authorDoug Barton <dougb@FreeBSD.org>2009-05-31 00:11:36 +0000
committerDoug Barton <dougb@FreeBSD.org>2009-05-31 00:11:36 +0000
commitb0e69f719c1db2c19fcfba96f0dac9a5a2277350 (patch)
tree72d567a9bc3fb8adcfcbaa9baedc122d53071209
parentfe9c1406ede29d1f2b9969c75785beef87a4bf87 (diff)
downloadsrc-b0e69f719c1db2c19fcfba96f0dac9a5a2277350.tar.gz
src-b0e69f719c1db2c19fcfba96f0dac9a5a2277350.zip
Vendor import of BIND 9.6.1rc1
Notes
Notes: svn path=/vendor/bind9/dist/; revision=193141
-rw-r--r--CHANGES902
-rw-r--r--COPYRIGHT4
-rw-r--r--FAQ5
-rw-r--r--FAQ.xml8
-rw-r--r--Makefile.in26
-rw-r--r--NSEC3-NOTES128
-rw-r--r--README193
-rw-r--r--README.idnkit8
-rw-r--r--README.pkcs1161
-rw-r--r--acconfig.h14
-rw-r--r--bin/Makefile.in6
-rw-r--r--bin/check/Makefile.in6
-rw-r--r--bin/check/check-tool.c252
-rw-r--r--bin/check/check-tool.h9
-rw-r--r--bin/check/named-checkconf.89
-rw-r--r--bin/check/named-checkconf.c55
-rw-r--r--bin/check/named-checkconf.docbook12
-rw-r--r--bin/check/named-checkconf.html18
-rw-r--r--bin/check/named-checkzone.821
-rw-r--r--bin/check/named-checkzone.c69
-rw-r--r--bin/check/named-checkzone.docbook19
-rw-r--r--bin/check/named-checkzone.html24
-rw-r--r--bin/dig/Makefile.in6
-rw-r--r--bin/dig/dig.115
-rw-r--r--bin/dig/dig.c93
-rw-r--r--bin/dig/dig.docbook39
-rw-r--r--bin/dig/dig.html44
-rw-r--r--bin/dig/dighost.c232
-rw-r--r--bin/dig/host.110
-rw-r--r--bin/dig/host.c38
-rw-r--r--bin/dig/host.docbook9
-rw-r--r--bin/dig/host.html16
-rw-r--r--bin/dig/include/dig/dig.h33
-rw-r--r--bin/dig/nslookup.12
-rw-r--r--bin/dig/nslookup.c47
-rw-r--r--bin/dig/nslookup.docbook2
-rw-r--r--bin/dig/nslookup.html2
-rw-r--r--bin/dnssec/Makefile.in26
-rw-r--r--bin/dnssec/dnssec-dsfromkey.8124
-rw-r--r--bin/dnssec/dnssec-dsfromkey.c396
-rw-r--r--bin/dnssec/dnssec-dsfromkey.docbook214
-rw-r--r--bin/dnssec/dnssec-dsfromkey.html133
-rw-r--r--bin/dnssec/dnssec-keyfromlabel.8149
-rw-r--r--bin/dnssec/dnssec-keyfromlabel.c327
-rw-r--r--bin/dnssec/dnssec-keyfromlabel.docbook265
-rw-r--r--bin/dnssec/dnssec-keyfromlabel.html171
-rw-r--r--bin/dnssec/dnssec-keygen.86
-rw-r--r--bin/dnssec/dnssec-keygen.c60
-rw-r--r--bin/dnssec/dnssec-keygen.docbook14
-rw-r--r--bin/dnssec/dnssec-keygen.html14
-rw-r--r--bin/dnssec/dnssec-signzone.819
-rw-r--r--bin/dnssec/dnssec-signzone.c1094
-rw-r--r--bin/dnssec/dnssec-signzone.docbook37
-rw-r--r--bin/dnssec/dnssec-signzone.html31
-rw-r--r--bin/dnssec/dnssectool.c6
-rw-r--r--bin/dnssec/dnssectool.h8
-rw-r--r--bin/named/Makefile.in21
-rw-r--r--bin/named/bind9.xsl492
-rw-r--r--bin/named/bind9.xsl.h497
-rw-r--r--bin/named/builtin.c6
-rw-r--r--bin/named/client.c247
-rw-r--r--bin/named/config.c22
-rw-r--r--bin/named/control.c21
-rw-r--r--bin/named/controlconf.c12
-rwxr-xr-xbin/named/convertxsl.pl57
-rw-r--r--bin/named/include/named/builtin.h6
-rw-r--r--bin/named/include/named/client.h42
-rw-r--r--bin/named/include/named/config.h6
-rw-r--r--bin/named/include/named/control.h8
-rw-r--r--bin/named/include/named/globals.h24
-rw-r--r--bin/named/include/named/interfacemgr.h6
-rw-r--r--bin/named/include/named/listenlist.h6
-rw-r--r--bin/named/include/named/log.h7
-rw-r--r--bin/named/include/named/logconf.h6
-rw-r--r--bin/named/include/named/lwaddr.h6
-rw-r--r--bin/named/include/named/lwdclient.h8
-rw-r--r--bin/named/include/named/lwresd.h6
-rw-r--r--bin/named/include/named/lwsearch.h6
-rw-r--r--bin/named/include/named/main.h6
-rw-r--r--bin/named/include/named/notify.h8
-rw-r--r--bin/named/include/named/ns_smf_globals.h6
-rw-r--r--bin/named/include/named/query.h6
-rw-r--r--bin/named/include/named/server.h85
-rw-r--r--bin/named/include/named/sortlist.h6
-rw-r--r--bin/named/include/named/statschannel.h61
-rw-r--r--bin/named/include/named/tkeyconf.h6
-rw-r--r--bin/named/include/named/tsigconf.h6
-rw-r--r--bin/named/include/named/types.h11
-rw-r--r--bin/named/include/named/update.h6
-rw-r--r--bin/named/include/named/xfrout.h6
-rw-r--r--bin/named/include/named/zoneconf.h6
-rw-r--r--bin/named/interfacemgr.c53
-rw-r--r--bin/named/listenlist.c6
-rw-r--r--bin/named/log.c13
-rw-r--r--bin/named/logconf.c6
-rw-r--r--bin/named/lwaddr.c4
-rw-r--r--bin/named/lwdclient.c7
-rw-r--r--bin/named/lwderror.c6
-rw-r--r--bin/named/lwdgabn.c6
-rw-r--r--bin/named/lwdgnba.c4
-rw-r--r--bin/named/lwdgrbn.c6
-rw-r--r--bin/named/lwdnoop.c4
-rw-r--r--bin/named/lwresd.810
-rw-r--r--bin/named/lwresd.c4
-rw-r--r--bin/named/lwresd.docbook9
-rw-r--r--bin/named/lwresd.html18
-rw-r--r--bin/named/lwsearch.c6
-rw-r--r--bin/named/main.c48
-rw-r--r--bin/named/named.811
-rw-r--r--bin/named/named.conf.539
-rw-r--r--bin/named/named.conf.docbook42
-rw-r--r--bin/named/named.conf.html50
-rw-r--r--bin/named/named.docbook14
-rw-r--r--bin/named/named.html24
-rw-r--r--bin/named/notify.c27
-rw-r--r--bin/named/query.c762
-rw-r--r--bin/named/server.c905
-rw-r--r--bin/named/sortlist.c24
-rw-r--r--bin/named/statschannel.c1355
-rw-r--r--bin/named/tkeyconf.c14
-rw-r--r--bin/named/tsigconf.c6
-rw-r--r--bin/named/unix/Makefile.in6
-rw-r--r--bin/named/unix/include/named/os.h4
-rw-r--r--bin/named/unix/os.c213
-rw-r--r--bin/named/update.c1692
-rw-r--r--bin/named/xfrout.c113
-rw-r--r--bin/named/zoneconf.c260
-rw-r--r--bin/nsupdate/Makefile.in8
-rw-r--r--bin/nsupdate/nsupdate.151
-rw-r--r--bin/nsupdate/nsupdate.c754
-rw-r--r--bin/nsupdate/nsupdate.docbook107
-rw-r--r--bin/nsupdate/nsupdate.html103
-rw-r--r--bin/rndc/Makefile.in2
-rw-r--r--bin/rndc/include/rndc/os.h8
-rw-r--r--bin/rndc/rndc-confgen.82
-rw-r--r--bin/rndc/rndc-confgen.c19
-rw-r--r--bin/rndc/rndc-confgen.docbook2
-rw-r--r--bin/rndc/rndc-confgen.html2
-rw-r--r--bin/rndc/rndc.82
-rw-r--r--bin/rndc/rndc.c27
-rw-r--r--bin/rndc/rndc.conf6
-rw-r--r--bin/rndc/rndc.conf.52
-rw-r--r--bin/rndc/rndc.conf.docbook2
-rw-r--r--bin/rndc/rndc.conf.html2
-rw-r--r--bin/rndc/rndc.docbook2
-rw-r--r--bin/rndc/rndc.html2
-rw-r--r--bin/rndc/unix/Makefile.in6
-rw-r--r--bin/rndc/unix/os.c6
-rw-r--r--bin/rndc/util.c6
-rw-r--r--bin/rndc/util.h6
-rw-r--r--config.guess2
-rw-r--r--config.h.in46
-rw-r--r--configure.in719
-rw-r--r--doc/Makefile.in8
-rw-r--r--doc/arm/Bv9ARM-book.xml3183
-rw-r--r--doc/arm/Bv9ARM.ch01.html76
-rw-r--r--doc/arm/Bv9ARM.ch02.html36
-rw-r--r--doc/arm/Bv9ARM.ch03.html54
-rw-r--r--doc/arm/Bv9ARM.ch04.html140
-rw-r--r--doc/arm/Bv9ARM.ch05.html8
-rw-r--r--doc/arm/Bv9ARM.ch06.html2887
-rw-r--r--doc/arm/Bv9ARM.ch07.html35
-rw-r--r--doc/arm/Bv9ARM.ch08.html20
-rw-r--r--doc/arm/Bv9ARM.ch09.html190
-rw-r--r--doc/arm/Bv9ARM.ch10.html13
-rw-r--r--doc/arm/Bv9ARM.html162
-rw-r--r--doc/arm/Bv9ARM.pdf14761
-rw-r--r--doc/arm/Makefile.in8
-rw-r--r--doc/arm/man.dig.html44
-rw-r--r--doc/arm/man.dnssec-dsfromkey.html170
-rw-r--r--doc/arm/man.dnssec-keyfromlabel.html210
-rw-r--r--doc/arm/man.dnssec-keygen.html37
-rw-r--r--doc/arm/man.dnssec-signzone.html33
-rw-r--r--doc/arm/man.host.html24
-rw-r--r--doc/arm/man.named-checkconf.html20
-rw-r--r--doc/arm/man.named-checkzone.html24
-rw-r--r--doc/arm/man.named.html34
-rw-r--r--doc/arm/man.nsupdate.html569
-rw-r--r--doc/arm/man.rndc-confgen.html14
-rw-r--r--doc/arm/man.rndc.conf.html14
-rw-r--r--doc/arm/man.rndc.html22
-rw-r--r--doc/misc/Makefile.in2
-rw-r--r--doc/misc/format-options.pl2
-rw-r--r--doc/misc/ipv62
-rw-r--r--doc/misc/migration2
-rw-r--r--doc/misc/options64
-rwxr-xr-xdoc/misc/sort-options.pl2
-rw-r--r--lib/Makefile.in6
-rw-r--r--lib/bind9/Makefile.in6
-rw-r--r--lib/bind9/api6
-rw-r--r--lib/bind9/check.c432
-rw-r--r--lib/bind9/getaddresses.c6
-rw-r--r--lib/bind9/include/Makefile.in6
-rw-r--r--lib/bind9/include/bind9/Makefile.in6
-rw-r--r--lib/bind9/include/bind9/check.h8
-rw-r--r--lib/bind9/include/bind9/getaddresses.h12
-rw-r--r--lib/bind9/include/bind9/version.h8
-rw-r--r--lib/bind9/version.c6
-rw-r--r--lib/dns/Makefile.in32
-rw-r--r--lib/dns/acache.c4
-rw-r--r--lib/dns/acl.c557
-rw-r--r--lib/dns/adb.c693
-rw-r--r--lib/dns/api6
-rw-r--r--lib/dns/byaddr.c6
-rw-r--r--lib/dns/cache.c127
-rw-r--r--lib/dns/callbacks.c6
-rw-r--r--lib/dns/compress.c6
-rw-r--r--lib/dns/db.c125
-rw-r--r--lib/dns/dbiterator.c6
-rw-r--r--lib/dns/dbtable.c6
-rw-r--r--lib/dns/diff.c130
-rw-r--r--lib/dns/dispatch.c190
-rw-r--r--lib/dns/dlz.c10
-rw-r--r--lib/dns/dnssec.c39
-rw-r--r--lib/dns/ds.c6
-rw-r--r--lib/dns/dst_api.c152
-rw-r--r--lib/dns/dst_internal.h85
-rw-r--r--lib/dns/dst_lib.c6
-rw-r--r--lib/dns/dst_openssl.h12
-rw-r--r--lib/dns/dst_parse.c59
-rw-r--r--lib/dns/dst_parse.h22
-rw-r--r--lib/dns/dst_result.c9
-rw-r--r--lib/dns/forward.c6
-rw-r--r--lib/dns/gen-unix.h8
-rw-r--r--lib/dns/gen.c46
-rw-r--r--lib/dns/gssapi_link.c178
-rw-r--r--lib/dns/gssapictx.c684
-rw-r--r--lib/dns/hmac_link.c337
-rw-r--r--lib/dns/include/Makefile.in6
-rw-r--r--lib/dns/include/dns/Makefile.in12
-rw-r--r--lib/dns/include/dns/acache.h6
-rw-r--r--lib/dns/include/dns/acl.h114
-rw-r--r--lib/dns/include/dns/adb.h19
-rw-r--r--lib/dns/include/dns/bit.h8
-rw-r--r--lib/dns/include/dns/byaddr.h16
-rw-r--r--lib/dns/include/dns/cache.h8
-rw-r--r--lib/dns/include/dns/callbacks.h8
-rw-r--r--lib/dns/include/dns/cert.h8
-rw-r--r--lib/dns/include/dns/compress.h12
-rw-r--r--lib/dns/include/dns/db.h210
-rw-r--r--lib/dns/include/dns/dbiterator.h8
-rw-r--r--lib/dns/include/dns/dbtable.h8
-rw-r--r--lib/dns/include/dns/diff.h31
-rw-r--r--lib/dns/include/dns/dispatch.h23
-rw-r--r--lib/dns/include/dns/dlz.h16
-rw-r--r--lib/dns/include/dns/dnssec.h8
-rw-r--r--lib/dns/include/dns/ds.h6
-rw-r--r--lib/dns/include/dns/events.h9
-rw-r--r--lib/dns/include/dns/fixedname.h8
-rw-r--r--lib/dns/include/dns/forward.h8
-rw-r--r--lib/dns/include/dns/iptable.h70
-rw-r--r--lib/dns/include/dns/journal.h26
-rw-r--r--lib/dns/include/dns/keyflags.h8
-rw-r--r--lib/dns/include/dns/keytable.h6
-rw-r--r--lib/dns/include/dns/keyvalues.h12
-rw-r--r--lib/dns/include/dns/lib.h8
-rw-r--r--lib/dns/include/dns/log.h11
-rw-r--r--lib/dns/include/dns/lookup.h12
-rw-r--r--lib/dns/include/dns/master.h39
-rw-r--r--lib/dns/include/dns/masterdump.h34
-rw-r--r--lib/dns/include/dns/message.h24
-rw-r--r--lib/dns/include/dns/name.h23
-rw-r--r--lib/dns/include/dns/ncache.h28
-rw-r--r--lib/dns/include/dns/nsec.h19
-rw-r--r--lib/dns/include/dns/nsec3.h194
-rw-r--r--lib/dns/include/dns/opcode.h8
-rw-r--r--lib/dns/include/dns/order.h8
-rw-r--r--lib/dns/include/dns/peer.h21
-rw-r--r--lib/dns/include/dns/portlist.h8
-rw-r--r--lib/dns/include/dns/rbt.h769
-rw-r--r--lib/dns/include/dns/rcode.h23
-rw-r--r--lib/dns/include/dns/rdata.h20
-rw-r--r--lib/dns/include/dns/rdataclass.h8
-rw-r--r--lib/dns/include/dns/rdatalist.h29
-rw-r--r--lib/dns/include/dns/rdataset.h68
-rw-r--r--lib/dns/include/dns/rdatasetiter.h8
-rw-r--r--lib/dns/include/dns/rdataslab.h19
-rw-r--r--lib/dns/include/dns/rdatatype.h11
-rw-r--r--lib/dns/include/dns/request.h18
-rw-r--r--lib/dns/include/dns/resolver.h50
-rw-r--r--lib/dns/include/dns/result.h11
-rw-r--r--lib/dns/include/dns/rootns.h8
-rw-r--r--lib/dns/include/dns/sdb.h12
-rw-r--r--lib/dns/include/dns/sdlz.h12
-rw-r--r--lib/dns/include/dns/secalg.h8
-rw-r--r--lib/dns/include/dns/secproto.h8
-rw-r--r--lib/dns/include/dns/soa.h8
-rw-r--r--lib/dns/include/dns/ssu.h58
-rw-r--r--lib/dns/include/dns/stats.h319
-rw-r--r--lib/dns/include/dns/tcpmsg.h8
-rw-r--r--lib/dns/include/dns/time.h8
-rw-r--r--lib/dns/include/dns/timer.h8
-rw-r--r--lib/dns/include/dns/tkey.h78
-rw-r--r--lib/dns/include/dns/tsig.h13
-rw-r--r--lib/dns/include/dns/ttl.h8
-rw-r--r--lib/dns/include/dns/types.h37
-rw-r--r--lib/dns/include/dns/validator.h20
-rw-r--r--lib/dns/include/dns/version.h8
-rw-r--r--lib/dns/include/dns/view.h103
-rw-r--r--lib/dns/include/dns/xfrin.h10
-rw-r--r--lib/dns/include/dns/zone.h224
-rw-r--r--lib/dns/include/dns/zonekey.h8
-rw-r--r--lib/dns/include/dns/zt.h8
-rw-r--r--lib/dns/include/dst/Makefile.in8
-rw-r--r--lib/dns/include/dst/dst.h36
-rw-r--r--lib/dns/include/dst/gssapi.h175
-rw-r--r--lib/dns/include/dst/lib.h8
-rw-r--r--lib/dns/include/dst/result.h11
-rw-r--r--lib/dns/iptable.c188
-rw-r--r--lib/dns/journal.c67
-rw-r--r--lib/dns/key.c6
-rw-r--r--lib/dns/keytable.c6
-rw-r--r--lib/dns/lib.c6
-rw-r--r--lib/dns/log.c11
-rw-r--r--lib/dns/lookup.c2
-rw-r--r--lib/dns/master.c101
-rw-r--r--lib/dns/masterdump.c35
-rw-r--r--lib/dns/message.c134
-rw-r--r--lib/dns/name.c36
-rw-r--r--lib/dns/ncache.c217
-rw-r--r--lib/dns/nsec.c69
-rw-r--r--lib/dns/nsec3.c1377
-rw-r--r--lib/dns/openssl_link.c246
-rw-r--r--lib/dns/openssldh_link.c58
-rw-r--r--lib/dns/openssldsa_link.c205
-rw-r--r--lib/dns/opensslrsa_link.c525
-rw-r--r--lib/dns/order.c6
-rw-r--r--lib/dns/peer.c63
-rw-r--r--lib/dns/portlist.c6
-rw-r--r--lib/dns/rbt.c213
-rw-r--r--lib/dns/rbtdb.c2651
-rw-r--r--lib/dns/rbtdb.h6
-rw-r--r--lib/dns/rbtdb64.c6
-rw-r--r--lib/dns/rbtdb64.h6
-rw-r--r--lib/dns/rcode.c27
-rw-r--r--lib/dns/rdata.c57
-rw-r--r--lib/dns/rdata/any_255/tsig_250.c6
-rw-r--r--lib/dns/rdata/any_255/tsig_250.h6
-rw-r--r--lib/dns/rdata/ch_3/a_1.c6
-rw-r--r--lib/dns/rdata/ch_3/a_1.h6
-rw-r--r--lib/dns/rdata/generic/afsdb_18.c6
-rw-r--r--lib/dns/rdata/generic/afsdb_18.h6
-rw-r--r--lib/dns/rdata/generic/cert_37.c6
-rw-r--r--lib/dns/rdata/generic/cert_37.h6
-rw-r--r--lib/dns/rdata/generic/cname_5.c6
-rw-r--r--lib/dns/rdata/generic/cname_5.h6
-rw-r--r--lib/dns/rdata/generic/dlv_32769.c2
-rw-r--r--lib/dns/rdata/generic/dlv_32769.h6
-rw-r--r--lib/dns/rdata/generic/dname_39.c6
-rw-r--r--lib/dns/rdata/generic/dname_39.h6
-rw-r--r--lib/dns/rdata/generic/dnskey_48.c6
-rw-r--r--lib/dns/rdata/generic/dnskey_48.h6
-rw-r--r--lib/dns/rdata/generic/ds_43.c2
-rw-r--r--lib/dns/rdata/generic/ds_43.h6
-rw-r--r--lib/dns/rdata/generic/gpos_27.c6
-rw-r--r--lib/dns/rdata/generic/gpos_27.h6
-rw-r--r--lib/dns/rdata/generic/hinfo_13.c6
-rw-r--r--lib/dns/rdata/generic/hinfo_13.h6
-rw-r--r--lib/dns/rdata/generic/ipseckey_45.c22
-rw-r--r--lib/dns/rdata/generic/ipseckey_45.h6
-rw-r--r--lib/dns/rdata/generic/isdn_20.c6
-rw-r--r--lib/dns/rdata/generic/isdn_20.h6
-rw-r--r--lib/dns/rdata/generic/key_25.c6
-rw-r--r--lib/dns/rdata/generic/key_25.h6
-rw-r--r--lib/dns/rdata/generic/loc_29.c13
-rw-r--r--lib/dns/rdata/generic/loc_29.h6
-rw-r--r--lib/dns/rdata/generic/mb_7.c6
-rw-r--r--lib/dns/rdata/generic/mb_7.h6
-rw-r--r--lib/dns/rdata/generic/md_3.c6
-rw-r--r--lib/dns/rdata/generic/md_3.h6
-rw-r--r--lib/dns/rdata/generic/mf_4.c6
-rw-r--r--lib/dns/rdata/generic/mf_4.h6
-rw-r--r--lib/dns/rdata/generic/mg_8.c6
-rw-r--r--lib/dns/rdata/generic/mg_8.h6
-rw-r--r--lib/dns/rdata/generic/minfo_14.c6
-rw-r--r--lib/dns/rdata/generic/minfo_14.h6
-rw-r--r--lib/dns/rdata/generic/mr_9.c6
-rw-r--r--lib/dns/rdata/generic/mr_9.h6
-rw-r--r--lib/dns/rdata/generic/mx_15.c6
-rw-r--r--lib/dns/rdata/generic/mx_15.h6
-rw-r--r--lib/dns/rdata/generic/ns_2.c6
-rw-r--r--lib/dns/rdata/generic/ns_2.h6
-rw-r--r--lib/dns/rdata/generic/nsec3_50.c481
-rw-r--r--lib/dns/rdata/generic/nsec3_50.h93
-rw-r--r--lib/dns/rdata/generic/nsec3param_51.c314
-rw-r--r--lib/dns/rdata/generic/nsec3param_51.h38
-rw-r--r--lib/dns/rdata/generic/nsec_47.c4
-rw-r--r--lib/dns/rdata/generic/nsec_47.h4
-rw-r--r--lib/dns/rdata/generic/null_10.c6
-rw-r--r--lib/dns/rdata/generic/null_10.h6
-rw-r--r--lib/dns/rdata/generic/nxt_30.c6
-rw-r--r--lib/dns/rdata/generic/nxt_30.h6
-rw-r--r--lib/dns/rdata/generic/opt_41.c6
-rw-r--r--lib/dns/rdata/generic/opt_41.h6
-rw-r--r--lib/dns/rdata/generic/proforma.c6
-rw-r--r--lib/dns/rdata/generic/proforma.h6
-rw-r--r--lib/dns/rdata/generic/ptr_12.c6
-rw-r--r--lib/dns/rdata/generic/ptr_12.h6
-rw-r--r--lib/dns/rdata/generic/rp_17.c6
-rw-r--r--lib/dns/rdata/generic/rp_17.h6
-rw-r--r--lib/dns/rdata/generic/rrsig_46.c6
-rw-r--r--lib/dns/rdata/generic/rrsig_46.h6
-rw-r--r--lib/dns/rdata/generic/rt_21.c6
-rw-r--r--lib/dns/rdata/generic/rt_21.h6
-rw-r--r--lib/dns/rdata/generic/sig_24.c6
-rw-r--r--lib/dns/rdata/generic/sig_24.h6
-rw-r--r--lib/dns/rdata/generic/soa_6.c35
-rw-r--r--lib/dns/rdata/generic/soa_6.h6
-rw-r--r--lib/dns/rdata/generic/spf_99.c6
-rw-r--r--lib/dns/rdata/generic/spf_99.h6
-rw-r--r--lib/dns/rdata/generic/sshfp_44.c6
-rw-r--r--lib/dns/rdata/generic/sshfp_44.h6
-rw-r--r--lib/dns/rdata/generic/tkey_249.c6
-rw-r--r--lib/dns/rdata/generic/tkey_249.h6
-rw-r--r--lib/dns/rdata/generic/txt_16.c4
-rw-r--r--lib/dns/rdata/generic/txt_16.h6
-rw-r--r--lib/dns/rdata/generic/unspec_103.c6
-rw-r--r--lib/dns/rdata/generic/unspec_103.h6
-rw-r--r--lib/dns/rdata/generic/x25_19.c6
-rw-r--r--lib/dns/rdata/generic/x25_19.h6
-rw-r--r--lib/dns/rdata/hs_4/a_1.c6
-rw-r--r--lib/dns/rdata/hs_4/a_1.h6
-rw-r--r--lib/dns/rdata/in_1/a6_38.c6
-rw-r--r--lib/dns/rdata/in_1/a6_38.h6
-rw-r--r--lib/dns/rdata/in_1/a_1.c6
-rw-r--r--lib/dns/rdata/in_1/a_1.h6
-rw-r--r--lib/dns/rdata/in_1/aaaa_28.c6
-rw-r--r--lib/dns/rdata/in_1/aaaa_28.h6
-rw-r--r--lib/dns/rdata/in_1/apl_42.c4
-rw-r--r--lib/dns/rdata/in_1/apl_42.h6
-rw-r--r--lib/dns/rdata/in_1/dhcid_49.c229
-rw-r--r--lib/dns/rdata/in_1/dhcid_49.h30
-rw-r--r--lib/dns/rdata/in_1/kx_36.c6
-rw-r--r--lib/dns/rdata/in_1/kx_36.h6
-rw-r--r--lib/dns/rdata/in_1/naptr_35.c4
-rw-r--r--lib/dns/rdata/in_1/naptr_35.h6
-rw-r--r--lib/dns/rdata/in_1/nsap-ptr_23.c6
-rw-r--r--lib/dns/rdata/in_1/nsap-ptr_23.h6
-rw-r--r--lib/dns/rdata/in_1/nsap_22.c6
-rw-r--r--lib/dns/rdata/in_1/nsap_22.h6
-rw-r--r--lib/dns/rdata/in_1/px_26.c6
-rw-r--r--lib/dns/rdata/in_1/px_26.h6
-rw-r--r--lib/dns/rdata/in_1/srv_33.c6
-rw-r--r--lib/dns/rdata/in_1/srv_33.h6
-rw-r--r--lib/dns/rdata/in_1/wks_11.c10
-rw-r--r--lib/dns/rdata/in_1/wks_11.h6
-rw-r--r--lib/dns/rdata/rdatastructpre.h6
-rw-r--r--lib/dns/rdata/rdatastructsuf.h6
-rw-r--r--lib/dns/rdatalist.c172
-rw-r--r--lib/dns/rdatalist_p.h15
-rw-r--r--lib/dns/rdataset.c43
-rw-r--r--lib/dns/rdatasetiter.c6
-rw-r--r--lib/dns/rdataslab.c111
-rw-r--r--lib/dns/request.c8
-rw-r--r--lib/dns/resolver.c993
-rw-r--r--lib/dns/result.c9
-rw-r--r--lib/dns/rootns.c11
-rw-r--r--lib/dns/sdb.c28
-rw-r--r--lib/dns/sdlz.c34
-rw-r--r--lib/dns/soa.c6
-rw-r--r--lib/dns/spnego.asn152
-rw-r--r--lib/dns/spnego.c1792
-rw-r--r--lib/dns/spnego.h71
-rw-r--r--lib/dns/spnego_asn1.c885
-rwxr-xr-xlib/dns/spnego_asn1.pl200
-rw-r--r--lib/dns/ssu.c220
-rw-r--r--lib/dns/stats.c353
-rw-r--r--lib/dns/tcpmsg.c6
-rw-r--r--lib/dns/time.c8
-rw-r--r--lib/dns/timer.c6
-rw-r--r--lib/dns/tkey.c337
-rw-r--r--lib/dns/tsig.c157
-rw-r--r--lib/dns/ttl.c6
-rw-r--r--lib/dns/validator.c770
-rw-r--r--lib/dns/version.c6
-rw-r--r--lib/dns/view.c118
-rw-r--r--lib/dns/xfrin.c57
-rw-r--r--lib/dns/zone.c3742
-rw-r--r--lib/dns/zonekey.c6
-rw-r--r--lib/dns/zt.c9
-rw-r--r--lib/isc/Makefile.in34
-rw-r--r--lib/isc/alpha/Makefile.in2
-rw-r--r--lib/isc/alpha/include/Makefile.in2
-rw-r--r--lib/isc/alpha/include/isc/Makefile.in2
-rw-r--r--lib/isc/alpha/include/isc/atomic.h42
-rw-r--r--lib/isc/api6
-rw-r--r--lib/isc/assertions.c4
-rw-r--r--lib/isc/base32.c371
-rw-r--r--lib/isc/base64.c6
-rw-r--r--lib/isc/bitstring.c6
-rw-r--r--lib/isc/buffer.c84
-rw-r--r--lib/isc/bufferlist.c6
-rw-r--r--lib/isc/commandline.c11
-rw-r--r--lib/isc/entropy.c21
-rw-r--r--lib/isc/error.c6
-rw-r--r--lib/isc/event.c6
-rw-r--r--lib/isc/fsaccess.c6
-rw-r--r--lib/isc/hash.c12
-rw-r--r--lib/isc/heap.c18
-rw-r--r--lib/isc/hex.c10
-rw-r--r--lib/isc/hmacmd5.c6
-rw-r--r--lib/isc/hmacsha.c2
-rw-r--r--lib/isc/httpd.c987
-rw-r--r--lib/isc/ia64/Makefile.in2
-rw-r--r--lib/isc/ia64/include/Makefile.in2
-rw-r--r--lib/isc/ia64/include/isc/Makefile.in2
-rw-r--r--lib/isc/ia64/include/isc/atomic.h24
-rw-r--r--lib/isc/include/Makefile.in6
-rw-r--r--lib/isc/include/isc/Makefile.in20
-rw-r--r--lib/isc/include/isc/app.h8
-rw-r--r--lib/isc/include/isc/assertions.h6
-rw-r--r--lib/isc/include/isc/base32.h128
-rw-r--r--lib/isc/include/isc/base64.h8
-rw-r--r--lib/isc/include/isc/bitstring.h8
-rw-r--r--lib/isc/include/isc/boolean.h8
-rw-r--r--lib/isc/include/isc/buffer.h107
-rw-r--r--lib/isc/include/isc/bufferlist.h8
-rw-r--r--lib/isc/include/isc/commandline.h8
-rw-r--r--lib/isc/include/isc/entropy.h31
-rw-r--r--lib/isc/include/isc/error.h8
-rw-r--r--lib/isc/include/isc/event.h8
-rw-r--r--lib/isc/include/isc/eventclass.h6
-rw-r--r--lib/isc/include/isc/file.h12
-rw-r--r--lib/isc/include/isc/formatcheck.h8
-rw-r--r--lib/isc/include/isc/fsaccess.h25
-rw-r--r--lib/isc/include/isc/hash.h12
-rw-r--r--lib/isc/include/isc/heap.h10
-rw-r--r--lib/isc/include/isc/hex.h10
-rw-r--r--lib/isc/include/isc/hmacmd5.h8
-rw-r--r--lib/isc/include/isc/hmacsha.h8
-rw-r--r--lib/isc/include/isc/httpd.h64
-rw-r--r--lib/isc/include/isc/interfaceiter.h8
-rw-r--r--lib/isc/include/isc/ipv6.h6
-rw-r--r--lib/isc/include/isc/iterated_hash.h47
-rw-r--r--lib/isc/include/isc/lang.h8
-rw-r--r--lib/isc/include/isc/lex.h4
-rw-r--r--lib/isc/include/isc/lfsr.h8
-rw-r--r--lib/isc/include/isc/lib.h8
-rw-r--r--lib/isc/include/isc/list.h6
-rw-r--r--lib/isc/include/isc/log.h29
-rw-r--r--lib/isc/include/isc/magic.h8
-rw-r--r--lib/isc/include/isc/md5.h8
-rw-r--r--lib/isc/include/isc/mem.h84
-rw-r--r--lib/isc/include/isc/msgcat.h6
-rw-r--r--lib/isc/include/isc/msgs.h6
-rw-r--r--lib/isc/include/isc/mutexblock.h8
-rw-r--r--lib/isc/include/isc/netaddr.h21
-rw-r--r--lib/isc/include/isc/netscope.h8
-rw-r--r--lib/isc/include/isc/ondestroy.h8
-rw-r--r--lib/isc/include/isc/os.h8
-rw-r--r--lib/isc/include/isc/parseint.h8
-rw-r--r--lib/isc/include/isc/platform.h.in130
-rw-r--r--lib/isc/include/isc/portset.h6
-rw-r--r--lib/isc/include/isc/print.h8
-rw-r--r--lib/isc/include/isc/quota.h6
-rw-r--r--lib/isc/include/isc/radix.h240
-rw-r--r--lib/isc/include/isc/random.h10
-rw-r--r--lib/isc/include/isc/ratelimiter.h14
-rw-r--r--lib/isc/include/isc/refcount.h8
-rw-r--r--lib/isc/include/isc/region.h8
-rw-r--r--lib/isc/include/isc/resource.h6
-rw-r--r--lib/isc/include/isc/result.h11
-rw-r--r--lib/isc/include/isc/resultclass.h8
-rw-r--r--lib/isc/include/isc/rwlock.h8
-rw-r--r--lib/isc/include/isc/serial.h10
-rw-r--r--lib/isc/include/isc/sha1.h8
-rw-r--r--lib/isc/include/isc/sha2.h6
-rw-r--r--lib/isc/include/isc/sockaddr.h11
-rw-r--r--lib/isc/include/isc/socket.h183
-rw-r--r--lib/isc/include/isc/stats.h121
-rw-r--r--lib/isc/include/isc/stdio.h8
-rw-r--r--lib/isc/include/isc/stdlib.h8
-rw-r--r--lib/isc/include/isc/string.h6
-rw-r--r--lib/isc/include/isc/symtab.h10
-rw-r--r--lib/isc/include/isc/task.h26
-rw-r--r--lib/isc/include/isc/taskpool.h8
-rw-r--r--lib/isc/include/isc/timer.h6
-rw-r--r--lib/isc/include/isc/types.h26
-rw-r--r--lib/isc/include/isc/util.h8
-rw-r--r--lib/isc/include/isc/version.h8
-rw-r--r--lib/isc/include/isc/xml.h41
-rw-r--r--lib/isc/inet_aton.c14
-rw-r--r--lib/isc/inet_ntop.c6
-rw-r--r--lib/isc/inet_pton.c6
-rw-r--r--lib/isc/iterated_hash.c48
-rw-r--r--lib/isc/lex.c12
-rw-r--r--lib/isc/lfsr.c6
-rw-r--r--lib/isc/lib.c6
-rw-r--r--lib/isc/log.c29
-rw-r--r--lib/isc/md5.c6
-rw-r--r--lib/isc/mem.c254
-rw-r--r--lib/isc/mips/Makefile.in2
-rw-r--r--lib/isc/mips/include/Makefile.in2
-rw-r--r--lib/isc/mips/include/isc/Makefile.in2
-rw-r--r--lib/isc/mips/include/isc/atomic.h6
-rw-r--r--lib/isc/mutexblock.c6
-rw-r--r--lib/isc/netaddr.c8
-rw-r--r--lib/isc/netscope.c6
-rw-r--r--lib/isc/nls/Makefile.in6
-rw-r--r--lib/isc/nls/msgcat.c6
-rw-r--r--lib/isc/noatomic/Makefile.in2
-rw-r--r--lib/isc/noatomic/include/Makefile.in2
-rw-r--r--lib/isc/noatomic/include/isc/Makefile.in2
-rw-r--r--lib/isc/noatomic/include/isc/atomic.h6
-rw-r--r--lib/isc/nothreads/Makefile.in6
-rw-r--r--lib/isc/nothreads/condition.c6
-rw-r--r--lib/isc/nothreads/include/Makefile.in6
-rw-r--r--lib/isc/nothreads/include/isc/Makefile.in6
-rw-r--r--lib/isc/nothreads/include/isc/condition.h6
-rw-r--r--lib/isc/nothreads/include/isc/mutex.h6
-rw-r--r--lib/isc/nothreads/include/isc/once.h6
-rw-r--r--lib/isc/nothreads/include/isc/thread.h6
-rw-r--r--lib/isc/nothreads/mutex.c6
-rw-r--r--lib/isc/nothreads/thread.c6
-rw-r--r--lib/isc/ondestroy.c6
-rw-r--r--lib/isc/parseint.c6
-rw-r--r--lib/isc/portset.c2
-rw-r--r--lib/isc/powerpc/Makefile.in2
-rw-r--r--lib/isc/powerpc/include/Makefile.in2
-rw-r--r--lib/isc/powerpc/include/isc/Makefile.in2
-rw-r--r--lib/isc/powerpc/include/isc/atomic.h2
-rw-r--r--lib/isc/print.c4
-rw-r--r--lib/isc/pthreads/Makefile.in6
-rw-r--r--lib/isc/pthreads/condition.c6
-rw-r--r--lib/isc/pthreads/include/Makefile.in6
-rw-r--r--lib/isc/pthreads/include/isc/Makefile.in6
-rw-r--r--lib/isc/pthreads/include/isc/condition.h6
-rw-r--r--lib/isc/pthreads/include/isc/mutex.h6
-rw-r--r--lib/isc/pthreads/include/isc/once.h6
-rw-r--r--lib/isc/pthreads/include/isc/thread.h6
-rw-r--r--lib/isc/pthreads/mutex.c4
-rw-r--r--lib/isc/pthreads/thread.c6
-rw-r--r--lib/isc/quota.c6
-rw-r--r--lib/isc/radix.c706
-rw-r--r--lib/isc/random.c6
-rw-r--r--lib/isc/ratelimiter.c6
-rw-r--r--lib/isc/refcount.c6
-rw-r--r--lib/isc/region.c6
-rw-r--r--lib/isc/result.c9
-rw-r--r--lib/isc/rwlock.c26
-rw-r--r--lib/isc/serial.c6
-rw-r--r--lib/isc/sha1.c6
-rw-r--r--lib/isc/sha2.c44
-rw-r--r--lib/isc/sockaddr.c6
-rw-r--r--lib/isc/sparc64/Makefile.in2
-rw-r--r--lib/isc/sparc64/include/Makefile.in2
-rw-r--r--lib/isc/sparc64/include/isc/Makefile.in2
-rw-r--r--lib/isc/sparc64/include/isc/atomic.h6
-rw-r--r--lib/isc/stats.c326
-rw-r--r--lib/isc/string.c6
-rw-r--r--lib/isc/strtoul.c6
-rw-r--r--lib/isc/symtab.c6
-rw-r--r--lib/isc/task.c124
-rw-r--r--lib/isc/task_p.h6
-rw-r--r--lib/isc/taskpool.c7
-rw-r--r--lib/isc/timer.c11
-rw-r--r--lib/isc/timer_p.h6
-rw-r--r--lib/isc/unix/Makefile.in6
-rw-r--r--lib/isc/unix/app.c4
-rw-r--r--lib/isc/unix/dir.c14
-rw-r--r--lib/isc/unix/entropy.c29
-rw-r--r--lib/isc/unix/errno2result.c6
-rw-r--r--lib/isc/unix/errno2result.h6
-rw-r--r--lib/isc/unix/file.c21
-rw-r--r--lib/isc/unix/fsaccess.c6
-rw-r--r--lib/isc/unix/ifiter_getifaddrs.c59
-rw-r--r--lib/isc/unix/ifiter_ioctl.c166
-rw-r--r--lib/isc/unix/ifiter_sysctl.c6
-rw-r--r--lib/isc/unix/include/Makefile.in6
-rw-r--r--lib/isc/unix/include/isc/Makefile.in6
-rw-r--r--lib/isc/unix/include/isc/dir.h6
-rw-r--r--lib/isc/unix/include/isc/int.h6
-rw-r--r--lib/isc/unix/include/isc/keyboard.h6
-rw-r--r--lib/isc/unix/include/isc/net.h7
-rw-r--r--lib/isc/unix/include/isc/netdb.h6
-rw-r--r--lib/isc/unix/include/isc/offset.h7
-rw-r--r--lib/isc/unix/include/isc/stat.h6
-rw-r--r--lib/isc/unix/include/isc/stdtime.h6
-rw-r--r--lib/isc/unix/include/isc/strerror.h8
-rw-r--r--lib/isc/unix/include/isc/syslog.h6
-rw-r--r--lib/isc/unix/include/isc/time.h50
-rw-r--r--lib/isc/unix/interfaceiter.c96
-rw-r--r--lib/isc/unix/ipv6.c6
-rw-r--r--lib/isc/unix/keyboard.c6
-rw-r--r--lib/isc/unix/net.c2
-rw-r--r--lib/isc/unix/os.c6
-rw-r--r--lib/isc/unix/resource.c10
-rw-r--r--lib/isc/unix/socket.c686
-rw-r--r--lib/isc/unix/socket_p.h4
-rw-r--r--lib/isc/unix/stdio.c6
-rw-r--r--lib/isc/unix/stdtime.c6
-rw-r--r--lib/isc/unix/strerror.c10
-rw-r--r--lib/isc/unix/syslog.c2
-rw-r--r--lib/isc/unix/time.c28
-rw-r--r--lib/isc/version.c6
-rw-r--r--lib/isc/x86_32/Makefile.in2
-rw-r--r--lib/isc/x86_32/include/Makefile.in2
-rw-r--r--lib/isc/x86_32/include/isc/Makefile.in2
-rw-r--r--lib/isc/x86_32/include/isc/atomic.h32
-rw-r--r--lib/isc/x86_64/Makefile.in2
-rw-r--r--lib/isc/x86_64/include/Makefile.in2
-rw-r--r--lib/isc/x86_64/include/isc/Makefile.in2
-rw-r--r--lib/isc/x86_64/include/isc/atomic.h34
-rw-r--r--lib/isccc/Makefile.in6
-rw-r--r--lib/isccc/alist.c19
-rw-r--r--lib/isccc/api4
-rw-r--r--lib/isccc/base64.c19
-rw-r--r--lib/isccc/cc.c19
-rw-r--r--lib/isccc/ccmsg.c19
-rw-r--r--lib/isccc/include/Makefile.in6
-rw-r--r--lib/isccc/include/isccc/Makefile.in6
-rw-r--r--lib/isccc/include/isccc/alist.h21
-rw-r--r--lib/isccc/include/isccc/base64.h21
-rw-r--r--lib/isccc/include/isccc/cc.h21
-rw-r--r--lib/isccc/include/isccc/ccmsg.h21
-rw-r--r--lib/isccc/include/isccc/events.h21
-rw-r--r--lib/isccc/include/isccc/lib.h21
-rw-r--r--lib/isccc/include/isccc/result.h21
-rw-r--r--lib/isccc/include/isccc/sexpr.h21
-rw-r--r--lib/isccc/include/isccc/symtab.h21
-rw-r--r--lib/isccc/include/isccc/symtype.h21
-rw-r--r--lib/isccc/include/isccc/types.h21
-rw-r--r--lib/isccc/include/isccc/util.h21
-rw-r--r--lib/isccc/include/isccc/version.h8
-rw-r--r--lib/isccc/lib.c19
-rw-r--r--lib/isccc/result.c19
-rw-r--r--lib/isccc/sexpr.c19
-rw-r--r--lib/isccc/symtab.c15
-rw-r--r--lib/isccc/version.c6
-rw-r--r--lib/isccfg/Makefile.in6
-rw-r--r--lib/isccfg/aclconf.c289
-rw-r--r--lib/isccfg/api4
-rw-r--r--lib/isccfg/include/Makefile.in6
-rw-r--r--lib/isccfg/include/isccfg/Makefile.in6
-rw-r--r--lib/isccfg/include/isccfg/aclconf.h8
-rw-r--r--lib/isccfg/include/isccfg/cfg.h16
-rw-r--r--lib/isccfg/include/isccfg/grammar.h16
-rw-r--r--lib/isccfg/include/isccfg/log.h10
-rw-r--r--lib/isccfg/include/isccfg/namedconf.h8
-rw-r--r--lib/isccfg/include/isccfg/version.h8
-rw-r--r--lib/isccfg/log.c10
-rw-r--r--lib/isccfg/namedconf.c245
-rw-r--r--lib/isccfg/parser.c82
-rw-r--r--lib/isccfg/version.c6
-rw-r--r--lib/lwres/Makefile.in6
-rw-r--r--lib/lwres/api4
-rw-r--r--lib/lwres/assert_p.h6
-rw-r--r--lib/lwres/context.c30
-rw-r--r--lib/lwres/context_p.h8
-rw-r--r--lib/lwres/gai_strerror.c6
-rw-r--r--lib/lwres/getaddrinfo.c54
-rw-r--r--lib/lwres/gethost.c6
-rw-r--r--lib/lwres/getipnode.c2
-rw-r--r--lib/lwres/getnameinfo.c6
-rw-r--r--lib/lwres/getrrset.c6
-rw-r--r--lib/lwres/herror.c6
-rw-r--r--lib/lwres/include/Makefile.in6
-rw-r--r--lib/lwres/include/lwres/Makefile.in6
-rw-r--r--lib/lwres/include/lwres/context.h15
-rw-r--r--lib/lwres/include/lwres/int.h8
-rw-r--r--lib/lwres/include/lwres/ipv6.h8
-rw-r--r--lib/lwres/include/lwres/lang.h8
-rw-r--r--lib/lwres/include/lwres/list.h8
-rw-r--r--lib/lwres/include/lwres/lwbuffer.h8
-rw-r--r--lib/lwres/include/lwres/lwpacket.h8
-rw-r--r--lib/lwres/include/lwres/lwres.h8
-rw-r--r--lib/lwres/include/lwres/netdb.h.in8
-rw-r--r--lib/lwres/include/lwres/platform.h.in6
-rw-r--r--lib/lwres/include/lwres/result.h8
-rw-r--r--lib/lwres/include/lwres/stdlib.h8
-rw-r--r--lib/lwres/include/lwres/version.h8
-rw-r--r--lib/lwres/lwbuffer.c6
-rw-r--r--lib/lwres/lwconfig.c31
-rw-r--r--lib/lwres/lwinetaton.c6
-rw-r--r--lib/lwres/lwinetntop.c6
-rw-r--r--lib/lwres/lwinetpton.c6
-rw-r--r--lib/lwres/lwpacket.c6
-rw-r--r--lib/lwres/lwres_gabn.c6
-rw-r--r--lib/lwres/lwres_gnba.c2
-rw-r--r--lib/lwres/lwres_grbn.c6
-rw-r--r--lib/lwres/lwres_noop.c6
-rw-r--r--lib/lwres/lwresutil.c6
-rw-r--r--lib/lwres/man/Makefile.in6
-rw-r--r--lib/lwres/man/lwres.32
-rw-r--r--lib/lwres/man/lwres.docbook2
-rw-r--r--lib/lwres/man/lwres.html2
-rw-r--r--lib/lwres/man/lwres_buffer.32
-rw-r--r--lib/lwres/man/lwres_buffer.docbook2
-rw-r--r--lib/lwres/man/lwres_buffer.html2
-rw-r--r--lib/lwres/man/lwres_config.32
-rw-r--r--lib/lwres/man/lwres_config.docbook2
-rw-r--r--lib/lwres/man/lwres_config.html2
-rw-r--r--lib/lwres/man/lwres_context.32
-rw-r--r--lib/lwres/man/lwres_context.docbook2
-rw-r--r--lib/lwres/man/lwres_context.html2
-rw-r--r--lib/lwres/man/lwres_gabn.32
-rw-r--r--lib/lwres/man/lwres_gabn.docbook2
-rw-r--r--lib/lwres/man/lwres_gabn.html2
-rw-r--r--lib/lwres/man/lwres_gai_strerror.32
-rw-r--r--lib/lwres/man/lwres_gai_strerror.docbook2
-rw-r--r--lib/lwres/man/lwres_gai_strerror.html2
-rw-r--r--lib/lwres/man/lwres_getaddrinfo.32
-rw-r--r--lib/lwres/man/lwres_getaddrinfo.docbook2
-rw-r--r--lib/lwres/man/lwres_getaddrinfo.html2
-rw-r--r--lib/lwres/man/lwres_gethostent.32
-rw-r--r--lib/lwres/man/lwres_gethostent.docbook2
-rw-r--r--lib/lwres/man/lwres_gethostent.html2
-rw-r--r--lib/lwres/man/lwres_getipnode.32
-rw-r--r--lib/lwres/man/lwres_getipnode.docbook2
-rw-r--r--lib/lwres/man/lwres_getipnode.html2
-rw-r--r--lib/lwres/man/lwres_getnameinfo.32
-rw-r--r--lib/lwres/man/lwres_getnameinfo.docbook2
-rw-r--r--lib/lwres/man/lwres_getnameinfo.html2
-rw-r--r--lib/lwres/man/lwres_getrrsetbyname.32
-rw-r--r--lib/lwres/man/lwres_getrrsetbyname.docbook2
-rw-r--r--lib/lwres/man/lwres_getrrsetbyname.html2
-rw-r--r--lib/lwres/man/lwres_gnba.32
-rw-r--r--lib/lwres/man/lwres_gnba.docbook2
-rw-r--r--lib/lwres/man/lwres_gnba.html2
-rw-r--r--lib/lwres/man/lwres_hstrerror.32
-rw-r--r--lib/lwres/man/lwres_hstrerror.docbook2
-rw-r--r--lib/lwres/man/lwres_hstrerror.html2
-rw-r--r--lib/lwres/man/lwres_inetntop.32
-rw-r--r--lib/lwres/man/lwres_inetntop.docbook2
-rw-r--r--lib/lwres/man/lwres_inetntop.html2
-rw-r--r--lib/lwres/man/lwres_noop.32
-rw-r--r--lib/lwres/man/lwres_noop.docbook2
-rw-r--r--lib/lwres/man/lwres_noop.html2
-rw-r--r--lib/lwres/man/lwres_packet.32
-rw-r--r--lib/lwres/man/lwres_packet.docbook2
-rw-r--r--lib/lwres/man/lwres_packet.html2
-rw-r--r--lib/lwres/man/lwres_resutil.32
-rw-r--r--lib/lwres/man/lwres_resutil.docbook2
-rw-r--r--lib/lwres/man/lwres_resutil.html2
-rw-r--r--lib/lwres/print.c6
-rw-r--r--lib/lwres/print_p.h6
-rw-r--r--lib/lwres/strtoul.c6
-rw-r--r--lib/lwres/unix/Makefile.in6
-rw-r--r--lib/lwres/unix/include/Makefile.in6
-rw-r--r--lib/lwres/unix/include/lwres/Makefile.in6
-rw-r--r--lib/lwres/unix/include/lwres/net.h6
-rw-r--r--lib/lwres/version.c6
-rw-r--r--libtool.m41928
-rw-r--r--ltmain.sh1332
-rw-r--r--make/Makefile.in6
-rw-r--r--make/includes.in6
-rw-r--r--make/mkdep.in33
-rw-r--r--make/rules.in51
-rw-r--r--version12
849 files changed, 58196 insertions, 17257 deletions
diff --git a/CHANGES b/CHANGES
index 8d1f22b8e381..4f55ca2aa0e8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,18 +1,258 @@
- --- 9.4.3-P2 released ---
+
+ --- 9.6.1rc1 released ---
+
+2599. [bug] Address rapid memory growth when validation fails.
+ [RT #19654]
+
+2597. [bug] Handle a validation failure with a insecure delegation
+ from a NSEC3 signed master/slave zone. [RT #19464]
+
+2596. [bug] Stale tree nodes of cache/dynamic rbtdb could stay
+ long, leading to inefficient memory usage or rejecting
+ newer cache entries in the worst case. [RT #19563]
+
+2595. [bug] Fix unknown extended rcodes in dig. [RT #19625]
+
+2592. [bug] Treat "any" as a type in nsupdate. [RT #19455]
+
+2591. [bug] named could die when processing a update in
+ removed_orphaned_ds(). [RT #19507]
+
+2588. [bug] SO_REUSEADDR could be set unconditionally after failure
+ of bind(2) call. This should be rare and mostly
+ harmless, but may cause interference with other
+ processes that happen to use the same port. [RT #19642]
+
+2586. [bug] Missing cleanup of SIG rdataset in searching a DLZ DB
+ or SDB. [RT #19577]
+
+2585. [bug] Uninitialized socket name could be referenced via a
+ statistics channel, triggering an assertion failure in
+ XML rendering. [RT #19427]
+
+2584. [bug] alpha: gcc optimization could break atomic operations.
+ [RT #19227]
+
+2583. [port] netbsd: provide a control to not add the compile
+ date to the version string, -DNO_VERSION_DATE.
+
+2582. [bug] Don't emit warning log message when we attempt to
+ remove non-existant journal. [RT #19516]
2579. [bug] DNSSEC lookaside validation failed to handle unknown
algorithms. [RT #19479]
- --- 9.4.3-P1 released ---
+2578. [bug] Changed default sig-signing-type to 65534, because
+ 65535 turns out to be reserved. [RT #19477]
+
+2499. [port] solaris: lib/lwres/getaddrinfo.c namespace clash.
+ [RT #18837]
+
+ --- 9.6.1b1 released ---
+
+2577. [doc] Clarified some statistics counters. [RT #19454]
+
+2576. [bug] NSEC record were not being correctly signed when
+ a zone transitions from insecure to secure.
+ Handle such incorrectly signed zones. [RT #19114]
+
+2574. [doc] Document nsupdate -g and -o. [RT #19351]
+
+2573. [bug] Replacing a non-CNAME record with a CNAME record in a
+ single transaction in a signed zone failed. [RT #19397]
+
+2568. [bug] Report when the write to indicate a otherwise
+ successful start fails. [RT #19360]
+
+2567. [bug] dst__privstruct_writefile() could miss write errors.
+ write_public_key() could miss write errors.
+ dnssec-dsfromkey could miss write errors.
+ [RT #19360]
+
+2564. [bug] Only take EDNS fallback steps when processing timeouts.
+ [RT #19405]
+
+2563. [bug] Dig could leak a socket causing it to wait forever
+ to exit. [RT #19359]
+
+2562. [doc] ARM: miscellaneous improvements, reorganization,
+ and some new content.
+
+2561. [doc] Add isc-config.sh(1) man page. [RT #16378]
+
+2560. [bug] Add #include <config.h> to iptable.c. [RT #18258]
+
+2559. [bug] dnssec-dsfromkey could compute bad DS records when
+ reading from a K* files. [RT #19357]
+
+2557. [cleanup] PCI compliance:
+ * new libisc log module file
+ * isc_dir_chroot() now also changes the working
+ directory to "/".
+ * additional INSISTs
+ * additional logging when files can't be removed.
+
+2556. [port] Solaris: mkdir(2) on tmpfs filesystems does not do the
+ error checks in the correct order resulting in the
+ wrong error code sometimes being returned. [RT #19249]
+
+2554. [bug] Validation of uppercase queries from NSEC3 zones could
+ fail. [RT #19297]
+
+2553. [bug] Reference leak on DNSSEC validation errors. [RT #19291]
+
+2552. [bug] zero-no-soa-ttl-cache was not being honoured.
+ [RT #19340]
+
+2551. [bug] Potential Reference leak on return. [RT #19341]
+
+2550. [bug] Check --with-openssl=<path> finds <openssl/opensslv.h>.
+ [RT #19343]
+
+2549. [port] linux: define NR_OPEN if not currently defined.
+ [RT #19344]
+
+2548. [bug] Install iterated_hash.h. [RT #19335]
+
+2547. [bug] openssl_link.c:mem_realloc() could reference an
+ out-of-range area of the source buffer. New public
+ function isc_mem_reallocate() was introduced to address
+ this bug. [RT #19313]
+
+2545. [doc] ARM: Legal hostname checking (check-names) is
+ for SRV RDATA too. [RT #19304]
+
+2544. [cleanup] Removed unused structure members in adb.c. [RT #19225]
+
+2543. [contrib] Update contrib/zkt to version 0.98. [RT #19113]
+
+2542. [doc] Update the description of dig +adflag. [RT #19290]
+
+2541. [bug] Conditionally update dispatch manager statistics.
+ [RT #19247]
+
+2539. [security] Update the interaction between recursion, allow-query,
+ allow-query-cache and allow-recursion. [RT #19198]
+
+2538. [bug] cache/ADB memory could grow over max-cache-size,
+ especially with threads and smaller max-cache-size
+ values. [RT #19240]
+
+2537. [experimental] Added more statistics counters including those on socket
+ I/O events and query RTT histograms. [RT #18802]
+
+2536. [cleanup] Silence some warnings when -Werror=format-security is
+ specified. [RT #19083]
+
+2535. [bug] dig +showsearh and +trace interacted badly. [RT #19091]
+
+2532. [bug] dig: check the question section of the response to
+ see if it matches the asked question. [RT #18495]
+
+2531. [bug] Change #2207 was incomplete. [RT #19098]
+
+2530. [bug] named failed to reject insecure to secure transitions
+ via UPDATE. [RT #19101]
+
+2529. [cleanup] Upgrade libtool to silence complaints from recent
+ version of autoconf. [RT #18657]
+
+2528. [cleanup] Silence spurious configure warning about
+ --datarootdir [RT #19096]
+
+2527. [bug] named could reuse cache on reload with
+ enabling/disabling validation. [RT #19119]
+
+2525. [experimental] New logging category "query-errors" to provide detailed
+ internal information about query failures, especially
+ about server failures. [RT #19027]
+
+2524. [port] sunos: dnssec-signzone needs strtoul(). [RT #19129]
+
+2523. [bug] Random type rdata freed by dns_nsec_typepresent().
+ [RT #19112]
+
+2522. [security] Handle -1 from DSA_do_verify() and EVP_VerifyFinal().
+
+2521. [bug] Improve epoll cross compilation support. [RT #19047]
+
+2519. [bug] dig/host with -4 or -6 didn't work if more than two
+ nameserver addresses of the excluded address family
+ preceded in resolv.conf. [RT #19081]
+
+2517. [bug] dig +trace with -4 or -6 failed when it chose a
+ nameserver address of the excluded address.
+ [RT #18843]
+
+2516. [bug] glue sort for responses was performed even when not
+ needed. [RT #19039]
+
+2514. [bug] dig/host failed with -4 or -6 when resolv.conf contains
+ a nameserver of the excluded address family.
+ [RT #18848]
+
+2511. [cleanup] dns_rdata_tofmttext() add const to linebreak.
+ [RT #18885]
+
+2506. [port] solaris: Check at configure time if
+ hack_shutup_pthreadonceinit is needed. [RT #19037]
+
+2505. [port] Treat amd64 similarly to x86_64 when determining
+ atomic operation support. [RT #19031]
+
+2503. [port] linux: improve compatibility with Linux Standard
+ Base. [RT #18793]
+
+2502. [cleanup] isc_radix: Improve compliance with coding style,
+ document function in <isc/radix.h>. [RT #18534]
+
+ --- 9.6.0 released ---
+
+2520. [bug] Update xml statistics version number to 2.0 as change
+ #2388 made the schema incompatible to the previous
+ version. [RT #19080]
+
+ --- 9.6.0rc2 released ---
+
+2515. [port] win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
+ [RT #19063]
+
+2513 [bug] Fix windows cli build. [RT #19062]
+
+2510. [bug] "dig +sigchase" could trigger REQUIRE failures.
+ [RT #19033]
+
+2509. [bug] Specifying a fixed query source port was broken.
+ [RT #19051]
+
+2504. [bug] Address race condition in the socket code. [RT #18899]
-2522. [security] Handle -1 from DSA_do_verify().
+ --- 9.6.0rc1 released ---
2498. [bug] Removed a bogus function argument used with
ISC_SOCKET_USE_POLLWATCH: it could cause compiler
warning or crash named with the debug 1 level
of logging. [RT #18917]
- --- 9.4.3 released ---
+2497. [bug] Don't add RRSIG bit to NSEC3 bit map for insecure
+ delegation.
+
+2496. [bug] Add sanity length checks to NSID option. [RT #18813]
+
+2495. [bug] Tighten RRSIG checks. [RT #18795]
+
+2494. [bug] isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
+ installed. [RT #18826]
+
+2493. [bug] The linux capabilities code was not correctly cleaning
+ up after itself. [RT #18767]
+
+2492. [func] Rndc status now reports the number of cpus discovered
+ and the number of worker threads when running
+ multi-threaded. [RT #18273]
+
+2491. [func] Attempt to re-use a local port if we are already using
+ the port. [RT #18548]
2490. [port] aix: work around a kernel bug where IPV6_RECVPKTINFO
is cleared when IPV6_V6ONLY is set. [RT #18785]
@@ -23,7 +263,58 @@
Define ISC_SOCKET_USE_POLLWATCH at build time to enable
this workaround. [RT #18870]
- --- 9.4.3rc1 released ---
+2488. [func] Added a tool, dnssec-dsfromkey, to generate DS records
+ from keyset and .key files. [RT #18694]
+
+2487. [bug] Give TCP connections longer to complete. [RT #18675]
+
+2486. [func] The default locations for named.pid and lwresd.pid
+ are now /var/run/named/named.pid and
+ /var/run/lwresd/lwresd.pid respectively.
+
+ This allows the owner of the containing directory
+ to be set, for "named -u" support, and allows there
+ to be a permanent symbolic link in the path, for
+ "named -t" support. [RT #18306]
+
+2485. [bug] Change update's the handling of obscured RRSIG
+ records. Not all orphaned DS records were being
+ removed. [RT #18828]
+
+2484. [bug] It was possible to trigger a REQUIRE failure when
+ adding NSEC3 proofs to the response in
+ query_addwildcardproof(). [RT #18828]
+
+2483. [port] win32: chroot() is not supported. [RT #18805]
+
+2482. [port] libxml2: support versions 2.7.* in addition
+ to 2.6.*. [RT #18806]
+
+ --- 9.6.0b1 released ---
+
+2481. [bug] rbtdb.c:matchparams() failed to handle NSEC3 chain
+ collisions. [RT #18812]
+
+2480. [bug] named could fail to emit all the required NSEC3
+ records. [RT #18812]
+
+2479. [bug] xfrout:covers was not properly initialized. [RT #18801]
+
+2478. [bug] 'addresses' could be used uninitialized in
+ configure_forward(). [RT #18800]
+
+2477. [bug] dig: the global option to print the command line is
+ +cmd not print_cmd. Update the output to reflect
+ this. [RT #17008]
+
+2476. [doc] ARM: improve documentation for max-journal-size and
+ ixfr-from-differences. [RT #15909] [RT #18541]
+
+2475. [bug] LRU cache cleanup under overmem condition could purge
+ particular entries more aggressively. [RT #17628]
+
+2474. [bug] ACL structures could be allocated with insufficient
+ space, causing an array overrun. [RT #18765]
2473. [port] linux: raise the limit on open files to the possible
maximum value before spawning threads; 'files'
@@ -33,9 +324,12 @@
2472. [port] linux: check the number of available cpu's before
calling chroot as it depends on "/proc". [RT #16923]
-2471. [bug] named-checkzone was not reporting missing manditory
+2471. [bug] named-checkzone was not reporting missing mandatory
glue when sibling checks were disabled. [RT #18768]
+2470. [bug] Elements of the isc_radix_node_t could be incorrectly
+ overwritten. [RT# 18719]
+
2469. [port] solaris: Work around Solaris's select() limitations.
[RT #18769]
@@ -50,10 +344,14 @@
2465. [bug] Adb's handling of lame addresses was different
for IPv4 and IPv6. [RT #18738]
+2464. [port] linux: check that a capability is present before
+ trying to set it. [RT #18135]
+
2463. [port] linux: POSIX doesn't include the IPv6 Advanced Socket
API and glibc hides parts of the IPv6 Advanced Socket
API as a result. This is stupid as it breaks how the
- two halves (Basic and Advanced) of the IPv6 Socket API were designed to be used but we have to live with it.
+ two halves (Basic and Advanced) of the IPv6 Socket API
+ were designed to be used but we have to live with it.
Define _GNU_SOURCE to pull in the IPv6 Advanced Socket
API. [RT #18388]
@@ -62,17 +360,48 @@
2461. [port] sunos: Change #2363 was not complete. [RT #17513]
+ --- 9.6.0a1 released ---
+
+2460. [bug] Don't call dns_db_getnsec3parameters() on the cache.
+ [RT #18697]
+
+2459. [contrib] Import dnssec-zkt to contrib/zkt. [RT #18448]
+
2458. [doc] ARM: update and correction for max-cache-size.
[RT #18294]
-2455. [bug] Stop metadata being transfered via axfr/ixfr.
+2457. [tuning] max-cache-size is reverted to 0, the previous
+ default. It should be safe because expired cache
+ entries are also purged. [RT #18684]
+
+2456. [bug] In ACLs, ::/0 and 0.0.0.0/0 would both match any
+ address, regardless of family. They now correctly
+ distinguish IPv4 from IPv6. [RT #18559]
+
+2455. [bug] Stop metadata being transferred via axfr/ixfr.
[RT #18639]
+2454. [func] nsupdate: you can now set a default ttl. [RT #18317]
+
2453. [bug] Remove NULL pointer dereference in dns_journal_print().
[RT #18316]
-2449. [bug] libbind: Out of bounds reference in dns_ho.c:addrsort.
- [RT #18044]
+2452. [func] Improve bin/test/journalprint. [RT #18316]
+
+2451. [port] solaris: handle runtime linking better. [RT #18356]
+
+2450. [doc] Fix lwresd docbook problem for manual page.
+ [RT #18672]
+
+2449. [placeholder]
+
+2448. [func] Add NSEC3 support. [RT #15452]
+
+2447. [cleanup] libbind has been split out as a separate product.
+
+2446. [func] Add a new log message about build options on startup.
+ A new command-line option '-V' for named is also
+ provided to show this information. [RT# 18645]
2445. [doc] ARM out-of-date on empty reverse zones (list includes
RFC1918 address, but these are not yet compiled in).
@@ -81,31 +410,46 @@
2444. [port] Linux, FreeBSD, AIX: Turn off path mtu discovery
(clear DF) for UDP responses and requests.
- --- 9.4.3b3 released ---
-
2443. [bug] win32: UDP connect() would not generate an event,
and so connected UDP sockets would never clean up.
Fix this by doing an immediate WSAConnect() rather
than an io completion port type for UDP.
-2438. [bug] Timeouts could be logged incorrectly under win32.
- [RT #18617]
+2442. [bug] A lock could be destroyed twice. [RT# 18626]
+
+2441. [bug] isc_radix_insert() could copy radix tree nodes
+ incompletely. [RT #18573]
+
+2440. [bug] named-checkconf used an incorrect test to determine
+ if an ACL was set to none.
+
+2439. [bug] Potential NULL dereference in dns_acl_isanyornone().
+ [RT #18559]
+
+2438. [bug] Timeouts could be logged incorrectly under win32.
2437. [bug] Sockets could be closed too early, leading to
inconsistent states in the socket module. [RT #18298]
2436. [security] win32: UDP client handler can be shutdown. [RT #18576]
+2435. [bug] Fixed an ACL memory leak affecting win32.
+
+2434. [bug] Fixed a minor error-reporting bug in
+ lib/isc/win32/socket.c.
+
2433. [tuning] Set initial timeout to 800ms.
-2432. [bug] More Windows socket handling improvements. Stop
+2432. [bug] More Windows socket handling improvements. Stop
using I/O events and use IO Completion Ports
throughout. Rewrite the receive path logic to make
it easier to support multiple simultaneous
- requestrs in the future. Add stricter consistency
+ requesters in the future. Add stricter consistency
checking as a compile-time option (define
ISC_SOCKET_CONSISTENCY_CHECKS; defaults to off).
+2431. [bug] Acl processing could leak memory. [RT #18323]
+
2430. [bug] win32: isc_interval_set() could round down to
zero if the input was less than NS_INTERVAL
nanoseconds. Round up instead. [RT #18549]
@@ -113,8 +457,14 @@
2429. [doc] nsupdate should be in section 1 of the man pages.
[RT #18283]
+2428. [bug] dns_iptable_merge() mishandled merges of negative
+ tables. [RT #18409]
+
+2427. [func] Treat DNSKEY queries as if "minimal-response yes;"
+ was set. [RT #18528]
+
2426. [bug] libbind: inet_net_pton() can sometimes return the
- wrong value if excessively large netmasks are
+ wrong value if excessively large net masks are
supplied. [RT #18512]
2425. [bug] named didn't detect unavailable query source addresses
@@ -125,6 +475,12 @@
epoll and /dev/poll to be selected at compile
time. [RT #18277]
+2423. [security] Randomize server selection on queries, so as to
+ make forgery a little more difficult. Instead of
+ always preferring the server with the lowest RTT,
+ pick a server with RTT within the same 128
+ millisecond band. [RT #18441]
+
2422. [bug] Handle the special return value of a empty node as
if it was a NXRRSET in the validator. [RT #18447]
@@ -133,13 +489,20 @@
Use caution: this option may not work for some
operating systems without rebuilding named.
-2420. [bug] Windows socket handling cleanup. Let the io
- completion event send out cancelled read/write
- done events, which keeps us from writing to memeory
+2420. [bug] Windows socket handling cleanup. Let the io
+ completion event send out canceled read/write
+ done events, which keeps us from writing to memory
we no longer have ownership of. Add debugging
socket_log() function. Rework TCP socket handling
to not leak sockets.
+2419. [cleanup] Document that isc_socket_create() and isc_socket_open()
+ should not be used for isc_sockettype_fdwatch sockets.
+ [RT #18521]
+
+2418. [bug] AXFR request on a DLZ could trigger a REQUIRE failure
+ [RT #18430]
+
2417. [bug] Connecting UDP sockets for outgoing queries could
unexpectedly fail with an 'address already in use'
error. [RT #18411]
@@ -147,26 +510,42 @@
2416. [func] Log file descriptors that cause exceeding the
internal maximum. [RT #18460]
+2415. [bug] 'rndc dumpdb' could trigger various assertion failures
+ in rbtdb.c. [RT #18455]
+
2414. [bug] A masterdump context held the database lock too long,
causing various troubles such as dead lock and
recursive lock acquisition. [RT #18311, #18456]
2413. [bug] Fixed an unreachable code path in socket.c. [RT #18442]
-2412. [bug] win32: address a resourse leak. [RT #18374]
+2412. [bug] win32: address a resource leak. [RT #18374]
2411. [bug] Allow using a larger number of sockets than FD_SETSIZE
for select(). To enable this, set ISC_SOCKET_MAXSOCKETS
at compilation time. [RT #18433]
+ Note: with changes #2469 and #2421 above, there is no
+ need to tweak ISC_SOCKET_MAXSOCKETS at compilation time
+ any more.
+
2410. [bug] Correctly delete m_versionInfo. [RT #18432]
+2409. [bug] Only log that we disabled EDNS processing if we were
+ subsequently successful. [RT #18029]
+
2408. [bug] A duplicate TCP dispatch event could be sent, which
could then trigger an assertion failure in
resquery_response(). [RT #18275]
2407. [port] hpux: test for sys/dyntune.h. [RT #18421]
+2406. [placeholder]
+
+2405. [cleanup] The default value for dnssec-validation was changed to
+ "yes" in 9.5.0-P1 and all subsequent releases; this
+ was inadvertently omitted from CHANGES at the time.
+
2404. [port] hpux: files unlimited support.
2403. [bug] TSIG context leak. [RT #18341]
@@ -176,13 +555,17 @@
2401. [bug] Expect to get E[MN]FILE errno internal_accept()
(from accept() or fcntl() system calls). [RT #18358]
-2399. [bug] Abort timeout queries to reduce the number of open
- UDP sockets. [RT #18367]
+2400. [bug] Log if kqueue()/epoll_create()/open(/dev/poll) fails.
+ [RT #18297]
+
+2399. [placeholder]
2398. [bug] Improve file descriptor management. New,
temporary, named.conf option reserved-sockets,
default 512. [RT #18344]
+2397. [bug] gssapi_functions had too many elements. [RT #18355]
+
2396. [bug] Don't set SO_REUSEADDR for randomized ports.
[RT #18336]
@@ -193,35 +576,42 @@
open files to 'unlimited' as described in the
documentation. [RT #18331]
+2393. [bug] nested acls containing keys could trigger an
+ assertion in acl.c. [RT #18166]
+
2392. [bug] remove 'grep -q' from acl test script, some platforms
don't support it. [RT #18253]
-2391 [port] hpux: cover additional recvmsg() error codes.
+2391. [port] hpux: cover additional recvmsg() error codes.
[RT #18301]
-2390 [bug] dispatch.c could make a false warning on 'odd socket'.
+2390. [bug] dispatch.c could make a false warning on 'odd socket'.
[RT #18301].
-2389 [bug] Move the "working directory writable" check to after
+2389. [bug] Move the "working directory writable" check to after
the ns_os_changeuser() call. [RT #18326]
+2388. [bug] Avoid using tables for layout purposes in
+ statistics XSL [RT #18159].
+
+2387. [bug] Silence compiler warnings in lib/isc/radix.c.
+ [RT #18147] [RT #18258]
+
2386. [func] Add warning about too small 'open files' limit.
[RT #18269]
- --- 9.4.3b2 released ---
-
2385. [bug] A condition variable in socket.c could leak in
rare error handling [RT #17968].
-2384. [security] Additional support for query port randomization (change
- #2375) including performance improvement and port range
- specification. [RT #17949, #18098]
+2384. [security] Fully randomize UDP query ports to improve
+ forgery resilience. [RT #17949, #18098]
2383. [bug] named could double queries when they resulted in
SERVFAIL due to overkilling EDNS0 failure detection.
[RT #18182]
-2382. [doc] Add descriptions of IPSECKEY, SPF and SSHFP to ARM.
+2382. [doc] Add descriptions of DHCID, IPSECKEY, SPF and SSHFP
+ to ARM.
2381. [port] dlz/mysql: support multiple install layouts for
mysql. <prefix>/include/{,mysql/}mysql.h and
@@ -235,41 +625,104 @@
2379. [contrib] queryperf/gen-data-queryperf.py: removed redundant
TLDs and supported RRs with TTLs [RT #17972]
+2378. [bug] gssapi_functions{} had a redundant member in BIND 9.5.
+ [RT #18169]
+
2377. [bug] Address race condition in dnssec-signzone. [RT #18142]
2376. [bug] Change #2144 was not complete.
-2375. [security] Fully randomize UDP query ports to improve
- forgery resilience. [RT #17949]
+2375. [placeholder]
+
+2374. [bug] "blackhole" ACLs could cause named to segfault due
+ to some uninitialized memory. [RT #18095]
+
+2373. [bug] Default values of zone ACLs were re-parsed each time a
+ new zone was configured, causing an overconsumption
+ of memory. [RT #18092]
+
+2372. [bug] Fixed incorrect TAG_HMACSHA256_BITS value [RT #18047]
-2372. [bug] fixed incorrect TAG_HMACSHA256_BITS value [RT #18047]
+2371. [doc] Add +nsid option to dig man page. [RT #18039]
+
+2370. [bug] "rndc freeze" could trigger an assertion in named
+ when called on a nonexistent zone. [RT #18050]
2369. [bug] libbind: Array bounds overrun on read in bitncmp().
[RT #18054]
+2368. [port] Linux: use libcap for capability management if
+ possible. [RT# 18026]
+
+2367. [bug] Improve counting of dns_resstatscounter_retry
+ [RT #18030]
+
+2366. [bug] Adb shutdown race. [RT #18021]
+
+2365. [bug] Fix a bug that caused dns_acl_isany() to return
+ spurious results. [RT #18000]
+
2364. [bug] named could trigger a assertion when serving a
malformed signed zone. [RT #17828]
2363. [port] sunos: pre-set "lt_cv_sys_max_cmd_len=4096;".
[RT #17513]
+2362. [cleanup] Make "rrset-order fixed" a compile-time option.
+ settable by "./configure --enable-fixed-rrset".
+ Disabled by default. [RT #17977]
+
2361. [bug] "recursion" statistics counter could be counted
multiple times for a single query. [RT #17990]
- --- 9.4.3b1 released ---
+2360. [bug] Fix a condition where we release a database version
+ (which may acquire a lock) while holding the lock.
+
+2359. [bug] Fix NSID bug. [RT #17942]
2358. [doc] Update host's default query description. [RT #17934]
+2357. [port] Don't use OpenSSL's engine support in versions before
+ OpenSSL 0.9.7f. [RT #17922]
+
2356. [bug] Built in mutex profiler was not scalable enough.
[RT #17436]
-2353. [func] libbind: nsid support. [RT #17091]
+2355. [func] Extend the number statistics counters available.
+ [RT #17590]
+
+2354. [bug] Failed to initialize some rdatasetheader_t elements.
+ [RT #17927]
+
+2353. [func] Add support for Name Server ID (RFC 5001).
+ 'dig +nsid' requests NSID from server.
+ 'request-nsid yes;' causes recursive server to send
+ NSID requests to upstream servers. Server responds
+ to NSID requests with the string configured by
+ 'server-id' option. [RT #17091]
+
+2352. [bug] Various GSS_API fixups. [RT #17729]
+
+2351. [bug] convertxsl.pl generated very long lines. [RT #17906]
2350. [port] win32: IPv6 support. [RT #17797]
+2349. [func] Provide incremental re-signing support for secure
+ dynamic zones. [RT #1091]
+
+2348. [func] Use the EVP interface to OpenSSL. Add PKCS#11 support.
+ Documentation is in the new README.pkcs11 file.
+ New tool, dnssec-keyfromlabel, which takes the
+ label of a key pair in a HSM and constructs a DNS
+ key pair for use by named and dnssec-signzone.
+ [RT #16844]
+
2347. [bug] Delete now traverses the RB tree in the canonical
order. [RT #17451]
+2346. [func] Memory statistics now cover all active memory contexts
+ in increased detail. [RT #17580]
+
2345. [bug] named-checkconf failed to detect when forwarders
were set at both the options/view level and in
a root zone. [RT #17671]
@@ -280,6 +733,8 @@
2343. [bug] (Seemingly) duplicate IPv6 entries could be
created in ADB. [RT #17837]
+2342. [func] Use getifaddrs() if available under Linux. [RT #17224]
+
2341. [bug] libbind: add missing -I../include for off source
tree builds. [RT #17606]
@@ -292,12 +747,16 @@
2337. [bug] BUILD_LDFLAGS was not being correctly set. [RT #17614]
-2335. [port] sunos: libbind and *printf() support for long long.
+2336. [func] If "named -6" is specified then listen on all IPv6
+ interfaces if there are not listen-on-v6 clauses in
+ named.conf. [RT #17581]
+
+2335. [port] sunos: libbind and *printf() support for long long.
[RT #17513]
2334. [bug] Bad REQUIRES in fromstruct_in_naptr(), off by one
bug in fromstruct_txt(). [RT #17609]
-
+
2333. [bug] Fix off by one error in isc_time_nowplusinterval().
[RT #17608]
@@ -321,21 +780,40 @@
J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and
M.ROOT-SERVERS.NET.
+2327. [bug] It was possible to dereference a NULL pointer in
+ rbtdb.c. Implement dead node processing in zones as
+ we do for caches. [RT #17312]
+
2326. [bug] It was possible to trigger a INSIST in the acache
processing.
2325. [port] Linux: use capset() function if available. [RT #17557]
+2324. [bug] Fix IPv6 matching against "any;". [RT #17533]
+
2323. [port] tru64: namespace clash. [RT #17547]
2322. [port] MacOS: work around the limitation of setrlimit()
for RLIMIT_NOFILE. [RT #17526]
-2319. [bug] Silence Coverity warnings in
+2321. [placeholder]
+
+2320. [func] Make statistics counters thread-safe for platforms
+ that support certain atomic operations. [RT #17466]
+
+2319. [bug] Silence Coverity warnings in
lib/dns/rdata/in_1/apl_42.c. [RT #17469]
2318. [port] sunos fixes for libbind. [RT #17514]
+2317. [bug] "make distclean" removed bind9.xsl.h. [RT #17518]
+
+2316. [port] Missing #include <isc/print.h> in lib/dns/gssapictx.c.
+ [RT #17513]
+
+2315. [bug] Used incorrect address family for mapped IPv4
+ addresses in acl.c. [RT #17519]
+
2314. [bug] Uninitialized memory use on error path in
bin/named/lwdnoop.c. [RT #17476]
@@ -345,11 +823,15 @@
2312. [cleanup] Silence Coverity warning in lib/isc/unix/socket.c.
[RT #17458]
-2311. [func] Update ACL regression test. [RT #17462]
+2311. [bug] IPv6 addresses could match IPv4 ACL entries and
+ vice versa. [RT #17462]
2310. [bug] dig, host, nslookup: flush stdout before emitting
debug/fatal messages. [RT #17501]
+2309. [cleanup] Fix Coverity warnings in lib/dns/acl.c and iptable.c.
+ [RT #17455]
+
2308. [cleanup] Silence Coverity warning in bin/named/controlconf.c.
[RT #17495]
@@ -371,7 +853,7 @@
2301. [bug] Remove resource leak and fix error messages in
bin/tests/system/lwresd/lwtest.c. [RT #17474]
-2300. [bug] Fixed failure to close open file in
+2300. [bug] Fixed failure to close open file in
bin/tests/names/t_names.c. [RT #17473]
2299. [bug] Remove unnecessary NULL check in
@@ -389,22 +871,39 @@
2295. [bug] Silence static overrun error in bin/named/lwaddr.c.
[RT #17459]
+2294. [func] Allow the experimental statistics channels to have
+ multiple connections and ACL.
+ Note: the stats-server and stats-server-v6 options
+ available in the previous beta releases are replaced
+ with the generic statistics-channels statement.
+
2293. [func] Add ACL regression test. [RT #17375]
2292. [bug] Log if the working directory is not writable.
[RT #17312]
-2291. [bug] PR_SET_DUMPABLE may be set too late. Also report
+2291. [bug] PR_SET_DUMPABLE may be set too late. Also report
failure to set PR_SET_DUMPABLE. [RT #17312]
2290. [bug] Let AD in the query signal that the client wants AD
set in the response. [RT #17301]
+2289. [func] named-checkzone now reports the out-of-zone CNAME
+ found. [RT #17309]
+
2288. [port] win32: mark service as running when we have finished
loading. [RT #17441]
2287. [bug] Use 'volatile' if the compiler supports it. [RT #17413]
+2286. [func] Allow a TCP connection to be used as a weak
+ authentication method for reverse zones.
+ New update-policy methods tcp-self and 6to4-self.
+ [RT #17378]
+
+2285. [func] Test framework for client memory context management.
+ [RT #17377]
+
2284. [bug] Memory leak in UPDATE prerequisite processing.
[RT #17377]
@@ -413,7 +912,15 @@
memory context rather than the clients memory
context. [RT #17377]
-2279. [bug] Use setsockopt(SO_NOSIGPIPE), when available,
+2282. [bug] Acl code fixups. [RT #17346] [RT #17374]
+
+2281. [bug] Attempts to use undefined acls were not being logged.
+ [RT #17307]
+
+2280. [func] Allow the experimental http server to be reached
+ over IPv6 as well as IPv4. [RT #17332]
+
+2279. [bug] Use setsockopt(SO_NOSIGPIPE), when available,
to protect applications from receiving spurious
SIGPIPE signals when using the resolver.
@@ -423,12 +930,21 @@
2277. [bug] Empty zone names were not correctly being caught at
in the post parse checks. [RT #17357]
+2276. [bug] Install <dst/gssapi.h>. [RT# 17359]
+
+2275. [func] Add support to dig to perform IXFR queries over UDP.
+ [RT #17235]
+
+2274. [func] Log zone transfer statistics. [RT #17336]
+
2273. [bug] Adjust log level to WARNING when saving inconsistent
stub/slave master and journal files. [RT# 17279]
2272. [bug] Handle illegal dnssec-lookaside trust-anchor names.
[RT #17262]
+2271. [bug] Fix a memory leak in http server code [RT #17100]
+
2270. [bug] dns_db_closeversion() version->writer could be reset
before it is tested. [RT #17290]
@@ -437,6 +953,12 @@
2268. [bug] 0.IN-ADDR.ARPA was missing from the empty zones
list.
+ --- 9.5.0b1 released ---
+
+2267. [bug] Radix tree node_num value could be set incorrectly,
+ causing positive ACL matches to look like negative
+ ones. [RT #17311]
+
2266. [bug] client.c:get_clientmctx() returned the same mctx
once the pool of mctx's was filled. [RT #17218]
@@ -451,21 +973,14 @@
2262. [bug] Error status from all but the last view could be
lost. [RT #17292]
-2260. [bug] Reported wrong clients-per-query when increasing the
- value. [RT #17236]
-
-2247. [doc] Sort doc/misc/options. [RT #17067]
+2261. [bug] Fix memory leak with "any" and "none" ACLs [RT #17272]
-2246. [bug] Make the startup of test servers (ans.pl) more
- robust. [RT #17147]
-
- --- 9.4.2 released ---
+2260. [bug] Reported wrong clients-per-query when increasing the
+ value. [RT #17236]
- --- 9.4.2rc2 released ---
+2259. [placeholder]
-2259. [bug] Reverse incorrect LIBINTERFACE bump of libisc
- in 9.4.2rc1. Applications built against 9.4.2rc1
- will need to be rebuilt.
+ --- 9.5.0a7 released ---
2258. [bug] Fallback from IXFR/TSIG to SOA/AXFR/TSIG broken.
[RT #17241]
@@ -483,20 +998,52 @@
intermediate values as timer->idle was reset by
isc_timer_touch(). [RT #17243]
- --- 9.4.2rc1 released ---
+2253. [func] "max-cache-size" defaults to 32M.
+ "max-acache-size" defaults to 16M.
-2251. [doc] Update memstatistics-file documentation to reflect
- reality. Note there is behaviour change for BIND 9.5.
- [RT #17113]
+2252. [bug] Fixed errors in sortlist code [RT #17216]
-2249. [bug] Only set Authentic Data bit if client requested
- DNSSEC, per RFC 3655 [RT #17175]
+2251. [placeholder]
+
+2250. [func] New flag 'memstatistics' to state whether the
+ memory statistics file should be written or not.
+ Additionally named's -m option will cause the
+ statistics file to be written. [RT #17113]
+
+2249. [bug] Only set Authentic Data bit if client requested
+ DNSSEC, per RFC 3655 [RT #17175]
-2248. [cleanup] Fix several errors reported by Coverity. [RT #17160]
+2248. [cleanup] Fix several errors reported by Coverity. [RT #17160]
+
+2247. [doc] Sort doc/misc/options. [RT #17067]
+
+2246. [bug] Make the startup of test servers (ans.pl) more
+ robust. [RT #17147]
2245. [bug] Validating lack of DS records at trust anchors wasn't
working. [RT #17151]
+2244. [func] Allow the check of nameserver names against the
+ SOA MNAME field to be disabled by specifying
+ 'notify-to-soa yes;'. [RT #17073]
+
+2243. [func] Configuration files without a newline at the end now
+ parse without error. [RT #17120]
+
+2242. [bug] nsupdate: GSS-TSIG support using the Heimdal Kerberos
+ library could require a source of random data.
+ [RT #17127]
+
+2241. [func] nsupdate: add a interactive 'help' command. [RT #17099]
+
+2240. [bug] Cleanup nsupdates GSS-TSIG support. Convert
+ a number of INSIST()s into plain fatal() errors
+ which report the triggering result code.
+ The 'key' command wasn't disabling GSS-TSIG.
+ [RT #17099]
+
+2239. [func] Ship a pre built bin/named/bind9.xsl.h. [RT #17114]
+
2238. [bug] It was possible to trigger a REQUIRE when a
validation was canceled. [RT #17106]
@@ -507,7 +1054,11 @@
2235. [bug] <isc/atomic.h> was not being installed. [RT #17135]
-2234. [port] Correct some compiler warnings on SCO OSr5 [RT #17134]
+2234. [port] Correct some compiler warnings on SCO OSr5 [RT #17134]
+
+2233. [func] Add support for O(1) ACL processing, based on
+ radix tree code originally written by Kevin
+ Brintnall. [RT #16288]
2232. [bug] dns_adb_findaddrinfo() could fail and return
ISC_R_SUCCESS. [RT #17137]
@@ -518,34 +1069,44 @@
2230. [bug] We could INSIST reading a corrupted journal.
[RT #17132]
+2229. [bug] Null pointer dereference on query pool creation
+ failure. [RT #17133]
+
2228. [contrib] contrib: Change 2188 was incomplete.
2227. [cleanup] Tidied up the FAQ. [RT #17121]
+2226. [placeholder]
+
2225. [bug] More support for systems with no IPv4 addresses.
- [RT #17111]
+ [RT #17111]
2224. [bug] Defer journal compaction if a xfrin is in progress.
[RT #17119]
2223. [bug] Make a new journal when compacting. [RT #17119]
+2222. [func] named-checkconf now checks server key references.
+ [RT #17097]
+
2221. [bug] Set the event result code to reflect the actual
- record returned to caller when a cache update is
+ record turned to caller when a cache update is
rejected due to a more credible answer existing.
[RT #17017]
2220. [bug] win32: Address a race condition in final shutdown of
the Windows socket code. [RT #17028]
-
+
2219. [bug] Apply zone consistency checks to additions, not
removals, when updating. [RT #17049]
2218. [bug] Remove unnecessary REQUIRE from dns_validator_create().
[RT #16976]
+2217. [func] Adjust update log levels. [RT #17092]
+
2216. [cleanup] Fix a number of errors reported by Coverity.
- [RT #17094]
+ [RT #17094]
2215. [bug] Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094]
@@ -559,6 +1120,9 @@
2212. [func] 'host -m' now causes memory statistics and active
memory to be printed at exit. [RT 17028]
+2211. [func] Update "dynamic update temporarily disabled" message.
+ [RT #17065]
+
2210. [bug] Deleting class specific records via UPDATE could
fail. [RT #17074]
@@ -572,7 +1136,7 @@
2207. [port] Some implementations of getaddrinfo() fail to set
ai_canonname correctly. [RT #17061]
- --- 9.4.2b1 released ---
+ --- 9.5.0a6 released ---
2206. [security] "allow-query-cache" and "allow-recursion" now
cross inherit from each other.
@@ -588,15 +1152,21 @@
localhost;) is used.
[RT #16987]
-
+
2205. [bug] libbind: change #2119 broke thread support. [RT #16982]
+2204. [bug] "rndc flushanme name unknown-view" caused named
+ to crash. [RT #16984]
+
2203. [security] Query id generation was cryptographically weak.
[RT # 16915]
2202. [security] The default acls for allow-query-cache and
allow-recursion were not being applied. [RT #16960]
+2201. [bug] The build failed in a separate object directory.
+ [RT #16943]
+
2200. [bug] The search for cached NSEC records was stopping to
early leading to excessive DLV queries. [RT #16930]
@@ -613,8 +1183,13 @@
2196. [port] win32: yield processor while waiting for once to
to complete. [RT #16958]
+2195. [func] dnssec-keygen now defaults to nametype "ZONE"
+ when generating DNSKEYs. [RT #16954]
+
2194. [bug] Close journal before calling 'done' in xfrin.c.
+ --- 9.5.0a5 released ---
+
2193. [port] win32: BINDInstall.exe is now linked statically.
[RT #16906]
@@ -622,6 +1197,17 @@
Studio's redistributable dlls if building with
Visual Stdio 2005 or later.
+2191. [func] named-checkzone now allows dumping to stdout (-).
+ named-checkconf now has -h for help.
+ named-checkzone now has -h for help.
+ rndc now has -h for help.
+ Better handling of '-?' for usage summaries.
+ [RT #16707]
+
+2190. [func] Make fallback to plain DNS from EDNS due to timeouts
+ more visible. New logging category "edns-disabled".
+ [RT #16871]
+
2189. [bug] Handle socket() returning EINTR. [RT #15949]
2188. [contrib] queryperf: autoconf changes to make the search for
@@ -637,6 +1223,9 @@
2185. [port] sunos: libbind: check for ssize_t, memmove() and
memchr(). [RT #16463]
+2184. [bug] bind9.xsl.h didn't build out of the source tree.
+ [RT #16830]
+
2183. [bug] dnssec-signzone didn't handle offline private keys
well. [RT #16832]
@@ -649,6 +1238,9 @@
2180. [cleanup] Remove bit test from 'compress_test' as they
are no longer needed. [RT #16497]
+2179. [func] 'rndc command zone' will now find 'zone' if it is
+ unique to all the views. [RT #16821]
+
2178. [bug] 'rndc reload' of a slave or stub zone resulted in
a reference leak. [RT #16867]
@@ -667,6 +1259,11 @@
2173. [port] win32: When compiling with MSVS 2005 SP1 we also
need to ship Microsoft.VC80.MFCLOC.
+ --- 9.5.0a4 released ---
+
+2172. [bug] query_addsoa() was being called with a non zone db.
+ [RT #16834]
+
2171. [bug] Handle breaks in DNSSEC trust chains where the parent
servers are not DS aware (DS queries to the parent
return a referral to the child).
@@ -683,27 +1280,43 @@
2167. [bug] When re-using a automatic zone named failed to
attach it to the new view. [RT #16786]
+ --- 9.5.0a3 released ---
+
2166. [bug] When running in batch mode, dig could misinterpret
a server address as a name to be looked up, causing
unexpected output. [RT #16743]
-2164. [bug] The code to determine how named-checkzone /
+2165. [func] Allow the destination address of a query to determine
+ if we will answer the query or recurse.
+ allow-query-on, allow-recursion-on and
+ allow-query-cache-on. [RT #16291]
+
+2164. [bug] The code to determine how named-checkzone /
named-compilezone was called failed under windows.
[RT #16764]
+2163. [bug] If only one of query-source and query-source-v6
+ specified a port the query pools code broke (change
+ 2129). [RT #16768]
+
2162. [func] Allow "rrset-order fixed" to be disabled at compile
time. [RT #16665]
-2161. [bug] 'rndc flush' could report a false success. [RT #16698]
+2161. [bug] Fix which log messages are emitted for 'rndc flush'.
+ [RT #16698]
2160. [bug] libisc wasn't handling NULL ifa_addr pointers returned
from getifaddrs(). [RT #16708]
+ --- 9.5.0a2 released ---
+
2159. [bug] Array bounds overrun in acache processing. [RT #16710]
2158. [bug] ns_client_isself() failed to initialize key
leading to a REQUIRE failure. [RT #16688]
+2157. [func] dns_db_transfernode() created. [RT #16685]
+
2156. [bug] Fix node reference leaks in lookup.c:lookup_find(),
resolver.c:validated() and resolver.c:cache_name().
Fix a memory leak in rbtdb.c:free_noqname().
@@ -713,6 +1326,9 @@
2155. [contrib] SQLite sdb module from jaboydjr@netwalk.com.
[RT #16694]
+2154. [func] Scoped (e.g. IPv6 link-local) addresses may now be
+ matched in acls by omitting the scope. [RT #16599]
+
2153. [bug] nsupdate could leak memory. [RT #16691]
2152. [cleanup] Use sizeof(buf) instead of fixed number in
@@ -729,6 +1345,8 @@
if there were still active memory contexts.
[RT #16672]
+2148. [func] Add positive logging for rndc commands. [RT #14623]
+
2147. [bug] libbind: remove potential buffer overflow from
hmac_link.c. [RT #16437]
@@ -757,17 +1375,6 @@
2139. [bug] dns_view_find() was being called with wrong type
in adb.c. [RT #16670]
-2119. [compat] libbind: allow res_init() to succeed enough to
- return the default domain even if it was unable
- to allocate memory.
-
- --- 9.4.1 released ---
-
-2172. [bug] query_addsoa() was being called with a non zone db.
- [RT #16834]
-
- --- 9.4.0 released ---
-
2138. [bug] Lock order reversal in resolver.c. [RT #16653]
2137. [port] Mips little endian and/or mips 64 bit are now
@@ -778,6 +1385,8 @@
2135. [bug] Uninitialized rdataset in sdlz.c. [RT# 16656]
+2134. [func] Additional statistics support. [RT #16666]
+
2133. [port] powerpc: Support both IBM and MacOS Power PC
assembler syntaxes. [RT #16647]
@@ -786,9 +1395,13 @@
2131. [contrib] dlz/mysql: AXFR was broken. [RT #16630]
-2128. [doc] xsltproc --nonet, update DTD versions. [RT #16635]
+2130. [func] Log if CD or DO were set. [RT #16640]
- --- 9.4.0rc2 released ---
+2129. [func] Provide a pool of UDP sockets for queries to be
+ made over. See use-queryport-pool, queryport-pool-ports
+ and queryport-pool-updateinterval. [RT #16415]
+
+2128. [doc] xsltproc --nonet, update DTD versions. [RT #16635]
2127. [port] Improved OpenSSL 0.9.8 support. [RT #16563]
@@ -800,9 +1413,22 @@
2124. [security] It was possible to dereference a freed fetch
context. [RT #16584]
+ --- 9.5.0a1 released ---
+
+2123. [func] Use Doxygen to generate internal documentation.
+ [RT #11398]
+
+2122. [func] Experimental http server and statistics support
+ for named via xml.
+
+2121. [func] Add a 10 slot dead masters cache (LRU) with a 600
+ second timeout. [RT #16553]
+
2120. [doc] Fix markup on nsupdate man page. [RT #16556]
- --- 9.4.0rc1 released ---
+2119. [compat] libbind: allow res_init() to succeed enough to
+ return the default domain even if it was unable
+ to allocate memory.
2118. [bug] Handle response with long chains of domain name
compression pointers which point to other compression
@@ -837,8 +1463,14 @@
2109. [port] libbind: silence aix 5.3 compiler warnings. [RT #16502]
+2108. [func] DHCID support. [RT #16456]
+
2107. [bug] dighost.c: more cleanup of buffers. [RT #16499]
+2106. [func] 'rndc status' now reports named's version. [RT #16426]
+
+2105. [func] GSS-TSIG support (RFC 3645).
+
2104. [port] Fix Solaris SMF error message.
2103. [port] Add /usr/sfw to list of locations for OpenSSL
@@ -846,8 +1478,6 @@
2102. [port] Silence Solaris 10 warnings.
- --- 9.4.0b4 released ---
-
2101. [bug] OpenSSL version checks were not quite right.
[RT #16476]
@@ -860,8 +1490,6 @@
triggered an INSIST failure about the node lock
reference. [RT #16411]
- --- 9.4.0b3 released ---
-
2097. [bug] named could reference a destroyed memory context
after being reloaded / reconfigured. [RT #16428]
@@ -870,14 +1498,14 @@
2095. [port] libbind: alway prototype inet_cidr_ntop_ipv6() and
net_cidr_ntop_ipv6(). [RT #16388]
-
+
2094. [contrib] Update named-bootconf. [RT# 16404]
2093. [bug] named-checkzone -s was broken.
2092. [bug] win32: dig, host, nslookup. Use registry config
if resolv.conf does not exist or no nameservers
- listed. [RT #15877]
+ listed. [RT #15877]
2091. [port] dighost.c: race condition on cleanup. [RT #16417]
@@ -906,8 +1534,6 @@
2082. [doc] Document 'cache-file' as a test only option.
- --- 9.4.0b2 released ---
-
2081. [port] libbind: minor 64-bit portability fix in memcluster.c.
[RT #16360]
@@ -971,8 +1597,6 @@
2060. [bug] Enabling DLZ support could leave views partially
configured. [RT #16295]
- --- 9.4.0b1 released ---
-
2059. [bug] Search into cache rbtdb could trigger an INSIST
failure while cleaning up a stale rdataset.
[RT #16292]
@@ -1052,13 +1676,15 @@
2036. [bug] 'rndc recursing' could cause trigger a REQUIRE.
[RT #16075]
+2035. [func] Make falling back to TCP on UDP refresh failure
+ optional. Default "try-tcp-refresh yes;" for BIND 8
+ compatibility. [RT #16123]
+
2034. [bug] gcc: set -fno-strict-aliasing. [RT #16124]
2033. [bug] We weren't creating multiple client memory contexts
on demand as expected. [RT #16095]
- --- 9.4.0a6 released ---
-
2032. [bug] Remove a INSIST in query_addadditional2(). [RT #16074]
2031. [bug] Emit a error message when "rndc refresh" is called on
@@ -1105,8 +1731,6 @@
allowed but requested and we had the answer
to the original qname. [RT #15945]
- --- 9.4.0a5 released ---
-
2015. [cleanup] use-additional-cache is now acache-enable for
consistency. Default acache-enable off in BIND 9.4
as it requires memory usage to be configured.
@@ -1126,7 +1750,7 @@
the signed zone, either as an increment or as the
system time(). [RT #15633]
- --- 9.4.0a4 released ---
+2010. [placeholder] rt15958
2009. [bug] libbind: Coverity fixes. [RT #15808]
@@ -1280,12 +1904,12 @@
1966. [bug] Don't set CD when we have fallen back to plain DNS.
[RT #15727]
-1965. [func] Suppress spurious "recusion requested but not
+1965. [func] Suppress spurious "recursion requested but not
available" warning with 'dig +qr'. [RT #15780].
1964. [func] Separate out MX and SRV to CNAME checks. [RT #15723]
-1963. [port] Tru64 4.0E doesn't support send() and recv().
+1963. [port] Tru64 4.0E doesn't support send() and recv().
[RT #15586]
1962. [bug] Named failed to clear old update-policy when it
@@ -1328,7 +1952,7 @@
1951. [security] Drop queries from particular well known ports.
Don't return FORMERR to queries from particular
well known ports. [RT #15636]
-
+
1950. [port] Solaris 2.5.1 and earlier cannot bind() then connect()
a TCP socket. This prevents the source address being
set for TCP connections. [RT #15628]
@@ -1350,19 +1974,13 @@
1945. [cleanup] dnssec-keygen: RSA (RSAMD5) is no longer recommended.
To generate a RSAMD5 key you must explicitly request
RSAMD5. [RT #13780]
-
+
1944. [cleanup] isc_hash_create() does not need a read/write lock.
[RT #15522]
1943. [bug] Set the loadtime after rolling forward the journal.
[RT #15647]
-1597. [func] Allow notify-source and query-source to be specified
- on a per server basis similar to transfer-source.
- [RT #6496]
-
- --- 9.4.0a3 released ---
-
1942. [bug] If the name of a DNSKEY match that of one in
trusted-keys do not attempt to validate the DNSKEY
using the parents DS RRset. [RT #15649]
@@ -1390,12 +2008,6 @@
prior to returning them if it can be done without
requiring DNSKEYs to be fetched. [RT #15430]
-1919. [contrib] queryperf: a set of new features: collecting/printing
- response delays, printing intermediate results, and
- adjusting query rate for the "target" qps.
-
- --- 9.4.0a2 released ---
-
1933. [bug] dump_rdataset_raw() had a incorrect INSIST. [RT #15534]
1932. [bug] hpux: LDFLAGS was getting corrupted. [RT #15530]
@@ -1434,7 +2046,9 @@
have the desired performance characteristics.
[RT #15454]
- --- 9.4.0a1 released ---
+1919. [contrib] queryperf: a set of new features: collecting/printing
+ response delays, printing intermediate results, and
+ adjusting query rate for the "target" qps.
1918. [bug] Memory leak when checking acls. [RT #15391]
@@ -1472,7 +2086,7 @@
[RT #15034]
1905. [bug] Strings returned from cfg_obj_asstring() should be
- treated as read-only. The prototype for
+ treated as read-only. The prototype for
cfg_obj_asstring() has been updated to reflect this.
[RT #15256]
@@ -1577,6 +2191,8 @@
1872. [port] win32: Handle ERROR_NETNAME_DELETED. [RT #13753]
+1871. [placeholder]
+
1870. [func] Added framework for handling multiple EDNS versions.
[RT #14873]
@@ -1602,10 +2218,10 @@
1863. [bug] rrset-order "fixed" error messages not complete.
1862. [func] Add additional zone data constancy checks.
- named-checkzone has extended checking of NS, MX and
+ named-checkzone has extended checking of NS, MX and
SRV record and the hosts they reference.
named has extended post zone load checks.
- New zone options: check-mx and integrity-check.
+ New zone options: check-mx and integrity-check.
[RT #4940]
1861. [bug] dig could trigger a INSIST on certain malformed
@@ -1648,9 +2264,9 @@
1848. [bug] Improve SMF integration. [RT #13238]
1847. [bug] isc_ondestroy_init() is called too late in
- dns_rbtdb_create()/dns_rbtdb64_create().
+ dns_rbtdb_create()/dns_rbtdb64_create().
[RT #13661]
-
+
1846. [contrib] query-loc-0.3.0 from Stephane Bortzmeyer
<bortzmeyer@nic.fr>.
@@ -1721,6 +2337,8 @@
1822. [bug] check-names test for RT was reversed. [RT #13382]
+1821. [placeholder]
+
1820. [bug] Gracefully handle acl loops. [RT #13659]
1819. [bug] The validator needed to check both the algorithm and
@@ -1870,6 +2488,10 @@
1773. [bug] Fast retry on host / net unreachable. [RT #13153]
+1772. [placeholder]
+
+1771. [placeholder]
+
1770. [bug] named-checkconf failed to report missing a missing
file clause for rbt{64} master/hint zones. [RT#13009]
@@ -1936,7 +2558,7 @@
[RT #12866]
1748. [func] dig now returns the byte count for axfr/ixfr.
-
+
1747. [bug] BIND 8 compatibility: named/named-checkconf failed
to parse "host-statistics-max" in named.conf.
@@ -1954,7 +2576,7 @@
requested number of worker threads then destruction
of the manager would trigger an INSIST() failure.
[RT #12790]
-
+
1742. [bug] Deleting all records at a node then adding a
previously existing record, in a single UPDATE
transaction, failed to leave / regenerate the
@@ -1965,7 +2587,7 @@
1740. [bug] Replace rbt's hash algorithm as it performed badly
with certain zones. [RT #12729]
-
+
NOTE: a hash context now needs to be established
via isc_hash_create() if the application was not
already doing this.
@@ -1980,7 +2602,7 @@
1736. [bug] dst_key_fromnamedfile() could fail to read a
public key. [RT #12687]
-
+
1735. [bug] 'dig +sigtrace' could die with a REQUIRE failure.
[RE #12688]
@@ -2157,7 +2779,7 @@
1675. [bug] named would sometimes add extra NSEC records to
the authority section.
-
+
1674. [port] linux: increase buffer size used to scan
/proc/net/if_inet6.
@@ -2173,6 +2795,8 @@
1670. [func] Log UPDATE requests to slave zones without an acl as
"disabled" at debug level 3. [RT# 11657]
+1669. [placeholder]
+
1668. [bug] DIG_SIGCHASE was making bin/dig/host dump core.
1667. [port] linux: not all versions have IF_NAMESIZE.
@@ -2229,7 +2853,7 @@
1648. [func] Update dnssec-lookaside named.conf syntax to support
multiple dnssec-lookaside namespaces (not yet
- implemented).
+ implemented).
1647. [bug] It was possible trigger a INSIST when chasing a DS
record that required walking back over a empty node.
@@ -2259,7 +2883,7 @@
1638. [bug] "ixfr-from-differences" could generate a REQUIRE
failure if the journal open failed. [RT #11347]
-
+
1637. [bug] Node reference leak on error in addnoqname().
1636. [bug] The dump done callback could get ISC_R_SUCCESS even if
@@ -2353,21 +2977,21 @@
1607. [bug] dig, host and nslookup were still using random()
to generate query ids. [RT# 11013]
-1606. [bug] DLV insecurity proof was failing.
+1606. [bug] DLV insecurity proof was failing.
1605. [func] New dns_db_find() option DNS_DBFIND_COVERINGNSEC.
1604. [bug] A xfrout_ctx_create() failure would result in
xfrout_ctx_destroy() being called with a
partially initialized structure.
-
+
1603. [bug] nsupdate: set interactive based on isatty().
[RT# 10929]
1602. [bug] Logging to a file failed unless a size was specified.
[RT# 10925]
-1601. [bug] Silence spurious warning 'both "recursion no;" and
+1601. [bug] Silence spurious warning 'both "recursion no;" and
"allow-recursion" active' warning from view "_bind".
[RT# 10920]
@@ -2379,6 +3003,10 @@
1598. [func] Specify that certain parts of the namespace must
be secure (dnssec-must-be-secure).
+1597. [func] Allow notify-source and query-source to be specified
+ on a per server basis similar to transfer-source.
+ [RT #6496]
+
1596. [func] Accept 'notify-source' style syntax for query-source.
1595. [func] New notify type 'master-only'. Enable notify for
@@ -4280,7 +4908,7 @@
963. [bug] Bad ISC_LANG_ENDDECLS. [RT #1645]
962. [bug] libbind: bad "#undef", don't attempt to install
- non-existant nlist.h. [RT #1640]
+ non-existent nlist.h. [RT #1640]
961. [bug] Tried to use a IPV6 feature when ISC_PLATFORM_HAVEIPV6
was not defined. [RT #1482]
@@ -6918,7 +7546,7 @@
188. [func] Log a warning message when an incoming zone transfer
contains out-of-zone data.
- 187. [func] isc_ratelimter_enqueue() has an additional argument
+ 187. [func] isc_ratelimiter_enqueue() has an additional argument
'task'.
186. [func] dns_request_getresponse() has an additional argument
@@ -7061,7 +7689,7 @@
masters [ port xxx ] { y.y.y.y [ port zzz ] ; }
- 149. [cleanup] Removed usused argument 'olist' from
+ 149. [cleanup] Removed unused argument 'olist' from
dns_c_view_unsetordering().
148. [cleanup] Stop issuing some warnings about some configuration
@@ -7137,7 +7765,7 @@
128. [cleanup] <isc/dir.h> had ISC_LANG_BEGINDECLS instead of
ISC_LANG_ENDDECLS at end of header.
- 127. [cleanup] The contracts for the comparision routines
+ 127. [cleanup] The contracts for the comparison routines
dns_name_fullcompare(), dns_name_compare(),
dns_name_rdatacompare(), and dns_rdata_compare() now
specify that the order value returned is < 0, 0, or > 0
diff --git a/COPYRIGHT b/COPYRIGHT
index 8d6a0cef1378..620ee985983c 100644
--- a/COPYRIGHT
+++ b/COPYRIGHT
@@ -1,4 +1,4 @@
-Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 1996-2003 Internet Software Consortium.
Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@ LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
-$Id: COPYRIGHT,v 1.9.18.5 2008/01/02 23:46:02 tbox Exp $
+$Id: COPYRIGHT,v 1.14.176.1 2009/01/05 23:47:22 tbox Exp $
Portions Copyright (C) 1996-2001 Nominum, Inc.
diff --git a/FAQ b/FAQ
index 2c333bef3b24..2846b31fe091 100644
--- a/FAQ
+++ b/FAQ
@@ -1,6 +1,6 @@
Frequently Asked Questions about BIND 9
-Copyright 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+Copyright 2004-2009 Internet Systems Consortium, Inc. ("ISC")
Copyright 2000-2003 Internet Software Consortium.
@@ -600,7 +600,7 @@ Q: Why do queries for NSEC3 records fail to return the NSEC3 record?
A: NSEC3 records are strictly meta data and can only be returned in the
authority section. This is done so that signing the zone using NSEC3
- records does not bring names into existance that do not exist in the
+ records does not bring names into existence that do not exist in the
unsigned version of the zone.
5. Operating-System Specific Questions
@@ -825,7 +825,6 @@ A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to
use certain interrupts as a source of random events. You can make this
permanent by setting rand_irqs in /etc/rc.conf.
- /etc/rc.conf
rand_irqs="3 14 15"
See also <http://people.freebsd.org/~dougb/randomness.html>.
diff --git a/FAQ.xml b/FAQ.xml
index b624d06d5341..95346f7d052a 100644
--- a/FAQ.xml
+++ b/FAQ.xml
@@ -1,7 +1,7 @@
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>
<!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: FAQ.xml,v 1.4.4.24 2008/09/10 01:32:25 tbox Exp $ -->
+<!-- $Id: FAQ.xml,v 1.46.56.4 2009/02/19 01:51:58 tbox Exp $ -->
<article class="faq">
<title>Frequently Asked Questions about BIND 9</title>
@@ -28,6 +28,7 @@
<year>2006</year>
<year>2007</year>
<year>2008</year>
+ <year>2009</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@@ -1067,7 +1068,7 @@ empty:
NSEC3 records are strictly meta data and can only be
returned in the authority section. This is done so that
signing the zone using NSEC3 records does not bring names
- into existance that do not exist in the unsigned version
+ into existence that do not exist in the unsigned version
of the zone.
</para>
</answer>
@@ -1470,7 +1471,6 @@ options {
</para>
<informalexample>
<programlisting>
-/etc/rc.conf
rand_irqs="3 14 15"</programlisting>
</informalexample>
<para>
diff --git a/Makefile.in b/Makefile.in
index 9ff0f6493292..662ee0f99490 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.43.18.6 2007/09/03 23:46:21 tbox Exp $
+# $Id: Makefile.in,v 1.52.48.2 2009/02/20 23:47:23 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -21,17 +21,16 @@ top_srcdir = @top_srcdir@
@BIND9_VERSION@
-SUBDIRS = make lib bin doc @LIBBIND@
+SUBDIRS = make lib bin doc
TARGETS =
-@BIND9_MAKE_RULES@
+MANPAGES = isc-config.sh.1
+
+HTMLPAGES = isc-config.sh.html
+
+MANOBJS = ${MANPAGES} ${HTMLPAGES}
-distclean::
- @if [ "X@LIBBIND@" = "X" ] ; then \
- i=lib/bind; \
- echo "making $@ in `pwd`/$$i"; \
- (cd $$i; ${MAKE} ${MAKEDEFS} $@) || exit 1; \
- fi
+@BIND9_MAKE_RULES@
distclean::
rm -f config.cache config.h config.log config.status TAGS
@@ -43,12 +42,19 @@ distclean::
maintainer-clean::
rm -f configure
+docclean manclean maintainer-clean::
+ rm -f ${MANOBJS}
+
+doc man:: ${MANOBJS}
+
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir} \
${DESTDIR}${localstatedir}/run ${DESTDIR}${sysconfdir}
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
install:: isc-config.sh installdirs
${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}
+ ${INSTALL_DATA} ${srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1
tags:
rm -f TAGS
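Review bot: The new `install::` rule copies `${srcdir}/isc-config.sh.1` without listing it as a prerequisite, while the new `maintainer-clean::` rule removes it through `${MANOBJS}`, so an install after a maintainer-clean fails inside the `${INSTALL_DATA}` step instead of at a make-level missing-prerequisite error that names the page. Listing the page explicitly, `install:: isc-config.sh isc-config.sh.1 installdirs`, makes the dependency visible and, with `VPATH = @srcdir@` already set above, still resolves it from the source tree. The rule that builds `${MANOBJS}` for `doc man::` is not visible in this hunk; presumably it comes from `@BIND9_MAKE_RULES@`, so whether a regenerated page lands in the source directory or the build directory should be confirmed before relying on the `${srcdir}` path.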
diff --git a/NSEC3-NOTES b/NSEC3-NOTES
new file mode 100644
index 000000000000..d23b20eefd22
--- /dev/null
+++ b/NSEC3-NOTES
@@ -0,0 +1,128 @@
+
+ DNSSEC and UPDATE
+
+ Converting from insecure to secure
+
+As of BIND 9.6.0 it is possible to move a zone between being insecure
+to secure and back again. A secure zone can be using NSEC or NSEC3.
+
+To move a zone from insecure to secure you need to configure named
+so that it can see the K* files which contain the public and private
+parts of the keys that will be used to sign the zone. These files
+will have been generated by dnssec-keygen. You can do this by
+placing them in the key-directory as specified in named.conf.
+
+ zone example.net {
+ type master;
+ allow-update { .... };
+ file "dynamic/example.net/example.net";
+ key-directory "dynamic/example.net";
+ };
+
+Assuming one KSK and one ZSK DNSKEY key have been generated. Then
+this will cause the zone to be signed with the ZSK and the DNSKEY
+RRset to be signed with the KSK DNSKEY. A NSEC chain will also be
+generated as part of the initial signing process.
+
+ % nsupdate
+ > ttl 3600
+ > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
+ > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
+ > send
+
+While the update request will complete almost immediately the zone
+will not be completely signed until named has had time to walk the
+zone and generate the NSEC and RRSIG records. Initially the NSEC
+record at the zone apex will have the OPT bit set. When the NSEC
+chain is complete the OPT bit will be cleared. Additionally when
+the zone is fully signed the private type (default TYPE65535) records
+will have a non zero value for the final octet.
+
+The private type record has 5 octets.
+ algorithm (octet 1)
+ key id in network order (octet 2 and 3)
+ removal flag (octet 4)
+ complete flag (octet 5)
+
+If you wish to go straight to a secure zone using NSEC3 you should
+also add a NSECPARAM record to the update request with the flags
+field set to indicate whether the NSEC3 chain will have the OPTOUT
+bit set or not.
+
+ % nsupdate
+ > ttl 3600
+ > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
+ > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
+ > update add example.net NSEC3PARAM 1 1 100 1234567890
+ > send
+
+Again the update request will complete almost immediately however the
+NSEC3PARAM record will have additional flag bits set indicating that the
+NSEC3 chain is under construction. When the NSEC3 chain is complete the
+flags field will be set to zero.
+
+While the initial signing and NSEC/NSEC3 chain generation is happening
+other updates are possible.
+
+ DNSKEY roll overs via UPDATE
+
+It is possible to perform key rollovers via update. You need to
+add the K* files for the new keys so that named can find them. You
+can then add the new DNSKEY RRs via update. Named will then cause
+the zone to be signed with the new keys. When the signing is
+complete the private type records will be updated so that the last
+octet is non zero.
+
+If this is for a KSK you need to inform the parent and any trust
+anchor repositories of the new KSK.
+
+You should then wait for the maximum TLL in the zone before removing the
+old DNSKEY. If it is a KSK that is being updated you also need to wait
+for the DS RRset in the parent to be updated and its TTL to expire.
+This ensures that all clients will be able to verify at least a signature
+when you remove the old DNSKEY.
+
+The old DNSKEY can be removed via UPDATE. Take care to specify
+the correct key. Named will clean out any signatures generated by
+the old key after the update completes.
+
+ NSEC3PARAM rollovers via UPDATE.
+
+Add the new NSEC3PARAM record via update. When the new NSEC3 chain
+has been generated the NSEC3PARAM flag field will be zero. At this
+point you can remove the old NSEC3PARAM record. The old chain will
+be removed after the update request completes.
+
+ Converting from NSEC to NSEC3
+
+To do this you just need to add a NSEC3PARAM record. When the
+conversion is complete the NSEC chain will have been removed and
+the NSEC3PARAM record will have a zero flag field. The NSEC3 chain
+will be generated before the NSEC chain is destroyed.
+
+ Converting from NSEC3 to NSEC
+
+To do this remove all NSEC3PARAM records with a zero flag field. The
+NSEC chain will be generated before the NSEC3 chain is removed.
+
+ Converting from secure to insecure
+
+To do this remove all the DNSKEY records. Any NSEC or NSEC3 chains
+will be removed as well as associated NSEC3PARAM records. This will
+take place after the update requests completes.
+
+ Periodic re-signing.
+
+Named will periodically re-sign RRsets which have not been re-signed
+as a result of some update action. The signature lifetimes will
+be adjusted so as to spread the re-sign load over time rather than
+all at once.
+
+ NSEC3 and OPTOUT
+
+Named only supports creating new NSEC3 chains where all the NSEC3
+records in the zone have the same OPTOUT state. Named supports
+UPDATES to zones where the NSEC3 records in the chain have mixed
+OPTOUT state. Named does not support changing the OPTOUT state of
+an individual NSEC3 record, the entire chain needs to be changed if
+the OPTOUT state of an individual NSEC3 needs to be changed.
diff --git a/README b/README
index 0a0bc9e86f6d..d15198848024 100644
--- a/README
+++ b/README
@@ -42,29 +42,50 @@ BIND 9
Stichting NLnet - NLnet Foundation
Nominum, Inc.
-BIND 9.4.3
+BIND 9.6.0
- BIND 9.4.3 is a maintenance release, fixing bugs in 9.4.2.
+ BIND 9.6.0 includes a number of changes from BIND 9.5 and earlier
+ releases, including:
-BIND 9.4.2
+ Full NSEC3 support
- BIND 9.4.2 is a maintenance release, containing fixes for
- a number of bugs in 9.4.1.
+ Automatic zone re-signing
- Warning: If you installed BIND 9.4.2rc1 then any applications
- linked against this release candidate will need to be rebuilt.
+ New update-policy methods tcp-self and 6to4-self
-BIND 9.4.1
+ The BIND 8 resolver library, libbind, has been removed from the
+ BIND 9 distribution and is now available as a separate download.
- BIND 9.4.1 is a security release, containing a fix for
- a security bugs in 9.4.0.
+ Change the default pid file location from /var/run to
+ /var/run/{named,lwresd} for improved chroot/setuid support.
+
+BIND 9.5.0
+
+ BIND 9.5.0 has a number of new features over 9.4,
+ including:
+
+ GSS-TSIG support (RFC 3645).
+
+ DHCID support.
+
+ Experimental http server and statistics support for named via xml.
+
+ More detailed statistics counters including those supported in BIND 8.
+
+ Faster ACL processing.
+
+ Use Doxygen to generate internal documentation.
+
+ Efficient LRU cache-cleaning mechanism.
+
+ NSID support.
BIND 9.4.0
BIND 9.4.0 has a number of new features over 9.3,
including:
- Implemented "additional section caching" (or "acache"), an
+ Implemented "additional section caching (or acache)", an
internal cache framework for additional section content to
improve response performance. Several configuration options
were provided to control the behavior.
@@ -76,13 +97,14 @@ BIND 9.4.0
rndc now allows addresses to be set in the server clauses.
- New option "allow-query-cache". This lets allow-query be
- used to specify the default zone access level rather than
- having to have every zone override the global value.
- allow-query-cache can be set at both the options and view
- levels. If allow-query-cache is not set then allow-recursion
- is used if set, otherwise allow-query is used if set, otherwise
- the default (localhost; localnets;) is used.
+ New option "allow-query-cache". This lets "allow-query"
+ be used to specify the default zone access level rather
+ than having to have every zone override the global value.
+ "allow-query-cache" can be set at both the options and view
+ levels. If "allow-query-cache" is not set then "allow-recursion"
+ is used if set, otherwise "allow-query" is used if set
+ unless "recursion no;" is set in which case "none;" is used,
+ otherwise the default (localhost; localnets;) is used.
rndc: the source address can now be specified.
@@ -155,11 +177,12 @@ BIND 9.4.0
Add support for CH A record.
- Add additional zone data consistancy checks. named-checkzone
+ Add additional zone data constancy checks. named-checkzone
has extended checking of NS, MX and SRV record and the hosts
they reference. named has extended post zone load checks.
New zone options: check-mx and integrity-check.
+
edns-udp-size can now be overridden on a per server basis.
dig can now specify the EDNS version when making a query.
@@ -172,7 +195,7 @@ BIND 9.4.0
Detect duplicates of UDP queries we are recursing on and
drop them. New stats category "duplicates".
- Memory management. "USE INTERNAL MALLOC" is now runtime selectable.
+ "USE INTERNAL MALLOC" is now runtime selectable.
The lame cache is now done on a <qname,qclass,qtype> basis
as some servers only appear to be lame for certain query
@@ -187,9 +210,9 @@ BIND 9.4.0
Support for IPSECKEY rdata type.
- Raise the UDP receive buffer size to 32k if it is less than 32k.
+ Raise the UDP recieve buffer size to 32k if it is less than 32k.
- x86 and x86_64 now have separate atomic locking implementations.
+ x86 and x86_64 now have seperate atomic locking implementations.
named-checkconf now validates update-policy entries.
@@ -217,69 +240,9 @@ BIND 9.4.0
to set 'RA' when 'RD' is set unless a server is explicitly
set.
- Integrate contributed DLZ code into named.
-
- Integrate contributed IDN code from JPNIC.
-
- Validate pending NS RRsets, in the authority section, prior
- to returning them if it can be done without requiring DNSKEYs
- to be fetched.
-
- It is now possible to configure named to accept expired
- RRSIGs. Default "dnssec-accept-expired no;". Setting
- "dnssec-accept-expired yes;" leaves named vulnerable to
- replay attacks.
+ Integrate contibuted DLZ code into named.
- Additional memory leakage checks.
-
- The maximum EDNS UDP response named will send can now be
- set in named.conf (max-udp-size). This is independent of
- the advertised receive buffer (edns-udp-size).
-
- Named now falls back to advertising EDNS with a 512 byte
- receive buffer if the initial EDNS queries fail.
-
- Control the zeroing of the negative response TTL to a soa
- query. Defaults "zero-no-soa-ttl yes;" and
- "zero-no-soa-ttl-cache no;".
-
- Separate out MX and SRV to CNAME checks.
-
- dig/nslookup/host: warn about missing "QR".
-
- TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
- HMACSHA512 support.
-
- dnssec-signzone: output the SOA record as the first record
- in the signed zone.
-
- Two new update policies. "selfsub" and "selfwild".
-
- dig, nslookup and host now advertise a 4096 byte EDNS UDP
- buffer size by default.
-
- Report when a zone is removed.
-
- DS/DLV SHA256 digest algorithm support.
-
- Implement "rrset-order fixed".
-
- Check the KSK flag when updating a secure dynamic zone.
- New zone option "update-check-ksk yes;".
-
- It is now possible to explicitly enable DNSSEC validation.
- default dnssec-validation no; to be changed to yes in 9.5.0.
-
- It is now possible to enable/disable DNSSEC validation
- from rndc. This is useful for the mobile hosts where the
- current connection point breaks DNSSEC (firewall/proxy).
-
- rndc validation newstate [view]
-
- dnssec-signzone can now update the SOA record of the signed
- zone, either as an increment or as the system time().
-
- Statistics about acache now recorded and sent to log.
+ Integrate contibuted IDN code from JPNIC.
libbind: corresponds to that from BIND 8.4.7.
@@ -423,31 +386,35 @@ Building
We've had successful builds and tests on the following systems:
COMPAQ Tru64 UNIX 5.1B
+ Fedora Core 6
FreeBSD 4.10, 5.2.1, 6.2
HP-UX 11.11
- NetBSD 1.5
- Slackware Linux 8.1
- Solaris 8, 9, 9 (x86)
+ Mac OS X 10.5
+ NetBSD 3.x and 4.0-beta
+ OpenBSD 3.3 and up
+ Solaris 8, 9, 9 (x86), 10
+ Ubuntu 7.04, 7.10
Windows XP/2003/2008
NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
Windows, including Windows NT and Windows 2000, are no longer
supported.
- Additionally, we have unverified reports of success building
- previous versions of BIND 9 from users of the following systems:
-
- AIX 5L
- SuSE Linux 7.0
- Slackware Linux 7.x, 8.0
- Red Hat Linux 7.1
- Debian GNU/Linux 2.2 and 3.0
- Mandrake 8.1
- OpenBSD 2.6, 2.8, 2.9, 3.1, 3.6, 3.8
- UnixWare 7.1.1
- HP-UX 10.20
- BSD/OS 4.2
- Mac OS X 10.1, 10.3.8
+ We have recent reports from the user community that a supported
+ version of BIND will build and run on the following systems:
+
+ AIX 4.3, 5L
+ CentOS 4, 4.5, 5
+ Darwin 9.0.0d1/ARM
+ Debian 4
+ Fedora Core 5, 7
+ FreeBSD 6.1
+ HP-UX 11.23 PA
+ MacOS X 10.4, 10.5
+ Red Hat Enterprise Linux 4, 5
+ SCO OpenServer 5.0.6
+ Slackware 9, 10
+ SuSE 9, 10
To build, just
@@ -484,12 +451,13 @@ Building
-DDIG_SIGCHASE_BU=1)
Disable dropping queries from particular well known ports.
-DNS_CLIENT_DROPPORT=0
- Disable support for "rrset-order fixed".
- -DDNS_RDATASET_FIXED=0
- Sibling glue checking in named-checkzone is enabled by default.
+ Sibling glue checking in named-checkzone is enabled by default.
To disable the default check set. -DCHECK_SIBLING=0
named-checkzone checks out-of-zone addresses by default.
To disable this default set. -DCHECK_LOCAL=0
+ To create the default pid files in ${localstatedir}/run rather
+ than ${localstatedir}/run/{named,lwresd}/ set.
+ -DNS_RUN_PID_DIR=0
Enable workaround for Solaris kernel bug about /dev/poll
-DISC_SOCKET_USE_POLLWATCH=1
The watch timeout is also configurable, e.g.,
@@ -519,9 +487,6 @@ Building
a nonstandard prefix, you can tell configure where to
look for it using "--with-openssl=/prefix".
- To build libbind (the BIND 8 resolver library), specify
- "--enable-libbind" on the configure command line.
-
On some platforms it is necessary to explictly request large
file support to handle files bigger than 2GB. This can be
done by "--enable-largefile" on the configure command line.
@@ -533,6 +498,11 @@ Building
on the configure command line. The default is operating
system dependent.
+ Support for the "fixed" rrset-order option can be enabled
+ or disabled by specifying "--enable-fixed-rrset" or
+ "--disable-fixed-rrset" on the configure command line.
+ The default is "disabled", to reduce memory footprint.
+
If your operating system has integrated support for IPv6, it
will be used automatically. If you have installed KAME IPv6
separately, use "--with-kame[=PATH]" to specify its location.
@@ -613,8 +583,9 @@ Bug Reports and Mailing Lists
http://www.isc.org/ops/lists/
If you're planning on making changes to the BIND 9 source
- code, you might want to join the BIND Forum as a Worker.
- This gives you access to the bind-workers@isc.org mailing
- list and pre-release access to the code.
+ code, you might want to join the BIND Workers mailing list.
+ Send mail to
+
+ bind-workers-request@isc.org
+
- http://www.isc.org/sw/guild/bf/
diff --git a/README.idnkit b/README.idnkit
index 316f8793bc6b..0eda0a5e7d9d 100644
--- a/README.idnkit
+++ b/README.idnkit
@@ -55,7 +55,7 @@ at least specify `--with-idn' option to enable IDN support.
`--with-libiconv' assumes that your C compiler has `-R'
option, and that the option adds the specified run-time path
- to an exacutable binary. If `-R' option of your compiler has
+ to an executable binary. If `-R' option of your compiler has
different meaning, or your compiler lacks the option, you
should use `--with-iconv' option instead. Binary command
without run-time path information might be unexecutable.
@@ -68,7 +68,7 @@ at least specify `--with-idn' option to enable IDN support.
specified, `--with-iconv' is prior to `--with-libiconv'.
--with-iconv=ICONV_LIBSPEC
- If your libc doens't provide iconv(), you need to specify the
+ If your libc doesn't provide iconv(), you need to specify the
library containing iconv() with this option. `ICONV_LIBSPEC'
is the argument(s) to `cc' or `ld' to link the library, for
example, `--with-iconv="-L/usr/local/lib -liconv"'.
@@ -82,7 +82,7 @@ at least specify `--with-idn' option to enable IDN support.
this option is not specified, `-L${PREFIX}/lib -lidnkit' is
assumed, where ${PREFIX} is the installation prefix specified
with `--with-idn' option above. You may need to use this
- option to specify extra argments, for example,
+ option to specify extra arguments, for example,
`--with-idnlib="-L/usr/local/lib -R/usr/local/lib -lidnkit"'.
Please consult `README' for other configuration options.
@@ -109,4 +109,4 @@ about idnkit and this patch.
Bug reports and comments on this kit should be sent to
mdnkit-bugs@nic.ad.jp and idn-cmt@nic.ad.jp, respectively.
-; $Id: README.idnkit,v 1.2.2.2 2005/09/12 02:12:08 marka Exp $
+; $Id: README.idnkit,v 1.2.762.1 2009/01/18 23:25:14 marka Exp $
diff --git a/README.pkcs11 b/README.pkcs11
new file mode 100644
index 000000000000..b58640de1c5a
--- /dev/null
+++ b/README.pkcs11
@@ -0,0 +1,61 @@
+
+ BIND-9 PKCS#11 support
+
+Prerequisite
+
+The PKCS#11 support needs a PKCS#11 OpenSSL engine based on the Solaris one,
+released the 2007-11-21 for OpenSSL 0.9.8g, with a bug fix (call to free)
+and some improvements, including user friendly PIN management.
+
+Compilation
+
+"configure --with-pkcs11 ..."
+
+PKCS#11 Libraries
+
+Tested with Solaris one with a SCA board and with openCryptoki with the
+software token.
+
+OpenSSL Engines
+
+With PKCS#11 support the PKCS#11 engine is statically loaded but at its
+initialization it dynamically loads the PKCS#11 objects.
+Even the pre commands are therefore unused they are defined with:
+ SO_PATH:
+ define: PKCS11_SO_PATH
+ default: /usr/local/lib/engines/engine_pkcs11.so
+ MODULE_PATH:
+ define: PKCS11_MODULE_PATH
+ default: /usr/lib/libpkcs11.so
+Without PKCS#11 support, a specific OpenSSL engine can be still used
+by defining ENGINE_ID at compile time.
+
+PKCS#11 tools
+
+The contrib/pkcs11-keygen directory contains a set of experimental tools
+to handle keys stored in a Hardware Security Module at the benefit of BIND.
+
+The patch for OpenSSL 0.9.8g is in this directory. Read its README.pkcs11
+for the way to use it (these are the original notes so with the original
+path, etc. Define OPENCRYPTOKI to use it with openCryptoki.)
+
+PIN management
+
+With the just fixed PKCS#11 OpenSSL engine, the PIN should be entered
+each time it is required. With the improved engine, the PIN should be
+entered the first time it is required or can be configured in the
+OpenSSL configuration file (aka. openssl.cnf) by adding in it:
+ - at the beginning:
+ openssl_conf = openssl_def
+ - at any place these sections:
+ [ openssl_def ]
+ engines = engine_section
+ [ engine_section ]
+ pkcs11 = pkcs11_section
+ [ pkcs11_section ]
+ PIN = put__your__pin__value__here
+
+Note
+
+Some names here are registered trademarks, at least Solaris is a trademark
+of Sun Microsystems Inc...
diff --git a/acconfig.h b/acconfig.h
index e8f7d52c0578..eb19150513ad 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: acconfig.h,v 1.44.18.5 2005/04/29 00:15:20 marka Exp $ */
+/* $Id: acconfig.h,v 1.51.334.2 2009/02/16 23:47:15 tbox Exp $ */
/*! \file */
@@ -25,9 +25,6 @@
***/
@TOP@
-/** define to `int' if <sys/types.h> doesn't define. */
-#undef ssize_t
-
/** define on DEC OSF to enable 4.4BSD style sa_len support */
#undef _SOCKADDR_LEN
@@ -61,9 +58,6 @@
/** define if you have the NET_RT_IFLIST sysctl variable and sys/sysctl.h */
#undef HAVE_IFLIST_SYSCTL
-/** define if chroot() is available */
-#undef HAVE_CHROOT
-
/** define if tzset() is available */
#undef HAVE_TZSET
@@ -115,7 +109,7 @@ int sigwait(const unsigned int *set, int *sig);
* The silly continuation line is to keep configure from
* commenting out the #undef.
*/
-
+
#undef \
va_start
#define va_start(ap, last) \
diff --git a/bin/Makefile.in b/bin/Makefile.in
index 2e29f94fabd4..ef28e0c6168a 100644
--- a/bin/Makefile.in
+++ b/bin/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2001 Internet Software Consortium.
#
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.23 2004/03/05 04:57:10 marka Exp $
+# $Id: Makefile.in,v 1.25 2007/06/19 23:46:59 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in
index cd9ecf6e984b..06f55418b4db 100644
--- a/bin/check/Makefile.in
+++ b/bin/check/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2003 Internet Software Consortium.
#
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.24.18.6 2006/06/09 00:54:08 marka Exp $
+# $Id: Makefile.in,v 1.32 2007/06/19 23:46:59 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/bin/check/check-tool.c b/bin/check/check-tool.c
index 2136a63a7588..e0a7208f3788 100644
--- a/bin/check/check-tool.c
+++ b/bin/check/check-tool.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: check-tool.c,v 1.10.18.20 2008/10/24 01:43:17 tbox Exp $ */
+/* $Id: check-tool.c,v 1.35.36.3 2009/01/20 02:03:18 marka Exp $ */
/*! \file */
@@ -24,16 +24,17 @@
#include <stdio.h>
#include "check-tool.h"
-#include <isc/util.h>
-
#include <isc/buffer.h>
#include <isc/log.h>
-#include <isc/net.h>
+#include <isc/mem.h>
#include <isc/netdb.h>
+#include <isc/net.h>
#include <isc/region.h>
#include <isc/stdio.h>
#include <isc/string.h>
+#include <isc/symtab.h>
#include <isc/types.h>
+#include <isc/util.h>
#include <dns/fixedname.h>
#include <dns/log.h>
@@ -69,6 +70,15 @@
goto cleanup; \
} while (0)
+#define ERR_IS_CNAME 1
+#define ERR_NO_ADDRESSES 2
+#define ERR_LOOKUP_FAILURE 3
+#define ERR_EXTRA_A 4
+#define ERR_EXTRA_AAAA 5
+#define ERR_MISSING_GLUE 5
+#define ERR_IS_MXCNAME 6
+#define ERR_IS_SRVCNAME 7
+
static const char *dbtype[] = { "rbt" };
int debug = 0;
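Review bot: ERR_EXTRA_AAAA and ERR_MISSING_GLUE are both defined as 5, so the two suppression keys collide: once an extra AAAA glue record has been reported for a name, the later `logged(namebuf, ERR_MISSING_GLUE)` test in checkns() also returns true and the missing-glue error for that name is never printed (and the other way round). Unless the aliasing is deliberate, give each code its own value, e.g. `#define ERR_MISSING_GLUE 6`, `#define ERR_IS_MXCNAME 7`, `#define ERR_IS_SRVCNAME 8`. A single enum for these codes would keep the values contiguous and harder to duplicate by hand.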
@@ -105,9 +115,62 @@ static isc_logcategory_t categories[] = {
{ "queries", 0 },
{ "unmatched", 0 },
{ "update-security", 0 },
+ { "query-errors", 0 },
{ NULL, 0 }
};
+static isc_symtab_t *symtab = NULL;
+static isc_mem_t *sym_mctx;
+
+static void
+freekey(char *key, unsigned int type, isc_symvalue_t value, void *userarg) {
+ UNUSED(type);
+ UNUSED(value);
+ isc_mem_free(userarg, key);
+}
+
+static void
+add(char *key, int value) {
+ isc_result_t result;
+ isc_symvalue_t symvalue;
+
+ if (sym_mctx == NULL) {
+ result = isc_mem_create(0, 0, &sym_mctx);
+ if (result != ISC_R_SUCCESS)
+ return;
+ }
+
+ if (symtab == NULL) {
+ result = isc_symtab_create(sym_mctx, 100, freekey, sym_mctx,
+ ISC_FALSE, &symtab);
+ if (result != ISC_R_SUCCESS)
+ return;
+ }
+
+ key = isc_mem_strdup(sym_mctx, key);
+ if (key == NULL)
+ return;
+
+ symvalue.as_pointer = NULL;
+ result = isc_symtab_define(symtab, key, value, symvalue,
+ isc_symexists_reject);
+ if (result != ISC_R_SUCCESS)
+ isc_mem_free(sym_mctx, key);
+}
+
+static isc_boolean_t
+logged(char *key, int value) {
+ isc_result_t result;
+
+ if (symtab == NULL)
+ return (ISC_FALSE);
+
+ result = isc_symtab_lookup(symtab, key, value, NULL);
+ if (result == ISC_R_SUCCESS)
+ return (ISC_TRUE);
+ return (ISC_FALSE);
+}
+
static isc_boolean_t
checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
dns_rdataset_t *a, dns_rdataset_t *aaaa)
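Review bot: `logged()` and `add()` take a `char *key` they never write through (add() only reassigns its parameter to the isc_mem_strdup() copy), so both should take `const char *key` to document that the caller's namebuf is not modified; isc_symtab_lookup() accepts a const key, and add() can keep the duplicate in a separate local before handing it to isc_symtab_define(). Separately, symtab and sym_mctx are created lazily but never destroyed, which is tolerable for a one-shot checker but should be stated, e.g. `/* De-duplication state; lives until process exit and is never freed. */` above `static isc_symtab_t *symtab = NULL;`. The silent returns in add() when the context, table or strdup cannot be created only mean a message may be repeated, so that best-effort behaviour is fine as is.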
@@ -156,29 +219,39 @@ checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
cur->ai_next != NULL)
cur = cur->ai_next;
if (cur != NULL && cur->ai_canonname != NULL &&
- strcasecmp(ai->ai_canonname, namebuf) != 0) {
+ strcasecmp(cur->ai_canonname, namebuf) != 0 &&
+ !logged(namebuf, ERR_IS_CNAME)) {
dns_zone_log(zone, ISC_LOG_ERROR,
"%s/NS '%s' (out of zone) "
- "is a CNAME (illegal)",
- ownerbuf, namebuf);
+ "is a CNAME '%s' (illegal)",
+ ownerbuf, namebuf,
+ cur->ai_canonname);
/* XXX950 make fatal for 9.5.0 */
/* answer = ISC_FALSE; */
+ add(namebuf, ERR_IS_CNAME);
}
break;
case EAI_NONAME:
#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
case EAI_NODATA:
#endif
- dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' (out of zone) "
- "has no addresses records (A or AAAA)",
- ownerbuf, namebuf);
+ if (!logged(namebuf, ERR_NO_ADDRESSES)) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "%s/NS '%s' (out of zone) "
+ "has no addresses records (A or AAAA)",
+ ownerbuf, namebuf);
+ add(namebuf, ERR_NO_ADDRESSES);
+ }
/* XXX950 make fatal for 9.5.0 */
return (ISC_TRUE);
default:
- dns_zone_log(zone, ISC_LOG_WARNING,
- "getaddrinfo(%s) failed: %s",
- namebuf, gai_strerror(result));
+ if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
+ dns_zone_log(zone, ISC_LOG_WARNING,
+ "getaddrinfo(%s) failed: %s",
+ namebuf, gai_strerror(result));
+ add(namebuf, ERR_LOOKUP_FAILURE);
+ }
return (ISC_TRUE);
}
if (a == NULL || aaaa == NULL)
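Review bot: The suppression is keyed on namebuf alone, and ERR_NO_ADDRESSES and ERR_LOOKUP_FAILURE are shared with checkmx() and checksrv() (hunks `@@ -347,16 +433,23 @@` and `@@ -420,16 +517,23 @@`), so a target that fails to resolve is reported once, against the first owner and record type that references it, and later NS/MX/SRV records pointing at the same target produce no output at all. That is presumably the intent, but nothing in the code says so and a reader of the log could take a silent second reference as having passed. A comment near the top of checkns(), whose body starts and ends outside this hunk, would settle it: `/* Each failing target is reported once per error class, against the first owner that references it (see logged()/add()). */`.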
@@ -201,12 +274,13 @@ checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
break;
}
}
- if (!match) {
+ if (!match && !logged(namebuf, ERR_EXTRA_A)) {
dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' "
"extra GLUE A record (%s)",
ownerbuf, namebuf,
inet_ntop(AF_INET, rdata.data,
addrbuf, sizeof(addrbuf)));
+ add(namebuf, ERR_EXTRA_A);
/* XXX950 make fatal for 9.5.0 */
/* answer = ISC_FALSE; */
}
@@ -230,12 +304,13 @@ checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
break;
}
}
- if (!match) {
+ if (!match && !logged(namebuf, ERR_EXTRA_AAAA)) {
dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' "
"extra GLUE AAAA record (%s)",
ownerbuf, namebuf,
inet_ntop(AF_INET6, rdata.data,
addrbuf, sizeof(addrbuf)));
+ add(namebuf, ERR_EXTRA_AAAA);
/* XXX950 make fatal for 9.5.0. */
/* answer = ISC_FALSE; */
}
@@ -247,42 +322,48 @@ checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
/*
* Check that all addresses appear in the glue.
*/
- for (cur = ai; cur != NULL; cur = cur->ai_next) {
- switch (cur->ai_family) {
- case AF_INET:
- rdataset = a;
- ptr = &((struct sockaddr_in *)(cur->ai_addr))->sin_addr;
- type = "A";
- break;
- case AF_INET6:
- rdataset = aaaa;
- ptr = &((struct sockaddr_in6 *)(cur->ai_addr))->sin6_addr;
- type = "AAAA";
- break;
- default:
- continue;
- }
- match = ISC_FALSE;
- if (dns_rdataset_isassociated(rdataset))
- result = dns_rdataset_first(rdataset);
- else
- result = ISC_R_FAILURE;
- while (result == ISC_R_SUCCESS && !match) {
- dns_rdataset_current(rdataset, &rdata);
- if (memcmp(ptr, rdata.data, rdata.length) == 0)
- match = ISC_TRUE;
- dns_rdata_reset(&rdata);
- result = dns_rdataset_next(rdataset);
- }
- if (!match) {
- dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' "
- "missing GLUE %s record (%s)",
- ownerbuf, namebuf, type,
- inet_ntop(cur->ai_family, ptr,
- addrbuf, sizeof(addrbuf)));
- /* XXX950 make fatal for 9.5.0. */
- /* answer = ISC_FALSE; */
+ if (!logged(namebuf, ERR_MISSING_GLUE)) {
+ isc_boolean_t missing_glue = ISC_FALSE;
+ for (cur = ai; cur != NULL; cur = cur->ai_next) {
+ switch (cur->ai_family) {
+ case AF_INET:
+ rdataset = a;
+ ptr = &((struct sockaddr_in *)(cur->ai_addr))->sin_addr;
+ type = "A";
+ break;
+ case AF_INET6:
+ rdataset = aaaa;
+ ptr = &((struct sockaddr_in6 *)(cur->ai_addr))->sin6_addr;
+ type = "AAAA";
+ break;
+ default:
+ continue;
+ }
+ match = ISC_FALSE;
+ if (dns_rdataset_isassociated(rdataset))
+ result = dns_rdataset_first(rdataset);
+ else
+ result = ISC_R_FAILURE;
+ while (result == ISC_R_SUCCESS && !match) {
+ dns_rdataset_current(rdataset, &rdata);
+ if (memcmp(ptr, rdata.data, rdata.length) == 0)
+ match = ISC_TRUE;
+ dns_rdata_reset(&rdata);
+ result = dns_rdataset_next(rdataset);
+ }
+ if (!match) {
+ dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' "
+ "missing GLUE %s record (%s)",
+ ownerbuf, namebuf, type,
+ inet_ntop(cur->ai_family, ptr,
+ addrbuf, sizeof(addrbuf)));
+ /* XXX950 make fatal for 9.5.0. */
+ /* answer = ISC_FALSE; */
+ missing_glue = ISC_TRUE;
+ }
}
+ if (missing_glue)
+ add(namebuf, ERR_MISSING_GLUE);
}
freeaddrinfo(ai);
return (answer);
@@ -332,10 +413,15 @@ checkmx(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
if ((zone_options & DNS_ZONEOPT_WARNMXCNAME) != 0)
level = ISC_LOG_WARNING;
if ((zone_options & DNS_ZONEOPT_IGNOREMXCNAME) == 0) {
- dns_zone_log(zone, ISC_LOG_WARNING,
- "%s/MX '%s' (out of zone) "
- "is a CNAME (illegal)",
- ownerbuf, namebuf);
+ if (!logged(namebuf, ERR_IS_MXCNAME)) {
+ dns_zone_log(zone, level,
+ "%s/MX '%s' (out of zone)"
+ " is a CNAME '%s' "
+ "(illegal)",
+ ownerbuf, namebuf,
+ cur->ai_canonname);
+ add(namebuf, ERR_IS_MXCNAME);
+ }
if (level == ISC_LOG_ERROR)
answer = ISC_FALSE;
}
@@ -347,16 +433,23 @@ checkmx(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
case EAI_NODATA:
#endif
- dns_zone_log(zone, ISC_LOG_ERROR, "%s/MX '%s' (out of zone) "
- "has no addresses records (A or AAAA)",
- ownerbuf, namebuf);
+ if (!logged(namebuf, ERR_NO_ADDRESSES)) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "%s/MX '%s' (out of zone) "
+ "has no addresses records (A or AAAA)",
+ ownerbuf, namebuf);
+ add(namebuf, ERR_NO_ADDRESSES);
+ }
/* XXX950 make fatal for 9.5.0. */
return (ISC_TRUE);
default:
- dns_zone_log(zone, ISC_LOG_WARNING,
+ if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
+ dns_zone_log(zone, ISC_LOG_WARNING,
"getaddrinfo(%s) failed: %s",
namebuf, gai_strerror(result));
+ add(namebuf, ERR_LOOKUP_FAILURE);
+ }
return (ISC_TRUE);
}
#else
@@ -405,10 +498,14 @@ checksrv(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
if ((zone_options & DNS_ZONEOPT_WARNSRVCNAME) != 0)
level = ISC_LOG_WARNING;
if ((zone_options & DNS_ZONEOPT_IGNORESRVCNAME) == 0) {
- dns_zone_log(zone, level,
- "%s/SRV '%s' (out of zone) "
- "is a CNAME (illegal)",
- ownerbuf, namebuf);
+ if (!logged(namebuf, ERR_IS_SRVCNAME)) {
+ dns_zone_log(zone, level, "%s/SRV '%s'"
+ " (out of zone) is a "
+ "CNAME '%s' (illegal)",
+ ownerbuf, namebuf,
+ cur->ai_canonname);
+ add(namebuf, ERR_IS_SRVCNAME);
+ }
if (level == ISC_LOG_ERROR)
answer = ISC_FALSE;
}
@@ -420,16 +517,23 @@ checksrv(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
case EAI_NODATA:
#endif
- dns_zone_log(zone, ISC_LOG_ERROR, "%s/SRV '%s' (out of zone) "
- "has no addresses records (A or AAAA)",
- ownerbuf, namebuf);
+ if (!logged(namebuf, ERR_NO_ADDRESSES)) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "%s/SRV '%s' (out of zone) "
+ "has no addresses records (A or AAAA)",
+ ownerbuf, namebuf);
+ add(namebuf, ERR_NO_ADDRESSES);
+ }
/* XXX950 make fatal for 9.5.0. */
return (ISC_TRUE);
default:
- dns_zone_log(zone, ISC_LOG_WARNING,
- "getaddrinfo(%s) failed: %s",
- namebuf, gai_strerror(result));
+ if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
+ dns_zone_log(zone, ISC_LOG_WARNING,
+ "getaddrinfo(%s) failed: %s",
+ namebuf, gai_strerror(result));
+ add(namebuf, ERR_LOOKUP_FAILURE);
+ }
return (ISC_TRUE);
}
#else
@@ -438,7 +542,7 @@ checksrv(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
}
isc_result_t
-setup_logging(isc_mem_t *mctx, isc_log_t **logp) {
+setup_logging(isc_mem_t *mctx, FILE *errout, isc_log_t **logp) {
isc_logdestination_t destination;
isc_logconfig_t *logconfig = NULL;
isc_log_t *log = NULL;
@@ -450,7 +554,7 @@ setup_logging(isc_mem_t *mctx, isc_log_t **logp) {
dns_log_setcontext(log);
cfg_log_init(log);
- destination.file.stream = stdout;
+ destination.file.stream = errout;
destination.file.name = NULL;
destination.file.versions = ISC_LOG_ROLLNEVER;
destination.file.maximum_size = 0;
@@ -534,14 +638,14 @@ dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
FILE *output = stdout;
if (debug) {
- if (filename != NULL)
+ if (filename != NULL && strcmp(filename, "-") != 0)
fprintf(stderr, "dumping \"%s\" to \"%s\"\n",
zonename, filename);
else
fprintf(stderr, "dumping \"%s\"\n", zonename);
}
- if (filename != NULL) {
+ if (filename != NULL && strcmp(filename, "-") != 0) {
result = isc_stdio_open(filename, "w+", &output);
if (result != ISC_R_SUCCESS) {
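Review bot: The `filename != NULL && strcmp(filename, "-") != 0` test is written out twice in this hunk, and the close condition in the next hunk (`@@ -553,7 +657,7 @@`) encodes the same rule a third way as `output != stdout`. Computing it once near the top of dump_zone(), e.g. `isc_boolean_t to_stdout = ISC_TF(filename == NULL || strcmp(filename, "-") == 0);`, and using `if (!to_stdout)` for the debug message, the open and the close keeps the three decisions from drifting apart. The "-" means stdout convention is new here and deserves a line in the function's comment; dump_zone()'s signature is outside this hunk.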
@@ -553,7 +657,7 @@ dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
result = dns_zone_dumptostream2(zone, output, fileformat, style);
- if (filename != NULL)
+ if (output != stdout)
(void)isc_stdio_close(output);
return (result);
diff --git a/bin/check/check-tool.h b/bin/check/check-tool.h
index ef9017f39ef3..b0ba7e06ef44 100644
--- a/bin/check/check-tool.h
+++ b/bin/check/check-tool.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2002 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: check-tool.h,v 1.7.18.4 2005/06/20 01:19:25 marka Exp $ */
+/* $Id: check-tool.h,v 1.14 2007/06/18 23:47:17 tbox Exp $ */
#ifndef CHECK_TOOL_H
#define CHECK_TOOL_H
@@ -23,6 +23,7 @@
/*! \file */
#include <isc/lang.h>
+#include <isc/stdio.h>
#include <isc/types.h>
#include <dns/masterdump.h>
@@ -31,7 +32,7 @@
ISC_LANG_BEGINDECLS
isc_result_t
-setup_logging(isc_mem_t *mctx, isc_log_t **logp);
+setup_logging(isc_mem_t *mctx, FILE *errout, isc_log_t **logp);
isc_result_t
load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
diff --git a/bin/check/named-checkconf.8 b/bin/check/named-checkconf.8
index 364e6b977101..852b13364ec2 100644
--- a/bin/check/named-checkconf.8
+++ b/bin/check/named-checkconf.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: named-checkconf.8,v 1.16.18.13 2007/06/20 02:26:58 marka Exp $
+.\" $Id: named-checkconf.8,v 1.30 2007/06/20 02:27:32 marka Exp $
.\"
.hy 0
.ad l
@@ -33,13 +33,18 @@
named\-checkconf \- named configuration file syntax checking tool
.SH "SYNOPSIS"
.HP 16
-\fBnamed\-checkconf\fR [\fB\-v\fR] [\fB\-j\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] (unknown) [\fB\-z\fR]
+\fBnamed\-checkconf\fR [\fB\-h\fR] [\fB\-v\fR] [\fB\-j\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] (unknown) [\fB\-z\fR]
.SH "DESCRIPTION"
.PP
\fBnamed\-checkconf\fR
checks the syntax, but not the semantics, of a named configuration file.
.SH "OPTIONS"
.PP
+\-h
+.RS 4
+Print the usage summary and exit.
+.RE
+.PP
\-t \fIdirectory\fR
.RS 4
Chroot to
diff --git a/bin/check/named-checkconf.c b/bin/check/named-checkconf.c
index 96efd794661c..eba0d93b641d 100644
--- a/bin/check/named-checkconf.c
+++ b/bin/check/named-checkconf.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named-checkconf.c,v 1.28.18.16 2007/11/26 23:46:18 tbox Exp $ */
+/* $Id: named-checkconf.c,v 1.46.222.2 2009/02/16 23:47:15 tbox Exp $ */
/*! \file */
@@ -47,6 +47,8 @@
#include "check-tool.h"
+static const char *program = "named-checkconf";
+
isc_log_t *logc = NULL;
#define CHECK(r)\
@@ -59,9 +61,9 @@ isc_log_t *logc = NULL;
/*% usage */
static void
usage(void) {
- fprintf(stderr, "usage: named-checkconf [-j] [-v] [-z] [-t directory] "
- "[named.conf]\n");
- exit(1);
+ fprintf(stderr, "usage: %s [-h] [-j] [-v] [-z] [-t directory] "
+ "[named.conf]\n", program);
+ exit(1);
}
/*% directory callback */
@@ -171,9 +173,9 @@ configure_zone(const char *vclass, const char *view,
zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
classobj = cfg_tuple_get(zconfig, "class");
- if (!cfg_obj_isstring(classobj))
- zclass = vclass;
- else
+ if (!cfg_obj_isstring(classobj))
+ zclass = vclass;
+ else
zclass = cfg_obj_asstring(classobj);
zoptions = cfg_tuple_get(zconfig, "options");
@@ -192,9 +194,9 @@ configure_zone(const char *vclass, const char *view,
return (ISC_R_FAILURE);
if (strcasecmp(cfg_obj_asstring(typeobj), "master") != 0)
return (ISC_R_SUCCESS);
- cfg_map_get(zoptions, "database", &dbobj);
- if (dbobj != NULL)
- return (ISC_R_SUCCESS);
+ cfg_map_get(zoptions, "database", &dbobj);
+ if (dbobj != NULL)
+ return (ISC_R_SUCCESS);
cfg_map_get(zoptions, "file", &fileobj);
if (fileobj == NULL)
return (ISC_R_FAILURE);
@@ -285,8 +287,8 @@ configure_zone(const char *vclass, const char *view,
} else
INSIST(0);
} else {
- zone_options |= DNS_ZONEOPT_CHECKNAMES;
- zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL;
+ zone_options |= DNS_ZONEOPT_CHECKNAMES;
+ zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL;
}
masterformat = dns_masterformat_text;
@@ -397,8 +399,10 @@ main(int argc, char **argv) {
int exit_status = 0;
isc_entropy_t *ectx = NULL;
isc_boolean_t load_zones = ISC_FALSE;
-
- while ((c = isc_commandline_parse(argc, argv, "djt:vz")) != EOF) {
+
+ isc_commandline_errprint = ISC_FALSE;
+
+ while ((c = isc_commandline_parse(argc, argv, "dhjt:vz")) != EOF) {
switch (c) {
case 'd':
debug++;
@@ -415,12 +419,6 @@ main(int argc, char **argv) {
isc_result_totext(result));
exit(1);
}
- result = isc_dir_chdir("/");
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "isc_dir_chdir: %s\n",
- isc_result_totext(result));
- exit(1);
- }
break;
case 'v':
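Review bot: Dropping the explicit `isc_dir_chdir("/")` after the chroot in the `-t` case leaves the process's working directory outside the new root unless the chroot helper called just above this hunk (not visible here, presumably the libisc chroot wrapper) now performs the chdir itself; please confirm it does, because a chroot that is not followed by chdir("/") still has its cwd on the old filesystem tree and the confinement is incomplete. The same removal appears in bin/check/named-checkzone.c at `@@ -265,12 +268,6 @@`. If the helper does chdir, a one-line comment in the `-t` case, `/* the chroot helper also chdir()s to the new root */`, would keep the next reader from re-adding the call. main() continues outside this hunk.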
@@ -434,11 +432,22 @@ main(int argc, char **argv) {
dochecksrv = ISC_FALSE;
break;
- default:
+ case '?':
+ if (isc_commandline_option != '?')
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, isc_commandline_option);
+ case 'h':
usage();
+
+ default:
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ program, isc_commandline_option);
+ exit(1);
}
}
+ if (isc_commandline_index + 1 < argc)
+ usage();
if (argv[isc_commandline_index] != NULL)
conffile = argv[isc_commandline_index];
if (conffile == NULL || conffile[0] == '\0')
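Review bot: The new `case '?':` arm falls through into `case 'h':` on purpose, but nothing marks it, and since `usage()` is not declared noreturn the `case 'h':` → `default:` path also reads as an unmarked fallthrough; add `/* FALLTHROUGH */` after the `fprintf` in the `'?'` arm and `/* NOTREACHED */` (or an explicit `break;`) after `usage();`. Note also that `-h` exits with status 1 via `usage()`, so a help request is indistinguishable from a usage error to a script checking the exit code; if that is intended, the RETURN VALUES section of the man page could say so. The same construction is added to bin/check/named-checkzone.c at `@@ -343,17 +340,17 @@`. main() continues outside this hunk.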
@@ -446,7 +455,7 @@ main(int argc, char **argv) {
RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
- RUNTIME_CHECK(setup_logging(mctx, &logc) == ISC_R_SUCCESS);
+ RUNTIME_CHECK(setup_logging(mctx, stdout, &logc) == ISC_R_SUCCESS);
RUNTIME_CHECK(isc_entropy_create(mctx, &ectx) == ISC_R_SUCCESS);
RUNTIME_CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)
diff --git a/bin/check/named-checkconf.docbook b/bin/check/named-checkconf.docbook
index af7a73d2ed32..53592392da39 100644
--- a/bin/check/named-checkconf.docbook
+++ b/bin/check/named-checkconf.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named-checkconf.docbook,v 1.8.18.10 2007/08/28 07:19:55 tbox Exp $ -->
+<!-- $Id: named-checkconf.docbook,v 1.19 2007/06/19 06:58:03 marka Exp $ -->
<refentry id="man.named-checkconf">
<refentryinfo>
<date>June 14, 2000</date>
@@ -53,6 +53,7 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>named-checkconf</command>
+ <arg><option>-h</option></arg>
<arg><option>-v</option></arg>
<arg><option>-j</option></arg>
<arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
@@ -74,6 +75,15 @@
<variablelist>
<varlistentry>
+ <term>-h</term>
+ <listitem>
+ <para>
+ Print the usage summary and exit.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-t <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
diff --git a/bin/check/named-checkconf.html b/bin/check/named-checkconf.html
index 910df0d16090..34bec808aaab 100644
--- a/bin/check/named-checkconf.html
+++ b/bin/check/named-checkconf.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named-checkconf.html,v 1.9.18.20 2007/06/20 02:26:58 marka Exp $ -->
+<!-- $Id: named-checkconf.html,v 1.30 2007/06/20 02:27:32 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -29,18 +29,22 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] (unknown) [<code class="option">-z</code>]</p></div>
+<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] (unknown) [<code class="option">-z</code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543383"></a><h2>DESCRIPTION</h2>
+<a name="id2543387"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkconf</strong></span>
checks the syntax, but not the semantics, of a named
configuration file.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543395"></a><h2>OPTIONS</h2>
+<a name="id2543399"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+ Print the usage summary and exit.
+ </p></dd>
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Chroot to <code class="filename">directory</code> so that
@@ -70,21 +74,21 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543489"></a><h2>RETURN VALUES</h2>
+<a name="id2543507"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkconf</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543500"></a><h2>SEE ALSO</h2>
+<a name="id2543518"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543530"></a><h2>AUTHOR</h2>
+<a name="id2543548"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/check/named-checkzone.8 b/bin/check/named-checkzone.8
index bd538ac6c5d9..5520da348682 100644
--- a/bin/check/named-checkzone.8
+++ b/bin/check/named-checkzone.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2002 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: named-checkzone.8,v 1.18.18.23 2007/06/20 02:26:58 marka Exp $
+.\" $Id: named-checkzone.8,v 1.42.334.1 2009/01/23 01:53:33 tbox Exp $
.\"
.hy 0
.ad l
@@ -33,7 +33,7 @@
named\-checkzone, named\-compilezone \- zone file validity checking or converting tool
.SH "SYNOPSIS"
.HP 16
-\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} (unknown)
+\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} (unknown)
.HP 18
\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} (unknown)
.SH "DESCRIPTION"
@@ -58,6 +58,11 @@ configuration file.
Enable debugging.
.RE
.PP
+\-h
+.RS 4
+Print the usage summary and exit.
+.RE
+.PP
\-q
.RS 4
Quiet mode \- exit code only.
@@ -77,7 +82,7 @@ When loading the zone file read the journal if it exists.
.PP
\-c \fIclass\fR
.RS 4
-Specify the class of the zone. If not specified "IN" is assumed.
+Specify the class of the zone. If not specified, "IN" is assumed.
.RE
.PP
\-i \fImode\fR
@@ -188,7 +193,11 @@ Specify whether NS records should be checked to see if they are addresses. Possi
\-o \fIfilename\fR
.RS 4
Write zone output to
-\fIfilename\fR. This is mandatory for
+\fIfilename\fR. If
+\fIfilename\fR
+is
+\fI\-\fR
+then write to standard out. This is mandatory for
\fBnamed\-compilezone\fR.
.RE
.PP
@@ -263,7 +272,7 @@ BIND 9 Administrator Reference Manual.
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
-Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2002 Internet Software Consortium.
.br
diff --git a/bin/check/named-checkzone.c b/bin/check/named-checkzone.c
index f16053bcbb11..e91cbeadc10c 100644
--- a/bin/check/named-checkzone.c
+++ b/bin/check/named-checkzone.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named-checkzone.c,v 1.29.18.21 2008/10/24 01:43:17 tbox Exp $ */
+/* $Id: named-checkzone.c,v 1.51.34.2 2009/02/16 23:47:15 tbox Exp $ */
/*! \file */
@@ -106,6 +106,7 @@ main(int argc, char **argv) {
const char *outputformatstr = NULL;
dns_masterformat_t inputformat = dns_masterformat_text;
dns_masterformat_t outputformat = dns_masterformat_text;
+ FILE *errout = stdout;
outputstyle = &dns_master_style_full;
@@ -140,8 +141,10 @@ main(int argc, char **argv) {
#define ARGCMP(X) (strcmp(isc_commandline_argument, X) == 0)
+ isc_commandline_errprint = ISC_FALSE;
+
while ((c = isc_commandline_parse(argc, argv,
- "c:df:i:jk:m:n:qs:t:o:vw:DF:M:S:W:"))
+ "c:df:hi:jk:m:n:qs:t:o:vw:DF:M:S:W:"))
!= EOF) {
switch (c) {
case 'c':
@@ -265,12 +268,6 @@ main(int argc, char **argv) {
isc_result_totext(result));
exit(1);
}
- result = isc_dir_chdir("/");
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "isc_dir_chdir: %s\n",
- isc_result_totext(result));
- exit(1);
- }
break;
case 's':
@@ -343,17 +340,17 @@ main(int argc, char **argv) {
zone_options &= ~DNS_ZONEOPT_CHECKWILDCARD;
break;
- default:
+ case '?':
+ if (isc_commandline_option != '?')
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ prog_name, isc_commandline_option);
+ case 'h':
usage();
- }
- }
- if (progmode == progmode_compile) {
- dumpzone = 1; /* always dump */
- if (output_filename == NULL) {
- fprintf(stderr,
- "output file required, but not specified\n");
- usage();
+ default:
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ prog_name, isc_commandline_option);
+ exit(1);
}
}
@@ -390,12 +387,36 @@ main(int argc, char **argv) {
}
}
- if (isc_commandline_index + 2 > argc)
+ if (progmode == progmode_compile) {
+ dumpzone = 1; /* always dump */
+ if (output_filename == NULL) {
+ fprintf(stderr,
+ "output file required, but not specified\n");
+ usage();
+ }
+ }
+
+ if (output_filename != NULL)
+ dumpzone = 1;
+
+ /*
+ * If we are outputing to stdout then send the informational
+ * output to stderr.
+ */
+ if (dumpzone &&
+ (output_filename == NULL ||
+ strcmp(output_filename, "-") == 0 ||
+ strcmp(output_filename, "/dev/fd/1") == 0 ||
+ strcmp(output_filename, "/dev/stdout") == 0))
+ errout = stderr;
+
+ if (isc_commandline_index + 2 != argc)
usage();
RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
if (!quiet)
- RUNTIME_CHECK(setup_logging(mctx, &lctx) == ISC_R_SUCCESS);
+ RUNTIME_CHECK(setup_logging(mctx, errout, &lctx)
+ == ISC_R_SUCCESS);
RUNTIME_CHECK(isc_entropy_create(mctx, &ectx) == ISC_R_SUCCESS);
RUNTIME_CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)
== ISC_R_SUCCESS);
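Review bot: The stdout detection that precedes `errout = stderr` compares `output_filename` against three fixed spellings, so any other alias of standard output (a symlink to `/dev/stdout`, for instance) is not recognised and the informational `OK`/`dump zone to ...` text is interleaved with the zone dump on the same stream. The comment above it should say this is best effort, e.g. `* Best effort: only the common spellings of stdout are recognised.`, and `outputing` should read `outputting`. main() continues outside this hunk.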
@@ -409,17 +430,17 @@ main(int argc, char **argv) {
if (result == ISC_R_SUCCESS && dumpzone) {
if (!quiet && progmode == progmode_compile) {
- fprintf(stdout, "dump zone to %s...", output_filename);
- fflush(stdout);
+ fprintf(errout, "dump zone to %s...", output_filename);
+ fflush(errout);
}
result = dump_zone(origin, zone, output_filename,
outputformat, outputstyle);
if (!quiet && progmode == progmode_compile)
- fprintf(stdout, "done\n");
+ fprintf(errout, "done\n");
}
if (!quiet && result == ISC_R_SUCCESS)
- fprintf(stdout, "OK\n");
+ fprintf(errout, "OK\n");
destroy();
if (lctx != NULL)
isc_log_destroy(&lctx);
diff --git a/bin/check/named-checkzone.docbook b/bin/check/named-checkzone.docbook
index 11b85ef373ae..d8634473146e 100644
--- a/bin/check/named-checkzone.docbook
+++ b/bin/check/named-checkzone.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named-checkzone.docbook,v 1.11.18.21 2007/08/28 07:19:55 tbox Exp $ -->
+<!-- $Id: named-checkzone.docbook,v 1.34.334.2 2009/01/22 23:47:04 tbox Exp $ -->
<refentry id="man.named-checkzone">
<refentryinfo>
<date>June 13, 2000</date>
@@ -36,6 +36,7 @@
<year>2005</year>
<year>2006</year>
<year>2007</year>
+ <year>2009</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@@ -56,6 +57,7 @@
<cmdsynopsis>
<command>named-checkzone</command>
<arg><option>-d</option></arg>
+ <arg><option>-h</option></arg>
<arg><option>-j</option></arg>
<arg><option>-q</option></arg>
<arg><option>-v</option></arg>
@@ -137,6 +139,15 @@
</varlistentry>
<varlistentry>
+ <term>-h</term>
+ <listitem>
+ <para>
+ Print the usage summary and exit.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-q</term>
<listitem>
<para>
@@ -168,7 +179,7 @@
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
- Specify the class of the zone. If not specified "IN" is assumed.
+ Specify the class of the zone. If not specified, "IN" is assumed.
</para>
</listitem>
</varlistentry>
@@ -301,6 +312,8 @@
<listitem>
<para>
Write zone output to <filename>filename</filename>.
+ If <filename>filename</filename> is <filename>-</filename> then
+ write to standard out.
This is mandatory for <command>named-compilezone</command>.
</para>
</listitem>
diff --git a/bin/check/named-checkzone.html b/bin/check/named-checkzone.html
index 0e1015d30c12..71dc445eaa7e 100644
--- a/bin/check/named-checkzone.html
+++ b/bin/check/named-checkzone.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named-checkzone.html,v 1.11.18.30 2007/06/20 02:26:58 marka Exp $ -->
+<!-- $Id: named-checkzone.html,v 1.42.334.1 2009/01/23 01:53:33 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -29,11 +29,11 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} (unknown)</p></div>
+<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} (unknown)</p></div>
<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} (unknown)</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543665"></a><h2>DESCRIPTION</h2>
+<a name="id2543672"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkzone</strong></span>
checks the syntax and integrity of a zone file. It performs the
same checks as <span><strong class="command">named</strong></span> does when loading a
@@ -53,12 +53,16 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543700"></a><h2>OPTIONS</h2>
+<a name="id2543707"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-d</span></dt>
<dd><p>
Enable debugging.
</p></dd>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+ Print the usage summary and exit.
+ </p></dd>
<dt><span class="term">-q</span></dt>
<dd><p>
Quiet mode - exit code only.
@@ -74,7 +78,7 @@
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
- Specify the class of the zone. If not specified "IN" is assumed.
+ Specify the class of the zone. If not specified, "IN" is assumed.
</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
@@ -169,6 +173,8 @@
<dt><span class="term">-o <em class="replaceable"><code>filename</code></em></span></dt>
<dd><p>
Write zone output to <code class="filename">filename</code>.
+ If <code class="filename">filename</code> is <code class="filename">-</code> then
+ write to standard out.
This is mandatory for <span><strong class="command">named-compilezone</strong></span>.
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt>
@@ -233,14 +239,14 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544299"></a><h2>RETURN VALUES</h2>
+<a name="id2544328"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkzone</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544311"></a><h2>SEE ALSO</h2>
+<a name="id2544340"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
<em class="citetitle">RFC 1035</em>,
@@ -248,7 +254,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544344"></a><h2>AUTHOR</h2>
+<a name="id2544373"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in
index 836b7f21e738..bc9d34f044d5 100644
--- a/bin/dig/Makefile.in
+++ b/bin/dig/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
#
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.33.18.6 2005/09/09 14:11:04 marka Exp $
+# $Id: Makefile.in,v 1.41 2007/06/19 23:46:59 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/bin/dig/dig.1 b/bin/dig/dig.1
index c9df21eaf4b0..f7f4370a59b1 100644
--- a/bin/dig/dig.1
+++ b/bin/dig/dig.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2003 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dig.1,v 1.23.18.24 2008/10/14 01:30:11 tbox Exp $
+.\" $Id: dig.1,v 1.50.44.2 2009/02/03 01:52:10 tbox Exp $
.\"
.hy 0
.ad l
@@ -291,7 +291,7 @@ A synonym for
.PP
\fB+[no]adflag\fR
.RS 4
-Set [do not set] the AD (authentic data) bit in the query. The AD bit currently has a standard meaning only in responses, not in queries, but the ability to set the bit in the query is provided for completeness.
+Set [do not set] the AD (authentic data) bit in the query. This requests the server to return whether all of the answer and authority sections have all been validated as secure according to the security policy of the server. AD=1 indicates that all records have been validated as secure and the answer is not from a OPT\-OUT range. AD=0 indicate that some part of the answer was insecure or not validated.
.RE
.PP
\fB+[no]cdflag\fR
@@ -480,7 +480,7 @@ Chase DNSSEC signature chains. Requires dig be compiled with \-DDIG_SIGCHASE.
Specifies a file containing trusted keys to be used with
\fB+sigchase\fR. Each DNSKEY record must be on its own line.
.sp
-If not specified
+If not specified,
\fBdig\fR
will look for
\fI/etc/trusted\-key.key\fR
@@ -495,6 +495,11 @@ Requires dig be compiled with \-DDIG_SIGCHASE.
.RS 4
When chasing DNSSEC signature chains perform a top\-down validation. Requires dig be compiled with \-DDIG_SIGCHASE.
.RE
+.PP
+\fB+[no]nsid\fR
+.RS 4
+Include an EDNS name server ID request when sending a query.
+.RE
.SH "MULTIPLE QUERIES"
.PP
The BIND 9 implementation of
@@ -557,7 +562,7 @@ RFC1035.
.PP
There are probably too many query options.
.SH "COPYRIGHT"
-Copyright \(co 2004\-2008 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2009 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2003 Internet Software Consortium.
.br
diff --git a/bin/dig/dig.c b/bin/dig/dig.c
index 5cde9c430e60..f740a1d62966 100644
--- a/bin/dig/dig.c
+++ b/bin/dig/dig.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dig.c,v 1.186.18.33 2008/10/15 02:19:18 marka Exp $ */
+/* $Id: dig.c,v 1.225.26.4 2009/05/06 10:18:33 fdupont Exp $ */
/*! \file */
@@ -111,6 +111,24 @@ static const char * const rcodetext[] = {
"BADVERS"
};
+/*% safe rcodetext[] */
+static char *
+rcode_totext(dns_rcode_t rcode)
+{
+ static char buf[sizeof("?65535")];
+ union {
+ const char *consttext;
+ char *deconsttext;
+ } totext;
+
+ if (rcode >= (sizeof(rcodetext)/sizeof(rcodetext[0]))) {
+ snprintf(buf, sizeof(buf), "?%u", rcode);
+ totext.deconsttext = buf;
+ } else
+ totext.consttext = rcodetext[rcode];
+ return totext.deconsttext;
+}
+
/*% print usage */
static void
print_usage(FILE *fp) {
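Review bot: `rcode_totext()` returns `char *` to data that is mostly the `const char *` entries of `rcodetext[]`, using a union to strip the qualifier; a caller that ever wrote through the result would modify a string literal, which is undefined behaviour, and the only caller visible in this diff (`printmessage()`) merely passes it to `printf`. If no caller elsewhere relies on the non-const type, returning `const char *` removes both the union and the hazard, as sketched below; the static `buf` still means each out-of-range call overwrites the previous result, which the header comment should state. The `%u` conversion is safe only because `dns_rcode_t` (presumably 16-bit, given the `sizeof("?65535")` buffer) promotes to a value in `unsigned` range; an explicit `(unsigned int)` cast makes that intent visible.
```c
/*% rcodetext[] lookup that also covers out-of-range rcodes; not reentrant (static buffer) */
static const char *
rcode_totext(dns_rcode_t rcode)
{
	static char buf[sizeof("?65535")];

	if (rcode >= (sizeof(rcodetext)/sizeof(rcodetext[0]))) {
		snprintf(buf, sizeof(buf), "?%u", (unsigned int)rcode);
		return (buf);
	}
	return (rcodetext[rcode]);
}
```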
@@ -195,6 +213,7 @@ help(void) {
" +[no]identify (ID responders in short answers)\n"
" +[no]trace (Trace delegation down from root)\n"
" +[no]dnssec (Request DNSSEC records)\n"
+" +[no]nsid (Request Name Server ID)\n"
#ifdef DIG_SIGCHASE
" +[no]sigchase (Chase DNSSEC signatures)\n"
" +trusted-key=#### (Trusted Key when chasing DNSSEC sigs)\n"
@@ -468,7 +487,8 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
if (headers) {
printf(";; ->>HEADER<<- opcode: %s, status: %s, "
"id: %u\n",
- opcodetext[msg->opcode], rcodetext[msg->rcode],
+ opcodetext[msg->opcode],
+ rcode_totext(msg->rcode),
msg->id);
printf(";; flags:");
if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0)
@@ -640,9 +660,9 @@ printgreeting(int argc, char **argv, dig_lookup_t *lookup) {
}
if (first) {
snprintf(append, sizeof(append),
- ";; global options: %s %s\n",
- short_form ? "short_form" : "",
- printcmd ? "printcmd" : "");
+ ";; global options:%s%s\n",
+ short_form ? " +short" : "",
+ printcmd ? " +cmd" : "");
first = ISC_FALSE;
remaining = sizeof(lookup->cmdline) -
strlen(lookup->cmdline) - 1;
@@ -800,7 +820,9 @@ plus_option(char *option, isc_boolean_t is_batchfile,
switch (cmd[1]) {
case 'e': /* defname */
FULLCHECK("defname");
- usesearch = state;
+ if (!lookup->trace) {
+ usesearch = state;
+ }
break;
case 'n': /* dnssec */
FULLCHECK("dnssec");
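Review bot: `+defname` is now silently ignored once `+trace` has been seen, with no diagnostic and no comment explaining the interaction; the same guard is added for `+search` at `@@ -928,7 +962,9 @@` and `+showsearch` at `@@ -949,8 +985,10 @@`, and `+trace` itself clears `usesearch` at `@@ -1009,6 +1047,7 @@`. A one-line comment at this first guard, `/* +trace disables the search list; a later +[no]defname/+[no]search is ignored */`, would document why the assignment is conditional, and the man page entry for `+trace` could mention that the search-list options have no effect with it. plus_option() continues outside this hunk.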
@@ -842,7 +864,7 @@ plus_option(char *option, isc_boolean_t is_batchfile,
lookup->identify = state;
break;
case 'g': /* ignore */
- default: /* Inherets default for compatibility */
+ default: /* Inherits default for compatibility */
FULLCHECK("ignore");
lookup->ignore = ISC_TRUE;
}
@@ -861,21 +883,33 @@ plus_option(char *option, isc_boolean_t is_batchfile,
goto invalid_option;
ndots = parse_uint(value, "ndots", MAXNDOTS);
break;
- case 's': /* nssearch */
- FULLCHECK("nssearch");
- lookup->ns_search_only = state;
- if (state) {
- lookup->trace_root = ISC_TRUE;
- lookup->recurse = ISC_TRUE;
- lookup->identify = ISC_TRUE;
- lookup->stats = ISC_FALSE;
- lookup->comments = ISC_FALSE;
- lookup->section_additional = ISC_FALSE;
- lookup->section_authority = ISC_FALSE;
- lookup->section_question = ISC_FALSE;
- lookup->rdtype = dns_rdatatype_ns;
- lookup->rdtypeset = ISC_TRUE;
- short_form = ISC_TRUE;
+ case 's':
+ switch (cmd[2]) {
+ case 'i': /* nsid */
+ FULLCHECK("nsid");
+ if (state && lookup->edns == -1)
+ lookup->edns = 0;
+ lookup->nsid = state;
+ break;
+ case 's': /* nssearch */
+ FULLCHECK("nssearch");
+ lookup->ns_search_only = state;
+ if (state) {
+ lookup->trace_root = ISC_TRUE;
+ lookup->recurse = ISC_TRUE;
+ lookup->identify = ISC_TRUE;
+ lookup->stats = ISC_FALSE;
+ lookup->comments = ISC_FALSE;
+ lookup->section_additional = ISC_FALSE;
+ lookup->section_authority = ISC_FALSE;
+ lookup->section_question = ISC_FALSE;
+ lookup->rdtype = dns_rdatatype_ns;
+ lookup->rdtypeset = ISC_TRUE;
+ short_form = ISC_TRUE;
+ }
+ break;
+ default:
+ goto invalid_option;
}
break;
default:
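Review bot: The new inner `switch (cmd[2])` sends the bare `+ns` (where `cmd[2]` is `'\0'`) to `default:` and thus to `invalid_option`, whereas before this change it reached `FULLCHECK("nssearch")` and, if that macro prefix-matches as its other uses suggest, was accepted as `+nssearch`. Rejecting the now-ambiguous prefix is reasonable, but a comment on the `default:` arm, `/* "+ns" alone is ambiguous between nsid and nssearch */`, would record that the change in behaviour is deliberate. plus_option() continues outside this hunk.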
@@ -928,7 +962,9 @@ plus_option(char *option, isc_boolean_t is_batchfile,
switch (cmd[1]) {
case 'e': /* search */
FULLCHECK("search");
- usesearch = state;
+ if (!lookup->trace) {
+ usesearch = state;
+ }
break;
case 'h':
if (cmd[2] != 'o')
@@ -949,8 +985,10 @@ plus_option(char *option, isc_boolean_t is_batchfile,
break;
case 'w': /* showsearch */
FULLCHECK("showsearch");
- showsearch = state;
- usesearch = state;
+ if (!lookup->trace) {
+ showsearch = state;
+ usesearch = state;
+ }
break;
default:
goto invalid_option;
@@ -1009,6 +1047,7 @@ plus_option(char *option, isc_boolean_t is_batchfile,
lookup->section_additional = ISC_FALSE;
lookup->section_authority = ISC_TRUE;
lookup->section_question = ISC_FALSE;
+ usesearch = ISC_FALSE;
}
break;
case 'i': /* tries */
@@ -1254,6 +1293,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
MAXSERIAL);
(*lookup)->section_question = plusquest;
(*lookup)->comments = pluscomm;
+ (*lookup)->tcp_mode = ISC_TRUE;
} else {
(*lookup)->rdtype = rdtype;
(*lookup)->rdtypeset = ISC_TRUE;
@@ -1594,6 +1634,7 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
lookup->section_question =
plusquest;
lookup->comments = pluscomm;
+ lookup->tcp_mode = ISC_TRUE;
} else {
lookup->rdtype = rdtype;
lookup->rdtypeset = ISC_TRUE;
diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
index 92be18050cf0..f987465b2d18 100644
--- a/bin/dig/dig.docbook
+++ b/bin/dig/dig.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dig.docbook,v 1.17.18.24 2008/10/14 00:54:40 marka Exp $ -->
+<!-- $Id: dig.docbook,v 1.42.44.3 2009/02/02 04:42:48 marka Exp $ -->
<refentry id="man.dig">
<refentryinfo>
@@ -43,6 +43,7 @@
<year>2006</year>
<year>2007</year>
<year>2008</year>
+ <year>2009</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@@ -449,17 +450,19 @@
<varlistentry>
<term><option>+[no]adflag</option></term>
- <listitem>
- <para>
- Set [do not set] the AD (authentic data) bit in the query. The
- AD bit
- currently has a standard meaning only in responses, not in
- queries,
- but the ability to set the bit in the query is provided for
- completeness.
- </para>
- </listitem>
- </varlistentry>
+ <listitem>
+ <para>
+ Set [do not set] the AD (authentic data) bit in the
+ query. This requests the server to return whether
+ all of the answer and authority sections have all
+ been validated as secure according to the security
+ policy of the server. AD=1 indicates that all records
+ have been validated as secure and the answer is not
+ from a OPT-OUT range. AD=0 indicate that some part
+ of the answer was insecure or not validated.
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><option>+[no]cdflag</option></term>
@@ -816,7 +819,7 @@
on its own line.
</para>
<para>
- If not specified <command>dig</command> will look for
+ If not specified, <command>dig</command> will look for
<filename>/etc/trusted-key.key</filename> then
<filename>trusted-key.key</filename> in the current directory.
</para>
@@ -837,6 +840,14 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>+[no]nsid</option></term>
+ <listitem>
+ <para>
+ Include an EDNS name server ID request when sending a query.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
diff --git a/bin/dig/dig.html b/bin/dig/dig.html
index a8c459447f12..11b55cc75929 100644
--- a/bin/dig/dig.html
+++ b/bin/dig/dig.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dig.html,v 1.13.18.30 2008/10/14 01:30:11 tbox Exp $ -->
+<!-- $Id: dig.html,v 1.45.44.2 2009/02/03 01:52:10 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -34,7 +34,7 @@
<div class="cmdsynopsis"><p><code class="command">dig</code> [global-queryopt...] [query...]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543515"></a><h2>DESCRIPTION</h2>
+<a name="id2543518"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dig</strong></span>
(domain information groper) is a flexible tool
for interrogating DNS name servers. It performs DNS lookups and
@@ -80,7 +80,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543589"></a><h2>SIMPLE USAGE</h2>
+<a name="id2543592"></a><h2>SIMPLE USAGE</h2>
<p>
A typical invocation of <span><strong class="command">dig</strong></span> looks like:
</p>
@@ -126,7 +126,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543680"></a><h2>OPTIONS</h2>
+<a name="id2543683"></a><h2>OPTIONS</h2>
<p>
The <code class="option">-b</code> option sets the source IP address of the query
to <em class="parameter"><code>address</code></em>. This must be a valid
@@ -230,7 +230,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544028"></a><h2>QUERY OPTIONS</h2>
+<a name="id2544032"></a><h2>QUERY OPTIONS</h2>
<p><span><strong class="command">dig</strong></span>
provides a number of query options which affect
the way in which lookups are made and the results displayed. Some of
@@ -308,13 +308,15 @@
</p></dd>
<dt><span class="term"><code class="option">+[no]adflag</code></span></dt>
<dd><p>
- Set [do not set] the AD (authentic data) bit in the query. The
- AD bit
- currently has a standard meaning only in responses, not in
- queries,
- but the ability to set the bit in the query is provided for
- completeness.
- </p></dd>
+ Set [do not set] the AD (authentic data) bit in the
+ query. This requests the server to return whether
+ all of the answer and authority sections have all
+ been validated as secure according to the security
+ policy of the server. AD=1 indicates that all records
+ have been validated as secure and the answer is not
+ from a OPT-OUT range. AD=0 indicate that some part
+ of the answer was insecure or not validated.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
<dd><p>
Set [do not set] the CD (checking disabled) bit in the query.
@@ -529,7 +531,7 @@
on its own line.
</p>
<p>
- If not specified <span><strong class="command">dig</strong></span> will look for
+ If not specified, <span><strong class="command">dig</strong></span> will look for
<code class="filename">/etc/trusted-key.key</code> then
<code class="filename">trusted-key.key</code> in the current directory.
</p>
@@ -543,13 +545,17 @@
validation.
Requires dig be compiled with -DDIG_SIGCHASE.
</p></dd>
+<dt><span class="term"><code class="option">+[no]nsid</code></span></dt>
+<dd><p>
+ Include an EDNS name server ID request when sending a query.
+ </p></dd>
</dl></div>
<p>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545149"></a><h2>MULTIPLE QUERIES</h2>
+<a name="id2545166"></a><h2>MULTIPLE QUERIES</h2>
<p>
The BIND 9 implementation of <span><strong class="command">dig </strong></span>
supports
@@ -595,7 +601,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545211"></a><h2>IDN SUPPORT</h2>
+<a name="id2545228"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -609,14 +615,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545234"></a><h2>FILES</h2>
+<a name="id2545251"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
<p><code class="filename">${HOME}/.digrc</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545251"></a><h2>SEE ALSO</h2>
+<a name="id2545336"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
@@ -624,7 +630,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545356"></a><h2>BUGS</h2>
+<a name="id2545373"></a><h2>BUGS</h2>
<p>
There are probably too many query options.
</p>
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index 8736c0cc75c5..470261cb2da7 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dighost.c,v 1.259.18.49 2008/07/23 23:33:02 marka Exp $ */
+/* $Id: dighost.c,v 1.311.70.8 2009/02/25 02:39:21 marka Exp $ */
/*! \file
* \note
@@ -583,6 +583,11 @@ copy_server_list(lwres_conf_t *confdata, dig_serverlist_t *dest) {
for (i = 0; i < confdata->nsnext; i++) {
af = addr2af(confdata->nameservers[i].family);
+ if (af == AF_INET && !have_ipv4)
+ continue;
+ if (af == AF_INET6 && !have_ipv6)
+ continue;
+
lwres_net_ntop(af, confdata->nameservers[i].address,
tmp, sizeof(tmp));
newsrv = make_server(tmp, tmp);
@@ -724,6 +729,7 @@ make_empty_lookup(void) {
looknew->servfail_stops = ISC_TRUE;
looknew->besteffort = ISC_TRUE;
looknew->dnssec = ISC_FALSE;
+ looknew->nsid = ISC_FALSE;
#ifdef DIG_SIGCHASE
looknew->sigchase = ISC_FALSE;
#if DIG_SIGCHASE_TD
@@ -770,7 +776,7 @@ make_empty_lookup(void) {
* the query list, since it will be regenerated by the setup_lookup()
* function, nor does it queue up the new lookup for processing.
* Caution: If you don't clone the servers, you MUST clone the server
- * list seperately from somewhere else, or construct it by hand.
+ * list separately from somewhere else, or construct it by hand.
*/
dig_lookup_t *
clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
@@ -803,6 +809,7 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
looknew->servfail_stops = lookold->servfail_stops;
looknew->besteffort = lookold->besteffort;
looknew->dnssec = lookold->dnssec;
+ looknew->nsid = lookold->nsid;
#ifdef DIG_SIGCHASE
looknew->sigchase = lookold->sigchase;
#if DIG_SIGCHASE_TD
@@ -1004,10 +1011,18 @@ void
setup_system(void) {
dig_searchlist_t *domain = NULL;
lwres_result_t lwresult;
+ unsigned int lwresflags;
debug("setup_system()");
- lwresult = lwres_context_create(&lwctx, mctx, mem_alloc, mem_free, 1);
+ lwresflags = LWRES_CONTEXT_SERVERMODE;
+ if (have_ipv4)
+ lwresflags |= LWRES_CONTEXT_USEIPV4;
+ if (have_ipv6)
+ lwresflags |= LWRES_CONTEXT_USEIPV6;
+
+ lwresult = lwres_context_create(&lwctx, mctx, mem_alloc, mem_free,
+ lwresflags);
if (lwresult != LWRES_R_SUCCESS)
fatal("lwres_context_create failed");
@@ -1033,8 +1048,10 @@ setup_system(void) {
debug("ndots is %d.", ndots);
}
+ copy_server_list(lwconf, &server_list);
+
/* If we don't find a nameserver fall back to localhost */
- if (lwconf->nsnext == 0) {
+ if (ISC_LIST_EMPTY(server_list)) {
if (have_ipv4) {
lwresult = add_nameserver(lwconf, "127.0.0.1", AF_INET);
if (lwresult != ISC_R_SUCCESS)
@@ -1045,10 +1062,9 @@ setup_system(void) {
if (lwresult != ISC_R_SUCCESS)
fatal("add_nameserver failed");
}
- }
- if (ISC_LIST_EMPTY(server_list))
copy_server_list(lwconf, &server_list);
+ }
#ifdef WITH_IDN
initialize_idn();
@@ -1155,11 +1171,11 @@ setup_libs(void) {
/*%
* Add EDNS0 option record to a message. Currently, the only supported
- * options are UDP buffer size and the DO bit.
+ * options are UDP buffer size, the DO bit, and NSID request.
*/
static void
add_opt(dns_message_t *msg, isc_uint16_t udpsize, isc_uint16_t edns,
- isc_boolean_t dnssec)
+ isc_boolean_t dnssec, isc_boolean_t nsid)
{
dns_rdataset_t *rdataset = NULL;
dns_rdatalist_t *rdatalist = NULL;
@@ -1182,8 +1198,19 @@ add_opt(dns_message_t *msg, isc_uint16_t udpsize, isc_uint16_t edns,
rdatalist->ttl = edns << 16;
if (dnssec)
rdatalist->ttl |= DNS_MESSAGEEXTFLAG_DO;
- rdata->data = NULL;
- rdata->length = 0;
+ if (nsid) {
+ unsigned char data[4];
+ isc_buffer_t buf;
+
+ isc_buffer_init(&buf, data, sizeof(data));
+ isc_buffer_putuint16(&buf, DNS_OPT_NSID);
+ isc_buffer_putuint16(&buf, 0);
+ rdata->data = data;
+ rdata->length = sizeof(data);
+ } else {
+ rdata->data = NULL;
+ rdata->length = 0;
+ }
ISC_LIST_INIT(rdatalist->rdata);
ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
dns_rdatalist_tordataset(rdatalist, rdataset);
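Review bot: `rdata->data = data;` in the nsid branch stores a pointer to `data[4]`, an automatic array whose lifetime ends at the closing brace of that `if` block, so the OPT rdata appended to `rdatalist` refers to dead stack storage by the time the message is rendered (the caller's `dns_message_rendersection` runs after `add_opt` returns, as the @@ -1995 hunk shows). Whether the four bytes survive depends on what the intervening calls do to the stack, which makes the NSID request unreliable rather than visibly broken. Since the option body is a constant (code DNS_OPT_NSID, length 0), a function-scope static buffer is the minimal fix; message-owned memory would be the alternative if the payload ever becomes per-query. The rest of add_opt's body is outside the hunk.
```c
static void
add_opt(dns_message_t *msg, isc_uint16_t udpsize, isc_uint16_t edns,
	isc_boolean_t dnssec, isc_boolean_t nsid)
{
	static unsigned char nsid_opt[4];  /* constant option body; must outlive this call */
	/* … unchanged: rdataset/rdatalist/rdata setup, ttl and DO flag … */
	if (nsid) {
		isc_buffer_t buf;

		isc_buffer_init(&buf, nsid_opt, sizeof(nsid_opt));
		isc_buffer_putuint16(&buf, DNS_OPT_NSID);
		isc_buffer_putuint16(&buf, 0);
		rdata->data = nsid_opt;
		rdata->length = sizeof(nsid_opt);
	} else {
		rdata->data = NULL;
		rdata->length = 0;
	}
	/* … unchanged: list init/append, dns_rdatalist_tordataset … */
```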
@@ -1387,7 +1414,7 @@ start_lookup(void) {
key_name) == ISC_TRUE)
trustedkey = tk_list.key[i];
/*
- * Verifier que la temp est bien la plus basse
+ * Verify temp is really the lowest
* WARNING
*/
}
@@ -1848,7 +1875,7 @@ setup_lookup(dig_lookup_t *lookup) {
&lookup->name);
dns_message_puttempname(lookup->sendmsg,
&lookup->oname);
- fatal("Origin '%s' is not in legal name syntax (%s)",
+ fatal("'%s' is not in legal name syntax (%s)",
lookup->origin->origin,
isc_result_totext(result));
}
@@ -1953,12 +1980,15 @@ setup_lookup(dig_lookup_t *lookup) {
if ((lookup->rdtype == dns_rdatatype_axfr) ||
(lookup->rdtype == dns_rdatatype_ixfr)) {
- lookup->doing_xfr = ISC_TRUE;
/*
- * Force TCP mode if we're doing an xfr.
- * XXX UDP ixfr's would be useful
+ * Force TCP mode if we're doing an axfr.
*/
- lookup->tcp_mode = ISC_TRUE;
+ if (lookup->rdtype == dns_rdatatype_axfr) {
+ lookup->doing_xfr = ISC_TRUE;
+ lookup->tcp_mode = ISC_TRUE;
+ } else if (lookup->tcp_mode) {
+ lookup->doing_xfr = ISC_TRUE;
+ }
}
add_question(lookup->sendmsg, lookup->name, lookup->rdclass,
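Review bot: The rewritten comment `Force TCP mode if we're doing an axfr.` no longer explains the second branch: for IXFR, `doing_xfr` is now set only when `tcp_mode` is already on, so an IXFR sent over UDP falls through to the ordinary response path. I'd state that at the comment, e.g. `/* AXFR always uses TCP. IXFR may be attempted over UDP; only a TCP IXFR is treated as a transfer (doing_xfr). */`, so the next reader does not re-add the old unconditional tcp_mode. setup_lookup continues outside the hunk, so I can't confirm what doing_xfr gates downstream.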
@@ -1995,7 +2025,7 @@ setup_lookup(dig_lookup_t *lookup) {
if (lookup->edns < 0)
lookup->edns = 0;
add_opt(lookup->sendmsg, lookup->udpsize,
- lookup->edns, lookup->dnssec);
+ lookup->edns, lookup->dnssec, lookup->nsid);
}
result = dns_message_rendersection(lookup->sendmsg,
@@ -2175,6 +2205,21 @@ bringup_timer(dig_query_t *query, unsigned int default_timeout) {
}
static void
+force_timeout(dig_lookup_t *l, dig_query_t *query) {
+ isc_event_t *event;
+
+ event = isc_event_allocate(mctx, query, ISC_TIMEREVENT_IDLE,
+ connect_timeout, l,
+ sizeof(isc_event_t));
+ if (event == NULL) {
+ fatal("isc_event_allocate: %s",
+ isc_result_totext(ISC_R_NOMEMORY));
+ }
+ isc_task_send(global_task, &event);
+}
+
+
+static void
connect_done(isc_task_t *task, isc_event_t *event);
/*%
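Review bot: force_timeout has no header comment, and its name hides that it does not time anything out: it allocates an ISC_TIMEREVENT_IDLE event addressed to connect_timeout with the query as sender and posts it on global_task, so the lookup advances to the next server at once. A short comment such as `/* Post a synthetic connect_timeout event for 'query' so the lookup moves on to the next server without waiting for the real timer. */` would save the next reader a trip to the two call sites. The doubled blank line after the function can go.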
@@ -2193,7 +2238,16 @@ send_tcp_connect(dig_query_t *query) {
l = query->lookup;
query->waiting_connect = ISC_TRUE;
query->lookup->current_query = query;
- get_address(query->servname, port, &query->sockaddr);
+ result = get_address(query->servname, port, &query->sockaddr);
+ if (result == ISC_R_NOTFOUND) {
+ /*
+ * This servname doesn't have an address. Try the next server
+ * by triggering an immediate 'timeout' (we lie, but the effect
+ * is the same).
+ */
+ force_timeout(l, query);
+ return;
+ }
if (specified_source &&
(isc_sockaddr_pf(&query->sockaddr) !=
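Review bot: `if (result == ISC_R_NOTFOUND)` after the get_address() call handles only one failure, but get_address now hands every bind9_getaddresses() error back to the caller (the @@ -3228 hunk replaces the old fatal() with `return (result);`), so any other result leaves `query->sockaddr` unset and execution continues into the source-address check and socket setup with it. The same pattern is in the send_udp hunk (@@ -2266). Either advance to the next server on any failure, `if (result != ISC_R_SUCCESS) {`, or keep the previous hard stop for the remaining cases with `fatal("couldn't get address for '%s': %s", query->servname, isc_result_totext(result));`. send_tcp_connect's body starts and ends outside the hunk.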
@@ -2266,7 +2320,12 @@ send_udp(dig_query_t *query) {
if (!query->recv_made) {
/* XXX Check the sense of this, need assertion? */
query->waiting_connect = ISC_FALSE;
- get_address(query->servname, port, &query->sockaddr);
+ result = get_address(query->servname, port, &query->sockaddr);
+ if (result == ISC_R_NOTFOUND) {
+ /* This servname doesn't have an address. */
+ force_timeout(l, query);
+ return;
+ }
result = isc_socket_create(socketmgr,
isc_sockaddr_pf(&query->sockaddr),
@@ -2337,8 +2396,14 @@ connect_timeout(isc_task_t *task, isc_event_t *event) {
cq = query->lookup->current_query;
if (!l->tcp_mode)
send_udp(ISC_LIST_NEXT(cq, link));
- else
+ else {
+ isc_socket_cancel(query->sock, NULL,
+ ISC_SOCKCANCEL_ALL);
+ isc_socket_detach(&query->sock);
+ sockcount--;
+ debug("sockcount=%d", sockcount);
send_tcp_connect(ISC_LIST_NEXT(cq, link));
+ }
UNLOCK_LOOKUP;
return;
}
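Review bot: `isc_socket_cancel(query->sock, NULL, ISC_SOCKCANCEL_ALL);` in the tcp_mode branch assumes the query's socket exists, but the new force_timeout() path in send_tcp_connect fires this handler right after get_address() fails, which as far as that hunk shows is before any socket is created for the query, so `query->sock` can still be NULL here and the cancel/detach pair will fail their validity checks. Guard the cleanup with `if (query->sock != NULL) {` before the cancel line and a matching `}` after the `debug("sockcount=%d", sockcount);` line, leaving `send_tcp_connect(ISC_LIST_NEXT(cq, link));` outside it. connect_timeout starts outside the hunk, so I cannot see whether an earlier test already excludes this case.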
@@ -2892,18 +2957,8 @@ recv_done(isc_task_t *task, isc_event_t *event) {
if (result == ISC_R_SUCCESS && (msgflags & DNS_MESSAGEFLAG_QR) == 0)
printf(";; Warning: query response not set\n");
- if (!match) {
- isc_buffer_invalidate(&query->recvbuf);
- isc_buffer_init(&query->recvbuf, query->recvspace, COMMSIZE);
- ISC_LIST_ENQUEUE(query->recvlist, &query->recvbuf, link);
- result = isc_socket_recvv(query->sock, &query->recvlist, 1,
- global_task, recv_done, query);
- check_result(result, "isc_socket_recvv");
- recvcount++;
- isc_event_free(&event);
- UNLOCK_LOOKUP;
- return;
- }
+ if (!match)
+ goto udp_mismatch;
result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg);
check_result(result, "dns_message_create");
@@ -2958,6 +3013,52 @@ recv_done(isc_task_t *task, isc_event_t *event) {
UNLOCK_LOOKUP;
return;
}
+ if (msg->counts[DNS_SECTION_QUESTION] != 0) {
+ match = ISC_TRUE;
+ for (result = dns_message_firstname(msg, DNS_SECTION_QUESTION);
+ result == ISC_R_SUCCESS && match;
+ result = dns_message_nextname(msg, DNS_SECTION_QUESTION)) {
+ dns_name_t *name = NULL;
+ dns_rdataset_t *rdataset;
+
+ dns_message_currentname(msg, DNS_SECTION_QUESTION,
+ &name);
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ if (l->rdtype != rdataset->type ||
+ l->rdclass != rdataset->rdclass ||
+ !dns_name_equal(l->name, name)) {
+ char namestr[DNS_NAME_FORMATSIZE];
+ char typebuf[DNS_RDATATYPE_FORMATSIZE];
+ char classbuf[DNS_RDATACLASS_FORMATSIZE];
+ dns_name_format(name, namestr,
+ sizeof(namestr));
+ dns_rdatatype_format(rdataset->type,
+ typebuf,
+ sizeof(typebuf));
+ dns_rdataclass_format(rdataset->rdclass,
+ classbuf,
+ sizeof(classbuf));
+ printf(";; Question section mismatch: "
+ "got %s/%s/%s\n",
+ namestr, typebuf, classbuf);
+ match = ISC_FALSE;
+ }
+ }
+ }
+ if (!match) {
+ dns_message_destroy(&msg);
+ if (l->tcp_mode) {
+ isc_event_free(&event);
+ clear_query(query);
+ check_next_lookup(l);
+ UNLOCK_LOOKUP;
+ return;
+ } else
+ goto udp_mismatch;
+ }
+ }
if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0 &&
!l->ignore && !l->tcp_mode) {
printf(";; Truncated, retrying in TCP mode.\n");
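Review bot: The new question-section comparison is only entered when `msg->counts[DNS_SECTION_QUESTION] != 0`, so a reply whose question section is empty skips the name/type/class check entirely and is accepted on message ID alone; given that the check exists to discard replies that do not belong to the outstanding query, that is the one shape of mismatched reply it still lets through. If empty-question replies are deliberately tolerated (FORMERR responses may legitimately carry none), a comment at that `if` saying so would help; otherwise treat a zero count as a mismatch unless `msg->rcode` indicates such an error. recv_done starts and ends outside the hunk.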
@@ -3212,6 +3313,19 @@ recv_done(isc_task_t *task, isc_event_t *event) {
}
isc_event_free(&event);
UNLOCK_LOOKUP;
+ return;
+
+ udp_mismatch:
+ isc_buffer_invalidate(&query->recvbuf);
+ isc_buffer_init(&query->recvbuf, query->recvspace, COMMSIZE);
+ ISC_LIST_ENQUEUE(query->recvlist, &query->recvbuf, link);
+ result = isc_socket_recvv(query->sock, &query->recvlist, 1,
+ global_task, recv_done, query);
+ check_result(result, "isc_socket_recvv");
+ recvcount++;
+ isc_event_free(&event);
+ UNLOCK_LOOKUP;
+ return;
}
/*%
@@ -3219,7 +3333,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
* used in looking up server names, etc... and needs to use system-supplied
* routines, since they may be using a non-DNS system for these lookups.
*/
-void
+isc_result_t
get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
int count;
isc_result_t result;
@@ -3228,9 +3342,11 @@ get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
result = bind9_getaddresses(host, port, sockaddr, 1, &count);
isc_app_unblock();
if (result != ISC_R_SUCCESS)
- fatal("couldn't get address for '%s': %s",
- host, isc_result_totext(result));
+ return (result);
+
INSIST(count == 1);
+
+ return (ISC_R_SUCCESS);
}
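Review bot: The comment above get_address (partly outside the hunk) still describes only what the routine does, while its contract changed from void-and-fatal to returning a result that callers now have to interpret. I'd extend it with `Returns ISC_R_SUCCESS with *sockaddr filled in, or the bind9_getaddresses() error (ISC_R_NOTFOUND when the name has no address); *sockaddr is unspecified on failure.` The `host` parameter could also become `const char *` if bind9_getaddresses accepts one, since it is only passed through.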
/*%
@@ -3284,7 +3400,7 @@ cancel_all(void) {
isc_timer_detach(&current_lookup->timer);
q = ISC_LIST_HEAD(current_lookup->q);
while (q != NULL) {
- debug("cancelling query %p, belonging to %p",
+ debug("canceling query %p, belonging to %p",
q, current_lookup);
nq = ISC_LIST_NEXT(q, link);
if (q->sock != NULL) {
@@ -3600,7 +3716,7 @@ dns_rdataset_t *
search_type(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers) {
dns_rdataset_t *rdataset;
dns_rdata_sig_t siginfo;
- dns_rdata_t sigrdata;
+ dns_rdata_t sigrdata = DNS_RDATA_INIT;
isc_result_t result;
for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
@@ -3610,7 +3726,6 @@ search_type(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers) {
return (rdataset);
} else if ((type == dns_rdatatype_rrsig) &&
(rdataset->type == dns_rdatatype_rrsig)) {
- dns_rdata_init(&sigrdata);
result = dns_rdataset_first(rdataset);
check_result(result, "empty rdataset");
dns_rdataset_current(rdataset, &sigrdata);
@@ -4133,7 +4248,7 @@ isc_result_t
grandfather_pb_test(dns_name_t *zone_name, dns_rdataset_t *sigrdataset)
{
isc_result_t result;
- dns_rdata_t sigrdata;
+ dns_rdata_t sigrdata = DNS_RDATA_INIT;
dns_rdata_sig_t siginfo;
result = dns_rdataset_first(sigrdataset);
@@ -4153,6 +4268,7 @@ grandfather_pb_test(dns_name_t *zone_name, dns_rdataset_t *sigrdataset)
}
dns_rdata_freestruct(&siginfo);
+ dns_rdata_reset(&sigrdata);
} while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS);
@@ -4239,7 +4355,7 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset,
isc_mem_t *mctx)
{
isc_result_t result;
- dns_rdata_t rdata;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
dst_key_t *trustedKey = NULL;
dst_key_t *dnsseckey = NULL;
int i;
@@ -4249,7 +4365,6 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset,
result = dns_rdataset_first(rdataset);
check_result(result, "empty rdataset");
- dns_rdata_init(&rdata);
do {
dns_rdataset_current(rdataset, &rdata);
@@ -4299,7 +4414,7 @@ sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset,
isc_mem_t *mctx)
{
isc_result_t result;
- dns_rdata_t keyrdata;
+ dns_rdata_t keyrdata = DNS_RDATA_INIT;
dst_key_t *dnsseckey = NULL;
result = dns_rdataset_first(keyrdataset);
@@ -4322,6 +4437,7 @@ sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset,
return (ISC_R_SUCCESS);
}
dst_key_free(&dnsseckey);
+ dns_rdata_reset(&keyrdata);
} while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS);
dns_rdata_reset(&keyrdata);
@@ -4335,7 +4451,7 @@ sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset,
isc_mem_t *mctx)
{
isc_result_t result;
- dns_rdata_t sigrdata;
+ dns_rdata_t sigrdata = DNS_RDATA_INIT;
dns_rdata_sig_t siginfo;
result = dns_rdataset_first(sigrdataset);
@@ -4373,6 +4489,7 @@ sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset,
}
}
dns_rdata_freestruct(&siginfo);
+ dns_rdata_reset(&sigrdata);
} while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS);
@@ -4387,25 +4504,23 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
dns_rdataset_t *dsrdataset, isc_mem_t *mctx)
{
isc_result_t result;
- dns_rdata_t keyrdata;
- dns_rdata_t newdsrdata;
- dns_rdata_t dsrdata;
+ dns_rdata_t keyrdata = DNS_RDATA_INIT;
+ dns_rdata_t newdsrdata = DNS_RDATA_INIT;
+ dns_rdata_t dsrdata = DNS_RDATA_INIT;
dns_rdata_ds_t dsinfo;
dst_key_t *dnsseckey = NULL;
unsigned char dsbuf[DNS_DS_BUFFERSIZE];
result = dns_rdataset_first(dsrdataset);
check_result(result, "empty DSset dataset");
- dns_rdata_init(&dsrdata);
do {
dns_rdataset_current(dsrdataset, &dsrdata);
result = dns_rdata_tostruct(&dsrdata, &dsinfo, NULL);
- check_result(result, "dns_rdata_tostruct for DS");
+ check_result(result, "dns_rdata_tostruct for DS");
result = dns_rdataset_first(keyrdataset);
check_result(result, "empty KEY dataset");
- dns_rdata_init(&keyrdata);
do {
dns_rdataset_current(keyrdataset, &keyrdata);
@@ -4420,7 +4535,6 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
* id of DNSKEY referenced by the DS
*/
if (dsinfo.key_tag == dst_key_id(dnsseckey)) {
- dns_rdata_init(&newdsrdata);
result = dns_ds_buildrdata(name, &keyrdata,
dsinfo.digest_type,
@@ -4468,14 +4582,16 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
dns_rdata_reset(&newdsrdata);
}
dst_key_free(&dnsseckey);
+ dns_rdata_reset(&keyrdata);
dnsseckey = NULL;
} while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS);
- dns_rdata_reset(&keyrdata);
+ dns_rdata_reset(&dsrdata);
} while (dns_rdataset_next(chase_dsrdataset) == ISC_R_SUCCESS);
-#if 0
- dns_rdata_reset(&dsrdata); WARNING
-#endif
+
+ dns_rdata_reset(&keyrdata);
+ dns_rdata_reset(&newdsrdata);
+ dns_rdata_reset(&dsrdata);
return (ISC_R_NOTFOUND);
}
@@ -4868,7 +4984,7 @@ getneededrr(dns_message_t *msg)
{
isc_result_t result;
dns_name_t *name = NULL;
- dns_rdata_t sigrdata;
+ dns_rdata_t sigrdata = DNS_RDATA_INIT;
dns_rdata_sig_t siginfo;
isc_boolean_t true = ISC_TRUE;
@@ -4922,7 +5038,6 @@ getneededrr(dns_message_t *msg)
/* first find the DNSKEY name */
result = dns_rdataset_first(chase_sigrdataset);
check_result(result, "empty RRSIG dataset");
- dns_rdata_init(&sigrdata);
dns_rdataset_current(chase_sigrdataset, &sigrdata);
result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
check_result(result, "sigrdata tostruct siginfo");
@@ -5300,6 +5415,7 @@ prove_nx_domain(dns_message_t *msg,
}
dns_rdata_freestruct(&nsecstruct);
+ dns_rdata_reset(&nsec);
}
} while (dns_message_nextname(msg, DNS_SECTION_AUTHORITY)
== ISC_R_SUCCESS);
@@ -5367,7 +5483,7 @@ prove_nx(dns_message_t *msg, dns_name_t *name, dns_rdataclass_t class,
isc_result_t ret;
dns_rdataset_t *nsecset = NULL;
- printf("We want to prove the non-existance of a type of rdata %d"
+ printf("We want to prove the non-existence of a type of rdata %d"
" or of the zone: \n", type);
if ((ret = dns_message_firstname(msg, DNS_SECTION_AUTHORITY))
diff --git a/bin/dig/host.1 b/bin/dig/host.1
index 9993c0eac8da..eebdad8fe80f 100644
--- a/bin/dig/host.1
+++ b/bin/dig/host.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2002 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: host.1,v 1.14.18.16 2008/04/06 01:31:04 tbox Exp $
+.\" $Id: host.1,v 1.29.114.1 2009/01/23 01:53:33 tbox Exp $
.\"
.hy 0
.ad l
@@ -132,7 +132,7 @@ option enables
\fBhost\fR
to mimic the behavior of a name server by making non\-recursive queries and expecting to receive answers to those queries that are usually referrals to other name servers.
.PP
-By default
+By default,
\fBhost\fR
uses UDP when making queries. The
\fB\-T\fR
@@ -154,7 +154,7 @@ option is used to select the query type.
\fItype\fR
can be any recognized query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
\fBhost\fR
-automatically selects an appropriate query type. By default it looks for A, AAAA, and MX records, but if the
+automatically selects an appropriate query type. By default, it looks for A, AAAA, and MX records, but if the
\fB\-C\fR
option was given, queries will be made for SOA records, and if
\fIname\fR
@@ -213,7 +213,7 @@ runs.
\fBdig\fR(1),
\fBnamed\fR(8).
.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007\-2009 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2002 Internet Software Consortium.
.br
diff --git a/bin/dig/host.c b/bin/dig/host.c
index 33025d5307e5..9f302068adf3 100644
--- a/bin/dig/host.c
+++ b/bin/dig/host.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: host.c,v 1.94.18.19 2007/08/28 07:19:55 tbox Exp $ */
+/* $Id: host.c,v 1.116.216.2 2009/05/06 23:47:18 tbox Exp $ */
/*! \file */
@@ -124,6 +124,23 @@ struct rtype rtypes[] = {
{ 0, NULL }
};
+static char *
+rcode_totext(dns_rcode_t rcode)
+{
+ static char buf[sizeof("?65535")];
+ union {
+ const char *consttext;
+ char *deconsttext;
+ } totext;
+
+ if (rcode >= (sizeof(rcodetext)/sizeof(rcodetext[0]))) {
+ snprintf(buf, sizeof(buf), "?%u", rcode);
+ totext.deconsttext = buf;
+ } else
+ totext.consttext = rcodetext[rcode];
+ return totext.deconsttext;
+}
+
static void
show_usage(void) {
fputs(
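Review bot: The union in rcode_totext exists only to strip `const` from `rcodetext[rcode]` so the function can return `char *`; both call sites in this file pass the result straight to printf `%s`, so returning `const char *` and dropping the union is simpler and keeps the table's const-ness honest. `snprintf(buf, sizeof(buf), "?%u", rcode)` also passes a dns_rcode_t promoted to int to `%u`; `(unsigned int)rcode` makes the format match. The bounds check itself is the valuable part: it stops the former `rcodetext[msg->rcode]` indexing from reading past the table when a reply carries an rcode larger than the table, and the static `buf` is fine for host's single-threaded use.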
@@ -270,10 +287,10 @@ printsection(dns_message_t *msg, dns_section_t sectionid,
if (query->lookup->rdtype == dns_rdatatype_axfr &&
!((!list_addresses &&
(list_type == dns_rdatatype_any ||
- rdataset->type == list_type)) ||
+ rdataset->type == list_type)) ||
(list_addresses &&
(rdataset->type == dns_rdatatype_a ||
- rdataset->type == dns_rdatatype_aaaa ||
+ rdataset->type == dns_rdatatype_aaaa ||
rdataset->type == dns_rdatatype_ns ||
rdataset->type == dns_rdatatype_ptr))))
continue;
@@ -377,7 +394,7 @@ chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
dns_rdata_t rdata = DNS_RDATA_INIT;
unsigned int i = msg->counts[DNS_SECTION_ANSWER];
- while (i-- > 0) {
+ while (i-- > 0) {
rdataset = NULL;
result = dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
dns_rdatatype_cname, 0, NULL,
@@ -429,7 +446,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
printf("Host %s not found: %d(%s)\n",
(msg->rcode != dns_rcode_nxdomain) ? namestr :
query->lookup->textname, msg->rcode,
- rcodetext[msg->rcode]);
+ rcode_totext(msg->rcode));
return (ISC_R_SUCCESS);
}
@@ -451,7 +468,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
sizeof(lookup->textname));
lookup->textname[sizeof(lookup->textname)-1] = 0;
lookup->rdtype = dns_rdatatype_aaaa;
- lookup->rdtypeset = ISC_TRUE;
+ lookup->rdtypeset = ISC_TRUE;
lookup->origin = NULL;
lookup->retries = tries;
ISC_LIST_APPEND(lookup_list, lookup, link);
@@ -462,7 +479,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
sizeof(lookup->textname));
lookup->textname[sizeof(lookup->textname)-1] = 0;
lookup->rdtype = dns_rdatatype_mx;
- lookup->rdtypeset = ISC_TRUE;
+ lookup->rdtypeset = ISC_TRUE;
lookup->origin = NULL;
lookup->retries = tries;
ISC_LIST_APPEND(lookup_list, lookup, link);
@@ -471,7 +488,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
if (!short_form) {
printf(";; ->>HEADER<<- opcode: %s, status: %s, id: %u\n",
- opcodetext[msg->opcode], rcodetext[msg->rcode],
+ opcodetext[msg->opcode], rcode_totext(msg->rcode),
msg->id);
printf(";; flags: ");
if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) {
@@ -689,6 +706,7 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
lookup->tcp_mode = ISC_TRUE;
} else if (rdtype == dns_rdatatype_ixfr) {
lookup->ixfr_serial = serial;
+ lookup->tcp_mode = ISC_TRUE;
list_type = rdtype;
#ifdef WITH_IDN
} else if (rdtype == dns_rdatatype_a ||
@@ -837,7 +855,7 @@ main(int argc, char **argv) {
ISC_LIST_INIT(lookup_list);
ISC_LIST_INIT(server_list);
ISC_LIST_INIT(search_list);
-
+
fatalexit = 1;
#ifdef WITH_IDN
idnoptions = IDN_ASCCHECK;
diff --git a/bin/dig/host.docbook b/bin/dig/host.docbook
index 2c0ad3d7962f..3e75b05199c6 100644
--- a/bin/dig/host.docbook
+++ b/bin/dig/host.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: host.docbook,v 1.5.18.13 2008/04/05 23:46:04 tbox Exp $ -->
+<!-- $Id: host.docbook,v 1.18.114.2 2009/01/22 23:47:05 tbox Exp $ -->
<refentry id="man.host">
<refentryinfo>
@@ -42,6 +42,7 @@
<year>2005</year>
<year>2007</year>
<year>2008</year>
+ <year>2009</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@@ -180,7 +181,7 @@
</para>
<para>
- By default <command>host</command> uses UDP when making
+ By default, <command>host</command> uses UDP when making
queries. The
<option>-T</option> option makes it use a TCP connection when querying
the name server. TCP will be automatically selected for queries that
@@ -200,7 +201,7 @@
NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
<command>host</command> automatically selects an appropriate
query
- type. By default it looks for A, AAAA, and MX records, but if the
+ type. By default, it looks for A, AAAA, and MX records, but if the
<option>-C</option> option was given, queries will be made for SOA
records, and if <parameter>name</parameter> is a
dotted-decimal IPv4
diff --git a/bin/dig/host.html b/bin/dig/host.html
index 88cd830f033b..f21073174ba8 100644
--- a/bin/dig/host.html
+++ b/bin/dig/host.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: host.html,v 1.7.18.22 2008/04/06 01:31:04 tbox Exp $ -->
+<!-- $Id: host.html,v 1.28.114.1 2009/01/23 01:53:33 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">host</code> [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543431"></a><h2>DESCRIPTION</h2>
+<a name="id2543434"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">host</strong></span>
is a simple utility for performing DNS lookups.
It is normally used to convert names to IP addresses and vice versa.
@@ -130,7 +130,7 @@
referrals to other name servers.
</p>
<p>
- By default <span><strong class="command">host</strong></span> uses UDP when making
+ By default, <span><strong class="command">host</strong></span> uses UDP when making
queries. The
<code class="option">-T</code> option makes it use a TCP connection when querying
the name server. TCP will be automatically selected for queries that
@@ -148,7 +148,7 @@
NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
<span><strong class="command">host</strong></span> automatically selects an appropriate
query
- type. By default it looks for A, AAAA, and MX records, but if the
+ type. By default, it looks for A, AAAA, and MX records, but if the
<code class="option">-C</code> option was given, queries will be made for SOA
records, and if <em class="parameter"><code>name</code></em> is a
dotted-decimal IPv4
@@ -184,7 +184,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543797"></a><h2>IDN SUPPORT</h2>
+<a name="id2543800"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">host</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -198,12 +198,12 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543819"></a><h2>FILES</h2>
+<a name="id2543822"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543831"></a><h2>SEE ALSO</h2>
+<a name="id2543834"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
</p>
diff --git a/bin/dig/include/dig/dig.h b/bin/dig/include/dig/dig.h
index 02ae4d22bc50..d9ee7570e9ae 100644
--- a/bin/dig/include/dig/dig.h
+++ b/bin/dig/include/dig/dig.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dig.h,v 1.82.18.23 2007/08/28 07:19:55 tbox Exp $ */
+/* $Id: dig.h,v 1.107.120.2 2009/01/06 23:47:26 tbox Exp $ */
#ifndef DIG_H
#define DIG_H
@@ -102,7 +102,7 @@ typedef struct dig_searchlist dig_searchlist_t;
/*% The dig_lookup structure */
struct dig_lookup {
isc_boolean_t
- pending, /*%< Pending a successful answer */
+ pending, /*%< Pending a successful answer */
waiting_connect,
doing_xfr,
ns_search_only, /*%< dig +nssearch, host -C */
@@ -129,27 +129,28 @@ struct dig_lookup {
need_search,
done_as_is,
besteffort,
- dnssec;
+ dnssec,
+ nsid; /*% Name Server ID (RFC 5001) */
#ifdef DIG_SIGCHASE
isc_boolean_t sigchase;
#if DIG_SIGCHASE_TD
- isc_boolean_t do_topdown,
- trace_root_sigchase,
- rdtype_sigchaseset,
- rdclass_sigchaseset;
+ isc_boolean_t do_topdown,
+ trace_root_sigchase,
+ rdtype_sigchaseset,
+ rdclass_sigchaseset;
/* Name we are going to validate RRset */
- char textnamesigchase[MXNAME];
+ char textnamesigchase[MXNAME];
#endif
#endif
-
+
char textname[MXNAME]; /*% Name we're going to be looking up */
char cmdline[MXNAME];
dns_rdatatype_t rdtype;
dns_rdatatype_t qrdtype;
#if DIG_SIGCHASE_TD
- dns_rdatatype_t rdtype_sigchase;
- dns_rdatatype_t qrdtype_sigchase;
- dns_rdataclass_t rdclass_sigchase;
+ dns_rdatatype_t rdtype_sigchase;
+ dns_rdatatype_t qrdtype_sigchase;
+ dns_rdataclass_t rdclass_sigchase;
#endif
dns_rdataclass_t rdclass;
isc_boolean_t rdtypeset;
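Review bot: The new `nsid` member's comment uses `/*%` while every other trailing member comment in this struct (e.g. `pending`, `ns_search_only`) uses `/*%<`, the form that attaches the comment to the preceding declaration; as written the note may attach to the `#ifdef` block that follows instead. Making it `nsid; /*%< Name Server ID (RFC 5001) */` keeps the struct's convention. The rest of the hunk is indentation only.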
@@ -231,7 +232,7 @@ struct dig_searchlist {
};
#ifdef DIG_SIGCHASE
struct dig_message {
- dns_message_t *msg;
+ dns_message_t *msg;
ISC_LINK(dig_message_t) link;
};
#endif
@@ -249,7 +250,7 @@ extern dig_searchlistlist_t search_list;
extern unsigned int extrabytes;
extern isc_boolean_t check_ra, have_ipv4, have_ipv6, specified_source,
- usesearch, showsearch, qr;
+ usesearch, showsearch, qr;
extern in_port_t port;
extern unsigned int timeout;
extern isc_mem_t *mctx;
@@ -284,7 +285,7 @@ extern int idnoptions;
/*
* Routines in dighost.c.
*/
-void
+isc_result_t
get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr);
isc_result_t
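Review bot: The prototype's return type changes from `void` to `isc_result_t` with no comment saying which results get_address can now return or what `*sockaddr` holds when it fails, so a caller reading the header cannot tell whether the sockaddr is safe to format on a non-success result. I'd put a leading comment on the prototype along the lines of `/*% Resolve 'host' into *sockaddr on 'port'. Returns ISC_R_SUCCESS, otherwise the lookup error; on failure *sockaddr is <state — confirm against dighost.c> */`, with the failure contract checked in dighost.c, which is not part of this hunk. Any caller in dig.c or host.c that still invokes get_address as a statement keeps compiling and silently ignores the new result; only show_settings in nslookup.c is updated in this diff.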
diff --git a/bin/dig/nslookup.1 b/bin/dig/nslookup.1
index a453c2fd23a2..2d195345e6f2 100644
--- a/bin/dig/nslookup.1
+++ b/bin/dig/nslookup.1
@@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: nslookup.1,v 1.1.10.14 2007/05/16 06:11:27 marka Exp $
+.\" $Id: nslookup.1,v 1.14 2007/05/16 06:12:01 marka Exp $
.\"
.hy 0
.ad l
diff --git a/bin/dig/nslookup.c b/bin/dig/nslookup.c
index 3327c6e9429a..56796268d90f 100644
--- a/bin/dig/nslookup.c
+++ b/bin/dig/nslookup.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: nslookup.c,v 1.101.18.15 2007/08/28 07:19:55 tbox Exp $ */
+/* $Id: nslookup.c,v 1.117.334.4 2009/05/06 11:41:57 fdupont Exp $ */
#include <config.h>
@@ -26,6 +26,7 @@
#include <isc/commandline.h>
#include <isc/event.h>
#include <isc/parseint.h>
+#include <isc/print.h>
#include <isc/string.h>
#include <isc/timer.h>
#include <isc/util.h>
@@ -129,6 +130,23 @@ static const char *rtypetext[] = {
static void flush_lookup_list(void);
static void getinput(isc_task_t *task, isc_event_t *event);
+static char *
+rcode_totext(dns_rcode_t rcode)
+{
+ static char buf[sizeof("?65535")];
+ union {
+ const char *consttext;
+ char *deconsttext;
+ } totext;
+
+ if (rcode >= (sizeof(rcodetext)/sizeof(rcodetext[0]))) {
+ snprintf(buf, sizeof(buf), "?%u", rcode);
+ totext.deconsttext = buf;
+ } else
+ totext.consttext = rcodetext[rcode];
+ return totext.deconsttext;
+}
+
void
dighost_shutdown(void) {
isc_event_t *event = global_event;
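Review bot: rcode_totext goes through a union only to strip the const from `rcodetext[]` entries so it can return `char *`, but its one caller in this diff (printmessage) just passes the result to printf, so declaring the function `static const char *` removes the union and the const-laundering. The `static char buf` is overwritten by the next call with an out-of-range rcode, which is fine for this single-threaded tool but should be stated, e.g. `/* Unknown rcodes are formatted into a static buffer: not reentrant. */`. `rcodetext` is defined outside this hunk; the rewrite assumes its elements are `const char *`.
```c
static const char *
rcode_totext(dns_rcode_t rcode)
{
	/* Unknown rcodes are formatted into a static buffer: not reentrant. */
	static char buf[sizeof("?65535")];

	if (rcode >= (sizeof(rcodetext)/sizeof(rcodetext[0]))) {
		snprintf(buf, sizeof(buf), "?%u", rcode);
		return (buf);
	}
	return (rcodetext[rcode]);
}
```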
@@ -385,14 +403,14 @@ trying(char *frm, dig_lookup_t *lookup) {
isc_result_t
printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
- char servtext[ISC_SOCKADDR_FORMATSIZE];
+ char servtext[ISC_SOCKADDR_FORMATSIZE];
debug("printmessage()");
isc_sockaddr_format(&query->sockaddr, servtext, sizeof(servtext));
printf("Server:\t\t%s\n", query->userarg);
printf("Address:\t%s\n", servtext);
-
+
puts("");
if (!short_form) {
@@ -412,7 +430,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
nametext, sizeof(nametext));
printf("** server can't find %s: %s\n",
(msg->rcode != dns_rcode_nxdomain) ? nametext :
- query->lookup->textname, rcodetext[msg->rcode]);
+ query->lookup->textname, rcode_totext(msg->rcode));
debug("returning with rcode == 0");
return (ISC_R_SUCCESS);
}
@@ -441,13 +459,16 @@ show_settings(isc_boolean_t full, isc_boolean_t serv_only) {
dig_server_t *srv;
isc_sockaddr_t sockaddr;
dig_searchlist_t *listent;
+ isc_result_t result;
srv = ISC_LIST_HEAD(server_list);
while (srv != NULL) {
char sockstr[ISC_SOCKADDR_FORMATSIZE];
- get_address(srv->servername, port, &sockaddr);
+ result = get_address(srv->servername, port, &sockaddr);
+ check_result(result, "get_address");
+
isc_sockaddr_format(&sockaddr, sockstr, sizeof(sockstr));
printf("Default server: %s\nAddress: %s\n",
srv->userarg, sockstr);
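Review bot: Passing the get_address result to `check_result` makes show_settings terminate the whole nslookup session when one configured server name no longer resolves, even though the function is only printing settings; check_result lives in dighost.c, outside this diff, and as far as I can tell it calls fatal() on any non-success result. If that is intended, a one-line comment above the call would make it explicit: `/* An unresolvable default server is fatal, even when only displaying settings. */`. Otherwise the more forgiving option is to print the server name with `isc_result_totext(result)` and skip to the next entry, but the loop's advance statement is outside the hunk, so that change needs the full loop body.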
@@ -505,7 +526,7 @@ testclass(char *typetext) {
tr.base = typetext;
tr.length = strlen(typetext);
result = dns_rdataclass_fromtext(&rdclass, &tr);
- if (result == ISC_R_SUCCESS)
+ if (result == ISC_R_SUCCESS)
return (ISC_TRUE);
else {
printf("unknown query class: %s\n", typetext);
@@ -603,7 +624,7 @@ setoption(char *opt) {
set_timeout(&opt[8]);
} else if (strncasecmp(opt, "t=", 2) == 0) {
set_timeout(&opt[2]);
- } else if (strncasecmp(opt, "rec", 3) == 0) {
+ } else if (strncasecmp(opt, "rec", 3) == 0) {
recurse = ISC_TRUE;
} else if (strncasecmp(opt, "norec", 5) == 0) {
recurse = ISC_FALSE;
@@ -611,21 +632,21 @@ setoption(char *opt) {
set_tries(&opt[6]);
} else if (strncasecmp(opt, "ret=", 4) == 0) {
set_tries(&opt[4]);
- } else if (strncasecmp(opt, "def", 3) == 0) {
+ } else if (strncasecmp(opt, "def", 3) == 0) {
usesearch = ISC_TRUE;
} else if (strncasecmp(opt, "nodef", 5) == 0) {
usesearch = ISC_FALSE;
- } else if (strncasecmp(opt, "vc", 3) == 0) {
+ } else if (strncasecmp(opt, "vc", 3) == 0) {
tcpmode = ISC_TRUE;
} else if (strncasecmp(opt, "novc", 5) == 0) {
tcpmode = ISC_FALSE;
- } else if (strncasecmp(opt, "deb", 3) == 0) {
+ } else if (strncasecmp(opt, "deb", 3) == 0) {
short_form = ISC_FALSE;
showsearch = ISC_TRUE;
} else if (strncasecmp(opt, "nodeb", 5) == 0) {
short_form = ISC_TRUE;
showsearch = ISC_FALSE;
- } else if (strncasecmp(opt, "d2", 2) == 0) {
+ } else if (strncasecmp(opt, "d2", 2) == 0) {
debugging = ISC_TRUE;
} else if (strncasecmp(opt, "nod2", 4) == 0) {
debugging = ISC_FALSE;
@@ -640,7 +661,7 @@ setoption(char *opt) {
} else if (strncasecmp(opt, "nofail", 3) == 0) {
nofail=ISC_TRUE;
} else {
- printf("*** Invalid option: %s\n", opt);
+ printf("*** Invalid option: %s\n", opt);
}
}
diff --git a/bin/dig/nslookup.docbook b/bin/dig/nslookup.docbook
index dff5fa3dab31..6c9480968365 100644
--- a/bin/dig/nslookup.docbook
+++ b/bin/dig/nslookup.docbook
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: nslookup.docbook,v 1.4.2.13 2007/08/28 07:19:55 tbox Exp $ -->
+<!-- $Id: nslookup.docbook,v 1.16 2007/06/18 23:47:17 tbox Exp $ -->
<!--
- Copyright (c) 1985, 1989
- The Regents of the University of California. All rights reserved.
diff --git a/bin/dig/nslookup.html b/bin/dig/nslookup.html
index 46ae43cc1e52..0f3817653c01 100644
--- a/bin/dig/nslookup.html
+++ b/bin/dig/nslookup.html
@@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: nslookup.html,v 1.1.10.21 2007/05/16 06:11:27 marka Exp $ -->
+<!-- $Id: nslookup.html,v 1.21 2007/05/16 06:12:01 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
index b94dca7ab0df..d59a38fb114e 100644
--- a/bin/dnssec/Makefile.in
+++ b/bin/dnssec/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
#
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.26.18.4 2005/05/02 00:26:11 marka Exp $
+# $Id: Makefile.in,v 1.35 2008/11/07 02:28:49 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -39,20 +39,32 @@ DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
# Alphabetically
-TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@
+TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \
+ dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@
OBJS = dnssectool.@O@
-SRCS = dnssec-keygen.c dnssec-signzone.c dnssectool.c
+SRCS = dnssec-dsfromkey.c dnssec-keyfromlabel.c dnssec-keygen.c \
+ dnssec-signzone.c dnssectool.c
-MANPAGES = dnssec-keygen.8 dnssec-signzone.8
+MANPAGES = dnssec-dsfromkey.8 dnssec-keyfromlabel.8 dnssec-keygen.8 \
+ dnssec-signzone.8
-HTMLPAGES = dnssec-keygen.html dnssec-signzone.html
+HTMLPAGES = dnssec-dsfromkey.html dnssec-keyfromlabel.html \
+ dnssec-keygen.html dnssec-signzone.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
+dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ dnssec-dsfromkey.@O@ ${OBJS} ${LIBS}
+
+dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ dnssec-keyfromlabel.@O@ ${OBJS} ${LIBS}
+
dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-keygen.@O@ ${OBJS} ${LIBS}
diff --git a/bin/dnssec/dnssec-dsfromkey.8 b/bin/dnssec/dnssec-dsfromkey.8
new file mode 100644
index 000000000000..4d4cbc96d107
--- /dev/null
+++ b/bin/dnssec/dnssec-dsfromkey.8
@@ -0,0 +1,124 @@
+.\" Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: dnssec-dsfromkey.8,v 1.5 2008/11/08 01:11:47 tbox Exp $
+.\"
+.hy 0
+.ad l
+.\" Title: dnssec\-dsfromkey
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\" Date: November 29, 2008
+.\" Manual: BIND9
+.\" Source: BIND9
+.\"
+.TH "DNSSEC\-DSFROMKEY" "8" "November 29, 2008" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+dnssec\-dsfromkey \- DNSSEC DS RR generation tool
+.SH "SYNOPSIS"
+.HP 17
+\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] {keyfile}
+.HP 17
+\fBdnssec\-dsfromkey\fR {\-s} [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdir\fR\fR] {dnsname}
+.SH "DESCRIPTION"
+.PP
+\fBdnssec\-dsfromkey\fR
+outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).
+.SH "OPTIONS"
+.PP
+\-1
+.RS 4
+Use SHA\-1 as the digest algorithm (the default is to use both SHA\-1 and SHA\-256).
+.RE
+.PP
+\-2
+.RS 4
+Use SHA\-256 as the digest algorithm.
+.RE
+.PP
+\-a \fIalgorithm\fR
+.RS 4
+Select the digest algorithm. The value of
+\fBalgorithm\fR
+must be one of SHA\-1 (SHA1) or SHA\-256 (SHA256). These values are case insensitive.
+.RE
+.PP
+\-v \fIlevel\fR
+.RS 4
+Sets the debugging level.
+.RE
+.PP
+\-s
+.RS 4
+Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file. Following options make sense only in this mode.
+.RE
+.PP
+\-c \fIclass\fR
+.RS 4
+Specifies the DNS class (default is IN), useful only in the keyset mode.
+.RE
+.PP
+\-d \fIdirectory\fR
+.RS 4
+Look for
+\fIkeyset\fR
+files in
+\fBdirectory\fR
+as the directory, ignored when not in the keyset mode.
+.RE
+.SH "EXAMPLE"
+.PP
+To build the SHA\-256 DS RR from the
+\fBKexample.com.+003+26160\fR
+keyfile name, the following command would be issued:
+.PP
+\fBdnssec\-dsfromkey \-2 Kexample.com.+003+26160\fR
+.PP
+The command would print something like:
+.PP
+\fBexample.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94\fR
+.SH "FILES"
+.PP
+The keyfile can be designed by the key identification
+\fIKnnnn.+aaa+iiiii\fR
+or the full file name
+\fIKnnnn.+aaa+iiiii.key\fR
+as generated by
+dnssec\-keygen(8).
+.PP
+The keyset file name is built from the
+\fBdirectory\fR, the string
+\fIkeyset\-\fR
+and the
+\fBdnsname\fR.
+.SH "CAVEAT"
+.PP
+A keyfile error can give a "file not found" even if the file exists.
+.SH "SEE ALSO"
+.PP
+\fBdnssec\-keygen\fR(8),
+\fBdnssec\-signzone\fR(8),
+BIND 9 Administrator Reference Manual,
+RFC 3658,
+RFC 4509.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2008 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
new file mode 100644
index 000000000000..653aa3ea7a5a
--- /dev/null
+++ b/bin/dnssec/dnssec-dsfromkey.c
@@ -0,0 +1,396 @@
+/*
+ * Copyright (C) 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnssec-dsfromkey.c,v 1.2.14.3 2009/03/02 02:54:15 marka Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/entropy.h>
+#include <isc/hash.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/ds.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+
+#include <dst/dst.h>
+
+#include "dnssectool.h"
+
+const char *program = "dnssec-dsfromkey";
+int verbose;
+
+static dns_rdataclass_t rdclass;
+static dns_fixedname_t fixed;
+static dns_name_t *name = NULL;
+static dns_db_t *db = NULL;
+static dns_dbnode_t *node = NULL;
+static dns_rdataset_t keyset;
+static isc_mem_t *mctx = NULL;
+
+static void
+loadkeys(char *dirname, char *setname)
+{
+ isc_result_t result;
+ char filename[1024];
+ isc_buffer_t buf;
+
+ dns_rdataset_init(&keyset);
+ dns_fixedname_init(&fixed);
+ name = dns_fixedname_name(&fixed);
+
+ isc_buffer_init(&buf, setname, strlen(setname));
+ isc_buffer_add(&buf, strlen(setname));
+ result = dns_name_fromtext(name, &buf, dns_rootname, ISC_FALSE, NULL);
+ if (result != ISC_R_SUCCESS)
+ fatal("can't convert DNS name %s", setname);
+
+ isc_buffer_init(&buf, filename, sizeof(filename));
+ if (dirname != NULL) {
+ isc_buffer_putstr(&buf, dirname);
+ if (dirname[strlen(dirname) - 1] != '/')
+ isc_buffer_putstr(&buf, "/");
+ }
+ isc_buffer_putstr(&buf, "keyset-");
+ result = dns_name_tofilenametext(name, ISC_FALSE, &buf);
+ check_result(result, "dns_name_tofilenametext()");
+ if (isc_buffer_availablelength(&buf) == 0)
+ fatal("name %s too long", setname);
+ isc_buffer_putuint8(&buf, 0);
+
+ result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
+ rdclass, 0, NULL, &db);
+ if (result != ISC_R_SUCCESS)
+ fatal("can't create database");
+
+ result = dns_db_load(db, filename);
+ if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
+ fatal("can't load %s: %s", filename, isc_result_totext(result));
+
+ result = dns_db_findnode(db, name, ISC_FALSE, &node);
+ if (result != ISC_R_SUCCESS)
+ fatal("can't find %s node in %s", setname, filename);
+
+ result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey,
+ 0, 0, &keyset, NULL);
+ if (result == ISC_R_NOTFOUND)
+ fatal("no DNSKEY RR for %s in %s", setname, filename);
+ else if (result != ISC_R_SUCCESS)
+ fatal("dns_db_findrdataset");
+}
+
+static void
+loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
+ dns_rdata_t *rdata)
+{
+ isc_result_t result;
+ dst_key_t *key = NULL;
+ isc_buffer_t keyb;
+ isc_region_t r;
+
+ dns_rdataset_init(&keyset);
+ dns_rdata_init(rdata);
+
+ isc_buffer_init(&keyb, key_buf, key_buf_size);
+
+ result = dst_key_fromnamedfile(filename, DST_TYPE_PUBLIC, mctx, &key);
+ if (result != ISC_R_SUCCESS)
+ fatal("invalid keyfile name %s: %s",
+ filename, isc_result_totext(result));
+
+ if (verbose > 2) {
+ char keystr[KEY_FORMATSIZE];
+
+ key_format(key, keystr, sizeof(keystr));
+ fprintf(stderr, "%s: %s\n", program, keystr);
+ }
+
+ result = dst_key_todns(key, &keyb);
+ if (result != ISC_R_SUCCESS)
+ fatal("can't decode key");
+
+ isc_buffer_usedregion(&keyb, &r);
+ dns_rdata_fromregion(rdata, dst_key_class(key),
+ dns_rdatatype_dnskey, &r);
+
+ rdclass = dst_key_class(key);
+
+ dns_fixedname_init(&fixed);
+ name = dns_fixedname_name(&fixed);
+ result = dns_name_copy(dst_key_name(key), name, NULL);
+ if (result != ISC_R_SUCCESS)
+ fatal("can't copy name");
+
+ dst_key_free(&key);
+}
+
+static void
+logkey(dns_rdata_t *rdata)
+{
+ isc_result_t result;
+ dst_key_t *key = NULL;
+ isc_buffer_t buf;
+ char keystr[KEY_FORMATSIZE];
+
+ isc_buffer_init(&buf, rdata->data, rdata->length);
+ isc_buffer_add(&buf, rdata->length);
+ result = dst_key_fromdns(name, rdclass, &buf, mctx, &key);
+ if (result != ISC_R_SUCCESS)
+ return;
+
+ key_format(key, keystr, sizeof(keystr));
+ fprintf(stderr, "%s: %s\n", program, keystr);
+
+ dst_key_free(&key);
+}
+
+static void
+emitds(unsigned int dtype, dns_rdata_t *rdata)
+{
+ isc_result_t result;
+ unsigned char buf[DNS_DS_BUFFERSIZE];
+ char text_buf[DST_KEY_MAXTEXTSIZE];
+ char class_buf[10];
+ isc_buffer_t textb, classb;
+ isc_region_t r;
+ dns_rdata_t ds;
+
+ isc_buffer_init(&textb, text_buf, sizeof(text_buf));
+ isc_buffer_init(&classb, class_buf, sizeof(class_buf));
+
+ dns_rdata_init(&ds);
+
+ result = dns_ds_buildrdata(name, rdata, dtype, buf, &ds);
+ if (result != ISC_R_SUCCESS)
+ fatal("can't build DS");
+
+ result = dns_rdata_totext(&ds, (dns_name_t *) NULL, &textb);
+ if (result != ISC_R_SUCCESS)
+ fatal("can't print DS rdata");
+
+ result = dns_rdataclass_totext(rdclass, &classb);
+ if (result != ISC_R_SUCCESS)
+ fatal("can't print DS class");
+
+ result = dns_name_print(name, stdout);
+ if (result != ISC_R_SUCCESS)
+ fatal("can't print DS name");
+
+ putchar(' ');
+
+ isc_buffer_usedregion(&classb, &r);
+ fwrite(r.base, 1, r.length, stdout);
+
+ printf(" DS ");
+
+ isc_buffer_usedregion(&textb, &r);
+ fwrite(r.base, 1, r.length, stdout);
+ putchar('\n');
+}
+
+static void
+usage(void) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr, " %s options keyfile\n\n", program);
+ fprintf(stderr, " %s options [-c class] [-d dir] -s dnsname\n\n",
+ program);
+ fprintf(stderr, "Version: %s\n", VERSION);
+ fprintf(stderr, "Options:\n");
+ fprintf(stderr, " -v <verbose level>\n");
+ fprintf(stderr, " -1: use SHA-1\n");
+ fprintf(stderr, " -2: use SHA-256\n");
+ fprintf(stderr, " -a algorithm: use algorithm\n");
+ fprintf(stderr, "Keyset options:\n");
+ fprintf(stderr, " -s: keyset mode\n");
+ fprintf(stderr, " -c class\n");
+ fprintf(stderr, " -d directory\n");
+ fprintf(stderr, "Output: DS RRs\n");
+
+ exit (-1);
+}
+
+int
+main(int argc, char **argv) {
+ char *algname = NULL, *classname = NULL, *dirname = NULL;
+ char *endp;
+ int ch;
+ unsigned int dtype = DNS_DSDIGEST_SHA1;
+ isc_boolean_t both = ISC_TRUE;
+ isc_boolean_t usekeyset = ISC_FALSE;
+ isc_result_t result;
+ isc_log_t *log = NULL;
+ isc_entropy_t *ectx = NULL;
+ dns_rdata_t rdata;
+
+ dns_rdata_init(&rdata);
+
+ if (argc == 1)
+ usage();
+
+ result = isc_mem_create(0, 0, &mctx);
+ if (result != ISC_R_SUCCESS)
+ fatal("out of memory");
+
+ dns_result_register();
+
+ isc_commandline_errprint = ISC_FALSE;
+
+ while ((ch = isc_commandline_parse(argc, argv,
+ "12a:c:d:sv:h")) != -1) {
+ switch (ch) {
+ case '1':
+ dtype = DNS_DSDIGEST_SHA1;
+ both = ISC_FALSE;
+ break;
+ case '2':
+ dtype = DNS_DSDIGEST_SHA256;
+ both = ISC_FALSE;
+ break;
+ case 'a':
+ algname = isc_commandline_argument;
+ both = ISC_FALSE;
+ break;
+ case 'c':
+ classname = isc_commandline_argument;
+ break;
+ case 'd':
+ dirname = isc_commandline_argument;
+ break;
+ case 's':
+ usekeyset = ISC_TRUE;
+ break;
+ case 'v':
+ verbose = strtol(isc_commandline_argument, &endp, 0);
+ if (*endp != '\0')
+ fatal("-v must be followed by a number");
+ break;
+ case '?':
+ if (isc_commandline_option != '?')
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, isc_commandline_option);
+ /* Falls into */
+ case 'h':
+ usage();
+
+ default:
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ program, isc_commandline_option);
+ exit(1);
+ }
+ }
+
+ if (algname != NULL) {
+ if (strcasecmp(algname, "SHA1") == 0 ||
+ strcasecmp(algname, "SHA-1") == 0)
+ dtype = DNS_DSDIGEST_SHA1;
+ else if (strcasecmp(algname, "SHA256") == 0 ||
+ strcasecmp(algname, "SHA-256") == 0)
+ dtype = DNS_DSDIGEST_SHA256;
+ else
+ fatal("unknown algorithm %s", algname);
+ }
+
+ rdclass = strtoclass(classname);
+
+ if (argc < isc_commandline_index + 1)
+ fatal("the key file name was not specified");
+ if (argc > isc_commandline_index + 1)
+ fatal("extraneous arguments");
+
+ if (ectx == NULL)
+ setup_entropy(mctx, NULL, &ectx);
+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
+ if (result != ISC_R_SUCCESS)
+ fatal("could not initialize hash");
+ result = dst_lib_init(mctx, ectx,
+ ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
+ if (result != ISC_R_SUCCESS)
+ fatal("could not initialize dst");
+ isc_entropy_stopcallbacksources(ectx);
+
+ setup_logging(verbose, mctx, &log);
+
+ if (usekeyset) {
+ loadkeys(dirname, argv[isc_commandline_index]);
+
+ for (result = dns_rdataset_first(&keyset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&keyset)) {
+ dns_rdata_init(&rdata);
+ dns_rdataset_current(&keyset, &rdata);
+
+ if (verbose > 2)
+ logkey(&rdata);
+
+ if (both) {
+ emitds(DNS_DSDIGEST_SHA1, &rdata);
+ emitds(DNS_DSDIGEST_SHA256, &rdata);
+ } else
+ emitds(dtype, &rdata);
+ }
+ } else {
+ unsigned char key_buf[DST_KEY_MAXSIZE];
+
+ loadkey(argv[isc_commandline_index], key_buf,
+ DST_KEY_MAXSIZE, &rdata);
+
+ if (both) {
+ emitds(DNS_DSDIGEST_SHA1, &rdata);
+ emitds(DNS_DSDIGEST_SHA256, &rdata);
+ } else
+ emitds(dtype, &rdata);
+ }
+
+ if (dns_rdataset_isassociated(&keyset))
+ dns_rdataset_disassociate(&keyset);
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ if (db != NULL)
+ dns_db_detach(&db);
+ cleanup_logging(&log);
+ dst_lib_destroy();
+ isc_hash_destroy();
+ cleanup_entropy(&ectx);
+ dns_name_destroy();
+ if (verbose > 10)
+ isc_mem_stats(mctx, stdout);
+ isc_mem_destroy(&mctx);
+
+ fflush(stdout);
+ if (ferror(stdout)) {
+ fprintf(stderr, "write error\n");
+ return (1);
+ } else
+ return (0);
+}
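Review bot: In loadkeys, `dirname[strlen(dirname) - 1]` reads one byte before the string when `-d ""` is given, because the guard only checks `dirname != NULL`; the check should be `if (dirname != NULL && dirname[0] != '\0') {` so an empty directory argument is simply ignored. In the same block, the two `isc_buffer_putstr` calls on the 1024-byte `filename` buffer are not preceded by an `isc_buffer_availablelength` check, and if I recall the isc_buffer contract correctly an over-long `-d` value trips a REQUIRE assertion rather than the clean `fatal("name %s too long", ...)` path that follows the tofilenametext call. In main, the `-v` parsing checks `*endp` but not `endp == isc_commandline_argument` or `errno == ERANGE`, so `-v ""` is accepted as 0 and an out-of-range level is silently clamped. The `if (ectx == NULL)` test before setup_entropy is always true since `ectx` is initialised to NULL a few lines above and never assigned; dropping the condition or adding a comment on why it is there would avoid the reader looking for a missing assignment.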
diff --git a/bin/dnssec/dnssec-dsfromkey.docbook b/bin/dnssec/dnssec-dsfromkey.docbook
new file mode 100644
index 000000000000..c2c6b853052c
--- /dev/null
+++ b/bin/dnssec/dnssec-dsfromkey.docbook
@@ -0,0 +1,214 @@
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ [<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: dnssec-dsfromkey.docbook,v 1.6 2008/11/07 13:54:11 jreed Exp $ -->
+<refentry id="man.dnssec-dsfromkey">
+ <refentryinfo>
+ <date>November 29, 2008</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>dnssec-dsfromkey</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>dnssec-dsfromkey</application></refname>
+ <refpurpose>DNSSEC DS RR generation tool</refpurpose>
+ </refnamediv>
+
+ <docinfo>
+ <copyright>
+ <year>2008</year>
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ </docinfo>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>dnssec-dsfromkey</command>
+ <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+ <arg><option>-1</option></arg>
+ <arg><option>-2</option></arg>
+ <arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
+ <arg choice="req">keyfile</arg>
+ </cmdsynopsis>
+ <cmdsynopsis>
+ <command>dnssec-dsfromkey</command>
+ <arg choice="req">-s</arg>
+ <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+ <arg><option>-1</option></arg>
+ <arg><option>-2</option></arg>
+ <arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
+ <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+ <arg><option>-d <replaceable class="parameter">dir</replaceable></option></arg>
+ <arg choice="req">dnsname</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para><command>dnssec-dsfromkey</command>
+ outputs the Delegation Signer (DS) resource record (RR), as defined in
+ RFC 3658 and RFC 4509, for the given key(s).
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-1</term>
+ <listitem>
+ <para>
+ Use SHA-1 as the digest algorithm (the default is to use
+ both SHA-1 and SHA-256).
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-2</term>
+ <listitem>
+ <para>
+ Use SHA-256 as the digest algorithm.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-a <replaceable class="parameter">algorithm</replaceable></term>
+ <listitem>
+ <para>
+ Select the digest algorithm. The value of
+ <option>algorithm</option> must be one of SHA-1 (SHA1) or
+ SHA-256 (SHA256). These values are case insensitive.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-v <replaceable class="parameter">level</replaceable></term>
+ <listitem>
+ <para>
+ Sets the debugging level.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-s</term>
+ <listitem>
+ <para>
+ Keyset mode: in place of the keyfile name, the argument is
+ the DNS domain name of a keyset file. Following options make sense
+ only in this mode.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-c <replaceable class="parameter">class</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the DNS class (default is IN), useful only
+ in the keyset mode.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-d <replaceable class="parameter">directory</replaceable></term>
+ <listitem>
+ <para>
+ Look for <filename>keyset</filename> files in
+ <option>directory</option> as the directory, ignored when
+ not in the keyset mode.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>EXAMPLE</title>
+ <para>
+ To build the SHA-256 DS RR from the
+ <userinput>Kexample.com.+003+26160</userinput>
+ keyfile name, the following command would be issued:
+ </para>
+ <para><userinput>dnssec-dsfromkey -2 Kexample.com.+003+26160</userinput>
+ </para>
+ <para>
+ The command would print something like:
+ </para>
+ <para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</userinput>
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>FILES</title>
+ <para>
+ The keyfile can be designed by the key identification
+ <filename>Knnnn.+aaa+iiiii</filename> or the full file name
+ <filename>Knnnn.+aaa+iiiii.key</filename> as generated by
+ <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>.
+ </para>
+ <para>
+ The keyset file name is built from the <option>directory</option>,
+ the string <filename>keyset-</filename> and the
+ <option>dnsname</option>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>CAVEAT</title>
+ <para>
+ A keyfile error can give a "file not found" even if the file exists.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para><citerefentry>
+ <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
+ <citetitle>RFC 3658</citetitle>,
+ <citetitle>RFC 4509</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para><corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/bin/dnssec/dnssec-dsfromkey.html b/bin/dnssec/dnssec-dsfromkey.html
new file mode 100644
index 000000000000..72dfd3a55a13
--- /dev/null
+++ b/bin/dnssec/dnssec-dsfromkey.html
@@ -0,0 +1,133 @@
+<!--
+ - Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: dnssec-dsfromkey.html,v 1.5 2008/11/08 01:11:47 tbox Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dnssec-dsfromkey</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">dnssec-dsfromkey</span> &#8212; DNSSEC DS RR generation tool</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] {keyfile}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>dir</code></em></code>] {dnsname}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543424"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">dnssec-dsfromkey</strong></span>
+ outputs the Delegation Signer (DS) resource record (RR), as defined in
+ RFC 3658 and RFC 4509, for the given key(s).
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543435"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-1</span></dt>
+<dd><p>
+ Use SHA-1 as the digest algorithm (the default is to use
+ both SHA-1 and SHA-256).
+ </p></dd>
+<dt><span class="term">-2</span></dt>
+<dd><p>
+ Use SHA-256 as the digest algorithm.
+ </p></dd>
+<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
+<dd><p>
+ Select the digest algorithm. The value of
+ <code class="option">algorithm</code> must be one of SHA-1 (SHA1) or
+ SHA-256 (SHA256). These values are case insensitive.
+ </p></dd>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dd><p>
+ Sets the debugging level.
+ </p></dd>
+<dt><span class="term">-s</span></dt>
+<dd><p>
+ Keyset mode: in place of the keyfile name, the argument is
+ the DNS domain name of a keyset file. Following options make sense
+ only in this mode.
+ </p></dd>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
+<dd><p>
+ Specifies the DNS class (default is IN), useful only
+ in the keyset mode.
+ </p></dd>
+<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+ Look for <code class="filename">keyset</code> files in
+ <code class="option">directory</code> as the directory, ignored when
+ not in the keyset mode.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543563"></a><h2>EXAMPLE</h2>
+<p>
+ To build the SHA-256 DS RR from the
+ <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
+ keyfile name, the following command would be issued:
+ </p>
+<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
+ </p>
+<p>
+ The command would print something like:
+ </p>
+<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong>
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543593"></a><h2>FILES</h2>
+<p>
+ The keyfile can be designed by the key identification
+ <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
+ <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
+ <span class="refentrytitle">dnssec-keygen</span>(8).
+ </p>
+<p>
+ The keyset file name is built from the <code class="option">directory</code>,
+ the string <code class="filename">keyset-</code> and the
+ <code class="option">dnsname</code>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543628"></a><h2>CAVEAT</h2>
+<p>
+ A keyfile error can give a "file not found" even if the file exists.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543638"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+ <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+ <em class="citetitle">RFC 3658</em>,
+ <em class="citetitle">RFC 4509</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543674"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div></body>
+</html>
diff --git a/bin/dnssec/dnssec-keyfromlabel.8 b/bin/dnssec/dnssec-keyfromlabel.8
new file mode 100644
index 000000000000..622205820db0
--- /dev/null
+++ b/bin/dnssec/dnssec-keyfromlabel.8
@@ -0,0 +1,149 @@
+.\" Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: dnssec-keyfromlabel.8,v 1.6 2008/11/08 01:11:47 tbox Exp $
+.\"
+.hy 0
+.ad l
+.\" Title: dnssec\-keyfromlabel
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\" Date: February 8, 2008
+.\" Manual: BIND9
+.\" Source: BIND9
+.\"
+.TH "DNSSEC\-KEYFROMLABEL" "8" "February 8, 2008" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+dnssec\-keyfromlabel \- DNSSEC key generation tool
+.SH "SYNOPSIS"
+.HP 20
+\fBdnssec\-keyfromlabel\fR {\-a\ \fIalgorithm\fR} {\-l\ \fIlabel\fR} [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-k\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
+.SH "DESCRIPTION"
+.PP
+\fBdnssec\-keyfromlabel\fR
+gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034.
+.SH "OPTIONS"
+.PP
+\-a \fIalgorithm\fR
+.RS 4
+Selects the cryptographic algorithm. The value of
+\fBalgorithm\fR
+must be one of RSAMD5 (RSA) or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman). These values are case insensitive.
+.sp
+Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended.
+.sp
+Note 2: DH automatically sets the \-k flag.
+.RE
+.PP
+\-l \fIlabel\fR
+.RS 4
+Specifies the label of keys in the crypto hardware (PKCS#11 device).
+.RE
+.PP
+\-n \fInametype\fR
+.RS 4
+Specifies the owner type of the key. The value of
+\fBnametype\fR
+must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive.
+.RE
+.PP
+\-c \fIclass\fR
+.RS 4
+Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.
+.RE
+.PP
+\-f \fIflag\fR
+.RS 4
+Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flag is KSK (Key Signing Key) DNSKEY.
+.RE
+.PP
+\-h
+.RS 4
+Prints a short summary of the options and arguments to
+\fBdnssec\-keygen\fR.
+.RE
+.PP
+\-k
+.RS 4
+Generate KEY records rather than DNSKEY records.
+.RE
+.PP
+\-p \fIprotocol\fR
+.RS 4
+Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
+.RE
+.PP
+\-t \fItype\fR
+.RS 4
+Indicates the use of the key.
+\fBtype\fR
+must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data.
+.RE
+.PP
+\-v \fIlevel\fR
+.RS 4
+Sets the debugging level.
+.RE
+.SH "GENERATED KEY FILES"
+.PP
+When
+\fBdnssec\-keyfromlabel\fR
+completes successfully, it prints a string of the form
+\fIKnnnn.+aaa+iiiii\fR
+to the standard output. This is an identification string for the key files it has generated.
+.TP 4
+\(bu
+\fInnnn\fR
+is the key name.
+.TP 4
+\(bu
+\fIaaa\fR
+is the numeric representation of the algorithm.
+.TP 4
+\(bu
+\fIiiiii\fR
+is the key identifier (or footprint).
+.PP
+\fBdnssec\-keyfromlabel\fR
+creates two files, with names based on the printed string.
+\fIKnnnn.+aaa+iiiii.key\fR
+contains the public key, and
+\fIKnnnn.+aaa+iiiii.private\fR
+contains the private key.
+.PP
+The
+\fI.key\fR
+file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement).
+.PP
+The
+\fI.private\fR
+file contains algorithm specific fields. For obvious security reasons, this file does not have general read permission.
+.SH "SEE ALSO"
+.PP
+\fBdnssec\-keygen\fR(8),
+\fBdnssec\-signzone\fR(8),
+BIND 9 Administrator Reference Manual,
+RFC 2539,
+RFC 2845,
+RFC 4033.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2008 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
new file mode 100644
index 000000000000..e7587c39663d
--- /dev/null
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -0,0 +1,327 @@
+/*
+ * Copyright (C) 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnssec-keyfromlabel.c,v 1.4 2008/09/24 02:46:21 marka Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/region.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/rdataclass.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+
+#include <dst/dst.h>
+
+#include "dnssectool.h"
+
+#define MAX_RSA 4096 /* should be long enough... */
+
+const char *program = "dnssec-keyfromlabel";
+int verbose;
+
+static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
+ " NSEC3DSA | NSEC3RSASHA1";
+
+static void
+usage(void) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr, " %s -a alg -l label [options] name\n\n",
+ program);
+ fprintf(stderr, "Version: %s\n", VERSION);
+ fprintf(stderr, "Required options:\n");
+ fprintf(stderr, " -a algorithm: %s\n", algs);
+ fprintf(stderr, " -l label: label of the key\n");
+ fprintf(stderr, " name: owner of the key\n");
+ fprintf(stderr, "Other options:\n");
+ fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
+ fprintf(stderr, " (DNSKEY generation defaults to ZONE\n");
+ fprintf(stderr, " -c <class> (default: IN)\n");
+ fprintf(stderr, " -f keyflag: KSK\n");
+ fprintf(stderr, " -t <type>: "
+ "AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
+ "(default: AUTHCONF)\n");
+ fprintf(stderr, " -p <protocol>: "
+ "default: 3 [dnssec]\n");
+ fprintf(stderr, " -v <verbose level>\n");
+ fprintf(stderr, " -k : generate a TYPE=KEY key\n");
+ fprintf(stderr, "Output:\n");
+ fprintf(stderr, " K<name>+<alg>+<id>.key, "
+ "K<name>+<alg>+<id>.private\n");
+
+ exit (-1);
+}
+
+int
+main(int argc, char **argv) {
+ char *algname = NULL, *nametype = NULL, *type = NULL;
+ char *classname = NULL;
+ char *endp;
+ dst_key_t *key = NULL, *oldkey;
+ dns_fixedname_t fname;
+ dns_name_t *name;
+ isc_uint16_t flags = 0, ksk = 0;
+ dns_secalg_t alg;
+ isc_boolean_t null_key = ISC_FALSE;
+ isc_mem_t *mctx = NULL;
+ int ch;
+ int protocol = -1, signatory = 0;
+ isc_result_t ret;
+ isc_textregion_t r;
+ char filename[255];
+ isc_buffer_t buf;
+ isc_log_t *log = NULL;
+ isc_entropy_t *ectx = NULL;
+ dns_rdataclass_t rdclass;
+ int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
+ char *label = NULL;
+
+ if (argc == 1)
+ usage();
+
+ RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
+
+ dns_result_register();
+
+ isc_commandline_errprint = ISC_FALSE;
+
+ while ((ch = isc_commandline_parse(argc, argv,
+ "a:c:f:kl:n:p:t:v:h")) != -1)
+ {
+ switch (ch) {
+ case 'a':
+ algname = isc_commandline_argument;
+ break;
+ case 'c':
+ classname = isc_commandline_argument;
+ break;
+ case 'f':
+ if (strcasecmp(isc_commandline_argument, "KSK") == 0)
+ ksk = DNS_KEYFLAG_KSK;
+ else
+ fatal("unknown flag '%s'",
+ isc_commandline_argument);
+ break;
+ case 'k':
+ options |= DST_TYPE_KEY;
+ break;
+ case 'l':
+ label = isc_commandline_argument;
+ break;
+ case 'n':
+ nametype = isc_commandline_argument;
+ break;
+ case 'p':
+ protocol = strtol(isc_commandline_argument, &endp, 10);
+ if (*endp != '\0' || protocol < 0 || protocol > 255)
+ fatal("-p must be followed by a number "
+ "[0..255]");
+ break;
+ case 't':
+ type = isc_commandline_argument;
+ break;
+ case 'v':
+ verbose = strtol(isc_commandline_argument, &endp, 0);
+ if (*endp != '\0')
+ fatal("-v must be followed by a number");
+ break;
+
+ case '?':
+ if (isc_commandline_option != '?')
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, isc_commandline_option);
+ case 'h':
+ usage();
+
+ default:
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ program, isc_commandline_option);
+ exit(1);
+ }
+ }
+
+ if (ectx == NULL)
+ setup_entropy(mctx, NULL, &ectx);
+ ret = dst_lib_init(mctx, ectx,
+ ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
+ if (ret != ISC_R_SUCCESS)
+ fatal("could not initialize dst");
+
+ setup_logging(verbose, mctx, &log);
+
+ if (label == NULL)
+ fatal("the key label was not specified");
+ if (argc < isc_commandline_index + 1)
+ fatal("the key name was not specified");
+ if (argc > isc_commandline_index + 1)
+ fatal("extraneous arguments");
+
+ if (algname == NULL)
+ fatal("no algorithm was specified");
+ if (strcasecmp(algname, "RSA") == 0) {
+ fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n"
+ "If you still wish to use RSA (RSAMD5) please "
+ "specify \"-a RSAMD5\"\n");
+ return (1);
+ } else {
+ r.base = algname;
+ r.length = strlen(algname);
+ ret = dns_secalg_fromtext(&alg, &r);
+ if (ret != ISC_R_SUCCESS)
+ fatal("unknown algorithm %s", algname);
+ if (alg == DST_ALG_DH)
+ options |= DST_TYPE_KEY;
+ }
+
+ if (type != NULL && (options & DST_TYPE_KEY) != 0) {
+ if (strcasecmp(type, "NOAUTH") == 0)
+ flags |= DNS_KEYTYPE_NOAUTH;
+ else if (strcasecmp(type, "NOCONF") == 0)
+ flags |= DNS_KEYTYPE_NOCONF;
+ else if (strcasecmp(type, "NOAUTHCONF") == 0) {
+ flags |= (DNS_KEYTYPE_NOAUTH | DNS_KEYTYPE_NOCONF);
+ }
+ else if (strcasecmp(type, "AUTHCONF") == 0)
+ /* nothing */;
+ else
+ fatal("invalid type %s", type);
+ }
+
+ if (nametype == NULL) {
+ if ((options & DST_TYPE_KEY) != 0) /* KEY */
+ fatal("no nametype specified");
+ flags |= DNS_KEYOWNER_ZONE; /* DNSKEY */
+ } else if (strcasecmp(nametype, "zone") == 0)
+ flags |= DNS_KEYOWNER_ZONE;
+ else if ((options & DST_TYPE_KEY) != 0) { /* KEY */
+ if (strcasecmp(nametype, "host") == 0 ||
+ strcasecmp(nametype, "entity") == 0)
+ flags |= DNS_KEYOWNER_ENTITY;
+ else if (strcasecmp(nametype, "user") == 0)
+ flags |= DNS_KEYOWNER_USER;
+ else
+ fatal("invalid KEY nametype %s", nametype);
+ } else if (strcasecmp(nametype, "other") != 0) /* DNSKEY */
+ fatal("invalid DNSKEY nametype %s", nametype);
+
+ rdclass = strtoclass(classname);
+
+ if ((options & DST_TYPE_KEY) != 0) /* KEY */
+ flags |= signatory;
+ else if ((flags & DNS_KEYOWNER_ZONE) != 0) /* DNSKEY */
+ flags |= ksk;
+
+ if (protocol == -1)
+ protocol = DNS_KEYPROTO_DNSSEC;
+ else if ((options & DST_TYPE_KEY) == 0 &&
+ protocol != DNS_KEYPROTO_DNSSEC)
+ fatal("invalid DNSKEY protocol: %d", protocol);
+
+ if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
+ if ((flags & DNS_KEYFLAG_SIGNATORYMASK) != 0)
+ fatal("specified null key with signing authority");
+ }
+
+ if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
+ alg == DNS_KEYALG_DH)
+ fatal("a key with algorithm '%s' cannot be a zone key",
+ algname);
+
+ dns_fixedname_init(&fname);
+ name = dns_fixedname_name(&fname);
+ isc_buffer_init(&buf, argv[isc_commandline_index],
+ strlen(argv[isc_commandline_index]));
+ isc_buffer_add(&buf, strlen(argv[isc_commandline_index]));
+ ret = dns_name_fromtext(name, &buf, dns_rootname, ISC_FALSE, NULL);
+ if (ret != ISC_R_SUCCESS)
+ fatal("invalid key name %s: %s", argv[isc_commandline_index],
+ isc_result_totext(ret));
+
+ if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY)
+ null_key = ISC_TRUE;
+
+ isc_buffer_init(&buf, filename, sizeof(filename) - 1);
+
+ /* associate the key */
+ ret = dst_key_fromlabel(name, alg, flags, protocol,
+ rdclass, "", label, NULL, mctx, &key);
+ isc_entropy_stopcallbacksources(ectx);
+
+ if (ret != ISC_R_SUCCESS) {
+ char namestr[DNS_NAME_FORMATSIZE];
+ char algstr[ALG_FORMATSIZE];
+ dns_name_format(name, namestr, sizeof(namestr));
+ alg_format(alg, algstr, sizeof(algstr));
+ fatal("failed to generate key %s/%s: %s\n",
+ namestr, algstr, isc_result_totext(ret));
+ exit(-1);
+ }
+
+ /*
+ * Try to read a key with the same name, alg and id from disk.
+ * If there is one we must continue generating a new one
+ * unless we were asked to generate a null key, in which
+ * case we return failure.
+ */
+ ret = dst_key_fromfile(name, dst_key_id(key), alg,
+ DST_TYPE_PRIVATE, NULL, mctx, &oldkey);
+ /* do not overwrite an existing key */
+ if (ret == ISC_R_SUCCESS) {
+ isc_buffer_clear(&buf);
+ ret = dst_key_buildfilename(key, 0, NULL, &buf);
+ fprintf(stderr, "%s: %s already exists\n",
+ program, filename);
+ dst_key_free(&key);
+ exit (1);
+ }
+
+ ret = dst_key_tofile(key, options, NULL);
+ if (ret != ISC_R_SUCCESS) {
+ char keystr[KEY_FORMATSIZE];
+ key_format(key, keystr, sizeof(keystr));
+ fatal("failed to write key %s: %s\n", keystr,
+ isc_result_totext(ret));
+ }
+
+ isc_buffer_clear(&buf);
+ ret = dst_key_buildfilename(key, 0, NULL, &buf);
+ printf("%s\n", filename);
+ dst_key_free(&key);
+
+ cleanup_logging(&log);
+ cleanup_entropy(&ectx);
+ dst_lib_destroy();
+ dns_name_destroy();
+ if (verbose > 10)
+ isc_mem_stats(mctx, stdout);
+ isc_mem_destroy(&mctx);
+
+ return (0);
+}
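Review bot: The return value of `dst_key_buildfilename` is stored in `ret` but never checked at either call site (the "already exists" path and the final `printf`), and `filename` is declared without an initializer, so on a failed build the code prints an uninitialized stack buffer; `isc_buffer_init(&buf, filename, sizeof(filename) - 1)` reserves a byte for a terminator but nothing in this file writes it, so whether the printed string is NUL-terminated depends on `dst_key_buildfilename` — worth confirming. A one-line guard after each call closes both: `if (ret != ISC_R_SUCCESS) fatal("could not build key filename: %s", isc_result_totext(ret));`. Separately, in the `'p'` case the `long` from `strtol` is narrowed into `int protocol` before the `[0..255]` range check, so an out-of-range value that truncates into range passes silently; parsing into a `long` first and checking that (plus `errno == ERANGE`) before assigning would make the check meaningful. Minor: in the "already exists" branch `oldkey` is opened but never freed before `exit(1)`, and the `exit(-1)` after `fatal(...)` is unreachable if `fatal` does not return.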
diff --git a/bin/dnssec/dnssec-keyfromlabel.docbook b/bin/dnssec/dnssec-keyfromlabel.docbook
new file mode 100644
index 000000000000..2bcf0a48da4a
--- /dev/null
+++ b/bin/dnssec/dnssec-keyfromlabel.docbook
@@ -0,0 +1,265 @@
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ [<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: dnssec-keyfromlabel.docbook,v 1.6 2008/11/07 13:54:11 jreed Exp $ -->
+<refentry id="man.dnssec-keyfromlabel">
+ <refentryinfo>
+ <date>February 8, 2008</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>dnssec-keyfromlabel</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>dnssec-keyfromlabel</application></refname>
+ <refpurpose>DNSSEC key generation tool</refpurpose>
+ </refnamediv>
+
+ <docinfo>
+ <copyright>
+ <year>2008</year>
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ </docinfo>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>dnssec-keyfromlabel</command>
+ <arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
+ <arg choice="req">-l <replaceable class="parameter">label</replaceable></arg>
+ <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+ <arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
+ <arg><option>-k</option></arg>
+ <arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
+ <arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
+ <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
+ <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+ <arg choice="req">name</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para><command>dnssec-keyfromlabel</command>
+ gets keys with the given label from a crypto hardware and builds
+ key files for DNSSEC (Secure DNS), as defined in RFC 2535
+ and RFC 4034.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-a <replaceable class="parameter">algorithm</replaceable></term>
+ <listitem>
+ <para>
+ Selects the cryptographic algorithm. The value of
+ <option>algorithm</option> must be one of RSAMD5 (RSA)
+ or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman).
+ These values are case insensitive.
+ </para>
+ <para>
+ Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
+ algorithm, and DSA is recommended.
+ </para>
+ <para>
+ Note 2: DH automatically sets the -k flag.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-l <replaceable class="parameter">label</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the label of keys in the crypto hardware
+ (PKCS#11 device).
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-n <replaceable class="parameter">nametype</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the owner type of the key. The value of
+ <option>nametype</option> must either be ZONE (for a DNSSEC
+ zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
+ a host (KEY)),
+ USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
+ These values are
+ case insensitive.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-c <replaceable class="parameter">class</replaceable></term>
+ <listitem>
+ <para>
+ Indicates that the DNS record containing the key should have
+ the specified class. If not specified, class IN is used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-f <replaceable class="parameter">flag</replaceable></term>
+ <listitem>
+ <para>
+ Set the specified flag in the flag field of the KEY/DNSKEY record.
+ The only recognized flag is KSK (Key Signing Key) DNSKEY.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-h</term>
+ <listitem>
+ <para>
+ Prints a short summary of the options and arguments to
+ <command>dnssec-keygen</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-k</term>
+ <listitem>
+ <para>
+ Generate KEY records rather than DNSKEY records.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-p <replaceable class="parameter">protocol</replaceable></term>
+ <listitem>
+ <para>
+ Sets the protocol value for the generated key. The protocol
+ is a number between 0 and 255. The default is 3 (DNSSEC).
+ Other possible values for this argument are listed in
+ RFC 2535 and its successors.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-t <replaceable class="parameter">type</replaceable></term>
+ <listitem>
+ <para>
+ Indicates the use of the key. <option>type</option> must be
+ one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
+ is AUTHCONF. AUTH refers to the ability to authenticate
+ data, and CONF the ability to encrypt data.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-v <replaceable class="parameter">level</replaceable></term>
+ <listitem>
+ <para>
+ Sets the debugging level.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>GENERATED KEY FILES</title>
+ <para>
+ When <command>dnssec-keyfromlabel</command> completes
+ successfully,
+ it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
+ to the standard output. This is an identification string for
+ the key files it has generated.
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para><filename>nnnn</filename> is the key name.
+ </para>
+ </listitem>
+ <listitem>
+ <para><filename>aaa</filename> is the numeric representation
+ of the
+ algorithm.
+ </para>
+ </listitem>
+ <listitem>
+ <para><filename>iiiii</filename> is the key identifier (or
+ footprint).
+ </para>
+ </listitem>
+ </itemizedlist>
+ <para><command>dnssec-keyfromlabel</command>
+ creates two files, with names based
+ on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
+ contains the public key, and
+ <filename>Knnnn.+aaa+iiiii.private</filename> contains the
+ private
+ key.
+ </para>
+ <para>
+ The <filename>.key</filename> file contains a DNS KEY record
+ that
+ can be inserted into a zone file (directly or with a $INCLUDE
+ statement).
+ </para>
+ <para>
+ The <filename>.private</filename> file contains algorithm
+ specific
+ fields. For obvious security reasons, this file does not have
+ general read permission.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para><citerefentry>
+ <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
+ <citetitle>RFC 2539</citetitle>,
+ <citetitle>RFC 2845</citetitle>,
+ <citetitle>RFC 4033</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para><corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/bin/dnssec/dnssec-keyfromlabel.html b/bin/dnssec/dnssec-keyfromlabel.html
new file mode 100644
index 000000000000..cbea64b8d75f
--- /dev/null
+++ b/bin/dnssec/dnssec-keyfromlabel.html
@@ -0,0 +1,171 @@
+<!--
+ - Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: dnssec-keyfromlabel.html,v 1.5 2008/10/15 01:11:35 tbox Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dnssec-keyfromlabel</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">dnssec-keyfromlabel</span> &#8212; DNSSEC key generation tool</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-k</code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543413"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
+ gets keys with the given label from a crypto hardware and builds
+ key files for DNSSEC (Secure DNS), as defined in RFC 2535
+ and RFC 4034.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543425"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
+<dd>
+<p>
+ Selects the cryptographic algorithm. The value of
+ <code class="option">algorithm</code> must be one of RSAMD5 (RSA)
+ or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman).
+ These values are case insensitive.
+ </p>
+<p>
+ Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
+ algorithm, and DSA is recommended.
+ </p>
+<p>
+ Note 2: DH automatically sets the -k flag.
+ </p>
+</dd>
+<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
+<dd><p>
+ Specifies the label of keys in the crypto hardware
+ (PKCS#11 device).
+ </p></dd>
+<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
+<dd><p>
+ Specifies the owner type of the key. The value of
+ <code class="option">nametype</code> must either be ZONE (for a DNSSEC
+ zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
+ a host (KEY)),
+ USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
+ These values are
+ case insensitive.
+ </p></dd>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
+<dd><p>
+ Indicates that the DNS record containing the key should have
+ the specified class. If not specified, class IN is used.
+ </p></dd>
+<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
+<dd><p>
+ Set the specified flag in the flag field of the KEY/DNSKEY record.
+ The only recognized flag is KSK (Key Signing Key) DNSKEY.
+ </p></dd>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+ Prints a short summary of the options and arguments to
+ <span><strong class="command">dnssec-keygen</strong></span>.
+ </p></dd>
+<dt><span class="term">-k</span></dt>
+<dd><p>
+ Generate KEY records rather than DNSKEY records.
+ </p></dd>
+<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
+<dd><p>
+ Sets the protocol value for the generated key. The protocol
+ is a number between 0 and 255. The default is 3 (DNSSEC).
+ Other possible values for this argument are listed in
+ RFC 2535 and its successors.
+ </p></dd>
+<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
+<dd><p>
+ Indicates the use of the key. <code class="option">type</code> must be
+ one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
+ is AUTHCONF. AUTH refers to the ability to authenticate
+ data, and CONF the ability to encrypt data.
+ </p></dd>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dd><p>
+ Sets the debugging level.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543619"></a><h2>GENERATED KEY FILES</h2>
+<p>
+ When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
+ successfully,
+ it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
+ to the standard output. This is an identification string for
+ the key files it has generated.
+ </p>
+<div class="itemizedlist"><ul type="disc">
+<li><p><code class="filename">nnnn</code> is the key name.
+ </p></li>
+<li><p><code class="filename">aaa</code> is the numeric representation
+ of the
+ algorithm.
+ </p></li>
+<li><p><code class="filename">iiiii</code> is the key identifier (or
+ footprint).
+ </p></li>
+</ul></div>
+<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
+ creates two files, with names based
+ on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
+ contains the public key, and
+ <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
+ private
+ key.
+ </p>
+<p>
+ The <code class="filename">.key</code> file contains a DNS KEY record
+ that
+ can be inserted into a zone file (directly or with a $INCLUDE
+ statement).
+ </p>
+<p>
+ The <code class="filename">.private</code> file contains algorithm
+ specific
+ fields. For obvious security reasons, this file does not have
+ general read permission.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543691"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+ <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+ <em class="citetitle">RFC 2539</em>,
+ <em class="citetitle">RFC 2845</em>,
+ <em class="citetitle">RFC 4033</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543731"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div></body>
+</html>
diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8
index e667ba9b08e6..13db3d9db149 100644
--- a/bin/dnssec/dnssec-keygen.8
+++ b/bin/dnssec/dnssec-keygen.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dnssec-keygen.8,v 1.23.18.16 2008/10/16 01:29:40 tbox Exp $
+.\" $Id: dnssec-keygen.8,v 1.40 2008/10/15 01:11:35 tbox Exp $
.\"
.hy 0
.ad l
@@ -44,7 +44,7 @@ generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It
.RS 4
Selects the cryptographic algorithm. The value of
\fBalgorithm\fR
-must be one of RSAMD5 (RSA) or RSASHA1, DSA, DH (Diffie Hellman), or HMAC\-MD5. These values are case insensitive.
+must be one of RSAMD5 (RSA) or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC\-MD5. These values are case insensitive.
.sp
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. For TSIG, HMAC\-MD5 is mandatory.
.sp
@@ -60,7 +60,7 @@ Specifies the number of bits in the key. The choice of key size depends on the a
.RS 4
Specifies the owner type of the key. The value of
\fBnametype\fR
-must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive.
+must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive. Defaults to ZONE for DNSKEY generation.
.RE
.PP
\-c \fIclass\fR
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index 0b57f6d9b0e3..614d388eb7e2 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -1,6 +1,19 @@
/*
- * Portions Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
* Portions Copyright (C) 1995-2000 by Network Associates, Inc.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -16,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-keygen.c,v 1.66.18.10 2007/08/28 07:19:55 tbox Exp $ */
+/* $Id: dnssec-keygen.c,v 1.81 2008/09/25 04:02:38 tbox Exp $ */
/*! \file */
@@ -49,8 +62,9 @@
const char *program = "dnssec-keygen";
int verbose;
-static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 | HMAC-MD5 |"
- " HMAC-SHA1 | HMAC-SHA224 | HMAC-SHA256 | "
+static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 | NSEC3DSA |"
+ " NSEC3RSASHA1 | HMAC-MD5 |"
+ " HMAC-SHA1 | HMAC-SHA224 | HMAC-SHA256 |"
" HMAC-SHA384 | HMAC-SHA512";
static isc_boolean_t
@@ -61,7 +75,7 @@ dsa_size_ok(int size) {
static void
usage(void) {
fprintf(stderr, "Usage:\n");
- fprintf(stderr, " %s -a alg -b bits -n type [options] name\n\n",
+ fprintf(stderr, " %s -a alg -b bits [-n type] [options] name\n\n",
program);
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "Required options:\n");
@@ -69,8 +83,10 @@ usage(void) {
fprintf(stderr, " -b key size, in bits:\n");
fprintf(stderr, " RSAMD5:\t\t[512..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA1:\t\t[512..%d]\n", MAX_RSA);
+ fprintf(stderr, " NSEC3RSASHA1:\t\t[512..%d]\n", MAX_RSA);
fprintf(stderr, " DH:\t\t[128..4096]\n");
fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n");
+ fprintf(stderr, " NSEC3DSA:\t\t[512..1024] and divisible by 64\n");
fprintf(stderr, " HMAC-MD5:\t[1..512]\n");
fprintf(stderr, " HMAC-SHA1:\t[1..160]\n");
fprintf(stderr, " HMAC-SHA224:\t[1..224]\n");
@@ -78,6 +94,7 @@ usage(void) {
fprintf(stderr, " HMAC-SHA384:\t[1..384]\n");
fprintf(stderr, " HMAC-SHA512:\t[1..512]\n");
fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
+ fprintf(stderr, " (DNSKEY generation defaults to ZONE\n");
fprintf(stderr, " name: owner of the key\n");
fprintf(stderr, "Other options:\n");
fprintf(stderr, " -c <class> (default: IN)\n");
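Review bot: The new usage line opens a parenthesis that is never closed, so the help text prints as `(DNSKEY generation defaults to ZONE`; the string should read `fprintf(stderr, "              (DNSKEY generation defaults to ZONE)\n");`. Since this text is also what the man page and docbook now promise, the wording should match them ("Defaults to ZONE for DNSKEY generation") rather than introducing a third phrasing. usage() begins before this hunk and its tail is outside it.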
@@ -134,8 +151,10 @@ main(int argc, char **argv) {
dns_result_register();
+ isc_commandline_errprint = ISC_FALSE;
+
while ((ch = isc_commandline_parse(argc, argv,
- "a:b:c:d:ef:g:kn:t:p:s:r:v:h")) != -1)
+ "a:b:c:d:ef:g:kn:t:p:s:r:v:h")) != -1)
{
switch (ch) {
case 'a':
@@ -202,12 +221,17 @@ main(int argc, char **argv) {
fatal("-v must be followed by a number");
break;
+ case '?':
+ if (isc_commandline_option != '?')
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, isc_commandline_option);
case 'h':
usage();
+
default:
- fprintf(stderr, "%s: invalid argument -%c\n",
- program, ch);
- usage();
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ program, isc_commandline_option);
+ exit(1);
}
}
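Review bot: The new `case '?':` arm has no `break`, so after printing "invalid argument" it falls into `case 'h':` and relies on usage() to terminate the process; that intent is not stated anywhere, and a reader (or `-Wimplicit-fallthrough`) cannot tell it from an omission. Add `/* FALLTHROUGH */` on the line before `case 'h':`, and likewise after `usage();` if the drop into `default:` is meant to be unreachable. If usage() does not exit, `-h` would now print "unhandled option -h" and `exit(1)` — the old default branch also depended on usage() exiting, so this is presumably safe, but it deserves the comment. The enclosing option loop continues outside this hunk.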
@@ -282,6 +306,7 @@ main(int argc, char **argv) {
switch (alg) {
case DNS_KEYALG_RSAMD5:
case DNS_KEYALG_RSASHA1:
+ case DNS_KEYALG_NSEC3RSASHA1:
if (size != 0 && (size < 512 || size > MAX_RSA))
fatal("RSA key size %d out of range", size);
break;
@@ -290,6 +315,7 @@ main(int argc, char **argv) {
fatal("DH key size %d out of range", size);
break;
case DNS_KEYALG_DSA:
+ case DNS_KEYALG_NSEC3DSA:
if (size != 0 && !dsa_size_ok(size))
fatal("invalid DSS key size: %d", size);
break;
@@ -349,18 +375,20 @@ main(int argc, char **argv) {
break;
}
- if (!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1) &&
- rsa_exp != 0)
+ if (!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1 ||
+ alg == DNS_KEYALG_NSEC3RSASHA1) && rsa_exp != 0)
fatal("specified RSA exponent for a non-RSA key");
if (alg != DNS_KEYALG_DH && generator != 0)
fatal("specified DH generator for a non-DH key");
- if (nametype == NULL)
- fatal("no nametype specified");
- if (strcasecmp(nametype, "zone") == 0)
+ if (nametype == NULL) {
+ if ((options & DST_TYPE_KEY) != 0) /* KEY / HMAC */
+ fatal("no nametype specified");
+ flags |= DNS_KEYOWNER_ZONE; /* DNSKEY */
+ } else if (strcasecmp(nametype, "zone") == 0)
flags |= DNS_KEYOWNER_ZONE;
- else if ((options & DST_TYPE_KEY) != 0) { /* KEY */
+ else if ((options & DST_TYPE_KEY) != 0) { /* KEY / HMAC */
if (strcasecmp(nametype, "host") == 0 ||
strcasecmp(nametype, "entity") == 0)
flags |= DNS_KEYOWNER_ENTITY;
@@ -373,7 +401,7 @@ main(int argc, char **argv) {
rdclass = strtoclass(classname);
- if ((options & DST_TYPE_KEY) != 0) /* KEY */
+ if ((options & DST_TYPE_KEY) != 0) /* KEY / HMAC */
flags |= signatory;
else if ((flags & DNS_KEYOWNER_ZONE) != 0) /* DNSKEY */
flags |= ksk;
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
index ec7b69be2f42..c267a1b4c25f 100644
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-keygen.docbook,v 1.7.18.13 2008/10/15 23:46:06 tbox Exp $ -->
+<!-- $Id: dnssec-keygen.docbook,v 1.22 2008/10/14 14:32:50 jreed Exp $ -->
<refentry id="man.dnssec-keygen">
<refentryinfo>
<date>June 30, 2000</date>
@@ -92,13 +92,13 @@
<para>
Selects the cryptographic algorithm. The value of
<option>algorithm</option> must be one of RSAMD5 (RSA) or RSASHA1,
- DSA, DH (Diffie Hellman), or HMAC-MD5. These values
- are case insensitive.
+ DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC-MD5.
+ These values are case insensitive.
</para>
<para>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
- algorithm,
- and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
+ algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
+ mandatory.
</para>
<para>
Note 2: HMAC-MD5 and DH automatically set the -k flag.
@@ -130,8 +130,8 @@
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
- These values are
- case insensitive.
+ These values are case insensitive. Defaults to ZONE for DNSKEY
+ generation.
</para>
</listitem>
</varlistentry>
diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html
index e0b0bfe059aa..696ef88c3701 100644
--- a/bin/dnssec/dnssec-keygen.html
+++ b/bin/dnssec/dnssec-keygen.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-keygen.html,v 1.9.18.22 2008/10/16 01:29:40 tbox Exp $ -->
+<!-- $Id: dnssec-keygen.html,v 1.32 2008/10/15 01:11:35 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -47,13 +47,13 @@
<p>
Selects the cryptographic algorithm. The value of
<code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1,
- DSA, DH (Diffie Hellman), or HMAC-MD5. These values
- are case insensitive.
+ DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC-MD5.
+ These values are case insensitive.
</p>
<p>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
- algorithm,
- and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
+ algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
+ mandatory.
</p>
<p>
Note 2: HMAC-MD5 and DH automatically set the -k flag.
@@ -76,8 +76,8 @@
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
- These values are
- case insensitive.
+ These values are case insensitive. Defaults to ZONE for DNSKEY
+ generation.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
diff --git a/bin/dnssec/dnssec-signzone.8 b/bin/dnssec/dnssec-signzone.8
index 680960ae8928..ca0ed36d4c22 100644
--- a/bin/dnssec/dnssec-signzone.8
+++ b/bin/dnssec/dnssec-signzone.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dnssec-signzone.8,v 1.28.18.19 2008/10/16 01:29:40 tbox Exp $
+.\" $Id: dnssec-signzone.8,v 1.47 2008/10/15 01:11:35 tbox Exp $
.\"
.hy 0
.ad l
@@ -33,7 +33,7 @@
dnssec\-signzone \- DNSSEC zone signing tool
.SH "SYNOPSIS"
.HP 16
-\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-t\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {zonefile} [key...]
+\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-t\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...]
.SH "DESCRIPTION"
.PP
\fBdnssec\-signzone\fR
@@ -212,6 +212,21 @@ Sets the debugging level.
Ignore KSK flag on key when determining what to sign.
.RE
.PP
+\-3 \fIsalt\fR
+.RS 4
+Generate a NSEC3 chain with the given hex encoded salt. A dash (\fIsalt\fR) can be used to indicate that no salt is to be used when generating the NSEC3 chain.
+.RE
+.PP
+\-H \fIiterations\fR
+.RS 4
+When generating a NSEC3 chain use this many interations. The default is 100.
+.RE
+.PP
+\-A
+.RS 4
+When generating a NSEC3 chain set the OPTOUT flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations.
+.RE
+.PP
zonefile
.RS 4
The file containing the zone to be signed.
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 9b4916910440..1da280f711f6 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -1,6 +1,19 @@
/*
- * Portions Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
* Portions Copyright (C) 1995-2000 by Network Associates, Inc.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -16,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-signzone.c,v 1.177.18.26 2008/06/02 23:46:01 tbox Exp $ */
+/* $Id: dnssec-signzone.c,v 1.209.12.3 2009/01/18 23:25:15 marka Exp $ */
/*! \file */
@@ -26,11 +39,13 @@
#include <time.h>
#include <isc/app.h>
+#include <isc/base32.h>
#include <isc/commandline.h>
#include <isc/entropy.h>
#include <isc/event.h>
#include <isc/file.h>
#include <isc/hash.h>
+#include <isc/hex.h>
#include <isc/mem.h>
#include <isc/mutex.h>
#include <isc/os.h>
@@ -38,10 +53,11 @@
#include <isc/random.h>
#include <isc/serial.h>
#include <isc/stdio.h>
+#include <isc/stdlib.h>
#include <isc/string.h>
#include <isc/task.h>
-#include <isc/util.h>
#include <isc/time.h>
+#include <isc/util.h>
#include <dns/db.h>
#include <dns/dbiterator.h>
@@ -54,7 +70,9 @@
#include <dns/master.h>
#include <dns/masterdump.h>
#include <dns/nsec.h>
+#include <dns/nsec3.h>
#include <dns/rdata.h>
+#include <dns/rdatalist.h>
#include <dns/rdataset.h>
#include <dns/rdataclass.h>
#include <dns/rdatasetiter.h>
@@ -71,6 +89,13 @@
const char *program = "dnssec-signzone";
int verbose;
+typedef struct hashlist hashlist_t;
+
+static int nsec_datatype = dns_rdatatype_nsec;
+
+#define IS_NSEC3 (nsec_datatype == dns_rdatatype_nsec3)
+#define OPTOUT(x) (((x) & DNS_NSEC3FLAG_OPTOUT) != 0)
+
#define BUFSIZE 2048
#define MAXDSKEYS 8
@@ -125,6 +150,7 @@ static dns_dbversion_t *gversion; /* The database version */
static dns_dbiterator_t *gdbiter; /* The database iterator */
static dns_rdataclass_t gclass; /* The class */
static dns_name_t *gorigin; /* The database origin */
+static int nsec3flags = 0;
static isc_task_t *master = NULL;
static unsigned int ntasks = 0;
static isc_boolean_t shuttingdown = ISC_FALSE, finished = ISC_FALSE;
@@ -136,6 +162,8 @@ static dns_name_t *dlv = NULL;
static dns_fixedname_t dlv_fixed;
static dns_master_style_t *dsstyle = NULL;
static unsigned int serialformat = SOA_SERIAL_KEEP;
+static unsigned int hash_length = 0;
+static isc_boolean_t unknownalg = ISC_FALSE;
#define INCSTAT(counter) \
if (printstats) { \
@@ -147,19 +175,8 @@ static unsigned int serialformat = SOA_SERIAL_KEEP;
static void
sign(isc_task_t *task, isc_event_t *event);
-
-static inline void
-set_bit(unsigned char *array, unsigned int index, unsigned int bit) {
- unsigned int shift, mask;
-
- shift = 7 - (index % 8);
- mask = 1 << shift;
-
- if (bit != 0)
- array[index / 8] |= mask;
- else
- array[index / 8] &= (~mask & 0xFF);
-}
+static isc_boolean_t
+nsec3only(dns_dbnode_t *node);
static void
dumpnode(dns_name_t *name, dns_dbnode_t *node) {
@@ -549,6 +566,169 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
isc_mem_put(mctx, nowsignedby, arraysize * sizeof(isc_boolean_t));
}
+struct hashlist {
+ unsigned char *hashbuf;
+ size_t entries;
+ size_t size;
+ size_t length;
+};
+
+static void
+hashlist_init(hashlist_t *l, unsigned int nodes, unsigned int length) {
+
+ l->entries = 0;
+ l->length = length + 1;
+
+ if (nodes != 0) {
+ l->size = nodes;
+ l->hashbuf = malloc(l->size * l->length);
+ if (l->hashbuf == NULL)
+ l->size = 0;
+ } else {
+ l->size = 0;
+ l->hashbuf = NULL;
+ }
+}
+
+static void
+hashlist_add(hashlist_t *l, const unsigned char *hash, size_t len)
+{
+
+ REQUIRE(len <= l->length);
+
+ if (l->entries == l->size) {
+ l->size = l->size * 2 + 100;
+ l->hashbuf = realloc(l->hashbuf, l->size * l->length);
+ }
+ memset(l->hashbuf + l->entries * l->length, 0, l->length);
+ memcpy(l->hashbuf + l->entries * l->length, hash, len);
+ l->entries++;
+}
+
+static void
+hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
+ unsigned int hashalg, unsigned int iterations,
+ const unsigned char *salt, size_t salt_length,
+ isc_boolean_t speculative)
+{
+ char nametext[DNS_NAME_FORMATSIZE];
+ unsigned char hash[NSEC3_MAX_HASH_LENGTH + 1];
+ unsigned int len;
+ size_t i;
+
+ len = isc_iterated_hash(hash, hashalg, iterations, salt, salt_length,
+ name->ndata, name->length);
+ if (verbose) {
+ dns_name_format(name, nametext, sizeof nametext);
+ for (i = 0 ; i < len; i++)
+ fprintf(stderr, "%02x", hash[i]);
+ fprintf(stderr, " %s\n", nametext);
+ }
+ hash[len++] = speculative ? 1 : 0;
+ hashlist_add(l, hash, len);
+}
+
+static int
+hashlist_comp(const void *a, const void *b) {
+ return (memcmp(a, b, hash_length + 1));
+}
+
+static void
+hashlist_sort(hashlist_t *l) {
+ qsort(l->hashbuf, l->entries, l->length, hashlist_comp);
+}
+
+static isc_boolean_t
+hashlist_hasdup(hashlist_t *l) {
+ unsigned char *current;
+ unsigned char *next = l->hashbuf;
+ size_t entries = l->entries;
+
+ /*
+ * Skip initial speculative wild card hashs.
+ */
+ while (entries > 0U && next[l->length-1] != 0U) {
+ next += l->length;
+ entries--;
+ }
+
+ current = next;
+ while (entries-- > 1U) {
+ next += l->length;
+ if (next[l->length-1] != 0)
+ continue;
+ if (memcmp(current, next, l->length - 1) == 0)
+ return (ISC_TRUE);
+ current = next;
+ }
+ return (ISC_FALSE);
+}
+
+static const unsigned char *
+hashlist_findnext(const hashlist_t *l,
+ const unsigned char hash[NSEC3_MAX_HASH_LENGTH])
+{
+ unsigned int entries = l->entries;
+ const unsigned char *next = bsearch(hash, l->hashbuf, l->entries,
+ l->length, hashlist_comp);
+ INSIST(next != NULL);
+
+ do {
+ if (next < l->hashbuf + (l->entries - 1) * l->length)
+ next += l->length;
+ else
+ next = l->hashbuf;
+ if (next[l->length - 1] == 0)
+ break;
+ } while (entries-- > 1);
+ INSIST(entries != 0);
+ return (next);
+}
+
+static isc_boolean_t
+hashlist_exists(const hashlist_t *l,
+ const unsigned char hash[NSEC3_MAX_HASH_LENGTH])
+{
+ if (bsearch(hash, l->hashbuf, l->entries, l->length, hashlist_comp))
+ return (ISC_TRUE);
+ else
+ return (ISC_FALSE);
+}
+
+static void
+addnowildcardhash(hashlist_t *l, /*const*/ dns_name_t *name,
+ unsigned int hashalg, unsigned int iterations,
+ const unsigned char *salt, size_t salt_length)
+{
+ dns_fixedname_t fixed;
+ dns_name_t *wild;
+ dns_dbnode_t *node = NULL;
+ isc_result_t result;
+ char namestr[DNS_NAME_FORMATSIZE];
+
+ dns_fixedname_init(&fixed);
+ wild = dns_fixedname_name(&fixed);
+
+ result = dns_name_concatenate(dns_wildcardname, name, wild, NULL);
+ if (result == ISC_R_NOSPACE)
+ return;
+ check_result(result,"addnowildcardhash: dns_name_concatenate()");
+
+ result = dns_db_findnode(gdb, wild, ISC_FALSE, &node);
+ if (result == ISC_R_SUCCESS) {
+ dns_db_detachnode(gdb, &node);
+ return;
+ }
+
+ if (verbose) {
+ dns_name_format(wild, namestr, sizeof(namestr));
+ fprintf(stderr, "adding no-wildcardhash for %s\n", namestr);
+ }
+
+ hashlist_add_dns_name(l, wild, hashalg, iterations, salt, salt_length,
+ ISC_TRUE);
+}
+
static void
opendb(const char *prefix, dns_name_t *name, dns_rdataclass_t rdclass,
dns_db_t **dbp)
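Review bot: hashlist_add assigns `realloc()` straight back into `l->hashbuf` without checking the result, so on allocation failure the old buffer leaks and the following `memset`/`memcpy` write through a NULL pointer; use a temporary, e.g. `unsigned char *tmp = realloc(l->hashbuf, l->size * l->length);` / `if (tmp == NULL) fatal("hashlist: out of memory");` / `l->hashbuf = tmp;`. The same function grows `l->size * l->length` without an overflow check, and hashlist_init quietly resets `size` to 0 on malloc failure rather than reporting it, so a very large zone degrades silently into the unchecked realloc path. Separately, hashlist_comp compares `hash_length + 1` bytes from the file-scope global while the list itself carries `l->length`; a short comment at hashlist_comp stating that callers must keep `hash_length + 1 == l->length` would make that coupling explicit for qsort/bsearch users.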
@@ -665,91 +845,6 @@ loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) {
}
static isc_boolean_t
-nsec_setbit(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdatatype_t type,
- unsigned int val)
-{
- isc_result_t result;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_nsec_t nsec;
- unsigned int newlen;
- unsigned char bitmap[8192 + 512];
- unsigned char nsecdata[8192 + 512 + DNS_NAME_MAXWIRE];
- isc_boolean_t answer = ISC_FALSE;
- unsigned int i, len, window;
- int octet;
-
- result = dns_rdataset_first(rdataset);
- check_result(result, "dns_rdataset_first()");
- dns_rdataset_current(rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &nsec, NULL);
- check_result(result, "dns_rdata_tostruct");
-
- INSIST(nsec.len <= sizeof(bitmap));
-
- newlen = 0;
-
- memset(bitmap, 0, sizeof(bitmap));
- for (i = 0; i < nsec.len; i += len) {
- INSIST(i + 2 <= nsec.len);
- window = nsec.typebits[i];
- len = nsec.typebits[i+1];
- i += 2;
- INSIST(len > 0 && len <= 32);
- INSIST(i + len <= nsec.len);
- memmove(&bitmap[window * 32 + 512], &nsec.typebits[i], len);
- }
- set_bit(bitmap + 512, type, val);
- for (window = 0; window < 256; window++) {
- for (octet = 31; octet >= 0; octet--)
- if (bitmap[window * 32 + 512 + octet] != 0)
- break;
- if (octet < 0)
- continue;
- bitmap[newlen] = window;
- bitmap[newlen + 1] = octet + 1;
- newlen += 2;
- /*
- * Overlapping move.
- */
- memmove(&bitmap[newlen], &bitmap[window * 32 + 512], octet + 1);
- newlen += octet + 1;
- }
- if (newlen != nsec.len ||
- memcmp(nsec.typebits, bitmap, newlen) != 0) {
- dns_rdata_t newrdata = DNS_RDATA_INIT;
- isc_buffer_t b;
- dns_diff_t diff;
- dns_difftuple_t *tuple = NULL;
-
- dns_diff_init(mctx, &diff);
- result = dns_difftuple_create(mctx, DNS_DIFFOP_DEL, name,
- rdataset->ttl, &rdata, &tuple);
- check_result(result, "dns_difftuple_create");
- dns_diff_append(&diff, &tuple);
-
- nsec.typebits = bitmap;
- nsec.len = newlen;
- isc_buffer_init(&b, nsecdata, sizeof(nsecdata));
- result = dns_rdata_fromstruct(&newrdata, rdata.rdclass,
- dns_rdatatype_nsec, &nsec,
- &b);
- check_result(result, "dns_rdata_fromstruct");
-
- result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
- name, rdataset->ttl,
- &newrdata, &tuple);
- check_result(result, "dns_difftuple_create");
- dns_diff_append(&diff, &tuple);
- result = dns_diff_apply(&diff, gdb, gversion);
- check_result(result, "dns_difftuple_apply");
- dns_diff_clear(&diff);
- answer = ISC_TRUE;
- }
- dns_rdata_freestruct(&nsec);
- return (answer);
-}
-
-static isc_boolean_t
delegation(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp) {
dns_rdataset_t nsset;
isc_result_t result;
@@ -769,10 +864,25 @@ delegation(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp) {
return (ISC_TF(result == ISC_R_SUCCESS));
}
+static isc_boolean_t
+secure(dns_name_t *name, dns_dbnode_t *node) {
+ dns_rdataset_t dsset;
+ isc_result_t result;
+
+ if (dns_name_equal(name, gorigin))
+ return (ISC_FALSE);
+
+ dns_rdataset_init(&dsset);
+ result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_ds,
+ 0, 0, &dsset, NULL);
+ if (dns_rdataset_isassociated(&dsset))
+ dns_rdataset_disassociate(&dsset);
+
+ return (ISC_TF(result == ISC_R_SUCCESS));
+}
+
/*%
- * Signs all records at a name. This mostly just signs each set individually,
- * but also adds the RRSIG bit to any NSECs generated earlier, deals with
- * parent/child KEY signatures, and handles other exceptional cases.
+ * Signs all records at a name.
*/
static void
signname(dns_dbnode_t *node, dns_name_t *name) {
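Review bot: The new secure() helper has no doc comment, while the neighbouring functions in this file carry `/*% ... */` descriptions; its contract (a DS RRset found via dns_db_findrdataset means "secure", and the zone apex is always reported as not secure) is exactly the kind of thing a reader of the NSEC3 opt-out logic needs spelled out. Suggest, above `static isc_boolean_t secure(...)`: `/*% Returns ISC_TRUE if 'node' (a delegation point) has a DS RRset, i.e. the delegation is secure. The zone apex is never considered secure here. */`. The rewritten signname() comment dropped the description of what the function does beyond "signs all records"; a sentence noting it also handles delegation points would keep that documentation intact.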
@@ -780,89 +890,19 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
dns_rdataset_t rdataset;
dns_rdatasetiter_t *rdsiter;
isc_boolean_t isdelegation = ISC_FALSE;
- isc_boolean_t hasds = ISC_FALSE;
- isc_boolean_t changed = ISC_FALSE;
dns_diff_t del, add;
char namestr[DNS_NAME_FORMATSIZE];
- isc_uint32_t nsttl = 0;
+ dns_rdataset_init(&rdataset);
dns_name_format(name, namestr, sizeof(namestr));
/*
* Determine if this is a delegation point.
*/
- if (delegation(name, node, &nsttl))
+ if (delegation(name, node, NULL))
isdelegation = ISC_TRUE;
/*
- * If this is a delegation point, look for a DS set.
- */
- if (isdelegation) {
- dns_rdataset_t dsset;
- dns_rdataset_t sigdsset;
-
- dns_rdataset_init(&dsset);
- dns_rdataset_init(&sigdsset);
- result = dns_db_findrdataset(gdb, node, gversion,
- dns_rdatatype_ds,
- 0, 0, &dsset, &sigdsset);
- if (result == ISC_R_SUCCESS) {
- dns_rdataset_disassociate(&dsset);
- if (generateds) {
- result = dns_db_deleterdataset(gdb, node,
- gversion,
- dns_rdatatype_ds,
- 0);
- check_result(result, "dns_db_deleterdataset");
- } else
- hasds = ISC_TRUE;
- }
- if (generateds) {
- result = loadds(name, nsttl, &dsset);
- if (result == ISC_R_SUCCESS) {
- result = dns_db_addrdataset(gdb, node,
- gversion, 0,
- &dsset, 0, NULL);
- check_result(result, "dns_db_addrdataset");
- hasds = ISC_TRUE;
- dns_rdataset_disassociate(&dsset);
- if (dns_rdataset_isassociated(&sigdsset))
- dns_rdataset_disassociate(&sigdsset);
- } else if (dns_rdataset_isassociated(&sigdsset)) {
- result = dns_db_deleterdataset(gdb, node,
- gversion,
- dns_rdatatype_rrsig,
- dns_rdatatype_ds);
- check_result(result, "dns_db_deleterdataset");
- dns_rdataset_disassociate(&sigdsset);
- }
- } else if (dns_rdataset_isassociated(&sigdsset))
- dns_rdataset_disassociate(&sigdsset);
- }
-
- /*
- * Make sure that NSEC bits are appropriately set.
- */
- dns_rdataset_init(&rdataset);
- RUNTIME_CHECK(dns_db_findrdataset(gdb, node, gversion,
- dns_rdatatype_nsec, 0, 0, &rdataset,
- NULL) == ISC_R_SUCCESS);
- if (!nokeys)
- changed = nsec_setbit(name, &rdataset, dns_rdatatype_rrsig, 1);
- if (changed) {
- dns_rdataset_disassociate(&rdataset);
- RUNTIME_CHECK(dns_db_findrdataset(gdb, node, gversion,
- dns_rdatatype_nsec, 0, 0,
- &rdataset,
- NULL) == ISC_R_SUCCESS);
- }
- if (hasds)
- (void)nsec_setbit(name, &rdataset, dns_rdatatype_ds, 1);
- else
- (void)nsec_setbit(name, &rdataset, dns_rdatatype_ds, 0);
- dns_rdataset_disassociate(&rdataset);
-
- /*
* Now iterate through the rdatasets.
*/
dns_diff_init(mctx, &del);
@@ -884,7 +924,7 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
* isn't a DS record.
*/
if (isdelegation) {
- if (rdataset.type != dns_rdatatype_nsec &&
+ if (rdataset.type != nsec_datatype &&
rdataset.type != dns_rdatatype_ds)
goto skip;
} else if (rdataset.type == dns_rdatatype_ds) {
@@ -938,6 +978,7 @@ active_node(dns_dbnode_t *node) {
while (result == ISC_R_SUCCESS) {
dns_rdatasetiter_current(rdsiter, &rdataset);
if (rdataset.type != dns_rdatatype_nsec &&
+ rdataset.type != dns_rdatatype_nsec3 &&
rdataset.type != dns_rdatatype_rrsig)
active = ISC_TRUE;
dns_rdataset_disassociate(&rdataset);
@@ -950,7 +991,7 @@ active_node(dns_dbnode_t *node) {
fatal("rdataset iteration failed: %s",
isc_result_totext(result));
- if (!active) {
+ if (!active && nsec_datatype == dns_rdatatype_nsec) {
/*%
* The node is empty of everything but NSEC / RRSIG records.
*/
@@ -1009,6 +1050,32 @@ active_node(dns_dbnode_t *node) {
fatal("rdataset iteration failed: %s",
isc_result_totext(result));
dns_rdatasetiter_destroy(&rdsiter2);
+
+#if 0
+ /*
+ * Delete all NSEC records and RRSIG(NSEC) if we are in
+ * NSEC3 mode and vica versa.
+ */
+ for (result = dns_rdatasetiter_first(rdsiter2);
+ result == ISC_R_SUCCESS;
+ result = dns_rdatasetiter_next(rdsiter2)) {
+ dns_rdatasetiter_current(rdsiter, &rdataset);
+ type = rdataset.type;
+ covers = rdataset.covers;
+ if (type == dns_rdatatype_rrsig)
+ type = covers;
+ dns_rdataset_disassociate(&rdataset);
+ if (type == nsec_datatype ||
+ (type != dns_rdatatype_nsec &&
+ type != dns_rdatatype_nsec3))
+ continue;
+ if (covers != 0)
+ type = dns_rdatatype_rrsig;
+ result = dns_db_deleterdataset(gdb, node, gversion,
+ type, covers);
+ check_result(result, "dns_db_deleterdataset()");
+ }
+#endif
}
dns_rdatasetiter_destroy(&rdsiter);
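Review bot: The `#if 0` block added at L8326–L8350 is dead code and already inconsistent with itself: the loop advances `rdsiter2` but `dns_rdatasetiter_current(rdsiter, &rdataset)` at L8334 reads from `rdsiter`, so enabling it as written would step one iterator while reading another. Either drop the block or correct that line to `dns_rdatasetiter_current(rdsiter2, &rdataset);` and say why it stays disabled, e.g. `/* Disabled: cross-mode NSEC/NSEC3 cleanup is not wired up yet. */`. `type` and `covers` are not declared anywhere in this hunk; whether active_node() already has them is outside the view. Related, the gate changed at L8317 now skips NSEC-only nodes when in NSEC3 mode, so whether stale NSEC records survive a re-sign with `-3` cannot be confirmed from here and deserves a test.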
@@ -1169,11 +1236,8 @@ presign(void) {
isc_result_t result;
gdbiter = NULL;
- result = dns_db_createiterator(gdb, ISC_FALSE, &gdbiter);
+ result = dns_db_createiterator(gdb, 0, &gdbiter);
check_result(result, "dns_db_createiterator()");
-
- result = dns_dbiterator_first(gdbiter);
- check_result(result, "dns_dbiterator_first()");
}
/*%
@@ -1186,6 +1250,8 @@ postsign(void) {
/*%
* Sign the apex of the zone.
+ * Note the origin may not be the first node if there are out of zone
+ * records.
*/
static void
signapex(void) {
@@ -1196,13 +1262,15 @@ signapex(void) {
dns_fixedname_init(&fixed);
name = dns_fixedname_name(&fixed);
+ result = dns_dbiterator_seek(gdbiter, gorigin);
+ check_result(result, "dns_dbiterator_seek()");
result = dns_dbiterator_current(gdbiter, &node, name);
check_result(result, "dns_dbiterator_current()");
signname(node, name);
dumpnode(name, node);
cleannode(gdb, gversion, node);
dns_db_detachnode(gdb, &node);
- result = dns_dbiterator_next(gdbiter);
+ result = dns_dbiterator_first(gdbiter);
if (result == ISC_R_NOMORE)
finished = ISC_TRUE;
else if (result != ISC_R_SUCCESS)
@@ -1223,6 +1291,8 @@ assignwork(isc_task_t *task, isc_task_t *worker) {
dns_rdataset_t nsec;
isc_boolean_t found;
isc_result_t result;
+ static dns_name_t *zonecut = NULL; /* Protected by namelock. */
+ static dns_fixedname_t fzonecut; /* Protected by namelock. */
static unsigned int ended = 0; /* Protected by namelock. */
if (shuttingdown)
@@ -1250,19 +1320,51 @@ assignwork(isc_task_t *task, isc_task_t *worker) {
if (result != ISC_R_SUCCESS)
fatal("failure iterating database: %s",
isc_result_totext(result));
+ /*
+ * The origin was handled by signapex().
+ */
+ if (dns_name_equal(name, gorigin)) {
+ dns_db_detachnode(gdb, &node);
+ goto next;
+ }
+ /*
+ * Sort the zone data from the glue and out-of-zone data.
+ * For NSEC zones nodes with zone data have NSEC records.
+ * For NSEC3 zones the NSEC3 nodes are zone data but
+ * outside of the zone name space. For the rest we need
+ * to track the bottom of zone cuts.
+ * Nodes which don't need to be signed are dumped here.
+ */
dns_rdataset_init(&nsec);
result = dns_db_findrdataset(gdb, node, gversion,
- dns_rdatatype_nsec, 0, 0,
+ nsec_datatype, 0, 0,
&nsec, NULL);
- if (result == ISC_R_SUCCESS)
- found = ISC_TRUE;
- else
- dumpnode(name, node);
if (dns_rdataset_isassociated(&nsec))
dns_rdataset_disassociate(&nsec);
- if (!found)
+ if (result == ISC_R_SUCCESS) {
+ found = ISC_TRUE;
+ } else if (nsec_datatype == dns_rdatatype_nsec3) {
+ if (dns_name_issubdomain(name, gorigin) &&
+ (zonecut == NULL ||
+ !dns_name_issubdomain(name, zonecut))) {
+ if (delegation(name, node, NULL)) {
+ dns_fixedname_init(&fzonecut);
+ zonecut = dns_fixedname_name(&fzonecut);
+ dns_name_copy(name, zonecut, NULL);
+ if (!OPTOUT(nsec3flags) ||
+ secure(name, node))
+ found = ISC_TRUE;
+ } else
+ found = ISC_TRUE;
+ }
+ }
+
+ if (!found) {
+ dumpnode(name, node);
dns_db_detachnode(gdb, &node);
+ }
+ next:
result = dns_dbiterator_next(gdbiter);
if (result == ISC_R_NOMORE) {
finished = ISC_TRUE;
@@ -1348,6 +1450,43 @@ sign(isc_task_t *task, isc_event_t *event) {
}
/*%
+ * Update / remove the DS RRset. Preserve RRSIG(DS) if possible.
+ */
+static void
+add_ds(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t nsttl) {
+ dns_rdataset_t dsset;
+ dns_rdataset_t sigdsset;
+ isc_result_t result;
+
+ dns_rdataset_init(&dsset);
+ dns_rdataset_init(&sigdsset);
+ result = dns_db_findrdataset(gdb, node, gversion,
+ dns_rdatatype_ds,
+ 0, 0, &dsset, &sigdsset);
+ if (result == ISC_R_SUCCESS) {
+ dns_rdataset_disassociate(&dsset);
+ result = dns_db_deleterdataset(gdb, node, gversion,
+ dns_rdatatype_ds, 0);
+ check_result(result, "dns_db_deleterdataset");
+ }
+ result = loadds(name, nsttl, &dsset);
+ if (result == ISC_R_SUCCESS) {
+ result = dns_db_addrdataset(gdb, node, gversion, 0,
+ &dsset, 0, NULL);
+ check_result(result, "dns_db_addrdataset");
+ dns_rdataset_disassociate(&dsset);
+ if (dns_rdataset_isassociated(&sigdsset))
+ dns_rdataset_disassociate(&sigdsset);
+ } else if (dns_rdataset_isassociated(&sigdsset)) {
+ result = dns_db_deleterdataset(gdb, node, gversion,
+ dns_rdatatype_rrsig,
+ dns_rdatatype_ds);
+ check_result(result, "dns_db_deleterdataset");
+ dns_rdataset_disassociate(&sigdsset);
+ }
+}
+
+/*%
* Generate NSEC records for the zone.
*/
static void
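Review bot: `add_ds()` documents neither `nsttl` nor the fact that any dns_db_findrdataset() result other than ISC_R_SUCCESS at L8466–L8474 is treated as "no existing DS RRset", so a lookup error is folded silently into the replace path. I would extend the header comment at L8456 along the lines of `* 'nsttl' is the TTL of the delegation's NS RRset, presumably applied by loadds() to the generated DS set. A findrdataset result other than success is treated as no DS present.` A loadds() failure is likewise silent unless an RRSIG(DS) exists; if a missing DS set is meant to be an error when `-g` is given, this is the place to report it. The body is a move of the block removed from signname(), so the behaviour itself is unchanged.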
@@ -1358,6 +1497,7 @@ nsecify(void) {
dns_name_t *name, *nextname, *zonecut;
isc_boolean_t done = ISC_FALSE;
isc_result_t result;
+ isc_uint32_t nsttl = 0;
dns_fixedname_init(&fname);
name = dns_fixedname_name(&fname);
@@ -1366,7 +1506,7 @@ nsecify(void) {
dns_fixedname_init(&fzonecut);
zonecut = NULL;
- result = dns_db_createiterator(gdb, ISC_FALSE, &dbiter);
+ result = dns_db_createiterator(gdb, DNS_DB_NONSEC3, &dbiter);
check_result(result, "dns_db_createiterator()");
result = dns_dbiterator_first(dbiter);
@@ -1374,9 +1514,11 @@ nsecify(void) {
while (!done) {
dns_dbiterator_current(dbiter, &node, name);
- if (delegation(name, node, NULL)) {
+ if (delegation(name, node, &nsttl)) {
zonecut = dns_fixedname_name(&fzonecut);
dns_name_copy(name, zonecut, NULL);
+ if (generateds)
+ add_ds(name, node, nsttl);
}
result = dns_dbiterator_next(dbiter);
nextnode = NULL;
@@ -1419,6 +1561,451 @@ nsecify(void) {
}
/*%
+ * Does this node only contain NSEC3 records or RRSIG records or is empty.
+ */
+static isc_boolean_t
+nsec3only(dns_dbnode_t *node) {
+ dns_rdatasetiter_t *rdsiter = NULL;
+ isc_result_t result;
+ dns_rdataset_t rdataset;
+ isc_boolean_t answer = ISC_TRUE;
+
+ dns_rdataset_init(&rdataset);
+ result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
+ check_result(result, "dns_db_allrdatasets()");
+ result = dns_rdatasetiter_first(rdsiter);
+ while (result == ISC_R_SUCCESS) {
+ dns_rdatasetiter_current(rdsiter, &rdataset);
+ if (rdataset.type != dns_rdatatype_nsec3 &&
+ rdataset.type != dns_rdatatype_rrsig) {
+ answer = ISC_FALSE;
+ result = ISC_R_NOMORE;
+ } else
+ result = dns_rdatasetiter_next(rdsiter);
+ dns_rdataset_disassociate(&rdataset);
+ }
+ if (result != ISC_R_NOMORE)
+ fatal("rdataset iteration failed: %s",
+ isc_result_totext(result));
+ dns_rdatasetiter_destroy(&rdsiter);
+ return (answer);
+}
+
+static void
+addnsec3param(const unsigned char *salt, size_t salt_length,
+ unsigned int iterations)
+{
+ dns_dbnode_t *node = NULL;
+ dns_rdata_nsec3param_t nsec3param;
+ unsigned char nsec3parambuf[5 + 255];
+ dns_rdatalist_t rdatalist;
+ dns_rdataset_t rdataset;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_buffer_t b;
+ isc_result_t result;
+
+ dns_rdataset_init(&rdataset);
+
+ nsec3param.common.rdclass = gclass;
+ nsec3param.common.rdtype = dns_rdatatype_nsec3param;
+ ISC_LINK_INIT(&nsec3param.common, link);
+ nsec3param.mctx = NULL;
+ nsec3param.flags = 0;
+ nsec3param.hash = unknownalg ? DNS_NSEC3_UNKNOWNALG : dns_hash_sha1;
+ nsec3param.iterations = iterations;
+ nsec3param.salt_length = salt_length;
+ DE_CONST(salt, nsec3param.salt);
+
+ isc_buffer_init(&b, nsec3parambuf, sizeof(nsec3parambuf));
+ result = dns_rdata_fromstruct(&rdata, gclass,
+ dns_rdatatype_nsec3param,
+ &nsec3param, &b);
+ rdatalist.rdclass = rdata.rdclass;
+ rdatalist.type = rdata.type;
+ rdatalist.covers = 0;
+ rdatalist.ttl = 0;
+ ISC_LIST_INIT(rdatalist.rdata);
+ ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
+ result = dns_rdatalist_tordataset(&rdatalist, &rdataset);
+ check_result(result, "dns_rdatalist_tordataset()");
+
+ result = dns_db_findnode(gdb, gorigin, ISC_TRUE, &node);
+ check_result(result, "dns_db_find(gorigin)");
+ result = dns_db_addrdataset(gdb, node, gversion, 0, &rdataset,
+ DNS_DBADD_MERGE, NULL);
+ if (result == DNS_R_UNCHANGED)
+ result = ISC_R_SUCCESS;
+ check_result(result, "addnsec3param: dns_db_addrdataset()");
+ dns_db_detachnode(gdb, &node);
+}
+
+static void
+addnsec3(dns_name_t *name, dns_dbnode_t *node,
+ const unsigned char *salt, size_t salt_length,
+ unsigned int iterations, hashlist_t *hashlist,
+ dns_ttl_t ttl)
+{
+ unsigned char hash[NSEC3_MAX_HASH_LENGTH];
+ const unsigned char *nexthash;
+ unsigned char nsec3buffer[DNS_NSEC3_BUFFERSIZE];
+ dns_fixedname_t hashname;
+ dns_rdatalist_t rdatalist;
+ dns_rdataset_t rdataset;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_result_t result;
+ dns_dbnode_t *nsec3node = NULL;
+ char namebuf[DNS_NAME_FORMATSIZE];
+ size_t hash_length;
+
+ dns_name_format(name, namebuf, sizeof(namebuf));
+
+ dns_fixedname_init(&hashname);
+ dns_rdataset_init(&rdataset);
+
+ dns_name_downcase(name, name, NULL);
+ result = dns_nsec3_hashname(&hashname, hash, &hash_length,
+ name, gorigin, dns_hash_sha1, iterations,
+ salt, salt_length);
+ check_result(result, "addnsec3: dns_nsec3_hashname()");
+ nexthash = hashlist_findnext(hashlist, hash);
+ result = dns_nsec3_buildrdata(gdb, gversion, node,
+ unknownalg ?
+ DNS_NSEC3_UNKNOWNALG : dns_hash_sha1,
+ nsec3flags, iterations,
+ salt, salt_length,
+ nexthash, ISC_SHA1_DIGESTLENGTH,
+ nsec3buffer, &rdata);
+ check_result(result, "addnsec3: dns_nsec3_buildrdata()");
+ rdatalist.rdclass = rdata.rdclass;
+ rdatalist.type = rdata.type;
+ rdatalist.covers = 0;
+ rdatalist.ttl = ttl;
+ ISC_LIST_INIT(rdatalist.rdata);
+ ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
+ result = dns_rdatalist_tordataset(&rdatalist, &rdataset);
+ check_result(result, "dns_rdatalist_tordataset()");
+ result = dns_db_findnsec3node(gdb, dns_fixedname_name(&hashname),
+ ISC_TRUE, &nsec3node);
+ check_result(result, "addnsec3: dns_db_findnode()");
+ result = dns_db_addrdataset(gdb, nsec3node, gversion, 0, &rdataset,
+ 0, NULL);
+ if (result == DNS_R_UNCHANGED)
+ result = ISC_R_SUCCESS;
+ check_result(result, "addnsec3: dns_db_addrdataset()");
+ dns_db_detachnode(gdb, &nsec3node);
+}
+
+/*%
+ * Clean out NSEC3 record and RRSIG(NSEC3) that are not in the hash list.
+ *
+ * Extract the hash from the first label of 'name' then see if it
+ * is in hashlist. If 'name' is not in the hashlist then delete the
+ * any NSEC3 records which have the same parameters as the chain we
+ * are building.
+ *
+ * XXXMPA Should we also check that it of the form <hash>.<origin>?
+ */
+static void
+nsec3clean(dns_name_t *name, dns_dbnode_t *node,
+ unsigned int hashalg, unsigned int iterations,
+ const unsigned char *salt, size_t salt_length, hashlist_t *hashlist)
+{
+ dns_label_t label;
+ dns_rdata_nsec3_t nsec3;
+ dns_rdata_t rdata, delrdata;
+ dns_rdatalist_t rdatalist;
+ dns_rdataset_t rdataset, delrdataset;
+ isc_boolean_t delete_rrsigs = ISC_FALSE;
+ isc_buffer_t target;
+ isc_result_t result;
+ unsigned char hash[NSEC3_MAX_HASH_LENGTH + 1];
+
+ /*
+ * Get the first label.
+ */
+ dns_name_getlabel(name, 0, &label);
+
+ /*
+ * We want just the label contents.
+ */
+ isc_region_consume(&label, 1);
+
+ /*
+ * Decode base32hex string.
+ */
+ isc_buffer_init(&target, hash, sizeof(hash) - 1);
+ result = isc_base32hex_decoderegion(&label, &target);
+ if (result != ISC_R_SUCCESS)
+ return;
+
+ hash[isc_buffer_usedlength(&target)] = 0;
+
+ if (hashlist_exists(hashlist, hash))
+ return;
+
+ /*
+ * Verify that the NSEC3 parameters match the current ones
+ * otherwise we are dealing with a different NSEC3 chain.
+ */
+ dns_rdataset_init(&rdataset);
+ dns_rdataset_init(&delrdataset);
+
+ result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_nsec3,
+ 0, 0, &rdataset, NULL);
+ if (result != ISC_R_SUCCESS)
+ return;
+
+ /*
+ * Delete any matching NSEC3 records which have parameters that
+ * match the NSEC3 chain we are building.
+ */
+ for (result = dns_rdataset_first(&rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&rdataset)) {
+ dns_rdata_init(&rdata);
+ dns_rdataset_current(&rdataset, &rdata);
+ dns_rdata_tostruct(&rdata, &nsec3, NULL);
+ if (nsec3.hash == hashalg &&
+ nsec3.iterations == iterations &&
+ nsec3.salt_length == salt_length &&
+ !memcmp(nsec3.salt, salt, salt_length))
+ break;
+ rdatalist.rdclass = rdata.rdclass;
+ rdatalist.type = rdata.type;
+ rdatalist.covers = 0;
+ rdatalist.ttl = rdataset.ttl;
+ ISC_LIST_INIT(rdatalist.rdata);
+ dns_rdata_init(&delrdata);
+ dns_rdata_clone(&rdata, &delrdata);
+ ISC_LIST_APPEND(rdatalist.rdata, &delrdata, link);
+ result = dns_rdatalist_tordataset(&rdatalist, &delrdataset);
+ check_result(result, "dns_rdatalist_tordataset()");
+ result = dns_db_subtractrdataset(gdb, node, gversion,
+ &delrdataset, 0, NULL);
+ dns_rdataset_disassociate(&delrdataset);
+ if (result != ISC_R_SUCCESS && result != DNS_R_UNCHANGED)
+ check_result(result, "dns_db_subtractrdataset(NSEC3)");
+ delete_rrsigs = ISC_TRUE;
+ }
+ dns_rdataset_disassociate(&rdataset);
+ if (result != ISC_R_NOMORE)
+ check_result(result, "dns_rdataset_first/next");
+
+ if (!delete_rrsigs)
+ return;
+ /*
+ * Delete the NSEC3 RRSIGs
+ */
+ result = dns_db_deleterdataset(gdb, node, gversion,
+ dns_rdatatype_rrsig,
+ dns_rdatatype_nsec3);
+ if (result != ISC_R_SUCCESS && result != DNS_R_UNCHANGED)
+ check_result(result, "dns_db_deleterdataset(RRSIG(NSEC3))");
+}
+
+/*
+ * Generate NSEC3 records for the zone.
+ */
+static void
+nsec3ify(unsigned int hashalg, unsigned int iterations,
+ const unsigned char *salt, size_t salt_length, hashlist_t *hashlist)
+{
+ dns_dbiterator_t *dbiter = NULL;
+ dns_dbnode_t *node = NULL, *nextnode = NULL;
+ dns_fixedname_t fname, fnextname, fzonecut;
+ dns_name_t *name, *nextname, *zonecut;
+ isc_boolean_t done = ISC_FALSE;
+ isc_result_t result;
+ isc_boolean_t active;
+ isc_uint32_t nsttl = 0;
+ unsigned int count, nlabels;
+ int order;
+
+ dns_fixedname_init(&fname);
+ name = dns_fixedname_name(&fname);
+ dns_fixedname_init(&fnextname);
+ nextname = dns_fixedname_name(&fnextname);
+ dns_fixedname_init(&fzonecut);
+ zonecut = NULL;
+
+ /*
+ * Walk the zone generating the hash names.
+ */
+ result = dns_db_createiterator(gdb, DNS_DB_NONSEC3, &dbiter);
+ check_result(result, "dns_db_createiterator()");
+
+ result = dns_dbiterator_first(dbiter);
+ check_result(result, "dns_dbiterator_first()");
+
+ while (!done) {
+ dns_dbiterator_current(dbiter, &node, name);
+ result = dns_dbiterator_next(dbiter);
+ nextnode = NULL;
+ while (result == ISC_R_SUCCESS) {
+ result = dns_dbiterator_current(dbiter, &nextnode,
+ nextname);
+ if (result != ISC_R_SUCCESS)
+ break;
+ active = active_node(nextnode);
+ if (!active) {
+ dns_db_detachnode(gdb, &nextnode);
+ result = dns_dbiterator_next(dbiter);
+ continue;
+ }
+ if (!dns_name_issubdomain(nextname, gorigin) ||
+ (zonecut != NULL &&
+ dns_name_issubdomain(nextname, zonecut))) {
+ dns_db_detachnode(gdb, &nextnode);
+ result = dns_dbiterator_next(dbiter);
+ continue;
+ }
+ if (delegation(nextname, nextnode, &nsttl)) {
+ zonecut = dns_fixedname_name(&fzonecut);
+ dns_name_copy(nextname, zonecut, NULL);
+ if (generateds)
+ add_ds(nextname, nextnode, nsttl);
+ if (OPTOUT(nsec3flags) &&
+ !secure(nextname, nextnode)) {
+ dns_db_detachnode(gdb, &nextnode);
+ result = dns_dbiterator_next(dbiter);
+ continue;
+ }
+ }
+ dns_db_detachnode(gdb, &nextnode);
+ break;
+ }
+ if (result == ISC_R_NOMORE) {
+ dns_name_copy(gorigin, nextname, NULL);
+ done = ISC_TRUE;
+ } else if (result != ISC_R_SUCCESS)
+ fatal("iterating through the database failed: %s",
+ isc_result_totext(result));
+ dns_name_downcase(name, name, NULL);
+ hashlist_add_dns_name(hashlist, name, hashalg, iterations,
+ salt, salt_length, ISC_FALSE);
+ dns_db_detachnode(gdb, &node);
+ /*
+ * Add hashs for empty nodes. Use closest encloser logic.
+ * The closest encloser either has data or is a empty
+ * node for another <name,nextname> span so we don't add
+ * it here. Empty labels on nextname are within the span.
+ */
+ dns_name_downcase(nextname, nextname, NULL);
+ dns_name_fullcompare(name, nextname, &order, &nlabels);
+ addnowildcardhash(hashlist, name, hashalg, iterations,
+ salt, salt_length);
+ count = dns_name_countlabels(nextname);
+ while (count > nlabels + 1) {
+ count--;
+ dns_name_split(nextname, count, NULL, nextname);
+ hashlist_add_dns_name(hashlist, nextname, hashalg,
+ iterations, salt, salt_length,
+ ISC_FALSE);
+ addnowildcardhash(hashlist, nextname, hashalg,
+ iterations, salt, salt_length);
+ }
+ }
+ dns_dbiterator_destroy(&dbiter);
+
+ /*
+ * We have all the hashes now so we can sort them.
+ */
+ hashlist_sort(hashlist);
+
+ /*
+ * Check for duplicate hashes. If found the salt needs to
+ * be changed.
+ */
+ if (hashlist_hasdup(hashlist))
+ fatal("Duplicate hash detected. Pick a different salt.");
+
+ /*
+ * Generate the nsec3 records.
+ */
+ zonecut = NULL;
+ done = ISC_FALSE;
+
+ addnsec3param(salt, salt_length, iterations);
+
+ result = dns_db_createiterator(gdb, DNS_DB_NONSEC3, &dbiter);
+ check_result(result, "dns_db_createiterator()");
+
+ result = dns_dbiterator_first(dbiter);
+ check_result(result, "dns_dbiterator_first()");
+
+ while (!done) {
+ dns_dbiterator_current(dbiter, &node, name);
+ result = dns_dbiterator_next(dbiter);
+ nextnode = NULL;
+ while (result == ISC_R_SUCCESS) {
+ result = dns_dbiterator_current(dbiter, &nextnode,
+ nextname);
+ if (result != ISC_R_SUCCESS)
+ break;
+ /*
+ * Cleanout NSEC3 RRsets which don't exist in the
+ * hash table.
+ */
+ nsec3clean(nextname, nextnode, hashalg, iterations,
+ salt, salt_length, hashlist);
+ /*
+ * Skip NSEC3 only nodes when looking for the next
+ * node in the zone. Also skips now empty nodes.
+ */
+ if (nsec3only(nextnode)) {
+ dns_db_detachnode(gdb, &nextnode);
+ result = dns_dbiterator_next(dbiter);
+ continue;
+ }
+ if (!dns_name_issubdomain(nextname, gorigin) ||
+ (zonecut != NULL &&
+ dns_name_issubdomain(nextname, zonecut))) {
+ dns_db_detachnode(gdb, &nextnode);
+ result = dns_dbiterator_next(dbiter);
+ continue;
+ }
+ if (delegation(nextname, nextnode, NULL)) {
+ zonecut = dns_fixedname_name(&fzonecut);
+ dns_name_copy(nextname, zonecut, NULL);
+ if (OPTOUT(nsec3flags) &&
+ !secure(nextname, nextnode)) {
+ dns_db_detachnode(gdb, &nextnode);
+ result = dns_dbiterator_next(dbiter);
+ continue;
+ }
+ }
+ dns_db_detachnode(gdb, &nextnode);
+ break;
+ }
+ if (result == ISC_R_NOMORE) {
+ dns_name_copy(gorigin, nextname, NULL);
+ done = ISC_TRUE;
+ } else if (result != ISC_R_SUCCESS)
+ fatal("iterating through the database failed: %s",
+ isc_result_totext(result));
+ /*
+ * We need to pause here to release the lock on the database.
+ */
+ dns_dbiterator_pause(dbiter);
+ addnsec3(name, node, salt, salt_length, iterations,
+ hashlist, zonettl);
+ dns_db_detachnode(gdb, &node);
+ /*
+ * Add NSEC3's for empty nodes. Use closest encloser logic.
+ */
+ dns_name_fullcompare(name, nextname, &order, &nlabels);
+ count = dns_name_countlabels(nextname);
+ while (count > nlabels + 1) {
+ count--;
+ dns_name_split(nextname, count, NULL, nextname);
+ addnsec3(nextname, NULL, salt, salt_length,
+ iterations, hashlist, zonettl);
+ }
+ }
+ dns_dbiterator_destroy(&dbiter);
+}
+
+/*%
* Load the zone file from disk
*/
static void
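Review bot: `addnsec3param()` assigns `result` from dns_rdata_fromstruct() at L8581 but never checks it before `rdata` is read at L8584, unlike every neighbouring call; add `check_result(result, "dns_rdata_fromstruct(NSEC3PARAM)");` directly after the call. The same gap is in `nsec3clean()` at L8728, where the return of dns_rdata_tostruct() is discarded before `nsec3` is compared: `check_result(dns_rdata_tostruct(&rdata, &nsec3, NULL), "dns_rdata_tostruct(NSEC3)");`. Separately, `nsec3ify()` takes a `hashalg` parameter that it passes to the hash list and nsec3clean(), but `addnsec3()` hashes with `dns_hash_sha1` (L8628) and both addnsec3() and addnsec3param() emit RDATA with `unknownalg ? DNS_NSEC3_UNKNOWNALG : dns_hash_sha1`; main only ever passes dns_hash_sha1 (L9174), so the chain is consistent today, but a caller with any other algorithm would build a hash list that does not match the records written — either thread `hashalg` through or document at L8767–L8771 that only SHA-1 is supported. Minor: `hash_length` in addnsec3() is filled by dns_nsec3_hashname() and then unused where `ISC_SHA1_DIGESTLENGTH` is hard-coded at L8637.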
@@ -1788,6 +2375,9 @@ usage(void) {
fprintf(stderr, "\t-n ncpus (number of cpus present)\n");
fprintf(stderr, "\t-k key_signing_key\n");
fprintf(stderr, "\t-l lookasidezone\n");
+ fprintf(stderr, "\t-3 salt (NSEC3 salt)\n");
+ fprintf(stderr, "\t-H iterations (NSEC3 iterations)\n");
+ fprintf(stderr, "\t-A (NSEC3 optout)\n");
fprintf(stderr, "\t-z:\t");
fprintf(stderr, "ignore KSK flag in DNSKEYs");
@@ -1852,6 +2442,36 @@ main(int argc, char *argv[]) {
isc_task_t **tasks = NULL;
isc_buffer_t b;
int len;
+ unsigned int iterations = 100U;
+ const unsigned char *salt = NULL;
+ size_t salt_length = 0;
+ unsigned char saltbuf[255];
+ hashlist_t hashlist;
+
+#define CMDLINE_FLAGS "3:aAc:d:e:f:ghH:i:I:j:k:l:m:n:N:o:O:pr:s:StUv:z"
+
+ /*
+ * Process memory debugging argument first.
+ */
+ while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
+ switch (ch) {
+ case 'm':
+ if (strcasecmp(isc_commandline_argument, "record") == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+ if (strcasecmp(isc_commandline_argument, "trace") == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
+ if (strcasecmp(isc_commandline_argument, "usage") == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
+ if (strcasecmp(isc_commandline_argument, "size") == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGSIZE;
+ if (strcasecmp(isc_commandline_argument, "mctx") == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGCTX;
+ break;
+ default:
+ break;
+ }
+ }
+ isc_commandline_reset = ISC_TRUE;
masterstyle = &dns_master_style_explicitttl;
@@ -1863,10 +2483,34 @@ main(int argc, char *argv[]) {
dns_result_register();
- while ((ch = isc_commandline_parse(argc, argv,
- "ac:d:e:f:ghi:I:j:k:l:n:N:o:O:pr:s:Stv:z"))
- != -1) {
+ isc_commandline_errprint = ISC_FALSE;
+
+ while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
+ case '3':
+ if (strcmp(isc_commandline_argument, "-")) {
+ isc_buffer_t target;
+ char *sarg;
+
+ sarg = isc_commandline_argument;
+ isc_buffer_init(&target, saltbuf,
+ sizeof(saltbuf));
+ result = isc_hex_decodestring(sarg, &target);
+ check_result(result,
+ "isc_hex_decodestring(salt)");
+ salt = saltbuf;
+ salt_length = isc_buffer_usedlength(&target);
+ } else {
+ salt = saltbuf;
+ salt_length = 0;
+ }
+ nsec_datatype = dns_rdatatype_nsec3;
+ break;
+
+ case 'A':
+ nsec3flags |= DNS_NSEC3FLAG_OPTOUT;
+ break;
+
case 'a':
tryverify = ISC_TRUE;
break;
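Review bot: `-A` at L9046–L9048 sets DNS_NSEC3FLAG_OPTOUT unconditionally, so `-A` without `-3` is accepted silently and the flag is simply never consulted because `IS_NSEC3` stays false; unless a later check outside this hunk covers it, I would reject the combination after option parsing with `if (nsec3flags != 0 && !IS_NSEC3) fatal("-A requires -3");`. For `-3`, decoding into `saltbuf[255]` (L8989) is guarded by check_result(), so an oversized hex salt fails hard rather than overflowing; a dedicated message such as `salt too long` would be clearer than the library's result text, but that is cosmetic.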
@@ -1891,11 +2535,19 @@ main(int argc, char *argv[]) {
generateds = ISC_TRUE;
break;
+ case '?':
+ if (isc_commandline_option != '?')
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, isc_commandline_option);
case 'h':
- default:
usage();
break;
+ default:
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ program, isc_commandline_option);
+ exit(1);
+
case 'i':
endp = NULL;
cycle = strtol(isc_commandline_argument, &endp, 0);
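Review bot: The new `case '?':` at L9056–L9059 deliberately falls into `case 'h':`, but nothing marks it and compilers that warn on implicit fallthrough will flag it; add `/* FALLTHROUGH */` after the fprintf at L9059. The new `default:` branch calls `exit(1)` directly at L9067 while the other error paths in this file go through fatal() (L8314, L9088), which presumably does the same logging and cleanup; `fatal("unhandled option -%c", isc_commandline_option);` keeps a single exit path. Note also that usage() is now reached both for `-h` and for an invalid option, so its exit status cannot distinguish the two; whether usage() exits non-zero is outside this hunk.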
@@ -1934,6 +2586,9 @@ main(int argc, char *argv[]) {
dskeyfile[ndskeys++] = isc_commandline_argument;
break;
+ case 'm':
+ break;
+
case 'n':
endp = NULL;
ntasks = strtol(isc_commandline_argument, &endp, 0);
@@ -1945,6 +2600,15 @@ main(int argc, char *argv[]) {
serialformatstr = isc_commandline_argument;
break;
+ case 'H':
+ iterations = strtoul(isc_commandline_argument,
+ &endp, 0);
+ if (*endp != '\0')
+ fatal("iterations must be numeric");
+ if (iterations > 0xffffU)
+ fatal("iterations too big");
+ break;
+
case 'o':
origin = isc_commandline_argument;
break;
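Review bot: The `-H` parser at L9085–L9088 accepts an empty argument: strtoul() on `""` returns 0 with `endp` at the terminating NUL, so `*endp != '\0'` is false and iterations silently becomes 0. Tighten it to `if (*endp != '\0' || endp == isc_commandline_argument) fatal("iterations must be numeric");`. Overflow is covered indirectly because ULONG_MAX exceeds 0xffffU and trips the `iterations too big` check at L9089, and a leading `-` is accepted by strtoul and ends up there as well, so the message is slightly misleading but the outcome is a hard failure. The same `*endp` pattern is used by the existing `-i`/`-n`/`-v` parsers visible at L9071, L9080 and L9105, so this is a file-wide convention rather than a regression introduced here.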
@@ -1975,6 +2639,10 @@ main(int argc, char *argv[]) {
printstats = ISC_TRUE;
break;
+ case 'U': /* Undocumented for testing only. */
+ unknownalg = ISC_TRUE;
+ break;
+
case 'v':
endp = NULL;
verbose = strtol(isc_commandline_argument, &endp, 0);
@@ -2018,7 +2686,7 @@ main(int argc, char *argv[]) {
cycle = (endtime - starttime) / 4;
if (ntasks == 0)
- ntasks = isc_os_ncpus();
+ ntasks = isc_os_ncpus() * 2;
vbprintf(4, "using %d cpus\n", ntasks);
rdclass = strtoclass(classname);
@@ -2082,7 +2750,6 @@ main(int argc, char *argv[]) {
0, 24, 0, 0, 0, 8, mctx);
check_result(result, "dns_master_stylecreate");
-
gdb = NULL;
TIME_NOW(&timer_start);
loadzone(file, origin, rdclass, &gdb);
@@ -2090,6 +2757,18 @@ main(int argc, char *argv[]) {
gclass = dns_db_class(gdb);
zonettl = soattl();
+ if (IS_NSEC3) {
+ isc_boolean_t answer;
+ hash_length = dns_nsec3_hashlength(dns_hash_sha1);
+ hashlist_init(&hashlist, dns_db_nodecount(gdb) * 2,
+ hash_length);
+ result = dns_nsec_nseconly(gdb, gversion, &answer);
+ check_result(result, "dns_nsec_nseconly");
+ if (answer)
+ fatal("NSEC3 generation requested with "
+ "NSEC only DNSKEY");
+ }
+
ISC_LIST_INIT(keylist);
if (argc == 0) {
@@ -2106,6 +2785,9 @@ main(int argc, char *argv[]) {
fatal("cannot load dnskey %s: %s", argv[i],
isc_result_totext(result));
+ if (!dns_name_equal(gorigin, dst_key_name(newkey)))
+ fatal("key %s not at origin\n", argv[i]);
+
key = ISC_LIST_HEAD(keylist);
while (key != NULL) {
dst_key_t *dkey = key->key;
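Review bot: The new fatal() call at L9141 passes a format ending in `\n`, unlike every other fatal() in this diff (L8314, L8549, L8881, L9088, L9138), which presumably appends its own newline; drop it: `fatal("key %s not at origin", argv[i]);`. The same applies to the copy at L9150 in the next hunk. The check itself is the right one — a DNSKEY whose owner name is not the zone origin must not be used to sign the zone — and including the key's actual owner via dst_key_name(newkey) formatted with dns_name_format() would help the operator locate the wrong file, but that is optional.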
@@ -2143,6 +2825,9 @@ main(int argc, char *argv[]) {
fatal("cannot load dnskey %s: %s", dskeyfile[i],
isc_result_totext(result));
+ if (!dns_name_equal(gorigin, dst_key_name(newkey)))
+ fatal("key %s not at origin\n", dskeyfile[i]);
+
key = ISC_LIST_HEAD(keylist);
while (key != NULL) {
dst_key_t *dkey = key->key;
@@ -2176,6 +2861,15 @@ main(int argc, char *argv[]) {
nokeys = ISC_TRUE;
}
+ if (IS_NSEC3) {
+ unsigned int max;
+ result = dns_nsec3_maxiterations(gdb, NULL, mctx, &max);
+ check_result(result, "dns_nsec3_maxiterations()");
+ if (iterations > max)
+ fatal("NSEC3 iterations too big for weakest DNSKEY "
+ "strength. Maximum iterations allowed %u.", max);
+ }
+
warnifallksk(gdb);
gversion = NULL;
@@ -2195,7 +2889,11 @@ main(int argc, char *argv[]) {
break;
}
- nsecify();
+ if (IS_NSEC3)
+ nsec3ify(dns_hash_sha1, iterations, salt, salt_length,
+ &hashlist);
+ else
+ nsecify();
if (!nokeys) {
writeset("keyset-", dns_rdatatype_dnskey);
diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook
index 67eacc143272..2f26ba4e1550 100644
--- a/bin/dnssec/dnssec-signzone.docbook
+++ b/bin/dnssec/dnssec-signzone.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-signzone.docbook,v 1.10.18.19 2008/10/15 23:46:06 tbox Exp $ -->
+<!-- $Id: dnssec-signzone.docbook,v 1.31 2008/10/14 14:28:25 jreed Exp $ -->
<refentry id="man.dnssec-signzone">
<refentryinfo>
<date>June 30, 2000</date>
@@ -77,6 +77,9 @@
<arg><option>-t</option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-z</option></arg>
+ <arg><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
+ <arg><option>-H <replaceable class="parameter">iterations</replaceable></option></arg>
+ <arg><option>-A</option></arg>
<arg choice="req">zonefile</arg>
<arg rep="repeat">key</arg>
</cmdsynopsis>
@@ -400,6 +403,38 @@
</varlistentry>
<varlistentry>
+ <term>-3 <replaceable class="parameter">salt</replaceable></term>
+ <listitem>
+ <para>
+ Generate a NSEC3 chain with the given hex encoded salt.
+ A dash (<replaceable class="parameter">salt</replaceable>) can
+ be used to indicate that no salt is to be used when generating the NSEC3 chain.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-H <replaceable class="parameter">iterations</replaceable></term>
+ <listitem>
+ <para>
+ When generating a NSEC3 chain use this many interations. The
+ default is 100.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-A</term>
+ <listitem>
+ <para>
+ When generating a NSEC3 chain set the OPTOUT flag on all
+ NSEC3 records and do not generate NSEC3 records for insecure
+ delegations.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>zonefile</term>
<listitem>
<para>
diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html
index 18d851d1fcd3..6548d845d525 100644
--- a/bin/dnssec/dnssec-signzone.html
+++ b/bin/dnssec/dnssec-signzone.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-signzone.html,v 1.8.18.25 2008/10/16 01:29:40 tbox Exp $ -->
+<!-- $Id: dnssec-signzone.html,v 1.33 2008/10/15 01:11:35 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -29,10 +29,10 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {zonefile} [key...]</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543529"></a><h2>DESCRIPTION</h2>
+<a name="id2543550"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-signzone</strong></span>
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
@@ -43,7 +43,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543544"></a><h2>OPTIONS</h2>
+<a name="id2543565"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd><p>
@@ -226,6 +226,23 @@
<dd><p>
Ignore KSK flag on key when determining what to sign.
</p></dd>
+<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
+<dd><p>
+ Generate a NSEC3 chain with the given hex encoded salt.
+ A dash (<em class="replaceable"><code>salt</code></em>) can
+ be used to indicate that no salt is to be used when generating the NSEC3 chain.
+ </p></dd>
+<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
+<dd><p>
+ When generating a NSEC3 chain use this many interations. The
+ default is 100.
+ </p></dd>
+<dt><span class="term">-A</span></dt>
+<dd><p>
+ When generating a NSEC3 chain set the OPTOUT flag on all
+ NSEC3 records and do not generate NSEC3 records for insecure
+ delegations.
+ </p></dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>
The file containing the zone to be signed.
@@ -241,7 +258,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544330"></a><h2>EXAMPLE</h2>
+<a name="id2544404"></a><h2>EXAMPLE</h2>
<p>
The following command signs the <strong class="userinput"><code>example.com</code></strong>
zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
@@ -270,14 +287,14 @@ db.example.com.signed
%</pre>
</div>
<div class="refsect1" lang="en">
-<a name="id2544381"></a><h2>SEE ALSO</h2>
+<a name="id2544523"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4033</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544406"></a><h2>AUTHOR</h2>
+<a name="id2544548"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index 4f95540fc4e5..e933a06d6023 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssectool.c,v 1.40.18.3 2005/07/01 03:55:28 marka Exp $ */
+/* $Id: dnssectool.c,v 1.45 2007/06/19 23:46:59 tbox Exp $ */
/*! \file */
diff --git a/bin/dnssec/dnssectool.h b/bin/dnssec/dnssectool.h
index c5f364813d4d..ee476f4ea78b 100644
--- a/bin/dnssec/dnssectool.h
+++ b/bin/dnssec/dnssectool.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssectool.h,v 1.18 2004/03/05 04:57:41 marka Exp $ */
+/* $Id: dnssectool.h,v 1.22 2008/09/25 04:02:38 tbox Exp $ */
#ifndef DNSSECTOOL_H
#define DNSSECTOOL_H 1
@@ -41,7 +41,7 @@ vbprintf(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
void
type_format(const dns_rdatatype_t type, char *cp, unsigned int size);
-#define TYPE_FORMATSIZE 10
+#define TYPE_FORMATSIZE 20
void
alg_format(const dns_secalg_t alg, char *cp, unsigned int size);
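Review bot: The doubled `TYPE_FORMATSIZE` carries no comment saying what the bound must hold, so a reader cannot tell whether 20 is derived from the longest value `type_format()` can write or is just a guess. Presumably the bump is for longer type mnemonics (NSEC3PARAM is ten characters, which with its terminator did not fit in 10), but the callers are not on this page, so any caller that sizes its buffer with a literal rather than the macro would not pick the change up. Suggest `#define TYPE_FORMATSIZE 20 /* longest RR type mnemonic (or "TYPEnnnnn") plus NUL; buffers passed to type_format() must be at least this big */`.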
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index a809e59c5427..4d800a69edaf 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2002 Internet Software Consortium.
#
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.80.18.7 2005/09/05 00:18:10 marka Exp $
+# $Id: Makefile.in,v 1.101 2008/09/23 17:25:47 jinmei Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -21,6 +21,8 @@ top_srcdir = @top_srcdir@
@BIND9_VERSION@
+@BIND9_CONFIGARGS@
+
@BIND9_MAKE_INCLUDES@
#
@@ -38,7 +40,7 @@ DLZDRIVER_SRCS = @DLZ_DRIVER_SRCS@
DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@
DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
-CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include \
+CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES}
@@ -75,7 +77,7 @@ TARGETS = named@EXEEXT@ lwresd@EXEEXT@
OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
controlconf.@O@ interfacemgr.@O@ \
listenlist.@O@ log.@O@ logconf.@O@ main.@O@ notify.@O@ \
- query.@O@ server.@O@ sortlist.@O@ \
+ query.@O@ server.@O@ sortlist.@O@ statschannel.@O@ \
tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
zoneconf.@O@ \
lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
@@ -87,7 +89,7 @@ UOBJS = unix/os.@O@
SRCS = builtin.c client.c config.c control.c \
controlconf.c interfacemgr.c \
listenlist.c log.c logconf.c main.c notify.c \
- query.c server.c sortlist.c \
+ query.c server.c sortlist.c statschannel.c \
tkeyconf.c tsigconf.c update.c xfrout.c \
zoneconf.c \
lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
@@ -105,6 +107,7 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
main.@O@: main.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
+ -DCONFIGARGS="\"${CONFIGARGS}\"" \
-DNS_LOCALSTATEDIR=\"${localstatedir}\" \
-DNS_SYSCONFDIR=\"${sysconfdir}\" -c ${srcdir}/main.c
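Review bot: The new `-DCONFIGARGS="\"${CONFIGARGS}\""` splices the configure command line into a C string literal without any escaping, so a configure argument containing a double quote, backslash or newline would either break the compile of main.c or silently change the literal's contents. Having configure emit an already-escaped value (or write it into a small generated header) is more robust than quoting on the compile line; at minimum add `# CONFIGARGS is embedded verbatim in the binary; configure must emit it free of unescaped '"' and '\'`. Because the value ends up inside the installed named executable, anything placed on the configure command line (local paths, account names) becomes recoverable from the binary, which packagers should know.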
@@ -130,6 +133,12 @@ docclean manclean maintainer-clean::
clean distclean maintainer-clean::
rm -f ${TARGETS} ${OBJS}
+bind9.xsl.h: bind9.xsl convertxsl.pl
+ ${PERL} ${srcdir}/convertxsl.pl < ${srcdir}/bind9.xsl > bind9.xsl.h
+
+depend: bind9.xsl.h
+statschannel.@O@: bind9.xsl.h
+
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
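Review bot: The new `bind9.xsl.h` rule generates the header into the build directory, but the `clean` target just above still removes only `${TARGETS} ${OBJS}`, so the generated file survives `make clean`; extend it to `rm -f ${TARGETS} ${OBJS} bind9.xsl.h`, or put it under `distclean` if the copy checked in alongside is meant to be kept for builds without perl. Since that checked-in copy sits in the source directory while the rule writes to `.`, it is not obvious which one statschannel.c picks up in a separate build directory (a quoted `#include` would find the source-tree copy first, if that is how it is included); a one-line comment on the rule stating the intended precedence together with the `-I.` added to `CINCLUDES` would remove the ambiguity.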
diff --git a/bin/named/bind9.xsl b/bin/named/bind9.xsl
new file mode 100644
index 000000000000..2cadbfd7e47c
--- /dev/null
+++ b/bin/named/bind9.xsl
@@ -0,0 +1,492 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ - Copyright (C) 2006-2009 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: bind9.xsl,v 1.19.82.2 2009/01/29 23:47:43 tbox Exp $ -->
+
+<xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns="http://www.w3.org/1999/xhtml">
+ <xsl:template match="isc/bind/statistics">
+ <html>
+ <head>
+ <style type="text/css">
+body {
+ font-family: sans-serif;
+ background-color: #ffffff;
+ color: #000000;
+}
+
+table {
+ border-collapse: collapse;
+}
+
+tr.rowh {
+ text-align: center;
+ border: 1px solid #000000;
+ background-color: #8080ff;
+ color: #ffffff;
+}
+
+tr.row {
+ text-align: right;
+ border: 1px solid #000000;
+ background-color: teal;
+ color: #ffffff;
+}
+
+tr.lrow {
+ text-align: left;
+ border: 1px solid #000000;
+ background-color: teal;
+ color: #ffffff;
+}
+
+td, th {
+ padding-right: 5px;
+ padding-left: 5px;
+}
+
+.header h1 {
+ background-color: teal;
+ color: #ffffff;
+ padding: 4px;
+}
+
+.content {
+ background-color: #ffffff;
+ color: #000000;
+ padding: 4px;
+}
+
+.item {
+ padding: 4px;
+ align: right;
+}
+
+.value {
+ padding: 4px;
+ font-weight: bold;
+}
+
+div.statcounter h2 {
+ text-align: center;
+ font-size: large;
+ border: 1px solid #000000;
+ background-color: #8080ff;
+ color: #ffffff;
+}
+
+div.statcounter dl {
+ float: left;
+ margin-top: 0;
+ margin-bottom: 0;
+ margin-left: 0;
+ margin-right: 0;
+}
+
+div.statcounter dt {
+ width: 200px;
+ text-align: center;
+ font-weight: bold;
+ border: 0.5px solid #000000;
+ background-color: #8080ff;
+ color: #ffffff;
+}
+
+div.statcounter dd {
+ width: 200px;
+ text-align: right;
+ border: 0.5px solid #000000;
+ background-color: teal;
+ color: #ffffff;
+ margin-left: 0;
+ margin-right: 0;
+}
+
+div.statcounter br {
+ clear: left;
+}
+ </style>
+ <title>BIND 9 Statistics</title>
+ </head>
+ <body>
+ <div class="header">
+ <h1>Bind 9 Configuration and Statistics</h1>
+ </div>
+
+ <br/>
+
+ <table>
+ <tr class="rowh"><th colspan="2">Times</th></tr>
+ <tr class="lrow">
+ <td>boot-time</td>
+ <td><xsl:value-of select="server/boot-time"/></td>
+ </tr>
+ <tr class="lrow">
+ <td>current-time</td>
+ <td><xsl:value-of select="server/current-time"/></td>
+ </tr>
+ </table>
+
+ <br/>
+
+ <table>
+ <tr class="rowh"><th colspan="2">Incoming Requests</th></tr>
+ <xsl:for-each select="server/requests/opcode">
+ <tr class="lrow">
+ <td><xsl:value-of select="name"/></td>
+ <td><xsl:value-of select="counter"/></td>
+ </tr>
+ </xsl:for-each>
+ </table>
+
+ <br/>
+
+ <table>
+ <tr class="rowh"><th colspan="2">Incoming Queries</th></tr>
+ <xsl:for-each select="server/queries-in/rdtype">
+ <tr class="lrow">
+ <td><xsl:value-of select="name"/></td>
+ <td><xsl:value-of select="counter"/></td>
+ </tr>
+ </xsl:for-each>
+ </table>
+
+ <br/>
+
+ <xsl:for-each select="views/view">
+ <table>
+ <tr class="rowh">
+ <th colspan="2">Outgoing Queries from View <xsl:value-of select="name"/></th>
+ </tr>
+ <xsl:for-each select="rdtype">
+ <tr class="lrow">
+ <td><xsl:value-of select="name"/></td>
+ <td><xsl:value-of select="counter"/></td>
+ </tr>
+ </xsl:for-each>
+ </table>
+ <br/>
+ </xsl:for-each>
+
+ <br/>
+
+ <div class="statcounter">
+ <h2>Server Statistics</h2>
+ <xsl:for-each select="server/nsstat">
+ <dl>
+ <dt><xsl:value-of select="name"/></dt>
+ <dd><xsl:value-of select="counter"/></dd>
+ </dl>
+ </xsl:for-each>
+ <br/>
+ </div>
+
+ <div class="statcounter">
+ <h2>Zone Maintenance Statistics</h2>
+ <xsl:for-each select="server/zonestat">
+ <dl>
+ <dt><xsl:value-of select="name"/></dt>
+ <dd><xsl:value-of select="counter"/></dd>
+ </dl>
+ </xsl:for-each>
+ <br />
+ </div>
+
+ <div class="statcounter">
+ <h2>Resolver Statistics (Common)</h2>
+ <xsl:for-each select="server/resstat">
+ <dl>
+ <dt><xsl:value-of select="name"/></dt>
+ <dd><xsl:value-of select="counter"/></dd>
+ </dl>
+ </xsl:for-each>
+ <br />
+ </div>
+
+ <xsl:for-each select="views/view">
+ <div class="statcounter">
+ <h2>Resolver Statistics for View <xsl:value-of select="name"/></h2>
+ <xsl:for-each select="resstat">
+ <dl>
+ <dt><xsl:value-of select="name"/></dt>
+ <dd><xsl:value-of select="counter"/></dd>
+ </dl>
+ </xsl:for-each>
+ <br />
+ </div>
+ </xsl:for-each>
+
+ <br />
+
+ <xsl:for-each select="views/view">
+ <table>
+ <tr class="rowh">
+ <th colspan="2">Cache DB RRsets for View <xsl:value-of select="name"/></th>
+ </tr>
+ <xsl:for-each select="cache/rrset">
+ <tr class="lrow">
+ <td><xsl:value-of select="name"/></td>
+ <td><xsl:value-of select="counter"/></td>
+ </tr>
+ </xsl:for-each>
+ </table>
+ <br/>
+ </xsl:for-each>
+
+ <div class="statcounter">
+ <h2>Socket I/O Statistics</h2>
+ <xsl:for-each select="server/sockstat">
+ <dl>
+ <dt><xsl:value-of select="name"/></dt>
+ <dd><xsl:value-of select="counter"/></dd>
+ </dl>
+ </xsl:for-each>
+ <br/>
+ </div>
+
+ <br/>
+
+ <xsl:for-each select="views/view">
+ <table>
+ <tr class="rowh">
+ <th colspan="10">Zones for View <xsl:value-of select="name"/></th>
+ </tr>
+ <tr class="rowh">
+ <th>Name</th>
+ <th>Class</th>
+ <th>Serial</th>
+ <th>Success</th>
+ <th>Referral</th>
+ <th>NXRRSET</th>
+ <th>NXDOMAIN</th>
+ <th>Failure</th>
+ <th>XfrReqDone</th>
+ <th>XfrRej</th>
+ </tr>
+ <xsl:for-each select="zones/zone">
+ <tr class="lrow">
+ <td>
+ <xsl:value-of select="name"/>
+ </td>
+ <td>
+ <xsl:value-of select="rdataclass"/>
+ </td>
+ <td>
+ <xsl:value-of select="serial"/>
+ </td>
+ <td>
+ <xsl:value-of select="counters/QrySuccess"/>
+ </td>
+ <td>
+ <xsl:value-of select="counters/QryReferral"/>
+ </td>
+ <td>
+ <xsl:value-of select="counters/QryNxrrset"/>
+ </td>
+ <td>
+ <xsl:value-of select="counters/QryNXDOMAIN"/>
+ </td>
+ <td>
+ <xsl:value-of select="counters/QryFailure"/>
+ </td>
+ <td>
+ <xsl:value-of select="counters/XfrReqDone"/>
+ </td>
+ <td>
+ <xsl:value-of select="counters/XfrRej"/>
+ </td>
+ </tr>
+ </xsl:for-each>
+ </table>
+ <br/>
+ </xsl:for-each>
+
+ <br/>
+
+ <table>
+ <tr class="rowh">
+ <th colspan="7">Network Status</th>
+ </tr>
+ <tr class="rowh">
+ <th>ID</th>
+ <th>Name</th>
+ <th>Type</th>
+ <th>References</th>
+ <th>LocalAddress</th>
+ <th>PeerAddress</th>
+ <th>State</th>
+ </tr>
+ <xsl:for-each select="socketmgr/sockets/socket">
+ <tr class="lrow">
+ <td>
+ <xsl:value-of select="id"/>
+ </td>
+ <td>
+ <xsl:value-of select="name"/>
+ </td>
+ <td>
+ <xsl:value-of select="type"/>
+ </td>
+ <td>
+ <xsl:value-of select="references"/>
+ </td>
+ <td>
+ <xsl:value-of select="local-address"/>
+ </td>
+ <td>
+ <xsl:value-of select="peer-address"/>
+ </td>
+ <td>
+ <xsl:for-each select="states">
+ <xsl:value-of select="."/>
+ </xsl:for-each>
+ </td>
+ </tr>
+ </xsl:for-each>
+ </table>
+ <br/>
+ <table>
+ <tr class="rowh">
+ <th colspan="2">Task Manager Configuration</th>
+ </tr>
+ <tr class="lrow">
+ <td>Thread-Model</td>
+ <td>
+ <xsl:value-of select="taskmgr/thread-model/type"/>
+ </td>
+ </tr>
+ <tr class="lrow">
+ <td>Worker Threads</td>
+ <td>
+ <xsl:value-of select="taskmgr/thread-model/worker-threads"/>
+ </td>
+ </tr>
+ <tr class="lrow">
+ <td>Default Quantum</td>
+ <td>
+ <xsl:value-of select="taskmgr/thread-model/default-quantum"/>
+ </td>
+ </tr>
+ <tr class="lrow">
+ <td>Tasks Running</td>
+ <td>
+ <xsl:value-of select="taskmgr/thread-model/tasks-running"/>
+ </td>
+ </tr>
+ </table>
+ <br/>
+ <table>
+ <tr class="rowh">
+ <th colspan="5">Tasks</th>
+ </tr>
+ <tr class="rowh">
+ <th>ID</th>
+ <th>Name</th>
+ <th>References</th>
+ <th>State</th>
+ <th>Quantum</th>
+ </tr>
+ <xsl:for-each select="taskmgr/tasks/task">
+ <tr class="lrow">
+ <td>
+ <xsl:value-of select="id"/>
+ </td>
+ <td>
+ <xsl:value-of select="name"/>
+ </td>
+ <td>
+ <xsl:value-of select="references"/>
+ </td>
+ <td>
+ <xsl:value-of select="state"/>
+ </td>
+ <td>
+ <xsl:value-of select="quantum"/>
+ </td>
+ </tr>
+ </xsl:for-each>
+ </table>
+ <br />
+ <table>
+ <tr class="rowh">
+ <th colspan="4">Memory Usage Summary</th>
+ </tr>
+ <xsl:for-each select="memory/summary/*">
+ <tr class="lrow">
+ <td><xsl:value-of select="name()"/></td>
+ <td><xsl:value-of select="."/></td>
+ </tr>
+ </xsl:for-each>
+ </table>
+ <br />
+ <table>
+ <tr class="rowh">
+ <th colspan="10">Memory Contexts</th>
+ </tr>
+ <tr class="rowh">
+ <th>ID</th>
+ <th>Name</th>
+ <th>References</th>
+ <th>TotalUse</th>
+ <th>InUse</th>
+ <th>MaxUse</th>
+ <th>BlockSize</th>
+ <th>Pools</th>
+ <th>HiWater</th>
+ <th>LoWater</th>
+ </tr>
+ <xsl:for-each select="memory/contexts/context">
+ <tr class="lrow">
+ <td>
+ <xsl:value-of select="id"/>
+ </td>
+ <td>
+ <xsl:value-of select="name"/>
+ </td>
+ <td>
+ <xsl:value-of select="references"/>
+ </td>
+ <td>
+ <xsl:value-of select="total"/>
+ </td>
+ <td>
+ <xsl:value-of select="inuse"/>
+ </td>
+ <td>
+ <xsl:value-of select="maxinuse"/>
+ </td>
+ <td>
+ <xsl:value-of select="blocksize"/>
+ </td>
+ <td>
+ <xsl:value-of select="pools"/>
+ </td>
+ <td>
+ <xsl:value-of select="hiwater"/>
+ </td>
+ <td>
+ <xsl:value-of select="lowater"/>
+ </td>
+ </tr>
+ </xsl:for-each>
+ </table>
+
+ </body>
+ </html>
+ </xsl:template>
+</xsl:stylesheet>
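Review bot: `.item { padding: 4px; align: right; }` in the stylesheet's CSS uses `align`, which is not a CSS property and is ignored by browsers; the intent is presumably `text-align: right;`. The same text is mirrored in the generated `bind9.xsl.h` in this import, so fix the source and regenerate with convertxsl.pl rather than editing both. The `<h1>` reads "Bind 9" while the `<title>` reads "BIND 9"; pick one spelling. Since the rendered page lists every socket's `local-address` and `peer-address` together with per-zone serials, a short comment at the top of the template noting that this output is intended for the statistics channel's trusted clients would help operators judge how widely to expose it.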
diff --git a/bin/named/bind9.xsl.h b/bin/named/bind9.xsl.h
new file mode 100644
index 000000000000..e42fda08041e
--- /dev/null
+++ b/bin/named/bind9.xsl.h
@@ -0,0 +1,497 @@
+/*
+ * Generated by convertxsl.pl 1.14 2008/07/17 23:43:26 jinmei Exp
+ * From bind9.xsl 1.19.82.2 2009/01/29 23:47:43 tbox Exp
+ */
+static char xslmsg[] =
+ "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
+ "<!--\n"
+ " - Copyright (C) 2006-2009 Internet Systems Consortium, Inc. (\"ISC\")\n"
+ " -\n"
+ " - Permission to use, copy, modify, and/or distribute this software for any\n"
+ " - purpose with or without fee is hereby granted, provided that the above\n"
+ " - copyright notice and this permission notice appear in all copies.\n"
+ " -\n"
+ " - THE SOFTWARE IS PROVIDED \"AS IS\" AND ISC DISCLAIMS ALL WARRANTIES WITH\n"
+ " - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY\n"
+ " - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,\n"
+ " - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM\n"
+ " - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE\n"
+ " - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR\n"
+ " - PERFORMANCE OF THIS SOFTWARE.\n"
+ "-->\n"
+ "\n"
+ "<!-- \045Id: bind9.xsl,v 1.19.82.2 2009/01/29 23:47:43 tbox Exp \045 -->\n"
+ "\n"
+ "<xsl:stylesheet version=\"1.0\"\n"
+ " xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"\n"
+ " xmlns=\"http://www.w3.org/1999/xhtml\">\n"
+ " <xsl:template match=\"isc/bind/statistics\">\n"
+ " <html>\n"
+ " <head>\n"
+ " <style type=\"text/css\">\n"
+ "body {\n"
+ " font-family: sans-serif;\n"
+ " background-color: #ffffff;\n"
+ " color: #000000;\n"
+ "}\n"
+ "\n"
+ "table {\n"
+ " border-collapse: collapse;\n"
+ "}\n"
+ "\n"
+ "tr.rowh {\n"
+ " text-align: center;\n"
+ " border: 1px solid #000000;\n"
+ " background-color: #8080ff;\n"
+ " color: #ffffff;\n"
+ "}\n"
+ "\n"
+ "tr.row {\n"
+ " text-align: right;\n"
+ " border: 1px solid #000000;\n"
+ " background-color: teal;\n"
+ " color: #ffffff;\n"
+ "}\n"
+ "\n"
+ "tr.lrow {\n"
+ " text-align: left;\n"
+ " border: 1px solid #000000;\n"
+ " background-color: teal;\n"
+ " color: #ffffff;\n"
+ "}\n"
+ "\n"
+ "td, th {\n"
+ " padding-right: 5px;\n"
+ " padding-left: 5px;\n"
+ "}\n"
+ "\n"
+ ".header h1 {\n"
+ " background-color: teal;\n"
+ " color: #ffffff;\n"
+ " padding: 4px;\n"
+ "}\n"
+ "\n"
+ ".content {\n"
+ " background-color: #ffffff;\n"
+ " color: #000000;\n"
+ " padding: 4px;\n"
+ "}\n"
+ "\n"
+ ".item {\n"
+ " padding: 4px;\n"
+ " align: right;\n"
+ "}\n"
+ "\n"
+ ".value {\n"
+ " padding: 4px;\n"
+ " font-weight: bold;\n"
+ "}\n"
+ "\n"
+ "div.statcounter h2 {\n"
+ " text-align: center;\n"
+ " font-size: large;\n"
+ " border: 1px solid #000000;\n"
+ " background-color: #8080ff;\n"
+ " color: #ffffff;\n"
+ "}\n"
+ "\n"
+ "div.statcounter dl {\n"
+ " float: left;\n"
+ " margin-top: 0;\n"
+ " margin-bottom: 0;\n"
+ " margin-left: 0;\n"
+ " margin-right: 0;\n"
+ "}\n"
+ "\n"
+ "div.statcounter dt {\n"
+ " width: 200px;\n"
+ " text-align: center;\n"
+ " font-weight: bold;\n"
+ " border: 0.5px solid #000000;\n"
+ " background-color: #8080ff;\n"
+ " color: #ffffff;\n"
+ "}\n"
+ "\n"
+ "div.statcounter dd {\n"
+ " width: 200px;\n"
+ " text-align: right;\n"
+ " border: 0.5px solid #000000;\n"
+ " background-color: teal;\n"
+ " color: #ffffff;\n"
+ " margin-left: 0;\n"
+ " margin-right: 0;\n"
+ "}\n"
+ "\n"
+ "div.statcounter br {\n"
+ " clear: left;\n"
+ "}\n"
+ " </style>\n"
+ " <title>BIND 9 Statistics</title>\n"
+ " </head>\n"
+ " <body>\n"
+ " <div class=\"header\">\n"
+ " <h1>Bind 9 Configuration and Statistics</h1>\n"
+ " </div>\n"
+ "\n"
+ " <br/>\n"
+ "\n"
+ " <table>\n"
+ " <tr class=\"rowh\"><th colspan=\"2\">Times</th></tr>\n"
+ " <tr class=\"lrow\">\n"
+ " <td>boot-time</td>\n"
+ " <td><xsl:value-of select=\"server/boot-time\"/></td>\n"
+ " </tr>\n"
+ " <tr class=\"lrow\">\n"
+ " <td>current-time</td>\n"
+ " <td><xsl:value-of select=\"server/current-time\"/></td>\n"
+ " </tr>\n"
+ " </table>\n"
+ "\n"
+ " <br/>\n"
+ "\n"
+ " <table>\n"
+ " <tr class=\"rowh\"><th colspan=\"2\">Incoming Requests</th></tr>\n"
+ " <xsl:for-each select=\"server/requests/opcode\">\n"
+ " <tr class=\"lrow\">\n"
+ " <td><xsl:value-of select=\"name\"/></td>\n"
+ " <td><xsl:value-of select=\"counter\"/></td>\n"
+ " </tr>\n"
+ " </xsl:for-each>\n"
+ " </table>\n"
+ "\n"
+ " <br/>\n"
+ "\n"
+ " <table>\n"
+ " <tr class=\"rowh\"><th colspan=\"2\">Incoming Queries</th></tr>\n"
+ " <xsl:for-each select=\"server/queries-in/rdtype\">\n"
+ " <tr class=\"lrow\">\n"
+ " <td><xsl:value-of select=\"name\"/></td>\n"
+ " <td><xsl:value-of select=\"counter\"/></td>\n"
+ " </tr>\n"
+ " </xsl:for-each>\n"
+ " </table>\n"
+ "\n"
+ " <br/>\n"
+ "\n"
+ " <xsl:for-each select=\"views/view\">\n"
+ " <table>\n"
+ " <tr class=\"rowh\">\n"
+ " <th colspan=\"2\">Outgoing Queries from View <xsl:value-of select=\"name\"/></th>\n"
+ " </tr>\n"
+ " <xsl:for-each select=\"rdtype\">\n"
+ " <tr class=\"lrow\">\n"
+ " <td><xsl:value-of select=\"name\"/></td>\n"
+ " <td><xsl:value-of select=\"counter\"/></td>\n"
+ " </tr>\n"
+ " </xsl:for-each>\n"
+ " </table>\n"
+ " <br/>\n"
+ " </xsl:for-each>\n"
+ "\n"
+ " <br/>\n"
+ "\n"
+ " <div class=\"statcounter\">\n"
+ " <h2>Server Statistics</h2>\n"
+ " <xsl:for-each select=\"server/nsstat\">\n"
+ " <dl>\n"
+ " <dt><xsl:value-of select=\"name\"/></dt>\n"
+ " <dd><xsl:value-of select=\"counter\"/></dd>\n"
+ " </dl>\n"
+ " </xsl:for-each>\n"
+ " <br/>\n"
+ " </div>\n"
+ "\n"
+ " <div class=\"statcounter\">\n"
+ " <h2>Zone Maintenance Statistics</h2>\n"
+ " <xsl:for-each select=\"server/zonestat\">\n"
+ " <dl>\n"
+ " <dt><xsl:value-of select=\"name\"/></dt>\n"
+ " <dd><xsl:value-of select=\"counter\"/></dd>\n"
+ " </dl>\n"
+ " </xsl:for-each>\n"
+ " <br />\n"
+ " </div>\n"
+ "\n"
+ " <div class=\"statcounter\">\n"
+ " <h2>Resolver Statistics (Common)</h2>\n"
+ " <xsl:for-each select=\"server/resstat\">\n"
+ " <dl>\n"
+ " <dt><xsl:value-of select=\"name\"/></dt>\n"
+ " <dd><xsl:value-of select=\"counter\"/></dd>\n"
+ " </dl>\n"
+ " </xsl:for-each>\n"
+ " <br />\n"
+ " </div>\n"
+ "\n"
+ " <xsl:for-each select=\"views/view\">\n"
+ " <div class=\"statcounter\">\n"
+ " <h2>Resolver Statistics for View <xsl:value-of select=\"name\"/></h2>\n"
+ " <xsl:for-each select=\"resstat\">\n"
+ " <dl>\n"
+ " <dt><xsl:value-of select=\"name\"/></dt>\n"
+ " <dd><xsl:value-of select=\"counter\"/></dd>\n"
+ " </dl>\n"
+ " </xsl:for-each>\n"
+ " <br />\n"
+ " </div>\n"
+ " </xsl:for-each>\n"
+ "\n"
+ " <br />\n"
+ "\n"
+ " <xsl:for-each select=\"views/view\">\n"
+ " <table>\n"
+ " <tr class=\"rowh\">\n"
+ " <th colspan=\"2\">Cache DB RRsets for View <xsl:value-of select=\"name\"/></th>\n"
+ " </tr>\n"
+ " <xsl:for-each select=\"cache/rrset\">\n"
+ " <tr class=\"lrow\">\n"
+ " <td><xsl:value-of select=\"name\"/></td>\n"
+ " <td><xsl:value-of select=\"counter\"/></td>\n"
+ " </tr>\n"
+ " </xsl:for-each>\n"
+ " </table>\n"
+ " <br/>\n"
+ " </xsl:for-each>\n"
+ "\n"
+ " <div class=\"statcounter\">\n"
+ " <h2>Socket I/O Statistics</h2>\n"
+ " <xsl:for-each select=\"server/sockstat\">\n"
+ " <dl>\n"
+ " <dt><xsl:value-of select=\"name\"/></dt>\n"
+ " <dd><xsl:value-of select=\"counter\"/></dd>\n"
+ " </dl>\n"
+ " </xsl:for-each>\n"
+ " <br/>\n"
+ " </div>\n"
+ "\n"
+ " <br/>\n"
+ "\n"
+ " <xsl:for-each select=\"views/view\">\n"
+ " <table>\n"
+ " <tr class=\"rowh\">\n"
+ " <th colspan=\"10\">Zones for View <xsl:value-of select=\"name\"/></th>\n"
+ " </tr>\n"
+ " <tr class=\"rowh\">\n"
+ " <th>Name</th>\n"
+ " <th>Class</th>\n"
+ " <th>Serial</th>\n"
+ " <th>Success</th>\n"
+ " <th>Referral</th>\n"
+ " <th>NXRRSET</th>\n"
+ " <th>NXDOMAIN</th>\n"
+ " <th>Failure</th>\n"
+ " <th>XfrReqDone</th>\n"
+ " <th>XfrRej</th>\n"
+ " </tr>\n"
+ " <xsl:for-each select=\"zones/zone\">\n"
+ " <tr class=\"lrow\">\n"
+ " <td>\n"
+ " <xsl:value-of select=\"name\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"rdataclass\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"serial\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"counters/QrySuccess\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"counters/QryReferral\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"counters/QryNxrrset\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"counters/QryNXDOMAIN\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"counters/QryFailure\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"counters/XfrReqDone\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"counters/XfrRej\"/>\n"
+ " </td>\n"
+ " </tr>\n"
+ " </xsl:for-each>\n"
+ " </table>\n"
+ " <br/>\n"
+ " </xsl:for-each>\n"
+ "\n"
+ " <br/>\n"
+ "\n"
+ " <table>\n"
+ " <tr class=\"rowh\">\n"
+ " <th colspan=\"7\">Network Status</th>\n"
+ " </tr>\n"
+ " <tr class=\"rowh\">\n"
+ " <th>ID</th>\n"
+ " <th>Name</th>\n"
+ " <th>Type</th>\n"
+ " <th>References</th>\n"
+ " <th>LocalAddress</th>\n"
+ " <th>PeerAddress</th>\n"
+ " <th>State</th>\n"
+ " </tr>\n"
+ " <xsl:for-each select=\"socketmgr/sockets/socket\">\n"
+ " <tr class=\"lrow\">\n"
+ " <td>\n"
+ " <xsl:value-of select=\"id\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"name\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"type\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"references\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"local-address\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"peer-address\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:for-each select=\"states\">\n"
+ " <xsl:value-of select=\".\"/>\n"
+ " </xsl:for-each>\n"
+ " </td>\n"
+ " </tr>\n"
+ " </xsl:for-each>\n"
+ " </table>\n"
+ " <br/>\n"
+ " <table>\n"
+ " <tr class=\"rowh\">\n"
+ " <th colspan=\"2\">Task Manager Configuration</th>\n"
+ " </tr>\n"
+ " <tr class=\"lrow\">\n"
+ " <td>Thread-Model</td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"taskmgr/thread-model/type\"/>\n"
+ " </td>\n"
+ " </tr>\n"
+ " <tr class=\"lrow\">\n"
+ " <td>Worker Threads</td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"taskmgr/thread-model/worker-threads\"/>\n"
+ " </td>\n"
+ " </tr>\n"
+ " <tr class=\"lrow\">\n"
+ " <td>Default Quantum</td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"taskmgr/thread-model/default-quantum\"/>\n"
+ " </td>\n"
+ " </tr>\n"
+ " <tr class=\"lrow\">\n"
+ " <td>Tasks Running</td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"taskmgr/thread-model/tasks-running\"/>\n"
+ " </td>\n"
+ " </tr>\n"
+ " </table>\n"
+ " <br/>\n"
+ " <table>\n"
+ " <tr class=\"rowh\">\n"
+ " <th colspan=\"5\">Tasks</th>\n"
+ " </tr>\n"
+ " <tr class=\"rowh\">\n"
+ " <th>ID</th>\n"
+ " <th>Name</th>\n"
+ " <th>References</th>\n"
+ " <th>State</th>\n"
+ " <th>Quantum</th>\n"
+ " </tr>\n"
+ " <xsl:for-each select=\"taskmgr/tasks/task\">\n"
+ " <tr class=\"lrow\">\n"
+ " <td>\n"
+ " <xsl:value-of select=\"id\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"name\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"references\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"state\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"quantum\"/>\n"
+ " </td>\n"
+ " </tr>\n"
+ " </xsl:for-each>\n"
+ " </table>\n"
+ " <br />\n"
+ " <table>\n"
+ " <tr class=\"rowh\">\n"
+ " <th colspan=\"4\">Memory Usage Summary</th>\n"
+ " </tr>\n"
+ " <xsl:for-each select=\"memory/summary/*\">\n"
+ " <tr class=\"lrow\">\n"
+ " <td><xsl:value-of select=\"name()\"/></td>\n"
+ " <td><xsl:value-of select=\".\"/></td>\n"
+ " </tr>\n"
+ " </xsl:for-each>\n"
+ " </table>\n"
+ " <br />\n"
+ " <table>\n"
+ " <tr class=\"rowh\">\n"
+ " <th colspan=\"10\">Memory Contexts</th>\n"
+ " </tr>\n"
+ " <tr class=\"rowh\">\n"
+ " <th>ID</th>\n"
+ " <th>Name</th>\n"
+ " <th>References</th>\n"
+ " <th>TotalUse</th>\n"
+ " <th>InUse</th>\n"
+ " <th>MaxUse</th>\n"
+ " <th>BlockSize</th>\n"
+ " <th>Pools</th>\n"
+ " <th>HiWater</th>\n"
+ " <th>LoWater</th>\n"
+ " </tr>\n"
+ " <xsl:for-each select=\"memory/contexts/context\">\n"
+ " <tr class=\"lrow\">\n"
+ " <td>\n"
+ " <xsl:value-of select=\"id\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"name\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"references\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"total\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"inuse\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"maxinuse\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"blocksize\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"pools\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"hiwater\"/>\n"
+ " </td>\n"
+ " <td>\n"
+ " <xsl:value-of select=\"lowater\"/>\n"
+ " </td>\n"
+ " </tr>\n"
+ " </xsl:for-each>\n"
+ " </table>\n"
+ "\n"
+ " </body>\n"
+ " </html>\n"
+ " </xsl:template>\n"
+ "</xsl:stylesheet>\n";
diff --git a/bin/named/builtin.c b/bin/named/builtin.c
index 06cbd4a24a48..7927737d684d 100644
--- a/bin/named/builtin.c
+++ b/bin/named/builtin.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001-2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: builtin.c,v 1.5.18.5 2005/08/23 04:12:38 marka Exp $ */
+/* $Id: builtin.c,v 1.12 2007/06/19 23:46:59 tbox Exp $ */
/*! \file
* \brief
diff --git a/bin/named/client.c b/bin/named/client.c
index 03cfdb6a714e..ae5386cb4893 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: client.c,v 1.219.18.31 2008/05/22 23:46:03 tbox Exp $ */
+/* $Id: client.c,v 1.259.12.3 2009/01/29 22:40:33 jinmei Exp $ */
#include <config.h>
@@ -24,6 +24,7 @@
#include <isc/once.h>
#include <isc/platform.h>
#include <isc/print.h>
+#include <isc/stats.h>
#include <isc/stdio.h>
#include <isc/string.h>
#include <isc/task.h>
@@ -41,6 +42,7 @@
#include <dns/rdatalist.h>
#include <dns/rdataset.h>
#include <dns/resolver.h>
+#include <dns/stats.h>
#include <dns/tsig.h>
#include <dns/view.h>
#include <dns/zone.h>
@@ -48,6 +50,7 @@
#include <named/interfacemgr.h>
#include <named/log.h>
#include <named/notify.h>
+#include <named/os.h>
#include <named/server.h>
#include <named/update.h>
@@ -119,9 +122,9 @@ struct ns_clientmgr {
isc_mutex_t lock;
/* Locked by lock. */
isc_boolean_t exiting;
- client_list_t active; /*%< Active clients */
- client_list_t recursing; /*%< Recursing clients */
- client_list_t inactive; /*%< To be recycled */
+ client_list_t active; /*%< Active clients */
+ client_list_t recursing; /*%< Recursing clients */
+ client_list_t inactive; /*%< To be recycled */
#if NMCTXS > 0
/*%< mctx pool for clients. */
unsigned int nextmctx;
@@ -463,6 +466,8 @@ exit_check(ns_client_t *client) {
if (client->state == client->newstate) {
client->newstate = NS_CLIENTSTATE_MAX;
+ if (client->needshutdown)
+ isc_task_shutdown(client->task);
goto unlock;
}
}
@@ -519,6 +524,14 @@ exit_check(ns_client_t *client) {
CTRACE("free");
client->magic = 0;
+ /*
+ * Check that there are no other external references to
+ * the memory context.
+ */
+ if (ns_g_clienttest && isc_mem_references(client->mctx) != 1) {
+ isc_mem_stats(client->mctx, stderr);
+ INSIST(0);
+ }
isc_mem_putanddetach(&client->mctx, client, sizeof(*client));
goto unlock;
@@ -592,6 +605,7 @@ client_shutdown(isc_task_t *task, isc_event_t *event) {
}
client->newstate = NS_CLIENTSTATE_FREED;
+ client->needshutdown = ISC_FALSE;
(void)exit_check(client);
}
@@ -640,11 +654,11 @@ ns_client_checkactive(ns_client_t *client) {
/*
* This client object should normally go inactive
* at this point, but if we have fewer active client
- * objects than desired due to earlier quota exhaustion,
+ * objects than desired due to earlier quota exhaustion,
* keep it active to make up for the shortage.
*/
isc_boolean_t need_another_client = ISC_FALSE;
- if (TCP_CLIENT(client)) {
+ if (TCP_CLIENT(client) && !ns_g_clienttest) {
LOCK(&client->interface->lock);
if (client->interface->ntcpcurrent <
client->interface->ntcptarget)
@@ -906,6 +920,7 @@ ns_client_send(ns_client_t *client) {
unsigned char sendbuf[SEND_BUFFER_SIZE];
unsigned int dnssec_opts;
unsigned int preferred_glue;
+ isc_boolean_t opt_included = ISC_FALSE;
REQUIRE(NS_CLIENT_VALID(client));
@@ -943,11 +958,10 @@ ns_client_send(ns_client_t *client) {
result = dns_message_renderbegin(client->message, &cctx, &buffer);
if (result != ISC_R_SUCCESS)
goto done;
+
if (client->opt != NULL) {
result = dns_message_setopt(client->message, client->opt);
- /*
- * XXXRTH dns_message_setopt() should probably do this...
- */
+ opt_included = ISC_TRUE;
client->opt = NULL;
if (result != ISC_R_SUCCESS)
goto done;
@@ -1003,6 +1017,25 @@ ns_client_send(ns_client_t *client) {
result = client_sendpkg(client, &tcpbuffer);
} else
result = client_sendpkg(client, &buffer);
+
+ /* update statistics (XXXJT: is it okay to access message->xxxkey?) */
+ isc_stats_increment(ns_g_server->nsstats, dns_nsstatscounter_response);
+ if (opt_included) {
+ isc_stats_increment(ns_g_server->nsstats,
+ dns_nsstatscounter_edns0out);
+ }
+ if (client->message->tsigkey != NULL) {
+ isc_stats_increment(ns_g_server->nsstats,
+ dns_nsstatscounter_tsigout);
+ }
+ if (client->message->sig0key != NULL) {
+ isc_stats_increment(ns_g_server->nsstats,
+ dns_nsstatscounter_sig0out);
+ }
+ if ((client->message->flags & DNS_MESSAGEFLAG_TC) != 0)
+ isc_stats_increment(ns_g_server->nsstats,
+ dns_nsstatscounter_truncatedresp);
+
if (result == ISC_R_SUCCESS)
return;
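Review bot: The new statistics block after client_sendpkg() increments dns_nsstatscounter_response (and the edns0out/tsigout/sig0out/truncatedresp counters) before `result` is examined, so a response whose send was rejected (`result != ISC_R_SUCCESS`, which falls through to the `done:` path below) is still counted as sent. Guarding the block with `if (result == ISC_R_SUCCESS) { ... }` ahead of the early return keeps the counters consistent with what was actually queued to the socket. The XXXJT comment also leaves open whether `client->message->tsigkey`/`sig0key` are still valid after rendering; if dns_message_renderend() or the OPT handling can release them, those two reads should be hoisted above client_sendpkg(). ns_client_send's body starts and ends outside the hunk.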
@@ -1179,11 +1212,46 @@ client_addopt(ns_client_t *client) {
*/
rdatalist->ttl = (client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE);
- /*
- * No EDNS options in the default case.
- */
- rdata->data = NULL;
- rdata->length = 0;
+ /* Set EDNS options if applicable */
+ if (client->attributes & NS_CLIENTATTR_WANTNSID &&
+ (ns_g_server->server_id != NULL ||
+ ns_g_server->server_usehostname)) {
+ /*
+ * Space required for NSID data:
+ * 2 bytes for opt code
+ * + 2 bytes for NSID length
+ * + NSID itself
+ */
+ char nsid[BUFSIZ], *nsidp;
+ isc_buffer_t *buffer = NULL;
+
+ if (ns_g_server->server_usehostname) {
+ isc_result_t result;
+ result = ns_os_gethostname(nsid, sizeof(nsid));
+ if (result != ISC_R_SUCCESS) {
+ goto no_nsid;
+ }
+ nsidp = nsid;
+ } else
+ nsidp = ns_g_server->server_id;
+
+ rdata->length = strlen(nsidp) + 4;
+ result = isc_buffer_allocate(client->mctx, &buffer,
+ rdata->length);
+ if (result != ISC_R_SUCCESS)
+ goto no_nsid;
+
+ isc_buffer_putuint16(buffer, DNS_OPT_NSID);
+ isc_buffer_putuint16(buffer, strlen(nsidp));
+ isc_buffer_putstr(buffer, nsidp);
+ rdata->data = buffer->base;
+ dns_message_takebuffer(client->message, &buffer);
+ } else {
+no_nsid:
+ rdata->data = NULL;
+ rdata->length = 0;
+ }
+
rdata->rdclass = rdatalist->rdclass;
rdata->type = rdatalist->type;
rdata->flags = 0;
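Review bot: In the new NSID branch the option length is emitted with `isc_buffer_putuint16(buffer, strlen(nsidp))` while `rdata->length` is computed from the full `size_t` strlen, so a `server-id` string longer than 65535 bytes (if the config parser does not already cap it, which is not visible here) would yield an OPT option whose declared length disagrees with the data appended after it. A guard such as `if (strlen(nsidp) > 65535 - 4) goto no_nsid;` before the allocation makes the narrowing safe, and caching the length in a local avoids computing strlen() three times. The `goto no_nsid` that jumps from the if-body into the middle of the else-block is legal C but hard to follow; a boolean flag or a small static helper returning the NSID length would read more clearly. Since `server-id hostname` discloses the host's real name to any unauthenticated querier that sets the NSID option, a one-line comment here noting that the exposure is operator-opted-in would help future readers. client_addopt's body starts and ends outside the hunk.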
@@ -1218,7 +1286,7 @@ allowed(isc_netaddr_t *addr, dns_name_t *signer, dns_acl_t *acl) {
* delivered to 'myview'.
*
* We run this unlocked as both the view list and the interface list
- * are updated when the approprite task has exclusivity.
+ * are updated when the appropriate task has exclusivity.
*/
isc_boolean_t
ns_client_isself(dns_view_t *myview, dns_tsigkey_t *mykey,
@@ -1253,14 +1321,14 @@ ns_client_isself(dns_view_t *myview, dns_tsigkey_t *mykey,
isc_boolean_t match;
isc_result_t result;
- tsig = &mykey->name;
- result = dns_view_gettsig(view, tsig, &key);
+ result = dns_view_gettsig(view, &mykey->name, &key);
if (result != ISC_R_SUCCESS)
continue;
match = dst_key_compare(mykey->key, key->key);
dns_tsigkey_detach(&key);
if (!match)
continue;
+ tsig = dns_tsigkey_identity(mykey);
}
if (allowed(&netsrc, tsig, view->matchclients) &&
@@ -1284,13 +1352,16 @@ client_request(isc_task_t *task, isc_event_t *event) {
isc_buffer_t tbuffer;
dns_view_t *view;
dns_rdataset_t *opt;
- isc_boolean_t ra; /* Recursion available. */
+ dns_name_t *signame;
+ isc_boolean_t ra; /* Recursion available. */
isc_netaddr_t netaddr;
isc_netaddr_t destaddr;
int match;
dns_messageid_t id;
unsigned int flags;
isc_boolean_t notimp;
+ dns_rdata_t rdata;
+ isc_uint16_t optcode;
REQUIRE(event != NULL);
client = event->ev_arg;
@@ -1440,6 +1511,20 @@ client_request(isc_task_t *task, isc_event_t *event) {
}
/*
+ * Update some statistics counters. Don't count responses.
+ */
+ if (isc_sockaddr_pf(&client->peeraddr) == PF_INET) {
+ isc_stats_increment(ns_g_server->nsstats,
+ dns_nsstatscounter_requestv4);
+ } else {
+ isc_stats_increment(ns_g_server->nsstats,
+ dns_nsstatscounter_requestv6);
+ }
+ if (TCP_CLIENT(client))
+ isc_stats_increment(ns_g_server->nsstats,
+ dns_nsstatscounter_tcp);
+
+ /*
* It's a request. Parse it.
*/
result = dns_message_parse(client->message, buffer, 0);
@@ -1452,6 +1537,8 @@ client_request(isc_task_t *task, isc_event_t *event) {
goto cleanup;
}
+ dns_opcodestats_increment(ns_g_server->opcodestats,
+ client->message->opcode);
switch (client->message->opcode) {
case dns_opcode_query:
case dns_opcode_update:
@@ -1499,12 +1586,35 @@ client_request(isc_task_t *task, isc_event_t *event) {
*/
client->ednsversion = (opt->ttl & 0x00FF0000) >> 16;
if (client->ednsversion > 0) {
+ isc_stats_increment(ns_g_server->nsstats,
+ dns_nsstatscounter_badednsver);
result = client_addopt(client);
if (result == ISC_R_SUCCESS)
result = DNS_R_BADVERS;
ns_client_error(client, result);
goto cleanup;
}
+
+ /* Check for NSID request */
+ result = dns_rdataset_first(opt);
+ if (result == ISC_R_SUCCESS) {
+ dns_rdata_init(&rdata);
+ dns_rdataset_current(opt, &rdata);
+ if (rdata.length >= 2) {
+ isc_buffer_t nsidbuf;
+ isc_buffer_init(&nsidbuf,
+ rdata.data, rdata.length);
+ isc_buffer_add(&nsidbuf, rdata.length);
+ optcode = isc_buffer_getuint16(&nsidbuf);
+ if (optcode == DNS_OPT_NSID)
+ client->attributes |=
+ NS_CLIENTATTR_WANTNSID;
+ }
+ }
+
+ isc_stats_increment(ns_g_server->nsstats,
+ dns_nsstatscounter_edns0in);
+
/*
* Create an OPT for our reply.
*/
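Review bot: The NSID detection only inspects the first two bytes of the OPT RDATA, so a client that sends NSID as anything but the first EDNS option is never flagged with NS_CLIENTATTR_WANTNSID, and no option-length field is consulted at all. The check is memory-safe as written (it reads only after `rdata.length >= 2`), but it should walk the option list, reading each code and length and bailing out if a length overruns the remaining buffer, unless dns_message_parse() already rejects malformed OPT payloads, which is not visible in this hunk. client_request's body starts and ends outside the hunk.
```c
/* Check for NSID request: walk every EDNS option, not just the first */
result = dns_rdataset_first(opt);
if (result == ISC_R_SUCCESS) {
	isc_buffer_t optbuf;
	isc_uint16_t optlen;

	dns_rdata_init(&rdata);
	dns_rdataset_current(opt, &rdata);
	isc_buffer_init(&optbuf, rdata.data, rdata.length);
	isc_buffer_add(&optbuf, rdata.length);
	while (isc_buffer_remaininglength(&optbuf) >= 4) {
		optcode = isc_buffer_getuint16(&optbuf);
		optlen = isc_buffer_getuint16(&optbuf);
		if (optlen > isc_buffer_remaininglength(&optbuf))
			break;	/* truncated option: ignore the remainder */
		if (optcode == DNS_OPT_NSID)
			client->attributes |= NS_CLIENTATTR_WANTNSID;
		isc_buffer_forward(&optbuf, optlen);
	}
}
/* … unchanged: edns0in statistics, OPT creation for the reply … */
```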
@@ -1591,10 +1701,11 @@ client_request(isc_task_t *task, isc_event_t *event) {
client->message->rdclass == dns_rdataclass_any)
{
dns_name_t *tsig = NULL;
+
sigresult = dns_message_rechecksig(client->message,
view);
if (sigresult == ISC_R_SUCCESS)
- tsig = client->message->tsigname;
+ tsig = dns_tsigkey_identity(client->message->tsigkey);
if (allowed(&netaddr, tsig, view->matchclients) &&
allowed(&destaddr, tsig, view->matchdestinations) &&
@@ -1648,6 +1759,17 @@ client_request(isc_task_t *task, isc_event_t *event) {
client->signer = NULL;
dns_name_init(&client->signername, NULL);
result = dns_message_signer(client->message, &client->signername);
+ if (result != ISC_R_NOTFOUND) {
+ signame = NULL;
+ if (dns_message_gettsig(client->message, &signame) != NULL) {
+ isc_stats_increment(ns_g_server->nsstats,
+ dns_nsstatscounter_tsigin);
+ } else {
+ isc_stats_increment(ns_g_server->nsstats,
+ dns_nsstatscounter_sig0in);
+ }
+
+ }
if (result == ISC_R_SUCCESS) {
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
@@ -1664,24 +1786,42 @@ client_request(isc_task_t *task, isc_event_t *event) {
} else {
char tsigrcode[64];
isc_buffer_t b;
- dns_name_t *name = NULL;
dns_rcode_t status;
isc_result_t tresult;
/* There is a signature, but it is bad. */
- if (dns_message_gettsig(client->message, &name) != NULL) {
+ isc_stats_increment(ns_g_server->nsstats,
+ dns_nsstatscounter_invalidsig);
+ signame = NULL;
+ if (dns_message_gettsig(client->message, &signame) != NULL) {
char namebuf[DNS_NAME_FORMATSIZE];
- dns_name_format(name, namebuf, sizeof(namebuf));
+ char cnamebuf[DNS_NAME_FORMATSIZE];
+ dns_name_format(signame, namebuf, sizeof(namebuf));
status = client->message->tsigstatus;
isc_buffer_init(&b, tsigrcode, sizeof(tsigrcode) - 1);
tresult = dns_tsigrcode_totext(status, &b);
INSIST(tresult == ISC_R_SUCCESS);
tsigrcode[isc_buffer_usedlength(&b)] = '\0';
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
- "request has invalid signature: "
- "TSIG %s: %s (%s)", namebuf,
- isc_result_totext(result), tsigrcode);
+ if (client->message->tsigkey->generated) {
+ dns_name_format(client->message->tsigkey->creator,
+ cnamebuf, sizeof(cnamebuf));
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_CLIENT,
+ ISC_LOG_ERROR,
+ "request has invalid signature: "
+ "TSIG %s (%s): %s (%s)", namebuf,
+ cnamebuf,
+ isc_result_totext(result),
+ tsigrcode);
+ } else {
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_CLIENT,
+ ISC_LOG_ERROR,
+ "request has invalid signature: "
+ "TSIG %s: %s (%s)", namebuf,
+ isc_result_totext(result),
+ tsigrcode);
+ }
} else {
status = client->message->sig0status;
isc_buffer_init(&b, tsigrcode, sizeof(tsigrcode) - 1);
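Review bot: The new logging branch dereferences `client->message->tsigkey->generated` and `->creator` without a NULL check, whereas the code it replaces only used the name returned by dns_message_gettsig(). This runs on the bad-signature path for unauthenticated requests, so if dns_tsig_verify() can leave `tsigkey` unset when the key lookup fails or the placeholder key cannot be created, a single malformed TSIG query would crash named; `if (client->message->tsigkey != NULL && client->message->tsigkey->generated)` removes the question at no cost. If tsigkey is in fact guaranteed non-NULL whenever a TSIG record is present, an `INSIST(client->message->tsigkey != NULL);` or a comment stating that invariant would document it. client_request's body continues outside the hunk.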
@@ -1715,9 +1855,17 @@ client_request(isc_task_t *task, isc_event_t *event) {
ra = ISC_FALSE;
if (client->view->resolver != NULL &&
client->view->recursion == ISC_TRUE &&
- ns_client_checkaclsilent(client, client->view->recursionacl,
+ ns_client_checkaclsilent(client, NULL,
+ client->view->recursionacl,
+ ISC_TRUE) == ISC_R_SUCCESS &&
+ ns_client_checkaclsilent(client, NULL,
+ client->view->queryacl,
+ ISC_TRUE) == ISC_R_SUCCESS &&
+ ns_client_checkaclsilent(client, &client->interface->addr,
+ client->view->recursiononacl,
ISC_TRUE) == ISC_R_SUCCESS &&
- ns_client_checkaclsilent(client, client->view->queryacl,
+ ns_client_checkaclsilent(client, &client->interface->addr,
+ client->view->queryonacl,
ISC_TRUE) == ISC_R_SUCCESS)
ra = ISC_TRUE;
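Review bot: The new allow-recursion-on / allow-query-on checks pass `&client->interface->addr` as the destination, whereas the view-matching code earlier in client_request evaluates matchdestinations against `destaddr`, which is derived from the packet itself. If the listener is bound to a wildcard address or the destination comes from pktinfo, the two can differ and the *-on ACLs would be evaluated against an address the client never sent to; matching on the same `destaddr` (either by converting it back with isc_sockaddr_fromnetaddr(), or by letting ns_client_checkaclsilent() accept an isc_netaddr_t) would keep both policies consistent. A short comment above the `if` noting that RA is now granted only when all four ACLs pass would also help, since the condition has doubled in size. client_request's body extends outside the hunk.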
@@ -1804,13 +1952,17 @@ client_timeout(isc_task_t *task, isc_event_t *event) {
static isc_result_t
get_clientmctx(ns_clientmgr_t *manager, isc_mem_t **mctxp) {
isc_mem_t *clientmctx;
-#if NMCTXS > 0
isc_result_t result;
-#endif
/*
* Caller must be holding the manager lock.
*/
+ if (ns_g_clienttest) {
+ result = isc_mem_create(0, 0, mctxp);
+ if (result == ISC_R_SUCCESS)
+ isc_mem_setname(*mctxp, "client", NULL);
+ return (result);
+ }
#if NMCTXS > 0
INSIST(manager->nextmctx < NMCTXS);
clientmctx = manager->mctxpool[manager->nextmctx];
@@ -1818,6 +1970,7 @@ get_clientmctx(ns_clientmgr_t *manager, isc_mem_t **mctxp) {
result = isc_mem_create(0, 0, &clientmctx);
if (result != ISC_R_SUCCESS)
return (result);
+ isc_mem_setname(clientmctx, "client", NULL);
manager->mctxpool[manager->nextmctx] = clientmctx;
}
@@ -1966,6 +2119,8 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
if (result != ISC_R_SUCCESS)
goto cleanup_query;
+ client->needshutdown = ns_g_clienttest;
+
CTRACE("create");
*clientp = client;
@@ -2056,6 +2211,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
*/
if (nevent->result == ISC_R_SUCCESS) {
client->tcpsocket = nevent->newsocket;
+ isc_socket_setname(client->tcpsocket, "client-tcp", NULL);
client->state = NS_CLIENTSTATE_READING;
INSIST(client->recursionquota == NULL);
@@ -2068,7 +2224,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
} else {
/*
* XXXRTH What should we do? We're trying to accept but
- * it didn't work. If we just give up, then TCP
+ * it didn't work. If we just give up, then TCP
* service may eventually stop.
*
* For now, we just go idle.
@@ -2115,7 +2271,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
* Let a new client take our place immediately, before
* we wait for a request packet. If we don't,
* telnetting to port 53 (once per CPU) will
- * deny service to legititmate TCP clients.
+ * deny service to legitimate TCP clients.
*/
result = isc_quota_attach(&ns_g_server->tcpquota,
&client->tcpquota);
@@ -2149,7 +2305,7 @@ client_accept(ns_client_t *client) {
isc_result_totext(result));
/*
* XXXRTH What should we do? We're trying to accept but
- * it didn't work. If we just give up, then TCP
+ * it didn't work. If we just give up, then TCP
* service may eventually stop.
*
* For now, we just go idle.
@@ -2386,7 +2542,9 @@ ns_clientmgr_createclients(ns_clientmgr_t *manager, unsigned int n,
* Allocate a client. First try to get a recycled one;
* if that fails, make a new one.
*/
- client = ISC_LIST_HEAD(manager->inactive);
+ client = NULL;
+ if (!ns_g_clienttest)
+ client = ISC_LIST_HEAD(manager->inactive);
if (client != NULL) {
MTRACE("recycle");
ISC_LIST_UNLINK(manager->inactive, client, link);
@@ -2442,8 +2600,8 @@ ns_client_getsockaddr(ns_client_t *client) {
}
isc_result_t
-ns_client_checkaclsilent(ns_client_t *client, dns_acl_t *acl,
- isc_boolean_t default_allow)
+ns_client_checkaclsilent(ns_client_t *client, isc_sockaddr_t *sockaddr,
+ dns_acl_t *acl, isc_boolean_t default_allow)
{
isc_result_t result;
int match;
@@ -2456,11 +2614,16 @@ ns_client_checkaclsilent(ns_client_t *client, dns_acl_t *acl,
goto deny;
}
- isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
+
+ if (sockaddr == NULL)
+ isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
+ else
+ isc_netaddr_fromsockaddr(&netaddr, sockaddr);
result = dns_acl_match(&netaddr, client->signer, acl,
&ns_g_server->aclenv,
&match, NULL);
+
if (result != ISC_R_SUCCESS)
goto deny; /* Internal error, already logged. */
if (match > 0)
@@ -2475,12 +2638,12 @@ ns_client_checkaclsilent(ns_client_t *client, dns_acl_t *acl,
}
isc_result_t
-ns_client_checkacl(ns_client_t *client,
+ns_client_checkacl(ns_client_t *client, isc_sockaddr_t *sockaddr,
const char *opname, dns_acl_t *acl,
isc_boolean_t default_allow, int log_level)
{
isc_result_t result =
- ns_client_checkaclsilent(client, acl, default_allow);
+ ns_client_checkaclsilent(client, sockaddr, acl, default_allow);
if (result == ISC_R_SUCCESS)
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
@@ -2503,7 +2666,7 @@ ns_client_name(ns_client_t *client, char *peerbuf, size_t len) {
void
ns_client_logv(ns_client_t *client, isc_logcategory_t *category,
- isc_logmodule_t *module, int level, const char *fmt, va_list ap)
+ isc_logmodule_t *module, int level, const char *fmt, va_list ap)
{
char msgbuf[2048];
char peerbuf[ISC_SOCKADDR_FORMATSIZE];
diff --git a/bin/named/config.c b/bin/named/config.c
index 233d9e097f26..8b96050e9f16 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: config.c,v 1.47.18.35 2008/09/04 08:03:07 marka Exp $ */
+/* $Id: config.c,v 1.93.14.2 2009/03/17 23:47:28 tbox Exp $ */
/*! \file */
@@ -69,7 +69,7 @@ options {\n\
memstatistics-file \"named.memstats\";\n\
multiple-cnames no;\n\
# named-xfer <obsolete>;\n\
-# pid-file \"" NS_LOCALSTATEDIR "/named.pid\"; /* or /lwresd.pid */\n\
+# pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or /lwresd.pid */\n\
port 53;\n\
recursing-file \"named.recursing\";\n\
"
@@ -99,13 +99,16 @@ options {\n\
use-ixfr true;\n\
edns-udp-size 4096;\n\
max-udp-size 4096;\n\
+ request-nsid false;\n\
reserved-sockets 512;\n\
\n\
/* view */\n\
allow-notify {none;};\n\
allow-update-forwarding {none;};\n\
allow-query-cache { localnets; localhost; };\n\
+ allow-query-cache-on { any; };\n\
allow-recursion { localnets; localhost; };\n\
+ allow-recursion-on { any; };\n\
# allow-v6-synthesis <obsolete>;\n\
# sortlist <none>\n\
# topology <none>\n\
@@ -122,7 +125,7 @@ options {\n\
query-source-v6 address *;\n\
notify-source *;\n\
notify-source-v6 *;\n\
- cleaning-interval 60;\n\
+ cleaning-interval 0; /* now meaningless */\n\
min-roots 2;\n\
lame-ttl 600;\n\
max-ncache-ttl 10800; /* 3 hours */\n\
@@ -135,21 +138,24 @@ options {\n\
check-mx warn;\n\
acache-enable no;\n\
acache-cleaning-interval 60;\n\
- max-acache-size 0;\n\
+ max-acache-size 16M;\n\
dnssec-enable yes;\n\
- dnssec-validation no; /* Make yes for 9.5. */ \n\
+ dnssec-validation yes; \n\
dnssec-accept-expired no;\n\
clients-per-query 10;\n\
max-clients-per-query 100;\n\
zero-no-soa-ttl-cache no;\n\
+ nsec3-test-zone no;\n\
"
" /* zone */\n\
allow-query {any;};\n\
+ allow-query-on {any;};\n\
allow-transfer {any;};\n\
notify yes;\n\
# also-notify <none>\n\
notify-delay 5;\n\
+ notify-to-soa no;\n\
dialup no;\n\
# forward <none>\n\
# forwarders <none>\n\
@@ -169,6 +175,9 @@ options {\n\
min-refresh-time 300;\n\
multi-master no;\n\
sig-validity-interval 30; /* days */\n\
+ sig-signing-nodes 100;\n\
+ sig-signing-signatures 10;\n\
+ sig-signing-type 65534;\n\
zone-statistics false;\n\
max-journal-size unlimited;\n\
ixfr-from-differences false;\n\
@@ -179,6 +188,7 @@ options {\n\
check-srv-cname warn;\n\
zero-no-soa-ttl yes;\n\
update-check-ksk yes;\n\
+ try-tcp-refresh yes; /* BIND 8 compat */\n\
};\n\
"
diff --git a/bin/named/control.c b/bin/named/control.c
index 3f2d52e946be..8bd8f6ce361f 100644
--- a/bin/named/control.c
+++ b/bin/named/control.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: control.c,v 1.20.10.10 2007/09/13 23:46:26 tbox Exp $ */
+/* $Id: control.c,v 1.33 2007/09/13 04:45:18 each Exp $ */
/*! \file */
@@ -63,6 +63,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
isccc_sexpr_t *data;
char *command;
isc_result_t result;
+ int log_level;
#ifdef HAVE_LIBSCF
ns_smf_want_disable = 0;
#endif
@@ -83,14 +84,20 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
return (result);
}
+ /*
+ * Compare the 'command' parameter against all known control commands.
+ */
+ if (command_compare(command, NS_COMMAND_NULL) ||
+ command_compare(command, NS_COMMAND_STATUS)) {
+ log_level = ISC_LOG_DEBUG(1);
+ } else {
+ log_level = ISC_LOG_INFO;
+ }
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_CONTROL, ISC_LOG_DEBUG(1),
+ NS_LOGMODULE_CONTROL, log_level,
"received control channel command '%s'",
command);
- /*
- * Compare the 'command' parameter against all known control commands.
- */
if (command_compare(command, NS_COMMAND_RELOAD)) {
result = ns_server_reloadcommand(ns_g_server, command, text);
} else if (command_compare(command, NS_COMMAND_RECONFIG)) {
@@ -158,6 +165,10 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
result = ns_server_flushname(ns_g_server, command);
} else if (command_compare(command, NS_COMMAND_STATUS)) {
result = ns_server_status(ns_g_server, text);
+ } else if (command_compare(command, NS_COMMAND_TSIGLIST)) {
+ result = ns_server_tsiglist(ns_g_server, text);
+ } else if (command_compare(command, NS_COMMAND_TSIGDELETE)) {
+ result = ns_server_tsigdelete(ns_g_server, command, text);
} else if (command_compare(command, NS_COMMAND_FREEZE)) {
result = ns_server_freeze(ns_g_server, ISC_TRUE, command);
} else if (command_compare(command, NS_COMMAND_UNFREEZE) ||
diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
index e8e36f3e5e52..766f013ba8d6 100644
--- a/bin/named/controlconf.c
+++ b/bin/named/controlconf.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2006, 2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: controlconf.c,v 1.40.18.14 2008/07/23 23:33:02 marka Exp $ */
+/* $Id: controlconf.c,v 1.60 2008/07/23 23:27:54 marka Exp $ */
/*! \file */
@@ -597,6 +597,7 @@ control_newconn(isc_task_t *task, isc_event_t *event) {
}
sock = nevent->newsocket;
+ isc_socket_setname(sock, "control", NULL);
(void)isc_socket_getpeername(sock, &peeraddr);
if (listener->type == isc_sockettype_tcp &&
!address_ok(&peeraddr, listener->acl)) {
@@ -1007,7 +1008,7 @@ update_listener(ns_controls_t *cp, controllistener_t **listenerp,
if (control != NULL && type == isc_sockettype_tcp) {
allow = cfg_tuple_get(control, "allow");
result = cfg_acl_fromconfig(allow, config, ns_g_lctx,
- aclconfctx, listener->mctx,
+ aclconfctx, listener->mctx, 0,
&new_acl);
} else {
result = dns_acl_any(listener->mctx, &new_acl);
@@ -1094,7 +1095,8 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp,
if (control != NULL && type == isc_sockettype_tcp) {
allow = cfg_tuple_get(control, "allow");
result = cfg_acl_fromconfig(allow, config, ns_g_lctx,
- aclconfctx, mctx, &new_acl);
+ aclconfctx, mctx, 0,
+ &new_acl);
} else {
result = dns_acl_any(mctx, &new_acl);
}
@@ -1143,6 +1145,8 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp,
result = isc_socket_create(ns_g_socketmgr,
isc_sockaddr_pf(&listener->address),
type, &listener->sock);
+ if (result == ISC_R_SUCCESS)
+ isc_socket_setname(listener->sock, "control", NULL);
if (result == ISC_R_SUCCESS)
result = isc_socket_bind(listener->sock, &listener->address,
diff --git a/bin/named/convertxsl.pl b/bin/named/convertxsl.pl
new file mode 100755
index 000000000000..87550b3c1a58
--- /dev/null
+++ b/bin/named/convertxsl.pl
@@ -0,0 +1,57 @@
+#!/usr/bin/env perl
+#
+# Copyright (C) 2006-2008 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: convertxsl.pl,v 1.14 2008/07/17 23:43:26 jinmei Exp $
+
+use strict;
+use warnings;
+
+my $rev = '$Id: convertxsl.pl,v 1.14 2008/07/17 23:43:26 jinmei Exp $';
+$rev =~ s/\$//g;
+$rev =~ s/,v//g;
+$rev =~ s/Id: //;
+
+my $xsl = "unknown";
+my $lines = '';
+
+while (<>) {
+ chomp;
+ # pickout the id for comment.
+ $xsl = $_ if (/<!-- .Id:.* -->/);
+ # convert Id string to a form not recognisable by cvs.
+ $_ =~ s/<!-- .Id:(.*). -->/<!-- \\045Id: $1\\045 -->/;
+ s/[\ \t]+/ /g;
+ s/\>\ \</\>\</g;
+ s/\"/\\\"/g;
+ s/^/\t\"/;
+ s/$/\\n\"/;
+ if ($lines eq "") {
+ $lines .= $_;
+ } else {
+ $lines .= "\n" . $_;
+ }
+}
+
+$xsl =~ s/\$//g;
+$xsl =~ s/<!-- Id: //;
+$xsl =~ s/ -->.*//;
+$xsl =~ s/,v//;
+
+print "/*\n * Generated by $rev \n * From $xsl\n */\n";
+print 'static char xslmsg[] =',"\n";
+print $lines;
+
+print ';', "\n";
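Review bot: The quoting loop escapes double quotes (`s/\"/\\\"/g`) but never escapes backslashes, so any `\` in the input XSL (an XPath string literal, for example) is emitted unescaped into the generated C string and becomes an unintended escape sequence or a compile error. Adding `s/\\/\\\\/g;` as the first substitution after `chomp`, ahead of the `\\045` Id rewrite, fixes this; the order matters because that rewrite deliberately inserts a backslash that must not be doubled. The `$xsl` extraction also keeps whichever `<!-- $Id: ... -->` line matched last, which is fine for one-Id inputs but worth a comment such as `# assumes the XSL carries exactly one CVS Id comment`.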
diff --git a/bin/named/include/named/builtin.h b/bin/named/include/named/builtin.h
index 37a3e76ac8e2..a5185ba60f35 100644
--- a/bin/named/include/named/builtin.h
+++ b/bin/named/include/named/builtin.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: builtin.h,v 1.2.18.2 2005/04/29 00:15:34 marka Exp $ */
+/* $Id: builtin.h,v 1.6 2007/06/19 23:46:59 tbox Exp $ */
#ifndef NAMED_BUILTIN_H
#define NAMED_BUILTIN_H 1
diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h
index 0cf7985e919b..3ebed3ff1acd 100644
--- a/bin/named/include/named/client.h
+++ b/bin/named/include/named/client.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: client.h,v 1.69.18.9 2006/06/06 00:11:41 marka Exp $ */
+/* $Id: client.h,v 1.86.120.2 2009/01/18 23:47:34 tbox Exp $ */
#ifndef NAMED_CLIENT_H
#define NAMED_CLIENT_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file
* \brief
* This module defines two objects, ns_client_t and ns_clientmgr_t.
*
@@ -97,6 +97,13 @@ struct ns_client {
int nupdates;
int nctls;
int references;
+ isc_boolean_t needshutdown; /*
+ * Used by clienttest to get
+ * the client to go from
+ * inactive to free state
+ * by shutting down the
+ * client's task.
+ */
unsigned int attributes;
isc_task_t * task;
dns_view_t * view;
@@ -155,10 +162,11 @@ struct ns_client {
#define NS_CLIENT_VALID(c) ISC_MAGIC_VALID(c, NS_CLIENT_MAGIC)
#define NS_CLIENTATTR_TCP 0x01
-#define NS_CLIENTATTR_RA 0x02 /*%< Client gets recusive service */
+#define NS_CLIENTATTR_RA 0x02 /*%< Client gets recursive service */
#define NS_CLIENTATTR_PKTINFO 0x04 /*%< pktinfo is valid */
#define NS_CLIENTATTR_MULTICAST 0x08 /*%< recv'd from multicast */
#define NS_CLIENTATTR_WANTDNSSEC 0x10 /*%< include dnssec records */
+#define NS_CLIENTATTR_WANTNSID 0x20 /*%< include nameserver ID */
extern unsigned int ns_client_requests;
@@ -266,7 +274,9 @@ ns_client_getsockaddr(ns_client_t *client);
*/
isc_result_t
-ns_client_checkaclsilent(ns_client_t *client,dns_acl_t *acl,
+ns_client_checkaclsilent(ns_client_t *client,
+ isc_sockaddr_t *sockaddr,
+ dns_acl_t *acl,
isc_boolean_t default_allow);
/*%
@@ -274,6 +284,8 @@ ns_client_checkaclsilent(ns_client_t *client,dns_acl_t *acl,
*
* Check the current client request against 'acl'. If 'acl'
* is NULL, allow the request iff 'default_allow' is ISC_TRUE.
+ * If netaddr is NULL, check the ACL against client->peeraddr;
+ * otherwise check it against netaddr.
*
* Notes:
*\li This is appropriate for checking allow-update,
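Review bot: The new documentation sentence names a parameter `netaddr` (`If netaddr is NULL, check the ACL against client->peeraddr; otherwise check it against netaddr.`), but the parameter added to ns_client_checkaclsilent() in this same change is called `sockaddr` and is an isc_sockaddr_t, so anyone grepping for the documented name will find nothing. Suggested wording: `If 'sockaddr' is NULL the ACL is matched against client->peeraddr; otherwise it is matched against 'sockaddr' (used by the allow-*-on ACLs, which match the server-side address).` The parenthetical describes the callers' apparent intent and should be confirmed against client.c before it is committed.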
@@ -284,6 +296,7 @@ ns_client_checkaclsilent(ns_client_t *client,dns_acl_t *acl,
*
* Requires:
*\li 'client' points to a valid client.
+ *\li 'sockaddr' points to a valid address, or is NULL.
*\li 'acl' points to a valid ACL, or is NULL.
*
* Returns:
@@ -294,18 +307,19 @@ ns_client_checkaclsilent(ns_client_t *client,dns_acl_t *acl,
isc_result_t
ns_client_checkacl(ns_client_t *client,
+ isc_sockaddr_t *sockaddr,
const char *opname, dns_acl_t *acl,
isc_boolean_t default_allow,
int log_level);
/*%
- * Like ns_client_checkacl, but also logs the outcome of the
- * check at log level 'log_level' if denied, and at debug 3
- * if approved. Log messages will refer to the request as
- * an 'opname' request.
+ * Like ns_client_checkaclsilent, except the outcome of the check is
+ * logged at log level 'log_level' if denied, and at debug 3 if approved.
+ * Log messages will refer to the request as an 'opname' request.
*
* Requires:
- *\li Those of ns_client_checkaclsilent(), and:
- *
+ *\li 'client' points to a valid client.
+ *\li 'sockaddr' points to a valid address, or is NULL.
+ *\li 'acl' points to a valid ACL, or is NULL.
*\li 'opname' points to a null-terminated string.
*/
@@ -352,8 +366,8 @@ ns_client_qnamereplace(ns_client_t *client, dns_name_t *name);
isc_boolean_t
ns_client_isself(dns_view_t *myview, dns_tsigkey_t *mykey,
- isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
- dns_rdataclass_t rdclass, void *arg);
+ isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+ dns_rdataclass_t rdclass, void *arg);
/*%
* Isself callback.
*/
diff --git a/bin/named/include/named/config.h b/bin/named/include/named/config.h
index e8e60382e0bf..f7ceed81f7ec 100644
--- a/bin/named/include/named/config.h
+++ b/bin/named/include/named/config.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001, 2002 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: config.h,v 1.6.18.6 2006/02/28 03:10:47 marka Exp $ */
+/* $Id: config.h,v 1.14 2007/06/19 23:46:59 tbox Exp $ */
#ifndef NAMED_CONFIG_H
#define NAMED_CONFIG_H 1
diff --git a/bin/named/include/named/control.h b/bin/named/include/named/control.h
index 5b7e5f45f2ca..d382ffe61da6 100644
--- a/