authorDoug Barton <dougb@FreeBSD.org>2012-04-04 23:11:25 +0000
committerDoug Barton <dougb@FreeBSD.org>2012-04-04 23:11:25 +0000
commit42d3eba523963ab015ac451eeea0788b11631c94 (patch)
treed6eb268f26af23cc29cceb581dd5468a2cfef052
parent3939884dc90db099f5601bd7c27d39acf7a8c731 (diff)
downloadsrc-42d3eba523963ab015ac451eeea0788b11631c94.tar.gz
src-42d3eba523963ab015ac451eeea0788b11631c94.zip
Vendor import of BIND 9.8.2vendor/bind9/9.8.2
Notes
Notes: svn path=/vendor/bind9/dist/; revision=233902 svn path=/vendor/bind9/9.8.2/; revision=233903; tag=vendor/bind9/9.8.2
-rw-r--r--CHANGES358
-rw-r--r--COPYRIGHT4
-rw-r--r--FAQ.xml2
-rw-r--r--Makefile.in8
-rw-r--r--README51
-rw-r--r--acconfig.h2
-rw-r--r--bin/Makefile.in2
-rw-r--r--bin/check/Makefile.in2
-rw-r--r--bin/check/check-tool.c2
-rw-r--r--bin/check/check-tool.h2
-rw-r--r--bin/check/named-checkconf.82
-rw-r--r--bin/check/named-checkconf.c2
-rw-r--r--bin/check/named-checkconf.docbook2
-rw-r--r--bin/check/named-checkconf.html12
-rw-r--r--bin/check/named-checkzone.82
-rw-r--r--bin/check/named-checkzone.c14
-rw-r--r--bin/check/named-checkzone.docbook2
-rw-r--r--bin/check/named-checkzone.html12
-rw-r--r--bin/confgen/Makefile.in2
-rw-r--r--bin/confgen/ddns-confgen.82
-rw-r--r--bin/confgen/ddns-confgen.c2
-rw-r--r--bin/confgen/ddns-confgen.docbook2
-rw-r--r--bin/confgen/ddns-confgen.html10
-rw-r--r--bin/confgen/include/confgen/os.h2
-rw-r--r--bin/confgen/keygen.c2
-rw-r--r--bin/confgen/keygen.h2
-rw-r--r--bin/confgen/rndc-confgen.82
-rw-r--r--bin/confgen/rndc-confgen.c2
-rw-r--r--bin/confgen/rndc-confgen.docbook2
-rw-r--r--bin/confgen/rndc-confgen.html12
-rw-r--r--bin/confgen/unix/Makefile.in2
-rw-r--r--bin/confgen/unix/os.c2
-rw-r--r--bin/confgen/util.c2
-rw-r--r--bin/confgen/util.h2
-rw-r--r--bin/dig/Makefile.in2
-rw-r--r--bin/dig/dig.12
-rw-r--r--bin/dig/dig.c4
-rw-r--r--bin/dig/dig.docbook2
-rw-r--r--bin/dig/dig.html20
-rw-r--r--bin/dig/dighost.c96
-rw-r--r--bin/dig/host.12
-rw-r--r--bin/dig/host.c2
-rw-r--r--bin/dig/host.docbook2
-rw-r--r--bin/dig/host.html10
-rw-r--r--bin/dig/include/dig/dig.h4
-rw-r--r--bin/dig/nslookup.12
-rw-r--r--bin/dig/nslookup.c2
-rw-r--r--bin/dig/nslookup.docbook2
-rw-r--r--bin/dig/nslookup.html16
-rw-r--r--bin/dnssec/Makefile.in2
-rw-r--r--bin/dnssec/dnssec-dsfromkey.82
-rw-r--r--bin/dnssec/dnssec-dsfromkey.c13
-rw-r--r--bin/dnssec/dnssec-dsfromkey.docbook2
-rw-r--r--bin/dnssec/dnssec-dsfromkey.html16
-rw-r--r--bin/dnssec/dnssec-keyfromlabel.82
-rw-r--r--bin/dnssec/dnssec-keyfromlabel.c14
-rw-r--r--bin/dnssec/dnssec-keyfromlabel.docbook2
-rw-r--r--bin/dnssec/dnssec-keyfromlabel.html14
-rw-r--r--bin/dnssec/dnssec-keygen.82
-rw-r--r--bin/dnssec/dnssec-keygen.c14
-rw-r--r--bin/dnssec/dnssec-keygen.docbook2
-rw-r--r--bin/dnssec/dnssec-keygen.html16
-rw-r--r--bin/dnssec/dnssec-revoke.813
-rw-r--r--bin/dnssec/dnssec-revoke.c14
-rw-r--r--bin/dnssec/dnssec-revoke.docbook16
-rw-r--r--bin/dnssec/dnssec-revoke.html19
-rw-r--r--bin/dnssec/dnssec-settime.84
-rw-r--r--bin/dnssec/dnssec-settime.c2
-rw-r--r--bin/dnssec/dnssec-settime.docbook5
-rw-r--r--bin/dnssec/dnssec-settime.html17
-rw-r--r--bin/dnssec/dnssec-signzone.82
-rw-r--r--bin/dnssec/dnssec-signzone.c2
-rw-r--r--bin/dnssec/dnssec-signzone.docbook2
-rw-r--r--bin/dnssec/dnssec-signzone.html12
-rw-r--r--bin/dnssec/dnssectool.c25
-rw-r--r--bin/dnssec/dnssectool.h9
-rw-r--r--bin/named/Makefile.in2
-rw-r--r--bin/named/bind.keys.h4
-rw-r--r--bin/named/bind9.xsl2
-rw-r--r--bin/named/bind9.xsl.h6
-rw-r--r--bin/named/builtin.c6
-rw-r--r--bin/named/client.c28
-rw-r--r--bin/named/config.c2
-rw-r--r--bin/named/control.c2
-rw-r--r--bin/named/controlconf.c22
-rwxr-xr-xbin/named/convertxsl.pl4
-rw-r--r--bin/named/include/dlz/dlz_dlopen_driver.h2
-rw-r--r--bin/named/include/named/builtin.h2
-rw-r--r--bin/named/include/named/client.h7
-rw-r--r--bin/named/include/named/config.h2
-rw-r--r--bin/named/include/named/control.h2
-rw-r--r--bin/named/include/named/globals.h2
-rw-r--r--bin/named/include/named/interfacemgr.h2
-rw-r--r--bin/named/include/named/listenlist.h2
-rw-r--r--bin/named/include/named/log.h2
-rw-r--r--bin/named/include/named/logconf.h2
-rw-r--r--bin/named/include/named/lwaddr.h2
-rw-r--r--bin/named/include/named/lwdclient.h2
-rw-r--r--bin/named/include/named/lwresd.h2
-rw-r--r--bin/named/include/named/lwsearch.h2
-rw-r--r--bin/named/include/named/main.h2
-rw-r--r--bin/named/include/named/notify.h2
-rw-r--r--bin/named/include/named/ns_smf_globals.h2
-rw-r--r--bin/named/include/named/query.h2
-rw-r--r--bin/named/include/named/server.h2
-rw-r--r--bin/named/include/named/sortlist.h2
-rw-r--r--bin/named/include/named/statschannel.h2
-rw-r--r--bin/named/include/named/tkeyconf.h2
-rw-r--r--bin/named/include/named/tsigconf.h2
-rw-r--r--bin/named/include/named/types.h2
-rw-r--r--bin/named/include/named/update.h2
-rw-r--r--bin/named/include/named/xfrout.h2
-rw-r--r--bin/named/include/named/zoneconf.h2
-rw-r--r--bin/named/interfacemgr.c2
-rw-r--r--bin/named/listenlist.c2
-rw-r--r--bin/named/log.c2
-rw-r--r--bin/named/logconf.c2
-rw-r--r--bin/named/lwaddr.c2
-rw-r--r--bin/named/lwdclient.c2
-rw-r--r--bin/named/lwderror.c2
-rw-r--r--bin/named/lwdgabn.c2
-rw-r--r--bin/named/lwdgnba.c2
-rw-r--r--bin/named/lwdgrbn.c2
-rw-r--r--bin/named/lwdnoop.c2
-rw-r--r--bin/named/lwresd.82
-rw-r--r--bin/named/lwresd.c2
-rw-r--r--bin/named/lwresd.docbook2
-rw-r--r--bin/named/lwresd.html14
-rw-r--r--bin/named/lwsearch.c2
-rw-r--r--bin/named/main.c21
-rw-r--r--bin/named/named.82
-rw-r--r--bin/named/named.conf.57
-rw-r--r--bin/named/named.conf.docbook7
-rw-r--r--bin/named/named.conf.html37
-rw-r--r--bin/named/named.docbook2
-rw-r--r--bin/named/named.html16
-rw-r--r--bin/named/notify.c2
-rw-r--r--bin/named/query.c1011
-rw-r--r--bin/named/server.c55
-rw-r--r--bin/named/sortlist.c2
-rw-r--r--bin/named/statschannel.c2
-rw-r--r--bin/named/tkeyconf.c2
-rw-r--r--bin/named/tsigconf.c2
-rw-r--r--bin/named/unix/Makefile.in2
-rw-r--r--bin/named/unix/dlz_dlopen_driver.c6
-rw-r--r--bin/named/unix/include/named/os.h2
-rw-r--r--bin/named/unix/os.c2
-rw-r--r--bin/named/update.c14
-rw-r--r--bin/named/xfrout.c17
-rw-r--r--bin/named/zoneconf.c28
-rw-r--r--bin/nsupdate/Makefile.in2
-rw-r--r--bin/nsupdate/nsupdate.12
-rw-r--r--bin/nsupdate/nsupdate.c3
-rw-r--r--bin/nsupdate/nsupdate.docbook2
-rw-r--r--bin/nsupdate/nsupdate.html14
-rw-r--r--bin/rndc/Makefile.in2
-rw-r--r--bin/rndc/include/rndc/os.h2
-rw-r--r--bin/rndc/rndc.82
-rw-r--r--bin/rndc/rndc.c8
-rw-r--r--bin/rndc/rndc.conf2
-rw-r--r--bin/rndc/rndc.conf.52
-rw-r--r--bin/rndc/rndc.conf.docbook2
-rw-r--r--bin/rndc/rndc.conf.html12
-rw-r--r--bin/rndc/rndc.docbook2
-rw-r--r--bin/rndc/rndc.html12
-rw-r--r--bin/rndc/util.c2
-rw-r--r--bin/rndc/util.h2
-rw-r--r--bin/tools/Makefile.in2
-rw-r--r--bin/tools/arpaname.12
-rw-r--r--bin/tools/arpaname.c2
-rw-r--r--bin/tools/arpaname.docbook2
-rw-r--r--bin/tools/arpaname.html8
-rw-r--r--bin/tools/genrandom.86
-rw-r--r--bin/tools/genrandom.c2
-rw-r--r--bin/tools/genrandom.docbook5
-rw-r--r--bin/tools/genrandom.html12
-rw-r--r--bin/tools/isc-hmac-fixup.82
-rw-r--r--bin/tools/isc-hmac-fixup.c2
-rw-r--r--bin/tools/isc-hmac-fixup.docbook2
-rw-r--r--bin/tools/isc-hmac-fixup.html10
-rw-r--r--bin/tools/named-journalprint.82
-rw-r--r--bin/tools/named-journalprint.c2
-rw-r--r--bin/tools/named-journalprint.docbook2
-rw-r--r--bin/tools/named-journalprint.html8
-rw-r--r--bin/tools/nsec3hash.82
-rw-r--r--bin/tools/nsec3hash.c7
-rw-r--r--bin/tools/nsec3hash.docbook2
-rw-r--r--bin/tools/nsec3hash.html10
-rw-r--r--config.h.in25
-rw-r--r--config.threads.in7
-rw-r--r--configure.in30
-rw-r--r--doc/Makefile.in2
-rw-r--r--doc/arm/Bv9ARM-book.xml402
-rw-r--r--doc/arm/Bv9ARM.ch01.html52
-rw-r--r--doc/arm/Bv9ARM.ch02.html24
-rw-r--r--doc/arm/Bv9ARM.ch03.html43
-rw-r--r--doc/arm/Bv9ARM.ch04.html279
-rw-r--r--doc/arm/Bv9ARM.ch05.html8
-rw-r--r--doc/arm/Bv9ARM.ch06.html480
-rw-r--r--doc/arm/Bv9ARM.ch07.html21
-rw-r--r--doc/arm/Bv9ARM.ch08.html20
-rw-r--r--doc/arm/Bv9ARM.ch09.html222
-rw-r--r--doc/arm/Bv9ARM.ch10.html4
-rw-r--r--doc/arm/Bv9ARM.html208
-rw-r--r--doc/arm/Bv9ARM.pdf18365
-rw-r--r--doc/arm/Makefile.in2
-rw-r--r--doc/arm/README-SGML2
-rw-r--r--doc/arm/dnssec.xml4
-rw-r--r--doc/arm/libdns.xml2
-rw-r--r--doc/arm/man.arpaname.html10
-rw-r--r--doc/arm/man.ddns-confgen.html12
-rw-r--r--doc/arm/man.dig.html22
-rw-r--r--doc/arm/man.dnssec-dsfromkey.html18
-rw-r--r--doc/arm/man.dnssec-keyfromlabel.html16
-rw-r--r--doc/arm/man.dnssec-keygen.html18
-rw-r--r--doc/arm/man.dnssec-revoke.html19
-rw-r--r--doc/arm/man.dnssec-settime.html19
-rw-r--r--doc/arm/man.dnssec-signzone.html14
-rw-r--r--doc/arm/man.genrandom.html12
-rw-r--r--doc/arm/man.host.html12
-rw-r--r--doc/arm/man.isc-hmac-fixup.html12
-rw-r--r--doc/arm/man.named-checkconf.html14
-rw-r--r--doc/arm/man.named-checkzone.html14
-rw-r--r--doc/arm/man.named-journalprint.html10
-rw-r--r--doc/arm/man.named.html18
-rw-r--r--doc/arm/man.nsec3hash.html12
-rw-r--r--doc/arm/man.nsupdate.html16
-rw-r--r--doc/arm/man.rndc-confgen.html14
-rw-r--r--doc/arm/man.rndc.conf.html14
-rw-r--r--doc/arm/man.rndc.html14
-rw-r--r--doc/arm/managed-keys.xml2
-rw-r--r--doc/arm/pkcs11.xml125
-rw-r--r--doc/misc/Makefile.in2
-rw-r--r--doc/misc/dnssec2
-rw-r--r--doc/misc/format-options.pl2
-rw-r--r--doc/misc/ipv62
-rw-r--r--doc/misc/migration2
-rw-r--r--doc/misc/migration-4to92
-rw-r--r--doc/misc/options14
-rw-r--r--doc/misc/rfc-compliance2
-rw-r--r--doc/misc/roadmap2
-rw-r--r--doc/misc/sdb2
-rwxr-xr-xdoc/misc/sort-options.pl2
-rw-r--r--isc-config.sh.in2
-rw-r--r--lib/Makefile.in2
-rw-r--r--lib/bind9/Makefile.in2
-rw-r--r--lib/bind9/api7
-rw-r--r--lib/bind9/check.c66
-rw-r--r--lib/bind9/getaddresses.c2
-rw-r--r--lib/bind9/include/Makefile.in2
-rw-r--r--lib/bind9/include/bind9/Makefile.in2
-rw-r--r--lib/bind9/include/bind9/check.h2
-rw-r--r--lib/bind9/include/bind9/getaddresses.h2
-rw-r--r--lib/bind9/include/bind9/version.h2
-rw-r--r--lib/bind9/version.c2
-rw-r--r--lib/dns/Makefile.in4
-rw-r--r--lib/dns/acache.c2
-rw-r--r--lib/dns/acl.c4
-rw-r--r--lib/dns/adb.c5
-rw-r--r--lib/dns/api11
-rw-r--r--lib/dns/byaddr.c2
-rw-r--r--lib/dns/cache.c4
-rw-r--r--lib/dns/callbacks.c4
-rw-r--r--lib/dns/client.c4
-rw-r--r--lib/dns/compress.c2
-rw-r--r--lib/dns/db.c9
-rw-r--r--lib/dns/dbiterator.c2
-rw-r--r--lib/dns/dbtable.c2
-rw-r--r--lib/dns/diff.c4
-rw-r--r--lib/dns/dispatch.c4
-rw-r--r--lib/dns/dlz.c4
-rw-r--r--lib/dns/dns64.c4
-rw-r--r--lib/dns/dnssec.c15
-rw-r--r--lib/dns/ds.c2
-rw-r--r--lib/dns/dst_api.c30
-rw-r--r--lib/dns/dst_internal.h6
-rw-r--r--lib/dns/dst_lib.c2
-rw-r--r--lib/dns/dst_openssl.h4
-rw-r--r--lib/dns/dst_parse.c19
-rw-r--r--lib/dns/dst_parse.h2
-rw-r--r--lib/dns/dst_result.c2
-rw-r--r--lib/dns/ecdb.c20
-rw-r--r--lib/dns/forward.c2
-rw-r--r--lib/dns/gen-unix.h2
-rw-r--r--lib/dns/gen.c2
-rw-r--r--lib/dns/gssapi_link.c4
-rw-r--r--lib/dns/gssapictx.c22
-rw-r--r--lib/dns/hmac_link.c2
-rw-r--r--lib/dns/include/Makefile.in2
-rw-r--r--lib/dns/include/dns/Makefile.in4
-rw-r--r--lib/dns/include/dns/acache.h2
-rw-r--r--lib/dns/include/dns/acl.h4
-rw-r--r--lib/dns/include/dns/adb.h4
-rw-r--r--lib/dns/include/dns/bit.h2
-rw-r--r--lib/dns/include/dns/byaddr.h2
-rw-r--r--lib/dns/include/dns/cache.h4
-rw-r--r--lib/dns/include/dns/callbacks.h4
-rw-r--r--lib/dns/include/dns/cert.h2
-rw-r--r--lib/dns/include/dns/client.h2
-rw-r--r--lib/dns/include/dns/compress.h2
-rw-r--r--lib/dns/include/dns/db.h14
-rw-r--r--lib/dns/include/dns/dbiterator.h2
-rw-r--r--lib/dns/include/dns/dbtable.h2
-rw-r--r--lib/dns/include/dns/diff.h2
-rw-r--r--lib/dns/include/dns/dispatch.h4
-rw-r--r--lib/dns/include/dns/dlz.h4
-rw-r--r--lib/dns/include/dns/dlz_dlopen.h4
-rw-r--r--lib/dns/include/dns/dns64.h2
-rw-r--r--lib/dns/include/dns/dnssec.h7
-rw-r--r--lib/dns/include/dns/ds.h2
-rw-r--r--lib/dns/include/dns/ecdb.h2
-rw-r--r--lib/dns/include/dns/events.h4
-rw-r--r--lib/dns/include/dns/fixedname.h2
-rw-r--r--lib/dns/include/dns/forward.h2
-rw-r--r--lib/dns/include/dns/iptable.h2
-rw-r--r--lib/dns/include/dns/journal.h4
-rw-r--r--lib/dns/include/dns/keydata.h2
-rw-r--r--lib/dns/include/dns/keyflags.h2
-rw-r--r--lib/dns/include/dns/keytable.h2
-rw-r--r--lib/dns/include/dns/keyvalues.h2
-rw-r--r--lib/dns/include/dns/lib.h2
-rw-r--r--lib/dns/include/dns/log.h5
-rw-r--r--lib/dns/include/dns/lookup.h2
-rw-r--r--lib/dns/include/dns/master.h4
-rw-r--r--lib/dns/include/dns/masterdump.h4
-rw-r--r--lib/dns/include/dns/message.h4
-rw-r--r--lib/dns/include/dns/name.h2
-rw-r--r--lib/dns/include/dns/ncache.h2
-rw-r--r--lib/dns/include/dns/nsec.h4
-rw-r--r--lib/dns/include/dns/nsec3.h4
-rw-r--r--lib/dns/include/dns/opcode.h2
-rw-r--r--lib/dns/include/dns/order.h2
-rw-r--r--lib/dns/include/dns/peer.h2
-rw-r--r--lib/dns/include/dns/portlist.h2
-rw-r--r--lib/dns/include/dns/private.h4
-rw-r--r--lib/dns/include/dns/rbt.h2
-rw-r--r--lib/dns/include/dns/rcode.h2
-rw-r--r--lib/dns/include/dns/rdata.h4
-rw-r--r--lib/dns/include/dns/rdataclass.h2
-rw-r--r--lib/dns/include/dns/rdatalist.h2
-rw-r--r--lib/dns/include/dns/rdataset.h4
-rw-r--r--lib/dns/include/dns/rdatasetiter.h2
-rw-r--r--lib/dns/include/dns/rdataslab.h2
-rw-r--r--lib/dns/include/dns/rdatatype.h2
-rw-r--r--lib/dns/include/dns/request.h2
-rw-r--r--lib/dns/include/dns/resolver.h4
-rw-r--r--lib/dns/include/dns/result.h4
-rw-r--r--lib/dns/include/dns/rootns.h2
-rw-r--r--lib/dns/include/dns/rpz.h59
-rw-r--r--lib/dns/include/dns/rriterator.h88
-rw-r--r--lib/dns/include/dns/sdb.h4
-rw-r--r--lib/dns/include/dns/sdlz.h4
-rw-r--r--lib/dns/include/dns/secalg.h2
-rw-r--r--lib/dns/include/dns/secproto.h2
-rw-r--r--lib/dns/include/dns/soa.h2
-rw-r--r--lib/dns/include/dns/ssu.h2
-rw-r--r--lib/dns/include/dns/stats.h4
-rw-r--r--lib/dns/include/dns/tcpmsg.h2
-rw-r--r--lib/dns/include/dns/time.h10
-rw-r--r--lib/dns/include/dns/timer.h2
-rw-r--r--lib/dns/include/dns/tkey.h2
-rw-r--r--lib/dns/include/dns/tsec.h2
-rw-r--r--lib/dns/include/dns/tsig.h2
-rw-r--r--lib/dns/include/dns/ttl.h2
-rw-r--r--lib/dns/include/dns/types.h4
-rw-r--r--lib/dns/include/dns/validator.h2
-rw-r--r--lib/dns/include/dns/version.h2
-rw-r--r--lib/dns/include/dns/view.h4
-rw-r--r--lib/dns/include/dns/xfrin.h2
-rw-r--r--lib/dns/include/dns/zone.h37
-rw-r--r--lib/dns/include/dns/zonekey.h2
-rw-r--r--lib/dns/include/dns/zt.h4
-rw-r--r--lib/dns/include/dst/Makefile.in2
-rw-r--r--lib/dns/include/dst/dst.h13
-rw-r--r--lib/dns/include/dst/gssapi.h2
-rw-r--r--lib/dns/include/dst/lib.h2
-rw-r--r--lib/dns/include/dst/result.h2
-rw-r--r--lib/dns/iptable.c2
-rw-r--r--lib/dns/journal.c4
-rw-r--r--lib/dns/key.c37
-rw-r--r--lib/dns/keydata.c2
-rw-r--r--lib/dns/keytable.c2
-rw-r--r--lib/dns/lib.c2
-rw-r--r--lib/dns/log.c5
-rw-r--r--lib/dns/lookup.c2
-rw-r--r--lib/dns/master.c14
-rw-r--r--lib/dns/masterdump.c10
-rw-r--r--lib/dns/message.c4
-rw-r--r--lib/dns/name.c4
-rw-r--r--lib/dns/ncache.c4
-rw-r--r--lib/dns/nsec.c4
-rw-r--r--lib/dns/nsec3.c8
-rw-r--r--lib/dns/openssl_link.c4
-rw-r--r--lib/dns/openssldh_link.c2
-rw-r--r--lib/dns/openssldsa_link.c4
-rw-r--r--lib/dns/opensslgost_link.c2
-rw-r--r--lib/dns/opensslrsa_link.c4
-rw-r--r--lib/dns/order.c2
-rw-r--r--lib/dns/peer.c2
-rw-r--r--lib/dns/portlist.c2
-rw-r--r--lib/dns/private.c4
-rw-r--r--lib/dns/rbt.c8
-rw-r--r--lib/dns/rbtdb.c381
-rw-r--r--lib/dns/rbtdb.h4
-rw-r--r--lib/dns/rbtdb64.c2
-rw-r--r--lib/dns/rbtdb64.h2
-rw-r--r--lib/dns/rcode.c4
-rw-r--r--lib/dns/rdata.c82
-rw-r--r--lib/dns/rdata/any_255/tsig_250.c4
-rw-r--r--lib/dns/rdata/any_255/tsig_250.h2
-rw-r--r--lib/dns/rdata/ch_3/a_1.c2
-rw-r--r--lib/dns/rdata/ch_3/a_1.h2
-rw-r--r--lib/dns/rdata/generic/afsdb_18.c2
-rw-r--r--lib/dns/rdata/generic/afsdb_18.h2
-rw-r--r--lib/dns/rdata/generic/cert_37.c4
-rw-r--r--lib/dns/rdata/generic/cert_37.h2
-rw-r--r--lib/dns/rdata/generic/cname_5.c2
-rw-r--r--lib/dns/rdata/generic/cname_5.h2
-rw-r--r--lib/dns/rdata/generic/dlv_32769.c4
-rw-r--r--lib/dns/rdata/generic/dlv_32769.h2
-rw-r--r--lib/dns/rdata/generic/dname_39.c2
-rw-r--r--lib/dns/rdata/generic/dname_39.h2
-rw-r--r--lib/dns/rdata/generic/dnskey_48.c4
-rw-r--r--lib/dns/rdata/generic/dnskey_48.h2
-rw-r--r--lib/dns/rdata/generic/ds_43.c4
-rw-r--r--lib/dns/rdata/generic/ds_43.h2
-rw-r--r--lib/dns/rdata/generic/gpos_27.c2
-rw-r--r--lib/dns/rdata/generic/gpos_27.h2
-rw-r--r--lib/dns/rdata/generic/hinfo_13.c2
-rw-r--r--lib/dns/rdata/generic/hinfo_13.h2
-rw-r--r--lib/dns/rdata/generic/hip_55.c2
-rw-r--r--lib/dns/rdata/generic/hip_55.h2
-rw-r--r--lib/dns/rdata/generic/ipseckey_45.c4
-rw-r--r--lib/dns/rdata/generic/ipseckey_45.h2
-rw-r--r--lib/dns/rdata/generic/isdn_20.c2
-rw-r--r--lib/dns/rdata/generic/isdn_20.h2
-rw-r--r--lib/dns/rdata/generic/key_25.c4
-rw-r--r--lib/dns/rdata/generic/key_25.h2
-rw-r--r--lib/dns/rdata/generic/keydata_65533.c4
-rw-r--r--lib/dns/rdata/generic/keydata_65533.h2
-rw-r--r--lib/dns/rdata/generic/loc_29.c2
-rw-r--r--lib/dns/rdata/generic/loc_29.h2
-rw-r--r--lib/dns/rdata/generic/mb_7.c2
-rw-r--r--lib/dns/rdata/generic/mb_7.h2
-rw-r--r--lib/dns/rdata/generic/md_3.c2
-rw-r--r--lib/dns/rdata/generic/md_3.h2
-rw-r--r--lib/dns/rdata/generic/mf_4.c2
-rw-r--r--lib/dns/rdata/generic/mf_4.h2
-rw-r--r--lib/dns/rdata/generic/mg_8.c2
-rw-r--r--lib/dns/rdata/generic/mg_8.h2
-rw-r--r--lib/dns/rdata/generic/minfo_14.c2
-rw-r--r--lib/dns/rdata/generic/minfo_14.h2
-rw-r--r--lib/dns/rdata/generic/mr_9.c2
-rw-r--r--lib/dns/rdata/generic/mr_9.h2
-rw-r--r--lib/dns/rdata/generic/mx_15.c2
-rw-r--r--lib/dns/rdata/generic/mx_15.h2
-rw-r--r--lib/dns/rdata/generic/ns_2.c2
-rw-r--r--lib/dns/rdata/generic/ns_2.h2
-rw-r--r--lib/dns/rdata/generic/nsec3_50.c4
-rw-r--r--lib/dns/rdata/generic/nsec3_50.h4
-rw-r--r--lib/dns/rdata/generic/nsec3param_51.c2
-rw-r--r--lib/dns/rdata/generic/nsec3param_51.h2
-rw-r--r--lib/dns/rdata/generic/nsec_47.c2
-rw-r--r--lib/dns/rdata/generic/nsec_47.h2
-rw-r--r--lib/dns/rdata/generic/null_10.c10
-rw-r--r--lib/dns/rdata/generic/null_10.h2
-rw-r--r--lib/dns/rdata/generic/nxt_30.c2
-rw-r--r--lib/dns/rdata/generic/nxt_30.h2
-rw-r--r--lib/dns/rdata/generic/opt_41.c4
-rw-r--r--lib/dns/rdata/generic/opt_41.h2
-rw-r--r--lib/dns/rdata/generic/proforma.c2
-rw-r--r--lib/dns/rdata/generic/proforma.h2
-rw-r--r--lib/dns/rdata/generic/ptr_12.c2
-rw-r--r--lib/dns/rdata/generic/ptr_12.h2
-rw-r--r--lib/dns/rdata/generic/rp_17.c2
-rw-r--r--lib/dns/rdata/generic/rp_17.h2
-rw-r--r--lib/dns/rdata/generic/rrsig_46.c4
-rw-r--r--lib/dns/rdata/generic/rrsig_46.h2
-rw-r--r--lib/dns/rdata/generic/rt_21.c2
-rw-r--r--lib/dns/rdata/generic/rt_21.h2
-rw-r--r--lib/dns/rdata/generic/sig_24.c4
-rw-r--r--lib/dns/rdata/generic/sig_24.h2
-rw-r--r--lib/dns/rdata/generic/soa_6.c4
-rw-r--r--lib/dns/rdata/generic/soa_6.h2
-rw-r--r--lib/dns/rdata/generic/spf_99.c2
-rw-r--r--lib/dns/rdata/generic/spf_99.h2
-rw-r--r--lib/dns/rdata/generic/sshfp_44.c4
-rw-r--r--lib/dns/rdata/generic/sshfp_44.h2
-rw-r--r--lib/dns/rdata/generic/tkey_249.c4
-rw-r--r--lib/dns/rdata/generic/tkey_249.h2
-rw-r--r--lib/dns/rdata/generic/txt_16.c2
-rw-r--r--lib/dns/rdata/generic/txt_16.h2
-rw-r--r--lib/dns/rdata/generic/unspec_103.c2
-rw-r--r--lib/dns/rdata/generic/unspec_103.h2
-rw-r--r--lib/dns/rdata/generic/x25_19.c2
-rw-r--r--lib/dns/rdata/generic/x25_19.h2
-rw-r--r--lib/dns/rdata/hs_4/a_1.c2
-rw-r--r--lib/dns/rdata/hs_4/a_1.h2
-rw-r--r--lib/dns/rdata/in_1/a6_38.c2
-rw-r--r--lib/dns/rdata/in_1/a6_38.h2
-rw-r--r--lib/dns/rdata/in_1/a_1.c2
-rw-r--r--lib/dns/rdata/in_1/a_1.h2
-rw-r--r--lib/dns/rdata/in_1/aaaa_28.c2
-rw-r--r--lib/dns/rdata/in_1/aaaa_28.h2
-rw-r--r--lib/dns/rdata/in_1/apl_42.c2
-rw-r--r--lib/dns/rdata/in_1/apl_42.h2
-rw-r--r--lib/dns/rdata/in_1/dhcid_49.c4
-rw-r--r--lib/dns/rdata/in_1/dhcid_49.h2
-rw-r--r--lib/dns/rdata/in_1/kx_36.c2
-rw-r--r--lib/dns/rdata/in_1/kx_36.h2
-rw-r--r--lib/dns/rdata/in_1/naptr_35.c4
-rw-r--r--lib/dns/rdata/in_1/naptr_35.h6
-rw-r--r--lib/dns/rdata/in_1/nsap-ptr_23.c2
-rw-r--r--lib/dns/rdata/in_1/nsap-ptr_23.h2
-rw-r--r--lib/dns/rdata/in_1/nsap_22.c2
-rw-r--r--lib/dns/rdata/in_1/nsap_22.h2
-rw-r--r--lib/dns/rdata/in_1/px_26.c2
-rw-r--r--lib/dns/rdata/in_1/px_26.h2
-rw-r--r--lib/dns/rdata/in_1/srv_33.c2
-rw-r--r--lib/dns/rdata/in_1/srv_33.h2
-rw-r--r--lib/dns/rdata/in_1/wks_11.c53
-rw-r--r--lib/dns/rdata/in_1/wks_11.h2
-rw-r--r--lib/dns/rdata/rdatastructpre.h2
-rw-r--r--lib/dns/rdata/rdatastructsuf.h2
-rw-r--r--lib/dns/rdatalist.c4
-rw-r--r--lib/dns/rdatalist_p.h2
-rw-r--r--lib/dns/rdataset.c10
-rw-r--r--lib/dns/rdatasetiter.c2
-rw-r--r--lib/dns/rdataslab.c5
-rw-r--r--lib/dns/request.c12
-rw-r--r--lib/dns/resolver.c224
-rw-r--r--lib/dns/result.c4
-rw-r--r--lib/dns/rootns.c2
-rw-r--r--lib/dns/rpz.c183
-rw-r--r--lib/dns/rriterator.c10
-rw-r--r--lib/dns/sdb.c4
-rw-r--r--lib/dns/sdlz.c8
-rw-r--r--lib/dns/soa.c2
-rw-r--r--lib/dns/spnego.asn12
-rw-r--r--lib/dns/spnego.c15
-rw-r--r--lib/dns/spnego.h2
-rw-r--r--lib/dns/spnego_asn1.c2
-rwxr-xr-xlib/dns/spnego_asn1.pl4
-rw-r--r--lib/dns/ssu.c2
-rw-r--r--lib/dns/ssu_external.c4
-rw-r--r--lib/dns/stats.c2
-rw-r--r--lib/dns/tcpmsg.c2
-rw-r--r--lib/dns/time.c16
-rw-r--r--lib/dns/timer.c2
-rw-r--r--lib/dns/tkey.c4
-rw-r--r--lib/dns/tsec.c2
-rw-r--r--lib/dns/tsig.c30
-rw-r--r--lib/dns/ttl.c4
-rw-r--r--lib/dns/validator.c75
-rw-r--r--lib/dns/version.c2
-rw-r--r--lib/dns/view.c7
-rw-r--r--lib/dns/xfrin.c4
-rw-r--r--lib/dns/zone.c343
-rw-r--r--lib/dns/zonekey.c2
-rw-r--r--lib/dns/zt.c4
-rw-r--r--lib/export/Makefile.in2
-rw-r--r--lib/export/dns/Makefile.in4
-rw-r--r--lib/export/dns/include/Makefile.in2
-rw-r--r--lib/export/dns/include/dns/Makefile.in2
-rw-r--r--lib/export/dns/include/dst/Makefile.in2
-rw-r--r--lib/export/irs/Makefile.in4
-rw-r--r--lib/export/irs/include/Makefile.in6
-rw-r--r--lib/export/irs/include/irs/Makefile.in2
-rw-r--r--lib/export/isc/Makefile.in2
-rw-r--r--lib/export/isc/include/Makefile.in6
-rw-r--r--lib/export/isc/include/isc/Makefile.in2
-rw-r--r--lib/export/isc/include/isc/bind9.h2
-rw-r--r--lib/export/isc/nls/Makefile.in2
-rw-r--r--lib/export/isc/nothreads/Makefile.in2
-rw-r--r--lib/export/isc/nothreads/include/Makefile.in6
-rw-r--r--lib/export/isc/nothreads/include/isc/Makefile.in2
-rw-r--r--lib/export/isc/pthreads/Makefile.in2
-rw-r--r--lib/export/isc/pthreads/include/Makefile.in6
-rw-r--r--lib/export/isc/pthreads/include/isc/Makefile.in2
-rw-r--r--lib/export/isc/unix/Makefile.in2
-rw-r--r--lib/export/isc/unix/include/Makefile.in6
-rw-r--r--lib/export/isc/unix/include/isc/Makefile.in2
-rw-r--r--lib/export/isccfg/Makefile.in4
-rw-r--r--lib/export/isccfg/include/Makefile.in6
-rw-r--r--lib/export/isccfg/include/isccfg/Makefile.in2
-rw-r--r--lib/export/samples/Makefile-postinstall.in2
-rw-r--r--lib/export/samples/Makefile.in2
-rw-r--r--lib/export/samples/nsprobe.c4
-rw-r--r--lib/export/samples/sample-async.c2
-rw-r--r--lib/export/samples/sample-gai.c2
-rw-r--r--lib/export/samples/sample-request.c2
-rw-r--r--lib/export/samples/sample-update.c2
-rw-r--r--lib/export/samples/sample.c2
-rw-r--r--lib/irs/Makefile.in2
-rw-r--r--lib/irs/api7
-rw-r--r--lib/irs/context.c2
-rw-r--r--lib/irs/dnsconf.c2
-rw-r--r--lib/irs/gai_strerror.c2
-rw-r--r--lib/irs/getaddrinfo.c2
-rw-r--r--lib/irs/getnameinfo.c4
-rw-r--r--lib/irs/include/Makefile.in2
-rw-r--r--lib/irs/include/irs/Makefile.in2
-rw-r--r--lib/irs/include/irs/context.h2
-rw-r--r--lib/irs/include/irs/dnsconf.h2
-rw-r--r--lib/irs/include/irs/netdb.h.in2
-rw-r--r--lib/irs/include/irs/platform.h.in2
-rw-r--r--lib/irs/include/irs/resconf.h2
-rw-r--r--lib/irs/include/irs/types.h2
-rw-r--r--lib/irs/include/irs/version.h2
-rw-r--r--lib/irs/resconf.c4
-rw-r--r--lib/irs/version.c2
-rw-r--r--lib/isc/Makefile.in4
-rw-r--r--lib/isc/alpha/Makefile.in2
-rw-r--r--lib/isc/alpha/include/Makefile.in2
-rw-r--r--lib/isc/alpha/include/isc/Makefile.in2
-rw-r--r--lib/isc/alpha/include/isc/atomic.h2
-rw-r--r--lib/isc/api7
-rw-r--r--lib/isc/app_api.c2
-rw-r--r--lib/isc/assertions.c2
-rw-r--r--lib/isc/backtrace-emptytbl.c2
-rw-r--r--lib/isc/backtrace.c2
-rw-r--r--lib/isc/base32.c2
-rw-r--r--lib/isc/base64.c2
-rw-r--r--lib/isc/bitstring.c2
-rw-r--r--lib/isc/buffer.c2
-rw-r--r--lib/isc/bufferlist.c2
-rw-r--r--lib/isc/commandline.c2
-rw-r--r--lib/isc/entropy.c2
-rw-r--r--lib/isc/error.c2
-rw-r--r--lib/isc/event.c2
-rw-r--r--lib/isc/fsaccess.c2
-rw-r--r--lib/isc/hash.c2
-rw-r--r--lib/isc/heap.c4
-rw-r--r--lib/isc/hex.c2
-rw-r--r--lib/isc/hmacmd5.c2
-rw-r--r--lib/isc/hmacsha.c19
-rw-r--r--lib/isc/httpd.c4
-rw-r--r--lib/isc/ia64/Makefile.in2
-rw-r--r--lib/isc/ia64/include/Makefile.in2
-rw-r--r--lib/isc/ia64/include/isc/Makefile.in2
-rw-r--r--lib/isc/ia64/include/isc/atomic.h2
-rw-r--r--lib/isc/include/Makefile.in2
-rw-r--r--lib/isc/include/isc/Makefile.in6
-rw-r--r--lib/isc/include/isc/app.h2
-rw-r--r--lib/isc/include/isc/assertions.h2
-rw-r--r--lib/isc/include/isc/backtrace.h2
-rw-r--r--lib/isc/include/isc/base32.h2
-rw-r--r--lib/isc/include/isc/base64.h2
-rw-r--r--lib/isc/include/isc/bind9.h2
-rw-r--r--lib/isc/include/isc/bitstring.h2
-rw-r--r--lib/isc/include/isc/boolean.h2
-rw-r--r--lib/isc/include/isc/buffer.h2
-rw-r--r--lib/isc/include/isc/bufferlist.h2
-rw-r--r--lib/isc/include/isc/commandline.h2
-rw-r--r--lib/isc/include/isc/entropy.h2
-rw-r--r--lib/isc/include/isc/error.h2
-rw-r--r--lib/isc/include/isc/event.h2
-rw-r--r--lib/isc/include/isc/eventclass.h2
-rw-r--r--lib/isc/include/isc/file.h4
-rw-r--r--lib/isc/include/isc/formatcheck.h2
-rw-r--r--lib/isc/include/isc/fsaccess.h2
-rw-r--r--lib/isc/include/isc/hash.h2
-rw-r--r--lib/isc/include/isc/heap.h2
-rw-r--r--lib/isc/include/isc/hex.h2
-rw-r--r--lib/isc/include/isc/hmacmd5.h2
-rw-r--r--lib/isc/include/isc/hmacsha.h2
-rw-r--r--lib/isc/include/isc/httpd.h2
-rw-r--r--lib/isc/include/isc/interfaceiter.h2
-rw-r--r--lib/isc/include/isc/ipv6.h2
-rw-r--r--lib/isc/include/isc/iterated_hash.h2
-rw-r--r--lib/isc/include/isc/lang.h2
-rw-r--r--lib/isc/include/isc/lex.h2
-rw-r--r--lib/isc/include/isc/lfsr.h2
-rw-r--r--lib/isc/include/isc/lib.h2
-rw-r--r--lib/isc/include/isc/list.h4
-rw-r--r--lib/isc/include/isc/log.h2
-rw-r--r--lib/isc/include/isc/magic.h2
-rw-r--r--lib/isc/include/isc/md5.h2
-rw-r--r--lib/isc/include/isc/mem.h4
-rw-r--r--lib/isc/include/isc/msgcat.h2
-rw-r--r--lib/isc/include/isc/msgs.h2
-rw-r--r--lib/isc/include/isc/mutexblock.h2
-rw-r--r--lib/isc/include/isc/namespace.h4
-rw-r--r--lib/isc/include/isc/netaddr.h2
-rw-r--r--lib/isc/include/isc/netscope.h2
-rw-r--r--lib/isc/include/isc/ondestroy.h2
-rw-r--r--lib/isc/include/isc/os.h2
-rw-r--r--lib/isc/include/isc/parseint.h2
-rw-r--r--lib/isc/include/isc/platform.h.in2
-rw-r--r--lib/isc/include/isc/portset.h2
-rw-r--r--lib/isc/include/isc/print.h2
-rw-r--r--lib/isc/include/isc/quota.h2
-rw-r--r--lib/isc/include/isc/radix.h2
-rw-r--r--lib/isc/include/isc/random.h2
-rw-r--r--lib/isc/include/isc/ratelimiter.h2
-rw-r--r--lib/isc/include/isc/refcount.h2
-rw-r--r--lib/isc/include/isc/region.h2
-rw-r--r--lib/isc/include/isc/resource.h2
-rw-r--r--lib/isc/include/isc/result.h7
-rw-r--r--lib/isc/include/isc/resultclass.h2
-rw-r--r--lib/isc/include/isc/rwlock.h2
-rw-r--r--lib/isc/include/isc/serial.h2
-rw-r--r--lib/isc/include/isc/sha1.h2
-rw-r--r--lib/isc/include/isc/sha2.h2
-rw-r--r--lib/isc/include/isc/sockaddr.h2
-rw-r--r--lib/isc/include/isc/socket.h4
-rw-r--r--lib/isc/include/isc/stats.h4
-rw-r--r--lib/isc/include/isc/stdio.h2
-rw-r--r--lib/isc/include/isc/stdlib.h2
-rw-r--r--lib/isc/include/isc/string.h2
-rw-r--r--lib/isc/include/isc/symtab.h12
-rw-r--r--lib/isc/include/isc/task.h4
-rw-r--r--lib/isc/include/isc/taskpool.h4
-rw-r--r--lib/isc/include/isc/timer.h2
-rw-r--r--lib/isc/include/isc/types.h4
-rw-r--r--lib/isc/include/isc/util.h14
-rw-r--r--lib/isc/include/isc/version.h2
-rw-r--r--lib/isc/include/isc/xml.h2
-rw-r--r--lib/isc/inet_aton.c2
-rw-r--r--lib/isc/inet_ntop.c2
-rw-r--r--lib/isc/inet_pton.c2
-rw-r--r--lib/isc/iterated_hash.c2
-rw-r--r--lib/isc/lex.c2
-rw-r--r--lib/isc/lfsr.c2
-rw-r--r--lib/isc/lib.c2
-rw-r--r--lib/isc/log.c4
-rw-r--r--lib/isc/md5.c2
-rw-r--r--lib/isc/mem.c4
-rw-r--r--lib/isc/mem_api.c2
-rw-r--r--lib/isc/mips/Makefile.in2
-rw-r--r--lib/isc/mips/include/Makefile.in2
-rw-r--r--lib/isc/mips/include/isc/Makefile.in2
-rw-r--r--lib/isc/mips/include/isc/atomic.h2
-rw-r--r--lib/isc/mutexblock.c9
-rw-r--r--lib/isc/netaddr.c4
-rw-r--r--lib/isc/netscope.c2
-rw-r--r--lib/isc/nls/Makefile.in2
-rw-r--r--lib/isc/nls/msgcat.c2
-rw-r--r--lib/isc/noatomic/Makefile.in2
-rw-r--r--lib/isc/noatomic/include/Makefile.in2
-rw-r--r--lib/isc/noatomic/include/isc/Makefile.in2
-rw-r--r--lib/isc/noatomic/include/isc/atomic.h2
-rw-r--r--lib/isc/nothreads/Makefile.in2
-rw-r--r--lib/isc/nothreads/condition.c2
-rw-r--r--lib/isc/nothreads/include/Makefile.in2
-rw-r--r--lib/isc/nothreads/include/isc/Makefile.in2
-rw-r--r--lib/isc/nothreads/include/isc/condition.h2
-rw-r--r--lib/isc/nothreads/include/isc/mutex.h2
-rw-r--r--lib/isc/nothreads/include/isc/once.h2
-rw-r--r--lib/isc/nothreads/include/isc/thread.h2
-rw-r--r--lib/isc/nothreads/mutex.c2
-rw-r--r--lib/isc/nothreads/thread.c2
-rw-r--r--lib/isc/ondestroy.c2
-rw-r--r--lib/isc/parseint.c2
-rw-r--r--lib/isc/portset.c2
-rw-r--r--lib/isc/powerpc/Makefile.in2
-rw-r--r--lib/isc/powerpc/include/Makefile.in2
-rw-r--r--lib/isc/powerpc/include/isc/Makefile.in2
-rw-r--r--lib/isc/powerpc/include/isc/atomic.h4
-rw-r--r--lib/isc/print.c2
-rw-r--r--lib/isc/pthreads/Makefile.in2
-rw-r--r--lib/isc/pthreads/condition.c2
-rw-r--r--lib/isc/pthreads/include/Makefile.in2
-rw-r--r--lib/isc/pthreads/include/isc/Makefile.in2
-rw-r--r--lib/isc/pthreads/include/isc/condition.h2
-rw-r--r--lib/isc/pthreads/include/isc/mutex.h2
-rw-r--r--lib/isc/pthreads/include/isc/once.h2
-rw-r--r--lib/isc/pthreads/include/isc/thread.h2
-rw-r--r--lib/isc/pthreads/mutex.c2
-rw-r--r--lib/isc/pthreads/thread.c2
-rw-r--r--lib/isc/quota.c2
-rw-r--r--lib/isc/radix.c4
-rw-r--r--lib/isc/random.c2
-rw-r--r--lib/isc/ratelimiter.c2
-rw-r--r--lib/isc/refcount.c2
-rw-r--r--lib/isc/region.c2
-rw-r--r--lib/isc/result.c5
-rw-r--r--lib/isc/rwlock.c4
-rw-r--r--lib/isc/serial.c2
-rw-r--r--lib/isc/sha1.c4
-rw-r--r--lib/isc/sha2.c18
-rw-r--r--lib/isc/sockaddr.c4
-rw-r--r--lib/isc/socket_api.c4
-rw-r--r--lib/isc/sparc64/Makefile.in2
-rw-r--r--lib/isc/sparc64/include/Makefile.in2
-rw-r--r--lib/isc/sparc64/include/isc/Makefile.in2
-rw-r--r--lib/isc/sparc64/include/isc/atomic.h2
-rw-r--r--lib/isc/stats.c4
-rw-r--r--lib/isc/string.c4
-rw-r--r--lib/isc/strtoul.c2
-rw-r--r--lib/isc/symtab.c53
-rw-r--r--lib/isc/task.c4
-rw-r--r--lib/isc/task_api.c4
-rw-r--r--lib/isc/task_p.h4
-rw-r--r--lib/isc/taskpool.c4
-rw-r--r--lib/isc/timer.c4
-rw-r--r--lib/isc/timer_api.c2
-rw-r--r--lib/isc/timer_p.h2
-rw-r--r--lib/isc/unix/Makefile.in2
-rw-r--r--lib/isc/unix/app.c2
-rw-r--r--lib/isc/unix/dir.c4
-rw-r--r--lib/isc/unix/entropy.c2
-rw-r--r--lib/isc/unix/errno2result.c11
-rw-r--r--lib/isc/unix/errno2result.h8
-rw-r--r--lib/isc/unix/file.c4
-rw-r--r--lib/isc/unix/fsaccess.c2
-rw-r--r--lib/isc/unix/ifiter_getifaddrs.c2
-rw-r--r--lib/isc/unix/ifiter_ioctl.c2
-rw-r--r--lib/isc/unix/ifiter_sysctl.c2
-rw-r--r--lib/isc/unix/include/Makefile.in2
-rw-r--r--lib/isc/unix/include/isc/Makefile.in2
-rw-r--r--lib/isc/unix/include/isc/dir.h2
-rw-r--r--lib/isc/unix/include/isc/int.h2
-rw-r--r--lib/isc/unix/include/isc/keyboard.h2
-rw-r--r--lib/isc/unix/include/isc/net.h4
-rw-r--r--lib/isc/unix/include/isc/netdb.h2
-rw-r--r--lib/isc/unix/include/isc/offset.h2
-rw-r--r--lib/isc/unix/include/isc/stat.h2
-rw-r--r--lib/isc/unix/include/isc/stdtime.h4
-rw-r--r--lib/isc/unix/include/isc/strerror.h2
-rw-r--r--lib/isc/unix/include/isc/syslog.h2
-rw-r--r--lib/isc/unix/include/isc/time.h2
-rw-r--r--lib/isc/unix/interfaceiter.c2
-rw-r--r--lib/isc/unix/ipv6.c2
-rw-r--r--lib/isc/unix/keyboard.c2
-rw-r--r--lib/isc/unix/net.c4
-rw-r--r--lib/isc/unix/os.c2
-rw-r--r--lib/isc/unix/resource.c2
-rw-r--r--lib/isc/unix/socket.c40
-rw-r--r--lib/isc/unix/socket_p.h2
-rw-r--r--lib/isc/unix/stdio.c17
-rw-r--r--lib/isc/unix/stdtime.c2
-rw-r--r--lib/isc/unix/strerror.c2
-rw-r--r--lib/isc/unix/syslog.c2
-rw-r--r--lib/isc/unix/time.c28
-rw-r--r--lib/isc/version.c2
-rw-r--r--lib/isc/x86_32/Makefile.in2
-rw-r--r--lib/isc/x86_32/include/Makefile.in2
-rw-r--r--lib/isc/x86_32/include/isc/Makefile.in2
-rw-r--r--lib/isc/x86_32/include/isc/atomic.h2
-rw-r--r--lib/isc/x86_64/Makefile.in2
-rw-r--r--lib/isc/x86_64/include/Makefile.in2
-rw-r--r--lib/isc/x86_64/include/isc/Makefile.in2
-rw-r--r--lib/isc/x86_64/include/isc/atomic.h2
-rw-r--r--lib/isccc/Makefile.in4
-rw-r--r--lib/isccc/alist.c2
-rw-r--r--lib/isccc/api7
-rw-r--r--lib/isccc/base64.c2
-rw-r--r--lib/isccc/cc.c29
-rw-r--r--lib/isccc/ccmsg.c2
-rw-r--r--lib/isccc/include/Makefile.in2
-rw-r--r--lib/isccc/include/isccc/Makefile.in2
-rw-r--r--lib/isccc/include/isccc/alist.h2
-rw-r--r--lib/isccc/include/isccc/base64.h2
-rw-r--r--lib/isccc/include/isccc/cc.h2
-rw-r--r--lib/isccc/include/isccc/ccmsg.h2
-rw-r--r--lib/isccc/include/isccc/events.h2
-rw-r--r--lib/isccc/include/isccc/lib.h2
-rw-r--r--lib/isccc/include/isccc/result.h2
-rw-r--r--lib/isccc/include/isccc/sexpr.h2
-rw-r--r--lib/isccc/include/isccc/symtab.h2
-rw-r--r--lib/isccc/include/isccc/symtype.h2
-rw-r--r--lib/isccc/include/isccc/types.h2
-rw-r--r--lib/isccc/include/isccc/util.h2
-rw-r--r--lib/isccc/include/isccc/version.h2
-rw-r--r--lib/isccc/lib.c2
-rw-r--r--lib/isccc/result.c2
-rw-r--r--lib/isccc/sexpr.c2
-rw-r--r--lib/isccc/symtab.c2
-rw-r--r--lib/isccc/version.c2
-rw-r--r--lib/isccfg/Makefile.in4
-rw-r--r--lib/isccfg/aclconf.c6
-rw-r--r--lib/isccfg/api7
-rw-r--r--lib/isccfg/dnsconf.c2
-rw-r--r--lib/isccfg/include/Makefile.in2
-rw-r--r--lib/isccfg/include/isccfg/Makefile.in2
-rw-r--r--lib/isccfg/include/isccfg/aclconf.h4
-rw-r--r--lib/isccfg/include/isccfg/cfg.h2
-rw-r--r--lib/isccfg/include/isccfg/dnsconf.h2
-rw-r--r--lib/isccfg/include/isccfg/grammar.h2
-rw-r--r--lib/isccfg/include/isccfg/log.h2
-rw-r--r--lib/isccfg/include/isccfg/namedconf.h2
-rw-r--r--lib/isccfg/include/isccfg/version.h2
-rw-r--r--lib/isccfg/log.c2
-rw-r--r--lib/isccfg/namedconf.c14
-rw-r--r--lib/isccfg/parser.c4
-rw-r--r--lib/isccfg/version.c2
-rw-r--r--lib/lwres/Makefile.in2
-rw-r--r--lib/lwres/api7
-rw-r--r--lib/lwres/assert_p.h4
-rw-r--r--lib/lwres/context.c2
-rw-r--r--lib/lwres/context_p.h2
-rw-r--r--lib/lwres/gai_strerror.c2
-rw-r--r--lib/lwres/getaddrinfo.c2
-rw-r--r--lib/lwres/gethost.c2
-rw-r--r--lib/lwres/getipnode.c2
-rw-r--r--lib/lwres/getnameinfo.c33
-rw-r--r--lib/lwres/getrrset.c2
-rw-r--r--lib/lwres/herror.c4
-rw-r--r--lib/lwres/include/Makefile.in2
-rw-r--r--lib/lwres/include/lwres/Makefile.in2
-rw-r--r--lib/lwres/include/lwres/context.h2
-rw-r--r--lib/lwres/include/lwres/int.h2
-rw-r--r--lib/lwres/include/lwres/ipv6.h2
-rw-r--r--lib/lwres/include/lwres/lang.h2
-rw-r--r--lib/lwres/include/lwres/list.h2
-rw-r--r--lib/lwres/include/lwres/lwbuffer.h2
-rw-r--r--lib/lwres/include/lwres/lwpacket.h2
-rw-r--r--lib/lwres/include/lwres/lwres.h2
-rw-r--r--lib/lwres/include/lwres/netdb.h.in2
-rw-r--r--lib/lwres/include/lwres/platform.h.in2
-rw-r--r--lib/lwres/include/lwres/result.h2
-rw-r--r--lib/lwres/include/lwres/stdlib.h2
-rw-r--r--lib/lwres/include/lwres/version.h2
-rw-r--r--lib/lwres/lwbuffer.c2
-rw-r--r--lib/lwres/lwconfig.c4
-rw-r--r--lib/lwres/lwinetaton.c2
-rw-r--r--lib/lwres/lwinetntop.c2
-rw-r--r--lib/lwres/lwinetpton.c13
-rw-r--r--lib/lwres/lwpacket.c2
-rw-r--r--lib/lwres/lwres_gabn.c2
-rw-r--r--lib/lwres/lwres_gnba.c2
-rw-r--r--lib/lwres/lwres_grbn.c2
-rw-r--r--lib/lwres/lwres_noop.c2
-rw-r--r--lib/lwres/lwresutil.c2
-rw-r--r--lib/lwres/man/Makefile.in2
-rw-r--r--lib/lwres/man/lwres.32
-rw-r--r--lib/lwres/man/lwres.docbook2
-rw-r--r--lib/lwres/man/lwres.html14
-rw-r--r--lib/lwres/man/lwres_buffer.32
-rw-r--r--lib/lwres/man/lwres_buffer.docbook2
-rw-r--r--lib/lwres/man/lwres_buffer.html4
-rw-r--r--lib/lwres/man/lwres_config.36
-rw-r--r--lib/lwres/man/lwres_config.docbook5
-rw-r--r--lib/lwres/man/lwres_config.html12
-rw-r--r--lib/lwres/man/lwres_context.36
-rw-r--r--lib/lwres/man/lwres_context.docbook5
-rw-r--r--lib/lwres/man/lwres_context.html10
-rw-r--r--lib/lwres/man/lwres_gabn.36
-rw-r--r--lib/lwres/man/lwres_gabn.docbook5
-rw-r--r--lib/lwres/man/lwres_gabn.html10
-rw-r--r--lib/lwres/man/lwres_gai_strerror.36
-rw-r--r--lib/lwres/man/lwres_gai_strerror.docbook5
-rw-r--r--lib/lwres/man/lwres_gai_strerror.html8
-rw-r--r--lib/lwres/man/lwres_getaddrinfo.36
-rw-r--r--lib/lwres/man/lwres_getaddrinfo.docbook5
-rw-r--r--lib/lwres/man/lwres_getaddrinfo.html10
-rw-r--r--lib/lwres/man/lwres_gethostent.36
-rw-r--r--lib/lwres/man/lwres_gethostent.docbook5
-rw-r--r--lib/lwres/man/lwres_gethostent.html12
-rw-r--r--lib/lwres/man/lwres_getipnode.36
-rw-r--r--lib/lwres/man/lwres_getipnode.docbook5
-rw-r--r--lib/lwres/man/lwres_getipnode.html10
-rw-r--r--lib/lwres/man/lwres_getnameinfo.36
-rw-r--r--lib/lwres/man/lwres_getnameinfo.docbook5
-rw-r--r--lib/lwres/man/lwres_getnameinfo.html12
-rw-r--r--lib/lwres/man/lwres_getrrsetbyname.36
-rw-r--r--lib/lwres/man/lwres_getrrsetbyname.docbook5
-rw-r--r--lib/lwres/man/lwres_getrrsetbyname.html10
-rw-r--r--lib/lwres/man/lwres_gnba.36
-rw-r--r--lib/lwres/man/lwres_gnba.docbook5
-rw-r--r--lib/lwres/man/lwres_gnba.html10
-rw-r--r--lib/lwres/man/lwres_hstrerror.36
-rw-r--r--lib/lwres/man/lwres_hstrerror.docbook5
-rw-r--r--lib/lwres/man/lwres_hstrerror.html10
-rw-r--r--lib/lwres/man/lwres_inetntop.36
-rw-r--r--lib/lwres/man/lwres_inetntop.docbook5
-rw-r--r--lib/lwres/man/lwres_inetntop.html10
-rw-r--r--lib/lwres/man/lwres_noop.36
-rw-r--r--lib/lwres/man/lwres_noop.docbook5
-rw-r--r--lib/lwres/man/lwres_noop.html10
-rw-r--r--lib/lwres/man/lwres_packet.36
-rw-r--r--lib/lwres/man/lwres_packet.docbook5
-rw-r--r--lib/lwres/man/lwres_packet.html8
-rw-r--r--lib/lwres/man/lwres_resutil.36
-rw-r--r--lib/lwres/man/lwres_resutil.docbook5
-rw-r--r--lib/lwres/man/lwres_resutil.html10
-rw-r--r--lib/lwres/print.c4
-rw-r--r--lib/lwres/print_p.h4
-rw-r--r--lib/lwres/strtoul.c4
-rw-r--r--lib/lwres/unix/Makefile.in4
-rw-r--r--lib/lwres/unix/include/Makefile.in4
-rw-r--r--lib/lwres/unix/include/lwres/Makefile.in4
-rw-r--r--lib/lwres/unix/include/lwres/net.h8
-rw-r--r--lib/lwres/version.c4
-rw-r--r--make/Makefile.in4
-rw-r--r--make/includes.in4
-rw-r--r--make/mkdep.in38
-rw-r--r--make/rules.in38
-rwxr-xr-xmkinstalldirs2
-rw-r--r--release-notes.css2
-rw-r--r--version8
992 files changed, 14784 insertions, 12761 deletions
diff --git a/CHANGES b/CHANGES
index dc0b2c69981c..19f8e51615a3 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,9 +1,309 @@
- --- 9.8.1-P1 released ---
+ --- 9.8.2 released ---
+
+3298. [bug] Named could dereference a NULL pointer in
+ zmgr_start_xfrin_ifquota if the zone was being removed.
+ [RT #28419]
+
+3297. [bug] Named could die on a malformed master file. [RT #28467]
+
+3295. [bug] Adjust isc_time_secondsastimet range check to be more
+ portable. [RT # 26542]
+
+3294. [bug] isccc/cc.c:table_fromwire failed to free alist on
+ error. [RT #28265]
+
+3291. [port] Fixed a build error on systems without ENOTSUP.
+ [RT #28200]
+
+3290. [bug] <isc/hmacsha.h> was not being installed. [RT #28169]
+
+3288. [bug] dlz_destroy() function wasn't correctly registered
+ by the DLZ dlopen driver. [RT #28056]
+
+3287. [port] Update ans.pl to work with Net::DNS 0.68. [RT #28028]
+
+3286. [bug] Managed key maintenance timer could fail to start
+ after 'rndc reconfig'. [RT #26786]
+
+ --- 9.8.2rc2 released ---
+
+3285. [bug] val-frdataset was incorrectly disassociated in
+ proveunsecure after calling startfinddlvsep.
+ [RT #27928]
+
+3284. [bug] Address race conditions with the handling of
+ rbtnode.deadlink. [RT #27738]
+
+3283. [bug] Raw zones with with more than 512 records in a RRset
+ failed to load. [RT #27863]
+
+3282. [bug] Restrict the TTL of NS RRset to no more than that
+ of the old NS RRset when replacing it.
+ [RT #27792] [RT #27884]
+
+3281. [bug] SOA refresh queries could be treated as cancelled
+ despite succeeding over the loopback interface.
+ [RT #27782]
+
+3280. [bug] Potential double free of a rdataset on out of memory
+ with DNS64. [RT #27762]
+
+3278. [bug] Make sure automatic key maintenance is started
+ when "auto-dnssec maintain" is turned on during
+ "rndc reconfig". [RT #26805]
+
+3276. [bug] win32: ns_os_openfile failed to return NULL on
+ safe_open failure. [RT #27696]
+
+3274. [bug] Log when a zone is not reusable. Only set loadtime
+ on successful loads. [RT #27650]
+
+3273. [bug] AAAA responses could be returned in the additional
+ section even when filter-aaaa-on-v4 was in use.
+ [RT #27292]
+
+3271. [port] darwin: mksymtbl is not always stable, loop several
+ times before giving up. mksymtbl was using non
+ portable perl to covert 64 bit hex strings. [RT #27653]
+
+3268. [bug] Convert RRSIG expiry times to 64 timestamps to work
+ out the earliest expiry time. [RT #23311]
+
+3267. [bug] Memory allocation failures could be mis-reported as
+ unexpected error. New ISC_R_UNSET result code.
+ [RT #27336]
+
+3266. [bug] The maximum number of NSEC3 iterations for a
+ DNSKEY RRset was not being properly computed.
+ [RT #26543]
+
+3262. [bug] Signed responses were handled incorrectly by RPZ.
+ [RT #27316]
+
+ --- 9.8.2rc1 released ---
+
+3260. [bug] "rrset-order cyclic" could appear not to rotate
+ for some query patterns. [RT #27170/27185]
+
+3259. [bug] named-compilezone: Suppress "dump zone to <file>"
+ message when writing to stdout. [RT #27109]
+
+3258. [test] Add "forcing full sign with unreadable keys" test.
+ [RT #27153]
+
+3257. [bug] Do not generate a error message when calling fsync()
+ in a pipe or socket. [RT #27109]
+
+3256. [bug] Disable empty zones for lwresd -C. [RT #27139]
+
+3254. [bug] Set isc_socket_ipv6only() on the IPv6 control channels.
+ [RT #22249]
+
+3253. [bug] Return DNS_R_SYNTAX when the input to a text field is
+ too long. [RT #26956]
+
+3251. [bug] Enforce a upper bound (65535 bytes) on the amount of
+ memory dns_sdlz_putrr() can allocate per record to
+ prevent run away memory consumption on ISC_R_NOSPACE.
+ [RT #26956]
+
+3250. [func] 'configure --enable-developer'; turn on various
+ configure options, normally off by default, that
+ we want developers to build and test with. [RT #27103]
+
+3249. [bug] Update log message when saving slave zones files for
+ analysis after load failures. [RT #27087]
+
+3248. [bug] Configure options --enable-fixed-rrset and
+ --enable-exportlib were incompatible with each
+ other. [RT #27087]
+
+3247. [bug] 'raw' format zones failed to preserve load order
+ breaking 'fixed' sort order. [RT #27087]
+
+3243. [port] netbsd,bsdi: the thread defaults were not being
+ properly set.
+
+3241. [bug] Address race conditions in the resolver code.
+ [RT #26889]
+
+3240. [bug] DNSKEY state change events could be missed. [RT #26874]
+
+3239. [bug] dns_dnssec_findmatchingkeys needs to use a consistent
+ timestamp. [RT #26883]
+
+3238. [bug] keyrdata was not being reinitialized in
+ lib/dns/rbtdb.c:iszonesecure. [RT#26913]
+
+3237. [bug] dig -6 didn't work with +trace. [RT #26906]
+
+ --- 9.8.2b1 released ---
+
+3234. [bug] 'make depend' produced invalid makefiles. [RT #26830]
+
+3231. [bug] named could fail to send a uncompressable zone.
+ [RT #26796]
+
+3230. [bug] 'dig axfr' failed to properly handle a multi-message
+ axfr with a serial of 0. [RT #26796]
+
+3229. [bug] Fix local variable to struct var assignment
+ found by CLANG warning.
+
+3228. [tuning] Dynamically grow symbol table to improve zone
+ loading performance. [RT #26523]
+
+3227. [bug] Interim fix to make WKS's use of getprotobyname()
+ and getservbyname() self thread safe. [RT #26232]
+
+3226. [bug] Address minor resource leakages. [RT #26624]
+
+3221. [bug] Fixed a potential coredump on shutdown due to
+ referencing fetch context after it's been freed.
+ [RT #26720]
+
+3220. [bug] Change #3186 was incomplete; dns_db_rpz_findips()
+ could fail to set the database version correctly,
+ causing an assertion failure. [RT #26180]
3218. [security] Cache lookup could return RRSIG data associated with
nonexistent records, leading to an assertion
failure. [RT #26590]
+3217. [cleanup] Fix build problem with --disable-static. [RT #26476]
+
+3216. [bug] resolver.c:validated() was not thread-safe. [RT #26478]
+
+3213. [doc] Clarify ixfr-from-differences behavior. [RT #25188]
+
+3212. [bug] rbtdb.c: failed to remove a node from the deadnodes
+ list prior to adding a reference to it leading a
+ possible assertion failure. [RT #23219]
+
+3209. [func] Add "dnssec-lookaside 'no'". [RT #24858]
+
+3208. [bug] 'dig -y' handle unknown tsig alorithm better.
+ [RT #25522]
+
+3207. [contrib] Fixed build error in Berkeley DB DLZ module. [RT #26444]
+
+3206. [cleanup] Add ISC information to log at start time. [RT #25484]
+
+3204. [bug] When a master server that has been marked as
+ unreachable sends a NOTIFY, mark it reachable
+ again. [RT #25960]
+
+3203. [bug] Increase log level to 'info' for validation failures
+ from expired or not-yet-valid RRSIGs. [RT #21796]
+
+3200. [doc] Some rndc functions were undocumented or were
+ missing from 'rndc -h' output. [RT #25555]
+
+3198. [doc] Clarified that dnssec-settime can alter keyfile
+ permissions. [RT #24866]
+
+3196. [bug] nsupdate: return nonzero exit code when target zone
+ doesn't exist. [RT #25783]
+
+3195. [cleanup] Silence "file not found" warnings when loading
+ managed-keys zone. [RT #26340]
+
+3194. [doc] Updated RFC references in the 'empty-zones-enable'
+ documentation. [RT #25203]
+
+3193. [cleanup] Changed MAXZONEKEYS to DNS_MAXZONEKEYS, moved to
+ dnssec.h. [RT #26415]
+
+3192. [bug] A query structure could be used after being freed.
+ [RT #22208]
+
+3191. [bug] Print NULL records using "unknown" format. [RT #26392]
+
+3190. [bug] Underflow in error handling in isc_mutexblock_init.
+ [RT #26397]
+
+3189. [test] Added a summary report after system tests. [RT #25517]
+
+3188. [bug] zone.c:zone_refreshkeys() could fail to detach
+ references correctly when errors occurred, causing
+ a hang on shutdown. [RT #26372]
+
+3187. [port] win32: support for Visual Studio 2008. [RT #26356]
+
+3186. [bug] Version/db mis-match in rpz code. [RT #26180]
+
+3179. [port] kfreebsd: build issues. [RT #26273]
+
+3175. [bug] Fix how DNSSEC positive wildcard responses from a
+ NSEC3 signed zone are validated. Stop sending a
+ unnecessary NSEC3 record when generating such
+ responses. [RT #26200]
+
+3174. [bug] Always compute to revoked key tag from scratch.
+ [RT #26186]
+
+3173. [port] Correctly validate root DS responses. [RT #25726]
+
+3171. [bug] Exclusively lock the task when adding a zone using
+ 'rndc addzone'. [RT #25600]
+
+3170. [func] RPZ update:
+ - fix precedence among competing rules
+ - improve ARM text including documenting rule precedence
+ - try to rewrite CNAME chains until first hit
+ - new "rpz" logging channel
+ - RDATA for CNAME rules can include wildcards
+ - replace "NO-OP" named.conf policy override with
+ "PASSTHRU" and add "DISABLED" override ("NO-OP"
+ is still recognized)
+ [RT #25172]
+
+3169. [func] Catch db/version mis-matches when calling dns_db_*().
+ [RT #26017]
+
+3167. [bug] Negative answers from forwarders were not being
+ correctly tagged making them appear to not be cached.
+ [RT #25380]
+
+3162. [test] start.pl: modified to allow for "named.args" in
+ ns*/ subdirectory to override stock arguments to
+ named. Largely from RT#26044, but no separate ticket.
+
+3161. [bug] zone.c:del_sigs failed to always reset rdata leading
+ assertion failures. [RT #25880]
+
+3157. [tuning] Reduce the time spent in "rndc reconfig" by parsing
+ the config file before pausing the server. [RT #21373]
+
+3155. [bug] Fixed a build failure when using contrib DLZ
+ drivers (e.g., mysql, postgresql, etc). [RT #25710]
+
+3154. [bug] Attempting to print an empty rdataset could trigger
+ an assert. [RT #25452]
+
+3152. [cleanup] Some versions of gcc and clang failed due to
+ incorrect use of __builtin_expect. [RT #25183]
+
+3151. [bug] Queries for type RRSIG or SIG could be handled
+ incorrectly. [RT #21050]
+
+3148. [bug] Processing of normal queries could be stalled when
+ forwarding a UPDATE message. [RT #24711]
+
+3146. [test] Fixed gcc4.6.0 errors in ATF. [RT #25598]
+
+3145. [test] Capture output of ATF unit tests in "./atf.out" if
+ there were any errors while running them. [RT #25527]
+
+3144. [bug] dns_dbiterator_seek() could trigger an assert when
+ used with a nonexistent database node. [RT #25358]
+
+3143. [bug] Silence clang compiler warnings. [RT #25174]
+
+3139. [test] Added tests from RFC 6234, RFC 2202, and RFC 1321
+ for the hashing algorithms (md5, sha1 - sha512, and
+ their hmac counterparts). [RT #25067]
+
--- 9.8.1 released ---
--- 9.8.1rc1 released ---
@@ -14,7 +314,7 @@
3138. [bug] Address memory leaks and out-of-order operations when
shutting named down. [RT #25210]
-3136. [func] Add RFC 1918 reverse zones to the list of built-in
+3136. [func] Add RFC 1918 reverse zones to the list of built-in
empty zones switched on by the 'empty-zones-enable'
option. [RT #24990]
@@ -34,9 +334,9 @@
3133. [bug] Change #3114 was incomplete. [RT #24577]
-3131. [tuning] Improve scalability by allocating one zone task
- per 100 zones at startup time, rather than using a
- fixed-size task table. [RT #24406]
+3131. [tuning] Improve scalability by allocating one zone task
+ per 100 zones at startup time, rather than using a
+ fixed-size task table. [RT #24406]
3129. [bug] Named could crash on 'rndc reconfig' when
allow-new-zones was set to yes and named ACLs
@@ -62,10 +362,10 @@
3122. [cleanup] dnssec-settime: corrected usage message. [RT #24664]
-3121. [security] An authoritative name server sending a negative
- response containing a very large RRset could
- trigger an off-by-one error in the ncache code
- and crash named. [RT #24650]
+3121. [security] An authoritative name server sending a negative
+ response containing a very large RRset could
+ trigger an off-by-one error in the ncache code
+ and crash named. [RT #24650]
3120. [bug] Named could fail to validate zones listed in a DLV
that validated insecure without using DLV and had
@@ -99,9 +399,9 @@
"krb5-subdomain", which allow machines to update
their own records, to the BIND 9 ARM.
-3111. [bug] Improved consistency checks for dnssec-enable and
- dnssec-validation, added test cases to the
- checkconf system test. [RT #24398]
+3111. [bug] Improved consistency checks for dnssec-enable and
+ dnssec-validation, added test cases to the
+ checkconf system test. [RT #24398]
3110. [bug] dnssec-signzone: Wrong error message could appear
when attempting to sign with no KSK. [RT #24369]
@@ -109,10 +409,10 @@
3107. [bug] dnssec-signzone: Report the correct number of ZSKs
when using -x. [RT #20852]
-3105. [bug] GOST support can be suppressed by "configure
- --without-gost" [RT #24367]
+3105. [bug] GOST support can be suppressed by "configure
+ --without-gost" [RT #24367]
-3104. [bug] Better support for cross-compiling. [RT #24367]
+3104. [bug] Better support for cross-compiling. [RT #24367]
3103. [bug] Configuring 'dnssec-validation auto' in a view
instead of in the options statement could trigger
@@ -142,7 +442,7 @@
3094. [doc] Expand dns64 documentation.
-3093. [bug] Fix gssapi/kerberos dependencies [RT #23836]
+3093. [bug] Fix gssapi/kerberos dependencies [RT #23836]
3092. [bug] Signatures for records at the zone apex could go
stale due to an incorrect timer setting. [RT #23769]
@@ -151,7 +451,7 @@
and then subsequently activated could fail to trigger
automatic signing. [RT #22911]
-3090. [func] Make --with-gssapi default [RT #23738]
+3090. [func] Make --with-gssapi default [RT #23738]
3088. [bug] Remove bin/tests/system/logfileconfig/ns1/named.conf
and add setup.sh in order to resolve changing
@@ -269,9 +569,9 @@
3043. [test] Merged in the NetBSD ATF test framework (currently
version 0.12) for development of future unit tests.
- Use configure --with-atf to build ATF internally
- or configure --with-atf=prefix to use an external
- copy. [RT #23209]
+ Use configure --with-atf to build ATF internally
+ or configure --with-atf=prefix to use an external
+ copy. [RT #23209]
3042. [bug] dig +trace could fail attempting to use IPv6
addresses on systems with only IPv4 connectivity.
@@ -706,7 +1006,7 @@
2929. [bug] Improved handling of GSS security contexts:
- added LRU expiration for generated TSIGs
- added the ability to use a non-default realm
- - added new "realm" keyword in nsupdate
+ - added new "realm" keyword in nsupdate
- limited lifetime of generated keys to 1 hour
or the lifetime of the context (whichever is
smaller)
@@ -1535,7 +1835,7 @@
--with-export-includedir. [RT #20252]
2675. [bug] dnssec-signzone could crash if the key directory
- did not exist. [RT #20232]
+ did not exist. [RT #20232]
--- 9.7.0a3 released ---
@@ -1626,7 +1926,7 @@
64-bit systems. [RT #20076]
2650. [bug] Assertion failure in dnssec-signzone when trying
- to read keyset-* files. [RT #20075]
+ to read keyset-* files. [RT #20075]
2649. [bug] Set the domain for forward only zones. [RT #19944]
@@ -1698,7 +1998,7 @@
2630. [func] Improved syntax for DDNS autoconfiguration: use
"update-policy local;" to switch on local DDNS in a
zone. (The "ddns-autoconf" option has been removed.)
- [RT #19875]
+ [RT #19875]
2629. [port] Check for seteuid()/setegid(), use setresuid()/
setresgid() if not present. [RT #19932]
@@ -2383,10 +2683,10 @@
time. [RT #18277]
2423. [security] Randomize server selection on queries, so as to
- make forgery a little more difficult. Instead of
- always preferring the server with the lowest RTT,
- pick a server with RTT within the same 128
- millisecond band. [RT #18441]
+ make forgery a little more difficult. Instead of
+ always preferring the server with the lowest RTT,
+ pick a server with RTT within the same 128
+ millisecond band. [RT #18441]
2422. [bug] Handle the special return value of a empty node as
if it was a NXRRSET in the validator. [RT #18447]
@@ -2467,7 +2767,7 @@
2399. [placeholder]
-2398. [bug] Improve file descriptor management. New,
+2398. [bug] Improve file descriptor management. New,
temporary, named.conf option reserved-sockets,
default 512. [RT #18344]
diff --git a/COPYRIGHT b/COPYRIGHT
index 6f94496d4ba5..6f2c8e5aa226 100644
--- a/COPYRIGHT
+++ b/COPYRIGHT
@@ -1,4 +1,4 @@
-Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 1996-2003 Internet Software Consortium.
Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@ LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
-$Id: COPYRIGHT,v 1.17.14.1 2011-02-22 06:34:47 marka Exp $
+$Id: COPYRIGHT,v 1.17.14.2 2012/01/04 23:46:18 tbox Exp $
Portions of this code release fall under one or more of the
following Copyright notices. Please see individual source
diff --git a/FAQ.xml b/FAQ.xml
index 4c83f7647075..7b21689ce905 100644
--- a/FAQ.xml
+++ b/FAQ.xml
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: FAQ.xml,v 1.54 2010-01-19 23:48:55 tbox Exp $ -->
+<!-- $Id: FAQ.xml,v 1.54 2010/01/19 23:48:55 tbox Exp $ -->
<article class="faq">
<title>Frequently Asked Questions about BIND 9</title>
diff --git a/Makefile.in b/Makefile.in
index f0edc926ba78..2a00df415f38 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.58.250.2 2011-02-28 01:19:57 tbox Exp $
+# $Id: Makefile.in,v 1.58.250.4 2011/09/06 04:06:11 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -64,8 +64,10 @@ tags:
check: test
test:
- (cd bin/tests && ${MAKE} ${MAKEDEFS} test)
- (test -f unit/unittest.sh && $(SHELL) unit/unittest.sh)
+ status=0; \
+ (cd bin/tests && ${MAKE} ${MAKEDEFS} test) || status=1; \
+ (test -f unit/unittest.sh && $(SHELL) unit/unittest.sh) || status=1; \
+ exit $$status
FAQ: FAQ.xml
${XSLTPROC} doc/xsl/isc-docbook-text.xsl FAQ.xml | \
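Review bot: In the rewritten `test` recipe, `(test -f unit/unittest.sh && $(SHELL) unit/unittest.sh) || status=1` also sets the failure status when `unit/unittest.sh` is simply absent, because `test -f` itself returns non-zero. A missing script is then indistinguishable from a failing unit test in the exit code of `make test`. If the script is meant to be optional, `if test -f unit/unittest.sh; then $(SHELL) unit/unittest.sh || status=1; fi; \` keeps the two cases apart. If it is always expected to exist after configure, a one-line comment above the recipe saying so would make the intent clear.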
diff --git a/README b/README
index 708def9dd3ee..d78fb859d19e 100644
--- a/README
+++ b/README
@@ -48,6 +48,14 @@ BIND 9
For a detailed list of user-visible changes from
previous releases, see the CHANGES file.
+ For up-to-date release notes and errata, see
+ http://www.isc.org/software/bind9/releasenotes
+
+BIND 9.8.2
+
+ BIND 9.8.2 includes a number of bug fixes and prevents a security
+ problem described in CVE-2011-4313
+
BIND 9.8.1
BIND 9.8.1 includes a number of bug fixes and enhancements from
@@ -314,6 +322,7 @@ Building
libraries. sh-utils-1.16 provides a "printf" which compiles
on SunOS 4.
+
Documentation
The BIND 9 Administrator Reference Manual is included with the
@@ -336,6 +345,48 @@ Documentation
in the other README files.
+Change Log
+
+ A detailed list of all changes to BIND 9 is included in the
+ file CHANGES, with the most recent changes listed first.
+ Change notes include tags indicating the category of the
+ change that was made; these categories are:
+
+ [func] New feature
+
+ [bug] General bug fix
+
+ [security] Fix for a significant security flaw
+
+ [experimental] Used for new features when the syntax
+ or other aspects of the design are still
+ in flux and may change
+
+ [port] Portability enhancement
+
+ [maint] Updates to built-in data such as root
+ server addresses and keys
+
+ [tuning] Changes to built-in configuration defaults
+ and constants to improve performanceo
+
+ [protocol] Updates to the DNS protocol such as new
+ RR types
+
+ [test] Changes to the automatic tests, not
+ affecting server functionality
+
+ [cleanup] Minor corrections and refactoring
+
+ [doc] Documentation
+
+ In general, [func] and [experimental] tags will only appear
+ in new-feature releases (i.e., those with version numbers
+ ending in zero). Some new functionality may be backported to
+ older releases on a case-by-case basis. All other change
+ types may be applied to all currently-supported releases.
+
+
Bug Reports and Mailing Lists
Bugs reports should be sent to
diff --git a/acconfig.h b/acconfig.h
index d9da221f83f1..736d1bcdd31d 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: acconfig.h,v 1.53 2008-12-01 23:47:44 tbox Exp $ */
+/* $Id: acconfig.h,v 1.53 2008/12/01 23:47:44 tbox Exp $ */
/*! \file */
diff --git a/bin/Makefile.in b/bin/Makefile.in
index d263d795eb02..e4805520e7e6 100644
--- a/bin/Makefile.in
+++ b/bin/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.29 2009-10-05 12:07:08 fdupont Exp $
+# $Id: Makefile.in,v 1.29 2009/10/05 12:07:08 fdupont Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in
index d5827dcce11e..403933b2ed7d 100644
--- a/bin/check/Makefile.in
+++ b/bin/check/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.36 2009-12-05 23:31:40 each Exp $
+# $Id: Makefile.in,v 1.36 2009/12/05 23:31:40 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/bin/check/check-tool.c b/bin/check/check-tool.c
index 4d2ca5c45ab5..422d9b1cde98 100644
--- a/bin/check/check-tool.c
+++ b/bin/check/check-tool.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: check-tool.c,v 1.41 2010-09-07 23:46:59 tbox Exp $ */
+/* $Id: check-tool.c,v 1.41 2010/09/07 23:46:59 tbox Exp $ */
/*! \file */
diff --git a/bin/check/check-tool.h b/bin/check/check-tool.h
index 4371ae29ec20..e988597a740d 100644
--- a/bin/check/check-tool.h
+++ b/bin/check/check-tool.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: check-tool.h,v 1.16 2010-09-07 23:46:59 tbox Exp $ */
+/* $Id: check-tool.h,v 1.16 2010/09/07 23:46:59 tbox Exp $ */
#ifndef CHECK_TOOL_H
#define CHECK_TOOL_H
diff --git a/bin/check/named-checkconf.8 b/bin/check/named-checkconf.8
index fabcfa916eb7..67a8f4a3da6a 100644
--- a/bin/check/named-checkconf.8
+++ b/bin/check/named-checkconf.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: named-checkconf.8,v 1.33 2009-12-29 01:14:03 tbox Exp $
+.\" $Id$
.\"
.hy 0
.ad l
diff --git a/bin/check/named-checkconf.c b/bin/check/named-checkconf.c
index 11a429c649cd..a342dd9fbd9a 100644
--- a/bin/check/named-checkconf.c
+++ b/bin/check/named-checkconf.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named-checkconf.c,v 1.54.62.2 2011-03-12 04:59:13 tbox Exp $ */
+/* $Id: named-checkconf.c,v 1.54.62.2 2011/03/12 04:59:13 tbox Exp $ */
/*! \file */
diff --git a/bin/check/named-checkconf.docbook b/bin/check/named-checkconf.docbook
index fe12cb3ea278..9535e28430cf 100644
--- a/bin/check/named-checkconf.docbook
+++ b/bin/check/named-checkconf.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named-checkconf.docbook,v 1.22 2009-12-28 23:21:16 each Exp $ -->
+<!-- $Id: named-checkconf.docbook,v 1.22 2009/12/28 23:21:16 each Exp $ -->
<refentry id="man.named-checkconf">
<refentryinfo>
<date>June 14, 2000</date>
diff --git a/bin/check/named-checkconf.html b/bin/check/named-checkconf.html
index f5e4cd385114..aa80c7cbe888 100644
--- a/bin/check/named-checkconf.html
+++ b/bin/check/named-checkconf.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named-checkconf.html,v 1.33 2009-12-29 01:14:03 tbox Exp $ -->
+<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-p</code>] [<code class="option">-z</code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543395"></a><h2>DESCRIPTION</h2>
+<a name="id2543396"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkconf</strong></span>
checks the syntax, but not the semantics, of a
<span><strong class="command">named</strong></span> configuration file. The file is parsed
@@ -52,7 +52,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543444"></a><h2>OPTIONS</h2>
+<a name="id2543445"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-h</span></dt>
<dd><p>
@@ -91,21 +91,21 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543568"></a><h2>RETURN VALUES</h2>
+<a name="id2543569"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkconf</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543579"></a><h2>SEE ALSO</h2>
+<a name="id2543580"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543609"></a><h2>AUTHOR</h2>
+<a name="id2543610"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/check/named-checkzone.8 b/bin/check/named-checkzone.8
index 1bb784606d8d..92c8bdcffcf1 100644
--- a/bin/check/named-checkzone.8
+++ b/bin/check/named-checkzone.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: named-checkzone.8,v 1.47 2010-01-17 01:14:02 tbox Exp $
+.\" $Id$
.\"
.hy 0
.ad l
diff --git a/bin/check/named-checkzone.c b/bin/check/named-checkzone.c
index 100e809867d1..11491b580862 100644
--- a/bin/check/named-checkzone.c
+++ b/bin/check/named-checkzone.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named-checkzone.c,v 1.61 2010-09-07 23:46:59 tbox Exp $ */
+/* $Id: named-checkzone.c,v 1.61.62.2 2011/12/22 23:45:54 tbox Exp $ */
/*! \file */
@@ -112,6 +112,7 @@ main(int argc, char **argv) {
const char *outputformatstr = NULL;
dns_masterformat_t inputformat = dns_masterformat_text;
dns_masterformat_t outputformat = dns_masterformat_text;
+ isc_boolean_t logdump = ISC_FALSE;
FILE *errout = stdout;
outputstyle = &dns_master_style_full;
@@ -418,6 +419,7 @@ main(int argc, char **argv) {
if (progmode == progmode_compile) {
dumpzone = 1; /* always dump */
+ logdump = !quiet;
if (output_filename == NULL) {
fprintf(stderr,
"output file required, but not specified\n");
@@ -436,8 +438,10 @@ main(int argc, char **argv) {
(output_filename == NULL ||
strcmp(output_filename, "-") == 0 ||
strcmp(output_filename, "/dev/fd/1") == 0 ||
- strcmp(output_filename, "/dev/stdout") == 0))
+ strcmp(output_filename, "/dev/stdout") == 0)) {
errout = stderr;
+ logdump = ISC_FALSE;
+ }
if (isc_commandline_index + 2 != argc)
usage();
@@ -462,13 +466,13 @@ main(int argc, char **argv) {
&zone);
if (result == ISC_R_SUCCESS && dumpzone) {
- if (!quiet && progmode == progmode_compile) {
+ if (logdump) {
fprintf(errout, "dump zone to %s...", output_filename);
fflush(errout);
}
result = dump_zone(origin, zone, output_filename,
outputformat, outputstyle);
- if (!quiet && progmode == progmode_compile)
+ if (logdump)
fprintf(errout, "done\n");
}
diff --git a/bin/check/named-checkzone.docbook b/bin/check/named-checkzone.docbook
index 415ee1c34499..33dc15e47095 100644
--- a/bin/check/named-checkzone.docbook
+++ b/bin/check/named-checkzone.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named-checkzone.docbook,v 1.40 2010-01-16 23:48:15 tbox Exp $ -->
+<!-- $Id: named-checkzone.docbook,v 1.40 2010/01/16 23:48:15 tbox Exp $ -->
<refentry id="man.named-checkzone">
<refentryinfo>
<date>June 13, 2000</date>
diff --git a/bin/check/named-checkzone.html b/bin/check/named-checkzone.html
index e0532af0f590..2be53a7b3498 100644
--- a/bin/check/named-checkzone.html
+++ b/bin/check/named-checkzone.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named-checkzone.html,v 1.47 2010-01-17 01:14:02 tbox Exp $ -->
+<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -33,7 +33,7 @@
<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543694"></a><h2>DESCRIPTION</h2>
+<a name="id2543696"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkzone</strong></span>
checks the syntax and integrity of a zone file. It performs the
same checks as <span><strong class="command">named</strong></span> does when loading a
@@ -53,7 +53,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543730"></a><h2>OPTIONS</h2>
+<a name="id2543731"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-d</span></dt>
<dd><p>
@@ -247,14 +247,14 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544377"></a><h2>RETURN VALUES</h2>
+<a name="id2544446"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkzone</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544389"></a><h2>SEE ALSO</h2>
+<a name="id2544458"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
<em class="citetitle">RFC 1035</em>,
@@ -262,7 +262,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544422"></a><h2>AUTHOR</h2>
+<a name="id2544491"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
index da3587982cd3..64ddf760a067 100644
--- a/bin/confgen/Makefile.in
+++ b/bin/confgen/Makefile.in
@@ -12,7 +12,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.8 2009-12-05 23:31:40 each Exp $
+# $Id: Makefile.in,v 1.8 2009/12/05 23:31:40 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/bin/confgen/ddns-confgen.8 b/bin/confgen/ddns-confgen.8
index d69af398e614..fd2670e5ff4e 100644
--- a/bin/confgen/ddns-confgen.8
+++ b/bin/confgen/ddns-confgen.8
@@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: ddns-confgen.8,v 1.10 2009-09-19 01:14:52 tbox Exp $
+.\" $Id$
.\"
.hy 0
.ad l
diff --git a/bin/confgen/ddns-confgen.c b/bin/confgen/ddns-confgen.c
index 3fdf4d47417f..826b500d950c 100644
--- a/bin/confgen/ddns-confgen.c
+++ b/bin/confgen/ddns-confgen.c
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ddns-confgen.c,v 1.9.308.2 2011-03-12 04:59:13 tbox Exp $ */
+/* $Id: ddns-confgen.c,v 1.9.308.2 2011/03/12 04:59:13 tbox Exp $ */
/*! \file */
diff --git a/bin/confgen/ddns-confgen.docbook b/bin/confgen/ddns-confgen.docbook
index 2b3e1c0556a5..cedfbf5726c8 100644
--- a/bin/confgen/ddns-confgen.docbook
+++ b/bin/confgen/ddns-confgen.docbook
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: ddns-confgen.docbook,v 1.6 2009-09-18 22:08:55 fdupont Exp $ -->
+<!-- $Id: ddns-confgen.docbook,v 1.6 2009/09/18 22:08:55 fdupont Exp $ -->
<refentry id="man.ddns-confgen">
<refentryinfo>
<date>Jan 29, 2009</date>
diff --git a/bin/confgen/ddns-confgen.html b/bin/confgen/ddns-confgen.html
index 17c3f26dccae..6b2f7dc5d563 100644
--- a/bin/confgen/ddns-confgen.html
+++ b/bin/confgen/ddns-confgen.html
@@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: ddns-confgen.html,v 1.10 2009-09-19 01:14:52 tbox Exp $ -->
+<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -31,7 +31,7 @@
<div class="cmdsynopsis"><p><code class="command">ddns-confgen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [ -s <em class="replaceable"><code>name</code></em> | -z <em class="replaceable"><code>zone</code></em> ] [<code class="option">-q</code>] [name]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543395"></a><h2>DESCRIPTION</h2>
+<a name="id2543396"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">ddns-confgen</strong></span>
generates a key for use by <span><strong class="command">nsupdate</strong></span>
and <span><strong class="command">named</strong></span>. It simplifies configuration
@@ -58,7 +58,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543454"></a><h2>OPTIONS</h2>
+<a name="id2543456"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
@@ -125,7 +125,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543642"></a><h2>SEE ALSO</h2>
+<a name="id2543643"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@@ -133,7 +133,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543681"></a><h2>AUTHOR</h2>
+<a name="id2543682"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/confgen/include/confgen/os.h b/bin/confgen/include/confgen/os.h
index bf80f00ef417..2019701fa62d 100644
--- a/bin/confgen/include/confgen/os.h
+++ b/bin/confgen/include/confgen/os.h
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: os.h,v 1.3 2009-06-11 23:47:55 tbox Exp $ */
+/* $Id: os.h,v 1.3 2009/06/11 23:47:55 tbox Exp $ */
/*! \file */
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
index c259e7e6a721..a5db317700d8 100644
--- a/bin/confgen/keygen.c
+++ b/bin/confgen/keygen.c
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: keygen.c,v 1.4 2009-11-12 14:02:38 marka Exp $ */
+/* $Id: keygen.c,v 1.4 2009/11/12 14:02:38 marka Exp $ */
/*! \file */
diff --git a/bin/confgen/keygen.h b/bin/confgen/keygen.h
index cea25dd4f92a..a9ded4092f54 100644
--- a/bin/confgen/keygen.h
+++ b/bin/confgen/keygen.h
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: keygen.h,v 1.3 2009-06-11 23:47:55 tbox Exp $ */
+/* $Id: keygen.h,v 1.3 2009/06/11 23:47:55 tbox Exp $ */
#ifndef RNDC_KEYGEN_H
#define RNDC_KEYGEN_H 1
diff --git a/bin/confgen/rndc-confgen.8 b/bin/confgen/rndc-confgen.8
index a1b3ae86b735..faffdac4b5e3 100644
--- a/bin/confgen/rndc-confgen.8
+++ b/bin/confgen/rndc-confgen.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: rndc-confgen.8,v 1.7 2009-07-11 01:12:45 tbox Exp $
+.\" $Id$
.\"
.hy 0
.ad l
diff --git a/bin/confgen/rndc-confgen.c b/bin/confgen/rndc-confgen.c
index 0eac35fefac6..1ad14a99aa15 100644
--- a/bin/confgen/rndc-confgen.c
+++ b/bin/confgen/rndc-confgen.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rndc-confgen.c,v 1.5.308.2 2011-03-12 04:59:13 tbox Exp $ */
+/* $Id: rndc-confgen.c,v 1.5.308.2 2011/03/12 04:59:13 tbox Exp $ */
/*! \file */
diff --git a/bin/confgen/rndc-confgen.docbook b/bin/confgen/rndc-confgen.docbook
index d43fcfbe8aa4..af2cc4321dda 100644
--- a/bin/confgen/rndc-confgen.docbook
+++ b/bin/confgen/rndc-confgen.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: rndc-confgen.docbook,v 1.4 2009-06-15 23:47:59 tbox Exp $ -->
+<!-- $Id: rndc-confgen.docbook,v 1.4 2009/06/15 23:47:59 tbox Exp $ -->
<refentry id="man.rndc-confgen">
<refentryinfo>
<date>Aug 27, 2001</date>
diff --git a/bin/confgen/rndc-confgen.html b/bin/confgen/rndc-confgen.html
index 82a712091614..03ee5199a116 100644
--- a/bin/confgen/rndc-confgen.html
+++ b/bin/confgen/rndc-confgen.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: rndc-confgen.html,v 1.7 2009-07-11 01:12:45 tbox Exp $ -->
+<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code> [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543432"></a><h2>DESCRIPTION</h2>
+<a name="id2543433"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">rndc-confgen</strong></span>
generates configuration files
for <span><strong class="command">rndc</strong></span>. It can be used as a
@@ -48,7 +48,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543477"></a><h2>OPTIONS</h2>
+<a name="id2543478"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd>
@@ -155,7 +155,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543790"></a><h2>EXAMPLES</h2>
+<a name="id2543792"></a><h2>EXAMPLES</h2>
<p>
To allow <span><strong class="command">rndc</strong></span> to be used with
no manual configuration, run
@@ -172,7 +172,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543832"></a><h2>SEE ALSO</h2>
+<a name="id2543833"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@@ -180,7 +180,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543870"></a><h2>AUTHOR</h2>
+<a name="id2543872"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/confgen/unix/Makefile.in b/bin/confgen/unix/Makefile.in
index 1785e0d0f4de..924701e61ff2 100644
--- a/bin/confgen/unix/Makefile.in
+++ b/bin/confgen/unix/Makefile.in
@@ -12,7 +12,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.3 2009-06-11 23:47:55 tbox Exp $
+# $Id: Makefile.in,v 1.3 2009/06/11 23:47:55 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/bin/confgen/unix/os.c b/bin/confgen/unix/os.c
index e439a5182648..3901350d7705 100644
--- a/bin/confgen/unix/os.c
+++ b/bin/confgen/unix/os.c
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: os.c,v 1.3 2009-06-11 23:47:55 tbox Exp $ */
+/* $Id: os.c,v 1.3 2009/06/11 23:47:55 tbox Exp $ */
/*! \file */
diff --git a/bin/confgen/util.c b/bin/confgen/util.c
index 158a8d355818..5f5f817a5d3d 100644
--- a/bin/confgen/util.c
+++ b/bin/confgen/util.c
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: util.c,v 1.3 2009-06-11 23:47:55 tbox Exp $ */
+/* $Id: util.c,v 1.3 2009/06/11 23:47:55 tbox Exp $ */
/*! \file */
diff --git a/bin/confgen/util.h b/bin/confgen/util.h
index 651b6e558cf2..f3b2ec9dee18 100644
--- a/bin/confgen/util.h
+++ b/bin/confgen/util.h
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: util.h,v 1.4 2009-09-29 15:06:05 fdupont Exp $ */
+/* $Id: util.h,v 1.4 2009/09/29 15:06:05 fdupont Exp $ */
#ifndef RNDC_UTIL_H
#define RNDC_UTIL_H 1
diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in
index bebef6f45d34..19dc61c4353f 100644
--- a/bin/dig/Makefile.in
+++ b/bin/dig/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.47 2009-12-05 23:31:40 each Exp $
+# $Id: Makefile.in,v 1.47 2009/12/05 23:31:40 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/bin/dig/dig.1 b/bin/dig/dig.1
index 87d5045701ce..6e3bfb6c0c6e 100644
--- a/bin/dig/dig.1
+++ b/bin/dig/dig.1
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dig.1,v 1.54 2010-03-05 01:14:15 tbox Exp $
+.\" $Id$
.\"
.hy 0
.ad l
diff --git a/bin/dig/dig.c b/bin/dig/dig.c
index 728838721275..5e5ec0fa48d4 100644
--- a/bin/dig/dig.c
+++ b/bin/dig/dig.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dig.c,v 1.237.124.3 2011-03-11 06:46:58 marka Exp $ */
+/* $Id: dig.c,v 1.237.124.4 2011/12/07 17:23:55 each Exp $ */
/*! \file */
@@ -1527,7 +1527,7 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
if (strncmp(rv[0], "%", 1) == 0)
break;
if (strncmp(rv[0], "@", 1) == 0) {
- addresscount = getaddresses(lookup, &rv[0][1]);
+ addresscount = getaddresses(lookup, &rv[0][1], NULL);
} else if (rv[0][0] == '+') {
plus_option(&rv[0][1], is_batchfile,
lookup);
diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
index 19e2ca2afbf3..d64d038b500d 100644
--- a/bin/dig/dig.docbook
+++ b/bin/dig/dig.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dig.docbook,v 1.47 2010-03-04 23:50:34 tbox Exp $ -->
+<!-- $Id: dig.docbook,v 1.47 2010/03/04 23:50:34 tbox Exp $ -->
<refentry id="man.dig">
<refentryinfo>
diff --git a/bin/dig/dig.html b/bin/dig/dig.html
index c9ce8f0e254c..ceef3fa8d988 100644
--- a/bin/dig/dig.html
+++ b/bin/dig/dig.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dig.html,v 1.49 2010-03-05 01:14:15 tbox Exp $ -->
+<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -34,7 +34,7 @@
<div class="cmdsynopsis"><p><code class="command">dig</code> [global-queryopt...] [query...]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543522"></a><h2>DESCRIPTION</h2>
+<a name="id2543524"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dig</strong></span>
(domain information groper) is a flexible tool
for interrogating DNS name servers. It performs DNS lookups and
@@ -80,7 +80,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543595"></a><h2>SIMPLE USAGE</h2>
+<a name="id2543597"></a><h2>SIMPLE USAGE</h2>
<p>
A typical invocation of <span><strong class="command">dig</strong></span> looks like:
</p>
@@ -126,7 +126,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543686"></a><h2>OPTIONS</h2>
+<a name="id2543688"></a><h2>OPTIONS</h2>
<p>
The <code class="option">-b</code> option sets the source IP address of the query
to <em class="parameter"><code>address</code></em>. This must be a valid
@@ -230,7 +230,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544035"></a><h2>QUERY OPTIONS</h2>
+<a name="id2544037"></a><h2>QUERY OPTIONS</h2>
<p><span><strong class="command">dig</strong></span>
provides a number of query options which affect
the way in which lookups are made and the results displayed. Some of
@@ -561,7 +561,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545184"></a><h2>MULTIPLE QUERIES</h2>
+<a name="id2545186"></a><h2>MULTIPLE QUERIES</h2>
<p>
The BIND 9 implementation of <span><strong class="command">dig </strong></span>
supports
@@ -607,7 +607,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545245"></a><h2>IDN SUPPORT</h2>
+<a name="id2545248"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -621,14 +621,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545336"></a><h2>FILES</h2>
+<a name="id2545338"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
<p><code class="filename">${HOME}/.digrc</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545353"></a><h2>SEE ALSO</h2>
+<a name="id2545355"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
@@ -636,7 +636,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545390"></a><h2>BUGS</h2>
+<a name="id2545393"></a><h2>BUGS</h2>
<p>
There are probably too many query options.
</p>
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index 319ba3e74727..9695de0dbc4c 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dighost.c,v 1.336.22.4 2011-03-11 06:46:58 marka Exp $ */
+/* $Id: dighost.c,v 1.336.22.9 2011/12/07 17:23:55 each Exp $ */
/*! \file
* \note
@@ -66,6 +66,7 @@
#include <dns/tsig.h>
#include <dst/dst.h>
+#include <dst/result.h>
#include <isc/app.h>
#include <isc/base64.h>
@@ -81,6 +82,7 @@
#include <isc/print.h>
#include <isc/random.h>
#include <isc/result.h>
+#include <isc/serial.h>
#include <isc/string.h>
#include <isc/task.h>
#include <isc/timer.h>
@@ -360,6 +362,8 @@ connect_timeout(isc_task_t *task, isc_event_t *event);
static void
launch_next_query(dig_query_t *query, isc_boolean_t include_question);
+static void
+send_tcp_connect(dig_query_t *query);
static void *
mem_alloc(void *arg, size_t size) {
@@ -742,7 +746,7 @@ make_empty_lookup(void) {
looknew->xfr_q = NULL;
looknew->current_query = NULL;
looknew->doing_xfr = ISC_FALSE;
- looknew->ixfr_serial = ISC_FALSE;
+ looknew->ixfr_serial = 0;
looknew->trace = ISC_FALSE;
looknew->trace_root = ISC_FALSE;
looknew->identify = ISC_FALSE;
@@ -787,6 +791,7 @@ make_empty_lookup(void) {
looknew->new_search = ISC_FALSE;
looknew->done_as_is = ISC_FALSE;
looknew->need_search = ISC_FALSE;
+ dns_fixedname_init(&looknew->fdomain);
ISC_LINK_INIT(looknew, link);
ISC_LIST_INIT(looknew->q);
ISC_LIST_INIT(looknew->my_server_list);
@@ -862,6 +867,8 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
looknew->tsigctx = NULL;
looknew->need_search = lookold->need_search;
looknew->done_as_is = lookold->done_as_is;
+ dns_name_copy(dns_fixedname_name(&lookold->fdomain),
+ dns_fixedname_name(&looknew->fdomain), NULL);
if (servers)
clone_server_list(lookold->my_server_list,
@@ -925,6 +932,11 @@ setup_text_key(void) {
secretsize = isc_buffer_usedlength(&secretbuf);
+ if (hmacname == NULL) {
+ result = DST_R_UNSUPPORTEDALG;
+ goto failure;
+ }
+
result = dns_name_fromtext(&keyname, namebuf, dns_rootname, 0, namebuf);
if (result != ISC_R_SUCCESS)
goto failure;
@@ -1698,6 +1710,9 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
isc_result_t result;
isc_boolean_t success = ISC_FALSE;
int numLookups = 0;
+ int num;
+ isc_result_t lresult, addresses_result;
+ char bad_namestr[DNS_NAME_FORMATSIZE];
dns_name_t *domain;
isc_boolean_t horizontal = ISC_FALSE, bad = ISC_FALSE;
@@ -1705,6 +1720,8 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
debug("following up %s", query->lookup->textname);
+ addresses_result = ISC_R_SUCCESS;
+ bad_namestr[0] = '\0';
for (result = dns_message_firstname(msg, section);
result == ISC_R_SUCCESS;
result = dns_message_nextname(msg, section)) {
@@ -1783,15 +1800,27 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
lookup->trace_root = ISC_FALSE;
if (lookup->ns_search_only)
lookup->recurse = ISC_FALSE;
- dns_fixedname_init(&lookup->fdomain);
domain = dns_fixedname_name(&lookup->fdomain);
dns_name_copy(name, domain, NULL);
}
debug("adding server %s", namestr);
- numLookups += getaddresses(lookup, namestr);
+ num = getaddresses(lookup, namestr, &lresult);
+ if (lresult != ISC_R_SUCCESS) {
+ debug("couldn't get address for '%s': %s",
+ namestr, isc_result_totext(lresult));
+ if (addresses_result == ISC_R_SUCCESS) {
+ addresses_result = lresult;
+ strcpy(bad_namestr, namestr);
+ }
+ }
+ numLookups += num;
dns_rdata_reset(&rdata);
}
}
+ if (numLookups == 0 && addresses_result != ISC_R_SUCCESS) {
+ fatal("couldn't get address for '%s': %s",
+ bad_namestr, isc_result_totext(result));
+ }
if (lookup == NULL &&
section == DNS_SECTION_ANSWER &&
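Review bot: The `fatal()` added after the loop formats `isc_result_totext(result)`, but by then `result` holds the name-iteration status from `dns_message_nextname()` (the loop header is in the preceding hunk), not the lookup failure saved in `addresses_result`. The reported reason will therefore not match the failure that was recorded, and the call should read `bad_namestr, isc_result_totext(addresses_result));`. Separately, `strcpy(bad_namestr, namestr);` copies into a `DNS_NAME_FORMATSIZE` buffer with no length bound, and the declaration of `namestr` is outside this hunk. Since the name presumably originates from a DNS response, a bounded copy such as `strlcpy(bad_namestr, namestr, sizeof(bad_namestr));` would make the size assumption explicit. followup_lookup begins and ends outside the hunk.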
@@ -1838,12 +1867,10 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
* Return ISC_TRUE iff there was another searchlist entry.
*/
static isc_boolean_t
-next_origin(dns_message_t *msg, dig_query_t *query) {
+next_origin(dig_query_t *query) {
dig_lookup_t *lookup;
dig_searchlist_t *search;
- UNUSED(msg);
-
INSIST(!free_now);
debug("next_origin()");
@@ -2318,7 +2345,7 @@ send_done(isc_task_t *_task, isc_event_t *event) {
query->waiting_senddone = ISC_FALSE;
l = query->lookup;
- if (l->ns_search_only && !l->trace_root) {
+ if (l->ns_search_only && !l->trace_root && !l->tcp_mode) {
debug("sending next, since searching");
next = ISC_LIST_NEXT(query, link);
if (next != NULL)
@@ -2865,8 +2892,10 @@ check_for_more_data(dig_query_t *query, dns_message_t *msg,
dns_rdataset_t *rdataset = NULL;
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdata_soa_t soa;
- isc_uint32_t serial;
+ isc_uint32_t ixfr_serial = query->lookup->ixfr_serial, serial;
isc_result_t result;
+ isc_boolean_t ixfr = query->lookup->rdtype == dns_rdatatype_ixfr;
+ isc_boolean_t axfr = query->lookup->rdtype == dns_rdatatype_axfr;
debug("check_for_more_data()");
@@ -2916,6 +2945,7 @@ check_for_more_data(dig_query_t *query, dns_message_t *msg,
query->second_rr_rcvd = ISC_TRUE;
query->second_rr_serial = 0;
debug("got the second rr as nonsoa");
+ axfr = ISC_TRUE;
goto next_rdata;
}
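Review bot: `axfr = ISC_TRUE;` sets a local that the first check_for_more_data hunk re-initialises from `query->lookup->rdtype` on every call, so the "IXFR answered in AXFR style" decision does not outlive this call. A later hunk removes the `query->second_rr_serial == 0` test, which was the only check in view that carried that decision on the query itself. If this function runs once per received message (not visible here), a multi-message AXFR-style reply to an IXFR query would presumably reach the serial-matching IXFR logic at the closing SOA instead of `goto doexit`. Consider keeping the decision in per-query state, for instance re-deriving it near the top with `if (query->second_rr_rcvd && query->second_rr_serial == 0) axfr = ISC_TRUE;`. A genuine SOA serial of 0 is indistinguishable in that encoding. The function body extends beyond this hunk.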
@@ -2925,6 +2955,7 @@ check_for_more_data(dig_query_t *query, dns_message_t *msg,
*/
if (rdata.type != dns_rdatatype_soa)
goto next_rdata;
+
/* Now we have an SOA. Work with it. */
debug("got an SOA");
result = dns_rdata_tostruct(&rdata, &soa, NULL);
@@ -2934,15 +2965,17 @@ check_for_more_data(dig_query_t *query, dns_message_t *msg,
if (!query->first_soa_rcvd) {
query->first_soa_rcvd = ISC_TRUE;
query->first_rr_serial = serial;
- debug("this is the first %d",
- query->lookup->ixfr_serial);
- if (query->lookup->ixfr_serial >=
- serial)
+ debug("this is the first serial %u",
+ serial);
+ if (ixfr && isc_serial_ge(ixfr_serial,
+ serial)) {
+ debug("got up to date "
+ "response");
goto doexit;
+ }
goto next_rdata;
}
- if (query->lookup->rdtype ==
- dns_rdatatype_axfr) {
+ if (axfr) {
debug("doing axfr, got second SOA");
goto doexit;
}
@@ -2952,22 +2985,12 @@ check_for_more_data(dig_query_t *query, dns_message_t *msg,
"empty zone");
goto doexit;
}
- debug("this is the second %d",
- query->lookup->ixfr_serial);
+ debug("this is the second serial %u",
+ serial);
query->second_rr_rcvd = ISC_TRUE;
query->second_rr_serial = serial;
goto next_rdata;
}
- if (query->second_rr_serial == 0) {
- /*
- * If the second RR was a non-SOA
- * record, and we're getting any
- * other SOA, then this is an
- * AXFR, and we're done.
- */
- debug("done, since axfr");
- goto doexit;
- }
/*
* If we get to this point, we're doing an
* IXFR and have to start really looking
@@ -2983,7 +3006,7 @@ check_for_more_data(dig_query_t *query, dns_message_t *msg,
debug("done with ixfr");
goto doexit;
}
- debug("meaningless soa %d", serial);
+ debug("meaningless soa %u", serial);
next_rdata:
result = dns_rdataset_next(rdataset);
} while (result == ISC_R_SUCCESS);
@@ -3360,7 +3383,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
if (!l->doing_xfr || l->xfr_q == query) {
if (msg->rcode != dns_rcode_noerror &&
(l->origin != NULL || l->need_search)) {
- if (!next_origin(msg, query) || showsearch) {
+ if (!next_origin(query) || showsearch) {
printmessage(query, msg, ISC_TRUE);
received(b->used, &sevent->address, query);
}
@@ -3546,7 +3569,7 @@ get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
}
int
-getaddresses(dig_lookup_t *lookup, const char *host) {
+getaddresses(dig_lookup_t *lookup, const char *host, isc_result_t *resultp) {
isc_result_t result;
isc_sockaddr_t sockaddrs[DIG_MAX_ADDRESSES];
isc_netaddr_t netaddr;
@@ -3556,9 +3579,14 @@ getaddresses(dig_lookup_t *lookup, const char *host) {
result = bind9_getaddresses(host, 0, sockaddrs,
DIG_MAX_ADDRESSES, &count);
- if (result != ISC_R_SUCCESS)
- fatal("couldn't get address for '%s': %s",
- host, isc_result_totext(result));
+ if (resultp != NULL)
+ *resultp = result;
+ if (result != ISC_R_SUCCESS) {
+ if (resultp == NULL)
+ fatal("couldn't get address for '%s': %s",
+ host, isc_result_totext(result));
+ return 0;
+ }
for (i = 0; i < count; i++) {
isc_netaddr_fromsockaddr(&netaddr, &sockaddrs[i]);
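Review bot: The new `resultp` argument changes getaddresses from always-fatal to conditionally fatal, and neither this definition nor the prototype in dig.h documents that contract. A comment above the definition would cover it, e.g. `/* If resultp is NULL a resolution failure is fatal; otherwise the result is stored in *resultp and 0 is returned on failure. */`. Callers that pass a non-NULL pointer now have to check it themselves, which is easy to miss without that note. As a style point, `return 0;` differs from the parenthesised `return (result);` form used elsewhere in this file. The function body continues outside the hunk.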
@@ -4208,7 +4236,6 @@ opentmpkey(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) {
return (result);
}
-
isc_result_t
get_trusted_key(isc_mem_t *mctx)
{
@@ -4270,6 +4297,7 @@ get_trusted_key(isc_mem_t *mctx)
if (key != NULL)
dst_key_free(&key);
}
+ fclose(fp);
return (ISC_R_SUCCESS);
}
diff --git a/bin/dig/host.1 b/bin/dig/host.1
index 464d517a0b3d..b6eb81ba40f6 100644
--- a/bin/dig/host.1
+++ b/bin/dig/host.1
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: host.1,v 1.31 2009-07-11 01:12:45 tbox Exp $
+.\" $Id$
.\"
.hy 0
.ad l
diff --git a/bin/dig/host.c b/bin/dig/host.c
index c7a8e0eb575f..82eea056c0d1 100644
--- a/bin/dig/host.c
+++ b/bin/dig/host.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: host.c,v 1.124.40.3 2011-03-11 06:46:59 marka Exp $ */
+/* $Id: host.c,v 1.124.40.3 2011/03/11 06:46:59 marka Exp $ */
/*! \file */
diff --git a/bin/dig/host.docbook b/bin/dig/host.docbook
index 9ffd8e6ffb11..bc435f92f11c 100644
--- a/bin/dig/host.docbook
+++ b/bin/dig/host.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: host.docbook,v 1.20 2009-01-20 23:47:56 tbox Exp $ -->
+<!-- $Id: host.docbook,v 1.20 2009/01/20 23:47:56 tbox Exp $ -->
<refentry id="man.host">
<refentryinfo>
diff --git a/bin/dig/host.html b/bin/dig/host.html
index 531fc1d78968..d5fb6e735fb1 100644
--- a/bin/dig/host.html
+++ b/bin/dig/host.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: host.html,v 1.30 2009-07-11 01:12:45 tbox Exp $ -->
+<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">host</code> [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543434"></a><h2>DESCRIPTION</h2>
+<a name="id2543436"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">host</strong></span>
is a simple utility for performing DNS lookups.
It is normally used to convert names to IP addresses and vice versa.
@@ -184,7 +184,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543800"></a><h2>IDN SUPPORT</h2>
+<a name="id2543802"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">host</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -198,12 +198,12 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543822"></a><h2>FILES</h2>
+<a name="id2543825"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543834"></a><h2>SEE ALSO</h2>
+<a name="id2543836"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
</p>
diff --git a/bin/dig/include/dig/dig.h b/bin/dig/include/dig/dig.h
index 2db5de552fc3..6c186dec5e4b 100644
--- a/bin/dig/include/dig/dig.h
+++ b/bin/dig/include/dig/dig.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dig.h,v 1.111.306.2 2011-02-28 01:19:58 tbox Exp $ */
+/* $Id: dig.h,v 1.111.306.3 2011/12/07 17:23:55 each Exp $ */
#ifndef DIG_H
#define DIG_H
@@ -289,7 +289,7 @@ isc_result_t
get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr);
int
-getaddresses(dig_lookup_t *lookup, const char *host);
+getaddresses(dig_lookup_t *lookup, const char *host, isc_result_t *resultp);
isc_result_t
get_reverse(char *reverse, size_t len, char *value, isc_boolean_t ip6_int,
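Review bot: The new `resultp` out-parameter on `getaddresses()` is added to the prototype without any comment, so a caller reading this header cannot tell whether NULL is accepted or how the stored result relates to the `int` return value. A one-line comment above the declaration would settle that, for example `/* Returns the number of addresses found; if resultp is non-NULL, *resultp receives the lookup result. */`. That wording is an assumption and needs checking against the definition in dighost.c, which is not visible in this hunk.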
diff --git a/bin/dig/nslookup.1 b/bin/dig/nslookup.1
index e97ee1f9ba39..f988995ba86e 100644
--- a/bin/dig/nslookup.1
+++ b/bin/dig/nslookup.1
@@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: nslookup.1,v 1.16 2010-02-23 01:14:31 tbox Exp $
+.\" $Id$
.\"
.hy 0
.ad l
diff --git a/bin/dig/nslookup.c b/bin/dig/nslookup.c
index e327c0f7fce4..48c390b8ae0e 100644
--- a/bin/dig/nslookup.c
+++ b/bin/dig/nslookup.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: nslookup.c,v 1.127.38.2 2011-02-28 01:19:58 tbox Exp $ */
+/* $Id: nslookup.c,v 1.127.38.2 2011/02/28 01:19:58 tbox Exp $ */
#include <config.h>
diff --git a/bin/dig/nslookup.docbook b/bin/dig/nslookup.docbook
index 9c4789d4cb18..f4d497b3998b 100644
--- a/bin/dig/nslookup.docbook
+++ b/bin/dig/nslookup.docbook
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: nslookup.docbook,v 1.18 2010-02-22 23:49:11 tbox Exp $ -->
+<!-- $Id: nslookup.docbook,v 1.18 2010/02/22 23:49:11 tbox Exp $ -->
<!--
- Copyright (c) 1985, 1989
- The Regents of the University of California. All rights reserved.
diff --git a/bin/dig/nslookup.html b/bin/dig/nslookup.html
index bae63bd0fd3d..4bf6aab5c43c 100644
--- a/bin/dig/nslookup.html
+++ b/bin/dig/nslookup.html
@@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: nslookup.html,v 1.23 2010-02-23 01:14:31 tbox Exp $ -->
+<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -21,7 +21,7 @@
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476276"></a><div class="titlepage"></div>
+<a name="id2476277"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>nslookup &#8212; query Internet name servers interactively</p>
@@ -31,7 +31,7 @@
<div class="cmdsynopsis"><p><code class="command">nslookup</code> [<code class="option">-option</code>] [name | -] [server]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543358"></a><h2>DESCRIPTION</h2>
+<a name="id2543361"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">Nslookup</strong></span>
is a program to query Internet domain name servers. <span><strong class="command">Nslookup</strong></span>
has two modes: interactive and non-interactive. Interactive mode allows
@@ -43,7 +43,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543374"></a><h2>ARGUMENTS</h2>
+<a name="id2543377"></a><h2>ARGUMENTS</h2>
<p>
Interactive mode is entered in the following cases:
</p>
@@ -78,7 +78,7 @@ nslookup -query=hinfo -timeout=10
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543418"></a><h2>INTERACTIVE COMMANDS</h2>
+<a name="id2543420"></a><h2>INTERACTIVE COMMANDS</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="constant">host</code> [<span class="optional">server</span>]</span></dt>
<dd>
@@ -288,19 +288,19 @@ nslookup -query=hinfo -timeout=10
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2546284"></a><h2>FILES</h2>
+<a name="id2546286"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2546296"></a><h2>SEE ALSO</h2>
+<a name="id2546298"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2546330"></a><h2>Author</h2>
+<a name="id2546332"></a><h2>Author</h2>
<p>
Andrew Cherenson
</p>
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
index 0f5e4e842c20..6bfd162d8d35 100644
--- a/bin/dnssec/Makefile.in
+++ b/bin/dnssec/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.42 2009-12-05 23:31:40 each Exp $
+# $Id: Makefile.in,v 1.42 2009/12/05 23:31:40 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/bin/dnssec/dnssec-dsfromkey.8 b/bin/dnssec/dnssec-dsfromkey.8
index 25aa2bf831fc..437aa371cff4 100644
--- a/bin/dnssec/dnssec-dsfromkey.8
+++ b/bin/dnssec/dnssec-dsfromkey.8
@@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dnssec-dsfromkey.8,v 1.13 2010-12-24 01:14:20 tbox Exp $
+.\" $Id$
.\"
.hy 0
.ad l
diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
index b7f84a041110..c4b157cd9b1a 100644
--- a/bin/dnssec/dnssec-dsfromkey.c
+++ b/bin/dnssec/dnssec-dsfromkey.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008-2010 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2008-2011 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-dsfromkey.c,v 1.19 2010-12-23 04:07:59 marka Exp $ */
+/* $Id: dnssec-dsfromkey.c,v 1.19.14.2 2011/09/05 23:45:53 tbox Exp $ */
/*! \file */
@@ -265,12 +265,10 @@ emit(unsigned int dtype, isc_boolean_t showall, char *lookaside,
fatal("can't print class");
isc_buffer_usedregion(&nameb, &r);
- isc_util_fwrite(r.base, 1, r.length, stdout);
-
- putchar(' ');
+ printf("%.*s ", (int)r.length, r.base);
isc_buffer_usedregion(&classb, &r);
- isc_util_fwrite(r.base, 1, r.length, stdout);
+ printf("%.*s", (int)r.length, r.base);
if (lookaside == NULL)
printf(" DS ");
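Review bot: `printf("%.*s ", (int)r.length, r.base)` is not a drop-in for the `isc_util_fwrite()` call it replaces. `%.*s` stops at the first NUL byte, and the `(int)` cast narrows an unsigned length; a negative precision is treated as if it were omitted, so printf would then scan for a terminator the region is not guaranteed to have. The regions here are presumably short text buffers, so this is unlikely to trigger, but the bound is worth making explicit with `INSIST(r.length <= INT_MAX);` before the first print, or by keeping `fwrite(r.base, 1, r.length, stdout)`. The same pattern is in the next hunk of `emit()` (`printf("%.*s\n", ...)`); `emit()` starts outside these hunks.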
@@ -278,8 +276,7 @@ emit(unsigned int dtype, isc_boolean_t showall, char *lookaside,
printf(" DLV ");
isc_buffer_usedregion(&textb, &r);
- isc_util_fwrite(r.base, 1, r.length, stdout);
- putchar('\n');
+ printf("%.*s\n", (int)r.length, r.base);
}
ISC_PLATFORM_NORETURN_PRE static void
diff --git a/bin/dnssec/dnssec-dsfromkey.docbook b/bin/dnssec/dnssec-dsfromkey.docbook
index 36410d5f35c1..d139ba5ec7c8 100644
--- a/bin/dnssec/dnssec-dsfromkey.docbook
+++ b/bin/dnssec/dnssec-dsfromkey.docbook
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-dsfromkey.docbook,v 1.12 2010-12-23 23:47:08 tbox Exp $ -->
+<!-- $Id: dnssec-dsfromkey.docbook,v 1.12 2010/12/23 23:47:08 tbox Exp $ -->
<refentry id="man.dnssec-dsfromkey">
<refentryinfo>
<date>August 26, 2009</date>
diff --git a/bin/dnssec/dnssec-dsfromkey.html b/bin/dnssec/dnssec-dsfromkey.html
index 54cc1ab61ca2..3031c391afa8 100644
--- a/bin/dnssec/dnssec-dsfromkey.html
+++ b/bin/dnssec/dnssec-dsfromkey.html
@@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-dsfromkey.html,v 1.13 2010-12-24 01:14:19 tbox Exp $ -->
+<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -32,14 +32,14 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543464"></a><h2>DESCRIPTION</h2>
+<a name="id2543465"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-dsfromkey</strong></span>
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543476"></a><h2>OPTIONS</h2>
+<a name="id2543477"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-1</span></dt>
<dd><p>
@@ -100,7 +100,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543662"></a><h2>EXAMPLE</h2>
+<a name="id2543664"></a><h2>EXAMPLE</h2>
<p>
To build the SHA-256 DS RR from the
<strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
@@ -115,7 +115,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543692"></a><h2>FILES</h2>
+<a name="id2543693"></a><h2>FILES</h2>
<p>
The keyfile can be designed by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
@@ -129,13 +129,13 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543728"></a><h2>CAVEAT</h2>
+<a name="id2543729"></a><h2>CAVEAT</h2>
<p>
A keyfile error can give a "file not found" even if the file exists.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543737"></a><h2>SEE ALSO</h2>
+<a name="id2543738"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -145,7 +145,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543777"></a><h2>AUTHOR</h2>
+<a name="id2543778"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/dnssec/dnssec-keyfromlabel.8 b/bin/dnssec/dnssec-keyfromlabel.8
index a0fd69351bdc..e3bb48f14006 100644
--- a/bin/dnssec/dnssec-keyfromlabel.8
+++ b/bin/dnssec/dnssec-keyfromlabel.8
@@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dnssec-keyfromlabel.8,v 1.18.14.2 2011-02-28 02:37:42 tbox Exp $
+.\" $Id$
.\"
.hy 0
.ad l
diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
index 1323ed718691..6a0714676382 100644
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-keyfromlabel.c,v 1.32.14.2 2011-03-12 04:59:14 tbox Exp $ */
+/* $Id: dnssec-keyfromlabel.c,v 1.32.14.4 2011/11/30 00:51:38 marka Exp $ */
/*! \file */
@@ -110,7 +110,8 @@ usage(void) {
int
main(int argc, char **argv) {
- char *algname = NULL, *nametype = NULL, *type = NULL;
+ char *algname = NULL, *freeit = NULL;
+ char *nametype = NULL, *type = NULL;
const char *directory = NULL;
#ifdef USE_PKCS11
const char *engine = "pkcs11";
@@ -342,6 +343,9 @@ main(int argc, char **argv) {
algname = strdup(DEFAULT_NSEC3_ALGORITHM);
else
algname = strdup(DEFAULT_ALGORITHM);
+ if (algname == NULL)
+ fatal("strdup failed");
+ freeit = algname;
if (verbose > 0)
fprintf(stderr, "no algorithm specified; "
"defaulting to %s\n", algname);
@@ -514,8 +518,7 @@ main(int argc, char **argv) {
* is a risk of ID collision due to this key or another key
* being revoked.
*/
- if (key_collision(dst_key_id(key), name, directory, alg, mctx, &exact))
- {
+ if (key_collision(key, name, directory, mctx, &exact)) {
isc_buffer_clear(&buf);
ret = dst_key_buildfilename(key, 0, directory, &buf);
if (ret != ISC_R_SUCCESS)
@@ -560,5 +563,8 @@ main(int argc, char **argv) {
isc_mem_free(mctx, label);
isc_mem_destroy(&mctx);
+ if (freeit != NULL)
+ free(freeit);
+
return (0);
}
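Review bot: The `if (freeit != NULL)` guard around `free(freeit)` is redundant, since `free(NULL)` is defined to do nothing; `free(freeit);` alone is enough. The reason for a second pointer is not stated anywhere in these hunks. Presumably `algname` can also point at a command-line argument that must not be freed, so a comment at the declaration such as `/* freeit: set only when algname was strdup()ed from a default */` would save the next reader from working that out. The same declaration, strdup check and guarded free are added to `main()` in bin/dnssec/dnssec-keygen.c, and the comment applies there too; `main()` begins outside this hunk.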
diff --git a/bin/dnssec/dnssec-keyfromlabel.docbook b/bin/dnssec/dnssec-keyfromlabel.docbook
index c731e6eab606..5f3e0e681f97 100644
--- a/bin/dnssec/dnssec-keyfromlabel.docbook
+++ b/bin/dnssec/dnssec-keyfromlabel.docbook
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-keyfromlabel.docbook,v 1.18.14.2 2011-02-28 01:19:58 tbox Exp $ -->
+<!-- $Id: dnssec-keyfromlabel.docbook,v 1.18.14.2 2011/02/28 01:19:58 tbox Exp $ -->
<refentry id="man.dnssec-keyfromlabel">
<refentryinfo>
<date>February 8, 2008</date>
diff --git a/bin/dnssec/dnssec-keyfromlabel.html b/bin/dnssec/dnssec-keyfromlabel.html
index c939ed68d75c..f2c72c57afe0 100644
--- a/bin/dnssec/dnssec-keyfromlabel.html
+++ b/bin/dnssec/dnssec-keyfromlabel.html
@@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-keyfromlabel.html,v 1.17.14.2 2011-02-28 02:37:42 tbox Exp $ -->
+<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -31,7 +31,7 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-y</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543494"></a><h2>DESCRIPTION</h2>
+<a name="id2543495"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
gets keys with the given label from a crypto hardware and builds
key files for DNSSEC (Secure DNS), as defined in RFC 2535
@@ -44,7 +44,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543512"></a><h2>OPTIONS</h2>
+<a name="id2543513"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
@@ -163,7 +163,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543876"></a><h2>TIMING OPTIONS</h2>
+<a name="id2543877"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -210,7 +210,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544042"></a><h2>GENERATED KEY FILES</h2>
+<a name="id2544043"></a><h2>GENERATED KEY FILES</h2>
<p>
When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
successfully,
@@ -249,7 +249,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544115"></a><h2>SEE ALSO</h2>
+<a name="id2544116"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -257,7 +257,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544148"></a><h2>AUTHOR</h2>
+<a name="id2544149"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8
index ea4690eb71a1..690abf9325c0 100644
--- a/bin/dnssec/dnssec-keygen.8
+++ b/bin/dnssec/dnssec-keygen.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dnssec-keygen.8,v 1.55 2010-12-24 01:14:19 tbox Exp $
+.\" $Id$
.\"
.hy 0
.ad l
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index 9a93ee3c9418..cc1d9b11fa9f 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-keygen.c,v 1.115.14.2 2011-03-12 04:59:14 tbox Exp $ */
+/* $Id: dnssec-keygen.c,v 1.115.14.4 2011/11/30 00:51:38 marka Exp $ */
/*! \file */
@@ -197,7 +197,8 @@ progress(int p)
int
main(int argc, char **argv) {
- char *algname = NULL, *nametype = NULL, *type = NULL;
+ char *algname = NULL, *freeit = NULL;
+ char *nametype = NULL, *type = NULL;
char *classname = NULL;
char *endp;
dst_key_t *key = NULL;
@@ -509,6 +510,9 @@ main(int argc, char **argv) {
algname = strdup(DEFAULT_NSEC3_ALGORITHM);
else
algname = strdup(DEFAULT_ALGORITHM);
+ if (algname == NULL)
+ fatal("strdup failed");
+ freeit = algname;
if (verbose > 0)
fprintf(stderr, "no algorithm specified; "
"defaulting to %s\n", algname);
@@ -965,8 +969,7 @@ main(int argc, char **argv) {
* if there is a risk of ID collision due to this key
* or another key being revoked.
*/
- if (key_collision(dst_key_id(key), name, directory,
- alg, mctx, NULL)) {
+ if (key_collision(key, name, directory, mctx, NULL)) {
conflict = ISC_TRUE;
if (null_key) {
dst_key_free(&key);
@@ -1020,5 +1023,8 @@ main(int argc, char **argv) {
isc_mem_stats(mctx, stdout);
isc_mem_destroy(&mctx);
+ if (freeit != NULL)
+ free(freeit);
+
return (0);
}
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
index dc140ebfe386..f0cf7f5f0815 100644
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-keygen.docbook,v 1.36 2010-12-23 04:07:59 marka Exp $ -->
+<!-- $Id: dnssec-keygen.docbook,v 1.36 2010/12/23 04:07:59 marka Exp $ -->
<refentry id="man.dnssec-keygen">
<refentryinfo>
<date>June 30, 2000</date>
diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html
index 2f3a69b9a2fd..4bf1f6b4a094 100644
--- a/bin/dnssec/dnssec-keygen.html
+++ b/bin/dnssec/dnssec-keygen.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-keygen.html,v 1.47 2010-12-24 01:14:20 tbox Exp $ -->
+<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code 
class="option">-z</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543578"></a><h2>DESCRIPTION</h2>
+<a name="id2543579"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keygen</strong></span>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
@@ -46,7 +46,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543596"></a><h2>OPTIONS</h2>
+<a name="id2543597"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
@@ -248,7 +248,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544301"></a><h2>TIMING OPTIONS</h2>
+<a name="id2544166"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -319,7 +319,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544491"></a><h2>GENERATED KEYS</h2>
+<a name="id2544356"></a><h2>GENERATED KEYS</h2>
<p>
When <span><strong class="command">dnssec-keygen</strong></span> completes
successfully,
@@ -365,7 +365,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544642"></a><h2>EXAMPLE</h2>
+<a name="id2544506"></a><h2>EXAMPLE</h2>
<p>
To generate a 768-bit DSA key for the domain
<strong class="userinput"><code>example.com</code></strong>, the following command would be
@@ -386,7 +386,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544685"></a><h2>SEE ALSO</h2>
+<a name="id2544550"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2539</em>,
@@ -395,7 +395,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544716"></a><h2>AUTHOR</h2>
+<a name="id2544581"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/dnssec/dnssec-revoke.8 b/bin/dnssec/dnssec-revoke.8
index d57b6aa09de2..2af719e249df 100644
--- a/bin/dnssec/dnssec-revoke.8
+++ b/bin/dnssec/dnssec-revoke.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2011 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dnssec-revoke.8,v 1.9 2010-05-19 01:14:14 tbox Exp $
+.\" $Id$
.\"
.hy 0
.ad l
@@ -32,7 +32,7 @@
dnssec\-revoke \- Set the REVOKED bit on a DNSSEC key
.SH "SYNOPSIS"
.HP 14
-\fBdnssec\-revoke\fR [\fB\-hr\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\fR] {keyfile}
+\fBdnssec\-revoke\fR [\fB\-hr\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\fR] [\fB\-R\fR] {keyfile}
.SH "DESCRIPTION"
.PP
\fBdnssec\-revoke\fR
@@ -70,6 +70,11 @@ Force overwrite: Causes
\fBdnssec\-revoke\fR
to write the new key pair even if a file already exists matching the algorithm and key ID of the revoked key.
.RE
+.PP
+\-R
+.RS 4
+Print the key tag of the key with the REVOKE bit set but do not revoke the key.
+.RE
.SH "SEE ALSO"
.PP
\fBdnssec\-keygen\fR(8),
@@ -79,5 +84,5 @@ RFC 5011.
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
-Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2011 Internet Systems Consortium, Inc. ("ISC")
.br
diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c
index 90e905c4d0b0..8346f1c91182 100644
--- a/bin/dnssec/dnssec-revoke.c
+++ b/bin/dnssec/dnssec-revoke.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009-2011 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-revoke.c,v 1.22 2010-05-06 23:50:56 tbox Exp $ */
+/* $Id: dnssec-revoke.c,v 1.22.124.2 2011/10/20 23:46:27 tbox Exp $ */
/*! \file */
@@ -92,6 +92,7 @@ main(int argc, char **argv) {
isc_buffer_t buf;
isc_boolean_t force = ISC_FALSE;
isc_boolean_t remove = ISC_FALSE;
+ isc_boolean_t id = ISC_FALSE;
if (argc == 1)
usage();
@@ -104,7 +105,7 @@ main(int argc, char **argv) {
isc_commandline_errprint = ISC_FALSE;
- while ((ch = isc_commandline_parse(argc, argv, "E:fK:rhv:")) != -1) {
+ while ((ch = isc_commandline_parse(argc, argv, "E:fK:rRhv:")) != -1) {
switch (ch) {
case 'E':
engine = isc_commandline_argument;
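Review bot: `R` is added to the option string here, but no hunk in this file touches `usage()`, so the built-in help presumably still omits the flag. The man page, docbook and HTML are all updated in this commit, which leaves the help text as the odd one out. A matching line in `usage()` would keep them in step, for example `fprintf(stderr, "    -R: print the revoked key tag, do not revoke\n");`, adjusted to the formatting already used there, which is not visible here. `main()` continues outside this hunk.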
@@ -126,6 +127,9 @@ main(int argc, char **argv) {
case 'r':
remove = ISC_TRUE;
break;
+ case 'R':
+ id = ISC_TRUE;
+ break;
case 'v':
verbose = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0')
@@ -186,6 +190,10 @@ main(int argc, char **argv) {
fatal("Invalid keyfile name %s: %s",
filename, isc_result_totext(result));
+ if (id) {
+ fprintf(stdout, "%u\n", dst_key_rid(key));
+ goto cleanup;
+ }
dst_key_format(key, keystr, sizeof(keystr));
if (verbose > 2)
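Review bot: The new `if (id)` branch prints the tag and jumps to `cleanup`, so `-R` silently overrides `-r` and `-f` when they are given together; the code that acts on `remove` and `force` is presumably further down in `main()`, outside this hunk. Nothing rejects or documents the combination. Either refuse it after option parsing with `if (id && (remove || force)) fatal("-R cannot be combined with -r or -f");`, or state the precedence in the man page. The flag name `id` is also terse next to `force` and `remove`; a comment at its declaration such as `/* -R: print the revoked key tag only, write nothing */` would make the intent clear.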
diff --git a/bin/dnssec/dnssec-revoke.docbook b/bin/dnssec/dnssec-revoke.docbook
index b7b562021308..99518bb2f2fa 100644
--- a/bin/dnssec/dnssec-revoke.docbook
+++ b/bin/dnssec/dnssec-revoke.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2011 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-revoke.docbook,v 1.7 2009-11-03 21:44:46 each Exp $ -->
+<!-- $Id: dnssec-revoke.docbook,v 1.7.266.2 2011/10/20 23:46:27 tbox Exp $ -->
<refentry id="man.dnssec-revoke">
<refentryinfo>
<date>June 1, 2009</date>
@@ -37,6 +37,7 @@
<docinfo>
<copyright>
<year>2009</year>
+ <year>2011</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
@@ -49,6 +50,7 @@
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-f</option></arg>
+ <arg><option>-R</option></arg>
<arg choice="req">keyfile</arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -123,6 +125,16 @@
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term>-R</term>
+ <listitem>
+ <para>
+ Print the key tag of the key with the REVOKE bit set but do
+ not revoke the key.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
diff --git a/bin/dnssec/dnssec-revoke.html b/bin/dnssec/dnssec-revoke.html
index fad9ac520196..b3b71b961cf4 100644
--- a/bin/dnssec/dnssec-revoke.html
+++ b/bin/dnssec/dnssec-revoke.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2011 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-revoke.html,v 1.9 2010-05-19 01:14:14 tbox Exp $ -->
+<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -28,10 +28,10 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-revoke</code> [<code class="option">-hr</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f</code>] {keyfile}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-revoke</code> [<code class="option">-hr</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f</code>] [<code class="option">-R</code>] {keyfile}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543373"></a><h2>DESCRIPTION</h2>
+<a name="id2543382"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-revoke</strong></span>
reads a DNSSEC key file, sets the REVOKED bit on the key as defined
in RFC 5011, and creates a new pair of key files containing the
@@ -39,7 +39,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543385"></a><h2>OPTIONS</h2>
+<a name="id2543394"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-h</span></dt>
<dd><p>
@@ -69,17 +69,22 @@
write the new key pair even if a file already exists matching
the algorithm and key ID of the revoked key.
</p></dd>
+<dt><span class="term">-R</span></dt>
+<dd><p>
+ Print the key tag of the key with the REVOKE bit set but do
+ not revoke the key.
+ </p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543491"></a><h2>SEE ALSO</h2>
+<a name="id2543512"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 5011</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543515"></a><h2>AUTHOR</h2>
+<a name="id2543537"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/dnssec/dnssec-settime.8 b/bin/dnssec/dnssec-settime.8
index cbe4092e52a1..8a5e2e789005 100644
--- a/bin/dnssec/dnssec-settime.8
+++ b/bin/dnssec/dnssec-settime.8
@@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dnssec-settime.8,v 1.14.70.1 2011-03-22 02:37:44 tbox Exp $
+.\" $Id$
.\"
.hy 0
.ad l
@@ -52,7 +52,7 @@ simply prints the key timing metadata already stored in the key.
.PP
When key metadata fields are changed, both files of a key pair (\fIKnnnn.+aaa+iiiii.key\fR
and
-\fIKnnnn.+aaa+iiiii.private\fR) are regenerated. Metadata fields are stored in the private file. A human\-readable description of the metadata is also placed in comments in the key file.
+\fIKnnnn.+aaa+iiiii.private\fR) are regenerated. Metadata fields are stored in the private file. A human\-readable description of the metadata is also placed in comments in the key file. The private file's permissions are always set to be inaccessible to anyone other than the owner (mode 0600).
.SH "OPTIONS"
.PP
\-f
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
index a1258ef30cda..7a814904a99a 100644
--- a/bin/dnssec/dnssec-settime.c
+++ b/bin/dnssec/dnssec-settime.c
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-settime.c,v 1.28.16.3 2011-06-02 20:24:11 each Exp $ */
+/* $Id: dnssec-settime.c,v 1.28.16.3 2011/06/02 20:24:11 each Exp $ */
/*! \file */
diff --git a/bin/dnssec/dnssec-settime.docbook b/bin/dnssec/dnssec-settime.docbook
index daf720ba9362..3d89b651b473 100644
--- a/bin/dnssec/dnssec-settime.docbook
+++ b/bin/dnssec/dnssec-settime.docbook
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-settime.docbook,v 1.11.70.2 2011-03-21 23:46:58 tbox Exp $ -->
+<!-- $Id: dnssec-settime.docbook,v 1.11.70.3 2011/11/03 20:21:30 each Exp $ -->
<refentry id="man.dnssec-settime">
<refentryinfo>
<date>July 15, 2009</date>
@@ -82,7 +82,8 @@
<filename>Knnnn.+aaa+iiiii.private</filename>) are regenerated.
Metadata fields are stored in the private file. A human-readable
description of the metadata is also placed in comments in the key
- file.
+ file. The private file's permissions are always set to be
+ inaccessible to anyone other than the owner (mode 0600).
</para>
</refsect1>
diff --git a/bin/dnssec/dnssec-settime.html b/bin/dnssec/dnssec-settime.html
index baca8f56ece5..0ac82bcbd3da 100644
--- a/bin/dnssec/dnssec-settime.html
+++ b/bin/dnssec/dnssec-settime.html
@@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-settime.html,v 1.14.70.1 2011-03-22 02:37:44 tbox Exp $ -->
+<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -31,7 +31,7 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543422"></a><h2>DESCRIPTION</h2>
+<a name="id2543424"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-settime</strong></span>
reads a DNSSEC private key file and sets the key timing metadata
as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
@@ -52,11 +52,12 @@
<code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
Metadata fields are stored in the private file. A human-readable
description of the metadata is also placed in comments in the key
- file.
+ file. The private file's permissions are always set to be
+ inaccessible to anyone other than the owner (mode 0600).
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543470"></a><h2>OPTIONS</h2>
+<a name="id2543472"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-f</span></dt>
<dd><p>
@@ -89,7 +90,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543562"></a><h2>TIMING OPTIONS</h2>
+<a name="id2543563"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -168,7 +169,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543701"></a><h2>PRINTING OPTIONS</h2>
+<a name="id2543770"></a><h2>PRINTING OPTIONS</h2>
<p>
<span><strong class="command">dnssec-settime</strong></span> can also be used to print the
timing metadata associated with a key.
@@ -194,7 +195,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543915"></a><h2>SEE ALSO</h2>
+<a name="id2543848"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -202,7 +203,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543948"></a><h2>AUTHOR</h2>
+<a name="id2543881"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/dnssec/dnssec-signzone.8 b/bin/dnssec/dnssec-signzone.8
index 9822883747b8..028068803cdb 100644
--- a/bin/dnssec/dnssec-signzone.8
+++ b/bin/dnssec/dnssec-signzone.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dnssec-signzone.8,v 1.59 2009-12-04 01:13:44 tbox Exp $
+.\" $Id$
.\"
.hy 0
.ad l
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index fe02d2e6bcec..953e2b086fc8 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-signzone.c,v 1.262.110.9 2011-07-19 23:47:12 tbox Exp $ */
+/* $Id: dnssec-signzone.c,v 1.262.110.9 2011/07/19 23:47:12 tbox Exp $ */
/*! \file */
diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook
index 51a14968a9c3..128ebe96341b 100644
--- a/bin/dnssec/dnssec-signzone.docbook
+++ b/bin/dnssec/dnssec-signzone.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-signzone.docbook,v 1.44 2009-12-03 23:18:16 each Exp $ -->
+<!-- $Id: dnssec-signzone.docbook,v 1.44 2009/12/03 23:18:16 each Exp $ -->
<refentry id="man.dnssec-signzone">
<refentryinfo>
<date>June 05, 2009</date>
diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html
index 28e7158e6e7c..82185c6477d5 100644
--- a/bin/dnssec/dnssec-signzone.html
+++ b/bin/dnssec/dnssec-signzone.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-signzone.html,v 1.45 2009-12-04 01:13:44 tbox Exp $ -->
+<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-P</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] 
[<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543596"></a><h2>DESCRIPTION</h2>
+<a name="id2543597"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-signzone</strong></span>
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
@@ -43,7 +43,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543611"></a><h2>OPTIONS</h2>
+<a name="id2543612"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd><p>
@@ -379,7 +379,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544896"></a><h2>EXAMPLE</h2>
+<a name="id2544965"></a><h2>EXAMPLE</h2>
<p>
The following command signs the <strong class="userinput"><code>example.com</code></strong>
zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
@@ -409,14 +409,14 @@ db.example.com.signed
%</pre>
</div>
<div class="refsect1" lang="en">
-<a name="id2545019"></a><h2>SEE ALSO</h2>
+<a name="id2545020"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4033</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545044"></a><h2>AUTHOR</h2>
+<a name="id2545045"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index da6b0b2a789e..882b042f1b8e 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssectool.c,v 1.60 2010-01-19 23:48:56 tbox Exp $ */
+/* $Id: dnssectool.c,v 1.60.162.3 2011/10/21 03:56:32 marka Exp $ */
/*! \file */
@@ -406,19 +406,24 @@ set_keyversion(dst_key_t *key) {
}
isc_boolean_t
-key_collision(isc_uint16_t id, dns_name_t *name, const char *dir,
- dns_secalg_t alg, isc_mem_t *mctx, isc_boolean_t *exact)
+key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir,
+ isc_mem_t *mctx, isc_boolean_t *exact)
{
isc_result_t result;
isc_boolean_t conflict = ISC_FALSE;
dns_dnsseckeylist_t matchkeys;
dns_dnsseckey_t *key = NULL;
- isc_uint16_t oldid, diff;
- isc_uint16_t bits = DNS_KEYFLAG_REVOKE; /* flag bits to look for */
+ isc_uint16_t id, oldid;
+ isc_uint32_t rid, roldid;
+ dns_secalg_t alg;
if (exact != NULL)
*exact = ISC_FALSE;
+ id = dst_key_id(dstkey);
+ rid = dst_key_rid(dstkey);
+ alg = dst_key_alg(dstkey);
+
ISC_LIST_INIT(matchkeys);
result = dns_dnssec_findmatchingkeys(name, dir, mctx, &matchkeys);
if (result == ISC_R_NOTFOUND)
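Review bot: `rid` and `roldid` are declared `isc_uint32_t` while `id` and `oldid` stay `isc_uint16_t`, so the test `oldid == rid || roldid == id || id == oldid` in the following hunk compares values of different widths. If dst_key_rid() returns a 16-bit key tag as dst_key_id() does (its prototype is not visible here), one declaration would do: `isc_uint16_t id, oldid, rid, roldid;`. The removed code explained its mask with `/* flag bits to look for */`, but the replacement test has no comment. Something like `/* collide if the tags match, or if either tag equals the other key's tag with REVOKE set (presumably what dst_key_rid() returns) */` above the `if` would help the next reader. key_collision's body continues past the end of this hunk.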
@@ -430,10 +435,11 @@ key_collision(isc_uint16_t id, dns_name_t *name, const char *dir,
goto next;
oldid = dst_key_id(key->key);
- diff = (oldid > id) ? (oldid - id) : (id - oldid);
- if ((diff & ~bits) == 0) {
+ roldid = dst_key_rid(key->key);
+
+ if (oldid == rid || roldid == id || id == oldid) {
conflict = ISC_TRUE;
- if (diff != 0) {
+ if (id != oldid) {
if (verbose > 1)
fprintf(stderr, "Key ID %d could "
"collide with %d\n",
@@ -461,4 +467,3 @@ key_collision(isc_uint16_t id, dns_name_t *name, const char *dir,
return (conflict);
}
-
diff --git a/bin/dnssec/dnssectool.h b/bin/dnssec/dnssectool.h
index b52bc135ea0e..e6dfe51aeed3 100644
--- a/bin/dnssec/dnssectool.h
+++ b/bin/dnssec/dnssectool.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007-2010 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssectool.h,v 1.31 2010-01-19 23:48:56 tbox Exp $ */
+/* $Id: dnssectool.h,v 1.31.162.2 2011/10/20 23:46:27 tbox Exp $ */
#ifndef DNSSECTOOL_H
#define DNSSECTOOL_H 1
@@ -78,6 +78,7 @@ void
set_keyversion(dst_key_t *key);
isc_boolean_t
-key_collision(isc_uint16_t id, dns_name_t *name, const char *dir,
- dns_secalg_t alg, isc_mem_t *mctx, isc_boolean_t *exact);
+key_collision(dst_key_t *key, dns_name_t *name, const char *dir,
+ isc_mem_t *mctx, isc_boolean_t *exact);
+
#endif /* DNSSEC_DNSSECTOOL_H */
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index 86400c47f026..272cf960b336 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.114.14.2 2011-03-10 23:47:25 tbox Exp $
+# $Id: Makefile.in,v 1.114.14.2 2011/03/10 23:47:25 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/bin/named/bind.keys.h b/bin/named/bind.keys.h
index 0177214159e7..61e3f700c6cf 100644
--- a/bin/named/bind.keys.h
+++ b/bin/named/bind.keys.h
@@ -1,6 +1,6 @@
/*
- * Generated by bindkeys.pl 1.7 2011-01-04 23:47:13 tbox Exp
- * From bind.keys 1.7 2011-01-03 23:45:07 each Exp
+ * Generated by bindkeys.pl 1.7 2011/01/04 23:47:13 tbox Exp
+ * From bind.keys 1.7 2011/01/03 23:45:07 each Exp
*/
#define TRUSTED_KEYS "\
# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
diff --git a/bin/named/bind9.xsl b/bin/named/bind9.xsl
index 5913c1cc2000..8063cc666a24 100644
--- a/bin/named/bind9.xsl
+++ b/bin/named/bind9.xsl
@@ -15,7 +15,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: bind9.xsl,v 1.21 2009-01-27 23:47:54 tbox Exp $ -->
+<!-- $Id: bind9.xsl,v 1.21 2009/01/27 23:47:54 tbox Exp $ -->
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
diff --git a/bin/named/bind9.xsl.h b/bin/named/bind9.xsl.h
index b6f1f5491b95..19a58ff17c7e 100644
--- a/bin/named/bind9.xsl.h
+++ b/bin/named/bind9.xsl.h
@@ -1,6 +1,6 @@
/*
- * Generated by convertxsl.pl 1.14 2008-07-17 23:43:26 jinmei Exp
- * From bind9.xsl 1.21 2009-01-27 23:47:54 tbox Exp
+ * Generated by convertxsl.pl 1.14 2008/07/17 23:43:26 jinmei Exp
+ * From bind9.xsl 1.21 2009/01/27 23:47:54 tbox Exp
*/
static char xslmsg[] =
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
@@ -20,7 +20,7 @@ static char xslmsg[] =
" - PERFORMANCE OF THIS SOFTWARE.\n"
"-->\n"
"\n"
- "<!-- \045Id: bind9.xsl,v 1.21 2009-01-27 23:47:54 tbox Exp \045 -->\n"
+ "<!-- \045Id: bind9.xsl,v 1.21 2009/01/27 23:47:54 tbox Exp \045 -->\n"
"\n"
"<xsl:stylesheet version=\"1.0\"\n"
" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"\n"
diff --git a/bin/named/builtin.c b/bin/named/builtin.c
index d7730e7afed0..86afa5a0370a 100644
--- a/bin/named/builtin.c
+++ b/bin/named/builtin.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2009-2011 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: builtin.c,v 1.20 2011-01-07 23:47:07 tbox Exp $ */
+/* $Id: builtin.c,v 1.20.14.3 2012/01/11 20:19:40 ckb Exp $ */
/*! \file
* \brief
@@ -300,6 +300,7 @@ do_authors_lookup(dns_sdblookup_t *lookup) {
const char **p;
static const char *authors[] = {
"Mark Andrews",
+ "Curtis Blackburn",
"James Brister",
"Ben Cottrell",
"Michael Graff",
@@ -308,6 +309,7 @@ do_authors_lookup(dns_sdblookup_t *lookup) {
"Evan Hunt",
"JINMEI Tatuya",
"David Lawrence",
+ "Scott Mann",
"Danny Mayer",
"Damien Neil",
"Matt Nelson",
diff --git a/bin/named/client.c b/bin/named/client.c
index 2115ac101bcf..606cc2d4dad4 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: client.c,v 1.271.10.2 2011-07-28 04:30:54 marka Exp $ */
+/* $Id: client.c,v 1.271.10.4 2012/01/31 23:46:39 tbox Exp $ */
#include <config.h>
@@ -934,6 +934,15 @@ ns_client_send(ns_client_t *client) {
render_opts = 0;
else
render_opts = DNS_MESSAGERENDER_OMITDNSSEC;
+
+ preferred_glue = 0;
+ if (client->view != NULL) {
+ if (client->view->preferred_glue == dns_rdatatype_a)
+ preferred_glue = DNS_MESSAGERENDER_PREFER_A;
+ else if (client->view->preferred_glue == dns_rdatatype_aaaa)
+ preferred_glue = DNS_MESSAGERENDER_PREFER_AAAA;
+ }
+
#ifdef ALLOW_FILTER_AAAA_ON_V4
/*
* filter-aaaa-on-v4 yes or break-dnssec option to suppress
@@ -942,17 +951,15 @@ ns_client_send(ns_client_t *client) {
* that we have both AAAA and A records,
* and that we either have no signatures that the client wants
* or we are supposed to break DNSSEC.
+ *
+ * Override preferred glue if necessary.
*/
- if ((client->attributes & NS_CLIENTATTR_FILTER_AAAA) != 0)
+ if ((client->attributes & NS_CLIENTATTR_FILTER_AAAA) != 0) {
render_opts |= DNS_MESSAGERENDER_FILTER_AAAA;
-#endif
- preferred_glue = 0;
- if (client->view != NULL) {
- if (client->view->preferred_glue == dns_rdatatype_a)
+ if (preferred_glue == DNS_MESSAGERENDER_PREFER_AAAA)
preferred_glue = DNS_MESSAGERENDER_PREFER_A;
- else if (client->view->preferred_glue == dns_rdatatype_aaaa)
- preferred_glue = DNS_MESSAGERENDER_PREFER_AAAA;
}
+#endif
/*
* XXXRTH The following doesn't deal with TCP buffer resizing.
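Review bot: The added comment line `Override preferred glue if necessary.` does not say when the override applies or why. The code under it changes `preferred_glue` from `DNS_MESSAGERENDER_PREFER_AAAA` to `DNS_MESSAGERENDER_PREFER_A` only when `NS_CLIENTATTR_FILTER_AAAA` is set on the client. I would state that directly, for example `* If AAAA records are being filtered for this client, prefer A glue rather than AAAA.` This also means a view configured to prefer AAAA glue answers filtered clients with A glue, which an operator reading the configuration would not expect without that comment. ns_client_send starts and ends outside this hunk, and the preferred_glue setup it relies on is added in the preceding hunk.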
@@ -2109,6 +2116,9 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
client->recursionquota = NULL;
client->interface = NULL;
client->peeraddr_valid = ISC_FALSE;
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+ client->filter_aaaa = dns_v4_aaaa_ok;
+#endif
ISC_EVENT_INIT(&client->ctlevent, sizeof(client->ctlevent), 0, NULL,
NS_EVENT_CLIENTCONTROL, client_start, client, client,
NULL, NULL);
diff --git a/bin/named/config.c b/bin/named/config.c
index e34e5c4e63bf..f5e93e42a666 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: config.c,v 1.113.16.2 2011-02-28 01:19:58 tbox Exp $ */
+/* $Id: config.c,v 1.113.16.2 2011/02/28 01:19:58 tbox Exp $ */
/*! \file */
diff --git a/bin/named/control.c b/bin/named/control.c
index 3fc7bd3916f5..ff084fc7d5a9 100644
--- a/bin/named/control.c
+++ b/bin/named/control.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: control.c,v 1.41 2010-12-03 22:05:19 each Exp $ */
+/* $Id: control.c,v 1.41 2010/12/03 22:05:19 each Exp $ */
/*! \file */
diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
index bd269e519b3e..926c20543d55 100644
--- a/bin/named/controlconf.c
+++ b/bin/named/controlconf.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008, 2011 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: controlconf.c,v 1.60.544.2 2011-03-12 04:59:14 tbox Exp $ */
+/* $Id: controlconf.c,v 1.60.544.3 2011/12/22 08:10:09 marka Exp $ */
/*! \file */
@@ -373,17 +373,8 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
if (result == ISC_R_SUCCESS)
break;
isc_mem_put(listener->mctx, secret.rstart, REGION_SIZE(secret));
- if (result == ISCCC_R_BADAUTH) {
- /*
- * For some reason, request is non-NULL when
- * isccc_cc_fromwire returns ISCCC_R_BADAUTH.
- */
- if (request != NULL)
- isccc_sexpr_free(&request);
- } else {
- log_invalid(&conn->ccmsg, result);
- goto cleanup;
- }
+ log_invalid(&conn->ccmsg, result);
+ goto cleanup;
}
if (key == NULL) {
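Review bot: With the `ISCCC_R_BADAUTH` branch removed, every non-success result from the decode step now reaches `log_invalid(&conn->ccmsg, result); goto cleanup;`, including an authentication mismatch. The surrounding `break` on success and the `if (key == NULL)` test after the closing brace suggest this sits in a loop that tries each configured key in turn; the loop header is outside the hunk, so this is inferred. If so, a message signed with any key other than the first is rejected before the remaining keys are tried, and the `key == NULL` path is only reachable with an empty key list. Keeping the early exit for real decode errors while still moving on to the next key would look like `if (result != ISCCC_R_BADAUTH) { log_invalid(&conn->ccmsg, result); goto cleanup; }`. That assumes the decoder no longer leaves `request` allocated on a bad signature, which the removed comment warned about.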
@@ -1148,6 +1139,11 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp,
if (result == ISC_R_SUCCESS)
isc_socket_setname(listener->sock, "control", NULL);
+#ifndef ISC_ALLOW_MAPPED
+ if (result == ISC_R_SUCCESS)
+ isc_socket_ipv6only(listener->sock, ISC_TRUE);
+#endif
+
if (result == ISC_R_SUCCESS)
result = isc_socket_bind(listener->sock, &listener->address,
ISC_SOCKET_REUSEADDRESS);
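Review bot: The new `isc_socket_ipv6only(listener->sock, ISC_TRUE);` call has no comment, and it runs for every listener regardless of the family of `listener->address`. Presumably the call is a no-op on an IPv4 socket, and the intent is to stop IPv4 peers from arriving on the IPv6 control socket as IPv4-mapped addresses, where the channel's address ACL would see them in a different form. Neither point is visible in this hunk, so a comment should record it, for example `/* Do not accept IPv4-mapped peers on an IPv6 control socket; ACL matching expects native address families. */`. add_listener's body starts and ends outside the hunk.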
diff --git a/bin/named/convertxsl.pl b/bin/named/convertxsl.pl
index a6a56686e209..87550b3c1a58 100755
--- a/bin/named/convertxsl.pl
+++ b/bin/named/convertxsl.pl
@@ -14,12 +14,12 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: convertxsl.pl,v 1.14 2008-07-17 23:43:26 jinmei Exp $
+# $Id: convertxsl.pl,v 1.14 2008/07/17 23:43:26 jinmei Exp $
use strict;
use warnings;
-my $rev = '$Id: convertxsl.pl,v 1.14 2008-07-17 23:43:26 jinmei Exp $';
+my $rev = '$Id: convertxsl.pl,v 1.14 2008/07/17 23:43:26 jinmei Exp $';
$rev =~ s/\$//g;
$rev =~ s/,v//g;
$rev =~ s/Id: //;
diff --git a/bin/named/include/dlz/dlz_dlopen_driver.h b/bin/named/include/dlz/dlz_dlopen_driver.h
index fc51c49da767..7af325a13b30 100644
--- a/bin/named/include/dlz/dlz_dlopen_driver.h
+++ b/bin/named/include/dlz/dlz_dlopen_driver.h
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dlz_dlopen_driver.h,v 1.1.4.4 2011-03-17 09:41:06 fdupont Exp $ */
+/* $Id: dlz_dlopen_driver.h,v 1.1.4.4 2011/03/17 09:41:06 fdupont Exp $ */
#ifndef DLZ_DLOPEN_DRIVER_H
#define DLZ_DLOPEN_DRIVER_H
diff --git a/bin/named/include/named/builtin.h b/bin/named/include/named/builtin.h
index ec1a5754e1ae..a5185ba60f35 100644
--- a/bin/named/include/named/builtin.h
+++ b/bin/named/include/named/builtin.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: builtin.h,v 1.6 2007-06-19 23:46:59 tbox Exp $ */
+/* $Id: builtin.h,v 1.6 2007/06/19 23:46:59 tbox Exp $ */
#ifndef NAMED_BUILTIN_H
#define NAMED_BUILTIN_H 1
diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h
index 33f124d94c14..109d160b456b 100644
--- a/bin/named/include/named/client.h
+++ b/bin/named/include/named/client.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: client.h,v 1.91 2009-10-26 23:14:53 each Exp $ */
+/* $Id: client.h,v 1.91.278.2 2012/01/31 23:46:39 tbox Exp $ */
#ifndef NAMED_CLIENT_H
#define NAMED_CLIENT_H 1
@@ -141,6 +141,9 @@ struct ns_client {
isc_netaddr_t destaddr;
struct in6_pktinfo pktinfo;
isc_event_t ctlevent;
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+ dns_v4_aaaa_t filter_aaaa;
+#endif
/*%
* Information about recent FORMERR response(s), for
* FORMERR loop avoidance. This is separate for each
diff --git a/bin/named/include/named/config.h b/bin/named/include/named/config.h
index d1570b0e5704..c16c800fe126 100644
--- a/bin/named/include/named/config.h
+++ b/bin/named/include/named/config.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: config.h,v 1.16 2009-06-11 23:47:55 tbox Exp $ */
+/* $Id: config.h,v 1.16 2009/06/11 23:47:55 tbox Exp $ */
#ifndef NAMED_CONFIG_H
#define NAMED_CONFIG_H 1
diff --git a/bin/named/include/named/control.h b/bin/named/include/named/control.h
index e699892ca4ce..24e59093b4d1 100644
--- a/bin/named/include/named/control.h
+++ b/bin/named/include/named/control.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: control.h,v 1.31 2010-08-16 22:21:06 marka Exp $ */
+/* $Id: control.h,v 1.31 2010/08/16 22:21:06 marka Exp $ */
#ifndef NAMED_CONTROL_H
#define NAMED_CONTROL_H 1
diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h
index 7bea32d52b55..842931677b55 100644
--- a/bin/named/include/named/globals.h
+++ b/bin/named/include/named/globals.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: globals.h,v 1.89.54.2 2011-06-17 23:47:10 tbox Exp $ */
+/* $Id: globals.h,v 1.89.54.2 2011/06/17 23:47:10 tbox Exp $ */
#ifndef NAMED_GLOBALS_H
#define NAMED_GLOBALS_H 1
diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h
index 1b1e4638d995..2724c393cdc5 100644
--- a/bin/named/include/named/interfacemgr.h
+++ b/bin/named/include/named/interfacemgr.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: interfacemgr.h,v 1.33 2007-06-19 23:46:59 tbox Exp $ */
+/* $Id: interfacemgr.h,v 1.33 2007/06/19 23:46:59 tbox Exp $ */
#ifndef NAMED_INTERFACEMGR_H
#define NAMED_INTERFACEMGR_H 1
diff --git a/bin/named/include/named/listenlist.h b/bin/named/include/named/listenlist.h
index e1c20024f545..9e65d5df3a93 100644
--- a/bin/named/include/named/listenlist.h
+++ b/bin/named/include/named/listenlist.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: listenlist.h,v 1.15 2007-06-19 23:46:59 tbox Exp $ */
+/* $Id: listenlist.h,v 1.15 2007/06/19 23:46:59 tbox Exp $ */
#ifndef NAMED_LISTENLIST_H
#define NAMED_LISTENLIST_H 1
diff --git a/bin/named/include/named/log.h b/bin/named/include/named/log.h
index 1ce680f31e02..032743acbfb2 100644
--- a/bin/named/include/named/log.h
+++ b/bin/named/include/named/log.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: log.h,v 1.27 2009-01-07 23:47:46 tbox Exp $ */
+/* $Id: log.h,v 1.27 2009/01/07 23:47:46 tbox Exp $ */
#ifndef NAMED_LOG_H
#define NAMED_LOG_H 1
diff --git a/bin/named/include/named/logconf.h b/bin/named/include/named/logconf.h
index fc91c10db815..03543452a967 100644
--- a/bin/named/include/named/logconf.h
+++ b/bin/named/include/named/logconf.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: logconf.h,v 1.17 2007-06-19 23:46:59 tbox Exp $ */
+/* $Id: logconf.h,v 1.17 2007/06/19 23:46:59 tbox Exp $ */
#ifndef NAMED_LOGCONF_H
#define NAMED_LOGCONF_H 1
diff --git a/bin/named/include/named/lwaddr.h b/bin/named/include/named/lwaddr.h
index 3818620614a5..962aa91cd853 100644
--- a/bin/named/include/named/lwaddr.h
+++ b/bin/named/include/named/lwaddr.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwaddr.h,v 1.8 2007-06-19 23:46:59 tbox Exp $ */
+/* $Id: lwaddr.h,v 1.8 2007/06/19 23:46:59 tbox Exp $ */
/*! \file */
diff --git a/bin/named/include/named/lwdclient.h b/bin/named/include/named/lwdclient.h
index 5451b73675ab..c345176a2127 100644
--- a/bin/named/include/named/lwdclient.h
+++ b/bin/named/include/named/lwdclient.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwdclient.h,v 1.20 2009-01-17 23:47:42 tbox Exp $ */
+/* $Id: lwdclient.h,v 1.20 2009/01/17 23:47:42 tbox Exp $ */
#ifndef NAMED_LWDCLIENT_H
#define NAMED_LWDCLIENT_H 1
diff --git a/bin/named/include/named/lwresd.h b/bin/named/include/named/lwresd.h
index 3a540fb84fd8..565e58d7abf9 100644
--- a/bin/named/include/named/lwresd.h
+++ b/bin/named/include/named/lwresd.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwresd.h,v 1.19 2007-06-19 23:46:59 tbox Exp $ */
+/* $Id: lwresd.h,v 1.19 2007/06/19 23:46:59 tbox Exp $ */
#ifndef NAMED_LWRESD_H
#define NAMED_LWRESD_H 1
diff --git a/bin/named/include/named/lwsearch.h b/bin/named/include/named/lwsearch.h
index b9ced52dc0b2..c1b4f48f62c3 100644
--- a/bin/named/include/named/lwsearch.h
+++ b/bin/named/include/named/lwsearch.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwsearch.h,v 1.9 2007-06-19 23:46:59 tbox Exp $ */
+/* $Id: lwsearch.h,v 1.9 2007/06/19 23:46:59 tbox Exp $ */
#ifndef NAMED_LWSEARCH_H
#define NAMED_LWSEARCH_H 1
diff --git a/bin/named/include/named/main.h b/bin/named/include/named/main.h
index 6116add55b85..44251fa825c6 100644
--- a/bin/named/include/named/main.h
+++ b/bin/named/include/named/main.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: main.h,v 1.17 2009-09-29 23:48:03 tbox Exp $ */
+/* $Id: main.h,v 1.17 2009/09/29 23:48:03 tbox Exp $ */
#ifndef NAMED_MAIN_H
#define NAMED_MAIN_H 1
diff --git a/bin/named/include/named/notify.h b/bin/named/include/named/notify.h
index 34fabcd0620c..4e0a57e519c8 100644
--- a/bin/named/include/named/notify.h
+++ b/bin/named/include/named/notify.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: notify.h,v 1.16 2009-01-17 23:47:42 tbox Exp $ */
+/* $Id: notify.h,v 1.16 2009/01/17 23:47:42 tbox Exp $ */
#ifndef NAMED_NOTIFY_H
#define NAMED_NOTIFY_H 1
diff --git a/bin/named/include/named/ns_smf_globals.h b/bin/named/include/named/ns_smf_globals.h
index 5c6b9170f626..3a3574357758 100644
--- a/bin/named/include/named/ns_smf_globals.h
+++ b/bin/named/include/named/ns_smf_globals.h
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ns_smf_globals.h,v 1.7 2007-06-19 23:46:59 tbox Exp $ */
+/* $Id: ns_smf_globals.h,v 1.7 2007/06/19 23:46:59 tbox Exp $ */
#ifndef NS_SMF_GLOBALS_H
#define NS_SMF_GLOBALS_H 1
diff --git a/bin/named/include/named/query.h b/bin/named/include/named/query.h
index 37f771bd5960..6dfe96bc9d4d 100644
--- a/bin/named/include/named/query.h
+++ b/bin/named/include/named/query.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: query.h,v 1.45 2011-01-13 04:59:24 tbox Exp $ */
+/* $Id: query.h,v 1.45 2011/01/13 04:59:24 tbox Exp $ */
#ifndef NAMED_QUERY_H
#define NAMED_QUERY_H 1
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index 3c6426eecf61..25aa641ad37e 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: server.h,v 1.110 2010-08-16 23:46:52 tbox Exp $ */
+/* $Id: server.h,v 1.110 2010/08/16 23:46:52 tbox Exp $ */
#ifndef NAMED_SERVER_H
#define NAMED_SERVER_H 1
diff --git a/bin/named/include/named/sortlist.h b/bin/named/include/named/sortlist.h
index 5f3b05b6ed8b..b9f607611441 100644
--- a/bin/named/include/named/sortlist.h
+++ b/bin/named/include/named/sortlist.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sortlist.h,v 1.11 2007-06-19 23:46:59 tbox Exp $ */
+/* $Id: sortlist.h,v 1.11 2007/06/19 23:46:59 tbox Exp $ */
#ifndef NAMED_SORTLIST_H
#define NAMED_SORTLIST_H 1
diff --git a/bin/named/include/named/statschannel.h b/bin/named/include/named/statschannel.h
index fff7cade4e1c..0c36d8c706ce 100644
--- a/bin/named/include/named/statschannel.h
+++ b/bin/named/include/named/statschannel.h
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: statschannel.h,v 1.3 2008-04-03 05:55:51 marka Exp $ */
+/* $Id: statschannel.h,v 1.3 2008/04/03 05:55:51 marka Exp $ */
#ifndef NAMED_STATSCHANNEL_H
#define NAMED_STATSCHANNEL_H 1
diff --git a/bin/named/include/named/tkeyconf.h b/bin/named/include/named/tkeyconf.h
index 89d050c4795b..02bd71883a0f 100644
--- a/bin/named/include/named/tkeyconf.h
+++ b/bin/named/include/named/tkeyconf.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: tkeyconf.h,v 1.16 2007-06-19 23:46:59 tbox Exp $ */
+/* $Id: tkeyconf.h,v 1.16 2007/06/19 23:46:59 tbox Exp $ */
#ifndef NS_TKEYCONF_H
#define NS_TKEYCONF_H 1
diff --git a/bin/named/include/named/tsigconf.h b/bin/named/include/named/tsigconf.h
index 4a59ec2c0ff7..30bdf319d318 100644
--- a/bin/named/include/named/tsigconf.h
+++ b/bin/named/include/named/tsigconf.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: tsigconf.h,v 1.18 2009-06-11 23:47:55 tbox Exp $ */
+/* $Id: tsigconf.h,v 1.18 2009/06/11 23:47:55 tbox Exp $ */
#ifndef NS_TSIGCONF_H
#define NS_TSIGCONF_H 1
diff --git a/bin/named/include/named/types.h b/bin/named/include/named/types.h
index 96c4c012b71f..7a7886e2b634 100644
--- a/bin/named/include/named/types.h
+++ b/bin/named/include/named/types.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: types.h,v 1.31 2009-01-09 23:47:45 tbox Exp $ */
+/* $Id: types.h,v 1.31 2009/01/09 23:47:45 tbox Exp $ */
#ifndef NAMED_TYPES_H
#define NAMED_TYPES_H 1
diff --git a/bin/named/include/named/update.h b/bin/named/include/named/update.h
index ffa55efb8d7b..a34570c2f5b7 100644
--- a/bin/named/include/named/update.h
+++ b/bin/named/include/named/update.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: update.h,v 1.13 2007-06-19 23:46:59 tbox Exp $ */
+/* $Id: update.h,v 1.13 2007/06/19 23:46:59 tbox Exp $ */
#ifndef NAMED_UPDATE_H
#define NAMED_UPDATE_H 1
diff --git a/bin/named/include/named/xfrout.h b/bin/named/include/named/xfrout.h
index 4bea6f156a2f..4bb79a31e970 100644
--- a/bin/named/include/named/xfrout.h
+++ b/bin/named/include/named/xfrout.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: xfrout.h,v 1.12 2007-06-19 23:46:59 tbox Exp $ */
+/* $Id: xfrout.h,v 1.12 2007/06/19 23:46:59 tbox Exp $ */
#ifndef NAMED_XFROUT_H
#define NAMED_XFROUT_H 1
diff --git a/bin/named/include/named/zoneconf.h b/bin/named/include/named/zoneconf.h
index 65cf72f9f3ac..ebaad684ae7a 100644
--- a/bin/named/include/named/zoneconf.h
+++ b/bin/named/include/named/zoneconf.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: zoneconf.h,v 1.28 2010-12-20 23:47:20 tbox Exp $ */
+/* $Id: zoneconf.h,v 1.28 2010/12/20 23:47:20 tbox Exp $ */
#ifndef NS_ZONECONF_H
#define NS_ZONECONF_H 1
diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
index 513fb2491094..d194d2b877cf 100644
--- a/bin/named/interfacemgr.c
+++ b/bin/named/interfacemgr.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: interfacemgr.c,v 1.95.426.2 2011-03-12 04:59:14 tbox Exp $ */
+/* $Id: interfacemgr.c,v 1.95.426.2 2011/03/12 04:59:14 tbox Exp $ */
/*! \file */
diff --git a/bin/named/listenlist.c b/bin/named/listenlist.c
index b1aa4277569a..513fe9c70b13 100644
--- a/bin/named/listenlist.c
+++ b/bin/named/listenlist.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: listenlist.c,v 1.14 2007-06-19 23:46:59 tbox Exp $ */
+/* $Id: listenlist.c,v 1.14 2007/06/19 23:46:59 tbox Exp $ */
/*! \file */
diff --git a/bin/named/log.c b/bin/named/log.c
index 5d1c942074ca..5d19dcb205c6 100644
--- a/bin/named/log.c
+++ b/bin/named/log.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: log.c,v 1.49 2009-01-07 01:46:40 jinmei Exp $ */
+/* $Id: log.c,v 1.49 2009/01/07 01:46:40 jinmei Exp $ */
/*! \file */
diff --git a/bin/named/logconf.c b/bin/named/logconf.c
index 4fcb4e8dcaed..5d17ab0e6016 100644
--- a/bin/named/logconf.c
+++ b/bin/named/logconf.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: logconf.c,v 1.42.816.3 2011-03-05 23:52:06 tbox Exp $ */
+/* $Id: logconf.c,v 1.42.816.3 2011/03/05 23:52:06 tbox Exp $ */
/*! \file */
diff --git a/bin/named/lwaddr.c b/bin/named/lwaddr.c
index c7eeb78bc764..ed7880ac2682 100644
--- a/bin/named/lwaddr.c
+++ b/bin/named/lwaddr.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwaddr.c,v 1.10 2008-01-11 23:46:56 tbox Exp $ */
+/* $Id: lwaddr.c,v 1.10 2008/01/11 23:46:56 tbox Exp $ */
/*! \file */
diff --git a/bin/named/lwdclient.c b/bin/named/lwdclient.c
index 63a2be262155..a8431340024c 100644
--- a/bin/named/lwdclient.c
+++ b/bin/named/lwdclient.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwdclient.c,v 1.22 2007-06-18 23:47:18 tbox Exp $ */
+/* $Id: lwdclient.c,v 1.22 2007/06/18 23:47:18 tbox Exp $ */
/*! \file */
diff --git a/bin/named/lwderror.c b/bin/named/lwderror.c
index 9594dba543bc..33f247a45851 100644
--- a/bin/named/lwderror.c
+++ b/bin/named/lwderror.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwderror.c,v 1.12 2007-06-19 23:46:59 tbox Exp $ */
+/* $Id: lwderror.c,v 1.12 2007/06/19 23:46:59 tbox Exp $ */
/*! \file */
diff --git a/bin/named/lwdgabn.c b/bin/named/lwdgabn.c
index 6a609c9acc4f..c4b598beb13a 100644
--- a/bin/named/lwdgabn.c
+++ b/bin/named/lwdgabn.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwdgabn.c,v 1.24 2009-09-02 23:48:01 tbox Exp $ */
+/* $Id: lwdgabn.c,v 1.24 2009/09/02 23:48:01 tbox Exp $ */
/*! \file */
diff --git a/bin/named/lwdgnba.c b/bin/named/lwdgnba.c
index 64b05d6b9e86..dfc2ad654399 100644
--- a/bin/named/lwdgnba.c
+++ b/bin/named/lwdgnba.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwdgnba.c,v 1.22 2008-01-14 23:46:56 tbox Exp $ */
+/* $Id: lwdgnba.c,v 1.22 2008/01/14 23:46:56 tbox Exp $ */
/*! \file */
diff --git a/bin/named/lwdgrbn.c b/bin/named/lwdgrbn.c
index 22b62c625c12..5c858cbedacd 100644
--- a/bin/named/lwdgrbn.c
+++ b/bin/named/lwdgrbn.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwdgrbn.c,v 1.22 2009-09-02 23:48:01 tbox Exp $ */
+/* $Id: lwdgrbn.c,v 1.22 2009/09/02 23:48:01 tbox Exp $ */
/*! \file */
diff --git a/bin/named/lwdnoop.c b/bin/named/lwdnoop.c
index eebe39d064f5..14d8e0c4cfbb 100644
--- a/bin/named/lwdnoop.c
+++ b/bin/named/lwdnoop.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwdnoop.c,v 1.13 2008-01-22 23:28:04 tbox Exp $ */
+/* $Id: lwdnoop.c,v 1.13 2008/01/22 23:28:04 tbox Exp $ */
/*! \file */
diff --git a/bin/named/lwresd.8 b/bin/named/lwresd.8
index 30dfbd55e783..47a6b782b68a 100644
--- a/bin/named/lwresd.8
+++ b/bin/named/lwresd.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: lwresd.8,v 1.31 2009-07-11 01:12:45 tbox Exp $
+.\" $Id$
.\"
.hy 0
.ad l
diff --git a/bin/named/lwresd.c b/bin/named/lwresd.c
index ad3670960cb1..11198a4324f2 100644
--- a/bin/named/lwresd.c
+++ b/bin/named/lwresd.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwresd.c,v 1.60 2009-09-02 23:48:01 tbox Exp $ */
+/* $Id: lwresd.c,v 1.60 2009/09/02 23:48:01 tbox Exp $ */
/*! \file
* \brief
diff --git a/bin/named/lwresd.docbook b/bin/named/lwresd.docbook
index 934b5da21dcc..dddfe5e51784 100644
--- a/bin/named/lwresd.docbook
+++ b/bin/named/lwresd.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwresd.docbook,v 1.20 2009-01-20 23:47:56 tbox Exp $ -->
+<!-- $Id: lwresd.docbook,v 1.20 2009/01/20 23:47:56 tbox Exp $ -->
<refentry>
<refentryinfo>
<date>June 30, 2000</date>
diff --git a/bin/named/lwresd.html b/bin/named/lwresd.html
index 223b1c2c5250..5dc01be1dfb7 100644
--- a/bin/named/lwresd.html
+++ b/bin/named/lwresd.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwresd.html,v 1.27 2009-07-11 01:12:45 tbox Exp $ -->
+<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -22,7 +22,7 @@
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
+<a name="id2476274"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">lwresd</span> &#8212; lightweight resolver daemon</p>
@@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">lwresd</code> [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-C <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-i <em class="replaceable"><code>pid-file</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-P <em class="replaceable"><code>port</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-4</code>] [<code class="option">-6</code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543467"></a><h2>DESCRIPTION</h2>
+<a name="id2543469"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">lwresd</strong></span>
is the daemon providing name lookup
services to clients that use the BIND 9 lightweight resolver
@@ -67,7 +67,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543514"></a><h2>OPTIONS</h2>
+<a name="id2543516"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-4</span></dt>
<dd><p>
@@ -197,7 +197,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543931"></a><h2>FILES</h2>
+<a name="id2543933"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="filename">/etc/resolv.conf</code></span></dt>
<dd><p>
@@ -210,14 +210,14 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543971"></a><h2>SEE ALSO</h2>
+<a name="id2543973"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
<span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544005"></a><h2>AUTHOR</h2>
+<a name="id2544007"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/named/lwsearch.c b/bin/named/lwsearch.c
index 8ad6779bf510..6754c987bc2c 100644
--- a/bin/named/lwsearch.c
+++ b/bin/named/lwsearch.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwsearch.c,v 1.13 2007-06-19 23:46:59 tbox Exp $ */
+/* $Id: lwsearch.c,v 1.13 2007/06/19 23:46:59 tbox Exp $ */
/*! \file */
diff --git a/bin/named/main.c b/bin/named/main.c
index d22611360120..30c6ef9cac56 100644
--- a/bin/named/main.c
+++ b/bin/named/main.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: main.c,v 1.180.14.3 2011-03-11 06:47:00 marka Exp $ */
+/* $Id: main.c,v 1.180.14.4 2011/11/05 00:45:52 each Exp $ */
/*! \file */
@@ -793,6 +793,25 @@ setup(void) {
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
ISC_LOG_NOTICE, "built with %s", ns_g_configargs);
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_NOTICE,
+ "----------------------------------------------------");
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_NOTICE,
+ "BIND 9 is maintained by Internet Systems Consortium,");
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_NOTICE,
+ "Inc. (ISC), a non-profit 501(c)(3) public-benefit ");
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_NOTICE,
+ "corporation. Support and training for BIND 9 are ");
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_NOTICE,
+ "available at https://www.isc.org/support");
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_NOTICE,
+ "----------------------------------------------------");
+
dump_symboltable();
/*
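Review bot: The six added `isc_log_write()` calls in setup() differ only in their message string, so the banner would be easier to maintain as a table walked by one loop. The literals ending in "public-benefit " and "are " also carry a trailing space that lands in every log record. Passing each line through a `"%s"` format keeps the banner text out of the format argument should it ever be edited to contain a `%`. The banner adds six NOTICE-level records to every start, so log parsers that match on the startup sequence may need to account for them. setup() begins and ends outside this hunk; the table and the loop index below would be declared with its other locals.

```c
/* … unchanged: "built with %s" notice … */
static const char *const banner[] = {
	"----------------------------------------------------",
	"BIND 9 is maintained by Internet Systems Consortium,",
	"Inc. (ISC), a non-profit 501(c)(3) public-benefit",
	"corporation. Support and training for BIND 9 are",
	"available at https://www.isc.org/support",
	"----------------------------------------------------"
};

for (i = 0; i < sizeof(banner) / sizeof(banner[0]); i++)
	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
		      ISC_LOG_NOTICE, "%s", banner[i]);
/* … unchanged: dump_symboltable() call … */
```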
diff --git a/bin/named/named.8 b/bin/named/named.8
index 23805b04a935..222ff426cabd 100644
--- a/bin/named/named.8
+++ b/bin/named/named.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: named.8,v 1.41 2009-10-06 01:14:41 tbox Exp $
+.\" $Id$
.\"
.hy 0
.ad l
diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5
index 9dc7002b09c9..4356c192e6b6 100644
--- a/bin/named/named.conf.5
+++ b/bin/named/named.conf.5
@@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: named.conf.5,v 1.44.12.1 2011-02-03 12:29:12 tbox Exp $
+.\" $Id$
.\"
.hy 0
.ad l
@@ -254,8 +254,7 @@ options {
disable\-algorithms \fIstring\fR { \fIstring\fR; ... };
dnssec\-enable \fIboolean\fR;
dnssec\-validation \fIboolean\fR;
- dnssec\-lookaside \fIstring\fR trust\-anchor \fIstring\fR;
- dnssec\-lookaside ( \fIauto\fR | \fIdomain\fR trust\-anchor \fIdomain\fR );
+ dnssec\-lookaside ( \fIauto\fR | \fIno\fR | \fIdomain\fR trust\-anchor \fIdomain\fR );
dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
dnssec\-accept\-expired \fIboolean\fR;
dns64\-server \fIstring\fR;
@@ -424,7 +423,7 @@ view \fIstring\fR \fIoptional_class\fR {
disable\-algorithms \fIstring\fR { \fIstring\fR; ... };
dnssec\-enable \fIboolean\fR;
dnssec\-validation \fIboolean\fR;
- dnssec\-lookaside \fIstring\fR trust\-anchor \fIstring\fR;
+ dnssec\-lookaside ( \fIauto\fR | \fIno\fR | \fIdomain\fR trust\-anchor \fIdomain\fR );
dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
dnssec\-accept\-expired \fIboolean\fR;
dns64\-server \fIstring\fR;
diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
index 962eaaa0e2bd..c6ee1db1ca49 100644
--- a/bin/named/named.conf.docbook
+++ b/bin/named/named.conf.docbook
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named.conf.docbook,v 1.49.14.1 2011-02-03 05:50:05 marka Exp $ -->
+<!-- $Id: named.conf.docbook,v 1.49.14.2 2011/11/07 00:31:47 marka Exp $ -->
<refentry>
<refentryinfo>
<date>Aug 13, 2004</date>
@@ -285,8 +285,7 @@ options {
disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
dnssec-enable <replaceable>boolean</replaceable>;
dnssec-validation <replaceable>boolean</replaceable>;
- dnssec-lookaside <replaceable>string</replaceable> trust-anchor <replaceable>string</replaceable>;
- dnssec-lookaside ( <replaceable>auto</replaceable> | <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable> );
+ dnssec-lookaside ( <replaceable>auto</replaceable> | <replaceable>no</replaceable> | <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable> );
dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
dnssec-accept-expired <replaceable>boolean</replaceable>;
@@ -473,7 +472,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
dnssec-enable <replaceable>boolean</replaceable>;
dnssec-validation <replaceable>boolean</replaceable>;
- dnssec-lookaside <replaceable>string</replaceable> trust-anchor <replaceable>string</replaceable>;
+ dnssec-lookaside ( <replaceable>auto</replaceable> | <replaceable>no</replaceable> | <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable> );
dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
dnssec-accept-expired <replaceable>boolean</replaceable>;
diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html
index f20e411f45b0..71bd94669503 100644
--- a/bin/named/named.conf.html
+++ b/bin/named/named.conf.html
@@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named.conf.html,v 1.53.12.1 2011-02-03 12:29:12 tbox Exp $ -->
+<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -31,7 +31,7 @@
<div class="cmdsynopsis"><p><code class="command">named.conf</code> </p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543352"></a><h2>DESCRIPTION</h2>
+<a name="id2543353"></a><h2>DESCRIPTION</h2>
<p><code class="filename">named.conf</code> is the configuration file
for
<span><strong class="command">named</strong></span>. Statements are enclosed
@@ -50,14 +50,14 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543380"></a><h2>ACL</h2>
+<a name="id2543381"></a><h2>ACL</h2>
<div class="literallayout"><p><br>
acl <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
<br>
</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543396"></a><h2>KEY</h2>
+<a name="id2543397"></a><h2>KEY</h2>
<div class="literallayout"><p><br>
key <em class="replaceable"><code>domain_name</code></em> {<br>
algorithm <em class="replaceable"><code>string</code></em>;<br>
@@ -66,7 +66,7 @@ key <em class="replaceable"><code>domain_name</code></em> {<br>
</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543415"></a><h2>MASTERS</h2>
+<a name="id2543416"></a><h2>MASTERS</h2>
<div class="literallayout"><p><br>
masters <em class="replaceable"><code>string</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
@@ -75,7 +75,7 @@ masters <em class="replaceable"><code>string</code></em> [<span class="optional"
</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543461"></a><h2>SERVER</h2>
+<a name="id2543462"></a><h2>SERVER</h2>
<div class="literallayout"><p><br>
server ( <em class="replaceable"><code>ipv4_address[<span class="optional">/prefixlen</span>]</code></em> | <em class="replaceable"><code>ipv6_address[<span class="optional">/prefixlen</span>]</code></em> ) {<br>
bogus <em class="replaceable"><code>boolean</code></em>;<br>
@@ -97,7 +97,7 @@ server ( <em class="replaceable"><code>ipv4_address[<span class="optional">/pref
</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543529"></a><h2>TRUSTED-KEYS</h2>
+<a name="id2543530"></a><h2>TRUSTED-KEYS</h2>
<div class="literallayout"><p><br>
trusted-keys {<br>
<em class="replaceable"><code>domain_name</code></em> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ... <br>
@@ -105,7 +105,7 @@ trusted-keys {<br>
</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543555"></a><h2>MANAGED-KEYS</h2>
+<a name="id2543556"></a><h2>MANAGED-KEYS</h2>
<div class="literallayout"><p><br>
managed-keys {<br>
<em class="replaceable"><code>domain_name</code></em> <code class="constant">initial-key</code> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ... <br>
@@ -113,7 +113,7 @@ managed-keys {<br>
</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543584"></a><h2>CONTROLS</h2>
+<a name="id2543585"></a><h2>CONTROLS</h2>
<div class="literallayout"><p><br>
controls {<br>
inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
@@ -125,7 +125,7 @@ controls {<br>
</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543619"></a><h2>LOGGING</h2>
+<a name="id2543620"></a><h2>LOGGING</h2>
<div class="literallayout"><p><br>
logging {<br>
channel <em class="replaceable"><code>string</code></em> {<br>
@@ -143,7 +143,7 @@ logging {<br>
</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543657"></a><h2>LWRES</h2>
+<a name="id2543658"></a><h2>LWRES</h2>
<div class="literallayout"><p><br>
lwres {<br>
listen-on [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
@@ -156,7 +156,7 @@ lwres {<br>
</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543699"></a><h2>OPTIONS</h2>
+<a name="id2543700"></a><h2>OPTIONS</h2>
<div class="literallayout"><p><br>
options {<br>
avoid-v4-udp-ports { <em class="replaceable"><code>port</code></em>; ... };<br>
@@ -251,8 +251,7 @@ options {<br>
disable-algorithms <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-validation <em class="replaceable"><code>boolean</code></em>;<br>
- dnssec-lookaside <em class="replaceable"><code>string</code></em> trust-anchor <em class="replaceable"><code>string</code></em>;<br>
- dnssec-lookaside ( <em class="replaceable"><code>auto</code></em> | <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> );<br>
+ dnssec-lookaside ( <em class="replaceable"><code>auto</code></em> | <em class="replaceable"><code>no</code></em> | <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> );<br>
dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
<br>
@@ -361,7 +360,7 @@ options {<br>
</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544577"></a><h2>VIEW</h2>
+<a name="id2544574"></a><h2>VIEW</h2>
<div class="literallayout"><p><br>
view <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -438,7 +437,7 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
disable-algorithms <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-validation <em class="replaceable"><code>boolean</code></em>;<br>
- dnssec-lookaside <em class="replaceable"><code>string</code></em> trust-anchor <em class="replaceable"><code>string</code></em>;<br>
+ dnssec-lookaside ( <em class="replaceable"><code>auto</code></em> | <em class="replaceable"><code>no</code></em> | <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> );<br>
dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
<br>
@@ -524,7 +523,7 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2545280"></a><h2>ZONE</h2>
+<a name="id2545284"></a><h2>ZONE</h2>
<div class="literallayout"><p><br>
zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
type ( master | slave | stub | hint |<br>
@@ -619,12 +618,12 @@ zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2545659"></a><h2>FILES</h2>
+<a name="id2545664"></a><h2>FILES</h2>
<p><code class="filename">/etc/named.conf</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545671"></a><h2>SEE ALSO</h2>
+<a name="id2545675"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
diff --git a/bin/named/named.docbook b/bin/named/named.docbook
index 214f8ac6e9d7..c748911e24a1 100644
--- a/bin/named/named.docbook
+++ b/bin/named/named.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named.docbook,v 1.26 2009-10-05 17:30:49 fdupont Exp $ -->
+<!-- $Id: named.docbook,v 1.26 2009/10/05 17:30:49 fdupont Exp $ -->
<refentry id="man.named">
<refentryinfo>
<date>May 21, 2009</date>
diff --git a/bin/named/named.html b/bin/named/named.html
index fa869c4c6d10..cf3cb2678f39 100644
--- a/bin/named/named.html
+++ b/bin/named/named.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named.html,v 1.33 2009-10-06 01:14:41 tbox Exp $ -->
+<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">named</code> [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine-name</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543480"></a><h2>DESCRIPTION</h2>
+<a name="id2543482"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named</strong></span>
is a Domain Name System (DNS) server,
part of the BIND 9 distribution from ISC. For more
@@ -47,7 +47,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543505"></a><h2>OPTIONS</h2>
+<a name="id2543507"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-4</span></dt>
<dd><p>
@@ -228,7 +228,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543962"></a><h2>SIGNALS</h2>
+<a name="id2543964"></a><h2>SIGNALS</h2>
<p>
In routine operation, signals should not be used to control
the nameserver; <span><strong class="command">rndc</strong></span> should be used
@@ -249,7 +249,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544010"></a><h2>CONFIGURATION</h2>
+<a name="id2544012"></a><h2>CONFIGURATION</h2>
<p>
The <span><strong class="command">named</strong></span> configuration file is too complex
to describe in detail here. A complete description is provided
@@ -266,7 +266,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544046"></a><h2>FILES</h2>
+<a name="id2544049"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
<dd><p>
@@ -279,7 +279,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544086"></a><h2>SEE ALSO</h2>
+<a name="id2544088"></a><h2>SEE ALSO</h2>
<p><em class="citetitle">RFC 1033</em>,
<em class="citetitle">RFC 1034</em>,
<em class="citetitle">RFC 1035</em>,
@@ -292,7 +292,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544293"></a><h2>AUTHOR</h2>
+<a name="id2544295"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/named/notify.c b/bin/named/notify.c
index da5a651b33cb..de52b8c82bef 100644
--- a/bin/named/notify.c
+++ b/bin/named/notify.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: notify.c,v 1.37 2007-06-19 23:46:59 tbox Exp $ */
+/* $Id: notify.c,v 1.37 2007/06/19 23:46:59 tbox Exp $ */
#include <config.h>
diff --git a/bin/named/query.c b/bin/named/query.c
index 4945f474f73f..6d2ee445b8bc 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: query.c,v 1.353.8.11.4.1 2011-11-16 09:32:08 marka Exp $ */
+/* $Id: query.c,v 1.353.8.24 2012/02/07 01:14:39 marka Exp $ */
/*! \file */
@@ -830,57 +830,41 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
}
static void
-rpz_log(ns_client_t *client) {
- char namebuf1[DNS_NAME_FORMATSIZE];
- char namebuf2[DNS_NAME_FORMATSIZE];
- dns_rpz_st_t *st;
- const char *pat;
+rpz_log_rewrite(ns_client_t *client, const char *disabled,
+ dns_rpz_policy_t policy, dns_rpz_type_t type,
+ dns_name_t *rpz_qname) {
+ char qname_buf[DNS_NAME_FORMATSIZE];
+ char rpz_qname_buf[DNS_NAME_FORMATSIZE];
- if (!ns_g_server->log_queries ||
- !isc_log_wouldlog(ns_g_lctx, DNS_RPZ_INFO_LEVEL))
+ if (!isc_log_wouldlog(ns_g_lctx, DNS_RPZ_INFO_LEVEL))
return;
- st = client->query.rpz_st;
- dns_name_format(client->query.qname, namebuf1, sizeof(namebuf1));
- dns_name_format(st->qname, namebuf2, sizeof(namebuf2));
+ dns_name_format(client->query.qname, qname_buf, sizeof(qname_buf));
+ dns_name_format(rpz_qname, rpz_qname_buf, sizeof(rpz_qname_buf));
- switch (st->m.policy) {
- case DNS_RPZ_POLICY_NO_OP:
- pat ="response policy %s rewrite %s NO-OP using %s";
- break;
- case DNS_RPZ_POLICY_NXDOMAIN:
- pat = "response policy %s rewrite %s to NXDOMAIN using %s";
- break;
- case DNS_RPZ_POLICY_NODATA:
- pat = "response policy %s rewrite %s to NODATA using %s";
- break;
- case DNS_RPZ_POLICY_RECORD:
- case DNS_RPZ_POLICY_CNAME:
- pat = "response policy %s rewrite %s using %s";
- break;
- default:
- INSIST(0);
- }
- ns_client_log(client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY,
- DNS_RPZ_INFO_LEVEL, pat, dns_rpz_type2str(st->m.type),
- namebuf1, namebuf2);
+ ns_client_log(client, DNS_LOGCATEGORY_RPZ, NS_LOGMODULE_QUERY,
+ DNS_RPZ_INFO_LEVEL, "%srpz %s %s rewrite %s via %s",
+ disabled,
+ dns_rpz_type2str(type), dns_rpz_policy2str(policy),
+ qname_buf, rpz_qname_buf);
}
static void
-rpz_fail_log(ns_client_t *client, int level, dns_rpz_type_t rpz_type,
- dns_name_t *name, const char *str, isc_result_t result)
+rpz_log_fail(ns_client_t *client, int level,
+ dns_rpz_type_t rpz_type, dns_name_t *name,
+ const char *str, isc_result_t result)
{
char namebuf1[DNS_NAME_FORMATSIZE];
char namebuf2[DNS_NAME_FORMATSIZE];
- if (!ns_g_server->log_queries || !isc_log_wouldlog(ns_g_lctx, level))
+ if (!isc_log_wouldlog(ns_g_lctx, level))
return;
dns_name_format(client->query.qname, namebuf1, sizeof(namebuf1));
dns_name_format(name, namebuf2, sizeof(namebuf2));
ns_client_log(client, NS_LOGCATEGORY_QUERY_EERRORS,
NS_LOGMODULE_QUERY, level,
- "response policy %s rewrite %s via %s %sfailed: %s",
+ "rpz %s rewrite %s via %s %sfailed: %s",
dns_rpz_type2str(rpz_type),
namebuf1, namebuf2, str, isc_result_totext(result));
}
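Review bot: rpz_log_rewrite() has no header comment, and its `disabled` argument is passed straight to a `%s` conversion, so it must never be NULL. The callers visible later in this diff pass `"disabled "` and `""`; I would document that contract with `/* Log a policy hit; 'disabled' is a message prefix ("" or "disabled ") and must not be NULL. */`. Separately, both helpers (and rpz_getdb() in a later hunk) drop the `ns_g_server->log_queries` gate, so rpz_log_fail() now emits under NS_LOGCATEGORY_QUERY_EERRORS whenever the level is enabled. Because these messages are per client query, the logging documentation should tell operators to expect that volume with querylog off.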
@@ -889,9 +873,8 @@ rpz_fail_log(ns_client_t *client, int level, dns_rpz_type_t rpz_type,
* Get a policy rewrite zone database.
*/
static isc_result_t
-rpz_getdb(ns_client_t *client, dns_rpz_type_t rpz_type,
- dns_name_t *rpz_qname, dns_zone_t **zonep,
- dns_db_t **dbp, dns_dbversion_t **versionp)
+rpz_getdb(ns_client_t *client, dns_rpz_type_t rpz_type, dns_name_t *rpz_qname,
+ dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp)
{
char namebuf1[DNS_NAME_FORMATSIZE];
char namebuf2[DNS_NAME_FORMATSIZE];
@@ -901,12 +884,11 @@ rpz_getdb(ns_client_t *client, dns_rpz_type_t rpz_type,
result = query_getzonedb(client, rpz_qname, dns_rdatatype_any,
DNS_GETDB_IGNOREACL, zonep, dbp, &rpz_version);
if (result == ISC_R_SUCCESS) {
- if (ns_g_server->log_queries &&
- isc_log_wouldlog(ns_g_lctx, DNS_RPZ_DEBUG_LEVEL2)) {
+ if (isc_log_wouldlog(ns_g_lctx, DNS_RPZ_DEBUG_LEVEL2)) {
dns_name_format(client->query.qname, namebuf1,
sizeof(namebuf1));
dns_name_format(rpz_qname, namebuf2, sizeof(namebuf2));
- ns_client_log(client, NS_LOGCATEGORY_QUERIES,
+ ns_client_log(client, DNS_LOGCATEGORY_RPZ,
NS_LOGMODULE_QUERY, DNS_RPZ_DEBUG_LEVEL2,
"try rpz %s rewrite %s via %s",
dns_rpz_type2str(rpz_type),
@@ -915,7 +897,7 @@ rpz_getdb(ns_client_t *client, dns_rpz_type_t rpz_type,
*versionp = rpz_version;
return (ISC_R_SUCCESS);
}
- rpz_fail_log(client, DNS_RPZ_ERROR_LEVEL, rpz_type, rpz_qname,
+ rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type, rpz_qname,
"query_getzonedb() ", result);
return (result);
}
@@ -1144,7 +1126,8 @@ query_isduplicate(ns_client_t *client, dns_name_t *name,
if (name == mname)
mname = NULL;
- *mnamep = mname;
+ if (mnamep != NULL)
+ *mnamep = mname;
CTRACE("query_isduplicate: false: done");
return (ISC_FALSE);
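Review bot: Only this final exit path is guarded against a NULL `mnamep`; the rest of query_isduplicate() lies outside the hunk. The new callers in query_addadditional() pass NULL, so the earlier return paths should be confirmed not to store through `mnamep`. The function's header comment should also state the new contract, for example `/* mnamep may be NULL when the caller only needs the duplicate test. */`.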
@@ -1363,6 +1346,10 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
}
if (qtype == dns_rdatatype_a) {
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+ isc_boolean_t have_a = ISC_FALSE;
+#endif
+
/*
* We now go looking for A and AAAA records, along with
* their signatures.
@@ -1385,6 +1372,8 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
if (sigrdataset == NULL)
goto addname;
}
+ if (query_isduplicate(client, fname, dns_rdatatype_a, NULL))
+ goto aaaa_lookup;
result = dns_db_findrdataset(db, node, version,
dns_rdatatype_a, 0,
client->now, rdataset,
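Review bot: When this new duplicate check jumps to `aaaa_lookup`, `have_a` (declared in the previous hunk) is still ISC_FALSE, because it is only set after a successful dns_db_findrdataset() in the next hunk. A duplicate A means an A RRset for this name is already in the message, so the filter-aaaa test added further down (`if (have_a && ...) goto addname;`) appears to be skipped in exactly the case where an A exists. Setting `have_a = ISC_TRUE;` under the same `#ifdef ALLOW_FILTER_AAAA_ON_V4` before the `goto aaaa_lookup;` would keep the filter consistent. The enclosing function body starts and ends outside this hunk, so this reading is limited to the visible hunks.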
@@ -1399,6 +1388,9 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
}
if (result == ISC_R_SUCCESS) {
mname = NULL;
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+ have_a = ISC_TRUE;
+#endif
if (!query_isduplicate(client, fname,
dns_rdatatype_a, &mname)) {
if (mname != NULL) {
@@ -1428,6 +1420,9 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
dns_rdataset_disassociate(sigrdataset);
}
}
+ aaaa_lookup:
+ if (query_isduplicate(client, fname, dns_rdatatype_aaaa, NULL))
+ goto addname;
result = dns_db_findrdataset(db, node, version,
dns_rdatatype_aaaa, 0,
client->now, rdataset,
@@ -1442,6 +1437,17 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
}
if (result == ISC_R_SUCCESS) {
mname = NULL;
+ /*
+ * There's an A; check whether we're filtering AAAA
+ */
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+ if (have_a &&
+ (client->filter_aaaa == dns_v4_aaaa_break_dnssec ||
+ (client->filter_aaaa == dns_v4_aaaa_filter &&
+ (!WANTDNSSEC(client) || sigrdataset == NULL ||
+ !dns_rdataset_isassociated(sigrdataset)))))
+ goto addname;
+#endif
if (!query_isduplicate(client, fname,
dns_rdatatype_aaaa, &mname)) {
if (mname != NULL) {
@@ -1593,7 +1599,13 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
dns_rdatatype_t type;
dns_rdatasetadditional_t additionaltype;
- if (qtype != dns_rdatatype_a) {
+ /*
+ * If we don't have an additional cache call query_addadditional.
+ */
+ client = additionalctx->client;
+ REQUIRE(NS_CLIENT_VALID(client));
+
+ if (qtype != dns_rdatatype_a || client->view->acache == NULL) {
/*
* This function is optimized for "address" types. For other
* types, use a generic routine.
@@ -1607,8 +1619,6 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
* Initialization.
*/
rdataset_base = additionalctx->rdataset;
- client = additionalctx->client;
- REQUIRE(NS_CLIENT_VALID(client));
eresult = ISC_R_SUCCESS;
fname = NULL;
rdataset = NULL;
@@ -1861,6 +1871,9 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
if (sigrdataset == NULL)
goto cleanup;
+ if (additionaltype == dns_rdatasetadditional_fromcache &&
+ query_isduplicate(client, fname, dns_rdatatype_a, NULL))
+ goto aaaa_lookup;
/*
* Find A RRset with sig RRset. Even if we don't find a sig RRset
* for a client using DNSSEC, we'll continue the process to make a
@@ -1905,6 +1918,10 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
}
}
+ aaaa_lookup:
+ if (additionaltype == dns_rdatasetadditional_fromcache &&
+ query_isduplicate(client, fname, dns_rdatatype_aaaa, NULL))
+ goto foundcache;
/* Find AAAA RRset with sig RRset */
result = dns_db_findrdataset(db, node, version, dns_rdatatype_aaaa,
0, client->now, rdataset, sigrdataset);
@@ -3350,8 +3367,9 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db,
sigrdataset, fname, ISC_TRUE, cname);
if (!dns_rdataset_isassociated(rdataset))
goto cleanup;
- query_addrrset(client, &fname, &rdataset, &sigrdataset,
- dbuf, DNS_SECTION_AUTHORITY);
+ if (!ispositive)
+ query_addrrset(client, &fname, &rdataset, &sigrdataset,
+ dbuf, DNS_SECTION_AUTHORITY);
/*
* Replace resources which were consumed by query_addrrset.
@@ -3799,14 +3817,15 @@ rpz_st_clear(ns_client_t *client) {
dns_rpz_st_t *st = client->query.rpz_st;
rpz_clean(&st->m.zone, &st->m.db, &st->m.node, NULL);
+ st->m.version = NULL;
if (st->m.rdataset != NULL)
query_putrdataset(client, &st->m.rdataset);
- rpz_clean(NULL, &st->ns.db, NULL, NULL);
- if (st->ns.ns_rdataset != NULL)
- query_putrdataset(client, &st->ns.ns_rdataset);
- if (st->ns.r_rdataset != NULL)
- query_putrdataset(client, &st->ns.r_rdataset);
+ rpz_clean(NULL, &st->r.db, NULL, NULL);
+ if (st->r.ns_rdataset != NULL)
+ query_putrdataset(client, &st->r.ns_rdataset);
+ if (st->r.r_rdataset != NULL)
+ query_putrdataset(client, &st->r.r_rdataset);
rpz_clean(&st->q.zone, &st->q.db, &st->q.node, NULL);
if (st->q.rdataset != NULL)
@@ -3814,15 +3833,18 @@ rpz_st_clear(ns_client_t *client) {
if (st->q.sigrdataset != NULL)
query_putrdataset(client, &st->q.sigrdataset);
st->state = 0;
+ st->m.type = DNS_RPZ_TYPE_BAD;
+ st->m.policy = DNS_RPZ_POLICY_MISS;
}
/*
- * Get NS, A, or AAAA rrset for rpz nsdname or nsip checking.
+ * Get NS, A, or AAAA rrset for response policy zone checks.
*/
static isc_result_t
-rpz_ns_find(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type,
- dns_db_t **dbp, dns_dbversion_t *version,
- dns_rdataset_t **rdatasetp, isc_boolean_t resuming)
+rpz_rrset_find(ns_client_t *client, dns_rpz_type_t rpz_type,
+ dns_name_t *name, dns_rdatatype_t type,
+ dns_db_t **dbp, dns_dbversion_t *version,
+ dns_rdataset_t **rdatasetp, isc_boolean_t resuming)
{
dns_rpz_st_t *st;
isc_boolean_t is_zone;
@@ -3833,22 +3855,22 @@ rpz_ns_find(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type,
st = client->query.rpz_st;
if ((st->state & DNS_RPZ_RECURSING) != 0) {
- INSIST(st->ns.r_type == type);
+ INSIST(st->r.r_type == type);
INSIST(dns_name_equal(name, st->r_name));
INSIST(*rdatasetp == NULL ||
!dns_rdataset_isassociated(*rdatasetp));
st->state &= ~DNS_RPZ_RECURSING;
- *dbp = st->ns.db;
- st->ns.db = NULL;
+ *dbp = st->r.db;
+ st->r.db = NULL;
if (*rdatasetp != NULL)
query_putrdataset(client, rdatasetp);
- *rdatasetp = st->ns.r_rdataset;
- st->ns.r_rdataset = NULL;
- result = st->ns.r_result;
+ *rdatasetp = st->r.r_rdataset;
+ st->r.r_rdataset = NULL;
+ result = st->r.r_result;
if (result == DNS_R_DELEGATION) {
- rpz_fail_log(client, DNS_RPZ_ERROR_LEVEL,
- DNS_RPZ_TYPE_NSIP, name,
- "rpz_ns_find() ", result);
+ rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
+ rpz_type, name,
+ "rpz_rrset_find(1) ", result);
st->m.policy = DNS_RPZ_POLICY_ERROR;
result = DNS_R_SERVFAIL;
}
@@ -3870,9 +3892,9 @@ rpz_ns_find(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type,
result = query_getdb(client, name, type, 0, &zone, dbp,
&version, &is_zone);
if (result != ISC_R_SUCCESS) {
- rpz_fail_log(client, DNS_RPZ_ERROR_LEVEL,
- DNS_RPZ_TYPE_NSIP, name, "NS getdb() ",
- result);
+ rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
+ rpz_type, name,
+ "rpz_rrset_find(2) ", result);
st->m.policy = DNS_RPZ_POLICY_ERROR;
if (zone != NULL)
dns_zone_detach(&zone);
@@ -3885,8 +3907,8 @@ rpz_ns_find(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type,
node = NULL;
dns_fixedname_init(&fixed);
found = dns_fixedname_name(&fixed);
- result = dns_db_find(*dbp, name, version, type, 0, client->now, &node,
- found, *rdatasetp, NULL);
+ result = dns_db_find(*dbp, name, version, type, DNS_DBFIND_GLUEOK,
+ client->now, &node, found, *rdatasetp, NULL);
if (result == DNS_R_DELEGATION && is_zone && USECACHE(client)) {
/*
* Try the cache if we're authoritative for an
@@ -3901,16 +3923,21 @@ rpz_ns_find(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type,
}
rpz_clean(NULL, dbp, &node, NULL);
if (result == DNS_R_DELEGATION) {
+ rpz_clean(NULL, NULL, NULL, rdatasetp);
/*
- * Recurse to get NS rrset or A or AAAA rrset for an NS name.
+ * Recurse for NS rrset or A or AAAA rrset for an NS.
+ * Do not recurse for addresses for the query name.
*/
- rpz_clean(NULL, NULL, NULL, rdatasetp);
- dns_name_copy(name, st->r_name, NULL);
- result = query_recurse(client, type, st->r_name, NULL, NULL,
- resuming);
- if (result == ISC_R_SUCCESS) {
- st->state |= DNS_RPZ_RECURSING;
- result = DNS_R_DELEGATION;
+ if (rpz_type == DNS_RPZ_TYPE_IP) {
+ result = DNS_R_NXRRSET;
+ } else {
+ dns_name_copy(name, st->r_name, NULL);
+ result = query_recurse(client, type, st->r_name,
+ NULL, NULL, resuming);
+ if (result == ISC_R_SUCCESS) {
+ st->state |= DNS_RPZ_RECURSING;
+ result = DNS_R_DELEGATION;
+ }
}
}
return (result);
@@ -3928,7 +3955,7 @@ rpz_rewrite_ip(ns_client_t *client, dns_rdataset_t *rdataset,
dns_dbversion_t *version;
dns_zone_t *zone;
dns_db_t *db;
- dns_rpz_zone_t *new_rpz;
+ dns_rpz_zone_t *rpz;
isc_result_t result;
st = client->query.rpz_st;
@@ -3939,16 +3966,26 @@ rpz_rewrite_ip(ns_client_t *client, dns_rdataset_t *rdataset,
}
zone = NULL;
db = NULL;
- for (new_rpz = ISC_LIST_HEAD(client->view->rpz_zones);
- new_rpz != NULL;
- new_rpz = ISC_LIST_NEXT(new_rpz, link)) {
- version = NULL;
+ for (rpz = ISC_LIST_HEAD(client->view->rpz_zones);
+ rpz != NULL;
+ rpz = ISC_LIST_NEXT(rpz, link)) {
+ /*
+ * Do not check policy zones that cannot replace a policy
+ * already known to match.
+ */
+ if (st->m.policy != DNS_RPZ_POLICY_MISS) {
+ if (st->m.rpz->num < rpz->num)
+ break;
+ if (st->m.rpz->num == rpz->num &&
+ st->m.type < rpz_type)
+ continue;
+ }
/*
- * Find the database for this policy zone to get its
- * radix tree.
+ * Find the database for this policy zone to get its radix tree.
*/
- result = rpz_getdb(client, rpz_type, &new_rpz->origin,
+ version = NULL;
+ result = rpz_getdb(client, rpz_type, &rpz->origin,
&zone, &db, &version);
if (result != ISC_R_SUCCESS) {
rpz_clean(&zone, &db, NULL, NULL);
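Review bot: The new precedence test dereferences `st->m.rpz` for every policy other than DNS_RPZ_POLICY_MISS, which includes DNS_RPZ_POLICY_ERROR. Several sites in this diff set `st->m.policy = DNS_RPZ_POLICY_ERROR` without assigning `st->m.rpz`, and rpz_rewrite() zero-fills `st->m` at allocation, so the pointer can be NULL in that state. The callers shown seem to bail out before reaching this loop after an error, but the assumption is implicit. I would make it explicit with `INSIST(st->m.rpz != NULL);` inside the `if`, or test `st->m.rpz != NULL` alongside the policy. The same pattern is added to rpz_rewrite_name() in a later hunk.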
@@ -3960,26 +3997,31 @@ rpz_rewrite_ip(ns_client_t *client, dns_rdataset_t *rdataset,
* hit, if any. Note the domain name and quality of the
* best hit.
*/
- result = dns_db_rpz_findips(new_rpz, rpz_type, zone, db,
- version, rdataset, st);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ (void)dns_db_rpz_findips(rpz, rpz_type, zone, db, version,
+ rdataset, st,
+ client->query.rpz_st->qname);
rpz_clean(&zone, &db, NULL, NULL);
}
return (ISC_R_SUCCESS);
}
+/*
+ * Look for an A or AAAA rdataset
+ * and check for IP or NSIP rewrite policy rules.
+ */
static isc_result_t
-rpz_rewrite_nsip(ns_client_t *client, dns_rdatatype_t type, dns_name_t *name,
- dns_db_t **dbp, dns_dbversion_t *version,
- dns_rdataset_t **rdatasetp, isc_boolean_t resuming)
+rpz_rewrite_rrset(ns_client_t *client, dns_rpz_type_t rpz_type,
+ dns_rdatatype_t type, dns_name_t *name,
+ dns_db_t **dbp, dns_dbversion_t *version,
+ dns_rdataset_t **rdatasetp, isc_boolean_t resuming)
{
isc_result_t result;
- result = rpz_ns_find(client, name, type, dbp, version, rdatasetp,
- resuming);
+ result = rpz_rrset_find(client, rpz_type, name, type, dbp, version,
+ rdatasetp, resuming);
switch (result) {
case ISC_R_SUCCESS:
- result = rpz_rewrite_ip(client, *rdatasetp, DNS_RPZ_TYPE_NSIP);
+ result = rpz_rewrite_ip(client, *rdatasetp, rpz_type);
break;
case DNS_R_EMPTYNAME:
case DNS_R_EMPTYWILD:
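Review bot: The result of dns_db_rpz_findips() is now discarded with a `(void)` cast where the old code asserted success. Dropping the RUNTIME_CHECK avoids aborting the server, but if the call can fail, that policy zone's IP rules are silently not evaluated for this query and nothing is logged. I would keep the result and report it, e.g. `if (result != ISC_R_SUCCESS) rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type, &rpz->origin, "rpz_findips() ", result);`. As a style point, the new last argument `client->query.rpz_st->qname` is the same object as `st->qname`, since `st` is assigned from `client->query.rpz_st` earlier in the function.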
@@ -3987,17 +4029,24 @@ rpz_rewrite_nsip(ns_client_t *client, dns_rdatatype_t type, dns_name_t *name,
case DNS_R_NCACHENXDOMAIN:
case DNS_R_NXRRSET:
case DNS_R_NCACHENXRRSET:
+ case ISC_R_NOTFOUND:
result = ISC_R_SUCCESS;
break;
case DNS_R_DELEGATION:
case DNS_R_DUPLICATE:
case DNS_R_DROP:
break;
+ case DNS_R_CNAME:
+ case DNS_R_DNAME:
+ rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, rpz_type,
+ name, "NS address rewrite rrset ", result);
+ result = ISC_R_SUCCESS;
+ break;
default:
if (client->query.rpz_st->m.policy != DNS_RPZ_POLICY_ERROR) {
client->query.rpz_st->m.policy = DNS_RPZ_POLICY_ERROR;
- rpz_fail_log(client, ISC_LOG_WARNING, DNS_RPZ_TYPE_NSIP,
- name, "NS address rewrite nsip ", result);
+ rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type,
+ name, "NS address rewrite rrset ", result);
}
break;
}
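Review bot: This switch has no case for DNS_R_GLUE, although rpz_rrset_find() now calls dns_db_find() with DNS_DBFIND_GLUEOK (earlier hunk) and can therefore hand back a glue result. As far as the visible cases show, that result would fall to `default`, set DNS_RPZ_POLICY_ERROR and turn the query into SERVFAIL instead of checking the addresses. One case line sits between this hunk and the previous one and is not visible, so please confirm. If it is missing, adding `case DNS_R_GLUE:` next to `case ISC_R_SUCCESS:` would route glue addresses to rpz_rewrite_ip(). The log text `"NS address rewrite rrset "` is also used when `rpz_type` is DNS_RPZ_TYPE_IP, where "NS address" is misleading.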
@@ -4005,15 +4054,61 @@ rpz_rewrite_nsip(ns_client_t *client, dns_rdatatype_t type, dns_name_t *name,
}
/*
+ * Look for both A and AAAA rdatasets
+ * and check for IP or NSIP rewrite policy rules.
+ * Look only for addresses that will be in the ANSWER section
+ * when checking for IP rules.
+ */
+static isc_result_t
+rpz_rewrite_rrsets(ns_client_t *client, dns_rpz_type_t rpz_type,
+ dns_name_t *name, dns_rdatatype_t type,
+ dns_rdataset_t **rdatasetp, isc_boolean_t resuming)
+{
+ dns_rpz_st_t *st;
+ dns_dbversion_t *version;
+ dns_db_t *ipdb;
+ isc_result_t result;
+
+ st = client->query.rpz_st;
+ version = NULL;
+ ipdb = NULL;
+ if ((st->state & DNS_RPZ_DONE_IPv4) == 0 &&
+ ((rpz_type == DNS_RPZ_TYPE_NSIP) ?
+ (st->state & DNS_RPZ_HAVE_NSIPv4) :
+ (st->state & DNS_RPZ_HAVE_IP)) != 0 &&
+ (type == dns_rdatatype_any || type == dns_rdatatype_a)) {
+ result = rpz_rewrite_rrset(client, rpz_type, dns_rdatatype_a,
+ name, &ipdb, version, rdatasetp,
+ resuming);
+ if (result == ISC_R_SUCCESS)
+ st->state |= DNS_RPZ_DONE_IPv4;
+ } else {
+ result = ISC_R_SUCCESS;
+ }
+ if (result == ISC_R_SUCCESS &&
+ ((rpz_type == DNS_RPZ_TYPE_NSIP) ?
+ (st->state & DNS_RPZ_HAVE_NSIPv6) :
+ (st->state & DNS_RPZ_HAVE_IP)) != 0 &&
+ (type == dns_rdatatype_any || type == dns_rdatatype_aaaa)) {
+ result = rpz_rewrite_rrset(client, rpz_type, dns_rdatatype_aaaa,
+ name, &ipdb, version, rdatasetp,
+ resuming);
+ }
+ if (ipdb != NULL)
+ dns_db_detach(&ipdb);
+ return (result);
+}
+
+/*
* Get the rrset from a response policy zone.
*/
static isc_result_t
rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
dns_name_t *sname, dns_rpz_type_t rpz_type, dns_zone_t **zonep,
- dns_db_t **dbp, dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp,
+ dns_db_t **dbp, dns_dbversion_t **versionp,
+ dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp,
dns_rpz_policy_t *policyp)
{
- dns_dbversion_t *version;
dns_rpz_policy_t policy;
dns_fixedname_t fixed;
dns_name_t *found;
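Review bot: The header comment of rpz_rewrite_rrsets() does not mention that it leaves DNS_RPZ_DONE_IPv4 set in `st->state` after a successful A lookup and relies on the caller to clear it. Both call sites in rpz_rewrite() do clear the bit after a successful return, and the flag is what lets a resumed AAAA recursion skip the A pass, so the protocol is worth writing down. I would add `* DNS_RPZ_DONE_IPv4 is left set so a resumed call skips the A lookup; the caller clears it once both lookups succeed.` to the comment. The changes to rpz_find() at the end of this hunk continue outside it.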
@@ -4029,8 +4124,8 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
* Try to get either a CNAME or the type of record demanded by the
* request from the policy zone.
*/
- version = NULL;
- result = rpz_getdb(client, rpz_type, qnamef, zonep, dbp, &version);
+ *versionp = NULL;
+ result = rpz_getdb(client, rpz_type, qnamef, zonep, dbp, versionp);
if (result != ISC_R_SUCCESS) {
*policyp = DNS_RPZ_POLICY_MISS;
return (DNS_R_NXDOMAIN);
@@ -4038,17 +4133,17 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
dns_fixedname_init(&fixed);
found = dns_fixedname_name(&fixed);
- result = dns_db_find(*dbp, qnamef, version, dns_rdatatype_any, 0,
+ result = dns_db_find(*dbp, qnamef, *versionp, dns_rdatatype_any, 0,
client->now, nodep, found, *rdatasetp, NULL);
if (result == ISC_R_SUCCESS) {
dns_rdatasetiter_t *rdsiter;
rdsiter = NULL;
- result = dns_db_allrdatasets(*dbp, *nodep, version, 0,
+ result = dns_db_allrdatasets(*dbp, *nodep, *versionp, 0,
&rdsiter);
if (result != ISC_R_SUCCESS) {
dns_db_detachnode(*dbp, nodep);
- rpz_fail_log(client, DNS_RPZ_ERROR_LEVEL, rpz_type,
+ rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type,
qnamef, "allrdatasets()", result);
*policyp = DNS_RPZ_POLICY_ERROR;
return (DNS_R_SERVFAIL);
@@ -4065,7 +4160,7 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
dns_rdatasetiter_destroy(&rdsiter);
if (result != ISC_R_SUCCESS) {
if (result != ISC_R_NOMORE) {
- rpz_fail_log(client, DNS_RPZ_ERROR_LEVEL,
+ rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
rpz_type, qnamef, "rdatasetiter",
result);
*policyp = DNS_RPZ_POLICY_ERROR;
@@ -4083,7 +4178,7 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
qtype == dns_rdatatype_sig)
result = DNS_R_NXRRSET;
else
- result = dns_db_find(*dbp, qnamef, version,
+ result = dns_db_find(*dbp, qnamef, *versionp,
qtype, 0, client->now,
nodep, found, *rdatasetp,
NULL);
@@ -4095,7 +4190,8 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
policy = DNS_RPZ_POLICY_RECORD;
} else {
policy = dns_rpz_decode_cname(*rdatasetp, sname);
- if (policy == DNS_RPZ_POLICY_RECORD &&
+ if ((policy == DNS_RPZ_POLICY_RECORD ||
+ policy == DNS_RPZ_POLICY_WILDCNAME) &&
qtype != dns_rdatatype_cname &&
qtype != dns_rdatatype_any)
result = DNS_R_CNAME;
@@ -4106,8 +4202,8 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
* DNAME policy RRs have very few if any uses that are not
* better served with simple wildcards. Making the work would
* require complications to get the number of labels matched
- * in the name or the found name itself to the main DNS_R_DNAME
- * case in query_find(). So fall through to treat them as NODATA.
+ * in the name or the found name to the main DNS_R_DNAME case
+ * in query_find(). So fall through to treat them as NODATA.
*/
case DNS_R_NXRRSET:
policy = DNS_RPZ_POLICY_NODATA;
@@ -4126,7 +4222,7 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
default:
dns_db_detach(dbp);
dns_zone_detach(zonep);
- rpz_fail_log(client, DNS_RPZ_ERROR_LEVEL, rpz_type, qnamef,
+ rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type, qnamef,
"", result);
policy = DNS_RPZ_POLICY_ERROR;
result = DNS_R_SERVFAIL;
@@ -4150,6 +4246,7 @@ rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
dns_name_t *prefix, *suffix, *rpz_qname;
dns_zone_t *zone;
dns_db_t *db;
+ dns_dbversion_t *version;
dns_dbnode_t *node;
dns_rpz_policy_t policy;
unsigned int labels;
@@ -4164,7 +4261,18 @@ rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
rpz != NULL;
rpz = ISC_LIST_NEXT(rpz, link)) {
/*
- * Construct the rule's owner name.
+ * Do not check policy zones that cannot replace a policy
+ * already known to match.
+ */
+ if (st->m.policy != DNS_RPZ_POLICY_MISS) {
+ if (st->m.rpz->num < rpz->num)
+ break;
+ if (st->m.rpz->num == rpz->num &&
+ st->m.type < rpz_type)
+ continue;
+ }
+ /*
+ * Construct the policy's owner name.
*/
dns_fixedname_init(&prefixf);
prefix = dns_fixedname_name(&prefixf);
@@ -4183,13 +4291,13 @@ rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
INSIST(result == DNS_R_NAMETOOLONG);
labels = dns_name_countlabels(prefix);
if (labels < 2) {
- rpz_fail_log(client, DNS_RPZ_ERROR_LEVEL,
+ rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
rpz_type, suffix,
"concatentate() ", result);
return (ISC_R_SUCCESS);
}
if (labels+1 == dns_name_countlabels(qname)) {
- rpz_fail_log(client, DNS_RPZ_DEBUG_LEVEL1,
+ rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1,
rpz_type, suffix,
"concatentate() ", result);
}
@@ -4197,10 +4305,11 @@ rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
}
/*
- * See if the qname rule (or RR) exists.
+ * See if the policy record exists.
*/
result = rpz_find(client, qtype, rpz_qname, qname, rpz_type,
- &zone, &db, &node, rdatasetp, &policy);
+ &zone, &db, &version, &node, rdatasetp,
+ &policy);
switch (result) {
case DNS_R_NXDOMAIN:
case DNS_R_EMPTYNAME:
@@ -4211,14 +4320,31 @@ rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
return (DNS_R_SERVFAIL);
default:
/*
- * when more than one name or address hits a rule,
- * prefer the first set of names (qname or NS),
- * the first policy zone, and the smallest name
+ * We are dealing with names here.
+ * With more than one applicable policy, prefer
+ * the earliest configured policy,
+ * QNAME over IP over NSDNAME over NSIP,
+ * and the smallest name.
+ * Because of the testing above,
+ * we known st->m.rpz->num >= rpz->num and either
+ * st->m.rpz->num > rpz->num or st->m.type >= rpz_type
+ */
+ if (st->m.policy != DNS_RPZ_POLICY_MISS &&
+ rpz->num == st->m.rpz->num &&
+ (st->m.type < rpz_type ||
+ (st->m.type == rpz_type &&
+ 0 >= dns_name_compare(rpz_qname, st->qname))))
+ continue;
+
+ /*
+ * Merely log DNS_RPZ_POLICY_DISABLED hits.
*/
- if (st->m.type == rpz_type &&
- rpz->num > st->m.rpz->num &&
- 0 <= dns_name_compare(rpz_qname, st->qname))
+ if (rpz->policy == DNS_RPZ_POLICY_DISABLED) {
+ rpz_log_rewrite(client, "disabled ",
+ policy, rpz_type, rpz_qname);
continue;
+ }
+
rpz_clean(&st->m.zone, &st->m.db, &st->m.node,
&st->m.rdataset);
st->m.rpz = rpz;
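Review bot: The direction of the name comparison appears to contradict the comment above it. The comment says to prefer "the smallest name", but `0 >= dns_name_compare(rpz_qname, st->qname)` skips the new hit when its name is smaller than or equal to the recorded one, so the larger name wins. The removed code used `0 <=`. If the flip is intentional, the comment should say which name is kept; if not, the test should read `0 <= dns_name_compare(rpz_qname, st->qname)`. The comment also has a typo, "we known" for "we know", and the `continue` paths sit inside a loop whose start and end are outside this hunk.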
@@ -4227,7 +4353,8 @@ rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
st->m.policy = policy;
st->m.result = result;
dns_name_copy(rpz_qname, st->qname, NULL);
- if (dns_rdataset_isassociated(*rdatasetp)) {
+ if (*rdatasetp != NULL &&
+ dns_rdataset_isassociated(*rdatasetp)) {
dns_rdataset_t *trdataset;
trdataset = st->m.rdataset;
@@ -4241,6 +4368,7 @@ rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
node = NULL;
st->m.db = db;
db = NULL;
+ st->m.version = version;
st->m.zone = zone;
zone = NULL;
}
@@ -4250,24 +4378,38 @@ rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
return (ISC_R_SUCCESS);
}
+static void
+rpz_rewrite_ns_skip(ns_client_t *client, dns_name_t *nsname,
+ isc_result_t result, int level, const char *str)
+{
+ dns_rpz_st_t *st;
+
+ st = client->query.rpz_st;
+
+ if (str != NULL)
+ rpz_log_fail(client, level, DNS_RPZ_TYPE_NSIP, nsname,
+ str, result);
+ if (st->r.ns_rdataset != NULL &&
+ dns_rdataset_isassociated(st->r.ns_rdataset))
+ dns_rdataset_disassociate(st->r.ns_rdataset);
+
+ st->r.label--;
+}
+
/*
- * Look for response policy zone NSIP and NSDNAME rewriting.
+ * Look for response policy zone QNAME, NSIP, and NSDNAME rewriting.
*/
static isc_result_t
-rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype,
+rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
isc_boolean_t resuming)
{
dns_rpz_st_t *st;
- dns_db_t *ipdb;
dns_rdataset_t *rdataset;
dns_fixedname_t nsnamef;
dns_name_t *nsname;
- dns_dbversion_t *version;
+ isc_boolean_t ck_ip;
isc_result_t result;
- ipdb = NULL;
- rdataset = NULL;
-
st = client->query.rpz_st;
if (st == NULL) {
st = isc_mem_get(client->mctx, sizeof(*st));
@@ -4275,7 +4417,9 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype,
return (ISC_R_NOMEMORY);
st->state = 0;
memset(&st->m, 0, sizeof(st->m));
- memset(&st->ns, 0, sizeof(st->ns));
+ st->m.type = DNS_RPZ_TYPE_BAD;
+ st->m.policy = DNS_RPZ_POLICY_MISS;
+ memset(&st->r, 0, sizeof(st->r));
memset(&st->q, 0, sizeof(st->q));
dns_fixedname_init(&st->_qnamef);
dns_fixedname_init(&st->_r_namef);
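Review bot: rpz_rewrite_ns_skip() is added without a header comment, and it always logs with DNS_RPZ_TYPE_NSIP. Its callers in the next hunk invoke it after an NS lookup made with DNS_RPZ_TYPE_NSDNAME, so the logged rule type will not match the lookup that failed. I would either pass the type in or document the choice, and add `/* Log (when str != NULL) and skip the current label: release the NS rdataset and step st->r.label towards the root. */`. The unconditional `st->r.label--` is safe only because the caller loops on `st->r.label > 1`, which is worth noting in the same comment.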
@@ -4285,78 +4429,147 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype,
st->fname = dns_fixedname_name(&st->_fnamef);
client->query.rpz_st = st;
}
- if ((st->state & DNS_RPZ_DONE_QNAME) == 0) {
- st->state = DNS_RPZ_DONE_QNAME;
- st->m.type = DNS_RPZ_TYPE_BAD;
- st->m.policy = DNS_RPZ_POLICY_MISS;
+ /*
+ * There is nothing to rewrite if the main query failed.
+ */
+ switch (qresult) {
+ case ISC_R_SUCCESS:
+ case DNS_R_GLUE:
+ case DNS_R_ZONECUT:
+ ck_ip = ISC_TRUE;
+ break;
+ case DNS_R_EMPTYNAME:
+ case DNS_R_NXRRSET:
+ case DNS_R_NXDOMAIN:
+ case DNS_R_EMPTYWILD:
+ case DNS_R_NCACHENXDOMAIN:
+ case DNS_R_NCACHENXRRSET:
+ case DNS_R_CNAME:
+ case DNS_R_DNAME:
+ ck_ip = ISC_FALSE;
+ break;
+ case DNS_R_DELEGATION:
+ case ISC_R_NOTFOUND:
+ return (ISC_R_SUCCESS);
+ case ISC_R_FAILURE:
+ case ISC_R_TIMEDOUT:
+ case DNS_R_BROKENCHAIN:
+ rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL3, DNS_RPZ_TYPE_QNAME,
+ client->query.qname,
+ "stop on qresult in rpz_rewrite()",
+ qresult);
+ return (ISC_R_SUCCESS);
+ default:
+ rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, DNS_RPZ_TYPE_QNAME,
+ client->query.qname,
+ "stop on unrecognized qresult in rpz_rewrite()",
+ qresult);
+ return (ISC_R_SUCCESS);
+ }
+
+ rdataset = NULL;
+ if ((st->state & DNS_RPZ_DONE_QNAME) == 0) {
/*
- * Check rules for the name if this it the first time,
- * i.e. we've not been recursing.
+ * Check rules for the query name if this it the first time
+ * for the current qname, i.e. we've not been recursing.
+ * There is a first time for each name in a CNAME chain.
*/
- st->state &= ~(DNS_RPZ_HAVE_IP | DNS_RPZ_HAVE_NSIPv4 |
- DNS_RPZ_HAVE_NSIPv6 | DNS_RPZ_HAD_NSDNAME);
result = rpz_rewrite_name(client, qtype, client->query.qname,
DNS_RPZ_TYPE_QNAME, &rdataset);
if (result != ISC_R_SUCCESS)
goto cleanup;
- if (st->m.policy != DNS_RPZ_POLICY_MISS)
- goto cleanup;
- if ((st->state & (DNS_RPZ_HAVE_NSIPv4 | DNS_RPZ_HAVE_NSIPv6 |
- DNS_RPZ_HAD_NSDNAME)) == 0)
+
+ st->r.label = dns_name_countlabels(client->query.qname);
+
+ st->state &= ~(DNS_RPZ_DONE_QNAME_IP | DNS_RPZ_DONE_IPv4);
+ st->state |= DNS_RPZ_DONE_QNAME;
+ }
+
+ /*
+ * Check known IP addresses for the query name.
+ * Any recursion required for the query has already happened.
+ * Do not check addresses that will not be in the ANSWER section.
+ */
+ if ((st->state & DNS_RPZ_DONE_QNAME_IP) == 0 &&
+ (st->state & DNS_RPZ_HAVE_IP) != 0 && ck_ip) {
+ result = rpz_rewrite_rrsets(client, DNS_RPZ_TYPE_IP,
+ client->query.qname, qtype,
+ &rdataset, resuming);
+ if (result != ISC_R_SUCCESS)
goto cleanup;
- st->ns.label = dns_name_countlabels(client->query.qname);
+ st->state &= ~DNS_RPZ_DONE_IPv4;
+ st->state |= DNS_RPZ_DONE_QNAME_IP;
+ }
+
+ /*
+ * Stop looking for rules if there are none of the other kinds.
+ */
+ if ((st->state & (DNS_RPZ_HAVE_NSIPv4 | DNS_RPZ_HAVE_NSIPv6 |
+ DNS_RPZ_HAVE_NSDNAME)) == 0) {
+ result = ISC_R_SUCCESS;
+ goto cleanup;
}
dns_fixedname_init(&nsnamef);
dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef));
- while (st->ns.label > 1 && st->m.policy == DNS_RPZ_POLICY_MISS) {
- if (st->ns.label == dns_name_countlabels(client->query.qname)) {
+ while (st->r.label > 1) {
+ /*
+ * Get NS rrset for each domain in the current qname.
+ */
+ if (st->r.label == dns_name_countlabels(client->query.qname)) {
nsname = client->query.qname;
} else {
nsname = dns_fixedname_name(&nsnamef);
- dns_name_split(client->query.qname, st->ns.label,
+ dns_name_split(client->query.qname, st->r.label,
NULL, nsname);
}
- if (st->ns.ns_rdataset == NULL ||
- !dns_rdataset_isassociated(st->ns.ns_rdataset)) {
+ if (st->r.ns_rdataset == NULL ||
+ !dns_rdataset_isassociated(st->r.ns_rdataset)) {
dns_db_t *db = NULL;
- result = rpz_ns_find(client, nsname, dns_rdatatype_ns,
- &db, NULL, &st->ns.ns_rdataset,
- resuming);
+ result = rpz_rrset_find(client, DNS_RPZ_TYPE_NSDNAME,
+ nsname, dns_rdatatype_ns,
+ &db, NULL, &st->r.ns_rdataset,
+ resuming);
if (db != NULL)
dns_db_detach(&db);
- if (result != ISC_R_SUCCESS) {
- if (result == DNS_R_DELEGATION)
+ if (st->m.policy == DNS_RPZ_POLICY_ERROR)
+ goto cleanup;
+ switch (result) {
+ case ISC_R_SUCCESS:
+ result = dns_rdataset_first(st->r.ns_rdataset);
+ if (result != ISC_R_SUCCESS)
goto cleanup;
- if (result == DNS_R_EMPTYNAME ||
- result == DNS_R_NXRRSET ||
- result == DNS_R_EMPTYWILD ||
- result == DNS_R_NXDOMAIN ||
- result == DNS_R_NCACHENXDOMAIN ||
- result == DNS_R_NCACHENXRRSET ||
- result == DNS_R_CNAME ||
- result == DNS_R_DNAME) {
- rpz_fail_log(client,
- DNS_RPZ_DEBUG_LEVEL2,
- DNS_RPZ_TYPE_NSIP, nsname,
- "NS db_find() ", result);
- dns_rdataset_disassociate(st->ns.
- ns_rdataset);
- st->ns.label--;
- continue;
- }
- if (st->m.policy != DNS_RPZ_POLICY_ERROR) {
- rpz_fail_log(client, DNS_RPZ_INFO_LEVEL,
- DNS_RPZ_TYPE_NSIP, nsname,
- "NS db_find() ", result);
- st->m.policy = DNS_RPZ_POLICY_ERROR;
- }
+ st->state &= ~(DNS_RPZ_DONE_NSDNAME |
+ DNS_RPZ_DONE_IPv4);
+ break;
+ case DNS_R_DELEGATION:
goto cleanup;
+ case DNS_R_EMPTYNAME:
+ case DNS_R_NXRRSET:
+ case DNS_R_EMPTYWILD:
+ case DNS_R_NXDOMAIN:
+ case DNS_R_NCACHENXDOMAIN:
+ case DNS_R_NCACHENXRRSET:
+ case ISC_R_NOTFOUND:
+ case DNS_R_CNAME:
+ case DNS_R_DNAME:
+ rpz_rewrite_ns_skip(client, nsname, result,
+ 0, NULL);
+ continue;
+ case ISC_R_TIMEDOUT:
+ case DNS_R_BROKENCHAIN:
+ case ISC_R_FAILURE:
+ rpz_rewrite_ns_skip(client, nsname, result,
+ DNS_RPZ_DEBUG_LEVEL3,
+ "NS db_find() ");
+ continue;
+ default:
+ rpz_rewrite_ns_skip(client, nsname, result,
+ DNS_RPZ_INFO_LEVEL,
+ "unrecognized NS db_find() ");
+ continue;
}
- result = dns_rdataset_first(st->ns.ns_rdataset);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
}
/*
* Check all NS names.
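Review bot: Every failure path added in this hunk skips policy evaluation and reports it only at debug level, which makes "no rule matched" and "rules were not evaluated" look the same to an operator. An unrecognized `qresult` returns ISC_R_SUCCESS after a DNS_RPZ_DEBUG_LEVEL1 message, and ISC_R_TIMEDOUT, DNS_R_BROKENCHAIN and ISC_R_FAILURE on the NS lookup go through rpz_rewrite_ns_skip() at DNS_RPZ_DEBUG_LEVEL3. If failing open is the intended behaviour, a comment above each switch should say so, for example `/* Lookup failures deliberately fail open: the response is left unmodified. */`. The timeout and failure cases would be more useful to someone monitoring policy coverage at DNS_RPZ_INFO_LEVEL. The function body continues in the following hunks.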
@@ -4365,17 +4578,30 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype,
dns_rdata_ns_t ns;
dns_rdata_t nsrdata = DNS_RDATA_INIT;
- dns_rdataset_current(st->ns.ns_rdataset, &nsrdata);
+ dns_rdataset_current(st->r.ns_rdataset, &nsrdata);
result = dns_rdata_tostruct(&nsrdata, &ns, NULL);
dns_rdata_reset(&nsrdata);
if (result != ISC_R_SUCCESS) {
- rpz_fail_log(client, DNS_RPZ_ERROR_LEVEL,
+ rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
DNS_RPZ_TYPE_NSIP, nsname,
"rdata_tostruct() ", result);
st->m.policy = DNS_RPZ_POLICY_ERROR;
goto cleanup;
}
- if ((st->state & DNS_RPZ_HAD_NSDNAME) != 0) {
+ /*
+ * Do nothing about "NS ."
+ */
+ if (dns_name_equal(&ns.name, dns_rootname)) {
+ dns_rdata_freestruct(&ns);
+ result = dns_rdataset_next(st->r.ns_rdataset);
+ continue;
+ }
+ /*
+ * Check this NS name if we did not handle it
+ * during a previous recursion.
+ */
+ if ((st->state & DNS_RPZ_DONE_NSDNAME) == 0 &&
+ (st->state & DNS_RPZ_HAVE_NSDNAME) != 0) {
result = rpz_rewrite_name(client, qtype,
&ns.name,
DNS_RPZ_TYPE_NSDNAME,
@@ -4384,42 +4610,23 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype,
dns_rdata_freestruct(&ns);
goto cleanup;
}
+ st->state |= DNS_RPZ_DONE_NSDNAME;
}
/*
- * Check all IP addresses for this NS name, but don't
- * bother without NSIP rules or with a NSDNAME hit.
+ * Check all IP addresses for this NS name.
*/
- version = NULL;
- if ((st->state & DNS_RPZ_HAVE_NSIPv4) != 0 &&
- st->m.type != DNS_RPZ_TYPE_NSDNAME &&
- (st->state & DNS_RPZ_DONE_A) == 0) {
- result = rpz_rewrite_nsip(client,
- dns_rdatatype_a,
- &ns.name, &ipdb,
- version, &rdataset,
- resuming);
- if (result == ISC_R_SUCCESS)
- st->state |= DNS_RPZ_DONE_A;
- }
- if (result == ISC_R_SUCCESS &&
- (st->state & DNS_RPZ_HAVE_NSIPv6) != 0 &&
- st->m.type != DNS_RPZ_TYPE_NSDNAME) {
- result = rpz_rewrite_nsip(client,
- dns_rdatatype_aaaa,
- &ns.name, &ipdb,
- version, &rdataset,
- resuming);
- }
+ result = rpz_rewrite_rrsets(client, DNS_RPZ_TYPE_NSIP,
+ &ns.name, dns_rdatatype_any,
+ &rdataset, resuming);
dns_rdata_freestruct(&ns);
- if (ipdb != NULL)
- dns_db_detach(&ipdb);
if (result != ISC_R_SUCCESS)
goto cleanup;
- st->state &= ~DNS_RPZ_DONE_A;
- result = dns_rdataset_next(st->ns.ns_rdataset);
+ st->state &= ~(DNS_RPZ_DONE_NSDNAME |
+ DNS_RPZ_DONE_IPv4);
+ result = dns_rdataset_next(st->r.ns_rdataset);
} while (result == ISC_R_SUCCESS);
- dns_rdataset_disassociate(st->ns.ns_rdataset);
- st->ns.label--;
+ dns_rdataset_disassociate(st->r.ns_rdataset);
+ st->r.label--;
}
/*
@@ -4429,31 +4636,76 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype,
cleanup:
if (st->m.policy != DNS_RPZ_POLICY_MISS &&
- st->m.policy != DNS_RPZ_POLICY_NO_OP &&
st->m.policy != DNS_RPZ_POLICY_ERROR &&
st->m.rpz->policy != DNS_RPZ_POLICY_GIVEN)
st->m.policy = st->m.rpz->policy;
- if (st->m.policy == DNS_RPZ_POLICY_NO_OP)
- rpz_log(client);
if (st->m.policy == DNS_RPZ_POLICY_MISS ||
- st->m.policy == DNS_RPZ_POLICY_NO_OP ||
- st->m.policy == DNS_RPZ_POLICY_ERROR)
+ st->m.policy == DNS_RPZ_POLICY_PASSTHRU ||
+ st->m.policy == DNS_RPZ_POLICY_ERROR) {
+ if (st->m.policy == DNS_RPZ_POLICY_PASSTHRU)
+ rpz_log_rewrite(client, "", st->m.policy, st->m.type,
+ st->qname);
rpz_clean(&st->m.zone, &st->m.db, &st->m.node, &st->m.rdataset);
- if (st->m.policy != DNS_RPZ_POLICY_MISS)
- st->state |= DNS_RPZ_REWRITTEN;
+ }
if (st->m.policy == DNS_RPZ_POLICY_ERROR) {
st->m.type = DNS_RPZ_TYPE_BAD;
result = DNS_R_SERVFAIL;
}
- if (rdataset != NULL)
- query_putrdataset(client, &rdataset);
- if ((st->state & DNS_RPZ_RECURSING) == 0) {
- rpz_clean(NULL, &st->ns.db, NULL, &st->ns.ns_rdataset);
- }
+ query_putrdataset(client, &rdataset);
+ if ((st->state & DNS_RPZ_RECURSING) == 0)
+ rpz_clean(NULL, &st->r.db, NULL, &st->r.ns_rdataset);
return (result);
}
+/*
+ * Add a CNAME to the query response, including translating foo.evil.com and
+ * *.evil.com CNAME *.example.com
+ * to
+ * foo.evil.com CNAME foo.evil.com.example.com
+ */
+static isc_result_t
+rpz_add_cname(ns_client_t *client, dns_rpz_st_t *st,
+ dns_name_t *cname, dns_name_t *fname, isc_buffer_t *dbuf)
+{
+ dns_fixedname_t prefix, suffix;
+ unsigned int labels;
+ isc_result_t result;
+
+ labels = dns_name_countlabels(cname);
+ if (labels > 2 && dns_name_iswildcard(cname)) {
+ dns_fixedname_init(&prefix);
+ dns_name_split(client->query.qname, 1,
+ dns_fixedname_name(&prefix), NULL);
+ dns_fixedname_init(&suffix);
+ dns_name_split(cname, labels-1,
+ NULL, dns_fixedname_name(&suffix));
+ result = dns_name_concatenate(dns_fixedname_name(&prefix),
+ dns_fixedname_name(&suffix),
+ fname, NULL);
+ if (result == DNS_R_NAMETOOLONG)
+ client->message->rcode = dns_rcode_yxdomain;
+ } else {
+ result = dns_name_copy(cname, fname, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ }
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ query_keepname(client, fname, dbuf);
+ result = query_add_cname(client, client->query.qname,
+ fname, dns_trust_authanswer, st->m.ttl);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ rpz_log_rewrite(client, "", st->m.policy, st->m.type, st->qname);
+ ns_client_qnamereplace(client, fname);
+ /*
+ * Turn off DNSSEC because the results of a
+ * response policy zone cannot verify.
+ */
+ client->attributes &= ~NS_CLIENTATTR_WANTDNSSEC;
+ return (ISC_R_SUCCESS);
+}
+
#define MAX_RESTARTS 16
#define QUERY_ERROR(r) \
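Review bot: The header comment added for rpz_add_cname() runs its two example records together and says nothing about the failure path, so the wildcard translation is hard to follow. I would reword it along the lines of `/* Add a CNAME to the response. For a wildcard target such as *.example.com the query name is prepended, so foo.evil.com gets CNAME foo.evil.com.example.com. */`. It should also say that a concatenated name that is too long sets rcode YXDOMAIN and returns DNS_R_NAMETOOLONG to the caller, as the `if (result == DNS_R_NAMETOOLONG)` branch does. The first part of this hunk belongs to the cleanup section of rpz_rewrite(), which starts outside the hunk.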
@@ -5027,14 +5279,12 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
rpz_st->q.sigrdataset = NULL;
qtype = rpz_st->q.qtype;
+ rpz_st->r.db = event->db;
if (event->node != NULL)
- dns_db_detachnode(db, &event->node);
- rpz_st->ns.db = event->db;
- rpz_st->ns.r_type = event->qtype;
- rpz_st->ns.r_rdataset = event->rdataset;
- if (event->sigrdataset != NULL &&
- dns_rdataset_isassociated(event->sigrdataset))
- dns_rdataset_disassociate(event->sigrdataset);
+ dns_db_detachnode(event->db, &event->node);
+ rpz_st->r.r_type = event->qtype;
+ rpz_st->r.r_rdataset = event->rdataset;
+ query_putrdataset(client, &event->sigrdataset);
} else {
authoritative = ISC_FALSE;
@@ -5085,7 +5335,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
}
if (rpz_st != NULL &&
(rpz_st->state & DNS_RPZ_RECURSING) != 0) {
- rpz_st->ns.r_result = event->result;
+ rpz_st->r.r_result = event->result;
result = rpz_st->q.result;
isc_event_free(ISC_EVENT_PTR(&event));
} else {
@@ -5248,13 +5498,14 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
if (!ISC_LIST_EMPTY(client->view->rpz_zones) &&
RECURSIONOK(client) && !RECURSING(client) &&
- result != DNS_R_DELEGATION && result != ISC_R_NOTFOUND &&
+ (!WANTDNSSEC(client) || sigrdataset == NULL ||
+ !dns_rdataset_isassociated(sigrdataset)) &&
(client->query.rpz_st == NULL ||
(client->query.rpz_st->state & DNS_RPZ_REWRITTEN) == 0) &&
!dns_name_equal(client->query.qname, dns_rootname)) {
isc_result_t rresult;
- rresult = rpz_rewrite(client, qtype, resuming);
+ rresult = rpz_rewrite(client, qtype, result, resuming);
rpz_st = client->query.rpz_st;
switch (rresult) {
case ISC_R_SUCCESS:
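Review bot: The added condition `(!WANTDNSSEC(client) || sigrdataset == NULL || !dns_rdataset_isassociated(sigrdataset))` makes response-policy rewriting depend on whether the client asked for DNSSEC, and nothing at this site documents that. As written, rpz_rewrite() is not called when the client wants DNSSEC and the answer carries signatures, so a policy zone has no effect on those responses. I would put a comment above the `if`, for example `/* RPZ is not applied when the client wants DNSSEC and the answer is signed. */`, and state the same limit in the operator documentation, because sites that use RPZ as a blocking control need to know where it does not apply. query_find continues outside the hunk.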
@@ -5285,16 +5536,19 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
RECURSE_ERROR(rresult);
goto cleanup;
}
+ if (rpz_st->m.policy != DNS_RPZ_POLICY_MISS)
+ rpz_st->state |= DNS_RPZ_REWRITTEN;
if (rpz_st->m.policy != DNS_RPZ_POLICY_MISS &&
- rpz_st->m.policy != DNS_RPZ_POLICY_NO_OP) {
- result = dns_name_copy(client->query.qname, fname,
- NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- finish_rewrite:
+ rpz_st->m.policy != DNS_RPZ_POLICY_PASSTHRU &&
+ rpz_st->m.policy != DNS_RPZ_POLICY_ERROR) {
+ if (rpz_st->m.type == DNS_RPZ_TYPE_QNAME) {
+ result = dns_name_copy(client->query.qname,
+ fname, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ }
rpz_clean(&zone, &db, &node, NULL);
if (rpz_st->m.rdataset != NULL) {
- if (rdataset != NULL)
- query_putrdataset(client, &rdataset);
+ query_putrdataset(client, &rdataset);
rdataset = rpz_st->m.rdataset;
rpz_st->m.rdataset = NULL;
} else if (rdataset != NULL &&
@@ -5305,10 +5559,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
rpz_st->m.node = NULL;
db = rpz_st->m.db;
rpz_st->m.db = NULL;
+ version = rpz_st->m.version;
+ rpz_st->m.version = NULL;
zone = rpz_st->m.zone;
rpz_st->m.zone = NULL;
- result = rpz_st->m.result;
switch (rpz_st->m.policy) {
case DNS_RPZ_POLICY_NXDOMAIN:
result = DNS_R_NXDOMAIN;
@@ -5317,27 +5572,39 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
result = DNS_R_NXRRSET;
break;
case DNS_RPZ_POLICY_RECORD:
+ result = rpz_st->m.result;
if (type == dns_rdatatype_any &&
result != DNS_R_CNAME &&
dns_rdataset_isassociated(rdataset))
dns_rdataset_disassociate(rdataset);
break;
- case DNS_RPZ_POLICY_CNAME:
- result = dns_name_copy(&rpz_st->m.rpz->cname,
- fname, NULL);
+ case DNS_RPZ_POLICY_WILDCNAME:
+ result = dns_rdataset_first(rdataset);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
- query_keepname(client, fname, dbuf);
- result = query_add_cname(client,
- client->query.qname,
- fname,
- dns_trust_authanswer,
- rpz_st->m.ttl);
+ dns_rdataset_current(rdataset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &cname,
+ NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ dns_rdata_reset(&rdata);
+ result = rpz_add_cname(client, rpz_st,
+ &cname.cname,
+ fname, dbuf);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ fname = NULL;
+ want_restart = ISC_TRUE;
+ goto cleanup;
+ case DNS_RPZ_POLICY_CNAME:
+ /*
+ * Add overridding CNAME from a named.conf
+ * response-policy statement
+ */
+ result = rpz_add_cname(client, rpz_st,
+ &rpz_st->m.rpz->cname,
+ fname, dbuf);
if (result != ISC_R_SUCCESS)
goto cleanup;
- ns_client_qnamereplace(client, fname);
fname = NULL;
- client->attributes &= ~NS_CLIENTATTR_WANTDNSSEC;
- rpz_log(client);
want_restart = ISC_TRUE;
goto cleanup;
default:
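Review bot: The new DNS_RPZ_POLICY_WILDCNAME case follows both dns_rdataset_first() and dns_rdata_tostruct() with `RUNTIME_CHECK(result == ISC_R_SUCCESS)`, so an rdataset that is not a readable CNAME at this point would stop named instead of failing the one query. That is safe only if WILDCNAME is assigned solely when the matched policy rdataset is a CNAME, which this hunk does not show. Since policy zone data may come from an outside provider, I would state that invariant in a comment, `/* m.rdataset is always a CNAME rdataset when the policy is WILDCNAME */`. The alternative is to fail softly with `if (result != ISC_R_SUCCESS) goto cleanup;`, as the rpz_add_cname() calls in this hunk already do. The switch is part of query_find, which extends beyond the hunk.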
@@ -5349,11 +5616,10 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
* response policy zone cannot verify.
*/
client->attributes &= ~NS_CLIENTATTR_WANTDNSSEC;
- if (sigrdataset != NULL &&
- dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
+ query_putrdataset(client, &sigrdataset);
is_zone = ISC_TRUE;
- rpz_log(client);
+ rpz_log_rewrite(client, "", rpz_st->m.policy,
+ rpz_st->m.type, rpz_st->qname);
}
}
@@ -5668,7 +5934,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
case DNS_R_EMPTYNAME:
case DNS_R_NXRRSET:
- nxrrset:
+ iszone_nxrrset:
INSIST(is_zone);
#ifdef dns64_bis_return_excluded_addresses
@@ -5686,6 +5952,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
query_putrdataset(client, &sigrdataset);
rdataset = client->query.dns64_aaaa;
sigrdataset = client->query.dns64_sigaaaa;
+ client->query.dns64_aaaa = NULL;
+ client->query.dns64_sigaaaa = NULL;
if (fname == NULL) {
dbuf = query_getnamebuf(client);
if (dbuf == NULL) {
@@ -5699,8 +5967,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
}
}
dns_name_copy(client->query.qname, fname, NULL);
- client->query.dns64_aaaa = NULL;
- client->query.dns64_sigaaaa = NULL;
dns64 = ISC_FALSE;
#ifdef dns64_bis_return_excluded_addresses
/*
@@ -5735,6 +6001,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
/*
* Look for a NSEC3 record if we don't have a NSEC record.
*/
+ nxrrset_rrsig:
if (!dns_rdataset_isassociated(rdataset) &&
WANTDNSSEC(client)) {
if ((fname->attributes & DNS_NAMEATTR_WILDCARD) == 0) {
@@ -5860,6 +6127,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
*/
query_releasename(client, &fname);
}
+
/*
* Add SOA. If the query was for a SOA record force the
* ttl to zero so that it is possible for clients to find
@@ -5936,6 +6204,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
query_putrdataset(client, &sigrdataset);
rdataset = client->query.dns64_aaaa;
sigrdataset = client->query.dns64_sigaaaa;
+ client->query.dns64_aaaa = NULL;
+ client->query.dns64_sigaaaa = NULL;
if (fname == NULL) {
dbuf = query_getnamebuf(client);
if (dbuf == NULL) {
@@ -5949,8 +6219,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
}
}
dns_name_copy(client->query.qname, fname, NULL);
- client->query.dns64_aaaa = NULL;
- client->query.dns64_sigaaaa = NULL;
dns64 = ISC_FALSE;
#ifdef dns64_bis_return_excluded_addresses
if (dns64_excluded)
@@ -6201,9 +6469,21 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
need_wildcardproof = ISC_TRUE;
}
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+ if (client->view->v4_aaaa != dns_v4_aaaa_ok &&
+ is_v4_client(client) &&
+ ns_client_checkaclsilent(client, NULL,
+ client->view->v4_aaaa_acl,
+ ISC_TRUE) == ISC_R_SUCCESS)
+ client->filter_aaaa = client->view->v4_aaaa;
+ else
+ client->filter_aaaa = dns_v4_aaaa_ok;
+
+#endif
+
if (type == dns_rdatatype_any) {
#ifdef ALLOW_FILTER_AAAA_ON_V4
- isc_boolean_t have_aaaa, have_a, have_sig, filter_aaaa;
+ isc_boolean_t have_aaaa, have_a, have_sig;
/*
* The filter-aaaa-on-v4 option should
@@ -6215,14 +6495,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
have_aaaa = ISC_FALSE;
have_a = !authoritative;
have_sig = ISC_FALSE;
- if (client->view->v4_aaaa != dns_v4_aaaa_ok &&
- is_v4_client(client) &&
- ns_client_checkaclsilent(client, NULL,
- client->view->v4_aaaa_acl,
- ISC_TRUE) == ISC_R_SUCCESS)
- filter_aaaa = ISC_TRUE;
- else
- filter_aaaa = ISC_FALSE;
#endif
/*
* XXXRTH Need to handle zonecuts with special case
@@ -6237,53 +6509,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
}
/*
- * Check all A and AAAA records in all response policy
- * IP address zones
- */
- rpz_st = client->query.rpz_st;
- if (rpz_st != NULL &&
- (rpz_st->state & DNS_RPZ_DONE_QNAME) != 0 &&
- (rpz_st->state & DNS_RPZ_REWRITTEN) == 0 &&
- RECURSIONOK(client) && !RECURSING(client) &&
- (rpz_st->state & DNS_RPZ_HAVE_IP) != 0) {
- for (result = dns_rdatasetiter_first(rdsiter);
- result == ISC_R_SUCCESS;
- result = dns_rdatasetiter_next(rdsiter)) {
- dns_rdatasetiter_current(rdsiter, rdataset);
- if (rdataset->type == dns_rdatatype_a ||
- rdataset->type == dns_rdatatype_aaaa)
- result = rpz_rewrite_ip(client,
- rdataset,
- DNS_RPZ_TYPE_IP);
- dns_rdataset_disassociate(rdataset);
- if (result != ISC_R_SUCCESS)
- break;
- }
- if (result != ISC_R_NOMORE) {
- dns_rdatasetiter_destroy(&rdsiter);
- QUERY_ERROR(DNS_R_SERVFAIL);
- goto cleanup;
- }
- switch (rpz_st->m.policy) {
- case DNS_RPZ_POLICY_MISS:
- break;
- case DNS_RPZ_POLICY_NO_OP:
- rpz_log(client);
- rpz_st->state |= DNS_RPZ_REWRITTEN;
- break;
- case DNS_RPZ_POLICY_NXDOMAIN:
- case DNS_RPZ_POLICY_NODATA:
- case DNS_RPZ_POLICY_RECORD:
- case DNS_RPZ_POLICY_CNAME:
- dns_rdatasetiter_destroy(&rdsiter);
- rpz_st->state |= DNS_RPZ_REWRITTEN;
- goto finish_rewrite;
- default:
- INSIST(0);
- }
- }
-
- /*
* Calling query_addrrset() with a non-NULL dbuf is going
* to either keep or release the name. We don't want it to
* release fname, since we may have to call query_addrrset()
@@ -6304,7 +6529,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
* Notice the presence of A and AAAAs so
* that AAAAs can be hidden from IPv4 clients.
*/
- if (filter_aaaa) {
+ if (client->filter_aaaa != dns_v4_aaaa_ok) {
if (rdataset->type == dns_rdatatype_aaaa)
have_aaaa = ISC_TRUE;
else if (rdataset->type == dns_rdatatype_a)
@@ -6361,76 +6586,52 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
* Filter AAAAs if there is an A and there is no signature
* or we are supposed to break DNSSEC.
*/
- if (filter_aaaa && have_aaaa && have_a &&
- (!have_sig || !WANTDNSSEC(client) ||
- client->view->v4_aaaa == dns_v4_aaaa_break_dnssec))
+ if (client->filter_aaaa == dns_v4_aaaa_break_dnssec)
client->attributes |= NS_CLIENTATTR_FILTER_AAAA;
+ else if (client->filter_aaaa != dns_v4_aaaa_ok &&
+ have_aaaa && have_a &&
+ (!have_sig || !WANTDNSSEC(client)))
+ client->attributes |= NS_CLIENTATTR_FILTER_AAAA;
#endif
if (fname != NULL)
dns_message_puttempname(client->message, &fname);
- if (n == 0 && is_zone) {
+ if (n == 0) {
/*
- * We didn't match any rdatasets.
+ * No matching rdatasets found in cache. If we were
+ * searching for RRSIG/SIG, that's probably okay;
+ * otherwise this is an error condition.
*/
if ((qtype == dns_rdatatype_rrsig ||
qtype == dns_rdatatype_sig) &&
result == ISC_R_NOMORE) {
- /*
- * XXXRTH If this is a secure zone and we
- * didn't find any SIGs, we should generate
- * an error unless we were searching for
- * glue. Ugh.
- */
if (!is_zone) {
- /*
- * Note: this is dead code because
- * is_zone is always true due to the
- * condition above. But naive
- * recursion would cause infinite
- * attempts of recursion because
- * the answer to (RR)SIG queries
- * won't be cached. Until we figure
- * out what we should do and implement
- * it we intentionally keep this code
- * dead.
- */
authoritative = ISC_FALSE;
dns_rdatasetiter_destroy(&rdsiter);
- if (RECURSIONOK(client)) {
- result = query_recurse(client,
- qtype,
- client->query.qname,
- NULL, NULL,
- resuming);
- if (result == ISC_R_SUCCESS)
- client->query.attributes |=
- NS_QUERYATTR_RECURSING;
- else
- RECURSE_ERROR(result);
- }
+ client->attributes &= ~NS_CLIENTATTR_RA;
goto addauth;
}
- /*
- * We were searching for SIG records in
- * a nonsecure zone. Send a "no error,
- * no data" response.
- */
- /*
- * Add SOA.
- */
- result = query_addsoa(client, db, version,
- ISC_UINT32_MAX,
- ISC_FALSE);
- if (result == ISC_R_SUCCESS)
- result = ISC_R_NOMORE;
- } else {
- /*
- * Something went wrong.
- */
+
+ if (dns_db_issecure(db)) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ dns_name_format(client->query.qname,
+ namebuf,
+ sizeof(namebuf));
+ ns_client_log(client,
+ DNS_LOGCATEGORY_DNSSEC,
+ NS_LOGMODULE_QUERY,
+ ISC_LOG_WARNING,
+ "missing signature "
+ "for %s", namebuf);
+ }
+
+ dns_rdatasetiter_destroy(&rdsiter);
+ fname = query_newname(client, dbuf, &b);
+ goto nxrrset_rrsig;
+ } else
result = DNS_R_SERVFAIL;
- }
}
+
dns_rdatasetiter_destroy(&rdsiter);
if (result != ISC_R_NOMORE) {
QUERY_ERROR(DNS_R_SERVFAIL);
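Review bot: `fname = query_newname(client, dbuf, &b);` is followed directly by `goto nxrrset_rrsig;`, and the code at that label (added in an earlier hunk of this file) reads `fname->attributes` without a NULL test. query_newname() is defined outside this diff; if it can return NULL when a temporary name cannot be allocated, the RRSIG/SIG branch dereferences a NULL pointer. I would add `if (fname == NULL) { QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; }` between the two statements. The enclosing query_find body starts and ends outside the hunk.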
@@ -6442,48 +6643,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
* we know the answer.
*/
- /*
- * Check all A and AAAA records in all response policy
- * IP address zones
- */
- rpz_st = client->query.rpz_st;
- if (rpz_st != NULL &&
- (rpz_st->state & DNS_RPZ_DONE_QNAME) != 0 &&
- (rpz_st->state & DNS_RPZ_REWRITTEN) == 0 &&
- RECURSIONOK(client) && !RECURSING(client) &&
- (rpz_st->state & DNS_RPZ_HAVE_IP) != 0 &&
- (qtype == dns_rdatatype_aaaa || qtype == dns_rdatatype_a)) {
- result = rpz_rewrite_ip(client, rdataset,
- DNS_RPZ_TYPE_IP);
- if (result != ISC_R_SUCCESS) {
- QUERY_ERROR(DNS_R_SERVFAIL);
- goto cleanup;
- }
- /*
- * After a hit in the radix tree for the policy domain,
- * either stop trying to rewrite (DNS_RPZ_POLICY_NO_OP)
- * or restart to ask the ordinary database of the
- * policy zone for the DNS record corresponding to the
- * record in the radix tree.
- */
- switch (rpz_st->m.policy) {
- case DNS_RPZ_POLICY_MISS:
- break;
- case DNS_RPZ_POLICY_NO_OP:
- rpz_log(client);
- rpz_st->state |= DNS_RPZ_REWRITTEN;
- break;
- case DNS_RPZ_POLICY_NXDOMAIN:
- case DNS_RPZ_POLICY_NODATA:
- case DNS_RPZ_POLICY_RECORD:
- case DNS_RPZ_POLICY_CNAME:
- rpz_st->state |= DNS_RPZ_REWRITTEN;
- goto finish_rewrite;
- default:
- INSIST(0);
- }
- }
-
#ifdef ALLOW_FILTER_AAAA_ON_V4
/*
* Optionally hide AAAAs from IPv4 clients if there is an A.
@@ -6493,15 +6652,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
* so fundamentally wrong, unavoidably inaccurate, and
* unneeded that it is best to keep it as short as possible.
*/
- if (client->view->v4_aaaa != dns_v4_aaaa_ok &&
- is_v4_client(client) &&
- ns_client_checkaclsilent(client, NULL,
- client->view->v4_aaaa_acl,
- ISC_TRUE) == ISC_R_SUCCESS &&
- (!WANTDNSSEC(client) ||
- sigrdataset == NULL ||
- !dns_rdataset_isassociated(sigrdataset) ||
- client->view->v4_aaaa == dns_v4_aaaa_break_dnssec)) {
+ if (client->filter_aaaa == dns_v4_aaaa_break_dnssec ||
+ (client->filter_aaaa == dns_v4_aaaa_filter &&
+ (!WANTDNSSEC(client) || sigrdataset == NULL ||
+ !dns_rdataset_isassociated(sigrdataset))))
+ {
if (qtype == dns_rdatatype_aaaa) {
trdataset = query_newrdataset(client);
result = dns_db_findrdataset(db, node, version,
@@ -6633,7 +6788,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
}
#endif
if (is_zone)
- goto nxrrset;
+ goto iszone_nxrrset;
else
goto ncache_nxrrset;
} else if (result != ISC_R_SUCCESS) {
@@ -6691,9 +6846,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
* General cleanup.
*/
rpz_st = client->query.rpz_st;
- if (rpz_st != NULL && (rpz_st->state & DNS_RPZ_RECURSING) == 0)
+ if (rpz_st != NULL && (rpz_st->state & DNS_RPZ_RECURSING) == 0) {
rpz_clean(&rpz_st->m.zone, &rpz_st->m.db, &rpz_st->m.node,
&rpz_st->m.rdataset);
+ rpz_st->state &= ~DNS_RPZ_DONE_QNAME;
+ }
if (rdataset != NULL)
query_putrdataset(client, &rdataset);
if (sigrdataset != NULL)
diff --git a/bin/named/server.c b/bin/named/server.c
index f19a0bbb9371..46f26c4f053e 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: server.c,v 1.599.8.12 2011-08-02 04:58:45 each Exp $ */
+/* $Id: server.c,v 1.599.8.19 2012/02/22 00:33:32 each Exp $ */
/*! \file */
@@ -2596,14 +2596,19 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
if (result == ISC_R_SUCCESS) {
/* If set to "auto", use the version from the defaults */
const cfg_obj_t *dlvobj;
+ const char *dom;
dlvobj = cfg_listelt_value(cfg_list_first(obj));
- if (!strcmp(cfg_obj_asstring(cfg_tuple_get(dlvobj, "domain")),
- "auto") &&
- cfg_obj_isvoid(cfg_tuple_get(dlvobj, "trust-anchor"))) {
- auto_dlv = ISC_TRUE;
- obj = NULL;
- result = cfg_map_get(ns_g_defaults,
- "dnssec-lookaside", &obj);
+ dom = cfg_obj_asstring(cfg_tuple_get(dlvobj, "domain"));
+ if (cfg_obj_isvoid(cfg_tuple_get(dlvobj, "trust-anchor"))) {
+ /* If "no", skip; if "auto", use global default */
+ if (!strcasecmp(dom, "no"))
+ result = ISC_R_NOTFOUND;
+ else if (!strcasecmp(dom, "auto")) {
+ auto_dlv = ISC_TRUE;
+ obj = NULL;
+ result = cfg_map_get(ns_g_defaults,
+ "dnssec-lookaside", &obj);
+ }
}
}
@@ -2704,7 +2709,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
rfc1918 = ISC_FALSE;
empty_zones_enable = ISC_FALSE;
}
- if (empty_zones_enable) {
+ if (empty_zones_enable && !lwresd_g_useresolvconf) {
const char *empty;
int empty_zone = 0;
dns_fixedname_t fixed;
@@ -2842,7 +2847,8 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
CHECK(dns_zone_create(&zone, mctx));
CHECK(dns_zone_setorigin(zone, name));
dns_zone_setview(zone, view);
- CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
+ CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr,
+ zone));
dns_zone_setclass(zone, view->rdclass);
dns_zone_settype(zone, dns_zone_master);
dns_zone_setstats(zone, ns_g_server->zonestats);
@@ -3449,6 +3455,12 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
*/
CHECK(dns_view_addzone(view, zone));
+ /*
+ * Ensure that zone keys are reloaded on reconfig
+ */
+ if ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_MAINTAIN) != 0)
+ dns_zone_rekey(zone, ISC_FALSE);
+
cleanup:
if (zone != NULL)
dns_zone_detach(&zone);
@@ -3489,6 +3501,7 @@ add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx) {
dns_zone_attach(pview->managed_keys, &view->managed_keys);
dns_zone_setview(pview->managed_keys, view);
dns_view_detach(&pview);
+ dns_zone_synckeyzone(view->managed_keys);
return (ISC_R_SUCCESS);
}
@@ -4278,15 +4291,12 @@ load_configuration(const char *filename, ns_server_t *server,
ns_cache_t *nsc;
struct cfg_context *nzctx;
int num_zones = 0;
+ isc_boolean_t exclusive = ISC_FALSE;
ISC_LIST_INIT(viewlist);
ISC_LIST_INIT(builtin_viewlist);
ISC_LIST_INIT(cachelist);
- /* Ensure exclusive access to configuration data. */
- result = isc_task_beginexclusive(server->task);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
/* Create the ACL configuration context */
if (ns_g_aclconfctx != NULL)
cfg_aclconfctx_detach(&ns_g_aclconfctx);
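Review bot: With isc_task_beginexclusive() removed from the top of load_configuration(), the `cfg_aclconfctx_detach(&ns_g_aclconfctx)` that follows now runs before exclusive mode is entered; the call is re-added further down in a later hunk of this file. ns_g_aclconfctx looks like a process-wide global (ns_g_ prefix), so if any other task can still read it while the configuration is being parsed, it is replaced underneath that reader. I would either move the ACL context replacement below the relocated `isc_task_beginexclusive()` or add a comment here explaining why it is safe outside the exclusive section. The function body continues outside the hunk.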
@@ -4382,6 +4392,13 @@ load_configuration(const char *filename, ns_server_t *server,
CHECK(result);
}
+ /* Ensure exclusive access to configuration data. */
+ if (!exclusive) {
+ result = isc_task_beginexclusive(server->task);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ exclusive = ISC_TRUE;
+ }
+
/*
* Set process limits, which (usually) needs to be done as root.
*/
@@ -5149,7 +5166,8 @@ load_configuration(const char *filename, ns_server_t *server,
adjust_interfaces(server, ns_g_mctx);
/* Relinquish exclusive access to configuration data. */
- isc_task_endexclusive(server->task);
+ if (exclusive)
+ isc_task_endexclusive(server->task);
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
ISC_LOG_DEBUG(1), "load_configuration: %s",
@@ -7352,13 +7370,14 @@ ns_server_add_zone(ns_server_t *server, char *args) {
CHECK(isc_stdio_open(view->new_zone_file, "a", &fp));
/* Mark view unfrozen so that zone can be added */
+ isc_task_beginexclusive(server->task);
dns_view_thaw(view);
result = configure_zone(cfg->config, parms, vconfig,
server->mctx, view, cfg->actx, ISC_FALSE);
dns_view_freeze(view);
- if (result != ISC_R_SUCCESS) {
+ isc_task_endexclusive(server->task);
+ if (result != ISC_R_SUCCESS)
goto cleanup;
- }
/* Is it there yet? */
CHECK(dns_zt_find(view->zonetable, &dnsname, 0, NULL, &zone));
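Review bot: The return value of the added `isc_task_beginexclusive(server->task);` is discarded, while load_configuration() in this same file stores it and asserts success. If the call ever fails, dns_view_thaw() and configure_zone() run without exclusivity and the unconditional `isc_task_endexclusive(server->task);` is unbalanced. I would write `result = isc_task_beginexclusive(server->task);` followed by `RUNTIME_CHECK(result == ISC_R_SUCCESS);` to match the other call site. ns_server_add_zone starts and ends outside the hunk.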
diff --git a/bin/named/sortlist.c b/bin/named/sortlist.c
index 0710fb18da34..daefa0772e93 100644
--- a/bin/named/sortlist.c
+++ b/bin/named/sortlist.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sortlist.c,v 1.17 2007-09-14 01:46:05 marka Exp $ */
+/* $Id: sortlist.c,v 1.17 2007/09/14 01:46:05 marka Exp $ */
/*! \file */
diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c
index 1f726941a004..d0518c94eeba 100644
--- a/bin/named/statschannel.c
+++ b/bin/named/statschannel.c
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: statschannel.c,v 1.26.150.2 2011-03-12 04:59:14 tbox Exp $ */
+/* $Id: statschannel.c,v 1.26.150.2 2011/03/12 04:59:14 tbox Exp $ */
/*! \file */
diff --git a/bin/named/tkeyconf.c b/bin/named/tkeyconf.c
index 66c2d7f47cc9..6d852a0871c0 100644
--- a/bin/named/tkeyconf.c
+++ b/bin/named/tkeyconf.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: tkeyconf.c,v 1.33 2010-12-20 23:47:20 tbox Exp $ */
+/* $Id: tkeyconf.c,v 1.33 2010/12/20 23:47:20 tbox Exp $ */
/*! \file */
diff --git a/bin/named/tsigconf.c b/bin/named/tsigconf.c
index 19e8d385e05b..776b1b9f837d 100644
--- a/bin/named/tsigconf.c
+++ b/bin/named/tsigconf.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: tsigconf.c,v 1.35 2011-01-11 23:47:12 tbox Exp $ */
+/* $Id: tsigconf.c,v 1.35 2011/01/11 23:47:12 tbox Exp $ */
/*! \file */
diff --git a/bin/named/unix/Makefile.in b/bin/named/unix/Makefile.in
index a7155a0e358a..135c63437658 100644
--- a/bin/named/unix/Makefile.in
+++ b/bin/named/unix/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.13.244.2 2011-03-10 23:47:26 tbox Exp $
+# $Id: Makefile.in,v 1.13.244.2 2011/03/10 23:47:26 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/bin/named/unix/dlz_dlopen_driver.c b/bin/named/unix/dlz_dlopen_driver.c
index 35dbcab65c01..ca4b1fdfcdaf 100644
--- a/bin/named/unix/dlz_dlopen_driver.c
+++ b/bin/named/unix/dlz_dlopen_driver.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dlz_dlopen_driver.c,v 1.1.4.4 2011-03-17 09:41:06 fdupont Exp $ */
+/* $Id: dlz_dlopen_driver.c,v 1.1.4.6 2012/02/22 23:46:35 tbox Exp $ */
#include <config.h>
@@ -313,6 +313,8 @@ dlopen_dlz_create(const char *dlzname, unsigned int argc, char *argv[],
dl_load_symbol(cd, "dlz_subrdataset", ISC_FALSE);
cd->dlz_delrdataset = (dlz_dlopen_delrdataset_t *)
dl_load_symbol(cd, "dlz_delrdataset", ISC_FALSE);
+ cd->dlz_destroy = (dlz_dlopen_destroy_t *)
+ dl_load_symbol(cd, "dlz_destroy", ISC_FALSE);
/* Check the version of the API is the same */
cd->version = cd->dlz_version(&cd->flags);
diff --git a/bin/named/unix/include/named/os.h b/bin/named/unix/include/named/os.h
index c2768f426647..c979e53871d7 100644
--- a/bin/named/unix/include/named/os.h
+++ b/bin/named/unix/include/named/os.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: os.h,v 1.31 2009-08-05 23:47:43 tbox Exp $ */
+/* $Id: os.h,v 1.31 2009/08/05 23:47:43 tbox Exp $ */
#ifndef NS_OS_H
#define NS_OS_H 1
diff --git a/bin/named/unix/os.c b/bin/named/unix/os.c
index 5fd654738600..9637ded473e5 100644
--- a/bin/named/unix/os.c
+++ b/bin/named/unix/os.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: os.c,v 1.104.38.3 2011-03-02 00:04:01 marka Exp $ */
+/* $Id: os.c,v 1.104.38.3 2011/03/02 00:04:01 marka Exp $ */
/*! \file */
diff --git a/bin/named/update.c b/bin/named/update.c
index c99db5f8c46c..6fb6a8536721 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: update.c,v 1.186.16.5 2011-03-25 23:53:52 each Exp $ */
+/* $Id: update.c,v 1.186.16.7 2011/11/03 02:55:34 each Exp $ */
#include <config.h>
@@ -1506,8 +1506,6 @@ check_soa_increment(dns_db_t *db, dns_dbversion_t *ver,
* Incremental updating of NSECs and RRSIGs.
*/
-#define MAXZONEKEYS 32 /*%< Maximum number of zone keys supported. */
-
/*%
* We abuse the dns_diff_t type to represent a set of domain names
* affected by the update.
@@ -2131,7 +2129,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
dns_diff_t nsec_diff;
dns_diff_t nsec_mindiff;
isc_boolean_t flag, build_nsec, build_nsec3;
- dst_key_t *zone_keys[MAXZONEKEYS];
+ dst_key_t *zone_keys[DNS_MAXZONEKEYS];
unsigned int nkeys = 0;
unsigned int i;
isc_stdtime_t now, inception, expire;
@@ -2154,7 +2152,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
dns_diff_init(client->mctx, &nsec_mindiff);
result = find_zone_keys(zone, db, newver, client->mctx,
- MAXZONEKEYS, zone_keys, &nkeys);
+ DNS_MAXZONEKEYS, zone_keys, &nkeys);
if (result != ISC_R_SUCCESS) {
update_log(client, zone, ISC_LOG_ERROR,
"could not get zone keys for secure dynamic update");
@@ -4473,6 +4471,12 @@ send_forward_event(ns_client_t *client, dns_zone_t *zone) {
isc_task_t *zonetask = NULL;
ns_client_t *evclient;
+ /*
+ * This may take some time so replace this client.
+ */
+ if (!client->mortal && (client->attributes & NS_CLIENTATTR_TCP) == 0)
+ CHECK(ns_client_replace(client));
+
event = (update_event_t *)
isc_event_allocate(client->mctx, client, DNS_EVENT_UPDATE,
forward_action, NULL, sizeof(*event));
diff --git a/bin/named/xfrout.c b/bin/named/xfrout.c
index 83c64f27954e..6cda6589e1c9 100644
--- a/bin/named/xfrout.c
+++ b/bin/named/xfrout.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: xfrout.c,v 1.139.16.3 2011-07-28 04:30:54 marka Exp $ */
+/* $Id: xfrout.c,v 1.139.16.4 2011/12/01 01:00:50 marka Exp $ */
#include <config.h>
@@ -1287,6 +1287,13 @@ sendstream(xfrout_ctx_t *xfr) {
isc_buffer_free(&xfr->lasttsig);
/*
+ * Account for reserved space.
+ */
+ if (xfr->tsigkey != NULL)
+ INSIST(msg->reserved != 0U);
+ isc_buffer_add(&xfr->buf, msg->reserved);
+
+ /*
* Include a question section in the first message only.
* BIND 8.2.1 will not recognize an IXFR if it does not
* have a question section.
@@ -1324,9 +1331,13 @@ sendstream(xfrout_ctx_t *xfr) {
ISC_LIST_APPEND(qname->list, qrdataset, link);
dns_message_addname(msg, qname, DNS_SECTION_QUESTION);
- }
- else
+ } else {
+ /*
+ * Reserve space for the 12-byte message header
+ */
+ isc_buffer_add(&xfr->buf, 12);
msg->tcp_continuation = 1;
+ }
}
/*
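Review bot: `isc_buffer_add(&xfr->buf, 12);` hard-codes the DNS header length; the comment explains the number, but a named constant keeps it tied to the message code. dns/message.h defines DNS_MESSAGE_HEADERLEN for this, so I would write `isc_buffer_add(&xfr->buf, DNS_MESSAGE_HEADERLEN);`, assuming that header is already included in xfrout.c. This call and the `isc_buffer_add(&xfr->buf, msg->reserved);` added in the previous hunk both rely on xfr->buf having room for the extra bytes. A short comment naming where that capacity is guaranteed would help, since the allocation is not in these hunks. sendstream continues outside the hunk.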
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index a3e713b4e94d..6eef28ae131f 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: zoneconf.c,v 1.170.14.4 2011-05-23 20:56:10 each Exp $ */
+/* $Id: zoneconf.c,v 1.170.14.7 2012/01/31 23:46:39 tbox Exp $ */
/*% */
@@ -1329,8 +1329,11 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
&count));
result = dns_zone_setmasterswithkeys(zone, addrs,
keynames, count);
- ns_config_putipandkeylist(mctx, &addrs, &keynames,
- count);
+ if (count != 0)
+ ns_config_putipandkeylist(mctx, &addrs,
+ &keynames, count);
+ else
+ INSIST(addrs == NULL && keynames == NULL);
} else
result = dns_zone_setmasters(zone, NULL, 0);
RETERR(result);
@@ -1462,15 +1465,21 @@ ns_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
zoptions = cfg_tuple_get(zconfig, "options");
- if (zonetype_fromconfig(zoptions) != dns_zone_gettype(zone))
+ if (zonetype_fromconfig(zoptions) != dns_zone_gettype(zone)) {
+ dns_zone_log(zone, ISC_LOG_DEBUG(1),
+ "not reusable: type mismatch");
return (ISC_FALSE);
+ }
/*
* We always reconfigure a static-stub zone for simplicity, assuming
* the amount of data to be loaded is small.
*/
- if (zonetype_fromconfig(zoptions) == dns_zone_staticstub)
+ if (zonetype_fromconfig(zoptions) == dns_zone_staticstub) {
+ dns_zone_log(zone, ISC_LOG_DEBUG(1),
+ "not reusable: staticstub");
return (ISC_FALSE);
+ }
obj = NULL;
(void)cfg_map_get(zoptions, "file", &obj);
@@ -1481,8 +1490,11 @@ ns_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
zfilename = dns_zone_getfile(zone);
if (!((cfilename == NULL && zfilename == NULL) ||
(cfilename != NULL && zfilename != NULL &&
- strcmp(cfilename, zfilename) == 0)))
- return (ISC_FALSE);
+ strcmp(cfilename, zfilename) == 0))) {
+ dns_zone_log(zone, ISC_LOG_DEBUG(1),
+ "not reusable: filename mismatch");
+ return (ISC_FALSE);
+ }
return (ISC_TRUE);
}
diff --git a/bin/nsupdate/Makefile.in b/bin/nsupdate/Makefile.in
index a65aad9162ed..e86731bedd75 100644
--- a/bin/nsupdate/Makefile.in
+++ b/bin/nsupdate/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.36 2009-12-05 23:31:40 each Exp $
+# $Id: Makefile.in,v 1.36 2009/12/05 23:31:40 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/bin/nsupdate/nsupdate.1 b/bin/nsupdate/nsupdate.1
index 9d82891dda9f..58675975233e 100644
--- a/bin/nsupdate/nsupdate.1
+++ b/bin/nsupdate/nsupdate.1
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: nsupdate.1,v 1.13 2010-07-10 01:14:19 tbox Exp $
+.\" $Id$
.\"
.hy 0
.ad l
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 058088c8996e..743f32134687 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: nsupdate.c,v 1.193.12.3 2011-05-23 22:12:14 each Exp $ */
+/* $Id: nsupdate.c,v 1.193.12.4 2011/11/03 04:30:09 each Exp $ */
/*! \file */
@@ -2280,6 +2280,7 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
dns_message_destroy(&soaquery);
ddebug("Out of recvsoa");
done_update();
+ seenerror = ISC_TRUE;
return;
}
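Review bot: In this early-return path of recvsoa the error flag is set only after `done_update();` has run, so anything done_update() starts that reads seenerror would still see the old value. Swapping the two lines to `seenerror = ISC_TRUE;` followed by `done_update();` makes the ordering independent of what done_update() does. Whether the current order is actually observable depends on done_update() and on where seenerror is read, neither of which is in the hunk. A one-line comment saying which failure this branch reports would also help, since the condition that guards it is outside the hunk.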
diff --git a/bin/nsupdate/nsupdate.docbook b/bin/nsupdate/nsupdate.docbook
index 2a92af438dac..6378df7a7f1e 100644
--- a/bin/nsupdate/nsupdate.docbook
+++ b/bin/nsupdate/nsupdate.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: nsupdate.docbook,v 1.44 2010-07-09 23:46:51 tbox Exp $ -->
+<!-- $Id: nsupdate.docbook,v 1.44 2010/07/09 23:46:51 tbox Exp $ -->
<refentry id="man.nsupdate">
<refentryinfo>
<date>Aug 25, 2009</date>
diff --git a/bin/nsupdate/nsupdate.html b/bin/nsupdate/nsupdate.html
index f48831573e15..5c108e374611 100644
--- a/bin/nsupdate/nsupdate.html
+++ b/bin/nsupdate/nsupdate.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: nsupdate.html,v 1.50 2010-07-10 01:14:19 tbox Exp $ -->
+<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">nsupdate</code> [<code class="option">-d</code>] [<code class="option">-D</code>] [[<code class="option">-g</code>] | [<code class="option">-o</code>] | [<code class="option">-l</code>] | [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [filename]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543457"></a><h2>DESCRIPTION</h2>
+<a name="id2543459"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">nsupdate</strong></span>
is used to submit Dynamic DNS Update requests as defined in RFC 2136
to a name server.
@@ -192,7 +192,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543788"></a><h2>INPUT FORMAT</h2>
+<a name="id2543790"></a><h2>INPUT FORMAT</h2>
<p><span><strong class="command">nsupdate</strong></span>
reads input from
<em class="parameter"><code>filename</code></em>
@@ -480,7 +480,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544700"></a><h2>EXAMPLES</h2>
+<a name="id2544702"></a><h2>EXAMPLES</h2>
<p>
The examples below show how
<span><strong class="command">nsupdate</strong></span>
@@ -534,7 +534,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544744"></a><h2>FILES</h2>
+<a name="id2544746"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
<dd><p>
@@ -557,7 +557,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544827"></a><h2>SEE ALSO</h2>
+<a name="id2544829"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">RFC 2136</em>,
<em class="citetitle">RFC 3007</em>,
@@ -572,7 +572,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2542154"></a><h2>BUGS</h2>
+<a name="id2542156"></a><h2>BUGS</h2>
<p>
The TSIG key is redundantly stored in two separate files.
This is a consequence of nsupdate using the DST library
diff --git a/bin/rndc/Makefile.in b/bin/rndc/Makefile.in
index 6c7c56f4abf7..e67bad7efc59 100644
--- a/bin/rndc/Makefile.in
+++ b/bin/rndc/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.49 2009-12-05 23:31:40 each Exp $
+# $Id: Makefile.in,v 1.49 2009/12/05 23:31:40 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/bin/rndc/include/rndc/os.h b/bin/rndc/include/rndc/os.h
index 91986cb0c1dc..3f2c7767e859 100644
--- a/bin/rndc/include/rndc/os.h
+++ b/bin/rndc/include/rndc/os.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: os.h,v 1.12 2009-06-10 00:27:21 each Exp $ */
+/* $Id: os.h,v 1.12 2009/06/10 00:27:21 each Exp $ */
/*! \file */
diff --git a/bin/rndc/rndc.8 b/bin/rndc/rndc.8
index e4d723bb5197..7197ed0b9288 100644
--- a/bin/rndc/rndc.8
+++ b/bin/rndc/rndc.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: rndc.8,v 1.43 2009-07-11 01:12:46 tbox Exp $
+.\" $Id$
.\"
.hy 0
.ad l
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
index 1e9c3b064a8d..5811cfa141fa 100644
--- a/bin/rndc/rndc.c
+++ b/bin/rndc/rndc.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rndc.c,v 1.131.20.2 2011-02-28 01:19:59 tbox Exp $ */
+/* $Id: rndc.c,v 1.131.20.3 2011/11/03 22:06:31 each Exp $ */
/*! \file */
@@ -142,13 +142,17 @@ command is one of the following:\n\
Flush the given name from the server's cache(s)\n\
status Display status of the server.\n\
recursing Dump the queries that are currently recursing (named.recursing)\n\
+ tsig-list List all currently active TSIG keys, including both statically\n\
+ configured and TKEY-negotiated keys.\n\
+ tsig-delete keyname [view] \n\
+ Delete a TKEY-negotiated TSIG key.\n\
validation newstate [view]\n\
Enable / disable DNSSEC validation.\n\
- *restart Restart the server.\n\
addzone [\"file\"] zone [class [view]] { zone-options }\n\
Add zone to given view. Requires new-zone-file option.\n\
delzone [\"file\"] zone [class [view]]\n\
Removes zone from given view. Requires new-zone-file option.\n\
+ *restart Restart the server.\n\
\n\
* == not yet implemented\n\
Version: %s\n",
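Review bot: The added usage line `tsig-delete keyname [view] \n\` has a blank before the `\n`, unlike the neighbouring entries such as `validation newstate [view]\n\`, so the help text is printed with trailing whitespace. Dropping the blank, `tsig-delete keyname [view]\n\`, keeps the entries consistent. The string literal and its enclosing function start before the hunk.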
diff --git a/bin/rndc/rndc.conf b/bin/rndc/rndc.conf
index 057028a94b26..67542b91c7a2 100644
--- a/bin/rndc/rndc.conf
+++ b/bin/rndc/rndc.conf
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rndc.conf,v 1.11 2007-06-19 23:46:59 tbox Exp $ */
+/* $Id: rndc.conf,v 1.11 2007/06/19 23:46:59 tbox Exp $ */
/*
* Sample rndc configuration file.
diff --git a/bin/rndc/rndc.conf.5 b/bin/rndc/rndc.conf.5
index 54c4af9c21f8..694a4815dac6 100644
--- a/bin/rndc/rndc.conf.5
+++ b/bin/rndc/rndc.conf.5
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: rndc.conf.5,v 1.41 2009-07-11 01:12:46 tbox Exp $
+.\" $Id$
.\"
.hy 0
.ad l
diff --git a/bin/rndc/rndc.conf.docbook b/bin/rndc/rndc.conf.docbook
index 4a92682ca970..9de1995467fd 100644
--- a/bin/rndc/rndc.conf.docbook
+++ b/bin/rndc/rndc.conf.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: rndc.conf.docbook,v 1.17 2007-06-18 23:47:25 tbox Exp $ -->
+<!-- $Id: rndc.conf.docbook,v 1.17 2007/06/18 23:47:25 tbox Exp $ -->
<refentry id="man.rndc.conf">
<refentryinfo>
<date>June 30, 2000</date>
diff --git a/bin/rndc/rndc.conf.html b/bin/rndc/rndc.conf.html
index 463b99fd2c24..b0f904b2ab37 100644
--- a/bin/rndc/rndc.conf.html
+++ b/bin/rndc/rndc.conf.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: rndc.conf.html,v 1.32 2009-07-11 01:12:46 tbox Exp $ -->
+<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543352"></a><h2>DESCRIPTION</h2>
+<a name="id2543354"></a><h2>DESCRIPTION</h2>
<p><code class="filename">rndc.conf</code> is the configuration file
for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control
utility. This file has a similar structure and syntax to
@@ -117,7 +117,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543500"></a><h2>EXAMPLE</h2>
+<a name="id2543502"></a><h2>EXAMPLE</h2>
<pre class="programlisting">
options {
default-server localhost;
@@ -191,7 +191,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543592"></a><h2>NAME SERVER CONFIGURATION</h2>
+<a name="id2543594"></a><h2>NAME SERVER CONFIGURATION</h2>
<p>
The name server must be configured to accept rndc connections and
to recognize the key specified in the <code class="filename">rndc.conf</code>
@@ -201,7 +201,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543613"></a><h2>SEE ALSO</h2>
+<a name="id2543616"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
@@ -209,7 +209,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543652"></a><h2>AUTHOR</h2>
+<a name="id2543654"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/rndc/rndc.docbook b/bin/rndc/rndc.docbook
index 3bf63259c785..d407f2b515cb 100644
--- a/bin/rndc/rndc.docbook
+++ b/bin/rndc/rndc.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: rndc.docbook,v 1.21 2007-12-14 20:39:14 marka Exp $ -->
+<!-- $Id: rndc.docbook,v 1.21 2007/12/14 20:39:14 marka Exp $ -->
<refentry id="man.rndc">
<refentryinfo>
<date>June 30, 2000</date>
diff --git a/bin/rndc/rndc.html b/bin/rndc/rndc.html
index ecc0f318614a..4195c4e07e9f 100644
--- a/bin/rndc/rndc.html
+++ b/bin/rndc/rndc.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: rndc.html,v 1.32 2009-07-11 01:12:46 tbox Exp $ -->
+<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543413"></a><h2>DESCRIPTION</h2>
+<a name="id2543415"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">rndc</strong></span>
controls the operation of a name
server. It supersedes the <span><strong class="command">ndc</strong></span> utility
@@ -61,7 +61,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543448"></a><h2>OPTIONS</h2>
+<a name="id2543450"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
<dd><p>
@@ -133,7 +133,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543656"></a><h2>LIMITATIONS</h2>
+<a name="id2543658"></a><h2>LIMITATIONS</h2>
<p><span><strong class="command">rndc</strong></span>
does not yet support all the commands of
the BIND 8 <span><strong class="command">ndc</strong></span> utility.
@@ -147,7 +147,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543683"></a><h2>SEE ALSO</h2>
+<a name="id2543685"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@@ -157,7 +157,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543738"></a><h2>AUTHOR</h2>
+<a name="id2543740"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/rndc/util.c b/bin/rndc/util.c
index 8a7078a2135f..c654462bf04d 100644
--- a/bin/rndc/util.c
+++ b/bin/rndc/util.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: util.c,v 1.7 2007-06-19 23:46:59 tbox Exp $ */
+/* $Id: util.c,v 1.7 2007/06/19 23:46:59 tbox Exp $ */
/*! \file */
diff --git a/bin/rndc/util.h b/bin/rndc/util.h
index 8eba61a57ee2..d7277148ffa7 100644
--- a/bin/rndc/util.h
+++ b/bin/rndc/util.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: util.h,v 1.12 2009-09-29 23:48:03 tbox Exp $ */
+/* $Id: util.h,v 1.12 2009/09/29 23:48:03 tbox Exp $ */
#ifndef RNDC_UTIL_H
#define RNDC_UTIL_H 1
diff --git a/bin/tools/Makefile.in b/bin/tools/Makefile.in
index 35b8285715d2..a77376b251e6 100644
--- a/bin/tools/Makefile.in
+++ b/bin/tools/Makefile.in
@@ -12,7 +12,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.13 2010-01-07 23:48:53 tbox Exp $
+# $Id: Makefile.in,v 1.13 2010/01/07 23:48:53 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/bin/tools/arpaname.1 b/bin/tools/arpaname.1
index 66623801814f..5b582514224f 100644
--- a/bin/tools/arpaname.1
+++ b/bin/tools/arpaname.1
@@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: arpaname.1,v 1.4 2010-05-19 01:14:14 tbox Exp $
+.\" $Id$
.\"
.hy 0
.ad l
diff --git a/bin/tools/arpaname.c b/bin/tools/arpaname.c
index e7f14345dfd6..356a883a45da 100644
--- a/bin/tools/arpaname.c
+++ b/bin/tools/arpaname.c
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: arpaname.c,v 1.4 2009-10-27 03:05:33 marka Exp $ */
+/* $Id: arpaname.c,v 1.4 2009/10/27 03:05:33 marka Exp $ */
#include "config.h"
diff --git a/bin/tools/arpaname.docbook b/bin/tools/arpaname.docbook
index a7eb79e9c3b6..6fb3ca29e5a2 100644
--- a/bin/tools/arpaname.docbook
+++ b/bin/tools/arpaname.docbook
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: arpaname.docbook,v 1.1 2009-03-04 01:30:27 marka Exp $ -->
+<!-- $Id: arpaname.docbook,v 1.1 2009/03/04 01:30:27 marka Exp $ -->
<refentry id="man.arpaname">
<refentryinfo>
<date>March 4, 2009</date>
diff --git a/bin/tools/arpaname.html b/bin/tools/arpaname.html
index e44cfbd782e0..92f46b4f71f6 100644
--- a/bin/tools/arpaname.html
+++ b/bin/tools/arpaname.html
@@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: arpaname.html,v 1.4 2010-05-19 01:14:14 tbox Exp $ -->
+<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -31,20 +31,20 @@
<div class="cmdsynopsis"><p><code class="command">arpaname</code> {<em class="replaceable"><code>ipaddress </code></em>...}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543345"></a><h2>DESCRIPTION</h2>
+<a name="id2543347"></a><h2>DESCRIPTION</h2>
<p>
<span><strong class="command">arpaname</strong></span> translates IP addresses (IPv4 and
IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543357"></a><h2>SEE ALSO</h2>
+<a name="id2543360"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543371"></a><h2>AUTHOR</h2>
+<a name="id2543373"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/tools/genrandom.8 b/bin/tools/genrandom.8
index 5005658c9a14..38c1ccd67c24 100644
--- a/bin/tools/genrandom.8
+++ b/bin/tools/genrandom.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009-2011 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009-2012 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: genrandom.8,v 1.8.124.1 2011-08-09 01:52:58 tbox Exp $
+.\" $Id$
.\"
.hy 0
.ad l
@@ -65,5 +65,5 @@ The file name into which random data should be written.
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
-Copyright \(co 2009\-2011 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009\-2012 Internet Systems Consortium, Inc. ("ISC")
.br
diff --git a/bin/tools/genrandom.c b/bin/tools/genrandom.c
index 8473be259404..675e5043d601 100644
--- a/bin/tools/genrandom.c
+++ b/bin/tools/genrandom.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: genrandom.c,v 1.7 2010-05-17 23:51:04 tbox Exp $ */
+/* $Id: genrandom.c,v 1.7 2010/05/17 23:51:04 tbox Exp $ */
/*! \file */
#include <config.h>
diff --git a/bin/tools/genrandom.docbook b/bin/tools/genrandom.docbook
index b52ab4932a19..730aab99bb56 100644
--- a/bin/tools/genrandom.docbook
+++ b/bin/tools/genrandom.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2009-2011 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009-2012 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: genrandom.docbook,v 1.6.124.2 2011-08-08 23:45:44 tbox Exp $ -->
+<!-- $Id$ -->
<refentry id="man.genrandom">
<refentryinfo>
<date>Feb 19, 2009</date>
@@ -39,6 +39,7 @@
<year>2009</year>
<year>2010</year>
<year>2011</year>
+ <year>2012</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
diff --git a/bin/tools/genrandom.html b/bin/tools/genrandom.html
index c3b2993a05cc..f69b7ca2da21 100644
--- a/bin/tools/genrandom.html
+++ b/bin/tools/genrandom.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2009-2011 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009-2012 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: genrandom.html,v 1.8.124.1 2011-08-09 01:52:58 tbox Exp $ -->
+<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -31,7 +31,7 @@
<div class="cmdsynopsis"><p><code class="command">genrandom</code> [<code class="option">-n <em class="replaceable"><code>number</code></em></code>] {<em class="replaceable"><code>size</code></em>} {<em class="replaceable"><code>filename</code></em>}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543366"></a><h2>DESCRIPTION</h2>
+<a name="id2543370"></a><h2>DESCRIPTION</h2>
<p>
<span><strong class="command">genrandom</strong></span>
generates a file or a set of files containing a specified quantity
@@ -40,7 +40,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543379"></a><h2>ARGUMENTS</h2>
+<a name="id2543383"></a><h2>ARGUMENTS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-n <em class="replaceable"><code>number</code></em></span></dt>
<dd><p>
@@ -58,14 +58,14 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543440"></a><h2>SEE ALSO</h2>
+<a name="id2543444"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry"><span class="refentrytitle">rand</span>(3)</span>,
<span class="citerefentry"><span class="refentrytitle">arc4random</span>(3)</span>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543466"></a><h2>AUTHOR</h2>
+<a name="id2543470"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/tools/isc-hmac-fixup.8 b/bin/tools/isc-hmac-fixup.8
index 99c58c8304cf..c02ed03f4fb0 100644
--- a/bin/tools/isc-hmac-fixup.8
+++ b/bin/tools/isc-hmac-fixup.8
@@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: isc-hmac-fixup.8,v 1.4 2010-05-19 01:14:14 tbox Exp $
+.\" $Id$
.\"
.hy 0
.ad l
diff --git a/bin/tools/isc-hmac-fixup.c b/bin/tools/isc-hmac-fixup.c
index 09cb85deeebc..daf391a81cd6 100644
--- a/bin/tools/isc-hmac-fixup.c
+++ b/bin/tools/isc-hmac-fixup.c
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: isc-hmac-fixup.c,v 1.4 2010-03-10 02:17:52 marka Exp $ */
+/* $Id: isc-hmac-fixup.c,v 1.4 2010/03/10 02:17:52 marka Exp $ */
#include <config.h>
diff --git a/bin/tools/isc-hmac-fixup.docbook b/bin/tools/isc-hmac-fixup.docbook
index a3039ee814d9..c298a85861d7 100644
--- a/bin/tools/isc-hmac-fixup.docbook
+++ b/bin/tools/isc-hmac-fixup.docbook
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: isc-hmac-fixup.docbook,v 1.2 2010-01-07 21:52:11 each Exp $ -->
+<!-- $Id: isc-hmac-fixup.docbook,v 1.2 2010/01/07 21:52:11 each Exp $ -->
<refentry id="man.isc-hmac-fixup">
<refentryinfo>
<date>January 5, 2010</date>
diff --git a/bin/tools/isc-hmac-fixup.html b/bin/tools/isc-hmac-fixup.html
index 8b70777cd792..d39ebf0fa166 100644
--- a/bin/tools/isc-hmac-fixup.html
+++ b/bin/tools/isc-hmac-fixup.html
@@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: isc-hmac-fixup.html,v 1.4 2010-05-19 01:14:14 tbox Exp $ -->
+<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -31,7 +31,7 @@
<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code> {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543351"></a><h2>DESCRIPTION</h2>
+<a name="id2543352"></a><h2>DESCRIPTION</h2>
<p>
Versions of BIND 9 up to and including BIND 9.6 had a bug causing
HMAC-SHA* TSIG keys which were longer than the digest length of the
@@ -57,7 +57,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543374"></a><h2>SECURITY CONSIDERATIONS</h2>
+<a name="id2543376"></a><h2>SECURITY CONSIDERATIONS</h2>
<p>
Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span>
are shortened, but as this is how the HMAC protocol works in
@@ -68,14 +68,14 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543388"></a><h2>SEE ALSO</h2>
+<a name="id2543389"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2104</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543405"></a><h2>AUTHOR</h2>
+<a name="id2543406"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/tools/named-journalprint.8 b/bin/tools/named-journalprint.8
index 347b67b1bacd..670cd5d3dda0 100644
--- a/bin/tools/named-journalprint.8
+++ b/bin/tools/named-journalprint.8
@@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: named-journalprint.8,v 1.4 2010-05-19 01:14:14 tbox Exp $
+.\" $Id$
.\"
.hy 0
.ad l
diff --git a/bin/tools/named-journalprint.c b/bin/tools/named-journalprint.c
index 8a00aa7a85d9..36d1acd3136d 100644
--- a/bin/tools/named-journalprint.c
+++ b/bin/tools/named-journalprint.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named-journalprint.c,v 1.2 2009-12-04 21:59:23 marka Exp $ */
+/* $Id: named-journalprint.c,v 1.2 2009/12/04 21:59:23 marka Exp $ */
/*! \file */
#include <config.h>
diff --git a/bin/tools/named-journalprint.docbook b/bin/tools/named-journalprint.docbook
index d523f8c1aff2..d0bea2c483ad 100644
--- a/bin/tools/named-journalprint.docbook
+++ b/bin/tools/named-journalprint.docbook
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named-journalprint.docbook,v 1.2 2009-12-04 21:59:23 marka Exp $ -->
+<!-- $Id: named-journalprint.docbook,v 1.2 2009/12/04 21:59:23 marka Exp $ -->
<refentry id="man.named-journalprint">
<refentryinfo>
<date>Feb 18, 2009</date>
diff --git a/bin/tools/named-journalprint.html b/bin/tools/named-journalprint.html
index 8878fc506555..8639ee885a86 100644
--- a/bin/tools/named-journalprint.html
+++ b/bin/tools/named-journalprint.html
@@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named-journalprint.html,v 1.4 2010-05-19 01:14:14 tbox Exp $ -->
+<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -31,7 +31,7 @@
<div class="cmdsynopsis"><p><code class="command">named-journalprint</code> {<em class="replaceable"><code>journal</code></em>}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543342"></a><h2>DESCRIPTION</h2>
+<a name="id2543344"></a><h2>DESCRIPTION</h2>
<p>
<span><strong class="command">named-journalprint</strong></span>
prints the contents of a zone journal file in a human-readable
@@ -57,7 +57,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543378"></a><h2>SEE ALSO</h2>
+<a name="id2543379"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">nsupdate</span>(8)</span>,
@@ -65,7 +65,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543409"></a><h2>AUTHOR</h2>
+<a name="id2543410"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/tools/nsec3hash.8 b/bin/tools/nsec3hash.8
index 6fba8c886cf9..324391042c90 100644
--- a/bin/tools/nsec3hash.8
+++ b/bin/tools/nsec3hash.8
@@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: nsec3hash.8,v 1.5 2010-05-19 01:14:14 tbox Exp $
+.\" $Id$
.\"
.hy 0
.ad l
diff --git a/bin/tools/nsec3hash.c b/bin/tools/nsec3hash.c
index 0e2a910c9150..6a54163e689f 100644
--- a/bin/tools/nsec3hash.c
+++ b/bin/tools/nsec3hash.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006, 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2006, 2008, 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: nsec3hash.c,v 1.6 2009-10-06 21:20:44 each Exp $ */
+/* $Id$ */
#include <config.h>
@@ -60,7 +60,8 @@ check_result(isc_result_t result, const char *message) {
static void
usage() {
- fatal("salt hash iterations domain");
+ printf("Usage: %s salt algorithm iterations domain\n", program);
+ exit(1);
}
int
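Review bot: The new usage() prints its message with printf, so the text goes to standard output even though the program then exits with status 1. A script that captures the hash from stdout would receive the usage text as data. Writing to standard error keeps the error path separate: `fprintf(stderr, "Usage: %s salt algorithm iterations domain\n", program);`. The replaced call went through fatal(), whose output stream is not visible in this hunk.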
diff --git a/bin/tools/nsec3hash.docbook b/bin/tools/nsec3hash.docbook
index 48eb4afb41ca..d20eb83b990b 100644
--- a/bin/tools/nsec3hash.docbook
+++ b/bin/tools/nsec3hash.docbook
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: nsec3hash.docbook,v 1.3 2009-03-02 23:47:43 tbox Exp $ -->
+<!-- $Id: nsec3hash.docbook,v 1.3 2009/03/02 23:47:43 tbox Exp $ -->
<refentry id="man.nsec3hash">
<refentryinfo>
<date>Feb 18, 2009</date>
diff --git a/bin/tools/nsec3hash.html b/bin/tools/nsec3hash.html
index e6c09959f153..e5b5a14842a4 100644
--- a/bin/tools/nsec3hash.html
+++ b/bin/tools/nsec3hash.html
@@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: nsec3hash.html,v 1.5 2010-05-19 01:14:14 tbox Exp $ -->
+<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -31,7 +31,7 @@
<div class="cmdsynopsis"><p><code class="command">nsec3hash</code> {<em class="replaceable"><code>salt</code></em>} {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>iterations</code></em>} {<em class="replaceable"><code>domain</code></em>}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543367"></a><h2>DESCRIPTION</h2>
+<a name="id2543369"></a><h2>DESCRIPTION</h2>
<p>
<span><strong class="command">nsec3hash</strong></span> generates an NSEC3 hash based on
a set of NSEC3 parameters. This can be used to check the validity
@@ -39,7 +39,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543380"></a><h2>ARGUMENTS</h2>
+<a name="id2543382"></a><h2>ARGUMENTS</h2>
<div class="variablelist"><dl>
<dt><span class="term">salt</span></dt>
<dd><p>
@@ -63,14 +63,14 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543442"></a><h2>SEE ALSO</h2>
+<a name="id2543444"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 5155</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543459"></a><h2>AUTHOR</h2>
+<a name="id2543461"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/config.h.in b/config.h.in
index 477291da29fc..bafcadd2168d 100644
--- a/config.h.in
+++ b/config.h.in
@@ -16,7 +16,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: config.h.in,v 1.143.8.4 2011-03-10 04:29:14 each Exp $ */
+/* $Id$ */
/*! \file */
@@ -144,6 +144,9 @@ int sigwait(const unsigned int *set, int *sig);
/* Define if threads need PTHREAD_SCOPE_SYSTEM */
#undef NEED_PTHREAD_SCOPE_SYSTEM
+/* Define if building universal (internal helper macro) */
+#undef AC_APPLE_UNIVERSAL_BUILD
+
/* Define to enable the "filter-aaaa-on-v4" option. */
#undef ALLOW_FILTER_AAAA_ON_V4
@@ -380,6 +383,9 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to the one symbol short name of this package. */
#undef PACKAGE_TARNAME
+/* Define to the home page for this package. */
+#undef PACKAGE_URL
+
/* Define to the version of this package. */
#undef PACKAGE_VERSION
@@ -387,6 +393,9 @@ int sigwait(const unsigned int *set, int *sig);
(O_NDELAY/O_NONBLOCK). */
#undef PORT_NONBLOCK
+/* The size of `void *', as computed by sizeof. */
+#undef SIZEOF_VOID_P
+
/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS
@@ -400,9 +409,17 @@ int sigwait(const unsigned int *set, int *sig);
/* define if idnkit support is to be included. */
#undef WITH_IDN
-/* Define to 1 if your processor stores words with the most significant byte
- first (like Motorola and SPARC, unlike Intel and VAX). */
-#undef WORDS_BIGENDIAN
+/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
+ significant byte first (like Motorola and SPARC, unlike Intel). */
+#if defined AC_APPLE_UNIVERSAL_BUILD
+# if defined __BIG_ENDIAN__
+# define WORDS_BIGENDIAN 1
+# endif
+#else
+# ifndef WORDS_BIGENDIAN
+# undef WORDS_BIGENDIAN
+# endif
+#endif
/* Define to empty if `const' does not conform to ANSI C. */
#undef const
diff --git a/config.threads.in b/config.threads.in
index e7a8d609ccb1..a56ca37d4830 100644
--- a/config.threads.in
+++ b/config.threads.in
@@ -33,8 +33,9 @@ case $host in
*-*-sysv*OpenUNIX*)
# UnixWare
use_threads=true ;;
-*-netbsd[1234].*)
- # NetBSD earlier than NetBSD 5.0 has poor pthreads. Don't use it by default.
+[*-netbsd[1234].*])
+ # NetBSD earlier than NetBSD 5.0 has poor pthreads.
+ # Don't use it by default.
use_threads=false ;;
*-netbsd*)
use_threads=true ;;
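Review bot: The new patterns `[*-netbsd[1234].*])` here and `[*-bsdi[234]*])` in the next hunk look like a shell syntax slip to anyone reading this file as plain sh, and nothing in the file explains the outer brackets. Presumably the fragment is expanded by m4 when configure.in includes it, so the outer pair is the quoting that lets the inner character class reach the generated script; confirm this against how configure.in pulls the file in. A one-line comment above the case statement would stop a later cleanup from removing the brackets, e.g. `# Patterns that contain [...] carry an extra [ ] because this file is expanded by m4.` The case statement starts and ends outside both hunks.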
@@ -44,7 +45,7 @@ case $host in
use_threads=false ;;
*-freebsd*)
use_threads=false ;;
-*-bsdi[234]*)
+[*-bsdi[234]*])
# Thread signals do not work reliably on some versions of BSD/OS.
use_threads=false ;;
*-bsdi5*)
diff --git a/configure.in b/configure.in
index ff41067bdae2..2d7132c94dec 100644
--- a/configure.in
+++ b/configure.in
@@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl
esyscmd([sed "s/^/# /" COPYRIGHT])dnl
AC_DIVERT_POP()dnl
-AC_REVISION($Revision: 1.512.8.12 $)
+AC_REVISION($Revision: 1.512.8.15 $)
AC_INIT(lib/dns/name.c)
AC_PREREQ(2.59)
@@ -62,6 +62,25 @@ It is available from http://www.isc.org as a separate download.])
;;
esac
+AC_ARG_ENABLE(developer, [ --enable-developer enable developer build settings])
+case "$enable_developer" in
+yes)
+ test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
+ test "${with_atf+set}" = set || with_atf=yes
+ test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
+ test "${enable_rpz_nsip+set}" = set || enable_rpz_nsip=yes
+ test "${enable_rpz_nsdname+set}" = set || enable_rpz_nsdname=yes
+ test "${with_dlz_filesystem+set}" = set || with_dlz_filesystem=yes
+ case "$host" in
+ *-darwin*)
+ test "${enable_exportlib+set}" = set || enable_exportlib=yes
+ ;;
+ *-linux*)
+ test "${enable_exportlib+set}" = set || enable_exportlib=yes
+ ;;
+ esac
+ ;;
+esac
#
# Make very sure that these are the first files processed by
# config.status, since we use the processed output as the input for
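Review bot: The `*-darwin*)` and `*-linux*)` arms of the inner `case "$host"` are identical and can be a single arm, `*-darwin* | *-linux*)`, matching the alternation this commit uses further down for `*-linux* | *-kfreebsd*-gnu)`. Separately, `--enable-developer` switches on optional code (`with_dlz_filesystem`, `enable_rpz_nsip`, `enable_rpz_nsdname`, `enable_filter_aaaa`, `enable_fixed_rrset`) whenever the builder has not set those explicitly, yet the help text only says "enable developer build settings". Because that widens what is compiled into the server, the help string should say who the option is for, for example `[  --enable-developer    enable developer build settings (not for production builds)]`. Only the value `yes` is handled; every other value falls through without a message, which looks intentional.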
@@ -263,7 +282,7 @@ case "$host" in
# as it breaks how the two halves (Basic and Advanced) of the IPv6
# Socket API were designed to be used but we have to live with it.
# Define _GNU_SOURCE to pull in the IPv6 Advanced Socket API.
- *-linux*)
+ *-linux* | *-kfreebsd*-gnu)
STD_CDEFINES="$STD_CDEFINES -D_GNU_SOURCE"
CPPFLAGS="$CPPFLAGS -D_GNU_SOURCE"
;;
@@ -502,7 +521,6 @@ AC_SUBST(LWRES_PLATFORM_NEEDSYSSELECTH)
#
AC_C_BIGENDIAN
-
#
# was --with-openssl specified?
#
@@ -1437,9 +1455,9 @@ case $use_libtool in
O=lo
A=la
LIBTOOL_MKDEP_SED='s;\.o;\.lo;'
- LIBTOOL_MODE_COMPILE='--mode=compile'
- LIBTOOL_MODE_INSTALL='--mode=install'
- LIBTOOL_MODE_LINK='--mode=link'
+ LIBTOOL_MODE_COMPILE='--mode=compile --tag=CC'
+ LIBTOOL_MODE_INSTALL='--mode=install --tag=CC'
+ LIBTOOL_MODE_LINK='--mode=link --tag=CC'
case "$host" in
*) LIBTOOL_ALLOW_UNDEFINED= ;;
esac
diff --git a/doc/Makefile.in b/doc/Makefile.in
index 41d1f9703535..14d35bc2d648 100644
--- a/doc/Makefile.in
+++ b/doc/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.11 2007-06-19 23:47:13 tbox Exp $
+# $Id: Makefile.in,v 1.11 2007/06/19 23:47:13 tbox Exp $
# This Makefile is a placeholder. It exists merely to make
# sure that its directory gets created in the object directory
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index b899c8b40596..6137359bf1f4 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- File: $Id: Bv9ARM-book.xml,v 1.478.8.11 2011-08-02 04:58:46 each Exp $ -->
+<!-- File: $Id$ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
@@ -32,6 +32,7 @@
<year>2009</year>
<year>2010</year>
<year>2011</year>
+ <year>2012</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@@ -1462,6 +1463,31 @@ zone "eng.example.com" {
</varlistentry>
<varlistentry>
+ <term><userinput>tsig-list</userinput></term>
+ <listitem>
+ <para>
+ List the names of all TSIG keys currently configured
+ for use by <command>named</command> in each view. The
+ list both statically configured keys and dynamic
+ TKEY-negotiated keys.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>tsig-delete</userinput>
+ <replaceable>keyname</replaceable>
+ <optional><replaceable>view</replaceable></optional></term>
+ <listitem>
+ <para>
+ Delete a given TKEY-negotated key from the server.
+ (This does not apply to statically configured TSIG
+ keys.)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><userinput>addzone
<replaceable>zone</replaceable>
<optional><replaceable>class</replaceable>
@@ -1898,11 +1924,13 @@ controls {
</para>
<para>
- When acting as a slave, <acronym>BIND</acronym> 9 will
- attempt to use IXFR unless
- it is explicitly disabled. For more information about disabling
- IXFR, see the description of the <command>request-ixfr</command> clause
- of the <command>server</command> statement.
+ When acting as a slave, <acronym>BIND</acronym> 9 will attempt
+ to use IXFR unless it is explicitly disabled via the
+ <command>request-ixfr</command> option or the use of
+ <command>ixfr-from-differences</command>. For
+ more information about disabling IXFR, see the description
+ of the <command>request-ixfr</command> clause of the
+ <command>server</command> statement.
</para>
</sect1>
@@ -4645,6 +4673,19 @@ category notify { null; };
</para>
</entry>
</row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>RPZ</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Information about errors in response policy zone files,
+ rewritten responses, and at the highest
+ <command>debug</command> levels, mere rewriting
+ attempts.
+ </para>
+ </entry>
+ </row>
</tbody>
</tgroup>
</informaltable>
@@ -4993,6 +5034,10 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<optional> cache-file <replaceable>path_name</replaceable>; </optional>
<optional> dump-file <replaceable>path_name</replaceable>; </optional>
<optional> bindkeys-file <replaceable>path_name</replaceable>; </optional>
+ <optional> secroots-file <replaceable>path_name</replaceable>; </optional>
+ <optional> session-keyfile <replaceable>path_name</replaceable>; </optional>
+ <optional> session-keyname <replaceable>key_name</replaceable>; </optional>
+ <optional> session-keyalg <replaceable>algorithm_id</replaceable>; </optional>
<optional> memstatistics <replaceable>yes_or_no</replaceable>; </optional>
<optional> memstatistics-file <replaceable>path_name</replaceable>; </optional>
<optional> pid-file <replaceable>path_name</replaceable>; </optional>
@@ -5018,7 +5063,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<optional> ixfr-from-differences (<replaceable>yes_or_no</replaceable> | <constant>master</constant> | <constant>slave</constant>); </optional>
<optional> dnssec-enable <replaceable>yes_or_no</replaceable>; </optional>
<optional> dnssec-validation (<replaceable>yes_or_no</replaceable> | <constant>auto</constant>); </optional>
- <optional> dnssec-lookaside ( <replaceable>auto</replaceable> |
+ <optional> dnssec-lookaside ( <replaceable>auto</replaceable> |
+ <replaceable>no</replaceable> |
<replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable> ); </optional>
<optional> dnssec-must-be-secure <replaceable>domain yes_or_no</replaceable>; </optional>
<optional> dnssec-accept-expired <replaceable>yes_or_no</replaceable>; </optional>
@@ -5166,7 +5212,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<optional> resolver-query-timeout <replaceable>number</replaceable> ; </optional>
<optional> deny-answer-addresses { <replaceable>address_match_list</replaceable> } <optional> except-from { <replaceable>namelist</replaceable> } </optional>;</optional>
<optional> deny-answer-aliases { <replaceable>namelist</replaceable> } <optional> except-from { <replaceable>namelist</replaceable> } </optional>;</optional>
- <optional> response-policy { <replaceable>zone_name</replaceable> <optional> policy <replaceable>given</replaceable> | <replaceable>no-op</replaceable> | <replaceable>nxdomain</replaceable> | <replaceable>nodata</replaceable> | <replaceable>cname domain</replaceable> </optional> ; } ; </optional>
+ <optional> response-policy { <replaceable>zone_name</replaceable> <optional> policy given | disabled | passthru | nxdomain | nodata | cname <replaceable>domain</replaceable> </optional> ; } ; </optional>
};
</programlisting>
@@ -5516,7 +5562,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
The pathname of the file the server dumps
security roots to when instructed to do so with
<command>rndc secroots</command>.
- If not specified, the default is <filename>named.secroots</filename>.
+ If not specified, the default is
+ <filename>named.secroots</filename>.
</para>
</listitem>
</varlistentry>
@@ -5561,19 +5608,6 @@ badresp:1,adberr:0,findfail:0,valfail:0]
</varlistentry>
<varlistentry>
- <term><command>session-keyfile</command></term>
- <listitem>
- <para>
- The pathname of the file into which to write a session TSIG
- key for use by <command>nsupdate -l</command>. (See the
- discussion of the <command>update-policy</command>
- statement's <userinput>local</userinput> option for more
- details on this feature.)
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
<term><command>port</command></term>
<listitem>
<para>
@@ -5708,6 +5742,11 @@ options {
values for the DLV domain and trust anchor will be
used, along with a built-in key for validation.
</para>
+ <para>
+ If <command>dnssec-lookaside</command> is set to
+ <userinput>no</userinput>, then dnssec-lookaside
+ is not used.
+ </para>
<para>
The default DLV key is stored in the file
<filename>bind.keys</filename>;
@@ -8590,7 +8629,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<para>
Specify a private RDATA type to be used when generating
key signing records. The default is
- <literal>65535</literal>.
+ <literal>65534</literal>.
</para>
<para>
It is expected that this parameter may be removed
@@ -8853,10 +8892,11 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
and which queries should not be sent to the Internet's root
servers. The official servers which cover these namespaces
return NXDOMAIN responses to these queries. In particular,
- these cover the reverse namespace for addresses from RFC 1918 and
- RFC 3330. They also include the reverse namespace for IPv6 local
- address (locally assigned), IPv6 link local addresses, the IPv6
- loopback address and the IPv6 unknown address.
+ these cover the reverse namespaces for addresses from
+ RFC 1918, RFC 4193, and RFC 5737. They also include the
+ reverse namespace for IPv6 local address (locally assigned),
+ IPv6 link local addresses, the IPv6 loopback address and the
+ IPv6 unknown address.
</para>
<para>
Named will attempt to determine if a built-in zone already exists
@@ -9227,141 +9267,228 @@ deny-answer-aliases { "example.net"; };
<title>Response Policy Zone (RPZ) Rewriting</title>
<para>
<acronym>BIND</acronym> 9 includes an intentionally limited
- mechanism to modify DNS responses for recursive requests
- similar to email anti-spam DNS blacklists.
- All response policy zones are named in the
- <command>response-policy</command> option for the view or among the
- global options if there is no response-policy option for the view.
- </para>
+ mechanism to modify DNS responses for recursive requests
+ somewhat similar to email anti-spam DNS blacklists.
+ Responses can be changed to deny the existence of domains(NXDOMAIN),
+ deny the existence of IP addresses for domains (NODATA),
+ or contain other IP addresses or data.
+ </para>
- <para>
- The rules encoded in a response policy zone (RPZ) are applied
- only to responses to queries that ask for recursion (RD=1).
- RPZs are normal DNS zones containing RRsets
- that can be queried normally if allowed.
- It is usually best to restrict those queries with something like
- <command>allow-query {none; };</command> or
- <command>allow-query { 127.0.0.1; };</command>.
- </para>
+ <para>
+ The actions encoded in a response policy zone (RPZ) are applied
+ only to queries that ask for recursion (RD=1).
+ Response policy zones are named in the
+ <command>response-policy</command> option for the view or among the
+ global options if there is no response-policy option for the view.
+ RPZs are ordinary DNS zones containing RRsets
+ that can be queried normally if allowed.
+ It is usually best to restrict those queries with something like
+ <command>allow-query { localhost; };</command>.
+ </para>
- <para>
- There are four kinds of RPZ rewrite rules. QNAME rules are
- applied to query names in requests and to targets of CNAME
- records resolved in the process of generating the response.
- The owner name of a QNAME rule is the query name relativized
- to the RPZ.
- The records in a rewrite rule are usually A, AAAA, or special
- CNAMEs, but can be any type except DNAME.
- </para>
+ <para>
+ There are four kinds of RPZ records, QNAME, IP, NSIP,
+ and NSDNAME.
+ QNAME records are applied to query names of requests and targets
+ of CNAME records resolved to generate the response.
+ The owner name of a QNAME RPZ record is the query name relativized
+ to the RPZ.
+ </para>
- <para>
- IP rules are triggered by addresses in A and AAAA records.
- All IP addresses in A or AAAA RRsets are tested and the rule
- longest prefix is applied. Ties between rules with equal prefixes
- are broken in favor of the first RPZ mentioned in the
- response-policy option.
- The rule matching the smallest IP address is chosen among equal
- prefix rules from a single RPZ.
- IP rules are expressed in RRsets with owner names that are
- subdomains of rpz-ip and encoding an IP address block, reversed
- as in IN-ARPA.
- prefix.B.B.B.B with prefix between 1 and 32 and B between 1 and 255
- encodes an IPv4 address.
- IPv6 addresses are encoded by with prefix.W.W.W.W.W.W.W.W or
- prefix.WORDS.zz.WORDS. The words in the standard IPv6 text
- representation are reversed, "::" is replaced with ".zz.",
- and ":" becomes ".".
- </para>
+ <para>
+ The second kind of RPZ record, an IP policy record,
+ is triggered by addresses in A and AAAA records
+ for the ANSWER sections of responses.
+ IP policy records have owner names that are
+ subdomains of <userinput>rpz-ip</userinput> relativized to the
+ RPZ origin name and encode an IP address or address block.
+ IPv4 addresses are encoded as
+ <userinput>prefixlength.B4.B3.B2.B1.rpz-ip</userinput>.
+ The prefix length must be between 1 and 32.
+ All four bytes, B4, B3, B2, and B1, must be present.
+ B4 is the decimal value of the least significant byte of the
+ IPv4 address as in IN-ADDR.ARPA.
+ IPv6 addresses are encoded in a format similar to the standard
+ IPv6 text representation,
+ <userinput>prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-ip</userinput>.
+ Each of W8,...,W1 is a one to four digit hexadecimal number
+ representing 16 bits of the IPv6 address as in the standard text
+ representation of IPv6 addresses, but reversed as in IN-ADDR.ARPA.
+ All 8 words must be present except when consecutive
+ zero words are replaced with <userinput>.zz.</userinput>
+ analogous to double colons (::) in standard IPv6 text encodings.
+ The prefix length must be between 1 and 128.
+ </para>
- <para>
- NSDNAME rules match names in NS RRsets for the response or a
- parent. They are encoded as subdomains of rpz-nsdomain relativized
- to the RPZ origin name.
- </para>
+ <para>
+ NSDNAME policy records match names of authoritative servers
+ for the query name, a parent of the query name, a CNAME,
+ or a parent of a CNAME.
+ They are encoded as subdomains of
+ <userinput>rpz-nsdomain</userinput> relativized
+ to the RPZ origin name.
+ </para>
- <para>
- NSIP rules match IP addresses in A and AAAA RRsets for names of
- responsible servers or the names that can be matched by NSDNAME
- rules. The are encoded like IP rules except as subdomains of
- rpz-nsip.
+ <para>
+ NSIP policy records match IP addresses in A and AAAA RRsets
+ for domains that can be checked against NSDNAME policy records.
+ The are encoded like IP policies except as subdomains of
+ <userinput>rpz-nsip</userinput>.
</para>
<para>
- Authority verification issues and variations in authority data in
- the current version of <acronym>BIND</acronym> 9 can cause
- inconsistent results from NSIP and NSDNAME. So they are available
+ The query response is checked against all RPZs, so
+ two or more policy records can apply to a single response.
+ Because DNS responses can be rewritten according by at most a
+ single policy record, a single policy (other than
+ <command>DISABLED</command> policies) must be chosen.
+ Policies are chosen in the following order:
+ <itemizedlist>
+ <listitem>Among applicable zones, use the RPZ that appears first
+ in the response-policy option.
+ </listitem>
+ <listitem>Prefer QNAME to IP to NSDNAME to NSIP policy records
+ in a single RPZ
+ </listitem>
+ <listitem>Among applicable NSDNAME policy records, prefer the
+ policy record that matches the lexically smallest name
+ </listitem>
+ <listitem>Among IP or NSIP policy records, prefer the record
+ with the longest prefix.
+ </listitem>
+ <listitem>Among records with the same prefex length,
+ prefer the IP or NSIP policy record that matches
+ the smallest IP address.
+ </listitem>
+ </itemizedlist>
+ </para>
+
+ <para>
+ When the processing of a response is restarted to resolve
+ DNAME or CNAME records and an applicable policy record set has
+ not been found,
+ all RPZs are again consulted for the DNAME or CNAME names
+ and addresses.
+ </para>
+
+ <para>
+ Authority verification issues and variations in authority data
+ can cause inconsistent results for NSIP and NSDNAME policy records.
+ Glue NS records often differ from authoritative NS records.
+ So they are available
only when <acronym>BIND</acronym> is built with the
<userinput>--enable-rpz-nsip</userinput> or
<userinput>--enable-rpz-nsdname</userinput> options
- on the "configure" command line.
- </para>
+ on the "configure" command line.
+ </para>
- <para>
- Four policies can be expressed.
- The <command>NXDOMAIN</command> policy causes a NXDOMAIN response
- and is expressed with an RRset consisting of a single CNAME
- whose target is the root domain (.).
- <command>NODATA</command> generates NODATA or ANCOUNT=1 regardless
- of query type.
- It is expressed with a CNAME whose target is the wildcard
- top-level domain (*.).
- The <command>NO-OP</command> policy does not change the response
- and is used to "poke holes" in policies for larger CIDR blocks or in
- zones named later in the <command>response-policy</command> option.
- The NO-OP policy is expressed by a CNAME with a target consisting
- of the variable part of the owner name, such as "example.com." for
- a QNAME rule or "128.1.0.0.127." for an IP rule.
- The <command>CNAME</command> policy is used to replace the RRsets
- of response.
- A and AAAA RRsets are most common and useful to capture
- an evil domain in a walled garden, but any valid set of RRsets
- is possible.
- </para>
+ <para>
+ RPZ record sets are special CNAME records or one or more
+ of any types of DNS record except DNAME or DNSSEC.
+ Except when a policy record is a CNAME, there can be more
+ more than one record and more than one type
+ in a set of policy records.
+ Except for three kinds of CNAME records that are illegal except
+ in policy zones, the records in a set are used in the response as if
+ their owner name were the query name. They are copied to the
+ response as dictated by their types.
+ <itemizedlist>
+ <listitem>A CNAME whose target is the root domain (.)
+ specifies the <command>NXDOMAIN</command> policy,
+ which generates an NXDOMAIN response.
+ </listitem>
+ <listitem>A CNAME whose target is the wildcard top-level
+ domain (*.) specifies the <command>NODATA</command> policy,
+ which rewrites the response to NODATA or ANCOUNT=1.
+ </listitem>
+ <listitem>A CNAME whose target is a wildcard hostname such
+ as *.example.com is used normally after the astrisk (*)
+ has been replaced with the query name.
+ These records are usually resolved with ordinary CNAMEs
+ outside the policy zones. They can be useful for logging.
+ </listitem>
+ <listitem>The <command>PASSTHRU</command> policy is specified
+ by a CNAME whose target is the variable part of its own
+ owner name. It causes the response to not be rewritten
+ and is most often used to "poke holes" in policies for
+ CIDR blocks.
+ </listitem>
+ </itemizedlist>
+ </para>
- <para>
- All of the policies in an RPZ can be overridden with a
- <command>policy</command> clause.
- <command>given</command> says "do not override."
- <command>no-op</command> says "do nothing" regardless of the policy
- in RPZ records.
- <command>nxdomain</command> causes all RPZ rules to generate
- NXDOMAIN results.
- <command>nodata</command> gives nodata.
- <command>cname domain</command> causes all RPZ rules to act as if
- the consisted of a "cname domain" record.
- </para>
+ <para>
+ The policies specified in individual records
+ in an RPZ can be overridden with a <command>policy</command> clause
+ in the <command>response-policy</command> option.
+ An organization using an RPZ provided by another organization might
+ use this mechanism to redirect domains to its own walled garden.
+ <itemizedlist>
+ <listitem><command>GIVEN</command> says "do not override."
+ </listitem>
+ <listitem><command>DISABLED</command> causes policy records to do
+ nothing but log what they might have done.
+ The response to the DNS query will be written according to
+ any matching policy records that are not disabled.
+ Policy zones overridden with <command>DISABLED</command> should
+ appear first, because they will often not be logged
+ if a higher precedence policy is found first.
+ </listitem>
+ <listitem><command>PASSTHRU</command> causes all policy records
+ to act as if they were CNAME records with targets the variable
+ part of their owner name. They protect the response from
+ being changed.
+ </listitem>
+ <listitem><command>NXDOMAIN</command> causes all RPZ records
+ to specify NXDOMAIN policies.
+ </listitem>
+ <listitem><command>NODATA</command> overrides with the
+ NODATA policy
+ </listitem>
+ <listitem><command>CNAME domain</command> causes all RPZ
+ policy records to act as if they were "cname domain" records.
+ </listitem>
+ </itemizedlist>
+ </para>
- <para>
- For example, you might use this option statement
+ <para>
+ For example, you might use this option statement
</para>
-<programlisting>response-policy { zone "bl"; };</programlisting>
+<programlisting> response-policy { zone "badlist"; };</programlisting>
<para>
and this zone statement
</para>
-<programlisting>zone "bl" {type master; file "example/bl"; allow-query {none;}; };</programlisting>
+<programlisting> zone "badlist" {type master; file "master/badlist"; allow-query {none;}; };</programlisting>
<para>
with this zone file
</para>
<programlisting>$TTL 1H
-@ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
+@ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
+ NS LOCALHOST.
-; QNAME rules
-nxdomain.domain.com CNAME .
-nodata.domain.com CNAME *.
-bad.domain.com A 10.0.0.1
- AAAA 2001:2::1
-ok.domain.com CNAME ok.domain.com.
-*.badzone.domain.com CNAME garden.example.com.
+; QNAME policy records. There are no periods (.) after the owner names.
+nxdomain.domain.com CNAME . ; NXDOMAIN policy
+nodata.domain.com CNAME *. ; NODATA policy
+bad.domain.com A 10.0.0.1 ; redirect to a walled garden
+ AAAA 2001:2::1
-; IP rules rewriting all answers for 127/8 except 127.0.0.1
-8.0.0.0.127.ip CNAME .
-32.1.0.0.127.ip CNAME 32.1.0.0.127.
+; do not rewrite (PASSTHRU) OK.DOMAIN.COM
+ok.domain.com CNAME ok.domain.com.
-; NSDNAME and NSIP rules
+bzone.domain.com CNAME garden.example.com.
+
+; redirect x.bzone.domain.com to x.bzone.domain.com.garden.example.com
+*.bzone.domain.com CNAME *.garden.example.com.
+
+
+; IP policy records that rewrite all answers for 127/8 except 127.0.0.1
+8.0.0.0.127.rpz-ip CNAME .
+32.1.0.0.127.rpz-ip CNAME 32.1.0.0.127. ; PASSTHRU for 127.0.0.1
+
+; NSDNAME and NSIP policy records
ns.domain.com.rpz-nsdname CNAME .
48.zz.2.2001.rpz-nsip CNAME .
</programlisting>
- </sect3>
+ </sect3>
</sect2>
<sect2 id="server_statement_grammar">
@@ -14725,9 +14852,8 @@ HOST-127.EXAMPLE. MX 0 .
// RFC1918 space and some reserved space, which is
// commonly used in spoofing attacks.
acl bogusnets {
- 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24;
- 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12;
- 192.168.0.0/16;
+ 0.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
+ 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};
// Set up an ACL called our-nets. Replace this with the
diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html
index f0ec1299e5ab..420d7b355996 100644
--- a/doc/arm/Bv9ARM.ch01.html
+++ b/doc/arm/Bv9ARM.ch01.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch01.html,v 1.49.14.1 2011-06-22 02:37:19 tbox Exp $ -->
+<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -45,17 +45,17 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564371">Scope of Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564394">Organization of This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564534">Conventions Used in This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564715">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564375">Scope of Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564398">Organization of This Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564538">Conventions Used in This Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564720">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564737">DNS Fundamentals</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564771">Domains and Domain Names</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567176">Zones</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567253">Authoritative Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567426">Caching Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567556">Name Servers in Multiple Roles</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564741">DNS Fundamentals</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564775">Domains and Domain Names</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567180">Zones</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567257">Authoritative Name Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567430">Caching Name Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567560">Name Servers in Multiple Roles</a></span></dt>
</dl></dd>
</dl>
</div>
@@ -71,7 +71,7 @@
</p>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2564371"></a>Scope of Document</h2></div></div></div>
+<a name="id2564375"></a>Scope of Document</h2></div></div></div>
<p>
The Berkeley Internet Name Domain
(<acronym class="acronym">BIND</acronym>) implements a
@@ -87,7 +87,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2564394"></a>Organization of This Document</h2></div></div></div>
+<a name="id2564398"></a>Organization of This Document</h2></div></div></div>
<p>
In this document, <span class="emphasis"><em>Chapter 1</em></span> introduces
the basic <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> concepts. <span class="emphasis"><em>Chapter 2</em></span>
@@ -116,7 +116,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2564534"></a>Conventions Used in This Document</h2></div></div></div>
+<a name="id2564538"></a>Conventions Used in This Document</h2></div></div></div>
<p>
In this document, we use the following general typographic
conventions:
@@ -243,7 +243,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2564715"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
+<a name="id2564720"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
<p>
The purpose of this document is to explain the installation
and upkeep of the <acronym class="acronym">BIND</acronym> (Berkeley Internet
@@ -253,7 +253,7 @@
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2564737"></a>DNS Fundamentals</h3></div></div></div>
+<a name="id2564741"></a>DNS Fundamentals</h3></div></div></div>
<p>
The Domain Name System (DNS) is a hierarchical, distributed
database. It stores information for mapping Internet host names to
@@ -275,7 +275,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2564771"></a>Domains and Domain Names</h3></div></div></div>
+<a name="id2564775"></a>Domains and Domain Names</h3></div></div></div>
<p>
The data stored in the DNS is identified by <span class="emphasis"><em>domain names</em></span> that are organized as a tree according to
organizational or administrative boundaries. Each node of the tree,
@@ -321,7 +321,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567176"></a>Zones</h3></div></div></div>
+<a name="id2567180"></a>Zones</h3></div></div></div>
<p>
To properly operate a name server, it is important to understand
the difference between a <span class="emphasis"><em>zone</em></span>
@@ -374,7 +374,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567253"></a>Authoritative Name Servers</h3></div></div></div>
+<a name="id2567257"></a>Authoritative Name Servers</h3></div></div></div>
<p>
Each zone is served by at least
one <span class="emphasis"><em>authoritative name server</em></span>,
@@ -391,7 +391,7 @@
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2567276"></a>The Primary Master</h4></div></div></div>
+<a name="id2567281"></a>The Primary Master</h4></div></div></div>
<p>
The authoritative server where the master copy of the zone
data is maintained is called the
@@ -411,7 +411,7 @@
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2567374"></a>Slave Servers</h4></div></div></div>
+<a name="id2567379"></a>Slave Servers</h4></div></div></div>
<p>
The other authoritative servers, the <span class="emphasis"><em>slave</em></span>
servers (also known as <span class="emphasis"><em>secondary</em></span> servers)
@@ -427,7 +427,7 @@
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2567396"></a>Stealth Servers</h4></div></div></div>
+<a name="id2567400"></a>Stealth Servers</h4></div></div></div>
<p>
Usually all of the zone's authoritative servers are listed in
NS records in the parent zone. These NS records constitute
@@ -462,7 +462,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567426"></a>Caching Name Servers</h3></div></div></div>
+<a name="id2567430"></a>Caching Name Servers</h3></div></div></div>
<p>
The resolver libraries provided by most operating systems are
<span class="emphasis"><em>stub resolvers</em></span>, meaning that they are not
@@ -489,7 +489,7 @@
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2567529"></a>Forwarding</h4></div></div></div>
+<a name="id2567533"></a>Forwarding</h4></div></div></div>
<p>
Even a caching name server does not necessarily perform
the complete recursive lookup itself. Instead, it can
@@ -516,7 +516,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567556"></a>Name Servers in Multiple Roles</h3></div></div></div>
+<a name="id2567560"></a>Name Servers in Multiple Roles</h3></div></div></div>
<p>
The <acronym class="acronym">BIND</acronym> name server can
simultaneously act as
diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html
index a9fde322a12c..296578197166 100644
--- a/doc/arm/Bv9ARM.ch02.html
+++ b/doc/arm/Bv9ARM.ch02.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch02.html,v 1.43 2011-01-05 01:14:07 tbox Exp $ -->
+<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -45,16 +45,16 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567590">Hardware requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567617">CPU Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567629">Memory Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567724">Name Server Intensive Environment Issues</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567735">Supported Operating Systems</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567594">Hardware requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567621">CPU Requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567634">Memory Requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567729">Name Server Intensive Environment Issues</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567739">Supported Operating Systems</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567590"></a>Hardware requirements</h2></div></div></div>
+<a name="id2567594"></a>Hardware requirements</h2></div></div></div>
<p>
<acronym class="acronym">DNS</acronym> hardware requirements have
traditionally been quite modest.
@@ -73,7 +73,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567617"></a>CPU Requirements</h2></div></div></div>
+<a name="id2567621"></a>CPU Requirements</h2></div></div></div>
<p>
CPU requirements for <acronym class="acronym">BIND</acronym> 9 range from
i486-class machines
@@ -84,7 +84,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567629"></a>Memory Requirements</h2></div></div></div>
+<a name="id2567634"></a>Memory Requirements</h2></div></div></div>
<p>
The memory of the server has to be large enough to fit the
cache and zones loaded off disk. The <span><strong class="command">max-cache-size</strong></span>
@@ -107,7 +107,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567724"></a>Name Server Intensive Environment Issues</h2></div></div></div>
+<a name="id2567729"></a>Name Server Intensive Environment Issues</h2></div></div></div>
<p>
For name server intensive environments, there are two alternative
configurations that may be used. The first is where clients and
@@ -124,7 +124,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567735"></a>Supported Operating Systems</h2></div></div></div>
+<a name="id2567739"></a>Supported Operating Systems</h2></div></div></div>
<p>
ISC <acronym class="acronym">BIND</acronym> 9 compiles and runs on a large
number
diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html
index aaaa96a52b71..32000b188659 100644
--- a/doc/arm/Bv9ARM.ch03.html
+++ b/doc/arm/Bv9ARM.ch03.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch03.html,v 1.83.8.1 2011-05-24 02:37:17 tbox Exp $ -->
+<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -47,14 +47,14 @@
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567767">A Caching-only Name Server</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567988">An Authoritative-only Name Server</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567771">A Caching-only Name Server</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567992">An Authoritative-only Name Server</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568010">Load Balancing</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568364">Name Server Operations</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568014">Load Balancing</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568369">Name Server Operations</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568370">Tools for Use With the Name Server Daemon</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570378">Signals</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568374">Tools for Use With the Name Server Daemon</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570421">Signals</a></span></dt>
</dl></dd>
</dl>
</div>
@@ -68,7 +68,7 @@
<a name="sample_configuration"></a>Sample Configurations</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567767"></a>A Caching-only Name Server</h3></div></div></div>
+<a name="id2567771"></a>A Caching-only Name Server</h3></div></div></div>
<p>
The following sample configuration is appropriate for a caching-only
name server for use by clients internal to a corporation. All
@@ -98,7 +98,7 @@ zone "0.0.127.in-addr.arpa" {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567988"></a>An Authoritative-only Name Server</h3></div></div></div>
+<a name="id2567992"></a>An Authoritative-only Name Server</h3></div></div></div>
<p>
This sample configuration is for an authoritative-only server
that is the master server for "<code class="filename">example.com</code>"
@@ -146,7 +146,7 @@ zone "eng.example.com" {
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2568010"></a>Load Balancing</h2></div></div></div>
+<a name="id2568014"></a>Load Balancing</h2></div></div></div>
<p>
A primitive form of load balancing can be achieved in
the <acronym class="acronym">DNS</acronym> by using multiple records
@@ -289,10 +289,10 @@ zone "eng.example.com" {
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2568364"></a>Name Server Operations</h2></div></div></div>
+<a name="id2568369"></a>Name Server Operations</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2568370"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
+<a name="id2568374"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
<p>
This section describes several indispensable diagnostic,
administrative and monitoring tools available to the system
@@ -670,6 +670,21 @@ zone "eng.example.com" {
set to <strong class="userinput"><code>yes</code></strong> to be effective.
It defaults to enabled.
</p></dd>
+<dt><span class="term"><strong class="userinput"><code>tsig-list</code></strong></span></dt>
+<dd><p>
+ List the names of all TSIG keys currently configured
+ for use by <span><strong class="command">named</strong></span> in each view. The
+ list both statically configured keys and dynamic
+ TKEY-negotiated keys.
+ </p></dd>
+<dt><span class="term"><strong class="userinput"><code>tsig-delete</code></strong>
+ <em class="replaceable"><code>keyname</code></em>
+ [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt>
+<dd><p>
+ Delete a given TKEY-negotated key from the server.
+ (This does not apply to statically configured TSIG
+ keys.)
+ </p></dd>
<dt><span class="term"><strong class="userinput"><code>addzone
<em class="replaceable"><code>zone</code></em>
[<span class="optional"><em class="replaceable"><code>class</code></em>
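Review bot: The added `tsig-list` entry drops its verb and the `tsig-delete` entry misspells a word: `The list both statically configured keys` should read `The list includes both statically configured keys`, and `TKEY-negotated` should be `TKEY-negotiated`. The `tsig-delete` entry marks `view` as optional but never says which views are affected when it is omitted; one sentence stating that would tell an operator the scope of a key removal before running it. This page looks like generated output inside a vendor import, so the corrections presumably belong in the upstream documentation source rather than in this file.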
@@ -873,7 +888,7 @@ controls {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570378"></a>Signals</h3></div></div></div>
+<a name="id2570421"></a>Signals</h3></div></div></div>
<p>
Certain UNIX signals cause the name server to take specific
actions, as described in the following table. These signals can
diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html
index f1d0a6ccf13a..202439f5af24 100644
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch04.html,v 1.125.8.9 2011-08-03 02:35:12 tbox Exp $ -->
+<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -49,59 +49,59 @@
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570885">Split DNS</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570903">Example split DNS setup</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570934">Split DNS</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570952">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571336">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571478">Copying the Shared Secret to Both Machines</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571489">Informing the Servers of the Key's Existence</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571525">Instructing the Server to Use the Key</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571651">TSIG Key Based Access Control</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571700">Errors</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564012">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564086">Copying the Shared Secret to Both Machines</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571811">Informing the Servers of the Key's Existence</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571847">Instructing the Server to Use the Key</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571905">TSIG Key Based Access Control</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571954">Errors</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571714">TKEY</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2563980">SIG(0)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571968">TKEY</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572153">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564117">Generating Keys</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572183">Signing the Zone</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572264">Configuring Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572221">Generating Keys</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572300">Signing the Zone</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572381">Configuring Servers</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563484">Converting from insecure to secure</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563522">Dynamic DNS update method</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563626">Fully automatic zone signing</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563777">Private-type records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563814">DNSKEY rollovers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563827">Dynamic DNS update method</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563860">Automatic key rollovers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563886">NSEC3PARAM rollovers via UPDATE</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563896">Converting from NSEC to NSEC3</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563906">Converting from NSEC3 to NSEC</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563918">Converting from secure to insecure</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563956">Periodic re-signing</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571816">NSEC3 and OPTOUT</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571421">Converting from insecure to secure</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571459">Dynamic DNS update method</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563508">Fully automatic zone signing</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563590">Private-type records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563696">DNSKEY rollovers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563708">Dynamic DNS update method</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563741">Automatic key rollovers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563836">NSEC3PARAM rollovers via UPDATE</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563846">Converting from NSEC to NSEC3</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563856">Converting from NSEC3 to NSEC</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563868">Converting from secure to insecure</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563906">Periodic re-signing</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563915">NSEC3 and OPTOUT</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571869">Validating Resolver</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571892">Authoritative Server</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571685">Validating Resolver</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571707">Authoritative Server</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS #11 (Cryptoki) support</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2609757">Prerequisites</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2607912">Building BIND 9 with PKCS#11</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608144">PKCS #11 Tools</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608174">Using the HSM</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610353">Specifying the engine on the command line</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610467">Running named with automatic zone re-signing</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2609970">Prerequisites</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608219">Building BIND 9 with PKCS#11</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610529">PKCS #11 Tools</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610560">Using the HSM</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2635129">Specifying the engine on the command line</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2635243">Running named with automatic zone re-signing</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572484">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572669">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572819">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572840">Address to Name Lookups Using Nibble Format</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572868">Address Lookups Using AAAA Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572889">Address to Name Lookups Using Nibble Format</a></span></dt>
</dl></dd>
</dl>
</div>
@@ -247,16 +247,18 @@
to <strong class="userinput"><code>yes</code></strong>.
</p>
<p>
- When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
- attempt to use IXFR unless
- it is explicitly disabled. For more information about disabling
- IXFR, see the description of the <span><strong class="command">request-ixfr</strong></span> clause
- of the <span><strong class="command">server</strong></span> statement.
+ When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will attempt
+ to use IXFR unless it is explicitly disabled via the
+ <span><strong class="command">request-ixfr</strong></span> option or the use of
+ <span><strong class="command">ixfr-from-differences</strong></span>. For
+ more information about disabling IXFR, see the description
+ of the <span><strong class="command">request-ixfr</strong></span> clause of the
+ <span><strong class="command">server</strong></span> statement.
</p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2570885"></a>Split DNS</h2></div></div></div>
+<a name="id2570934"></a>Split DNS</h2></div></div></div>
<p>
Setting up different views, or visibility, of the DNS space to
internal and external resolvers is usually referred to as a
@@ -286,7 +288,7 @@
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570903"></a>Example split DNS setup</h3></div></div></div>
+<a name="id2570952"></a>Example split DNS setup</h3></div></div></div>
<p>
Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
(<code class="literal">example.com</code>)
@@ -543,7 +545,7 @@ nameserver 172.16.72.4
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571336"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
+<a name="id2564012"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
<p>
A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
An arbitrary key name is chosen: "host1-host2.". The key name must
@@ -551,7 +553,7 @@ nameserver 172.16.72.4
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2571353"></a>Automatic Generation</h4></div></div></div>
+<a name="id2564029"></a>Automatic Generation</h4></div></div></div>
<p>
The following command will generate a 128-bit (16 byte) HMAC-SHA256
key as described above. Longer keys are better, but shorter keys
@@ -575,7 +577,7 @@ nameserver 172.16.72.4
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2571392"></a>Manual Generation</h4></div></div></div>
+<a name="id2564068"></a>Manual Generation</h4></div></div></div>
<p>
The shared secret is simply a random sequence of bits, encoded
in base-64. Most ASCII strings are valid base-64 strings (assuming
@@ -590,7 +592,7 @@ nameserver 172.16.72.4
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571478"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
+<a name="id2564086"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
<p>
This is beyond the scope of DNS. A secure transport mechanism
should be used. This could be secure FTP, ssh, telephone, etc.
@@ -598,7 +600,7 @@ nameserver 172.16.72.4
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571489"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
+<a name="id2571811"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
<p>
Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span>
are
@@ -625,7 +627,7 @@ key host1-host2. {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571525"></a>Instructing the Server to Use the Key</h3></div></div></div>
+<a name="id2571847"></a>Instructing the Server to Use the Key</h3></div></div></div>
<p>
Since keys are shared between two hosts only, the server must
be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
@@ -657,7 +659,7 @@ server 10.1.2.3 {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571651"></a>TSIG Key Based Access Control</h3></div></div></div>
+<a name="id2571905"></a>TSIG Key Based Access Control</h3></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> allows IP addresses and ranges
to be specified in ACL
@@ -684,7 +686,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571700"></a>Errors</h3></div></div></div>
+<a name="id2571954"></a>Errors</h3></div></div></div>
<p>
The processing of TSIG signed messages can result in
several errors. If a signed message is sent to a non-TSIG aware
@@ -710,7 +712,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2571714"></a>TKEY</h2></div></div></div>
+<a name="id2571968"></a>TKEY</h2></div></div></div>
<p><span><strong class="command">TKEY</strong></span>
is a mechanism for automatically generating a shared secret
between two hosts. There are several "modes" of
@@ -746,7 +748,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2563980"></a>SIG(0)</h2></div></div></div>
+<a name="id2572153"></a>SIG(0)</h2></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0)
transaction signatures as specified in RFC 2535 and RFC 2931.
@@ -807,7 +809,7 @@ allow-update { key host1-host2. ;};
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2564117"></a>Generating Keys</h3></div></div></div>
+<a name="id2572221"></a>Generating Keys</h3></div></div></div>
<p>
The <span><strong class="command">dnssec-keygen</strong></span> program is used to
generate keys.
@@ -863,7 +865,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2572183"></a>Signing the Zone</h3></div></div></div>
+<a name="id2572300"></a>Signing the Zone</h3></div></div></div>
<p>
The <span><strong class="command">dnssec-signzone</strong></span> program is used
to sign a zone.
@@ -905,7 +907,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2572264"></a>Configuring Servers</h3></div></div></div>
+<a name="id2572381"></a>Configuring Servers</h3></div></div></div>
<p>
To enable <span><strong class="command">named</strong></span> to respond appropriately
to DNS requests from DNSSEC aware clients,
@@ -1065,7 +1067,7 @@ options {
from insecure to signed and back again. A secure zone can use
either NSEC or NSEC3 chains.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2563484"></a>Converting from insecure to secure</h3></div></div></div></div>
+<a name="id2571421"></a>Converting from insecure to secure</h3></div></div></div></div>
<p>Changing a zone from insecure to secure can be done in two
ways: using a dynamic DNS update, or the
<span><strong class="command">auto-dnssec</strong></span> zone option.</p>
@@ -1091,7 +1093,7 @@ options {
well. An NSEC chain will be generated as part of the initial
signing process.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2563522"></a>Dynamic DNS update method</h3></div></div></div></div>
+<a name="id2571459"></a>Dynamic DNS update method</h3></div></div></div></div>
<p>To insert the keys via dynamic update:</p>
<pre class="screen">
% nsupdate
@@ -1127,7 +1129,7 @@ options {
<p>While the initial signing and NSEC/NSEC3 chain generation
is happening, other updates are possible as well.</p>
<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2563626"></a>Fully automatic zone signing</h3></div></div></div></div>
+<a name="id2563508"></a>Fully automatic zone signing</h3></div></div></div></div>
<p>To enable automatic signing, add the
<span><strong class="command">auto-dnssec</strong></span> option to the zone statement in