result_t ret = ISC_R_FAILURE; + isc_result_t result = ISC_R_NOTFOUND; + dns_rdataset_t * nsecset = NULL; + dns_rdataset_t * signsecset = NULL ; + dns_rdata_t nsec = DNS_RDATA_INIT; + dns_name_t * nsecname = NULL; + dns_rdata_nsec_t nsecstruct; + + if ((result = 
dns_message_firstname(msg, DNS_SECTION_AUTHORITY)) + != ISC_R_SUCCESS) { + printf(";; nothing in authority section : impossible to" + " validate the non-existence : FAILED\n"); + return(ISC_R_FAILURE); + } + + do { + dns_message_currentname(msg, DNS_SECTION_AUTHORITY, &nsecname); + nsecset = search_type(nsecname, dns_rdatatype_nsec, + dns_rdatatype_any); + if (nsecset == NULL) + continue; + + printf("There is a NSEC for this zone in the" + " AUTHORITY section:\n"); + print_rdataset(nsecname, nsecset, mctx); + + for (result = dns_rdataset_first(nsecset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(nsecset)) { + dns_rdataset_current(nsecset, &nsec); + + + signsecset + = chase_scanname_section(msg, nsecname, + dns_rdatatype_rrsig, + dns_rdatatype_nsec, + DNS_SECTION_AUTHORITY); + if (signsecset == NULL) { + printf(";; no RRSIG NSEC in authority section:" + " impossible to validate the " + "non-existence: FAILED\n"); + return(ISC_R_FAILURE); + } + + ret = dns_rdata_tostruct(&nsec, &nsecstruct, NULL); + check_result(ret,"dns_rdata_tostruct"); + + if ((inf_name(nsecname, &nsecstruct.next) == 1 && + inf_name(name, &nsecstruct.next) == 1) || + (inf_name(name, nsecname) == 1 && + inf_name(&nsecstruct.next, name) == 1)) { + dns_rdata_freestruct(&nsecstruct); + *rdataset = nsecset; + *sigrdataset = signsecset; + dup_name(nsecname, rdata_name, mctx); + + return ISC_R_SUCCESS; + } + + dns_rdata_freestruct(&nsecstruct); + } + nsecname = NULL; + } while (dns_message_nextname(msg, DNS_SECTION_AUTHORITY) + == ISC_R_SUCCESS); + + *rdataset = NULL; + *sigrdataset = NULL; + rdata_name = NULL; + return(ISC_R_FAILURE); +} + +/** + * + * + * + * + * + */ +isc_result_t +prove_nx_type(dns_message_t * msg, + dns_name_t *name, + dns_rdataset_t *nsecset, + dns_rdataclass_t class, + dns_rdatatype_t type, + dns_name_t * rdata_name, + dns_rdataset_t ** rdataset, + dns_rdataset_t ** sigrdataset) +{ + isc_result_t ret; + dns_rdataset_t * signsecset; + dns_rdata_t nsec = DNS_RDATA_INIT; 
+ + UNUSED(class); + UNUSED(rdata_name); + + ret = dns_rdataset_first(nsecset); + check_result(ret,"dns_rdataset_first"); + + dns_rdataset_current(nsecset, &nsec); + + ret = dns_nsec_typepresent(&nsec, type); + if (ret == ISC_R_SUCCESS) + printf("OK the NSEC said that the type doesn't exist \n"); + + signsecset = chase_scanname_section(msg, name, + dns_rdatatype_rrsig, + dns_rdatatype_nsec, + DNS_SECTION_AUTHORITY); + if (signsecset == NULL) { + printf("There isn't RRSIG NSEC for the zone \n"); + return ISC_R_FAILURE; + } + *rdataset = nsecset; + *sigrdataset = signsecset; + + return (ret); +} + +/** + * + * + * + * + */ +isc_result_t +prove_nx(dns_message_t * msg, + dns_name_t * name, + dns_rdataclass_t class, + dns_rdatatype_t type, + dns_name_t * rdata_name, + dns_rdataset_t ** rdataset, + dns_rdataset_t ** sigrdataset) +{ + isc_result_t ret; + dns_rdataset_t * nsecset = NULL; + + + printf("We want to prove the non-existance of a type of rdata %d" + " or of the zone: \n", type); + + if ((ret = dns_message_firstname(msg, DNS_SECTION_AUTHORITY)) + != ISC_R_SUCCESS) { + printf(";; nothing in authority section : impossible to" + " validate the non-existence : FAILED\n"); + return(ISC_R_FAILURE); + } + + nsecset = chase_scanname_section(msg, name, dns_rdatatype_nsec, + dns_rdatatype_any, + DNS_SECTION_AUTHORITY); + if (nsecset != NULL) { + printf("We have a NSEC for this zone :OK\n"); + ret = prove_nx_type(msg, name, nsecset, class, + type, rdata_name, rdataset, + sigrdataset); + if (ret != ISC_R_SUCCESS) { + printf("prove_nx: ERROR type exist\n"); + return(ret); + } else { + printf("prove_nx: OK type does not exist\n"); + return(ISC_R_SUCCESS); + } + } else { + printf("there is no NSEC for this zone: validating " + "that the zone doesn't exist\n"); + ret = prove_nx_domain(msg, name, rdata_name, + rdataset, sigrdataset); + return(ret); + } + /* Never get here */ +} +#endif diff --git a/bin/dig/host.c b/bin/dig/host.c index b0a79611aa..719fe75b03 100644 
--- a/bin/dig/host.c +++ b/bin/dig/host.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: host.c,v 1.95 2004/04/13 01:09:37 marka Exp $ */ +/* $Id: host.c,v 1.96 2004/04/13 02:39:35 marka Exp $ */ #include <config.h> #include <limits.h> @@ -209,8 +209,18 @@ say_message(dns_name_t *name, const char *msg, dns_rdata_t *rdata, printf("\n"); isc_buffer_free(&b); } - - +#ifdef _SIGCHASE_ +/* Just for compatibility : not use in host program */ +isc_result_t +printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset, + isc_buffer_t *target) +{ + UNUSED(owner_name); + UNUSED(rdataset); + UNUSED(target); + return(ISC_FALSE); +} +#endif static isc_result_t printsection(dns_message_t *msg, dns_section_t sectionid, const char *section_name, isc_boolean_t headers, @@ -698,8 +708,7 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) { lookup->pending = ISC_FALSE; if (get_reverse(store, sizeof(store), hostname, - lookup->ip6_int, ISC_TRUE) == ISC_R_SUCCESS) - { + lookup->ip6_int, ISC_TRUE) == ISC_R_SUCCESS) { strncpy(lookup->textname, store, sizeof(lookup->textname)); lookup->textname[sizeof(lookup->textname)-1] = 0; lookup->rdtype = dns_rdatatype_ptr; diff --git a/bin/dig/include/dig/dig.h b/bin/dig/include/dig/dig.h index 9a1284d53b..4c6b43aa7b 100644 --- a/bin/dig/include/dig/dig.h +++ b/bin/dig/include/dig/dig.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dig.h,v 1.82 2004/03/05 04:57:34 marka Exp $ */ +/* $Id: dig.h,v 1.83 2004/04/13 02:39:35 marka Exp $ */ #ifndef DIG_H #define DIG_H @@ -79,6 +79,9 @@ ISC_LANG_BEGINDECLS typedef struct dig_lookup dig_lookup_t; typedef struct dig_query dig_query_t; typedef struct dig_server dig_server_t; +#ifdef _SIGCHASE_ +typedef struct dig_message dig_message_t; +#endif typedef ISC_LIST(dig_server_t) dig_serverlist_t; typedef struct dig_searchlist dig_searchlist_t; 
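Review bot: In the `@@ -209,8 +209,18 @@` hunk the new `printrdataset` stub is declared to return `isc_result_t` but returns `ISC_FALSE`, which is an `isc_boolean_t`, so a sigchase caller that checks the result gets whatever integer `ISC_FALSE` happens to be rather than a result code. Return an actual result code instead, e.g. `return (ISC_R_NOTIMPLEMENTED);`. The comment above it would also read better as `/* Stub for the sigchase interface: host does not print rdatasets this way. */`.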
@@ -110,10 +113,27 @@ struct dig_lookup { new_search, besteffort, dnssec; +#ifdef _SIGCHASE_ +isc_boolean_t sigchase; +#ifdef _SIGCHASE_TD_ +isc_boolean_t do_topdown, + trace_root_sigchase, + rdtype_sigchaseset, + rdclass_sigchaseset; + /* Name we are going to validate RRset */ + char textnamesigchase[MXNAME]; +#endif +#endif + char textname[MXNAME]; /* Name we're going to be looking up */ char cmdline[MXNAME]; dns_rdatatype_t rdtype; dns_rdatatype_t qrdtype; +#ifdef _SIGCHASE_TD_ + dns_rdatatype_t rdtype_sigchase; + dns_rdatatype_t qrdtype_sigchase; + dns_rdataclass_t rdclass_sigchase; +#endif dns_rdataclass_t rdclass; isc_boolean_t rdtypeset; isc_boolean_t rdclassset; @@ -183,7 +203,12 @@ struct dig_searchlist { char origin[MXNAME]; ISC_LINK(dig_searchlist_t) link; }; - +#ifdef _SIGCHASE_ +struct dig_message { + dns_message_t *msg; + ISC_LINK(dig_message_t) link; +}; +#endif /* * Routines in dighost.c. */ @@ -255,9 +280,19 @@ destroy_libs(void); void set_search_domain(char *domain); +#ifdef _SIGCHASE_ +void +clean_trustedkey(void); +#endif + /* * Routines to be defined in dig.c, host.c, and nslookup.c. */ +#ifdef _SIGCHASE_ +isc_result_t +printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset, + isc_buffer_t *target); +#endif isc_result_t printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers); @@ -282,6 +317,14 @@ dighost_shutdown(void); char * next_token(char **stringp, const char *delim); +#ifdef _SIGCHASE_ +/* Chasing functions */ +dns_rdataset_t * +chase_scanname(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers); +void +chase_sig(dns_message_t *msg); +#endif + ISC_LANG_ENDDECLS #endif diff --git a/bin/dig/nslookup.c b/bin/dig/nslookup.c index 7b3b5a37a7..7d7b1dab91 100644 --- a/bin/dig/nslookup.c +++ b/bin/dig/nslookup.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: nslookup.c,v 1.101 2004/03/05 04:57:30 marka Exp $ */ +/* $Id: nslookup.c,v 1.102 2004/04/13 02:39:35 marka Exp $ */ #include <config.h> 
@@ -189,7 +189,18 @@ printa(dns_rdata_t *rdata) { printf("Address: %.*s\n", (int)isc_buffer_usedlength(&b), (char *)isc_buffer_base(&b)); } - +#ifdef _SIGCHASE_ +/* Just for compatibility : not use in host program */ +isc_result_t +printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset, + isc_buffer_t *target) +{ + UNUSED(owner_name); + UNUSED(rdataset); + UNUSED(target); + return(ISC_FALSE); +} +#endif static void printrdata(dns_rdata_t *rdata) { isc_result_t result; @@ -520,7 +531,8 @@ safecpy(char *dest, char *src, int size) { } static isc_result_t -parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max, const char *desc) { +parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max, + const char *desc) { isc_uint32_t n; isc_result_t result = isc_parse_uint32(&n, value, 10); if (result == ISC_R_SUCCESS && n > max) @@ -663,8 +675,7 @@ addlookup(char *opt) { } lookup = make_empty_lookup(); if (get_reverse(store, sizeof(store), opt, lookup->ip6_int, ISC_TRUE) - == ISC_R_SUCCESS) - { + == ISC_R_SUCCESS) { safecpy(lookup->textname, store, sizeof(lookup->textname)); lookup->rdtype = dns_rdatatype_ptr; lookup->rdtypeset = ISC_TRUE; @@ -732,15 +743,13 @@ get_next_command(void) { in_use = ISC_FALSE; goto cleanup; } else if (strcasecmp(ptr, "help") == 0 || - strcasecmp(ptr, "?") == 0) - { + strcasecmp(ptr, "?") == 0) { printf("The '%s' command is not yet implemented.\n", ptr); goto cleanup; } else if (strcasecmp(ptr, "finger") == 0 || strcasecmp(ptr, "root") == 0 || strcasecmp(ptr, "ls") == 0 || - strcasecmp(ptr, "view") == 0) - { + strcasecmp(ptr, "view") == 0) { printf("The '%s' command is not implemented.\n", ptr); goto cleanup; } else From 2a23a625246acfbf6ff92b86a6b8b9df59dbeaa4 Mon Sep 17 00:00:00 2001 
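Review bot: The comment on the new `printrdataset` stub reads "not use in host program", but this is nslookup.c; the text was copied from host.c and will mislead the next reader into thinking the file is wrong. Replace it with something that names this program, e.g. `/* Stub required by dighost.c; nslookup never prints rdatasets this way. */`. The stub also returns `ISC_FALSE` from a function declared `isc_result_t`; spell the intended outcome with a result code, `return (ISC_R_SUCCESS);` if success is what the caller expects, so the type mismatch does not hide a wrong value once the result codes change.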
From: Mark Andrews <marka@isc.org> Date: Tue, 13 Apr 2004 02:54:15 +0000 Subject: [PATCH 035/146] sigchase --- bin/dig/dig.c | 6 +++--- bin/dig/host.c | 4 ++-- bin/dig/include/dig/dig.h | 20 ++++++++++---------- bin/dig/nslookup.c | 13 +++++++++++-- 4 files changed, 26 insertions(+), 17 deletions(-) diff --git a/bin/dig/dig.c b/bin/dig/dig.c index 5d72a0f80d..a2f31badba 100644 --- a/bin/dig/dig.c +++ b/bin/dig/dig.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dig.c,v 1.188 2004/04/13 02:39:34 marka Exp $ */ +/* $Id: dig.c,v 1.189 2004/04/13 02:54:14 marka Exp $ */ #include <config.h> #include <stdlib.h> @@ -41,8 +41,6 @@ #include <dns/rdataclass.h> #include <dns/result.h> -#include <dig/dig.h> - #ifdef DIG_SIGCHASE #ifndef DIG_SIGCHASE_BU #define DIG_SIGCHASE_BU 1 @@ -52,6 +50,8 @@ #endif #endif +#include <dig/dig.h> + extern ISC_LIST(dig_lookup_t) lookup_list; extern dig_serverlist_t server_list; extern ISC_LIST(dig_searchlist_t) search_list; diff --git a/bin/dig/host.c b/bin/dig/host.c index 719fe75b03..24aea48785 100644 --- a/bin/dig/host.c +++ b/bin/dig/host.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: host.c,v 1.96 2004/04/13 02:39:35 marka Exp $ */ +/* $Id: host.c,v 1.97 2004/04/13 02:54:14 marka Exp $ */ #include <config.h> #include <limits.h> @@ -209,7 +209,7 @@ say_message(dns_name_t *name, const char *msg, dns_rdata_t *rdata, printf("\n"); isc_buffer_free(&b); } -#ifdef _SIGCHASE_ +#ifdef DIG_SIGCHASE /* Just for compatibility : not use in host program */ isc_result_t printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset, diff --git a/bin/dig/include/dig/dig.h b/bin/dig/include/dig/dig.h index 4c6b43aa7b..ce252d4761 100644 --- a/bin/dig/include/dig/dig.h +++ b/bin/dig/include/dig/dig.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dig.h,v 1.83 2004/04/13 02:39:35 marka Exp $ */ +/* $Id: dig.h,v 1.84 2004/04/13 02:54:15 marka Exp $ */ #ifndef DIG_H #define DIG_H 
@@ -79,7 +79,7 @@ ISC_LANG_BEGINDECLS typedef struct dig_lookup dig_lookup_t; typedef struct dig_query dig_query_t; typedef struct dig_server dig_server_t; -#ifdef _SIGCHASE_ +#ifdef DIG_SIGCHASE typedef struct dig_message dig_message_t; #endif typedef ISC_LIST(dig_server_t) dig_serverlist_t; @@ -113,10 +113,10 @@ struct dig_lookup { new_search, besteffort, dnssec; -#ifdef _SIGCHASE_ +#ifdef DIG_SIGCHASE isc_boolean_t sigchase; -#ifdef _SIGCHASE_TD_ -isc_boolean_t do_topdown, +#if DIG_SIGCHASE_TD + isc_boolean_t do_topdown, trace_root_sigchase, rdtype_sigchaseset, rdclass_sigchaseset; @@ -129,7 +129,7 @@ isc_boolean_t do_topdown, char cmdline[MXNAME]; dns_rdatatype_t rdtype; dns_rdatatype_t qrdtype; -#ifdef _SIGCHASE_TD_ +#if DIG_SIGCHASE_TD dns_rdatatype_t rdtype_sigchase; dns_rdatatype_t qrdtype_sigchase; dns_rdataclass_t rdclass_sigchase; @@ -203,7 +203,7 @@ struct dig_searchlist { char origin[MXNAME]; ISC_LINK(dig_searchlist_t) link; }; -#ifdef _SIGCHASE_ +#ifdef DIG_SIGCHASE struct dig_message { dns_message_t *msg; ISC_LINK(dig_message_t) link; @@ -280,7 +280,7 @@ destroy_libs(void); void set_search_domain(char *domain); -#ifdef _SIGCHASE_ +#ifdef DIG_SIGCHASE void clean_trustedkey(void); #endif @@ -288,7 +288,7 @@ clean_trustedkey(void); /* * Routines to be defined in dig.c, host.c, and nslookup.c. */ -#ifdef _SIGCHASE_ +#ifdef DIG_SIGCHASE isc_result_t printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset, isc_buffer_t *target); @@ -317,7 +317,7 @@ dighost_shutdown(void); char * next_token(char **stringp, const char *delim); -#ifdef _SIGCHASE_ +#ifdef DIG_SIGCHASE /* Chasing functions */ dns_rdataset_t * chase_scanname(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers); diff --git a/bin/dig/nslookup.c b/bin/dig/nslookup.c index 7d7b1dab91..41333a2551 100644 --- a/bin/dig/nslookup.c +++ b/bin/dig/nslookup.c 
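Review bot: `struct dig_lookup` now contains fields guarded by `#if DIG_SIGCHASE_TD`, so its layout depends on a macro that every translation unit must define before including dig.h; dig.c (earlier in this patch) and nslookup.c do so, but the host.c hunk in this patch only renames the `#ifdef`, so unless host.c defines `DIG_SIGCHASE_TD` somewhere outside the visible hunk it will compile against a smaller struct than dighost.c and the two will disagree on field offsets. Putting the defaulting block into dig.h itself, ahead of the struct, removes the per-file requirement and keeps the layout consistent. Note also that `#if` on an undefined macro silently evaluates to 0 while the adjacent `#ifdef DIG_SIGCHASE` is a presence test; mixing the two styles for one feature is exactly how such a mismatch goes unnoticed.
```c
/* … unchanged: typedefs above … */
#ifdef DIG_SIGCHASE
#ifndef DIG_SIGCHASE_BU
#define DIG_SIGCHASE_BU 1
#endif
#ifndef DIG_SIGCHASE_TD
#define DIG_SIGCHASE_TD 1
#endif
#endif
/* … unchanged: struct dig_lookup … */
```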
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: nslookup.c,v 1.102 2004/04/13 02:39:35 marka Exp $ */ +/* $Id: nslookup.c,v 1.103 2004/04/13 02:54:15 marka Exp $ */ #include <config.h> @@ -42,6 +42,15 @@ #include <dns/rdatatype.h> #include <dns/byaddr.h> +#ifdef DIG_SIGCHASE +#ifndef DIG_SIGCHASE_BU +#define DIG_SIGCHASE_BU 1 +#endif +#ifndef DIG_SIGCHASE_TD +#define DIG_SIGCHASE_TD 1 +#endif +#endif + #include <dig/dig.h> extern ISC_LIST(dig_lookup_t) lookup_list; @@ -189,7 +198,7 @@ printa(dns_rdata_t *rdata) { printf("Address: %.*s\n", (int)isc_buffer_usedlength(&b), (char *)isc_buffer_base(&b)); } -#ifdef _SIGCHASE_ +#ifdef DIG_SIGCHASE /* Just for compatibility : not use in host program */ isc_result_t printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset, From f38cee63260a466e97ea92bc00cc4155955723da Mon Sep 17 00:00:00 2001 From: Mark Andrews <marka@isc.org> Date: Tue, 13 Apr 2004 03:31:14 +0000 Subject: [PATCH 036/146] remove stray nbits reference. --- bin/tests/name_test.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/bin/tests/name_test.c b/bin/tests/name_test.c index d17023c4a2..4de1cbbf10 100644 --- a/bin/tests/name_test.c +++ b/bin/tests/name_test.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: name_test.c,v 1.36 2004/03/05 04:58:39 marka Exp $ */ +/* $Id: name_test.c,v 1.37 2004/04/13 03:31:14 marka Exp $ */ #include <config.h> @@ -319,8 +319,7 @@ main(int argc, char *argv[]) { } if (namereln != dns_namereln_none && namereln != dns_namereln_equal) - printf(", nlabels = %u, nbits = %u", - nlabels, nbits); + printf(", nlabels = %u", nlabels); printf("\n"); } printf("dns_name_equal() returns %s\n", From a72932d4c73433c056accc1486fba31c05f59bab Mon Sep 17 00:00:00 2001 
From: Mark Andrews <marka@isc.org> Date: Tue, 13 Apr 2004 04:44:05 +0000 Subject: [PATCH 037/146] regen --- bin/dig/dig.1 | 20 +++++++++++-- bin/dig/dig.html | 73 +++++++++++++++++++++++++++++++++++++++++------ bin/dig/host.1 | 8 ++++-- bin/dig/host.html | 30 ++++++++++++++++--- 4 files changed, 114 insertions(+), 17 deletions(-) diff --git a/bin/dig/dig.1 b/bin/dig/dig.1 index 4087888b3c..4d67c64b85 100644 --- a/bin/dig/dig.1 +++ b/bin/dig/dig.1 @@ -13,14 +13,14 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dig.1,v 1.25 2004/04/07 00:56:58 marka Exp $ +.\" $Id: dig.1,v 1.26 2004/04/13 04:44:04 marka Exp $ .\" .TH "DIG" "1" "Jun 30, 2000" "BIND9" "" .SH NAME dig \- DNS lookup utility .SH SYNOPSIS .sp -\fBdig\fR [ \fB@server\fR ] [ \fB-b \fIaddress\fB\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-f \fIfilename\fB\fR ] [ \fB-k \fIfilename\fB\fR ] [ \fB-p \fIport#\fB\fR ] [ \fB-t \fItype\fB\fR ] [ \fB-x \fIaddr\fB\fR ] [ \fB-y \fIname:key\fB\fR ] [ \fBname\fR ] [ \fBtype\fR ] [ \fBclass\fR ] [ \fBqueryopt\fR\fI...\fR ] +\fBdig\fR [ \fB@server\fR ] [ \fB-b \fIaddress\fB\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-f \fIfilename\fB\fR ] [ \fB-k \fIfilename\fB\fR ] [ \fB-p \fIport#\fB\fR ] [ \fB-t \fItype\fB\fR ] [ \fB-x \fIaddr\fB\fR ] [ \fB-y \fIname:key\fB\fR ] [ \fB-4\fR ] [ \fB-6\fR ] [ \fBname\fR ] [ \fBtype\fR ] [ \fBclass\fR ] [ \fBqueryopt\fR\fI...\fR ] .sp \fBdig\fR [ \fB-h\fR ] .sp @@ -108,6 +108,10 @@ instead of the standard DNS port number 53. This option would be used to test a name server that has been configured to listen for queries on a non-standard port number. .PP +The \fB-4\fR option forces \fBdig\fR to only +use IPv4 query transport. The \fB-6\fR option forces +\fBdig\fR to only use IPv6 query transport. +.PP The \fB-t\fR option sets the query type to \fItype\fR. It can be any valid query type which is supported in BIND9. The default query type "A", unless the 
@@ -333,6 +337,18 @@ The default is to not display malformed answers. \fB+[no]dnssec\fR Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query. +.TP +\fB+[no]sigchase\fR +Chase DNSSEC signature chains. Requires dig be compiled with +-DDIG_SIGCHASE. +.TP +\fB+trusted-key=####\fR +Specify a trusted key to be used with \fB+sigchase\fR. +Requires dig be compiled with -DDIG_SIGCHASE. +.TP +\fB+[no]topdown\fR +When chasing DNSSEC signature chains perform a top down validation. +Requires dig be compiled with -DDIG_SIGCHASE. .SH "MULTIPLE QUERIES" .PP The BIND 9 implementation of \fBdig \fR supports diff --git a/bin/dig/dig.html b/bin/dig/dig.html index f3d6802fd2..bef936515a 100644 --- a/bin/dig/dig.html +++ b/bin/dig/dig.html @@ -15,7 +15,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: dig.html,v 1.15 2004/04/07 00:56:59 marka Exp $ --> +<!-- $Id: dig.html,v 1.16 2004/04/13 04:44:04 marka Exp $ --> <HTML ><HEAD @@ -120,6 +120,12 @@ CLASS="REPLACEABLE" >name:key</I ></TT ></TT +>] [<TT +CLASS="OPTION" +>-4</TT +>] [<TT +CLASS="OPTION" +>-6</TT >] [name] [type] [class] [queryopt...]</P ><P ><B @@ -138,7 +144,7 @@ CLASS="COMMAND" ><DIV CLASS="REFSECT1" ><A -NAME="AEN51" +NAME="AEN55" ></A ><H2 >DESCRIPTION</H2 @@ -203,7 +209,7 @@ are applied before the command line arguments.</P ><DIV CLASS="REFSECT1" ><A -NAME="AEN68" +NAME="AEN72" ></A ><H2 >SIMPLE USAGE</H2 @@ -300,7 +306,7 @@ CLASS="COMMAND" ><DIV CLASS="REFSECT1" ><A -NAME="AEN97" +NAME="AEN101" ></A ><H2 >OPTIONS</H2 @@ -371,6 +377,22 @@ on a non-standard port number.</P ><P >The <TT CLASS="OPTION" +>-4</TT +> option forces <B +CLASS="COMMAND" +>dig</B +> to only +use IPv4 query transport. The <TT +CLASS="OPTION" +>-6</TT +> option forces +<B +CLASS="COMMAND" +>dig</B +> to only use IPv6 query transport.</P +><P +>The <TT +CLASS="OPTION" >-t</TT > option sets the query type to <TT 
@@ -516,7 +538,7 @@ CLASS="FILENAME" ><DIV CLASS="REFSECT1" ><A -NAME="AEN147" +NAME="AEN156" ></A ><H2 >QUERY OPTIONS</H2 @@ -1045,6 +1067,39 @@ CLASS="OPTION" >Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query.</P ></DD +><DT +><TT +CLASS="OPTION" +>+[no]sigchase</TT +></DT +><DD +><P +>Chase DNSSEC signature chains. Requires dig be compiled with +-DDIG_SIGCHASE.</P +></DD +><DT +><TT +CLASS="OPTION" +>+trusted-key=####</TT +></DT +><DD +><P +>Specify a trusted key to be used with <TT +CLASS="OPTION" +>+sigchase</TT +>. +Requires dig be compiled with -DDIG_SIGCHASE.</P +></DD +><DT +><TT +CLASS="OPTION" +>+[no]topdown</TT +></DT +><DD +><P +>When chasing DNSSEC signature chains perform a top down validation. +Requires dig be compiled with -DDIG_SIGCHASE.</P +></DD ></DL ></DIV > </P @@ -1052,7 +1107,7 @@ in the OPT record in the additional section of the query.</P ><DIV CLASS="REFSECT1" ><A -NAME="AEN355" +NAME="AEN380" ></A ><H2 >MULTIPLE QUERIES</H2 @@ -1136,7 +1191,7 @@ CLASS="LITERAL" ><DIV CLASS="REFSECT1" ><A -NAME="AEN373" +NAME="AEN398" ></A ><H2 >FILES</H2 @@ -1154,7 +1209,7 @@ CLASS="FILENAME" ><DIV CLASS="REFSECT1" ><A -NAME="AEN379" +NAME="AEN404" ></A ><H2 >SEE ALSO</H2 @@ -1188,7 +1243,7 @@ CLASS="CITETITLE" ><DIV CLASS="REFSECT1" ><A -NAME="AEN392" +NAME="AEN417" ></A ><H2 >BUGS </H2 diff --git a/bin/dig/host.1 b/bin/dig/host.1 index ff5af27c2b..24e387759c 100644 --- a/bin/dig/host.1 +++ b/bin/dig/host.1 
@@ -13,14 +13,14 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: host.1,v 1.16 2004/04/07 00:56:59 marka Exp $ +.\" $Id: host.1,v 1.17 2004/04/13 04:44:05 marka Exp $ .\" .TH "HOST" "1" "Jun 30, 2000" "BIND9" "" .SH NAME host \- DNS lookup utility .SH SYNOPSIS .sp -\fBhost\fR [ \fB-aCdlnrTwv\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-N \fIndots\fB\fR ] [ \fB-R \fInumber\fB\fR ] [ \fB-t \fItype\fB\fR ] [ \fB-W \fIwait\fB\fR ] \fBname\fR [ \fBserver\fR ] +\fBhost\fR [ \fB-aCdlnrTwv\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-N \fIndots\fB\fR ] [ \fB-R \fInumber\fB\fR ] [ \fB-t \fItype\fB\fR ] [ \fB-W \fIwait\fB\fR ] [ \fB-4\fR ] [ \fB-6\fR ] \fBname\fR [ \fBserver\fR ] .SH "DESCRIPTION" .PP \fBhost\fR @@ -102,6 +102,10 @@ By default \fBhost\fR uses UDP when making queries. The the name server. TCP will be automatically selected for queries that require it, such as zone transfer (AXFR) requests. .PP +The \fB-4\fR option forces \fBhost\fR to only +use IPv4 query transport. The \fB-6\fR option forces +\fBhost\fR to only use IPv6 query transport. +.PP The \fB-t\fR option is used to select the query type. \fItype\fR can be any recognised query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified, diff --git a/bin/dig/host.html b/bin/dig/host.html index 77f279445f..9d96704d17 100644 --- a/bin/dig/host.html +++ b/bin/dig/host.html @@ -15,7 +15,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: host.html,v 1.9 2004/04/07 00:56:59 marka Exp $ --> +<!-- $Id: host.html,v 1.10 2004/04/13 04:44:05 marka Exp $ --> <HTML ><HEAD @@ -99,12 +99,18 @@ CLASS="REPLACEABLE" >wait</I ></TT ></TT +>] [<TT +CLASS="OPTION" +>-4</TT +>] [<TT +CLASS="OPTION" +>-6</TT >] {name} [server]</P ></DIV ><DIV CLASS="REFSECT1" ><A -NAME="AEN33" +NAME="AEN37" ></A ><H2 >DESCRIPTION</H2 
@@ -337,6 +343,22 @@ require it, such as zone transfer (AXFR) requests.</P ><P >The <TT CLASS="OPTION" +>-4</TT +> option forces <B +CLASS="COMMAND" +>host</B +> to only +use IPv4 query transport. The <TT +CLASS="OPTION" +>-6</TT +> option forces +<B +CLASS="COMMAND" +>host</B +> to only use IPv6 query transport.</P +><P +>The <TT +CLASS="OPTION" >-t</TT > option is used to select the query type. <TT @@ -410,7 +432,7 @@ value for an integer quantity.</P ><DIV CLASS="REFSECT1" ><A -NAME="AEN106" +NAME="AEN115" ></A ><H2 >FILES</H2 @@ -423,7 +445,7 @@ CLASS="FILENAME" ><DIV CLASS="REFSECT1" ><A -NAME="AEN110" +NAME="AEN119" ></A ><H2 >SEE ALSO</H2 From 2e7f4872e31f8d4f1c56662b207e522ab4d139ef Mon Sep 17 00:00:00 2001 From: Mark Andrews <marka@isc.org> Date: Tue, 13 Apr 2004 04:57:08 +0000 Subject: [PATCH 038/146] decunix prototype mismatch decunix silence compiler warning. --- lib/bind/include/netgroup.h | 8 ++++++-- lib/bind/irs/getnetgrent_r.c | 6 ++++-- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/lib/bind/include/netgroup.h b/lib/bind/include/netgroup.h index 72003d4346..2296208c15 100644 --- a/lib/bind/include/netgroup.h +++ b/lib/bind/include/netgroup.h @@ -11,10 +11,14 @@ int getnetgrent __P((/* const */ char **, /* const */ char **, int getnetgrent_r __P((char **, char **, char **, char *, int)); -void setnetgrent __P((const char *)); - void endnetgrent __P((void)); +#ifdef __osf__ +int innetgr __P((char *, char *, char *, char *)); +void setnetgrent __P((char *)); +#else +void setnetgrent __P((const char *)); int innetgr __P((const char *, const char *, const char *, const char *)); #endif #endif +#endif diff --git a/lib/bind/irs/getnetgrent_r.c b/lib/bind/irs/getnetgrent_r.c index 777b5467a4..969790bf35 100644 --- a/lib/bind/irs/getnetgrent_r.c +++ b/lib/bind/irs/getnetgrent_r.c 
@@ -16,7 +16,7 @@ */ #if defined(LIBC_SCCS) && !defined(lint) -static const char rcsid[] = "$Id: getnetgrent_r.c,v 1.7 2004/03/09 06:30:02 marka Exp $"; +static const char rcsid[] = "$Id: getnetgrent_r.c,v 1.8 2004/04/13 04:57:08 marka Exp $"; #endif /* LIBC_SCCS and not lint */ #include <port_before.h> @@ -77,7 +77,9 @@ setnetgrent_r(const char *netgroup, NGR_R_ENT_ARGS) setnetgrent_r(const char *netgroup) #endif { - setnetgrent(netgroup); + char *tmp; + DE_CONST(netgroup, tmp); + setnetgrent(tmp); #ifdef NGR_R_PRIVATE *buf = NULL; #endif From 56d61bf855f2e5fba90a67434f2026c5e9ca9169 Mon Sep 17 00:00:00 2001 From: Mark Andrews <marka@isc.org> Date: Tue, 13 Apr 2004 05:56:30 +0000 Subject: [PATCH 039/146] remove spurious tabs --- bin/dig/Makefile.in | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in index e74e55c977..d1d0212e7b 100644 --- a/bin/dig/Makefile.in +++ b/bin/dig/Makefile.in @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.34 2004/04/13 02:39:33 marka Exp $ +# $Id: Makefile.in,v 1.35 2004/04/13 05:56:30 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ @@ -27,7 +27,6 @@ CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} ${BIND9_INCLUDES} \ ${ISC_INCLUDES} ${LWRES_INCLUDES} CDEFINES = -DVERSION=\"${VERSION}\" - CWARNINGS = ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ From 5567c75d30954144e0905451942afb4a18af45b7 Mon Sep 17 00:00:00 2001 From: Mark Andrews <marka@isc.org> Date: Tue, 13 Apr 2004 07:19:18 +0000 Subject: [PATCH 040/146] add description for RES_NO_NIBBLE2 --- lib/bind/resolv/res_debug.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/lib/bind/resolv/res_debug.c b/lib/bind/resolv/res_debug.c index cc67f1e3b1..1a6108b3a1 100644 --- a/lib/bind/resolv/res_debug.c +++ b/lib/bind/resolv/res_debug.c 
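Review bot: The `DE_CONST(netgroup, tmp); setnetgrent(tmp);` sequence strips `const` from the caller's netgroup name only because the `__osf__` prototype in netgroup.h (previous file in this patch) declares `setnetgrent(char *)`; that is safe only as long as the callee never writes through the pointer, since callers may pass string literals. Record the assumption at the cast, e.g. `/* Tru64 declares setnetgrent(char *); it is not expected to modify the name. */`, and consider limiting the cast to `#ifdef __osf__` so other platforms keep the const-correct call. `setnetgrent_r` continues past the end of the hunk.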
@@ -95,7 +95,7 @@ #if defined(LIBC_SCCS) && !defined(lint) static const char sccsid[] = "@(#)res_debug.c 8.1 (Berkeley) 6/4/93"; -static const char rcsid[] = "$Id: res_debug.c,v 1.11 2004/04/10 03:47:09 marka Exp $"; +static const char rcsid[] = "$Id: res_debug.c,v 1.12 2004/04/13 07:19:18 marka Exp $"; #endif /* LIBC_SCCS and not lint */ #include "port_before.h" @@ -625,7 +625,9 @@ p_option(u_long option) { #ifdef RES_NOTLDQUERY case RES_NOTLDQUERY: return "no-tld-query"; #endif - +#ifdef RES_NO_NIBBLE2 + case RES_NO_NIBBLE2: return "no-nibble2"; +#endif /* XXX nonreentrant */ default: sprintf(nbuf, "?0x%lx?", (u_long)option); return (nbuf); From 46ed893dd0c8096d2bcbf31e6dcf79b2786e7b7f Mon Sep 17 00:00:00 2001 From: Mark Andrews <marka@isc.org> Date: Wed, 14 Apr 2004 02:11:33 +0000 Subject: [PATCH 041/146] placeholder --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index 0b4e537943..2551a0a8b3 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1610. [placeholder] rt11069 + 1609. [func] dig now has support to chase DNSSEC signature chains. Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES. From a0a19510c03e6004fd11ec278745d499751cd081 Mon Sep 17 00:00:00 2001 From: Mark Andrews <marka@isc.org> Date: Wed, 14 Apr 2004 02:23:12 +0000 Subject: [PATCH 042/146] placeholder --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index 2551a0a8b3..680a1e429c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1611. [placeholder] rt11065 + 1610. [placeholder] rt11069 1609. [func] dig now has support to chase DNSSEC signature chains. From 9287a6b1828606024691406e3132fa715f00d634 Mon Sep 17 00:00:00 2001 From: Mark Andrews <marka@isc.org> Date: Wed, 14 Apr 2004 05:09:43 +0000 Subject: [PATCH 043/146] silence compiler warning --- lib/isc/include/isc/refcount.h | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) 
diff --git a/lib/isc/include/isc/refcount.h b/lib/isc/include/isc/refcount.h index 0db8e4c590..0aa76c5606 100644 --- a/lib/isc/include/isc/refcount.h +++ b/lib/isc/include/isc/refcount.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: refcount.h,v 1.6 2004/03/05 05:11:00 marka Exp $ */ +/* $Id: refcount.h,v 1.7 2004/04/14 05:09:43 marka Exp $ */ #ifndef ISC_REFCOUNT_H #define ISC_REFCOUNT_H 1 @@ -143,16 +143,18 @@ typedef struct isc_refcount { #define isc_refcount_increment(rp, tp) \ do { \ + unsigned int *_tmp = (unsigned int *)(tp); \ int _n = ++(rp)->refs; \ - if ((tp) != NULL) \ - *(unsigned int *)(tp) = (unsigned int)(_n); \ + if (_tmp != NULL) \ + *_tmp = _n; \ } while (0) #define isc_refcount_decrement(rp, tp) \ do { \ + unsigned int *_tmp = (unsigned int *)(tp); \ int _n = --(rp)->refs; \ - if ((tp) != NULL) \ - *(unsigned int *)(tp) = (unsigned int)(_n); \ + if (_tmp != NULL) \ + *_tmp = _n; \ } while (0) #endif From 9a2127f8335bad323451d7825119cd9f72e32464 Mon Sep 17 00:00:00 2001 From: Mark Andrews <marka@isc.org> Date: Thu, 15 Apr 2004 00:32:44 +0000 Subject: [PATCH 044/146] Attempt to disable parallel processing. --- lib/dns/Makefile.in | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/dns/Makefile.in b/lib/dns/Makefile.in index 04253a2a44..ea5a2bc807 100644 --- a/lib/dns/Makefile.in +++ b/lib/dns/Makefile.in @@ -13,12 +13,16 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.144 2004/03/16 05:52:18 marka Exp $ +# $Id: Makefile.in,v 1.145 2004/04/15 00:32:44 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ top_srcdir = @top_srcdir@ +# Attempt to disable parallel processing. +.NOTPARALLEL: +.NO_PARALLEL: + @BIND9_VERSION@ @LIBDNS_API@ From 42b48d11ca7b296324d7a8a98cdbf0070b0deb1d Mon Sep 17 00:00:00 2001 
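Review bot: The rewritten `isc_refcount_increment`/`isc_refcount_decrement` macros drop the explicit `(unsigned int)` cast, so `*_tmp = _n;` now converts a signed `int` to `unsigned int` implicitly; compilers that warn on sign conversion will flag it, which defeats the stated purpose of the change. Keep the cast, `*_tmp = (unsigned int)_n;`, in both macros. Evaluating `(tp)` once into `_tmp` is a genuine improvement; if this is the unlocked fallback variant (the surrounding `#if` is outside the hunk), a short comment saying the macros are not atomic and that the caller must hold the owning lock would help readers who reach for them.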
From: Mark Andrews <marka@isc.org> Date: Thu, 15 Apr 2004 01:58:25 +0000 Subject: [PATCH 045/146] hide ((isc_event_t **) (void *)) cast using a macro, ISC_EVENT_PTR. --- bin/dnssec/dnssec-signzone.c | 6 +++--- bin/named/query.c | 4 ++-- bin/named/update.c | 12 ++++++------ lib/dns/dispatch.c | 12 ++++++------ lib/dns/lookup.c | 4 ++-- lib/dns/resolver.c | 6 +++--- lib/dns/validator.c | 4 ++-- lib/isc/include/isc/event.h | 4 +++- lib/isc/unix/socket.c | 18 +++++++++--------- 9 files changed, 36 insertions(+), 34 deletions(-) diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 1c735a2024..4abbf56847 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -16,7 +16,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-signzone.c,v 1.177 2004/03/10 02:19:51 marka Exp $ */ +/* $Id: dnssec-signzone.c,v 1.178 2004/04/15 01:58:22 marka Exp $ */ #include <config.h> @@ -1113,7 +1113,7 @@ assignwork(isc_task_t *task, isc_task_t *worker) { sevent->node = node; sevent->fname = fname; - isc_task_send(worker, (isc_event_t **) (void*) &sevent); + isc_task_send(worker, ISC_EVENT_PTR(&sevent)); assigned++; } @@ -1169,7 +1169,7 @@ sign(isc_task_t *task, isc_event_t *event) { fatal("failed to allocate event\n"); wevent->node = node; wevent->fname = fname; - isc_task_send(master, (isc_event_t **) (void*) &wevent); + isc_task_send(master, ISC_EVENT_PTR(&wevent)); } /* diff --git a/bin/named/query.c b/bin/named/query.c index c37e728d81..1ba7622df2 100644 --- a/bin/named/query.c +++ b/bin/named/query.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: query.c,v 1.257 2004/03/10 02:19:52 marka Exp $ */ +/* $Id: query.c,v 1.258 2004/04/15 01:58:23 marka Exp $ */ #include <config.h> 
@@ -3276,7 +3276,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) dns_db_detach(&zdb); } if (event != NULL) - isc_event_free((isc_event_t **) (void*)&event); + isc_event_free(ISC_EVENT_PTR(&event)); /* * AA bit. diff --git a/bin/named/update.c b/bin/named/update.c index fe4a5982de..9268fcd52e 100644 --- a/bin/named/update.c +++ b/bin/named/update.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: update.c,v 1.109 2004/03/05 04:57:49 marka Exp $ */ +/* $Id: update.c,v 1.110 2004/04/15 01:58:23 marka Exp $ */ #include <config.h> @@ -1965,11 +1965,11 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) { event->ev_arg = evclient; dns_zone_gettask(zone, &zonetask); - isc_task_send(zonetask, (isc_event_t **) (void *)&event); + isc_task_send(zonetask, ISC_EVENT_PTR(&event)); failure: if (event != NULL) - isc_event_free((isc_event_t **) (void *)&event); + isc_event_free(ISC_EVENT_PTR(&event)); return (result); } @@ -2723,7 +2723,7 @@ forward_callback(void *arg, isc_result_t result, dns_message_t *answer) { uev->ev_action = forward_done; uev->answer = answer; } - isc_task_send(client->task, (isc_event_t **) (void *)&uev); + isc_task_send(client->task, ISC_EVENT_PTR(&uev)); } static void @@ -2777,10 +2777,10 @@ send_forward_event(ns_client_t *client, dns_zone_t *zone) { event->ev_arg = evclient; dns_zone_gettask(zone, &zonetask); - isc_task_send(zonetask, (isc_event_t **) (void *)&event); + isc_task_send(zonetask, ISC_EVENT_PTR(&event)); failure: if (event != NULL) - isc_event_free((isc_event_t **) (void *)&event); + isc_event_free(ISC_EVENT_PTR(&event)); return (result); } diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c index dcf95e1727..a5edb9762b 100644 --- a/lib/dns/dispatch.c +++ b/lib/dns/dispatch.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dispatch.c,v 1.116 2004/03/05 05:09:19 marka Exp $ */ +/* $Id: dispatch.c,v 1.117 2004/04/15 01:58:24 marka Exp $ */ #include <config.h> 
@@ -672,7 +672,7 @@ udp_recv(isc_task_t *task, isc_event_t *ev_in) { rev, rev->buffer.base, rev->buffer.length, resp->task); resp->item_out = ISC_TRUE; - isc_task_send(resp->task, (isc_event_t **) (void *)&rev); + isc_task_send(resp->task, ISC_EVENT_PTR(&rev)); } /* @@ -856,7 +856,7 @@ tcp_recv(isc_task_t *task, isc_event_t *ev_in) { rev, rev->buffer.base, rev->buffer.length, resp->task); resp->item_out = ISC_TRUE; - isc_task_send(resp->task, (isc_event_t **) (void *)&rev); + isc_task_send(resp->task, ISC_EVENT_PTR(&rev)); } /* @@ -2078,7 +2078,7 @@ do_cancel(dns_dispatch_t *disp, dns_dispentry_t *resp) { "cancel: failsafe event %p -> task %p", ev, resp->task); resp->item_out = ISC_TRUE; - isc_task_send(resp->task, (isc_event_t **) (void *)&ev); + isc_task_send(resp->task, ISC_EVENT_PTR(&ev)); } isc_socket_t * @@ -2174,7 +2174,7 @@ dns_dispatch_importrecv(dns_dispatch_t *disp, isc_event_t *event) { buf = allocate_udp_buffer(disp); if (buf == NULL) { - isc_event_free((isc_event_t **) (void *)&newsevent); + isc_event_free(ISC_EVENT_PTR(&newsevent)); return; } memcpy(buf, sevent->region.base, sevent->n); @@ -2187,7 +2187,7 @@ dns_dispatch_importrecv(dns_dispatch_t *disp, isc_event_t *event) { newsevent->pktinfo = sevent->pktinfo; newsevent->attributes = sevent->attributes; - isc_task_send(disp->task, (isc_event_t **) (void*)&newsevent); + isc_task_send(disp->task, ISC_EVENT_PTR(&newsevent)); } #if 0 diff --git a/lib/dns/lookup.c b/lib/dns/lookup.c index 07b89a26f6..3a994b3896 100644 --- a/lib/dns/lookup.c +++ b/lib/dns/lookup.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lookup.c,v 1.14 2004/03/05 05:09:21 marka Exp $ */ +/* $Id: lookup.c,v 1.15 2004/04/15 01:58:24 marka Exp $ */ #include <config.h> 
@@ -316,7 +316,7 @@ lookup_find(dns_lookup_t *lookup, dns_fetchevent_t *event) { dns_db_detachnode(event->db, &event->node); if (event->db != NULL) dns_db_detach(&event->db); - isc_event_free((isc_event_t **) (void *)&event); + isc_event_free(ISC_EVENT_PTR(&event)); } /* diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index b71feb6598..acfc12b399 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.284 2004/03/16 05:52:19 marka Exp $ */ +/* $Id: resolver.c,v 1.285 2004/04/15 01:58:24 marka Exp $ */ #include <config.h> @@ -721,7 +721,7 @@ fctx_sendevents(fetchctx_t *fctx, isc_result_t result) { fctx->type == dns_rdatatype_any || fctx->type == dns_rdatatype_rrsig); - isc_task_sendanddetach(&task, (isc_event_t **) (void *)&event); + isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event)); } } @@ -6024,7 +6024,7 @@ dns_resolver_cancelfetch(dns_fetch_t *fetch) { etask = event->ev_sender; event->ev_sender = fctx; event->result = ISC_R_CANCELED; - isc_task_sendanddetach(&etask, (isc_event_t **) (void *)&event); + isc_task_sendanddetach(&etask, ISC_EVENT_PTR(&event)); } /* * The fctx continues running even if no fetches remain; diff --git a/lib/dns/validator.c b/lib/dns/validator.c index fbcec39c5e..6896b0c7dc 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.c,v 1.119 2004/03/10 02:19:56 marka Exp $ */ +/* $Id: validator.c,v 1.120 2004/04/15 01:58:24 marka Exp $ */ #include <config.h> @@ -2384,7 +2384,7 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, ISC_LINK_INIT(val, link); val->magic = VALIDATOR_MAGIC; - isc_task_send(task, (isc_event_t **) (void *)&event); + isc_task_send(task, ISC_EVENT_PTR(&event)); *validatorp = val; diff --git a/lib/isc/include/isc/event.h b/lib/isc/include/isc/event.h index 1c5d5e51a7..90e078c951 100644 --- a/lib/isc/include/isc/event.h 
+++ b/lib/isc/include/isc/event.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: event.h,v 1.27 2004/03/05 05:10:56 marka Exp $ */ +/* $Id: event.h,v 1.28 2004/04/15 01:58:25 marka Exp $ */ #ifndef ISC_EVENT_H #define ISC_EVENT_H 1 @@ -82,6 +82,8 @@ struct isc_event { #define ISC_EVENTTYPE_FIRSTEVENT 0x00000000 #define ISC_EVENTTYPE_LASTEVENT 0xffffffff +#define ISC_EVENT_PTR(p) ((isc_event_t **)(void *)(p)) + ISC_LANG_BEGINDECLS isc_event_t * diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c index 5d7e15969d..3b1396cf13 100644 --- a/lib/isc/unix/socket.c +++ b/lib/isc/unix/socket.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: socket.c,v 1.237 2004/03/18 02:58:07 marka Exp $ */ +/* $Id: socket.c,v 1.238 2004/04/15 01:58:25 marka Exp $ */ #include <config.h> @@ -1958,7 +1958,7 @@ internal_accept(isc_task_t *me, isc_event_t *ev) { task = dev->ev_sender; dev->ev_sender = sock; - isc_task_sendanddetach(&task, (isc_event_t **) (void *)&dev); + isc_task_sendanddetach(&task, ISC_EVENT_PTR(&dev)); return; soft_error: @@ -2997,7 +2997,7 @@ isc_socket_accept(isc_socket_t *sock, ret = allocate_socket(manager, sock->type, &nsock); if (ret != ISC_R_SUCCESS) { - isc_event_free((isc_event_t **) (void *)&dev); + isc_event_free(ISC_EVENT_PTR(&dev)); UNLOCK(&sock->lock); return (ret); } @@ -3097,12 +3097,12 @@ isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr, UNEXPECTED_ERROR(__FILE__, __LINE__, "%d/%s", errno, strbuf); UNLOCK(&sock->lock); - isc_event_free((isc_event_t **) (void *)&dev); + isc_event_free(ISC_EVENT_PTR(&dev)); return (ISC_R_UNEXPECTED); err_exit: sock->connected = 0; - isc_task_send(task, (isc_event_t **) (void *)&dev); + isc_task_send(task, ISC_EVENT_PTR(&dev)); UNLOCK(&sock->lock); return (ISC_R_SUCCESS); 
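Review bot: `ISC_EVENT_PTR(p)` accepts any pointer and silently casts it to `isc_event_t **`, so it hides the incompatible-pointer warning without encoding the precondition that makes the cast valid. Document it at the definition, e.g. `/* Cast &ptr, where ptr points to a struct that begins with the isc_event_t fields, to isc_event_t ** for isc_task_send() and isc_event_free(); the void * step only suppresses the warning, it does not make other types safe. */`. That way a future call site on an unrelated struct is at least caught in review.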
@@ -3115,7 +3115,7 @@ isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr, sock->connected = 1; sock->bound = 1; dev->result = ISC_R_SUCCESS; - isc_task_send(task, (isc_event_t **) (void *)&dev); + isc_task_send(task, ISC_EVENT_PTR(&dev)); UNLOCK(&sock->lock); return (ISC_R_SUCCESS); @@ -3253,7 +3253,7 @@ internal_connect(isc_task_t *me, isc_event_t *ev) { task = dev->ev_sender; dev->ev_sender = sock; - isc_task_sendanddetach(&task, (isc_event_t **) (void *)&dev); + isc_task_sendanddetach(&task, ISC_EVENT_PTR(&dev)); } isc_result_t @@ -3401,7 +3401,7 @@ isc_socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how) { dev->result = ISC_R_CANCELED; dev->ev_sender = sock; isc_task_sendanddetach(¤t_task, - (isc_event_t **) (void *)&dev); + ISC_EVENT_PTR(&dev)); } dev = next; @@ -3428,7 +3428,7 @@ isc_socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how) { dev->result = ISC_R_CANCELED; dev->ev_sender = sock; isc_task_sendanddetach(¤t_task, - (isc_event_t **) (void *)&dev); + ISC_EVENT_PTR(&dev)); } } From 764808211e952f1617aaa609281da66d80120c0d Mon Sep 17 00:00:00 2001 From: Mark Andrews <marka@isc.org> Date: Thu, 15 Apr 2004 04:49:50 +0000 Subject: [PATCH 046/146] #include <time.h>. --- bin/named/unix/os.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/bin/named/unix/os.c b/bin/named/unix/os.c index 174b5a5efb..0c4717b113 100644 --- a/bin/named/unix/os.c +++ b/bin/named/unix/os.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: os.c,v 1.66 2004/03/05 04:58:01 marka Exp $ */ +/* $Id: os.c,v 1.67 2004/04/15 04:49:50 marka Exp $ */ #include <config.h> #include <stdarg.h> @@ -32,6 +32,9 @@ #include <stdlib.h> #include <signal.h> #include <syslog.h> +#ifdef HAVE_TZSET +#include <time.h> +#endif #include <unistd.h> #include <isc/buffer.h> From c2ec022f5784a2ff844f7d062c2022197dc4ad09 Mon Sep 17 00:00:00 2001 
From: Mark Andrews <marka@isc.org> Date: Thu, 15 Apr 2004 06:47:08 +0000 Subject: [PATCH 047/146] 1610. [bug] On dual stack machines "dig -b" failed to set the address type to be looked up with "@server". [RT #11069] --- CHANGES | 4 +++- bin/dig/dig.c | 10 ++++++---- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index 680a1e429c..69f290e41e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,8 @@ 1611. [placeholder] rt11065 -1610. [placeholder] rt11069 +1610. [bug] On dual stack machines "dig -b" failed to set the + address type to be looked up with "@server". + [RT #11069] 1609. [func] dig now has support to chase DNSSEC signature chains. Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES. diff --git a/bin/dig/dig.c b/bin/dig/dig.c index a2f31badba..c8a75f2d14 100644 --- a/bin/dig/dig.c +++ b/bin/dig/dig.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dig.c,v 1.189 2004/04/13 02:54:14 marka Exp $ */ +/* $Id: dig.c,v 1.190 2004/04/15 06:47:08 marka Exp $ */ #include <config.h> #include <stdlib.h> @@ -1147,11 +1147,13 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, *hash = '\0'; } else srcport = 0; - if (have_ipv6 && inet_pton(AF_INET6, value, &in6) == 1) + if (have_ipv6 && inet_pton(AF_INET6, value, &in6) == 1) { isc_sockaddr_fromin6(&bind_address, &in6, srcport); - else if (have_ipv4 && inet_pton(AF_INET, value, &in4) == 1) + isc_net_disableipv4(); + } else if (have_ipv4 && inet_pton(AF_INET, value, &in4) == 1) { isc_sockaddr_fromin(&bind_address, &in4, srcport); - else { + isc_net_disableipv6(); + } else { if (hash != NULL) *hash = '#'; fatal("invalid address %s", value); From b4fe7caac90b28629d207b40a77862e2535f925c Mon Sep 17 00:00:00 2001 
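Review bot: The calls to `isc_net_disableipv4()` / `isc_net_disableipv6()` added in the `-b` branch of dash_option are process-wide side effects with no comment explaining why a source address should restrict the family used for "@server" lookups. If those calls are sticky and `-b` is given more than once with addresses of different families, both families would end up disabled — worth confirming against isc_net, since nothing in the hunk re-enables a family. A comment on the first new line, `/* -b fixes the source address family; restrict server lookups to it so "@server" cannot resolve to the other family. */`, would make the intent explicit. dash_option's body starts and ends outside the hunk.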
From: Mark Andrews <marka@isc.org> Date: Thu, 15 Apr 2004 07:02:06 +0000 Subject: [PATCH 048/146] 1611. [bug] solaris: IPv6 interface scanning failed to cope with no active IPv6 interfaces. --- CHANGES | 3 ++- lib/isc/unix/ifiter_ioctl.c | 5 +++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 69f290e41e..6b47c6486e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,5 @@ -1611. [placeholder] rt11065 +1611. [bug] solaris: IPv6 interface scanning failed to cope with + no active IPv6 interfaces. 1610. [bug] On dual stack machines "dig -b" failed to set the address type to be looked up with "@server". diff --git a/lib/isc/unix/ifiter_ioctl.c b/lib/isc/unix/ifiter_ioctl.c index ba0c45076a..b8fee5a62a 100644 --- a/lib/isc/unix/ifiter_ioctl.c +++ b/lib/isc/unix/ifiter_ioctl.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: ifiter_ioctl.c,v 1.44 2004/03/05 05:11:45 marka Exp $ */ +/* $Id: ifiter_ioctl.c,v 1.45 2004/04/15 07:02:06 marka Exp $ */ /* * Obtain the list of network interfaces using the SIOCGLIFCONF ioctl. @@ -267,7 +267,8 @@ getbuf6(isc_interfaceiter_t *iter) { iter->bufsize6 *= 2; } - iter->mode = 6; + if (iter->lifc.lifc_len != 0) + iter->mode = 6; return (ISC_R_SUCCESS); cleanup: From 8d414d155953f89a4eff40f16878438a8c9228f3 Mon Sep 17 00:00:00 2001 
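Review bot: The new guard `if (iter->lifc.lifc_len != 0) iter->mode = 6;` in getbuf6 leaves `iter->mode` at whatever value it had before, and the hunk does not say what that means for the caller; from the commit message it presumably falls back to the non-IPv6 path. A comment such as `/* SIOCGLIFCONF can succeed with an empty list when no IPv6 interfaces are active; leave mode unchanged so the caller does not walk an empty IPv6 list. */` would explain the asymmetry with the ISC_R_SUCCESS return that follows. The rest of getbuf6, including how the buffer allocated above is handled when the list is empty, is outside the hunk.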
From: Mark Andrews <marka@isc.org> Date: Thu, 15 Apr 2004 23:40:27 +0000 Subject: [PATCH 049/146] 1600. [bug] Duplicate zone pre-load checks were not case insensitive. 1599. [bug] Fix memory leak on error path when checking named.conf. 1598. [func] Specify that certain parts of the namespace must be secure (dnssec-must-be-secure). --- CHANGES | 8 +- bin/named/server.c | 43 +++++++- bin/tests/system/dnssec/ns2/example.db.in | 6 +- bin/tests/system/dnssec/ns3/named.conf | 7 +- bin/tests/system/dnssec/ns4/named.conf | 3 +- doc/arm/Bv9ARM-book.xml | 14 ++- lib/bind9/check.c | 117 +++++++++++++++++++--- lib/dns/include/dns/resolver.h | 12 ++- lib/dns/include/dns/result.h | 5 +- lib/dns/include/dns/validator.h | 3 +- lib/dns/resolver.c | 108 ++++++++++++++++++-- lib/dns/result.c | 6 +- lib/dns/validator.c | 56 ++++++++++- lib/isccfg/namedconf.c | 15 ++- 14 files changed, 359 insertions(+), 44 deletions(-) diff --git a/CHANGES b/CHANGES index 6b47c6486e..f34157a414 100644 --- a/CHANGES +++ b/CHANGES @@ -32,11 +32,13 @@ "allow-recursion" active' warning from view "_bind". [RT# 10920] -1600. [placeholder] rt10861. +1600. [bug] Duplicate zone pre-load checks were not case + insensitive. -1599. [placeholder] rt10861. +1599. [bug] Fix memory leak on error path when checking named.conf. -1598. [placeholder] rt10861. +1598. [func] Specify that certain parts of the namespace must + be secure (dnssec-must-be-secure). 1597. [placeholder] rt6496a diff --git a/bin/named/server.c b/bin/named/server.c index 0a6dc833f3..1ce9565aa8 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.421 2004/04/10 05:03:27 marka Exp $ */ +/* $Id: server.c,v 1.422 2004/04/15 23:40:21 marka Exp $ */ #include <config.h> 
@@ -376,6 +376,39 @@ configure_view_dnsseckeys(cfg_obj_t *vconfig, cfg_obj_t *config, return (result); } +static isc_result_t +mustbesecure(cfg_obj_t *mbs, dns_resolver_t *resolver) +{ + cfg_listelt_t *element; + cfg_obj_t *obj; + const char *str; + dns_fixedname_t fixed; + dns_name_t *name; + isc_boolean_t value; + isc_result_t result; + isc_buffer_t b; + + dns_fixedname_init(&fixed); + name = dns_fixedname_name(&fixed); + for (element = cfg_list_first(mbs); + element != NULL; + element = cfg_list_next(element)) + { + obj = cfg_listelt_value(element); + str = cfg_obj_asstring(cfg_tuple_get(obj, "name")); + isc_buffer_init(&b, str, strlen(str)); + isc_buffer_add(&b, strlen(str)); + CHECK(dns_name_fromtext(name, &b, dns_rootname, + ISC_FALSE, NULL)); + value = cfg_obj_asboolean(cfg_tuple_get(obj, "value")); + CHECK(dns_resolver_setmustbesecure(resolver, name, value)); + } + + result = ISC_R_SUCCESS; + + cleanup: + return (result); +} /* * Get a dispatch appropriate for the resolver of a given view. @@ -1164,9 +1197,15 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, * For now, there is only one kind of trusted keys, the * "security roots". */ - if (view->enablednssec) + if (view->enablednssec) { CHECK(configure_view_dnsseckeys(vconfig, config, mctx, &view->secroots)); + dns_resolver_resetmustbesecure(view->resolver); + obj = NULL; + result = ns_config_get(maps, "dnssec-must-be-secure", &obj); + if (result == ISC_R_SUCCESS) + CHECK(mustbesecure(obj, view->resolver)); + } obj = NULL; result = ns_config_get(maps, "max-cache-ttl", &obj); diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in index ad8d8b280e..c9f00c55ec 100644 --- a/bin/tests/system/dnssec/ns2/example.db.in +++ b/bin/tests/system/dnssec/ns2/example.db.in 
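Review bot: In the configure_view hunk, `dnssec-must-be-secure` is read and applied only inside `if (view->enablednssec) {`, so a configuration that lists must-be-secure domains while validation is disabled is silently accepted and has no effect, which is the opposite of what an operator setting the option expects. At minimum a comment should state this, and a warning when the clause is present but `dnssec-enable` is not set (possibly in lib/bind9/check.c, where the other option checks of this commit live) would surface the misconfiguration. The new `mustbesecure()` function above also lacks a header comment; something like `/* Load the dnssec-must-be-secure list into the view's resolver; the list is reset by the caller first. */` would do, and `strlen(str)` on its two consecutive lines could be computed once.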
@@ -13,7 +13,7 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: example.db.in,v 1.13 2004/03/05 05:00:15 marka Exp $ +; $Id: example.db.in,v 1.14 2004/04/15 23:40:22 marka Exp $ $TTL 300 ; 5 minutes @ IN SOA mname1. . ( @@ -66,6 +66,10 @@ ns.bogus A 10.53.0.3 dynamic NS dynamic dynamic A 10.53.0.3 +; A insecure subdomain +mustbesecure NS ns.mustbesecure +ns.mustbesecure A 10.53.0.3 + z A 10.0.0.26 keyless NS ns.keyless diff --git a/bin/tests/system/dnssec/ns3/named.conf b/bin/tests/system/dnssec/ns3/named.conf index 5af6fb02d3..a4c454a0b9 100644 --- a/bin/tests/system/dnssec/ns3/named.conf +++ b/bin/tests/system/dnssec/ns3/named.conf @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.25 2004/03/10 02:19:54 marka Exp $ */ +/* $Id: named.conf,v 1.26 2004/04/15 23:40:22 marka Exp $ */ // NS3 @@ -74,4 +74,9 @@ zone "keyless.example" { file "keyless.example.db.signed"; }; +zone "mustbesecure.example" { + type master; + file "mustbesecure.example.db"; +}; + include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns4/named.conf b/bin/tests/system/dnssec/ns4/named.conf index 4f908e47b2..040e481e4c 100644 --- a/bin/tests/system/dnssec/ns4/named.conf +++ b/bin/tests/system/dnssec/ns4/named.conf @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.22 2004/03/10 02:19:54 marka Exp $ */ +/* $Id: named.conf,v 1.23 2004/04/15 23:40:23 marka Exp $ */ // NS4 @@ -31,6 +31,7 @@ options { listen-on-v6 { none; }; recursion yes; dnssec-enable yes; + dnssec-must-be-secure mustbesecure.example yes; }; zone "." { diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index b7f66f3a58..fdef26b578 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml 
@@ -2,7 +2,7 @@ <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"> -<!-- File: $Id: Bv9ARM-book.xml,v 1.243 2004/03/30 02:13:44 marka Exp $ --> +<!-- File: $Id: Bv9ARM-book.xml,v 1.244 2004/04/15 23:40:23 marka Exp $ --> <book> <title>BIND 9 Administrator Reference Manual @@ -2759,6 +2759,7 @@ statement in the named.conf file: maintain-ixfr-base yes_or_no; dnssec-enable yes_or_no; dnssec-lookaside domain; + dnssec-must-be-secure domain yes_or_no; forward ( only | first ); forwarders { ip_addr port ip_port ; ip_addr port ip_port ; ... }; dual-stack-servers port ip_port { ( domain_name port ip_port | ip_addr port ip_port ) ; ... }; @@ -2990,6 +2991,17 @@ name and a DLV record is looked up. If the DLV record validates a DNSKEY (similarly to the way a DS record does) the DNSKEY RRset is deemed to be trusted. +dnssec-must-be-secure + +Specify heirachies which must / may not be secure (signed and validated). +If yes then named will only accept answers if they +are secure. +If no then normal dnssec validation applies +allowing for insecure answers to be accepted. +The specified domain must be under a trusted-key or +dnssec-lookaside must be active. + + Boolean Options diff --git a/lib/bind9/check.c b/lib/bind9/check.c index fb8ea2a9df..db90d6c7a6 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check.c,v 1.44 2004/03/10 02:19:55 marka Exp $ */ +/* $Id: check.c,v 1.45 2004/04/15 23:40:24 marka Exp $ */ #include @@ -42,6 +42,13 @@ #include +static void +freekey(char *key, unsigned int type, isc_symvalue_t value, void *userarg) { + UNUSED(type); + UNUSED(value); + isc_mem_free(userarg, key); +} + static isc_result_t check_orderent(cfg_obj_t *ent, isc_log_t *logctx) { isc_result_t result = ISC_R_SUCCESS; 
@@ -272,6 +279,67 @@ disabled_algorithms(cfg_obj_t *disabled, isc_log_t *logctx) { return (result); } +static isc_result_t +mustbesecure(cfg_obj_t *secure, isc_symtab_t *symtab, isc_log_t *logctx, + isc_mem_t *mctx) +{ + cfg_obj_t *obj; + char namebuf[DNS_NAME_FORMATSIZE]; + const char *str; + dns_fixedname_t fixed; + dns_name_t *name; + isc_buffer_t b; + isc_result_t result = ISC_R_SUCCESS; + isc_result_t tresult; + isc_symvalue_t symvalue; + char *key; + + dns_fixedname_init(&fixed); + name = dns_fixedname_name(&fixed); + obj = cfg_tuple_get(secure, "name"); + str = cfg_obj_asstring(obj); + isc_buffer_init(&b, str, strlen(str)); + isc_buffer_add(&b, strlen(str)); + tresult = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL); + if (tresult != ISC_R_SUCCESS) { + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "bad domain name '%s'", str); + result = tresult; + } else { + + dns_name_format(name, namebuf, sizeof(namebuf)); + key = isc_mem_strdup(mctx, namebuf); + if (key == NULL) + return (ISC_R_NOMEMORY); + symvalue.as_pointer = secure; + tresult = isc_symtab_define(symtab, key, 1, symvalue, + isc_symexists_reject); + if (tresult == ISC_R_EXISTS) { + const char *file; + unsigned int line; + + RUNTIME_CHECK(isc_symtab_lookup(symtab, key, 1, + &symvalue) == ISC_R_SUCCESS); + isc_mem_free(mctx, key); + file = cfg_obj_file(symvalue.as_pointer); + line = cfg_obj_line(symvalue.as_pointer); + + if (file == NULL) + file = ""; + + cfg_obj_log(secure, logctx, ISC_LOG_ERROR, + "dnssec-must-be-secure '%s': already " + "exists previous definition: %s:%u", + namebuf, file, line); + result = tresult; + } else if (tresult != ISC_R_SUCCESS) { + isc_mem_free(mctx, key); + result = tresult; + } + } + return (result); +} + typedef struct { const char *name; unsigned int scale; 
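Review bot: The new `mustbesecure()` check only verifies that the name parses and is not listed twice; the ARM text added in this commit states that the domain must be under a trusted-key or DLV must be active, and nothing here or in the check_options hunk enforces or warns about that. If validation is only attempted under a configured trust anchor, a must-be-secure entry outside one is accepted silently and never takes effect, which is a false sense of security rather than a hard failure — worth at least a header comment: `/* Syntax and duplicate check for one dnssec-must-be-secure entry; does not verify that the name is covered by a trust anchor. */`. Two style nits in the same function: the blank line directly after `} else {`, and `strlen(str)` evaluated twice on consecutive lines.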
@@ -279,7 +347,7 @@ typedef struct { } intervaltable; static isc_result_t -check_options(cfg_obj_t *options, isc_log_t *logctx) { +check_options(cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) { isc_result_t result = ISC_R_SUCCESS; isc_result_t tresult; unsigned int i; @@ -406,6 +474,31 @@ check_options(cfg_obj_t *options, isc_log_t *logctx) { result = tresult; } } + + /* + * Check dnssec-must-be-secure. + */ + obj = NULL; + (void)cfg_map_get(options, "dnssec-must-be-secure", &obj); + if (obj != NULL) { + isc_symtab_t *symtab = NULL; + tresult = isc_symtab_create(mctx, 100, freekey, mctx, + ISC_FALSE, &symtab); + if (tresult != ISC_R_SUCCESS) + result = tresult; + for (element = cfg_list_first(obj); + element != NULL; + element = cfg_list_next(element)) + { + obj = cfg_listelt_value(element); + tresult = mustbesecure(obj, symtab, logctx, mctx); + if (tresult != ISC_R_SUCCESS) + result = tresult; + } + if (symtab != NULL) + isc_symtab_destroy(&symtab); + } + return (result); } @@ -703,7 +796,8 @@ check_zoneconf(cfg_obj_t *zconfig, cfg_obj_t *config, isc_symtab_t *symtab, zname, file, line); result = ISC_R_FAILURE; } else if (tresult != ISC_R_SUCCESS) { - isc_mem_strdup(mctx, key); + isc_mem_free(mctx, key); + return (tresult); } } @@ -818,7 +912,7 @@ check_zoneconf(cfg_obj_t *zconfig, cfg_obj_t *config, isc_symtab_t *symtab, /* * Check various options. */ - tresult = check_options(zoptions, logctx); + tresult = check_options(zoptions, logctx, mctx); if (tresult != ISC_R_SUCCESS) result = tresult; @@ -886,13 +980,6 @@ check_keylist(cfg_obj_t *keys, isc_symtab_t *symtab, isc_log_t *logctx) { return (result); } -static void -freekey(char *key, unsigned int type, isc_symvalue_t value, void *userarg) { - UNUSED(type); - UNUSED(value); - isc_mem_free(userarg, key); -} - static isc_result_t check_servers(cfg_obj_t *servers, isc_log_t *logctx) { isc_result_t result = ISC_R_SUCCESS; 
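Review bot: In the check_options hunk, when `isc_symtab_create()` fails the code records `result = tresult` but then still runs the loop, calling `mustbesecure(obj, symtab, logctx, mctx)` with `symtab == NULL`; every successfully parsed name then reaches `isc_symtab_define()` with a NULL table. The loop should be skipped on creation failure, e.g. change the two lines to `if (tresult != ISC_R_SUCCESS) return (tresult);` (the `if (symtab != NULL)` guard before `isc_symtab_destroy` then becomes redundant). Also note that the loop reuses `obj` as the element variable, so after the loop `obj` no longer refers to the list; harmless given the `obj = NULL` resets elsewhere, but easy to trip over.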
@@ -969,7 +1056,7 @@ check_viewconf(cfg_obj_t *config, cfg_obj_t *vconfig, dns_rdataclass_t vclass, * there are no duplicate zones. */ tresult = isc_symtab_create(mctx, 100, freekey, mctx, - ISC_TRUE, &symtab); + ISC_FALSE, &symtab); if (tresult != ISC_R_SUCCESS) return (ISC_R_NOMEMORY); @@ -1067,9 +1154,9 @@ check_viewconf(cfg_obj_t *config, cfg_obj_t *vconfig, dns_rdataclass_t vclass, } if (vconfig != NULL) - tresult = check_options(vconfig, logctx); + tresult = check_options(vconfig, logctx, mctx); else - tresult = check_options(config, logctx); + tresult = check_options(config, logctx, mctx); if (tresult != ISC_R_SUCCESS) result = tresult; @@ -1095,7 +1182,7 @@ bind9_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) { (void)cfg_map_get(config, "options", &options); if (options != NULL && - check_options(options, logctx) != ISC_R_SUCCESS) + check_options(options, logctx, mctx) != ISC_R_SUCCESS) result = ISC_R_FAILURE; (void)cfg_map_get(config, "server", &servers); diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h index b20359ce46..0f35a6ba71 100644 --- a/lib/dns/include/dns/resolver.h +++ b/lib/dns/include/dns/resolver.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.h,v 1.40 2004/03/05 05:09:46 marka Exp $ */ +/* $Id: resolver.h,v 1.41 2004/04/15 23:40:26 marka Exp $ */ #ifndef DNS_RESOLVER_H #define DNS_RESOLVER_H 1 @@ -416,6 +416,16 @@ dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name, * crypto libraries if not specifically disabled. */ +void +dns_resolver_resetmustbesecure(dns_resolver_t *resolver); + +isc_result_t +dns_resolver_setmustbesecure(dns_resolver_t *resolver, dns_name_t *name, + isc_boolean_t value); + +isc_boolean_t +dns_resolver_getmustbesecure(dns_resolver_t *resolver, dns_name_t *name); + ISC_LANG_ENDDECLS #endif /* DNS_RESOLVER_H */ diff --git a/lib/dns/include/dns/result.h b/lib/dns/include/dns/result.h index 27e94f4545..a41fbfa80f 100644 
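Review bot: The three prototypes added to resolver.h (`dns_resolver_resetmustbesecure`, `dns_resolver_setmustbesecure`, `dns_resolver_getmustbesecure`) carry no comment block, while the neighbouring declaration ends with a documented contract (`... crypto libraries if not specifically disabled. */`). The header should state what the implementation in lib/dns/resolver.c does: reset destroys the whole table; set records whether names at or below `name` must validate as secure, and fails if the table cannot be created; get returns ISC_FALSE when nothing is configured and otherwise the value of the closest configured ancestor (the implementation accepts DNS_R_PARTIALMATCH). Whether a repeated `name` in set is rejected or overrides the earlier value depends on dns_rbt_addname and should be stated too, since check.c relies on duplicates being rejected at configuration time.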
--- a/lib/dns/include/dns/result.h +++ b/lib/dns/include/dns/result.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: result.h,v 1.104 2004/03/22 01:46:01 marka Exp $ */ +/* $Id: result.h,v 1.105 2004/04/15 23:40:26 marka Exp $ */ #ifndef DNS_RESULT_H #define DNS_RESULT_H 1 @@ -141,8 +141,9 @@ #define DNS_R_BADNAME (ISC_RESULTCLASS_DNS + 97) #define DNS_R_DYNAMIC (ISC_RESULTCLASS_DNS + 98) #define DNS_R_UNKNOWNCOMMAND (ISC_RESULTCLASS_DNS + 99) +#define DNS_R_MUSTBESECURE (ISC_RESULTCLASS_DNS + 100) -#define DNS_R_NRESULTS 100 /* Number of results */ +#define DNS_R_NRESULTS 101 /* Number of results */ /* * DNS wire format rcodes. diff --git a/lib/dns/include/dns/validator.h b/lib/dns/include/dns/validator.h index 02c492db45..59d2aefe33 100644 --- a/lib/dns/include/dns/validator.h +++ b/lib/dns/include/dns/validator.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.h,v 1.27 2004/03/10 02:19:56 marka Exp $ */ +/* $Id: validator.h,v 1.28 2004/04/15 23:40:26 marka Exp $ */ #ifndef DNS_VALIDATOR_H #define DNS_VALIDATOR_H 1 @@ -121,6 +121,7 @@ struct dns_validator { dns_fixedname_t wild; ISC_LINK(dns_validator_t) link; dns_rdataset_t * dlv; + isc_boolean_t mustbesecure; }; ISC_LANG_BEGINDECLS diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index acfc12b399..bdbf2ca04d 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.285 2004/04/15 01:58:24 marka Exp $ */ +/* $Id: resolver.c,v 1.286 2004/04/15 23:40:24 marka Exp $ */ #include @@ -288,10 +288,14 @@ struct dns_resolver { isc_uint32_t lame_ttl; ISC_LIST(alternate_t) alternates; isc_uint16_t udpsize; -#if USE_ALGLOG +#if USE_ALGLOCK isc_rwlock_t alglock; #endif dns_rbt_t * algorithms; +#if USE_MBSLOCK + isc_rwlock_t mbslock; +#endif + dns_rbt_t * mustbesecure; /* Locked by lock. */ unsigned int references; isc_boolean_t exiting; 
@@ -5438,6 +5442,13 @@ destroy(dns_resolver_t *res) { isc_mem_put(res->mctx, a, sizeof(*a)); } dns_resolver_reset_algorithms(res); + dns_resolver_resetmustbesecure(res); +#if USE_ALGLOCK + isc_rwlock_destroy(&res->alglock); +#endif +#if USE_MBSLOCK + isc_rwlock_destroy(&res->mbslock); +#endif res->magic = 0; isc_mem_put(res->mctx, res, sizeof(*res)); } @@ -5518,6 +5529,7 @@ dns_resolver_create(dns_view_t *view, ISC_LIST_INIT(res->alternates); res->udpsize = RECV_BUFFER_SIZE; res->algorithms = NULL; + res->mustbesecure = NULL; res->nbuckets = ntasks; res->activebuckets = ntasks; @@ -5576,6 +5588,11 @@ dns_resolver_create(dns_view_t *view, if (result != ISC_R_SUCCESS) goto cleanup_primelock; #endif +#if USE_MBSLOCK + result = isc_rwlock_init(&res->mbslock, 0, 0); + if (result != ISC_R_SUCCESS) + goto cleanup_alglock; +#endif res->magic = RES_MAGIC; @@ -5583,9 +5600,15 @@ dns_resolver_create(dns_view_t *view, return (ISC_R_SUCCESS); +#if USE_MBSLOCK + cleanup_alglock: #if USE_ALGLOCK + isc_rwlock_destroy(&res->alglock); +#endif +#endif +#if USE_ALGLOCK || USE_MBSLOCK cleanup_primelock: - DESTROYLOCK(&res->nlock); + DESTROYLOCK(&res->primelock); #endif cleanup_nlock: @@ -6286,14 +6309,12 @@ dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name, REQUIRE(VALID_RESOLVER(resolver)); - if (resolver->algorithms == NULL) - return (dst_algorithm_supported(alg)); - #if USE_ALGLOCK - RWLOCK(&resolver->alglock, isc_rwlocktype_read) + RWLOCK(&resolver->alglock, isc_rwlocktype_read); #endif - result = dns_rbt_findname(resolver->algorithms, name, - DNS_RBTFIND_NOEXACT, NULL, &data); + if (resolver->algorithms == NULL) + goto unlock; + result = dns_rbt_findname(resolver->algorithms, name, 0, NULL, &data); if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) { len = alg/8 + 2; mask = 1 << (alg%8); 
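Review bot: In the dns_resolver_algorithm_supported hunk the lookup flag changes from `DNS_RBTFIND_NOEXACT` to `0`, so a disable-algorithms entry now also applies to the configured name itself, not only to names below it; none of the CHANGES entries in this commit (1598–1600) mention it, and it deserves either an entry or a comment on the `dns_rbt_findname` line. The `USE_ALGLOG` → `USE_ALGLOCK` correction in the struct hunk above means the alglock code is presumably being compiled for the first time, which matches the missing semicolons repaired on the two RWLOCK lines here — a one-line comment at the fix would save the next reader from wondering why lock calls were ever unterminated. The added `isc_rwlock_destroy(&res->alglock)` in destroy() looks correct, but if USE_ALGLOCK was never defined before, both lock paths are effectively new code and should be exercised with the lock enabled.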
@@ -6301,10 +6322,77 @@ dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name, if (len <= *algorithms && (algorithms[len-1] & mask) != 0) found = ISC_TRUE; } + unlock: #if USE_ALGLOCK - RWUNLOCK(&resolver->alglock, isc_rwlocktype_read) + RWUNLOCK(&resolver->alglock, isc_rwlocktype_read); #endif if (found) return (ISC_FALSE); return (dst_algorithm_supported(alg)); } + +void +dns_resolver_resetmustbesecure(dns_resolver_t *resolver) { + + REQUIRE(VALID_RESOLVER(resolver)); + +#if USE_MBSLOCK + RWLOCK(&resolver->mbslock, isc_rwlocktype_write); +#endif + if (resolver->mustbesecure != NULL) + dns_rbt_destroy(&resolver->mustbesecure); +#if USE_MBSLOCK + RWUNLOCK(&resolver->mbslock, isc_rwlocktype_write); +#endif +} + +static isc_boolean_t yes = ISC_TRUE, no = ISC_FALSE; + +isc_result_t +dns_resolver_setmustbesecure(dns_resolver_t *resolver, dns_name_t *name, + isc_boolean_t value) +{ + isc_result_t result; + + REQUIRE(VALID_RESOLVER(resolver)); + +#if USE_MBSLOCK + RWLOCK(&resolver->mbslock, isc_rwlocktype_write); +#endif + if (resolver->mustbesecure == NULL) { + result = dns_rbt_create(resolver->mctx, NULL, NULL, + &resolver->mustbesecure); + if (result != ISC_R_SUCCESS) + goto cleanup; + } + result = dns_rbt_addname(resolver->mustbesecure, name, + value ? 
&yes : &no); + cleanup: +#if USE_MBSLOCK + RWUNLOCK(&resolver->mbslock, isc_rwlocktype_write); +#endif + return (result); +} + +isc_boolean_t +dns_resolver_getmustbesecure(dns_resolver_t *resolver, dns_name_t *name) { + void *data = NULL; + isc_boolean_t value = ISC_FALSE; + isc_result_t result; + + REQUIRE(VALID_RESOLVER(resolver)); + +#if USE_MBSLOCK + RWLOCK(&resolver->mbslock, isc_rwlocktype_read); +#endif + if (resolver->mustbesecure == NULL) + goto unlock; + result = dns_rbt_findname(resolver->mustbesecure, name, 0, NULL, &data); + if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) + value = *(isc_boolean_t*)data; + unlock: +#if USE_MBSLOCK + RWUNLOCK(&resolver->mbslock, isc_rwlocktype_read); +#endif + return (value); +} diff --git a/lib/dns/result.c b/lib/dns/result.c index 685d29da39..982cc4b1f5 100644 --- a/lib/dns/result.c +++ b/lib/dns/result.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: result.c,v 1.115 2004/03/22 01:46:01 marka Exp $ */ +/* $Id: result.c,v 1.116 2004/04/15 23:40:25 marka Exp $ */ #include @@ -148,7 +148,9 @@ static const char *text[DNS_R_NRESULTS] = { "bad owner name (check-names)", /* 96 DNS_R_BADOWNERNAME */ "bad name (check-names)", /* 97 DNS_R_BADNAME */ "dynamic zone", /* 98 DNS_R_DYNAMIC */ - "unknown command" /* 99 DNS_R_UNKNOWNCOMMAND */ + "unknown command", /* 99 DNS_R_UNKNOWNCOMMAND */ + + "must-be-secure" /* 100 DNS_R_MUSTBESECURE */ }; static const char *rcode_text[DNS_R_NRCODERESULTS] = { diff --git a/lib/dns/validator.c b/lib/dns/validator.c index 6896b0c7dc..ddaf8c00c9 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.c,v 1.120 2004/04/15 01:58:24 marka Exp $ */ +/* $Id: validator.c,v 1.121 2004/04/15 23:40:25 marka Exp $ */ #include 
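Review bot: The file-scope `static isc_boolean_t yes = ISC_TRUE, no = ISC_FALSE;` sits between two functions with no explanation; the tree is created with `dns_rbt_create(resolver->mctx, NULL, NULL, ...)`, presumably no deleter, so node data must point at storage that outlives the tree, which is why statics are used. A comment such as `/* Node data points at these statics; the rbt has no deleter, so nothing is freed per node. */` would prevent someone from later storing a heap pointer here. In dns_resolver_getmustbesecure the DNS_R_PARTIALMATCH branch dereferences `data` without a NULL check; if dns_rbt_findname can report a partial match at a node without data, that is a crash — confirm against the rbt contract or add `&& data != NULL`.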
@@ -348,8 +348,14 @@ dsfetched2(isc_task_t *task, isc_event_t *event) { */ tname = dns_fixedname_name(&devent->foundname); if (isdelegation(tname, &val->frdataset, eresult)) { - val->event->rdataset->trust = dns_trust_answer; - validator_done(val, ISC_R_SUCCESS); + if (val->mustbesecure) { + validator_log(val, ISC_LOG_WARNING, + "must be secure failure"); + validator_done(val, DNS_R_MUSTBESECURE); + } else { + val->event->rdataset->trust = dns_trust_answer; + validator_done(val, ISC_R_SUCCESS); + } } else { result = proveunsecure(val, ISC_TRUE); if (result != DNS_R_WAIT) @@ -1127,6 +1133,11 @@ validate(dns_validator_t *val, isc_boolean_t resume) { * The key is insecure, so mark the data as insecure also. */ if (val->key == NULL) { + if (val->mustbesecure) { + validator_log(val, ISC_LOG_WARNING, + "must be secure failure"); + return (DNS_R_MUSTBESECURE); + } event->rdataset->trust = dns_trust_answer; event->sigrdataset->trust = dns_trust_answer; validator_log(val, ISC_LOG_DEBUG(3), @@ -1410,6 +1421,11 @@ dlv_validatezonekey(dns_validator_t *val) { INSIST(val->dlv != NULL); if (val->dlv->trust < dns_trust_secure) { + if (val->mustbesecure) { + validator_log(val, ISC_LOG_WARNING, + "must be secure failure"); + return (DNS_R_MUSTBESECURE); + } val->event->rdataset->trust = dns_trust_answer; val->event->sigrdataset->trust = dns_trust_answer; return (ISC_R_SUCCESS); @@ -1508,6 +1524,11 @@ dlv_validatezonekey(dns_validator_t *val) { validator_log(val, ISC_LOG_DEBUG(3), "marking as secure"); return (result); } else if (result == ISC_R_NOMORE && !supported_algorithm) { + if (val->mustbesecure) { + validator_log(val, ISC_LOG_WARNING, + "must be secure failure"); + return (DNS_R_MUSTBESECURE); + } val->event->rdataset->trust = dns_trust_answer; val->event->sigrdataset->trust = dns_trust_answer; validator_log(val, ISC_LOG_DEBUG(3), 
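Review bot: The same five-line block — `if (val->mustbesecure) { validator_log(val, ISC_LOG_WARNING, "must be secure failure"); return (DNS_R_MUSTBESECURE); }` — is pasted at every point where the validator downgrades to dns_trust_answer, here in dsfetched2, validate and dlv_validatezonekey and again in the validatezonekey and proveunsecure hunks that follow; since each site is a security-relevant decision, a single helper keeps the log text and result uniform and makes a missed downgrade path easier to spot. Three of the sites differ only in how the result leaves the function (`validator_done`, `goto out` with `result`, direct return), which the helper handles by returning the result. The diff touches every insecure-downgrade site I can see, but whether any other such site exists outside these hunks cannot be told from here.
```c
/*
 * Common exit for the dnssec-must-be-secure case: the data could only be
 * proven insecure, which the configuration forbids for this name.
 */
static isc_result_t
mustbesecure_failure(dns_validator_t *val) {
	validator_log(val, ISC_LOG_WARNING, "must be secure failure");
	return (DNS_R_MUSTBESECURE);
}

/* … unchanged: rest of the file; at each insecure-downgrade site the block becomes: … */
	if (val->mustbesecure)
		return (mustbesecure_failure(val));
/* … in dsfetched2: validator_done(val, mustbesecure_failure(val)); in the two goto sites: result = mustbesecure_failure(val); goto out; … */
```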
@@ -1686,6 +1707,11 @@ validatezonekey(dns_validator_t *val) { INSIST(val->dsset != NULL); if (val->dsset->trust < dns_trust_secure) { + if (val->mustbesecure) { + validator_log(val, ISC_LOG_WARNING, + "must be secure failure"); + return (DNS_R_MUSTBESECURE); + } val->event->rdataset->trust = dns_trust_answer; val->event->sigrdataset->trust = dns_trust_answer; return (ISC_R_SUCCESS); @@ -1790,6 +1816,11 @@ validatezonekey(dns_validator_t *val) { return (dlv_validatezonekey(val)); } else if (result == ISC_R_NOMORE && !supported_algorithm) { + if (val->mustbesecure) { + validator_log(val, ISC_LOG_WARNING, + "must be secure failure"); + return (DNS_R_MUSTBESECURE); + } val->event->rdataset->trust = dns_trust_answer; val->event->sigrdataset->trust = dns_trust_answer; validator_log(val, ISC_LOG_DEBUG(3), @@ -2093,6 +2124,12 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) { if (val->frdataset.trust >= dns_trust_secure && !check_ds_algorithm(val, dns_fixedname_name(&val->fname), &val->frdataset)) { + if (val->mustbesecure) { + validator_log(val, ISC_LOG_WARNING, + "must be secure failure"); + result = DNS_R_MUSTBESECURE; + goto out; + } validator_log(val, ISC_LOG_DEBUG(3), "no supported algorithm (ds)"); val->event->rdataset->trust = dns_trust_answer; @@ -2138,6 +2175,11 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) { goto out; } if (isdelegation(tname, &val->frdataset, result)) { + if (val->mustbesecure) { + validator_log(val, ISC_LOG_WARNING, + "must be secure failure"); + return (DNS_R_MUSTBESECURE); + } val->event->rdataset->trust = dns_trust_answer; return (ISC_R_SUCCESS); } 
@@ -2152,6 +2194,13 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) { &val->frdataset)) { validator_log(val, ISC_LOG_DEBUG(3), "no supported algorithm (ds)"); + if (val->mustbesecure) { + validator_log(val, + ISC_LOG_WARNING, + "must be secure failure"); + result = DNS_R_MUSTBESECURE; + goto out; + } val->event->rdataset->trust = dns_trust_answer; result = ISC_R_SUCCESS; @@ -2378,6 +2427,7 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, val->nsecset = NULL; val->soaname = NULL; val->seensig = ISC_FALSE; + val->mustbesecure = dns_resolver_getmustbesecure(view->resolver, name); dns_rdataset_init(&val->frdataset); dns_rdataset_init(&val->fsigrdataset); dns_fixedname_init(&val->wild); diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 3c7bdd88e4..5460253c0f 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: namedconf.c,v 1.32 2004/03/30 02:13:45 marka Exp $ */ +/* $Id: namedconf.c,v 1.33 2004/04/15 23:40:27 marka Exp $ */ #include @@ -647,6 +647,17 @@ static cfg_type_t cfg_type_disablealgorithm = { &cfg_rep_tuple, disablealgorithm_fields }; +static cfg_tuplefielddef_t mustbesecure_fields[] = { + { "name", &cfg_type_astring, 0 }, + { "value", &cfg_type_boolean, 0 }, + { NULL, NULL, 0 } +}; + +static cfg_type_t cfg_type_mustbesecure = { + "mustbesecure", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, + &cfg_rep_tuple, mustbesecure_fields +}; + /* * Clauses that can be found within the 'view' statement, * with defaults in the 'options' statement. @@ -693,6 +704,8 @@ view_clauses[] = { CFG_CLAUSEFLAG_MULTI }, { "dnssec-enable", &cfg_type_boolean, 0 }, { "dnssec-lookaside", &cfg_type_astring, 0 }, + { "dnssec-must-be-secure", &cfg_type_mustbesecure, + CFG_CLAUSEFLAG_MULTI }, { NULL, NULL, 0 } }; From b5e4e4da43461f416b19d52ec047495e6960579d Mon Sep 17 00:00:00 2001 
From: Mark Andrews Date: Fri, 16 Apr 2004 02:56:14 +0000 Subject: [PATCH 050/146] regen --- doc/arm/Bv9ARM.ch06.html | 121 ++++++++++++++++++++++++++------------- doc/arm/Bv9ARM.ch07.html | 8 +-- doc/arm/Bv9ARM.ch08.html | 14 ++--- doc/arm/Bv9ARM.ch09.html | 108 +++++++++++++++++----------------- doc/arm/Bv9ARM.html | 38 ++++++------ doc/misc/options | 2 + 6 files changed, 167 insertions(+), 124 deletions(-) diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index dacc5e0f47..eda5506b01 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -94,7 +94,7 @@ HREF="Bv9ARM.ch06.html#Configuration_File_Grammar" >
6.3. Zone File
] [ dnssec-must-be-secure domain yes_or_no; ] + [ forward (
dnssec-must-be-secure

Specify heirachies which must / may not be secure (signed and validated). +If yes then named will only accept answers if they +are secure. +If no then normal dnssec validation applies +allowing for insecure answers to be accepted. +The specified domain must be under a trusted-key or +dnssec-lookaside must be active. +

6.2.16.2. Forwarding

6.2.16.3. 6 to 4 Servers

6.2.16.5. Interfaces

6.2.16.6. Query Address

6.2.16.8. Bad UDP Port Lists

6.2.16.9. Operating System Resource Limits

6.2.16.10. Server Resource Limits

6.2.16.11. Periodic Task Intervals

6.2.19. trusted-keys

6.2.20. trusted-keys

6.2.22. view

6.2.24. zone

6.2.24.1. Zone Types

6.2.24.2. Class

6.2.24.3. Zone Options

6.3. Zone File

6.3.1.1. Resource Records

6.3.1.2. Textual expression of RRs

6.3.2. Discussion of MX Records

6.3.4. Inverse Mapping in IPv4

6.3.5. Other Zone File Directives

6.3.5.1. The $ORIGIN

6.3.5.2. The $INCLUDE

6.3.5.3. The $TTL

6.3.6. BIND

7.2. chroot

7.2. chroot

7.2.1. The chroot

7.2.2. Using the setuid

8.1. Common Problems
8.2. Incrementing and Changing the Serial Number
8.3. Where Can I Get Help?

8.1. Common Problems

8.1.1. It's not working; how can I figure out what's wrong?

8.2. Incrementing and Changing the Serial Number

8.3. Where Can I Get Help?

A.1. Acknowledgments

A.1. Acknowledgments

A.1.1. A Brief History of the DNS

Bibliography

Standards

[RFC974] 

[RFC1034] 

[RFC1035] 

[RFC2181] 

[RFC2308] 

[RFC1995] 

[RFC1996] 

[RFC2136] 

[RFC2845] 

Proposed Standards Still Under Development

[RFC1886] 

[RFC2065] 

[RFC2137] 

Other Important RFCs About DNS

[RFC1535] 

[RFC1536] 

[RFC1982] 

Resource Record Types

[RFC1183] 

[RFC1706] 

[RFC2168] 

[RFC1876] 

[RFC2052] 

[RFC2163] 

[RFC2230] 

DNS

[RFC1101] 

[RFC1123] 

[RFC1591] 

[RFC2317] 

DNS

[RFC1537] 

[RFC1912] 

[RFC2010] 

[RFC2219] 

Other DNS

[RFC1464] 

[RFC1713] 

6.2.19. trusted-keys
6.2.20. trusted-keys
6.2.22. view
6.2.24. zone
6.3. Zone File
6.3.2. Discussion of MX Records
6.3.4. Inverse Mapping in IPv4
6.3.5. Other Zone File Directives
6.3.6. BIND
7.2. chroot
7.2.1. The chroot
7.2.2. Using the setuid
8.1. Common Problems
8.1.1. It's not working; how can I figure out what's wrong?
8.2. Incrementing and Changing the Serial Number
8.3. Where Can I Get Help?
A.1. Acknowledgments
A.1.1. A Brief History of the DNS
A.3.3. Other Documents About BIND { ; ... }; dnssec-enable ; dnssec-lookaside ; + dnssec-must-be-secure ; allow-query { ; ... }; allow-transfer { ; ... }; allow-update-forwarding { ; ... }; @@ -262,6 +263,7 @@ view { disable-algorithms { ; ... }; dnssec-enable ; dnssec-lookaside ; + dnssec-must-be-secure ; allow-query { ; ... }; allow-transfer { ; ... }; allow-update-forwarding { ; ... }; From c3c72c1033b9d085b1a1fe74a9e3efb6db724ce2 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Sun, 18 Apr 2004 01:08:52 +0000 Subject: [PATCH 051/146] placeholder --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index f34157a414..7cde753d05 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1612. [placeholder] rt11116 + 1611. [bug] solaris: IPv6 interface scanning failed to cope with no active IPv6 interfaces. From ed6e3610e3e56aac554dc93cad461a0016e961f9 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Sun, 18 Apr 2004 01:37:19 +0000 Subject: [PATCH 052/146] placeholder --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index 7cde753d05..f3020b322a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1613. [placeholder] rt11119 + 1612. [placeholder] rt11116 1611. [bug] solaris: IPv6 interface scanning failed to cope with From de6ceebf98bedee0b1e1e81d078befbd728b801c Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Sun, 18 Apr 2004 01:56:16 +0000 Subject: [PATCH 053/146] placeholder --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index f3020b322a..961b87575a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1614. [placeholder] rt11101 + 1613. [placeholder] rt11119 1612. [placeholder] rt11116 From b21b49a1d43dbc44d2b15674ce03a13562165566 Mon Sep 17 00:00:00 2001 
From: Mark Andrews Date: Mon, 19 Apr 2004 02:54:15 +0000 Subject: [PATCH 054/146] 1615. [port] Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if it is defined. --- CHANGES | 3 +++ lib/isc/unix/socket.c | 6 +++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 961b87575a..b76bd475ca 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +1615. [port] Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if + it is defined. + 1614. [placeholder] rt11101 1613. [placeholder] rt11119 diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c index 3b1396cf13..4c6734b0cb 100644 --- a/lib/isc/unix/socket.c +++ b/lib/isc/unix/socket.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: socket.c,v 1.238 2004/04/15 01:58:25 marka Exp $ */ +/* $Id: socket.c,v 1.239 2004/04/19 02:53:05 marka Exp $ */ #include @@ -62,8 +62,12 @@ * some as socklen_t. This is here so it can be easily changed if needed. */ #ifndef ISC_SOCKADDR_LEN_T +#ifdef _BSD_SOCKLEN_T_ +#define ISC_SOCKADDR_LEN_T _BSD_SOCKLEN_T_ +#else #define ISC_SOCKADDR_LEN_T unsigned int #endif +#endif /* * Define what the possible "soft" errors can be. These are non-fatal returns From ad3b537a241f40bbb3fdc4de252881c42645021b Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 19 Apr 2004 03:48:01 +0000 Subject: [PATCH 055/146] placeholder --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index b76bd475ca..eace48f17d 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1616. [placeholder] rt11127 + 1615. [port] Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if it is defined. From 5ed76fa7ea83d3ce7a33d365aa3b84410c3b8773 Mon Sep 17 00:00:00 2001 
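Review bot: The new `#ifdef _BSD_SOCKLEN_T_` in socket.c appears to depend on include order: on the BSD-derived headers that define this macro, `<sys/socket.h>` typically uses it to typedef socklen_t and then `#undef`s it, so by the time this block is reached the macro may already be gone and the `unsigned int` fallback is what gets used. If the intent is "use socklen_t where the platform has it", testing for the typedef from configure and predefining ISC_SOCKADDR_LEN_T (the existing `#ifndef` already allows that) is more reliable than sniffing a libc-internal macro. At minimum a comment like `/* _BSD_SOCKLEN_T_ is a libc-internal macro; some <sys/socket.h> #undef it after defining socklen_t */` should record the assumption.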
From: Mark Andrews Date: Mon, 19 Apr 2004 04:16:55 +0000 Subject: [PATCH 056/146] 1617. [port] win32: VC++ 6.0 support. --- CHANGES | 2 ++ bin/named/server.c | 8 ++++---- bin/win32/BINDInstall/BINDInstallDlg.cpp | 8 +++++--- lib/isc/win32/include/isc/ipv6.h | 6 +++++- lib/isc/win32/include/isc/net.h | 7 ++++++- lib/isc/win32/include/isc/platform.h | 4 +++- 6 files changed, 25 insertions(+), 10 deletions(-) diff --git a/CHANGES b/CHANGES index eace48f17d..65b85327ff 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1617. [port] win32: VC++ 6.0 support. + 1616. [placeholder] rt11127 1615. [port] Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if diff --git a/bin/named/server.c b/bin/named/server.c index 1ce9565aa8..50e5cd5666 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.422 2004/04/15 23:40:21 marka Exp $ */ +/* $Id: server.c,v 1.423 2004/04/19 04:16:54 marka Exp $ */ #include @@ -937,7 +937,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, udpsize = 512; if (udpsize > 4096) udpsize = 4096; - dns_resolver_setudpsize(view->resolver, udpsize); + dns_resolver_setudpsize(view->resolver, (isc_uint16_t)udpsize); /* * Set supported DNSSEC algorithms. @@ -2070,7 +2070,7 @@ portlist_fromconf(dns_portlist_t *portlist, unsigned int family, element != NULL; element = cfg_list_next(element)) { cfg_obj_t *obj = cfg_listelt_value(element); - in_port_t port = cfg_obj_asuint32(obj); + in_port_t port = (in_port_t)cfg_obj_asuint32(obj); result = dns_portlist_add(portlist, family, port); if (result != ISC_R_SUCCESS) @@ -2231,7 +2231,7 @@ load_configuration(const char *filename, ns_server_t *server, udpsize = 512; if (udpsize > 4096) udpsize = 4096; - ns_g_udpsize = udpsize; + ns_g_udpsize = (isc_uint16_t)udpsize; /* * Configure the zone manager. 
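Review bot: The `(in_port_t)cfg_obj_asuint32(obj)` cast in portlist_fromconf silences the narrowing warning without adding a bound, so a configured value above 65535 would be truncated to a different port silently. If the grammar type behind this list already rejects values >= 65536 the cast is safe and a comment saying so, `/* range enforced by the parser's port type */`, belongs on the line; otherwise read the value into an isc_uint32_t first, set `result = ISC_R_RANGE` when it exceeds 65535 and take the existing error path before assigning `port`. The two `(isc_uint16_t)udpsize` casts are fine because udpsize is clamped to 512..4096 immediately above them.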
diff --git a/bin/win32/BINDInstall/BINDInstallDlg.cpp b/bin/win32/BINDInstall/BINDInstallDlg.cpp index b08d4b21ee..44fe7d2cdb 100644 --- a/bin/win32/BINDInstall/BINDInstallDlg.cpp +++ b/bin/win32/BINDInstall/BINDInstallDlg.cpp @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: BINDInstallDlg.cpp,v 1.15 2004/03/16 05:52:15 marka Exp $ */ +/* $Id: BINDInstallDlg.cpp,v 1.16 2004/04/19 04:16:54 marka Exp $ */ /* * Copyright (c) 1999-2000 by Nortel Networks Corporation @@ -113,8 +113,10 @@ const FileData installFiles[] = {"msvcrt.dll", FileData::WinSystem, FileData::Critical, TRUE}, # endif #endif +#if _MSC_VER > 1200 {"mfc70.dll", FileData::WinSystem, FileData::Critical, TRUE}, {"msvcr70.dll", FileData::WinSystem, FileData::Critical, TRUE}, +#endif {"bindevt.dll", FileData::WinSystem, FileData::Normal, FALSE}, {"libbind9.dll", FileData::WinSystem, FileData::Critical, FALSE}, {"libisc.dll", FileData::WinSystem, FileData::Critical, FALSE}, @@ -435,7 +437,7 @@ void CBINDInstallDlg::OnInstall() { m_accountExists = TRUE; } - ProgramGroup(); + ProgramGroup(FALSE); try { CreateDirs(); @@ -473,7 +475,7 @@ void CBINDInstallDlg::OnInstall() { RegCloseKey(hKey); } - ProgramGroup(); + ProgramGroup(FALSE); if (m_startOnInstall) StartBINDService(); diff --git a/lib/isc/win32/include/isc/ipv6.h b/lib/isc/win32/include/isc/ipv6.h index a390168b3d..db07a5299e 100644 --- a/lib/isc/win32/include/isc/ipv6.h +++ b/lib/isc/win32/include/isc/ipv6.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: ipv6.h,v 1.12 2004/03/16 05:52:23 marka Exp $ */ +/* $Id: ipv6.h,v 1.13 2004/04/19 04:16:55 marka Exp $ */ #ifndef ISC_IPV6_H #define ISC_IPV6_H 1 @@ -43,6 +43,10 @@ * RFC 2553. */ +#if _MSC_VER < 1300 +#define in6_addr in_addr6 +#endif + #ifndef IN6ADDR_ANY_INIT #define IN6ADDR_ANY_INIT {{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }} #endif diff --git a/lib/isc/win32/include/isc/net.h b/lib/isc/win32/include/isc/net.h index a414f2f5a2..f42105ead9 100644 
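Review bot: `#if _MSC_VER > 1200` in BINDInstallDlg.cpp and `#if _MSC_VER < 1300` in ipv6.h test a macro that only Microsoft's compiler defines; in a `#if` an undefined identifier evaluates to 0, so under any other compiler the first test is false and the second is true, which would rename `in6_addr` to `in_addr6` for every non-MSVC build of that header. The same applies to the `_MSC_VER < 1300` tests in net.h and BINDInstall.cpp and the `> 1200` test in platform.h later in this series; if the win32 tree is MSVC-only this is a robustness point rather than a live bug, but it is cheap to close. Writing them as `#if defined(_MSC_VER) && _MSC_VER < 1300` and `#if !defined(_MSC_VER) || _MSC_VER > 1200` keeps the previous behaviour for other toolchains. A short comment naming the compiler, `/* VC++ 6.0 (_MSC_VER 1200) lacks in6_addr */`, would also explain the magic numbers.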
--- a/lib/isc/win32/include/isc/net.h +++ b/lib/isc/win32/include/isc/net.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: net.h,v 1.21 2004/03/05 05:12:05 marka Exp $ */ +/* $Id: net.h,v 1.22 2004/04/19 04:16:55 marka Exp $ */ #ifndef ISC_NET_H #define ISC_NET_H 1 @@ -117,6 +117,11 @@ struct in6_pktinfo { }; #endif +#if _MSC_VER < 1300 +#define in6addr_any isc_in6addr_any +#define in6addr_loopback isc_in6addr_loopback +#endif + /* * Ensure type in_port_t is defined. */ diff --git a/lib/isc/win32/include/isc/platform.h b/lib/isc/win32/include/isc/platform.h index 6c399099c9..a94d039dfd 100644 --- a/lib/isc/win32/include/isc/platform.h +++ b/lib/isc/win32/include/isc/platform.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: platform.h,v 1.9 2004/03/16 05:52:23 marka Exp $ */ +/* $Id: platform.h,v 1.10 2004/04/19 04:16:55 marka Exp $ */ #ifndef ISC_PLATFORM_H #define ISC_PLATFORM_H 1 @@ -31,7 +31,9 @@ ***/ #define ISC_PLATFORM_HAVEIPV6 +#if _MSC_VER > 1200 #define ISC_PLATFORM_HAVEIN6PKTINFO +#endif #define ISC_PLATFORM_NEEDPORTT #undef MSG_TRUNC #define ISC_PLATFORM_NEEDNTOP From eec7c83e2329e8225e0ff29b90f6abd234418604 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 19 Apr 2004 05:16:42 +0000 Subject: [PATCH 057/146] add missing entry points --- lib/dns/win32/libdns.def | 4 ++++ lib/isc/win32/libisc.def | 1 + 2 files changed, 5 insertions(+) diff --git a/lib/dns/win32/libdns.def b/lib/dns/win32/libdns.def index 3cfc35f09f..6da850ec33 100644 --- a/lib/dns/win32/libdns.def +++ b/lib/dns/win32/libdns.def @@ -749,4 +749,8 @@ dns_peer_settransfersource dns_resolver_disable_algorithm dns_resolver_addalternate dns_view_adddelegationonly +dns_resolver_resetmustbesecure +dns_resolver_setmustbesecure +dns_dumpctx_detach +dns_master_dumptostreaminc diff --git a/lib/isc/win32/libisc.def b/lib/isc/win32/libisc.def index 0018d2a3ac..8421191354 100644 --- a/lib/isc/win32/libisc.def +++ b/lib/isc/win32/libisc.def 
@@ -431,6 +431,7 @@ isc_net_disableipv4 isc_net_disableipv6 isc_task_getcurrenttime isc_net_probe_ipv6only +isc_timermgr_poke ; Exported Data From dc02df4d9e57afcd09682d45bd42f981414d7b88 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 19 Apr 2004 05:48:02 +0000 Subject: [PATCH 058/146] silence deprecated warning --- bin/win32/BINDInstall/BINDInstall.cpp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/bin/win32/BINDInstall/BINDInstall.cpp b/bin/win32/BINDInstall/BINDInstall.cpp index aec8076ab3..517f519221 100644 --- a/bin/win32/BINDInstall/BINDInstall.cpp +++ b/bin/win32/BINDInstall/BINDInstall.cpp @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: BINDInstall.cpp,v 1.4 2004/03/05 05:04:16 marka Exp $ */ +/* $Id: BINDInstall.cpp,v 1.5 2004/04/19 05:48:02 marka Exp $ */ /* * Copyright (c) 1999-2000 by Nortel Networks Corporation @@ -78,11 +78,12 @@ BOOL CBINDInstallApp::InitInstance() // If you are not using these features and wish to reduce the size // of your final executable, you should remove from the following // the specific initialization routines you do not need. - +#if _MSC_VER < 1300 #ifdef _AFXDLL Enable3dControls(); // Call this when using MFC in a shared DLL #else Enable3dControlsStatic(); // Call this when linking to MFC statically +#endif #endif CBINDInstallDlg dlg; From 90039392500d15bf056ab4505d048fcba0d485df Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 19 Apr 2004 05:52:21 +0000 Subject: [PATCH 059/146] silence missing prototype warning. --- config.h.win32 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/config.h.win32 b/config.h.win32 index 152f4f893b..486fa4c832 100644 --- a/config.h.win32 +++ b/config.h.win32 @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: config.h.win32,v 1.9 2004/04/10 04:03:16 marka Exp $ */ +/* $Id: config.h.win32,v 1.10 2004/04/19 05:52:21 marka Exp $ */ /* * win32 configuration file 
@@ -192,6 +192,7 @@ typedef long off_t; #define open _open #define close _close #define write _write +#include #define isatty _isatty #ifndef _WINSOCKAPI_ From 86548554f6180bbe051c8cd8f03c93fc9b6a7825 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 19 Apr 2004 21:47:43 +0000 Subject: [PATCH 060/146] 1618. [bug] Fencepost errors in dns_name_ishostname() and dns_name_ismailbox() could trigger a INSIST(). --- CHANGES | 3 +++ lib/dns/name.c | 8 ++++---- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 65b85327ff..c3af43005e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +1618. [bug] Fencepost errors in dns_name_ishostname() and + dns_name_ismailbox() could trigger a INSIST(). + 1617. [port] win32: VC++ 6.0 support. 1616. [placeholder] rt11127 diff --git a/lib/dns/name.c b/lib/dns/name.c index 1f2cb81804..9e76f6c3b0 100644 --- a/lib/dns/name.c +++ b/lib/dns/name.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: name.c,v 1.144 2004/03/05 05:09:21 marka Exp $ */ +/* $Id: name.c,v 1.145 2004/04/19 21:47:43 marka Exp $ */ #include @@ -285,7 +285,7 @@ dns_name_ismailbox(const dns_name_t *name) { ndata = name->ndata; n = *ndata++; - INSIST(n < 63); + INSIST(n <= 63); while (n--) { ch = *ndata++; if (!domainchar(ch)) @@ -300,7 +300,7 @@ dns_name_ismailbox(const dns_name_t *name) { */ while (ndata < (name->ndata + name->length)) { n = *ndata++; - INSIST(n < 63); + INSIST(n <= 63); first = ISC_TRUE; while (n--) { ch = *ndata++; @@ -345,7 +345,7 @@ dns_name_ishostname(const dns_name_t *name, isc_boolean_t wildcard) { */ while (ndata < (name->ndata + name->length)) { n = *ndata++; - INSIST(n < 63); + INSIST(n <= 63); first = ISC_TRUE; while (n--) { ch = *ndata++; From ea38808b7dc1b2e760f18f2cc3ae07deaf15ba1a Mon Sep 17 00:00:00 2001 
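Review bot: The three `INSIST(n <= 63)` checks in dns_name_ismailbox and dns_name_ishostname encode the RFC 1035 label-length limit as a bare literal; a named constant, or at least `/* label length octet; RFC 1035 limits labels to 63 octets */`, would make the fencepost obvious and stop it regressing. Since `n` is read straight from the name's wire data and then drives `while (n--)` reads of `ndata`, this INSIST is the only guard in the visible lines, so the functions presumably rely on the name having been validated by the wire/text parsers; that precondition is worth a one-line note on each function. Both enclosing functions extend beyond the hunks.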
From: Mark Andrews Date: Mon, 19 Apr 2004 23:09:51 +0000 Subject: [PATCH 061/146] 1614. [port] win32: silence resource limit messages. [RT# 11101] --- CHANGES | 2 +- bin/named/config.c | 14 ++++++++------ 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/CHANGES b/CHANGES index c3af43005e..fdaf167bbd 100644 --- a/CHANGES +++ b/CHANGES @@ -8,7 +8,7 @@ 1615. [port] Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if it is defined. -1614. [placeholder] rt11101 +1614. [port] win32: silence resource limit messages. [RT# 11101] 1613. [placeholder] rt11119 diff --git a/bin/named/config.c b/bin/named/config.c index 8c5eaeb902..c761833734 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: config.c,v 1.47 2004/03/16 05:52:14 marka Exp $ */ +/* $Id: config.c,v 1.48 2004/04/19 23:09:51 marka Exp $ */ #include @@ -44,14 +44,17 @@ static char defaultconf[] = "\ options {\n\ -# blackhole {none;};\n\ - coresize default;\n\ +# blackhole {none;};\n" +#ifndef WIN32 +" coresize default;\n\ datasize default;\n\ - deallocate-on-exit true;\n\ + files default;\n\ + stacksize default;\n" +#endif +" deallocate-on-exit true;\n\ # directory \n\ dump-file \"named_dump.db\";\n\ fake-iquery no;\n\ - files default;\n\ has-old-clients false;\n\ heartbeat-interval 60;\n\ host-statistics no;\n\ @@ -77,7 +80,6 @@ options {\n\ serial-queries 20;\n\ serial-query-rate 20;\n\ server-id none;\n\ - stacksize default;\n\ statistics-file \"named.stats\";\n\ statistics-interval 60;\n\ tcp-clients 100;\n\ From 2dc1141d73cf8424bc7ad505b8db521f9d3f9cd2 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 19 Apr 2004 23:16:20 +0000 Subject: [PATCH 062/146] silence compiler warning --- lib/dns/resolver.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index bdbf2ca04d..b7eb0297a6 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c 
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.286 2004/04/15 23:40:24 marka Exp $ */ +/* $Id: resolver.c,v 1.287 2004/04/19 23:16:20 marka Exp $ */ #include @@ -1563,7 +1563,7 @@ add_bad(fetchctx_t *fctx, isc_sockaddr_t *address, isc_result_t reason) { sep2 = ") "; } else if (reason == DNS_R_UNEXPECTEDOPCODE) { isc_buffer_init(&b, code, sizeof(code) - 1); - dns_opcode_totext(fctx->rmessage->opcode, &b); + dns_opcode_totext((dns_opcode_t)fctx->rmessage->opcode, &b); code[isc_buffer_usedlength(&b)] = '\0'; sep1 = "("; sep2 = ") "; From fa81ddd7b9a65cca5c95fa9356acd78f86730827 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 20 Apr 2004 06:46:46 +0000 Subject: [PATCH 063/146] 1613. [bug] Builds would fail on machines w/o a if_nametoindex(). Missing #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX/#endif. [RT #11119] --- lib/isc/unix/interfaceiter.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/isc/unix/interfaceiter.c b/lib/isc/unix/interfaceiter.c index 00a7f6ddf2..5025d94621 100644 --- a/lib/isc/unix/interfaceiter.c +++ b/lib/isc/unix/interfaceiter.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: interfaceiter.c,v 1.35 2004/03/05 05:11:45 marka Exp $ */ +/* $Id: interfaceiter.c,v 1.36 2004/04/20 06:46:46 marka Exp $ */ #include @@ -106,6 +106,7 @@ get_addr(unsigned int family, isc_netaddr_t *dst, struct sockaddr *src, (isc_uint32_t)zone16); dst->type.in6.s6_addr[2] = 0; dst->type.in6.s6_addr[3] = 0; +#ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX } else if (ifname != NULL) { unsigned int zone; @@ -120,6 +121,7 @@ get_addr(unsigned int family, isc_netaddr_t *dst, struct sockaddr *src, isc_netaddr_setzone(dst, (isc_uint32_t)zone); } +#endif } } } From b0cab2b6bf4c6b3b0b549a07d447a27e705e4ff1 Mon Sep 17 00:00:00 2001 
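Review bot: With ISC_PLATFORM_HAVEIFNAMETOINDEX undefined the whole `else if (ifname != NULL)` branch of get_addr disappears, so a link-local address whose scope is only known by interface name is returned with no zone set and nothing logged; that is the intended build fix, but an `#else` branch with `/* no if_nametoindex(): scope id for this address stays unset */` would make the silent case explicit. Depending on warning flags `ifname` may also become an unused parameter in that configuration, which `UNUSED(ifname);` would address. get_addr starts outside the hunk.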
From: Mark Andrews Date: Tue, 20 Apr 2004 06:53:52 +0000 Subject: [PATCH 064/146] 1616. [compat] Ensure that named's version is visible in the core dump. [RT #11127] --- bin/named/main.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/bin/named/main.c b/bin/named/main.c index 6804ff0323..ef0aa93979 100644 --- a/bin/named/main.c +++ b/bin/named/main.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: main.c,v 1.136 2004/03/16 05:52:14 marka Exp $ */ +/* $Id: main.c,v 1.137 2004/04/20 06:53:52 marka Exp $ */ #include @@ -33,6 +33,7 @@ #include #include #include +#include #include #include #include @@ -70,7 +71,8 @@ static isc_boolean_t want_stats = ISC_FALSE; static char program_name[ISC_DIR_NAMEMAX] = "named"; static char absolute_conffile[ISC_DIR_PATHMAX]; -static char saved_command_line[512]; +static char saved_command_line[512]; +static char version[512]; void ns_main_earlywarning(const char *format, ...) { @@ -684,6 +686,17 @@ int main(int argc, char *argv[]) { isc_result_t result; + /* + * Record version in core image. + * strings named.core | grep "named version:" + */ + strlcat(version, +#ifdef __DATE__ + "named version: BIND " VERSION " (" __DATE__ ")", +#else + "named version: BIND " VERSION, +#endif + sizeof(version)); result = isc_file_progname(*argv, program_name, sizeof(program_name)); if (result != ISC_R_SUCCESS) ns_main_earlyfatal("program name too long"); From 349f684cf175422918d10e91e7bee747c18ae840 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 20 Apr 2004 07:16:23 +0000 Subject: [PATCH 065/146] 1619. [bug] Missing ISC_LIST_UNLINK in end_reserved_dispatches(). [RT# 11118] --- CHANGES | 10 ++++++++-- bin/named/server.c | 8 +++++--- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index fdaf167bbd..537428e655 100644 --- a/CHANGES +++ b/CHANGES 
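Review bot: In main the `#ifdef __DATE__` test is always true, since every conforming C compiler predefines `__DATE__`, so the `#else` branch is dead code; either drop it or, if the intent is to let a build omit the date, key the test on a project macro instead. Embedding `__DATE__` also makes two builds of the same source differ byte for byte, which defeats reproducible-build comparison of a shipped binary against its source; a comment next to the `strings named.core` hint acknowledging that trade-off would help whoever later needs reproducible output. `strlcat` onto a zero-initialised static works but reads oddly; if the same compatibility shim provides it, `strlcpy(version, ..., sizeof(version))` says what is meant.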
@@ -1,16 +1,22 @@ +1619. [bug] Missing ISC_LIST_UNLINK in end_reserved_dispatches(). + [RT# 11118] + 1618. [bug] Fencepost errors in dns_name_ishostname() and dns_name_ismailbox() could trigger a INSIST(). 1617. [port] win32: VC++ 6.0 support. -1616. [placeholder] rt11127 +1616. [compat] Ensure that named's version is visible in the core + dump. [RT #11127] 1615. [port] Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if it is defined. 1614. [port] win32: silence resource limit messages. [RT# 11101] -1613. [placeholder] rt11119 +1613. [bug] Builds would fail on machines w/o a if_nametoindex(). + Missing #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX/#endif. + [RT #11119] 1612. [placeholder] rt11116 diff --git a/bin/named/server.c b/bin/named/server.c index 50e5cd5666..19257f0fff 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.423 2004/04/19 04:16:54 marka Exp $ */ +/* $Id: server.c,v 1.424 2004/04/20 07:16:23 marka Exp $ */ #include @@ -3072,15 +3072,17 @@ start_reserved_dispatches(ns_server_t *server) { static void end_reserved_dispatches(ns_server_t *server, isc_boolean_t all) { - ns_dispatch_t *dispatch; + ns_dispatch_t *dispatch, *nextdispatch; REQUIRE(NS_SERVER_VALID(server)); for (dispatch = ISC_LIST_HEAD(server->dispatches); dispatch != NULL; - dispatch = ISC_LIST_NEXT(dispatch, link)) { + dispatch = nextdispatch) { + nextdispatch = ISC_LIST_NEXT(dispatch, link); if (!all && server->dispatchgen == dispatch-> dispatchgen) continue; + ISC_LIST_UNLINK(server->dispatches, dispatch, link); dns_dispatch_detach(&dispatch->dispatch); isc_mem_put(server->mctx, dispatch, sizeof(*dispatch)); } From 1cf54d1966b3de8f6593e9e80eae9a80a1c011ad Mon Sep 17 00:00:00 2001 
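Review bot: The fix is right, but the reason the loop now fetches `nextdispatch` before the body deserves a comment, because the next reader will be tempted to fold it back into the for header: `/* fetch the link first: the node is unlinked and freed below */` above `nextdispatch = ISC_LIST_NEXT(dispatch, link);`. end_reserved_dispatches closes outside the hunk.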
From: Mark Andrews Date: Tue, 20 Apr 2004 14:11:47 +0000 Subject: [PATCH 066/146] 1612. [bug] check-names at the option/view level could trigger an INSIST. [RT# 11116] --- CHANGES | 3 +- bin/named/config.c | 39 ++++++++++++++++- bin/named/include/named/config.h | 5 ++- bin/named/server.c | 75 ++++++++++++++------------------ bin/named/zoneconf.c | 28 ++---------- 5 files changed, 79 insertions(+), 71 deletions(-) diff --git a/CHANGES b/CHANGES index 537428e655..4e86a673dc 100644 --- a/CHANGES +++ b/CHANGES @@ -18,7 +18,8 @@ Missing #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX/#endif. [RT #11119] -1612. [placeholder] rt11116 +1612. [bug] check-names at the option/view level could trigger + an INSIST. [RT# 11116] 1611. [bug] solaris: IPv6 interface scanning failed to cope with no active IPv6 interfaces. diff --git a/bin/named/config.c b/bin/named/config.c index c761833734..4a9961940d 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: config.c,v 1.48 2004/04/19 23:09:51 marka Exp $ */ +/* $Id: config.c,v 1.49 2004/04/20 14:11:46 marka Exp $ */ #include @@ -195,7 +195,7 @@ ns_config_parsedefaults(cfg_parser_t *parser, cfg_obj_t **conf) { } isc_result_t -ns_config_get(cfg_obj_t **maps, const char* name, cfg_obj_t **obj) { +ns_config_get(cfg_obj_t **maps, const char *name, cfg_obj_t **obj) { int i; for (i = 0;; i++) { 
@@ -206,6 +206,41 @@ ns_config_get(cfg_obj_t **maps, const char* name, cfg_obj_t **obj) { } } +isc_result_t +ns_checknames_get(cfg_obj_t **maps, const char *which, cfg_obj_t **obj) { + cfg_listelt_t *element; + cfg_obj_t *checknames; + cfg_obj_t *type; + cfg_obj_t *value; + int i; + + for (i = 0;; i++) { + if (maps[i] == NULL) + return (ISC_R_NOTFOUND); + checknames = NULL; + if (cfg_map_get(maps[i], "check-names", &checknames) == ISC_R_SUCCESS) { + /* + * Zone map entry is not a list. + */ + if (checknames != NULL && !cfg_obj_islist(checknames)) { + *obj = checknames; + return (ISC_R_SUCCESS); + } + for (element = cfg_list_first(checknames); + element != NULL; + element = cfg_list_next(element)) { + value = cfg_listelt_value(element); + type = cfg_tuple_get(value, "type"); + if (strcasecmp(cfg_obj_asstring(type), which) == 0) { + *obj = cfg_tuple_get(value, "mode"); + return (ISC_R_SUCCESS); + } + } + + } + } +} + int ns_config_listcount(cfg_obj_t *list) { cfg_listelt_t *e; diff --git a/bin/named/include/named/config.h b/bin/named/include/named/config.h index 1e797f39ed..083d3eb0af 100644 --- a/bin/named/include/named/config.h +++ b/bin/named/include/named/config.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: config.h,v 1.6 2004/03/05 04:57:55 marka Exp $ */ +/* $Id: config.h,v 1.7 2004/04/20 14:11:47 marka Exp $ */ #ifndef NAMED_CONFIG_H #define NAMED_CONFIG_H 1 @@ -31,6 +31,9 @@ ns_config_parsedefaults(cfg_parser_t *parser, cfg_obj_t **conf); isc_result_t ns_config_get(cfg_obj_t **maps, const char* name, cfg_obj_t **obj); +isc_result_t +ns_checknames_get(cfg_obj_t **maps, const char* name, cfg_obj_t **obj); + int ns_config_listcount(cfg_obj_t *list); diff --git a/bin/named/server.c b/bin/named/server.c index 19257f0fff..606726a141 100644 --- a/bin/named/server.c +++ b/bin/named/server.c 
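Review bot: The new ns_checknames_get names its second parameter `which` in the definition but `name` in the prototype added to config.h in the same commit; pick one. The function also needs a header comment giving the lookup order and return values, e.g. `/* Walk maps[] in order and return the check-names mode for 'which' (master, slave or response); a zone-level check-names is a bare mode rather than a list. Returns ISC_R_SUCCESS or ISC_R_NOTFOUND. */`. Its callers in server.c and zoneconf.c INSIST on ISC_R_SUCCESS, so the built-in defaults must always carry an entry for each of the three types, and that dependency belongs in the comment too. The `cfg_map_get(...) == ISC_R_SUCCESS` line runs well past 80 columns and the blank line before the inner closing brace is stray.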
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.424 2004/04/20 07:16:23 marka Exp $ */ +/* $Id: server.c,v 1.425 2004/04/20 14:11:46 marka Exp $ */ #include @@ -399,7 +399,7 @@ mustbesecure(cfg_obj_t *mbs, dns_resolver_t *resolver) isc_buffer_init(&b, str, strlen(str)); isc_buffer_add(&b, strlen(str)); CHECK(dns_name_fromtext(name, &b, dns_rootname, - ISC_FALSE, NULL)); + ISC_FALSE, NULL)); value = cfg_obj_asboolean(cfg_tuple_get(obj, "value")); CHECK(dns_resolver_setmustbesecure(resolver, name, value)); } @@ -857,33 +857,22 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, * Check-names. */ obj = NULL; - str = ""; - result = ns_config_get(maps, "check-names", &obj); + result = ns_checknames_get(maps, "response", &obj); INSIST(result == ISC_R_SUCCESS); - for (element = cfg_list_first(obj); - element != NULL; - element = cfg_list_next(element)) { - cfg_obj_t *value, *type; - value = cfg_listelt_value(element); - type = cfg_tuple_get(value, "type"); - if (strcasecmp(cfg_obj_asstring(type), "response") == 0) { - str = cfg_obj_asstring(cfg_tuple_get(value, "mode")); - break; - } - } - if (strcasecmp(str, "fail") == 0) { - check = DNS_RESOLVER_CHECKNAMES | + str = cfg_obj_asstring(obj); + if (strcasecmp(str, "fail") == 0) { + check = DNS_RESOLVER_CHECKNAMES | DNS_RESOLVER_CHECKNAMESFAIL; view->checknames = ISC_TRUE; - } else if (strcasecmp(str, "warn") == 0) { - check = DNS_RESOLVER_CHECKNAMES; + } else if (strcasecmp(str, "warn") == 0) { + check = DNS_RESOLVER_CHECKNAMES; view->checknames = ISC_FALSE; - } else if (strcasecmp(str, "ignore") == 0) { + } else if (strcasecmp(str, "ignore") == 0) { check = 0; view->checknames = ISC_FALSE; } else - INSIST(0); + INSIST(0); /* * Resolver. 
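Review bot: After the rewrite the check-names `str` feeds a strcasecmp chain that ends in `INSIST(0)` for any other value, so a mode the parser accepts but this code does not would abort named rather than fail configuration. If the grammar for the mode field is an enumeration that only admits fail/warn/ignore this is unreachable and `/* parser restricts mode to fail|warn|ignore */` on the INSIST is enough; otherwise log the value and return an error. The `element` local the removed loop used may now be unused if nothing else in configure_view references it (the function extends beyond the hunk). The purely re-indented hunks in this commit (mustbesecure, configure_view, interface_timer_tick, ns_add_reserved_dispatch) would be easier to review as a separate whitespace-only change.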
@@ -1199,7 +1188,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, */ if (view->enablednssec) { CHECK(configure_view_dnsseckeys(vconfig, config, mctx, - &view->secroots)); + &view->secroots)); dns_resolver_resetmustbesecure(view->resolver); obj = NULL; result = ns_config_get(maps, "dnssec-must-be-secure", &obj); @@ -1229,7 +1218,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, view->preferred_glue = dns_rdatatype_aaaa; else view->preferred_glue = 0; - } else + } else view->preferred_glue = 0; obj = NULL; @@ -1950,7 +1939,7 @@ adjust_interfaces(ns_server_t *server, isc_mem_t *mctx) { */ static void interface_timer_tick(isc_task_t *task, isc_event_t *event) { - isc_result_t result; + isc_result_t result; ns_server_t *server = (ns_server_t *) event->ev_arg; INSIST(task == server->task); UNUSED(task); @@ -2146,7 +2135,7 @@ load_configuration(const char *filename, ns_server_t *server, * option where the above parsing failed, parse resolv.conf. */ if (ns_g_lwresdonly && - (lwresd_g_useresolvconf || + (lwresd_g_useresolvconf || (!ns_g_conffileset && result == ISC_R_FILENOTFOUND))) { isc_log_write(ns_g_lctx, 
@@ -3123,29 +3112,29 @@ ns_add_reserved_dispatch(ns_server_t *server, isc_sockaddr_t *addr) { dispatch->dispatchgen = server->dispatchgen; dispatch->dispatch = NULL; - attrs = 0; - attrs |= DNS_DISPATCHATTR_UDP; - switch (isc_sockaddr_pf(addr)) { - case AF_INET: - attrs |= DNS_DISPATCHATTR_IPV4; - break; - case AF_INET6: - attrs |= DNS_DISPATCHATTR_IPV6; - break; + attrs = 0; + attrs |= DNS_DISPATCHATTR_UDP; + switch (isc_sockaddr_pf(addr)) { + case AF_INET: + attrs |= DNS_DISPATCHATTR_IPV4; + break; + case AF_INET6: + attrs |= DNS_DISPATCHATTR_IPV6; + break; default: result = ISC_R_NOTIMPLEMENTED; goto cleanup; - } - attrmask = 0; - attrmask |= DNS_DISPATCHATTR_UDP; - attrmask |= DNS_DISPATCHATTR_TCP; - attrmask |= DNS_DISPATCHATTR_IPV4; - attrmask |= DNS_DISPATCHATTR_IPV6; + } + attrmask = 0; + attrmask |= DNS_DISPATCHATTR_UDP; + attrmask |= DNS_DISPATCHATTR_TCP; + attrmask |= DNS_DISPATCHATTR_IPV4; + attrmask |= DNS_DISPATCHATTR_IPV6; result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr, - ns_g_taskmgr, &dispatch->addr, 4096, - 1000, 32768, 16411, 16433, - attrs, attrmask, &dispatch->dispatch); + ns_g_taskmgr, &dispatch->addr, 4096, + 1000, 32768, 16411, 16433, + attrs, attrmask, &dispatch->dispatch); if (result != ISC_R_SUCCESS) goto cleanup; diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c index 3121dd61dc..36a4ee84dd 100644 --- a/bin/named/zoneconf.c +++ b/bin/named/zoneconf.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zoneconf.c,v 1.111 2004/03/30 02:13:43 marka Exp $ */ +/* $Id: zoneconf.c,v 1.112 2004/04/20 14:11:46 marka Exp $ */ #include @@ -295,11 +295,7 @@ strtoargv(isc_mem_t *mctx, char *s, unsigned int *argcp, char ***argvp) { static void checknames(dns_zonetype_t ztype, cfg_obj_t **maps, cfg_obj_t **objp) { const char *zone = NULL; - cfg_listelt_t *element; - cfg_obj_t *type; - cfg_obj_t *value; - cfg_obj_t *check; - int i; + isc_result_t result; switch (ztype) { case dns_zone_slave: zone = "slave"; break; 
@@ -307,24 +303,8 @@ checknames(dns_zonetype_t ztype, cfg_obj_t **maps, cfg_obj_t **objp) { default: INSIST(0); } - for (i = 0; maps[i] != NULL; i++) { - check = NULL; - cfg_map_get(maps[i], "check-names", &check); - if (check != NULL && !cfg_obj_islist(check)) { - *objp = check; - return; - } - for (element = cfg_list_first(check); - element != NULL; - element = cfg_list_next(element)) { - value = cfg_listelt_value(element); - type = cfg_tuple_get(value, "type"); - if (strcasecmp(cfg_obj_asstring(type), zone) == 0) { - *objp = cfg_tuple_get(value, "mode"); - return; - } - } - } + result = ns_checknames_get(maps, zone, objp); + INSIST(result == ISC_R_SUCCESS); } isc_result_t From c5076a76f6562b5aa48e6a1c680c343b53846157 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 21 Apr 2004 02:14:24 +0000 Subject: [PATCH 067/146] placeholder --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index 4e86a673dc..5ebe224262 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1620. [placeholder] rt11149 + 1619. [bug] Missing ISC_LIST_UNLINK in end_reserved_dispatches(). [RT# 11118] From ec13cdb55eb5f7bcf362280bad18eb11cd0f0298 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 22 Apr 2004 03:32:33 +0000 Subject: [PATCH 068/146] pullup: decunix/ibm: gethostbyname_r() only supported a small number of addresses. --- lib/bind/irs/gethostent_r.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/lib/bind/irs/gethostent_r.c b/lib/bind/irs/gethostent_r.c index 0eb2013b28..20abe59395 100644 --- a/lib/bind/irs/gethostent_r.c +++ b/lib/bind/irs/gethostent_r.c @@ -16,7 +16,7 @@ */ #if defined(LIBC_SCCS) && !defined(lint) -static const char rcsid[] = "$Id: gethostent_r.c,v 1.5 2004/03/09 06:30:01 marka Exp $"; +static const char rcsid[] = "$Id: gethostent_r.c,v 1.6 2004/04/22 03:32:33 marka Exp $"; #endif /* LIBC_SCCS and not lint */ #include 
@@ -214,8 +214,8 @@ copy_hostent(struct hostent *he, struct hostent *hptr, HOST_R_COPY_ARGS) { /* copy up to first 35 addresses */ i = 0; - cp = hdptr->hostaddr; - eob = hdptr->hostaddr + sizeof(hdptr->hostaddr); + cp = hdptr->hostbuf; + eob = hdptr->hostbuf + sizeof(hdptr->hostbuf); hptr->h_addr_list = hdptr->h_addr_ptrs; while (he->h_addr_list[i] && i < (_MAXADDRS)) { if (n < (eob - cp)) { @@ -230,8 +230,6 @@ copy_hostent(struct hostent *he, struct hostent *hptr, HOST_R_COPY_ARGS) { hptr->h_addr_list[i] = NULL; /* copy official name */ - cp = hdptr->hostbuf; - eob = hdptr->hostbuf + sizeof(hdptr->hostbuf); if ((n = strlen(he->h_name) + 1) < (eob - cp)) { strcpy(cp, he->h_name); hptr->h_name = cp; From 267a22597fc1c5ffd81532ec1afad36b729f6cb4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?= Date: Thu, 22 Apr 2004 09:40:09 +0000 Subject: [PATCH 069/146] 1622. [placeholder] rt11156 1621. [placeholder] rt11156 --- CHANGES | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGES b/CHANGES index 5ebe224262..f292f06436 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +1622. [placeholder] rt11156 + +1621. [placeholder] rt11156 + 1620. [placeholder] rt11149 1619. [bug] Missing ISC_LIST_UNLINK in end_reserved_dispatches(). From b9625d9be5d89015b75cc7c25088a8d1a3bb7655 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 23 Apr 2004 02:15:15 +0000 Subject: [PATCH 070/146] placeholder --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index f292f06436..8afd8e312c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1623. [placeholder] rt11177 + 1622. [placeholder] rt11156 1621. [placeholder] rt11156 From 3dc3d557be91d59317b34fc5a9ae79b1925d5878 Mon Sep 17 00:00:00 2001 
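Review bot: The address loop now fills `hdptr->hostbuf`, and with the reset removed the official-name copy continues from the same `cp`/`eob`, so a host with many addresses can leave no room for `h_name`; the existing `if ((n = strlen(he->h_name) + 1) < (eob - cp))` guard prevents an overflow, but the `/* copy up to first 35 addresses */` comment no longer describes the real bound. Suggest `/* copy addresses into hostbuf (shared with the name and alias strings below); stop at _MAXADDRS or when the buffer is exhausted */`. The rest of copy_hostent, including what the caller sees when the name does not fit, lies outside these hunks.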
From: Mark Andrews Date: Wed, 28 Apr 2004 04:07:28 +0000 Subject: [PATCH 071/146] 1620. [func] When loading a zone report if it is signed. [RT #11149] --- CHANGES | 2 +- lib/dns/zone.c | 6 ++++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 8afd8e312c..7bf9ba73a2 100644 --- a/CHANGES +++ b/CHANGES @@ -4,7 +4,7 @@ 1621. [placeholder] rt11156 -1620. [placeholder] rt11149 +1620. [func] When loading a zone report if it is signed. [RT #11149] 1619. [bug] Missing ISC_LIST_UNLINK in end_reserved_dispatches(). [RT# 11118] diff --git a/lib/dns/zone.c b/lib/dns/zone.c index cb914f125b..206fd4566f 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.c,v 1.411 2004/03/30 02:13:44 marka Exp $ */ +/* $Id: zone.c,v 1.412 2004/04/28 04:07:28 marka Exp $ */ #include @@ -1430,7 +1430,9 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, zone_settimer(zone, &now); if (! dns_db_ispersistent(db)) - dns_zone_log(zone, ISC_LOG_INFO, "loaded serial %u", zone->serial); + dns_zone_log(zone, ISC_LOG_INFO, "loaded serial %u%s", + zone->serial, + dns_db_issecure(db) ? " (signed)" : ""); return (result); From 08b40678f36df355db8e7b84fa4e74f726dd2b3e Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 28 Apr 2004 04:23:24 +0000 Subject: [PATCH 072/146] 1623. [bug] A serial number of zero was being displayed in the "sending notifies" log message when also-notify was used. [RT #11177] --- CHANGES | 4 ++- lib/dns/zone.c | 96 ++++++++++++++++++++++++-------------------------- 2 files changed, 50 insertions(+), 50 deletions(-) diff --git a/CHANGES b/CHANGES index 7bf9ba73a2..b74d00be3c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,6 @@ -1623. [placeholder] rt11177 +1623. [bug] A serial number of zero was being displayed in the + "sending notifies" log message when also-notify was + used. [RT #11177] 1622. [placeholder] rt11156 
diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 206fd4566f..85031b19dd 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.c,v 1.412 2004/04/28 04:07:28 marka Exp $ */ +/* $Id: zone.c,v 1.413 2004/04/28 04:23:24 marka Exp $ */ #include @@ -2893,7 +2893,7 @@ zone_notify(dns_zone_t *zone) { dns_name_t master; dns_rdata_ns_t ns; dns_rdata_soa_t soa; - isc_uint32_t serial = 0; + isc_uint32_t serial; dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdataset_t nsrdset; dns_rdataset_t soardset; @@ -2933,44 +2933,8 @@ zone_notify(dns_zone_t *zone) { flags |= DNS_NOTIFY_NOSOA; /* - * Enqueue notify requests for 'also-notify' servers. + * Get SOA RRset. */ - LOCK_ZONE(zone); - for (i = 0; i < zone->notifycnt; i++) { - dst = zone->notify[i]; - if (notify_isqueued(zone, NULL, &dst)) - continue; - result = notify_create(zone->mctx, flags, ¬ify); - if (result != ISC_R_SUCCESS) { - UNLOCK_ZONE(zone); - return; - } - zone_iattach(zone, ¬ify->zone); - notify->dst = dst; - ISC_LIST_APPEND(zone->notifies, notify, link); - result = notify_send_queue(notify); - if (result != ISC_R_SUCCESS) { - notify_destroy(notify, ISC_TRUE); - UNLOCK_ZONE(zone); - return; - } - if (!loggednotify) { - notify_log(zone, ISC_LOG_INFO, - "sending notifies (serial %u)", - serial); - loggednotify = ISC_TRUE; - } - notify = NULL; - } - UNLOCK_ZONE(zone); - - if (notifytype == dns_notifytype_explicit) - return; - - /* - * Process NS RRset to generate notifies. - */ - dns_db_currentversion(zone->db, &version); result = dns_db_findnode(zone->db, origin, ISC_FALSE, &node); if (result != ISC_R_SUCCESS) 
@@ -2984,21 +2948,55 @@ zone_notify(dns_zone_t *zone) { goto cleanup2; /* - * Find master server's name. + * Find serial and master server's name. */ dns_name_init(&master, NULL); result = dns_rdataset_first(&soardset); - if (result == ISC_R_SUCCESS) { - dns_rdataset_current(&soardset, &rdata); - result = dns_rdata_tostruct(&rdata, &soa, NULL); - RUNTIME_CHECK(result == ISC_R_SUCCESS); - dns_rdata_reset(&rdata); - result = dns_name_dup(&soa.origin, zone->mctx, &master); - serial = soa.serial; - dns_rdataset_disassociate(&soardset); - } if (result != ISC_R_SUCCESS) goto cleanup3; + dns_rdataset_current(&soardset, &rdata); + result = dns_rdata_tostruct(&rdata, &soa, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + dns_rdata_reset(&rdata); + result = dns_name_dup(&soa.origin, zone->mctx, &master); + serial = soa.serial; + dns_rdataset_disassociate(&soardset); + if (result != ISC_R_SUCCESS) + goto cleanup3; + + /* + * Enqueue notify requests for 'also-notify' servers. + */ + LOCK_ZONE(zone); + for (i = 0; i < zone->notifycnt; i++) { + dst = zone->notify[i]; + if (notify_isqueued(zone, NULL, &dst)) + continue; + result = notify_create(zone->mctx, flags, ¬ify); + if (result != ISC_R_SUCCESS) + continue; + zone_iattach(zone, ¬ify->zone); + notify->dst = dst; + ISC_LIST_APPEND(zone->notifies, notify, link); + result = notify_send_queue(notify); + if (result != ISC_R_SUCCESS) + notify_destroy(notify, ISC_TRUE); + if (!loggednotify) { + notify_log(zone, ISC_LOG_INFO, + "sending notifies (serial %u)", + serial); + loggednotify = ISC_TRUE; + } + notify = NULL; + } + UNLOCK_ZONE(zone); + + if (notifytype == dns_notifytype_explicit) + goto cleanup3; + + /* + * Process NS RRset to generate notifies. + */ dns_rdataset_init(&nsrdset); result = dns_db_findrdataset(zone->db, node, version, From cc32d38366fa680fc29f9fb17bd3ebe515835445 Mon Sep 17 00:00:00 2001 
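Review bot: Errors inside the relocated also-notify loop are now swallowed: a failed `notify_create` just `continue`s and a failed `notify_send_queue` destroys the notify without any diagnostic, yet the following `if (!loggednotify)` block still reports "sending notifies" for that same iteration. A failed send should at least skip the success message, e.g. `if (result != ISC_R_SUCCESS) { notify_destroy(notify, ISC_TRUE); notify = NULL; continue; }`, ideally with a debug-level log of the result. Note also that `serial` is now declared without an initializer (the `@@ -2893,7 +2893,7 @@` hunk) and is only assigned once the SOA has been read, so any read of `serial` on the cleanup3 path or later in the NS loop depends on that ordering; the remainder of zone_notify is outside this hunk.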
From: Mark Andrews Date: Thu, 29 Apr 2004 01:37:14 +0000 Subject: [PATCH 073/146] 1622. [func] probe the system to see if IPV6_(RECV)PKTINFO is available, and suppress wildcard binding if not. 1621. [bug] match-destinations did not work for IPv6 TCP queries. [RT# 11156] --- CHANGES | 6 ++- bin/named/client.c | 47 +++++++++++++---- bin/named/include/named/interfacemgr.h | 5 +- bin/named/interfacemgr.c | 26 +++++---- lib/isc/unix/include/isc/net.h | 15 +++++- lib/isc/unix/net.c | 73 ++++++++++++++++++++++++-- lib/isc/win32/include/isc/net.h | 15 +++++- lib/isc/win32/libisc.def | 1 + lib/isc/win32/net.c | 73 ++++++++++++++++++++++++-- 9 files changed, 230 insertions(+), 31 deletions(-) diff --git a/CHANGES b/CHANGES index b74d00be3c..279838502a 100644 --- a/CHANGES +++ b/CHANGES @@ -2,9 +2,11 @@ "sending notifies" log message when also-notify was used. [RT #11177] -1622. [placeholder] rt11156 +1622. [func] probe the system to see if IPV6_(RECV)PKTINFO is + available, and suppress wildcard binding if not. -1621. [placeholder] rt11156 +1621. [bug] match-destinations did not work for IPv6 TCP queries. + [RT# 11156] 1620. [func] When loading a zone report if it is signed. [RT #11149] diff --git a/bin/named/client.c b/bin/named/client.c index 5972828878..a8c4698321 100644 --- a/bin/named/client.c +++ b/bin/named/client.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: client.c,v 1.219 2004/03/05 04:57:46 marka Exp $ */ +/* $Id: client.c,v 1.220 2004/04/29 01:37:12 marka Exp $ */ #include 
@@ -1344,12 +1344,33 @@ client_request(isc_task_t *task, isc_event_t *event) { } /* - * Determine the destination address. For IPv6, we get this from the - * pktinfo structure (if supported). For IPv4, we have to make do with - * the address of the interface where the request was received. + * Determine the destination address. If the receiving interface is + * bound to a specific address, we simply use it regardless of the + * address family. All IPv4 queries should fall into this case. + * Otherwise, if this is a TCP query, get the address from the + * receiving socket (this needs a system call and can be heavy). + * For IPv6 UDP queries, we get this from the pktinfo structure (if + * supported). + * If all the attempts fail (this can happen due to memory shortage, + * etc), we regard this as an error for safety. */ - if (client->interface->addr.type.sa.sa_family == AF_INET6) { - if ((client->attributes & NS_CLIENTATTR_PKTINFO) != 0) { + if ((client->interface->flags & NS_INTERFACEFLAG_ANYADDR) == 0) + isc_netaddr_fromsockaddr(&destaddr, &client->interface->addr); + else { + result = ISC_R_FAILURE; + + if (TCP_CLIENT(client)) { + isc_sockaddr_t destsockaddr; + + result = isc_socket_getsockname(client->tcpsocket, + &destsockaddr); + if (result == ISC_R_SUCCESS) + isc_netaddr_fromsockaddr(&destaddr, + &destsockaddr); + } + if (result != ISC_R_SUCCESS && + client->interface->addr.type.sa.sa_family == AF_INET6 && + (client->attributes & NS_CLIENTATTR_PKTINFO) != 0) { isc_uint32_t zone = 0; /* 
@@ -1366,11 +1387,15 @@ client_request(isc_task_t *task, isc_event_t *event) { isc_netaddr_fromin6(&destaddr, &client->pktinfo.ipi6_addr); isc_netaddr_setzone(&destaddr, zone); - - } else - isc_netaddr_any6(&destaddr); - } else { - isc_netaddr_fromsockaddr(&destaddr, &client->interface->addr); + result = ISC_R_SUCCESS; + } + if (result != ISC_R_SUCCESS) { + UNEXPECTED_ERROR(__FILE__, __LINE__, + "failed to get request's " + "destination: %s", + isc_result_totext(result)); + goto cleanup; + } } /* diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h index f72fe7b597..9c4d422ef7 100644 --- a/bin/named/include/named/interfacemgr.h +++ b/bin/named/include/named/interfacemgr.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: interfacemgr.h,v 1.26 2004/03/05 04:57:55 marka Exp $ */ +/* $Id: interfacemgr.h,v 1.27 2004/04/29 01:37:13 marka Exp $ */ #ifndef NAMED_INTERFACEMGR_H #define NAMED_INTERFACEMGR_H 1 @@ -65,6 +65,8 @@ #define IFACE_MAGIC ISC_MAGIC('I',':','-',')') #define NS_INTERFACE_VALID(t) ISC_MAGIC_VALID(t, IFACE_MAGIC) +#define NS_INTERFACEFLAG_ANYADDR 0x01U /* bound to "any" address */ + struct ns_interface { unsigned int magic; /* Magic number. */ ns_interfacemgr_t * mgr; /* Interface manager. */ @@ -72,6 +74,7 @@ struct ns_interface { int references; /* Locked */ unsigned int generation; /* Generation number. */ isc_sockaddr_t addr; /* Address and port. */ + unsigned int flags; /* Interface characteristics */ char name[32]; /* Null terminated. */ dns_dispatch_t * udpdispatch; /* UDP dispatcher. */ isc_socket_t * tcpsocket; /* TCP socket. */ diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c index f440e521a0..7a20850044 100644 --- a/bin/named/interfacemgr.c +++ b/bin/named/interfacemgr.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: interfacemgr.c,v 1.76 2004/03/05 04:57:46 marka Exp $ */ +/* $Id: interfacemgr.c,v 1.77 2004/04/29 01:37:12 marka Exp $ */ #include 
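Review bot: When the wildcard-bound path reaches the new `if (result != ISC_R_SUCCESS)` block, `result` may still be the sentinel `ISC_R_FAILURE` assigned earlier in the function (an IPv6 UDP query without `NS_CLIENTATTR_PKTINFO`), and `UNEXPECTED_ERROR` is then emitted at full severity for every such query. Failing closed is the right choice for match-destinations, but if the pktinfo attribute can be absent per datagram rather than per system, each such packet produces one error-level log line, so the level or a rate limit should be checked against how `NS_CLIENTATTR_PKTINFO` is set in the receive path, which is outside this hunk. A short comment on the sentinel, `/* ISC_R_FAILURE: no method applied to this family/transport */`, would also make the "failed to get request's destination: failure" message less puzzling to an operator.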
@@ -545,6 +545,7 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, isc_boolean_t scan_ipv6 = ISC_FALSE; isc_boolean_t adjusting = ISC_FALSE; isc_boolean_t ipv6only = ISC_TRUE; + isc_boolean_t ipv6pktinfo = ISC_TRUE; isc_result_t result; isc_netaddr_t zero_address, zero_address6; ns_listenelt_t *le; @@ -586,7 +587,12 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, log_explicit = ISC_TRUE; } #endif - if (scan_ipv6 == ISC_TRUE && ipv6only) { + if (scan_ipv6 == ISC_TRUE && + isc_net_probe_ipv6pktinfo() != ISC_R_SUCCESS) { + ipv6pktinfo = ISC_FALSE; + log_explicit = ISC_TRUE; + } + if (scan_ipv6 == ISC_TRUE && ipv6only && ipv6pktinfo) { for (le = ISC_LIST_HEAD(mgr->listenon6->elts); le != NULL; le = ISC_LIST_NEXT(le, link)) { @@ -610,7 +616,9 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, result = ns_interface_setup(mgr, &listen_addr, "", &ifp, ISC_TRUE); - if (result != ISC_R_SUCCESS) + if (result == ISC_R_SUCCESS) + ifp->flags |= NS_INTERFACEFLAG_ANYADDR; + else isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR, "listening on all IPv6 " @@ -719,7 +727,7 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, * The case of "any" IPv6 address will require * special considerations later, so remember it. */ - if (family == AF_INET6 && ipv6only && + if (family == AF_INET6 && ipv6only && ipv6pktinfo && listenon_is_ip6_any(le)) ipv6_wildcard = ISC_TRUE; @@ -760,14 +768,14 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, continue; if (log_explicit && family == AF_INET6 && - !adjusting) { + !adjusting && listenon_is_ip6_any(le)) { isc_log_write(IFMGR_COMMON_LOGARGS, verbose ? ISC_LOG_INFO : ISC_LOG_DEBUG(1), - "IPv6-only option is not" - " available; explicitly" - " binding to all IPv6" - " addresses."); + "IPv6 socket API is " + "incomplete; explicitly " + "binding to each IPv6 " + "address separately"); log_explicit = ISC_FALSE; } isc_sockaddr_format(&listen_sockaddr, 
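Review bot: `isc_net_probe_ipv6pktinfo() != ISC_R_SUCCESS` treats `ISC_R_UNEXPECTED` (the probe's `socket()` call failed, e.g. transient descriptor exhaustion during a rescan) exactly like `ISC_R_NOTFOUND`, and since net.c caches the probe result through `isc_once_do`, one transient failure disables wildcard binding for the life of the process. Falling back to per-address binding is the conservative outcome, but it should be explicit: e.g. `if (scan_ipv6 == ISC_TRUE && isc_net_probe_ipv6pktinfo() == ISC_R_NOTFOUND)` with a separate error log for `ISC_R_UNEXPECTED`, or at minimum a comment stating that a probe error deliberately triggers the fallback. The ipv6only probe just above follows the same pattern, so whichever policy is chosen should apply to both.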
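Review bot: `ifp->flags |= NS_INTERFACEFLAG_ANYADDR` ORs into the newly added `flags` member, so it relies on `ns_interface_setup` (outside the hunk) zero-initialising `flags` for every freshly created interface; if the allocation is not cleared, interfaces created on the per-address path carry an indeterminate `flags` value and client.c's `(client->interface->flags & NS_INTERFACEFLAG_ANYADDR) == 0` test becomes unreliable, which directly undermines the match-destinations fix. Suggest an explicit `ifp->flags = 0;` next to the other member initialisations in ns_interface_setup, with a one-line comment there naming `NS_INTERFACEFLAG_ANYADDR` as the only flag currently set.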
diff --git a/lib/isc/unix/include/isc/net.h b/lib/isc/unix/include/isc/net.h index 7ff2da1921..2044a3cc3d 100644 --- a/lib/isc/unix/include/isc/net.h +++ b/lib/isc/unix/include/isc/net.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: net.h,v 1.39 2004/03/05 05:11:52 marka Exp $ */ +/* $Id: net.h,v 1.40 2004/04/29 01:37:13 marka Exp $ */ #ifndef ISC_NET_H #define ISC_NET_H 1 @@ -278,6 +278,19 @@ isc_net_probe_ipv6only(void); * ISC_R_UNEXPECTED */ +isc_result_t +isc_net_probe_ipv6pktinfo(void); +/* + * Check if the system's kernel supports the IPV6_(RECV)PKTINFO socket option + * for UDP sockets. + * + * Returns: + * + * ISC_R_SUCCESS the option is supported. + * ISC_R_NOTFOUND IPv6 itself or the option is not supported. + * ISC_R_UNEXPECTED + */ + void isc_net_disableipv4(void); diff --git a/lib/isc/unix/net.c b/lib/isc/unix/net.c index 16395a15c6..b8576f35be 100644 --- a/lib/isc/unix/net.c +++ b/lib/isc/unix/net.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: net.c,v 1.29 2004/03/05 05:11:46 marka Exp $ */ +/* $Id: net.c,v 1.30 2004/04/29 01:37:13 marka Exp $ */ #include @@ -40,9 +40,11 @@ const struct in6_addr isc_net_in6addrloop = IN6ADDR_LOOPBACK_INIT; static isc_once_t once = ISC_ONCE_INIT; static isc_once_t once_ipv6only = ISC_ONCE_INIT; +static isc_once_t once_ipv6pktinfo = ISC_ONCE_INIT; static isc_result_t ipv4_result = ISC_R_NOTFOUND; static isc_result_t ipv6_result = ISC_R_NOTFOUND; static isc_result_t ipv6only_result = ISC_R_NOTFOUND; +static isc_result_t ipv6pktinfo_result = ISC_R_NOTFOUND; static isc_result_t try_proto(int domain) { @@ -225,7 +227,7 @@ try_ipv6only(void) { close: close(s); return; -#endif +#endif /* IPV6_V6ONLY */ } static void 
@@ -233,8 +235,61 @@ initialize_ipv6only(void) { RUNTIME_CHECK(isc_once_do(&once_ipv6only, try_ipv6only) == ISC_R_SUCCESS); } +#endif /* IPV6_V6ONLY */ + +static void +try_ipv6pktinfo(void) { + int s, on; + char strbuf[ISC_STRERRORSIZE]; + isc_result_t result; + int optname; + + result = isc_net_probeipv6(); + if (result != ISC_R_SUCCESS) { + ipv6pktinfo_result = result; + return; + } + + /* we only use this for UDP sockets */ + s = socket(PF_INET6, SOCK_DGRAM, IPPROTO_UDP); + if (s == -1) { + isc__strerror(errno, strbuf, sizeof(strbuf)); + UNEXPECTED_ERROR(__FILE__, __LINE__, + "socket() %s: %s", + isc_msgcat_get(isc_msgcat, + ISC_MSGSET_GENERAL, + ISC_MSG_FAILED, + "failed"), + strbuf); + ipv6pktinfo_result = ISC_R_UNEXPECTED; + return; + } + +#ifdef IPV6_RECVPKTINFO + optname = IPV6_RECVPKTINFO; +#else + optname = IPV6_PKTINFO; #endif -#endif + on = 1; + if (setsockopt(s, IPPROTO_IPV6, optname, &on, sizeof(on)) < 0) { + ipv6pktinfo_result = ISC_R_NOTFOUND; + goto close; + } + + close(s); + ipv6pktinfo_result = ISC_R_SUCCESS; + +close: + close(s); + return; +} + +static void +initialize_ipv6pktinfo(void) { + RUNTIME_CHECK(isc_once_do(&once_ipv6pktinfo, + try_ipv6pktinfo) == ISC_R_SUCCESS); +} +#endif /* WANT_IPV6 */ isc_result_t isc_net_probe_ipv6only(void) { @@ -248,6 +303,18 @@ isc_net_probe_ipv6only(void) { return (ipv6only_result); } +isc_result_t +isc_net_probe_ipv6pktinfo(void) { +#ifdef ISC_PLATFORM_HAVEIPV6 +#ifdef WANT_IPV6 + initialize_ipv6pktinfo(); +#else + ipv6pktinfo_result = ISC_R_NOTFOUND; +#endif +#endif + return (ipv6pktinfo_result); +} + void isc_net_disableipv4(void) { initialize(); diff --git a/lib/isc/win32/include/isc/net.h b/lib/isc/win32/include/isc/net.h index f42105ead9..86497492cf 100644 --- a/lib/isc/win32/include/isc/net.h +++ b/lib/isc/win32/include/isc/net.h 
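Review bot: On the success path of try_ipv6pktinfo `close(s);` is executed and control then falls into the `close:` label, which calls `close(s)` a second time on the same descriptor; in a multithreaded process the second close can hit a descriptor that another thread has meanwhile reused. Drop the first call so the label is the only close: `ipv6pktinfo_result = ISC_R_SUCCESS;` followed directly by `close:` and `close(s);`. The identical copy of try_ipv6pktinfo in lib/isc/win32/net.c (the `@@ -226,8 +228,61 @@` hunk) has the same double close. This hunk also labels only `#endif /* WANT_IPV6 */` while the win32 copy additionally labels `#endif /* ISC_PLATFORM_HAVEIPV6 */`, so it is worth confirming the unix file's conditional nesting still balances.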
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: net.h,v 1.22 2004/04/19 04:16:55 marka Exp $ */ +/* $Id: net.h,v 1.23 2004/04/29 01:37:14 marka Exp $ */ #ifndef ISC_NET_H #define ISC_NET_H 1 @@ -270,6 +270,19 @@ isc_net_probe_ipv6only(void); * ISC_R_UNEXPECTED */ +isc_result_t +isc_net_probe_ipv6pktinfo(void); +/* + * Check if the system's kernel supports the IPV6_(RECV)PKTINFO socket option + * for UDP sockets. + * + * Returns: + * + * ISC_R_SUCCESS the option is supported. + * ISC_R_NOTFOUND IPv6 itself or the option is not supported. + * ISC_R_UNEXPECTED + */ + void isc_net_disableipv4(void); diff --git a/lib/isc/win32/libisc.def b/lib/isc/win32/libisc.def index 8421191354..85074d4bc1 100644 --- a/lib/isc/win32/libisc.def +++ b/lib/isc/win32/libisc.def @@ -432,6 +432,7 @@ isc_net_disableipv6 isc_task_getcurrenttime isc_net_probe_ipv6only isc_timermgr_poke +isc_net_probe_ipv6pktinfo ; Exported Data diff --git a/lib/isc/win32/net.c b/lib/isc/win32/net.c index 080e0923e2..b86eabd062 100644 --- a/lib/isc/win32/net.c +++ b/lib/isc/win32/net.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: net.c,v 1.9 2004/03/16 05:52:22 marka Exp $ */ +/* $Id: net.c,v 1.10 2004/04/29 01:37:14 marka Exp $ */ #include @@ -36,9 +36,11 @@ const struct in6_addr isc_net_in6addrany = IN6ADDR_ANY_INIT; static isc_once_t once = ISC_ONCE_INIT; static isc_once_t once_ipv6only = ISC_ONCE_INIT; +static isc_once_t once_ipv6pktinfo = ISC_ONCE_INIT; static isc_result_t ipv4_result = ISC_R_NOTFOUND; static isc_result_t ipv6_result = ISC_R_NOTFOUND; static isc_result_t ipv6only_result = ISC_R_NOTFOUND; +static isc_result_t ipv6pktinfo_result = ISC_R_NOTFOUND; static isc_result_t try_proto(int domain) { @@ -218,7 +220,7 @@ try_ipv6only(void) { close: close(s); return; -#endif +#endif /* IPV6_V6ONLY */ } static void 
@@ -226,8 +228,61 @@ initialize_ipv6only(void) { RUNTIME_CHECK(isc_once_do(&once_ipv6only, try_ipv6only) == ISC_R_SUCCESS); } + +static void +try_ipv6pktinfo(void) { + int s, on; + char strbuf[ISC_STRERRORSIZE]; + isc_result_t result; + int optname; + + result = isc_net_probeipv6(); + if (result != ISC_R_SUCCESS) { + ipv6pktinfo_result = result; + return; + } + + /* we only use this for UDP sockets */ + s = socket(PF_INET6, SOCK_DGRAM, IPPROTO_UDP); + if (s == -1) { + isc__strerror(errno, strbuf, sizeof(strbuf)); + UNEXPECTED_ERROR(__FILE__, __LINE__, + "socket() %s: %s", + isc_msgcat_get(isc_msgcat, + ISC_MSGSET_GENERAL, + ISC_MSG_FAILED, + "failed"), + strbuf); + ipv6pktinfo_result = ISC_R_UNEXPECTED; + return; + } + +#ifdef IPV6_RECVPKTINFO + optname = IPV6_RECVPKTINFO; +#else + optname = IPV6_PKTINFO; #endif -#endif + on = 1; + if (setsockopt(s, IPPROTO_IPV6, optname, &on, sizeof(on)) < 0) { + ipv6pktinfo_result = ISC_R_NOTFOUND; + goto close; + } + + close(s); + ipv6pktinfo_result = ISC_R_SUCCESS; + +close: + close(s); + return; +} + +static void +initialize_ipv6pktinfo(void) { + RUNTIME_CHECK(isc_once_do(&once_ipv6pktinfo, + try_ipv6pktinfo) == ISC_R_SUCCESS); +} +#endif /* WANT_IPV6 */ +#endif /* ISC_PLATFORM_HAVEIPV6 */ isc_result_t isc_net_probe_ipv6only(void) { @@ -241,6 +296,18 @@ isc_net_probe_ipv6only(void) { return (ipv6only_result); } +isc_result_t +isc_net_probe_ipv6pktinfo(void) { +#ifdef ISC_PLATFORM_HAVEIPV6 +#ifdef WANT_IPV6 + initialize_ipv6pktinfo(); +#else + ipv6pktinfo_result = ISC_R_NOTFOUND; +#endif +#endif + return (ipv6pktinfo_result); +} + void isc_net_disableipv4(void) { initialize(); From 8407fbc61d73caa766c0689558525d0a76296c86 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 29 Apr 2004 01:44:44 +0000 Subject: [PATCH 074/146] 1624. [bug] zonemgr_putio() call should be locked. [RT# 11163] --- CHANGES | 2 ++ lib/dns/zone.c | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) 
diff --git a/CHANGES b/CHANGES index 279838502a..4b2391e3e9 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1624. [bug] zonemgr_putio() call should be locked. [RT# 11163] + 1623. [bug] A serial number of zero was being displayed in the "sending notifies" log message when also-notify was used. [RT #11177] diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 85031b19dd..6922e9d596 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.c,v 1.413 2004/04/28 04:23:24 marka Exp $ */ +/* $Id: zone.c,v 1.414 2004/04/29 01:44:44 marka Exp $ */ #include @@ -2388,10 +2388,10 @@ dump_done(void *arg, isc_result_t result) { if (zone->dctx != NULL) dns_dumpctx_detach(&zone->dctx); + zonemgr_putio(&zone->writeio); UNLOCK_ZONE(zone); if (again) (void)zone_dump(zone, ISC_FALSE); - zonemgr_putio(&zone->writeio); dns_zone_idetach(&zone); } From 445acbbea8bd5143749e97a8ff247a808321aa6c Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 30 Apr 2004 04:18:12 +0000 Subject: [PATCH 075/146] placeholder --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index 4b2391e3e9..e30b39e50d 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1625. [placeholder] rt11237 + 1624. [bug] zonemgr_putio() call should be locked. [RT# 11163] 1623. [bug] A serial number of zero was being displayed in the From e0199985cfe68e8556cf0060ad8f7effbcdc5628 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 3 May 2004 11:14:01 +0000 Subject: [PATCH 076/146] 1626. [bug] --enable-getifaddrs was broken. [RT#11259] --- CHANGES | 2 ++ configure.in | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index e30b39e50d..642aec1c5d 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1626. [bug] --enable-getifaddrs was broken. [RT#11259] + 1625. [placeholder] rt11237 1624. [bug] zonemgr_putio() call should be locked. [RT# 11163] 
diff --git a/configure.in b/configure.in index 0d62aec7c8..17ea5538d2 100644 --- a/configure.in +++ b/configure.in @@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl esyscmd([sed "s/^/# /" COPYRIGHT])dnl AC_DIVERT_POP()dnl -AC_REVISION($Revision: 1.355 $) +AC_REVISION($Revision: 1.356 $) AC_INIT(lib/dns/name.c) AC_PREREQ(2.13) @@ -1567,7 +1567,7 @@ case $host in # project handles the AF_INET6 case correctly. We need to avoid # using the former but prefer the latter unless overridden by # --enable-getifaddrs=glibc. - if $use_getifaddrs = glibc + if test $use_getifaddrs = glibc then AC_CHECK_FUNC(getifaddrs, AC_DEFINE(HAVE_GETIFADDRS)) else From cdebaff62dadc0b18ac2fd198ac556f381dbdf82 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 3 May 2004 11:15:27 +0000 Subject: [PATCH 077/146] regen --- configure | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/configure b/configure index 3ce9c566b5..2a928f657d 100755 --- a/configure +++ b/configure @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. # -# $Id: configure,v 1.339 2004/03/14 23:44:26 marka Exp $ +# $Id: configure,v 1.340 2004/05/03 11:15:27 marka Exp $ # # Portions Copyright (C) 1996-2001 Nominum, Inc. # @@ -29,7 +29,7 @@ # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -# From configure.in Revision: 1.355 . +# From configure.in Revision: 1.356 . # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.59. # 
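Review bot: `test $use_getifaddrs = glibc` leaves the variable unquoted, so if `use_getifaddrs` is ever empty or unset the test collapses to `test = glibc` and the shell reports a unary-operator error instead of taking the else branch; the replaced `if $use_getifaddrs = glibc` failed for a different reason (it tried to execute the value as a command). Use `if test "$use_getifaddrs" = glibc` — or the autoconf idiom `if test "X$use_getifaddrs" = Xglibc` — so an empty value is handled. The generated configure in the following commit carries the same line and would be regenerated from this fix.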
@@ -24603,7 +24603,7 @@ case $host in # project handles the AF_INET6 case correctly. We need to avoid # using the former but prefer the latter unless overridden by # --enable-getifaddrs=glibc. - if $use_getifaddrs = glibc + if test $use_getifaddrs = glibc then echo "$as_me:$LINENO: checking for getifaddrs" >&5 echo $ECHO_N "checking for getifaddrs... $ECHO_C" >&6 From 578f588228f5e04ccf648b6ae596f396ad6a22c9 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 3 May 2004 23:54:38 +0000 Subject: [PATCH 078/146] 1627. [bug] win32: sockets were not being closed when the last external reference was removed. [RT# 11179] --- CHANGES | 3 + config.h.win32 | 6 +- lib/isc/win32/libisc.def | 2 + lib/isc/win32/socket.c | 416 ++++++++++++++++++++------------------- 4 files changed, 225 insertions(+), 202 deletions(-) diff --git a/CHANGES b/CHANGES index 642aec1c5d..21c2ac5780 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +1627. [bug] win32: sockets were not being closed when the + last external reference was removed. [RT# 11179] + 1626. [bug] --enable-getifaddrs was broken. [RT#11259] 1625. [placeholder] rt11237 diff --git a/config.h.win32 b/config.h.win32 index 486fa4c832..ab3f7a9f06 100644 --- a/config.h.win32 +++ b/config.h.win32 @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: config.h.win32,v 1.10 2004/04/19 05:52:21 marka Exp $ */ +/* $Id: config.h.win32,v 1.11 2004/05/03 23:54:37 marka Exp $ */ /* * win32 configuration file @@ -104,6 +104,10 @@ /* Define if you have h_errno */ #define HAVE_H_ERRNO +#define ISC_PLATFORM_NEEDSTRLCAT + +#define ISC_PLATFORM_NEEDSTRLCPY + #define S_IFMT _S_IFMT /* file type mask */ #define S_IFDIR _S_IFDIR /* directory */ #define S_IFCHR _S_IFCHR /* character special */ diff --git a/lib/isc/win32/libisc.def b/lib/isc/win32/libisc.def index 85074d4bc1..e0c7cd2c16 100644 --- a/lib/isc/win32/libisc.def +++ b/lib/isc/win32/libisc.def 
@@ -433,6 +433,8 @@ isc_task_getcurrenttime isc_net_probe_ipv6only isc_timermgr_poke isc_net_probe_ipv6pktinfo +isc_string_strlcat +isc_string_strlcpy ; Exported Data diff --git a/lib/isc/win32/socket.c b/lib/isc/win32/socket.c index 377b8e1a09..e94cecd818 100644 --- a/lib/isc/win32/socket.c +++ b/lib/isc/win32/socket.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: socket.c,v 1.30 2004/03/05 05:11:59 marka Exp $ */ +/* $Id: socket.c,v 1.31 2004/05/03 23:54:38 marka Exp $ */ /* This code has been rewritten to take advantage of Windows Sockets * I/O Completion Ports and Events. I/O Completion Ports is ONLY @@ -239,8 +239,10 @@ struct isc_socket { listener : 1, /* listener socket */ connected : 1, connecting : 1, /* connect pending */ - bound : 1; /* bound to local addr */ - + bound : 1, /* bound to local addr */ + pending_free: 1; + unsigned int pending_recv; + unsigned int pending_send; }; /* @@ -346,11 +348,8 @@ static isc_threadresult_t WINAPI SocketIoThread(LPVOID ThreadContext); static void free_socket(isc_socket_t **); enum { - SOCKET_CANCEL, - SOCKET_SHUTDOWN, SOCKET_RECV, SOCKET_SEND, - SOCK_ACCEPT }; enum { @@ -358,9 +357,6 @@ enum { EVENT_DELETE }; -#define SOCK_DEAD(s) ((s)->references == 0) - - #if defined(ISC_SOCKET_DEBUG) /* * This is used to dump the contents of the sock structure @@ -454,7 +450,7 @@ iocompletionport_createthreads(int total_threads, isc_socketmgr_t *manager) { * We need at least one */ for (i = 0; i < total_threads; i++) { - manager->hIOCPThreads[i] = CreateThread( NULL, 0, SocketIoThread, + manager->hIOCPThreads[i] = CreateThread(NULL, 0, SocketIoThread, manager, 0, &manager->dwIOCPThreadIds[i]); if(manager->hIOCPThreads[i] == NULL) { 
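Review bot: The new `pending_free: 1;` bit-field and the `pending_recv`/`pending_send` counters in struct isc_socket are the only members in that block without a trailing comment, while every neighbouring field has one. Suggest `pending_free: 1; /* free_socket() deferred until pending I/O drains */` and `unsigned int pending_recv; /* overlapped recvs in flight */` (likewise for send), adjusting the wording to match how the counters are consumed; the decrement sites are outside this hunk.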
@@ -521,7 +517,8 @@ iocompletionport_exit(isc_socketmgr_t *manager) { } /* - * Add sockets in here and pass the sock data in as part of the information needed + * Add sockets in here and pass the sock data in as part of the + * information needed. */ void iocompletionport_update(isc_socket_t *sock) { @@ -652,9 +649,10 @@ socket_eventlist_add(event_change_t *evchange, sock_event_list *evlist, sock->evthread_id = GetCurrentThreadId(); return (ISC_TRUE); } + /* - * Note that the eventLock is locked before calling this function - * All Events and associated sockes are closed here + * Note that the eventLock is locked before calling this function. + * All Events and associated sockets are closed here. */ isc_boolean_t socket_eventlist_delete(event_change_t *evchange, sock_event_list *evlist) { @@ -664,7 +662,7 @@ socket_eventlist_delete(event_change_t *evchange, sock_event_list *evlist) { REQUIRE(evchange != NULL); /* Make sure this is the right thread from which to delete the event */ - if(evchange->evthread_id != GetCurrentThreadId()) + if (evchange->evthread_id != GetCurrentThreadId()) return (ISC_FALSE); REQUIRE(evlist != NULL); @@ -678,6 +676,7 @@ socket_eventlist_delete(event_change_t *evchange, sock_event_list *evlist) { break; } } + /* Actual event start at 1 */ if (iEvent < 1) return (ISC_FALSE); @@ -686,6 +685,7 @@ socket_eventlist_delete(event_change_t *evchange, sock_event_list *evlist) { evlist->aEventList[i] = evlist->aEventList[i + 1]; evlist->aSockList[i] = evlist->aSockList[i + 1]; } + evlist->aEventList[evlist->max_event - 1] = 0; evlist->aSockList[evlist->max_event - 1] = NULL; @@ -698,6 +698,7 @@ socket_eventlist_delete(event_change_t *evchange, sock_event_list *evlist) { return (ISC_TRUE); } + /* * Get the event changes off of the list and apply the * requested changes. The manager lock is taken out at 
@@ -722,15 +723,20 @@ process_eventlist(sock_event_list *evlist, isc_socketmgr_t *manager) { LOCK(&manager->lock); - /* First the deletes */ + /* + * First the deletes. + */ evchange = ISC_LIST_HEAD(manager->event_updates); while (evchange != NULL) { next = ISC_LIST_NEXT(evchange, link); del = ISC_FALSE; - if(evchange->action == EVENT_DELETE) { + if (evchange->action == EVENT_DELETE) { del = socket_eventlist_delete(evchange, evlist); - /* Delete only if this thread's socket list was updated */ + /* + * Delete only if this thread's socket list was + * updated. + */ if (del) { ISC_LIST_DEQUEUE(manager->event_updates, evchange, link); @@ -740,15 +746,21 @@ process_eventlist(sock_event_list *evlist, isc_socketmgr_t *manager) { } evchange = next; } - /* Now the adds */ + + /* + * Now the adds. + */ evchange = ISC_LIST_HEAD(manager->event_updates); while (evchange != NULL) { next = ISC_LIST_NEXT(evchange, link); del = ISC_FALSE; - if(evchange->action == EVENT_ADD) { + if (evchange->action == EVENT_ADD) { del = socket_eventlist_add(evchange, evlist, manager); - /* Delete only if this thread's socket list was updated */ + /* + * Delete only if this thread's socket list was + * updated. + */ if (del) { ISC_LIST_DEQUEUE(manager->event_updates, evchange, link); @@ -761,13 +773,15 @@ process_eventlist(sock_event_list *evlist, isc_socketmgr_t *manager) { UNLOCK(&manager->lock); return (ISC_R_SUCCESS); } + /* * Add the event list changes to the queue and notify the * event loop */ static void notify_eventlist(isc_socket_t *sock, isc_socketmgr_t *manager, - unsigned int action) { + unsigned int action) +{ event_change_t *evchange; @@ -793,6 +807,7 @@ notify_eventlist(isc_socket_t *sock, isc_socketmgr_t *manager, else WSASetEvent(manager->prime_alert); } + /* * Note that the socket is already locked before calling this function */ 
@@ -830,6 +845,7 @@ socket_event_add(isc_socket_t *sock, long type) { notify_eventlist(sock, sock->manager, EVENT_ADD); return (ISC_R_SUCCESS); } + /* * Note that the socket is not locked before calling this function */ @@ -847,8 +863,8 @@ socket_event_delete(isc_socket_t *sock) { sock->hAlert = NULL; sock->evthread_id = 0; } - } + /* * Routine to cleanup and then close the socket. * Only close the socket here if it is NOT associated @@ -872,6 +888,7 @@ socket_close(isc_socket_t *sock) { } } + /* * Initialize socket services */ @@ -893,7 +910,8 @@ BOOL InitSockets() { int internal_sendmsg(isc_socket_t *sock, IoCompletionInfo *lpo, - struct msghdr *messagehdr, int flags, int *Error) { + struct msghdr *messagehdr, int flags, int *Error) +{ int Result; DWORD BytesSent; DWORD Flags = flags; @@ -918,19 +936,20 @@ internal_sendmsg(isc_socket_t *sock, IoCompletionInfo *lpo, *Error = WSAGetLastError(); switch (*Error) { + case WSA_IO_INCOMPLETE : + case WSA_WAIT_IO_COMPLETION : + case WSA_IO_PENDING : + sock->pending_send++; + case NO_ERROR : + break; - case NO_ERROR : - case WSA_IO_INCOMPLETE : - case WSA_WAIT_IO_COMPLETION : - case WSA_IO_PENDING : - break; - - default : - return (-1); - break; - } - } - if(lpo != NULL) + default : + return (-1); + break; + } + } else + sock->pending_send++; + if (lpo != NULL) return (0); else return (total_sent); @@ -938,7 +957,8 @@ internal_sendmsg(isc_socket_t *sock, IoCompletionInfo *lpo, int internal_recvmsg(isc_socket_t *sock, IoCompletionInfo *lpo, - struct msghdr *messagehdr, int flags, int *Error) { + struct msghdr *messagehdr, int flags, int *Error) +{ DWORD Flags = 0; DWORD NumBytes = 0; int total_bytes = 0; 
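Review bot: The new `case WSA_IO_PENDING :` arm in internal_sendmsg increments `sock->pending_send` and then falls into `case NO_ERROR :`; the fall-through is intended but unmarked, so add `/* FALLTHROUGH */` directly after `sock->pending_send++;` (internal_recvmsg in the next hunk has the same shape and needs the same mark). The `else` branch also bumps the counter when `lpo == NULL`, i.e. a non-overlapped call for which no completion packet will ever be reaped, so that count could never be decremented; every caller on this page now passes an allocated lpo, but either guarding the increment with `if (lpo != NULL)` or stating in a comment that lpo must not be NULL would make the invariant explicit.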
@@ -946,14 +966,14 @@ internal_recvmsg(isc_socket_t *sock, IoCompletionInfo *lpo, *Error = 0; Result = WSARecvFrom((SOCKET) sock->fd, - messagehdr->msg_iov, - messagehdr->msg_iovlen, - &NumBytes, - &Flags, - messagehdr->msg_name, - (int *)&(messagehdr->msg_namelen), - (LPOVERLAPPED) lpo, - NULL); + messagehdr->msg_iov, + messagehdr->msg_iovlen, + &NumBytes, + &Flags, + messagehdr->msg_name, + (int *)&(messagehdr->msg_namelen), + (LPOVERLAPPED) lpo, + NULL); total_bytes = (int) NumBytes; @@ -963,31 +983,32 @@ internal_recvmsg(isc_socket_t *sock, IoCompletionInfo *lpo, *Error = WSAGetLastError(); switch (*Error) { + case WSA_IO_INCOMPLETE: + case WSA_WAIT_IO_COMPLETION: + case WSA_IO_PENDING: + sock->pending_recv++; + case NO_ERROR: + break; - case NO_ERROR : - case WSA_IO_INCOMPLETE : - case WSA_WAIT_IO_COMPLETION : - case WSA_IO_PENDING : - break; + default : + return (-1); + break; + } + } else + sock->pending_recv++; - default : - return (-1); - break; - } - } /* Return the flags received in header */ messagehdr->msg_flags = Flags; - if(lpo != NULL) + if (lpo != NULL) return (-1); else return (total_bytes); - } static void -manager_log(isc_socketmgr_t *sockmgr, - isc_logcategory_t *category, isc_logmodule_t *module, int level, - const char *fmt, ...) { +manager_log(isc_socketmgr_t *sockmgr, isc_logcategory_t *category, + isc_logmodule_t *module, int level, const char *fmt, ...) +{ char msgbuf[2048]; va_list ap; @@ -1007,11 +1028,13 @@ socket_log(isc_socket_t *sock, isc_sockaddr_t *address, isc_logcategory_t *category, isc_logmodule_t *module, int level, isc_msgcat_t *msgcat, int msgset, int message, const char *fmt, ...) ISC_FORMAT_PRINTF(9, 10); + static void socket_log(isc_socket_t *sock, isc_sockaddr_t *address, isc_logcategory_t *category, isc_logmodule_t *module, int level, isc_msgcat_t *msgcat, int msgset, int message, - const char *fmt, ...) { + const char *fmt, ...) +{ char msgbuf[2048]; char peerbuf[256]; va_list ap; 
@@ -1058,6 +1081,7 @@ make_nonblock(SOCKET fd) { return (ISC_R_SUCCESS); } + /* * Windows 2000 systems incorrectly cause UDP sockets using WASRecvFrom * to not work correctly, returning a WSACONNRESET error when a WSASendTo @@ -1107,7 +1131,8 @@ connection_reset_fix(SOCKET fd) { static void build_msghdr_send(isc_socket_t *sock, isc_socketevent_t *dev, struct msghdr *msg, char *cmsg, - WSABUF *iov, size_t *write_countp) { + WSABUF *iov, size_t *write_countp) +{ unsigned int iovcount; isc_buffer_t *buffer; isc_region_t used; @@ -1194,7 +1219,8 @@ build_msghdr_send(isc_socket_t *sock, isc_socketevent_t *dev, static void build_msghdr_recv(isc_socket_t *sock, isc_socketevent_t *dev, struct msghdr *msg, char *cmsg, - WSABUF *iov, size_t *read_countp) { + WSABUF *iov, size_t *read_countp) +{ unsigned int iovcount; isc_buffer_t *buffer; isc_region_t available; @@ -1224,10 +1250,10 @@ build_msghdr_recv(isc_socket_t *sock, isc_socketevent_t *dev, iov[0].len = read_count; iovcount = 1; } else { - /* - * Multibuffer I/O. - * Skip empty buffers. - */ + /* + * Multibuffer I/O. + * Skip empty buffers. + */ while (buffer != NULL) { REQUIRE(ISC_BUFFER_VALID(buffer)); if (isc_buffer_availablelength(buffer) != 0) @@ -1266,7 +1292,8 @@ build_msghdr_recv(isc_socket_t *sock, isc_socketevent_t *dev, static void set_dev_address(isc_sockaddr_t *address, isc_socket_t *sock, - isc_socketevent_t *dev) { + isc_socketevent_t *dev) +{ if (sock->type == isc_sockettype_udp) { if (address != NULL) dev->address = *address; @@ -1280,14 +1307,14 @@ set_dev_address(isc_sockaddr_t *address, isc_socket_t *sock, static isc_socketevent_t * allocate_socketevent(isc_socket_t *sock, isc_eventtype_t eventtype, - isc_taskaction_t action, const void *arg) { + isc_taskaction_t action, const void *arg) +{ isc_socketevent_t *ev; ev = (isc_socketevent_t *)isc_event_allocate(sock->manager->mctx, sock, eventtype, action, arg, sizeof(*ev)); - if (ev == NULL) return (NULL); 
@@ -1324,7 +1351,8 @@ dump_msg(struct msghdr *msg, isc_socket_t *sock) { static int completeio_recv(isc_socket_t *sock, isc_socketevent_t *dev, - struct msghdr *messagehdr, int cc, int recv_errno) { + struct msghdr *messagehdr, int cc, int recv_errno) +{ size_t actual_count; isc_buffer_t *buffer; @@ -1442,31 +1470,27 @@ completeio_recv(isc_socket_t *sock, isc_socketevent_t *dev, dev->result = ISC_R_SUCCESS; return (DOIO_SUCCESS); } + static int startio_recv(isc_socket_t *sock, isc_socketevent_t *dev, int *nbytes, - BOOL bwait, int *recv_errno) { + int *recv_errno) +{ char *cmsg = NULL; char strbuf[ISC_STRERRORSIZE]; IoCompletionInfo *lpo; int status; - struct msghdr messagehdr; struct msghdr *msghdr; - if (!bwait) { - lpo = (IoCompletionInfo *) HeapAlloc(hHeapHandle, - HEAP_ZERO_MEMORY, sizeof(IoCompletionInfo)); - lpo->request_type = SOCKET_RECV; - lpo->dev = dev; - msghdr = &lpo->messagehdr; - } else { /* Wait for recv to complete */ - lpo = NULL; - msghdr = &messagehdr; - } - sock->references++; + lpo = (IoCompletionInfo *) HeapAlloc(hHeapHandle, + HEAP_ZERO_MEMORY, + sizeof(IoCompletionInfo)); + lpo->request_type = SOCKET_RECV; + lpo->dev = dev; + msghdr = &lpo->messagehdr; memset(msghdr, 0, sizeof(struct msghdr)); build_msghdr_recv(sock, dev, msghdr, cmsg, sock->iov, - &(sock->totalBytes)); + &(sock->totalBytes)); #if defined(ISC_SOCKET_DEBUG) dump_msg(msghdr, sock); @@ -1485,13 +1509,12 @@ startio_recv(isc_socket_t *sock, isc_socketevent_t *dev, int *nbytes, socket_log(sock, NULL, IOEVENT, isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_DOIORECV, - "startio_recv: recvmsg(%d) %d bytes, err %d/%s", + "startio_recv: recvmsg(%d) %d bytes, " + "err %d/%s", sock->fd, *nbytes, *recv_errno, strbuf); } - status = completeio_recv(sock, dev, msghdr, *nbytes, *recv_errno); - if(status != DOIO_SOFT) { - sock->references--; - } + status = completeio_recv(sock, dev, msghdr, + *nbytes, *recv_errno); goto done; } dev->result = ISC_R_SUCCESS; 
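Review bot: In startio_recv the result of `HeapAlloc` is dereferenced (`lpo->request_type = SOCKET_RECV;`) without a NULL check; HeapAlloc returns NULL on failure, so the allocation should be tested and the request failed, e.g. `dev->result = ISC_R_NOMEMORY; status = DOIO_HARD; goto done;` (startio_send in a later hunk re-adds the identical pattern). With the `bwait` path gone, `lpo` is also the only owner of the message header on the synchronous-failure path, where `completeio_recv` is now reached without the old `references--`; if nothing between the hunks frees `lpo` when `internal_recvmsg` fails outright (its `default: return (-1)` arm does not bump `pending_recv`, so no completion will arrive to free it), that allocation leaks. The middle of startio_recv is not visible in this diff, so this part is inferred.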
@@ -1499,6 +1522,7 @@ startio_recv(isc_socket_t *sock, isc_socketevent_t *dev, int *nbytes, done: return (status); } + /* * Returns: * DOIO_SUCCESS The operation succeeded. dev->result contains @@ -1513,8 +1537,9 @@ done: * No other return values are possible. */ static int -completeio_send(isc_socket_t *sock, isc_socketevent_t *dev, struct msghdr *messagehdr, int cc, - int send_errno) { +completeio_send(isc_socket_t *sock, isc_socketevent_t *dev, + struct msghdr *messagehdr, int cc, int send_errno) +{ char addrbuf[ISC_SOCKADDR_FORMATSIZE]; char strbuf[ISC_STRERRORSIZE]; @@ -1592,28 +1617,24 @@ completeio_send(isc_socket_t *sock, isc_socketevent_t *dev, struct msghdr *messa dev->result = ISC_R_SUCCESS; return (DOIO_SUCCESS); } + static int startio_send(isc_socket_t *sock, isc_socketevent_t *dev, int *nbytes, - BOOL bwait, int *send_errno) { + int *send_errno) +{ char *cmsg = NULL; char strbuf[ISC_STRERRORSIZE]; IoCompletionInfo *lpo; int status; - struct msghdr messagehdr; struct msghdr *msghdr; - if (!bwait) { - lpo = (IoCompletionInfo *) HeapAlloc(hHeapHandle, - HEAP_ZERO_MEMORY, sizeof(IoCompletionInfo)); - lpo->request_type = SOCKET_SEND; - lpo->dev = dev; - msghdr = &lpo->messagehdr; - } else { /* Wait for send to complete */ - lpo = NULL; - msghdr = &messagehdr; - } + lpo = (IoCompletionInfo *) HeapAlloc(hHeapHandle, + HEAP_ZERO_MEMORY, + sizeof(IoCompletionInfo)); + lpo->request_type = SOCKET_SEND; + lpo->dev = dev; + msghdr = &lpo->messagehdr; memset(msghdr, 0, sizeof(struct msghdr)); - sock->references++; build_msghdr_send(sock, dev, msghdr, cmsg, sock->iov, &(sock->totalBytes)); 
@@ -1631,13 +1652,12 @@ startio_send(isc_socket_t *sock, isc_socketevent_t *dev, int *nbytes, socket_log(sock, NULL, IOEVENT, isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_INTERNALSEND, - "startio_send: internal_sendmsg(%d) %d bytes, err %d/%s", + "startio_send: internal_sendmsg(%d) %d " + "bytes, err %d/%s", sock->fd, *nbytes, *send_errno, strbuf); } - status = completeio_send(sock, dev, msghdr, *nbytes, *send_errno); - if(status != DOIO_SOFT) { - sock->references--; - } + status = completeio_send(sock, dev, msghdr, + *nbytes, *send_errno); goto done; } dev->result = ISC_R_SUCCESS; @@ -1645,6 +1665,7 @@ startio_send(isc_socket_t *sock, isc_socketevent_t *dev, int *nbytes, done: return (status); } + /* * Kill. * @@ -1655,6 +1676,7 @@ static void destroy_socket(isc_socket_t **sockp) { isc_socket_t *sock = *sockp; isc_socketmgr_t *manager = sock->manager; + isc_boolean_t dofree = ISC_TRUE; REQUIRE(sock != NULL); @@ -1668,15 +1690,14 @@ destroy_socket(isc_socket_t **sockp) { LOCK(&manager->lock); - /* - * No one has this socket open and the socket doesn't have to be - * locked. The socket_close function makes sure that if needed - * the event_wait loop removes any associated event from the list - * of events being waited on. - */ + LOCK(&sock->lock); socket_close(sock); - + if (sock->pending_recv != 0 || sock->pending_send != 0) { + dofree = ISC_FALSE; + sock->pending_free = 1; + } ISC_LIST_UNLINK(manager->socklist, sock, link); + UNLOCK(&sock->lock); if (ISC_LIST_EMPTY(manager->socklist)) SIGNAL(&manager->shutdown_ok); @@ -1684,10 +1705,10 @@ destroy_socket(isc_socket_t **sockp) { /* * XXX should reset manager->maxfd here */ - UNLOCK(&manager->lock); - free_socket(sockp); + if (dofree) + free_socket(sockp); } static isc_result_t 
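Review bot: destroy_socket now defers `free_socket` through `pending_free` when I/O is outstanding, but on this page the deferred free is completed only in SocketIoThread's `WSA_OPERATION_ABORTED` branch; internal_recv and internal_send (later hunks) decrement `pending_recv`/`pending_send` without ever consulting `pending_free`, so a socket whose last outstanding operation completes through either of them — successfully, or with any error other than an abort — is never freed, and those handlers keep dispatching events on a socket that socket_close has already torn down. Either route those completions through the same "last pending operation and pending_free" check, or make the close path guarantee that every outstanding operation is reported as aborted. Separately, when `dofree` is false the caller's `*sockp` is left pointing at memory the I/O thread will later free; if free_socket nulls the pointer as its by-reference signature suggests, add `else *sockp = NULL;` so the deferred path behaves the same.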
@@ -1721,6 +1742,9 @@ allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type, sock->connect_ev = NULL; sock->pending_accept = 0; sock->pending_close = 0; + sock->pending_recv = 0; + sock->pending_send = 0; + sock->pending_free = 0; sock->iocp = 0; sock->listener = 0; sock->connected = 0; @@ -2066,14 +2090,6 @@ internal_accept(isc_socket_t *sock, int accept_errno) { INSIST(sock->pending_accept == 1); sock->pending_accept = 0; - INSIST(sock->references > 0); - sock->references--; /* the internal event is done with this socket */ - if (sock->references == 0) { - UNLOCK(&sock->lock); - destroy_socket(&sock); - return; - } - /* * Check any possible error status from the event notification here. * Note that we don't take any action since it was only @@ -2284,18 +2300,6 @@ internal_connect(isc_socket_t *sock, int connect_errno) { LOCK(&sock->lock); - /* - * When the internal event was sent the reference count was bumped - * to keep the socket around for us. Decrement the count here. - */ - INSIST(sock->references > 0); - sock->references--; - if (sock->references == 0) { - UNLOCK(&sock->lock); - destroy_socket(&sock); - return; - } - /* * Has this event been canceled? */ @@ -2366,7 +2370,9 @@ internal_connect(isc_socket_t *sock, int connect_errno) { } static void -internal_recv(isc_socket_t *sock, isc_socketevent_t *dev, struct msghdr *messagehdr, int nbytes, int recv_errno) { +internal_recv(isc_socket_t *sock, isc_socketevent_t *dev, + struct msghdr *messagehdr, int nbytes, int recv_errno) +{ isc_socketevent_t *ldev; int io_state; int cc; 
@@ -2378,14 +2384,8 @@ internal_recv(isc_socket_t *sock, isc_socketevent_t *dev, struct msghdr *message isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_INTERNALRECV, "internal_recv: task got socket event %p", dev); - INSIST(sock->references > 0); - sock->references--; /* the internal event is done with this socket */ - if (sock->references == 0) { - UNLOCK(&sock->lock); - destroy_socket(&sock); - return; - } - + INSIST(sock->pending_recv > 0); + sock->pending_recv--; /* If the event is no longer in the list we can just return */ ldev = ISC_LIST_HEAD(sock->recv_list); while (ldev != NULL && ldev != dev) { 
@@ -2398,34 +2398,36 @@ internal_recv(isc_socket_t *sock, isc_socketevent_t *dev, struct msghdr *message * Try to do as much I/O as possible on this socket. There are no * limits here, currently. */ - switch (completeio_recv(sock, dev, messagehdr, nbytes, recv_errno)) { - case DOIO_SOFT: - cc = 0; - recv_errno = 0; - io_state = startio_recv(sock, dev, &cc, FALSE, &recv_errno); - goto done; + switch (completeio_recv(sock, dev, messagehdr, nbytes, recv_errno)) { + case DOIO_SOFT: + cc = 0; + recv_errno = 0; + io_state = startio_recv(sock, dev, &cc, &recv_errno); + goto done; - case DOIO_EOF: - /* - * read of 0 means the remote end was closed. - * Run through the event queue and dispatch all - * the events with an EOF result code. - */ - dev->result = ISC_R_EOF; - send_recvdone_event(sock, &dev); - goto done; + case DOIO_EOF: + /* + * read of 0 means the remote end was closed. + * Run through the event queue and dispatch all + * the events with an EOF result code. + */ + dev->result = ISC_R_EOF; + send_recvdone_event(sock, &dev); + goto done; - case DOIO_SUCCESS: - case DOIO_HARD: - send_recvdone_event(sock, &dev); - break; - } + case DOIO_SUCCESS: + case DOIO_HARD: + send_recvdone_event(sock, &dev); + break; + } done: UNLOCK(&sock->lock); } static void -internal_send(isc_socket_t *sock, isc_socketevent_t *dev, struct msghdr *messagehdr, int nbytes, int send_errno) { +internal_send(isc_socket_t *sock, isc_socketevent_t *dev, + struct msghdr *messagehdr, int nbytes, int send_errno) +{ isc_socketevent_t *ldev; int io_state; int cc; 
@@ -2440,13 +2442,8 @@ internal_send(isc_socket_t *sock, isc_socketevent_t *dev, struct msghdr *message isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_INTERNALSEND, "internal_send: task got socket event %p", dev); - INSIST(sock->references > 0); - sock->references--; /* the internal event is done with this socket */ - if (sock->references == 0) { - UNLOCK(&sock->lock); - destroy_socket(&sock); - return; - } + INSIST(sock->pending_send > 0); + sock->pending_send--; /* If the event is no longer in the list we can just return */ ldev = ISC_LIST_HEAD(sock->send_list); @@ -2463,7 +2460,7 @@ internal_send(isc_socket_t *sock, isc_socketevent_t *dev, struct msghdr *message case DOIO_SOFT: cc = 0; send_errno = 0; - io_state = startio_send(sock, dev, &cc, FALSE, &send_errno); + io_state = startio_send(sock, dev, &cc, &send_errno); goto done; case DOIO_HARD: @@ -2487,8 +2484,6 @@ SocketIoThread(LPVOID ThreadContext) { isc_socketmgr_t *manager = ThreadContext; BOOL bSuccess = FALSE; DWORD nbytes; - DWORD tbytes; - DWORD tflags; IoCompletionInfo *lpo = NULL; isc_socket_t *sock = NULL; int request; @@ -2504,7 +2499,9 @@ SocketIoThread(LPVOID ThreadContext) { * preempt normal recv packet processing, but not * higher than the timer sync thread. */ - if (!SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_ABOVE_NORMAL)) { + if (!SetThreadPriority(GetCurrentThread(), + THREAD_PRIORITY_ABOVE_NORMAL)) + { errval = GetLastError(); isc__strerror(errval, strbuf, sizeof(strbuf)); FATAL_ERROR(__FILE__, __LINE__, 
@@ -2514,33 +2511,53 @@ SocketIoThread(LPVOID ThreadContext) { strbuf); } - /* * Loop forever waiting on I/O Completions and then processing them */ - while(TRUE) { + while (TRUE) { bSuccess = GetQueuedCompletionStatus ( manager->hIoCompletionPort, &nbytes, (LPDWORD) &sock, (LPOVERLAPPED *)&lpo, - INFINITE - ); - if(lpo == NULL ) { + INFINITE); + if (lpo == NULL) { /* * Received request to exit */ break; } errstatus = 0; - if(!bSuccess) { + if (!bSuccess) { + isc_boolean_t dofree = ISC_FALSE; + REQUIRE(VALID_SOCKET(sock)); /* - * I/O Failure - * Find out why + * Was this the socket closed under us? */ - WSAGetOverlappedResult(sock->fd, (LPWSAOVERLAPPED) &lpo, - &tbytes, FALSE, &tflags); - dev = lpo->dev; + errstatus = WSAGetLastError(); + if (nbytes == 0 && errstatus == WSA_OPERATION_ABORTED) { + LOCK(&sock->lock); + switch (lpo->request_type) { + case SOCKET_RECV: + INSIST(sock->pending_recv > 0); + sock->pending_recv--; + break; + case SOCKET_SEND: + INSIST(sock->pending_send > 0); + sock->pending_send--; + break; + } + if (sock->pending_recv == 0 && + sock->pending_send == 0 && + sock->pending_free) + dofree = ISC_TRUE; + UNLOCK(&sock->lock); + if (dofree) + free_socket(&sock); + if (lpo != NULL) + HeapFree(hHeapHandle, 0, lpo); + continue; + } } request = lpo->request_type; @@ -2548,20 +2565,17 @@ SocketIoThread(LPVOID ThreadContext) { messagehdr = &lpo->messagehdr; switch (request) { - case SOCKET_CANCEL: - break; case SOCKET_RECV: internal_recv(sock, dev, messagehdr, nbytes, errstatus); break; case SOCKET_SEND: internal_send(sock, dev, messagehdr, nbytes, errstatus); break; - default: - break; /* Unknown: Just ignore it */ } if (lpo != NULL) HeapFree(hHeapHandle, 0, lpo); } + /* * Exit Completion Port Thread */ @@ -2570,6 +2584,7 @@ SocketIoThread(LPVOID ThreadContext) { ISC_MSG_EXITING, "SocketIoThread exiting")); return ((isc_threadresult_t)0); } + /* * This is the thread that will loop forever, waiting for an event to * happen. 
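Review bot: In the new `WSA_OPERATION_ABORTED` branch of SocketIoThread the `switch (lpo->request_type)` has no `default`, so an unexpected request type silently skips the decrement yet still reaches the `pending_free` check; given the `INSIST`s already used here, a `default: INSIST(0);` (or at least a comment) would make the assumption explicit. The `if (lpo != NULL)` guard before `HeapFree` is redundant in this branch because a NULL lpo already left the loop above. The operation's `lpo->dev` is discarded here without being delivered to its task; if the cancel/close path has not already dispatched it with ISC_R_CANCELED, the requesting task never receives its done event, so a comment naming which path owns that event — e.g. `/* dev was already dispatched by the cancel/close path; only the I/O bookkeeping is undone here. */` — is worth adding once that is confirmed.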
@@ -2631,7 +2646,6 @@ event_wait(void *uap) { } while (cc < 0 && !manager->bShutdown && manager->event_written == 0); - if (manager->bShutdown) break; @@ -2690,11 +2704,9 @@ event_wait(void *uap) { if (wsock->listener == 1 && wsock->pending_accept == 0) { wsock->pending_accept = 1; - wsock->references++; internal_accept(wsock, event_errno); } else { - wsock->references++; internal_connect(wsock, event_errno); } } @@ -2706,6 +2718,7 @@ event_wait(void *uap) { return ((isc_threadresult_t)0); } + /* * Create a new socket manager. */ @@ -2861,7 +2874,8 @@ isc_socketmgr_destroy(isc_socketmgr_t **managerp) { static isc_result_t socket_recv(isc_socket_t *sock, isc_socketevent_t *dev, isc_task_t *task, - unsigned int flags) { + unsigned int flags) +{ int io_state; int cc = 0; isc_task_t *ntask = NULL; @@ -2872,7 +2886,7 @@ socket_recv(isc_socket_t *sock, isc_socketevent_t *dev, isc_task_t *task, LOCK(&sock->lock); iocompletionport_update(sock); - io_state = startio_recv(sock, dev, &cc, FALSE, &recv_errno); + io_state = startio_recv(sock, dev, &cc, &recv_errno); switch (io_state) { case DOIO_SOFT: @@ -3050,7 +3064,7 @@ socket_send(isc_socket_t *sock, isc_socketevent_t *dev, isc_task_t *task, LOCK(&sock->lock); have_lock = ISC_TRUE; iocompletionport_update(sock); - io_state = startio_send(sock, dev, &cc, FALSE, &send_errno); + io_state = startio_send(sock, dev, &cc, &send_errno); switch (io_state) { case DOIO_SOFT: @@ -3642,8 +3656,8 @@ isc_socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how) { isc_socket_newconnev_t *next; isc_task_t *current_task; - dev = ISC_LIST_HEAD(sock->accept_list); socket_event_delete(sock); + dev = ISC_LIST_HEAD(sock->accept_list); while (dev != NULL) { current_task = dev->ev_sender; From 1ccee0aff35cff5a5bd5da41972e29492da3617e Mon Sep 17 00:00:00 2001 
From: Mark Andrews Date: Tue, 4 May 2004 03:24:39 +0000 Subject: [PATCH 079/146] silence compiler warning (cast to long and use %ld) --- bin/named/unix/os.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/named/unix/os.c b/bin/named/unix/os.c index 0c4717b113..1fd9e08a5f 100644 --- a/bin/named/unix/os.c +++ b/bin/named/unix/os.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: os.c,v 1.67 2004/04/15 04:49:50 marka Exp $ */ +/* $Id: os.c,v 1.68 2004/05/04 03:24:39 marka Exp $ */ #include #include @@ -616,7 +616,7 @@ ns_os_shutdownmsg(char *command, isc_buffer_t *text) { n = snprintf((char *)isc_buffer_used(text), isc_buffer_availablelength(text), - "pid: %d", pid); + "pid: %ld", (long)pid); /* Only send a message if it is complete. */ if (n < isc_buffer_availablelength(text)) isc_buffer_add(text, n); From af6e33e7a054ed8c47f3760c7c25f95988ea1fe3 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 4 May 2004 03:28:31 +0000 Subject: [PATCH 080/146] silence compiler punned warning (adjust signed/unsigned chars). --- lib/bind/nameser/ns_name.c | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/lib/bind/nameser/ns_name.c b/lib/bind/nameser/ns_name.c index 4567b209f2..73724a01f4 100644 --- a/lib/bind/nameser/ns_name.c +++ b/lib/bind/nameser/ns_name.c @@ -16,7 +16,7 @@ */ #ifndef lint -static const char rcsid[] = "$Id: ns_name.c,v 1.8 2004/03/09 06:30:09 marka Exp $"; +static const char rcsid[] = "$Id: ns_name.c,v 1.9 2004/05/04 03:28:31 marka Exp $"; #endif #include "port_before.h" 
@@ -75,9 +75,11 @@ static int dn_find(const u_char *, const u_char *, const u_char * const *, const u_char * const *); static int encode_bitsring(const char **, const char *, - char **, char **, const char *); + unsigned char **, unsigned char **, + unsigned const char *); static int labellen(const u_char *); -static int decode_bitstring(const char **, char *, const char *); +static int decode_bitstring(const unsigned char **, + char *, const char *); /* Public. */ @@ -132,7 +134,7 @@ ns_name_ntop(const u_char *src, char *dst, size_t dstsiz) errno = EINVAL; return(-1); } - if ((m = decode_bitstring((const char **)&cp, dn, eom)) < 0) + if ((m = decode_bitstring(&cp, dn, eom)) < 0) { errno = EMSGSIZE; return(-1); @@ -212,11 +214,8 @@ ns_name_pton(const char *src, u_char *dst, size_t dstsiz) errno = EINVAL; /* ??? */ return(-1); } - if ((e = encode_bitsring(&src, - cp + 2, - (char **)&label, - (char **)&bp, - (const char *)eom)) + if ((e = encode_bitsring(&src, cp + 2, + &label, &bp, eom)) != 0) { errno = e; return(-1); @@ -788,9 +787,9 @@ dn_find(const u_char *domain, const u_char *msg, } static int -decode_bitstring(const char **cpp, char *dn, const char *eom) +decode_bitstring(const unsigned char **cpp, char *dn, const char *eom) { - const char *cp = *cpp; + const unsigned char *cp = *cpp; char *beg = dn, tc; int b, blen, plen, i; @@ -836,12 +835,13 @@ decode_bitstring(const char **cpp, char *dn, const char *eom) } static int -encode_bitsring(const char **bp, const char *end, char **labelp, - char ** dst, const char *eom) +encode_bitsring(const char **bp, const char *end, unsigned char **labelp, + unsigned char ** dst, unsigned const char *eom) { int afterslash = 0; const char *cp = *bp; - char *tp, c; + unsigned char *tp; + char c; const char *beg_blen; char *end_blen = NULL; int value = 0, count = 0, tbcount = 0, blen = 0; From 38e8022ace865803bdd609c9763cd7d7ba2818dc Mon Sep 17 00:00:00 2001 
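Review bot: The prototype and definition of encode_bitsring now spell the new parameter as `unsigned const char *eom`, while the rest of this file (and the `decode_bitstring` change in the same commit) uses `const unsigned char *` / `const u_char *`; the two are equivalent to the compiler, but the mixed qualifier order reads as a typo, so use `const u_char *eom` in both places. The body of encode_bitsring continues past the end of the last hunk.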
From: Mark Andrews Date: Wed, 5 May 2004 01:32:58 +0000 Subject: [PATCH 081/146] 1625. [bug] named failed to load/transfer RFC2535 signed zones which contained CNAMES. [RT# 11237] --- CHANGES | 3 +- bin/named/update.c | 10 +- bin/tests/system/dnssec/ns2/example.db.in | 6 +- bin/tests/system/dnssec/ns2/named.conf | 8 +- .../system/dnssec/ns2/rfc2335.example.db | 103 ++++++++++++++++++ bin/tests/system/dnssec/ns3/named.conf | 8 +- bin/tests/system/dnssec/tests.sh | 23 +++- lib/dns/master.c | 5 +- lib/dns/message.c | 17 ++- lib/dns/rbtdb.c | 7 +- 10 files changed, 168 insertions(+), 22 deletions(-) create mode 100644 bin/tests/system/dnssec/ns2/rfc2335.example.db diff --git a/CHANGES b/CHANGES index 21c2ac5780..f52be02cbe 100644 --- a/CHANGES +++ b/CHANGES @@ -3,7 +3,8 @@ 1626. [bug] --enable-getifaddrs was broken. [RT#11259] -1625. [placeholder] rt11237 +1625. [bug] named failed to load/transfer RFC2535 signed zones + which contained CNAMES. [RT# 11237] 1624. [bug] zonemgr_putio() call should be locked. [RT# 11163] diff --git a/bin/named/update.c b/bin/named/update.c index 9268fcd52e..86838e4158 100644 --- a/bin/named/update.c +++ b/bin/named/update.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: update.c,v 1.110 2004/04/15 01:58:23 marka Exp $ */ +/* $Id: update.c,v 1.111 2004/05/05 01:32:56 marka Exp $ */ #include @@ -850,7 +850,8 @@ temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db, this name and type */ *typep = type = t->rdata.type; - if (type == dns_rdatatype_rrsig) + if (type == dns_rdatatype_rrsig || + type == dns_rdatatype_sig) covers = dns_rdata_covers(&t->rdata); else covers = 0; 
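Review bot: `type == dns_rdatatype_rrsig || type == dns_rdatatype_sig` in temp_check is the same predicate the commit adds to `load()` in master.c and, in a different shape, to getsection() in message.c later on this page, so the "which types carry a covered type" rule now lives in three places. A small static helper (name constructed, e.g. `is_sigtype(type)`) returning that boolean, called from each site, would keep the three in step the next time a signature type is added. temp_check continues outside the hunk.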
@@ -2467,8 +2468,9 @@ update_action(isc_task_t *task, isc_event_t *event) { ctx.ignore_add = ISC_FALSE; dns_diff_init(mctx, &ctx.del_diff); dns_diff_init(mctx, &ctx.add_diff); - CHECK(foreach_rr(db, ver, name, rdata.type, covers, - add_rr_prepare_action, &ctx)); + CHECK(foreach_rr(db, ver, name, rdata.type, + covers, add_rr_prepare_action, + &ctx)); if (ctx.ignore_add) { dns_diff_clear(&ctx.del_diff); diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in index c9f00c55ec..761738f1c6 100644 --- a/bin/tests/system/dnssec/ns2/example.db.in +++ b/bin/tests/system/dnssec/ns2/example.db.in @@ -13,7 +13,7 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: example.db.in,v 1.14 2004/04/15 23:40:22 marka Exp $ +; $Id: example.db.in,v 1.15 2004/05/05 01:32:57 marka Exp $ $TTL 300 ; 5 minutes @ IN SOA mname1. . ( @@ -70,6 +70,10 @@ dynamic A 10.53.0.3 mustbesecure NS ns.mustbesecure ns.mustbesecure A 10.53.0.3 +; A rfc2535 signed zone w/ CNAME +rfc2535 NS ns.rfc2535 +ns.rfc2535 A 10.53.0.3 + z A 10.0.0.26 keyless NS ns.keyless diff --git a/bin/tests/system/dnssec/ns2/named.conf b/bin/tests/system/dnssec/ns2/named.conf index ce2501f7f9..66f33bf692 100644 --- a/bin/tests/system/dnssec/ns2/named.conf +++ b/bin/tests/system/dnssec/ns2/named.conf @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.23 2004/03/10 02:19:53 marka Exp $ */ +/* $Id: named.conf,v 1.24 2004/05/05 01:32:57 marka Exp $ */ // NS2 @@ -62,4 +62,10 @@ zone "insecure.secure.example" { allow-update { any; }; }; +zone "rfc2335.example" { + type master; + file "rfc2335.example.db"; +}; + + include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns2/rfc2335.example.db b/bin/tests/system/dnssec/ns2/rfc2335.example.db new file mode 100644 index 0000000000..b8b477ea84 --- /dev/null +++ b/bin/tests/system/dnssec/ns2/rfc2335.example.db 
@@ -0,0 +1,103 @@ +; File written on Fri Apr 30 12:19:15 2004 +; dnssec_signzone version 9.2.4rc3 +rfc2335.example. 300 IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + 300 SIG SOA 1 2 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + nGPJKIzF7X/hMJbZURRz59UeEi/6HRxCn9Er + GqSnpw0Ea9Yx5Axu6sLKnF7jXlkZ6NHMCIpJ + +Lv+FDHXTs/dQg== ) + 300 NS ns.rfc2335.example. + 300 SIG NS 1 2 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + Q234AL9dJYMvxdWG33lpww6AJ3GplKp+ace7 + MUaj0oqDdkx4DtJF2XaP2xcqq7kTOObdQ8ES + vVxNThqOx7LFzg== ) + 300 KEY 256 3 1 ( + AQPZhzXIabI8y5ihWUw7F0WxN2MabnYWkOcV + Fn11NgaGSdjBSYPRMMwMCasD5N2KYPRUP83W + y8mj+ofcoW1FurcZ + ) ; key id = 47799 + 300 NXT a.rfc2335.example. NS SOA SIG KEY NXT + 300 SIG NXT 1 2 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + Y587mqNy6pBEfbsU6+weM2XRSqLwLwRT9Sl7 + oNuOK9kV3TR4R2M54m2S0MgJCXbRAwU+fF8Q + UbZkSTVe2N8Nyg== ) +a.rfc2335.example. 300 IN A 10.0.0.1 + 300 SIG A 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + FnfWrcw5ire8ut25504zti5l///BdDMUAkJZ + UCLFiTW4lBGMcq1pqz64zltDZXCgJ3xUeQ2i + nRt19/ZxO6Z1KA== ) + 300 NXT b.rfc2335.example. A SIG NXT + 300 SIG NXT 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + R6SpC3ndMVg4u/eZaaUsXSuMHV/hZXeaM/Op + bJLAe3KxMiOHfb6XgLy7wflAiC1xt6A9bWpy + kTc5T5gfic33kA== ) +b.rfc2335.example. 300 IN A 10.0.0.2 + 300 SIG A 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + zjRsYXMGyhDI6ipDtu8YXC9XPN+3hGamzzxL + 8uPE/LPo+x19MNdbzEgWzlajAf1/mkSGr2jN + BDMVBA5NMKpwAA== ) + 300 NXT d.rfc2335.example. A SIG NXT + 300 SIG NXT 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + aV87iZCYsC5Tqop827Zzb18TNqopGt0QynkR + gIF/lIHqZasNFRfaS1/nTnXdDKD8JS5IqxKb + oTJr5zswDAtCEw== ) +d.rfc2335.example. 300 IN A 10.0.0.4 + 300 SIG A 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. 
+ NsKyvhUYZxTbOTBX4YwxTxevI5iGBpULKwmt + +D4l00ME4XRygOVmiqVDTT9dF1EgjDxOdfMT + hSjtCh5M1b2f6g== ) + 300 NXT ns.rfc2335.example. A SIG NXT + 300 SIG NXT 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + OGqlvSDZIZdHYigh4UAFzXfPze7vcQfgj7sN + +cAeoh4BL1gpa00DqANCxowNCYluDk3ZCDwt + UHZEJa8ZjNvv4g== ) +ns.rfc2335.example. 300 IN A 10.53.0.3 + 300 SIG A 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + T6ZGeUWflLTku8jO23x/TeAPeUl8t0I18FCh + qHUZaHomLQasQ2jlZQn6cLpFd2uFJkBNxZ0G + I39aG7G1bObXdA== ) + 300 NXT x.rfc2335.example. A SIG NXT + 300 SIG NXT 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + l46mrf3/Ii5iRm3AiDjYeMg4ZXBgitHxXA2y + e/NhKpkxRRpCs7UQ94wT/RiSCjjK49E5FBe6 + 5bRxtWq0GI7zlg== ) +x.rfc2335.example. 300 IN CNAME a.rfc2335.example. + 300 SIG CNAME 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + L3IOluq+kboBd2gR2Mu54uJKCUzfmyHRiWKl + kfx+vuFr0I8mEHQRmJtouxNDrBzmzGp5vybK + SdabLWw0n6uQEA== ) + 300 NXT z.rfc2335.example. CNAME SIG NXT + 300 SIG NXT 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + CBKoJSkZzdpwiON7JS4yPFY5VVeBjfT19x/O + vx+5UK1JZUNKhTXWWgW1er+JlLzNf4Ot40+l + z9HUTyaeS0eWyw== ) +z.rfc2335.example. 300 IN A 10.0.0.26 + 300 SIG A 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + ccqjVHnehvVwlNNd4+7n/GzGlRjj+ul0gCT3 + X3950LTccxHsOFyjNNm8v/Ho/aurSYdqXEjY + jwmjC6elwkzB7A== ) + 300 NXT rfc2335.example. A SIG NXT + 300 SIG NXT 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + W42WoFyd9erysv8HjKo+CpHIH1x6+pAKwCDO + /hHnkEpQI3brewxl7cWOPYeA92Ns80Ody/ui + m2E28A5gnmWqPw== ) diff --git a/bin/tests/system/dnssec/ns3/named.conf b/bin/tests/system/dnssec/ns3/named.conf index a4c454a0b9..71e88928e8 100644 --- a/bin/tests/system/dnssec/ns3/named.conf +++ b/bin/tests/system/dnssec/ns3/named.conf 
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.26 2004/04/15 23:40:22 marka Exp $ */ +/* $Id: named.conf,v 1.27 2004/05/05 01:32:57 marka Exp $ */ // NS3 @@ -79,4 +79,10 @@ zone "mustbesecure.example" { file "mustbesecure.example.db"; }; +zone "rfc2335.example" { + type slave; + masters { 10.53.0.2; }; + file "rfc2335.example.bk"; +}; + include "trusted.conf"; diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 24a1f7ac61..2b251ce97b 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.44 2004/03/10 02:19:53 marka Exp $ +# $Id: tests.sh,v 1.45 2004/05/05 01:32:56 marka Exp $ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh @@ -446,6 +446,27 @@ ret=0 $DIG $DIGOPTS private.secure.example. SOA @10.53.0.6 \ > dig.out.ns6.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns6.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking that we can load a rfc2535 signed zone ($n)" +ret=0 +$DIG $DIGOPTS rfc2535.example. SOA @10.53.0.2 \ + > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking that we can transfer a rfc2535 signed zone ($n)" +ret=0 +$DIG $DIGOPTS rfc2535.example. SOA @10.53.0.3 \ + > dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` # Run a minimal update test if possible. This is really just # a regression test for RT #2399; more tests should be added. diff --git a/lib/dns/master.c b/lib/dns/master.c index f38432c820..615a95a494 100644 --- a/lib/dns/master.c 
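Review bot: The two new checks query `rfc2535.example.` while the zone this commit adds to ns3/named.conf and the new ns2 zone file are both named `rfc2335.example`, so unless ns2 also serves a zone under the former name the digs hit an unconfigured name and the `grep "status: NOERROR"` will not match (or, if the server recurses, the check passes without ever touching the signed zone). One of the two spellings is a typo; the query must match the configured zone, e.g. `$DIG $DIGOPTS rfc2335.example. SOA @10.53.0.2 \` and `$DIG $DIGOPTS rfc2335.example. SOA @10.53.0.3 \`, with the two echo lines naming the same zone. If `$DIGOPTS` asks for DNSSEC records, a second grep for a `SIG` in the answer would confirm the RFC 2535 records were actually loaded and transferred rather than just the SOA.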
+++ b/lib/dns/master.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: master.c,v 1.148 2004/03/05 05:09:21 marka Exp $ */ +/* $Id: master.c,v 1.149 2004/05/05 01:32:58 marka Exp $ */ #include @@ -1645,7 +1645,8 @@ load(dns_loadctx_t *lctx) { } - if (type == dns_rdatatype_rrsig) + if (type == dns_rdatatype_rrsig || + type == dns_rdatatype_sig) covers = dns_rdata_covers(&rdata[rdcount]); else covers = 0; diff --git a/lib/dns/message.c b/lib/dns/message.c index 81304265d6..e13c544f98 100644 --- a/lib/dns/message.c +++ b/lib/dns/message.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: message.c,v 1.222 2004/03/10 00:47:40 marka Exp $ */ +/* $Id: message.c,v 1.223 2004/05/05 01:32:58 marka Exp $ */ /*** *** Imports @@ -1288,18 +1288,16 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, if (result != ISC_R_SUCCESS) goto cleanup; rdata->rdclass = rdclass; + issigzero = ISC_FALSE; if (rdtype == dns_rdatatype_rrsig && rdata->flags == 0) { covers = dns_rdata_covers(rdata); if (covers == 0) DO_FORMERR; - } else - covers = 0; - - issigzero = ISC_FALSE; - if (rdtype == dns_rdatatype_sig /* SIG(0) */ && - rdata->flags == 0) { - if (dns_rdata_covers(rdata) == 0) { + } else if (rdtype == dns_rdatatype_sig /* SIG(0) */ && + rdata->flags == 0) { + covers = dns_rdata_covers(rdata); + if (covers == 0) { if (sectionid != DNS_SECTION_ADDITIONAL || count != msg->counts[sectionid] - 1) DO_FORMERR; @@ -1308,7 +1306,8 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, skip_type_search = ISC_TRUE; issigzero = ISC_TRUE; } - } + } else + covers = 0; /* * If we are doing a dynamic update or this is a meta-type, diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c index 87771ce344..d0693fd6bd 100644 --- a/lib/dns/rbtdb.c +++ b/lib/dns/rbtdb.c 
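Review bot: The new `type == dns_rdatatype_sig` arm in load() has no comment saying why a SIG record is keyed by its covered type exactly like an RRSIG, while message.c in the same commit treats a SIG with covers == 0 specially; `/* RFC 2535 SIG, like RRSIG, is stored per covered type. */` above the condition would record that. The same rrsig/sig pairing is added to cname_and_other_data() in rbtdb.c in this commit. load() starts and ends outside the hunk.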
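Review bot: After the reordering in getsection(), an RRSIG with covers == 0 is always a FORMERR while a SIG with covers == 0 is accepted as long as it is the last record of the additional section; that asymmetry is what SIG(0) requires but nothing in the branch says so beyond the `/* SIG(0) */` tag. A comment on the `else if`, e.g. `/* A SIG covering type 0 is a SIG(0) transaction signature (RFC 2931) and must be the last RR of the additional section; any other SIG is an RFC 2535 RRset signature. */`, would make the two FORMERR conditions readable without the RFCs. The trailing `} else covers = 0;` lands in the second hunk; getsection() continues outside both.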
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbtdb.c,v 1.196 2004/03/05 05:09:22 marka Exp $ */ +/* $Id: rbtdb.c,v 1.197 2004/05/05 01:32:58 marka Exp $ */ /* * Principal Author: Bob Halley @@ -3669,10 +3669,13 @@ cname_and_other_data(dns_rbtnode_t *node, rbtdb_serial_t serial) { * or RRSIG CNAME. */ rdtype = RBTDB_RDATATYPE_BASE(header->type); - if (rdtype == dns_rdatatype_rrsig) + if (rdtype == dns_rdatatype_rrsig || + rdtype == dns_rdatatype_sig) rdtype = RBTDB_RDATATYPE_EXT(header->type); if (rdtype != dns_rdatatype_nsec && rdtype != dns_rdatatype_dnskey && + rdtype != dns_rdatatype_nxt && + rdtype != dns_rdatatype_key && rdtype != dns_rdatatype_cname) { /* * We've found a type that isn't From 854b0d831e45a90211917e3a49f40d10c4a2ee79 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 5 May 2004 23:50:30 +0000 Subject: [PATCH 082/146] newcopyrights --- util/copyrights | 1 + 1 file changed, 1 insertion(+) diff --git a/util/copyrights b/util/copyrights index 40c89916b7..373cc1cc24 100644 --- a/util/copyrights +++ b/util/copyrights @@ -471,6 +471,7 @@ ./bin/tests/system/dnssec/ns2/insecure.secure.example.db ZONE 2000,2001,2004 ./bin/tests/system/dnssec/ns2/named.conf CONF-C 2000,2001,2002,2004 ./bin/tests/system/dnssec/ns2/private.secure.example.db.in ZONE 2000,2001,2004 +./bin/tests/system/dnssec/ns2/rfc2335.example.db ZONE 2004 ./bin/tests/system/dnssec/ns2/sign.sh SH 2000,2001,2002,2003,2004 ./bin/tests/system/dnssec/ns3/.cvsignore X 2000,2001 ./bin/tests/system/dnssec/ns3/bogus.example.db.in ZONE 2000,2001,2004 From 71839e2a424a904a60429a380ee7685464022e4b Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 6 May 2004 03:16:07 +0000 Subject: [PATCH 083/146] 1628. [bug] Typo in Compaq Trucluster support. [RT# 11264] --- CHANGES | 2 ++ lib/isc/unix/ifiter_ioctl.c | 6 +++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index f52be02cbe..0c1b9a9bca 100644 --- a/CHANGES +++ b/CHANGES 
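Review bot: The comment that ends with `or RRSIG CNAME.` just above the changed lines in cname_and_other_data() now undercounts what the check tolerates, since NXT, KEY and SIG are added to the types allowed beside a CNAME. Extending it to say that NSEC/DNSKEY/RRSIG (RFC 4034) and their RFC 2535 predecessors NXT/KEY/SIG may coexist with a CNAME keeps the comment and the condition in step. The function starts outside the hunk.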
@@ -1,3 +1,5 @@ +1628. [bug] Typo in Compaq Trucluster support. [RT# 11264] + 1627. [bug] win32: sockets were not being closed when the last external reference was removed. [RT# 11179] diff --git a/lib/isc/unix/ifiter_ioctl.c b/lib/isc/unix/ifiter_ioctl.c index b8fee5a62a..ef2850ad19 100644 --- a/lib/isc/unix/ifiter_ioctl.c +++ b/lib/isc/unix/ifiter_ioctl.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: ifiter_ioctl.c,v 1.45 2004/04/15 07:02:06 marka Exp $ */ +/* $Id: ifiter_ioctl.c,v 1.46 2004/05/06 03:16:07 marka Exp $ */ /* * Obtain the list of network interfaces using the SIOCGLIFCONF ioctl. @@ -943,7 +943,7 @@ internal_next(isc_interfaceiter_t *iter) { #endif #ifdef HAVE_TRUCLUSTER if (!iter->clua_done) { - clua_result = clua_getaliasaddress(&intr->clua_sa, + clua_result = clua_getaliasaddress(&iter->clua_sa, &iter->clua_context); if (clua_result != CLUA_SUCCESS) iter->clua_done = ISC_TRUE; @@ -983,7 +983,7 @@ void internal_first(isc_interfaceiter_t *iter) { #endif #ifdef HAVE_TRUCLUSTER iter->clua_context = 0; - clua_result = clua_getaliasaddress(&intr->clua_sa, + clua_result = clua_getaliasaddress(&iter->clua_sa, &iter->clua_context); iter->clua_done = ISC_TF(clua_result != CLUA_SUCCESS); #endif From 75654de87118c587629b5dc6882b6c1925d34983 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?= Date: Sun, 9 May 2004 12:02:46 +0000 Subject: [PATCH 084/146] 1629. [placeholder] rt8753 --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index 0c1b9a9bca..008ce3e9bf 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1629. [placeholder] rt8753 + 1628. [bug] Typo in Compaq Trucluster support. [RT# 11264] 1627. [bug] win32: sockets were not being closed when the From d9147148dde80db2ce3390ded26333d106d3c10b Mon Sep 17 00:00:00 2001 
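Review bot: Both fixed lines replace an identifier (`intr`) that does not exist in internal_next() or internal_first(), which presumably means the `#ifdef HAVE_TRUCLUSTER` blocks never compiled as written and that no build in the regular test matrix defines HAVE_TRUCLUSTER. The fix itself is right; adding a compile of this file with `HAVE_TRUCLUSTER` defined (even against stub declarations) would catch the next regression in that path. Both enclosing functions extend outside the hunks.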
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?= Date: Sun, 9 May 2004 12:59:22 +0000 Subject: [PATCH 085/146] 1630. [contrib] queryperf: add support for IPv6 transport. --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index 008ce3e9bf..93262bfc77 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1630. [placeholder] queryperf-v6 + 1629. [placeholder] rt8753 1628. [bug] Typo in Compaq Trucluster support. [RT# 11264] From 78ef0ebab3a4039f8efc8afdb7ee4b936ffc34ca Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 11 May 2004 22:20:13 +0000 Subject: [PATCH 087/146] 1631. [bug] dns_journal_compact() could sometimes corrupt the journal. [RT #11124] --- CHANGES | 3 +++ lib/dns/journal.c | 3 ++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 93262bfc77..78a6f3b569 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +1631. [bug] dns_journal_compact() could sometimes corrupt the + journal. [RT #11124] + 1630. [placeholder] queryperf-v6 1629. [placeholder] rt8753 diff --git a/lib/dns/journal.c b/lib/dns/journal.c index c6d052a8f4..95c8bc577a 100644 --- a/lib/dns/journal.c +++ b/lib/dns/journal.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: journal.c,v 1.86 2004/03/05 05:09:20 marka Exp $ */ +/* $Id: journal.c,v 1.87 2004/05/11 22:20:13 marka Exp $ */ #include @@ -2115,6 +2115,7 @@ index_to_disk(dns_journal_t *j) { } INSIST(p == j->rawindex + rawbytes); + CHECK(journal_seek(j, sizeof(journal_rawheader_t))); CHECK(journal_write(j, j->rawindex, rawbytes)); } failure: From 9907906b7d8f949e71773698da358b38efae273c Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 12 May 2004 01:58:44 +0000 Subject: [PATCH 088/146] refer to transfer-source and notify-source in query-source description. --- doc/arm/Bv9ARM-book.xml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
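Review bot: The added `CHECK(journal_seek(j, sizeof(journal_rawheader_t)));` in index_to_disk() carries no comment on why the seek is needed, and the CHANGES entry only says the journal could be corrupted. A line such as `/* The index is written directly after the raw header; reposition in case an earlier write left the file offset elsewhere. */` would record the invariant the fix depends on (that the index lives at offset sizeof(journal_rawheader_t) is inferred from the seek argument — confirm against the journal layout). index_to_disk() starts and ends outside the hunk.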
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index fdef26b578..90d5e58513 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -2,7 +2,7 @@ - + BIND 9 Administrator Reference Manual @@ -3565,7 +3565,7 @@ the server will not listen on any IPv6 address. query other name servers. query-source specifies the address and port used for such queries. For queries sent over IPv6, there is a separate query-source-v6 option. - If address is * or is omitted, +If address is * or is omitted, a wildcard IP address (INADDR_ANY) will be used. If port is * or is omitted, a random unprivileged port will be used, avoid-v4-udp-ports @@ -3579,6 +3579,9 @@ query-source-v6 address * port *; is used for both UDP and TCP queries, but the port applies only to UDP queries. TCP queries always use a random unprivileged port. + +See also transfer-source and +notify-source. Zone Transfers From da059d6dd4035c1f4736e7978065c4d51893b136 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 12 May 2004 02:46:05 +0000 Subject: [PATCH 089/146] placeholder --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index 78a6f3b569..1cdff5af40 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1632. [placeholder] rt11288 + 1631. [bug] dns_journal_compact() could sometimes corrupt the journal. [RT #11124] From 0fefeb4beb1662657aa65623b08c5bc5f8dd31d1 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 12 May 2004 02:55:09 +0000 Subject: [PATCH 090/146] regen --- doc/arm/Bv9ARM.ch06.html | 89 +++++++++++++++++++------------- doc/arm/Bv9ARM.ch07.html | 8 +-- doc/arm/Bv9ARM.ch08.html | 14 ++--- doc/arm/Bv9ARM.ch09.html | 108 +++++++++++++++++++-------------------- doc/arm/Bv9ARM.html | 38 +++++++------- 5 files changed, 137 insertions(+), 120 deletions(-) diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index eda5506b01..ab41aa75ad 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html 
@@ -94,7 +94,7 @@ HREF="Bv9ARM.ch06.html#Configuration_File_Grammar" >
6.3. Zone File
query-source-v6 option. - If address is

Note: See also transfer-source and +notify-source.

6.2.16.8. Bad UDP Port Lists

6.2.16.9. Operating System Resource Limits

6.2.16.10. Server Resource Limits

6.2.16.11. Periodic Task Intervals

6.2.19. trusted-keys

6.2.20. trusted-keys

6.2.22. view

6.2.24. zone

6.2.24.1. Zone Types

6.2.24.2. Class

6.2.24.3. Zone Options

6.3. Zone File

6.3.1.1. Resource Records

6.3.1.2. Textual expression of RRs

6.3.2. Discussion of MX Records

6.3.4. Inverse Mapping in IPv4

6.3.5. Other Zone File Directives

6.3.5.1. The $ORIGIN

6.3.5.2. The $INCLUDE

6.3.5.3. The $TTL

6.3.6. BIND

7.2. chroot

7.2. chroot

7.2.1. The chroot

7.2.2. Using the setuid

8.1. Common Problems
8.2. Incrementing and Changing the Serial Number
8.3. Where Can I Get Help?

8.1. Common Problems

8.1.1. It's not working; how can I figure out what's wrong?

8.2. Incrementing and Changing the Serial Number

8.3. Where Can I Get Help?

A.1. Acknowledgments

A.1. Acknowledgments

A.1.1. A Brief History of the DNS

Bibliography

Standards

[RFC974] 

[RFC1034] 

[RFC1035] 

[RFC2181] 

[RFC2308] 

[RFC1995] 

[RFC1996] 

[RFC2136] 

[RFC2845] 

Proposed Standards Still Under Development

[RFC1886] 

[RFC2065] 

[RFC2137] 

Other Important RFCs About DNS

[RFC1535] 

[RFC1536] 

[RFC1982] 

Resource Record Types

[RFC1183] 

[RFC1706] 

[RFC2168] 

[RFC1876] 

[RFC2052] 

[RFC2163] 

[RFC2230] 

DNS

[RFC1101] 

[RFC1123] 

[RFC1591] 

[RFC2317] 

DNS

[RFC1537] 

[RFC1912] 

[RFC2010] 

[RFC2219] 

Other DNS

[RFC1464] 

[RFC1713] 

6.2.19. trusted-keys
6.2.20. trusted-keys
6.2.22. view
6.2.24. zone
6.3. Zone File
6.3.2. Discussion of MX Records
6.3.4. Inverse Mapping in IPv4
6.3.5. Other Zone File Directives
6.3.6. BIND
7.2. chroot
7.2.1. The chroot
7.2.2. Using the setuid
8.1. Common Problems
8.1.1. It's not working; how can I figure out what's wrong?
8.2. Incrementing and Changing the Serial Number
8.3. Where Can I Get Help?
A.1. Acknowledgments
A.1.1. A Brief History of the DNS
A.3.3. Other Documents About BIND Date: Wed, 12 May 2004 04:38:21 +0000 Subject: [PATCH 091/146] placeholder --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index 1cdff5af40..674f7097c4 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1633. [placeholder] rt11331 + 1632. [placeholder] rt11288 1631. [bug] dns_journal_compact() could sometimes corrupt the From 5efa612be0471cc4e133b795db3dd3addf18ba6c Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 12 May 2004 04:48:23 +0000 Subject: [PATCH 092/146] 1632. [bug] nsupdate failed to send prerequisite only UPDATE messages. [RT #11288] --- CHANGES | 3 ++- bin/nsupdate/nsupdate.c | 11 ++++++++--- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 674f7097c4..0b2eeff51c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,7 @@ 1633. [placeholder] rt11331 -1632. [placeholder] rt11288 +1632. [bug] nsupdate failed to send prerequisite only UPDATE + messages. [RT #11288] 1631. [bug] dns_journal_compact() could sometimes corrupt the journal. [RT #11124] diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c index 46d36097a5..53777b8dfb 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: nsupdate.c,v 1.131 2004/04/10 04:03:16 marka Exp $ */ +/* $Id: nsupdate.c,v 1.132 2004/05/12 04:48:23 marka Exp $ */ #include @@ -1847,12 +1847,17 @@ start_update(void) { dns_request_t *request = NULL; dns_message_t *soaquery = NULL; dns_name_t *firstname; + dns_section_t section = DNS_SECTION_UPDATE; ddebug("start_update()"); if (answer != NULL) dns_message_destroy(&answer); - result = dns_message_firstname(updatemsg, DNS_SECTION_UPDATE); + result = dns_message_firstname(updatemsg, section); + if (result == ISC_R_NOMORE) { + section = DNS_SECTION_PREREQUISITE; + result = dns_message_firstname(updatemsg, section); + } if (result != ISC_R_SUCCESS) { done_update(); return; 
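Review bot: The new fallback in start_update() takes the zone name from the prerequisite section when the update section is empty, but neither the fallback nor the later `dns_message_currentname(updatemsg, section, &firstname)` in the second hunk say so; `/* A prerequisite-only update has an empty UPDATE section; take the zone from the first prerequisite instead. */` above `if (result == ISC_R_NOMORE)` would explain why `section` is a variable. When both sections are empty the code still calls done_update() and returns, unchanged from before. start_update() continues outside both hunks.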
@@ -1879,7 +1884,7 @@ start_update(void) { dns_rdataset_makequestion(rdataset, getzoneclass(), dns_rdatatype_soa); firstname = NULL; - dns_message_currentname(updatemsg, DNS_SECTION_UPDATE, &firstname); + dns_message_currentname(updatemsg, section, &firstname); dns_name_init(name, NULL); dns_name_clone(firstname, name); From 392cd518b3aff35c0396f84884cd51680edd68a1 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 12 May 2004 06:38:37 +0000 Subject: [PATCH 093/146] 1633. [bug] named should return NOTIMP to update requests to a slaves without a allow-update-forwarding acl specified. [RT #11331] --- CHANGES | 4 +++- bin/named/update.c | 13 ++++++++----- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/CHANGES b/CHANGES index 0b2eeff51c..b806e0ca34 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,6 @@ -1633. [placeholder] rt11331 +1633. [bug] named should return NOTIMP to update requests to a + slaves without a allow-update-forwarding acl specified. + [RT #11331] 1632. [bug] nsupdate failed to send prerequisite only UPDATE messages. [RT #11288] diff --git a/bin/named/update.c b/bin/named/update.c index 86838e4158..ee6114e0e2 100644 --- a/bin/named/update.c +++ b/bin/named/update.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: update.c,v 1.111 2004/05/05 01:32:56 marka Exp $ */ +/* $Id: update.c,v 1.112 2004/05/12 06:38:37 marka Exp $ */ #include @@ -239,7 +239,7 @@ update_log(ns_client_t *client, dns_zone_t *zone, static isc_result_t checkupdateacl(ns_client_t *client, dns_acl_t *acl, const char *message, - dns_name_t *zonename) + dns_name_t *zonename, isc_boolean_t slave) { char namebuf[DNS_NAME_FORMATSIZE]; char classbuf[DNS_RDATACLASS_FORMATSIZE]; @@ -247,6 +247,8 @@ checkupdateacl(ns_client_t *client, dns_acl_t *acl, const char *message, const char *msg = "denied"; isc_result_t result; + if (slave && acl == NULL) + return (DNS_R_NOTIMP); result = ns_client_checkaclsilent(client, acl, ISC_FALSE); if (result == ISC_R_SUCCESS) { 
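Review bot: The early `return (DNS_R_NOTIMP)` in checkupdateacl() exits before `ns_client_checkaclsilent()` and, if the function logs the outcome further down as the `msg = "denied"` initialisation suggests, before that log line too, so update attempts against a slave with no allow-update-forwarding ACL would leave no entry in the update log. If that logging exists, emitting the same message at the same level before returning (with the text saying NOTIMP rather than denied) keeps those attempts visible to operators. The new `slave` parameter is documented only by its name; a one-line comment at the declaration, `/* slave: a NULL acl means updates are not forwarded, answer NOTIMP */`, would help. The function body continues past the hunk.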
@@ -2048,7 +2050,7 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) { break; case dns_zone_slave: CHECK(checkupdateacl(client, dns_zone_getforwardacl(zone), - "update forwarding", zonename)); + "update forwarding", zonename, ISC_TRUE)); CHECK(send_forward_event(client, zone)); break; default: @@ -2257,9 +2259,10 @@ update_action(isc_task_t *task, isc_event_t *event) { result = ISC_R_SUCCESS; if (ssutable == NULL) CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone), - "update", zonename)); + "update", zonename, ISC_FALSE)); else if (client->signer == NULL) - CHECK(checkupdateacl(client, NULL, "update", zonename)); + CHECK(checkupdateacl(client, NULL, "update", zonename, + ISC_FALSE)); if (dns_zone_getupdatedisabled(zone)) FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled"); From f620c5e527746a2ec3d90a11d21abd8a114746df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?= Date: Wed, 12 May 2004 07:04:58 +0000 Subject: [PATCH 094/146] 1630. [contrib] queryperf: add support for IPv6 transport. --- CHANGES | 2 +- contrib/queryperf/Makefile.in | 12 +- contrib/queryperf/configure | 3527 +++++++++++++++++++++++++------- contrib/queryperf/configure.in | 24 +- contrib/queryperf/queryperf.c | 388 +++- 5 files changed, 3128 insertions(+), 825 deletions(-) diff --git a/CHANGES b/CHANGES index b806e0ca34..758dbacb76 100644 --- a/CHANGES +++ b/CHANGES @@ -8,7 +8,7 @@ 1631. [bug] dns_journal_compact() could sometimes corrupt the journal. [RT #11124] -1630. [placeholder] queryperf-v6 +1630. [contrib] queryperf: add support for IPv6 transport. 1629. [placeholder] rt8753 diff --git a/contrib/queryperf/Makefile.in b/contrib/queryperf/Makefile.in index 2ed19a4736..5e49e49c34 100644 --- a/contrib/queryperf/Makefile.in +++ b/contrib/queryperf/Makefile.in 
@@ -1,15 +1,23 @@ # Copyright (C) 2000, 2001 Nominum, Inc. All Rights Reserved. CC = @CC@ +LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ DEFS = @DEFS@ -queryperf: queryperf.o - $(CC) $(CFLAGS) $(DEFS) queryperf.o $(LIBS) -lm -o queryperf +queryperf: queryperf.o $(LIBOBJS) + $(CC) $(CFLAGS) $(DEFS) queryperf.o $(LIBOBJS) $(LIBS) -lm -o queryperf queryperf.o: queryperf.c $(CC) $(CFLAGS) $(DEFS) -c queryperf.c +# under missing subdir +getaddrinfo.o: ./missing/getaddrinfo.c + $(CC) $(CFLAGS) -c ./missing/$*.c + +getnameinfo.o: ./missing/getnameinfo.c + $(CC) $(CFLAGS) -c ./missing/$*.c + clean: rm -f *.o queryperf diff --git a/contrib/queryperf/configure b/contrib/queryperf/configure index fb750cb1cc..89f5697867 100755 --- a/contrib/queryperf/configure +++ b/contrib/queryperf/configure 
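Review bot: The two new rules under `# under missing subdir` compile without `$(DEFS)`, unlike the `queryperf.o` rule just above, so any macros configure writes into DEFS are invisible to the replacement getaddrinfo.c and getnameinfo.c; they also rely on `$*` inside an explicit rule, which GNU make documents as a SysV-compatibility feature rather than portable make. Spelling the source out, `$(CC) $(CFLAGS) $(DEFS) -c ./missing/getaddrinfo.c` and `$(CC) $(CFLAGS) $(DEFS) -c ./missing/getnameinfo.c`, fixes both; whether the missing/ sources actually depend on DEFS is not visible here.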
@@ -1,26 +1,273 @@ #! /bin/sh - # Guess values for system-dependent variables and create Makefiles. -# Generated automatically using autoconf version 2.13 -# Copyright (C) 1992, 93, 94, 95, 96 Free Software Foundation, Inc. +# Generated by GNU Autoconf 2.53. # +# Copyright 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, 2002 +# Free Software Foundation, Inc. # This configure script is free software; the Free Software Foundation # gives unlimited permission to copy, distribute and modify it. -# Defaults: -ac_help= +if expr a : '\(a\)' >/dev/null 2>&1; then + as_expr=expr +else + as_expr=false +fi + + +## --------------------- ## +## M4sh Initialization. ## +## --------------------- ## + +# Be Bourne compatible +if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then + emulate sh + NULLCMD=: +elif test -n "${BASH_VERSION+set}" && (set -o posix) >/dev/null 2>&1; then + set -o posix +fi + +# NLS nuisances. +# Support unset when possible. +if (FOO=FOO; unset FOO) >/dev/null 2>&1; then + as_unset=unset +else + as_unset=false +fi + +(set +x; test -n "`(LANG=C; export LANG) 2>&1`") && + { $as_unset LANG || test "${LANG+set}" != set; } || + { LANG=C; export LANG; } +(set +x; test -n "`(LC_ALL=C; export LC_ALL) 2>&1`") && + { $as_unset LC_ALL || test "${LC_ALL+set}" != set; } || + { LC_ALL=C; export LC_ALL; } +(set +x; test -n "`(LC_TIME=C; export LC_TIME) 2>&1`") && + { $as_unset LC_TIME || test "${LC_TIME+set}" != set; } || + { LC_TIME=C; export LC_TIME; } +(set +x; test -n "`(LC_CTYPE=C; export LC_CTYPE) 2>&1`") && + { $as_unset LC_CTYPE || test "${LC_CTYPE+set}" != set; } || + { LC_CTYPE=C; export LC_CTYPE; } +(set +x; test -n "`(LANGUAGE=C; export LANGUAGE) 2>&1`") && + { $as_unset LANGUAGE || test "${LANGUAGE+set}" != set; } || + { LANGUAGE=C; export LANGUAGE; } +(set +x; test -n "`(LC_COLLATE=C; export LC_COLLATE) 2>&1`") && + { $as_unset LC_COLLATE || test "${LC_COLLATE+set}" != set; } || + { LC_COLLATE=C; export LC_COLLATE; } +(set +x; test -n 
"`(LC_NUMERIC=C; export LC_NUMERIC) 2>&1`") && + { $as_unset LC_NUMERIC || test "${LC_NUMERIC+set}" != set; } || + { LC_NUMERIC=C; export LC_NUMERIC; } +(set +x; test -n "`(LC_MESSAGES=C; export LC_MESSAGES) 2>&1`") && + { $as_unset LC_MESSAGES || test "${LC_MESSAGES+set}" != set; } || + { LC_MESSAGES=C; export LC_MESSAGES; } + + +# Name of the executable. +as_me=`(basename "$0") 2>/dev/null || +$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ + X"$0" : 'X\(//\)$' \| \ + X"$0" : 'X\(/\)$' \| \ + . : '\(.\)' 2>/dev/null || +echo X/"$0" | + sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/; q; } + /^X\/\(\/\/\)$/{ s//\1/; q; } + /^X\/\(\/\).*/{ s//\1/; q; } + s/.*/./; q'` + +# PATH needs CR, and LINENO needs CR and PATH. +# Avoid depending upon Character Ranges. +as_cr_letters='abcdefghijklmnopqrstuvwxyz' +as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' +as_cr_Letters=$as_cr_letters$as_cr_LETTERS +as_cr_digits='0123456789' +as_cr_alnum=$as_cr_Letters$as_cr_digits + +# The user is always right. +if test "${PATH_SEPARATOR+set}" != set; then + echo "#! /bin/sh" >conftest.sh + echo "exit 0" >>conftest.sh + chmod +x conftest.sh + if (PATH=".;."; conftest.sh) >/dev/null 2>&1; then + PATH_SEPARATOR=';' + else + PATH_SEPARATOR=: + fi + rm -f conftest.sh +fi + + + as_lineno_1=$LINENO + as_lineno_2=$LINENO + as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null` + test "x$as_lineno_1" != "x$as_lineno_2" && + test "x$as_lineno_3" = "x$as_lineno_2" || { + # Find who we are. Look in the path if we contain no path at all + # relative or not. + case $0 in + *[\\/]* ) as_myself=$0 ;; + *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break +done + + ;; + esac + # We did not find ourselves, most probably we were run as `sh COMMAND' + # in which case we are not to be found in the path. + if test "x$as_myself" = x; then + as_myself=$0 + fi + if test ! 
-f "$as_myself"; then + { echo "$as_me: error: cannot find myself; rerun with an absolute path" >&2 + { (exit 1); exit 1; }; } + fi + case $CONFIG_SHELL in + '') + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for as_base in sh bash ksh sh5; do + case $as_dir in + /*) + if ("$as_dir/$as_base" -c ' + as_lineno_1=$LINENO + as_lineno_2=$LINENO + as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null` + test "x$as_lineno_1" != "x$as_lineno_2" && + test "x$as_lineno_3" = "x$as_lineno_2" ') 2>/dev/null; then + CONFIG_SHELL=$as_dir/$as_base + export CONFIG_SHELL + exec "$CONFIG_SHELL" "$0" ${1+"$@"} + fi;; + esac + done +done +;; + esac + + # Create $as_me.lineno as a copy of $as_myself, but with $LINENO + # uniformly replaced by the line number. The first 'sed' inserts a + # line-number line before each line; the second 'sed' does the real + # work. The second script uses 'N' to pair each line-number line + # with the numbered line, and appends trailing '-' during + # substitution so that $LINENO is not a special case at line end. + # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the + # second 'sed' script. Blame Lee E. McMahon for sed's syntax. :-) + sed '=' <$as_myself | + sed ' + N + s,$,-, + : loop + s,^\(['$as_cr_digits']*\)\(.*\)[$]LINENO\([^'$as_cr_alnum'_]\),\1\2\1\3, + t loop + s,-$,, + s,^['$as_cr_digits']*\n,, + ' >$as_me.lineno && + chmod +x $as_me.lineno || + { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2 + { (exit 1); exit 1; }; } + + # Don't try to exec as it changes $[0], causing all sort of problems + # (the dirname of $[0] is not the place where we might find the + # original and so on. Autoconf is especially sensible to this). + . ./$as_me.lineno + # Exit status is that of the last command. 
+ exit +} + + +case `echo "testing\c"; echo 1,2,3`,`echo -n testing; echo 1,2,3` in + *c*,-n*) ECHO_N= ECHO_C=' +' ECHO_T=' ' ;; + *c*,* ) ECHO_N=-n ECHO_C= ECHO_T= ;; + *) ECHO_N= ECHO_C='\c' ECHO_T= ;; +esac + +if expr a : '\(a\)' >/dev/null 2>&1; then + as_expr=expr +else + as_expr=false +fi + +rm -f conf$$ conf$$.exe conf$$.file +echo >conf$$.file +if ln -s conf$$.file conf$$ 2>/dev/null; then + # We could just check for DJGPP; but this test a) works b) is more generic + # and c) will remain valid once DJGPP supports symlinks (DJGPP 2.04). + if test -f conf$$.exe; then + # Don't use ln at all; we don't have any links + as_ln_s='cp -p' + else + as_ln_s='ln -s' + fi +elif ln conf$$.file conf$$ 2>/dev/null; then + as_ln_s=ln +else + as_ln_s='cp -p' +fi +rm -f conf$$ conf$$.exe conf$$.file + +as_executable_p="test -f" + +# Sed expression to map a string onto a valid CPP name. +as_tr_cpp="sed y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g" + +# Sed expression to map a string onto a valid variable name. +as_tr_sh="sed y%*+%pp%;s%[^_$as_cr_alnum]%_%g" + + +# IFS +# We need space, tab and new line, in precisely that order. +as_nl=' +' +IFS=" $as_nl" + +# CDPATH. +$as_unset CDPATH || test "${CDPATH+set}" != set || { CDPATH=$PATH_SEPARATOR; export CDPATH; } + + +# Name of the host. +# hostname on some systems (SVR3.2, Linux) returns a bogus exit status, +# so uname gets run too. +ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q` + +exec 6>&1 + +# +# Initializations. +# ac_default_prefix=/usr/local -# Any additions from configure.in: +cross_compiling=no +subdirs= +MFLAGS= +MAKEFLAGS= +SHELL=${CONFIG_SHELL-/bin/sh} + +# Maximum number of lines to put in a shell here document. +# This variable seems obsolete. It should probably be removed, and +# only ac_max_sed_lines should be used. +: ${ac_max_here_lines=38} + +# Identity of this package. 
+PACKAGE_NAME= +PACKAGE_TARNAME= +PACKAGE_VERSION= +PACKAGE_STRING= +PACKAGE_BUGREPORT= + +ac_unique_file="queryperf.c" # Initialize some variables set by options. +ac_init_help= +ac_init_version=false # The variables have the same names as the options, with # dashes changed to underlines. -build=NONE -cache_file=./config.cache +cache_file=/dev/null exec_prefix=NONE -host=NONE no_create= -nonopt=NONE no_recursion= prefix=NONE program_prefix=NONE @@ -29,10 +276,15 @@ program_transform_name=s,x,x, silent= site= srcdir= -target=NONE verbose= x_includes=NONE x_libraries=NONE + +# Installation directory options. +# These are left unexpanded so users can "make install exec_prefix=/foo" +# and all the variables that are supposed to be based on exec_prefix +# by default will actually change. +# Use braces instead of parens because sh, perl, etc. also accept them. bindir='${exec_prefix}/bin' sbindir='${exec_prefix}/sbin' libexecdir='${exec_prefix}/libexec' @@ -46,17 +298,9 @@ oldincludedir='/usr/include' infodir='${prefix}/info' mandir='${prefix}/man' -# Initialize some other variables. -subdirs= -MFLAGS= MAKEFLAGS= -SHELL=${CONFIG_SHELL-/bin/sh} -# Maximum number of lines to put in a shell here document. -ac_max_here_lines=12 - ac_prev= for ac_option do - # If the previous option needs an argument, assign it. if test -n "$ac_prev"; then eval "$ac_prev=\$ac_option" 
@@ -64,59 +308,59 @@ do continue fi - case "$ac_option" in - -*=*) ac_optarg=`echo "$ac_option" | sed 's/[-_a-zA-Z0-9]*=//'` ;; - *) ac_optarg= ;; - esac + ac_optarg=`expr "x$ac_option" : 'x[^=]*=\(.*\)'` # Accept the important Cygnus configure options, so we can diagnose typos. - case "$ac_option" in + case $ac_option in -bindir | --bindir | --bindi | --bind | --bin | --bi) ac_prev=bindir ;; -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*) - bindir="$ac_optarg" ;; + bindir=$ac_optarg ;; -build | --build | --buil | --bui | --bu) - ac_prev=build ;; + ac_prev=build_alias ;; -build=* | --build=* | --buil=* | --bui=* | --bu=*) - build="$ac_optarg" ;; + build_alias=$ac_optarg ;; -cache-file | --cache-file | --cache-fil | --cache-fi \ | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c) ac_prev=cache_file ;; -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \ | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*) - cache_file="$ac_optarg" ;; + cache_file=$ac_optarg ;; + + --config-cache | -C) + cache_file=config.cache ;; -datadir | --datadir | --datadi | --datad | --data | --dat | --da) ac_prev=datadir ;; -datadir=* | --datadir=* | --datadi=* | --datad=* | --data=* | --dat=* \ | --da=*) - datadir="$ac_optarg" ;; + datadir=$ac_optarg ;; -disable-* | --disable-*) - ac_feature=`echo $ac_option|sed -e 's/-*disable-//'` + ac_feature=`expr "x$ac_option" : 'x-*disable-\(.*\)'` # Reject names that are not valid shell variable names. 
- if test -n "`echo $ac_feature| sed 's/[-a-zA-Z0-9_]//g'`"; then - { echo "configure: error: $ac_feature: invalid feature name" 1>&2; exit 1; } - fi - ac_feature=`echo $ac_feature| sed 's/-/_/g'` - eval "enable_${ac_feature}=no" ;; + expr "x$ac_feature" : ".*[^-_$as_cr_alnum]" >/dev/null && + { echo "$as_me: error: invalid feature name: $ac_feature" >&2 + { (exit 1); exit 1; }; } + ac_feature=`echo $ac_feature | sed 's/-/_/g'` + eval "enable_$ac_feature=no" ;; -enable-* | --enable-*) - ac_feature=`echo $ac_option|sed -e 's/-*enable-//' -e 's/=.*//'` + ac_feature=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'` # Reject names that are not valid shell variable names. - if test -n "`echo $ac_feature| sed 's/[-_a-zA-Z0-9]//g'`"; then - { echo "configure: error: $ac_feature: invalid feature name" 1>&2; exit 1; } - fi - ac_feature=`echo $ac_feature| sed 's/-/_/g'` - case "$ac_option" in - *=*) ;; + expr "x$ac_feature" : ".*[^-_$as_cr_alnum]" >/dev/null && + { echo "$as_me: error: invalid feature name: $ac_feature" >&2 + { (exit 1); exit 1; }; } + ac_feature=`echo $ac_feature | sed 's/-/_/g'` + case $ac_option in + *=*) ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"`;; *) ac_optarg=yes ;; esac - eval "enable_${ac_feature}='$ac_optarg'" ;; + eval "enable_$ac_feature='$ac_optarg'" ;; -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \ | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \ 
@@ -125,95 +369,47 @@ do -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \ | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \ | --exec=* | --exe=* | --ex=*) - exec_prefix="$ac_optarg" ;; + exec_prefix=$ac_optarg ;; -gas | --gas | --ga | --g) # Obsolete; use --with-gas. with_gas=yes ;; - -help | --help | --hel | --he) - # Omit some internal or obsolete options to make the list less imposing. - # This message is too long to be a string in the A/UX 3.1 sh. - cat << EOF -Usage: configure [options] [host] -Options: [defaults in brackets after descriptions] -Configuration: - --cache-file=FILE cache test results in FILE - --help print this message - --no-create do not create output files - --quiet, --silent do not print \`checking...' messages - --version print the version of autoconf that created configure -Directory and file names: - --prefix=PREFIX install architecture-independent files in PREFIX - [$ac_default_prefix] - --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX - [same as prefix] - --bindir=DIR user executables in DIR [EPREFIX/bin] - --sbindir=DIR system admin executables in DIR [EPREFIX/sbin] - --libexecdir=DIR program executables in DIR [EPREFIX/libexec] - --datadir=DIR read-only architecture-independent data in DIR - [PREFIX/share] - --sysconfdir=DIR read-only single-machine data in DIR [PREFIX/etc] - --sharedstatedir=DIR modifiable architecture-independent data in DIR - [PREFIX/com] - --localstatedir=DIR modifiable single-machine data in DIR [PREFIX/var] - --libdir=DIR object code libraries in DIR [EPREFIX/lib] - --includedir=DIR C header files in DIR [PREFIX/include] - --oldincludedir=DIR C header files for non-gcc in DIR [/usr/include] - --infodir=DIR info documentation in DIR [PREFIX/info] - --mandir=DIR man documentation in DIR [PREFIX/man] - --srcdir=DIR find the sources in DIR [configure dir or ..] 
- --program-prefix=PREFIX prepend PREFIX to installed program names - --program-suffix=SUFFIX append SUFFIX to installed program names - --program-transform-name=PROGRAM - run sed PROGRAM on installed program names -EOF - cat << EOF -Host type: - --build=BUILD configure for building on BUILD [BUILD=HOST] - --host=HOST configure for HOST [guessed] - --target=TARGET configure for TARGET [TARGET=HOST] -Features and packages: - --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) - --enable-FEATURE[=ARG] include FEATURE [ARG=yes] - --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] - --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) - --x-includes=DIR X include files are in DIR - --x-libraries=DIR X library files are in DIR -EOF - if test -n "$ac_help"; then - echo "--enable and --with options recognized:$ac_help" - fi - exit 0 ;; + -help | --help | --hel | --he | -h) + ac_init_help=long ;; + -help=r* | --help=r* | --hel=r* | --he=r* | -hr*) + ac_init_help=recursive ;; + -help=s* | --help=s* | --hel=s* | --he=s* | -hs*) + ac_init_help=short ;; -host | --host | --hos | --ho) - ac_prev=host ;; + ac_prev=host_alias ;; -host=* | --host=* | --hos=* | --ho=*) - host="$ac_optarg" ;; + host_alias=$ac_optarg ;; -includedir | --includedir | --includedi | --included | --include \ | --includ | --inclu | --incl | --inc) ac_prev=includedir ;; -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \ | --includ=* | --inclu=* | --incl=* | --inc=*) - includedir="$ac_optarg" ;; + includedir=$ac_optarg ;; -infodir | --infodir | --infodi | --infod | --info | --inf) ac_prev=infodir ;; -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*) - infodir="$ac_optarg" ;; + infodir=$ac_optarg ;; -libdir | --libdir | --libdi | --libd) ac_prev=libdir ;; -libdir=* | --libdir=* | --libdi=* | --libd=*) - libdir="$ac_optarg" ;; + libdir=$ac_optarg ;; -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \ | --libexe | --libex | 
--libe) ac_prev=libexecdir ;; -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \ | --libexe=* | --libex=* | --libe=*) - libexecdir="$ac_optarg" ;; + libexecdir=$ac_optarg ;; -localstatedir | --localstatedir | --localstatedi | --localstated \ | --localstate | --localstat | --localsta | --localst \ @@ -222,19 +418,19 @@ EOF -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \ | --localstate=* | --localstat=* | --localsta=* | --localst=* \ | --locals=* | --local=* | --loca=* | --loc=* | --lo=*) - localstatedir="$ac_optarg" ;; + localstatedir=$ac_optarg ;; -mandir | --mandir | --mandi | --mand | --man | --ma | --m) ac_prev=mandir ;; -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*) - mandir="$ac_optarg" ;; + mandir=$ac_optarg ;; -nfp | --nfp | --nf) # Obsolete; use --without-fp. with_fp=no ;; -no-create | --no-create | --no-creat | --no-crea | --no-cre \ - | --no-cr | --no-c) + | --no-cr | --no-c | -n) no_create=yes ;; -no-recursion | --no-recursion | --no-recursio | --no-recursi \ 
@@ -248,26 +444,26 @@ EOF -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \ | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \ | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*) - oldincludedir="$ac_optarg" ;; + oldincludedir=$ac_optarg ;; -prefix | --prefix | --prefi | --pref | --pre | --pr | --p) ac_prev=prefix ;; -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*) - prefix="$ac_optarg" ;; + prefix=$ac_optarg ;; -program-prefix | --program-prefix | --program-prefi | --program-pref \ | --program-pre | --program-pr | --program-p) ac_prev=program_prefix ;; -program-prefix=* | --program-prefix=* | --program-prefi=* \ | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*) - program_prefix="$ac_optarg" ;; + program_prefix=$ac_optarg ;; -program-suffix | --program-suffix | --program-suffi | --program-suff \ | --program-suf | --program-su | --program-s) ac_prev=program_suffix ;; -program-suffix=* | --program-suffix=* | --program-suffi=* \ | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*) - program_suffix="$ac_optarg" ;; + program_suffix=$ac_optarg ;; -program-transform-name | --program-transform-name \ | --program-transform-nam | --program-transform-na \ @@ -284,7 +480,7 @@ EOF | --program-transfo=* | --program-transf=* \ | --program-trans=* | --program-tran=* \ | --progr-tra=* | --program-tr=* | --program-t=*) - program_transform_name="$ac_optarg" ;; + program_transform_name=$ac_optarg ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil) @@ -294,7 +490,7 @@ EOF ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ | --sbi=* | --sb=*) - sbindir="$ac_optarg" ;; + sbindir=$ac_optarg ;; -sharedstatedir | --sharedstatedir | --sharedstatedi \ | --sharedstated | --sharedstate | --sharedstat | --sharedsta \ 
@@ -305,58 +501,57 @@ EOF | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \ | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \ | --sha=* | --sh=*) - sharedstatedir="$ac_optarg" ;; + sharedstatedir=$ac_optarg ;; -site | --site | --sit) ac_prev=site ;; -site=* | --site=* | --sit=*) - site="$ac_optarg" ;; + site=$ac_optarg ;; -srcdir | --srcdir | --srcdi | --srcd | --src | --sr) ac_prev=srcdir ;; -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*) - srcdir="$ac_optarg" ;; + srcdir=$ac_optarg ;; -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \ | --syscon | --sysco | --sysc | --sys | --sy) ac_prev=sysconfdir ;; -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \ | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*) - sysconfdir="$ac_optarg" ;; + sysconfdir=$ac_optarg ;; -target | --target | --targe | --targ | --tar | --ta | --t) - ac_prev=target ;; + ac_prev=target_alias ;; -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*) - target="$ac_optarg" ;; + target_alias=$ac_optarg ;; -v | -verbose | --verbose | --verbos | --verbo | --verb) verbose=yes ;; - -version | --version | --versio | --versi | --vers) - echo "configure generated by autoconf version 2.13" - exit 0 ;; + -version | --version | --versio | --versi | --vers | -V) + ac_init_version=: ;; -with-* | --with-*) - ac_package=`echo $ac_option|sed -e 's/-*with-//' -e 's/=.*//'` + ac_package=`expr "x$ac_option" : 'x-*with-\([^=]*\)'` # Reject names that are not valid shell variable names. 
- if test -n "`echo $ac_package| sed 's/[-_a-zA-Z0-9]//g'`"; then - { echo "configure: error: $ac_package: invalid package name" 1>&2; exit 1; } - fi + expr "x$ac_package" : ".*[^-_$as_cr_alnum]" >/dev/null && + { echo "$as_me: error: invalid package name: $ac_package" >&2 + { (exit 1); exit 1; }; } ac_package=`echo $ac_package| sed 's/-/_/g'` - case "$ac_option" in - *=*) ;; + case $ac_option in + *=*) ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"`;; *) ac_optarg=yes ;; esac - eval "with_${ac_package}='$ac_optarg'" ;; + eval "with_$ac_package='$ac_optarg'" ;; -without-* | --without-*) - ac_package=`echo $ac_option|sed -e 's/-*without-//'` + ac_package=`expr "x$ac_option" : 'x-*without-\(.*\)'` # Reject names that are not valid shell variable names. - if test -n "`echo $ac_package| sed 's/[-a-zA-Z0-9_]//g'`"; then - { echo "configure: error: $ac_package: invalid package name" 1>&2; exit 1; } - fi - ac_package=`echo $ac_package| sed 's/-/_/g'` - eval "with_${ac_package}=no" ;; + expr "x$ac_package" : ".*[^-_$as_cr_alnum]" >/dev/null && + { echo "$as_me: error: invalid package name: $ac_package" >&2 + { (exit 1); exit 1; }; } + ac_package=`echo $ac_package | sed 's/-/_/g'` + eval "with_$ac_package=no" ;; --x) # Obsolete; use --with-x. 
@@ -367,99 +562,110 @@ EOF ac_prev=x_includes ;; -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \ | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*) - x_includes="$ac_optarg" ;; + x_includes=$ac_optarg ;; -x-libraries | --x-libraries | --x-librarie | --x-librari \ | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l) ac_prev=x_libraries ;; -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \ | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*) - x_libraries="$ac_optarg" ;; + x_libraries=$ac_optarg ;; - -*) { echo "configure: error: $ac_option: invalid option; use --help to show usage" 1>&2; exit 1; } + -*) { echo "$as_me: error: unrecognized option: $ac_option +Try \`$0 --help' for more information." >&2 + { (exit 1); exit 1; }; } ;; + *=*) + ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='` + # Reject names that are not valid shell variable names. + expr "x$ac_envvar" : ".*[^_$as_cr_alnum]" >/dev/null && + { echo "$as_me: error: invalid variable name: $ac_envvar" >&2 + { (exit 1); exit 1; }; } + ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` + eval "$ac_envvar='$ac_optarg'" + export $ac_envvar ;; + *) - if test -n "`echo $ac_option| sed 's/[-a-z0-9.]//g'`"; then - echo "configure: warning: $ac_option: invalid host type" 1>&2 - fi - if test "x$nonopt" != xNONE; then - { echo "configure: error: can only configure for one host and one target at a time" 1>&2; exit 1; } - fi - nonopt="$ac_option" + # FIXME: should be removed in autoconf 3.0. 
+ echo "$as_me: WARNING: you should use --build, --host, --target" >&2 + expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null && + echo "$as_me: WARNING: invalid host type: $ac_option" >&2 + : ${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option} ;; esac done if test -n "$ac_prev"; then - { echo "configure: error: missing argument to --`echo $ac_prev | sed 's/_/-/g'`" 1>&2; exit 1; } + ac_option=--`echo $ac_prev | sed 's/_/-/g'` + { echo "$as_me: error: missing argument to $ac_option" >&2 + { (exit 1); exit 1; }; } fi -trap 'rm -fr conftest* confdefs* core core.* *.core $ac_clean_files; exit 1' 1 2 15 - -# File descriptor usage: -# 0 standard input -# 1 file creation -# 2 errors and warnings -# 3 some systems may open it to /dev/tty -# 4 used on the Kubota Titan -# 6 checking for... messages and results -# 5 compiler messages saved in config.log -if test "$silent" = yes; then - exec 6>/dev/null -else - exec 6>&1 -fi -exec 5>./config.log - -echo "\ -This file contains any messages produced by compilers while -running configure, to aid debugging if configure makes a mistake. -" 1>&5 - -# Strip out --no-create and --no-recursion so they do not pile up. -# Also quote any args containing shell metacharacters. -ac_configure_args= -for ac_arg +# Be sure to have absolute paths. 
+for ac_var in exec_prefix prefix do - case "$ac_arg" in - -no-create | --no-create | --no-creat | --no-crea | --no-cre \ - | --no-cr | --no-c) ;; - -no-recursion | --no-recursion | --no-recursio | --no-recursi \ - | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) ;; - *" "*|*" "*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?]*) - ac_configure_args="$ac_configure_args '$ac_arg'" ;; - *) ac_configure_args="$ac_configure_args $ac_arg" ;; + eval ac_val=$`echo $ac_var` + case $ac_val in + [\\/$]* | ?:[\\/]* | NONE | '' ) ;; + *) { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2 + { (exit 1); exit 1; }; };; esac done -# NLS nuisances. -# Only set these to C if already set. These must not be set unconditionally -# because not all systems understand e.g. LANG=C (notably SCO). -# Fixing LC_MESSAGES prevents Solaris sh from translating var values in `set'! -# Non-C LC_CTYPE values break the ctype check. -if test "${LANG+set}" = set; then LANG=C; export LANG; fi -if test "${LC_ALL+set}" = set; then LC_ALL=C; export LC_ALL; fi -if test "${LC_MESSAGES+set}" = set; then LC_MESSAGES=C; export LC_MESSAGES; fi -if test "${LC_CTYPE+set}" = set; then LC_CTYPE=C; export LC_CTYPE; fi +# Be sure to have absolute paths. +for ac_var in bindir sbindir libexecdir datadir sysconfdir sharedstatedir \ + localstatedir libdir includedir oldincludedir infodir mandir +do + eval ac_val=$`echo $ac_var` + case $ac_val in + [\\/$]* | ?:[\\/]* ) ;; + *) { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2 + { (exit 1); exit 1; }; };; + esac +done -# confdefs.h avoids OS command line length limits that DEFS can exceed. -rm -rf conftest* confdefs.h -# AIX cpp loses on an empty file, so make sure it contains at least a newline. -echo > confdefs.h +# There might be people who depend on the old broken behavior: `$host' +# used to hold the argument of --host etc. +# FIXME: To remove some day. 
+build=$build_alias +host=$host_alias +target=$target_alias + +# FIXME: To remove some day. +if test "x$host_alias" != x; then + if test "x$build_alias" = x; then + cross_compiling=maybe + echo "$as_me: WARNING: If you wanted to set the --build type, don't use --host. + If a cross compiler is detected then cross compile mode will be used." >&2 + elif test "x$build_alias" != "x$host_alias"; then + cross_compiling=yes + fi +fi + +ac_tool_prefix= +test -n "$host_alias" && ac_tool_prefix=$host_alias- + +test "$silent" = yes && exec 6>/dev/null -# A filename unique to this package, relative to the directory that -# configure is in, which we can look for to find out if srcdir is correct. -ac_unique_file=queryperf.c # Find the source files, if location was not specified. if test -z "$srcdir"; then ac_srcdir_defaulted=yes # Try the directory containing this script, then its parent. - ac_prog=$0 - ac_confdir=`echo $ac_prog|sed 's%/[^/][^/]*$%%'` - test "x$ac_confdir" = "x$ac_prog" && ac_confdir=. + ac_confdir=`(dirname "$0") 2>/dev/null || +$as_expr X"$0" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$0" : 'X\(//\)[^/]' \| \ + X"$0" : 'X\(//\)$' \| \ + X"$0" : 'X\(/\)' \| \ + . : '\(.\)' 2>/dev/null || +echo X"$0" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; } + /^X\(\/\/\)[^/].*/{ s//\1/; q; } + /^X\(\/\/\)$/{ s//\1/; q; } + /^X\(\/\).*/{ s//\1/; q; } + s/.*/./; q'` srcdir=$ac_confdir if test ! -r $srcdir/$ac_unique_file; then srcdir=.. 
@@ -469,13 +675,357 @@ else fi if test ! -r $srcdir/$ac_unique_file; then if test "$ac_srcdir_defaulted" = yes; then - { echo "configure: error: can not find sources in $ac_confdir or .." 1>&2; exit 1; } + { echo "$as_me: error: cannot find sources ($ac_unique_file) in $ac_confdir or .." >&2 + { (exit 1); exit 1; }; } else - { echo "configure: error: can not find sources in $srcdir" 1>&2; exit 1; } + { echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2 + { (exit 1); exit 1; }; } fi fi -srcdir=`echo "${srcdir}" | sed 's%\([^/]\)/*$%\1%'` +srcdir=`echo "$srcdir" | sed 's%\([^\\/]\)[\\/]*$%\1%'` +ac_env_build_alias_set=${build_alias+set} +ac_env_build_alias_value=$build_alias +ac_cv_env_build_alias_set=${build_alias+set} +ac_cv_env_build_alias_value=$build_alias +ac_env_host_alias_set=${host_alias+set} +ac_env_host_alias_value=$host_alias +ac_cv_env_host_alias_set=${host_alias+set} +ac_cv_env_host_alias_value=$host_alias +ac_env_target_alias_set=${target_alias+set} +ac_env_target_alias_value=$target_alias +ac_cv_env_target_alias_set=${target_alias+set} +ac_cv_env_target_alias_value=$target_alias +ac_env_CC_set=${CC+set} +ac_env_CC_value=$CC +ac_cv_env_CC_set=${CC+set} +ac_cv_env_CC_value=$CC +ac_env_CFLAGS_set=${CFLAGS+set} +ac_env_CFLAGS_value=$CFLAGS +ac_cv_env_CFLAGS_set=${CFLAGS+set} +ac_cv_env_CFLAGS_value=$CFLAGS +ac_env_LDFLAGS_set=${LDFLAGS+set} +ac_env_LDFLAGS_value=$LDFLAGS +ac_cv_env_LDFLAGS_set=${LDFLAGS+set} +ac_cv_env_LDFLAGS_value=$LDFLAGS +ac_env_CPPFLAGS_set=${CPPFLAGS+set} +ac_env_CPPFLAGS_value=$CPPFLAGS +ac_cv_env_CPPFLAGS_set=${CPPFLAGS+set} +ac_cv_env_CPPFLAGS_value=$CPPFLAGS +# +# Report the --help message. +# +if test "$ac_init_help" = "long"; then + # Omit some internal or obsolete options to make the list less imposing. + # This message is too long to be a string in the A/UX 3.1 sh. + cat <<_ACEOF +\`configure' configures this package to adapt to many kinds of systems. + +Usage: $0 [OPTION]... [VAR=VALUE]... 
+ +To assign environment variables (e.g., CC, CFLAGS...), specify them as +VAR=VALUE. See below for descriptions of some of the useful variables. + +Defaults for the options are specified in brackets. + +Configuration: + -h, --help display this help and exit + --help=short display options specific to this package + --help=recursive display the short help of all the included packages + -V, --version display version information and exit + -q, --quiet, --silent do not print \`checking...' messages + --cache-file=FILE cache test results in FILE [disabled] + -C, --config-cache alias for \`--cache-file=config.cache' + -n, --no-create do not create output files + --srcdir=DIR find the sources in DIR [configure dir or \`..'] + +_ACEOF + + cat <<_ACEOF +Installation directories: + --prefix=PREFIX install architecture-independent files in PREFIX + [$ac_default_prefix] + --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX + [PREFIX] + +By default, \`make install' will install all the files in +\`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc. You can specify +an installation prefix other than \`$ac_default_prefix' using \`--prefix', +for instance \`--prefix=\$HOME'. + +For better control, use the options below. 
+ +Fine tuning of the installation directories: + --bindir=DIR user executables [EPREFIX/bin] + --sbindir=DIR system admin executables [EPREFIX/sbin] + --libexecdir=DIR program executables [EPREFIX/libexec] + --datadir=DIR read-only architecture-independent data [PREFIX/share] + --sysconfdir=DIR read-only single-machine data [PREFIX/etc] + --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] + --localstatedir=DIR modifiable single-machine data [PREFIX/var] + --libdir=DIR object code libraries [EPREFIX/lib] + --includedir=DIR C header files [PREFIX/include] + --oldincludedir=DIR C header files for non-gcc [/usr/include] + --infodir=DIR info documentation [PREFIX/info] + --mandir=DIR man documentation [PREFIX/man] +_ACEOF + + cat <<\_ACEOF +_ACEOF +fi + +if test -n "$ac_init_help"; then + + cat <<\_ACEOF + +Some influential environment variables: + CC C compiler command + CFLAGS C compiler flags + LDFLAGS linker flags, e.g. -L if you have libraries in a + nonstandard directory + CPPFLAGS C/C++ preprocessor flags, e.g. -I if you have + headers in a nonstandard directory + +Use these variables to override the choices made by `configure' or to help +it to find libraries and programs with nonstandard names/locations. + +_ACEOF +fi + +if test "$ac_init_help" = "recursive"; then + # If there are subdirs, report their specific --help. + ac_popdir=`pwd` + for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue + test -d $ac_dir || continue + ac_builddir=. + +if test "$ac_dir" != .; then + ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'` + # A "../" for each directory in $ac_dir_suffix. + ac_top_builddir=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,../,g'` +else + ac_dir_suffix= ac_top_builddir= +fi + +case $srcdir in + .) # No --srcdir option. We are building in place. + ac_srcdir=. + if test -z "$ac_top_builddir"; then + ac_top_srcdir=. 
+ else + ac_top_srcdir=`echo $ac_top_builddir | sed 's,/$,,'` + fi ;; + [\\/]* | ?:[\\/]* ) # Absolute path. + ac_srcdir=$srcdir$ac_dir_suffix; + ac_top_srcdir=$srcdir ;; + *) # Relative path. + ac_srcdir=$ac_top_builddir$srcdir$ac_dir_suffix + ac_top_srcdir=$ac_top_builddir$srcdir ;; +esac +# Don't blindly perform a `cd "$ac_dir"/$ac_foo && pwd` since $ac_foo can be +# absolute. +ac_abs_builddir=`cd "$ac_dir" && cd $ac_builddir && pwd` +ac_abs_top_builddir=`cd "$ac_dir" && cd $ac_top_builddir && pwd` +ac_abs_srcdir=`cd "$ac_dir" && cd $ac_srcdir && pwd` +ac_abs_top_srcdir=`cd "$ac_dir" && cd $ac_top_srcdir && pwd` + + cd $ac_dir + # Check for guested configure; otherwise get Cygnus style configure. + if test -f $ac_srcdir/configure.gnu; then + echo + $SHELL $ac_srcdir/configure.gnu --help=recursive + elif test -f $ac_srcdir/configure; then + echo + $SHELL $ac_srcdir/configure --help=recursive + elif test -f $ac_srcdir/configure.ac || + test -f $ac_srcdir/configure.in; then + echo + $ac_configure --help + else + echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2 + fi + cd $ac_popdir + done +fi + +test -n "$ac_init_help" && exit 0 +if $ac_init_version; then + cat <<\_ACEOF + +Copyright 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, 2002 +Free Software Foundation, Inc. +This configure script is free software; the Free Software Foundation +gives unlimited permission to copy, distribute and modify it. +_ACEOF + exit 0 +fi +exec 5>config.log +cat >&5 <<_ACEOF +This file contains any messages produced by compilers while +running configure, to aid debugging if configure makes a mistake. + +It was created by $as_me, which was +generated by GNU Autoconf 2.53. Invocation command line was + + $ $0 $@ + +_ACEOF +{ +cat <<_ASUNAME +## --------- ## +## Platform. 
## +## --------- ## + +hostname = `(hostname || uname -n) 2>/dev/null | sed 1q` +uname -m = `(uname -m) 2>/dev/null || echo unknown` +uname -r = `(uname -r) 2>/dev/null || echo unknown` +uname -s = `(uname -s) 2>/dev/null || echo unknown` +uname -v = `(uname -v) 2>/dev/null || echo unknown` + +/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown` +/bin/uname -X = `(/bin/uname -X) 2>/dev/null || echo unknown` + +/bin/arch = `(/bin/arch) 2>/dev/null || echo unknown` +/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null || echo unknown` +/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown` +hostinfo = `(hostinfo) 2>/dev/null || echo unknown` +/bin/machine = `(/bin/machine) 2>/dev/null || echo unknown` +/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null || echo unknown` +/bin/universe = `(/bin/universe) 2>/dev/null || echo unknown` + +_ASUNAME + +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + echo "PATH: $as_dir" +done + +} >&5 + +cat >&5 <<_ACEOF + + +## ----------- ## +## Core tests. ## +## ----------- ## + +_ACEOF + + +# Keep a trace of the command line. +# Strip out --no-create and --no-recursion so they do not pile up. +# Also quote any args containing shell meta-characters. +ac_configure_args= +ac_sep= +for ac_arg +do + case $ac_arg in + -no-create | --no-create | --no-creat | --no-crea | --no-cre \ + | --no-cr | --no-c | -n ) continue ;; + -no-recursion | --no-recursion | --no-recursio | --no-recursi \ + | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) + continue ;; + *" "*|*" "*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?\"\']*) + ac_arg=`echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; + esac + case " $ac_configure_args " in + *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy. + *) ac_configure_args="$ac_configure_args$ac_sep'$ac_arg'" + ac_sep=" " ;; + esac + # Get rid of the leading space. 
+done + +# When interrupted or exit'd, cleanup temporary files, and complete +# config.log. We remove comments because anyway the quotes in there +# would cause problems or look ugly. +# WARNING: Be sure not to use single quotes in there, as some shells, +# such as our DU 5.0 friend, will then `close' the trap. +trap 'exit_status=$? + # Save into config.log some information that might help in debugging. + { + echo + cat <<\_ASBOX +## ---------------- ## +## Cache variables. ## +## ---------------- ## +_ASBOX + echo + # The following way of writing the cache mishandles newlines in values, +{ + (set) 2>&1 | + case `(ac_space='"'"' '"'"'; set | grep ac_space) 2>&1` in + *ac_space=\ *) + sed -n \ + "s/'"'"'/'"'"'\\\\'"'"''"'"'/g; + s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='"'"'\\2'"'"'/p" + ;; + *) + sed -n \ + "s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1=\\2/p" + ;; + esac; +} + echo + if test -s confdefs.h; then + cat <<\_ASBOX +## ----------- ## +## confdefs.h. ## +## ----------- ## +_ASBOX + echo + sed "/^$/d" confdefs.h + echo + fi + test "$ac_signal" != 0 && + echo "$as_me: caught signal $ac_signal" + echo "$as_me: exit $exit_status" + } >&5 + rm -f core core.* *.core && + rm -rf conftest* confdefs* conf$$* $ac_clean_files && + exit $exit_status + ' 0 +for ac_signal in 1 2 13 15; do + trap 'ac_signal='$ac_signal'; { (exit 1); exit 1; }' $ac_signal +done +ac_signal=0 + +# confdefs.h avoids OS command line length limits that DEFS can exceed. +rm -rf conftest* confdefs.h +# AIX cpp loses on an empty file, so make sure it contains at least a newline. +echo >confdefs.h + +# Predefined preprocessor variables. 
+ +cat >>confdefs.h <<_ACEOF +#define PACKAGE_NAME "$PACKAGE_NAME" +_ACEOF + + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_TARNAME "$PACKAGE_TARNAME" +_ACEOF + + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_VERSION "$PACKAGE_VERSION" +_ACEOF + + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_STRING "$PACKAGE_STRING" +_ACEOF + + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT" +_ACEOF + + +# Let the site file select an alternate cache file if it wants to. # Prefer explicitly selected file to automatically selected ones. if test -z "$CONFIG_SITE"; then if test "x$prefix" != xNONE; then 
@@ -486,252 +1036,729 @@ if test -z "$CONFIG_SITE"; then fi for ac_site_file in $CONFIG_SITE; do if test -r "$ac_site_file"; then - echo "loading site script $ac_site_file" + { echo "$as_me:$LINENO: loading site script $ac_site_file" >&5 +echo "$as_me: loading site script $ac_site_file" >&6;} + sed 's/^/| /' "$ac_site_file" >&5 . "$ac_site_file" fi done if test -r "$cache_file"; then - echo "loading cache $cache_file" - . $cache_file + # Some versions of bash will fail to source /dev/null (special + # files actually), so we avoid doing that. + if test -f "$cache_file"; then + { echo "$as_me:$LINENO: loading cache $cache_file" >&5 +echo "$as_me: loading cache $cache_file" >&6;} + case $cache_file in + [\\/]* | ?:[\\/]* ) . $cache_file;; + *) . ./$cache_file;; + esac + fi else - echo "creating cache $cache_file" - > $cache_file + { echo "$as_me:$LINENO: creating cache $cache_file" >&5 +echo "$as_me: creating cache $cache_file" >&6;} + >$cache_file +fi + +# Check that the precious variables saved in the cache have kept the same +# value. 
+ac_cache_corrupted=false +for ac_var in `(set) 2>&1 | + sed -n 's/^ac_env_\([a-zA-Z_0-9]*\)_set=.*/\1/p'`; do + eval ac_old_set=\$ac_cv_env_${ac_var}_set + eval ac_new_set=\$ac_env_${ac_var}_set + eval ac_old_val="\$ac_cv_env_${ac_var}_value" + eval ac_new_val="\$ac_env_${ac_var}_value" + case $ac_old_set,$ac_new_set in + set,) + { echo "$as_me:$LINENO: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5 +echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;} + ac_cache_corrupted=: ;; + ,set) + { echo "$as_me:$LINENO: error: \`$ac_var' was not set in the previous run" >&5 +echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;} + ac_cache_corrupted=: ;; + ,);; + *) + if test "x$ac_old_val" != "x$ac_new_val"; then + { echo "$as_me:$LINENO: error: \`$ac_var' has changed since the previous run:" >&5 +echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;} + { echo "$as_me:$LINENO: former value: $ac_old_val" >&5 +echo "$as_me: former value: $ac_old_val" >&2;} + { echo "$as_me:$LINENO: current value: $ac_new_val" >&5 +echo "$as_me: current value: $ac_new_val" >&2;} + ac_cache_corrupted=: + fi;; + esac + # Pass precious variables to config.status. + if test "$ac_new_set" = set; then + case $ac_new_val in + *" "*|*" "*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?\"\']*) + ac_arg=$ac_var=`echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;; + *) ac_arg=$ac_var=$ac_new_val ;; + esac + case " $ac_configure_args " in + *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy. 
+ *) ac_configure_args="$ac_configure_args '$ac_arg'" ;; + esac + fi +done +if $ac_cache_corrupted; then + { echo "$as_me:$LINENO: error: changes in the environment can compromise the build" >&5 +echo "$as_me: error: changes in the environment can compromise the build" >&2;} + { { echo "$as_me:$LINENO: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&5 +echo "$as_me: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&2;} + { (exit 1); exit 1; }; } fi ac_ext=c -# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options. ac_cpp='$CPP $CPPFLAGS' -ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5' -ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5' -cross_compiling=$ac_cv_prog_cc_cross - -ac_exeext= -ac_objext=o -if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null; then - # Stardent Vistra SVR4 grep lacks -e, says ghazi@caip.rutgers.edu. - if (echo -n testing; echo 1,2,3) | sed s/-n/xn/ | grep xn >/dev/null; then - ac_n= ac_c=' -' ac_t=' ' - else - ac_n=-n ac_c= ac_t= - fi -else - ac_n= ac_c='\c' ac_t= -fi +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu -# Extract the first word of "gcc", so it can be a program name with args. -set dummy gcc; ac_word=$2 -echo $ac_n "checking for $ac_word""... 
$ac_c" 1>&6 -echo "configure:531: checking for $ac_word" >&5 -if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 + + + + + + + + + + + + + + + + +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu +if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args. +set dummy ${ac_tool_prefix}gcc; ac_word=$2 +echo "$as_me:$LINENO: checking for $ac_word" >&5 +echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 +if test "${ac_cv_prog_CC+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else - IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" - ac_dummy="$PATH" - for ac_dir in $ac_dummy; do - test -z "$ac_dir" && ac_dir=. - if test -f $ac_dir/$ac_word; then - ac_cv_prog_CC="gcc" - break - fi - done - IFS="$ac_save_ifs" +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_CC="${ac_tool_prefix}gcc" + echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done + fi fi -CC="$ac_cv_prog_CC" +CC=$ac_cv_prog_CC if test -n "$CC"; then - echo "$ac_t""$CC" 1>&6 + echo "$as_me:$LINENO: result: $CC" >&5 +echo "${ECHO_T}$CC" >&6 else - echo "$ac_t""no" 1>&6 + echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 +fi + +fi +if test -z "$ac_cv_prog_CC"; then + ac_ct_CC=$CC + # Extract the first word of "gcc", so it can be a program name with args. +set dummy gcc; ac_word=$2 +echo "$as_me:$LINENO: checking for $ac_word" >&5 +echo $ECHO_N "checking for $ac_word... 
$ECHO_C" >&6 +if test "${ac_cv_prog_ac_ct_CC+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + if test -n "$ac_ct_CC"; then + ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_CC="gcc" + echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done + +fi +fi +ac_ct_CC=$ac_cv_prog_ac_ct_CC +if test -n "$ac_ct_CC"; then + echo "$as_me:$LINENO: result: $ac_ct_CC" >&5 +echo "${ECHO_T}$ac_ct_CC" >&6 +else + echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 +fi + + CC=$ac_ct_CC +else + CC="$ac_cv_prog_CC" fi if test -z "$CC"; then - # Extract the first word of "cc", so it can be a program name with args. -set dummy cc; ac_word=$2 -echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:561: checking for $ac_word" >&5 -if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 + if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args. +set dummy ${ac_tool_prefix}cc; ac_word=$2 +echo "$as_me:$LINENO: checking for $ac_word" >&5 +echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 +if test "${ac_cv_prog_CC+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_CC="${ac_tool_prefix}cc" + echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done + +fi +fi +CC=$ac_cv_prog_CC +if test -n "$CC"; then + echo "$as_me:$LINENO: result: $CC" >&5 +echo "${ECHO_T}$CC" >&6 +else + echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 +fi + +fi +if test -z "$ac_cv_prog_CC"; then + ac_ct_CC=$CC + # Extract the first word of "cc", so it can be a program name with args. +set dummy cc; ac_word=$2 +echo "$as_me:$LINENO: checking for $ac_word" >&5 +echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 +if test "${ac_cv_prog_ac_ct_CC+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + if test -n "$ac_ct_CC"; then + ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_CC="cc" + echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done + +fi +fi +ac_ct_CC=$ac_cv_prog_ac_ct_CC +if test -n "$ac_ct_CC"; then + echo "$as_me:$LINENO: result: $ac_ct_CC" >&5 +echo "${ECHO_T}$ac_ct_CC" >&6 +else + echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 +fi + + CC=$ac_ct_CC +else + CC="$ac_cv_prog_CC" +fi + +fi +if test -z "$CC"; then + # Extract the first word of "cc", so it can be a program name with args. +set dummy cc; ac_word=$2 +echo "$as_me:$LINENO: checking for $ac_word" >&5 +echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 +if test "${ac_cv_prog_CC+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. 
else - IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" ac_prog_rejected=no - ac_dummy="$PATH" - for ac_dir in $ac_dummy; do - test -z "$ac_dir" && ac_dir=. - if test -f $ac_dir/$ac_word; then - if test "$ac_dir/$ac_word" = "/usr/ucb/cc"; then - ac_prog_rejected=yes - continue - fi - ac_cv_prog_CC="cc" - break - fi - done - IFS="$ac_save_ifs" +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then + ac_prog_rejected=yes + continue + fi + ac_cv_prog_CC="cc" + echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done + if test $ac_prog_rejected = yes; then # We found a bogon in the path, so make sure we never use it. set dummy $ac_cv_prog_CC shift - if test $# -gt 0; then + if test $# != 0; then # We chose a different compiler from the bogus one. # However, it has the same basename, so the bogon will be chosen # first if we set CC to just the basename; use the full file name. shift - set dummy "$ac_dir/$ac_word" "$@" + set dummy "$as_dir/$ac_word" ${1+"$@"} shift ac_cv_prog_CC="$@" fi fi fi fi -CC="$ac_cv_prog_CC" +CC=$ac_cv_prog_CC if test -n "$CC"; then - echo "$ac_t""$CC" 1>&6 + echo "$as_me:$LINENO: result: $CC" >&5 +echo "${ECHO_T}$CC" >&6 else - echo "$ac_t""no" 1>&6 + echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 fi - if test -z "$CC"; then - case "`uname -s`" in - *win32* | *WIN32*) - # Extract the first word of "cl", so it can be a program name with args. -set dummy cl; ac_word=$2 -echo $ac_n "checking for $ac_word""... 
$ac_c" 1>&6 -echo "configure:612: checking for $ac_word" >&5 -if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 +fi +if test -z "$CC"; then + if test -n "$ac_tool_prefix"; then + for ac_prog in cl + do + # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. +set dummy $ac_tool_prefix$ac_prog; ac_word=$2 +echo "$as_me:$LINENO: checking for $ac_word" >&5 +echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 +if test "${ac_cv_prog_CC+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else - IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" - ac_dummy="$PATH" - for ac_dir in $ac_dummy; do - test -z "$ac_dir" && ac_dir=. - if test -f $ac_dir/$ac_word; then - ac_cv_prog_CC="cl" - break - fi - done - IFS="$ac_save_ifs" -fi -fi -CC="$ac_cv_prog_CC" -if test -n "$CC"; then - echo "$ac_t""$CC" 1>&6 -else - echo "$ac_t""no" 1>&6 -fi - ;; - esac +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_CC="$ac_tool_prefix$ac_prog" + echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 fi - test -z "$CC" && { echo "configure: error: no acceptable cc found in \$PATH" 1>&2; exit 1; } +done +done + +fi +fi +CC=$ac_cv_prog_CC +if test -n "$CC"; then + echo "$as_me:$LINENO: result: $CC" >&5 +echo "${ECHO_T}$CC" >&6 +else + echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 fi -echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works""... 
$ac_c" 1>&6 -echo "configure:644: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5 + test -n "$CC" && break + done +fi +if test -z "$CC"; then + ac_ct_CC=$CC + for ac_prog in cl +do + # Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +echo "$as_me:$LINENO: checking for $ac_word" >&5 +echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 +if test "${ac_cv_prog_ac_ct_CC+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + if test -n "$ac_ct_CC"; then + ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_CC="$ac_prog" + echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done -ac_ext=c -# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options. -ac_cpp='$CPP $CPPFLAGS' -ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5' -ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5' -cross_compiling=$ac_cv_prog_cc_cross +fi +fi +ac_ct_CC=$ac_cv_prog_ac_ct_CC +if test -n "$ac_ct_CC"; then + echo "$as_me:$LINENO: result: $ac_ct_CC" >&5 +echo "${ECHO_T}$ac_ct_CC" >&6 +else + echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 +fi -cat > conftest.$ac_ext << EOF + test -n "$ac_ct_CC" && break +done -#line 655 "configure" + CC=$ac_ct_CC +fi + +fi + + +test -z "$CC" && { { echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH" >&5 +echo "$as_me: error: no acceptable C compiler found in \$PATH" >&2;} + { (exit 1); exit 1; }; } + +# Provide some information about the compiler. 
+echo "$as_me:$LINENO:" \ + "checking for C compiler version" >&5 +ac_compiler=`set X $ac_compile; echo $2` +{ (eval echo "$as_me:$LINENO: \"$ac_compiler --version &5\"") >&5 + (eval $ac_compiler --version &5) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } +{ (eval echo "$as_me:$LINENO: \"$ac_compiler -v &5\"") >&5 + (eval $ac_compiler -v &5) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } +{ (eval echo "$as_me:$LINENO: \"$ac_compiler -V &5\"") >&5 + (eval $ac_compiler -V &5) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } + +cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" #include "confdefs.h" -main(){return(0);} -EOF -if { (eval echo configure:660: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - ac_cv_prog_cc_works=yes - # If we can't run a trivial program, we are probably using a cross compiler. - if (./conftest; exit) 2>/dev/null; then - ac_cv_prog_cc_cross=no - else - ac_cv_prog_cc_cross=yes - fi -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - ac_cv_prog_cc_works=no -fi -rm -fr conftest* -ac_ext=c -# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options. -ac_cpp='$CPP $CPPFLAGS' -ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5' -ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5' -cross_compiling=$ac_cv_prog_cc_cross - -echo "$ac_t""$ac_cv_prog_cc_works" 1>&6 -if test $ac_cv_prog_cc_works = no; then - { echo "configure: error: installation or configuration problem: C compiler cannot create executables." 1>&2; exit 1; } -fi -echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler""... 
$ac_c" 1>&6 -echo "configure:686: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5 -echo "$ac_t""$ac_cv_prog_cc_cross" 1>&6 -cross_compiling=$ac_cv_prog_cc_cross - -echo $ac_n "checking whether we are using GNU C""... $ac_c" 1>&6 -echo "configure:691: checking whether we are using GNU C" >&5 -if eval "test \"`echo '$''{'ac_cv_prog_gcc'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.c <&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then - ac_cv_prog_gcc=yes +int +main () +{ + + ; + return 0; +} +_ACEOF +ac_clean_files_save=$ac_clean_files +ac_clean_files="$ac_clean_files a.out a.exe" +# Try to create an executable without -o first, disregard a.out. +# It will help us diagnose broken compilers, and finding out an intuition +# of exeext. +echo "$as_me:$LINENO: checking for C compiler default output" >&5 +echo $ECHO_N "checking for C compiler default output... $ECHO_C" >&6 +ac_link_default=`echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'` +if { (eval echo "$as_me:$LINENO: \"$ac_link_default\"") >&5 + (eval $ac_link_default) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; then + # Find the output, starting from the most likely. This scheme is +# not robust to junk in `.', hence go to wildcards (a.*) only as a last +# resort. + +# Be careful to initialize this variable, since it used to be cached. +# Otherwise an old cache value of `no' led to `EXEEXT = no' in a Makefile. +ac_cv_exeext= +for ac_file in `ls a_out.exe a.exe conftest.exe 2>/dev/null; + ls a.out conftest 2>/dev/null; + ls a.* conftest.* 2>/dev/null`; do + case $ac_file in + *.$ac_ext | *.o | *.obj | *.xcoff | *.tds | *.d | *.pdb | *.xSYM ) ;; + a.out ) # We found the default executable, but exeext='' is most + # certainly right. + break;; + *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` + # FIXME: I believe we export ac_cv_exeext for Libtool --akim. 
+ export ac_cv_exeext + break;; + * ) break;; + esac +done else - ac_cv_prog_gcc=no -fi + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +{ { echo "$as_me:$LINENO: error: C compiler cannot create executables" >&5 +echo "$as_me: error: C compiler cannot create executables" >&2;} + { (exit 77); exit 77; }; } fi -echo "$ac_t""$ac_cv_prog_gcc" 1>&6 +ac_exeext=$ac_cv_exeext +echo "$as_me:$LINENO: result: $ac_file" >&5 +echo "${ECHO_T}$ac_file" >&6 -if test $ac_cv_prog_gcc = yes; then - GCC=yes +# Check the compiler produces executables we can run. If not, either +# the compiler is broken, or we cross compile. +echo "$as_me:$LINENO: checking whether the C compiler works" >&5 +echo $ECHO_N "checking whether the C compiler works... $ECHO_C" >&6 +# FIXME: These cross compiler hacks should be removed for Autoconf 3.0 +# If not cross compiling, check that we can run a simple program. +if test "$cross_compiling" != yes; then + if { ac_try='./$ac_file' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + cross_compiling=no + else + if test "$cross_compiling" = maybe; then + cross_compiling=yes + else + { { echo "$as_me:$LINENO: error: cannot run C compiled programs. +If you meant to cross compile, use \`--host'." >&5 +echo "$as_me: error: cannot run C compiled programs. +If you meant to cross compile, use \`--host'." >&2;} + { (exit 1); exit 1; }; } + fi + fi +fi +echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6 + +rm -f a.out a.exe conftest$ac_cv_exeext +ac_clean_files=$ac_clean_files_save +# Check the compiler produces executables we can run. If not, either +# the compiler is broken, or we cross compile. +echo "$as_me:$LINENO: checking whether we are cross compiling" >&5 +echo $ECHO_N "checking whether we are cross compiling... 
$ECHO_C" >&6 +echo "$as_me:$LINENO: result: $cross_compiling" >&5 +echo "${ECHO_T}$cross_compiling" >&6 + +echo "$as_me:$LINENO: checking for suffix of executables" >&5 +echo $ECHO_N "checking for suffix of executables... $ECHO_C" >&6 +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; then + # If both `conftest.exe' and `conftest' are `present' (well, observable) +# catch `conftest.exe'. For instance with Cygwin, `ls conftest' will +# work properly (i.e., refer to `conftest.exe'), while it won't with +# `rm'. +for ac_file in `(ls conftest.exe; ls conftest; ls conftest.*) 2>/dev/null`; do + case $ac_file in + *.$ac_ext | *.o | *.obj | *.xcoff | *.tds | *.d | *.pdb ) ;; + *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` + export ac_cv_exeext + break;; + * ) break;; + esac +done else - GCC= + { { echo "$as_me:$LINENO: error: cannot compute suffix of executables: cannot compile and link" >&5 +echo "$as_me: error: cannot compute suffix of executables: cannot compile and link" >&2;} + { (exit 1); exit 1; }; } fi -ac_test_CFLAGS="${CFLAGS+set}" -ac_save_CFLAGS="$CFLAGS" -CFLAGS= -echo $ac_n "checking whether ${CC-cc} accepts -g""... $ac_c" 1>&6 -echo "configure:719: checking whether ${CC-cc} accepts -g" >&5 -if eval "test \"`echo '$''{'ac_cv_prog_cc_g'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 +rm -f conftest$ac_cv_exeext +echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5 +echo "${ECHO_T}$ac_cv_exeext" >&6 + +rm -f conftest.$ac_ext +EXEEXT=$ac_cv_exeext +ac_exeext=$EXEEXT +echo "$as_me:$LINENO: checking for suffix of object files" >&5 +echo $ECHO_N "checking for suffix of object files... 
$ECHO_C" >&6 +if test "${ac_cv_objext+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 else - echo 'void f(){}' > conftest.c -if test -z "`${CC-cc} -g -c conftest.c 2>&1`"; then + cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +#include "confdefs.h" + +#ifdef F77_DUMMY_MAIN +# ifdef __cplusplus + extern "C" +# endif + int F77_DUMMY_MAIN() { return 1; } +#endif +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.o conftest.obj +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; then + for ac_file in `(ls conftest.o conftest.obj; ls conftest.*) 2>/dev/null`; do + case $ac_file in + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb ) ;; + *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'` + break;; + esac +done +else + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +{ { echo "$as_me:$LINENO: error: cannot compute suffix of object files: cannot compile" >&5 +echo "$as_me: error: cannot compute suffix of object files: cannot compile" >&2;} + { (exit 1); exit 1; }; } +fi + +rm -f conftest.$ac_cv_objext conftest.$ac_ext +fi +echo "$as_me:$LINENO: result: $ac_cv_objext" >&5 +echo "${ECHO_T}$ac_cv_objext" >&6 +OBJEXT=$ac_cv_objext +ac_objext=$OBJEXT +echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5 +echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6 +if test "${ac_cv_c_compiler_gnu+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +#include "confdefs.h" + +#ifdef F77_DUMMY_MAIN +# ifdef __cplusplus + extern "C" +# endif + int F77_DUMMY_MAIN() { return 1; } +#endif +int +main () +{ +#ifndef __GNUC__ + choke me +#endif + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_compiler_gnu=yes +else + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +ac_compiler_gnu=no +fi +rm -f conftest.$ac_objext conftest.$ac_ext +ac_cv_c_compiler_gnu=$ac_compiler_gnu + +fi +echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5 +echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6 +GCC=`test $ac_compiler_gnu = yes && echo yes` +ac_test_CFLAGS=${CFLAGS+set} +ac_save_CFLAGS=$CFLAGS +CFLAGS="-g" +echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5 +echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6 +if test "${ac_cv_prog_cc_g+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +#include "confdefs.h" + +#ifdef F77_DUMMY_MAIN +# ifdef __cplusplus + extern "C" +# endif + int F77_DUMMY_MAIN() { return 1; } +#endif +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; }; then ac_cv_prog_cc_g=yes else - ac_cv_prog_cc_g=no + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +ac_cv_prog_cc_g=no fi -rm -f conftest* - +rm -f conftest.$ac_objext conftest.$ac_ext fi - -echo "$ac_t""$ac_cv_prog_cc_g" 1>&6 +echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5 +echo "${ECHO_T}$ac_cv_prog_cc_g" >&6 if test "$ac_test_CFLAGS" = set; then - CFLAGS="$ac_save_CFLAGS" + CFLAGS=$ac_save_CFLAGS elif test $ac_cv_prog_cc_g = yes; then if test "$GCC" = yes; then CFLAGS="-g -O2" 
@@ -745,452 +1772,1512 @@ else CFLAGS= fi fi - - - - - -echo $ac_n "checking for library containing res_mkquery""... $ac_c" 1>&6 -echo "configure:755: checking for library containing res_mkquery" >&5 -if eval "test \"`echo '$''{'ac_cv_search_res_mkquery'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - ac_func_search_save_LIBS="$LIBS" -ac_cv_search_res_mkquery="no" -cat > conftest.$ac_ext <conftest.$ac_ext <<_ACEOF +#ifndef __cplusplus + choke me +#endif +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + for ac_declaration in \ + ''\ + '#include ' \ + 'extern "C" void std::exit (int) throw (); using std::exit;' \ + 'extern "C" void std::exit (int); using std::exit;' \ + 'extern "C" void exit (int) throw ();' \ + 'extern "C" void exit (int);' \ + 'void exit (int);' +do + cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" #include "confdefs.h" -/* Override any gcc2 internal prototype to avoid an error. */ -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char res_mkquery(); +#include +$ac_declaration +#ifdef F77_DUMMY_MAIN +# ifdef __cplusplus + extern "C" +# endif + int F77_DUMMY_MAIN() { return 1; } +#endif +int +main () +{ +exit (42); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; }; then + : +else + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +continue +fi +rm -f conftest.$ac_objext conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +#include "confdefs.h" +$ac_declaration +#ifdef F77_DUMMY_MAIN +# ifdef __cplusplus + extern "C" +# endif + int F77_DUMMY_MAIN() { return 1; } +#endif +int +main () +{ +exit (42); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + break +else + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +fi +rm -f conftest.$ac_objext conftest.$ac_ext +done +rm -f conftest* +if test -n "$ac_declaration"; then + echo '#ifdef __cplusplus' >>confdefs.h + echo $ac_declaration >>confdefs.h + echo '#endif' >>confdefs.h +fi -int main() { -res_mkquery() -; return 0; } -EOF -if { (eval echo configure:773: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* +else + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +fi +rm -f conftest.$ac_objext conftest.$ac_ext +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + + + + + + +echo "$as_me:$LINENO: checking for library containing res_mkquery" >&5 +echo $ECHO_N "checking for library containing res_mkquery... 
$ECHO_C" >&6 +if test "${ac_cv_search_res_mkquery+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_func_search_save_LIBS=$LIBS +ac_cv_search_res_mkquery=no +cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +#include "confdefs.h" + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char res_mkquery (); +#ifdef F77_DUMMY_MAIN +# ifdef __cplusplus + extern "C" +# endif + int F77_DUMMY_MAIN() { return 1; } +#endif +int +main () +{ +res_mkquery (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then ac_cv_search_res_mkquery="none required" else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 fi -rm -f conftest* -test "$ac_cv_search_res_mkquery" = "no" && for i in resolv bind; do -LIBS="-l$i $ac_func_search_save_LIBS" -cat > conftest.$ac_ext <conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" #include "confdefs.h" -/* Override any gcc2 internal prototype to avoid an error. */ -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. 
*/ -char res_mkquery(); -int main() { -res_mkquery() -; return 0; } -EOF -if { (eval echo configure:795: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_res_mkquery="-l$i" +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char res_mkquery (); +#ifdef F77_DUMMY_MAIN +# ifdef __cplusplus + extern "C" +# endif + int F77_DUMMY_MAIN() { return 1; } +#endif +int +main () +{ +res_mkquery (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_search_res_mkquery="-l$ac_lib" break else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 fi -rm -f conftest* -done -LIBS="$ac_func_search_save_LIBS" +rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext + done fi - -echo "$ac_t""$ac_cv_search_res_mkquery" 1>&6 -if test "$ac_cv_search_res_mkquery" != "no"; then +LIBS=$ac_func_search_save_LIBS +fi +echo "$as_me:$LINENO: result: $ac_cv_search_res_mkquery" >&5 +echo "${ECHO_T}$ac_cv_search_res_mkquery" >&6 +if test "$ac_cv_search_res_mkquery" != no; then test "$ac_cv_search_res_mkquery" = "none required" || LIBS="$ac_cv_search_res_mkquery $LIBS" - -else : - -fi; -echo $ac_n "checking for socket in -lsocket""... 
$ac_c" 1>&6 -echo "configure:816: checking for socket in -lsocket" >&5 -ac_lib_var=`echo socket'_'socket | sed 'y%./+-%__p_%'` -if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 + +fi + + +echo "$as_me:$LINENO: checking for socket in -lsocket" >&5 +echo $ECHO_N "checking for socket in -lsocket... $ECHO_C" >&6 +if test "${ac_cv_lib_socket_socket+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 else - ac_save_LIBS="$LIBS" + ac_check_lib_save_LIBS=$LIBS LIBS="-lsocket $LIBS" -cat > conftest.$ac_ext <conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif /* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char socket(); - -int main() { -socket() -; return 0; } -EOF -if { (eval echo configure:835: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - eval "ac_cv_lib_$ac_lib_var=yes" + builtin and then its argument prototype would still apply. */ +char socket (); +#ifdef F77_DUMMY_MAIN +# ifdef __cplusplus + extern "C" +# endif + int F77_DUMMY_MAIN() { return 1; } +#endif +int +main () +{ +socket (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_lib_socket_socket=yes else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - eval "ac_cv_lib_$ac_lib_var=no" + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +ac_cv_lib_socket_socket=no fi -rm -f conftest* -LIBS="$ac_save_LIBS" - +rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS fi -if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then - echo "$ac_t""yes" 1>&6 - ac_tr_lib=HAVE_LIB`echo socket | sed -e 's/[^a-zA-Z0-9_]/_/g' \ - -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` - cat >> confdefs.h <&5 +echo "${ECHO_T}$ac_cv_lib_socket_socket" >&6 +if test $ac_cv_lib_socket_socket = yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBSOCKET 1 +_ACEOF LIBS="-lsocket $LIBS" -else - echo "$ac_t""no" 1>&6 fi -echo $ac_n "checking for inet_ntoa in -lnsl""... $ac_c" 1>&6 -echo "configure:863: checking for inet_ntoa in -lnsl" >&5 -ac_lib_var=`echo nsl'_'inet_ntoa | sed 'y%./+-%__p_%'` -if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 + +echo "$as_me:$LINENO: checking for inet_ntoa in -lnsl" >&5 +echo $ECHO_N "checking for inet_ntoa in -lnsl... $ECHO_C" >&6 +if test "${ac_cv_lib_nsl_inet_ntoa+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 else - ac_save_LIBS="$LIBS" + ac_check_lib_save_LIBS=$LIBS LIBS="-lnsl $LIBS" -cat > conftest.$ac_ext <conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif /* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. 
*/ -char inet_ntoa(); - -int main() { -inet_ntoa() -; return 0; } -EOF -if { (eval echo configure:882: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - eval "ac_cv_lib_$ac_lib_var=yes" + builtin and then its argument prototype would still apply. */ +char inet_ntoa (); +#ifdef F77_DUMMY_MAIN +# ifdef __cplusplus + extern "C" +# endif + int F77_DUMMY_MAIN() { return 1; } +#endif +int +main () +{ +inet_ntoa (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_lib_nsl_inet_ntoa=yes else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - eval "ac_cv_lib_$ac_lib_var=no" + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +ac_cv_lib_nsl_inet_ntoa=no fi -rm -f conftest* -LIBS="$ac_save_LIBS" - +rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS fi -if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then - echo "$ac_t""yes" 1>&6 - ac_tr_lib=HAVE_LIB`echo nsl | sed -e 's/[^a-zA-Z0-9_]/_/g' \ - -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` - cat >> confdefs.h <&5 +echo "${ECHO_T}$ac_cv_lib_nsl_inet_ntoa" >&6 +if test $ac_cv_lib_nsl_inet_ntoa = yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBNSL 1 +_ACEOF LIBS="-lnsl $LIBS" -else - echo "$ac_t""no" 1>&6 fi -echo $ac_n "checking for socklen_t""... 
$ac_c" 1>&6 -echo "configure:910: checking for socklen_t" >&5 -if eval "test \"`echo '$''{'ac_cv_type_socklen_t'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 + +for ac_func in gethostbyname2 +do +as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` +echo "$as_me:$LINENO: checking for $ac_func" >&5 +echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 +if eval "test \"\${$as_ac_var+set}\" = set"; then + echo $ECHO_N "(cached) $ECHO_C" >&6 else - - cat > conftest.$ac_ext <conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +#include "confdefs.h" +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func (); below. */ +#include +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char $ac_func (); +char (*f) (); + +#ifdef F77_DUMMY_MAIN +# ifdef __cplusplus + extern "C" +# endif + int F77_DUMMY_MAIN() { return 1; } +#endif +int +main () +{ +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined (__stub_$ac_func) || defined (__stub___$ac_func) +choke me +#else +f = $ac_func; +#endif + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; }; then + eval "$as_ac_var=yes" +else + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +eval "$as_ac_var=no" +fi +rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext +fi +echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5 +echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 +if test `eval echo '${'$as_ac_var'}'` = yes; then + cat >>confdefs.h <<_ACEOF +#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + +echo "$as_me:$LINENO: checking for getaddrinfo" >&5 +echo $ECHO_N "checking for getaddrinfo... $ECHO_C" >&6 +if test "${ac_cv_func_getaddrinfo+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +#include "confdefs.h" +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char getaddrinfo (); below. */ +#include +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char getaddrinfo (); +char (*f) (); + +#ifdef F77_DUMMY_MAIN +# ifdef __cplusplus + extern "C" +# endif + int F77_DUMMY_MAIN() { return 1; } +#endif +int +main () +{ +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined (__stub_getaddrinfo) || defined (__stub___getaddrinfo) +choke me +#else +f = getaddrinfo; +#endif + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_func_getaddrinfo=yes +else + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +ac_cv_func_getaddrinfo=no +fi +rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext +fi +echo "$as_me:$LINENO: result: $ac_cv_func_getaddrinfo" >&5 +echo "${ECHO_T}$ac_cv_func_getaddrinfo" >&6 +if test $ac_cv_func_getaddrinfo = yes; then + cat >>confdefs.h <<\_ACEOF +#define HAVE_GETADDRINFO 1 +_ACEOF + +else + LIBOBJS="$LIBOBJS getaddrinfo.$ac_objext" +fi + +echo "$as_me:$LINENO: checking for getnameinfo" >&5 +echo $ECHO_N "checking for getnameinfo... $ECHO_C" >&6 +if test "${ac_cv_func_getnameinfo+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +#include "confdefs.h" +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char getnameinfo (); below. */ +#include +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char getnameinfo (); +char (*f) (); + +#ifdef F77_DUMMY_MAIN +# ifdef __cplusplus + extern "C" +# endif + int F77_DUMMY_MAIN() { return 1; } +#endif +int +main () +{ +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. 
*/ +#if defined (__stub_getnameinfo) || defined (__stub___getnameinfo) +choke me +#else +f = getnameinfo; +#endif + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_func_getnameinfo=yes +else + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +ac_cv_func_getnameinfo=no +fi +rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext +fi +echo "$as_me:$LINENO: result: $ac_cv_func_getnameinfo" >&5 +echo "${ECHO_T}$ac_cv_func_getnameinfo" >&6 +if test $ac_cv_func_getnameinfo = yes; then + cat >>confdefs.h <<\_ACEOF +#define HAVE_GETNAMEINFO 1 +_ACEOF + +else + LIBOBJS="$LIBOBJS getnameinfo.$ac_objext" +fi + + +echo "$as_me:$LINENO: checking for socklen_t" >&5 +echo $ECHO_N "checking for socklen_t... $ECHO_C" >&6 +if test "${ac_cv_type_socklen_t+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + + cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" #include "confdefs.h" #include #include -int main() { +#ifdef F77_DUMMY_MAIN +# ifdef __cplusplus + extern "C" +# endif + int F77_DUMMY_MAIN() { return 1; } +#endif +int +main () +{ socklen_t len = 42; return len; -; return 0; } -EOF -if { (eval echo configure:924: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then - rm -rf conftest* + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? 
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then ac_cv_type_socklen_t=yes else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - ac_cv_type_socklen_t=no + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +ac_cv_type_socklen_t=no fi -rm -f conftest* +rm -f conftest.$ac_objext conftest.$ac_ext fi - -echo "$ac_t""$ac_cv_type_socklen_t" 1>&6 +echo "$as_me:$LINENO: result: $ac_cv_type_socklen_t" >&5 +echo "${ECHO_T}$ac_cv_type_socklen_t" >&6 if test $ac_cv_type_socklen_t != yes; then - cat >> confdefs.h <<\EOF + cat >>confdefs.h <<\_ACEOF #define socklen_t int -EOF +_ACEOF + + fi + +echo "$as_me:$LINENO: checking for sa_len" >&5 +echo $ECHO_N "checking for sa_len... $ECHO_C" >&6 +if test "${ac_cv_sa_len+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + + cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +#include "confdefs.h" +#include + #include +#ifdef F77_DUMMY_MAIN +# ifdef __cplusplus + extern "C" +# endif + int F77_DUMMY_MAIN() { return 1; } +#endif +int +main () +{ +struct sockaddr sa; sa.sa_len = 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_sa_len=yes +else + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +ac_cv_sa_len=no +fi +rm -f conftest.$ac_objext conftest.$ac_ext + +fi +echo "$as_me:$LINENO: result: $ac_cv_sa_len" >&5 +echo "${ECHO_T}$ac_cv_sa_len" >&6 + if test $ac_cv_sa_len = yes; then + cat >>confdefs.h <<\_ACEOF +#define HAVE_SA_LEN 1 +_ACEOF fi -trap '' 1 2 15 -cat > confcache <<\EOF +ac_config_files="$ac_config_files Makefile" +cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure # tests run on this system so they can be shared between configure -# scripts and configure runs. It is not useful on other systems. -# If it contains results you don't want to keep, you may remove or edit it. +# scripts and configure runs, see configure's option --config-cache. +# It is not useful on other systems. If it contains results you don't +# want to keep, you may remove or edit it. # -# By default, configure uses ./config.cache as the cache file, -# creating it if it does not exist already. You can give configure -# the --cache-file=FILE option to use a different cache file; that is -# what configure does when it calls configure scripts in -# subdirectories, so they share the cache. -# Giving --cache-file=/dev/null disables caching, for debugging configure. -# config.status only pays attention to the cache file if you give it the -# --recheck option to rerun configure. +# config.status only pays attention to the cache file if you give it +# the --recheck option to rerun configure. # -EOF +# `ac_cv_env_foo' variables (set or unset) will be overriden when +# loading this file, other *unset* `ac_cv_foo' will be assigned the +# following values. + +_ACEOF + # The following way of writing the cache mishandles newlines in values, # but we know of no workaround that is simple, portable, and efficient. # So, don't put newlines in cache variables' values. 
# Ultrix sh set writes to stderr and can't be redirected directly, # and sets the high bit in the cache file unless we assign to the vars. -(set) 2>&1 | - case `(ac_space=' '; set | grep ac_space) 2>&1` in - *ac_space=\ *) - # `set' does not quote correctly, so add quotes (double-quote substitution - # turns \\\\ into \\, and sed turns \\ into \). - sed -n \ - -e "s/'/'\\\\''/g" \ - -e "s/^\\([a-zA-Z0-9_]*_cv_[a-zA-Z0-9_]*\\)=\\(.*\\)/\\1=\${\\1='\\2'}/p" - ;; - *) - # `set' quotes correctly as required by POSIX, so do not add quotes. - sed -n -e 's/^\([a-zA-Z0-9_]*_cv_[a-zA-Z0-9_]*\)=\(.*\)/\1=${\1=\2}/p' - ;; - esac >> confcache -if cmp -s $cache_file confcache; then - : -else +{ + (set) 2>&1 | + case `(ac_space=' '; set | grep ac_space) 2>&1` in + *ac_space=\ *) + # `set' does not quote correctly, so add quotes (double-quote + # substitution turns \\\\ into \\, and sed turns \\ into \). + sed -n \ + "s/'/'\\\\''/g; + s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p" + ;; + *) + # `set' quotes correctly as required by POSIX, so do not add quotes. + sed -n \ + "s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1=\\2/p" + ;; + esac; +} | + sed ' + t clear + : clear + s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/ + t end + /^ac_cv_env/!s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/ + : end' >>confcache +if cmp -s $cache_file confcache; then :; else if test -w $cache_file; then - echo "updating cache $cache_file" - cat confcache > $cache_file + test "x$cache_file" != "x/dev/null" && echo "updating cache $cache_file" + cat confcache >$cache_file else echo "not updating unwritable cache $cache_file" fi fi rm -f confcache -trap 'rm -fr conftest* confdefs* core core.* *.core $ac_clean_files; exit 1' 1 2 15 - test "x$prefix" = xNONE && prefix=$ac_default_prefix # Let make expand exec_prefix. 
test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' -# Any assignment to VPATH causes Sun make to only execute -# the first set of double-colon rules, so remove it if not needed. -# If there is a colon in the path, we need to keep it. +# VPATH may cause trouble with some makes, so we remove $(srcdir), +# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and +# trailing colons and then remove the whole line if VPATH becomes empty +# (actually we leave an empty line to preserve line numbers). if test "x$srcdir" = x.; then - ac_vpsub='/^[ ]*VPATH[ ]*=[^:]*$/d' + ac_vpsub='/^[ ]*VPATH[ ]*=/{ +s/:*\$(srcdir):*/:/; +s/:*\${srcdir}:*/:/; +s/:*@srcdir@:*/:/; +s/^\([^=]*=[ ]*\):*/\1/; +s/:*$//; +s/^[^=]*=[ ]*$//; +}' fi -trap 'rm -f $CONFIG_STATUS conftest*; exit 1' 1 2 15 - # Transform confdefs.h into DEFS. # Protect against shell expansion while executing Makefile rules. # Protect against Makefile macro expansion. -cat > conftest.defs <<\EOF -s%#define \([A-Za-z_][A-Za-z0-9_]*\) *\(.*\)%-D\1=\2%g -s%[ `~#$^&*(){}\\|;'"<>?]%\\&%g -s%\[%\\&%g -s%\]%\\&%g -s%\$%$$%g -EOF -DEFS=`sed -f conftest.defs confdefs.h | tr '\012' ' '` -rm -f conftest.defs +# +# If the first sed substitution is executed (which looks for macros that +# take arguments), then we branch to the quote section. Otherwise, +# look for a macro that doesn't take arguments. +cat >confdef2opt.sed <<\_ACEOF +t clear +: clear +s,^[ ]*#[ ]*define[ ][ ]*\([^ (][^ (]*([^)]*)\)[ ]*\(.*\),-D\1=\2,g +t quote +s,^[ ]*#[ ]*define[ ][ ]*\([^ ][^ ]*\)[ ]*\(.*\),-D\1=\2,g +t quote +d +: quote +s,[ `~#$^&*(){}\\|;'"<>?],\\&,g +s,\[,\\&,g +s,\],\\&,g +s,\$,$$,g +p +_ACEOF +# We use echo to avoid assuming a particular line-breaking character. +# The extra dot is to prevent the shell from consuming trailing +# line-breaks from the sub-command output. 
A line-break within +# single-quotes doesn't work because, if this script is created in a +# platform that uses two characters for line-breaks (e.g., DOS), tr +# would break. +ac_LF_and_DOT=`echo; echo .` +DEFS=`sed -n -f confdef2opt.sed confdefs.h | tr "$ac_LF_and_DOT" ' .'` +rm -f confdef2opt.sed + -# Without the "./", some shells look in PATH for config.status. : ${CONFIG_STATUS=./config.status} - -echo creating $CONFIG_STATUS -rm -f $CONFIG_STATUS -cat > $CONFIG_STATUS <&5 +echo "$as_me: creating $CONFIG_STATUS" >&6;} +cat >$CONFIG_STATUS <<_ACEOF +#! $SHELL +# Generated by $as_me. # Run this file to recreate the current configuration. -# This directory was configured as follows, -# on host `(hostname || uname -n) 2>/dev/null | sed 1q`: -# -# $0 $ac_configure_args -# # Compiler output produced by configure, useful for debugging -# configure, is in ./config.log if it exists. +# configure, is in config.log if it exists. -ac_cs_usage="Usage: $CONFIG_STATUS [--recheck] [--version] [--help]" -for ac_option -do - case "\$ac_option" in - -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) - echo "running \${CONFIG_SHELL-/bin/sh} $0 $ac_configure_args --no-create --no-recursion" - exec \${CONFIG_SHELL-/bin/sh} $0 $ac_configure_args --no-create --no-recursion ;; - -version | --version | --versio | --versi | --vers | --ver | --ve | --v) - echo "$CONFIG_STATUS generated by autoconf version 2.13" - exit 0 ;; - -help | --help | --hel | --he | --h) - echo "\$ac_cs_usage"; exit 0 ;; - *) echo "\$ac_cs_usage"; exit 1 ;; - esac -done +debug=false +SHELL=\${CONFIG_SHELL-$SHELL} +_ACEOF -ac_given_srcdir=$srcdir +cat >>$CONFIG_STATUS <<\_ACEOF -trap 'rm -fr `echo "Makefile" | sed "s/:[^ ]*//g"` conftest*; exit 1' 1 2 15 -EOF -cat >> $CONFIG_STATUS < conftest.subs <<\\CEOF -$ac_vpsub -$extrasub -s%@SHELL@%$SHELL%g -s%@CFLAGS@%$CFLAGS%g -s%@CPPFLAGS@%$CPPFLAGS%g -s%@CXXFLAGS@%$CXXFLAGS%g -s%@FFLAGS@%$FFLAGS%g -s%@DEFS@%$DEFS%g -s%@LDFLAGS@%$LDFLAGS%g 
-s%@LIBS@%$LIBS%g -s%@exec_prefix@%$exec_prefix%g -s%@prefix@%$prefix%g -s%@program_transform_name@%$program_transform_name%g -s%@bindir@%$bindir%g -s%@sbindir@%$sbindir%g -s%@libexecdir@%$libexecdir%g -s%@datadir@%$datadir%g -s%@sysconfdir@%$sysconfdir%g -s%@sharedstatedir@%$sharedstatedir%g -s%@localstatedir@%$localstatedir%g -s%@libdir@%$libdir%g -s%@includedir@%$includedir%g -s%@oldincludedir@%$oldincludedir%g -s%@infodir@%$infodir%g -s%@mandir@%$mandir%g -s%@CC@%$CC%g - -CEOF -EOF - -cat >> $CONFIG_STATUS <<\EOF - -# Split the substitutions into bite-sized pieces for seds with -# small command number limits, like on Digital OSF/1 and HP-UX. -ac_max_sed_cmds=90 # Maximum number of lines to put in a sed script. -ac_file=1 # Number of current file. -ac_beg=1 # First line for current file. -ac_end=$ac_max_sed_cmds # Line after last line for current file. -ac_more_lines=: -ac_sed_cmds="" -while $ac_more_lines; do - if test $ac_beg -gt 1; then - sed "1,${ac_beg}d; ${ac_end}q" conftest.subs > conftest.s$ac_file - else - sed "${ac_end}q" conftest.subs > conftest.s$ac_file - fi - if test ! -s conftest.s$ac_file; then - ac_more_lines=false - rm -f conftest.s$ac_file - else - if test -z "$ac_sed_cmds"; then - ac_sed_cmds="sed -f conftest.s$ac_file" - else - ac_sed_cmds="$ac_sed_cmds | sed -f conftest.s$ac_file" - fi - ac_file=`expr $ac_file + 1` - ac_beg=$ac_end - ac_end=`expr $ac_end + $ac_max_sed_cmds` - fi -done -if test -z "$ac_sed_cmds"; then - ac_sed_cmds=cat +# Be Bourne compatible +if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then + emulate sh + NULLCMD=: +elif test -n "${BASH_VERSION+set}" && (set -o posix) >/dev/null 2>&1; then + set -o posix fi -EOF -cat >> $CONFIG_STATUS </dev/null 2>&1; then + as_unset=unset +else + as_unset=false +fi -CONFIG_FILES=\${CONFIG_FILES-"Makefile"} -EOF -cat >> $CONFIG_STATUS <<\EOF -for ac_file in .. 
$CONFIG_FILES; do if test "x$ac_file" != x..; then - # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in". - case "$ac_file" in - *:*) ac_file_in=`echo "$ac_file"|sed 's%[^:]*:%%'` - ac_file=`echo "$ac_file"|sed 's%:.*%%'` ;; - *) ac_file_in="${ac_file}.in" ;; +(set +x; test -n "`(LANG=C; export LANG) 2>&1`") && + { $as_unset LANG || test "${LANG+set}" != set; } || + { LANG=C; export LANG; } +(set +x; test -n "`(LC_ALL=C; export LC_ALL) 2>&1`") && + { $as_unset LC_ALL || test "${LC_ALL+set}" != set; } || + { LC_ALL=C; export LC_ALL; } +(set +x; test -n "`(LC_TIME=C; export LC_TIME) 2>&1`") && + { $as_unset LC_TIME || test "${LC_TIME+set}" != set; } || + { LC_TIME=C; export LC_TIME; } +(set +x; test -n "`(LC_CTYPE=C; export LC_CTYPE) 2>&1`") && + { $as_unset LC_CTYPE || test "${LC_CTYPE+set}" != set; } || + { LC_CTYPE=C; export LC_CTYPE; } +(set +x; test -n "`(LANGUAGE=C; export LANGUAGE) 2>&1`") && + { $as_unset LANGUAGE || test "${LANGUAGE+set}" != set; } || + { LANGUAGE=C; export LANGUAGE; } +(set +x; test -n "`(LC_COLLATE=C; export LC_COLLATE) 2>&1`") && + { $as_unset LC_COLLATE || test "${LC_COLLATE+set}" != set; } || + { LC_COLLATE=C; export LC_COLLATE; } +(set +x; test -n "`(LC_NUMERIC=C; export LC_NUMERIC) 2>&1`") && + { $as_unset LC_NUMERIC || test "${LC_NUMERIC+set}" != set; } || + { LC_NUMERIC=C; export LC_NUMERIC; } +(set +x; test -n "`(LC_MESSAGES=C; export LC_MESSAGES) 2>&1`") && + { $as_unset LC_MESSAGES || test "${LC_MESSAGES+set}" != set; } || + { LC_MESSAGES=C; export LC_MESSAGES; } + + +# Name of the executable. +as_me=`(basename "$0") 2>/dev/null || +$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ + X"$0" : 'X\(//\)$' \| \ + X"$0" : 'X\(/\)$' \| \ + . : '\(.\)' 2>/dev/null || +echo X/"$0" | + sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/; q; } + /^X\/\(\/\/\)$/{ s//\1/; q; } + /^X\/\(\/\).*/{ s//\1/; q; } + s/.*/./; q'` + +# PATH needs CR, and LINENO needs CR and PATH. +# Avoid depending upon Character Ranges. 
+as_cr_letters='abcdefghijklmnopqrstuvwxyz' +as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' +as_cr_Letters=$as_cr_letters$as_cr_LETTERS +as_cr_digits='0123456789' +as_cr_alnum=$as_cr_Letters$as_cr_digits + +# The user is always right. +if test "${PATH_SEPARATOR+set}" != set; then + echo "#! /bin/sh" >conftest.sh + echo "exit 0" >>conftest.sh + chmod +x conftest.sh + if (PATH=".;."; conftest.sh) >/dev/null 2>&1; then + PATH_SEPARATOR=';' + else + PATH_SEPARATOR=: + fi + rm -f conftest.sh +fi + + + as_lineno_1=$LINENO + as_lineno_2=$LINENO + as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null` + test "x$as_lineno_1" != "x$as_lineno_2" && + test "x$as_lineno_3" = "x$as_lineno_2" || { + # Find who we are. Look in the path if we contain no path at all + # relative or not. + case $0 in + *[\\/]* ) as_myself=$0 ;; + *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break +done + + ;; + esac + # We did not find ourselves, most probably we were run as `sh COMMAND' + # in which case we are not to be found in the path. + if test "x$as_myself" = x; then + as_myself=$0 + fi + if test ! -f "$as_myself"; then + { { echo "$as_me:$LINENO: error: cannot find myself; rerun with an absolute path" >&5 +echo "$as_me: error: cannot find myself; rerun with an absolute path" >&2;} + { (exit 1); exit 1; }; } + fi + case $CONFIG_SHELL in + '') + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for as_base in sh bash ksh sh5; do + case $as_dir in + /*) + if ("$as_dir/$as_base" -c ' + as_lineno_1=$LINENO + as_lineno_2=$LINENO + as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null` + test "x$as_lineno_1" != "x$as_lineno_2" && + test "x$as_lineno_3" = "x$as_lineno_2" ') 2>/dev/null; then + CONFIG_SHELL=$as_dir/$as_base + export CONFIG_SHELL + exec "$CONFIG_SHELL" "$0" ${1+"$@"} + fi;; + esac + done +done +;; esac - # Adjust a relative srcdir, top_srcdir, and INSTALL for subdirectories. + # Create $as_me.lineno as a copy of $as_myself, but with $LINENO + # uniformly replaced by the line number. The first 'sed' inserts a + # line-number line before each line; the second 'sed' does the real + # work. The second script uses 'N' to pair each line-number line + # with the numbered line, and appends trailing '-' during + # substitution so that $LINENO is not a special case at line end. + # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the + # second 'sed' script. Blame Lee E. McMahon for sed's syntax. :-) + sed '=' <$as_myself | + sed ' + N + s,$,-, + : loop + s,^\(['$as_cr_digits']*\)\(.*\)[$]LINENO\([^'$as_cr_alnum'_]\),\1\2\1\3, + t loop + s,-$,, + s,^['$as_cr_digits']*\n,, + ' >$as_me.lineno && + chmod +x $as_me.lineno || + { { echo "$as_me:$LINENO: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&5 +echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2;} + { (exit 1); exit 1; }; } - # Remove last slash and all that follows it. Not all systems have dirname. - ac_dir=`echo $ac_file|sed 's%/[^/][^/]*$%%'` - if test "$ac_dir" != "$ac_file" && test "$ac_dir" != .; then - # The file is in a subdirectory. - test ! -d "$ac_dir" && mkdir "$ac_dir" - ac_dir_suffix="/`echo $ac_dir|sed 's%^\./%%'`" - # A "../" for each directory in $ac_dir_suffix. 
- ac_dots=`echo $ac_dir_suffix|sed 's%/[^/]*%../%g'` + # Don't try to exec as it changes $[0], causing all sort of problems + # (the dirname of $[0] is not the place where we might find the + # original and so on. Autoconf is especially sensible to this). + . ./$as_me.lineno + # Exit status is that of the last command. + exit +} + + +case `echo "testing\c"; echo 1,2,3`,`echo -n testing; echo 1,2,3` in + *c*,-n*) ECHO_N= ECHO_C=' +' ECHO_T=' ' ;; + *c*,* ) ECHO_N=-n ECHO_C= ECHO_T= ;; + *) ECHO_N= ECHO_C='\c' ECHO_T= ;; +esac + +if expr a : '\(a\)' >/dev/null 2>&1; then + as_expr=expr +else + as_expr=false +fi + +rm -f conf$$ conf$$.exe conf$$.file +echo >conf$$.file +if ln -s conf$$.file conf$$ 2>/dev/null; then + # We could just check for DJGPP; but this test a) works b) is more generic + # and c) will remain valid once DJGPP supports symlinks (DJGPP 2.04). + if test -f conf$$.exe; then + # Don't use ln at all; we don't have any links + as_ln_s='cp -p' else - ac_dir_suffix= ac_dots= + as_ln_s='ln -s' + fi +elif ln conf$$.file conf$$ 2>/dev/null; then + as_ln_s=ln +else + as_ln_s='cp -p' +fi +rm -f conf$$ conf$$.exe conf$$.file + +as_executable_p="test -f" + +# Sed expression to map a string onto a valid CPP name. +as_tr_cpp="sed y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g" + +# Sed expression to map a string onto a valid variable name. +as_tr_sh="sed y%*+%pp%;s%[^_$as_cr_alnum]%_%g" + + +# IFS +# We need space, tab and new line, in precisely that order. +as_nl=' +' +IFS=" $as_nl" + +# CDPATH. +$as_unset CDPATH || test "${CDPATH+set}" != set || { CDPATH=$PATH_SEPARATOR; export CDPATH; } + +exec 6>&1 + +# Open the log real soon, to keep \$[0] and so on meaningful, and to +# report actual input values of CONFIG_FILES etc. instead of their +# values after options handling. Logging --version etc. is OK. +exec 5>>config.log +{ + echo + sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX +## Running $as_me. 
## +_ASBOX +} >&5 +cat >&5 <<_CSEOF + +This file was extended by $as_me, which was +generated by GNU Autoconf 2.53. Invocation command line was + + CONFIG_FILES = $CONFIG_FILES + CONFIG_HEADERS = $CONFIG_HEADERS + CONFIG_LINKS = $CONFIG_LINKS + CONFIG_COMMANDS = $CONFIG_COMMANDS + $ $0 $@ + +_CSEOF +echo "on `(hostname || uname -n) 2>/dev/null | sed 1q`" >&5 +echo >&5 +_ACEOF + +# Files that config.status was made for. +if test -n "$ac_config_files"; then + echo "config_files=\"$ac_config_files\"" >>$CONFIG_STATUS +fi + +if test -n "$ac_config_headers"; then + echo "config_headers=\"$ac_config_headers\"" >>$CONFIG_STATUS +fi + +if test -n "$ac_config_links"; then + echo "config_links=\"$ac_config_links\"" >>$CONFIG_STATUS +fi + +if test -n "$ac_config_commands"; then + echo "config_commands=\"$ac_config_commands\"" >>$CONFIG_STATUS +fi + +cat >>$CONFIG_STATUS <<\_ACEOF + +ac_cs_usage="\ +\`$as_me' instantiates files from templates according to the +current configuration. + +Usage: $0 [OPTIONS] [FILE]... + + -h, --help print this help, then exit + -V, --version print version number, then exit + -d, --debug don't remove temporary files + --recheck update $as_me by reconfiguring in the same conditions + --file=FILE[:TEMPLATE] + instantiate the configuration file FILE + +Configuration files: +$config_files + +Report bugs to ." +_ACEOF + +cat >>$CONFIG_STATUS <<_ACEOF +ac_cs_version="\\ +config.status +configured by $0, generated by GNU Autoconf 2.53, + with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\" + +Copyright 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001 +Free Software Foundation, Inc. +This config.status script is free software; the Free Software Foundation +gives unlimited permission to copy, distribute and modify it." +srcdir=$srcdir +_ACEOF + +cat >>$CONFIG_STATUS <<\_ACEOF +# If no file are specified by the user, then we need to provide default +# value. By we need to know if files were specified by the user. 
+ac_need_defaults=: +while test $# != 0 +do + case $1 in + --*=*) + ac_option=`expr "x$1" : 'x\([^=]*\)='` + ac_optarg=`expr "x$1" : 'x[^=]*=\(.*\)'` + shift + set dummy "$ac_option" "$ac_optarg" ${1+"$@"} + shift + ;; + -*);; + *) # This is not an option, so the user has probably given explicit + # arguments. + ac_need_defaults=false;; + esac + + case $1 in + # Handling of the options. +_ACEOF +cat >>$CONFIG_STATUS <<_ACEOF + -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) + echo "running $SHELL $0 " $ac_configure_args " --no-create --no-recursion" + exec $SHELL $0 $ac_configure_args --no-create --no-recursion ;; +_ACEOF +cat >>$CONFIG_STATUS <<\_ACEOF + --version | --vers* | -V ) + echo "$ac_cs_version"; exit 0 ;; + --he | --h) + # Conflict between --help and --header + { { echo "$as_me:$LINENO: error: ambiguous option: $1 +Try \`$0 --help' for more information." >&5 +echo "$as_me: error: ambiguous option: $1 +Try \`$0 --help' for more information." >&2;} + { (exit 1); exit 1; }; };; + --help | --hel | -h ) + echo "$ac_cs_usage"; exit 0 ;; + --debug | --d* | -d ) + debug=: ;; + --file | --fil | --fi | --f ) + shift + CONFIG_FILES="$CONFIG_FILES $1" + ac_need_defaults=false;; + --header | --heade | --head | --hea ) + shift + CONFIG_HEADERS="$CONFIG_HEADERS $1" + ac_need_defaults=false;; + + # This is an error. + -*) { { echo "$as_me:$LINENO: error: unrecognized option: $1 +Try \`$0 --help' for more information." >&5 +echo "$as_me: error: unrecognized option: $1 +Try \`$0 --help' for more information." >&2;} + { (exit 1); exit 1; }; } ;; + + *) ac_config_targets="$ac_config_targets $1" ;; + + esac + shift +done + +_ACEOF + + + + + +cat >>$CONFIG_STATUS <<\_ACEOF +for ac_config_target in $ac_config_targets +do + case "$ac_config_target" in + # Handling of arguments. 
+ "Makefile" ) CONFIG_FILES="$CONFIG_FILES Makefile" ;; + *) { { echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5 +echo "$as_me: error: invalid argument: $ac_config_target" >&2;} + { (exit 1); exit 1; }; };; + esac +done + +# If the user did not use the arguments to specify the items to instantiate, +# then the envvar interface is used. Set only those that are not. +# We use the long form for the default assignment because of an extremely +# bizarre bug on SunOS 4.1.3. +if $ac_need_defaults; then + test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files +fi + +# Create a temporary directory, and hook for its removal unless debugging. +$debug || +{ + trap 'exit_status=$?; rm -rf $tmp && exit $exit_status' 0 + trap '{ (exit 1); exit 1; }' 1 2 13 15 +} + +# Create a (secure) tmp directory for tmp files. +: ${TMPDIR=/tmp} +{ + tmp=`(umask 077 && mktemp -d -q "$TMPDIR/csXXXXXX") 2>/dev/null` && + test -n "$tmp" && test -d "$tmp" +} || +{ + tmp=$TMPDIR/cs$$-$RANDOM + (umask 077 && mkdir $tmp) +} || +{ + echo "$me: cannot create a temporary directory in $TMPDIR" >&2 + { (exit 1); exit 1; } +} + +_ACEOF + +cat >>$CONFIG_STATUS <<_ACEOF + +# +# CONFIG_FILES section. +# + +# No need to generate the scripts if there are no CONFIG_FILES. +# This happens for instance when ./config.status config.h +if test -n "\$CONFIG_FILES"; then + # Protect against being on the right side of a sed subst in config.status. 
+ sed 's/,@/@@/; s/@,/@@/; s/,;t t\$/@;t t/; /@;t t\$/s/[\\\\&,]/\\\\&/g; + s/@@/,@/; s/@@/@,/; s/@;t t\$/,;t t/' >\$tmp/subs.sed <<\\CEOF +s,@SHELL@,$SHELL,;t t +s,@PATH_SEPARATOR@,$PATH_SEPARATOR,;t t +s,@PACKAGE_NAME@,$PACKAGE_NAME,;t t +s,@PACKAGE_TARNAME@,$PACKAGE_TARNAME,;t t +s,@PACKAGE_VERSION@,$PACKAGE_VERSION,;t t +s,@PACKAGE_STRING@,$PACKAGE_STRING,;t t +s,@PACKAGE_BUGREPORT@,$PACKAGE_BUGREPORT,;t t +s,@exec_prefix@,$exec_prefix,;t t +s,@prefix@,$prefix,;t t +s,@program_transform_name@,$program_transform_name,;t t +s,@bindir@,$bindir,;t t +s,@sbindir@,$sbindir,;t t +s,@libexecdir@,$libexecdir,;t t +s,@datadir@,$datadir,;t t +s,@sysconfdir@,$sysconfdir,;t t +s,@sharedstatedir@,$sharedstatedir,;t t +s,@localstatedir@,$localstatedir,;t t +s,@libdir@,$libdir,;t t +s,@includedir@,$includedir,;t t +s,@oldincludedir@,$oldincludedir,;t t +s,@infodir@,$infodir,;t t +s,@mandir@,$mandir,;t t +s,@build_alias@,$build_alias,;t t +s,@host_alias@,$host_alias,;t t +s,@target_alias@,$target_alias,;t t +s,@DEFS@,$DEFS,;t t +s,@ECHO_C@,$ECHO_C,;t t +s,@ECHO_N@,$ECHO_N,;t t +s,@ECHO_T@,$ECHO_T,;t t +s,@LIBS@,$LIBS,;t t +s,@CC@,$CC,;t t +s,@CFLAGS@,$CFLAGS,;t t +s,@LDFLAGS@,$LDFLAGS,;t t +s,@CPPFLAGS@,$CPPFLAGS,;t t +s,@ac_ct_CC@,$ac_ct_CC,;t t +s,@EXEEXT@,$EXEEXT,;t t +s,@OBJEXT@,$OBJEXT,;t t +s,@LIBOBJS@,$LIBOBJS,;t t +CEOF + +_ACEOF + + cat >>$CONFIG_STATUS <<\_ACEOF + # Split the substitutions into bite-sized pieces for seds with + # small command number limits, like on Digital OSF/1 and HP-UX. + ac_max_sed_lines=48 + ac_sed_frag=1 # Number of current file. + ac_beg=1 # First line for current file. + ac_end=$ac_max_sed_lines # Line after last line for current file. + ac_more_lines=: + ac_sed_cmds= + while $ac_more_lines; do + if test $ac_beg -gt 1; then + sed "1,${ac_beg}d; ${ac_end}q" $tmp/subs.sed >$tmp/subs.frag + else + sed "${ac_end}q" $tmp/subs.sed >$tmp/subs.frag + fi + if test ! 
-s $tmp/subs.frag; then + ac_more_lines=false + else + # The purpose of the label and of the branching condition is to + # speed up the sed processing (if there are no `@' at all, there + # is no need to browse any of the substitutions). + # These are the two extra sed commands mentioned above. + (echo ':t + /@[a-zA-Z_][a-zA-Z_0-9]*@/!b' && cat $tmp/subs.frag) >$tmp/subs-$ac_sed_frag.sed + if test -z "$ac_sed_cmds"; then + ac_sed_cmds="sed -f $tmp/subs-$ac_sed_frag.sed" + else + ac_sed_cmds="$ac_sed_cmds | sed -f $tmp/subs-$ac_sed_frag.sed" + fi + ac_sed_frag=`expr $ac_sed_frag + 1` + ac_beg=$ac_end + ac_end=`expr $ac_end + $ac_max_sed_lines` + fi + done + if test -z "$ac_sed_cmds"; then + ac_sed_cmds=cat + fi +fi # test -n "$CONFIG_FILES" + +_ACEOF +cat >>$CONFIG_STATUS <<\_ACEOF +for ac_file in : $CONFIG_FILES; do test "x$ac_file" = x: && continue + # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in". + case $ac_file in + - | *:- | *:-:* ) # input from stdin + cat >$tmp/stdin + ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'` + ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;; + *:* ) ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'` + ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;; + * ) ac_file_in=$ac_file.in ;; + esac + + # Compute @srcdir@, @top_srcdir@, and @INSTALL@ for subdirectories. + ac_dir=`(dirname "$ac_file") 2>/dev/null || +$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$ac_file" : 'X\(//\)[^/]' \| \ + X"$ac_file" : 'X\(//\)$' \| \ + X"$ac_file" : 'X\(/\)' \| \ + . 
: '\(.\)' 2>/dev/null || +echo X"$ac_file" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; } + /^X\(\/\/\)[^/].*/{ s//\1/; q; } + /^X\(\/\/\)$/{ s//\1/; q; } + /^X\(\/\).*/{ s//\1/; q; } + s/.*/./; q'` + { case "$ac_dir" in + [\\/]* | ?:[\\/]* ) as_incr_dir=;; + *) as_incr_dir=.;; +esac +as_dummy="$ac_dir" +for as_mkdir_dir in `IFS='/\\'; set X $as_dummy; shift; echo "$@"`; do + case $as_mkdir_dir in + # Skip DOS drivespec + ?:) as_incr_dir=$as_mkdir_dir ;; + *) + as_incr_dir=$as_incr_dir/$as_mkdir_dir + test -d "$as_incr_dir" || + mkdir "$as_incr_dir" || + { { echo "$as_me:$LINENO: error: cannot create \"$ac_dir\"" >&5 +echo "$as_me: error: cannot create \"$ac_dir\"" >&2;} + { (exit 1); exit 1; }; } + ;; + esac +done; } + + ac_builddir=. + +if test "$ac_dir" != .; then + ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'` + # A "../" for each directory in $ac_dir_suffix. + ac_top_builddir=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,../,g'` +else + ac_dir_suffix= ac_top_builddir= +fi + +case $srcdir in + .) # No --srcdir option. We are building in place. + ac_srcdir=. + if test -z "$ac_top_builddir"; then + ac_top_srcdir=. + else + ac_top_srcdir=`echo $ac_top_builddir | sed 's,/$,,'` + fi ;; + [\\/]* | ?:[\\/]* ) # Absolute path. + ac_srcdir=$srcdir$ac_dir_suffix; + ac_top_srcdir=$srcdir ;; + *) # Relative path. + ac_srcdir=$ac_top_builddir$srcdir$ac_dir_suffix + ac_top_srcdir=$ac_top_builddir$srcdir ;; +esac +# Don't blindly perform a `cd "$ac_dir"/$ac_foo && pwd` since $ac_foo can be +# absolute. 
+ac_abs_builddir=`cd "$ac_dir" && cd $ac_builddir && pwd` +ac_abs_top_builddir=`cd "$ac_dir" && cd $ac_top_builddir && pwd` +ac_abs_srcdir=`cd "$ac_dir" && cd $ac_srcdir && pwd` +ac_abs_top_srcdir=`cd "$ac_dir" && cd $ac_top_srcdir && pwd` + + + + if test x"$ac_file" != x-; then + { echo "$as_me:$LINENO: creating $ac_file" >&5 +echo "$as_me: creating $ac_file" >&6;} + rm -f "$ac_file" + fi + # Let's still pretend it is `configure' which instantiates (i.e., don't + # use $as_me), people would be surprised to read: + # /* config.h. Generated by config.status. */ + if test x"$ac_file" = x-; then + configure_input= + else + configure_input="$ac_file. " + fi + configure_input=$configure_input"Generated from `echo $ac_file_in | + sed 's,.*/,,'` by configure." + + # First look for the input files in the build tree, otherwise in the + # src tree. + ac_file_inputs=`IFS=: + for f in $ac_file_in; do + case $f in + -) echo $tmp/stdin ;; + [\\/$]*) + # Absolute (can't be DOS-style, as IFS=:) + test -f "$f" || { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5 +echo "$as_me: error: cannot find input file: $f" >&2;} + { (exit 1); exit 1; }; } + echo $f;; + *) # Relative + if test -f "$f"; then + # Build tree + echo $f + elif test -f "$srcdir/$f"; then + # Source tree + echo $srcdir/$f + else + # /dev/null tree + { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5 +echo "$as_me: error: cannot find input file: $f" >&2;} + { (exit 1); exit 1; }; } + fi;; + esac + done` || { (exit 1); exit 1; } +_ACEOF +cat >>$CONFIG_STATUS <<_ACEOF + sed "$ac_vpsub +$extrasub +_ACEOF +cat >>$CONFIG_STATUS <<\_ACEOF +:t +/@[a-zA-Z_][a-zA-Z_0-9]*@/!b +s,@configure_input@,$configure_input,;t t +s,@srcdir@,$ac_srcdir,;t t +s,@abs_srcdir@,$ac_abs_srcdir,;t t +s,@top_srcdir@,$ac_top_srcdir,;t t +s,@abs_top_srcdir@,$ac_abs_top_srcdir,;t t +s,@builddir@,$ac_builddir,;t t +s,@abs_builddir@,$ac_abs_builddir,;t t +s,@top_builddir@,$ac_top_builddir,;t t 
+s,@abs_top_builddir@,$ac_abs_top_builddir,;t t +" $ac_file_inputs | (eval "$ac_sed_cmds") >$tmp/out + rm -f $tmp/stdin + if test x"$ac_file" != x-; then + mv $tmp/out $ac_file + else + cat $tmp/out + rm -f $tmp/out fi - case "$ac_given_srcdir" in - .) srcdir=. - if test -z "$ac_dots"; then top_srcdir=. - else top_srcdir=`echo $ac_dots|sed 's%/$%%'`; fi ;; - /*) srcdir="$ac_given_srcdir$ac_dir_suffix"; top_srcdir="$ac_given_srcdir" ;; - *) # Relative path. - srcdir="$ac_dots$ac_given_srcdir$ac_dir_suffix" - top_srcdir="$ac_dots$ac_given_srcdir" ;; - esac +done +_ACEOF +cat >>$CONFIG_STATUS <<\_ACEOF - echo creating "$ac_file" - rm -f "$ac_file" - configure_input="Generated automatically from `echo $ac_file_in|sed 's%.*/%%'` by configure." - case "$ac_file" in - *Makefile*) ac_comsub="1i\\ -# $configure_input" ;; - *) ac_comsub= ;; - esac - - ac_file_inputs=`echo $ac_file_in|sed -e "s%^%$ac_given_srcdir/%" -e "s%:% $ac_given_srcdir/%g"` - sed -e "$ac_comsub -s%@configure_input@%$configure_input%g -s%@srcdir@%$srcdir%g -s%@top_srcdir@%$top_srcdir%g -" $ac_file_inputs | (eval "$ac_sed_cmds") > $ac_file -fi; done -rm -f conftest.s* - -EOF -cat >> $CONFIG_STATUS <> $CONFIG_STATUS <<\EOF - -exit 0 -EOF +{ (exit 0); exit 0; } +_ACEOF chmod +x $CONFIG_STATUS -rm -fr confdefs* $ac_clean_files -test "$no_create" = yes || ${CONFIG_SHELL-/bin/sh} $CONFIG_STATUS || exit 1 +ac_clean_files=$ac_clean_files_save + + +# configure is writing to config.log, and then calls config.status. +# config.status does its own redirection, appending to config.log. +# Unfortunately, on DOS this fails, as config.log is still kept open +# by configure, so config.status won't be able to write to it; its +# output is simply discarded. So we exec the FD to /dev/null, +# effectively closing config.log, so it can be properly (re)opened and +# appended to by config.status. When coming back to configure, we +# need to make the FD available again. 
+if test "$no_create" != yes; then + ac_cs_success=: + exec 5>/dev/null + $SHELL $CONFIG_STATUS || ac_cs_success=false + exec 5>>config.log + # Use ||, not &&, to avoid exiting from the if with $? = 1, which + # would make configure fail if this is the last instruction. + $ac_cs_success || { (exit 1); exit 1; } +fi diff --git a/contrib/queryperf/configure.in b/contrib/queryperf/configure.in index 1b7737fad5..efbd9462c1 100644 --- a/contrib/queryperf/configure.in +++ b/contrib/queryperf/configure.in @@ -36,9 +36,31 @@ AC_DEFUN(AC_TYPE_SOCKLEN_T, fi ]) -AC_SEARCH_LIBS(res_mkquery, resolv bind); +AC_DEFUN(AC_SA_LEN, +[AC_CACHE_CHECK([for sa_len], ac_cv_sa_len, +[ + AC_TRY_COMPILE( + [#include + #include ], + [struct sockaddr sa; sa.sa_len = 0;], + ac_cv_sa_len=yes, + ac_cv_sa_len=no) +]) + if test $ac_cv_sa_len = yes; then + AC_DEFINE(HAVE_SA_LEN) + fi +]) + +AC_SEARCH_LIBS(res_mkquery, resolv bind) AC_CHECK_LIB(socket, socket) AC_CHECK_LIB(nsl, inet_ntoa) +AC_CHECK_FUNCS(gethostbyname2) +AC_CHECK_FUNC(getaddrinfo, + AC_DEFINE(HAVE_GETADDRINFO), AC_LIBOBJ(getaddrinfo)) +AC_CHECK_FUNC(getnameinfo, + AC_DEFINE(HAVE_GETNAMEINFO), AC_LIBOBJ(getnameinfo)) + AC_TYPE_SOCKLEN_T +AC_SA_LEN AC_OUTPUT(Makefile) diff --git a/contrib/queryperf/queryperf.c b/contrib/queryperf/queryperf.c index 15f635fb7a..88b9303344 100644 --- a/contrib/queryperf/queryperf.c +++ b/contrib/queryperf/queryperf.c @@ -18,7 +18,7 @@ /*** *** DNS Query Performance Testing Tool (queryperf.c) *** - *** Version $Id: queryperf.c,v 1.8 2003/03/26 06:07:54 marka Exp $ + *** Version $Id: queryperf.c,v 1.9 2004/05/12 07:04:58 jinmei Exp $ *** *** Stephen Jacob ***/ 
@@ -39,14 +39,18 @@ #include #include +#ifndef HAVE_GETADDRINFO +#include "missing/addrinfo.h" +#endif + /* * Configuration defaults */ #define DEF_MAX_QUERIES_OUTSTANDING 20 #define DEF_QUERY_TIMEOUT 5 /* in seconds */ -#define DEF_SERVER_TO_QUERY "localhost" -#define DEF_SERVER_PORT 53 +#define DEF_SERVER_TO_QUERY "127.0.0.1" +#define DEF_SERVER_PORT "53" #define DEF_BUFFER_SIZE 32 /* in k */ /* @@ -116,11 +120,13 @@ unsigned int query_timeout = DEF_QUERY_TIMEOUT; int ignore_config_changes = FALSE; unsigned int socket_bufsize = DEF_BUFFER_SIZE; +int family = AF_UNSPEC; int use_stdin = TRUE; char *datafile_name; /* init NULL */ char *server_to_query; /* init NULL */ -unsigned int server_port = DEF_SERVER_PORT; +char *server_port; /* init NULL */ +struct addrinfo *server_ai; /* init NULL */ int run_only_once = FALSE; int use_timelimit = FALSE; @@ -154,8 +160,8 @@ struct timeval time_of_end_of_run; struct query_status *status; /* init NULL */ unsigned int query_status_allocated; /* init 0 */ -int query_socket; /* init 0 */ -struct sockaddr_in qaddr; +int query_socket = -1; +int socket4 = -1, socket6 = -1; static char *rcode_strings[] = RCODE_STRINGS; @@ -180,7 +186,7 @@ void show_startup_info(void) { printf("\n" "DNS Query Performance Testing Tool\n" -"Version: $Id: queryperf.c,v 1.8 2003/03/26 06:07:54 marka Exp $\n" +"Version: $Id: queryperf.c,v 1.9 2004/05/12 07:04:58 jinmei Exp $\n" "\n"); } 
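Review bot: `struct addrinfo *server_ai` is a new global that every later consumer in this patch (open_socket, change_socket, update_config, dispatch_query) dereferences without a NULL check, and nothing at the declaration says who is responsible for populating it; a comment such as `struct addrinfo *server_ai; /* init NULL; set by set_server_sa() before any socket or send call */` would make that invariant explicit. The default server also changes from "localhost" to the literal "127.0.0.1" in the same hunk, which presumably means the default cannot be resolved once the new `-f inet6` option is given; if that is intended, a comment next to DEF_SERVER_TO_QUERY saying so would save the next reader a puzzle.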
@@ -193,17 +199,18 @@ show_usage(void) { fprintf(stderr, "\n" "Usage: queryperf [-d datafile] [-s server_addr] [-p port] [-q num_queries]\n" -" [-b bufsize] [-t timeout] [-n] [-l limit] [-1]\n" +" [-b bufsize] [-t timeout] [-n] [-l limit] [-f family] [-1]\n" " [-e] [-D] [-c] [-v] [-h]\n" " -d specifies the input data file (default: stdin)\n" " -s sets the server to query (default: %s)\n" -" -p sets the port on which to query the server (default: %u)\n" +" -p sets the port on which to query the server (default: %s)\n" " -q specifies the maximum number of queries outstanding (default: %d)\n" " -t specifies the timeout for query completion in seconds (default: %d)\n" " -n causes configuration changes to be ignored\n" " -l specifies how a limit for how long to run tests in seconds (no default)\n" " -1 run through input only once (default: multiple iff limit given)\n" " -b set input/output buffer size in kilobytes (default: %d k)\n" +" -f specify address family of DNS transport, inet or inet6 (default: any)\n" " -e enable EDNS 0\n" " -D set the DNSSEC OK bit (implies EDNS)\n" " -c print the number of packets with each rcode\n" @@ -287,14 +294,7 @@ set_server(char *new_name) { return (-1); } - if ((server_he = gethostbyname(new_name)) == NULL) { - fprintf(stderr, "Error: gethostbyname(\"%s\") failed\n", - new_name); - return (-1); - } - strcpy(server_to_query, new_name); - qaddr.sin_addr = *((struct in_addr *)server_he->h_addr); return (0); } 
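Review bot: set_server() now commits the new name with `strcpy(server_to_query, new_name)` without resolving it, so a name that later fails in set_server_sa() is still stored as the current server; the function's header comment (above this hunk) should say that resolution is deferred and that callers must call set_server_sa() afterwards. The length check that precedes the strcpy is outside the hunk, so I cannot confirm from here that `server_to_query` is sized for `new_name`; please verify. `server_he` is no longer used in this function, so its declaration, if still present above, can be removed.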
@@ -307,16 +307,64 @@ set_server(char *new_name) { * Return a non-negative integer otherwise */ int -set_server_port(unsigned int new_port) { - if (new_port > MAX_PORT) +set_server_port(char *new_port) { + unsigned int uint_val; + + if ((is_uint(new_port, &uint_val)) != TRUE) + return (-1); + + if (uint_val && uint_val > MAX_PORT) return (-1); else { - server_port = new_port; - qaddr.sin_port = htons(server_port); + if (server_port != NULL && new_port != NULL && + strcmp(server_port, new_port) == 0) + return (0); + + free(server_port); + server_port = NULL; + + if ((server_port = malloc(strlen(new_port) + 1)) == NULL) { + fprintf(stderr, + "Error allocating memory for server port: " + "%s\n", new_port); + return (-1); + } + + strcpy(server_port, new_port); + return (0); } } +int +set_server_sa(void) { + struct addrinfo hints, *res; + static struct protoent *proto; + int error; + + if (proto == NULL && (proto = getprotobyname("udp")) == NULL) { + fprintf(stderr, "Error: getprotobyname call failed"); + return (-1); + } + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = family; + hints.ai_socktype = SOCK_DGRAM; + hints.ai_protocol = proto->p_proto; + if ((error = getaddrinfo(server_to_query, server_port, + &hints, &res)) != 0) { + fprintf(stderr, "Error: getaddrinfo(%s, %s) failed\n", + server_to_query, server_port); + return (-1); + } + + /* replace the server's addrinfo */ + if (server_ai != NULL) + freeaddrinfo(server_ai); + server_ai = res; + return (0); +} + /* * is_digit: * Tests if a character is a digit 
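Review bot: set_server_sa() stores the getaddrinfo() status in `error` but never reports it, while open_socket() in this same patch prints gai_strerror(); for parity and so that runtime resolution failures are diagnosable, `fprintf(stderr, "Error: getaddrinfo(%s, %s) failed: %s\n", server_to_query, server_port, gai_strerror(error));`. In set_server_port() the `uint_val &&` term in `if (uint_val && uint_val > MAX_PORT)` is redundant, and the `new_port != NULL` test comes after is_uint(new_port, …) has already used the pointer, so either move the NULL check first or drop it. The `static struct protoent *proto` cache deserves a one-line comment stating that the lookup is done once per process.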
@@ -425,8 +473,23 @@ parse_args(int argc, char **argv) { int c; unsigned int uint_arg_val; - while ((c = getopt(argc, argv, "q:t:nd:s:p:1l:b:eDcvh")) != -1) { + while ((c = getopt(argc, argv, "f:q:t:nd:s:p:1l:b:eDcvh")) != -1) { switch (c) { + case 'f': + if (strcmp(optarg, "inet") == 0) + family = AF_INET; +#ifdef AF_INET6 + else if (strcmp(optarg, "inet6") == 0) + family = AF_INET6; +#endif + else if (strcmp(optarg, "any") == 0) + family = AF_UNSPEC; + else { + fprintf(stderr, "Invalid address family: %s\n", + optarg); + return (-1); + } + break; case 'q': if (is_uint(optarg, &uint_arg_val) == TRUE) { set_max_queries(uint_arg_val); @@ -476,7 +539,7 @@ parse_args(int argc, char **argv) { if (is_uint(optarg, &uint_arg_val) == TRUE && uint_arg_val < MAX_PORT) { - set_server_port(uint_arg_val); + set_server_port(optarg); portset = TRUE; } else { fprintf(stderr, "Option requires a positive " 
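Review bot: in the port branch of parse_args() the return value of set_server_port(optarg) is discarded, so an allocation failure inside it leaves `server_port` NULL while `portset = TRUE` is still recorded; `if (set_server_port(optarg) == -1) return (-1);` keeps the failure visible. The bounds are also inconsistent: parse_args() requires `uint_arg_val < MAX_PORT` while set_server_port() only rejects `> MAX_PORT`, so MAX_PORT itself is accepted from a configuration change but not from the command line. The new `-f` case would read better with a short comment noting that `inet6` is compiled out when AF_INET6 is undefined.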
@@ -582,39 +645,54 @@ close_datafile(void) { /* * open_socket: - * Open a socket for the queries + * Open a socket for the queries. When we have an active socket already, + * close it and open a new one. * * Return -1 on failure - * Return a non-negative integer otherwise + * Return the socket identifier */ int open_socket(void) { int sock; - struct protoent *proto; - struct sockaddr_in bind_addr; int ret; int bufsize; + struct addrinfo hints, *res; - bind_addr.sin_family = AF_INET; - bind_addr.sin_port = htons(0); /* Have bind allocate a random port */ - bind_addr.sin_addr.s_addr = htonl(INADDR_ANY); - bzero(&(bind_addr.sin_zero), 8); + memset(&hints, 0, sizeof(hints)); + hints.ai_family = server_ai->ai_family; + hints.ai_socktype = server_ai->ai_socktype; + hints.ai_protocol = server_ai->ai_protocol; + hints.ai_flags = AI_PASSIVE; - if ((proto = getprotobyname("udp")) == NULL) { - fprintf(stderr, "Error: getprotobyname call failed"); + if ((ret = getaddrinfo(NULL, "0", &hints, &res)) != 0) { + fprintf(stderr, + "Error: getaddrinfo for bind socket failed: %s\n", + gai_strerror(ret)); return (-1); } - if ((sock = socket(PF_INET, SOCK_DGRAM, proto->p_proto)) == -1) { + if ((sock = socket(res->ai_family, SOCK_DGRAM, + res->ai_protocol)) == -1) { fprintf(stderr, "Error: socket call failed"); - return (-1); + goto fail; } - if (bind(sock, (struct sockaddr *)&bind_addr, sizeof(struct sockaddr)) - == -1) { - fprintf(stderr, "Error: bind call failed"); - return (-1); +#if defined(AF_INET6) && defined(IPV6_V6ONLY) + if (res->ai_family == AF_INET6) { + int on = 1; + + if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, + &on, sizeof(on)) == -1) { + fprintf(stderr, + "Warning: setsockopt(IPV6_V6ONLY) failed\n"); + } } +#endif + + if (bind(sock, res->ai_addr, res->ai_addrlen) == -1) + fprintf(stderr, "Error: bind call failed"); + + freeaddrinfo(res); bufsize = 1024 * socket_bufsize; 
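Review bot: a failed bind() no longer aborts open_socket(): the new code prints "Error: bind call failed" and falls through to return the unbound socket, whereas the removed code returned -1. Since getaddrinfo() has already succeeded at that point, the error path should close the descriptor and take the existing `fail:` label (which sits in the next hunk); the socket() and bind() messages also lack a trailing newline, unlike the other diagnostics in this hunk.
```c
	if (bind(sock, res->ai_addr, res->ai_addrlen) == -1) {
		fprintf(stderr, "Error: bind call failed\n");
		close(sock);
		goto fail;
	}

	freeaddrinfo(res);
	/* … unchanged: socket buffer size setup … */
```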
@@ -628,32 +706,80 @@ open_socket(void) { if (ret < 0) fprintf(stderr, "Warning: setsockbuf(SO_SNDBUF) failed\n"); - query_socket = sock; - - return (0); + return (sock); + + fail: + if (res) + freeaddrinfo(res); + return (-1); } /* * close_socket: - * Close the query socket + * Close the query socket(s) * * Return -1 on failure * Return a non-negative integer otherwise */ int close_socket(void) { - if (query_socket != 0) { - if (close(query_socket) != 0) { - fprintf(stderr, "Error: unable to close socket\n"); + if (socket4 != -1) { + if (close(socket4) != 0) { + fprintf(stderr, + "Error: unable to close IPv4 socket\n"); return (-1); } } - query_socket = 0; + if (socket6 != -1) { + if (close(socket6) != 0) { + fprintf(stderr, + "Error: unable to close IPv6 socket\n"); + return (-1); + } + } + + query_socket = -1; return (0); } +/* + * change_socket: + * Choose an appropriate socket according to the address family of the + * current server. Open a new socket if necessary. + * + * Return -1 on failure + * Return the socket identifier + */ +int +change_socket(void) { + int s, *sockp; + + switch (server_ai->ai_family) { + case AF_INET: + sockp = &socket4; + break; +#ifdef AF_INET6 + case AF_INET6: + sockp = &socket6; + break; +#endif + default: + fprintf(stderr, "unexpected address family: %d\n", + server_ai->ai_family); + exit(1); + } + + if (*sockp == -1) { + if ((s = open_socket()) == -1) + return (-1); + *sockp = s; + } + + return (*sockp); +} + /* * setup: * Set configuration options from command line arguments @@ -664,11 +790,6 @@ close_socket(void) { */ int setup(int argc, char **argv) { - qaddr.sin_family = AF_INET; - qaddr.sin_port = htons(0); - qaddr.sin_addr.s_addr = htonl(INADDR_ANY); - bzero(&(qaddr.sin_zero), 8); - set_input_stdin(); if (set_max_queries(DEF_MAX_QUERIES_OUTSTANDING) == -1) { 
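Review bot: close_socket() closes socket4/socket6 but never resets them to -1, so after a close a later change_socket() sees `*sockp != -1` and hands back a closed (or, worse, since-reused) descriptor, and a second close_socket() closes whatever now owns that number; add `socket4 = -1;` after the successful close(socket4) and `socket6 = -1;` after close(socket6). change_socket()'s header says it returns -1 on failure, but the default arm calls exit(1); either document the exit in the header or return -1 and let the caller decide. The `query_socket = -1;` at the end of close_socket() is correct for the new -1 sentinel.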
@@ -697,7 +818,10 @@ setup(int argc, char **argv) { if (open_datafile() == -1) return (-1); - if (open_socket() == -1) + if (set_server_sa() == -1) + return (-1); + + if ((query_socket = change_socket()) == -1) return (-1); return (0); @@ -733,7 +857,7 @@ difftv(struct timeval tv1, struct timeval tv2) { diff = (double)diff_sec + ((double)diff_usec / 1000000.0); - return diff; + return (diff); } /* @@ -875,6 +999,7 @@ update_config(char *config_change_desc) { unsigned int uint_val; int directive_number; int check; + int old_af; if (ignore_config_changes == TRUE) { fprintf(stderr, "Ignoring configuration change: %s", @@ -928,9 +1053,29 @@ update_config(char *config_change_desc) { return; } - if (set_server(config_value) == -1) + if (set_server(config_value) == -1) { fprintf(stderr, "Set server error: unable to change " "the server name to '%s'\n", config_value); + return; + } + + old_af = server_ai->ai_family; + if (set_server_sa() == -1) { + fprintf(stderr, "Set server error: unable to resolve " + "a new server '%s'\n", + config_value); + return; + } + if (old_af != server_ai->ai_family) { + if ((query_socket = change_socket()) == -1) { + /* XXX: this is fatal */ + fprintf(stderr, "Set server error: " + "unable to open a new socket " + "for '%s'\n", config_value); + exit(1); + } + } + break; case V_PORT: @@ -943,9 +1088,15 @@ update_config(char *config_change_desc) { check = is_uint(config_value, &uint_val); if ((check == TRUE) && (uint_val > 0)) { - if (set_server_port(uint_val) == -1) { + if (set_server_port(config_value) == -1) { fprintf(stderr, "Invalid config: Bad value for" " %s: %s\n", directive, config_value); + } else { + if (set_server_sa() == -1) { + fprintf(stderr, + "Failed to set a new port\n"); + return; + } } } else fprintf(stderr, "Invalid config: Bad value for " 
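Review bot: in the V_SERVER branch of update_config(), set_server() has already overwritten server_to_query by the time set_server_sa() fails, so on a resolution error the stored name says the new server while server_ai (and every subsequent sendto) still targets the old address; either save the previous name and restore it on failure, or resolve into a local addrinfo first and commit both only on success. Comparing `old_af` against server_ai->ai_family only after a successful set_server_sa() is right, but a short comment that the per-family socket cache makes the swap cheap would explain why change_socket() is called only on a family change. The enclosing switch continues outside the hunk.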
@@ -1098,7 +1249,7 @@ dispatch_query(unsigned short int id, char *dom, int qt) { packet_buffer[1] = id_ptr[1]; bytes_sent = sendto(query_socket, packet_buffer, buffer_len, 0, - (struct sockaddr *)&qaddr, sockaddrlen); + server_ai->ai_addr, server_ai->ai_addrlen); if (bytes_sent == -1) { fprintf(stderr, "Failed to send query packet: %s %d\n", dom, qt); @@ -1121,6 +1272,7 @@ send_query(char *query_desc) { static unsigned short int use_query_id = 0; static int qname_len = MAX_DOMAIN_LEN; static char domain[MAX_DOMAIN_LEN + 1]; + char serveraddr[NI_MAXHOST]; int query_type; unsigned int count; @@ -1132,14 +1284,30 @@ send_query(char *query_desc) { } if (dispatch_query(use_query_id, domain, query_type) == -1) { - fprintf(stderr, "Error sending query: %s\n", query_desc); + char *addrstr; + + if (getnameinfo(server_ai->ai_addr, server_ai->ai_addrlen, + serveraddr, sizeof(serveraddr), NULL, 0, + NI_NUMERICHOST) == 0) { + addrstr = serveraddr; + } else + addrstr = "???"; /* XXX: this should not happen */ + fprintf(stderr, "Error sending query to %s: %s\n", + addrstr, query_desc); return; } if (setup_phase == TRUE) { set_timenow(&time_of_first_query); setup_phase = FALSE; - printf("[Status] Sending queries\n"); + if (getnameinfo(server_ai->ai_addr, server_ai->ai_addrlen, + serveraddr, sizeof(serveraddr), NULL, 0, + NI_NUMERICHOST) != 0) { + fprintf(stderr, "Error printing server address\n"); + return; + } + printf("[Status] Sending queries (beginning with %s)\n", + serveraddr); } /* Find the first slot in status[] that is not in use */ 
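Review bot: In the `@@ -1132` hunk of send_query(), the new `return` after "Error printing server address" fires after dispatch_query() has already put the packet on the wire, so that query never reaches the status[] slot search that follows nor the `num_queries_outstanding++` at the end of the function, and its response will later arrive for an untracked id. A formatting failure should not change the bookkeeping: reuse the `"???"` fallback from the error path above and keep going, e.g. with a function-scope `const char *addrstr` set to `serveraddr` or `"???"` and then `printf("[Status] Sending queries (beginning with %s)\n", addrstr);` with no return. The getnameinfo(server_ai->ai_addr, ..., NI_NUMERICHOST) call is now duplicated verbatim in this function; a small static helper such as `server_addr_str(char *buf, size_t len)` returning the string or "???" would remove the copy. send_query() continues outside the hunk.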
@@ -1163,39 +1331,6 @@ send_query(char *query_desc) { num_queries_outstanding++; } -/* - * data_available: - * Is there data available on the given file descriptor? - * - * Return TRUE if there is - * Return FALSE otherwise - */ -int -data_available(int fd, double wait) { - fd_set read_fds; - struct timeval tv; - int retval; - - /* Set list of file descriptors */ - FD_ZERO(&read_fds); - FD_SET(fd, &read_fds); - - if ((wait > 0.0) && (wait < (double)LONG_MAX)) { - tv.tv_sec = (long)floor(wait); - tv.tv_usec = (long)(1000000.0 * (wait - floor(wait))); - } else { - tv.tv_sec = 0; - tv.tv_usec = 0; - } - - retval = select(fd + 1, &read_fds, NULL, NULL, &tv); - - if (FD_ISSET(fd, &read_fds)) - return (TRUE); - else - return (FALSE); -} - /* * register_response: * Register receipt of a query @@ -1236,15 +1371,18 @@ register_response(unsigned short int id, unsigned int rcode) { */ void process_single_response(int sockfd) { - static struct sockaddr_in from_addr; + struct sockaddr_storage from_addr_ss; + struct sockaddr *from_addr; static unsigned char in_buf[MAX_BUFFER_LEN]; int numbytes, addr_len, resp_id; int flags; - addr_len = sizeof(struct sockaddr); + memset(&from_addr_ss, 0, sizeof(from_addr_ss)); + from_addr = (struct sockaddr *)&from_addr_ss; + addr_len = sizeof(from_addr_ss); if ((numbytes = recvfrom(sockfd, in_buf, MAX_BUFFER_LEN, - 0, (struct sockaddr *)&from_addr, &addr_len)) == -1) { + 0, from_addr, &addr_len)) == -1) { fprintf(stderr, "Error receiving datagram\n"); return; } 
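Review bot: process_single_response() now reads the peer address into from_addr_ss, but nothing in the hunk compares it against server_ai->ai_addr, so a datagram from any source carrying a matching 16-bit id is counted as a response by register_response(); the rest of the function lies outside the hunk, so this applies only if no such check exists there. For a tool whose output is latency and loss statistics, a stray or forged reply skewing the numbers is worth guarding against: compare `from_addr->sa_family` and the address/port bytes with `server_ai->ai_addr` and drop mismatches under a counter that is reported with the other statistics. `addr_len` is still an `int` passed where recvfrom() expects `socklen_t *`; the declaration is a context line here, but since `addr_len = sizeof(from_addr_ss);` is new it is a cheap fix to make alongside.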
@@ -1255,6 +1393,55 @@ process_single_response(int sockfd) { register_response(resp_id, flags & 0xF); } +/* + * data_available: + * Is there data available on the given file descriptor? + * + * Return TRUE if there is + * Return FALSE otherwise + */ +int +data_available(double wait) { + fd_set read_fds; + struct timeval tv; + int retval; + int available = FALSE; + int maxfd = -1; + + /* Set list of file descriptors */ + FD_ZERO(&read_fds); + if (socket4 != -1) { + FD_SET(socket4, &read_fds); + maxfd = socket4; + } + if (socket6 != -1) { + FD_SET(socket6, &read_fds); + if (maxfd == -1 || maxfd < socket6) + maxfd = socket6; + } + + if ((wait > 0.0) && (wait < (double)LONG_MAX)) { + tv.tv_sec = (long)floor(wait); + tv.tv_usec = (long)(1000000.0 * (wait - floor(wait))); + } else { + tv.tv_sec = 0; + tv.tv_usec = 0; + } + + retval = select(maxfd + 1, &read_fds, NULL, NULL, &tv); + + if (socket4 != -1 && FD_ISSET(socket4, &read_fds)) { + available = TRUE; + process_single_response(socket4); + } + if (socket6 != -1 && FD_ISSET(socket6, &read_fds)) { + available = TRUE; + process_single_response(socket6); + } + + return (available); +} + /* * process_responses: * Go through any/all received responses and remove them from the list of @@ -1274,11 +1461,9 @@ process_responses(void) { first_packet_wait = 0.0; } - if (data_available(query_socket, first_packet_wait) == TRUE) { - process_single_response(query_socket); - - while (data_available(query_socket, 0.0) == TRUE) - process_single_response(query_socket); + if (data_available(first_packet_wait) == TRUE) { + while (data_available(0.0) == TRUE) + ; } } @@ -1393,9 +1578,10 @@ print_statistics(void) { printf("\n"); - printf(" Started at: %s", ctime(&start_time.tv_sec)); + printf(" Started at: %s", + ctime((const time_t *)&start_time.tv_sec)); printf(" Finished at: %s", - ctime(&time_of_end_of_run.tv_sec)); + ctime((const time_t *)&time_of_end_of_run.tv_sec)); printf(" Ran for: %.6lf seconds\n", run_time); printf("\n"); 
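Review bot: In data_available(), `retval` from select() is stored but never examined, so when select() fails (for instance with EINTR) the contents of read_fds are unspecified and FD_ISSET() may report a socket as readable, sending process_single_response() into a recvfrom() that can block. Guard before the FD_ISSET checks: `if (retval <= 0) return (FALSE);` (optionally with a perror when errno is not EINTR). With both sockets at -1, maxfd stays -1 and select(0, ...) is called with an empty set, which merely sleeps for the timeout; an early `if (maxfd == -1) return (FALSE);` documents the intent. The function now reads as a side effect despite its "Is there data available" comment; saying that it also drains one response per ready socket would help the reader of the new `while (data_available(0.0) == TRUE) ;` loop in process_responses().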
From 234ef071da767c70518b887c5a913687b05b19e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?= Date: Wed, 12 May 2004 07:06:40 +0000 Subject: [PATCH 095/146] missing files --- contrib/queryperf/missing/addrinfo.h | 100 ++++ contrib/queryperf/missing/getaddrinfo.c | 632 ++++++++++++++++++++++++ contrib/queryperf/missing/getnameinfo.c | 226 +++++++++ 3 files changed, 958 insertions(+) create mode 100644 contrib/queryperf/missing/addrinfo.h create mode 100644 contrib/queryperf/missing/getaddrinfo.c create mode 100644 contrib/queryperf/missing/getnameinfo.c diff --git a/contrib/queryperf/missing/addrinfo.h b/contrib/queryperf/missing/addrinfo.h new file mode 100644 index 0000000000..54a5e85bd8 --- /dev/null +++ b/contrib/queryperf/missing/addrinfo.h 
@@ -0,0 +1,100 @@ +/* + * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the project nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#ifndef HAVE_GETADDRINFO + +/* + * Error return codes from getaddrinfo() + */ +#define EAI_ADDRFAMILY 1 /* address family for hostname not supported */ +#define EAI_AGAIN 2 /* temporary failure in name resolution */ +#define EAI_BADFLAGS 3 /* invalid value for ai_flags */ +#define EAI_FAIL 4 /* non-recoverable failure in name resolution */ +#define EAI_FAMILY 5 /* ai_family not supported */ +#define EAI_MEMORY 6 /* memory allocation failure */ +#define EAI_NODATA 7 /* no address associated with hostname */ +#define EAI_NONAME 8 /* hostname nor servname provided, or not known */ +#define EAI_SERVICE 9 /* servname not supported for ai_socktype */ +#define EAI_SOCKTYPE 10 /* ai_socktype not supported */ +#define EAI_SYSTEM 11 /* system error returned in errno */ +#define EAI_BADHINTS 12 +#define EAI_PROTOCOL 13 +#define EAI_MAX 14 + +/* + * Flag values for getaddrinfo() + */ +#define AI_PASSIVE 0x00000001 /* get address to use bind() */ +#define AI_CANONNAME 0x00000002 /* fill ai_canonname */ +#define AI_NUMERICHOST 0x00000004 /* prevent name resolution */ +/* valid flags for addrinfo */ +#define AI_MASK (AI_PASSIVE | AI_CANONNAME | AI_NUMERICHOST) + +#define AI_ALL 0x00000100 /* IPv6 and IPv4-mapped (with AI_V4MAPPED) */ +#define AI_V4MAPPED_CFG 0x00000200 /* accept IPv4-mapped if kernel supports */ +#define AI_ADDRCONFIG 0x00000400 /* only if any address is assigned */ +#define AI_V4MAPPED 0x00000800 /* accept IPv4-mapped IPv6 address */ +/* special recommended flags for getipnodebyname */ +#define AI_DEFAULT (AI_V4MAPPED_CFG | AI_ADDRCONFIG) + +/* + * Constants for getnameinfo() + */ +#define NI_MAXHOST 1025 +#define NI_MAXSERV 32 + +/* + * Flag values for getnameinfo() + */ +#define NI_NOFQDN 0x00000001 +#define NI_NUMERICHOST 0x00000002 +#define NI_NAMEREQD 0x00000004 +#define NI_NUMERICSERV 0x00000008 +#define NI_DGRAM 0x00000010 + +struct addrinfo { + int ai_flags; /* AI_PASSIVE, AI_CANONNAME */ + int ai_family; /* PF_xxx */ + int ai_socktype; /* 
SOCK_xxx */ + int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */ + size_t ai_addrlen; /* length of ai_addr */ + char *ai_canonname; /* canonical name for hostname */ + struct sockaddr *ai_addr; /* binary address */ + struct addrinfo *ai_next; /* next structure in linked list */ +}; + +struct sockaddr_storage { + u_char __ss_len; + u_char __ss_family; + u_char fill[126]; +}; + +extern void freehostent(struct hostent *); +extern char *gai_strerror(int); +#endif diff --git a/contrib/queryperf/missing/getaddrinfo.c b/contrib/queryperf/missing/getaddrinfo.c new file mode 100644 index 0000000000..69eb748c0f --- /dev/null +++ b/contrib/queryperf/missing/getaddrinfo.c 
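Review bot: The fallback `struct sockaddr_storage` in addrinfo.h is three u_char members, so it has byte alignment and the `__ss_len`/`__ss_family` layout of a sa_len platform, whereas the queryperf code in this series casts a stack `sockaddr_storage` to `struct sockaddr *` for recvfrom() and then reads sa_family; on a platform without sa_len the two-byte family field and the alignment required by sockaddr_in6 are not guaranteed by this definition. Aligning the fallback as the system headers do, e.g. a leading `int64_t __ss_align;` or a union with `struct sockaddr_in6`, and making the first two members depend on HAVE_SA_LEN would avoid a misaligned access on strict architectures. A comment above the struct stating that it is only a placeholder for systems lacking getaddrinfo() and must not be relied on for layout would also help.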
@@ -0,0 +1,632 @@ +/* + * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the project nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "addrinfo.h" + +#define SUCCESS 0 +#define ANY 0 +#define YES 1 +#define NO 0 + +static const char in_addrany[] = { 0, 0, 0, 0 }; +static const char in6_addrany[] = { + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 +}; +static const char in_loopback[] = { 127, 0, 0, 1 }; +static const char in6_loopback[] = { + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 +}; + +struct sockinet { + u_char si_len; + u_char si_family; + u_short si_port; +}; + +static struct afd { + int a_af; + int a_addrlen; + int a_socklen; + int a_off; + const char *a_addrany; + const char *a_loopback; +} afdl [] = { +#ifdef INET6 +#define N_INET6 0 + {PF_INET6, sizeof(struct in6_addr), + sizeof(struct sockaddr_in6), + offsetof(struct sockaddr_in6, sin6_addr), + in6_addrany, in6_loopback}, +#define N_INET 1 +#else +#define N_INET 0 +#endif + {PF_INET, sizeof(struct in_addr), + sizeof(struct sockaddr_in), + offsetof(struct sockaddr_in, sin_addr), + in_addrany, in_loopback}, + {0, 0, 0, 0, NULL, NULL}, +}; + +#ifdef INET6 +#define PTON_MAX 16 +#else +#define PTON_MAX 4 +#endif + + +static int get_name(const char *, struct afd *, + struct addrinfo **, char *, struct addrinfo *, + int); +static int get_addr(const char *, int, struct addrinfo **, + struct addrinfo *, int); +static int get_addr0(const char *, int, struct addrinfo **, + struct addrinfo *, int); +static int str_isnumber(const char *); + +static char *ai_errlist[] = { + "Success", + "Address family for hostname not supported", /* EAI_ADDRFAMILY */ + "Temporary failure in name resolution", /* EAI_AGAIN */ + "Invalid value for ai_flags", /* EAI_BADFLAGS */ + "Non-recoverable failure in name resolution", /* EAI_FAIL */ + "ai_family not supported", /* EAI_FAMILY */ + "Memory allocation failure", /* EAI_MEMORY */ + "No address associated with hostname", /* EAI_NODATA */ + "hostname nor servname 
provided, or not known",/* EAI_NONAME */ + "servname not supported for ai_socktype", /* EAI_SERVICE */ + "ai_socktype not supported", /* EAI_SOCKTYPE */ + "System error returned in errno", /* EAI_SYSTEM */ + "Invalid value for hints", /* EAI_BADHINTS */ + "Resolved protocol is unknown", /* EAI_PROTOCOL */ + "Unknown error", /* EAI_MAX */ +}; + +#define GET_CANONNAME(ai, str) \ +if (pai->ai_flags & AI_CANONNAME) {\ + if (((ai)->ai_canonname = (char *)malloc(strlen(str) + 1)) != NULL) {\ + strcpy((ai)->ai_canonname, (str));\ + } else {\ + error = EAI_MEMORY;\ + goto free;\ + }\ +} + +#ifdef HAVE_SA_LEN +#define SET_AILEN(ai,l) (ai)->ai_addr->sa_len = (ai)->ai_addrlen = (l) +#else +#define SET_AILEN(ai,l) (ai)->ai_addrlen = (l) +#endif + +#define GET_AI(ai, afd, addr, port) {\ + char *p;\ + if (((ai) = (struct addrinfo *)malloc(sizeof(struct addrinfo) +\ + ((afd)->a_socklen)))\ + == NULL) {\ + error = EAI_MEMORY;\ + goto free;\ + }\ + memcpy(ai, pai, sizeof(struct addrinfo));\ + (ai)->ai_addr = (struct sockaddr *)((ai) + 1);\ + memset((ai)->ai_addr, 0, (afd)->a_socklen);\ + SET_AILEN((ai), (afd)->a_socklen);\ + (ai)->ai_addr->sa_family = (ai)->ai_family = (afd)->a_af;\ + ((struct sockinet *)(ai)->ai_addr)->si_port = port;\ + p = (char *)((ai)->ai_addr);\ + memcpy(p + (afd)->a_off, (addr), (afd)->a_addrlen);\ +} + +#define ERR(err) { error = (err); goto bad; } + +char * +gai_strerror(ecode) + int ecode; +{ + if (ecode < 0 || ecode > EAI_MAX) + ecode = EAI_MAX; + return ai_errlist[ecode]; +} + +void +freeaddrinfo(ai) + struct addrinfo *ai; +{ + struct addrinfo *next; + + do { + next = ai->ai_next; + if (ai->ai_canonname) + free(ai->ai_canonname); + /* no need to free(ai->ai_addr) */ + free(ai); + } while ((ai = next) != NULL); +} + +static int +str_isnumber(p) + const char *p; +{ + char *q = (char *)p; + while (*q) { + if (! 
isdigit(*q)) + return NO; + q++; + } + return YES; +} + +int +getaddrinfo(hostname, servname, hints, res) + const char *hostname, *servname; + const struct addrinfo *hints; + struct addrinfo **res; +{ + struct addrinfo sentinel; + struct addrinfo *top = NULL; + struct addrinfo *cur; + int i, error = 0; + char pton[PTON_MAX]; + struct addrinfo ai; + struct addrinfo *pai; + u_short port; + + /* initialize file static vars */ + sentinel.ai_next = NULL; + cur = &sentinel; + pai = &ai; + pai->ai_flags = 0; + pai->ai_family = PF_UNSPEC; + pai->ai_socktype = ANY; + pai->ai_protocol = ANY; + pai->ai_addrlen = 0; + pai->ai_canonname = NULL; + pai->ai_addr = NULL; + pai->ai_next = NULL; + port = ANY; + + if (hostname == NULL && servname == NULL) + return EAI_NONAME; + if (hints) { + /* error check for hints */ + if (hints->ai_addrlen || hints->ai_canonname || + hints->ai_addr || hints->ai_next) + ERR(EAI_BADHINTS); /* xxx */ + if (hints->ai_flags & ~AI_MASK) + ERR(EAI_BADFLAGS); + switch (hints->ai_family) { + case PF_UNSPEC: + case PF_INET: +#ifdef INET6 + case PF_INET6: +#endif + break; + default: + ERR(EAI_FAMILY); + } + memcpy(pai, hints, sizeof(*pai)); + switch (pai->ai_socktype) { + case ANY: + switch (pai->ai_protocol) { + case ANY: + break; + case IPPROTO_UDP: + pai->ai_socktype = SOCK_DGRAM; + break; + case IPPROTO_TCP: + pai->ai_socktype = SOCK_STREAM; + break; + default: + pai->ai_socktype = SOCK_RAW; + break; + } + break; + case SOCK_RAW: + break; + case SOCK_DGRAM: + if (pai->ai_protocol != IPPROTO_UDP && + pai->ai_protocol != ANY) + ERR(EAI_BADHINTS); /*xxx*/ + pai->ai_protocol = IPPROTO_UDP; + break; + case SOCK_STREAM: + if (pai->ai_protocol != IPPROTO_TCP && + pai->ai_protocol != ANY) + ERR(EAI_BADHINTS); /*xxx*/ + pai->ai_protocol = IPPROTO_TCP; + break; + default: + ERR(EAI_SOCKTYPE); + break; + } + } + + /* + * service port + */ + if (servname) { + if (str_isnumber(servname)) { + if (pai->ai_socktype == ANY) { + /* caller accept *ANY* socktype */ + 
pai->ai_socktype = SOCK_DGRAM; + pai->ai_protocol = IPPROTO_UDP; + } + port = htons(atoi(servname)); + } else { + struct servent *sp; + char *proto; + + proto = NULL; + switch (pai->ai_socktype) { + case ANY: + proto = NULL; + break; + case SOCK_DGRAM: + proto = "udp"; + break; + case SOCK_STREAM: + proto = "tcp"; + break; + default: + fprintf(stderr, "panic!\n"); + break; + } + if ((sp = getservbyname(servname, proto)) == NULL) + ERR(EAI_SERVICE); + port = sp->s_port; + if (pai->ai_socktype == ANY) { + if (strcmp(sp->s_proto, "udp") == 0) { + pai->ai_socktype = SOCK_DGRAM; + pai->ai_protocol = IPPROTO_UDP; + } else if (strcmp(sp->s_proto, "tcp") == 0) { + pai->ai_socktype = SOCK_STREAM; + pai->ai_protocol = IPPROTO_TCP; + } else + ERR(EAI_PROTOCOL); /*xxx*/ + } + } + } + + /* + * hostname == NULL. + * passive socket -> anyaddr (0.0.0.0 or ::) + * non-passive socket -> localhost (127.0.0.1 or ::1) + */ + if (hostname == NULL) { + struct afd *afd; + int s; + + for (afd = &afdl[0]; afd->a_af; afd++) { + if (!(pai->ai_family == PF_UNSPEC + || pai->ai_family == afd->a_af)) { + continue; + } + + /* + * filter out AFs that are not supported by the kernel + * XXX errno? + */ + s = socket(afd->a_af, SOCK_DGRAM, 0); + if (s < 0) + continue; + close(s); + + if (pai->ai_flags & AI_PASSIVE) { + GET_AI(cur->ai_next, afd, afd->a_addrany, port); + /* xxx meaningless? + * GET_CANONNAME(cur->ai_next, "anyaddr"); + */ + } else { + GET_AI(cur->ai_next, afd, afd->a_loopback, + port); + /* xxx meaningless? 
+ * GET_CANONNAME(cur->ai_next, "localhost"); + */ + } + cur = cur->ai_next; + } + top = sentinel.ai_next; + if (top) + goto good; + else + ERR(EAI_FAMILY); + } + + /* hostname as numeric name */ + for (i = 0; afdl[i].a_af; i++) { + if (inet_pton(afdl[i].a_af, hostname, pton) == 1) { + u_long v4a; + u_char pfx; + + switch (afdl[i].a_af) { + case AF_INET: + v4a = ntohl(((struct in_addr *)pton)->s_addr); + if (IN_MULTICAST(v4a) || IN_EXPERIMENTAL(v4a)) + pai->ai_flags &= ~AI_CANONNAME; + v4a >>= IN_CLASSA_NSHIFT; + if (v4a == 0 || v4a == IN_LOOPBACKNET) + pai->ai_flags &= ~AI_CANONNAME; + break; +#ifdef INET6 + case AF_INET6: + pfx = ((struct in6_addr *)pton)->s6_addr[0]; + if (pfx == 0 || pfx == 0xfe || pfx == 0xff) + pai->ai_flags &= ~AI_CANONNAME; + break; +#endif + } + + if (pai->ai_family == afdl[i].a_af || + pai->ai_family == PF_UNSPEC) { + if (! (pai->ai_flags & AI_CANONNAME)) { + GET_AI(top, &afdl[i], pton, port); + goto good; + } + /* + * if AI_CANONNAME and if reverse lookup + * fail, return ai anyway to pacify + * calling application. + * + * XXX getaddrinfo() is a name->address + * translation function, and it looks strange + * that we do addr->name translation here. 
+ */ + get_name(pton, &afdl[i], &top, pton, pai, port); + goto good; + } else + ERR(EAI_FAMILY); /*xxx*/ + } + } + + if (pai->ai_flags & AI_NUMERICHOST) + ERR(EAI_NONAME); + + /* hostname as alphabetical name */ + error = get_addr(hostname, pai->ai_family, &top, pai, port); + if (error == 0) { + if (top) { + good: + *res = top; + return SUCCESS; + } else + error = EAI_FAIL; + } + free: + if (top) + freeaddrinfo(top); + bad: + *res = NULL; + return error; +} + +static int +get_name(addr, afd, res, numaddr, pai, port0) + const char *addr; + struct afd *afd; + struct addrinfo **res; + char *numaddr; + struct addrinfo *pai; + int port0; +{ + u_short port = port0 & 0xffff; + struct hostent *hp; + struct addrinfo *cur; + int error = 0; + hp = gethostbyaddr(addr, afd->a_addrlen, afd->a_af); + if (hp && hp->h_name && hp->h_name[0] && hp->h_addr_list[0]) { + GET_AI(cur, afd, hp->h_addr_list[0], port); + GET_CANONNAME(cur, hp->h_name); + } else + GET_AI(cur, afd, numaddr, port); + + *res = cur; + return SUCCESS; + free: + if (cur) + freeaddrinfo(cur); + + /* bad: */ + *res = NULL; + return error; +} + +static int +get_addr(hostname, af, res0, pai, port0) + const char *hostname; + int af; + struct addrinfo **res0; + struct addrinfo *pai; + int port0; +{ + int i, error, ekeep; + struct addrinfo *cur; + struct addrinfo **res; + int retry; + int s; + + res = res0; + ekeep = 0; + error = 0; + for (i = 0; afdl[i].a_af; i++) { + retry = 0; + if (af == AF_UNSPEC) { + /* + * filter out AFs that are not supported by the kernel + * XXX errno? + */ + s = socket(afdl[i].a_af, SOCK_DGRAM, 0); + if (s < 0) + continue; + close(s); + } else { + if (af != afdl[i].a_af) + continue; + } + /* It is WRONG, we need getipnodebyname(). 
*/ +again: + error = get_addr0(hostname, afdl[i].a_af, res, pai, port0); + switch (error) { + case EAI_AGAIN: + if (++retry < 3) + goto again; + /* FALL THROUGH*/ + default: + if (ekeep == 0) + ekeep = error; + break; + } + if (*res) { + /* make chain of addrs */ + for (cur = *res; + cur && cur->ai_next; + cur = cur->ai_next) + ; + if (!cur) + return EAI_FAIL; + res = &cur->ai_next; + } + } + + /* if we got something, it's okay */ + if (*res0) + return 0; + + return error ? error : ekeep; +} + +static int +get_addr0(hostname, af, res, pai, port0) + const char *hostname; + int af; + struct addrinfo **res; + struct addrinfo *pai; + int port0; +{ + u_short port = port0 & 0xffff; + struct addrinfo sentinel; + struct hostent *hp; + struct addrinfo *top, *cur; + struct afd *afd; + int i, error = 0, h_error; + char *ap; + + top = NULL; + sentinel.ai_next = NULL; + cur = &sentinel; + +#ifdef HAVE_GETHOSTBYNAME2 + if (af == AF_UNSPEC) { + error = EAI_FAIL; + goto bad; + } + hp = gethostbyname2(hostname, af); +#else + if (af != AF_UNSPEC && af != AF_INET) { + error = EAI_FAIL; + goto bad; + } + hp = gethostbyname(hostname); +#endif + h_error = h_errno; + + if (hp == NULL) { + switch (h_error) { + case HOST_NOT_FOUND: + case NO_DATA: + error = EAI_NODATA; + break; + case TRY_AGAIN: + error = EAI_AGAIN; + break; + case NO_RECOVERY: + case NETDB_INTERNAL: + default: + error = EAI_FAIL; + break; + } + goto bad; + } + + if ((hp->h_name == NULL) || (hp->h_name[0] == 0) || + (hp->h_addr_list[0] == NULL)) + ERR(EAI_FAIL); + + for (i = 0; (ap = hp->h_addr_list[i]) != NULL; i++) { + switch (af) { +#ifdef INET6 + case AF_INET6: + afd = &afdl[N_INET6]; + break; +#endif +#ifndef INET6 + default: /* AF_UNSPEC */ +#endif + case AF_INET: + afd = &afdl[N_INET]; + break; +#ifdef INET6 + default: /* AF_UNSPEC */ + if (IN6_IS_ADDR_V4MAPPED((struct in6_addr *)ap)) { + ap += sizeof(struct in6_addr) - + sizeof(struct in_addr); + afd = &afdl[N_INET]; + } else + afd = &afdl[N_INET6]; + break; 
+#endif + } + GET_AI(cur->ai_next, afd, ap, port); + if (cur == &sentinel) { + top = cur->ai_next; + GET_CANONNAME(top, hp->h_name); + } + cur = cur->ai_next; + } + *res = top; + return SUCCESS; + free: + if (top) + freeaddrinfo(top); + bad: + *res = NULL; + return error; +} diff --git a/contrib/queryperf/missing/getnameinfo.c b/contrib/queryperf/missing/getnameinfo.c new file mode 100644 index 0000000000..6b1cbe113f --- /dev/null +++ b/contrib/queryperf/missing/getnameinfo.c 
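Review bot: In getaddrinfo(), a numeric servname is converted with `port = htons(atoi(servname));` after str_isnumber(), which accepts the empty string and performs no range check, so "" becomes port 0 and values above 65535 silently wrap. Parse with strtoul and reject out-of-range input instead (declaring `unsigned long p; char *ep;`): `p = strtoul(servname, &ep, 10); if (*servname == '\0' || *ep != '\0' || p > 65535) ERR(EAI_SERVICE); port = htons((u_short)p);`. The `fprintf(stderr, "panic!\n")` for an unexpected ai_socktype should be unreachable after the hints validation above; returning EAI_SOCKTYPE there keeps a library routine from writing to stderr.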
@@ -0,0 +1,226 @@ +/* + * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the project nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* + * Issues to be discussed: + * - Thread safe-ness must be checked + * - Return values. There seems to be no standard for return value (RFC2553) + * but INRIA implementation returns EAI_xxx defined for getaddrinfo(). 
+ */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "addrinfo.h" + +#define SUCCESS 0 +#define ANY 0 +#define YES 1 +#define NO 0 + +static struct afd { + int a_af; + int a_addrlen; + int a_socklen; + int a_off; +} afdl [] = { +#ifdef INET6 + {PF_INET6, sizeof(struct in6_addr), sizeof(struct sockaddr_in6), + offsetof(struct sockaddr_in6, sin6_addr)}, +#endif + {PF_INET, sizeof(struct in_addr), sizeof(struct sockaddr_in), + offsetof(struct sockaddr_in, sin_addr)}, + {0, 0, 0}, +}; + +struct sockinet { + u_char si_len; + u_char si_family; + u_short si_port; +}; + +#define ENI_NOSOCKET 0 +#define ENI_NOSERVNAME 1 +#define ENI_NOHOSTNAME 2 +#define ENI_MEMORY 3 +#define ENI_SYSTEM 4 +#define ENI_FAMILY 5 +#define ENI_SALEN 6 + +int +getnameinfo(sa, salen, host, hostlen, serv, servlen, flags) + const struct sockaddr *sa; + size_t salen; + char *host; + size_t hostlen; + char *serv; + size_t servlen; + int flags; +{ + struct afd *afd; + struct servent *sp; + struct hostent *hp; + u_short port; + int family, len, i; + char *addr, *p; + u_long v4a; + int h_error; + char numserv[512]; + char numaddr[512]; + + if (sa == NULL) + return ENI_NOSOCKET; + +#ifdef HAVE_SA_LEN + len = sa->sa_len; + if (len != salen) return ENI_SALEN; +#else + len = salen; +#endif + + family = sa->sa_family; + for (i = 0; afdl[i].a_af; i++) + if (afdl[i].a_af == family) { + afd = &afdl[i]; + goto found; + } + return ENI_FAMILY; + + found: + if (len != afd->a_socklen) return ENI_SALEN; + + port = ((struct sockinet *)sa)->si_port; /* network byte order */ + addr = (char *)sa + afd->a_off; + + if (serv == NULL || servlen == 0) { + /* what we should do? */ + } else if (flags & NI_NUMERICSERV) { + snprintf(numserv, sizeof(numserv), "%d", ntohs(port)); + if (strlen(numserv) > servlen) + return ENI_MEMORY; + strcpy(serv, numserv); + } else { + sp = getservbyport(port, (flags & NI_DGRAM) ? 
"udp" : "tcp"); + if (sp) { + if (strlen(sp->s_name) > servlen) + return ENI_MEMORY; + strcpy(serv, sp->s_name); + } else + return ENI_NOSERVNAME; + } + + switch (sa->sa_family) { + case AF_INET: + v4a = ntohl(((struct sockaddr_in *)sa)->sin_addr.s_addr); + if (IN_MULTICAST(v4a) || IN_EXPERIMENTAL(v4a)) + flags |= NI_NUMERICHOST; + v4a >>= IN_CLASSA_NSHIFT; + if (v4a == 0 || v4a == IN_LOOPBACKNET) + flags |= NI_NUMERICHOST; + break; +#ifdef INET6 + case AF_INET6: + { + struct sockaddr_in6 *sin6; + sin6 = (struct sockaddr_in6 *)sa; + switch (sin6->sin6_addr.s6_addr[0]) { + case 0x00: + if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) + ; + else if (IN6_IS_ADDR_LOOPBACK(&sin6->sin6_addr)) + ; + else + flags |= NI_NUMERICHOST; + break; + default: + if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) + flags |= NI_NUMERICHOST; + else if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr)) + flags |= NI_NUMERICHOST; + break; + } + } + break; +#endif + } + if (host == NULL || hostlen == 0) { + /* what should we do? 
*/ + } else if (flags & NI_NUMERICHOST) { + /* NUMERICHOST and NAMEREQD conflicts with each other */ + if (flags & NI_NAMEREQD) + return ENI_NOHOSTNAME; + if (inet_ntop(afd->a_af, addr, numaddr, sizeof(numaddr)) + == NULL) + return ENI_SYSTEM; + if (strlen(numaddr) > hostlen) + return ENI_MEMORY; + strcpy(host, numaddr); + } else { +#ifdef USE_GETIPNODEBY + hp = getipnodebyaddr(addr, afd->a_addrlen, afd->a_af, &h_error); +#else + hp = gethostbyaddr(addr, afd->a_addrlen, afd->a_af); + h_error = h_errno; +#endif + + if (hp) { + if (flags & NI_NOFQDN) { + p = strchr(hp->h_name, '.'); + if (p) *p = '\0'; + } + if (strlen(hp->h_name) > hostlen) { +#ifdef USE_GETIPNODEBY + freehostent(hp); +#endif + return ENI_MEMORY; + } + strcpy(host, hp->h_name); +#ifdef USE_GETIPNODEBY + freehostent(hp); +#endif + } else { + if (flags & NI_NAMEREQD) + return ENI_NOHOSTNAME; + if (inet_ntop(afd->a_af, addr, numaddr, sizeof(numaddr)) + == NULL) + return ENI_NOHOSTNAME; + if (strlen(numaddr) > hostlen) + return ENI_MEMORY; + strcpy(host, numaddr); + } + } + return SUCCESS; +} From 1195e2e1f2853df56d7ec69d2e01a99d44e4d61d Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 12 May 2004 07:40:13 +0000 Subject: [PATCH 096/146] placeholder --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index 758dbacb76..9333b4b1dc 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1634. [placeholder] rt11208 + 1633. [bug] named should return NOTIMP to update requests to a slaves without a allow-update-forwarding acl specified. [RT #11331] From e3421eaa6cebe658a4e6cf77013f39279e0c8468 Mon Sep 17 00:00:00 2001 From: Michael Graff Date: Wed, 12 May 2004 23:01:36 +0000 Subject: [PATCH 097/146] include for NetBSD --- lib/isc/unix/os.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/isc/unix/os.c b/lib/isc/unix/os.c index 7e209531dc..d344938283 100644 --- a/lib/isc/unix/os.c +++ b/lib/isc/unix/os.c 
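Review bot: Every length check in getnameinfo() is off by one: `if (strlen(numserv) > servlen) return ENI_MEMORY; strcpy(serv, numserv);` lets a string exactly servlen bytes long through, and strcpy() then writes the terminating NUL one byte past the caller's buffer; the same `>` appears for sp->s_name, for both inet_ntop() results and for hp->h_name against hostlen. Change each test to `>=` (e.g. `if (strlen(numserv) >= servlen)`), or check `strlen(x) + 1 > len`, so the NUL is counted. Note also that `flags |= NI_NUMERICHOST` is forced for IPv4 loopback, net 0 and multicast before the NI_NAMEREQD conflict check, so a caller passing NI_NAMEREQD for 127.0.0.1 gets ENI_NOHOSTNAME; a comment stating that this is intended would save the next reader a question.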
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: os.c,v 1.13 2004/03/05 05:11:46 marka Exp $ */ +/* $Id: os.c,v 1.14 2004/05/12 23:01:36 explorer Exp $ */ #include @@ -55,7 +55,8 @@ hpux_ncpus(void) { #endif /* __hpux */ #if defined(HAVE_SYS_SYSCTL_H) && defined(HAVE_SYSCTLBYNAME) -#include +#include /* for FreeBSD */ +#include /* for NetBSD */ #include static int From 754ebd37e782356aedbb2987e3c1a8ab4f29574e Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 12 May 2004 23:53:09 +0000 Subject: [PATCH 098/146] newcopyrights --- util/copyrights | 3 +++ 1 file changed, 3 insertions(+) diff --git a/util/copyrights b/util/copyrights index 373cc1cc24..85b1cbda74 100644 --- a/util/copyrights +++ b/util/copyrights @@ -1020,6 +1020,9 @@ ./contrib/queryperf/configure.in X 2001 ./contrib/queryperf/input/sample.0 X 2001 ./contrib/queryperf/input/sample.1 X 2001 +./contrib/queryperf/missing/addrinfo.h X 2004 +./contrib/queryperf/missing/getaddrinfo.c X 2004 +./contrib/queryperf/missing/getnameinfo.c X 2004 ./contrib/queryperf/queryperf.c X 2001 ./contrib/queryperf/utils/gen-data-queryperf.py X 2003 ./contrib/sdb/bdb/README X 2002 From 4499c6cd5e376c59e06cd0be61f3620a1336bc5f Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 14 May 2004 00:10:52 +0000 Subject: [PATCH 099/146] 1635. [bug] Memory leak on error in query_addds(). --- CHANGES | 2 ++ bin/named/query.c | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 9333b4b1dc..4a3ff5fde5 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1635. [bug] Memory leak on error in query_addds(). + 1634. [placeholder] rt11208 1633. [bug] named should return NOTIMP to update requests to a diff --git a/bin/named/query.c b/bin/named/query.c index 1ba7622df2..556c294646 100644 --- a/bin/named/query.c +++ b/bin/named/query.c 
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: query.c,v 1.258 2004/04/15 01:58:23 marka Exp $ */ +/* $Id: query.c,v 1.259 2004/05/14 00:10:52 marka Exp $ */ #include @@ -1785,7 +1785,7 @@ query_addds(ns_client_t *client, dns_db_t *db, dns_dbnode_t *node) { rdataset = query_newrdataset(client); sigrdataset = query_newrdataset(client); if (rdataset == NULL || sigrdataset == NULL) - return; + goto cleanup; /* * Look for the DS record, which may or may not be present. From 97f1498ddac27be9b923a18f83dc2aa15cc40d83 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 14 May 2004 00:51:52 +0000 Subject: [PATCH 100/146] move cleanup of in_roothints earlier to make it easier to detect reference count mismatches. --- bin/named/server.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bin/named/server.c b/bin/named/server.c index 606726a141..0e6320c6e2 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.425 2004/04/20 14:11:46 marka Exp $ */ +/* $Id: server.c,v 1.426 2004/05/14 00:51:52 marka Exp $ */ #include @@ -2877,6 +2877,8 @@ shutdown_server(isc_task_t *task, isc_event_t *event) { if (server->blackholeacl != NULL) dns_acl_detach(&server->blackholeacl); + dns_db_detach(&server->in_roothints); + isc_task_endexclusive(server->task); isc_task_detach(&server->task); @@ -3028,8 +3030,6 @@ ns_server_destroy(ns_server_t **serverp) { INSIST(ISC_LIST_EMPTY(server->viewlist)); - dns_db_detach(&server->in_roothints); - dns_aclenv_destroy(&server->aclenv); isc_quota_destroy(&server->recursionquota); From 4e681da26da4fff442b3ae24b0da2de1f240c43c Mon Sep 17 00:00:00 2001 
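Review bot: The new `goto cleanup` in query_addds is taken while one of `rdataset`/`sigrdataset` is still NULL, and the `cleanup` label is outside this hunk, so it is worth confirming that the label tests each pointer before handing it to `query_putrdataset` (or that `query_putrdataset` tolerates NULL); otherwise the leak fix turns an out-of-memory condition into a NULL dereference. A one-line comment at the jump would record the invariant: `goto cleanup;	/* cleanup copes with a NULL rdataset/sigrdataset */`. query_addds's body continues outside the hunk.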
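Review bot: Moving `dns_db_detach(&server->in_roothints)` into shutdown_server leaves `server->in_roothints` NULL from shutdown until ns_server_destroy, and the second hunk (@@ -3028) removes the only other detach, so anything that runs between those two points and touches in_roothints would now dereference NULL; that code is outside the diff, so this is an inference to check. The ordering would be explicit, and a reference-count mismatch would surface where it is expected, with `INSIST(server->in_roothints == NULL);` placed where the detach was removed in ns_server_destroy. Both enclosing functions start outside the hunks.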
From: Mark Andrews Date: Fri, 14 May 2004 00:55:57 +0000 Subject: [PATCH 101/146] 1636. [bug] The dump done callback could get ISC_R_SUCCESS even if a error had occured. The database version no longer matched the version of the database that was dumped. --- CHANGES | 4 ++++ lib/dns/masterdump.c | 14 ++++++++------ 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/CHANGES b/CHANGES index 4a3ff5fde5..0cf4d7baad 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +1636. [bug] The dump done callback could get ISC_R_SUCCESS even if + a error had occured. The database version no longer + matched the version of the database that was dumped. + 1635. [bug] Memory leak on error in query_addds(). 1634. [placeholder] rt11208 diff --git a/lib/dns/masterdump.c b/lib/dns/masterdump.c index 532d4e810d..3b2ce7ec6e 100644 --- a/lib/dns/masterdump.c +++ b/lib/dns/masterdump.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: masterdump.c,v 1.73 2004/03/05 05:09:21 marka Exp $ */ +/* $Id: masterdump.c,v 1.74 2004/05/14 00:55:57 marka Exp $ */ #include @@ -979,6 +979,7 @@ closeandrename(FILE *f, isc_result_t result, const char *temp, const char *file) static void dump_quantum(isc_task_t *task, isc_event_t *event) { isc_result_t result; + isc_result_t tresult; dns_dumpctx_t *dctx; REQUIRE(event != NULL); @@ -994,11 +995,12 @@ dump_quantum(isc_task_t *task, isc_event_t *event) { return; } - if (dctx->file != NULL) - result = closeandrename(dctx->f, result, - dctx->tmpfile, dctx->file); - if (dctx->version != NULL) - dns_db_closeversion(dctx->db, &dctx->version, ISC_FALSE); + if (dctx->file != NULL) { + tresult = closeandrename(dctx->f, result, + dctx->tmpfile, dctx->file); + if (tresult != ISC_R_SUCCESS && result == ISC_R_SUCCESS) + result = tresult; + } (dctx->done)(dctx->done_arg, result); isc_event_free(&event); dns_dumpctx_detach(&dctx); From f6f0bf7d4bb135ba1a421520076a47a61b6870fc Mon Sep 17 00:00:00 2001 
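Review bot: The hunk drops the `dns_db_closeversion(dctx->db, &dctx->version, ISC_FALSE)` call from dump_quantum and nothing else in this diff closes the version, so the open version must now be released by `dns_dumpctx_detach` (outside the hunk); if it is not, every quantum dump leaks a database version. The merge of `tresult` into `result` is correct but terse; a comment such as `/* keep the first failure: a rename error must not mask a dump error or vice versa */` would make the intent obvious. dump_quantum starts outside the hunk.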
From: Mark Andrews Date: Fri, 14 May 2004 01:07:23 +0000 Subject: [PATCH 102/146] 1637. [bug] Node reference leak on error in addnoqname(). --- CHANGES | 2 ++ lib/dns/rbtdb.c | 19 ++++++++++++------- 2 files changed, 14 insertions(+), 7 deletions(-) diff --git a/CHANGES b/CHANGES index 0cf4d7baad..b1c1f1769f 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1637. [bug] Node reference leak on error in addnoqname(). + 1636. [bug] The dump done callback could get ISC_R_SUCCESS even if a error had occured. The database version no longer matched the version of the database that was dumped. diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c index d0693fd6bd..0c85c8238c 100644 --- a/lib/dns/rbtdb.c +++ b/lib/dns/rbtdb.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbtdb.c,v 1.197 2004/05/05 01:32:58 marka Exp $ */ +/* $Id: rbtdb.c,v 1.198 2004/05/14 01:05:53 marka Exp $ */ /* * Principal Author: Bob Halley @@ -3178,6 +3178,7 @@ attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp) { dns_rbtnode_t *node = (dns_rbtnode_t *)source; REQUIRE(VALID_RBTDB(rbtdb)); + REQUIRE(targetp != NULL && *targetp == NULL); LOCK(&rbtdb->node_locks[node->locknum].lock); INSIST(node->references > 0); @@ -4093,8 +4094,10 @@ addnoqname(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader, RUNTIME_CHECK(result == ISC_R_SUCCESS); noqname = isc_mem_get(mctx, sizeof(*noqname)); - if (noqname == NULL) - return (ISC_R_NOMEMORY); + if (noqname == NULL) { + result = ISC_R_NOMEMORY; + goto cleanup; + } dns_name_init(&noqname->name, NULL); noqname->nsec = NULL; noqname->nsecsig = NULL; @@ -4115,6 +4118,8 @@ addnoqname(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader, return (ISC_R_SUCCESS); cleanup: + dns_rdataset_disassociate(&nsec); + dns_rdataset_disassociate(&nsecsig); free_noqname(mctx, &noqname); return(result); } 
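Review bot: The new `REQUIRE(targetp != NULL && *targetp == NULL)` in attachnode (@@ -3178) makes any caller that passes an uninitialized pointer assert, and this commit only fixes the two callers it touches (rdataset_clone and rdataset_getnoqname); other callers in this file and through the dns_db method table are outside the diff and should be audited before this lands. The assertion is the right contract; stating it where the method is documented, `/* *targetp must be NULL on entry; it receives a new node reference */`, would help future callers.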
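Review bot: With `dns_rdataset_disassociate(&nsec)` and `dns_rdataset_disassociate(&nsecsig)` now unconditional under `cleanup:` (@@ -4115), every `goto cleanup` in addnoqname has to occur after both rdatasets are associated, since dns_rdataset_disassociate requires an associated rdataset; the new out-of-memory jump in @@ -4093 sits after the `RUNTIME_CHECK` that appears to follow those lookups, which looks right, but earlier jumps in the function are outside the hunk. That same path now reaches `free_noqname(mctx, &noqname)` with `noqname == NULL`, so free_noqname must accept a NULL pointer. Guarding each release with `if (dns_rdataset_isassociated(&nsec)) dns_rdataset_disassociate(&nsec);` (and likewise for nsecsig) would make the label safe from any entry point. addnoqname starts outside the hunk.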
@@ -4957,7 +4962,7 @@ static void rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) { dns_db_t *db = source->private1; dns_dbnode_t *node = source->private2; - dns_dbnode_t *cloned_node; + dns_dbnode_t *cloned_node = NULL; attachnode(db, node, &cloned_node); *target = *source; @@ -4988,9 +4993,8 @@ rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name, dns_dbnode_t *cloned_node; struct noqname *noqname = rdataset->private6; + cloned_node = NULL; attachnode(db, node, &cloned_node); - attachnode(db, node, &cloned_node); - nsec->methods = &rdataset_methods; nsec->rdclass = db->rdclass; nsec->type = dns_rdatatype_nsec; @@ -5004,6 +5008,8 @@ rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name, nsec->private5 = NULL; nsec->private6 = NULL; + cloned_node = NULL; + attachnode(db, node, &cloned_node); nsecsig->methods = &rdataset_methods; nsecsig->rdclass = db->rdclass; nsecsig->type = dns_rdatatype_rrsig; @@ -5022,7 +5028,6 @@ rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name, return (ISC_R_SUCCESS); } - /* * Rdataset Iterator Methods */ From d968099d461d1cbfa75edf3b13b2982ea3220293 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 14 May 2004 03:14:31 +0000 Subject: [PATCH 103/146] 1638. [placeholder] rt113347 --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index b1c1f1769f..148fcace27 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1638. [placeholder] rt113347 + 1637. [bug] Node reference leak on error in addnoqname(). 1636. [bug] The dump done callback could get ISC_R_SUCCESS even if From 6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146 Mon Sep 17 00:00:00 2001 
From: Mark Andrews Date: Fri, 14 May 2004 04:45:58 +0000 Subject: [PATCH 104/146] 1606. [bug] DVL insecurity proof was failing. 1605. [func] New dns_db_find() option DNS_DBFIND_COVERINGNSEC. --- CHANGES | 5 +- lib/dns/include/dns/db.h | 12 +- lib/dns/include/dns/result.h | 5 +- lib/dns/include/dns/validator.h | 4 +- lib/dns/rbtdb.c | 153 ++++++++++++++---- lib/dns/resolver.c | 51 ++++-- lib/dns/result.c | 5 +- lib/dns/validator.c | 264 +++++++++++++++++++++++++++++++- util/copyrights | 19 +++ 9 files changed, 462 insertions(+), 56 deletions(-) diff --git a/CHANGES b/CHANGES index 148fcace27..34b2b9ead9 100644 --- a/CHANGES +++ b/CHANGES @@ -87,9 +87,10 @@ 1607. [bug] dig, host and nslookup were still using random() to generate query ids. [RT# 11013] -1606. [placeholder] rt10440a +1606. [bug] DVL insecurity proof was failing. + +1605. [func] New dns_db_find() option DNS_DBFIND_COVERINGNSEC. -1605. [placeholder] rt10440a 1604. [bug] A xfrout_ctx_create() failure would result in xfrout_ctx_destroy() being called with a diff --git a/lib/dns/include/dns/db.h b/lib/dns/include/dns/db.h index b62541f60f..b4c7261da5 100644 --- a/lib/dns/include/dns/db.h +++ b/lib/dns/include/dns/db.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: db.h,v 1.76 2004/03/05 05:09:41 marka Exp $ */ +/* $Id: db.h,v 1.77 2004/05/14 04:45:57 marka Exp $ */ #ifndef DNS_DB_H #define DNS_DB_H 1 @@ -188,6 +188,7 @@ struct dns_db { #define DNS_DBFIND_PENDINGOK 0x08 #define DNS_DBFIND_NOEXACT 0x10 #define DNS_DBFIND_FORCENSEC 0x20 +#define DNS_DBFIND_COVERINGNSEC 0x40 /* * Options that can be specified for dns_db_addrdataset(). 
@@ -647,6 +648,12 @@ dns_db_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, * is only necessary when querying a database that was not secure * when created. * + * If the DNS_DBFIND_COVERINGNSEC option is set, then look for a + * NSEC record that potentially covers 'name' if a answer cannot + * be found. Note the returned NSEC needs to be checked to ensure + * that it is correct. This only affects answers returned from the + * cache. + * * To respond to a query for SIG records, the caller should create a * rdataset iterator and extract the signatures from each rdataset. * @@ -770,6 +777,9 @@ dns_db_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, * DNS_R_EMPTYNAME The name exists but there is * no data at the name. * + * DNS_R_COVERINGNSEC The returned data is a NSEC + * that potentially covers 'name'. + * * Error results: * * ISC_R_NOMEMORY diff --git a/lib/dns/include/dns/result.h b/lib/dns/include/dns/result.h index a41fbfa80f..c134a9f398 100644 --- a/lib/dns/include/dns/result.h +++ b/lib/dns/include/dns/result.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: result.h,v 1.105 2004/04/15 23:40:26 marka Exp $ */ +/* $Id: result.h,v 1.106 2004/05/14 04:45:58 marka Exp $ */ #ifndef DNS_RESULT_H #define DNS_RESULT_H 1 @@ -142,8 +142,9 @@ #define DNS_R_DYNAMIC (ISC_RESULTCLASS_DNS + 98) #define DNS_R_UNKNOWNCOMMAND (ISC_RESULTCLASS_DNS + 99) #define DNS_R_MUSTBESECURE (ISC_RESULTCLASS_DNS + 100) +#define DNS_R_COVERINGNSEC (ISC_RESULTCLASS_DNS + 101) -#define DNS_R_NRESULTS 101 /* Number of results */ +#define DNS_R_NRESULTS 102 /* Number of results */ /* * DNS wire format rcodes. diff --git a/lib/dns/include/dns/validator.h b/lib/dns/include/dns/validator.h index 59d2aefe33..21be023d71 100644 --- a/lib/dns/include/dns/validator.h +++ b/lib/dns/include/dns/validator.h 
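Review bot: The new paragraph in the dns_db_find comment (@@ -647) has two article slips, `a answer` and `a NSEC`, and does not say how the caller learns that a covering NSEC rather than an answer came back; tying it to the code added in the next hunk, e.g. `... the result is DNS_R_COVERINGNSEC, and the returned NSEC must still be checked by the caller to confirm it really covers 'name'.`, saves the reader a trip to the results list. That verification requirement is the security-relevant part of the contract and deserves to stay prominent.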
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.h,v 1.28 2004/04/15 23:40:26 marka Exp $ */ +/* $Id: validator.h,v 1.29 2004/05/14 04:45:58 marka Exp $ */ #ifndef DNS_VALIDATOR_H #define DNS_VALIDATOR_H 1 @@ -121,6 +121,8 @@ struct dns_validator { dns_fixedname_t wild; ISC_LINK(dns_validator_t) link; dns_rdataset_t * dlv; + dns_fixedname_t dlvsep; + isc_boolean_t havedlvsep; isc_boolean_t mustbesecure; }; diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c index 0c85c8238c..48440fdf06 100644 --- a/lib/dns/rbtdb.c +++ b/lib/dns/rbtdb.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbtdb.c,v 1.198 2004/05/14 01:05:53 marka Exp $ */ +/* $Id: rbtdb.c,v 1.199 2004/05/14 04:45:56 marka Exp $ */ /* * Principal Author: Bob Halley @@ -842,8 +842,7 @@ clean_zone_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, /* * If this is a NONEXISTENT rdataset, we can delete it. */ - if ((current->attributes & RDATASET_ATTR_NONEXISTENT) - != 0) { + if (NONEXISTENT(current)) { if (top_prev != NULL) top_prev->next = current->next; else @@ -1931,8 +1930,7 @@ find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep, * Is this a "this rdataset doesn't * exist" record? */ - if ((header->attributes & - RDATASET_ATTR_NONEXISTENT) != 0) + if (NONEXISTENT(header)) header = NULL; break; } else @@ -2204,8 +2202,7 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, * Is this a "this rdataset doesn't * exist" record? */ - if ((header->attributes & - RDATASET_ATTR_NONEXISTENT) != 0) + if (NONEXISTENT(header)) header = NULL; break; } else @@ -2658,8 +2655,7 @@ find_deepest_zonecut(rbtdb_search_t *search, dns_rbtnode_t *node, node->dirty = 1; header_prev = header; } - } else if ((header->attributes & - RDATASET_ATTR_NONEXISTENT) == 0) { + } else if (EXISTS(header)) { /* * We've found an extant rdataset. See if * we're interested in it. 
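Review bot: `havedlvsep` is a new field that the validator's DLV code reads, but this diff does not show it being initialized in dns_validator_create, and the validator is allocated with isc_mem_get, which does not zero memory; unless the create path sets it the first read is of an uninitialized boolean, which is worth confirming in validator.c outside this hunk. A short field comment would also help readers of the struct: `/* dlvsep is valid only while havedlvsep is ISC_TRUE */`.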
@@ -2735,6 +2731,104 @@ find_deepest_zonecut(rbtdb_search_t *search, dns_rbtnode_t *node, return (result); } +static isc_result_t +find_coveringnsec(rbtdb_search_t *search, dns_dbnode_t **nodep, + isc_stdtime_t now, dns_name_t *foundname, + dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) +{ + dns_rbtnode_t *node; + rdatasetheader_t *header, *header_next, *header_prev; + rdatasetheader_t *found, *foundsig; + isc_boolean_t empty_node; + isc_result_t result; + dns_fixedname_t fname, forigin; + dns_name_t *name, *origin; + rbtdb_rdatatype_t matchtype, sigmatchtype, nsectype; + + matchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_nsec, 0); + nsectype = RBTDB_RDATATYPE_VALUE(0, dns_rdatatype_nsec); + sigmatchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, + dns_rdatatype_nsec); + + do { + node = NULL; + dns_fixedname_init(&fname); + name = dns_fixedname_name(&fname); + dns_fixedname_init(&forigin); + origin = dns_fixedname_name(&forigin); + result = dns_rbtnodechain_current(&search->chain, name, + origin, &node); + if (result != ISC_R_SUCCESS) + return (result); + LOCK(&(search->rbtdb->node_locks[node->locknum].lock)); + found = NULL; + foundsig = NULL; + empty_node = ISC_TRUE; + header_prev = NULL; + for (header = node->data; + header != NULL; + header = header_next) { + header_next = header->next; + if (header->ttl <= now) { + /* + * This rdataset is stale. If no one else is + * using the node, we can clean it up right + * now, otherwise we mark it as stale, and the + * node as dirty, so it will get cleaned up + * later. 
+ */ + if (node->references == 0) { + INSIST(header->down == NULL); + if (header_prev != NULL) + header_prev->next = + header->next; + else + node->data = header->next; + free_rdataset(search->rbtdb->common.mctx, + header); + } else { + header->attributes |= + RDATASET_ATTR_STALE; + node->dirty = 1; + header_prev = header; + } + continue; + } + if (NONEXISTENT(header) || NXDOMAIN(header)) { + header_prev = header; + continue; + } + empty_node = ISC_FALSE; + if (header->type == matchtype) + found = header; + else if (header->type == sigmatchtype) + foundsig = header; + header_prev = header; + } + if (found != NULL) { + result = dns_name_concatenate(name, origin, + foundname, NULL); + if (result != ISC_R_SUCCESS) + goto unlock_node; + bind_rdataset(search->rbtdb, node, found, + now, rdataset); + if (foundsig != NULL) + bind_rdataset(search->rbtdb, node, foundsig, + now, sigrdataset); + new_reference(search->rbtdb, node); + *nodep = node; + result = DNS_R_COVERINGNSEC; + } else if (!empty_node) { + result = ISC_R_NOTFOUND; + }else + result = dns_rbtnodechain_prev(&search->chain, NULL, + NULL); + unlock_node: + UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock)); + } while (empty_node && result == ISC_R_SUCCESS); + return (result); +} + static isc_result_t cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, dns_rdatatype_t type, unsigned int options, isc_stdtime_t now, @@ -2750,7 +2844,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, rdatasetheader_t *header, *header_prev, *header_next; rdatasetheader_t *found, *nsheader; rdatasetheader_t *foundsig, *nssig, *cnamesig; - rbtdb_rdatatype_t sigtype, nsecype; + rbtdb_rdatatype_t sigtype, nsectype; UNUSED(version); 
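Review bot: The loop in find_coveringnsec ends with `} while (empty_node && result == ISC_R_SUCCESS);`, so if `dns_rbtnodechain_prev` reports crossing into another origin with DNS_R_NEWORIGIN — which, if I read the rbt chain interface correctly, is what it returns in that case — the walk stops early and DNS_R_NEWORIGIN propagates to cache_find instead of continuing to the predecessor; `} while (empty_node && (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN));` would keep walking. The `}else` before that `dns_rbtnodechain_prev` call should be `} else`. A header comment is also missing: it should say that this walks backwards from the partial-match point to the nearest node holding an NSEC, returns DNS_R_COVERINGNSEC without proving coverage or checking trust, and that the caller must verify both before drawing a non-existence conclusion from it.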
@@ -2785,6 +2879,13 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, cache_zonecut_callback, &search); if (result == DNS_R_PARTIALMATCH) { + if ((search.options & DNS_DBFIND_COVERINGNSEC) != 0) { + result = find_coveringnsec(&search, nodep, now, + foundname, rdataset, + sigrdataset); + if (result == DNS_R_COVERINGNSEC) + goto tree_exit; + } if (search.zonecut != NULL) { result = setup_delegation(&search, nodep, foundname, rdataset, sigrdataset); @@ -2818,7 +2919,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, found = NULL; foundsig = NULL; sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type); - nsecype = RBTDB_RDATATYPE_VALUE(0, type); + nsectype = RBTDB_RDATATYPE_VALUE(0, type); nsheader = NULL; nssig = NULL; cnamesig = NULL; @@ -2846,8 +2947,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, node->dirty = 1; header_prev = header; } - } else if ((header->attributes & RDATASET_ATTR_NONEXISTENT) - == 0) { + } else if (EXISTS(header)) { /* * We now know that there is at least one active * non-stale rdataset at this node. @@ -2889,7 +2989,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, */ foundsig = header; } else if (header->type == RBTDB_RDATATYPE_NCACHEANY || - header->type == nsecype) { + header->type == nsectype) { /* * We've found a negative cache entry. */ @@ -3114,8 +3214,7 @@ cache_findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options, node->dirty = 1; header_prev = header; } - } else if ((header->attributes & RDATASET_ATTR_NONEXISTENT) - == 0) { + } else if (EXISTS(header)) { /* * If we found a type we were looking for, remember * it. @@ -3449,8 +3548,7 @@ zone_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, * Is this a "this rdataset doesn't * exist" record? */ - if ((header->attributes & - RDATASET_ATTR_NONEXISTENT) != 0) + if (NONEXISTENT(header)) header = NULL; break; } else 
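Review bot: In the `DNS_R_PARTIALMATCH` branch of cache_find, `result` is overwritten by `find_coveringnsec` and the normal flow is only resumed when it equals DNS_R_COVERINGNSEC; for any other return (ISC_R_NOTFOUND, ISC_R_NOMORE, an error) control falls into the zonecut handling with `result` no longer holding DNS_R_PARTIALMATCH, and the `else` of `if (search.zonecut != NULL)` is outside the hunk, so if that branch relies on `result` the caller may see a misleading code (harmless if it assigns `result` itself). Keeping the lookup in its own local, `rresult = find_coveringnsec(...); if (rresult == DNS_R_COVERINGNSEC) { result = rresult; goto tree_exit; }`, leaves the existing flow untouched. cache_find starts outside the hunk.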
@@ -3500,7 +3598,7 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node; rdatasetheader_t *header, *header_next, *found, *foundsig; - rbtdb_rdatatype_t matchtype, sigmatchtype, nsecype; + rbtdb_rdatatype_t matchtype, sigmatchtype, nsectype; isc_result_t result; REQUIRE(VALID_RBTDB(rbtdb)); @@ -3518,7 +3616,7 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, found = NULL; foundsig = NULL; matchtype = RBTDB_RDATATYPE_VALUE(type, covers); - nsecype = RBTDB_RDATATYPE_VALUE(0, type); + nsectype = RBTDB_RDATATYPE_VALUE(0, type); if (covers == 0) sigmatchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type); else @@ -3535,12 +3633,11 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, */ header->attributes |= RDATASET_ATTR_STALE; rbtnode->dirty = 1; - } else if ((header->attributes & RDATASET_ATTR_NONEXISTENT) == - 0) { + } else if (EXISTS(header)) { if (header->type == matchtype) found = header; else if (header->type == RBTDB_RDATATYPE_NCACHEANY || - header->type == nsecype) + header->type == nsectype) found = header; else if (header->type == sigmatchtype) foundsig = header; @@ -3720,7 +3817,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, isc_boolean_t header_nx; isc_boolean_t newheader_nx; isc_boolean_t merge; - dns_rdatatype_t nsecype, rdtype, covers; + dns_rdatatype_t nsectype, rdtype, covers; dns_trust_t trust; /* @@ -3758,7 +3855,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, newheader_nx = NONEXISTENT(newheader) ? ISC_TRUE : ISC_FALSE; topheader_prev = NULL; - nsecype = 0; + nsectype = 0; if (rbtversion == NULL && !newheader_nx) { rdtype = RBTDB_RDATATYPE_BASE(newheader->type); if (rdtype == 0) { 
@@ -3785,7 +3882,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, rbtnode->dirty = 1; goto find_header; } - nsecype = RBTDB_RDATATYPE_VALUE(covers, 0); + nsectype = RBTDB_RDATATYPE_VALUE(covers, 0); } else { /* * We're adding something that isn't a @@ -3825,7 +3922,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, topheader = NULL; goto find_header; } - nsecype = RBTDB_RDATATYPE_VALUE(0, rdtype); + nsectype = RBTDB_RDATATYPE_VALUE(0, rdtype); } } @@ -3833,7 +3930,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, topheader != NULL; topheader = topheader->next) { if (topheader->type == newheader->type || - topheader->type == nsecype) + topheader->type == nsectype) break; topheader_prev = topheader; } diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index b7eb0297a6..7f89953253 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.287 2004/04/19 23:16:20 marka Exp $ */ +/* $Id: resolver.c,v 1.288 2004/05/14 04:45:56 marka Exp $ */ #include 
@@ -65,25 +65,28 @@ DNS_LOGCATEGORY_RESOLVER, \ DNS_LOGMODULE_RESOLVER, \ ISC_LOG_DEBUG(3), \ - "fctx %p: %s", fctx, (m)) + "fctx %p(%s'): %s", fctx, fctx->info, (m)) #define FCTXTRACE2(m1, m2) \ isc_log_write(dns_lctx, \ DNS_LOGCATEGORY_RESOLVER, \ DNS_LOGMODULE_RESOLVER, \ ISC_LOG_DEBUG(3), \ - "fctx %p: %s %s", fctx, (m1), (m2)) + "fctx %p(%s): %s %s", \ + fctx, fctx->info, (m1), (m2)) #define FTRACE(m) isc_log_write(dns_lctx, \ DNS_LOGCATEGORY_RESOLVER, \ DNS_LOGMODULE_RESOLVER, \ ISC_LOG_DEBUG(3), \ - "fetch %p (fctx %p): %s", \ - fetch, fetch->private, (m)) + "fetch %p (fctx %p(%s)): %s", \ + fetch, fetch->private, \ + fetch->private->info, (m)) #define QTRACE(m) isc_log_write(dns_lctx, \ DNS_LOGCATEGORY_RESOLVER, \ DNS_LOGMODULE_RESOLVER, \ ISC_LOG_DEBUG(3), \ - "resquery %p (fctx %p): %s", \ - query, query->fctx, (m)) + "resquery %p (fctx %p(%s)): %s", \ + query, query->fctx, \ + query->fctx->info, (m)) #else #define RTRACE(m) #define RRTRACE(r, m) @@ -152,6 +155,7 @@ struct fetchctx { dns_rdatatype_t type; unsigned int options; unsigned int bucketnum; + char * info; /* Locked by appropriate bucket lock. */ fetchstate state; isc_boolean_t want_shutdown; @@ -1121,6 +1125,8 @@ resquery_send(resquery_t *query) { &secure_domain); if (result != ISC_R_SUCCESS) secure_domain = ISC_FALSE; + if (res->view->dlv != NULL) + secure_domain = ISC_TRUE; if (secure_domain) fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD; } else @@ -2287,6 +2293,7 @@ fctx_destroy(fetchctx_t *fctx) { dns_name_free(&fctx->name, res->mctx); dns_db_detach(&fctx->cache); dns_adb_detach(&fctx->adb); + isc_mem_free(res->mctx, fctx->info); isc_mem_put(res->mctx, fctx, sizeof(*fctx)); LOCK(&res->nlock); 
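Review bot: The new FCTXTRACE format string `"fctx %p(%s'): %s"` has a stray apostrophe after the `%s`, unlike the sibling FCTXTRACE2/FTRACE/QTRACE formats which use `(%s)`; it should read `"fctx %p(%s): %s", fctx, fctx->info, (m)`. Since all four macros now dereference an `info` pointer, every trace depends on `fctx->info` being set before the first trace in fctx_create, which the @@ -2584 hunk arranges by filling it in ahead of `FCTXTRACE("create")`; a comment at the struct field, `/* "name/type" text for tracing; set before any FCTXTRACE */`, would pin that ordering down.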
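Review bot: `if (res->view->dlv != NULL) secure_domain = ISC_TRUE;` is added three times with no explanation — in resquery_send here and in cache_name (@@ -3262) and ncache_message (@@ -3686) later in this file — and the effect is significant: with a DLV zone configured every name is treated as secure, so CD is set on all outgoing queries and validation is attempted for every answer. Each site, or a single shared helper, should say why, e.g. `/* With DLV configured any name may be provably secure via the lookaside zone, so treat every domain as secure and validate. */`. Each enclosing function starts outside its hunk.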
@@ -2575,6 +2582,8 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, isc_interval_t interval; dns_fixedname_t qdomain; unsigned int findoptions = 0; + char buf[DNS_NAME_FORMATSIZE + DNS_RDATATYPE_FORMATSIZE]; + char typebuf[DNS_RDATATYPE_FORMATSIZE]; /* * Caller must be holding the lock for bucket number 'bucketnum'. @@ -2584,11 +2593,18 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, fctx = isc_mem_get(res->mctx, sizeof(*fctx)); if (fctx == NULL) return (ISC_R_NOMEMORY); + dns_name_format(name, buf, sizeof(buf)); + dns_rdatatype_format(type, typebuf, sizeof(typebuf)); + strcat(buf, "/"); /* checked */ + strcat(buf, typebuf); /* checked */ + fctx->info = isc_mem_strdup(res->mctx, buf); + if (fctx->info == NULL) + goto cleanup_fetch; FCTXTRACE("create"); dns_name_init(&fctx->name, NULL); result = dns_name_dup(name, res->mctx, &fctx->name); if (result != ISC_R_SUCCESS) - goto cleanup_fetch; + goto cleanup_info; dns_name_init(&fctx->domain, NULL); dns_rdataset_init(&fctx->nameservers); @@ -2761,6 +2777,9 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, cleanup_name: dns_name_free(&fctx->name, res->mctx); + cleanup_info: + isc_mem_free(res->mctx, fctx->info); + cleanup_fetch: isc_mem_put(res->mctx, fctx, sizeof(*fctx)); @@ -3091,7 +3110,6 @@ validated(isc_task_t *task, isc_event_t *event) { ardataset, &eresult); if (result != ISC_R_SUCCESS) goto noanswer_response; - goto answer_response; } @@ -3152,8 +3170,9 @@ validated(isc_task_t *task, isc_event_t *event) { goto cleanup_event; } + answer_response: /* - * Cache any NS records that happened to be validate. + * Cache any NS/NSEC records that happened to be validated. */ result = dns_message_firstname(fctx->rmessage, DNS_SECTION_AUTHORITY); while (result == ISC_R_SUCCESS) { 
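Review bot: The `/* checked */` next to the two `strcat` calls in fctx_create asserts that `buf` cannot overflow without showing the arithmetic; a comment that does, e.g. `/* name (< DNS_NAME_FORMATSIZE) + "/" + type (< DNS_RDATATYPE_FORMATSIZE) + NUL fit sizeof(buf) exactly */`, makes the claim reviewable, assuming both FORMATSIZE constants count the terminator as their names suggest. If snprintf is available in this file, `snprintf(buf, sizeof(buf), "%s/%s", namebuf, typebuf)` with the name formatted into its own buffer would remove the reliance on that arithmetic altogether. The cleanup order (`cleanup_info` before `cleanup_fetch`) matches the allocation order and looks correct.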
@@ -3163,14 +3182,15 @@ validated(isc_task_t *task, isc_event_t *event) { for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { - if (rdataset->type != dns_rdatatype_ns || + if ((rdataset->type != dns_rdatatype_ns && + rdataset->type != dns_rdatatype_nsec) || rdataset->trust != dns_trust_secure) continue; for (sigrdataset = ISC_LIST_HEAD(name->list); sigrdataset != NULL; sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) { if (sigrdataset->type != dns_rdatatype_rrsig || - sigrdataset->covers != dns_rdatatype_ns) + sigrdataset->covers != rdataset->type) continue; break; } @@ -3197,7 +3217,6 @@ validated(isc_task_t *task, isc_event_t *event) { result = ISC_R_SUCCESS; - answer_response: /* * Respond with an answer, positive or negative, * as opposed to an error. 'node' must be non-NULL. @@ -3262,6 +3281,9 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) { if (result != ISC_R_SUCCESS) return (result); + if (res->view->dlv != NULL) + secure_domain = ISC_TRUE; + if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0) need_validation = ISC_FALSE; else @@ -3686,6 +3708,9 @@ ncache_message(fetchctx_t *fctx, dns_rdatatype_t covers, isc_stdtime_t now) { if (result != ISC_R_SUCCESS) return (result); + if (res->view->dlv != NULL) + secure_domain = ISC_TRUE; + if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0) need_validation = ISC_FALSE; else diff --git a/lib/dns/result.c b/lib/dns/result.c index 982cc4b1f5..d5ba87ce12 100644 --- a/lib/dns/result.c +++ b/lib/dns/result.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: result.c,v 1.116 2004/04/15 23:40:25 marka Exp $ */ +/* $Id: result.c,v 1.117 2004/05/14 04:45:57 marka Exp $ */ #include 
@@ -150,7 +150,8 @@ static const char *text[DNS_R_NRESULTS] = { "dynamic zone", /* 98 DNS_R_DYNAMIC */ "unknown command", /* 99 DNS_R_UNKNOWNCOMMAND */ - "must-be-secure" /* 100 DNS_R_MUSTBESECURE */ + "must-be-secure", /* 100 DNS_R_MUSTBESECURE */ + "covering NSEC record returned" /* 101 DNS_R_COVERINGNSEC */ }; static const char *rcode_text[DNS_R_NRCODERESULTS] = { diff --git a/lib/dns/validator.c b/lib/dns/validator.c index ddaf8c00c9..078f9dbd35 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.c,v 1.121 2004/04/15 23:40:25 marka Exp $ */ +/* $Id: validator.c,v 1.122 2004/05/14 04:45:57 marka Exp $ */ #include @@ -53,6 +53,7 @@ #define VALATTR_INSECURITY 0x0010 #define VALATTR_DLV 0x0020 #define VALATTR_DLVTRIED 0x0040 +#define VALATTR_DLVSEPTRIED 0x0080 #define VALATTR_NEEDNOQNAME 0x0100 #define VALATTR_NEEDNOWILDCARD 0x0200 @@ -68,6 +69,7 @@ #define NEEDNOWILDCARD(val) ((val->attributes & VALATTR_NEEDNOWILDCARD) != 0) #define DLV(val) ((val->attributes & VALATTR_DLV) != 0) #define DLVTRIED(val) ((val->attributes & VALATTR_DLVTRIED) != 0) +#define DLVSEPTRIED(val) ((val->attributes & VALATTR_DLVSEPTRIED) != 0) #define SHUTDOWN(v) (((v)->attributes & VALATTR_SHUTDOWN) != 0) @@ -107,6 +109,9 @@ validator_logcreate(dns_validator_t *val, static isc_result_t dlv_validatezonekey(dns_validator_t *val); +static isc_result_t +finddlvsep(dns_validator_t *val, isc_boolean_t resume); + static void validator_done(dns_validator_t *val, isc_result_t result) { isc_task_t *task; 
@@ -735,6 +740,16 @@ negauthvalidated(isc_task_t *task, isc_event_t *event) { static inline isc_result_t view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) { + dns_fixedname_t fixedname; + dns_name_t *foundname; + dns_rdata_nsec_t nsec; + dns_rdata_t rdata = DNS_RDATA_INIT; + isc_result_t result; + unsigned int options; + char buf1[DNS_NAME_FORMATSIZE]; + char buf2[DNS_NAME_FORMATSIZE]; + char buf3[DNS_NAME_FORMATSIZE]; + if (dns_rdataset_isassociated(&val->frdataset)) dns_rdataset_disassociate(&val->frdataset); if (dns_rdataset_isassociated(&val->fsigrdataset)) 
@@ -742,9 +757,106 @@ view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) { if (val->view->zonetable == NULL) return (ISC_R_CANCELED); - return (dns_view_simplefind(val->view, name, type, 0, - DNS_DBFIND_PENDINGOK, ISC_FALSE, - &val->frdataset, &val->fsigrdataset)); + + options = DNS_DBFIND_PENDINGOK; + if (type == dns_rdatatype_dlv) + options |= DNS_DBFIND_COVERINGNSEC; + dns_fixedname_init(&fixedname); + foundname = dns_fixedname_name(&fixedname); + result = dns_view_find(val->view, name, type, 0, options, + ISC_FALSE, NULL, NULL, foundname, + &val->frdataset, &val->fsigrdataset); + if (result == DNS_R_NXDOMAIN) { + if (dns_rdataset_isassociated(&val->frdataset)) + dns_rdataset_disassociate(&val->frdataset); + if (dns_rdataset_isassociated(&val->fsigrdataset)) + dns_rdataset_disassociate(&val->fsigrdataset); + } else if (result == DNS_R_COVERINGNSEC) { + validator_log(val, ISC_LOG_DEBUG(3), "DNS_R_COVERINGNSEC"); + /* + * Check if the returned NSEC covers the name. + */ + INSIST(type == dns_rdatatype_dlv); + if (val->frdataset.trust != dns_trust_secure) { + validator_log(val, ISC_LOG_DEBUG(3), + "covering nsec: trust %u", + val->frdataset.trust); + goto notfound; + } + result = dns_rdataset_first(&val->frdataset); + if (result != ISC_R_SUCCESS) + goto notfound; + dns_rdataset_current(&val->frdataset, &rdata); + if (dns_nsec_typepresent(&rdata, dns_rdatatype_ns) && + !dns_nsec_typepresent(&rdata, dns_rdatatype_soa)) { + /* Parent NSEC record. */ + if (dns_name_issubdomain(name, foundname)) { + validator_log(val, ISC_LOG_DEBUG(3), + "covering nsec: for parent"); + goto notfound; + } + } + result = dns_rdata_tostruct(&rdata, &nsec, NULL); + if (result != ISC_R_SUCCESS) + goto notfound; + if (dns_name_compare(foundname, &nsec.next) >= 0) { + /* End of zone chain. */ + if (!dns_name_issubdomain(name, &nsec.next)) { + /* + * XXXMPA We could look for a parent NSEC + * at nsec.next and if found retest with + * this NSEC. 
+ */ + dns_rdata_freestruct(&nsec); + validator_log(val, ISC_LOG_DEBUG(3), + "covering nsec: not in zone"); + goto notfound; + } + } else if (dns_name_compare(name, &nsec.next) >= 0) { + /* + * XXXMPA We could check if this NSEC is at a zone + * apex and if the qname is not below it and look for + * a parent NSEC with the same name. This requires + * that we can cache both NSEC records which we + * currently don't support. + */ + dns_rdata_freestruct(&nsec); + validator_log(val, ISC_LOG_DEBUG(3), + "covering nsec: not in range"); + goto notfound; + } + if (isc_log_wouldlog(dns_lctx,ISC_LOG_DEBUG(3))) { + dns_name_format(name, buf1, sizeof buf1); + dns_name_format(foundname, buf2, sizeof buf2); + dns_name_format(&nsec.next, buf3, sizeof buf3); + validator_log(val, ISC_LOG_DEBUG(3), + "covering nsec found: '%s' '%s' '%s'", + buf1, buf2, buf3); + } + if (dns_rdataset_isassociated(&val->frdataset)) + dns_rdataset_disassociate(&val->frdataset); + if (dns_rdataset_isassociated(&val->fsigrdataset)) + dns_rdataset_disassociate(&val->fsigrdataset); + dns_rdata_freestruct(&nsec); + result = DNS_R_NCACHENXDOMAIN; + } else if (result != ISC_R_SUCCESS && + result != DNS_R_GLUE && + result != DNS_R_HINT && + result != DNS_R_NCACHENXDOMAIN && + result != DNS_R_NCACHENXRRSET && + result != DNS_R_NXRRSET && + result != DNS_R_HINTNXRRSET && + result != ISC_R_NOTFOUND) { + goto notfound; + } + return (result); + + notfound: + if (dns_rdataset_isassociated(&val->frdataset)) + dns_rdataset_disassociate(&val->frdataset); + if (dns_rdataset_isassociated(&val->fsigrdataset)) + dns_rdataset_disassociate(&val->fsigrdataset); + return (ISC_R_NOTFOUND); } static inline isc_boolean_t 
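Review bot: The covering-NSEC acceptance in view_find compares `name` with `nsec.next` but never checks that `foundname` sorts before `name`, so the NXDOMAIN conclusion relies on find_coveringnsec having walked to a predecessor; an explicit `if (dns_name_compare(foundname, name) >= 0) goto notfound;` before the range tests would make the proof self-contained instead of trusting the cache walk. The parent-side test (NS present, SOA absent, name below the owner) and the `trust != dns_trust_secure` rejection are the right guards to keep in front of that. On the success path the function returns `DNS_R_NCACHENXDOMAIN` with both rdatasets disassociated, which callers that expect an associated rdataset for that code need to tolerate; they are outside the hunk. The function's declarations are in the earlier hunk (@@ -735).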
@@ -2097,9 +2209,127 @@ check_ds_algorithm(dns_validator_t *val, dns_name_t *name, return (ISC_FALSE); } +static void +dlv_fetched2(isc_task_t *task, isc_event_t *event) { + dns_fetchevent_t *devent; + dns_validator_t *val; + isc_boolean_t want_destroy; + isc_result_t eresult; + isc_result_t result; + + UNUSED(task); + INSIST(event->ev_type == DNS_EVENT_FETCHDONE); + devent = (dns_fetchevent_t *)event; + val = devent->ev_arg; + eresult = devent->result; + + isc_event_free(&event); + dns_resolver_destroyfetch(&val->fetch); + + INSIST(val->event != NULL); + validator_log(val, ISC_LOG_DEBUG(3), "in dlv_fetched2: %s", + dns_result_totext(eresult)); + + LOCK(&val->lock); + if (eresult == ISC_R_SUCCESS) { + val->havedlvsep = ISC_TRUE; + result = proveunsecure(val, ISC_FALSE); + if (result != DNS_R_WAIT) + validator_done(val, result); + } else if (eresult == DNS_R_NXRRSET || + eresult == DNS_R_NXDOMAIN || + eresult == DNS_R_NCACHENXRRSET || + eresult == DNS_R_NCACHENXDOMAIN) { + result = finddlvsep(val, ISC_TRUE); + if (result == ISC_R_SUCCESS) { + result = proveunsecure(val, ISC_FALSE); + if (result != DNS_R_WAIT) + validator_done(val, result); + } else if (result == ISC_R_NOTFOUND) { + validator_done(val, ISC_R_SUCCESS); + } else if (result != DNS_R_WAIT) + validator_done(val, result); + } + want_destroy = exit_check(val); + UNLOCK(&val->lock); + if (want_destroy) + destroy(val); +} + +static isc_result_t +finddlvsep(dns_validator_t *val, isc_boolean_t resume) { + dns_fixedname_t dlvfixed; + dns_name_t *dlvname; + dns_name_t *dlvsep; + dns_name_t noroot; + isc_result_t result; + unsigned int labels; + + if (!resume) { + dns_fixedname_init(&val->dlvsep); + dlvsep = dns_fixedname_name(&val->dlvsep); + dns_name_copy(val->event->name, dlvsep, NULL); + val->attributes |= VALATTR_DLVSEPTRIED; + } else { + dlvsep = dns_fixedname_name(&val->dlvsep); + labels = dns_name_countlabels(dlvsep); + dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep); + } + dns_name_init(&noroot, 
NULL); + dns_fixedname_init(&dlvfixed); + dlvname = dns_fixedname_name(&dlvfixed); + labels = dns_name_countlabels(dlvsep); + dns_name_getlabelsequence(dlvsep, 0, labels - 1, &noroot); + result = dns_name_concatenate(&noroot, val->view->dlv, dlvname, NULL); + while (result == ISC_R_NOSPACE) { + labels = dns_name_countlabels(dlvsep); + dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep); + dns_name_getlabelsequence(dlvsep, 0, labels - 2, &noroot); + result = dns_name_concatenate(&noroot, val->view->dlv, + dlvname, NULL); + } + if (result != ISC_R_SUCCESS) { + validator_log(val, ISC_LOG_DEBUG(2), "DLV concatenate failed"); + return (DNS_R_NOVALIDSIG); + } + + while (dns_name_countlabels(dlvname) > + dns_name_countlabels(val->view->dlv)) + { + result = view_find(val, dlvname, dns_rdatatype_dlv); + if (result == ISC_R_SUCCESS) { + if (val->frdataset.trust < dns_trust_secure) + return (DNS_R_NOVALIDSIG); + val->havedlvsep = ISC_TRUE; + return (ISC_R_SUCCESS); + } + if (result == ISC_R_NOTFOUND) { + result = create_fetch(val, dlvname, dns_rdatatype_dlv, + dlv_fetched2, "finddlvsep"); + if (result != ISC_R_SUCCESS) + return (result); + return (DNS_R_WAIT); + } + if (result != DNS_R_NXRRSET && + result != DNS_R_NXDOMAIN && + result != DNS_R_NCACHENXRRSET && + result != DNS_R_NCACHENXDOMAIN) + return (result); + /* + * Strip first labels from both dlvsep and dlvname. + */ + labels = dns_name_countlabels(dlvsep); + dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep); + labels = dns_name_countlabels(dlvname); + dns_name_getlabelsequence(dlvname, 1, labels - 1, dlvname); + } + return (ISC_R_NOTFOUND); +} + static isc_result_t proveunsecure(dns_validator_t *val, isc_boolean_t resume) { isc_result_t result; + isc_result_t tresult; dns_fixedname_t secroot; dns_name_t *tname; 
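Review bot: dlv_fetched2 never completes the validator when the fetch ends with any result other than success or the four negative codes listed (for example a timeout or a validation failure on the DLV fetch): the if/else-if chain has no final branch, so `validator_done()` is not called and the pending validation appears to hang unless something outside this hunk completes it. Adding `} else validator_done(val, eresult);` after the negative-answer branch closes that gap. Separately, the success branch sets `val->havedlvsep = ISC_TRUE` without checking the trust of the fetched DLV data, while the cached path in finddlvsep rejects anything below `dns_trust_secure`; if the fetch cannot deliver unvalidated data that is worth a comment saying so, otherwise the same trust check belongs here. In finddlvsep, the `while (result == ISC_R_NOSPACE)` loop computes `labels - 2` in unsigned arithmetic and would underflow if dlvsep were stripped down to the root, which a very long `view->dlv` name could in principle cause; a `labels > 1` guard with an explicit failure return would make it safe. proveunsecure's body continues outside the hunk.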
@@ -2110,11 +2340,30 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) { /* * If the name is not under a security root, it must be insecure. */ - if (result == ISC_R_NOTFOUND) - return (ISC_R_SUCCESS); + if (val->view->dlv != NULL && !DLVSEPTRIED(val) && + !dns_name_issubdomain(val->event->name, val->view->dlv)) { + tresult = finddlvsep(val, ISC_FALSE); + if (tresult != ISC_R_NOTFOUND && tresult != ISC_R_SUCCESS) { + validator_log(val, ISC_LOG_DEBUG(3), + "finddlvsep returned: %s", + dns_result_totext(tresult)); + return (tresult); + } + } - else if (result != ISC_R_SUCCESS) + if (result == ISC_R_NOTFOUND) { + if (!val->havedlvsep) + return (ISC_R_SUCCESS); + dns_name_copy(dns_fixedname_name(&val->dlvsep), + dns_fixedname_name(&secroot), NULL); + } else if (result != ISC_R_SUCCESS) return (result); + else if (val->havedlvsep && + dns_name_issubdomain(dns_fixedname_name(&val->dlvsep), + dns_fixedname_name(&secroot))) { + dns_name_copy(dns_fixedname_name(&val->dlvsep), + dns_fixedname_name(&secroot), NULL); + } if (!resume) { val->labels = @@ -2427,6 +2676,7 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, val->nsecset = NULL; val->soaname = NULL; val->seensig = ISC_FALSE; + val->havedlvsep = ISC_FALSE; val->mustbesecure = dns_resolver_getmustbesecure(view->resolver, name); dns_rdataset_init(&val->frdataset); dns_rdataset_init(&val->fsigrdataset); diff --git a/util/copyrights b/util/copyrights index 85b1cbda74..a148849496 100644 --- a/util/copyrights +++ b/util/copyrights 
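Review bot: The new `else if (val->havedlvsep && dns_name_issubdomain(...dlvsep..., ...secroot...))` branch replaces the security root found from a configured trust anchor with the DLV entry point whenever the DLV entry is deeper, and the reason for preferring it over the configured anchor is not stated anywhere in the hunk. Suggest a comment above it: `/* A DLV entry point below the configured trust anchor is closer to the name, so validate from it instead. */` (or, if the intent is different, say what it is). Note also that finddlvsep is consulted before the `result == ISC_R_NOTFOUND` test, so it runs even when a configured anchor already covers the name; if that is intended it deserves a sentence, since it adds a lookup to every validation outside the DLV zone until VALATTR_DLVSEPTRIED is set. proveunsecure starts and ends outside the hunk; the dns_validator_create hunk that follows only initialises havedlvsep and needs nothing.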
@@ -457,6 +457,25 @@ ./bin/tests/system/dialup/setup.sh SH 2000,2001,2004 ./bin/tests/system/dialup/tests.sh SH 2000,2001,2004 ./bin/tests/system/digcomp.pl PERL 2000,2001,2004 +./bin/tests/system/dlv/clean.sh SH 2004 +./bin/tests/system/dlv/setup.sh SH 2004 +./bin/tests/system/dlv/tests.sh SH 2004 +./bin/tests/system/dlv/ns1/named.conf CONF-C 2004 +./bin/tests/system/dlv/ns1/root.db ZONE 2004 +./bin/tests/system/dlv/ns1/rootservers.utld.db ZONE 2004 +./bin/tests/system/dlv/ns2/hints ZONE 2004 +./bin/tests/system/dlv/ns2/named.conf CONF-C 2004 +./bin/tests/system/dlv/ns2/utld.db ZONE 2004 +./bin/tests/system/dlv/ns3/child.db.in ZONE 2004 +./bin/tests/system/dlv/ns3/dlv.db.in ZONE 2004 +./bin/tests/system/dlv/ns3/hints ZONE 2004 +./bin/tests/system/dlv/ns3/named.conf CONF-C 2004 +./bin/tests/system/dlv/ns3/sign.sh SH 2004 +./bin/tests/system/dlv/ns4/child.db ZONE 2004 +./bin/tests/system/dlv/ns4/hints ZONE 2004 +./bin/tests/system/dlv/ns4/named.conf CONF-C 2004 +./bin/tests/system/dlv/ns5/hints ZONE 2004 +./bin/tests/system/dlv/ns5/named.conf CONF-C 2004 ./bin/tests/system/dnssec/README TXT.BRIEF 2000,2001,2002,2004 ./bin/tests/system/dnssec/clean.sh SH 2000,2001,2002,2004 ./bin/tests/system/dnssec/dnssec_update_test.pl PERL 2002,2004 From 2cd8fa3ef9b168429dcf76603e7b95c58317dd28 Mon Sep 17 00:00:00 2001 
From: Mark Andrews Date: Fri, 14 May 2004 04:58:24 +0000 Subject: [PATCH 105/146] 1639. [func] Initial dlv system test. --- CHANGES | 2 + bin/tests/system/dlv/clean.sh | 27 +++ bin/tests/system/dlv/ns1/named.conf | 35 ++++ bin/tests/system/dlv/ns1/root.db | 24 +++ bin/tests/system/dlv/ns1/rootservers.utld.db | 20 +++ bin/tests/system/dlv/ns2/hints | 18 ++ bin/tests/system/dlv/ns2/named.conf | 35 ++++ bin/tests/system/dlv/ns2/utld.db | 56 ++++++ bin/tests/system/dlv/ns3/child.db.in | 22 +++ bin/tests/system/dlv/ns3/dlv.db.in | 20 +++ bin/tests/system/dlv/ns3/hints | 18 ++ bin/tests/system/dlv/ns3/named.conf | 43 +++++ bin/tests/system/dlv/ns3/sign.sh | 174 +++++++++++++++++++ bin/tests/system/dlv/ns4/child.db | 41 +++++ bin/tests/system/dlv/ns4/hints | 18 ++ bin/tests/system/dlv/ns4/named.conf | 36 ++++ bin/tests/system/dlv/ns5/hints | 18 ++ bin/tests/system/dlv/ns5/named.conf | 64 +++++++ bin/tests/system/dlv/ns5/rndc.conf | 13 ++ bin/tests/system/dlv/setup.sh | 21 +++ bin/tests/system/dlv/tests.sh | 19 ++ 21 files changed, 724 insertions(+) create mode 100644 bin/tests/system/dlv/clean.sh create mode 100644 bin/tests/system/dlv/ns1/named.conf create mode 100644 bin/tests/system/dlv/ns1/root.db create mode 100644 bin/tests/system/dlv/ns1/rootservers.utld.db create mode 100644 bin/tests/system/dlv/ns2/hints create mode 100644 bin/tests/system/dlv/ns2/named.conf create mode 100644 bin/tests/system/dlv/ns2/utld.db create mode 100644 bin/tests/system/dlv/ns3/child.db.in create mode 100644 bin/tests/system/dlv/ns3/dlv.db.in create mode 100644 bin/tests/system/dlv/ns3/hints create mode 100644 bin/tests/system/dlv/ns3/named.conf create mode 100755 bin/tests/system/dlv/ns3/sign.sh create mode 100644 bin/tests/system/dlv/ns4/child.db create mode 100644 bin/tests/system/dlv/ns4/hints create mode 100644 bin/tests/system/dlv/ns4/named.conf create mode 100644 bin/tests/system/dlv/ns5/hints create mode 100644 bin/tests/system/dlv/ns5/named.conf create mode 100644 
bin/tests/system/dlv/ns5/rndc.conf create mode 100644 bin/tests/system/dlv/setup.sh create mode 100644 bin/tests/system/dlv/tests.sh diff --git a/CHANGES b/CHANGES index 34b2b9ead9..733317ea83 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1639. [func] Initial dlv system test. + 1638. [placeholder] rt113347 1637. [bug] Node reference leak on error in addnoqname(). diff --git a/bin/tests/system/dlv/clean.sh b/bin/tests/system/dlv/clean.sh new file mode 100644 index 0000000000..378edc8f5a --- /dev/null +++ b/bin/tests/system/dlv/clean.sh @@ -0,0 +1,27 @@ +#!/bin/sh +# +# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: clean.sh,v 1.2 2004/05/14 04:58:18 marka Exp $ + +rm -f random.data +rm -f ns*/named.run +rm -f ns3/K* +rm -f ns3/*.db +rm -f ns3/*.signed +rm -f ns3/dlvset-* +rm -f ns3/dsset-* +rm -f ns3/keyset-* +rm -f ns3/trusted.conf ns5/trusted.conf diff --git a/bin/tests/system/dlv/ns1/named.conf b/bin/tests/system/dlv/ns1/named.conf new file mode 100644 index 0000000000..eee981de2b --- /dev/null +++ b/bin/tests/system/dlv/ns1/named.conf 
@@ -0,0 +1,35 @@ +/* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: named.conf,v 1.2 2004/05/14 04:58:20 marka Exp $ */ + +controls { /* empty */ }; + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-enable no; +}; + +zone "." { type master; file "root.db"; }; +zone "rootservers.utld" { type master; file "rootservers.utld.db"; }; diff --git a/bin/tests/system/dlv/ns1/root.db b/bin/tests/system/dlv/ns1/root.db new file mode 100644 index 0000000000..c1bc6adf7e --- /dev/null +++ b/bin/tests/system/dlv/ns1/root.db 
@@ -0,0 +1,24 @@ +; Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: root.db,v 1.2 2004/05/14 04:58:20 marka Exp $ + +$TTL 120 +@ SOA ns.rootservers.utld hostmaster.ns.rootservers.utld ( + 1 3600 1200 604800 60 ) +@ NS ns.rootservers.utld +ns A 10.53.0.1 +; +utld NS ns.utld +ns.utld A 10.53.0.2 diff --git a/bin/tests/system/dlv/ns1/rootservers.utld.db b/bin/tests/system/dlv/ns1/rootservers.utld.db new file mode 100644 index 0000000000..e0a5f1a748 --- /dev/null +++ b/bin/tests/system/dlv/ns1/rootservers.utld.db 
@@ -0,0 +1,20 @@ +; Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: rootservers.utld.db,v 1.2 2004/05/14 04:58:20 marka Exp $ + +$TTL 120 +@ SOA ns hostmaster.ns 1 3600 1200 604800 60 +@ NS ns +ns A 10.53.0.1 diff --git a/bin/tests/system/dlv/ns2/hints b/bin/tests/system/dlv/ns2/hints new file mode 100644 index 0000000000..2edca0fb83 --- /dev/null +++ b/bin/tests/system/dlv/ns2/hints 
@@ -0,0 +1,18 @@
+; Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: hints,v 1.2 2004/05/14 04:58:21 marka Exp $
+
+. 0 NS ns.rootservers.utld.
+ns.rootservers.utld. 0 A 10.53.0.1
diff --git a/bin/tests/system/dlv/ns2/named.conf b/bin/tests/system/dlv/ns2/named.conf
new file mode 100644
index 0000000000..0b4e36b0ef
--- /dev/null
+++ b/bin/tests/system/dlv/ns2/named.conf
@@ -0,0 +1,35 @@ +/* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: named.conf,v 1.2 2004/05/14 04:58:21 marka Exp $ */ + +controls { /* empty */ }; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-enable no; +}; + +zone "." { type hint; file "hints"; }; +zone "utld" { type master; file "utld.db"; }; diff --git a/bin/tests/system/dlv/ns2/utld.db b/bin/tests/system/dlv/ns2/utld.db new file mode 100644 index 0000000000..ab2be69fa6 --- /dev/null +++ b/bin/tests/system/dlv/ns2/utld.db 
@@ -0,0 +1,56 @@ +; Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: utld.db,v 1.2 2004/05/14 04:58:21 marka Exp $ + +$TTL 120 +@ SOA ns hostmaster.ns 1 3600 1200 604800 60 +@ NS ns +ns A 10.53.0.2 +; +rootservers NS ns.rootservers +ns.rootservers A 10.53.0.1 +; +dlv NS ns.dlv +ns.dlv A 10.53.0.3 +; +child1 NS ns.child1 +ns.child1 A 10.53.0.3 +; +child2 NS ns.child2 +ns.child2 A 10.53.0.4 +; +child3 NS ns.child3 +ns.child3 A 10.53.0.3 +; +child4 NS ns.child4 +ns.child4 A 10.53.0.3 +; +child5 NS ns.child5 +ns.child5 A 10.53.0.3 +; +child6 NS ns.child6 +ns.child6 A 10.53.0.4 +; +child7 NS ns.child7 +ns.child7 A 10.53.0.3 +; +child8 NS ns.child8 +ns.child8 A 10.53.0.3 +; +child9 NS ns.child9 +ns.child9 A 10.53.0.3 +; +child10 NS ns.child10 +ns.child10 A 10.53.0.3 diff --git a/bin/tests/system/dlv/ns3/child.db.in b/bin/tests/system/dlv/ns3/child.db.in new file mode 100644 index 0000000000..f172b694d9 --- /dev/null +++ b/bin/tests/system/dlv/ns3/child.db.in 
@@ -0,0 +1,22 @@ +; Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: child.db.in,v 1.2 2004/05/14 04:58:21 marka Exp $ + +$TTL 120 +@ SOA ns hostmaster.ns 1 3600 1200 604800 60 +@ NS ns +ns A 10.53.0.3 +foo TXT foo +bar TXT bar diff --git a/bin/tests/system/dlv/ns3/dlv.db.in b/bin/tests/system/dlv/ns3/dlv.db.in new file mode 100644 index 0000000000..996f87c7c6 --- /dev/null +++ b/bin/tests/system/dlv/ns3/dlv.db.in 
@@ -0,0 +1,20 @@ +; Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: dlv.db.in,v 1.2 2004/05/14 04:58:22 marka Exp $ + +$TTL 120 +@ SOA ns hostmaster.ns 1 3600 1200 604800 60 +@ NS ns +ns A 10.53.0.3 diff --git a/bin/tests/system/dlv/ns3/hints b/bin/tests/system/dlv/ns3/hints new file mode 100644 index 0000000000..ef01e029c4 --- /dev/null +++ b/bin/tests/system/dlv/ns3/hints 
@@ -0,0 +1,18 @@
+; Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: hints,v 1.2 2004/05/14 04:58:22 marka Exp $
+
+. 0 NS ns.rootservers.utld.
+ns.rootservers.utld. 0 A 10.53.0.1
diff --git a/bin/tests/system/dlv/ns3/named.conf b/bin/tests/system/dlv/ns3/named.conf
new file mode 100644
index 0000000000..042dc23a30
--- /dev/null
+++ b/bin/tests/system/dlv/ns3/named.conf
@@ -0,0 +1,43 @@ +/* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: named.conf,v 1.2 2004/05/14 04:58:22 marka Exp $ */ + +controls { /* empty */ }; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-enable yes; +}; + +zone "." { type hint; file "hints"; }; +zone "dlv.utld" { type master; file "dlv.signed"; }; +zone "child1.utld" { type master; file "child1.signed"; }; // dlv +zone "child3.utld" { type master; file "child3.signed"; }; // dlv +zone "child4.utld" { type master; file "child4.signed"; }; // dlv +zone "child5.utld" { type master; file "child5.signed"; }; // dlv +zone "child7.utld" { type master; file "child7.signed"; }; // no dlv +zone "child8.utld" { type master; file "child8.signed"; }; // no dlv +zone "child9.utld" { type master; file "child9.signed"; }; // dlv +zone "child10.utld" { type master; file "child.db.in"; }; // dlv unsigned diff --git a/bin/tests/system/dlv/ns3/sign.sh b/bin/tests/system/dlv/ns3/sign.sh new file mode 100755 index 0000000000..d1bb2c4740 --- /dev/null +++ b/bin/tests/system/dlv/ns3/sign.sh 
@@ -0,0 +1,174 @@ +#!/bin/sh +# +# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: sign.sh,v 1.2 2004/05/14 04:58:22 marka Exp $ + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +RANDFILE=../random.data +dlvsets= + +zone=child1.utld. +infile=child.db.in +zonefile=child1.utld.db +outfile=child1.signed +dlvzone=dlv.utld. +dlvsets="$dlvsets dlvset-$zone" + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null +echo "I: signed $zone" + + +zone=child3.utld. +infile=child.db.in +zonefile=child3.utld.db +outfile=child3.signed +dlvzone=dlv.utld. +dlvsets="$dlvsets dlvset-$zone" + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null +echo "I: signed $zone" + + +zone=child4.utld. +infile=child.db.in +zonefile=child4.utld.db +outfile=child4.signed +dlvzone=dlv.utld. 
+dlvsets="$dlvsets dlvset-$zone" + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null +echo "I: signed $zone" + + +zone=child5.utld. +infile=child.db.in +zonefile=child5.utld.db +outfile=child5.signed +dlvzone=dlv.utld. +dlvsets="$dlvsets dlvset-$zone" + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null +echo "I: signed $zone" + + +zone=child7.utld. +infile=child.db.in +zonefile=child7.utld.db +outfile=child7.signed +dlvzone=dlv.utld. + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null +echo "I: signed $zone" + + +zone=child8.utld. +infile=child.db.in +zonefile=child8.utld.db +outfile=child8.signed +dlvzone=dlv.utld. + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null +echo "I: signed $zone" + + +zone=child9.utld. +infile=child.db.in +zonefile=child9.utld.db +outfile=child9.signed +dlvzone=dlv.utld. +dlvsets="$dlvsets dlvset-$zone" + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null +echo "I: signed $zone" + +zone=child10.utld. 
+infile=child.db.in +zonefile=child10.utld.db +outfile=child10.signed +dlvzone=dlv.utld. +dlvsets="$dlvsets dlvset-$zone" + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null +echo "I: signed $zone" + + +zone=dlv.utld. +infile=dlv.db.in +zonefile=dlv.utld.db +outfile=dlv.signed +dlvzone=dlv.utld. + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone` + +cat $infile $dlvsets $keyname1.key $keyname2.key >$zonefile + +$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null +echo "I: signed $zone" + + +cat $keyname2.key | $PERL -n -e ' +local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split; +local $key = join("", @rest); +print < trusted.conf +cp trusted.conf ../ns5 diff --git a/bin/tests/system/dlv/ns4/child.db b/bin/tests/system/dlv/ns4/child.db new file mode 100644 index 0000000000..5bbd6cb85b --- /dev/null +++ b/bin/tests/system/dlv/ns4/child.db 
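Review bot: The child5.utld. block appends `dlvset-child5.utld.` to `dlvsets` but invokes `$SIGNER` without `-l $dlvzone`, unlike the other DLV children, so if `-l` is what produces the dlvset file the final `cat $infile $dlvsets ...` for dlv.utld. will fail on a missing file and the DLV zone will be signed without child5's entry; either add `-l $dlvzone` to that invocation or drop child5 from `dlvsets`, whichever the test intends. Every `$KEYGEN`/`$SIGNER` call discards its output and exit status (`> /dev/null`, no `set -e`), so a failed key generation leaves `keyname1` empty and the error surfaces only later as an unsigned zone; `$SIGNER ... > /dev/null || { echo "I: signing $zone failed"; exit 1; }` would make the failure visible at its source. The nine near-identical blocks differ only in the zone name and the presence of `-l`, which invites exactly this kind of copy-and-paste drift; a small shell function taking the zone name and a dlv flag would remove it. The trailing perl here-document that writes trusted.conf appears truncated in this rendering, so I could not review it.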
@@ -0,0 +1,41 @@ +; Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: child.db,v 1.2 2004/05/14 04:58:22 marka Exp $ + +$TTL 120 +@ SOA ns hostmaster.ns 1 3600 1200 604800 60 +@ NS ns +ns A 10.53.0.3 +; +rootservers NS ns.rootservers +ns.rootservers A 10.53.0.1 +; +child1 NS ns.child1 +ns.child1 A 10.53.0.3 +; +child2 NS ns.child2 +ns.child2 A 10.53.0.4 +; +child3 NS ns.child3 +ns.child3 A 10.53.0.3 +; +child4 NS ns.child4 +ns.child4 A 10.53.0.3 +; +child5 NS ns.child5 +ns.child5 A 10.53.0.3 +; +child6 NS ns.child5 +ns.child6 A 10.53.0.4 diff --git a/bin/tests/system/dlv/ns4/hints b/bin/tests/system/dlv/ns4/hints new file mode 100644 index 0000000000..982ed44e12 --- /dev/null +++ b/bin/tests/system/dlv/ns4/hints 
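Review bot: `child6 NS ns.child5` looks like a copy-and-paste slip: the glue that follows is `ns.child6 A 10.53.0.4`, and ns2/utld.db delegates child6 to ns.child6, so this in-zone NS names a different host than the parent does; `child6 NS ns.child6` would match. The apex glue `ns A 10.53.0.3` also points at ns3 even though ns4 (10.53.0.4) is the server that loads this file for child2.utld and child6.utld; harmless if the resolver only follows the parent's delegation, but confusing in a fixture meant to exercise delegation paths. If either mismatch is deliberate (an unsigned zone whose internal NS disagrees with the parent), a `;` comment saying so would save the next reader a diff against utld.db.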
@@ -0,0 +1,18 @@
+; Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: hints,v 1.2 2004/05/14 04:58:23 marka Exp $
+
+. 0 NS ns.rootservers.utld.
+ns.rootservers.utld. 0 A 10.53.0.1
diff --git a/bin/tests/system/dlv/ns4/named.conf b/bin/tests/system/dlv/ns4/named.conf
new file mode 100644
index 0000000000..b6ea3c0b34
--- /dev/null
+++ b/bin/tests/system/dlv/ns4/named.conf
@@ -0,0 +1,36 @@ +/* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: named.conf,v 1.2 2004/05/14 04:58:23 marka Exp $ */ + +controls { /* empty */ }; + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-enable no; +}; + +zone "." { type hint; file "hints"; }; +zone "child2.utld" { type master; file "child.db"; }; +zone "child6.utld" { type master; file "child.db"; }; diff --git a/bin/tests/system/dlv/ns5/hints b/bin/tests/system/dlv/ns5/hints new file mode 100644 index 0000000000..982ed44e12 --- /dev/null +++ b/bin/tests/system/dlv/ns5/hints 
@@ -0,0 +1,18 @@ +; Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: hints,v 1.2 2004/05/14 04:58:23 marka Exp $ + +. 0 NS ns.rootservers.utld. +ns.rootservers.utld. 0 A 10.53.0.1 diff --git a/bin/tests/system/dlv/ns5/named.conf b/bin/tests/system/dlv/ns5/named.conf new file mode 100644 index 0000000000..70f7d422dd --- /dev/null +++ b/bin/tests/system/dlv/ns5/named.conf 
@@ -0,0 +1,64 @@ +/* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: named.conf,v 1.2 2004/05/14 04:58:23 marka Exp $ */ + +/* + * Choose a keyname that is unlikely to clash with any real key names. + * This allows it to be added to the system's rndc.conf with minimal + * likelyhood of collision. + * + * e.g. + * key "cc64b3d1db63fc88d7cb5d2f9f57d258" { + * algorithm hmac-md5; + * secret "34f88008d07deabbe65bd01f1d233d47"; + * }; + * + * server "10.53.0.5" { + * key cc64b3d1db63fc88d7cb5d2f9f57d258; + * port 5353; + * }; + * + * rndc -s 10.53.0.5 + */ + +key "cc64b3d1db63fc88d7cb5d2f9f57d258" { + algorithm hmac-md5; + secret "34f88008d07deabbe65bd01f1d233d47"; +}; + +controls { + inet 10.53.0.5 port 5353 allow { any; } + keys { cc64b3d1db63fc88d7cb5d2f9f57d258; }; +}; + +include "trusted.conf"; + +options { + query-source address 10.53.0.5; + notify-source 10.53.0.5; + transfer-source 10.53.0.5; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.5; }; + listen-on-v6 { none; }; + recursion yes; + notify yes; + dnssec-enable yes; + dnssec-lookaside "dlv.utld"; +}; + +zone "." { type hint; file "hints"; }; 
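Review bot: The control channel is opened with `allow { any; }` while the HMAC-MD5 secret guarding it is committed to the source tree in plain text (twice: in the key statement and again in the explanatory comment above it), so any host that can reach 10.53.0.5 port 5353 holds the rndc credential for this server. That is tolerable for the 10.53.0.0/24 test rig, but the comment actively suggests pasting this key into the system's rndc.conf, which would carry a published secret into an operator's real configuration. I would narrow the ACL to the address rndc connects from in the harness — presumably the same loopback alias, `allow { 10.53.0.5; }` — and replace the "minimal likelyhood of collision" wording (also a typo for "likelihood") with a warning such as `/* Test-only key: its secret is public in the source tree; never reuse outside bin/tests/system. */`.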
diff --git a/bin/tests/system/dlv/ns5/rndc.conf b/bin/tests/system/dlv/ns5/rndc.conf new file mode 100644 index 0000000000..d95417c42e --- /dev/null +++ b/bin/tests/system/dlv/ns5/rndc.conf @@ -0,0 +1,13 @@ +/* + * Copyright. + */ + +key "cc64b3d1db63fc88d7cb5d2f9f57d258" { + algorithm hmac-md5; + secret "34f88008d07deabbe65bd01f1d233d47"; +}; + +options { + default-server 10.53.0.5; + default-port 5353; +}; diff --git a/bin/tests/system/dlv/setup.sh b/bin/tests/system/dlv/setup.sh new file mode 100644 index 0000000000..0e3898b125 --- /dev/null +++ b/bin/tests/system/dlv/setup.sh @@ -0,0 +1,21 @@ +#!/bin/sh +# +# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: setup.sh,v 1.2 2004/05/14 04:58:19 marka Exp $ + +../../genrandom 400 random.data + +(cd ns3 && sh -e sign.sh) diff --git a/bin/tests/system/dlv/tests.sh b/bin/tests/system/dlv/tests.sh new file mode 100644 index 0000000000..d074faf711 --- /dev/null +++ b/bin/tests/system/dlv/tests.sh 
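Review bot: The header of ns5/rndc.conf is a placeholder, `/* * Copyright. */`, whereas every other new file in this directory carries the full ISC copyright and permission notice, and the later util/copyrights change registers this file as CONF-C 2004, which presumably expects the same notice. Replace the stub with the ISC header and `$Id$` line used in ns5/named.conf. Since the key block duplicates the one in ns5/named.conf, a one-line pointer would keep the two from drifting: `/* Test-only control key; must match the key in ns5/named.conf. Do not reuse. */`.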
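Review bot: `../../genrandom 400 random.data` is not checked, so if it fails the script still goes on to `(cd ns3 && sh -e sign.sh)`, which presumably consumes random.data for the keys it generates; sign.sh is outside this diff, so whether it fails loudly on a missing file cannot be confirmed here. Either put `set -e` after the shebang or write `../../genrandom 400 random.data || exit 1`. A short comment explaining why a fixed 400-byte file is acceptable here — it only feeds test-only keys — would also help the next reader, e.g. `# seed material for the throwaway DNSSEC keys that ns3/sign.sh generates`.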
@@ -0,0 +1,19 @@ +#!/bin/sh +# +# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: tests.sh,v 1.2 2004/05/14 04:58:19 marka Exp $ + +exit 0 From 5ba04ba7a99371afcd4d988854ee71bffdb20df4 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 14 May 2004 05:08:00 +0000 Subject: [PATCH 106/146] 1638. [bug] "ixfr-from-differences" could generate a REQUIRE failure if the journal open failed. [RT #11347] --- CHANGES | 5 +++-- lib/dns/journal.c | 18 +++++++++++++----- 2 files changed, 16 insertions(+), 7 deletions(-) diff --git a/CHANGES b/CHANGES index 733317ea83..7854b60a1a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,7 +1,8 @@ 1639. [func] Initial dlv system test. -1638. [placeholder] rt113347 - +1638. [bug] "ixfr-from-differences" could generate a REQUIRE + failure if the journal open failed. [RT #11347] + 1637. [bug] Node reference leak on error in addnoqname(). 1636. [bug] The dump done callback could get ISC_R_SUCCESS even if diff --git a/lib/dns/journal.c b/lib/dns/journal.c index 95c8bc577a..5930af4fe0 100644 --- a/lib/dns/journal.c +++ b/lib/dns/journal.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: journal.c,v 1.87 2004/05/11 22:20:13 marka Exp $ */ +/* $Id: journal.c,v 1.88 2004/05/14 05:08:00 marka Exp $ */ #include 
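Review bot: tests.sh is a bare `exit 0`, so the test announced in CHANGES 1639 as "Initial dlv system test" can never fail: whatever ns5 does with dlv.utld, the harness sees a pass. If this is deliberately a scaffold while the servers are brought up, say so in the file so it is not mistaken for a real check, e.g. `# placeholder: servers ns1-ns5 are started but DLV validation through ns5 is not yet exercised` immediately above the `exit 0`.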
@@ -1822,10 +1822,16 @@ dns_db_diff(isc_mem_t *mctx, dns_fixedname_init(&fixname[0]); dns_fixedname_init(&fixname[1]); - CHECK(dns_journal_open(mctx, journal_filename, ISC_TRUE, &journal)); + result = dns_journal_open(mctx, journal_filename, ISC_TRUE, &journal); + if (result != ISC_R_SUCCESS) + return (result); - CHECK(dns_db_createiterator(db[0], ISC_FALSE, &dbit[0])); - CHECK(dns_db_createiterator(db[1], ISC_FALSE, &dbit[1])); + result = dns_db_createiterator(db[0], ISC_FALSE, &dbit[0]); + if (result != ISC_R_SUCCESS) + goto cleanup_journal; + result = dns_db_createiterator(db[1], ISC_FALSE, &dbit[1]); + if (result != ISC_R_SUCCESS) + goto cleanup_interator0; itresult[0] = dns_dbiterator_first(dbit[0]); itresult[1] = dns_dbiterator_first(dbit[1]); @@ -1898,8 +1904,10 @@ dns_db_diff(isc_mem_t *mctx, failure: dns_diff_clear(&resultdiff); - dns_dbiterator_destroy(&dbit[0]); dns_dbiterator_destroy(&dbit[1]); + cleanup_interator0: + dns_dbiterator_destroy(&dbit[0]); + cleanup_journal: dns_journal_destroy(&journal); return (result); } From 7952b2b43e880b18e63613805f71fd3e8624bb44 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 14 May 2004 05:58:40 +0000 Subject: [PATCH 107/146] DVL -> DLV --- CHANGES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 7854b60a1a..6a99be22d8 100644 --- a/CHANGES +++ b/CHANGES @@ -90,7 +90,7 @@ 1607. [bug] dig, host and nslookup were still using random() to generate query ids. [RT# 11013] -1606. [bug] DVL insecurity proof was failing. +1606. [bug] DLV insecurity proof was failing. 1605. [func] New dns_db_find() option DNS_DBFIND_COVERINGNSEC. From 48b492d73ae5328c5efef4b9e0f22063e0ab058a Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 14 May 2004 23:50:09 +0000 Subject: [PATCH 108/146] newcopyrights --- util/copyrights | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/util/copyrights b/util/copyrights index a148849496..9e71f43a89 100644 --- a/util/copyrights 
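Review bot: The new label `cleanup_interator0` is misspelled; since it is introduced by this commit, renaming it costs nothing — `cleanup_iterator0:` with the matching `goto cleanup_iterator0;`. The three early exits themselves look right for the reported REQUIRE failure: the old `CHECK()` presumably jumped to `failure:`, where `dns_dbiterator_destroy(&dbit[1])` ran on an iterator that had never been created. Note that the early exits also bypass `dns_diff_clear(&resultdiff)`; that is only safe because nothing is appended to resultdiff before the iterators exist, which the visible hunk supports but a comment should pin, e.g. `/* resultdiff is still empty here; returning without clearing it is safe */` on the first `return (result);`. dns_db_diff starts and ends outside the hunk.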
+++ b/util/copyrights @@ -458,8 +458,6 @@ ./bin/tests/system/dialup/tests.sh SH 2000,2001,2004 ./bin/tests/system/digcomp.pl PERL 2000,2001,2004 ./bin/tests/system/dlv/clean.sh SH 2004 -./bin/tests/system/dlv/setup.sh SH 2004 -./bin/tests/system/dlv/tests.sh SH 2004 ./bin/tests/system/dlv/ns1/named.conf CONF-C 2004 ./bin/tests/system/dlv/ns1/root.db ZONE 2004 ./bin/tests/system/dlv/ns1/rootservers.utld.db ZONE 2004 @@ -476,6 +474,9 @@ ./bin/tests/system/dlv/ns4/named.conf CONF-C 2004 ./bin/tests/system/dlv/ns5/hints ZONE 2004 ./bin/tests/system/dlv/ns5/named.conf CONF-C 2004 +./bin/tests/system/dlv/ns5/rndc.conf CONF-C 2004 +./bin/tests/system/dlv/setup.sh SH 2004 +./bin/tests/system/dlv/tests.sh SH 2004 ./bin/tests/system/dnssec/README TXT.BRIEF 2000,2001,2002,2004 ./bin/tests/system/dnssec/clean.sh SH 2000,2001,2002,2004 ./bin/tests/system/dnssec/dnssec_update_test.pl PERL 2002,2004 From ec3f1d35170225c74d11c27bb184e250d150b209 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?= Date: Sat, 15 May 2004 03:37:34 +0000 Subject: [PATCH 109/146] 1629. [func] dig now supports IPv6 scoped addresses with the extended format in the local-server part. [RT #8753] --- CHANGES | 3 +- lib/bind9/getaddresses.c | 65 +++++++++++++++++++++++++++++++----- lib/isc/include/isc/result.h | 5 +-- lib/isc/netaddr.c | 5 +-- lib/isc/result.c | 5 +-- lib/isc/sockaddr.c | 10 +++++- lib/isccfg/parser.c | 8 +++-- 7 files changed, 83 insertions(+), 18 deletions(-) diff --git a/CHANGES b/CHANGES index 6a99be22d8..b29cc971a5 100644 --- a/CHANGES +++ b/CHANGES @@ -25,7 +25,8 @@ 1630. [contrib] queryperf: add support for IPv6 transport. -1629. [placeholder] rt8753 +1629. [func] dig now supports IPv6 scoped addresses with the + extended format in the local-server part. [RT #8753] 1628. [bug] Typo in Compaq Trucluster support. [RT# 11264] diff --git a/lib/bind9/getaddresses.c b/lib/bind9/getaddresses.c index b4c9158b44..d407f64066 100644 
--- a/lib/bind9/getaddresses.c +++ b/lib/bind9/getaddresses.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: getaddresses.c,v 1.15 2004/03/05 05:09:04 marka Exp $ */ +/* $Id: getaddresses.c,v 1.16 2004/05/15 03:37:33 jinmei Exp $ */ #include #include @@ -23,6 +23,7 @@ #include #include #include +#include #include #include #include 
@@ -67,19 +68,67 @@ bind9_getaddresses(const char *hostname, in_port_t port, have_ipv4 = (isc_net_probeipv4() == ISC_R_SUCCESS); have_ipv6 = (isc_net_probeipv6() == ISC_R_SUCCESS); - if (inet_pton(AF_INET6, hostname, &in6) == 1) { - if (!have_ipv6) - return (ISC_R_FAMILYNOSUPPORT); - isc_sockaddr_fromin6(&addrs[0], &in6, port); - *addrcount = 1; - return (ISC_R_SUCCESS); - } else if (inet_pton(AF_INET, hostname, &in4) == 1) { + /* + * Try IPv4, then IPv6. In order to handle the extended format + * for IPv6 scoped addresses (address%scope_ID), we'll use a local + * working buffer of 128 bytes. The length is an ad-hoc value, but + * should be enough for this purpose; the buffer can contain a string + * of at least 80 bytes for scope_ID in addition to any IPv6 numeric + * addresses (up to 46 bytes), the delimiter character and the + * terminating NULL character. + */ + if (inet_pton(AF_INET, hostname, &in4) == 1) { if (have_ipv4) isc_sockaddr_fromin(&addrs[0], &in4, port); else isc_sockaddr_v6fromin(&addrs[0], &in4, port); *addrcount = 1; return (ISC_R_SUCCESS); + } else if (strlen(hostname) <= 127) { + char tmpbuf[128], *d; + isc_uint32_t zone = 0; + + strcpy(tmpbuf, hostname); + d = strchr(tmpbuf, '%'); + if (d != NULL) + *d = '\0'; + + if (inet_pton(AF_INET6, tmpbuf, &in6) == 1) { + isc_netaddr_t na; + + if (!have_ipv6) + return (ISC_R_FAMILYNOSUPPORT); + + if (d != NULL) { +#ifdef ISC_PLATFORM_HAVESCOPEID + isc_result_t result; + + result = isc_netscope_pton(AF_INET6, d + 1, + &in6, &zone); + + if (result != ISC_R_SUCCESS) + return (result); +#else + /* + * The extended format is specified while the + * system does not provide the ability to use + * it. Throw an explicit error instead of + * ignoring the specified value. 
+ */ + return (ISC_R_BADADDRESSFORM); +#endif + } + + isc_netaddr_fromin6(&na, &in6); + isc_netaddr_setzone(&na, zone); + isc_sockaddr_fromnetaddr(&addrs[0], + (const isc_netaddr_t *)&na, + port); + + *addrcount = 1; + return (ISC_R_SUCCESS); + + } } #ifdef USE_GETADDRINFO memset(&hints, 0, sizeof(hints)); diff --git a/lib/isc/include/isc/result.h b/lib/isc/include/isc/result.h index d1ae566f0a..d3bfb49a74 100644 --- a/lib/isc/include/isc/result.h +++ b/lib/isc/include/isc/result.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: result.h,v 1.62 2004/03/05 05:11:00 marka Exp $ */ +/* $Id: result.h,v 1.63 2004/05/15 03:37:34 jinmei Exp $ */ #ifndef ISC_RESULT_H #define ISC_RESULT_H 1 @@ -82,11 +82,12 @@ #define ISC_R_BADNUMBER 56 /* not a valid number */ #define ISC_R_DISABLED 57 /* disabled */ #define ISC_R_MAXSIZE 58 /* max size */ +#define ISC_R_BADADDRESSFORM 59 /* invalid address format */ /* * Not a result code: the number of results. */ -#define ISC_R_NRESULTS 59 +#define ISC_R_NRESULTS 60 ISC_LANG_BEGINDECLS diff --git a/lib/isc/netaddr.c b/lib/isc/netaddr.c index a2081afacb..74cd159535 100644 --- a/lib/isc/netaddr.c +++ b/lib/isc/netaddr.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: netaddr.c,v 1.27 2004/03/05 05:10:47 marka Exp $ */ +/* $Id: netaddr.c,v 1.28 2004/05/15 03:37:33 jinmei Exp $ */ #include @@ -47,7 +47,8 @@ isc_netaddr_equal(const isc_netaddr_t *a, const isc_netaddr_t *b) { break; case AF_INET6: if (memcmp(&a->type.in6, &b->type.in6, - sizeof(a->type.in6)) != 0) + sizeof(a->type.in6)) != 0 || + a->zone != b->zone) return (ISC_FALSE); break; default: diff --git a/lib/isc/result.c b/lib/isc/result.c index 68acf9f2d2..7eb3a4332c 100644 --- a/lib/isc/result.c +++ b/lib/isc/result.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: result.c,v 1.62 2004/03/05 05:10:48 marka Exp $ */ +/* $Id: result.c,v 1.63 2004/05/15 03:37:33 jinmei Exp $ */ #include 
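Review bot: The text after the `%` delimiter is passed to `isc_netscope_pton()` without checking that it is non-empty, so an input such as `fe80::1%` reaches the scope parser with an empty string; whether that is rejected is decided inside isc_netscope_pton, outside this diff. A guard at the top of the `if (d != NULL)` block that follows the successful inet_pton — `if (d[1] == '\0') return (ISC_R_BADADDRESSFORM);` — pins the contract here and behaves the same on both sides of `#ifdef ISC_PLATFORM_HAVESCOPEID`. The buffer-size comment should say NUL rather than "NULL character", and since lib/isccfg/parser.c now carries a second copy of exactly this parse (128-byte buffer, `%` split, inet_pton, scope lookup), one shared helper in lib/isc would keep the two from drifting. bind9_getaddresses continues past the hunk into the getaddrinfo path.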
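Review bot: Adding `a->zone != b->zone` to isc_netaddr_equal() changes the answer for every caller, not only the new scoped-literal code: an IPv6 address parsed without a `%scope` carries zone 0 and now compares unequal to the same address that acquired a scope elsewhere (the parallel sockaddr.c hunks do the same for sin6_scope_id). Whether any ACL, notify or transfer-source comparison depended on the old zone-blind equality cannot be seen from this diff, so the CHANGES entry for 1629, which mentions only dig, should record the semantic change, and the new comparison deserves a comment: `/* the scope zone is part of an address's identity; zone 0 is not a wildcard */`.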
@@ -96,7 +96,8 @@ static const char *text[ISC_R_NRESULTS] = { "soft quota reached", /* 55 */ "not a valid number", /* 56 */ "disabled", /* 57 */ - "max size" /* 58 */ + "max size", /* 58 */ + "invalid address format" /* 59 */ }; #define ISC_RESULT_RESULTSET 2 diff --git a/lib/isc/sockaddr.c b/lib/isc/sockaddr.c index 27b9309f95..edaaf5b06d 100644 --- a/lib/isc/sockaddr.c +++ b/lib/isc/sockaddr.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: sockaddr.c,v 1.59 2004/03/05 05:10:49 marka Exp $ */ +/* $Id: sockaddr.c,v 1.60 2004/05/15 03:37:33 jinmei Exp $ */ #include @@ -57,6 +57,10 @@ isc_sockaddr_equal(const isc_sockaddr_t *a, const isc_sockaddr_t *b) { if (memcmp(&a->type.sin6.sin6_addr, &b->type.sin6.sin6_addr, sizeof(a->type.sin6.sin6_addr)) != 0) return (ISC_FALSE); +#ifdef ISC_PLATFORM_HAVESCOPEID + if (a->type.sin6.sin6_scope_id != b->type.sin6.sin6_scope_id) + return (ISC_FALSE); +#endif if (a->type.sin6.sin6_port != b->type.sin6.sin6_port) return (ISC_FALSE); break; @@ -86,6 +90,10 @@ isc_sockaddr_eqaddr(const isc_sockaddr_t *a, const isc_sockaddr_t *b) { if (memcmp(&a->type.sin6.sin6_addr, &b->type.sin6.sin6_addr, sizeof(a->type.sin6.sin6_addr)) != 0) return (ISC_FALSE); +#ifdef ISC_PLATFORM_HAVESCOPEID + if (a->type.sin6.sin6_scope_id != b->type.sin6.sin6_scope_id) + return (ISC_FALSE); +#endif break; default: if (memcmp(&a->type, &b->type, a->length) != 0) diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c index 8a4affd493..14223142ba 100644 --- a/lib/isccfg/parser.c +++ b/lib/isccfg/parser.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: parser.c,v 1.112 2004/03/18 02:58:07 marka Exp $ */ +/* $Id: parser.c,v 1.113 2004/05/15 03:37:34 jinmei Exp $ */ #include 
@@ -1671,7 +1671,7 @@ token_addr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na) { } if ((flags & CFG_ADDR_V6OK) != 0 && strlen(s) <= 127U) { - char buf[128]; + char buf[128]; /* see lib/bind9/getaddresses.c */ char *d; /* zone delimiter */ isc_uint32_t zone = 0; /* scope zone ID */ @@ -1682,6 +1682,7 @@ token_addr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na) { if (inet_pton(AF_INET6, buf, &in6a) == 1) { if (d != NULL) { +#ifdef ISC_PLATFORM_HAVESCOPEID isc_result_t result; result = isc_netscope_pton(AF_INET6, @@ -1690,6 +1691,9 @@ token_addr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na) { &zone); if (result != ISC_R_SUCCESS) return (result); +#else + return (ISC_R_BADADDRESSFORM); +#endif } isc_netaddr_fromin6(na, &in6a); From b7430af4de26a44e14d11927aeb1bddd9d72d0f6 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Sat, 15 May 2004 23:18:03 +0000 Subject: [PATCH 110/146] new draft --- doc/draft/draft-ietf-dnsext-nsec-rdata-05.txt | 503 ----------------- doc/draft/draft-ietf-dnsext-nsec-rdata-06.txt | 504 ++++++++++++++++++ 2 files changed, 504 insertions(+), 503 deletions(-) delete mode 100644 doc/draft/draft-ietf-dnsext-nsec-rdata-05.txt create mode 100644 doc/draft/draft-ietf-dnsext-nsec-rdata-06.txt diff --git a/doc/draft/draft-ietf-dnsext-nsec-rdata-05.txt b/doc/draft/draft-ietf-dnsext-nsec-rdata-05.txt deleted file mode 100644 index acdf4581ed..0000000000 --- a/doc/draft/draft-ietf-dnsext-nsec-rdata-05.txt +++ /dev/null 
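Review bot: On a build without ISC_PLATFORM_HAVESCOPEID, a configured address written as `fe80::1%eth0` now fails with the bare ISC_R_BADADDRESSFORM ("invalid address format"), which tells the administrator nothing about the real cause — the syntax is valid, the platform just cannot honour scope IDs. token_addr's callers and this file's error-reporting helper are outside the hunk, but the `#else` branch is the place to log something like "IPv6 scope identifiers are not supported on this platform" before returning. The `/* see lib/bind9/getaddresses.c */` comment on `char buf[128]` sends the reader to another file for the sizing rationale; a self-contained line — `/* up to 46 bytes of address + '%' + up to 80 bytes of scope ID + NUL */` — is better, and the duplicated parse itself argues for a single shared helper.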
@@ -1,503 +0,0 @@ - - -DNS Extensions Working Group J. Schlyter, Ed. -Internet-Draft March 11, 2004 -Updates: RFC 2535, RFC TCR -Expires: September 9, 2004 - - - DNSSEC NSEC RDATA Format - draft-ietf-dnsext-nsec-rdata-05.txt - -Status of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that other - groups may also distribute working documents as Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet-Drafts as reference - material or to cite them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at http:// - www.ietf.org/ietf/1id-abstracts.txt. - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - This Internet-Draft will expire on September 9, 2004. - -Copyright Notice - - Copyright (C) The Internet Society (2004). All Rights Reserved. - -Abstract - - This document redefines the wire format of the "Type Bit Map" field - in the NSEC resource record RDATA format to cover the full RR type - space. - - - - - - - - - - - -Schlyter Expires September 9, 2004 [Page 1] - -Internet-Draft DNSSEC NSEC RDATA Format March 2004 - - -Table of Contents - - 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 - 2. The NSEC Resource Record . . . . . . . . . . . . . . . . . . 3 - 2.1 NSEC RDATA Wire Format . . . . . . . . . . . . . . . . . . . 4 - 2.1.1 The Next Domain Name Field . . . . . . . . . . . . . . . . . 4 - 2.1.2 The List of Type Bit Map(s) Field . . . . . . . . . . . . . 4 - 2.1.3 Inclusion of Wildcard Names in NSEC RDATA . . . . . . . . . 5 - 2.2 The NSEC RR Presentation Format . . . . . . . . . . . . . . 
5 - 2.3 NSEC RR Example . . . . . . . . . . . . . . . . . . . . . . 6 - 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . 6 - 4. Security Considerations . . . . . . . . . . . . . . . . . . 6 - Normative References . . . . . . . . . . . . . . . . . . . . 6 - Informational References . . . . . . . . . . . . . . . . . . 7 - Author's Address . . . . . . . . . . . . . . . . . . . . . . 7 - A. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 - Intellectual Property and Copyright Statements . . . . . . . 8 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Schlyter Expires September 9, 2004 [Page 2] - -Internet-Draft DNSSEC NSEC RDATA Format March 2004 - - -1. Introduction - - The NSEC [6] Resource Record (RR) is used for authenticated proof of - the non-existence of DNS owner names and types. The NSEC RR is based - on the NXT RR as described in RFC 2535 [3], and is similar except for - the name and typecode. The RDATA format for the NXT RR had a - limitation in that, without using a yet undefined extension - mechanism, the the RDATA could only carry information about the - existence of the first 127 types. - - To prevent the introduction of an extension mechanism into a deployed - base of DNSSEC aware servers and resolvers, once the first 127 type - codes are allocated, this document redefines the wire format of the - "Type Bit Map" field in the NSEC RDATA to cover the full RR type - space. - - This document introduces a new format for the type bit map. The - properties of the type bit map format are that it can cover the full - possible range of typecodes, that it is relatively economic in the - amount of space it uses for the common case of a few types with an - owner name, that it can represent owner names with all possible types - present in packets of approximately 8.5 kilobytes and that the - representation is simple to implement. 
Efficient searching of the - type bitmap for the presence of certain types is not a requirement. - - For convenience and completeness this document presents the syntax - and semantics for the NSEC RR based on the specification in RFC 2535 - [3] and as updated by RFC TCR [6], thereby not introducing changes - except for the syntax of the type bit map. - - This document updates RFC 2535 [3] and RFC TCR [6]. - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this - document are to be interpreted as described in RFC 2119 [1]. - -2. The NSEC Resource Record - - The NSEC resource record lists two separate things: the owner name of - the next RRset in the canonical ordering of the zone, and the set of - RR types present at the NSEC RR's owner name. The complete set of - NSEC RRs in a zone both indicate which RRsets exist in a zone and - also form a chain of owner names in the zone. This information is - used to provide authenticated denial of existence for DNS data, as - described in RFC 2535 [3]. - - The type value for the NSEC RR is 47. - - - - -Schlyter Expires September 9, 2004 [Page 3] - -Internet-Draft DNSSEC NSEC RDATA Format March 2004 - - - The NSEC RR RDATA format is class independent and defined for all - classes. - - The NSEC RR SHOULD have the same TTL value as the SOA minimum TTL - field. This is in the spirit of negative caching [2]. 
- -2.1 NSEC RDATA Wire Format - - The RDATA of the NSEC RR is as shown below: - - 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - / Next Domain Name / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - / List of Type Bit Map(s) / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - -2.1.1 The Next Domain Name Field - - The Next Domain Name field contains the owner name of the next RR in - the canonical ordering of the zone. The value of the Next Domain - Name field in the last NSEC record in the zone is the name of the - zone apex (the owner name of the zone's SOA RR). - - A sender MUST NOT use DNS name compression on the Next Domain Name - field when transmitting an NSEC RR. A receiver which receives an - NSEC RR containing a compressed Next Domain Name field SHOULD - decompress the field value. - - Owner names of RRsets not authoritative for the given zone (such as - glue records) MUST NOT be listed in the Next Domain Name unless at - least one authoritative RRset exists at the same owner name. - -2.1.2 The List of Type Bit Map(s) Field - - The RR type space is split into 256 window blocks, each representing - the low-order 8 bits of the 16-bit RR type space. Each block that has - at least one active RR type is encoded using a single octet window - number (from 0 to 255), a single octet bitmap length (from 1 to 32) - indicating the number of octets used for the window block's bitmap, - and up to 32 octets (256 bits) of bitmap. - - Blocks are present in the NSEC RR RDATA in increasing numerical - order. 
- - "|" denotes concatenation - - - -Schlyter Expires September 9, 2004 [Page 4] - -Internet-Draft DNSSEC NSEC RDATA Format March 2004 - - - Type Bit Map(s) Field = ( Window Block # | Bitmap Length | Bitmap ) + - - Each bitmap encodes the low-order 8 bits of RR types within the - window block, in network bit order. The first bit is bit 0. For - window block 0, bit 1 corresponds to RR type 1 (A), bit 2 corresponds - to RR type 2 (NS), and so forth. For window block 1, bit 1 - corresponds to RR type 257, bit 2 to RR type 258. If a bit is set to - 1, it indicates that an RRset of that type is present for the NSEC - RR's owner name. If a bit is set to 0, it indicates that no RRset of - that type is present for the NSEC RR's owner name. - - Since bit 0 in window block 0 refers to the non-existing RR type 0, - it MUST be set to 0. After verification, the validator MUST ignore - the value of bit 0 in window block 0. - - Bits representing Meta-TYPEs or QTYPEs as specified in RFC 2929 [4] - (section 3.1) or within the range reserved for assignment only to - QTYPEs and Meta-TYPEs MUST be set to 0, since they do not appear in - zone data. If encountered, they must be ignored upon reading. - - Blocks with no types present MUST NOT be included. Trailing zero - octets in the bitmap MUST be omitted. The length of each block's - bitmap is determined by the type code with the largest numerical - value, within that block, among the set of RR types present at the - NSEC RR's owner name. Trailing zero octets not specified MUST be - interpretted as zero octets. - -2.1.3 Inclusion of Wildcard Names in NSEC RDATA - - If a wildcard owner name appears in a zone, the wildcard label ("*") - is treated as a literal symbol and is treated the same as any other - owner name for purposes of generating NSEC RRs. Wildcard owner names - appear in the Next Domain Name field without any wildcard expansion. - RFC 2535 [3] describes the impact of wildcards on authenticated - denial of existence. 
- -2.2 The NSEC RR Presentation Format - - The presentation format of the RDATA portion is as follows: - - The Next Domain Name field is represented as a domain name. - - The List of Type Bit Map(s) Field is represented as a sequence of RR - type mnemonics. When the mnemonic is not known, the TYPE - representation as described in RFC 3597 [5] (section 5) MUST be used. - - - - - - -Schlyter Expires September 9, 2004 [Page 5] - -Internet-Draft DNSSEC NSEC RDATA Format March 2004 - - -2.3 NSEC RR Example - - The following NSEC RR identifies the RRsets associated with - alfa.example.com. and identifies the next authoritative name after - alfa.example.com. - - alfa.example.com. 86400 IN NSEC host.example.com. A MX RRSIG NSEC TYPE1234 - - The first four text fields specify the name, TTL, Class, and RR type - (NSEC). The entry host.example.com. is the next authoritative name - after alfa.example.com. in canonical order. The A, MX, RRSIG, NSEC - and TYPE1234 mnemonics indicate there are A, MX, RRSIG, NSEC and - TYPE1234 RRsets associated with the name alfa.example.com. - - The RDATA section of the NSEC RR above would be encoded as: - - 0x04 'h' 'o' 's' 't' - 0x07 'e' 'x' 'a' 'm' 'p' 'l' 'e' - 0x03 'c' 'o' 'm' 0x00 - 0x00 0x06 0x40 0x01 0x00 0x00 0x00 0x03 - 0x04 0x1b 0x00 0x00 0x00 0x00 0x00 0x00 - 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 - 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 - 0x00 0x00 0x00 0x00 0x20 - - Assuming that the resolver can authenticate this NSEC record, it - could be used to prove that beta.example.com does not exist, or could - be used to prove there is no AAAA record associated with - alfa.example.com. Authenticated denial of existence is discussed in - RFC 2535 [3]. - -3. IANA Considerations - - This document introduces no new IANA considerations, because all of - the protocol parameters used in this document have already been - assigned by RFC TCR [6]. - -4. 
Security Considerations - - The update of the RDATA format and encoding does not affect the - security of the use of NSEC RRs. - -Normative References - - [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement - Levels", BCP 14, RFC 2119, March 1997. - - [2] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", RFC - - - -Schlyter Expires September 9, 2004 [Page 6] - -Internet-Draft DNSSEC NSEC RDATA Format March 2004 - - - 2308, March 1998. - - [3] Eastlake, D., "Domain Name System Security Extensions", RFC - 2535, March 1999. - - [4] Eastlake, D., Brunner-Williams, E. and B. Manning, "Domain Name - System (DNS) IANA Considerations", BCP 42, RFC 2929, September - 2000. - - [5] Gustafsson, A., "Handling of Unknown DNS Resource Record (RR) - Types", RFC 3597, September 2003. - - [6] Weiler, S., "Legacy Resolver Compatibility for Delegation - Signer", draft-ietf-dnsext-dnssec-2535typecode-change-05 (work - in progress), October 2003. - -Informational References - - [7] Mockapetris, P., "Domain names - concepts and facilities", STD - 13, RFC 1034, November 1987. - - [8] Mockapetris, P., "Domain names - implementation and - specification", STD 13, RFC 1035, November 1987. - - -Author's Address - - Jakob Schlyter (editor) - Karl Gustavsgatan 15 - Goteborg SE-411 25 - Sweden - - EMail: jakob@schlyter.se - -Appendix A. Acknowledgements - - The encoding described in this document was initially proposed by - Mark Andrews. Other encodings where proposed by David Blacka and - Michael Graff. 
- - - - - - - - - - - - -Schlyter Expires September 9, 2004 [Page 7] - -Internet-Draft DNSSEC NSEC RDATA Format March 2004 - - -Intellectual Property Statement - - The IETF takes no position regarding the validity or scope of any - intellectual property or other rights that might be claimed to - pertain to the implementation or use of the technology described in - this document or the extent to which any license under such rights - might or might not be available; neither does it represent that it - has made any effort to identify any such rights. Information on the - IETF's procedures with respect to rights in standards-track and - standards-related documentation can be found in BCP-11. Copies of - claims of rights made available for publication and any assurances of - licenses to be made available, or the result of an attempt made to - obtain a general license or permission for the use of such - proprietary rights by implementors or users of this specification can - be obtained from the IETF Secretariat. - - The IETF invites any interested party to bring to its attention any - copyrights, patents or patent applications, or other proprietary - rights which may cover technology that may be required to practice - this standard. Please address the information to the IETF Executive - Director. - - -Full Copyright Statement - - Copyright (C) The Internet Society (2004). All Rights Reserved. - - This document and translations of it may be copied and furnished to - others, and derivative works that comment on or otherwise explain it - or assist in its implementation may be prepared, copied, published - and distributed, in whole or in part, without restriction of any - kind, provided that the above copyright notice and this paragraph are - included on all such copies and derivative works. 
However, this - document itself may not be modified in any way, such as by removing - the copyright notice or references to the Internet Society or other - Internet organizations, except as needed for the purpose of - developing Internet standards in which case the procedures for - copyrights defined in the Internet Standards process must be - followed, or as required to translate it into languages other than - English. - - The limited permissions granted above are perpetual and will not be - revoked by the Internet Society or its successors or assignees. - - This document and the information contained herein is provided on an - "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING - TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING - BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION - - - -Schlyter Expires September 9, 2004 [Page 8] - -Internet-Draft DNSSEC NSEC RDATA Format March 2004 - - - HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF - MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - - -Acknowledgment - - Funding for the RFC Editor function is currently provided by the - Internet Society. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Schlyter Expires September 9, 2004 [Page 9] - diff --git a/doc/draft/draft-ietf-dnsext-nsec-rdata-06.txt b/doc/draft/draft-ietf-dnsext-nsec-rdata-06.txt new file mode 100644 index 0000000000..c8904456bb --- /dev/null +++ b/doc/draft/draft-ietf-dnsext-nsec-rdata-06.txt 
@@ -0,0 +1,504 @@
+
+DNS Extensions Working Group J. Schlyter, Ed.
+Internet-Draft May 10, 2004
+Updates: RFC 2535, RFC TCR (if approved)
+Expires: November 8, 2004
+
+
+ DNSSEC NSEC RDATA Format
+ draft-ietf-dnsext-nsec-rdata-06.txt
+
+Status of this Memo
+
+ This document is an Internet-Draft and is in full conformance with
+ all provisions of Section 10 of RFC2026.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that other
+ groups may also distribute working documents as Internet-Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at http://
+ www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on November 8, 2004.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+Abstract
+
+ This document redefines the wire format of the "Type Bit Map" field
+ in the NSEC resource record RDATA format to cover the full RR type
+ space.
+
+
+
+
+
+
+
+
+
+
+
+Schlyter Expires November 8, 2004 [Page 1]
+
+Internet-Draft DNSSEC NSEC RDATA Format May 2004
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2. The NSEC Resource Record . . . . . . . . . . . . . . . . . . 3
+ 2.1 NSEC RDATA Wire Format . . . . . . . . . . . . . . . . . . . 4
+ 2.1.1 The Next Domain Name Field . . . . . . . . . . . . . . . . . 4
+ 2.1.2 The List of Type Bit Map(s) Field . . . . . . . . . . . . . 4
+ 2.1.3 Inclusion of Wildcard Names in NSEC RDATA . . . . . . . . . 5
+ 2.2 The NSEC RR Presentation Format . . . . . . . . . . . . 5
+ 2.3 NSEC RR Example . . . . . . . . . . . . . . . . . . . . . . 5
+ 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . 6
+ 4. Security Considerations . . . . . . . . . . . . . . . . . . 6
+ Normative References . . . . . . . . . . . . . . . . . . . . 6
+ Informational References . . . . . . . . . . . . . . . . . . 7
+ Author's Address . . . . . . . . . . . . . . . . . . . . . . 7
+ A. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7
+ Intellectual Property and Copyright Statements . . . . . . . 8
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Schlyter Expires November 8, 2004 [Page 2]
+
+Internet-Draft DNSSEC NSEC RDATA Format May 2004
+
+
+1. Introduction
+
+ The NSEC [5] Resource Record (RR) is used for authenticated proof of
+ the non-existence of DNS owner names and types. The NSEC RR is based
+ on the NXT RR as described in RFC 2535 [2], and is similar except for
+ the name and typecode. The RDATA format for the NXT RR has the
+ limitation in that the RDATA could only carry information about the
+ existence of the first 127 types. RFC 2535 did reserve a bit to
+ specify an extension mechanism, but the mechanism was never actually
+ defined.
+
+ In order to avoid the need to develop an extension mechanism into a
+ deployed base of DNSSEC aware servers and resolvers once the first
+ 127 type codes are allocated, this document redefines the wire format
+ of the "Type Bit Map" field in the NSEC RDATA to cover the full RR
+ type space.
+
+ This document introduces a new format for the type bit map. The
+ properties of the type bit map format are that it can cover the full
+ possible range of typecodes, that it is relatively economical in the
+ amount of space it uses for the common case of a few types with an
+ owner name, that it can represent owner names with all possible types
+ present in packets of approximately 8.5 kilobytes and that the
+ representation is simple to implement. Efficient searching of the
+ type bitmap for the presence of certain types is not a requirement.
+
+ For convenience and completeness this document presents the syntax
+ and semantics for the NSEC RR based on the specification in RFC 2535
+ [2] and as updated by RFC TCR [5], thereby not introducing changes
+ except for the syntax of the type bit map.
+
+ This document updates RFC 2535 [2] and RFC TCR [5].
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [1].
+
+2. The NSEC Resource Record
+
+ The NSEC resource record lists two separate things: the owner name of
+ the next RRset in the canonical ordering of the zone, and the set of
+ RR types present at the NSEC RR's owner name. The complete set of
+ NSEC RRs in a zone both indicate which RRsets exist in a zone and
+ also form a chain of owner names in the zone. This information is
+ used to provide authenticated denial of existence for DNS data, as
+ described in RFC 2535 [2].
+
+ The type value for the NSEC RR is 47.
+
+
+
+Schlyter Expires November 8, 2004 [Page 3]
+
+Internet-Draft DNSSEC NSEC RDATA Format May 2004
+
+
+ The NSEC RR RDATA format is class independent and defined for all
+ classes.
+
+ The NSEC RR SHOULD have the same TTL value as the SOA minimum TTL
+ field. This is in the spirit of negative caching [8].
+
+2.1 NSEC RDATA Wire Format
+
+ The RDATA of the NSEC RR is as shown below:
+
+ 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ / Next Domain Name /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ / List of Type Bit Map(s) /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+2.1.1 The Next Domain Name Field
+
+ The Next Domain Name field contains the owner name of the next RR in
+ the canonical ordering of the zone. The value of the Next Domain
+ Name field in the last NSEC record in the zone is the name of the
+ zone apex (the owner name of the zone's SOA RR).
+
+ A sender MUST NOT use DNS name compression on the Next Domain Name
+ field when transmitting an NSEC RR.
+
+ Owner names of RRsets not authoritative for the given zone (such as
+ glue records) MUST NOT be listed in the Next Domain Name unless at
+ least one authoritative RRset exists at the same owner name.
+
+2.1.2 The List of Type Bit Map(s) Field
+
+ The RR type space is split into 256 window blocks, each representing
+ the low-order 8 bits of the 16-bit RR type space. Each block that has
+ at least one active RR type is encoded using a single octet window
+ number (from 0 to 255), a single octet bitmap length (from 1 to 32)
+ indicating the number of octets used for the window block's bitmap,
+ and up to 32 octets (256 bits) of bitmap.
+
+ Window blocks are present in the NSEC RR RDATA in increasing
+ numerical order.
+
+ "|" denotes concatenation
+
+ Type Bit Map(s) Field = ( Window Block # | Bitmap Length | Bitmap )
+
+
+
+
+Schlyter Expires November 8, 2004 [Page 4]
+
+Internet-Draft DNSSEC NSEC RDATA Format May 2004
+
+
+ Each bitmap encodes the low-order 8 bits of RR types within the
+ window block, in network bit order. The first bit is bit 0. For
+ window block 0, bit 1 corresponds to RR type 1 (A), bit 2 corresponds
+ to RR type 2 (NS), and so forth. For window block 1, bit 1
+ corresponds to RR type 257, bit 2 to RR type 258. If a bit is set to
+ 1, it indicates that an RRset of that type is present for the NSEC
+ RR's owner name. If a bit is set to 0, it indicates that no RRset of
+ that type is present for the NSEC RR's owner name.
+
+ Since bit 0 in window block 0 refers to the non-existing RR type 0,
+ it MUST be set to 0. After verification, the validator MUST ignore
+ the value of bit 0 in window block 0.
+
+ Bits representing Meta-TYPEs or QTYPEs as specified in RFC 2929 [3]
+ (section 3.1) or within the range reserved for assignment only to
+ QTYPEs and Meta-TYPEs MUST be set to 0, since they do not appear in
+ zone data. If encountered, they must be ignored upon reading.
+
+ Blocks with no types present MUST NOT be included. Trailing zero
+ octets in the bitmap MUST be omitted. The length of each block's
+ bitmap is determined by the type code with the largest numerical
+ value, within that block, among the set of RR types present at the
+ NSEC RR's owner name. Trailing zero octets not specified MUST be
+ interpretted as zero octets.
+
+2.1.3 Inclusion of Wildcard Names in NSEC RDATA
+
+ If a wildcard owner name appears in a zone, the wildcard label ("*")
+ is treated as a literal symbol and is treated the same as any other
+ owner name for purposes of generating NSEC RRs. Wildcard owner names
+ appear in the Next Domain Name field without any wildcard expansion.
+ RFC 2535 [2] describes the impact of wildcards on authenticated
+ denial of existence.
+
+2.2 The NSEC RR Presentation Format
+
+ The presentation format of the RDATA portion is as follows:
+
+ The Next Domain Name field is represented as a domain name.
+
+ The List of Type Bit Map(s) Field is represented as a sequence of RR
+ type mnemonics. When the mnemonic is not known, the TYPE
+ representation as described in RFC 3597 [4] (section 5) MUST be used.
+
+2.3 NSEC RR Example
+
+ The following NSEC RR identifies the RRsets associated with
+ alfa.example.com. and identifies the next authoritative name after
+
+
+
+Schlyter Expires November 8, 2004 [Page 5]
+
+Internet-Draft DNSSEC NSEC RDATA Format May 2004
+
+
+ alfa.example.com.
+
+ alfa.example.com. 86400 IN NSEC host.example.com. A MX RRSIG NSEC TYPE1234
+
+ The first four text fields specify the name, TTL, Class, and RR type
+ (NSEC). The entry host.example.com. is the next authoritative name
+ after alfa.example.com. in canonical order. The A, MX, RRSIG, NSEC
+ and TYPE1234 mnemonics indicate there are A, MX, RRSIG, NSEC and
+ TYPE1234 RRsets associated with the name alfa.example.com.
+
+ The RDATA section of the NSEC RR above would be encoded as:
+
+ 0x04 'h' 'o' 's' 't'
+ 0x07 'e' 'x' 'a' 'm' 'p' 'l' 'e'
+ 0x03 'c' 'o' 'm' 0x00
+ 0x00 0x06 0x40 0x01 0x00 0x00 0x00 0x03
+ 0x04 0x1b 0x00 0x00 0x00 0x00 0x00 0x00
+ 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
+ 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
+ 0x00 0x00 0x00 0x00 0x20
+
+ Assuming that the resolver can authenticate this NSEC record, it
+ could be used to prove that beta.example.com does not exist, or could
+ be used to prove there is no AAAA record associated with
+ alfa.example.com. Authenticated denial of existence is discussed in
+ RFC 2535 [2].
+
+3. IANA Considerations
+
+ This document introduces no new IANA considerations, because all of
+ the protocol parameters used in this document have already been
+ assigned by RFC TCR [5].
+
+4. Security Considerations
+
+ The update of the RDATA format and encoding does not affect the
+ security of the use of NSEC RRs.
+
+Normative References
+
+ [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March 1997.
+
+ [2] Eastlake, D., "Domain Name System Security Extensions", RFC
+ 2535, March 1999.
+
+ [3] Eastlake, D., Brunner-Williams, E. and B. Manning, "Domain Name
+ System (DNS) IANA Considerations", BCP 42, RFC 2929, September
+
+
+
+Schlyter Expires November 8, 2004 [Page 6]
+
+Internet-Draft DNSSEC NSEC RDATA Format May 2004
+
+
+ 2000.
+
+ [4] Gustafsson, A., "Handling of Unknown DNS Resource Record (RR)
+ Types", RFC 3597, September 2003.
+
+ [5] Weiler, S., "Legacy Resolver Compatibility for Delegation
+ Signer", draft-ietf-dnsext-dnssec-2535typecode-change-05 (work
+ in progress), October 2003.
+
+Informational References
+
+ [6] Mockapetris, P., "Domain names - concepts and facilities", STD
+ 13, RFC 1034, November 1987.
+
+ [7] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [8] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", RFC
+ 2308, March 1998.
+
+
+Author's Address
+
+ Jakob Schlyter (editor)
+ Karl Gustavsgatan 15
+ Goteborg SE-411 25
+ Sweden
+
+ EMail: jakob@schlyter.se
+
+Appendix A. Acknowledgements
+
+ The encoding described in this document was initially proposed by
+ Mark Andrews. Other encodings where proposed by David Blacka and
+ Michael Graff.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Schlyter Expires November 8, 2004 [Page 7]
+
+Internet-Draft DNSSEC NSEC RDATA Format May 2004
+
+
+Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ intellectual property or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; neither does it represent that it
+ has made any effort to identify any such rights. Information on the
+ IETF's procedures with respect to rights in standards-track and
+ standards-related documentation can be found in BCP-11. Copies of
+ claims of rights made available for publication and any assurances of
+ licenses to be made available, or the result of an attempt made to
+ obtain a general license or permission for the use of such
+ proprietary rights by implementors or users of this specification can
+ be obtained from the IETF Secretariat.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights which may cover technology that may be required to practice
+ this standard. Please address the information to the IETF Executive
+ Director.
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assignees.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+
+
+
+Schlyter Expires November 8, 2004 [Page 8]
+
+Internet-Draft DNSSEC NSEC RDATA Format May 2004
+
+
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Schlyter Expires November 8, 2004 [Page 9]
+
+
+
From d439f9e08de79fb5fad4587c22a32034e7bbd275 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Sat, 15 May 2004 23:25:33 +0000
Subject: [PATCH 111/146] new draft
---
 ...-dnsop-dnssec-operational-practices-00.txt | 1288 ----------------
 ...-dnsop-dnssec-operational-practices-01.txt | 1344 +++++++++++++++++
 2 files changed, 1344 insertions(+), 1288 deletions(-)
 delete mode 100644 doc/draft/draft-ietf-dnsop-dnssec-operational-practices-00.txt
 create mode 100644 doc/draft/draft-ietf-dnsop-dnssec-operational-practices-01.txt
diff --git a/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-00.txt b/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-00.txt
deleted file mode 100644
index 04addcfb24..0000000000
--- a/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-00.txt
+++ /dev/null
@@ -1,1288 +0,0 @@ - - -DNSOP O. Kolkman -Internet-Draft RIPE NCC -Expires: March 1, 2004 R. Gieben - NLnet Labs - September 2003 - - - DNSSEC Operational Practices - draft-ietf-dnsop-dnssec-operational-practices-00.txt - -Status of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that other - groups may also distribute working documents as Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet-Drafts as reference - material or to cite them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at http:// - www.ietf.org/ietf/1id-abstracts.txt. - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - This Internet-Draft will expire on March 1, 2004. - -Copyright Notice - - Copyright (C) The Internet Society (2003). All Rights Reserved. - -Abstract - - This document intends to describe a set of practices for operating a - DNSSEC aware enviroment. Its target audience is zone administrators - who are deploying DNSSEC and need a guide to help them chose sensible - values for DNSSEC parameters. Is also discusses operational matters - like key rollovers, KSK and ZSK considerations and more. - - - - - - - - - -Kolkman & Gieben Expires March 1, 2004 [Page 1] - -Internet-Draft DNSSEC Operational Practices September 2003 - - -Table of Contents - - 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 - 1.1 The use of the term 'key' . . . . . . . . . . . . . . . . . 3 - 2. Time in DNSSEC . . . . . . . . . . . . . . . . . . . . . . . 3 - 2.1 Time definitions . . . . . . . . . . . . . . . . . . . . . . 3 - 2.2 Time considerations . 
. . . . . . . . . . . . . . . . . . . 4 - 3. Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 - 3.1 Motivations for the KSK and ZSK functions . . . . . . . . . 6 - 3.2 Key security considerations . . . . . . . . . . . . . . . . 7 - 3.3 Key rollovers . . . . . . . . . . . . . . . . . . . . . . . 8 - 3.3.1 Zone-signing key rollovers . . . . . . . . . . . . . . . . . 9 - 3.3.2 Key-signing key rollovers . . . . . . . . . . . . . . . . . 12 - 4. Planning for emergency key rollover. . . . . . . . . . . . . 13 - 4.1 KSK compromise . . . . . . . . . . . . . . . . . . . . . . . 13 - 4.2 ZSK compromise . . . . . . . . . . . . . . . . . . . . . . . 14 - 4.3 Compromises of keys anchored in resolvers . . . . . . . . . 14 - 5. Parental policies. . . . . . . . . . . . . . . . . . . . . . 14 - 5.1 Initial key exchanges and parental policies - considerations. . . . . . . . . . . . . . . . . . . . . . . 14 - 5.2 Storing keys so hashes can be regenerated . . . . . . . . . 15 - 5.3 Security lameness checks. . . . . . . . . . . . . . . . . . 15 - 5.4 SIG DS validity period. . . . . . . . . . . . . . . . . . . 15 - 6. Security considerations . . . . . . . . . . . . . . . . . . 16 - 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 16 - Normative References . . . . . . . . . . . . . . . . . . . . 16 - Informative References . . . . . . . . . . . . . . . . . . . 16 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 17 - A. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 17 - B. Zone-signing key rollover howto . . . . . . . . . . . . . . 18 - C. Typographic conventions . . . . . . . . . . . . . . . . . . 19 - D. Document Details and Changes . . . . . . . . . . . . . . . . 20 - D.1 draft-ietf-dnsop-dnssec-operational-practices-00 . . . . . . 21 - Intellectual Property and Copyright Statements . . . . . . . 
22 - - - - - - - - - - - - - - - - - -Kolkman & Gieben Expires March 1, 2004 [Page 2] - -Internet-Draft DNSSEC Operational Practices September 2003 - - -1. Introduction - - During workshops and early operational deployment tests, operators - and system administrators gained knowledge about operating DNSSEC - aware DNS services. This document describes these practices. - - The structure of the document is as follows. It starts with - discussing some of the considerations with respect to timing - parameters of DNS in relation to DNSSEC (Section 2). Aspects of key - management such as key rollover schemes are described in Section 3. - Emergency rollover considerations are addressed in Section 4. The - Typographic conventions used in this document are explained in - Appendix C. - - Since this is a document with operational suggestions and there is no - protocol specifications the RFC2119 [5] language does not apply. - -1.1 The use of the term 'key' - - It is assumed that the reader is familiar with the concept of - asymmetric keys on which DNSSEC is based. Therefore this document - will use the term key rather loosely. Wherever we write that 'a key - is used to sign data' it is assumed that the reader knows that it is - the private part of the key-pair that is used for signing. It is also - assumed that the reader will know that the public part of the - key-pair is published in the DNSKEY resource record and that it is - the public part of a key-pair that is used in key-exchanges. - -2. Time in DNSSEC - - Without DNSSEC all times in DNS are relative. The SOA's refresh, - retry and expiration timers are counters that are being used to - determine the time elapsed after a slave server synced (or tried to - sync) with a master server. The TTL value and the SOA minimum TTL - parameter [6] are used to to determine how long a forwarder should - cache data after it has been fetched from an authoritative server. - DNSSEC introduces the notion of an absolute time in the DNS. 
- Signatures in DNSSEC have an expiration date after which the - signature is invalid and the signed data is to be considered BAD. - -2.1 Time definitions - - In this document we will be using a number of time related terms. - Within the context of this document the following definitions apply: - - o "Signature validity period" - - - - - -Kolkman & Gieben Expires March 1, 2004 [Page 3] - -Internet-Draft DNSSEC Operational Practices September 2003 - - - The period that a signature is valid. It starts at the time - specified in the signature inception field of the RRSIG RR and - ends at the time specified in the expiration field of the RRSIG - RR. - - o "Signature publication period" - - Time after which a signature made with a key is replaced with a - new signature made with the same key. This replacement takes - place by publishing the relevant RRSIG in the master zone file. - If a signature is published on time T0 and a new signature is - published on time T1, the signature publication period is T1 - - T0. If all signatures are refreshed at zone (re)signing then - the signature publication period is equal to the period between - two consecutive zone signing operations. - - o "Key publication period" - - The period for which the public part of the key is published in - the DNS. The public part of the key can be published in the DNS - while it has not yet been used to sign data. As soon as a - public key is published a brute force attack can be attempted - to recover the private key. Publishing the public key in - advance (and not signing any data with it) does not guard - against this attack. - - [Editor's Note: We don't use this term in the doc yet, is it - needed elsewhere and handy to define here? No:1 Yes:0] - - o "Maximum/Minimum Zone TTL" - - The maximum or minimum value of all the TTLs in a zone. - - -2.2 Time considerations - - Because of the expiration of signatures one should consider the - following. 
- - o The Maximum zone TTL of your zone data should be a fraction of - your signature validity period. - - If the TTL would be of similar order as the signature validity - period then all RRsets fetched during the validity period would - be cached until the signature expiration time. As a result - query behavior might become bursty. - - - - - -Kolkman & Gieben Expires March 1, 2004 [Page 4] - -Internet-Draft DNSSEC Operational Practices September 2003 - - - We suggest the TTL on all the RRs in your zone to be at least - an order of magnitude smaller than your signature validity - period. - - o The signature publication period should at least be one maximum - TTL smaller than the signature validity period. - - If a zone is resigned shortly before the end of the signature - validity period this may cause simultaneous expiration of data - from caches which leads to bursty query behavior and increase - the load on authoritative servers. - - o The Minimum zone TTL should be long enough to fetch and verify all - the RRs in the authentication chain. - - 1. During validation, some data may expire before validation - is complete. The validator should be able to keep all the - data, until validation is complete. This applies to all data - in the chain of trust: DSs, DNSKEYs, RRSIGs, and the final - answers i.e. the RR that is returned for the initial query. - - 2. Frequent verification causes load on recursive - nameservers. Data at delegation points, DSs, DNSKEYs and - RRSIGs benefit from caching. The TTL on those should be - relatively long. - - We have seen events where data needed for verification of an - authentication chain had expired from caches. - - We suggest the TTL on DNSKEY and DSs to be at least of the - order 10 minutes to an hour and all the other RRs in your zone - to be at least 30 seconds. These are absolute minimum, we - recommend zone administrators to chose longer ones. - - [Editor's Note: this observation could be implementation - specific. 
We are not sure if we should leave this item] - - o Slave servers will need to be able to fetch newly signed zones - well before the data expires from your zone. - - If a properly implemented slave server is not able to contact a - master server for an extended period the data will at some - point expire and the slave server will not hand out any data. - If the server serves a DNSSEC zone than it may well happen that - the signatures expire well before the SOA expiration timer - counted down to zero. It is not possible to fully prevent this - from happening by tweaking the SOA parameters. But the effects - can be minimized if the SOA expiration time is of the same of - - - -Kolkman & Gieben Expires March 1, 2004 [Page 5] - -Internet-Draft DNSSEC Operational Practices September 2003 - - - order of magnitude as or smaller than the signature validity - period. - - When a zone cannot be updated while signatures in that zone - have expired non-secure resolvers will continue to be able to - resolve the data served by the particular slave servers. Only - security aware resolvers that receive data with expired - signatures will experience problems. - - We suggest the SOA expiration timer being approximately one - third or one fourth of the signature validity period. - - We also suggest that operators of nameservers with slave zones - develop watchdogs to be able to spot these upcoming signature - expirations in slave zones, so that appropriate action can be - taken. - - o [Editor's Note: Need examples here] - - -3. Keys - -3.1 Motivations for the KSK and ZSK functions - - Delegation Signer [7] introduced the concept of key-signing and - zone-signing keys.The Key-signing-flag [4] introduced the concept of - a key with the Secure Entry Point flag set; a key that is the first - key from the zone when following an authentication chain. 
When using - a key-signing key with the SEP flag set (the parent has a DS RR - pointing to that DNSKEY) and when using zone-signing keys without the - SEP flag set (a practice which we recommend ) one can use the - following operational procedures. - - The zone-signing key can be used to sign all the data in a zone on a - regular basis. When a zone-signing key is to be rolled over no - interactions with the parent is needed. This allows for relatively - short "Signature Validity Periods" (order of days). - - The key-signing key (with the SEP flag set) is only to be used to - sign the Key RR set from the zone apex. If a key-signing key is to be - rolled over, there will be interactions with parties other than the - zone maintainer such as the registry of the parent zone or - administrators of verifying resolvers that have the particular key - configured as trusted entry points. Hence, the "Key Usage Time" of - these keys can and should be made much longer. Although, given a long - enough key, the "Key Usage Time" can be on the order of years we - suggest to plan for a "Key Usage Time" of the order of a few months - so that a key rollover remains an operational routine. - - - -Kolkman & Gieben Expires March 1, 2004 [Page 6] - -Internet-Draft DNSSEC Operational Practices September 2003 - - -3.2 Key security considerations - - In RFC2541 [2] a number of considerations with respect to the - security of keys are described. That document deals with the - generation, lifetime, size and storage of private keys. - - In Section 3 of RFC2541 [2], Eastlake does have some suggestions: 13 - months for long-lived keys and 36 days for transaction keys but - suggestions for key sizes are not made. - - If we read the long-lived key being a key that is used as key-signing - key and transaction keys being zone signing keys, then these - recommendations are good starting points for an operational - procedure. 
These recommendations will lead to rollovers occurring - frequently enough so that they can become part of 'operational - habits' and the procedure does not have to be reinvented every time a - key is replaced. - - When choosing a key sizes, zone administrators will need to take into - account how long a key will be used and how much data will be signed - during the key publication period. It is hard to give precise - recommendations but Lenstra and Verheul [9] supplied the following - table with lower bound estimates for cryptographic key sizes. Their - recommendations are based on a set of explicitly formulated parameter - settings, combined with existing data points about cryptosystems. For - details we refer to the original paper. - - Year RSA key sizes Elliptic Curve Key Size - 2000 952 132 - 2001 990 135 - 2002 1028 139 - 2003 1068 140 - 2004 1108 143 - - 2005 1149 147 - 2006 1191 148 - 2007 1235 152 - 2008 1279 155 - 2009 1323 157 - - - 2010 1369 160 - 2011 1416 163 - 2012 1464 165 - 2013 1513 168 - 2014 1562 172 - - 2015 1613 173 - - - -Kolkman & Gieben Expires March 1, 2004 [Page 7] - -Internet-Draft DNSSEC Operational Practices September 2003 - - - 2016 1664 177 - 2017 1717 180 - 2018 1771 181 - 2019 1825 185 - - - 2020 1881 188 - 2021 1937 190 - 2022 1995 193 - 2023 2054 197 - 2024 2113 198 - - 2025 2174 202 - 2026 2236 205 - 2027 2299 207 - 2028 2362 210 - 2029 2427 213 - - Suppose you want your key to last 3 years and the current year is - 2003. Add 3 to 2003 equals 2006 and read of the sizes: 1191 for - asymmetric keys and 148 bits for elliptic curve keys. - - Note that adding only a "handful of bits" to the key size will - increase the key's resistance against brute force attacks. - -3.3 Key rollovers - - Key rollovers are a fact of life when using DNSSEC. A DNSSEC key - cannot be used forever (see RFC2541 [2] and Section 3.2 ). 
Zone - maintainers who are in the process of rolling their keys have to take - into account that data they have published in previous versions of - their zone still lives in caches. When deploying DNSSEC this becomes - an important consideration; ignoring data that may be in caches may - lead to loss of service for clients. - - The most pressing example of this is when zone material which is - signed with an old key is being validated by a resolver which does - not have the old zone key cached. If the old key is no longer present - in the current zone, this validation fails, marking the data BAD. - Alternatively, an attempt could be made to validate data which is - signed with a new key against an old key that lives in a local cache, - also resulting in data being marked BAD. - - To appreciate the situation one could think of a number of - authoritative servers that may not be instantaneously running the - same version of a zone and a security aware non-recursive resolver - that sits behind security aware caching forwarders. - - - - -Kolkman & Gieben Expires March 1, 2004 [Page 8] - -Internet-Draft DNSSEC Operational Practices September 2003 - - - Note that KSK rollovers and ZSK rollovers are different. A zone-key - rollover can be handled in two different way: pre-publish and - [Editors note: ref please] double-sig. The pre-publish technique - works because the key-signing key stays the same during this ZSK - rollover. With this KSK a cache is able to validate the new keyset of - a zone. With a KSK rollover a cache can not validate the new keyset, - because it does not trust the new KSK. - - [Editors note: This needs more verbose explanation, nobody will - appreciate the situation just yet. 
Help with text and examples is - appreciated] - -3.3.1 Zone-signing key rollovers - - For zone-signing key rollovers there are two ways to make sure that - during the rollover the data still in caches can be verified with the - new keysets or the newly generated signatures can be verified with - the keys still in caches. One schema uses double signatures, it is - described in Section 3.3.1.1, the other uses key pre-publication - (Section 3.3.1.2). The pros, cons and recommendations are described - in Section 3.3.1.3. - -3.3.1.1 A double signature zone-signing key rollover - - This section shows how to perform a ZSK key rollover using the double - zone data signature scheme. - - During the rollover stage the new version of the zone file will need - to propagate to all authoritative servers and the data that exists in - (distant) caches will need to expire, this will take at least the - maximum Zone TTL . - - normal roll after - - SOA0 SOA1 SOA2 - RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2) - RRSIG11(SOA1) - - DNSKEY1 DNSKEY1 DNSKEY1 - DNSKEY10 DNSKEY10 DNSKEY11 - DNSKEY11 - RRSIG1(DNSKEY) RRSIG1(DNSKEY) RRSIG1(DNSKEY) - RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY) - RRSIG11(DNSKEY) - - - - - - - -Kolkman & Gieben Expires March 1, 2004 [Page 9] - -Internet-Draft DNSSEC Operational Practices September 2003 - - - normal: Version 0 of the zone: DNSKEY 1 is a key-signing key. DNSKEY - 10 is used to sign all the data of the zone, it is the - zone-signing key. - - roll: At the rollover stage (SOA serial 1) DNSKEY 11 is introduced - into the keyset and all the data in the zone is signed with DNSKEY - 10 and DNSKEY 11. The rollover period will need to exist until all - data from version 0 of the zone has expired from remote caches. - This will take at least the Maximum Zone TTL of the version 0 of - the zone. - - after: DNSKEY 10 is removed from the zone. All the signatures from - DNSKEY 10 are removed from the zone. 
The keyset, now only - containing DNSKEY 11 is resigned with the DNSKEY 1. - - At every instance the data from the previous version of the zone can - be verified with the key from the current version. And vice verse, - the data from the current version can be verified with the data from - the previous version of the zone. The duration of the rollover phase - and the period between rollovers should be at least the "Maximum Zone - TTL". - - To be on the safe side one could make sure that the rollover phase - lasts until the signature expiration time of the data in version 0 of - the zone. But this date could be considerable longer than the Maximum - Zone TTL, making the rollover a lengthly procedure. - - Note that in this example we assumed that the zone did not get - modified during the rollover. New data can be introduced in the zone - as long as it is signed with both keys. - -3.3.1.2 Pre-publish keyset rollover - - This section shows how to perform a ZSK rollover without the need to - sign all the data in a zone twice. We recommend this method because - it has advantages in the case of key compromises. If the old key gets - compromised the new key is already distributed in the DNS. The zone - administrator is then able to quickly switch to the new key and - remove the compromised key from the zone. Another major advantage is - that the zone size does not double, as is the case with the double - signature ZSK rollover. A small "HOWTO" for this kind of rollover can - be found in Appendix B. 
- - normal pre-roll roll after - - SOA0 SOA1 SOA2 SOA3 - RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2) RRSIG11(SOA3) - - - - -Kolkman & Gieben Expires March 1, 2004 [Page 10] - -Internet-Draft DNSSEC Operational Practices September 2003 - - - DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY1 - DNSKEY10 DNSKEY10 DNSKEY10 DNSKEY11 - DNSKEY11 DNSKEY11 - RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY) RRSIG1 (DNSKEY) - RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY) - - - normal: Version 0 of the zone: DNSKEY 1 is a key-signing key. DNSKEY - 10 is used to sign all the data of the zone, its the zone-signing - key. - - pre-roll: DNSKEY 11 is introduced in the keyset. Note that no - signatures are generated with this key yet, but this will not - prevent brute force attacks on the public key. The minimum - duration of this pre-roll phase is the time it takes for the data - to propagate to the authoritative servers plus TTL value on the - keyset. This would boil down to two times the Maximum Zone TTL. - - roll: - - At the rollover stage (SOA serial 1) DNSKEY 11 is used to sign the - data in the zone (exclusively i.e. all the signatures from DNSKEY - 10 are removed from the zone.). DNSKEY 10 remains published in the - keyset. This way data that was loaded into caches from version 1 - of the zone can still be verified with key sets fetched from - version 2 of the zone. - - The minimum time that the keyset that includes DNSKEY 10 is to be - published is the time that it takes for zone data from the - previous version of the zone to expire from old caches i.e. the - time it takes for this zone to propagate to all authoritative - servers plus the Maximum Zone TTL value of any of the data in the - previous version of the zone. - - after: DNSKEY 10 is removed from the zone. The keyset, now only - containing DNSKEY 11 is resigned with the DNSKEY 1. - - The above scheme can be simplified a bit by always publishing the - "future" key immediately after the rollover. 
The scheme would look - like this (we show 2 rollovers); the future key is introduced in - "after" as DNSKEY 12 and again a newer one, numbered 13, in "2nd - after": - - - normal roll after 2nd roll 2nd after - - SOA0 SOA2 SOA3 SOA4 SOA5 - RRSIG10(SOA0) RRSIG11(SOA2) RRSIG11(SOA3) RRSIG12(SOA4) RRSIG12(SOA5) - - - -Kolkman & Gieben Expires March 1, 2004 [Page 11] - -Internet-Draft DNSSEC Operational Practices September 2003 - - - DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY1 - DNSKEY10 DNSKEY10 DNSKEY11 DNSKEY11 DNSKEY12 - DNSKEY11 DNSKEY11 DNSKEY12 DNSKEY12 DNSKEY13 - RRSIG1(DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY) RRSIG1(DNSKEY) RRSIG1(DNSKEY) - RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY) RRSIG12(DNSKEY) RRSIG12(DNSKEY) - - - Note that the key introduced after the rollover is not used for - production yet; the private key can thus be stored in a physically - secure manner and does not need to be 'fetched' every time a zone - needs to be signed. - - This scheme has the benefit that the key that is intended for future - use, can immediately be used during an emergency rollover under the - assumption that it was stored in a physically secure manner. - -3.3.1.3 Pros and cons of the schemes - - A double signature rollover: The drawback of this signing scheme is - that during the rollover the number of signatures in your zone - doubles, which may be prohibitive if you have very big zones. An - advantage is that it only requires three steps. - - Prepublish-keyset rollover: This rollover does not involve signing - the zone data twice. Instead, just before the actual rollover the - new key is published in the keyset and thus available for - cryptanalysis attacks. A small disavantage is that this process - requires four steps. Also the prepublish scheme is useless for - KSKs as explained in Section 3.3. - - -3.3.2 Key-signing key rollovers - - For the rollover of a key-signing key the same considerations as for - the rollover of a zone-signing key apply. 
However we can use a double - signature scheme to guarantee that old data (only the apex keyset) in - caches can be verified with a new keyset and vice versa. Since only - the keyset is signed with a KSK, size considerations do not apply. - - - normal roll after - - SOA0 SOA1 SOA2 - RRSIG10(SOA0) RRSIG10(SOA1) RRSIG10(SOA2) - - DNSKEY1 DNSKEY1 DNSKEY2 - DNSKEY2 - DNSKEY10 DNSKEY10 DNSKEY10 - - - -Kolkman & Gieben Expires March 1, 2004 [Page 12] - -Internet-Draft DNSSEC Operational Practices September 2003 - - - RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG2(DNSKEY) - RRSIG2 (DNSKEY) - RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG10(DNSKEY) - - -4. Planning for emergency key rollover. - - This section deals with preparation for a possible key compromise. - Our advice is to have a documented procedure ready for when a key - compromise is suspected or confirmed. - - [Editors note: We are much in favor of a rollover tactic that keeps - the authentication chain intact as long as possible. This has as a - result that one has to take all the regular rollover properties into - account.] - - When the private material of one of your keys is compromised it can - be used by 'blackhats' for as long as a valid authentication chain - exists. A authentication chain remains intact for: - - as long as a signature over the compromised key in the - authentication chain is valid, - - as long as a parental DS RR (and signature) points to the - compromised key, - - as long as the key is anchored in a resolver and is used as a - starting point for validation. (This is the hardest to update.) - - While an authentication chain to your compromised key exists your - name-space is vulnerable to abuse by the "blackhat". Zone operators - have to make a trade off if the abuse of the compromised key is worse - than having data in caches that cannot be validated. If the zone - operator chooses to break the authentication chain to the compromised - key, data in caches signed with this key can not be validated. 
On the - other hand if the zone administrator chooses to take the path of a - regular roll-over the "blackhat" can spoof data so that it appears to - be valid, note that this kind of attack will usually be localized in - the Internet topology. - - -4.1 KSK compromise - - When the KSK has been compromised the parent must be notified as soon - as possible and through secure means. The keyset of the zone should - be resigned as soon as possible. Care must be taken to not break the - authentication chain. The local zone can only be resigned with the - new KSK after the parent's zone has been updated with the new KSK. - - - -Kolkman & Gieben Expires March 1, 2004 [Page 13] - -Internet-Draft DNSSEC Operational Practices September 2003 - - - Before this update takes place it would be best to drop the security - status of a zone all together: the parent removes the DS of the child - at the next zone update. After that the child can be made secure - again. An additional danger of a key compromise is that the - compromised key can be used to facilitate a legitemate DNSKEY/DS and/ - or nameserver rollover at the parent. When that happens the domain - can be in dispute. An out of band and secure notify mechanism to - contact a parent is needed in this case. - -4.2 ZSK compromise - - Mainly because there is no parental interaction required when a ZSK - is compromised the situation is less severe than with with a KSK - compromise. The zone must still be resigned with a new ZSK as soon - as possible. As this is a local operation and requires no - communication between the parent and child this can be achieved - fairly quickly. One has to take into account though that just as with - a normal rollover the immediate disappearance from the old - compromised key may lead to verification problems. The - pre-publication scheme as discussed above minimizes that problem. - -4.3 Compromises of keys anchored in resolvers - - A key can also be pre-configured in resolvers. 
If DNSSEC is rolled - out as planned the root key should be pre-configured in every secure - aware resolver on the planet. [Editors Note: add more about - authentication of a newly received resolver key] - - If that key is compromised all the resolvers should be notified of - this fact. Zone administrators may consider setting up a mailing list - to communicate the fact that a SEP key is about to be rolled over. - This communication will of course need to be authenticated e.g. by - using digital signatures. - -5. Parental policies. - -5.1 Initial key exchanges and parental policies considerations. - - The initial key exchange is always subject to the policies set by the - parent (or its registry). When designing a key exchange policy one - should take into account that the authentication and authorization - mechanisms used during a key exchange should be as strong as the - authentication and authorization mechanisms used for the exchange of - delegation information between parent and child. - - Using the DNS itself as the source for the actual DNSKEY material - with an off-band check on the validity of the DNSKEY has the benefit - that it reduces the changes of operator error. A parental DNSKEY - - - -Kolkman & Gieben Expires March 1, 2004 [Page 14] - -Internet-Draft DNSSEC Operational Practices September 2003 - - - download tool can make use of the SEP bit [4] to select the proper - key from a DNSSEC keyset; thereby reducing the change that the wrong - DNSKEY is sent. It can validate the self-signature over a key; - thereby verifying the ownership of the private key material. Besides, - by fetching the DNSKEY from the DNS one can be sure that the child - will not become invisible once the parent indicates the child is - secure by publishing the DS RR. - - Note: the off-band verification is still needed when the keymaterial - is fetched by a tool. The parent can not be sure if the DNSKEY RRs - where not spoofed. 
- -5.2 Storing keys so hashes can be regenerated - - When designing a registry system one should consider if the DNSKEYs - or the corresponding DSs are stored. Storing DNSKEYs will help during - troubleshooting while the overhead of calculating DS records from - them is minimal. - - Having a out-of-band mechanism, such as a WHOIS database, to find out - which keys are used to generate DS Resource Records for specific - owners may also help with troubleshooting. - -5.3 Security lameness checks. - - Security lameness is defined as the event that a parent has a DS - Resource Record that points to a non-existing DNSKEY RR. At key - exchange a parent should make sure that the childs key is actually - configured in the DNS before publishing a DS RR in its zone. Failure - to do so would render the child's zone marked "BAD". - - Child zones should be very careful removing DNSKEY material, - specifically SEP keys, for which a DS RR exist. - - Once a zone is "security lame" a fix (e.g. by removing a DS RR) will - take time to propagate through the DNS. - -5.4 SIG DS validity period. - - Since the DS can be replayed as long as it has a valid signature a - short signature validity period over the DS minimizes the time a - child is vulnerable in the case of a compromise of the child's KSK. - A signature validity period that is too short introduces the - possibility that a zone is marked BAD in case of a configuration - error in the signer; there may not be enough time to fix the problems - before signatures expire. Something as mundane as weekends show the - need for a DS signature lifetimes longer than 2 days. We recommend - the minimum for a DS signature validity period to be about a few - - - -Kolkman & Gieben Expires March 1, 2004 [Page 15] - -Internet-Draft DNSSEC Operational Practices September 2003 - - - days. - - The maximum signature lifetime of the DS record depends on how long - child zones are willing to be vulnerable after a key compromise. 
We - consider a signature validity period of the order of one week a good - compromise between the operational constraints of the parent and - minimizing damage for the child. - -6. Security considerations - - DNSSEC adds data integrity to the DNS. This document tries to assess - considerations to operate a stable and secure DNSSEC service. - -7. Acknowledgments - - We, the folk mentioned as authors, only acted as editors. Most of the - ideas in this draft where the result of collective efforts during - workshops and discussions and try outs. - - At the risk of forgetting individuals who where the original - contributors of the ideas we like to acknowledge people who where - actively involved in the compilation of this document. In - alphabetical order: Olafur Gudmundsson, Wesley Griffin, Michael - Richardson, Scott Rose, Rick van Rein, Tim McGinnis. - - Kolkman and Gieben take the blame for all mistakes. - -Normative References - - [1] Eastlake, D., "Domain Name System Security Extensions", RFC - 2535, March 1999. - - [2] Eastlake, D., "DNS Security Operational Considerations", RFC - 2541, March 1999. - - [3] Lewis, E., "DNS Security Extension Clarification on Zone - Status", RFC 3090, March 2001. - - [4] Lewis, E., Kolkman, O. and J. Schlyter, "KEY RR Key-Signing Key - (KSK) Flag", draft-ietf-dnsext-keyrr-key-signing-flag-06 (work - in progress), February 2003. - -Informative References - - [5] Bradner, S., "Key words for use in RFCs to Indicate Requirement - Levels", BCP 14, RFC 2119, March 1997. - - [6] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", RFC - - - -Kolkman & Gieben Expires March 1, 2004 [Page 16] - -Internet-Draft DNSSEC Operational Practices September 2003 - - - 2308, March 1998. - - [7] Gudmundsson, O., "Delegation Signer Resource Record", - draft-ietf-dnsext-delegation-signer-13 (work in progress), March - 2003. 
- - [8] Arends, R., "Protocol Modifications for the DNS Security - Extensions", draft-ietf-dnsext-dnssec-protocol-01 (work in - progress), March 2003. - - [9] Lenstra, A. and E. Verheul, "Selecting Cryptographic Key Sizes", - The Journal of Cryptology 14 (255-293), 2001. - - -Authors' Addresses - - Olaf M. Kolkman - RIPE NCC - Singel 256 - Amsterdam 1016 AB - NL - - Phone: +31 20 535 4444 - EMail: olaf@ripe.net - URI: http://www.ripe.net/ - - - Miek Gieben - NLnet Labs - Kruislaan 419 - Amsterdam 1098 VA - NL - - EMail: miek@nlnetlabs.nl - URI: http://www.nlnetlabs.nl - -Appendix A. Terminology - - In this document there is some jargon used that is defined in other - documents. In most cases we have not copied the text from the - documents defining the terms but give a more elaborate explanation of - the meaning. Note that these explanations should not be seen as - authoritative. - - Private and Public Keys: DNSSEC secures the DNS through the use of - public key cryptography. Public key cryptography is based on the - existence of 2 keys, a public key and a private key. The public - keys are published in the DNS by use of the DNSKEY Resource Record - - - -Kolkman & Gieben Expires March 1, 2004 [Page 17] - -Internet-Draft DNSSEC Operational Practices September 2003 - - - (DNSKEY RR). Private keys are supposed to remain private i.e. - should not be exposed to parties not-authorized to do the actual - signing. - - Signer: The system that has access to the private key material and - signs the Resource Record sets in a zone. A signer may be - configured to sign only parts of the zone e.g. only those RRsets - for which existing signatures are about to expire. - - KSK: A Key-Signing key (KSK) is a key that is used for exclusively - signing the apex keyset. The fact that a key is a KSK is only - relevant to the signing tool. - - ZSK: A Zone signing key (ZSK) is a key that is used for signing all - data in a zone. 
The fact that a key is a ZSK is only relevant to - the signing tool. - - BAD: [Editors Note: a reference here] A RRset in DNSSEC is marked - "bad" when a signature of a RRset does not validate against the - DNSKEY. Even is the key itself was not marked BAD. BAD data is not - cached. - - Singing the Zone File: The term used for the event where an - administrator joyfully signs its zone file while producing melodic - sound patterns. - - -Appendix B. Zone-signing key rollover howto - - Using the pre-published signature scheme and the most conservative - method to assure oneself that data does not live in distant caches - here follows the "HOWTO". [WES: has some comments about this] - - STEP 0, the preparation: Create two keys and publish them both in - your keyset. Mark one of the keys as "active" and the other as - "published". Use the "active" key for signing your zone data. - Store the private part of the "published" key, preferably - off-line. - - STEP 1, determine expiration: At the beginning of the rollover: - make a note of the highest expiration time of signatures in your - zonefile created with the current key currently marked as - "active". - - Wait until the expiration time marked in STEP 1 - - - - - - -Kolkman & Gieben Expires March 1, 2004 [Page 18] - -Internet-Draft DNSSEC Operational Practices September 2003 - - - STEP 2 Then start using the key that was marked as "published" to - sign your data i.e. mark it as "active". Stop using the key that - was marked as "active", mark it as "rolled". - - STEP 3: It is safe to engage in a new rollover (STEP 1) after at - least one "signature validity period". - - -Appendix C. Typographic conventions - - The following typographic conventions are used in this document: - - Key notation: A key is denoted by KEYx, where x is a number, x could - be thought of as the key id. - - RRset notations: RRs are only denoted by the type all other - information, owner, class, rdata and TTL is left out. 
Thus: - example.com 3600 IN A 192.168.1.1 is reduced to: A. RRsets are a - list of RRs. A example of this would be: A1,A2, specifying the - RRset containing two A records. This could again be abreviated to - just: A. - - Signature notation: Signatures are denoted as SIGx(RRset), which - means that RRset is signed with KEYx. - - Zone representation: Using the above notation we have simplify the - representation of a signed zone by leaving out all unneeded - details such as the names and by just representing all data by - "SOAx" - - SOA representation: Soa's are represented as SOA x, where x is the - serial number. - - Using this notation the following zone : - - - example.net. 600 IN SOA ns.example.net. ernie.example.net. ( - 10 ; serial - 450 ; refresh (7 minutes 30 seconds) - 600 ; retry (10 minutes) - 345600 ; expire (4 days) - 300 ; minimum (5 minutes) - ) - 600 RRSIG SOA 5 2 600 20130522213204 ( - 20130422213204 14 example.net. - cmL62SI6iAX46xGNQAdQ... ) - 600 NS a.iana-servers.net. - 600 NS b.iana-servers.net. - - - -Kolkman & Gieben Expires March 1, 2004 [Page 19] - -Internet-Draft DNSSEC Operational Practices September 2003 - - - 600 RRSIG NS 5 2 600 20130507213204 ( - 20130407213204 14 example.net. - SO5epiJei19AjXoUpFnQ ... ) - 3600 DNSKEY 256 3 5 ( - EtRB9MP5/AvOuVO0I8XDxy0... - ) ; key id = 14 - 3600 DNSKEY 256 3 5 ( - gsPW/Yy19GzYIY+Gnr8HABU... - ) ; key id = 15 - 3600 RRSIG DNSKEY 5 2 3600 20130522213204 ( - 20130422213204 14 example.net. - J4zCe8QX4tXVGjV4e1r9... ) - 3600 RRSIG DNSKEY 5 2 3600 20130522213204 ( - 20130422213204 15 example.net. - keVDCOpsSeDReyV6O... ) - 600 NSEC a.example.net. NS SOA TXT RRSIG DNSKEY NSEC - 600 RRSIG NSEC 5 2 600 20130507213204 ( - 20130407213204 14 example.net. - obj3HEp1GjnmhRjX... ) - a.example.net. 600 IN TXT "A label" - 600 RRSIG TXT 5 3 600 20130507213204 ( - 20130407213204 14 example.net. - IkDMlRdYLmXH7QJnuF3v... ) - 600 NSEC b.example.com. 
TXT RRSIG NSEC - 600 RRSIG NSEC 5 3 600 20130507213204 ( - 20130407213204 14 example.net. - bZMjoZ3bHjnEz0nIsPMM... ) - - ... - - - is reduced to the following represenation: - - SOA10 - RRSIG14(SOA10) - - DNSKEY14 - DNSKEY15 - - RRSIG14(KEY) - RRSIG15(KEY) - - The rest of the zone data has the same signature as the SOA record, - i.e a RRSIG created with DNSKEY 14. - -Appendix D. Document Details and Changes - - This section is to be removed by the RFC editor if and when the - - - -Kolkman & Gieben Expires March 1, 2004 [Page 20] - -Internet-Draft DNSSEC Operational Practices September 2003 - - - document is published. - - $Header: /var/cvs/dnssec-key/ - draft-ietf-dnsop-dnssec-operational-practices.xml,v 1.5 2003/10/10 - 09:49:07 dnssec Exp $ - -D.1 draft-ietf-dnsop-dnssec-operational-practices-00 - - Submission as working group document. This document is a modified and - updated version of draft-kolkman-dnssec-operational-practices-00. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Kolkman & Gieben Expires March 1, 2004 [Page 21] - -Internet-Draft DNSSEC Operational Practices September 2003 - - -Intellectual Property Statement - - The IETF takes no position regarding the validity or scope of any - intellectual property or other rights that might be claimed to - pertain to the implementation or use of the technology described in - this document or the extent to which any license under such rights - might or might not be available; neither does it represent that it - has made any effort to identify any such rights. Information on the - IETF's procedures with respect to rights in standards-track and - standards-related documentation can be found in BCP-11. 
Copies of - claims of rights made available for publication and any assurances of - licenses to be made available, or the result of an attempt made to - obtain a general license or permission for the use of such - proprietary rights by implementors or users of this specification can - be obtained from the IETF Secretariat. - - The IETF invites any interested party to bring to its attention any - copyrights, patents or patent applications, or other proprietary - rights which may cover technology that may be required to practice - this standard. Please address the information to the IETF Executive - Director. - - -Full Copyright Statement - - Copyright (C) The Internet Society (2003). All Rights Reserved. - - This document and translations of it may be copied and furnished to - others, and derivative works that comment on or otherwise explain it - or assist in its implementation may be prepared, copied, published - and distributed, in whole or in part, without restriction of any - kind, provided that the above copyright notice and this paragraph are - included on all such copies and derivative works. However, this - document itself may not be modified in any way, such as by removing - the copyright notice or references to the Internet Society or other - Internet organizations, except as needed for the purpose of - developing Internet standards in which case the procedures for - copyrights defined in the Internet Standards process must be - followed, or as required to translate it into languages other than - English. - - The limited permissions granted above are perpetual and will not be - revoked by the Internet Society or its successors or assignees. 
- - This document and the information contained herein is provided on an - "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING - TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING - BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION - - - -Kolkman & Gieben Expires March 1, 2004 [Page 22] - -Internet-Draft DNSSEC Operational Practices September 2003 - - - HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF - MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - - -Acknowledgment - - Funding for the RFC Editor function is currently provided by the - Internet Society. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Kolkman & Gieben Expires March 1, 2004 [Page 23] - diff --git a/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-01.txt b/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-01.txt new file mode 100644 index 0000000000..04815175fd --- /dev/null +++ b/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-01.txt 
@@ -0,0 +1,1344 @@ + +DNSOP O. Kolkman +Internet-Draft RIPE NCC +Expires: August 30, 2004 R. Gieben + NLnet Labs + March 2004 + + + DNSSEC Operational Practices + draft-ietf-dnsop-dnssec-operational-practices-01.txt + +Status of this Memo + + This document is an Internet-Draft and is in full conformance with + all provisions of Section 10 of RFC2026. + + Internet-Drafts are working documents of the Internet Engineering + Task Force (IETF), its areas, and its working groups. Note that other + groups may also distribute working documents as Internet-Drafts. + + Internet-Drafts are draft documents valid for a maximum of six months + and may be updated, replaced, or obsoleted by other documents at any + time. It is inappropriate to use Internet-Drafts as reference + material or to cite them other than as "work in progress." + + The list of current Internet-Drafts can be accessed at http:// + www.ietf.org/ietf/1id-abstracts.txt. + + The list of Internet-Draft Shadow Directories can be accessed at + http://www.ietf.org/shadow.html. + + This Internet-Draft will expire on August 30, 2004. + +Copyright Notice + + Copyright (C) The Internet Society (2004). All Rights Reserved. + +Abstract + + This document describes a set of practices for operating a DNSSEC + aware environment. The target audience is zone administrators + deploying DNSSEC that need a guide to help them chose appropriate + values for DNSSEC parameters. It also discusses operational matters + such as key rollovers, KSK and ZSK considerations and related + matters. + + + + + + + + +Kolkman & Gieben Expires August 30, 2004 [Page 1] + +Internet-Draft DNSSEC Operational Practices March 2004 + + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 1.1 The Use of the Term 'key' . . . . . . . . . . . . . . . . 3 + 1.2 Keeping the Chain of Trust Intact . . . . . . . . . . . . 3 + 2. Time in DNSSEC . . . . . . . . . . . . . . . . . . . . . . . . 4 + 2.1 Time Definitions . . . . . 
. . . . . . . . . . . . . . . . 4 + 2.2 Time Considerations . . . . . . . . . . . . . . . . . . . 5 + 3. Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 + 3.1 Motivations for the KSK and ZSK Functions . . . . . . . . 7 + 3.2 Key Security Considerations . . . . . . . . . . . . . . . 8 + 3.2.1 Key Validity Period . . . . . . . . . . . . . . . . . 8 + 3.2.2 Key Algorithm . . . . . . . . . . . . . . . . . . . . 8 + 3.2.3 Key Sizes . . . . . . . . . . . . . . . . . . . . . . 8 + 3.3 Key Rollovers . . . . . . . . . . . . . . . . . . . . . . 9 + 3.3.1 Zone-signing Key Rollovers . . . . . . . . . . . . . . 10 + 3.3.2 Key-signing Key Rollovers . . . . . . . . . . . . . . 13 + 4. Planning for Emergency Key Rollover . . . . . . . . . . . . . 14 + 4.1 KSK Compromise . . . . . . . . . . . . . . . . . . . . . . 15 + 4.2 ZSK Compromise . . . . . . . . . . . . . . . . . . . . . . 15 + 4.3 Compromises of Keys Anchored in Resolvers . . . . . . . . 16 + 5. Parental Policies . . . . . . . . . . . . . . . . . . . . . . 16 + 5.1 Initial Key Exchanges and Parental Policies + Considerations . . . . . . . . . . . . . . . . . . . . . . 16 + 5.2 Storing Keys So Hashes Can Be Regenerated . . . . . . . . 16 + 5.3 Security Lameness Checks . . . . . . . . . . . . . . . . . 17 + 5.4 DS Signature Validity Period . . . . . . . . . . . . . . . 17 + 6. Security Considerations . . . . . . . . . . . . . . . . . . . 17 + 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 17 + 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18 + 8.1 Normative References . . . . . . . . . . . . . . . . . . . . 18 + 8.2 Informative References . . . . . . . . . . . . . . . . . . . 18 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 19 + A. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 19 + B. Zone-signing Key Rollover Howto . . . . . . . . . . . . . . . 20 + C. Typographic Conventions . . . . . . . . . . . . . . . . . . . 20 + D. 
Document Details and Changes . . . . . . . . . . . . . . . . . 22 + D.1 draft-ietf-dnsop-dnssec-operational-practices-00 . . . . . 22 + D.2 draft-ietf-dnsop-dnssec-operational-practices-01 . . . . . 22 + Intellectual Property and Copyright Statements . . . . . . . . 23 + + + + + + + + + + + +Kolkman & Gieben Expires August 30, 2004 [Page 2] + +Internet-Draft DNSSEC Operational Practices March 2004 + + +1. Introduction + + During workshops and early operational deployment tests, operators + and system administrators gained experience about operating DNSSEC + aware DNS services. This document translates these experiences into + a set of practices for zone administrators. At the time of writing, + there exists very little experience with DNSSEC in production + environments, this document should therefore explicitly not be seen + as represented 'Best Current Practices'. + + The procedures herein are focused on the maintenance of signed zones + (i.e. signing and publishing zones on authoritative servers). It is + intended that maintenance of zones such as resigning or key rollovers + be transparent to any verifying clients on the Internet. + + The structure of this document is as follows: It begins with + discussing some of the considerations with respect to timing + parameters of DNS in relation to DNSSEC (Section 2). Aspects of key + management such as key rollover schemes are described in Section 3. + Emergency rollover considerations are addressed in Section 4. The + typographic conventions used in this document are explained in + Appendix C. + + Since this is a document with operational suggestions and there are + no protocol specifications, the RFC2119 [5] language does not apply. + +1.1 The Use of the Term 'key' + + It is assumed that the reader is familiar with the concept of + asymmetric keys on which DNSSEC is based (Public Key Cryptography + [Ref to Schneider?]). Therefore, this document will use the term + 'key' rather loosely. 
Where it is written that 'a key is used to sign + data' it is assumed that the reader understands that it is the + private part of the key-pair that is used for signing. It is also + assumed that the reader understands that the public part of the + key-pair is published in the DNSKEY resource record and that it is + used in key-exchanges. + +1.2 Keeping the Chain of Trust Intact + + Maintaining a valid chain of trust is important because broken chains + of trust will result in data being marked as bogus, which may cause + entire (sub)domains to become invisible to verifying clients. The + administrators of secured zones have to realise that their zone is, + to their clients, part of a chain of trust. + + As mentioned in the introduction, the procedures herein are intended + to ensure maintenance of zones, such as resigning or key rollovers, + + + +Kolkman & Gieben Expires August 30, 2004 [Page 3] + +Internet-Draft DNSSEC Operational Practices March 2004 + + + be transparent to the verifying clients on the Internet. + Administrators of secured zones will have to keep in mind that data + published on an authoritative primary server will not be immediately + seen by verifying clients; it may take some time for the data to be + transfered to other secondary authoritative nameservers, during which + period clients may be fetching data from caching non-authoritative + servers. For the verifying clients it is important that data from + secured zones can be used to build chains of trust regardless of + whether the data came directly from an authoritative server, a + caching nameserver or some middle box. Only by carefully using the + available timing parameters can a zone administrator assure that the + data necessary for verification can be obtained. + + The responsibility for maintaining the chain of trust is shared by + administrators of secured zones in the chain of trust. 
This is most + obvious in the case of a 'key compromise' when a trade off between + maintaining a valid chain of trust and the fact that the key has been + stolen, must be made. + + The zone administrator will have to make a tradeoff between keeping + the chain of trust intact -thereby allowing for attacks with the + compromised key- or to deliberately break the chain of trust thereby + making secured subdomains invisible to security aware resolvers. Also + see Section 4. + +2. Time in DNSSEC + + Without DNSSEC all times in DNS are relative. The SOA's refresh, + retry and expiration timers are counters that are used to determine + the time elapsed after a slave server syncronised (or tried to + syncronise) with a master server. The Time to Live (TTL) value and + the SOA minimum TTL parameter [6] are used to determine how long a + forwarder should cache data after it has been fetched from an + authoritative server. DNSSEC introduces the notion of an absolute + time in the DNS. Signatures in DNSSEC have an expiration date after + which the signature is marked as invalid and the signed data is to be + considered bogus. + +2.1 Time Definitions + + In this document we will be using a number of time related terms. + Within the context of this document the following definitions apply: + o "Signature validity period" + The period that a signature is valid. It starts at the time + specified in the signature inception field of the RRSIG RR and + ends at the time specified in the expiration field of the RRSIG + RR. + + + + +Kolkman & Gieben Expires August 30, 2004 [Page 4] + +Internet-Draft DNSSEC Operational Practices March 2004 + + + o "Signature publication period" + Time after which a signature (made with a specific key) is + replaced with a new signature (made with the same key). This + replacement takes place by publishing the relevant RRSIG in the + master zone file. 
If a signature is published at time T0 and a + new signature is published at time T1, the signature + publication period is T1 - T0. + If all signatures are refreshed at zone (re)signing then the + signature publication period is equal signature validity + period. + o "Maximum/Minimum Zone TTL" + The maximum or minimum value of all the TTLs in a zone. + +2.2 Time Considerations + + Because of the expiration of signatures, one should consider the + following. + o The Maximum Zone TTL of your zone data should be a fraction of + your signature validity period. + If the TTL would be of similar order as the signature validity + period, then all RRsets fetched during the validity period + would be cached until the signature expiration time. As a + result query load on authoritative servers would peak at + signature expiration time. + To avoid query load peaks we suggest the TTL on all the RRs in + your zone to be at least a few times smaller than your + signature validity period. + o The signature publication period should be at least one maximum + TTL smaller than the signature validity period. + Resigning a zone shortly before the end of the signature + validity period may cause simultaneous expiration of data from + caches. This in turn may lead to peaks in the load on + authoritative servers. + o The Minimum zone TTL should be long enough to both fetch and + verify all the RRs in the authentication chain. + 1. During validation, some data may expire before the + validation is complete. The validator should be able to keep + all data, until is completed. This applies to all RRs needed + to complete the chain of trust: DSs, DNSKEYs, RRSIGs, and + the final answers i.e. the RR that is returned for the + initial query. + 2. Frequent verification causes load on recursive + nameservers. Data at delegation points, DSs, DNSKEYs and + RRSIGs benefit from caching. The TTL on those should be + relatively long. 
+ + + + + + +Kolkman & Gieben Expires August 30, 2004 [Page 5] + +Internet-Draft DNSSEC Operational Practices March 2004 + + + We have seen events where data needed for verification of an + authentication chain had expired from caches. + We suggest the TTL on DNSKEY and DSs to be between ten minutes + and one hour. We recommend zone administrators to chose TTLs + longer than half a minute. + [Editor's Note: this observation could be implementation + specific. We are not sure if we should leave this item] + o Slave servers will need to be able to fetch newly signed zones + well before the data expires from your zone. + 'Better no answers than bad answers.' + If a properly implemented slave server is not able to contact a + master server for an extended period the data will at some + point expire and the slave server will not hand out any data. + If the server serves a DNSSEC zone than it may well happen that + the signatures expire well before the SOA expiration timer + counts down to zero. It is not possible to completely prevent + this from happening by tweaking the SOA parameters. However, + the effects can be minimized where the SOA expiration time is + equal or smaller than the signature validity period. + The consequence of an authoritative server not being able to + update a zone, whilst that zone includes expired signaturs, is + that non-secure resolvers will continue to be able to resolve + data served by the particular slave servers. Security aware + resolvers will experience problems. + We suggest the SOA expiration timer being approximately one + third or one fourth of the signature validity period. It will + allow problems with transfers from the master server to be + noticed before the actual signature time out. + We suggest that operators of nameservers with slave zones + develop 'watch dogs' to spot upcoming signature expirations in + slave zones, and take appropriate action. 
+ When determining the value for the expiration parameter one has + to take the following into account: What are the chances that + all my secondary zones expire; How quickly can I reach an + administrator and load a valid zone? All these arguments are + not DNSSEC specific. + +3. Keys + + In the DNSSEC protocol there is only one type of key, the zone key. + With this key, the data in a zone is signed. + + To make zone re-signing and key rollovers procedures easier to + implement, it is possible to use one or more keys as Key Signing Keys + (KSK) these keys will only sign the apex DNSKEY RRs in a zone. Other + keys can be used to sign all the RRsets in a zone and are referred to + as Zone Signing Keys (ZSK). In this document we assume that KSKs are + the subset of keys that are used for key exchanges with the parents + + + +Kolkman & Gieben Expires August 30, 2004 [Page 6] + +Internet-Draft DNSSEC Operational Practices March 2004 + + + and potentially for configuration as trusted anchors - the so called + Secure Entry Point keys (SEP). In this document we assume a + one-to-one mapping between KSK and SEP keys and we assume the SEP + flag [4] to be set on KSKs. + +3.1 Motivations for the KSK and ZSK Functions + + Differentiating between the KSK to ZSK functions has several + advantages: + + o Making the KSK stronger (i.e. using more bits in the key material) + has little operational impact since it is only used to sign a + small fraction of the zone data. + o As the KSK is only used to sign a keyset, which is most probably + updated less frequently than other data in the zone, it can be + stored separately from (and thus in a safer location than) the + ZSK. + o A KSK can be used for longer periods. + o No parent/child interaction is required when ZSKs are updated. + + The KSK is used less than ZSK, once a keyset is signed with the KSK + all the keys in the keyset can be used as ZSK. If a ZSK is + compromised, it can be simply dropped from the keyset. 
The new keyset + is then resigned with the KSK. + + Given the assumption that for KSKs the SEP flag is set, the KSK can + be distinguished from a ZSK by examining the flag field in the DNSKEY + RR. If the flag field is an odd number it is a KSK if it is an even + number it is a ZSK e.g. a value of 256 and a key signing key has 257. + + The zone-signing key can be used to sign all the data in a zone on a + regular basis. When a zone-signing key is to be rolled, no + interaction with the parent is needed. This allows for relatively + short "Signature Validity Periods". That is, Signature Validity + Periods of the order of days. + + The key-signing key is only to be used to sign the Key RR set from + the zone apex. If a key-signing key is to be rolled over, there will + be interactions with parties other than the zone administrator such + as the registry of the parent zone or administrators of verifying + resolvers that have the particular key configured as trusted entry + points. Hence, the "Key Usage Time" of these keys can and should be + made much longer. Although, given a long enough key, the "Key Usage + Time" can be on the order of years we suggest to plan for a "Key + Usage Time" of the order of a few months so that a key rollover + remains an operational routine. + + + + + +Kolkman & Gieben Expires August 30, 2004 [Page 7] + +Internet-Draft DNSSEC Operational Practices March 2004 + + +3.2 Key Security Considerations + + Keys in DNSSEC have a number of parameters which should all be chosen + with care, the most important once are: size, algorithm and the key + validity period (its lifetime). + +3.2.1 Key Validity Period + + RFC2541 [2] describes a number of considerations with respect to the + security of keys. The document deals with the generation, lifetime, + size and storage of private keys. 
+ + In Section 3 of RFC2541 [2] there are some suggestions for a key + validity period: 13 months for long-lived keys and 36 days for + transaction keys but suggestions for key sizes are not made. + + If we say long-lived keys are key-signing keys and transactions keys + are zone-signing keys, these recommendations will lead to rollovers + occurring frequently enough to become part of 'operational habits'; + the procedure does not have to be reinvented every time a key is + replaced. + +3.2.2 Key Algorithm + + We recommend you choose RSA/SHA-1 as the preferred algorithm for the + key. RSA has been developed in an open and transparent manner. As the + patent on RSA expired in 2001, its use is now also free. The current + known attacks on RSA can be defeated by making your key longer. As + the MD5 hashing algorithm is showing (theoretical) cracks, we + recommend the usage of SHA1. + +3.2.3 Key Sizes + + When choosing key sizes, zone administrators will need to take into + account how long a key will be used and how much data will be signed + during the key publication period. It is hard to give precise + recommendations but Lenstra and Verheul [9] supplied the following + table with lower bound estimates for cryptographic key sizes. Their + recommendations are based on a set of explicitly formulated parameter + settings, combined with existing data points about cryptosystems. For + details we refer to the original paper. + + [Editor's Note: DSA???] 
+ + + + + + + + +Kolkman & Gieben Expires August 30, 2004 [Page 8] + +Internet-Draft DNSSEC Operational Practices March 2004 + + + Year RSA Key Sizes Elliptic Curve Key Size + 2000 952 132 + 2001 990 135 + 2002 1028 139 + 2003 1068 140 + 2004 1108 143 + + 2005 1149 147 + 2006 1191 148 + 2007 1235 152 + 2008 1279 155 + 2009 1323 157 + + + 2010 1369 160 + 2011 1416 163 + 2012 1464 165 + 2013 1513 168 + 2014 1562 172 + + 2015 1613 173 + 2016 1664 177 + 2017 1717 180 + 2018 1771 181 + 2019 1825 185 + + + 2020 1881 188 + 2021 1937 190 + 2022 1995 193 + 2023 2054 197 + 2024 2113 198 + + 2025 2174 202 + 2026 2236 205 + 2027 2299 207 + 2028 2362 210 + 2029 2427 213 + + For example, should you wish your key to last three years from 2003, + check the RSA keysize values for 2006 in this table. In this case + 1191. + +3.3 Key Rollovers + + Key rollovers are a fact of life when using DNSSEC. A DNSSEC key + cannot be used forever (see RFC2541 [2] and Section 3.2 ). Zone + administrators who are in the process of rolling their keys have to + + + +Kolkman & Gieben Expires August 30, 2004 [Page 9] + +Internet-Draft DNSSEC Operational Practices March 2004 + + + take into account that data published in previous versions of their + zone still lives in caches. When deploying DNSSEC, this becomes an + important consideration; ignoring data that may be in caches may lead + to loss of service for clients. + + The most pressing example of this is when zone material signed with + an old key is being validated by a resolver which does not have the + old zone key cached. If the old key is no longer present in the + current zone, this validation fails, marking the data bogus. + Alternatively, an attempt could be made to validate data which is + signed with a new key against an old key that lives in a local cache, + also resulting in data being marked bogus. 
+ + To appreciate the situation one could think of a number of + authoritative servers that may not be instantaneously running the + same version of a zone and a security aware non-recursive resolver + that sits behind security aware caching forwarders. + + Note that KSK rollovers and ZSK rollovers are different. A zone-key + rollover can be handled in two different ways: pre-publish (Section + Section 3.3.1.1) and double signature (Section Section 3.3.1.2). The + pre-publish technique works because the key-signing key stays the + same during this ZSK rollover. With this KSK a cache is able to + validate the new keyset of a zone. With a KSK rollover a cache can + not validate the new keyset, because it does not trust the new KSK. + + [Editors note: This needs more verbose explanation, nobody will + appreciate the situation just yet. Help with text and examples is + appreciated] + +3.3.1 Zone-signing Key Rollovers + + For zone-signing key rollovers there are two ways to make sure that + during the rollover data still cached can be verified with the new + keysets or newly generated signatures can be verified with the keys + still in caches. One schema uses double signatures, it is described + in Section 3.3.1.2, the other uses key pre-publication (Section + 3.3.1.1). The pros, cons and recommendations are described in Section + 3.3.1.3. + +3.3.1.1 Pre-publish Keyset Rollover + + This section shows how to perform a ZSK rollover without the need to + sign all the data in a zone twice - the so called "prepublish + rollover". We recommend this method because it has advantages in the + case of key compromise. If the old key is compromised, the new key + has already been distributed in the DNS. The zone administrator is + then able to quickly switch to the new key and remove the compromised + + + +Kolkman & Gieben Expires August 30, 2004 [Page 10] + +Internet-Draft DNSSEC Operational Practices March 2004 + + + key from the zone. 
Another major advantage is that the zone size does + not double, as is the case with the double signature ZSK rollover. A + small "HOWTO" for this kind of rollover can be found in Appendix B. + + normal pre-roll roll after + + SOA0 SOA1 SOA2 SOA3 + RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2) RRSIG11(SOA3) + + DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY1 + DNSKEY10 DNSKEY10 DNSKEY10 DNSKEY11 + DNSKEY11 DNSKEY11 + RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY) RRSIG1 (DNSKEY) + RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY) + + + normal: Version 0 of the zone: DNSKEY 1 is the key-signing key. + DNSKEY 10 is used to sign all the data of the zone, the + zone-signing key. + pre-roll: DNSKEY 11 is introduced into the keyset. Note that no + signatures are generated with this key yet, but this does not + secure against brute force attacks on the public key. The minimum + duration of this pre-roll phase is the time it takes for the data + to propagate to the authoritative servers plus TTL value of the + keyset. This equates to two times the Maximum Zone TTL. + roll: At the rollover stage (SOA serial 1) DNSKEY 11 is used to sign + the data in the zone exclusively (i.e. all the signatures from + DNSKEY 10 are removed from the zone). DNSKEY 10 remains published + in the keyset. This way data that was loaded into caches from + version 1 of the zone can still be verified with key sets fetched + from version 2 of the zone. + The minimum time that the keyset including DNSKEY 10 is to be + published is the time that it takes for zone data from the + previous version of the zone to expire from old caches i.e. the + time it takes for this zone to propagate to all authoritative + servers plus the Maximum Zone TTL value of any of the data in the + previous version of the zone. + after: DNSKEY 10 is removed from the zone. The keyset, now only + containing DNSKEY 11 is resigned with the DNSKEY 1. 
+ + The above scheme can be simplified by always publishing the "future" + key immediately after the rollover. The scheme would look as follows + (we show two rollovers); the future key is introduced in "after" as + DNSKEY 12 and again a newer one, numbered 13, in "2nd after": + + + + + + + +Kolkman & Gieben Expires August 30, 2004 [Page 11] + +Internet-Draft DNSSEC Operational Practices March 2004 + + + normal roll after 2nd roll 2nd after + + SOA0 SOA2 SOA3 SOA4 SOA5 + RRSIG10(SOA0) RRSIG11(SOA2) RRSIG11(SOA3) RRSIG12(SOA4) RRSIG12(SOA5) + + DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY1 + DNSKEY10 DNSKEY10 DNSKEY11 DNSKEY11 DNSKEY12 + DNSKEY11 DNSKEY11 DNSKEY12 DNSKEY12 DNSKEY13 + RRSIG1(DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY) RRSIG1(DNSKEY) RRSIG1(DNSKEY) + RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY) RRSIG12(DNSKEY) RRSIG12(DNSKEY) + + + Note that the key introduced after the rollover is not used for + production yet; the private key can thus be stored in a physically + secure manner and does not need to be 'fetched' every time a zone + needs to be signed. + + This scheme has the benefit that the key that is intended for future + use: immediately during an emergency rollover assuming that the + private key was stored in a physically secure manner. + +3.3.1.2 Double Signature Zone-signing Key Rollover + + This section shows how to perform a ZSK key rollover using the double + zone data signature scheme, aptly named "double sig rollover". + + During the rollover stage the new version of the zone file will need + to propagate to all authoritative servers and the data that exists in + (distant) caches will need to expire, this will take at least the + maximum Zone TTL . 
+ + normal roll after + + SOA0 SOA1 SOA2 + RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2) + RRSIG11(SOA1) + + DNSKEY1 DNSKEY1 DNSKEY1 + DNSKEY10 DNSKEY10 DNSKEY11 + DNSKEY11 + RRSIG1(DNSKEY) RRSIG1(DNSKEY) RRSIG1(DNSKEY) + RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY) + RRSIG11(DNSKEY) + + normal: Version 0 of the zone: DNSKEY 1 is the key-signing key. + DNSKEY 10 is used to sign all the data of the zone, the + zone-signing key. + + + + +Kolkman & Gieben Expires August 30, 2004 [Page 12] + +Internet-Draft DNSSEC Operational Practices March 2004 + + + roll: At the rollover stage (SOA serial 1) DNSKEY 11 is introduced + into the keyset and all the data in the zone is signed with DNSKEY + 10 and DNSKEY 11. The rollover period will need to exist until all + data from version 0 of the zone has expired from remote caches. + This will take at least the maximum Zone TTL of version 0 of the + zone. + after: DNSKEY 10 is removed from the zone. All the signatures from + DNSKEY 10 are removed from the zone. The keyset, now only + containing DNSKEY 11, is resigned with DNSKEY 1. + + At every instance the data from the previous version of the zone can + be verified with the key from the current version and vice verse. The + data from the current version can be verified with the data from the + previous version of the zone. The duration of the rollover phase and + the period between rollovers should be at least the "Maximum Zone + TTL". + + Making sure that the rollover phase lasts until the signature + expiration time of the data in version 0 of the zone is recommended. + However, this date could be considerably longer than the Maximum Zone + TTL, making the rollover a lengthy procedure. + + Note that in this example we assumed that the zone was not modified + during the rollover. New data can be introduced in the zone as long + as it is signed with both keys. 
+ +3.3.1.3 Pros and Cons of the Schemes + + Prepublish-keyset rollover: This rollover does not involve signing + the zone data twice. Instead, just before the actual rollover, the + new key is published in the keyset and thus available for + cryptanalysis attacks. A small disavantage is that this process + requires four steps. Also the prepublish scheme will not work for + KSKs as explained in Section 3.3. + Double signature rollover: The drawback of this signing scheme is + that during the rollover the number of signatures in your zone + doubles, this may be prohibitive if you have very big zones. An + advantage is that it only requires three steps. + +3.3.2 Key-signing Key Rollovers + + For the rollover of a key-signing key the same considerations as for + the rollover of a zone-signing key apply. However we can use a double + signature scheme to guarantee that old data (only the apex keyset) in + caches can be verified with a new keyset and vice versa. + + Since only the keyset is signed with a KSK, zone size considerations + do not apply. + + + +Kolkman & Gieben Expires August 30, 2004 [Page 13] + +Internet-Draft DNSSEC Operational Practices March 2004 + + + normal roll after + + SOA0 SOA1 SOA2 + RRSIG10(SOA0) RRSIG10(SOA1) RRSIG10(SOA2) + + DNSKEY1 DNSKEY1 DNSKEY2 + DNSKEY2 + DNSKEY10 DNSKEY10 DNSKEY10 + RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG2(DNSKEY) + RRSIG2 (DNSKEY) + RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG10(DNSKEY) + + normal: Version 0 of the zone. The parental DS points to DNSKEY1. + Before the rollover starts the child will have to verify what the + TTL is of the DS RR that points to DNSKEY1 - it is needed during + the rollover and we refer to the value as TTL_DS. + roll: During the rollover phase the zone administrator generates a + second KSK, DNSKEY2. The key is provided to the parent and the + child will have to wait until a new DS RR has been generated that + points to DNSKEY2. 
After that DS RR has been published on _all_ + servers authoritative for the parents zone, the zone administrator + has to wait at least TTL_DS to make sure that the old DS RR has + expired from distant caches. + after: DNSKEY1 has been removed. + + The scenario above puts the responsibility for maintaining a valid + chain of trust with the child. It also is based on the premises that + the parent only has one DS RR (per algorithm) per zone. St John [The + draft has expired] proposed a mechanism where using an established + trust relation, the interaction can be performed in-band. In this + mechanism there are periods where there are two DS RRs at the parent. + + [Editors note: We probably need to mention more] + +4. Planning for Emergency Key Rollover + + This section deals with preparation for a possible key compromise. + Our advice is to have a documented procedure ready for when a key + compromise is suspected or confirmed. + + [Editors note: We are much in favor of a rollover tactic that keeps + the authentication chain intact as long as possible. This means that + one has to take all the regular rollover properties into account.] + + When the private material of one of your keys is compromised it can + be used for as long as a valid authentication chain exists. An + authentication chain remains intact for: + + + + +Kolkman & Gieben Expires August 30, 2004 [Page 14] + +Internet-Draft DNSSEC Operational Practices March 2004 + + + o as long as a signature over the compromised key in the + authentication chain is valid, + o as long as a parental DS RR (and signature) points to the + compromised key, + o as long as the key is anchored in a resolver and is used as a + starting point for validation. (This is the hardest to update.) + While an authentication chain to your compromised key exists, your + name-space is vulnerable to abuse by the malicious key holder (i.e. + the owner of the compromised key). 
Zone operators have to make a + trade off if the abuse of the compromised key is worse than having + data in caches that cannot be validated. If the zone operator chooses + to break the authentication chain to the compromised key, data in + caches signed with this key cannot be validated. However, if the zone + administrator chooses to take the path of a regular roll-over, the + malicious key holder can spoof data so that it appears to be valid, + note that this kind of attack will usually be localised in the + Internet topology. + + +4.1 KSK Compromise + + When the KSK has been compromised the parent must be notified as soon + as possible using secure means. The keyset of the zone should be + resigned as soon as possible. Care must be taken to not break the + authentication chain. The local zone can only be resigned with the + new KSK after the parent's zone has been updated with the new KSK. + Before this update takes place it would be best to drop the security + status of a zone all together: the parent removes the DS of the child + at the next zone update. After that the child can be made secure + again. + + An additional danger of a key compromise is that the compromised key + can be used to facilitate a legitimate DNSKEY/DS and/or nameserver + rollover at the parent. When that happens the domain can be in + dispute. An out of band and secure notify mechanism to contact a + parent is needed in this case. + +4.2 ZSK Compromise + + Primarily because there is no parental interaction required when a + ZSK is compromised, the situation is less severe than with with a KSK + compromise. The zone must still be resigned with a new ZSK as soon + as possible. As this is a local operation and requires no + communication between the parent and child this can be achieved + fairly quickly. However, one has to take into account that just as + with a normal rollover the immediate disappearance from the old + compromised key may lead to verification problems. 
The + pre-publication scheme as discussed above minimises such problems. + + + +Kolkman & Gieben Expires August 30, 2004 [Page 15] + +Internet-Draft DNSSEC Operational Practices March 2004 + + +4.3 Compromises of Keys Anchored in Resolvers + + A key can also be pre-configured in resolvers. If DNSSEC is rolled + out as planned the root key should be pre-configured in every secure + aware resolver on the planet. [Editors Note: add more about + authentication of a newly received resolver key] + + If trust-anchor keys are compromised, the resolvers using these keys + should be notified of this fact. Zone administrators may consider + setting up a mailing list to communicate the fact that a SEP key is + about to be rolled over. This communication will of course need to be + authenticated e.g. by using digital signatures. + +5. Parental Policies + +5.1 Initial Key Exchanges and Parental Policies Considerations + + The initial key exchange is always subject to the policies set by the + parent (or its registry). When designing a key exchange policy one + should take into account that the authentication and authorisation + mechanisms used during a key exchange should be as strong as the + authentication and authorisation mechanisms used for the exchange of + delegation information between parent and child. + + Using the DNS itself as the source for the actual DNSKEY material, + with an off-band check on the validity of the DNSKEY, has the benefit + that it reduces the chances of user error. A parental DNSKEY download + tool can make use of the SEP bit [4] to select the proper key from a + DNSSEC keyset; thereby reducing the chance that the wrong DNSKEY is + sent. It can validate the self-signature over a key; thereby + verifying the ownership of the private key material. Fetching the + DNSKEY from the DNS ensures that the child will not become bogus once + the parent publishes the DS RR indicating the child is secure. 
+ + Note: the off-band verification is still needed when the key-material + is fetched by a tool. The parent can not be sure whether the DNSKEY + RRs have been spoofed. + +5.2 Storing Keys So Hashes Can Be Regenerated + + When designing a registry system one should consider if the DNSKEYs + and/or the corresponding DSs are stored. Storing DNSKEYs will help + during troubleshooting while the overhead of calculating DS records + from them is minimal. + + Having an out-of-band mechanism, such as a Whois database, to find + out which keys are used to generate DS Resource Records for specific + owners may also help with troubleshooting. + + + +Kolkman & Gieben Expires August 30, 2004 [Page 16] + +Internet-Draft DNSSEC Operational Practices March 2004 + + +5.3 Security Lameness Checks + + Security Lameness is defined as what happens when a parent has a DS + Resource Record pointing to a non-existing DNSKEY RR. During key + exchange a parent should make sure that the child's key is actually + configured in the DNS before publishing a DS RR in its zone. Failure + to do so would render the child's zone being marked as bogus. + + Child zones should be very careful removing DNSKEY material, + specifically SEP keys, for which a DS RR exists. + + Once a zone is "security lame" a fix (e.g. by removing a DS RR) will + take time to propagate through the DNS. + +5.4 DS Signature Validity Period + + Since the DS can be replayed as long as it has a valid signature a + short signature validity period over the DS minimises the time a + child is vulnerable in the case of a compromise of the child's + KSK(s). A signature validity period that is too short introduces the + possibility that a zone is marked bogus in case of a configuration + error in the signer; there may not be enough time to fix the problems + before signatures expire. Something as mundane as operator + unavailability during weekends shows the need for DS signature + lifetimes longer than 2 days. 
We recommend the minimum for a DS + signature validity period to be a few days. + + The maximum signature lifetime of the DS record depends on how long + child zones are willing to be vulnerable after a key compromise. We + consider a signature validity period of around one week to be a good + compromise between the operational constraints of the parent and + minimising damage for the child. + +6. Security Considerations + + DNSSEC adds data integrity to the DNS. This document tries to assess + considerations to operate a stable and secure DNSSEC service. Not + taking into account the 'data propagation' properties in the DNS will + cause validation failures and may make secured zones unavailable to + security aware resolvers. + +7. Acknowledgments + + We, the folk mentioned as authors, only acted as editors. Most of the + ideas in this draft were the result of collective efforts during + workshops, discussions and try outs. + + At the risk of forgetting individuals who where the original + + + +Kolkman & Gieben Expires August 30, 2004 [Page 17] + +Internet-Draft DNSSEC Operational Practices March 2004 + + + contributors of the ideas we would like to acknowledge people who + where actively involved in the compilation of this document. In + random order: Olafur Gudmundsson, Wesley Griffin, Michael Richardson, + Scott Rose, Rick van Rein, Tim McGinnis, Gilles Guette and Olivier + Courtay, Sam Weiler. + + Emma Bretherick and Adrian Bedford corrected many of the spelling and + style issues. + + Kolkman and Gieben take the blame for introducing all miscakes(SIC). + +8. References + +8.1 Normative References + + [1] Eastlake, D., "Domain Name System Security Extensions", RFC + 2535, March 1999. + + [2] Eastlake, D., "DNS Security Operational Considerations", RFC + 2541, March 1999. + + [3] Lewis, E., "DNS Security Extension Clarification on Zone + Status", RFC 3090, March 2001. + + [4] Lewis, E., Kolkman, O. and J. 
Schlyter, "KEY RR Key-Signing Key + (KSK) Flag", draft-ietf-dnsext-keyrr-key-signing-flag-06 (work + in progress), February 2003. + +8.2 Informative References + + [5] Bradner, S., "Key words for use in RFCs to Indicate Requirement + Levels", BCP 14, RFC 2119, March 1997. + + [6] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", RFC + 2308, March 1998. + + [7] Gudmundsson, O., "Delegation Signer Resource Record", + draft-ietf-dnsext-delegation-signer-13 (work in progress), March + 2003. + + [8] Arends, R., "Protocol Modifications for the DNS Security + Extensions", draft-ietf-dnsext-dnssec-protocol-01 (work in + progress), March 2003. + + [9] Lenstra, A. and E. Verheul, "Selecting Cryptographic Key Sizes", + The Journal of Cryptology 14 (255-293), 2001. + + + + + +Kolkman & Gieben Expires August 30, 2004 [Page 18] + +Internet-Draft DNSSEC Operational Practices March 2004 + + +Authors' Addresses + + Olaf M. Kolkman + RIPE NCC + Singel 256 + Amsterdam 1016 AB + The Netherlands + + Phone: +31 20 535 4444 + EMail: olaf@ripe.net + URI: http://www.ripe.net/ + + + Miek Gieben + NLnet Labs + Kruislaan 419 + Amsterdam 1098 VA + The Netherlands + + EMail: miek@nlnetlabs.nl + URI: http://www.nlnetlabs.nl + +Appendix A. Terminology + + In this document there is some jargon used that is defined in other + documents. In most cases we have not copied the text from the + documents defining the terms but given a more elaborate explanation + of the meaning. Note that these explanations should not be seen as + authoritative. + + Private and Public Keys: DNSSEC secures the DNS through the use of + public key cryptography. Public key cryptography is based on the + existence of two keys, a public key and a private key. The public + keys are published in the DNS by use of the DNSKEY Resource Record + (DNSKEY RR). Private keys should remain private i.e. should not be + exposed to parties not-authorised to do the actual signing. 
+ Signer: The system that has access to the private key material and + signs the Resource Record sets in a zone. A signer may be + configured to sign only parts of the zone e.g. only those RRsets + for which existing signatures are about to expire. + KSK: A Key-Signing Key (KSK) is a key that is used exclusively for + signing the apex keyset. The fact that a key is a KSK is only + relevant to the signing tool. + ZSK: A Zone Signing Key (ZSK) is a key that is used for signing all + data in a zone. The fact that a key is a ZSK is only relevant to + the signing tool. + + + + + +Kolkman & Gieben Expires August 30, 2004 [Page 19] + +Internet-Draft DNSSEC Operational Practices March 2004 + + + SEP Key: A KSK that has a parental DS record pointing to it. Note: + this is not enforced in the protocol. A SEP Key with no parental + DS is security lame. + Anchored Key: A DNSKEY configured in resolvers around the globe. This + Key is hard to update, hence the term anchored. + Bogus: [Editors Note: a reference here] An RRset in DNSSEC is marked + "Bogus" when a signature of a RRset does not validate against the + DNSKEY. Even if the key itself was not marked Bogus. A cache may + choose to cache Bogus data for various reasons. + Singing the Zone File: The term used for the event where an + administrator joyfully signs its zone file while producing melodic + sound patterns. + Zone Administrator: The 'role' that is responsible for signing a zone + and publishing it on the primary authoritative server. + +Appendix B. Zone-signing Key Rollover Howto + + Using the pre-published signature scheme and the most conservative + method to assure oneself that data does not live in distant caches + here follows the "HOWTO". [WES: has some comments about this] + Key notation: + Step 0: The preparation: Create two keys and publish both in your + keyset. Mark one of the keys as "active" and the other as + "published". Use the "active" key for signing your zone data. 
+ Store the private part of the "published" key, preferably + off-line. + Step 1: Determine expiration: At the beginning of the rollover make a + note of the highest expiration time of signatures in your zone + file created with the current key marked as "active". + Wait until the expiration time marked in Step 1 has passed + Step 2: Then start using the key that was marked as "published" to + sign your data i.e. mark it as "active". Stop using the key that + was marked as "active", mark it as "rolled". + Step 3: It is safe to engage in a new rollover (Step 1) after at + least one "signature validity period". + +Appendix C. Typographic Conventions + + The following typographic conventions are used in this document: + Key notation: A key is denoted by KEYx, where x is a number, x could + be thought of as the key id. + RRset notations: RRs are only denoted by the type. All other + information - owner, class, rdata and TTL - is left out. Thus: + example.com 3600 IN A 192.168.1.1 is reduced to: A. RRsets are a + list of RRs. A example of this would be: A1,A2, specifying the + RRset containing two A records. This could again be abbreviated to + just: A. + + + + +Kolkman & Gieben Expires August 30, 2004 [Page 20] + +Internet-Draft DNSSEC Operational Practices March 2004 + + + Signature notation: Signatures are denoted as RRSIGx(RRset), which + means that RRset is signed with DNSKEYx. + Zone representation: Using the above notation we have simplified the + representation of a signed zone by leaving out all unnecessary + details such as the names and by representing all data by "SOAx" + SOA representation: SOA's are represented as SOAx, where x is the + serial number. + Using this notation the following zone : + + + example.net. 600 IN SOA ns.example.net. ernie.example.net. 
( + 10 ; serial + 450 ; refresh (7 minutes 30 seconds) + 600 ; retry (10 minutes) + 345600 ; expire (4 days) + 300 ; minimum (5 minutes) + ) + 600 RRSIG SOA 5 2 600 20130522213204 ( + 20130422213204 14 example.net. + cmL62SI6iAX46xGNQAdQ... ) + 600 NS a.iana-servers.net. + 600 NS b.iana-servers.net. + 600 RRSIG NS 5 2 600 20130507213204 ( + 20130407213204 14 example.net. + SO5epiJei19AjXoUpFnQ ... ) + 3600 DNSKEY 256 3 5 ( + EtRB9MP5/AvOuVO0I8XDxy0... + ) ; key id = 14 + 3600 DNSKEY 256 3 5 ( + gsPW/Yy19GzYIY+Gnr8HABU... + ) ; key id = 15 + 3600 RRSIG DNSKEY 5 2 3600 20130522213204 ( + 20130422213204 14 example.net. + J4zCe8QX4tXVGjV4e1r9... ) + 3600 RRSIG DNSKEY 5 2 3600 20130522213204 ( + 20130422213204 15 example.net. + keVDCOpsSeDReyV6O... ) + 600 NSEC a.example.net. NS SOA TXT RRSIG DNSKEY NSEC + 600 RRSIG NSEC 5 2 600 20130507213204 ( + 20130407213204 14 example.net. + obj3HEp1GjnmhRjX... ) + a.example.net. 600 IN TXT "A label" + 600 RRSIG TXT 5 3 600 20130507213204 ( + 20130407213204 14 example.net. + IkDMlRdYLmXH7QJnuF3v... ) + 600 NSEC b.example.com. TXT RRSIG NSEC + 600 RRSIG NSEC 5 3 600 20130507213204 ( + 20130407213204 14 example.net. + + + +Kolkman & Gieben Expires August 30, 2004 [Page 21] + +Internet-Draft DNSSEC Operational Practices March 2004 + + + bZMjoZ3bHjnEz0nIsPMM... ) + + ... + + + is reduced to the following represenation: + + SOA10 + RRSIG14(SOA10) + + DNSKEY14 + DNSKEY15 + + RRSIG14(KEY) + RRSIG15(KEY) + + The rest of the zone data has the same signature as the SOA record, + i.e a RRSIG created with DNSKEY 14. + +Appendix D. Document Details and Changes + + This section is to be removed by the RFC editor if and when the + document is published. + + $Header: /var/cvs/dnssec-key/ + draft-ietf-dnsop-dnssec-operational-practices.xml,v 1.22 2004/05/12 + 08:29:11 dnssec Exp $ + +D.1 draft-ietf-dnsop-dnssec-operational-practices-00 + + Submission as working group document. 
This document is a modified and + updated version of draft-kolkman-dnssec-operational-practices-00. + +D.2 draft-ietf-dnsop-dnssec-operational-practices-01 + + changed the definition of "Bogus" to reflect the one in the protocol + draft. + + Bad to Bogus + + Style and spelling corrections + + KSK - SEP mapping made explicit. + + Updates from Sam Weiler added + + + + + + +Kolkman & Gieben Expires August 30, 2004 [Page 22] + +Internet-Draft DNSSEC Operational Practices March 2004 + + +Intellectual Property Statement + + The IETF takes no position regarding the validity or scope of any + intellectual property or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; neither does it represent that it + has made any effort to identify any such rights. Information on the + IETF's procedures with respect to rights in standards-track and + standards-related documentation can be found in BCP-11. Copies of + claims of rights made available for publication and any assurances of + licenses to be made available, or the result of an attempt made to + obtain a general license or permission for the use of such + proprietary rights by implementors or users of this specification can + be obtained from the IETF Secretariat. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights which may cover technology that may be required to practice + this standard. Please address the information to the IETF Executive + Director. + + +Full Copyright Statement + + Copyright (C) The Internet Society (2004). All Rights Reserved. 
+ + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assignees. + + This document and the information contained herein is provided on an + "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + + + +Kolkman & Gieben Expires August 30, 2004 [Page 23] + +Internet-Draft DNSSEC Operational Practices March 2004 + + + HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + + +Acknowledgment + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Kolkman & Gieben Expires August 30, 2004 [Page 24] + + From 51c7f79515ea5dbf30134295f78af5d3539c2d44 Mon Sep 17 00:00:00 2001 
From: Mark Andrews Date: Sun, 16 May 2004 00:15:04 +0000 Subject: [PATCH 112/146] LIBTOO_MODE_INSTALL -> LIBTOOL_MODE_INSTALL --- bin/named/Makefile.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in index cda8cd1ff6..e199cc7960 100644 --- a/bin/named/Makefile.in +++ b/bin/named/Makefile.in @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.80 2004/03/05 04:57:45 marka Exp $ +# $Id: Makefile.in,v 1.81 2004/05/16 00:15:04 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ @@ -126,6 +126,6 @@ installdirs: $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs - ${LIBTOO_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir} (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@) for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done From be00eb0795d2def3452de0da2adde74e7eda6982 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 17 May 2004 03:15:59 +0000 Subject: [PATCH 113/146] 1640. [bug] win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was incorrectly closing the socket. [RT #11291] --- CHANGES | 3 +++ lib/isc/win32/socket.c | 3 +-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index b29cc971a5..9cdf77afcd 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +1640. [bug] win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was + incorrectly closing the socket. [RT #11291] + 1639. [func] Initial dlv system test. 1638. [bug] "ixfr-from-differences" could generate a REQUIRE diff --git a/lib/isc/win32/socket.c b/lib/isc/win32/socket.c index e94cecd818..f37e7b5d41 100644 --- a/lib/isc/win32/socket.c +++ b/lib/isc/win32/socket.c 
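Review bot: The `install::` recipe on the line right after the corrected one runs `(cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@)` with the result of `cd` unchecked, so should the `cd` fail for any reason the `rm -f` and the link are executed in whatever the current directory happens to be and the error is swallowed by the subshell's final command status. The `installdirs` prerequisite normally creates the directory, so this is a latent rather than an observed problem, but the fix is free: `(cd ${DESTDIR}${sbindir} && rm -f lwresd@EXEEXT@ && @LN@ named@EXEEXT@ lwresd@EXEEXT@)`. The `for m in ${MANPAGES}` line below has the same shape but passes explicit paths to `${INSTALL_DATA}`, so it does not have the same hazard.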
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: socket.c,v 1.31 2004/05/03 23:54:38 marka Exp $ */ +/* $Id: socket.c,v 1.32 2004/05/17 03:15:59 marka Exp $ */ /* This code has been rewritten to take advantage of Windows Sockets * I/O Completion Ports and Events. I/O Completion Ports is ONLY @@ -3656,7 +3656,6 @@ isc_socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how) { isc_socket_newconnev_t *next; isc_task_t *current_task; - socket_event_delete(sock); dev = ISC_LIST_HEAD(sock->accept_list); while (dev != NULL) { From 4a6f552617fe422ad90826e48c2a3446e3a2574b Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 17 May 2004 05:37:41 +0000 Subject: [PATCH 114/146] 1634. [bug] named didn't supply a useful error message when it detected duplicate views. [RT #11208] --- CHANGES | 3 ++- lib/bind9/check.c | 30 +++++++++++++++++++++++++++++- 2 files changed, 31 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 9cdf77afcd..81bb8b799f 100644 --- a/CHANGES +++ b/CHANGES @@ -14,7 +14,8 @@ 1635. [bug] Memory leak on error in query_addds(). -1634. [placeholder] rt11208 +1634. [bug] named didn't supply a useful error message when it + detected duplicate views. [RT #11208] 1633. [bug] named should return NOTIMP to update requests to a slaves without a allow-update-forwarding acl specified. diff --git a/lib/bind9/check.c b/lib/bind9/check.c index db90d6c7a6..b4b205c507 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check.c,v 1.45 2004/04/15 23:40:24 marka Exp $ */ +/* $Id: check.c,v 1.46 2004/05/17 05:37:41 marka Exp $ */ #include @@ -1175,6 +1175,7 @@ bind9_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) { cfg_listelt_t *velement; isc_result_t result = ISC_R_SUCCESS; isc_result_t tresult; + isc_symtab_t *symtab = NULL; static const char *builtin[] = { "localhost", "localnets", "any", "none"}; 
@@ -1216,6 +1217,9 @@ bind9_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) { } } + tresult = isc_symtab_create(mctx, 100, NULL, NULL, ISC_TRUE, &symtab); + if (tresult != ISC_R_SUCCESS) + result = tresult; for (velement = cfg_list_first(views); velement != NULL; velement = cfg_list_next(velement)) @@ -1226,6 +1230,8 @@ bind9_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) { cfg_obj_t *vclassobj = cfg_tuple_get(view, "class"); dns_rdataclass_t vclass = dns_rdataclass_in; isc_result_t tresult = ISC_R_SUCCESS; + const char *key = cfg_obj_asstring(vname); + isc_symvalue_t symvalue; if (cfg_obj_isstring(vclassobj)) { isc_textregion_t r; @@ -1238,12 +1244,34 @@ bind9_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) { "view '%s': invalid class %s", cfg_obj_asstring(vname), r.base); } + if (tresult == ISC_R_SUCCESS && symtab != NULL) { + symvalue.as_pointer = view; + tresult = isc_symtab_define(symtab, key, vclass, + symvalue, + isc_symexists_reject); + if (tresult == ISC_R_EXISTS) { + const char *file; + unsigned int line; + RUNTIME_CHECK(isc_symtab_lookup(symtab, key, + vclass, &symvalue) == ISC_R_SUCCESS); + file = cfg_obj_file(symvalue.as_pointer); + line = cfg_obj_line(symvalue.as_pointer); + cfg_obj_log(view, logctx, ISC_LOG_ERROR, + "view '%s': already exists " + "previous definition: %s:%u", + key, file, line); + result = tresult; + } else if (result != ISC_R_SUCCESS) + result = tresult; + } if (tresult == ISC_R_SUCCESS) tresult = check_viewconf(config, voptions, vclass, logctx, mctx); if (tresult != ISC_R_SUCCESS) result = ISC_R_FAILURE; } + if (symtab != NULL) + isc_symtab_destroy(&symtab); if (views != NULL && options != NULL) { obj = NULL; From b407caa0b5b60c5bb9fc7733886b884617ba16fe Mon Sep 17 00:00:00 2001 
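Review bot: The fallback `} else if (result != ISC_R_SUCCESS) result = tresult;` in the new duplicate-view check tests the wrong variable: when `isc_symtab_define` succeeds (`tresult == ISC_R_SUCCESS`) for a view that comes after one whose `check_viewconf` already set `result = ISC_R_FAILURE`, it overwrites the accumulated failure with success, so a configuration error in an earlier view is logged but the function can still return ISC_R_SUCCESS if the remaining views are clean. The intent is evidently to propagate a define failure, i.e. `} else if (tresult != ISC_R_SUCCESS) result = tresult;` — and since the trailing `if (tresult != ISC_R_SUCCESS) result = ISC_R_FAILURE;` already covers that case, the whole `else if` arm could simply be dropped. bind9_check_namedconf continues outside the hunk on both sides.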
From: Mark Andrews Date: Mon, 17 May 2004 07:52:46 +0000 Subject: [PATCH 115/146] pullup: 1661. [cleanup] indiscriminate use strlcat/strlcpy make auditing harder. --- lib/bind/irs/dns_ho.c | 54 +++++++++++++--------------- lib/bind/irs/dns_nw.c | 9 ++--- lib/bind/irs/gen_gr.c | 74 +++++++++++++++++++++----------------- lib/bind/irs/getaddrinfo.c | 6 +--- lib/bind/irs/hesiod.c | 35 +++++------------- 5 files changed, 78 insertions(+), 100 deletions(-) diff --git a/lib/bind/irs/dns_ho.c b/lib/bind/irs/dns_ho.c index 46f2ca580f..cac33b9ddf 100644 --- a/lib/bind/irs/dns_ho.c +++ b/lib/bind/irs/dns_ho.c @@ -52,7 +52,7 @@ /* BIND Id: gethnamaddr.c,v 8.15 1996/05/22 04:56:30 vixie Exp $ */ #if defined(LIBC_SCCS) && !defined(lint) -static const char rcsid[] = "$Id: dns_ho.c,v 1.14 2004/03/18 02:57:58 marka Exp $"; +static const char rcsid[] = "$Id: dns_ho.c,v 1.15 2004/05/17 07:52:46 marka Exp $"; #endif /* LIBC_SCCS and not lint */ /* Imports. */ 
@@ -414,38 +414,44 @@ ho_byaddr(struct irs_ho *this, const void *addr, int len, int af) break; case AF_INET6: if (q->action != RESTGT_IGNORE) { + const char *nibsuff = res_get_nibblesuffix(pvt->res); qp = q->qname; for (n = IN6ADDRSZ - 1; n >= 0; n--) { i = SPRINTF((qp, "%x.%x.", uaddr[n] & 0xf, (uaddr[n] >> 4) & 0xf)); - if (i < 0) + if (i != 4) abort(); qp += i; } -#ifdef HAVE_STRLCAT - strlcat(q->qname, res_get_nibblesuffix(pvt->res), - sizeof(q->qname)); -#else - strcpy(qp, res_get_nibblesuffix(pvt->res)); -#endif + if (strlen(q->qname) + strlen(nibsuff) + 1 > + sizeof q->qname) { + errno = ENAMETOOLONG; + RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL); + hp = NULL; + goto cleanup; + } + strcpy(qp, nibsuff); /* (checked) */ } if (q2->action != RESTGT_IGNORE) { + const char *nibsuff2 = res_get_nibblesuffix2(pvt->res); qp = q2->qname; for (n = IN6ADDRSZ - 1; n >= 0; n--) { i = SPRINTF((qp, "%x.%x.", uaddr[n] & 0xf, (uaddr[n] >> 4) & 0xf)); - if (i < 0) + if (i != 4) abort(); qp += i; } -#ifdef HAVE_STRLCAT - strlcat(q->qname, res_get_nibblesuffix2(pvt->res), - sizeof(q->qname)); -#else - strcpy(qp, res_get_nibblesuffix2(pvt->res)); -#endif + if ((qp - q->qname) + strlen(nibsuff2) + 1 > + sizeof q->qname){ + errno = ENAMETOOLONG; + RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL); + hp = NULL; + goto cleanup; + } + strcpy(qp, nibsuff2); /* (checked) */ } break; default: @@ -820,11 +826,7 @@ gethostans(struct irs_ho *this, had_error++; continue; } -#ifdef HAVE_STRLCPY - strlcpy(bp, tbuf, ep - bp); -#else - strcpy(bp, tbuf); -#endif + strcpy(bp, tbuf); /* (checked) */ pvt->host.h_name = bp; hname = bp; bp += n; @@ -856,11 +858,7 @@ gethostans(struct irs_ho *this, had_error++; continue; } -#ifdef HAVE_STRLCPY - strlcpy(bp, tbuf, ep - bp); -#else - strcpy(bp, tbuf); -#endif + strcpy(bp, tbuf); /* (checked) */ tname = bp; bp += n; continue; 
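Review bot: The bound guarding the second `strcpy` is measured against the wrong buffer: `qp` was set to `q2->qname` a few lines above, yet the test is `(qp - q->qname) + strlen(nibsuff2) + 1 > sizeof q->qname`, subtracting pointers into two different objects (undefined behaviour in C and a meaningless distance in practice), so the `/* (checked) */` marker is not backed by any check on `q2->qname`. The first branch does it correctly with `strlen(q->qname)`; the second should mirror it: `if (strlen(q2->qname) + strlen(nibsuff2) + 1 > sizeof q2->qname) {`. The removed `HAVE_STRLCAT` path had the same q/q2 mix-up (it appended to `q->qname`), so this copy-paste has been wrong in both incarnations and deserves a one-line comment keeping the two buffers apart. ho_byaddr continues outside the hunk on both sides.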
@@ -996,11 +994,7 @@ gethostans(struct irs_ho *this, n = strlen(qname) + 1; /* for the \0 */ if (n > (ep - bp) || n >= MAXHOSTNAMELEN) goto no_recovery; -#ifdef HAVE_STRLCPY - strlcpy(bp, qname, ep - bp); -#else - strcpy(bp, qname); -#endif + strcpy(bp, qname); /* (checked) */ pvt->host.h_name = bp; bp += n; } diff --git a/lib/bind/irs/dns_nw.c b/lib/bind/irs/dns_nw.c index 79a5aefcf0..8368b747f6 100644 --- a/lib/bind/irs/dns_nw.c +++ b/lib/bind/irs/dns_nw.c @@ -16,7 +16,7 @@ */ #if defined(LIBC_SCCS) && !defined(lint) -static const char rcsid[] = "$Id: dns_nw.c,v 1.9 2004/03/18 02:57:58 marka Exp $"; +static const char rcsid[] = "$Id: dns_nw.c,v 1.10 2004/05/17 07:52:46 marka Exp $"; #endif /* LIBC_SCCS and not lint */ /* Imports. */ @@ -349,12 +349,7 @@ get1101answer(struct irs_nw *this, RES_SET_H_ERRNO(pvt->res, NO_RECOVERY); return (NULL); } -#ifdef HAVE_STRLCPY - strlcpy(bp, name, ep - bp); - pvt->net.n_name = bp; -#else - pvt->net.n_name = strcpy(bp, name); -#endif + pvt->net.n_name = strcpy(bp, name); /* (checked) */ bp += n; } break; diff --git a/lib/bind/irs/gen_gr.c b/lib/bind/irs/gen_gr.c index a32bdd26d6..34fec98ad8 100644 --- a/lib/bind/irs/gen_gr.c +++ b/lib/bind/irs/gen_gr.c @@ -16,7 +16,7 @@ */ #if !defined(LINT) && !defined(CODECENTER) -static const char rcsid[] = "$Id: gen_gr.c,v 1.6 2004/03/09 06:30:00 marka Exp $"; +static const char rcsid[] = "$Id: gen_gr.c,v 1.7 2004/05/17 07:52:46 marka Exp $"; #endif /* Imports */ @@ -83,7 +83,7 @@ static void gr_res_set(struct irs_gr *, struct __res_state *, void (*)(void *)); -static void grmerge(struct irs_gr *gr, const struct group *src, +static int grmerge(struct irs_gr *gr, const struct group *src, int preserve); static int countvec(char **vec); 
@@ -92,6 +92,10 @@ static int countnew(char **old, char **new); static size_t sizenew(char **old, char **new); static int newgid(int, gid_t *, gid_t); +/* Macros */ + +#define FREE_IF(x) do { if ((x) != NULL) { free(x); (x) = NULL; } } while (0) + /* Public */ struct irs_gr * @@ -171,7 +175,8 @@ gr_byname(struct irs_gr *this, const char *name) { gr = rule->inst->gr; tval = (*gr->byname)(gr, name); if (tval) { - grmerge(this, tval, dirty++); + if (!grmerge(this, tval, dirty++)) + return (NULL); if (!(rule->flags & IRS_MERGE)) break; } else { @@ -197,7 +202,8 @@ gr_bygid(struct irs_gr *this, gid_t gid) { gr = rule->inst->gr; tval = (*gr->bygid)(gr, gid); if (tval) { - grmerge(this, tval, dirty++); + if (!grmerge(this, tval, dirty++)) + return (NULL); if (!(rule->flags & IRS_MERGE)) break; } else { @@ -321,7 +327,7 @@ gr_res_set(struct irs_gr *this, struct __res_state *res, /* Private. */ -static void +static int grmerge(struct irs_gr *this, const struct group *src, int preserve) { struct pvt *pvt = (struct pvt *)this->private; char *cp, **m, **p, *oldmembuf, *ep; @@ -332,9 +338,9 @@ grmerge(struct irs_gr *this, const struct group *src, int preserve) { pvt->group.gr_gid = src->gr_gid; if (pvt->nmemb < 1) { m = malloc(sizeof *m); - if (!m) { + if (m == NULL) { /* No harm done, no work done. */ - return; + return (0); } pvt->group.gr_mem = m; pvt->nmemb = 1; @@ -351,9 +357,9 @@ grmerge(struct irs_gr *this, const struct group *src, int preserve) { n = ndst + nnew + 1; if ((size_t)n > pvt->nmemb) { m = realloc(pvt->group.gr_mem, n * sizeof *m); - if (!m) { + if (m == NULL) { /* No harm done, no work done. */ - return; + return (0); } pvt->group.gr_mem = m; pvt->nmemb = n; 
@@ -371,13 +377,13 @@ grmerge(struct irs_gr *this, const struct group *src, int preserve) { } if (n == 0) { /* No work to do. */ - return; + return (1); } used = preserve ? pvt->membufsize : 0; cp = malloc(used + n); - if (!cp) { + if (cp == NULL) { /* No harm done, no work done. */ - return; + return (0); } ep = cp + used + n; if (used != 0) @@ -401,12 +407,13 @@ grmerge(struct irs_gr *this, const struct group *src, int preserve) { if (isnew(pvt->group.gr_mem, *m)) { *p++ = cp; *p = NULL; -#ifdef HAVE_STRLCPY - strlcpy(cp, *m, ep - cp); -#else - strcpy(cp, *m); -#endif - cp += strlen(cp) + 1; + n = strlen(*m) + 1; + if (n > ep - cp) { + FREE_IF(oldmembuf); + return (0); + } + strcpy(cp, *m); /* (checked) */ + cp += n; } if (preserve) { pvt->group.gr_name = pvt->membuf + @@ -415,23 +422,26 @@ grmerge(struct irs_gr *this, const struct group *src, int preserve) { (pvt->group.gr_passwd - oldmembuf); } else { pvt->group.gr_name = cp; -#ifdef HAVE_STRLCPY - strlcpy(cp, src->gr_name, ep - cp); -#else - strcpy(cp, src->gr_name); -#endif - cp += strlen(src->gr_name) + 1; + n = strlen(src->gr_name) + 1; + if (n > ep - cp) { + FREE_IF(oldmembuf); + return (0); + } + strcpy(cp, src->gr_name); /* (checked) */ + cp += n; + pvt->group.gr_passwd = cp; -#ifdef HAVE_STRLCPY - strlcpy(cp, src->gr_passwd, ep - cp); -#else - strcpy(cp, src->gr_passwd); -#endif - cp += strlen(src->gr_passwd) + 1; + n = strlen(src->gr_passwd) + 1; + if (n > ep - cp) { + FREE_IF(oldmembuf); + return (0); + } + strcpy(cp, src->gr_passwd); /* (checked) */ + cp += n; } - if (oldmembuf != NULL) - free(oldmembuf); + FREE_IF(oldmembuf); INSIST(cp >= pvt->membuf && cp <= &pvt->membuf[pvt->membufsize]); + return (1); } static int diff --git a/lib/bind/irs/getaddrinfo.c b/lib/bind/irs/getaddrinfo.c index 89db519fcf..31a45367e7 100644 --- a/lib/bind/irs/getaddrinfo.c +++ b/lib/bind/irs/getaddrinfo.c 
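Review bot: These bounds checks reuse `n` for the per-string length (`n = strlen(src->gr_name) + 1`, `n = strlen(src->gr_passwd) + 1`, and `n = strlen(*m) + 1` in the preceding hunk) although earlier in grmerge `n` was the total size behind `cp = malloc(used + n)` and `ep = cp + used + n`; any later code that still reads `n` as the buffer size (for example to record `pvt->membufsize`, which the closing INSIST consults) would now see the length of the last string instead — that code is outside the hunk, so worth confirming, and a separate `size_t len` would settle it either way. The `FREE_IF(oldmembuf); return (0);` paths also fire after `pvt->group.gr_name = cp;` (and after `*p++ = cp` in the member loop) have been stored, so on failure `pvt->group` points at unterminated bytes of the new buffer while `gr_passwd` likely still points into the just-freed `oldmembuf`; harmless while both visible callers return NULL immediately, but `pvt` persists into the next lookup, so either reset those fields on the failure paths or add a comment stating that the group is invalid until the next non-preserving merge. grmerge starts before this hunk.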
@@ -937,11 +937,7 @@ copy_ai(pai) free(ai); return NULL; } -#ifdef HAVE_STRLCPY - strlcpy(ai->ai_canonname, pai->ai_canonname, l); -#else - strncpy(ai->ai_canonname, pai->ai_canonname, l); -#endif + strcpy(ai->ai_canonname, pai->ai_canonname); /* (checked) */ } else { /* just to make sure */ ai->ai_canonname = NULL; diff --git a/lib/bind/irs/hesiod.c b/lib/bind/irs/hesiod.c index 714a48dd3a..b6ffbfaf8f 100644 --- a/lib/bind/irs/hesiod.c +++ b/lib/bind/irs/hesiod.c @@ -1,5 +1,5 @@ #if defined(LIBC_SCCS) && !defined(lint) -static const char rcsid[] = "$Id: hesiod.c,v 1.4 2004/03/18 02:57:59 marka Exp $"; +static const char rcsid[] = "$Id: hesiod.c,v 1.5 2004/05/17 07:52:46 marka Exp $"; #endif /* @@ -92,19 +92,14 @@ hesiod_init(void **context) { /* * Use compiled in defaults. */ - ctx->LHS = malloc(strlen(DEF_LHS)+1); - ctx->RHS = malloc(strlen(DEF_RHS)+1); - if (ctx->LHS == 0 || ctx->RHS == 0) { + ctx->LHS = malloc(strlen(DEF_LHS) + 1); + ctx->RHS = malloc(strlen(DEF_RHS) + 1); + if (ctx->LHS == NULL || ctx->RHS == NULL) { errno = ENOMEM; goto cleanup; } -#ifdef HAVE_STRLCPY - strlcpy(ctx->LHS, DEF_LHS, strlen(DEF_LHS) + 1); - strlcpy(ctx->RHS, DEF_RHS, strlen(DEF_RHS) + 1); -#else - strcpy(ctx->LHS, DEF_LHS); - strcpy(ctx->RHS, DEF_RHS); -#endif + strcpy(ctx->LHS, DEF_LHS); /* (checked) */ + strcpy(ctx->RHS, DEF_RHS); /* (checked) */ #else goto cleanup; #endif @@ -123,22 +118,10 @@ hesiod_init(void **context) { goto cleanup; } if (cp[0] == '.') { -#ifdef HAVE_STRLCPY - strlcpy(ctx->RHS, cp, RHSlen); -#else - strcpy(ctx->RHS, cp); -#endif + strcpy(ctx->RHS, cp); /* (checked) */ } else { -#ifdef HAVE_STRLCPY - strlcpy(ctx->RHS, ".", RHSlen); -#else - strcpy(ctx->RHS, "."); -#endif -#ifdef HAVE_STRLCAT - strlcat(ctx->RHS, cp, RHSlen); -#else - strcat(ctx->RHS, cp); -#endif + strcpy(ctx->RHS, "."); /* (checked) */ + strcat(ctx->RHS, cp); /* (checked) */ } } From 4f04f13a4ddf7661d840d763ecc213059ec9636e Mon Sep 17 00:00:00 2001 
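Review bot: The bare `/* (checked) */` annotation on `strcpy(ai->ai_canonname, pai->ai_canonname);` does not say which check makes the unbounded copy safe; the allocation of ai_canonname and the length `l` the removed strncpy used are outside the hunk, so a reader has to confirm elsewhere that `l` was derived from `strlen(pai->ai_canonname) + 1` rather than being a caller-supplied bound. A comment naming the invariant, e.g. `/* safe: ai_canonname was allocated with strlen(pai->ai_canonname) + 1 above */`, makes the audit trail explicit, and the same bare marker appears on the strcpy/strcat lines in the hesiod_init hunks (@@ -92 and @@ -123), where the `RHSlen` bound the removed strlcpy/strlcat calls used should either still size the RHS allocation or be deleted if it is now unused. Since this commit removes the strlcpy/strlcat paths from these files, the `HAVE_STRLCPY`/`HAVE_STRLCAT` configure probes may now be dead as well. copy_ai and hesiod_init both extend outside their hunks.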
From: Mark Andrews Date: Mon, 17 May 2004 10:14:06 +0000 Subject: [PATCH 116/146] Install MFC71.DLL and MSVCR71.DLL if _MSC_VER is 1400 --- bin/win32/BINDInstall/BINDInstallDlg.cpp | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/bin/win32/BINDInstall/BINDInstallDlg.cpp b/bin/win32/BINDInstall/BINDInstallDlg.cpp index 44fe7d2cdb..3bb1c5a4ac 100644 --- a/bin/win32/BINDInstall/BINDInstallDlg.cpp +++ b/bin/win32/BINDInstall/BINDInstallDlg.cpp @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: BINDInstallDlg.cpp,v 1.16 2004/04/19 04:16:54 marka Exp $ */ +/* $Id: BINDInstallDlg.cpp,v 1.17 2004/05/17 10:14:06 marka Exp $ */ /* * Copyright (c) 1999-2000 by Nortel Networks Corporation @@ -113,9 +113,13 @@ const FileData installFiles[] = {"msvcrt.dll", FileData::WinSystem, FileData::Critical, TRUE}, # endif #endif -#if _MSC_VER > 1200 +#if _MSC_VER == 1300 {"mfc70.dll", FileData::WinSystem, FileData::Critical, TRUE}, {"msvcr70.dll", FileData::WinSystem, FileData::Critical, TRUE}, +#endif +#if _MSC_VER == 1400 + {"mfc71.dll", FileData::WinSystem, FileData::Critical, TRUE}, + {"msvcr71.dll", FileData::WinSystem, FileData::Critical, TRUE}, #endif {"bindevt.dll", FileData::WinSystem, FileData::Normal, FALSE}, {"libbind9.dll", FileData::WinSystem, FileData::Critical, FALSE}, From c928cebdc511aca424bd4f9fbd61246038967f30 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 17 May 2004 10:14:37 +0000 Subject: [PATCH 117/146] do not install dnssec-makekeyset and dnssec-signkey. --- bin/win32/BINDInstall/BINDInstallDlg.cpp | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/bin/win32/BINDInstall/BINDInstallDlg.cpp b/bin/win32/BINDInstall/BINDInstallDlg.cpp index 3bb1c5a4ac..b119b49401 100644 --- a/bin/win32/BINDInstall/BINDInstallDlg.cpp +++ b/bin/win32/BINDInstall/BINDInstallDlg.cpp 
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: BINDInstallDlg.cpp,v 1.17 2004/05/17 10:14:06 marka Exp $ */ +/* $Id: BINDInstallDlg.cpp,v 1.18 2004/05/17 10:14:37 marka Exp $ */ /* * Copyright (c) 1999-2000 by Nortel Networks Corporation @@ -138,8 +138,6 @@ const FileData installFiles[] = {"nslookup.exe", FileData::BinDir, FileData::Normal, FALSE}, {"rndc-confgen.exe", FileData::BinDir, FileData::Normal, FALSE}, {"dnssec-keygen.exe", FileData::BinDir, FileData::Normal, FALSE}, - {"dnssec-makekeyset.exe", FileData::BinDir, FileData::Normal, FALSE}, - {"dnssec-signkey.exe", FileData::BinDir, FileData::Normal, FALSE}, {"dnssec-signzone.exe", FileData::BinDir, FileData::Normal, FALSE}, {"named-checkconf.exe", FileData::BinDir, FileData::Normal, FALSE}, {"named-checkzone.exe", FileData::BinDir, FileData::Normal, FALSE}, From cc3b9bde96c66a674be5e31bcd993902f1351288 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 18 May 2004 01:31:12 +0000 Subject: [PATCH 118/146] mfc71.dll and msvcr71.dll correspond to _MSC_VER 1310 (Wesley Griffin) --- bin/win32/BINDInstall/BINDInstallDlg.cpp | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/bin/win32/BINDInstall/BINDInstallDlg.cpp b/bin/win32/BINDInstall/BINDInstallDlg.cpp index b119b49401..8dad08dc68 100644 --- a/bin/win32/BINDInstall/BINDInstallDlg.cpp +++ b/bin/win32/BINDInstall/BINDInstallDlg.cpp @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: BINDInstallDlg.cpp,v 1.18 2004/05/17 10:14:37 marka Exp $ */ +/* $Id: BINDInstallDlg.cpp,v 1.19 2004/05/18 01:31:12 marka Exp $ */ /* * Copyright (c) 1999-2000 by Nortel Networks Corporation 
@@ -113,13 +113,12 @@ const FileData installFiles[] = {"msvcrt.dll", FileData::WinSystem, FileData::Critical, TRUE}, # endif #endif -#if _MSC_VER == 1300 - {"mfc70.dll", FileData::WinSystem, FileData::Critical, TRUE}, - {"msvcr70.dll", FileData::WinSystem, FileData::Critical, TRUE}, -#endif -#if _MSC_VER == 1400 +#if _MSC_VER >= 1310 {"mfc71.dll", FileData::WinSystem, FileData::Critical, TRUE}, {"msvcr71.dll", FileData::WinSystem, FileData::Critical, TRUE}, +#elif _MSC_VER > 1200 + {"mfc70.dll", FileData::WinSystem, FileData::Critical, TRUE}, + {"msvcr70.dll", FileData::WinSystem, FileData::Critical, TRUE}, #endif {"bindevt.dll", FileData::WinSystem, FileData::Normal, FALSE}, {"libbind9.dll", FileData::WinSystem, FileData::Critical, FALSE}, From 84bcefe9eebfc2a775e51c5356150476a07c788d Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 19 May 2004 05:36:35 +0000 Subject: [PATCH 119/146] new draft --- ... => draft-ietf-dnsext-dnssec-intro-10.txt} | 2914 ++++---- ... draft-ietf-dnsext-dnssec-protocol-06.txt} | 6498 ++++++++--------- ...> draft-ietf-dnsext-dnssec-records-08.txt} | 4034 +++++----- 3 files changed, 6723 insertions(+), 6723 deletions(-) rename doc/draft/{draft-ietf-dnsext-dnssec-intro-09.txt => draft-ietf-dnsext-dnssec-intro-10.txt} (60%) rename doc/draft/{draft-ietf-dnsext-dnssec-protocol-05.txt => draft-ietf-dnsext-dnssec-protocol-06.txt} (54%) rename doc/draft/{draft-ietf-dnsext-dnssec-records-07.txt => draft-ietf-dnsext-dnssec-records-08.txt} (73%) diff --git a/doc/draft/draft-ietf-dnsext-dnssec-intro-09.txt b/doc/draft/draft-ietf-dnsext-dnssec-intro-10.txt similarity index 60% rename from doc/draft/draft-ietf-dnsext-dnssec-intro-09.txt rename to doc/draft/draft-ietf-dnsext-dnssec-intro-10.txt index 8097d63455..5ac9cba56e 100644 --- a/doc/draft/draft-ietf-dnsext-dnssec-intro-09.txt +++ b/doc/draft/draft-ietf-dnsext-dnssec-intro-10.txt 
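Review bot: `#if _MSC_VER >= 1310` is open-ended, so any compiler newer than Visual C++ 7.1 will still install mfc71.dll and msvcr71.dll into the Windows system directory as Critical files, even though later toolchains ship differently named runtime DLLs; the `== 1400` branch this hunk removes shows the author already expected a distinct set there. Bounding the branch, `#if _MSC_VER >= 1310 && _MSC_VER < 1400`, and adding a trailing `#else` / `#error "unknown _MSC_VER: add its runtime DLLs to installFiles[]"` arm would turn an unexpected compiler into a build failure instead of a silently wrong installer. The installFiles[] initializer starts and ends outside the hunk.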
@@ -1,1401 +1,1513 @@ - - -DNS Extensions R. Arends -Internet-Draft Telematica Instituut -Expires: August 16, 2004 R. Austein - ISC - M. Larson - VeriSign - D. Massey - USC/ISI - S. Rose - NIST - February 16, 2004 - - - DNS Security Introduction and Requirements - draft-ietf-dnsext-dnssec-intro-09 - -Status of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that other - groups may also distribute working documents as Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet-Drafts as reference - material or to cite them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at http:// - www.ietf.org/ietf/1id-abstracts.txt. - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - This Internet-Draft will expire on August 16, 2004. - -Copyright Notice - - Copyright (C) The Internet Society (2004). All Rights Reserved. - -Abstract - - The Domain Name System Security Extensions (DNSSEC) add data origin - authentication and data integrity to the Domain Name System. This - document introduces these extensions, and describes their - capabilities and limitations. This document also discusses the - services that the DNS security extensions do and do not provide. - - - -Arends, et al. Expires August 16, 2004 [Page 1] - -Internet-Draft DNSSEC Introduction and Requirements February 2004 - - - Last, this document describes the interrelationships between the - group of documents that collectively describe DNSSEC. - -Table of Contents - - 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 - 2. 
Definitions of Important DNSSEC Terms . . . . . . . . . . . . 4 - 3. Services Provided by DNS Security . . . . . . . . . . . . . . 7 - 3.1 Data Origin Authentication and Data Integrity . . . . . . . . 7 - 3.2 Authenticating Name and Type Non-Existence . . . . . . . . . . 8 - 4. Services Not Provided by DNS Security . . . . . . . . . . . . 10 - 5. Resolver Considerations . . . . . . . . . . . . . . . . . . . 11 - 6. Stub Resolver Considerations . . . . . . . . . . . . . . . . . 12 - 7. Zone Considerations . . . . . . . . . . . . . . . . . . . . . 13 - 7.1 TTL values vs. RRSIG validity period . . . . . . . . . . . . . 13 - 7.2 New Temporal Dependency Issues for Zones . . . . . . . . . . . 13 - 8. Name Server Considerations . . . . . . . . . . . . . . . . . . 14 - 9. DNS Security Document Family . . . . . . . . . . . . . . . . . 15 - 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 - 11. Security Considerations . . . . . . . . . . . . . . . . . . . 17 - 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 19 - Normative References . . . . . . . . . . . . . . . . . . . . . 20 - Informative References . . . . . . . . . . . . . . . . . . . . 21 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 22 - Intellectual Property and Copyright Statements . . . . . . . . 24 - - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 2] - -Internet-Draft DNSSEC Introduction and Requirements February 2004 - - -1. Introduction - - This document introduces the Domain Name System Security Extensions - (DNSSEC). This document and its two companion documents - ([I-D.ietf-dnsext-dnssec-records] and - [I-D.ietf-dnsext-dnssec-protocol]) update, clarify, and refine the - security extensions defined in RFC 2535 [RFC2535] and its - predecessors. These security extensions consist of a set of new - resource record types and modifications to the existing DNS protocol - [RFC1035]. 
The new records and protocol modifications are not fully - described in this document, but are described in a family of - documents outlined in Section 9. Section 3 and Section 4 describe the - capabilities and limitations of the security extensions in greater - detail. Section 5, Section 6, Section 7, and Section 8 discuss the - effect that these security extensions will have on resolvers, stub - resolvers, zones and name servers. - - This document and its two companions update and obsolete RFCs 2535 - [RFC2535], 3008 [RFC3008], 3090 [RFC3090], 3226 [RFC3226], and 3445 - [RFC3445], as well as several works in progress: "Redefinition of the - AD bit" [RFC3655], "Legacy Resolver Compatibility for Delegation - Signer" [I-D.ietf-dnsext-dnssec-2535typecode-change], and "Delegation - Signer Resource Record" [RFC3658]. This document set also updates, - but does not obsolete, RFCs 1034 [RFC1034], 1035 [RFC1035], 2136 - [RFC2136], 2181 [RFC2181], 2308 [RFC2308] and 3597 [RFC3597]. - - The DNS security extensions provide origin authentication and - integrity protection for DNS data, as well as a means of public key - distribution. These extensions do not provide confidentiality. - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 3] - -Internet-Draft DNSSEC Introduction and Requirements February 2004 - - -2. Definitions of Important DNSSEC Terms - - This section defines a number of terms used in this document set. - Since this is intended to be useful as a reference while reading the - rest of the document set, first-time readers may wish to skim this - section quickly, read the rest of this document, then come back to - this section. - - authentication chain: an alternating sequence of DNSKEY RRsets and DS - RRsets forms a chain of signed data, with each link in the chain - vouching for the next. A DNSKEY RR is used to verify the - signature covering a DS RR and allows the DS RR to be - authenticated. 
The DS RR contains a hash of another DNSKEY RR and - this new DNSKEY RR is authenticated by matching the hash in the DS - RR. This new DNSKEY RR in turn authenticates another DNSKEY RRset - and, in turn, some DNSKEY RR in this set may be used to - authenticate another DS RR and so forth until the chain finally - ends with a DNSKEY RR which signs the desired DNS data. For - example, the root DNSKEY RRset can be used to authenticate the DS - RRset for "example." The "example." DS RRset contains a hash that - matches some "example." DNSKEY and this DNSKEY signs the - "example." DNSKEY RRset. Private key counterparts of the - "example." DNSKEY RRset sign data records such as "www.example." - as well as DS RRs for delegations such as "subzone.example." - - authentication key: A public key which a security-aware resolver has - verified and can therefore use to authenticate data. A - security-aware resolver can obtain authentication keys in three - ways. First, the resolver is generally preconfigured to know - about at least one public key. This preconfigured data is usually - either the public key itself or a hash of the key as found in the - DS RR. Second, the resolver may use an authenticated public key - to verify a DS RR and its associated DNSKEY RR. Third, the - resolver may be able to determine that a new key has been signed - by another key which the resolver has verified. Note that the - resolver must always be guided by local policy when deciding - whether to authenticate a new key, even if the local policy is - simply to authenticate any new key for which the resolver is able - verify the signature. - - delegation point: Term used to describe the name at the parental side - of a zone cut. That is, the delegation point for "foo.example" - would be the foo.example node in the "example" zone (as opposed to - the zone apex of the "foo.example" zone). 
- - island of security: Term used to describe a signed, delegated zone - that does not have an authentication chain from its delegating - parent. That is, there is no DS RR with the island's public key - - - -Arends, et al. Expires August 16, 2004 [Page 4] - -Internet-Draft DNSSEC Introduction and Requirements February 2004 - - - in its delegating parent zone (see - [I-D.ietf-dnsext-dnssec-records]). An island of security is served - by a security-aware nameserver and may provide authentication - chains to any delegated child zones. Responses from an island of - security or its descendents can only be authenticated if its zone - key can be authenticated by some trusted means out of band from - the DNS protocol. - - key signing key: An authentication key which is used to sign one or - more other authentication keys for a given zone. Typically, a key - signing key will sign a zone signing key, which in turn will sign - other zone data. Local policy may require the zone signing key to - be changed frequently, while the key signing key may have a longer - validity period in order to provide a more stable secure entry - point into the zone. Designating an authentication key as a key - signing key is purely an operational issue: DNSSEC validation does - not distinguish between key signing keys and other DNSSEC - authentication keys. Key signing keys are discussed in more - detail in [I-D.ietf-dnsext-keyrr-key-signing-flag]. See also: zone - signing key. - - non-validating security-aware stub resolver: A security-aware stub - resolver which trusts one or more security-aware recursive name - servers to perform most of the tasks discussed in this document - set on its behalf. 
In particular, a non-validating security-aware - stub resolver is an entity which sends DNS queries, receives DNS - responses, and is capable of establishing an appropriately secured - channel to a security-aware recursive name server which will - provide these services on behalf of the security-aware stub - resolver. See also: security-aware stub resolver, validating - security-aware stub resolver. - - non-validating stub resolver: A less tedious term for a - non-validating security-aware stub resolver. - - security-aware name server: An entity acting in the role of a name - server (defined in section 2.4 of [RFC1034]) which understands the - DNS security extensions defined in this document set. In - particular, a security-aware name server is an entity which - receives DNS queries, sends DNS responses, supports the EDNS0 - [RFC2671] message size extension and the DO bit [RFC3225], and - supports the RR types and message header bits defined in this - document set. - - security-aware recursive name server: An entity which acts in both - the security-aware name server and security-aware resolver roles. - A more cumbersome equivalent phrase would be "a security-aware - name server which offers recursive service". - - - -Arends, et al. Expires August 16, 2004 [Page 5] - -Internet-Draft DNSSEC Introduction and Requirements February 2004 - - - security-aware resolver: An entity acting in the role of a resolver - (defined in section 2.4 of [RFC1034]) which understands the DNS - security extensions defined in this document set. In particular, - a security-aware resolver is an entity which sends DNS queries, - receives DNS responses, supports the EDNS0 [RFC2671] message size - extension and the DO bit [RFC3225], and is capable of using the RR - types and message header bits defined in this document set to - provide DNSSEC services. 
- - security-aware stub resolver: An entity acting in the role of a stub - resolver (defined in section 5.3.1 of [RFC1034]) which has enough - of an understanding the DNS security extensions defined in this - document set to provide additional services not available from a - security-oblivious stub resolver. Security-aware stub resolvers - may be either "validating" or "non-validating" depending on - whether the stub resolver attempts to verify DNSSEC signatures on - its own or trusts a friendly security-aware name server to do so. - See also: validating stub resolver, non-validating stub resolver. - - security-oblivious : An which is not - "security-aware". - - signed zone: A zone whose RRsets are signed and which contains - properly constructed DNSKEY, RRSIG, NSEC and (optionally) DS - records. - - unsigned zone: A zone which is not signed. - - validating security-aware stub resolver: A security-aware resolver - which operates sends queries in recursive mode but which performs - signature validation on its own rather than just blindly trusting - a friendly security-aware recursive name server. See also: - security-aware stub resolver, non-validating security-aware stub - resolver. - - validating stub resolver: A less tedious term for a validating - security-aware stub resolver. - - zone signing key: An authentication key which is used to sign a zone. - See key signing key, above. Typically a zone signing key will be - part of the same DNSKEY RRset as the key signing key which signs - it, but is used for a slightly different purpose and may differ - from the key signing key in other ways, such as validity lifetime. - Designating an authentication key as a zone signing key is purely - an operational issue: DNSSEC validation does not distinguish - between zone signing keys and other DNSSEC authentication keys. - See also: key signing key. - - - - -Arends, et al. 
Expires August 16, 2004 [Page 6] - -Internet-Draft DNSSEC Introduction and Requirements February 2004 - - -3. Services Provided by DNS Security - - The Domain Name System (DNS) security extensions provide origin - authentication and integrity assurance services for DNS data, - including mechanisms for authenticated denial of existence of DNS - data. These mechanisms are described below. - - These mechanisms require changes to the DNS protocol. DNSSEC adds - four new resource record types (RRSIG, DNSKEY, DS and NSEC) and two - new message header bits (CD and AD). In order to support the larger - DNS message sizes that result from adding the DNSSEC RRs, DNSSEC also - requires EDNS0 support [RFC2671]. Finally, DNSSEC requires support - for the DO bit [RFC3225], so that a security-aware resolver can - indicate in its queries that it wishes to receive DNSSEC RRs in - response messages. - - These services protect against most of the threats to the Domain Name - System described in [I-D.ietf-dnsext-dns-threats]. - -3.1 Data Origin Authentication and Data Integrity - - DNSSEC provides authentication by associating cryptographically - generated digital signatures with DNS RRsets. These digital - signatures are stored in a new resource record, the RRSIG record. - Typically, there will be a single private key that signs a zone's - data, but multiple keys are possible: for example, there may be keys - for each of several different digital signature algorithms. If a - security-aware resolver reliably learns a zone's public key, it can - authenticate that zone's signed data. An important DNSSEC concept is - that the key that signs a zone's data is associated with the zone - itself and not with the zone's authoritative name servers (public - keys for DNS transaction authentication mechanisms may also appear in - zones, as described in [RFC2931], but DNSSEC itself is concerned with - object security of DNS data, not channel security of DNS - transactions). 
- - A security-aware resolver can learn a zone's public key either by - having the key preconfigured into the resolver or by normal DNS - resolution. To allow the latter, public keys are stored in a new - type of resource record, the DNSKEY RR. Note that the private keys - used to sign zone data must be kept secure, and should be stored - offline when practical to do so. To discover a public key reliably - via DNS resolution, the target key itself needs to be signed by - either a preconfigured authentication key or another key that has - been authenticated previously. Security-aware resolvers authenticate - zone information by forming an authentication chain from a newly - learned public key back to a previously known authentication public - key, which in turn either must have been preconfigured into the - - - -Arends, et al. Expires August 16, 2004 [Page 7] - -Internet-Draft DNSSEC Introduction and Requirements February 2004 - - - resolver or must have been learned and verified previously. - Therefore, the resolver must be configured with at least one public - key or hash of a public key: if the preconfigured key is a zone - signing key, then it will authenticate the associated zone; if the - preconfigured key is a key signing key, it will authenticate a zone - signing key. If the resolver has been preconfigured with the hash of - a key rather than the key itself, the resolver may need to obtain the - key via a DNS query. To help security-aware resolvers establish this - authentication chain, security-aware name servers attempt to send the - signature(s) needed to authenticate a zone's public key in the DNS - reply message along with the public key itself, provided there is - space available in the message. - - The Delegation Signer (DS) RR type simplifies some of the - administrative tasks involved in signing delegations across - organizational boundaries. 
The DS RRset resides at a delegation - point in a parent zone and indicates the key or keys used by the - delegated child zone to self-sign the DNSKEY RRset at the child - zone's apex. The child zone, in turn, uses one or more of the keys - in this DNSKEY RRset to sign its zone data. The typical - authentication chain is therefore DNSKEY->[DS->DNSKEY]*->RRset, where - "*" denotes zero or more DS->DNSKEY subchains. DNSSEC permits more - complex authentication chains, such as additional layers of DNSKEY - RRs signing other DNSKEY RRs within a zone. - - A security-aware resolver normally constructs this authentication - chain from the root of the DNS hierarchy down to the leaf zones based - on preconfigured knowledge of the public key for the root. Local - policy, however, may also allow a security-aware resolver to use one - or more preconfigured keys (or key hashes) other than the root key, - or may not provide preconfigured knowledge of the root key, or may - prevent the resolver from using particular keys for arbitrary reasons - even if those keys are properly signed with verifiable signatures. - DNSSEC provides mechanisms by which a security-aware resolver can - determine whether an RRset's signature is "valid" within the meaning - of DNSSEC. In the final analysis however, authenticating both DNS - keys and data is a matter of local policy, which may extend or even - override the protocol extensions defined in this document set. - -3.2 Authenticating Name and Type Non-Existence - - The security mechanism described in Section 3.1 only provides a way - to sign existing RRsets in a zone. The problem of providing negative - responses with the same level of authentication and integrity - requires the use of another new resource record type, the NSEC - record. The NSEC record allows a security-aware resolver to - authenticate a negative reply for either name or type non-existence - via the same mechanisms used to authenticate other DNS replies. 
Use - - - -Arends, et al. Expires August 16, 2004 [Page 8] - -Internet-Draft DNSSEC Introduction and Requirements February 2004 - - - of NSEC records requires a canonical representation and ordering for - domain names in zones. Chains of NSEC records explicitly describe - the gaps, or "empty space", between domain names in a zone, as well - as listing the types of RRsets present at existing names. Each NSEC - record is signed and authenticated using the mechanisms described in - Section 3.1. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 9] - -Internet-Draft DNSSEC Introduction and Requirements February 2004 - - -4. Services Not Provided by DNS Security - - DNS was originally designed with the assumptions that the DNS will - return the same answer to any given query regardless of who may have - issued the query, and that all data in the DNS is thus visible. - Accordingly, DNSSEC is not designed to provide confidentiality, - access control lists, or other means of differentiating between - inquirers. - - DNSSEC provides no protection against denial of service attacks. - Security-aware resolvers and security-aware name servers are - vulnerable to an additional class of denial of service attacks based - on cryptographic operations. Please see Section 11 for details. - - The DNS security extensions provide data and origin authentication - for DNS data. The mechanisms outlined above are not designed to - protect operations such as zone transfers and dynamic update - [RFC3007]. Message authentication schemes described in [RFC2845] and - [RFC2931] address security operations that pertain to these - transactions. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 10] - -Internet-Draft DNSSEC Introduction and Requirements February 2004 - - -5. 
Resolver Considerations - - A security-aware resolver needs to be able to perform cryptographic - functions necessary to verify digital signatures using at least the - mandatory-to-implement algorithm(s). Security-aware resolvers must - also be capable of forming an authentication chain from a newly - learned zone back to an authentication key, as described above. This - process might require additional queries to intermediate DNS zones to - obtain necessary DNSKEY, DS and RRSIG records. A security-aware - resolver should be configured with at least one authentication key or - a key's DS RR hash as the starting point from which it will attempt - to establish authentication chains. - - If a security-aware resolver is separated from the relevant - authoritative name servers by a recursive name server or by any sort - of device which acts as a proxy for DNS, and if the recursive name - server or proxy is not security-aware, the security-aware resolver - may not be capable of operating in a secure mode. For example, if a - security-aware resolver's packets are routed through a network - address translation device that includes a DNS proxy which is not - security-aware, the security-aware resolver may find it difficult or - impossible to obtain or validate signed DNS data. - - If a security-aware resolver must rely on an unsigned zone or a name - server that is not security aware, the resolver may not be able to - validate DNS responses, and will need a local policy on whether to - accept unverified responses. - - A security-aware resolver should take a signature's validation period - into consideration when determining the TTL of data in its cache, to - avoid caching signed data beyond the validity period of the - signature, but should also allow for the possibility that the - security-aware resolver's own clock is wrong. 
Thus, a security-aware - resolver which is part of a security-aware recursive name server will - need to pay careful attention to the DNSSEC "checking disabled" (CD) - bit [I-D.ietf-dnsext-dnssec-records]. This is in order to avoid - blocking valid signatures from getting through to other - security-aware resolvers which are clients of this recursive name - server. See [I-D.ietf-dnsext-dnssec-protocol] for how a secure - recursive server handles queries with the CD bit set. - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 11] - -Internet-Draft DNSSEC Introduction and Requirements February 2004 - - -6. Stub Resolver Considerations - - Although not strictly required to do so by the protocol, most DNS - queries originate from stub resolvers. Stub resolvers, by - definition, are minimal DNS resolvers which use recursive query mode - to offload most of the work of DNS resolution to a recursive name - server. Given the widespread use of stub resolvers, the DNSSEC - architecture has to take stub resolvers into account, but the - security features needed in a stub resolver differ in some respects - from those needed in a full security-aware resolver. - - Even an unaugmented stub resolver may get some benefit from DNSSEC if - the recursive name servers it uses are security-aware, but for the - stub resolver to place any real reliance on DNSSEC services, the stub - resolver must trust both the recursive name servers in question and - the communication channels between itself and those name servers. - The first of these issues is a local policy issue: in essence, a - security-oblivious stub resolver has no real choice but to place - itself at the mercy of the recursive name servers that it uses, since - it does not perform DNSSEC validity checks on its own. 
The second - issue requires some kind of channel security mechanism; proper use of - DNS transaction authentication mechanisms such as SIG(0) or TSIG - would suffice, as would appropriate use of IPsec, and particular - implementations may have other choices available, such as operating - system specific interprocess communication mechanisms. - Confidentiality is not needed for this channel, but data integrity - and message authentication are. - - A security-aware stub resolver which does trust both its recursive - name servers and its communication channel to them may choose to - examine the setting of the AD bit in the message header of the - response messages it receives. The stub resolver can use this flag - bit as a hint to find out whether the recursive name server was able - to validate signatures for all of the data in the Answer and - Authority sections of the response. - - There is one more step which a security-aware stub resolver can take - if, for whatever reason, it is not able to establish a useful trust - relationship with the recursive name servers which it uses: it can - perform its own signature validation, by setting the Checking - Disabled (CD) bit in its query messages. A validating stub resolver - is thus able to treat the DNSSEC signatures as a trust relationship - between the zone administrator and the stub resolver itself. - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 12] - -Internet-Draft DNSSEC Introduction and Requirements February 2004 - - -7. Zone Considerations - - There are several differences between signed and unsigned zones. A - signed zone will contain additional security-related records (RRSIG, - DNSKEY, DS and NSEC records). RRSIG and NSEC records may be - generated by a signing process prior to serving the zone. The RRSIG - records that accompany zone data have defined inception and - expiration times, which establish a validity period for the - signatures and the zone data the signatures cover. 
- -7.1 TTL values vs. RRSIG validity period - - It is important to note the distinction between a RRset's TTL value - and the signature validity period specified by the RRSIG RR covering - that RRset. DNSSEC does not change the definition or function of the - TTL value, which is intended to maintain database coherency in - caches. A caching resolver purges RRsets from its cache no later than - the end of the time period specified by the TTL fields of those - RRsets, regardless of whether or not the resolver is security-aware. - - The inception and expiration fields in the RRSIG RR - [I-D.ietf-dnsext-dnssec-records], on the other hand, specify the time - period during which the signature can be used to validate the RRset - that it covers. The signatures associated with signed zone data are - only valid for the time period specified by these fields in the RRSIG - RRs in question. TTL values cannot extend the validity period of - signed RRsets in a resolver's cache, but the resolver may use the - time remaining before expiration of the signature validity period of - a signed RRset as an upper bound for the TTL of the signed RRset and - its associated RRSIG RR in the resolver's cache. - -7.2 New Temporal Dependency Issues for Zones - - Information in a signed zone has a temporal dependency which did not - exist in the original DNS protocol. A signed zone requires regular - maintenance to ensure that each RRset in the zone has a current valid - RRSIG RR. The signature validity period of an RRSIG RR is an - interval during which the signature for one particular signed RRset - can be considered valid, and the signatures of different RRsets in a - zone may expire at different times. Re-signing one or more RRsets in - a zone will change one or more RRSIG RRs, which in turn will require - incrementing the zone's SOA serial number to indicate that a zone - change has occurred and re-signing the SOA RRset itself. 
Thus, - re-signing any RRset in a zone may also trigger DNS NOTIFY messages - and zone transfers operations. - - - - - - -Arends, et al. Expires August 16, 2004 [Page 13] - -Internet-Draft DNSSEC Introduction and Requirements February 2004 - - -8. Name Server Considerations - - A security-aware name server should include the appropriate DNSSEC - records (RRSIG, DNSKEY, DS and NSEC) in all responses to queries from - resolvers which have signaled their willingness to receive such - records via use of the DO bit in the EDNS header, subject to message - size limitations. Since inclusion of these DNSSEC RRs could easily - cause UDP message truncation and fallback to TCP, a security-aware - name server must also support the EDNS "sender's UDP payload" - mechanism. - - If possible, the private half of each DNSSEC key pair should be kept - offline, but this will not be possible for a zone for which DNS - dynamic update has been enabled. In the dynamic update case, the - primary master server for the zone will have to re-sign the zone when - updated, so the private half of the zone signing key will have to be - kept online. This is an example of a situation where the ability to - separate the zone's DNSKEY RRset into zone signing key(s) and key - signing key(s) may be useful, since the key signing key(s) in such a - case can still be kept offline. - - DNSSEC, by itself, is not enough to protect the integrity of an - entire zone during zone transfer operations, since even a signed zone - contains some unsigned, nonauthoritative data if the zone has any - children, so zone maintenance operations will require some additional - mechanisms (most likely some form of channel security, such as TSIG, - SIG(0), or IPsec). - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 14] - -Internet-Draft DNSSEC Introduction and Requirements February 2004 - - -9. 
DNS Security Document Family - - The DNSSEC document set can be partitioned into several main groups, - under the larger umbrella of the DNS base protocol documents. - - The "DNSSEC protocol document set" refers to the three documents - which form the core of the DNS security extensions: - - 1. DNS Security Introduction and Requirements (this document) - - 2. Resource Records for DNS Security Extensions - [I-D.ietf-dnsext-dnssec-records] - - 3. Protocol Modifications for the DNS Security Extensions - [I-D.ietf-dnsext-dnssec-protocol] - - The "Digital Signature Algorithm Specification" document set refers - to the group of documents that describe how specific digital - signature algorithms should be implemented to fit the DNSSEC resource - record format. Each of these documents deals with a specific digital - signature algorithm. - - The "Transaction Authentication Protocol" document set refers to the - group of documents that deal with DNS message authentication, - including secret key establishment and verification. While not - strictly part of the DNSSEC specification as defined in this set of - documents, this group is noted to show its relationship to DNSSEC. - - The final document set, "New Security Uses", refers to documents that - seek to use proposed DNS Security extensions for other security - related purposes. DNSSEC does not provide any direct security for - these new uses, but may be used to support them. Documents that fall - in this category include the use of DNS in the storage and - distribution of certificates [RFC2538]. - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 15] - -Internet-Draft DNSSEC Introduction and Requirements February 2004 - - -10. IANA Considerations - - This overview document introduces no new IANA considerations. Please - see [I-D.ietf-dnsext-dnssec-records] for a complete review of the - IANA considerations introduced by DNSSEC. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 16] - -Internet-Draft DNSSEC Introduction and Requirements February 2004 - - -11. Security Considerations - - This document introduces the DNS security extensions and describes - the document set that contains the new security records and DNS - protocol modifications. This document discusses the capabilities and - limitations of these extensions. The extensions provide data origin - authentication and data integrity using digital signatures over - resource record sets. - - In order for a security-aware resolver to validate a DNS response, - all zones along the path from the trusted starting point to the zone - containing the response zones must be signed, and all name servers - and resolvers involved in the resolution process must be - security-aware, as defined in this document set. A security-aware - resolver cannot verify responses originating from an unsigned zone, - from a zone not served by a security-aware name server, or for any - DNS data which the resolver is only able to obtain through a - recursive name server which is not security-aware. If there is a - break in the authentication chain such that a security-aware resolver - cannot obtain and validate the authentication keys it needs, then the - security-aware resolver cannot validate the affected DNS data. - - This document briefly discusses other methods of adding security to a - DNS query, such as using a channel secured by IPsec or using a DNS - transaction authentication mechanism, but transaction security is not - part of DNSSEC per se. 
- - A non-validating security-aware stub resolver, by definition, does - not perform DNSSEC signature validation on its own, and thus is - vulnerable both to attacks on (and by) the security-aware recursive - name servers which perform these checks on its behalf and also to - attacks on its communication with those security-aware recursive name - servers. Non-validating security-aware stub resolvers should use some - form of channel security to defend against the latter threat. The - only known defense against the former threat would be for the - security-aware stub resolver to perform its own signature validation, - at which point, again by definition, it would no longer be a - non-validating security-aware stub resolver. - - DNSSEC does not protect against denial of service attacks. DNSSEC - makes DNS vulnerable to a new class of denial of service attacks - based on cryptographic operations against security-aware resolvers - and security-aware name servers, since an attacker can attempt to use - DNSSEC mechanisms to consume a victim's resources. This class of - attacks takes at least two forms. An attacker may be able to consume - resources in a security-aware resolver's signature validation code by - tampering with RRSIG RRs in response messages or by constructing - needlessly complex signature chains. An attacker may also be able to - - - -Arends, et al. Expires August 16, 2004 [Page 17] - -Internet-Draft DNSSEC Introduction and Requirements February 2004 - - - consume resources in a security-aware name server which supports DNS - dynamic update, by sending a stream of update messages that force the - security-aware name server to re-sign some RRsets in the zone more - frequently than would otherwise be necessary. - - DNSSEC introduces the ability for a hostile party to enumerate all - the names in a zone by following the NSEC chain. 
NSEC RRs assert - which names do not exist in a zone by linking from existing name to - existing name along a canonical ordering of all the names within a - zone. Thus, an attacker can query these NSEC RRs in sequence to - obtain all the names in a zone. While not an attack on the DNS - itself, this could allow an attacker to map network hosts or other - resources by enumerating the contents of a zone. There are non-DNS - protocol means of detecting and limiting this attack beyond the scope - of this document set. - - DNSSEC introduces significant additional complexity to the DNS, and - thus introduces many new opportunities for implementation bugs and - misconfigured zones. In particular, enabling DNSSEC signature - validation in a resolver may cause entire legitimate zones to become - effectively unreachable due to DNSSEC configuration errors or bugs. - - DNSSEC does not provide confidentiality, due to a deliberate design - choice. - - DNSSEC does not protect against tampering with unsigned zone data. - Non-authoritative data at zone cuts (glue and NS RRs in the parent - zone) are not signed. This does not pose a problem when validating - the authentication chain, but does mean that the non-authoritative - data itself is vulnerable to tampering during zone transfer - operations. Thus, while DNSSEC can provide data origin - authentication and data integrity for RRsets, it cannot do so for - zones, and other mechanisms must be used to protect zone transfer - operations. - - Please see [I-D.ietf-dnsext-dnssec-records] and - [I-D.ietf-dnsext-dnssec-protocol] for additional security - considerations. - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 18] - -Internet-Draft DNSSEC Introduction and Requirements February 2004 - - -12. Acknowledgements - - This document was created from the input and ideas of the members of - the DNS Extensions Working Group. 
While explicitly listing everyone - who has contributed during the decade during which DNSSEC has been - under development would be an impossible task, the editors would - particularly like to thank the following people for their - contributions to and comments on this document set: Mark Andrews, - Derek Atkins, Alan Barrett, Dan Bernstein, David Blacka, Len Budney, - Randy Bush, Francis Dupont, Donald Eastlake, Miek Gieben, Michael - Graff, Olafur Gudmundsson, Gilles Guette, Andreas Gustafsson, Phillip - Hallam-Baker, Walter Howard, Stephen Jacob, Simon Josefsson, Olaf - Kolkman, Mark Kosters, David Lawrence, Ted Lemon, Ed Lewis, Ted - Lindgreen, Josh Littlefield, Rip Loomis, Bill Manning, Mans Nilsson, - Masataka Ohta, Rob Payne, Jim Reid, Michael Richardson, Erik - Rozendaal, Jakob Schlyter, Mike StJohns, Sam Weiler, and Brian - Wellington. - - No doubt the above is an incomplete list. We apologize to anyone we - left out. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 19] - -Internet-Draft DNSSEC Introduction and Requirements February 2004 - - -Normative References - - [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", - STD 13, RFC 1034, November 1987. - - [RFC1035] Mockapetris, P., "Domain names - implementation and - specification", STD 13, RFC 1035, November 1987. - - [RFC2535] Eastlake, D., "Domain Name System Security Extensions", - RFC 2535, March 1999. - - [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC - 2671, August 1999. - - [RFC3225] Conrad, D., "Indicating Resolver Support of DNSSEC", RFC - 3225, December 2001. - - [RFC3226] Gudmundsson, O., "DNSSEC and IPv6 A6 aware server/resolver - message size requirements", RFC 3226, December 2001. - - [RFC3445] Massey, D. and S. Rose, "Limiting the Scope of the KEY - Resource Record (RR)", RFC 3445, December 2002. - - [I-D.ietf-dnsext-dnssec-records] - Arends, R., Austein, R., Larson, M., Massey, D. and S. 
- Rose, "Resource Records for DNS Security Extensions", - draft-ietf-dnsext-dnssec-records-07 (work in progress), - February 2004. - - [I-D.ietf-dnsext-dnssec-protocol] - Arends, R., Austein, R., Larson, M., Massey, D. and S. - Rose, "Protocol Modifications for the DNS Security - Extensions", draft-ietf-dnsext-dnssec-protocol-05 (work in - progress), February 2004. - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 20] - -Internet-Draft DNSSEC Introduction and Requirements February 2004 - - -Informative References - - [RFC2136] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic - Updates in the Domain Name System (DNS UPDATE)", RFC 2136, - April 1997. - - [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS - Specification", RFC 2181, July 1997. - - [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS - NCACHE)", RFC 2308, March 1998. - - [RFC2538] Eastlake, D. and O. Gudmundsson, "Storing Certificates in - the Domain Name System (DNS)", RFC 2538, March 1999. - - [RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D. and B. - Wellington, "Secret Key Transaction Authentication for DNS - (TSIG)", RFC 2845, May 2000. - - [RFC2931] Eastlake, D., "DNS Request and Transaction Signatures ( - SIG(0)s)", RFC 2931, September 2000. - - [RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic - Update", RFC 3007, November 2000. - - [RFC3008] Wellington, B., "Domain Name System Security (DNSSEC) - Signing Authority", RFC 3008, November 2000. - - [RFC3090] Lewis, E., "DNS Security Extension Clarification on Zone - Status", RFC 3090, March 2001. - - [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record - (RR) Types", RFC 3597, September 2003. - - [RFC3655] Wellington, B. and O. Gudmundsson, "Redefinition of DNS - Authenticated Data (AD) bit", RFC 3655, November 2003. - - [RFC3658] Gudmundsson, O., "Delegation Signer (DS) Resource Record - (RR)", RFC 3658, December 2003. 
- - [I-D.ietf-dnsext-dns-threats] - Atkins, D. and R. Austein, "Threat Analysis Of The Domain - Name System", draft-ietf-dnsext-dns-threats-05 (work in - progress), November 2003. - - [I-D.ietf-dnsext-dnssec-2535typecode-change] - Weiler, S., "Legacy Resolver Compatibility for Delegation - Signer", draft-ietf-dnsext-dnssec-2535typecode-change-06 - - - -Arends, et al. Expires August 16, 2004 [Page 21] - -Internet-Draft DNSSEC Introduction and Requirements February 2004 - - - (work in progress), December 2003. - - [I-D.ietf-dnsext-keyrr-key-signing-flag] - Kolkman, O., Schlyter, J. and E. Lewis, "KEY RR Secure - Entry Point Flag", - draft-ietf-dnsext-keyrr-key-signing-flag-12 (work in - progress), December 2003. - - -Authors' Addresses - - Roy Arends - Telematica Instituut - Drienerlolaan 5 - 7522 NB Enschede - NL - - EMail: roy.arends@telin.nl - - - Rob Austein - Internet Systems Consortium - 950 Charter Street - Redwood City, CA 94063 - USA - - EMail: sra@isc.org - - - Matt Larson - VeriSign, Inc. - 21345 Ridgetop Circle - Dulles, VA 20166-6503 - USA - - EMail: mlarson@verisign.com - - - Dan Massey - USC Information Sciences Institute - 3811 N. Fairfax Drive - Arlington, VA 22203 - USA - - EMail: masseyd@isi.edu - - - - - - -Arends, et al. Expires August 16, 2004 [Page 22] - -Internet-Draft DNSSEC Introduction and Requirements February 2004 - - - Scott Rose - National Institute for Standards and Technology - 100 Bureau Drive - Gaithersburg, MD 20899-8920 - USA - - EMail: scott.rose@nist.gov - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. 
Expires August 16, 2004 [Page 23] - -Internet-Draft DNSSEC Introduction and Requirements February 2004 - - -Intellectual Property Statement - - The IETF takes no position regarding the validity or scope of any - intellectual property or other rights that might be claimed to - pertain to the implementation or use of the technology described in - this document or the extent to which any license under such rights - might or might not be available; neither does it represent that it - has made any effort to identify any such rights. Information on the - IETF's procedures with respect to rights in standards-track and - standards-related documentation can be found in BCP-11. Copies of - claims of rights made available for publication and any assurances of - licenses to be made available, or the result of an attempt made to - obtain a general license or permission for the use of such - proprietary rights by implementors or users of this specification can - be obtained from the IETF Secretariat. - - The IETF invites any interested party to bring to its attention any - copyrights, patents or patent applications, or other proprietary - rights which may cover technology that may be required to practice - this standard. Please address the information to the IETF Executive - Director. - - -Full Copyright Statement - - Copyright (C) The Internet Society (2004). All Rights Reserved. - - This document and translations of it may be copied and furnished to - others, and derivative works that comment on or otherwise explain it - or assist in its implementation may be prepared, copied, published - and distributed, in whole or in part, without restriction of any - kind, provided that the above copyright notice and this paragraph are - included on all such copies and derivative works. 
However, this - document itself may not be modified in any way, such as by removing - the copyright notice or references to the Internet Society or other - Internet organizations, except as needed for the purpose of - developing Internet standards in which case the procedures for - copyrights defined in the Internet Standards process must be - followed, or as required to translate it into languages other than - English. - - The limited permissions granted above are perpetual and will not be - revoked by the Internet Society or its successors or assignees. - - This document and the information contained herein is provided on an - "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING - TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING - BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION - - - -Arends, et al. Expires August 16, 2004 [Page 24] - -Internet-Draft DNSSEC Introduction and Requirements February 2004 - - - HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF - MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - - -Acknowledgement - - Funding for the RFC Editor function is currently provided by the - Internet Society. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 25] - - + + +DNS Extensions R. Arends +Internet-Draft Telematica Instituut +Expires: November 15, 2004 R. Austein + ISC + M. Larson + VeriSign + D. Massey + USC/ISI + S. Rose + NIST + May 17, 2004 + + + DNS Security Introduction and Requirements + draft-ietf-dnsext-dnssec-intro-10 + +Status of this Memo + + This document is an Internet-Draft and is in full conformance with + all provisions of Section 10 of RFC2026. + + Internet-Drafts are working documents of the Internet Engineering + Task Force (IETF), its areas, and its working groups. Note that other + groups may also distribute working documents as Internet-Drafts. 
+ + Internet-Drafts are draft documents valid for a maximum of six months + and may be updated, replaced, or obsoleted by other documents at any + time. It is inappropriate to use Internet-Drafts as reference + material or to cite them other than as "work in progress." + + The list of current Internet-Drafts can be accessed at http:// + www.ietf.org/ietf/1id-abstracts.txt. + + The list of Internet-Draft Shadow Directories can be accessed at + http://www.ietf.org/shadow.html. + + This Internet-Draft will expire on November 15, 2004. + +Copyright Notice + + Copyright (C) The Internet Society (2004). All Rights Reserved. + +Abstract + + The Domain Name System Security Extensions (DNSSEC) add data origin + authentication and data integrity to the Domain Name System. This + document introduces these extensions, and describes their + capabilities and limitations. This document also discusses the + services that the DNS security extensions do and do not provide. + + + +Arends, et al. Expires November 15, 2004 [Page 1] + +Internet-Draft DNSSEC Introduction and Requirements May 2004 + + + Last, this document describes the interrelationships between the + group of documents that collectively describe DNSSEC. + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2. Definitions of Important DNSSEC Terms . . . . . . . . . . . . 4 + 3. Services Provided by DNS Security . . . . . . . . . . . . . . 8 + 3.1 Data Origin Authentication and Data Integrity . . . . . . 8 + 3.2 Authenticating Name and Type Non-Existence . . . . . . . . 9 + 4. Services Not Provided by DNS Security . . . . . . . . . . . . 11 + 5. Scope of the DNSSEC Document Set and Last Hop Issues . . . . . 12 + 6. Resolver Considerations . . . . . . . . . . . . . . . . . . . 14 + 7. Stub Resolver Considerations . . . . . . . . . . . . . . . . . 15 + 8. Zone Considerations . . . . . . . . . . . . . . . . . . . . . 16 + 8.1 TTL values vs. RRSIG validity period . . . . . . . . . . . 
16 + 8.2 New Temporal Dependency Issues for Zones . . . . . . . . . 16 + 9. Name Server Considerations . . . . . . . . . . . . . . . . . . 17 + 10. DNS Security Document Family . . . . . . . . . . . . . . . . 18 + 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . 19 + 12. Security Considerations . . . . . . . . . . . . . . . . . . 20 + 13. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 22 + 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 23 + 14.1 Normative References . . . . . . . . . . . . . . . . . . . . 23 + 14.2 Informative References . . . . . . . . . . . . . . . . . . . 23 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 25 + Intellectual Property and Copyright Statements . . . . . . . . 26 + + + + + + + + + + + + + + + + + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 2] + +Internet-Draft DNSSEC Introduction and Requirements May 2004 + + +1. Introduction + + This document introduces the Domain Name System Security Extensions + (DNSSEC). This document and its two companion documents + ([I-D.ietf-dnsext-dnssec-records] and + [I-D.ietf-dnsext-dnssec-protocol]) update, clarify, and refine the + security extensions defined in RFC 2535 [RFC2535] and its + predecessors. These security extensions consist of a set of new + resource record types and modifications to the existing DNS protocol + [RFC1035]. The new records and protocol modifications are not fully + described in this document, but are described in a family of + documents outlined in Section 10. Section 3 and Section 4 describe + the capabilities and limitations of the security extensions in + greater detail. Section 5 discusses the scope of the document set. + Section 6, Section 7, Section 8, and Section 9 discuss the effect + that these security extensions will have on resolvers, stub + resolvers, zones and name servers. 
+ + This document and its two companions update and obsolete RFCs 2535 + [RFC2535], 3008 [RFC3008], 3090 [RFC3090], 3445 [RFC3445], 3655 + [RFC3655], 3658 [RFC3658], 3755 [RFC3755], and the Work in Progress + [I-D.ietf-dnsext-nsec-rdata]. This document set also updates, but + does not obsolete, RFCs 1034 [RFC1034], 1035 [RFC1035], 2136 + [RFC2136], 2181 [RFC2181], 2308 [RFC2308], 3597 [RFC3597], and parts + of 3226 [RFC3226] (dealing with DNSSEC). + + The DNS security extensions provide origin authentication and + integrity protection for DNS data, as well as a means of public key + distribution. These extensions do not provide confidentiality. + + + + + + + + + + + + + + + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 3] + +Internet-Draft DNSSEC Introduction and Requirements May 2004 + + +2. Definitions of Important DNSSEC Terms + + This section defines a number of terms used in this document set. + Since this is intended to be useful as a reference while reading the + rest of the document set, first-time readers may wish to skim this + section quickly, read the rest of this document, then come back to + this section. + + Authentication Chain: An alternating sequence of DNSKEY RRsets and DS + RRsets forms a chain of signed data, with each link in the chain + vouching for the next. A DNSKEY RR is used to verify the + signature covering a DS RR and allows the DS RR to be + authenticated. The DS RR contains a hash of another DNSKEY RR and + this new DNSKEY RR is authenticated by matching the hash in the DS + RR. This new DNSKEY RR in turn authenticates another DNSKEY RRset + and, in turn, some DNSKEY RR in this set may be used to + authenticate another DS RR and so forth until the chain finally + ends with a DNSKEY RR whose corresponding private key signs the + desired DNS data. For example, the root DNSKEY RRset can be used + to authenticate the DS RRset for "example." The "example." DS + RRset contains a hash that matches some "example." 
DNSKEY, and + this DNSKEY's corresponding private key signs the "example." + DNSKEY RRset. Private key counterparts of the "example." DNSKEY + RRset sign data records such as "www.example." as well as DS RRs + for delegations such as "subzone.example." + + Authentication Key: A public key that a security-aware resolver has + verified and can therefore use to authenticate data. A + security-aware resolver can obtain authentication keys in three + ways. First, the resolver is generally configured to know about + at least one public key; this configured data is usually either + the public key itself or a hash of the public key as found in the + DS RR (see "trust anchor"). Second, the resolver may use an + authenticated public key to verify a DS RR and its associated + DNSKEY RR. Third, the resolver may be able to determine that a + new public key has been signed by the private key corresponding to + another public key which the resolver has verified. Note that the + resolver must always be guided by local policy when deciding + whether to authenticate a new public key, even if the local policy + is simply to authenticate any new public key for which the + resolver is able verify the signature. + + Delegation Point: Term used to describe the name at the parental side + of a zone cut. That is, the delegation point for "foo.example" + would be the foo.example node in the "example" zone (as opposed to + the zone apex of the "foo.example" zone). + + + + + +Arends, et al. Expires November 15, 2004 [Page 4] + +Internet-Draft DNSSEC Introduction and Requirements May 2004 + + + Island of Security: Term used to describe a signed, delegated zone + that does not have an authentication chain from its delegating + parent. That is, there is no DS RR containing a hash of a DNSKEY + RR for the island in its delegating parent zone (see + [I-D.ietf-dnsext-dnssec-records]). 
An island of security is served + by security-aware name servers and may provide authentication + chains to any delegated child zones. Responses from an island of + security or its descendents can only be authenticated if its + authentication keys can be authenticated by some trusted means out + of band from the DNS protocol. + + Key Signing Key: An authentication key that corresponds to a private + key used to sign one or more other authentication keys for a given + zone. Typically, the private key corresponding to a key signing + key will sign a zone signing key, which in turn has a + corresponding private key which will sign other zone data. Local + policy may require the zone signing key to be changed frequently, + while the key signing key may have a longer validity period in + order to provide a more stable secure entry point into the zone. + Designating an authentication key as a key signing key is purely + an operational issue: DNSSEC validation does not distinguish + between key signing keys and other DNSSEC authentication keys, and + it is possible to use a single key as both a key signing key and a + zone signing key. Key signing keys are discussed in more detail + in [RFC3757]. Also see: zone signing key. + + Non-Validating Security-Aware Stub Resolver: A security-aware stub + resolver which trusts one or more security-aware recursive name + servers to perform most of the tasks discussed in this document + set on its behalf. In particular, a non-validating security-aware + stub resolver is an entity which sends DNS queries, receives DNS + responses, and is capable of establishing an appropriately secured + channel to a security-aware recursive name server which will + provide these services on behalf of the security-aware stub + resolver. See also: security-aware stub resolver, validating + security-aware stub resolver. + + Non-Validating Stub Resolver: A less tedious term for a + non-validating security-aware stub resolver. 
+ + Security-Aware Name Server: An entity acting in the role of a name + server (defined in section 2.4 of [RFC1034]) that understands the + DNS security extensions defined in this document set. In + particular, a security-aware name server is an entity which + receives DNS queries, sends DNS responses, supports the EDNS0 + [RFC2671] message size extension and the DO bit [RFC3225], and + supports the RR types and message header bits defined in this + document set. + + + +Arends, et al. Expires November 15, 2004 [Page 5] + + + Security-Aware Recursive Name Server: An entity which acts in both + the security-aware name server and security-aware resolver roles. + A more cumbersome equivalent phrase would be "a security-aware + name server which offers recursive service". + + Security-Aware Resolver: An entity acting in the role of a resolver + (defined in section 2.4 of [RFC1034]) which understands the DNS + security extensions defined in this document set. In particular, + a security-aware resolver is an entity which sends DNS queries, + receives DNS responses, supports the EDNS0 [RFC2671] message size + extension and the DO bit [RFC3225], and is capable of using the RR + types and message header bits defined in this document set to + provide DNSSEC services. + + Security-Aware Stub Resolver: An entity acting in the role of a stub + resolver (defined in section 5.3.1 of [RFC1034]) which has enough + of an understanding the DNS security extensions defined in this + document set to provide additional services not available from a + security-oblivious stub resolver. Security-aware stub resolvers + may be either "validating" or "non-validating" depending on + whether the stub resolver attempts to verify DNSSEC signatures on + its own or trusts a friendly security-aware name server to do so. + See also: validating stub resolver, non-validating stub resolver. + + Security-Oblivious : An that is not + "security-aware". 
+
+ Signed Zone: A zone whose RRsets are signed and which contains
+ properly constructed DNSKEY, RRSIG, NSEC and (optionally) DS
+ records.
+
+ Trust Anchor: A configured DNSKEY RR or DS RR hash of a DNSKEY RR. A
+ validating security-aware resolver uses this public key or hash as
+ a starting point for building the authentication chain to a signed
+ DNS response. In general, a validating resolver will need to
+ obtain the initial values of its trust anchors via some secure or
+ trusted means outside the DNS protocol. Presence of a trust
+ anchor also implies that the resolver should expect the zone to
+ which the trust anchor points to be signed
+
+ Unsigned Zone: A zone that is not signed.
+
+ Validating Security-Aware Stub Resolver: A security-aware resolver
+ that sends queries in recursive mode but which performs signature
+ validation on its own rather than just blindly trusting an
+ upstream security-aware recursive name server. See also:
+ security-aware stub resolver, non-validating security-aware stub
+ resolver.
+
+
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 6]
+
+Internet-Draft DNSSEC Introduction and Requirements May 2004
+
+
+ Validating Stub Resolver: A less tedious term for a validating
+ security-aware stub resolver.
+
+ Zone Signing Key: An authentication key that corresponds to a private
+ key used to sign a zone. Typically a zone signing key will be
+ part of the same DNSKEY RRset as the key signing key whose
+ corresponding private key signs this DNSKEY RRset, but the zone
+ signing key is used for a slightly different purpose, and may
+ differ from the key signing key in other ways, such as validity
+ lifetime. Designating an authentication key as a zone signing key
+ is purely an operational issue: DNSSEC validation does not
+ distinguish between zone signing keys and other DNSSEC
+ authentication keys, and it is possible to use a single key as
+ both a key signing key and a zone signing key. See also: key
+ signing key.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 7]
+
+Internet-Draft DNSSEC Introduction and Requirements May 2004
+
+
+3. Services Provided by DNS Security
+
+ The Domain Name System (DNS) security extensions provide origin
+ authentication and integrity assurance services for DNS data,
+ including mechanisms for authenticated denial of existence of DNS
+ data. These mechanisms are described below.
+
+ These mechanisms require changes to the DNS protocol. DNSSEC adds
+ four new resource record types (RRSIG, DNSKEY, DS and NSEC) and two
+ new message header bits (CD and AD). In order to support the larger
+ DNS message sizes that result from adding the DNSSEC RRs, DNSSEC also
+ requires EDNS0 support [RFC2671]. Finally, DNSSEC requires support
+ for the DO bit [RFC3225], so that a security-aware resolver can
+ indicate in its queries that it wishes to receive DNSSEC RRs in
+ response messages.
+
+ These services protect against most of the threats to the Domain Name
+ System described in [I-D.ietf-dnsext-dns-threats].
+
+3.1 Data Origin Authentication and Data Integrity
+
+ DNSSEC provides authentication by associating cryptographically
+ generated digital signatures with DNS RRsets. These digital
+ signatures are stored in a new resource record, the RRSIG record.
+ Typically, there will be a single private key that signs a zone's
+ data, but multiple keys are possible: for example, there may be keys
+ for each of several different digital signature algorithms. If a
+ security-aware resolver reliably learns a zone's public key, it can
+ authenticate that zone's signed data.
An important DNSSEC concept is
+ that the key that signs a zone's data is associated with the zone
+ itself and not with the zone's authoritative name servers (public
+ keys for DNS transaction authentication mechanisms may also appear in
+ zones, as described in [RFC2931], but DNSSEC itself is concerned with
+ object security of DNS data, not channel security of DNS
+ transactions).
+
+ A security-aware resolver can learn a zone's public key either by
+ having a trust anchor configured into the resolver or by normal DNS
+ resolution. To allow the latter, public keys are stored in a new
+ type of resource record, the DNSKEY RR. Note that the private keys
+ used to sign zone data must be kept secure, and should be stored
+ offline when practical to do so. To discover a public key reliably
+ via DNS resolution, the target key itself needs to be signed by
+ either a configured authentication key or another key that has been
+ authenticated previously. Security-aware resolvers authenticate zone
+ information by forming an authentication chain from a newly learned
+ public key back to a previously known authentication public key,
+ which in turn either has been configured into the resolver or must
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 8]
+
+Internet-Draft DNSSEC Introduction and Requirements May 2004
+
+
+ have been learned and verified previously. Therefore, the resolver
+ must be configured with at least one trust anchor. If the configured
+ key is a zone signing key, then it will authenticate the associated
+ zone; if the configured key is a key signing key, it will
+ authenticate a zone signing key. If the resolver has been configured
+ with the hash of a key rather than the key itself, the resolver may
+ need to obtain the key via a DNS query.
To help security-aware
+ resolvers establish this authentication chain, security-aware name
+ servers attempt to send the signature(s) needed to authenticate a
+ zone's public key(s) in the DNS reply message along with the public
+ key itself, provided there is space available in the message.
+
+ The Delegation Signer (DS) RR type simplifies some of the
+ administrative tasks involved in signing delegations across
+ organizational boundaries. The DS RRset resides at a delegation
+ point in a parent zone and indicates the public key(s) corresponding
+ to the private key(s) used to self-sign the DNSKEY RRset at the
+ delegated child zone's apex. The administrator of the child zone, in
+ turn, uses the private key(s) corresponding to one or more of the
+ public keys in this DNSKEY RRset to sign the child zone's data. The
+ typical authentication chain is therefore
+ DNSKEY->[DS->DNSKEY]*->RRset, where "*" denotes zero or more
+ DS->DNSKEY subchains. DNSSEC permits more complex authentication
+ chains, such as additional layers of DNSKEY RRs signing other DNSKEY
+ RRs within a zone.
+
+ A security-aware resolver normally constructs this authentication
+ chain from the root of the DNS hierarchy down to the leaf zones based
+ on configured knowledge of the public key for the root. Local
+ policy, however, may also allow a security-aware resolver to use one
+ or more configured public keys (or hashes of public keys) other than
+ the root public key, or may not provide configured knowledge of the
+ root public key, or may prevent the resolver from using particular
+ public keys for arbitrary reasons even if those public keys are
+ properly signed with verifiable signatures. DNSSEC provides
+ mechanisms by which a security-aware resolver can determine whether
+ an RRset's signature is "valid" within the meaning of DNSSEC.
In the
+ final analysis however, authenticating both DNS keys and data is a
+ matter of local policy, which may extend or even override the
+ protocol extensions defined in this document set. See for further
+ discussion.
+
+3.2 Authenticating Name and Type Non-Existence
+
+ The security mechanism described in Section 3.1 only provides a way
+ to sign existing RRsets in a zone. The problem of providing negative
+ responses with the same level of authentication and integrity
+ requires the use of another new resource record type, the NSEC
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 9]
+
+Internet-Draft DNSSEC Introduction and Requirements May 2004
+
+
+ record. The NSEC record allows a security-aware resolver to
+ authenticate a negative reply for either name or type non-existence
+ via the same mechanisms used to authenticate other DNS replies. Use
+ of NSEC records requires a canonical representation and ordering for
+ domain names in zones. Chains of NSEC records explicitly describe
+ the gaps, or "empty space", between domain names in a zone, as well
+ as listing the types of RRsets present at existing names. Each NSEC
+ record is signed and authenticated using the mechanisms described in
+ Section 3.1.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 10]
+
+Internet-Draft DNSSEC Introduction and Requirements May 2004
+
+
+4. Services Not Provided by DNS Security
+
+ DNS was originally designed with the assumptions that the DNS will
+ return the same answer to any given query regardless of who may have
+ issued the query, and that all data in the DNS is thus visible.
+ Accordingly, DNSSEC is not designed to provide confidentiality,
+ access control lists, or other means of differentiating between
+ inquirers.
+
+ DNSSEC provides no protection against denial of service attacks.
+ Security-aware resolvers and security-aware name servers are
+ vulnerable to an additional class of denial of service attacks based
+ on cryptographic operations. Please see Section 12 for details.
+
+ The DNS security extensions provide data and origin authentication
+ for DNS data. The mechanisms outlined above are not designed to
+ protect operations such as zone transfers and dynamic update
+ [RFC3007]. Message authentication schemes described in [RFC2845] and
+ [RFC2931] address security operations that pertain to these
+ transactions.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 11]
+
+Internet-Draft DNSSEC Introduction and Requirements May 2004
+
+
+5. Scope of the DNSSEC Document Set and Last Hop Issues
+
+ The specification in this document set defines the behavior for zone
+ signers and security-aware name servers and resolvers in such a way
+ that the validating entities can unambiguously determine the state of
+ the data.
+
+ A validating resolver can determine these 4 states:
+
+ Secure: The validating resolver has a trust anchor, a chain of trust
+ and is able to verify all the signatures in the response.
+
+ Insecure: The validating resolver has a trust anchor, a chain of
+ trust, and, at some delegation point, signed proof of the
+ non-existence of a DS record. That indicates that subsequent
+ branches in the tree are provably insecure. A validating resolver
+ may have local policy to mark parts of the domain space as
+ insecure.
+
+ Bogus: The validating resolver has a trust anchor and there is a
+ secure delegation which is indicating that subsidiary data will be
+ signed, but the response fails to validate due to one or more
+ reasons: missing signatures, expired signatures, signatures with
+ unsupported algorithms, data missing which the relevant NSEC RR
+ says should be present, and so forth.
+
+ Indeterminate: There is no trust anchor which would indicate that a
+ specific portion of the tree is secure. This is the default
+ operation mode.
+
+ This specification only defines how security aware name servers can
+ signal non-validating stub resolvers that data was found to be bogus
+ (using RCODE=2, "Server Failure" -- see
+ [I-D.ietf-dnsext-dnssec-protocol]).
+
+ There is a mechanism for security aware name servers to signal
+ security-aware stub resolvers that data was found to be secure (using
+ the AD bit, see [I-D.ietf-dnsext-dnssec-protocol]).
+
+ This specification does not define a format for communicating why
+ responses were found to be bogus or marked as insecure. The current
+ signaling mechanism does not distinguish between indeterminate and
+ insecure.
+
+ A method for signaling advanced error codes and policy between a
+ security aware stub resolver and security aware recursive nameservers
+ is a topic for future work, as is the interface between a security
+ aware resolver and the applications that use it. Note, however, that
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 12]
+
+Internet-Draft DNSSEC Introduction and Requirements May 2004
+
+
+ the lack of the specification of such communication does not prohibit
+ deployment of signed zones or the deployment of security aware
+ recursive name servers that prohibit propagation of bogus data to the
+ applications.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 13]
+
+Internet-Draft DNSSEC Introduction and Requirements May 2004
+
+
+6. Resolver Considerations
+
+ A security-aware resolver needs to be able to perform cryptographic
+ functions necessary to verify digital signatures using at least the
+ mandatory-to-implement algorithm(s).
Security-aware resolvers must
+ also be capable of forming an authentication chain from a newly
+ learned zone back to an authentication key, as described above. This
+ process might require additional queries to intermediate DNS zones to
+ obtain necessary DNSKEY, DS and RRSIG records. A security-aware
+ resolver should be configured with at least one trust anchor as the
+ starting point from which it will attempt to establish authentication
+ chains.
+
+ If a security-aware resolver is separated from the relevant
+ authoritative name servers by a recursive name server or by any sort
+ of device which acts as a proxy for DNS, and if the recursive name
+ server or proxy is not security-aware, the security-aware resolver
+ may not be capable of operating in a secure mode. For example, if a
+ security-aware resolver's packets are routed through a network
+ address translation device that includes a DNS proxy which is not
+ security-aware, the security-aware resolver may find it difficult or
+ impossible to obtain or validate signed DNS data.
+
+ If a security-aware resolver must rely on an unsigned zone or a name
+ server that is not security aware, the resolver may not be able to
+ validate DNS responses, and will need a local policy on whether to
+ accept unverified responses.
+
+ A security-aware resolver should take a signature's validation period
+ into consideration when determining the TTL of data in its cache, to
+ avoid caching signed data beyond the validity period of the
+ signature, but should also allow for the possibility that the
+ security-aware resolver's own clock is wrong. Thus, a security-aware
+ resolver which is part of a security-aware recursive name server will
+ need to pay careful attention to the DNSSEC "checking disabled" (CD)
+ bit [I-D.ietf-dnsext-dnssec-records]. This is in order to avoid
+ blocking valid signatures from getting through to other
+ security-aware resolvers which are clients of this recursive name
+ server.
See [I-D.ietf-dnsext-dnssec-protocol] for how a secure
+ recursive server handles queries with the CD bit set.
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 14]
+
+Internet-Draft DNSSEC Introduction and Requirements May 2004
+
+
+7. Stub Resolver Considerations
+
+ Although not strictly required to do so by the protocol, most DNS
+ queries originate from stub resolvers. Stub resolvers, by
+ definition, are minimal DNS resolvers which use recursive query mode
+ to offload most of the work of DNS resolution to a recursive name
+ server. Given the widespread use of stub resolvers, the DNSSEC
+ architecture has to take stub resolvers into account, but the
+ security features needed in a stub resolver differ in some respects
+ from those needed in a full security-aware resolver.
+
+ Even a security-oblivious stub resolver may get some benefit from
+ DNSSEC if the recursive name servers it uses are security-aware, but
+ for the stub resolver to place any real reliance on DNSSEC services,
+ the stub resolver must trust both the recursive name servers in
+ question and the communication channels between itself and those name
+ servers. The first of these issues is a local policy issue: in
+ essence, a security-oblivious stub resolver has no real choice but to
+ place itself at the mercy of the recursive name servers that it uses,
+ since it does not perform DNSSEC validity checks on its own. The
+ second issue requires some kind of channel security mechanism; proper
+ use of DNS transaction authentication mechanisms such as SIG(0) or
+ TSIG would suffice, as would appropriate use of IPsec, and particular
+ implementations may have other choices available, such as operating
+ system specific interprocess communication mechanisms.
+ Confidentiality is not needed for this channel, but data integrity
+ and message authentication are.
+
+ A security-aware stub resolver that does trust both its recursive
+ name servers and its communication channel to them may choose to
+ examine the setting of the AD bit in the message header of the
+ response messages it receives. The stub resolver can use this flag
+ bit as a hint to find out whether the recursive name server was able
+ to validate signatures for all of the data in the Answer and
+ Authority sections of the response.
+
+ There is one more step that a security-aware stub resolver can take
+ if, for whatever reason, it is not able to establish a useful trust
+ relationship with the recursive name servers which it uses: it can
+ perform its own signature validation, by setting the Checking
+ Disabled (CD) bit in its query messages. A validating stub resolver
+ is thus able to treat the DNSSEC signatures as a trust relationship
+ between the zone administrator and the stub resolver itself.
+
+
+
+
+
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 15]
+
+Internet-Draft DNSSEC Introduction and Requirements May 2004
+
+
+8. Zone Considerations
+
+ There are several differences between signed and unsigned zones. A
+ signed zone will contain additional security-related records (RRSIG,
+ DNSKEY, DS and NSEC records). RRSIG and NSEC records may be
+ generated by a signing process prior to serving the zone. The RRSIG
+ records that accompany zone data have defined inception and
+ expiration times, which establish a validity period for the
+ signatures and the zone data the signatures cover.
+
+8.1 TTL values vs. RRSIG validity period
+
+ It is important to note the distinction between a RRset's TTL value
+ and the signature validity period specified by the RRSIG RR covering
+ that RRset. DNSSEC does not change the definition or function of the
+ TTL value, which is intended to maintain database coherency in
+ caches.
A caching resolver purges RRsets from its cache no later than
+ the end of the time period specified by the TTL fields of those
+ RRsets, regardless of whether or not the resolver is security-aware.
+
+ The inception and expiration fields in the RRSIG RR
+ [I-D.ietf-dnsext-dnssec-records], on the other hand, specify the time
+ period during which the signature can be used to validate the covered
+ RRset. The signatures associated with signed zone data are only
+ valid for the time period specified by these fields in the RRSIG RRs
+ in question. TTL values cannot extend the validity period of signed
+ RRsets in a resolver's cache, but the resolver may use the time
+ remaining before expiration of the signature validity period of a
+ signed RRset as an upper bound for the TTL of the signed RRset and
+ its associated RRSIG RR in the resolver's cache.
+
+8.2 New Temporal Dependency Issues for Zones
+
+ Information in a signed zone has a temporal dependency which did not
+ exist in the original DNS protocol. A signed zone requires regular
+ maintenance to ensure that each RRset in the zone has a current valid
+ RRSIG RR. The signature validity period of an RRSIG RR is an
+ interval during which the signature for one particular signed RRset
+ can be considered valid, and the signatures of different RRsets in a
+ zone may expire at different times. Re-signing one or more RRsets in
+ a zone will change one or more RRSIG RRs, which in turn will require
+ incrementing the zone's SOA serial number to indicate that a zone
+ change has occurred and re-signing the SOA RRset itself. Thus,
+ re-signing any RRset in a zone may also trigger DNS NOTIFY messages
+ and zone transfers operations.
+
+
+
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 16]
+
+Internet-Draft DNSSEC Introduction and Requirements May 2004
+
+
+9.
Name Server Considerations
+
+ A security-aware name server should include the appropriate DNSSEC
+ records (RRSIG, DNSKEY, DS and NSEC) in all responses to queries from
+ resolvers which have signaled their willingness to receive such
+ records via use of the DO bit in the EDNS header, subject to message
+ size limitations. Since inclusion of these DNSSEC RRs could easily
+ cause UDP message truncation and fallback to TCP, a security-aware
+ name server must also support the EDNS "sender's UDP payload"
+ mechanism.
+
+ If possible, the private half of each DNSSEC key pair should be kept
+ offline, but this will not be possible for a zone for which DNS
+ dynamic update has been enabled. In the dynamic update case, the
+ primary master server for the zone will have to re-sign the zone when
+ updated, so the private key corresponding to the zone signing key
+ will have to be kept online. This is an example of a situation where
+ the ability to separate the zone's DNSKEY RRset into zone signing
+ key(s) and key signing key(s) may be useful, since the key signing
+ key(s) in such a case can still be kept offline and may have a longer
+ useful lifetime than the zone signing key(s).
+
+ DNSSEC, by itself, is not enough to protect the integrity of an
+ entire zone during zone transfer operations, since even a signed zone
+ contains some unsigned, nonauthoritative data if the zone has any
+ children. Therefore, zone maintenance operations will require some
+ additional mechanisms (most likely some form of channel security,
+ such as TSIG, SIG(0), or IPsec).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 17]
+
+Internet-Draft DNSSEC Introduction and Requirements May 2004
+
+
+10. DNS Security Document Family
+
+ The DNSSEC document set can be partitioned into several main groups,
+ under the larger umbrella of the DNS base protocol documents.
+
+ The "DNSSEC protocol document set" refers to the three documents
+ which form the core of the DNS security extensions:
+ 1. DNS Security Introduction and Requirements (this document)
+ 2. Resource Records for DNS Security Extensions
+ [I-D.ietf-dnsext-dnssec-records]
+ 3. Protocol Modifications for the DNS Security Extensions
+ [I-D.ietf-dnsext-dnssec-protocol]
+
+ Additionally, any document that would add to, or change the core DNS
+ Security extensions would fall into this category. This includes any
+ future work on the communication between security-aware stub
+ resolvers and upstream security-aware recursive name servers.
+
+ The "Digital Signature Algorithm Specification" document set refers
+ to the group of documents that describe how specific digital
+ signature algorithms should be implemented to fit the DNSSEC resource
+ record format. Each document in this set deals with a specific
+ digital signature algorithm.
+
+ The "Transaction Authentication Protocol" document set refers to the
+ group of documents that deal with DNS message authentication,
+ including secret key establishment and verification. While not
+ strictly part of the DNSSEC specification as defined in this set of
+ documents, this group is noted because of its relationship to DNSSEC.
+
+ The final document set, "New Security Uses", refers to documents that
+ seek to use proposed DNS Security extensions for other security
+ related purposes. DNSSEC does not provide any direct security for
+ these new uses, but may be used to support them. Documents that fall
+ in this category include the use of DNS in the storage and
+ distribution of certificates [RFC2538].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 18]
+
+Internet-Draft DNSSEC Introduction and Requirements May 2004
+
+
+11. IANA Considerations
+
+ This overview document introduces no new IANA considerations.
Please
+ see [I-D.ietf-dnsext-dnssec-records] for a complete review of the
+ IANA considerations introduced by DNSSEC.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 19]
+
+Internet-Draft DNSSEC Introduction and Requirements May 2004
+
+
+12. Security Considerations
+
+ This document introduces the DNS security extensions and describes
+ the document set that contains the new security records and DNS
+ protocol modifications. The extensions provide data origin
+ authentication and data integrity using digital signatures over
+ resource record sets.This document discusses the capabilities and
+ limitations of these extensions.
+
+ In order for a security-aware resolver to validate a DNS response,
+ all zones along the path from the trusted starting point to the zone
+ containing the response zones must be signed, and all name servers
+ and resolvers involved in the resolution process must be
+ security-aware, as defined in this document set. A security-aware
+ resolver cannot verify responses originating from an unsigned zone,
+ from a zone not served by a security-aware name server, or for any
+ DNS data which the resolver is only able to obtain through a
+ recursive name server which is not security-aware. If there is a
+ break in the authentication chain such that a security-aware resolver
+ cannot obtain and validate the authentication keys it needs, then the
+ security-aware resolver cannot validate the affected DNS data.
+
+ This document briefly discusses other methods of adding security to a
+ DNS query, such as using a channel secured by IPsec or using a DNS
+ transaction authentication mechanism, but transaction security is not
+ part of DNSSEC per se.
+
+ A non-validating security-aware stub resolver, by definition, does
+ not perform DNSSEC signature validation on its own, and thus is
+ vulnerable both to attacks on (and by) the security-aware recursive
+ name servers which perform these checks on its behalf and also to
+ attacks on its communication with those security-aware recursive name
+ servers. Non-validating security-aware stub resolvers should use some
+ form of channel security to defend against the latter threat. The
+ only known defense against the former threat would be for the
+ security-aware stub resolver to perform its own signature validation,
+ at which point, again by definition, it would no longer be a
+ non-validating security-aware stub resolver.
+
+ DNSSEC does not protect against denial of service attacks. DNSSEC
+ makes DNS vulnerable to a new class of denial of service attacks
+ based on cryptographic operations against security-aware resolvers
+ and security-aware name servers, since an attacker can attempt to use
+ DNSSEC mechanisms to consume a victim's resources. This class of
+ attacks takes at least two forms. An attacker may be able to consume
+ resources in a security-aware resolver's signature validation code by
+ tampering with RRSIG RRs in response messages or by constructing
+ needlessly complex signature chains. An attacker may also be able to
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 20]
+
+Internet-Draft DNSSEC Introduction and Requirements May 2004
+
+
+ consume resources in a security-aware name server which supports DNS
+ dynamic update, by sending a stream of update messages that force the
+ security-aware name server to re-sign some RRsets in the zone more
+ frequently than would otherwise be necessary.
+
+ DNSSEC introduces the ability for a hostile party to enumerate all
+ the names in a zone by following the NSEC chain.
NSEC RRs assert
+ which names do not exist in a zone by linking from existing name to
+ existing name along a canonical ordering of all the names within a
+ zone. Thus, an attacker can query these NSEC RRs in sequence to
+ obtain all the names in a zone. While not an attack on the DNS
+ itself, this could allow an attacker to map network hosts or other
+ resources by enumerating the contents of a zone. There are non-DNS
+ protocol means of detecting and limiting this attack beyond the scope
+ of this document set.
+
+ DNSSEC introduces significant additional complexity to the DNS, and
+ thus introduces many new opportunities for implementation bugs and
+ misconfigured zones. In particular, enabling DNSSEC signature
+ validation in a resolver may cause entire legitimate zones to become
+ effectively unreachable due to DNSSEC configuration errors or bugs.
+
+ DNSSEC does not provide confidentiality, due to a deliberate design
+ choice.
+
+ DNSSEC does not protect against tampering with unsigned zone data.
+ Non-authoritative data at zone cuts (glue and NS RRs in the parent
+ zone) are not signed. This does not pose a problem when validating
+ the authentication chain, but does mean that the non-authoritative
+ data itself is vulnerable to tampering during zone transfer
+ operations. Thus, while DNSSEC can provide data origin
+ authentication and data integrity for RRsets, it cannot do so for
+ zones, and other mechanisms must be used to protect zone transfer
+ operations.
+
+ Please see [I-D.ietf-dnsext-dnssec-records] and
+ [I-D.ietf-dnsext-dnssec-protocol] for additional security
+ considerations.
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 21]
+
+Internet-Draft DNSSEC Introduction and Requirements May 2004
+
+
+13. Acknowledgements
+
+ This document was created from the input and ideas of the members of
+ the DNS Extensions Working Group.
While explicitly listing everyone
+ who has contributed during the decade during which DNSSEC has been
+ under development would be an impossible task, the editors would
+ particularly like to thank the following people for their
+ contributions to and comments on this document set: Mark Andrews,
+ Derek Atkins, Alan Barrett, Dan Bernstein, David Blacka, Len Budney,
+ Randy Bush, Francis Dupont, Donald Eastlake, Miek Gieben, Michael
+ Graff, Olafur Gudmundsson, Gilles Guette, Andreas Gustafsson, Phillip
+ Hallam-Baker, Walter Howard, Stephen Jacob, Simon Josefsson, Olaf
+ Kolkman, Mark Kosters, David Lawrence, Ted Lemon, Ed Lewis, Ted
+ Lindgreen, Josh Littlefield, Rip Loomis, Bill Manning, Mans Nilsson,
+ Masataka Ohta, Rob Payne, Jim Reid, Michael Richardson, Erik
+ Rozendaal, Jakob Schlyter, Mike StJohns, Paul Vixie, Sam Weiler, and
+ Brian Wellington.
+
+ No doubt the above list is incomplete. We apologize to anyone we
+ left out.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 22]
+
+Internet-Draft DNSSEC Introduction and Requirements May 2004
+
+
+14. References
+
+14.1 Normative References
+
+ [I-D.ietf-dnsext-dnssec-protocol]
+ Arends, R., Austein, R., Larson, M., Massey, D. and S.
+ Rose, "Protocol Modifications for the DNS Security
+ Extensions", draft-ietf-dnsext-dnssec-protocol-06 (work in
+ progress), May 2004.
+
+ [I-D.ietf-dnsext-dnssec-records]
+ Arends, R., Austein, R., Larson, M., Massey, D. and S.
+ Rose, "Resource Records for DNS Security Extensions",
+ draft-ietf-dnsext-dnssec-records-08 (work in progress),
+ May 2004.
+
+ [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
+ STD 13, RFC 1034, November 1987.
+
+ [RFC1035] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
+ RFC 2535, March 1999.
+
+ [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
+ 2671, August 1999.
+
+ [RFC3225] Conrad, D., "Indicating Resolver Support of DNSSEC", RFC
+ 3225, December 2001.
+
+ [RFC3226] Gudmundsson, O., "DNSSEC and IPv6 A6 aware server/resolver
+ message size requirements", RFC 3226, December 2001.
+
+ [RFC3445] Massey, D. and S. Rose, "Limiting the Scope of the KEY
+ Resource Record (RR)", RFC 3445, December 2002.
+
+14.2 Informative References
+
+ [I-D.ietf-dnsext-dns-threats]
+ Atkins, D. and R. Austein, "Threat Analysis Of The Domain
+ Name System", draft-ietf-dnsext-dns-threats-07 (work in
+ progress), April 2004.
+
+ [I-D.ietf-dnsext-nsec-rdata]
+ Schlyter, J., "KEY RR Secure Entry Point Flag",
+ draft-ietf-dnsext-nsec-rdata-05 (work in progress), March
+ 2004.
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 23]
+
+Internet-Draft DNSSEC Introduction and Requirements May 2004
+
+
+ [RFC2136] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic
+ Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
+ April 1997.
+
+ [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
+ Specification", RFC 2181, July 1997.
+
+ [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
+ NCACHE)", RFC 2308, March 1998.
+
+ [RFC2538] Eastlake, D. and O. Gudmundsson, "Storing Certificates in
+ the Domain Name System (DNS)", RFC 2538, March 1999.
+
+ [RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D. and B.
+ Wellington, "Secret Key Transaction Authentication for DNS
+ (TSIG)", RFC 2845, May 2000.
+
+ [RFC2931] Eastlake, D., "DNS Request and Transaction Signatures (
+ SIG(0)s)", RFC 2931, September 2000.
+
+ [RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic
+ Update", RFC 3007, November 2000.
+
+ [RFC3008] Wellington, B., "Domain Name System Security (DNSSEC)
+ Signing Authority", RFC 3008, November 2000.
+
+ [RFC3090] Lewis, E., "DNS Security Extension Clarification on Zone
+ Status", RFC 3090, March 2001.
+ + [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record + (RR) Types", RFC 3597, September 2003. + + [RFC3655] Wellington, B. and O. Gudmundsson, "Redefinition of DNS + Authenticated Data (AD) bit", RFC 3655, November 2003. + + [RFC3658] Gudmundsson, O., "Delegation Signer (DS) Resource Record + (RR)", RFC 3658, December 2003. + + [RFC3755] Weiler, S., "Legacy Resolver Compatibility for Delegation + Signer", RFC 3755, April 2004. + + [RFC3757] Kolkman, O., Schlyter, J. and E. Lewis, "KEY RR Secure + Entry Point Flag", RFC 3757, April 2004. + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 24] + +Internet-Draft DNSSEC Introduction and Requirements May 2004 + + +Authors' Addresses + + Roy Arends + Telematica Instituut + Drienerlolaan 5 + 7522 NB Enschede + NL + + EMail: roy.arends@telin.nl + + + Rob Austein + Internet Systems Consortium + 950 Charter Street + Redwood City, CA 94063 + USA + + EMail: sra@isc.org + + + Matt Larson + VeriSign, Inc. + 21345 Ridgetop Circle + Dulles, VA 20166-6503 + USA + + EMail: mlarson@verisign.com + + + Dan Massey + USC Information Sciences Institute + 3811 N. Fairfax Drive + Arlington, VA 22203 + USA + + EMail: masseyd@isi.edu + + + Scott Rose + National Institute for Standards and Technology + 100 Bureau Drive + Gaithersburg, MD 20899-8920 + USA + + EMail: scott.rose@nist.gov + + + + + + +Arends, et al. Expires November 15, 2004 [Page 25] + +Internet-Draft DNSSEC Introduction and Requirements May 2004 + + +Intellectual Property Statement + + The IETF takes no position regarding the validity or scope of any + intellectual property or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; neither does it represent that it + has made any effort to identify any such rights. 
Information on the + IETF's procedures with respect to rights in standards-track and + standards-related documentation can be found in BCP-11. Copies of + claims of rights made available for publication and any assurances of + licenses to be made available, or the result of an attempt made to + obtain a general license or permission for the use of such + proprietary rights by implementors or users of this specification can + be obtained from the IETF Secretariat. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights which may cover technology that may be required to practice + this standard. Please address the information to the IETF Executive + Director. + + +Full Copyright Statement + + Copyright (C) The Internet Society (2004). All Rights Reserved. + + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assignees. 
+ + This document and the information contained herein is provided on an + "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + + + +Arends, et al. Expires November 15, 2004 [Page 26] + +Internet-Draft DNSSEC Introduction and Requirements May 2004 + + + HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + + +Acknowledgment + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 27] + + diff --git a/doc/draft/draft-ietf-dnsext-dnssec-protocol-05.txt b/doc/draft/draft-ietf-dnsext-dnssec-protocol-06.txt similarity index 54% rename from doc/draft/draft-ietf-dnsext-dnssec-protocol-05.txt rename to doc/draft/draft-ietf-dnsext-dnssec-protocol-06.txt index 1a9f8aaf7a..a6f628e3c7 100644 --- a/doc/draft/draft-ietf-dnsext-dnssec-protocol-05.txt +++ b/doc/draft/draft-ietf-dnsext-dnssec-protocol-06.txt 
@@ -1,3249 +1,3249 @@ - - -DNS Extensions R. Arends -Internet-Draft Telematica Instituut -Expires: August 16, 2004 M. Larson - VeriSign - R. Austein - ISC - D. Massey - USC/ISI - S. Rose - NIST - February 16, 2004 - - - Protocol Modifications for the DNS Security Extensions - draft-ietf-dnsext-dnssec-protocol-05 - -Status of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that other - groups may also distribute working documents as Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet-Drafts as reference - material or to cite them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at http:// - www.ietf.org/ietf/1id-abstracts.txt. - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - This Internet-Draft will expire on August 16, 2004. - -Copyright Notice - - Copyright (C) The Internet Society (2004). All Rights Reserved. - -Abstract - - This document is part of a family of documents which describe the DNS - Security Extensions (DNSSEC). The DNS Security Extensions are a - collection of new resource records and protocol modifications which - add data origin authentication and data integrity to the DNS. This - document describes the DNSSEC protocol modifications. This document - - - -Arends, et al. Expires August 16, 2004 [Page 1] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - defines the concept of a signed zone, along with the requirements for - serving and resolving using DNSSEC. 
These techniques allow a - security-aware resolver to authenticate both DNS resource records and - authoritative DNS error indications. - - This document obsoletes RFC 2535 and incorporates changes from all - updates to RFC 2535. - -Table of Contents - - 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 - 1.1 Background and Related Documents . . . . . . . . . . . . . . 4 - 1.2 Reserved Words . . . . . . . . . . . . . . . . . . . . . . . 4 - 1.3 Editors' Notes . . . . . . . . . . . . . . . . . . . . . . . 4 - 1.3.1 Open Technical Issues . . . . . . . . . . . . . . . . . . . 4 - 1.3.2 Technical Changes or Corrections . . . . . . . . . . . . . . 4 - 1.3.3 Typos and Minor Corrections . . . . . . . . . . . . . . . . 5 - 2. Zone Signing . . . . . . . . . . . . . . . . . . . . . . . . 6 - 2.1 Including DNSKEY RRs in a Zone . . . . . . . . . . . . . . . 6 - 2.2 Including RRSIG RRs in a Zone . . . . . . . . . . . . . . . 6 - 2.3 Including NSEC RRs in a Zone . . . . . . . . . . . . . . . . 7 - 2.4 Including DS RRs in a Zone . . . . . . . . . . . . . . . . . 8 - 2.5 Changes to the CNAME Resource Record. . . . . . . . . . . . 8 - 2.6 Example of a Secure Zone . . . . . . . . . . . . . . . . . . 9 - 3. Serving . . . . . . . . . . . . . . . . . . . . . . . . . . 10 - 3.1 Authoritative Name Servers . . . . . . . . . . . . . . . . . 10 - 3.1.1 Including RRSIG RRs in a Response . . . . . . . . . . . . . 11 - 3.1.2 Including DNSKEY RRs In a Response . . . . . . . . . . . . . 11 - 3.1.3 Including NSEC RRs In a Response . . . . . . . . . . . . . . 12 - 3.1.4 Including DS RRs In a Response . . . . . . . . . . . . . . . 14 - 3.1.5 Responding to Queries for Type AXFR or IXFR . . . . . . . . 16 - 3.1.6 The AD and CD Bits in an Authoritative Response . . . . . . 17 - 3.2 Recursive Name Servers . . . . . . . . . . . . . . . . . . . 17 - 3.2.1 The DO bit . . . . . . . . . . . . . . . . . . . . . . . . . 18 - 3.2.2 The CD bit . . . . . . . . . . . . . . . . . . . . . . . . . 
18 - 3.2.3 The AD bit . . . . . . . . . . . . . . . . . . . . . . . . . 18 - 3.3 Example DNSSEC Responses . . . . . . . . . . . . . . . . . . 19 - 4. Resolving . . . . . . . . . . . . . . . . . . . . . . . . . 20 - 4.1 EDNS Support . . . . . . . . . . . . . . . . . . . . . . . . 20 - 4.2 Signature Verification Support . . . . . . . . . . . . . . . 20 - 4.3 Determining Security Status of Data . . . . . . . . . . . . 21 - 4.4 Preconfigured Public Keys . . . . . . . . . . . . . . . . . 22 - 4.5 Response Caching . . . . . . . . . . . . . . . . . . . . . . 22 - 4.6 Handling of the CD and AD bits . . . . . . . . . . . . . . . 22 - 4.7 Rate Limiting . . . . . . . . . . . . . . . . . . . . . . . 23 - 4.8 Stub resolvers . . . . . . . . . . . . . . . . . . . . . . . 24 - 4.8.1 Handling of the DO Bit . . . . . . . . . . . . . . . . . . . 24 - 4.8.2 Handling of the CD Bit . . . . . . . . . . . . . . . . . . . 24 - - - -Arends, et al. Expires August 16, 2004 [Page 2] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - 4.8.3 Handling of the AD Bit . . . . . . . . . . . . . . . . . . . 24 - 5. Authenticating DNS Responses . . . . . . . . . . . . . . . . 26 - 5.1 Special Considerations for Islands of Security . . . . . . . 27 - 5.2 Authenticating Referrals . . . . . . . . . . . . . . . . . . 27 - 5.3 Authenticating an RRset Using an RRSIG RR . . . . . . . . . 28 - 5.3.1 Checking the RRSIG RR Validity . . . . . . . . . . . . . . . 29 - 5.3.2 Reconstructing the Signed Data . . . . . . . . . . . . . . . 30 - 5.3.3 Checking the Signature . . . . . . . . . . . . . . . . . . . 31 - 5.3.4 Authenticating A Wildcard Expanded RRset Positive - Response . . . . . . . . . . . . . . . . . . . . . . . . . . 32 - 5.4 Authenticated Denial of Existence . . . . . . . . . . . . . 32 - 5.5 Authentication Example . . . . . . . . . . . . . . . . . . . 33 - 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . 34 - 7. Security Considerations . . . . . . . . . . . . . . . . . . 
35 - 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 36 - Normative References . . . . . . . . . . . . . . . . . . . . 37 - Informative References . . . . . . . . . . . . . . . . . . . 38 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 38 - A. Signed Zone Example . . . . . . . . . . . . . . . . . . . . 40 - B. Example Responses . . . . . . . . . . . . . . . . . . . . . 46 - B.1 Answer . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 - B.2 Name Error . . . . . . . . . . . . . . . . . . . . . . . . . 47 - B.3 No Data Error . . . . . . . . . . . . . . . . . . . . . . . 48 - B.4 Referral to Signed Zone . . . . . . . . . . . . . . . . . . 49 - B.5 Referral to Unsigned Zone . . . . . . . . . . . . . . . . . 50 - B.6 Wildcard Expansion . . . . . . . . . . . . . . . . . . . . . 50 - B.7 Wildcard No Data Error . . . . . . . . . . . . . . . . . . . 51 - B.8 DS Child Zone No Data Error . . . . . . . . . . . . . . . . 52 - C. Authentication Examples . . . . . . . . . . . . . . . . . . 54 - C.1 Authenticating An Answer . . . . . . . . . . . . . . . . . . 54 - C.1.1 Authenticating the example DNSKEY RR . . . . . . . . . . . . 54 - C.2 Name Error . . . . . . . . . . . . . . . . . . . . . . . . . 55 - C.3 No Data Error . . . . . . . . . . . . . . . . . . . . . . . 55 - C.4 Referral to Signed Zone . . . . . . . . . . . . . . . . . . 55 - C.5 Referral to Unsigned Zone . . . . . . . . . . . . . . . . . 55 - C.6 Wildcard Expansion . . . . . . . . . . . . . . . . . . . . . 56 - C.7 Wildcard No Data Error . . . . . . . . . . . . . . . . . . . 56 - C.8 DS Child Zone No Data Error . . . . . . . . . . . . . . . . 56 - Intellectual Property and Copyright Statements . . . . . . . 57 - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 3] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - -1. 
Introduction - - The DNS Security Extensions (DNSSEC) are a collection of new resource - records and protocol modifications which add data origin - authentication and data integrity to the DNS. This document defines - the DNSSEC protocol modifications. Section 2 of this document defines - the concept of a signed zone and lists the requirements for zone - signing. Section 3 describes the modifications to authoritative name - server behavior necessary to handle signed zones. Section 4 describes - the behavior of entities which include security-aware resolver - functions. Finally, Section 5 defines how to use DNSSEC RRs to - authenticate a response. - -1.1 Background and Related Documents - - The reader is assumed to be familiar with the basic DNS concepts - described in RFC1034 [RFC1034] and RFC1035 [RFC1035]. - - This document is part of a family of documents which define DNSSEC. - An introduction to DNSSEC and definition of common terms can be found - in [I-D.ietf-dnsext-dnssec-intro]. A definition of the DNSSEC - resource records can be found in [I-D.ietf-dnsext-dnssec-records]. - -1.2 Reserved Words - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this - document are to be interpreted as described in RFC 2119. [RFC2119]. - -1.3 Editors' Notes - -1.3.1 Open Technical Issues - -1.3.2 Technical Changes or Corrections - - Please report technical corrections to dnssec-editors@east.isi.edu. - To assist the editors, please indicate the text in error and point - out the RFC that defines the correct behavior. For a technical - change where no RFC that defines the correct behavior, or if there's - more than one applicable RFC and the definitions conflict, please - post the issue to namedroppers. - - An example correction to dnssec-editors might be: Page X says - "DNSSEC RRs SHOULD be automatically returned in responses." 
This was - true in RFC 2535, but RFC 3225 (Section 3, 3rd paragraph) says the - DNSSEC RR types MUST NOT be included in responses unless the resolver - indicated support for DNSSEC. - - - - -Arends, et al. Expires August 16, 2004 [Page 4] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - -1.3.3 Typos and Minor Corrections - - Please report any typos corrections to dnssec-editors@east.isi.edu. - To assist the editors, please provide enough context for us to find - the incorrect text quickly. - - An example message to dnssec-editors might be: page X says "the - DNSSEC standard has been in development for over 1 years". It - should read "over 10 years". - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 5] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - -2. Zone Signing - - DNSSEC introduces the concept of signed zones. A signed zone - includes DNSKEY, RRSIG, NSEC and (optionally) DS records according to - the rules specified in Section 2.1, Section 2.2, Section 2.3 and - Section 2.4, respectively. A zone that does not include these - records according to the rules in this section is an unsigned zone. - - DNSSEC requires a change to the definition of the CNAME resource - record [RFC1035]. Section 2.5 changes the CNAME RR to allow RRSIG - and NSEC RRs to appear at the same owner name as a CNAME RR. - -2.1 Including DNSKEY RRs in a Zone - - To sign a zone, the zone's administrator generates one or more - public/private key pairs and uses the private key(s) to sign - authoritative RRsets in the zone. For each private key used to - create RRSIG RRs, there SHOULD be a corresponding zone DNSKEY RR with - the public component stored in the zone. A zone key DNSKEY RR MUST - have the Zone Key bit of the flags RDATA field set to one -- see - Section 2.1.1 of [I-D.ietf-dnsext-dnssec-records]. 
Public keys - associated with other DNS operations MAY be stored in DNSKEY RRs that - are not marked as zone keys but MUST NOT be used to verify RRSIGs. - - If the zone is delegated and does not wish to act as an island of - security, the zone MUST have at least one DNSKEY RR at the apex to - act as a secure entry point into the zone. This DNSKEY would then be - used to generate a DS RR at the delegating parent (see - [I-D.ietf-dnsext-dnssec-records]). - - DNSKEY RRs MUST NOT appear at delegation points. - -2.2 Including RRSIG RRs in a Zone - - For each authoritative RRset in a signed zone, there MUST be at least - one RRSIG record that meets all of the following requirements: - - o The RRSIG owner name is equal to the RRset owner name; - - o The RRSIG class is equal to the RRset class; - - o The RRSIG Type Covered field is equal to the RRset type; - - o The RRSIG Original TTL field is equal to the TTL of the RRset; - - o The RRSIG RR's TTL is equal to the TTL of the RRset; - - o The RRSIG Labels field is equal to the number of labels in the - - - -Arends, et al. Expires August 16, 2004 [Page 6] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - RRset owner name, not counting the null root label and not - counting the leftmost label if it is a wildcard; - - o The RRSIG Signer's Name field is equal to the name of the zone - containing the RRset; and - - o The RRSIG Algorithm, Signer's Name, and Key Tag fields identify a - zone key DNSKEY record at the zone apex. - - The process for constructing the RRSIG RR for a given RRset is - described in [I-D.ietf-dnsext-dnssec-records]. An RRset MAY have - multiple RRSIG RRs associated with it. - - An RRSIG RR itself MUST NOT be signed, since signing an RRSIG RR - would add no value and would create an infinite loop in the signing - process. 
- - The NS RRset that appears at the zone apex name MUST be signed, but - the NS RRsets that appear at delegation points (that is, the NS - RRsets in the parent zone that delegate the name to the child zone's - name servers) MUST NOT be signed. Glue address RRsets associated with - delegations MUST NOT be signed. - - There MUST be an RRSIG for each RRset using at least one DNSKEY of - each algorithm in the parent zone's DS RRset and each additional - algorithm, if any, in the apex DNSKEY RRset. The apex DNSKEY RRset - itself MUST be signed by each algorithm appearing in the DS RRset. - -2.3 Including NSEC RRs in a Zone - - Each owner name in the zone which has authoritative data or a - delegation point NS RRset MUST have an NSEC resource record. The - process for constructing the NSEC RR for a given name is described in - [I-D.ietf-dnsext-dnssec-records]. - - The TTL value for any NSEC RR SHOULD be the same as the minimum TTL - value field in the zone SOA RR. - - An NSEC record (and its associated RRSIG RRset) MUST NOT be the only - RRset at any particular owner name. That is, the signing process - MUST NOT create NSEC or RRSIG RRs for owner names nodes which were - not the owner name of any RRset before the zone was signed. - - The type bitmap of every NSEC resource record in a signed zone MUST - indicate the presence of both the NSEC record itself and its - corresponding RRSIG record. - - The difference between the set of owner names that require RRSIG - - - -Arends, et al. Expires August 16, 2004 [Page 7] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - records and the set of owner names that require NSEC records is - subtle and worth highlighting. RRSIG records are present at the - owner names of all authoritative RRsets. NSEC records are present at - the owner names of all names for which the signed zone is - authoritative and also at the owner names of delegations from the - signed zone to its children. 
Neither NSEC nor RRSIG records are - present (in the parent zone) at the owner names of glue address - RRsets. Note, however, that this distinction is for the most part is - only visible during the zone signing process, because NSEC RRsets are - authoritative data, and are therefore signed, thus any owner name - which has an NSEC RRset will have RRSIG RRs as well in the signed - zone. - -2.4 Including DS RRs in a Zone - - The DS resource record establishes authentication chains between DNS - zones. A DS RRset SHOULD be present at a delegation point when the - child zone is signed. The DS RRset MAY contain multiple records, - each referencing a public key in the child zone used to verify the - RRSIGs in that zone. All DS RRsets in a zone MUST be signed and DS - RRsets MUST NOT appear at a zone's apex. - - A DS RR SHOULD point to a DNSKEY RR which is present in the child's - apex DNSKEY RRset, and the child's apex DNSKEY RRset SHOULD be signed - by the corresponding private key. - - The TTL of a DS RRset SHOULD match the TTL of the delegating NS RRset - (i.e., the NS RRset from the same zone containing the DS RRset). - - Construction of a DS RR requires knowledge of the corresponding - DNSKEY RR in the child zone, which implies communication between the - child and parent zones. This communication is an operational matter - not covered by this document. - -2.5 Changes to the CNAME Resource Record. - - If a CNAME RRset is present at a name in a signed zone, appropriate - RRSIG and NSEC RRsets are REQUIRED at that name. A KEY RRset at that - name for secure dynamic update purposes is also allowed. Other types - MUST NOT be present at that name. - - This is a modification to the original CNAME definition given in - [RFC1034]. The original definition of the CNAME RR did not allow any - other types to coexist with a CNAME record, but a signed zone - requires NSEC and RRSIG RRs for every authoritative name. 
To resolve - this conflict, this specification modifies the definition of the - CNAME resource record to allow it to coexist with NSEC and RRSIG RRs. - - - - -Arends, et al. Expires August 16, 2004 [Page 8] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - -2.6 Example of a Secure Zone - - Appendix A shows a complete example of a small signed zone. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 9] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - -3. Serving - - This section describes the behavior of entities that include - security-aware name server functions. In many cases such functions - will be part of a security-aware recursive name server, but a - security-aware authoritative name server has some of the same - requirements as a security-aware recursive name server does. - Functions specific to security-aware recursive name servers are - described in Section 3.2; functions specific to authoritative servers - are described in Section 3.1. - - The terms "SNAME", "SCLASS", and "STYPE" in the following discussion - are as used in [RFC1034]. - - A security-aware name server MUST support the EDNS0 [RFC2671] message - size extension, MUST support a message size of at least 1220 octets, - and SHOULD support a message size of 4000 octets [RFC3226]. - - A security-aware name server that receives a DNS query that does not - include the EDNS OPT pseudo-RR or that has the DO bit set to zero - MUST treat the RRSIG, DNSKEY, and NSEC RRs as it would any other - RRset, and MUST NOT perform any of the additional processing - described below. Since the DS RR type has the peculiar property of - only existing in the parent zone at delegation points, DS RRs always - require some special processing, as described in Section 3.1.4.1. - - DNSSEC allocates two new bits in the DNS message header: the CD - (Checking Disabled) bit and the AD (Authentic Data) bit. 
The CD bit - is controlled by resolvers; a security-aware name server MUST copy - the CD bit from a query into the corresponding response. The AD bit - is controlled by name servers; a security-aware name server MUST - ignore the setting of the AD bit in queries. See Section 3.1.6, - Section 3.2.2, Section 3.2.3, Section 4, and Section 4.8 for details - on the behavior of these bits. - -3.1 Authoritative Name Servers - - Upon receiving a relevant query that has the EDNS [RFC2671] OPT - pseudo-RR DO bit [RFC3225] set to one, a security-aware authoritative - name server for a signed zone MUST include additional RRSIG, NSEC, - and DS RRs according to the following rules: - - o RRSIG RRs that can be used to authenticate a response MUST be - included in the response according to the rules in Section 3.1.1; - - o NSEC RRs that can be used to provide authenticated denial of - existence MUST be included in the response automatically according - to the rules in Section 3.1.3; - - - -Arends, et al. Expires August 16, 2004 [Page 10] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - o Either a DS RRset or an NSEC RR proving that no DS RRs exist MUST - be included in referrals automatically according to the rules in - Section 3.1.4. - - DNSSEC does not change the DNS zone transfer protocol. Section 3.1.5 - discusses zone transfer requirements. - -3.1.1 Including RRSIG RRs in a Response - - When responding to a query that has the DO bit set to one, a - security-aware authoritative name server SHOULD attempt to send RRSIG - RRs that a security-aware resolver can use to authenticate the RRsets - in the response. Inclusion of RRSIG RRs in a response is subject to - the following rules: - - o When placing a signed RRset in the Answer section, the name server - MUST also place its RRSIG RRs in the Answer section. The RRSIG - RRs have a higher priority for inclusion than any other RRsets - that may need to be included. 
If space does not permit inclusion - of these RRSIG RRs, the name server MUST set the TC bit. - - o When placing a signed RRset in the Authority section, the name - server MUST also place its RRSIG RRs in the Authority section. - The RRSIG RRs have a higher priority for inclusion than any other - RRsets that may need to be included. If space does not permit - inclusion of these RRSIG RRs, the name server MUST set the TC bit. - - o When placing a signed RRset in the Additional section, the name - server MUST also place its RRSIG RRs in the Additional section. - If space does not permit inclusion of both the RRset and its - associated RRSIG RRs, the name server MUST NOT set the TC bit - solely because these RRSIG RRs didn't fit. - - -3.1.2 Including DNSKEY RRs In a Response - - When responding to a query that has the DO bit set to one and that - requests the SOA or NS RRs at the apex of a signed zone, a - security-aware authoritative name server for that zone MAY return the - zone apex DNSKEY RRset in the Additional section. In this situation, - the DNSKEY RRset and associated RRSIG RRs have lower priority than - any other information that would be placed in the additional section. - The name server SHOULD NOT include the DNSKEY RRset unless there is - enough space in the response message for both the DNSKEY RRset and - its associated RRSIG RR(s). If there is not enough space to include - these DNSKEY and RRSIG RRs, the name server MUST omit them and MUST - NOT set the TC bit solely because these RRs didn't fit (see Section - 3.1.1). - - - -Arends, et al. 
Expires August 16, 2004 [Page 11] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - -3.1.3 Including NSEC RRs In a Response - - When responding to a query that has the DO bit set to one, a - security-aware authoritative name server for a signed zone MUST - include NSEC RRs in each of the following cases: - - No Data: The zone contains RRsets that exactly match , - but does not contain any RRsets that exactly match . - - Name Error: The zone does not contain any RRsets that match either exactly or via wildcard name expansion. - - Wildcard Answer: The zone does not contain any RRsets that exactly - match but does contain an RRset that matches - via wildcard name expansion. - - Wildcard No Data: The zone does not contain any RRsets that exactly - match , does contain one or more RRsets that match - via wildcard name expansion, but does not contain - any RRsets that match via wildcard name - expansion. - - In each of these cases, the name server includes NSEC RRs in the - response to prove that an exact match for was - not present in the zone and that the response that the name server is - returning is correct given the data that are in the zone. - -3.1.3.1 Including NSEC RRs: No Data Response - - If the zone contains RRsets matching but contains no - RRset matching , then the name server MUST - include the NSEC RR for along with its associated - RRSIG RR(s) in the Authority section of the response (see Section - 3.1.1). If space does not permit inclusion of the NSEC RR or its - associated RRSIG RR(s), the name server MUST set the TC bit (see - Section 3.1.1). - - Since the search name exists, wildcard name expansion does not apply - to this query, and a single signed NSEC RR suffices to prove the - requested RR type does not exist. 
- -3.1.3.2 Including NSEC RRs: Name Error Response - - If the zone does not contain any RRsets matching - either exactly or via wildcard name expansion, then the name server - MUST include the following NSEC RRs in the Authority section, along - with their associated RRSIG RRs: - - - -Arends, et al. Expires August 16, 2004 [Page 12] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - o An NSEC RR proving that there is no exact match for ; and - - o An NSEC RR proving that the zone contains no RRsets that would - match via wildcard name expansion. - - In some cases a single NSEC RR may prove both of these points, in - that case the name server SHOULD only include the NSEC RR and its - RRSIG RR(s) once in the Authority section. - - If space does not permit inclusion of these NSEC and RRSIG RRs, the - name server MUST set the TC bit (see Section 3.1.1). - - The owner names of these NSEC and RRSIG RRs are not subject to - wildcard name expansion when these RRs are included in the Authority - section of the response. - - Note that this form of response includes cases in which SNAME - corresponds to an empty non-terminal name within the zone (a name - which is not the owner name for any RRset but which is the parent - name of one or more RRsets). - -3.1.3.3 Including NSEC RRs: Wildcard Answer Response - - If the zone does not contain any RRsets which exactly match but does contain an RRset which matches via wildcard name expansion, the name server MUST include the - wildcard-expanded answer and the corresponding wildcard-expanded - RRSIG RRs in the Answer section, and MUST include in the Authority - section an NSEC RR and associated RRSIG RR(s) proving that the zone - does not contain a closer match for . If space does - not permit inclusion of the answer, NSEC and RRSIG RRs, the name - server MUST set the TC bit (see Section 3.1.1). - -3.1.3.4 Including NSEC RRs: Wildcard No Data Response - - This case is a combination of the previous cases. 
The zone does not - contain an exact match for , and while the zone does - contain RRsets which match via wildcard expansion, - none of those RRsets match STYPE. The name server MUST include the - following NSEC RRs in the Authority section, along with their - associated RRSIG RRs: - - o An NSEC RR proving that there are no RRsets matching STYPE at the - wildcard owner name which matched via wildcard - expansion; and - - o An NSEC RR proving that there are no RRsets in the zone which - - - -Arends, et al. Expires August 16, 2004 [Page 13] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - would have been a closer match for . - - In some cases a single NSEC RR may prove both of these points, in - which case the name server SHOULD only include the NSEC RR and its - RRSIG RR(s) once in the Authority section. - - The owner names of these NSEC and RRSIG RRs are not subject to - wildcard name expansion when these RRs are included in the Authority - section of the response. - - If space does not permit inclusion of these NSEC and RRSIG RRs, the - name server MUST set the TC bit (see Section 3.1.1). - -3.1.3.5 Finding The Right NSEC RRs - - As explained above, there are several situations in which a - security-aware authoritative name server needs to locate an NSEC RR - which proves that a particular SNAME does not exist. Locating such - an NSEC RR within an authoritative zone is relatively simple, at - least in concept. The following discussion assumes that the name - server is authoritative for the zone which would have held the - nonexistent SNAME. The algorithm below is written for clarity, not - efficiency. - - To find the NSEC which proves that name N does not exist in the zone - Z which would have held it, construct sequence S consisting of every - name in Z, sorted into canonical order - [I-D.ietf-dnsext-dnssec-records]. Find the name M which would have - immediately preceded N in S if N had existed. 
M is the owner name of - the NSEC RR which proves that N does not exist. - - The algorithm for finding the NSEC RR which proves that a given name - is not covered by any applicable wildcard is similar, but requires an - extra step. More precisely, the algorithm for finding the NSEC - proving that the applicable wildcard name does not exist is precisely - the same as the algorithm for finding the NSEC RR which proves that - any other name does not exist: the part that's missing is how to - determine the name of the nonexistent applicable wildcard. In - practice, this is easy, because the authoritative name server has - already checked for the presence of precisely this wildcard name as - part of step (1)(c) of the normal lookup algorithm described in - Section 4.3.2 of [RFC1034]. - -3.1.4 Including DS RRs In a Response - - When responding to a query which has the DO bit set to one, a - security-aware authoritative name server returning a referral - includes DNSSEC data along with the NS RRset. - - - -Arends, et al. Expires August 16, 2004 [Page 14] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - If a DS RRset is present at the delegation point, the name server - MUST return both the DS RRset and its associated RRSIG RR(s) in the - Authority section along with the NS RRset. The name server MUST - place the NS RRset before the DS RRset and its associated RRSIG - RR(s). - - If no DS RRset is present at the delegation point, the name server - MUST return both the NSEC RR which proves that the DS RRset is not - present and the NSEC RR's associated RRSIG RR(s) along with the NS - RRset. The name server MUST place the NS RRset before the NSEC RRset - and its associated RRSIG RR(s). - - Including these DS, NSEC, and RRSIG RRs increases the size of - referral messages, and may cause some or all glue RRs to be omitted. 
- If space does not permit inclusion of the DS or NSEC RRset and - associated RRSIG RRs, the name server MUST set the TC bit (see - Section 3.1.1). - -3.1.4.1 Responding to Queries for DS RRs - - The DS resource record type is unusual in that it appears only on the - parent zone's side of a zone cut. For example, the DS RRset for the - delegation of "foo.example" is stored in the "example" zone rather - than in the "foo.example" zone. This requires special processing - rules for both name servers and resolvers, since the name server for - the child zone is authoritative for the name at the zone cut by the - normal DNS rules but the child zone does not contain the DS RRset. - - A security-aware resolver sends queries to the parent zone when - looking for a needed DS RR at a delegation point (see Section 4.2). - However, special rules are necessary to avoid confusing - security-oblivious resolvers which might become involved in - processing such a query (for example, in a network configuration that - forces a security-aware resolver to channel its queries through a - security-oblivious recursive name server). The rest of this section - describes how a security-aware name server processes DS queries in - order to avoid this problem. - - The need for special processing by a security-aware name server only - arises when all the following conditions are met: - - o the name server has received a query for the DS RRset at a zone - cut; and - - o the name server is authoritative for the child zone; and - - o the name server is not authoritative for the parent zone; and - - - - -Arends, et al. Expires August 16, 2004 [Page 15] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - o the name server does not offer recursion. 
- - In all other cases, the name server either has some way of obtaining - the DS RRset or could not have been expected to have the DS RRset - even by the pre-DNSSEC processing rules, so the name server can - return either the DS RRset or an error response according to the - normal processing rules. - - If all of the above conditions are met, however, the name server is - authoritative for SNAME but cannot supply the requested RRset. In - this case, the name server MUST return an authoritative "no data" - response showing that the DS RRset does not exist in the child zone's - apex. See Appendix B.8 for an example of such a response. - -3.1.5 Responding to Queries for Type AXFR or IXFR - - DNSSEC does not change the DNS zone transfer process. A signed zone - will contain RRSIG, DNSKEY, NSEC, and DS resource records, but these - records have no special meaning with respect to a zone transfer - operation, and these RRs are treated as any other resource record - type. - - An authoritative name server is not required to verify that a zone is - properly signed before sending or accepting a zone transfer. - However, an authoritative name server MAY choose to reject the entire - zone transfer if the zone fails meets any of the signing requirements - described in Section 2. The primary objective of a zone transfer is - to ensure that all authoritative name servers have identical copies - of the zone. An authoritative name server which chooses to perform - its own zone validation MUST NOT selectively reject some RRs and - accept others. - - DS RRsets appear only on the parental side of a zone cut and are - authoritative data in the parent zone. As with any other - authoritative RRset, the DS RRset MUST be included in zone transfers - of the zone in which the RRset is authoritative data: in the case of - the DS RRset, this is the parent zone. - - NSEC RRs appear in both the parent and child zones at a zone cut, and - are authoritative data in both the parent and child zones. 
The - parental and child NSEC RRs at a zone cut are never identical to each - other, since the NSEC RR in the child zone's apex will always - indicate the presence of the child zone's SOA RR while the parental - NSEC RR at the zone cut will never indicate the presence of an SOA - RR. As with any other authoritative RRs, NSEC RRs MUST be included - in zone transfers of the zone in which they are authoritative data: - the parental NSEC RR at a zone cut MUST be included zone transfers of - the parent zone, while the NSEC at the zone apex of the child zone - - - -Arends, et al. Expires August 16, 2004 [Page 16] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - MUST be included in zone transfers of the child zone. - - RRSIG RRs appear in both the parent and child zones at a zone cut, - and are authoritative in whichever zone contains the authoritative - RRset for which the RRSIG RR provides the signature. That is, the - RRSIG RR for a DS RRset or a parental NSEC RR at a zone cut will be - authoritative in the parent zone, while the RRSIG for any RRset in - the child zone's apex will be authoritative in the child zone. As - with any other authoritative RRs, RRSIG RRs MUST be included in zone - transfers of the zone in which they are authoritative data. - -3.1.6 The AD and CD Bits in an Authoritative Response - - The CD and AD bits are designed to be used in communication between - security-aware resolvers and security-aware recursive name servers. - This bits are for the most part not relevant to query processing by - security-aware authoritative name servers. - - Since a security-aware name server does not perform signature - validation for authoritative data during query processing even when - the CD bit is set to zero, a security-aware name server SHOULD ignore - the setting of the CD bit when composing an authoritative response. 
- - A security-aware name server MUST NOT set the AD bit in a response - unless the name server considers all RRsets in the Answer and - Authority sections of the response to be authentic. A security-aware - name server's local policy MAY consider data from an authoritative - zone to be authentic without further validation, but the name server - MUST NOT do so unless the name server obtained the authoritative zone - via secure means (such as a secure zone transfer mechanism), and MUST - NOT do so unless this behavior has been configured explicitly. - - A security-aware name server which supports recursion MUST follow the - rules for the CD and AD bits given in Section 3.2 when generating a - response that involves data obtained via recursion. - -3.2 Recursive Name Servers - - As explained in [I-D.ietf-dnsext-dnssec-intro], a security-aware - recursive name server is an entity which acts in both the - security-aware name server and security-aware resolver roles. This - section uses the terms "name server side" and "resolver side" to - refer to the code within a security-aware recursive name server which - implements the security-aware name server role and the code which - implements the security-aware resolver role, respectively. - - The resolver side follows the usual rules for caching and negative - caching which would apply to any security-aware resolver. - - - -Arends, et al. Expires August 16, 2004 [Page 17] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - -3.2.1 The DO bit - - The resolver side of a security-aware recursive name server MUST set - the DO bit when sending requests, regardless of the state of the DO - bit in the initiating request received by the name server side. If - the DO bit in an initiating query is not set, the name server side - MUST strip any authenticating DNSSEC RRs from the response, but MUST - NOT strip any DNSSEC RRs that the initiating query explicitly - requested. 
- -3.2.2 The CD bit - - The CD bit exists in order to allow a security-aware resolver to - disable signature validation in a security-aware name server's - processing of a particular query. - - The name server side MUST copy the setting of the CD bit from a query - to the corresponding response. - - The name server side of a security-aware recursive name server MUST - pass the sense of the CD bit to the resolver side along with the rest - of an initiating query, so that the resolver side will know whether - or not it is required to verify the response data it returns to the - name server side. If the CD bit is set to one, it indicates that the - originating resolver is willing to perform whatever authentication - its local policy requires, thus the resolver side of the recursive - name server need not perform authentication on the RRsets in the - response. When the CD bit is set to one the recursive name server - SHOULD, if possible, return the requested data to the originating - resolver even if the recursive name server's local authentication - policy would reject the records in question. That is, by setting the - CD bit, the originating resolver has indicated that it takes - responsibility for performing its own authentication, and the - recursive name server should not interfere. - - If the resolver side implements a BAD cache (see Section 4.7) and the - name server side receives a query which matches an entry in the - resolver side's BAD cache, the name server side's response depends on - the sense of the CD bit in the original query. If the CD bit is set, - the name server side SHOULD return the data from the BAD cache; if - the CD bit is not set, the name server side MUST return RCODE 2 - (server failure). - -3.2.3 The AD bit - - The name server side of a security-aware recursive name server MUST - NOT set the AD bit in a response unless the name server considers all - RRsets in the Answer and Authority sections of the response to be - - - -Arends, et al. 
Expires August 16, 2004 [Page 18] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - authentic, and SHOULD set the AD bit if and only if the resolver side - considers all RRsets in the Answer section and any relevant negative - response RRs in the Authority section to be authentic. The resolver - side MUST follow the procedure described in Section 5 to determine - whether the RRs in question are authentic. - -3.3 Example DNSSEC Responses - - See Appendix B for example response packets. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 19] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - -4. Resolving - - This section describes the behavior of entities which include - security-aware resolver functions. In many cases such functions will - be part of a security-aware recursive name server, but a stand-alone - security-aware resolver has many of the same requirements. Functions - specific to security-aware recursive name servers are described in - Section 3.2. - -4.1 EDNS Support - - A security-aware resolver MUST include an EDNS [RFC2671] OPT - pseudo-RR with the DO [RFC3225] bit set to one when sending queries. - - A security-aware resolver MUST support a message size of at least - 1220 octets, SHOULD support a message size of 4000 octets, and MUST - advertise the supported message size using the "sender's UDP payload - size" field in the EDNS OPT pseudo-RR. A security-aware resolver MUST - handle fragmented UDP packets correctly regardless of whether any - such fragmented packets were received via IPv4 or IPv6. Please see - [RFC3226] for discussion of these requirements. 
- -4.2 Signature Verification Support - - A security-aware resolver MUST support the signature verification - mechanisms described in Section 5, and MUST apply them to every - received response except when: - - o The security-aware resolver is part of a security-aware recursive - name server, and the response is the result of recursion on behalf - of a query received with the CD bit set; - - o The response is the result of a query generated directly via some - form of application interface which instructed the security-aware - resolver not to perform validation for this query; or - - o Validation for this query has been disabled by local policy. - - A security-aware resolver's support for signature verification MUST - include support for verification of wildcard owner names. - - Editors' note: The rest of this section is expected to change once - the WG reaches closure on Q-23. - - A security-aware resolver MUST attempt to retrieve missing DS, - DNSKEY, or RRSIG RRs via explicit queries if the resolver needs these - RRs in order to perform signature verification. - - - - -Arends, et al. Expires August 16, 2004 [Page 20] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - A security-aware resolver MUST attempt to retrieve a missing NSEC RR - which the resolver needs to authenticate a NODATA response. In - general it is not possible for a resolver to retrieve missing NSEC - RRs, since the resolver will have no way of knowing the owner name of - the missing NSEC RR, but in the specific case of a NODATA response, - the resolver may know the name of the missing NSEC RR, and in such - cases must therefore attempt to retrieve it. - - When attempting to retrieve missing NSEC RRs which reside on the - parental side at a zone cut, a security-aware iterative-mode resolver - MUST query the name servers for the parent zone, not the child zone. 
- - When attempting to retrieve a missing DS, a security-aware - iterative-mode resolver MUST query the name servers for the parent - zone, not the child zone. As explained in Section 3.1.4.1, - security-aware name servers need to apply special processing rules to - handle the DS RR, and in some situations the resolver may also need - to apply special rules to locate the name servers for the parent zone - if the resolver does not already have the parent's NS RRset. To - locate the parent NS RRset, the resolver can start with the - delegation name, strip off the leftmost label, and query for an NS - RRset by that name; if no NS RRset is present at that name, the - resolver then strips of the leftmost remaining label and retries the - query for that name, repeating this process of walking up the tree - until it either finds the NS RRset or runs out of labels. - - Editors' note: This algorithm could easily be read as an - invitation to careless implementors to hammer the root zone - servers. Better wording would be welcome. - - -4.3 Determining Security Status of Data - - Editors' note: This section is waiting for resolution of Q-28. - - A security-aware resolver MUST be able to determine whether or not it - should expect a particular RRset to be signed. More precisely, a - security-aware resolver must be able to distinguish between three - cases: - - 1. An RRset for which the resolver is able to build a chain of - signed DNSKEY and DS RRs from a trusted security anchor to the - RRset. In this case, the RRset should be signed, and is subject - to signature validation as described above. - - 2. An RRset for which the resolver knows that it has no chain of - signed DNSKEY and DS RRs from any trusted starting point to the - RRset. This can occur when the target RRset lies in an unsigned - - - -Arends, et al. Expires August 16, 2004 [Page 21] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - zone or in a descendent of an unsigned zone. 
In this case, the - RRset may or may not be signed, but the resolver will not be able - to verify the signature. - - 3. An RRset for which the resolver is not able to determine whether - or not the RRset should be signed, because the resolver is not - able to obtain the necessary DNSSEC RRs. This can occur when the - security-aware resolver is not able to contact security-aware - name servers for the relevant zones. - - -4.4 Preconfigured Public Keys - - A security-aware resolver MUST be capable of being preconfigured with - at least one trusted public key or DS RR, and SHOULD be capable of - being preconfigured with multiple trusted public keys or DS RRs. - Since a security-aware resolver will not be able to validate - signatures without such a preconfigured trusted key, the resolver - SHOULD have some reasonably robust mechanism for obtaining such keys - when it boots; examples of such a mechanism would be some form of - non-volatile storage (such as a disk drive) or some form of trusted - local network configuration mechanism. - -4.5 Response Caching - - Editors' note: RIPE "last call" workshop felt that the WG needs to - reexamine and discuss this section. - - A security-aware resolver SHOULD cache each response as a single - atomic entry containing the entire answer, including the named RRset - and any associated DNSSEC RRs. The resolver SHOULD discard the - entire atomic entry when any of the RRs contained in it expire. In - most cases the appropriate cache index for the atomic entry will be - the triple , but in cases such as the response - form described in Section 3.1.3.2 the appropriate cache index will be - the double . - -4.6 Handling of the CD and AD bits - - A security-aware resolver MAY set the CD bit in a query to one in - order to indicate that the resolver takes responsibility for - performing whatever authentication its local policy requires on the - RRsets in the response. 
See Section 3.2 for the effect this bit has - on the behavior of security-aware recursive name servers. - - A security-aware resolver MUST zero the AD bit when composing query - messages to protect against buggy name servers which blindly copy - header bits which they do not understand from the query message to - - - -Arends, et al. Expires August 16, 2004 [Page 22] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - the response message. - - A resolver MUST disregard the meaning of the CD and AD bits in a - response unless the response was obtained using a secure channel or - the resolver was specifically configured to regard the message header - bits without using a secure channel. - -4.7 Rate Limiting - - A security-aware resolver SHOULD NOT cache data with invalid - signatures under normal circumstances. However, a security-aware - resolver SHOULD take steps to rate limit the number of identical - queries that it generates if signature validation of the responses - fails repeatedly. - - Conceptually, this is similar in some respects to negative caching - [RFC2308], but since the resolver has no way of obtaining an - appropriate caching TTL from received data in this case, the TTL will - have to be set by the implementation. This document refers to the - data retained as part of such a rate limiting mechanism as the "BAD - cache". - - A security-aware resolver MAY chose to retain RRsets for which - signature validation has failed in its BAD cache, but MUST NOT return - such RRsets from its BAD cache unless both of the following - conditions are met: - - o The resolver has recently generated enough queries identical to - this one that the resolver is suppressing queries for this ; and - - o The resolver is not required to validate the signatures of the - RRsets in question under the rules given in Section 4 of this - document. 
- - The intent of the above rule is to provide the raw data to clients - which are capable of performing their own signature verification - checks while protecting clients which depend on this resolver to - perform such checks. Several of the possible reasons why signature - validation might fail involve conditions which may not apply equally - to this resolver and the client which invoked it: for example, this - resolver's clock may be set incorrectly, or the client may have - knowledge of a relevant island of security which this resolver does - not share. In such cases, "protecting" a client which is capable of - performing its own signature validation from ever seeing the "bad" - data does not help the client. - - - - - -Arends, et al. Expires August 16, 2004 [Page 23] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - -4.8 Stub resolvers - - A security-aware stub resolver MUST support the DNSSEC RR types, at - least to the extent of not mishandling responses just because they - contain DNSSEC RRs. - -4.8.1 Handling of the DO Bit - - A non-validating security-aware stub resolver MAY include the DNSSEC - RRs returned by a security-aware recursive name server as part of the - data that the stub resolver hands back to the application which - invoked it but is not required to do so. A non-validating stub - resolver that wishes to do this will need to set the DO bit in - receive DNSSEC RRs from the recursive name server. - - A validating security-aware stub resolver MUST set the DO bit, since - otherwise it will not receive the DNSSEC RRs it needs to perform - signature validation. - -4.8.2 Handling of the CD Bit - - A non-validating security-aware stub resolver SHOULD NOT set the CD - bit when sending queries unless requested by the application layer, - since by definition, a non-validating stub resolver depends on the - security-aware recursive name server to perform validation on its - behalf. 
- - A validating security-aware stub resolver SHOULD set the CD bit, - since otherwise the security-aware recursive name server will answer - the query using the name server's local policy, which may prevent the - stub resolver from receiving data which would be acceptable to the - stub resolver's local policy. - -4.8.3 Handling of the AD Bit - - A non-validating security-aware stub resolver MAY chose to examine - the setting of the AD bit in response messages that it receives in - order to determine whether the security-aware recursive name server - which sent the response claims to have cryptographically verified the - data in the Answer and Authority sections of the response message. - Note, however, that the responses received by a security-aware stub - resolver are heavily dependent on the local policy of the - security-aware recursive name server, so as a practical matter there - may be little practical value to checking the status of the AD bit - except perhaps as a debugging aid. In any case, a security-aware - stub resolver MUST NOT place any reliance on signature validation - allegedly performed on its behalf except when the security-aware stub - resolver obtained the data in question from a trusted security-aware - - - -Arends, et al. Expires August 16, 2004 [Page 24] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - recursive name server via a secure channel. - - A validating security-aware stub resolver SHOULD NOT examine the - setting of the AD bit in response messages, since, by definition, the - stub resolver performs its own signature validation regardless of the - setting of the AD bit. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 25] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - -5. 
Authenticating DNS Responses - - In order to use DNSSEC RRs for authentication, a security-aware - resolver requires preconfigured knowledge of at least one - authenticated DNSKEY or DS RR. The process for obtaining and - authenticating this initial DNSKEY or DS RR is achieved via some - external mechanism. For example, a resolver could use some off-line - authenticated exchange to obtain a zone's DNSKEY RR or obtain a DS RR - that identifies and authenticates a zone's DNSKEY RR. The remainder - of this section assumes that the resolver has somehow obtained an - initial set of authenticated DNSKEY RRs. - - An initial DNSKEY RR can be used to authenticate a zone's apex DNSKEY - RRset. To authenticate an apex DNSKEY RRset using an initial key, - the resolver MUST: - - 1. Verify that the initial DNSKEY RR appears in the apex DNSKEY - RRset, and verify that the DNSKEY RR MUST have the Zone Key Flag - (DNSKEY RDATA bit 7) set to one. - - 2. Verify that there is some RRSIG RR that covers the apex DNSKEY - RRset, and that the combination of the RRSIG RR and the initial - DNSKEY RR authenticates the DNSKEY RRset. The process for using - an RRSIG RR to authenticate an RRset is described in Section 5.3. - - Once the resolver has authenticated the apex DNSKEY RRset using an - initial DNSKEY RR, delegations from that zone can be authenticated - using DS RRs. This allows a resolver to start from an initial key, - and use DS RRsets to proceed recursively down the DNS tree obtaining - other apex DNSKEY RRsets. If the resolver were preconfigured with a - root DNSKEY RR, and if every delegation had a DS RR associated with - it, then the resolver could obtain and validate any apex DNSKEY - RRset. The process of using DS RRs to authenticate referrals is - described in Section 5.2. 
- - Once the resolver has authenticated a zone's apex DNSKEY RRset, - Section 5.3 shows how the resolver can use DNSKEY RRs in the apex - DNSKEY RRset and RRSIG RRs from the zone to authenticate any other - RRsets in the zone. Section 5.4 shows how the resolver can use - authenticated NSEC RRsets from the zone to prove that an RRset is not - present in the zone. - - When a resolver indicates support for DNSSEC (by setting the DO bit), - a security-aware name server should attempt to provide the necessary - DNSKEY, RRSIG, NSEC, and DS RRsets in a response (see Section 3). - However, a security-aware resolver may still receive a response that - that lacks the appropriate DNSSEC RRs, whether due to configuration - issues such as a security-oblivious recursive name server that - - - -Arends, et al. Expires August 16, 2004 [Page 26] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - accidentally interfere with DNSSEC RRs or due to a deliberate attack - in which an adversary forges a response, strips DNSSEC RRs from a - response, or modifies a query so that DNSSEC RRs appear not to be - requested. The absence of DNSSEC data in a response MUST NOT by - itself be taken as an indication that no authentication information - exists. - - A resolver SHOULD expect authentication information from signed - zones. A resolver SHOULD believe that a zone is signed if the - resolver has been configured with public key information for the - zone, or if the zone's parent is signed and the delegation from the - parent contains a DS RRset. - -5.1 Special Considerations for Islands of Security - - Islands of security (see [I-D.ietf-dnsext-dnssec-intro]) are signed - zones for which it is not possible to construct an authentication - chain to the zone from its parent. Validating signatures within an - island of security requires the validator to have some other means of - obtaining an initial authenticated zone key for the island. 
If a - validator cannot obtain such a key, it will have to choose whether to - accept the unvalidated responses or not based on local policy. - - All the normal processes for validating responses apply to islands of - security. The only difference between normal validation and - validation within an island of security is in how the validator - obtains a starting point for the authentication chain. - -5.2 Authenticating Referrals - - Once the apex DNSKEY RRset for a signed parent zone has been - authenticated, DS RRsets can be used to authenticate the delegation - to a signed child zone. A DS RR identifies a DNSKEY RR in the child - zone's apex DNSKEY RRset, and contains a cryptographic digest of the - child zone's DNSKEY RR. A strong cryptographic digest algorithm - ensures that an adversary can not easily generate a DNSKEY RR that - matches the digest. Thus, authenticating the digest allows a - resolver to authenticate the matching DNSKEY RR. The resolver can - then use this child DNSKEY RR to authenticate the entire child apex - DNSKEY RRset. - - Given a DS RR for a delegation, the child zone's apex DNSKEY RRset - can be authenticated if all of the following hold: - - o The DS RR has been authenticated using some DNSKEY RR in the - parent's apex DNSKEY RRset (see Section 5.3); - - o The Algorithm and Key Tag in the DS RR match the Algorithm field - - - -Arends, et al. Expires August 16, 2004 [Page 27] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - and the key tag of a DNSKEY RR in the child zone's apex DNSKEY - RRset that, when hashed using the digest algorithm specified in - the DS RR's Digest Type field, results in a digest value that - matches the Digest field of the DS RR; and - - o The matching DNSKEY RR in the child zone has the Zone Flag bit set - to one, the corresponding private key has signed the child zone's - apex DNSKEY RRset, and the resulting RRSIG RR authenticates the - child zone's apex DNSKEY RRset. 
- - If the referral from the parent zone did not contain a DS RRset, the - response should have included a signed NSEC RRset proving that no DS - RRset exists for the delegated name (see Section 3.1.4). A - security-aware resolver MUST query the name servers for the parent - zone for the DS RRset if the referral includes neither a DS RRset nor - a NSEC RRset proving that the DS RRset does not exist (see Section - 4). - - If the resolver authenticates an NSEC RRset that proves that no DS - RRset is present for this zone, then there is no authentication path - leading from the parent to the child. If the resolver has an initial - DNSKEY or DS RR that belongs to the child zone or to any delegation - below the child zone, this initial DNSKEY or DS RR MAY be used to - re-establish an authentication path. If no such initial DNSKEY or DS - RR exists, the resolver can not authenticate RRsets in or below the - child zone. - - Note that, for a signed delegation, there are two NSEC RRs associated - with the delegated name. One NSEC RR resides in the parent zone, and - can be used to prove whether a DS RRset exists for the delegated - name. The second NSEC RR resides in the child zone, and identifies - which RRsets are present at the apex of the child zone. The parent - NSEC RR and child NSEC RR can always be distinguished, since the SOA - bit will be set in the child NSEC RR and clear in the parent NSEC RR. - A security-aware resolver MUST use the parent NSEC RR when attempting - to prove that a DS RRset does not exist. - - If the resolver does not support any of the algorithms listed in an - authenticated DS RRset, then the resolver will not be able to verify - the authentication path to the child zone. In this case, the - resolver SHOULD treat the child zone as if it were unsigned. - -5.3 Authenticating an RRset Using an RRSIG RR - - A resolver can use an RRSIG RR and its corresponding DNSKEY RR to - attempt to authenticate RRsets. 
The resolver first checks the RRSIG - RR to verify that it covers the RRset, has a valid time interval, and - identifies a valid DNSKEY RR. The resolver then constructs the - - - -Arends, et al. Expires August 16, 2004 [Page 28] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - canonical form of the signed data by appending the RRSIG RDATA - (excluding the Signature Field) with the canonical form of the - covered RRset. Finally, resolver uses the public key and signature - to authenticate the signed data. Section 5.3.1, Section 5.3.2, and - Section 5.3.3 describe each step in detail. - -5.3.1 Checking the RRSIG RR Validity - - A security-aware resolver can use an RRSIG RR to authenticate an - RRset if all of the following conditions hold: - - o The RRSIG RR and the RRset MUST have the same owner name and the - same class; - - o The RRSIG RR's Signer's Name field MUST be the name of the zone - that contains the RRset; - - o The RRSIG RR's Type Covered field MUST equal the RRset's type; - - o The number of labels in the RRset owner name MUST be greater than - or equal to the value in the RRSIG RR's Labels field; - - o The resolver's notion of the current time MUST be less than or - equal to the time listed in the RRSIG RR's Expiration field; - - o The resolver's notion of the current time MUST be greater than or - equal to the time listed in the RRSIG RR's Inception field; - - o The RRSIG RR's Signer's Name, Algorithm, and Key Tag fields MUST - match the owner name, algorithm, and key tag for some DNSKEY RR in - the zone's apex DNSKEY RRset; - - o The matching DNSKEY RR MUST be present in the zone's apex DNSKEY - RRset, and MUST have the Zone Flag bit (DNSKEY RDATA Flag bit 7) - set to one. - - It is possible for more than one DNSKEY RR to match the conditions - above. 
In this case, the resolver can not predetermine which DNSKEY - RR to use to authenticate the signature, MUST try each matching - DNSKEY RR until the resolver has either validated the signature or - has run out of matching public keys to try. - - Note that this authentication process is only meaningful if the - resolver authenticates the DNSKEY RR before using it to validate - signatures. The matching DNSKEY RR is considered to be authentic if: - - o The apex DNSKEY RRset containing the DNSKEY RR is considered - authentic; or - - - -Arends, et al. Expires August 16, 2004 [Page 29] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - o The RRset covered by the RRSIG RR is the apex DNSKEY RRset itself, - and the DNSKEY RR either matches an authenticated DS RR from the - parent zone or matches a DS RR or DNSKEY RR that the resolver has - been preconfigured to believe to be authentic. - - -5.3.2 Reconstructing the Signed Data - - Once the RRSIG RR has met the validity requirements described in - Section 5.3.1, the resolver needs to reconstruct the original signed - data. The original signed data includes RRSIG RDATA (excluding the - Signature field) and the canonical form of the RRset. Aside from - being ordered, the canonical form of the RRset might also differ from - the received RRset due to DNS name compression, decremented TTLs, or - wildcard expansion. The resolver should use the following to - reconstruct the original signed data: - - signed_data = RRSIG_RDATA | RR(1) | RR(2)... where - - "|" denotes concatenation - - RRSIG_RDATA is the wire format of the RRSIG RDATA fields - with the Signature field excluded and the Signer's Name - in canonical form. 
- - RR(i) = name | class | type | OrigTTL | RDATA length | RDATA - - name is calculated according to the function below - - class is the RRset's class - - type is the RRset type and all RRs in the class - - OrigTTL is the value from the RRSIG Original TTL field - - All names in the RDATA field are in canonical form - - The set of all RR(i) is sorted into canonical order. - - To calculate the name: - let rrsig_labels = the value of the RRSIG Labels field - - let fqdn = RRset's fully qualified domain name in - canonical form - - let fqdn_labels = Label count of the fqdn above. - - if rrsig_labels = fqdn_labels, - - - -Arends, et al. Expires August 16, 2004 [Page 30] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - name = fqdn - - if rrsig_labels < fqdn_labels, - name = "*." | the rightmost rrsig_label labels of the - fqdn - - if rrsig_labels > fqdn_labels - the RRSIG RR did not pass the necessary validation - checks and MUST NOT be used to authenticate this - RRset. - - The canonical forms for names and RRsets are defined in - [I-D.ietf-dnsext-dnssec-records]. - - NSEC RRsets at a delegation boundary require special processing. - There are two distinct NSEC RRsets associated with a signed delegated - name. One NSEC RRset resides in the parent zone, and specifies which - RRset are present at the parent zone. The second NSEC RRset resides - at the child zone, and identifies which RRsets are present at the - apex in the child zone. The parent NSEC RRset and child NSEC RRset - can always be distinguished since only the child NSEC RRs will - specify an SOA RRset exists at the name. When reconstructing the - original NSEC RRset for the delegation from the parent zone, the NSEC - RRs MUST NOT be combined with NSEC RRs from the child zone, and when - reconstructing the original NSEC RRset for the apex of the child - zone, the NSEC RRs MUST NOT be combined with NSEC RRs from the parent - zone. 
- - Note also that each of the two NSEC RRsets at a delegation point has - a corresponding RRSIG RR with an owner name matching the delegated - name, and each of these RRSIG RRs is authoritative data associated - with the same zone that contains the corresponding NSEC RRset. If - necessary, a resolver can tell these RRSIG RRs apart by checking the - Signer's Name field. - -5.3.3 Checking the Signature - - Once the resolver has validated the RRSIG RR as described in Section - 5.3.1 and reconstructed the original signed data as described in - Section 5.3.2, the resolver can attempt to use the cryptographic - signature to authenticate the signed data, and thus (finally!) - authenticate the RRset. - - The Algorithm field in the RRSIG RR identifies the cryptographic - algorithm used to generate the signature. The signature itself is - contained in the Signature field of the RRSIG RDATA, and the public - key used to verify the signature is contained in the Public Key field - of the matching DNSKEY RR(s) (found in Section 5.3.1). - - - -Arends, et al. Expires August 16, 2004 [Page 31] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - [I-D.ietf-dnsext-dnssec-records] provides a list of algorithm types, - and provides pointers to the documents that define each algorithm's - use. - - Note that it is possible for more than one DNSKEY RR to match the - conditions in Section 5.3.1. In this case, the resolver can only - determine which DNSKEY RR by trying each matching public key until - the resolver either succeeds in validating the signature or runs out - of keys to try. - - If the Labels field of the RRSIG RR is not equal to the number of - labels in the RRset's fully qualified owner name, then the RRset is - either invalid or the result of wildcard expansion. The resolver - MUST verify that wildcard expansion was applied properly before - considering the RRset to be authentic. 
Section 5.3.4 describes how - to determine whether a wildcard was applied properly. - - If other RRSIG RRs also cover this RRset, the local resolver security - policy determines whether the resolver also needs to test these RRSIG - RRs, and determines how to resolve conflicts if these RRSIG RRs lead - to differing results. - - If the resolver accepts the RRset as authentic, the resolver MUST set - the TTL of the RRSIG RR and each RR in the authenticated RRset to a - value no greater than the minimum of: - - o The RRset's TTL as received in the response; - - o The RRSIG RR's TTL as received in the response; and - - o The value in the RRSIG RR's Original TTL field. - - -5.3.4 Authenticating A Wildcard Expanded RRset Positive Response - - If the number of labels in an RRset's owner name is greater than the - Labels field of the covering RRSIG RR, then the RRset and its - covering RRSIG RR were created as a result of wildcard expansion. - Once the resolver has verified the signature as described in Section - 5.3, the resolver must take additional steps to verify the - non-existence of an exact match or closer wildcard match for the - query. Section 5.4 discusses these steps. - - Note that the response received by the resolver should include all - NSEC RRs needed to authenticate the response (see Section 3.1.3). - -5.4 Authenticated Denial of Existence - - - - -Arends, et al. Expires August 16, 2004 [Page 32] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - A resolver can use authenticated NSEC RRs to prove that an RRset is - not present in a signed zone. Security-aware name servers should - automatically include any necessary NSEC RRs for signed zones in - their responses to security-aware resolvers. 
- - Security-aware resolvers MUST first authenticate NSEC RRsets - according to the standard RRset authentication rules described in - Section 5.3, then apply the NSEC RRsets as follows: - - o If the requested RR name matches the owner name of an - authenticated NSEC RR, then the NSEC RR's type bit map field lists - all RR types present at that owner name, and a resolver can prove - that the requested RR type does not exist by checking for the RR - type in the bit map. If the number of labels in an authenticated - NSEC RR's owner name equals the Labels field of the covering RRSIG - RR, then the existence of the NSEC RR proves that wildcard - expansion could not have been used to match the request. - - o If the requested RR name would appear after an authenticated NSEC - RR's owner name and before the name listed in that NSEC RR's Next - Domain Name field according to the canonical DNS name order - defined in [I-D.ietf-dnsext-dnssec-records], then no RRsets with - the requested name exist in the zone. However, it is possible - that a wildcard could be used to match the requested RR owner name - and type, so proving that the requested RRset does not exist also - requires proving that no possible wildcard RRset exists that could - have been used to generate a positive response. - - To prove non-existence of an RRset, the resolver must be able to - verify both that the queried RRset does not exist and that no - relevant wildcard RRset exists. Proving this may require more than - one NSEC RRset from the zone. If the complete set of necessary NSEC - RRsets is not present in a response (perhaps due to message - truncation), then a security-aware resolver MUST resend the query in - order to attempt to obtain the full collection of NSEC RRs necessary - to verify non-existence of the requested RRset. As with all DNS - operations, however, the resolver MUST bound the work it puts into - answering any particular query. 
- - Since a verified NSEC RR proves the existence of both itself and its - corresponding RRSIG RR, a verifier MUST ignore the settings of the - NSEC and RRSIG bits in an NSEC RR. - -5.5 Authentication Example - - Appendix C shows an example the authentication process. - - - - - -Arends, et al. Expires August 16, 2004 [Page 33] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - -6. IANA Considerations - - [I-D.ietf-dnsext-dnssec-records] contains a review of the IANA - considerations introduced by DNSSEC. The additional IANA - considerations discussed in this document: - - [RFC2535] reserved the CD and AD bits in the message header. The - meaning of the AD bit was redefined in [RFC3655] and the meaning of - both the CD and AD bit are restated in this document. No new bits in - the DNS message header are defined in this document. - - [RFC2671] introduced EDNS and [RFC3225] reserved the DNSSEC OK bit - and defined its use. The use is restated but not altered in this - document. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 34] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - -7. Security Considerations - - This document describes how the DNS security extensions use public - key cryptography to sign and authenticate DNS resource record sets. - Please see [I-D.ietf-dnsext-dnssec-intro] for terminology and general - security considerations related to DNSSEC; see - [I-D.ietf-dnsext-dnssec-intro] for considerations specific to the - DNSSEC resource record types. - - An active attacker who can set the CD bit in a DNS query message or - the AD bit in a DNS response message can use these bits to defeat the - protection which DNSSEC attempts to provide to security-oblivious - recursive-mode resolvers. For this reason, use of these control bits - by a security-aware recursive-mode resolver requires a secure - channel. 
See Section 3.2.2 and Section 4.8 for further discussion. - - The protocol described in this document attempts to extend the - benefits of DNSSEC to security-oblivious stub resolvers. However, - since recovery from validation failures is likely to be specific to - particular applications, the facilities that DNSSEC provides for stub - resolvers may prove inadequate. Operators of security-aware - recursive name servers will need to pay close attention to the - behavior of the applications which use their services when choosing a - local validation policy; failure to do so could easily result in the - recursive name server accidently denying service to the clients it is - intended to support. - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 35] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - -8. Acknowledgements - - This document was created from the input and ideas of the members of - the DNS Extensions Working Group and working group mailing list. The - editors would like to express their thanks for the comments and - suggestions received during the revision of these security extension - specifications. While explicitly listing everyone who has - contributed during the decade during which DNSSEC has been under - development would be an impossible task, - [I-D.ietf-dnsext-dnssec-intro] includes a list of some of the - participants who were kind enough to comment on these documents. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 36] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - -Normative References - - [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", - STD 13, RFC 1034, November 1987. - - [RFC1035] Mockapetris, P., "Domain names - implementation and - specification", STD 13, RFC 1035, November 1987. - - [RFC1982] Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982, - August 1996. 
- - [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate - Requirement Levels", BCP 14, RFC 2119, March 1997. - - [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS - Specification", RFC 2181, July 1997. - - [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC - 2671, August 1999. - - [RFC3225] Conrad, D., "Indicating Resolver Support of DNSSEC", RFC - 3225, December 2001. - - [RFC3226] Gudmundsson, O., "DNSSEC and IPv6 A6 aware server/resolver - message size requirements", RFC 3226, December 2001. - - [I-D.ietf-dnsext-dnssec-intro] - Arends, R., Austein, R., Larson, M., Massey, D. and S. - Rose, "DNS Security Introduction and Requirements", - draft-ietf-dnsext-dnssec-intro-09 (work in progress), - February 2004. - - [I-D.ietf-dnsext-dnssec-records] - Arends, R., Austein, R., Larson, M., Massey, D. and S. - Rose, "Resource Records for DNS Security Extensions", - draft-ietf-dnsext-dnssec-records-07 (work in progress), - February 2004. - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 37] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - -Informative References - - [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS - NCACHE)", RFC 2308, March 1998. - - [RFC2535] Eastlake, D., "Domain Name System Security Extensions", - RFC 2535, March 1999. - - [RFC2930] Eastlake, D., "Secret Key Establishment for DNS (TKEY - RR)", RFC 2930, September 2000. - - [RFC2931] Eastlake, D., "DNS Request and Transaction Signatures ( - SIG(0)s)", RFC 2931, September 2000. - - [RFC3655] Wellington, B. and O. Gudmundsson, "Redefinition of DNS - Authenticated Data (AD) bit", RFC 3655, November 2003. - - [RFC3658] Gudmundsson, O., "Delegation Signer (DS) Resource Record - (RR)", RFC 3658, December 2003. - - [I-D.ietf-dnsext-wcard-clarify] - Halley, B. and E. Lewis, "Clarifying the Role of Wild Card - Domains in the Domain Name System", - draft-ietf-dnsext-wcard-clarify-02 (work in progress), - September 2003. 
- - -Authors' Addresses - - Roy Arends - Telematica Instituut - Drienerlolaan 5 - 7522 NB Enschede - NL - - EMail: roy.arends@telin.nl - - - Matt Larson - VeriSign, Inc. - 21345 Ridgetop Circle - Dulles, VA 20166-6503 - USA - - EMail: mlarson@verisign.com - - - - - - -Arends, et al. Expires August 16, 2004 [Page 38] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - Rob Austein - Internet Systems Consortium - 950 Charter Street - Redwood City, CA 94063 - USA - - EMail: sra@isc.org - - - Dan Massey - USC Information Sciences Institute - 3811 N. Fairfax Drive - Arlington, VA 22203 - USA - - EMail: masseyd@isi.edu - - - Scott Rose - National Institute for Standards and Technology - 100 Bureau Drive - Gaithersburg, MD 20899-8920 - USA - - EMail: scott.rose@nist.gov - - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 39] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - -Appendix A. Signed Zone Example - - The following example shows a (small) complete signed zone. - - example. 3600 IN SOA ns1.example. bugs.x.w.example. ( - 1071609350 - 3600 - 300 - 3600000 - 3600 - ) - 3600 RRSIG SOA 5 1 3600 20040115201552 ( - 20031216201552 41681 example. - F1KxMLu2zwDUFgUtdAqCq6F9zkaIPb3B7dzA - hRLp8riOMQQgCCQ4x9KvSu2xLJa539jQIRW0 - VBU6+FZWzC2IJcc5liv2SXzyfiPu8diB9+Bj - CSITjVX0IGrQgd+PKkaTxWQzG9TDZ2TtgnyM - owLe/OV+Qqqic7ShV/S9l2YJF9I= ) - 3600 NS ns1.example. - 3600 NS ns2.example. - 3600 RRSIG NS 5 1 3600 20040115201552 ( - 20031216201552 41681 example. - YgTFj4yXRzbOddwfOTQhLHGPWm7x55ZRoPVz - +bxuPHTozw3I2gpno81Em1RuVekWJHivAvQj - s1h72oh+ipBadjCGSRu46u1T9JYUSLxLecgY - eEw9qDeQIoZHRny5bYrX1x87ItEo5+n1lwOH - FTVyQbVkcaxQ6U2FbZtMbfo//go= ) - 3600 MX 1 xx.example. - 3600 RRSIG MX 5 1 3600 20040115201552 ( - 20031216201552 41681 example. 
- JE9Kcx4NaXpaO2Jjyo5yi+DT6wgxwregHg18 - 7xOOF0KjIYQpaoFY3Kp8MAKT7aupZpr5DmHe - IpBNI6jC59A2uNVP+6UfqAyJMoNnq9d/paM+ - M+adwb+xrT+dZYpFZzyeXPmBqA/PVAtw1d5Q - 7wxkDWyzgasGiMNIKgYrm9vXz04= ) - 3600 NSEC a.example. NS SOA MX RRSIG NSEC DNSKEY - 3600 RRSIG NSEC 5 1 3600 20040115201552 ( - 20031216201552 41681 example. - kE9ARiewdQSCsLXY9ldasZEW54kKhfEN2lsT - vDD4biJsTPeaOXJ6bJ7s0CvybknENin3uqIX - TAy6bsL919sEI3/SoHiRCwHalVmUPIWCsz4g - Ee7gkQ+1uFzi7L8LGX9NjQI74s3M//OW2+T4 - 7T/nOEOVZujD8IN/Utv+KUg+P6U= ) - 3600 DNSKEY 256 3 5 ( - AQPmfvH5TF0S/vnd08C9EbVlG/+wbmFecyjH - UtEh3d8h045BE36XSbr0XZU6kPLgA/Shf7TV - fKduDMH7ASlP8MpUX4ci9ZiXffBjUKvsHORv - BgtAcUYRofvzRZ/jl078bI/JJg9ee4ndY6FO - - - -Arends, et al. Expires August 16, 2004 [Page 40] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - 5LtAM3ElSpRIIhAm4b2c69IMdwrU2Q== - ) - 3600 DNSKEY 257 3 5 ( - AQOwHAYrbYVzzKHF0PDHSt4zY+Vz1+yLz1/U - Pv2j2nukkWKLipnqg8X2vI754SRpqwpPCKpv - klUr36CE0byYLOpRE5WlKZjXm3uzDFIVdHUE - 2lFwkMP9tSHUrXbjypiZWZP71qNuBeYCDAyT - nLu7mxrT1Y7GdSV7I6vwt0mDSWQDXQ== - ) - 3600 RRSIG DNSKEY 5 1 3600 20040115201552 ( - 20031216201552 41681 example. - Pkxt/YJHVcnm3+56YGYziM69NDFJDEernUEU - pU1yBY8H7TlvIWhJz/qHsWcPt79ri0lP0Ho5 - YDVp6GOFxBcR/7ejtV/izHO5tb88WM8xJLNc - tJZeSSVG62kt1q5fiKKsxhhpqZFQgc+h6htG - PjJstq6fvRq8kX7TPJcljUmDFKM= ) - 3600 RRSIG DNSKEY 5 1 3600 20040115201552 ( - 20031216201552 60717 example. - EVJnkWJSUTdaxIRX374Ki84OhYRYB+7TM/Z/ - C8ufeGjcZkAPpkA3XjPao+4kG/lR/qW8oyNK - L0g5BI9fkcptXjf+0y3n5y/con6f+FOwHgdY - J7/fjSW27L3Je0MSrR3T/RNaokZafWDCT/34 - Uu/YHFJKdBxs7sMeSBJ4UPm2uwc= ) - a.example. 3600 IN NS ns1.a.example. - 3600 IN NS ns2.a.example. - 3600 DS 48327 5 1 ( - DFEB5E00E71A4DED5CABBBD7F15F24871983 - CAB7 ) - 3600 RRSIG DS 5 2 3600 20040115201552 ( - 20031216201552 41681 example. 
- wj4ME4MuuZN77PGiE8xgBmCXpRpUocRJLbW/ - hBbMGk2qtA9ose1Jr2F9rOU6zvU9Z0HQgxnb - rSBfaeCZFmk3yOlo9Uqref4ukk9hwIjzxo7c - ZbJstCYWiLF57i1k5Cj6npMbUZSIgRGcB+dC - 0yfe2uolEkeegjesDZuF+fC61Eg= ) - 3600 NSEC ai.example. NS DS RRSIG NSEC - 3600 RRSIG NSEC 5 2 3600 20040115201552 ( - 20031216201552 41681 example. - iq8exEVhvdx4s3w3VmK3Mzfngwpmpv3NwOpb - RMtgba/u5kyD4Mf03jyLtJLUevry2rZcRjF1 - 3kDuKmewJ0jWA4sMuljJpx10rhvwlcKaJE3O - ViEb66GFqDxCXExikKWsPm8qckYZLQ7ABNjf - YgfAHJEJJj7K88QbKEK4/Je1hyk= ) - ns1.a.example. 3600 IN A 192.0.2.5 - ns2.a.example. 3600 IN A 192.0.2.6 - ai.example. 3600 IN A 192.0.2.9 - 3600 RRSIG A 5 2 3600 20040115201552 ( - 20031216201552 41681 example. - - - -Arends, et al. Expires August 16, 2004 [Page 41] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - hxNyPE9Wn675NDH/IpB2LZzhrUtV9eEndid8 - jiteGyki6CAEJKm1Dr2bjlrzdgfFBrpIac9c - Up4zMlAkitX/7D9vFus8nLSvEHngpdc12Hlk - OrvT0EsYA2XeQ0h3PPQk5FcK2ekxZvw5Zm7A - sWifTxvcG5hv+A6TOd0O2xJYRik= ) - 3600 HINFO "KLH-10" "ITS" - 3600 RRSIG HINFO 5 2 3600 20040115201552 ( - 20031216201552 41681 example. - 4aSnKLykRT7htnnS8HtlM0YLMwU1Z92pvf/C - hxETE5B6W8x+uJs9KV9nlZ/B6TNk4nFRgKg2 - KpKvEq7xUybNKwbbeGZE9n2fDH0FeDgHjqW2 - Ke0lQuszRxjx+McTEqVJMyHrBKnqNdUh1G92 - xo9NLoltg0GuwggZM240pRoTwO8= ) - 3600 AAAA 2001:db8::f00:baa9 - 3600 RRSIG AAAA 5 2 3600 20040115201552 ( - 20031216201552 41681 example. - oq16/pU4MuvkgQyFqGrHqggz47i6iZL714u5 - 9UsmGM1Y/qyQZsR4wi6hC2zIWXNJxIPIhitJ - G6M5pjExUH/vOe0DIW73t/NHzcj0zOjxAPEI - A+jBlOwn2EY5q87PMzBIeHWSx7DxtEIMC8XI - zkK+1+Z5aqj1pmZ4yXUvd2znGnQ= ) - 3600 NSEC b.example. A HINFO AAAA RRSIG NSEC - 3600 RRSIG NSEC 5 2 3600 20040115201552 ( - 20031216201552 41681 example. - Xr3qBss/U0yN12SL2stWs0AACeQjvRms9+xE - ishTjb4B/XQ8yAfAmby5yF5DKR8900M0hT3Y - ikp/wIF4TmtH5W7UFN13To/GWGJygaa7wyzU - 4AtgtRwmmevSAgzxhC7yRXUWyhpfQoW7zwpR - ovChG5Ih3TOa8Qnch4IJQVfSFNU= ) - b.example. 3600 IN NS ns1.b.example. - 3600 IN NS ns2.b.example. - 3600 NSEC ns1.example. 
NS RRSIG NSEC - 3600 RRSIG NSEC 5 2 3600 20040115201552 ( - 20031216201552 41681 example. - nFufQRM2UtSYTAwQaKEnIpua5ZHLqJrcLGAs - VUpLoPOEsAXex1N3uIJQWmoXnr9Up00G7jbW - VOVaLUvXR7b/4sQkyQLbOl9GpWiA1NYjPneN - k3i+OWi3NmvRN71CuNky87DrVg0p2Mf2MjLX - GRIZP9W1bgeDHZRcCNz2hQ67SgY= ) - ns1.b.example. 3600 IN A 192.0.2.7 - ns2.b.example. 3600 IN A 192.0.2.8 - ns1.example. 3600 IN A 192.0.2.1 - 3600 RRSIG A 5 2 3600 20040115201552 ( - 20031216201552 41681 example. - 5FrF88yOT6iiBdkiQLqaXkma0gCQza5/kLK7 - CgoMNlCR2QYhsur2X7Fex2/OYEmOkzOqO7Gs - RoIc4e3nt+kfpd/4Htp9T5v+NXmMVPmW3Jmf - +ZGpEf86AI7Rw3x2bSmVOzsxa4xUxE+DuINa - - - -Arends, et al. Expires August 16, 2004 [Page 42] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - WNJ/ulvIFa20d0xtlB7jazNCZ3Y= ) - 3600 NSEC ns2.example. A RRSIG NSEC - 3600 RRSIG NSEC 5 2 3600 20040115201552 ( - 20031216201552 41681 example. - WaeyPcQtFjXj4cxDcqVseuhZPA4K/qSb7ylZ - sj55rJ8OqEKDYt71e1MT3F5p76wKtLaPmoc0 - eLGnDD+Xouu/tWXtsjj5QpMhl13DUD0GLBiA - s/wwxreW0SWkh4JJirodDE7vSIiI6gPJYhIj - I2A5W86mMEbSgEF/pZHX/wi5FJI= ) - ns2.example. 3600 IN A 192.0.2.2 - 3600 RRSIG A 5 2 3600 20040115201552 ( - 20031216201552 41681 example. - sfFOjxKZz1LMhyDfmB43RhIUVOHlVbLtP0lL - xBsxcHt48NKLth81pzSWRFQfUtMCjaGWMtuK - HFEVaAQXcwllWXXLbVpc9a32govT+hsapcht - sPyxkcEpYEFTtB93edKRVQ0IgZBPOI02R6vG - wCbeY0Rl8MIRcAaiIkFos/8hd1g= ) - 3600 NSEC *.w.example. A RRSIG NSEC - 3600 RRSIG NSEC 5 2 3600 20040115201552 ( - 20031216201552 41681 example. - Vxovi9gQjxqYBI5QF2ZcbZ/5my7C+22uXKVb - IN5dmV82uu2TqJ4g2a2KKywlVi+4Kcnm4O3b - f7pV4g7pcQopa9AFiY8byFrPftuNvraDyp6J - aPllr/HnIPGP4Vw78LKW4n812K2VxV8p/IJl - yCup5bk/Dr47eU2/6+lqrBTOV8Q= ) - *.w.example. 3600 IN MX 1 ai.example. - 3600 RRSIG MX 5 2 3600 20040115201552 ( - 20031216201552 41681 example. 
- mzcZPkLFaFycrnJuHY8LHdmvmyD8prPbQXHg - OXuGLRpO+qRU04v97KYNy8si1Ijmo85nI4Ns - Hl2+WpbMguW9gyPpdHqIYkKJbOrX2b4bz6WA - n7NlR05Rf2tE3e54a1LP0po55yqGtxdPKWOK - 91Ena87PA2MvoOE+A3ZpEk8MjEE= ) - 3600 NSEC x.w.example. MX RRSIG NSEC - 3600 RRSIG NSEC 5 2 3600 20040115201552 ( - 20031216201552 41681 example. - OeBMvLlBam90xU/KxvyAYBNGWpvMf1TbaJFr - f0Ip+tTkiqeEE8fx2ZAg1JcY9uhldms/9y45 - 9HxO9Q3ZO6jfQzsx62YQaBte85d/Udhzf4AK - /RHsZGSOabsu6DhacWC2Ew7vEgcMfiPHFzWW - ANi1i3zhPOd3+Vjt4IQzaJXqVZE= ) - x.w.example. 3600 IN MX 1 xx.example. - 3600 RRSIG MX 5 3 3600 20040115201552 ( - 20031216201552 41681 example. - g2H7+tChKsYRqxDkrLZgraaKBF2pah6YNCEW - ORmXLzrB6RWtXbjVHXjagBhZYsMPzkPqwn4m - 8IYSaPD0X3z001aXsgsh9WF+AOgbqa0eoIIY - MHIEJ9MHB5cS33XXv2fY6iFmjLuZUz+pNSfv - - - -Arends, et al. Expires August 16, 2004 [Page 43] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - btznHMFDIbtuw/tAX7xXH2pDDHY= ) - 3600 NSEC x.y.w.example. MX RRSIG NSEC - 3600 RRSIG NSEC 5 3 3600 20040115201552 ( - 20031216201552 41681 example. - zwAU3bQHLeDawvqbvlmNosGMGDz9wdEe/iia - CU8DbanqOzUiPfqEgBN3evFMpGBM9H3zMjGA - EjnP4fMerk7dzD8jfyLzNdCGsJjPtnEgctGA - aNd+NGtSmedzeNGvlj7mNxnAdqHFY1c902pT - 3lMXiX4KNWUhB87q/pT/5z+xrqY= ) - x.y.w.example. 3600 IN MX 1 xx.example. - 3600 RRSIG MX 5 4 3600 20040115201552 ( - 20031216201552 41681 example. - slLY7KbPseET3XMJz/yGJBJpDczy1N2W4SAD - v5Jx/osOWviEJBpUEwRndX+VmsmQJqKsQxtE - unmxl4Sh9cuVyALJy1ByF9hZ0+E3i35qoxOK - Oe+JZyiEiebZfZ8doH5J+keCkIQ8EHzw8Hnk - Iykd5UmaTO5j4LlRnAvF8Z1m9/k= ) - 3600 NSEC xx.example. MX RRSIG NSEC - 3600 RRSIG NSEC 5 4 3600 20040115201552 ( - 20031216201552 41681 example. - sjHnEm4kiIK64bRskNc3vxEHe12l9Lg8Y7G8 - VsXMUEEDeBCB3qlrGQeqhdl+gsQGRBiOA8Jj - Jr5F9RNZepVLGv+t5fALeoe0gLHsWoTlfTdq - AJ8a2E5BZYYvy9hjh9Y4Kqd23HOv21o2OC0J - viOQHZ6I4xoZQP5G7r98/PhlrLM= ) - xx.example. 3600 IN A 192.0.2.10 - 3600 RRSIG A 5 2 3600 20040115201552 ( - 20031216201552 41681 example. 
- fQfj8RhKKhC2vI0OJxgnZLeXFhpMmpjwV/ap - tCkUP1YagLF9gB4NLRUrV1QO/e1f2zyxSngq - iDW9yUJjKQcv9EWzbDd0kzXxPu11y/iS7oMS - KOsVB4Mp7BM5q2kcBXBrM+Rr0eibvBXmHs8G - 0ToQVY81bPc3WXKZjRxQl3jiKtU= ) - 3600 HINFO "KLH-10" "TOPS-20" - 3600 RRSIG HINFO 5 2 3600 20040115201552 ( - 20031216201552 41681 example. - fZIotOyJqpRTZ0KH5lsZIksuyslAMckBclZw - p3LJiaYAibf+rwNFpS3CPUFsyCrA8UL+iVfA - gTxa6O8+yKYsDXZ2x6wPPDqmBEeHT1XiKEA/ - pC+O35tVS6oLMYWJyGAGBJitXZQGr+MiBvSp - EDXT07qFXtGntvBSpF9uQbEub6Y= ) - 3600 AAAA 2001:db8::f00:baaa - 3600 RRSIG AAAA 5 2 3600 20040115201552 ( - 20031216201552 41681 example. - kLh5dTA0XBIIjEV/guGo9pEOKNZ0Elvbuhm2 - dFbnHuZ1tLirjzCYr8CsmF9bSIKLbiMRc/SD - mDhMUKFMhsVqCMwqfYjxXvTOG21BKyCki0Gg - CgvRD47lC4NnCSaB6B6Ysj0Aupv75Nnqwi9Z - - - -Arends, et al. Expires August 16, 2004 [Page 44] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - D4ZubIon0XGe9fIjLnmb3pX/FUk= ) - 3600 NSEC example. A HINFO AAAA RRSIG NSEC - 3600 RRSIG NSEC 5 2 3600 20040115201552 ( - 20031216201552 41681 example. - sbF8bfC6zqyuio2iov0C9byDCejWvxMJYgjn - uy3nXbvVXXzcA+d2zG6uPQ8VLRSolCE+OQqE - NsABxmoBhBwdxCrCpnU8SvzAkrRLwuOqAu1a - 1yBIfd352PHkQg1sxVDHGoFo3cFKzvkuD187 - sSNF3PAC0HPadh7SdHmXlFQtQ44= ) - - The apex DNSKEY set includes two DNSKEY RRs, and the DNSKEY RDATA - Flags indicate that each of these DNSKEY RRs is a zone key. One of - these DNSKEY RRs also has the SEP flag set and has been used to sign - the apex DNSKEY RRset; this is the key which should be hashed to - generate a DS record to be inserted into the parent zone. The other - DNSKEY is used to sign all the other RRsets in the zone. - - The zone includes a wildcard entry "*.w.example". Note that the name - "*.w.example" is used in constructing NSEC chains, and that the RRSIG - covering the "*.w.example" MX RRset has a label count of 2. - - The zone also includes two delegations. 
The delegation to - "b.example" includes an NS RRset, glue address records, and an NSEC - RR; note that only the NSEC RRset is signed. The delegation to - "a.example" provides a DS RR; note that only the NSEC and DS RRsets - are signed. - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 45] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - -Appendix B. Example Responses - - The examples in this section show response messages using the signed - zone example in Appendix A. - -B.1 Answer - - A successful query to an authoritative server. - - ;; Header: QR AA DO RCODE=0 - ;; - ;; Question - x.w.example. IN MX - - ;; Answer - x.w.example. 3600 IN MX 1 xx.example. - x.w.example. 3600 RRSIG MX 5 3 3600 20040115201552 ( - 20031216201552 41681 example. - g2H7+tChKsYRqxDkrLZgraaKBF2pah6YNCEW - ORmXLzrB6RWtXbjVHXjagBhZYsMPzkPqwn4m - 8IYSaPD0X3z001aXsgsh9WF+AOgbqa0eoIIY - MHIEJ9MHB5cS33XXv2fY6iFmjLuZUz+pNSfv - btznHMFDIbtuw/tAX7xXH2pDDHY= ) - - ;; Authority - example. 3600 NS ns1.example. - example. 3600 NS ns2.example. - example. 3600 RRSIG NS 5 1 3600 20040115201552 ( - 20031216201552 41681 example. - YgTFj4yXRzbOddwfOTQhLHGPWm7x55ZRoPVz - +bxuPHTozw3I2gpno81Em1RuVekWJHivAvQj - s1h72oh+ipBadjCGSRu46u1T9JYUSLxLecgY - eEw9qDeQIoZHRny5bYrX1x87ItEo5+n1lwOH - FTVyQbVkcaxQ6U2FbZtMbfo//go= ) - - ;; Additional - xx.example. 3600 IN A 192.0.2.10 - xx.example. 3600 RRSIG A 5 2 3600 20040115201552 ( - 20031216201552 41681 example. - fQfj8RhKKhC2vI0OJxgnZLeXFhpMmpjwV/ap - tCkUP1YagLF9gB4NLRUrV1QO/e1f2zyxSngq - iDW9yUJjKQcv9EWzbDd0kzXxPu11y/iS7oMS - KOsVB4Mp7BM5q2kcBXBrM+Rr0eibvBXmHs8G - 0ToQVY81bPc3WXKZjRxQl3jiKtU= ) - xx.example. 3600 AAAA 2001:db8::f00:baaa - xx.example. 3600 RRSIG AAAA 5 2 3600 20040115201552 ( - 20031216201552 41681 example. - kLh5dTA0XBIIjEV/guGo9pEOKNZ0Elvbuhm2 - - - -Arends, et al. 
Expires August 16, 2004 [Page 46] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - dFbnHuZ1tLirjzCYr8CsmF9bSIKLbiMRc/SD - mDhMUKFMhsVqCMwqfYjxXvTOG21BKyCki0Gg - CgvRD47lC4NnCSaB6B6Ysj0Aupv75Nnqwi9Z - D4ZubIon0XGe9fIjLnmb3pX/FUk= ) - ns1.example. 3600 IN A 192.0.2.1 - ns1.example. 3600 RRSIG A 5 2 3600 20040115201552 ( - 20031216201552 41681 example. - 5FrF88yOT6iiBdkiQLqaXkma0gCQza5/kLK7 - CgoMNlCR2QYhsur2X7Fex2/OYEmOkzOqO7Gs - RoIc4e3nt+kfpd/4Htp9T5v+NXmMVPmW3Jmf - +ZGpEf86AI7Rw3x2bSmVOzsxa4xUxE+DuINa - WNJ/ulvIFa20d0xtlB7jazNCZ3Y= ) - ns2.example. 3600 IN A 192.0.2.2 - ns2.example. 3600 RRSIG A 5 2 3600 20040115201552 ( - 20031216201552 41681 example. - sfFOjxKZz1LMhyDfmB43RhIUVOHlVbLtP0lL - xBsxcHt48NKLth81pzSWRFQfUtMCjaGWMtuK - HFEVaAQXcwllWXXLbVpc9a32govT+hsapcht - sPyxkcEpYEFTtB93edKRVQ0IgZBPOI02R6vG - wCbeY0Rl8MIRcAaiIkFos/8hd1g= ) - - -B.2 Name Error - - An authoritative name error. The NSEC RRs prove that the name does - not exist and that no covering wildcard exists. - - ;; Header: QR AA DO RCODE=3 - ;; - ;; Question - ml.example. IN A - - ;; Answer - ;; (empty) - - ;; Authority - example. 3600 IN SOA ns1.example. bugs.x.w.example. ( - 1071609350 - 3600 - 300 - 3600000 - 3600 - ) - example. 3600 RRSIG SOA 5 1 3600 20040115201552 ( - 20031216201552 41681 example. - F1KxMLu2zwDUFgUtdAqCq6F9zkaIPb3B7dzA - hRLp8riOMQQgCCQ4x9KvSu2xLJa539jQIRW0 - VBU6+FZWzC2IJcc5liv2SXzyfiPu8diB9+Bj - - - -Arends, et al. Expires August 16, 2004 [Page 47] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - CSITjVX0IGrQgd+PKkaTxWQzG9TDZ2TtgnyM - owLe/OV+Qqqic7ShV/S9l2YJF9I= ) - b.example. 3600 NSEC ns1.example. NS RRSIG NSEC - b.example. 3600 RRSIG NSEC 5 2 3600 20040115201552 ( - 20031216201552 41681 example. - nFufQRM2UtSYTAwQaKEnIpua5ZHLqJrcLGAs - VUpLoPOEsAXex1N3uIJQWmoXnr9Up00G7jbW - VOVaLUvXR7b/4sQkyQLbOl9GpWiA1NYjPneN - k3i+OWi3NmvRN71CuNky87DrVg0p2Mf2MjLX - GRIZP9W1bgeDHZRcCNz2hQ67SgY= ) - example. 3600 NSEC a.example. 
NS SOA MX RRSIG NSEC DNSKEY - example. 3600 RRSIG NSEC 5 1 3600 20040115201552 ( - 20031216201552 41681 example. - kE9ARiewdQSCsLXY9ldasZEW54kKhfEN2lsT - vDD4biJsTPeaOXJ6bJ7s0CvybknENin3uqIX - TAy6bsL919sEI3/SoHiRCwHalVmUPIWCsz4g - Ee7gkQ+1uFzi7L8LGX9NjQI74s3M//OW2+T4 - 7T/nOEOVZujD8IN/Utv+KUg+P6U= ) - - ;; Additional - ;; (empty) - - -B.3 No Data Error - - A "NODATA" response. The NSEC RR proves that the name exists and - that the requested RR type does not. - - ;; Header: QR AA DO RCODE=0 - ;; - ;; Question - ns1.example. IN MX - - ;; Answer - ;; (empty) - - ;; Authority - example. 3600 IN SOA ns1.example. bugs.x.w.example. ( - 1071609350 - 3600 - 300 - 3600000 - 3600 - ) - example. 3600 RRSIG SOA 5 1 3600 20040115201552 ( - 20031216201552 41681 example. - F1KxMLu2zwDUFgUtdAqCq6F9zkaIPb3B7dzA - hRLp8riOMQQgCCQ4x9KvSu2xLJa539jQIRW0 - - - -Arends, et al. Expires August 16, 2004 [Page 48] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - VBU6+FZWzC2IJcc5liv2SXzyfiPu8diB9+Bj - CSITjVX0IGrQgd+PKkaTxWQzG9TDZ2TtgnyM - owLe/OV+Qqqic7ShV/S9l2YJF9I= ) - ns1.example. 3600 NSEC ns2.example. A RRSIG NSEC - ns1.example. 3600 RRSIG NSEC 5 2 3600 20040115201552 ( - 20031216201552 41681 example. - WaeyPcQtFjXj4cxDcqVseuhZPA4K/qSb7ylZ - sj55rJ8OqEKDYt71e1MT3F5p76wKtLaPmoc0 - eLGnDD+Xouu/tWXtsjj5QpMhl13DUD0GLBiA - s/wwxreW0SWkh4JJirodDE7vSIiI6gPJYhIj - I2A5W86mMEbSgEF/pZHX/wi5FJI= ) - - ;; Additional - ;; (empty) - - -B.4 Referral to Signed Zone - - Referral to a signed zone. The DS RR contains the data which the - resolver will need to validate the corresponding DNSKEY RR in the - child zone's apex. - - ;; Header: QR DO RCODE=0 - ;; - ;; Question - mc.a.example. IN MX - - ;; Answer - ;; (empty) - - ;; Authority - a.example. 3600 IN NS ns1.a.example. - a.example. 3600 IN NS ns2.a.example. - a.example. 3600 DS 48327 5 1 ( - DFEB5E00E71A4DED5CABBBD7F15F24871983 - CAB7 ) - a.example. 3600 RRSIG DS 5 2 3600 20040115201552 ( - 20031216201552 41681 example. 
- wj4ME4MuuZN77PGiE8xgBmCXpRpUocRJLbW/ - hBbMGk2qtA9ose1Jr2F9rOU6zvU9Z0HQgxnb - rSBfaeCZFmk3yOlo9Uqref4ukk9hwIjzxo7c - ZbJstCYWiLF57i1k5Cj6npMbUZSIgRGcB+dC - 0yfe2uolEkeegjesDZuF+fC61Eg= ) - - ;; Additional - ns1.a.example. 3600 IN A 192.0.2.5 - ns2.a.example. 3600 IN A 192.0.2.6 - - - - -Arends, et al. Expires August 16, 2004 [Page 49] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - -B.5 Referral to Unsigned Zone - - Referral to an unsigned zone. The NSEC RR proves that no DS RR for - this delegation exists in the parent zone. - - ;; Header: QR DO RCODE=0 - ;; - ;; Question - mc.b.example. IN MX - - ;; Answer - ;; (empty) - - ;; Authority - b.example. 3600 IN NS ns1.b.example. - b.example. 3600 IN NS ns2.b.example. - b.example. 3600 NSEC ns1.example. NS RRSIG NSEC - b.example. 3600 RRSIG NSEC 5 2 3600 20040115201552 ( - 20031216201552 41681 example. - nFufQRM2UtSYTAwQaKEnIpua5ZHLqJrcLGAs - VUpLoPOEsAXex1N3uIJQWmoXnr9Up00G7jbW - VOVaLUvXR7b/4sQkyQLbOl9GpWiA1NYjPneN - k3i+OWi3NmvRN71CuNky87DrVg0p2Mf2MjLX - GRIZP9W1bgeDHZRcCNz2hQ67SgY= ) - - ;; Additional - ns1.b.example. 3600 IN A 192.0.2.7 - ns2.b.example. 3600 IN A 192.0.2.8 - - -B.6 Wildcard Expansion - - A successful query which was answered via wildcard expansion. The - label count in the answer's RRSIG RR indicates that a wildcard RRset - was expanded to produce this response, and the NSEC RR proves that no - closer match exists in the zone. - - ;; Header: QR AA DO RCODE=0 - ;; - ;; Question - a.z.w.example. IN MX - - ;; Answer - a.z.w.example. 3600 IN MX 1 ai.example. - a.z.w.example. 3600 RRSIG MX 5 2 3600 20040115201552 ( - 20031216201552 41681 example. - mzcZPkLFaFycrnJuHY8LHdmvmyD8prPbQXHg - OXuGLRpO+qRU04v97KYNy8si1Ijmo85nI4Ns - - - -Arends, et al. Expires August 16, 2004 [Page 50] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - Hl2+WpbMguW9gyPpdHqIYkKJbOrX2b4bz6WA - n7NlR05Rf2tE3e54a1LP0po55yqGtxdPKWOK - 91Ena87PA2MvoOE+A3ZpEk8MjEE= ) - - ;; Authority - example. 
3600 NS ns1.example. - example. 3600 NS ns2.example. - example. 3600 RRSIG NS 5 1 3600 20040115201552 ( - 20031216201552 41681 example. - YgTFj4yXRzbOddwfOTQhLHGPWm7x55ZRoPVz - +bxuPHTozw3I2gpno81Em1RuVekWJHivAvQj - s1h72oh+ipBadjCGSRu46u1T9JYUSLxLecgY - eEw9qDeQIoZHRny5bYrX1x87ItEo5+n1lwOH - FTVyQbVkcaxQ6U2FbZtMbfo//go= ) - x.y.w.example. 3600 NSEC xx.example. MX RRSIG NSEC - x.y.w.example. 3600 RRSIG NSEC 5 4 3600 20040115201552 ( - 20031216201552 41681 example. - sjHnEm4kiIK64bRskNc3vxEHe12l9Lg8Y7G8 - VsXMUEEDeBCB3qlrGQeqhdl+gsQGRBiOA8Jj - Jr5F9RNZepVLGv+t5fALeoe0gLHsWoTlfTdq - AJ8a2E5BZYYvy9hjh9Y4Kqd23HOv21o2OC0J - viOQHZ6I4xoZQP5G7r98/PhlrLM= ) - - ;; Additional - ai.example. 3600 IN A 192.0.2.9 - ai.example. 3600 RRSIG A 5 2 3600 20040115201552 ( - 20031216201552 41681 example. - hxNyPE9Wn675NDH/IpB2LZzhrUtV9eEndid8 - jiteGyki6CAEJKm1Dr2bjlrzdgfFBrpIac9c - Up4zMlAkitX/7D9vFus8nLSvEHngpdc12Hlk - OrvT0EsYA2XeQ0h3PPQk5FcK2ekxZvw5Zm7A - sWifTxvcG5hv+A6TOd0O2xJYRik= ) - ai.example. 3600 AAAA 2001:db8::f00:baa9 - ai.example. 3600 RRSIG AAAA 5 2 3600 20040115201552 ( - 20031216201552 41681 example. - oq16/pU4MuvkgQyFqGrHqggz47i6iZL714u5 - 9UsmGM1Y/qyQZsR4wi6hC2zIWXNJxIPIhitJ - G6M5pjExUH/vOe0DIW73t/NHzcj0zOjxAPEI - A+jBlOwn2EY5q87PMzBIeHWSx7DxtEIMC8XI - zkK+1+Z5aqj1pmZ4yXUvd2znGnQ= ) - - -B.7 Wildcard No Data Error - - A "NODATA" response for a name covered by a wildcard. The NSEC RRs - prove that the matching wildcard name does not have any RRs of the - requested type and that no closer match exists in the zone. - - - - -Arends, et al. Expires August 16, 2004 [Page 51] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - ;; Header: QR AA DO RCODE=0 - ;; - ;; Question - a.z.w.example. IN AAAA - - ;; Answer - ;; (empty) - - ;; Authority - example. 3600 IN SOA ns1.example. bugs.x.w.example. ( - 1071609350 - 3600 - 300 - 3600000 - 3600 - ) - example. 3600 RRSIG SOA 5 1 3600 20040115201552 ( - 20031216201552 41681 example. 
- F1KxMLu2zwDUFgUtdAqCq6F9zkaIPb3B7dzA - hRLp8riOMQQgCCQ4x9KvSu2xLJa539jQIRW0 - VBU6+FZWzC2IJcc5liv2SXzyfiPu8diB9+Bj - CSITjVX0IGrQgd+PKkaTxWQzG9TDZ2TtgnyM - owLe/OV+Qqqic7ShV/S9l2YJF9I= ) - x.y.w.example. 3600 NSEC xx.example. MX RRSIG NSEC - x.y.w.example. 3600 RRSIG NSEC 5 4 3600 20040115201552 ( - 20031216201552 41681 example. - sjHnEm4kiIK64bRskNc3vxEHe12l9Lg8Y7G8 - VsXMUEEDeBCB3qlrGQeqhdl+gsQGRBiOA8Jj - Jr5F9RNZepVLGv+t5fALeoe0gLHsWoTlfTdq - AJ8a2E5BZYYvy9hjh9Y4Kqd23HOv21o2OC0J - viOQHZ6I4xoZQP5G7r98/PhlrLM= ) - *.w.example. 3600 NSEC x.w.example. MX RRSIG NSEC - *.w.example. 3600 RRSIG NSEC 5 2 3600 20040115201552 ( - 20031216201552 41681 example. - OeBMvLlBam90xU/KxvyAYBNGWpvMf1TbaJFr - f0Ip+tTkiqeEE8fx2ZAg1JcY9uhldms/9y45 - 9HxO9Q3ZO6jfQzsx62YQaBte85d/Udhzf4AK - /RHsZGSOabsu6DhacWC2Ew7vEgcMfiPHFzWW - ANi1i3zhPOd3+Vjt4IQzaJXqVZE= ) - - ;; Additional - ;; (empty) - - -B.8 DS Child Zone No Data Error - - A "NODATA" response for a QTYPE=DS query which was mistakenly sent to - a name server for the child zone. - - - -Arends, et al. Expires August 16, 2004 [Page 52] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - ;; Header: QR AA DO RCODE=0 - ;; - ;; Question - example. IN DS - - ;; Answer - ;; (empty) - - ;; Authority - example. 3600 IN SOA ns1.example. bugs.x.w.example. ( - 1071609350 - 3600 - 300 - 3600000 - 3600 - ) - example. 3600 RRSIG SOA 5 1 3600 20040115201552 ( - 20031216201552 41681 example. - F1KxMLu2zwDUFgUtdAqCq6F9zkaIPb3B7dzA - hRLp8riOMQQgCCQ4x9KvSu2xLJa539jQIRW0 - VBU6+FZWzC2IJcc5liv2SXzyfiPu8diB9+Bj - CSITjVX0IGrQgd+PKkaTxWQzG9TDZ2TtgnyM - owLe/OV+Qqqic7ShV/S9l2YJF9I= ) - example. 3600 NSEC a.example. NS SOA MX RRSIG NSEC DNSKEY - example. 3600 RRSIG NSEC 5 1 3600 20040115201552 ( - 20031216201552 41681 example. 
- kE9ARiewdQSCsLXY9ldasZEW54kKhfEN2lsT - vDD4biJsTPeaOXJ6bJ7s0CvybknENin3uqIX - TAy6bsL919sEI3/SoHiRCwHalVmUPIWCsz4g - Ee7gkQ+1uFzi7L8LGX9NjQI74s3M//OW2+T4 - 7T/nOEOVZujD8IN/Utv+KUg+P6U= ) - - ;; Additional - ;; (empty) - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 53] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - -Appendix C. Authentication Examples - - The examples in this section show how the response messages in - Appendix B are authenticated. - -C.1 Authenticating An Answer - - The query in section Appendix B.1 returned an MX RRset for - "x.w.example.com". The corresponding RRSIG indicates the MX RRset was - signed by an "example" DNSKEY with algorithm 5 and key tag 41681. - The resolver needs the corresponding DNSKEY RR in order to - authenticate this answer. The discussion below describes how a - resolver might obtain this DNSKEY RR. - - The RRSIG indicates the original TTL of the MX RRset was 3600 and, - for the purpose of authentication, the current TTL is replaced by - 3600. The RRSIG labels field value of 3 indicates the answer was - not the result of wildcard expansion. The "x.w.example.com" MX RRset - is placed in canonical form and, assuming the current time falls - between the signature inception and expiration dates, the signature - is authenticated. - -C.1.1 Authenticating the example DNSKEY RR - - This example shows the logical authentication process that starts - from the a preconfigured root DNSKEY (or DS RR) and moves down the - tree to authenticate the desired "example" DNSKEY RR. Note the - logical order is presented for clarity and an implementation may - choose to construct the authentication as referrals are received or - may choose to construct the authentication chain only after all - RRsets have been obtained, or in any other combination it sees fit. - The example here demonstrates only the logical process and does not - dictate any implementation rules. 
- - We assume the resolver starts with an preconfigured DNSKEY RR for the - root zone (or a preconfigured DS RR for the root zone). The resolver - checks this preconfigured DNSKEY RR is present in the root DNSKEY - RRset (or the DS RR matches some DNSKEY in the root DNSKEY RRset), - this DNSKEY RR has signed the root DNSKEY RRset and the signature - lifetime is valid. If all these conditions are met, all keys in the - DNSKEY RRset are considered authenticated. The resolver then uses - one (or more) of the root DNSKEY RRs to authenticate the "example" DS - RRset. Note the resolver may need to query the root zone to obtain - the root DNSKEY RRset and/or "example" DS RRset. - - Once the DS RRset has been authenticated using the root DNSKEY, the - resolver checks the "example" DNSKEY RRset for some "example" DNSKEY - RR that matches one of the authenticated "example" DS RRs. If such a - - - -Arends, et al. Expires August 16, 2004 [Page 54] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - matching "example" DNSKEY is found, the resolver checks this DNSKEY - RR has signed the "example" DNSKEY RRset and the signature lifetime - is valid. If all these conditions are met, all keys in the "example" - DNSKEY RRset are considered authenticated. - - Finally the resolver checks that some DNSKEY RR in the "example" - DNSKEY RRset uses algorithm 5 and has a key tag of 41681. This - DNSKEY is used to authenticated the RRSIG included in the response. - If multiple "example" DNSKEY RRs have algorithm 5 and key tag of - 41681, then each DNSKEY RR is tried and the answer is authenticated - if either DNSKEY RR validates the signature as described above. - -C.2 Name Error - - The query in section Appendix B.2 returned NSEC RRs that prove the - requested data does not exist and no wildcard applies. The negative - reply is authenticated by verifying both NSEC RRs. The NSEC RRs are - authenticated in a manner identical to that of the MX RRset discussed - above. 
- -C.3 No Data Error - - The query in section Appendix B.3 returned an NSEC RR that proves the - requested name exists, but the requested RR type does not exist. The - negative reply is authenticated by verifying the NSEC RR. The NSEC - RR is authenticated in a manner identical to that of the MX RRset - discussed above. - -C.4 Referral to Signed Zone - - The query in section Appendix B.4 returned a referral to the signed - "a.example." zone. The DS RR is authenticated in a manner identical - to that of the MX RRset discussed above. This DS RR is used to - authenticate the "a.example" DNSKEY RRset. - - Once the "a.example" DS RRset has been authenticated using the - "example" DNSKEY, the resolver checks the "a.example" DNSKEY RRset - for some "a.example" DNSKEY RR that matches the DS RR. If such a - matching "a.example" DNSKEY is found, the resolver checks this DNSKEY - RR has signed the "a.example" DNSKEY RRset and the signature lifetime - is valid. If all these conditions are met, all keys in the - "a.example" DNSKEY RRset are considered authenticated. - -C.5 Referral to Unsigned Zone - - The query in section Appendix B.5 returned a referral to an unsigned - "b.example." zone. The NSEC proves that no authentication leads from - "example" to "b.example" and the NSEC RR is authenticated in a manner - - - -Arends, et al. Expires August 16, 2004 [Page 55] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - identical to that of the MX RRset discussed above. - -C.6 Wildcard Expansion - - The query in section Appendix B.6 returned an answer that was - produced as a result of wildcard expansion. The RRset expanded as - the similar to The corresponding RRSIG indicates the MX RRset was - signed by an "example" DNSKEY with algorithm 5 and key tag 41681. - The RRSIG indicates the original TTL of the MX RRset was 3600 and, - for the purpose of authentication, the current TTL is replaced by - 3600. 
The RRSIG labels field value of 2 indicates the answer the - result of wildcard expansion since the "a.z.w.example" name contains - 4 labels. The name "a.z.w.w.example" is replaced by "*.w.example", - the MX RRset is placed in canonical form and, assuming the current - time falls between the signature inception and expiration dates, the - signature is authenticated. - - The NSEC proves that no closer match (exact or closer wildcard) could - have been used to answer this query and the NSEC RR must also be - authenticated before the answer is considered valid. - -C.7 Wildcard No Data Error - - The query in section Appendix B.7 returned NSEC RRs that prove the - requested data does not exist and no wildcard applies. The negative - reply is authenticated by verifying both NSEC RRs. - -C.8 DS Child Zone No Data Error - - The query in section Appendix B.8 returned NSEC RRs that shows the - requested was answered by a child server ("example" server). The - NSEC RR indicates the presence of an SOA RR, showing the answer is - from the child . Queries for the "example" DS RRset should be sent - to the parent servers ("root" servers). - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 56] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - -Intellectual Property Statement - - The IETF takes no position regarding the validity or scope of any - intellectual property or other rights that might be claimed to - pertain to the implementation or use of the technology described in - this document or the extent to which any license under such rights - might or might not be available; neither does it represent that it - has made any effort to identify any such rights. Information on the - IETF's procedures with respect to rights in standards-track and - standards-related documentation can be found in BCP-11. 
Copies of - claims of rights made available for publication and any assurances of - licenses to be made available, or the result of an attempt made to - obtain a general license or permission for the use of such - proprietary rights by implementors or users of this specification can - be obtained from the IETF Secretariat. - - The IETF invites any interested party to bring to its attention any - copyrights, patents or patent applications, or other proprietary - rights which may cover technology that may be required to practice - this standard. Please address the information to the IETF Executive - Director. - - -Full Copyright Statement - - Copyright (C) The Internet Society (2004). All Rights Reserved. - - This document and translations of it may be copied and furnished to - others, and derivative works that comment on or otherwise explain it - or assist in its implementation may be prepared, copied, published - and distributed, in whole or in part, without restriction of any - kind, provided that the above copyright notice and this paragraph are - included on all such copies and derivative works. However, this - document itself may not be modified in any way, such as by removing - the copyright notice or references to the Internet Society or other - Internet organizations, except as needed for the purpose of - developing Internet standards in which case the procedures for - copyrights defined in the Internet Standards process must be - followed, or as required to translate it into languages other than - English. - - The limited permissions granted above are perpetual and will not be - revoked by the Internet Society or its successors or assignees. - - This document and the information contained herein is provided on an - "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING - TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING - BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION - - - -Arends, et al. 
Expires August 16, 2004 [Page 57] - -Internet-Draft DNSSEC Protocol Modifications February 2004 - - - HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF - MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - - -Acknowledgement - - Funding for the RFC Editor function is currently provided by the - Internet Society. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 58] - - + + +DNS Extensions R. Arends +Internet-Draft Telematica Instituut +Expires: November 15, 2004 M. Larson + VeriSign + R. Austein + ISC + D. Massey + USC/ISI + S. Rose + NIST + May 17, 2004 + + + Protocol Modifications for the DNS Security Extensions + draft-ietf-dnsext-dnssec-protocol-06 + +Status of this Memo + + This document is an Internet-Draft and is in full conformance with + all provisions of Section 10 of RFC2026. + + Internet-Drafts are working documents of the Internet Engineering + Task Force (IETF), its areas, and its working groups. Note that other + groups may also distribute working documents as Internet-Drafts. + + Internet-Drafts are draft documents valid for a maximum of six months + and may be updated, replaced, or obsoleted by other documents at any + time. It is inappropriate to use Internet-Drafts as reference + material or to cite them other than as "work in progress." + + The list of current Internet-Drafts can be accessed at http:// + www.ietf.org/ietf/1id-abstracts.txt. + + The list of Internet-Draft Shadow Directories can be accessed at + http://www.ietf.org/shadow.html. + + This Internet-Draft will expire on November 15, 2004. + +Copyright Notice + + Copyright (C) The Internet Society (2004). All Rights Reserved. + +Abstract + + This document is part of a family of documents which describe the DNS + Security Extensions (DNSSEC). 
The DNS Security Extensions are a + collection of new resource records and protocol modifications which + add data origin authentication and data integrity to the DNS. This + document describes the DNSSEC protocol modifications. This document + + + +Arends, et al. Expires November 15, 2004 [Page 1] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + + defines the concept of a signed zone, along with the requirements for + serving and resolving using DNSSEC. These techniques allow a + security-aware resolver to authenticate both DNS resource records and + authoritative DNS error indications. + + This document obsoletes RFC 2535 and incorporates changes from all + updates to RFC 2535. + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 + 1.1 Background and Related Documents . . . . . . . . . . . . . 4 + 1.2 Reserved Words . . . . . . . . . . . . . . . . . . . . . . 4 + 1.3 Editors' Notes . . . . . . . . . . . . . . . . . . . . . . 4 + 1.3.1 Open Technical Issues . . . . . . . . . . . . . . . . 4 + 1.3.2 Technical Changes or Corrections . . . . . . . . . . . 4 + 1.3.3 Typos and Minor Corrections . . . . . . . . . . . . . 5 + 2. Zone Signing . . . . . . . . . . . . . . . . . . . . . . . . . 6 + 2.1 Including DNSKEY RRs in a Zone . . . . . . . . . . . . . . 6 + 2.2 Including RRSIG RRs in a Zone . . . . . . . . . . . . . . 6 + 2.3 Including NSEC RRs in a Zone . . . . . . . . . . . . . . . 7 + 2.4 Including DS RRs in a Zone . . . . . . . . . . . . . . . . 8 + 2.5 Changes to the CNAME Resource Record. . . . . . . . . . . 8 + 2.6 Example of a Secure Zone . . . . . . . . . . . . . . . . . 9 + 3. Serving . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 + 3.1 Authoritative Name Servers . . . . . . . . . . . . . . . . 11 + 3.1.1 Including RRSIG RRs in a Response . . . . . . . . . . 11 + 3.1.2 Including DNSKEY RRs In a Response . . . . . . . . . . 12 + 3.1.3 Including NSEC RRs In a Response . . . . . . . . . . . 
12 + 3.1.4 Including DS RRs In a Response . . . . . . . . . . . . 15 + 3.1.5 Responding to Queries for Type AXFR or IXFR . . . . . 16 + 3.1.6 The AD and CD Bits in an Authoritative Response . . . 17 + 3.2 Recursive Name Servers . . . . . . . . . . . . . . . . . . 17 + 3.2.1 The DO bit . . . . . . . . . . . . . . . . . . . . . . 18 + 3.2.2 The CD bit . . . . . . . . . . . . . . . . . . . . . . 18 + 3.2.3 The AD bit . . . . . . . . . . . . . . . . . . . . . . 19 + 3.3 Example DNSSEC Responses . . . . . . . . . . . . . . . . . 19 + 4. Resolving . . . . . . . . . . . . . . . . . . . . . . . . . . 20 + 4.1 EDNS Support . . . . . . . . . . . . . . . . . . . . . . . 20 + 4.2 Signature Verification Support . . . . . . . . . . . . . . 20 + 4.3 Determining Security Status of Data . . . . . . . . . . . 21 + 4.4 Configured Trust Anchors . . . . . . . . . . . . . . . . . 21 + 4.5 Response Caching . . . . . . . . . . . . . . . . . . . . . 22 + 4.6 Handling of the CD and AD bits . . . . . . . . . . . . . . 22 + 4.7 Caching BAD Data . . . . . . . . . . . . . . . . . . . . . 22 + 4.8 Synthesized CNAMEs . . . . . . . . . . . . . . . . . . . . 23 + 4.9 Stub resolvers . . . . . . . . . . . . . . . . . . . . . . 23 + 4.9.1 Handling of the DO Bit . . . . . . . . . . . . . . . . 24 + + + +Arends, et al. Expires November 15, 2004 [Page 2] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + + 4.9.2 Handling of the CD Bit . . . . . . . . . . . . . . . . 24 + 4.9.3 Handling of the AD Bit . . . . . . . . . . . . . . . . 24 + 5. Authenticating DNS Responses . . . . . . . . . . . . . . . . . 25 + 5.1 Special Considerations for Islands of Security . . . . . . 26 + 5.2 Authenticating Referrals . . . . . . . . . . . . . . . . . 26 + 5.3 Authenticating an RRset Using an RRSIG RR . . . . . . . . 27 + 5.3.1 Checking the RRSIG RR Validity . . . . . . . . . . . . 28 + 5.3.2 Reconstructing the Signed Data . . . . . . . . . . . . 28 + 5.3.3 Checking the Signature . . . . . . . . . . . . . . . . 
30 + 5.3.4 Authenticating A Wildcard Expanded RRset Positive + Response . . . . . . . . . . . . . . . . . . . . . . . 31 + 5.4 Authenticated Denial of Existence . . . . . . . . . . . . 31 + 5.5 Resolver Behavior When Signatures Do Not Validate . . . . 32 + 5.6 Authentication Example . . . . . . . . . . . . . . . . . . 32 + 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 33 + 7. Security Considerations . . . . . . . . . . . . . . . . . . . 34 + 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 35 + 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 36 + 9.1 Normative References . . . . . . . . . . . . . . . . . . . . 36 + 9.2 Informative References . . . . . . . . . . . . . . . . . . . 36 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 37 + A. Signed Zone Example . . . . . . . . . . . . . . . . . . . . . 39 + B. Example Responses . . . . . . . . . . . . . . . . . . . . . . 45 + B.1 Answer . . . . . . . . . . . . . . . . . . . . . . . . . . 45 + B.2 Name Error . . . . . . . . . . . . . . . . . . . . . . . . 46 + B.3 No Data Error . . . . . . . . . . . . . . . . . . . . . . 47 + B.4 Referral to Signed Zone . . . . . . . . . . . . . . . . . 48 + B.5 Referral to Unsigned Zone . . . . . . . . . . . . . . . . 49 + B.6 Wildcard Expansion . . . . . . . . . . . . . . . . . . . . 50 + B.7 Wildcard No Data Error . . . . . . . . . . . . . . . . . . 51 + B.8 DS Child Zone No Data Error . . . . . . . . . . . . . . . 52 + C. Authentication Examples . . . . . . . . . . . . . . . . . . . 54 + C.1 Authenticating An Answer . . . . . . . . . . . . . . . . . 54 + C.1.1 Authenticating the example DNSKEY RR . . . . . . . . . 54 + C.2 Name Error . . . . . . . . . . . . . . . . . . . . . . . . 55 + C.3 No Data Error . . . . . . . . . . . . . . . . . . . . . . 55 + C.4 Referral to Signed Zone . . . . . . . . . . . . . . . . . 55 + C.5 Referral to Unsigned Zone . . . . . . . . . . . . . . . . 55 + C.6 Wildcard Expansion . . . . 
. . . . . . . . . . . . . . . . 56 + C.7 Wildcard No Data Error . . . . . . . . . . . . . . . . . . 56 + C.8 DS Child Zone No Data Error . . . . . . . . . . . . . . . 56 + Intellectual Property and Copyright Statements . . . . . . . . 57 + + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 3] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + +1. Introduction + + The DNS Security Extensions (DNSSEC) are a collection of new resource + records and protocol modifications which add data origin + authentication and data integrity to the DNS. This document defines + the DNSSEC protocol modifications. Section 2 of this document defines + the concept of a signed zone and lists the requirements for zone + signing. Section 3 describes the modifications to authoritative name + server behavior necessary to handle signed zones. Section 4 describes + the behavior of entities which include security-aware resolver + functions. Finally, Section 5 defines how to use DNSSEC RRs to + authenticate a response. + +1.1 Background and Related Documents + + The reader is assumed to be familiar with the basic DNS concepts + described in [RFC1034] and [RFC1035]. + + This document is part of a family of documents that define DNSSEC. + An introduction to DNSSEC and definition of common terms can be found + in [I-D.ietf-dnsext-dnssec-intro]. A definition of the DNSSEC + resource records can be found in [I-D.ietf-dnsext-dnssec-records]. + +1.2 Reserved Words + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in RFC 2119. [RFC2119]. + +1.3 Editors' Notes + +1.3.1 Open Technical Issues + +1.3.2 Technical Changes or Corrections + + Please report technical corrections to dnssec-editors@east.isi.edu. + To assist the editors, please indicate the text in error and point + out the RFC that defines the correct behavior. 
For a technical + change where no RFC that defines the correct behavior, or if there's + more than one applicable RFC and the definitions conflict, please + post the issue to namedroppers. + + An example correction to dnssec-editors might be: Page X says + "DNSSEC RRs SHOULD be automatically returned in responses." This was + true in RFC 2535, but RFC 3225 (Section 3, 3rd paragraph) says the + DNSSEC RR types MUST NOT be included in responses unless the resolver + indicated support for DNSSEC. + + + + +Arends, et al. Expires November 15, 2004 [Page 4] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + +1.3.3 Typos and Minor Corrections + + Please report any typos corrections to dnssec-editors@east.isi.edu. + To assist the editors, please provide enough context for us to find + the incorrect text quickly. + + An example message to dnssec-editors might be: page X says "the + DNSSEC standard has been in development for over 1 years". It + should read "over 10 years". + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 5] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + +2. Zone Signing + + DNSSEC introduces the concept of signed zones. A signed zone + includes DNSKEY, RRSIG, NSEC and (optionally) DS records according to + the rules specified in Section 2.1, Section 2.2, Section 2.3 and + Section 2.4, respectively. A zone that does not include these + records according to the rules in this section is an unsigned zone. + + DNSSEC requires a change to the definition of the CNAME resource + record [RFC1035]. Section 2.5 changes the CNAME RR to allow RRSIG + and NSEC RRs to appear at the same owner name as a CNAME RR. + +2.1 Including DNSKEY RRs in a Zone + + To sign a zone, the zone's administrator generates one or more + public/private key pairs and uses the private key(s) to sign + authoritative RRsets in the zone. 
For each private key used to + create RRSIG RRs, there SHOULD be a corresponding zone DNSKEY RR with + the public component stored in the zone. A zone key DNSKEY RR MUST + have the Zone Key bit of the flags RDATA field set to one -- see + Section 2.1.1 of [I-D.ietf-dnsext-dnssec-records]. Public keys + associated with other DNS operations MAY be stored in DNSKEY RRs that + are not marked as zone keys but MUST NOT be used to verify RRSIGs. + + If the zone is delegated and does not wish to act as an island of + security, the zone MUST have at least one DNSKEY RR at the apex to + act as a secure entry point into the zone. This DNSKEY would then be + used to generate a DS RR at the delegating parent (see + [I-D.ietf-dnsext-dnssec-records]). + + DNSKEY RRs MUST NOT appear at delegation points. + +2.2 Including RRSIG RRs in a Zone + + For each authoritative RRset in a signed zone, there MUST be at least + one RRSIG record that meets all of the following requirements: + o The RRSIG owner name is equal to the RRset owner name; + o The RRSIG class is equal to the RRset class; + o The RRSIG Type Covered field is equal to the RRset type; + o The RRSIG Original TTL field is equal to the TTL of the RRset; + o The RRSIG RR's TTL is equal to the TTL of the RRset; + o The RRSIG Labels field is equal to the number of labels in the + RRset owner name, not counting the null root label and not + counting the leftmost label if it is a wildcard; + o The RRSIG Signer's Name field is equal to the name of the zone + containing the RRset; and + o The RRSIG Algorithm, Signer's Name, and Key Tag fields identify a + zone key DNSKEY record at the zone apex. + + + +Arends, et al. Expires November 15, 2004 [Page 6] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + + The process for constructing the RRSIG RR for a given RRset is + described in [I-D.ietf-dnsext-dnssec-records]. An RRset MAY have + multiple RRSIG RRs associated with it. 
+ + An RRSIG RR itself MUST NOT be signed, since signing an RRSIG RR + would add no value and would create an infinite loop in the signing + process. + + The NS RRset that appears at the zone apex name MUST be signed, but + the NS RRsets that appear at delegation points (that is, the NS + RRsets in the parent zone that delegate the name to the child zone's + name servers) MUST NOT be signed. Glue address RRsets associated with + delegations MUST NOT be signed. + + There MUST be an RRSIG for each RRset using at least one DNSKEY of + each algorithm in the zone apex DNSKEY RRset. The apex DNSKEY RRset + itself MUST be signed by each algorithm appearing in the DS RRset + located at the delegating parent (if any). + +2.3 Including NSEC RRs in a Zone + + Each owner name in the zone which has authoritative data or a + delegation point NS RRset MUST have an NSEC resource record. The + process for constructing the NSEC RR for a given name is described in + [I-D.ietf-dnsext-dnssec-records]. + + The TTL value for any NSEC RR SHOULD be the same as the minimum TTL + value field in the zone SOA RR. + + An NSEC record (and its associated RRSIG RRset) MUST NOT be the only + RRset at any particular owner name. That is, the signing process + MUST NOT create NSEC or RRSIG RRs for owner names nodes which were + not the owner name of any RRset before the zone was signed. The main + reasons for this are a desire for namespace consistency between + signed and unsigned versions of the same zone and a desire to reduce + the risk of response inconsistency in security oblivious recursive + name servers. + + The type bitmap of every NSEC resource record in a signed zone MUST + indicate the presence of both the NSEC record itself and its + corresponding RRSIG record. + + The difference between the set of owner names that require RRSIG + records and the set of owner names that require NSEC records is + subtle and worth highlighting. 
RRSIG records are present at the
+ owner names of all authoritative RRsets. NSEC records are present at
+ the owner names of all names for which the signed zone is
+ authoritative and also at the owner names of delegations from the
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 7]
+
+Internet-Draft DNSSEC Protocol Modifications May 2004
+
+
+ signed zone to its children. Neither NSEC nor RRSIG records are
+ present (in the parent zone) at the owner names of glue address
+ RRsets. Note, however, that this distinction is for the most part is
+ only visible during the zone signing process, because NSEC RRsets are
+ authoritative data, and are therefore signed, thus any owner name
+ which has an NSEC RRset will have RRSIG RRs as well in the signed
+ zone.
+
+ The bitmap for the NSEC RR at a delegation point requires special
+ attention. Bits corresponding to the delegation NS RRset and the RR
+ types for which the parent zone has authoritative data MUST be set to
+ 1; bits corresponding to any non-NS RRset for which the parent is not
+ authoritative MUST be set to 0.
+
+2.4 Including DS RRs in a Zone
+
+ The DS resource record establishes authentication chains between DNS
+ zones. A DS RRset SHOULD be present at a delegation point when the
+ child zone is signed. The DS RRset MAY contain multiple records,
+ each referencing a public key in the child zone used to verify the
+ RRSIGs in that zone. All DS RRsets in a zone MUST be signed and DS
+ RRsets MUST NOT appear at a zone's apex.
+
+ A DS RR SHOULD point to a DNSKEY RR which is present in the child's
+ apex DNSKEY RRset, and the child's apex DNSKEY RRset SHOULD be signed
+ by the corresponding private key.
+
+ The TTL of a DS RRset SHOULD match the TTL of the delegating NS RRset
+ (i.e., the NS RRset from the same zone containing the DS RRset).
+
+ Construction of a DS RR requires knowledge of the corresponding
+ DNSKEY RR in the child zone, which implies communication between the
+ child and parent zones.
This communication is an operational matter
+ not covered by this document.
+
+2.5 Changes to the CNAME Resource Record.
+
+ If a CNAME RRset is present at a name in a signed zone, appropriate
+ RRSIG and NSEC RRsets are REQUIRED at that name. A KEY RRset at that
+ name for secure dynamic update purposes is also allowed. Other types
+ MUST NOT be present at that name.
+
+ This is a modification to the original CNAME definition given in
+ [RFC1034]. The original definition of the CNAME RR did not allow any
+ other types to coexist with a CNAME record, but a signed zone
+ requires NSEC and RRSIG RRs for every authoritative name. To resolve
+ this conflict, this specification modifies the definition of the
+ CNAME resource record to allow it to coexist with NSEC and RRSIG RRs.
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 8]
+
+Internet-Draft DNSSEC Protocol Modifications May 2004
+
+
+2.6 Example of a Secure Zone
+
+ Appendix A shows a complete example of a small signed zone.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 9]
+
+Internet-Draft DNSSEC Protocol Modifications May 2004
+
+
+3. Serving
+
+ This section describes the behavior of entities that include
+ security-aware name server functions. In many cases such functions
+ will be part of a security-aware recursive name server, but a
+ security-aware authoritative name server has some of the same
+ requirements. Functions specific to security-aware recursive name
+ servers are described in Section 3.2; functions specific to
+ authoritative servers are described in Section 3.1.
+
+ The terms "SNAME", "SCLASS", and "STYPE" in the following discussion
+ are as used in [RFC1034].
+
+ A security-aware name server MUST support the EDNS0 [RFC2671] message
+ size extension, MUST support a message size of at least 1220 octets,
+ and SHOULD support a message size of 4000 octets [RFC3226].
+
+ A security-aware name server that receives a DNS query that does not
+ include the EDNS OPT pseudo-RR or that has the DO bit set to zero
+ MUST treat the RRSIG, DNSKEY, and NSEC RRs as it would any other
+ RRset, and MUST NOT perform any of the additional processing
+ described below. Since the DS RR type has the peculiar property of
+ only existing in the parent zone at delegation points, DS RRs always
+ require some special processing, as described in Section 3.1.4.1.
+
+ Security aware name servers that receive queries for security RR
+ types which match the content of more than one zone that it serves
+ (e.g. NSEC and RRSIG RRs above and below a delegation point where the
+ server is authoritative for both zones) are encouraged to behave
+ self-consistently. The name server MAY return one of the following:
+ o The above-delegation RRsets
+ o The below-delegation RRsets
+ o Both above and below-delegation RRsets
+ o Empty answer section (i.e. no records)
+ o Some other response
+ o An error
+ As long as the response is always consistent for each query to the
+ name server.
+
+ DNSSEC allocates two new bits in the DNS message header: the CD
+ (Checking Disabled) bit and the AD (Authentic Data) bit. The CD bit
+ is controlled by resolvers; a security-aware name server MUST copy
+ the CD bit from a query into the corresponding response. The AD bit
+ is controlled by name servers; a security-aware name server MUST
+ ignore the setting of the AD bit in queries. See Section 3.1.6,
+ Section 3.2.2, Section 3.2.3, Section 4, and Section 4.9 for details
+ on the behavior of these bits.
+
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 10]
+
+Internet-Draft DNSSEC Protocol Modifications May 2004
+
+
+ A security aware name server which synthesizes CNAME RRs from DNAME
+ RRs as described in [RFC2672] SHOULD NOT generate signatures for the
+ synthesized CNAME RRs.
+
+3.1 Authoritative Name Servers
+
+ Upon receiving a relevant query that has the EDNS [RFC2671] OPT
+ pseudo-RR DO bit [RFC3225] set to one, a security-aware authoritative
+ name server for a signed zone MUST include additional RRSIG, NSEC,
+ and DS RRs according to the following rules:
+ o RRSIG RRs that can be used to authenticate a response MUST be
+ included in the response according to the rules in Section 3.1.1;
+ o NSEC RRs that can be used to provide authenticated denial of
+ existence MUST be included in the response automatically according
+ to the rules in Section 3.1.3;
+ o Either a DS RRset or an NSEC RR proving that no DS RRs exist MUST
+ be included in referrals automatically according to the rules in
+ Section 3.1.4.
+
+ DNSSEC does not change the DNS zone transfer protocol. Section 3.1.5
+ discusses zone transfer requirements.
+
+3.1.1 Including RRSIG RRs in a Response
+
+ When responding to a query that has the DO bit set to one, a
+ security-aware authoritative name server SHOULD attempt to send RRSIG
+ RRs that a security-aware resolver can use to authenticate the RRsets
+ in the response. A name server SHOULD make every attempt to keep the
+ RRset and its associated RRSIG(s) together in a response. Inclusion
+ of RRSIG RRs in a response is subject to the following rules:
+ o When placing a signed RRset in the Answer section, the name server
+ MUST also place its RRSIG RRs in the Answer section. The RRSIG
+ RRs have a higher priority for inclusion than any other RRsets
+ that may need to be included. If space does not permit inclusion
+ of these RRSIG RRs, the name server MUST set the TC bit.
+ o When placing a signed RRset in the Authority section, the name
+ server MUST also place its RRSIG RRs in the Authority section.
+ The RRSIG RRs have a higher priority for inclusion than any other
+ RRsets that may need to be included. If space does not permit
+ inclusion of these RRSIG RRs, the name server MUST set the TC bit.
+ o When placing a signed RRset in the Additional section, the name
+ server MUST also place its RRSIG RRs in the Additional section.
+ If space does not permit inclusion of both the RRset and its
+ associated RRSIG RRs, the name server MAY drop the RRSIG RRs. If
+ this happens, the name server MUST NOT set the TC bit solely
+ because these RRSIG RRs didn't fit.
+
+
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 11]
+
+Internet-Draft DNSSEC Protocol Modifications May 2004
+
+
+3.1.2 Including DNSKEY RRs In a Response
+
+ When responding to a query that has the DO bit set to one and that
+ requests the SOA or NS RRs at the apex of a signed zone, a
+ security-aware authoritative name server for that zone MAY return the
+ zone apex DNSKEY RRset in the Additional section. In this situation,
+ the DNSKEY RRset and associated RRSIG RRs have lower priority than
+ any other information that would be placed in the additional section.
+ The name server SHOULD NOT include the DNSKEY RRset unless there is
+ enough space in the response message for both the DNSKEY RRset and
+ its associated RRSIG RR(s). If there is not enough space to include
+ these DNSKEY and RRSIG RRs, the name server MUST omit them and MUST
+ NOT set the TC bit solely because these RRs didn't fit (see Section
+ 3.1.1).
+
+3.1.3 Including NSEC RRs In a Response
+
+ When responding to a query that has the DO bit set to one, a
+ security-aware authoritative name server for a signed zone MUST
+ include NSEC RRs in each of the following cases:
+
+ No Data: The zone contains RRsets that exactly match ,
+ but does not contain any RRsets that exactly match .
+
+ Name Error: The zone does not contain any RRsets that match either exactly or via wildcard name expansion.
+
+ Wildcard Answer: The zone does not contain any RRsets that exactly
+ match but does contain an RRset that matches
+ via wildcard name expansion.
+
+ Wildcard No Data: The zone does not contain any RRsets that exactly
+ match , does contain one or more RRsets that match
+ via wildcard name expansion, but does not contain
+ any RRsets that match via wildcard name
+ expansion.
+
+ In each of these cases, the name server includes NSEC RRs in the
+ response to prove that an exact match for was
+ not present in the zone and that the response that the name server is
+ returning is correct given the data that are in the zone.
+
+3.1.3.1 Including NSEC RRs: No Data Response
+
+ If the zone contains RRsets matching but contains no
+ RRset matching , then the name server MUST
+ include the NSEC RR for along with its associated
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 12]
+
+Internet-Draft DNSSEC Protocol Modifications May 2004
+
+
+ RRSIG RR(s) in the Authority section of the response (see Section
+ 3.1.1). If space does not permit inclusion of the NSEC RR or its
+ associated RRSIG RR(s), the name server MUST set the TC bit (see
+ Section 3.1.1).
+
+ Since the search name exists, wildcard name expansion does not apply
+ to this query, and a single signed NSEC RR suffices to prove the
+ requested RR type does not exist.
+
+3.1.3.2 Including NSEC RRs: Name Error Response
+
+ If the zone does not contain any RRsets matching
+ either exactly or via wildcard name expansion, then the name server
+ MUST include the following NSEC RRs in the Authority section, along
+ with their associated RRSIG RRs:
+ o An NSEC RR proving that there is no exact match for ; and
+ o An NSEC RR proving that the zone contains no RRsets that would
+ match via wildcard name expansion.
+
+ In some cases a single NSEC RR may prove both of these points, in
+ that case the name server SHOULD only include the NSEC RR and its
+ RRSIG RR(s) once in the Authority section.
+
+ If space does not permit inclusion of these NSEC and RRSIG RRs, the
+ name server MUST set the TC bit (see Section 3.1.1).
+
+ The owner names of these NSEC and RRSIG RRs are not subject to
+ wildcard name expansion when these RRs are included in the Authority
+ section of the response.
+
+ Note that this form of response includes cases in which SNAME
+ corresponds to an empty non-terminal name within the zone (a name
+ which is not the owner name for any RRset but which is the parent
+ name of one or more RRsets).
+
+3.1.3.3 Including NSEC RRs: Wildcard Answer Response
+
+ If the zone does not contain any RRsets which exactly match but does contain an RRset which matches via wildcard name expansion, the name server MUST include the
+ wildcard-expanded answer and the corresponding wildcard-expanded
+ RRSIG RRs in the Answer section, and MUST include in the Authority
+ section an NSEC RR and associated RRSIG RR(s) proving that the zone
+ does not contain a closer match for . If space does
+ not permit inclusion of the answer, NSEC and RRSIG RRs, the name
+ server MUST set the TC bit (see Section 3.1.1).
+
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 13]
+
+Internet-Draft DNSSEC Protocol Modifications May 2004
+
+
+3.1.3.4 Including NSEC RRs: Wildcard No Data Response
+
+ This case is a combination of the previous cases. The zone does not
+ contain an exact match for , and while the zone does
+ contain RRsets which match via wildcard expansion,
+ none of those RRsets match STYPE. The name server MUST include the
+ following NSEC RRs in the Authority section, along with their
+ associated RRSIG RRs:
+ o An NSEC RR proving that there are no RRsets matching STYPE at the
+ wildcard owner name which matched via wildcard
+ expansion; and
+ o An NSEC RR proving that there are no RRsets in the zone which
+ would have been a closer match for .
+
+ In some cases a single NSEC RR may prove both of these points, in
+ which case the name server SHOULD only include the NSEC RR and its
+ RRSIG RR(s) once in the Authority section.
+
+ The owner names of these NSEC and RRSIG RRs are not subject to
+ wildcard name expansion when these RRs are included in the Authority
+ section of the response.
+
+ If space does not permit inclusion of these NSEC and RRSIG RRs, the
+ name server MUST set the TC bit (see Section 3.1.1).
+
+3.1.3.5 Finding The Right NSEC RRs
+
+ As explained above, there are several situations in which a
+ security-aware authoritative name server needs to locate an NSEC RR
+ which proves that no RRsets matching a particular SNAME exist.
+ Locating such an NSEC RR within an authoritative zone is relatively
+ simple, at least in concept. The following discussion assumes that
+ the name server is authoritative for the zone which would have held
+ the nonexistent RRsets matching SNAME. The algorithm below is
+ written for clarity, not efficiency.
+
+ To find the NSEC which proves that no RRsets matching name N exist in
+ the zone Z which would have held them, construct sequence S
+ consisting of the owner names of every RRset in Z, sorted into
+ canonical order [I-D.ietf-dnsext-dnssec-records], with no duplicate
+ names. Find the name M which would have immediately preceded N in S
+ if any RRsets with owner name N had existed. M is the owner name of
+ the NSEC RR which proves that no RRsets exist with owner name N.
+
+ The algorithm for finding the NSEC RR which proves that a given name
+ is not covered by any applicable wildcard is similar, but requires an
+ extra step. More precisely, the algorithm for finding the NSEC
+ proving that no RRsets exist with the applicable wildcard name is
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 14]
+
+Internet-Draft DNSSEC Protocol Modifications May 2004
+
+
+ precisely the same as the algorithm for finding the NSEC RR which
+ proves that RRsets with any other owner name do not exist: the part
+ that's missing is how to determine the name of the nonexistent
+ applicable wildcard.
In practice, this is easy, because the
+ authoritative name server has already checked for the presence of
+ precisely this wildcard name as part of step (1)(c) of the normal
+ lookup algorithm described in Section 4.3.2 of [RFC1034].
+
+3.1.4 Including DS RRs In a Response
+
+ When responding to a query which has the DO bit set to one, a
+ security-aware authoritative name server returning a referral
+ includes DNSSEC data along with the NS RRset.
+
+ If a DS RRset is present at the delegation point, the name server
+ MUST return both the DS RRset and its associated RRSIG RR(s) in the
+ Authority section along with the NS RRset. The name server MUST
+ place the NS RRset before the DS RRset and its associated RRSIG
+ RR(s).
+
+ If no DS RRset is present at the delegation point, the name server
+ MUST return both the NSEC RR which proves that the DS RRset is not
+ present and the NSEC RR's associated RRSIG RR(s) along with the NS
+ RRset. The name server MUST place the NS RRset before the NSEC RRset
+ and its associated RRSIG RR(s).
+
+ Including these DS, NSEC, and RRSIG RRs increases the size of
+ referral messages, and may cause some or all glue RRs to be omitted.
+ If space does not permit inclusion of the DS or NSEC RRset and
+ associated RRSIG RRs, the name server MUST set the TC bit (see
+ Section 3.1.1).
+
+3.1.4.1 Responding to Queries for DS RRs
+
+ The DS resource record type is unusual in that it appears only on the
+ parent zone's side of a zone cut. For example, the DS RRset for the
+ delegation of "foo.example" is stored in the "example" zone rather
+ than in the "foo.example" zone. This requires special processing
+ rules for both name servers and resolvers, since the name server for
+ the child zone is authoritative for the name at the zone cut by the
+ normal DNS rules but the child zone does not contain the DS RRset.
+
+ A security-aware resolver sends queries to the parent zone when
+ looking for a needed DS RR at a delegation point (see Section 4.2).
+ However, special rules are necessary to avoid confusing
+ security-oblivious resolvers which might become involved in
+ processing such a query (for example, in a network configuration that
+ forces a security-aware resolver to channel its queries through a
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 15]
+
+Internet-Draft DNSSEC Protocol Modifications May 2004
+
+
+ security-oblivious recursive name server). The rest of this section
+ describes how a security-aware name server processes DS queries in
+ order to avoid this problem.
+
+ The need for special processing by a security-aware name server only
+ arises when all the following conditions are met:
+ o the name server has received a query for the DS RRset at a zone
+ cut; and
+ o the name server is authoritative for the child zone; and
+ o the name server is not authoritative for the parent zone; and
+ o the name server does not offer recursion.
+
+ In all other cases, the name server either has some way of obtaining
+ the DS RRset or could not have been expected to have the DS RRset
+ even by the pre-DNSSEC processing rules, so the name server can
+ return either the DS RRset or an error response according to the
+ normal processing rules.
+
+ If all of the above conditions are met, however, the name server is
+ authoritative for SNAME but cannot supply the requested RRset. In
+ this case, the name server MUST return an authoritative "no data"
+ response showing that the DS RRset does not exist in the child zone's
+ apex. See Appendix B.8 for an example of such a response.
+
+3.1.5 Responding to Queries for Type AXFR or IXFR
+
+ DNSSEC does not change the DNS zone transfer process. A signed zone
+ will contain RRSIG, DNSKEY, NSEC, and DS resource records, but these
+ records have no special meaning with respect to a zone transfer
+ operation.
+
+ An authoritative name server is not required to verify that a zone is
+ properly signed before sending or accepting a zone transfer.
+ However, an authoritative name server MAY choose to reject the entire
+ zone transfer if the zone fails meets any of the signing requirements
+ described in Section 2. The primary objective of a zone transfer is
+ to ensure that all authoritative name servers have identical copies
+ of the zone. An authoritative name server that chooses to perform
+ its own zone validation MUST NOT selectively reject some RRs and
+ accept others.
+
+ DS RRsets appear only on the parental side of a zone cut and are
+ authoritative data in the parent zone. As with any other
+ authoritative RRset, the DS RRset MUST be included in zone transfers
+ of the zone in which the RRset is authoritative data: in the case of
+ the DS RRset, this is the parent zone.
+
+ NSEC RRs appear in both the parent and child zones at a zone cut, and
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 16]
+
+Internet-Draft DNSSEC Protocol Modifications May 2004
+
+
+ are authoritative data in both the parent and child zones. The
+ parental and child NSEC RRs at a zone cut are never identical to each
+ other, since the NSEC RR in the child zone's apex will always
+ indicate the presence of the child zone's SOA RR while the parental
+ NSEC RR at the zone cut will never indicate the presence of an SOA
+ RR. As with any other authoritative RRs, NSEC RRs MUST be included
+ in zone transfers of the zone in which they are authoritative data:
+ the parental NSEC RR at a zone cut MUST be included zone transfers of
+ the parent zone, while the NSEC at the zone apex of the child zone
+ MUST be included in zone transfers of the child zone.
+
+ RRSIG RRs appear in both the parent and child zones at a zone cut,
+ and are authoritative in whichever zone contains the authoritative
+ RRset for which the RRSIG RR provides the signature.
That is, the
+ RRSIG RR for a DS RRset or a parental NSEC RR at a zone cut will be
+ authoritative in the parent zone, while the RRSIG for any RRset in
+ the child zone's apex will be authoritative in the child zone. As
+ with any other authoritative RRs, RRSIG RRs MUST be included in zone
+ transfers of the zone in which they are authoritative data.
+
+3.1.6 The AD and CD Bits in an Authoritative Response
+
+ The CD and AD bits are designed for use in communication between
+ security-aware resolvers and security-aware recursive name servers.
+ These bits are for the most part not relevant to query processing by
+ security-aware authoritative name servers.
+
+ A security-aware name server does not perform signature validation
+ for authoritative data during query processing even when the CD bit
+ is set to zero. A security-aware name server SHOULD clear the CD bit
+ when composing an authoritative response.
+
+ A security-aware name server MUST NOT set the AD bit in a response
+ unless the name server considers all RRsets in the Answer and
+ Authority sections of the response to be authentic. A security-aware
+ name server's local policy MAY consider data from an authoritative
+ zone to be authentic without further validation, but the name server
+ MUST NOT do so unless the name server obtained the authoritative zone
+ via secure means (such as a secure zone transfer mechanism), and MUST
+ NOT do so unless this behavior has been configured explicitly.
+
+ A security-aware name server which supports recursion MUST follow the
+ rules for the CD and AD bits given in Section 3.2 when generating a
+ response that involves data obtained via recursion.
+
+3.2 Recursive Name Servers
+
+ As explained in [I-D.ietf-dnsext-dnssec-intro], a security-aware
+
+
+
+Arends, et al.
Expires November 15, 2004 [Page 17]
+
+Internet-Draft DNSSEC Protocol Modifications May 2004
+
+
+ recursive name server is an entity which acts in both the
+ security-aware name server and security-aware resolver roles. This
+ section uses the terms "name server side" and "resolver side" to
+ refer to the code within a security-aware recursive name server which
+ implements the security-aware name server role and the code which
+ implements the security-aware resolver role, respectively.
+
+ The resolver side follows the usual rules for caching and negative
+ caching which would apply to any security-aware resolver.
+
+3.2.1 The DO bit
+
+ The resolver side of a security-aware recursive name server MUST set
+ the DO bit when sending requests, regardless of the state of the DO
+ bit in the initiating request received by the name server side. If
+ the DO bit in an initiating query is not set, the name server side
+ MUST strip any authenticating DNSSEC RRs from the response, but MUST
+ NOT strip any DNSSEC RR types that the initiating query explicitly
+ requested.
+
+3.2.2 The CD bit
+
+ The CD bit exists in order to allow a security-aware resolver to
+ disable signature validation in a security-aware name server's
+ processing of a particular query.
+
+ The name server side MUST copy the setting of the CD bit from a query
+ to the corresponding response.
+
+ The name server side of a security-aware recursive name server MUST
+ pass the sense of the CD bit to the resolver side along with the rest
+ of an initiating query, so that the resolver side will know whether
+ or not it is required to verify the response data it returns to the
+ name server side. If the CD bit is set to one, it indicates that the
+ originating resolver is willing to perform whatever authentication
+ its local policy requires, thus the resolver side of the recursive
+ name server need not perform authentication on the RRsets in the
+ response.
When the CD bit is set to one the recursive name server
+ SHOULD, if possible, return the requested data to the originating
+ resolver even if the recursive name server's local authentication
+ policy would reject the records in question. That is, by setting the
+ CD bit, the originating resolver has indicated that it takes
+ responsibility for performing its own authentication, and the
+ recursive name server should not interfere.
+
+ If the resolver side implements a BAD cache (see Section 4.7) and the
+ name server side receives a query which matches an entry in the
+ resolver side's BAD cache, the name server side's response depends on
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 18]
+
+Internet-Draft DNSSEC Protocol Modifications May 2004
+
+
+ the sense of the CD bit in the original query. If the CD bit is set,
+ the name server side SHOULD return the data from the BAD cache; if
+ the CD bit is not set, the name server side MUST return RCODE 2
+ (server failure).
+
+ The intent of the above rule is to provide the raw data to clients
+ which are capable of performing their own signature verification
+ checks while protecting clients which depend on the resolver side of
+ a security-aware recursive name server to perform such checks.
+ Several of the possible reasons why signature validation might fail
+ involve conditions which may not apply equally to the recursive name
+ server and the client which invoked it: for example, the recursive
+ name server's clock may be set incorrectly, or the client may have
+ knowledge of a relevant island of security which the recursive name
+ server does not share. In such cases, "protecting" a client which is
+ capable of performing its own signature validation from ever seeing
+ the "bad" data does not help the client.
+
+3.2.3 The AD bit
+
+ The name server side of a security-aware recursive name server MUST
+ NOT set the AD bit in a response unless the name server considers all
+ RRsets in the Answer and Authority sections of the response to be
+ authentic. The name server side SHOULD set the AD bit if and only if
+ the resolver side considers all RRsets in the Answer section and any
+ relevant negative response RRs in the Authority section to be
+ authentic. The resolver side MUST follow the procedure described in
+ Section 5 to determine whether the RRs in question are authentic.
+ However, for backwards compatibility, a recursive name server MAY set
+ the AD bit when a response includes unsigned CNAME RRs if those CNAME
+ RRs demonstrably could have been synthesized from an authentic DNAME
+ RR which is also included in the response according to the synthesis
+ rules described in [RFC2672].
+
+3.3 Example DNSSEC Responses
+
+ See Appendix B for example response packets.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 19]
+
+Internet-Draft DNSSEC Protocol Modifications May 2004
+
+
+4. Resolving
+
+ This section describes the behavior of entities that include
+ security-aware resolver functions. In many cases such functions will
+ be part of a security-aware recursive name server, but a stand-alone
+ security-aware resolver has many of the same requirements. Functions
+ specific to security-aware recursive name servers are described in
+ Section 3.2.
+
+4.1 EDNS Support
+
+ A security-aware resolver MUST include an EDNS [RFC2671] OPT
+ pseudo-RR with the DO [RFC3225] bit set to one when sending queries.
+
+ A security-aware resolver MUST support a message size of at least
+ 1220 octets, SHOULD support a message size of 4000 octets, and MUST
+ advertise the supported message size using the "sender's UDP payload
+ size" field in the EDNS OPT pseudo-RR.
A security-aware resolver MUST
+ handle fragmented UDP packets correctly regardless of whether any
+ such fragmented packets were received via IPv4 or IPv6. Please see
+ [RFC3226] for discussion of these requirements.
+
+4.2 Signature Verification Support
+
+ A security-aware resolver MUST support the signature verification
+ mechanisms described in Section 5, and MUST apply them to every
+ received response except when:
+ o The security-aware resolver is part of a security-aware recursive
+ name server, and the response is the result of recursion on behalf
+ of a query received with the CD bit set;
+ o The response is the result of a query generated directly via some
+ form of application interface which instructed the security-aware
+ resolver not to perform validation for this query; or
+ o Validation for this query has been disabled by local policy.
+
+ A security-aware resolver's support for signature verification MUST
+ include support for verification of wildcard owner names.
+
+ Security aware resolvers MAY query for missing security RRs in an
+ attempt to perform validation; implementations that choose to do so
+ must be aware of the fact that the answers received may not be
+ sufficient to validate the original response.
+
+ When attempting to retrieve missing NSEC RRs which reside on the
+ parental side at a zone cut, a security-aware iterative-mode resolver
+ MUST query the name servers for the parent zone, not the child zone.
+
+ When attempting to retrieve a missing DS, a security-aware
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 20]
+
+Internet-Draft DNSSEC Protocol Modifications May 2004
+
+
+ iterative-mode resolver MUST query the name servers for the parent
+ zone, not the child zone.
As explained in Section 3.1.4.1,
+ security-aware name servers need to apply special processing rules to
+ handle the DS RR, and in some situations the resolver may also need
+ to apply special rules to locate the name servers for the parent zone
+ if the resolver does not already have the parent's NS RRset. To
+ locate the parent NS RRset, the resolver can start with the
+ delegation name, strip off the leftmost label, and query for an NS
+ RRset by that name; if no NS RRset is present at that name, the
+ resolver then strips of the leftmost remaining label and retries the
+ query for that name, repeating this process of walking up the tree
+ until it either finds the NS RRset or runs out of labels.
+
+4.3 Determining Security Status of Data
+
+ A security-aware resolver MUST be able to determine whether or not it
+ should expect a particular RRset to be signed. More precisely, a
+ security-aware resolver must be able to distinguish between four
+ cases:
+
+ Secure: An RRset for which the resolver is able to build a chain of
+ signed DNSKEY and DS RRs from a trusted security anchor to the
+ RRset. In this case, the RRset should be signed, and is subject
+ to signature validation as described above.
+
+ Insecure: An RRset for which the resolver knows that it has no chain
+ of signed DNSKEY and DS RRs from any trusted starting point to the
+ RRset. This can occur when the target RRset lies in an unsigned
+ zone or in a descendent of an unsigned zone. In this case, the
+ RRset may or may not be signed, but the resolver will not be able
+ to verify the signature.
+
+ Bogus: An RRset for which the resolver believes that it ought to be
+ able to establish a chain of trust but is unable to do so, either
+ due to signatures that for some reason fail to validate or due to
+ missing data which the relevant DNSSEC RRs indicate should be
+ present. This case may indicate an attack, but may also indicate
+ a configuration error or some form of data corruption.
+
+ Indeterminate: An RRset for which the resolver is not able to
+ determine whether or not the RRset should be signed, because the
+ resolver is not able to obtain the necessary DNSSEC RRs. This can
+ occur when the security-aware resolver is not able to contact
+ security-aware name servers for the relevant zones.
+
+4.4 Configured Trust Anchors
+
+ A security-aware resolver MUST be capable of being configured with at
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 21]
+
+Internet-Draft DNSSEC Protocol Modifications May 2004
+
+
+ least one trusted public key or DS RR, and SHOULD be capable of being
+ configured with multiple trusted public keys or DS RRs. Since a
+ security-aware resolver will not be able to validate signatures
+ without such a configured trust anchor, the resolver SHOULD have some
+ reasonably robust mechanism for obtaining such keys when it boots;
+ examples of such a mechanism would be some form of non-volatile
+ storage (such as a disk drive) or some form of trusted local network
+ configuration mechanism.
+
+ Note that trust anchors also covers key material that is updated in a
+ secure manner. This secure manner could be through physical media, a
+ key exchange protocol, or some other out of band means.
+
+4.5 Response Caching
+
+ A security-aware resolver SHOULD cache each response as a single
+ atomic entry containing the entire answer, including the named RRset
+ and any associated DNSSEC RRs. The resolver SHOULD discard the
+ entire atomic entry when any of the RRs contained in it expire. In
+ most cases the appropriate cache index for the atomic entry will be
+ the triple , but in cases such as the response
+ form described in Section 3.1.3.2 the appropriate cache index will be
+ the double .
+
+4.6 Handling of the CD and AD bits
+
+ A security-aware resolver MAY set the CD bit in a query to one in
+ order to indicate that the resolver takes responsibility for
+ performing whatever authentication its local policy requires on the
+ RRsets in the response. See Section 3.2 for the effect this bit has
+ on the behavior of security-aware recursive name servers.
+
+ A security-aware resolver MUST zero the AD bit when composing query
+ messages to protect against buggy name servers which blindly copy
+ header bits which they do not understand from the query message to
+ the response message.
+
+ A resolver MUST disregard the meaning of the CD and AD bits in a
+ response unless the response was obtained using a secure channel or
+ the resolver was specifically configured to regard the message header
+ bits without using a secure channel.
+
+4.7 Caching BAD Data
+
+ While many validation errors will be transient, some are likely to be
+ more persistent, such as those caused by administrative error
+ (failure to re-sign a zone, clock skew, and so forth). Since
+ requerying will not help in these cases, validating resolvers might
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 22]
+
+Internet-Draft DNSSEC Protocol Modifications May 2004
+
+
+ generate a significant amount of unnecessary DNS traffic as a result
+ of repeated queries for RRsets with persistent validation failures.
+
+ To prevent such unnecessary DNS traffic, security-aware resolvers MAY
+ cache data with invalid signatures, with some restrictions.
+ Conceptually, caching such data is similar to negative caching
+ [RFC2308], except that instead of caching a valid negative response,
+ the resolver is caching the fact that a particular answer failed to
+ validate. This document refers to a cache of data with invalid
+ signatures as a "BAD cache".
+
+ Resolvers which implement a BAD cache MUST take steps to prevent the
+ cache from being useful as a denial-of-service attack amplifier.
In
+ particular:
+ o Since RRsets which fail to validate do not have trustworthy TTLs,
+ the implementation MUST assign a TTL. This TTL SHOULD be small,
+ in order to mitigate the effect of caching the results of an
+ attack.
+ o In order to prevent caching of a transient validation failure
+ (which might be the result of an attack), resolvers SHOULD track
+ queries that result in validation failures, and SHOULD only answer
+ from the BAD cache after the number of times that responses to
+ queries for that particular have failed to
+ validate exceeds a threshold value.
+
+ Resolvers MUST NOT return RRsets from the BAD cache unless the
+ resolver is not required to validate the signatures of the RRsets in
+ question under the rules given in Section 4.2 of this document. See
+ Section 3.2.2 for discussion of how the responses returned by a
+ security-aware recursive name server interact with a BAD cache.
+
+4.8 Synthesized CNAMEs
+
+ A validating security-aware resolver MUST treat the signature of a
+ valid signed DNAME RR as also covering unsigned CNAME RRs which could
+ have been synthesized from the DNAME RR as described in [RFC2672], at
+ least to the extent of not rejecting a response message solely
+ because it contains such CNAME RRs. The resolver MAY retain such
+ CNAME RRs in its cache or in the answers it hands back, but is not
+ required to do so.
+
+4.9 Stub resolvers
+
+ A security-aware stub resolver MUST support the DNSSEC RR types, at
+ least to the extent of not mishandling responses just because they
+ contain DNSSEC RRs.
+
+
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 23]
+
+Internet-Draft DNSSEC Protocol Modifications May 2004
+
+
+4.9.1 Handling of the DO Bit
+
+ A non-validating security-aware stub resolver MAY include the DNSSEC
+ RRs returned by a security-aware recursive name server as part of the
+ data that the stub resolver hands back to the application which
+ invoked it but is not required to do so.
A non-validating stub
+ resolver that wishes to do this will need to set the DO bit in
+ receive DNSSEC RRs from the recursive name server.
+
+ A validating security-aware stub resolver MUST set the DO bit, since
+ otherwise it will not receive the DNSSEC RRs it needs to perform
+ signature validation.
+
+4.9.2 Handling of the CD Bit
+
+ A non-validating security-aware stub resolver SHOULD NOT set the CD
+ bit when sending queries unless requested by the application layer,
+ since by definition, a non-validating stub resolver depends on the
+ security-aware recursive name server to perform validation on its
+ behalf.
+
+ A validating security-aware stub resolver SHOULD set the CD bit,
+ since otherwise the security-aware recursive name server will answer
+ the query using the name server's local policy, which may prevent the
+ stub resolver from receiving data which would be acceptable to the
+ stub resolver's local policy.
+
+4.9.3 Handling of the AD Bit
+
+ A non-validating security-aware stub resolver MAY chose to examine
+ the setting of the AD bit in response messages that it receives in
+ order to determine whether the security-aware recursive name server
+ which sent the response claims to have cryptographically verified the
+ data in the Answer and Authority sections of the response message.
+ Note, however, that the responses received by a security-aware stub
+ resolver are heavily dependent on the local policy of the
+ security-aware recursive name server, so as a practical matter there
+ may be little practical value to checking the status of the AD bit
+ except perhaps as a debugging aid. In any case, a security-aware
+ stub resolver MUST NOT place any reliance on signature validation
+ allegedly performed on its behalf except when the security-aware stub
+ resolver obtained the data in question from a trusted security-aware
+ recursive name server via a secure channel.
+
+ A validating security-aware stub resolver SHOULD NOT examine the
+ setting of the AD bit in response messages, since, by definition, the
+ stub resolver performs its own signature validation regardless of the
+ setting of the AD bit.
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 24]
+
+Internet-Draft DNSSEC Protocol Modifications May 2004
+
+
+5. Authenticating DNS Responses
+
+ In order to use DNSSEC RRs for authentication, a security-aware
+ resolver requires configured knowledge of at least one authenticated
+ DNSKEY or DS RR. The process for obtaining and authenticating this
+ initial trust anchors is achieved via some external mechanism. For
+ example, a resolver could use some off-line authenticated exchange to
+ obtain a zone's DNSKEY RR or obtain a DS RR that identifies and
+ authenticates a zone's DNSKEY RR. The remainder of this section
+ assumes that the resolver has somehow obtained an initial set of
+ trust anchors.
+
+ An initial DNSKEY RR can be used to authenticate a zone's apex DNSKEY
+ RRset. To authenticate an apex DNSKEY RRset using an initial key,
+ the resolver MUST:
+ 1. Verify that the initial DNSKEY RR appears in the apex DNSKEY
+ RRset, and verify that the DNSKEY RR MUST have the Zone Key Flag
+ (DNSKEY RDATA bit 7) set to one.
+ 2. Verify that there is some RRSIG RR that covers the apex DNSKEY
+ RRset, and that the combination of the RRSIG RR and the initial
+ DNSKEY RR authenticates the DNSKEY RRset. The process for using
+ an RRSIG RR to authenticate an RRset is described in Section 5.3.
+
+ Once the resolver has authenticated the apex DNSKEY RRset using an
+ initial DNSKEY RR, delegations from that zone can be authenticated
+ using DS RRs. This allows a resolver to start from an initial key,
+ and use DS RRsets to proceed recursively down the DNS tree obtaining
+ other apex DNSKEY RRsets.
If the resolver were configured with a
+ root DNSKEY RR, and if every delegation had a DS RR associated with
+ it, then the resolver could obtain and validate any apex DNSKEY
+ RRset. The process of using DS RRs to authenticate referrals is
+ described in Section 5.2.
+
+ Once the resolver has authenticated a zone's apex DNSKEY RRset,
+ Section 5.3 shows how the resolver can use DNSKEY RRs in the apex
+ DNSKEY RRset and RRSIG RRs from the zone to authenticate any other
+ RRsets in the zone. Section 5.4 shows how the resolver can use
+ authenticated NSEC RRsets from the zone to prove that an RRset is not
+ present in the zone.
+
+ When a resolver indicates support for DNSSEC (by setting the DO bit),
+ a security-aware name server should attempt to provide the necessary
+ DNSKEY, RRSIG, NSEC, and DS RRsets in a response (see Section 3).
+ However, a security-aware resolver may still receive a response that
+ that lacks the appropriate DNSSEC RRs, whether due to configuration
+ issues such as an upstream security-oblivious recursive name server
+ that accidentally interferes with DNSSEC RRs or due to a deliberate
+ attack in which an adversary forges a response, strips DNSSEC RRs
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 25]
+
+Internet-Draft DNSSEC Protocol Modifications May 2004
+
+
+ from a response, or modifies a query so that DNSSEC RRs appear not to
+ be requested. The absence of DNSSEC data in a response MUST NOT by
+ itself be taken as an indication that no authentication information
+ exists.
+
+ A resolver SHOULD expect authentication information from signed
+ zones. A resolver SHOULD believe that a zone is signed if the
+ resolver has been configured with public key information for the
+ zone, or if the zone's parent is signed and the delegation from the
+ parent contains a DS RRset.
+
+5.1 Special Considerations for Islands of Security
+
+ Islands of security (see [I-D.ietf-dnsext-dnssec-intro]) are signed
+ zones for which it is not possible to construct an authentication
+ chain to the zone from its parent. Validating signatures within an
+ island of security requires the validator to have some other means of
+ obtaining an initial authenticated zone key for the island. If a
+ validator cannot obtain such a key, it SHOULD switch to operating as
+ if the zones in the island of security are unsigned.
+
+ All the normal processes for validating responses apply to islands of
+ security. The only difference between normal validation and
+ validation within an island of security is in how the validator
+ obtains a trust anchor for the authentication chain.
+
+5.2 Authenticating Referrals
+
+ Once the apex DNSKEY RRset for a signed parent zone has been
+ authenticated, DS RRsets can be used to authenticate the delegation
+ to a signed child zone. A DS RR identifies a DNSKEY RR in the child
+ zone's apex DNSKEY RRset, and contains a cryptographic digest of the
+ child zone's DNSKEY RR. A strong cryptographic digest algorithm
+ ensures that an adversary can not easily generate a DNSKEY RR that
+ matches the digest. Thus, authenticating the digest allows a
+ resolver to authenticate the matching DNSKEY RR. The resolver can
+ then use this child DNSKEY RR to authenticate the entire child apex
+ DNSKEY RRset.
+
+ Given a DS RR for a delegation, the child zone's apex DNSKEY RRset
+ can be authenticated if all of the following hold:
+ o The DS RR has been authenticated using some DNSKEY RR in the
+ parent's apex DNSKEY RRset (see Section 5.3);
+ o The Algorithm and Key Tag in the DS RR match the Algorithm field
+ and the key tag of a DNSKEY RR in the child zone's apex DNSKEY
+ RRset and, when hashed using the digest algorithm specified in the
+ DS RR's Digest Type field, results in a digest value that matches
+ the Digest field of the DS RR; and
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 26]
+
+Internet-Draft DNSSEC Protocol Modifications May 2004
+
+
+ o The matching DNSKEY RR in the child zone has the Zone Flag bit set
+ to one, the corresponding private key has signed the child zone's
+ apex DNSKEY RRset, and the resulting RRSIG RR authenticates the
+ child zone's apex DNSKEY RRset.
+
+ If the referral from the parent zone did not contain a DS RRset, the
+ response should have included a signed NSEC RRset proving that no DS
+ RRset exists for the delegated name (see Section 3.1.4). A
+ security-aware resolver MUST query the name servers for the parent
+ zone for the DS RRset if the referral includes neither a DS RRset nor
+ a NSEC RRset proving that the DS RRset does not exist (see Section
+ 4).
+
+ If the validator authenticates an NSEC RRset that proves that no DS
+ RRset is present for this zone, then there is no authentication path
+ leading from the parent to the child. If the resolver has an initial
+ DNSKEY or DS RR that belongs to the child zone or to any delegation
+ below the child zone, this initial DNSKEY or DS RR MAY be used to
+ re-establish an authentication path. If no such initial DNSKEY or DS
+ RR exists, the validator can not authenticate RRsets in or below the
+ child zone.
+
+ If the validator does not support any of the algorithms listed in an
+ authenticated DS RRset, then the resolver has no supported
+ authentication path leading from the parent to the child. The
+ resolver should treat this case as it would the case of an
+ authenticated NSEC RRset proving that no DS RRset exists, as
+ described above.
+
+ Note that, for a signed delegation, there are two NSEC RRs associated
+ with the delegated name. One NSEC RR resides in the parent zone, and
+ can be used to prove whether a DS RRset exists for the delegated
+ name. The second NSEC RR resides in the child zone, and identifies
+ which RRsets are present at the apex of the child zone. The parent
+ NSEC RR and child NSEC RR can always be distinguished, since the SOA
+ bit will be set in the child NSEC RR and clear in the parent NSEC RR.
+ A security-aware resolver MUST use the parent NSEC RR when attempting
+ to prove that a DS RRset does not exist.
+
+ If the resolver does not support any of the algorithms listed in an
+ authenticated DS RRset, then the resolver will not be able to verify
+ the authentication path to the child zone. In this case, the
+ resolver SHOULD treat the child zone as if it were unsigned.
+
+5.3 Authenticating an RRset Using an RRSIG RR
+
+ A validator can use an RRSIG RR and its corresponding DNSKEY RR to
+ attempt to authenticate RRsets. The validator first checks the RRSIG
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 27]
+
+Internet-Draft DNSSEC Protocol Modifications May 2004
+
+
+ RR to verify that it covers the RRset, has a valid time interval, and
+ identifies a valid DNSKEY RR. The validator then constructs the
+ canonical form of the signed data by appending the RRSIG RDATA
+ (excluding the Signature Field) with the canonical form of the
+ covered RRset. Finally, the validator uses the public key and
+ signature to authenticate the signed data. Section 5.3.1, Section
+ 5.3.2, and Section 5.3.3 describe each step in detail.
+
+5.3.1 Checking the RRSIG RR Validity
+
+ A security-aware resolver can use an RRSIG RR to authenticate an
+ RRset if all of the following conditions hold:
+ o The RRSIG RR and the RRset MUST have the same owner name and the
+ same class;
+ o The RRSIG RR's Signer's Name field MUST be the name of the zone
+ that contains the RRset;
+ o The RRSIG RR's Type Covered field MUST equal the RRset's type;
+ o The number of labels in the RRset owner name MUST be greater than
+ or equal to the value in the RRSIG RR's Labels field;
+ o The validator's notion of the current time MUST be less than or
+ equal to the time listed in the RRSIG RR's Expiration field;
+ o The validator's notion of the current time MUST be greater than or
+ equal to the time listed in the RRSIG RR's Inception field;
+ o The RRSIG RR's Signer's Name, Algorithm, and Key Tag fields MUST
+ match the owner name, algorithm, and key tag for some DNSKEY RR in
+ the zone's apex DNSKEY RRset;
+ o The matching DNSKEY RR MUST be present in the zone's apex DNSKEY
+ RRset, and MUST have the Zone Flag bit (DNSKEY RDATA Flag bit 7)
+ set to one.
+
+ It is possible for more than one DNSKEY RR to match the conditions
+ above. In this case, the validator cannot predetermine which DNSKEY
+ RR to use to authenticate the signature, MUST try each matching
+ DNSKEY RR until either the signature is validated or the validator
+ has run out of matching public keys to try.
+
+ Note that this authentication process is only meaningful if the
+ validator authenticates the DNSKEY RR before using it to validate
+ signatures. The matching DNSKEY RR is considered to be authentic if:
+ o The apex DNSKEY RRset containing the DNSKEY RR is considered
+ authentic; or
+ o The RRset covered by the RRSIG RR is the apex DNSKEY RRset itself,
+ and the DNSKEY RR either matches an authenticated DS RR from the
+ parent zone or matches a trust anchor.
+ +5.3.2 Reconstructing the Signed Data + + Once the RRSIG RR has met the validity requirements described in + + + +Arends, et al. Expires November 15, 2004 [Page 28] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + + Section 5.3.1, the validator needs to reconstruct the original signed + data. The original signed data includes RRSIG RDATA (excluding the + Signature field) and the canonical form of the RRset. Aside from + being ordered, the canonical form of the RRset might also differ from + the received RRset due to DNS name compression, decremented TTLs, or + wildcard expansion. The validator should use the following to + reconstruct the original signed data: + + signed_data = RRSIG_RDATA | RR(1) | RR(2)... where + + "|" denotes concatenation + + RRSIG_RDATA is the wire format of the RRSIG RDATA fields + with the Signature field excluded and the Signer's Name + in canonical form. + + RR(i) = name | type | class | OrigTTL | RDATA length | RDATA + + name is calculated according to the function below + + class is the RRset's class + + type is the RRset type and all RRs in the class + + OrigTTL is the value from the RRSIG Original TTL field + + All names in the RDATA field are in canonical form + + The set of all RR(i) is sorted into canonical order. + + To calculate the name: + let rrsig_labels = the value of the RRSIG Labels field + + let fqdn = RRset's fully qualified domain name in + canonical form + + let fqdn_labels = Label count of the fqdn above. + + if rrsig_labels = fqdn_labels, + name = fqdn + + if rrsig_labels < fqdn_labels, + name = "*." | the rightmost rrsig_label labels of the + fqdn + + if rrsig_labels > fqdn_labels + the RRSIG RR did not pass the necessary validation + checks and MUST NOT be used to authenticate this + + + +Arends, et al. Expires November 15, 2004 [Page 29] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + + RRset. + + The canonical forms for names and RRsets are defined in + [I-D.ietf-dnsext-dnssec-records]. 
+ + NSEC RRsets at a delegation boundary require special processing. + There are two distinct NSEC RRsets associated with a signed delegated + name. One NSEC RRset resides in the parent zone, and specifies which + RRset are present at the parent zone. The second NSEC RRset resides + at the child zone, and identifies which RRsets are present at the + apex in the child zone. The parent NSEC RRset and child NSEC RRset + can always be distinguished since only the child NSEC RRs will + specify an SOA RRset exists at the name. When reconstructing the + original NSEC RRset for the delegation from the parent zone, the NSEC + RRs MUST NOT be combined with NSEC RRs from the child zone, and when + reconstructing the original NSEC RRset for the apex of the child + zone, the NSEC RRs MUST NOT be combined with NSEC RRs from the parent + zone. + + Note also that each of the two NSEC RRsets at a delegation point has + a corresponding RRSIG RR with an owner name matching the delegated + name, and each of these RRSIG RRs is authoritative data associated + with the same zone that contains the corresponding NSEC RRset. If + necessary, a resolver can tell these RRSIG RRs apart by checking the + Signer's Name field. + +5.3.3 Checking the Signature + + Once the resolver has validated the RRSIG RR as described in Section + 5.3.1 and reconstructed the original signed data as described in + Section 5.3.2, the validator can attempt to use the cryptographic + signature to authenticate the signed data, and thus (finally!) + authenticate the RRset. + + The Algorithm field in the RRSIG RR identifies the cryptographic + algorithm used to generate the signature. The signature itself is + contained in the Signature field of the RRSIG RDATA, and the public + key used to verify the signature is contained in the Public Key field + of the matching DNSKEY RR(s) (found in Section 5.3.1). 
+ [I-D.ietf-dnsext-dnssec-records] provides a list of algorithm types + and provides pointers to the documents that define each algorithm's + use. + + Note that it is possible for more than one DNSKEY RR to match the + conditions in Section 5.3.1. In this case, the validator can only + determine which DNSKEY RR by trying each matching public key until + the validator either succeeds in validating the signature or runs out + of keys to try. + + + +Arends, et al. Expires November 15, 2004 [Page 30] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + + If the Labels field of the RRSIG RR is not equal to the number of + labels in the RRset's fully qualified owner name, then the RRset is + either invalid or the result of wildcard expansion. The resolver + MUST verify that wildcard expansion was applied properly before + considering the RRset to be authentic. Section 5.3.4 describes how + to determine whether a wildcard was applied properly. + + If other RRSIG RRs also cover this RRset, the local resolver security + policy determines whether the resolver also needs to test these RRSIG + RRs, and determines how to resolve conflicts if these RRSIG RRs lead + to differing results. + + If the resolver accepts the RRset as authentic, the validator MUST + set the TTL of the RRSIG RR and each RR in the authenticated RRset to + a value no greater than the minimum of: + o The RRset's TTL as received in the response; + o The RRSIG RR's TTL as received in the response; + o The value in the RRSIG RR's Original TTL field; and + o The difference of the RRSIG RR's Signature Expiration time and the + current time. + +5.3.4 Authenticating A Wildcard Expanded RRset Positive Response + + If the number of labels in an RRset's owner name is greater than the + Labels field of the covering RRSIG RR, then the RRset and its + covering RRSIG RR were created as a result of wildcard expansion. 
+ Once the validator has verified the signature as described in Section + 5.3, it must take additional steps to verify the non-existence of an + exact match or closer wildcard match for the query. Section 5.4 + discusses these steps. + + Note that the response received by the resolver should include all + NSEC RRs needed to authenticate the response (see Section 3.1.3). + +5.4 Authenticated Denial of Existence + + A resolver can use authenticated NSEC RRs to prove that an RRset is + not present in a signed zone. Security-aware name servers should + automatically include any necessary NSEC RRs for signed zones in + their responses to security-aware resolvers. + + Security-aware resolvers MUST first authenticate NSEC RRsets + according to the standard RRset authentication rules described in + Section 5.3, then apply the NSEC RRsets as follows: + o If the requested RR name matches the owner name of an + authenticated NSEC RR, then the NSEC RR's type bit map field lists + all RR types present at that owner name, and a resolver can prove + that the requested RR type does not exist by checking for the RR + + + +Arends, et al. Expires November 15, 2004 [Page 31] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + + type in the bit map. If the number of labels in an authenticated + NSEC RR's owner name equals the Labels field of the covering RRSIG + RR, then the existence of the NSEC RR proves that wildcard + expansion could not have been used to match the request. + o If the requested RR name would appear after an authenticated NSEC + RR's owner name and before the name listed in that NSEC RR's Next + Domain Name field according to the canonical DNS name order + defined in [I-D.ietf-dnsext-dnssec-records], then no RRsets with + the requested name exist in the zone. 
However, it is possible + that a wildcard could be used to match the requested RR owner name + and type, so proving that the requested RRset does not exist also + requires proving that no possible wildcard RRset exists that could + have been used to generate a positive response. + + To prove non-existence of an RRset, the resolver must be able to + verify both that the queried RRset does not exist and that no + relevant wildcard RRset exists. Proving this may require more than + one NSEC RRset from the zone. If the complete set of necessary NSEC + RRsets is not present in a response (perhaps due to message + truncation), then a security-aware resolver MUST resend the query in + order to attempt to obtain the full collection of NSEC RRs necessary + to verify non-existence of the requested RRset. As with all DNS + operations, however, the resolver MUST bound the work it puts into + answering any particular query. + + Since a validated NSEC RR proves the existence of both itself and its + corresponding RRSIG RR, a validator MUST ignore the settings of the + NSEC and RRSIG bits in an NSEC RR. + +5.5 Resolver Behavior When Signatures Do Not Validate + + If for whatever reason none of the RRSIGs can be validated, the + response SHOULD be considered BAD. If the validation was being done + to service a recursive query, the name server MUST return RCODE 2 to + the originating client. However, it MUST return the full response if + and only if the original query had the CD bit set. See also Section + 4.7 on caching responses that do not validate. + +5.6 Authentication Example + + Appendix C shows an example the authentication process. + + + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 32] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + +6. IANA Considerations + + [I-D.ietf-dnsext-dnssec-records] contains a review of the IANA + considerations introduced by DNSSEC. 
The additional IANA + considerations discussed in this document: + + [RFC2535] reserved the CD and AD bits in the message header. The + meaning of the AD bit was redefined in [RFC3655] and the meaning of + both the CD and AD bit are restated in this document. No new bits in + the DNS message header are defined in this document. + + [RFC2671] introduced EDNS and [RFC3225] reserved the DNSSEC OK bit + and defined its use. The use is restated but not altered in this + document. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 33] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + +7. Security Considerations + + This document describes how the DNS security extensions use public + key cryptography to sign and authenticate DNS resource record sets. + Please see [I-D.ietf-dnsext-dnssec-intro] for terminology and general + security considerations related to DNSSEC; see + [I-D.ietf-dnsext-dnssec-intro] for considerations specific to the + DNSSEC resource record types. + + An active attacker who can set the CD bit in a DNS query message or + the AD bit in a DNS response message can use these bits to defeat the + protection which DNSSEC attempts to provide to security-oblivious + recursive-mode resolvers. For this reason, use of these control bits + by a security-aware recursive-mode resolver requires a secure + channel. See Section 3.2.2 and Section 4.9 for further discussion. + + The protocol described in this document attempts to extend the + benefits of DNSSEC to security-oblivious stub resolvers. However, + since recovery from validation failures is likely to be specific to + particular applications, the facilities that DNSSEC provides for stub + resolvers may prove inadequate. 
Operators of security-aware + recursive name servers will need to pay close attention to the + behavior of the applications which use their services when choosing a + local validation policy; failure to do so could easily result in the + recursive name server accidentally denying service to the clients it + is intended to support. + + + + + + + + + + + + + + + + + + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 34] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + +8. Acknowledgements + + This document was created from the input and ideas of the members of + the DNS Extensions Working Group and working group mailing list. The + editors would like to express their thanks for the comments and + suggestions received during the revision of these security extension + specifications. While explicitly listing everyone who has + contributed during the decade during which DNSSEC has been under + development would be an impossible task, + [I-D.ietf-dnsext-dnssec-intro] includes a list of some of the + participants who were kind enough to comment on these documents. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 35] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + +9. References + +9.1 Normative References + + [I-D.ietf-dnsext-dnssec-intro] + Arends, R., Austein, R., Larson, M., Massey, D. and S. + Rose, "DNS Security Introduction and Requirements", + draft-ietf-dnsext-dnssec-intro-10 (work in progress), May + 2004. + + [I-D.ietf-dnsext-dnssec-records] + Arends, R., Austein, R., Larson, M., Massey, D. and S. + Rose, "Resource Records for DNS Security Extensions", + draft-ietf-dnsext-dnssec-records-08 (work in progress), + May 2004. + + [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", + STD 13, RFC 1034, November 1987. + + [RFC1035] Mockapetris, P., "Domain names - implementation and + specification", STD 13, RFC 1035, November 1987. 
+ + [RFC1982] Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982, + August 1996. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS + Specification", RFC 2181, July 1997. + + [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC + 2671, August 1999. + + [RFC2672] Crawford, M., "Non-Terminal DNS Name Redirection", RFC + 2672, August 1999. + + [RFC3225] Conrad, D., "Indicating Resolver Support of DNSSEC", RFC + 3225, December 2001. + + [RFC3226] Gudmundsson, O., "DNSSEC and IPv6 A6 aware server/resolver + message size requirements", RFC 3226, December 2001. + +9.2 Informative References + + [I-D.ietf-dnsext-nsec-rdata] + Schlyter, J., "KEY RR Secure Entry Point Flag", + draft-ietf-dnsext-nsec-rdata-05 (work in progress), March + + + +Arends, et al. Expires November 15, 2004 [Page 36] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + + 2004. + + [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS + NCACHE)", RFC 2308, March 1998. + + [RFC2535] Eastlake, D., "Domain Name System Security Extensions", + RFC 2535, March 1999. + + [RFC2930] Eastlake, D., "Secret Key Establishment for DNS (TKEY + RR)", RFC 2930, September 2000. + + [RFC2931] Eastlake, D., "DNS Request and Transaction Signatures ( + SIG(0)s)", RFC 2931, September 2000. + + [RFC3655] Wellington, B. and O. Gudmundsson, "Redefinition of DNS + Authenticated Data (AD) bit", RFC 3655, November 2003. + + [RFC3658] Gudmundsson, O., "Delegation Signer (DS) Resource Record + (RR)", RFC 3658, December 2003. + + +Authors' Addresses + + Roy Arends + Telematica Instituut + Drienerlolaan 5 + 7522 NB Enschede + NL + + EMail: roy.arends@telin.nl + + + Matt Larson + VeriSign, Inc. 
+ 21345 Ridgetop Circle + Dulles, VA 20166-6503 + USA + + EMail: mlarson@verisign.com + + + Rob Austein + Internet Systems Consortium + 950 Charter Street + Redwood City, CA 94063 + USA + + EMail: sra@isc.org + + + +Arends, et al. Expires November 15, 2004 [Page 37] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + + Dan Massey + USC Information Sciences Institute + 3811 N. Fairfax Drive + Arlington, VA 22203 + USA + + EMail: masseyd@isi.edu + + + Scott Rose + National Institute for Standards and Technology + 100 Bureau Drive + Gaithersburg, MD 20899-8920 + USA + + EMail: scott.rose@nist.gov + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 38] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + +Appendix A. Signed Zone Example + + The following example shows a (small) complete signed zone. + + example. 3600 IN SOA ns1.example. bugs.x.w.example. ( + 1081539377 + 3600 + 300 + 3600000 + 3600 + ) + 3600 RRSIG SOA 5 1 3600 20040509183619 ( + 20040409183619 38519 example. + ONx0k36rcjaxYtcNgq6iQnpNV5+drqYAsC9h + 7TSJaHCqbhE67Sr6aH2xDUGcqQWu/n0UVzrF + vkgO9ebarZ0GWDKcuwlM6eNB5SiX2K74l5LW + DA7S/Un/IbtDq4Ay8NMNLQI7Dw7n4p8/rjkB + jV7j86HyQgM5e7+miRAz8V01b0I= ) + 3600 NS ns1.example. + 3600 NS ns2.example. + 3600 RRSIG NS 5 1 3600 20040509183619 ( + 20040409183619 38519 example. + gl13F00f2U0R+SWiXXLHwsMY+qStYy5k6zfd + EuivWc+wd1fmbNCyql0Tk7lHTX6UOxc8AgNf + 4ISFve8XqF4q+o9qlnqIzmppU3LiNeKT4FZ8 + RO5urFOvoMRTbQxW3U0hXWuggE4g3ZpsHv48 + 0HjMeRaZB/FRPGfJPajngcq6Kwg= ) + 3600 MX 1 xx.example. + 3600 RRSIG MX 5 1 3600 20040509183619 ( + 20040409183619 38519 example. + HyDHYVT5KHSZ7HtO/vypumPmSZQrcOP3tzWB + 2qaKkHVPfau/DgLgS/IKENkYOGL95G4N+NzE + VyNU8dcTOckT+ChPcGeVjguQ7a3Ao9Z/ZkUO + 6gmmUW4b89rz1PUxW4jzUxj66PTwoVtUU/iM + W6OISukd1EQt7a0kygkg+PEDxdI= ) + 3600 NSEC a.example. NS SOA MX RRSIG NSEC DNSKEY + 3600 RRSIG NSEC 5 1 3600 20040509183619 ( + 20040409183619 38519 example. 
+ O0k558jHhyrC97ISHnislm4kLMW48C7U7cBm + FTfhke5iVqNRVTB1STLMpgpbDIC9hcryoO0V + Z9ME5xPzUEhbvGnHd5sfzgFVeGxr5Nyyq4tW + SDBgIBiLQUv1ivy29vhXy7WgR62dPrZ0PWvm + jfFJ5arXf4nPxp/kEowGgBRzY/U= ) + 3600 DNSKEY 256 3 5 ( + AQOy1bZVvpPqhg4j7EJoM9rI3ZmyEx2OzDBV + rZy/lvI5CQePxXHZS4i8dANH4DX3tbHol61e + k8EFMcsGXxKciJFHyhl94C+NwILQdzsUlSFo + vBZsyl/NX6yEbtw/xN9ZNcrbYvgjjZ/UVPZI + + + +Arends, et al. Expires November 15, 2004 [Page 39] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + + ySFNsgEYvh0z2542lzMKR4Dh8uZffQ== + ) + 3600 DNSKEY 257 3 5 ( + AQOeX7+baTmvpVHb2CcLnL1dMRWbuscRvHXl + LnXwDzvqp4tZVKp1sZMepFb8MvxhhW3y/0QZ + syCjczGJ1qk8vJe52iOhInKROVLRwxGpMfzP + RLMlGybr51bOV/1se0ODacj3DomyB4QB5gKT + Yot/K9alk5/j8vfd4jWCWD+E1Sze0Q== + ) + 3600 RRSIG DNSKEY 5 1 3600 20040509183619 ( + 20040409183619 9465 example. + ZxgauAuIj+k1YoVEOSlZfx41fcmKzTFHoweZ + xYnz99JVQZJ33wFS0Q0jcP7VXKkaElXk9nYJ + XevO/7nAbo88iWsMkSpSR6jWzYYKwfrBI/L9 + hjYmyVO9m6FjQ7uwM4dCP/bIuV/DKqOAK9NY + NC3AHfvCV1Tp4VKDqxqG7R5tTVM= ) + 3600 RRSIG DNSKEY 5 1 3600 20040509183619 ( + 20040409183619 38519 example. + eGL0s90glUqcOmloo/2y+bSzyEfKVOQViD9Z + DNhLz/Yn9CQZlDVRJffACQDAUhXpU/oP34ri + bKBpysRXosczFrKqS5Oa0bzMOfXCXup9qHAp + eFIku28Vqfr8Nt7cigZLxjK+u0Ws/4lIRjKk + 7z5OXogYVaFzHKillDt3HRxHIZM= ) + a.example. 3600 IN NS ns1.a.example. + 3600 IN NS ns2.a.example. + 3600 DS 57855 5 1 ( + B6DCD485719ADCA18E5F3D48A2331627FDD3 + 636B ) + 3600 RRSIG DS 5 2 3600 20040509183619 ( + 20040409183619 38519 example. + oXIKit/QtdG64J/CB+Gi8dOvnwRvqrto1AdQ + oRkAN15FP3iZ7suB7gvTBmXzCjL7XUgQVcoH + kdhyCuzp8W9qJHgRUSwKKkczSyuL64nhgjuD + EML8l9wlWVsl7PR2VnZduM9bLyBhaaPmRKX/ + Fm+v6ccF2EGNLRiY08kdkz+XHHo= ) + 3600 NSEC ai.example. NS DS RRSIG NSEC + 3600 RRSIG NSEC 5 2 3600 20040509183619 ( + 20040409183619 38519 example. 
+ cOlYgqJLqlRqmBQ3iap2SyIsK4O5aqpKSoba + U9fQ5SMApZmHfq3AgLflkrkXRXvgxTQSKkG2 + 039/cRUs6Jk/25+fi7Xr5nOVJsb0lq4zsB3I + BBdjyGDAHE0F5ROJj87996vJupdm1fbH481g + sdkOW6Zyqtz3Zos8N0BBkEx+2G4= ) + ns1.a.example. 3600 IN A 192.0.2.5 + ns2.a.example. 3600 IN A 192.0.2.6 + ai.example. 3600 IN A 192.0.2.9 + 3600 RRSIG A 5 2 3600 20040509183619 ( + 20040409183619 38519 example. + + + +Arends, et al. Expires November 15, 2004 [Page 40] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + + pAOtzLP2MU0tDJUwHOKE5FPIIHmdYsCgTb5B + ERGgpnJluA9ixOyf6xxVCgrEJW0WNZSsJicd + hBHXfDmAGKUajUUlYSAH8tS4ZnrhyymIvk3u + ArDu2wfT130e9UHnumaHHMpUTosKe22PblOy + 6zrTpg9FkS0XGVmYRvOTNYx2HvQ= ) + 3600 HINFO "KLH-10" "ITS" + 3600 RRSIG HINFO 5 2 3600 20040509183619 ( + 20040409183619 38519 example. + Iq/RGCbBdKzcYzlGE4ovbr5YcB+ezxbZ9W0l + e/7WqyvhOO9J16HxhhL7VY/IKmTUY0GGdcfh + ZEOCkf4lEykZF9NPok1/R/fWrtzNp8jobuY7 + AZEcZadp1WdDF3jc2/ndCa5XZhLKD3JzOsBw + FvL8sqlS5QS6FY/ijFEDnI4RkZA= ) + 3600 AAAA 2001:db8::f00:baa9 + 3600 RRSIG AAAA 5 2 3600 20040509183619 ( + 20040409183619 38519 example. + nLcpFuXdT35AcE+EoafOUkl69KB+/e56XmFK + kewXG2IadYLKAOBIoR5+VoQV3XgTcofTJNsh + 1rnF6Eav2zpZB3byI6yo2bwY8MNkr4A7cL9T + cMmDwV/hWFKsbGBsj8xSCN/caEL2CWY/5XP2 + sZM6QjBBLmukH30+w1z3h8PUP2o= ) + 3600 NSEC b.example. A HINFO AAAA RRSIG NSEC + 3600 RRSIG NSEC 5 2 3600 20040509183619 ( + 20040409183619 38519 example. + QoshyPevLcJ/xcRpEtMft1uoIrcrieVcc9pG + CScIn5Glnib40T6ayVOimXwdSTZ/8ISXGj4p + P8Sh0PlA6olZQ84L453/BUqB8BpdOGky4hsN + 3AGcLEv1Gr0QMvirQaFcjzOECfnGyBm+wpFL + AhS+JOVfDI/79QtyTI0SaDWcg8U= ) + b.example. 3600 IN NS ns1.b.example. + 3600 IN NS ns2.b.example. + 3600 NSEC ns1.example. NS RRSIG NSEC + 3600 RRSIG NSEC 5 2 3600 20040509183619 ( + 20040409183619 38519 example. + GNuxHn844wfmUhPzGWKJCPY5ttEX/RfjDoOx + 9ueK1PtYkOWKOOdiJ/PJKCYB3hYX+858dDWS + xb2qnV/LSTCNVBnkm6owOpysY97MVj5VQEWs + 0lm9tFoqjcptQkmQKYPrwUnCSNwvvclSF1xZ + vhRXgWT7OuFXldoCG6TfVFMs9xE= ) + ns1.b.example. 
3600 IN A 192.0.2.7 + ns2.b.example. 3600 IN A 192.0.2.8 + ns1.example. 3600 IN A 192.0.2.1 + 3600 RRSIG A 5 2 3600 20040509183619 ( + 20040409183619 38519 example. + F1C9HVhIcs10cZU09G5yIVfKJy5yRQQ3qVet + 5pGhp82pzhAOMZ3K22JnmK4c+IjUeFp/to06 + im5FVpHtbFisdjyPq84bhTv8vrXt5AB1wNB+ + +iAqvIfdgW4sFNC6oADb1hK8QNauw9VePJhK + + + +Arends, et al. Expires November 15, 2004 [Page 41] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + + v/iVXSYC0b7mPSU+EOlknFpVECs= ) + 3600 NSEC ns2.example. A RRSIG NSEC + 3600 RRSIG NSEC 5 2 3600 20040509183619 ( + 20040409183619 38519 example. + I4hj+Kt6+8rCcHcUdolks2S+Wzri9h3fHas8 + 1rGN/eILdJHN7JpV6lLGPIh/8fIBkfvdyWnB + jjf1q3O7JgYO1UdI7FvBNWqaaEPJK3UkddBq + ZIaLi8Qr2XHkjq38BeQsbp8X0+6h4ETWSGT8 + IZaIGBLryQWGLw6Y6X8dqhlnxJM= ) + ns2.example. 3600 IN A 192.0.2.2 + 3600 RRSIG A 5 2 3600 20040509183619 ( + 20040409183619 38519 example. + V7cQRw1TR+knlaL1z/psxlS1PcD37JJDaCMq + Qo6/u1qFQu6x+wuDHRH22Ap9ulJPQjFwMKOu + yfPGQPC8KzGdE3vt5snFEAoE1Vn3mQqtu7SO + 6amIjk13Kj/jyJ4nGmdRIc/3cM3ipXFhNTKq + rdhx8SZ0yy4ObIRzIzvBFLiSS8o= ) + 3600 NSEC *.w.example. A RRSIG NSEC + 3600 RRSIG NSEC 5 2 3600 20040509183619 ( + 20040409183619 38519 example. + N0QzHvaJf5NRw1rE9uxS1Ltb2LZ73Qb9bKGE + VyaISkqzGpP3jYJXZJPVTq4UVEsgT3CgeHvb + 3QbeJ5Dfb2V9NGCHj/OvF/LBxFFWwhLwzngH + l+bQAgAcMsLu/nL3nDi1y/JSQjAcdZNDl4bw + Ymx28EtgIpo9A0qmP08rMBqs1Jw= ) + *.w.example. 3600 IN MX 1 ai.example. + 3600 RRSIG MX 5 2 3600 20040509183619 ( + 20040409183619 38519 example. + OMK8rAZlepfzLWW75Dxd63jy2wswESzxDKG2 + f9AMN1CytCd10cYISAxfAdvXSZ7xujKAtPbc + tvOQ2ofO7AZJ+d01EeeQTVBPq4/6KCWhqe2X + TjnkVLNvvhnc0u28aoSsG0+4InvkkOHknKxw + 4kX18MMR34i8lC36SR5xBni8vHI= ) + 3600 NSEC x.w.example. MX RRSIG NSEC + 3600 RRSIG NSEC 5 2 3600 20040509183619 ( + 20040409183619 38519 example. + r/mZnRC3I/VIcrelgIcteSxDhtsdlTDt8ng9 + HSBlABOlzLxQtfgTnn8f+aOwJIAFe1Ee5RvU + 5cVhQJNP5XpXMJHfyps8tVvfxSAXfahpYqtx + 91gsmcV/1V9/bZAG55CefP9cM4Z9Y9NT9XQ8 + s1InQ2UoIv6tJEaaKkP701j8OLA= ) + x.w.example. 
3600 IN MX 1 xx.example. + 3600 RRSIG MX 5 3 3600 20040509183619 ( + 20040409183619 38519 example. + Il2WTZ+Bkv+OytBx4LItNW5mjB4RCwhOO8y1 + XzPHZmZUTVYL7LaA63f6T9ysVBzJRI3KRjAP + H3U1qaYnDoN1DrWqmi9RJe4FoObkbcdm7P3I + kx70ePCoFgRz1Yq+bVVXCvGuAU4xALv3W/Y1 + + + +Arends, et al. Expires November 15, 2004 [Page 42] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + + jNSlwZ2mSWKHfxFQxPtLj8s32+k= ) + 3600 NSEC x.y.w.example. MX RRSIG NSEC + 3600 RRSIG NSEC 5 3 3600 20040509183619 ( + 20040409183619 38519 example. + aRbpHftxggzgMXdDlym9SsADqMZovZZl2QWK + vw8J0tZEUNQByH5Qfnf5N1FqH/pS46UA7A4E + mcWBN9PUA1pdPY6RVeaRlZlCr1IkVctvbtaI + NJuBba/VHm+pebTbKcAPIvL9tBOoh+to1h6e + IjgiM8PXkBQtxPq37wDKALkyn7Q= ) + x.y.w.example. 3600 IN MX 1 xx.example. + 3600 RRSIG MX 5 4 3600 20040509183619 ( + 20040409183619 38519 example. + k2bJHbwP5LH5qN4is39UiPzjAWYmJA38Hhia + t7i9t7nbX/e0FPnvDSQXzcK7UL+zrVA+3MDj + q1ub4q3SZgcbLMgexxIW3Va//LVrxkP6Xupq + GtOB9prkK54QTl/qZTXfMQpW480YOvVknhvb + +gLcMZBnHJ326nb/TOOmrqNmQQE= ) + 3600 NSEC xx.example. MX RRSIG NSEC + 3600 RRSIG NSEC 5 4 3600 20040509183619 ( + 20040409183619 38519 example. + OvE6WUzN2ziieJcvKPWbCAyXyP6ef8cr6Csp + ArVSTzKSquNwbezZmkU7E34o5lmb6CWSSSpg + xw098kNUFnHcQf/LzY2zqRomubrNQhJTiDTX + a0ArunJQCzPjOYq5t0SLjm6qp6McJI1AP5Vr + QoKqJDCLnoAlcPOPKAm/jJkn3jk= ) + xx.example. 3600 IN A 192.0.2.10 + 3600 RRSIG A 5 2 3600 20040509183619 ( + 20040409183619 38519 example. + kBF4YxMGWF0D8r0cztL+2fWWOvN1U/GYSpYP + 7SoKoNQ4fZKyk+weWGlKLIUM+uE1zjVTPXoa + 0Z6WG0oZp46rkl1EzMcdMgoaeUzzAJ2BMq+Y + VdxG9IK1yZkYGY9AgbTOGPoAgbJyO9EPULsx + kbIDV6GPPSZVusnZU6OMgdgzHV4= ) + 3600 HINFO "KLH-10" "TOPS-20" + 3600 RRSIG HINFO 5 2 3600 20040509183619 ( + 20040409183619 38519 example. 
+ GY2PLSXmMHkWHfLdggiox8+chWpeMNJLkML0 + t+U/SXSUsoUdR91KNdNUkTDWamwcF8oFRjhq + BcPZ6EqrF+vl5v5oGuvSF7U52epfVTC+wWF8 + 3yCUeUw8YklhLWlvk8gQ15YKth0ITQy8/wI+ + RgNvuwbioFSEuv2pNlkq0goYxNY= ) + 3600 AAAA 2001:db8::f00:baaa + 3600 RRSIG AAAA 5 2 3600 20040509183619 ( + 20040409183619 38519 example. + Zzj0yodDxcBLnnOIwDsuKo5WqiaK24DlKg9C + aGaxDFiKgKobUj2jilYQHpGFn2poFRetZd4z + ulyQkssz2QHrVrPuTMS22knudCiwP4LWpVTr + U4zfeA+rDz9stmSBP/4PekH/x2IoAYnwctd/ + + + +Arends, et al. Expires November 15, 2004 [Page 43] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + + xS9cL2QgW7FChw16mzlkH6/vsfs= ) + 3600 NSEC example. A HINFO AAAA RRSIG NSEC + 3600 RRSIG NSEC 5 2 3600 20040509183619 ( + 20040409183619 38519 example. + ZFWUln6Avc8bmGl5GFjD3BwT530DUZKHNuoY + 9A8lgXYyrxu+pqgFiRVbyZRQvVB5pccEOT3k + mvHgEa/HzbDB4PIYY79W+VHrgOxzdQGGCZzi + asXrpSGOWwSOElghPnMIi8xdF7qtCntr382W + GghLahumFIpg4MO3LS/prgzVVWo= ) + + The apex DNSKEY set includes two DNSKEY RRs, and the DNSKEY RDATA + Flags indicate that each of these DNSKEY RRs is a zone key. One of + these DNSKEY RRs also has the SEP flag set and has been used to sign + the apex DNSKEY RRset; this is the key which should be hashed to + generate a DS record to be inserted into the parent zone. The other + DNSKEY is used to sign all the other RRsets in the zone. + + The zone includes a wildcard entry "*.w.example". Note that the name + "*.w.example" is used in constructing NSEC chains, and that the RRSIG + covering the "*.w.example" MX RRset has a label count of 2. + + The zone also includes two delegations. The delegation to + "b.example" includes an NS RRset, glue address records, and an NSEC + RR; note that only the NSEC RRset is signed. The delegation to + "a.example" provides a DS RR; note that only the NSEC and DS RRsets + are signed. + + + + + + + + + + + + + + + + + + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 44] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + +Appendix B. 
Example Responses + + The examples in this section show response messages using the signed + zone example in Appendix A. + +B.1 Answer + + A successful query to an authoritative server. + + ;; Header: QR AA DO RCODE=0 + ;; + ;; Question + x.w.example. IN MX + + ;; Answer + x.w.example. 3600 IN MX 1 xx.example. + x.w.example. 3600 RRSIG MX 5 3 3600 20040509183619 ( + 20040409183619 38519 example. + Il2WTZ+Bkv+OytBx4LItNW5mjB4RCwhOO8y1 + XzPHZmZUTVYL7LaA63f6T9ysVBzJRI3KRjAP + H3U1qaYnDoN1DrWqmi9RJe4FoObkbcdm7P3I + kx70ePCoFgRz1Yq+bVVXCvGuAU4xALv3W/Y1 + jNSlwZ2mSWKHfxFQxPtLj8s32+k= ) + + ;; Authority + example. 3600 NS ns1.example. + example. 3600 NS ns2.example. + example. 3600 RRSIG NS 5 1 3600 20040509183619 ( + 20040409183619 38519 example. + gl13F00f2U0R+SWiXXLHwsMY+qStYy5k6zfd + EuivWc+wd1fmbNCyql0Tk7lHTX6UOxc8AgNf + 4ISFve8XqF4q+o9qlnqIzmppU3LiNeKT4FZ8 + RO5urFOvoMRTbQxW3U0hXWuggE4g3ZpsHv48 + 0HjMeRaZB/FRPGfJPajngcq6Kwg= ) + + ;; Additional + xx.example. 3600 IN A 192.0.2.10 + xx.example. 3600 RRSIG A 5 2 3600 20040509183619 ( + 20040409183619 38519 example. + kBF4YxMGWF0D8r0cztL+2fWWOvN1U/GYSpYP + 7SoKoNQ4fZKyk+weWGlKLIUM+uE1zjVTPXoa + 0Z6WG0oZp46rkl1EzMcdMgoaeUzzAJ2BMq+Y + VdxG9IK1yZkYGY9AgbTOGPoAgbJyO9EPULsx + kbIDV6GPPSZVusnZU6OMgdgzHV4= ) + xx.example. 3600 AAAA 2001:db8::f00:baaa + xx.example. 3600 RRSIG AAAA 5 2 3600 20040509183619 ( + 20040409183619 38519 example. + Zzj0yodDxcBLnnOIwDsuKo5WqiaK24DlKg9C + + + +Arends, et al. Expires November 15, 2004 [Page 45] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + + aGaxDFiKgKobUj2jilYQHpGFn2poFRetZd4z + ulyQkssz2QHrVrPuTMS22knudCiwP4LWpVTr + U4zfeA+rDz9stmSBP/4PekH/x2IoAYnwctd/ + xS9cL2QgW7FChw16mzlkH6/vsfs= ) + ns1.example. 3600 IN A 192.0.2.1 + ns1.example. 3600 RRSIG A 5 2 3600 20040509183619 ( + 20040409183619 38519 example. 
+ F1C9HVhIcs10cZU09G5yIVfKJy5yRQQ3qVet + 5pGhp82pzhAOMZ3K22JnmK4c+IjUeFp/to06 + im5FVpHtbFisdjyPq84bhTv8vrXt5AB1wNB+ + +iAqvIfdgW4sFNC6oADb1hK8QNauw9VePJhK + v/iVXSYC0b7mPSU+EOlknFpVECs= ) + ns2.example. 3600 IN A 192.0.2.2 + ns2.example. 3600 RRSIG A 5 2 3600 20040509183619 ( + 20040409183619 38519 example. + V7cQRw1TR+knlaL1z/psxlS1PcD37JJDaCMq + Qo6/u1qFQu6x+wuDHRH22Ap9ulJPQjFwMKOu + yfPGQPC8KzGdE3vt5snFEAoE1Vn3mQqtu7SO + 6amIjk13Kj/jyJ4nGmdRIc/3cM3ipXFhNTKq + rdhx8SZ0yy4ObIRzIzvBFLiSS8o= ) + + +B.2 Name Error + + An authoritative name error. The NSEC RRs prove that the name does + not exist and that no covering wildcard exists. + + ;; Header: QR AA DO RCODE=3 + ;; + ;; Question + ml.example. IN A + + ;; Answer + ;; (empty) + + ;; Authority + example. 3600 IN SOA ns1.example. bugs.x.w.example. ( + 1081539377 + 3600 + 300 + 3600000 + 3600 + ) + example. 3600 RRSIG SOA 5 1 3600 20040509183619 ( + 20040409183619 38519 example. + ONx0k36rcjaxYtcNgq6iQnpNV5+drqYAsC9h + 7TSJaHCqbhE67Sr6aH2xDUGcqQWu/n0UVzrF + vkgO9ebarZ0GWDKcuwlM6eNB5SiX2K74l5LW + + + +Arends, et al. Expires November 15, 2004 [Page 46] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + + DA7S/Un/IbtDq4Ay8NMNLQI7Dw7n4p8/rjkB + jV7j86HyQgM5e7+miRAz8V01b0I= ) + b.example. 3600 NSEC ns1.example. NS RRSIG NSEC + b.example. 3600 RRSIG NSEC 5 2 3600 20040509183619 ( + 20040409183619 38519 example. + GNuxHn844wfmUhPzGWKJCPY5ttEX/RfjDoOx + 9ueK1PtYkOWKOOdiJ/PJKCYB3hYX+858dDWS + xb2qnV/LSTCNVBnkm6owOpysY97MVj5VQEWs + 0lm9tFoqjcptQkmQKYPrwUnCSNwvvclSF1xZ + vhRXgWT7OuFXldoCG6TfVFMs9xE= ) + example. 3600 NSEC a.example. NS SOA MX RRSIG NSEC DNSKEY + example. 3600 RRSIG NSEC 5 1 3600 20040509183619 ( + 20040409183619 38519 example. + O0k558jHhyrC97ISHnislm4kLMW48C7U7cBm + FTfhke5iVqNRVTB1STLMpgpbDIC9hcryoO0V + Z9ME5xPzUEhbvGnHd5sfzgFVeGxr5Nyyq4tW + SDBgIBiLQUv1ivy29vhXy7WgR62dPrZ0PWvm + jfFJ5arXf4nPxp/kEowGgBRzY/U= ) + + ;; Additional + ;; (empty) + + +B.3 No Data Error + + A "NODATA" response. 
The NSEC RR proves that the name exists and + that the requested RR type does not. + + + + + + + + + + + + + + + + + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 47] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + + ;; Header: QR AA DO RCODE=0 + ;; + ;; Question + ns1.example. IN MX + + ;; Answer + ;; (empty) + + ;; Authority + example. 3600 IN SOA ns1.example. bugs.x.w.example. ( + 1081539377 + 3600 + 300 + 3600000 + 3600 + ) + example. 3600 RRSIG SOA 5 1 3600 20040509183619 ( + 20040409183619 38519 example. + ONx0k36rcjaxYtcNgq6iQnpNV5+drqYAsC9h + 7TSJaHCqbhE67Sr6aH2xDUGcqQWu/n0UVzrF + vkgO9ebarZ0GWDKcuwlM6eNB5SiX2K74l5LW + DA7S/Un/IbtDq4Ay8NMNLQI7Dw7n4p8/rjkB + jV7j86HyQgM5e7+miRAz8V01b0I= ) + ns1.example. 3600 NSEC ns2.example. A RRSIG NSEC + ns1.example. 3600 RRSIG NSEC 5 2 3600 20040509183619 ( + 20040409183619 38519 example. + I4hj+Kt6+8rCcHcUdolks2S+Wzri9h3fHas8 + 1rGN/eILdJHN7JpV6lLGPIh/8fIBkfvdyWnB + jjf1q3O7JgYO1UdI7FvBNWqaaEPJK3UkddBq + ZIaLi8Qr2XHkjq38BeQsbp8X0+6h4ETWSGT8 + IZaIGBLryQWGLw6Y6X8dqhlnxJM= ) + + ;; Additional + ;; (empty) + + +B.4 Referral to Signed Zone + + Referral to a signed zone. The DS RR contains the data which the + resolver will need to validate the corresponding DNSKEY RR in the + child zone's apex. + + + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 48] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + + ;; Header: QR DO RCODE=0 + ;; + ;; Question + mc.a.example. IN MX + + ;; Answer + ;; (empty) + + ;; Authority + a.example. 3600 IN NS ns1.a.example. + a.example. 3600 IN NS ns2.a.example. + a.example. 3600 DS 57855 5 1 ( + B6DCD485719ADCA18E5F3D48A2331627FDD3 + 636B ) + a.example. 3600 RRSIG DS 5 2 3600 20040509183619 ( + 20040409183619 38519 example. + oXIKit/QtdG64J/CB+Gi8dOvnwRvqrto1AdQ + oRkAN15FP3iZ7suB7gvTBmXzCjL7XUgQVcoH + kdhyCuzp8W9qJHgRUSwKKkczSyuL64nhgjuD + EML8l9wlWVsl7PR2VnZduM9bLyBhaaPmRKX/ + Fm+v6ccF2EGNLRiY08kdkz+XHHo= ) + + ;; Additional + ns1.a.example. 
3600 IN A 192.0.2.5 + ns2.a.example. 3600 IN A 192.0.2.6 + + +B.5 Referral to Unsigned Zone + + Referral to an unsigned zone. The NSEC RR proves that no DS RR for + this delegation exists in the parent zone. + + + + + + + + + + + + + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 49] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + + ;; Header: QR DO RCODE=0 + ;; + ;; Question + mc.b.example. IN MX + + ;; Answer + ;; (empty) + + ;; Authority + b.example. 3600 IN NS ns1.b.example. + b.example. 3600 IN NS ns2.b.example. + b.example. 3600 NSEC ns1.example. NS RRSIG NSEC + b.example. 3600 RRSIG NSEC 5 2 3600 20040509183619 ( + 20040409183619 38519 example. + GNuxHn844wfmUhPzGWKJCPY5ttEX/RfjDoOx + 9ueK1PtYkOWKOOdiJ/PJKCYB3hYX+858dDWS + xb2qnV/LSTCNVBnkm6owOpysY97MVj5VQEWs + 0lm9tFoqjcptQkmQKYPrwUnCSNwvvclSF1xZ + vhRXgWT7OuFXldoCG6TfVFMs9xE= ) + + ;; Additional + ns1.b.example. 3600 IN A 192.0.2.7 + ns2.b.example. 3600 IN A 192.0.2.8 + + +B.6 Wildcard Expansion + + A successful query which was answered via wildcard expansion. The + label count in the answer's RRSIG RR indicates that a wildcard RRset + was expanded to produce this response, and the NSEC RR proves that no + closer match exists in the zone. + + ;; Header: QR AA DO RCODE=0 + ;; + ;; Question + a.z.w.example. IN MX + + ;; Answer + a.z.w.example. 3600 IN MX 1 ai.example. + a.z.w.example. 3600 RRSIG MX 5 2 3600 20040509183619 ( + 20040409183619 38519 example. + OMK8rAZlepfzLWW75Dxd63jy2wswESzxDKG2 + f9AMN1CytCd10cYISAxfAdvXSZ7xujKAtPbc + tvOQ2ofO7AZJ+d01EeeQTVBPq4/6KCWhqe2X + TjnkVLNvvhnc0u28aoSsG0+4InvkkOHknKxw + 4kX18MMR34i8lC36SR5xBni8vHI= ) + + ;; Authority + + + +Arends, et al. Expires November 15, 2004 [Page 50] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + + example. 3600 NS ns1.example. + example. 3600 NS ns2.example. + example. 3600 RRSIG NS 5 1 3600 20040509183619 ( + 20040409183619 38519 example. 
+ gl13F00f2U0R+SWiXXLHwsMY+qStYy5k6zfd + EuivWc+wd1fmbNCyql0Tk7lHTX6UOxc8AgNf + 4ISFve8XqF4q+o9qlnqIzmppU3LiNeKT4FZ8 + RO5urFOvoMRTbQxW3U0hXWuggE4g3ZpsHv48 + 0HjMeRaZB/FRPGfJPajngcq6Kwg= ) + x.y.w.example. 3600 NSEC xx.example. MX RRSIG NSEC + x.y.w.example. 3600 RRSIG NSEC 5 4 3600 20040509183619 ( + 20040409183619 38519 example. + OvE6WUzN2ziieJcvKPWbCAyXyP6ef8cr6Csp + ArVSTzKSquNwbezZmkU7E34o5lmb6CWSSSpg + xw098kNUFnHcQf/LzY2zqRomubrNQhJTiDTX + a0ArunJQCzPjOYq5t0SLjm6qp6McJI1AP5Vr + QoKqJDCLnoAlcPOPKAm/jJkn3jk= ) + + ;; Additional + ai.example. 3600 IN A 192.0.2.9 + ai.example. 3600 RRSIG A 5 2 3600 20040509183619 ( + 20040409183619 38519 example. + pAOtzLP2MU0tDJUwHOKE5FPIIHmdYsCgTb5B + ERGgpnJluA9ixOyf6xxVCgrEJW0WNZSsJicd + hBHXfDmAGKUajUUlYSAH8tS4ZnrhyymIvk3u + ArDu2wfT130e9UHnumaHHMpUTosKe22PblOy + 6zrTpg9FkS0XGVmYRvOTNYx2HvQ= ) + ai.example. 3600 AAAA 2001:db8::f00:baa9 + ai.example. 3600 RRSIG AAAA 5 2 3600 20040509183619 ( + 20040409183619 38519 example. + nLcpFuXdT35AcE+EoafOUkl69KB+/e56XmFK + kewXG2IadYLKAOBIoR5+VoQV3XgTcofTJNsh + 1rnF6Eav2zpZB3byI6yo2bwY8MNkr4A7cL9T + cMmDwV/hWFKsbGBsj8xSCN/caEL2CWY/5XP2 + sZM6QjBBLmukH30+w1z3h8PUP2o= ) + + +B.7 Wildcard No Data Error + + A "NODATA" response for a name covered by a wildcard. The NSEC RRs + prove that the matching wildcard name does not have any RRs of the + requested type and that no closer match exists in the zone. + + ;; Header: QR AA DO RCODE=0 + ;; + ;; Question + a.z.w.example. IN AAAA + + + + +Arends, et al. Expires November 15, 2004 [Page 51] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + + ;; Answer + ;; (empty) + + ;; Authority + example. 3600 IN SOA ns1.example. bugs.x.w.example. ( + 1081539377 + 3600 + 300 + 3600000 + 3600 + ) + example. 3600 RRSIG SOA 5 1 3600 20040509183619 ( + 20040409183619 38519 example. 
+ ONx0k36rcjaxYtcNgq6iQnpNV5+drqYAsC9h + 7TSJaHCqbhE67Sr6aH2xDUGcqQWu/n0UVzrF + vkgO9ebarZ0GWDKcuwlM6eNB5SiX2K74l5LW + DA7S/Un/IbtDq4Ay8NMNLQI7Dw7n4p8/rjkB + jV7j86HyQgM5e7+miRAz8V01b0I= ) + x.y.w.example. 3600 NSEC xx.example. MX RRSIG NSEC + x.y.w.example. 3600 RRSIG NSEC 5 4 3600 20040509183619 ( + 20040409183619 38519 example. + OvE6WUzN2ziieJcvKPWbCAyXyP6ef8cr6Csp + ArVSTzKSquNwbezZmkU7E34o5lmb6CWSSSpg + xw098kNUFnHcQf/LzY2zqRomubrNQhJTiDTX + a0ArunJQCzPjOYq5t0SLjm6qp6McJI1AP5Vr + QoKqJDCLnoAlcPOPKAm/jJkn3jk= ) + *.w.example. 3600 NSEC x.w.example. MX RRSIG NSEC + *.w.example. 3600 RRSIG NSEC 5 2 3600 20040509183619 ( + 20040409183619 38519 example. + r/mZnRC3I/VIcrelgIcteSxDhtsdlTDt8ng9 + HSBlABOlzLxQtfgTnn8f+aOwJIAFe1Ee5RvU + 5cVhQJNP5XpXMJHfyps8tVvfxSAXfahpYqtx + 91gsmcV/1V9/bZAG55CefP9cM4Z9Y9NT9XQ8 + s1InQ2UoIv6tJEaaKkP701j8OLA= ) + + ;; Additional + ;; (empty) + + +B.8 DS Child Zone No Data Error + + A "NODATA" response for a QTYPE=DS query which was mistakenly sent to + a name server for the child zone. + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 52] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + + ;; Header: QR AA DO RCODE=0 + ;; + ;; Question + example. IN DS + + ;; Answer + ;; (empty) + + ;; Authority + example. 3600 IN SOA ns1.example. bugs.x.w.example. ( + 1081539377 + 3600 + 300 + 3600000 + 3600 + ) + example. 3600 RRSIG SOA 5 1 3600 20040509183619 ( + 20040409183619 38519 example. + ONx0k36rcjaxYtcNgq6iQnpNV5+drqYAsC9h + 7TSJaHCqbhE67Sr6aH2xDUGcqQWu/n0UVzrF + vkgO9ebarZ0GWDKcuwlM6eNB5SiX2K74l5LW + DA7S/Un/IbtDq4Ay8NMNLQI7Dw7n4p8/rjkB + jV7j86HyQgM5e7+miRAz8V01b0I= ) + example. 3600 NSEC a.example. NS SOA MX RRSIG NSEC DNSKEY + example. 3600 RRSIG NSEC 5 1 3600 20040509183619 ( + 20040409183619 38519 example. 
+ O0k558jHhyrC97ISHnislm4kLMW48C7U7cBm + FTfhke5iVqNRVTB1STLMpgpbDIC9hcryoO0V + Z9ME5xPzUEhbvGnHd5sfzgFVeGxr5Nyyq4tW + SDBgIBiLQUv1ivy29vhXy7WgR62dPrZ0PWvm + jfFJ5arXf4nPxp/kEowGgBRzY/U= ) + + ;; Additional + ;; (empty) + + + + + + + + + + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 53] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + +Appendix C. Authentication Examples + + The examples in this section show how the response messages in + Appendix B are authenticated. + +C.1 Authenticating An Answer + + The query in section Appendix B.1 returned an MX RRset for + "x.w.example.com". The corresponding RRSIG indicates the MX RRset + was signed by an "example" DNSKEY with algorithm 5 and key tag 38519. + The resolver needs the corresponding DNSKEY RR in order to + authenticate this answer. The discussion below describes how a + resolver might obtain this DNSKEY RR. + + The RRSIG indicates the original TTL of the MX RRset was 3600 and, + for the purpose of authentication, the current TTL is replaced by + 3600. The RRSIG labels field value of 3 indicates the answer was not + the result of wildcard expansion. The "x.w.example.com" MX RRset is + placed in canonical form and, assuming the current time falls between + the signature inception and expiration dates, the signature is + authenticated. + +C.1.1 Authenticating the example DNSKEY RR + + This example shows the logical authentication process that starts + from the a configured root DNSKEY (or DS RR) and moves down the tree + to authenticate the desired "example" DNSKEY RR. Note the logical + order is presented for clarity and an implementation may choose to + construct the authentication as referrals are received or may choose + to construct the authentication chain only after all RRsets have been + obtained, or in any other combination it sees fit. The example here + demonstrates only the logical process and does not dictate any + implementation rules. 
+ + We assume the resolver starts with an configured DNSKEY RR for the + root zone (or a configured DS RR for the root zone). The resolver + checks this configured DNSKEY RR is present in the root DNSKEY RRset + (or the DS RR matches some DNSKEY in the root DNSKEY RRset), this + DNSKEY RR has signed the root DNSKEY RRset and the signature lifetime + is valid. If all these conditions are met, all keys in the DNSKEY + RRset are considered authenticated. The resolver then uses one (or + more) of the root DNSKEY RRs to authenticate the "example" DS RRset. + Note the resolver may need to query the root zone to obtain the root + DNSKEY RRset or "example" DS RRset. + + Once the DS RRset has been authenticated using the root DNSKEY, the + resolver checks the "example" DNSKEY RRset for some "example" DNSKEY + RR that matches one of the authenticated "example" DS RRs. If such a + + + +Arends, et al. Expires November 15, 2004 [Page 54] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + + matching "example" DNSKEY is found, the resolver checks this DNSKEY + RR has signed the "example" DNSKEY RRset and the signature lifetime + is valid. If all these conditions are met, all keys in the "example" + DNSKEY RRset are considered authenticated. + + Finally the resolver checks that some DNSKEY RR in the "example" + DNSKEY RRset uses algorithm 5 and has a key tag of 38519. This DNSKEY + is used to authenticated the RRSIG included in the response. If + multiple "example" DNSKEY RRs match this algorithm and key tag, then + each DNSKEY RR is tried and the answer is authenticated if any of the + matching DNSKEY RRs validates the signature as described above. + +C.2 Name Error + + The query in section Appendix B.2 returned NSEC RRs that prove the + requested data does not exist and no wildcard applies. The negative + reply is authenticated by verifying both NSEC RRs. The NSEC RRs are + authenticated in a manner identical to that of the MX RRset discussed + above. 
+ +C.3 No Data Error + + The query in section Appendix B.3 returned an NSEC RR that proves the + requested name exists, but the requested RR type does not exist. The + negative reply is authenticated by verifying the NSEC RR. The NSEC + RR is authenticated in a manner identical to that of the MX RRset + discussed above. + +C.4 Referral to Signed Zone + + The query in section Appendix B.4 returned a referral to the signed + "a.example." zone. The DS RR is authenticated in a manner identical + to that of the MX RRset discussed above. This DS RR is used to + authenticate the "a.example" DNSKEY RRset. + + Once the "a.example" DS RRset has been authenticated using the + "example" DNSKEY, the resolver checks the "a.example" DNSKEY RRset + for some "a.example" DNSKEY RR that matches the DS RR. If such a + matching "a.example" DNSKEY is found, the resolver checks this DNSKEY + RR has signed the "a.example" DNSKEY RRset and the signature lifetime + is valid. If all these conditions are met, all keys in the + "a.example" DNSKEY RRset are considered authenticated. + +C.5 Referral to Unsigned Zone + + The query in section Appendix B.5 returned a referral to an unsigned + "b.example." zone. The NSEC proves that no authentication leads from + "example" to "b.example" and the NSEC RR is authenticated in a manner + + + +Arends, et al. Expires November 15, 2004 [Page 55] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + + identical to that of the MX RRset discussed above. + +C.6 Wildcard Expansion + + The query in section Appendix B.6 returned an answer that was + produced as a result of wildcard expansion. The RRset expanded as the + similar to The corresponding RRSIG indicates the MX RRset was signed + by an "example" DNSKEY with algorithm 5 and key tag 38519. The RRSIG + indicates the original TTL of the MX RRset was 3600 and, for the + purpose of authentication, the current TTL is replaced by 3600. 
The + RRSIG labels field value of 2 indicates the answer the result of + wildcard expansion since the "a.z.w.example" name contains 4 labels. + The name "a.z.w.w.example" is replaced by "*.w.example", the MX RRset + is placed in canonical form and, assuming the current time falls + between the signature inception and expiration dates, the signature + is authenticated. + + The NSEC proves that no closer match (exact or closer wildcard) could + have been used to answer this query and the NSEC RR must also be + authenticated before the answer is considered valid. + +C.7 Wildcard No Data Error + + The query in section Appendix B.7 returned NSEC RRs that prove the + requested data does not exist and no wildcard applies. The negative + reply is authenticated by verifying both NSEC RRs. + +C.8 DS Child Zone No Data Error + + The query in section Appendix B.8 returned NSEC RRs that shows the + requested was answered by a child server ("example" server). The + NSEC RR indicates the presence of an SOA RR, showing the answer is + from the child . Queries for the "example" DS RRset should be sent + to the parent servers ("root" servers). + + + + + + + + + + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 56] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + +Intellectual Property Statement + + The IETF takes no position regarding the validity or scope of any + intellectual property or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; neither does it represent that it + has made any effort to identify any such rights. Information on the + IETF's procedures with respect to rights in standards-track and + standards-related documentation can be found in BCP-11. 
Copies of + claims of rights made available for publication and any assurances of + licenses to be made available, or the result of an attempt made to + obtain a general license or permission for the use of such + proprietary rights by implementors or users of this specification can + be obtained from the IETF Secretariat. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights which may cover technology that may be required to practice + this standard. Please address the information to the IETF Executive + Director. + + +Full Copyright Statement + + Copyright (C) The Internet Society (2004). All Rights Reserved. + + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assignees. + + This document and the information contained herein is provided on an + "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + + + +Arends, et al. 
Expires November 15, 2004 [Page 57] + +Internet-Draft DNSSEC Protocol Modifications May 2004 + + + HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + + +Acknowledgment + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 58] + + diff --git a/doc/draft/draft-ietf-dnsext-dnssec-records-07.txt b/doc/draft/draft-ietf-dnsext-dnssec-records-08.txt similarity index 73% rename from doc/draft/draft-ietf-dnsext-dnssec-records-07.txt rename to doc/draft/draft-ietf-dnsext-dnssec-records-08.txt index cfd3567f0a..3ca99bfb72 100644 --- a/doc/draft/draft-ietf-dnsext-dnssec-records-07.txt +++ b/doc/draft/draft-ietf-dnsext-dnssec-records-08.txt 
@@ -1,2073 +1,1961 @@ - - -DNS Extensions R. Arends -Internet-Draft Telematica Instituut -Expires: August 16, 2004 R. Austein - ISC - M. Larson - VeriSign - D. Massey - USC/ISI - S. Rose - NIST - February 16, 2004 - - - Resource Records for the DNS Security Extensions - draft-ietf-dnsext-dnssec-records-07 - -Status of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that other - groups may also distribute working documents as Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet-Drafts as reference - material or to cite them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at http:// - www.ietf.org/ietf/1id-abstracts.txt. - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - This Internet-Draft will expire on August 16, 2004. - -Copyright Notice - - Copyright (C) The Internet Society (2004). All Rights Reserved. - -Abstract - - This document is part of a family of documents that describes the DNS - Security Extensions (DNSSEC). The DNS Security Extensions are a - collection of resource records and protocol modifications that - provide source authentication for the DNS. This document defines the - public key (DNSKEY), delegation signer (DS), resource record digital - - - -Arends, et al. Expires August 16, 2004 [Page 1] - -Internet-Draft DNSSEC Resource Records February 2004 - - - signature (RRSIG), and authenticated denial of existence (NSEC) - resource records. The purpose and format of each resource record is - described in detail, and an example of each resource record is given. 
- - This document obsoletes RFC 2535 and incorporates changes from all - updates to RFC 2535. - -Table of Contents - - 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 - 1.1 Background and Related Documents . . . . . . . . . . . . . . 4 - 1.2 Reserved Words . . . . . . . . . . . . . . . . . . . . . . . 4 - 1.3 Editors' Notes . . . . . . . . . . . . . . . . . . . . . . . 4 - 1.3.1 Open Technical Issues . . . . . . . . . . . . . . . . . . . 4 - 1.3.2 Technical Changes or Corrections . . . . . . . . . . . . . . 4 - 1.3.3 Typos and Minor Corrections . . . . . . . . . . . . . . . . 5 - 2. The DNSKEY Resource Record . . . . . . . . . . . . . . . . . 6 - 2.1 DNSKEY RDATA Wire Format . . . . . . . . . . . . . . . . . . 6 - 2.1.1 The Flags Field . . . . . . . . . . . . . . . . . . . . . . 6 - 2.1.2 The Protocol Field . . . . . . . . . . . . . . . . . . . . . 7 - 2.1.3 The Algorithm Field . . . . . . . . . . . . . . . . . . . . 7 - 2.1.4 The Public Key Field . . . . . . . . . . . . . . . . . . . . 7 - 2.1.5 Notes on DNSKEY RDATA Design . . . . . . . . . . . . . . . . 7 - 2.2 The DNSKEY RR Presentation Format . . . . . . . . . . . . . 7 - 2.3 DNSKEY RR Example . . . . . . . . . . . . . . . . . . . . . 8 - 3. The RRSIG Resource Record . . . . . . . . . . . . . . . . . 9 - 3.1 RRSIG RDATA Wire Format . . . . . . . . . . . . . . . . . . 9 - 3.1.1 The Type Covered Field . . . . . . . . . . . . . . . . . . . 10 - 3.1.2 The Algorithm Number Field . . . . . . . . . . . . . . . . . 10 - 3.1.3 The Labels Field . . . . . . . . . . . . . . . . . . . . . . 10 - 3.1.4 Original TTL Field . . . . . . . . . . . . . . . . . . . . . 11 - 3.1.5 Signature Expiration and Inception Fields . . . . . . . . . 11 - 3.1.6 The Key Tag Field . . . . . . . . . . . . . . . . . . . . . 11 - 3.1.7 The Signer's Name Field . . . . . . . . . . . . . . . . . . 12 - 3.1.8 The Signature Field . . . . . . . . . . . . . . . . . . . . 12 - 3.2 The RRSIG RR Presentation Format . . . . . . . . . . . . 
. . 13 - 3.3 RRSIG RR Example . . . . . . . . . . . . . . . . . . . . . . 13 - 4. The NSEC Resource Record . . . . . . . . . . . . . . . . . . 15 - 4.1 NSEC RDATA Wire Format . . . . . . . . . . . . . . . . . . . 15 - 4.1.1 The Next Domain Name Field . . . . . . . . . . . . . . . . . 15 - 4.1.2 The Type Bit Maps Field . . . . . . . . . . . . . . . . . . 16 - 4.1.3 Inclusion of Wildcard Names in NSEC RDATA . . . . . . . . . 17 - 4.2 The NSEC RR Presentation Format . . . . . . . . . . . . . . 17 - 4.3 NSEC RR Example . . . . . . . . . . . . . . . . . . . . . . 17 - 5. The DS Resource Record . . . . . . . . . . . . . . . . . . . 19 - 5.1 DS RDATA Wire Format . . . . . . . . . . . . . . . . . . . . 19 - 5.1.1 The Key Tag Field . . . . . . . . . . . . . . . . . . . . . 20 - 5.1.2 The Algorithm Field . . . . . . . . . . . . . . . . . . . . 20 - - - -Arends, et al. Expires August 16, 2004 [Page 2] - -Internet-Draft DNSSEC Resource Records February 2004 - - - 5.1.3 The Digest Type Field . . . . . . . . . . . . . . . . . . . 20 - 5.1.4 The Digest Field . . . . . . . . . . . . . . . . . . . . . . 20 - 5.2 Processing of DS RRs When Validating Responses . . . . . . . 20 - 5.3 The DS RR Presentation Format . . . . . . . . . . . . . . . 21 - 5.4 DS RR Example . . . . . . . . . . . . . . . . . . . . . . . 21 - 6. Canonical Form and Order of Resource Records . . . . . . . . 22 - 6.1 Canonical DNS Name Order . . . . . . . . . . . . . . . . . . 22 - 6.2 Canonical RR Form . . . . . . . . . . . . . . . . . . . . . 22 - 6.3 Canonical RR Ordering Within An RRset . . . . . . . . . . . 23 - 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . 24 - 8. Security Considerations . . . . . . . . . . . . . . . . . . 26 - 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 27 - Normative References . . . . . . . . . . . . . . . . . . . . 28 - Informative References . . . . . . . . . . . . . . . . . . . 30 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 30 - A. 
DNSSEC Algorithm and Digest Types . . . . . . . . . . . . . 32 - A.1 DNSSEC Algorithm Types . . . . . . . . . . . . . . . . . . . 32 - A.1.1 Private Algorithm Types . . . . . . . . . . . . . . . . . . 32 - A.2 DNSSEC Digest Types . . . . . . . . . . . . . . . . . . . . 33 - B. Key Tag Calculation . . . . . . . . . . . . . . . . . . . . 34 - B.1 Key Tag for Algorithm 1 (RSA/MD5) . . . . . . . . . . . . . 35 - Intellectual Property and Copyright Statements . . . . . . . 36 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 3] - -Internet-Draft DNSSEC Resource Records February 2004 - - -1. Introduction - - The DNS Security Extensions (DNSSEC) introduce four new DNS resource - record types: DNSKEY, RRSIG, NSEC, and DS. This document defines the - purpose of each resource record (RR), the RR's RDATA format, and its - presentation format (ASCII representation). - -1.1 Background and Related Documents - - The reader is assumed to be familiar with the basic DNS concepts - described in RFC1034 [RFC1034], RFC1035 [RFC1035] and subsequent RFCs - that update them: RFC2136 [RFC2136], RFC2181 [RFC2181] and RFC2308 - [RFC2308]. - - This document is part of a family of documents that define the DNS - security extensions. The DNS security extensions (DNSSEC) are a - collection of resource records and DNS protocol modifications that - add source authentication and data integrity to the Domain Name - System (DNS). An introduction to DNSSEC and definitions of common - terms can be found in [I-D.ietf-dnsext-dnssec-intro]. A description - of DNS protocol modifications can be found in - [I-D.ietf-dnsext-dnssec-protocol]. This document defines the DNSSEC - resource records. - -1.2 Reserved Words - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this - document are to be interpreted as described in RFC 2119 [RFC2119]. 
- -1.3 Editors' Notes - -1.3.1 Open Technical Issues - - The cryptographic algorithm types (Appendix A) requires input from - the working group. The DSA algorithm was moved to OPTIONAL. This - had strong consensus in workshops and various discussions and a - separate Internet-Draft solely to move DSA from MANDATORY to OPTIONAL - seemed excessive. This draft solicits input on that proposed change. - -1.3.2 Technical Changes or Corrections - - Please report technical corrections to dnssec-editors@east.isi.edu. - To assist the editors, please indicate the text in error and point - out the RFC that defines the correct behavior. For a technical - change where no RFC that defines the correct behavior, or if there's - more than one applicable RFC and the definitions conflict, please - post the issue to namedroppers. - - - -Arends, et al. Expires August 16, 2004 [Page 4] - -Internet-Draft DNSSEC Resource Records February 2004 - - - An example correction to dnssec-editors might be: Page X says - "DNSSEC RRs SHOULD be automatically returned in responses." This was - true in RFC 2535, but RFC 3225 (Section 3, 3rd paragraph) says the - DNSSEC RR types MUST NOT be included in responses unless the resolver - indicated support for DNSSEC. - -1.3.3 Typos and Minor Corrections - - Please report any typos corrections to dnssec-editors@east.isi.edu. - To assist the editors, please provide enough context for us to find - the incorrect text quickly. - - An example message to dnssec-editors might be: page X says "the - DNSSEC standard has been in development for over 1 years". It - should read "over 10 years". - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 5] - -Internet-Draft DNSSEC Resource Records February 2004 - - -2. The DNSKEY Resource Record - - DNSSEC uses public key cryptography to sign and authenticate DNS - resource record sets (RRsets). 
The public keys are stored in DNSKEY - resource records and are used in the DNSSEC authentication process - described in [I-D.ietf-dnsext-dnssec-protocol]: A zone signs its - authoritative RRsets using a private key and stores the corresponding - public key in a DNSKEY RR. A resolver can then use the public key to - authenticate signatures covering the RRsets in the zone. - - The DNSKEY RR is not intended as a record for storing arbitrary - public keys, and MUST NOT be used to store certificates or public - keys that do not directly relate to the DNS infrastructure. - - The Type value for the DNSKEY RR type is 48. - - The DNSKEY RR is class independent. - - The DNSKEY RR has no special TTL requirements. - -2.1 DNSKEY RDATA Wire Format - - The RDATA for a DNSKEY RR consists of a 2 octet Flags Field, a 1 - octet Protocol Field, a 1 octet Algorithm Field, and the Public Key - Field. - - 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Flags | Protocol | Algorithm | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - / / - / Public Key / - / / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - -2.1.1 The Flags Field - - Bit 7 of the Flags field is the Zone Key flag. If bit 7 has value 1, - then the DNSKEY record holds a DNS zone key and the DNSKEY RR's owner - name MUST be the name of a zone. If bit 7 has value 0, then the - DNSKEY record holds some other type of DNS public key, such as a - public key used by TKEY and MUST NOT be used to verify RRSIGs that - cover RRsets. - - Bit 15 of the Flags field is the Secure Entry Point flag, described - in [I-D.ietf-dnsext-keyrr-key-signing-flag]. If bit 15 has value 1, - - - -Arends, et al. 
Expires August 16, 2004 [Page 6] - -Internet-Draft DNSSEC Resource Records February 2004 - - - then the DNSKEY record holds a key intended for use as a secure entry - point. This flag is only intended to be to a hint to zone signing or - debugging software as to the intended use of this DNSKEY record; - security-aware resolvers MUST NOT alter their behavior during the - signature validation process in any way based on the setting of this - bit. - - Bits 0-6 and 8-14 are reserved: these bits MUST have value 0 upon - creation of the DNSKEY RR, and MUST be ignored upon reception. - -2.1.2 The Protocol Field - - The Protocol Field MUST have value 3 and MUST be treated as invalid - during signature verification if found to be some value other than 3. - -2.1.3 The Algorithm Field - - The Algorithm field identifies the public key's cryptographic - algorithm and determines the format of the Public Key field. A list - of DNSSEC algorithm types can be found in Appendix A.1 - -2.1.4 The Public Key Field - - The Public Key Field holds the public key material. The format - depends on the algorithm of the key being stored and are described in - separate documents. - -2.1.5 Notes on DNSKEY RDATA Design - - Although the Protocol Field always has value 3, it is retained for - backward compatibility with early versions of the KEY record. - -2.2 The DNSKEY RR Presentation Format - - The presentation format of the RDATA portion is as follows: - - The Flag field MUST be represented as an unsigned decimal integer - with a value of 0, 256, or 257. - - The Protocol Field MUST be represented as an unsigned decimal integer - with a value of 3. - - The Algorithm field MUST be represented either as an unsigned - decimal integer or as an algorithm mnemonic as specified in Appendix - A.1. - - The Public Key field MUST be represented as a Base64 encoding of the - Public Key. Whitespace is allowed within the Base64 text. For a - - - -Arends, et al. 
Expires August 16, 2004 [Page 7] - -Internet-Draft DNSSEC Resource Records February 2004 - - - definition of Base64 encoding, see [RFC1521] Section 5.2. - -2.3 DNSKEY RR Example - - The following DNSKEY RR stores a DNS zone key for example.com. - - example.com. 86400 IN DNSKEY 256 3 5 ( AQPSKmynfzW4kyBv015MUG2DeIQ3 - Cbl+BBZH4b/0PY1kxkmvHjcZc8no - kfzj31GajIQKY+5CptLr3buXA10h - WqTkF7H6RfoRqXQeogmMHfpftf6z - Mv1LyBUgia7za6ZEzOJBOztyvhjL - 742iU/TpPSEDhm2SNKLijfUppn1U - aNvv4w== ) - - The first four text fields specify the owner name, TTL, Class, and RR - type (DNSKEY). Value 256 indicates that the Zone Key bit (bit 7) in - the Flags field has value 1. Value 3 is the fixed Protocol value. - Value 5 indicates the public key algorithm. Appendix A.1 identifies - algorithm type 5 as RSA/SHA1 and indicates that the format of the - RSA/SHA1 public key field is defined in [RFC3110]. The remaining - text is a Base64 encoding of the public key. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 8] - -Internet-Draft DNSSEC Resource Records February 2004 - - -3. The RRSIG Resource Record - - DNSSEC uses public key cryptography to sign and authenticate DNS - resource record sets (RRsets). Digital signatures are stored in - RRSIG resource records and are used in the DNSSEC authentication - process described in [I-D.ietf-dnsext-dnssec-protocol]. A - security-aware resolver can use these RRSIG RRs to authenticate - RRsets from the zone. The RRSIG RR MUST only be used to carry - verification material (digital signatures) used to secure DNS - operations. - - An RRSIG record contains the signature for an RRset with a particular - name, class, and type. The RRSIG RR specifies a validity interval - for the signature and uses the Algorithm, the Signer's Name, and the - Key Tag to identify the DNSKEY RR containing the public key that a - resolver can use to verify the signature. 
- - Because every authoritative RRset in a zone must be protected by a - digital signature, RRSIG RRs must be present for names containing a - CNAME RR. This is a change to the traditional DNS specification - [RFC1034] that stated that if a CNAME is present for a name, it is - the only type allowed at that name. A RRSIG and NSEC (see Section 4) - MUST exist for the same name as a CNAME resource record in a secure - zone. - - The Type value for the RRSIG RR type is 46. - - The RRSIG RR is class independent. - - An RRSIG RR MUST have the same class as the RRset it covers. - - The TTL value of an RRSIG RR SHOULD match the TTL value of the RRset - it covers. This is an exception to the [RFC2181] rules for TTL - values of individual RRs within a RRset: individual RRSIG with the - same owner name will have different TTL values if the RRsets that - they cover have different TTL values. - -3.1 RRSIG RDATA Wire Format - - The RDATA for an RRSIG RR consists of a 2 octet Type Covered field, a - 1 octet Algorithm field, a 1 octet Labels field, a 4 octet Original - TTL field, a 4 octet Signature Expiration field, a 4 octet Signature - Inception field, a 2 octet Key tag, the Signer's Name field, and the - Signature field. - - 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - - -Arends, et al. 
Expires August 16, 2004 [Page 9] - -Internet-Draft DNSSEC Resource Records February 2004 - - - | Type Covered | Algorithm | Labels | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Original TTL | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Signature Expiration | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Signature Inception | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Key Tag | / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Signer's Name / - / / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - / / - / Signature / - / / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - -3.1.1 The Type Covered Field - - The Type Covered field identifies the type of the RRset which is - covered by this RRSIG record. - -3.1.2 The Algorithm Number Field - - The Algorithm Number field identifies the cryptographic algorithm - used to create the signature. A list of DNSSEC algorithm types can - be found in Appendix A.1 - -3.1.3 The Labels Field - - The Labels field specifies the number of labels in the original RRSIG - RR owner name. The significance of this field is that from it a - verifier can determine if the answer was synthesized from a wildcard. - If so, it can be used to determine what owner name was used in - generating the signature. - - To validate a signature, the validator needs the original owner name - that was used to create the signature. If the original owner name - contains a wildcard label ("*"), the owner name may have been - expanded by the server during the response process, in which case the - validator will need to reconstruct the original owner name in order - to validate the signature. [I-D.ietf-dnsext-dnssec-protocol] - describes how to use the Labels field to reconstruct the original - owner name. 
- - The value of the Labels field MUST NOT count either the null (root) - label that terminates the owner name or the wildcard label (if - - - -Arends, et al. Expires August 16, 2004 [Page 10] - -Internet-Draft DNSSEC Resource Records February 2004 - - - present). The value of the Labels field MUST be less than or equal - to the number of labels in the RRSIG owner name. For example, - "www.example.com." has a Labels field value of 3, and - "*.example.com." has a Labels field value of 2. Root (".") has a - Labels field value of 0. - - Although the wildcard label is not included in the count stored in - the Labels field of the RRSIG RR, the wildcard label is part of the - RRset's owner name when generating or verifying the signature. - -3.1.4 Original TTL Field - - The Original TTL field specifies the TTL of the covered RRset as it - appears in the authoritative zone. - - The Original TTL field is necessary because a caching resolver - decrements the TTL value of a cached RRset. In order to validate a - signature, a resolver requires the original TTL. - [I-D.ietf-dnsext-dnssec-protocol] describes how to use the Original - TTL field value to reconstruct the original TTL. - -3.1.5 Signature Expiration and Inception Fields - - The Signature Expiration and Inception fields specify a validity - period for the signature. The RRSIG record MUST NOT be used for - authentication prior to the inception date and MUST NOT be used for - authentication after the expiration date. - - Signature Expiration and Inception field values are in POSIX.1 time - format: a 32-bit unsigned number of seconds elapsed since 1 January - 1970 00:00:00 UTC, ignoring leap seconds, in network byte order. The - longest interval which can be expressed by this format without - wrapping is approximately 136 years. 
An RRSIG RR can have an - Expiration field value which is numerically smaller than the - Inception field value if the expiration field value is near the - 32-bit wrap-around point or if the signature is long lived. Because - of this, all comparisons involving these fields MUST use "Serial - number arithmetic" as defined in [RFC1982]. As a direct consequence, - the values contained in these fields cannot refer to dates more than - 68 years in either the past or the future. - -3.1.6 The Key Tag Field - - The Key Tag field contains the key tag value of the DNSKEY RR that - validates this signature. Appendix B explains how to calculate Key - Tag values. - - - - - -Arends, et al. Expires August 16, 2004 [Page 11] - -Internet-Draft DNSSEC Resource Records February 2004 - - -3.1.7 The Signer's Name Field - - The Signer's Name field value identifies the owner name of the DNSKEY - RR which a security-aware resolver should use to validate this - signature. The Signer's Name field MUST contain the name of the zone - of the covered RRset. A sender MUST NOT use DNS name compression on - the Signer's Name field when transmitting a RRSIG RR. A receiver - which receives an RRSIG RR containing a compressed Signer's Name - field SHOULD decompress the field value. - -3.1.8 The Signature Field - - The Signature field contains the cryptographic signature which covers - the RRSIG RDATA (excluding the Signature field) and the RRset - specified by the RRSIG owner name, RRSIG class, and RRSIG Type - Covered field. The format of this field depends on the algorithm in - use and these formats are described in separate companion documents. - -3.1.8.1 Signature Calculation - - A signature covers the RRSIG RDATA (excluding the Signature Field) - and covers the data RRset specified by the RRSIG owner name, RRSIG - class, and RRSIG Type Covered fields. 
The RRset is in canonical form - (see Section 6) and the set RR(1),...RR(n) is signed as follows: - - signature = sign(RRSIG_RDATA | RR(1) | RR(2)... ) where - - "|" denotes concatenation; - - RRSIG_RDATA is the wire format of the RRSIG RDATA fields - with the Signer's Name field in canonical form and - the Signature field excluded; - - RR(i) = owner | class | type | TTL | RDATA length | RDATA; - - "owner" is the fully qualified owner name of the RRset in - canonical form (for RRs with wildcard owner names, the - wildcard label is included in the owner name); - - Each RR MUST have the same owner name as the RRSIG RR; - - Each RR MUST have the same class as the RRSIG RR; - - Each RR in the RRset MUST have the RR type listed in the - RRSIG RR's Type Covered field; - - Each RR in the RRset MUST have the TTL listed in the - RRSIG Original TTL Field; - - - -Arends, et al. Expires August 16, 2004 [Page 12] - -Internet-Draft DNSSEC Resource Records February 2004 - - - Any DNS names in the RDATA field of each RR MUST be in - canonical form; and - - The RRset MUST be sorted in canonical order. - - -3.2 The RRSIG RR Presentation Format - - The presentation format of the RDATA portion is as follows: - - The Type Covered field value MUST be represented either as an - unsigned decimal integer or as the mnemonic for the covered RR type. - - The Algorithm field value MUST be represented either as an unsigned - decimal integer or as an algorithm mnemonic as specified in Appendix - A.1. - - The Labels field value MUST be represented as an unsigned decimal - integer. - - The Original TTL field value MUST be represented as an unsigned - decimal integer. 
- - The Signature Expiration Time and Inception Time field values MUST be - represented in the form YYYYMMDDHHmmSS in UTC, where: - - YYYY is the year (0000-9999, but see Section 3.1.5); - - MM is the month number (01-12); - - DD is the day of the month (01-31); - - HH is the hour in 24 hours notation (00-23); - - mm is the minute (00-59); - - SS is the second (00-59). - - The Key Tag field MUST be represented as an unsigned decimal integer. - - The Signer's Name field value MUST be represented as a domain name. - - The Signature field is represented as a Base64 encoding of the - signature. Whitespace is allowed within the Base64 text. For a - definition of Base64 encoding see [RFC1521] Section 5.2. - -3.3 RRSIG RR Example - - - - -Arends, et al. Expires August 16, 2004 [Page 13] - -Internet-Draft DNSSEC Resource Records February 2004 - - - The following an RRSIG RR stores the signature for the A RRset of - host.example.com: - - host.example.com. 86400 IN RRSIG A 5 3 86400 20030322173103 ( - 20030220173103 2642 example.com. - oJB1W6WNGv+ldvQ3WDG0MQkg5IEhjRip8WTr - PYGv07h108dUKGMeDPKijVCHX3DDKdfb+v6o - B9wfuh3DTJXUAfI/M0zmO/zz8bW0Rznl8O3t - GNazPwQKkRN20XPXV6nwwfoXmJQbsLNrLfkG - J5D6fwFm8nN+6pBzeDQfsS3Ap3o= ) - - The first four fields specify the owner name, TTL, Class, and RR type - (RRSIG). The "A" represents the Type Covered field. The value 5 - identifies the algorithm used (RSA/SHA1) to create the signature. - The value 3 is the number of Labels in the original owner name. The - value 86400 in the RRSIG RDATA is the Original TTL for the covered A - RRset. 20030322173103 and 20030220173103 are the expiration and - inception dates, respectively. 2642 is the Key Tag, and example.com. - is the Signer's Name. The remaining text is a Base64 encoding of the - signature. - - Note that combination of RRSIG RR owner name, class, and Type Covered - indicate that this RRSIG covers the "host.example.com" A RRset. 
The - Label value of 3 indicates that no wildcard expansion was used. The - Algorithm, Signer's Name, and Key Tag indicate this signature can be - authenticated using an example.com zone DNSKEY RR whose algorithm is - 5 and key tag is 2642. - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 14] - -Internet-Draft DNSSEC Resource Records February 2004 - - -4. The NSEC Resource Record - - The NSEC resource record lists two separate things: the owner name of - the next authoritative RRset in the canonical ordering of the zone, - and the set of RR types present at the NSEC RR's owner name. The - complete set of NSEC RRs in a zone both indicate which authoritative - RRsets exist in a zone and also form a chain of authoritative owner - names in the zone. This information is used to provide authenticated - denial of existence for DNS data, as described in - [I-D.ietf-dnsext-dnssec-protocol]. - - Because every authoritative name in a zone must be part of the NSEC - chain, NSEC RRs must be present for names containing a CNAME RR. - This is a change to the traditional DNS specification [RFC1034] that - stated that if a CNAME is present for a name, it is the only type - allowed at that name. An RRSIG (see Section 3) and NSEC MUST exist - for the same name as a CNAME resource record in a secure zone. - - The type value for the NSEC RR is 47. - - The NSEC RR is class independent. - - The NSEC RR SHOULD have the same TTL value as the SOA minimum TTL - field. This is in the spirt of negative caching [RFC2308]. 
- -4.1 NSEC RDATA Wire Format - - The RDATA of the NSEC RR is as shown below: - - 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - / Next Domain Name / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - / Type Bit Maps / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - -4.1.1 The Next Domain Name Field - - The Next Domain Name field contains the owner name of the next - authoritative owner name in the canonical ordering of the zone; see - Section 6.1 for an explanation of canonical ordering. The value of - the Next Domain Name field in the last NSEC record in the zone is the - name of the zone apex (the owner name of the zone's SOA RR). - - A sender MUST NOT use DNS name compression on the Next Domain Name - field when transmitting an NSEC RR. A receiver which receives an - - - -Arends, et al. Expires August 16, 2004 [Page 15] - -Internet-Draft DNSSEC Resource Records February 2004 - - - NSEC RR containing a compressed Next Domain Name field SHOULD - decompress the field value. - - Owner names of RRsets not authoritative for the given zone (such as - glue records) MUST NOT be listed in the Next Domain Name unless at - least one authoritative RRset exists at the same owner name. - -4.1.2 The Type Bit Maps Field - - The Type Bit Maps field identifies the RRset types which exist at the - NSEC RR's owner name. - - The RR type space is split into 256 window blocks, each representing - the low-order 8 bits of the 16-bit RR type space. Each block that has - at least one active RR type is encoded using a single octet window - number (from 0 to 255), a single octet bitmap length (from 1 to 32) - indicating the number of octets used for the window block's bitmap, - and up to 32 octets (256 bits) of bitmap. - - Blocks are present in the NSEC RR RDATA in increasing numerical - order. 
- - Type Bit Maps Field = ( Window Block # | Bitmap Length | Bitmap )+ - - where "|" denotes concatenation. - - Each bitmap encodes the low-order 8 bits of RR types within the - window block, in network bit order. The first bit is bit 0. For - window block 0, bit 1 corresponds to RR type 1 (A), bit 2 corresponds - to RR type 2 (NS), and so forth. For window block 1, bit 1 - corresponds to RR type 257, bit 2 to RR type 258. If a bit is set to - 1, it indicates that an RRset of that type is present for the NSEC - RR's owner name. If a bit is set to 0, it indicates that no RRset of - that type is present for the NSEC RR's owner name. - - Since bit 0 in window block 0 refers to the non-existent RR type 0, - it MUST be set to 0. After verification, the validator MUST ignore - the value of bit 0 in window block 0. - - Bits representing pseudo-types MUST be set to 0, since they do not - appear in zone data. If encountered, they MUST be ignored upon - reading. - - Blocks with no types present MUST NOT be included. Trailing zero - octets in the bitmap MUST be omitted. The length of each block's - bitmap is determined by the type code with the largest numerical - value, within that block, among the set of RR types present at the - NSEC RR's owner name. Trailing zero octets not specified MUST be - - - -Arends, et al. Expires August 16, 2004 [Page 16] - -Internet-Draft DNSSEC Resource Records February 2004 - - - interpreted as zero octets. - - A zone MUST NOT generate an NSEC RR for any domain name that only - holds glue records. - -4.1.3 Inclusion of Wildcard Names in NSEC RDATA - - If a wildcard owner name appears in a zone, the wildcard label ("*") - is treated as a literal symbol and is treated the same as any other - owner name for purposes of generating NSEC RRs. Wildcard owner names - appear in the Next Domain Name field without any wildcard expansion. - [I-D.ietf-dnsext-dnssec-protocol] describes the impact of wildcards - on authenticated denial of existence. 
- -4.2 The NSEC RR Presentation Format - - The presentation format of the RDATA portion is as follows: - - The Next Domain Name field is represented as a domain name. - - The Type Bit Maps field is represented as a sequence of RR type - mnemonics. When the mnemonic is not known, the TYPE representation - as described in [RFC3597] (section 5) MUST be used. - -4.3 NSEC RR Example - - The following NSEC RR identifies the RRsets associated with - alfa.example.com. and identifies the next authoritative name after - alfa.example.com. - - alfa.example.com. 86400 IN NSEC host.example.com. ( - A MX RRSIG NSEC TYPE1234 ) - - The first four text fields specify the name, TTL, Class, and RR type - (NSEC). The entry host.example.com. is the next authoritative name - after alfa.example.com. in canonical order. The A, MX, RRSIG, NSEC, - and TYPE1234 mnemonics indicate there are A, MX, RRSIG, NSEC, and - TYPE1234 RRsets associated with the name alfa.example.com. - - The RDATA section of the NSEC RR above would be encoded as: - - 0x04 'h' 'o' 's' 't' - 0x07 'e' 'x' 'a' 'm' 'p' 'l' 'e' - 0x03 'c' 'o' 'm' 0x00 - 0x00 0x06 0x40 0x01 0x00 0x00 0x00 0x03 - 0x04 0x1b 0x00 0x00 0x00 0x00 0x00 0x00 - 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 - 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 - - - -Arends, et al. Expires August 16, 2004 [Page 17] - -Internet-Draft DNSSEC Resource Records February 2004 - - - 0x00 0x00 0x00 0x00 0x20 - - Assuming that the resolver can authenticate this NSEC record, it - could be used to prove that beta.example.com does not exist, or could - be used to prove there is no AAAA record associated with - alfa.example.com. Authenticated denial of existence is discussed in - [I-D.ietf-dnsext-dnssec-protocol]. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 18] - -Internet-Draft DNSSEC Resource Records February 2004 - - -5. 
The DS Resource Record - - The DS Resource Record refers to a DNSKEY RR and is used in the DNS - DNSKEY authentication process. A DS RR refers to a DNSKEY RR by - storing the key tag, algorithm number, and a digest of the DNSKEY RR. - Note that while the digest should be sufficient to identify the - public key, storing the key tag and key algorithm helps make the - identification process more efficient. By authenticating the DS - record, a resolver can authenticate the DNSKEY RR to which the DS - record points. The key authentication process is described in - [I-D.ietf-dnsext-dnssec-protocol]. - - The DS RR and its corresponding DNSKEY RR have the same owner name, - but they are stored in different locations. The DS RR appears only - on the upper (parental) side of a delegation, and is authoritative - data in the parent zone. For example, the DS RR for "example.com" is - stored in the "com" zone (the parent zone) rather than in the - "example.com" zone (the child zone). The corresponding DNSKEY RR is - stored in the "example.com" zone (the child zone). This simplifies - DNS zone management and zone signing, but introduces special response - processing requirements for the DS RR; these are described in - [I-D.ietf-dnsext-dnssec-protocol]. - - The type number for the DS record is 43. - - The DS resource record is class independent. - - The DS RR has no special TTL requirements. - -5.1 DS RDATA Wire Format - - The RDATA for a DS RR consists of a 2 octet Key Tag field, a one - octet Algorithm field, a one octet Digest Type field, and a Digest - field. - - 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Key Tag | Algorithm | Digest Type | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - / / - / Digest / - / / - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - - - - - - -Arends, et al. 
Expires August 16, 2004 [Page 19] - -Internet-Draft DNSSEC Resource Records February 2004 - - -5.1.1 The Key Tag Field - - The Key Tag field lists the key tag of the DNSKEY RR referred to by - the DS record. - - The Key Tag used by the DS RR is identical to the Key Tag used by - RRSIG RRs. Appendix B describes how to compute a Key Tag. - -5.1.2 The Algorithm Field - - The Algorithm field lists the algorithm number of the DNSKEY RR - referred to by the DS record. - - The algorithm number used by the DS RR is identical to the algorithm - number used by RRSIG and DNSKEY RRs. Appendix A.1 lists the algorithm - number types. - -5.1.3 The Digest Type Field - - The DS RR refers to a DNSKEY RR by including a digest of that DNSKEY - RR. The Digest Type field identifies the algorithm used to construct - the digest. Appendix A.2 lists the possible digest algorithm types. - -5.1.4 The Digest Field - - The DS record refers to a DNSKEY RR by including a digest of that - DNSKEY RR. - - The digest is calculated by concatenating the canonical form of the - fully qualified owner name of the DNSKEY RR with the DNSKEY RDATA, - and then applying the digest algorithm. - - digest = digest_algorithm( DNSKEY owner name | DNSKEY RDATA); - - "|" denotes concatenation - - DNSKEY RDATA = Flags | Protocol | Algorithm | Public Key. - - - The size of the digest may vary depending on the digest algorithm and - DNSKEY RR size. As of the time of writing, the only defined digest - algorithm is SHA-1, which produces a 20 octet digest. - -5.2 Processing of DS RRs When Validating Responses - - The DS RR links the authentication chain across zone boundaries, so - the DS RR requires extra care in processing. The DNSKEY RR referred - to in the DS RR MUST be a DNSSEC zone key. The DNSKEY RR Flags MUST - - - -Arends, et al. Expires August 16, 2004 [Page 20] - -Internet-Draft DNSSEC Resource Records February 2004 - - - have Flags bit 7 set to value 1. 
If the key tag does not indicate a - DNSSEC zone key, the DS RR (and DNSKEY RR it references) MUST NOT be - used in the validation process. - -5.3 The DS RR Presentation Format - - The presentation format of the RDATA portion is as follows: - - The Key Tag field MUST be represented as an unsigned decimal integer. - - The Algorithm field MUST be represented either as an unsigned decimal - integer or as an algorithm mnemonic specified in Appendix A.1. - - The Digest Type field MUST be represented as an unsigned decimal - integer. - - The Digest MUST be represented as a sequence of case-insensitive - hexadecimal digits. Whitespace is allowed within the hexadecimal - text. - -5.4 DS RR Example - - The following example shows a DNSKEY RR and its corresponding DS RR. - - dskey.example.com. 86400 IN DNSKEY 256 3 5 ( AQOeiiR0GOMYkDshWoSKz9Xz - fwJr1AYtsmx3TGkJaNXVbfi/ - 2pHm822aJ5iI9BMzNXxeYCmZ - DRD99WYwYqUSdjMmmAphXdvx - egXd/M5+X7OrzKBaMbCVdFLU - Uh6DhweJBjEVv5f2wwjM9Xzc - nOf+EPbtG9DMBmADjFDc2w/r - ljwvFw== - ) ; key id = 60485 - - dskey.example.com. 86400 IN DS 60485 5 1 ( 2BB183AF5F22588179A53B0A - 98631FAD1A292118 ) - - - The first four text fields specify the name, TTL, Class, and RR type - (DS). Value 60485 is the key tag for the corresponding - "dskey.example.com." DNSKEY RR, and value 5 denotes the algorithm - used by this "dskey.example.com." DNSKEY RR. The value 1 is the - algorithm used to construct the digest, and the rest of the RDATA - text is the digest in hexadecimal. - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 21] - -Internet-Draft DNSSEC Resource Records February 2004 - - -6. Canonical Form and Order of Resource Records - - This section defines a canonical form for resource records, a - canonical ordering of DNS names, and a canonical ordering of resource - records within an RRset. A canonical name order is required to - construct the NSEC name chain. 
A canonical RR form and ordering - within an RRset are required to construct and verify RRSIG RRs. - -6.1 Canonical DNS Name Order - - For purposes of DNS security, owner names are ordered by treating - individual labels as unsigned left-justified octet strings. The - absence of a octet sorts before a zero value octet, and upper case - US-ASCII letters are treated as if they were lower case US-ASCII - letters. - - To compute the canonical ordering of a set of DNS names, start by - sorting the names according to their most significant (rightmost) - labels. For names in which the most significant label is identical, - continue sorting according to their next most significant label, and - so forth. - - For example, the following names are sorted in canonical DNS name - order. The most significant label is "example". At this level, - "example" sorts first, followed by names ending in "a.example", then - names ending "z.example". The names within each level are sorted in - the same way. - - example - a.example - yljkjljk.a.example - Z.a.example - zABC.a.EXAMPLE - z.example - \001.z.example - *.z.example - \200.z.example - - -6.2 Canonical RR Form - - For purposes of DNS security, the canonical form of an RR is the wire - format of the RR where: - - 1. Every domain name in the RR is fully expanded (no DNS name - compression) and fully qualified; - - 2. All uppercase US-ASCII letters in the owner name of the RR are - - - -Arends, et al. Expires August 16, 2004 [Page 22] - -Internet-Draft DNSSEC Resource Records February 2004 - - - replaced by the corresponding lowercase US-ASCII letters; - - 3. If the type of the RR is NS, MD, MF, CNAME, SOA, MB, MG, MR, PTR, - HINFO, MINFO, MX, HINFO, RP, AFSDB, RT, SIG, PX, NXT, NAPTR, KX, - SRV, DNAME, A6, RRSIG or NSEC, all uppercase US-ASCII letters in - the DNS names contained within the RDATA are replaced by the - corresponding lowercase US-ASCII letters; - - 4. 
If the owner name of the RR is a wildcard name, the owner name is - in its original unexpanded form, including the "*" label (no - wildcard substitution); and - - 5. The RR's TTL is set to its original value as it appears in the - originating authoritative zone or the Original TTL field of the - covering RRSIG RR. - - -6.3 Canonical RR Ordering Within An RRset - - For purposes of DNS security, RRs with the same owner name, class, - and type are sorted by treating the RDATA portion of the canonical - form of each RR as a left-justified unsigned octet sequence where the - absence of an octet sorts before a zero octet. - - [RFC2181] specifies that an RRset is not allowed to contain duplicate - records (multiple RRs with the same owner name, class, type, and - RDATA). Therefore, if an implementation detects duplicate RRs during - RRset canonicalization, the implementation MUST treat this as a - protocol error. If the implementation chooses to handle this - protocol error in the spirit of the robustness principle (being - liberal in what it accepts), the implementation MUST remove all but - one of the duplicate RR(s) for purposes of calculating the canonical - form of the RRset. - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 23] - -Internet-Draft DNSSEC Resource Records February 2004 - - -7. IANA Considerations - - This document introduces no new IANA considerations, because all of - the protocol parameters used in this document have already been - assigned by previous specifications. However, since the evolution of - DNSSEC has been long and somewhat convoluted, this section attempts - to describe the current state of the IANA registries and other - protocol parameters which are (or once were) related to DNSSEC. - - Please refer to [I-D.ietf-dnsext-dnssec-protocol] for additional IANA - considerations. - - DNS Resource Record Types: [RFC2535] assigned types 24, 25, and 30 to - the SIG, KEY, and NXT RRs, respectively. 
[RFC3658] assigned DNS - Resource Record Type 43 to DS. - [I-D.ietf-dnsext-dnssec-2535typecode-change] assigned types 46, - 47, and 48 to the RRSIG, NSEC, and DNSKEY RRs, respectively. - [I-D.ietf-dnsext-dnssec-2535typecode-change] also marked type 30 - (NXT) as Obsolete, and restricted use of types 24 (SIG) and 25 - (KEY) to the "SIG(0)" transaction security protocol described in - [RFC2931] and the transaction KEY Resource Record described in - [RFC2930]. - - DNS Security Algorithm Numbers: [RFC2535] created an IANA registry - for DNSSEC Resource Record Algorithm field numbers, and assigned - values 1-4 and 252-255. [RFC3110] assigned value 5. - [I-D.ietf-dnsext-dnssec-2535typecode-change] altered this registry - to include flags for each entry regarding its use with the DNS - security extensions. Each algorithm entry could refer to an - algorithm that can be used for zone signing, transaction security - (see [RFC2931]) or both. Values 6-251 are available for assignment - by IETF standards action. See Appendix A for a full listing of the - DNS Security Algorithm Numbers entries at the time of writing and - their status of use in DNSSEC. - - [RFC3658] created an IANA registry for DNSSEC DS Digest Types, and - assigned value 0 to reserved and value 1 to SHA-1. - - KEY Protocol Values: [RFC2535] created an IANA Registry for KEY - Protocol Values, but [RFC3445] re-assigned all assigned values - other than 3 to reserved and closed this IANA registry. The - registry remains closed, and all KEY and DNSKEY records are - required to have Protocol Octet value of 3. - - Flag bits in the KEY and DNSKEY RRs: - [I-D.ietf-dnsext-dnssec-2535typecode-change] created an IANA - registry for the DNSSEC KEY and DNSKEY RR flag bits. Initially, - this registry only contains an assignment for bit 7 (the ZONE bit) - - - -Arends, et al. 
Expires August 16, 2004 [Page 24] - -Internet-Draft DNSSEC Resource Records February 2004 - - - and a reservation for bit 15 for the Secure Entry Point flag (SEP - bit) [I-D.ietf-dnsext-keyrr-key-signing-flag]. Bits 0-6 and 8-14 - are available for assignment by IETF Standards Action. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 25] - -Internet-Draft DNSSEC Resource Records February 2004 - - -8. Security Considerations - - This document describes the format of four DNS resource records used - by the DNS security extensions, and presents an algorithm for - calculating a key tag for a public key. Other than the items - described below, the resource records themselves introduce no - security considerations. Please see [I-D.ietf-dnsext-dnssec-intro] - and [I-D.ietf-dnsext-dnssec-protocol] for additional security - considerations related to the use of these records. - - The DS record points to a DNSKEY RR using a cryptographic digest, the - key algorithm type and a key tag. The DS record is intended to - identify an existing DNSKEY RR, but it is theoretically possible for - an attacker to generate a DNSKEY that matches all the DS fields. The - probability of constructing such a matching DNSKEY depends on the - type of digest algorithm in use. The only currently defined digest - algorithm is SHA-1, and the working group believes that constructing - a public key which would match the algorithm, key tag, and SHA-1 - digest given in a DS record would be a sufficiently difficult problem - that such an attack is not a serious threat at this time. - - The key tag is used to help select DNSKEY resource records - efficiently, but it does not uniquely identify a single DNSKEY - resource record. It is possible for two distinct DNSKEY RRs to have - the same owner name, the same algorithm type, and the same key tag. 
- An implementation which used only the key tag to select a DNSKEY RR - might select the wrong public key in some circumstances. - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 26] - -Internet-Draft DNSSEC Resource Records February 2004 - - -9. Acknowledgments - - This document was created from the input and ideas of the members of - the DNS Extensions Working Group and working group mailing list. The - editors would like to express their thanks for the comments and - suggestions received during the revision of these security extension - specifications. While explicitly listing everyone who has - contributed during the decade during which DNSSEC has been under - development would be an impossible task, - [I-D.ietf-dnsext-dnssec-intro] includes a list of some of the - participants who were kind enough to comment on these documents. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 27] - -Internet-Draft DNSSEC Resource Records February 2004 - - -Normative References - - [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", - STD 13, RFC 1034, November 1987. - - [RFC1035] Mockapetris, P., "Domain names - implementation and - specification", STD 13, RFC 1035, November 1987. - - [RFC1521] Borenstein, N. and N. Freed, "MIME (Multipurpose Internet - Mail Extensions) Part One: Mechanisms for Specifying and - Describing the Format of Internet Message Bodies", RFC - 1521, September 1993. - - [RFC1982] Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982, - August 1996. - - [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate - Requirement Levels", BCP 14, RFC 2119, March 1997. - - [RFC2136] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic - Updates in the Domain Name System (DNS UPDATE)", RFC 2136, - April 1997. - - [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS - Specification", RFC 2181, July 1997. 
- - [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS - NCACHE)", RFC 2308, March 1998. - - [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC - 2671, August 1999. - - [RFC2931] Eastlake, D., "DNS Request and Transaction Signatures ( - SIG(0)s)", RFC 2931, September 2000. - - [RFC3110] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain - Name System (DNS)", RFC 3110, May 2001. - - [RFC3445] Massey, D. and S. Rose, "Limiting the Scope of the KEY - Resource Record (RR)", RFC 3445, December 2002. - - [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record - (RR) Types", RFC 3597, September 2003. - - [RFC3658] Gudmundsson, O., "Delegation Signer (DS) Resource Record - (RR)", RFC 3658, December 2003. - - [I-D.ietf-dnsext-dnssec-intro] - - - -Arends, et al. Expires August 16, 2004 [Page 28] - -Internet-Draft DNSSEC Resource Records February 2004 - - - Arends, R., Austein, R., Larson, M., Massey, D. and S. - Rose, "DNS Security Introduction and Requirements", - draft-ietf-dnsext-dnssec-intro-09 (work in progress), - February 2004. - - [I-D.ietf-dnsext-dnssec-protocol] - Arends, R., Austein, R., Larson, M., Massey, D. and S. - Rose, "Protocol Modifications for the DNS Security - Extensions", draft-ietf-dnsext-dnssec-protocol-05 (work in - progress), February 2004. - - [I-D.ietf-dnsext-keyrr-key-signing-flag] - Kolkman, O., Schlyter, J. and E. Lewis, "KEY RR Secure - Entry Point Flag", - draft-ietf-dnsext-keyrr-key-signing-flag-12 (work in - progress), December 2003. - - [I-D.ietf-dnsext-dnssec-2535typecode-change] - Weiler, S., "Legacy Resolver Compatibility for Delegation - Signer", draft-ietf-dnsext-dnssec-2535typecode-change-06 - (work in progress), December 2003. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. 
Expires August 16, 2004 [Page 29] - -Internet-Draft DNSSEC Resource Records February 2004 - - -Informative References - - [RFC2535] Eastlake, D., "Domain Name System Security Extensions", - RFC 2535, March 1999. - - [RFC2930] Eastlake, D., "Secret Key Establishment for DNS (TKEY - RR)", RFC 2930, September 2000. - - -Authors' Addresses - - Roy Arends - Telematica Instituut - Drienerlolaan 5 - 7522 NB Enschede - NL - - EMail: roy.arends@telin.nl - - - Rob Austein - Internet Systems Consortium - 950 Charter Street - Redwood City, CA 94063 - USA - - EMail: sra@isc.org - - - Matt Larson - VeriSign, Inc. - 21345 Ridgetop Circle - Dulles, VA 20166-6503 - USA - - EMail: mlarson@verisign.com - - - Dan Massey - USC Information Sciences Institute - 3811 N. Fairfax Drive - Arlington, VA 22203 - USA - - EMail: masseyd@isi.edu - - - - - - -Arends, et al. Expires August 16, 2004 [Page 30] - -Internet-Draft DNSSEC Resource Records February 2004 - - - Scott Rose - National Institute for Standards and Technology - 100 Bureau Drive - Gaithersburg, MD 20899-8920 - USA - - EMail: scott.rose@nist.gov - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 31] - -Internet-Draft DNSSEC Resource Records February 2004 - - -Appendix A. DNSSEC Algorithm and Digest Types - - The DNS security extensions are designed to be independent of the - underlying cryptographic algorithms. The DNSKEY, RRSIG, and DS - resource records all use a DNSSEC Algorithm Number to identify the - cryptographic algorithm in use by the resource record. The DS - resource record also specifies a Digest Algorithm Number to identify - the digest algorithm used to construct the DS record. The currently - defined Algorithm and Digest Types are listed below. Additional - Algorithm or Digest Types could be added as advances in cryptography - warrant. - - A DNSSEC aware resolver or name server MUST implement all MANDATORY - algorithms. 
- -A.1 DNSSEC Algorithm Types - - The DNSKEY, RRSIG, and DS RRs use an 8-bit number used to identify - the security algorithm being used. These values are stored in the - "Algorithm number" field in the resource record RDATA. - - Some algorithms are usable only for zone signing (DNSSEC), some only - for transaction security mechanisms (SIG(0) and TSIG), and some for - both. Those usable for zone signing may appear in DNSKEY, RRSIG, and - DS RRs. Those usable for transaction security would be present in - SIG(0) and KEY RRs as described in [RFC2931] - - Zone - Value Algorithm [Mnemonic] Signing References Status - ----- -------------------- --------- ---------- --------- - 0 reserved - 1 RSA/MD5 [RSAMD5] n RFC 2537 NOT RECOMMENDED - 2 Diffie-Hellman [DH] n RFC 2539 - - 3 DSA/SHA-1 [DSA] y RFC 2536 OPTIONAL - 4 Elliptic Curve [ECC] TBA - - 5 RSA/SHA-1 [RSASHA1] y RFC 3110 MANDATORY - 252 Indirect [INDIRECT] n - - 253 Private [PRIVATEDNS] y see below OPTIONAL - 254 Private [PRIVATEOID] y see below OPTIONAL - 255 reserved - - 6 - 251 Available for assignment by IETF Standards Action. - -A.1.1 Private Algorithm Types - - Algorithm number 253 is reserved for private use and will never be - assigned to a specific algorithm. The public key area in the DNSKEY - RR and the signature area in the RRSIG RR begin with a wire encoded - - - -Arends, et al. Expires August 16, 2004 [Page 32] - -Internet-Draft DNSSEC Resource Records February 2004 - - - domain name, which MUST NOT be compressed. The domain name indicates - the private algorithm to use and the remainder of the public key area - is determined by that algorithm. Entities should only use domain - names they control to designate their private algorithms. - - Algorithm number 254 is reserved for private use and will never be - assigned to a specific algorithm. 
The public key area in the DNSKEY - RR and the signature area in the RRSIG RR begin with an unsigned - length byte followed by a BER encoded Object Identifier (ISO OID) of - that length. The OID indicates the private algorithm in use and the - remainder of the area is whatever is required by that algorithm. - Entities should only use OIDs they control to designate their private - algorithms. - -A.2 DNSSEC Digest Types - - A "Digest Type" field in the DS resource record types identifies the - cryptographic digest algorithm used by the resource record. The - following table lists the currently defined digest algorithm types. - - VALUE Algorithm STATUS - 0 Reserved - - 1 SHA-1 MANDATORY - 2-255 Unassigned - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 33] - -Internet-Draft DNSSEC Resource Records February 2004 - - -Appendix B. Key Tag Calculation - - The Key Tag field in the RRSIG and DS resource record types provides - a mechanism for selecting a public key efficiently. In most cases, a - combination of owner name, algorithm, and key tag can efficiently - identify a DNSKEY record. Both the RRSIG and DS resource records - have corresponding DNSKEY records. The Key Tag field in the RRSIG - and DS records can be used to help select the corresponding DNSKEY RR - efficiently when more than one candidate DNSKEY RR is available. - - However, it is essential to note that the key tag is not a unique - identifier. It is theoretically possible for two distinct DNSKEY RRs - to have the same owner name, the same algorithm, and the same key - tag. The key tag is used to limit the possible candidate keys, but it - does not uniquely identify a DNSKEY record. Implementations MUST NOT - assume that the key tag uniquely identifies a DNSKEY RR. - - The key tag is the same for all DNSKEY algorithm types except - algorithm 1 (please see Appendix B.1 for the definition of the key - tag for algorithm 1). 
The key tag algorithm is the sum of the wire - format of the DNSKEY RDATA broken into 2 octet groups. First the - RDATA (in wire format) is treated as a series of 2 octet groups, - these groups are then added together ignoring any carry bits. A - reference implementation of the key tag algorithm is as an ANSI C - function is given below with the RDATA portion of the DNSKEY RR is - used as input. It is not necessary to use the following reference - code verbatim, but the numerical value of the Key Tag MUST be - identical to what the reference implementation would generate for the - same input. - - Please note that the algorithm for calculating the Key Tag is almost - but not completely identical to the familiar ones complement checksum - used in many other Internet protocols. Key Tags MUST be calculated - using the algorithm described here rather than the ones complement - checksum. - - The following ANSI C reference implementation calculates the value of - a Key Tag. This reference implementation applies to all algorithm - types except algorithm 1 (see Appendix B.1). The input is the wire - format of the RDATA portion of the DNSKEY RR. The code is written - for clarity, not efficiency. - - /* - * Assumes that int is at least 16 bits. - * First octet of the key tag is the most significant 8 bits of the - * return value; - * Second octet of the key tag is the least significant 8 bits of the - * return value. - - - -Arends, et al. Expires August 16, 2004 [Page 34] - -Internet-Draft DNSSEC Resource Records February 2004 - - - */ - - unsigned int - keytag ( - unsigned char key[], /* the RDATA part of the DNSKEY RR */ - unsigned int keysize /* the RDLENGTH */ - ) - { - unsigned long ac; /* assumed to be 32 bits or larger */ - int i; /* loop index */ - - for ( ac = 0, i = 0; i < keysize; ++i ) - ac += (i & 1) ? 
key[i] : key[i] << 8; - ac += (ac >> 16) & 0xFFFF; - return ac & 0xFFFF; - } - - -B.1 Key Tag for Algorithm 1 (RSA/MD5) - - The key tag for algorithm 1 (RSA/MD5) is defined differently than the - key tag for all other algorithms, for historical reasons. For a - DNSKEY RR with algorithm 1, the key tag is defined to be the most - significant 16 bits of the least significant 24 bits in the public - key modulus (in other words, the 4th to last and 3rd to last octets - of the public key modulus). - - Please note that Algorithm 1 is NOT RECOMMENDED. - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 35] - -Internet-Draft DNSSEC Resource Records February 2004 - - -Intellectual Property Statement - - The IETF takes no position regarding the validity or scope of any - intellectual property or other rights that might be claimed to - pertain to the implementation or use of the technology described in - this document or the extent to which any license under such rights - might or might not be available; neither does it represent that it - has made any effort to identify any such rights. Information on the - IETF's procedures with respect to rights in standards-track and - standards-related documentation can be found in BCP-11. Copies of - claims of rights made available for publication and any assurances of - licenses to be made available, or the result of an attempt made to - obtain a general license or permission for the use of such - proprietary rights by implementors or users of this specification can - be obtained from the IETF Secretariat. - - The IETF invites any interested party to bring to its attention any - copyrights, patents or patent applications, or other proprietary - rights which may cover technology that may be required to practice - this standard. Please address the information to the IETF Executive - Director. - - -Full Copyright Statement - - Copyright (C) The Internet Society (2004). All Rights Reserved. 
- - This document and translations of it may be copied and furnished to - others, and derivative works that comment on or otherwise explain it - or assist in its implementation may be prepared, copied, published - and distributed, in whole or in part, without restriction of any - kind, provided that the above copyright notice and this paragraph are - included on all such copies and derivative works. However, this - document itself may not be modified in any way, such as by removing - the copyright notice or references to the Internet Society or other - Internet organizations, except as needed for the purpose of - developing Internet standards in which case the procedures for - copyrights defined in the Internet Standards process must be - followed, or as required to translate it into languages other than - English. - - The limited permissions granted above are perpetual and will not be - revoked by the Internet Society or its successors or assignees. - - This document and the information contained herein is provided on an - "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING - TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING - BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION - - - -Arends, et al. Expires August 16, 2004 [Page 36] - -Internet-Draft DNSSEC Resource Records February 2004 - - - HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF - MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - - -Acknowledgement - - Funding for the RFC Editor function is currently provided by the - Internet Society. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 16, 2004 [Page 37] - - + + +DNS Extensions R. Arends +Internet-Draft Telematica Instituut +Expires: November 15, 2004 R. Austein + ISC + M. Larson + VeriSign + D. Massey + USC/ISI + S. 
Rose + NIST + May 17, 2004 + + + Resource Records for the DNS Security Extensions + draft-ietf-dnsext-dnssec-records-08 + +Status of this Memo + + This document is an Internet-Draft and is in full conformance with + all provisions of Section 10 of RFC2026. + + Internet-Drafts are working documents of the Internet Engineering + Task Force (IETF), its areas, and its working groups. Note that other + groups may also distribute working documents as Internet-Drafts. + + Internet-Drafts are draft documents valid for a maximum of six months + and may be updated, replaced, or obsoleted by other documents at any + time. It is inappropriate to use Internet-Drafts as reference + material or to cite them other than as "work in progress." + + The list of current Internet-Drafts can be accessed at http:// + www.ietf.org/ietf/1id-abstracts.txt. + + The list of Internet-Draft Shadow Directories can be accessed at + http://www.ietf.org/shadow.html. + + This Internet-Draft will expire on November 15, 2004. + +Copyright Notice + + Copyright (C) The Internet Society (2004). All Rights Reserved. + +Abstract + + This document is part of a family of documents that describes the DNS + Security Extensions (DNSSEC). The DNS Security Extensions are a + collection of resource records and protocol modifications that + provide source authentication for the DNS. This document defines the + public key (DNSKEY), delegation signer (DS), resource record digital + + + +Arends, et al. Expires November 15, 2004 [Page 1] + +Internet-Draft DNSSEC Resource Records May 2004 + + + signature (RRSIG), and authenticated denial of existence (NSEC) + resource records. The purpose and format of each resource record is + described in detail, and an example of each resource record is given. + + This document obsoletes RFC 2535 and incorporates changes from all + updates to RFC 2535. + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 + 1.1 Background and Related Documents . 
. . . . . . . . . . . . 4 + 1.2 Reserved Words . . . . . . . . . . . . . . . . . . . . . . 4 + 1.3 Editors' Notes . . . . . . . . . . . . . . . . . . . . . . 4 + 1.3.1 Technical Changes or Corrections . . . . . . . . . . . 4 + 1.3.2 Typos and Minor Corrections . . . . . . . . . . . . . 5 + 2. The DNSKEY Resource Record . . . . . . . . . . . . . . . . . . 6 + 2.1 DNSKEY RDATA Wire Format . . . . . . . . . . . . . . . . . 6 + 2.1.1 The Flags Field . . . . . . . . . . . . . . . . . . . 6 + 2.1.2 The Protocol Field . . . . . . . . . . . . . . . . . . 7 + 2.1.3 The Algorithm Field . . . . . . . . . . . . . . . . . 7 + 2.1.4 The Public Key Field . . . . . . . . . . . . . . . . . 7 + 2.1.5 Notes on DNSKEY RDATA Design . . . . . . . . . . . . . 7 + 2.2 The DNSKEY RR Presentation Format . . . . . . . . . . . . 7 + 2.3 DNSKEY RR Example . . . . . . . . . . . . . . . . . . . . 8 + 3. The RRSIG Resource Record . . . . . . . . . . . . . . . . . . 9 + 3.1 RRSIG RDATA Wire Format . . . . . . . . . . . . . . . . . 9 + 3.1.1 The Type Covered Field . . . . . . . . . . . . . . . . 10 + 3.1.2 The Algorithm Number Field . . . . . . . . . . . . . . 10 + 3.1.3 The Labels Field . . . . . . . . . . . . . . . . . . . 10 + 3.1.4 Original TTL Field . . . . . . . . . . . . . . . . . . 11 + 3.1.5 Signature Expiration and Inception Fields . . . . . . 11 + 3.1.6 The Key Tag Field . . . . . . . . . . . . . . . . . . 11 + 3.1.7 The Signer's Name Field . . . . . . . . . . . . . . . 12 + 3.1.8 The Signature Field . . . . . . . . . . . . . . . . . 12 + 3.2 The RRSIG RR Presentation Format . . . . . . . . . . . . . 13 + 3.3 RRSIG RR Example . . . . . . . . . . . . . . . . . . . . . 13 + 4. The NSEC Resource Record . . . . . . . . . . . . . . . . . . . 15 + 4.1 NSEC RDATA Wire Format . . . . . . . . . . . . . . . . . . 15 + 4.1.1 The Next Domain Name Field . . . . . . . . . . . . . . 15 + 4.1.2 The Type Bit Maps Field . . . . . . . . . . . . . . . 16 + 4.1.3 Inclusion of Wildcard Names in NSEC RDATA . . 
. . . . 17 + 4.2 The NSEC RR Presentation Format . . . . . . . . . . . . . 17 + 4.3 NSEC RR Example . . . . . . . . . . . . . . . . . . . . . 17 + 5. The DS Resource Record . . . . . . . . . . . . . . . . . . . . 19 + 5.1 DS RDATA Wire Format . . . . . . . . . . . . . . . . . . . 19 + 5.1.1 The Key Tag Field . . . . . . . . . . . . . . . . . . 20 + 5.1.2 The Algorithm Field . . . . . . . . . . . . . . . . . 20 + 5.1.3 The Digest Type Field . . . . . . . . . . . . . . . . 20 + + + +Arends, et al. Expires November 15, 2004 [Page 2] + +Internet-Draft DNSSEC Resource Records May 2004 + + + 5.1.4 The Digest Field . . . . . . . . . . . . . . . . . . . 20 + 5.2 Processing of DS RRs When Validating Responses . . . . . . 20 + 5.3 The DS RR Presentation Format . . . . . . . . . . . . . . 21 + 5.4 DS RR Example . . . . . . . . . . . . . . . . . . . . . . 21 + 6. Canonical Form and Order of Resource Records . . . . . . . . . 22 + 6.1 Canonical DNS Name Order . . . . . . . . . . . . . . . . . 22 + 6.2 Canonical RR Form . . . . . . . . . . . . . . . . . . . . 22 + 6.3 Canonical RR Ordering Within An RRset . . . . . . . . . . 23 + 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24 + 8. Security Considerations . . . . . . . . . . . . . . . . . . . 25 + 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 26 + 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 27 + 10.1 Normative References . . . . . . . . . . . . . . . . . . . . 27 + 10.2 Informative References . . . . . . . . . . . . . . . . . . . 28 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 28 + A. DNSSEC Algorithm and Digest Types . . . . . . . . . . . . . . 30 + A.1 DNSSEC Algorithm Types . . . . . . . . . . . . . . . . . . 30 + A.1.1 Private Algorithm Types . . . . . . . . . . . . . . . 30 + A.2 DNSSEC Digest Types . . . . . . . . . . . . . . . . . . . 31 + B. Key Tag Calculation . . . . . . . . . . . . . . . . . . . . . 
32 + B.1 Key Tag for Algorithm 1 (RSA/MD5) . . . . . . . . . . . . 33 + Intellectual Property and Copyright Statements . . . . . . . . 34 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 3] + +Internet-Draft DNSSEC Resource Records May 2004 + + +1. Introduction + + The DNS Security Extensions (DNSSEC) introduce four new DNS resource + record types: DNSKEY, RRSIG, NSEC, and DS. This document defines the + purpose of each resource record (RR), the RR's RDATA format, and its + presentation format (ASCII representation). + +1.1 Background and Related Documents + + The reader is assumed to be familiar with the basic DNS concepts + described in [RFC1034], [RFC1035] and subsequent RFCs that update + them: [RFC2136], [RFC2181] and [RFC2308]. + + This document is part of a family of documents that define the DNS + security extensions. The DNS security extensions (DNSSEC) are a + collection of resource records and DNS protocol modifications that + add source authentication and data integrity to the Domain Name + System (DNS). An introduction to DNSSEC and definitions of common + terms can be found in [I-D.ietf-dnsext-dnssec-intro]. A description + of DNS protocol modifications can be found in + [I-D.ietf-dnsext-dnssec-protocol]. This document defines the DNSSEC + resource records. + +1.2 Reserved Words + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in RFC 2119 [RFC2119]. + +1.3 Editors' Notes + +1.3.1 Technical Changes or Corrections + + Please report technical corrections to dnssec-editors@east.isi.edu. + To assist the editors, please indicate the text in error and point + out the RFC that defines the correct behavior. 
For a technical + change where no RFC that defines the correct behavior, or if there's + more than one applicable RFC and the definitions conflict, please + post the issue to namedroppers. + + An example correction to dnssec-editors might be: Page X says + "DNSSEC RRs SHOULD be automatically returned in responses." This was + true in RFC 2535, but RFC 3225 (Section 3, 3rd paragraph) says the + DNSSEC RR types MUST NOT be included in responses unless the resolver + indicated support for DNSSEC. + + + + + + +Arends, et al. Expires November 15, 2004 [Page 4] + +Internet-Draft DNSSEC Resource Records May 2004 + + +1.3.2 Typos and Minor Corrections + + Please report any typos corrections to dnssec-editors@east.isi.edu. + To assist the editors, please provide enough context for us to find + the incorrect text quickly. + + An example message to dnssec-editors might be: page X says "the + DNSSEC standard has been in development for over 1 years". It + should read "over 10 years". + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 5] + +Internet-Draft DNSSEC Resource Records May 2004 + + +2. The DNSKEY Resource Record + + DNSSEC uses public key cryptography to sign and authenticate DNS + resource record sets (RRsets). The public keys are stored in DNSKEY + resource records and are used in the DNSSEC authentication process + described in [I-D.ietf-dnsext-dnssec-protocol]: A zone signs its + authoritative RRsets using a private key and stores the corresponding + public key in a DNSKEY RR. A resolver can then use the public key to + authenticate signatures covering the RRsets in the zone. + + The DNSKEY RR is not intended as a record for storing arbitrary + public keys and MUST NOT be used to store certificates or public keys + that do not directly relate to the DNS infrastructure. + + The Type value for the DNSKEY RR type is 48. + + The DNSKEY RR is class independent. 
+ + The DNSKEY RR has no special TTL requirements. + +2.1 DNSKEY RDATA Wire Format + + The RDATA for a DNSKEY RR consists of a 2 octet Flags Field, a 1 + octet Protocol Field, a 1 octet Algorithm Field, and the Public Key + Field. + + 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Flags | Protocol | Algorithm | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + / / + / Public Key / + / / + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + +2.1.1 The Flags Field + + Bit 7 of the Flags field is the Zone Key flag. If bit 7 has value 1, + then the DNSKEY record holds a DNS zone key and the DNSKEY RR's owner + name MUST be the name of a zone. If bit 7 has value 0, then the + DNSKEY record holds some other type of DNS public key, such as a + public key used by TKEY and MUST NOT be used to verify RRSIGs that + cover RRsets. + + Bit 15 of the Flags field is the Secure Entry Point flag, described + in [RFC3757]. If bit 15 has value 1, then the DNSKEY record holds a + + + +Arends, et al. Expires November 15, 2004 [Page 6] + +Internet-Draft DNSSEC Resource Records May 2004 + + + key intended for use as a secure entry point. This flag is only + intended to be to a hint to zone signing or debugging software as to + the intended use of this DNSKEY record; validators MUST NOT alter + their behavior during the signature validation process in any way + based on the setting of this bit. This also means a DNSKEY RR with + the SEP bit set would also need the Zone Key flag set in order to + legally be able to generate signatures. A DNSKEY RR with the SEP set + and the Zone Key flag not set is an invalid DNSKEY. + + Bits 0-6 and 8-14 are reserved: these bits MUST have value 0 upon + creation of the DNSKEY RR, and MUST be ignored upon reception. 
+
+2.1.2 The Protocol Field
+
+ The Protocol Field MUST have value 3 and the DNSKEY RR MUST be
+ treated as invalid during signature verification if found to be some
+ value other than 3.
+
+2.1.3 The Algorithm Field
+
+ The Algorithm field identifies the public key's cryptographic
+ algorithm and determines the format of the Public Key field. A list
+ of DNSSEC algorithm types can be found in Appendix A.1
+
+2.1.4 The Public Key Field
+
+ The Public Key Field holds the public key material. The format
+ depends on the algorithm of the key being stored and are described in
+ separate documents.
+
+2.1.5 Notes on DNSKEY RDATA Design
+
+ Although the Protocol Field always has value 3, it is retained for
+ backward compatibility with early versions of the KEY record.
+
+2.2 The DNSKEY RR Presentation Format
+
+ The presentation format of the RDATA portion is as follows:
+
+ The Flag field MUST be represented as an unsigned decimal integer
+ with a value of 0, 256, or 257.
+
+ The Protocol Field MUST be represented as an unsigned decimal integer
+ with a value of 3.
+
+ The Algorithm field MUST be represented either as an unsigned decimal
+ integer or as an algorithm mnemonic as specified in Appendix A.1.
+
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 7]
+
+Internet-Draft DNSSEC Resource Records May 2004
+
+
+ The Public Key field MUST be represented as a Base64 encoding of the
+ Public Key. Whitespace is allowed within the Base64 text. For a
+ definition of Base64 encoding, see [RFC1521] Section 5.2.
+
+2.3 DNSKEY RR Example
+
+ The following DNSKEY RR stores a DNS zone key for example.com.
+
+ example.com. 86400 IN DNSKEY 256 3 5 ( AQPSKmynfzW4kyBv015MUG2DeIQ3
+ Cbl+BBZH4b/0PY1kxkmvHjcZc8no
+ kfzj31GajIQKY+5CptLr3buXA10h
+ WqTkF7H6RfoRqXQeogmMHfpftf6z
+ Mv1LyBUgia7za6ZEzOJBOztyvhjL
+ 742iU/TpPSEDhm2SNKLijfUppn1U
+ aNvv4w== )
+
+ The first four text fields specify the owner name, TTL, Class, and RR
+ type (DNSKEY).
Value 256 indicates that the Zone Key bit (bit 7) in + the Flags field has value 1. Value 3 is the fixed Protocol value. + Value 5 indicates the public key algorithm. Appendix A.1 identifies + algorithm type 5 as RSA/SHA1 and indicates that the format of the + RSA/SHA1 public key field is defined in [RFC3110]. The remaining + text is a Base64 encoding of the public key. + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 8] + +Internet-Draft DNSSEC Resource Records May 2004 + + +3. The RRSIG Resource Record + + DNSSEC uses public key cryptography to sign and authenticate DNS + resource record sets (RRsets). Digital signatures are stored in + RRSIG resource records and are used in the DNSSEC authentication + process described in [I-D.ietf-dnsext-dnssec-protocol]. A validator + can use these RRSIG RRs to authenticate RRsets from the zone. The + RRSIG RR MUST only be used to carry verification material (digital + signatures) used to secure DNS operations. + + An RRSIG record contains the signature for an RRset with a particular + name, class, and type. The RRSIG RR specifies a validity interval + for the signature and uses the Algorithm, the Signer's Name, and the + Key Tag to identify the DNSKEY RR containing the public key that a + validator can use to verify the signature. + + Because every authoritative RRset in a zone must be protected by a + digital signature, RRSIG RRs must be present for names containing a + CNAME RR. This is a change to the traditional DNS specification + [RFC1034] that stated that if a CNAME is present for a name, it is + the only type allowed at that name. A RRSIG and NSEC (see Section 4) + MUST exist for the same name as a CNAME resource record in a signed + zone. + + The Type value for the RRSIG RR type is 46. + + The RRSIG RR is class independent. + + An RRSIG RR MUST have the same class as the RRset it covers. 
+ + The TTL value of an RRSIG RR SHOULD match the TTL value of the RRset + it covers. This is an exception to the [RFC2181] rules for TTL + values of individual RRs within a RRset: individual RRSIG with the + same owner name will have different TTL values if the RRsets they + cover have different TTL values. + +3.1 RRSIG RDATA Wire Format + + The RDATA for an RRSIG RR consists of a 2 octet Type Covered field, a + 1 octet Algorithm field, a 1 octet Labels field, a 4 octet Original + TTL field, a 4 octet Signature Expiration field, a 4 octet Signature + Inception field, a 2 octet Key tag, the Signer's Name field, and the + Signature field. + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 9] + +Internet-Draft DNSSEC Resource Records May 2004 + + + 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type Covered | Algorithm | Labels | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Original TTL | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Signature Expiration | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Signature Inception | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Key Tag | / + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Signer's Name / + / / + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + / / + / Signature / + / / + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + +3.1.1 The Type Covered Field + + The Type Covered field identifies the type of the RRset that is + covered by this RRSIG record. + +3.1.2 The Algorithm Number Field + + The Algorithm Number field identifies the cryptographic algorithm + used to create the signature. 
A list of DNSSEC algorithm types can
+ be found in Appendix A.1
+
+3.1.3 The Labels Field
+
+ The Labels field specifies the number of labels in the original RRSIG
+ RR owner name. The significance of this field is that a validator
+ uses it to determine if the answer was synthesized from a wildcard.
+ If so, it can be used to determine what owner name was used in
+ generating the signature.
+
+ To validate a signature, the validator needs the original owner name
+ that was used to create the signature. If the original owner name
+ contains a wildcard label ("*"), the owner name may have been
+ expanded by the server during the response process, in which case the
+ validator will need to reconstruct the original owner name in order
+ to validate the signature. [I-D.ietf-dnsext-dnssec-protocol]
+ describes how to use the Labels field to reconstruct the original
+ owner name.
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 10]
+
+Internet-Draft DNSSEC Resource Records May 2004
+
+
+ The value of the Labels field MUST NOT count either the null (root)
+ label that terminates the owner name or the wildcard label (if
+ present). The value of the Labels field MUST be less than or equal
+ to the number of labels in the RRSIG owner name. For example,
+ "www.example.com." has a Labels field value of 3, and
+ "*.example.com." has a Labels field value of 2. Root (".") has a
+ Labels field value of 0.
+
+ Although the wildcard label is not included in the count stored in
+ the Labels field of the RRSIG RR, the wildcard label is part of the
+ RRset's owner name when generating or verifying the signature.
+
+3.1.4 Original TTL Field
+
+ The Original TTL field specifies the TTL of the covered RRset as it
+ appears in the authoritative zone.
+
+ The Original TTL field is necessary because a caching resolver
+ decrements the TTL value of a cached RRset. In order to validate a
+ signature, a validator requires the original TTL.
+ [I-D.ietf-dnsext-dnssec-protocol] describes how to use the Original
+ TTL field value to reconstruct the original TTL.
+
+3.1.5 Signature Expiration and Inception Fields
+
+ The Signature Expiration and Inception fields specify a validity
+ period for the signature. The RRSIG record MUST NOT be used for
+ authentication prior to the inception date and MUST NOT be used for
+ authentication after the expiration date.
+
+ Signature Expiration and Inception field values are in POSIX.1 time
+ format: a 32-bit unsigned number of seconds elapsed since 1 January
+ 1970 00:00:00 UTC, ignoring leap seconds, in network byte order. The
+ longest interval which can be expressed by this format without
+ wrapping is approximately 136 years. An RRSIG RR can have an
+ Expiration field value which is numerically smaller than the
+ Inception field value if the expiration field value is near the
+ 32-bit wrap-around point or if the signature is long lived. Because
+ of this, all comparisons involving these fields MUST use "Serial
+ number arithmetic" as defined in [RFC1982]. As a direct consequence,
+ the values contained in these fields cannot refer to dates more than
+ 68 years in either the past or the future.
+
+3.1.6 The Key Tag Field
+
+ The Key Tag field contains the key tag value of the DNSKEY RR that
+ validates this signature. Appendix B explains how to calculate Key
+ Tag values.
+
+
+
+Arends, et al. Expires November 15, 2004 [Page 11]
+
+Internet-Draft DNSSEC Resource Records May 2004
+
+
+3.1.7 The Signer's Name Field
+
+ The Signer's Name field value identifies the owner name of the DNSKEY
+ RR which a validator should use to validate this signature. The
+ Signer's Name field MUST contain the name of the zone of the covered
+ RRset. A sender MUST NOT use DNS name compression on the Signer's
+ Name field when transmitting a RRSIG RR.
+ +3.1.8 The Signature Field + + The Signature field contains the cryptographic signature that covers + the RRSIG RDATA (excluding the Signature field) and the RRset + specified by the RRSIG owner name, RRSIG class, and RRSIG Type + Covered field. The format of this field depends on the algorithm in + use and these formats are described in separate companion documents. + +3.1.8.1 Signature Calculation + + A signature covers the RRSIG RDATA (excluding the Signature Field) + and covers the data RRset specified by the RRSIG owner name, RRSIG + class, and RRSIG Type Covered fields. The RRset is in canonical form + (see Section 6) and the set RR(1),...RR(n) is signed as follows: + + signature = sign(RRSIG_RDATA | RR(1) | RR(2)... ) where + + "|" denotes concatenation; + + RRSIG_RDATA is the wire format of the RRSIG RDATA fields + with the Signer's Name field in canonical form and + the Signature field excluded; + + RR(i) = owner | type | class | TTL | RDATA length | RDATA + + "owner" is the fully qualified owner name of the RRset in + canonical form (for RRs with wildcard owner names, the + wildcard label is included in the owner name); + + Each RR MUST have the same owner name as the RRSIG RR; + + Each RR MUST have the same class as the RRSIG RR; + + Each RR in the RRset MUST have the RR type listed in the + RRSIG RR's Type Covered field; + + Each RR in the RRset MUST have the TTL listed in the + RRSIG Original TTL Field; + + Any DNS names in the RDATA field of each RR MUST be in + + + +Arends, et al. Expires November 15, 2004 [Page 12] + +Internet-Draft DNSSEC Resource Records May 2004 + + + canonical form; and + + The RRset MUST be sorted in canonical order. + + See Section 6.1 and Section 6.2 for details on canonical name order + and canonical RR form. + +3.2 The RRSIG RR Presentation Format + + The presentation format of the RDATA portion is as follows: + + The Type Covered field is represented as a RR type mnemonic. 
When + the mnemonic is not known, the TYPE representation as described in + [RFC3597] (section 5) MUST be used. + + The Algorithm field value MUST be represented either as an unsigned + decimal integer or as an algorithm mnemonic as specified in Appendix + A.1. + + The Labels field value MUST be represented as an unsigned decimal + integer. + + The Original TTL field value MUST be represented as an unsigned + decimal integer. + + The Signature Expiration Time and Inception Time field values MUST be + represented either as seconds since 1 January 1970 00:00:00 UTC or in + the form YYYYMMDDHHmmSS in UTC, where: + YYYY is the year (0000-9999, but see Section 3.1.5); + MM is the month number (01-12); + DD is the day of the month (01-31); + HH is the hour in 24 hours notation (00-23); + mm is the minute (00-59); and + SS is the second (00-59). + + The Key Tag field MUST be represented as an unsigned decimal integer. + + The Signer's Name field value MUST be represented as a domain name. + + The Signature field is represented as a Base64 encoding of the + signature. Whitespace is allowed within the Base64 text. See + Section 2.2. + +3.3 RRSIG RR Example + + The following RRSIG RR stores the signature for the A RRset of + host.example.com: + + + + +Arends, et al. Expires November 15, 2004 [Page 13] + +Internet-Draft DNSSEC Resource Records May 2004 + + + host.example.com. 86400 IN RRSIG A 5 3 86400 20030322173103 ( + 20030220173103 2642 example.com. + oJB1W6WNGv+ldvQ3WDG0MQkg5IEhjRip8WTr + PYGv07h108dUKGMeDPKijVCHX3DDKdfb+v6o + B9wfuh3DTJXUAfI/M0zmO/zz8bW0Rznl8O3t + GNazPwQKkRN20XPXV6nwwfoXmJQbsLNrLfkG + J5D6fwFm8nN+6pBzeDQfsS3Ap3o= ) + + The first four fields specify the owner name, TTL, Class, and RR type + (RRSIG). The "A" represents the Type Covered field. The value 5 + identifies the algorithm used (RSA/SHA1) to create the signature. + The value 3 is the number of Labels in the original owner name. 
The + value 86400 in the RRSIG RDATA is the Original TTL for the covered A + RRset. 20030322173103 and 20030220173103 are the expiration and + inception dates, respectively. 2642 is the Key Tag, and example.com. + is the Signer's Name. The remaining text is a Base64 encoding of the + signature. + + Note that combination of RRSIG RR owner name, class, and Type Covered + indicate that this RRSIG covers the "host.example.com" A RRset. The + Label value of 3 indicates that no wildcard expansion was used. The + Algorithm, Signer's Name, and Key Tag indicate this signature can be + authenticated using an example.com zone DNSKEY RR whose algorithm is + 5 and key tag is 2642. + + + + + + + + + + + + + + + + + + + + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 14] + +Internet-Draft DNSSEC Resource Records May 2004 + + +4. The NSEC Resource Record + + The NSEC resource record lists two separate things: the owner name of + the next authoritative RRset in the canonical ordering of the zone, + and the set of RR types present at the NSEC RR's owner name. The + complete set of NSEC RRs in a zone both indicate which authoritative + RRsets exist in a zone and also form a chain of authoritative owner + names in the zone. This information is used to provide authenticated + denial of existence for DNS data, as described in + [I-D.ietf-dnsext-dnssec-protocol]. + + Because every authoritative name in a zone must be part of the NSEC + chain, NSEC RRs must be present for names containing a CNAME RR. + This is a change to the traditional DNS specification [RFC1034] that + stated that if a CNAME is present for a name, it is the only type + allowed at that name. An RRSIG (see Section 3) and NSEC MUST exist + for the same name as a CNAME resource record in a signed zone. + + See [I-D.ietf-dnsext-dnssec-protocol] for discussion of how a zone + signer determines precisely which NSEC RRs it needs to include in a + zone. + + The type value for the NSEC RR is 47. 
+ + The NSEC RR is class independent. + + The NSEC RR SHOULD have the same TTL value as the SOA minimum TTL + field. This is in the spirit of negative caching [RFC2308]. + +4.1 NSEC RDATA Wire Format + + The RDATA of the NSEC RR is as shown below: + + 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + / Next Domain Name / + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + / Type Bit Maps / + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + +4.1.1 The Next Domain Name Field + + The Next Domain Name field contains the owner name of the next + authoritative owner name in the canonical ordering of the zone; see + Section 6.1 for an explanation of canonical ordering. The value of + the Next Domain Name field in the last NSEC record in the zone is the + + + +Arends, et al. Expires November 15, 2004 [Page 15] + +Internet-Draft DNSSEC Resource Records May 2004 + + + name of the zone apex (the owner name of the zone's SOA RR). + + A sender MUST NOT use DNS name compression on the Next Domain Name + field when transmitting an NSEC RR. + + Owner names of RRsets not authoritative for the given zone (such as + glue records) MUST NOT be listed in the Next Domain Name unless at + least one authoritative RRset exists at the same owner name. + +4.1.2 The Type Bit Maps Field + + The Type Bit Maps field identifies the RRset types which exist at the + NSEC RR's owner name. + + The RR type space is split into 256 window blocks, each representing + the low-order 8 bits of the 16-bit RR type space. Each block that has + at least one active RR type is encoded using a single octet window + number (from 0 to 255), a single octet bitmap length (from 1 to 32) + indicating the number of octets used for the window block's bitmap, + and up to 32 octets (256 bits) of bitmap. 
+ + Blocks are present in the NSEC RR RDATA in increasing numerical + order. + + Type Bit Maps Field = ( Window Block # | Bitmap Length | Bitmap )+ + + where "|" denotes concatenation. + + Each bitmap encodes the low-order 8 bits of RR types within the + window block, in network bit order. The first bit is bit 0. For + window block 0, bit 1 corresponds to RR type 1 (A), bit 2 corresponds + to RR type 2 (NS), and so forth. For window block 1, bit 1 + corresponds to RR type 257, bit 2 to RR type 258. If a bit is set to + 1, it indicates that an RRset of that type is present for the NSEC + RR's owner name. If a bit is set to 0, it indicates that no RRset of + that type is present for the NSEC RR's owner name. + + Bits representing pseudo-types MUST be set to 0, since they do not + appear in zone data. If encountered, they MUST be ignored upon + reading. + + Blocks with no types present MUST NOT be included. Trailing zero + octets in the bitmap MUST be omitted. The length of each block's + bitmap is determined by the type code with the largest numerical + value, within that block, among the set of RR types present at the + NSEC RR's owner name. Trailing zero octets not specified MUST be + interpreted as zero octets. + + + + +Arends, et al. Expires November 15, 2004 [Page 16] + +Internet-Draft DNSSEC Resource Records May 2004 + + + The bitmap for the NSEC RR at a delegation point requires special + attention. Bits corresponding to the delegation NS RRset and the RR + types for which the parent zone has authoritative data MUST be set to + 1; bits corresponding to any non-NS RRset for which the parent is not + authoritative MUST be set to 0. + + A zone MUST NOT include an NSEC RR for any domain name that only + holds glue records. + +4.1.3 Inclusion of Wildcard Names in NSEC RDATA + + If a wildcard owner name appears in a zone, the wildcard label ("*") + is treated as a literal symbol and is treated the same as any other + owner name for purposes of generating NSEC RRs. 
Wildcard owner names + appear in the Next Domain Name field without any wildcard expansion. + [I-D.ietf-dnsext-dnssec-protocol] describes the impact of wildcards + on authenticated denial of existence. + +4.2 The NSEC RR Presentation Format + + The presentation format of the RDATA portion is as follows: + + The Next Domain Name field is represented as a domain name. + + The Type Bit Maps field is represented as a sequence of RR type + mnemonics. When the mnemonic is not known, the TYPE representation + as described in [RFC3597] (section 5) MUST be used. + +4.3 NSEC RR Example + + The following NSEC RR identifies the RRsets associated with + alfa.example.com. and identifies the next authoritative name after + alfa.example.com. + + alfa.example.com. 86400 IN NSEC host.example.com. ( + A MX RRSIG NSEC TYPE1234 ) + + The first four text fields specify the name, TTL, Class, and RR type + (NSEC). The entry host.example.com. is the next authoritative name + after alfa.example.com. in canonical order. The A, MX, RRSIG, NSEC, + and TYPE1234 mnemonics indicate there are A, MX, RRSIG, NSEC, and + TYPE1234 RRsets associated with the name alfa.example.com. + + The RDATA section of the NSEC RR above would be encoded as: + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 17] + +Internet-Draft DNSSEC Resource Records May 2004 + + + 0x04 'h' 'o' 's' 't' + 0x07 'e' 'x' 'a' 'm' 'p' 'l' 'e' + 0x03 'c' 'o' 'm' 0x00 + 0x00 0x06 0x40 0x01 0x00 0x00 0x00 0x03 + 0x04 0x1b 0x00 0x00 0x00 0x00 0x00 0x00 + 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 + 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 + 0x00 0x00 0x00 0x00 0x20 + + Assuming that the validator can authenticate this NSEC record, it + could be used to prove that beta.example.com does not exist, or could + be used to prove there is no AAAA record associated with + alfa.example.com. Authenticated denial of existence is discussed in + [I-D.ietf-dnsext-dnssec-protocol]. 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 18] + +Internet-Draft DNSSEC Resource Records May 2004 + + +5. The DS Resource Record + + The DS Resource Record refers to a DNSKEY RR and is used in the DNS + DNSKEY authentication process. A DS RR refers to a DNSKEY RR by + storing the key tag, algorithm number, and a digest of the DNSKEY RR. + Note that while the digest should be sufficient to identify the + public key, storing the key tag and key algorithm helps make the + identification process more efficient. By authenticating the DS + record, a resolver can authenticate the DNSKEY RR to which the DS + record points. The key authentication process is described in + [I-D.ietf-dnsext-dnssec-protocol]. + + The DS RR and its corresponding DNSKEY RR have the same owner name, + but they are stored in different locations. The DS RR appears only + on the upper (parental) side of a delegation, and is authoritative + data in the parent zone. For example, the DS RR for "example.com" is + stored in the "com" zone (the parent zone) rather than in the + "example.com" zone (the child zone). The corresponding DNSKEY RR is + stored in the "example.com" zone (the child zone). This simplifies + DNS zone management and zone signing, but introduces special response + processing requirements for the DS RR; these are described in + [I-D.ietf-dnsext-dnssec-protocol]. + + The type number for the DS record is 43. + + The DS resource record is class independent. + + The DS RR has no special TTL requirements. + +5.1 DS RDATA Wire Format + + The RDATA for a DS RR consists of a 2 octet Key Tag field, a one + octet Algorithm field, a one octet Digest Type field, and a Digest + field. 
+ + 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Key Tag | Algorithm | Digest Type | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + / / + / Digest / + / / + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 19] + +Internet-Draft DNSSEC Resource Records May 2004 + + +5.1.1 The Key Tag Field + + The Key Tag field lists the key tag of the DNSKEY RR referred to by + the DS record. + + The Key Tag used by the DS RR is identical to the Key Tag used by + RRSIG RRs. Appendix B describes how to compute a Key Tag. + +5.1.2 The Algorithm Field + + The Algorithm field lists the algorithm number of the DNSKEY RR + referred to by the DS record. + + The algorithm number used by the DS RR is identical to the algorithm + number used by RRSIG and DNSKEY RRs. Appendix A.1 lists the algorithm + number types. + +5.1.3 The Digest Type Field + + The DS RR refers to a DNSKEY RR by including a digest of that DNSKEY + RR. The Digest Type field identifies the algorithm used to construct + the digest. Appendix A.2 lists the possible digest algorithm types. + +5.1.4 The Digest Field + + The DS record refers to a DNSKEY RR by including a digest of that + DNSKEY RR. + + The digest is calculated by concatenating the canonical form of the + fully qualified owner name of the DNSKEY RR with the DNSKEY RDATA, + and then applying the digest algorithm. + + digest = digest_algorithm( DNSKEY owner name | DNSKEY RDATA); + + "|" denotes concatenation + + DNSKEY RDATA = Flags | Protocol | Algorithm | Public Key. + + + The size of the digest may vary depending on the digest algorithm and + DNSKEY RR size. As of the time of writing, the only defined digest + algorithm is SHA-1, which produces a 20 octet digest. 
+ +5.2 Processing of DS RRs When Validating Responses + + The DS RR links the authentication chain across zone boundaries, so + the DS RR requires extra care in processing. The DNSKEY RR referred + to in the DS RR MUST be a DNSSEC zone key. The DNSKEY RR Flags MUST + + + +Arends, et al. Expires November 15, 2004 [Page 20] + +Internet-Draft DNSSEC Resource Records May 2004 + + + have Flags bit 7 set to value 1. If the DNSKEY flags do not indicate + a DNSSEC zone key, the DS RR (and DNSKEY RR it references) MUST NOT + be used in the validation process. + +5.3 The DS RR Presentation Format + + The presentation format of the RDATA portion is as follows: + + The Key Tag field MUST be represented as an unsigned decimal integer. + + The Algorithm field MUST be represented either as an unsigned decimal + integer or as an algorithm mnemonic specified in Appendix A.1. + + The Digest Type field MUST be represented as an unsigned decimal + integer. + + The Digest MUST be represented as a sequence of case-insensitive + hexadecimal digits. Whitespace is allowed within the hexadecimal + text. + +5.4 DS RR Example + + The following example shows a DNSKEY RR and its corresponding DS RR. + + dskey.example.com. 86400 IN DNSKEY 256 3 5 ( AQOeiiR0GOMYkDshWoSKz9Xz + fwJr1AYtsmx3TGkJaNXVbfi/ + 2pHm822aJ5iI9BMzNXxeYCmZ + DRD99WYwYqUSdjMmmAphXdvx + egXd/M5+X7OrzKBaMbCVdFLU + Uh6DhweJBjEVv5f2wwjM9Xzc + nOf+EPbtG9DMBmADjFDc2w/r + ljwvFw== + ) ; key id = 60485 + + dskey.example.com. 86400 IN DS 60485 5 1 ( 2BB183AF5F22588179A53B0A + 98631FAD1A292118 ) + + + The first four text fields specify the name, TTL, Class, and RR type + (DS). Value 60485 is the key tag for the corresponding + "dskey.example.com." DNSKEY RR, and value 5 denotes the algorithm + used by this "dskey.example.com." DNSKEY RR. The value 1 is the + algorithm used to construct the digest, and the rest of the RDATA + text is the digest in hexadecimal. + + + + + + + +Arends, et al. 
Expires November 15, 2004 [Page 21] + +Internet-Draft DNSSEC Resource Records May 2004 + + +6. Canonical Form and Order of Resource Records + + This section defines a canonical form for resource records, a + canonical ordering of DNS names, and a canonical ordering of resource + records within an RRset. A canonical name order is required to + construct the NSEC name chain. A canonical RR form and ordering + within an RRset are required to construct and verify RRSIG RRs. + +6.1 Canonical DNS Name Order + + For purposes of DNS security, owner names are ordered by treating + individual labels as unsigned left-justified octet strings. The + absence of a octet sorts before a zero value octet, and upper case + US-ASCII letters are treated as if they were lower case US-ASCII + letters. + + To compute the canonical ordering of a set of DNS names, start by + sorting the names according to their most significant (rightmost) + labels. For names in which the most significant label is identical, + continue sorting according to their next most significant label, and + so forth. + + For example, the following names are sorted in canonical DNS name + order. The most significant label is "example". At this level, + "example" sorts first, followed by names ending in "a.example", then + names ending "z.example". The names within each level are sorted in + the same way. + + example + a.example + yljkjljk.a.example + Z.a.example + zABC.a.EXAMPLE + z.example + \001.z.example + *.z.example + \200.z.example + + +6.2 Canonical RR Form + + For purposes of DNS security, the canonical form of an RR is the wire + format of the RR where: + 1. Every domain name in the RR is fully expanded (no DNS name + compression) and fully qualified; + 2. All uppercase US-ASCII letters in the owner name of the RR are + replaced by the corresponding lowercase US-ASCII letters; + + + + +Arends, et al. Expires November 15, 2004 [Page 22] + +Internet-Draft DNSSEC Resource Records May 2004 + + + 3. 
If the type of the RR is NS, MD, MF, CNAME, SOA, MB, MG, MR, PTR, + HINFO, MINFO, MX, HINFO, RP, AFSDB, RT, SIG, PX, NXT, NAPTR, KX, + SRV, DNAME, A6, RRSIG or NSEC, all uppercase US-ASCII letters in + the DNS names contained within the RDATA are replaced by the + corresponding lowercase US-ASCII letters; + 4. If the owner name of the RR is a wildcard name, the owner name is + in its original unexpanded form, including the "*" label (no + wildcard substitution); and + 5. The RR's TTL is set to its original value as it appears in the + originating authoritative zone or the Original TTL field of the + covering RRSIG RR. + +6.3 Canonical RR Ordering Within An RRset + + For purposes of DNS security, RRs with the same owner name, class, + and type are sorted by treating the RDATA portion of the canonical + form of each RR as a left-justified unsigned octet sequence where the + absence of an octet sorts before a zero octet. + + [RFC2181] specifies that an RRset is not allowed to contain duplicate + records (multiple RRs with the same owner name, class, type, and + RDATA). Therefore, if an implementation detects duplicate RRs when + putting the RRset in canonical form, the implementation MUST treat + this as a protocol error. If the implementation chooses to handle + this protocol error in the spirit of the robustness principle (being + liberal in what it accepts), the implementation MUST remove all but + one of the duplicate RR(s) for purposes of calculating the canonical + form of the RRset. + + + + + + + + + + + + + + + + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 23] + +Internet-Draft DNSSEC Resource Records May 2004 + + +7. IANA Considerations + + This document introduces no new IANA considerations, because all of + the protocol parameters used in this document have already been + assigned by previous specifications. 
However, since the evolution of + DNSSEC has been long and somewhat convoluted, this section attempts + to describe the current state of the IANA registries and other + protocol parameters which are (or once were) related to DNSSEC. + + Please refer to [I-D.ietf-dnsext-dnssec-protocol] for additional IANA + considerations. + + DNS Resource Record Types: [RFC2535] assigned types 24, 25, and 30 to + the SIG, KEY, and NXT RRs, respectively. [RFC3658] assigned DNS + Resource Record Type 43 to DS. [RFC3755] assigned types 46, 47, + and 48 to the RRSIG, NSEC, and DNSKEY RRs, respectively. [RFC3755] + also marked type 30 (NXT) as Obsolete, and restricted use of types + 24 (SIG) and 25 (KEY) to the "SIG(0)" transaction security + protocol described in [RFC2931] and the transaction KEY Resource + Record described in [RFC2930]. + + DNS Security Algorithm Numbers: [RFC2535] created an IANA registry + for DNSSEC Resource Record Algorithm field numbers, and assigned + values 1-4 and 252-255. [RFC3110] assigned value 5. [RFC3755] + altered this registry to include flags for each entry regarding + its use with the DNS security extensions. Each algorithm entry + could refer to an algorithm that can be used for zone signing, + transaction security (see [RFC2931]) or both. Values 6-251 are + available for assignment by IETF standards action. See Appendix A + for a full listing of the DNS Security Algorithm Numbers entries + at the time of writing and their status of use in DNSSEC. + + [RFC3658] created an IANA registry for DNSSEC DS Digest Types, and + assigned value 0 to reserved and value 1 to SHA-1. + + KEY Protocol Values: [RFC2535] created an IANA Registry for KEY + Protocol Values, but [RFC3445] re-assigned all values other than 3 + to reserved and closed this IANA registry. The registry remains + closed, and all KEY and DNSKEY records are required to have + Protocol Octet value of 3. 
+ + Flag bits in the KEY and DNSKEY RRs: [RFC3755] created an IANA + registry for the DNSSEC KEY and DNSKEY RR flag bits. Initially, + this registry only contains an assignment for bit 7 (the ZONE bit) + and a reservation for bit 15 for the Secure Entry Point flag (SEP + bit) [RFC3757]. Bits 0-6 and 8-14 are available for assignment by + IETF Standards Action. + + + + +Arends, et al. Expires November 15, 2004 [Page 24] + +Internet-Draft DNSSEC Resource Records May 2004 + + +8. Security Considerations + + This document describes the format of four DNS resource records used + by the DNS security extensions, and presents an algorithm for + calculating a key tag for a public key. Other than the items + described below, the resource records themselves introduce no + security considerations. Please see [I-D.ietf-dnsext-dnssec-intro] + and [I-D.ietf-dnsext-dnssec-protocol] for additional security + considerations related to the use of these records. + + The DS record points to a DNSKEY RR using a cryptographic digest, the + key algorithm type and a key tag. The DS record is intended to + identify an existing DNSKEY RR, but it is theoretically possible for + an attacker to generate a DNSKEY that matches all the DS fields. The + probability of constructing such a matching DNSKEY depends on the + type of digest algorithm in use. The only currently defined digest + algorithm is SHA-1, and the working group believes that constructing + a public key which would match the algorithm, key tag, and SHA-1 + digest given in a DS record would be a sufficiently difficult problem + that such an attack is not a serious threat at this time. + + The key tag is used to help select DNSKEY resource records + efficiently, but it does not uniquely identify a single DNSKEY + resource record. It is possible for two distinct DNSKEY RRs to have + the same owner name, the same algorithm type, and the same key tag. 
+ An implementation which uses only the key tag to select a DNSKEY RR + might select the wrong public key in some circumstances. + + + + + + + + + + + + + + + + + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 25] + +Internet-Draft DNSSEC Resource Records May 2004 + + +9. Acknowledgments + + This document was created from the input and ideas of the members of + the DNS Extensions Working Group and working group mailing list. The + editors would like to express their thanks for the comments and + suggestions received during the revision of these security extension + specifications. While explicitly listing everyone who has + contributed during the decade during which DNSSEC has been under + development would be an impossible task, + [I-D.ietf-dnsext-dnssec-intro] includes a list of some of the + participants who were kind enough to comment on these documents. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 26] + +Internet-Draft DNSSEC Resource Records May 2004 + + +10. References + +10.1 Normative References + + [I-D.ietf-dnsext-dnssec-intro] + Arends, R., Austein, R., Larson, M., Massey, D. and S. + Rose, "DNS Security Introduction and Requirements", + draft-ietf-dnsext-dnssec-intro-10 (work in progress), May + 2004. + + [I-D.ietf-dnsext-dnssec-protocol] + Arends, R., Austein, R., Larson, M., Massey, D. and S. + Rose, "Protocol Modifications for the DNS Security + Extensions", draft-ietf-dnsext-dnssec-protocol-06 (work in + progress), May 2004. + + [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", + STD 13, RFC 1034, November 1987. + + [RFC1035] Mockapetris, P., "Domain names - implementation and + specification", STD 13, RFC 1035, November 1987. + + [RFC1521] Borenstein, N. and N. 
Freed, "MIME (Multipurpose Internet + Mail Extensions) Part One: Mechanisms for Specifying and + Describing the Format of Internet Message Bodies", RFC + 1521, September 1993. + + [RFC1982] Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982, + August 1996. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC2136] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic + Updates in the Domain Name System (DNS UPDATE)", RFC 2136, + April 1997. + + [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS + Specification", RFC 2181, July 1997. + + [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS + NCACHE)", RFC 2308, March 1998. + + [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC + 2671, August 1999. + + [RFC2931] Eastlake, D., "DNS Request and Transaction Signatures ( + SIG(0)s)", RFC 2931, September 2000. + + + +Arends, et al. Expires November 15, 2004 [Page 27] + +Internet-Draft DNSSEC Resource Records May 2004 + + + [RFC3110] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain + Name System (DNS)", RFC 3110, May 2001. + + [RFC3445] Massey, D. and S. Rose, "Limiting the Scope of the KEY + Resource Record (RR)", RFC 3445, December 2002. + + [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record + (RR) Types", RFC 3597, September 2003. + + [RFC3658] Gudmundsson, O., "Delegation Signer (DS) Resource Record + (RR)", RFC 3658, December 2003. + + [RFC3755] Weiler, S., "Legacy Resolver Compatibility for Delegation + Signer", RFC 3755, April 2004. + + [RFC3757] Kolkman, O., Schlyter, J. and E. Lewis, "KEY RR Secure + Entry Point Flag", RFC 3757, April 2004. + +10.2 Informative References + + [I-D.ietf-dnsext-nsec-rdata] + Schlyter, J., "KEY RR Secure Entry Point Flag", + draft-ietf-dnsext-nsec-rdata-05 (work in progress), March + 2004. + + [RFC2535] Eastlake, D., "Domain Name System Security Extensions", + RFC 2535, March 1999. 
+ + [RFC2930] Eastlake, D., "Secret Key Establishment for DNS (TKEY + RR)", RFC 2930, September 2000. + + +Authors' Addresses + + Roy Arends + Telematica Instituut + Drienerlolaan 5 + 7522 NB Enschede + NL + + EMail: roy.arends@telin.nl + + + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 28] + +Internet-Draft DNSSEC Resource Records May 2004 + + + Rob Austein + Internet Systems Consortium + 950 Charter Street + Redwood City, CA 94063 + USA + + EMail: sra@isc.org + + + Matt Larson + VeriSign, Inc. + 21345 Ridgetop Circle + Dulles, VA 20166-6503 + USA + + EMail: mlarson@verisign.com + + + Dan Massey + USC Information Sciences Institute + 3811 N. Fairfax Drive + Arlington, VA 22203 + USA + + EMail: masseyd@isi.edu + + + Scott Rose + National Institute for Standards and Technology + 100 Bureau Drive + Gaithersburg, MD 20899-8920 + USA + + EMail: scott.rose@nist.gov + + + + + + + + + + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 29] + +Internet-Draft DNSSEC Resource Records May 2004 + + +Appendix A. DNSSEC Algorithm and Digest Types + + The DNS security extensions are designed to be independent of the + underlying cryptographic algorithms. The DNSKEY, RRSIG, and DS + resource records all use a DNSSEC Algorithm Number to identify the + cryptographic algorithm in use by the resource record. The DS + resource record also specifies a Digest Algorithm Number to identify + the digest algorithm used to construct the DS record. The currently + defined Algorithm and Digest Types are listed below. Additional + Algorithm or Digest Types could be added as advances in cryptography + warrant. + + A DNSSEC aware resolver or name server MUST implement all MANDATORY + algorithms. + +A.1 DNSSEC Algorithm Types + + The DNSKEY, RRSIG, and DS RRs use an 8-bit number used to identify + the security algorithm being used. These values are stored in the + "Algorithm number" field in the resource record RDATA. 
+ + Some algorithms are usable only for zone signing (DNSSEC), some only + for transaction security mechanisms (SIG(0) and TSIG), and some for + both. Those usable for zone signing may appear in DNSKEY, RRSIG, and + DS RRs. Those usable for transaction security would be present in + SIG(0) and KEY RRs as described in [RFC2931] + + Zone + Value Algorithm [Mnemonic] Signing References Status + ----- -------------------- --------- ---------- --------- + 0 reserved + 1 RSA/MD5 [RSAMD5] n RFC 2537 NOT RECOMMENDED + 2 Diffie-Hellman [DH] n RFC 2539 - + 3 DSA/SHA-1 [DSA] y RFC 2536 OPTIONAL + 4 Elliptic Curve [ECC] TBA - + 5 RSA/SHA-1 [RSASHA1] y RFC 3110 MANDATORY + 252 Indirect [INDIRECT] n - + 253 Private [PRIVATEDNS] y see below OPTIONAL + 254 Private [PRIVATEOID] y see below OPTIONAL + 255 reserved + + 6 - 251 Available for assignment by IETF Standards Action. + +A.1.1 Private Algorithm Types + + Algorithm number 253 is reserved for private use and will never be + assigned to a specific algorithm. The public key area in the DNSKEY + RR and the signature area in the RRSIG RR begin with a wire encoded + + + +Arends, et al. Expires November 15, 2004 [Page 30] + +Internet-Draft DNSSEC Resource Records May 2004 + + + domain name, which MUST NOT be compressed. The domain name indicates + the private algorithm to use and the remainder of the public key area + is determined by that algorithm. Entities should only use domain + names they control to designate their private algorithms. + + Algorithm number 254 is reserved for private use and will never be + assigned to a specific algorithm. The public key area in the DNSKEY + RR and the signature area in the RRSIG RR begin with an unsigned + length byte followed by a BER encoded Object Identifier (ISO OID) of + that length. The OID indicates the private algorithm in use and the + remainder of the area is whatever is required by that algorithm. + Entities should only use OIDs they control to designate their private + algorithms. 
+ +A.2 DNSSEC Digest Types + + A "Digest Type" field in the DS resource record types identifies the + cryptographic digest algorithm used by the resource record. The + following table lists the currently defined digest algorithm types. + + VALUE Algorithm STATUS + 0 Reserved - + 1 SHA-1 MANDATORY + 2-255 Unassigned - + + + + + + + + + + + + + + + + + + + + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 31] + +Internet-Draft DNSSEC Resource Records May 2004 + + +Appendix B. Key Tag Calculation + + The Key Tag field in the RRSIG and DS resource record types provides + a mechanism for selecting a public key efficiently. In most cases, a + combination of owner name, algorithm, and key tag can efficiently + identify a DNSKEY record. Both the RRSIG and DS resource records + have corresponding DNSKEY records. The Key Tag field in the RRSIG + and DS records can be used to help select the corresponding DNSKEY RR + efficiently when more than one candidate DNSKEY RR is available. + + However, it is essential to note that the key tag is not a unique + identifier. It is theoretically possible for two distinct DNSKEY RRs + to have the same owner name, the same algorithm, and the same key + tag. The key tag is used to limit the possible candidate keys, but it + does not uniquely identify a DNSKEY record. Implementations MUST NOT + assume that the key tag uniquely identifies a DNSKEY RR. + + The key tag is the same for all DNSKEY algorithm types except + algorithm 1 (please see Appendix B.1 for the definition of the key + tag for algorithm 1). The key tag algorithm is the sum of the wire + format of the DNSKEY RDATA broken into 2 octet groups. First the + RDATA (in wire format) is treated as a series of 2 octet groups, + these groups are then added together ignoring any carry bits. + + A reference implementation of the key tag algorithm is as an ANSI C + function is given below with the RDATA portion of the DNSKEY RR is + used as input. 
It is not necessary to use the following reference + code verbatim, but the numerical value of the Key Tag MUST be + identical to what the reference implementation would generate for the + same input. + + Please note that the algorithm for calculating the Key Tag is almost + but not completely identical to the familiar ones complement checksum + used in many other Internet protocols. Key Tags MUST be calculated + using the algorithm described here rather than the ones complement + checksum. + + The following ANSI C reference implementation calculates the value of + a Key Tag. This reference implementation applies to all algorithm + types except algorithm 1 (see Appendix B.1). The input is the wire + format of the RDATA portion of the DNSKEY RR. The code is written + for clarity, not efficiency. + + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 32] + +Internet-Draft DNSSEC Resource Records May 2004 + + + /* + * Assumes that int is at least 16 bits. + * First octet of the key tag is the most significant 8 bits of the + * return value; + * Second octet of the key tag is the least significant 8 bits of the + * return value. + */ + + unsigned int + keytag ( + unsigned char key[], /* the RDATA part of the DNSKEY RR */ + unsigned int keysize /* the RDLENGTH */ + ) + { + unsigned long ac; /* assumed to be 32 bits or larger */ + int i; /* loop index */ + + for ( ac = 0, i = 0; i < keysize; ++i ) + ac += (i & 1) ? key[i] : key[i] << 8; + ac += (ac >> 16) & 0xFFFF; + return ac & 0xFFFF; + } + + +B.1 Key Tag for Algorithm 1 (RSA/MD5) + + The key tag for algorithm 1 (RSA/MD5) is defined differently than the + key tag for all other algorithms, for historical reasons. For a + DNSKEY RR with algorithm 1, the key tag is defined to be the most + significant 16 bits of the least significant 24 bits in the public + key modulus (in other words, the 4th to last and 3rd to last octets + of the public key modulus). + + Please note that Algorithm 1 is NOT RECOMMENDED. 
+ + + + + + + + + + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 33] + +Internet-Draft DNSSEC Resource Records May 2004 + + +Intellectual Property Statement + + The IETF takes no position regarding the validity or scope of any + intellectual property or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; neither does it represent that it + has made any effort to identify any such rights. Information on the + IETF's procedures with respect to rights in standards-track and + standards-related documentation can be found in BCP-11. Copies of + claims of rights made available for publication and any assurances of + licenses to be made available, or the result of an attempt made to + obtain a general license or permission for the use of such + proprietary rights by implementors or users of this specification can + be obtained from the IETF Secretariat. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights which may cover technology that may be required to practice + this standard. Please address the information to the IETF Executive + Director. + + +Full Copyright Statement + + Copyright (C) The Internet Society (2004). All Rights Reserved. + + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. 
However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assignees. + + This document and the information contained herein is provided on an + "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + + + +Arends, et al. Expires November 15, 2004 [Page 34] + +Internet-Draft DNSSEC Resource Records May 2004 + + + HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + + +Acknowledgment + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Arends, et al. Expires November 15, 2004 [Page 35] + + From 50e45d74340656422b21a5513f2d7138dfe24b7a Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 19 May 2004 23:42:05 +0000 Subject: [PATCH 120/146] 1641. [bug] Update the check-names description in ARM. [RT #11389] --- CHANGES | 2 ++ doc/arm/Bv9ARM-book.xml | 9 ++++----- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index 81bb8b799f..a673cc8983 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1641. [bug] Update the check-names description in ARM. [RT #11389] + 1640. [bug] win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was incorrectly closing the socket. [RT #11291] 
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 90d5e58513..2bebda5b53 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -2,7 +2,7 @@ - + BIND 9 Administrator Reference Manual @@ -4757,10 +4757,9 @@ The default is the empty list. check-names -This option was used in BIND 8 to restrict the character set of -domain names in master files and/or DNS responses received from the -network. BIND 9 does not restrict the character set of domain names -and does not implement the check-names option. +This option is used to restrict the character set and syntax of +certain domain names in master files and/or DNS responses received from the +network. From 4451e24e9a0a897219c18b8387f114d4102fcc0d Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 20 May 2004 02:47:27 +0000 Subject: [PATCH 121/146] regen --- doc/arm/Bv9ARM.ch06.html | 52 +++++++++---------- doc/arm/Bv9ARM.ch07.html | 8 +-- doc/arm/Bv9ARM.ch08.html | 14 ++--- doc/arm/Bv9ARM.ch09.html | 108 +++++++++++++++++++-------------------- doc/arm/Bv9ARM.html | 30 +++++------ 5 files changed, 104 insertions(+), 108 deletions(-) diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index ab41aa75ad..6e34f2a78d 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -94,7 +94,7 @@ HREF="Bv9ARM.ch06.html#Configuration_File_Grammar" >
6.3. Zone File

This option was used in BIND 8 to restrict the character set of -domain names in master files and/or DNS responses received from the -network. BIND 9 does not restrict the character set of domain names -and does not implement the check-names option. +> This option is used to restrict the character set and syntax of +certain domain names in master files and/or DNS responses received from the +network.

7.2. chroot

7.2. chroot

7.2.1. The chroot

7.2.2. Using the setuid

8.1. Common Problems
8.2. Incrementing and Changing the Serial Number
8.3. Where Can I Get Help?

8.1. Common Problems

A.1. Acknowledgments

A.1. Acknowledgments

A.1.1. A Brief History of the DNS

Bibliography

Standards

[RFC974] 

[RFC1034] 

[RFC1035] 

[RFC2181] 

[RFC2308] 

[RFC1995] 

[RFC1996] 

[RFC2136] 

[RFC2845] 

Proposed Standards Still Under Development

[RFC1886] 

[RFC2065] 

[RFC2137] 

Other Important RFCs About DNS

[RFC1535] 

[RFC1536] 

[RFC1982] 

Resource Record Types

[RFC1183] 

[RFC1706] 

[RFC2168] 

[RFC1876] 

[RFC2052] 

[RFC2163] 

[RFC2230] 

DNS

[RFC1101] 

[RFC1123] 

[RFC1591] 

[RFC2317] 

DNS

[RFC1537] 

[RFC1912] 

[RFC2010] 

[RFC2219] 

Other DNS

[RFC1464] 

[RFC1713] 

6.3.2. Discussion of MX Records
6.3.4. Inverse Mapping in IPv4
6.3.5. Other Zone File Directives
6.3.6. BIND
7.2. chroot
7.2.1. The chroot
7.2.2. Using the setuid
8.1. Common Problems
8.1.1. It's not working; how can I figure out what's wrong?
8.2. Incrementing and Changing the Serial Number
8.3. Where Can I Get Help?
A.1. Acknowledgments
A.1.1. A Brief History of the DNS
A.3.3. Other Documents About BIND Date: Fri, 21 May 2004 08:09:27 +0000 Subject: [PATCH 122/146] 1642. [port] Support OpenSSL implementations which don't have DSA support. [RT #11360] --- CHANGES | 3 +++ acconfig.h | 5 ++++- configure.in | 10 +++++++++- lib/dns/sec/dst/dst_api.c | 8 ++++++-- 4 files changed, 22 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index a673cc8983..8ae5143140 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +1642. [port] Support OpenSSL implementations which don't have + DSA support. [RT #11360] + 1641. [bug] Update the check-names description in ARM. [RT #11389] 1640. [bug] win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was diff --git a/acconfig.h b/acconfig.h index 70fc191a32..c44755fd40 100644 --- a/acconfig.h +++ b/acconfig.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: acconfig.h,v 1.44 2004/03/05 04:56:57 marka Exp $ */ +/* $Id: acconfig.h,v 1.45 2004/05/21 08:09:27 marka Exp $ */ /*** *** This file is not to be included by any public header files, because @@ -136,3 +136,6 @@ int sigwait(const unsigned int *set, int *sig); /* Define if you are running under Compaq TruCluster.. */ #undef HAVE_TRUCLUSTER + +/* Define if OpenSSL includes DSA support */ +#undef HAVE_OPENSSL_DSA diff --git a/configure.in b/configure.in index 17ea5538d2..dc5cc413b2 100644 --- a/configure.in +++ b/configure.in @@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl esyscmd([sed "s/^/# /" COPYRIGHT])dnl AC_DIVERT_POP()dnl -AC_REVISION($Revision: 1.356 $) +AC_REVISION($Revision: 1.357 $) AC_INIT(lib/dns/name.c) AC_PREREQ(2.13) 
@@ -467,6 +467,14 @@ int main() { [AC_MSG_RESULT(not compatible) AC_MSG_ERROR(you need OpenSSL 0.9.6e/0.9.7-beta2 (or newer): CERT CA-2002-23)], [AC_MSG_RESULT(assuming target platform has compatible version)])) + AC_MSG_CHECKING(for OpenSSL DSA support) + if test -f $use_openssl/include/openssl/dsa.h + then + AC_DEFINE(HAVE_OPENSSL_DSA) + AC_MSG_RESULT(yes) + else + AC_MSG_RESULT(no) + fi CFLAGS="$saved_cflags" LIBS="$saved_libs" ;; diff --git a/lib/dns/sec/dst/dst_api.c b/lib/dns/sec/dst/dst_api.c index 4e44c96113..6008832368 100644 --- a/lib/dns/sec/dst/dst_api.c +++ b/lib/dns/sec/dst/dst_api.c @@ -18,7 +18,7 @@ /* * Principal Author: Brian Wellington - * $Id: dst_api.c,v 1.114 2004/03/18 02:58:05 marka Exp $ + * $Id: dst_api.c,v 1.115 2004/05/21 08:09:27 marka Exp $ */ #include @@ -145,9 +145,11 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) { RETERR(dst__openssl_init()); RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5])); RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1])); +#ifdef HAVE_OPENSSL_DSA RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA])); - RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH])); #endif + RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH])); +#endif /* OPENSSL */ #ifdef GSSAPI RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI])); #endif @@ -1136,10 +1138,12 @@ algorithm_status(unsigned int alg) { if (dst_algorithm_supported(alg)) return (ISC_R_SUCCESS); +#ifndef OPENSSL if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 || alg == DST_ALG_DSA || alg == DST_ALG_DH || alg == DST_ALG_HMACMD5) return (DST_R_NOCRYPTO); +#endif return (DST_R_UNSUPPORTEDALG); } From cffc2e06f906dd048af4cc27d487deb157f5a082 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 21 May 2004 08:15:37 +0000 Subject: [PATCH 123/146] regen --- config.h.in | 5 +++- configure | 74 +++++++++++++++++++++++++++++++---------------------- 2 files changed, 48 insertions(+), 31 deletions(-) 
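Review bot: The new DSA probe (`if test -f $use_openssl/include/openssl/dsa.h`) only checks that a header file exists, which does not establish that the library was built with DSA: an OpenSSL configured with `no-dsa` defines `OPENSSL_NO_DSA` in `opensslconf.h`, and the header may still be installed, so HAVE_OPENSSL_DSA would be defined for a library whose DSA entry points are missing. The path expansion is also unquoted, so a prefix containing whitespace breaks `test -f`. Since `CFLAGS` is only restored from `$saved_cflags` after this block, the OpenSSL include flags presumably still apply here, so a compile probe against the real headers is the more reliable test; the rewrite below keeps the same macro and result messages.
```m4
	AC_MSG_CHECKING(for OpenSSL DSA support)
	AC_TRY_COMPILE([
#include <openssl/opensslconf.h>
#ifdef OPENSSL_NO_DSA
#error DSA disabled in this OpenSSL build
#endif
#include <openssl/dsa.h>
], [],
		[AC_DEFINE(HAVE_OPENSSL_DSA)
		 AC_MSG_RESULT(yes)],
		[AC_MSG_RESULT(no)])
dnl … unchanged: CFLAGS/LIBS restore, ;; …
```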
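Review bot: The `#ifdef HAVE_OPENSSL_DSA` guard in dst_lib_init only skips registering the DSA backend; the diffstat (CHANGES, acconfig.h, configure.in, dst_api.c) shows no change to the translation unit that defines dst__openssldsa_init, so if that file includes `<openssl/dsa.h>` unconditionally, a build against an OpenSSL that lacks the header will presumably still fail to compile there rather than be supported as the subject line says. The same guard (or a build-system exclusion) is needed around that backend's body for the commit to be complete. The moved `RETERR(dst__openssldh_init(...))` and the added `#endif /* OPENSSL */` comment are consistent with the surrounding blocks. dst_lib_init begins before and continues after this hunk.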
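Review bot: In algorithm_status the new `#ifndef OPENSSL` wrapper changes the result for DST_ALG_DSA on an OpenSSL build without DSA from DST_R_NOCRYPTO to DST_R_UNSUPPORTEDALG, and nothing in the hunk records that this asymmetry is intended; an operator whose DSA-signed (algorithm 3) zone stops validating on such a build will see only "unsupported algorithm", with no hint that the cause is the OpenSSL build rather than the zone. Add a comment above the `#ifndef OPENSSL` line such as `/* With OPENSSL every algorithm dst_lib_init() can register is already reported as supported above; anything left (e.g. DSA when HAVE_OPENSSL_DSA is undefined) is genuinely unsupported, not "no crypto". */`. A one-time log line at init when DSA is compiled out would make the condition diagnosable, but that belongs in dst_lib_init rather than this function.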
diff --git a/config.h.in b/config.h.in index e7a74f3bdf..a80f06c6ff 100644 --- a/config.h.in +++ b/config.h.in @@ -16,7 +16,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: config.h.in,v 1.60 2004/03/05 13:26:19 marka Exp $ */ +/* $Id: config.h.in,v 1.61 2004/05/21 08:15:36 marka Exp $ */ /*** *** This file is not to be included by any public header files, because @@ -137,6 +137,9 @@ int sigwait(const unsigned int *set, int *sig); /* Define if you are running under Compaq TruCluster.. */ #undef HAVE_TRUCLUSTER +/* Define if OpenSSL includes DSA support */ +#undef HAVE_OPENSSL_DSA + /* Define to 1 if you have the header file. */ #undef HAVE_DLFCN_H diff --git a/configure b/configure index 2a928f657d..bab3c48aad 100755 --- a/configure +++ b/configure @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. # -# $Id: configure,v 1.340 2004/05/03 11:15:27 marka Exp $ +# $Id: configure,v 1.341 2004/05/21 08:15:37 marka Exp $ # # Portions Copyright (C) 1996-2001 Nominum, Inc. # @@ -29,7 +29,7 @@ # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -# From configure.in Revision: 1.356 . +# From configure.in Revision: 1.357 . # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.59. # 
@@ -5040,6 +5040,20 @@ rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftes fi fi + echo "$as_me:$LINENO: checking for OpenSSL DSA support" >&5 +echo $ECHO_N "checking for OpenSSL DSA support... $ECHO_C" >&6 + if test -f $use_openssl/include/openssl/dsa.h + then + cat >>confdefs.h <<\_ACEOF +#define HAVE_OPENSSL_DSA 1 +_ACEOF + + echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6 + else + echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 + fi CFLAGS="$saved_cflags" LIBS="$saved_libs" ;; @@ -7815,7 +7829,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 7818 "configure"' > conftest.$ac_ext + echo '#line 7832 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -8805,7 +8819,7 @@ fi # Provide some information about the compiler. -echo "$as_me:8808:" \ +echo "$as_me:8822:" \ "checking for Fortran 77 compiler version" >&5 ac_compiler=`set X $ac_compile; echo $2` { (eval echo "$as_me:$LINENO: \"$ac_compiler --version &5\"") >&5 @@ -9843,11 +9857,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9846: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9860: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:9850: \$? = $ac_status" >&5 + echo "$as_me:9864: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings 
@@ -10076,11 +10090,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:10079: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10093: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:10083: \$? = $ac_status" >&5 + echo "$as_me:10097: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -10136,11 +10150,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:10139: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10153: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:10143: \$? = $ac_status" >&5 + echo "$as_me:10157: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -12320,7 +12334,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5) + (eval echo "\"\$as_me:14618: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:14608: \$? = $ac_status" >&5 + echo "$as_me:14622: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings 
@@ -14661,11 +14675,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:14664: $lt_compile\"" >&5) + (eval echo "\"\$as_me:14678: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:14668: \$? = $ac_status" >&5 + echo "$as_me:14682: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -16022,7 +16036,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5) + (eval echo "\"\$as_me:16964: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:16954: \$? = $ac_status" >&5 + echo "$as_me:16968: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -17007,11 +17021,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:17010: $lt_compile\"" >&5) + (eval echo "\"\$as_me:17024: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:17014: \$? = $ac_status" >&5 + echo "$as_me:17028: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized 
@@ -19045,11 +19059,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:19048: $lt_compile\"" >&5) + (eval echo "\"\$as_me:19062: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:19052: \$? = $ac_status" >&5 + echo "$as_me:19066: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -19278,11 +19292,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:19281: $lt_compile\"" >&5) + (eval echo "\"\$as_me:19295: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:19285: \$? = $ac_status" >&5 + echo "$as_me:19299: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -19338,11 +19352,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:19341: $lt_compile\"" >&5) + (eval echo "\"\$as_me:19355: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:19345: \$? = $ac_status" >&5 + echo "$as_me:19359: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized 
@@ -21522,7 +21536,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext < Date: Sun, 23 May 2004 06:59:20 +0000 Subject: [PATCH 124/146] 1643. [bug] dns_db_closeversion() could leak memory / node references. [RT #11163] --- CHANGES | 3 +++ lib/dns/rbtdb.c | 17 +++++++++++++---- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 8ae5143140..0ec878bb72 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +1643. [bug] dns_db_closeversion() could leak memory / node + references. [RT #11163] + 1642. [port] Support OpenSSL implementations which don't have DSA support. [RT #11360] diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c index 48440fdf06..93aaa593e9 100644 --- a/lib/dns/rbtdb.c +++ b/lib/dns/rbtdb.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbtdb.c,v 1.199 2004/05/14 04:45:56 marka Exp $ */ +/* $Id: rbtdb.c,v 1.200 2004/05/23 06:59:20 marka Exp $ */ /* * Principal Author: Bob Halley @@ -1061,9 +1061,13 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) { * isn't being used by anyone, we can clean * it up. */ - if (rbtdb->current_version->references == 0) + if (rbtdb->current_version->references == 0) { cleanup_version = rbtdb->current_version; + APPENDLIST(version->changed_list, + cleanup_version->changed_list, + link); + } /* * Become the current version. */ @@ -1076,6 +1080,7 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) { * We're rolling back this transaction. */ cleanup_list = version->changed_list; + ISC_LIST_INIT(version->changed_list); rollback = ISC_TRUE; cleanup_version = version; rbtdb->future_version = NULL; @@ -1096,6 +1101,7 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) { if (least_greater == NULL) least_greater = rbtdb->current_version; + INSIST(version->serial < least_greater->serial); /* * Is this the least open version? */ 
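Review bot: The new `APPENDLIST(version->changed_list, cleanup_version->changed_list, link)` in closeversion's commit path moves the retiring current version's pending changes onto the version being committed without saying why, and the reader has to work out from the later `INSIST(EMPTY(cleanup_version->changed_list))` that the struct is about to be freed and would otherwise leak those entries and their node references (the CHANGES entry says this, the code does not). Add `/* The old current version is about to be freed; hand its pending changes to the new current version so they are released, not leaked. */` above the APPENDLIST. The same reasoning applies to the added `ISC_LIST_INIT(version->changed_list)` in the rollback hunk, which is what later allows cleanup_version to be freed with an empty list, and deserves the same one-line note. closeversion starts and ends outside these hunks.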
@@ -1116,16 +1122,19 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) { version->changed_list, link); } - } + } else if (version->serial == rbtdb->least_serial) + INSIST(EMPTY(version->changed_list)); UNLINK(rbtdb->open_versions, version, link); } } least_serial = rbtdb->least_serial; UNLOCK(&rbtdb->lock); - if (cleanup_version != NULL) + if (cleanup_version != NULL) { + INSIST(EMPTY(cleanup_version->changed_list)); isc_mem_put(rbtdb->common.mctx, cleanup_version, sizeof(*cleanup_version)); + } if (!EMPTY(cleanup_list)) { for (changed = HEAD(cleanup_list); From 738bffe2ee7dd6f3efeae8e2cca9017acc9c5f94 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 25 May 2004 18:03:30 +0000 Subject: [PATCH 125/146] placeholder --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index 0ec878bb72..a6fbf19085 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1644. [placeholder] rt11436 + 1643. [bug] dns_db_closeversion() could leak memory / node references. [RT #11163] From 7e2c0c16d6e03058650f536a5b43cb21598ec91f Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 28 May 2004 23:53:46 +0000 Subject: [PATCH 126/146] 1645. [bug] named could trigger a REQUIRE failure if multiple masters with keys are specified. --- CHANGES | 3 +++ lib/dns/zone.c | 4 +++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index a6fbf19085..a2506ef8c8 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +1645. [bug] named could trigger a REQUIRE failure if multiple + masters with keys are specified. + 1644. [placeholder] rt11436 1643. [bug] dns_db_closeversion() could leak memory / node diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 6922e9d596..7ae7e7713c 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.c,v 1.414 2004/04/29 01:44:44 marka Exp $ */ +/* $Id: zone.c,v 1.415 2004/05/28 23:53:46 marka Exp $ */ #include 
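Review bot: The added `INSIST(EMPTY(cleanup_version->changed_list))` before `isc_mem_put` turns what used to be a silent leak into a process abort, so the invariant it checks should be stated where it is asserted: every path that sets cleanup_version has already moved its changed_list elsewhere (the APPENDLIST in the commit path, and `cleanup_list = version->changed_list` followed by `ISC_LIST_INIT` in the rollback path). A comment such as `/* Whoever set cleanup_version moved its changed_list first; a non-empty list here would be leaked. */` makes that auditable. The new `else if (version->serial == rbtdb->least_serial) INSIST(...)` arm would also read more clearly with braces, matching the `if { ... }` it is paired with. closeversion continues outside the hunk.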
@@ -3990,6 +3990,8 @@ soa_query(isc_task_t *task, isc_event_t *event) { return; skip_master: + if (key != NULL) + dns_tsigkey_detach(&key); zone->curmaster++; if (zone->curmaster < zone->masterscnt) goto again; From e94cf7074d8ac30820a715211ae914387996cca9 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 1 Jun 2004 05:08:40 +0000 Subject: [PATCH 127/146] placeholder --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index a2506ef8c8..81960e25ad 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1646. [placeholder] rt11486 + 1645. [bug] named could trigger a REQUIRE failure if multiple masters with keys are specified. From c52d94fa4b7eaf8b7be9dfda15f9fc2c01041d51 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 2 Jun 2004 02:38:53 +0000 Subject: [PATCH 128/146] placeholder --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index 81960e25ad..74ee3f49a1 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1647. [placeholder] rt11445 + 1646. [placeholder] rt11486 1645. [bug] named could trigger a REQUIRE failure if multiple From c956fbfbbd536407a2f0ef8f138c27729d31744d Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 2 Jun 2004 04:56:25 +0000 Subject: [PATCH 129/146] placeholder --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index 74ee3f49a1..b425792f53 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1648. [placeholder] rt11439 + 1647. [placeholder] rt11445 1646. [placeholder] rt11486 From 17cb8353e999e3294e6619613f401af3f7b1540c Mon Sep 17 00:00:00 2001 
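Review bot: The added `if (key != NULL) dns_tsigkey_detach(&key);` at `skip_master:` only prevents the REQUIRE failure on the next master if dns_tsigkey_detach() resets `key` to NULL (presumably it does, which is what the `!= NULL` guard relies on) and if every jump to `skip_master` happens after `key` was either initialised to NULL or attached; soa_query starts outside the hunk, so the latter cannot be confirmed from here. A comment at the label, `/* key may still hold the TSIG key of the master being skipped; release it before again: attaches the next one. */`, would record that assumption. It is worth checking whether the other exits from the retry loop, which are not visible in this hunk, need the same release.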
From: Mark Andrews Date: Thu, 3 Jun 2004 02:22:35 +0000 Subject: [PATCH 130/146] update corpauthor --- bin/check/named-checkconf.docbook | 4 ++-- bin/check/named-checkzone.docbook | 4 ++-- bin/dnssec/dnssec-keygen.docbook | 4 ++-- bin/dnssec/dnssec-makekeyset.docbook | 4 ++-- bin/dnssec/dnssec-signkey.docbook | 4 ++-- bin/dnssec/dnssec-signzone.docbook | 8 ++------ bin/named/lwresd.docbook | 4 ++-- bin/named/named.docbook | 4 ++-- bin/rndc/rndc-confgen.docbook | 4 ++-- bin/rndc/rndc.conf.docbook | 4 ++-- bin/rndc/rndc.docbook | 4 ++-- 11 files changed, 22 insertions(+), 26 deletions(-) diff --git a/bin/check/named-checkconf.docbook b/bin/check/named-checkconf.docbook index 8ffdd1be6c..28bcbe3ccc 100644 --- a/bin/check/named-checkconf.docbook +++ b/bin/check/named-checkconf.docbook @@ -16,7 +16,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -132,7 +132,7 @@ AUTHOR - Internet Software Consortium + Internet Systems Consortium diff --git a/bin/check/named-checkzone.docbook b/bin/check/named-checkzone.docbook index a9b0318cc4..85bd233615 100644 --- a/bin/check/named-checkzone.docbook +++ b/bin/check/named-checkzone.docbook @@ -16,7 +16,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -222,7 +222,7 @@ AUTHOR - Internet Software Consortium + Internet Systems Consortium diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook index 7a82746ea9..1c85567119 100644 --- a/bin/dnssec/dnssec-keygen.docbook +++ b/bin/dnssec/dnssec-keygen.docbook @@ -16,7 +16,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -324,7 +324,7 @@ AUTHOR - Internet Software Consortium + Internet Systems Consortium diff --git a/bin/dnssec/dnssec-makekeyset.docbook b/bin/dnssec/dnssec-makekeyset.docbook index ff4abd75e5..95606dd228 100644 --- a/bin/dnssec/dnssec-makekeyset.docbook +++ b/bin/dnssec/dnssec-makekeyset.docbook @@ -16,7 +16,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -220,7 +220,7 @@ AUTHOR - Internet Software Consortium + Internet Systems Consortium 
diff --git a/bin/dnssec/dnssec-signkey.docbook b/bin/dnssec/dnssec-signkey.docbook index 677e3c8dae..2ba8000fd0 100644 --- a/bin/dnssec/dnssec-signkey.docbook +++ b/bin/dnssec/dnssec-signkey.docbook @@ -16,7 +16,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -224,7 +224,7 @@ AUTHOR - Internet Software Consortium + Internet Systems Consortium diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook index 095e16687a..cf3722eaf0 100644 --- a/bin/dnssec/dnssec-signzone.docbook +++ b/bin/dnssec/dnssec-signzone.docbook @@ -16,7 +16,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -343,10 +343,6 @@ dnssec-keygen 8 , - - dnssec-signkey - 8 - , BIND 9 Administrator Reference Manual, RFC 2535. @@ -355,7 +351,7 @@ AUTHOR - Internet Software Consortium + Internet Systems Consortium diff --git a/bin/named/lwresd.docbook b/bin/named/lwresd.docbook index cae8e07888..ef7763974e 100644 --- a/bin/named/lwresd.docbook +++ b/bin/named/lwresd.docbook @@ -16,7 +16,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -286,7 +286,7 @@ AUTHOR - Internet Software Consortium + Internet Systems Consortium diff --git a/bin/named/named.docbook b/bin/named/named.docbook index 7f3b228499..80c0e7abd2 100644 --- a/bin/named/named.docbook +++ b/bin/named/named.docbook @@ -16,7 +16,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -356,7 +356,7 @@ AUTHOR - Internet Software Consortium + Internet Systems Consortium diff --git a/bin/rndc/rndc-confgen.docbook b/bin/rndc/rndc-confgen.docbook index de4b5930c3..1f210fd9bb 100644 --- a/bin/rndc/rndc-confgen.docbook +++ b/bin/rndc/rndc-confgen.docbook @@ -16,7 +16,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -260,7 +260,7 @@ AUTHOR - Internet Software Consortium + Internet Systems Consortium diff --git a/bin/rndc/rndc.conf.docbook b/bin/rndc/rndc.conf.docbook index b643b09fc6..dd9758b6a5 100644 --- a/bin/rndc/rndc.conf.docbook +++ b/bin/rndc/rndc.conf.docbook @@ -16,7 +16,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + 
@@ -196,7 +196,7 @@ AUTHOR - Internet Software Consortium + Internet Systems Consortium diff --git a/bin/rndc/rndc.docbook b/bin/rndc/rndc.docbook index d0dc96686e..6ddb40b2c3 100644 --- a/bin/rndc/rndc.docbook +++ b/bin/rndc/rndc.docbook @@ -16,7 +16,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -214,7 +214,7 @@ AUTHOR - Internet Software Consortium + Internet Systems Consortium From 2e286ac71f3621c11a3409f35a859488026b5fb5 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 3 Jun 2004 02:45:03 +0000 Subject: [PATCH 131/146] make sure executable files are executable. --- util/kit.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/util/kit.sh b/util/kit.sh index b2c7f18cf2..29a32387b9 100644 --- a/util/kit.sh +++ b/util/kit.sh @@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: kit.sh,v 1.27 2004/03/15 06:58:33 marka Exp $ +# $Id: kit.sh,v 1.28 2004/06/03 02:45:03 marka Exp $ # Make a release kit # @@ -121,6 +121,11 @@ rm -rf TODO EXCLUDED conftools util doc/design doc/dev doc/expired \ find . -name .cvsignore -print | xargs rm +# The following files should be executable. +chmod +x configure install-sh mkinstalldirs \ + lib/bind/configure lib/bind/mkinstalldirs \ + bin/tests/system/ifconfig.sh + cd .. || exit 1 kit=$topdir.tar.gz From 6564bfdd885e3e0f1c3764de0969ac54a84b0dca Mon Sep 17 00:00:00 2001 
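Review bot: The new `chmod +x configure install-sh mkinstalldirs ...` in kit.sh ignores its exit status, so if any listed file is missing from the tree (renamed, or not present on this branch) chmod reports the error and the script still goes on to tar up a kit in which the remaining files may not be executable. The script already uses `cd .. || exit 1` on the very next line, so match that style: `chmod +x configure install-sh mkinstalldirs \` with the continuation lines unchanged and `bin/tests/system/ifconfig.sh || exit 1` on the last one. A short comment on why these particular files must be executable (they are invoked directly rather than through `sh`) would help whoever extends the list.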
From: Mark Andrews Date: Thu, 3 Jun 2004 04:12:38 +0000 Subject: [PATCH 132/146] regen --- bin/check/named-checkconf.8 | 4 ++-- bin/check/named-checkconf.html | 4 ++-- bin/check/named-checkzone.8 | 4 ++-- bin/check/named-checkzone.html | 4 ++-- bin/dnssec/dnssec-keygen.8 | 4 ++-- bin/dnssec/dnssec-keygen.html | 4 ++-- bin/dnssec/dnssec-signzone.8 | 5 ++--- bin/dnssec/dnssec-signzone.html | 13 +++---------- bin/named/lwresd.8 | 4 ++-- bin/named/lwresd.html | 4 ++-- bin/named/named.8 | 4 ++-- bin/named/named.html | 4 ++-- bin/rndc/rndc-confgen.8 | 4 ++-- bin/rndc/rndc-confgen.html | 4 ++-- bin/rndc/rndc.8 | 4 ++-- bin/rndc/rndc.conf.5 | 4 ++-- bin/rndc/rndc.conf.html | 4 ++-- bin/rndc/rndc.html | 4 ++-- 18 files changed, 37 insertions(+), 45 deletions(-) diff --git a/bin/check/named-checkconf.8 b/bin/check/named-checkconf.8 index bf7c81299c..9c1058ef48 100644 --- a/bin/check/named-checkconf.8 +++ b/bin/check/named-checkconf.8 @@ -13,7 +13,7 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: named-checkconf.8,v 1.18 2004/04/07 00:56:58 marka Exp $ +.\" $Id: named-checkconf.8,v 1.19 2004/06/03 04:12:35 marka Exp $ .\" .TH "NAMED-CHECKCONF" "8" "June 14, 2000" "BIND9" "" .SH NAME @@ -56,4 +56,4 @@ errors were detected and 0 otherwise. \fIBIND 9 Administrator Reference Manual\fR. .SH "AUTHOR" .PP -Internet Software Consortium +Internet Systems Consortium diff --git a/bin/check/named-checkconf.html b/bin/check/named-checkconf.html index b319248a24..35f1ec37a9 100644 --- a/bin/check/named-checkconf.html +++ b/bin/check/named-checkconf.html @@ -15,7 +15,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - +

AUTHOR

Internet Software Consortium +> Internet Systems Consortium

- +

AUTHOR

Internet Software Consortium +> Internet Systems Consortium

- +

AUTHOR

Internet Software Consortium +> Internet Systems Consortium

- + dnssec-keygen(8), - dnssec-signkey(8),

AUTHOR

Internet Software Consortium +> Internet Systems Consortium

- +

AUTHOR

Internet Software Consortium +> Internet Systems Consortium

- +

AUTHOR

Internet Software Consortium +> Internet Systems Consortium

- +

AUTHOR

Internet Software Consortium +> Internet Systems Consortium

- +

AUTHOR

Internet Software Consortium +> Internet Systems Consortium

- +

AUTHOR

Internet Software Consortium +> Internet Systems Consortium

Date: Thu, 3 Jun 2004 04:23:01 +0000 Subject: [PATCH 133/146] update -b usage --- bin/dig/dig.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/dig/dig.c b/bin/dig/dig.c index c8a75f2d14..855ea28c3d 100644 --- a/bin/dig/dig.c +++ b/bin/dig/dig.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dig.c,v 1.190 2004/04/15 06:47:08 marka Exp $ */ +/* $Id: dig.c,v 1.191 2004/06/03 04:23:01 marka Exp $ */ #include #include @@ -173,7 +173,7 @@ help(void) { " -x dot-notation (shortcut for in-addr lookups)\n" " -i (IP6.INT reverse IPv6 lookups)\n" " -f filename (batch mode)\n" -" -b address (bind to source address)\n" +" -b address[#port] (bind to source address/port)\n" " -p port (specify port number)\n" " -t type (specify query type)\n" " -c class (specify query class)\n" From 00cf69e0ae05852112019e5176769b31e819f438 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 3 Jun 2004 04:42:38 +0000 Subject: [PATCH 134/146] don't compare unsigned w/ <= 0. --- lib/bind/resolv/res_send.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/bind/resolv/res_send.c b/lib/bind/resolv/res_send.c index 84d8eb20b2..ea6d643d61 100644 --- a/lib/bind/resolv/res_send.c +++ b/lib/bind/resolv/res_send.c @@ -70,7 +70,7 @@ #if defined(LIBC_SCCS) && !defined(lint) static const char sccsid[] = "@(#)res_send.c 8.1 (Berkeley) 6/4/93"; -static const char rcsid[] = "$Id: res_send.c,v 1.10 2004/04/12 07:07:06 marka Exp $"; +static const char rcsid[] = "$Id: res_send.c,v 1.11 2004/06/03 04:42:38 marka Exp $"; #endif /* LIBC_SCCS and not lint */ /* @@ -656,7 +656,7 @@ send_vc(res_state statp, len = INT16SZ; while ((n = read(statp->_vcsock, (char *)cp, (int)len)) > 0) { cp += n; - if ((len -= n) <= 0) + if ((len -= n) == 0) break; } if (n <= 0) { From 0d5f92db3f9e5cec67c837c9951e6e63a30270f2 Mon Sep 17 00:00:00 2001 
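Review bot: The change from `<= 0` to `== 0` in `if ((len -= n) == 0)` in send_vc is only an exact replacement because read() never returns more than the `len` it was handed, so the unsigned `len` cannot wrap below zero; that reasoning is not recorded anywhere in the loop. A comment such as `/* read() returns at most len bytes, so len cannot underflow here */` above the `while` would save the next reader from re-deriving it. send_vc starts and ends outside the hunk.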
From: Mark Andrews Date: Thu, 3 Jun 2004 04:43:34 +0000 Subject: [PATCH 135/146] res_servicenumber returns -1 on error. --- lib/bind/resolv/res_mkupdate.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/lib/bind/resolv/res_mkupdate.c b/lib/bind/resolv/res_mkupdate.c index 740e2d5400..aa3beed2ed 100644 --- a/lib/bind/resolv/res_mkupdate.c +++ b/lib/bind/resolv/res_mkupdate.c @@ -21,7 +21,7 @@ */ #if !defined(lint) && !defined(SABER) -static const char rcsid[] = "$Id: res_mkupdate.c,v 1.4 2004/03/18 02:58:02 marka Exp $"; +static const char rcsid[] = "$Id: res_mkupdate.c,v 1.5 2004/06/03 04:43:34 marka Exp $"; #endif /* not lint */ #include "port_before.h" @@ -350,13 +350,13 @@ res_nmkupdate(res_state statp, ns_updrec *rrecp_in, u_char *buf, int buflen) { bm[i] = 0; while (getword_str(buf2, sizeof buf2, &startp, endp)) { - if ((n1 = res_servicenumber(buf2)) <= 0) + if ((n = res_servicenumber(buf2)) <= 0) return (-1); - if (n1 < MAXPORT) { - bm[n1/8] |= (0x80>>(n1%8)); - if (n1 > maxbm) - maxbm = n1; + if (n < MAXPORT) { + bm[n/8] |= (0x80>>(n%8)); + if ((unsigned)n > maxbm) + maxbm = n; } else return (-1); } From 4c4bdb268ad9ece61cd94c3d82c3fcc289d6aec9 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 3 Jun 2004 05:02:52 +0000 Subject: [PATCH 136/146] linux capset --- FAQ | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/FAQ b/FAQ index dab25ced22..966c35f9fd 100644 --- a/FAQ +++ b/FAQ @@ -415,3 +415,9 @@ information in the chroot area. OSF: /etc/zoneinfo/localtime See also tzset(3) and zic(8). + + +Q: I get the error message "named: capset failed: Operation not permitted" +when starting named. + +A: The capset module has not been loaded into the kernel. See insmod(8). From ea0b0c283be744d8b5810927b9981a9afe2f900d Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 3 Jun 2004 07:04:06 +0000 Subject: [PATCH 137/146] placeholder --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) 
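Review bot: The commit title says res_servicenumber() returns -1 on error, but the check in the res_mkupdate.c hunk is still `if ((n = res_servicenumber(buf2)) <= 0)`, which also rejects a service number of 0; if port 0 is meant to be unusable in the WKS bitmap that is fine but deserves a comment, otherwise the test should be `< 0`. The later `(unsigned)n > maxbm` cast is safe only because that test has already excluded negative values, so the two lines are coupled; a one-line comment, `/* n > 0 here, so the cast to unsigned cannot wrap */`, keeps them from drifting apart. res_nmkupdate starts and ends outside the hunk.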
diff --git a/CHANGES b/CHANGES index b425792f53..de3a8bff61 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +1649. [placeholder] rt11206 + 1648. [placeholder] rt11439 1647. [placeholder] rt11445 From f66cd386cf4d0cc65b28cbaeaf540353406393a8 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 4 Jun 2004 02:19:17 +0000 Subject: [PATCH 138/146] 1646. [bug] win32: logging file versions didn't work with non-UNC filenames. [RT#11486] --- CHANGES | 3 ++- lib/isc/log.c | 18 +++++++++++++++--- 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index de3a8bff61..a8cb739253 100644 --- a/CHANGES +++ b/CHANGES @@ -4,7 +4,8 @@ 1647. [placeholder] rt11445 -1646. [placeholder] rt11486 +1646. [bug] win32: logging file versions didn't work with + non-UNC filenames. [RT#11486] 1645. [bug] named could trigger a REQUIRE failure if multiple masters with keys are specified. diff --git a/lib/isc/log.c b/lib/isc/log.c index 21dfffd48a..0cbe86a418 100644 --- a/lib/isc/log.c +++ b/lib/isc/log.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: log.c,v 1.85 2004/04/10 04:33:36 marka Exp $ */ +/* $Id: log.c,v 1.86 2004/06/04 02:19:17 marka Exp $ */ /* Principal Authors: DCL */ @@ -1140,6 +1140,10 @@ greatest_version(isc_logchannel_t *channel, int *greatestp) { unsigned int basenamelen; isc_dir_t dir; isc_result_t result; + char sep = '/'; +#ifdef _WIN32 + char *basename2; +#endif REQUIRE(channel->type == ISC_LOG_TOFILE); 
@@ -1147,7 +1151,15 @@ greatest_version(isc_logchannel_t *channel, int *greatestp) { * It is safe to DE_CONST the file.name because it was copied * with isc_mem_strdup in isc_log_createchannel. */ - basename = strrchr(FILE_NAME(channel), '/'); + basename = strrchr(FILE_NAME(channel), sep); +#ifdef _WIN32 + basename2 = strrchr(FILE_NAME(channel), '\\'); + if ((basename != NULL && basename2 != NULL && basename2 > basename) || + (basename == NULL && basename2 != NULL)) { + basename = basename2; + sep = '\\'; + } +#endif if (basename != NULL) { *basename++ = '\0'; dirname = FILE_NAME(channel); @@ -1164,7 +1176,7 @@ greatest_version(isc_logchannel_t *channel, int *greatestp) { * Replace the file separator if it was taken out. */ if (basename != FILE_NAME(channel)) - *(basename - 1) = '/'; + *(basename - 1) = sep; /* * Return if the directory open failed. From c315e5cfead876251ee4ff5600ee67303b2729a4 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 4 Jun 2004 02:31:43 +0000 Subject: [PATCH 139/146] 1648. [func] Update dnssec-lookaside named.conf syntax to support multiple dnssec-lookaside namespaces (not yet implemented). --- CHANGES | 4 +- bin/named/server.c | 46 ++++-- bin/tests/system/dlv/ns5/named.conf | 4 +- bin/tests/system/dnssec/ns6/named.conf | 4 +- doc/arm/Bv9ARM-book.xml | 14 +- doc/misc/options | 4 +- lib/bind9/check.c | 193 ++++++++++++++----------- lib/isccfg/namedconf.c | 27 +++- 8 files changed, 189 insertions(+), 107 deletions(-) diff --git a/CHANGES b/CHANGES index a8cb739253..4e9bac6183 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,8 @@ 1649. [placeholder] rt11206 -1648. [placeholder] rt11439 +1648. [func] Update dnssec-lookaside named.conf syntax to support + multiple dnssec-lookaside namespaces (not yet + implemented). 1647. [placeholder] rt11445 diff --git a/bin/named/server.c b/bin/named/server.c index 0e6320c6e2..a391ceff17 100644 --- a/bin/named/server.c +++ b/bin/named/server.c 
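Review bot: The `sep` variable declared in the preceding hunk is set from the new `#ifdef _WIN32` block here and used at the end to undo `*basename++ = '\0'`, but neither site says that it records which separator character was overwritten so the original file name is restored byte-for-byte; add `/* separator character cut out of FILE_NAME(channel); restored below */` at the declaration. The pointer comparison `basename2 > basename` is well-defined only because both point into the same string, which is worth stating next to it since ordering unrelated pointers is undefined behaviour. The non-Windows path is unchanged and still recognises only `/`. greatest_version starts and ends outside the hunk.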
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.426 2004/05/14 00:51:52 marka Exp $ */ +/* $Id: server.c,v 1.427 2004/06/04 02:31:40 marka Exp $ */ #include @@ -1171,14 +1171,42 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, obj = NULL; result = ns_config_get(maps, "dnssec-lookaside", &obj); if (result == ISC_R_SUCCESS) { - const char *dlv; - isc_buffer_t b; - dlv = cfg_obj_asstring(obj); - isc_buffer_init(&b, dlv, strlen(dlv)); - isc_buffer_add(&b, strlen(dlv)); - CHECK(dns_name_fromtext(dns_fixedname_name(&view->dlv_fixed), - &b, dns_rootname, ISC_TRUE, NULL)); - view->dlv = dns_fixedname_name(&view->dlv_fixed); + for (element = cfg_list_first(obj); + element != NULL; + element = cfg_list_next(element)) + { + const char *str; + isc_buffer_t b; + dns_name_t *dlv; + + obj = cfg_listelt_value(element); +#if 0 + dns_fixedname_t fixed; + dns_name_t *name; + + /* + * When we support multiple dnssec-lookaside + * entries this is how to find the domain to be + * checked. XXXMPA + */ + dns_fixedname_init(&fixed); + name = dns_fixedname_name(&fixed); + str = cfg_obj_asstring(cfg_tuple_get(obj, + "domain")); + isc_buffer_init(&b, str, strlen(str)); + isc_buffer_add(&b, strlen(str)); + CHECK(dns_name_fromtext(name, &b, dns_rootname, + ISC_TRUE, NULL)); +#endif + str = cfg_obj_asstring(cfg_tuple_get(obj, + "trust-anchor")); + isc_buffer_init(&b, str, strlen(str)); + isc_buffer_add(&b, strlen(str)); + dlv = dns_fixedname_name(&view->dlv_fixed); + CHECK(dns_name_fromtext(dlv, &b, dns_rootname, + ISC_TRUE, NULL)); + view->dlv = dns_fixedname_name(&view->dlv_fixed); + } } else view->dlv = NULL; diff --git a/bin/tests/system/dlv/ns5/named.conf b/bin/tests/system/dlv/ns5/named.conf index 70f7d422dd..ebe0cb426a 100644 --- a/bin/tests/system/dlv/ns5/named.conf +++ b/bin/tests/system/dlv/ns5/named.conf 
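Review bot: The loop added to configure_view writes `view->dlv_fixed` on every iteration, so with several `dnssec-lookaside` entries the last one silently wins, and the `"domain"` element is read only inside the `#if 0` block, so the configured domain has no effect on which names are validated through DLV; the ARM text changed in this same commit nevertheless describes per-domain scoping as if it worked. An operator who writes `dnssec-lookaside "example" trust-anchor "dlv.example";` expecting lookaside validation to be confined to `example` will get it applied to every name, which widens the set of keys that trust-anchor can vouch for. Until scoping is implemented, log a warning (or reject the configuration in lib/bind9/check.c) when more than one entry is present or when `domain` is anything other than `"."`, and add `/* XXXMPA: "domain" is ignored and each entry overwrites view->dlv; only the last one takes effect. */` inside the loop. configure_view starts and ends outside the hunk.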
@@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.2 2004/05/14 04:58:23 marka Exp $ */ +/* $Id: named.conf,v 1.3 2004/06/04 02:31:41 marka Exp $ */ /* * Choose a keyname that is unlikely to clash with any real key names. @@ -58,7 +58,7 @@ options { recursion yes; notify yes; dnssec-enable yes; - dnssec-lookaside "dlv.utld"; + dnssec-lookaside "." trust-anchor "dlv.utld"; }; zone "." { type hint; file "hints"; }; diff --git a/bin/tests/system/dnssec/ns6/named.conf b/bin/tests/system/dnssec/ns6/named.conf index b5eca59ee7..4fcd5894b4 100644 --- a/bin/tests/system/dnssec/ns6/named.conf +++ b/bin/tests/system/dnssec/ns6/named.conf @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.6 2004/03/10 02:19:54 marka Exp $ */ +/* $Id: named.conf,v 1.7 2004/06/04 02:31:41 marka Exp $ */ // NS6 @@ -32,7 +32,7 @@ options { notify yes; disable-algorithms . { DSA; }; dnssec-enable yes; - dnssec-lookaside dlv; + dnssec-lookaside . trust-anchor dlv; }; zone "." { diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 2bebda5b53..6df8cd1565 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -2,7 +2,7 @@ - + BIND 9 Administrator Reference Manual @@ -2758,7 +2758,7 @@ statement in the named.conf file: use-id-pool yes_or_no; maintain-ixfr-base yes_or_no; dnssec-enable yes_or_no; - dnssec-lookaside domain; + dnssec-lookaside domain trust-anchor domain; dnssec-must-be-secure domain yes_or_no; forward ( only | first ); forwarders { ip_addr port ip_port ; ip_addr port ip_port ; ... }; 
@@ -2985,10 +2985,12 @@ Only the most specific will be applied. When set dnssec-lookaside provides the validator with an alternate method to validate DNSKEY records at the -top of a zone. When set the domain specified by -dnssec-lookaside is appended to DNSKEY's -name and a DLV record is looked up. If the DLV record validates -a DNSKEY (similarly to the way a DS record does) the DNSKEY RRset is deemed to be trusted. +top of a zone. When a DNSKEY is at or below a domain specified by the +deepest dnssec-lookaside, and the normal dnssec validation +has left the key untrusted, the trust-anchor will be append to the key +name and a DLV record will be looked up to see if it can validate the +key. If the DLV record validates a DNSKEY (similarly to the way a DS +record does) the DNSKEY RRset is deemed to be trusted. dnssec-must-be-secure diff --git a/doc/misc/options b/doc/misc/options index 8eec93f4ca..f77e4940c5 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -82,7 +82,7 @@ options { root-delegation-only [ exclude { ; ... } ]; disable-algorithms { ; ... }; dnssec-enable ; - dnssec-lookaside ; + dnssec-lookaside trust-anchor ; dnssec-must-be-secure ; allow-query { ; ... }; allow-transfer { ; ... }; @@ -262,7 +262,7 @@ view { root-delegation-only [ exclude { ; ... } ]; disable-algorithms { ; ... }; dnssec-enable ; - dnssec-lookaside ; + dnssec-lookaside trust-anchor ; dnssec-must-be-secure ; allow-query { ; ... }; allow-transfer { ; ... }; diff --git a/lib/bind9/check.c b/lib/bind9/check.c index b4b205c507..2bca8ab5be 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check.c,v 1.46 2004/05/17 05:37:41 marka Exp $ */ +/* $Id: check.c,v 1.47 2004/06/04 02:31:43 marka Exp $ */ #include 
@@ -279,6 +279,39 @@ disabled_algorithms(cfg_obj_t *disabled, isc_log_t *logctx) { return (result); } +static isc_result_t +nameexist(cfg_obj_t *obj, const char *name, int value, isc_symtab_t *symtab, + const char *fmt, isc_log_t *logctx, isc_mem_t *mctx) +{ + char *key; + const char *file; + unsigned int line; + isc_result_t result; + isc_symvalue_t symvalue; + + key = isc_mem_strdup(mctx, name); + if (key == NULL) + return (ISC_R_NOMEMORY); + symvalue.as_pointer = obj; + result = isc_symtab_define(symtab, key, value, symvalue, + isc_symexists_reject); + if (result == ISC_R_EXISTS) { + RUNTIME_CHECK(isc_symtab_lookup(symtab, key, value, + &symvalue) == ISC_R_SUCCESS); + file = cfg_obj_file(symvalue.as_pointer); + line = cfg_obj_line(symvalue.as_pointer); + + if (file == NULL) + file = ""; + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, fmt, key, file, line); + isc_mem_free(mctx, key); + result = ISC_R_EXISTS; + } else if (result != ISC_R_SUCCESS) { + isc_mem_free(mctx, key); + } + return (result); +} + static isc_result_t mustbesecure(cfg_obj_t *secure, isc_symtab_t *symtab, isc_log_t *logctx, isc_mem_t *mctx) @@ -290,9 +323,6 @@ mustbesecure(cfg_obj_t *secure, isc_symtab_t *symtab, isc_log_t *logctx, dns_name_t *name; isc_buffer_t b; isc_result_t result = ISC_R_SUCCESS; - isc_result_t tresult; - isc_symvalue_t symvalue; - char *key; dns_fixedname_init(&fixed); name = dns_fixedname_name(&fixed); 
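Review bot: nameexist() logs through a caller-supplied format with a fixed argument triple, `cfg_obj_log(obj, logctx, ISC_LOG_ERROR, fmt, key, file, line);`, and nothing documents or checks that contract, so a caller whose format does not take exactly (%s, %s, %u) would be a silent format/argument mismatch that the compiler cannot catch. A header comment above the function should state it, e.g. `/* fmt must consume exactly three arguments: the name (%s), then the file (%s) and line (%u) of the earlier definition. On ISC_R_EXISTS or any other failure the duplicated key is freed here; on success it is owned by symtab. */`. The success-path ownership is inferred from the freekey action passed to isc_symtab_create() elsewhere in this commit; confirm it also holds for the symtab handed to check_zoneconf() by its caller.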
@@ -300,42 +330,16 @@ mustbesecure(cfg_obj_t *secure, isc_symtab_t *symtab, isc_log_t *logctx, str = cfg_obj_asstring(obj); isc_buffer_init(&b, str, strlen(str)); isc_buffer_add(&b, strlen(str)); - tresult = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL); - if (tresult != ISC_R_SUCCESS) { + result = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL); + if (result != ISC_R_SUCCESS) { cfg_obj_log(obj, logctx, ISC_LOG_ERROR, "bad domain name '%s'", str); - result = tresult; } else { - dns_name_format(name, namebuf, sizeof(namebuf)); - key = isc_mem_strdup(mctx, namebuf); - if (key == NULL) - return (ISC_R_NOMEMORY); - symvalue.as_pointer = secure; - tresult = isc_symtab_define(symtab, key, 1, symvalue, - isc_symexists_reject); - if (tresult == ISC_R_EXISTS) { - const char *file; - unsigned int line; - - RUNTIME_CHECK(isc_symtab_lookup(symtab, key, 1, - &symvalue) == ISC_R_SUCCESS); - isc_mem_free(mctx, key); - file = cfg_obj_file(symvalue.as_pointer); - line = cfg_obj_line(symvalue.as_pointer); - - if (file == NULL) - file = ""; - - cfg_obj_log(secure, logctx, ISC_LOG_ERROR, - "dnssec-must-be-secure '%s': already " - "exists previous definition: %s:%u", - namebuf, file, line); - result = tresult; - } else if (tresult != ISC_R_SUCCESS) { - isc_mem_free(mctx, key); - result = tresult; - } + result = nameexist(secure, namebuf, 1, symtab, + "dnssec-must-be-secure '%s': already " + "exists previous definition: %s:%u", + logctx, mctx); } return (result); } @@ -353,6 +357,7 @@ check_options(cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) { unsigned int i; cfg_obj_t *obj = NULL; cfg_listelt_t *element; + isc_symtab_t *symtab = NULL; static intervaltable intervals[] = { { "cleaning-interval", 60, 28 * 24 * 60 }, /* 28 days */ 
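Review bot: The else branch now passes `namebuf` to nameexist(), but the only line that filled it, `dns_name_format(name, namebuf, sizeof(namebuf));`, is removed in this hunk, so the duplicate check keys on an uninitialized stack buffer and the logged name is garbage. Restore that call as the first statement of the else branch, directly before `result = nameexist(secure, namebuf, 1, symtab, ...)`; check_zoneconf() in this same commit keeps its dns_name_format() before its nameexist() call, which is the pattern to match. The declaration of namebuf and the start of mustbesecure() are outside the hunk, but nothing between the text-to-name conversion and the nameexist() call formats the parsed name.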
@@ -458,21 +463,70 @@ check_options(cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) { obj = NULL; (void)cfg_map_get(options, "dnssec-lookaside", &obj); if (obj != NULL) { - dns_fixedname_t fixedname; - const char *dlv; - isc_buffer_t b; - - dlv = cfg_obj_asstring(obj); - dns_fixedname_init(&fixedname); - isc_buffer_init(&b, dlv, strlen(dlv)); - isc_buffer_add(&b, strlen(dlv)); - tresult = dns_name_fromtext(dns_fixedname_name(&fixedname), &b, - dns_rootname, ISC_TRUE, NULL); - if (tresult != ISC_R_SUCCESS) { - cfg_obj_log(obj, logctx, ISC_LOG_ERROR, - "bad domain name '%s'", dlv); + tresult = isc_symtab_create(mctx, 100, freekey, mctx, + ISC_TRUE, &symtab); + if (tresult != ISC_R_SUCCESS) result = tresult; + for (element = cfg_list_first(obj); + element != NULL; + element = cfg_list_next(element)) + { + dns_fixedname_t fixedname; + dns_name_t *name; + const char *dlv; + isc_buffer_t b; + + obj = cfg_listelt_value(element); + + dlv = cfg_obj_asstring(cfg_tuple_get(obj, "domain")); + dns_fixedname_init(&fixedname); + name = dns_fixedname_name(&fixedname); + isc_buffer_init(&b, dlv, strlen(dlv)); + isc_buffer_add(&b, strlen(dlv)); + tresult = dns_name_fromtext(name, &b, dns_rootname, + ISC_TRUE, NULL); + if (tresult != ISC_R_SUCCESS) { + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "bad domain name '%s'", dlv); + result = tresult; + } + if (symtab != NULL) { + tresult = nameexist(obj, dlv, 1, symtab, + "dnssec-lookaside '%s': " + "already exists previous " + "definition: %s:%u", + logctx, mctx); + if (tresult != ISC_R_SUCCESS && + result == ISC_R_SUCCESS) + result = tresult; + } + /* + * XXXMPA to be removed when multiple lookaside + * namespaces are supported. 
+ */ + if (!dns_name_equal(dns_rootname, name)) { + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "dnssec-lookaside '%s': " + "non-root not yet supported", dlv); + if (result == ISC_R_SUCCESS) + result = ISC_R_FAILURE; + } + dlv = cfg_obj_asstring(cfg_tuple_get(obj, + "trust-anchor")); + dns_fixedname_init(&fixedname); + isc_buffer_init(&b, dlv, strlen(dlv)); + isc_buffer_add(&b, strlen(dlv)); + tresult = dns_name_fromtext(name, &b, dns_rootname, + ISC_TRUE, NULL); + if (tresult != ISC_R_SUCCESS) { + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "bad domain name '%s'", dlv); + if (result == ISC_R_SUCCESS) + result = tresult; + } } + if (symtab != NULL) + isc_symtab_destroy(&symtab); } /* @@ -643,7 +697,6 @@ check_zoneconf(cfg_obj_t *zconfig, cfg_obj_t *config, isc_symtab_t *symtab, unsigned int ztype; cfg_obj_t *zoptions; cfg_obj_t *obj = NULL; - isc_symvalue_t symvalue; isc_result_t result = ISC_R_SUCCESS; isc_result_t tresult; unsigned int i; 
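Review bot: The dnssec-lookaside duplicate check calls `nameexist(obj, dlv, 1, symtab, ...)` with the raw configured string, whereas mustbesecure() and check_zoneconf() key their tables on dns_name_format() output, so two spellings of the same domain (trailing dot, letter case) are not reported as duplicates here. Format `name` into a DNS_NAME_FORMATSIZE buffer after a successful dns_name_fromtext() and pass that instead; while only the root is accepted this is harmless, but it will matter once the "non-root not yet supported" restriction is lifted. Separately, `if (!dns_name_equal(dns_rootname, name))` is evaluated even when the domain failed to parse, so a malformed domain gets a second, misleading error about a name that was never set; remember the outcome of the domain parse in its own variable (the intervening nameexist() call overwrites tresult) and skip the root test when it failed, while still validating the trust-anchor. check_options() starts outside this hunk.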
@@ -758,48 +811,22 @@ check_zoneconf(cfg_obj_t *zconfig, cfg_obj_t *config, isc_symtab_t *symtab, dns_fixedname_init(&fixedname); isc_buffer_init(&b, zname, strlen(zname)); isc_buffer_add(&b, strlen(zname)); - result = dns_name_fromtext(dns_fixedname_name(&fixedname), &b, + tresult = dns_name_fromtext(dns_fixedname_name(&fixedname), &b, dns_rootname, ISC_TRUE, NULL); if (result != ISC_R_SUCCESS) { cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR, "zone '%s': is not a valid name", zname); - result = ISC_R_FAILURE; + tresult = ISC_R_FAILURE; } else { char namebuf[DNS_NAME_FORMATSIZE]; - char *key; dns_name_format(dns_fixedname_name(&fixedname), namebuf, sizeof(namebuf)); - key = isc_mem_strdup(mctx, namebuf); - if (key == NULL) - return (ISC_R_NOMEMORY); - symvalue.as_pointer = zconfig; - tresult = isc_symtab_define(symtab, key, - ztype == HINTZONE ? 1 : 2, - symvalue, isc_symexists_reject); - if (tresult == ISC_R_EXISTS) { - const char *file; - unsigned int line; - - RUNTIME_CHECK(isc_symtab_lookup(symtab, key, - ztype == HINTZONE ? 1 : 2, - &symvalue) == ISC_R_SUCCESS); - isc_mem_free(mctx, key); - file = cfg_obj_file(symvalue.as_pointer); - line = cfg_obj_line(symvalue.as_pointer); - - if (file == NULL) - file = ""; - cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR, - "zone '%s': already exists " - "previous definition: %s:%u", - zname, file, line); - result = ISC_R_FAILURE; - } else if (tresult != ISC_R_SUCCESS) { - isc_mem_free(mctx, key); - - return (tresult); - } + tresult = nameexist(zconfig, namebuf, ztype == HINTZONE ? 1 : 2, + symtab, "zone '%s': already exists " + "previous definition: %s:%u", logctx, mctx); + if (tresult != ISC_R_SUCCESS) + result = tresult; } /* diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 5460253c0f..759e199b3e 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c 
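Review bot: The name-conversion result is now stored in `tresult`, but the test on the next line still reads `result` (`if (result != ISC_R_SUCCESS)`), so an unparsable zone name is never reported and the else branch goes on to dns_name_format() a name that was never set; the new `tresult = ISC_R_FAILURE;` in the error branch is also a dead store, because result is not updated from it afterwards. Change the test to `if (tresult != ISC_R_SUCCESS) {` and keep `result = ISC_R_FAILURE;` in that branch so the failure reaches the caller. check_zoneconf() starts and ends outside the hunk; within it, result is only set to an error value from the nameexist() call in the else branch.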
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: namedconf.c,v 1.33 2004/04/15 23:40:27 marka Exp $ */ +/* $Id: namedconf.c,v 1.34 2004/06/04 02:31:43 marka Exp $ */ #include @@ -658,6 +658,28 @@ static cfg_type_t cfg_type_mustbesecure = { &cfg_rep_tuple, mustbesecure_fields }; +/* + * dnssec-lookaside + */ + +static keyword_type_t trustanchor_kw = { "trust-anchor", &cfg_type_astring }; + +static cfg_type_t cfg_type_trustanchor = { + "trust-anchor", parse_keyvalue, print_keyvalue, doc_keyvalue, + &cfg_rep_string, &trustanchor_kw +}; + +static cfg_tuplefielddef_t lookaside_fields[] = { + { "domain", &cfg_type_astring, 0 }, + { "trust-anchor", &cfg_type_trustanchor, 0 }, + { NULL, NULL, 0 } +}; + +static cfg_type_t cfg_type_lookaside = { + "lookaside", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, + &cfg_rep_tuple, lookaside_fields +}; + /* * Clauses that can be found within the 'view' statement, * with defaults in the 'options' statement. @@ -703,7 +725,7 @@ view_clauses[] = { { "disable-algorithms", &cfg_type_disablealgorithm, CFG_CLAUSEFLAG_MULTI }, { "dnssec-enable", &cfg_type_boolean, 0 }, - { "dnssec-lookaside", &cfg_type_astring, 0 }, + { "dnssec-lookaside", &cfg_type_lookaside, CFG_CLAUSEFLAG_MULTI }, { "dnssec-must-be-secure", &cfg_type_mustbesecure, CFG_CLAUSEFLAG_MULTI }, { NULL, NULL, 0 } @@ -1201,6 +1223,7 @@ controls_clauses[] = { CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_NOTIMP }, { NULL, NULL, 0 } }; + static cfg_clausedef_t * controls_clausesets[] = { controls_clauses, From 6ecbd11029fa201b5f273f4ef016617dc35206ae Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 4 Jun 2004 02:40:50 +0000 Subject: [PATCH 140/146] 1644. [bug] Update the journal modification time after a sucessfull refresh query. [RT #11436] --- CHANGES | 3 ++- lib/dns/zone.c | 9 +++++++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 4e9bac6183..cdd2b0093c 100644 --- a/CHANGES +++ b/CHANGES 
@@ -12,7 +12,8 @@ 1645. [bug] named could trigger a REQUIRE failure if multiple masters with keys are specified. -1644. [placeholder] rt11436 +1644. [bug] Update the journal modification time after a + sucessfull refresh query. [RT #11436] 1643. [bug] dns_db_closeversion() could leak memory / node references. [RT #11163] diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 7ae7e7713c..bb855c7e37 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.c,v 1.415 2004/05/28 23:53:46 marka Exp $ */ +/* $Id: zone.c,v 1.416 2004/06/04 02:40:50 marka Exp $ */ #include @@ -3622,7 +3622,12 @@ refresh_callback(isc_task_t *task, isc_event_t *event) { dns_message_destroy(&msg); } else if (isc_serial_eq(soa.serial, zone->serial)) { if (zone->masterfile != NULL) { - result = isc_file_settime(zone->masterfile, &now); + result = ISC_R_FAILURE; + if (zone->journal != NULL) + result = isc_file_settime(zone->journal, &now); + if (result != ISC_R_SUCCESS) + result = isc_file_settime(zone->masterfile, + &now); /* Someone removed the file from underneath us! */ if (result == ISC_R_FILENOTFOUND) { LOCK_ZONE(zone); From 1c52f228e9e2d8784273b7af76794031e480e5e8 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 4 Jun 2004 03:44:53 +0000 Subject: [PATCH 141/146] 1649. [bug] Silence "unexpected non-minimal diff" message. [RT #11206] --- CHANGES | 3 ++- bin/named/update.c | 22 +++++++++++++--------- 2 files changed, 15 insertions(+), 10 deletions(-) diff --git a/CHANGES b/CHANGES index cdd2b0093c..a8219d205e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,5 @@ -1649. [placeholder] rt11206 +1649. [bug] Silence "unexpected non-minimal diff" message. + [RT #11206] 1648. [func] Update dnssec-lookaside named.conf syntax to support multiple dnssec-lookaside namespaces (not yet diff --git a/bin/named/update.c b/bin/named/update.c index ee6114e0e2..f5e8b421f3 100644 --- a/bin/named/update.c +++ b/bin/named/update.c 
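Review bot: The new fallback order — touch the journal first, the master file only if that fails — is not explained in the code, and the reader has to recover the reason from the CHANGES entry. A short comment above `result = ISC_R_FAILURE;` would help, e.g. `/* Prefer the journal's mtime when there is one, as it carries the most recent zone data; fall back to the master file otherwise. */` — I am inferring the intent, so adjust it if the reason differs. Note that any journal failure, not only ISC_R_FILENOTFOUND, is silently converted into a master-file touch; if only the no-journal case should fall back, test for that result specifically. refresh_callback() starts and ends outside the hunk.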
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: update.c,v 1.112 2004/05/12 06:38:37 marka Exp $ */ +/* $Id: update.c,v 1.113 2004/06/04 03:44:53 marka Exp $ */ #include @@ -1102,14 +1102,16 @@ add_rr_prepare_action(void *data, rr_t *rr) { isc_result_t result = ISC_R_SUCCESS; add_rr_prepare_ctx_t *ctx = data; dns_difftuple_t *tuple = NULL; + isc_boolean_t equal; /* * If the update RR is a "duplicate" of the update RR, * the update should be silently ignored. */ - if (dns_rdata_compare(&rr->rdata, ctx->update_rr) == 0 && - rr->ttl == ctx->update_rr_ttl) { + equal = ISC_TF(dns_rdata_compare(&rr->rdata, ctx->update_rr) == 0); + if (equal && rr->ttl == ctx->update_rr_ttl) { ctx->ignore_add = ISC_TRUE; + return (ISC_R_SUCCESS); } /* @@ -1137,12 +1139,14 @@ add_rr_prepare_action(void *data, rr_t *rr) { &rr->rdata, &tuple)); dns_diff_append(&ctx->del_diff, &tuple); - CHECK(dns_difftuple_create(ctx->add_diff.mctx, - DNS_DIFFOP_ADD, ctx->name, - ctx->update_rr_ttl, - &rr->rdata, - &tuple)); - dns_diff_append(&ctx->add_diff, &tuple); + if (!equal) { + CHECK(dns_difftuple_create(ctx->add_diff.mctx, + DNS_DIFFOP_ADD, ctx->name, + ctx->update_rr_ttl, + &rr->rdata, + &tuple)); + dns_diff_append(&ctx->add_diff, &tuple); + } } failure: return (result); From 683b9e5e343740eb220bb1f95c1656e9d5a95cf8 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 4 Jun 2004 06:32:57 +0000 Subject: [PATCH 142/146] regen --- doc/arm/Bv9ARM.ch06.html | 97 +++++++++++++++++++---------------- doc/arm/Bv9ARM.ch07.html | 8 +-- doc/arm/Bv9ARM.ch08.html | 14 ++--- doc/arm/Bv9ARM.ch09.html | 108 +++++++++++++++++++-------------------- doc/arm/Bv9ARM.html | 38 +++++++------- 5 files changed, 136 insertions(+), 129 deletions(-) diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 6e34f2a78d..973fb5c1e5 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -94,7 +94,7 @@ HREF="Bv9ARM.ch06.html#Configuration_File_Grammar" >
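Review bot: The new `if (!equal)` guard silently drops the re-add of an existing RR whose rdata matches the update RR but whose TTL differs, and the reason is only recoverable from the CHANGES entry; a why-comment on that line would save the next reader the archaeology, e.g. `/* The update RR itself is added with the new TTL; re-adding identical rdata here produced the non-minimal diff. */` (that is my reading of the change — confirm it). The early `return (ISC_R_SUCCESS);` added in the first hunk bypasses everything between the two hunks, which is outside my view; please confirm nothing there must run for the duplicate case. add_rr_prepare_action() continues between the two hunks.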
6.3. Zone File
domain trust-anchor domain; ] [dnssec-lookaside provides the validator with an alternate method to validate DNSKEY records at the -top of a zone. When set the domain specified by -dnssec-lookaside is appended to DNSKEY's -name and a DLV record is looked up. If the DLV record validates -a DNSKEY (similarly to the way a DS record does) the DNSKEY RRset is deemed to be trusted. +>, and the normal dnssec validation +has left the key untrusted, the trust-anchor will be append to the key +name and a DLV record will be looked up to see if it can validate the +key. If the DLV record validates a DNSKEY (similarly to the way a DS +record does) the DNSKEY RRset is deemed to be trusted.

7.2. chroot

7.2. chroot

7.2.1. The chroot

7.2.2. Using the setuid

8.1. Common Problems
8.2. Incrementing and Changing the Serial Number
8.3. Where Can I Get Help?

8.1. Common Problems

8.1.1. It's not working; how can I figure out what's wrong?

8.2. Incrementing and Changing the Serial Number

8.3. Where Can I Get Help?

A.1. Acknowledgments

A.1. Acknowledgments

A.1.1. A Brief History of the DNS

Bibliography

Standards

[RFC974] 

[RFC1034] 

[RFC1035] 

[RFC2181] 

[RFC2308] 

[RFC1995] 

[RFC1996] 

[RFC2136] 

[RFC2845] 

Proposed Standards Still Under Development

[RFC1886] 

[RFC2065] 

[RFC2137] 

Other Important RFCs About DNS

[RFC1535] 

[RFC1536] 

[RFC1982] 

Resource Record Types

[RFC1183] 

[RFC1706] 

[RFC2168] 

[RFC1876] 

[RFC2052] 

[RFC2163] 

[RFC2230] 

DNS

[RFC1101] 

[RFC1123] 

[RFC1591] 

[RFC2317] 

DNS

[RFC1537] 

[RFC1912] 

[RFC2010] 

[RFC2219] 

Other DNS

[RFC1464] 

[RFC1713] 

6.2.19. trusted-keys
6.2.20. trusted-keys
6.2.22. view
6.2.24. zone
6.3. Zone File
6.3.2. Discussion of MX Records
6.3.4. Inverse Mapping in IPv4
6.3.5. Other Zone File Directives
6.3.6. BIND
7.2. chroot
7.2.1. The chroot
7.2.2. Using the setuid
8.1. Common Problems
8.1.1. It's not working; how can I figure out what's wrong?
8.2. Incrementing and Changing the Serial Number
8.3. Where Can I Get Help?
A.1. Acknowledgments
A.1.1. A Brief History of the DNS
A.3.3. Other Documents About BIND Date: Mon, 7 Jun 2004 03:28:55 +0000 Subject: [PATCH 143/146] 1647. [bug] It was possible trigger a INSIST when chasing a DS record that required walking back over a empty node. [RT #11445] --- CHANGES | 5 +++-- lib/dns/resolver.c | 38 ++++++++++++++++++++++++++------------ 2 files changed, 29 insertions(+), 14 deletions(-) diff --git a/CHANGES b/CHANGES index a8219d205e..e0165f47c5 100644 --- a/CHANGES +++ b/CHANGES @@ -5,7 +5,9 @@ multiple dnssec-lookaside namespaces (not yet implemented). -1647. [placeholder] rt11445 +1647. [bug] It was possible trigger a INSIST when chasing a DS + record that required walking back over a empty node. + [RT #11445] 1646. [bug] win32: logging file versions didn't work with non-UNC filenames. [RT#11486] @@ -125,7 +127,6 @@ 1605. [func] New dns_db_find() option DNS_DBFIND_COVERINGNSEC. - 1604. [bug] A xfrout_ctx_create() failure would result in xfrout_ctx_destroy() being called with a partially initaliased structure. diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 7f89953253..c35b15348b 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.288 2004/05/14 04:45:56 marka Exp $ */ +/* $Id: resolver.c,v 1.289 2004/06/07 03:28:55 marka Exp $ */ #include @@ -4716,6 +4716,9 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) { isc_boolean_t bucket_empty = ISC_FALSE; isc_boolean_t locked = ISC_FALSE; unsigned int bucketnum; + dns_rdataset_t nameservers; + dns_fixedname_t fixed; + dns_name_t *domain; REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE); fevent = (dns_fetchevent_t *)event; 
@@ -4731,15 +4734,17 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) { if (fevent->db != NULL) dns_db_detach(&fevent->db); - dns_resolver_destroyfetch(&fctx->nsfetch); + dns_rdataset_init(&nameservers); bucketnum = fctx->bucketnum; - if (fevent->result == ISC_R_CANCELED) + if (fevent->result == ISC_R_CANCELED) { + dns_resolver_destroyfetch(&fctx->nsfetch); fctx_done(fctx, ISC_R_CANCELED); - else if (fevent->result == ISC_R_SUCCESS) { + } else if (fevent->result == ISC_R_SUCCESS) { FCTXTRACE("resuming DS lookup"); + dns_resolver_destroyfetch(&fctx->nsfetch); if (dns_rdataset_isassociated(&fctx->nameservers)) dns_rdataset_disassociate(&fctx->nameservers); dns_rdataset_clone(fevent->rdataset, &fctx->nameservers); @@ -4758,22 +4763,29 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) { } else { unsigned int n; + /* + * Retrieve state from fctx->nsfetch before we destroy it. + */ + dns_fixedname_init(&fixed); + domain = dns_fixedname_name(&fixed); + dns_name_copy(&fctx->nsfetch->private->domain, domain, NULL); + dns_rdataset_clone(&fctx->nsfetch->private->nameservers, + &nameservers); + dns_resolver_destroyfetch(&fctx->nsfetch); + if (dns_name_equal(&fctx->nsname, domain)) { + fctx_done(fctx, DNS_R_SERVFAIL); + goto cleanup; + } n = dns_name_countlabels(&fctx->nsname); dns_name_getlabelsequence(&fctx->nsname, 1, n - 1, &fctx->nsname); - if (dns_name_equal(&fctx->nsname, &fctx->domain)) { - fctx_done(fctx, DNS_R_SERVFAIL); - goto cleanup; - } if (dns_rdataset_isassociated(fevent->rdataset)) dns_rdataset_disassociate(fevent->rdataset); FCTXTRACE("continuing to look for parent's NS records"); result = dns_resolver_createfetch(fctx->res, &fctx->nsname, - dns_rdatatype_ns, - &fctx->domain, - &fctx->nameservers, NULL, - 0, task, + dns_rdatatype_ns, domain, + &nameservers, NULL, 0, task, resume_dslookup, fctx, &fctx->nsrrset, NULL, &fctx->nsfetch); 
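Review bot: The copies taken before `dns_resolver_destroyfetch(&fctx->nsfetch)` reach through `fctx->nsfetch->private`, tying resume_dslookup() to the fetch's private fetchctx layout, and the existing comment says what is copied but not why fctx->domain / fctx->nameservers can no longer be used for the retry. Expand it to record the reason (as far as I can infer from the termination test moving to `dns_name_equal(&fctx->nsname, domain)`, the NS fetch's own domain is the one to stop at and walk back from, not the original query's). The return value of `dns_name_copy(&fctx->nsfetch->private->domain, domain, NULL)` is ignored; with a fixedname target that is presumably safe, but wrapping it in `RUNTIME_CHECK(... == ISC_R_SUCCESS)` as done elsewhere in this tree makes the assumption explicit. The cleanup path that disassociates the local nameservers rdataset is in the following hunk.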
@@ -4787,6 +4799,8 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) { } cleanup: + if (dns_rdataset_isassociated(&nameservers)) + dns_rdataset_disassociate(&nameservers); if (dns_rdataset_isassociated(fevent->rdataset)) dns_rdataset_disassociate(fevent->rdataset); INSIST(fevent->sigrdataset == NULL); From e6c95fe56b0491b533f2ca5a3ed8e8e9f74f4fd2 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 7 Jun 2004 03:56:02 +0000 Subject: [PATCH 144/146] 1651. [bug] dig: process multiple dash options. 1650. [bug] dig, nslookup: flush standard out after each command. --- CHANGES | 4 ++ bin/dig/dig.c | 143 +++++++++++++++++++++++++++------------------ bin/dig/nslookup.c | 3 +- 3 files changed, 93 insertions(+), 57 deletions(-) diff --git a/CHANGES b/CHANGES index e0165f47c5..2117fd297c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +1651. [bug] dig: process multiple dash options. + +1650. [bug] dig, nslookup: flush standard out after each command. + 1649. [bug] Silence "unexpected non-minimal diff" message. [RT #11206] diff --git a/bin/dig/dig.c b/bin/dig/dig.c index 855ea28c3d..cb7b9b670b 100644 --- a/bin/dig/dig.c +++ b/bin/dig/dig.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dig.c,v 1.191 2004/06/03 04:23:01 marka Exp $ */ +/* $Id: dig.c,v 1.192 2004/06/07 03:56:02 marka Exp $ */ #include #include @@ -144,8 +144,8 @@ static void print_usage(FILE *fp) { fputs( "Usage: dig [@global-server] [domain] [q-type] [q-class] {q-opt}\n" -" {global-d-opt} host [@local-server] {local-d-opt}\n" -" [ host [@local-server] {local-d-opt} [...]]\n", fp); +" {global-d-opt} host [@local-server] {local-d-opt}\n" +" [ host [@local-server] {local-d-opt} [...]]\n", fp); } static void 
@@ -165,7 +165,7 @@ static void help(void) { print_usage(stdout); fputs( -"Where: domain are in the Domain Name System\n" +"Where: domain is in the Domain Name System\n" " q-class is one of (in,hs,ch,...) [default: in]\n" " q-type is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]\n" " (Use ixfr=version for type ixfr)\n" @@ -1073,13 +1073,14 @@ plus_option(char *option, isc_boolean_t is_batchfile, /* * ISC_TRUE returned if value was used */ +static const char *single_dash_opts = "46dhimnv"; +static const char *dash_opts = "46bcdfhikmnptvyx"; static isc_boolean_t dash_option(char *option, char *next, dig_lookup_t **lookup, - isc_boolean_t *open_type_class, - isc_boolean_t *firstarg, - int argc, char **argv) + isc_boolean_t *open_type_class, isc_boolean_t *firstarg, + int argc, char **argv) { - char cmd, *value, *ptr; + char opt, *value, *ptr; isc_result_t result; isc_boolean_t value_from_next; isc_textregion_t tr; 
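Review bot: `single_dash_opts` and `dash_opts` must stay in sync with the case labels in dash_option() (and preparse_args() scans single_dash_opts for 'm'), but nothing records that coupling. Declare them as const arrays rather than mutable pointers to literals, `static const char single_dash_opts[] = "46dhimnv";` and `static const char dash_opts[] = "46bcdfhikmnptvyx";`, with a one-line comment such as `/* option letters that never take a value; keep in sync with the switch in dash_option() */`. The existing comment "ISC_TRUE returned if value was used" now sits above the two new definitions instead of the function it describes; move the definitions above it.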
@@ -1089,9 +1090,68 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, struct in_addr in4; struct in6_addr in6; in_port_t srcport; - char *hash; + char *hash, *cmd; - cmd = option[0]; + while (strpbrk(option, single_dash_opts) == &option[0]) { + /* + * Since the -[46dhimnv] options do not take an argument, + * account for them (in any number and/or combination) + * if they appear as the first character(s) of a q-opt. + */ + opt = option[0]; + switch (opt) { + case '4': + if (have_ipv4) { + isc_net_disableipv6(); + have_ipv6 = ISC_FALSE; + } else { + fatal("can't find IPv4 networking"); + return (ISC_FALSE); + } + break; + case '6': + if (have_ipv6) { + isc_net_disableipv4(); + have_ipv4 = ISC_FALSE; + } else { + fatal("can't find IPv6 networking"); + return (ISC_FALSE); + } + break; + case 'd': + ptr = strpbrk(&option[1], dash_opts); + if (ptr != &option[1]) { + cmd = option; + FULLCHECK("debug"); + debugging = ISC_TRUE; + return (ISC_FALSE); + } else + debugging = ISC_TRUE; + break; + case 'h': + help(); + exit(0); + break; + case 'i': + ip6_int = ISC_TRUE; + break; + case 'm': /* memdebug */ + /* memdebug is handled in preparse_args() */ + break; + case 'n': + /* deprecated */ + break; + case 'v': + version(); + exit(0); + break; + } + if (strlen(option) > 1U) + option = &option[1]; + else + return (ISC_FALSE); + } + opt = option[0]; if (strlen(option) > 1U) { value_from_next = ISC_FALSE; value = &option[1]; 
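Review bot: In the new `case '4'` / `case '6'` arms, `fatal(...)` is followed by `return (ISC_FALSE);`, which the old switch did not have; if fatal() does not return the line is dead code, and if it does the caller is told no value was consumed after an error has already been printed — either way the intent should be stated, or the return dropped to match the old arms. The `case 'd'` arm relies on `strpbrk(&option[1], dash_opts)` returning NULL for a bare "-d" (NULL != &option[1]) and then on FULLCHECK("debug") accepting "d" as a prefix of "debug" (I am inferring FULLCHECK's behaviour); that works, but a comment like `/* "-d" alone, or "-d" followed by a non-option letter as in "-debug", is the long form */` would make the NULL case explicit. The `break;` after each `exit(0)` is unreachable. dash_option() continues past the end of this hunk.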
@@ -1099,45 +1159,9 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, value_from_next = ISC_TRUE; value = next; } - switch (cmd) { - case 'd': - debugging = ISC_TRUE; - return (ISC_FALSE); - case 'h': - help(); - exit(0); - break; - case 'i': - ip6_int = ISC_TRUE; - return (ISC_FALSE); - case 'm': /* memdebug */ - /* memdebug is handled in preparse_args() */ - return (ISC_FALSE); - case 'n': - /* deprecated */ - return (ISC_FALSE); - case '4': - if (have_ipv4) { - isc_net_disableipv6(); - have_ipv6 = ISC_FALSE; - } else - fatal("can't find IPv4 networking"); - return (ISC_FALSE); - case '6': - if (have_ipv6) { - isc_net_disableipv4(); - have_ipv4 = ISC_FALSE; - } else - fatal("can't find IPv6 networking"); - return (ISC_FALSE); - case 'v': - version(); - exit(0); - break; - } if (value == NULL) goto invalid_option; - switch (cmd) { + switch (opt) { case 'b': hash = strchr(value, '#'); if (hash != NULL) { @@ -1289,20 +1313,26 @@ static void preparse_args(int argc, char **argv) { int rc; char **rv; + char *option; rc = argc; rv = argv; for (rc--, rv++; rc > 0; rc--, rv++) { - if (strcmp(rv[0], "-m") == 0) { - memdebugging = ISC_TRUE; - isc_mem_debugging = ISC_MEM_DEBUGTRACE | - ISC_MEM_DEBUGRECORD; - return; + if (rv[0][0] != '-') + continue; + option = &rv[0][1]; + while (strpbrk(option, single_dash_opts) == &option[0]) { + if (option[0] == 'm') { + memdebugging = ISC_TRUE; + isc_mem_debugging = ISC_MEM_DEBUGTRACE | + ISC_MEM_DEBUGRECORD; + return; + } + option = &option[1]; } } } - static void parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only, int argc, char **argv) { 
@@ -1551,9 +1581,9 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only, } /* - * Callback from dighost.c to allow program-specific shutdown code. Here, - * Here, we're possibly reading from a batch file, then shutting down for - * real if there's nothing in the batch file to read. + * Callback from dighost.c to allow program-specific shutdown code. + * Here, we're possibly reading from a batch file, then shutting down + * for real if there's nothing in the batch file to read. */ void dighost_shutdown(void) { @@ -1568,6 +1598,7 @@ dighost_shutdown(void) { return; } + fflush(stdout); if (feof(batchfp)) { batchname = NULL; isc_app_shutdown(); diff --git a/bin/dig/nslookup.c b/bin/dig/nslookup.c index 41333a2551..f12c5a02b9 100644 --- a/bin/dig/nslookup.c +++ b/bin/dig/nslookup.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: nslookup.c,v 1.103 2004/04/13 02:54:15 marka Exp $ */ +/* $Id: nslookup.c,v 1.104 2004/06/07 03:56:02 marka Exp $ */ #include @@ -725,6 +725,7 @@ get_next_command(void) { char *ptr, *arg; char *input; + fflush(stdout); buf = isc_mem_allocate(mctx, COMMSIZE); if (buf == NULL) fatal("memory allocation failure"); From 8d0d941054982cff5235a9033040ac35c3f06a50 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 8 Jun 2004 00:17:09 +0000 Subject: [PATCH 145/146] bind9-users -> bind-users --- README | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README b/README index aa7ce9503b..1f409fbe24 100644 --- a/README +++ b/README @@ -327,9 +327,9 @@ Bug Reports and Mailing Lists bind9-bugs@isc.org - To join the BIND 9 Users mailing list, send mail to + To join the BIND Users mailing list, send mail to - bind9-users-request@isc.org + bind-users-request@isc.org archives of which can be found via From 5ce5a3c0e9c3b9cc99677365850060ecb5f25c0d Mon Sep 17 00:00:00 2001 
From: Mark Andrews Date: Tue, 8 Jun 2004 06:50:21 +0000 Subject: [PATCH 146/146] new draft --- ...t => draft-ietf-dnsext-dns-threats-07.txt} | 264 +- ...s-29.txt => draft-ietf-dnsext-mdns-30.txt} | 3423 +++++++++-------- 2 files changed, 2000 insertions(+), 1687 deletions(-) rename doc/draft/{draft-ietf-dnsext-dns-threats-06.txt => draft-ietf-dnsext-dns-threats-07.txt} (89%) rename doc/draft/{draft-ietf-dnsext-mdns-29.txt => draft-ietf-dnsext-mdns-30.txt} (88%) diff --git a/doc/draft/draft-ietf-dnsext-dns-threats-06.txt b/doc/draft/draft-ietf-dnsext-dns-threats-07.txt similarity index 89% rename from doc/draft/draft-ietf-dnsext-dns-threats-06.txt rename to doc/draft/draft-ietf-dnsext-dns-threats-07.txt index 6540f0def2..15217dad2c 100644 --- a/doc/draft/draft-ietf-dnsext-dns-threats-06.txt +++ b/doc/draft/draft-ietf-dnsext-dns-threats-07.txt @@ -1,10 +1,10 @@ Network Working Group D. Atkins -draft-ietf-dnsext-dns-threats-06.txt IHTFP Consulting +draft-ietf-dnsext-dns-threats-07.txt IHTFP Consulting R. Austein ISC - February 2004 + April 2004 Threat Analysis of the Domain Name System @@ -51,9 +51,9 @@ Abstract -Atkins & Austein Expires 21 August 2004 [Page 1] +Atkins & Austein Expires 9 October 2004 [Page 1] -draft-ietf-dnsext-dns-threats-06.txt February 2004 +draft-ietf-dnsext-dns-threats-07.txt April 2004 1. Introduction @@ -107,9 +107,9 @@ draft-ietf-dnsext-dns-threats-06.txt February 2004 -Atkins & Austein Expires 21 August 2004 [Page 2] +Atkins & Austein Expires 9 October 2004 [Page 2] -draft-ietf-dnsext-dns-threats-06.txt February 2004 +draft-ietf-dnsext-dns-threats-07.txt April 2004 [RFC1034], [RFC1035], section 6.1 of [RFC1123], [RFC2181], [RFC2308], 
@@ -163,9 +163,9 @@ draft-ietf-dnsext-dns-threats-06.txt February 2004 -Atkins & Austein Expires 21 August 2004 [Page 3] +Atkins & Austein Expires 9 October 2004 [Page 3] -draft-ietf-dnsext-dns-threats-06.txt February 2004 +draft-ietf-dnsext-dns-threats-07.txt April 2004 heavily used name servers (such as the servers for the root zone), @@ -219,9 +219,9 @@ draft-ietf-dnsext-dns-threats-06.txt February 2004 -Atkins & Austein Expires 21 August 2004 [Page 4] +Atkins & Austein Expires 9 October 2004 [Page 4] -draft-ietf-dnsext-dns-threats-06.txt February 2004 +draft-ietf-dnsext-dns-threats-07.txt April 2004 QTYPEs for which a resolver might be querying, this leaves the 
@@ -248,24 +248,41 @@ draft-ietf-dnsext-dns-threats-06.txt February 2004 with a recursing name server that does perform DNSSEC signature checking. -2.3. Name Games +2.3. Name Chaining Perhaps the most interesting class of DNS-specific threats are the - name-based attacks. There are several variations within this class, - sometimes called "cache poisoning" or "fake authority" attacks. What - all of these attacks have in common is that they all involve DNS RRs - whose RDATA portion (right hand side) includes a DNS name. Any such - RR is, at least in principle, a hook that lets an attacker feed bad - data into a victim's cache, thus potentially subverting subsequent - decisions based on DNS names. + name chaining attacks. These are a subset of a larger class of name- + based attacks, sometimes called "cache poisoning" attacks. Most + name-based attacks can be at least partially mitigated by the long- + standing defense of checking RRs in response messages for relevance + to the original query, but such defenses do not catch name chaining + attacks. There are several variations on the basic attack, but what + they all have in common is that they all involve DNS RRs whose RDATA + portion (right hand side) includes a DNS name (or, in a few cases, + something that is not a DNS name but which directly maps to a DNS + name). Any such RR is, at least in principle, a hook that lets an + attacker feed bad data into a victim's cache, thus potentially + subverting subsequent decisions based on DNS names. The worst examples in this class of RRs are CNAME, NS, and DNAME RRs, because they can redirect a victim's query to a location of the attacker's choosing. RRs like MX and SRV are somewhat less dangerous, but in principle they can also be used to trigger further - lookups at a location of the attacker's choosing. + lookups at a location of the attacker's choosing. 
Address RR types + such as A or AAAA don't have DNS names in their RDATA, but since the + IN-ADDR.ARPA and IP6.ARPA trees are indexed using a DNS encoding of + IPv4 and IPv6 addresses, these record types can also be used in a - The general form of a name-based attack is something like this: + + +Atkins & Austein Expires 9 October 2004 [Page 5] + +draft-ietf-dnsext-dns-threats-07.txt April 2004 + + + name chaining attack. + + The general form of a name chaining attack is something like this: - Victim issues a query, perhaps at the instigation of the attacker or some third party; in some cases the query itself may be @@ -273,13 +290,6 @@ draft-ietf-dnsext-dns-threats-06.txt February 2004 using this query as a means to inject false information about some other name). - - -Atkins & Austein Expires 21 August 2004 [Page 5] - -draft-ietf-dnsext-dns-threats-06.txt February 2004 - - - Attacker injects response, whether via packet interception, query guessing, or by being a legitimate name server that's involved at some point in the process of answering the query that the victim 
@@ -298,19 +308,19 @@ draft-ietf-dnsext-dns-threats-06.txt February 2004 Any attacker who can insert resource records into a victim's cache can almost certainly do some kind of damage, so there are cache - poisoning attacks which are not name-based attacks in the sense - discussed here. However, in the case of name-based attacks, the + poisoning attacks which are not name chaining attacks in the sense + discussed here. However, in the case of name chaining attacks, the cause and effect relationship between the initial attack and the eventual result may be significantly more complex than in the other - forms of cache poisoning, so name-based attacks merit special + forms of cache poisoning, so name chaining attacks merit special attention. - The common thread in all of the name-based attacks is that response - messages allow the attacker to introduce arbitrary DNS names of the - attacker's choosing and provide further information that the attacker - claims is associated with those names; unless the victim has better - knowledge of the data associated with those names, the victim is - going to have a hard time defending against this class of attacks. + The common thread in all of the name chaining attacks is that + response messages allow the attacker to introduce arbitrary DNS names + of the attacker's choosing and provide further information that the + attacker claims is associated with those names; unless the victim has + better knowledge of the data associated with those names, the victim + is going to have a hard time defending against this class of attacks. This class of attack is particularly insidious given that it's quite easy for an attacker to provoke a victim into querying for a 
@@ -318,6 +328,14 @@ draft-ietf-dnsext-dns-threats-06.txt February 2004 a link to a 1x1-pixel "web bug" graphic in a piece of Text/HTML mail to the victim. If the victim's mail reading program attempts to follow such a link, the result will be a DNS query for a name chosen + + + +Atkins & Austein Expires 9 October 2004 [Page 6] + +draft-ietf-dnsext-dns-threats-07.txt April 2004 + + by the attacker. DNSSEC should provide a good defense against most (all?) variations @@ -328,20 +346,12 @@ draft-ietf-dnsext-dns-threats-06.txt February 2004 injected the data had access to an allegedly secret key whose corresponding public key appears at an expected location in the DNS name space with an expected chain of parental signatures that start - - - -Atkins & Austein Expires 21 August 2004 [Page 6] - -draft-ietf-dnsext-dns-threats-06.txt February 2004 - - with a public key of which the resolver has prior knowledge). DNSSEC signatures do not cover glue records, so there's still a - possibility of a name-based attack involving glue, but with DNSSEC it - is possible to detect the attack by temporarily accepting the glue in - order to fetch the signed authoritative version of the same data, + possibility of a name chaining attack involving glue, but with DNSSEC + it is possible to detect the attack by temporarily accepting the glue + in order to fetch the signed authoritative version of the same data, then checking the signatures on the authoritative version. 2.4. Betrayal By Trusted Server 
@@ -374,6 +384,14 @@ draft-ietf-dnsext-dns-threats-06.txt February 2004 prevent the client host from being able to run an iterative resolver even if the owner of the client machine is willing and able to do so. Thus, while the initial source of this problem is not a DNS protocol + + + +Atkins & Austein Expires 9 October 2004 [Page 7] + +draft-ietf-dnsext-dns-threats-07.txt April 2004 + + attack per se, this sort of betrayal is a threat to DNS clients, and simply switching to a different recursive name server is not an adequate defense. @@ -384,14 +402,6 @@ draft-ietf-dnsext-dns-threats-06.txt February 2004 attacker. The defense against this is the same as with a packet interception attack: the resolver must either check DNSSEC signatures itself or use TSIG (or equivalent) to authenticate the server that it - - - -Atkins & Austein Expires 21 August 2004 [Page 7] - -draft-ietf-dnsext-dns-threats-06.txt February 2004 - - has chosen to trust. Note that use of TSIG does not by itself guarantee that a name server is at all trustworthy: all TSIG can do is help a resolver protect its communication with a name server that @@ -430,6 +440,14 @@ draft-ietf-dnsext-dns-threats-06.txt February 2004 Much discussion has taken place over the question of authenticated denial of domain names. The particular question is whether there is a requirement for authenticating the non-existence of a name. The + + + +Atkins & Austein Expires 9 October 2004 [Page 8] + +draft-ietf-dnsext-dns-threats-07.txt April 2004 + + issue is whether the resolver should be able to detect when an attacker removes RRs from a response. 
@@ -440,14 +458,6 @@ draft-ietf-dnsext-dns-threats-06.txt February 2004 might be considered a problem. The question remains: how serious is this threat? Clearly the threat does exist; general paranoia says that some day it'll be on the front page of some major newspaper, - - - -Atkins & Austein Expires 21 August 2004 [Page 8] - -draft-ietf-dnsext-dns-threats-06.txt February 2004 - - even if we cannot conceive of a plausible scenario involving this attack today. This implies that some mitigation of this risk is required. @@ -486,6 +496,14 @@ draft-ietf-dnsext-dns-threats-06.txt February 2004 applicable). Note that this makes the wildcard mechanisms dependent upon the + + + +Atkins & Austein Expires 9 October 2004 [Page 9] + +draft-ietf-dnsext-dns-threats-07.txt April 2004 + + authenticated denial mechanism described in the previous section. DNSSEC includes mechanisms along the lines described above, which @@ -496,14 +514,6 @@ draft-ietf-dnsext-dns-threats-06.txt February 2004 DNSSEC has some problems of its own: - - - -Atkins & Austein Expires 21 August 2004 [Page 9] - -draft-ietf-dnsext-dns-threats-06.txt February 2004 - - - DNSSEC is complex to implement, and includes some nasty edge cases at the zone cuts that require very careful coding. Testbed experience to date suggests that trivial zone configuration errors @@ -542,6 +552,14 @@ draft-ietf-dnsext-dns-threats-06.txt February 2004 the validating resolver and the entity creating the DNSSEC signatures. Prior to DNSSEC, all time-related actions in DNS could be performed by a machine that only knew about "elapsed" or + + + +Atkins & Austein Expires 9 October 2004 [Page 10] + +draft-ietf-dnsext-dns-threats-07.txt April 2004 + + "relative" time. Because the validity period of a DNSSEC signature is based on "absolute" time, a validating resolver must have the same concept of absolute time as the zone signer in order to 
@@ -553,13 +571,6 @@ draft-ietf-dnsext-dns-threats-06.txt February 2004 generating signatures whose validity period does not match what the signer intended. - - -Atkins & Austein Expires 21 August 2004 [Page 10] - -draft-ietf-dnsext-dns-threats-06.txt February 2004 - - - The possible existence of wildcard RRs in a zone complicates the authenticated denial mechanism considerably. For most of the decade that DNSSEC has been under development these issues were @@ -598,6 +609,13 @@ draft-ietf-dnsext-dns-threats-06.txt February 2004 There are, however, other potential problems at the boundaries where DNS interacts with other protocols. + + +Atkins & Austein Expires 9 October 2004 [Page 11] + +draft-ietf-dnsext-dns-threats-07.txt April 2004 + + 4.2. Securing DNS Dynamic Update DNS dynamic update opens a number of potential problems when combined @@ -608,14 +626,6 @@ draft-ietf-dnsext-dns-threats-06.txt February 2004 limited or closed environment such as a DHCP server updating a local DNS name server. - - - -Atkins & Austein Expires 21 August 2004 [Page 11] - -draft-ietf-dnsext-dns-threats-06.txt February 2004 - - Major issues arise when trying to use dynamic update on a secure zone. TSIG can similarly be used in a limited fashion to authenticate the client to the server, but TSIG only protects DNS @@ -651,6 +661,17 @@ draft-ietf-dnsext-dns-threats-06.txt February 2004 Scaling properties of the key management problem here are a particular concern that needs more study. + + + + + + +Atkins & Austein Expires 9 October 2004 [Page 12] + +draft-ietf-dnsext-dns-threats-07.txt April 2004 + + 4.3. Securing DNS Zone Replication As discussed in previous sections, DNSSEC per se attempts to provide 
@@ -664,14 +685,6 @@ draft-ietf-dnsext-dns-threats-06.txt February 2004 security", but still does not provide object security for complete zones, so the trust relationships involved in zone transfer are still very much a hop-by-hop matter of name server operators trusting other - - - -Atkins & Austein Expires 21 August 2004 [Page 12] - -draft-ietf-dnsext-dns-threats-06.txt February 2004 - - name server operators, rather than an end-to-end matter of name server operators trusting zone administrators. @@ -707,6 +720,14 @@ Acknowledgments Dan Bernstein, Randy Bush, Steve Crocker, Olafur Gudmundsson, Russ Housley, Rip Loomis, Allison Mankin, Paul Mockapetris, Thomas Narten Mans Nilsson, Pekka Savola, Paul Vixie, Xunhua Wang, and any other + + + +Atkins & Austein Expires 9 October 2004 [Page 13] + +draft-ietf-dnsext-dns-threats-07.txt April 2004 + + members of the DNS, DNSSEC, DNSIND, and DNSEXT working groups whose names and contributions the authors have forgotten, none of whom are responsible for what the authors did with their ideas. @@ -721,13 +742,6 @@ Normative References [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", RFC 1034, November 1987. - - -Atkins & Austein Expires 21 August 2004 [Page 13] - -draft-ietf-dnsext-dns-threats-06.txt February 2004 - - [RFC1035] Mockapetris, P., "Domain names - implementation and specification", RFC 1035, November 1987. @@ -762,6 +776,14 @@ Informative References Board, "Guidelines for Writing RFC Text on Security Considerations", RFC 3552, July 2003. + + + +Atkins & Austein Expires 9 October 2004 [Page 14] + +draft-ietf-dnsext-dns-threats-07.txt April 2004 + + [Bellovin95] Bellovin, S., "Using the Domain Name System for System Break-Ins", Proceedings of the Fifth Usenix Unix Security Symposium, June 1995. 
@@ -776,14 +798,6 @@ Informative References [Vixie95] Vixie, P, "DNS and BIND Security Issues", Proceedings of the Fifth Usenix Unix Security Symposium, June 1995. - - - -Atkins & Austein Expires 21 August 2004 [Page 14] - -draft-ietf-dnsext-dns-threats-06.txt February 2004 - - Authors' addresses: Derek Atkins @@ -818,6 +832,14 @@ Intellectual Property Statement be obtained from the IETF Secretariat. The IETF invites any interested party to bring to its attention any + + + +Atkins & Austein Expires 9 October 2004 [Page 15] + +draft-ietf-dnsext-dns-threats-07.txt April 2004 + + copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive @@ -832,14 +854,6 @@ Full Copyright Statement or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are - - - -Atkins & Austein Expires 21 August 2004 [Page 15] - -draft-ietf-dnsext-dns-threats-06.txt February 2004 - - included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other @@ -877,19 +891,5 @@ Acknowledgement - - - - - - - - - - - - - - -Atkins & Austein Expires 21 August 2004 [Page 16] +Atkins & Austein Expires 9 October 2004 [Page 16] diff --git a/doc/draft/draft-ietf-dnsext-mdns-29.txt b/doc/draft/draft-ietf-dnsext-mdns-30.txt similarity index 88% rename from doc/draft/draft-ietf-dnsext-mdns-29.txt rename to doc/draft/draft-ietf-dnsext-mdns-30.txt index 1a51b690d3..1537573911 100644 --- a/doc/draft/draft-ietf-dnsext-mdns-29.txt +++ b/doc/draft/draft-ietf-dnsext-mdns-30.txt 
@@ -1,1555 +1,1868 @@ - - -DNSEXT Working Group Levon Esibov -INTERNET-DRAFT Bernard Aboba -Category: Standards Track Dave Thaler - Microsoft -20 January 2004 - - - Linklocal Multicast Name Resolution (LLMNR) - -This document is an Internet-Draft and is in full conformance with all -provisions of Section 10 of RFC 2026. - -Internet-Drafts are working documents of the Internet Engineering Task -Force (IETF), its areas, and its working groups. Note that other groups -may also distribute working documents as Internet-Drafts. - -Internet-Drafts are draft documents valid for a maximum of six months -and may be updated, replaced, or obsoleted by other documents at any -time. It is inappropriate to use Internet-Drafts as reference material -or to cite them other than as "work in progress." - -The list of current Internet-Drafts can be accessed at -http://www.ietf.org/ietf/1id-abstracts.txt - -The list of Internet-Draft Shadow Directories can be accessed at -http://www.ietf.org/shadow.html. - -Copyright Notice - -Copyright (C) The Internet Society (2004). All Rights Reserved. - -Abstract - -Today, with the rise of home networking, there are an increasing number -of ad-hoc networks operating without a Domain Name System (DNS) server. -In order to allow name resolution in such environments, Link-Local -Multicast Name Resolution (LLMNR) is proposed. LLMNR supports all -current and future DNS formats, types and classes, while operating on a -separate port from DNS, and with a distinct resolver cache. - -The goal of LLMNR is to enable name resolution in scenarios in which -conventional DNS name resolution is not possible. Since LLMNR only -operates on the local link, it cannot be considered a substitute for -DNS. - - - - - - - -Esibov, Aboba & Thaler Standards Track [Page 1] - - - - - -INTERNET-DRAFT LLMNR 20 January 2004 - - -Table of Contents - -1. Introduction .......................................... 3 - 1.1 Requirements .................................... 
3 - 1.2 Terminology ..................................... 4 -2. Name resolution using LLMNR ........................... 4 - 2.1 LLMNR packet format ............................. 5 - 2.2 Sender behavior ................................. 8 - 2.3 Responder behavior .............................. 8 - 2.4 Unicast queries ................................. 10 - 2.5 Off-link detection .............................. 11 - 2.6 Responder responsibilities ...................... 12 - 2.7 Retransmission and jitter ....................... 13 - 2.8 DNS TTL ......................................... 14 - 2.9 Use of the authority and additional sections .... 14 -3. Usage model ........................................... 14 - 3.1 LLMNR configuration ............................. 15 -4. Conflict resolution ................................... 16 - 4.1 Considerations for multiple interfaces .......... 18 - 4.2 API issues ...................................... 19 -5. Security considerations ............................... 20 - 5.1 Scope restriction ............................... 20 - 5.2 Usage restriction ............................... 21 - 5.3 Cache and port separation ....................... 22 - 5.4 Authentication .................................. 22 -6. IANA considerations ................................... 22 -7. References ............................................ 22 - 7.1 Normative References ............................ 22 - 7.2 Informative References .......................... 23 -Acknowledgments .............................................. 24 -Authors' Addresses ........................................... 25 -Intellectual Property Statement .............................. 25 -Full Copyright Statement ..................................... 26 - - - - - - - - - - - - - - - - - - -Esibov, Aboba & Thaler Standards Track [Page 2] - - - - - -INTERNET-DRAFT LLMNR 20 January 2004 - - -1. 
Introduction - -This document discusses Link Local Multicast Name Resolution (LLMNR), -which utilizes the DNS packet format and supports all current and future -DNS formats, types and classes. LLMNR operates on a separate port from -the Domain Name System (DNS), with a distinct resolver cache. - -The goal of LLMNR is to enable name resolution in scenarios in which -conventional DNS name resolution is not possible. These include -scenarios in which hosts are not configured with the address of a DNS -server, where configured DNS servers do not reply to a query, or where -they respond with errors, as described in Section 2. Since LLMNR only -operates on the local link, it cannot be considered a substitute for -DNS. - -Link-scope multicast addresses are used to prevent propagation of LLMNR -traffic across routers, potentially flooding the network. LLMNR queries -can also be sent to a unicast address, as described in Section 2.4. - -Propagation of LLMNR packets on the local link is considered sufficient -to enable name resolution in small networks. The assumption is that if -a network has a gateway, then the network is able to provide DNS server -configuration. Configuration issues are discussed in Section 3.1. - -In the future, it may be desirable to consider use of multicast name -resolution with multicast scopes beyond the link-scope. This could -occur if LLMNR deployment is successful, the need for multicast name -resolution beyond the link-scope, or multicast routing becomes -ubiquitous. For example, expanded support for multicast name resolution -might be required for mobile ad-hoc networking scenarios, or where no -DNS server is available that is authoritative for the names of local -hosts, and can support dynamic DNS, such as in wireless hotspots. 
- -Once we have experience in LLMNR deployment in terms of administrative -issues, usability and impact on the network, it will be possible to -reevaluate which multicast scopes are appropriate for use with multicast -name resolution. - -Service discovery in general, as well as discovery of DNS servers using -LLMNR in particular, is outside of the scope of this document, as is -name resolution over non-multicast capable media. - -1.1. Requirements - -In this document, several words are used to signify the requirements of -the specification. These words are often capitalized. The key words -"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD -NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be - - - -Esibov, Aboba & Thaler Standards Track [Page 3] - - - - - -INTERNET-DRAFT LLMNR 20 January 2004 - - -interpreted as described in [RFC2119]. - -1.2. Terminology - -This document assumes familiarity with DNS terminology defined in -[RFC1035]. Other terminology used in this document includes: - -Positively Resolved - Responses with RCODE set to zero are referred to in this document - as "positively resolved". - -Routable Address - An address other than a Link-Local address. This includes globally - routable addresses, as well as private addresses. - -Reachable - An address is considered reachable over a link if either an ARP or - neighbor discovery cache entry exists for the address on the link. - -Responder - A host that listens to LLMNR queries, and responds to those for - which it is authoritative. - -Sender - A host that sends an LLMNR query. - -2. Name resolution using LLMNR - -LLMNR is a peer-to-peer name resolution protocol that is not intended as -a replacement for DNS. LLMNR queries are sent to and received on port -TBD. IPv4 administratively scoped multicast usage is specified in -"Administratively Scoped IP Multicast" [RFC2365]. 
The IPv4 link-scope -multicast address a given responder listens to, and to which a sender -sends queries, is TBD. The IPv6 link-scope multicast address a given -responder listens to, and to which a sender sends all queries, is TBD. - -Typically a host is configured as both an LLMNR sender and a responder. -A host MAY be configured as a sender, but not a responder. However, a -host configured as a responder MUST act as a sender to verify the -uniqueness of names as described in Section 4. This document does not -specify how names are chosen or configured. This may occur via any -mechanism, including DHCPv4 [RFC2131] or DHCPv6 [RFC3315]. - -LLMNR usage MAY be configured manually or automatically on a per -interface basis. By default, LLMNR responders SHOULD be enabled on all -interfaces, at all times. Enabling LLMNR for use in situations where a -DNS server has been configured will result in a change in default -behavior without a simultaneous update to configuration information. - - - -Esibov, Aboba & Thaler Standards Track [Page 4] - - - - - -INTERNET-DRAFT LLMNR 20 January 2004 - - -Where this is considered undesirable, LLMNR SHOULD NOT be enabled by -default, so that hosts will neither listen on the link-scope multicast -address, nor will they send queries to that address. - -An LLMNR sender may send a request for any name. However, by default, -LLMNR requests SHOULD be sent only when one of the following conditions -are met: - -[1] No manual or automatic DNS configuration has been performed. If an - interface has been configured with DNS server address(es), then - LLMNR SHOULD NOT be used as the primary name resolution mechanism - on that interface, although it MAY be used as a name resolution - mechanism of last resort. - -[2] DNS servers do not respond. - -[3] DNS servers respond to a DNS query with RCODE=3 (Authoritative Name - Error) or RCODE=0, and an empty answer section. 
- -A typical sequence of events for LLMNR usage is as follows: - -[a] DNS servers are not configured or do not respond to a DNS query, or - respond with RCODE=3, or RCODE=0 and an empty answer section. - -[b] An LLMNR sender sends an LLMNR query to the link-scope multicast - address(es) defined in Section 2, unless a unicast query is - indicated. A sender SHOULD send LLMNR queries for PTR RRs via - unicast, as specified in Section 2.4. - -[c] A responder responds to this query only if it is authoritative for - the domain name in the query. A responder responds to a multicast - query by sending a unicast UDP response to the sender. Unicast - queries are responded to as indicated in Section 2.4. - -[d] Upon reception of the response, the sender processes it. - -Further details of sender and responder behavior are provided in the -sections that follow. - -2.1. LLMNR packet format - -LLMNR utilizes the DNS packet format defined in [RFC1035] Section 4 for -both queries and responses. LLMNR implementations SHOULD send UDP -queries and responses only as large as are known to be permissible -without causing fragmentation. When in doubt a maximum packet size of -512 octets SHOULD be used. LLMNR implementations MUST accept UDP -queries and responses as large as permitted by the link MTU. - - - - -Esibov, Aboba & Thaler Standards Track [Page 5] - - - - - -INTERNET-DRAFT LLMNR 20 January 2004 - - -2.1.1. 
LLMNR header format - -LLMNR queries and responses utilize the DNS header format defined in -[RFC1035] with exceptions noted below: - - 1 1 1 1 1 1 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -| ID | -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -|QR| Opcode | Z|TC| Z| Z| Z| Z| Z| RCODE | -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -| QDCOUNT | -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -| ANCOUNT | -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -| NSCOUNT | -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -| ARCOUNT | -+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - -where: - -ID A 16 bit identifier assigned by the program that generates any kind - of query. This identifier is copied from the query to the response - and can be used by the sender to match responses to outstanding - queries. The ID field in a query SHOULD be set to a pseudo-random - value. - -QR A one bit field that specifies whether this message is an LLMNR - query (0), or an LLMNR response (1). - -OPCODE - A four bit field that specifies the kind of query in this message. - This value is set by the originator of a query and copied into the - response. This specification defines the behavior of standard - queries and responses (opcode value of zero). Future - specifications may define the use of other opcodes with LLMNR. - LLMNR senders and responders MUST support standard queries (opcode - value of zero). LLMNR queries with unsupported OPCODE values MUST - be silently discarded by responders. - -TC TrunCation - specifies that this message was truncated due to - length greater than that permitted on the transmission channel. - The TC bit MUST NOT be set in an LLMNR query and if set is ignored - by an LLMNR responder. 
If the TC bit is set an LLMNR response, - then the sender MAY use the response if it contains all necessary - information, or the sender MAY discard the response and resend the - - - -Esibov, Aboba & Thaler Standards Track [Page 6] - - - - - -INTERNET-DRAFT LLMNR 20 January 2004 - - - LLMNR query over TCP using the unicast address of the responder as - the destination address. See [RFC2181] and Section 2.4 of this - specification for further discussion of the TC bit. - -Z Reserved for future use. Implementations of this specification - MUST set these bits to zero in both queries and responses. If - these bits are set in a LLMNR query or response, implementations of - this specification MUST ignore them. Since reserved bits could - conceivably be used for different purposes than in DNS, - implementors are advised not to enable processing of these bits in - an LLMNR implementation starting from a DNS code base. - -RCODE - Response code -- this 4 bit field is set as part of LLMNR - responses. In an LLMNR query, the RCODE MUST be zero, and is - ignored by the responder. The response to a multicast LLMNR query - MUST have RCODE set to zero. A sender MUST silently discard an - LLMNR response with a non-zero RCODE sent in response to a - multicast query. - - If an LLMNR responder is authoritative for the name in a multicast - query, but an error is encountered, the responder SHOULD send an - LLMNR response with an RCODE of zero, no RRs in the answer section, - and the TC bit set. This will cause the query to be resent using - TCP, and allow the inclusion of a non-zero RCODE in the response to - the TCP query. Responding with the TC bit set is preferrable to - not sending a response, since it enables errors to be diagnosed. - - Since LLMNR responders only respond to LLMNR queries for names for - which they are authoritative, LLMNR responders MUST NOT respond - with an RCODE of 3; instead, they should not respond at all. 
- - LLMNR implementations MUST support EDNS0 [RFC2671] and extended - RCODE values. - -QDCOUNT - An unsigned 16 bit integer specifying the number of entries in the - question section. A sender MUST place only one question into the - question section of an LLMNR query. LLMNR responders MUST silently - discard LLMNR queries with QDCOUNT not equal to one. LLMNR senders - MUST silently discard LLMNR responses with QDCOUNT not equal to - one. - -ANCOUNT - An unsigned 16 bit integer specifying the number of resource - records in the answer section. LLMNR responders MUST silently - discard LLMNR queries with ANCOUNT not equal to zero. - - - - -Esibov, Aboba & Thaler Standards Track [Page 7] - - - - - -INTERNET-DRAFT LLMNR 20 January 2004 - - -NSCOUNT - An unsigned 16 bit integer specifying the number of name server - resource records in the authority records section. Authority - record section processing is described in Section 2.9. - -ARCOUNT - An unsigned 16 bit integer specifying the number of resource - records in the additional records section. Additional record - section processing is described in Section 2.9. - -2.2. Sender behavior - -A sender may send an LLMNR query for any legal resource record type -(e.g. A, AAAA, SRV, etc.) to the link-scope multicast address. - -As described in Section 2.4, a sender may also send a unicast query. -Sections 2 and 3 describe the circumstances in which LLMNR queries may -be sent. - -The sender MUST anticipate receiving no replies to some LLMNR queries, -in the event that no responders are available within the link-scope or -in the event no positive non-null responses exist for the transmitted -query. If no positive response is received, a resolver treats it as a -response that no records of the specified type and class exist for the -specified name (it is treated the same as a response with RCODE=0 and an -empty answer section). 
- -Since the responder may order the RRs in the response so as to indicate -preference, the sender SHOULD preserve ordering in the response to the -querying application. - -2.3. Responder behavior - -An LLMNR response MUST be sent to the sender via unicast. - -Upon configuring an IP address responders typically will synthesize -corresponding A, AAAA and PTR RRs so as to be able to respond to LLMNR -queries for these RRs. An SOA RR is synthesized only when a responder -has another RR as well; the SOA RR MUST NOT be the only RR that a -responder has. However, in general whether RRs are manually or -automatically created is an implementation decision. - -For example, a host configured to have computer name "host1" and to be a -member of the "example.com" domain, and with IPv4 address 10.1.1.1 and -IPv6 address 2001:0DB8::1:2:3:FF:FE:4:5:6 might be authoritative for the -following records: - -host1. IN A 10.1.1.1 - - - -Esibov, Aboba & Thaler Standards Track [Page 8] - - - - - -INTERNET-DRAFT LLMNR 20 January 2004 - - -IN AAAA 2001:0DB8::1:2:3:FF:FE:4:5:6 - -host1.example.com. IN A 10.1.1.1 -IN AAAA 2001:0DB8::1:2:3:FF:FE:4:5:6 - -1.1.1.10.in-addr.arpa. IN PTR host1. -IN PTR host1.example.com. - -6.0.5.0.4.0.E.F.F.F.3.0.2.0.1.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa -IN PTR host1. -IN PTR host1.example.com - -An LLMNR responder might be further manually configured with the name of -a local mail server with an MX RR included in the "host1." and -"host1.example.com." records. - -In responding to queries: - -[a] Responders MUST listen on UDP port TBD on the link-scope multicast - address(es) defined in Section 2, and on UDP and TCP port TBD on - the unicast address(es) that could be set as the source address(es) - when the responder responds to the LLMNR query. - -[b] Responders MUST direct responses to the port from which the query - was sent. When queries are received via TCP this is an inherent - part of the transport protocol. 
For queries received by UDP the - responder MUST take note of the source port and use that as the - destination port in the response. Responses SHOULD always be sent - from the port to which they were directed. - -[c] Responders MUST respond to LLMNR queries for names and addresses - they are authoritative for. This applies to both forward and - reverse lookups. - -[d] Responders MUST NOT respond to LLMNR queries for names they are not - authoritative for. - -[e] Responders MUST NOT respond using cached data. - -[f] If a DNS server is running on a host that supports LLMNR, the DNS - server MUST respond to LLMNR queries only for the RRSets relating - to the host on which the server is running, but MUST NOT respond - for other records for which the server is authoritative. DNS - servers also MUST NOT send LLMNR queries in order to resolve DNS - queries. - -[g] If a responder is authoritative for a name, it MAY respond with - RCODE=0 and an empty answer section, if the type of query does not - - - -Esibov, Aboba & Thaler Standards Track [Page 9] - - - - - -INTERNET-DRAFT LLMNR 20 January 2004 - - - match a RR that the responder has. - -As an example, a host configured to respond to LLMNR queries for the -name "foo.example.com." is authoritative for the name -"foo.example.com.". On receiving an LLMNR query for an A RR with the -name "foo.example.com." the host authoritatively responds with A RR(s) -that contain IP address(es) in the RDATA of the resource record. If the -responder has a AAAA RR, but no A RR, and an A RR query is received, the -responder would respond with RCODE=0 and an empty answer section. - -In conventional DNS terminology a DNS server authoritative for a zone is -authoritative for all the domain names under the zone apex except for -the branches delegated into separate zones. Contrary to conventional -DNS terminology, an LLMNR responder is authoritative only for the zone -apex. - -For example the host "foo.example.com." 
is not authoritative for the -name "child.foo.example.com." unless the host is configured with -multiple names, including "foo.example.com." and -"child.foo.example.com.". As a result, "foo.example.com." cannot reply -to an LLMNR query for "child.foo.example.com." with RCODE=3 -(authoritative name error). The purpose of limiting the name authority -scope of a responder is to prevent complications that could be caused by -coexistence of two or more hosts with the names representing child and -parent (or grandparent) nodes in the DNS tree, for example, -"foo.example.com." and "child.foo.example.com.". - -In this example (unless this limitation is introduced) an LLMNR query -for an A resource record for the name "child.foo.example.com." would -result in two authoritative responses: RCODE=3 (authoritative name -error) received from "foo.example.com.", and a requested A record - from -"child.foo.example.com.". To prevent this ambiguity, LLMNR enabled -hosts could perform a dynamic update of the parent (or grandparent) zone -with a delegation to a child zone. In this example a host -"child.foo.example.com." would send a dynamic update for the NS and glue -A record to "foo.example.com.", but this approach significantly -complicates implementation of LLMNR and would not be acceptable for -lightweight hosts. - -2.4. Unicast queries and responses - -Unicast queries SHOULD be sent when: - -[a] A sender repeats a query after it received a response with the TC - bit set to the previous LLMNR multicast query, or - -[b] The sender queries for a PTR RR of a fully formed IP address within - the "in-addr.arpa" or "ip6.arpa" zones. - - - -Esibov, Aboba & Thaler Standards Track [Page 10] - - - - - -INTERNET-DRAFT LLMNR 20 January 2004 - - -A responder receiving a unicast query MUST send the response with a -source address set to the destination address field of the IP header of -the query causing the response. - -Unicast LLMNR queries SHOULD be sent using TCP. 
Senders MUST support -sending TCP queries, and responders MUST support listening for TCP -queries. - -Responses to TCP unicast LLMNR queries MUST be sent using TCP, using -the same connection as the query. If the sender of a TCP query receives -a response to that query not using TCP, the response MUST be silently -discarded. - -Unicast UDP queries MAY be responded to with a UDP response containing -an empty answer section and the TC bit set, so as to require the sender -to resend the query using TCP. - -If an ICMP "Time Exceeded" message is received in response to a unicast -UDP query, or if TCP connection setup cannot be completed in order to -send a unicast TCP query, this is treated as a response that no records -of the specified type and class exist for the specified name (it is -treated the same as a response with RCODE=0 and an empty answer -section). The UDP sender receiving an ICMP "Time Exceeded" message -SHOULD verify that the ICMP error payload contains a valid LLMNR query -packet, which matches a query that is currently in progress, so as to -guard against a potential Denial of Service (DoS) attack. If a match -cannot be made, then the sender relies on the retransmission and timeout -behavior described in Section 2.7. - -2.5. "Off link" detection - -For IPv4, an "on link" address is defined as a link-local address -[IPv4Link] or an address whose prefix belongs to a subnet on the local -link. For IPv6 [RFC2460] an "on link" address is either a link-local -address, defined in [RFC2373], or an address whose prefix belongs to a -subnet on the local link. - -A sender MUST select a source address for LLMNR queries that is "on -link". The destination address of an LLMNR query MUST be a link-scope -multicast address or an "on link" unicast address. - -A responder MUST select a source address for responses that is "on -link". The destination address of an LLMNR response MUST be an "on link" -unicast address. 
- -On receiving an LLMNR query, the responder MUST check whether it was -sent to a LLMNR multicast addresses defined in Section 2. If it was -sent to another multicast address, then the query MUST be silently - - - -Esibov, Aboba & Thaler Standards Track [Page 11] - - - - - -INTERNET-DRAFT LLMNR 20 January 2004 - - -discarded. - -In composing LLMNR queries, the sender MUST set the Hop Limit field in -the IPv6 header and the TTL field in IPv4 header of the response to one -(1). Even when LLMNR queries are sent to a link-scope multicast -address, it is possible that some routers may not properly implement -link-scope multicast, or that link-scope multicast addresses may leak -into the multicast routing system. Therefore setting the IPv6 Hop Limit -or IPv4 TTL field to one provides an additional precaution against -leakage of LLMNR queries. - -In composing a response to an LLMNR query, the responder MUST set the -Hop Limit field in the IPv6 header and the TTL field in IPv4 header of -the response to one (1). This is done so as to prevent the use of LLMNR -for denial of service attacks across the Internet. - -Section 2.4 discusses use of TCP for LLMNR queries and responses. The -responder SHOULD set the TTL or Hop Limit settings on the TCP listen -socket to one (1) so that SYN-ACK packets will have TTL (IPv4) or Hop -Limit (IPv6) set to one (1). This prevents an incoming connection from -off-link since the sender will not receive a SYN-ACK from the responder. - -Implementation note: - - In the sockets API for IPv4 [POSIX], the IP_TTL and IP_MULTICAST_TTL - socket options are used to set the TTL of outgoing unicast and - multicast packets. The IP_RECVTTL socket option is available on some - platforms to retrieve the IPv4 TTL of received packets with - recvmsg(). [RFC2292] specifies similar options for setting and - retrieving the IPv6 Hop Limit. - -2.6. 
Responder responsibilities - -It is the responsibility of the responder to ensure that RRs returned in -LLMNR responses MUST only include values that are valid on the local -interface, such as IPv4 or IPv6 addresses valid on the local link or -names defended using the mechanism described in Section 4. In -particular: - -[a] If a link-scope IPv6 address is returned in a AAAA RR, that address - MUST be valid on the local link over which LLMNR is used. - -[b] If an IPv4 address is returned, it MUST be reachable through the - link over which LLMNR is used. - -[c] If a name is returned (for example in a CNAME, MX or SRV RR), the - name MUST be resolvable on the local link over which LLMNR is used. - - - - -Esibov, Aboba & Thaler Standards Track [Page 12] - - - - - -INTERNET-DRAFT LLMNR 20 January 2004 - - -Routable addresses MUST be included first in the response, if available. -This encourages use of routable address(es) for establishment of new -connections. - -2.7. Retransmission and jitter - -An LLMNR sender uses the timeout interval LLMNR_TIMEOUT to determine -when to retransmit an LLMNR query and how long to collect responses to -an LLMNR query. - -If an LLMNR query sent over UDP is not resolved within LLMNR_TIMEOUT, -then a sender MAY repeat the transmission of the query in order to -assure that it was received by a host capable of responding to it. -Retransmission of UDP queries SHOULD NOT be attempted more than 3 times. -Where LLMNR queries are sent using TCP, retransmission is handled by the -transport layer. - -Because an LLMNR sender cannot know in advance if a query sent using -multicast will receive no response, one response, or more than one -response, the sender SHOULD wait for LLMNR_TIMEOUT in order to collect -all possible responses, rather than considering the multicast query -answered after the first response is received. 
A unicast query sender -considers the query answered after the first response is received, so -that it only waits for LLMNR_TIMEOUT if no response has been received. - -An LLMNR sender SHOULD dynamically compute the value of LLMNR_TIMEOUT -for each transmission. It is suggested that the computation of -LLMNR_TIMEOUT be based on the response times for earlier LLMNR queries -sent on the same interface. - -For example, the algorithms described in RFC 2988 [RFC2988] (including -exponential backoff) to compute an RTO, which is used as the value of -LLMNR_TIMEOUT. Smaller values MAY be used for the initial RTO (discussed -in Section 2 of [RFC2988], paragraph 2.1), the minimum RTO (discussed in -Section 2 of [RFC2988], paragraph 2.4), and the maximum RTO (discussed -in Section 2 of [RFC2988], paragraph 2.5). - -Recommended values are an initial RTO of 1 second, a minimum RTO of -200ms, and a maximum RTO of 5 seconds. In order to avoid -synchronization, the transmission of each LLMNR query and response -SHOULD delayed by a time randomly selected from the interval 0 to 100 -ms. This delay MAY be avoided by responders responding with RRs which -they have previously determined to be UNIQUE (see Section 4 for -details). - - - - - - - -Esibov, Aboba & Thaler Standards Track [Page 13] - - - - - -INTERNET-DRAFT LLMNR 20 January 2004 - - -2.8. DNS TTL - -The responder should use a pre-configured TTL value in the records -returned an LLMNR response. A default value of 30 seconds is -RECOMMENDED. In highly dynamic environments (such as mobile ad-hoc -networks), the TTL value may need to be reduced. - -Due to the TTL minimalization necessary when caching an RRset, all TTLs -in an RRset MUST be set to the same value. - -2.9. Use of the authority and additional sections - -Unlike the DNS, LLMNR is a peer-to-peer protocol and does not have a -concept of delegation. 
In LLMNR, the NS resource record type may be -stored and queried for like any other type, but it has no special -delegation semantics as it does in the DNS. Responders MAY have NS -records associated with the names for which they are authoritative, but -they SHOULD NOT include these NS records in the authority sections of -responses. - -Responders SHOULD insert an SOA record into the authority section of a -negative response, to facilitate negative caching as specified in -[RFC2308]. The owner name of this SOA record MUST be equal to the query -name. - -Responders SHOULD NOT perform DNS additional section processing, except -as required for EDNS0 and DNSSEC. - -Senders MUST NOT cache RRs from the authority or additional section of a -response as answers, though they may be used for other purposes such as -negative caching. - -3. Usage model - -Since LLMNR is a secondary name resolution mechanism, its usage is in -part determined by the behavior of DNS implementations. This document -does not specify any changes to DNS resolver behavior, such as -searchlist processing or retransmission/failover policy. However, -robust DNS resolver implementations are more likely to avoid unnecessary -LLMNR queries. - -As noted in [DNSPerf], even when DNS servers are configured, a -significant fraction of DNS queries do not receive a response, or result -in negative responses due to missing inverse mappings or NS records that -point to nonexistent or inappropriate hosts. This has the potential to -result in a large number of unnecessary LLMNR queries. - -[RFC1536] describes common DNS implementation errors and fixes. If the - - - -Esibov, Aboba & Thaler Standards Track [Page 14] - - - - - -INTERNET-DRAFT LLMNR 20 January 2004 - - -proposed fixes are implemented, unnecessary LLMNR queries will be -reduced substantially, and so implementation of [RFC1536] is -recommended. 
- -For example, [RFC1536] Section 1 describes issues with retransmission -and recommends implementation of a retransmission policy based on round -trip estimates, with exponential backoff. [RFC1536] Section 4 describes -issues with failover, and recommends that resolvers try another server -when they don't receive a response to a query. These policies are -likely to avoid unnecessary LLMNR queries. - -[RFC1536] Section 3 describes zero answer bugs, which if addressed will -also reduce unnecessary LLMNR queries. - -[RFC1536] Section 6 describes name error bugs and recommended searchlist -processing that will reduce unnecessary RCODE=3 (authoritative name) -errors, thereby also reducing unnecessary LLMNR queries. - -3.1. LLMNR configuration - -Since IPv4 and IPv6 utilize distinct configuration mechanisms, it is -possible for a dual stack host to be configured with the address of a -DNS server over IPv4, while remaining unconfigured with a DNS server -suitable for use over IPv6. - -In these situations, a dual stack host will send AAAA queries to the -configured DNS server over IPv4. However, an IPv6-only host -unconfigured with a DNS server suitable for use over IPv6 will be unable -to resolve names using DNS. Automatic IPv6 DNS configuration mechanisms -(such as [RFC3315] and [DNSDisc]) are not yet widely deployed, and not -all DNS servers support IPv6. Therefore lack of IPv6 DNS configuration -may be a common problem in the short term, and LLMNR may prove useful in -enabling linklocal name resolution over IPv6. - -Where a DHCPv4 server is available but not a DHCPv6 server [RFC3315], -IPv6-only hosts may not be configured with a DNS server. Where there is -no DNS server authoritative for the name of a host or the authoritative -DNS server does not support dynamic client update over IPv6 or -DHCPv6-based dynamic update, then an IPv6-only host will not be able to -do DNS dynamic update, and other hosts will not be able to resolve its -name. 
- -For example, if the configured DNS server responds to AAAA RR queries -sent over IPv4 or IPv6 with an authoritative name error (RCODE=3), then -it will not be possible to resolve the names of IPv6-only hosts. In -this situation, LLMNR over IPv6 can be used for local name resolution. - -Similarly, if a DHCPv4 server is available providing DNS server - - - -Esibov, Aboba & Thaler Standards Track [Page 15] - - - - - -INTERNET-DRAFT LLMNR 20 January 2004 - - -configuration, and DNS server(s) exist which are authoritative for the A -RRs of local hosts and support either dynamic client update over IPv4 or -DHCPv4-based dynamic update, then the names of local IPv4 hosts can be -resolved over IPv4 without LLMNR. However, if no DNS server is -authoritative for the names of local hosts, or the authoritative DNS -server(s) do not support dynamic update, then LLMNR enables linklocal -name resolution over IPv4. - -Where DHCPv4 or DHCPv6 is implemented, DHCP options can be used to -configure LLMNR on an interface. The LLMNR Enable Option, described in -[LLMNREnable], can be used to explicitly enable or disable use of LLMNR -on an interface. The LLMNR Enable Option does not determine whether or -in which order DNS itself is used for name resolution. The order in -which various name resolution mechanisms should be used can be specified -using the Name Service Search Option (NSSO) for DHCP [RFC2937], using -the LLMNR Enable Option code carried in the NSSO data. - -It is possible that DNS configuration mechanisms will go in and out of -service. In these circumstances, it is possible for hosts within an -administrative domain to be inconsistent in their DNS configuration. - -For example, where DHCP is used for configuring DNS servers, one or more -DHCP servers can fail. As a result, hosts configured prior to the -outage will be configured with a DNS server, while hosts configured -after the outage will not. 
Alternatively, it is possible for the DNS -configuration mechanism to continue functioning while configured DNS -servers fail. - -Unless unconfigured hosts periodically retry configuration, an outage in -the DNS configuration mechanism will result in hosts continuing to use -LLMNR even once the outage is repaired. Since LLMNR only enables -linklocal name resolution, this represents an unnecessary degradation in -capabilities. As a result, it is recommended that hosts without a -configured DNS server periodically attempt to obtain DNS configuration. -For example, where DHCP is used for DNS configuration, [RFC2131] -recommends a maximum retry interval of 64 seconds. In the absence of -other guidance, a default retry interval of one (1) minute is -RECOMMENDED. - -4. Conflict resolution - -The sender MUST anticipate receiving multiple replies to the same LLMNR -query, in the event that several LLMNR enabled computers receive the -query and respond with valid answers. When this occurs, the responses -may first be concatenated, and then treated in the same manner that -multiple RRs received from the same DNS server would; the sender -perceives no inherent conflict in the receipt of multiple responses. - - - - -Esibov, Aboba & Thaler Standards Track [Page 16] - - - - - -INTERNET-DRAFT LLMNR 20 January 2004 - - -There are some scenarios when multiple responders MAY respond to the -same query. There are other scenarios when only one responder MAY -respond to a query. Resource records for which the latter queries are -submitted are referred as UNIQUE throughout this document. The -uniqueness of a resource record depends on a nature of the name in the -query and type of the query. 
For example it is expected that: - - - multiple hosts may respond to a query for an SRV type record - - multiple hosts may respond to a query for an A or AAAA type - record for a cluster name (assigned to multiple hosts in - the cluster) - - only a single host may respond to a query for an A or AAAA - type record for a name. - -Every responder that responds to an LLMNR query AND includes a UNIQUE -record in the response: - -[1] MUST verify that there is no other host within the scope of the - LLMNR query propagation that can return a resource record for the - same name, type and class. - -[2] MUST NOT include a UNIQUE resource record in the response without - having verified its uniqueness. - -Where a host is configured to issue LLMNR queries on more than one -interface, each interface should have its own independent LLMNR cache. -For each UNIQUE resource record in a given interface's configuration, -the host MUST verify resource record uniqueness on that interface. To -accomplish this, the host MUST send an LLMNR query for each UNIQUE -resource record. - -By default, a host SHOULD be configured to behave as though all RRs are -UNIQUE. Uniqueness verification is carried out when the host: - - - starts up or is rebooted - - wakes from sleep (if the network interface was inactive during sleep) - - is configured to respond to the LLMNR queries on an interface - enabled for transmission and reception of IP traffic - - is configured to respond to the LLMNR queries using additional - UNIQUE resource records - - detects that an interface is connected and is usable - (e.g. an IEEE 802 hardware link-state change indicating - that a cable was attached or that an association has occurred - with a wireless base station and that any required authentication - has completed) - -When a host that has a UNIQUE record receives an LLMNR query for that -record, the host MUST respond. 
After the client receives a response, it - - - -Esibov, Aboba & Thaler Standards Track [Page 17] - - - - - -INTERNET-DRAFT LLMNR 20 January 2004 - - -MUST check whether the response arrived on an interface different from -the one on which the query was sent. If the response arrives on a -different interface, the client can use the UNIQUE resource record in -response to LLMNR queries. If not, then it MUST NOT use the UNIQUE -resource record in response to LLMNR queries. - -The name conflict detection mechanism doesn't prevent name conflicts -when previously partitioned segments are connected by a bridge. In order -to minimize the chance of conflicts in such a situation, it is -recommended that steps be taken to ensure name uniqueness. For example, -the name could be chosen randomly from a large pool of potential names, -or the name could be assigned via a process designed to guarantee -uniqueness. - -When name conflicts are detected, they SHOULD be logged. To detect -duplicate use of a name, an administrator can use a name resolution -utility which employs LLMNR and lists both responses and responders. -This would allow an administrator to diagnose behavior and potentially -to intervene and reconfigure LLMNR responders who should not be -configured to respond to the same name. - -4.1. Considerations for Multiple Interfaces - -A multi-homed host may elect to configure LLMNR on only one of its -active interfaces. In many situations this will be adequate. However, -should a host need to configure LLMNR on more than one of its active -interfaces, there are some additional precautions it MUST take. -Implementers who are not planning to support LLMNR on multiple -interfaces simultaneously may skip this section. - -A multi-homed host checks the uniqueness of UNIQUE records as described -in Section 4. The situation is illustrated in figure 1. - - ---------- ---------- - | | | | - [A] [myhost] [myhost] - - Figure 1. 
Link-scope name conflict - -In this situation, the multi-homed myhost will probe for, and defend, -its host name on both interfaces. A conflict will be detected on one -interface, but not the other. The multi-homed myhost will not be able -to respond with a host RR for "myhost" on the interface on the right -(see Figure 1). The multi-homed host may, however, be configured to use -the "myhost" name on the interface on the left. - -Since names are only unique per-link, hosts on different links could be -using the same name. If an LLMNR client sends requests over multiple - - - -Esibov, Aboba & Thaler Standards Track [Page 18] - - - - - -INTERNET-DRAFT LLMNR 20 January 2004 - - -interfaces, and receives replies from more than one, the result returned -to the client is defined by the implementation. The situation is -illustrated in figure 2. - - ---------- ---------- - | | | | - [A] [myhost] [A] - - - Figure 2. Off-segment name conflict - -If host myhost is configured to use LLMNR on both interfaces, it will -send LLMNR queries on both interfaces. When host myhost sends a query -for the host RR for name "A" it will receive a response from hosts on -both interfaces. - -Host myhost cannot distinguish between the situation shown in Figure 2, -and that shown in Figure 3 where no conflict exists. - - [A] - | | - ----- ----- - | | - [myhost] - - Figure 3. Multiple paths to same host - -This illustrates that the proposed name conflict resolution mechanism -does not support detection or resolution of conflicts between hosts on -different links. This problem can also occur with unicast DNS when a -multi-homed host is connected to two different networks with separated -name spaces. It is not the intent of this document to address the issue -of uniqueness of names within DNS. - -4.2. 
API issues - -[RFC2553] provides an API which can partially solve the name ambiguity -problem for applications written to use this API, since the sockaddr_in6 -structure exposes the scope within which each scoped address exists, and -this structure can be used for both IPv4 (using v4-mapped IPv6 -addresses) and IPv6 addresses. - -Following the example in Figure 2, an application on 'myhost' issues the -request getaddrinfo("A", ...) with ai_family=AF_INET6 and -ai_flags=AI_ALL|AI_V4MAPPED. LLMNR requests will be sent from both -interfaces and the resolver library will return a list containing -multiple addrinfo structures, each with an associated sockaddr_in6 -structure. This list will thus contain the IPv4 and IPv6 addresses of - - - -Esibov, Aboba & Thaler Standards Track [Page 19] - - - - - -INTERNET-DRAFT LLMNR 20 January 2004 - - -both hosts responding to the name 'A'. Link-local addresses will have a -sin6_scope_id value that disambiguates which interface is used to reach -the address. Of course, to the application, Figures 2 and 3 are still -indistinguishable, but this API allows the application to communicate -successfully with any address in the list. - -5. Security Considerations - -LLMNR is by nature a peer-to-peer name resolution protocol. It is -therefore inherently more vulnerable than DNS, since existing DNS -security mechanisms are difficult to apply to LLMNR. While tools exist -to alllow an attacker to spoof a response to a DNS query, spoofing a -response to an LLMNR query is easier since the query is sent to a link- -scope multicast address, where every host on the logical link will be -made aware of it. - -In order to address the security vulnerabilities, the following -mechanisms are contemplated: - -[1] Scope restrictions. - -[2] Usage restrictions. - -[3] Cache and port separation. - -[4] Authentication. - -These techniques are described in the following sections. - -5.1. 
Scope restriction - -With LLMNR it is possible that hosts will allocate conflicting names for -a period of time, or that attackers will attempt to deny service to -other hosts by allocating the same name. Such attacks also allow hosts -to receive packets destined for other hosts. - -Since LLMNR is typically deployed in situations where no trust model can -be assumed, it is likely that LLMNR queries and responses will be -unauthenticated. In the absence of authentication, LLMNR reduces the -exposure to such threats by utilizing queries sent to a link-scope -multicast address, as well as setting the TTL (IPv4) or Hop Limit (IPv6) -fields to one (1) on both queries and responses. - -A TTL of one (1) was chosen so as to limit the likelihood that LLMNR can -be used to launch denial of service attacks. For example, were the TTL -of an LLMNR Response to be set to a value larger than one (1), an -attacker could send a large volume of queries from a spoofed source -address, causing an off-link target to be deluged with responses. - - - -Esibov, Aboba & Thaler Standards Track [Page 20] - - - - - -INTERNET-DRAFT LLMNR 20 January 2004 - - -Utilizing a TTL of one (1) in LLMNR responses ensures that they will not -be forwarded off-link. Using a TTL of one (1) to set up a TCP connection -in order to send a unicast LLMNR query reduces the likelihood of both -denial of service attacks and spoofed responses. Checking that an LLMNR -query is sent to a link-scope multicast address should prevent spoofing -of multicast queries by off-link attackers. - -While this limits the ability of off-link attackers to spoof LLMNR -queries and responses, it does not eliminate it. For example, it is -possible for an attacker to spoof a response to a frequent query (such -as an A or AAAA query for a popular Internet host), and by using a TTL -or Hop Limit field larger than one (1), for the forged response to reach -the LLMNR sender. 
- -There also are scenarios such as public "hotspots" where attackers can -be present on the same link. These threats are most serious in wireless -networks such as 802.11, since attackers on a wired network will require -physical access to the home network, while wireless attackers may reside -outside the home. Link-layer security can be of assistance against -these threats if it is available. - -5.2. Usage restriction - -As noted in Sections 2 and 3, LLMNR is intended for usage in a limited -set of scenarios. - -If an LLMNR query is sent whenever a DNS server does not respond in a -timely way, then an attacker can poison the LLMNR cache by responding to -the query with incorrect information. To some extent, these -vulnerabilities exist today, since DNS response spoofing tools are -available that can allow an attacker to respond to a query more quickly -than a distant DNS server. - -Since LLMNR queries are sent and responded to on the local-link, an -attacker will need to respond more quickly to provide its own response -prior to arrival of the response from a legitimate responder. If an -LLMNR query is sent for an off-link host, spoofing a response in a -timely way is not difficult, since a legitimate response will never be -received. - -The vulnerability is more serious if LLMNR is given higher priority than -DNS among the enabled name resolution mechanisms. In such a -configuration, a denial of service attack on the DNS server would not be -necessary in order to poison the LLMNR cache, since LLMNR queries would -be sent even when the DNS server is available. In addition, the LLMNR -cache, once poisoned, would take precedence over the DNS cache, -eliminating the benefits of cache separation. As a result, LLMNR is only -used as a name resolution mechanism of last resort. - - - -Esibov, Aboba & Thaler Standards Track [Page 21] - - - - - -INTERNET-DRAFT LLMNR 20 January 2004 - - -5.3. 
Cache and port separation - -In order to prevent responses to LLMNR queries from polluting the DNS -cache, LLMNR implementations MUST use a distinct, isolated cache for -LLMNR on each interface. The use of separate caches is most effective -when LLMNR is used as a name resolution mechanism of last resort, since -this minimizes the opportunities for poisoning the LLMNR cache, and -decreases reliance on it. - -LLMNR operates on a separate port from DNS, reducing the likelihood that -a DNS server will unintentionally respond to an LLMNR query. - -5.4. Authentication - -LLMNR implementations may not support DNSSEC or TSIG, and as a result, -responses to LLMNR queries may be unauthenticated. If authentication is -desired, and a pre-arranged security configuration is possible, then -IPsec ESP with a null-transform MAY be used to authenticate LLMNR -responses. In a small network without a certificate authority, this can -be most easily accomplished through configuration of a group pre-shared -key for trusted hosts. - -6. IANA Considerations - -This specification creates one new name space: the reserved bits in the -LLMNR header. These are allocated by IETF Consensus, in accordance with -BCP 26 [RFC2434]. - -LLMNR requires allocation of a port TBD for both TCP and UDP. -Assignment of the same port for both transports is requested. - -LLMNR requires allocation of a link-scope multicast IPv4 address TBD. -LLMNR also requires allocation of a link-scope multicast IPv6 address -TBD. - -7. References - -7.1. Normative References - -[RFC1035] Mockapetris, P., "Domain Names - Implementation and - Specification", RFC 1035, November 1987. - -[RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, - April 1992. - -[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate - Requirement Levels", BCP 14, RFC 2119, March 1997. - - - - -Esibov, Aboba & Thaler Standards Track [Page 22] - - - - - -INTERNET-DRAFT LLMNR 20 January 2004 - - -[RFC2181] Elz, R. and R. 
Bush, "Clarifications to the DNS - Specification", RFC 2181, July 1997. - -[RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", - RFC 2308, March 1998. - -[RFC2365] Meyer, D., "Administratively Scoped IP Multicast", BCP 23, RFC - 2365, July 1998. - -[RFC2373] Hinden, R. and S. Deering, "IP Version 6 Addressing - Architecture", RFC 2373, July 1998. - -[RFC2434] Alvestrand, H. and T. Narten, "Guidelines for Writing an IANA - Considerations Section in RFCs", BCP 26, RFC 2434, October - 1998. - -[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 - (IPv6) Specification", RFC 2460, December 1998. - -[RFC2535] Eastlake, D., "Domain Name System Security Extensions", RFC - 2535, March 1999. - -[RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671, - August 1999. - -[RFC2988] Paxson, V. and M. Allman, "Computing TCP's Retransmission - Timer", RFC 2988, November 2000. - -7.2. Informative References - -[RFC1536] Kumar, A., et. al., "DNS Implementation Errors and Suggested - Fixes", RFC 1536, October 1993. - -[RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, - March 1997. - -[RFC2136] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic - Updates in the Domain Name System (DNS UPDATE)", RFC 2136, - April 1997. - -[RFC2292] Stevens, W. and M. Thomas, "Advanced Sockets API for IPv6", - RFC 2292, February 1998. - -[RFC2553] Gilligan, R., Thomson, S., Bound, J. and W. Stevens, "Basic - Socket Interface Extensions for IPv6", RFC 2553, March 1999. - -[RFC2937] Smith, C., "The Name Service Search Option for DHCP", RFC - 2937, September 2000. - - - -Esibov, Aboba & Thaler Standards Track [Page 23] - - - - - -INTERNET-DRAFT LLMNR 20 January 2004 - - -[RFC3315] Droms, R., et al., "Dynamic Host Configuration Protocol for - IPv6 (DHCPv6)", RFC 3315, July 2003. - -[DNSPerf] Jung, J., et al., "DNS Performance and the Effectiveness of - Caching", IEEE/ACM Transactions on Networking, Volume 10, - Number 5, pp. 
589, October 2002. - -[DNSDisc] Durand, A., Hagino, I. and D. Thaler, "Well known site local - unicast addresses to communicate with recursive DNS servers", - Internet draft (work in progress), draft-ietf-ipv6-dns- - discovery-07.txt, October 2002. - -[IPV4Link] - Cheshire, S., Aboba, B. and E. Guttman, "Dynamic Configuration - of IPv4 Link-Local Addresses", Internet draft (work in - progress), draft-ietf-zeroconf-ipv4-linklocal-10.txt, October - 2003. - -[POSIX] IEEE Std. 1003.1-2001 Standard for Information Technology -- - Portable Operating System Interface (POSIX). Open Group - Technical Standard: Base Specifications, Issue 6, December - 2001. ISO/IEC 9945:2002. http://www.opengroup.org/austin - -[LLMNREnable] - Guttman, E., "DHCP LLMNR Enable Option", Internet draft (work - in progress), draft-guttman-mdns-enable-02.txt, April 2002. - -[NodeInfo] - Crawford, M., "IPv6 Node Information Queries", Internet draft - (work in progress), draft-ietf-ipn-gwg-icmp-name- - lookups-09.txt, May 2002. - -Acknowledgments - -This work builds upon original work done on multicast DNS by Bill -Manning and Bill Woodcock. Bill Manning's work was funded under DARPA -grant #F30602-99-1-0523. The authors gratefully acknowledge their -contribution to the current specification. Constructive input has also -been received from Mark Andrews, Stuart Cheshire, Randy Bush, Robert -Elz, Rob Austein, James Gilroy, Olafur Gudmundsson, Erik Guttman, Myron -Hattig, Thomas Narten, Christian Huitema, Erik Nordmark, Sander Van- -Valkenburg, Tomohide Nagashima, Brian Zill, Keith Moore and Markku -Savela. 
- - - - - - - - -Esibov, Aboba & Thaler Standards Track [Page 24] - - - - - -INTERNET-DRAFT LLMNR 20 January 2004 - - -Authors' Addresses - -Levon Esibov -Microsoft Corporation -One Microsoft Way -Redmond, WA 98052 - -EMail: levone@microsoft.com - -Bernard Aboba -Microsoft Corporation -One Microsoft Way -Redmond, WA 98052 - -Phone: +1 425 706 6605 -EMail: bernarda@microsoft.com - -Dave Thaler -Microsoft Corporation -One Microsoft Way -Redmond, WA 98052 - -Phone: +1 425 703 8835 -EMail: dthaler@microsoft.com - -Intellectual Property Statement - -The IETF takes no position regarding the validity or scope of any -intellectual property or other rights that might be claimed to pertain -to the implementation or use of the technology described in this -document or the extent to which any license under such rights might or -might not be available; neither does it represent that it has made any -effort to identify any such rights. Information on the IETF's -procedures with respect to rights in standards-track and standards- -related documentation can be found in BCP-11. Copies of claims of -rights made available for publication and any assurances of licenses to -be made available, or the result of an attempt made to obtain a general -license or permission for the use of such proprietary rights by -implementors or users of this specification can be obtained from the -IETF Secretariat. - -The IETF invites any interested party to bring to its attention any -copyrights, patents or patent applications, or other proprietary rights -which may cover technology that may be required to practice this -standard. Please address the information to the IETF Executive -Director. - - - - - -Esibov, Aboba & Thaler Standards Track [Page 25] - - - - - -INTERNET-DRAFT LLMNR 20 January 2004 - - -Full Copyright Statement - -Copyright (C) The Internet Society (2004). All Rights Reserved. 
-This document and translations of it may be copied and furnished to -others, and derivative works that comment on or otherwise explain it or -assist in its implementation may be prepared, copied, published and -distributed, in whole or in part, without restriction of any kind, -provided that the above copyright notice and this paragraph are included -on all such copies and derivative works. However, this document itself -may not be modified in any way, such as by removing the copyright notice -or references to the Internet Society or other Internet organizations, -except as needed for the purpose of developing Internet standards in -which case the procedures for copyrights defined in the Internet -Standards process must be followed, or as required to translate it into -languages other than English. The limited permissions granted above are -perpetual and will not be revoked by the Internet Society or its -successors or assigns. This document and the information contained -herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE -INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE -INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED -WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - -Open Issues - -Open issues with this specification are tracked on the following web -site: - -http://www.drizzle.com/~aboba/DNSEXT/llmnrissues.html - -Expiration Date - -This memo is filed as , and expires -August 4, 2004. - - - - - - - - - - - - - - - - - -Esibov, Aboba & Thaler Standards Track [Page 26] - +DNSEXT Working Group Levon Esibov +INTERNET-DRAFT Bernard Aboba +Category: Standards Track Dave Thaler + Microsoft +17 March 2004 + + + + Linklocal Multicast Name Resolution (LLMNR) + + +This document is an Internet-Draft and is in full conformance with all +provisions of Section 10 of RFC 2026. 
+ + +Internet-Drafts are working documents of the Internet Engineering Task +Force (IETF), its areas, and its working groups. Note that other groups +may also distribute working documents as Internet-Drafts. + + +Internet-Drafts are draft documents valid for a maximum of six months +and may be updated, replaced, or obsoleted by other documents at any +time. It is inappropriate to use Internet-Drafts as reference material +or to cite them other than as "work in progress." + + +The list of current Internet-Drafts can be accessed at +http://www.ietf.org/ietf/1id-abstracts.txt + + +The list of Internet-Draft Shadow Directories can be accessed at +http://www.ietf.org/shadow.html. + + +Copyright Notice + + +Copyright (C) The Internet Society (2004). All Rights Reserved. + + +Abstract + + +Today, with the rise of home networking, there are an increasing number +of ad-hoc networks operating without a Domain Name System (DNS) server. +In order to allow name resolution in such environments, Link-Local +Multicast Name Resolution (LLMNR) is proposed. LLMNR supports all +current and future DNS formats, types and classes, while operating on a +separate port from DNS, and with a distinct resolver cache. + + +The goal of LLMNR is to enable name resolution in scenarios in which +conventional DNS name resolution is not possible. Since LLMNR only +operates on the local link, it cannot be considered a substitute for +DNS. + + + + + + + + +Esibov, Aboba & Thaler Standards Track [Page 1] + + + + + + +INTERNET-DRAFT LLMNR 17 March 2004 + + + +Table of Contents + + +1. Introduction .......................................... 3 + 1.1 Requirements .................................... 3 + 1.2 Terminology ..................................... 4 +2. Name resolution using LLMNR ........................... 4 + 2.1 LLMNR packet format ............................. 5 + 2.2 Sender behavior ................................. 8 + 2.3 Responder behavior .............................. 
8 + 2.4 Unicast queries ................................. 10 + 2.5 Off-link detection .............................. 11 + 2.6 Responder responsibilities ...................... 12 + 2.7 Retransmission and jitter ....................... 12 + 2.8 DNS TTL ......................................... 13 + 2.9 Use of the authority and additional sections .... 13 +3. Usage model ........................................... 14 + 3.1 LLMNR configuration ............................. 15 +4. Conflict resolution ................................... 16 + 4.1 Considerations for multiple interfaces .......... 18 + 4.2 API issues ...................................... 19 +5. Security considerations ............................... 19 + 5.1 Scope restriction ............................... 20 + 5.2 Usage restriction ............................... 21 + 5.3 Cache and port separation ....................... 21 + 5.4 Authentication .................................. 22 +6. IANA considerations ................................... 22 +7. References ............................................ 22 + 7.1 Normative References ............................ 22 + 7.2 Informative References .......................... 23 +Acknowledgments .............................................. 24 +Authors' Addresses ........................................... 25 +Intellectual Property Statement .............................. 25 +Full Copyright Statement ..................................... 26 + + + + + + + + + + + + + + + + + + + +Esibov, Aboba & Thaler Standards Track [Page 2] + + + + + + +INTERNET-DRAFT LLMNR 17 March 2004 + + + +1. Introduction + + +This document discusses Link Local Multicast Name Resolution (LLMNR), +which utilizes the DNS packet format and supports all current and future +DNS formats, types and classes. LLMNR operates on a separate port from +the Domain Name System (DNS), with a distinct resolver cache. 
+ + +The goal of LLMNR is to enable name resolution in scenarios in which +conventional DNS name resolution is not possible. These include +scenarios in which hosts are not configured with the address of a DNS +server, where configured DNS servers do not reply to a query, or where +they respond with errors, as described in Section 2. Since LLMNR only +operates on the local link, it cannot be considered a substitute for +DNS. + + +Link-scope multicast addresses are used to prevent propagation of LLMNR +traffic across routers, potentially flooding the network. LLMNR queries +can also be sent to a unicast address, as described in Section 2.4. + + +Propagation of LLMNR packets on the local link is considered sufficient +to enable name resolution in small networks. The assumption is that if +a network has a gateway, then the network is able to provide DNS server +configuration. Configuration issues are discussed in Section 3.1. + + +In the future, it may be desirable to consider use of multicast name +resolution with multicast scopes beyond the link-scope. This could +occur if LLMNR deployment is successful, the need for multicast name +resolution beyond the link-scope, or multicast routing becomes +ubiquitous. For example, expanded support for multicast name resolution +might be required for mobile ad-hoc networking scenarios, or where no +DNS server is available that is authoritative for the names of local +hosts, and can support dynamic DNS, such as in wireless hotspots. + + +Once we have experience in LLMNR deployment in terms of administrative +issues, usability and impact on the network, it will be possible to +reevaluate which multicast scopes are appropriate for use with multicast +name resolution. + + +Service discovery in general, as well as discovery of DNS servers using +LLMNR in particular, is outside of the scope of this document, as is +name resolution over non-multicast capable media. + + +1.1. 
Requirements + + +In this document, several words are used to signify the requirements of +the specification. These words are often capitalized. The key words +"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD +NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be + + + + +Esibov, Aboba & Thaler Standards Track [Page 3] + + + + + + +INTERNET-DRAFT LLMNR 17 March 2004 + + + +interpreted as described in [RFC2119]. + + +1.2. Terminology + + +This document assumes familiarity with DNS terminology defined in +[RFC1035]. Other terminology used in this document includes: + + +Positively Resolved + Responses with RCODE set to zero are referred to in this document + as "positively resolved". + + +Routable Address + An address other than a Link-Local address. This includes globally + routable addresses, as well as private addresses. + + +Reachable + An address is considered reachable over a link if either an ARP or + neighbor discovery cache entry exists for the address on the link. + + +Responder + A host that listens to LLMNR queries, and responds to those for + which it is authoritative. + + +Sender + A host that sends an LLMNR query. + + +2. Name resolution using LLMNR + + +LLMNR is a peer-to-peer name resolution protocol that is not intended as +a replacement for DNS. LLMNR queries are sent to and received on port +TBD. IPv4 administratively scoped multicast usage is specified in +"Administratively Scoped IP Multicast" [RFC2365]. The IPv4 link-scope +multicast address a given responder listens to, and to which a sender +sends queries, is TBD. The IPv6 link-scope multicast address a given +responder listens to, and to which a sender sends all queries, is TBD. + + +Typically a host is configured as both an LLMNR sender and a responder. +A host MAY be configured as a sender, but not a responder. However, a +host configured as a responder MUST act as a sender to verify the +uniqueness of names as described in Section 4. 
This document does not +specify how names are chosen or configured. This may occur via any +mechanism, including DHCPv4 [RFC2131] or DHCPv6 [RFC3315]. + + +LLMNR usage MAY be configured manually or automatically on a per +interface basis. By default, LLMNR responders SHOULD be enabled on all +interfaces, at all times. Enabling LLMNR for use in situations where a +DNS server has been configured will result in a change in default +behavior without a simultaneous update to configuration information. + + + + +Esibov, Aboba & Thaler Standards Track [Page 4] + + + + + + +INTERNET-DRAFT LLMNR 17 March 2004 + + + +Where this is considered undesirable, LLMNR SHOULD NOT be enabled by +default, so that hosts will neither listen on the link-scope multicast +address, nor will they send queries to that address. + + +An LLMNR sender may send a request for any name. However, by default, +LLMNR requests SHOULD be sent only when one of the following conditions +are met: + + +[1] No manual or automatic DNS configuration has been performed. If an + interface has been configured with DNS server address(es), then + LLMNR SHOULD NOT be used as the primary name resolution mechanism + on that interface, although it MAY be used as a name resolution + mechanism of last resort. + + +[2] DNS servers do not respond. + + +[3] DNS servers respond to a DNS query with RCODE=3 (Authoritative Name + Error) or RCODE=0, and an empty answer section. + + +A typical sequence of events for LLMNR usage is as follows: + + +[a] DNS servers are not configured or do not respond to a DNS query, or + respond with RCODE=3, or RCODE=0 and an empty answer section. + + +[b] An LLMNR sender sends an LLMNR query to the link-scope multicast + address(es) defined in Section 2, unless a unicast query is + indicated. A sender SHOULD send LLMNR queries for PTR RRs via + unicast, as specified in Section 2.4. + + +[c] A responder responds to this query only if it is authoritative for + the domain name in the query. 
A responder responds to a multicast + query by sending a unicast UDP response to the sender. Unicast + queries are responded to as indicated in Section 2.4. + + +[d] Upon reception of the response, the sender processes it. + + +Further details of sender and responder behavior are provided in the +sections that follow. + + +2.1. LLMNR packet format + + +LLMNR utilizes the DNS packet format defined in [RFC1035] Section 4 for +both queries and responses. LLMNR implementations SHOULD send UDP +queries and responses only as large as are known to be permissible +without causing fragmentation. When in doubt a maximum packet size of +512 octets SHOULD be used. LLMNR implementations MUST accept UDP +queries and responses as large as permitted by the link MTU. + + + + + +Esibov, Aboba & Thaler Standards Track [Page 5] + + + + + + +INTERNET-DRAFT LLMNR 17 March 2004 + + + +2.1.1. LLMNR header format + + +LLMNR queries and responses utilize the DNS header format defined in +[RFC1035] with exceptions noted below: + + + 1 1 1 1 1 1 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 ++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +| ID | ++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +|QR| Opcode | Z|TC| Z| Z| Z| Z| Z| RCODE | ++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +| QDCOUNT | ++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +| ANCOUNT | ++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +| NSCOUNT | ++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +| ARCOUNT | ++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ + + +where: + + +ID A 16 bit identifier assigned by the program that generates any kind + of query. This identifier is copied from the query to the response + and can be used by the sender to match responses to outstanding + queries. The ID field in a query SHOULD be set to a pseudo-random + value. + + +QR A one bit field that specifies whether this message is an LLMNR + query (0), or an LLMNR response (1). 
+ + +OPCODE + A four bit field that specifies the kind of query in this message. + This value is set by the originator of a query and copied into the + response. This specification defines the behavior of standard + queries and responses (opcode value of zero). Future + specifications may define the use of other opcodes with LLMNR. + LLMNR senders and responders MUST support standard queries (opcode + value of zero). LLMNR queries with unsupported OPCODE values MUST + be silently discarded by responders. + + +TC TrunCation - specifies that this message was truncated due to + length greater than that permitted on the transmission channel. + The TC bit MUST NOT be set in an LLMNR query and if set is ignored + by an LLMNR responder. If the TC bit is set an LLMNR response, + then the sender MAY use the response if it contains all necessary + information, or the sender MAY discard the response and resend the + + + + +Esibov, Aboba & Thaler Standards Track [Page 6] + + + + + + +INTERNET-DRAFT LLMNR 17 March 2004 + + + + LLMNR query over TCP using the unicast address of the responder as + the destination address. See [RFC2181] and Section 2.4 of this + specification for further discussion of the TC bit. + + +Z Reserved for future use. Implementations of this specification + MUST set these bits to zero in both queries and responses. If + these bits are set in a LLMNR query or response, implementations of + this specification MUST ignore them. Since reserved bits could + conceivably be used for different purposes than in DNS, + implementors are advised not to enable processing of these bits in + an LLMNR implementation starting from a DNS code base. + + +RCODE + Response code -- this 4 bit field is set as part of LLMNR + responses. In an LLMNR query, the RCODE MUST be zero, and is + ignored by the responder. The response to a multicast LLMNR query + MUST have RCODE set to zero. 
A sender MUST silently discard an + LLMNR response with a non-zero RCODE sent in response to a + multicast query. + + + If an LLMNR responder is authoritative for the name in a multicast + query, but an error is encountered, the responder SHOULD send an + LLMNR response with an RCODE of zero, no RRs in the answer section, + and the TC bit set. This will cause the query to be resent using + TCP, and allow the inclusion of a non-zero RCODE in the response to + the TCP query. Responding with the TC bit set is preferrable to + not sending a response, since it enables errors to be diagnosed. + + + Since LLMNR responders only respond to LLMNR queries for names for + which they are authoritative, LLMNR responders MUST NOT respond + with an RCODE of 3; instead, they should not respond at all. + + + LLMNR implementations MUST support EDNS0 [RFC2671] and extended + RCODE values. + + +QDCOUNT + An unsigned 16 bit integer specifying the number of entries in the + question section. A sender MUST place only one question into the + question section of an LLMNR query. LLMNR responders MUST silently + discard LLMNR queries with QDCOUNT not equal to one. LLMNR senders + MUST silently discard LLMNR responses with QDCOUNT not equal to + one. + + +ANCOUNT + An unsigned 16 bit integer specifying the number of resource + records in the answer section. LLMNR responders MUST silently + discard LLMNR queries with ANCOUNT not equal to zero. + + + + + +Esibov, Aboba & Thaler Standards Track [Page 7] + + + + + + +INTERNET-DRAFT LLMNR 17 March 2004 + + + +NSCOUNT + An unsigned 16 bit integer specifying the number of name server + resource records in the authority records section. Authority + record section processing is described in Section 2.9. + + +ARCOUNT + An unsigned 16 bit integer specifying the number of resource + records in the additional records section. Additional record + section processing is described in Section 2.9. + + +2.2. 
Sender behavior + + +A sender may send an LLMNR query for any legal resource record type +(e.g. A, AAAA, SRV, etc.) to the link-scope multicast address. + + +As described in Section 2.4, a sender may also send a unicast query. +Sections 2 and 3 describe the circumstances in which LLMNR queries may +be sent. + + +The sender MUST anticipate receiving no replies to some LLMNR queries, +in the event that no responders are available within the link-scope or +in the event no positive non-null responses exist for the transmitted +query. If no positive response is received, a resolver treats it as a +response that no records of the specified type and class exist for the +specified name (it is treated the same as a response with RCODE=0 and an +empty answer section). + + +Since the responder may order the RRs in the response so as to indicate +preference, the sender SHOULD preserve ordering in the response to the +querying application. + + +2.3. Responder behavior + + +An LLMNR response MUST be sent to the sender via unicast. + + +Upon configuring an IP address responders typically will synthesize +corresponding A, AAAA and PTR RRs so as to be able to respond to LLMNR +queries for these RRs. An SOA RR is synthesized only when a responder +has another RR as well; the SOA RR MUST NOT be the only RR that a +responder has. However, in general whether RRs are manually or +automatically created is an implementation decision. + + +For example, a host configured to have computer name "host1" and to be a +member of the "example.com" domain, and with IPv4 address 10.1.1.1 and +IPv6 address 2001:0DB8::1:2:3:FF:FE:4:5:6 might be authoritative for the +following records: + + +host1. IN A 10.1.1.1 + + + + +Esibov, Aboba & Thaler Standards Track [Page 8] + + + + + + +INTERNET-DRAFT LLMNR 17 March 2004 + + + +IN AAAA 2001:0DB8::1:2:3:FF:FE:4:5:6 + + +host1.example.com. IN A 10.1.1.1 +IN AAAA 2001:0DB8::1:2:3:FF:FE:4:5:6 + + +1.1.1.10.in-addr.arpa. IN PTR host1. +IN PTR host1.example.com. 
+ + +6.0.5.0.4.0.E.F.F.F.3.0.2.0.1.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa +IN PTR host1. +IN PTR host1.example.com + + +An LLMNR responder might be further manually configured with the name of +a local mail server with an MX RR included in the "host1." and +"host1.example.com." records. + + +In responding to queries: + + +[a] Responders MUST listen on UDP port TBD on the link-scope multicast + address(es) defined in Section 2, and on UDP and TCP port TBD on + the unicast address(es) that could be set as the source address(es) + when the responder responds to the LLMNR query. + + +[b] Responders MUST direct responses to the port from which the query + was sent. When queries are received via TCP this is an inherent + part of the transport protocol. For queries received by UDP the + responder MUST take note of the source port and use that as the + destination port in the response. Responses SHOULD always be sent + from the port to which they were directed. + + +[c] Responders MUST respond to LLMNR queries for names and addresses + they are authoritative for. This applies to both forward and + reverse lookups. + + +[d] Responders MUST NOT respond to LLMNR queries for names they are not + authoritative for. + + +[e] Responders MUST NOT respond using cached data. + + +[f] If a DNS server is running on a host that supports LLMNR, the DNS + server MUST respond to LLMNR queries only for the RRSets relating + to the host on which the server is running, but MUST NOT respond + for other records for which the server is authoritative. DNS + servers also MUST NOT send LLMNR queries in order to resolve DNS + queries. + + +[g] If a responder is authoritative for a name, it MAY respond with + RCODE=0 and an empty answer section, if the type of query does not + + + + +Esibov, Aboba & Thaler Standards Track [Page 9] + + + + + + +INTERNET-DRAFT LLMNR 17 March 2004 + + + + match a RR that the responder has. 
+ + +As an example, a host configured to respond to LLMNR queries for the +name "foo.example.com." is authoritative for the name +"foo.example.com.". On receiving an LLMNR query for an A RR with the +name "foo.example.com." the host authoritatively responds with A RR(s) +that contain IP address(es) in the RDATA of the resource record. If the +responder has a AAAA RR, but no A RR, and an A RR query is received, the +responder would respond with RCODE=0 and an empty answer section. + + +In conventional DNS terminology a DNS server authoritative for a zone is +authoritative for all the domain names under the zone apex except for +the branches delegated into separate zones. Contrary to conventional +DNS terminology, an LLMNR responder is authoritative only for the zone +apex. + + +For example the host "foo.example.com." is not authoritative for the +name "child.foo.example.com." unless the host is configured with +multiple names, including "foo.example.com." and +"child.foo.example.com.". As a result, "foo.example.com." cannot reply +to an LLMNR query for "child.foo.example.com." with RCODE=3 +(authoritative name error). The purpose of limiting the name authority +scope of a responder is to prevent complications that could be caused by +coexistence of two or more hosts with the names representing child and +parent (or grandparent) nodes in the DNS tree, for example, +"foo.example.com." and "child.foo.example.com.". + + +In this example (unless this limitation is introduced) an LLMNR query +for an A resource record for the name "child.foo.example.com." would +result in two authoritative responses: RCODE=3 (authoritative name +error) received from "foo.example.com.", and a requested A record - from +"child.foo.example.com.". To prevent this ambiguity, LLMNR enabled +hosts could perform a dynamic update of the parent (or grandparent) zone +with a delegation to a child zone. In this example a host +"child.foo.example.com." 
would send a dynamic update for the NS and glue +A record to "foo.example.com.", but this approach significantly +complicates implementation of LLMNR and would not be acceptable for +lightweight hosts. + + +2.4. Unicast queries and responses + + +Unicast queries SHOULD be sent when: + + +[a] A sender repeats a query after it received a response with the TC + bit set to the previous LLMNR multicast query, or + + +[b] The sender queries for a PTR RR of a fully formed IP address within + the "in-addr.arpa" or "ip6.arpa" zones. + + + + +Esibov, Aboba & Thaler Standards Track [Page 10] + + + + + + +INTERNET-DRAFT LLMNR 17 March 2004 + + + +A responder receiving a unicast query MUST send the response with a +source address set to the destination address field of the IP header of +the query causing the response. + + +Unicast LLMNR queries MUST be sent using TCP. Senders MUST support +sending TCP queries, and responders MUST support listening for TCP +queries. + + +Responses to TCP unicast LLMNR queries MUST be sent using TCP, using +the same connection as the query. If the sender of a TCP query receives +a response to that query not using TCP, the response MUST be silently +discarded. + + +Unicast UDP queries MUST be silently discarded. + + +If TCP connection setup cannot be completed in order to send a unicast +TCP query, this is treated as a response that no records of the +specified type and class exist for the specified name (it is treated the +same as a response with RCODE=0 and an empty answer section). + + +2.5. "Off link" detection + + +For IPv4, an "on link" address is defined as a link-local address +[IPv4Link] or an address whose prefix belongs to a subnet on the local +link. For IPv6 [RFC2460] an "on link" address is either a link-local +address, defined in [RFC2373], or an address whose prefix belongs to a +subnet on the local link. + + +A sender MUST select a source address for LLMNR queries that is "on +link". 
The destination address of an LLMNR query MUST be a link-scope +multicast address or an "on link" unicast address. + + +A responder MUST select a source address for responses that is "on +link". The destination address of an LLMNR response MUST be an "on link" +unicast address. + + +On receiving an LLMNR query, the responder MUST check whether it was +sent to a LLMNR multicast addresses defined in Section 2. If it was +sent to another multicast address, then the query MUST be silently +discarded. + + +Section 2.4 discusses use of TCP for LLMNR queries and responses. In +composing an LLMNR query using TCP, the sender MUST set the Hop Limit +field in the IPv6 header and the TTL field in the IPv4 header of the +response to one (1). The responder SHOULD set the TTL or Hop Limit +settings on the TCP listen socket to one (1) so that SYN-ACK packets +will have TTL (IPv4) or Hop Limit (IPv6) set to one (1). This prevents +an incoming connection from off-link since the sender will not receive a + + + + +Esibov, Aboba & Thaler Standards Track [Page 11] + + + + + + +INTERNET-DRAFT LLMNR 17 March 2004 + + + +SYN-ACK from the responder. + + +For UDP queries and responses the Hop Limit field in the IPv6 header, +and the TTL field in the IPV4 header MAY be set to any value. However, +it is RECOMMENDED that the value 255 be used for compatibility with +Apple Rendezvous. + + +Implementation note: + + + In the sockets API for IPv4 [POSIX], the IP_TTL and IP_MULTICAST_TTL + socket options are used to set the TTL of outgoing unicast and + multicast packets. The IP_RECVTTL socket option is available on some + platforms to retrieve the IPv4 TTL of received packets with + recvmsg(). [RFC2292] specifies similar options for setting and + retrieving the IPv6 Hop Limit. + + +2.6. 
Responder responsibilities + + +It is the responsibility of the responder to ensure that RRs returned in +LLMNR responses MUST only include values that are valid on the local +interface, such as IPv4 or IPv6 addresses valid on the local link or +names defended using the mechanism described in Section 4. In +particular: + + +[a] If a link-scope IPv6 address is returned in a AAAA RR, that address + MUST be valid on the local link over which LLMNR is used. + + +[b] If an IPv4 address is returned, it MUST be reachable through the + link over which LLMNR is used. + + +[c] If a name is returned (for example in a CNAME, MX or SRV RR), the + name MUST be resolvable on the local link over which LLMNR is used. + + +Routable addresses MUST be included first in the response, if available. +This encourages use of routable address(es) for establishment of new +connections. + + +2.7. Retransmission and jitter + + +An LLMNR sender uses the timeout interval LLMNR_TIMEOUT to determine +when to retransmit an LLMNR query and how long to collect responses to +an LLMNR query. + + +If an LLMNR query sent over UDP is not resolved within LLMNR_TIMEOUT, +then a sender MAY repeat the transmission of the query in order to +assure that it was received by a host capable of responding to it. +Retransmission of UDP queries SHOULD NOT be attempted more than 3 times. +Where LLMNR queries are sent using TCP, retransmission is handled by the + + + + +Esibov, Aboba & Thaler Standards Track [Page 12] + + + + + + +INTERNET-DRAFT LLMNR 17 March 2004 + + + +transport layer. + + +Because an LLMNR sender cannot know in advance if a query sent using +multicast will receive no response, one response, or more than one +response, the sender SHOULD wait for LLMNR_TIMEOUT in order to collect +all possible responses, rather than considering the multicast query +answered after the first response is received. 
A unicast query sender +considers the query answered after the first response is received, so +that it only waits for LLMNR_TIMEOUT if no response has been received. + + +An LLMNR sender SHOULD dynamically compute the value of LLMNR_TIMEOUT +for each transmission. It is suggested that the computation of +LLMNR_TIMEOUT be based on the response times for earlier LLMNR queries +sent on the same interface. + + +For example, the algorithms described in RFC 2988 [RFC2988] (including +exponential backoff) compute an RTO, which is used as the value of +LLMNR_TIMEOUT. Smaller values MAY be used for the initial RTO +(discussed in Section 2 of [RFC2988], paragraph 2.1), the minimum RTO +(discussed in Section 2 of [RFC2988], paragraph 2.4), and the maximum +RTO (discussed in Section 2 of [RFC2988], paragraph 2.5). + + +Recommended values are an initial RTO of 1 second, a minimum RTO of +200ms, and a maximum RTO of 5 seconds. In order to avoid +synchronization, the transmission of each LLMNR query and response +SHOULD delayed by a time randomly selected from the interval 0 to 100 +ms. This delay MAY be avoided by responders responding with RRs which +they have previously determined to be UNIQUE (see Section 4 for +details). + + +2.8. DNS TTL + + +The responder should use a pre-configured TTL value in the records +returned an LLMNR response. A default value of 30 seconds is +RECOMMENDED. In highly dynamic environments (such as mobile ad-hoc +networks), the TTL value may need to be reduced. + + +Due to the TTL minimalization necessary when caching an RRset, all TTLs +in an RRset MUST be set to the same value. + + +2.9. Use of the authority and additional sections + + +Unlike the DNS, LLMNR is a peer-to-peer protocol and does not have a +concept of delegation. In LLMNR, the NS resource record type may be +stored and queried for like any other type, but it has no special +delegation semantics as it does in the DNS. 
Responders MAY have NS +records associated with the names for which they are authoritative, but +they SHOULD NOT include these NS records in the authority sections of + + + + +Esibov, Aboba & Thaler Standards Track [Page 13] + + + + + + +INTERNET-DRAFT LLMNR 17 March 2004 + + + +responses. + + +Responders SHOULD insert an SOA record into the authority section of a +negative response, to facilitate negative caching as specified in +[RFC2308]. The owner name of this SOA record MUST be equal to the query +name. + + +Responders SHOULD NOT perform DNS additional section processing, except +as required for EDNS0 and DNSSEC. + + +Senders MUST NOT cache RRs from the authority or additional section of a +response as answers, though they may be used for other purposes such as +negative caching. + + +3. Usage model + + +Since LLMNR is a secondary name resolution mechanism, its usage is in +part determined by the behavior of DNS implementations. This document +does not specify any changes to DNS resolver behavior, such as +searchlist processing or retransmission/failover policy. However, +robust DNS resolver implementations are more likely to avoid unnecessary +LLMNR queries. + + +As noted in [DNSPerf], even when DNS servers are configured, a +significant fraction of DNS queries do not receive a response, or result +in negative responses due to missing inverse mappings or NS records that +point to nonexistent or inappropriate hosts. This has the potential to +result in a large number of unnecessary LLMNR queries. + + +[RFC1536] describes common DNS implementation errors and fixes. If the +proposed fixes are implemented, unnecessary LLMNR queries will be +reduced substantially, and so implementation of [RFC1536] is +recommended. + + +For example, [RFC1536] Section 1 describes issues with retransmission +and recommends implementation of a retransmission policy based on round +trip estimates, with exponential backoff. 
[RFC1536] Section 4 describes +issues with failover, and recommends that resolvers try another server +when they don't receive a response to a query. These policies are +likely to avoid unnecessary LLMNR queries. + + +[RFC1536] Section 3 describes zero answer bugs, which if addressed will +also reduce unnecessary LLMNR queries. + + +[RFC1536] Section 6 describes name error bugs and recommended searchlist +processing that will reduce unnecessary RCODE=3 (authoritative name) +errors, thereby also reducing unnecessary LLMNR queries. + + + + + +Esibov, Aboba & Thaler Standards Track [Page 14] + + + + + + +INTERNET-DRAFT LLMNR 17 March 2004 + + + +3.1. LLMNR configuration + + +Since IPv4 and IPv6 utilize distinct configuration mechanisms, it is +possible for a dual stack host to be configured with the address of a +DNS server over IPv4, while remaining unconfigured with a DNS server +suitable for use over IPv6. + + +In these situations, a dual stack host will send AAAA queries to the +configured DNS server over IPv4. However, an IPv6-only host +unconfigured with a DNS server suitable for use over IPv6 will be unable +to resolve names using DNS. Automatic IPv6 DNS configuration mechanisms +(such as [RFC3315] and [DNSDisc]) are not yet widely deployed, and not +all DNS servers support IPv6. Therefore lack of IPv6 DNS configuration +may be a common problem in the short term, and LLMNR may prove useful in +enabling linklocal name resolution over IPv6. + + +Where a DHCPv4 server is available but not a DHCPv6 server [RFC3315], +IPv6-only hosts may not be configured with a DNS server. Where there is +no DNS server authoritative for the name of a host or the authoritative +DNS server does not support dynamic client update over IPv6 or +DHCPv6-based dynamic update, then an IPv6-only host will not be able to +do DNS dynamic update, and other hosts will not be able to resolve its +name. 
+ + +For example, if the configured DNS server responds to AAAA RR queries +sent over IPv4 or IPv6 with an authoritative name error (RCODE=3), then +it will not be possible to resolve the names of IPv6-only hosts. In +this situation, LLMNR over IPv6 can be used for local name resolution. + + +Similarly, if a DHCPv4 server is available providing DNS server +configuration, and DNS server(s) exist which are authoritative for the A +RRs of local hosts and support either dynamic client update over IPv4 or +DHCPv4-based dynamic update, then the names of local IPv4 hosts can be +resolved over IPv4 without LLMNR. However, if no DNS server is +authoritative for the names of local hosts, or the authoritative DNS +server(s) do not support dynamic update, then LLMNR enables linklocal +name resolution over IPv4. + + +Where DHCPv4 or DHCPv6 is implemented, DHCP options can be used to +configure LLMNR on an interface. The LLMNR Enable Option, described in +[LLMNREnable], can be used to explicitly enable or disable use of LLMNR +on an interface. The LLMNR Enable Option does not determine whether or +in which order DNS itself is used for name resolution. The order in +which various name resolution mechanisms should be used can be specified +using the Name Service Search Option (NSSO) for DHCP [RFC2937], using +the LLMNR Enable Option code carried in the NSSO data. + + +It is possible that DNS configuration mechanisms will go in and out of + + + + +Esibov, Aboba & Thaler Standards Track [Page 15] + + + + + + +INTERNET-DRAFT LLMNR 17 March 2004 + + + +service. In these circumstances, it is possible for hosts within an +administrative domain to be inconsistent in their DNS configuration. + + +For example, where DHCP is used for configuring DNS servers, one or more +DHCP servers can fail. As a result, hosts configured prior to the +outage will be configured with a DNS server, while hosts configured +after the outage will not. 
Alternatively, it is possible for the DNS +configuration mechanism to continue functioning while configured DNS +servers fail. + + +Unless unconfigured hosts periodically retry configuration, an outage in +the DNS configuration mechanism will result in hosts continuing to use +LLMNR even once the outage is repaired. Since LLMNR only enables +linklocal name resolution, this represents an unnecessary degradation in +capabilities. As a result, it is recommended that hosts without a +configured DNS server periodically attempt to obtain DNS configuration. +For example, where DHCP is used for DNS configuration, [RFC2131] +recommends a maximum retry interval of 64 seconds. In the absence of +other guidance, a default retry interval of one (1) minute is +RECOMMENDED. + + +4. Conflict resolution + + +The sender MUST anticipate receiving multiple replies to the same LLMNR +query, in the event that several LLMNR enabled computers receive the +query and respond with valid answers. When this occurs, the responses +may first be concatenated, and then treated in the same manner that +multiple RRs received from the same DNS server would; the sender +perceives no inherent conflict in the receipt of multiple responses. + + +There are some scenarios when multiple responders MAY respond to the +same query. There are other scenarios when only one responder MAY +respond to a query. Resource records for which the latter queries are +submitted are referred as UNIQUE throughout this document. The +uniqueness of a resource record depends on a nature of the name in the +query and type of the query. For example it is expected that: + + + - multiple hosts may respond to a query for an SRV type record + - multiple hosts may respond to a query for an A or AAAA type + record for a cluster name (assigned to multiple hosts in + the cluster) + - only a single host may respond to a query for an A or AAAA + type record for a name. 
+ + +Every responder that responds to an LLMNR query AND includes a UNIQUE +record in the response: + + + + + + +Esibov, Aboba & Thaler Standards Track [Page 16] + + + + + + +INTERNET-DRAFT LLMNR 17 March 2004 + + + +[1] MUST verify that there is no other host within the scope of the + LLMNR query propagation that can return a resource record for the + same name, type and class. + + +[2] MUST NOT include a UNIQUE resource record in the response without + having verified its uniqueness. + + +Where a host is configured to issue LLMNR queries on more than one +interface, each interface should have its own independent LLMNR cache. +For each UNIQUE resource record in a given interface's configuration, +the host MUST verify resource record uniqueness on that interface. To +accomplish this, the host MUST send an LLMNR query for each UNIQUE +resource record. + + +By default, a host SHOULD be configured to behave as though all RRs are +UNIQUE. Uniqueness verification is carried out when the host: + + + - starts up or is rebooted + - wakes from sleep (if the network interface was inactive during sleep) + - is configured to respond to the LLMNR queries on an interface + enabled for transmission and reception of IP traffic + - is configured to respond to the LLMNR queries using additional + UNIQUE resource records + - detects that an interface is connected and is usable + (e.g. an IEEE 802 hardware link-state change indicating + that a cable was attached or completion of authentication + (and if needed, association) with a wireless base station + or adhoc network + + +When a host that has a UNIQUE record receives an LLMNR query for that +record, the host MUST respond. After the client receives a response, it +MUST check whether the response arrived on an interface different from +the one on which the query was sent. If the response arrives on a +different interface, the client can use the UNIQUE resource record in +response to LLMNR queries. 
If not, then it MUST NOT use the UNIQUE +resource record in response to LLMNR queries. + + +The name conflict detection mechanism doesn't prevent name conflicts +when previously partitioned segments are connected by a bridge. In order +to minimize the chance of conflicts in such a situation, it is +recommended that steps be taken to ensure name uniqueness. For example, +the name could be chosen randomly from a large pool of potential names, +or the name could be assigned via a process designed to guarantee +uniqueness. + + +When name conflicts are detected, they SHOULD be logged. To detect +duplicate use of a name, an administrator can use a name resolution +utility which employs LLMNR and lists both responses and responders. + + + + +Esibov, Aboba & Thaler Standards Track [Page 17] + + + + + + +INTERNET-DRAFT LLMNR 17 March 2004 + + + +This would allow an administrator to diagnose behavior and potentially +to intervene and reconfigure LLMNR responders who should not be +configured to respond to the same name. + + +4.1. Considerations for Multiple Interfaces + + +A multi-homed host may elect to configure LLMNR on only one of its +active interfaces. In many situations this will be adequate. However, +should a host need to configure LLMNR on more than one of its active +interfaces, there are some additional precautions it MUST take. +Implementers who are not planning to support LLMNR on multiple +interfaces simultaneously may skip this section. + + +A multi-homed host checks the uniqueness of UNIQUE records as described +in Section 4. The situation is illustrated in figure 1. + + + ---------- ---------- + | | | | + [A] [myhost] [myhost] + + + Figure 1. Link-scope name conflict + + +In this situation, the multi-homed myhost will probe for, and defend, +its host name on both interfaces. A conflict will be detected on one +interface, but not the other. 
The multi-homed myhost will not be able +to respond with a host RR for "myhost" on the interface on the right +(see Figure 1). The multi-homed host may, however, be configured to use +the "myhost" name on the interface on the left. + + +Since names are only unique per-link, hosts on different links could be +using the same name. If an LLMNR client sends requests over multiple +interfaces, and receives replies from more than one, the result returned +to the client is defined by the implementation. The situation is +illustrated in figure 2. + + + ---------- ---------- + | | | | + [A] [myhost] [A] + + + + Figure 2. Off-segment name conflict + + +If host myhost is configured to use LLMNR on both interfaces, it will +send LLMNR queries on both interfaces. When host myhost sends a query +for the host RR for name "A" it will receive a response from hosts on +both interfaces. + + +Host myhost cannot distinguish between the situation shown in Figure 2, + + + + +Esibov, Aboba & Thaler Standards Track [Page 18] + + + + + + +INTERNET-DRAFT LLMNR 17 March 2004 + + + +and that shown in Figure 3 where no conflict exists. + + + [A] + | | + ----- ----- + | | + [myhost] + + + Figure 3. Multiple paths to same host + + +This illustrates that the proposed name conflict resolution mechanism +does not support detection or resolution of conflicts between hosts on +different links. This problem can also occur with unicast DNS when a +multi-homed host is connected to two different networks with separated +name spaces. It is not the intent of this document to address the issue +of uniqueness of names within DNS. + + +4.2. API issues + + +[RFC2553] provides an API which can partially solve the name ambiguity +problem for applications written to use this API, since the sockaddr_in6 +structure exposes the scope within which each scoped address exists, and +this structure can be used for both IPv4 (using v4-mapped IPv6 +addresses) and IPv6 addresses. 
+ + +Following the example in Figure 2, an application on 'myhost' issues the +request getaddrinfo("A", ...) with ai_family=AF_INET6 and +ai_flags=AI_ALL|AI_V4MAPPED. LLMNR requests will be sent from both +interfaces and the resolver library will return a list containing +multiple addrinfo structures, each with an associated sockaddr_in6 +structure. This list will thus contain the IPv4 and IPv6 addresses of +both hosts responding to the name 'A'. Link-local addresses will have a +sin6_scope_id value that disambiguates which interface is used to reach +the address. Of course, to the application, Figures 2 and 3 are still +indistinguishable, but this API allows the application to communicate +successfully with any address in the list. + + +5. Security Considerations + + +LLMNR is by nature a peer-to-peer name resolution protocol. It is +therefore inherently more vulnerable than DNS, since existing DNS +security mechanisms are difficult to apply to LLMNR. While tools exist +to alllow an attacker to spoof a response to a DNS query, spoofing a +response to an LLMNR query is easier since the query is sent to a link- +scope multicast address, where every host on the logical link will be +made aware of it. + + + + + + +Esibov, Aboba & Thaler Standards Track [Page 19] + + + + + + +INTERNET-DRAFT LLMNR 17 March 2004 + + + +In order to address the security vulnerabilities, the following +mechanisms are contemplated: + + +[1] Scope restrictions. + + +[2] Usage restrictions. + + +[3] Cache and port separation. + + +[4] Authentication. + + +These techniques are described in the following sections. + + +5.1. Scope restriction + + +With LLMNR it is possible that hosts will allocate conflicting names for +a period of time, or that attackers will attempt to deny service to +other hosts by allocating the same name. Such attacks also allow hosts +to receive packets destined for other hosts. 
+ + +Since LLMNR is typically deployed in situations where no trust model can +be assumed, it is likely that LLMNR queries and responses will be +unauthenticated. In the absence of authentication, LLMNR reduces the +exposure to such threats by utilizing UDP queries sent to a link-scope +multicast address, as well as setting the TTL (IPv4) or Hop Limit (IPv6) +fields to one (1) on TCP queries and responses. + + +Using a TTL of one (1) to set up a TCP connection in order to send a +unicast LLMNR query reduces the likelihood of both denial of service +attacks and spoofed responses. Checking that an LLMNR query is sent to +a link-scope multicast address should prevent spoofing of multicast +queries by off-link attackers. + + +While this limits the ability of off-link attackers to spoof LLMNR +queries and responses, it does not eliminate it. For example, it is +possible for an attacker to spoof a response to a frequent query (such +as an A or AAAA query for a popular Internet host), and by using a TTL +or Hop Limit field larger than one (1), for the forged response to reach +the LLMNR sender. + + +When LLMNR queries are sent to a link-scope multicast address, it is +possible that some routers may not properly implement link-scope +multicast, or that link-scope multicast addresses may leak into the +multicast routing system. + + +Setting the IPv6 Hop Limit or IPv4 TTL field to a value larger than one +in an LLMNR UDP response may enable denial of service attacks across the +Internet. However, since LLMNR responders only respond to queries for + + + + +Esibov, Aboba & Thaler Standards Track [Page 20] + + + + + + +INTERNET-DRAFT LLMNR 17 March 2004 + + + +which they are authoritative, and LLMNR does not provide wildcard query +support, it is believed that this threat is minimal. + + +There also are scenarios such as public "hotspots" where attackers can +be present on the same link. 
These threats are most serious in wireless +networks such as 802.11, since attackers on a wired network will require +physical access to the home network, while wireless attackers may reside +outside the home. Link-layer security can be of assistance against +these threats if it is available. + + +5.2. Usage restriction + + +As noted in Sections 2 and 3, LLMNR is intended for usage in a limited +set of scenarios. + + +If an LLMNR query is sent whenever a DNS server does not respond in a +timely way, then an attacker can poison the LLMNR cache by responding to +the query with incorrect information. To some extent, these +vulnerabilities exist today, since DNS response spoofing tools are +available that can allow an attacker to respond to a query more quickly +than a distant DNS server. + + +Since LLMNR queries are sent and responded to on the local-link, an +attacker will need to respond more quickly to provide its own response +prior to arrival of the response from a legitimate responder. If an +LLMNR query is sent for an off-link host, spoofing a response in a +timely way is not difficult, since a legitimate response will never be +received. + + +The vulnerability is more serious if LLMNR is given higher priority than +DNS among the enabled name resolution mechanisms. In such a +configuration, a denial of service attack on the DNS server would not be +necessary in order to poison the LLMNR cache, since LLMNR queries would +be sent even when the DNS server is available. In addition, the LLMNR +cache, once poisoned, would take precedence over the DNS cache, +eliminating the benefits of cache separation. As a result, LLMNR is only +used as a name resolution mechanism of last resort. + + +5.3. Cache and port separation + + +In order to prevent responses to LLMNR queries from polluting the DNS +cache, LLMNR implementations MUST use a distinct, isolated cache for +LLMNR on each interface. 
The use of separate caches is most effective +when LLMNR is used as a name resolution mechanism of last resort, since +this minimizes the opportunities for poisoning the LLMNR cache, and +decreases reliance on it. + + +LLMNR operates on a separate port from DNS, reducing the likelihood that + + + + +Esibov, Aboba & Thaler Standards Track [Page 21] + + + + + + +INTERNET-DRAFT LLMNR 17 March 2004 + + + +a DNS server will unintentionally respond to an LLMNR query. + + +5.4. Authentication + + +LLMNR implementations may not support DNSSEC or TSIG, and as a result, +responses to LLMNR queries may be unauthenticated. If authentication is +desired, and a pre-arranged security configuration is possible, then +IPsec ESP with a null-transform MAY be used to authenticate LLMNR +responses. In a small network without a certificate authority, this can +be most easily accomplished through configuration of a group pre-shared +key for trusted hosts. + + +6. IANA Considerations + + +This specification creates one new name space: the reserved bits in the +LLMNR header. These are allocated by IETF Consensus, in accordance with +BCP 26 [RFC2434]. + + +LLMNR requires allocation of a port TBD for both TCP and UDP. +Assignment of the same port for both transports is requested. + + +LLMNR requires allocation of a link-scope multicast IPv4 address TBD. +LLMNR also requires allocation of a link-scope multicast IPv6 address +TBD. + + +7. References + + +7.1. Normative References + + +[RFC1035] Mockapetris, P., "Domain Names - Implementation and + Specification", RFC 1035, November 1987. + + +[RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, + April 1992. + + +[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + +[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS + Specification", RFC 2181, July 1997. + + +[RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", + RFC 2308, March 1998. 
+ + +[RFC2365] Meyer, D., "Administratively Scoped IP Multicast", BCP 23, RFC + 2365, July 1998. + + + + + + +Esibov, Aboba & Thaler Standards Track [Page 22] + + + + + + +INTERNET-DRAFT LLMNR 17 March 2004 + + + +[RFC2373] Hinden, R. and S. Deering, "IP Version 6 Addressing + Architecture", RFC 2373, July 1998. + + +[RFC2434] Alvestrand, H. and T. Narten, "Guidelines for Writing an IANA + Considerations Section in RFCs", BCP 26, RFC 2434, October + 1998. + + +[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 + (IPv6) Specification", RFC 2460, December 1998. + + +[RFC2535] Eastlake, D., "Domain Name System Security Extensions", RFC + 2535, March 1999. + + +[RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671, + August 1999. + + +[RFC2988] Paxson, V. and M. Allman, "Computing TCP's Retransmission + Timer", RFC 2988, November 2000. + + +7.2. Informative References + + +[RFC1536] Kumar, A., et. al., "DNS Implementation Errors and Suggested + Fixes", RFC 1536, October 1993. + + +[RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, + March 1997. + + +[RFC2136] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic + Updates in the Domain Name System (DNS UPDATE)", RFC 2136, + April 1997. + + +[RFC2292] Stevens, W. and M. Thomas, "Advanced Sockets API for IPv6", + RFC 2292, February 1998. + + +[RFC2553] Gilligan, R., Thomson, S., Bound, J. and W. Stevens, "Basic + Socket Interface Extensions for IPv6", RFC 2553, March 1999. + + +[RFC2937] Smith, C., "The Name Service Search Option for DHCP", RFC + 2937, September 2000. + + +[RFC3315] Droms, R., et al., "Dynamic Host Configuration Protocol for + IPv6 (DHCPv6)", RFC 3315, July 2003. + + +[DNSPerf] Jung, J., et al., "DNS Performance and the Effectiveness of + Caching", IEEE/ACM Transactions on Networking, Volume 10, + Number 5, pp. 589, October 2002. 
+ + + + + + +Esibov, Aboba & Thaler Standards Track [Page 23] + + + + + + +INTERNET-DRAFT LLMNR 17 March 2004 + + + +[DNSDisc] Durand, A., Hagino, I. and D. Thaler, "Well known site local + unicast addresses to communicate with recursive DNS servers", + Internet draft (work in progress), draft-ietf-ipv6-dns- + discovery-07.txt, October 2002. + + +[IPV4Link] + Cheshire, S., Aboba, B. and E. Guttman, "Dynamic Configuration + of IPv4 Link-Local Addresses", Internet draft (work in + progress), draft-ietf-zeroconf-ipv4-linklocal-14.txt, April + 2004. + + +[POSIX] IEEE Std. 1003.1-2001 Standard for Information Technology -- + Portable Operating System Interface (POSIX). Open Group + Technical Standard: Base Specifications, Issue 6, December + 2001. ISO/IEC 9945:2002. http://www.opengroup.org/austin + + +[LLMNREnable] + Guttman, E., "DHCP LLMNR Enable Option", Internet draft (work + in progress), draft-guttman-mdns-enable-02.txt, April 2002. + + +[NodeInfo] + Crawford, M., "IPv6 Node Information Queries", Internet draft + (work in progress), draft-ietf-ipn-gwg-icmp-name- + lookups-09.txt, May 2002. + + +Acknowledgments + + +This work builds upon original work done on multicast DNS by Bill +Manning and Bill Woodcock. Bill Manning's work was funded under DARPA +grant #F30602-99-1-0523. The authors gratefully acknowledge their +contribution to the current specification. Constructive input has also +been received from Mark Andrews, Stuart Cheshire, Randy Bush, Robert +Elz, Rob Austein, James Gilroy, Olafur Gudmundsson, Erik Guttman, Myron +Hattig, Thomas Narten, Christian Huitema, Erik Nordmark, Sander Van- +Valkenburg, Tomohide Nagashima, Brian Zill, Keith Moore and Markku +Savela. 
+ + + + + + + + + + + + + + + + +Esibov, Aboba & Thaler Standards Track [Page 24] + + + + + + +INTERNET-DRAFT LLMNR 17 March 2004 + + + +Authors' Addresses + + +Levon Esibov +Microsoft Corporation +One Microsoft Way +Redmond, WA 98052 + + +EMail: levone@microsoft.com + + +Bernard Aboba +Microsoft Corporation +One Microsoft Way +Redmond, WA 98052 + + +Phone: +1 425 706 6605 +EMail: bernarda@microsoft.com + + +Dave Thaler +Microsoft Corporation +One Microsoft Way +Redmond, WA 98052 + + +Phone: +1 425 703 8835 +EMail: dthaler@microsoft.com + + +Intellectual Property Statement + + +The IETF takes no position regarding the validity or scope of any +intellectual property or other rights that might be claimed to pertain +to the implementation or use of the technology described in this +document or the extent to which any license under such rights might or +might not be available; neither does it represent that it has made any +effort to identify any such rights. Information on the IETF's +procedures with respect to rights in standards-track and standards- +related documentation can be found in BCP-11. Copies of claims of +rights made available for publication and any assurances of licenses to +be made available, or the result of an attempt made to obtain a general +license or permission for the use of such proprietary rights by +implementors or users of this specification can be obtained from the +IETF Secretariat. + + +The IETF invites any interested party to bring to its attention any +copyrights, patents or patent applications, or other proprietary rights +which may cover technology that may be required to practice this +standard. Please address the information to the IETF Executive +Director. + + + + + + +Esibov, Aboba & Thaler Standards Track [Page 25] + + + + + + +INTERNET-DRAFT LLMNR 17 March 2004 + + + +Full Copyright Statement + + +Copyright (C) The Internet Society (2004). All Rights Reserved. 
+This document and translations of it may be copied and furnished to +others, and derivative works that comment on or otherwise explain it or +assist in its implementation may be prepared, copied, published and +distributed, in whole or in part, without restriction of any kind, +provided that the above copyright notice and this paragraph are included +on all such copies and derivative works. However, this document itself +may not be modified in any way, such as by removing the copyright notice +or references to the Internet Society or other Internet organizations, +except as needed for the purpose of developing Internet standards in +which case the procedures for copyrights defined in the Internet +Standards process must be followed, or as required to translate it into +languages other than English. The limited permissions granted above are +perpetual and will not be revoked by the Internet Society or its +successors or assigns. This document and the information contained +herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE +INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE +INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED +WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + + +Open Issues + + +Open issues with this specification are tracked on the following web +site: + + +http://www.drizzle.com/~aboba/DNSEXT/llmnrissues.html + + +Expiration Date + + +This memo is filed as , and expires +October 4, 2004. + + + + + + + + + + + + + + + + + + +Esibov, Aboba & Thaler Standards Track [Page 26] \ No newline at end of file